Configuring Nmap

The Stack Scan sensor uses Nmap to gather data about the targets for credential-less discovery.

Installing Nmap

Before installing Nmap for any operating system, see the TADDM support site at https://www-947.ibm.com/support/entry/portal/product/tivoli/tivoli_application_dependency_discovery_manager?productContext=267282604 for recent news about your specific operating system and Nmap versions.

Nmap is not installed during the TADDM installation. The Nmap tool is available on TADDM DVD #2, and you must install it manually. Install Nmap on the TADDM server and all anchor servers. For more information, see the readme file in the Nmap directory on the DVD.

Configuring root authority

For non-Windows platforms, give root authority for all commands to the TADDM user ID that starts the TADDM server.

If you are using a TADDM anchor server, give root authority to the discovery service account on the anchor server.

As the root user, use the visudo command to add the following line to the /etc/sudoers configuration file:
TADDM_userid ALL=(ALL) NOPASSWD:ALL
where
  • TADDM_userid is the user ID that starts the TADDM server, or the discovery service account on an anchor.
If the sudoers file contains a Defaults requiretty line, comment it out or delete the line.

If you use the Stack Scan sensor with Nmap, you can instead grant the TADDM server user ID root execution permission for the nmap command only, rather than for all commands. Add the following line to the /etc/sudoers configuration file:

TADDM_userid ALL=(ALL) NOPASSWD:nmap_path
where
  • TADDM_userid is the user ID that starts the TADDM server, or the discovery service account on an anchor.
  • nmap_path is the full path to the location of the nmap command.
If the sudoers file contains a Defaults requiretty line, comment it out or delete the line.

Configuring the Path environment variable

Nmap must be installed on your TADDM server and on all anchor servers. The Nmap command must be in the $PATH environment variable for the TADDM user ID that starts the TADDM server. If you are using a TADDM anchor server, the Nmap command must be in the $PATH environment variable for the discovery service account.

On Windows platforms, take the following steps to set the Path system environment variable to include the directory where Nmap is installed:

  1. Click Start > Control Panel > System.
  2. Click the Advanced tab, and select Environment Variables.
  3. Edit the Path system variable and add the directory where Nmap is installed.
  4. Restart the computer.

This task makes Nmap available to services on the computer.

Verifying that Nmap is working

To verify that Nmap is working, complete the following steps:
  1. Log in to the system using one of the following TADDM user IDs:
    • The user ID that starts the TADDM server.
    • The discovery service account on the anchor server.
  2. Run the following command:
    sudo nmap -T Normal -O -sS -oX - IPaddress/32
    where
    • IPaddress is the address of a valid host system that is up and running on your network.

    The output produces an XML document that shows the ports and operating systems on that computer system.
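The XML that the verification command writes can also be checked programmatically rather than by eye. The following is an added Python example, not code from the TADDM documentation: SAMPLE_XML is a constructed document in Nmap's -oX layout with made-up addresses, and verification_passed is an assumed name for the check the step above describes (host is up, and both port and OS data are present).

```python
# Added example (not TADDM's code): parse the XML that "nmap -oX -" writes and
# pull out what the verification step looks for: host state, open ports, OS matches.
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout; addresses and results are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T Normal -O -sS -oX - 192.0.2.10/32">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per <host>: address, up/down, open ports, OS matches."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not inventory
            service = port.find("service")
            open_ports.append((port.get("protocol"), int(port.get("portid")),
                               service.get("name", "") if service is not None else ""))
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "up": status is not None and status.get("state") == "up",
            "open_ports": open_ports,
            # nmap lists osmatch elements best guess first
            "os_matches": [(m.get("name"), int(m.get("accuracy", "0")))
                           for m in host.iter("osmatch")],
        })
    return hosts


def verification_passed(xml_text):
    """True when every host is up with port and OS data (nmap refuses -sS/-O without root)."""
    hosts = parse_nmap_xml(xml_text)
    return bool(hosts) and all(h["up"] and h["open_ports"] and h["os_matches"] for h in hosts)
```

Pipe the real command into it with `sudo nmap -T Normal -O -sS -oX - IPaddress/32 | python3 -c 'import sys, nmapcheck; print(nmapcheck.verification_passed(sys.stdin.read()))'`, assuming the block is saved as nmapcheck.py.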

Limitation

Because of a limitation on AIX®, only four active Nmap commands can be run at the same time. To ensure that this limit is not exceeded, complete the following steps:
  1. Create a discovery profile.
  2. In the new discovery profile, create a StackScanSensor configuration, and enable the configuration.
  3. Set the values of the following properties to 1:
    • nmapMaxOsScanTreads
    • nmapMaxPingScanTreads
  4. To save the configuration, click OK.
  5. To save the discovery profile, click Save. Use this discovery profile for StackScan discoveries.
  6. If the number of computer systems in the scope being discovered exceeds 2048, set the following property in the collation.properties file:
    com.collation.discover.dwcount=4