Blog

I often utilise Postman to query the Open-AudIT API when developing.

Just using a browser, it's difficult to send anything other than a GET request - but Postman makes it simple to send a POST, PATCH or DELETE as required.

You can get it from https://www.getpostman.com/downloads/ for Windows, Mac and Linux.

Install and start Postman. You can elect to create an account or not. You can also elect to create a new item using the wizard, or just close the modal and jump in. Let's do that (smile)


For the below, my Open-AudIT server is running on 192.168.84.4. You should substitute the IP address of your Open-AudIT server.


First you need to make a post to /login to get a cookie. Set the dropdown to POST and the URL to http://192.168.84.4/omk/open-audit/login. Set the header Accept to application/json. Set the Body to form-data and provide the username and password keys, with values as appropriate for your installation. By default it will look as below.  Now click the Send button.




You should see the JSON result saying you have been authenticated.


Once that's done, it's time to request some data. Make a GET request to http://192.168.84.4/omk/open-audit/devices and you should get a JSON response containing a list of devices. You can see the start of the JSON in the screenshot below.


What about changing the attribute of an item? Not too difficult. You'll need the ID of the device you want to change, along with the attribute name from the database. You can see these in the application by going to menu → Admin → Database → List Tables and clicking on the "system" table. Let's change the description for our device with ID 14.

You'll need to create a JSON object and assign it to the "data" item to do this. It's not too difficult. Your JSON object should look like below (formatted and indented for easy reading).

{
	"data": {
		"id": "14",
		"type": "devices",
		"attributes": {
			"description": "My New Description"
		}
	}
}

It looks worse than it is. Normally you would use code to do this, so it's a simple two line conversion. Because we're using Postman, we'll have to do it ourselves. A useful site is https://jsonlint.com/

So now you have your payload, let's send it to Open-AudIT. Make a new PATCH request and use the URL http://192.168.84.4/omk/open-audit/devices/14. Supply the data attribute in the body → x-www-form-urlencoded section and hit Send. You should see the request as below.

Deleting an item is the even easier. Let's delete an Org. In this case, our Org with ID 2. Make a new DELETE request to http://192.168.84.4/omk/open-audit/orgs/2. That's it - easy (smile)

And if we want to read a specific entry, it's just a GET request. Let's get our default Org - ID 1. Just make a GET to http://192.168.84.4/omk/open-audit/orgs/1.

What about running a query? What's the HTTP verb used to EXECUTE something? There is none (sad) But we'll make do by supplying /execute after the ID. So to execute a query, make a GET request to http://192.168.84.4/omk/open-audit/queries/1/execute. To execute a discovery, task or baseline, use the same format - ID/execute.

Remember we always receive the result in JSON as that is in our request header. We could receive it as HTML is we want - just remove that header item. Maybe more useful is a CSV output. Remove the Accept header and change the URL for a GET to http://192.168.84.4/omk/open-audit/queries/1/execute?format=csv. Done - CSV output you can copy and paste into Excel.

It really is that simple. The only one to watch is the PATCH request, because you have to create your own JSON. Just about everything else is quite discoverable. Make sure you check the pages for Collections which detail the request formats. And don't forget The Open-AudIT API page as well.

That makes for a simple and easy way to test the Open-AudIT API.

Onwards and upwards.

Mark Unwin.





With the release of Open-AudIT 3.1.0 we have massively expanded the options around keeping and processing data from devices.

SubSections of a device within Open-AudIT refers to the many tables that hold specific data types - software, netstat ports, processors, memory, disks, users, groups, etc, etc.

These options exist (for now at least) in the Configuration of Open-AudIT. The items of interest are create_change_log* . and delete_noncurrent*.

We previously had these options for a couple of select couple of Subsections, but have expanded these to cover every subsection.


Create Change Logs

The items named create_change_log_* use the database table names to specify which subsection they apply to - so create_change_log_software and create_change_log_memory are both valid examples. You can override ALL items by setting create_change_log to "n" - this will stop any change logs being generated, regardless of the individual table setting. So if a device has a piece of software added (for example), a correspond change log would not be inserted if create_change_log_software was set to "n". This is set to "y" by default. This matches how Open-AudIT has always worked.


Special Items

We have also introduced three special configuration items for Netstat Ports. Because ports above 1024 are mostly designed to be dynamic, we now provide three options to keeping this data. create_change_log_netstat_registered, create_change_log_netstat_well_known and create_change_log_netstat_dynamic. These options correspond to the ports 0-1023, 1024-49151 and 49152-65535.See https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. In particular, Windows DNS servers open a LOT of ports high in the range that are (in my opinion) silly to keep track of, see here and here. By default, only create_change_log_netstat_registered is set to "y". We may add to these options in the future for other subsection, if required.


Delete NonCurrent Items

Along similar lines, the configuration items for delete_noncurrent* use the database table names to specify which subsection they apply to. If set to "y", then no historical entries will be kept for that table, only the "current" items as at the last audit (or discovery). Again, these individual items can be overridden by the global "delete_noncurrent" item. If set to "y", it will remove all noncurrent items from all tables. This is set to "n" by default. This matches how Open-AudIT has always worked.


