Open-AudIT

What's on your network?

All times are UTC + 10 hours

[ 12 posts ]
PostPosted: Thu Jan 18, 2018 5:06 am
Contributor (Joined: Thu Mar 02, 2006 4:41 am; Posts: 184; Location: Massachusetts)
Ever... Why? Submit online always set to yes, the url is correct

/vmfs/volumes/588a57ec-6e3c0148-7db8-90e2ba468e4c/files # ./audit_esxi.sh
----------------------------
Open-AudIT ESXi audit script
Version: 2.0.11
----------------------------
Audit Start Time 2018-01-17 18:53:13
Create File y
Submit Online y
Debugging Level 2
Discovery ID
Org Id
----------------------------
System Info
BIOS Info
Processor Info
Disk Info
Memory Info
VM Guest Info
Motherboard Info
Video Cards Info
Network Cards Info
Software Info
Audit Generated in 185 seconds.
Audit Completed in 185 seconds.

_________________
Server Info: running on a CentOS 7 vm
OA Version: 2.0.6 @ 500 devices


PostPosted: Thu Jan 18, 2018 5:33 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am; Posts: 1228)
Submit online is commented out in the code. Been that way forever. Maybe because the server is supposed to do the Discovery?

What happens if you remove the comments on lines 804-811? Edit: Nothing because wget doesn't have --post-file in ESXi. Which is probably why it's commented out.


PostPosted: Thu Jan 18, 2018 11:58 pm
Contributor (Joined: Thu Mar 02, 2006 4:41 am; Posts: 184; Location: Massachusetts)
I'm trying to find an easy way to get some esxi hosts into OA2. So far the only way that works is sort of tedious: I have to copy the audit file to the host, run the script, then copy the audit results back to my pc, then import 1 device into OA2. I have tried everything else. I can't just scan subnets because I'll get all sorts of extra stuff I don't want, as the whole company uses the same snmpv2 community name. Was hoping import 1 device by IP would work, but the new host that gets added to OA2 doesn't have any hardware info; it all shows as vmware (the OS) instead of Dell or IBM. My goal is to get a spreadsheet listing all CPU info as we work on the latest nightmare vulnerabilities in Intel. Just did the 1 by 1 import via IP of a couple dozen, and then noticed none of the hardware info gets imported.

The first couple were full audit results that I imported. The next ones I did discover 1 device by IP.


Attachment: OA2 (Medium).JPG (screenshot of the imported devices)

PostPosted: Fri Jan 19, 2018 2:02 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am; Posts: 1228)
I took a quick look through the code and OA doesn't audit ESXi properly yet. At least not without help. And the code it has now uses SSH to audit. So until Mark @ Opmantek chimes in maybe you can manually hack something together.

Enable SSH on your hosts
Config SSH credentials in OA
Put the esxi audit script in a shared location
Edit include_input_discoveries.php to get OA to perform an audit.
Remove the skip-this type code from line 1202. So remove "1 == 2"
Line 1203 uses a variable for the path to the audit script. So either set the OA config discovery_linux_script_directory to your shared path. Or hard code line 1203 to use your shared path

Audit an ESXi IP. Does it work now? This is all a bit hand-wavey as I have not actually done any of the above myself. Maybe Mark has better info. But from the comments at line 1201 it's a work in progress.


PostPosted: Sat Jan 20, 2018 12:32 am
Contributor (Joined: Thu Mar 02, 2006 4:41 am; Posts: 184; Location: Massachusetts)
Thanks for digging into this jpa! I didn't realize that nobody else seems to use the esxi scripts. At this point it seems easier for me to just continue copying the audit script and results files back and forth (the "shared location" scares me; it sounds like an open, unsecured share would be needed. I don't have one, and if I created one secops would be all over me to shut it down). Really strange, all of these servers have ssh enabled, and all of them are being monitored by nmis, so you would think snmpv2 scans would work, at least I thought so. I tried to import systems from NMIS but it looks in a local path for the nmis config, and the nmis is running on a separate server.

PostPosted: Sat Jan 20, 2018 1:40 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am; Posts: 1228)
Maybe I should have said "fixed" or "known" location rather than "shared" location. Shared location meant somewhere on SAN/DAS storage or something like that. Since the audit code SSHs into the ESXi box and calls the script at a single, fixed path you need to have the same path for all your ESXi boxes. You could manually place the script on your ESXi machines at the same path on each machine. Then set the OA option variable or hard-code the path as I said before.

It seems the OA stuff is real close to working it's just not automagic right now. There is a TODO to make the automagic happen. Add a PHP SCP package, couple lines to call it and get the audit script over to ESXi, done. See how easy that is. I am good at hand-wavey just as long as someone else has to do the actual work.


PostPosted: Mon Jan 22, 2018 10:58 am
Site Admin (Joined: Mon Jun 07, 2004 11:48 am; Posts: 1935; Location: Brisbane, Australia)
hmmm, interesting.

In all honesty, I thought it was working. JPA is correct in that wget on ESX doesn't support POST (which is a PITA).

But it SHOULD copy the audit script, run it and capture the command output (essentially the audit result), then process that. Maybe I did comment it out though. It should (maybe) be running SSH commands directly and using that output, too.

It should also retrieve some details using SNMP (likely not much hardware details though).

I'd set the log_level to 7 and run a discovery on a single ESX IP. Then check that device in OA and look at the "discovery_log" in the left side menu. You should be able to see if it's detecting SSH/SNMP and if it's able to connect.

I'll run some tests here and report back.

MU.

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Mon Jan 22, 2018 11:18 am
Site Admin (Joined: Mon Jun 07, 2004 11:48 am; Posts: 1935; Location: Brisbane, Australia)
Yep - can see the code is commented out.
Code:
            # TODO - Cannot copy audit_esxi.sh - more work required to fix
            if ($audit_script == 'audit_esxi.sh' and 1 == 2) {


Having found that, SNMP and SSH commands DO work as intended. I do get info, but not as much as a real audit script. We don't get CPU details (for example).

Will see what I can do here.

PostPosted: Tue Jan 23, 2018 2:35 am
Contributor (Joined: Thu Mar 02, 2006 4:41 am; Posts: 184; Location: Massachusetts)
Thanks! When I run the script locally on the esxi host the result file has the hardware details; been doing this. Will try this test today and report back.

PostPosted: Tue Jan 23, 2018 3:11 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am; Posts: 1228)
I still think you're 99% of the way to doing what you need. Copy the audit script to /tmp on each ESXi host and make it executable. Remove the "1 == 2" stuff as I mentioned earlier. Should work how you'd like. This only works if the discovery_linux_script_directory config is set to /tmp. And /tmp on ESXi is ramdisk so your script won't survive a reboot.

But it looks like Mark might add the script copy stuff eventually so if the manual method is working for you...


PostPosted: Tue Jan 23, 2018 4:50 am
Contributor (Joined: Thu Mar 02, 2006 4:41 am; Posts: 184; Location: Massachusetts)
I can't figure out how to do some of this stuff. Copying the script over, running it, and copying the results file back, and creating a system from the results file works, most of the hardware info is entered. Then I config the system with credentials pick snmpv2, and then "discover" and that remote scan works. This gets me by. If I can help test anything for esxi, let me know. I may need step by step instructions though :?

PostPosted: Tue Jan 23, 2018 7:37 am
Moderator (Joined: Fri Jul 20, 2007 8:27 am; Posts: 1228)
FYI: couple bugs found. Info buried in the EDIT below.

shanimal wrote:
I can't figure out how to do some of this stuff.
OK. There is a reason they keep me in the basement filling out TPS reports. Communication is not my strong suit. Nor is documentation.

Also, we barely make use of proper OpenAudit functionality here. No discoveries, no credentials, nada.

So I:

SCPd the audit_esxi.sh file to a test ESXi machine into the /tmp directory.
Made it executable with chmod +x audit_esxi.sh
Removed " and 1 == 2" from line 1202 of code_igniter\application\controllers\include_input_discoveries.php
Performed a discovery on the ESXi machine ip address
Waited for that to complete. Once it completed I found the entry and it had partial info and a Last Seen By of nmap.
On the machine entry I clicked Add Credentials and supplied a valid type ssh credential
I executed the discovery again on the ESXi machine ip address
While executing I clicked the Refresh button to update log data
One of the log lines has "Valid XML input for ESX audit script received"
I selected the ESXi host and now there is much more data. Last Seen By is audit_ssh. Looks like it worked.

Just for fun I put the " and 1 == 2" skip code back
Deleted the ESXi host from OA
Ran the discovery again
Added SSH credentials for the nmap discovered ESXi host
Ran the discovery yet again
The device now has a Last Seen By of ssh. There is more info but no hardware.

So now the only bit missing is for OpenAudit to automatically use the latest ESXi script instead of manually SCPing it to the host. I honestly don't think it's that hard as the hard part would be the SCP or SFTP client which is already available for PHP.

EDIT:
So looking at the audit data; memory info is not getting audited properly on my ESXi 6 and 6.5 hosts.
Change "Bank" to "Location:" in audit_esxi.sh on line 486

Uptime does not work either.
Change "$quickstats" on line 355 to "$quickStats" (subtle case variation)
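The manual round trip this thread settles on (copy audit_esxi.sh to each host, run it there, pull the result file back for import into Open-AudIT) as an added shell script; it is not from the thread or from Open-AudIT itself. It assumes key-based SSH login as root on every host, that audit_esxi.sh accepts key=value arguments such as create_file=y submit_online=n (the script prints those settings, but the thread does not show its argument syntax), and that it writes its XML result into the current directory.

```shell
#!/bin/sh
# Assumptions (not from the thread): key-based root SSH works on each host,
# audit_esxi.sh takes key=value arguments like the other Open-AudIT audit
# scripts, and it writes its XML result into the current directory.
SCRIPT="${SCRIPT:-./audit_esxi.sh}"     # local copy of the audit script
OUTDIR="${OUTDIR:-./esxi_results}"      # where pulled result files land
SSH_USER="${SSH_USER:-root}"
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print the commands, touch nothing

# run_cmd: execute a command, or only echo it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# audit_host: the manual workaround for one host. /tmp on ESXi is a ramdisk,
# so the script is pushed fresh each run, and the script and result are
# removed again once the XML has been pulled back.
audit_host() {
    host="$1"
    remote_dir="/tmp/oa_audit"
    remote_cmd="mkdir -p $remote_dir && cd $remote_dir && chmod +x /tmp/audit_esxi.sh"
    remote_cmd="$remote_cmd && /tmp/audit_esxi.sh create_file=y submit_online=n"
    run_cmd scp "$SCRIPT" "$SSH_USER@$host:/tmp/audit_esxi.sh" || return 1
    run_cmd ssh "$SSH_USER@$host" "$remote_cmd" || return 1
    run_cmd mkdir -p "$OUTDIR/$host" || return 1
    run_cmd scp "$SSH_USER@$host:$remote_dir/*.xml" "$OUTDIR/$host/" || return 1
    run_cmd ssh "$SSH_USER@$host" "rm -rf $remote_dir /tmp/audit_esxi.sh"
}

# audit_all: hosts file with one hostname per line (# comments and blank
# lines ignored); returns the number of hosts whose audit failed.
audit_all() {
    failed=0
    while read -r host _; do
        case "$host" in ''|\#*) continue ;; esac
        if ! audit_host "$host"; then
            echo "audit failed for $host" >&2
            failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}
```

Run it as `audit_all hosts.txt`; the XML files under esxi_results/<host>/ are then imported into Open-AudIT one at a time, exactly as the thread describes.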