Open-AudIT

All times are UTC + 10 hours




Posted: Wed May 30, 2012 4:51 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Checking the basics: does your audit script have skip_software = "y" in the variables section at the top? To get software audited you need skip_software = "n" and I think recent versions of the script have defaulted to "y" to speed up testing as auditing software takes longer and makes for a larger upload.


Posted: Thu May 31, 2012 4:31 am
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
[quote="jpa"]Checking the basics: does your audit script have skip_software = "y" in the variables section at the top? To get software audited you need skip_software = "n" and I think recent versions of the script have defaulted to "y" to speed up testing as auditing software takes longer and makes for a larger upload.[/quote]


It's set to N, although I was toggling some options in the script to get different results at one point to see if it would change anything. Long story short, Lync never showed up.

Posted: Thu May 31, 2012 4:36 am
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
[quote="Mark"][quote]1) The description finally was updated once the system was deleted at the website level and re-audited. Not a fix really, but for whatever reason, the data isn't being overwritten.[/quote]

That is actually by design.
How it works is: (and this applies to a few items in the System table - see below).
Initial audit populates the description and man_description fields.
Subsequent audits don't populate man_description.
The web pages always show man_description.
This is so that if the audit returns data that you consider incorrect (or inaccurate or don't want displayed or whatever), you can overwrite it and have your changes stay stored.

Other fields that do the same thing are:
man_os_group
man_os_family
man_os_name
man_domain
man_serial
man_model
man_manufacturer
man_form_factor

Those are the fields you see in the web pages, not their audit obtained equivalents (serial, model, et al). I probably need to enable editing of a couple of these in the System Display page (I don't think you can edit them all at the moment).

There is also the "special" case of man_ip_address. If the IP address from the audit result is taken from DHCP, then man_ip_address is updated. If it's not taken from DHCP (see: a server with a static IP), then it is initially populated but left alone on subsequent audits.

OK, so how to solve your issue with this. I don't want to overwrite them if blank because that is deliberately by design. We do actually store the info in the fields each time we process an audit (serial, description, etc). Because I usually think along the lines of "but what if I have to update 1,000 of these" versus "I just need to update 2 or 3".

Option 1:
Maybe a switch somewhere to say "overwrite all info in man_* fields regardless".

Option 2:
Maybe put something on the "bulk edit" page (when you select more than one system from a report and edit it) to say "revert this field to the audit contents" - that could apply to each field as above.[/quote]

Hopefully not a stupid question, but would this be done at the audit level, or at the server level?
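
The man_* behaviour described in the quoted post, modelled as an added example; it is not Open-AudIT's code and not part of the thread. It shows how a displayed value can stay stale or differ from what the last audit reported, and how to list those fields before trusting a displayed serial or IP address. Assumptions: the audited field names are the man_* names without the prefix, `ip_address` is the audited counterpart of man_ip_address, and `process_audit`, `drift` and `revert` are hypothetical helpers.

```python
# Model of the man_* handling described in the thread (added example).
# Assumed: audited field names are the man_* names without the prefix,
# and "ip_address" is the audited counterpart of man_ip_address.
AUDITED_FIELDS = ["description", "os_group", "os_family", "os_name", "domain",
                  "serial", "model", "manufacturer", "form_factor", "ip_address"]


def process_audit(record, audit, ip_from_dhcp=False):
    """Merge one submitted audit into the stored record (server side)."""
    first_audit = record is None
    record = dict(record or {})
    for field in AUDITED_FIELDS:
        if field not in audit:
            continue
        record[field] = audit[field]        # audited value is stored every time
        if first_audit:
            record["man_" + field] = audit[field]   # initial audit seeds man_*
        elif field == "ip_address" and ip_from_dhcp:
            record["man_" + field] = audit[field]   # DHCP address follows the audit
    return record


def drift(record):
    """Fields whose displayed man_* value differs from the last audited value."""
    return sorted(f for f in AUDITED_FIELDS
                  if f in record and record.get("man_" + f) != record[f])


def revert(record, fields):
    """Option 2 in the post: copy the audited value back over man_*."""
    record = dict(record)
    for field in fields:
        record["man_" + field] = record[field]
    return record


# Constructed sample audits, not taken from a real system.
first = {"description": "", "serial": "ABC123", "ip_address": "10.0.0.5"}
second = {"description": "Front desk PC", "serial": "ABC123", "ip_address": "10.0.0.9"}

rec = process_audit(None, first)
rec["man_serial"] = "XYZ999"                      # operator edits the displayed serial
static = process_audit(rec, second)               # static IP: man_ip_address untouched
dhcp = process_audit(rec, second, ip_from_dhcp=True)

if __name__ == "__main__":
    print("static host drift:", drift(static))
    print("dhcp host drift:  ", drift(dhcp))
    print("after revert:     ", drift(revert(static, drift(static))))
```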

Posted: Thu May 31, 2012 5:07 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
[quote="jpurcell"]Long story short, Lync never showed up.[/quote]
Given the information you've provided for the registry keys I can't see why this is happening. I would open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall reg key and find the valid (have DisplayName property) entries just before and after the Lync one and then search for these in the audit file.

Posted: Thu May 31, 2012 6:41 am
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
[quote="jpa"][quote="jpurcell"]Long story short, Lync never showed up.[/quote]
Given the information you've provided for the registry keys I can't see why this is happening. I would open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall reg key and find the valid (have DisplayName property) entries just before and after the Lync one and then search for these in the audit file.[/quote]

Well that just told me a lot!!! :D

NOTHING in the 32 bit zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) shows up. Everything in the 64bit key (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall) shows up.

Posted: Thu May 31, 2012 1:06 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
[quote]Hopefully not a stupid question, but would this be done at the audit level, or at the server level?[/quote]

Never a stupid question. This occurs at the server level (when processing the submitted audit).
The audit script should just retrieve details - no formatting or processing logic should be applied at the script level.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


Posted: Thu May 31, 2012 1:07 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
[quote]NOTHING in the 32 bit zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) shows up. Everything in the 64bit key (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall) shows up.[/quote]


Are you using the audit script from here?
[url]http://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5864[/url]

Posted: Thu May 31, 2012 10:28 pm
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
[quote="Mark"][quote]NOTHING in the 32 bit zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) shows up. Everything in the 64bit key (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall) shows up.[/quote]

Are you using the audit script from here?
[url]http://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5864[/url][/quote]

Yep. I had updated to the latest version (v3) at the time of opening this thread.

Posted: Fri Jun 01, 2012 1:10 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I haven't been able to replicate this. How exactly are you auditing (remote, local), what versions of Windows are you using, 32/64-bit, etc?


Posted: Fri Jun 01, 2012 1:19 am
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
[quote="jpa"]I haven't been able to replicate this. How exactly are you auditing (remote, local), what versions of Windows are you using, 32/64-bit, etc?[/quote]


Audits are being performed locally, and then served up to the server.

Windows versions are primarily 32bit (due to archaic software), but we have a handful of 64.

Mostly Win7 now, with roughly 100 XP. Also 2003 servers, 2008 servers, etc.

Posted: Fri Jun 01, 2012 2:26 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I still can't replicate this. I tried on a Win 8 CP 64bit VM and it worked. Do you have any error messages in the script output around the Software info lines or does it look like the snippet below? How exactly are you running the audit locally - logon script, scheduled task, etc?

[code]
...
Outlook Express info
Software info
Software for 64bit
Services info
...[/code]


Posted: Fri Jun 01, 2012 4:07 am
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
[quote="jpa"]I still can't replicate this. I tried on a Win 8 CP 64bit VM and it worked. Do you have any error messages in the script output around the Software info lines or does it look like the snippet below? How exactly are you running the audit locally - logon script, scheduled task, etc?

[code]
...
Outlook Express info
Software info
Software for 64bit
Services info
...[/code][/quote]


Scheduled task from within a much larger script that does various other things.

In any case, the last thing I have it do is run 'cscript.exe openaudit.vbs'

On a 64bit machine, I see the following:

[code]Outlook Express info
Software info
Hotfix info
Services info[/code]

No Software for 64bit is listed.

Posted: Fri Jun 01, 2012 4:15 am
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
Well, at least now I am on the right path:

I went ahead and modified the script to echo the results that get checked as to whether it audits those paths and the reg_node value is not getting set to Y (it is set to N) so the following if statement never triggers:

[code]if (address_width = "64" and reg_node = "y") then[/code]

So whatever is happening here:

[code]' need to test if this is a Win64 machine
strKeyPath = "SOFTWARE"
reg_node = "n"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
if (not isnull(arrSubKeys)) then
    For Each subkey In arrSubKeys
        if subkey = "Wow6432Node" then
            reg_node = "y"
        end if
    next
end if[/code]

Isn't clicking.

EDIT:
Manually set reg_node to Y with no qualifier on my system, and it works like a champ. Lync now appears.


Posted: Fri Jun 01, 2012 4:28 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
If it's not too much trouble what does the following code output?

[code]set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
' strComputer, strUser, strPass and wbemConnectFlagUseMaxWait are not defined in this
' snippet, so they are passed as Empty
Set wmiNameSpace = wmiLocator.ConnectServer(strComputer, "\root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait)
wmiNameSpace.Security_.ImpersonationLevel = 3
Set oReg = wmiNameSpace.Get("StdRegProv")
const HKEY_LOCAL_MACHINE = &H80000002

' need to test if this is a Win64 machine
strKeyPath = "SOFTWARE"
reg_node = "n"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

' echo every subkey name returned under HKEY_LOCAL_MACHINE\SOFTWARE
if (not isnull(arrSubKeys)) then
    wscript.echo "Subkey list:"
    For Each subkey In arrSubKeys
        wscript.echo subkey
    next
end if[/code]


Posted: Fri Jun 01, 2012 6:59 am
Newbie

Joined: Tue Mar 09, 2010 3:02 am
Posts: 32
[quote="jpa"]If it's not too much trouble what does the following code output?

[code]set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set wmiNameSpace = wmiLocator.ConnectServer(strComputer, "\root\default", strUser, strPass, "", "", wbemConnectFlagUseMaxWait)
wmiNameSpace.Security_.ImpersonationLevel = 3
Set oReg = wmiNameSpace.Get("StdRegProv")
const HKEY_LOCAL_MACHINE = &H80000002

' need to test if this is a Win64 machine
strKeyPath = "SOFTWARE"
reg_node = "n"
oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

if (not isnull(arrSubKeys)) then
    wscript.echo "Subkey list:"
    For Each subkey In arrSubKeys
        wscript.echo subkey
    next
end if[/code][/quote]



No trouble at all. Here you go:

[code]Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Subkey list:
Asset Services Management
BackWeb
BEA Systems
Canneverbe Limited
Caphyon
Cisco
ClassLibrary
Dell
ej-technologies
Elaborate Bytes
FileZilla 3
FileZilla Client
Foxit Software
Funk Software, Inc.
GNU Ghostscript
Google
IM Providers
InstallShield
Intel
JavaSoft
JreMetrics
Licenses
LogMeIn Rescue
Lumension
Macromedia
Marimba
McAfee
MICROS-Fidelio
Microsoft
MozillaPlugins
Network Associates
Notepad++
ODBC
Patchlink.com
Quest Software
storage
VMware, Inc.
Volatile
WinPcap
Wise Solutions
Classes
Clients
Policies
RegisteredApplications[/code]
