Stack Scan sensor

The Stack Scan sensor provides credential-less discovery (less intrusive discovery) of the installed operating system and open ports on a computer system.

In addition to Nmap, the sensor can use Tivoli® Remote Execution and Access (RXA) for Windows discovery. It can discover the MAC address of the L2Interface.

Sensor name that is used in the GUI and logs

StackScanSensor

Prerequisites

The sensor requires the following software:

  • Nmap tool. See Configuring Nmap for details.
  • WinPcap tool for Windows operating systems. Although this tool is available on the TADDM DVD, you must install it manually because it is not installed during the TADDM installation.
  • Sudo tool for non-Windows operating systems.
    For TADDM on AIX operating systems: For the TADDM user to use the nmap tool through sudo, you must install and configure sudo version 1.6.7p5. This is because TADDM has problems with the most recent sudo version, which is version 1.6.9p15.

Security issues

To configure sudo access for the TADDM user, you must set the NOPASSWD option in the /etc/sudoers file for the TADDM user.

Limitations

Firewalls between targeted scopes and the TADDM server or remote anchors can severely degrade Stack Scan reliability and performance. In this situation, use remote anchors behind the firewall to improve performance.

The version of the operating system might not be discovered properly, depending on what the Stack Scan sensor receives from Nmap. For example, Windows Server 2008 is classified as Windows Vista, AIX® 6.x as AIX 5.x, and Linux® for System z® as Other Computer System.

The discovery of computer systems running the Tru64 UNIX operating system is not supported by Nmap.

Use the following command to check the operating system version returned by Nmap:

nmap -T Normal -O -sS -sU -oX - IPaddress
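
The XML that the command above writes to standard output can be summarized per host to see which operating system candidates, open ports and MAC address Nmap actually reported. The following Python script is an added example, not part of the TADDM product or its documentation; the function name summarize_hosts and the sample XML are constructed for illustration, and the element names follow Nmap's XML output format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap ... -oX -` output (not captured from a real host).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="137"><state state="open|filtered"/><service name="netbios-ns"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows Vista or Windows Server 2008" accuracy="96">
        <osclass vendor="Microsoft" osfamily="Windows" osgen="Vista" accuracy="96"/>
        <osclass vendor="Microsoft" osfamily="Windows" osgen="2008" accuracy="96"/>
      </osmatch>
    </os>
  </host>
</nmaprun>"""

def summarize_hosts(xml_text):
    """Return one dict per host: addresses, open ports and OS candidates."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.iter("address")}
        # Keep only ports Nmap reports as definitely open (not "open|filtered").
        open_ports = [
            (p.get("protocol"), int(p.get("portid")))
            for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        ]
        # Each osmatch is one fingerprint guess; collect the OS generations it covers.
        os_candidates = [
            (m.get("name"), int(m.get("accuracy")),
             sorted({c.get("osgen") for c in m.iter("osclass") if c.get("osgen")}))
            for m in host.iter("osmatch")
        ]
        os_candidates.sort(key=lambda c: -c[1])
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "open_ports": open_ports, "os": os_candidates})
    return hosts

if __name__ == "__main__":
    for h in summarize_hosts(SAMPLE_XML):
        print(h["ip"], h["mac"], h["open_ports"])
        for name, acc, gens in h["os"]:
            # More than one generation in a match means the fingerprint is ambiguous.
            print(f"  {acc:3d}%  {name}  generations={gens}")
```

To use it on live output, pass the text that the nmap command prints to summarize_hosts in place of the sample.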

Application servers and services discovered using a credential-less (Level 1) discovery are reconciled with the application servers and services discovered using a Level 2 or Level 3 discovery only if the binding TCP ports are the same. All application servers and services discovered using a Level 1 discovery remain following a Level 2 or Level 3 discovery, but applications and services matching on the binding ports are merged.

Model objects created

The sensor creates the following model objects:

  • net.IpAddress
  • net.IpInterface
  • net.L2Interface
  • sys.aix.Aix
  • sys.aix.AixUnitaryComputerSystem
  • sys.ComputerSystem
  • sys.hpux.HpUx
  • sys.hpux.HpUxUnitaryComputerSystem
  • sys.i5OS.I5OperatingSystem
  • sys.linux.Linux
  • sys.linux.LinuxUnitaryComputerSystem
  • sys.OperatingSystem
  • sys.sun.Solaris
  • sys.sun.SunSPARCUnitaryComputerSystem
  • sys.tru64.Tru64
  • sys.windows.WindowsComputerSystem
  • sys.windows.WindowsOperatingSystem
  • sys.zOS.ZOS
  • sys.zOS.ZSeriesComputerSystem