
Probe Types (Out Of Box)

wmi, snmp, ssh, http, wins, dns, printer, osx, ip_phone

How Discovery Works (Out Of Box)

  • port scanner runs against IPs to see what's open
  • determines device type
  • depending on type, runs applicable probes:
    • Windows: WMI & powershell
    • Unix: SSH
    • Printers: SNMP
    • Network Devices: SNMP
    • Web: HTTP headers
    • UPS: SNMP
  • search the CMDB using weighted identifiers (serial, MAC, IP, etc.) and do one of the following:
    • update/add the matching CI
    • no-op
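As an added illustration of the last step (not ServiceNow's identification engine, whose real rules and weights are not described on this page), here is a small weighted-identifier reconciler: identifiers are scored by assumed weights, a record below an assumed threshold becomes a new CI, and a matched record is updated only if a tracked attribute actually changed. The field names, weights, threshold and the sample CMDB are constructed for this example.

```python
# Added illustration of weighted-identifier CI reconciliation; this is NOT
# ServiceNow's identification engine.  The weights, threshold, field names and
# the sample CMDB below are assumptions constructed for this example.
from dataclasses import dataclass
from typing import Optional

# A serial number is near-conclusive, a MAC address is strong, an IP alone is
# weak (addresses move).  Values are assumptions chosen for this example.
WEIGHTS = {"serial": 1.0, "mac": 0.6, "ip": 0.2}
MATCH_THRESHOLD = 0.6  # assumption: one MAC match suffices, an IP match alone does not

# Attributes compared to decide between "update" and "no-op".
TRACKED_ATTRS = ("os", "ip", "ram_mb")


@dataclass
class CI:
    sys_id: str
    serial: Optional[str] = None
    mac: Optional[str] = None
    ip: Optional[str] = None
    os: Optional[str] = None
    ram_mb: Optional[int] = None


def _norm(value):
    """Case- and whitespace-insensitive comparison for string identifiers."""
    return value.strip().lower() if isinstance(value, str) else value


def match_score(discovered: dict, ci: CI) -> float:
    """Sum the weights of every identifier that matches between a discovery
    result and a CMDB record."""
    score = 0.0
    for key, weight in WEIGHTS.items():
        d, c = _norm(discovered.get(key)), _norm(getattr(ci, key))
        if d is not None and d == c:
            score += weight
    return score


def reconcile(discovered: dict, cmdb: list) -> tuple:
    """Return ("add" | "update" | "noop", ci).  Mutates cmdb in place."""
    scored = [(match_score(discovered, ci), ci) for ci in cmdb]
    best_score, best = max(scored, key=lambda t: t[0], default=(0.0, None))
    if best is None or best_score < MATCH_THRESHOLD:
        fields = ("serial", "mac", "ip", "os", "ram_mb")
        new = CI(sys_id=f"new-{len(cmdb) + 1}", **{f: discovered.get(f) for f in fields})
        cmdb.append(new)
        return "add", new
    changed = False
    for attr in TRACKED_ATTRS:
        new_val = discovered.get(attr)
        if new_val is not None and new_val != getattr(best, attr):
            setattr(best, attr, new_val)
            changed = True
    return ("update" if changed else "noop"), best


def sample_cmdb() -> list:
    """Constructed sample CMDB with two Linux hosts."""
    return [
        CI("ci1", serial="ABC123", mac="00:11:22:33:44:55", ip="10.0.0.5", os="RHEL 6", ram_mb=4096),
        CI("ci2", serial="XYZ789", mac="aa:bb:cc:dd:ee:ff", ip="10.0.0.9", os="RHEL 5", ram_mb=2048),
    ]


def run_demo() -> list:
    """Three constructed discovery results, mirroring the SSH experiment
    results on this page: a full record, one with the serial missing (as the
    non-privileged SSH probe misses it), and one with only an IP."""
    cmdb = sample_cmdb()
    results = [
        {"serial": "abc123", "mac": "00:11:22:33:44:55", "ip": "10.0.0.5", "os": "RHEL 6", "ram_mb": 4096},
        {"mac": "00:11:22:33:44:55", "ip": "10.0.0.7", "os": "RHEL 6", "ram_mb": 8192},  # serial missed, IP changed
        {"ip": "10.0.0.9"},  # an IP alone is below the threshold: new CI rather than a guess
    ]
    return [reconcile(r, cmdb)[0] for r in results]


if __name__ == "__main__":
    print(run_demo())  # ['noop', 'update', 'add']
```

The second case is the one worth noticing: when a probe fails to return the serial (as the non-privileged SSH experiment on this page does), matching falls back to the weaker identifiers, and the threshold decides whether a stale IP produces a silent update of the wrong record or a duplicate CI. Whatever the real weights are, that threshold should be reviewed before discovery is allowed to write to the CMDB.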

Questions

  • What does it find with no credentials or bogus credentials? Yes, it's agent-less, but is it still basically an opt-in technology?
  • How do we recommend Yale leverages this tool? Do we use it once and update every so often? Do we enable people to use this as an asset management import tool?
  • How many MID servers, and where, given security and firewall constraints?

Assertions

  • Must obey principle of least privilege for SN instance and MID Server
  • We should net something; i.e., either quality of CMDB or speed of discovery should be better than without the tool

Experiments

No-Credential Discovery

Discover a DC subnet without credentials and see what you get with out-of-the-box settings.

Result: Nothing, as it turns out.

Basic SSH Unix Discovery

Discover a Linux server with a non-privileged shell account (i.e., adduser testuser, no sudo rights) and see what you get.

Result: You get quite a bit, although it also gets a lot wrong or misses things entirely.

Gets:

  • OS (but the revision reported is the kernel's, not the OS release)
  • CPU brand/type/speed/count
  • RAM amount
  • network interfaces/IP/DNS
  • filesystems & sizes
  • installed software (RPMs)
  • running processes (do we really want/need this in the DB?)

Misses:

  • OS revision
  • "is a VM" flag not flipped
  • logical and physical disks
  • serial number
  • most of the relationships you might expect:

Privileged SSH Unix Discovery

Discover a Linux server with a privileged shell account (i.e., prescribed sudo rights) and see what you get.

Result: Not at all different from the non-privileged version. Don't know if this is because RHEL6 is different or what, but I don't see any additional benefit from allowing lsof or dmidecode. Maybe because nothing of interest is exposed by those commands on this particular machine.

Platforms

Proof of Concept

Instead of using the canned SSH-based probes for UNIX, we are researching the possibility of using SNMP against Unix boxes (and possibly Windows). In theory we can do this by replacing the SSH probes with equivalent SNMP probes that GET the information from extended MIB objects, which we apply to all machines we plan to instrument.

Since we have to touch every box anyway (even in "agentless" SSH probe mode), there is little or no opportunity cost to picking SNMP aside from the need to port the probes. That cost is balanced by certain advantages:

  • SNMP doesn't require us to open up shell access to a broad population of machines
  • SNMP is the same protocol used for net devices & printers (2 down, Windows potentially remains the odd man out)

Linux

On Linux with net-snmp 5, here's one way to do extensions (there are several).

  • Use "extend" to add an extension to snmpd.conf (the older "exec" directive publishes its output under UCD-SNMP-MIB::extTable instead, so the GET below would not find it):
    extend echotest /bin/cat /etc/motd

  • Restart snmpd and do a GET against a view which can see the extended MIBs:
    snmpget -v2c -c public localhost 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."echotest"'


...we may want to use SNMPv3, but the general idea is clear: we can expose arbitrary configuration data through SNMP. Since there are only a few dozen probes (and maybe only a subset of actual interest to Yale), we should be able to leverage SNMP for UNIX discovery instrumentation.
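To make the porting step and the SNMPv3 point concrete, here is an added example (not ServiceNow's probe catalogue or code, and not from the original page) that generates the agent-side snmpd.conf fragment from a probe-to-command map: one "extend" line per ported probe, a view limited to the system group, HOST-RESOURCES-MIB and the extend output, and a read-only authPriv SNMPv3 user bound to that view, which replaces the "-c public" v2c community in the GET above. It also computes the numeric instance OID a manager polls for each probe, so the query works on a MID server without the NET-SNMP-EXTEND-MIB file loaded. The probe map, the "discovery" user name, the "discoveryview" view name and the passphrase placeholders are assumptions.

```python
# Added illustration: generate the snmpd.conf fragment that replaces SSH probes
# with net-snmp "extend" entries behind a read-only SNMPv3 view, and compute
# the numeric instance OIDs a manager would poll.  Not ServiceNow's probe
# catalogue or code; the probe map, user name and view name are assumptions.
import re

# Subtrees in numeric form, so they work on a manager without MIB files loaded.
SYSTEM_SUBTREE = ".1.3.6.1.2.1.1"              # SNMPv2-MIB::system
HOST_RESOURCES_SUBTREE = ".1.3.6.1.2.1.25"     # HOST-RESOURCES-MIB (storage, installed software, ...)
NS_EXTEND_OBJECTS = ".1.3.6.1.4.1.8072.1.3.2"  # NET-SNMP-EXTEND-MIB::nsExtendObjects
NS_EXTEND_OUTPUT_FULL = NS_EXTEND_OBJECTS + ".3.1.2"  # nsExtendOutput1Entry.nsExtendOutputFull

# Assumed probe map: one fixed, argument-free command per SSH probe being ported.
# /etc/redhat-release covers the "OS rev" the SSH probe got wrong (it reported the kernel).
PROBES = {
    "echotest": "/bin/cat /etc/motd",            # the page's own test entry
    "osrelease": "/bin/cat /etc/redhat-release",
    "dmidecode": "/usr/sbin/dmidecode -t system",
}

_SHELL_META = re.compile(r"[|;&$`<>()]")


def validate_command(command: str) -> None:
    """extend runs PROG directly (no shell), so require an absolute path and
    reject shell metacharacters that would silently become literal arguments."""
    parts = command.split()
    prog = parts[0] if parts else ""
    if not prog.startswith("/"):
        raise ValueError(f"extend command must use an absolute path: {command!r}")
    if _SHELL_META.search(command):
        raise ValueError(f"shell metacharacters are not allowed in an extend command: {command!r}")


def extend_token_oid(column_oid: str, token: str) -> str:
    """Instance OID for one extend row: nsExtendToken is a DisplayString index,
    encoded as its length followed by one sub-identifier per byte."""
    data = token.encode("ascii")
    return column_oid + "." + str(len(data)) + "".join(f".{b}" for b in data)


def snmpd_conf(probes: dict, user: str = "discovery", view: str = "discoveryview") -> str:
    """Build the agent-side fragment: extend lines, a view limited to what
    discovery needs, and a read-only authPriv SNMPv3 user bound to that view."""
    lines = ["# Commands run with snmpd's privileges; only list output you are willing to expose."]
    for token, command in probes.items():
        validate_command(command)
        lines.append(f"extend {token} {command}")
    lines += [
        "",
        "# View: system group, host resources and the extend output, nothing else.",
        f"view {view} included {SYSTEM_SUBTREE}",
        f"view {view} included {HOST_RESOURCES_SUBTREE}",
        f"view {view} included {NS_EXTEND_OBJECTS}",
        "",
        "# Read-only is deliberate: nsExtendConfigTable is writable to a rw user, which",
        "# would let a manager define new commands.  Placeholders must be replaced;",
        "# snmpd consumes the createUser line into its persistent store on start.",
        f'createUser {user} SHA "REPLACE_AUTH_PASSPHRASE" AES "REPLACE_PRIV_PASSPHRASE"',
        f"rouser {user} priv -V {view}",
    ]
    return "\n".join(lines) + "\n"


def snmpget_command(token: str, user: str = "discovery", host: str = "localhost") -> str:
    """Manager-side query for one probe's full output (passphrases are expected
    in snmp.conf rather than on the command line, where ps would show them)."""
    return f"snmpget -v3 -l authPriv -u {user} {host} {extend_token_oid(NS_EXTEND_OUTPUT_FULL, token)}"


if __name__ == "__main__":
    print(snmpd_conf(PROBES))
    for token in PROBES:
        print(snmpget_command(token))
```

The generated fragment goes into snmpd.conf on each instrumented host; the manager-side passphrases belong in the MID server's snmp.conf (defAuthPassphrase / defPrivPassphrase) rather than in the command line. The view is the part that matters for the least-privilege assertion above: a default "public" community that can read the whole tree exposes far more than the few dozen probe outputs we actually need, and a read-write user would let the extend table itself be reconfigured remotely.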

Probes to Replace
