Wednesday, October 28, 2009

Microsoft Event Viewer meets Unix shell tools

Part of the core of the Unix tool philosophy is to use small, single-purpose tools that both read and write plain text. These tools can then be chained together, massaging the text along the way.

Recently, I was tasked with retiring an aging Windows Server 2003 machine. As part of that process, I wanted to find out which users were using the printer shares on it.
Printer logging had been activated, and a typical printing event appeared in this format:
9/4/2009 9:26:03 AM Print Information None 10 DOMAIN\username SERVERNAME Document 56, Microsoft Word - Document10 owned by username was printed on PRINTERNAME via port IP_192.1.3.212. Size in bytes: 108824; pages printed: 5

My goal was output like the following, sorted by PRINTERNAME and then by username; of course, the printing events were scattered among all the other Windows events.

9/4/2009 9:26:03 Print DOMAIN\username PRINTERNAME

After exporting the log to text, copying it to a Linux machine, and doing some research, I came up with the following:

#!/bin/sh
# $1 is the exported event log (plain text)

# Pull out references to printer events
grep 'Print.*Information' "$1" > temp.txt

# Chop off everything after the printer name, pull out the desired fields with awk, and then sort.
# "read -r" keeps the backslash in DOMAIN\username; without -r, read would swallow it.
while IFS= read -r line
do
    output=`expr "$line" : '\(.*printed on [a-zA-Z0-9_-]*\)'`
    echo "$output" | awk '{print $1, $2, $4, $8, $NF }'
done < temp.txt | sort -k5,5 -k4,4

Well, it did the job, but I was later inspired to use sed while reading "Classic Shell Scripting" by Arnold Robbins & Nelson H.F. Beebe.

grep 'Print.*Information' "$1" | sed 's/ via port.*//' | awk '{print $1,$2,$4,$8,$NF}' | sort -k5,5 -k4,4

Not surprisingly, the execution time for the first script (which forks expr and awk for every line) is:

real 0m5.531s
user 0m1.836s
sys 0m3.180s

Versus the second:

real 0m1.271s
user 0m0.124s
sys 0m0.008s
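The pipeline above, as an added example that is not part of the original post: the sed version is wrapped in a function, a second function rolls the result up into a per-printer, per-user job count (which is the question actually being asked when retiring a print server), and both run over a constructed log sample. The sample's user names, printer names and RFC 5737 addresses are made up, and one line is a non-print System event that the grep must skip. LC_ALL=C is added so the sort order does not depend on the machine's locale.

```sh
#!/bin/sh
# Added example, not from the original post: the final grep|sed|awk|sort pipeline
# as a function, plus a per-printer/per-user count, run over a constructed sample.

# Constructed sample of a text export of the System log (made-up users, printers
# and RFC 5737 addresses). The "Service Control Manager" line is there to show
# that the grep only picks up the Print source events.
SAMPLE_LOG='9/4/2009 9:26:03 AM Print Information None 10 DOMAIN\alice SERVERNAME Document 56, Microsoft Word - Document10 owned by alice was printed on HP_LJ4 via port IP_192.0.2.10. Size in bytes: 108824; pages printed: 5
9/4/2009 9:30:11 AM Service Control Manager Information None 7036 N/A SERVERNAME The Print Spooler service entered the running state.
9/4/2009 9:31:45 AM Print Information None 10 DOMAIN\bob SERVERNAME Document 57, notes.txt owned by bob was printed on COLOR_MFP via port IP_192.0.2.11. Size in bytes: 2048; pages printed: 1
9/4/2009 9:40:02 AM Print Information None 10 DOMAIN\alice SERVERNAME Document 58, report.pdf owned by alice was printed on COLOR_MFP via port IP_192.0.2.11. Size in bytes: 50000; pages printed: 3
9/4/2009 9:52:17 AM Print Information None 10 DOMAIN\alice SERVERNAME Document 59, budget.xls owned by alice was printed on COLOR_MFP via port IP_192.0.2.11. Size in bytes: 9100; pages printed: 2'

# print_report: stdin = exported log, stdout = "date time Print user printer",
# sorted by printer (field 5) and then user (field 4). Cutting the line at
# " via port" leaves the printer name as the last field ($NF).
print_report() {
    grep 'Print.*Information' \
        | sed 's/ via port.*//' \
        | awk '{ print $1, $2, $4, $8, $NF }' \
        | LC_ALL=C sort -k5,5 -k4,4
}

# print_summary: stdin = exported log, stdout = "count printer user", one line
# per printer/user pair, sorted by printer and then user.
print_summary() {
    print_report \
        | awk '{ n[$5 " " $4]++ } END { for (k in n) print n[k], k }' \
        | LC_ALL=C sort -k2,2 -k3,3
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | print_report
echo '---'
printf '%s\n' "$SAMPLE_LOG" | print_summary
```

With a real export, replace the printf with `print_report < exported-log.txt`. The one thing to watch is the field layout: the awk field numbers assume the "date time AM/PM Source Type Category EventID User Computer ..." order of the Event Viewer text export, so a different export format (or a tab-separated one) needs the field numbers adjusted.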

Saturday, August 8, 2009

An obsession with text

In a computing age of ever-increasing abstractions and bloated proprietary file formats, I seem to find myself drawn quite frequently to text-based file formats and command-line interfaces. Maybe it's a sign of my age. Maybe I mistrust things unless I fully understand what is going on.

At any rate, I re-discovered the MoinMoin wiki engine as a means of keeping myself organized and documented at work. It's Python-based (which I like) and keeps its pages as plain text in the filesystem (which I also like). I dabbled a little with reStructuredText (part of Python's docutils), and while it may have its uses for a final document, for example software manuals, I find the wiki concept more practical for quickly organizing projects in a free-flowing manner.

I have also used todo.sh (http://ginatrapani.github.com/todo.txt-cli/) to manage a text-based todo list for quite a while now.

Wednesday, March 11, 2009

Only leaders can change the system

First, off topic: I recently started reading "Blog Schmog" by Robert W. Bly. Ho hum, maybe this blogging business isn't so great after all!

Back on topic: a former CEO at my place of employment was fond of saying "Most problems are system problems", and then eventually following that with "Only leaders can change the system". Turning this idea to digital security, how does an IT person positively effect change, especially if he is not endowed with a strong mandate from C-level management?

Three ideas that I have gleaned along the way are these (I'm being extremely lazy here and only crediting the person; I should have a hyperlink to the document... Blog Schmog, I guess you are right!):

First: Marcus Ranum argued that fear as a motivator is unethical, and that the security pro should try to get security incorporated at the very beginning of projects.

Second: Richard Bejtlich suggested that we have our mechanisms in place (i.e. forensic-friendly) so that when the digital train wreck occurs, we can step in and give the reassuring words "We can help".

Third: Unfortunately, I can't remember the source, but this expert actually prescribed a good dose of fear, especially in these lean economic times. His view was that idealistic views would not go far given the economic climate.

For myself, I seem to be having trouble with all of the above, except maybe the second.

Saturday, January 10, 2009

*NIX distribution thoughts

Since I listed Free and Open Source software among my interests, I thought I would summarize some of my beginnings with different distributions. There really is little point in overly dogmatic flame wars about which distro is the "best". When I use the term distro, I am also including all the other wonderful free Unix-like OSes available, including the BSDs, etc. My advice is to start somewhere, learn all you can, then tailor your choice (choice being one of the prime benefits of the FOSS movement) to reflect your own priorities and goals in computing.

My personal priorities have always been somewhat along these lines:
  • Stability -- I can't stand crashing software, especially the proprietary, closed-source type.
  • Security -- This includes ease of security updates and patches, especially since I have, for one reason or another, been stuck with dial-up Internet access far too often in my life. I have always considered that if I am going to recommend the use of a FOSS OS at my place of employment, ease of security updates will take a high priority. Ironically, I have been mentally holding FOSS to a higher standard, since the existing proprietary OSes already in use at my place of employment are "in the lax" in the updating department.
  • Simplicity -- A reliance on text-based configuration and not too much "automagical" stuff going on. Eye candy is nice, but I'm not sure it's worth it.
  • A sane, dependable choice for a business application or other meaningful work. By this I don't necessarily mean one of the big supported players in the spirit of Red Hat or Novell.
My first Linux installations were Slackware 3.6 back in 1999 (I don't remember now why I picked Slackware). This turned out to be a good learning experience, and I still have a profound respect for Slackware's KISS principles. I used Slackware successfully to run a PHP/MySQL auction (real-time, live) system for a fundraiser sometime back in '03 or '04. Excellent performance and stability on modest hardware.

I also dabbled with Red Hat (pre-Fedora days), actually using it at work for routing and a file server, again on very modest hardware. I also used the Freesco routing distro in various roles.

Debian Stable is currently my most-used distro, and it pretty much allows me to meet the goals stated above. Secure-Apt is now standard and addresses some of the issues with downloading software from the Internet; for example, how do you know that what you are downloading hasn't been trojaned? It's also handy for updating machines not connected to a broadband connection: just copy the .deb packages (previously downloaded via apt) to /var/cache/apt/archives on the target machine, and away you go.
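The offline procedure above works because Secure-Apt's trust chain travels with the packages: the signed Release file vouches for the Packages index, and the index's SHA256 field vouches for each .deb, so apt compares a hand-copied file's hash with the index before installing it just as it does for a downloaded one. As an added example (not from this post, and not Debian's own tooling), the following sh functions perform that last comparison by hand, which is useful for vetting a sneakernetted .deb on a machine with no network at all. The function names, the "hello" package, the Packages stanzas and the tampered copy are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the post: check a hand-copied .deb against the SHA256
# recorded for it in the repository's Packages index. Function names and all
# data below are constructed for the demonstration.

# expected_sha256 PACKAGES_FILE DEB_BASENAME: print the SHA256 the index lists
# for the stanza whose Filename ends in DEB_BASENAME (prints nothing if absent).
# Stanzas are blank-line separated and Filename precedes the checksum fields.
expected_sha256() {
    awk -v want="$2" '
        /^Filename:/ { n = split($2, p, "/"); hit = (p[n] == want) }
        /^SHA256:/   { if (hit) { print $2; exit } }
        /^$/         { hit = 0 }
    ' "$1"
}

# verify_deb PACKAGES_FILE DEB_PATH: return 0 when the file hashes to the
# indexed value, 1 when it differs or is not listed in the index at all.
verify_deb() {
    name=$(basename "$2")
    want=$(expected_sha256 "$1" "$name")
    if [ -z "$want" ]; then
        echo "UNKNOWN  $name: not listed in $1" >&2
        return 1
    fi
    have=$(sha256sum "$2" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "OK       $name"
        return 0
    fi
    echo "MISMATCH $name: index says $want, file is $have" >&2
    return 1
}

# --- constructed demonstration data (not a real package or index) ---
demo=$(mktemp -d)          # left in place so the files can be inspected afterwards
deb="$demo/hello_1.0-1_all.deb"
printf 'constructed bytes standing in for a package\n' > "$deb"
good=$(sha256sum "$deb" | awk '{ print $1 }')
cat > "$demo/Packages" <<EOF
Package: hello
Version: 1.0-1
Architecture: all
Filename: pool/main/h/hello/hello_1.0-1_all.deb
Size: $(wc -c < "$deb" | tr -d ' ')
SHA256: $good

Package: other
Version: 2.0-1
Architecture: all
Filename: pool/main/o/other/other_2.0-1_all.deb
Size: 1
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
EOF

# A copy with the same file name but one extra byte, as a corrupted or
# substituted download would look.
mkdir "$demo/tampered"
cp "$deb" "$demo/tampered/hello_1.0-1_all.deb"
printf 'x' >> "$demo/tampered/hello_1.0-1_all.deb"

verify_deb "$demo/Packages" "$deb"                                          # OK
verify_deb "$demo/Packages" "$demo/tampered/hello_1.0-1_all.deb" \
    || echo "tampered copy rejected, as expected"                           # MISMATCH
```

Against a real mirror you would point the first argument at the Packages file for the suite and component the .deb came from (the one whose Release file you have already checked), and the second at the file you copied into /var/cache/apt/archives. The check only tells you that the file is the one the index describes; whether the index itself is trustworthy is what the signed Release file is for.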

I have dabbled in FreeBSD and will continue, although I have found it difficult to keep updated (third-party ports). Portaudit is a very handy utility for checking your currently installed ports for vulnerabilities. The core system is actually easy to update, even on dial-up. You have the choice of binary updates via freebsd-update or CVS with direct compilation. The compilation of the kernel and userland I have found to be very straightforward and, for lack of a better word, "awesome". I have found the structure of FreeBSD to be very organized and "sane"; for example, all third-party ports and configs are placed in /usr/local. A FreeBSD-based server is probably easier to update with regard to ports than a GUI-heavy workstation. As an example, Firefox seems to require constant updating (goes with the turf in being a browser and all), but with all the dependencies, etc., constant recompilation grows painful fast. With dial-up it becomes almost unthinkable. Currently, at my place of employment, I am using a FreeBSD-based machine as a Network Security Monitor in the spirit of http://www.taosecurity.com/ . As an aside, and giving credit, Mr. Bejtlich's (of taosecurity) books and ideas are very worthy reading.

Ubuntu has been receiving a lot of attention lately, but I haven't had the time to explore it much. My thinking is: Ubuntu is based on Debian, so why not just go to the "pure root"? Also, the Universe package repository, if I understand correctly, does not receive proper security and bug updates. Ubuntu is also dependent upon Canonical, whereas Debian is community-based.

Recently, I noticed the Minix project has been resurrected and has some interesting ideas. Plan 9 also has some interesting concepts. Probably too much to explore in my lifetime/intellect, but again, it's wonderful to have a choice. These choices also make the options for learning about computing much greater. I hope to contribute to FOSS in the best way I can.

Reading over this post, I realize my writing skills, if I ever had any, are rusty. Perhaps this blog will turn out to be one way of polishing them.

Starting Post

I'm not sure how much I'll post here. My interests tend toward open source and free software subjects, science, ecology, and sustainable stewardship of the earth's resources. My current day job title is "Network Administrator" at a small rural critical access hospital.