Part 2.d: Scheduling asset inventory and configuring software inventory


Scheduled inventory can take place from the OSSIM agent via the following:

  • nmap: agentless network scanner
  • p0f: agentless passive OS detector
  • pads: agentless passive services detector
  • arpwatch: agentless passive ARP detector
  • ocs: active agent for hosts

In Adding assets to OSSIM, I covered running an nmap scan to obtain a list of assets.

However, a more granular and complete asset inventory still has to take place.

Using OCS-ng to Inventory assets:

An introduction to the OCS-ng architecture can be found within this article.

[[ Note that you can deploy OCS-ng using its own installer… but since this requires a client to be deployed to gather information, I’ll move on to writing up Local Update Publisher, and deploy it using WSUS. I may also cover Puppet+Foreman+Rundeck. ]]

Additional notes:
The following registry keys contain ALL the installed software on a machine.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CLASSES_ROOT\Installer\Products
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall # if it exists
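As an added example (not code from the original post or from OCS-ng), the following PowerShell script walks the three registry locations above on the local host and writes a software inventory to CSV. It assumes it runs locally with read access to HKLM and HKCR; the Wow6432Node path is skipped where it does not exist (32-bit hosts).

```powershell
# Added example: enumerate installed software from the three registry
# locations listed in the post and emit a CSV inventory for the local host.
# Assumption: run locally on the Windows host with read access to HKLM/HKCR.

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 64-bit hosts only
    'Registry::HKEY_CLASSES_ROOT\Installer\Products'                           # MSI product codes
)

function Get-InstalledSoftware {
    $results = foreach ($path in $paths) {
        # Wow6432Node is absent on 32-bit hosts; skip rather than error out
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            # Uninstall keys expose DisplayName/DisplayVersion; the MSI
            # Installer\Products keys carry ProductName instead.
            $name = if ($props.DisplayName) { $props.DisplayName } else { $props.ProductName }
            if (-not $name) { return }   # unnamed system components add no inventory value
            [PSCustomObject]@{
                Name        = $name
                Version     = $props.DisplayVersion
                Publisher   = $props.Publisher
                InstallDate = $props.InstallDate
                Source      = $path
                KeyName     = $_.PSChildName   # GUID or product code, useful for correlation
            }
        }
    }
    # The same product often appears under more than one location; collapse duplicates
    $results | Sort-Object Name, Version -Unique
}

Get-InstalledSoftware | Export-Csv -Path "$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

The CSV keeps the source key and GUID so an entry can be traced back to the exact registry location when reconciling against what OCS-ng reports.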

The Linux `wmic` client doesn’t contain code to interact with StdRegProv, so you cannot use it to query the registry. Another option would be winexe, but it transmits returned data unencrypted.

I had originally thought I could do this without an agent. But since I don’t want to spend time working on changing winexe to run only `reg.exe`

  1. Keith Wright
    August 7, 2015 at 3:08 pm

    Hello, your article has probably been one of the more useful articles on the internet for OSSIM. I have a question regarding OCS-NG. I have been able to get property data to display in the interface (memory, CPU, video card) but no software. I can see it sitting in the database but it doesn’t populate to the interface. Do you know why that is?
