Open-AudIT

What's on your network?

All times are UTC + 10 hours




PostPosted: Thu Apr 10, 2008 10:57 pm 
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
hello!
I have a domain, run a GPO to launch audit of the closing meeting of all users of the domain. I realized that the only runs when the user politics is local administrator of the workstation, or a domain administrator. Investigating I saw that each workstation on the road: "c:\windows" are created 3 files "audit.config", "failed_audits.txt" and "setupapi.log". As users are only "domain users" have no permits "write" in the "c:\windows" of the local machine, so the team was not audited. What if I fix to users of dominoes as local administrators. But I do not think a good solution, I would like to know how I can fix this so that simply being "authenticated users domain" no domain or local administrators. Have you ever had this problem? What is the best solution?

Thank you for everything :P


PostPosted: Fri Apr 11, 2008 2:28 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
First, update to the latest SVN version. Next ensure that the audit.vbs script you are running is the version from the SVN.
Run the script from a location where the users CAN change the log file (call the script from a batch file, but call it on a share where the script can write its logs when run as the user logging in and you should have no trouble).

Finally, if you are still struggling, you can modify the script.

Change this section, particularly, fix the path rather than using the variables. The downside of this method is that you must re-modify the script every time a new version is released.

Code:
' Find out the name of this script, usually audit.vbs but it depends where we were called from.
full_script_name = WScript.ScriptFullName
' Strip off the .vbs and the path, so we can create files with the same suffix.
' No point in creating or overwriting audit.config if we aren't called audit.vbs
script_prefix = Left(full_script_name,(InStrRev(full_script_name,".vbs")-1))
script_prefix = Right(script_prefix,(len(script_prefix) - (InStrRev(WScript.ScriptFullName,"\"))))
' We also need the Path
sScriptPath=Left(WScript.ScriptFullName, InStrRev(WScript.ScriptFullName,"\"))

this_config = sScriptPath & script_prefix & ".config"

'this_config = "audit.config"
this_audit_log = sScriptPath & script_prefix & "_log.csv"
' keep_audit_log = "y"
'
' This takes no account of the command line switches added to a forked version, but in principle
' The logic should be...
' look for audit.config and use that, if it doesn't exist, grab it from
' the web server, if we can't do that, then use the internal defaults.
' Finally modify the defaults depending on any command line switches
'
'
' First check to see if we have no config file, if so lets see if we can grab one from the server
'


What you change it to depends on where you want the log files and config to live.

BTW Was your post translated by Google by any chance? :P

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


PostPosted: Fri Apr 11, 2008 10:03 pm
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
Hi Andrew!

Yes, I translated last reply with Google, and it was unsuccessful LOL :D

Is it possible to send these files: "audit.config", "failed_audits.txt" and "setupapi.log" to another path?
These files are now created in this path: "C:\Windows" (on each local machine). The problem with permissions is that some users don't have permission to create and modify files in the path C:\Windows.

Thanks for reply!!

Regards!!


PostPosted: Fri Apr 11, 2008 10:32 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Well, the files should be created in the same folder as the script runs. The trouble is if you run the script from a folder where you have no permissions, you will not be able to create the log or modify the config.

As stated previously, you could simply run the script from a share where the users do have permissions.

For example, create a share on server Myserver called Audit$ and give everyone read/write permissions on this folder.
Copy your audit.vbs and audit.config there.

In your login script add a line
Code:
cscript \\MYSERVER\AUDIT$\audit.vbs


Now the audit.vbs will run from the myserver share, and since the script path is \\myserver\audit$\ then this is where the script should create its logs.
If you are a little paranoid about the script being deleted or modified by your users, set it read only, set the permissions to admin r/w and you should be fine.

PostPosted: Mon Apr 14, 2008 5:01 pm
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
Hi Andrew,
Thanks for reply!

Our structure is as you said. We have a folder on our server with R/W permissions, but on the computers these files are generated: "audit.config", "failed_audits.txt" and "setupapi.log" in this folder, C:\Windows.
When a computer runs the script, I suppose that it runs in the Windows folder.
Is it possible to specify another folder to create these in?

We tried to change write permissions on C:\Windows (on each PC), and all computers audit perfectly.

What will I do?

Thanks for all!!

Regards!


PostPosted: Mon Apr 14, 2008 6:37 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
:? The script should create these files in the folder where the script is run from. Therefore if you run the audit.vbs script from for example.. J:\scripts then the files should be created in J:\scripts...

Does the batch file you are running call the script from \\server\share or from a mapped drive?

PostPosted: Mon Apr 14, 2008 6:54 pm
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
A_Hull wrote:
:? The script should create these files in the folder where the script is run from. Therefore if you run the audit.vbs script from for example.. J:\scripts then the files should be created in J:\scripts...

Does the batch file you are running call the script from \\server\share or from a mapped drive?


Hi Andrew!!
Thanks for reply!

The batch file calls the script from 'cscript \\server\share\audit.vbs'!!

Yes, I know that the script should generate the files in the run directory, but in workgroup the script generates these files in each PC's Windows folder. I don't know if we can create these files in another directory, because users don't have permission to modify the Windows folder!

Regards!!


PostPosted: Mon Apr 14, 2008 7:44 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
As a workaround, create an audit.config in the same folder as the audit.vbs, and ensure that use_audit_log = "n" is set in the audit.config; this will ensure that no files are created anywhere.

PostPosted: Tue Apr 15, 2008 12:29 am
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
A_Hull wrote:
As a workaround, create an audit.config in the same folder as the audit.vbs, and ensure that use_audit_log = "n" is set in the audit.config; this will ensure that no files are created anywhere.


Thanks for reply Andrew!

We created a config file with use_audit_log = "n", but it didn't work well. It didn't audit and we also have the same problem, permissions on the Windows folder.
I'm going crazy with this problem, what is happening?
Andrew, do no other people have this problem? Am I the only one that has it???

Thanks for all, and regards!!


PostPosted: Tue Apr 15, 2008 5:58 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
What version are you using? Try calling the script from a mapped drive; it could be the case that because the script is being run from a UNC it doesn't work correctly.

To summarise... Place the script, the config file and the batch file running the script in the share, Map a drive letter (for example J:) to the share (you could use a second batch file to do this) run the script with something like...
Code:
@echo off
j:
CSCRIPT J:\audit.vbs
pause

What SHOULD happen is that the script will run, use the config file it finds in the current folder (in this case J:audit.config) and complete the audit, creating its log file also on drive J: (assuming the use_audit_log = "n" is not set in the config)

Modify this config file to suit your server name.

Code:
audit_location = "r"
verbose = "y"
audit_host="http://myserver.mydomain.local"
online = "yesxml"
strComputer = "."
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = "http://myserver.mydomain.local/openaudit/admin_pc_add_1.php"
non_ie_page = "http://myserver.mydomain.local/openaudit/admin_pc_add_2.php"
input_file = ""
email_to = ""
email_from = ""
email_server = ""
audit_local_domain = "n"
local_domain = "LDAP://mydomain.local"
hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
nmap_subnet = "192.168.0."            ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.000.000"    ' The subnet padded with 0's
nmap_ie_form_page = audit_host & "/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
use_audit_log = "n"


Let me know the results. Good luck. :D

PostPosted: Thu Apr 17, 2008 12:28 am
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
Hi Andrew,

We tried to map a drive letter to where the scripts are, but it wasn't successful.

The problem really is that these files can't be created in this folder, "c:\windows".
I think that the problem comes from another part. Mapping the folder with the scripts doesn't change the folder where the files are created.

Thanks for all!!

Regards!!!!!


PostPosted: Thu Apr 17, 2008 1:11 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Modify the line.
Code:
sScriptPath=Left(WScript.ScriptFullName, InStrRev(WScript.ScriptFullName,"\"))

to
Code:
' Keep the trailing backslash: the script appends the file name directly to sScriptPath
sScriptPath="J:\PATHNAME\"


Where J:\PATHNAME is the location you would like the script to create the files. Run the script and let me know the results.

Thanks



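An alternative to hard-coding the path, as an added example that is not part of the thread or of Open-AudIT's audit.vbs: probe for a folder the logged-in user can actually write to, so standard users need neither local admin rights nor write access to C:\Windows. The function names `CanWriteTo` and `PickOutputPath` and the %TEMP% fallback are assumptions for illustration; the config is still read from the script's own folder so the share holding the script can stay read-only for users.

```vbscript
Option Explicit

Dim fso, shell
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Hypothetical helper: True if the current user can create a file in folderPath.
Function CanWriteTo(folderPath)
    Dim probePath, probeFile
    CanWriteTo = False
    If Not fso.FolderExists(folderPath) Then Exit Function
    probePath = fso.BuildPath(folderPath, fso.GetTempName())
    On Error Resume Next
    Set probeFile = fso.CreateTextFile(probePath, True)
    If Err.Number = 0 Then
        probeFile.Close
        fso.DeleteFile probePath, True
        CanWriteTo = True
    End If
    Err.Clear
    On Error GoTo 0
End Function

' Hypothetical helper: first writable candidate, returned with a trailing
' backslash because the script appends file names directly to the path.
Function PickOutputPath()
    Dim candidates, candidate
    candidates = Array( _
        fso.GetParentFolderName(WScript.ScriptFullName), _
        shell.ExpandEnvironmentStrings("%TEMP%"))
    PickOutputPath = ""
    For Each candidate In candidates
        If CanWriteTo(candidate) Then
            PickOutputPath = candidate
            If Right(PickOutputPath, 1) <> "\" Then PickOutputPath = PickOutputPath & "\"
            Exit For
        End If
    Next
End Function

Dim sScriptPath, sLogPath, script_prefix, this_config, this_audit_log
sScriptPath = fso.GetParentFolderName(WScript.ScriptFullName) & "\"
script_prefix = fso.GetBaseName(WScript.ScriptFullName)
this_config = sScriptPath & script_prefix & ".config"   ' read-only location is fine
sLogPath = PickOutputPath()
If sLogPath = "" Then
    WScript.Echo "No writable folder found; the audit log cannot be written."
    WScript.Quit 1
End If
this_audit_log = sLogPath & script_prefix & "_log.csv"
WScript.Echo "Config: " & this_config & vbCrLf & "Log: " & this_audit_log
```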
PostPosted: Tue Apr 22, 2008 6:26 pm
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
Thanks for reply Andrew!

The evidence that we have done thus far are satisfactory, as you say goes all in 2 days :D :D :D

Thanks for all, and regards!! :mrgreen:


PostPosted: Wed Apr 30, 2008 5:02 pm
Newbie

Joined: Wed Apr 02, 2008 5:53 pm
Posts: 21
Hi Andrew,
I feel the delay in reply, have not been 2 days, but it is better late than never ... jaja :mrgreen: . Now I have more tests to verify whether the operation is correct. The code works perfectly with the changes. thanks for support :mrgreen: :mrgreen:

Thanks for all, and regards!!
:mrgreen:

