Open-AudIT

All times are UTC + 10 hours

PostPosted: Sat Dec 12, 2009 11:16 am 
Contributor

Joined: Fri Jul 04, 2008 6:46 am
Posts: 153
Location: USA - WI
Well, I can reproduce the issue with the service not starting right on Ubuntu. Ultimately I think it has to do with how I used the PP module to compile the 'audit' file. I'm going to futz with it a bit to see what I need to change to get it working.

_________________
OA Server: Debian Squeeze w/ Apache2
Auditing: 700 Workstations, 250 or so Retail Terminals, about 75 Servers
OS's: Windows XP/2003/2008/2008 R2/Vista/7, Debian
LDAP: Active Directory 2008 R2


PostPosted: Sun Dec 20, 2009 4:44 am
Contributor

Just updated it. I fixed a problem I saw with how it was compiled and how it was connecting via MySQL on some distros. It should work reliably on 32bit distributions now. The binary files are architecture specific though. A 64bit build would require separate builds of the file to work on those systems. I have a feeling that is what you ran into on your Windows 7 machine. I tested it on a Windows 7 machine this week and it worked fine. That was on a 32bit Windows 7 install though.

PostPosted: Mon Dec 21, 2009 12:06 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Fixed the schedule service start issue with Ubuntu (on my home network at least) as follows.

[code]
chmod a+x audit*
[/code]

... from a shell in the scripts folder, give me a bit of time to test the rest.

BTW can I put a username and password in the "Computer List" box in audit_configuration.php?config_id=1

EDIT:
I tried nmap, but no results, audit a single PC also no results.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Mon Dec 21, 2009 3:19 am
Contributor

[quote="A_Hull"]Fixed the schedule service start issue with Ubuntu (on my home network at least) as follows.

[code]
chmod a+x audit*
[/code]

... from a shell in the scripts folder, give me a bit of time to test the rest.[/quote]


That hopefully shouldn't be needed anymore. I had to set the executable property on that file and audit.pl in SVN. Just pulled down a fresh copy of the trunk and it seems to be set right away now.

[quote="A_Hull"]
BTW can I put a username and password in the "Computer List" box in audit_configuration.php?config_id=1[/quote]


You mean like comma separating a computer entry to include the username and password for a specific machine? Like 'pc,username,password' ? If so, it currently just takes a list of computer names. I suppose it would be possible to allow for a comma separated list of credentials like that. The whole audit_cfg_pc_list field should probably be encrypted in that case though.


[quote="A_Hull"]
EDIT:
I tried nmap, but no results, audit a single PC also no results.[/quote]

Any helpful information in the web-schedule log or the audit logs?

PostPosted: Mon Dec 21, 2009 10:35 am
Moderator

If I test NMAP I see

Nmap command output was:

sudo: no tty present and no askpass program specified


I'll take another crack at this in the office tomorrow.

Here's the log in the meantime...

[code]
Web-Schedule Log (1-23/23) Disabled Disabled Disabled

Log Message PID Date and Time Search in this View



Adding Schedule: 192.168.7.102 - Daily 8006 20/12/09 02:59:10 pm
Started the Web-Schedule Service 8006 20/12/09 02:59:10 pm
Finished Running Configuration: NMAP 192,168.7.X 7104 20/12/09 02:56:26 pm
Running Configuration: NMAP 192,168.7.X 7104 20/12/09 02:55:16 pm
Adding Schedule: 192.168.7.102 - Daily 7082 20/12/09 02:54:38 pm
Started the Web-Schedule Service 7082 20/12/09 02:54:37 pm
Finished Running Configuration: NMAP 192,168.7.X 6029 20/12/09 02:45:02 pm
Running Configuration: NMAP 192,168.7.X 6029 20/12/09 02:44:01 pm
ERROR: Unable to Locate Nmap for Config - NMAP 192,168.7.X 5780 20/12/09 02:40:11 pm
Finished Running Configuration: 192.168.7.102 5685 20/12/09 02:37:48 pm
Running Configuration: 192.168.7.102 5685 20/12/09 02:37:46 pm
Schedule Updated: 192.168.7.102 - Daily 3921 20/12/09 02:34:05 pm
Adding Schedule: 192.168.7.102 - Daily 3921 20/12/09 02:34:05 pm
Removing Schedule: 192.168.7.102 - Daily 3921 20/12/09 02:34:04 pm
Finished Running Configuration: 192.168.7.102 4273 20/12/09 02:10:29 pm
Running Configuration: 192.168.7.102 4273 20/12/09 02:10:26 pm
Schedule Updated: 192.168.7.102 - Daily 3921 20/12/09 02:10:03 pm
Removing Schedule: 192.168.7.102 - Daily 3921 20/12/09 02:10:02 pm
Adding Schedule: 192.168.7.102 - Daily 3921 20/12/09 02:10:02 pm
Finished Running Configuration: 192.168.7.102 4107 20/12/09 02:06:32 pm
Running Configuration: 192.168.7.102 4107 20/12/09 02:06:28 pm
Adding Schedule: 192.168.7.102 - Daily 3921 20/12/09 02:03:58 pm
Started the Web-Schedule Service 3921 20/12/09 02:03:58 pm
[/code]

PostPosted: Mon Dec 21, 2009 11:38 am
Contributor

run 'sudo visudo' at the shell then add the following line

[code]
www-data ALL=NOPASSWD: /usr/bin/nmap
[/code]

Apparently the error output is a bit different with some versions of sudo, so the script didn't catch it. sudo is unfortunately needed on Linux to run the nmap command because any worthwhile options with nmap require root privileges.

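As an added example (not from the original post and not Open-AudIT code): the sudoers line above lets `www-data` run nmap as root with any arguments, so a narrower grant is to allow only a root-owned wrapper that validates the target and fixes the options. The wrapper path `/usr/local/sbin/oa-nmap-scan`, the function names, the `/8`..`/32` limit and the `-n -sS -O -oX -` option set are assumptions, and the scheduler would have to call the wrapper instead of nmap.

```shell
#!/bin/sh
# Hypothetical wrapper, installed root-owned as /usr/local/sbin/oa-nmap-scan (assumed path).
# Assumed sudoers entry, replacing the blanket grant on /usr/bin/nmap:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/oa-nmap-scan
# Check the edited sudoers file with "visudo -c" before relying on it.

NMAP=/usr/bin/nmap

# Succeed only for a dotted-quad IPv4 address with an optional /8../32 prefix.
valid_target() {
    t=$1
    # Empty input, anything option-like, stray characters, or two slashes: refuse.
    case $t in
        ''|-*|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    ip=${t%%/*}
    if [ "$ip" != "$t" ]; then
        prefix=${t#*/}
        case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
        [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
    fi
    # No leading, trailing or doubled dots, then exactly four octets of 0..255.
    case $ip in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run nmap with a fixed option set; the caller supplies nothing but the target.
run_scan() {
    if ! valid_target "$1"; then
        echo "oa-nmap-scan: refusing target: $1" >&2
        return 64
    fi
    exec "$NMAP" -n -sS -O -oX - "$1"
}

# Scan only when called with exactly one argument.
if [ $# -eq 1 ]; then
    run_scan "$1"
fi
```
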
PostPosted: Tue Dec 22, 2009 6:54 pm
Moderator

OK, looking better, even received an email last night..

Audit Action NMAP Scan
Audit Type IP Range
Schedule Type Daily
Start Time 21/12/09 12:00:00 pm
Elapsed Time Script Execution Time: 8 hr 2 min 59 sec

Hosts Audited 254
Connection Failed Audits 0
Successful Audits 0
Exited With Error Status 0
Killed Hanging Audits 22


8 Hours to nmap 254 addresses with the default settings does seem a little excessive, especially when they all seem to have failed. No I don't have the firewall on, and yes, I can nmap from my windows box without any problem.... :shock:

BTW it does seem to have done something, 'cos it has discovered a wireless access point we just set up the other day, and since nothing else is nmapping at the moment, it must have been this script.

Description: WAP XXX House Boardroom
Name: 192.168.XXX.042
Type: Netgear WPN802 Access Point
Associate with System:

IP Address: 192.168.XXX.42
MAC Address: 00:26:F2:00:XX:XX
Date First Audited: 2009-12-21 18:00


(The email with the OA Logo looks good!)

PostPosted: Thu Dec 24, 2009 1:10 am
Moderator

:D

Nmap schedule runs great from the Linux box, but I am struggling a bit to get the auditing to run, how do I go about fault finding?

I see lots of stuff like this in the logs.

[code]
Audit Stopped Abnormally MACHINE1 13652 23/12/09 03:13:25 pm
Cannot Connect to Host MACHINE2 14070 23/12/09 03:14:46 pm
Audit Stopped Abnormally MACHINE3 13520 23/12/09 03:12:58 pm
Cannot Connect to Host MACHINE4 13527 23/12/09 03:13:00 pm
Cannot Connect to Host MACHINE5 13595 23/12/09 03:13:12 pm
Cannot Connect to Host MACHINE6 13519 23/12/09 03:12:58 pm
[/code]

It smells badly of DNS, but I am not 100% certain. Scratch that, just tried DNS both as root, and non root user, it finds everything.

:shock:

LDAP works, SMTP works, NMAP logging works very well! I am loving your work!

PostPosted: Sat Dec 26, 2009 11:48 am
Contributor

Well, the Nmap logging for the emails should at least be a little more accurate now. Just an issue with the regex why the successful ones weren't counted. I've also fixed the Nmap test so that it should detect the need for having to edit sudoers and give you the line to add. I just need to recompile it for linux now.

For the machine audit issue, my initial guess would be a firewall issue. Do you have windows firewall turned on? I'm not certain which port winexe connects to, but it looks like psexec requires port 445 to be open. I would try that first. Also, make sure simple file sharing is turned off. I should really figure out exactly what port winexe/remcom need and test for that before connecting to the machine. Right now it tests port 135 (RPC/DCOM) which is normally open, and is needed to connect to WMI on a remote machine. Since it connects to the machine before running audit.vbs, I guess that test is kind of arbitrary.

Also, can you ping the machines ok? I ran into an issue lately on my debian box where I had to actually enable WINS using samba and add wins to the resolution order for hosts in /etc/nsswitch.conf.

Another thing you could do to test that winexe can connect is to navigate to the scripts directory and run winexe manually to see if you can connect to the machine. The general syntax is 'winexe --user=domain\\user //machine_name cmd' . It will prompt for the password and should leave you with a cmd prompt.

PostPosted: Sat Dec 26, 2009 9:15 pm
Moderator

Hi, won't be in the office till 5th, so will try again then.

PostPosted: Tue Jan 05, 2010 10:35 pm
Moderator

Hi and a Happy New Year...

Just tried again, this is the result.

[code]
root@openauditbox:/var/www/openaudit/scripts# ./winexe --user=mydomain\\andrew //MYMACHINE cmd
Password for [MYDOMAIN\andrew]:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>\\mymachine.mydomain.local\htdocs\openaudit\scripts\audit.vbs .
\\mymachine.mydomain.local\htdocs\openaudit\scripts\audit.vbs .
Logon failure: unknown user name or bad password.

C:\Windows\system32>cscript \\mymachine.mydomain.local\htdocs\openaudit\scripts\audit.vbs .
\\mymachine.mydomain.local\htdocs\openaudit\scripts\audit.vbs .
Logon failure: unknown user name or bad password.


[/code]

Perhaps I am missing something here, but[color=#4040BF] audit.vbs .[/color] should audit the local machine.

Also running the Audit from the Scheduler gives...

[code]
Audit Action PC Audits
Audit Type LDAP Query
Schedule Type Daily
Start Time 05/01/10 12:15:01 pm
Elapsed Time Script Execution Time: 0 hr 4 min 43 sec

Hosts Audited 253
Connection Failed Audits 146
Successful Audits 0
Exited With Error Status 107
Killed Hanging Audits 0

[/code]

PostPosted: Wed Jan 06, 2010 12:41 am
Moderator

If I copy audit.vbs and audit.config to my PC and then use winexe to connect to it and run cscript audit.vbs ... major fail.
[code]
C:\Support\Audit>cscript audit.vbs
cscript audit.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Support\Audit\audit.vbs(429, 3) Provider: Unspecified error


C:\Support\Audit>
[/code]
If I run a command prompt on my PC and run cscript audit.vbs it works...
Very strange.
It seems winexe cannot enumerate the LDAP using my credentials.

PostPosted: Wed Jan 06, 2010 1:46 am
Moderator

OK Now I understand the above issue...

from a shell on the Linux box I run the following...

[color=#0040FF]./winexe --user=mydomain\\myuser%MyPassword //MY_REMOTEPC --runas=mydomain\\myuser%MyPassword cmd
[/color]
Then run

[color=#0040FF]CD c:\scripts[/color]

Where I have a copy of the audit.vbs script and a suitable domain configured audit.config
I then run ...

[color=#0040FF]cscript audit.vbs[/color]

Runs FINE!!! at last. It seems I need to use the runas option otherwise the remote shell is effectively not logged in, this is possibly because the machine is a Windows 7 box.

Now all I need to know is how to modify openaudit to run the domain audit from the remote machine using this syntax, or how to ensure that I can connect to all of the boxes being audited using the above syntax.

It would be a nice touch to be able to add an option to the OA GUI to allow us to kick off a domain or nmap audit on a remote domain using this method, on a remote machine in that domain. I am thinking ..Use ldap to get a list of machines. Select one from the list or use a text box. Set this as the remote auditing box. Everything is still controlled from the OA box and schedulable from there.

This has several advantages, but the most obvious is that this would allow us to do remote NMAP by running from the remote box, thus seeing all of the remote MAC address info.

As a further refinement, we could do this using a copy of nmap on a network reachable share, or even by copying nmap to the remote box using the remote shell, prior to nmapping the subnet, all "hands off".

It potentially also allows us to uninstall and install software from OA... Don't all shout at once, it's not quite that simple.. but the potential is obvious.

PostPosted: Wed Jan 06, 2010 2:16 am
Moderator

I devised a simple Test script based on the above string of commands.

Run the following code snippet from a shell on the Linux box in the folder containing winexe, probably /var/www/openaudit/scripts, but this will depend on your Apache and openaudit installation... You may need to be root to make this work.

Hint: If you don't have sudo rights, log in and run the script as root without the "sudo" at the start, or give yourself sudo rights using visudo.

[code]
# The here-document is winexe's stdin; its lines run in the remote cmd session.
sudo ./winexe --user=mydomain\\myuser%MyPassword //REMOTEPC --runas=mydomain\\myuser%MyPassword cmd <<'EOF'
CD C:\support\Audit
cscript audit.vbs
exit
EOF
[/code]

Where C:\support\Audit is a folder on the remote windows PC (called in this case REMOTEPC) which has a valid audit.vbs and audit.config in this folder.
Note the double slashes. Also note the additional "exit" command to try to avoid a hung process on the Linux box.

This will prove you can manually run the audit of your domain from the linux machine. If it runs, you will see the familiar audit process output from your shell.

You may also find it worthwhile joining your Linux box to one of your domains, but that's way beyond the scope of this post. For Ubuntu and Active Directory you might want to start here. https://help.ubuntu.com/community/ActiveDirectoryHowto or https://help.ubuntu.com/community/Activ ... nbindHowto
(Back everything up first, as I will only laugh at you if you break things you can't later fix :twisted: )

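As an added example (not from the original posts and not Open-AudIT code): the winexe commands above carry the password in `--user=...%MyPassword` and `--runas=...`, where it is visible in the process list and shell history, so this variant reads it from a mode-0600 credentials file instead. It assumes a winexe build that accepts `-A`/`--authentication-file` and `--runas-file` with the same file format (check `./winexe --help`); the function names are hypothetical, and `REMOTEPC`, `mydomain` and `myuser` are the posts' placeholders.

```shell
#!/bin/sh
# Constructed example: winexe credentials from a 0600 file instead of argv.
# REMOTEPC, mydomain and myuser are the placeholders used in the posts.

# Write a Samba-style credentials file that only the current user can read.
# usage: write_auth_file FILE DOMAIN USER PASSWORD
write_auth_file() {
    (
        umask 077
        : > "$1" || exit 1          # create or truncate
        chmod 600 "$1" || exit 1    # tighten a pre-existing file as well
        printf 'username = %s\npassword = %s\ndomain = %s\n' "$3" "$4" "$2" > "$1"
    )
}

# Read a password from the terminal without echoing it; prints it on stdout.
prompt_password() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw"
}

# Run the audit in the remote cmd session; no secret appears on the command line.
# usage: run_remote_audit HOST AUTHFILE
run_remote_audit() {
    # Assumed flags: -A and --runas-file, both reading the same credentials file.
    ./winexe -A "$2" --runas-file="$2" "//$1" cmd <<'EOF'
CD C:\support\Audit
cscript audit.vbs
exit
EOF
}

main() {
    auth=$(mktemp) || exit 1
    trap 'rm -f "$auth"' EXIT
    # The password is handed to a shell function, never to an external command's argv.
    write_auth_file "$auth" mydomain myuser "$(prompt_password 'mydomain\myuser')"
    run_remote_audit REMOTEPC "$auth"
}

# Nothing runs unless the script is started with --run.
if [ "${1:-}" = "--run" ]; then
    main
fi
```
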
PostPosted: Wed Jan 13, 2010 1:20 am
Moderator

Bump... Any thoughts on my inability to get the audit to work, is it just my normal stupidity :roll: , or is there an issue?
