Date: Wed, 17 Feb 2016 15:39:13 +0000
From: Fiedler Roman <Roman.Fiedler@....ac.at>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Feedback and mentoring (reviewer) for logdata-anomaly-miner

Hello List,

We want to share a part of a log-data analysis pipeline tool as an open source Debian package. As we are especially interested in feedback from security engineers, we want it to be easy to install and remove on common distributions to lower the barrier for testing.

<?Timesaver: in short, who is interested in package review, mentoring? Others may stop reading here. ?>

Motivation: Have a toolset to allow construction of lightweight and very flexible processing pipelines for purposes ranging from simple value checks (e.g. like logcheck on a single machine but with data streaming operation (not batch), O(log(n)) instead of O(n) CPU resources due to tree-shaped parsing models, mail alerting with exponential backoff, ...) but also to find atypical sequences of commands (correlation-based whitelisting of log data - AECID approach) or to analyse action sequences in normal operation that could be exploited in malicious environments (blacklisting approach, e.g. to fully automate detection of issues similar to those reported by us last year [1], [2], [3]). This should all run smoothly with limited resources and limited risks even on production machines, e.g. to set intelligent probes on those machines.

The package contains the initial standalone version of the distributed mining component, ported from Java. The idea is to distribute the security-critical core as a reviewed lightweight package to allow simple updates in case security issues are found. Rulesets and configuration packages for complex scenarios will follow in separate packages. As they do not contain root-executed code, review requirements are far less strict.

The configuration format of the unprivileged analysis pipeline is currently plain Python. This will be augmented with configuration generators/a better generation format as soon as it becomes clear if there is a community use for it and which use cases are most relevant for them. (We use it for research and have no problem with the current semi-automatic config generation for that purpose.)

Is there someone on this list also mentoring for Debian, e.g. on [4], to review and mentor the code in [5], especially regarding security implications? Apart from the packaging and standard distribution-related issues, I would be glad to point to all the problematic spots with security impact I already know, hopefully to detect all security weaknesses before publication of the package.

Kind Regards,
Roman Fiedler

[1] https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662
[2] https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050
[3] https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1470842
[4] http://mentors.debian.net/
[5] http://mentors.debian.net/package/logdata-anomaly-miner
[6] https://launchpad.net/logdata-anomaly-miner
[7] http://bazaar.launchpad.net/~roman-fiedler/logdata-anomaly-miner/roman-fiedler/view/head:/source/root/usr/share/doc/aminer/Readme.txt

PS: See [6] for the package description, [7] for an intro, manpage attached (nroff -man AMiner.1)

DI Roman Fiedler
Scientist
Digital Safety & Security Department
Assistive Healthcare Information Technology
AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1 | 8020 Graz | Austria
T +43(0) 50550 2957 | M +43(0) 664 8561599 | F +43(0) 50550 2950
roman.fiedler@....ac.at | http://www.ait.ac.at/
FN: 115980 i HG Wien | UID: ATU14703506
http://www.ait.ac.at/Email-Disclaimer

Download attachment "AMiner.1" of type "application/octet-stream" (4018 bytes)
Download attachment "smime.p7s" of type "application/pkcs7-signature" (6344 bytes)
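The message above describes three ingredients of the pipeline: a tree-shaped parsing model (so that each line only walks one branch instead of being tested against every rule), whitelist-style detection of values never seen before, and mail alerting with exponential backoff. The following is an added toy illustration of that combination, written for this page; it is not code from logdata-anomaly-miner, and the model element names (`Fixed`, `Delimited`, `Branch`), the detector, the alerter and the syslog-like sample lines are all constructed here.

```python
"""Toy streaming log analyzer: tree-shaped parser, new-value whitelist
detector and an alert sink with exponential backoff (added example)."""
from dataclasses import dataclass


@dataclass
class Fixed:
    """Match an exact string, then continue with the single child."""
    text: str
    child: object = None


@dataclass
class Delimited:
    """Capture everything up to `delim` under `path`, then continue."""
    path: str
    delim: str
    child: object = None


@dataclass
class Branch:
    """Try subtrees in order; only the first matching subtree is followed."""
    children: list


def parse(node, data, pos, out):
    """Walk the model tree; return end offset or None if nothing matched.

    Only the children of the current node are tried at each step, so the
    work per line is bounded by tree depth and branching, not by the total
    number of rules. Trailing unparsed data is tolerated in this toy.
    """
    if node is None:
        return pos
    if isinstance(node, Fixed):
        if not data.startswith(node.text, pos):
            return None
        return parse(node.child, data, pos + len(node.text), out)
    if isinstance(node, Delimited):
        end = data.find(node.delim, pos)
        if end < 0:
            return None
        out[node.path] = data[pos:end]
        return parse(node.child, data, end, out)
    for child in node.children:  # Branch
        saved = dict(out)
        end = parse(child, data, pos, out)
        if end is not None:
            return end
        out.clear()
        out.update(saved)  # discard captures from the failed subtree
    return None


class NewValueDetector:
    """Whitelist learning: report a value the first time it appears at a path."""
    def __init__(self, path):
        self.path, self.known = path, set()

    def check(self, match):
        value = match.get(self.path)
        if value is None or value in self.known:
            return None
        self.known.add(value)
        return f"new value {value!r} at {self.path}"


class BackoffAlerter:
    """Send the first alert at once; afterwards mute for 1, 2, 4, ... ticks,
    queueing alerts raised while muted so they ride along in the next mail."""
    def __init__(self):
        self.mails, self.pending = [], []
        self.next_allowed, self.interval = 0, 1

    def alert(self, msg, now):
        self.pending.append(msg)
        if now < self.next_allowed:
            return False
        self.mails.append((now, list(self.pending)))
        self.pending.clear()
        self.next_allowed = now + self.interval
        self.interval *= 2
        return True


SSH_REST = Delimited("sshd/user", " ", Fixed(" from ", Delimited("sshd/src", " ")))
MODEL = Branch([
    Fixed("sshd[", Delimited("sshd/pid", "]", Fixed("]: ", Branch([
        Fixed("Accepted publickey for ", SSH_REST),
        Fixed("Failed password for ", SSH_REST)])))),
    Fixed("cron[", Delimited("cron/pid", "]", Fixed("]: (", Delimited(
        "cron/user", ")", Fixed(") CMD (", Delimited("cron/cmd", ")")))))),
])

# Constructed sample lines; the tick index stands in for wall-clock time.
LOG_LINES = [
    "sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52312",
    "sshd[1235]: Failed password for root from 198.51.100.7 port 40111",
    "cron[77]: (root) CMD (/usr/bin/backup.sh)",
    "sshd[1236]: Accepted publickey for alice from 10.0.0.5 port 52313",
    "cron[78]: (root) CMD (/usr/bin/backup.sh)",
    "cron[79]: (www-data) CMD (/tmp/.x)",
    "kernel: something unexpected",
]


def run(lines, model, detectors, alerter):
    """Stream lines through model and detectors; return (mails, still pending)."""
    for tick, line in enumerate(lines):
        match = {}
        if parse(model, line, 0, match) is None:
            alerter.alert(f"unparsed: {line}", tick)  # unknown log format
            continue
        for det in detectors:
            msg = det.check(match)
            if msg:
                alerter.alert(msg, tick)
    return alerter.mails, list(alerter.pending)


def run_demo():
    paths = ["sshd/user", "sshd/src", "cron/user", "cron/cmd"]
    return run(LOG_LINES, MODEL, [NewValueDetector(p) for p in paths], BackoffAlerter())


if __name__ == "__main__":
    for tick, msgs in run_demo()[0]:
        print(f"mail at tick {tick}: {msgs}")
```

Running it yields three mails (at ticks 0, 1 and 5) instead of one per finding; the `www-data` cron job and the unknown `kernel:` line are the kind of events the backoff keeps from flooding a mailbox while still surfacing them in the next delivery. A real deployment would also reset the interval after a quiet period and persist the learned whitelist across restarts.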