Setting Scan Options from the Node Page
To view and edit the scan options applied to a node, click the gear icon at the top of the node visualization. This opens the scan options interface, where you can see the groups the node belongs to and the scan options it inherits from each. Because options are applied per group, nodes in the same group are scanned consistently, so whenever you compare two nodes you can be confident that the important configuration items are present in both. You can add or edit scan options here; they are saved to the parent group and applied the next time those nodes are scanned.
Scan options set from the node page are still applied at a node group level.
You can add files to scan options directly from the node visualization. This allows you to conveniently add files that will have their entire contents scanned without needing to type the full file path.
Setting Scan Options from the Node Group Page
You can also view and edit a group’s scan options from the Node Group page. Click the blue “edit” button in the top right to view all the information associated with the group. Expanding the “scan options” section will show you the scan options and provide the interface to edit them.
Files and Directories
This section allows you to specify which files, or groups of files, are collected up under the “Files” section of the node scan. Multiple files, or patterns representing groups of files, can be specified one per line.
By default, the scan will check the file's MD5 checksum. If you select the "Contents" option, the scan will read the raw contents of the file and diff the file contents.
You can also select the "Last Modified" option like so:
![node-group-scan-options-02](/upguard/images/node-group-scan-options-09.png)
This will cause the scan to read the 'Last Modified' timestamp of the file and display it accordingly.
Contents of binary files and of files larger than 100KB will not be scanned.
To specify a specific file, simply include the absolute path to that file. For example, to scan the UpGuard Agent binary you could include this line:
To request all files within a folder to be scanned, simply include the absolute path to the folder. For example, to include all files in the “C:\Windows\System32” folder use:
To request a particular type of file in a given folder, use the wildcard “*” character. For example, to include all .exe files in the “C:\Windows\System32” folder use the following line:
The above will only search for .exe files directly in the "C:\Windows\System32" folder and will not look in any subfolders.
To request a particular type of file in a given folder and its subfolders, use the greedy “**” wildcard pattern. For example, to include all .exe files in “C:\Windows\System32” and all subdirectories use the following line:
To include all files, regardless of file extension in “C:\Windows\System32” and all of its subdirectories, use the following line:
File scanning is capped at a 1500 file count limit. Consider refining your scan options to include just configuration item extensions such as .config, .xml or .ini.
File Path Negation
Prefix a file or directory option with ! to exclude files that match the pattern from the scan. All forms of globbing described above are still supported in exclusion patterns.
If you were to use
C:\Folder\Folder2\sample.log will be excluded from the scan as well.
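The following is an added example, not UpGuard's own matcher: a small Python model of the Files and Directories pattern rules described above (absolute file, bare folder, `*`, `**` and `!` negation) run over a constructed list of paths. Assumptions are that a bare folder line covers only the folder's direct children and that Windows paths compare case-insensitively.

```python
import re
from typing import Iterable, List

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one Files and Directories line into a regex.
    Assumed semantics, taken from the page's description:
      *   matches within a single path segment (no subfolders)
      **  matches across any number of subfolders
      a line with no wildcard is the file itself or, for a folder,
      every file directly inside it (assumption: not recursive)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):      # "**\" : zero or more folder levels
            parts.append(r"(?:[^\\]+\\)*")
            i += 3
        elif pattern.startswith("**", i):      # trailing "**": everything below
            parts.append(r".*")
            i += 2
        elif pattern[i] == "*":                # "*": stays inside one segment
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if "*" not in pattern:
        body += r"(?:\\[^\\]+)?"               # bare folder: direct children too
    return re.compile("^" + body + "$", re.IGNORECASE)  # assumption: case-insensitive

def select_files(option_lines: Iterable[str], candidates: Iterable[str]) -> List[str]:
    """Apply include lines and '!' exclusion lines to candidate paths.
    A path is scanned when an include line matches and no exclusion line does."""
    includes, excludes = [], []
    for line in option_lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("!"):
            excludes.append(pattern_to_regex(line[1:]))
        else:
            includes.append(pattern_to_regex(line))
    return [p for p in candidates
            if any(r.match(p) for r in includes)
            and not any(r.match(p) for r in excludes)]

# Constructed stand-in for files found on a node; not real scan output.
SAMPLE_PATHS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\drivers\acpi.sys",
    r"C:\Windows\System32\wbem\wmic.exe",
    r"C:\Folder\app.config",
    r"C:\Folder\Folder2\sample.log",
    r"C:\Folder\Folder2\settings.ini",
]
```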
This section only applies to CoreOS nodes running the etcd service.
This section allows you to specify which etcd key, or groups of etcd keys, will be collected under the “Etcd Keys” section of the node scan. Multiple keys, or patterns representing groups of keys, can be specified one per line.
By default, the scan will check the etcd key's MD5 checksum. If you select the "Contents" option, the scan will read the raw contents of the key and diff the key contents.
Contents of binary keys and of keys larger than 100KB will not be scanned.
This section allows you to perform external port scanning of non-Windows nodes. NMAP scanning is found under the Categories section of Scan Options. Ports for this scan can be designated in the following ways:
- A single port (5985)
- A set of ports (5985, 5986, 1433)
- A range of ports (1-1024)
After specifying the ports needed for NMAP scanning, click the check box to save your preferences.
Custom Scripts (Linux Only)
This section allows you to specify custom scripts that return data you would like to see included in the scan. The description field is used to distinguish your query. Queries are interpreted as bash scripts by default, but it is recommended to specify the shell explicitly at the top of your script (for example
Returned script output is displayed as flat files under a Scripts section of the visualization. This allows you to return data that may not have a strictly defined structure.
If you would like to display configuration as separate configuration item squares, refer to the scan.d options method.
SQL Queries (Database Nodes Only)
Adding SQL queries to your scan options allows you to easily detect changes to database table schemas, triggers, stored procedures or indexes. For example, to detect column or attribute changes you can select from your database's schema table. Here we set the schema first for our Microsoft SQL Server database and select our sales column data:
use sales;
select * from information_schema.columns;
PowerShell Queries (Windows Only)
Custom PowerShell queries can be used to return data you would like to see included in the scan.
|Field|Description|
|---|---|
|Description|The label given to the results in the scan.|
|Key Name|If the query returns multiple values, Key Name is used to specify which field uniquely identifies the row.|
|Query|The actual PowerShell query to be run.|
Single Object Example
Multiple Objects Example
NB: Try/Catch used due to a PowerShell bug.
Registry Keys (Windows Only)
Specify registry keys to be scanned. Valid options are full paths to a key value name or parent key path. Abbreviations such as HKLM are supported.
Parent Key Value
Registry key scanning does not currently support the greedy-start (recursive) syntax.
Scanning Multiple Keys
UpGuard’s registry scanning supports glob syntax for scanning multiple registry sub keys. In sub key paths, * functions as a wildcard and ** functions as a recursive wildcard.
Group Policy Objects (Windows Only)
Group Policy Objects (GPOs) can be scanned by entering the name of the GPO as it appears in the Windows Group Policy Management Console (GPMC).
Instructions for getting started with the GPMC can be found here.
Resultant Set of Policy (RSoP) (Windows Only)
Resultant Set of Policy (RSoP) reports can be used to identify the GPOs that are actually governing a machine.
RSoP reports can be accessed by adding “RSOP” as a scan option under the “Sections” category.
The results of the RSoP report are visualized as a configuration group in the node visualization.
By treating RSoP results as configuration items in UpGuard, users can generate policies, compare differences, identify governance inconsistencies, and integrate information with additional platforms.
IIS Settings (Windows Only)
Adding IIS settings can be done through Scan Options. While logged in as an Administrator, go to the Discover tab, and choose Monitored. For the node or node group you would like to monitor IIS settings on, click on the dropdown menu next to the Edit button near the top right-hand corner and select Scan Options.
Navigate to the Sections tab and enter “IIS” (case sensitive) as a section and click the check box to save the newly added option.
Exit out of Scan Options and run a scan on the node or node group. IIS settings will be listed after a successful scan.
By default, active local TCP and UDP ports from 1-1024 are scanned. To specify a particular range of ports, use the M-N syntax. For example, to scan all ports between 20 and 30 (inclusive), use 20-30. You can also specify a number of individual ports, or ranges of ports, by separating them with commas. For example, to scan ports 22, 80, 443 and all ports in the 8000s use 22,80,443,8000-8999.
The connectivity tests allow you to determine if a node is able to establish a remote connection on the specified port. The host may be specified using either IP address or FQDN.
The Web scan option allows you to verify that a node can connect to a web endpoint, and optionally retrieve the contents of the response body. The label field is used to identify the check within the scan output.
The “Excluded Text” scan option allows users to define a set of textual patterns that will be excluded from differencing operations. These patterns are defined using regular expressions and are applied to the scan data at comparison time, so no data is lost. Both attributes and raw files are considered for text exclusion; regardless of where the rules are applied, if applying them results in no difference, no difference will be surfaced visually or through the event system.
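As an added illustration of the comparison-time behaviour described above (this is a Python model written for this page, not UpGuard's implementation), the exclusion patterns are applied to copies of both sides right before diffing, so a volatile timestamp drops out of the comparison while a real setting change is still reported. The file contents and exclusion rule are constructed for the example.

```python
import difflib
import re
from typing import Iterable, List

# Constructed "Excluded Text" rule: a regular expression for text that is
# expected to change between scans and should not be reported as drift.
EXCLUDED_TEXT = [
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}",   # timestamp written by a generator
]

def apply_exclusions(text: str, patterns: Iterable[str]) -> str:
    """Blank out every match of every exclusion pattern in a copy of the text.
    The stored scan data is never modified; only the comparison input is."""
    for pat in patterns:
        text = re.sub(pat, "", text)
    return text

def changed_lines(before: str, after: str, patterns: Iterable[str]) -> List[str]:
    """Diff two scanned contents after exclusions are applied to both sides.
    Returns only the '-'/'+' lines; an empty list means nothing to surface."""
    a = apply_exclusions(before, patterns).splitlines()
    b = apply_exclusions(after, patterns).splitlines()
    return [line for line in difflib.unified_diff(a, b, lineterm="", n=0)
            if line.startswith(("-", "+"))
            and not line.startswith(("---", "+++"))]

# Constructed contents of one sshd_config as captured by three successive scans.
SCAN_1 = "# Generated 2024-01-05 10:00:00\nPermitRootLogin no\nPasswordAuthentication no\n"
SCAN_2 = "# Generated 2024-01-06 10:00:00\nPermitRootLogin no\nPasswordAuthentication no\n"
SCAN_3 = "# Generated 2024-01-07 10:00:00\nPermitRootLogin yes\nPasswordAuthentication no\n"
```

Without the exclusion rule, every scan would raise a difference on the generator line alone; with it, only the PermitRootLogin change between SCAN_1 and SCAN_3 is surfaced.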
Scan Option Variables
The following variables can be used on the scan options page to help parameterise queries. Variables can be used at the node and node group levels and must be written in Liquid syntax.