5222629 2000-06-23 00:42 /157 lines/ Postmaster
Recipient: Bugtraq (import) <11382>
Subject: Bruce 1.0 EA3: Networked Host-Vulnerability Scanner for Solaris and Linux
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Disclaimer: If you think I speak for Sun then you greatly over-estimate my importance here.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <18597.961610224@colossus>
Date: Wed, 21 Jun 2000 10:57:04 -0700
Reply-To: "Keith A. Watson" <Keith.Watson@ENG.SUN.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Keith A. Watson" <Keith.Watson@ENG.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Sun Professional Services would like to announce the availability of:

    Sun Enterprise(TM) Network Security Service:
    "Bruce" - a Networked Host-Vulnerability Scanner for Solaris and Linux
    v1.0 Early Access 3 (Beta)

    URL:     http://www.sun.com/software/communitysource/senss/
    Queries: mailto:bruce-interest@sun.com

SENSS "Bruce" is a flexible, Java-based infrastructure that permits
centralized security management of small, medium and large-sized
intranets.

The Bruce software provides you with a network service daemon that
should be installed on each host in your network; these daemons are
linked together in a hierarchy of trust. This hierarchy may be used for
the distribution and execution of digitally-signed packages containing
(Java, binary, or script) code that may be used to check and fix host
security issues in a bulk, batch-oriented manner. Execution requests
are likewise digitally signed, replay attacks are prevented, and
network communications are secured by access-control lists and
pluggable authentication and secrecy modules. Output generated during
the process of checking is in HTML format, and percolates to the root
of the hierarchy, where it is browsable.
The Bruce software is not yet complete; this is the Early Access 3
(EA3) release, that we (the Bruce development team) are making
available for the benefit of parties with a professional interest in
network security, for their experimentation and comment. The EA3
release is supported on the Solaris and Linux platforms, using the
recommended set of Java 2 Virtual Machines (VMs); however the target
platforms for the 1.0 Release version of Bruce include Solaris, Linux,
Windows NT/2000, and a selection of other operating systems which will
support the Java 2 VM.

** Downloading

SENSS Bruce is available for download from the Sun website:

    http://www.sun.com/software/communitysource/senss/

...and licensing, support, and other queries may be addressed to the
Bruce community mail list:

    bruce-interest@sun.com

An announcement mail list also exists. Subscription details for both
the community and announcement lists are supplied in the software FAQ
and in the download bundle.

** Licensing

SENSS Bruce is being released under the Sun Community Source License
(SCSL) because it falls into a class of security tools which need to be
extremely secure in order to be useful; in this instance, the best way
to ensure that the internal mechanisms of Bruce are proof against
attack is to open them to complete public scrutiny - therefore we wish
licensees of this code to have access to the complete source code, and
thus we ship source as the standard download bundle.

It is intended that the SENSS Bruce software (including source code)
will remain under some license that permits access and use, for no
cost, to private individuals, research and academic sites, and for some
forms of company-internal use.

The version of the SCSL used for Bruce has been adapted in order to
ease some licensing concerns with respect to "example code" that would
benefit from greater exposure - please refer to the associated license
information for details.
** Changes since Early Access 2 (EA2)

Here is a summary of the changes that have been made to the SENSS Bruce
system daemon (bruced) and supporting software, in the EA3 release:

- Core Bruce classes "sealed"
- Solaris 8 system JDK support
- Additional brucecmd options/features
- Report harvesting optimized
- SecureRandom device now seeded from /dev/random, if it exists
- brucesetup functionality moved to brucecnf command and reimplemented
  in Java
- brucepkg command reimplemented in Java

** Bugs and Issues

Bruce EA3 is a beta-release, and as such several issues and bugs are
known to exist in the EA3 codebase; these issues include:

1) Some implementations of the Java 2 VM are not suitable for Bruce
   execution, due to memory-footprint or threading issues; notably some
   native-thread-enabled JVMs under Linux, where the underlying
   threading mechanism can have a high impact upon the hosting O/S when
   running Bruce, and some implementations where signal-handling in
   native-threaded Linux JVMs is not reliable. A list of recommended
   Java 2 VMs is provided with the software.

2) Various scalability issues.

3) Command-line-only generation/execution of audit launch requests.

4) Migration to XML for report output.

5) Lack of cryptosecrecy functionality, to simplify software-export
   issues in the early-access release.

All of the above issues are being addressed, and it is intended that
the software development effort will continue in an open-book manner,
sharing patches amongst the Bruce community.

** Thanks

The Bruce development team would like to take time to thank their
development team alumni and friends, in alphabetic order: Peter
Cunningham, Rob Diamond, Casper Dik, Cheri Dowell, Dan Farmer, Sandeep
Kumar, David Leftwich, Linda McCarthy, Cathy Pielich, Brad Powell,
Christoph Schuba, Bert Sutherland, Glenn Wright and Diego Zamboni, and
all others who have aided in the development of SENSS Bruce.
The Bruce development team is Alec Muffett (architect/lead programmer)
and Keith Watson (programmer/technical developer), aided by members of
Sun Professional Services' GESS and EMEA teams.
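The announcement above says that Bruce distributes digitally-signed packages down a hierarchy of trust, that execution requests are themselves signed, and that replay attacks are prevented. The following is an added illustration of how such a request can be bound to a package and made non-replayable; it is not Bruce's code and does not reproduce Bruce's wire format. It assumes a message layout (package digest, command, nonce, timestamp, signature) of its own choosing, and it uses an HMAC-SHA256 with a shared key in place of the asymmetric digital signature Bruce describes, purely so that it runs with the Python standard library alone; the check logic is the same whichever signature primitive sits underneath.

```python
"""Signed execution requests with replay protection (added illustration).

Not Bruce's own code. HMAC-SHA256 over a canonical encoding stands in for
the asymmetric signature the Bruce announcement describes; the field
names below are assumptions made for this example.
"""
import hashlib
import hmac
import json
import os
import time

SIG_FIELD = "sig"


def canonical(msg: dict) -> bytes:
    """Deterministic byte encoding of every field except the signature."""
    body = {k: v for k, v in msg.items() if k != SIG_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, msg: dict) -> dict:
    """Return a copy of msg carrying a MAC over its canonical form."""
    signed = dict(msg)
    signed[SIG_FIELD] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return signed


def signature_ok(key: bytes, msg: dict) -> bool:
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get(SIG_FIELD, ""))


def package_digest(payload: bytes) -> str:
    """The request names the package by digest, so the two cannot be mixed."""
    return hashlib.sha256(payload).hexdigest()


def make_request(key: bytes, payload: bytes, command: str, now=None) -> dict:
    """What the root of the hierarchy issues: a signed request naming a
    package by digest, with a fresh nonce and an issue timestamp."""
    return sign(key, {
        "pkg": package_digest(payload),
        "cmd": command,
        "nonce": os.urandom(16).hex(),
        "ts": int(now if now is not None else time.time()),
    })


class Agent:
    """Stand-in for a per-host daemon that verifies requests before acting.

    Replay protection: a request must carry a timestamp inside `window`
    seconds of the agent's clock AND a nonce the agent has not yet seen
    within that window. The window bounds how long nonces must be kept.
    """

    def __init__(self, key: bytes, window: int = 300):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def _prune(self, now: int) -> None:
        # Nonces older than the window can never validate again (the
        # timestamp check rejects them), so they need not be remembered.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[nonce]

    def accept(self, request: dict, payload: bytes, now=None):
        """Return (ok, reason). Order matters: verify the signature first so
        that no unauthenticated field influences any later decision."""
        now = int(now if now is not None else time.time())
        self._prune(now)
        if not signature_ok(self.key, request):
            return (False, "bad signature")
        if abs(now - int(request["ts"])) > self.window:
            return (False, "stale timestamp")
        if request["nonce"] in self.seen:
            return (False, "replayed nonce")
        if package_digest(payload) != request["pkg"]:
            return (False, "package does not match request")
        self.seen[request["nonce"]] = now
        return (True, "executing %s" % request["cmd"])


if __name__ == "__main__":
    key = b"example shared key"  # constructed for the example
    pkg = b"#!/bin/sh\nfind / -perm -4000 -type f\n"  # constructed payload
    agent = Agent(key)
    req = make_request(key, pkg, "run")
    print(agent.accept(req, pkg))   # accepted
    print(agent.accept(req, pkg))   # same request again: replayed nonce
```

The timestamp window and the nonce cache work together: the window alone would let an attacker replay a captured request for the whole window, and the nonce cache alone would have to grow without bound. Checking the signature before anything else is deliberate, since the timestamp and nonce are attacker-controlled until the signature has been verified.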