Tvorba zakladni osnovy a bodu README.

2589acee · Jan Soukal · 57ed5355 · 2589acee
Commit 2589acee authored Jan 18, 2012 by Jan Soukal
--- a/src/warden-server/doc/README
+++ b/src/warden-server/doc/README
@@ -6,16 +6,20 @@ Content

 A. Overall Information
 B. Installation Dependencies
- C. Registration
- D. Installation
- E. Integration with Local Applications
- F. Server Upgrade
- G. Functions, Arguments and Calls
- H. Authors
+ C. Installation
+ D. Configuration
+ E. Update
+ F. Init Scripts
+ G. Registration of Clients
+ H. Status Info
+ I. Nagios Integration
+ J. Authors

 --------------------------------------------------------------------------------
 A. Overall Information

+ /*TODO*/Upravit pro kontext warden serveru
+
 1. About Warden Client
 
    Warden is a client-based architecture service designed to share detected
@@ -47,6 +51,8 @@ A. Overall Information
 --------------------------------------------------------------------------------
 B. Installation Dependencies
 
+ /*TODO*/Zkontrolovat, zdali plati...
+
    Perl 5.10.1  
    SOAP::Lite
    IO::Socket::SSL
@@ -54,47 +60,9 @@ B. Installation Dependencies
    FindBin

 --------------------------------------------------------------------------------
-C. Registration
-
-    Any client attempting to communicate with Warden server must be registered
-    on this server. Unknown (not registered) clients are not allowed to exchange
-    any data with server.
-  
-    Registration of your client is provided by Warden server administrator.
-    Usually via e-mail.
-  
-    Clients need to have valid client certificate to prove their identity to
-    the Warden server. 
-  
-    Each client is defined by its hostname, service name, type of client, type
-    of requested events and CIDR the client is allowed to communicate from only.
-  
-    Hostname                  - hostname of client to be registered
-    Service name              - Text string. Unique name of the service
-                                the client is integrated in.
-                                E.g. 'ScanDetector_1.0'. This is mandatory for
-                                'Sender' client. Default value null is used for
-                                'Receiver' client.
-    Type of client            - Either 'Sender' or 'Receiver'.
-    Type of requested events  - Type of events the client only accepts from
-                                Warden server. This is mandatory only for
-                                'Receiver' client. Default value null is used
-                                for 'Sender' client. Brief information about
-                                event types is provided in section G. Functions
-                                arguments and calls.  
-    CIDR                      - CIDR stands for IP address or IP (sub)net
-    				the client is going to communicate from. Any
-				communications between the client and Warden
-				Server must be performed from IP address from
-				a range stated in CIDR.
-				Examples: '123.123.0.0/16', '123.123.123.123/32'
-
-  
-    For complete information about client attributes and/or event types see
-    Warden project documentation.
+C. Installation

--------------------------------------------------------------------------------
-D. Installation
+  /*TODO*/Zkontrolovat, co z klienta plati i pro server a doplnit chybejici...

 1. Check SHA1 checksum of corresponding Warden client package archive

@@ -168,170 +136,89 @@ D. Installation
 	-V                        print script version number and exit
 	
    Example: $ ./install.sh -d /opt -u detector -k /etc/ssl/private/client.key
-    			    -c /etc/ssl/certs/client.pem -a /etc/ssl/certs"
 
 --------------------------------------------------------------------------------
-E. Integration with Local Applications
+D. Configuration

- (Note: Clients need to be registered on server to be able to communicate with
-        server properly. See section C. Registration for more information about
-        client registration.)
+  /*TODO*/Doplnit konfiguraci (warden.conf) - mozna to v klientske verzi
+  zasahuje do predchozi sekce, zkontrolovat

- 1. Client sender (this type of client reports events to Warden server)
+--------------------------------------------------------------------------------       
+E. Update
 
-    Client functionality is included as a Perl module (WardenClientSend.pm)
-    into Perl code of local detection application.   
+ /*TODO*/Doplnit, jak se dela update...

-    See warden-client/doc/example-sender.pl.txt for example how to use
-    warden-client sender functionality.
+   To upgrade a client, install a new version.

-    Brief information about syntax of sending functions and functionality is
-    provided in section G. Functions arguments and calls.
+--------------------------------------------------------------------------------
+F. Init Scripts

- 2. Client receiver (this type of clients uploads events from Warden server)
+  /*TODO*/Doplnit init scripty

-    Client functionality is included as a perl module (WardenClientReceive.pm)
-    into perl code of local 'reaction' application or may be used as as core of
-    standalone local application.
+ 1. Start

-    See warden-client/doc/example-receiver.pl.txt for example how to use
-    warden-client receiver functionality.   
+    /*TODO*/Doplnit...

-    Brief information about syntax of receiving functions and functionality is
-    provided in section G. Functions arguments and calls. 
+ 2. Stop

--------------------------------------------------------------------------------
-F. Client Upgrade
+    /*TODO*/Doplnit...

-   To upgrade a client, install a new version.
+ 3. Restart

--------------------------------------------------------------------------------
-G. Functions, Arguments and Calls
+    /*TODO*/Doplnit...

- 1. WardenClientSend::saveNewEvent
- 
-    Function to upload one event on the Warden server. See example 'Sender'
-    client in warden-client/doc/example-sender.pl.txt
+ 4. Status

-    Function call (Perl):
-    
-    # Path to warden-client folder
-    $warden_path = '/opt/warden-client';
-    
-    # Inclusion of warden-client sender module
-    require $warden_path . '/lib/WardenClientSend.pm';
+    /*TODO*/Doplnit...

