Is it possible to extend the discovery capability of open-audit to capture additional information from a server? For example, if I wanted to capture the output of ps -ef on UNIX hosts, could I edit the audit_linux.sh script and add a line to run the new command?
If so, do I need to do anything to the DB or UI to show this new information?
Many thanks in advance.
In short, yes but not easily. You could add to the audit script, processing routine, database and html templates.
Personally, I see this as more of a monitoring item than an audit item. Processes are created and destroyed constantly. Open-AudIT would record at each audit every process and compare to the last audit - generating a lot of useless data. Kind of like recording high netstat ports (watch out for an improvement on this in a future version).
If you're after a list of running services for a given machine, as long as the audit script has been run, you'll see them in the Services (under Software) menu item on the device details page. You'll see details such as the state of the service and how it's configured to start.
You can also see any processes that have open network ports on the Netstat (under Settings) menu item on the device details page. You'll see details such as the program name and port it's listening on.
If you truly need to see the process list in an ongoing fashion, I'd take a look at our monitoring solution (also open source) NMIS for this.