Using Audit functions

Note

This feature is available in the Enterprise version.

Principle of audit

The audit function lets you run regular checks on desktop configurations and centralize the results of these checks in the WAPT console. This feature allows you to ascertain that your installed base of machines matches your set of conformity rules over time.

For example you can:

  • regularly check the list of local administrators on the desktops;
  • ascertain over time the correct configuration of a critical software;
  • regularly check the presence of the correct version of a piece of software;
  • ascertain the security settings of a workstation;

The audit function benefits from the depth and the breadth of Python libraries for unmatched levels of precision and finesse for your auditing needs.

Working principle of the audit function

The audit tasks are launched once after every upgrade, then regularly as defined with the audit_schedule value.

To manually launch an audit check, you may also use the following command:

"C:\Program Files (x86)\wapt\wapt-get.exe" audit

Note

By default, the audit function will not launch if the audit is not necessary.

To force the execution, you may launch the following command:

"C:\Program Files (x86)\wapt\wapt-get.exe" audit -f

Calling this function will launch the audit scripts present in each WAPT package installed on the machine.

WAPT saves in its local database C:\Program Files (x86)\wapt\waptdb.sqlite the audit scripts of all installed WAPT packages.

Output example of wapt-get audit:

Auditing tis-disable-ipv6 ...
Skipping audit of tis-disable-ipv6(=1.0-6), returning last audit from 2018-09-25T11:20:58.426000
tis-disable-ipv6 -> OK
Auditing tis-disable-js-adobe ...
Skipping audit of tis-disable-js-adobe(=13), returning last audit from 2018-09-25T11:20:58.502000
tis-disable-js-adobe -> OK
Auditing tis-disable-js-chrome ...
Skipping audit of tis-disable-js-chrome(=3), returning last audit from 2018-09-25T11:20:58.566000
tis-disable-js-chrome -> OK
Auditing tis-disable-office-dde ...
Skipping audit of tis-disable-office-dde(=1.0-2), returning last audit from 2018-09-25T11:20:58.615000
tis-disable-office-dde -> OK
Auditing tis-sysmon ...
Skipping audit of tis-sysmon(=8.0-12), returning last audit from 2018-09-25T11:20:58.722000
tis-sysmon -> OK
Auditing tis-java ...
OK: Uninstall Key {26A24AE4-039D-4CA4-87B4-2F32180181F0} in Windows Registry.
OK: Uninstall Key {26A24AE4-039D-4CA4-87B4-2F64180181F0} in Windows Registry.
tis-java -> OK

Note

In the example above, the audit script had already been executed for tis-disable-js-chrome and tis-disable-ipv6 … but not for tis-java.

How to write the audit function

The audit script is defined in the package’s setup.py with a function def audit():

Example:

# -*- coding: utf-8 -*-
from setuphelpers import *

def audit():
    # Read the start type of the USBSTOR service once (4 = service disabled)
    valuestart = registry_readstring(HKEY_LOCAL_MACHINE,makepath('SYSTEM','CurrentControlSet','Services','USBSTOR'),'Start')
    if not valuestart:
        # Message: the registry value does not exist
        print(r"La key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Start n'existe pas")
        return "ERROR"
    if int(valuestart) != 4:
        # Message: Start is not 4, the current value is shown
        print("La valeur de Start n'est pas 4 , Start=%s " % valuestart)
        return "WARNING"
    # Message: Start is 4 as expected
    print(u"La valeur de Start est bien égale à 4")
    return "OK"

Hint

This example ascertains that USB storage is not allowed on the workstation.

The audit function returns one of these 3 values:

  • OK;
  • WARNING;
  • ERROR;

Attention

With the audit function, it is not possible to use files that are contained in the WAPT packages.

To use files embedded in the WAPT package for an audit, you must first copy the file(s) to a temporary folder during package installation.

Planning an audit

The audit tasks are launched once after every upgrade, then regularly as defined with the audit_schedule value.

The value is contained in the control file of your package.

By default, if audit_schedule is empty, the audit task will need to be launched manually or from the WAPT console.

Otherwise, the periodicity may be indicated in several ways:

  • An integer (in minutes);
  • An integer followed by a letter (m = minutes, h = hours , d = days , w = weeks);
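
The following Python example is added here for illustration and is not WAPT's own code. It parses the two audit_schedule forms listed above and decides whether an audit is due; the function names, and the rule that an audit is due once the period has elapsed since the last run, are assumptions.

```python
import re
from datetime import datetime, timedelta

# Unit letters listed on this page for audit_schedule, expressed in minutes.
UNIT_MINUTES = {"m": 1, "h": 60, "d": 24 * 60, "w": 7 * 24 * 60}


def parse_audit_schedule(value):
    """Return the audit period as a timedelta, or None when the value is
    empty (audit only launched manually or from the WAPT console)."""
    text = "" if value is None else str(value).strip()
    if not text:
        return None
    # Only the two forms described on this page are accepted:
    # an integer (minutes) or an integer followed by m, h, d or w.
    match = re.fullmatch(r"(\d+)([mhdw]?)", text)
    if not match:
        raise ValueError("invalid audit_schedule: %r" % (value,))
    count, unit = int(match.group(1)), match.group(2) or "m"
    return timedelta(minutes=count * UNIT_MINUTES[unit])


def audit_is_due(schedule, last_audit_iso, now, force=False):
    """Assumed rule (hypothetical, not taken from WAPT's code): an audit is
    due when it has never run or when the period has elapsed since the last
    run. force=True models 'wapt-get audit -f'."""
    if force or last_audit_iso is None:
        return True
    period = parse_audit_schedule(schedule)
    if period is None:
        return False
    return now - datetime.fromisoformat(last_audit_iso) >= period


if __name__ == "__main__":
    # Constructed sample: timestamp in the format shown in the audit output.
    last = "2018-09-25T11:20:58.426000"
    now = datetime(2018, 9, 25, 12, 0, 0)
    for schedule in ("", "30", "2h", "1d", "1w"):
        print(repr(schedule), audit_is_due(schedule, last, now))
```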

Default behavior of the audit function

By default, the audit function only checks for the presence of the UninstallKey of its WAPT package.

This way, WAPT ascertains that the software is still present on the host, according to the host configuration.