ANN: Bruce 1.0ea2: Networked Host-Vulnerability Scanner for Solaris & Linux

[alecm () COYOTE UK SUN COM (Alec Muffett)]

Sun Professional Services would like to announce the availability of:

             Sun Enterprise(TM) Network Security Service:
           "Bruce" - a Networked Host-Vulnerability Scanner
                        for Solaris and Linux

                     v1.0 Early Access 2 (Beta)

       URL: http://www.sun.com/software/communitysource/senss/

                Queries: mailto:bruce-feedback () sun com

SENSS "Bruce" is a flexible, Java-based infrastructure that permits
centralized security management of small, medium and large-sized
intranets.

The Bruce software provides you with a network service daemon that
should be installed on each host in your network; these daemons are
linked together in a hierarchy of trust.

This hierarchy may be used for the distribution and execution of
digitally-signed packages containing (java, binary, or script) code
that may be used to check and fix host security issues in a bulk,
batch-oriented manner.

Execution requests are likewise digitally signed, replay attacks are
prevented, and network communications are secured by access-control
lists and pluggable authentication and secrecy modules.

Output generated during the process of checking is in HTML format, and
percolates to the root of the hierarchy, where it is browsable.

The Bruce software is not yet complete; this is the Early Access 2
(EA2) release, that we (the Bruce development team) are making
available for the benefit of parties with a professional interest in
network security, for their experimentation and comment.

The EA2 release is supported on the Solaris and Linux platforms, using
the recommended set of Java 2 Virtual Machines (VMs); however the
target platforms for the 1.0 Release version of Bruce include Solaris,
Linux, Windows NT, and a selection of other operating systems which
will support the Java 2 VM.

** Downloading

SENSS Bruce is available for download from the Sun website:

          http://www.sun.com/software/communitysource/senss/

...and licensing, support, and other queries may be addressed to:

                        bruce-feedback () sun com

Software interest and announcement maillists also exist; subscription
details are supplied in the software FAQ and in the download bundle.

** Licensing

SENSS Bruce is being released under the Sun Community Source License
(SCSL) because it falls into a class of security tools which need to
be extremely secure in order to be useful; in this instance, the best
way to ensure that the internal mechanisms of Bruce are proof against
attack is to open them to complete public scrutiny - therefore we wish
licensees of this code to have access to the complete source code, and
thus we ship source as the standard download bundle.

It is intended that the SENSS Bruce software (including source code)
will remain under some license that permits access and use, for no
cost, to private individuals, research and academic sites, and for
some forms of company-internal use.

The version of the SCSL used for Bruce has been adapted in order to
ease some licensing concerns with respect to "example code" that would
benefit from greater exposure - please refer to the associated license
information for details.

** Changes since Early Access 1 (EA1)

Here is a summary of the changes that have been made to the SENSS Bruce
system daemon (bruced) and supporting software, in the EA2 release:

    - Linux support
    - text documentation converted to HTML
    - faster build process
    - modular configuration process for increased portability
    - improved HTTP client caching mechanism
    - improved/optimized HTTP server

** New pollets

In addition to the above changes, extra security audit modules
("pollets", in SENSS Bruce parlance) have been added, including
the following:

  Solaris pollets

    solaris-patches -- downloads a patch database file and reports
        updated, missing, bad, Y2K, security, and recommended patches
        to install.

  Generic Unix pollets

    genunix-access-config -- provides basic sanity-checking of
        /etc/hosts.equiv, /.rhosts, /etc/ftpusers and /etc/shells

    genunix-aliases -- invokes "/usr/lib/sendmail -bv" to expand
        various system mail aliases, to ensure that they are left set
        or unset as appropriate.

    genunix-banners -- checks that /etc/issue and /etc/motd banner
        files are installed on each system.

    genunix-hosts -- performs several basic sanity-checks on /etc/hosts.

    genunix-passwd -- performs a number of basic formatting checks on
        the local /etc/passwd file, and reports duplication of UIDs and
        other dubious constructs.

    genunix-usrlocal -- checks for non-root-owned files in /usr/local,
        if it exists.

    genunix-wwritable -- attempts to identify files, devices and
        directories, that exist in the local filestore, and which have
        world-writable permissions which may be incorrect.

  Java pollets

    java-url-exe -- remotely downloads a file from the specified URL
        and checks its contents against a MD5 hash value specified in
        a configuration file.  If the file's hash value is unchanged,
        a command is executed against the file.

...and a variety of other work-in-progress pollets for reference.

** Bugs and Issues

Bruce EA2 is a beta-release, and as such several issues and bugs are
known to exist in the EA2 codebase; these issues include:

1) Some implementations of the Java 2 VM are not suitable for Bruce
   execution, due to memory-footprint or threading issues; notably
   some native-thread-enabled JVMs under Linux, where the underlying
   threading mechanism can have a high impact upon the hosting O/S
   when running Bruce, and some implementations where signal-handling
   in native-threaded Linux JVMs is not reliable.

   A list of recommended Java 2 VMs is provided with the software.

2) Various scalability issues.

3) Command-line-only generation/execution of audit launch requests.

4) Migration to XML for report output.

5) Lack of cryptosecrecy functionality, to simplify software-export
   issues in the early-access release.

All of the above issues are being addressed, and it is intended that
the software development effort will continue in an open-book manner,
sharing patches amongst the Bruce community.

** Thanks

The Bruce development team would like to take time to thank their
development team alumni and friends, in alphabetic order: Peter
Cunningham, Rob Diamond, Casper Dik, Cheri Dowell, Dan Farmer, Sandeep
Kumar, David Leftwich, Linda McCarthy, Cathy Pielich, Brad Powell,
Christoph Schuba, Bert Sutherland, Glenn Wright and Diego Zamboni, and
all others who have aided in the development of SENSS Bruce.

The Bruce development team is Alec Muffett (architect/lead programmer)
and Keith Watson (programmer/technical developer), aided by members of
Sun Professional Services' GESS and EMEA teams.

--