Hi all,
As you probably know, the discovery lib will be a huge part of the coming
skonf UI. That's why I added some new features to it. The big part is
"multi-layer discovery". Ok, you start to think: "but what the hell is
that?"
It's quite simple: discovery was a one-shot process:
* we have runners (scripts) that scan and output data.
* rules look at the data and give the hosts some properties.
* we write the hosts into a file/database.
Ok, that's good for classic properties like "is it Windows or Linux?".
But what if you want to get all the shares of a Windows box to monitor
them? You won't scan all IPs for shares; you only want to scan the
Windows boxes. So you need the result of the first "discovery" to launch
another one.
*Multi-layer mode:*
That's the multi-layer discovery thing. You will get 2 discovery runner
types:
* large-scale ones: nmap, vmware, i.e. the current ones.
* host-level scans: like the "give me the shares of a Windows box" one :)
*Sample: get a service per share for all Windows hosts:*
Ok, let's look at an example, our Windows share one :)
We have our nmap runner that will launch a scan:
nmap_discovery_runner.py -t IP-RANGE
It will generate a bunch of lines like:
srv1::os=windows
We apply the current rules, so srv1 will be generated with "use
windows".
Ok, now we look at the level 2 and higher runners.
We have a new run definition (in the windows pack,
etc/packs/os/windows/discovery.cfg):
define discoveryrun {
discoveryrun_name WindowsShares
discoveryrun_command discovery_windows_share
# And scan only windows
# TODO : and samba hosts?
os windows
}
That will call the command discovery_windows_share only for Windows hosts.
This command is:
define command {
command_name discovery_windows_share
command_line $USER1$/windows_shares_discovery_runner.py -H $HOSTNAME$ -u '$DOMAINUSER$' -p '$DOMAINPASSWORD$'
}
And it will generate data like:
srv1::_shares=Public,Other
I added a new feature to the discovery: if the data key starts with _, it
will automatically be added to the object, so you do not need to define a
rule just to add a custom value.
The generated host will be :
define host{
host_name srv1
use windows
_shares Public,Other
}
Then the new service etc/packs/os/windows/services/share_space.cfg will
loop over _shares and create a service per share:
define service{
service_description ShareSpace-$KEY$
use generic-service
register 0
host_name windows
check_command check_windows_share!$KEY$
duplicate_foreach _shares
}
So 2 services: srv1/ShareSpace-Public and srv1/ShareSpace-Other. If the
Windows host does not have any shares, it just won't generate such services.
*How to write a runner?*
Runners are the good part here: a runner just needs to be a script that
outputs something like hostname::key=value for each key. So you can
"describe" your hosts quite easily (here windows_shares_discovery_runner.py
is just using the smbclient -L command :)
It can be good for example to list disk volumes, or other stuff (like
Oracle instances for the oracle pack).
Feel free to test it from the master sources :)
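To make the flow above concrete, here is a small Python model I sketched for this mail (my own illustration, not code from the discovery lib): it parses runner output lines, applies the "os windows" filter of the discoveryrun, attaches _keys as custom macros, and expands duplicate_foreach. The runner output and the dict form of share_space.cfg are constructed for the example.

```python
import re

# Constructed output of two runners: the level-1 nmap one and the
# level-2 shares one. srv3 is a Windows box without shares.
SAMPLE_OUTPUT = [
    "srv1::os=windows",
    "srv1::_shares=Public,Other",
    "srv2::os=linux",
    "srv3::os=windows",
    "srv3::_shares=",
    "garbage line without separator",
]

# share_space.cfg as a dict (service_description/check_command/duplicate_foreach)
SHARE_SPACE = {
    "service_description": "ShareSpace-$KEY$",
    "check_command": "check_windows_share!$KEY$",
    "duplicate_foreach": "_shares",
}

def parse_discovery_output(lines):
    """Turn hostname::key=value lines into {host: {key: value}}.
    Malformed lines are skipped so one bad runner cannot abort the run."""
    hosts = {}
    for line in lines:
        m = re.match(r"^([^:\s]+)::([^=]+)=(.*)$", line.strip())
        if not m:
            continue
        host, key, value = m.groups()
        hosts.setdefault(host, {})[key] = value
    return hosts

def hosts_matching(hosts, **criteria):
    """Level-2 selection: the 'os windows' filter of a discoveryrun."""
    return sorted(h for h, d in hosts.items()
                  if all(d.get(k) == v for k, v in criteria.items()))

def build_host(hostname, data):
    """Apply the os -> template rule and attach every _key as a custom macro."""
    host = {"host_name": hostname, "use": data.get("os", "generic-host")}
    host.update({k: v for k, v in data.items() if k.startswith("_")})
    return host

def expand_services(host, tpl):
    """duplicate_foreach: one service per comma-separated value of the macro;
    an empty or missing macro yields no service at all."""
    raw = host.get(tpl["duplicate_foreach"], "")
    return [{"host_name": host["host_name"],
             "service_description": tpl["service_description"].replace("$KEY$", v),
             "check_command": tpl["check_command"].replace("$KEY$", v)}
            for v in (x.strip() for x in raw.split(",")) if v]
```

The model deliberately takes no credentials: a runner launched with -p '$DOMAINPASSWORD$' on its command line shows the password to anyone who can list processes on the poller, so a credentials file readable only by the shinken user is the safer way to feed the real script.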
*Link with skonf?*
Ok, and now the link with skonf? In fact this UI will be strongly linked
with the discovery lib. To add a new host, you will be able to just "scan"
it. So with good rules, you will automatically have the templates and the
custom values. Then you will be able to change them if needed (like change
the template order or custom macro values).
The discovery thing is already coded in the actual skonf code; I still need
to code the "show me the macros" part :)
Jean
Shinken-devel mailing list
Shinken-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shinken-devel