SANS ISC: Critical Control 2 - Inventory of Authorized and Unauthorized Software

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

From a support point of view, when someone calls the Helpdesk with a "there's something going on with my pc" question, very early in the process you'll want to know what is installed on that computer, and then what versions of each installed application.  It's also handy to know *when* things were installed - if things just started to go wrong, knowing what was just installed is a must-know.  Of course, the person making the call will always say "I didn't install anything", but once you have that list, the hasty "oh, except for that" is generally quickly forthcoming.

So a software inventory is useful for support, but why is it second on the Security Critical Controls list?  Well, if one of  your users has rights to install their own software, they will.  As time goes by is it likely that they'll install patches and updates?  What about version updates?  Did they pay for that app at all?  This highlights the big gaping hole in the "I'll admin my own machine" end-user argument.  6 months after they are given rights to administer their own computer,  their software will be 6 months out of date, and the machine will have 6 months worth of security vulnerabilities on it (and most likely the exploits to match them).  Not a good thing to plug back into the head office LAN.

So, in a Windows environment, how can you easily get a listing of installed software?  Luckily, you can script all this stuff, and better yet, script it to run daily, from a central location, and store the results centrally.

Note, all the script examples are pretty much lifted from a semi-recent GIAC Gold Paper of mine ( http://www.sans.org/reading_room/whitepapers/auditing/admins-documentation-hackers-pentest_33303 ).  I won't put it forth as the be-all and end-all reference for this (I didn't invent any of this stuff), but it was a handy place for me to go to for these stuff, since it's all in one place.  Another great place to go for LOTS of information on scripting is the Command Line Kung Fu site, at http://blog.commandlinekungfu.com/

We'll use WMIC (Windows Management Interface Command Line) for the Windows software inventory.  No surprise there - years ago, I would have used VBS files (and I still keep them around, just in case), but these days WMIC is just too easy for this type of reporting.  What you'll also find is that many of the fancy-dancy, for-sale-for-real-dollars inventory applications out there are simply a collection of WMI calls with a tuxedo on (a cool menu and pretty reports) - so you can save yourself some budget dollars and run these reports yourself, using your knowledge of your environment and a little bit of script development time.

To get all installed software in a Windows Domain or subnet range,  you'll only need a few commands:
 

For all of these commands, we'll tack on a formating option to pretty up the output, presenting the report in an HTML table:
/format:htable

Now, we have the bare bones of a script.  Let's put it all together, in a short script we'll called inven.cmd (short for inventory)
inven will run all the associated reports, and drop them into a separate subdirectory named for each hostname being inventoried.  (note from the environment variables that I pulled this little script out of a much larger one).


=========== inven.cmd =========
 

set HOST=%1
set DIRNAME=%1
set UID=%2
set PWD=%3

md %DIRNAME%

wmic /output:%DIRNAME%\patches.htm /user:%UID% /password:%PWD% /node:%HOST% qfe list brief /format:htable
wmic /output:%DIRNAME%\os.htm /user:%UID% /password:%PWD% /node:%HOST% os list full /format:hform
wmic /output:%DIRNAME%\products.htm /user:%UID% /password:%PWD% /node:%HOST% product get vendor,name,version,installdate,packagecache,description,identifyingnumber /format:htable
wmic /output:%DIRNAME%\services.htm /user:%UID% /password:%PWD% /node:%HOST% service list /format:htable

=============

Wait, but I said we'd run that for the entire Windows AD Domain - how do we do that?

First, get a simple list of all computers in the domain - we'll use DSQUERY for that.  The easiest way to run this is from a Domain Controller.  Note that I'm using "cut" to only give me just the names of the computers in a list - you can get "cut" by installing Microsoft Services for Unix (SFU), or use GNUTILS like throwbacks like me (I'm still getting around to installing SFU everywhere I need it, whereas the GNU utilities are all self-contained exe's)

dsquery computer  -s DCname  -u domainname\administrator -p adminpassword -limit 10000  | cut -d "," -f1 | cut -d "=" -f2 >>hostlist.txt

(you could use "dsquery servers"  to inventory server class computers)

Now that we have inven.cmd and the list of hosts in hostlist.txt, let's combine them and get the full report, by creating DOMLOOP.CMD, which will contain a single line (Note that USERID and PASSWORD will need rights to login to the remote hosts and run the WMIC commands)

FOR /F %%G IN ( HOSTLIST.TXT ) DO CALL INVEN.CMD %%G USERID PASSWORD

Now, you say, what about malware?  Oddly enough, lots of the malware out there (many of the FAKE-AV packages for instance), actually use the Windows installer and register themselves.  You can any apps that *don't* register using variations on  "dir c:\*.exe /s", or, if you are looking for hidden and/or system files, you can use variants on "attrib c:\*.exe /s" (or whatever file type, not just exe's).

