Child pages
  • Matching and Storing Device Attributes
Skip to end of metadata
Go to start of metadata

Matching and Storing Device Attributes

Each device (computer, router, printer, et al) has an entry in the "system" table. Each entry in the "system" table has an "id" column. This value is unique - it is an auto-incrementing id.

A device is associated with other tables that store information about the components detected on that device. Examples of other tables are bios, software, processor, etc.

When data from an audit result is processed the following occurs:

1 - Determine the device id (from the system table).

2 - For each section (bios, software, processor, etc) retrieve the current list of items from the relevant table. Part of the SQL query is system.id = processor.system_id and processor.current = 'y'.

3 - For each item in the received data section, check if we have a match to an item in the database data section.

4 - For those items that match, update the last_seen timestamp.

5 - For those items where no match is found, insert a new entry.

6 - Upon completion of the received data section, any remaining items from the database data section that have not been updated, set their 'current' attribute to 'n'.

 

So, we can determine if something is currently installed - the current column is 'y'.

We can determine when something was detected - the "first_seen".

We can determine if something was installed after the initial audit - first seen will be different in the component and system tables..

We can determine if something is not currently installed, but previously was - current = 'n'.

We can determine the last time we detected an item - last_seen.

At any given point, we can determine what was on a system - by using the audit_log table and selecting the relevant components based on first_seen and last_seen.


So, that's how we determine what's on or has been on a system.


A table showing the required columns to match for each component is below.

ComponentMatch Columns
bios'description', 'manufacturer', 'serial', 'smversion', 'version'
disk'model', 'serial', 'hard_drive_index', 'size'
dns'ip', 'name', 'fqdn'
file'full_name', 'hash', 'inode', 'last_changed'
ip'ip', 'mac', 'netmask'
log'name', 'file_name', 'overwrite'
memory'bank', 'size', 'serial'
module'description', 'module_index', 'serial'
monitor'model', 'manufacturer', 'serial'
motherboard'model', 'manufacturer', 'serial'
netstat'protocol', 'ip', 'port', 'program'
network'mac'
nmap'protocol', 'ip', 'port', 'program'
optical'model', 'mount_point'
pagefile'name', 'initial_size', 'max_size'
partition'name', 'hard_drive_index', 'mount_point', 'size'
print_queue'device'
processor'description'
route'destination', 'next_hop'
san'serial'
scsi'model', 'manufacturer', 'device'
server'name', 'type', 'full_name', 'version'
server_item'name', 'type', 'instance'
service'description', 'name', 'executable'
share'name', 'path'
software'name', 'version'
software_key'name', 'string', 'rel', 'edition'
sound'model', 'manufacturer'
task'name', 'task'
user'name', 'sid'
user_group'name', 'sid'
variable'program', 'name', 'value'
video'model'
vm'name', 'uuid'
windows'service_pack', 'build_number'


  • No labels