Open-AudIT

What's on your network?

All times are UTC + 10 hours




 Post subject: Domain Audit black list
Posted: Tue Sep 25, 2007 12:03 pm
Joined: Sat Apr 02, 2005 5:00 am
Posts: 6
Hello All,

I am working on a blacklist function for Open Audit. I have encountered some systems that for whatever reason don't like to be audited. Could be a WMI thing but I have little interest in figuring out why at the moment. I have noticed it hang on some SQL servers. Anyway, I am creating a blacklist.txt file that is read into an array. At each call of the audit I compare comparray(i) to ArrSkipList(z). If they match, don't audit. If they don't match, go ahead and audit it. I don't want to get too far into this if someone else is further along than I am. Let me know what you think!

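    ' Check comparray(i) against every skip-list entry before deciding
    skipHost = False
    For z = 0 To UBound(ArrSkipList)
        If comparray(i) = ArrSkipList(z) Then
            skipHost = True
            Exit For
        End If
    Next
    If skipHost Then
        WScript.Echo "BLACKLIST HIT!"
        ' Write comparray(i) to skip.txt for logging
    Else
        ' Do the audit
    End If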

Thanks!
-mwm
http://www.blatbox.com

_________________
http://www.blatbox.com
-Mike-Methe
mmethe at gmail dot com


Posted: Tue Feb 12, 2008 6:43 am
Joined: Wed Feb 06, 2008 3:06 am
Posts: 38
I think it sounds wonderful. Did you ever finish developing this, 'cause I want to use it! :P

_________________
OA Server: W2k3/IIS/PHP5/MySQL
Currently auditing 558 servers, 138 Workstations
LDAP=AD, Audit interval ~ once/month


Posted: Sat May 10, 2008 2:18 am
Joined: Wed Apr 02, 2008 8:45 am
Posts: 21
Yes yes, this does sound good. Is it finished yet?

_________________
Jon
The Tech Guy
http://www.thetechguyusa.com


Posted: Fri Oct 09, 2009 11:06 pm
Joined: Fri Mar 21, 2008 12:31 am
Posts: 16
Location: Denver, Colorado
Just wondering if anyone ever got this working, where we can add a list of computers not to audit in the audit.config file.
Maybe like a text file with the list of computers you want to exclude during a domain audit.
I use LDAP to connect to my Active Directory.

So I'm thinking maybe in the audit.vbs code where it puts all the computers in an array, maybe add a little code where it searches the array after it has been populated, and removes the computers from the array you don't want audited.

Maybe we can edit this function:
    Function GetDomainComputers(ByVal local_domain)
        Dim objIADsContainer ' ActiveDs.IADsDomain
        Dim objIADsComputer  ' ActiveDs.IADsComputer
        Dim vReturn          ' Variant

        ' connect to the computer.
        Set objIADsContainer = GetObject(local_domain)

        ' set the filter to retrieve only objects of class Computer
        objIADsContainer.Filter = Array("Computer")

        ' Maybe do another filter here that removes computers in blacklist

        ' collect the name of every computer object into vReturn
        ReDim vReturn(0)
        For Each objIADsComputer In objIADsContainer
            If Trim(vReturn(0)) <> "" Then
                ReDim Preserve vReturn(UBound(vReturn) + 1)
            End If
            vReturn(UBound(vReturn)) = objIADsComputer.Name
        Next

        GetDomainComputers = vReturn
        Set objIADsComputer = Nothing
        Set objIADsContainer = Nothing
    End Function


Posted: Fri Mar 12, 2010 7:46 am
Joined: Fri Mar 21, 2008 12:31 am
Posts: 16
Location: Denver, Colorado
I think I finally got a blacklist to work.
I attached my audit.vbs file.
You have to create a blacklist.txt file in the same folder where audit.vbs runs.
I also added an entry to the audit.config file

blacklist_file = "blacklist.txt"

I also added a Dim declaration just under the input_file declaration:
Dim blacklist_file
and also to where the Case Ucase(arg) are located:
Case "BLACKLIST_FILE" blacklist_file = Wscript.Arguments.Named(arg)

Below is the code I added just under the Do Until loop for ObjRecordSet.EOF which is located at around line 439.
Or you could just say it is located just above the Randomize scan If statement.

    On Error Resume Next
    If blacklist_file <> "" Then
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        ' DomainPC.txt is opened for writing (mode 2); nothing below writes to it
        Set objTextFile = objFSO.OpenTextFile("DomainPC.txt", 2)
        ' Open the file named by the blacklist_file setting for reading (mode 1)
        Set objTextFileBl = objFSO.OpenTextFile(blacklist_file, 1)
        'This inputs the blacklist.txt file into an array blacklist()
        Dim blacklist()
        i = 0
        Do Until objTextFileBl.AtEndOfStream
            ReDim Preserve blacklist(i)
            blacklist(i) = UCase(objTextFileBl.ReadLine) 'edited this
            i = i + 1
        Loop

        'Start loop to create new comparray()
        Dim Newarray()
        match = False
        k = 0
        For i = 0 To UBound(comparray)
            ' Look for this computer in the blacklist
            For j = 0 To UBound(blacklist)
                If comparray(i) = blacklist(j) Then
                    match = True
                    Exit For
                End If
            Next
            ' Keep only computers that are not blacklisted
            If match = False Then
                ReDim Preserve Newarray(k)
                Newarray(k) = comparray(i)
                k = k + 1
            End If
            match = False
        Next
        Erase comparray 'erase comparray and set equal to Newarray
        For i = 0 To UBound(Newarray) 'copy the filtered list back into comparray
            ReDim Preserve comparray(i)
            comparray(i) = Newarray(i)
        Next

        objTextFile.Close
        objTextFileBl.Close

    End If


Attachments:
File comment: My audit.vbs file with the new code, was renamed to audit.txt as audit.vbs is not allowed to be uploaded.
audit.txt [216.44 KiB]
Downloaded 255 times
Posted: Wed Jan 18, 2012 1:25 am
Joined: Fri Mar 21, 2008 12:31 am
Posts: 16
Location: Denver, Colorado
Note: I updated the above script to convert the imported blacklist to Uppercase.
Otherwise it might not work if you type a computer name not in upper case.
I highlighted the change above in red.

I recently redeployed Open-Audit after changing jobs.
Trying to get everything working like I had it at my last job.
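
A stricter take on the filtering discussed in this thread, as an added example that is not part of any post or of Open-AudIT's audit.vbs: it matches names case-insensitively, tolerates stray whitespace, and logs every excluded host so that machines dropped from the audit stay visible. The function names LoadBlacklist and FilterHosts, the # comment convention and the sample host names are assumptions; blacklist.txt and skip.txt are the file names mentioned in the thread.

```vbscript
Option Explicit

' Added example. Reads the exclusion list into a case-insensitive Dictionary.
' Blank lines and lines starting with # are ignored (assumed file convention).
Function LoadBlacklist(ByVal path)
    Dim fso, ts, entry, dict
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare            ' "sql01" matches "SQL01"
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' A missing file yields an empty list, so nothing is silently excluded
    If fso.FileExists(path) Then
        Set ts = fso.OpenTextFile(path, 1)      ' 1 = ForReading
        Do Until ts.AtEndOfStream
            entry = Trim(ts.ReadLine)
            If entry <> "" And Left(entry, 1) <> "#" Then
                If Not dict.Exists(entry) Then dict.Add entry, True
            End If
        Loop
        ts.Close
    End If
    Set LoadBlacklist = dict
End Function

' Returns the hosts that are not excluded and appends each skipped host,
' with a timestamp, to logPath so exclusions stay visible to reviewers.
Function FilterHosts(ByVal hosts, ByVal blacklist, ByVal logPath)
    Dim fso, logFile, kept, host
    Set kept = CreateObject("Scripting.Dictionary")
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set logFile = fso.OpenTextFile(logPath, 8, True)  ' 8 = ForAppending, create if missing
    For Each host In hosts
        If blacklist.Exists(Trim(host)) Then
            logFile.WriteLine Now & " skipped (blacklist): " & host
        Else
            kept.Add kept.Count, host
        End If
    Next
    logFile.Close
    FilterHosts = kept.Items    ' zero-length array when every host is excluded
End Function

' Constructed sample data; in audit.vbs the host list would be comparray
Dim sampleHosts, remaining
sampleHosts = Array("WS-0001", "sql01", "WS-0002")
remaining = FilterHosts(sampleHosts, LoadBlacklist("blacklist.txt"), "skip.txt")
WScript.Echo "Hosts left to audit: " & (UBound(remaining) + 1)
```

Run it with cscript from a folder containing a blacklist.txt; reviewing skip.txt alongside the exclusion list shows which machines have dropped out of inventory coverage.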

