Open-AudIT

What's on your network?
 Post subject: Re: Linux auditing?
PostPosted: Sat Jan 12, 2013 4:52 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1935
Location: Brisbane, Australia
Quote:
but I'm still getting "Speed: 0 MB/s" in the OAv2 web interface (including for the wireless device that shows 72.2 in SQL).


The speed should be stored in Kb, not Mb. Times it by 1,000 and you should fix the issue :D

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


 Post subject: Re: Linux auditing?
PostPosted: Sun Jan 13, 2013 5:08 am 
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
Mark wrote:
Might as well add in the Memory Serial #.


Done... sorta... I get the serial numbers in the XML:

Code:
<memory>
    <slot>
        <bank>ChannelA-DIMM0</bank>
        <type>Synchronous</type>
        <form_factor>SODIMM</form_factor>
        <detail>DDR3</detail>
        <capacity>4096</capacity>
        <speed>1333</speed>
        <tag>BANK 0</tag>
        <serial>0C853278</serial>
    </slot>
    <slot>
        <bank>ChannelB-DIMM0</bank>
        <type>Synchronous</type>
        <form_factor>SODIMM</form_factor>
        <detail>DDR3</detail>
        <capacity>4096</capacity>
        <speed>1333</speed>
        <tag>BANK 2</tag>
        <serial>163B4898</serial>
    </slot>
</memory>


But I don't see them loaded into the database:

Code:
mysql> SELECT * FROM sys_hw_memory WHERE system_id = '24';
+-----------+-----------+----------------+-------------+--------------------+---------------+-----------------+--------------+------------+---------------------+---------------------+
| memory_id | system_id | memory_bank    | memory_type | memory_form_factor | memory_detail | memory_capacity | memory_speed | memory_tag | timestamp           | first_timestamp     |
+-----------+-----------+----------------+-------------+--------------------+---------------+-----------------+--------------+------------+---------------------+---------------------+
|        36 |        24 | ChannelA-DIMM0 | Synchronous | SODIMM             | DDR3          |            4096 |         1333 | BANK 0     | 2013-01-12 10:47:06 | 2013-01-12 10:47:06 |
|        37 |        24 | ChannelB-DIMM0 | Synchronous | SODIMM             | DDR3          |            4096 |         1333 | BANK 2     | 2013-01-12 10:47:06 | 2013-01-12 10:47:06 |
+-----------+-----------+----------------+-------------+--------------------+---------------+-----------------+--------------+------------+---------------------+---------------------+
2 rows in set (0.00 sec)


... perhaps this isn't implemented in the back-end yet?

I committed it anyway since it does add what was requested and doesn't seem to have any negative impact on previously audited things.

https://bazaar.launchpad.net/~ihashacks/oav2/linux-audit-additions/revision/50


 Post subject: Re: Linux auditing?
PostPosted: Mon Jan 14, 2013 8:50 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1935
Location: Brisbane, Australia
Memory serial is in the back end.
Can't remember which version I implemented it in.
Make sure you're on 7.3.
v8 should be coming very soon now, too.



 Post subject: Re: Linux auditing?
PostPosted: Mon Jan 14, 2013 2:30 pm 
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
Mark wrote:
Memory serial is in the back end.

I guess I'll have to dig deeper then. I'm definitely using the zip from OAv2_beta_7.3. I tried using latest BZR at one point but that was fubar'ed. The SQL DB wouldn't even import.


BTW, release 51 is up. I have put basic support for services on CentOS/RedHat. I have service name and startup type (Auto vs. Manual). All services are listed (regardless of start type). I determine what is an "auto" service based on whether or not it loads at the system default runlevel:

Code:
INITDEFAULT=$($OA_AWK -F: '/id:/,/:initdefault:/ { print $2 }' /etc/inittab)
$OA_CHKCONFIG |\
$OA_AWK -v ID="$INITDEFAULT" '{
    print "\t\t<service>\n\t\t\t<service_name>"$1"</service_name>";
    if ($5 == ID":on") print "\t\t\t<service_start_mode>Auto</service_start_mode>";
    else if ($5 == ID":off") print "\t\t\t<service_start_mode>Manual</service_start_mode>";
    print "\t\t</service>"
}'



I'm trying really hard to get the service description as described in:

Code:
grep -h description: /etc/init.d/* | sed -e 's/.*description:[ \t]*//' -e 's/[ \t]\\$//'

... but I can't quite get the damn thing wedged into my awk up above

I get this:

Code:
chkconfig | awk -v ID=$INITDEFAULT ' {  print "\t<service>\n\t\t<service_name>"$1"</service_name>"; if ($5 ==ID":on") print "\t\t<service_start_mode>Auto</service_start_mode>"; else if ($5 ==ID":off") print "\t\t<service_start_mode>Manual</service_start_mode>"; "grep description: /etc/init.d/"$1 |&getline $1; print "\t\t<service_description>"$1"</service_description>"; print "\t</service>" } '


But it looks like this:

Code:
<service>
                <service_name>sshd</service_name>
                <service_start_mode>Auto</service_start_mode>
                <service_description># description: SSH is a protocol for secure remote shell access. \</service_description>
        </service>


When I try to throw that sed up above in there, I just get "syntax error" from awk.

I have no idea yet how I want to tackle the mix of SysV and Upstart boot scripts in Ubuntu. As much as I love Ubuntu, at least RedHat based distros have one cohesive approach to startup scripts. ;-)
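An added example, not the script from the post above and not part of audit_linux.sh, showing one way to emit the <service> elements the post is after: the init.d "description:" text is folded in, backslash-continued header lines are joined, and the result is XML-escaped so a stray "&" or "<" in a description cannot break the audit document. The function names, the sample init scripts and the chkconfig lines are all constructed here.

```shell
# XML-escape stdin (the same treatment any free text placed in the audit XML needs).
xml_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Print the "# description:" text of a SysV init script ($1), joining the
# backslash-continued lines the chkconfig header format allows.
service_description() {
    awk '
        /^#[ \t]*description:/ { sub(/^#[ \t]*description:[ \t]*/, ""); cont = 1 }
        cont {
            line = $0; sub(/^#[ \t]*/, "", line)       # drop the "#" on continuation lines
            if (sub(/[ \t]*\\$/, "", line)) { out = out line " "; next }
            out = out line; cont = 0
        }
        END { sub(/[ \t]+$/, "", out); print out }
    ' "$1"
}

# One <service> element: $1 name, $2 chkconfig field for the default runlevel
# (e.g. "3:on"), $3 default runlevel, $4 path of the init script.
service_xml() {
    case $2 in
        "$3:on")  mode=Auto ;;
        "$3:off") mode=Manual ;;
        *)        mode=Unknown ;;
    esac
    printf '\t\t<service>\n\t\t\t<service_name>%s</service_name>\n' "$(printf '%s' "$1" | xml_escape)"
    printf '\t\t\t<service_start_mode>%s</service_start_mode>\n' "$mode"
    printf '\t\t\t<service_description>%s</service_description>\n' "$(service_description "$4" | xml_escape)"
    printf '\t\t</service>\n'
}

# Constructed sample data standing in for /etc/init.d and `chkconfig` output.
SAMPLE_DIR=$(mktemp -d) && trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd" <<'EOF'
# description: SSH is a protocol for secure remote shell access. \
#              This service starts up the OpenSSH server daemon.
EOF
printf '# description: Apache <httpd> & friends\n' > "$SAMPLE_DIR/httpd"
CHKCONFIG_OUT='sshd   0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd  0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# Runlevel N sits in chkconfig field N+2 (field 5 for runlevel 3, as in the post).
services_xml() {
    printf '%s\n' "$CHKCONFIG_OUT" | awk -v rl="$1" '{ print $1, $(rl + 2) }' |
    while read -r name field; do
        service_xml "$name" "$field" "$1" "$SAMPLE_DIR/$name"
    done
}
```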


 Post subject: Re: Linux auditing?
PostPosted: Fri Jan 18, 2013 8:47 pm 
Newbie

Joined: Thu Jan 17, 2013 12:13 am
Posts: 4
Hi, thanks for the great work on the audit_linux.sh script.

Not sure if this is supposed to be posted here or as a new topic.

OAv2 (beta7.3) is running on a LAMP stack.
I'm using the latest revision (55) of the audit_linux.sh script but I'm running into an issue when selecting submit_online='y'.
After a few unsuccessful tries I edited line 1243 and removed the "2>/dev/null".
Running the script again I received the error "./audit_linux.sh: line 1243: /usr/bin/wget: Argument list too long".

After a bit of research (google) I found that this is apparently not a wget error but a shell error.

Any pointers that will help fix this would be great.

I'm fairly new to Linux and did I mention this is my first post.
Thanks

:D


 Post subject: Re: Linux auditing?
PostPosted: Sat Jan 19, 2013 7:24 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
I'm not a Linux guy either but it seems we should use wget --post-file rather than --post-data.


 Post subject: Re: Linux auditing?
PostPosted: Sat Jan 19, 2013 9:21 am 
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
How did you guys know that was on my TODO list? :)

Code:
/apps/oav2% ztodo list | grep wget
 9: investigate other XML options as wget chokes after a certain size


I have noticed that as well. If the XML gets to a certain size it is too much to pass through as a variable. I noticed it once I added in installed software.

Code:
% wc -l rocket-20130118151242.xml
16585 rocket-20130118151242.xml


~16k lines of XML on my laptop which has over 3k packages installed.

Code:
% wc -l openaudit-20130118151339.xml
2381 openaudit-20130118151339.xml


~2k lines of XML on a server with no GUI, no -dev packages, etc. The latter of course uploads just fine.


Quote:
it seems we should use wget --post-file rather than --post-data.


I started poking around with that earlier this week. I don't recall what issue I had, but nothing ended up getting imported at all. I'm *hoping* to get that resolved this weekend.


 Post subject: Re: Linux auditing?
PostPosted: Sat Jan 19, 2013 10:40 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1935
Location: Brisbane, Australia
We should look at compressing the XML (zip), uploading, then uncompressing on the server...
The PHP Zip module is installed by default on Ubuntu if you install via tasksel.



 Post subject: Re: Linux auditing?
PostPosted: Sat Jan 19, 2013 4:45 pm 
Newbie

Joined: Thu Jan 17, 2013 12:13 am
Posts: 4
I tried using --post-files but guess I got the syntax wrong.
If you need anyone to test just let me know.
I'll keep trying though.
:D :D :D

_________________
Server Info:
OS : (Windows 2003, Windows 2008, Windows XP, Windows 7, Ubuntu)
Auditing: 80 machines
LDAP: (Active Directory, OpenLDAP)


 Post subject: Re: Linux auditing?
PostPosted: Sat Jan 19, 2013 4:48 pm 
Newbie

Joined: Thu Jan 17, 2013 12:13 am
Posts: 4
Also I forgot to mention that the manual copy, paste and clicking submit works... :D



 Post subject: Re: Linux auditing?
PostPosted: Mon Jan 21, 2013 11:30 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1935
Location: Brisbane, Australia
Apparently the error stems from the memory allocated to bash AND wget cannot do what we want.
I've sent ihashacks some code to increase the memory for bash, send the XML, then revert back to normal.
Here's the unedited and untested code:

Get the amount of memory reserved and store it in a variable.
Code:
stack_mem=`ulimit -s`


Increase amount of memory to something suitable.
Code:
ulimit -s 65536


Send WGET command.
Code:
wget --delete-after --post-data="submit=submit&form_systemXML=$xml_results" $url 2>/dev/null


Revert memory to initial value as stored in the variable.
Code:
ulimit -s $stack_mem


ihashacks may want to test with suitable sizes so we don't simply increase it by a massive amount and cause issues on low memory systems.



 Post subject: Re: Linux auditing?
PostPosted: Mon Jan 21, 2013 2:40 pm 
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
I *think* my patch is almost done. I was able to switch over to post-file but am receiving a different error. Before I commit the patch I want to figure out if the new error is because of an unrelated issue in the audit script creating bad XML or if the giant XML is still an issue just moving up the ladder.


 Post subject: Re: Linux auditing?
PostPosted: Mon Jan 21, 2013 3:10 pm 
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
BOOM:

Code:
------------------------------------------------------------
revno: 58
committer: Brandon Pierce <brandon@ihashacks.com>
branch nick: linux-audit-additions
timestamp: Sun 2013-01-20 21:04:12 -0800
message:
  switched to wget --post-file to avoid "Argument list too long"
  more sanitization of the software_url to avoid breaking the XML


https://bazaar.launchpad.net/~ihashacks/oav2/linux-audit-additions/revision/58


Thank you everyone for reporting issues and helping me to resolve them. Please break this update too! :)
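An added example for the two posts above (the ulimit workaround and the switch in revision 58 to --post-file); it is not code from audit_linux.sh or from that revision. It posts the audit XML from a private temp file rather than a command-line argument, which matters twice over on Linux: a single argv string is capped at MAX_ARG_STRLEN (128 KiB with 4 KiB pages) whatever `ulimit -s` is raised to, and anything passed via --post-data is readable by every local user in /proc/<pid>/cmdline. The function names, the OAV2_SUBMIT switch and the generated package list are assumptions of this example.

```shell
# Return 0 only if a payload of $1 bytes could be passed as a single argument.
fits_in_one_argument() {
    max_arg_strlen=131072                              # 32 pages of 4 KiB
    arg_max=$(getconf ARG_MAX 2>/dev/null || echo "$max_arg_strlen")
    [ "$1" -lt "$max_arg_strlen" ] && [ "$1" -lt "$arg_max" ]
}

# Write the form body to a private temp file (mktemp creates it mode 0600, so
# other local users cannot read serials or the package list) and print its path.
write_post_file() {
    file=$(mktemp "${TMPDIR:-/tmp}/oav2-audit.XXXXXX") || return 1
    printf 'submit=submit&form_systemXML=%s' "$1" > "$file"
    printf '%s\n' "$file"
}

# Upload with --post-file and remove the temp file afterwards. The network call
# only runs when OAV2_SUBMIT is set, so the block can be exercised offline.
submit_audit() {
    xml_results=$1; url=$2
    post_file=$(write_post_file "$xml_results") || return 1
    status=0
    if [ -n "$OAV2_SUBMIT" ]; then
        wget --delete-after --post-file="$post_file" "$url" || status=$?
    fi
    rm -f "$post_file"
    return "$status"
}

# Constructed stand-in for a large audit: ~20k <package> lines, well past 128 KiB.
big_xml() {
    awk 'BEGIN { print "<system><software>"
                 for (i = 0; i < 20000; i++) print "<package><name>pkg" i "</name></package>"
                 print "</software></system>" }'
}
```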


 Post subject: Re: Linux auditing?
PostPosted: Mon Jan 21, 2013 9:42 pm 
Newbie

Joined: Thu Jan 17, 2013 12:13 am
Posts: 4
Thanks ihashacks,
Great work...

The comment on the server url states to use the OAv2 "submit" page.
Changing the url by removing "/add_system" does not work.
I had to leave "/add_system" in the url path to have it work.
Code:
# the address of the OAv2 server "submit" page
url="http://my_OAv2_server/oav2/index.php/system/add_system"


PostPosted: Fri Apr 19, 2013 9:58 am 
Newbie

Joined: Sat Apr 13, 2013 10:32 am
Posts: 24
I am sure this is something environmental on my CentOS release 5.8 (Final) boxes, just looking for a point in the right direction. When I run the script I receive the following output.

System Info
./audit_linux.sh: line 513: -s: command not found
./audit_linux.sh: line 517: -s: command not found
./audit_linux.sh: line 527: -s: command not found
BIOS Info
Processor Info
./audit_linux.sh: line 695: -t: command not found
./audit_linux.sh: line 718: -t: command not found

On my Ubuntu 12.0.4 TLS boxes it runs perfectly.

Also on the network side I receive the following.

Network Cards Info
/bin/cat: /sys/class/net/44 bond0/address: No such file or directory
audit_linux.sh: line 1028: -vms: command not found
audit_linux.sh: line 1032: -vms: command not found
audit_linux.sh: line 1042: 44 bond0: command not found
/bin/cat: /sys/class/net/44 bond0/operstate: No such file or directory
audit_linux.sh: line 1008: addr: command not found
audit_linux.sh: line 1008: addr: command not found
/bin/cat: /sys/class/net/32 bonding_masters/address: No such file or directory
audit_linux.sh: line 1028: -vms: command not found
audit_linux.sh: line 1032: -vms: command not found
audit_linux.sh: line 1042: 32 bonding_masters: command not found
/bin/cat: /sys/class/net/32 bonding_masters/operstate: No such file or directory
audit_linux.sh: line 1008: addr: command not found
audit_linux.sh: line 1008: addr: command not found
/bin/cat: /sys/class/net/50 eth0/address: No such file or directory
audit_linux.sh: line 1028: -vms: command not found
audit_linux.sh: line 1032: -vms: command not found
audit_linux.sh: line 1042: 50 eth0: command not found
/bin/cat: /sys/class/net/50 eth0/operstate: No such file or directory
audit_linux.sh: line 1008: addr: command not found
audit_linux.sh: line 1008: addr: command not found
/bin/cat: /sys/class/net/48 eth1/address: No such file or directory
audit_linux.sh: line 1028: -vms: command not found
audit_linux.sh: line 1032: -vms: command not found
audit_linux.sh: line 1042: 48 eth1: command not found
/bin/cat: /sys/class/net/48 eth1/operstate: No such file or directory
audit_linux.sh: line 1008: addr: command not found
audit_linux.sh: line 1008: addr: command not found
/bin/cat: /sys/class/net/48 eth2/address: No such file or directory
audit_linux.sh: line 1028: -vms: command not found
audit_linux.sh: line 1032: -vms: command not found
audit_linux.sh: line 1042: 48 eth2: command not found
/bin/cat: /sys/class/net/48 eth2/operstate: No such file or directory
audit_linux.sh: line 1008: addr: command not found
audit_linux.sh: line 1008: addr: command not found
/bin/cat: /sys/class/net/48 eth3/address: No such file or directory
audit_linux.sh: line 1028: -vms: command not found
audit_linux.sh: line 1032: -vms: command not found
audit_linux.sh: line 1042: 48 eth3: command not found
/bin/cat: /sys/class/net/48 eth3/operstate: No such file or directory
audit_linux.sh: line 1008: addr: command not found
audit_linux.sh: line 1008: addr: command not found
/bin/cat: /sys/class/net/48 sit0/address: No such file or directory
audit_linux.sh: line 1028: -vms: command not found
audit_linux.sh: line 1032: -vms: command not found
audit_linux.sh: line 1042: 48 sit0: command not found
/bin/cat: /sys/class/net/48 sit0/operstate: No such file or directory
audit_linux.sh: line 1008: addr: command not found
audit_linux.sh: line 1008: addr: command not found

Any help would be greatly appreciated.

:)

