[Openvas-commits] r8241 - trunk/doc/website

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Jun 29 23:09:04 CEST 2010


Author: jan
Date: 2010-06-29 23:09:03 +0200 (Tue, 29 Jun 2010)
New Revision: 8241

Modified:
   trunk/doc/website/openvas-cr-44.htm4
Log:
Reworked CR#44.



Modified: trunk/doc/website/openvas-cr-44.htm4
===================================================================
--- trunk/doc/website/openvas-cr-44.htm4	2010-06-29 20:15:12 UTC (rev 8240)
+++ trunk/doc/website/openvas-cr-44.htm4	2010-06-29 21:09:03 UTC (rev 8241)
@@ -83,65 +83,52 @@
 </p>
 
 <p>
-The practical implementation will be mostly analog to the ovaldi-integration for OVAL
-scripts.
+The practical implementation will not be analog to the ovaldi-integration for OVAL
+scripts, because the NSE scripts do not offer a consistent scheme to inform
+their capabilities and needs, for example preferences.
 </p>
 
-<h4>NSE Metadata in the format of NVT</h4>
-<p>
-OpenVAS will read the metadata from NSE scripts, basically the description 
-portion and communicates to the client which will allow users to select the
-NSE scripts to be run.
-</p>
+<h4>NASL Wrapper for NSE scripts</h4>
 
-<h4>NSE's Launch and Report</h4>
 <p>
-The NMAP interpreter will be run as a sub-process of openvassd based on the
-script selection with all the preferences. NMAP outputs the results in the
-form of XML or grepable format. This output is parsed by OpenVAS server to
-the format of the reports. The OpenVAS server returns the results of the NMAP
-script output to the client along with the results of other NVTs.
+The meta data for NSE scripts will be collected in a NASL wrapper for
+each NSE script. These wrapper scripts will take care of launching nmap with the
+respective preferences, issue messages according to the results and handle errors.
 </p>
 
-<p>
-Some of the NSE scripts need "--script-args". However, all of the NSE's work
-without this since they have default options to fall back on. In future, if
-there are scripts that need a mandatory "--script-args" option, we need to 
-associate script_preferences to each script and accordingly fetch those
-preferences before launching.
-</p>
+<h4>ID's for NSE scripts</h4>
 
-<h4>OID Map for NSE's</h4>
 <p>
 NVTs are identified by OIDs within OpenVAS. NSE's are not associated with 
-any identifiers. For the purpose of identification, in order to launch the
-selected script, OpenVAS must allocate an ID range at the time of loading
-NSE's and build an internal map between OID and NSE names.
+any identifiers. Since for each NSE a invidual wrapper needs to be developed,
+the ID scheme should follow the current practice of ranges assigned for
+developers/developer teams.
 </p>
 
-<h4>Integrity Check of NSE's</h4>
+<h4>Integration of NSE scripts into the feed</h4>
+
 <p>
-  OpenVAS uses OpenPGP signatures to check
-  the <a href="http://www.openvas.org/trusted-nvts.html">integrity of
-  NASL files</a> and will not run any NASL file that does not have a
-  valid signature from a trusted key.  Something like this would be
-  desirable for the NSE scripts too. The easiest way to support it
-  would be to use the same signature mechanism as for NASL scripts and
-  have openvassd check the signatures before running NMAP.
+A new subdirectory "Nmap" in the feed would carry
+the .nse file and the corresponding .nsal-wrapper.
+For both files corresponding .asc signature
+files are added. This would automatically
+care for signature checks.
 </p>
 
-
 <h3>Implementation</h3>
 
-<ul>
-<li> openvas-server/openvasd/nse_plugins.c: New "class" implementing the
-     described functionality similar to the oval_plugins.c.
-</ul>
+<p>
+No modifications of the scanner are required.
+It is a pure NASL-based solution: For each NSE script
+a NASL wrapper is to be implemented.
+</p>
 
 
 <h3>History</h3>
 
 <ul>
+<li> 2010-06-29 Jan-Oliver Wagner &lt;jan-oliver.wagner at greenbone.net&gt;:<br>
+     Reworked and simplified concept to be a pure NASL approach.</li>
 <li> 2010-02-26 Jan-Oliver Wagner &lt;jan-oliver.wagner at greenbone.net&gt;:<br>
      Fixed some typos. Updated Rationale: 0-day should not be promised by OpenVAS
      as it would surely need more than 1 day to add new NSEs into the Feed.


