OUTPUT MODES DESCRIPTION - FERRET

The Ferret core, the vulnerability-checking plug-ins, and the output plug-ins can be run in different modes. For each mode, the Ferret core generates a raw-format output file from the results returned by the vulnerability-checking plug-ins. The layout of this raw-format file differs from one mode to another, and each mode can offer several formats in which the final results of that mode are presented. Two modes have been implemented. The first mode focuses specifically on reporting the vulnerabilities found. The second mode provides more detailed information on the vulnerabilities found and on how they could be exploited, for the purpose of quantifying security. We now detail the output plug-ins for these two modes.

OUTPUT PLUG-IN WITH FIRST MODE

The raw-format output file created by the Ferret core for this mode consists of four fields. The first field contains the name of the plug-in. The second field contains a short description of what the plug-in checks. The third field indicates the result of the plug-in's scan, i.e., whether a vulnerability was found. The last field provides additional information about the vulnerability found by the plug-in. For example, if a plug-in finds that a home directory listed in the password file is group-writable, the last field names the exact home directory that is group-writable. This mode is useful to the system administrator for determining the vulnerabilities present in the system, including those in users' home directories. Based on the results obtained, an organization-wide security policy can be drawn up and user negligence can be checked effectively. For example, the system administrator becomes aware of which users consistently leave their .login files world-writable or have blank password fields.
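As an added example (not Ferret's own code), the following two first-mode style checks show how such a plug-in produces the four-field record: they read a password file, flag group-writable home directories and blank password fields, and return the plug-in name, description, result, and detail. The plug-in names, the description strings, the dict layout of the record, and the constructed sample password lines are assumptions of this example; the password file is assumed to follow the standard passwd(5) layout.

```python
"""Added example (not Ferret's own code): two first-mode style checks.

Each check inspects password-file entries and returns the four-field record
(plug-in name, description, result, detail).  Plug-in names, descriptions and
the dict layout of the record are assumptions of this example.
"""
import os
import stat
import tempfile
from typing import Callable, Dict, List, Optional, Tuple

PasswdEntry = Tuple[str, str, str]  # (user, password field, home directory)


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Read passwd(5)-format lines; skip blanks, comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entries.append((fields[0], fields[1], fields[5]))
    return entries


def make_record(plugin: str, description: str, findings: List[str]) -> Dict[str, str]:
    """Assemble the four-field raw record; 'detail' names exactly what was found."""
    return {
        "plugin": plugin,
        "description": description,
        "result": "vulnerable" if findings else "ok",
        "detail": ", ".join(findings),
    }


def check_home_dir_perms(passwd_text: str,
                         mode_of: Callable[[str], Optional[int]]) -> Dict[str, str]:
    """Flag home directories whose group-write bit is set.

    mode_of(path) returns st_mode, or None if the path does not exist; it is
    injected so the check runs against the real filesystem or a constructed map.
    """
    bad = []
    for _user, _pw, home in parse_passwd(passwd_text):
        mode = mode_of(home)
        if mode is not None and mode & stat.S_IWGRP:
            bad.append(home)
    return make_record("home_dir_perms",  # hypothetical plug-in name
                       "home directories in the password file are not group-writable",
                       bad)


def check_blank_passwords(passwd_text: str) -> Dict[str, str]:
    """Flag accounts whose password field is empty (no password required)."""
    blank = [user for user, pw, _home in parse_passwd(passwd_text) if pw == ""]
    return make_record("blank_passwords",  # hypothetical plug-in name
                       "no account has an empty password field",
                       blank)


def fs_mode(path: str) -> Optional[int]:
    """mode_of() backed by the real filesystem."""
    try:
        return os.stat(path).st_mode
    except FileNotFoundError:
        return None


def demo() -> List[Dict[str, str]]:
    """Run both checks against a constructed home tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        alice, bob = os.path.join(root, "alice"), os.path.join(root, "bob")
        os.mkdir(alice)
        os.mkdir(bob)
        os.chmod(alice, 0o755)   # explicit chmod so the umask cannot mask the bits
        os.chmod(bob, 0o775)     # group-writable: the finding we expect
        # constructed passwd lines; bob also has a blank password field
        passwd = (f"alice:x:1001:1001::{alice}:/bin/sh\n"
                  f"bob::1002:1002::{bob}:/bin/sh\n")
        return [check_home_dir_perms(passwd, fs_mode), check_blank_passwords(passwd)]


if __name__ == "__main__":
    for rec in demo():
        print("|".join(rec[k] for k in ("plugin", "description", "result", "detail")))
```

Injecting mode_of keeps the permission logic testable without touching the real filesystem; demo() shows the same check run against real directories created with known modes.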
OUTPUT PLUG-IN WITH SECOND MODE

The raw-format output file created by the Ferret core for this output plug-in begins with the list of all users (along with their groups) whose home directories are on the host on which Ferret is running. The remainder of the file consists of records of four fields. The first field contains the name of the plug-in. The second field describes the change of privilege that the vulnerability makes possible. The third field gives the name of the vulnerable file or directory. For example, if a plug-in finds that a home directory listed in the password file is group-writable, the third field names the password file. The last field gives a brief description of the vulnerability. Using a privilege graph, the information this output plug-in provides on each vulnerability and on the change of privilege its exploitation allows can be used to evaluate the security of a computing system. Our approach is based on work by Ortalo et al., who presented a method for evaluating security by building a privilege graph, and on Dacier and Deswarte, who showed that host vulnerabilities can be represented in a privilege graph. In such a graph, each node represents a set of privileges assigned to a user or to a set of users (e.g., a Unix group). Each arc connecting two nodes represents a system vulnerability that allows a user holding the privileges of the starting node to obtain the privileges of the ending node. The output file produced by Ferret contains the elements needed to build a privilege graph: besides two special nodes, one for a user with no privileges (an outsider) and one for a user with administrative privileges, the list of users along with their groups contained in the output file defines the set of nodes, and each vulnerability is associated with a transition between two nodes.
The output file thus contains the list of vulnerabilities found on a host, i.e., the list of transitions between nodes of the privilege graph; the output of the second mode is therefore a textual description of a privilege graph.
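As an added example (not Ferret's own code), the following script builds a privilege graph from a second-mode style raw file and enumerates the chains of vulnerabilities by which an outsider could reach administrative privileges. The record layout is assumed: a users block of user:group1,group2 lines, then a block of pipe-separated four-field records whose second field encodes the privilege change as from>to. The sample raw file is constructed, and the implicit user-to-group arcs (a member of a group holds that group's privileges) are a modeling assumption of this example, not something the page states.

```python
"""Added example (not Ferret's own code): privilege graph from second-mode style output.

Assumed raw layout:
  users:
  <user>:<group>,<group>,...
  vulnerabilities:
  <plugin>|<from>><to>|<vulnerable file or dir>|<description>
"""
from collections import defaultdict
from typing import Dict, List, Tuple

OUTSIDER = "outsider"   # special node: a user with no privileges
ADMIN = "root"          # special node: administrative privileges
MEMBERSHIP = "group membership"  # label of the assumed implicit user->group arcs

# Constructed sample raw file (not real Ferret output).
SAMPLE = """\
users:
alice:users,wheel
bob:users
guest:guests
vulnerabilities:
passwd_check|outsider>guest|/etc/passwd|password field for guest is blank
login_perms|guest>alice|/home/alice/.login|.login is world-writable
home_dir_perms|users>bob|/home/bob|home directory is group-writable
suid_files|alice>root|/usr/local/bin/backup|setuid-root program writable by alice
cron_jobs|bob>root|/etc/cron.d/backup|root cron job runs a script in bob's home
"""

Vuln = Tuple[str, str, str, str, str]          # (plugin, from, to, file, description)
Step = Tuple[str, str, str]                    # (node reached, arc label, file)
Graph = Dict[str, List[Step]]


def parse_raw(text: str) -> Tuple[Dict[str, List[str]], List[Vuln]]:
    """Split the raw file into user->groups and the list of vulnerability records."""
    users: Dict[str, List[str]] = {}
    vulns: List[Vuln] = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in ("users:", "vulnerabilities:"):
            section = line[:-1]
            continue
        if section == "users":
            name, _, groups = line.partition(":")
            users[name] = [g for g in groups.split(",") if g]
        elif section == "vulnerabilities":
            plugin, change, path, desc = [f.strip() for f in line.split("|", 3)]
            frm, _, to = change.partition(">")
            vulns.append((plugin, frm, to, path, desc))
    return users, vulns


def build_graph(users: Dict[str, List[str]], vulns: List[Vuln]) -> Graph:
    """Nodes: outsider, root, every user and group. Arcs: one per vulnerability,
    plus the assumed implicit user->group arcs."""
    graph: Graph = defaultdict(list)
    nodes = {OUTSIDER, ADMIN} | set(users)
    for user, groups in users.items():
        nodes.update(groups)
        for g in groups:
            graph[user].append((g, MEMBERSHIP, ""))
    for plugin, frm, to, path, _desc in vulns:
        nodes.update((frm, to))
        graph[frm].append((to, plugin, path))
    for n in nodes:
        graph.setdefault(n, [])
    return dict(graph)


def attack_paths(graph: Graph, src: str = OUTSIDER, dst: str = ADMIN) -> List[List[Step]]:
    """All simple paths from src to dst; each step records the arc that was used."""
    paths: List[List[Step]] = []

    def dfs(node: str, visited: set, path: List[Step]) -> None:
        if node == dst:
            paths.append(list(path))
            return
        for to, label, fpath in graph.get(node, []):
            if to not in visited:
                visited.add(to)
                path.append((to, label, fpath))
                dfs(to, visited, path)
                path.pop()
                visited.discard(to)

    dfs(src, {src}, [])
    return paths


def min_vulns_to_root(graph: Graph):
    """Fewest vulnerabilities an outsider must chain to reach root; None if unreachable."""
    counts = [sum(1 for _, label, _ in p if label != MEMBERSHIP) for p in attack_paths(graph)]
    return min(counts) if counts else None


if __name__ == "__main__":
    g = build_graph(*parse_raw(SAMPLE))
    for p in attack_paths(g):
        print(" -> ".join([OUTSIDER] + [f"{n} [{label}]" for n, label, _ in p]))
    print("minimum vulnerabilities to root:", min_vulns_to_root(g))
```

Removing a single record from the vulnerabilities block and rebuilding the graph shows which findings actually disconnect the outsider from root, which is the kind of question the privilege-graph representation is meant to answer.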