6.1.2. Data Sent to the OpenNAC Core
The Agent sends information to the OpenNAC Core, either to record actions (logs) or to execute actions such as updating data or issuing warnings for specific events.
This section will list the conditions for the information collection to happen, the queries involved, and all the information gathered from the device once the Agent is installed.
6.1.2.1. Agent callbacks
These are the callbacks that send information to the Core:
Periodic payload: This callback sends all information except the softwares installed on the device. The information sent is composed of: session events, active users, USB devices, networks, running processes, certificates, hardware, security center, WIFI, Bluetooth, Google Chrome extensions, Internet Explorer extensions, Firefox extensions, established connections and open ports.
Periodic full payload: The same as the previous case, with the difference that it also sends the device’s installed softwares and the processes running on the system. Therefore, it is a full scan that will take longer and should be done less frequently than a normal scan.
Manual payload: In addition to the periodic scans executed by the Agent himself, the user can request a manual scan. In this case all the data also will be sent as a full scan.
Network changes: When a change is detected in the network interfaces, for example, new IP address or new status.
Security Center update: When the security center has been updated (in the case of windows).
Session event: When a user connection or disconnection event has occurred. In some operating systems, also for lock and unlock events.
Software updates: When any changes are made to the software list**: Installation/uninstallation/modification of the current software.
Daemon shutdown: When the Agent is closed by the user or the operating system.
Uninstall Agent: The data sent in this event includes information about the uninstallation process.
Firewall changes: When changes are made to the firewall, this event sends data to the Core.
Recover: When the server connection recovers, this event sends data to the Core.
6.1.2.2. Data extracted from devices
This section provides an overview of the different groups of information that the Agent collects from a device on which it is installed. The data includes details about the network status, hardware specifications, installed programs, system users’ session history, connected USB devices, device security status (antivirus, firewall), certificates, available WiFi networks, installed browser extensions, running processes, established socket connections, open ports, and more.
6.1.2.2.1. Active user
This entity is very simple; it only contains the name of the domain and the user who is currently logged into the device. In this way, we can identify in the Core which user is using that device with a specific MAC and IP interface.
6.1.2.2.2. Active admin user
This entity is also simple; it only contains the name of the group which the user belongs and the user who is currently logged into the device. In this way, we can identify in the Core if the user has the administrator role.
6.1.2.2.3. BitLocker
This entity contains information about the execution of this disk encryption (BitLocker) feature when enabled in Windows operating systems.
6.1.2.2.4. Networks
Knowing the status of the user’s networks is essential for identifying their current connections, determining the status of the connection (whether it is active or not), and determining if it is a VPN connection or any other type of connection.
The following attributes represent the Network entity.
6.1.2.2.5. Hardware
Collecting data related to the device’s hardware provides valuable information about its operating system, version, virtual machine status, architecture, serial identifiers, and more. While not all the information would be about the hardware itself, certain details like the machine’s name are assigned by the user during installation.
6.1.2.2.6. Softwares
The software or applications installed on a device provide valuable information that can be extracted for various purposes. Knowing the applications and their versions enables the generation of tags and facilitates device compliance assessment. If an application on a device has a version lower than the minimum expected, it will be classified as non-compliant. Additionally, these applications assist in identifying pending operating systems updates that the user needs to install.
6.1.2.2.7. Session events
With this entity, we can have a record of the session events on a device. In this way, any session start, close, lock, or unlock will be sent to the Core.
6.1.2.2.8. Active user
This entity is very simple; it only contains the name of the domain and the user who is currently logged into the device. In this way, we can identify in the Core which user is using that device with a specific MAC and IP interface.
6.1.2.2.9. USB devices
This entity collects information about USB devices connected to a device.
6.1.2.2.10. Security center
This is a Window only entity and is especially useful to know the current state of security on a device. In this way, you can know the health of the antivirus/firewall, if it is connected or disconnected, what product it is, etc.
6.1.2.2.11. Certificates
The certificates available to the user on their device.
6.1.2.2.12. WiFi
The available WiFi networks in the range of the device. From them, we want to know its SSID, its current status, the type of security and the quality of the signal.
6.1.2.2.13. Browser extensions
The browser extensions are one of the last entities added in the Agent and it is used to know the services that have been given permissions in our browser.
6.1.2.2.14. Processes
The process entity informs us about the active tasks in the machine. Every program or script that the processor is executing at the time of a payload will be in this list.
6.1.2.2.15. Established connections
This entity is formed by a list of open network sockets in the system. Those are, for example, ESTABLISHED state connections, but not as LISTEN.
