McAfee EPO synchronization

Introduction

In enterprise environments, a McAfee ePO (ePolicy Orchestrator) server, referred to as the "EPO server" below, is often used to manage client PCs, pushing anti-virus updates and ensuring that the client AV software stays up to date.

Epo has an MS-SQL server at its core. The tables in this database were examined to see which of the information they hold could be useful to FreeNAC users.

The FreeNAC "EPO module" queries this information from Epo regularly (e.g. each night) and stores it in dedicated tables in the FreeNAC database, so that AV status can be reported per end device.

Installation

Pre-requisites: In order to install this feature, FreeTDS must be installed on the FreeNAC server, and of course an Epo server must be reachable from it (by default on TCP port 1433).

Configuration: Epo server

Create a dedicated SQL user which FreeNAC will use to query Epo. Give this user SELECT rights on the Epo database and nothing more: the module only reads, so it needs no write or administrative rights, and it should not share the credentials of any other Epo account.

Configuration: FreeNAC

1. The first step is to configure FreeTDS so that SQL queries to Epo actually work.

Add the following instance to freetds.conf for your Epo server. Adjust the host, and perhaps the port, for your Epo server:

[epo_alias]
host = server.domain.com
port = 1433
tds version = 4.2
dump file = /var/log/freetds_inv.log
dump file append = yes
debug level = 1 

Two notes on this instance. The "dump file" records the raw TDS packets exchanged with Epo, including the login exchange and query results, so keep it readable by root only and remove the dump settings once the connection works. The "tds version" of 4.2 works against older SQL Server releases; if the Epo database runs on a newer SQL Server and the login in the test below fails, try 7.0 or 8.0 here.

2. In the config_en.inc file, set up your username and password in the variables $epo_dbuser and $epo_dbpass. These correspond to the user name and password configured on the Epo SQL server. Since this file now holds the Epo database password, make sure it is readable only by the account FreeNAC runs as.

3. Set epo_dbalias and epo_db in the MySQL opennac.config table:

update config set value='epo_alias' where name='epo_dbalias';
update config set value='epo_db' where name='epo_db'; 

Here epo_alias is the alias you declared in your freetds.conf file and epo_db is the database that holds the information regarding the McAfee antivirus.

4. Enable the Epo module in FreeNAC:

update config set value='true' where name='epo_enabled';

If such a field doesn't exist in your config table, create it as follows:

insert into config set type='boolean', name='epo_enabled', value='true', comment='Enable or disable the McAfee Epo module';

This flag also enables Epo related features in the FreeNAC Windows GUI.

5. Ensure that the local FreeNAC MySQL user (inventwrite in the example below) can update the local Epo tables. Grant permissions on the EpoComputerProperties table:

grant SELECT,UPDATE,DELETE ON opennac.EpoComputerProperties to inventwrite@'localhost';

Testing

Run the test script epo_test.php. If everything went fine, you will see the output of the following SQL query:

SELECT TOP 5 ParentID, ComputerName, IPHostName, DomainName, IPAddress, OSType, OSVersion, OSServicePackVer, NetAddress, UserName, TheTimestamp, TheHiddenTimestamp, Description FROM ComputerProperties

If this did not work, verify the above settings; there is probably a configuration or connectivity problem. The FreeTDS dump file configured above shows at which point (connection, login or query) the exchange with Epo fails.

Next, try the Epo sync script to synchronise Epo information to the local tables.

# Watch stdout and syslog for errors, e.g. in a second shell:

log |grep -i epo & 

Edit the epo_sync.php script and ensure that the variable

$EPO_VERSION = 3;              // either 3 or 4

matches the Epo version you are using. Change this value accordingly before starting the sync.

# start the sync

./epo_sync.php

Syslog entries like the following should appear:

Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 00114336D065 0011.4336.D065 20070827103729, 5102.0000, USER1
Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 0015C54CC15D 0015.C54C.C15D 20070827111501, 5102.0000, USER2
Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 0019D139EB34 0019.D139.EB34 20070802153610, 5087.0000, USER3
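The value of the sync is in spotting end devices whose AV is out of date. As an added example (not FreeNAC code and not on the original page), the following Python script reads syslog lines of the kind shown above and flags devices whose DAT version lags the newest one seen in the run, or whose last AV update is older than a week. It assumes the field order MAC, dotted MAC, timestamp as YYYYMMDDhhmmss, DAT version, last user, which is an interpretation of the lines above; the sample lines are constructed and the thresholds are placeholders to adjust to your own update policy.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines in the shape epo_sync.php logs (illustrative,
# not captured from a real Epo server).
SAMPLE_SYSLOG = """\
Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 00114336D065 0011.4336.D065 20070827103729, 5102.0000, USER1
Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 0015C54CC15D 0015.C54C.C15D 20070827111501, 5102.0000, USER2
Aug 27 11:34:11 freenac epo_sync[31844]: Update AV status 0019D139EB34 0019.D139.EB34 20070802153610, 5087.0000, USER3
Aug 27 11:34:12 freenac epo_sync[31844]: sync finished
"""

# Assumed field order: raw MAC, dotted MAC, last AV update (YYYYMMDDhhmmss),
# DAT version, last logged-in user.
LINE_RE = re.compile(
    r"epo_sync\[\d+\]: Update AV status "
    r"(?P<mac>[0-9A-Fa-f]{12}) (?P<dotted>[0-9A-Fa-f.]{14}) "
    r"(?P<ts>\d{14}), (?P<dat>\d+)\.\d+, (?P<user>\S+)$"
)


def dotted_mac(mac):
    """Convert the 12-hex-digit form Epo stores (NetAddress) to FreeNAC's
    xxxx.xxxx.xxxx form; rejects anything that is not a MAC."""
    mac = mac.upper()
    if not re.fullmatch(r"[0-9A-F]{12}", mac):
        raise ValueError("not a 12 hex digit MAC: %r" % mac)
    return ".".join(mac[i:i + 4] for i in (0, 4, 8))


def parse_sync_log(text):
    """Extract one record per 'Update AV status' line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").upper()
        if dotted_mac(mac) != m.group("dotted").upper():
            continue  # the two MAC renderings disagree: treat the line as corrupt
        records.append({
            "mac": mac,
            "dat": int(m.group("dat")),
            "last_update": datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S"),
            "user": m.group("user"),
        })
    return records


def stale_clients(records, now, max_age_days=7, max_dat_lag=5):
    """Return (mac, user, reasons) for clients whose DAT is more than
    max_dat_lag releases behind the newest DAT seen in this run, or whose
    last AV update is older than max_age_days relative to now."""
    if not records:
        return []
    newest = max(r["dat"] for r in records)
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for r in records:
        reasons = []
        lag = newest - r["dat"]
        if lag > max_dat_lag:
            reasons.append("DAT %d releases behind %d" % (lag, newest))
        if r["last_update"] < cutoff:
            reasons.append("last AV update " + r["last_update"].strftime("%Y-%m-%d"))
        if reasons:
            flagged.append((r["mac"], r["user"], reasons))
    return flagged


def report(text, now_str):
    """Parse the log text and flag stale clients relative to now_str,
    given in the same YYYYMMDDhhmmss format as the log."""
    now = datetime.strptime(now_str, "%Y%m%d%H%M%S")
    return stale_clients(parse_sync_log(text), now)


if __name__ == "__main__":
    for mac, user, reasons in report(SAMPLE_SYSLOG, "20070827120000"):
        print(mac, user, "; ".join(reasons))
```

With the sample lines only the third device is reported: its DAT (5087) is 15 releases behind the 5102 seen on the other two, and its last update is 25 days old. Feeding the script the output of a real run (e.g. `grep "Update AV status" /var/log/syslog`) gives a quick list of devices to look at before they are trusted on the network.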

Now, in the FreeNAC Windows GUI, Epo information should be visible in

Reports -> AV, and for individual end devices in Edit->Anti-Virus.

Operations

If the previous steps went OK, add the script to root's crontab for regular Epo synchronisation, e.g. every weekday at 03:30:

30  3    * * 1-5 /opt/nac/bin/epo_sync.php

After each run, the updated Epo information is visible in the Windows GUI under Reports -> AV and, for individual end devices, under Edit -> Anti-Virus. Keep an eye on the syslog entries of the nightly run, since a failing sync (e.g. after a password change on the Epo SQL user) would otherwise go unnoticed and leave stale AV data in the reports.