Active Directory Discovery Overview

Discovery is a new feature in Open-AudIT version 1.2. Discovery will audit Windows and Linux computers, SNMP scan network devices, and record active target addresses if no SNMP is active. Discovery runs entirely from the web interface, regardless of whether the Open-AudIT server runs on Linux or Windows.

NOTE - You will need the ports for WMI on the Windows firewall opened on each target Windows computer. For Windows Core servers, ensure you allow the firewall connections as per - http://blogs.technet.com/b/brad_rutkowski/archive/2007/10/22/unable-to-remotely-manage-a-server-core-machine-mmc-wmi-device-manager.aspx

How to use Discovery

Setting Default Attributes

To use Discovery, a few default attributes should be set first.

As an Open-AudIT admin level user, go to Menu -> Admin -> Config.

The single most important attribute to set is the "default_network_address" attribute. This is used for Discovery so that when we send an audit script to a remote machine we can also provide the URL of the Open-AudIT server for the remote machine to send its data back to. We set this manually because your Open-AudIT server may have multiple network addresses. Rather than try to work out the correct address, we ask you to complete this step manually so there can be no mistakes.

For an Active Directory Discovery, you should also set the following fields:

  • default_windows_username
  • default_windows_domain
  • default_windows_password

For completeness, the following fields are also best set:

  • default_snmp_community
  • default_ssh_username
  • default_ssh_password

We require access credentials on the target devices. Go to Menu -> Discover -> Credentials -> Create Credentials and create credentials for all the types of devices you have. They may be for Windows, SSH (Linux / OSX / etc), SNMP, etc.

Once these have been completed you can go to Menu -> Admin Discover -> Discovery Discoveries -> Discover a Subnet.


This form will pre-populate with your defaults (which you have just configured), but you can also override them with specific attributes for any given Discovery run.

Fill the form details and click the Discover button.

Results

Create Discoveries.

If you have set the "Local Network Address" in the config (Menu -> Admin -> Community -> Discovery Configuration) the Network Address will be pre-populated. This should be the URL of your Open-AudIT server. You can use HTTPS if preferred (and you have installed an SSL certificate).

Change the 'type' attribute to Active Directory, input the AD server you would like to query and the domain name.

Click the "Submit" button and you will be directed to the Discovery list page.

When you click Execute to start the Discovery, Open-AudIT will query the specified Domain Controller for a list of network subnets belonging to the domain. Open-AudIT will then create a discovery entry for each subnet (if it doesn't already exist) and commence discovery for that subnet. You will be redirected to the Logging page. You can refresh this page to see the progress of the Discovery run.

Once the initial list of target devices has been obtained you should see details of each target as it is scanned and input into Open-AudIT.

Logging

NOTE - The logging is quite verbose so there is now a feature to purge the log file at Menu -> Admin -> Logs -> Purge Log.

You can set the log level in the configuration (Menu -> System -> Open-AudIT Basic Configuration). By default it is set to 5, but you may wish to temporarily increase it to 7 for debugging purposes.

You should see logging similar to the below (if set to level 7). In the below instance, a Discovery run was performed on the open-audit.com domain and the two computers win2k8dc and winxp-pro were audited.

How Does it Work

When running a Discovery against an Active Directory domain, the process differs depending on whether your Open-AudIT server is installed on a Windows or Linux machine.

Windows Discovery of AD

The discover_domain.vbs script is run locally with the values provided as per the form. The Open-AudIT server will then talk to the domain controller, obtain a list of computers and audit them.

Linux Discovery of AD

The discover_domain.vbs and audit_windows.vbs scripts are copied to the nominated Active Directory server and the discover_domain.vbs script is started on that Active Directory server. The Active Directory server will obtain a list of computers, audit them and then submit the result to the Open-AudIT server. The Linux programs smbclient and winexe are used to enable Linux to copy the scripts and start them on the Windows server.
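
Because the Linux path starts a script on the Active Directory server with winexe, each Discovery run leaves a remote service install in that server's event logs. The sketch below is an added example, not Open-AudIT code: it pairs each such install with the network logon just before it and checks that the logon came from the Open-AudIT server. The service name winexesvc, the server address, the 60-second window and the sample events are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

OPEN_AUDIT_SERVER = "192.0.2.10"   # assumption: placeholder address of the Open-AudIT server
WINDOW = timedelta(seconds=60)     # assumption: max gap between logon and service install

# Constructed sample events from the AD server, reduced to the fields used below.
# 4624 = logon (Security log), 7045 = service installed (System log).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4624, "logon_type": 3, "user": "svc_openaudit", "ip": "192.0.2.10"},
    {"time": "2024-05-01T10:00:02", "id": 7045, "service": "winexesvc"},
    {"time": "2024-05-01T14:30:00", "id": 4624, "logon_type": 3, "user": "administrator", "ip": "192.0.2.77"},
    {"time": "2024-05-01T14:30:03", "id": 7045, "service": "winexesvc"},
    {"time": "2024-05-01T15:00:00", "id": 7045, "service": "ExampleUpdater"},
    {"time": "2024-05-01T18:00:00", "id": 7045, "service": "winexesvc"},
]


def classify_winexe_installs(events, allowed_ip, window=WINDOW):
    """Pair each winexesvc install with the latest prior network logon and judge its source."""
    events = sorted(events, key=lambda e: e["time"])
    logons = []    # (timestamp, user, ip) of network logons seen so far
    results = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            logons.append((ts, ev["user"], ev["ip"]))
        elif ev["id"] == 7045 and ev.get("service", "").lower() == "winexesvc":
            # Heuristic: attribute the install to the most recent network logon in the window.
            recent = [entry for entry in logons if ts - entry[0] <= window]
            if not recent:
                results.append((ev["time"], "unattributed", None, None))
                continue
            _, user, ip = recent[-1]
            verdict = "expected" if ip == allowed_ip else "unexpected"
            results.append((ev["time"], verdict, ip, user))
    return results


if __name__ == "__main__":
    for row in classify_winexe_installs(EVENTS, OPEN_AUDIT_SERVER):
        print(row)
```

Installs classified as unexpected or unattributed are the ones to review, since they did not follow a logon from the Open-AudIT server.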