Security Audit Report

Sidney Sahdala
Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

edited June 20 in Solutions

Product Name: Security Audit Report

Version: 2.1

Description : UPDATED: 8/16/2019! - Now with more accurate BitLocker script.
One Report and six Agent Procedures to get a good overview on the following:

1. Antivirus inventory
2. Antimalware inventory
3. Installed antivirus and antimalware products including version and if it is up to date
4. Guest account status on endpoints
5. The status of SMB1 on endpoints
6. The status of machines that have USB mass storage allowed or disabled
7. Secure Boot for UEFI status
8. File table overview and list any endpoints with insecure file tables
9. Endpoint BitLocker status
10. Endpoint Firewall status
11. A list of VSA users, their last login, and their Roles and Scopes
12. A list of all local admins on each endpoint
13. A list of all network shares on every endpoint

In this new version the scripts have been improved, an additional test has been added, older non-functioning scripts have been removed, the report has been tweaked to be more relevant, and some bugs have been fixed. Also, I removed the Software Management section and am adding that to the Automation Exchange as a separate download.

The Agent Procedures included with the import will document all data to the asset in custom fields.

This pack should help get you on your way to build your own agent procedures, custom fields, and report parts relevant to your business.

NOTE: It is important to create the Custom Fields first. If you are using VSA version 9.5 or higher, it should automatically map the fields in each Agent Procedure. Otherwise, you may have to edit the agent procedures and point certain commands to the custom fields.

*** It may be best to review the Agent Procedures before running them just in case a field doesn't map correctly and overwrites the data in an existing field that you may be using for something else.

Instructions :

Log in to VSA and go to System > Server Management > Import Center to import the XML file in the ZIP file.

Documentation is included in the ZIP file. It is important to create the Custom Fields first and if you are using VSA version 9.5.0.10 or later the system should automatically map the fields in each Agent Procedure. Otherwise, you may have to edit the agent procedures and point certain commands to the custom fields. This is a dropdown in the commands in the Agent Procedures.

This will import one report and six agent procedures.

Reports:

  1. Security Audit Report

Agent Procedures:

  1. Audit - BitLocker Status / Key Retrieval 2.0
  2. Audit - Check SMB1 Status
  3. Audit - Check USB Mass Storage Status
  4. Audit - Check UEFI Status
  5. Audit - Firewall (Domain, Private, and Public)
  6. Audit - Guest Account Status Check


Comments

  • Stefano Benini
    edited June 2018

    Hello,

    I receive this error when I import the report Security_Audit_Pack_Reports.xml:

    Unexpected error - System.ApplicationException: The message key 'ReportDesignerInstanceAddFailed for : Failed to retrieve DataSet 'Out of Compliance'    at Kaseya.ImportCenter.Report.ReportDesignerDataSetInstance..ctor(XmlNode reportDataSetInstanceNode, Decimal partitionId)

       at Kaseya.ImportCenter.Report.ReportDesignerInstance..ctor(XmlNode reportInstanceNode, Decimal partitionId)

       at Kaseya.ImportCenter.Report.ReportImporter.ImportCustomReport(XmlNode reportNode, Boolean systemLoad, ImportResponse response, Boolean overRide, Int32 sortOrder, String treeFullPath) ' is not in the message file ImportCenter/ImportCenterMessages.xml

       at Kaseya.ImportCenter.MessageMap.GetMessage(String key)

       at Kaseya.ImportCenter.ViewImportLogDetail.LoadGrid()

  • Tim inman
    Tim inman Member
    edited June 2018

    Hi

    When I downloaded and installed, the only report that shows is the BitLocker one; the Security Audit one is not available.

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited June 2018

    If you are having problems importing the reports check which version of VSA you are using. I made a separate XML called Security_Audit_Pack_Reports.xml that should have both reports. I just did a test import on a 9.5.0.7 test box and it created a folder in Infocenter > Reporting > Reports in the Shared folders called Security Reports and both showed up. I tried importing to a previous version and the fields just didn't map properly. 

    Can you try to make sure you create the custom fields first and import the reports as a Master user and let me know the outcome, please?

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited June 2018

    Hi Stefano,

    Is the Software Management module showing up on your VSA?

    It looks like it may not be, because the error is referencing a report part that is installed when the module is added. If not, your Account Manager can activate it for you.

    Thanks!

  • Tim inman
    Tim inman Member
    edited June 2018

    Hi Sidney - let me try again and will get back to you - the agent procedures work fine just the reports not working

    Also the version we are on is 9.4.0.37

    thanks

    tim


  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited June 2018

    I found out that the report import will fail if you do not have the Kaseya Antivirus, Antimalware, and Software Management modules on your VSA instance. I will be adding more reports to the ZIP file without the Antivirus, Antimalware, and Software Management components.

  • Tim inman
    Tim inman Member
    edited June 2018

    Thanks as we do not use the Kaseya Antivirus, Antimalware, and Software Management modules

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited June 2018

    Hi Tim, I updated the ZIP file and added a new XML file for a report without the KAV, KAM, and Software Management components.

  • Brandon
    Brandon Member
    edited June 2018

    This is really great, Sidney. I already have it installed and am using it as is. I don't suppose you could add a procedure to tell whether TLS 1.0/1.1 are disabled? Would be great for customers with PCI DSS compliance needs. I would be happy to donate something for the cause.

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited July 2018

    Great idea, I'll work on that... I'm on vacation... sorry for the delay in my response.

  • Rey Marquez
    Rey Marquez Member
    edited July 2018

    I'm also only getting a Bitlocker module, which works great by the way. Would you mind confirming that the other procedures are there also?

  • Scott Wolff
    Scott Wolff Member CHOCOLATE MILK
    edited July 2018

    Unfortunately, I am only getting the Bitlocker Agent Procedure showing up, but both reports are there.  Bitlocker Procedure works great and shows up in the custom field, and report.  Would love to have the agent procedures show up for the other ones to see how they look too.
  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited July 2018

    I tested the import again and it seems to work for me. Which version of VSA are you using?

  • Scott Wolff
    Scott Wolff Member CHOCOLATE MILK
    edited July 2018

    Hey Sidney, thanks for getting back to me, and I apologize for the delay in responding.  I wanted to try a reboot of the server first, so it would not waste any of your time if this fixed the issue.  We were able to find a maintenance window this weekend to reboot our VSA server, and after the reboot all the Agent Procedures appeared in their own custom folder.  Not sure what the hangup was since the import center said everything was successful, but appears the issue was with our server.  All agent procedures, reports, and custom fields work perfect.  Thanks for your work on putting this together and posting it on the Automation Exchange!

  • Curtis Duck
    Curtis Duck Member CHOCOLATE MILK
    edited August 2018

    The Spectre/Meltdown test does not work correctly. I tested the link to download from MS and it fails. After correcting this it still does not appear to be working correctly.

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited August 2018

    Hi Curtis, I see that Pedro P. Polakoff III from CWPS posted a newer version of the Spectre/Meltdown Check. He says something wasn't right with our method. You can download it here: https://automationexchange.kaseya.com/products/524. I'll have to find a way to implement it in this report. I haven't tested his solution, but if it stores the information in a custom field then it should be easy to report on.

  • Ian Shaffer
    Ian Shaffer Member
    edited September 2018

    I'm getting the following message when I attempt to import the audit pack reports (same as the first comment in this list):

    Unexpected error - System.ApplicationException: The message key 'ReportDesignerInstanceAddFailed for : Failed to retrieve DataSet 'Out of Compliance'    at Kaseya.ImportCenter.Report.ReportDesignerDataSetInstance..ctor(XmlNode reportDataSetInstanceNode, Decimal partitionId)

       at Kaseya.ImportCenter.Report.ReportDesignerInstance..ctor(XmlNode reportInstanceNode, Decimal partitionId)

       at Kaseya.ImportCenter.Report.ReportImporter.ImportCustomReport(XmlNode reportNode, Boolean systemLoad, ImportResponse response, Boolean overRide, Int32 sortOrder, String treeFullPath) ' is not in the message file ImportCenter/ImportCenterMessages.xml

       at Kaseya.ImportCenter.MessageMap.GetMessage(String key)

       at Kaseya.ImportCenter.ViewImportLogDetail.LoadGrid()

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited September 2018

    Hi Ian,

    There are two reports; for one you need Software Management, Kaseya Antivirus (KAV), and Kaseya AntiMalware (KAM). If you don't have all these modules then that will fail. Import the second XML file called Security_Audit_Report__No_KAV__KAM__or_KSM_modules_.xml.

    Let me know how it goes.

  • Curtis Duck
    Curtis Duck Member CHOCOLATE MILK
    edited September 2018

    I corrected the report; he was not stepping out enough spaces to parse the information correctly in the Spectre/Meltdown text files. This is working after adding the correct spacing in his procedures.

  • Ian Shaffer
    Ian Shaffer Member
    edited September 2018

    Sidney,

    I just was licensed for Software Management 15 minutes ago. It's working now. :D

    Thanks!

  • Gregory Mikesell
    Gregory Mikesell Member CHOCOLATE MILK
    edited October 2018

    Issues I've found:

    1) Agent Procedure: Audit - BitLocker Status / Key Retrieval

    This was detecting every PC as having bitlocker turned on. It looks like the problem is that it's only checking for the word "Encrypted" in the text file it produces at the start of the procedure which appears multiple times in the output. I'm working on changing this around on my VSA to check other statuses directly such as "Fully Decrypted" instead. I'm still working on it some as I also have issues with what to do when manage-bde isn't a known command on the system (should list Fully Decrypted).

    2) Agent Procedure: Audit - Guest Account Status Check

    This will produce a result of "Enabled" when the guest account has been renamed to something besides the default "Guest". Again I'm working on this some on my VSA, but I'm not happy with it yet. I'm thinking instead I want to list users of the "Guest" local group who are enabled.

    3) Agent Procedure: Audit - Meltdown/Spectre Vulnerability Check

    This was downloading a zip file from a Microsoft page that doesn't appear to exist anymore, as a new version of the script is available. I've updated to the new script and put it on my VSA's Managed Files to prevent this issue in the future, but the new version of the scripts inside of the zip also has different spacing in its output, which requires editing the procedure in two of its more complicated lines to adjust.

    4) Report: Security Audit Report

    In general the report is good, but care needs to be taken with the custom fields as I was seeing some parts of the report fill in with several of my previously existing custom fields instead of using the new ones. This even after opening and resaving each part, places that used the custom fields had to be rebuilt. I'm on VSA 9.5.0.12 so this may be adjusted in a newer version, and as long as you're aware of what you're doing it's not terrible to zip through real fast.

    General Comments:

    I plan on splitting this up some and creating a higher level "executive summary" version that our vCIO can go over with clients. Large chunks of this report are most useful for our technicians or for auditors. So I'm going to make it more directly target each audience with new versions of the reporting parts that target each audience directly (Execs in client meetings, our own techs, and auditors).

    All in all this has given me a great starting place for generating these sorts of reports and while I have things I want to change or adjust for our needs it's very much a valuable tool.
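
Added example (not part of the thread or of the Security Audit Report pack): the BitLocker false positive from item 1 of the comment above, reproduced and avoided in Python by reading the `Conversion Status` and `Protection Status` fields instead of searching for the word "Encrypted". The sample `manage-bde -status` text is constructed and assumes English-locale output; the state names returned by `bitlocker_state` are hypothetical labels.

```python
import re

# Constructed sample of English-locale `manage-bde -status` output (not captured
# from a real machine). "Percentage Encrypted" is printed for every volume.
TEMPLATE = """BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

    Size:                 237.87 GB
    Conversion Status:    {conv}
    Percentage Encrypted: {pct}%
    Protection Status:    {prot}
    Lock Status:          Unlocked
"""
DECRYPTED = TEMPLATE.format(conv="Fully Decrypted", pct="0.0", prot="Protection Off")
ENCRYPTED = TEMPLATE.format(conv="Fully Encrypted", pct="100.0", prot="Protection On")
SUSPENDED = TEMPLATE.format(conv="Fully Encrypted", pct="100.0", prot="Protection Off")
MISSING = "'manage-bde' is not recognized as an internal or external command,\n"

VOLUME = re.compile(r"^Volume\s+(\S+)")
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*\S)\s*$")

def naive_check(text):
    """Substring test of the kind described above: true for any volume listing."""
    return "Encrypted" in text

def parse_status(text):
    """Return {volume: {field: value}} parsed from manage-bde -status output."""
    volumes, current = {}, None
    for line in text.splitlines():
        if m := VOLUME.match(line):
            current = volumes.setdefault(m.group(1), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return volumes

def bitlocker_state(text, volume="C:"):
    """Classify one volume from its Conversion Status and Protection Status."""
    fields = parse_status(text).get(volume)
    if not fields:
        return "NotAvailable"  # no volume block, e.g. manage-bde is missing
    conv = fields.get("Conversion Status", "Unknown")
    prot = fields.get("Protection Status", "Unknown")
    if conv in ("Fully Encrypted", "Used Space Only Encrypted"):
        return "Protected" if prot == "Protection On" else "Encrypted, protection off"
    return conv  # "Fully Decrypted", "Encryption in Progress", ...
```

A volume with a suspended protector reports `Fully Encrypted` together with `Protection Off`, which is why both fields are read before a value is written to the custom field.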

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited October 2018

    Hi Gregory,

    Thanks for the feedback. The bitlocker issue just recently showed up as there seems to have been a change in the output when the manage-bde command is run.  I will be coming out with a newer version and updating this in the coming month. 

    Thanks!

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited March 2019

    Hi Everyone,

    The new version is out. I removed a few items from this report, added a test for UEFI Secure Boot, cleaned up the report, and added a new BitLocker detection script. I changed the presentation of the report, tweaked the results, and cleaned up some code. I am still working on showing the members of the guests group. Finally, there is also an Executive Summary.

    Please send me feedback and I'll continue to work on it. 

  • Paul Stanley
    Paul Stanley Member
    edited March 2019

    I just downloaded the new version and it looks like the Agent Procedures are missing.

  • Paul Stanley
    Paul Stanley Member
    edited March 2019

    Never mind I see them now, I was looking for 6 individual procedures and they are in the xml file.

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited March 2019

    Hi Paul,

    I may change that since people may just want portions of this. Before you run this the first time, edit the Agent Procedures and verify that the UpdateSystemInfo commands are mapped to the right fields. Someone contacted me that the import mapped to other fields and overwrote the data that was there. 

  • Paul Stanley
    Paul Stanley Member
    edited March 2019

    Yes, I noticed it after I ran the report; it pulled in Custom Field 18 instead of the custom field I had set for SMB1 and the field was blank. I went through and updated it on my end. Thanks.

  • Jim M
    Jim M Member
    edited April 2019

    Sidney, I understand that the 'Security Products' portion of the Audit module looks at WSS (Windows Security Center). As I need to run it against Windows servers, how would you recommend finding Anti-Virus/Anti-Malware products, as servers do not use WSS?

  • Sidney Sahdala
    Sidney Sahdala Member, Kaseya Certified, Kaseyan, Kaseya Staff

    edited April 2019

    I am working on a server page but it's a little trickier. I am able to query the installed programs specifically for AV products, but we need to add the product name to a filter. This will only list the AV products and not show the version or if they are up-to-date. It can be done with Agent Procedures and Custom Fields, but the Agent Procedures would have to be customized for each AV product. I'll be updating the document in the coming week and will add a page for just displaying the antivirus software installed on the servers. It will take me longer to come up with a sample Agent Procedure that can at least grab the version and report on it.

  • Heiko Soest
    Heiko Soest Member
    edited June 2019

    Somehow Bitlocker is not working and I'm getting the error "Script Summary: Failed THEN in step 2 (Line 11)". Could you please help or tell me how we can troubleshoot this?
