4514149 1999-11-23  08:13  /153 lines/ Postmaster
Recipient: Bugtraq (import) <8634>
Subject: ANN: Bruce v1.0 Early Access 1 - Available for downloa
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <199911221841.SAA01703@coyote.uk.sun.com>
Date:         Mon, 22 Nov 1999 18:41:05 +0000
Reply-To: Alec Muffett <alecm@COYOTE.UK.SUN.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Alec Muffett <alecm@COYOTE.UK.SUN.COM>
X-To:         bugtraq@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Sun Professional Services would like to announce the release of:


	     Sun Enterprise(TM) Network Security Service:
	   "Bruce" - a Networked Host-Vulnerability Scanner
		       v1.0 Early Access 1 (Beta)

       URL: http://www.sun.com/software/communitysource/senss/

		Queries: mailto:bruce-feedback@sun.com



SENSS "Bruce" is a flexible, Java-based infrastructure that permits
centralized security management of small, medium and large-sized
intranets.

The Bruce software provides you with a network service daemon that
should be installed on each host in your network; these daemons can
then be linked together in a hierarchy of trust.

This hierarchy may be used for the distribution and execution of
digitally-signed packages containing (java, script, or binary) code
that may be used to proactively check and fix host security issues in
a bulk, batch-oriented manner.

Execution requests are also digitally signed, replay attacks are
prevented, and network communications are secured by access-control
lists and pluggable authentication and secrecy modules.

Output generated during the process of checking is in HTML format, and
percolates to the root of the hierarchy, where it is browsable using a
standard web browser.

More technical information (+ screenshots) may be found at:

  http://www.sun.com/software/communitysource/senss/additional.html


The Bruce software is not yet complete; this is the early-access-1
release, that we (the Bruce development team) are making available for
the benefit of parties with a professional interest in network
security, for their experimentation and comment.

The distribution contains the infrastructure code, documentation, and
a small set of example auditing modules; we intend to expand the latter
in future releases, to create a powerful networked security auditing tool.

The EA1 release is only supported on the Solaris platform, using the
recommended set of Java2 JVMs; however the target platforms for the
release version of Bruce include Solaris, Linux, Windows NT, and a
selection of other operating systems which support the Java2 JVM.



** Licensing

SENSS Bruce is being released under the Sun Community Source License
(SCSL) because it falls into a class of security tools which need to
be extremely secure in order to be useful; in this instance, the best
way to ensure that the internal mechanisms of Bruce are proof against
attack is to open them to complete public scrutiny - therefore we wish
licensees of this code to have access to the complete source code, and
thus we ship source as the standard download bundle.

It is intended that the SENSS Bruce software (including source code)
will remain under some license that permits access and use, for no cost,
to private individuals, research and academic sites, and for some forms
of company-internal use.

The version of the SCSL used for SENSS Bruce has been adapted in order
to ease some licensing concerns with respect to "example code" that
will benefit from greater public exposure - please refer to the
associated license information for details.



** Downloading

SENSS Bruce is available for free download from the Sun website:

	  http://www.sun.com/software/communitysource/senss/

...and licensing, support, and other queries may be addressed to:

			bruce-feedback@sun.com

Software interest and announcement maillists also exist; subscription
details are supplied in the software FAQ and in the download bundle.


** Bugs and Issues

Bruce EA1 is a beta-release, and as such several issues and bugs are
known to exist in the EA1 codebase; these issues include:

1) some implementations of the Java2 JVM are not suitable for Bruce
   execution, due to memory-footprint or threading issues; a list of
   recommended JVMs is provided with the software.

2) one of the installation scripts is written in "ksh" and does not
   function correctly under the "ksh" implementation provided with
   most Linux distributions; this code will be re-written portably.

3) various scalability issues.

4) command-line-only generation/execution of audit launch requests.

5) migration to XML for report output.

6) lack of cryptosecrecy functionality, to simplify software-export
   issues in the early-access release.


All of the above issues are currently being addressed, and it is
intended that the software development effort will continue in an
open-book manner, sharing patches amongst the Bruce community.



** Thanks

The Bruce development team would like to take time to thank their
development team alumni and friends, in alphabetic order: Peter
Cunningham, Rob Diamond, Casper Dik, Cheri Dowell, Dan Farmer, Sandeep
Kumar, David Leftwich, Linda McCarthy, Cathy Pielich, Brad Powell,
Christoph Schuba, Bert Sutherland, Glenn Wright and Diego Zamboni, and
all others who have aided in the development of SENSS Bruce.

The Bruce development team is Alec Muffett (architect/lead programmer)
and Keith Watson (programmer/technical developer), aided by members of
Sun Professional Services' GESS and EMEA teams.



******************************************************************

--
     alec muffett - sun professional services - alec.muffett @ uk.sun.com
                     class c addresses please little minds
(4514149) -----------------------------------