Open-AudIT can retrieve details about a file or directory of files and monitor these files for changes as per other attributes in the Open-AudIT database.
This feature works out of the box for Linux Open-AudIT servers, but needs a change to the service account name under a Windows Open-AudIT server.
Supported clients are Windows and Linux.
' . $instance->dictionary->link . '
See the note about enabling this feature when running a Windows Open-AudIT server on the wiki, here - https://community.opmantek.com/display/OA/files#Files-EnablingtheFeatureUnderWindows.
There is no need to do anything if you\'re running Open-AudIT on a Linux server.
+
+Windows clients are just fine and require no special actions, however.... to enable this feature the audit script must be run locally on the target Windows system. It cannot be run remotely as we do with WMI calls when running the audit script on one Windows machine, while targeting a second Windows machine. To do this we need to copy the audit script to the target Windows machine and then run it. Unfortunately the service account that Apache runs under is the Local System account. This account has no access to remote (network based) resources. To work around this issue the service must be run under another account. It is easiest to just use the local Administrator account, but you can try any account you like as long as it has the required privileges. The Local System account has as much local access as the local Administrator account.
+
+See our page on enabling Running Open-AudIT Apache Service Under Windows
A query is essentially a SQL statement. This statement is run against the database with the automatic addition of the limit, filtered to apply to only those requested items and only those items the user has permission to view. A Query can be created using menu -> Manage -> Queries -> Create Queries. Queries contain an org_id and are hence restricted to the appropriate users. A user must have the org_admin or reporter role(s) to create, update or delete a query. All users can execute a query. A query has a name attribute used for the menu item as well as a menu category attribute. This tells the Open-Audit GUI which submenu to place the query in. There is also menu display which should be set to \'y\' to enable the query in the GUI (\'n\' to prevent the query from appearing at all). The query would still run if called using it\'s $id, regardless of menu display\'s value.
+To view the details of a query, the standard URL structure of /open-audit/index.php/queries/{$id} should be used.
+To actually execute the query, append a /execute, thus /open-audit/index.php/queries/{$id}/execute.
The SQL query is essentially broken into three parts.
+The SELECT section of the query should use full dot notation and also request the field with it\'s full dot name. IE - SELECT devices.id AS `devices.id`. Each field should be selected in this fashion to enable GUI side attribute filtering.
+Queries for Groups should select only the devices.id column.
SELECT devices.id AS `devices.id`, devices.icon AS `devices.icon`, devices.type AS `devices.type`, devices.name AS `devices.name`, devices.domain AS `devices.domain`, devices.ip AS `devices.ip`, user_group.name as `user_group.name`, user_group.members AS `user_group.members`
+
You should use only those tables that contain attributes you need. I usually use a LEFT JOIN. IE - SELECT devices.id AS `devices.id`, ip.ip AS `ip.ip` FROM devices LEFT JOIN ip ON (devices.id = ip.device_id).
+All device sub-tables contain a couple of important columns. $table.device_id and $table.current. $table.device_id is the link to the devices.id column. The $table.current column will contain either \'y\' or \'n\'. This indicates if this row is currently present on the device. For example software may be installed (which would result in software.current = \'y\'), but on a subsequent audit it may not be detected. Open-AudIT will then change this rows current attribute to \'n\'.
FROM user_group LEFT JOIN devices ON (user_group.device_id = devices.id AND user_group.current = \'y\')
In order for Open-AudIT to be able to apply user permissions on items, we mandate the user of WHERE @filter. If you do not use this format, the queryCreateForm will throw a warning. Only users with the Admin role are permitted to create queries that lack this attribute and even then, only after the configuration item for \'advanced_queries\' has been enavled.
Other than that restriction, you are free to select attributes as required. It\'s a good idea to use the menu -> Admin -> Database -> List Tables item to view the specific tables and their columns. This will enable you to find exactly what you need, rather than trawling through the MySQL console of the schema creation script.
+WHERE @filter AND (user_group.name = \'Administrators\' OR user_group.name = \'Power Users\' OR user_group.name = \'Remote Desktop Users\' OR user_group.name = \'wheel\' OR user_group.name = \'sudo\') AND user_group.members > \'\' GROUP BY devices.id, user_group.name ORDER BY devices.name
The database schema can be found in the application if the user has database::read permission by going to menu: Admin -> Database -> List Tables, then clicking on the details button for the table. Device details are stored in the devices table.
Note - The SQL queries used in Open-AudIT require the use of the backtick - ` character and NOT the standard single quote for fields. On most US Windows keyboards the backtick key is located in the top-left of the keyboard along with the tilde ~. On a US Mac keyboard the backtick key is located next to the SHIFT key. The standard single quote is still used to enclose values as the examples below illustrate.
