How Discovery Works
A detailed look at what Open-AudIT does during a discovery — from Nmap scanning through credential testing, audit script execution, and data processing.
Understanding what Open-AudIT does during a discovery helps you troubleshoot problems, tune performance, and set realistic expectations. Here's a look at the process from start to finish.
The High-Level Process
When you click Execute on a discovery, Open-AudIT spawns a background process and returns you to the discovery details page immediately (so you're not sitting there waiting). That background process then:
- Runs an Nmap command to identify live IP addresses in the range
- Places each live IP into a processing queue
- Spawns up to 20 parallel worker processes (configurable via discovery_limit) to scan each IP
Each worker process handles one IP at a time, working through the steps below.
Per-Device Steps
Step 1: Port Scan
Nmap scans the top 1,000 TCP ports on the device, plus UDP port 161 (SNMP) and UDP port 62078 (Apple iOS). Based on which ports respond, Open-AudIT decides which protocols to try:
- Port 22 open → try SSH
- Port 135 open → try WMI (Windows)
- UDP 161 open → try SNMP
Note
A device with only UDP/161 open is treated as a false positive (many firewalls respond to SNMP queries even when no device is there, and UDP scanning cannot distinguish an unanswered probe from a filtered port). To override this, edit the discovery script and set consider_161_enough to "y".
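The port-to-protocol rules above, worked through as an added example that is not Open-AudIT's own code (the real discovery logic is PHP and is not reproduced on this page). It parses Nmap's grepable (-oG) output, which is a real format; the scan data below is constructed, and the function names are hypothetical. It applies the UDP/161-only false-positive rule and the consider_161_enough override, and orders the protocols the way the following steps try them (SNMP, then SSH, then WMI). It does not model the later "Windows running SSH" switch to WMI, which needs a login rather than a port list.

```python
"""Added example (not Open-AudIT's own code): turn Nmap grepable output
into the list of protocols to try per host, using the port rules this
page describes.

Labelled assumptions: the Nmap -oG line format is real, but the scan
below is constructed for this example, and every function name here is
hypothetical (Open-AudIT's discovery code is PHP, not shown here).
"""
import re

# Constructed sample of `nmap -oG -` output for four live hosts.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 161/open/udp//snmp///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 161/open/udp//snmp///\tIgnored State: closed (999)
Host: 10.0.0.12 ()\tStatus: Up
Host: 10.0.0.12 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# In -oG output the "Ports:" field is tab-delimited from its neighbours.
PORTS_LINE = re.compile(r"^Host: (?P<ip>\S+) .*?\tPorts: (?P<ports>[^\t]*)")


def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} for every port Nmap calls open.

    Each -oG port entry is port/state/proto/owner/service/rpc/version/.
    UDP ports Nmap could not confirm come back as 'open|filtered' and are
    deliberately not counted as open here.
    """
    hosts = {}
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open":
                open_ports.add((port, proto))
        hosts[m.group("ip")] = open_ports
    return hosts


def select_protocols(open_ports, consider_161_enough=False):
    """Apply the page's rules: UDP/161 -> SNMP, TCP/22 -> SSH, TCP/135 -> WMI.

    Returns the protocols in the order Open-AudIT tries them (SNMP, SSH,
    WMI), [] when no credentialed protocol applies, or None when the host
    is treated as a false positive (only UDP/161 answered and the
    discovery's consider_161_enough is not "y").
    """
    if open_ports == {(161, "udp")} and not consider_161_enough:
        return None
    protocols = []
    if (161, "udp") in open_ports:
        protocols.append("snmp")
    if (22, "tcp") in open_ports:
        protocols.append("ssh")
    if (135, "tcp") in open_ports:
        protocols.append("wmi")
    # UDP/62078 (Apple iOS) is probed too, but the page gives no
    # follow-on rule for it, so it is not mapped to a protocol here.
    return protocols


def plan_discovery(grepable_text, consider_161_enough=False):
    """Map every host in the scan to its protocol plan (or None)."""
    return {
        ip: select_protocols(ports, consider_161_enough)
        for ip, ports in parse_grepable(grepable_text).items()
    }


if __name__ == "__main__":
    for ip, plan in plan_discovery(SAMPLE_GREPABLE).items():
        label = "false positive, skipped" if plan is None else plan
        print(f"{ip:<12} {label}")
```

Run it as-is to see the four verdicts; pass consider_161_enough=True to plan_discovery to watch 10.0.0.9 flip from "skipped" to an SNMP-only plan. The distinction between None (skipped as a false positive) and [] (live, but nothing to log in with) is the one worth preserving when troubleshooting a host that "never shows up".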
Step 2: SNMP
If SNMP is available, Open-AudIT queries the device first. SNMP gives basic device information and works on almost everything — routers, switches, printers, Linux servers, and Windows machines with SNMP enabled.
Step 3: SSH
SSH is next. Open-AudIT supports both password and key-based authentication. For best results, use the root user or a sudo-enabled account. On Linux systems where sudo without a TTY is blocked (for example, by a requiretty default in sudoers), you'll need root credentials to get a complete audit.
If a Windows machine is running SSH, Open-AudIT detects this and switches to WMI instead.
Step 4: WMI
WMI (Windows Management Instrumentation) is used for Windows devices. An account with Administrator-level access is required for complete results.
Step 5: Audit Script
Once the initial connection is made, Open-AudIT copies the appropriate audit script to the device and runs it:
- On Linux/SSH: the script is copied to /tmp/ (configurable via discovery_linux_script_directory) and executed remotely. The device audits itself, generates an XML result file, and Open-AudIT retrieves and then deletes it.
- On Windows/WMI from a Linux server: the script is copied via SMB and executed remotely.
- On Windows/WMI from a Windows server: the script runs directly.
Supported operating systems for full audit scripts: Windows, Linux, macOS, AIX, HP-UX, Solaris, and ESXi.
The audit script is self-deleting on the target — it removes itself after running.
Step 6: Data Processing
The returned audit results are matched against existing devices in the database (see Matching Devices). If a match is found, the record is updated. If not, a new device record is created.
How Long Does it Take?
The honest answer: it depends. Factors include:
- Number of IPs in the scan range
- Network speed and latency
- Number of unique credentials being tested
- Device response times
- Type of devices (full OS audit takes longer than SNMP-only)
A practical guideline: keep discoveries to /24 subnets (256 IPs). Open-AudIT can handle larger ranges (customers have successfully scanned /16 subnets with 65,000+ IPs), but /24 blocks are far more manageable and easier to troubleshoot.
Useful Configuration Items
| Config Item | Default | What it Does |
|---|---|---|
| discovery_limit | 20 | Maximum number of parallel discovery worker processes |
| discovery_linux_script_directory | /tmp/ | Directory the audit script is copied to on Linux targets |
| log_level | 5 | Logging verbosity; increase to 7 for detailed debug output |