Open-AudIT

What's on your network?

All times are UTC + 10 hours




Posted: Sun Apr 26, 2015 6:41 pm
Newbie

Joined: Thu Apr 09, 2015 4:30 pm
Posts: 25
Hi,

I'm using 1.6.2 and auditing Windows machines. I've added code into the vbs to update man_description in the system table. If I audit a NEW machine it does store the data into man_description; however, if I audit a machine that was audited before I added that line of code, it does not store anything in the man_description field.

Any ideas why it won't let me update it for older audited machines?

Thanks,
Stephen


Last edited by swilkey on Mon Apr 27, 2015 4:25 pm, edited 2 times in total.

Posted: Mon Apr 27, 2015 5:41 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
The "man_*" fields are for manually entered data. On first audit of a machine OpenAudit will populate many of the man_ fields with the first data it sees. So IP address gets stored into man_ipaddress. If the IP changes in the future the man_ipaddress from the initial audit is not updated.


Posted: Mon Apr 27, 2015 12:39 pm
Newbie

Joined: Thu Apr 09, 2015 4:30 pm
Posts: 25
Oh, thanks for that information jpa! That is a great help.
I didn't realise that the IP address would be static after initially recorded.


Last edited by swilkey on Mon Apr 27, 2015 4:26 pm, edited 1 time in total.

Posted: Mon Apr 27, 2015 2:58 pm
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Technically, the IP address is updated with each audit but the man_ipaddress is not. I'm fairly certain, but haven't really checked, that the OpenAudit web interface reports the man_ipaddress in most of its output.


Posted: Mon Apr 27, 2015 4:23 pm
Newbie

Joined: Thu Apr 09, 2015 4:30 pm
Posts: 25
Well I've been doing some testing and it is not actually consistent. If an audit supplies:
- man_owner
- man_org_id
- man_location_id
then these will all be updated. These were the only ones I tested. However, IP address, which would change much more regularly, is not updated.

How can we find out which manual fields are actually updated and which are not? It would be nice to understand the design logic behind why that is too.

Thanks,
Stephen


Posted: Tue Apr 28, 2015 3:51 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Hate to do this to you but it's complicated and you'll need to read the source to see what is going on.

See insert_system and update_system in code_igniter\application\models\m_system.php.


Posted: Tue Apr 28, 2015 8:41 pm
Newbie

Joined: Thu Apr 09, 2015 4:30 pm
Posts: 25
Thanks jpa. That is a great help - thanks for pointing me to the right place to look. I'll see if I can work it out and post back here so that everyone knows. I guess though that unless there are comments in the code I probably won't be able to explain why things are being done inconsistently, but let's see what I can find.
Regards,
Stephen


Posted: Wed Apr 29, 2015 9:25 am
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
The audit result is posted to system -> add_system
Line 739 in controllers/system.php calls a function to set the address, as below.
Code:
$this->m_ip_address->set_initial_address($details->system_id);

Look at the file models/m_ip_address.php and that function to see the logic.
It is below.
I have commented out the print_r that some idiot left in there.... It's difficult to get good help these days :oops:

You could force the setting of the address with each audit submission by changing line 739 to
Code:
$this->m_ip_address->set_initial_address($details->system_id, 'y');


The issue is that any manually set addresses would be overwritten if they are different, every time an audit is submitted.
If anyone would like to propose some logic for this (as opposed to actual code), I'm happy to listen.

Quote:
public function set_initial_address($system_id, $force = 'n')
{

    # new logic
    # only set an ip address if we do not already have an existing in system table
    # no unset ('', '0.0.0.0', '000.000.000.000') addresses
    # no localhost ('127.0.0.1', '127.000.000.001') addresses
    # no 169.254.x.x addresses (RFC 3927)
    # prefer non-DHCP address (ORDER BY sys_hw_network_card.net_dhcp_enabled ASC)
    # secondary prefer private to public ip address (pubpriv)

    # get the stored attribute for man_ip_address
    $sql = "SELECT man_ip_address, timestamp FROM system WHERE system_id = ?";
    $data = array("$system_id");
    $query = $this->db->query($sql, $data);
    $result = $query->result();
    if ($force == 'y' or $result[0]->man_ip_address == '' or $result[0]->man_ip_address == '000.000.000.000' or $result[0]->man_ip_address == '0.0.0.0') {
        # we do not already have an ip address - attempt to set one
        $sql = "SELECT
                sys_hw_network_card.net_dhcp_enabled,
                sys_hw_network_card_ip.ip_address_v4,
                if( (sys_hw_network_card_ip.ip_address_v4 >= '010.000.000.000' AND sys_hw_network_card_ip.ip_address_v4 <= '010.255.255.255') OR
                    (sys_hw_network_card_ip.ip_address_v4 >= '172.016.000.000' AND sys_hw_network_card_ip.ip_address_v4 <= '172.031.255.255') OR
                    (sys_hw_network_card_ip.ip_address_v4 >= '192.168.000.000' AND sys_hw_network_card_ip.ip_address_v4 <= '192.168.255.255'), 'prv', 'pub') as pubpriv
            FROM
                sys_hw_network_card LEFT JOIN sys_hw_network_card_ip ON
                (sys_hw_network_card.system_id = sys_hw_network_card_ip.system_id AND
                sys_hw_network_card.timestamp = sys_hw_network_card_ip.timestamp AND
                LOWER(sys_hw_network_card_ip.net_mac_address) = LOWER(sys_hw_network_card.net_mac_address))
            WHERE
                sys_hw_network_card.system_id = ? AND
                LOWER(sys_hw_network_card.net_ip_enabled) != 'false' AND
                sys_hw_network_card_ip.timestamp = ? AND
                sys_hw_network_card_ip.ip_address_v4 != '' AND
                sys_hw_network_card_ip.ip_address_v4 != '0.0.0.0' AND
                sys_hw_network_card_ip.ip_address_v4 != '000.000.000.000' AND
                sys_hw_network_card_ip.ip_address_v4 != '127.0.0.1' AND
                sys_hw_network_card_ip.ip_address_v4 != '127.000.000.001' AND
                sys_hw_network_card_ip.ip_address_v4 != '127.0.1.1' AND
                sys_hw_network_card_ip.ip_address_v4 != '127.000.001.001' AND
                sys_hw_network_card_ip.ip_address_v4 NOT LIKE '169.254.%'
            ORDER BY
                sys_hw_network_card.net_dhcp_enabled ASC,
                pubpriv ASC,
                sys_hw_network_card_ip.ip_address_v4 DESC
            LIMIT 1";
        $sql = $this->clean_sql($sql);
        $data = array("$system_id", $result[0]->timestamp);
        $query = $this->db->query($sql, $data);
        $result = $query->result();

        if (strtolower($result[0]->ip_address_v4) != '') {
            $sql = "UPDATE system SET man_ip_address = ? WHERE system_id = ?";
            $data = array($result[0]->ip_address_v4, "$system_id");
            $query = $this->db->query($sql, $data);
        }
    }
}

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.
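
The selection rules of set_initial_address quoted above, reimplemented in Python as an added example (this is not Open-AudIT code and not part of the post). The row layout and sample values are constructed, and addresses are normalised to the zero-padded form used by the query's range literals, which is also the form the function returns.

```python
# Added illustration, not Open-AudIT source. Row layout and values are constructed.
PRIVATE = (("010.000.000.000", "010.255.255.255"),
           ("172.016.000.000", "172.031.255.255"),
           ("192.168.000.000", "192.168.255.255"))
UNSET = {"", "000.000.000.000"}
LOOPBACK = {"127.000.000.001", "127.000.001.001"}

def pad(ip):
    """Zero-pad each octet ('10.0.0.5' -> '010.000.000.005'); '' stays ''."""
    return ".".join(octet.zfill(3) for octet in ip.split(".")) if ip else ""

def pubpriv(ip):
    """The query's string-range test; only correct on zero-padded input."""
    return "prv" if any(lo <= ip <= hi for lo, hi in PRIVATE) else "pub"

def pick_address(rows):
    """Apply the query's WHERE, ORDER BY and LIMIT 1 to a list of NIC rows."""
    usable = []
    for row in rows:
        ip = pad(row["ip_address_v4"])
        if row["net_ip_enabled"].lower() == "false":
            continue
        if ip in UNSET or ip in LOOPBACK or ip.startswith("169.254."):
            continue
        usable.append((row["net_dhcp_enabled"], pubpriv(ip), ip))
    usable.sort(key=lambda r: r[2], reverse=True)  # ip_address_v4 DESC
    usable.sort(key=lambda r: (r[0], r[1]))        # dhcp ASC, pubpriv ASC (stable sort)
    return usable[0][2] if usable else None        # None: the query returned no row

def set_initial_address(current, rows, force="n"):
    """Return man_ip_address as it stands after an audit submission."""
    if force == "y" or pad(current) in UNSET:
        candidate = pick_address(rows)
        if candidate:
            return candidate
    return current

# Constructed NIC rows for one audited machine.
ROWS = [
    {"net_ip_enabled": "true", "net_dhcp_enabled": "true", "ip_address_v4": "192.168.001.050"},
    {"net_ip_enabled": "true", "net_dhcp_enabled": "false", "ip_address_v4": "203.000.113.010"},
    {"net_ip_enabled": "true", "net_dhcp_enabled": "false", "ip_address_v4": "010.000.000.005"},
    {"net_ip_enabled": "true", "net_dhcp_enabled": "false", "ip_address_v4": "169.254.010.020"},
    {"net_ip_enabled": "true", "net_dhcp_enabled": "false", "ip_address_v4": "127.000.000.001"},
]

if __name__ == "__main__":
    print(set_initial_address("", ROWS), set_initial_address("192.168.001.099", ROWS))
```

An existing man_ip_address is returned unchanged unless force is 'y', which is the behaviour discussed in this thread. Calling pubpriv("10.1.2.3") on an unpadded value returns 'pub', because the string ranges only classify zero-padded addresses correctly.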


Posted: Tue Jun 30, 2015 1:18 pm
Newbie

Joined: Thu Apr 09, 2015 4:30 pm
Posts: 25
Hi Mark,

I've thought about your question at length. I haven't been able to come up with any good reason that we would ever want manually entered data to be trusted for accuracy over audited data. In my thinking if you are able to find out the information from an audit you would always want to override any manual information that had been entered into the database as the information collected from the audit will be more accurate and current. Can you think of any reason that this would not be the case?

Further observations as I looked through the code... note that I don't profess to be a PHP expert or a CodeIgniter expert and therefore some of my observations might be inaccurate.

The logic that I think I'm reading in the code for the following is "if it isn't already set or is set to blank, set it":
- man_ip_address - but this will change often, so why would you want to manually set an IP address that never changes in the database (even if it was a static IP address, if it is changed to a new static IP address surely you want to know it if an audit detects it has changed?)
- man_description - this might change, why would you want to manually set it in the database and not allow it to change if you have newer information?
- man_domain - this might change depending on an organisation's network design, again why would you want to trust a manually entered entry over an audit result?
- man_environment - I'm not actually sure what this is
- man_form_factor - this is unlikely to change so although my earlier comments would apply, it probably doesn't matter
- man_manufacturer - this is unlikely to change so although my earlier comments would apply, it probably doesn't matter
- man_model - this is unlikely to change so although my earlier comments would apply, it probably doesn't matter
- man_os_family - this is unlikely to change so although my earlier comments would apply, it probably doesn't matter
- man_os_group - I presume this is unlikely to change, so although my earlier comments would apply, it probably doesn't matter
- man_os_name - but this could change if the OS was upgraded. Are we supposed to know when it is upgraded and manually delete it from the database so it can be added again? What will happen when Windows 10 is installed on computers? My reading of the code makes me think that they will be stuck in the database as whatever version of Windows they previously had. Is this true?
- man_serial - this shouldn't change unless the computer gets a replacement motherboard, which could happen if the motherboard is faulty
- man_status - this is only likely to be updated in the database and wouldn't need to change from an audit.
- man_type - not sure what this is so I have no comment.
- man_location_id - this is not normally provided by the vbs, but if it were provided in the vbs I'd like to see it override anything in the database
- man_class - not sure what this is so I have no comment

These DO change when you do an audit, but I'm really not sure how yet!
- man_location_id
- man_org_id

I can't work out the code for whether these change or not. However, by testing, they don't. I would like them to as I've modified the audit code to be able to collect this information (as submitted to Mark recently). My theory remains, if you can collect it in an audit then you should trust it more than if it was manually entered into the database at some historical point:
- man_owner
- man_description

This is what I think the overall current logic in the php code is:
- load all the details from the audit into some sort of a named array or something
- unset anything we don't want to change based on logic that considers the type of audit and the existing contents of the database
- submit all the details we didn't unset into the database

Therefore any man_ item that is not specifically named in m_system.php that is supplied by the audit script WILL be loaded into the database. Those that are named in m_system.php are checked and may be prevented from updating if there is information already in the database or other logic applies.

I hope this is helpful for your thinking. Please feel free to correct any misunderstandings I might have created with misinformation from my analysis.

Regards,
Stephen


Posted: Tue Jun 30, 2015 2:43 pm
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
I just ignore the man_ fields for the very reason you specify. Audited data goes into the non-man_* fields so I use those. I think the man_* fields are specifically designed to override the audit data but get a jump start with audit data if they're empty. The main problem is that the OpenAudit interface seems to display the man_* fields more than the straight audit fields. So in my usage OA scripts do a great job auditing my data and I normally view the raw tables to review things.

Not much help but I think the man_* fields are the way they are by design and unlikely to change.


Posted: Mon Jul 06, 2015 4:45 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Not all devices provide a serial number, model or manufacturer for example.
Remember - ANY device with an IP address could end up in the database.