Hopefully these options provide some customisability for you to only keep the data you actually need.


Onwards and upwards.

Mark Unwin.


Open-AudIT 3.1.0 released

After some extensive code rework, Open-AudIT 3.1.0 has been released for both Linux and Windows.

The Release Notes for Open-AudIT v3.1.0 provide specific details, but at a high level we've been changing the codebase to allow us to provide Open-AudIT Cloud in the near future. A hosted version of Open-AudIT that is always up to date, gets the latest code before regular releases, gets patches and bug fixies straight away and minimises the amount of infrastructure on premise required to get Open-AudIT up and running.


There have also been improvements around The Default Network Address, example device data, audit subsection processing, logging improvements, bug fixes and more.


I hope you find Open-AudIT as useful as I do.

Mark Unwin.

The Default Network Address

With the new release of Open-AudIT 3.1.0, we no longer require the configuration item "default"network"address" to be set for Discoveries. It is still required for the "Audit My PC" functionality, but we hope to minimise this dependance going forward as well.

Why was Default Network Address required?

Initially when we ran a discovery, on both Linux and Windows, we ran the audit script in such a way that it needed to know where to submit it's result. What URL should it use - hence the requirement for the configuration item. A while back now we changed how Discoveries ran under Linux, removing this requirement.

Linux

Linux discoveries send the audit script to the target, run it with a flag of "submit_online = n" and "create_file = w". So do not submit the result to the server, create a file and output the filename to the console. The server waits for the script to finish and captures the console output. It now has the filename of the result on the target system. It copies the result from the target to itself and processes it. All good so far.

Windows

We could never make Windows work this way. The account we use for Apache is the standard "Local System" account. This account has no access to network resources. Hence it cannot simply copy the script to or from a target PC. This was always a pain because the Linux way of running the Discovery was so much better and cleaner. After some (more) research we realised we can use network resources via "net use" - we simply don't assign a drive letter. Yay! So Windows now can copy the audit script to the target, run it, wait for the console output and then copy the result file back and process it, just like Linux.

Finally!

All that is a long explanation for "we don't need the default network address set". That's one less item a user needs to worry about.

We do still have the requirement to set the default network address for the functionality of the "Audit My PC" on the login page. We have plans to minimise this as well - if you can view the login page, we can use the request URL and work out what the default network address should be.

For now it's still required (as at 3.1.0), but look for it to be removed as a requirement in a near future release.


One step at a time, we're trying to make Open-AudIT as easy to use as possible.


Onwards and upwards.

Mark Unwin.

Open-AudIT v3.0.0 released

After a long and interesting v2 series, we welcome v3 into the world!

 

Why v3 you ask? Well, with the recent improvements around discovery scan options and the resulting dramatic increase in discovery times along with the Windows version finally updating its XamppLite package to the latest full Xampp install, we thought it warranted the version increase.

 

What's changed? See Discovery Scan Options and the Release Notes for Open-AudIT v3.0.0.

 

Windows users have been left waiting lately, so you might also want to check the release notes for Release Notes for Open-AudIT v2.3.2 and Release Notes for Open-AudIT v2.3.3

 

We have introduced a new field for your devices called "identification" along with a new device type of "unclassified". This is used when we have some information about a device, but have not been able to talk to it using SNMP, WMI or SSH. So if we have a MAC address, or we know port X is open, then we know something and provide a type of unclassified. We populate the identification field with what we know. In the case where we literally have an IP and possibly a DNS hostname, the device will remain unknown in type. You can see these details on the Devices section of the Discoveries screen. This should help point you in the right direction to identifiying a device, rather than us throwing our hands in the air and saying "we couldn't talk to it, so it's unknown".

 

The new Discovery Scan Options are fully customisable for Enterprise users, choosable on a per discovery basis for Professional users and selectable on an install basis for Community users. We set the default to use UltraFast options and the increase in speed (especially on Linux servers) is, to put it midly, massive. We have genuine reports of a customer scanning their /22 and having the scan time drop from 29 hours to under 10 minutes. That is not a lie or exaggeration. I know it sounds hard to believe. Obviously there are surrounding conditions - network speed, device speed, reduced Nmap ports reporting, etc - but the result is genuine. To say we're happy with the performance is understating it quite a lot (smile)

 

We have finally managed to move Windows users from XamppLite to full Xampp. This wasn't without it's challenges, the largest being the PHP changes from 5.3 to 7.3 and encryption functions. In order to facilitate this, we use the existing 2.x install to export the encrypted credentials for credentials, device specific credentials, clouds and LDAP servers to a file, upgrade Xampp and Open-AudIT, then on the database schema upgrade, use the generated text file to encrypt the credentials and update the database entries. Once that's done and you're happy everything has worked, you can delete the file c:\xampplite\open-audit\migrate.json (we do not delete this file automatically). We also do not remove the old XamppLite installation. That is left for the user to decide to delete it at a time when they're happy with their new Open-AudIT 3.0.0 install.

 

Open-AudIT has never been easier to use, faster or more customisable than it is right now.

 

If you haven't upgraded, get on board!

