Portaudit Central 1.0

Portaudit is intended to run daily against your ports directory, identifying known vulnerabilities against a central database. Each night it produces an email that gets sent out and requires inspection.

The problem with this is that with many FreeBSD hosts the emails can simply be too many, and I tend not to look at them.

Portaudit Central provides a means for delivering portaudit output to a central email box which will then produce a simple HTML based report of all machines. You can view a Sample Report produced using these scripts.

The server-side script will call logger(1) with some useful diagnostic messages, but the lines being logged include some variables from the environment. I developed this under Exim, and the environment variables it logs are set by Exim. It will still work under another MTA; the worst that will happen is that some log entries will be missing details like the sender and message id.

I've taken some steps to prevent man-in-the-middle attacks. An attacker could in theory produce a report that says a host has no vulnerabilities when in fact it does. To combat this a few things are done:

  • Only one report per host per day. Any reports after the first one will result in errors being logged; this should be a clear indication that you've either configured multiple clients with the same $hostname or someone is up to no good.
  • Each email sent has a very simple crypto signature: an MD5 hash of the body of the message and a passphrase, md5(body, passphrase). As long as your passphrases are secure (they aren't sent along in the email, so no-one can sniff them), someone else should not be able to produce a report that passes this check, regardless of report content. Even if your passphrase gets compromised, you should be alerted to tampering by the log entries produced by the duplicate-checking mechanism above, as long as you monitor your log files.
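The two checks above, written out as an added example that is not part of Portaudit Central's own Perl scripts. It follows the scheme the post describes (an MD5 digest over the message body and a per-host passphrase, plus one accepted report per host per day) so that the order of the checks and what gets logged is visible; the hostnames, passphrases, dates and the `ReportInbox` class are all constructed for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed per-host passphrases; the real scripts keep these in Perl variables.
PASSPHRASES = {
    "web1.example.org": "correct horse battery staple",
    "db1.example.org": "another secret phrase",
}


def sign_report(body: str, passphrase: str) -> str:
    """Signature as the post describes it: MD5 over the body and the passphrase.

    The passphrase never travels with the mail; only this hex digest does.
    """
    return hashlib.md5(body.encode("utf-8") + passphrase.encode("utf-8")).hexdigest()


class ReportInbox:
    """Server-side acceptance: duplicate check first, then the signature check."""

    def __init__(self, passphrases):
        self.passphrases = passphrases
        self.seen = set()   # (hostname, report date) pairs already accepted
        self.log = []       # lines the real script would hand to logger(1)

    def accept(self, hostname: str, report_date: date, body: str, signature: str) -> bool:
        key = (hostname, report_date)
        if key in self.seen:
            # Two clients share $hostname, or someone is replaying/forging reports.
            self.log.append(f"error: duplicate report for {hostname} on {report_date}")
            return False

        passphrase = self.passphrases.get(hostname)
        if passphrase is None:
            self.log.append(f"error: no passphrase configured for {hostname}")
            return False

        expected = sign_report(body, passphrase)
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(expected, signature):
            self.log.append(f"error: bad signature on report from {hostname}")
            return False

        # Only a report that passed the signature check counts towards the
        # one-per-day limit, so a rejected forgery cannot block the genuine one.
        self.seen.add(key)
        self.log.append(f"info: accepted report from {hostname} for {report_date}")
        return True


if __name__ == "__main__":
    inbox = ReportInbox(PASSPHRASES)
    body = "0 problem(s) in the installed packages found."   # constructed portaudit output
    sig = sign_report(body, PASSPHRASES["web1.example.org"])
    print(inbox.accept("web1.example.org", date(2008, 3, 2), body, sig))   # True
    print(inbox.accept("web1.example.org", date(2008, 3, 2), body, sig))   # False, duplicate
    print("\n".join(inbox.log))
```

A rejected forgery is logged but not recorded as "seen", so an attacker who cannot sign cannot lock out the genuine report; an attacker who has the passphrase and sends first is what the duplicate log line is meant to surface. If you rewrite the scripts, the standard keyed-hash construction for this purpose is HMAC (`hmac.new(passphrase, body, hashlib.md5)` here, Digest::HMAC in Perl) rather than a bare digest of body plus passphrase.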

I've used this system myself now for around a month and have been quite happy with it, but no-one else has had a look at it yet, so I'd appreciate feedback if anyone uses it. In the future I hope to make the output from the report generator themed; right now it's very ugly, but it does what it should. I will also move to an actual configuration file rather than editing some Perl variables. I'm open to other suggestions.

Version 1.0 can be downloaded here: portauditcentral-current.tgz. The full documentation, including installation instructions, can be found at the Wiki.

4 Comments

I'm not a computer audit expert. My strength lies more in the breaking down of systems and input into it.

Your post made total sense to me. Those two bulleted points, if I were checking what you're doing, would be a clear indication to me that you've got things covered, so to speak.

With the duplicate checking process you have I would presume that you could have your monitoring log files highlight the threats by order of time, and possibly severity?

It's Sunday! I'm not as computer literate as you so perhaps I'm not making sense and just talking from an audit viewpoint. Maybe it's time to ride my bike?

;-)

Yeah, it would be easy to extend my code to work with more sophisticated logging systems, it just calls an external tool to do the logging.

I have a pretty simple logging monitoring system so this does it for me :)

Hello,

I think this is a very useful tool. The only issue is that I could not find any portaudit-report.pl script in the package; can you upload it as well?
