Open-AudIT
https://www.open-audit.org/phpBB3/

Audit not running on local machine
https://www.open-audit.org/phpBB3/viewtopic.php?f=5&t=5710
Page 1 of 1

Author:  comclusive [ Fri May 20, 2011 8:11 pm ]
Post subject:  Audit not running on local machine

Hello,

I have noticed that the audit does not run on a local machine if it is Windows 7 or 2008. We first saw that on an SBS 2008 domain the SBS box was not audited, but if you run the audit from a remote client the SBS box then does get audited.

While looking at this issue (running the audit from my Windows 7 PC) I then noticed that my PC was not audited!

Here is the audit.config in case I am missing something.

'
' Standard audit section
'
audit_location = "r"
verbose = "y"
audit_host="http://xxxxxxxxxx.com"
'online = "yesxml"
online = "n"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/audit_upload/admin_pc_add_1.php"
non_ie_page = audit_host + "/audit_upload/admin_pc_add_2.php"
input_file = "pc_list_file.txt"

audit_local_domain = "y"
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
'domain_type = "nt"
'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensetive. See the example below.
'
'local_domain = "WinNT://IEXPLORE"
'local_domain = "WinNT://<domainname>"
'

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
'
' Nmap section
'
nmap_tmp_cleanup = false ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "y" ' Tcp Syn scan
nmap_udp_scan = "y" ' UDP scan
nmap_srv_ver_scan = "y" ' Service version detection.
nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast

'Added during site creation
nmap_subnet = "x.x.0.0"
nmap_subnet_formatted = "x.x.000.000"
nmap_ie_form_page = "http://xxxxxxxxx.com/audit_upload/admin_nmap_input.php"
email_server = "x.x.0.2"
local_domain = "LDAP://xxxxx"

Author:  jpa [ Sat May 21, 2011 2:19 am ]
Post subject:  Re: Audit not running on local machine

You have "audit_online = n" which means audit to a text file. You'd then need to separately upload this to OA. Use "audit_online = yesxml" like you've got commented out in your config for automatic upload of audit data.

Uncomment the local_domain line and use the correct info for your domain. EDIT: Woops. I see that line is already at the end. You don't need to uncomment the first instance.

For the 2008/7 local audit maybe you need to run the scan elevated to Admin. Assuming the above doesn't fix it.

Author:  comclusive [ Mon May 23, 2011 4:53 pm ]
Post subject:  Re: Audit not running on local machine

Thanks for the reply, I set it to log to text file as a test to see if the local machine was even seen to be able to create the text file initially, which it wasn't.

Completely overlooked the run elevated, thanks for the pointer, I'll report back!

Author:  comclusive [ Mon May 23, 2011 7:53 pm ]
Post subject:  Re: Audit not running on local machine

Just an update, ran elevated and made no difference. :(

Author:  jpa [ Tue May 24, 2011 2:14 am ]
Post subject:  Re: Audit not running on local machine

What output do you get if you run the following elevated on a Win7 box named machinetoaudit. Maybe it has some clues.
[code]cscript audit.vbs machinetoaudit[/code]

Author:  comclusive [ Tue May 24, 2011 10:00 pm ]
Post subject:  Re: Audit not running on local machine

It says machine not available. This is the same on sbs2008 and W7. Firewall on or off makes no difference. Yet the machines audit remotely...

Oh, and WMI connects locally using Comp management.

Author:  jpa [ Wed May 25, 2011 2:15 am ]
Post subject:  Re: Audit not running on local machine

Hopefully this works run elevated from the machine in question:
[code]cscript audit.vbs .[/code]

If it does I would replace the IsConnectible function around line 4611 with the following and see if you can do "cscript audit.vbs machinename" successfully.

EDIT: My original version broke domain auditing from older Windows versions. I was using the wrong value from the registry. I've updated the code below.

[code]Function IsConnectible(sHost,iPings,iTO)
if sHost = "." then
IsConnectible = True
else
If iPings = "" Then iPings = 2
If iTO = "" Then iTO = 750
Set oShell = CreateObject("WScript.Shell")
sCurrentBuildNumber=UCase(oShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber"))
If CInt(sCurrentBuildNumber) >= 6000 Then
Set oExCmd = oShell.Exec("ping -n " & iPings & " -w " & iTO & " " & sHost & " -4")
Else
Set oExCmd = oShell.Exec("ping -n " & iPings & " -w " & iTO & " " & sHost)
End if
Select Case InStr(UCase(oExCmd.StdOut.Readall),"TTL=")
' Select Case InStr(oExCmd.StdOut.Readall,"TTL=")
Case 0 IsConnectible = False
Case Else IsConnectible = True
End Select
end if
End Function[/code]

Author:  comclusive [ Wed May 25, 2011 7:29 pm ]
Post subject:  Re: Audit not running on local machine

That got it! You star, thanks so much for bearing with me! :-)

Author:  jpa [ Thu Jun 09, 2011 4:06 am ]
Post subject:  Re: Audit not running on local machine

Woops. My change broke domain auditing from earlier Windows versions. I've changed the code above to pull the correct registry key value.

Author:  comclusive [ Thu Jun 16, 2011 10:15 pm ]
Post subject:  Re: Audit not running on local machine

Thanks for the update! :)

Page 1 of 1 All times are UTC + 10 hours
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/