[Open-scap] Design of the daemon (backend)
Daniel Kopecek
dkopecek at redhat.com
Mon Feb 23 23:48:58 UTC 2009
Hi,
I'm trying to write a useful skeleton of the daemon and I've got into still somewhat unclear areas recently. So, here are my questions and suggestions:
1) What protocol do we want to use between the frontend and backend?
(This one has been already solved by Maros, I think. But we haven't seen the protocol yet, so let's pretend it doesn't exist :])
- Steve suggested that we could use XML-RPC because it's a standard protocol and therefore many tools could speak with our backend.
2) scapctl - a tool for controlling the daemon locally
The daemon could listen on a UNIX socket (PF_LOCAL) for commands from this tool. And via scapctl you would be able to do:
a) list clients - get a list of IPs/IDs of currently connected clients (frontends)
b) kill(all) client(s) - force disconnect of a client or all clients.
c) start, stop the TCP server - shut down the TCP server (to temporarily forbid new connections)
d) reconfigure - load new configuration (same effect as sending HUP to the daemon)
e) kill scan - stop a currently running host scan
f) flush queue - remove all entries from the permanent queue (here are stored the "queued actions" as you can see on Peter's diagrams)
g) scan - start a scan using an OVAL definition file that's available locally, i.e. stored in the daemon's file storage (/var/lib/scapd/... or something like that). The OVAL definition file would be identified by some kind of hash/unique id. This functionality could be used for "scheduled scans" in conjunction with cron (e.g. cron would execute "scapctl --scan hash").
h) ...what else? (maybe "list definitions", "get/list result(s)")
See interaction-schema.txt (attached)
What do you think about this?
3) How will the authentication work? SSL with CA cert, client+server certs?
Dan
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: interaction-schema.txt
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20090223/2b9ec44e/attachment.txt>
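The scapctl control channel sketched in point 2 is the part of this design that carries a security decision: whoever can write to that PF_LOCAL socket can kill scans, flush the queue or start a scan against an arbitrary definition id. The following is an added example (not code from the post or from the open-scap project) of how the daemon side of such a socket can be written so that the peer is identified with SO_PEERCRED before any command is parsed, and so that the command line itself is validated before it reaches the file storage. Everything beyond the post is an assumption: the verb names, the socket path /tmp/scapd-ctl.sock, the admin group id, and the choice to identify OVAL definitions by a 40-character lowercase hex SHA-1.

```c
/* Added example: control-socket skeleton for a scapd-style daemon. Linux-specific (SO_PEERCRED). */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

#define SCAPCTL_SOCK   "/tmp/scapd-ctl.sock"  /* assumption; the post only mentions /var/lib/scapd/... */
#define SCAPD_ADMIN_GID 150                   /* assumption: a hypothetical "scapd" admin group */
#define OVAL_ID_LEN     40                    /* assumption: definitions are identified by a SHA-1 hex digest */

enum cmd {
    CMD_INVALID = 0, CMD_LIST_CLIENTS, CMD_KILL_CLIENT, CMD_KILL_ALL, CMD_SERVER_START,
    CMD_SERVER_STOP, CMD_RECONFIGURE, CMD_KILL_SCAN, CMD_FLUSH_QUEUE, CMD_SCAN
};

struct scapctl_cmd {
    enum cmd kind;
    char arg[64];        /* client id or OVAL definition id, already validated */
};

/* A definition id is exactly OVAL_ID_LEN lowercase hex chars: this is what keeps
 * "scan ../../etc/passwd" from ever being turned into a path under /var/lib/scapd. */
static int valid_oval_id(const char *s)
{
    if (strlen(s) != OVAL_ID_LEN) return 0;
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s) || isupper((unsigned char)*s)) return 0;
    return 1;
}

static int all_digits(const char *s)
{
    if (!*s) return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Parse one control line "verb [argument]". Unknown verbs, missing or extra
 * arguments, and malformed arguments all yield CMD_INVALID. */
enum cmd scapctl_parse(const char *line, struct scapctl_cmd *out)
{
    char verb[32], arg[64], extra;
    memset(out, 0, sizeof(*out));
    int n = sscanf(line, "%31s %63s %c", verb, arg, &extra);
    if (n < 1 || n > 2) return CMD_INVALID;       /* empty line or trailing junk */
    if (n == 1) arg[0] = '\0';

    if      (n == 1 && !strcmp(verb, "list-clients")) out->kind = CMD_LIST_CLIENTS;
    else if (n == 1 && !strcmp(verb, "kill-all"))     out->kind = CMD_KILL_ALL;
    else if (n == 1 && !strcmp(verb, "server-start")) out->kind = CMD_SERVER_START;
    else if (n == 1 && !strcmp(verb, "server-stop"))  out->kind = CMD_SERVER_STOP;
    else if (n == 1 && !strcmp(verb, "reconfigure"))  out->kind = CMD_RECONFIGURE;
    else if (n == 1 && !strcmp(verb, "kill-scan"))    out->kind = CMD_KILL_SCAN;
    else if (n == 1 && !strcmp(verb, "flush-queue"))  out->kind = CMD_FLUSH_QUEUE;
    else if (n == 2 && !strcmp(verb, "kill-client") && all_digits(arg))   out->kind = CMD_KILL_CLIENT;
    else if (n == 2 && !strcmp(verb, "scan") && valid_oval_id(arg))       out->kind = CMD_SCAN;

    if (out->kind != CMD_INVALID) strcpy(out->arg, arg);  /* arg is at most 63 chars */
    return out->kind;
}

/* Peer is allowed if it is root or its primary gid is the admin group. Note that
 * SO_PEERCRED only exposes the primary gid, so supplementary group membership is
 * not seen here; the socket node's own mode (root:scapd 0660) remains the first line. */
int scapctl_authorize(uid_t uid, gid_t gid, gid_t admin_gid)
{
    return uid == 0 || gid == admin_gid;
}

int main(void)
{
    int srv = socket(PF_LOCAL, SOCK_STREAM, 0);
    struct sockaddr_un sa = { .sun_family = AF_LOCAL };
    strncpy(sa.sun_path, SCAPCTL_SOCK, sizeof(sa.sun_path) - 1);
    unlink(SCAPCTL_SOCK);
    umask(077);                       /* socket node is created without world/group access */
    if (bind(srv, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(srv, 4) < 0) {
        perror("bind/listen");
        return 1;
    }
    for (;;) {
        int fd = accept(srv, NULL, NULL);
        if (fd < 0) continue;
        struct ucred cr; socklen_t len = sizeof(cr);
        char line[128] = "";
        if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) == 0 &&
            scapctl_authorize(cr.uid, cr.gid, SCAPD_ADMIN_GID) &&
            read(fd, line, sizeof(line) - 1) > 0) {
            struct scapctl_cmd c;
            const char *reply = scapctl_parse(line, &c) != CMD_INVALID ? "OK\n" : "ERR invalid command\n";
            write(fd, reply, strlen(reply));  /* a real daemon would dispatch c.kind here */
        } else {
            write(fd, "ERR unauthorized\n", 17);
        }
        close(fd);
    }
}
```

Two things worth keeping in mind if this shape is adopted: the authorization check runs before a single byte of the command is read, so an unprivileged local user cannot even exercise the parser, and the "scan" argument is never treated as a path, only as a validated id that the daemon maps to its own storage. A scheduled `scapctl --scan hash` from cron would then talk to this socket as the root or scapd-group user that cron runs it as.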