Open-AudIT
https://www.open-audit.org/phpBB3/

Windows Audit Issues
https://www.open-audit.org/phpBB3/viewtopic.php?f=5&t=4427
Page 1 of 2

Author:  djmohr [ Fri Feb 25, 2011 1:18 am ]
Post subject:  Windows Audit Issues

Hi all

I have gone through pages and pages of information relating to doing a Windows PC audit and I have been unable to find any information that has helped me, which is rather frustrating as I'm on a deadline to get my network audited.

So I have gotten an Ubuntu 8.04 Desktop PC up and running and have OA running on there. I have configured LDAP as I want to scan my entire domain.
I edited the audit.config file and it is as follows:
[quote]
'
' Standard audit section
'
audit_location = "r"
verbose = "y"
audit_host="http://192.168.16.249"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/openaudit/admin_pc_add_1.php"
non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"
input_file = "pc_list_file.txt"

'
' Email authentication
'
'

email_to = "example@example.com"
email_from = "example@example.com"
'email_sender = "Open-AudIT"
email_server = "mail.example.com" ' IP address or FQDN
email_port = "25" ' The SMTP port
email_auth = "1" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_user_id = "example@example.com" ' A valid Email account in user@domain format
email_user_pwd = "some_password" ' The SMTP email password
email_use_ssl = "false" ' True/False
email_timeout = "60" ' In seconds
send_email = "false" ' True/False - Enable/Disable email sending

audit_local_domain = "y"
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
'domain_type = "nt"

local_domain = "LDAP://mydomain.com"

'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensitive. See the example below.
'
'local_domain = "WinNT://IEXPLORE"
'local_domain = "WinNT://<domainname>"
'

hfnet = "n"
Count = 0
number_of_audits = 60
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
'
' Nmap section
'
nmap_tmp_cleanup = true ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_subnet = "192.168.16." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.016." ' The subnet padded with 0's
nmap_ie_form_page = audit_host + "/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "y" ' Tcp Syn scan
nmap_udp_scan = "y" ' UDP scan
nmap_srv_ver_scan = "y" ' Service version detection.
nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast
[/quote]

I then go to Audits menu, click on manage audits and create a new audit configuration after which I run it and all I get is:

[quote]Failed to run: Test (126)[/quote]

Can someone please help, I tried to do it via a logon script but that went just as bad.

Oh I'm running OA Version 09.12.23, Ubuntu 8.04 and Server 2008 R2

Author:  jpa [ Fri Feb 25, 2011 7:40 am ]
Post subject:  Re: Windows Audit Issues

To start with I would get the latest version from SVN. [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]SVN tarball download[/url]

Then you should pick a method of auditing your machines. Use the web-schedule method which is available from the Audits -> Manage Audit menu and configure the scan properties from the web interface. Or use the cscript method where you edit the audit.config file and run "cscript audit.vbs" from the individual machine or from a central auditing machine in the case of a domain audit.

There are [url=http://chadsikorra.com/scripting/openaudit-web-schedule]some problems[/url] with the web-schedule method if you're running the server side on 64bit Linux or a locked down Apache. I don't use the web schedule method as it was written and included in OpenAudit after I had my system set up. I cscript audit.vbs with appropriate audit.config settings from a central Windows server as a user with Administrator rights on the targeted machines.

If you go the web-schedule route all your configuration is done through the web interface not audit.config and your server host must be supported.

Author:  djmohr [ Fri Feb 25, 2011 2:27 pm ]
Post subject:  Re: Windows Audit Issues

Thanks, will give it a try and report back.
Would it make a difference if the Ubuntu box is running as a Guest OS on Hyper-V; the Ubuntu box is 32bit as I ran into the Web Schedule issues a few days ago on 64bit.

Author:  djmohr [ Fri Feb 25, 2011 4:33 pm ]
Post subject:  Re: Windows Audit Issues

Ok, so I did what you mentioned and it's already going much better. I set up a test scan, but the results came back: Audit ended abnormally or something of the sort.
I then read up on this: viewtopic.php?f=6&t=1464 again and thought that it might be due to insufficient rights, so I enabled ldap authentication and so now sit with this:
[quote]
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'openaudit'@'localhost' (using password: YES) in /var/www/openaudit/include_functions.php on line 1084
Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /var/www/openaudit/include_functions.php on line 1085
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /var/www/openaudit/include_functions.php on line 1095
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/openaudit/include_functions.php on line 1096
Warning: mysql_close(): no MySQL-Link resource supplied in /var/www/openaudit/include_functions.php on line 1115
[/quote]

I'm assuming it has something to do with ldap not being configured on MySQL or something...
Any ideas?

Author:  jpa [ Sat Feb 26, 2011 2:41 am ]
Post subject:  Re: Windows Audit Issues

[quote="djmohr"]
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'openaudit'@'localhost' (using password: YES) in /var/www/openaudit/include_functions.php on line 1084
[/quote]
This says to me that you need to grant rights to your OpenAudit database to user openaudit coming from localhost.

Author:  djmohr [ Mon Feb 28, 2011 3:49 pm ]
Post subject:  Re: Windows Audit Issues

OK, sorted out the MySQL issue but I still can't get any Audit to provide info.
When I run an Audit I get the following:

Audit Stopped Abnormally PCNAME 13007 28/02/11 10:00:07 am

Author:  jpa [ Wed Mar 02, 2011 10:46 am ]
Post subject:  Re: Windows Audit Issues

Without more logs to figure out what exactly is dying, troubleshooting this is tough. Trouble is that none of this stuff is logged. As I've discovered while troubleshooting this, the web schedule stuff has tons of places where things can go wrong without useful error messages. I couldn't even get a configuration saved initially because it doesn't handle MySQL setups with strict_mode set. Are you dead set on using the web schedule stuff rather than a normal cscript audit.vbs and audit.config setup? If so you'll need to post a whole lot more information about your configuration.

Author:  djmohr [ Thu Mar 03, 2011 12:17 am ]
Post subject:  Re: Windows Audit Issues

Suppose I'm just being lazy using the web schedule.
I'm open to the script; I did have issues getting it to work, but I'm willing to have a look at it again with some guidance.

Author:  jpa [ Fri Mar 04, 2011 9:24 am ]
Post subject:  Re: Windows Audit Issues

It shouldn't be very difficult as you've already got the audit.config file mostly done from the earlier post. You do need to get the local_domain line set with your current domain. Then from a Windows machine logged on as a user with administrator rights on the target machines you can run "cscript audit.vbs" and your domain should get audited and the data posted. Post any error messages if this doesn't work.

I can help troubleshoot the web schedule if you need but you'll need to edit-in some additional logging so we can see what's happening.

Author:  djmohr [ Fri Mar 04, 2011 8:32 pm ]
Post subject:  Re: Windows Audit Issues

My current audit.config file:
Could you please point out what it is that I need to change and if there is anything that needs to be changed on other files.

'
' Standard audit section
'
audit_location = "r"
verbose = "y"
audit_host="http://support"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/openaudit/admin_pc_add_1.php"
non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"
input_file = "pc_list_file.txt"

'
' Email authentication
'
'

email_to = "example@example.com"
email_from = "example@example.com"
'email_sender = "Open-AudIT"
email_server = "mail.example.com" ' IP address or FQDN
email_port = "25" ' The SMTP port
email_auth = "1" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_user_id = "example@example.com" ' A valid Email account in user@domain format
email_user_pwd = "some_password" ' The SMTP email password
email_use_ssl = "false" ' True/False
email_timeout = "60" ' In seconds
send_email = "false" ' True/False - Enable/Disable email sending

audit_local_domain = "y"
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
'domain_type = "nt"

local_domain = "LDAP://example.local"

'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensitive. See the example below.
'
'local_domain = "WinNT://IEXPLORE"
'local_domain = "WinNT://<domainname>"
'

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
'
' Nmap section
'
nmap_tmp_cleanup = true ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_subnet = "192.168.0." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.000." ' The subnet padded with 0's
nmap_ie_form_page = audit_host + "/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "y" ' Tcp Syn scan
nmap_udp_scan = "y" ' UDP scan
nmap_srv_ver_scan = "y" ' Service version detection.
nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast
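
Added example (not part of the original posts and not Open-AudIT code): a small Python check that evaluates the VBScript-style assignments of an audit.config like the one above and reports settings that send audit data or the SMTP login unencrypted, or that keep a password in the file. The sample text is constructed from the posted config, and the function names are hypothetical.

```python
import re

# Constructed sample: a few lines abridged from the audit.config posted above.
SAMPLE_CONFIG = """
' Standard audit section
audit_host="http://support"
non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"
email_auth = "1" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_user_pwd = "some_password" ' The SMTP email password
email_use_ssl = "false" ' True/False
send_email = "false" ' True/False - Enable/Disable email sending
'local_domain = "WinNT://IEXPLORE"
local_domain = "LDAP://example.local"
nmap_ip_end = 254
"""

TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_]\w*)|(\d+)')
COMMENT = re.compile(r'''^((?:[^"']|"[^"]*")*)'.*$''')

def parse_audit_config(text):
    """Evaluate assignments of the form: name = "str" | number | name + "str"."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("'") or "=" not in line:
            continue  # comment-only or blank line
        name, _, expr = line.partition("=")
        expr = COMMENT.sub(r"\1", expr)  # drop a trailing ' comment outside quotes
        parts = [cfg.get(ident.lower(), ident) if ident else (string or number)
                 for string, ident, number in TOKEN.findall(expr)]
        cfg[name.strip().lower()] = "".join(parts)
    return cfg

def review(cfg):
    """Hypothetical helper: list settings that expose audit data or credentials."""
    findings = []
    for key in ("audit_host", "ie_form_page", "non_ie_page", "nmap_ie_form_page"):
        if cfg.get(key, "").lower().startswith("http://"):
            findings.append(f"{key}: results are posted over plain HTTP to {cfg[key]}")
    mail_on = cfg.get("send_email", "").lower() == "true"
    if mail_on and cfg.get("email_auth") == "1" and cfg.get("email_use_ssl", "").lower() != "true":
        findings.append("email_auth=1 with email_use_ssl off: SMTP login sent in clear text")
    if cfg.get("email_user_pwd"):
        findings.append("email_user_pwd: clear-text password; restrict who can read audit.config")
    return findings

if __name__ == "__main__":
    for finding in review(parse_audit_config(SAMPLE_CONFIG)):
        print(finding)
```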

Author:  shanimal [ Sat Mar 05, 2011 5:54 am ]
Post subject:  Re: Windows Audit Issues

I think you only need to change this one, to match your company active directory name:

local_domain = "LDAP://example.local"

Ours is similar to this:

local_domain = "LDAP://company.com"

Also, if the windows firewall is in use for your windows systems, the "remote administration" firewall rule will need to be opened.

Author:  djmohr [ Sat Mar 05, 2011 4:30 pm ]
Post subject:  Re: Windows Audit Issues

Cool will give it a try.

Our domain policy has the workstations firewalls disabled, so hopefully all goes well.

Author:  djmohr [ Sat Mar 05, 2011 5:30 pm ]
Post subject:  Re: Windows Audit Issues

So I made the change to the audit.config file, added our domain: local_domain = "LDAP://company.com"
and got the following error:

C:\Audit>cscript audit.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved

C:\Audit\audit.vbs(168, 1) msxml3.dll: System error: -2146697211.

I ran this as domain administrator on a test pc and tried as local admin and got the same results.

Suggestions?

Author:  djmohr [ Sat Mar 05, 2011 5:47 pm ]
Post subject:  Re: Windows Audit Issues

ok finally
I had to edit the audit.vbs script
changed this_config_url = "http://openaudit/openaudit/list_export_config.php" to this_config_url = "http://serveripaddress/openaudit/list_export_config.php"

and it worked.
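
Added example (not from the thread or the Open-AudIT project): the number cscript printed, -2146697211, is a signed HRESULT. Decoded it is 0x800C0005, urlmon's INET_E_RESOURCE_NOT_FOUND, which is consistent with the client being unable to resolve the host name in this_config_url. The Python below decodes such values and pre-checks that the hosts in the audit URLs resolve; the function names and the 192.0.2.10 address are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

# urlmon error codes in FACILITY_INTERNET (0xC), as defined in urlmon.h.
INET_E = {
    0x0002: "INET_E_INVALID_URL",
    0x0004: "INET_E_CANNOT_CONNECT",
    0x0005: "INET_E_RESOURCE_NOT_FOUND",
    0x0006: "INET_E_OBJECT_NOT_FOUND",
    0x0007: "INET_E_DATA_NOT_AVAILABLE",
    0x0008: "INET_E_DOWNLOAD_FAILURE",
    0x000B: "INET_E_CONNECTION_TIMEOUT",
}

def decode_hresult(signed):
    """Split the signed decimal that cscript prints into HRESULT fields."""
    value = signed & 0xFFFFFFFF              # reinterpret as unsigned 32-bit
    facility = (value >> 16) & 0x7FF         # bits 16-26
    code = value & 0xFFFF                    # bits 0-15
    name = INET_E.get(code) if facility == 0xC else None
    return {"hex": f"0x{value:08X}", "failure": bool(value >> 31),
            "facility": facility, "code": code, "name": name}

def unresolvable_hosts(urls, resolve=socket.gethostbyname):
    """Hypothetical pre-flight: hosts in the URLs that this client cannot resolve."""
    bad = []
    for url in urls:
        host = urlsplit(url).hostname
        try:
            resolve(host)
        except OSError:                      # socket.gaierror is a subclass
            if host not in bad:
                bad.append(host)
    return bad

if __name__ == "__main__":
    print(decode_hresult(-2146697211))
    # First URL is the default quoted in the post; the second is constructed.
    print(unresolvable_hosts([
        "http://openaudit/openaudit/list_export_config.php",
        "http://192.0.2.10/openaudit/list_export_config.php",
    ]))
```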

Author:  djmohr [ Sat Mar 05, 2011 9:45 pm ]
Post subject:  Re: Windows Audit Issues

OK, now got the script to run at logon; also managed to audit systems on my remote sites through our company's VPN link.

One thing the software is not providing me is some of the serial keys for our CAD software, so far it only shows MS software.

Any way it can show other software keys?

All times are UTC + 10 hours