Warden

Zdravím,

protože jsme o tom mluvili na schůzce 24. 11. (konkrétní nasazení provozovatelem) a mám to rozpracované, připojuju svůj návrh, zatím jen sem, pokud máte připomínky nebo další nápady, sem s nimi. Snažil jsem se o stejný styl, jako je původní README, pokud ho generujete z jiného výchozího formátu, klidně příslušně upravte.

Vzhledem k tomu, že info přijde zřejmě až do tarballu další minor verze, bude třeba informace o verzi v dokumentu upravit (nebo je z něj vyřadit úplně).

Zahrnul jsem i URL produkčního serveru (v hlavním README je jako příklad warden-dev, tak ať je to zřejmé) a testovací zprávu.

Dokument (pro konzistenci s 1.0.0) ještě nezahrnuje (ne)přijímání vlastních událostí (#293), tagy (#294) a terminologii (#298).

Jako autora uvádím sebe a Honzu Soukala, z jehož intro mailu jsem části vyzobal.

+-------------------------------------+
| README.cesnet - Warden Client 1.0.0 |
| CESNET Specifics                    |
+-------------------------------------+

Content

 A. Overall Information
 B. Registration
 C. Configuration
 D. Testing
 E. Authors of this document

--------------------------------------------------------------------------------
A. Overall Information

 1. About CESNET Warden Server

    Warden is a client-based architecture service designed to share detected
    security issues (events) among CSIRT and CERT teams in a simple and fast way.

    CESNET offers Warden server for security events exchange within its networks.

 2. Version

    1.0.0 (2011-11-16)

--------------------------------------------------------------------------------
B. Registration

    Client attempting to communicate with CESNET Warden server must be
    registered. Registration is currently provided by Tom Plesnik at
    address plesnik@ics.muni.cz and following information is needed:

    * For sender client:
      - hostname of the machine, where client runs,
      - name of the detection service (for example 'ScanDetector'),
      - client type = sender,
      - CIDR from which client will communicate with Warden server.

    * For receiver client:
      - hostname of the machine, where client runs,
      - client type = receiver,
      - type of requested events (for example 'portscan', more at
        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti),
      - CIDR from which client will communicate with Warden server.

    Clients need to have valid certificate to prove their identity to the
    Warden server. For CESNET network, 'server' type certificate from Terena
    Certificate Service (provided by Comodo) is needed. Administrator of
    Warden client must be entitled to obtain this certificate. CESNET TCS
    request service interface resides at

      https://tcs.cesnet.cz/

--------------------------------------------------------------------------------
C. Configuration

    CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  

--------------------------------------------------------------------------------       
D. Testing

    For testing purposes of sender clients, event type 'test' can be used.
    These events will end up in server database, but will not be taken
    further into consideration.

--------------------------------------------------------------------------------
E. Authors of this document

    Pavel Kacha     <ph@cesnet.cz>
    Jan Soukal      <soukal@ics.muni.cz>

Copyright (C) 2011 Cesnet z.s.p.o

Verze s doplněným vyžadovaným subjectem.

+-------------------------------------+
| README.cesnet - Warden Client 1.0.0 |
| CESNET Specifics                    |
+-------------------------------------+

Content

 A. Overall Information
 B. Registration
 C. Configuration
 D. Testing
 E. Authors of this document

--------------------------------------------------------------------------------
A. Overall Information

 1. About CESNET Warden Server

    Warden is a client-based architecture service designed to share detected
    security issues (events) among CSIRT and CERT teams in a simple and fast way.

    CESNET offers Warden server for security events exchange within its networks.

 2. Version

    1.0.0 (2011-11-16)

--------------------------------------------------------------------------------
B. Registration

    Client attempting to communicate with CESNET Warden server must be
    registered. Registration is currently provided by Tom Plesnik at
    address plesnik@ics.muni.cz and following information is needed:

    * For sender client:
      - hostname of the machine, where client runs,
      - name of the detection service (for example 'ScanDetector'),
      - client type = sender,
      - CIDR from which client will communicate with Warden server.

    * For receiver client:
      - hostname of the machine, where client runs,
      - client type = receiver,
      - type of requested events (for example 'portscan', more at
        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti),
      - CIDR from which client will communicate with Warden server.

    Clients need to have valid certificate to prove their identity to the
    Warden server. For CESNET network, 'server' type certificate from Terena
    Certificate Service (provided by Comodo) is needed. Hostname of the
    machine must correspond with certificate subject, Alternative Name
    extension is not supported. Administrator of Warden client must be
    entitled to obtain this certificate. CESNET TCS request service 
    interface resides at

      https://tcs.cesnet.cz/

--------------------------------------------------------------------------------
C. Configuration

    CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  

--------------------------------------------------------------------------------       
D. Testing

    For testing purposes of sender clients, event type 'test' can be used.
    These events will end up in server database, but will not be taken
    further into consideration.