6.1.2.2.16. Open ports
This entity is formed by a list of open network sockets in the system. Those are only LISTEN state connections.
6.1.2.3. Example of payload
The payload sent to the core server always has the following format. As it can be very long, variables such as $NETWORKS have been used, in which there is a JSON object that is shown later.
{
"OPENNAC": {
"UID": "080027B598B8",
"TIMESTAMP": "1594630875",
"TYPE": "service",
"VPNVERSION": "1",
"PLATFORM": "WINDOWS",
"VERSION": "1.0.10000",
"MONITOR_TYPE": "Pipe",
"USED_INTERFACE_IP": "10.0.3.15",
"TOKEN": "164cc268-dd31-11ea-b9ca-6f6e636f7265"
},
"QueryResults": {
$NETWORKS,
$HARDWARE,
$SOFTWARES,
$SESSION_EVENTS,
$USER_ACTIVE,
$USB_DEVICES,
$SECURITY_CENTER,
$CERTIFICATES,
$WIFI,
$BROWSER_EXTENSIONS,
$PROCESSES,
$ESTABLISHED_CONNECTIONS,
$OPEN_PORTS
},
"GatherEvents": [
{
"GatherEventId": "31e3139f-d8cf-4c22-83bf-1101c8d64fec",
"GatherStartDateTime": "2020-08-04T14:25:00.0090714Z",
"GatherEndDateTime": "2020-08-04T14:25:50.9126218Z"
}
],
"IngestTriggerType": 1,
"IngestTriggerDateTime": "2020-08-04T14:25:50.9127245Z"
}
OPENNAC: This JSON object provides useful information to OpenNAC Enterprise about the Agent and the device running it.
UID: Unique identifier of the agent.
TIMESTAMP: Timestamp in which the agent payload is generated.
TYPE: The type of VLAN associated with the agent’s connection to the server.
VPNVERSION: Agent VPN version.
PLATFORM: Platform running the Agent.
VERSION: Agent version.
MONITOR_TYPE: Monitor type.
USED_INTERFACE_IP: IP address of the interface used by the agent.
TOKEN: Token generated to verify if the agent comes from a trusted source (registered agent) or not. If the agent is not registered yet, then this parameter will not exist in the payload.
QueryResults: This JSON object contains all the objects that contain device information. That is, an object for the information about the network interfaces, another object for the information regarding the hardware of the device, etc. Variables have been used to show the JSON object of each entity below.
6.1.2.3.1. $NETWORKS
"NETWORKS": {
"Results": [
{
"DESCRIPTION": "TAP-Windows Adapter V9",
"DHCP_ENABLED": "1",
"GATEWAY": "172.16.250.254",
"IPADDRESS": "172.16.250.2",
"MACADDR": "00:ff:d4:02:ee:ff",
"NAME": "Conexión de área local",
"OPER_STATUS": "2",
"TYPE": "53"
},
{
"DESCRIPTION": "Software Loopback Interface 1",
"DHCP_ENABLED": "",
"GATEWAY": "",
"IPADDRESS": "127.0.0.1",
"MACADDR": "",
"NAME": "",
"OPER_STATUS": "",
"TYPE": "24"
}
],
"GatherEventId": "31e3139f-d8cf-4c22-83bf-1101c8d64fec",
"GatherStartDateTime": "2020-08-04T14:25:00.0153703Z",
"GatherEndDateTime": "2020-08-04T14:25:00.0189955Z"
}
6.1.2.3.2. $HARDWARE
"HARDWARE":{
"Results":[
{
"ARCH":"x86_64h",
"NAME":"MacOCF",
"OSNAME":"macOS",
"OSVERSION":"11.3.1",
"OS_VM":"0",
"SERIAL_NUMBER":"C02CQ2QDMD6N",
"UNIQUE_ID":"17FA250E-DE71-5E84-8F6F-BCC7C139FA4D"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T10:07:18.448242Z",
"GatherEndDateTime":"2021-06-07T10:07:18.596513Z"
}
6.1.2.3.3. $SOFTWARES
"SOFTWARES":{
"Results":[
{
"NAME":"loginwindow",
"PUBLISHER":"",
"VERSION":"9.0"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T10:07:18.448242Z",
"GatherEndDateTime":"2021-06-07T10:07:18.596513Z"
}
6.1.2.3.4. $SESSION_EVENTS
"SESSION_EVENTS":{
"Results":[
{
"DOMAINNAME":"",
"EVENT":"LOGON",
"TIMESTAMP":"1623053900",
"TYPE":"LOGIN",
"USERNAME":"ocf"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.08067Z""
}
6.1.2.3.5. $USER_ACTIVE
"USER_ACTIVE":{
"Results":[
{
"NAME":"ocf"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}
6.1.2.3.6. $USER_DEVICE
"USER_DEVICE":{
"Results":[
{
"DEVICE_ID":"Apple Internal Keyboard \/ Trackpad",
"HARDWARE_ID":"0280",
"MANUFACTURER":"Apple Inc."
