HOW TO ADD A NEW SECURITY TEST INTO SAM

For each new security test intended to be used by SAM, you must provide two files:

  • a file describing the test
  • the test script

A Test Description File

File Naming Convention:

Name this file <sensor name>-<test name>.def, where <sensor name> is the service type your script will test:

ArcCE, BDII, CE, FTS, LFC, MyProxy, RB, RGMA, SE, SRM, SRMv2, VOBOX, VOMS, gCE, gRB, sBDII

An example would be: CE-wn-sec-crl.def

Structure:

Inside this file you must specify the following fields:

testName: <sensor name>-<test name>
testTitle: <a short line describing the test>
testAbbr: <an abbreviation name>
testHelp: <a URL pointing to the documentation>
EOT

Note that the file must end with a single line containing only EOT.

An example of this file would be:

testName: CE-wn-sec-crl
testTitle: CRLs validity on WN
testAbbr: crl
testHelp: http://grid.cyfronet.pl/sam-doc/CE/CE-wn-sec-crl.html
EOT

The Test Script

File Naming Convention:

As explained above, name this file <sensor name>-<test name>.

Example: CE-wn-sec-crl

Exit Code:

When executed, the test must return one of these values:

Value           Description
0               Cannot determine service status
$SAME_OK        Service is running as expected
$SAME_WARNING   Service may be degraded in some way, or about to become degraded
$SAME_ERROR     Service has a problem affecting functionality and/or availability

Note that UNKNOWN is used by the probe when the probe has an internal problem which means that it cannot accurately determine the status of the service. This is different from, for instance, the service not being contactable.

The Test Output and Encrypting Part of its Data:

The test can print to stdout whatever you consider interesting, in HTML-compatible format. Example:

<h2>Searching files writtable for Other</h2>
<p>Checking files and directories found in env vars...<br/>Detailed results may not be publicly visible.</p>
<br>
Here you can put the detailed result of the test <br>
in HTML compatible format<br>
<br>
EOT

However, sensitive information must be encrypted first. To do this, we recommend storing all output in a variable, then encrypting and printing the sensitive data at the end of the script execution.

Here is an example of a bash function that prints the test output and encrypts the sensitive part of it (what was previously stored in the output variable):

function Print_Summary_Metric_Results () {
   echo "<h2>Searching files writtable for Other</h2>"
   echo "<p>Checking files and directories found in env vars...<br/>Detailed results may not be publicly visible.</p>"

   # Public part: only the overall verdict is printed in clear text
   if [ "$total_errors" -gt 0 ]; then
      echo "<h4><font color=red>ERROR</font></h4>"
   else
      echo "<h4><font color=green>OK</font></h4>"
   fi

   OPENSSL=$(command -v openssl)
   ENCRYPTION_CERT="$SAME_HOME/sensors/common/sam-cert.pem"

   # SSL is mandatory for security tests
   if [ -z "$OPENSSL" ]; then
      echo "<p><i>FAILED</i> - Cannot find OpenSSL, detailed results will <b>not</b> be available.</p>"
      return_code=$SAME_WARNING
   fi

   # A certificate is also mandatory to encrypt the results.
   # The variable is never empty, so test that the file is readable.
   if [ ! -r "$ENCRYPTION_CERT" ]; then
      echo "<p><i>FAILED</i> - Cannot find an encryption certificate, detailed results will <b>not</b> be available.</p>"
      return_code=$SAME_WARNING
   fi

   # The detailed results are only printed encrypted, inside an HTML comment.
   # Without OpenSSL or the certificate they are not printed at all.
   if [ -n "$OPENSSL" ] && [ -r "$ENCRYPTION_CERT" ]; then
      echo "<!--"
      CRYPTED_OUTPUT=$(echo -e "${output}" | "${OPENSSL}" smime -encrypt -des3 "${ENCRYPTION_CERT}")
      echo -e "BEGIN_ENCRYPTED_RESULT\n${CRYPTED_OUTPUT}\nEND_ENCRYPTED_RESULT"
      echo "-->"
   fi

}

If adding such a function to your test is painful because you cannot test it in a real environment, we'll do it for you when we integrate your test into SAM. More work for us but...
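
One way to exercise the encryption step locally, without a SAM installation (an added example, not part of the original page or of SAM): it encrypts to a throwaway self-signed certificate, wraps the result in the same markers, then extracts and decrypts it again. The function names, the certificate subject and the sample finding are assumptions made for this illustration.

```bash
# Added example, not SAM code. All function names are hypothetical.

# Create a throwaway self-signed certificate and private key in directory $1.
make_test_cert () {
   openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sam-local-test" \
      -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Encrypt stdin to certificate $1 and wrap it in the markers the page uses.
wrap_encrypted () {
   local crypted
   crypted=$(openssl smime -encrypt -des3 "$1") || return 1
   printf '<!--\nBEGIN_ENCRYPTED_RESULT\n%s\nEND_ENCRYPTED_RESULT\n-->\n' "$crypted"
}

# Read a complete test output on stdin, cut out the text between the markers
# and decrypt it with private key $1 and certificate $2.
unwrap_and_decrypt () {
   # smime without -binary may leave CRLF line endings, so CR is stripped.
   sed -n '/^BEGIN_ENCRYPTED_RESULT$/,/^END_ENCRYPTED_RESULT$/p' | sed '1d;$d' \
      | openssl smime -decrypt -inkey "$1" -recip "$2" | tr -d '\r'
}

# Return 0 only if the finding $1 survives the round trip and does not
# appear in clear text anywhere in the published output.
roundtrip_check () {
   local secret dir published recovered
   secret=$1
   dir=$(mktemp -d) || return 1
   make_test_cert "$dir" || { rm -rf "$dir"; return 1; }
   published=$(echo "<h4><font color=green>OK</font></h4>"
               printf '%s\n' "$secret" | wrap_encrypted "$dir/cert.pem")
   recovered=$(printf '%s\n' "$published" | unwrap_and_decrypt "$dir/key.pem" "$dir/cert.pem")
   rm -rf "$dir"
   case "$published" in *"$secret"*) return 1 ;; esac
   [ "$recovered" = "$secret" ]
}

# Constructed sample finding, used only to demonstrate the round trip.
roundtrip_check "/opt/exp_soft is writable for other" && echo "round trip OK"
```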

Where to submit your new tests

Once you have the two files, send them by email to: same-devel@cernNOSPAMPLEASE.ch

SAM security tests in CVS

You can find all SAM tests at this CVS location.

Currently there are only two security tests, which are:

Questions/Comments

If you have any questions about this procedure, feel free to send an email to: sam-support@cernNOSPAMPLEASE.ch


-- RomainWartel - 03 Sep 2007

Topic revision: r7 - 2007-10-30 - DavidCollados
 