Open-AudIT
https://www.open-audit.org/phpBB3/

New audit Script
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5857

Author:  Mark [ Tue Apr 10, 2012 8:08 pm ]
Post subject:  New audit Script

I've done up another version of the audit_windows script.
If an audit of a PC is attempted but it cannot be contacted (or the firewall is on or whatever), then, assuming the PC is on a domain, the audit script asks the domain for any information it can give about the PC. This is designed to be called from the audit_domain script, but for testing we can call it directly.

To test, could I ask you to run the attached script against a machine you know is not powered on and that is joined to the same domain as your PC.

The debug level is set to 2, so you should see some useful output. It will NOT attempt to send the data to the audit server.

Items of note are:
ldap = ""
This should normally be left as is. If an ldap variable is passed via the command line, this will be used. If it is not, the local ldap settings will be used. Normally the ldap attribute will be passed by the audit_domain script.
No need to set this for testing.

ldap_seen_days = "0"
You can set this to only return info from AD if a system has been seen by AD in the last XX days. I.e., we have systems that are in AD but have been disposed of and not seen by AD in years (don't ask). We don't care about these, but they will be returned by the audit_domain script.

ldap_seen_date = "2000-01-01"
This is very similar to the attribute above. If the system has been seen by AD since this date then it will be returned. If it has not been seen, no AD details are returned.

So, to test, simply run "cscript audit_windows.vbs COMPUTERNAME" against a computer that is on the domain, but turned off. You should see the XML dumped to the console. This contains useful (but extremely limited) information taken from Active Directory.

You can also try altering the ldap_seen_ attributes and see if it returns as expected.

This particular feature is useful when you have systems that are on and off the network (think laptops) and that don't have logon scripts.

Anyway, have at it and post your comments (fingers crossed)!
:)

Attachments:
File comment: rename to audit_windows.vbs
audit_windows.txt [251.18 KiB]

Author:  jpa [ Wed Apr 11, 2012 2:12 am ]
Post subject:  Re: New audit Script

Works here. Is nslookup output internationalized in Windows? Parsing its output might fail on other Windows language versions if so.

[code]
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

starting audit - computer1
Problem authenticating (4) to computer1
Error Number:462
Error Description:The remote server machine does not exist or is unavailable
<?xml version="1.0" encoding="UTF-8"?>
<computers>
<computer>
<hostname>computer1</hostname>
<man_ip_address>192.168.0.108</man_ip_address>
<domain>domain.com</domain>
<type>system</type>
<icon>windows_7</icon>
<os_group>windows</os_group>
<os_family>Windows 7</os_family>
<os_name>Microsoft Windows 7 Enterprise</os_name>
<windows_active_directory_ou>ou=shared computers,ou=users and computers,ou=stuff,dc=domain,dc=com<windows_active_directory_ou>
<last_seen>2012-04-06</last_seen>
<last_seen_by>active directory</last_seen_by>
</computer>
</computers>

LDAP Seen Days: 0
LDAP Actual Days: 4
LDAP Seen Date: 2000-01-01
LDAP Actual Date: 2012-04-06
PC not able to be audited but seen in Active Directory on 2012-04-06.
As this is after 2000-01-01, using AD details for audit.


[Output snip]
LDAP Seen Days: 0
LDAP Actual Days: 4
LDAP Seen Date: 2012-04-07
LDAP Actual Date: 2012-04-06
PC not able to be audited and last seen by Active Directory on 2012-04-06.
As this is before 2012-04-07, no audit recorded.


[Output snip]
LDAP Seen Days: 1
LDAP Actual Days: 4
LDAP Seen Date: 2000-01-01
LDAP Actual Date: 2012-04-06
PC not able to be audited but seen in Active Directory on 2012-04-06.
As this is after 2000-01-01, using AD details for audit.
[/code]
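
The date cutoff described in the first post, checked against the first two outcomes in the output above, as an added example that is not part of the thread or of the Open-AudIT script. It assumes the "last seen" value comes from a FILETIME-style AD attribute such as lastLogonTimestamp (the thread does not say which attribute the script reads), treats a date equal to the cutoff as seen, and leaves ldap_seen_days out; all function names are hypothetical.

```python
from datetime import date, datetime, timedelta, timezone

# AD stores logon timestamps as 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_date(filetime):
    """Convert an AD FILETIME integer to a UTC date; 0 means 'never seen'."""
    if filetime <= 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).date()


def date_to_filetime(day):
    """Build a FILETIME for midnight UTC of `day` (used for sample data only)."""
    midnight = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    return int((midnight - FILETIME_EPOCH).total_seconds()) * 10_000_000


def ad_fallback(filetime, seen_date, today):
    """Decide whether AD details may stand in for a failed audit.

    Assumption: only the ldap_seen_date cutoff is modelled here.
    If the source attribute is lastLogonTimestamp, note that AD replicates
    it only every 9 to 14 days by default, so the reported date can lag the
    real last logon and day-level cutoffs are coarse.
    """
    last_seen = filetime_to_date(filetime)
    if last_seen is None:
        # A computer account that never logged on is never accepted.
        return {"use_ad": False, "last_seen": None, "actual_days": None}
    return {
        "use_ad": last_seen >= seen_date,
        "last_seen": last_seen,
        "actual_days": (today - last_seen).days,
    }


if __name__ == "__main__":
    # Constructed sample: the machine last seen on 2012-04-06, run on 2012-04-10.
    stamp = date_to_filetime(date(2012, 4, 6))
    for cutoff in (date(2000, 1, 1), date(2012, 4, 7)):
        print(cutoff, ad_fallback(stamp, cutoff, date(2012, 4, 10)))
```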

Author:  JayDee [ Wed Apr 11, 2012 11:52 pm ]
Post subject:  Re: New audit Script

Same success as jpa here; handled the offline laptop with no problem.
[code]starting audit - lapt-006
Problem authenticating (4) to lapt-006
Error Number:462
Error Description:The remote server machine does not exist or is unavailable
<?xml version="1.0" encoding="UTF-8"?>
<computers>
<computer>
<hostname>lapt-006</hostname>
<man_ip_address>192.168.99.99</man_ip_address>
<domain>mydomain.local</domain>
<type>system</type>
<icon>windows_xp</icon>
<os_group>windows</os_group>
<os_family>Windows XP</os_family>
<os_name>Microsoft Windows XP Professional</os_name>
<windows_active_directory_ou>cn=computers,dc=mydomain,dc=local
<windows_active_directory_ou>
<last_seen>2012-04-04</last_seen>
<last_seen_by>active directory</last_seen_by>
</computer>
</computers>

LDAP Seen Days: 0
LDAP Actual Days: 6
LDAP Seen Date: 2000-01-01
LDAP Actual Date: 2012-04-04
PC not able to be audited but seen in Active Directory on 2012-04-04.
As this is after 2000-01-01, using AD details for audit.[/code]

John

All times are UTC + 10 hours