Open-AudIT
https://www.open-audit.org/phpBB3/

OAv2 and Windows 7 updates
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5777

Author:  Thomas_Powers [ Thu Oct 13, 2011 2:22 am ]
Post subject:  OAv2 and Windows 7 updates

Hello....

I had a post out on support because versions 8 and 9 of open audit were not picking up installed security patches on Windows 7.

I decided to investigate OAv2 in the meantime.....and it does the same thing.

The .NET 4 stuff shows up in the updates section:

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Extended (KB2416472) 1 Microsoft Corporation
Security Update for Microsoft .NET Framework 4 Extended (KB2487367) 1 Microsoft Corporation
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) 1 Microsoft Corporation

But none of the other 65+ Windows patches are showing up.

I am thinking this may be a bad thing?

All help is appreciated.

Tom P

Author:  jpa [ Thu Oct 13, 2011 7:37 am ]
Post subject:  Re: OAv2 and Windows 7 updates

As you've found the hotfix information isn't stored the same in modern Windows and OpenAudit doesn't catch that in the audit. I've attached a quick mod to the OAv2 b3 audit to capture the hotfixes. Not tested much beyond my network. Mark should probably look at this to make sure it makes sense.

Basically added the following to audit the hotfixes in > WinVista.

[code]
' hotfixes
' Vista and later: read installed updates from the Win32_QuickFixEngineering WMI class
if (system_os_family = "Windows 2008" or system_os_family = "Windows 7" or system_os_family = "Windows Vista") then
    if debugging > "0" then wscript.echo "Hotfix info" end if
    ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    set colItems2 = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering",,48)
    for each objItem2 in colItems2

        'on error goto 0

        ' one <package> element per hotfix, marked as an update in software_comment
        result = result & " <package>" & vbcrlf
        result = result & " <software_name>" & escape_xml(objItem2.HotFixID) & "</software_name>" & vbcrlf
        result = result & " <software_version></software_version>" & vbcrlf
        result = result & " <software_location></software_location>" & vbcrlf
        result = result & " <software_uninstall></software_uninstall>" & vbcrlf
        result = result & " <software_install_date>" & escape_xml(objItem2.InstalledOn) & "</software_install_date>" & vbcrlf
        result = result & " <software_publisher>Microsoft</software_publisher>" & vbcrlf
        result = result & " <software_install_source></software_install_source>" & vbcrlf
        result = result & " <software_system_component></software_system_component>" & vbcrlf
        result = result & " <software_url>" & escape_xml(objItem2.Caption) & "</software_url>" & vbcrlf
        result = result & " <software_email></software_email>" & vbcrlf
        result = result & " <software_comment>update</software_comment>" & vbcrlf
        result = result & " <software_code_base></software_code_base>" & vbcrlf
        result = result & " <software_status></software_status>" & vbcrlf
        result = result & " <software_installed_by>" & lcase(escape_xml(objItem2.InstalledBy)) & "</software_installed_by>" & vbcrlf
        result = result & " <software_installed_on>" & escape_xml(objItem2.InstalledOn) & "</software_installed_on>" & vbcrlf
        result = result & " </package>" & vbcrlf
    next
end if
[/code]

Attachments:
audit_windows.vbs.txt [214.75 KiB]
Downloaded 379 times

Author:  Thomas_Powers [ Thu Oct 13, 2011 7:57 am ]
Post subject:  Re: OAv2 and Windows 7 updates

Do you think that would work in the Version 8 and 9 OpenAudit scripts as well?

TP

Author:  jpa [ Thu Oct 13, 2011 8:46 am ]
Post subject:  Re: OAv2 and Windows 7 updates

Wouldn't work as is but if I spent a few seconds and not too many brain cells I'd come up with the following attached audit script which may or may not work. The attached file is a modification of the audit script from SVN revision 1251. I'm not sure where you're getting the version 8 and 9 stuff from. I suggest you download the latest OpenAudit version 1 code from SVN if you want to use the old stuff.

This basically adds the following to the audit script:
[code]
' hotfix inventory
' Skipping if audited system is not Vista, W2k8 or Seven
if (CInt(SystemBuildNumber) >= 6000) then
    ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    Set colItems = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering", , 48)
    For Each objItem In colItems

        ' reset the per-package fields for each hotfix
        version = ""
        uninstall_string = ""
        install_date = ""
        publisher = "Microsoft"
        install_source = ""
        install_location = ""
        system_component = ""
        display_name = ""

        ' WMI properties can be Null; replace Null with an empty string
        display_name = objItem.hotFixID
        if (isnull(display_name)) then display_name = "" end if

        install_date = objItem.InstalledOn
        if (isnull(install_date)) then install_date = "" end if

        software_url = objItem.Caption
        if (isnull(software_url)) then software_url = "" end if

        if online = "p" then
            software = software & display_name & vbcrlf
        end if
        ' build the ^^^-delimited software record and submit it
        form_input = "software^^^" & clean(display_name) & " ^^^" _
            & clean(version) & " ^^^" _
            & clean(install_location) & " ^^^" _
            & clean(uninstall_string) & " ^^^" _
            & clean(install_date) & " ^^^" _
            & clean(publisher) & " ^^^" _
            & clean(install_source) & " ^^^" _
            & clean(system_component) & " ^^^" _
            & clean(software_url) & "^^^" _
            & clean(software_comments) & "^^^"
        entry form_input,comment,objTextFile,oAdd,oComment
        form_input = ""
    Next
end if
[/code]

Attachments:
audit.vbs.txt [232.57 KiB]
Downloaded 371 times
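
The WMI query used in the two snippets above, as a stand-alone check run on the local machine (an added example, not Open-AudIT code and not from the posters): it guards each field against Null and reports which KB ids from a baseline list the class did not return. The ids in `requiredKBs` are constructed placeholders, and the helper `NullToEmpty` and the file name are hypothetical.

```vbscript
' Added example, not Open-AudIT code. Run: cscript //nologo check_hotfixes.vbs
Option Explicit

Dim requiredKBs, installed, objWMIService, colItems, objItem, hotfixId, kb, missing

' Constructed placeholder ids: replace with the KB numbers your baseline requires.
requiredKBs = Array("KB0000001", "KB0000002")

' Hypothetical helper: WMI properties may be Null, so normalise to a trimmed string.
Function NullToEmpty(value)
    If IsNull(value) Then
        NullToEmpty = ""
    Else
        NullToEmpty = Trim(CStr(value))
    End If
End Function

Set installed = CreateObject("Scripting.Dictionary")
installed.CompareMode = vbTextCompare   ' compare KB ids case-insensitively

' Same class and flags as the snippets above (48 = return immediately + forward only).
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery( _
    "Select HotFixID, InstalledOn, InstalledBy from Win32_QuickFixEngineering", , 48)

' Record every hotfix that has an id, keyed by id, with its install date.
For Each objItem In colItems
    hotfixId = NullToEmpty(objItem.HotFixID)
    If hotfixId <> "" Then
        installed(hotfixId) = NullToEmpty(objItem.InstalledOn)
        WScript.Echo hotfixId & vbTab & installed(hotfixId) & vbTab & _
            LCase(NullToEmpty(objItem.InstalledBy))
    End If
Next

' Report baseline entries the WMI class did not return.
missing = 0
For Each kb In requiredKBs
    If Not installed.Exists(kb) Then
        WScript.Echo "MISSING: " & kb
        missing = missing + 1
    End If
Next

WScript.Echo installed.Count & " hotfixes found, " & missing & " required ids missing"
If missing > 0 Then WScript.Quit 1
```

The script exits with code 1 when any baseline id is absent, so it can gate a scheduled compliance job.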

Author:  Mark [ Thu Oct 13, 2011 10:42 am ]
Post subject:  Re: OAv2 and Windows 7 updates

Have incorporated this into beta4.
Thanks JPA. :D

Author:  jpa [ Thu Oct 13, 2011 11:09 am ]
Post subject:  Re: OAv2 and Windows 7 updates

Cool. Test! Test! Test! I literally spent 5 minutes on this and ran it against one Windows 7 box.

Author:  Thomas_Powers [ Fri Oct 14, 2011 1:54 am ]
Post subject:  Re: OAv2 and Windows 7 updates

When I mentioned Version 9....I should have been more specific for the rest....sorry...been one of those weeks.

http://sourceforge.net/projects/open-audit/files/

shows 9.12.23 which is SVN1223.....where does one find the SVN1251?

TP

Author:  jpa [ Fri Oct 14, 2011 2:00 am ]
Post subject:  Re: OAv2 and Windows 7 updates

The Sourceforge Subversion repository via SVN client or
    Browse to [url]http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/[/url].
    Scroll to the bottom and click "Download GNU tarball"
    Save the tar.gz file to disk and extract it using an appropriate extractor

All times are UTC + 10 hours