Subject: Custom Software Registry Searching (thanks to Malenx for this FAQ)
Open-Audit contains a simple method for logging registry values as software. It reuses existing code in audit.vbs to read a registry value and store it in the database under the Software table. This topic covers what's going on, how to do it ourselves, and how to view the data.
1. WHAT'S HAPPENING / DO IT OURSELVES. In the scripts folder of your Open-Audit install you should find a file named audit_custom_software.inc; by default it contains two examples. Around line 2578 of audit.vbs is a section (' Include customer specific audits) that calls the code in audit_custom_software.inc. As such, audit_custom_software.inc needs to be stored in the same directory as audit.vbs. To get started, I've listed the code to log a value for McAfee's Network Associates engine version.
[code]
' McAfee Engine-Version to the Software Register
strKeyPath = "SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion"
strValueName = "szEngineVer"
display_name = "McAfee Engine-Definition-Version"
' Read the REG_SZ value into McAfeeVirEng_Version (oReg is the StdRegProv object audit.vbs has already created)
oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,McAfeeVirEng_Version
' Build the ^^^-separated record for the software table; the empty fields are columns we leave blank
form_input = "software^^^" & display_name & "^^^" _
  & McAfeeVirEng_Version & "^^^" _
  & "" & "^^^" _
  & "" & "^^^" _
  & OSInstall & "^^^" _
  & "McAfee^^^^^^^^^^^^^^^^^^" _
  & "" & "^^^" _
  & "" & "^^^" _
  & "http://www.mcafee.com" & "^^^ "
' Hand the record to audit.vbs, then clear it ready for the next entry
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
[/code]
[color=#0000BF]strKeyPath[/color] is the registry key (the "folder") we read from. [color=#0000BF]strValueName[/color] (here [color=#0000BF]szEngineVer[/color]) is the value inside that key we want. [color=#0000BF]display_name[/color] is the label the value will be stored under in our database. [color=#0000BF]oReg.GetStringValue[/color] pulls the string from the registry. If you are pulling a different data type (i.e. DWORD, Binary) you need to use the matching StdRegProv method: Strings = GetStringValue, DWORD = GetDWORDValue, Binary = GetBinaryValue.
The rest formats the data into a single string and adds it to our XML. The software table has numerous columns, which is why there are so many blank sections. If desired, you could move the data into a different column by placing it between a different pair of separators.
[color=#00BF00](TIP - ^^^ is what Open-Audit uses to keep the fields separated, so a registry value must not itself contain ^^^ or the columns after it will shift)[/color]
From here, you can just edit which values you want to read into the database, save the file, and test it on something. I like to have the database open in a viewer like phpMyAdmin so I can verify it copied the data correctly. Just browse the software table.
2. VIEWING THE DATA
No point in writing data to the database without viewing it. You need two things to view it in Open-Audit: a query to read the data and a link in the menu that uses the query. Both are explained at [url]http://www.open-audit.org/phpBB3/viewtopic.php?f=6&t=2545[/url].
[color=#00BF00]Tip: Define the correct path in the menu link.
(Example)
CORRECT: link.view=all_systems_virus_uptodate_test
INCORRECT: link.view=list_viewdef_all_systems_virus_uptodate_test.php[/color]
_________________ Andrew
[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home) LDAP: Active Directory[/size]
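Building on section 1 of the FAQ above, the following is an added example of my own; it is not from the FAQ, from Malenx, or from Open-AudIT's audit.vbs. It wraps the same pattern in two reusable routines so that one call logs any registry value of type string, DWORD or binary, skips the entry instead of writing an empty row when the key or value is missing (the original snippet ignores the return code, and a Null read concatenates as an empty string), and strips any ^ characters from the value so it cannot break the ^^^ field layout. Assumptions: it lives in audit_custom_software.inc, so oReg (StdRegProv), HKEY_LOCAL_MACHINE, the entry Sub, OSInstall, comment, objTextFile, oAdd and oComment already exist from audit.vbs; the Wow6432Node fallback (32-bit products' keys are redirected there when a 64-bit cscript reads them) and the Windows InstallDate DWORD usage at the bottom are my additions; the CUST_ constant names are mine so they cannot collide with anything audit.vbs defines.

```vbscript
' Added example (not Open-AudIT code). Assumes oReg, HKEY_LOCAL_MACHINE,
' entry, OSInstall, comment, objTextFile, oAdd and oComment come from audit.vbs.

' StdRegProv data types; prefixed so they do not clash with audit.vbs names (assumption)
Const CUST_REG_SZ = 1
Const CUST_REG_BINARY = 3
Const CUST_REG_DWORD = 4

' Read one value from HKLM and return it as a string.
' Returns "" when the key or value does not exist (non-zero return code / Null).
Function ReadRegValue(strKeyPath, strValueName, regType)
    Dim rc, strValue, dwValue, arrBytes, i, strHex
    ReadRegValue = ""
    Select Case regType
        Case CUST_REG_SZ
            rc = oReg.GetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue)
            If rc = 0 And Not IsNull(strValue) Then ReadRegValue = strValue
        Case CUST_REG_DWORD
            rc = oReg.GetDWORDValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue)
            If rc = 0 And Not IsNull(dwValue) Then ReadRegValue = CStr(dwValue)
        Case CUST_REG_BINARY
            rc = oReg.GetBinaryValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrBytes)
            If rc = 0 And Not IsNull(arrBytes) Then
                ' Render the byte array as hex so it fits a text column
                For i = LBound(arrBytes) To UBound(arrBytes)
                    strHex = Hex(arrBytes(i))
                    If Len(strHex) = 1 Then strHex = "0" & strHex
                    ReadRegValue = ReadRegValue & strHex
                Next
            End If
    End Select
End Function

' Build the ^^^-separated software record audit.vbs expects and pass it to entry.
Sub LogRegValueAsSoftware(strKeyPath, strValueName, regType, display_name, publisher, url)
    Dim strValue, form_input
    strValue = ReadRegValue(strKeyPath, strValueName, regType)
    ' Assumption: on 64-bit Windows a 64-bit cscript sees 32-bit products' keys
    ' under SOFTWARE\Wow6432Node, so retry there if the native path is empty.
    If strValue = "" And InStr(1, strKeyPath, "Wow6432Node", vbTextCompare) = 0 Then
        strValue = ReadRegValue(Replace(strKeyPath, "SOFTWARE\", "SOFTWARE\Wow6432Node\", 1, 1, vbTextCompare), _
                                strValueName, regType)
    End If
    If strValue = "" Then Exit Sub   ' nothing found: do not write an empty row
    ' ^^^ is the field separator, so a value containing ^ would shift every later column
    strValue = Replace(strValue, "^", "")
    form_input = "software^^^" & display_name & "^^^" _
        & strValue & "^^^" _
        & "" & "^^^" _
        & "" & "^^^" _
        & OSInstall & "^^^" _
        & publisher & "^^^^^^^^^^^^^^^^^^" _
        & "" & "^^^" _
        & "" & "^^^" _
        & url & "^^^ "
    entry form_input, comment, objTextFile, oAdd, oComment
End Sub

' Usage: the FAQ's McAfee engine version (REG_SZ) ...
LogRegValueAsSoftware "SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion", _
    "szEngineVer", CUST_REG_SZ, "McAfee Engine-Definition-Version", "McAfee", "http://www.mcafee.com"
' ... and a DWORD example (Windows install time in epoch seconds); my addition, not from the FAQ
LogRegValueAsSoftware "SOFTWARE\Microsoft\Windows NT\CurrentVersion", _
    "InstallDate", CUST_REG_DWORD, "Windows InstallDate (epoch seconds)", "Microsoft", ""
```

Because the functions return "" for a missing value and the Sub exits before calling entry, a machine without the product simply gets no row, which is what you want when you later query "all systems where the engine version is older than X": an empty string would otherwise sort as the oldest version of all.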