ANN: Bruce 1.0ea2: Networked Host-Vulnerability Scanner for

From: Alec Muffett (alecmat_private)
Date: Thu Feb 17 2000 - 10:08:37 PST


    Sun Professional Services would like to announce the availability of:
    
    
    	     Sun Enterprise(TM) Network Security Service:
    	   "Bruce" - a Networked Host-Vulnerability Scanner
    			for Solaris and Linux
    
    
    		     v1.0 Early Access 2 (Beta)
    
    
           URL: http://www.sun.com/software/communitysource/senss/
    
    		Queries: mailto:bruce-feedbackat_private
    
    
    SENSS "Bruce" is a flexible, Java-based infrastructure that permits
    centralized security management of small, medium and large-sized
    intranets.
    
    The Bruce software provides you with a network service daemon that
    should be installed on each host in your network; these daemons are
    linked together in a hierarchy of trust.
    
    This hierarchy may be used for the distribution and execution of
    digitally-signed packages containing (java, binary, or script) code
    that may be used to check and fix host security issues in a bulk,
    batch-oriented manner.
    
    Execution requests are likewise digitally signed, replay attacks are
    prevented, and network communications are secured by access-control
    lists and pluggable authentication and secrecy modules.
    
    Output generated during the process of checking is in HTML format, and
    percolates to the root of the hierarchy, where it is browsable.
    
    
    The Bruce software is not yet complete; this is the Early Access 2
    (EA2) release, which we (the Bruce development team) are making
    available for the benefit of parties with a professional interest in
    network security, for their experimentation and comment.
    
    The EA2 release is supported on the Solaris and Linux platforms, using
    the recommended set of Java 2 Virtual Machines (VMs); however the
    target platforms for the 1.0 Release version of Bruce include Solaris,
    Linux, Windows NT, and a selection of other operating systems which
    will support the Java 2 VM.
    
    
    ** Downloading
    
    SENSS Bruce is available for download from the Sun website:
    
    	  http://www.sun.com/software/communitysource/senss/
    
    ...and licensing, support, and other queries may be addressed to:
    
    			bruce-feedbackat_private
    
    Software interest and announcement maillists also exist; subscription
    details are supplied in the software FAQ and in the download bundle.
    
    
    ** Licensing
    
    SENSS Bruce is being released under the Sun Community Source License
    (SCSL) because it falls into a class of security tools which need to
    be extremely secure in order to be useful; in this instance, the best
    way to ensure that the internal mechanisms of Bruce are proof against
    attack is to open them to complete public scrutiny - therefore we wish
    licensees of this code to have access to the complete source code, and
    thus we ship source as the standard download bundle.
    
    It is intended that the SENSS Bruce software (including source code)
    will remain under some license that permits access and use, for no
    cost, to private individuals, research and academic sites, and for
    some forms of company-internal use.
    
    The version of the SCSL used for Bruce has been adapted in order to
    ease some licensing concerns with respect to "example code" that would
    benefit from greater exposure - please refer to the associated license
    information for details.
    
    
    ** Changes since Early Access 1 (EA1)
    
    Here is a summary of the changes that have been made to the SENSS Bruce
    system daemon (bruced) and supporting software, in the EA2 release:
    
        - Linux support
        - text documentation converted to HTML
        - faster build process
        - modular configuration process for increased portability
        - improved HTTP client caching mechanism
        - improved/optimized HTTP server
    
    
    
    ** New pollets
    
    In addition to the above changes, extra security audit modules
    ("pollets", in SENSS Bruce parlance) have been added, including
    the following:
    
      Solaris pollets
    
        solaris-patches -- downloads a patch database file and reports
    	updated, missing, bad, Y2K, security, and recommended patches
    	to install.
    
      Generic Unix pollets
    
        genunix-access-config -- provides basic sanity-checking of
    	/etc/hosts.equiv, /.rhosts, /etc/ftpusers and /etc/shells
    
        genunix-aliases -- invokes "/usr/lib/sendmail -bv" to expand
    	various system mail aliases, to ensure that they are left set
    	or unset as appropriate.
    
        genunix-banners -- checks that /etc/issue and /etc/motd banner
    	files are installed on each system.
    
        genunix-hosts -- performs several basic sanity-checks on /etc/hosts.
    
        genunix-passwd -- performs a number of basic formatting checks on
    	the local /etc/passwd file, and reports duplication of UIDs and
    	other dubious constructs.
    
        genunix-usrlocal -- checks for non-root-owned files in /usr/local,
    	if it exists.
    
        genunix-wwritable -- attempts to identify files, devices and
    	directories that exist in the local filestore and which have
    	world-writable permissions which may be incorrect.
    
      Java pollets
    
        java-url-exe -- remotely downloads a file from the specified URL
    	and checks its contents against an MD5 hash value specified in
    	a configuration file.  If the file's hash value is unchanged,
    	a command is executed against the file.
    
    ...and a variety of other work-in-progress pollets for reference.
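    The kind of check the genunix-passwd pollet performs, shown here as an
    added example in Python rather than any code from the Bruce bundle: it
    parses a constructed /etc/passwd sample, reports malformed lines, empty
    password fields, non-numeric UIDs, extra UID-0 accounts and duplicated
    UIDs. The field layout and the sample entries are assumptions, not taken
    from the announcement.

```python
import collections
from typing import List

# Constructed sample /etc/passwd contents for the demonstration;
# not copied from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
broken:x:1003:1003:Missing fields
carol:x:abc:1004:Carol:/home/carol:/bin/bash
"""


def check_passwd(text: str) -> List[str]:
    """Return one human-readable finding per problem found in passwd text."""
    findings: List[str] = []
    uid_owners = collections.defaultdict(list)  # uid -> [account names]
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines are tolerated
        fields = line.split(":")
        if len(fields) != 7:  # name:pw:uid:gid:gecos:home:shell
            findings.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"line {lineno}: {name} has an empty password field")
        if not uid.isdigit():
            findings.append(f"line {lineno}: {name} has non-numeric UID {uid!r}")
            continue
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: {name} has UID 0 (root equivalent)")
        uid_owners[uid].append(name)
    # Duplicate UIDs: two accounts sharing a UID are the same user to the kernel.
    for uid, names in uid_owners.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in check_passwd(SAMPLE_PASSWD):
        print(finding)
```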
    
    
    
    ** Bugs and Issues
    
    Bruce EA2 is a beta release, and as such several issues and bugs are
    known to exist in the EA2 codebase; these issues include:
    
    1) Some implementations of the Java 2 VM are not suitable for Bruce
       execution, due to memory-footprint or threading issues; notably
       some native-thread-enabled JVMs under Linux, where the underlying
       threading mechanism can have a high impact upon the hosting O/S
       when running Bruce, and some implementations where signal-handling
       in native-threaded Linux JVMs is not reliable.
    
       A list of recommended Java 2 VMs is provided with the software.
    
    2) Various scalability issues.
    
    3) Command-line-only generation/execution of audit launch requests.
    
    4) Migration to XML for report output.
    
    5) Lack of cryptosecrecy functionality, to simplify software-export
       issues in the early-access release.
    
    
    All of the above issues are being addressed, and it is intended that
    the software development effort will continue in an open-book manner,
    sharing patches amongst the Bruce community.
    
    
    
    ** Thanks
    
    The Bruce development team would like to take time to thank their
    development team alumni and friends, in alphabetic order: Peter
    Cunningham, Rob Diamond, Casper Dik, Cheri Dowell, Dan Farmer, Sandeep
    Kumar, David Leftwich, Linda McCarthy, Cathy Pielich, Brad Powell,
    Christoph Schuba, Bert Sutherland, Glenn Wright and Diego Zamboni, and
    all others who have aided in the development of SENSS Bruce.
    
    The Bruce development team is Alec Muffett (architect/lead programmer)
    and Keith Watson (programmer/technical developer), aided by members of
    Sun Professional Services' GESS and EMEA teams.
    
    --
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:45 PDT