Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 1:55 am

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 23 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Mon Jul 30, 2012 9:17 pm 
Offline
Newbie

Joined: Fri Jul 27, 2012 4:46 pm
Posts: 13
Hello,

I am using Open Audit V1 (I will upgrade to V2 but not just yet). And I have been having trouble to audit Windows 7 and W2K8(R2) machines. In my domain the windows firewall is disabled but on all PC's UAC is enabled. With a group policy we run the audit.vbs script but I think UAC is blocking the script. We see some audit information but not everything. For example a W7 machine with MS office 2010 shows this:

Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation 2012-06-22 14:51
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-06-22 14:51

But it doesn't show which program from Office 2010

Is there any way to bypass this without disabling UAC?

Thanks in advance!


Last edited by MikeS on Thu Aug 09, 2012 2:04 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 01, 2012 1:53 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Just run the script as an elevated Admin user and see what the output looks like. If you still have missing applications then you probably have a different problem. Also make sure you're running the latest OAv1 from [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]SVN[/url].


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 01, 2012 4:56 pm 
Offline
Newbie

Joined: Fri Jul 27, 2012 4:46 pm
Posts: 13
[quote="jpa"]Just run the script as an elevated Admin user and see what the output looks like. If you still have missing applications then you probably have a different problem. Also make sure you're running the latest OAv1 from [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]SVN[/url].



I'll upgrade first to see if it fixes the problem because I am on Version 09.03.17. How exactly do I upgrade, because I never did the installation a colleague of mine did so I'm kinda new to it all. Just overwrite the existing files?

Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 02, 2012 1:22 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Make a backup of your OA MySQL database and all files or minimally openaudit\include_config.php and openaudit\scripts\audit.config. You should be doing this regularly anyway.

Download the latest [url=http://open-audit.svn.sourceforge.net/viewvc/open-audit/trunk/?view=tar]tarball of OAv1 from SVN[/url]. Unzip and untar the open-audit-trunk.tar.gz file that you just downloaded. Copy the new files over the existing ones. Where they go is dependent on how you have it set up.

Log in to OpenAudit and you should get a message at the top of the page that there are database updates to apply. Click the link and hopefully your database gets updated without error. If there are errors you can restore your database backup, reinstall your old version of OA base and config files.


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 02, 2012 7:58 pm 
Offline
Newbie

Joined: Fri Jul 27, 2012 4:46 pm
Posts: 13
Jpa thank you very much! I will try to see if it solves my problem.


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 02, 2012 10:06 pm 
Offline
Newbie

Joined: Fri Jul 27, 2012 4:46 pm
Posts: 13
Everything went great besides a few rights my user was missing on the database. Now I have another problem..

[img]http://i47.tinypic.com/530686.png[/img]

Our audit script runs when people login with a group policy. But because of the new audit.vbs script I am getting all these popups. It's asif the script is running in debug mode so I can see the values. Is there any way to turn this off?


Top
 Profile  
Reply with quote  
PostPosted: Fri Aug 03, 2012 1:01 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
You should run the script using "cscript audit.vbs" and not using wscript.


Top
 Profile  
Reply with quote  
PostPosted: Fri Aug 03, 2012 5:26 pm 
Offline
Newbie

Joined: Fri Jul 27, 2012 4:46 pm
Posts: 13
I fixed it. But I just don't get it why UAC is giving me a hard time.

If I run the audit.vbs script locally as an administrator it works perfect but even if I make a group policy with elevated permission the audit.vbs doesn't work like it should.

I think UAC is great and all but it also blocks too much stuff but I rather leave it on, is there another way that will let me run the audit.vbs with group policy?


Top
 Profile  
Reply with quote  
PostPosted: Sat Aug 04, 2012 1:59 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I don't know how you're running a logon script elevated using Group Policy but if you want everything audited you need to run the script elevated. You could run the script as a Computer Startup script in Group Policy but this will only run on computer boot. If you want to run at every user logon you could use Group Policy to create a Scheduled Task that ran "At log on" of any user and set up the permissions to run elevated.


Top
 Profile  
Reply with quote  
PostPosted: Sat Aug 04, 2012 9:02 am 
Offline
Site Admin
User avatar

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
I recommend a Domain Audit - that's what we use on our ~5,000 systems.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


Top
 Profile  
Reply with quote  
PostPosted: Sun Aug 05, 2012 6:50 am 
Offline
Newbie

Joined: Fri Jul 27, 2012 4:46 pm
Posts: 13
[quote="jpa"]I don't know how you're running a logon script elevated using Group Policy but if you want everything audited you need to run the script elevated. You could run the script as a Computer Startup script in Group Policy but this will only run on computer boot. If you want to run at every user logon you could use Group Policy to create a Scheduled Task that ran "At log on" of any user and set up the permissions to run elevated.


