Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Thu Mar 28, 2024 10:09 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 21 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: Windows Audit Issues
PostPosted: Fri Feb 25, 2011 1:18 am 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
Hi all

I have gone through pages and pages of information relating to doing Windows PC audit and I have been unable to find any information that has helped me, which is rather frustrating as I'm on a deadline to get my network Audited.

So I have gotten an Ubuntu 8.04 Desktop PC up and running and have OA runing on there. I have configured ldap as I want to scan my entire domain.
I edit the audit.config file and it is as follows:
[quote]'

' Standard audit section

'

audit_location = "r"

verbose = "y"

audit_host="http://192.168.16.249"

online = "yesxml"

strComputer = ""

ie_visible = "n"

ie_auto_submit = "y"

ie_submit_verbose = "n"

ie_form_page = audit_host + "/openaudit/admin_pc_add_1.php"

non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"

input_file = "pc_list_file.txt"



'

' Email authentication

'

'



email_to = "example@example.com"

email_from = "example@example.com"

'email_sender = "Open-AudIT"

email_server = "mail.example.com" ' IP address or FQDN

email_port = "25" ' The SMTP port

email_auth = "1" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM

email_user_id = "example@example.com" ' A valid Email account in user@domain format

email_user_pwd = "some_password" ' The SMTP email password

email_use_ssl = "false" ' True/False

email_timeout = "60" ' In seconds

send_email = "false" ' True/False - Enable/Disable email sending



audit_local_domain = "y"

'

' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap

'domain_type = "nt"



local_domain = "LDAP://mydomain.com"



'

' Example Set Domain name for NT ONLY for LDAP use the above format

' NOTE This is Case Sensetive. See the example below.

'

'local_domain = "WinNT://IEXPLORE"

'local_domain = "WinNT://<domainname>"

'



hfnet = "n"

Count = 0

number_of_audits = 60

script_name = "audit.vbs"

monitor_detect = "y"

printer_detect = "y"

software_audit = "y"

uuid_type = "uuid"

'

' Nmap section

'

nmap_tmp_cleanup = true ' Set this false if you want to leave the tmp files for analysis in your tmp folder

nmap_subnet = "192.168.16." ' The subnet you wish to scan

nmap_subnet_formatted = "192.168.016." ' The subnet padded with 0's

nmap_ie_form_page = audit_host + "/openaudit/admin_nmap_input.php"

nmap_ie_visible = "n"

nmap_ie_auto_close = "y"

nmap_ip_start = 1

nmap_ip_end = 254

nmap_syn_scan = "y" ' Tcp Syn scan

nmap_udp_scan = "y" ' UDP scan

nmap_srv_ver_scan = "y" ' Service version detection.

nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast


I then go to Audits menu, click on manage audits and create a new audit configuration after which I run it and all I get is:

[quote]Failed to run: Test (126)

Can someone please help, I tried to do it via a logon script but that went just as bad.

Oh I'm running OA Version 09.12.23, Ubuntu 8.04 and Server 2008 R2

Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Fri Feb 25, 2011 7:40 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
To start with I would get the latest version from SVN. [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]SVN tarball download[/url]

Then you should pick a method of auditing your machines. Use the web-schedule method which is available from the Audits -> Manage Audit menu and configure the scan properties from the web interface. Or use the cscript method where you edit the audit.config file and run "cscript audit.vbs" from the individual machine or from a central auditing machine in the case of a domain audit.

There are [url=http://chadsikorra.com/scripting/openaudit-web-schedule]some problems[/url] with the web-schedule method if you're running the server side on 64bit Linux or a locked down Apache. I don't use the web schedule method as it was written and included in OpenAudit after I had my system set up. I cscript audit.vbs with appropriate audit.config settings from a central Windows server as a user with Administrator rights on the targeted machines.

If you go the web-schedule route all your configuration is done through the web interface not audit.config and your server host must be supported.


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Fri Feb 25, 2011 2:27 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
Thanks, will give it a try and report back.
Would it make a difference if the Ubuntu box is running as a Guest OS on Hyper-V; the Ubuntu box is 32bit as I ran into the Web Schedule issues a few days ago on 64bit.


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Fri Feb 25, 2011 4:33 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
Ok, so I did what you mentioned and it's already going much better. I setup a test scan, but the results came back: Audit ended abnormally or something of the sorts.
I then read up on this: viewtopic.php?f=6&t=1464 again and thought that it might be due to insufficient rights, so I enabled ldap authentication and so now sit with this:
[quote]Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'openaudit'@'localhost' (using password: YES) in /var/www/openaudit/include_functions.php on line 1084

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /var/www/openaudit/include_functions.php on line 1085

Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /var/www/openaudit/include_functions.php on line 1095

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/openaudit/include_functions.php on line 1096

Warning: mysql_close(): no MySQL-Link resource supplied in /var/www/openaudit/include_functions.php on line 1115


I'm assuming it has something to do with ldap not being configured on MySQL or something...
Any ideas?

Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Sat Feb 26, 2011 2:41 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
[quote="djmohr"]
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'openaudit'@'localhost' (using password: YES) in /var/www/openaudit/include_functions.php on line 1084

This says to me that you need to grant rights to your OpenAudit database to user openaudit coming from localhost.

Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Mon Feb 28, 2011 3:49 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
OK, sorted out the MySQL issue but I still can't get any Audit to provide info.
When I run an Audit I get the following:

Audit Stopped Abnormally PCNAME 13007 28/02/11 10:00:07 am


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Wed Mar 02, 2011 10:46 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Without more logs to figure out what exactly is dying troubleshooting this is tough. Trouble is that none of this stuff is logged. As I've discovered while troubleshooting this the web schedule stuff has tons of places where things can go wrong without useful error messages. I couldn't even get a configuration saved initially because it doesn't handle MySQL setups with strict_mode set. Are you dead set on using the web schedule stuff rather than a normal cscript audit.vbs and audit.config setup? If so you'll need to post a whole lot more information about your configuration.


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Thu Mar 03, 2011 12:17 am 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
Suppose I'm just being lazy using the web schedule.
I'm open to the script, but I did have issues getting it to work but willing to have a look at it again with some guidance..


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Fri Mar 04, 2011 9:24 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
It shouldn't be very difficult as you've already got the audit.config file mostly done from the earlier post. You do need to get the local_domain line set with your current domain. Then from a Windows machine logged on as a user with administrator rights on the target machines you can run "cscript audit.vbs" and your domain should get audited and the data posted. Post any error messages if this doesn't work.

I can help troubleshoot the web schedule if you need but you'll need to edit-in some additional logging so we can see what's happening.


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Fri Mar 04, 2011 8:32 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
My current audit.config file:
Could you please point out what it is that I need to change and if there is anything that needs to be changed on other files.

'
' Standard audit section
'
audit_location = "r"
verbose = "y"
audit_host="http://support"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/openaudit/admin_pc_add_1.php"
non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"
input_file = "pc_list_file.txt"

'
' Email authentication
'
'

email_to = "example@example.com"
email_from = "example@example.com"
'email_sender = "Open-AudIT"
email_server = "mail.example.com" ' IP address or FQDN
email_port = "25" ' The SMTP port
email_auth = "1" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_user_id = "example@example.com" ' A valid Email account in user@domain format
email_user_pwd = "some_password" ' The SMTP email password
email_use_ssl = "false" ' True/False
email_timeout = "60" ' In seconds
send_email = "false" ' True/False - Enable/Disable email sending

audit_local_domain = "y"
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
'domain_type = "nt"

local_domain = "LDAP://example.local"

'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensetive. See the example below.
'
'local_domain = "WinNT://IEXPLORE"
'local_domain = "WinNT://<domainname>"
'

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
'
' Nmap section
'
nmap_tmp_cleanup = true ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_subnet = "192.168.0." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.000." ' The subnet padded with 0's
nmap_ie_form_page = audit_host + "/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "y" ' Tcp Syn scan
nmap_udp_scan = "y" ' UDP scan
nmap_srv_ver_scan = "y" ' Service version detection.
nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Sat Mar 05, 2011 5:54 am 
Offline
Contributor
User avatar

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
I think you only need to change this one, to match your company active directory name:

local_domain = "LDAP://example.local"

our is similar to this:

local_domain = "LDAP://company.com"

Also, if the windows firewall is in use for your windows systems, the "remote administration" firewall rule will need to be opened.

_________________
Server Info: running on a CentOS 7 vm
OA Version: 2.0.6 @ 500 devices


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Sat Mar 05, 2011 4:30 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
Cool will give it a try.

Our domain policy has the workstations firewalls disabled, so hopefully all goes well.


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Sat Mar 05, 2011 5:30 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
So I made the change to th audit.config file, added our domain: local_domain = "LDAP://company.com"
and got the follwoing error:

C:\Audit>cscript audit.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved

C:\Audit\audit.vbs(168, 1) msxml3.dll: System error: -2146697211.

I ran this as domain administrator on a test pc and tried as local admin and got the same results.

Suggestions?


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Sat Mar 05, 2011 5:47 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
ok finally
I had to edit the audit.vbs script
changed this_config_url = "http://openaudit/openaudit/list_export_config.php" to this_config_url = "http://serveripaddress/openaudit/list_export_config.php"

and it worked.


Top
 Profile  
Reply with quote  
 Post subject: Re: Windows Audit Issues
PostPosted: Sat Mar 05, 2011 9:45 pm 
Offline
Newbie

Joined: Wed Feb 23, 2011 4:06 pm
Posts: 14
OK, now got the script to run at logon; also managed to audit systems on my remote sites through our companies VPN link.

One thing the software is not providing me is some of the serial keys for our CAD software, so far it only shows MS software.

Any way it can show other software keys?


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 21 posts ]  Go to page 1, 2  Next

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group