Open-AudIT


All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 28 posts ]  Go to page 1, 2  Next
PostPosted: Fri Jul 16, 2010 2:08 am
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
Hi

My database is slowly being filled with duplicates of the same installed software for the same machine, like GlidePoint® Touchpad Driver 3, which is only installed on one PC. But there are still 93 rows in the software table, where the only difference between rows is in these columns:
software_id
software_count
software_timestamp
software_first_timestamp

All the other columns are identical for each row. Why does this happen? It is actually a problem because software_register_details.php uses the software_first_timestamp to distinguish between which rows to count and show. The result is that even though I added a single license for this driver, because software_register_details.php and software_register.php use software_first_timestamp, which is different, the system keeps telling me I am not compliant because it counts the software wrong.


PostPosted: Fri Jul 16, 2010 6:09 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
This is a real quick question without having reviewed the code. Do all the problem entries have special characters like the "®" in "GlidePoint® Touchpad Driver 3" or are some plain ASCII?


PostPosted: Fri Jul 16, 2010 7:44 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
[quote="jpa"]This is a real quick question without having reviewed the code. Do all the problem entries have special characters like the "®" in "GlidePoint® Touchpad Driver 3" or are some plain ASCII?[/quote]

No, I see the same problem with a program called Connect from Adobe, EPU-6 Engine from ?? and IBM 32-bit Runtime Environment for Java 2, v1.4.2 from IBM. All of the above are on different computers, and they run XP, Vista and Windows 7, so no common ground there.

PostPosted: Fri Jul 16, 2010 8:38 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
[quote="jpa"]This is a real quick question without having reviewed the code. Do all the problem entries have special characters like the "®" in "GlidePoint® Touchpad Driver 3" or are some plain ASCII?[/quote]

No, I also see it with these programs:
Connect by Adobe
7-Zip 4.65
32 Bit HP BiDi Channel Components Installer by HP
Acrobat.com by Adobe
IBM 32-bit Runtime Environment for Java 2, v1.4.2 by IBM

And probably others I don't want to find. It happens for XP, Vista and Windows 7 machines.

PostPosted: Fri Jul 16, 2010 8:42 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
Sorry that I forgot to write the version number, it is here: Version 09.12.23


PostPosted: Fri Jul 16, 2010 8:51 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
It gets even stranger: looking at the openaudit webpage I see 2 rows for one machine for the 7-Zip 4.57 software, but when I look in the database I see 35 rows.

[code]select count(*) from software where software_name regexp '7-Zip 4.57' and software_uuid='6EA44D56-A24F-474F-8657-71BF689F929B';

+----------+
| count(*) |
+----------+
|       35 |
+----------+[/code]

I would expect it to show either 1, or all 35.


PostPosted: Sat Jul 17, 2010 8:04 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
[quote="jonbendtsen"]Sorry that I forgot to write the version number, it is here: Version 09.12.23[/quote]

You might try to [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=6&t=1430&start=0]get current[/url] to 10.05.25 and see if the problem continues.

PostPosted: Tue Aug 10, 2010 11:14 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
[quote="jpa"][quote="jonbendtsen"]Sorry that I forgot to write the version number, it is here: Version 09.12.23[/quote]

You might try to [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=6&t=1430&start=0]get current[/url] to 10.05.25 and see if the problem continues.[/quote]

It did not help. I just saw the problem with Microsoft Visual Web Developer 2010 Express - ENU which I just added to the software register today, and already 1 computer name has 2 entry lines for the same UUID.

PostPosted: Wed Aug 11, 2010 3:01 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Another question then - do you have multiple systems with the same UUID? Check if you have the same system_uuid with a different system_name in the system table. If you've renamed a machine you'll have duplicates but hopefully you haven't renamed anything and duplicates will be machines with the same UUID. Just guessing at the problem here as I don't experience it myself.


PostPosted: Wed Aug 11, 2010 7:16 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
[quote="jpa"]Another question then - do you have multiple systems with the same UUID? Check if you have the same system_uuid with a different system_name in the system table.[/quote]

No, I do not have that.

PostPosted: Wed Aug 11, 2010 8:58 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
Which behaviour should we see from OpenAudIT?

Should OA only list identical computers once even if the database contains more entries? Or should the database only contain 1 entry?


PostPosted: Thu Aug 12, 2010 2:54 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
[quote="jonbendtsen"]Which behaviour should we see from OpenAudIT?[/quote]

I'd need to review the display code to see what it does with duplicate UUIDs.

As for your software problem the software insert code tries to update existing software entries with a fresh timestamp. If no software entry is updated it inserts a new software record. Your original report seems to indicate that the software update stuff is failing and it's always inserting a new record for the software with multiple instances. My crappy questioning is an effort to figure out why this happens.

The update code looks for existing software entries based on UUID, Software Name and last software timestamp or current timestamp. Somehow this is failing to find the existing entries.

One more question. Does your audit.config have software_audit = 'n' or = 'y'?

PostPosted: Thu Aug 12, 2010 9:50 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
[quote="jpa"][quote="jonbendtsen"]Which behaviour should we see from OpenAudIT?[/quote]

I'd need to review the display code to see what it does with duplicate UUIDs.

As for your software problem the software insert code tries to update existing software entries with a fresh timestamp. If no software entry is updated it inserts a new software record. Your original report seems to indicate that the software update stuff is failing and it's always inserting a new record for the software with multiple instances. My crappy questioning is an effort to figure out why this happens.

The update code looks for existing software entries based on UUID, Software Name and last software timestamp or current timestamp. Somehow this is failing to find the existing entries.[/quote]

It sounds like you say that the database should only contain one entry. I do not think your questioning is crappy.

[quote="jpa"]One more question. Does your audit.config have software_audit = 'n' or = 'y'?[/quote]

It has yes, 'y'. I have attached my full audit.config file.

[code]'
' Standard audit section
'
audit_location = "r"
verbose = "n"
audit_host="http://openaudit.example.com"
online = "yesxml"
strComputer = "."
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/open-audit/admin_pc_add_1.php"
non_ie_page = audit_host + "/open-audit/admin_pc_add_2.php"

'
' Email authentication
'
'

email_to = "example@example.com"
email_from = "example@example.com"
'email_sender = "Open-AudIT"
email_server = "mail.example.com" ' IP address or FQDN
email_port = "25" ' The SMTP port
email_auth = "1" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_user_id = "example@example.com" ' A valid Email account in user@domain format
email_user_pwd = "some_password" ' The SMTP email password
email_use_ssl = "false" ' True/False
email_timeout = "60" ' In seconds
send_email = "false" ' True/False - Enable/Disable email sending

audit_local_domain = "n"
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
'domain_type = ""

local_domain = "LDAP://example.com"

'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensitive. See the example below.
'
'local_domain = "WinNT://IEXPLORE"
'local_domain = "WinNT://<domainname>"
'

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
'
' Nmap section
'
nmap_tmp_cleanup = true ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_subnet = "10.20.30." ' The subnet you wish to scan
nmap_subnet_formatted = "10.20.30." ' The subnet padded with 0's
nmap_ie_form_page = audit_host + "/open-audit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "y" ' Tcp Syn scan
nmap_udp_scan = "y" ' UDP scan
nmap_srv_ver_scan = "y" ' Service version detection.
nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast
[/code]

PostPosted: Thu Aug 12, 2010 10:50 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
I have just again today added a duplicate entry for WinRAR. When I looked in the database the ONLY difference was the software_id. All the timestamps are identical, and they are usually different.

Looking back at the Microsoft Visual Web Developer 2010 Express - ENU I talked about yesterday, I do see a difference in software_first_timestamp and software_id.

If I look at the audit trails for both computers I see (WinRAR first):

[code]2010-08-12 12:13 adminuser
2010-08-12 10:49 adminuser
2010-08-11 17:04 adminuser
2010-08-11 17:04 adminuser
2010-08-11 13:23 normaluser1
2010-07-23 13:19 normaluser1[/code]

and for the computer with Microsoft Visual Web Developer 2010 Express - ENU I see:

[code]
2010-08-12 12:05 adminuser
2010-08-12 10:40 adminuser
2010-08-12 09:13 normaluser1
2010-08-11 12:25 adminuser
2010-08-11 10:56 adminuser
2010-08-11 10:56 adminuser
2010-08-11 09:03 normaluser1
2010-08-09 08:59 normaluser1
2010-08-05 14:08 adminuser
2010-08-05 12:36 adminuser
2010-08-05 09:09 normaluser1
2010-08-04 12:58 adminuser
2010-08-04 09:13 normaluser1
2010-08-03 09:05 normaluser1
2010-08-02 14:57 adminuser
2010-08-02 13:26 adminuser
2010-08-02 13:26 adminuser
2010-08-02 13:26 adminuser
2010-08-02 09:00 normaluser1
2010-07-30 15:20 adminuser
2010-07-30 13:51 normaluser1
2010-07-30 13:49 adminuser
2010-07-30 13:30 normaluser1
2010-07-30 09:22 adminuser
2010-07-30 09:00 normaluser1
2010-07-29 15:28 adminuser
2010-07-29 13:58 adminuser
2010-07-29 09:31 adminuser
2010-07-29 09:18 normaluser1
2010-07-28 15:39 adminuser
[/code]

The reason for normaluser1 being on both computers is that normaluser1 is my fellow system administrator who set up both computers.

However, the reason for posting these audit trails is that some of them are listed with the same time and date. This might be because they are run twice, or they post twice to the openaudit server, or that the openaudit server lists them twice. I will try to investigate both computers' scheduled tasks as well as my Apache logs.


PostPosted: Thu Aug 12, 2010 10:52 pm
Helper

Joined: Thu Apr 15, 2010 12:28 am
Posts: 83
Investigation did show audit.vbs was executed twice (or more), and even at the same time. I understand that this might create duplicate entries in the database the first time software is seen. Unless of course there is some code in OpenAudIT that prevents processing more than one session of the same UUID at the same time. If there is no such code I think it should be added.

I do not think this multiple execution can explain the growth over time where I saw more and more rows in the database where software_first_timestamp is different, because software_first_timestamp should always be unique, right?


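An added illustration, not Open-AudIT's code and not part of any post above: the two-step update-then-insert flow the moderator describes, run with the simultaneous audit.vbs submissions reported in the last post and with a lookup timestamp that does not match the stored row, next to a unique key on (software_uuid, software_name) with a single upsert. SQLite stands in for MySQL, the lookup is modelled from the description only, and the UUID and timestamps are constructed sample values.

```python
import sqlite3

UUID, NAME = "00000000-0000-0000-0000-000000000001", "7-Zip 4.57"  # constructed sample
COLS = "software_uuid, software_name, software_timestamp, software_first_timestamp"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE software (software_id INTEGER PRIMARY KEY, software_uuid TEXT, "
               "software_name TEXT, software_timestamp TEXT, software_first_timestamp TEXT)")
    return db

def try_update(db, last_ts, now):
    # Step 1 in the thread: refresh the row matched on UUID, name and last/current timestamp.
    return db.execute("UPDATE software SET software_timestamp = ? WHERE software_uuid = ? AND "
                      "software_name = ? AND software_timestamp IN (?, ?)",
                      (now, UUID, NAME, last_ts, now)).rowcount

def insert(db, now):  # Step 2: nothing was updated, so a new record is inserted
    db.execute(f"INSERT INTO software ({COLS}) VALUES (?, ?, ?, ?)", (UUID, NAME, now, now))

def upsert(db, now):  # one atomic statement; software_first_timestamp survives a conflict
    db.execute(f"INSERT INTO software ({COLS}) VALUES (?, ?, ?, ?) "
               "ON CONFLICT (software_uuid, software_name) DO UPDATE "
               "SET software_timestamp = excluded.software_timestamp", (UUID, NAME, now, now))

def first_timestamps(db):
    return [row[0] for row in db.execute(
        "SELECT software_first_timestamp FROM software ORDER BY software_id")]

def simultaneous_runs(now="201008111704"):
    db = make_db()
    misses = sum(try_update(db, None, now) == 0 for _ in range(2))  # both runs do step 1 first
    for _ in range(misses):
        insert(db, now)
    return first_timestamps(db)

def timestamp_mismatch(first="201008021326", expected="201008021457", now="201008030905"):
    db = make_db()
    insert(db, first)
    if try_update(db, expected, now) == 0:  # lookup expects a timestamp the row does not hold
        insert(db, now)
    return first_timestamps(db)

def with_unique_key(times=("201008111704", "201008111704", "201008121049")):
    db = make_db()
    db.execute("CREATE UNIQUE INDEX one_row ON software (software_uuid, software_name)")
    for now in times:
        upsert(db, now)
    return first_timestamps(db)
```

`simultaneous_runs()` leaves two rows that differ only in software_id, `timestamp_mismatch()` leaves two rows with different software_first_timestamp values, and `with_unique_key()` leaves one row that keeps its original software_first_timestamp.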