FusionInventory Agent --------------------- Description ----------- The FusionInventory agent is a generic management agent. It can perform a certain number of tasks, according to its own execution plan, or on behalf of a GLPI server with fusioninventory plugin, acting as a control point. Two of these tasks are included in agent source distribution, local inventory and wake on lan. Other tasks are distributed separatly, excepted for binary distributions where they are bundled together. Dependencies ------------ Minimum perl version: 5.8 Additional mandatory perl modules: - Digest::MD5 - XML::TreePP - LWP - Net::IP - UNIVERSAL::require - Mac::SysProfile (MacOs only) Additional optional perl modules: - Compress::Zlib, for message compression - HTTP::Daemon, for web interface - IO::Socket::SSL, for HTTPS support with certificate validation - Net::CUPS (v0.60 minimum), for printers detection - Proc::Daemon, for daemon mode (Unix only) - Proc::PID::File, for daemon mode (Unix only) Additional optional programs: - dmidecode, for hardware inventory - lspci, for hardware inventory Usage ----- They are two different ways to run the agent: - as a temporary process, exiting after completing its run - as a permanent process, staying in memory permanently (daemon under Unix, service under Windows) In the first case, the agent execution scheduling is controlled from local system, and the memory footprint between agent executions is zero. In second case, the agent execution scheduling is controlled from GLPI server, as the agent runs regulary according to a parameter initially set in its configuration (delaytime), overrided by the server at the first connection (PROLOG_FREQ). Additionaly, the server may also initiate additional out-of-schedule executions by sending HTTP requests if the web interface is used. However, it also mean you have a full perl interpreter loaded in memory constantly, and a network port open on your system with a process running with full system privileges attached to it. If you don't need to control agent execution from the server, and if you're able to periodically launch the agent without resorting to its internal scheduler, through cron on Unix systems, or scheduled tasks on Windows, you'd better use first execution mode. The various installation procedure may offer limited choice about initial configuration, but you should always be able to change it thereafter. When executing, the agent tries to run every available task for every configured target. A task is a specific kind of work to perform (local inventory, network discovery, wake on lan, etc...), while a target is both a recipient for the result and a controller for this work (an OCS server, a GLPI server, a local directory, etc...). Only the local inventory task is compatible with all kind of target, tough, all others require a GLPI server target, and will get discarded for other kind of target. System-specific informations ---------------------------- On Solaris/SPARC, you must install sneep and record the Serial Number with it. Download it from http://www.sun.com/download/products.xml?id=4304155a. On Windows, we use an additional dmidecode binary shipped in the windows distribution to retrieve many informations not available otherwise, including fine-grained multi-cores CPUs identification. Unfortunatly, this binary is not reliable enough to be used on Windows 2003, leading to less precise inventories. On any system, the privilege level used to run the agent will change inventory results. Generally speaking, this means less results when run with lesser privileges. On Windows, tough, running agent with SYSTEM privileges, which is implicit if running as a service, does sometimes gives less results, especially for shared printers only visible from a user account. Security -------- They are several potential security issues in fusioninventory. First, the server automatically trust any received message, using the identifier found in the message (unfortunatly called DEVICEID) to identify the sending agent. If you want to protect your machine inventory from rogue reports, you have to restrict access to the plugin location on your GLPI server, typically using HTTP authentication. And preferentially over HTTPS, to prevent password sniffing. Second, some messages between the server and the agent may contain sensible informations. For instance, NetInventory tasks involves sending SNMP credentials from the server to the agent. In this case, HTTPS usage ensures proper communication encryption. Third, some tasks are explicitely designed to make the agent execute arbitrary commands on its host. For instance, the Deploy task is used to install software on agent side. In this case, HTTPS usage ensures proper server authentication. SSL support ----------- LWP (also known as libwww-perl) is able to use either Crypt::SSLeay or IO::Socket::SSL transparently as underlying socket implementation for HTTPS support. However, only the second one is able to perform server certificate validation. As a consequence, the agent will refuse to use HTTPS, and exit immediatly if IO::Socket::SSL is not available, unless certificate checking has been explicitely disabled (--no-ssl-check command line parameter, or no-ssl-check configuration parameter). The SSL protocol version supported by the agent is dependant of openssl version. In particular, usage of specific certificate signature algorithms such as SHA requires at least openssl 0.9.8o, as it is supposed to be allowed starting from TLS 1.1 only. Failure to comply will result in error message such as: warning: TLS library problem: 14710:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146: This can be controlled in the certificate itself: [guillaume@beria ~]$ openssl x509 -noout -text -in cert.pem | grep Signature Signature Algorithm: sha256WithRSAEncryption Signature Algorithm: sha256WithRSAEncryption The available workaround: - ensure server certificate complies with clients capacities, using controlled certificate generation parameters - ensure clients capacities matches server certificate properties, upgrading openssl and its perl bindings (Net::SSLeay) - disable server certificate checking on client Contacts -------- Project websites: * main site: http://www.fusioninventory.org * forge: http://forge.fusioninventory.org Project mailing lists: * http://lists.alioth.debian.org/mailman/listinfo/fusioninventory-user * http://lists.alioth.debian.org/mailman/listinfo/fusioninventory-devel Project IRC channel: * #FusionInventory on FreeNode IRC Network Please report any issues on project forge bugtracker. Authors ------- * Gonéri Le Bouder > * Guillaume Rousse Copyright 2006-2010 OCS Inventory contributors Copyright 2010-2012 FusionInventory Team License ------- This software is licensed under the terms of GPLv2+, see LICENSE file for details. Additional pieces of software ----------------------------- The memconf script: url: http://myweb.cableone.net/4schmidts/memconf.html author: Tom Schmidt copyright: 1996-2009 Tom Schmidt FusionInventory::Agent::Task::Inventory::Input::Virtualization::Vmsystem contains code from imvirt: url: http://micky.ibh.net/~liske/imvirt.html author: Thomas Liske copyright: 2008 IBH IT-Service GmbH [http://www.ibh.de/] License: GPLv2+ FusionInventory::Agent::Tools::Screen contains code from monitor-edid: url: http://svn.mandriva.com/cgi-bin/viewvc.cgi/soft/monitor-edid copyright: 2005 Mandriva license: GPLv2+