Open-AudIT

All times are UTC + 10 hours

PostPosted: Thu Oct 13, 2011 2:22 am
Newbie

Joined: Tue Jul 21, 2009 1:22 am
Posts: 8
Hello....

I had a post out on support because versions 8 and 9 of open audit were not picking up installed security patches on Windows 7.

I decided to investigate OAv2 in the meantime.....and it does the same thing.

The .NET 4 stuff shows up in the updates section:

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Extended (KB2416472) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Extended (KB2487367) 1 Microsoft Corporation
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) 1 Microsoft Corporation

But none of the other 65+ Windows patches are showing up.

I am thinking this may be a bad thing?

All help is appreciated.

Tom P


PostPosted: Thu Oct 13, 2011 7:37 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
As you've found, the hotfix information isn't stored the same in modern Windows, and OpenAudit doesn't catch that in the audit. I've attached a quick mod to the OAv2 b3 audit to capture the hotfixes. Not tested much beyond my network. Mark should probably look at this to make sure it makes sense.

Basically added the following to audit the hotfixes in > WinVista.

[code]
' hotfixes
' Vista and later: read installed hotfixes from the Win32_QuickFixEngineering WMI class
if (system_os_family = "Windows 2008" or system_os_family = "Windows 7" or system_os_family = "Windows Vista") then
    if debugging > "0" then wscript.echo "Hotfix info" end if
    ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    set colItems2 = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering",,48)
    for each objItem2 in colItems2

        'on error goto 0

        ' one <package> element per hotfix; HotFixID (the KB number) is used as the name
        result = result & " <package>" & vbcrlf
        result = result & " <software_name>" & escape_xml(objItem2.HotFixID) & "</software_name>" & vbcrlf
        result = result & " <software_version></software_version>" & vbcrlf
        result = result & " <software_location></software_location>" & vbcrlf
        result = result & " <software_uninstall></software_uninstall>" & vbcrlf
        result = result & " <software_install_date>" & escape_xml(objItem2.InstalledOn) & "</software_install_date>" & vbcrlf
        result = result & " <software_publisher>Microsoft</software_publisher>" & vbcrlf
        result = result & " <software_install_source></software_install_source>" & vbcrlf
        result = result & " <software_system_component></software_system_component>" & vbcrlf
        result = result & " <software_url>" & escape_xml(objItem2.Caption) & "</software_url>" & vbcrlf
        result = result & " <software_email></software_email>" & vbcrlf
        ' "update" marks the package as a patch rather than ordinary software
        result = result & " <software_comment>update</software_comment>" & vbcrlf
        result = result & " <software_code_base></software_code_base>" & vbcrlf
        result = result & " <software_status></software_status>" & vbcrlf
        result = result & " <software_installed_by>" & lcase(escape_xml(objItem2.InstalledBy)) & "</software_installed_by>" & vbcrlf
        result = result & " <software_installed_on>" & escape_xml(objItem2.InstalledOn) & "</software_installed_on>" & vbcrlf
        result = result & " </package>" & vbcrlf
    next
end if[/code]


Attachments:
audit_windows.vbs.txt [214.75 KiB]
Downloaded 378 times
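
A server-side check a patch auditor might run over the XML the snippet above emits, as an added example that is not part of the original post or of Open-AudIT: it merges KB ids from the Win32_QuickFixEngineering packages with those embedded in installed-software names (like the .NET entries in the first post) and reports which required KBs neither source shows. The `<software>` wrapper element, the function names and the placeholder KB ids are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not real audit output. The <software> wrapper is assumed;
# <package> fields follow the snippet above. KB0000001 and KB0000002 are
# placeholders; the .NET name is one quoted in the first post of the thread.
SAMPLE_XML = """<software>
  <package>
    <software_name>KB0000001</software_name>
    <software_install_date>10/12/2011</software_install_date>
    <software_comment>update</software_comment>
  </package>
  <package>
    <software_name>Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)</software_name>
  </package>
  <package>
    <software_name>Example Application 1.0</software_name>
  </package>
</software>"""

KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def installed_kbs(xml_text):
    """Map each KB id found in the audit XML to the source that reported it."""
    found = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        name = (pkg.findtext("software_name") or "").strip()
        match = KB_RE.search(name)
        if not match:
            continue  # ordinary software, not a patch
        kb = "KB" + match.group(1)
        # A bare hotfix ID is what the Win32_QuickFixEngineering loop emits;
        # a descriptive name with the KB in brackets is an installed-software entry.
        source = "qfe" if KB_RE.fullmatch(name) else "software"
        found.setdefault(kb, source)
    return found


def missing_kbs(xml_text, required):
    """Return the required KB ids that neither inventory reported, sorted."""
    have = installed_kbs(xml_text)
    return sorted({kb.upper() for kb in required} - set(have))
```
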

PostPosted: Thu Oct 13, 2011 7:57 am
Newbie

Joined: Tue Jul 21, 2009 1:22 am
Posts: 8
Do you think that would work in the Version 8 and 9 OpenAudit scripts as well?

TP


PostPosted: Thu Oct 13, 2011 8:46 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Wouldn't work as is but if I spent a few seconds and not too many brain cells I'd come up with the following attached audit script which may or may not work. The attached file is a modification of the audit script from SVN revision 1251. I'm not sure where you're getting the version 8 and 9 stuff from. I suggest you download the latest OpenAudit version 1 code from SVN if you want to use the old stuff.

This basically adds the following to the audit script:
[code]' hotfix inventory
' Skipping if audited system is not Vista, W2k8 or Seven
if (CInt(SystemBuildNumber) >= 6000) then
    ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    Set colItems = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering", , 48)
    For Each objItem In colItems

        ' reset the per-item fields; only name, install date and URL come from WMI
        version = ""
        uninstall_string = ""
        install_date = ""
        publisher = "Microsoft"
        install_source = ""
        install_location = ""
        system_component = ""
        display_name = ""

        ' WMI may return Null for any of these, so fall back to an empty string
        display_name = objItem.hotFixID
        if (isnull(display_name)) then display_name = "" end if

        install_date = objItem.InstalledOn
        if (isnull(install_date)) then install_date = "" end if

        software_url = objItem.Caption
        if (isnull(software_url)) then software_url = "" end if

        if online = "p" then
            software = software & display_name & vbcrlf
        end if
        ' build the ^^^-delimited software record and hand it to entry
        form_input = "software^^^" & clean(display_name) & " ^^^" _
            & clean(version) & " ^^^" _
            & clean(install_location) & " ^^^" _
            & clean(uninstall_string) & " ^^^" _
            & clean(install_date) & " ^^^" _
            & clean(publisher) & " ^^^" _
            & clean(install_source) & " ^^^" _
            & clean(system_component) & " ^^^" _
            & clean(software_url) & "^^^" _
            & clean(software_comments) & "^^^"
        entry form_input,comment,objTextFile,oAdd,oComment
        form_input = ""
    Next
end if[/code]


Attachments:
audit.vbs.txt [232.57 KiB]
Downloaded 370 times

PostPosted: Thu Oct 13, 2011 10:42 am
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Have incorporated this into beta4.
Thanks JPA. :D

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Thu Oct 13, 2011 11:09 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Cool. Test! Test! Test! I literally spent 5 minutes on this and ran it against one Windows 7 box.


PostPosted: Fri Oct 14, 2011 1:54 am
Newbie

Joined: Tue Jul 21, 2009 1:22 am
Posts: 8
When I mentioned Version 9....I should have been more specific for the rest....sorry...been one of those weeks.

http://sourceforge.net/projects/open-audit/files/

shows 9.12.23 which is SVN1223.....where does one find the SVN1251?

TP


PostPosted: Fri Oct 14, 2011 2:00 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
The Sourceforge Subversion repository via SVN client or
    Browse to [url]http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/[/url].
    Scroll to the bottom and click "Download GNU tarball"
    Save the tar.gz file to disk and extract it using an appropriate extractor