Yes I have a Group Policy with a Scheduled Task that runs the script with Elevated Permission. I also tried running it as a Computer Start script and even this isn't working. I tried all the possible ways to bypass the UAC when executing a logon script.
If I just run the script locally as an Administrator the audit is correct.

When I let the audit script run on a Windows 7 machine with a scheduled task I see this in my software:

Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation

When I run it locally as an Administrator

Microsoft Office Excel MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-02 15:15
Microsoft Office Groove MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation 2012-08-02 15:15
Microsoft Office InfoPath MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Office 64-bit Components 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office OneNote MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Outlook MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office PowerPoint MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Professional Plus 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (English) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (French) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proof (German) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Proofing (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Publisher MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Shared 64-bit MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Shared MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation
Microsoft Office Word MUI (Dutch) 2010 14.0.6029.1000 Microsoft Corporation

[quote="Mark"]I recommend a Domain Audit - that's what we use on our ~5,000 systems.

What do you mean with Domain Audit?

Top
 Profile  
Reply with quote  
PostPosted: Sun Aug 05, 2012 7:39 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Maybe you're using the wrong version of cscript [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=8&t=5874&hilit=cscript&start=30#p20428]like in this earlier thread[/url] where software was mysteriously missing from an audit?


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 06, 2012 9:46 am 
Offline
Site Admin
User avatar

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
[quote="MikeS"]What do you mean with Domain Audit?

In the same directory in the download as the audit_windows.vbs script, there is another called audit_domain.vbs. Check out the variable settings within it. Basically, you point it at your Domain, let it know where audit_windows.vbs is (locally on your filesystem), tell it how many audits you want to spawn at once and it audits all the Windows machines in your domain. There are options within to restrict it to certain operating systems (say, all your machines with the string "server" in the OS name).

number_of_audits == how many audits you want running at any given time. I set this to 20.
audit_run_type == whether to copy the audit_windows script to the remote PC then initiate it remotely. NOTE - this doesn't work very well. It runs these in serial - ie, one at a time. It takes a LONG time to get through a domain of any size. I am working on a script to spawn multiple instances. For now, leave this set to "local".
remote_user and remote_password == set these if your systems are not on a domain. It's a bit of a hack. I don't use this.
script_name == the full path to audit_windows.vbs
local_domain == an array of domains your wish to audit. Make sure your have Admin in each domain for the user account running audit_domain. I have three domains here and my designated account has "local admin" on all computers in these domains.
operating_system == a string that matches against the OS name pulled from Active Directory. If this string appears anywhere in the OS name, it's a match. Leave blank for ALL systems.
output_file == If you want a dump of the matched systems, provide a file name. I leave this blank...

NOTE - all these variables can be passed in from the command line at runtime (same as audit_windows.vbs). Personally, I have a couple of these scripts configured how I like - one for our servers that runs at night, another for our workstations that runs in the daytime, another for a second domain, etc.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 06, 2012 10:15 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Which is all true for when you upgrade to OA v2. With version 1 you'll want to follow the [url=http://www.open-audit.org/phpBB3/viewtopic.php?f=6&t=1464#p6324]How to Audit a Domain FAQ[/url].


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 06, 2012 3:56 pm 
Offline
Newbie

Joined: Fri Jul 27, 2012 4:46 pm
Posts: 13
Thank you guys for your replies. Mark I have some of the settings you posted. I also tried to see if I was running the wrong version of cscript.

So on a machine I executed the audit script with cscript as a Non-Administrator. Guess what? Everything audited the way it should. So UAC doesn't block it, even a non-administrator can execute it.

So somehow the script isn't executing properly at logon with the scheduled task. The next thing I did was 5 minutes after logon I executed the scheduled task to see if that would help. It also didn't help but if use cscript/wscript audit.vbs it works like a charm. Any ideas why the scheduled task isn't working like it should?

edit: Apparently some other people are having problems with running scripts with scheduled tasks under W7 & Server 2008. But apparently UAC blocks UNC paths because I run my script from netlogon folder and it's not allowed.


Last edited by MikeS on Mon Aug 06, 2012 4:52 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 23 posts ]  Go to page 1, 2  Next

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group