Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 16 Next »

Probe Types (Out Of Box)

wmi, snmp, ssh, http, wins, dns, printer, osx, ip_phone

How Discovery Works (Out Of Box)

  • port scanner runs against IPs to see what's open
  • determines device type
  • depending on type, runs applicable probes:
    • Windows: WMI & powershell
    • Unix: SSH
    • Printers: SNMP
    • Network Devices: SNMP
    • Web: HTTP headers
    • UPS: SNMP
  • search the CMDB using weighted identifiers (serial, MAC, IP etc), do either of the following:
    • update/add matching CI
    • no-op

Questions

  • What does it find with no credentials or bogus credentials? Yes, it's agent-less, but is it still basically an opt-in technology?
  • How do we recommend Yale leverages this tool? Do we use it once and update every so often? Do we enable people to use this as an asset management import tool?
  • How many MID servers and where, based on: security, firewall

Assertions

  • Must obey principle of least privilege for SN instance and MID Server
  • We should net something; i.e., either quality of CMDB or speed of discovery should be better than without the tool

Experiments

No-Credential Discovery

Discover a DC subnet w/o credentials, see what you get with out of the box settings.

Nothing, as it turns out.

Basic SSH Unix Discovery

Discover a linux server with a non-privileged shell (i.e. adduser testuser, no sudo rights), see what you get.

You get quite a bit, although it also gets a lot wrong or misses stuff entirely.
Gets:

  • OS (but revision is for kernel, not OS)
  • cpu brand/type/speed/count
  • RAM amount
  • net interfaces/IP/DNS
  • filesystems & sizes
  • installed software (RPMs)
  • running processes (do we really want/need this in DB?)
    Misses:
  • OS rev
  • "is a VM" flag not flipped
  • logical and physical disks
  • serial number
  • most of the relationships you might expect:

Privileged SSH Unix Discovery

Discover a linux server with a privileged shell (i.e. prescribed sudo rights), see what you get.

Platforms

Proof of Concept

Instead of using canned SSH-based probes for UNIX, we are researching the possibility of using SNMP against unix boxes (and possibly windows). In theory we can do this by simply replacing the SSH probes with equivalent SNMP probes which SNMP GET information from extended MIB objects which we apply to all machines we plan to instrument.

Since we have to touch all boxes anyway (even in "agentless" SSH probe mode), there is little or no opportunity cost to picking SNMP aside from the need to port the probes. But that cost is balanced by certain advantages:

  • SNMP doesn't require us to open up shell access to a broad population of machines
  • SNMP is the same protocol used for net devices & printers (2 down, Windows potentially remains the odd man out)

Linux

On Linux/net-snmp 5 here's one way to do extensions (there are several).

  • Use "exec" to add an extension to snmpd.conf 
    exec echotest /bin/cat /etc/motd
  • Restart snmpd and do a GET against a view which can see the extended MIBs 
    snmpget -v2c localhost -c public 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."echotest"'

...we may want to use SNMPv3, but the general idea is clear... we can expose arbitrary configuration data through SNMP. Since there are only a few dozen probes (and maybe only a subset of actual interest to Yale) we should be able to leverage SNMP for UNIX discovery instrumentation.

Probes to Replace

  • No labels