Welcome to the Inventory Analyzer documentation

The ASGARD Inventory Analyzer is used to create an inventory of all your assets. There are several methods to feed asset data into the Inventory Analyzer, which are all described throughout this document.

Before You Begin

This is an introductory chapter to ASGARD Inventory Analyzer. Please read this chapter before you start installing or even configure your new ASGARD Inventory Analyzer.

This chapter contains Hardware Requirements, Licensing and other topics.

General Understanding

The ASGARD Inventory Analyzer is used to create and inventory of your endpoints. Data can be fed into it by connecting existing ASGARD instances or by deploying NMAP Agents. By specifying Assignment Rules you can decide if a new asset will be created or an existing one updated.

Performance Considerations

Since your Inventory Analyzer is running on a separate instance, it will not create a big performance impact on your existing environment.

Requirements

Hardware Requirements

The Inventory Analyzers hardware requirements [...]]

Connected Endpoints	Minimum Hardware Requirements
TBA	System memory: TBA, Hard disk: TBA, CPU Cores: TBA

NMAP Agent Requirements

Our NMAP Agent is running only on current debian based distributions.

The NMAP Agent needs nmap installed. You can either do this before installing the agent, or let apt resolve the dependency.

Network Requirements

The Inventory Analyzer requires the following open firewall ports.

From Management Workstation to Inventory Analyzer

Description	Ports
Administrative web interface	8443/tcp
Command line administration	22/tcp

From Inventory Analyzer to NMAP Agent

Description	Ports
Task distribution	4545/tcp

From Inventory Analyzer to the Internet

The Inventory Analyzer is configured to retrieve updates from the following remote systems via HTTPS on port 443/tcp:

Product	Remote Systems
ASGARD packages	update3.nextron-systems.com

Hint

All proxy systems should be configured to allow access to these URLs without TLS/SSL interception. (We use client-side SSL certificates for authentication). It is possible to configure a proxy server, username and password during the setup process of the underlying platform. Only BASIC authentication is supported (no NTLM authentication support).

Time Synchronization

The application tries to reach the public Debian time servers by default.

Server	Port
0.debian.pool.ntp.org	123/udp
1.debian.pool.ntp.org	123/udp
2.debian.pool.ntp.org	123/udp

Hint

The NTP server configuration can be changed.

DNS

The application needs to be able to resolve internal and external IP addresses.

Warning

Please make sure that you install your Inventory Analyzer with a domain name (see Network Configuration). If you do not set the Domain Name and install the Inventory Analyzer, you might encounter certain problems with future integrations.

All components you install should have a proper domain name configured to avoid issues further during the configuration.

Verify the Downloaded ISO (Optional)

You can do a quick hash check to verify that the download was not corrupted. We recommend to verify the downloaded ISO's signature as this is the cryptographically sound method.

The hash and signature file are both part of the ZIP archive you download from our portal server.

Via Hash

Extract the ZIP and check the sha256 hash:

On Linux

user@host:~$ sha256sum -c nextron-universal-installer.iso.sha256
nextron-universal-installer.iso: OK

or in Windows command prompt

C:\Users\user\Desktop\asgard2-installer>type nextron-universal-installer.iso.sha256
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b  nextron-universal-installer.iso
C:\Users\user\Desktop\asgard2-installer>certutil -hashfile nextron-universal-installer.iso SHA256
SHA256 hash of nextron-universal-installer.iso:
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b
CertUtil: -hashfile command completed successfully.

or in Powershell

PS C:\Users\user\Desktop\asgard2-installer>type .\nextron-universal-installer.iso.sha256
efccb4df0a95aa8e562d42707cb5409b866bd5ae8071c4f05eec6a10778f354b  nextron-universal-installer.iso
PS C:\Users\user\Desktop\asgard2-installer>Get-FileHash .\nextron-universal-installer.iso

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          EFCCB4DF0A95AA8E562D42707CB5409B866BD5AE8071C4F05EEC6A10778F354B       C:\Users\user\Desktop\asgard2-installer\nextron-universal-installer.iso

