Open-AudIT

Hi all

I have gone through pages and pages of information relating to doing Windows PC audit and I have been unable to find any information that has helped me, which is rather frustrating as I'm on a deadline to get my network Audited.

So I have gotten an Ubuntu 8.04 Desktop PC up and running and have OA runing on there. I have configured ldap as I want to scan my entire domain.
I edit the audit.config file and it is as follows:


I then go to Audits menu, click on manage audits and create a new audit configuration after which I run it and all I get is:



Can someone please help, I tried to do it via a logon script but that went just as bad.

Oh I'm running OA Version 09.12.23, Ubuntu 8.04 and Server 2008 R2

To start with I would get the latest version from SVN. SVN tarball download

Then you should pick a method of auditing your machines. Use the web-schedule method which is available from the Audits -> Manage Audit menu and configure the scan properties from the web interface. Or use the cscript method where you edit the audit.config file and run "cscript audit.vbs" from the individual machine or from a central auditing machine in the case of a domain audit.

There are some problems with the web-schedule method if you're running the server side on 64bit Linux or a locked down Apache. I don't use the web schedule method as it was written and included in OpenAudit after I had my system set up. I cscript audit.vbs with appropriate audit.config settings from a central Windows server as a user with Administrator rights on the targeted machines.

If you go the web-schedule route all your configuration is done through the web interface not audit.config and your server host must be supported.

Thanks, will give it a try and report back.
Would it make a difference if the Ubuntu box is running as a Guest OS on Hyper-V; the Ubuntu box is 32bit as I ran into the Web Schedule issues a few days ago on 64bit.

Ok, so I did what you mentioned and it's already going much better. I setup a test scan, but the results came back: Audit ended abnormally or something of the sorts.
I then read up on this: viewtopic.php?f=6&t=1464 again and thought that it might be due to insufficient rights, so I enabled ldap authentication and so now sit with this:


I'm assuming it has something to do with ldap not being configured on MySQL or something...
Any ideas?

This says to me that you need to grant rights to your OpenAudit database to user openaudit coming from localhost.

OK, sorted out the MySQL issue but I still can't get any Audit to provide info.
When I run an Audit I get the following:

Audit Stopped Abnormally PCNAME 13007 28/02/11 10:00:07 am

Without more logs to figure out what exactly is dying troubleshooting this is tough. Trouble is that none of this stuff is logged. As I've discovered while troubleshooting this the web schedule stuff has tons of places where things can go wrong without useful error messages. I couldn't even get a configuration saved initially because it doesn't handle MySQL setups with strict_mode set. Are you dead set on using the web schedule stuff rather than a normal cscript audit.vbs and audit.config setup? If so you'll need to post a whole lot more information about your configuration.

Suppose I'm just being lazy using the web schedule.
I'm open to the script, but I did have issues getting it to work but willing to have a look at it again with some guidance..

It shouldn't be very difficult as you've already got the audit.config file mostly done from the earlier post. You do need to get the local_domain line set with your current domain. Then from a Windows machine logged on as a user with administrator rights on the target machines you can run "cscript audit.vbs" and your domain should get audited and the data posted. Post any error messages if this doesn't work.

I can help troubleshoot the web schedule if you need but you'll need to edit-in some additional logging so we can see what's happening.

My current audit.config file:
Could you please point out what it is that I need to change and if there is anything that needs to be changed on other files.

'
' Standard audit section
'
audit_location = "r"
verbose = "y"
audit_host="http://support"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/openaudit/admin_pc_add_1.php"
non_ie_page = audit_host + "/openaudit/admin_pc_add_2.php"
input_file = "pc_list_file.txt"

'
' Email authentication
'
'

email_to = "example@example.com"
email_from = "example@example.com"
'email_sender = "Open-AudIT"
email_server = "mail.example.com" ' IP address or FQDN
email_port = "25" ' The SMTP port
email_auth = "1" ' 0 = Anonymous, 1 = Clear-text Authentication, 2 = NTLM
email_user_id = "example@example.com" ' A valid Email account in user@domain format
email_user_pwd = "some_password" ' The SMTP email password
email_use_ssl = "false" ' True/False
email_timeout = "60" ' In seconds
send_email = "false" ' True/False - Enable/Disable email sending

audit_local_domain = "y"
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
'domain_type = "nt"

local_domain = "LDAP://example.local"

'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensetive. See the example below.
'
'local_domain = "WinNT://IEXPLORE"
'local_domain = "WinNT://<domainname>"
'

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
'
' Nmap section
'
nmap_tmp_cleanup = true ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_subnet = "192.168.0." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.000." ' The subnet padded with 0's
nmap_ie_form_page = audit_host + "/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "y" ' Tcp Syn scan
nmap_udp_scan = "y" ' UDP scan
nmap_srv_ver_scan = "y" ' Service version detection.
nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast

I think you only need to change this one, to match your company active directory name:

local_domain = "LDAP://example.local"

our is similar to this:

local_domain = "LDAP://company.com"

Also, if the windows firewall is in use for your windows systems, the "remote administration" firewall rule will need to be opened.

_________________
Server Info: running on a CentOS 7 vm
OA Version: 2.0.6 @ 500 devices

Cool will give it a try.

Our domain policy has the workstations firewalls disabled, so hopefully all goes well.

So I made the change to th audit.config file, added our domain: local_domain = "LDAP://company.com"
and got the follwoing error:

C:\Audit>cscript audit.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved

C:\Audit\audit.vbs(168, 1) msxml3.dll: System error: -2146697211.

I ran this as domain administrator on a test pc and tried as local admin and got the same results.

Suggestions?

ok finally
I had to edit the audit.vbs script
changed this_config_url = "http://openaudit/openaudit/list_export_config.php" to this_config_url = "http://serveripaddress/openaudit/list_export_config.php"

and it worked.

OK, now got the script to run at logon; also managed to audit systems on my remote sites through our companies VPN link.

One thing the software is not providing me is some of the serial keys for our CAD software, so far it only shows MS software.

Any way it can show other software keys?