[Open-scap] Design of the daemon (backend)

Daniel Kopecek dkopecek at redhat.com
Mon Feb 23 23:48:58 UTC 2009


Hi,
 I'm trying to write a useful skeleton of the daemon and I've recently got into some areas that are still somewhat unclear. So, here are my questions and suggestions:

1) What protocol do we want to use between the frontend and backend?
(This one has already been solved by Maros, I think. But we haven't seen the protocol yet, so let's pretend it doesn't exist :])
  - Steve suggested that we could use XML-RPC because it's a standard protocol and therefore many tools could speak with our backend.

2) scapctl - a tool for controlling the daemon locally
 The daemon could listen on a UNIX socket (PF_LOCAL) for commands from this tool. Via scapctl you would be able to:
  a) list clients - get a list of IPs/IDs of currently connected clients (frontends) 
  b) kill(all) client(s) - force disconnect of a client or all clients.
  c) start, stop the TCP server - shut down the TCP server (to temporarily forbid new connections)
  d) reconfigure - load new configuration (same effect as sending HUP to the daemon)
  e) kill scan - stop a currently running host scan
  f) flush queue - remove all entries from the permanent queue (this is where the "queued actions" shown on Peter's diagrams are stored)
  g) scan - start a scan using an OVAL definition file that is available locally, i.e. stored in the daemon's file storage (/var/lib/scapd/... or something like that). The OVAL definition file would be identified by some kind of hash/unique id. This functionality could be used for "scheduled scans" - in conjunction with cron (e.g. cron would execute "scapctl --scan hash")
  h) ...what else? (maybe "list definitions", "get/list result(s)")

  See interaction-schema.txt (attached)

  What do you think about this?

3) How will the authentication work? SSL with CA cert, client+server certs?


Dan
Attachment (text scrubbed by the list archive): interaction-schema.txt
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20090223/2b9ec44e/attachment.txt>


More information about the Open-scap-list mailing list