Blog from January, 2020

With the release of Open-AudIT 3.3.0, we've introduced a great new feature users have been asking for, for a while now - selectable columns on the List Devices page!

As of 3.3.0, when you go to menu → Manage → Devices → List Devices, you will see a new button on the top right of the device list. Click it and it will drop down, as per the screenshot below (click to enlarge).

You will see two buttons - "Save as Default" and "Reset to Default". The attributes in bold are currently displayed. If you click one of them, that attribute will disappear. Because you have changed the attribute list, the "Save as Default" button will be enabled. If you then click that, these columns will be your (as in your individual user login) default columns from then on. Once you have saved your default attribute list, if it is different to the default list, the "Reset to Default" button will be enabled. Click it and your attribute list will be reverted to the default, which is stored in the configuration under devices_default_display_columns.

If you click an attribute that is not in bold, it will be added to the column list and the "Save as Default" button activated, as per above. There is no page reload for this. All the data is loaded ahead of time and simply displayed or hidden as required.

In the case where this is causing too much load for your server and / or browser, the default list of attributes to be retrieved are also stored in the configuration under devices_default_retrieve_columns. We do not retrieve every attribute from the system table. You may wish to add or removes attributes from that list as you see fit.

Each user has a default column list (if they're not using the default), so different users can display attributes they care about, without worrying about other users.

This won't replace Queries as we are only displaying attributes form the 'system' table. Queries can display anything you like. But it will enable your users to show the attributes they most care about in their default device listing.

By default (config → devices_default_retrieve_columns) we retrieve the following attributes:, system.uuid,, system.ip, system.hostname, system.dns_hostname, system.domain, system.dns_domain, system.dbus_identifier, system.fqdn, system.dns_fqdn, system.description, system.type, system.icon, system.os_group, system.os_family, system.os_name, system.os_version, system.manufacturer, system.model, system.serial, system.form_factor, system.status, system.environment, system.class, system.function, system.org_id, system.location_id, system.snmp_oid, system.sysDescr, system.sysObjectID, system.sysUpTime, system.sysContact, system.sysName, system.sysLocation, system.first_seen, system.last_seen, system.last_seen_by, system.identification

If you would like another column, just add it in the configuration.

By default (config → devices_default_display_columns) we display the following attributes:, system.icon, system.type,, system.ip, system.dns_fqdn, system.identification, system.description, system.manufacturer, system.os_family, system.status

Oh, and one more thing... In case you were wondering what the panel header with caret titled Resources (All Devices) is in the above screenshot, it drops down to show a selection of the components of devices. Clicking on an icon shows a list of all those things for all devices. On that following list you can click the individual entry and see it's details. This is limited by the config item for XXX rows at a time (the software tables can have 100's of thousands of rows, for example). See below.

For better or worse, all those people that insist on wanting "a list of all my software", this will do exactly that (and any other device component table). In my opinion a list like that is next to useless and you should narrow your scope and write a query, but hey what would I know (smile) This was previously able to be done by specifying the URL /devices?sub_resource=software, but not exposed in the GUI anywhere. Now it is. Have fun!

Apache and ModSecurity

Recently I noticed errors on my Ubuntu 18.04 machine in /var/log/apache2/errors.log that look as below. These may also occur on any other Linux server running Apache and ModSecurity.

[Tue Jan 14 09:58:51.980208 2020] [:error] [pid 8812] [client ::1:48280] [client ::1] ModSecurity: Rule 7f6584a61a50 [id "-"][file "/usr/share/modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "98"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "localhost"] [uri "/open-audit/index.php/discoveries/26"] [unique_id "Xh0EO9HUUpzELlm@OJLwKwAAAAA"], referer: http://localhost/open-audit/index.php/discoveries/26

These would show multiple times for any requested page.

According to the Atomicorp ModSecurity page here - you should increase a couple of limits.

I have edited /etc/modsecurity/modsecurity.conf and set these as recommended below.

SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000

I restarted Apache (sudo systemctl restart apache2) and I have no more warnings in my Apache error log.