+1
On Thu, Sep 16, 2010 at 7:16 AM, Christian Grobmeier <grobme...@gmail.com> wrote:
> All,
>
> this vote will fail in three hours because nobody responds to it. Are there any objections against this proposal? Or why is this vote ignored?
>
> Best regards,
> Christian
>
> On Wed, Sep 15, 2010 at 4:06 PM, Urs Lerch <m...@ulerch.net> wrote:
> > Hi everybody out there
> >
> > The vote for ALOIS ends in about 24 hours. Are there any more comments or votes? We would appreciate it to get to know your opinion.
> >
> > Best
> > Urs
> >
> > On Monday, 13.09.2010, 11:33 -0400, Urs Lerch wrote:
> >> Hi
> >>
> >> Since the first call a few weeks ago didn't succeed (more mentors were asked), I would like to call a second vote for accepting the security information and event management tool "ALOIS" for incubation in the Apache Incubator. Thanks to Christian Grobmeier we now have at least two mentors. But any additional mentors are still warmly welcome. The full proposal is available below and on the proposal wiki page (http://wiki.apache.org/incubator/AloisProposal).
> >>
> >> Please cast your vote:
> >>
> >> [ ] +1, bring ALOIS into Incubator
> >> [ ] +0, I don't care either way,
> >> [ ] -1, do not bring ALOIS into Incubator, because...
> >>
> >> This vote will be open for 72 hours and, at least that's the way I understood, only votes from the Incubator PMC are binding.
> >>
> >> Thanks,
> >> Urs
> >>
> >> -----------------------------------------------------------------------
> >>
> >> = Preface =
> >>
> >> ALOIS is a log collection and correlation software with reporting and alarming functionalities. It has been implemented by the Swiss company IMSEC for a customer about five years ago. GPL-licensed, implemented in Ruby and completely based on other OSS-licensed components, it was designed for the open source community right from the start. Now that the software has shown its functioning over several years in production with the one customer and one IMSEC-internal installation, it seems to be the right time to open it to a wider community.
> >>
> >> = Abstract =
> >>
> >> ALOIS stands for "Advanced Logging and Intrusion Detection System" and is meant to be a fully implemented open source SIEM (security information and event management) system.
> >>
> >> = Proposal =
> >>
> >> While almost all other SIEM software, be it closed or open source, concentrates on the technological part of security monitoring, ALOIS is aimed to monitor the security of the content. It intends to be pro-active in the detection of potential loss, theft, mistaken modification or unauthorized access. ALOIS works on log messages and thus contains all the basic functionality of a conventional SIEM, such as centralized collecting, normalizing, aggregation, analyzing and correlating of all log messages, as well as reporting all security related events. Therefore it can be used as any other SIEM.
> >>
> >> ALOIS consists of five modules interacting to ensure a scalable functionality of a SIEM:
> >>
> >> * Insink is the message sink, which is the receiving entry point for all the different log messages into ALOIS. It is partly based on the syslog-ng software. Insink listens for messages (UDP), waits for messages (TCP), receives message collections (files, emails) and pre-filters them to prevent message flow overload.
> >>
> >> * Pumpy is the incoming FIFO buffer, implemented as relational database tables, which contain the incoming original messages (in raw format). In a complex system setup, there may be several insink instances, e.g. for a group of hosts, for specific types of messages, or for high availability.
> >>
> >> * Prisma contains logic to split up the text of log messages into separate fields, based on regular expressions. Actually, "prisma" is a set of "prismi", one prisma for each type of log message (apache, cisco etc.). Several prismi can be applied to the same message. This allows for stacked messages, i.e. forwarded log messages contained in compressed files contained in e-mail messages. The data retrieved from the log messages is stored in a database called Dobby. Due to prisma being written in Ruby, prismi can be applied interactively (when having system access).
> >>
> >> * Dobby is the central log database. It should be separated from the Pumpy database for availability and performance reasons. The current implementation is based on MySQL.
> >>
> >> * The Analyzer contains the two sub-systems Lizard and Reptor. Lizard is the analysis engine and user interface of ALOIS, implemented in Ruby on Rails using AJAX. It allows for interactive browsing through the collected data, exclusion/inclusion/selection of data, data sorting, data filtering, creation of views, ad-hoc textual and graphical reporting. Reptor allows for automatic activation of views and comparison of these views' results to a predefined result (pattern matching). In case of mismatch, Reptor sends the result to predefined e-mail addresses.
> >>
> >> Its modular design guarantees ALOIS to scale from small to large organizations. Since there exists a Debian package, it's easy to build a test system or even a productive system for small environments.
> >>
> >> Although the software has been in productive use for a few years, there is still a lot of desired functionality missing. The pluggability of new connected systems is given, but needs some revision. It is a given goal of the project to allow modules in other programming languages. Furthermore, it has been discussed if parts of the existing implementation may be replaced with other proven open source software, e.g. the correlation engine or the web frontend. The other way round, it has been discussed that the filter creation engine would make a good tool for any kind of structured data, and thus could be separated from ALOIS and standardized as a stand-alone tool.
> >>
> >> = Background =
> >>
> >> It's not simple to know what happens in a bigger network. There's a multitude of applications, services and appliances working together. Many of them provide some kind of events or state information. The network administrator needs to get hands on all of them. But they come in many different flavors and over multiple channels. Therefore, it's hard to get the big picture. Furthermore, we have learned that it's impossible to protect a system against all malicious attacks and to keep all the possible faulty handling away. A monitoring of the systems to guarantee a pro-active handling is therefore needed.
> >>
> >> Therefore, more and more organizations collect and analyze all logfiles in a centralized system, called a SIEM (security information and event management). The technology provides two major functions for security events from networks, systems and applications: log management and compliance reporting (SIM - security information management) and real-time monitoring and incident management (SEM - security event management).
> >>
> >> = Rationale =
> >>
> >> Why another security information and event management system? It's true, there's already plenty of them. While the proprietary software is way too expensive for smaller to mid-sized companies, we find that the open source solutions are either too simple or not completely open. For example, behind each of the well known systems "OSSIM" and "Prelude", there is a company that either closes central functionality for its own business or has dual licensing and therefore asks the full copyright for all contributed code.
> >>
> >> ALOIS is aimed to be totally free and open for all contributions. The openness provided for other programming languages is certainly proof of this. The pluggability - yet to be further developed - is meant to guarantee that individual needs can be realized without stressing the whole system too much. In our opinion, the Linux kernel is a good example that this can work very well.
> >>
> >> Since we are in accordance with "the Apache way", we would be very pleased if ALOIS could become part of the Apache community. In addition, the Apache Logging Services would be a perfect home for the software. Furthermore, it's not the intention to compete with the already existing log viewer and analyzing tool "Chainsaw". Since Chainsaw is a relatively easy tool, it meets a rather different need. Nevertheless, if the two projects use synergies, both can profit.
> >>
> >> = Initial Goals =
> >>
> >> When this project started in 2005, there was no proven SIEM open source software and the commercial tools were way too expensive for the needed environment. Therefore, we decided together with a customer of ours to implement an open source SIEM tool from scratch. Now the software has run in a production environment for several years and has proven its functionality and reliability.
> >>
> >> = Current Status =
> >>
> >> == Meritocracy ==
> >>
> >> As already mentioned, ALOIS is already in production use in two organizations. All the code has been written by two persons of the same company in a paid employment relationship. It is obvious that this is way different from the open source approach within Apache. But nevertheless, the two developers have always worked as a team and the decisions were made in consensus whenever possible. But it is no secret that these developers have to learn to behave in an open community. Understanding this potential problem, they already got support by a freelance consultant, who has the corresponding experience and knowledge.
> >>
> >> == Community ==
> >>
> >> Until today there is no real community, because the project hasn't been published officially, although it had been completely published on the web site for a couple of months (until a server relaunch). Convinced by the concept and design of the software, we are open and hope to reach many contributors and users. We think that it is realistic, because the SIEM issue has not yet been resolved in the OSS space.
> >>
> >> == Core Developers ==
> >>
> >> ALOIS was developed by Simon Hürlimann and Flavio Pellanda, both employed by the company IMSEC. Concerning design and architecture, Marcus Holthaus, owner of IMSEC, gave his input as security specialist. Since the beginning of this year, Urs Lerch, a doctorate on the subject of commercial open source software development, supports the team with his knowledge. Simon Hürlimann left the company three years ago, but is still active in the OSS environment (although not for ALOIS). Current employee Daniel Lutz (a Debian Developer) has also contributed to the project.
> >>
> >> == Alignment ==
> >>
> >> Besides the fact that we strongly believe in the "Apache way", we think that although Apache hosts the Logging Services and different security projects, there is a gap when it comes to a superordinate security view. We therefore think it a good idea to add our SIEM project to the Apache repository. On the other side, Apache would become an even more complete software repository.
> >>
> >> = Known Risks =
> >>
> >> == Orphaned products ==
> >>
> >> Since the software is only maintained by employees of one company, there is a severe risk of being orphaned. But, on the one hand, the company has a sustained interest in keeping the project alive, because there are plans to offer services on top of ALOIS, and IMSEC uses the software for SIEM on their own systems. For this reason there exists a budget for the development and support of ALOIS. On the other hand, we believe that ALOIS is of great interest for other people and companies tied to IT security. Therefore, our step to the Apache incubator is also a step to a bigger community.
> >>
> >> == Inexperience with Open Source ==
> >>
> >> While ALOIS has always been licensed under the GPL, access to the source code, bug tracker and version control system has been restricted to internal users for most of the time. But the company has a strong belief in the open source movement and therefore engages its employees to take part in the community. Furthermore, it is also a strategic decision to build services on top of Linux.
> >>
> >> We understand that the Apache Incubator is a great opportunity for us to get assistance when it comes to specific questions on open source development. Even more, the company has created a part time position for the open source community work.
> >>
> >> == Homogenous Developers ==
> >>
> >> Although ALOIS has been developed by employees of only one company, there is a thorough openness. The company is designed to stay small and therefore works with several independent partners. Furthermore, its employees work in geographically different parts of the country. Therefore, it is no new experience for the developers to work in a distributed environment and argue rather than to command. Already today the employees are enforced to document all face-to-face communication in the internal wiki. Sketches are photographed and stored in the project's digital folder.
> >>
> >> == Reliance on Salaried Developers ==
> >>
> >> Until today all the development of ALOIS has been made in a paid employment. Therefore we know that this brings a significant danger. Since it is our stated aim to encourage participation and recruit committers, we hope to eliminate this risk as soon as possible. Furthermore, the employees of IMSEC are all open source enthusiasts and are in one way or another active in the community. Although we have no certainty, there is good indication that the current committers would continue their work on ALOIS, even if they wouldn't be paid for it.
> >>
> >> == Relationships with Other Apache Products ==
> >>
> >> The Apache Logging Service would be a perfect home for ALOIS as a centralized logging collection and analyzing tool. Furthermore, we think that we could share part of the code with the Chainsaw subproject, since both need similar functionality in the web frontend. Since it is our stated aim to replace our own code with proven open source libraries, we are open for any collaboration with other projects. For example, the replacement of MySQL with a NoSQL database might be useful for performance reasons; therefore HBase is a good candidate.
> >>
> >> == An Excessive Fascination with the Apache Brand ==
> >>
> >> The Apache brand is in fact on its own a very good reason to join the Incubator. But much more our desire to become part of the Apache Incubator is our strong belief in open source software in general and in the "Apache way" in particular. We would love to learn from the experience and knowledge of the foundation's members and participants, which is an important part of the brand as well. The foundation has shown many times that it has the processes and people to succeed in launching a project. We would be very proud to be part of this success story.
> >>
> >> = Documentation =
> >>
> >> The documentation is rather weak and scattered. It has mainly been maintained on a wiki and is open to improvement. Since we are totally aware that this is a killer for a successful open source project, we have already started an internal project with its own budget to improve this shortcoming. Once the project has been launched, writing a blog or opening a forum are other possibilities we already thought of.
> >>
> >> Furthermore, as the employees are used to working in a geographically distributed environment, a lot of the internal communication happens in a chat. Thus, opening a new chat channel for the community is scheduled. (To document the discussions for all those who were off-line, we would send the logs daily to the mailing list.)
> >>
> >> = Initial Source =
> >>
> >> Although the initial source comes from a project for a customer, it has had an open source licence since the beginning. Therefore it doesn't have any proprietary code in it. A thorough revision before releasing it to a public repository is recommended and is also in planning.
> >>
> >> The initial source will be a snapshot of the version control system, accompanied by a related Debian package.
> >>
> >> = Source and Intellectual Property Submission Plan =
> >>
> >> ALOIS is currently under a GPL licence. Since there are only two contributors so far, both from the same company, there is no problem to re-licence the code and contribute it to Apache. The commitment of the company's owner has been granted.
> >>
> >> = External Dependencies =
> >>
> >> So far, no external dependencies are known. As mentioned before, a thorough revision of the codebase is in planning. There it can be controlled that no other licence is affected by the code.
> >>
> >> = Cryptography =
> >>
> >> ALOIS does not involve cryptographic code.
> >>
> >> = Required Resources =
> >>
> >> == Mailing lists ==
> >>
> >> The following mailing lists will be required:
> >>
> >> * alois-private
> >> * alois-dev
> >> * alois-commits
> >> * alois-users
> >>
> >> == Subversion Directory ==
> >>
> >> https://svn.apache.org/repos/asf/incubator/alois
> >>
> >> == Issue Tracking ==
> >>
> >> JIRA ALOIS (ALOIS)
> >>
> >> == Other Resources ==
> >>
> >> We would like to open a chat channel. If this isn't possible within the infrastructure of Apache, we would love to do this in our own already existing infrastructure.
> >>
> >> = Initial Committers =
> >>
> >> * NAME EMAIL AFFILIATION CLA
> >> * Flavio Pellanda flavio.pellanda at logintas dot ch IMSEC no
> >> * Urs Lerch mail at ulerch dot net IMSEC yes
> >> * Daniel Lutz daniel.lutz at logintas dot ch IMSEC no
> >> * Marcus Holthaus marcus.holthaus at imsec dot ch IMSEC no
> >>
> >> = Sponsors =
> >>
> >> == Champion ==
> >>
> >> * Scott Deboy <sdeboy at apache dot org>
> >>
> >> == Nominated Mentors ==
> >>
> >> * Scott Deboy <sdeboy at apache dot org>
> >> * Christian Grobmeier <grobmeier at apache dot org>
> >>
> >> == Sponsoring Entity ==
> >>
> >> The Incubator PMC (requested)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
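The stacked field extraction the proposal describes for Prisma (one prisma per message type, several applied in sequence when one message is wrapped inside another) can be sketched in Ruby, the proposal's implementation language. This is an added example, not ALOIS project code: the Prisma struct, apply_stack, the two sample prismi and the log lines are all constructed assumptions.

```ruby
# A "prisma" is a named regular expression with named captures. A stack of
# prismi is applied in order: each one consumes the field the previous one
# left as its inner payload (here: an Apache access-log line forwarded inside
# a syslog message). Names and API are hypothetical, not ALOIS's own.
Prisma = Struct.new(:name, :regex, :inner_field) do
  # Returns the captured fields as a hash, or nil if this prisma does not
  # match (the message is of another type).
  def apply(text)
    m = regex.match(text)
    return nil unless m
    m.names.each_with_object({}) { |n, h| h[n] = m[n] }
  end
end

# Constructed sample prismi. SYSLOG extracts the transport envelope and leaves
# the payload in "msg"; APACHE splits a combined-format access log entry.
SYSLOG = Prisma.new(
  "syslog",
  /\A<(?<pri>\d+)>(?<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?<host>\S+) (?<prog>[^:\[\s]+)(?:\[(?<pid>\d+)\])?: (?<msg>.*)\z/,
  "msg"
)
APACHE = Prisma.new(
  "apache",
  /\A(?<client>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) (?<proto>[^"]+)" (?<status>\d{3}) (?<bytes>\d+|-)\z/,
  nil
)

# Apply a stack of prismi. Fields are prefixed with the prisma name so that
# "syslog.host" and "apache.client" never collide. Parsing stops at the first
# prisma that does not match; the part no prisma understood is kept under
# "_unparsed" so the raw content is never silently dropped.
def apply_stack(raw, prismi)
  fields = { "_parsed_by" => [] }
  text = raw
  prismi.each do |p|
    captured = p.apply(text)
    unless captured
      fields["_unparsed"] = text
      break
    end
    fields["_parsed_by"] << p.name
    captured.each { |k, v| fields["#{p.name}.#{k}"] = v unless k == p.inner_field }
    break unless p.inner_field     # last prisma in the chain: nothing inside
    text = captured[p.inner_field]
  end
  fields
end

# Constructed sample: an Apache line forwarded through syslog (not a real log).
SAMPLE = '<134>Sep 16 07:16:02 web01 apache[2231]: 203.0.113.7 - - [16/Sep/2010:07:16:01 +0200] "GET /login HTTP/1.1" 403 512'

if __FILE__ == $0
  apply_stack(SAMPLE, [SYSLOG, APACHE]).each { |k, v| puts "#{k}: #{v}" }
end
```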