},
{
"DEVICE_ID":"Touch Bar Backlight",
"HARDWARE_ID":"8102",
"MANUFACTURER":"Apple Inc."
},
{
"DEVICE_ID":"Headset",
"HARDWARE_ID":"8103",
"MANUFACTURER":"Apple"
},
{
"DEVICE_ID":"USB Audio",
"HARDWARE_ID":"49c5",
"MANUFACTURER":"Generic"
},
{
"DEVICE_ID":"2.4G Mouse",
"HARDWARE_ID":"0064",
"MANUFACTURER":""
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}
6.1.2.3.7. $SECURITY_CENTER
"SECURITY_CENTER":{
"Results":[
{
"CATEGORY":"Firewall",
"COMPANY":"Firewall de Windows",
"ENABLED":"1",
"PRODUCT":"Firewall de Windows",
"SC_ENABLED":"1",
"UPTODATE":"1"
},
{
"CATEGORY":"Antivirus",
"COMPANY":"Antivirus de Microsoft Defender",
"ENABLED":"0",
"PRODUCT":"Antivirus de Microsoft Defender",
"SC_ENABLED":"1",
"UPTODATE":"1"
},
{
"CATEGORY":"Antivirus",
"COMPANY":"Avast Antivirus",
"ENABLED":"1",
"PRODUCT":"Avast Antivirus",
"SC_ENABLED":"1",
"UPTODATE":"1"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}
6.1.2.3.8. $CERTIFICATE
"CERTIFICATE":{
"Results":[
{
"END_DATE":"1755523200",
"ISSUER":"US, California, San Jose, Adobe Systems, Cloud Technology, Adobe Intermediate CA 10-4",
"START_DATE":"1534771200",
"SUBJECT":"US, California, San Jose, Adobe Systems, Cloud Technology, Adobe Content Certificate 10-6"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}
6.1.2.3.9. $WIFI
"WIFI":{
"Results":[
{
"CONNECTABLE":"1",
"INTERFACE_GUID":"4d4f5649 53544152 5f453543 385f4558 54",
"IS_CONNECTED":"1",
"SECURITY":"",
"SECURITY_ENABLED":"Unknown",
"SIGNAL_QUALITY":"-68",
"SSID":"MOVISTAR_E5C8_EXT"
},
{
"CONNECTABLE":"1",
"INTERFACE_GUID":"52454d4f 54453535 73787261",
"IS_CONNECTED":"0",
"SECURITY":"",
"SECURITY_ENABLED":"Unknown",
"SIGNAL_QUALITY":"-91",
"SSID":"REMOTE55sxra"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}
6.1.2.3.10. $PROCESSES”:
"PROCESSES":":{
"Results":[
{
"CMDLINE": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0x4",
"NAME": "conhost.exe",
"PARENT": "28464",
"PATH": "C:\\Windows\\System32\\conhost.exe",
"PID": "9688",
"START_TIME": "1666694790",
"THREADS": "4",
"TOTAL_SIZE": "5595136"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}
6.1.2.3.11. $ESTABLISHED_CONNECTIONS
"ESTABLISHED_CONNECTIONS":{
"Results":[
{
"FAMILY": "2",
"LOCAL_ADDRESS": "10.20.250.34",
"LOCAL_PORT": "57811",
"PID": "0",
"PROTOCOL": "6",
"REMOTE_ADDRESS": "10.21.1.24",
"REMOTE_PORT": "443",
"STATE": "TIME_WAIT"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}
6.1.2.3.12. $OPEN_PORTS
"OPEN_PORTS":{
"Results":[
{
"FAMILY": "2",
"LOCAL_ADDRESS": "0.0.0.0",
"LOCAL_PORT": "135",
"PID": "1716",
"PROTOCOL": "6",
"REMOTE_ADDRESS": "0.0.0.0",
"REMOTE_PORT": "0",
"STATE": "LISTEN"
}
],
"GatherEventId":"5729a147-f64c-411a-a122-d11d4d712355",
"GatherStartDateTime":"2021-06-07T08:18:41.69713Z",
"GatherEndDateTime":"2021-06-07T08:18:42.239818Z"
}