SARA is a derived work of the Security Administrator Tool for Analyzing
Networks (SATAN) (http://www.porcupine.org/satan).  SATAN was developed
by Dan Farmer and Wietse Venema.  

  o For a copyright notice of SARA and SATAN, refer to COPYING

  o For configuration information on SARA's daemon mode, please refer
    to the comments in the config/sara.cf file.

  o For operational information on SARA Reporter (SARA report writer), 
    look for information on the initial SARA page.

  o For information on SARA and SANS Top 10 Vulnerability Certification,
    check out the initial SARA page.

  o For CVE compliance, review the initial SARA page.

  o For SARA Self Scan, read sss/README.

Check the INSTALL file for details on installing, building, and running SARA.

-------------------------------------------------------------------------
15 December 2003

Many changes were made to the report generation process.  The report.xml
becomes the focal point for the csv and html reports.  The html and csv
reports have been changed significantly to improve readability and
consistency with CVE and SANS20.

We are moving towards a rule-based architecture; several functions
have been migrated to rules/<service>.rules.  More to come in the future.

We are about 40% of the way towards migrating our tutorials to the standard
CERT advisories.  More to come here also.

We are current with the CVE and the SANS/20-4 specifications.

We have been reminded about some of the security issues with SARA.  For
enterprise-level SARA scans, it is advisable that the SARA host(s) allow
only trusted users.  Though it is difficult, any legitimate user on the
SARA system could access the SARA server while it is running.

We have dropped all reportwriter support for SAINT (as it is now proprietary)
and SATAN (as it is obsolete).  Reportwriter is now integrated into the
SARA report process.  Note that the operation of the -r switch has changed;
check ./sara -h or man sara.8 for details.

Users are encouraged to join the sara-l list at www-arc.com/sara.
-------------------------------------------------------------------------
2 October 2002

The Advanced Research Corporation (r), supporting the FBI/SANS Vulnerability
Consensus, is releasing SARA-4.1.1 which fully incorporates the new
Top 20 list and the industry consensus of relevant vulnerabilities
(as referenced by Common Vulnerabilities and Exposures (CVE) items).
This feature will be available in the SARA ReportWriter and will be
migrated into the XML report in future releases.

SARA will be available from the Advanced Research Corporation (ARC) web site
at:

      http://www-arc.com/sara/downloads/sara-4.1.1.tgz

General information on SARA and the ARC can be found at:

      http://www-arc.com

Contact Bob Todd (toddr@arc.com) for details.


19 September 2002

One of our customers asked for a method to insert the MAC address into
the SARA reports.  The customer agreed to build the MAC proxy server
for their enterprise.  SARA would query the MAC server, add the MAC to
the all-hosts file, and insert it into the appropriate csv and xml files.
SARA users are invited to build their own MAC servers and use the
ip2mac() function in perl/misc.pl to access them.  This facility is
deactivated by default.  To enable it, uncomment the $mac_proxy line in
config/sara.cf and add the appropriate server address.

01 February 2002

We added the SARA Self Scan (SSS) facility.  Details on SSS can be found
in the file sss/README.

02 August 2001

Several of our customers have requested a facility to associate hosts
with the system administrator in the ReportWriter outputs (html and csv
formats).  Starting with SARA-3.4.8, a beta version has been introduced.
A new directory (administrators) has been added to the sara directory
structure.  For each administrator, a file should be created that
contains one or more lines, each containing an IP or IP range (Class C
limit).  I am using the email address for the filename for each 
administrator.  You can use any legal Unix file name scheme.  A sample
file is provided under the administrators directory.  To activate
this feature, set $get_admins to "1" in config/sara.cf. That should
do it. 


17 July 2001

During our enterprise scans, we determined that we were missing many
hosts during the night hours.  Many folks turned off their systems at
night.  In order to maximize coverage, SARA has an option of running
only during specified periods.  The file rules/timing contains samples
of how to restrict SARA scanning periods.
 

Many SARA tests cannot determine with absolute certainty if
the service is vulnerable.  In these cases, it makes a best
guess.  The guess may not always be correct, which could
result in an unfair assessment.  As a result, we have
added a facility to cancel possibly incorrect assessments.

What to do?

1. Define the file rules/correct_report with the following
   format:

   host|keyword|Certifier|Date

   Where

	host:       The name/IP as represented in the SARA report

	keyword:    Word in the SARA report that identifies the
	            improperly detected vulnerability (e.g., RDS,
	            printer, etc.)

	Certifier:  Name of person who certifies that the keyword
	            services are not vulnerable

	Date:       Date of certification


2.  When running sara, add the -C argument to enable manual correction
    or change the $correction variable in config/sara.cf

3.  Run SARA Reporter.  The corrections will be applied to the report.

4.  Note that this correction table only functions with SARA Reporter
    at this time.
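
An added example (not part of SARA or its documentation): a small Python
check of a rules/correct_report file against the host|keyword|Certifier|Date
format above, which also lists corrections that no longer match any finding.
Matching by exact host and case-insensitive keyword substring is an
assumption about how corrections are applied; the hosts, names and findings
are constructed.

```python
from dataclasses import dataclass

@dataclass
class Correction:
    host: str
    keyword: str
    certifier: str
    date: str
    line_no: int

def parse_corrections(text):
    """Parse host|keyword|Certifier|Date lines; return (entries, errors)."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("|")]
        if len(fields) != 4:
            errors.append((n, "expected 4 '|'-separated fields"))
        elif not all(fields):
            # A correction with no certifier or date cannot be audited later.
            errors.append((n, "empty field"))
        else:
            entries.append(Correction(*fields, line_no=n))
    return entries, errors

def apply_corrections(findings, entries):
    """Return (kept, waived, stale): stale = corrections that matched nothing."""
    kept, waived, used = [], [], set()
    for host, text in findings:
        # Assumed matching rule: same host, keyword appears in the finding text.
        hit = next((c for c in entries
                    if c.host == host and c.keyword.lower() in text.lower()), None)
        if hit is None:
            kept.append((host, text))
        else:
            used.add(hit.line_no)
            waived.append((host, text, hit.certifier, hit.date))
    stale = [c for c in entries if c.line_no not in used]
    return kept, waived, stale

# Constructed sample data (not taken from a real SARA run).
SAMPLE_RULES = """\
10.0.0.5|RDS|J. Smith|2001-07-17
10.0.0.9|printer|A. Jones|2001-07-18
10.0.0.7|ftp||2001-07-18
10.0.0.8|telnet
"""
SAMPLE_FINDINGS = [
    ("10.0.0.5", "IIS RDS vulnerability"),
    ("10.0.0.5", "anonymous ftp writable"),
    ("10.0.0.6", "IIS RDS vulnerability"),
]
```

Entries reported as stale are worth removing from rules/correct_report, so
that an old certification does not hide the same keyword if it reappears.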