+ +SELECT devices.id AS `devices.id`, devices.icon AS `devices.icon`, devices.type AS `devices.type`, devices.name AS `devices.name`, devices.domain AS `devices.domain`, devices.ip AS `devices.ip`, user_group.name as `user_group.name`, user_group.members AS `user_group.members` FROM user_group LEFT JOIN devices ON (user_group.device_id = devices.id AND user_group.current = \'y\') WHERE @filter AND (user_group.name = \'Administrators\' OR user_group.name = \'Power Users\' OR user_group.name = \'Remote Desktop Users\' OR user_group.name = \'wheel\' OR user_group.name = \'sudo\') AND user_group.members > \'\' GROUP BY devices.id, user_group.name ORDER BY devices.name
This example query retrieves a list of devices OVER 3 years old. The query uses today NOW() and devices.purchase_date as the reference point and filters out all virtual machines via a check of the system.serial field for %VM%.
SELECT devices.id AS `devices.id`, devices.purchase_date AS `devices.purchase_date`, devices.type AS `devices.type`, devices.name AS `devices.name`, devices.last_seen AS `devices.last_seen`, devices.manufacturer AS `devices.manufacturer`, devices.model AS `devices.model`, devices.description AS `devices.description`, devices.function AS `devices.function`, locations.name AS `locations.name` FROM devices LEFT JOIN locations ON (devices.location_id = locations.id) LEFT JOIN windows ON (devices.id = windows.device_id AND windows.current = \'y\') LEFT JOIN orgs ON (devices.org_id = orgs.id) WHERE @filter AND devices.purchase_date < DATE_SUB(NOW(),INTERVAL 3 YEAR) AND devices.serial NOT LIKE \'%VM%\'
This example uses devices.warranty_expires and looks for a warranty expiration date prior to today.
SELECT devices.id AS `devices.id`, devices.warranty_expires AS `devices.warranty_expires`, devices.type AS `devices.type`, devices.name AS `devices.name`, devices.last_seen AS `devices.last_seen`, devices.manufacturer AS `devices.manufacturer`, devices.model AS `devices.model`, devices.description AS `devices.description`, devices.function AS `devices.function`, locations.name AS `locations.name` FROM devices LEFT JOIN locations ON (devices.location_id = locations.id) LEFT JOIN windows ON (devices.id = windows.device_id AND windows.current = \'y\') LEFT JOIN orgs ON (devices.org_id = orgs.id) WHERE @filter AND devices.warranty_expires <= CURDATE() AND devices.serial NOT LIKE \'%VM%\'
This example creates a list of devices where the Function or Description fields are blank OR the Purchase Date is the default.
+SELECT devices.id AS `devices.id`, devices.ip AS `devices.ip`, devices.name AS `devices.name`, devices.description AS `devices.description`, devices.function AS `devices.function`, devices.purchase_date AS `devices.purchase_date`, devices.type AS `devices.type`, locations.name AS `locations.name` FROM system LEFT JOIN locations ON (devices.location_id = locations.id) WHERE @filter AND devices.purchase_date = \'2000-01-01\' OR devices.function = \'\' OR devices.description = \'\'
This example creates a list of devices and the open Ports, Protocols, and Programs found by the NMAP scan.
+SELECT devices.id AS `devices.id`, devices.type AS `devices.type`, devices.name AS `devices.name`, devices.domain AS `devices.domain`, devices.ip AS `devices.ip`, nmap.first_seen AS `nmap.first_seen`, nmap.last_seen AS `nmap.last_seen`, nmap.port AS `nmap.port`, nmap.protocol AS `nmap.protocol`, nmap.program AS `nmap.program` FROM nmap LEFT JOIN devices ON (nmap.device_id = devices.id) WHERE @filter
This example creates a list of all Modules marked as current=\'y\' on devices of type \'router\'.
+SELECT devices.id AS `devices.id`, devices.type AS `devices.type`, devices.name AS `devices.name`, devices.manufacturer AS `devices.manufacturer`, devices.model AS `devices.model`, devices.serial AS `devices.serial`, module.description AS `module.description` FROM devices LEFT JOIN module ON (module.device_id = devices.id AND module.current = \'y\') WHERE @filter AND devices.type = \'router\' ORDER BY devices.name
The Linux Open-AudIT installer will test for and if required, install Open-AudIT\'s dependencies from your distributions repository, including setting the Nmap SetUID. This is required for SNMP (UDP 161) detection by a non-root user. This is supported on RedHat/CentOS and Debian/Ubuntu. If you need to manually install Nmap:
+
+For RedHat/CentOS do (NOTE - if you upgrade using yum, you will need to reapply this "chmod" setting).
+sudo yum install nmap
+
+sudo chmod u+s `which nmap`
+
+For Debian/Ubuntu run (including setting dpkg to remember your override so an apt-get upgrade will not break Open-AudIT).
+sudo apt-get install nmap
+
+sudo chmod u+s `which nmap`
+sudo dpkg-statoverride --list `which nmap`
+
+
The Windows Open-AudIT installer will test for the presence of Nmap in it\'s standard install locations of:
+
+If the binary is not found in either of these locations, a warning message will be displayed in the installer.
