BOSS project: Concept paper for Nessus improvements
Dear Nessus developers,

Finally we completed the translation of our concept paper
into the English language. From now on only the English version
will be further maintained.

So, if you are interested feel free to read it (and let us know
what you think):

http://ftp.intevation.de/boss/concept/

Best

Jan
--
Jan-Oliver Wagner http://intevation.de/~jan/

Intevation GmbH http://intevation.de/
FreeGIS http://freegis.org/
Re: BOSS project: Concept paper for Nessus improvements
Hi David,

[ I am answering to nessus-devel as it might be of general interest ]

On Tue, Sep 07, 2004 at 12:58:52PM +0200, David Maciejak wrote:
> I just quickly read your pdf,
>
> I don't understand why you want to do a SLAD agent which needs to be compiled
> on target system.
>
> You can do that (launch commands and return results) from local security
> check that comes with nessus devel branch

I am not the designer of BOSS - Lukas can give a detailed answer for sure.

However, with SLAD we want to avoid having the whole nessus server
installed on a system that is suspected to be compromised itself.
To my understanding it makes sense to have nessusd only on
a system where you are pretty sure it is not compromised - otherwise
the reported results could already be faked.

But your question is a very valid one.
We should add a section to the concept that exactly explains this
question: Why don't we use nessusd's new features for local
security check.

Thanks a lot

Jan
--
Jan-Oliver Wagner http://intevation.de/~jan/

Intevation GmbH http://intevation.de/
FreeGIS http://freegis.org/
Re: BOSS project: Concept paper for Nessus improvements
On Tue, Sep 07, 2004 at 01:13:12PM +0200, Jan-Oliver Wagner wrote:
> However, with SLAD we want to avoid having the whole nessus server
> installed on a system that is suspected to be compromised itself.

The Nessus local security checks don't require a nessusd server on the
tested host, only sshd running (and an ssh account).



-- Renaud
Re: BOSS project: Concept paper for Nessus improvements
>
>On Tue, Sep 07, 2004 at 01:13:12PM +0200, Jan-Oliver Wagner wrote:
>> However, with SLAD we want to avoid having the whole nessus server
>> installed on a system that is suspected to be compromised itself.
>
>The Nessus local security checks don't require a nessusd server on the
>tested host, only sshd running (and an ssh account).

That's right. But since we are running local tests against a potentially
compromised system we cannot be sure that the various auditing and intrusion
detection tools installed locally have not been tampered with. SLAD delivers
the infrastructure plus all the tools we want to use in one single image
file which you can verify by checksum (see concept document for more
details). But it's a very valid question and I will add a section to the
concept document for clarification.

Boris
Re: BOSS project: Concept paper for Nessus improvements
> That's right. But since we are running local tests against a potentially
> compromised system we cannot be sure that the various auditing and intrusion
> detection tools installed locally have not been tampered with. SLAD delivers
> the infrastructure plus all the tools we want to use in one single image
> file which you can verify by checksum (see concept document for more
> details). But it's a very valid question and I will add a section to the
> concept document for clarification.

Installing new security tools on a compromised system will not give you
more security than using compromised ones. For example, if a rootkit hacks
(or hooks) some kernel calls, I'm not sure your newly installed tools
will give you correct results.

You can use sshd as SLAD listener. It will be easier than creating a new
network protocol. Maybe you will need to add sftp support, though.

But if you really want to do something like that, I don't think (just my
opinion) it should be integrated to nessus.
Doing client/server communication and management (modification of
configuration files) is not the goal of Nessus.
I did something like that to manage logs with ssh plugin. It worked but
had nothing to do in Nessus.
It should be added in higher level, for example in your boss management
console.

Regards,

Nicolas
Re: BOSS project: Concept paper for Nessus improvements
On Wed, Sep 08, 2004 at 02:38:54PM +0200, Nicolas Pouvesle wrote:
> > That's right. But since we are running local tests against a potentially
> > compromised system we cannot be sure that the various auditing and intrusion
> > detection tools installed locally have not been tampered with. SLAD delivers
> > the infrastructure plus all the tools we want to use in one single image
> > file which you can verify by checksum (see concept document for more
> > details). But it's a very valid question and I will add a section to the
> > concept document for clarification.
>
> Installing new security tools on a compromised system will not give you
> more security than using compromised ones. For example, if a rootkit hacks
> (or hooks) some kernel calls, I'm not sure your newly installed tools
> will give you correct results.

Of course you can never be 100% safe. Still I think the hurdle would be
just a bit higher for the average crackers if we bring our own auditing
tools with us.

> But if you really want to do something like that, I don't think (just my
> opinion) it should be integrated to nessus.
> Doing client/server communication and management (modification of
> configuration files) is not the goal of Nessus.
> I did something like that to manage logs with ssh plugin. It worked but
> had nothing to do in Nessus.
> It should be added in higher level, for example in your boss management
> console.

Nessus has a very nice and tested infrastructure like the protocol and KB.
IMHO it makes sense to take advantage of this rather than to invent
new things. SLAD is just another Plugin for Nessus Server. Nessus Server
needs not to be modified, at least AFAIU.

Jan
--
Jan-Oliver Wagner http://intevation.de/~jan/

Intevation GmbH http://intevation.de/
FreeGIS http://freegis.org/