SARA -- A Better Scanning Tool
Ron McCarty
The Security Auditor Research Assistant (SARA) is a
network analysis tool for finding vulnerabilities in your network. SARA
reports its findings via an integrated Web server by running an analysis
against its dictionary, which uses the Common Vulnerabilities and Exposure
(CVE) dictionary. The CVE is sponsored by the US-CERT, is free for
download, and is regularly updated through a committee process. By using
the dictionary, the tool remains current without requiring a release of
code or involvement by the developer, thus improving the odds that current
vulnerabilities will be recognized by the tool assuming the dictionary is
upgraded regularly. In addition to the CVE dictionary, SARA also supports
an additional 14 scans at the time of this writing.
Besides performing the network assessment that should
be completed on a regular basis, SARA can also supplement a certification
process when turning up new systems. For example, a Web server in a DMZ
should likely not have much more running than Secure Shell (SSH), Apache,
and backup and monitoring daemons. SARA can verify that all other services
really are turned off. This assumes that SARA is run before the system
is placed in the DMZ or is run from within the DMZ, because the firewall
will block most of the ports SARA will query.
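The certification check described above, as an added example that is not from the article or the SARA project: it assumes a scan result transcribed as one "port/proto service" line per listening service, and a hypothetical DMZ baseline of SSH, Apache, a backup daemon and SNMP monitoring.

```shell
#!/bin/sh
# Added example, not code from the article or the SARA project: compare the
# listening services a pre-DMZ scan found against the allow-list the article
# describes (SSH, Apache, backup and monitoring daemons). The input format,
# one "port/proto service" per line, is assumed (transcribed from a host report).

# Constructed scan result for a Web server that is about to be moved into the DMZ.
SCAN_RESULT='22/tcp ssh
80/tcp http
443/tcp https
111/tcp sunrpc
10000/tcp amanda
161/udp snmp
21/tcp ftp'

# Hypothetical baseline for the DMZ Web server: SSH, Apache, backup (amanda) and
# monitoring (SNMP). Anything else listening fails certification.
BASELINE='22/tcp
80/tcp
443/tcp
10000/tcp
161/udp'

# unexpected_services SCAN BASELINE
# Prints each scanned port/proto that is absent from the baseline.
# Returns 0 when the host matches the baseline, 1 when extra services are up.
unexpected_services() {
    scan=$1
    baseline=$2
    found=0
    while read -r port svc; do
        [ -z "$port" ] && continue
        # -x forces a whole-line match, so 80/tcp does not match 8080/tcp.
        if ! printf '%s\n' "$baseline" | grep -qx "$port"; then
            printf '%s %s\n' "$port" "$svc"
            found=1
        fi
    done <<EOF
$scan
EOF
    return $found
}

if unexpected_services "$SCAN_RESULT" "$BASELINE"; then
    echo "host matches the DMZ baseline"
else
    echo "unexpected services listed above; fix them before placing the host in the DMZ" >&2
fi
```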
SARA Architecture Overview
SARA will run on most versions of Unix, Linux, Mac OS
X, and Windows (using coLinux). For this article, I used Red Hat 6.2 to get
some good examples of vulnerabilities identified by SARA.
SARA is a Perl program that both performs the
vulnerability scanning and serves up the Web pages. It can be run as a
command-line tool or started as a daemon. The results are presented via a
Web browser.
The SARA directory structure is made up of these
directories: bin, config, docs, html, perl, perlib, results, and rules.
(See the sidebar for a breakdown of the directory structure.) The directory
most important for this article is the config directory. You may also want
to take a look at the docs directory for additional information.
SARA classifies possible weaknesses in your
environment using three categories within an "Approximate Danger
Level". These categories are Critical Problems, Areas of Concern, and
Potential Problems. Besides reporting on these Approximate Danger Levels,
SARA can report based upon the type of vulnerability, and the number of
issues found per host. SARA can also take advantage of nmap (http://www.insecure.org) to
identify the operating systems of scanned hosts.
Installation
To install SARA, download the gzipped tarball from:
http://www-arc.com/sara/
and place it in /usr/local/src/ or your preferred
source directory. At the time of this writing, the current version of SARA
is 6.0.7d.
Unzip the distribution with:
gunzip sara-6.0.7d.tgz
Untar the archive with:
tar xvf sara-6.0.7d.tar
Then go to the directory created by untarring the archive:
cd /usr/local/src/sara-6.0.7d/
Execute the following commands:
./configure
make
make install
The make install step places the binaries and other SARA directories in
/usr/local/sara/. The install routine does not install the man page, so you
will need to install that yourself. On Red Hat, I did the following:
cp sara.8 /usr/local/man/man8
gzip -9 /usr/local/man/man8/sara.8
To access the reports (even if SARA is run as a
command line), a user must be created. User entries and passwords are
stored in the /usr/local/sara/config/password file. The user ID and
password can be created using the add_user script:
./add_user
The add_user script will prompt for the user ID and
password. Once entered, the user ID will be entered into the file in clear
text, but the password will be encrypted.
There are two ways that SARA performs scans: via the
Web interface or the command line. SARA's author recommends that the
scan not be run from the Web browser. I assume this is because the
authentication passes over the network in clear text, and the Unix
permissions (i.e., root) are not in place with the Web, but the scan is
running as root. If this is a concern for you, run the scans from the
command line only. I prefer to run the scans from the Web interface when
"poking around" a network to determine whether unauthorized
services have appeared. An SSL implementation would address some of the
risk.
Regardless of how SARA is run, the reports must be
viewed using a browser.
To run scans from the command line, the following
command can be run from /usr/local/sara/:
./sara -a0 192.168.1.1
The -a parameter defines the level from 0-4; these levels map to
light, normal, heavy, and extreme. The light scan is quick but typically
does not find any vulnerabilities. Normal is also pretty quick and is good
at analysis of which services are running. I prefer the heavy scan,
although it can be time consuming. The extreme level is unusable in
"real time" but is very thorough -- just be prepared to
leave it running and work on something else. Note that if you start SARA
without a parameter, then it will also start the default Web browser on the
host on which SARA is running.
Once SARA's scan is complete, the results can be
viewed by starting SARA in daemon mode with:
./sara -D
Then point your Web browser to the server on port 666
(default). Replace the host name with your host's specifics; for
example, I use:
http://lefty.mcwrite.net:666/
If you are accessing the information over the network,
you will need to add the Web browser's system to the configuration
file by editing /usr/local/sara/config/sara.cf and adding the IP address to the
$allowable_hosts entry.
If you do choose to scan hosts using the Web
interface, then edit the /usr/local/sara/config/sara.cf
file prior to starting SARA in daemon mode and change $allow_scan = 0 to $allow_scan = 1.
You may also not like the default 666 port SARA runs
on. You can change it by editing the entry:
$daemon_port = "666"
to an appropriate open port on the system.
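A pre-start check of the three sara.cf settings just discussed, added here as an example that is not from the article or from SARA: it assumes the $name = "value"; assignment form shown in the article's excerpts and that $allowable_hosts is a space- or comma-separated list.

```shell
#!/bin/sh
# Added example, not from the article or from SARA: audit the sara.cf settings
# the article discusses before starting "sara -D". The $name = "value"; form is
# taken from the article's excerpts; the host-list format is an assumption.
# Constructed sara.cf fragment containing the settings the article calls out.
SAMPLE_CF='$allow_scan = 1;
$allowable_hosts = "127.0.0.1 192.168.1.0/24";
$daemon_port = "666";'

# cf_get NAME CONFIG: print the value of $NAME without quotes, surrounding
# blanks or the trailing semicolon. Returns 1 when the setting is absent.
cf_get() {
    name=$1
    while IFS= read -r line; do
        case $line in
            "\$$name"[[:space:]=]*)
                value=${line#*=}             # keep what follows the '='
                value=${value%%;*}           # drop the ';' and anything after it
                printf '%s\n' "$value" | sed 's/^[[:space:]]*"\{0,1\}//; s/"\{0,1\}[[:space:]]*$//'
                return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# audit_sara_cf CONFIG: print one line per finding and return the number of
# findings, so 0 means the daemon is configured the conservative way.
audit_sara_cf() {
    cfg=$1
    findings=0
    if [ "$(cf_get allow_scan "$cfg")" = "1" ]; then
        echo "allow_scan=1: scans can be started from the Web interface and run as root"
        findings=$((findings + 1))
    fi
    for h in $(cf_get allowable_hosts "$cfg" | tr ',' ' '); do
        case $h in
            127.0.0.1|localhost) ;;          # local browser only: nothing to flag
            *) echo "allowable_hosts permits $h: report logins cross the network in clear text"
               findings=$((findings + 1)) ;;
        esac
    done
    if [ "$(cf_get daemon_port "$cfg")" = "666" ]; then
        echo "daemon_port=666: report server still on the well-known default port"
        findings=$((findings + 1))
    fi
    return $findings
}
```

Run audit_sara_cf against /usr/local/sara/config/sara.cf (read into a variable) before each sara -D start; the sample fragment above yields three findings.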
Figure 1 shows the SARA main menu page after
connecting to the Web server. SARA's interface is broken down into
the following eight sections:
SARA Home -- The start screen after logging on.
Not much useful information on the screen except possibly programs that it
can use, which it lists at the bottom of the screen. The two programs it
may report finding are nmap and Samba.
SARA Search -- This screen (Figure 2) allows you
to search the database of scanned hosts by IP, host name, or vulnerability.
An example of searching the vulnerabilities would be Apache (where it is
searching Apache against the list of hosts you have scanned, not all
vulnerabilities for Apache). After running the search, SARA presents a
report with the data as shown in Figure 3.
Data Management -- This section allows you to
configure the database in which SARA stores results. By default, SARA uses
/usr/local/sara/results/sara-data/ as the
directory for storing files associated with the results of scans. However,
additional databases can also be created within this section. This could be used to logically
separate the data gathered. I commonly group scans by networks and/or by
date.
Target Selection -- If you have enabled SARA to
run scans using the Web interface, then this section will allow you to
enter the host name or IP address that you would like to scan. After
entering the host information and running the scan, results will be
displayed accordingly (Figure 4).
Data Analysis -- This is the true strength of
SARA. By associating particular ports with the applicable daemon and
version, SARA identifies vulnerabilities and weaknesses that are specific
to the environment being analyzed. The view is similar to the results from
the target selection, but it uses all the information contained in the
scans run with a particular database. This creates a hierarchy where
vulnerabilities can be addressed starting with the most important within a
complete environment (network, subnet, location, etc.). The output is very
similar to that shown in Figure 4 but includes all the hosts scanned.
Configuration Management -- This screen provides
an interface to the config/sara.cf file.
Generally, the standard configuration with the
exceptions discussed above is adequate.
Documents/CVE -- This section contains a
repository of informational and how-to documents on SARA.
Troubleshooting -- This section contains
troubleshooting help for making SARA work.
Summary
SARA is a very powerful tool for performing network
analysis, system certification, and system hardening. It is easy to
compile, install, and use and should be included in your network tool box.
Ronald McCarty is a systems/network professional,
freelance author, and founder of Your Net Guard, a company specializing in
systems, networking, and security services. Ron completed his undergraduate
in CIS with University of Maryland and is currently seeking his graduate
degree from Capella University. His free time is spent with his best friend
and wife, Claudia, and their two children. Ron can be reached at mccarty@mcwrite.net.