Open-AudIT

What's on your network?

All times are UTC + 10 hours




Posted: Thu Feb 22, 2007 3:37 am
Helper

Joined: Sat Sep 17, 2005 7:15 am
Posts: 71
Ok - I've been emailing Mike a few times, and I have an audit.vbs I'd like for some of the high-end users (and moderators) to take a look at.

I needed to modify this because I felt that I shouldn't have to have multiple audit.vbs files for different configurations. For example, I use the same audit.vbs to run against a dynamic OU that is being populated with computers daily and then again at a different time during the day where it will query a static list of servers.

I'm not totally done with it, as I'm not sure how far to go with the command-line switches...let me know - should I just mimic all the audit.conf settings?

Am I crazy, should I have even done this? :)

Basically, I added some command-line switches:
computer: (computername)
user: (domain\username)
password: (password)
config: (name of .conf file to use, ex. "x:\path\config.con")
list: (path of computer list to run against, ex. "x:\path\computerlist.txt")

*if you have spaces in either the config or computer list paths, use quotes...

I added a section that had some default configuration parameters, which get superseded by the command-line switches (i.e. if you downloaded and ran the file without having access to the config files).

I also told audit.vbs to automatically default to its own directory if no path was specified for the audit.conf files (using strScriptPath).

I couldn't get this post to take the code, so I've uploaded to my own website. Download it and give it a try:

*updated to 2.3 on 12/13/07*
http://www.vbshf.com/vbshf/forum/forums ... mentid=355

_________________
Server Info:
OS : Windows Server 2003
Auditing: ~300 machines
LDAP: Windows Server 2003 Active Directory


Last edited by qc_metal on Wed Nov 14, 2007 6:33 am, edited 4 times in total.

Posted: Sat Feb 24, 2007 12:18 am
Helper

Joined: Sat Sep 17, 2005 7:15 am
Posts: 71
No feedback on this?

_________________
Server Info:
OS : Windows Server 2003
Auditing: ~300 machines
LDAP: Windows Server 2003 Active Directory


Posted: Sat Feb 24, 2007 4:37 am
Sometimes it takes awhile! I haven't had time to completely process the code yet.


Posted: Sat Feb 24, 2007 7:40 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Looks interesting, however I am off work at the moment with flu, so I won't have a chance to check this over till Wednesday next week at the earliest.
:?


Posted: Sat Feb 24, 2007 7:53 am
Helper

Joined: Sat Sep 17, 2005 7:15 am
Posts: 71
mikeyrb wrote:
Sometimes it takes awhile! I haven't had time to completely process the code yet.


No problem - I was hoping that I wasn't being ignored ;) I feel like I'm onto something here!

_________________
Server Info:
OS : Windows Server 2003
Auditing: ~300 machines
LDAP: Windows Server 2003 Active Directory


Posted: Sat Jul 07, 2007 12:25 am
Helper

Joined: Sat Sep 17, 2005 7:15 am
Posts: 71
Just curious if anyone had taken a look at this yet. I had some strangeness with config files vs. default parameters, which I believe I have resolved with version 2.2 (uploaded today, link updated as well in the first post).

Just wanted to get some feedback. Thanks guys!

_________________
Server Info:
OS : Windows Server 2003
Auditing: ~300 machines
LDAP: Windows Server 2003 Active Directory


Posted: Mon Jul 09, 2007 9:26 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Sorry for the lack of response. Staff shortages, all the usual excuses... I have just copied your audit.vbs to my test server, and it should kick off an audit this evening, I won't get a chance to try all of the command line switches and changes, but at least we can see if anything is broken.

If it looks good, I will push it to the SVN and let everyone have a play, we can always back out of it if it causes issues. That is what SVN is for after all.

Don't expect lightning response, since I am snowed under at the moment. (There must be an easier way to make a living :wink: )

Watch this space over the next couple of days.

BTW if you are interested in joining the developers, PM Mark and see what he says.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Posted: Tue Jul 10, 2007 7:17 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Interesting result.... I have a scheduled audit task, which should audit the entire Glasgow domain, however, it simply audited my PC. Not sure why this was the case.. I will need to investigate.... :?

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Posted: Tue Jul 10, 2007 11:58 pm
Helper

Joined: Sat Sep 17, 2005 7:15 am
Posts: 71
A_Hull wrote:
Interesting result.... I have a scheduled audit task, which should audit the entire Glasgow domain, however, it simply audited my PC. Not sure why this was the case.. I will need to investigate.... :?


Hmm...what is your command-line string like?

What I've had to do is test it on the system while I was logged in so I could watch it. I must admit, getting the logic to work correctly was a bit of a task. Did you get the latest version of the file?

Rob

_________________
Server Info:
OS : Windows Server 2003
Auditing: ~300 machines
LDAP: Windows Server 2003 Active Directory


Posted: Wed Jul 11, 2007 3:03 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
qc_metal wrote:
A_Hull wrote:
Interesting result.... I have a scheduled audit task, which should audit the entire Glasgow domain, however, it simply audited my PC. Not sure why this was the case.. I will need to investigate.... :?


Hmm...what is your command-line string like?

What I've had to do is test it on the system while I was logged in so I could watch it. I must admit, getting the logic to work correctly was a bit of a task. Did you get the latest version of the file?

Rob


I really like the idea here, and have given it a bit of thought.

To answer your questions, I am using the latest version.

How my scheduled task works is that it runs the audit.vbs script from the W:\xampp\htdocs\open-audit\scripts folder (a SMB share on my local workstation).

Using a batch file as follows.

Code:
@echo off
rem audit glasgow pcs (the rest are done remotely)
cscript audit.vbs

:end


Since I use no command line switches, this should pick up the local audit.config file, which contains the config needed to audit my local domain.

The scheduled task runs in the same folder (not that this should matter as I assume that the command.com that runs audit_glasgow.bat file will set its own path)

I presume that if there are no command line options, the script will look for its settings in the current working directory.

A nice touch would be to check the working directory AND a default page on the web server relative to the POST page. That way we could use multiple configs from the web server without having to save any info anywhere...

Take the following example.

Script looks to the web server, the web server page says something like
Code:
[NETWORKS]
Glasgow
London
NewYork
Sydney
Paris
[/NETWORKS]



The script then runs itself with a command line switch of NETWORK:Glasgow NETWORK:London ... etc. and each of these scripts checks for a sub page of config called Glasgow.. London and so forth.

On each of these pages is a set of options to parse as per the original script, like...

Code:
[NETWORK_GLASGOW]
audit_location = "r"
verbose = "y"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = "http://support.glasgow.local/openauditserver/admin_pc_add_1.php"
non_ie_page = "http://support.glasgow.local/openauditserver/admin_pc_add_2.php"
input_file = ""
email_to = ""
email_from = ""
email_server = ""
audit_local_domain = "y"
local_domain = "LDAP://glasgow.local"
hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
ldap_base_dn= 'dc=glasgow,dc=local';
ldap_server = 'blah.glasgow.local';
ldap_user = 'johndoe@glasgow.local';
ldap_secret = 'encrypted_password';
[/NETWORK_GLASGOW]


That way we can modify the config(s) for multiple domains and options from within the web page... :lol:

Extending the idea further we can use an option like

Code:
[MACHINES]
MACHINE1:name
USER1:blah
PASSWORD1:encrypted_blah_blah
MACHINE2:name
USER2:blah
PASSWORD2:encrypted_blah_blah
...
[/MACHINES]


which again will spawn more processes to audit each machine in the list MACHINE1 MACHINE2 ....

and

Code:
[NMAP_NETWORKS]
SUBNET:192.168.0.0
SUBNET_MASK:255.255.255.0
[/NMAP_NETWORKS]


Which will fire off the nmap script for each of the subnets.

Obviously in the examples each of the above files is a very simple bit of text but we could extend the idea to use a server side generated PHP/HTML/XML file or whatever is appropriate to allow us to keep the thing relatively secure.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory
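
An added example, not part of the original post and not Open-AudIT code: a strict parser for the bracketed layout sketched above, written in Python for illustration rather than in the project's VBScript. The function names and the `SAFE_NAME` policy are assumptions; the point is that text fetched from a web page is validated before it is turned into `NETWORK:` switches for spawned processes.

```python
import re
# Constructed sample in the layout sketched in the post above (not real settings).
SAMPLE = """[NETWORKS]
Glasgow
London
[/NETWORKS]
[NETWORK_GLASGOW]
number_of_audits = 10
ldap_base_dn= 'dc=glasgow,dc=local';
[/NETWORK_GLASGOW]
"""
TAG = re.compile(r"^\[(/?)([A-Z0-9_]+)\]$")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # assumed policy for network names

def parse_sections(text):
    """Return {section: [lines]}; reject nested, repeated, mismatched or unclosed tags."""
    sections, current = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        tag = TAG.match(line)
        if tag and tag.group(1) and tag.group(2) == current:      # matching close tag
            current = None
        elif tag and not tag.group(1) and current is None and tag.group(2) not in sections:
            current = tag.group(2)                                # new opening tag
            sections[current] = []
        elif tag or (line and current is None):
            raise ValueError(f"line {n}: misplaced {line}")
        elif line:
            sections[current].append(line)
    if current is not None:
        raise ValueError(f"unclosed [{current}]")
    return sections

def parse_options(lines):
    """Parse key = value lines, tolerating the quotes and trailing ';' seen in the post."""
    opts = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not an option line: {line}")
        opts[key.strip()] = value.strip().rstrip(";").strip().strip("\"'")
    return opts

def network_switches(sections):
    """Build NETWORK:<name> switches; refuse names unfit for a command line."""
    names = sections.get("NETWORKS", [])
    if not all(SAFE_NAME.match(n) for n in names):
        raise ValueError("unsafe network name in [NETWORKS]")
    return [f"NETWORK:{n}" for n in names]
```
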


Posted: Thu Jul 19, 2007 1:02 am
Helper

Joined: Sat Sep 17, 2005 7:15 am
Posts: 71
Whoa - this sounds very cool, although the web stuff is a bit outside of my realm (at least with XML & PHP). I can certainly help on the vbs front, however.

My scheduled task command-line is: C:\WINDOWS\system32\cscript.exe \\server\scripts$\audit.vbs config:\\server\scripts$\configs\audit_subnet.conf

This seems to work without a hitch - btw, the forums look nice!

_________________
Server Info:
OS : Windows Server 2003
Auditing: ~300 machines
LDAP: Windows Server 2003 Active Directory


Posted: Thu Jul 19, 2007 2:59 pm
So here's an idea, relating to Andy's thoughts. Not sure if I'm overlapping a lot, since I didn't quite read all of that post, but here goes!

I like the idea of having many command-line options for audit.vbs. That way, we can develop a helper script, whose sole purpose is to download the configuration for the audit, as well as cache a copy of the latest audit.vbs. I think in this manner, we could develop "locations" which include a group of computers, then you could download an audit script that is ready to go. This script would probably contain minimal information, just the name of the location and the server URL, along with some logic to download audit.vbs, etc. To save bandwidth (not that 140 KB is tremendous, but might as well), it would check that it already has the latest audit.vbs as compared to the server. I think this would allow for easy updating to the audit script across the enterprise, while still preserving the "locations" settings with minimal hassle. This would serve to not add more bloat to audit.vbs, while still allowing audit.vbs to function separately from the helper script.

In that instance, we could add time scheduling to the server, by instructing users to set the helper script to auto-execute every 30 minutes. Have the helper script set a lock file to prohibit excessive scanning or something. Then each pc page could have a section indicating next audit time, as well as the option to force an audit on the next run (or until it finally gets auditing in the instance of laptops out in the field).

This also would simplify rolling out the audit, as there's only one file to copy to a remote server.


Posted: Fri Jul 20, 2007 2:42 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
How's this for an idea?

A "Get auditing script" link on the OA host, that downloads the preconfigured script. With the server URL in it.

When the script is run, the script looks to the server which in turn looks for the options associated with the source IP address of the script and passes those options back to the script. No access to the server, forces the script to look locally for its settings.

By the same token if you run the script from elsewhere, then if OA has no record of that host IP address, then the script won't be able to post to the server...

The script can still be run with local settings, to a local file, which can then be posted to OA so long as the results contain a valid key (generated by OA, and again associated with the host IP doing the audit).

This allows the same script to be run from anywhere so long as it is a valid auditing host, but stops unwanted posts to the database.

Your thoughts?

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Posted: Fri Jul 20, 2007 8:46 am
I do like the fact that then you would have one identical script. Only problem would be a server with dhcp (which is possible -- if say people access it using dns name, and you just throw the script on because it doesn't have enough to do). So, we'd need to make that consideration.


Posted: Fri Jul 20, 2007 7:35 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
mikeyrb wrote:
I do like the fact that then you would have one identical script. Only problem would be a server with dhcp (which is possible -- if say people access it using dns name, and you just throw the script on because it doesn't have enough to do). So, we'd need to make that consideration.


Not quite sure I follow?

The audit would be done for a domain for example, from one Workstation as before. The only difference being that the script would pick all its options by default from the OA server. Can't get my head around the DHCP bit, if the IP or DNS name match, then the script runs, if the IP address is wrong, but the DNS name is right, then fine it's a DHCP client, so the script still runs, but if the IP is wrong AND the DNS name is wrong, then thanks, but no thanks.

Obviously this could be an optional feature, since we could just have the script run from anywhere as before. Another method would be to ignore the IP address or system name. Consider this. If the script is hard coded with a URL on the OA server, then each script could be coded with a different URL (since it is generated by the server), something like
Code:
non_ie_page = "http://openauditserver/openaudit/admin_set_script_options.php?location=mysite.mydonain.com&scriptkey=ABCDEF12345AB"
It is then up to the server to decide whether it wants to accept the conversation or not, and what options to post if it does decide to chat. Since the server generates the script, it could even put a token in the script, (A PGP Key for example) thus identifying which script is being run. Revoke the key, kill the script.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory
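
An added example, not part of the original posts and not Open-AudIT code: the server-side decision described in the last two posts by this author (a per-script key generated by the server, the IP/DNS-name rule, and revocation), modelled in Python for illustration. The class, method names and result strings are hypothetical, storing only a hash of each key is a choice made for this example, and the `ip` and `dns` arguments are assumed to be what the server itself observed for the caller.

```python
import hashlib
import secrets

class ScriptKeyRegistry:
    """Server-side record of the keys embedded in generated audit scripts."""

    def __init__(self):
        self._keys = {}  # sha256(key) -> record; the raw key is never stored

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, location, ip, dns):
        """Create the key for one generated script and bind it to its auditing host."""
        key = secrets.token_urlsafe(32)
        self._keys[self._digest(key)] = {
            "location": location, "ip": ip, "dns": dns.lower(), "revoked": False}
        return key

    def revoke(self, key):
        """'Revoke the key, kill the script': later checks for this key fail."""
        record = self._keys.get(self._digest(key))
        if record is not None:
            record["revoked"] = True

    def check(self, key, location, ip, dns):
        """Decide whether to answer a script; ip and dns are what the server observed."""
        record = self._keys.get(self._digest(key))
        if record is None:
            return "unknown-key"
        if record["revoked"]:
            return "revoked"
        if location != record["location"]:
            return "wrong-location"
        if ip == record["ip"]:
            return "ok"
        if dns.lower() == record["dns"]:
            return "ok-dhcp"      # IP changed but name matches: treated as a DHCP client
        return "wrong-host"       # neither IP nor name matches: refuse
```

A key carried in the URL query string, as in the `scriptkey=` example above, is also written to web server access logs, so those logs need the same protection as the key store.
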

