25 February 2021
Auditing Your Network, Without Credentials.
Now that I have your attention, how can we possibly audit a network and find all the juicy details about the devices on it, without having high-level credentials to talk to those devices?
Well, it’s a bit of a mistruth. Or a caveat. Or whatever you want to call it. We definitely can do this, but for devices such as routers, printers and switches you will need a minimal set of SNMP credentials (read-only, at the lowest access level the device offers). Computers can be audited without any credentials being stored in Open-AudIT.
“How can you do that?”, “It won’t work on my network, my network and devices are locked down”. Yes, yes, your network is perfectly secure, I understand. In that case you are the perfect candidate to implement network discovery and auditing in this fashion.
So how do we do this? Well, as mentioned, first source a set of SNMP credentials that allow the minimal level of access. Do not worry about credentials for Windows, Linux or any other computer OS.
Next, configure Open-AudIT to match devices based on IP address. If you have devices that frequently change IP, you may need to enable this per discovery rather than globally, to avoid too many false-positive device matches. Even that risk can be reduced by using a collector per subnet to run discoveries.
Once you have your minimal SNMP credentials and have created and configured a subnet discovery, run it. Naturally devices without credentials will probably be classed as unclassified or even unknown. That is expected – no credentials, remember.
Next, use your management software to deploy the audit script appropriate to each device's operating system. For Linux machines, for example, you can use Puppet, Chef or Ansible to push the audit_linux.sh script. Windows domain users also have the option to deploy and run the script at domain login. Then create a cron job (or scheduled task under Windows) to run the audit script on a schedule of your choosing and submit the results to your Open-AudIT server.
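As an added example that is not Open-AudIT's own code, here is a POSIX shell installer for the Linux cron job above: it refuses to schedule an audit_linux.sh that a non-root user could modify, builds the submit-online command, and staggers the run minute per host. The script path, server URL and the key=value parameters (submit_online, create_file, url) passed to audit_linux.sh are assumptions to check against your version of the script.

```shell
#!/bin/sh
# Added example, not Open-AudIT's own code: install a root cron job that runs
# audit_linux.sh and submits the result directly to the Open-AudIT server, so
# no credential is stored on the client or in Open-AudIT. Paths, URL and the
# key=value parameters below are assumptions.

AUDIT_SCRIPT="${AUDIT_SCRIPT:-/usr/local/sbin/audit_linux.sh}"
OA_URL="${OA_URL:-https://openaudit.example.internal/open-audit/index.php/input/devices}"
CRON_FILE="${CRON_FILE:-/etc/cron.d/open-audit}"

# Cron will run the audit as root, so refuse a script that a non-root user
# could edit: a group- or world-writable audit script is a privilege
# escalation path on every host it is deployed to.
check_script_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$owner" = "root" ] || { echo "not owned by root: $f" >&2; return 1; }
    last2=${mode#"${mode%??}"}          # last two octal digits: group, other
    case "$last2" in
        *[2367]*) echo "group/world writable ($mode): $f" >&2; return 1 ;;
    esac
}

# The command cron runs: submit online and keep no copy of the audit result
# on disk, since it lists installed software, local users and more.
build_audit_cmd() {
    printf '%s submit_online=y create_file=n url=%s\n' "$AUDIT_SCRIPT" "$OA_URL"
}

# Hash the host name to a minute so a fleet does not submit all at once.
stagger_minute() {
    n=$(printf '%s' "$1" | cksum | cut -d ' ' -f 1)
    echo $((n % 60))
}

install_audit_cron() {
    check_script_perms "$AUDIT_SCRIPT" || return 1
    minute=$(stagger_minute "$(hostname)")
    umask 022
    printf '# Open-AudIT client audit, daily\n%s 2 * * * root %s >/dev/null 2>&1\n' \
        "$minute" "$(build_audit_cmd)" > "$CRON_FILE"
    echo "scheduled daily at 02:$(printf '%02d' "$minute") in $CRON_FILE"
}

# Only write the cron file when asked: sh schedule_audit.sh install
if [ "${1:-}" = "install" ]; then
    install_audit_cron
fi
```

Run it as root with `sh schedule_audit.sh install`; without the argument it only defines the functions, so it can be sourced and checked first.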
Then check for unclassified or unknown devices within Open-AudIT and work through them, determining what each one is and remediating as necessary.
As the audit script results are submitted, the unclassified or unknown devices should be matched and decrease in number.
Eventually you should have zero unclassified or unknown devices. You have just discovered and audited your network using only a minimal set of SNMP (read only) credentials. You still have all the data Open-AudIT usually collects, but no central store of credentials!
Obviously this will take a lot more effort than using Open-AudIT as designed, but in those cases where you just cannot store sensitive credentials in a central location, Open-AudIT still has you covered.