Open-AudIT

All times are UTC + 10 hours
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 68 posts ]  Go to page 1, 2, 3, 4, 5  Next
Post subject: more information on user
PostPosted: Wed Apr 16, 2008 10:20 am
Newbie

Joined: Fri Feb 22, 2008 1:43 am
Posts: 13
Our login names have been implemented as initials + a country code. So for example my login could be hlr-us for Harold Lee Renolds - United States (not my real information). I would really like it if open-audit could do a little more digging into Active Directory for me to pull out more than just my sAMAccountName and also display some information like 'cn', 'givenName', 'sn', 'department', and a few others.

Any thoughts on enabling the script to gather a bit more user information? The real reason I want this is for the search capability in the tool. I would really like to look up Harold's computer, but I don't know anything about it or really his login name since I don't always know his initials. But I do know his name. It would be very handy if that information was present to search on.

I have thought about adding this information myself, but thought I would ask first.

_________________
Matt Feider
Internal: OS : Hardy Heron Ubuntu, apache, VM'ed
Auditing: 172 machines
LDAP: Active Directory

External: OS : Don't know as it is hosted
Auditing: 826 machines
LDAP: AD, but not hooked up as it is external


PostPosted: Wed Apr 16, 2008 6:26 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Currently the LDAP (Active Directory) information is not audited, and is therefore not searchable. I was looking at adding this feature into Open Audit, but I simply haven't had the time. Open Audit will search on the Network User however (which typically is DOMAIN\User) and this information coupled with ticking Show Full Ldap Details on the Admin pages may give you what you need.

I look up my users by name, but in your case you could try putting -us or whatever in the search box. Not ideal, but until I add auditing the Active Directory to OA then it's slightly tricky.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Wed Apr 16, 2008 11:36 pm
Newbie

Joined: Fri Feb 22, 2008 1:43 am
Posts: 13
Want any help adding it? I have a few ideas but I wouldn't mind making sure I got off on the right foot to contribute the code and table design.

It seems to me that we probably need an additional table with columns for each common AD record. Add one function that queries the AD system and output the values per user / per OU / per domain?

I have a start for another project already. This one simply displays using an input box, but also has the possibility to display many names. If the search string is simply sAMAccountName though you are guaranteed only one. This one just shows the variables I was concerned with, there may be more or less that OA should search. Would be nice to put in CONFIG file but our table design would have to accommodate that as well.

[code]
'Using ADO to query the Active Directory for a particular user
Function DisplayUserInfo(strSearchUser, DOMAINNAME)
set oConnect = CreateObject("ADODB.Connection")
set oCommand = CreateObject("ADODB.Command")

'opening the connection
oConnect.Provider = "ADsDSOObject"
oConnect.Open "Active Directory Provider"

'creating a command object for this connection
Set oCommand.ActiveConnection = oConnect

'the search base goes inside the angle brackets, e.g. <LDAP://DC=example,DC=com>
strDomain = "<LDAP://" & DOMAINNAME & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "sAMAccountName,cn,DisplayName,givenName,distinguishedName,department,mail,telephoneNumber,sn"
strQuery = strDomain & ";" & strFilter & ";" & strAttributes & ";subtree"
oCommand.CommandText = strQuery
'Page Size makes the ADSI provider page through the results; without it AD stops at its MaxPageSize (1000 by default)
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Timeout") = 30
oCommand.Properties("Cache Results") = False

'oCommand.CommandText = "SELECT samAccountName FROM '" & strDomain & "'"

'creating a recordset based on the ADO command
set rs = oCommand.Execute

'Navigating the record set
if rs.EOF then 'and rs.BOF then
msgbox "No user found!"
else
Do Until rs.EOF
'appending "" turns a Null attribute into an empty string so InStr never returns Null
if instr(ucase(rs.Fields("sAMAccountName").value & ""), ucase(strSearchUser)) > 0 or _
instr(ucase(rs.Fields("cn").value & ""), ucase(strSearchUser)) > 0 Then
sAns = "Login : " & rs.Fields("sAMAccountName") & vbCrLf
sAns = sAns & "Common : " & rs.Fields("cn") & vbCrLf
'sAns = sAns & "Display: " & rs.Fields("DisplayName") & vbCrLf
sAns = sAns & "Given : " & rs.Fields("givenName") & vbCrLf
sAns = sAns & "Last : " & rs.Fields("sn") & vbCrLf
sAns = sAns & "Dept : " & rs.Fields("department") & vbCrLf
sAns = sAns & "eMail : " & rs.Fields("mail") & vbCrLf
sAns = sAns & "Phone : " & rs.Fields("telephoneNumber") & vbCrLf
sAns = sAns & "Disti : " & rs.Fields("distinguishedName") & vbCrLf
'an empty answer (Cancel) stops the walk through the remaining matches
UserAns = inputbox(sAns, "Login Information", rs.Fields("sAMAccountName") & ", (" & rs.Fields("cn") & ")")
if UserAns = "" Then
exit do
end if
end if
rs.MoveNext
Loop
set rs = nothing
end if
oConnect.Close
msgbox "Done."
End Function
[/code]

_________________
Matt Feider
Internal: OS : Hardy Heron Ubuntu, apache, VM'ed
Auditing: 172 machines
LDAP: Active Directory

External: OS : Don't know as it is hosted
Auditing: 826 machines
LDAP: AD, but not hooked up as it is external


PostPosted: Thu Apr 17, 2008 12:47 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Any help would be much appreciated. Also you might like to look at ldap_details.php; it has a "hidden switch": if you use the inject=y option, it will attempt to "inject" the current user into the database from the AD. However, this was only a proof of concept, so you don't need to do things this way.

It does illustrate how to create the database table "on the fly", however, which I needed to do, as I couldn't find any complete documentation about what AD was likely to throw back with the query. (It doesn't (yet) work for the Computer account from AD, but I would like to add this functionality somehow, and it is very buggy, so use with care :? )

To try this idea out, look at the ldap details for a user from the OA page, for example
..ldap_details.php?name=MYDOMAIN%5Cjsmith&full_details=y&record_type=user&

then try

..ldap_details.php?name=MYDOMAIN%5Cjsmith&full_details=y&record_type=user&inject=y

Look at the OA tables, and the new ldap tables should have "automagically" appeared and the user jsmith should be in the table.

The alternative method would be to use the audit script to do the job, (as per the above example) for which we would need to pin down all of the fields we want to harvest, and create the tables in advance of running the script on the domain.

If we also harvest the Computer accounts, we can see which machines have never been audited, by comparing the AD info with the audited machine info.. in fact there are lots of things we can do with this info.....

I was thinking of having a page to "harvest" the Active details, say 100 records at a query till it got the lot, so as not to kill my DC, but never completed the code as I have other things to do :( which pay the bills... :roll:

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Thu Apr 17, 2008 1:16 am
Newbie

Joined: Fri Feb 22, 2008 1:43 am
Posts: 13
I will look more into that. I happened to just be in that file trying to get the $DN syntax correct, as the Linux box this is running on was a bit particular on how to connect to our LDAP stuff on Win2003. I think I have it running; at least it is giving me results for both the users as well as the computers now, so that is a great help just right there. Too bad it is not searchable yet. But I can understand it being in a different database. It is also very cool to be able to return all the information like that. But I will have to review a bit and see if there are certain things that might be useful to store (at least for me) in OA over everything.

I did notice the hidden switch but haven't started playing with it yet. I will review this. One thing I noticed is you are using the sAMAccountName as the primary key, and you would never have duplicates. But it seems to me to use the GUID would be better as I think the sAMAccountName can actually change but the GUID never would unless they actually deleted the account and recreated it. Which I hear they do on occasion - at least our group.

I like the concept of harvesting computers to compare as well. In our situation, I am a sub-company of a much bigger one. So while there could be 10,000 computers out there as our AD is trying to span the entire corporation, I am only one OU of it, and only running OA on our computers. And in my situation I also have a few outlying (non AD connected) computers that I want to monitor as well. I am hopeful to get the SMTP type scan up and running for them sometime, just no time either :cry: But the above comparison would be a great ability to have to check against. The nmap scan helped a bit with this but the AD scan would be just one more point of reference that would be great to have.

It wouldn't be too bad to just schedule the 'killing of the DC' at night or off hours... :lol:

--Matt

_________________
Matt Feider
Internal: OS : Hardy Heron Ubuntu, apache, VM'ed
Auditing: 172 machines
LDAP: Active Directory

External: OS : Don't know as it is hosted
Auditing: 826 machines
LDAP: AD, but not hooked up as it is external


PostPosted: Thu Apr 17, 2008 5:43 am
Newbie

Joined: Wed May 25, 2005 5:11 am
Posts: 49
Location: Toronto, Ontario, Canada
I've thought about this too. The only problem I see with adding Active Directory information to the Open Audit database is that you are basically duplicating that data that is already in the LDAP database (and that may be more up to date in the LDAP database). Also it may increase the size of each audit as well as the time that the audit takes to run.

Perhaps instead we could just regularly query the LDAP database for the user information that we need and then add that to Open Audit instead of doing this as part of an audit.


PostPosted: Thu Apr 17, 2008 6:19 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
[quote="Kris M"]I've thought about this too. The only problem I see with adding Active Directory information to the Open Audit database is that you are basically duplicating that data that is already in the LDAP database (and that may be more up to date in the LDAP database). Also it may increase the size of each audit as well as the time that the audit takes to run.[/quote]

Good point, however, we would be auditing the Active Directory; in other words, what would be in the OA database would be all of the Active Directory, including all of the changes. See the Software section for the kind of thing I am talking about: not only do we have installed software, but also un-installed software. The idea of auditing Active Directory would be to track changes. If my hacker deletes a user that has been previously audited, we can see when, and also see how the user was previously created, their details etc. We duplicate the data, but in the great scheme of things, it's not a large amount of data.

[quote="Kris M"]Perhaps instead we could just regularly query the LDAP database for the user information that we need and then add that to Open Audit instead of doing this as part of an audit.[/quote]

That would do to start with, but suggests a separate process. I would rather that we audit as part of a current audit process in order to keep things simple.
My idea would be to have the "master" audit process (the one that kicks off all of the child processes) do the AD audit at the end of the run just before it tidies up and sends its email.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Fri Apr 18, 2008 1:52 am
Newbie

Joined: Wed May 25, 2005 5:11 am
Posts: 49
Location: Toronto, Ontario, Canada
[quote]The idea of auditing Active Directory would be to track changes. If my hacker deletes a user that has been previously audited, we can see when and also see how the user was previously created, their details etc. We duplicate the data, but in the great scheme of things, it's not a large amount of data.[/quote]

Tracking changes is a good idea and I suppose that in order to do that properly you need to store the whole Active Directory instead of just storing the changes.

[quote]That would do to start with, but suggests a separate process. I would rather that we audit as part of a current audit process in order to keep things simple.
My idea would be to have the "master" audit process (the one that kicks off all of the child processes) do the AD audit at the end of the run just before it tidies up and sends its email.[/quote]

That's what I was wondering about. Having everything in one script (nmap, AD check, patch checking etc.) is not a bad idea; it makes it easier to run as long as there are configuration options where it can be turned on or off (like nmap is now). Doing the AD scan at the end of the audit is probably a good time to run it.

PostPosted: Fri Apr 18, 2008 2:48 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
OK... How do we set about it?

Anybody fancy taking a crack at doing a bit of coding... (I'm up to my armpits in the proverbial alligators at the moment). :?

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Mon Apr 21, 2008 9:12 pm
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
I might start to take a look at this. We need to be careful of a few things:

- Any AD integration should be optional. Core functionality of OA shouldn't become reliant on it.
- Initially at least, restrict the auditing to simple user/computer/groups added/removed.

We could maintain a link between the audited system/current user and the objects in AD. I could see some useful functions that could come from this:
- Quick summary on the home page of new/deleted users/groups/computers
- Display on the "Delete Systems Not Audited ..." page the corresponding status of the computer account in AD. Taken one step further we could optionally auto purge systems from OA if the computer account is deleted from AD.

Cheers, Nick.

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]
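The three design points raised so far (Matt's suggestion to key harvested objects by GUID rather than sAMAccountName, Andrew's aim of auditing AD so that deletions and earlier attribute values stay visible, and Nick's home-page summary of new/deleted users, groups and computers together with the AD status of systems not audited) can be tried out on two audit snapshots. The following Python is an added example, not Open-AudIT's code and not the ldap_details.php prototype; every GUID, row and hostname in it is constructed, and the objectGUID link between an audited system and its AD computer account is an assumption of the example.

```python
"""Track changes between two Active Directory audit runs.

Added example in Python; it is not Open-AudIT's code. It keys the harvested
objects by objectGUID (a rename keeps the GUID), diffs two audit runs to find
created, deleted and modified users/groups/computers, and flags audited
systems whose computer account has gone from AD. All data is constructed.
"""

# Real AD attribute names compared between runs.
TRACKED = ("sAMAccountName", "cn", "department", "mail", "objectClass")


def index_by_guid(objects):
    """Key a snapshot by objectGUID, which is stable for the life of the object."""
    return {o["objectGUID"]: o for o in objects}


def diff_snapshots(previous, current):
    """Return (added, deleted, changed) between two snapshots.

    added and deleted map GUID -> object; changed maps GUID -> {attr: (old, new)}.
    Keying on the GUID means a renamed account is reported as a change to
    sAMAccountName, not as one deletion plus one unrelated creation.
    """
    old, new = index_by_guid(previous), index_by_guid(current)
    added = {g: new[g] for g in new.keys() - old.keys()}
    deleted = {g: old[g] for g in old.keys() - new.keys()}
    changed = {}
    for g in old.keys() & new.keys():
        delta = {a: (old[g].get(a), new[g].get(a))
                 for a in TRACKED if old[g].get(a) != new[g].get(a)}
        if delta:
            changed[g] = delta
    return added, deleted, changed


def summary_counts(added, deleted, changed, current):
    """Counts per (event, objectClass): the figures a front-page summary would show."""
    cur = index_by_guid(current)
    counts = {}
    buckets = (("new", added.values()), ("deleted", deleted.values()),
               ("changed", [cur[g] for g in changed]))
    for event, objs in buckets:
        for obj in objs:
            key = (event, obj["objectClass"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def orphaned_systems(audited_systems, current):
    """Hostnames of audited systems whose AD computer account no longer exists.

    These are the rows a 'Delete Systems Not Audited' page could annotate with
    the AD status, or purge automatically if that option were turned on.
    """
    cur = index_by_guid(current)
    return [s["hostname"] for s in audited_systems
            if cur.get(s["objectGUID"], {}).get("objectClass") != "computer"]


# Constructed GUIDs (real objectGUIDs are 16 random bytes; shown here as UUID strings).
GUID_HAROLD = "9b1f0d2c-0000-4000-8000-000000000001"
GUID_JSMITH = "9b1f0d2c-0000-4000-8000-000000000002"
GUID_WS0042 = "9b1f0d2c-0000-4000-8000-000000000003"
GUID_HELPDESK = "9b1f0d2c-0000-4000-8000-000000000004"
GUID_WS0043 = "9b1f0d2c-0000-4000-8000-000000000005"
GUID_WS0007 = "9b1f0d2c-0000-4000-8000-000000000006"  # never present in either run

RUN_1 = [  # constructed first audit
    {"objectGUID": GUID_HAROLD, "objectClass": "user", "sAMAccountName": "hlr-us",
     "cn": "Harold Lee Renolds", "department": "Sales", "mail": "hlr@example.com"},
    {"objectGUID": GUID_JSMITH, "objectClass": "user", "sAMAccountName": "jsmith",
     "cn": "John Smith", "department": "IT", "mail": "jsmith@example.com"},
    {"objectGUID": GUID_WS0042, "objectClass": "computer", "sAMAccountName": "WS0042$", "cn": "WS0042"},
    {"objectGUID": GUID_HELPDESK, "objectClass": "group", "sAMAccountName": "Helpdesk", "cn": "Helpdesk"},
]
RUN_2 = [  # constructed second audit: Harold renamed and moved, jsmith deleted, WS0043 joined
    {"objectGUID": GUID_HAROLD, "objectClass": "user", "sAMAccountName": "hlr-uk",
     "cn": "Harold Lee Renolds", "department": "Marketing", "mail": "hlr@example.com"},
    {"objectGUID": GUID_WS0042, "objectClass": "computer", "sAMAccountName": "WS0042$", "cn": "WS0042"},
    {"objectGUID": GUID_HELPDESK, "objectClass": "group", "sAMAccountName": "Helpdesk", "cn": "Helpdesk"},
    {"objectGUID": GUID_WS0043, "objectClass": "computer", "sAMAccountName": "WS0043$", "cn": "WS0043"},
]
AUDITED_SYSTEMS = [  # constructed rows linking audited machines to their AD account (assumed link)
    {"hostname": "WS0042", "objectGUID": GUID_WS0042},
    {"hostname": "WS0007", "objectGUID": GUID_WS0007},
]

if __name__ == "__main__":
    added, deleted, changed = diff_snapshots(RUN_1, RUN_2)
    for key, n in sorted(summary_counts(added, deleted, changed, RUN_2).items()):
        print(f"{key[0]:8s} {key[1]:9s} {n}")
    for guid, delta in changed.items():
        print(guid, delta)
    print("computer account gone from AD:", orphaned_systems(AUDITED_SYSTEMS, RUN_2))
```

Run on the constructed snapshots it reports one new computer, one deleted user and one changed user, and the changed record shows the hlr-us to hlr-uk rename as an attribute change on the same GUID; keyed on sAMAccountName the same rename would have looked like a deletion and a creation, and the user's earlier details would have been attached to an account that no longer "exists".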


PostPosted: Fri Apr 25, 2008 9:40 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Any progress?

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Sun Apr 27, 2008 8:02 pm
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
The first problem appears to be that the PHP LDAP extension doesn't support the LDAP pagedResultsControl control (see RFC 2696 [url]http://www.ietf.org/rfc/rfc2696[/url]), which means that it's difficult to accurately pull data from larger AD systems, because AD returns paged results with a page size of 1000 objects.

There appears to be a resolution to this in OpenLDAP, but it doesn't appear to have filtered its way through to the PHP distributions: [url]http://qaix.com/php-web-programming/412-755-php-dev-ldap-module-patch-adding-new-functionality-read.shtml[/url] and [url]http://64.233.183.104/search?q=cache:eSY4ZDytGL4J:moodle.org/mod/forum/discuss.php%3Fd%3D28791+ldap_parse_result+moodle&hl=en&ct=clnk&cd=1&gl=uk[/url]

I'm running PHP 5.2.5 (windows\apache) and the relevant functions don't appear to be supported, which are:
ldap_parse_result() - with additional serverctrls argument
ldap_ber_printf()
ldap_ber_scanf()

From my phpinfo():
LDAP Support enabled
RCS Version $Id: ldap.c,v 1.161.2.3.2.11.2.7 2008/04/16 14:21:04 tony2001 Exp $
Total Links 0/unlimited
API Version 2004
Vendor Name OpenLDAP
Vendor Version 0

So at the moment I'm working on a client-side LDAP paging function to get round the problem.

Cheers, Nick.

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]
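What the paged-results control from RFC 2696 actually carries, and what a client-side paging loop has to do with it, is small enough to show in full. The Python below is an added example, not Open-AudIT code and not the PHP patch linked in the post above: it encodes and decodes the control value by hand (the job ldap_ber_printf/ldap_ber_scanf would do in PHP) and drives the cookie loop against FakeDirectory, a constructed stand-in for a domain controller that caps every page at MaxPageSize (1000) no matter what size the client asks for, so the whole thing runs offline. With a real server the same loop would wrap the LDAP library's search call and pass the control OID alongside the value.

```python
"""RFC 2696 simple paged results: the control value and the client-side loop.

Added example in Python, not Open-AudIT code. The control value is
    realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
The client sends size=N with an empty cookie; the server answers with a cookie
when more entries remain; the client resends the same search with that cookie
until the cookie it gets back is empty. FakeDirectory is constructed for the
example and models only the page cap and the cookie.
"""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # control OID sent alongside the value
MAX_PAGE_SIZE = 1000                           # AD default MaxPageSize


def _ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos, tag):
    """Read one tag/length/value at pos; return (value, position after it)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def encode_paged_control(size, cookie=b""):
    """Build the control value for a requested page size and (possibly empty) cookie."""
    # Non-negative two's-complement INTEGER: one extra bit keeps the sign bit clear.
    size_bytes = size.to_bytes((size.bit_length() + 8) // 8, "big")
    body = (b"\x02" + _ber_length(len(size_bytes)) + size_bytes
            + b"\x04" + _ber_length(len(cookie)) + cookie)
    return b"\x30" + _ber_length(len(body)) + body


def decode_paged_control(value):
    """Parse a control value into (size, cookie); malformed input raises ValueError."""
    seq, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_bytes, pos = _read_tlv(seq, 0, 0x02)
    cookie, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("unexpected data inside SEQUENCE")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


class FakeDirectory:
    """Constructed stand-in for a DC: honours the cookie (here, the next offset)
    and never returns more than MAX_PAGE_SIZE entries per search."""

    def __init__(self, entries):
        self.entries = list(entries)

    def search(self, control_value):
        requested, cookie = decode_paged_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        page = self.entries[start:start + min(requested, MAX_PAGE_SIZE)]
        nxt = start + len(page)
        next_cookie = nxt.to_bytes(4, "big") if nxt < len(self.entries) else b""
        # The server echoes the control with its own cookie; size is unused here (0).
        return page, encode_paged_control(0, next_cookie)


def paged_search(directory, page_size=500):
    """Client-side paging: repeat the search with the server's cookie until it is empty.
    Returns (all entries, number of round trips)."""
    if page_size <= 0:
        raise ValueError("page size must be positive (size 0 abandons the search)")
    entries, cookie, round_trips = [], b"", 0
    while True:
        page, response = directory.search(encode_paged_control(page_size, cookie))
        entries.extend(page)
        round_trips += 1
        _, cookie = decode_paged_control(response)
        if not cookie:
            return entries, round_trips


if __name__ == "__main__":
    dc = FakeDirectory(f"WS{i:04d}$" for i in range(2300))  # constructed computer accounts
    got, trips = paged_search(dc, page_size=1000)
    print(f"{len(got)} entries in {trips} round trips; first control value:",
          encode_paged_control(1000).hex())
```

The first request for a page of 1000 encodes to 30 06 02 02 03 e8 04 00, i.e. a SEQUENCE holding INTEGER 1000 and an empty OCTET STRING; 2300 constructed accounts come back in three round trips, and asking for 5000 per page still takes three because the server, not the client, decides the cap.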


PostPosted: Tue Apr 29, 2008 1:25 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Thanks for that, keep me posted, let me know if you need any assistance testing or whatever.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Thu May 08, 2008 12:49 am
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
Quick update: I've got the basics of this coded now and should have something to present for testing soon.

Cheers, Nick.

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]


PostPosted: Thu May 08, 2008 2:22 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
:D Sounds good.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]

