Open-AudIT
https://www.open-audit.org/phpBB3/

What is the UUID?
https://www.open-audit.org/phpBB3/viewtopic.php?f=5&t=3261
Page 1 of 1

Author:  Phostenix [ Mon Apr 20, 2009 3:34 am ]
Post subject:  What is the UUID?

Sorry for the basic question, but with some searching, I haven't been able to find an answer to my question of how the UUID is generated. It doesn't seem to match the SID of the machines that I can tell.

TIA

Author:  Mark [ Mon Apr 20, 2009 8:51 am ]
Post subject:  Re: What is the UUID?

The actual UUID is from the motherboard.
The distinct identifier in the DB is either the UUID, Mac Address or System Name - depending on an option in the audit.config.

Author:  Phostenix [ Mon Apr 20, 2009 12:36 pm ]
Post subject:  Re: What is the UUID?

Thanks, Mark.

Author:  Phostenix [ Mon Apr 20, 2009 3:47 pm ]
Post subject:  Re: What is the UUID?

I was sure that I had seen 2 machines in OA that had the same UUID (which is why I switched to MAC address for the UUID now). Just to confirm, I added this to my WMI test script:

Set colItems = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystemProduct")

' For Each... In Loop (Next at the very end)
For Each objItem in colItems
WScript.Echo "Machine Name: " & objItem.Name & VbCr & _
"===================================" & vbCr & _
"Name: " & objItem.Name & VbCr & _
"Description: " & objItem.Description & VbCr & _
"Caption: " & objItem.Caption & VbCr & _
"IdentifyingNumber: " & objItem.IdentifyingNumber & VbCr & _
"SKUNumber: " & objItem.SKUNumber & VbCr & _
"Vendor: " & objItem.Vendor & VbCr & _
"UUID: " & objItem.UUID & VbCr & _
"Version: " & objItem.Version & VbCr & _
""
Next

And, sure enough, the 2 machines report the same UUID (other machines report different UUIDs, so the script is working). They are Dell GX270s. I thought that wasn't supposed to ever happen.

Author:  Mark [ Wed Apr 22, 2009 3:26 pm ]
Post subject:  Re: What is the UUID?

"In theory" - no it's not.
In practise..... a lot of white-box makers don't bother to set a serial or UUID in the bios. And sometimes (as you've seen) you can get duplicates. Sometimes you can flash the bios, and update this field. Depends on the bios / motherboard / chipset / manufacturer...
That's why there is the option of UUID, MAC or Name in the script.
If two systems are reporting the same MAC, then you have serious issues. Every network interface should have a uniquie MAC address. Are these machines "virtual", by chance ? Maybe you copied a VM and ended up with the same MAC ? If they're physical machines, I would be worried !!! Pull the NIC and check the MAC (usually on a sticker) - or if they're onboard NICs, check in the BIOS.

FYI - OAv2 gets around this by concatenating the UUID + MAC + Name. THAT combination oughta be distinct !!! And "yes", I am planning a "merge systems" option - for when you change a network card or rename the PC, etc. Systems are also flagged in the DB as "production", "retired", etc. So if you reinstall a system and use the same name, before you audit it after reinstalling, simply change the flag in OAv2 to "retired" and you won't get massive amounts of false positive alerts.

Author:  Phostenix [ Thu Apr 23, 2009 11:26 am ]
Post subject:  Re: What is the UUID?

Mark, to confirm, I have machines with matching UUIDs, not matching MAC Addresses.

Author:  The Tech Guy [ Thu Nov 12, 2009 7:43 am ]
Post subject:  Re: What is the UUID?

I realize it has been awhile since my last post, but I have been doing field work for the last year and have just returned to a network admin job that I had left where I had put OA in place and now that I am back there are a ton of Duplicate entries in our DB. Could really use those new features coming out in OAv2. Any ideas as to when it will come out?

Thank you

Jon

Author:  rsaavedra [ Fri Aug 06, 2010 11:28 am ]
Post subject:  Re: What is the UUID?

I can also report to have seen same UUIDs from different machines where I work, and this is in a network with just slightly above 100 computers. The "All audited systems" report from OA just lists 90 because of these UUID overlaps.

Author:  rsaavedra [ Tue Aug 10, 2010 10:49 pm ]
Post subject:  Re: What is the UUID?

To be more exact, the following is the UUID that gets repeated in our network:
03000200-0400-0500-0006-000700080009

It's not a bug in the OpenAudit script. Different machines in our network actually have this same UUID. (You can look it up on Google and realize it appears quite a few times, in spite of the fact that a UUID is supposed to be unique world-wide, and pretty much forever.) As mentioned earlier in the thread, the reason for this recurrence is that some motherboard manufacturers, in particular BIOSTAR, appear *not* to be setting the UUIDs of their products properly.

I modified the vbs script (this is for version 1 of OpenAudit though) so that it keeps using UUID, but handles this special case using Name + Domain. I prepended a text tag ("UUIDFIX#") for each special case, so as to distinguish them easily on the reports whenever they appear. This section of code is shortly after the comment "# Make the UUID #" :

[code]' Defaults below here account for oddities
if ((isnull(system_uuid) OR system_uuid = "") AND (system_model <> "") AND (system_id_number <> "")) then system_uuid = "UUIDFIX1." + system_model + "." + system_id_number end if

if (isnull(system_uuid) OR system_uuid = "" OR system_uuid = ".") then system_uuid = "UUIDFIX2." + system_name + "." + net_domain end if

if system_uuid = "00000000-0000-0000-0000-000000000000" then system_uuid = "UUIDFIX0." + system_name + "." + domain end if

if system_uuid = "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF" then system_uuid = "UUIDFIXF." + system_name + "." + domain end if

' The following UUID can be found on different PCs with BIOSTAR motherboards
if system_uuid = "03000200-0400-0500-0006-000700080009" then
system_uuid = "UUIDFIXR." + system_name + "." + domain
end if
[/code]

Author:  rsaavedra [ Tue Aug 17, 2010 1:01 am ]
Post subject:  Re: What is the UUID?

Just for the record. As indicated in my previous post, Windows reported the following UUID from the machines that had a repeated UUID:

03000200-0400-0500-0006-000700080009

I installed Ubuntu 10.04 in dual boot mode on one of the PCs that had that UUID. Oddly enough, Ubuntu reports a slightly different UUID from that very same machine:

00020003-0004-0005-0006-000700080009

Page 1 of 1 All times are UTC + 10 hours
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/