Archive for October, 2009
Today I was giving a presentation at the Ethical Hacking workshop of the Electrical Engineering Students' Hungarian Association's annual workshop series. The presentation was in English, and I mainly presented my previous Ethical Hacking conference presentation again. It was pretty much OK, and almost all of my live demo did work. (It was even a surprise for me!)
You can get the slides from here.
I have been a bit silent recently, and it is not because I do not work; indeed, we are working hard on the upcoming SSB 1.1 release.
Starting with this release we introduced a new release cycle system. Rather than having long and big release cycles, we introduced the concept of so-called feature releases, where we introduce only a few changes at a time but release more often. We generally maintain two tracks of releases: a stable track with longer support, where only bugs are fixed and no enhancements are added, and a feature track, where new features are added. However, feature track releases are only supported until the next feature release. You can read more on this new system on the syslog-ng roadmap page.
SSB 1.1 is a feature release scheduled for 2009Q4 with the following enhancements (some changes are originating from SCB 2.0):
High Availability improvements
SSB will be able to use the production interfaces (external/management) as redundant heartbeat links between the nodes of the SSB cluster. This will prevent split-brain scenarios in case the primary HA link fails.
SSB will be able to monitor the next-hop routers from the nodes and trigger a takeover if the monitored routers become inaccessible from the master node while still available from the slave node.
Enhanced reporting and statistics
It will be possible to display the number of collected log messages as bar or pie charts in the reports and on the dashboards.
Reports and statistics will include charts on Top Talkers, Top Host names, Top Programs and others.
Users will be able to create and customize periodic reports to include charts and lists from syslog-ng statistics, as well as statistics on the collected log messages (including messages stored in SQL databases and the indexed logspaces).
Searching and indexing
Users will be able to create and save reusable filters on the Search pages. Permissions can be assigned to global filters to grant access to certain log messages for users who have no SSB access otherwise.
Users will be able to display the distribution of the log messages based on certain parameters (like sender address, hostname, program, facility etc.) as graphical charts. The charts can be included in custom periodic reports as well to provide more details on log messages.
Search queries on logspaces can be restricted to certain columns only, instead of searching the whole message.
It will be possible to index and search encrypted logspaces. Decryption keys can be assigned to logspaces, or user-specific key stores can be created.
Message classification extensions
SSB 1.1 will support version 3.1 of the pattern database format and functionality, including full tagging and value assignment support. The tags and name/value pairs assigned to log messages can be used in logpath filters, and can also be stored and searched later.
Other miscellaneous changes
SSB 1.1 will support both SNMP version 2c and 3 (with authentication and encryption). SSB will be able to send SNMP traps and reply to queries using both version 2c and 3. To allow only authenticated and encrypted SNMP access, it will be possible to disable SNMP 2c.
Users logging in to the SSB web interface can also be authenticated against RADIUS servers. Group membership will be stored locally or queried from an LDAP/AD directory. Challenge/response based authentication will not be supported in this version of SSB.
For locally stored SSB users, a password policy can be used to enforce password expiry and strength checking.
Configuration can be exported using PGP/GPG encryption. Public keys can be configured and used in both manual export and during automatic configuration backups.
It will be possible to seal SSB during its initial configuration or any time later to disable remote SSH access to SSB and disallow changing the root password. Sealed mode can be turned off only from the local console.
I am back from my trip in Asia (Russia, Mongolia, China) and slowly getting back to work. Last weekend we had a sunny and very nice Saturday for the First Hungarian IT Security Football Cup, which was organized by BalaBit, mainly by Bence. The cup was open to the esec.hu member companies to see who is the best at soccer and who makes the best goulash soup or stew-pot.
We had a wonderful day – unfortunately with one injury – and a lot of colleagues and friends joined us. The soccer champion this time was the team of Kurt, while all of the chefs did an amazing job, though the jury liked the Virusbuster goulash the best. (It was very good, maybe a bit spicy…)
We were good at goulash cooking (thanks to Attila and the girls), but we need to do more training and exercises for next year's cup.