...

These actions only occur if the conditions (also part of the agent definition) are met. All conditions must be met for the actions to occur. A condition that is left empty is ignored; it does not need to match. The conditions tested are: minutes since last seen, device is in subnet, and device OS Family is like. The default Agent entry only tests for minutes > 1300 (yes, there are 1440 minutes in a day, but we allow for +/- 30 minutes and some extra).

...

The only way we have come up with for someone to abuse this is for them to commandeer your DNS and point the FQDN (or hostname, whichever your Agent is using in the URL) of your normal Open-AudIT server at their "bad" server. Their server could then instruct the Agent to download anything and run any command. HTTPS should negate this (the host in the URL and the host in the certificate won't match), which is why we require it. Note that this protection only holds if the Agent actually validates the server certificate against the hostname in the URL; disabling certificate checks on the Agent side removes it.

That is the scary stuff out of the way. Put simply, 99.9% of users will not need this functionality, so for them it is not an issue. If you do require it, it is there; just use it bearing these warnings in mind.

The entry to download a file needs to be a URL.

The entry to run a command must be a command that PowerShell can run.


But Which Executes When?

...

  1. Download File (assuming this is enabled)
  2. Execute Command (assuming this is enabled)
  3. Audit
  4. Uninstall
  5. Update

When an agent checks in using the generic URL, the order in which agent entries are checked is determined by the 'weight' attribute of each individual agent entry.
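To make the condition matching, the weight ordering and the fixed execution order above concrete, here is an added example in Python; it is not Open-AudIT's own code, and the entry and device field names, the "lowest weight is checked first" ordering, the "first matching entry wins" rule and the sample entries and devices are all assumptions constructed for this illustration. It also enforces the requirement that a download entry be an https URL, so a hijacked DNS name fails the certificate check instead of being followed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumptions for this example (not Open-AudIT's schema): field names below,
# entries are tested lowest weight first, and the first matching entry wins.


@dataclass
class AgentEntry:
    name: str
    weight: int
    minutes: Optional[int] = None         # condition: minutes since last seen must exceed this
    subnet: Optional[str] = None          # condition: device IP must be inside this CIDR
    os_family_like: Optional[str] = None  # condition: SQL LIKE pattern tested against OS family
    download: Optional[str] = None        # action: file URL to fetch (must be https)
    command: Optional[str] = None         # action: command handed to PowerShell
    audit: bool = False
    uninstall: bool = False
    update: bool = False


@dataclass
class Device:
    ip: str
    os_family: str
    minutes_since_seen: int


def sql_like(pattern: str, value: str) -> bool:
    """Case-insensitive SQL LIKE: '%' matches any run of characters, '_' matches one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def conditions_match(entry: AgentEntry, device: Device) -> bool:
    """All conditions must hold; an empty (None) condition is skipped, not failed."""
    if entry.minutes is not None and device.minutes_since_seen <= entry.minutes:
        return False
    if entry.subnet is not None and ipaddress.ip_address(device.ip) not in ipaddress.ip_network(
        entry.subnet, strict=False
    ):
        return False
    if entry.os_family_like is not None and not sql_like(entry.os_family_like, device.os_family):
        return False
    return True


def is_acceptable_download_url(url: str) -> bool:
    """A download entry must be an absolute https URL with a hostname, so a DNS
    hijack of that name produces a certificate mismatch rather than a silent redirect."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def select_entry(entries: List[AgentEntry], device: Device) -> Optional[AgentEntry]:
    """Walk entries in weight order and return the first whose conditions all match."""
    for entry in sorted(entries, key=lambda e: e.weight):
        if conditions_match(entry, device):
            return entry
    return None


def plan_actions(
    entry: Optional[AgentEntry], download_enabled: bool = True, command_enabled: bool = True
) -> List[Tuple[str, Optional[str]]]:
    """Actions in the documented execution order: download, command, audit, uninstall, update.
    Download and command are only planned when enabled server-side."""
    if entry is None:
        return []
    plan: List[Tuple[str, Optional[str]]] = []
    if download_enabled and entry.download and is_acceptable_download_url(entry.download):
        plan.append(("download", entry.download))
    if command_enabled and entry.command:
        plan.append(("command", entry.command))
    for flag in ("audit", "uninstall", "update"):
        if getattr(entry, flag):
            plan.append((flag, None))
    return plan


# Constructed sample entries: a default entry like the one shipped, a subnet-specific
# entry that downloads and runs a command, and one with an http URL that must be rejected.
ENTRIES = [
    AgentEntry("default", weight=100, minutes=1300, audit=True),
    AgentEntry("finance-windows", weight=10, subnet="10.20.0.0/16", os_family_like="%Windows%",
               download="https://openaudit.example.internal/tools/collect.ps1",
               command="Get-Service -Name Spooler"),
    AgentEntry("bad-http", weight=5, subnet="10.30.0.0/16",
               download="http://openaudit.example.internal/tools/collect.ps1", command="whoami"),
]


def decide(device: Device, **flags) -> List[Tuple[str, Optional[str]]]:
    """What the server would tell this device's agent to do on check-in."""
    return plan_actions(select_entry(ENTRIES, device), **flags)


if __name__ == "__main__":
    for dev in (Device("10.20.5.7", "Windows 10", 2000), Device("192.168.1.4", "Linux", 2000),
                Device("192.168.1.4", "Linux", 500), Device("10.30.1.1", "Windows Server 2019", 5)):
        print(dev, "->", decide(dev))
```

The finance device matches the weight-10 entry before the default entry even though it also satisfies the default's minutes test; the device on 10.30.0.0/16 gets only the command, because its http download entry is dropped by the URL check.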


Being More Specific

One more option is the ability to use the same tests to assign the agent (or, more accurately, the device being audited) to an Organisation and/or Location in Open-AudIT.

...