--------------------------------------------------------------------------------
E. Authors of this document

    Pavel Kacha     <ph@cesnet.cz>
    Jan Soukal      <soukal@ics.muni.cz>

Copyright (C) 2011 Cesnet z.s.p.o

Cau Pavle,

Pavel Kácha wrote:

Verze s doplněným vyžadovaným subjectem.
[...]

jeste jsem si vsiml, ze u odesilajiciho klienta (* For sender client:) chyby description tags viz vypis napovedy registracniho skriptu:

registerSender.pl [-h -n <hostname> -r <requestor> -s <service> -d <description_tags> -i <ip_net_client>]
-h     print this text and exit
-n     hostname of sender
-r     client registration requestor
-s     service of send events
-d     description tags of send events
-i     CIDR of sender

a u prijimajiciho (* For receiver client:) zase polozka zdali chce uzivatel prijimat sve vlastni udalosti:

registerReceiver.pl [-h -o -n <hostname> -r <requestor> -t <type> -i <ip_net_client>]
-h     print this text and exit
-n     hostname of receiver
-r     client registration requestor
-t     type of receive events
-o     enable receive of own events
-i     CIDR of receiver

Tom

Vím, #294, a taky #293, viz moje první poznámka tady. Už je to aktuální, mám obojí doplnit?

Pavel Kácha wrote:

Vím, #294, a taky #293, viz moje první poznámka tady. Už je to aktuální, mám obojí doplnit?

Aha, tak tu jsem prehledl. Nicmene tyto informace muzes do textu doplnit a ja pak preklopim dany dokument do souboru REGISTRATION a ulozim do GITu. Dale me pak napadlo, ze muzeme sekci Registration vymazat z README aby se nam informace nedublovali. V registracni casti README bude stacit pouze odkaz na soubor REGISTRATION.

Co ty nato?

Tomáš Plesník wrote:

Pavel Kácha wrote:

Vím, #294, a taky #293, viz moje první poznámka tady. Už je to aktuální, mám obojí doplnit?

Aha, tak tu jsem prehledl. Nicmene tyto informace muzes do textu doplnit a ja pak preklopim dany dokument do souboru REGISTRATION a ulozim do GITu. Dale me pak napadlo, ze muzeme sekci Registration vymazat z README aby se nam informace nedublovali. V registracni casti README bude stacit pouze odkaz na soubor REGISTRATION.

Co ty nato?

Mnou navrhovana verze je tedy nasledujici:

+-------------------------------------+
| REGISTRATION - Warden Client 1.0.0  | 
+-------------------------------------+

Content

 A. Overall Information
 B. Registration
 C. Configuration
 D. Testing
 E. Authors of this document

--------------------------------------------------------------------------------
A. Overall Information

 1. About CESNET Warden Server

    Warden is a client-based architecture service designed to share detected
    security issues (events) among CSIRT and CERT teams in a simple and fast way.

    CESNET offers Warden server for security events exchange within its networks.

 2. Version

    1.0.0 (2011-11-16)

--------------------------------------------------------------------------------
B. Registration

    Client attempting to communicate with CESNET Warden server must be
    registered. Registration is currently provided by Tomas Plesnik at
    address plesnik@ics.muni.cz and following information is needed:

    * For sender client:
      - hostname of the machine, where client runs,
      - name of the detection service (for example 'ScanDetector'),
      - client type = sender,
      - description tags of sent events (more at 
        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti), 
      - CIDR from which client will communicate with Warden server.

    * For receiver client:
      - hostname of the machine, where client runs,
      - client type = receiver,
      - type of requested events (for example 'portscan', more at
        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti),
      - receiving of sent events from my organization = yes/no (organizations
        are separated based on the top-level and second-level domain),
      - CIDR from which client will communicate with Warden server.

    Clients need to have valid certificate to prove their identity to the
    Warden server. For CESNET network, 'server' type certificate from Terena
    Certificate Service (provided by Comodo) is needed. Hostname of the
    machine must correspond with certificate subject, Alternative Name
    extension is not supported. Administrator of Warden client must be
    entitled to obtain this certificate. CESNET TCS request service 
    interface resides at

      https://tcs.cesnet.cz/

--------------------------------------------------------------------------------
C. Configuration

    CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  

--------------------------------------------------------------------------------       
D. Testing

    For testing purposes of sender clients, event type 'test' can be used.
    These events will end up in server database, but will not be taken
    further into consideration.

--------------------------------------------------------------------------------
E. Authors of this document

    Pavel Kacha     <ph@cesnet.cz>
    Jan Soukal      <soukal@ics.muni.cz>

Copyright (C) 2011 Cesnet z.s.p.o

Díky, ještě jsem se k tomu nedostal.

Oki, vlastní události souhlas.

Tagy viz #294, ať jsme pod správným úkolem.

Pavel Kácha wrote:

Díky, ještě jsem se k tomu nedostal.

Oki, vlastní události souhlas.

Tagy viz #294, ať jsme pod správným úkolem.

Ahoj, tak jsem pretavil README.cesnet tahane po redminu do textoveho souboru v GITu. README.cesnet naleznete na https://homeproj.cesnet.cz/projects/warden/repository/revisions/master/changes/src/warden-client/doc/README.cesnet dalsi upravy prosim delejte do nej.

Události a tagy doplněny do GITu.