Via Signature (Recommended)

Extract the ZIP, download the public signature and verify the signed ISO:

On Linux

user@host:~$ wget https://www.nextron-systems.com/certs/codesign.pem
user@host:~$ openssl dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK

or in powershell

PS C:\Users\user\Desktop\asgard2-installer>Invoke-WebRequest -Uri https://www.nextron-systems.com/certs/codesign.pem -OutFile codesign.pem
PS C:\Users\user\Desktop\asgard2-installer>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK

Note

If openssl is not present on your system you can easily install it using winget: winget install openssl.

Setup Guide

This chapter contains the setup guide with an example on how to create a new ESXi virtual machine and installing the ASGARD Inventory Analyzer.

Create a new ESX VM and Mount the ISO

Create a new VM with your virtualization software. In this case, we will use VMWare ESXi managed through a VMWare VCenter.

The new VM must be configured with a Linux base system and Debian GNU/Linux 10 (64 bits) as target version. It is recommended to upload the nextron-universal-installer.iso to an accessible data store and mount the same to your newly created VM.

Please make sure to select a suitable v-switch or physical interface that reflects the IP address scheme you are planning to use for the new Inventory Analyzer. Only use one Hard Disk for the installation.

Navigate through the installer

The installation Process is started by selecting ASGARD Installation. The installer then loads the additional components from the ISO and lets you select location and language.

Warning

Please make sure to select the correct Country, as this will also set your local timezone!

If DHCP is available, network parameters will be configured automatically. Without DHCP, the installer drops into the manual network configuration dialogue.

Without DHCP, the installer proceeds with the manual network configuration dialogue.

Network Configuration

Warning

ASGARD needs to be able to resolve internal and external IP addresses.

Warning

Important: Make sure that the combination of hostname and domain creates an FQDN that can be resolved from the endpoints on which you intend to install the ASGARD agents. If you've configured a FQDN (hostname + domain) that cannot be resolved on the clients, no agent will be able to find and connect to the ASGARD server.

Choosing a password

Set up users and passwords — Choosing a password for the `nextron` user

Partitioning the Hard Disk

Warning

ASGARD is intended to be installed with only one disk. Do not configure your server with multiple disks. The system won't configure additional disks. Make sure that your disk has the recommended size. See Hardware Requirements for more information.

Finally, write your configuration to the disk by selecting "Yes" and clicking "Continue".

Proxy Configuration

If you are using a proxy to access the internet, enter the proxy details in the next step. Please note, Internet connectivity is required for the next step – the installation of the Inventory Analyzer service.

The base installation is now complete. In the next step we will install the service. For this step Internet connectivity is required.

Install the Inventory Analyzer Service

Use SSH to connect to the appliance using the user nextron and the password you specified during the installation. Now you can run the following command:

nextron@inventory:~$ sudo nextronInstaller -inventory

This will install the Inventory Analyzer

CHANGE PICTURE HERE

After installation is complete type sudo systemctl status asgard2.

The output should look something like this (note the status Active: active (running):

nextron@inventory:~$ sudo systemctl status asgard-inventory.service
[sudo] password for nextron:
● asgard-inventory.service - ASGARD Inventory
     Loaded: loaded (/lib/systemd/system/asgard-inventory.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2023-03-03 21:26:40 CET; 45s ago
    Process: 701 ExecStartPre=/etc/asgard-inventory/pre_run_asgard_inventory.sh (code=exited, status=0/SUCCESS)
   Main PID: 718 (bash)
      Tasks: 9 (limit: 4633)
     Memory: 22.3M
        CPU: 140ms
     CGroup: /system.slice/asgard-inventory.service
             ├─718 /bin/bash /etc/asgard-inventory/run_asgard_inventory.sh
             └─719 asgard-inventory

Mar 03 21:26:40 inventory systemd[1]: Starting ASGARD Inventory...
Mar 03 21:26:40 inventory systemd[1]: Started ASGARD Inventory.

