7. Additional modules

See the child pages for more information

Deleting old users from database

To keep user information accurate, the delete_old_users.php script deletes users that have not been seen in the central directory for more than 'delete_users_threshold' days and that have no systems assigned. If such a user still has systems assigned, the script does not delete the user but sends a warning that the systems need to be reassigned to someone else.

In order to install this feature, you first need to add its configuration variable in the config table.

INSERT INTO config SET type='integer', name='delete_users_threshold', value='365', comment='Delete users not seen in the central directory for more than XX days';

Adjust the value according to your needs. With this example value, users which haven't been seen in the central directory for one year are deleted.

Add the following entry in crontab

#Delete old users
0 1 * * 1       /opt/nac/bin/delete_old_users.php

This will cause the script to run once a week (Monday at 1:00 AM).

If there are users to be deleted, you'll receive an e-mail summarizing the deleted users, together with the systems still assigned to stale users, so that they can be reassigned to someone else.
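The rule above has one branch that is easy to get wrong: a stale user who still owns systems must be reported, not deleted. The following is an added example, not FreeNAC's delete_old_users.php, that applies the rule to constructed rows. The column names used for the users and systems tables ('uid', 'lastseen', 'name') are assumptions; the config row is in the shape of the insert statement above.

```python
"""Added example (not FreeNAC's delete_old_users.php): apply the
delete_users_threshold rule to constructed user and system rows.

Assumed column names (not given on the page): users have 'uid' and
'lastseen' (datetime); systems have 'name' and the 'uid' of the
responsible user.
"""
from datetime import datetime, timedelta

# Constructed row in the shape of the config table insert shown above.
CONFIG_ROWS = [
    {"type": "integer", "name": "delete_users_threshold", "value": "365",
     "comment": "Delete users not seen in the central directory for more than XX days"},
]

NOW = datetime(2008, 1, 1)

# Constructed users table (hypothetical column names).
USERS = [
    {"uid": "alice", "lastseen": NOW - timedelta(days=400)},  # stale, owns nothing
    {"uid": "bob",   "lastseen": NOW - timedelta(days=400)},  # stale, owns systems
    {"uid": "carol", "lastseen": NOW - timedelta(days=10)},   # seen recently
    {"uid": "dave",  "lastseen": NOW - timedelta(days=365)},  # exactly at threshold: kept
]

# Constructed systems table: each row names the responsible user.
SYSTEMS = [
    {"name": "pc-0042", "uid": "bob"},
    {"name": "pc-0043", "uid": "bob"},
    {"name": "pc-0099", "uid": "carol"},
]


def threshold_days(config_rows):
    """Read delete_users_threshold from config rows. A missing or non-integer
    value is an error, not a reason to fall back to some default and delete."""
    for row in config_rows:
        if row["name"] == "delete_users_threshold":
            if row["type"] != "integer":
                raise ValueError("delete_users_threshold must be of type integer")
            return int(row["value"])
    raise KeyError("delete_users_threshold is not set in the config table")


def classify_old_users(config_rows, users, systems, now):
    """Return (uids to delete, {uid: [system names]} that need reassignment)."""
    cutoff = now - timedelta(days=threshold_days(config_rows))
    owned = {}
    for s in systems:
        owned.setdefault(s["uid"], []).append(s["name"])
    to_delete, to_reassign = [], {}
    for u in users:
        if u["lastseen"] >= cutoff:      # seen within the threshold: leave alone
            continue
        if u["uid"] in owned:            # stale but still owns systems: warn only
            to_reassign[u["uid"]] = sorted(owned[u["uid"]])
        else:
            to_delete.append(u["uid"])
    return sorted(to_delete), to_reassign


def summary_mail(to_delete, to_reassign):
    """Body of the e-mail the page describes: deleted users plus systems to reassign."""
    lines = ["Deleted users: " + (", ".join(to_delete) or "none")]
    for uid, names in sorted(to_reassign.items()):
        lines.append(f"User {uid} not seen but still owns: {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    deleted, warn = classify_old_users(CONFIG_ROWS, USERS, SYSTEMS, NOW)
    print(summary_mail(deleted, warn))
```

Note that 'more than N days' means a user last seen exactly N days ago is kept; the comparison is deliberately >= against the cutoff.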

IP scanning with the NMAP module

How to install:

You'll need nmap v4 or later, if you don't have it, download it from www.insecure.org/nmap, or your local package source.

For versions prior to 2.2 RC3, copy port_scan.inc.template to port_scan.inc

cp /opt/nac/etc/port_scan.inc.template /opt/nac/etc/port_scan.inc

and modify the configuration settings according to your needs, especially the nmap path.

If you are using release 2.2 RC2 or prior, you also need to import this configuration file into the database: as of release 2.2 RC2, port_scan takes all of its variables from the config table (except for $debug_flag1), so the port_scan.inc file has to be imported as well.

Do the following from the /opt/nac/contrib directory (in case you are using 2.2 RC2):

./config2db ../etc/port_scan.inc

If you need to redefine some of these settings, you can do so through the Windows GUI.

Next, create the following directory in case it doesn't exist

mkdir /opt/nac/scan


Now you need to define the networks you'd like to scan. This can be done with Administration > NmapSubnets in the Windows GUI, or directly in MySQL:

insert into subnets set ip_address='192.168.1.0', ip_netmask='24', scan='1';

This adds the subnetwork 192.168.1.0/24 to your subnets table; 'scan=1' marks it as scannable. Repeat this for every subnet you want to take into account.

If there are specific hosts you'd like to ignore, set the 'dontscan' column to a comma-separated list of the IP addresses you don't want to scan:

update subnets set dontscan='192.168.1.1, 192.168.1.127, 192.168.1.254' where ip_address='192.168.1.0' and ip_netmask='24' and scan='1';

Other settings (Administration > Config) are scan_for_hours, time_threshold, whats_units_time, nmap_flags and which_nmap. The only one which typically needs changing is scan_for_hours: only systems seen on layer 3 within this number of hours (default 3) are scanned; the others are skipped to keep scans quick.


Next, schedule the automatic scans. Add the following entries to the root crontab.

# FreeNAC: port_scanning of systems
*/5 8-18 * * 1-5       /opt/nac/bin/port_scan.php --scannow
# Active scanning: nmap monday
0 11 * * 1             /opt/nac/bin/port_scan.php 

The first entry runs every five minutes, and it is the main mechanism to control immediate scans requested from the GUI. With the GUI you set the flag 'scannow=1' and then this cronjob will scan the systems which have this flag set.

The second entry scans all devices present in the systems table every Monday at 11:00 AM
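To show how the subnets table, the dontscan column and scan_for_hours combine, here is an added example that is not port_scan.php and not FreeNAC code: it builds the nmap target list and command line from constructed rows. The systems table columns used ('ip_address', 'lastseen') are assumptions, as is the shape of the config values.

```python
"""Added example (not FreeNAC's port_scan.php): turn the subnets table and the
scan_for_hours setting into an nmap target list, honouring 'scan' and 'dontscan'.

Assumptions not on the page: the systems table rows used here
('ip_address', 'lastseen') and the config values below.
"""
import ipaddress
import shlex
from datetime import datetime, timedelta

# Constructed rows mirroring the subnets table insert/update shown above.
SUBNETS = [
    {"ip_address": "192.168.1.0", "ip_netmask": "24", "scan": "1",
     "dontscan": "192.168.1.1, 192.168.1.127, 192.168.1.254"},
    {"ip_address": "10.0.5.0", "ip_netmask": "24", "scan": "0", "dontscan": ""},
]
# Constructed config values (Administration > Config).
CONFIG = {"scan_for_hours": "3", "which_nmap": "/usr/bin/nmap", "nmap_flags": "-sS -O"}
NOW = datetime(2008, 1, 1, 12, 0)
# Constructed systems table: last layer-3 sighting per host (hypothetical columns).
SYSTEMS = [
    {"ip_address": "192.168.1.10",  "lastseen": NOW - timedelta(hours=1)},    # fresh
    {"ip_address": "192.168.1.127", "lastseen": NOW - timedelta(hours=1)},    # fresh but in dontscan
    {"ip_address": "192.168.1.50",  "lastseen": NOW - timedelta(hours=5)},    # older than scan_for_hours
    {"ip_address": "10.0.5.7",      "lastseen": NOW - timedelta(minutes=5)},  # subnet has scan='0'
]


def parse_dontscan(csv):
    """The dontscan column is free text: tolerate spaces and blank entries, but
    refuse garbage instead of handing it to nmap as a target."""
    out = set()
    for tok in csv.split(","):
        tok = tok.strip()
        if tok:
            out.add(ipaddress.ip_address(tok))  # raises ValueError on a bad entry
    return out


def scan_targets(subnets, systems, config, now):
    """Hosts to scan: inside a subnet with scan='1', seen on layer 3 within
    scan_for_hours, and not listed in that subnet's dontscan column."""
    cutoff = now - timedelta(hours=int(config["scan_for_hours"]))
    targets = set()
    for row in subnets:
        if row["scan"] != "1":
            continue
        net = ipaddress.ip_network(f"{row['ip_address']}/{row['ip_netmask']}", strict=True)
        excluded = parse_dontscan(row.get("dontscan") or "")
        for s in systems:
            ip = ipaddress.ip_address(s["ip_address"])
            if ip in net and ip not in excluded and s["lastseen"] >= cutoff:
                targets.add(str(ip))
    return sorted(targets, key=ipaddress.ip_address)


def nmap_command(targets, config):
    """Build the command line. nmap_flags comes from a database table, so every
    argument is quoted rather than pasted into a shell string."""
    if not targets:
        return None
    parts = [config["which_nmap"], *shlex.split(config["nmap_flags"]), *targets]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    t = scan_targets(SUBNETS, SYSTEMS, CONFIG, NOW)
    print(t)
    print(nmap_command(t, CONFIG))
```

With the constructed data only 192.168.1.10 is scanned: .127 is excluded, .50 was last seen five hours ago, and 10.0.5.7 sits in a subnet with scan='0'.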

See also the technical guide section on the nmap module.

FreeTDS

FreeTDS component

At the time of this writing, some distributions (e.g. Ubuntu 7.10) lack a component needed for the Enterprise version of FreeNAC: the FreeTDS client (tsql binary), which is needed to test connectivity with MSSQL databases.

If your distribution doesn't have this package, we recommend getting the latest version from http://www.freetds.org/ and building it yourself.

If you don't have the expertise to do so, we provide a binary (v0.64RC2) and a configuration file that run on i386 platforms. Go to our downloads page on Sourceforge, get these components and install the binary under /usr/bin.

Important note: The config file must be placed under /opt/freetds/etc in order to be found by the binary we provide.

Known issues:

Setting connect_timeout values for mssql_connect() in PHP using Ubuntu 7.10

There are some parameters in php.ini which allow you to set the timeouts (connect_timeout, query_timeout), but they are specific to the mssql extension. In Ubuntu 7.10 there is no php5-mssql package.

If you run

php -i | grep mssql

you can see that the extension is not installed.

The replacement for php5-mssql in Ubuntu 7.10 is php5-sybase, but the php.ini configuration for Sybase doesn't specify any timeouts. Setting mssql.connect_timeout and mssql.timeout has no effect.

There is a bug report for php5-mssql
http://bugs.launchpad.net/ubuntu/+source/php5/+bug/8706
and the package is expected to be created for the next release of Ubuntu (Hardy). If so, FreeTDS will still be needed, since php5-mssql is built on it and will be used to perform queries to MS SQL databases.

McAfee EPO synchronization

Introduction

In an enterprise environment, the McAfee "EPO server" is often used to manage client PCs, pushing anti-virus updates and ensuring that client AVs stay up to date.

Epo has an MS-SQL server at its core, and the tables in this database were examined to see which information in there could be useful to FreeNAC users.

The FreeNAC "EPO module" queries information from the Epo regularly (e.g. each night) and stores it in dedicated tables in the FreeNAC database.

Installation

Pre-requisites: In order to install this feature, you need FreeTDS installed and of course an Epo server.

Configuration: Epo server

Create an SQL user, which FreeNAC will use to query Epo. Give this user SELECT rights on the Epo database.

Configuration: FreeNAC

1. The first step is to configure 'FreeTDS' so that SQL queries to Epo actually work.

Add the following instance to freetds.conf for your EPO server. Adjust the host and perhaps port for your Epo server:

[epo_alias]
host = server.domain.com
port = 1433
tds version = 4.2
dump file = /var/log/freetds_inv.log
dump file append = yes
debug level = 1 

2. In the config_en.inc file, set your username and password in the variables $epo_dbuser and $epo_dbpass. These correspond to the user name and password configured on the Epo SQL server. Since this file holds database credentials, keep it readable only by the user that runs the FreeNAC scripts.

3. Set epo_dbalias and epo_db in the mysql opennac.config table

update config set value='epo_alias' where name='epo_dbalias';
update config set value='epo_db' where name='epo_db'; 

Here epo_alias is the alias you declared in your freetds.conf file and epo_db is the database that holds the information regarding the McAfee antivirus.

4. Enable the Epo module in FreeNAC:

update config set value='true' where name='epo_enabled';

If such a field doesn't exist in your config table, create it as follows:

insert into config set type='boolean', name='epo_enabled', value='true', comment='Enable or disable the McAfee Epo module';

This flag also enables Epo related features in the FreeNAC Windows GUI.

5. Ensure that the local FreeNAC MySQL user can update the local Epo tables. Grant permissions to the EpoComputerProperties table:

grant SELECT,UPDATE,DELETE ON opennac.EpoComputerProperties to inventwrite@'localhost';

Testing

Run the test script epo_test.php. If everything went fine, you'll see the output of the SQL query "SELECT TOP 5 ParentID, ComputerName, IPHostName, DomainName, IPAddress, OSType, OSVersion, OSServicePackVer, NetAddress, UserName, TheTimestamp, TheHiddenTimestamp, Description FROM ComputerProperties".

If this did not work, verify the above settings; there is probably a configuration or connectivity problem.

 

Next, try the EPO sync script to synchronise Epo information to the local tables.

# Watch stdout and syslog for errors.

log |grep -i epo & 

Edit the epo_sync.php script, and ensure that the variable

$EPO_VERSION = 3;              // either 3 or 4

represents the right EPO version you are using. Change this value accordingly.

# start the sync

./epo_sync.php

Syslog entries like the following should appear:

Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 00114336D065 0011.4336.D065 20070827103729, 5102.0000, USER1
Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 0015C54CC15D 0015.C54C.C15D 20070827111501, 5102.0000, USER2
Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 0019D139EB34 0019.D139.EB34 20070802153610, 5087.0000, USER3

Now, in the FreeNAC Windows GUI, Epo information should be visible in

Reports -> AV, and for individual end devices in Edit->Anti-Virus.

Operations

If the previous steps went ok, add it to the root cron for regular Epo synchronisation.

30  3    * * 1-5 /opt/nac/bin/epo_sync.php


Microsoft SMS

Introduction

In an enterprise environment, Microsoft's Systems Management Server (SMS) may be used to manage the software packages on client PCs: pushing package updates, querying inventory and ensuring that client packages stay up to date.

MS-SMS has an MS-SQL server at its core, and certain information in there, such as MAC addresses and system names, may be useful to FreeNAC.

The FreeNAC SMS class "SMSEndDevice.php" is usually called by "postconnect". It queries the local copy of the SMS data to find out whether the MAC address of an unknown device currently trying to connect to the LAN is in the SMS database.

If information is found, postconnect allows the device and updates the FreeNAC tables with the information from SMS, such as logged on user, system name etc.

If you plan to use this module, you need to modify the postconnect section of your policy file accordingly. A sample snippet is shown below:

/**
 * The postconnect method is used by the postconnect daemon.
 * It updates information for PORTS and HOSTS.
 * This method writes to the database, so it shouldn't be called from a slave server.
 * @param object $REQUEST     A SyslogRequest object
 */
public function postconnect($REQUEST)
{
    # SMS module: look the connecting device up in the local SMS copy
    $SMS_HOST = new CallWrapper(new SMSEndDevice($REQUEST));
    # Insert the end device if unknown
    $SMS_HOST->insertIfUnknown();
    # Insert a switch or port if unknown
    $REQUEST->switch_port->insertIfUnknown();
    # Update port information
    $REQUEST->switch_port->update();
    # Update host lastseen timestamp
    $REQUEST->host->update();
}
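Matching the MAC address of a connecting device against the SMS copy (and the EPO data) only works if both sides use the same notation. The epo_sync syslog lines above show the two forms FreeNAC logs, 00114336D065 and 0011.4336.D065; SMS and other inventories commonly use colon or dash separated forms. The following is an added example, not SMSEndDevice.php or any FreeNAC code, that canonicalises a MAC before the lookup. The colon and dash forms assumed for MACAddress0 and the row layout of nac_sms_1 are assumptions.

```python
"""Added example (not FreeNAC's SMSEndDevice.php): canonicalise a MAC address so
a connecting device can be matched against the local SMS copy (nac_sms_1) or
the EPO data, whatever notation each source uses.

Bare (00114336D065) and Cisco dotted (0011.4336.D065) forms appear in the
epo_sync syslog lines on this page; the colon/dash forms and the nac_sms_1 row
layout below are assumptions.
"""
import re

# Constructed nac_sms_1 rows (hypothetical column names after the view fields).
SMS_ROWS = [
    {"Name0": "PC-0042", "User_Name0": "DOMAIN\\user1",
     "Operating_System_Name_and0": "Microsoft Windows XP Professional",
     "MACAddress0": "00:11:43:36:D0:65"},
    {"Name0": "PC-0043", "User_Name0": "DOMAIN\\user2",
     "Operating_System_Name_and0": "Microsoft Windows XP Professional",
     "MACAddress0": "00-15-C5-4C-C1-5D"},
]


def canonical_mac(mac):
    """Return the 12 uppercase hex digits, or None if the input is not a MAC.
    Accepts 00:11:43:36:D0:65, 00-11-43-36-D0-65, 0011.4336.D065 and 00114336D065."""
    if mac is None:
        return None
    digits = re.sub(r"[:\-.\s]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return digits


def cisco_mac(mac):
    """Dotted form as logged by epo_sync (0011.4336.D065)."""
    d = canonical_mac(mac)
    return None if d is None else f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def sms_index(rows):
    """Index the local SMS copy by canonical MAC. Rows with unusable MACs are
    skipped rather than indexed under None, which would otherwise match every
    malformed request."""
    idx = {}
    for row in rows:
        key = canonical_mac(row.get("MACAddress0"))
        if key is not None:
            idx[key] = row
    return idx


def lookup_unknown_device(request_mac, index):
    """What postconnect needs: the SMS row for the connecting MAC, or None."""
    key = canonical_mac(request_mac)
    return None if key is None else index.get(key)


if __name__ == "__main__":
    idx = sms_index(SMS_ROWS)
    print(lookup_unknown_device("0011.4336.d065", idx))
```

The important failure mode is a MAC that cannot be parsed: it must map to "not found" rather than to a wildcard entry, because a match is what makes postconnect allow the device onto the LAN.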

Installation

Pre-requisites: In order to install this feature, you need FreeTDS installed and of course an MS-SMS server.

Configuration: MS-SMS server

An SQL 'view' will have to be created on the MS-SMS server with the correct fields. The view should have these fields:

  1. Name0: end-device name
  2. User_Name0: the user last logged onto that end-device
  3. Operating_System_Name_and0: The operating system detected on the end-device
  4. MACAddress0: The MAC associated with the end-device.

Create an SQL user, which FreeNAC will use to query MS-SQL. Give this user SELECT rights on the above view.

You also need to create the SMS table (nac_sms_1) in the FreeNAC database. To do so, go to /opt/nac/contrib and run the following command:

mysql opennac < sms_tables 

Configuration: FreeNAC

1. The first step is to configure 'FreeTDS' so that SQL queries to MS-SQL actually work.

Add the following instance to freetds.conf. Adjust the host and perhaps port for your MS-SQL server:

[sms_alias]
host = server.domain.com
port = 1433
tds version = 4.2
dump file = /var/log/freetds_sms.log
dump file append = yes
debug level = 1 

2. In the config_en.inc file, set your username and password in the variables $sms_dbuser and $sms_dbpass. These correspond to the user name and password configured on the MS-SMS SQL server.

3. Set sms_dbalias and sms_db in the mysql opennac.config table

update config set value='sms_alias' where name='sms_dbalias';
update config set value='sms_db' where name='sms_db'; 

Here sms_alias is the alias you declared in your freetds.conf file and sms_db is the SMS database that holds the view created above.

4. Enable the SMS module in FreeNAC:

update config set value='true' where name='sms_enabled';

If such a field doesn't exist in your config table, create it as follows:

insert into config set type='boolean', name='sms_enabled', value='true', comment='Enable or disable the SMS module';

This flag also enables SMS related features in the FreeNAC Windows GUI.

Operations

Configure the MS-SMS module in the config table.

  • lastseen_sms: set to 'true' to enable the SMS module.
  • lastseen_sms_notify: set to 'true' to enable Email alerts
  • sms_device: Text to display in the email alert when an SMS-known end-device connects to the LAN.
  • lastseen_sms_restart: set to 'true' to restart the switch port when an SMS-known end-device connects to the LAN.
  • lastseen_sms_vlan: Which vlan (index number) is to be assigned to SMS-known end-devices

These can be assigned in the FreeNAC Windows GUI under Administration->config.

Synchronization

Run the sync script from /opt/nac/bin

 ./sms_getinfo

and watch syslog. It could take some time to complete. If everything went fine, you should see in syslog a message like the following:

Dec 19 09:23:47 freenac sms_getinfo[16087]: SMS synchronization was successful.

Now that your nac_sms_1 table is populated, you need to restart postconnect in order to load your policy and the changes you made to the SMS config variables.

/etc/init.d/postconnect restart 

Add an entry in cron to perform the synchronization automatically according to your needs.

0 2 * * 1       /opt/nac/bin/sms_getinfo

WSUS synchronization

Introduction

In an enterprise environment, Microsoft's "WSUS server" is often used to manage patches on client PCs, pushing Windows and Office updates and ensuring that Windows client PCs stay up to date.

Wsus has an MS-SQL server at its core, and the tables in this database were examined to see which information in there could be useful to FreeNAC users.

The FreeNAC "WSUS module" queries information from the WSUS regularly (e.g. each night) and stores it in dedicated tables in the FreeNAC database.

The script that performs the WSUS synchronization is wsus_sync.php.

Installation

Pre-requisites:

  • FreeTDS.
  • Wsus must be installed with a full MS-SQL server (not the "light" MSDE), and this module has only been tested with Wsus version 3.0.

Configuration: Wsus

Create an SQL user, which FreeNAC will use to query Wsus. Give this user SELECT rights on the Wsus database.

Ensure that network connectivity to the MS-SQL engine is enabled.

Configuration: FreeNAC

1. The first step is to configure 'FreeTDS' so that SQL queries to Wsus actually work.

Add the following instance to freetds.conf. Adjust the host and perhaps port for your Wsus server:

[wsus_alias]
host = server.domain.com
port = 1433
tds version = 4.2
dump file = /var/log/freetds_inv.log
dump file append = yes
debug level = 1 

2. In the config_en.inc file, set your username and password in the variables $wsus_dbuser and $wsus_dbpass. These correspond to the user name and password configured on the MS-SQL server.

3. Set wsus_dbalias and wsus_db in the mysql opennac.config table

update config set value='wsus_alias' where name='wsus_dbalias';
update config set value='wsus_db' where name='wsus_db'; 

Here wsus_alias is the alias you declared in your freetds.conf file and wsus_db is the database that holds the WSUS patch information.

4. Enable the Wsus module in FreeNAC:

update config set value='true' where name='wsus_enabled';

If such a field doesn't exist in your config table, create it as follows:

insert into config set type='boolean', name='wsus_enabled', value='true', comment='Enable or disable the WSUS module';

This flag also enables Wsus related features in the FreeNAC Windows GUI.
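The EPO, SMS and WSUS modules are configured the same way: a section in freetds.conf, an *_dbalias and *_db entry in the config table, credentials in config_en.inc and an *_enabled flag. A *_dbalias value that does not match a freetds.conf section name is the usual reason epo_test.php, sms_getinfo or wsus_sync.php fails with a connectivity error, and FreeTDS gives little help diagnosing it. The following is an added example, not FreeNAC code, that checks those settings agree before the sync scripts are run. The freetds.conf text and the config rows are constructed (and deliberately contain two such mismatches); which checks are applied is an editorial choice.

```python
"""Added example (not part of FreeNAC): pre-flight check that the freetds.conf
aliases and the opennac.config entries of the EPO, SMS and WSUS modules agree.

freetds.conf is parsed from a constructed string; the config rows are
constructed from the update statements on this page.
"""
import configparser

# Constructed freetds.conf content in the format shown on this page.
FREETDS_CONF = """
[epo_alias]
host = epo.example.com
port = 1433
tds version = 4.2

[wsus_alias]
host = wsus.example.com
port = 1433
tds version = 4.2
"""

# Constructed opennac.config rows (name -> value) with two typical mistakes:
# sms_dbalias names an alias that freetds.conf does not define, and
# wsus_dbalias was set to the config *name* instead of the freetds alias.
CONFIG_ROWS = {
    "epo_enabled": "true",  "epo_dbalias": "epo_alias",     "epo_db": "epo_db",
    "sms_enabled": "true",  "sms_dbalias": "sms_alias",     "sms_db": "sms_db",
    "wsus_enabled": "true", "wsus_dbalias": "wsus_dbalias", "wsus_db": "wsus_db",
}

MODULES = ("epo", "sms", "wsus")


def parse_freetds(text):
    """Parse freetds.conf sections into {alias: {key: value}}.
    configparser lowercases keys, which matches how 'tds version' is written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {sec: dict(cp[sec]) for sec in cp.sections()}


def check_module(name, config, aliases):
    """Return a list of problems for one module; an empty list means consistent."""
    problems = []
    if config.get(f"{name}_enabled", "false").lower() != "true":
        return problems  # disabled modules are not checked
    alias = config.get(f"{name}_dbalias")
    db = config.get(f"{name}_db")
    if not alias:
        problems.append(f"{name}_dbalias is not set in the config table")
    elif alias not in aliases:
        problems.append(f"{name}_dbalias='{alias}' has no [{alias}] section in freetds.conf")
    else:
        sec = aliases[alias]
        for key in ("host", "port", "tds version"):
            if key not in sec:
                problems.append(f"[{alias}] is missing '{key}'")
        if "port" in sec and not sec["port"].isdigit():
            problems.append(f"[{alias}] port '{sec['port']}' is not numeric")
    if not db:
        problems.append(f"{name}_db is not set in the config table")
    return problems


def check_all(config, freetds_text):
    """Check every module; returns {module: [problems]}."""
    aliases = parse_freetds(freetds_text)
    return {m: check_module(m, config, aliases) for m in MODULES}


if __name__ == "__main__":
    for mod, probs in check_all(CONFIG_ROWS, FREETDS_CONF).items():
        print(mod, "OK" if not probs else probs)
```

Run against the constructed data, the EPO module passes while SMS and WSUS each report the alias mismatch; fixing wsus_dbalias to 'wsus_alias' (and adding an [sms_alias] section, or disabling the SMS module) clears the report.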

Synchronization

Once you have done the above, running the script is very straightforward.

/opt/nac/bin/wsus_sync.php

If you don't receive any errors, that means that all parameters have been properly set.

Operations

Add the following entry in crontab in order to update patch information every day

0   4    * * 1-5 /opt/nac/bin/wsus_sync.php

In this way, it'll run from Monday to Friday at 4:00AM.

Now, in the FreeNAC Windows GUI, Wsus information should be visible in Reports -> Wsus, and for individual end devices in Edit->Wsus.