Add Node Group

The term 'node' in Cloudhouse Guardian (Guardian) represents any scannable object in your environment. Anything with an IP address or a single cloud entity can be added to your environment as a node. Node groups are used to group nodes with similar properties and roles. For more information on node groups and their purpose, see Node Groups.

There are two types of node groups you can create: a standard (static) node group or a dynamic node group. Dynamic node groups are defined by a pattern or common attribute that is set via a dynamic search query. Any nodes that would be returned by the query are automatically assigned to the node group. Once a node no longer meets the criteria stipulated in the query, it is removed. Standard node groups are static in nature – without manual intervention, the group will remain exactly as it was upon creation, until it is edited or deleted. However, there are many opportunities for customization within either group type.

The following topic describes how to create a node group, including the various methods of customization available during this process. For more information on the difference between a static and dynamic node group, see Static / Dynamic Node Groups.

Screenshot of the Monitored tab in Guardian, with a red border around the 'Add Node Group' button displayed within the Node Groups drop-down menu.

To add a new node group, complete the following steps:

  1. In the Guardian web application, navigate to the Monitored tab (Inventory > Monitored). By default, all currently monitored nodes are displayed.

  2. In the Node Groups drop-down menu, click the Add Node Group button. The node group's settings page is then displayed.

  3. Enter the information required in each of the following sections, according to the types of nodes you intend to be scanned:

    Section Description
    General

    Identifying information about the node group. The following fields are displayed:

    • Name field – The display name for the node group.

    • Description (Optional) field – Description of the node group and its configurations.

    • Notify on Group Diff checkbox – Option to report any group diff in scheduled environment scan reports. For more information on group difference reports, see Group Differencing.

    Dynamic Group Query (Optional)

    Option to add a dynamic query that will automatically add node types that meet the specified criteria to the node group. This additional step makes the node group dynamic. For more information on how to do this, see Dynamic Group Queries.

    Node Rules

    Option to use regular expressions to set one or more rules that automatically add nodes meeting the specified criteria to the node group. For more information on how to do this, see Node Rules.

    Scan Directories

    The directories to be scanned for files. Multiple files, or patterns representing groups of files, can be specified one per line. The following options are displayed:

    • Path field – The absolute path to the file or folder that you want to be scanned. For example, C:\Windows\System32. For more information on the different syntax and rules you can use here, see Syntax Rules.

    • Priority field – The priority of the file(s), as a number from 1 to 1000, where 1 is the highest priority you can set. For more information, see Custom Order of Precedence.

      Note: Since file scan options are set within node groups and nodes can be assigned to multiple node groups, there is a possibility that a conflict could occur. For example, if the priority is set to '1000' (the lowest priority) in one node group and '1' (the highest priority) in another, the higher priority is used by default.

    • Contents checkbox – Option to scan the raw file contents. This option is only valid for text files.

      Note: By default, the scan collects text file contents as an MD5 checksum. If the Contents checkbox is selected, the scan will read the raw contents of the file and enable change detection to be executed on the file contents.

    • Last Modified checkbox – Option to scan the last modified time stamp of the file(s) and display it within the scan results.

    • Allow Missing checkbox – Option to allow the presence of missing files within a scan. If selected, an error is not triggered if one or more of the stipulated file(s) are not present.

    • Scan-Type drop-down list – Select whether you want to include 'Config' files, 'Real-time' events, or 'Both' options in your file scans.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to add the scan directory to your node group's settings. Repeat as required.

    Warning: The contents of binary files and files exceeding 100KB are not retrieved during a scan, regardless of whether the Contents checkbox is selected.

    Etcd Keys

    The key value pairs to be scanned for etcd files. The following options are displayed:

    • Path field – The absolute path to the file or folder that you want to be scanned. For example, C:\Windows\System32.

    • Contents field – Option to scan the raw key contents.

      Note: By default, the scan collects text file contents as an MD5 checksum. If the Contents checkbox is selected, the scan will read the raw contents of the key and enable change detection to be executed on the key contents.

    Warning: The contents of binary files and files exceeding 100KB are not retrieved during a scan, regardless of whether the Contents checkbox is selected.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to add the etcd keys to your node group's settings. Repeat as required. For more information on the different syntax and rules you can use, see Syntax Rules.

    Custom Scripts (Linux only)

    Custom scripts for Linux nodes to be run and scanned. Custom scripts enable you to run commands outside of those provided by a default node scan. The following options are displayed:

    Note: This functionality requires Guardian Agent v3.1.1.

    • Description field – The display name for the scan results.

    • Key Name field – The key name specifies which field uniquely identifies the row. This is especially useful in scenarios where multiple results are returned by the query.

    • Query field – By default, queries are interpreted to be bash scripts, but it is recommended to specify the shell explicitly at the top of your script. For example, '#!/bin/bash', '#!/usr/bin/env ruby', or '#!/usr/bin/env python'.

      Tip: For more information on different queries you can use, see Custom Scripts (Linux only).

    Returned scripts are displayed as flat files under the scripts section of the visualization. For more information, see Node Scan Results. This allows you to return data that may not have a strictly defined structure.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the custom scripts to your node group's settings. Repeat as required.

    Sections (Windows and Linux only)

    Additional sections that you want to be scanned. Enter a value in the Additional Scan Sections field. For example, 'CertStore' or 'docker', for Windows and Linux nodes respectively.

    Note: For Windows nodes only, you can enter 'IIS' to be scanned by your Windows Connection Manager. Once the scan options are saved and applied, the next time the nodes are scanned, the IIS setting is displayed in the node scan results page.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to add the scan sections to your node group's settings. Repeat as required. For more information on IIS settings for Windows only nodes, see Sections (Windows and Linux only).

    NMAP (Linux only)

    Additional arguments to be used during NMAP scanning. Enter an argument in the NMAP field to initiate an NMAP scan via the Linux Connection Manager (using the provided settings).

    Ports for this scan can be designated in the following ways:

    • Single port – 5985.

    • Set of ports – 5985, 5986, 1433.

    • Range of ports – 1-1024.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the NMAP settings to your node group. Repeat as required. For more information, see NMAP (Linux only).

    PowerShell Queries (Windows only)

    PowerShell queries to be run and scanned by your Windows Connection Manager. The following options are displayed:

    Note: This functionality requires Guardian Agent v3.1.1.

    • Description field – The display name for the scan results.

    • Key Name field – The key name specifies which field uniquely identifies the row. This is especially useful in scenarios where multiple results are returned by the query.

    • Query field – The PowerShell query to be run by the Windows Connection Manager.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the PowerShell queries to your node group's settings. Repeat as required. For more information, see PowerShell (Windows only).

    Registry Keys (Windows only)

    Registry keys to be scanned by your Windows Connection Manager. Enter the absolute path to a key value name or parent key path in the Registry Key field. Abbreviations such as 'HKLM' are supported. For example: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\DataBasePath.

    Note: For scanning multiple registry sub keys, Guardian supports glob syntax to make it easier to work with multiple files that share the same or similar file names. For sub keys, '*' functions as a wildcard and '**' functions as a recursive wildcard. For more information, see Syntax Rules.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the registry keys to your node group's settings. Repeat as required. For more information, see Registry (Windows only).

    Group Policy Objects (Windows only)

    Group Policy Objects (GPO) to be scanned by your Windows Connection Manager. Enter the name of the GPO as it appears in the Windows Group Policy Management Console.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the Group Policy Objects to your node group's settings. Repeat as required. For more information, see Group Policy (Windows only).

    SQL Queries (Databases only)

    SQL queries to be run, with the results scanned to detect changes to, for example, database table schemas, triggers, stored procedures, or indexes. To detect column or attribute changes, you can select on your database's schema table. For example, you would set the schema for the first Microsoft SQL Server database and select the sales column data: use sales select * from information_schema.columns.

    The following options are displayed:

    • Description field – The display name for the scan results.

    • Key Column 1 field – The key column specifies which field uniquely identifies the row. This is especially useful in scenarios where multiple results are returned by the query.

    • Key Column 2 field – The key column specifies which field uniquely identifies the row.

    • Query field – The SQL query to monitor the stipulated schema.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the SQL queries to your node group's settings. Repeat as required.

    Connectivity

    Any connectivity checks that you want to be done against the host and port, via TCP or UDP connection protocol, to determine whether a node is able to establish a connection to a specific system (or service) via the specified port.

    The following options are displayed:

    • Host field – The Fully Qualified Domain Name (FQDN) or IP address.

    • Port field – The port to use for the connection.

    • Protocol drop-down list – The connection protocol to use, select 'TCP' or 'UDP' from the drop-down list.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the connectivity checks to your node group's settings. Repeat as required.

    Web

    Any Web checks that you want to be done against an endpoint URL to determine whether a node is able to connect to the Web endpoint and, optionally, retrieve the contents of the response body.

    The following options are displayed:

    • Label field – The display name for the scan results.

    • URL field – The endpoint URL to connect to.

    • Verb drop-down list – The type of request, select 'GET' or 'POST' from the drop-down list.

    • Contents checkbox – Option to retrieve and store the contents of the response body.

    Note: By default, the scan collects text file contents as an MD5 checksum. If the Contents checkbox is selected, the scan will read the raw contents of the file and enable change detection to be executed on the file contents.

    Warning: The contents of binary files and files exceeding 100KB are not retrieved during a scan, regardless of whether the Contents checkbox is selected.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the Web checks to your node group's settings. Repeat as required.

    Ports

    The ports to be scanned. By default, active local TCP and UDP ports 1 - 1024 are scanned. Here, you can specify a range of ports to be scanned.

    The following options are displayed:

    • Protocol drop-down list – The connection protocol to use, select 'TCP' or 'UDP' from the drop-down list.

    • Port field – The ports to be scanned. To specify a range of ports, use M-N syntax. For example, 20-30. Alternatively, you can specify a number of individual ports in a comma-separated list. For example, 22,80,443.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to add the ports to your node group's settings. Repeat as required.

    Ignored Items

    The configuration items that you have set to be ignored from node scans and drift reports. Click to Edit or Delete (Delete button as shown in the Guardian user interface.) items from this list. For more information on how to add a configuration item to the ignore list, see Node Scan Ignore Lists.

    Group Diff Ignored Items

    The configuration items that you have set to be ignored from group difference reports. Click to Edit or Delete (Delete button as shown in the Guardian user interface.) items from this list. For more information on how to add a configuration item to the ignore list, see Group Diff Ignore Lists.

    Text Excluded When Comparing

    Any text that you want to be excluded during differencing. For more information, see Configuration Differencing. Enter text that you want to be excluded in the Text to Exclude field, using regular expressions (RegEx). For example, to exclude any string that starts with 'version', use '^version\s\d+'.

    Once complete, click the Check button (Checkmark button as shown in the Guardian user interface.) to apply the setting to your node group's configuration settings. Repeat as required.

  4. Once complete, click to Save your changes and create the node group.

If successful, a confirmation message is displayed and the new node group is created and displayed. You can then begin adding nodes to your group. For more information, see Node Groups.

Note: If you added a dynamic group query, Guardian will automatically start adding nodes that match the stipulated criteria to your node group.
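
The Scan Directories warning above means that selecting the Contents checkbox does not guarantee that file contents are collected. The following added example (not Guardian code) is a pre-flight check for paths you plan to add with Contents selected. It assumes '100KB' means 100 × 1024 bytes and uses a NUL-byte/UTF-8 heuristic for 'binary', neither of which the page specifies; the function names are illustrative.

```python
import os
import tempfile

MAX_CONTENT_BYTES = 100 * 1024  # assumption: "100KB" means 100 * 1024 bytes


def is_binary(data):
    """Assumed heuristic: a NUL byte or invalid UTF-8 marks a binary file."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def preflight(path, allow_missing=False):
    """Return (contents_retrieved, reason) for a path with Contents selected."""
    if not os.path.isfile(path):
        reason = "missing, allowed" if allow_missing else "missing, scan error"
        return (False, reason)
    if os.path.getsize(path) > MAX_CONTENT_BYTES:
        return (False, "exceeds 100KB")
    with open(path, "rb") as handle:
        if is_binary(handle.read()):
            return (False, "binary")
    return (True, "text within limit")


def demo():
    """Check constructed sample files written to a temporary directory."""
    samples = {
        "app.conf": b"listen_port = 8443\n",
        "edge.txt": b"y" * MAX_CONTENT_BYTES,        # exactly at the limit
        "big.log": b"x" * (MAX_CONTENT_BYTES + 1),   # one byte over
        "tool.bin": b"\x7fELF\x02\x01\x01\x00",      # contains a NUL byte
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as handle:
                handle.write(data)
        names = list(samples) + ["gone.conf"]  # never created: Allow Missing case
        return {n: preflight(os.path.join(tmp, n), True) for n in names}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} {verdict}")
```

Files reported as not retrieved will not have their raw contents available for change detection, so large logs or binaries are better covered by a different check than Contents.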
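
The Text Excluded When Comparing setting above removes matching text before two scans are differenced, so an over-broad pattern can hide real drift. The following added example (not Guardian code) runs the page's pattern '^version\s\d+' and a constructed catch-all pattern over two constructed snapshots. It assumes exclusions are applied line by line, which the page does not state; the function names are illustrative.

```python
import re
from itertools import zip_longest

PAGE_PATTERN = r"^version\s\d+"   # example given in the section above
BROAD_PATTERN = r"^\w+\s.*"       # constructed: a careless catch-all rule

# Constructed snapshots of one configuration file from two scans.
BEFORE = "version 41\nPermitRootLogin no\nagent_version 7\n"
AFTER = "version 42\nPermitRootLogin yes\nagent_version 8\n"


def strip_excluded(line, patterns):
    """Remove every match of each exclusion pattern from one line.

    Assumption: exclusions are applied per line, before comparison.
    """
    for pattern in patterns:
        line = re.sub(pattern, "", line)
    return line


def drift(before, after, patterns=()):
    """Return 1-based line numbers that still differ after exclusion."""
    pairs = zip_longest(before.splitlines(), after.splitlines(), fillvalue="")
    return [
        number for number, (old, new) in enumerate(pairs, start=1)
        if strip_excluded(old, patterns) != strip_excluded(new, patterns)
    ]


def touched(text, patterns):
    """List the lines a pattern would alter, for review before saving it."""
    return [
        line for line in text.splitlines()
        if strip_excluded(line, patterns) != line
    ]


if __name__ == "__main__":
    print("no exclusion :", drift(BEFORE, AFTER))
    print("page pattern :", drift(BEFORE, AFTER, [PAGE_PATTERN]))
    print("broad pattern:", drift(BEFORE, AFTER, [BROAD_PATTERN]))
    print("broad touches:", touched(AFTER, [BROAD_PATTERN]))
```

The anchored page pattern suppresses only the 'version' line, while the catch-all pattern also hides the PermitRootLogin change; running `touched` over a recent scan before saving a pattern shows exactly which lines it would mask.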