HOW TO ADD A NEW SECURITY TEST INTO SAM

For each new security test intended to be used by SAM, you must provide two files:

  • a file describing the test
  • the test script

A file describing the test

File Naming Convention:

Name this file in the format <sensor name>-<test name>.def, where <sensor name> is the service type your script will test:

ArcCE, BDII, CE, FTS, LFC, MyProxy, RB, RGMA, SE, SRM, SRMv2, VOBOX, VOMS, gCE, gRB, sBDII

An example would be: CE-wn-sec-crl.def

Structure:

Inside this file you must specify the following fields:

testName: <sensor name>-<test name>
testTitle: <a short line describing the test>
testAbbr: <an abbreviation name>
testHelp: <a URL pointing to the documentation>
EOT

Note that the file must end with a single line containing only EOT.

An example of this file would be:

testName: CE-wn-sec-crl
testTitle: CRLs validity on WN
testAbbr: crl
testHelp: http://grid.cyfronet.pl/sam-doc/CE/CE-wn-sec-crl.html
EOT
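
A description file can be checked against the rules above before it is submitted. The following is an added example, not part of the original page or of SAM itself; the function name check_def, its messages and the http/https test on testHelp are assumptions of this example.

```sh
#!/bin/sh
# Lint a SAM test description file against the naming and structure rules above.
# Sensor names are the ones listed on this page.
SENSORS="ArcCE BDII CE FTS LFC MyProxy RB RGMA SE SRM SRMv2 VOBOX VOMS gCE gRB sBDII"

fail() { echo "$file: $1"; errs=1; }

# check_def FILE: print one line per problem; return 0 if clean, 1 otherwise.
check_def() {
    file=$1; errs=0
    [ -r "$file" ] || { echo "$file: not readable"; return 1; }
    case $file in *.def) ;; *) fail "file name must end in .def" ;; esac
    base=$(basename "$file" .def)

    # The name must be <sensor name>-<test name> with a listed sensor.
    sensor=""
    for s in $SENSORS; do
        case $base in "$s"-?*) sensor=$s ;; esac
    done
    [ -n "$sensor" ] || fail "name does not start with a listed sensor name"

    # Each of the four keys must appear exactly once, with a value.
    for key in testName testTitle testAbbr testHelp; do
        n=$(grep -c "^$key: *[^ ]" "$file" || true)
        [ "$n" -eq 1 ] || fail "expected one '$key:' line with a value, found $n"
    done

    # testName repeats the file name without the .def suffix.
    name=$(sed -n 's/^testName: *//p' "$file" | head -n 1)
    [ "$name" = "$base" ] || fail "testName '$name' does not match file name '$base'"

    # testHelp must be a URL (http/https is an assumption of this example).
    grep -Eq '^testHelp: *https?://[^ ]+' "$file" || fail "testHelp is not an http(s) URL"

    # The file ends with a single line containing only EOT.
    [ "$(tail -n 1 "$file")" = "EOT" ] || fail "last line must be exactly EOT"
    return $errs
}

# Demo: the page's example file, recreated in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/CE-wn-sec-crl.def" <<'EOF'
testName: CE-wn-sec-crl
testTitle: CRLs validity on WN
testAbbr: crl
testHelp: http://grid.cyfronet.pl/sam-doc/CE/CE-wn-sec-crl.html
EOT
EOF
check_def "$demo_dir/CE-wn-sec-crl.def" && echo "CE-wn-sec-crl.def: OK"
```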

The test script

File Naming Convention:

As explained before, name this file in the format <sensor name>-<test name> (without the .def extension).

Example: CE-wn-sec-crl

Encrypted Test Output:

When executed, the test must return one of these values:

Value  Status    Description
0      UNKNOWN   Cannot determine service status
10     OK        Service is running as expected
40     WARNING   Service may be degraded in some way, or about to become degraded
60     CRITICAL  Service has a problem affecting functionality and/or availability

Note that UNKNOWN is used when the probe itself has an internal problem and therefore cannot accurately determine the status of the service. This is different from, for instance, the service not being contactable.

At the same time, the test can print whatever you want to stdout, in HTML-compatible format. Example:

<br>
Here you can put the detailed result of the test <br>
in HTML compatible format<br>
<br>
EOT

However, sensitive information must be encrypted first.

Here is a bash example for this:

SAME_HOME="$HOME/same"
OPENSSL=$(command -v openssl)
ENCRYPTION_CERT="$SAME_HOME/client/sensors/common/sam-cert.pem"

# SAME_WARNING is assumed to be provided by the SAM environment
# (this page does not define it).

# OpenSSL is mandatory for security tests
if [ -z "$OPENSSL" ]; then
        echo "<p><i>ERROR</i> - Cannot find OpenSSL, detailed results will <b>not</b> be available.</p>"
        result_check=$SAME_WARNING
fi

# A readable certificate is also mandatory to encrypt the results
if [ ! -r "$ENCRYPTION_CERT" ]; then
        echo "<p><i>ERROR</i> - Cannot find an encryption certificate, detailed results will <b>not</b> be available.</p>"
        result_check=$SAME_WARNING
fi

##########################
# COMPONENT SPECIFIC PART
##########################

# Your test goes here. It must set:
#   OUTPUT        the detailed (sensitive) result text
#   result_check  the status value to return (see the table above),
#                 unless it was already set to WARNING above

#############################
# Encrypting OUTPUT
#############################

# Print the detailed result only when it can be encrypted. If OpenSSL or the
# certificate is missing, the error messages above have already reported that
# the detailed results are not available, so nothing is printed in clear text.
if [ -n "$OPENSSL" ] && [ -r "$ENCRYPTION_CERT" ]; then
        echo "<!--"
        CRYPTED_OUTPUT=$(echo -e "${OUTPUT}" | "${OPENSSL}" smime -encrypt -des3 "${ENCRYPTION_CERT}")
        echo -e "BEGIN_ENCRYPTED_RESULT <br /> ${CRYPTED_OUTPUT} <br /> END_ENCRYPTED_RESULT"
        echo "-->"
fi

exit $result_check

Where to submit your new tests

Once you have the two files, send them by email to: same-devel@cernNOSPAMPLEASE.ch


-- RomainWartel - 03 Sep 2007

Topic revision: r4 - 2007-09-14 - DavidCollados
 