Introduction

You may wish to change the defaults for several sensitive items before deploying Open-AudIT. These are detailed below.

MySQL credentials

Open-AudIT User

Open-AudIT, like any normal web application, uses a configured set of credentials to access the MySQL database.

...

Code Block
$db['default']['username'] = "YOUR_USER";
$db['default']['password'] = "YOUR_PASSWORD";

Root User

The password of the MySQL root user can also be changed as above. However, I would recommend the procedure below, for safety.

...

Log on as the MySQL root user in session #1.

Code Block
mysql -u root -p

In the second shell (after successfully logging in above) run the below command, substituting YOUR_NEW_ROOT_PASSWORD.

Code Block
mysql -u root -p -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = password('YOUR_NEW_ROOT_PASSWORD'); FLUSH PRIVILEGES;"

Now try to log in using that same (second) shell.

Code Block
mysql -u root -pYOUR_NEW_ROOT_PASSWORD

If you can log in, you're all done!

...

Code Block
SELECT User, Host, Password FROM mysql.user;

And change the SET PASSWORD command above to reflect the Host value in the second session.


Restricting MySQL to localhost

On our shipped version for Windows, we already restrict to localhost.

On some Linux distributions, you might find MySQL listening on all IP addresses. Unless you have a specific reason for this, it is very much recommended to restrict this to localhost.

You can check the listening address by running the below command.

For Debian and Ubuntu

Code Block
sudo grep -R bind /etc/mysql/

For Red Hat and CentOS

Code Block
sudo grep -R bind /etc/my.cnf.d/

If you don't get a result, try running the below netstat command.

Code Block
sudo netstat -lntup | grep mysqld

If you see an IP address of 0.0.0.0 with a port of (usually) 3306 (as below), this means MySQL is listening on all available IPs.

Code Block
root@dev:/etc/mysql# sudo netstat -lntup | grep mysqld
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      8491/mysqld

You should configure the bind-address to be 127.0.0.1 in:

Debian / Ubuntu: /etc/mysql/mariadb.conf.d/50-server.cnf

Red Hat / CentOS: /etc/my.cnf.d/server.cnf

Code Block
bind-address		= 127.0.0.1
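
To re-check the listener once the database service has been restarted with the new bind-address, the following added example (not part of the Open-AudIT documentation) classifies the mysqld lines of netstat -lntup output. The function name, the IPv6 and mariadbd handling and the second sample line are assumptions that go beyond the single IPv4 case shown above.

```shell
#!/bin/sh
# Added example: classify MySQL/MariaDB listeners from `netstat -lntup` output.
# Reads netstat lines on stdin and prints one line per listener:
#   EXPOSED <addr>     wildcard bind (0.0.0.0, :: or *), reachable on every interface
#   LOCAL <addr>       loopback bind (127.x.x.x or ::1)
#   RESTRICTED <addr>  bound to one specific non-loopback address
# Exit status: 0 = no wildcard listener, 1 = at least one wildcard listener,
#              2 = no mysqld/mariadbd listener found at all.
# The function name and the mariadbd/IPv6 cases are assumptions of this example.
classify_mysql_listeners() {
    awk '
        # Field 4 is the local address, field 6 the state, field 7 PID/program.
        $6 == "LISTEN" && $7 ~ /\/(mysqld|mariadbd)$/ {
            addr = $4
            host = addr
            sub(/:[0-9]+$/, "", host)     # strip the trailing :port
            found = 1
            if (host == "0.0.0.0" || host == "::" || host == "*") {
                print "EXPOSED " addr
                exposed = 1
            } else if (host ~ /^127\./ || host == "::1") {
                print "LOCAL " addr
            } else {
                print "RESTRICTED " addr
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Sample input: the first line is the netstat output shown on this page,
# the second is constructed to show the state after the change.
SAMPLE_EXPOSED='tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      8491/mysqld'
SAMPLE_LOCAL='tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      8491/mysqld'

# On a live host: sudo netstat -lntup | classify_mysql_listeners
printf '%s\n' "$SAMPLE_EXPOSED" | classify_mysql_listeners || echo "exit status $?"
printf '%s\n' "$SAMPLE_LOCAL" | classify_mysql_listeners || echo "exit status $?"
```

A non-zero exit status makes the function usable as a post-deployment check: 1 means a wildcard listener is still present, 2 means no MySQL listener was seen in the input.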



Credentials Encryption Key

Open-AudIT encrypts credentials when it stores them in the database, but we must be able to decrypt them in order to use them when querying devices. Because this is reversible encryption, we need a shared secret (or key). This is kept in the file:

...

Exporting, deleting and importing can be done using the GUI.


Admin User and Licensing

You are free to change the password for the Admin user, but the user name itself should be left as is. If it is changed, the license entry will be broken.

...