...

Installing the Agent requires administrative privileges. To download the Agent, go to http://YOUR_SERVER/open-audit/index.php/agents/windows/download. That will provide the generic Windows Agent. If your user(s) have Admin rights, the bottom of the Agents List page lists commands they can run from Command Prompt (Open As Administrator) to download and install. Copy, paste, done. If you have existing management software on your machines, you can use these commands (or variations of them) to deploy the agents automatically.

NOTE - As at 5.2.0 the agent audit script (audit_windows.ps1) does not retrieve the database and web server items that audit_windows.vbs does. This will be coming ASAP.

NOTE - IIS and SQL are now available in 5.2.2.


How Does it Work?

The Agent will install itself to c:\Program Files\Open-AudIT Agent. It will appear in the Add/Remove Programs list (and can be uninstalled from there).

...

These actions will only occur if the conditions (also in the agent definition) are met. All conditions must be met for actions to occur. If a condition is empty, it need not match. The conditions tested are: minutes since last seen, device is in subnet, device OS Family is like. The default Agent entry only tests for minutes > 1300 (yes, there are 1440 minutes in a day, but we allow for +/- 30 minutes and some extra).
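The condition rules above (every set condition must match, an empty condition is skipped) can be sketched as follows. This is an added example, not Open-AudIT's own code: the field names, the reading of "like" as a case-insensitive substring match, and the sample devices are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AgentEntry:
    """Hypothetical model of an agent entry; field names are assumptions."""
    name: str
    minutes: Optional[int] = None  # None = condition empty
    subnet: str = ""               # CIDR string, "" = condition empty
    os_family: str = ""            # "" = condition empty


@dataclass
class Device:
    minutes_since_seen: int
    ip: str
    os_family: str


def failed_conditions(entry: AgentEntry, device: Device) -> List[str]:
    """Return the names of the set conditions the device does not satisfy."""
    failed = []
    if entry.minutes is not None and not device.minutes_since_seen > entry.minutes:
        failed.append("minutes")
    if entry.subnet:
        try:
            net = ipaddress.ip_network(entry.subnet, strict=False)
            inside = ipaddress.ip_address(device.ip) in net
        except ValueError:  # an unparseable address or subnet never matches
            inside = False
        if not inside:
            failed.append("subnet")
    # Assumption: "like" is treated as a case-insensitive substring match.
    if entry.os_family and entry.os_family.lower() not in device.os_family.lower():
        failed.append("os_family")
    return failed


def actions_allowed(entry: AgentEntry, device: Device) -> bool:
    """Actions run only when no set condition failed."""
    return not failed_conditions(entry, device)


# Constructed sample entries: the default (minutes > 1300) and a scoped one.
DEFAULT = AgentEntry("Default", minutes=1300)
BRANCH = AgentEntry("Branch", minutes=1300, subnet="192.168.10.0/24", os_family="windows")

if __name__ == "__main__":
    for dev in (Device(1290, "10.0.0.5", "Windows"), Device(1500, "192.168.11.44", "Windows")):
        print(dev, failed_conditions(DEFAULT, dev), failed_conditions(BRANCH, dev))
```

Listing the failed conditions rather than returning a bare boolean makes it easier to see why a narrowly scoped entry did or did not apply to a given device.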

...

The only way we have come up with for someone to abuse this is for them to commandeer your DNS and point the FQDN (or hostname, whatever your Agent is using for the URL) of your normal Open-AudIT server to their "bad" server. Their server could then instruct the Agent to download anything and run any command. HTTPS should negate this (as the host in the URL and the host in the certificate won't match), which is why we require it.

That is the scary stuff out of the way. It's simple - 99.9% of users will not need this functionality so it's not an issue. If you do require it, it is there - just use it bearing in mind these warnings.

The attribute to download a file needs to be a URL.

The attribute to run a command must be able to be run by PowerShell.


But Which Executes When?

...

  1. Download File (assuming this is enabled)
  2. Execute Command (assuming this is enabled)
  3. Audit
  4. Uninstall
  5. Update

When an agent checks in using the generic URL, the order in which agent entries are checked is determined by the 'weight' attribute of each individual agent entry.


Being More Specific

One more option is the ability to match on the tests and assign the agent (or more accurately the device being audited) to an Organisation and/or Location in Open-AudIT.

...