About Compoly
Compoly is Free and distributed under the terms of the GNU General Public Licence.
Compoly consists of two main parts: collection scripts and analysis scripts. Collection scripts are system-specific. Analysis scripts are Perl-based. "Best Practices" standards are stored in XML files in the kb directory. The analysis script can generate reports in different formats.
Advantages
  • No installation is required - peace of mind for IT administrators
  • Collection scripts are open source - ability to review content for IT administrators
  • Analyze collected information against "best practice" or company specific standards
  • Easy to update Knowledge Base with risk, impact and references
  • Reporting in different formats (HTML, RTF-MS Word compatible, PDF)
  • Multilanguage support
  • Platform independent
Process flow diagram
 
Warning
All materials here are FREE and copyrighted under the GNU GPL. All efforts have been made to make these scripts safe and efficient. They were tested on different platforms under different conditions. But there is no implicit or explicit warranty! So, use at your own risk!
 
Online Analysis Security Controls
The following controls are in place to provide confidentiality of your submitted data and integrity of generated reports:
  • The online-analysis process is fully automated. The only exception is when you report problems or errors; otherwise nobody from the support group sees your configuration files or the report.
  • All submitted files except session and error logs are automatically deleted after 24 hours.
  • A random 15-character session number is used to separate submissions and keep submitted data confidential.
  • The web server rejects any GET request for files other than those with .php, .htm, .rtf and .pdf extensions, so your .xml and .txt configuration data files cannot be viewed on-line.
  • For file submission, communication between your computer and the server is encrypted with 128-bit SSL to prevent interception of content in transit. Yes, the server uses a self-signed certificate. Donate, and it will be from a third-party authority.
  • A dedicated virtual server in a secure data centre location is used for the analysis site. Donate, and it will be a dedicated physical server.
  • The web server has a form of Intrusion Prevention System (IPS), so please report to web admin (one word) at lbsecurity.org if you have been locked out by mistake.
  • The web site server is regularly updated and scanned for known vulnerabilities.
  • All collection scripts are clear-text files with comments inside. No installation is required, so review the content of a script for your peace of mind.
  • An off-line analysis script is available for download; run it as an alternative.
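The following is an added example, not Compoly's own code (the service itself runs PHP on the web side and Perl for analysis), written in Python so that three of the controls listed above can be seen as explicit, testable decisions: the GET extension allowlist, the random 15-character session identifier, and the 24-hour purge that spares session and error logs. The session-id alphabet, the exempt log file names and the purge helper are assumptions; the allowed extensions are the ones the page names.

```python
import posixpath
import secrets
import string
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Extensions the page says the web server serves on GET; everything else is rejected.
ALLOWED_EXTENSIONS = frozenset({".php", ".htm", ".rtf", ".pdf"})

# Assumed session-id alphabet and length (the page states only "random 15 characters").
SESSION_ALPHABET = string.ascii_letters + string.digits
SESSION_ID_LENGTH = 15

# Assumed retention policy and the log names exempt from purging (constructed names).
RETENTION = timedelta(hours=24)
EXEMPT_FROM_PURGE = frozenset({"session.log", "error.log"})


def normalise_request_path(raw_target: str) -> str:
    """Canonicalise the path part of a request target before checking it.

    The query string is discarded, percent-encoding is decoded and '.'/'..'
    segments are collapsed, so the extension check sees the path the file
    system would actually resolve rather than the string the client sent.
    """
    path = unquote(urlsplit(raw_target).path)
    return posixpath.normpath("/" + path.lstrip("/"))


def is_get_allowed(raw_target: str) -> bool:
    """Return True only for paths whose final extension is in the allowlist."""
    path = normalise_request_path(raw_target)
    if "\x00" in path:
        # A decoded NUL would let a name such as 'config.xml%00.pdf' pass a naive
        # suffix check while a C-based file API stops reading at the NUL. Reject.
        return False
    ext = posixpath.splitext(path)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def new_session_id() -> str:
    """Generate a 15-character session identifier from the OS CSPRNG.

    secrets.choice is used rather than random.choice so one submission's
    identifier cannot be predicted from another's.
    """
    return "".join(secrets.choice(SESSION_ALPHABET) for _ in range(SESSION_ID_LENGTH))


def files_to_purge(entries, now: datetime) -> list:
    """Select submitted files older than RETENTION, keeping session and error logs.

    entries is an iterable of (path, last_modified) pairs, e.g. as gathered from
    os.walk and os.stat. Returning the list instead of deleting in place keeps
    the policy decision testable and separate from the file-system action.
    """
    stale = []
    for path, modified in entries:
        if posixpath.basename(path) in EXEMPT_FROM_PURGE:
            continue
        if now - modified >= RETENTION:
            stale.append(path)
    return stale


def purge_demo() -> list:
    """Run files_to_purge over a constructed session directory listing."""
    now = datetime(2006, 1, 2, 12, 0, 0)
    listing = [
        ("/data/SESSION/config.xml", now - timedelta(hours=25)),
        ("/data/SESSION/report.pdf", now - timedelta(hours=1)),
        ("/data/SESSION/session.log", now - timedelta(days=3)),
        ("/data/SESSION/error.log", now - timedelta(days=3)),
    ]
    return files_to_purge(listing, now)


if __name__ == "__main__":
    # Constructed sample requests, not traffic from the real site.
    for target in ("/report.htm", "/reports/abc.PDF?download=1",
                   "/sessions/x/config.xml", "/sessions/x/config.xml%00.pdf", "/sessions/"):
        print(f"{target:40} {'allow' if is_get_allowed(target) else 'reject'}")
    print("session id:", new_session_id())
    print("purge:", purge_demo())
```

The extension check deliberately normalises before it decides: comparing the raw request string against `.pdf` would be fooled by a query string, mixed-case extension or percent-encoded name, and the decoded-NUL check is the one edge case a suffix comparison alone does not cover. The purge routine only reports what would be deleted, so the 24-hour policy can be unit-tested without touching the disk.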

Wish list to improve security controls

  • Implement a trusted third-party SSL certificate. Current restriction - cost.
  • Create a RAM-based partition to store configuration and report files, so nothing is recorded on a physical hard drive. Current restriction - cost of additional RAM.
  • Have a dedicated physical server with explicitly restricted physical access. Current restriction - co-location cost.
  • Your suggestions
 
Contact
Hope you will find it useful. To contact me send an e-mail to etaylashev at hotmail or web admin (one word) at lbsecurity.org.
Copyright (C) 2005-2006 by Eugene Taylashev