Probe Types (Out Of Box)
wmi, snmp, ssh, http, wins, dns, printer, osx, ip_phone
How Discovery Works (Out Of Box)
- port scanner runs against IPs to see what's open
- determines device type
- depending on type, runs applicable probes:
- Windows: WMI & powershell
- Unix: SSH
- Printers: SNMP
- Network Devices: SNMP
- Web: HTTP headers
- UPS: SNMP
- search the CMDB using weighted identifiers (serial, MAC, IP, etc.) and do one of the following:
- update/add matching CI
- no-op
Questions
- What does it find with no credentials or bogus credentials? Yes, it's agent-less, but is it still basically an opt-in technology?
- How do we recommend Yale leverages this tool? Do we use it once and update every so often? Do we enable people to use this as an asset management import tool?
- How many MID servers, and where, based on security and firewall considerations?
Assertions
- Must obey principle of least privilege for SN instance and MID Server
- We should net something; i.e., either quality of CMDB or speed of discovery should be better than without the tool
Experiments
No-Credential Discovery
- discover a DC subnet w/o credentials, see what you get with out-of-the-box settings (nothing, as it turns out)
- discover a desktop subnet w/o credentials, see what you get
- ..
Platforms
Proof of Concept
Instead of using the canned SSH-based probes for UNIX, we are researching the possibility of using SNMP against UNIX boxes (and possibly Windows). In theory we can . We do this by simply replacing the SSH probes with equivalent SNMP probes that GET the information from extended MIB objects, which we apply to all machines we plan to instrument.
...
...we may want to use SNMPv3, but the general idea is clear: we can expose arbitrary configuration data through SNMP. Since there are only a few dozen probes (and maybe only a subset of actual interest to Yale), we should be able to leverage SNMP for UNIX discovery instrumentation.
Rewiring of Discovery
- make sure SSH discovery doesn't happen
- no credentials
- configure the behavior of the MID server to skip SSH
- Expand the stock Linux classifier for SNMP so that it runs additional Explore-phase probes
Write SNMP Hooks & Custom MIB
- scripts to call from net-snmp extend directives. Put the logic in these scripts rather than in ServiceNow: it hides information from the instance and gives the discovery targets maximum control over what they expose.
- a custom MIB will aid in probe & sensor clarity
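As an added example (not from the original page or from Yale's project), here is what such an extend hook can look like: a POSIX sh script that snmpd runs via an extend directive, emitting the distribution name on line 1 and the version on line 2, which is the two-line payload the scripted sensor under Sensor Replacement reads into current.os and current.os_version. The snmpd.conf lines in the header comment, the object name "osinfo", the user name "yaleDisco" and the script path are assumptions; the os-release content is a constructed sample so the script runs without touching the real host.

```shell
#!/bin/sh
# Hypothetical net-snmp extend hook for SNMP-based Linux discovery (added example).
#
# Assumed snmpd.conf fragment (names and passphrases are placeholders):
#   extend osinfo /usr/local/sbin/snmp-osinfo.sh /etc/os-release
#   createUser yaleDisco SHA "AUTH-PASS-PLACEHOLDER" AES "PRIV-PASS-PLACEHOLDER"
#   view discoview included .1.3.6.1.4.1.8072.1.3.2   # NET-SNMP-EXTEND-MIB::nsExtendObjects only
#   rouser yaleDisco priv -V discoview                # SNMPv3 authPriv, read-only, scoped to the view
#
# The MID server probe then GETs NET-SNMP-EXTEND-MIB::nsExtendOutputFull."osinfo",
# which is this script's stdout. The view keeps the discovery user from walking
# anything but the extend subtree (least privilege on the target side).

# Pull one key's value out of an os-release style file without sourcing it
# (sourcing would execute whatever the file happens to contain).
osrel_value() {  # $1 = key, $2 = file
    key=$1; file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key="*)
                val=${line#"$key="}
                val=${val#\"}; val=${val%\"}   # strip surrounding double quotes
                printf '%s\n' "$val"
                return 0
                ;;
        esac
    done < "$file"
    return 1
}

# Emit exactly two lines. A missing field becomes "unknown" so the row
# positions the sensor relies on never shift (version must not land in os).
os_info_from_file() {  # $1 = os-release style file
    name=$(osrel_value NAME "$1") || name=unknown
    ver=$(osrel_value VERSION_ID "$1") || ver=unknown
    printf '%s\n%s\n' "$name" "$ver"
}

# Constructed sample standing in for /etc/os-release so the example runs anywhere.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
NAME="Red Hat Enterprise Linux"
VERSION="8.6 (Ootpa)"
ID="rhel"
VERSION_ID="8.6"
EOF

# snmpd passes the real file as $1 (see the extend line above); with no
# argument the script demonstrates on the constructed sample.
os_info_from_file "${1:-$SAMPLE_FILE}"
```

Keeping the parsing in the hook rather than in a sensor means a change of distribution format is fixed on the targets, and the instance only ever sees the two agreed lines.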
Probe Replacement
There are a couple of steps:
- create a probe that gets the desired SNMP object(s)
- add that probe to the "Triggers Probes" section of the Linux SNMP classifier
- write a replacement sensor (next section)
Sensor Replacement
- replace the sensor
You can probably do this with XML field mapping as well, but here is a very simple scripted sensor that works from an SNMP probe payload:

```javascript
/*
 * sensor for SNMP Distribution discovery (Yale SNMP Discovery)
 *
 * william.west@yale.edu
 */
new DiscoverySensor({
    process: function() {
        //
        // XML should be in var payload (a global)
        var element = XMLUtil.getText(payload, '//unk_111');
        var rows = element.split('\n'); // expecting multiple lines: os, then os_version
        current.os = rows[0];
        current.os_version = rows[1];
    },
    type: 'DiscoverySensor'
});
```
- list the new sensor in the "Sensors" section of the appropriate probe record
Identifying Which Probes/Sensors to Replace
The most complete approach here is:
- narrow down the sensors to those that apply to our asset types
- look at which ci_ tables are being edited by those and combine sensors with the same function
- generate a list of probes from those sensors
- generate a list of data needed by SNMP
- find out what standard MIBs provide the data
- generate a list of needed extensions for data not covered above