Open-AudIT

What's on your network?

All times are UTC + 10 hours




PostPosted: Tue Aug 30, 2011 11:54 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
The submitted audit's XML has the sections occur in the following order
... other items.
software
services
keys
routes

I am seeing a lot of occurrences of a submitted audit (by the domain audit or list audit scripts) not completing. It usually fails in the software or services section. As a result, the next time an audit for that system is submitted and completes, OAv2 assumes "oh, none of these services, keys or routes exist - they must all be new".

This happens because when an audit does not complete, after initially getting to (say) the software section, the following sections do not get processed and the individual rows in the relevant tables (services, keys & routes) do not get their timestamps updated.

So - I'm seeing a fair bit of this.

I've tried throwing extra resources at the OAv2 server - it doesn't seem to make a difference.

I have altered the DB slightly to add an extra field in the sys_man_audits table. Now, as each section of the XML audit is processed, an update is posted to this field. So, when (say) the software section of the XML is about to be processed, the row for the audit in sys_man_audits has its audit_debug field updated to simply show "software". The final update to this row, upon completion of the audit, is to simply remove the contents of that field. The result is that I can check the table for any rows that contain data in the audit_debug field. If any do, then the audit has not finished, and the last section processed is noted in the field.

So...

I tried it this morning on an audit_list.vbs run with ~50 systems in the list, processing 8 at a time. It was sending info to an OAv2 server on my local machine (a desktop Core2Duo @ 2.33GHz with 2GB memory and a normal SATA drive). Out of the ~50 systems, 6 systems report that they did not finish and the last section was "services".

My desktop should have plenty of power to process these systems (8 at a time) to not timeout. If I re-audit any of these 8, they complete successfully - so that would indicate it's not bad data related (FYI - I have also fixed once-and-for-all the UTF-8 issues). I'm scratching my head a bit here - so any thoughts would be appreciated. Is anyone else seeing a lot of false "alerts" that look like all the services / keys / routes on a system are newly installed, when you know they are not?

I am thinking (assuming I fail to work out the actual cause), that I can implement a hack to fix this. When an audit is submitted, check to see if the last audit on that system failed. If so, update the timestamps on the relevant (subsequent) tables to reflect the last audit timestamp.

This would work - but it's ugly and would create a dependency on the audit results being submitted in a specific order. IE - if it failed on SOFTWARE, then I need to update software, services, keys & routes. If it failed on SERVICES, I would need to update services, keys & routes. This would then fail to account for changes on those tables, as at the previous audit.

I don't like that idea, but am at a loss to explain why the audits are failing and may be forced to implement it.

If anyone can offer thoughts around this, please, please do post here.

In my mind the "alerts" feature of OAv2 is one of its most compelling. We use it here to track unauthorised changes on our server fleet. It is a valuable feature that I've not seen in other products.

Help :?

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
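
The progress marker, the false "new" alerts and the timestamp workaround described in the post above, as an added example that is not part of the original post and is not Open-AudIT's own code. Only the `sys_man_audits` table, its `audit_debug` field and the section order come from the thread; the single `items` table (standing in for the per-section tables), the other columns, the alert rule and all function names are assumptions, and the audit data is constructed.

```python
import sqlite3

SECTIONS = ["software", "services", "keys", "routes"]  # order given in the post

def process_audit(db, system, ts, audit, fail_in=None, workaround=False):
    prev = db.execute("SELECT ts, audit_debug FROM sys_man_audits WHERE system=?"
                      " ORDER BY id DESC LIMIT 1", (system,)).fetchone()
    if workaround and prev and prev[1]:
        # Last audit stopped in section prev[1]: re-stamp that section and every
        # later one with the failed audit's timestamp before comparing.
        done = db.execute("SELECT MAX(ts) FROM sys_man_audits WHERE system=?"
                          " AND audit_debug=''", (system,)).fetchone()[0]
        for s in SECTIONS[SECTIONS.index(prev[1]):]:
            db.execute("UPDATE items SET last_seen=? WHERE system=? AND section=?"
                       " AND last_seen>=?", (prev[0], system, s, done))
    aid = db.execute("INSERT INTO sys_man_audits (system, ts, audit_debug)"
                     " VALUES (?, ?, '')", (system, ts)).lastrowid
    alerts = {}
    for section in SECTIONS:
        db.execute("UPDATE sys_man_audits SET audit_debug=? WHERE id=?", (section, aid))
        if section == fail_in:
            return alerts  # simulated dropped submission: marker stays set
        for name in audit[section]:
            row = db.execute("SELECT last_seen FROM items WHERE system=? AND"
                             " section=? AND name=?", (system, section, name)).fetchone()
            # Assumed alert rule: "new" means not stamped by the previous audit.
            if prev and (row is None or row[0] != prev[0]):
                alerts.setdefault(section, []).append(name)
            db.execute("INSERT OR REPLACE INTO items VALUES (?, ?, ?, ?)",
                       (system, section, name, ts))
    db.execute("UPDATE sys_man_audits SET audit_debug='' WHERE id=?", (aid,))
    return alerts

def unfinished(db):  # audits whose marker was never cleared
    return db.execute("SELECT system, ts, audit_debug FROM sys_man_audits"
                      " WHERE audit_debug<>''").fetchall()

def demo(workaround):
    db = sqlite3.connect(":memory:")
    # Assumed schema; only sys_man_audits.audit_debug is named in the thread.
    db.executescript(
        "CREATE TABLE sys_man_audits (id INTEGER PRIMARY KEY, system, ts, audit_debug);"
        "CREATE TABLE items (system, section, name, last_seen,"
        " PRIMARY KEY (system, section, name));")
    audit = {"software": ["7-Zip"], "services": ["Spooler"],  # constructed sample
             "keys": ["HKLM\\Example"], "routes": ["0.0.0.0/0"]}
    process_audit(db, "pc1", 100, audit)                      # completes
    process_audit(db, "pc1", 200, audit, fail_in="services")  # stops early
    return process_audit(db, "pc1", 300, audit, workaround=workaround), unfinished(db)
```

`demo(False)` reports every unchanged service, key and route as new after the interrupted audit, while `demo(True)` reports none; in both cases `unfinished()` still lists the interrupted audit and the section it stopped in.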


PostPosted: Tue Aug 30, 2011 4:13 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Update.

I have my (development) audit_windows.vbs set to display the resulting page after audit submission if debug is set to "2".
I just tried auditing some more systems.
I received the attached error (screenshot) for three systems.
This indicates to me that (for some unknown reason) when attempting to submit the audit, my request was being routed through our external proxy. My settings within Internet Explorer have set my local machine name (wjkdcs1s) as not to be proxied. Even more weird, you would think none of the audit (for these three systems) would have been sent. Apparently _some_ of it must have been, as they show up in the sys_man_audits table (as described above) with the final section being the SERVICES section.

So - it looks to be some weird thing occurring at my site. Hopefully others are not having this issue. Please do post here if you are.

One thing this has made apparent, I had removed the "use_proxy" setting in audit_windows.vbs - even though you can set it from the command line. I'll have to dig up the code and re-insert it - then try again and see what happens.

More updates to follow - but it's home time right now...

PostPosted: Thu Sep 01, 2011 6:58 pm 
Newbie

Joined: Tue Jun 07, 2011 6:06 pm
Posts: 24
Mark,

While I can't offer a great deal of help on the matter, I too am seeing similar issues with Beta 2.
Beta 1 did see systems auditing more regularly - but the script had certain elements commented out (mounts).

The server I am using is OpenSuSE, Apache, 8GB RAM, SAS disks, Gb Ethernet - so resource shouldn't be an issue. Audits are done at login, with a delay of 60 secs. Users filter in over a period of an hour. If I manually run the vbs script, more often than not the system will update and complete.

We do use a proxy server which is set by group policy. It's a transparent Squid proxy. Machines are forced to "Automatically Detect Settings". The OAv2 server has a local ip and dns - which should force the proxy server to be taken out of the equation - but does appear to be a similar issue on the face of it.

I'm happy to run some tests if you'd like?

_________________
Auditing 5 companies, 10 sites, 13 servers & 300 workstations.


PostPosted: Fri Sep 02, 2011 12:13 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
I think I've found it. Am testing it.
Looks like there were a couple of bugs.
One when a service was changed (not added or removed) and another in the ip route stuff.
Man - what a load off my mind.
A bug (or two) is fine - I can easily fix those (assuming I can actually find them) - but some generic infrastructure issue.... That would have been a nightmare and forced me to rethink a LOT of stuff. As it was, it couldn't be used (with reliability) in production.

My sincerest apologies for those that have been inflicted with this.

I will endeavour to release another beta ASAP to address these issues. It won't have the number of features I had wanted in it, but I think fixing these bugs is much more important. Look for it sometime before the end of next week. There will be database schema changes and an upgrade script.

Again, my apologies to all affected by this (f*cking annoying) bug.

PostPosted: Fri Sep 02, 2011 6:06 pm 
Newbie

Joined: Tue Jun 07, 2011 6:06 pm
Posts: 24
It has definitely been frustrating Mark - but this is a beta after all :wink:

Fantastic news that you've sorted it. Happy to test at my site if you require.

Cheers,
Gareth
