Part 2.d: Scheduling asset inventory and configuring software inventory
Scheduled inventory can take place from the OSSIM agent via the following:
- nmap: agentless network scanner
- p0f: agentless passive OS detector
- pads: agentless passive service detector
- arpwatch: agentless passive ARP detector
- ocs: active agent installed on hosts
In Adding assets to OSSIM, I covered running an nmap scan to obtain a list of assets.
However, a more granular and complete asset inventory is still needed.
Using OCS-ng to inventory assets:
[[ Note that you can deploy OCS-ng using its own installer… but since this requires a client to be deployed to gather information, I’ll move on to writing up Local Update Publisher, and deploy it using WSUS. I may also cover Puppet+Foreman+Rundeck. ]]
The following registry keys contain ALL the installed software on a machine:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
- HKEY_CLASSES_ROOT\Installer\Products
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (if it exists)
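As an added example (not from the original post), the following Python turns the output of `reg.exe query <key> /s` for the Uninstall keys above into a software list. The sample output is constructed; skipping entries flagged `SystemComponent` = 1 mirrors what Programs and Features hides, and `Wow6432Node` entries are tagged as 32-bit software.

```python
"""Turn `reg.exe query <Uninstall key> /s` output into a software inventory (added example)."""
import re

# Constructed sample of what `reg query HKLM\...\Uninstall /s` prints for both key locations.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}
    DisplayName    REG_SZ    Example Agent
    DisplayVersion    REG_SZ    2.0.1
    Publisher    REG_SZ    Example Corp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB0000000
    DisplayName    REG_SZ    Hidden Component
    SystemComponent    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ExampleEditor
    DisplayName    REG_SZ    Example Editor
    DisplayVersion    REG_SZ    7.4

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NoName
    UninstallString    REG_SZ    C:\Program Files (x86)\NoName\unins.exe
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\")                       # subkey header, column 0
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")  # name / type / data, 4-space separated

def parse_reg_query(text):
    """Return one dict per subkey: {'_key': path, <ValueName>: <data>, ...}."""
    entries, current = [], None
    for line in text.splitlines():
        if KEY_RE.match(line):
            current = {"_key": line.strip()}
            entries.append(current)
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, _type, data = m.groups()
                current[name] = data.strip()
    return entries

def software_inventory(text):
    """Keep only user-visible products, sorted by name, tagged with the key location."""
    inventory = []
    for e in parse_reg_query(text):
        name = e.get("DisplayName")
        if not name or e.get("SystemComponent") == "0x1":
            continue  # no DisplayName or hidden component: not shown in Programs and Features
        arch = "32-bit (Wow6432Node)" if "\\Wow6432Node\\" in e["_key"] else "native"
        inventory.append({"name": name, "version": e.get("DisplayVersion", ""),
                          "publisher": e.get("Publisher", ""), "arch": arch})
    return sorted(inventory, key=lambda r: (r["name"], r["arch"]))
```

Feed it the saved output of `reg query` for each key in turn, or the concatenated output of all of them, and compare successive runs to spot newly installed software.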
The Linux `wmic` client does not implement StdRegProv, so it cannot be used to query the registry remotely. Another option would be winexe, but it transmits the returned data unencrypted.
I had originally thought I could do this without an agent, but since I don’t want to spend time changing winexe to run only `reg.exe`