
We would like to capture extra information on Audit and send it to Custom Field.  For example, the version of PowerShell that is running on the host.

Is this a feature or do we need to change the source code to process the additional data from an audit file?


    1 answer


      I have to say I am somewhat surprised that PowerShell doesn't return in the list of installed software.

      Anyway...

      I have now added it manually to the audit_windows.vbs script (as we do with other items like Codecs, ODBC Drivers, etc). You can find an updated version on GitHub, link below. This is a drop in replacement for your current audit script. Just copy it to -

      Linux: /usr/local/open-audit/other/audit_windows.vbs

      Windows: c:\xampp\open-audit\other\audit_windows.vbs

      Please make sure you back up your original file before replacing it with this new one so you can revert if anything unexpected occurs.

      https://raw.githubusercontent.com/Opmantek/open-audit/master/other/audit_windows.vbs

      Once an audit is performed using this new script, PowerShell should appear in the list of installed software in Open-AudIT (including its version number).

      Mark.


      PS - At present there is no way to associate a custom field in the audit script to be processed by the application. This is something we are giving thought to.

      PPS - One way you might have solved it is to add the complete executable path to /files in Open-AudIT (Enterprise only). The .exe would then be recorded against any machine that contains it. That does produce a different version though (the version of the actual executable).

      Output from the file detection is below.

        <file>
            <item>
                <name>powershell.exe</name>
                <full_name>c:\windows\syswow64\windowspowershell\v1.0\powershell.exe</full_name>
                <size>431616</size>
                <directory>c:\windows\syswow64\windowspowershell\v1.0\</directory>
                <hash>21d5224e20a4be7f303ab6c4b9f219d0d70904ee</hash>
                <last_changed>1/6/2017 7:24:33 PM</last_changed>
                <meta_last_changed></meta_last_changed>
                <permission>17957033</permission>
                <owner>TrustedInstaller@NT SERVICE</owner>
                <version>10.0.14393.206</version>
                <inode>0</inode>
                <group></group>
            </item>
        </file>

      Output from the software detection is below.

            <item>
                <name>PowerShell</name>
                <version>5.1.14393.0</version>
                <install_date></install_date>
                <publisher>Microsoft Corporation</publisher>
                <url>https://docs.microsoft.com/en-us/powershell/</url>
            </item>

      I hope this helps.

      Mark.
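The two fragments in the answer above report different version strings for the same product: the file detection gives the executable's own file version (10.0.14393.206), the software detection gives the PowerShell engine version (5.1.14393.0). The following is an added example, not part of the original thread or of Open-AudIT's code, showing how to pull both out of an audit result and check that they at least refer to the same Windows build. The sample XML is constructed from the fragments posted; the `<system>` root element and the `<software>` wrapper around the software items are assumptions, and a second software item is added only to show the filter does not match it.

```python
import xml.etree.ElementTree as ET

# Constructed audit result modelled on the two fragments in the answer.
# The <system> root and <software> wrapper are assumed; the PowerShell
# items carry the values Mark posted. The Notepad++ item is filler.
SAMPLE_AUDIT = r"""<system>
  <file>
    <item>
      <name>powershell.exe</name>
      <full_name>c:\windows\syswow64\windowspowershell\v1.0\powershell.exe</full_name>
      <size>431616</size>
      <hash>21d5224e20a4be7f303ab6c4b9f219d0d70904ee</hash>
      <owner>TrustedInstaller@NT SERVICE</owner>
      <version>10.0.14393.206</version>
    </item>
  </file>
  <software>
    <item>
      <name>PowerShell</name>
      <version>5.1.14393.0</version>
      <publisher>Microsoft Corporation</publisher>
    </item>
    <item>
      <name>Notepad++</name>
      <version>7.5</version>
      <publisher>Notepad++ Team</publisher>
    </item>
  </software>
</system>
"""


def _text(item, tag):
    """Text of a child element, or '' if it is missing or empty."""
    node = item.find(tag)
    return (node.text or "").strip() if node is not None else ""


def powershell_file_entries(root):
    """(full_name, version) for every <file> item named powershell.exe."""
    return [(_text(i, "full_name"), _text(i, "version"))
            for i in root.iterfind("./file/item")
            if _text(i, "name").lower() == "powershell.exe"]


def powershell_software_version(root):
    """Engine version from the <software> list, or None if not present."""
    for i in root.iterfind("./software/item"):
        if _text(i, "name").lower() == "powershell":
            return _text(i, "version")
    return None


def parse_version(version):
    """'5.1.14393.0' -> (5, 1, 14393, 0); non-numeric parts are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def build_number(version):
    """Third dotted component, which on Windows carries the OS build."""
    parts = parse_version(version) if version else ()
    return parts[2] if len(parts) > 2 else None


def reconcile(xml_text):
    """Compare the engine version under <software> with the executable
    version(s) under <file>. They are different numbers by design, so the
    only sensible cross-check is that both name the same OS build."""
    root = ET.fromstring(xml_text)
    engine = powershell_software_version(root)
    files = dict(powershell_file_entries(root))
    engine_build = build_number(engine)
    same_build = (
        engine_build is not None
        and bool(files)
        and all(build_number(v) == engine_build for v in files.values())
    )
    return {"engine_version": engine,
            "file_versions": files,
            "same_build": same_build}


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_AUDIT).items():
        print(f"{key}: {value}")
```

Two things the example makes visible that the raw XML does not: the path under `syswow64` is the 32-bit PowerShell host on a 64-bit Windows install, so a file-based detection can report a different binary from the one an administrator normally runs, and the build component (14393) is the one field the two version strings share, which is why the check above compares only that.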
