Evan Pols

Script to Compile SA Inventory and Configuration Information (SA_Enviro_Check.sh)

Blog post created by Evan Pols on Jan 27, 2017

UPDATED 2-1-2017 to Version 0.4

Changelog:

  • 1-20-2017 (0.2): Added the ability to auto-populate all appliance IP addresses. Pass "autoiplist" instead of a user-defined IP list (see the help text for details). Also fixed a typo in the help text and removed the interactive prompts.
  • 1-27-2017 (0.3): Added a number of SDK checks. Changed the logic that identifies the server type and added a size check for VolGroup00: if it shows up as 29.XX GB and your appliance is an R620, you are likely still running the OS from the SD cards. Also added a check showing currently free memory.
  • 2-1-2017 (0.4): Added a DRAC firmware version check.

I've worked with dozens of Security Analytics instances and have found myself repeatedly compiling the same information, usually basic asset inventory, configuration details and simple health checks. To speed this up, I've written a simple shell script that logs into each appliance in an environment, pulls the important information and aggregates it all into a CSV file for easy reference. The nice thing about this script is that it obtains many of the important configuration items without logging into the REST interface or running NwConsole commands.

 

Prerequisites:

  • A list of IP addresses or hostnames of all SA appliances (virtual or physical), one IP/host per line. This step can now be skipped by using the "autoiplist" option (see below).
  • SSH key exchange between the host where the script is installed and the SA appliances. This is optional, but it makes things go much faster. If it has not been set up, you will be prompted for the host OS password (the username is usually root) for each appliance the script connects to.
  • A Linux host to run the script from that can connect to all the SA appliances in the IP list (I frequently use the SA Server host).

 

Installation Instructions:

  1. Copy the attached SA_Enviro_Check.sh script to your host
  2. Make it executable: chmod +x SA_Enviro_Check.sh
  3. Ensure the md5sum matches the following:

     [root@NW-GUI new]# md5sum SA_Enviro_Check.sh
     1853be56f44cc6f6f223be48367058ab  SA_Enviro_Check.sh

Usage:

  ./SA_Enviro_Check.sh <options>

  This script is used to generate a comma-delimited inventory of a Security Analytics environment while also
  compiling several important configuration items per appliance.

  IMPORTANT: This script functions best when key exchange has been performed between the SA Server and the
             appliances. If not, it will prompt for a password for each appliance in the IP list.

  Options:

    -h : This help file
    -v : Version information
    -a : Generates a list of all currently enabled appliance IPs and quits. File will be named "all_appliance_ips.out"
    -p : When this option is used, all arguments must be passed in the proper order. If the user chooses "autoiplist"
         rather than defining a set list of IPs (see EX2), all appliances connected to the NW GUI will be examined.
         The arguments must be passed in the following order:

           EX:  ./SA_Enviro_Check.sh -p <username> <iplist> </output/path/filename.csv> </output/path/logfile.log>
           EX2: ./SA_Enviro_Check.sh -p <username> autoiplist </output/path/filename.csv> </output/path/logfile.log>

 

What the script gathers and where it comes from:

 

  Information                           Retrieval Method
  -----------                           ----------------
  Date Checked                          date command
  Hostname                              hostname command
  IP Address                            hostname command
  Server Type                           dmidecode
  BIOS Version                          dmidecode
  Booting Kernel                        uname -r
  Installed Kernels                     rpm -qa
  Serial Number                         dmidecode
  Memory                                /proc/meminfo
  Free Memory                           /proc/meminfo
  CPU Cores                             /proc/cpuinfo
  DNS Servers                           resolv.conf
  Search Domain                         resolv.conf
  Puppetmaster                          /etc/hosts
  NTP Status                            ntpstat
  Puppet Node ID                        /var/lib/puppet/node_id
  Services Installed                    rpm -qa
  Local Accounts per Service            /etc/netwitness/ng/Nw*.cfg files
  Max Concurrent Queries Per Service    /etc/netwitness/ng/Nw*.cfg files
  Max Pending Queries                   /etc/netwitness/ng/Nw*.cfg files
  Parallel Query                        /etc/netwitness/ng/Nw*.cfg files
  Parallel Value                        /etc/netwitness/ng/Nw*.cfg files
  Query Parse                           /etc/netwitness/ng/Nw*.cfg files
  Cache Window Minutes Per Service      /etc/netwitness/ng/Nw*.cfg files
  DRAC IP                               ipmitool
  DRAC Firmware Version                 ipmitool
  PFring Version                        rpm -qa
  Capture Autostart                     /etc/netwitness/ng/Nw*.cfg files
  Capture Interface                     /etc/netwitness/ng/Nw*.cfg files
  Capture Device Params                 /etc/netwitness/ng/Nw*.cfg files
  Aggregating Devices                   /etc/netwitness/ng/Nw*.cfg files
  Aggregate Autostart                   /etc/netwitness/ng/Nw*.cfg files
  Aggregate Hours                       /etc/netwitness/ng/Nw*.cfg files
  Aggregate Interval                    /etc/netwitness/ng/Nw*.cfg files
  Aggregate Max Session                 /etc/netwitness/ng/Nw*.cfg files
  Active App Rules                      /etc/netwitness/ng/Nw*.cfg files
  Active Correlation Rules              /etc/netwitness/ng/Nw*.cfg files
  Installed Feeds                       deduplicated files in /etc/netwitness/ng/feeds
  Custom Index Entries                  cleaned index-*-custom.xml files
  VolGroup00 Size                       vgs (volume group scan)
  Meta DIR Mounts                       /etc/netwitness/ng/Nw*.cfg files
  Packet DIR Mounts                     /etc/netwitness/ng/Nw*.cfg files
  Session DIR Mounts                    /etc/netwitness/ng/Nw*.cfg files
  Save Session Count                    /etc/netwitness/ng/Nw*.cfg files
  Index DIR Mounts                      /etc/netwitness/ng/Nw*.cfg files
  Index Slices Open                     /etc/netwitness/ng/Nw*.cfg files
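As an added example (this is not the author's SA_Enviro_Check.sh), here is a stripped-down version of the same approach: ssh to each appliance, pull a few of the items in the table above, and parse them into one CSV row per host. It assumes key exchange is already in place (BatchMode, so it fails rather than prompting) and a hypothetical SA_USER variable for the login user; the sample /proc/meminfo and resolv.conf text at the bottom is constructed so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example, not the author's SA_Enviro_Check.sh: collects a few of the
# items in the table above over ssh and writes one CSV row per appliance.
# Assumes key exchange is done (BatchMode, so no password prompts) and an
# assumed SA_USER variable; the sample text at the bottom is constructed.
SA_USER=${SA_USER:-root}
# stdin: /proc/meminfo -> "total_gb,free_gb" (kB to GB, one decimal place)
meminfo_gb() {
  awk '/^MemTotal:/ {t=$2} /^MemFree:/ {f=$2}
       END {printf "%.1f,%.1f\n", t/1048576, f/1048576}'
}
# stdin: /etc/resolv.conf -> "ns1;ns2,searchdomain"
resolv_summary() {
  awk '$1=="nameserver" {ns = (ns=="") ? $2 : ns ";" $2}
       $1=="search"     {s=$2}
       END {printf "%s,%s\n", ns, s}'
}
# Quote one CSV field so an embedded comma or quote cannot split the row
csv_field() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}
# Run a command on an appliance; fail fast instead of hanging on a prompt
remote() {
  host=$1; shift
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$SA_USER@$host" "$@"
}
# One CSV row: date,ip,hostname,kernel,mem_gb,free_gb,dns,search
collect_row() {
  host=$1
  if ! hn=$(remote "$host" hostname); then
    printf '%s,%s,UNREACHABLE,,,,,\n' "$(date +%F)" "$(csv_field "$host")"; return 1
  fi
  kern=$(remote "$host" uname -r)
  mem=$(remote "$host" cat /proc/meminfo | meminfo_gb)
  dns=$(remote "$host" cat /etc/resolv.conf | resolv_summary)
  printf '%s,%s,%s,%s,%s,%s\n' "$(date +%F)" "$(csv_field "$host")" \
    "$(csv_field "$hn")" "$(csv_field "$kern")" "$mem" "$dns"
}
# Header plus one row per host from an IP list file (one IP/host per line)
inventory() {
  echo 'date,ip,hostname,kernel,mem_gb,free_gb,dns,search'
  while IFS= read -r ip; do [ -n "$ip" ] || continue; collect_row "$ip" || :; done < "$1"
}
# Constructed sample input, used to exercise the parsers offline
SAMPLE_MEMINFO='MemTotal:       65873920 kB
MemFree:        12345678 kB'
SAMPLE_RESOLV='search example.internal
nameserver 10.0.0.53
nameserver 10.0.0.54'
```

Run it as `inventory iplist.txt > inventory.csv`; an unreachable host produces a row marked UNREACHABLE instead of aborting the whole run.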

Notes:

  • The script has not been tested against Malware Appliances, does not work with WLCs (Windows based) and retrieves less information from ESAs because of their architectural differences.
  • This script is beta; if some of the information does not look correct, please let me know.
