Welcome to the Scavenger Trac Server

In order to make managing the code and tickets easier, we are using Trac and subversion.

If you're looking to download the code, use the following commands to grab the latest:

svn co https://svn.anl.gov/repos/scavenger/trunk/scanner
svn co https://svn.anl.gov/repos/scavenger/trunk/web

Once we release a stable branch, use the following instead:

svn co https://svn.anl.gov/repos/scavenger/branches/RB-1.0/scanner
svn co https://svn.anl.gov/repos/scavenger/branches/RB-1.0/web/

What is Scavenger?

Scavenger is an open source real-time vulnerability management tool. It helps system administrators respond to vulnerability findings, track vulnerability findings, review accepted or false-positive answered vulnerabilities, and not 'nag' system administrators with old vulnerabilities.

At this time, Scavenger parses the results from a Nessus scan and stores them in a MySQL database. From that point, a user can login to a web interface and answer a vulnerability as 'addressed', 'accept', or 'false-positive'. If an administrator answers accept or false-positive, Scavenger will not insert a new vulnerability again. However, if a user marks a vulnerability as 'addressed' and it comes up again in a scan, it will insert a new vulnerability into the database.

The Cyber Security Program Office at Argonne National Laboratory developed the software in 2006 and have been using it for a year. The reason for developing the software was to take the burden of going through vulnerability scan results from our shoulders and distribute the work automatically to the system administrators. An archived presentation from the 2007 DOE Cyber Security Training Conference can be found here (click on "Archived Presentations" and the presentation is located in the "Wednesday/Room A/2pm Wisniewski.pdf") that explains the details of the system.

In the future, we would like to add other alerts to Scavenger. Even though Nessus is an open-source vulnerability scanner, we would like to try to have the organization decide what they would like to add to the program. For example, we are looking at integrating IDS and Netflow alerts so a system administrator of a particular area would have to answer the alarm. This could be applied to so many different applications in this day and age that the possibilities are endless.

Organizations need an application to manage vulnerabilities, and Scavenger is a tool that can do this.

Screen Shots

• Screen Shots
• Check out the presentation from the Cyber Security Conference for now. It can be found here There are some screenshots of Scavenger in there.

Status

We now have an Open Source License!!! Please see here for the license.

Trac Starting Points

• TracGuide -- Built-in Documentation
• The Trac project -- Trac Open Source Project
• Trac FAQ -- Frequently Asked Questions
• TracSupport -- Trac Support

For a complete list of local wiki pages, see TitleIndex.