Forum OpenACS Development: Ideas about: SIEM / IDS (Security Information and Event Management / Intrusion Detection System) for OpenACS / ]po[?


A customer recently asked us if we could keep track of failed login attempts. These events are kept in error.log, but this level of history is only available for a few days on a busy system.

In ]po[, we already employ a suit of im_alert_check_{integer|float|alphanum|...} procs for checking variables of insecure origin that we sometimes have to use. We currently send out individual emails, which is not great:

So what about a central in-memory store for security events with a bit of logic? I'd call this an "application-level SIEM". I'd also add the option to forward the security events to an enterprise level SIEM, to write a local security log, etc.

I've started to look at the acs-developer-support code for an example on how to use nsv_array, and I've got the first code working.

Before going for a full-blown implementation, I wanted to see if there are better ideas in the community already, or if somebody sees the need for such a package on the OpenACS level. We'd want to include such a package in our next ]po[ 5.2 release, which could be in 9-12 months.