Implementing an on demand security scanning application using Websphere Portal

This article, primarily for IT security professionals, describes how to use IBM WebSphere® Portal to encapsulate a security scan tool. Users can access a portal to request a scan of their own computers; they see the results of the scan in the portal or in an email. You learn how to integrate the scanning tool, which runs as a service on a server, with your company portal. The tool delivers the results of the scan to the user through the portal interface. Readers should have experience with Java programming, and have a good understanding of database development, the Nessus open-source vulnerability scanning tool, and portlet development for Websphere Portal.

Jing J Xu (xujjing@cn.ibm.com), IT Specialist, IBM

Jing J Xu is an IT Specialist in the IBM China Software Development Lab, where she is responsible for IT Security, including the use of WebSphere Portal security features.



01 February 2006

Introduction

Security scans are an important part of the network security strategy for a company. Network administrators often use tools to scan their users' computers. The administrator might send scan reports to users, and then push fixes to them to plug security holes. In this situation, network users know their pc security status only in a passive sense (when notified by the administrator).

In this article, you see a simple scenario in which users can scan their own computers, on demand, from a security portal deployed on WebSphere Application Server and WebSphere Portal. A portlet service integrates the scanning tool (in this example, the Nessus tool) and the user database. Users access the security portal to check their computers, and they get the results either on the portal or through email. Figure 1 illustrates a simple view of integrating this on demand security portal with the Nessus tool and the user database.

Figure 1: On demand security scan architecture

Configuring Websphere Portal

You configure Websphere Portal to avoid unauthorized access by using an LDAP directory for authentication. Your business logic for application portlets should be in or behind a layer of session beans. You want to restrict access to the session beans such that only appropriate LDAP user ids can access the entire session bean. For more info about LDAP, refer to the Resources section.

Acquiring the Nessus tool

Nessus is a popular open source vulnerability scanner. Organizations can use a tool like the Nessus tool to audit business critical enterprise devices and applications. For the scenario described in this article, download Nessus 3.0.1 for Linux/FreeBSD. See the Resources section for a link.

The Nessus server runs on the Linux platform only. Although a Windows client is listed on the Nessus Web site, for this scenario you need the server. (The client edition does not provide the scanning service.)

After installing and configuring it, you can launch the GUI, which provides a helpful user interface for scanning devices. Nessus also provides a command-line mode, so you can scan devices without launching the GUI; this is the mode you use to integrate the Nessus tool with your application. You can choose from eight formats for the result file, which is convenient for integration. Listing 1 shows the syntax of the Nessus command line.

Listing 1: Nessus command-line mode
nessus -q [-pPS] <host> <port> <user> <pass> <targets-file> <result-file> [-T <format>]
format: "nbe", "html", "html_graph", "text", "xml", "old-xml", "tex", or "nsr"

To create the example described in this article, I:

  1. Installed the Nessus tool in the /opt/nessus directory.
  2. Added a Nessus account (jing/jing4nessus).
  3. Saved a list of hosts to scan in /opt/nessus/host/targets.txt.
  4. Ran the command shown in Listing 2. The result file was created in /opt/nessus/report/result.html.

See the result.html file.

Listing 2: Nessus command-line example
nessus -q localhost 1241 jing jing4nessus ./host/targets.txt ./report/result.html

About the user information database

A user information database stores information about a company's users. If a user passes LDAP authentication and is able to log in to the portal, you can get his or her detailed information from the user database and provide an interactive session with the user. In this scenario, we retrieve the user's e-mail address so that the scan report can be sent to it. The example in this article uses IBM DB2®.

Why use a portal?

A portal provides a wide variety of services with a single user interface, and it only requires that users have a Web browser to access it (assuming they can be authenticated). Users do not need to install or configure a complex client. A portal is often composed of many portlet services which get requests from the portal interface, operate on the requests, and return the results to the portal interface. This mechanism meets our requirement of encapsulating the Nessus tool and the user information database in a portlet.

Creating the portlet

Each on demand scan request is single-threaded, and you need a session bean to encapsulate it. You can use a portlet to create a session bean for each request. The calls to the Nessus tool and user information database are encapsulated in two classes.

Examining the Nessus class

The Nessus class controls and interacts with the Nessus tool. You set the configuration information in the class, so that it can locate and call the Nessus tool. The target and report directories are created to store the target and result files. When a new instance of the class is created, the scan targets and user id are transferred into the instance for later work. This example limits the number of scans which can launch at one time to five. You can configure the number of scans launched at one time according to the performance of your server.

Listing 3: Constructor for the Nessus class
import java.io.*;

public class Nessus {
  private static final String Nessus_HOME = "/opt/nessus";
  private static final String Nessus_COMMAND = "bin/nessus";
  // The account created in step 2 of the setup; the article passes it on the command line
  private static final String Nessus_AUTH_INFO =
    "-q localhost 1241 jing jing4nessus";
  private static final String Nessus_TARGET_DIR = "target";
  private static final String Nessus_REPORT_DIR = "report";
  private static final String PATH_SEPARATOR = "/";
  public static final int Nessus_MAX_CLIENT = 5;   // scans allowed to run at one time
  public static int Nessus_Client = 0;             // scans currently running
  private static final Object LOCK = new Object(); // guards Nessus_Client
  private String result;
  private String lastErrorMessage = "";

  private String[] Nessus_HOST;
  private String UserID;

  public Nessus(String[] inNessus_HOST, String inUserID) {
    // Block until one of the Nessus_MAX_CLIENT slots is free
    // (the original spun in an empty loop with no synchronization)
    synchronized (LOCK) {
      while (Nessus_Client >= Nessus_MAX_CLIENT) {
        try {
          LOCK.wait();
        } catch (InterruptedException e) {
          Thread.currentThread().interrupt();
          throw new IllegalStateException("interrupted while waiting for a scan slot", e);
        }
      }
      ++Nessus_Client;
    }
    Nessus_HOST = inNessus_HOST;
    UserID = inUserID;
  }
  public void dispose() {
    // Release this instance's slot and wake any constructor waiting for one
    synchronized (LOCK) {
      if (Nessus_Client > 0) {
        --Nessus_Client;
      }
      LOCK.notifyAll();
    }
  }
  // init() and scanTarget() (Listings 4 and 5) complete the class
}

After you create a Nessus class instance, it needs to be initialized. The Nessus tool needs a target file as an argument for the scan. The target file contains the list of IP addresses or host names to be scanned. I assembled the file from the field called Nessus_HOST (as shown in Listing 4) and stored it in the directory called target.

Listing 4: Initializing a Nessus class instance
// Member of the Nessus class shown in Listing 3
public int init() {
  String Nessus_HOSTs = "";
  for (int i = 0; i < Nessus_HOST.length; ++i) {
    Nessus_HOSTs += Nessus_HOST[i] + "\n";   // one target per line (the original wrote "/n")
  }
  try {
    String filename = Nessus_HOME + PATH_SEPARATOR +
      Nessus_TARGET_DIR + PATH_SEPARATOR + UserID;
    File file = new File(filename);
    if (file.exists()) {
      file.delete();   // replace any target file left over from a previous scan
    }
    BufferedWriter fileDesc = new BufferedWriter(new FileWriter(filename));
    fileDesc.write(Nessus_HOSTs);
    fileDesc.close();
    fileDesc = null;
  } catch (IOException e) {
    lastErrorMessage = "Init failed!";
    return 1;
  }
  return 0;
}

The core method of the Nessus class, scanTarget(), calls the Nessus tool using the command-line interface. The method suspends until the Nessus tool returns the result, which it stores in the result directory.

Listing 5: Scanning the target directories
// Member of the Nessus class shown in Listing 3
public int scanTarget() {
  String targetfile = Nessus_HOME + PATH_SEPARATOR + Nessus_TARGET_DIR +
    PATH_SEPARATOR + UserID;
  String reportfile = Nessus_HOME + PATH_SEPARATOR + Nessus_REPORT_DIR +
    PATH_SEPARATOR + UserID + ".html";
  // Arguments are separated by spaces, matching the syntax in Listing 1 (the original joined
  // them with PATH_SEPARATOR, which produced one unusable path); -T html selects the HTML report
  String command = Nessus_HOME + PATH_SEPARATOR + Nessus_COMMAND + " " +
    Nessus_AUTH_INFO + " " + targetfile + " " + reportfile + " -T html";
  try {
    Process process = Runtime.getRuntime().exec(command);
    InputStreamReader ir = new InputStreamReader(process.getInputStream());
    LineNumberReader input = new LineNumberReader(ir);
    // Drain the output so the child never blocks on a full pipe, then wait for it to exit
    while (input.readLine() != null);
    if (process.waitFor() != 0) {
      lastErrorMessage = "Scan failed";
      return 1;
    }
  } catch (IOException | InterruptedException ex) {
    lastErrorMessage = "Scan failed";
    return 1;
  }
  result = reportfile;
  return 0;
}
public String getResult() {
  return result;
}
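As an added example (not the article's code), the following class hardens the launch sequence of Listings 3 to 5: it validates the user id and every target before they reach the file system or the command line, passes each argument as its own array element, enforces the five-scan limit with a semaphore instead of a busy-wait, and waits for the process to exit. The class name NessusLauncher, the regular expressions and the ten-minute wait are assumptions; the paths, port and -T option come from the article.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.List;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/** Hardened launcher for the Listing 1 command line (added example; NessusLauncher is an assumed name). */
public class NessusLauncher {
    private static final Path NESSUS_HOME = Paths.get("/opt/nessus");
    // Host names or IPv4 literals only, so no whitespace, shell characters or ranges reach the target file
    private static final Pattern TARGET = Pattern.compile("^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$");
    private static final Pattern USER_ID = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");
    // Same five-scan cap as Listing 3, enforced with a fair semaphore instead of a busy-wait loop
    private static final Semaphore SLOTS = new Semaphore(5, true);

    /** Writes the per-user target file; rejects any entry that is not a plain host name or address. */
    static Path writeTargets(String userId, List<String> targets) throws IOException {
        if (!USER_ID.matcher(userId).matches())
            throw new IllegalArgumentException("bad user id");      // keeps ".." out of the file name
        for (String t : targets)
            if (!TARGET.matcher(t).matches())
                throw new IllegalArgumentException("bad target: " + t);
        Path file = NESSUS_HOME.resolve("target").resolve(userId);
        Files.write(file, targets, StandardCharsets.UTF_8);         // one target per line
        return file;
    }

    /** Runs one scan; returns the HTML report path, or null if no slot freed up or nessus failed. */
    static Path scan(String userId, List<String> targets, String user, String pass)
            throws IOException, InterruptedException {
        Path targetFile = writeTargets(userId, targets);
        Path report = NESSUS_HOME.resolve("report").resolve(userId + ".html");
        if (!SLOTS.tryAcquire(10, TimeUnit.MINUTES)) return null;   // bounded wait, never an endless spin
        try {
            // Each argument is its own element, so a space or "/" in a value can never split the command
            ProcessBuilder pb = new ProcessBuilder(
                NESSUS_HOME.resolve("bin/nessus").toString(), "-q", "localhost", "1241",
                user, pass, targetFile.toString(), report.toString(), "-T", "html");
            pb.redirectErrorStream(true);
            Process p = pb.start();
            p.getInputStream().transferTo(OutputStream.nullOutputStream()); // drain so nessus cannot block (Java 11+)
            return p.waitFor() == 0 ? report : null;
        } finally {
            SLOTS.release();
        }
    }
}
```

The Nessus user name and password are still passed on the command line exactly as the article does it, so they remain visible in the process list on the scan server; keeping that account limited to the scanning role is the practical mitigation.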

Examining the UserInfo class

The UserInfo class controls and interacts with the user information database. In this example, it retrieves an email address from the database, which is used for mailing the result to the user. A single connection is shared by all queries to avoid wasting resources.

Listing 6: Sample of UserInfo
import java.sql.*;

public class UserInfo {
	private static final String DB2_JDBC_DRIVER = "COM.ibm.db2.jdbc.app.DB2Driver";
	private static final String UserInfo_DB_URL = "jdbc:db2:userinfo";
	private static final String UserInfo_DB_USER = "db2inst1";
	private static final String UserInfo_DB_PASS = "password";
	private static Connection con;          // single connection shared by all queries
	private static UserInfo userinfo;       // the one instance (singleton)
	private static String lastErrorMessage = "";

	private UserInfo() {
	}
	public static synchronized UserInfo getUserInfo() {
		if (userinfo == null) {
			try {
				Class.forName(DB2_JDBC_DRIVER);
			} catch (ClassNotFoundException e) {
				lastErrorMessage = "DB connect error!";
				return null;
			}
			try {
				con = DriverManager.getConnection(UserInfo_DB_URL,
					UserInfo_DB_USER, UserInfo_DB_PASS);
			} catch (SQLException ex) {
				lastErrorMessage = "DB login error!";
				return null;
			}
			userinfo = new UserInfo();   // created only once the connection is up
		}
		return userinfo;
	}
	public int dispose() {
		try {
			con.close();
		} catch (SQLException ex) {
			lastErrorMessage = "DB connect error!";
			return 1;
		}
		return 0;
	}
	// synchronized replaces the original busy-wait on a counter: one query at a time on the shared connection
	public synchronized String getEmail(String UserID) {
		// The id is bound as a parameter rather than concatenated into the SQL text, so a
		// user id containing quotes or SQL fragments cannot change the query
		// (assumes the id column is a character type, as the string UserID suggests)
		String sql = "select email from userinfo where id = ?";
		String result = null;
		try (PreparedStatement stmt = con.prepareStatement(sql)) {
			stmt.setString(1, UserID);
			try (ResultSet rs = stmt.executeQuery()) {
				while (rs.next()) {
					result = rs.getString(1);   // JDBC columns are numbered from 1, not 0
				}
			}
		} catch (SQLException ex) {
			lastErrorMessage = "DB query error!";
			result = null;
		}
		return result;
	}
}

Because each on demand scan is single-threaded, a session bean is created to encapsulate the Nessus class and provide the session interface to the portlet. Listing 7 shows the prototype.

Listing 7: Prototype of session bean
public class OnDemandScanPortletSessionBean {
	private Nessus nessus;
	private UserInfo userinfo;
	private String userID;
	private String[] targets;

	public int setUserID(String inUserID) { userID = inUserID; return 0; }
	public int setTarget(String[] inNessus_HOST) { targets = inNessus_HOST; return 0; }
	// Created lazily so the scan slot (Listing 3) is taken only when the session needs it
	public Nessus getNessus() {
		if (nessus == null) nessus = new Nessus(targets, userID);
		return nessus;
	}
	public UserInfo getUserInfo() {
		if (userinfo == null) userinfo = UserInfo.getUserInfo();
		return userinfo;
	}
	public String getEmailAddress() { return getUserInfo().getEmail(userID); }
}

Displaying the results

You can design the results portal page to meet your own interface requirements, and then embed the results HTML in the page. Figures 2 and 3 show two examples of scan results. Figure 2 shows results in HTML format; Figure 3 shows results in HTML_graph format.

Figure 2: Scan results in HTML format
Figure 3: Scan results in HTML_graph format

Conclusion

Now you can construct your own on demand scan server with a portal interface. You can integrate your tools (including those which run on only one platform, in this case Linux) with your company portal to provide new services to your users. Providing users with an on demand scan capability can help your company meet its security strategy.

Resources
