Open-AudIT
https://www.open-audit.org/phpBB3/

[bug] audit_windows: Issue with man_ip_address field
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6470

Author:  cso [ Thu Oct 29, 2015 9:52 pm ]
Post subject:  [bug] audit_windows: Issue with man_ip_address field

So, the way I'm running this is using "audit_domain.vbs" with the option set to run the script locally... however, when I do this, it executes a "route print 0.0.0.0" on the server running the audit and seems to use its local IP address for the "man_ip_address" field in the records for that system.

Am I the only one seeing this?

Author:  jpa [ Fri Oct 30, 2015 3:04 am ]
Post subject:  Re: audit_windows: Issue with man_ip_address field

It is a problem with the new code trying to set man_ip_address to the IP of the adapter with the default route. Previously it was getting it "wrong" by choosing an undesired network adapter to get the IP address. The new code assumes it's running on the machine being audited and this is not the case when called from audit_domain.

Mark will need to fix this. Instead of using a shell to run "route print" we'll probably need to use WMI or a simple nslookup like we do for ldap audits.

Author:  jpa [ Fri Oct 30, 2015 8:42 am ]
Post subject:  Re: audit_windows: Issue with man_ip_address field

jpa wrote:
Mark will need to fix this.
Or here's a stab at the problem. Works in my testing. May need more error checking or I've assumed things that aren't true.

This uses WMI to get the routing table, finds the default route and the associated network adapter then grabs the primary ip address from that if it can or it looks in the registry for the ip address if it can't.

Attachment:
audit_windows.txt [351.36 KiB]


This doesn't find an ip address if the ipv4 gateway is blank. But the previous didn't either so it's no worse that way. The WMI routing stuff is IPV4 only so it also doesn't work with IPV6 only configs. Haven't tested how it breaks. Probably just doesn't get an ip address. I also threw this together quick so it could use some prettifying.
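
The lookup described in the post above (IPv4 default route via WMI, then the matching adapter's address), as an added example that is not from the thread or the attached audit_windows.txt. The function name GetDefaultRouteIP and its strComputer parameter are assumptions, the registry fallback is left out, and InterfaceIndex on Win32_NetworkAdapterConfiguration requires Windows Vista / Server 2008 or later.

```vbscript
' Added example, not the project's code. Assumptions: GetDefaultRouteIP and
' strComputer are hypothetical names; no registry fallback is implemented.
Option Explicit

Function GetDefaultRouteIP(strComputer)
    Dim objWMI, colRoutes, objRoute, colNics, objNic
    Dim lngBestMetric, lngIfIndex, strAddr

    GetDefaultRouteIP = ""
    ' Connect to the *audited* machine, so the routing table read is the
    ' target's and not that of the server running audit_domain.vbs.
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                           strComputer & "\root\cimv2")

    ' IPv4 default routes only; several may exist, so keep the lowest metric.
    Set colRoutes = objWMI.ExecQuery( _
        "SELECT InterfaceIndex, Metric1 FROM Win32_IP4RouteTable " & _
        "WHERE Destination = '0.0.0.0' AND Mask = '0.0.0.0'")
    lngIfIndex = -1
    lngBestMetric = -1
    For Each objRoute In colRoutes
        If lngBestMetric = -1 Or objRoute.Metric1 < lngBestMetric Then
            lngBestMetric = objRoute.Metric1
            lngIfIndex = objRoute.InterfaceIndex
        End If
    Next
    ' Blank IPv4 gateway or IPv6-only host: no default route, return "".
    If lngIfIndex = -1 Then Exit Function

    ' Adapter configuration bound to the interface that owns the default route.
    Set colNics = objWMI.ExecQuery( _
        "SELECT IPAddress FROM Win32_NetworkAdapterConfiguration " & _
        "WHERE InterfaceIndex = " & lngIfIndex)
    For Each objNic In colNics
        If Not IsNull(objNic.IPAddress) Then
            For Each strAddr In objNic.IPAddress
                ' The array can also hold IPv6 addresses; take the first IPv4.
                If InStr(strAddr, ":") = 0 Then
                    GetDefaultRouteIP = strAddr
                    Exit Function
                End If
            Next
        End If
    Next
End Function

WScript.Echo GetDefaultRouteIP(".")   ' "." = local machine, for a quick check
```

An empty return value means the caller has to fall back to another source, such as the registry or a DNS lookup, both of which the posts mention.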

Author:  jpa [ Sat Nov 21, 2015 5:56 am ]
Post subject:  Re: audit_windows: Issue with man_ip_address field

I'm bumping this because it didn't make it into 1.8.4

All times are UTC + 10 hours