Question: If I want to monitor a Windows system using an 'agentless' approach, RSP uses WMI, correct?
Answer: Yes, rsp uses WMI to monitor Windows systems.
Question: How does Nimsoft store the username/password in rsp?
Answer: We encrypt the input password (string) using the Twofish algorithm and the encryption key; the encrypted string is then Base64 encoded. The password is encrypted with a predefined key and Base64 encoded before it is written to the rsp configuration file. In the rsp.cfg file, the username(s) configured via the GUI are listed, but the passwords are encrypted.
Question: How does rsp communicate with end servers/target machines and can that communication be encrypted?
Answer: The rsp probe can connect to either Windows servers or Unix/Linux servers. When connecting to Windows systems, it uses the WMI protocol to communicate. The WMI protocol uses NTLM authentication, which is encrypted and handled by the OS. When connecting to Unix, it uses SSH2, an open standard that uses encryption. The rsp probe uses WMI (using port 135) to gather remote data on Windows systems, and native commands run over either ssh (using port 22) or telnet (using port 23) on UNIX/Linux systems.
Question: Can the WMI communication between the rsp probe and the Windows target server being monitored be secured?
Answer: The WMI protocol uses NTLM authentication, which is encrypted and handled by the OS. You could potentially use SSH auth instead if configured for the given Windows target system.
Question: Does the rsp probe send username/password data every time it communicates with the target server?
Answer: The credentials are passed each time they are used, depending on what the probe is fetching, for instance when using wmi_provider.exe:
e.g., wmi_provider -l wmitest.log -d 5 -s <server> -u <user> -p <password> -g disk
or
wmi_provider -l mylog.txt -d 5 -s <server> -u <user> -p <password> -g os
Sample log entries:
rsp: send_login(xxxxxxx.xxx.com): got a password prompt, sending password
rsp: myWrite: password not logged...
Note that the password is not logged in the log file, as the sample above shows.
Question: Is there an rsp technical document?
Answer: There is currently no rsp tech brief or white paper available, just the current rsp Help documentation available online at:
Question: What commands are run by rsp for Windows or UNIX/Linux?
Answer: Command line details for the rsp probe are listed below but note that most calls are made via the probe interface, not via command line:
NOTE: For Windows, instead of using WMI_Provider.exe we are using a library. Exact WMI queries are given below.
You can also use the built-in wbemtest in Windows discussed in KB article:
For Unix, Plink is not used anymore; however, the commands given against plink hold true. They are fired using the OpenSSH library.
Windows:
Get OS:
wmi_provider.exe -s <server_name> -u <admin_username> -g os
select FreePhysicalMemory, TotalVisibleMemorySize, FreeSpaceInPagingFiles, SizeStoredInPagingFiles, Caption, Version, CSDVersion, OSLanguage, Locale from Win32_OperatingSystem
Get CPUs:
wmi_provider.exe -s <server_name> -u <admin_username> -g cpu
select Name, AddressWidth, Architecture, DeviceID, LoadPercentage from Win32_Processor
Get Disks:
wmi_provider.exe -s <server_name> -u <admin_username> -g disk
select DriveType, Name, Capacity, FreeSpace from Win32_Volume where DriveType=3
Get Services:
wmi_provider.exe -s <server_name> -u <admin_username> -g services
select Caption, State, StartMode, StartName from Win32_Service
Get Paging:
wmi_provider.exe -s <server_name> -u <admin_username> -g paging
select SystemType from Win32_ComputerSystem
Get Process Table:
wmi_provider.exe -s <server_name> -u <admin_username> -g processes
select __PATH,Name,ProcessID,ParentProcessId,ThreadCount,Priority,ExecutablePath,KernelModeTime,UserModeTime,CommandLine from win32_process
Get Memory:
wmi_provider.exe -s <server_name> -u <admin_username> -g memory
select AllocatedBaseSize, CurrentUsage, Name from Win32_PageFileUsage
Get Load:
wmi_provider.exe -s <server_name> -u <admin_username> -g load
select AllocatedBaseSize, CurrentUsage, Name from Win32_PageFileUsage
UNIX:
Get OS Detail:
plink.exe -ssh root@<server_name> /bin/uname -s -v -r -m
Get Disks Stats:
plink.exe -ssh root@<server_name> /bin/df -P -k -l
Get System Uptime:
plink.exe -ssh root@<server_name> /usr/bin/uptime
Get System Snapshot Since Reboot:
plink.exe -ssh root@<server_name> /bin/cat /proc/stat
Get Memory Info:
plink.exe -ssh root@<server_name> /bin/cat /proc/meminfo
Get vmstats:
plink.exe -ssh root@<server_name> /bin/cat /proc/vmstat
Get Process Table:
plink.exe -ssh root@<server_name> /bin/ps -eLo pid,ppid,time,cpu,nlwp,pri,vsize,user,comm,command
Get Page size:
plink.exe -ssh root@<server_name> /usr/bin/getconf PAGE_SIZE
Usage: plink [options] [user@]host [command]
("host" can also be a PuTTY saved session name)
Options:
-v show verbose messages
-load sessname Load settings from saved session
-ssh -telnet -rlogin -raw
force use of a particular protocol (default SSH)
-P port connect to specified port
-l user connect with specified username
-m file read remote command(s) from file
-batch disable all interactive prompts
The following options only apply to SSH connections:
-pw passw login with specified password
-L listen-port:host:port Forward local port to remote address
-R listen-port:host:port Forward remote port to local address
-X -x enable / disable X11 forwarding
-A -a enable / disable agent forwarding
-t -T enable / disable pty allocation
-1 -2 force use of particular protocol version
-C enable compression
-i key private key file for authentication
Usage:
plink -ssh -l [user name] -pw [password] -v [user@]host [command]
Example:
plink -ssh -l root -pw <password> -v root@###.##.##.## /bin/uname -s -v -r -m
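The wmi_provider -p and plink -pw invocations shown in the two answers above place the password in the process command line, which is readable through the same sources rsp itself collects (CommandLine in Win32_Process, the command column of ps). The following is an added example, not part of the rsp product or its documentation: it flags such command lines in a process listing and redacts the password before anything is written to a log or ticket. The function names and the sample rows are assumptions made for illustration.

```python
import re
import shlex

# Password-bearing options taken from the commands on this page:
# wmi_provider uses "-p <password>", plink uses "-pw <password>".
PASSWORD_FLAGS = {"wmi_provider": "-p", "plink": "-pw"}


def tool_name(argv0):
    """Normalise an executable path to a bare tool name (no directory, no .exe)."""
    base = re.split(r"[\\/]", argv0)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def redact(cmdline):
    """Return (redacted_cmdline, exposed) for one process command line."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps backslashes and quotes
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        argv = cmdline.split()
    if not argv:
        return cmdline, False
    flag = PASSWORD_FLAGS.get(tool_name(argv[0].strip('"')))
    exposed = False
    if flag:
        for i, arg in enumerate(argv[:-1]):
            if arg == flag:  # case-sensitive: plink's "-P port" is not a password
                argv[i + 1] = "<redacted>"
                exposed = True
    return " ".join(argv), exposed


def audit(process_rows):
    """Return (pid, redacted_cmdline) for every row that exposes a password."""
    results = ((pid, redact(cmd)) for pid, cmd in process_rows)
    return [(pid, clean) for pid, (clean, exposed) in results if exposed]


# Constructed sample rows, shaped like ProcessID/CommandLine from Win32_Process.
SAMPLE = [
    (4120, r'C:\tools\wmi_provider.exe -l wmitest.log -d 5 -s srv01 -u monitor -p S3cret! -g disk'),
    (4388, r'plink.exe -ssh -l root -pw "two words" -v root@srv02 /bin/uname -s -v -r -m'),
    (4512, r'plink.exe -ssh -P 22 -i key.ppk root@srv02 /usr/bin/uptime'),
    (4600, r'wmi_provider.exe -s srv01 -u monitor -g os'),
]

if __name__ == "__main__":
    for pid, clean in audit(SAMPLE):
        print(pid, clean)
```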
Question: What information is stored in the database.db file in the rsp directory?
Answer: The database file is called database.db and is in the rsp folder at nimsoft/probes/application/rsp/.
However, that is proprietary and we do not provide any tool to edit this file.
Note: The database.db does not store or contain username and password information. It acts as a small database containing tables and indexes for all of the rsp configuration and script/templates/command information.
Question: What are the minimum rights required to collect data using the rsp probe?
Answer:
Windows: Use Domain admin user or a local admin name on the computer.
UNIX: root
You should add credentials for all servers that you want to monitor, because you need these credentials when creating monitoring profiles (see Adding a profile).
Use sudo
In the case of UNIX/Linux computers, you can allow the specified user to work with root user privileges, by selecting the Use sudo checkbox. By default, this checkbox is un-selected.
You must leave the credentials in place. They should not be removed.
Note: Non-admin access for rsp is NOT officially supported as the account must be able to access hosts, processes, services and events.
Question: How does rsp work when using SSH to connect to the target machine?
Answer: RSP first determines what authentication methods are supported by the server.
Depending on the configuration provided in rsp, it tries to log in using the following methods:
- Key based (passwordless) using public–private key
- Password based
For more details on configuring the public/private key, refer to the latest help document.
Other details regarding key-based authentication can be obtained from the respective rsp, as it uses libssh, which follows the standard procedure.