Open-AudIT

All times are UTC + 10 hours




Posted: Thu Dec 06, 2007 11:09 pm
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
[quote="ef"][quote="jsingh"][quote="ef"]Jason, I will address the gateway issue as soon as possible. Thank you[/quote]

thanks eduardo,

In addition to my comment earlier, new machines detected that have multiple NICs with *any* that are not connected show up as being "Non-networked", which is incorrect. I have also noticed some machines showing up under "New Software" with wrong IPs in the list, and when you look at the machine details it is correct.

Thanks

Jason[/quote]
Regarding the "non-networked" issues, try to delete every instance of the incorrect machines and audit them at least 2 times (just to be sure that their NICs are correctly inserted the first time and correctly updated the 2nd time).
Otherwise, change the UUID. I had that kind of error when I was using "mac" as uuid. I changed to "name", re-audited and all was OK. Obviously, I had all duplicate systems the first time.[/quote]

I use "UUID" as my "UUID". Don't use MAC. UUID is just as unique if not "more" unique than "name". If I complete your suggestion I would have a mismatch, or risk having many more duplicates, as some machines would be listed twice, once using UUID, and again using NAME.

*question* - is it not possible to loop through the array of network cards found, and *IF* any network card has an IP, list the IP, instead of the method now that only lists the IP if an IP is found on the first network card found? This can be done either in the audit.vbs OR in the query listing the machines.

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)


Posted: Thu Dec 06, 2007 11:22 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Actually what we require to do is create a new table for the IP details.

The reasoning is this..

I can have no network card.

I can have one or more network cards..

It can have NO IP details. (Disabled or possibly teamed into a virtual adapter).

It can have 1 or more IP addresses (theoretically a very large number on a virtual adapter, but usually one, two, three or four)

Since there can be multiple IP details for each card, these details should be in a separate table, linked by the Card's ID, probably a function of the UUID, which in turn is linked to the Machine by the UUID

As things currently stand, we can only cope with NICs with up to three addresses, and we don't make a very good job of dealing with the idea of it being networked or non networked.

If we split things, then we can tell if it is networked simply by counting the number of cards, and multiplying by the number of IP addresses linked to each NIC and if the answer is >0 then we are networked.

Finally use of the MAC address as a UUID is always a bad idea, because if the NIC is replaced... the machine pops up anew.

Any thoughts?

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Posted: Fri Dec 07, 2007 12:59 am
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Jason, actually what you see listed as IP for a system is not the first ip detected on the first NIC, but the first IP detected on all NICs. So, if you don't see IP listed, keep your UUID, DELETE the system, re-audit it and all should be fine (I hope... otherwise you have a different issue, like on NIC-TCP/IP bindings order and so on).

Andrew, I totally agree with you: it should be better to add another linked table (network_card_ip or similar) as you suggested. This could also solve the ambiguity caused by system.net_ip_address and network_card.net_ip_address fields.

_________________
Edoardo
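
A sketch of the separate IP table proposed in the two posts above, as an added example that is not Open-AudIT code. Only the table name network_card_ip comes from the thread; the column names, sample machines and addresses are constructed. It holds more than three addresses per card and reports a machine as networked when any of its cards has an address.

```python
import sqlite3

# Hypothetical schema: only the table name network_card_ip comes from the
# thread; every column name below is an assumption made for this example.
SCHEMA = """
CREATE TABLE system (system_uuid TEXT PRIMARY KEY, system_name TEXT);
CREATE TABLE network_card (
    net_id INTEGER PRIMARY KEY,
    net_uuid TEXT NOT NULL REFERENCES system(system_uuid),
    net_mac_address TEXT);
CREATE TABLE network_card_ip (
    ip_id INTEGER PRIMARY KEY,
    ip_net_id INTEGER NOT NULL REFERENCES network_card(net_id),
    ip_address TEXT NOT NULL,
    ip_subnet TEXT);
"""

# One row per machine with the number of addresses found on ANY of its cards.
# LEFT JOINs keep machines with no card, or cards with no address, at zero.
IP_COUNT_SQL = """
SELECT s.system_name, COUNT(i.ip_id)
FROM system s
LEFT JOIN network_card n ON n.net_uuid = s.system_uuid
LEFT JOIN network_card_ip i ON i.ip_net_id = n.net_id
GROUP BY s.system_uuid ORDER BY s.system_name
"""

def build_sample_db():
    """Constructed inventory: no card, unplugged first card, many addresses."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO system VALUES (?, ?)",
                   [("u-1", "NOCARD"), ("u-2", "DUALNIC"), ("u-3", "TEAMED")])
    db.executemany("INSERT INTO network_card VALUES (?, ?, ?)",
                   [(1, "u-2", "00:00:5E:00:53:01"),   # first card, no address
                    (2, "u-2", "00:00:5E:00:53:02"),
                    (3, "u-3", "00:00:5E:00:53:03")])
    db.executemany(
        "INSERT INTO network_card_ip (ip_net_id, ip_address, ip_subnet) VALUES (?, ?, ?)",
        [(2, "192.0.2.10", "255.255.255.0"),
         (3, "192.0.2.20", "255.255.255.0"), (3, "192.0.2.21", "255.255.255.0"),
         (3, "192.0.2.22", "255.255.255.0"), (3, "192.0.2.23", "255.255.255.0")])
    return db

def networked_status(db):
    """Map system_name -> (address_count, is_networked)."""
    return {name: (count, count > 0) for name, count in db.execute(IP_COUNT_SQL)}

if __name__ == "__main__":
    for name, (count, networked) in networked_status(build_sample_db()).items():
        print(f"{name:8} addresses={count} networked={networked}")
```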


Posted: Fri Dec 07, 2007 3:44 am
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
I have to humbly disagree so far. I followed your steps to remove one of the systems now showing up as "non-networked".

Here is the pertinent info concerning the network card(s) found. Please notice this system only has one network card.

[code]
Connection ID:
Description: 3Com EtherLink PCI
Manufacturer: 3Com
Service Name:
Type: Ethernet 802.3
MAC Address: 00:B0:D0:C4:92:65
Connectivity status:
Link speed: 0 Mbps
IP Enabled:
IP address: 010.023.002.004
Subnet Mask: 255.255.0.0
IP address 2:
Subnet Mask 2:
IP address 3:
Subnet Mask 3:
Gateway: 10.23.0.1
Gateway 2:
Gateway 3:
Preferred DNS: 192.168.1.2
Alternate DNS: 192.168.1.4
Alternate DNS 2:
Primary WINS: 10.20.0.2
Secondary WINS: 130.1.1.5
LMHosts Lookup enabled:
Netbios over TCP/IP:
DHCP enabled: False
DHCP Server: No
DHCP Lease obtained: --
DHCP Lease expires: --
[/code]

Why is this showing up as non-networked?

thanks

Jason

Posted: Fri Dec 07, 2007 4:25 am
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
It seems mostly a field converting issue, as the IP seems to be shown in the hardware page (but many other values are missing). First of all, double check that include_functions.php and admin_pc_add_2.php are updated from svn. If that's already done, I need more info to troubleshoot this:
- what's the audited system OS version?
- are you auditing with admin credentials?
- delete the system from OA and do an offline scan of this system (in audit.config, set online = "n"); then paste here the "network" and the "system01" lines you will read in the generated system_name.txt file
- manually add the system into OA, then paste here what is shown by the admin_pc_add_2.php page (I need the network and system data)
- what is shown in OA for the system? Is it shown as "not-networked"? Which is the page where you see that?
- redo an offline scan, then manually re-add the system to OA and paste here again what is shown by the admin_pc_add_2.php page
- what does OA show?

_________________
Edoardo


Posted: Fri Dec 07, 2007 5:19 am
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
[quote="ef"]It seems mostly a field converting issue, as the IP seems to be shown in the hardware page (but many other values are missing). First of all, double check that include_functions.php and admin_pc_add_2.php are updated from svn. If that's already done, I need more info to troubleshoot this:
- what's the audited system OS version?
- are you auditing with admin credentials?
- delete the system from OA and do an offline scan of this system (in audit.config, set online = "n"); then paste here the "network" and the "system01" lines you will read in the generated system_name.txt file
- manually add the system into OA, then paste here what is shown by the admin_pc_add_2.php page (I need the network and system data)
- what is shown in OA for the system? Is it shown as "not-networked"? Which is the page where you see that?
- redo an offline scan, then manually re-add the system to OA and paste here again what is shown by the admin_pc_add_2.php page
- what does OA show?[/quote]


OS: Windows 2000 Pro SP4
Admin: Yes
System01: There is no system01 line in the offline scan
[code]
network^^^00:B0:D0:C4:92:65^^^3Com EtherLink PCI^^^False^^^none^^^xxxxxxxx^^^192.168.1.2^^^192.168.1.4^^^010.023.002.004^^^255.255.0.0^^^10.20.0.2^^^130.1.1.5^^^Ethernet 802.3^^^3Com^^^10.23.0.1^^^True^^^6^^^EL90Xbc^^^^^^^^^none^^^xxxxxxxx.com^^^none^^^none^^^none^^^False^^^True^^^none^^^none^^^none^^^none^^^True^^^enabled^^^1^^^none^^^none^^^none^^^none^^^1^^^unknown^^^unknown^^^unknown^^^
audit^^^AMOULAND^^^20071206140343^^^4C4C4544-BE00-4410-8045-80C04F4C4C20^^^saramon^^^n^^^y^^^
system02^^^OptiPlex GX150^^^AMOULAND^^^1^^^^^^Authorised User^^^Desktop^^^253^^^DELL ^^^Dell Computer Corporation^^^Workstation^^^(GMT-05:00) Eastern Time (US & Canada)^^^Eastern Daylight Time^^^
system03^^^\Device\Harddisk0\Partition1^^^2195^^^18^^^Microsoft Windows 2000 Professional^^^1^^^^^^2001/12/03^^^xxxxxxxxxxxx^^^1033^^^Authorised User^^^xxxxxxxx-OEM-0045023-xxxxxxxx^^^4.0^^^5.0.2195^^^C:\WINNT^^^
[/code]
- I see non-networked on the index page, and on the other query pages (show all win-workstations for example), the IP address is blank.
- Tried your other methods and they all show blank.

Jason

Last edited by jsingh on Fri Dec 07, 2007 5:22 am, edited 1 time in total.

Posted: Fri Dec 07, 2007 5:20 am
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
It is also helpful to note that since the PC shows up as "non-networked", if you go to the system page all Remote Management portions are also blank.

Jason

Posted: Fri Dec 07, 2007 6:36 am
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Since there is no system01 line in the offline scan, the IP address isn't inserted into the system table. W2K WMI also justifies why there is no connection ID, status and speed.
How many systems are in the same situation? What is common to them?
Update audit.vbs from svn and find the following lines
[code]
form_input = "system01^^^" & clean(net_ip_address) & "^^^" & clean(net_domain) _
& "^^^" & clean(net_user_name) & "^^^" & clean(net_client_site_name) _
& "^^^" & clean(Replace(net_domain_controller_address, "\\", "")) & "^^^" & clean(Replace(net_domain_controller_name, "\\", "")) & "^^^"
[/code]
add just below
[code]
wscript.echo "net_ip_address = " & net_ip_address
wscript.echo "form_input= " & form_input
[/code]
Run an audit: what do you see as form_input and net_ip_address?

_________________
Edoardo
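
The diagnosis in the post above (no system01 record, so no IP reaches the system table) can be checked mechanically on an offline-scan file. This is an added example, not Open-AudIT code: it splits records on `^^^` and takes the system01 field order from the form_input line quoted above. Treating the four record types seen in this thread as required is an assumption, and both sample scans are constructed.

```python
SEP = "^^^"
# Record types seen in this thread; treating them all as required is an assumption.
REQUIRED = ("audit", "system01", "system02", "system03")
# system01 field order, taken from the form_input line quoted in the thread.
SYSTEM01_FIELDS = ("net_ip_address", "net_domain", "net_user_name",
                   "net_client_site_name", "net_domain_controller_address",
                   "net_domain_controller_name")

# Constructed sample scans (placeholder values, trimmed field lists).
BROKEN_SCAN = (
    "network^^^00:00:5E:00:53:01^^^Example NIC^^^False^^^010.023.002.004^^^255.255.0.0^^^\n"
    "audit^^^EXAMPLEPC^^^20071206140343^^^example-uuid^^^user^^^n^^^y^^^\n"
    "system02^^^Example Model^^^EXAMPLEPC^^^1^^^^^^Desktop^^^\n"
    "system03^^^2195^^^Microsoft Windows 2000 Professional^^^\n")
FIXED_SCAN = BROKEN_SCAN + "system01^^^010.023.002.004^^^EXAMPLE^^^user^^^none^^^none^^^none^^^\n"

def parse_scan(text):
    """Split an offline-scan file into {record_type: [field lists]}."""
    records = {}
    for line in text.splitlines():
        if SEP not in line:
            continue                      # not an audit record
        parts = line.split(SEP)
        if parts[-1] == "":               # records end with a trailing ^^^
            parts.pop()
        records.setdefault(parts[0], []).append(parts[1:])
    return records

def check_scan(text):
    """Return findings that would explain a blank IP / "non-networked" listing."""
    records = parse_scan(text)
    findings = [f"missing {rtype} record" for rtype in REQUIRED if rtype not in records]
    for fields in records.get("system01", []):
        named = dict(zip(SYSTEM01_FIELDS, fields))
        if not named.get("net_ip_address", "").strip():
            findings.append("system01 has an empty net_ip_address")
    if "network" in records and "system01" not in records:
        findings.append("network data present without system01: "
                        "system.net_ip_address stays blank")
    return findings

if __name__ == "__main__":
    for label, scan in (("broken", BROKEN_SCAN), ("fixed", FIXED_SCAN)):
        print(label, check_scan(scan) or "ok")
```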


Posted: Fri Dec 07, 2007 6:57 am
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
[code]
form_input = "system01^^^" & clean(net_ip_address) & "^^^" & clean(net_domain) _
& "^^^" & clean(net_user_name) & "^^^" & clean(net_client_site_name) _
& "^^^" & clean(Replace(net_domain_controller_address, "\\", "")) & "^^^" & clean(Replace(net_domain_controller_name, "\\", "")) & "^^^"
[/code]

is not in SVN audit.vbs

Similarities? Can't say for sure. I do notice Win2K systems don't have connected state and link speed. In addition, on one system, it appears that another has the same UUID. I was under the impression this is not possible, that is, it is definitely unique among systems.

Jason

Posted: Fri Dec 07, 2007 7:11 am
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
You're right: the following lines are missing, just after my mod
[code]

' Domain and logged-on user from WMI
On Error Resume Next
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)
For Each objItem in colItems
   net_domain = objItem.Domain
   net_user_name = objItem.UserName
Next
' Site name and domain controller details from WMI
On Error Resume Next
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTDomain",,48)
For Each objItem in colItems
   net_client_site_name = objItem.ClientSiteName
   net_domain_controller_address = objItem.DomainControllerAddress
   net_domain_controller_name = objItem.DomainControllerName
Next

' Replace Null values with empty strings before building the record
if isnull(net_ip_address) then net_ip_address = "" end if

' Fall back to the Winlogon registry defaults when WMI returned nothing
if isnull(net_domain) then
   oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultDomainName", net_domain
   if isnull(net_domain) then net_domain = "" end if
end if
if isnull(net_user_name) then
   oReg.GetStringValue HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName", net_user_name
   if isnull(net_user_name) then net_user_name = "" end if
end if

if isnull(net_client_site_name) then net_client_site_name = "" end if
if isnull(net_domain_controller_address) then net_domain_controller_address = "" end if
if isnull(net_domain_controller_name) then net_domain_controller_name = "" end if

' Build and submit the system01 record; net_ip_address is its first field
form_input = "system01^^^" & clean(net_ip_address) & "^^^" & clean(net_domain) _
   & "^^^" & clean(net_user_name) & "^^^" & clean(net_client_site_name) _
   & "^^^" & clean(Replace(net_domain_controller_address, "\\", "")) & "^^^" & clean(Replace(net_domain_controller_name, "\\", "")) & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""

[/code]
Could someone please fix the svn? It should close this opened can of worms...

_________________
Edoardo


Posted: Fri Dec 07, 2007 8:42 am
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
Hi Eduardo,

Where in audit.vbs should I stick that code? I wouldn't mind testing myself.

Hope it really does close the can of worms :)

Thanks,

Jason

Posted: Fri Dec 07, 2007 5:56 pm
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
It surely does: add them at line 678 of audit.vbs, just before
[code]
'''''''''''''''''
' Make the UUID '
'''''''''''''''''
[/code]

_________________
Edoardo


Posted: Fri Dec 07, 2007 7:14 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Added this at SVN 921. Can we check this has done the trick, there are worms all over my desk now, the pesky things are drowning in my coffee.

_________________
Andrew

Posted: Fri Dec 07, 2007 7:32 pm
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Surely it does: I never had those lines removed and all works fine. I verified that the 911 svn revision accidentally deleted them.

_________________
Edoardo


Posted: Fri Dec 07, 2007 7:51 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Excellent. If you are still struggling with all of those worms, here are a few suggestions...

http://www.yesnet.yk.ca/schools/jackhul ... index.html

Vegetarian option... miss out the worms..:twisted:

_________________
Andrew
