Open-AudIT
https://www.open-audit.org/phpBB3/

OAv2 audit script
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=3401
Page 1 of 2

Author:  Mark [ Thu Aug 20, 2009 3:00 pm ]
Post subject:  OAv2 audit script

Anyone interested in helping me test the new audit script?
It isn't quite finished, and it's "local" only (no remote audits).

Missing bits are:
SHARES - get rmtshare.exe from OA server, if needed (rmtshare.exe is a free download from MS that enables retrieval of share permissions).
USB Attached Devices
SCSI Devices
Tape Information
Floppy Drives
Keyboard Information
Battery Information
Modem Information
Mouse Information
Printer Information


Code is attached.
Rename to audit_windows.vbs, then run with cscript audit_windows.vbs
It should produce a text file in the same directory.

Attachments:
File comment: audit script
audit_windows.txt [106.06 KiB]
Downloaded 731 times

Author:  A_Hull [ Thu Aug 20, 2009 8:49 pm ]
Post subject:  Re: OAv2 audit script

Works for me...

If you want a copy of the output, let me know and I'll audit my laptop in the house. (Too much confidential info on the corporate PC).

Author:  A_Hull [ Thu Aug 20, 2009 8:50 pm ]
Post subject:  Re: OAv2 audit script

BTW, can't you sleep?
:twisted:

Author:  Mark [ Thu Aug 20, 2009 9:50 pm ]
Post subject:  Re: OAv2 audit script

No need for me to have a copy.
Just have a look through it and see if it looks OK.
And I posted that at 3pm local time...

Author:  A_Hull [ Thu Aug 20, 2009 10:23 pm ]
Post subject:  Re: OAv2 audit script

[quote="Mark"]....
And I posted that at 3pm local time...[/quote]

... hmmmm maybe that's why I keep waking up my brother in Melbourne at 3 in the morning... :twisted:

The output looks OK. If I get a chance, I'll audit a virtual box and send the results if you want...

Author:  JayDee [ Thu Aug 20, 2009 10:56 pm ]
Post subject:  Re: OAv2 audit script

Mark,
Tried it on a couple of XP-SP2 boxes. Ran OK but the "Software Info" and/or the ".NET Assembly info" sections took a long time on one box at 90%+ CPU. Not sure if the message is before or after the section in question.
One buglet. The output file, <system_variables> section, was putting out closing markers of <variable_name> and <variable_value> instead of the preceding slash - </variable_name> - and so on.
I'll try it on some W2K3 servers later if I get a chance.

EDIT 14:35 EDT - Ran OK on W2K3 and W2K3 R2
John

Author:  Mark [ Fri Aug 21, 2009 7:28 am ]
Post subject:  Re: OAv2 audit script

Thanks John. Yep, the .NET info does chew up time and CPU. If you comment it out, you'll find it's heaps quicker. I do intend on leaving it in, but I also intend on providing a system to select the sections you want to create a customised audit script.

Author:  JayDee [ Fri Feb 12, 2010 12:42 am ]
Post subject:  Re: OAv2 audit script

Trying the latest audit_windows.vbs in the OAv2 Alpha release, it crashes when running on a Windows 7 Enterprise box at line 1234 - really!

This is the BHO section and lines 1233 & 1234 read
[code]if (system_os_full_name <> "Microsoft Windows 95" AND system_os_full_name <> "Microsoft Windows 98") then
set objWMIService_IE = GetObject("winmgmts:\\" & strComputer & "\root\cimv2\Applications\MicrosoftIE")[/code]

If I comment out this section the rest of the script runs fine and the whole thing works OK on Win XP boxes. Sadly I'm no WMI expert - anyone have any thoughts?
Thanks,
John

Author:  jpa [ Fri Feb 12, 2010 5:23 am ]
Post subject:  Re: OAv2 audit script

Found another crash problem with the audit script.

For writing the audit result output file I had to set the format argument of OpenTextFile to -1. I was getting an "Invalid procedure call or argument" crash.

This is likely due to garbage characters in the audit result caused by [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=8&t=3436]this problem[/url].

Other than that the audit worked on my first test system. I'll audit more machines and see what I get.

Author:  iamonlyafigment [ Fri Feb 12, 2010 8:05 am ]
Post subject:  Re: OAv2 audit script

It also seems the audit script crashes when Windows (7 Pro in this case) reports a memory card reader which the audit sees as a hard disk and it has null space in an integer field.

Author:  iamonlyafigment [ Fri Feb 12, 2010 8:07 am ]
Post subject:  Re: OAv2 audit script

[quote]Trying the latest audit_windows.vbs in the OAv2 Alpha release, it crashes when running on a Windows 7 Enterprise box at line 1234 - really![/quote]

JayDee, I think the issue here is the WMI class for IE in Windows 7. I had the same issue and used WMIExplorer and couldn't find the WMI class that the audit was trying to use, causing it to return an error.

Author:  Mark [ Fri Feb 12, 2010 8:29 am ]
Post subject:  Re: OAv2 audit script

[quote="jpa"]Found another crash problem with the audit script.

For writing the audit result output file I had to set the format argument of OpenTextFile to -1. I was getting an "Invalid procedure call or argument" crash.

This is likely due to garbage characters in the audit result caused by [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=8&t=3436]this problem[/url].

Other than that the audit worked on my first test system. I'll audit more machines and see what I get.[/quote]

I just had a read through that link. Damn. Not sure how to fix this. One thought though - in OAv2, the end goal is to have the audit script run locally on the machine being audited. Not (as in Open-AudIT), run from a remote computer. I plan to do this by using either PSEXEC (on the Windows side) or winexe (on the Linux side). Basically, it would connect to the remote PC, copy the audit script to it, set up a scheduled task (for say 1 minute's time) and then run the audit script on itself. Combine the fix mentioned in the thread (which only works locally) and I think we would have a fix. Only problem is I haven't coded the remote scripting stuff yet... and it wouldn't work from remote audits (even though I don't plan to use them).

More thought needed. Thanks though.

Author:  Mark [ Fri Feb 12, 2010 8:30 am ]
Post subject:  Re: OAv2 audit script

[quote="iamonlyafigment"]It also seems the audit script crashes when Windows (7 Pro in this case) reports a memory card reader which the audit sees as a hard disk and it has null space in an integer field.[/quote]

So, with this and the software issue, we need to work out what to do with NULL values returned... Thanks again for the feedback - much appreciated.

Author:  Mark [ Fri Feb 12, 2010 8:30 am ]
Post subject:  Re: OAv2 audit script

[quote="iamonlyafigment"][quote]Trying the latest audit_windows.vbs in the OAv2 Alpha release, it crashes when running on a Windows 7 Enterprise box at line 1234 - really![/quote]

JayDee, I think the issue here is the WMI class for IE in Windows 7. I had the same issue and used WMIExplorer and couldn't find the WMI class that the audit was trying to use, causing it to return an error.[/quote]

Great - easy fix then. Test to see if we're running on a Win7 machine and adjust accordingly. Will work on this.
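
The following is an added illustration, not code from audit_windows.vbs or from any poster in this thread. It shows one defensive pattern for the three crashes reported above: it probes for the MicrosoftIE WMI namespace rather than testing the OS version, coerces Null WMI values before using them as numbers, and opens the output file with the format argument set to -1 as jpa did. The helper names `ConnectNamespace` and `NumOrZero` and the output file name are hypothetical.

```vbscript
Option Explicit
' Added example; ConnectNamespace and NumOrZero are hypothetical helper names.
Const ForWriting = 2
Const FormatUnicode = -1      ' OpenTextFile format argument, as set by jpa
Dim strComputer : strComputer = "."

' Return a WMI service object, or Nothing if the namespace is absent.
Function ConnectNamespace(ns)
    Dim svc
    Set svc = Nothing
    On Error Resume Next
    Set svc = GetObject("winmgmts:\\" & strComputer & "\" & ns)
    If Err.Number <> 0 Then
        Err.Clear
        Set svc = Nothing
    End If
    On Error GoTo 0
    Set ConnectNamespace = svc
End Function

' Coerce a WMI value that may be Null or Empty (e.g. a card reader
' with no media reporting no Size) to a number.
Function NumOrZero(v)
    NumOrZero = 0
    If Not IsNull(v) And Not IsEmpty(v) Then
        If IsNumeric(v) Then NumOrZero = CDbl(v)
    End If
End Function

Dim fso, out, svcIE, svc, disk
Set fso = CreateObject("Scripting.FileSystemObject")
Set out = fso.OpenTextFile("audit_example.txt", ForWriting, True, FormatUnicode)

Set svcIE = ConnectNamespace("root\cimv2\Applications\MicrosoftIE")
If svcIE Is Nothing Then
    out.WriteLine "bho: MicrosoftIE namespace not found, section skipped"
Else
    out.WriteLine "bho: MicrosoftIE namespace available"
End If

Set svc = ConnectNamespace("root\cimv2")
If Not svc Is Nothing Then
    For Each disk In svc.ExecQuery("Select * from Win32_DiskDrive")
        out.WriteLine disk.Caption & ": " & Int(NumOrZero(disk.Size) / 1048576) & " MB"
    Next
End If
out.Close
```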

Author:  wnyhelpdesk [ Mon Mar 15, 2010 11:06 am ]
Post subject:  Re: OAv2 audit script

Mark,

Good work so far.

1. In OAV1 the script that performed the auditing assigned "" to initialize variables with an empty string. Wouldn't it be more practical, instead of initializing variables with "", to assign them something such as "Unknown"? Let me show you this screen shot where assigning "" to variables is problematic. [url]http://gyazo.com/909e710ad25329919334814bcf30a72e.png[/url]
Notice the empty version, yet there are 6 hosts with empty versions; it's just that I can't click on it to "drill down".

All times are UTC + 10 hours