The installation is now completed, you are ready to log into the web-based GUI via:

https://<your-FQDN>:8443

Changing the IP-Address

Your servers IP-Address can be changed in /etc/network/interfaces. The IP is configured with the address variable.

nextron@inventory:~$ sudoedit /etc/network/interfaces

allow-hotplug ens32
iface ens32 inet static
address 192.0.2.7
netmask 255.255.255.0
gateway 192.0.2.254

The new IP can be applied with the command sudo systemctl restart networking.

Warning

It might be the case where the name of the network adaptor (in this example: ens32) is different. Please consider this when changing the values and leave the interface name how it is currently set in the configuration.

Verifying DNS Settings

To verify if your Inventory Analyzer is using the correct DNS Server, you can inspect the file /etc/resolv.conf and look for the nameserver parameter. Multiple parameters could be set here.

nextron@inventory:~$ cat /etc/resolv.conf
search example.org
nameserver 172.16.200.2

If you see errors in this configuration, you can change it with the following command:

nextron@inventory:~$ sudoedit /etc/resolv.conf

Changing the Web Password

The default username and password is admin.

You should change the password for the admin user after the installation is finished.

To do this, navigate to Settings > Password. Please see the chapter Password.

Assets View

In this chapter we will explain what Assignment Rules are and how to use them, how to create Tasks, and information found in the History.

Assets

In the Assets section you will find all imported assets. You can also use the ASGARD Search Query to find assets.

You will also be able to change the View in the top right corner. To create a new view, please see Views.

Hint

If you created a personalized view and use it, all the column settings and ordering of columns will be saved.

Columns

The Column section gives you the option to define new columns for your view. The Inventory Analyzer comes with predefined and non removable columns.

All columns created here can also be used to import asset data in your Assignment Rules.

Creating new Columns

To create a new Column, click the Add Column button in the top right corner.

You can chose between different Column Types:

Column Type	Options
Text	Normal Text. If `Show as Badge` is enabled, your text will be surrounded by colored background
Splitted String	String is split into multiple badges with the chosen color. Separator can be defined
Boolean	True or False, for searching
Multi Select	Multiple Values can be defined and selected in for the Column. If `Show as Badge` is enabled, your text will be surrounded by colored background
Date	Date field (XYZ Format?)

Views

In the Views section you can create personal Asset Views. Those views are used to save a current view in the Assets section. All the views are personalized, meaning they are only visible by your user.

To create a new personalized view, click the Create Asset View button and give the view a name.

You can now choose the view in the Assets section. When choosing a view and changing column visibility or sort order, the changes will be saved to this view.

Data Sources

In this chapter we will explain what Data Sources are and how to use them. We need to define data sources before we can create Discovery tasks to collect information from those data sources.

This step should be the first thing you set up in a new environment.

Currently we have three data sources available for asset import:

ASGARDs
NMAP Agents
CSV Templates

ASGARDs

The ASGARD data source are your existing ASGARDs. You can use them to directly import any asset which is known to your ASGARDs.

To do this, navigate to Data Sources > ASGARDs.

You can see your connected ASGARDs in the overview, or add a new ASGARD as a data source.

Adding a new ASGARD

To add a new ASGARD to your data sources, click the Add ASGARD button. Here you can set the URL and API Key.

You can now use this ASGARD as Data Source for a new Discovery Task. Please see chapter Tasks.

NMAP Agents

We crated an NMAP Agent which can be installed and used on endpoints to be used for Discovery. This Agent can scan a IP subnet to detect and inventory endpoints/assets.

To do this, navigate to Data Sources > NMAP Agents.

You will see all currently created NMAP Agents, but also be able to create a new one by clicking + Create Agent Installer in the top right corner.

You will also be able to see when the Agent communicated the last time with your Inventory Analyzer (Last Seen).

Creating a new NMAP Agent Installer

When creating a new NMAP Agent Installer, you will need to provide a FQDN. This is needed for the Client Certificate, which will be built into the Agent. This Client Certificate is used for TLS communication with your Inventory Analyzer.

