FusionInventory Agent
			---------------------

Description
-----------
The FusionInventory agent is a generic management agent. It can perform a
certain number of tasks, according to its own execution plan, or on behalf of a
GLPI server with fusioninventory plugin, acting as a control point.

Two of these tasks are included in agent source distribution, local inventory
and wake on lan. Other tasks are distributed separatly, excepted for binary
distributions where they are bundled together.

Dependencies
------------

Minimum perl version: 5.8

Additional mandatory perl modules:
- Digest::MD5
- XML::TreePP
- LWP
- Net::IP
- UNIVERSAL::require
- Mac::SysProfile (MacOs only)

Additional optional perl modules:
- Compress::Zlib, for message compression
- HTTP::Daemon, for web interface
- IO::Socket::SSL, for HTTPS support with certificate validation
- Net::CUPS (v0.60 minimum), for printers detection 
- Proc::Daemon, for daemon mode (Unix only)
- Proc::PID::File, for daemon mode (Unix only)

Additional optional programs:
- dmidecode, for hardware inventory
- lspci, for hardware inventory

Usage
-----
They are two different ways to run the agent:
- as a temporary process, exiting after completing its run
- as a permanent process, staying in memory permanently (daemon under Unix,
  service under Windows)

In the first case, the agent execution scheduling is controlled from local
system, and the memory footprint between agent executions is zero.

In second case, the agent execution scheduling is controlled from GLPI server,
as the agent runs regulary according to a parameter initially set in its
configuration (delaytime), overrided by the server at the first connection
(PROLOG_FREQ). Additionaly, the server may also initiate additional
out-of-schedule executions by sending HTTP requests if the web interface is
used. However, it also mean you have a full perl interpreter loaded in memory
constantly, and a network port open on your system with a process running with
full system privileges attached to it.

If you don't need to control agent execution from the server, and if you're
able to periodically launch the agent without resorting to its internal
scheduler, through cron on Unix systems, or scheduled tasks on Windows, you'd
better use first execution mode. The various installation procedure may offer
limited choice about initial configuration, but you should always be able to
change it thereafter.

When executing, the agent tries to runs every available task for every
configured target. A task is a specific kind of work to perform (local
inventory, network discovery, wake on lan, etc...), while a target is both a
recipient for the result and a controller for this work (an OCS server, a GLPI
server, a local directory, etc...). Only the local inventory task is compatible
with all kind of targets, tough, all others require a GLPI server target, and
will get discarded for other kind of target.

System-specific informations
----------------------------
On Solaris/SPARC, you must install sneep and record the Serial Number with it.
Download it from http://www.sun.com/download/products.xml?id=4304155a.

On Windows, we use an additional dmidecode binary shipped in the windows
distribution to retrieve many informations not available otherwise, including
fine-grained multi-cores CPUs identification. Unfortunatly, this binary is not
reliable enough to be used on Windows 2003, leading to less precise
inventories.

On any system, the privilege level used to run the agent will change inventory
results. Generally speaking, this means less results when run with lesser
privileges. On Windows, tough, running agent with SYSTEM privileges, which is
implicit if running as a service, does sometimes gives less results, especially
for shared printers only visible from a user account.

Security
--------
They are several potential security issues in fusioninventory.

First, the server automatically trust any received message, using the
identifier found in the message (unfortunatly called DEVICEID) to identify the
sending agent. If you want to protect your machine inventory from rogue
reports, you have to restrict access to the plugin location on your GLPI
server, typically using HTTP authentication. And preferentially over HTTPS,
to prevent password sniffing.

Second, some messages between the server and the agent may contain sensible
informations. For instance, NetInventory tasks involves sending SNMP
credentials from the server to the agent. In this case, HTTPS usage ensures
proper communication encryption.

Third, some tasks are explicitely designed to make the agent execute arbitrary
commands on its host. For instance, the Deploy task is used to install
software on agent side. In this case, HTTPS usage ensures proper server
authentication.

SSL support
-----------
LWP (also known as libwww-perl) is able to use either Crypt::SSLeay or
IO::Socket::SSL transparently as underlying socket implementation for HTTPS
support. However, only the second one is able to perform server certificate
validation. As a consequence, the agent will refuse to use HTTPS, and exit
immediatly if IO::Socket::SSL is not available, unless certificate checking has
been explicitely disabled (--no-ssl-check command line parameter, or
no-ssl-check configuration parameter).

The SSL protocol version supported by the agent is dependant of openssl
version. In particular, usage of specific certificate signature algorithms such
as SHA requires at least openssl 0.9.8o, as it is supposed to be allowed
starting from TLS 1.1 only. Failure to comply will result in error message such
as:
warning: TLS library problem: 14710:error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:

This can be controlled in the certificate itself:
[guillaume@beria ~]$ openssl x509 -noout -text -in cert.pem | grep Signature
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

The available workaround:
- ensure server certificate complies with clients capacities, using controlled
  certificate generation parameters
- ensure clients capacities matches server certificate properties, upgrading
  openssl and its perl bindings (Net::SSLeay)
- disable server certificate checking on client

Contacts
--------

Project websites:
* main site: http://www.fusioninventory.org
* forge: http://forge.fusioninventory.org

Project mailing lists:
* http://lists.alioth.debian.org/mailman/listinfo/fusioninventory-user
* http://lists.alioth.debian.org/mailman/listinfo/fusioninventory-devel

Project IRC channel:
* #FusionInventory on FreeNode IRC Network

Please report any issues on project forge bugtracker.

Authors 
-------
* Gonéri Le Bouder <goneri@rulezlan.org>>
* Guillaume Rousse <guillomovitch@gmail.com>

Copyright 2006-2010 OCS Inventory contributors
Copyright 2010-2012 FusionInventory Team

License
-------
This software is licensed under the terms of GPLv2+, see LICENSE file for
details.

Additional pieces of software
-----------------------------

The memconf script:
url: http://myweb.cableone.net/4schmidts/memconf.html
author: Tom Schmidt
copyright: 1996-2009 Tom Schmidt

FusionInventory::Agent::Task::Inventory::Input::Virtualization::Vmsystem
contains code from imvirt:
url: http://micky.ibh.net/~liske/imvirt.html
author: Thomas Liske <liske@ibh.de>
copyright: 2008 IBH IT-Service GmbH [http://www.ibh.de/]
License: GPLv2+

FusionInventory::Agent::Tools::Screen contains code from monitor-edid:
url: http://svn.mandriva.com/cgi-bin/viewvc.cgi/soft/monitor-edid
copyright: 2005 Mandriva
license: GPLv2+