arnoldv2
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
arnoldv2 [2008/04/02 09:39] bredal |
arnoldv2 [2008/04/02 12:40] bredal |
||
|---|---|---|---|
| Line 97: | Line 97: | ||
| This used to be the workhorse of the system. This is no longer the case as the python module 'arnold' now does all the work. This script is used now for basic use of arnold via a shell. You can run ''arnold.py -h'' to get a list of options. | This used to be the workhorse of the system. This is no longer the case as the python module 'arnold' now does all the work. This script is used now for basic use of arnold via a shell. You can run ''arnold.py -h'' to get a list of options. | ||
| - | ==== autoenable.pl ==== | ||
| - | ''autoenable.pl'' is run by cron and should not need to be run by any other user. All it does is fetch all disabled ports with an autoenable-value and enable that port if the time is due. Running it manually does the same thing. | + | ==== autoenable.py ==== |
| - | ==== start_arnold.pl ==== | + | ''autoenable.py'' is run by cron and should not need to be run by any other user. All it does is fetch all disabled ports with an autoenable-value and enable that port if the time is due. Running it manually does the same thing. |
| - | ''start_arnold.pl'' should be used in conjunction with a //blocktype//. A blocktype is first defined on the web-interface with name, options and so on. When a blocktype is defined you can use ''start_arnold.pl'' to run a block by that blocktype. Confusing? Yes. It was made for ease of use from other computers which had large lists of ip-addresses to be blocked. Lets make a scenario: | ||
| - | We want to scan our network for malicious computers. We have our own scanning-computer that has more-than-normal access to the whole network, and this is not the computer NAV is installed on. How do we deliver the list from the scanning-computer to arnold for blocking? Well, first we make a blocktype with the options we want. This is done by using the web-interface. We give the scanning-computer a public-key tuple on the NAV-server. Then we do some scanning which gives us a list of computers we don't want on the network anymore. We transfer the list like this (the -i option is the id of the blocktype): | + | |
| + | |||
| + | ==== start_arnold.py ==== | ||
| + | |||
| + | ''start_arnold.py'' should be used in conjunction with a //predefined detention//. This is first defined using the webinterface with name, options and so on. When it is defined you can use ''start_arnold.py'' to run a detention. Confusing? Yes. It was made for ease of use from other computers which had large lists of ip-addresses to be detained. Lets make a scenario: | ||
| + | |||
| + | We want to scan our network for malicious computers. We have our own scanning-computer that has more-than-normal access to the whole network, and this is not the computer NAV is installed on. How do we deliver the list from the scanning-computer to arnold for detentions? Well, first we make a predefined detention with the options we want, using the webinterface. We give the scanning-computer a public-key tuple on the NAV-server. Then we do some scanning which gives us a list of computers we don't want on the network anymore. We transfer the list like this (the -i option is the id of the predefined detention): | ||
| <code> | <code> | ||
| - | [prompt]# cat scanresult.txt | ssh scanner@navinstall.network.com:nav/bin/start_arnold_pl -i 1 | + | [prompt]# cat scanresult.txt | ssh scanner@navinstall.network.com:nav/bin/start_arnold_py -i 1 |
| </code> | </code> | ||
| - | This will ensure a clean and tidy run of arnold and some blocked ports. Of course you can also use ''start_arnold.pl'' to just pipe a local list of ip-addresses in, quick and easy. The main advantage is that all options are set by defining a blocktype and you have an easy way to "feed" Arnold. | + | This will ensure a clean and tidy run of arnold and some detained ports. Of course you can also use ''start_arnold.py'' to just pipe a local list of addresses in, quick and easy. The main advantage is that all options are set and you have an easy way to "feed" Arnold. |
| - | ==== t1000.pl ==== | ||
| - | This script is run by cron. It fetches all blocked ports from the database and starts checking if the mac-address which was behind that port is active any other place in the network. If it is, it blocks that port. Depending on options given at block-time it will either open the old closed port or just leave it closed. Needless to say this does not block the new port immediately after a blocked computer has moved to it, but it is as good as it gets (for now). | + | |
| + | ==== t1000.py ==== | ||
| + | |||
