SEC.pl (System Event Correlator)
There is a nice two-part article on SEC which describes how it works and what it provides. I encourage you to look it over. The latest sec.pl distribution can be found on SourceForge (SEC at SourceForge). The homepage also has pointers to information.

SEC is very simple to set up and is really just a Perl script. The distribution includes example startup files for various common UNIX flavors.

We run it as a separate service on atgrid.grid.umich.edu which reads from the syslog-ng output pipe at /var/log/sec. The tricky part about SEC is getting the right configuration files (rulesets) configured for your needs. Fortunately there is a community repository of rulesets that makes it much easier to find and customize rules for your SEC installation.
Installation on ATGRID
First thing to do was to download and unpack the gzipped tarball. I copied sec.pl to /usr/local/bin/sec.pl and renamed the sec.pl.man file to sec.pl.1, gzipped it and copied it to /usr/share/man/man1/sec.pl.1.gz so that man sec.pl works.

The startup script in the contrib area was copied to /etc/init.d/sec, made executable ('chmod a+x') and edited to work with our setup. The changes are shown here:
[atgrid:contrib]# diff /etc/init.d/sec ./startup.redhat
30c30
< if [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sec ; then
---
> if [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sensors ; then
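Review bot: the diff is run with the edited script as the first argument (`diff /etc/init.d/sec ./startup.redhat`), so the `<` lines here are the new local version and the `>` lines are the untouched contrib original, the reverse of the usual old-then-new reading; either swap the arguments or say so next to the listing so a reader does not reapply the changes backwards.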
44c44
< if [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sec ; then
---
> if [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sensors ; then
65c65
< [ -e /var/lock/subsys/sec ] && restart || :
---
> [ -e /var/lock/subsys/sensors ] && restart || :
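Review bot: these three hunks rename the subsys lock file from `sensors` to `sec` in the start, stop and condrestart paths, which is what the rc shutdown sequence keys on, but the NOTE under this listing says `service sec status` is still broken, so the status branch (not part of this diff) still carries something from the lm_sensors script; grep the whole file for any remaining `sensors` reference and point the status check at the sec.pl process so that the lock file, process name and status agree.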
101,102c101,102
< # Config to monitor output of AGLT2 syslog-ng
< -detach -conf=/usr/local/etc/sec/*.sec -input=/var/log/sec -log=/var/log/sec.log
---
> # Config to monitor local1
> -detach -conf=/usr/local/etc/sec/local1.sec -input=/var/log/local1 -log=/var/log/sec.log
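Review bot: `-conf=/usr/local/etc/sec/*.sec` makes every file matching that pattern an active ruleset at the next start or restart, including a community example copied into the directory before its mail commands and destination address have been adjusted; keep rulesets that are still being edited outside that directory (or under another extension) until they are reviewed, and note in the comment that `-input=/var/log/sec` must already exist as the named pipe fed by syslog-ng when the service starts.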
NOTE: the 'service sec status' command is broken because the script was copied from an lm_sensors example script. This needs fixing.
The already existing /var/log/sec file on atgrid was just a regular file. I stopped syslog-ng, removed the existing /var/log/sec, created a new pipe via 'mkfifo /var/log/sec' and restarted syslog-ng.
Configuration of SEC
This task is the most critical part of getting SEC set up on AGLT2. As you can see from the init script above, we use all SEC configuration files found at /usr/local/etc/sec/*.sec.

Since we are running SNORT, I grabbed an example ruleset for it. The list of example rulesets I got from the community repository is:
snort.sec
ssh.sec
general.sec
portscan.sec
cisco-syslog.sec
The basic changes to the above scripts were to substitute smckee@umich.edu for any destination email address and to replace any occurrence of mail or mailx commands with the specific command /bin/mail.
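A small ruleset in the same form as the community examples, added here as an illustration of the rule format and of the /bin/mail substitution described above; it is not one of the repository files. The file name, the exempted address 192.0.2.10 and ADMIN_EMAIL@example.com are constructed placeholders, and the patterns assume the stock OpenSSH "Failed password" message arrives on the pipe with its syslog prefix intact.

```sec
# /usr/local/etc/sec/ssh-threshold.sec (constructed example file name).
# Picked up automatically because the init script passes
# -conf=/usr/local/etc/sec/*.sec.

# Drop failures coming from the monitoring host (192.0.2.10 is a
# placeholder) so they never reach the counting rule below. A Suppress
# rule stops further processing of a matching event in this file.
type=Suppress
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for .* from 192\.0\.2\.10 port

# Five failed logins for the same user from the same address within 60
# seconds produce one mail. SEC keeps one correlation counter per
# distinct desc string, so the $1/$2 pair in desc is what makes the
# count per user and source. The action calls /bin/mail explicitly and
# pipes the desc text (%s) to it, as the edited community rulesets do.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+
desc=SSH: $2 failed to log in as $1 five times within 60 seconds
action=pipe '%s' /bin/mail -s 'SEC alert from atgrid' ADMIN_EMAIL@example.com
window=60
thresh=5
```

Because the init script loads the whole directory, placing this file under /usr/local/etc/sec and restarting the sec service is all that is needed to activate it; /var/log/sec.log shows it being loaded.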
As of January 28th around 1 PM Eastern the sec.pl script was running on atgrid and processing the output of syslog-ng. You can check status and output by looking at /var/log/sec.log.

-- ShawnMcKee - 28 Jan 2009