Open-AudIT

I am trying to use Open-AudIT on a large enterprise network and it seems like it will accomplish much of what I would like it to accomplish.

When I run nmap_linux.sh from a central machine no data is added to Open-AudIT. Is this to be expected? If so why? I want to do daily scans of each subnet but do not want to run NMAP at each location if possible. I understand a NMAP scan will only provide limited data on the remote network but it is helpful to see new open ports or ip addresses.

I hope this has not been posted previously but I tried to search and saw some similar but did not find an answer to my particular problem.

Thanks in advance.

Doug

NMAP may or may not produce results, depending on a raft of other factors, (see the NMAP FAQ in the FAQs section). You may need to grit your teeth and just install a copy of nmap on each subnet, but take a look at the FAQ first it might shed some light on the issue.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]

Could you point me to the NMAP FAQ? I see 15 topics under FAQ in the forums and none of them have a title that includes NMAP??

When I run the NMAP script to a remote subnet it collects data it just never shows up on the website. It almost seems like the PHP post script isn't accepting the data because it does not include MAC or something else?

Doug

Can you point me to the NAMP FAQ's can't seem to find them and a search for nmap returns nothing due to 'too many results'.

help???

Doug

You are quite correct there is no NMAP FAQ There is a lot of information in the support forum however, but I do need to add an up to date FAQ. Will get on to that early next week, time permitting.

Meanwhile, a brief synopsis.

Nmap probes for open ports on network attached devices. It uses various methods to do this, as most firewalls will spot a simple scan, and put their shields up. So NMAP uses "...softly softly" tactics to ensure the machines will report the maximum information. (See the nmap site for how this works)

You need a copy of NMAP installed on your machine, either in the scripts folder, or somewhere in your PATH, Alternatively, edit the nmap script, and point it to your nmap executable.

Once this is done, you should be able to run the script.

If you want to glean the maximum information about devices, such as guessing the OS and manufacturer, this relies on examining the MAC address of the device, and this information is only available on the local subnet (a limitation of TCP/IP and ethernet, not NMAP) This is why you need to scan from a machine attached to the same subnet as the device. MAC info doesn't get passed between routers, only IP info.

You can run from one subnet to another, but your results will be limited.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]

I understand that there would be less less information, mac address for example will be missing, when scanning a remote subnet. But NO data is put into the OA system from the remote site. It seems since there is no MAC it does not post??? NMAP returns a good bit of data from the remote subnets as I have used NMAP long before I started using OA and find the info very useful for my audits and would like it inserted into the OA database, actually it might be in the DB but I don't see it in OA???

Doug

I must admit, I haven't tried to use NMAP between subnets, as I have a box available at each site which will NMAP for me and provides the results. It may be the case that OA requires the mac address to allow it to enter data in to the database.

If, as I suspect, nmap.sh is using the mac address as the unique identifier for the items discovered, (although I haven't verified this) and therefore if the script doesn't return a mac address, or if the address returned is blank, then all of the data will be written to the same record (the one with the blank mac address). This would be consistent with your result, NMAP appears to work, but the data doesn't show up in the database. This leaves you with a problem (not an insurmountable one, but a problem none the less). If I am right, then the script needs to be altered to invent a mac address (say one based on a repeated pattern of the bytes of the IP address, converted to HEX for example) for any case where there is no mac address. You will still be unable to obtain some of the information you would see using a local scan, but at least you will see something.

...or you could run the nmap script from the remote subnet

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]