Open-AudIT

What's on your network?
All times are UTC + 10 hours

PostPosted: Tue Sep 19, 2006 12:11 am 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
How it works....

Open Audit (or more correctly Open-AudIT) audits the hardware and software it discovers on your computers, and posts its findings to a MySQL database. From there the data is presented in a clean and readable form via a set of PHP web pages.

Open Audit is the successor to Winventory, a similar open source project from which its code base is derived.

Open Audit uses a slightly more cunning method to post data to the database than its predecessor Winventory.

For Windows based PCs, a script called audit.vbs reads data from Microsoft's Windows Management Interface (WMI) and posts its findings to the server.

Instead of installing MyODBC connector on all of the audited machines, we simply gather the data using the audit.vbs script, and write it directly to the web server in the form of a POST to a web page.

Actually we post an XML formatted page using either a direct xml post, or by hooking into the local web browser and using that to post.

Therefore we need to set up the audit.config file to match the settings we have chosen for our web server, and the method chosen to post the page.

We do this by modifying audit.config, either manually or using the menu (Admin > Audit Config). ** (This menu option is not available in the current release, but may re-appear in later releases (AJH 16jan07), so you will need to edit the file by hand. We are in the process of re-coding this.) **

Note also that the defaults for most values are listed in audit.config.defaults

The main configuration options and their meanings are shown below....

Code:
audit_location = "r"

("l"ocal or "r"emote depending on whether the machine you are auditing from is the same machine you are posting to (local) or not (remote))
Code:
verbose = "y"

(If "y" then you can see the results from the audit.vbs script as it does its work. If "n", everything is almost silent. If you run cscript audit.vbs, then leaving this as verbose = "y" is probably the best option unless you have a HUGE network.)
Code:
online = "yesxml"

(this can be "yesxml" or "ie" and selects whether we submit the page via Internet Explorer, or directly using XMLPOST. I would use yesxml since it doesn't waste the resource of launching ie for every audit. yesxml works for me with 80 or so machines in about ten minutes or so, depending on what else the machines are doing at the time)
Code:
strComputer = ""

(Set this to "." to audit just the local machine, for pretty much any other purpose, set it to "")
Code:
ie_visible = "n"

(only makes sense with online="ie" and lets you see the browser in operation)
Code:
ie_auto_submit = "y" 

(Ditto, but selects whether the page submits automatically or waits for user input, I would use "y" )
Code:
ie_submit_verbose = "n"

(Does what it says. Submits the ie page with all of the information exposed as it is gathered)
Code:
ie_form_page = "http://myoaserver.local/openaudit/admin_pc_add_1.php"

This is not too obvious, as it can be almost anything. The simplest case is to use http://127.0.0.1/openaudit/admin_pc_add_1.php

This will allow the script to post to the same box as the OA web server is running on.

Next we can use an IP address, something like http://192.168.0.4/openaudit/admin_pc_add_1.php

This allows us to post results from a machine other than the web server, AND from the web server.

Finally this can be something like
http://myopenauditbox.mydomain.myou/ope ... _add_1.php

This allows us to post from anywhere so long as our DNS server can resolve myopenauditbox.mydomain.myou to the correct IP address and no firewall blocks our traffic (and our web server will accept requests from the IP address running the VBS script of course).

(In short this is the page that ie submits to; it can be an IP or a machine name followed by the folder within htmlroot on the web server running the OA web pages.)
Code:
non_ie_page = "http://myoaserver.local/openaudit/admin_pc_add_2.php"

( the page that yesxml submits to, and the page that the ie page calls next, so it has to be valid, see previous description)
Code:
nmap_subnet = "192.168.45."            ' The subnet you wish to scan

(Does what it says, but only used by the nmap script)
Code:
nmap_subnet_formatted = "192.168.045."    ' The subnet padded with 0's

(Does what it says, but only used by the nmap script, bit of a fudge, 'cos we should generate this from the above nmap_subnet)
Code:
nmap_ie_form_page = "http://myoaserver.local/openaudit/admin_nmap_input.php"

(does what you think it does, the same as the audit page ie_form_page, but for the nmap script, see the previous ie_form_page descriptions)
Code:
nmap_ie_visible = "n"

(likewise, also for the nmap script)
Code:
nmap_ie_auto_close = "y"

(likewise, also for the nmap script)
Code:
nmap_ip_start = 1

(start of ip range on subnet chosen above)
Code:
nmap_ip_end = 254

(end of ip range on subnet chosen above)
Code:
nmap_tmp_cleanup = true           

Set this false if you want to leave the tmp files for analysis in your tmp folder
Code:
nmap_syn_scan = "y"      ' Tcp Syn scan
nmap_udp_scan = "y"      ' UDP scan
nmap_srv_ver_scan = "y"  ' Service version detection.
nmap_srv_ver_int = 0     ' Service version detection intensity level. Values 0-9, 0=fast

The above options add UDP and SYN scanning to the NMAP details, however this can be slow to scan large numbers of hosts (typically several hours for a class C subnet).
The extra details will allow you to see exactly what service type is being offered on discovered ports. Worth doing perhaps once, when setting up OA, and then perhaps once a month or so to keep the details reasonably up to date. Obviously if set to 'n' these options do nothing and only a basic nmap scan is performed, this would be sufficient for a lot of people who simply want to know what services are there.

Setting nmap_srv_ver_int = 0 runs reasonably quickly, nmap_srv_ver_int = 9 is very intense, and will take a long time (it took all day on my class C network)

For a full TCP/IP security audit, it may be worthwhile doing ONLY an nmap audit, regularly, into a separate copy of OpenAudit, as the results for windows and "other" items will all appear together in the "other" table, making reporting and diagram creation a bit simpler.


Code:
input_file = ""

(used to supply a list of PCs and their usernames and passwords; these users must have WMI access rights via the network. Note administrators without passwords will not by default have these rights, so you may have to create a user on each machine for this purpose, or set the local administrator user password. If you are using a domain, use a domain admin user to do this, or better still audit the entire domain using the audit_local_domain option.)

Older versions of Open-Audit (<Version 07.12.09) used the following email fields.

Code:
email_to = ""

(Send failed audit emails to whoever@whateverdomain.whatever)
Code:
email_from = ""

(Send failed audit emails from whoever@whateverdomain.whatever)
Code:
email_server = ""


Later versions (>Version 07.12.09) support the following email fields.
Code:
use_audit_log = "n"


Tells Open Audit to log its progress (Currently only time, machine name, connect to WMI, start Ok and finish OK for each machine in the run)
The idea is to expand this to include the result of each section of the audit, so we can tell where a particular audit comes unstuck.
Set this to "n" or "y". Default is "n".

Code:
keep_audit_log = "n"

Tells Open Audit whether to create a new log every run, or append results to the current log. Set this to "n" or "y". Default is "n".

Code:
send_email = false

Tells Open Audit whether or not to email its results. Set this to true or false. Default is false.

Code:
email_to = "user@domain"     

The To: field specifies the user who will receive the email.

Code:
email_from = "user@domain"


The From: field specifies the originating account, most mail systems will insist on this account also authenticating, and may well insist the from email address matches the authenticating user.

Code:
'email_sender = "Open-AudIT"


The Sender. Watch out for problems with this; by default this field is commented out in the script, as a lot of spam filters will throw the mail away if they don't like this.

Code:
email_server = "aaa.bbb.ccc.ddd"  ' IP address or FQDN


IP or FQDN of the mail server

Code:
email_port = "25"                 ' The SMTP port


Change this if your local situation uses a non standard port, for example if you pass everything to a spam filter first.

Code:
email_auth = "1"                  ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM


As it says, no auth, clear text auth or NTLM (For MS-Exchange most likely).

Code:
email_user_id = "user@domain"     ' A valid Email account in user@domain format


This will generally be the same as the From: field, but may not require the @.... part. Check with your mail server documentation

Code:
email_user_pwd = "abc123"         ' The SMTP email password


If auth is enabled, this must be the password for the email_user_id.
(NOTE: It would be advisable to use a unique account for mailing from OA, so if the password above is learned, no sensitive info can be gleaned by hackers.

DO NOT USE YOUR POSTMASTER OR ADMINISTRATOR ACCOUNTS, UNLESS YOU ABSOLUTELY MUST, AND UNLESS YOU ARE ABSOLUTELY CERTAIN NOBODY CAN SEE THIS PASSWORD. Don't blame us if you fail to heed this warning and drown under a sea of spam.)

Code:
email_use_ssl = "false"           ' True/False


Use/don't use SSL for auth. May require a change to the Port value above.

Code:
email_timeout = "60"              ' In seconds


Needs no explanation. Increase this if you are not seeing all of your emails.

Code:
audit_local_domain = "y"

(set this to audit the domain chosen with the next variable)
Code:
random_order = false

If set to true, Audits the domain in a random order to ensure that traffic is spread evenly over slow wan links.

Code:
local_domain = "LDAP://mydomain.local"

(the AD domain to audit)

You can also specify an older style domain (read: NT4 or SAMBA domain) with
domain_type = "nt"
local_domain = "WinNT://<domainname>"

something like...
Code:
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
domain_type = "nt"

'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensitive. See the example below.
'
local_domain = "WinNT://MYDOMAIN"
'


If you set the domain_type to anything other than NT or don't set it at all, an LDAP domain is assumed.

Code:
hfnet = "n"

(use hfnet **experimental** does anybody have this working reliably?)

Code:
Count = 0 

Not sure what this does? Mark?
Code:
number_of_audits = 20

(Maximum number of audit processes to spawn simultaneously when doing an audit from the domain)
Code:
script_name = "audit.vbs"

(the name for the spawned processes, should always be audit.vbs, but you can add a path if you wish)

Code:
monitor_detect = "y"

(adds monitor type, serial number etc to database)

Code:
printer_detect = "y"

(adds printer type etc to database)

Code:
software_audit = "y"

(audits software as well as hardware)

Code:
uuid_type = "uuid"

(Changes the key to the database, can be UUID, MAC Address, or System name + Domain, I would stick with UUID)


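As an added example, not Open-AudIT's own code and not part of the post above: a small Python lint for an audit.config written in the format the post describes (key = "value" lines with ' comments). The key names and their allowed values (audit_location, online, the nmap range and the padded nmap_subnet_formatted fudge, the email_auth modes, domain_type/local_domain) come from the post; the sample config text is constructed, and the function names, the URL pattern used for the OA pages, and the list of account names flagged as too privileged are my own assumptions. It also derives nmap_subnet_formatted from nmap_subnet, as the post says should really be done.

```python
# Added example (not Open-AudIT's own code): lint an audit.config before a run.
# Key names and allowed values follow the forum post; everything else is assumed.
import re

# Constructed sample audit.config with several deliberate mistakes.
SAMPLE_AUDIT_CONFIG = r'''
' constructed sample audit.config for demonstration
audit_location = "r"
verbose = "y"
online = "yesxml"
strComputer = ""
ie_form_page = "http://myoaserver.local/openaudit/admin_pc_add_1.php"
non_ie_page = ""
nmap_subnet = "192.168.45."            ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.45."  ' forgot to pad with 0's
nmap_ip_start = 1
nmap_ip_end = 300
nmap_srv_ver_int = 0
send_email = true
email_auth = "1"                  ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_use_ssl = "false"
email_user_id = "postmaster@mydomain.local"
email_user_pwd = "abc123"
'email_sender = "Open-AudIT"
audit_local_domain = "y"
domain_type = "nt"
local_domain = "LDAP://mydomain.local"
'''

# Assumed: account names that should never be used as the OA mail account.
PRIVILEGED_MAIL_ACCOUNTS = ("postmaster", "administrator", "admin", "root")
# Assumed: an OA page URL is http(s)://host/folder/page.php.
OA_PAGE_RE = re.compile(r"https?://[^/]+/.+\.php$")


def _strip_comment(line):
    """Drop a VBScript-style ' comment, ignoring quotes inside a "..." value."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "'" and not in_quote:
            return line[:i]
    return line


def parse_audit_config(text):
    """Return {key: value} with surrounding double quotes removed from values."""
    cfg = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or "=" not in line:
            continue  # blank, comment-only, or commented-out key
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cfg[key.strip()] = value
    return cfg


def pad_subnet(subnet):
    """Derive nmap_subnet_formatted: "192.168.45." -> "192.168.045."."""
    octets = subnet.strip(".").split(".")
    return ".".join(o.zfill(3) for o in octets) + "."


def _truthy(value):
    return value.strip().lower() in ("true", "y", "yes")


def check_audit_config(cfg):
    """Return a list of findings (empty list means the config passed)."""
    findings = []
    if cfg.get("audit_location") not in ("l", "r"):
        findings.append('audit_location must be "l" or "r"')
    if cfg.get("online") not in ("yesxml", "ie"):
        findings.append('online must be "yesxml" or "ie"')
    for key in ("ie_form_page", "non_ie_page"):  # both must be valid pages
        url = cfg.get(key, "")
        if not OA_PAGE_RE.match(url):
            findings.append(f"{key} is not a valid OA page URL: {url!r}")
    try:
        start, end = int(cfg.get("nmap_ip_start", 1)), int(cfg.get("nmap_ip_end", 254))
        if not 1 <= start <= end <= 254:
            findings.append(f"nmap_ip_start/nmap_ip_end out of range: {start}-{end}")
    except ValueError:
        findings.append("nmap_ip_start/nmap_ip_end must be integers")
    subnet = cfg.get("nmap_subnet", "")
    if subnet and not re.fullmatch(r"(\d{1,3}\.){3}", subnet):
        findings.append(f"nmap_subnet must look like 192.168.45. : {subnet!r}")
    elif subnet and cfg.get("nmap_subnet_formatted") != pad_subnet(subnet):
        findings.append(f'nmap_subnet_formatted should be "{pad_subnet(subnet)}"')
    intensity = cfg.get("nmap_srv_ver_int", "0")
    if not (intensity.isdigit() and 0 <= int(intensity) <= 9):
        findings.append("nmap_srv_ver_int must be 0-9")
    if _truthy(cfg.get("send_email", "false")):
        auth = cfg.get("email_auth", "0")
        if auth not in ("0", "1", "2"):
            findings.append("email_auth must be 0, 1 or 2")
        elif auth == "1" and not _truthy(cfg.get("email_use_ssl", "false")):
            findings.append("email_auth=1 sends the SMTP password in clear text; "
                            "set email_use_ssl or use NTLM (2)")
        user = cfg.get("email_user_id", "").lower().split("@")[0]
        if user in PRIVILEGED_MAIL_ACCOUNTS:
            findings.append(f"email_user_id {user!r} is a privileged account; "
                            "use a dedicated low-privilege mail account")
    if _truthy(cfg.get("audit_local_domain", "n")):
        expected = "WinNT://" if cfg.get("domain_type", "").lower() == "nt" else "LDAP://"
        if not cfg.get("local_domain", "").startswith(expected):
            findings.append(f"local_domain should start with {expected} for this domain_type")
    return findings


if __name__ == "__main__":
    for finding in check_audit_config(parse_audit_config(SAMPLE_AUDIT_CONFIG)):
        print("-", finding)
```

Run it against your real audit.config by reading the file into parse_audit_config instead of SAMPLE_AUDIT_CONFIG; the clear-text SMTP and privileged-account findings are the ones worth fixing before the file is copied to every auditing host.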