
UPDATE - Open-AudIT works perfectly fine using HTTPS. But - there's always a but... We do require http traffic be allowed from localhost / 127.0.0.1. The below information is now outdated.

Tasks

If you are using https for Open-AudIT, you will need to manually edit the files /usr/local/omk/bin/open-audit_tasks.[sh|vbs]. You will need to update the URL to reflect the https prefix. To use https, there is a line below that should be un-commented, and the regular line commented out. That's all there is to it.

Default regular line

Code Block
curl -s -o /dev/null --data "" "http://localhost/omk/open-audit/tasks/execute" >/dev/null 2>&1

Commented out line

Code Block
# curl -s -o /dev/null  --insecure --data "" "https://localhost/omk/open-audit/tasks/execute" >/dev/null 2>&1

Config

The config option oae_server located in /usr/local/omk/conf/opCommon.nmis under the openauditenterprise section will also need to be changed. The default value for this is http://127.0.0.1/open-audit/ and changing this to https://127.0.0.1/open-audit/ will allow use of https.

After these values are changed, perform an omkd restart:

Code Block
service omkd restart
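
A check for the two edits described above, as an added example that is not Opmantek's own code: it reports the scheme of the active curl line in the tasks script and of oae_server, and notes when --insecure turns certificate verification off. The function names are hypothetical, the oae_server key is assumed to sit on one line with its URL, and a bundled short flag such as -sk is not detected.

```shell
# Added example, not Opmantek code: compare the scheme of the task trigger and oae_server.

# Active (uncommented) curl lines of the tasks script.
active_curl() { grep -E '^[[:space:]]*curl[[:space:]]' "$1"; }

# Scheme of the active task URL: http, https, mixed or none.
task_scheme() {
    s=$(active_curl "$1" | grep -oE 'https?://' | sort -u | tr -d ':/\n')
    case "$s" in
        http|https) echo "$s" ;;
        "")         echo none ;;
        *)          echo mixed ;;
    esac
}

# True when an active curl line disables certificate verification.
skips_cert_check() {
    active_curl "$1" | grep -qE -- '[[:space:]](--insecure|-k)([[:space:]]|$)'
}

# Scheme of oae_server. Assumption: the key and its URL share one line.
conf_scheme() {
    s=$(grep -v '^[[:space:]]*#' "$1" | grep 'oae_server' |
        grep -oE 'https?://' | head -n 1 | tr -d ':/\n')
    echo "${s:-none}"
}

# Print both schemes; return non-zero when they disagree.
check_oa_scheme() {
    t=$(task_scheme "$1"); c=$(conf_scheme "$2")
    echo "tasks=$t oae_server=$c"
    if [ "$t" = https ] && skips_cert_check "$1"; then
        echo "note: --insecure set, the server certificate is not verified"
    fi
    [ "$t" = "$c" ]
}

# Constructed sample: tasks script switched to https, config left on http.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# curl -s --data "" "http://localhost/omk/open-audit/tasks/execute"' \
        'curl -s --insecure --data "" "https://localhost/omk/open-audit/tasks/execute"' > "$d/tasks.sh"
    printf '%s\n' "'oae_server' => 'http://127.0.0.1/open-audit/'," > "$d/opCommon.nmis"
    check_oa_scheme "$d/tasks.sh" "$d/opCommon.nmis" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}

if [ $# -eq 2 ]; then check_oa_scheme "$1" "$2"; else demo || true; fi
```

Run with the two paths named on the page as arguments to check a real install; with no arguments it runs the constructed sample.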

Discoveries

When creating a Discovery, be sure to select the https URL or, if it does not appear, select Other, then manually enter the correct URL.

Independent audit scripts

to spawn more processes when discovery runs and for task execution (well, task checking for execution). As the traffic is localhost only, it never actually hits the network interface, so is never at risk of being eavesdropped upon. We also do not use these connections to send any sensitive information. They are purely to tell Open-AudIT "check if any tasks need running" or "start another discovery thread".

If your security group insists that http be disabled from absolutely everywhere (including localhost), Opmantek is always willing to assist a supported customer achieve this. Having said that:

  • The onus and burden of maintaining the required changes after each upgrade will fall to you.
  • This work may be chargeable.
  • There is no security benefit to disabling localhost http.

Configuring https is an exercise left to your System Administrator as no code or configuration changes are required in the Open-AudIT application itself.

If you have deployed scripts directly to devices (and are running them using cron | task scheduler) you will need to manually edit the URL parameter within the audit script and set it to use https.