Open-AudIT
https://www.open-audit.org/phpBB3/

[bug] [solved] audit_domain using remote run type
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6113
Page 1 of 1

Author:  jpa [ Sat Jun 08, 2013 5:27 am ]
Post subject:  [bug] [solved] audit_domain using remote run type

Not sure if it's just me or a bug but I needed to run audit_domain with audit_run_type = "remote" and it wasn't working. Attached is my changed audit_domain.vbs that gets it to work.

Need to run as a user with admin permissions to the remote machine and psexec.exe needs to be in your path. You don't need to supply remote_user and remote_path in my testing from Win7 and WinServer2003R2.

I disabled CheckForHungWMI because I don't think it does what it advertises (beyond the fact that it does nothing in its current state). And I also made audit_run_type remote obey number_of_audits.

p.s. I needed to audit "remotely" because Scheduled Tasks are not audited on remote machines with a "local" domain audit. I could have used a GPO or something but we might as well get audit_domain fixed. Needs testing but works here.

Attachments:
audit_domain_jpa.txt [13.08 KiB]

Author:  jpa [ Tue Jun 11, 2013 6:12 am ]
Post subject:  Re: [bug] audit_domain using remote run type

And now I see the new scheduled task format has messed everything up and scheduled task data isn't even processed by OpenAudit v2. At least the remote audit stuff is working better than the across the WAN WMI audits.

Author:  Mark [ Tue Jun 11, 2013 11:29 am ]
Post subject:  Re: [bug] audit_domain using remote run type

Thanks JPA - have included your mods.

All times are UTC + 10 hours