Fact finding reports are a quick and useful way to analyze specific details of your systems, presenting only the required information in a simple, easy-to-read report format. They can be used to support day-to-day operations, vulnerability reporting, and audit-ready reports. Auditor Professional comes with hundreds of predefined fact finding reports, but users can also define their own based on their needs.
Generating a Fact Finding Report
1. Choose Reports>Fact-Finding Report.
2. If necessary, expand the tree in the left pane to locate the category containing the report you wish to run.
3. Select the report in the right pane.
4. Click the Next button.
5. A decision needs to be made on what time frame this report will be referenced from. Fact Finding Reports (FFR from here on) can be generated by using three different time ranges.
- Relative Time Range - A range that can be set to go back for a specific amount of time from the present date. The report will then display data accumulated from collections stated in the criteria.
- Exact Time Range - A range where the user selects a beginning date and an end date. The report will then display data accumulated from collections stated in the criteria.
- Select Dataset - Selecting from only one collection time. The user will have to browse to a collection that has already been performed.
6. Click Generate.
7. Click OK to accept the default location where the report will be stored or select a different location.
8. When the report is finished, click View to browse the report.
9. Click Close to exit FFR.
Creating a Fact Finding Report
To create a new report definition:
1. Choose Edit>Fact-Finding Report Definitions
2. If necessary, expand the tree in the left pane to locate the category containing the report.
3. To create a new folder within the Fact-Finding category, right-click in the left-hand pane and select New.
4. Enter the name of the new folder. (For example, type in Custom)
5. Highlight a folder in the left hand pane that you want the new FFR to reside in.
6. Click the New... button.
- Note: There are two options to use. Create a new report or create a copy of an existing report and then make modifications to the copy. It may be easier to start with a copy and make modifications to that report. In the example below, it will be done using a New report.
7. Enter the name that you want this report to be called in the Report Title window. (Custom Report has been added in the example below)
8. Use the uppermost set of tabs to select the area of the report:
- OS includes Windows, Unix, and Novell NetWare operating systems.
- DB includes Oracle, MS-SQL and DB2 databases.
- Web includes Internet Information Services (IIS).
- Messaging includes Exchange and Domino systems.
- Network includes Citrix and Cisco routers and L3 switches.
- Directory Services includes Active Directory (AD).
- Cross Platform are reports which contain attributes from more than one module.
9. Use the left-hand pane to navigate to, expand, and select the general information you wish to include.
10. Once populated, use the center pane to select the settings to include.
11. In the example below, we walk through the steps of creating a FFR that will show passwords greater than 30 days old.
12. Expand the + symbol next to Servers.
13. Under Table Name, enter a name for the table (Passwords over 30 days was used here).
14. Under Servers/Users + Groups (0/59), you will see 59 items in the right-hand pane. Double-click on the setting that you want to place in the table. (Once this is done, two things happen: the status of the table changes from No output attributes! to Modified, and Users + Groups (0/59) changes to Users + Groups (1/59). This indicates that 1 of the 59 settings is now being used in the table below.)
15. Select User Name from the same settings list.
16. In order to know which servers have users with passwords over 30 days, the Server Name needs to be added to the table. Highlight Servers (0/36), find Server Name in the window on the right, and double-click on it.
17. Check the box Most Recent.
- Note: By checking the box Most Recent, Auditor will only list the latest value found in collections. For example, if a collection was run on Monday and it stated the password for UserX was 40 days old, and another collection was done on Friday, the password for UserX would now be 44 days old (assuming it has not been changed). If a report on password age covers a time range that includes both collections and the Most Recent box was NOT checked, the report would list UserX twice: one entry stating the password was 40 days old and another entry stating it was 44 days old. In a case like this, one is only concerned with the most recent age of the password.
18. To see what this report looks like, click on the Generate button (keep the default settings of Relative Time Range 20 weeks).
19. Click OK.
20. Click View when prompted. This report should list the age of all passwords, with the user name and server name.
21. Minimize this window to be viewed later for comparisons.
22. Back in the FFR Definitions Editor, click on Edit in Report Properties.
23. Under the column User Password Age in Days, double click on … in the row labeled Criteria.
24. Select >= as the operation to use and type in 30 for the value.
25. Click OK.
26. Click Save.
27. Click Generate.
28. Click OK.
29. Click View.
30. Compare this view to the previous view. Any users that had passwords less than 30 days old will not show up in the new view. See an example below.
31. Change the layout of this report: put the Server Name in the first column (sorted by server name), the User Name in the second column, and password length in the last column.
32. Back in the FFR Definition Editor, click on Edit (the table) under Report properties.
33. Change the Output Column for User Password Age in Days to 3.
34. Change the Output Column for Server Name to 1.
35. Change the Sort for Server Name to Ascend.
36. Click Save.
37. Click Generate.
38. Click Ok.
39. Click View.
40. Back in the FFR Definition Editor, click on Edit (the table) under Report properties.
41. Change the Sort value to Merge and Ascend.
42. Click Save.
43. Click Generate.
44. Click OK.
45. Click View.
46. The Server Name column has been merged to allow for easier viewing of settings in the table.
47. Back in the FFR Definition Editor, double click on Installed App Name found under Server/Software/Applications to add this setting to the table.
48. Click on Edit (the table) under Report properties.
49. The Installed App Name should not have been added and now must be removed. Right mouse click on the Windows for the column that contains Installed App Name and select Remove. This column is now removed.
50. Click on Save.
51. Back in the FFR Definition Editor, right click on Edit in Report properties and select New. This will add a new table to the FFR.
52. Enter a name for the new table and add a description.
53. Add Server Name, CPU Speed and BIOS version to the new table.
54. Click Save.
55. Click Generate.
56. Click OK.
57. Click View.
- Note: You have now created one report that has two tables, one table containing user accounts with passwords greater than thirty days and a second table containing servers with CPU Speed and System Bios Versions.
58. Back in the FFR Definition Editor, click on Edit (the table) under Report properties.
59. Click on View SQL.
60. Auditor creates SQL scripts when creating tables within FFR. Experienced programmers can either copy the script for use outside of Auditor or modify the script to allow more freedom than Auditor provides with the current tools.
Warning: Manually editing the SQL script affects Auditor's ability to read the script, and the user will no longer be able to add items to the table via the normal method of double-clicking on a setting and placing it in the table.
61. Click Cancel.
62. Click Close.
63. Click Finish.
Tips:
The SQL wildcard is the percent sign % (for letters and numbers).
Reports are cleaner if attributes and their labels, such as system and an attribute, are pulled from the same area of the tree.
To put related attributes in a single row and reference the same or like parent object (such as computer name pulled from the various areas of the tree), map like attributes to the same display column. For example, in creating a cross-platform report, Unix host name, Windows computer name, and Exchange server name could all be mapped to the first or second column to keep the report reasonably concise.
In Windows, notice that domain and server name attributes are often concatenated as domain/server. Use a wildcard (%) if you do not wish to specify both, such as %server1.
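The Most Recent note in step 17 and the % wildcard tip above can be reproduced outside the product; the sketch below is an added example, not Auditor's generated SQL or schema. The table and column names are hypothetical, the data is constructed, and selecting the latest collection before applying the criteria is an assumption of this sketch. It also goes one case beyond the page's UserX example: UserY changes the password between the two collections.

```python
import sqlite3

# Constructed sample collections: (collected_on, server, user_name, age_days).
# Table and column names are hypothetical, not Auditor's schema.
ROWS = [
    ("2024-03-04", "CORP/server1", "UserX", 40),  # Monday collection
    ("2024-03-08", "CORP/server1", "UserX", 44),  # Friday collection
    ("2024-03-04", "CORP/server1", "UserY", 45),
    ("2024-03-08", "CORP/server1", "UserY", 1),   # password changed mid-week
    ("2024-03-08", "LAB/server2", "UserZ", 95),
]

ALL_COLLECTIONS = """
SELECT server, user_name, age_days FROM password_age
WHERE age_days >= ? AND server LIKE ?
ORDER BY server, user_name, collected_on"""

# Keep only each account's latest collection, then apply the criteria.
MOST_RECENT = """
SELECT p.server, p.user_name, p.age_days FROM password_age AS p
WHERE p.collected_on = (SELECT MAX(q.collected_on) FROM password_age AS q
                        WHERE q.server = p.server AND q.user_name = p.user_name)
  AND p.age_days >= ? AND p.server LIKE ?
ORDER BY p.server, p.user_name"""


def load(rows=ROWS):
    """Build an in-memory database holding the sample collections."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_age "
               "(collected_on TEXT, server TEXT, user_name TEXT, age_days INTEGER)")
    db.executemany("INSERT INTO password_age VALUES (?, ?, ?, ?)", rows)
    return db


def report(db, most_recent, min_age=30, server_like="%"):
    """Return (server, user, age) rows; values are bound, never concatenated."""
    sql = MOST_RECENT if most_recent else ALL_COLLECTIONS
    return db.execute(sql, (min_age, server_like)).fetchall()


if __name__ == "__main__":
    db = load()
    print("all collections:", report(db, most_recent=False))
    print("most recent:    ", report(db, most_recent=True))
    print("%server1 only:  ", report(db, True, server_like="%server1"))
```

In this sketch, leaving Most Recent off lists UserX twice and still lists UserY at 45 days even though that password has since been changed, so a password-age finding taken from the unfiltered view can be stale.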
Copying a Fact-Finding Definition
To copy a report definition to create a new report definition:
1. Choose Edit>Fact-Finding Report Definitions.
2. If necessary, expand the tree in the left pane to locate the category containing the report you wish to use.
3. In the right pane, select the report definition on which to base your new report definition.
4. Click Copy.
5. Select the copy and click Edit.
6. Follow the instructions in Creating a New Fact-Finding Report to make changes to this report.
Editing a Fact-Finding Report Definition
- Note: Report definitions included with the product cannot be deleted or edited. They can be copied and modified, but not changed and saved with the same name.
To edit a report definition:
1. Choose Edit>Fact-Finding Report Definitions.
2. If necessary, expand the tree in the left pane to locate the category containing the report.
3. Select the report in the right pane (default reports cannot be edited; select and click Copy first).
4. Click Edit.
Use the uppermost set of tabs to select the area of the report:
- OS includes Windows, Unix, and Novell NetWare operating systems.
- DB includes Oracle, MS-SQL and DB2 databases.
- Web includes Internet Information Services (IIS).
- Messaging includes Exchange and Domino systems.
- Network includes Citrix and Cisco routers and L3 switches.
- Directory Services includes Active Directory (AD).
- Cross Platform are reports which contain attributes from more than one module.
5. Use the left-hand pane to navigate to, expand, and select the general information you wish to include.
6. Once populated, use the center pane to select the settings to include.
7. Click Edit in the table if the report already contains a table
OR
click the New Table button to begin defining a table.
OR
click the Edit Table button to begin editing the selected table.
Tip: Fact-Finding Reports are formatted as a series of tables containing the results of the queries you define in this dialog box. You can choose to present only one attribute per table or to group related settings in one table.
8. Enter a table name and description (double-click in the cell to edit).
9. Select an attribute from the center pane and drag it to the table name below, releasing the mouse when the plus sign appears.
10. Repeat with any additional attributes you wish to include in the same table.
11. Click on the Edit button to the left of the table name.
12. For each attribute you added, there is a column in the table. If you wish to Sort the results, use the drop-down to select Ascending or Descending.
13. If you wish to change the column order for the report, double-click in the cell for Output Column under each and enter the number for the column order (1 = first column, 2 = second and so on).
14. If you wish to filter data based on criteria (such as password age is more than 15 days), double-click in the cell for Criteria in the column for the attribute.
15. Use the drop-down to select the appropriate operator (see operator explanations).
16. Enter the value for your filter. For example, if you choose a numeric operator, like greater than, you might enter a number; if you choose LIKE, you might enter a string value, etc.
Tip: To use operators requiring two values, such as BETWEEN and NOT BETWEEN, use the Add button after entering the first value, then enter the second and click Add again. The Mod(ify) and Del(ete) buttons also apply to the current selection in the value box / drop-down.
17. Click OK.
18. If you wish to create a compound filter (two criteria), click on the ellipsis button under Criteria and use the drop-down to select the appropriate operator (AND, OR, or NOT), then repeat steps 15-18.
Tip: Add values in the new row under the attributes you want to further filter. Operators in the same row automatically take the AND operator. Each OR statement must be in an additional separate row.
19. Click in the checkbox to enable the Distinct option to return only unique (vs duplicate) records.
20. If you would like to see the underlying SQL query, click View SQL button.
21. If you would like to modify the underlying SQL query, click Edit SQL button.
22. Click Save.
23. Verify or change the Report title.
24. Click the Logo button to change the image/logo appearing on the report.
- Note: The image should not exceed 80 pixels high.
25. In the Report Criteria area click in the radio button for the data range:
Relative Time Range - includes data from the last n hour, day, week, month, or year you choose in the drop-down lists;
Exact Time Range - includes data from a time span you specify in the drop-downs;
Select Dataset - includes data from a single collection / data set entered or located using the Browse... button;
Most Recent - includes the most current data available in the database;
26. Click Save to preserve your query.
27. Click Generate to run your query now (once generated, the View button is available for checking the last results).
28. Click Finish to close the box.
29. Select the report you just created (or any other available report) and click Generate to get your report.
Tips:
The SQL wildcard is the percent sign % (for letters and numbers).
Reports are cleaner if attributes and their labels, such as system and an attribute, are pulled from the same area of the tree.
To put related attributes in a single row and reference the same or like parent object (such as computer name pulled from the various areas of the tree), map like attributes to the same display column. For example, in creating a cross-platform report, Unix host name, Windows computer name, and Exchange server name could all be mapped to the first or second column to keep the report reasonably concise.
In Windows, notice that domain and server name attributes are often concatenated as domain/server. Use a wildcard (%) if you do not wish to specify both, such as %server1.
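The criteria rules from steps 14 to 19 (criteria in the same row are combined with AND, each additional row is an OR, BETWEEN takes two values, Distinct drops duplicate records) can be written out as a query builder. This is an added illustration of those rules, not Auditor's SQL generator; the table, the column names and the operator list are hypothetical and the records are constructed.

```python
import sqlite3

# Operators in this sketch mapped to how many values each one needs.
OPERATORS = {"=": 1, ">=": 1, "<=": 1, ">": 1, "<": 1,
             "LIKE": 1, "BETWEEN": 2, "NOT BETWEEN": 2}
COLUMNS = {"server", "user_name", "age_days"}  # hypothetical attribute columns

# Constructed sample records: (server, user_name, age_days).
SAMPLE = [
    ("CORP/server1", "UserX", 44),
    ("CORP/server1", "UserX", 44),      # duplicate, collapsed by DISTINCT
    ("CORP/server1", "UserY", 16),
    ("LAB/server2", "UserZ", 95),
    ("LAB/server2", "svc_backup", 20),
]

def build_where(grid):
    """grid is a list of rows; each row is a list of (column, operator, values)."""
    or_parts, params = [], []
    for row in grid:
        and_parts = []
        for column, op, values in row:
            # Only allow-listed names reach the SQL text; values are bound.
            if column not in COLUMNS or OPERATORS.get(op) != len(values):
                raise ValueError(f"bad criterion: {column!r} {op!r} {values!r}")
            marks = " AND ".join("?" * len(values))   # "?" or "? AND ?"
            and_parts.append(f"{column} {op} {marks}")
            params.extend(values)
        if and_parts:
            or_parts.append("(" + " AND ".join(and_parts) + ")")
    return " OR ".join(or_parts) or "1=1", params

def run(grid, rows=SAMPLE, distinct=True):
    """Apply the criteria grid to the sample records and return the rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (server TEXT, user_name TEXT, age_days INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", rows)
    where, params = build_where(grid)
    select = "SELECT DISTINCT" if distinct else "SELECT"
    sql = (f"{select} server, user_name, age_days FROM accounts "
           f"WHERE {where} ORDER BY server, user_name")
    return db.execute(sql, params).fetchall()

# Row 1: server LIKE %server1 AND age >= 30.  Row 2 (OR): age BETWEEN 15 AND 25.
GRID = [[("server", "LIKE", ["%server1"]), ("age_days", ">=", [30])],
        [("age_days", "BETWEEN", [15, 25])]]

if __name__ == "__main__":
    print(build_where(GRID)[0], run(GRID), sep="\n")
```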