Services audit analysis

system · June 6, 2009, 12:42am

(imported topic written by SystemAdmin)

I would like to analyze both the state and startup type for the known services on a Windows server. I know that this can be done with individual properties per service:

if ((start type of it) of service “A” = “auto”) and ((state of it) of service “A” = “Running”) then “Good” else “Bad”

Would also like to audit the current services on a Windows server against a pre-defined list of services. For example:

Server1 is has services A, B, C, and D

Server2 is has services A, B, C, and E

The pre-defined list of services that should be on the box is (A, B, C and F). It sure seems like this can be done, but struggling with how to write the relevance. Help!

Noah · June 6, 2009, 12:56am

(imported comment written by NoahSalzman)

Do you mean something like:

if exists service “A” and exists service “B” and exists service “C” and exists service “F” then “ABCF are there” else “one of them is missing”

Noah

system · June 6, 2009, 1:05am

(imported comment written by SystemAdmin)

I was thinking more along the lines of this logic:

Each branch of the company has Server1. Server1 was configured with services (A,B,C and F).

Server 1 at the Seattle branch has services (A, B, C and D), which means that ‘D’ was added and ‘F’ was removed.

I am thinking of relevance that would evaluate the “existing services” against a “defined array of original/planned services”.

Noah · June 6, 2009, 1:28am

(imported comment written by NoahSalzman)

This logic will tell you the subset of services that match a desired list. Once you have a list of “items that matched” it is not too much trouble to determine the items that are missing from the desired list.

Q: (display names of services) whose (exists (it, (“BES Client”; “DHCP Client”; “foo”)) whose (item 0 of it is item 1 of it))

A: BES Client

A: DHCP Client

Also, are you asking how to remove the desired list from being hard-coded in the Relevance?

system · June 6, 2009, 1:44am

(imported comment written by SystemAdmin)

no, I would actually like the desired list to remain in the relevance, so that we can update the desired list right in the analysis when we do happen to add/subtract a service from the baseline configuration.

system · June 6, 2009, 2:02am

(imported comment written by SystemAdmin)

Noah - you rock! You are certainly on the right track!

I would like to have the logic such that:

If the only services running on the box are “BES Client”, “DHCP Client”, that “foo” would be my resultant output of the relevance.

system · June 6, 2009, 2:15am

(imported comment written by SystemAdmin)

Got it:

Q: (“BES Client”; “DHCP Client”; “foo”) whose (not exists (it, (display names of services)) whose (item 0 of it is item 1 of it))

A: foo

Noah · June 6, 2009, 2:28am

(imported comment written by NoahSalzman)

Nice! Just for completeness, here is another way:

Q: elements of (set of (“BES Client”; “DHCP Client”; “foo”) - set of (display names of services))

A: foo

I would have mentioned that at the start but I only learned that set manipulation just now.

system · June 6, 2009, 3:15am

(imported comment written by SystemAdmin)

I need a DIFF of the two, rather than a subtraction. Any service that doesn’t match the list on either side of the equation should report out.

By the way, I love the “set manipulation” much more than the other logic!

Noah · June 8, 2009, 9:59pm

(imported comment written by NoahSalzman)

We can produce two set comparisons and then combine them.

This gives you the services missing from the approved list:

elements of (set of () - set of ())

This gives you the services currently on the machine that are not in the approved list:

elements of (set of () - set of ())

Then find the union of both sets with:

elements of (

(set of () - set of ())

)

Seems like there should be shorter way to write that… but it will work.

system · June 6, 2009, 7:59am

(imported comment written by jessewk)

If you have the Inventory and License site (I believe that’s where it lives), the Service Baseline Wizard will generate the relevance and remediation action for you.

Incidentally… that’s the first wizard I ever wrote

system · June 9, 2009, 12:46am

(imported comment written by SystemAdmin)

I see in the CHM that a “union of” relevance exists… any chance it could be used here?

system · June 9, 2009, 2:44am

(imported comment written by SystemAdmin)

q: elements of union of (set of (“foo”; “BESClient”; “bar”); set of (service names of services)) - elements of set of (service names of services)

E: A singular expression is required.

What is wrong?

system · June 9, 2009, 5:07am

(imported comment written by jessewk)

you can only subtract sets, where as right now you are doing: - elements of

Also, depending where you place parenthesis you will get various answers to the query above (after removing the ‘elements of’ bit). I’m not sure exactly the answer you’re looking for, but make sure you are specific with your parentheses.