| + | This script is run by cron. It fetches all detained ports from the database and starts checking if the mac-address which was behind that port is active any other place in the network. If it is, it enforces the detention on that port aswell. Depending on options given at detention-time it will either enable the old port or just leave it. Needless to say this does not detain the new port immediately after a detained computer has moved to it as it takes some time before the mac-address is discovered, but it is as good as it gets (for now). | ||
| ====== Configuring Arnold ====== | ====== Configuring Arnold ====== | ||
| + | |||
| ===== Config files ===== | ===== Config files ===== | ||
| - | Arnold has two config-files, which both are quite small. | + | The following configuration files are used by Arnold. |
| - | ''nav/etc/arnold/arnold.cfg'' has three options. You specify the mail-program Arnold uses to send mail, the from-address Arnold identifies itself by, and a recipient which Arnold uses to send mail if something went wrong. All these are marked clearly in the file. | + | ====arnold.conf==== |
| - | ''nav/etc/arnold/nonblock.cfg'' is not really a config-file but an exception list. Some computers (ip-addresses) does not want to be blocked. If you want to grant them their wish, enter their ip-address in this file. The format is cleary defined in the file, and is quite flexible. You also have the possibility to define equipment-types that you don't want to block. This is a rather depricated option, but some switches that does not support snmp-set are included by default. | + | ''nav/etc/arnold/arnold.conf'' is divided into three sections. |
| - | In addition we have these: | + | * **arnold** is the section that contains information about what database to use and on what networking equipment Arnold should be able to detain ports. You also define email-addresses here. |
| + | * **loglevel** defines the different loglevel for each of arnold's scripts (the webinterface logs to the default weblog-file, and that loglevel is not defined here). | ||
| + | * **arnoldweb** has just one config option, which sets the default detention method when loading the webinterface. | ||
| - | ''nav/etc/arnold/mailtemplates/*'' | ||
| - | If you make a //Blocktype// you will notice a textfield called "Path to mailfile". Arnold may send mail to those listed as responsible for the ip-address it tries to block. Who is responsible is fetched from the NAV-database. But Arnold does not know what you want to tell these people, so you have to write the general format of the mail yourself. This template is what you write and place in the mailtemplates-folder, and the name of the file you make (which contains your template) is placed in the "Path to mailfile"-textfield. A description on how to make a template is in the ''README''-file located in the ''mailtemplates/''-folder. | + | ====nonblock.conf==== |
| + | ''nav/etc/arnold/nonblock.conf'' is not really a config-file but an exception list. Some computers (ip-addresses) does not want to be detained. If you want to grant them their wish, enter their ip-address in this file. The format is cleary defined in the file, and is quite flexible. You also have the possibility to define equipment-types that you don't want to block. This is a rather depricated option, but some switches that does not support snmp-set are included by default. | ||
| + | |||
| + | |||
| + | ====Mailtemplates==== | ||
| + | |||
| + | ''nav/etc/arnold/mailtemplates/*'' | ||
| - | More to come. | + | If you make a //predefined detention// you will notice a textfield called "Path to mailfile". Arnold may send mail to those listed as responsible for the address it tries to detain. Who is responsible is fetched from the NAV-database (the contact address defined for an organisation). But Arnold does not know what you want to tell these people, so you have to write the general format of the mail yourself. This template is what you write and place in the mailtemplates-folder, and the name of the file you make (which contains your template) is placed in the "Path to mailfile"-textfield. A description on how to make a template is in the ''README''-file located in the ''mailtemplates/''-folder. |
| - | ====== Details ====== | ||
| - | More details. | ||
| - | Logs of arnold-activity are stored in ''nav/var/log/arnold''. | + | ====== Logging ====== |
| + | The arnold scripts logs to individual files stored in ''nav/var/log/arnold''. The webinterface logs to the default webfront log, usually ''nav/var/log/webfront.log''. The loglevel used for each script is defined in arnold.conf. | ||
| - | ====== Arnold - why the name? ====== | ||
| - | The story. | ||
arnoldv2.txt · Last modified: 2008/04/30 09:38 by morten
Page Tools
