Evidence collections
Scanning networks
The free network scanner nmap is used to scan the networks. A network can be scanned in just a few seconds with a simple ping scan. If you run the scan as the root user, nmap also records the associated MAC addresses, provided that the scanning host is itself located in the network being scanned (the hardware addresses are learned from ARP replies on the local segment). The output option -oX causes nmap to write the scan result to a file, structured as XML.
For example, the command sudo nmap -sn -oX lan.xml 172.16.0.1-254 scans all hosts in the range 172.16.0.1 to 172.16.0.254 and writes the result to the file lan.xml.
If a network other than the local network is to be scanned, we need a host with nmap installed in the relevant network, preferably with SSH access. The scan can then be performed, for example, with the command ssh root@dockerhost.panic.lan nmap -sn -oX - 172.18.0.2-254 > docker.xml, which prompts a host running Docker containers to scan “its” Docker network; the -oX - option sends the XML to standard output, which is redirected into docker.xml on the local side.
Importing scan results into the RfC Manager
The evidence collections are accessed via the corresponding menu item by users with the role Change Manager.
An evidence collection must be created for each network that is to be monitored for changes.
In the Metadata tab, a name for the collection and, if necessary, a description are entered and, above all, an i-doit object of type Layer 3 for IPv4 or IPv6 networks is linked.
The actual scan results can now be uploaded and subsequently viewed in the Scans tab. Individual scan results are opened by clicking on the creation date. If exactly two scans are selected, they can be compared with each other.
In the column with the heading Configuration object, the matching i-doit objects are displayed together with their host address, if available. The DNS names determined by reverse lookup are displayed in the Hostname column, the corresponding hardware address in the MAC address column, and the manufacturer of the device in the Manufacturer column, where it can be derived from the MAC address.
If one of the above values differs between the two compared scans, the respective line can be colored by selecting the Highlight changed entries checkbox. By selecting the Hide unchanged entries checkbox, only those lines are displayed where a difference was found between the two scan results.
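The comparison described above, reduced to its core, as an added example that is not part of the RfC Manager or of nmap: it parses the -oX XML of two scans of the same segment, extracts the columns the comparison uses (host address, reverse-lookup hostname, MAC address, vendor) and reports hosts that appeared, vanished or changed. The two XML documents are constructed sample data, not real scan output.

```python
import xml.etree.ElementTree as ET
# Constructed sample nmap -oX output for the same segment on two days (not a real capture).
SCAN_A = """<nmaprun>
<host><status state="up"/><address addr="172.16.0.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="Acme Corp"/>
<hostnames><hostname name="nas.example.lan" type="PTR"/></hostnames></host>
<host><status state="up"/><address addr="172.16.0.20" addrtype="ipv4"/>
<address addr="AA:BB:CC:DD:EE:01" addrtype="mac" vendor="Acme Corp"/></host>
</nmaprun>"""
SCAN_B = """<nmaprun>
<host><status state="up"/><address addr="172.16.0.10" addrtype="ipv4"/>
<address addr="66:77:88:99:AA:BB" addrtype="mac" vendor="Other Inc"/>
<hostnames><hostname name="nas.example.lan" type="PTR"/></hostnames></host>
<host><status state="down"/><address addr="172.16.0.20" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="172.16.0.30" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_scan(xml_text):
    """Map each host nmap reports as up to the columns the comparison uses."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry, ipv4 = {"hostname": "", "mac": "", "vendor": ""}, None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ipv4 = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present for root scans of the local segment
                entry["mac"] = addr.get("addr")
                entry["vendor"] = addr.get("vendor", "")  # nmap's OUI lookup
        name = host.find("hostnames/hostname")  # reverse-lookup (PTR) result, if any
        if name is not None:
            entry["hostname"] = name.get("name", "")
        if ipv4:
            hosts[ipv4] = entry
    return hosts

def diff_scans(old, new):
    """Return {ipv4: {column: (old, new)}} for hosts that appeared, vanished or changed."""
    changes = {}
    for ip in sorted(set(old) | set(new), key=lambda s: tuple(map(int, s.split(".")))):
        a, b = old.get(ip), new.get(ip)
        if a is None or b is None:
            changes[ip] = {"present": (a is not None, b is not None)}
        elif delta := {k: (a[k], b[k]) for k in a if a[k] != b[k]}:
            changes[ip] = delta
    return changes

if __name__ == "__main__":
    print(diff_scans(parse_scan(SCAN_A), parse_scan(SCAN_B)))
```

In the sample data the host at 172.16.0.10 keeps its address and name but answers with a different MAC address and vendor, which is exactly the kind of line the Highlight changed entries option is meant to surface for review.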