After specifying your FQDN, you can click Create to create your new NMAP Agent Installer.

After creating and installing your NMAP Agent, you can later use it while creating a new NMAP Agent Task. Please see the chapter Tasks.

Hint

Unused Agent Installers can be deleted if they are no longer needed.

Installing an NMAP Agent

The created NMAP Agent Installer is a .deb file. You should be able to install it on any debian based linux distribution. Download the file and transfer it to your chosen server.

You can install it via apt, since this will also resolve dependencies (nmap):

nextron@server:~$ sudo apt install ./server.domain.local_agent.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'asgard-inventory-agent' instead of './debian-demo.pi_agent.deb'
The following additional packages will be installed:
  nmap
Suggested packages:
  ncat ndiff zenmap
The following NEW packages will be installed:
  asgard-inventory-agent nmap
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,899 kB/7,990 kB of archives.
After this operation, 25.4 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 /home/nextron/server.domain.local_agent.deb asgard-inventory-agent amd64 1.0.0~pre+20221101.0 [6,092 kB]
Get:2 http://deb.debian.org/debian bullseye/main amd64 nmap amd64 7.91+dfsg1+really7.80+dfsg1-2 [1,899 kB]
Fetched 1,899 kB in 0s (10.5 MB/s)
Selecting previously unselected package nmap.
(Reading database ... 260986 files and directories currently installed.)
Preparing to unpack .../nmap_7.91+dfsg1+really7.80+dfsg1-2_amd64.deb ...
Unpacking nmap (7.91+dfsg1+really7.80+dfsg1-2) ...
Selecting previously unselected package asgard-inventory-agent.
Preparing to unpack .../server.domain.local_agent.deb ...
Unpacking asgard-inventory-agent (1.0.0~pre+20221101.0) ...
Setting up nmap (7.91+dfsg1+really7.80+dfsg1-2) ...
Setting up asgard-inventory-agent (1.0.0~pre+20221101.0) ...
Created symlink /etc/systemd/system/multi-user.target.wants/asgard-inventory-agent.service → /lib/systemd/system/asgard-inventory-agent.service.
Processing triggers for man-db (2.9.4-2) ...

You can check if the Inventory Analyzer Agent is running:

nextron@server:~$ systemctl status asgard-inventory-agent.service
● asgard-inventory-agent.service - ASGARD Inventory Agent
     Loaded: loaded (/lib/systemd/system/asgard-inventory-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-02-27 15:19:58 UTC; 1min 10s ago
   Main PID: 3027 (bash)
      Tasks: 6 (limit: 14230)
     Memory: 2.0M
     CGroup: /system.slice/asgard-inventory-agent.service
             ├─3027 /bin/bash /etc/asgard-inventory-agent/run_asgard_inventory_agent.sh
             └─3029 asgard-inventory-agent run

Feb 27 15:19:58 server systemd[1]: Started ASGARD Inventory Agent.
Feb 27 15:19:58 server asgard-inventory-agent[3029]: 2023/02/27 15:19:58 {"CA":"/etc/asgard-inventory-agent/ca-inventory.pem","HOST":"0.0.0.0","KEY":"/etc/asgard-inventory-agent/se>

Uninstall an NMAP Agent

To uninstall your NMAP Agent from an endpoint, run the following command:

nextron@server:~$ sudo apt purge asgard-inventory-agent
[sudo] password for nextron:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  asgard-inventory-agent
0 upgraded, 0 newly installed, 1 to remove and 41 not upgraded.
After this operation, 22.0 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 71815 files and directories currently installed.)
Removing asgard-inventory-agent (1.0.0~pre+20221101.0) ...
nextron@server:~$ sudo rm -r /var/lib/asgard-inventory-agent

You can also remove the dependencies which came with the NMAP Agent (nmap):

nextron@server:~$ sudo apt autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  liblinear4 nmap nmap-common
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 25.9 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 261013 files and directories currently installed.)
Removing nmap (7.91+dfsg1+really7.80+dfsg1-2) ...
Removing liblinear4:amd64 (2.3.0+dfsg-5) ...
Removing nmap-common (7.91+dfsg1+really7.80+dfsg1-2) ...
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u3) ...