What's that, you have Linux stations and servers?  Even easier, there are only about a dozen ways to get the same info out of Linux.  I'll hit one method for each of the variants I normally see

============ Redhat ==============

For startup services (and when they are configured to start), use chkconfig –list

[robv@pt01 ~]$ chkconfig --list
NetworkManager     0:off    1:off    2:on    3:on    4:on    5:on    6:off
abrtd              0:off    1:off    2:off    3:on    4:off    5:on    6:off
acpid              0:off    1:off    2:on    3:on    4:on    5:on    6:off
atd                0:off    1:off    2:off    3:on    4:on    5:on    6:off
auditd             0:off    1:off    2:on    3:on    4:on    5:on    6:off
avahi-daemon       0:off    1:off    2:off    3:on    4:on    5:on    6:off
bluetooth          0:off    1:off    2:off    3:on    4:on    5:on    6:off
btseed             0:off    1:off    2:off    3:off    4:off    5:off    6:off
... and so on ...


to list all installed packages:
rpm -qa

libsepol-devel-2.0.41-3.fc13.i686
wpa_supplicant-0.6.8-9.fc13.i686
system-config-keyboard-1.3.1-1.fc12.i686
libbeagle-0.3.9-5.fc12.i686
m17n-db-kannada-1.5.5-4.fc13.noarch
pptp-1.7.2-9.fc13.i686
device-mapper-multipath-libs-0.4.9-14.fc13.i686
dracut-005-5.fc13.noarch
comps-extras-20-1.fc13.noarch
report-config-bugzilla-redhat-com-0.20-0.fc13.i686
PackageKit-gtk-module-0.6.6-2.fc13.i686
gsm-1.0.13-2.fc12.i686
perl-ExtUtils-ParseXS-2.20-121.fc13.i686
... (and so on)

for more information on a specific package, use rpm -qi

[robv@pt01 ~]$ rpm -qi python
Name        : python                       Relocations: (not relocatable)
Version     : 2.6.4                             Vendor: Fedora Project
Release     : 27.fc13                       Build Date: Fri 04 Jun 2010 02:22:55 PM EDT
Install Date: Sat 19 Mar 2011 08:21:36 PM EDT      Build Host: x86-02.phx2.fedoraproject.org
Group       : Development/Languages         Source RPM: python-2.6.4-27.fc13.src.rpm
Size        : 21238314                         License: Python
Signature   : RSA/SHA256, Fri 04 Jun 2010 02:36:33 PM EDT, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://www.python.org/
Summary     : An interpreted, interactive, object-oriented programming language
Description :
Python is an interpreted, interactive, object-oriented programming
language often compared to Tcl, Perl, Scheme or Java. Python includes
....
(and so on)


For more information, on all packages (perhaps too much), use rpm -qia



================ Debian, Ubuntu and the like ===================
To get a list of installed applications:

dpkg --get-selections
to get more information in the list:
dpkg -l

Name                                 Version                                         Description
====================================-===============================================-============================================
acpi-support                         0.136.1                                         scripts for handling many ACPI events
acpid                                1.0.10-5ubuntu2.1                               Advanced Configuration and Power Interface e
adduser                              3.112ubuntu1                                    add and remove users and groups
adium-theme-ubuntu                   0.1-0ubuntu1                                    Adium message style for Ubuntu
adobe-flash-properties-gtk           10.3.183.10-0lucid1                             GTK+ control panel for Adobe Flash Player pl
.... and so on ....

to get startups, I often just install chkconfig, and run it as on Redhat variants:
sudo apt-get install chkconfig
chkconfig --list

alternatively, sysv-rc-conf is an alternate package to do this (this will often also need an install)
sudo apt-get install sysv-rc-conf
sysv-rc-conf  --list

====================================================================================

Finally, we're interested in how you tackle the software inventory problem.  Please use our comment form - let us know of any cool tools you use, or post any scripts you may have written to help out !

===============

Rob VandenBrink
Metafore