+
+To install Nmap on Windows, visit the Nmap page at https://nmap.org/download.html and download the Latest Release self-installer. You may need to scroll down the page to find it.
+ . 'images/faq_03.png)
+
+Save and run the file. Make sure you run the file as an Administrator in order to install it (right click, Run as Administrator).
+
+ . 'images/faq_04.png)
+
+Use the standard install options when displayed and click the "I Agree", "Next" and "Install" buttons to install Nmap.
+
+';
diff --git a/app/Views/faq/Running Open-AudIT Apache Service Under Windows.php b/app/Views/faq/Running Open-AudIT Apache Service Under Windows.php
new file mode 100644
index 000000000..3b95f7048
--- /dev/null
+++ b/app/Views/faq/Running Open-AudIT Apache Service Under Windows.php
@@ -0,0 +1,29 @@
+
+If you\'re running an Open-AudIT server on Linux, this doesn\'t affect you.
+
+When running Open-AudIT on Windows the Apache service account must be that of a \'regular\' user (or the Administrator). This is because the "Local System" account normally used to run Apache has no access to any network resources. IE - We cannot use Apache when running as the Local System account account to copy the audit script to Windows PCs.
+
To make the change, just follow the steps below.
+
+Select the Start menu and type "services". Click the Services icon.
+ . 'images/faq_01.png)
+
+Next, right click the Apache2.4 service and select Properties, then click the Log On tab.
+ . 'images/faq_02.png)
+
+Select the "This Account" checkbox and provide the account name and password.
+
+Next, click OK, then right click the Apache 2.4 service and click Restart. Done!
+
+
+
+
There is no need to do anything if you\'re running Open-AudIT on a Linux server.
+
+Windows clients are just fine and require no special actions, however.... to enable this feature the audit script must be run locally on the target Windows system. It cannot be run remotely as we do with WMI calls when running the audit script on one Windows machine, while targeting a second Windows machine. To do this we need to copy the audit script to the target Windows machine and then run it. Unfortunately the service account that Apache runs under is the Local System account. This account has no access to remote (network based) resources. To work around this issue the service must be run under another account. It is easiest to just use the local Administrator account, but you can try any account you like as long as it has the required privileges. The Local System account has as much local access as the local Administrator account.
+
+See our page on enabling Running Open-AudIT Apache Service Under Windows
Groups are used as simple lists of devices that match the required conditions. If requested using JSON they return a list of devices.id\'s only. If requested using the web interface, they return the standard column attribute list.
'; - -$body = 'Please see the wiki here.
+$intro = 'Groups are used as simple lists of devices that match the required conditions. If requested using JSON they return a list of devices.id\'s only. If requested using the web interface, they return the standard column attribute list. Groups can be used for Integrations, Baselines and other items.
Please see the FAQ here.
Open-AudIT comes with many queries inbuilt. If you require a specific query and none of the pre-packaged queries fit your needs, it\'s quite easy to create a new one and load it into Open-AudIT for running.
'; $body = 'Please see the wiki here.
+Please see the wiki here.
Nmap
-
Open-AudIT uses Nmap in its Discovery function. Without Nmap, Open-AudIT will not function correctly. Every Open-AudIT install assumes Nmap is installed and will also test for it on the Discovery web pages. More information about Open-AudIT and Nmap is available here - Open-AudIT and Nmap.
Windows
-Nmap is available for Windows, here - https://nmap.org/download.html. All other dependencies are packaged with the Open-AudIT download.
-
Linux
-The Linux Open-AudIT installer will test for and if required, install Open-AudIT's dependencies from your distributions repository. After installing you should run the below to SetUID. This is required for SNMP (UDP 161) detection. This is supported on RedHat/CentOS and Debian/Ubuntu. To enable the Apache user to use Nmap to detect port UDP 161, run the below commands:
- For Centos / Redhat: (NOTE - if you upgrade using yum, you will need to reapply this "chmod" setting).
sudo chmod u+s `which nmap`
- For Debian / Ubuntu:
sudo chmod u+s `which nmap`
sudo dpkg-statoverride --list `which nmap`
Open-AudIT uses Nmap in its Discovery function. Without Nmap, Open-AudIT will not function correctly. Every Open-AudIT install assumes Nmap is installed and will also test for it on the Discovery web pages. More information about Open-AudIT and Nmap is available here - Open-AudIT and Nmap.
Permissions
Open-AudIT needs specific directory permissions to be able to create files, upload results, etc. Please set as below.
Linux
diff --git a/app/Views/locationsRead.php b/app/Views/locationsRead.php index 18a32f396..d65d03086 100644 --- a/app/Views/locationsRead.php +++ b/app/Views/locationsRead.php @@ -77,7 +77,7 @@