-    # Sending event to Warden server
-    WardenClientSend::saveNewEvent($warden_path, \@event);
-    
-    Event array is defined as (perl):
+ 5. Force-stop

-    @event = ($service, $detected, $type, $source_type, $source, $target_proto,
-              $target_port, $attack_scale, $note, $priority, $timeout );
+    /*TODO*/Doplnit...

-    Event array attributes with example value and explanation on the right
-    (Perl):
+--------------------------------------------------------------------------------
+G. Registration of Clients

-    # SERVICE - VARCHAR (64)
-    # Name of a service detecting this event. Service must be the same with this
-    # provided in 'Sender' client registration. See more about this issue in
-    # section C. Registration.    
-    $service      = "ScanDetector";
+  /*TODO*/Popsat registraci klientu

-    # DETECTED - TIMESTAMP in UTC, ISO 8601
-    # Date and time when was event detected.
-    $detected     = "2011-07-16T19:20:30.45";
+ 1. Register Sender

-    # TYPE - VARCHAR (64)
-    # Type of reported event. Currently supported values are:
-    # darkspace   - access into honeypot segment
-    # portscan    - scannig of TCP/UDP ports
-    # bruteforce  - bruteforce/dictionary attack against authentication
-    #               service(s)
-    # spam        - unsolicited e-mail that does not have phishing-like
-    #               character
-    # phishing    - e-mail attempting to gather sensitive data
-    # botnet_c_c  - command and control center of botnet
-    # dos         - (distributed) denial of service attack
-    # malware     - virus sample
-    # copyright   - copyright infringement issue
-    # webattack   - attack against web application
-    # other       - anything that does not match any of previous categories
-    $type         = "portscan";
+    /*TODO*/Doplnit...

-    # SOURCE_TYPE - VARCHAR 64
-    # Type of source of reported attack/issue. Currently supported values are:
-    # IP, URL, Reply-To:, null
-    $source_type  = "IP";
+ 2. Register Receiver

-    # SOURCE - VARCHAR 256
-    # identification of attack source/origin according to source_type
-    $source       = "123.123.123.123";
+   /*TODO*/Doplnit...

-    # TARGET_PROTO - VARCHAR 16
-    # Protocol type of reported attack/issue target. Supported are all L3 and L4
-    # protocols and null 
-    $target_proto = "TCP";
+ 3. Unregister Client

-    # TARGET_PORT - INT 2
-    # Port number of reported attack/issue target or null.
-    $target_port  = "22";
+   /*TODO*/Doplnit...

-    # ATTACK_SCALE - INT 4
-    # Definition of attack scale, e.g. number of affected targets. Null is also
-    # possible when attack scale is not known or clear enough.
-    $attack_scale = "1234567890";
+--------------------------------------------------------------------------------
+H. Status Info

-    # NOTE - TEXT
-    # Some important(!) note or comment or null. Also, it may contain virus
-    # sample, phishing e-mail with headers and other accordingly to event type.
-    $note         = "this threat is dangerous";
+  /*TODO*/Popsat praci s administrativnimi/dohledovymi funkcemi

-    # PRIORITY - INT 1
-    # Subjective definition of incident severity. Values 0-255 or null are
-    # possible where 0 is the lowest priority.
-    $priority     = "null";
+  1. Get Status

-    # TIMEOUT - INT 2
-    # Subjective time (in minutes) or null. After this time event might be
-    # considered timeouted.
-    $timeout      = "20";
+     /*TODO*/Doplnit...

- 2.  WardenClientReceive::getNewEvents
+  2. Get Clients

-    Function to download batch of events from the Warden server. Downloaded
-    events are stored in @events array. See example 'Receiver' client in
-    warden-client/doc/example-receiver.pl.txt
+     /*TODO*/Doplnit...

-    Function call (perl):
+--------------------------------------------------------------------------------
+I. Nagios Integration

-    # Path to warden-client directory
-    my $warden_path = '/opt/warden-client';
+  /*TODO*/Doplnit...

-    # Inclusion of warden-client receiving functionality
-    require $warden_path . '/lib/WardenClientReceive.pm';
-
-    # Definition of requested event type. Type must be the same with this
-    # provided in 'Receiver' client registration. See more about this issue in
-    # section C. Registration. See more about event types in section
-    # G. 1. WardenClientSend::saveNewEvent
-    $requested_type = "botnet_c_c";
-
-    # Download batch of new events from Warden server
-    @new_events = WardenClientReceive::getNewEvents($warden_path,
-                                                    $requested_type);
-                                                    
-    Structure of each received event in the event array equals to this explained
-    in section G. 1. WardenClientSend::saveNewEvent. It has one additional
-    attribute ID - unique id of this particular event (BIGINT).
+  Is available via Nagios plugin /opt/warden-server/bin/warden-alive.

 --------------------------------------------------------------------------------
-H. Authors
+J. Authors

 Development:	Tomas PLESNIK   <plesnik@ics.muni.cz>
 		Jan SOUKAL      <soukal@ics.muni.cz>

-Copyright (C) 2011 Cesnet z.s.p.o
+Copyright (C) 2012 Cesnet z.s.p.o

 Special thanks go to Martin Drasar from CSIRT-MU for his help and support
 in the development of Warden system.