Open-AudIT
https://www.open-audit.org/phpBB3/

Domain Audit black list
https://www.open-audit.org/phpBB3/viewtopic.php?f=9&t=2375
Page 1 of 1

Author:  mwm [ Tue Sep 25, 2007 12:03 pm ]
Post subject:  Domain Audit black list

Hello All,

I am working on a blacklist function for Open Audit. I have encountered some systems that for whatever reason don't like to be audited. Could be a WMI thing but I have little interest in figuring out why at the moment. I have noticed it hand on some SQL servers. Anyway, I am creating a balcklist.txt file that is read into an array. At each call of the audit I compare comparray(i) to ArrSkipList(z). If they match, dont audit. If they dont match go ahead and audit it. I don't want to get too far into this if someone else is further along than I am. Let me know what you think!

for z = 0 to Ubound(ArrSkipList)
if comparray(i) <> ArrSkipList(z)
Do The Audit
Else
wscript.echo "BLACKLIST HIT!"
Write ArrSkipList to skip.txt for logging
endif
Next

Thanks!
-mwm
http://www.blatbox.com

Author:  ccpyle [ Tue Feb 12, 2008 6:43 am ]
Post subject:  Re: Domain Audit black list

I think it sounds wonderful. Did you ever finish developing this, 'cause I want to use it! :P

Author:  The Tech Guy [ Sat May 10, 2008 2:18 am ]
Post subject:  Re: Domain Audit black list

yes yes this does sound good is it finished yet?

Author:  acraiger [ Fri Oct 09, 2009 11:06 pm ]
Post subject:  Re: Domain Audit black list

Just wondering if anyone ever got this working, where we can add list of computers not to audit in the audit.config file.
Maybe like a text file with the list of computers you want to exclude during a domain audit.
I use ldap to connect to my Active Directory.

So I'm thinking maybe in the audit.vbs code where it puts all the computers in an array, maybe add a little code where it searches the array after it has been populated, and removes the computers from the array you don't want audited.

Maybe we can edit this function:
Function GetDomainComputers(ByVal local_domain)
Dim objIADsContainer ' ActiveDs.IADsDomain
Dim objIADsComputer ' ActiveDs.IADsComputer
Dim vReturn ' Variant

' connect to the computer.
Set objIADsContainer = GetObject(local_domain)

' set the filter to retrieve only objects of class Computer
objIADsContainer.Filter = Array("Computer")

[color=#0000FF]Maybe do another filter here that removes computers in blacklist[/color]

ReDim vReturn(0)
For Each objIADsComputer In objIADsContainer
If Trim(vReturn(0)) <> "" Then
ReDim Preserve vReturn(UBound(vReturn) + 1)
End If
vReturn(UBound(vReturn)) = objIADsComputer.Name
Next

GetDomainComputers = vReturn
Set objIADsComputer = Nothing
Set objIADsContainer = Nothing
End Function)

Author:  acraiger [ Fri Mar 12, 2010 7:46 am ]
Post subject:  Re: Domain Audit black list

I think I finally got a blacklist to work.
I attached my audit.vbs file.
You have to create a blacklist.txt file in the same folder where audit.vbs runs.
I also added an entry to the audit.config file

blacklist_file = "blacklist.txt"

I also added a Dim declaration just under the input_file declaration:
Dim blacklist_file
and also to where the Case Ucase(arg) are located:
Case "BLACKLIST_FILE" blacklist_file = Wscript.Arguments.Named(arg)

Below is the code I added just under the Do Until loop for ObjRecordSet.EOF which is located at around line 439.
Or you could just say it is located just above the Randomize scan If statement.

On Error Resume Next
if blacklist_file <> "" then
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("DomainPC.txt", 2)
Set objTextFileBl = objFSO.OpenTextFile("blacklist.txt", 1)
'This inputs the blacklist.txt file into an array blacklist()
Dim blacklist()
i = 0
Do Until objTextFileBl.AtEndOfStream
Redim Preserve blacklist(i)
blacklist(i) = [color=#FF0000]UCase([/color]objTextFileBl.Readline) 'edited this
i=i+1
Loop

'Start loop to create new comparray()
Dim Newarray()
match = false
k=0
For i=0 to Ubound(comparray)
For j = 0 to Ubound(blacklist)
If comparray(i) = blacklist(j) Then
match = true
Exit For
End if
Next
If match = false Then
Redim Preserve Newarray(k)
Newarray(k) = comparray(i)
k=k+1
End If
match = false
Next
erase comparray 'erase comparray and set equal to Newarray
For i = 0 to Ubound(Newarray) 'output edited list of computers to text file
Redim Preserve comparray(i)
comparray(i) = Newarray(i)
Next

objTextFile.Close
objTextFileBl.Close

End If

Attachments:
File comment: My audit.vbs file with the new code, was renamed to audit.txt as audit.vbs is not allowed to be uploaded.
audit.txt [216.44 KiB]
Downloaded 649 times

Author:  acraiger [ Wed Jan 18, 2012 1:25 am ]
Post subject:  Re: Domain Audit black list

Note: I updated the above script to convert the imported blacklist to Uppercase.
Otherwise it might not work if you type a computer name not in upper case.
I highlighted the change above in red.

I recently redeployed Open-Audit after changing jobs.
Trying to get everything working like I had it at my last job.

Page 1 of 1 All times are UTC + 10 hours
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/