I am doing the same thing, but what I have done is use a database. I have a table that logs all machines on the network during a scan.

last_ipaddress---computer_name---timestamp

A table that profiles the machine:

computer_name---os_version---service_pack---hotfixes_installed---hotfixes_not_installed

And a table that keeps track of hotfixes:

hotfix_id---hotfix_name---os---sp_level---hotfix_fingerprint

The fields hotfixes_installed, hotfixes_not_installed and hotfix_fingerprint contain XML data. I have found that XML is the best way to store variable-width data.

Then I have Perl scripts that get the data for these machines. The first script scans a range of IP addresses and gets the machine name of any connected machine. This updates the first table, slowly building a list of the machines on the network. The second script connects and uses the Tie::Registry module to build the second table defining the machines. The third script unpacks all the XML files, creating a list of files and registry keys to check for each OS and service pack. It then connects to each machine in the second table by name, grabs the fingerprint for that machine's OS and service pack, checks the registry keys and files, and returns what is installed and what is not.

I started with scripts just to hunt machines, but after some false positives and false negatives from the Microsoft-supplied scanner for MS03-039 I needed to make my own check on whether the files are installed. We have 14,000 machines to check, so I figured keeping a DB as a storage mechanism would be more efficient. I have the first two scripts running fine. The fingerprinting in the third script I am trying to make more efficient. But given the nature of our network and machines, I have found this to be the best layout for doing this. Some notes: to get the Tie::Registry information and the file attributes on fingerprinted files, the machine running the scripts has to be domain admin for the connected machines. I use this to flag machines that are not configured properly.

We tried Microsoft's Baseline Security Analyser and it just didn't do what we needed. So we are moving to this. It is my joyful work in progress. It started as a handful of individual scripts run by hand to check each of these things one by one against text lists of machines. The only problem I have with the design is that the fingerprint system needs an entry for each OS and an entry for each service pack, though I am going to add an SP field that is not just the SP number but 2=>, 3, 2<=. What has become good about this is that the database can be used to check other things against our network.

I don't see it as being easier, but it is the best model for our organisation. My scripts are barely working right now and I don't have it all automated to work on its own. I am trying to get it scheduled, doing different levels of checks on different days and times. My biggest gripe is getting my head around fork on Win32, and whether this should be one script or multiple scripts that can call each other.

Now, from your question, I would use database queries to output to the HTML page. I would separate the queries probably by OS, with a sub-category of service pack, and list fully patched machines, partially patched machines, and completely unpatched machines, with options to display the details further. But that is the benefit of using a database. Also, our large number of machines makes other storage formats impractical. While writing this I just realised that instead of unpacking the XML files and creating the fingerprint in memory, which is impractical, I could instead create the needed fingerprint file for each OS and service pack at the time a new hotfix file is added to the database.

My question is: how are you determining if the patch is installed? We started by just reading HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINNT\CURRENT_VERSION\HOTFIXES or HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINNT\UPDATES, but I was never sure if that would be complete enough. So we took versions and file sizes of the files in the updates as a check. I am wondering if there is an easy way of doing this. Is there something already out there I can use instead of having to fight with these scripts I am doing?


In reply to Re: Got's to be a better way by Ninthwave
in thread Got's to be a better way by ear
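As an added example (not Ninthwave's code, and not taken from the thread), the following Perl shows the decision logic the post describes: a hotfix is judged installed from the fingerprinted files' version and size rather than from the HotFix registry key alone, only fingerprints whose OS and sp_level match the machine are applied, and the sp_level field uses the "3", "2=>" and "2<=" grammar the post says it will add. Everything it runs against is constructed sample data embedded in the script (hotfix names, file names, versions, sizes, three fake machines); in the real setup these probe hashes would be filled by the collector that connects to each machine's registry and admin share, which this example does not do.

```perl
#!/usr/bin/perl
# Added example, not the poster's code: classify hotfixes as installed or
# not from a per-OS, per-SP fingerprint (file version + size, registry key
# recorded only as a hint), then roll results up per OS and service pack the
# way the suggested HTML report would. All data below is constructed.
use strict;
use warnings;

# Rows as they would come out of the hotfix table. Names, paths, versions
# and sizes are made up for the example and are not real hotfix data.
my @fingerprints = (
    { hotfix_name => 'KB0000001', os => 'Windows 2000', sp_level => '2=>',
      reg_key => 'KB0000001',
      files => [ { path => 'WINNT/system32/sample.dll',
                   version => '5.0.2195.6000', min_size => 80_000 } ] },
    { hotfix_name => 'KB0000002', os => 'Windows 2000', sp_level => '3',
      reg_key => 'KB0000002',
      files => [ { path => 'WINNT/system32/other.dll',
                   version => '5.0.2195.6100', min_size => 120_000 } ] },
);

# sp_level grammar from the post: "3" = exactly SP3, "2=>" = SP2 or later,
# "2<=" = SP2 or earlier.
sub sp_matches {
    my ($rule, $sp) = @_;
    return $sp >= $1 if $rule =~ /^(\d+)=>$/;
    return $sp <= $1 if $rule =~ /^(\d+)<=$/;
    return $sp == $rule;
}

# Dotted file versions compare field by field, never as strings:
# "5.0.2195.6100" is newer than "5.0.2195.999".
sub version_ge {
    my @x = split /\./, shift;
    my @y = split /\./, shift;
    for my $i (0 .. ($#x > $#y ? $#x : $#y)) {
        my $c = ($x[$i] || 0) <=> ($y[$i] || 0);
        return $c >= 0 if $c;
    }
    return 1;
}

# $probe is what the collector gathered from one machine: os, sp, the
# subkey names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix,
# and {version,size} for each fingerprinted file. The files decide; the
# key only tells you whether the installer claimed success.
sub check_machine {
    my ($probe, @fps) = @_;
    my (@installed, @missing);
    for my $fp (grep { $_->{os} eq $probe->{os}
                       && sp_matches($_->{sp_level}, $probe->{sp}) } @fps) {
        my $files_ok = 1;
        for my $f (@{ $fp->{files} }) {
            my $seen = $probe->{files}{ $f->{path} };
            $files_ok = 0 unless $seen
                && version_ge($seen->{version}, $f->{version})
                && $seen->{size} >= $f->{min_size};
        }
        my $key = $probe->{reg_keys}{ $fp->{reg_key} } ? 'key' : 'nokey';
        push @{ $files_ok ? \@installed : \@missing }, "$fp->{hotfix_name}($key)";
    }
    return { installed => \@installed, missing => \@missing };
}

# Report bucket per machine: fully / partially / unpatched.
sub bucket {
    my $r = shift;
    return 'fully'     if !@{ $r->{missing} };
    return 'unpatched' if !@{ $r->{installed} };
    return 'partially';
}

# Constructed probes for three machines, so the script runs offline.
my %probes = (
    ws01 => { os => 'Windows 2000', sp => 3,
              reg_keys => { KB0000001 => 1, KB0000002 => 1 },
              files => { 'WINNT/system32/sample.dll' => { version => '5.0.2195.6000', size => 81_000 },
                         'WINNT/system32/other.dll'  => { version => '5.0.2195.6100', size => 121_000 } } },
    # registry claims KB0000001, but the file was never replaced: a false
    # positive for a key-only scanner
    ws02 => { os => 'Windows 2000', sp => 3,
              reg_keys => { KB0000001 => 1 },
              files => { 'WINNT/system32/sample.dll' => { version => '5.0.2195.5000', size => 79_000 },
                         'WINNT/system32/other.dll'  => { version => '5.0.2195.6100', size => 121_000 } } },
    # SP2 box: only the "2=>" hotfix applies to it
    ws03 => { os => 'Windows 2000', sp => 2, reg_keys => {},
              files => { 'WINNT/system32/sample.dll' => { version => '5.0.2195.4000', size => 78_000 } } },
);

my %report;   # os -> sp -> bucket -> [machine ...]
for my $name (sort keys %probes) {
    my $p = $probes{$name};
    my $r = check_machine($p, @fingerprints);
    push @{ $report{ $p->{os} }{ $p->{sp} }{ bucket($r) } }, $name;
    printf "%-5s installed: %-40s missing: %s\n", $name,
        join(',', @{ $r->{installed} }) || '-', join(',', @{ $r->{missing} }) || '-';
}
for my $os (sort keys %report) {
    for my $sp (sort { $a <=> $b } keys %{ $report{$os} }) {
        for my $bk (qw(fully partially unpatched)) {
            next unless $report{$os}{$sp}{$bk};
            print "$os SP$sp $bk: @{ $report{$os}{$sp}{$bk} }\n";
        }
    }
}
```

With the sample data, ws01 comes out fully patched, ws02 partially patched (KB0000001 shows as missing even though its registry key is present, and KB0000002 as installed even though its key is absent), and ws03 unpatched, with KB0000002 not applied to it at all because its sp_level of "3" does not match SP2. The per-machine hashes stand in for the second and third tables in the post; a collector that fills them from a live box needs the same domain-admin rights the post mentions, and the fingerprint rows would normally be loaded from the hotfix table rather than hard-coded.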