CSV Templates

You can also create CSV Templates to import assets.

You can freely design multiple templates to your liking and import the data later.

To do this, navigate to Data Sources > CSV Templates.

You will see all currently existing CSV Templates, but also be able to create a new template by clicking + Create Template in the top right corner.

Creating a new CSV Template

When creating a new template, you will be able to customize how the structure of the CSV file should look like.

Chose your Column Separator and Columns as you need. Please keep in mind, that you can choose any column, either system defaults or manually created ones. Please see chapter Columns.

After creating your CSV template, you can later use it while creating a new CSV Template Task. Please see chapter Tasks.

Discovery

The Discovery Chapter describes how asset data is collected, how the asset data is being handled and how to create reoccurring tasks to keep the inventory up to date.

The first step should be to create Assignment Rules.

History

The Discovery History shows you all the Tasks which ran on your Inventory Analyzer. Here you can see which Data Source the tasks used (Discovered In), if new Assets were found or existing ones were updated, and the status of the Task. You can also see which Template was used and the NMAP Arguments of the your NMAP Task.

To see the New Assets from a Task, click on the number in the New Assets Count Column.

To see the Updates Assets from a Task, click on the number in the Updates Assets Count Column. You can see which Rule triggered the Update.

Assignment Rules

Assignment Rules are used to determine if an existing asset should be updated, or if a new asset should be created instead.

Your system comes with two predefined Assignment Rules, one for ASGARDs and one for NMAP, which cannot be deleted or changed.

You can create Assignment Rules based on a Rule Type. Those Rule Types are the same as your Data Sources: ASGARDs, NMAP Agents and CSV Templates.

Creating Assignment Rules

An Assignment Rule is stored inside an Assignment Set. One Assignment Set can contain multiple Assignment Rules. One Assignment Rule can contain multiple Conditions.

To create new Assignment Set, click + Create Set in the top right corner. You will be able to set a Description and a Type.

You also have the option to set Add new assets if no assign-rule matches. This option is helpful if you want to add new assets to the inventory analyzer.

This will create a new Assignment Set, which in turn can then be used to Add Assignment Rules to it.

Expand your Set on the left hand side, you will see that no rules are defined yet.

Create a new Assignment Rule by clicking Assignment Rule. You can specify conditions for this specific Assignment Rule.

In our example we created:

An Assignment Set with the type ASGARD
An Assignment Rule within the ASGARD Assignment Set
The rule contains the following conditions:
- If imported field ASGARD Addresses starts with value 172.16.100
- If imported field ASGARD Hostname starts with value win-

This means, if we create a Task to run a Discovery on one of our ASGARDs, and an asset with the IP 172.16.100.22 and Hostname win-example-01 is found, it will be added to our inventory. If the asset was already present in our inventory, it will be updated.

You can reorder the priority of single rules. The first has the highest priority.

Note

Conditions within a rule are connected with an AND operator. Rules within a set are connected with an OR operator.

You can change the order of the Rules within your Set. To do this, you can use the Action Buttons on the right hand side.

Overview of Conditions in a Assignment Rule

Tasks

Within the Tasks section of the Discovery menu, you can create on time tasks to search for new assets. Those tasks will only run once.

There are three different type of tasks, which are identical to your Data Sources:

ASGARD
NMAP Agent
CSV Import

ASGARD Task

The ASGARD Task will scan the selected ASGARD instance for all available, or rather connected, assets. How the assets are assigned will depend on your assignment rule.

After your task has finished, you can inspect the results:

You can also inspect the details of the found hostnames. Those details contain what RuleID matched in the task, where it was discovered and more.

