HOW TO ADD A NEW SECURITY TEST INTO SAM

For each new security test intended to be used by SAM, you must provide two files:

  • a file describing the test
  • the test script

A Test Description File

File Naming Convention:

You should call this file in the format < sensor name >-< test name >.def, where < sensor name > is the service type your script will test:

ArcCE, BDII, CE, FTS, LFC, MyProxy, RB, RGMA, SE, SRM, SRMv2, VOBOX, VOMS, gCE, gRB, sBDII

An example would be: CE-wn-sec-crl.def

Structure:

Inside this file you must specify the:

testName: <sensor name>-<test name>
testTitle: <a short line describing the test>
testAbbr: <an abbreviation name>
testHelp: <a URL pointing to the documentation>
EOT

Note that you should end the file with a single line having EOT

An example of this file would be:

testName: CE-wn-sec-crl
testTitle: CRLs validity on WN
testAbbr: crl
testHelp: http://grid.cyfronet.pl/sam-doc/CE/CE-wn-sec-crl.html
EOT

The Test Script

File Naming Convention:

As explained before, call this file in the format < sensor name >-< test name >

Example: CE-wn-sec-crl

Exit Code:

When executing the test, it must return one of these values:

Value Description
0 Cannot determine service status
$SAME_OK Service is running as expected
$SAME_WARNING Service may be degraded in some way, or about to become degraded
$SAME_ERROR Service has a problem affecting functionality and/or availability

Note that UNKNOWN is used by the probe when the probe has a internal problem which means that it cannot accurately determine the status of the service. This is different, for instance, to the service not being contactable.

The Test Output and Encrypting Part of its Data:

About the test output, it can print to stdout whatever you consider interesting in HTML compatible format. Example:

<h2>Searching files writtable for Other</h2>
<p>Checking files and directories found in env vars...<br/>Detailed results may not be publicly visible.</p>
<br>
Here you can put the detailed result of the test <br>
in HTML compatible format<br>
<br>
EOT

but the sensible information must be encrypted first. For this, we recommend to store in a variable all the outputs, and print & encrypt the sensible data at the end of the script execution.

Here you have an example of a bash function that outputs the test encrypting part of it (what we previously stored in the output variable):

function Print_Summary_Metric_Results () {
   echo "<h2>Searching files writtable for Other</h2>"
   echo "<p>Checking files and directories found in env vars...<br/>Detailed results may not be publicly visible.</p>"

   if [ $total_errors -gt 0 ]; then
      echo "<h4><font color=red>ERROR</font></h4>"
   else
      echo "<h4><font color=green>OK</font></h4>"
   fi

   OPENSSL=`which openssl`
   ENCRYPTION_CERT=$SAME_HOME/sensors/common/sam-cert.pem

   # SSL is mandatory for security tests
   if [ "x$OPENSSL" == "x" ]; then
      echo "<p><i>FAILED</i> - Cannot find OpenSSL, detailed results will <b>not</b> be available.</p>"
      return_code=$SAME_WARNING
   fi

   # A certificate is also mandatory to encrypt the results
   if [ "x$ENCRYPTION_CERT" == "x" ]; then
      echo "<p><i>FAILED</i> - Cannot find an encryption certificate, detailed results will <b>not</b> be available.</p>"
      return_code=$SAME_WARNING
   fi

   if [ "x$ENCRYPTION_CERT" != "x" ]; then
      if [ "x$OPENSSL" != "x" ]; then
         echo "<!--"
         CRYPTED_OUTPUT=`echo -e "${output}" | ${OPENSSL} smime -encrypt -des3 ${ENCRYPTION_CERT}`
         echo -e "BEGIN_ENCRYPTED_RESULT\n${CRYPTED_OUTPUT}\nEND_ENCRYPTED_RESULT"
         echo "-->"
      fi
   else
      echo $output
   fi

}

If adding such a function to your test is painful because you cannot test in a real environment, we'll do it for you when we will integrate your test into SAM. More work for us but...

Where to submit your new tests

Once you have the two files, send them by email to: same-devel@cernNOSPAMPLEASE.ch

SAM security tests in CVS

You can find all SAM tests at this CVS location.

By now there are only two security tests, which are:

Questions/Comments

If you have any question about this procedure, feel free to send an email to: sam-support@cernNOSPAMPLEASE.ch


-- RomainWartel - 03 Sep 2007

Edit | Attach | Watch | Print version | History: r7 < r6 < r5 < r4 < r3 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r7 - 2007-10-30 - DavidCollados
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback