Wyko / netcrawl

Netcrawl is a tool designed to discover and poll one or more devices, inventory them, and then provide useful data on the processed devices.
http://netcrawl.readthedocs.io

MAC audit module #16

Closed Wyko closed 7 years ago

Wyko commented 7 years ago

The MAC Audit module will take a CSV (or any other input, as added in the future) and compare it with the database of polled MAC addresses. The purpose is for things like rogue AP audits, where a rogue device may be detected, its MAC polled, and then compared against MACs connected to switchports for a similar OUI.

For each csv mac address:

  1. Get a list of all polled MAC addresses in the given subnet
  2. Compare the CSV MAC against the polled MACs
  3. Generate a confidence rating that indicates how similar the MACs are

The csv needs at minimum the mac column as well as either a network_ip column or an ip and subnet column.

Challenges:

Wyko commented 7 years ago

Solution:

  1. Use ARP instead of MAC Address Table
     Pros:
     - ARP is actually designed for this use case, since it ties IPs to MACs
     Cons:
     - Layer 2 devices will not have a related entry
     - Will have to establish scanning for ARP entries

  2. Tie MAC entries to a device's IPs
     For each unique subnet from the CSV, collect a list of the MAC addresses which have that subnet as at least one network on its associated device.
     Cons:
     - Less accurate

Wyko commented 7 years ago

Implemented in the tools.mac_audit module
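
The audit loop described in this issue, sketched as an added example; it is not the code in netcrawl's tools.mac_audit module. Assumptions: the confidence rating is the share of leading hex digits two MACs have in common, polled data arrives as (mac, device network) pairs as in option 2 above, and the function names, threshold and sample data are hypothetical.

```python
import csv
import io
import ipaddress
import os
import re

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, whatever separators it used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def confidence(mac_a, mac_b):
    """Assumed metric: fraction of leading hex digits shared (OUI match alone = 0.5)."""
    a, b = normalize_mac(mac_a), normalize_mac(mac_b)
    return len(os.path.commonprefix([a, b])) / 12

def row_network(row):
    """Subnet from the network_ip column, else from the ip and subnet columns."""
    if row.get("network_ip"):
        return ipaddress.ip_network(row["network_ip"], strict=False)
    return ipaddress.ip_network(f"{row['ip']}/{row['subnet']}", strict=False)

def audit(csv_text, polled, threshold=0.5):
    """polled: (mac, network) pairs, one per network on the MAC's associated device."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = row_network(row)
        candidates = [m for m, n in polled if ipaddress.ip_network(n, strict=False) == net]
        scored = sorted(((confidence(row["mac"], m), m) for m in candidates), reverse=True)
        results.append((row["mac"], [(m, round(c, 2)) for c, m in scored if c >= threshold]))
    return results

# Constructed sample data: two detected MACs and four polled switchport entries.
SAMPLE_CSV = """mac,network_ip,ip,subnet
00:1A:2B:3C:4D:5F,10.0.10.0/24,,
aa-bb-cc-dd-ee-01,,10.0.20.15,255.255.255.0
"""
SAMPLE_POLLED = [
    ("001a.2b3c.4d5e", "10.0.10.0/24"),
    ("001a.2bff.0001", "10.0.10.0/24"),
    ("001a.2b3c.4d5e", "10.0.30.0/24"),
    ("aabb.ccdd.ee00", "10.0.20.0/24"),
]
```

Calling `audit(SAMPLE_CSV, SAMPLE_POLLED)` returns, for each CSV MAC, the polled MACs in the same subnet ranked by confidence; entries in other subnets are never compared.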