NMAP Task

The NMAP Task will run an nmap scan from the defined data source. You have to provide the assignment ruleset, the agent and a scan target. The scan target can be in the following format:

FQDN, for example myhost.domain.local
Single IP, for example 192.168.0.122
Subnets, for example 192.168.0.0/24
Comma Separated, for example 192.168.0.1,5,10
- This would scan the hosts 192.168.0.1, 192.168.0.5 and 192.168.0.10
Ranges, for example 192.168.1-10.1
- This would scan the hosts 192.168.1.1 until 192.168.10.1
Or combinations, for example 192.168.0-10,20,30.1-20,30,40
You can use a combination of all of the above, for example myhost.domain.local 192.168.0.0/4 192.168.1-10.1-254

Hint

For a full explanation of the target specification, please see the official nmap documentation here.

For the Flags we also have a few predefined options:

Polite Scan - Scan my take ten times longer than a default scan. This is recommended for cautious (less aggressive) scans.
Operating System Fingerprint - Using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.
Ports Top 100 - This option specifies the number of ports to 100 to scan in each protocol. This will pick the most popular ports for you based on the new frequency data. Default is 1000
TCP Connect Scan - TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges

After choosing your input, you will see the Scan Arguments on the bottom.

You can inspect the results of your task just like any other task.

Hint

The result of a NMAP Task can be downloaded (XML file).

CSV Import

The CSV Import lets you upload a CSV file and import that way assets.

You can again chose an assignment ruleset and a template.

Inspecting the task will show you the columns which were used to import the file with additional information.

Scheduled Tasks

Scheduled Tasks are identical to normal tasks with the only exception to configure them for a specific Start Time and a schedule.

You can choose between the following Schedules:

Schedule
No (run only once)
Every day
Every 2 days
Every 4 days
Every week
Every 2 weeks
Every 3 weeks
Every month
Every 2 months

The overview will show you all of the scheduled tasks.

Hint

The result of a scheduled NMAP Task can be downloaded (XML file).

Settings

The Settings Section gives you the option to change and set up different administrative options for your Inventory Analyzer. You can create new users, define roles and install a TLS Certificate to avoid browser warnings.

Users

In the Users section, you will be able to review, create or delete users.

To create a new user, just click Add User in the top right corner and fill out the information. Roles can be created in the Roles view.

Roles

You can create different roles based on predefined sets of permissions/rights. After installation, you will only see the Admin role, but can add new roles as needed.

The following Rights can be configured:

Rights	Description
Admin	Right: User has administrative rights
Audit Log	Right: User can access Audit Logs
Manage ASGARDs	Rights: Adding, Removing and Updating ASGARDs
Manage Agents	Rights: Adding, Removing and Updating Agents
Manage Asset Columns	Rights: Adding, Removing and Updating Columns
Manage Assign Rules	Rights: Adding, Removing and Updating Assign Rulesets
Manage CSV Templates	Rights: Adding, Removing and Updating CSV Templates
Manage Tasks	Rights: Adding, Removing and Updating Tasks
Read Only	Restriction: User can only read

Note

Restrictions overwrite permissions. If you set Read Only for a Role, all users in the group will be restricted to read-only, regardless of other permissions in the same role.

TLS

You can install a TLS Certificate to avoid browser warnings when using your Inventory Analyzer.

To do this, navigate to Settings > TLS.

You need to generate a CSR (Certificate Signing Request) and let the CSR sign by your CA (Certificate Authority). Afterwards, you can install the certificate - generated and signed from your CA - in the same page.

Generating a CSR

To generate a CSR for your Certificate Authority, just fill in the correct information into the text fields. Most importantly is the Common Name field. Hostnames and IP Addresses are not needed, but are often used in organizations (subjectAlternativeName).

After filling out the information, click Generate CSR. You will be able to download the CSR now.

Password

This section allows the current user to change their password.

Known-Issues

This sections gives you an overview of known issues with the Inventory Analyzer. You can find

Open Issues

This section contains all the issues which are currently open.

Hint

There are no open issues at the moment.

Fixed Issues

This section contains all the issues which have been fixed already.

Hint

There are no fixed issues at the moment.

Index

Index