Open-AudIT

What's on your network?

All times are UTC + 10 hours

PostPosted: Fri May 20, 2011 8:11 pm
Newbie
Joined: Thu Aug 16, 2007 12:12 am
Posts: 10
Hello,

I have noticed that the audit does not run on a local machine if it is Windows 7 or 2008. We first saw that on an SBS 2008 domain the SBS box was not audited, but if you run the audit from a remote client the SBS box then does get audited.

While looking at this issue (running the audit from my Windows 7 PC) I then noticed that my PC was not audited!

Here is the audit.config in case I am missing something.

'
' Standard audit section
'
audit_location = "r"
verbose = "y"
audit_host="http://xxxxxxxxxx.com"
'online = "yesxml"
online = "n"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = audit_host + "/audit_upload/admin_pc_add_1.php"
non_ie_page = audit_host + "/audit_upload/admin_pc_add_2.php"
input_file = "pc_list_file.txt"

audit_local_domain = "y"
'
' Set domain_type = 'nt' for NT4 or SAMBA otherwise leave blank or set to ldap
'domain_type = "nt"
'
' Example Set Domain name for NT ONLY for LDAP use the above format
' NOTE This is Case Sensitive. See the example below.
'
'local_domain = "WinNT://IEXPLORE"
'local_domain = "WinNT://<domainname>"
'

hfnet = "n"
Count = 0
number_of_audits = 10
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"
'
' Nmap section
'
nmap_tmp_cleanup = false ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "y" ' Tcp Syn scan
nmap_udp_scan = "y" ' UDP scan
nmap_srv_ver_scan = "y" ' Service version detection.
nmap_srv_ver_int = 9 ' Service version detection intensity level. Values 0-9, 0=fast

'Added during site creation
nmap_subnet = "x.x.0.0"
nmap_subnet_formatted = "x.x.000.000"
nmap_ie_form_page = "http://xxxxxxxxx.com/audit_upload/admin_nmap_input.php"
email_server = "x.x.0.2"
local_domain = "LDAP://xxxxx"


PostPosted: Sat May 21, 2011 2:19 am
Moderator
Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
You have "audit_online = n" which means audit to a text file. You'd then need to separately upload this to OA. Use "audit_online = yesxml" like you've got commented out in your config for automatic upload of audit data.

Uncomment the local_domain line and use the correct info for your domain. EDIT: Woops. I see that line is already at the end. You don't need to uncomment the first instance.

For the 2008/7 local audit maybe you need to run the scan elevated to Admin. Assuming the above doesn't fix it.


PostPosted: Mon May 23, 2011 4:53 pm
Newbie
Joined: Thu Aug 16, 2007 12:12 am
Posts: 10
Thanks for the reply, I set it to log to text file as a test to see if the local machine was even seen to be able to create the text file initially, which it wasn't.

Completely overlooked the run elevated, thanks for the pointer, I'll report back!


PostPosted: Mon May 23, 2011 7:53 pm
Newbie
Joined: Thu Aug 16, 2007 12:12 am
Posts: 10
Just an update, ran elevated and made no difference. :(


PostPosted: Tue May 24, 2011 2:14 am
Moderator
Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
What output do you get if you run the following elevated on a Win7 box named machinetoaudit? Maybe it has some clues.
Code:
cscript audit.vbs machinetoaudit


PostPosted: Tue May 24, 2011 10:00 pm
Newbie
Joined: Thu Aug 16, 2007 12:12 am
Posts: 10
It says machine not available. This is the same on sbs2008 and W7. Firewall on or off makes no difference. Yet the machines audit remotely...

Oh, and WMI connects locally using Comp management.


PostPosted: Wed May 25, 2011 2:15 am
Moderator
Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
Hopefully this works run elevated from the machine in question:
Code:
cscript audit.vbs .


If it does I would replace the IsConnectible function around line 4611 with the following and see if you can do "cscript audit.vbs machinename" successfully.

EDIT: My original version broke domain auditing from older Windows versions. I was using the wrong value from the registry. I've updated the code below.

Code:
Function IsConnectible(sHost,iPings,iTO)
  ' "." is the local machine: always treated as reachable, no ping needed
  If sHost = "." Then
    IsConnectible = True
  Else
    If iPings = "" Then iPings = 2
    If iTO = "" Then iTO = 750
    Set oShell = CreateObject("WScript.Shell")
    ' CurrentBuildNumber is 6000 or higher on Vista/2008/7
    sCurrentBuildNumber = UCase(oShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber"))
    If CInt(sCurrentBuildNumber) >= 6000 Then
      ' force IPv4 so the reply line carries a TTL= field to match on
      Set oExCmd = oShell.Exec("ping -n " & iPings & " -w " & iTO & " " & sHost & " -4")
    Else
      Set oExCmd = oShell.Exec("ping -n " & iPings & " -w " & iTO & " " & sHost)
    End If
    ' any reply containing TTL= means the host answered
    Select Case InStr(UCase(oExCmd.StdOut.ReadAll),"TTL=")
    '    Select Case InStr(oExCmd.StdOut.Readall,"TTL=")
      Case 0 IsConnectible = False
      Case Else IsConnectible = True
    End Select
  End If
End Function


Last edited by jpa on Thu Jun 09, 2011 4:05 am, edited 1 time in total.
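The patched function above forces IPv4 so that the ping output contains a TTL= field to match on. As an added example (not Open-AudIT's own code, written here in Python rather than VBScript), the same reachability check run over constructed IPv4 and IPv6 ping outputs, showing why a reply over IPv6 fails the TTL= match; the hostname, addresses and build number are constructed.

```python
"""Added example, not Open-AudIT's own code: models the IsConnectible check
from the thread. Windows ping over IPv6 prints 'Reply from ::1: time<1ms'
with no TTL= token, so on Vista/7/2008 (CurrentBuildNumber >= 6000), where
a bare hostname may resolve to IPv6 first, the TTL= test fails unless ping
is forced to IPv4 with -4. Hostname and addresses below are constructed."""
import re
import subprocess


def ping_command(host, pings=2, timeout_ms=750, build_number=7601):
    """Build the ping command line the way the patched function does:
    append -4 only on builds >= 6000 (Vista and later)."""
    cmd = ["ping", "-n", str(pings), "-w", str(timeout_ms), host]
    if int(build_number) >= 6000:
        cmd.append("-4")
    return cmd


def is_connectible(ping_output, host):
    """'.' is the local machine and always counts as reachable; any other
    host counts as up only if a reply line carries a TTL= field."""
    if host == ".":
        return True
    return re.search(r"TTL=", ping_output, re.IGNORECASE) is not None


def check_live(host, build_number=7601):
    """Run the real Windows ping and apply the check (Windows only)."""
    out = subprocess.run(ping_command(host, build_number=build_number),
                         capture_output=True, text=True).stdout
    return is_connectible(out, host)


# Constructed sample outputs in the format Windows ping prints.
IPV4_REPLY = ("Pinging machinetoaudit [192.0.2.10] with 32 bytes of data:\n"
              "Reply from 192.0.2.10: bytes=32 time<1ms TTL=128\n")
IPV6_REPLY = ("Pinging machinetoaudit [fe80::1] with 32 bytes of data:\n"
              "Reply from fe80::1: time<1ms\n")
NO_REPLY = ("Pinging 192.0.2.99 with 32 bytes of data:\n"
            "Request timed out.\n")

if __name__ == "__main__":
    for label, sample in (("IPv4", IPV4_REPLY), ("IPv6", IPV6_REPLY),
                          ("no reply", NO_REPLY)):
        print(label, is_connectible(sample, "machinetoaudit"))
```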

PostPosted: Wed May 25, 2011 7:29 pm
Newbie
Joined: Thu Aug 16, 2007 12:12 am
Posts: 10
That got it! You star, thanks so much for bearing with me! :-)


PostPosted: Thu Jun 09, 2011 4:06 am
Moderator
Joined: Fri Jul 20, 2007 8:27 am
Posts: 1254
Woops. My change broke domain auditing from earlier Windows versions. I've changed the code above to pull the correct registry key value.


PostPosted: Thu Jun 16, 2011 10:15 pm
Newbie
Joined: Thu Aug 16, 2007 12:12 am
Posts: 10
Thanks for the update! :)

