Open-AudIT

What's on your network?

All times are UTC + 10 hours




PostPosted: Thu Oct 13, 2011 2:22 am 
Newbie

Joined: Tue Jul 21, 2009 1:22 am
Posts: 8
Hello....

I had a post out on support because versions 8 and 9 of open audit were not picking up installed security patches on Windows 7.

I decided to investigate OAv2 in the meantime.....and it does the same thing.

The .NET 4 stuff shows up in the updates section:

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Extended (KB2416472) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Extended (KB2487367) 1 Microsoft Corporation
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) 1 Microsoft Corporation

But none of the other 65+ Windows patches are showing up.

I am thinking this may be a bad thing?

All help is appreciated.

Tom P


PostPosted: Thu Oct 13, 2011 7:37 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
As you've found, the hotfix information isn't stored the same in modern Windows and OpenAudit doesn't catch that in the audit. I've attached a quick mod to the OAv2 b3 audit to capture the hotfixes. Not tested much beyond my network. Mark should probably look at this to make sure it makes sense.

Basically added the following to audit the hotfixes in > WinVista.

Code:
' hotfixes
if (system_os_family = "Windows 2008" or system_os_family = "Windows 7" or system_os_family = "Windows Vista") then
   if debugging > "0" then wscript.echo "Hotfix info" end if
   set colItems2 = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering",,48)
   for each objItem2 in colItems2

      'on error goto 0
      
      result = result & "      <package>" & vbcrlf
      result = result & "         <software_name>" & escape_xml(objItem2.HotFixID) & "</software_name>" & vbcrlf
      result = result & "         <software_version></software_version>" & vbcrlf
      result = result & "         <software_location></software_location>" & vbcrlf
      result = result & "         <software_uninstall></software_uninstall>" & vbcrlf
      result = result & "         <software_install_date>" & escape_xml(objItem2.InstalledOn) & "</software_install_date>" & vbcrlf
      result = result & "         <software_publisher>Microsoft</software_publisher>" & vbcrlf
      result = result & "         <software_install_source></software_install_source>" & vbcrlf
      result = result & "         <software_system_component></software_system_component>" & vbcrlf
      result = result & "         <software_url>" & escape_xml(objItem2.Caption) & "</software_url>" & vbcrlf
      result = result & "         <software_email></software_email>" & vbcrlf
      result = result & "         <software_comment>update</software_comment>" & vbcrlf
      result = result & "         <software_code_base></software_code_base>" & vbcrlf
      result = result & "         <software_status></software_status>" & vbcrlf
      result = result & "         <software_installed_by>" & lcase(escape_xml(objItem2.InstalledBy)) & "</software_installed_by>" & vbcrlf
      result = result & "         <software_installed_on>" & escape_xml(objItem2.InstalledOn) & "</software_installed_on>" & vbcrlf
      result = result & "      </package>" & vbcrlf
   next
end if


Attachments:
audit_windows.vbs.txt [214.75 KiB]
Downloaded 90 times
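
As an added example (not part of the thread or of Open-AudIT's code), this Python code reads `<package>` records in the layout posted above, normalises the spellings Microsoft documents for `Win32_QuickFixEngineering.InstalledOn` (M/D/YYYY, YYYYMMDD, hex FILETIME) and lists required KBs the audit did not return. The sample XML, its `<software>` wrapper, the KB numbers and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample in the <package> layout the mod above emits. KB numbers
# and dates are made up; the date spellings are the ones InstalledOn can use.
def _pkg(name, installed, comment="update"):
    return ("<package><software_name>%s</software_name>"
            "<software_install_date>%s</software_install_date>"
            "<software_comment>%s</software_comment></package>"
            % (name, installed, comment))

SAMPLE_AUDIT = "<software>" + "".join([
    _pkg("KB9000001", "4/13/2011"),          # M/D/YYYY
    _pkg("KB9000002", "20110413"),           # YYYYMMDD
    _pkg("KB9000003", "01c97dfaa9e9de66"),   # 64-bit FILETIME in hex
    _pkg("KB9000004", ""),                   # install date unknown
    _pkg("Example App", "20110101", ""),     # ordinary software, not an update
]) + "</software>"

def parse_installed_on(raw):
    """Return InstalledOn as a date, or None when empty or unrecognised."""
    raw = (raw or "").strip()
    try:
        if len(raw) == 16:  # FILETIME: 100 ns ticks since 1601-01-01 UTC
            ticks = int(raw, 16)
            return (datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)).date()
    except (ValueError, OverflowError):
        return None
    for fmt in ("%m/%d/%Y", "%Y%m%d"):  # assumption: US month/day order
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            pass
    return None

def installed_hotfixes(audit_xml):
    """Map HotFixID -> install date for packages tagged as updates."""
    found = {}
    for pkg in ET.fromstring(audit_xml).iter("package"):
        if (pkg.findtext("software_comment") or "").strip() != "update":
            continue
        kb = (pkg.findtext("software_name") or "").strip().upper()
        if kb:
            found[kb] = parse_installed_on(pkg.findtext("software_install_date"))
    return found

def missing_hotfixes(audit_xml, required):
    """Required KB ids that the audit did not report."""
    have = installed_hotfixes(audit_xml)
    return sorted(kb.upper() for kb in required if kb.upper() not in have)
```

A KB reported missing here may still be present as an MSI-installed update: since Windows Vista, `Win32_QuickFixEngineering` returns only updates installed through Component Based Servicing.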
PostPosted: Thu Oct 13, 2011 7:57 am 
Newbie

Joined: Tue Jul 21, 2009 1:22 am
Posts: 8
Do you think that would work in the Version 8 and 9 OpenAudit scripts as well?

TP


PostPosted: Thu Oct 13, 2011 8:46 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
Wouldn't work as is but if I spent a few seconds and not too many brain cells I'd come up with the following attached audit script which may or may not work. The attached file is a modification of the audit script from SVN revision 1251. I'm not sure where you're getting the version 8 and 9 stuff from. I suggest you download the latest OpenAudit version 1 code from SVN if you want to use the old stuff.

This basically adds the following to the audit script:
Code:
' hotfix inventory
' Skipping if audited system is not Vista, W2k8 or Seven
if (CInt(SystemBuildNumber) >= 6000) then
   Set colItems = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering", , 48)
   For Each objItem In colItems

      version = ""
      uninstall_string = ""
      install_date = ""
      publisher = "Microsoft"
      install_source = ""
      install_location = ""
      system_component = ""
      display_name = ""

      display_name = objItem.hotFixID
      if (isnull(display_name)) then display_name = "" end if
      
      install_date = objItem.InstalledOn
      if (isnull(install_date)) then install_date = "" end if

      software_url = objItem.Caption
      if (isnull(software_url)) then software_url = "" end if

      if online = "p" then
        software = software & display_name & vbcrlf
      end if
      form_input = "software^^^" & clean(display_name)      & " ^^^" _
               & clean(version)           & " ^^^" _
               & clean(install_location)  & " ^^^" _
               & clean(uninstall_string)  & " ^^^" _
               & clean(install_date)      & " ^^^" _
               & clean(publisher)         & " ^^^" _
               & clean(install_source)    & " ^^^" _
               & clean(system_component)  & " ^^^" _
               & clean(software_url)      &  "^^^" _
               & clean(software_comments) & "^^^"
      entry form_input,comment,objTextFile,oAdd,oComment
      form_input = ""
   Next
end if


Attachments:
audit.vbs.txt [232.57 KiB]
Downloaded 102 times
PostPosted: Thu Oct 13, 2011 10:42 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1944
Location: Brisbane, Australia
Have incorporated this into beta4.
Thanks JPA. :D

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Thu Oct 13, 2011 11:09 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
Cool. Test! Test! Test! I literally spent 5 minutes on this and ran it against one Windows 7 box.


PostPosted: Fri Oct 14, 2011 1:54 am 
Offline
Newbie

Joined: Tue Jul 21, 2009 1:22 am
Posts: 8
When I mentioned Version 9....I should have been more specific for the rest....sorry...been one of those weeks.

http://sourceforge.net/projects/open-audit/files/

shows 9.12.23 which is SVN1223.....where does one find the SVN1251?

TP


PostPosted: Fri Oct 14, 2011 2:00 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
The Sourceforge Subversion repository via SVN client or

