6.1.3. Data Received from the OpenNAC Core

The Agent receives the following data from OpenNAC Enterprise in response to the device information sent via the POST method.

  • Scripts: Scripts are received from the OpenNAC Server and executed each time the device's information is sent. This point is detailed in a later section of this document.

  • Configuration updates and interface: The Agent's configuration is received: the time interval between scans, whether sending logs to the server is enabled, the language of the Agent's taskbar, etc. There is also information regarding the Agent's connection to OpenNAC Enterprise, such as the protocol.

  • USB policies: USB policies generated by the OpenNAC Portal to detect valid and invalid USB devices on the device running the Agent. Policies are defined by product class and by specific product. For each type, there is a list of allowed devices and a list of disallowed devices.

  • VPN configuration: The Agent receives one object per VPN configuration. Each configuration is a string that represents the configuration file for the connection to the VPN.



6.1.3.1. Example of payload

{
        $AGENT_CONFIG,
        $AGENT_CONNECTION,
        $AGENT_TASKBAR_CONFIG,
        $AGENT_QUERY,
        $USB_POLICY_CLASS_ALLOWLIST,
        $USB_POLICY_CLASS_DENYLIST,
        $USB_POLICY_PRODUCT_ALLOWLIST,
        $USB_POLICY_PRODUCT_DENYLIST,
        $AGENT_HASH_QUERY,
        $AGENT_VPN_CONFIG,
        $vlan,
        $AGENT_POLICY_NAME,
        $AGENT_POLICY_USER_MESSAGE,
        $AGENT_DEVICE_TAGS
}

AGENT_CONFIG: This JSON object offers new settings to overwrite in the Agent. This configuration is editable in the OpenNAC Portal.

  • INTERVAL: Time interval between each normal scan (light payload).

  • FULL_INTERVAL: Time interval between each full scan (full payload).

  • START_MODE_INTERVAL: Wait time to start full scan at agent initialization (in seconds).

  • IGNORE_SC_STATUS_INTERVAL: Ignore Security Center events for this many seconds after Windows initialization.

  • INTERVAL_BETWEEN_USER_SESSION_EVENTS: Time interval between user session events.

  • DISCOVERY: Whether discovery is executed.

  • DEBUG: Whether debug mode is enabled.

  • SENDLOGSTOSERVER: Whether daemon logs are sent from the Agent to the server.

  • MAXLOGSIZE: Maximum log file size (in MB).

  • MAXCOMPRESSEDLOGS: Max number of old logs saved.

  • UPDATE: Minimum version required.

Example:

"AGENT_CONFIG": {
"INTERVAL": "3600",
"FULL_INTERVAL": "86400",
"START_MODE_INTERVAL": "120",
"IGNORE_SC_STATUS_INTERVAL": "420",
"INTERVAL_BETWEEN_USER_SESSION_EVENTS": "30",
"DISCOVERY": "0",
"DEBUG": "1",
"SENDLOGSTOSERVER": "1",
"MAXLOGSIZE": "30",
"MAXCOMPRESSEDLOGS": "10"
}

AGENT_CONNECTION

  • PROTOCOL: Connection protocol.

  • ACTION: Connection endpoint.

  • PING_ACTION: Endpoint used to discover the IP that the Agent uses to make requests.

  • IP: Connection IP.

  • TAG: Agent connection tag. It works as a unique identifier.

Example:

"AGENT_CONNECTION": {
"PROTOCOL": "https",
"ACTION": "/opennac-agent",
"PING_ACTION": "/admin/favicon.ico"
}

AGENT_TASKBAR_CONFIG

  • ENABLED: Whether the taskbar is enabled.

  • DEBUG: Whether debug mode is used.

  • PLUGIN_VPN: Whether the VPN plugin is used.

  • LANGUAGE: Taskbar language.

  • MUI: MUI language.

Example:

"AGENT_TASKBAR_CONFIG": {
"ENABLED": "1",
"DEBUG": "1",
"PLUGIN_VPN": "1",
"LANGUAGE": "en",
"MUI": "en-US"
}

AGENT_QUERY

  • TYPE: The type of the script. It can be cmd, powershell, cscript, etc.

  • KEY: Unique identifier for the agent script.

  • IMPERSONATE: Whether the script is executed impersonated. Impersonated means that it is executed as a new process assigned to the logged-in user. Otherwise, it is executed in the same process used by the Agent.

  • SCRIPT: The script code to execute.

Example:

"AGENT_QUERY":  [
        {
 "TYPE":"CSCRIPT",
 "KEY":"MCAFEE_DAT",
 "IMPERSONATE":"0",
 "SCRIPT":"Dim windowsShell,regValue, currentDate, maxDays, regKey#maxDays = 14#'regKey = "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion\"#regKey = "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\MfeAV\Install Date\"#On Error Resume Next#Set windowsShell = CreateObject("WScript.Shell")#regValue = windowsShell.RegRead(regKey)#If err.number <> 0 then# 'Error reading regkey# Wscript.Echo "FALSE"#Else# If IsDate(regValue) then# currentDate = Now# If Abs(DateDiff("d",regValue,currentDate)) <= maxDays then# Wscript.Echo"TRUE"# Else# Wscript.Echo"FALSE"# End If# Else# Wscript.Echo regValue# End if#End if#"
        }
]
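Because AGENT_QUERY delivers code that the Agent executes, a reviewer of captured responses will want a record of every script received. The following is an added example, not part of the OpenNAC documentation or code: it hashes each SCRIPT, compares it with a set of approved digests, and flags entries that are not impersonated. The approved set, the expected-type list and the sample entries are assumptions made for the illustration.

```python
import hashlib

# Assumption: this deployment only expects the interpreters named on the page.
EXPECTED_TYPES = {"CMD", "POWERSHELL", "CSCRIPT"}

def audit_agent_query(entries, approved_sha256):
    """Return one audit record per AGENT_QUERY entry, with review flags."""
    records = []
    for entry in entries:
        script = entry.get("SCRIPT", "")
        digest = hashlib.sha256(script.encode("utf-8")).hexdigest()
        flags = []
        if str(entry.get("TYPE", "")).upper() not in EXPECTED_TYPES:
            flags.append("unexpected-type")
        if entry.get("IMPERSONATE") != "1":
            # Not impersonated: the script runs in the Agent's own process.
            flags.append("runs-as-agent")
        if digest not in approved_sha256:
            # Script body differs from every change-controlled version.
            flags.append("unapproved-script")
        records.append({"key": entry.get("KEY"), "type": entry.get("TYPE"),
                        "sha256": digest, "flags": flags})
    return records

# Constructed entries in the shape shown above (not real OpenNAC scripts).
SAMPLE = [
    {"TYPE": "CSCRIPT", "KEY": "AV_CHECK", "IMPERSONATE": "0",
     "SCRIPT": 'Wscript.Echo "TRUE"#'},
    {"TYPE": "PYTHON", "KEY": "UNKNOWN_JOB", "IMPERSONATE": "1",
     "SCRIPT": "print('x')"},
]
# Hypothetical approved set: only the first script has been reviewed.
APPROVED = {hashlib.sha256(SAMPLE[0]["SCRIPT"].encode("utf-8")).hexdigest()}

if __name__ == "__main__":
    for record in audit_agent_query(SAMPLE, APPROVED):
        print(record["key"], record["sha256"][:12], record["flags"])
```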

USB_POLICY_CLASS_ALLOWLIST:

  • CLASS_ID: The family class identifier (hexadecimal format XX). It can represent a type of device, for example, Audio, Printer, etc.

Example:

"USB_POLICY_CLASS_ALLOWLIST": {
"VENDOR_ID": "0x090C",
"PRODUCT_ID": "0x1000"
}

USB_POLICY_CLASS_DENYLIST:

  • CLASS_ID: The family class identifier (hexadecimal format XX). It can represent a type of device, for example, Audio, Printer, etc.

Example:

"USB_POLICY_CLASS_DENYLIST": {
"VENDOR_ID": "0x090C",
"PRODUCT_ID": "0x1000"
}

USB_POLICY_PRODUCT_ALLOWLIST:

  • VENDOR_ID: Vendor identifier (hexadecimal format XXXX).

  • PRODUCT_ID: Product identifier (hexadecimal format XXXX). If this value is *, all products of the vendor are included in the list.

Example:

"USB_POLICY_PRODUCT_ALLOWLIST": {
"VENDOR_ID": "0x090C",
"PRODUCT_ID": "0x1000"
}

USB_POLICY_PRODUCT_DENYLIST:

  • VENDOR_ID: Vendor identifier (hexadecimal format XXXX).

  • PRODUCT_ID: Product identifier (hexadecimal format XXXX). If this value is *, all products of the vendor are included in the list.

Example:

"USB_POLICY_PRODUCT_DENYLIST": {
"VENDOR_ID": "0x090C",
"PRODUCT_ID": "0x1000"
}
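The four USB lists can be checked against a connected device as follows. This is an added example, not OpenNAC's own matching code: it normalises the hexadecimal identifiers, honours the * wildcard for PRODUCT_ID, and assumes that a deny match takes precedence over an allow match, which the page does not specify. All sample values except the 0x090C/0x1000 entry are constructed.

```python
def norm_hex(value, width=4):
    """Normalise '0x090C', '090c' or '*' to fixed-width lowercase hex (or '*')."""
    text = str(value).strip().lower()
    if text == "*":
        return text
    return format(int(text, 16), "0{}x".format(width))

def as_list(section):
    """The page's examples show one object per list; an array is accepted too."""
    if not section:
        return []
    return section if isinstance(section, list) else [section]

def product_hit(payload, key, vendor, product):
    """True if any VENDOR_ID/PRODUCT_ID rule under `key` matches the device."""
    for rule in as_list(payload.get(key)):
        if "VENDOR_ID" not in rule or "PRODUCT_ID" not in rule:
            continue  # incomplete rule: never treat it as a match
        if norm_hex(rule["VENDOR_ID"]) != vendor:
            continue
        if norm_hex(rule["PRODUCT_ID"]) in ("*", product):
            return True
    return False

def class_hit(payload, key, usb_class):
    """True if any CLASS_ID rule under `key` matches the device class."""
    return any("CLASS_ID" in rule and norm_hex(rule["CLASS_ID"], 2) == usb_class
               for rule in as_list(payload.get(key)))

def evaluate_usb(payload, vendor_id, product_id, class_id):
    """Return 'deny', 'allow' or 'unlisted'. Assumption: a deny match wins."""
    vendor, product = norm_hex(vendor_id), norm_hex(product_id)
    usb_class = norm_hex(class_id, 2)
    if (product_hit(payload, "USB_POLICY_PRODUCT_DENYLIST", vendor, product)
            or class_hit(payload, "USB_POLICY_CLASS_DENYLIST", usb_class)):
        return "deny"
    if (product_hit(payload, "USB_POLICY_PRODUCT_ALLOWLIST", vendor, product)
            or class_hit(payload, "USB_POLICY_CLASS_ALLOWLIST", usb_class)):
        return "allow"
    return "unlisted"

# Constructed payload fragment; only the product allowlist entry is from the page.
SAMPLE = {
    "USB_POLICY_PRODUCT_ALLOWLIST": {"VENDOR_ID": "0x090C", "PRODUCT_ID": "0x1000"},
    "USB_POLICY_PRODUCT_DENYLIST": [{"VENDOR_ID": "0x1234", "PRODUCT_ID": "*"}],
    "USB_POLICY_CLASS_ALLOWLIST": {"CLASS_ID": "0x03"},
    "USB_POLICY_CLASS_DENYLIST": {"CLASS_ID": "0xE0"},
}
```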

AGENT_HASH_QUERY: Agent hash query.

Example:

"AGENT_HASH_QUERY": "105283bb5d45ebaa0f961f3303f7d268"

AGENT_VPN_CONFIG:

  • vpn"name": VPN configuration code.

  • EmmaVPN"name": Emma VPN configuration code.

Example:

"AGENT_VPN_CONFIG": {
        "vpnPublicDemoCenter": "client\\r\\dev tun\\r\\proto udp\\r\remote 95.216.236.62 1296\\r\resolv-retry infinite\\r\nobind\\r\\persist-key\\r\\persist-tun\\r\\comp-lzo\\r\\verb 3\\r\\<ca>\\r\\-----BEGIN CERTIFICATE-----\\r\\MIIFLTCCBBWgAwIBAgIJALi8EuRPC3TCMA0GCSqGSIb3DQEBCwUAMIG\\/MQswCQYD\\r\\VQQGEwJFUzELMAkGA1UECBMCQkExETAPBgNVBAcTCFRlcnJhc3NhMR8wHQYDVQQK\\r\\ExZvcGVuY2xvdWQgZmFjdG9yeSBzLmwuMQ4wDAYDVQQLEwVDb21tczEiMCAGA1UE\\r\\AxMZb3BlbmNsb3VkIGZhY3Rvcnkgcy5sLiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEp\\r\\MCcGCSqGSIb3DQEJARYaY2VydEBvcGVuY2xvdXlkZmFjdG9yeS5jb20wHhcNMTcw\\r\\MjE0MTcyOTA0WhcNMjcwMjEyMTcyOTA0WjCBvzELMAkGA1UEBhMCRVMxCzAJBgNV\\r\\BAgTAkJBMREwDwYDVQQHEwhUZXJyYXNzYTEfMB0GA1UEChMWb3BlbmNsb3VkIGZh\\r\\Y3Rvcnkgcy5sLjEOMAwGA1UECxMFQ29tbXMxIjAgBgNVBAMTGW9wZW5jbG91ZCBm\\r\\YWN0b3J5IHMubC4gQ0ExEDAOBgNVBCkTB0Vhc3lSU0ExKTAnBgkqhkiG9w0BCQEW\\r\\GmNlcnRAb3BlbmNsb3V5ZGZhY3RvcnkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC\\r\\AQ8AMIIBCgKCAQEArcwlJPSlR9\\/zw0xVO9DzTn+jpoAiqVL7R6eWXI7dkSC4Tq62\\r\\ul0QY6Cw6bSybiEJCYE7J2iCcIQN\\/0Lfa\\/lAzx4OSjVX8h+5bZQ6CJYtxajmJXWe\\r\\6L5QrCPMEYXgRS77uBUU3KKettNGK8Q4xhZEUZaVzf3QsHtpzDUpzqIdU2khmLF9\\r\\OpTzS5G76kcsH7oBCwiW6PTHTc1WuZZHWAIZOq7M\\/1lLqQE4dzC\\/tubWinhhy9kC\\r\\PszfmYCEwM0Ot4xqL1btkPFAOK3CtRhky+rlsnObVymqkUY41kjwqZxD6jEnzm4W\\r\\QaPehoQs77cdcCsQy9GTUvk5gMMvj+EWUYYtOQIDAQABo4IBKDCCASQwHQYDVR0O\\r\\BBYEFD\\/DqSfj4jKuG\\/RtQCCHK06HtWqwMIH0BgNVHSMEgewwgemAFD\\/DqSfj4jKu\\r\\G\\/RtQCCHK06HtWqwoYHFpIHCMIG\\/MQswCQYDVQQGEwJFUzELMAkGA1UECBMCQkEx\\r\\ETAPBgNVBAcTCFRlcnJhc3NhMR8wHQYDVQQKExZvcGVuY2xvdWQgZmFjdG9yeSBz\\r\\LmwuMQ4wDAYDVQQLEwVDb21tczEiMCAGA1UEAxMZb3BlbmNsb3VkIGZhY3Rvcnkg\\r\\cy5sLiBDQTEQMA4GA1UEKRMHRWFzeVJTQTEpMCcGCSqGSIb3DQEJARYaY2VydEBv\\r\\cGVuY2xvdXlkZmFjdG9yeS5jb22CCQC4vBLkTwt0wjAMBgNVHRMEBTADAQH\\/MA0G\\r\\CSqGSIb3DQEBCwUAA4IBAQBPC2UfU\\/ElhT2GDLhjxjGPM1aWA+G0r+zc7lD3FjaT\\r\\ud+MQa6s9loNaGvJqaHSm8IMWKbMuLSprvYrqLpmTC\\/sEtsnOLLOTh3bWV3vo6\\/p\\r\\QVGUhFsjG6G\\/Ad5Pwv6JoRAbCFcU5hvY66\\/B0YO49yEJ7VQ\\/\\/FNV8vTBws1ycLZM\\r\\JAtJA6p
xSoyoMdBcW9x+ocDPQ6z0pKlcGH7PQt7SIFTW87Jf5uYcOcwAZ4ljBZHY\\r\\haMo7x+mBHE8Ev+hP4Ohzc3Xw5eBXp0jaM6GZWnPtsypJWGCu\\/il9Sc+r5BFOQfx\\r\\ZGRHcYohKx+AwqBynkOM3ou2+qLL84O5gFL25V3UuL9I\\r\\-----END CERTIFICATE-----\\r\\<\\/ca>\\r\\key-direction 1\\r\\cipher BF-CBC\\r\\auth SHA1\\r\\auth-user-pass\\r\ns-cert-type server\\r\\explicit-exit-notify\\r\\management-query-passwords",
        "EmmaVPNRoadWarrior": "client\\r\\dev tun\\r\\proto udp\\r\remote 194.116.240.3 21196\\r\resolv-retry 3\\r\nobind\\r\\persist-key\\r\\persist-tun\\r\\cipher AES-256-CBC\\r\\verb 1\\r\\comp-lzo \\r\\explicit-exit-notify\\r\\auth SHA1\\r\\auth-nocache\\r\\<ca>\\r\\-----BEGIN CERTIFICATE-----\\r\\MIIDUzCCAjugAwIBAgIJAKvgHeau41AzMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNV\\r\\BAMMFUVtbWFWUE5Sb2FkV2Fycmlvcl9DQTAeFw0yMDAzMTcxMzExMTlaFw0zMDAz\\r\\MTUxMzExMTlaMCAxHjAcBgNVBAMMFUVtbWFWUE5Sb2FkV2Fycmlvcl9DQTCCASIw\\r\\DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANdpZY3xVEutc0ka8XrYjxGbfDyD\\r\\P8UnADCsOz2BFbYqC0ZI+RLxtYaGCdXCxRu1Ks7+iPk3KUled4qAaXPs2wA9dhIf\\r\\QUOQrPMp2UP8zB4PUuddL3q6rrx9hvuP4Srt9dZiX5TxEA3cVILNjoJ+\\/viOIlKJ\\r\\B\\/kHD4jnlSCVQ2hK1hEPnuMb6B60hwIo86gZb5D5W+f6UGEzE6kChHQdQjiF7sbo\\r\\coC9fatdhFHf5rS0ViR0lz+DhcbLa5egNXpKZXAERi25VVKA5eZqhkppVNB9vs9u\\r\\X9Q8G\\/wwHXtgrQeTLO\\/7pZ1V\\/275tL\\/6fhE1GBefaJby\\/\\/QqpyukHm+bJfMCAwEA\\r\\AaOBjzCBjDAdBgNVHQ4EFgQUkceeifX2OpBtZNQ0QPFuuzq6ErQwUAYDVR0jBEkw\\r\\R4AUkceeifX2OpBtZNQ0QPFuuzq6ErShJKQiMCAxHjAcBgNVBAMMFUVtbWFWUE5S\\r\b2FkV2Fycmlvcl9DQYIJAKvgHeau41AzMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD\\r\\AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQDNItJ792Ay22YyucV+CpRAvRxdxnm1rANM\\r\\z7JB9iOzItfRj+x1s+gKV7\\/hlDUjg9q7ms2Y2F8x2v83LiIyzperI3tXECI52QPF\\r\\GSHGnuDA6ZBak7CaH14vaetV128uTyIf746K9usmlqhZUv0OmayOlGRl22XOcAql\\r\\jgrzTEgNg8rxMFtAwzIhn97CGprTbXugbbFLtiyx8MzOgy50usBv+U9obwROWMbT\\r\\BqQXkUwIVT\\/YzQIOYOIKH4tIDCV1+6U1KwKgOdEXRtkxiSQagQlCOENvCkFwuwt6\\r\\uTRbZD8vMCmpMIGieUGDrt59N4zgGXnTGJrfOT1ysFafdTkNY7G5\\r\\-----END CERTIFICATE-----\\r\\<\\/ca>\\r\remote-cert-tls server\\r\\auth-user-pass\\r\\explicit-exit-notify\\r\\management-query-passwords\\r\"
}
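Since each AGENT_VPN_CONFIG value is a complete OpenVPN client profile, it can be reviewed for legacy settings before it is deployed. The following is an added example, not part of OpenNAC: it parses a decoded profile string, skips inline blocks such as the CA certificate, and reports findings for directives of the kind that appear in the examples above (BF-CBC, SHA1, comp-lzo, ns-cert-type). The finding names, the cipher and digest lists and the two sample profiles are assumptions made for the illustration.

```python
import re

# 64-bit block ciphers (SWEET32 class); the reviewer's own list, not OpenNAC's.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
LEGACY_DIGESTS = {"MD5", "SHA1"}  # hardening guidance prefers SHA256 or stronger

def parse_directives(profile):
    """Map directive name -> list of argument lists, skipping inline <ca>-style blocks."""
    directives, inline = {}, False
    for raw in re.split(r"\r\n|\r|\n", profile):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            inline = False
        elif line.startswith("<"):
            inline = True
        elif not inline:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def lint_vpn_profile(profile):
    """Return the sorted finding ids for one AGENT_VPN_CONFIG value."""
    d = parse_directives(profile)
    findings = set()
    if any(a and a[0].upper() in WEAK_CIPHERS for a in d.get("cipher", [])):
        findings.add("weak-cipher")
    if any(a and a[0].upper() in LEGACY_DIGESTS for a in d.get("auth", [])):
        findings.add("legacy-auth-digest")
    if "comp-lzo" in d or "compress" in d:
        findings.add("compression")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.add("password-cached")
    if "remote-cert-tls" not in d:
        findings.add("no-remote-cert-tls")  # ns-cert-type is the deprecated form
    return sorted(findings)

# Constructed profiles modelled on the directives in the page's two examples;
# the remote host and certificate body are placeholders.
LEGACY = "\r\n".join([
    "client", "dev tun", "proto udp", "remote vpn.example.test 1194",
    "comp-lzo", "<ca>", "PLACEHOLDER-CERT-BODY", "</ca>", "cipher BF-CBC",
    "auth SHA1", "auth-user-pass", "ns-cert-type server"])
NEWER = "\r\n".join([
    "client", "dev tun", "remote vpn.example.test 1194", "cipher AES-256-CBC",
    "comp-lzo", "auth SHA1", "auth-nocache", "<ca>", "PLACEHOLDER-CERT-BODY",
    "</ca>", "remote-cert-tls server", "auth-user-pass"])
```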

VLAN

  • VLAN ID: VLAN assigned to the user specified in the UID parameter within OPENNAC.

Example:

"vlan": "253"

AGENT_POLICY_NAME: Agent policy name matched for the user specified in the UID parameter within OPENNAC.

Example:

"AGENT_POLICY_NAME": "Corp. User & Corp. Device (AV & UPDATES)"

AGENT_POLICY_USER_MESSAGE: User message when the policy matches.

Example:

"AGENT_POLICY_USER_MESSAGE": "msg example"

AGENT_DEVICE_TAGS: Tags learned by matching the policy.

Example:

"AGENT_DEVICE_TAGS": "ONC_AUTOLEARNED,ONC_AGENT,ONC_WIN_AGENT,ISS_FW_STATUS,ISS_FW_UPDATE,ISS_FW_ENABLED,ISS_AV_STATUS,ISS_AV_UPDATE,ISS_AV_ENABLED,DOS_WINDOWS_10,ROS_WINDOWS"