The BeyondTrust Discovery Agent is a service that is packaged with BeyondInsight. By default, it runs on the appliance where BeyondInsight is installed, or in the case of a cloud instance, it runs where your resource brokers are deployed.
For on-premises deployments, the discovery agent can also be installed separately on a standalone Windows system and configured to communicate with BeyondInsight on your U-Series Appliance. This increases scanning capacity and is helpful in environments that have a large number of hosts.
You can download the discovery agent from the BeyondTrust Customer Portal.
Before installing the BeyondTrust Discovery Agent, ensure the following prerequisites are met on systems where the agent is being installed:
- The .exe version of the agent installer is used so that it can install required prerequisites, such as the .NET 6 Hosting package.
- If you are using certificates as your authentication method, the eEyeEmsClient.pfx certificate is located in c:\temp.
There are three authentication methods available when setting up a Discovery Agent:
- Certificate: Export a certificate from your U-Series Appliance.
- OAuth: Use an installer activation key and create the command to install the Discovery Agent to your assets.
- Password: Enter a password during configuration (Central Policy only).
- Log in to your appliance.
- Export a certificate:
  - From the left sidebar, click Security and Compliance.
  - Click the Certificate Management card.
  - Under Export Certificate, enter and confirm the password for the certificate.
  - Click Export and Download Certificate.
- Export a copy of the eEyeEmsClient.pfx certificate to a temporary folder on the root of C (c:\temp).
- Log in to the BeyondTrust Customer Portal.
- Download the .exe installer file for the BeyondTrust Discovery Agent.
- Run the installer, selecting the default install location. Once the install is complete, the agent is located in C:\Program Files\BeyondTrust\Discovery.
- Open an administrator command prompt.
- Navigate to C:\Program Files\BeyondTrust\Discovery.
- Type btdiscovery to get a list of commands.
- Set the central policy:
  - Type btdiscovery.cmd SetCentralPolicy.
  - Type Y to enable and select default options.
  - Enter your IP/Hostname.
  - Set authentication:
    - OAuth: Enter the Activation ID and Activation key generated from the Installer Activation Keys configuration. We recommend using OAuth.
    - Certificate: Enter the path to the certificate along with its password.
    - Password: Enter a password.
  - Confirm your settings.
- Set event settings:
  - Type btdiscovery.cmd SetEventSettings.
  - Type Y to enable.
  - Enter your IP/Hostname and select default options.
  - Set authentication:
    - OAuth: Enter the Activation ID and Activation key generated from the Installer Activation Keys configuration. We recommend using OAuth.
    - Certificate: Enter the path to the certificate along with its password.
  - Confirm your settings.
- Check communication:
  - Type btdiscovery.cmd TestCentralPolicy.
  - Type btdiscovery.cmd TestEventSettings.
- Log in to your BeyondInsight instance and confirm the newly created scanner is available:
  - Navigate to the Discovery Scanners page.
  - Confirm the newly created scanner is listed in the grid.
Note: It may take up to 5 minutes for the scanner to display in the grid.
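The prerequisite and communication checks from the steps above, collected into one PowerShell script. This is an added example, not BeyondTrust code: the paths and btdiscovery.cmd subcommands are the ones given on this page, while the parameter names and the -CertificateAuth switch are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Paths come from this page; the parameter
# names and the -CertificateAuth switch are assumptions of this example.
param(
    [string]$AgentDir = 'C:\Program Files\BeyondTrust\Discovery',
    [string]$PfxPath  = 'C:\temp\eEyeEmsClient.pfx',
    [switch]$CertificateAuth   # set when Certificate is the chosen method
)
$ErrorActionPreference = 'Stop'

# The installer must have placed btdiscovery.cmd in the default location.
$cmd = Join-Path $AgentDir 'btdiscovery.cmd'
if (-not (Test-Path -LiteralPath $cmd -PathType Leaf)) {
    throw "btdiscovery.cmd not found in $AgentDir; run the .exe installer first."
}

if ($CertificateAuth) {
    if (-not (Test-Path -LiteralPath $PfxPath -PathType Leaf)) {
        throw "Exported certificate not found at $PfxPath."
    }
    # Confirm the export password opens the file before the agent prompts for it.
    $pw   = Read-Host -AsSecureString 'Password set under Export Certificate'
    $cert = (Get-PfxData -FilePath $PfxPath -Password $pw).EndEntityCertificates[0]
    'Certificate {0} expires {1:u}' -f $cert.Thumbprint, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date)) { throw 'Exported certificate has expired.' }

    # The .pfx holds a private key: list who can read the staged copy.
    (Get-Acl -LiteralPath $PfxPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# Run both communication checks named on this page and show their output.
Push-Location $AgentDir
try {
    foreach ($check in 'TestCentralPolicy', 'TestEventSettings') {
        "== btdiscovery.cmd $check =="
        & $cmd $check
    }
} finally {
    Pop-Location
}
```

Run it from an elevated PowerShell session after SetCentralPolicy and SetEventSettings have been completed; the script only reads the certificate and its ACL and does not change agent configuration.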
The below tables outline the data returned when running a discovery scan on a Linux system.
General Target Data | |
---|
Date | This is the date the scan was run on. |
Remote Address | This is the remote address of the target being scanned. |
Target Machine Information | |
---|
OS Detected | This is the Operating System running on the target system. |
Target Connection | This is the connection method used to communicate with the target system. |
Domain Name | This is the discovered domain name for the target system. |
Open TCP Port Count | This is the number of discovery ports which were open on the target system. |
Closed TCP Port Count | This is the number of discovery ports which were closed on the target system. |
Remote Date | This is the date which was set on the target system, at the time of the scan. |
Remote Time | This is the time which was set on the target system, at the time of the scan. |
Host Name | This is the discovered host name for the target. |
SSH Credential - The following data is returned for each credential the scanner uses while trying to connect to the target system. | |
---|
User Name | This is the username specified in a credential. |
Authentication Success/Failure | This indicates whether or not the credential was able to connect. |
Credential Type | This specifies what type of credential this is. |
Login Shell | This reports back the login shell for the user specified in the credential. |
Privilege | This reports back the privilege level for the user specified in the credential. |
Asset - The asset record contains additional information about the scanned target. | |
---|
Asset Description | |
Asset Name | This is the determined asset name. |
FQDN | This is the Fully Qualified Domain Name returned by the DNS query. It may contain the IP address, if the domain query fails. |
Asset Type | This specifies if the target is a server, a domain controller, or a workstation. |
Workgroup/Domain Name | This specifies either the workgroup or the domain the target belongs to. |
OS Hostname | This specifies the target’s name, based on OS queries. |
DNS Name | This specifies the target’s name, based on the DNS query. |
Remote Target Name | This specifies the target’s name, using alternate OS dependent queries. |
NetBIOS Name | This specifies the target’s name as specified in the NetBIOS. |
BI Provided Name | This specifies the target’s name as specified in the original scan job. |
Open Ports - The scanner reports back the below information for each open discovery or scan port. A scan port is a port number retrieved from a scan credential. | |
---|
Port Number | This is the port number. |
Port Banner | This is the banner returned when a successful connection is made via TCP. |
Port State | This reflects the open state of the port. |
Connected | This indicates that the scanner was able to establish a TCP connection on the port. |
Detected Protocol | This indicates what protocol was detected on the port. |
Excluded From Protocol Detection | This indicates whether or not the port is excluded from active protocol detection. |
Users - The below data is potentially returned for each user on the target system. | | |
---|
User Name | This is the username being reported. | |
Base User Name | This is the username stripped of ornamentation. | |
Last Password Change Date | This is the date the password was last changed on. | |
Minimum Days for Password Change | This is the minimum days allowed between password changes. | |
Maximum Days for Password Change | This is the maximum days allowed between password changes. | |
Account Expiration Date | This is the date the account expires on. | This indicates if the account is a local user or a remote (domain) user. |
User Type Code | This indicates if the account is a Windows or SSH user. | |
Home Directory | This reports back the home directory of the user. | |
Privilege | This reports back the privilege level of the users. | |
Account Disabled | This indicates whether the account has been disabled. | |
Member of Groups List | This contains a list of groups the user is a member of. | |
OS Type | This contains the OS type the user was found on. | |
User ID | This returns the numeric UID of the user. | |
Group ID | This reports the numeric GID of the user. | |
Login Shell | This reports the shell run when the user logs in. | |
Password Warning Days | This reports the number of days a password change warning is issued before locking the account. | |
Inactive Days | This reports the number of days the user account has been inactive. | |
SSH With Key | This reports whether or not the user may use SSH with a key to authenticate. | |
Last Login | This reports the last time the user logged in. | |
SID | This reports the user’s SID. | |
SUDO Permissions | This reports the SUDO permissions the user has been granted. | |
SSH Authorization Keys (See below table) | | |
SSH Keys (See below table) | | |
Is Local User | This reports if a user is a local user or a remote (domain) user. | |
SSH Authorization Key | |
---|
Key Path | Location where the key was found. |
Key Type | The type of key. |
Key Algorithm | The encryption algorithm used by the key. |
Key Value | The encrypted key value. |
Key Bits | The number of bits in the key. |
Key Exponent | The exponent portion of the key. |
Key Modulus | The modulus component of the key. |
Key Comment | The comment associated with the key. |
SSH Keys | |
---|
Bits | The number of bits in the key. |
Fingerprint | A hash representation of the key. |
Comment | The comment associated with the key. |
User | The user the key is associated with. |
Algorithm | The algorithm used to generate the key. |
Groups - The below information is returned for each group discovered on the target. Not all items are available on all OS variants. | |
---|
Group Name | This is the name of the group. |
Comment | This is a comment or description for the group. |
Group ID | This is the numeric ID of the group. |
Members | This is a list of members belonging to the group. |
SID | This is the SID of the group. |
Privileges | This is a list of privileges granted to the group. |
OS Type | The type of OS the group was found on. |
Services - The below information is returned for each service configured on the target. Not all items are available on all OS variants. | |
---|
PID | The process ID of the service task. |
Control PID | The process ID of the service control task. |
Result | The result of the last time the service ran. |
Main Start | A Linux assigned value returned when querying Systemctl for a service status. |
Main PID | The process ID of the service task. |
Execution Start | The last time the service ran OR the initial service start time. |
Execution Reload | A Linux assigned value returned when querying Systemctl for a service status. |
Memory | The amount of memory associated with the service task. |
ID | A Linux assigned value returned when querying Systemctl for a service status. |
Description | A description of the service. |
Load State | The current state of the service code. |
State | The current state of the service execution status. |
Sub State | A Linux assigned value returned when querying Systemctl for a service status. |
Fragment Path | A Linux assigned value returned when querying Systemctl for a service status. |
Timestamp | A Linux assigned value returned when querying Systemctl for a service status. |
Refuse Manual Start | A Linux assigned value returned when querying Systemctl for a service status. |
Refuse Manual Stop | A Linux assigned value returned when querying Systemctl for a service status. |
Log On As | The user the service impersonates while running. |
Software - The below information is returned for each software component installed on the target system. Only those packages using the preferred package management system are reported. | |
---|
Name | The name of the software package. |
Version | The version of the software package. |
Vendor | The company owning or distributing the software package. |
Description | A description of the software package. |
Installation Path | The location of the software package in the file system. |
Scheduled Tasks - The below information is reported for each scheduled task discovered on the target system. Not all items are available on all OS variants. | |
---|
Task Name | The name of the scheduled task. This may be generated by the scanner. |
Status | The current status of the scheduled task. |
Run As User | The user which will be impersonated by the task execution. |
Task To Run | The actual command to be run. |
Last Result | The result from the last time the task was run. |
Last Run Time | The time stamp for the last time the task was run. |
Next Run Time | The next scheduled run time for the task. |
Schedule Type | The type of schedule for the task. |
Comment | A comment about the scheduled task. |
Timer File | The location of the timer file containing the schedule information for systemctl scheduled tasks. |
Service File | The location of the service file containing the task command information for systemctl scheduled tasks. |
Cron Time Specification | The time specification for Cron Table scheduled tasks. |
AT Time Specification | The time specification for AT command scheduled tasks. |