Security scans are an important part of a company's network security strategy. Network administrators often use tools to scan their users' computers. The administrator might send scan reports to users, and then push fixes to them to plug security holes. In this situation, network users learn their PC's security status only passively (when notified by the administrator).
In this article, you see a simple scenario in which users can scan their own computers, on demand, from a security portal deployed on WebSphere Application Server and WebSphere Portal. A portlet service integrates the scanning tool (in this example, the Nessus tool) and the user database. Users access the security portal to check their computers, and they get the results either on the portal or through email. Figure 1 illustrates a simple view of integrating this on demand security portal with the Nessus tool and the user database.
Figure 1: On demand security scan architecture
You configure WebSphere Portal to prevent unauthorized access by using an LDAP directory for authentication. The business logic for your application portlets should be in, or behind, a layer of session beans, and access to those session beans should be restricted so that only the appropriate LDAP user ids can reach the entire session bean. For more information about LDAP, see the Resources section.
Nessus is a popular open source vulnerability scanner. Organizations can use a tool like the Nessus tool to audit business critical enterprise devices and applications. For the scenario described in this article, download Nessus 3.0.1 for Linux/FreeBSD. See the Resources section for a link.
The Nessus server runs on the Linux platform only. Although a Windows client is listed on the Nessus Web site, for this scenario you need the server (the client edition does not provide any scanning services).
After installing and configuring it, you can launch the GUI, which provides a helpful user interface for scanning devices. Nessus also provides a command-line mode, so you can scan devices without launching the GUI; therefore, you can integrate the Nessus tool with your application using the command-line mode. You can choose from eight output formats for the result file, which is convenient for integration. Listing 1 illustrates the format of the Nessus command line.
Listing 1: Nessus command-line mode
nessus -q [-pPS] <host> <port> <user> <pass> <targets-file> <result-file> [-T <format>]
    format: "nbe", "html", "html_graph", "text", "xml", "old-xml", "tex", or "nsr"
To create the example described in this article, I:
- Installed the Nessus tool in the /opt/nessus directory.
- Added a Nessus account (jing/jing4nessus).
- Saved a list of hosts to scan in /opt/nessus/host/targets.txt.
- Ran the command shown in Listing 2. The result file was created in /opt/nessus/report/result.html.
See the result.html file.
Listing 2: Nessus command-line example
nessus -q localhost 1241 jing jing4nessus ./host/targets.txt ./report/result.html
About the user information database
A user information database stores information about a company's users. If a user passes LDAP authentication and is able to log in to the portal, you can retrieve his or her detailed information from the user database and then provide an interactive session with the user. In this scenario, we retrieve the user's e-mail address, to which the scan report can be sent. The example described in this article uses IBM DB2® as the user information database.
A portal provides a wide variety of services through a single user interface, and it only requires that users have a Web browser to access it (assuming they can be authenticated). Users do not need to install or configure a complex client. A portal is often composed of many portlet services, which receive requests from the portal interface, act on them, and return the results to the portal interface. This mechanism meets our requirement of encapsulating the Nessus tool and the user information database in a portlet.
Each on demand scan request is single-threaded, and you need a session bean to encapsulate it. You can use a portlet to create a session bean for each request. The calls to the Nessus tool and user information database are encapsulated in two classes.
The Nessus class controls and interacts with the Nessus tool. You set the configuration information in the class so that it can locate and call the Nessus tool. The target and report directories are created to store the target and result files. When a new instance of the class is created, the scan targets and user id are passed into the instance for later work. This example limits the number of scans that can run at one time to five; you can configure that number according to the performance of your server.
Listing 3: Constructor for the Nessus class
import java.io.*;

public class Nessus {
    private static final String Nessus_HOME = "/opt/nessus";
    private static final String Nessus_COMMAND = "bin/nessus";
    private static final String Nessus_AUTH_INFO =
        "-q localhost 1241 jing jing4nessus";
    private static final String Nessus_TARGET_DIR = "target";
    private static final String Nessus_REPORT_DIR = "report";
    private static final String PATH_SEPARATOR = "/";
    // Maximum number of scans that may run at one time
    public static final int Nessus_MAX_Client = 5;
    public static int Nessus_Client = 0;
    private String result;
    private String lastErrorMessage = "";
    private String[] Nessus_HOST;
    private String UserID;

    public Nessus(String[] inNessus_HOST, String inUserID) throws InterruptedException {
        // Wait for a free scan slot instead of spinning; dispose() wakes waiters
        synchronized (Nessus.class) {
            while (Nessus_Client >= Nessus_MAX_Client) {
                Nessus.class.wait();
            }
            ++Nessus_Client;
        }
        Nessus_HOST = inNessus_HOST;
        UserID = inUserID;
    }

    public void dispose() {
        synchronized (Nessus.class) {
            if (Nessus_Client > 0) {
                --Nessus_Client;
            }
            Nessus.class.notifyAll();
        }
    }
    // ... init(), scanTarget() and getResult() are shown in Listings 4 and 5
}
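Listing 3 lets at most Nessus_MAX_Client scans run at once by making later requests wait for a slot, but a request that is waiting has no way to give up if the running scans never finish, and the waiting happens on a portal thread. The class below is an added example, not code from the article: it bounds the number of concurrent scans with a java.util.concurrent.Semaphore and gives up after a timeout so the portlet can tell the user the server is busy. The names ScanSlots, acquire() and release() are assumptions, and main() stands in for real scans with Thread.sleep().

```java
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;

/** Added example: bounds concurrent scans with a timeout instead of a spin loop. */
public class ScanSlots {
    private final Semaphore slots;
    private final long waitSeconds;

    public ScanSlots(int maxConcurrent, long waitSeconds) {
        this.slots = new Semaphore(maxConcurrent, true);   // fair: first come, first served
        this.waitSeconds = waitSeconds;
    }

    /** Returns true if a scan slot was obtained within the wait period. */
    public boolean acquire() throws InterruptedException {
        return slots.tryAcquire(waitSeconds, TimeUnit.SECONDS);
    }

    /** Must be called from a finally block once the scan has finished or failed. */
    public void release() {
        slots.release();
    }

    public int available() {
        return slots.availablePermits();
    }

    // Constructed demonstration: two slots, three requests, the third one is refused
    public static void main(String[] args) throws InterruptedException {
        final ScanSlots pool = new ScanSlots(2, 1);   // 2 slots, wait at most 1 second
        Runnable scan = new Runnable() {
            public void run() {
                String name = Thread.currentThread().getName();
                try {
                    if (!pool.acquire()) {
                        System.out.println(name + ": server busy, try again later");
                        return;
                    }
                    try {
                        System.out.println(name + ": scanning");
                        Thread.sleep(3000);   // stands in for Nessus.scanTarget()
                    } finally {
                        pool.release();       // always free the slot
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
        };
        Thread[] threads = new Thread[3];
        for (int i = 0; i < threads.length; i++) {
            threads[i] = new Thread(scan, "request-" + i);
            threads[i].start();
        }
        for (Thread t : threads) {
            t.join();
        }
        System.out.println("free slots after all requests: " + pool.available());
    }
}
```

Releasing the slot in a finally block matters more than the timeout: if a scan throws and the slot is never released, every later request ends up refused once the pool is exhausted.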
After you create a Nessus class instance, it needs to be initialized. The Nessus tool needs a target file as an argument for the scan. The target file contains the list of IP addresses or host names to be scanned. I assembled a file using the field called Nessus_HOST (as shown in Listing 4), and then I stored it in the directory called target.
Listing 4: Initializing a Nessus class instance
public int init() {
    // One target per line, as the Nessus tool expects
    String Nessus_HOSTs = "";
    for (int i = 0; i < Nessus_HOST.length; ++i) {
        Nessus_HOSTs += Nessus_HOST[i] + "\n";
    }
    try {
        String filename = Nessus_HOME + PATH_SEPARATOR +
            Nessus_TARGET_DIR + PATH_SEPARATOR + UserID;
        File file = new File(filename);
        if (file.exists()) {
            file.delete();   // replace any target file left from an earlier scan
        }
        BufferedWriter fileDesc = new BufferedWriter(new FileWriter(filename));
        fileDesc.write(Nessus_HOSTs);
        fileDesc.close();
        fileDesc = null;
    } catch (IOException ex) {
        lastErrorMessage = "Init failed!";
        return 1;
    }
    return 0;
}
The core method of the Nessus class, scanTarget(), calls the Nessus tool using the command-line interface. The method suspends until the Nessus tool returns the result, which it stores in the result directory.
Listing 5: Scanning the target directories
public int scanTarget() {
    String targetfile = Nessus_HOME + PATH_SEPARATOR + Nessus_TARGET_DIR +
        PATH_SEPARATOR + UserID;
    String reportfile = Nessus_HOME + PATH_SEPARATOR + Nessus_REPORT_DIR +
        PATH_SEPARATOR + UserID + ".html";
    // Command-line arguments are separated by spaces, not by the path separator
    String command = Nessus_HOME + PATH_SEPARATOR + Nessus_COMMAND + " " +
        Nessus_AUTH_INFO + " " + targetfile + " " + reportfile;
    try {
        Process process = Runtime.getRuntime().exec(command);
        InputStreamReader ir = new InputStreamReader(process.getInputStream());
        LineNumberReader input = new LineNumberReader(ir);
        // Drain the tool's output; the method blocks here until the scan finishes
        while (input.readLine() != null) {
        }
        input.close();
        if (process.waitFor() != 0) {
            lastErrorMessage = "Scan failed";
            return 1;
        }
    } catch (IOException ex) {
        lastErrorMessage = "Scan failed";
        return 1;
    } catch (InterruptedException ex) {
        lastErrorMessage = "Scan interrupted";
        return 1;
    }
    result = reportfile;
    return 0;
}

public String getResult() {
    return result;
}
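Listing 4 turns each UserID into a file name under the target directory, and Listing 5 hands the target file to the tool on a command line, so both values need checking before a Nessus instance is created. The class below is an added example, not code from the article. It accepts only well-formed IPv4 addresses or host names as targets (which also rejects a value containing a newline, since init() writes one target per line and an extra line would become an extra target), limits the request to the address the portal session came from, restricts user ids to safe file-name characters, and builds the Nessus invocation as an argument array so each value reaches the tool as one argument. ScanRequestGuard and its methods are assumed names, and the remote address is assumed to come from HttpServletRequest.getRemoteAddr() in the portlet.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: validates scan requests and launches Nessus with an argument array. */
public class ScanRequestGuard {
    // Strict IPv4 or DNS host name; newlines, spaces and shell metacharacters never match
    private static final Pattern IPV4 = Pattern.compile(
        "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}$");
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\\.)*"
        + "[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$");
    // User ids become file names under /opt/nessus/target and /opt/nessus/report,
    // so they must not contain separators or start with a dot
    private static final Pattern USER_ID = Pattern.compile("^[a-zA-Z0-9_][a-zA-Z0-9_.-]{0,63}$");

    public static boolean isValidTarget(String target) {
        // matches() requires the whole string to match, so a trailing newline fails too
        return target != null
            && (IPV4.matcher(target).matches() || HOSTNAME.matcher(target).matches());
    }

    public static boolean isValidUserId(String userId) {
        return userId != null && USER_ID.matcher(userId).matches();
    }

    /**
     * Keeps only targets that are well formed AND equal to the address the portal
     * request came from, so a user can scan only the machine he or she is using.
     */
    public static String[] filterTargets(String[] requested, String remoteAddr) {
        List<String> allowed = new ArrayList<String>();
        if (requested != null && isValidTarget(remoteAddr)) {
            for (String t : requested) {
                if (isValidTarget(t) && t.equals(remoteAddr) && !allowed.contains(t)) {
                    allowed.add(t);
                }
            }
        }
        return allowed.toArray(new String[0]);
    }

    /** Builds the argument vector of Listing 1; each element is passed to the tool as-is. */
    public static List<String> buildCommand(String nessusHome, String user, String pass,
                                            String targetFile, String reportFile) {
        List<String> cmd = new ArrayList<String>();
        cmd.add(nessusHome + "/bin/nessus");
        cmd.add("-q");
        cmd.add("localhost");
        cmd.add("1241");
        cmd.add(user);
        cmd.add(pass);
        cmd.add(targetFile);
        cmd.add(reportFile);
        cmd.add("-T");
        cmd.add("html");
        return cmd;
    }

    /** Runs the scan, keeping the tool's output in a log file, and returns its exit status. */
    public static int runScan(List<String> cmd, File logFile) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.redirectErrorStream(true);
        pb.redirectOutput(logFile);   // Java 7+; nothing is left unread to block the tool
        Process p = pb.start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed sample input: the requester's own address, another host, and a
        // value with an embedded newline that would add a second line to the target file
        String[] submitted = { "192.168.1.25", "10.0.0.7", "192.168.1.25\n10.0.0.8" };
        String[] allowed = filterTargets(submitted, "192.168.1.25");
        System.out.println("allowed targets: " + Arrays.toString(allowed));
        System.out.println("user id 'jing' accepted: " + isValidUserId("jing"));
        System.out.println("user id '../etc' accepted: " + isValidUserId("../etc"));
        System.out.println(buildCommand("/opt/nessus", "jing", "jing4nessus",
            "/opt/nessus/target/jing", "/opt/nessus/report/jing.html"));
    }
}
```

Note that Listing 1 takes the Nessus password on the command line, so it is visible to any local user who can list processes on the scan server; keep shell access to that machine restricted to administrators.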
The UserInfo class controls and interacts with the user information database. In this example, it retrieves an e-mail address from the database, which is used for mailing the result to the user. A single connection is shared by all queries to reduce resource use.
Listing 6: Sample of UserInfo
import java.sql.*;

public class UserInfo {
    private static final String DB2_JDBC_DRIVER = "COM.ibm.db2.jdbc.app.DB2Driver";
    private static final String UserInfo_DB_URL = "jdbc:db2:userinfo";
    private static final String UserInfo_DB_USER = "db2inst1";
    private static final String UserInfo_DB_PASS = "password";
    private static Connection con;
    private static UserInfo userinfo;
    private static String lastErrorMessage = "";

    private UserInfo() {
    }

    // Singleton: one connection shared by all queries
    public static synchronized UserInfo getUserInfo() {
        if (userinfo == null) {
            try {
                Class.forName(DB2_JDBC_DRIVER);
            } catch (java.lang.ClassNotFoundException e) {
                lastErrorMessage = "DB connect error!";
                return null;
            }
            try {
                con = DriverManager.getConnection(UserInfo_DB_URL,
                    UserInfo_DB_USER, UserInfo_DB_PASS);
            } catch (SQLException ex) {
                lastErrorMessage = "DB login error!";
                return null;
            }
            // Only publish the instance once the connection exists
            userinfo = new UserInfo();
        }
        return userinfo;
    }

    public int dispose() {
        try {
            con.close();
        } catch (SQLException ex) {
            lastErrorMessage = "DB connect error!";
            return 1;
        }
        return 0;
    }

    // synchronized serializes callers on the shared connection
    public synchronized String getEmail(String UserID) {
        // Bind the id as a parameter so the user id can never change the query text
        String sql = "select email from userinfo where id = ?";
        String result = null;
        try {
            PreparedStatement stmt = con.prepareStatement(sql);
            stmt.setString(1, UserID);   // use setInt() if the id column is numeric
            ResultSet rs = stmt.executeQuery();
            while (rs.next()) {
                result = rs.getString(1);   // JDBC columns are numbered from 1
            }
            rs.close();
            stmt.close();
        } catch (SQLException ex) {
            lastErrorMessage = "DB query error!";
            result = null;
        }
        return result;
    }
}
Because each on demand scan is single-threaded, a session bean is created to encapsulate the Nessus class and provide the session interface to the portlet. Listing 7 shows the prototype.
Listing 7: Prototype of session bean
public class OnDemandScanPortletSessionBean {
    private Nessus nessus;
    private UserInfo userinfo;
    private String userID;
    private String[] targets;

    public int setUserID(String inUserID) { userID = inUserID; return 0; }
    public int setTarget(String[] inNessus_HOST) { targets = inNessus_HOST; return 0; }

    // One Nessus instance per session; waits for a free scan slot
    public Nessus getNessus() throws InterruptedException {
        if (nessus == null) { nessus = new Nessus(targets, userID); }
        return nessus;
    }
    public UserInfo getUserInfo() {
        if (userinfo == null) { userinfo = UserInfo.getUserInfo(); }
        return userinfo;
    }
    public String getEmailAddress() { return getUserInfo().getEmail(userID); }
}
You can design the results portal page to meet your own interface requirements, and then embed the results HTML in the page. Figures 2 and 3 show two examples of scan results: Figure 2 shows results in HTML format, and Figure 3 shows results in HTML_graph format.
Figure 2: Scan results in HTML format
Figure 3: Scan results in HTML_graph format
Now you can construct your own on demand scan server with a portal interface. You can integrate your tools (including those which run on only one platform, in this case Linux) with your company portal to provide new services to your users. Providing users with an on demand scan capability could help your company meet its security strategy.
Resources
- Code sample: Nessus result.html file

Learn
- developerWorks DB2 zone: Provides a wide variety of technical resources to help you use DB2 information management software.
- developerWorks WebSphere Portal zone: Provides a wide variety of technical resources to help you develop portals and portlets.
- IBM Redbook: IBM Rational Application Developer V6 Portlet Application Development and Portlet Tools: Basic information for creating portlets using the Rational Application Developer environment and built-in portal tools.
- IBM Redbook: Understanding LDAP - Design and Implementation: Describes LDAP concepts and architecture.
- Portlet development guide: Helps you get started developing portlets in WebSphere Portal V5.x.
- WebSphere Portal product documentation: Provides access to all current product documentation, including InfoCenters, release notes, and readmes for all releases of WebSphere Portal.
- WebSphere Portal V5.1 Security Overview: Includes an architecture overview and deployment scenarios to illustrate the flexibility and breadth of options you have to implement your own portal security infrastructure.

Get products and technologies
- Get the Nessus 3.0.1 for Linux/FreeBSD download.