New Discovery Options

Introduction

As at Open-AudIT 2.3.2 and later, we have introduced some easy to use and extremely powerful options for discovering devices. These options centre around directing Nmap on how to discover devices.

We have grouped these options into what we're calling Discovery Scan Options. We ship seven different groups of options (items) by default that cover the common use-cases.

This benefits Community, Professional and Enterprise customers.

Feature Availability

Feature availability is dependent on license type as per the table below.

FeatureCommunityProfessionalEnterprise
Match Rules - set default for all discoveriesyyy
Discovery Scan Options - set default for all discoveriesyyy
Discovery Scan Options - read yy
Discovery Scan Options - set per discovery yy
Discovery Scan Options - create, read, update, delete  y
Discovery Scan Options - Custom per Discovery  y
Discovery Scan Options - Exclude IP, range, subnet per discovery  y
Discovery Scan Options - Exclude ports per discovery  y
Discovery Scan Options - Set device timeout, per discovery  y
Discovery Scan Options - Custom SSH port per discovery  y
Match Rules - set per discovery  y

 

Discovery Scan Types

The Discovery Scan Options we ship are detailed in the table below. As above, Enterprise users can create more of these or edit the shipped items.

 

AttributeUltraFastSuperFastFastMedium (Classic)1MediumSlowUltraSlow
Approximate time in seconds for remote IP scan1540901002401200
Must Respond to Pingyyynyyn
Use Service Version Detectionnnnnnyy
Consider Filtered Ports as Opennnnynyy
TimingT4T4T4T4T4T3T2
Top Nmap TCP Ports 101001000100010001000
Top Nmap UDP Ports 10100 1001001000
Custom TCP Ports22,135,62078620786207862078620786207862078
Custom UDP Ports161  161   
Exclude TCP Ports       
Exclude UDP Ports       
Timeout per Host       
Exclude IP (address, range, subnet)       
Custom SSH Port       

1The item for Medium (Classic) is similar to the Nmap for Discovery setting available in Open-AudIT 2.3.2.

Check the wiki here for a deeper look at Discovery Scan Options.

Example Scanning Improvement

We have a customer who is running discovery on a /22. The scan time to complete when using the original (hard set) options, prior to 2.3.2 was 29 hours. Using 2.3.2's UltraFast option, that scan now takes less than 10 minutes. To say they are impressed would be an understatement! They are now left with a smaller set of unknown devices that they can run a more detailed audit against. And remember, if the audited device is a computer, you will have a list of open ports derived from Netstat, anyway - possibly saving another audit cycle.

Use Cases

Handling Duplicate Serials

Recently we had cause to scan a subnet that was made up of virtual Cisco networking devices. These devices all happened to have identical serial numbers. Using the Match Rules per Discovery (available to Enterprise users) we were able to tweak the ruleset for this discovery only, without affecting other discoveries that rely upon matching a serial number. This ability solved a long-standing issue of working around a less than ideal setup on a network. A serial number, by definition, should be unique.

Filtered Ports

Networks respond differently depending on how they're configured. Some routers and/or firewalls can respond "on behalf" of IPs on the other side of their interfaces to the Open-AudIT Server. It is quite common to see Nmap report a probe for SNMP (UDP port 161) to respond as open|filtered for devices that do and do not exist. This is misleading as there is no device at that IP, yet it ends up with a device entry in the database. 99.9% of the time, it is not Open-AudIT, nor even Nmap, but the network causing this issue. Now that we have the options to treat open|filtered ports as either open or closed, we can eliminate a lot of this confusion. Enterprise users even have the option to change this on a per discovery basis (more than just using the Medium (Classic) item, as above).

 

Discovery Enterprise Options

The screenshot below is the Open-AudIT discovery page where all the audit configuration is set. I've added ample notes in the page explaining all the options making the tool easy to use for less technical staff. 

Click to enlarge.

Check the wiki for a more detailed explanation about Discoveries

Display Improvements

As well as the functional improvements to discovery, we have also revised the Discovery Details page. We have sections for Summary, Details, Devices, Logs and IP Addresses. The Devices section, in particular, is now much more useful. We have added a new type of Unclassified to the list and we use this when we have more than just an IP and/or name for the device. For instance, we may know it's IP, name and the fact that it has port 135 open. This at least is a good indication that the device is likely a Windows machine. So we know "something". More than just "there is something at this IP". That is now an Unclassified device. We still support Unknown devices as always - for those devices we really know nothing about. An example of this screen is below. We also provide a quick link to creating credentials when a service (SSH, WMI, SNMP) has been identified, but we were not able to authenticate to it.

We think these display improvements will go a long way to assisting you to remove any Unknown or Unclassified devices that are on your network.

Click to enlarge.

 

Wrap Up

This new functionality makes Open-AudIT a powerful and easy to use discovery solution while providing great flexibility for advanced users.

I hope you enjoy the new features as much as our test customers and I do.

 

Mark Unwin.

 

 

 

 

Open-AudIT 2.2.0 released

We've released version 2.2.0 of Open-AudIT today. As outlined on the release notes page, this release concentrates on the new Dashboards and Widgets features. Open-AudIT can be downloaded here.

Open-AudIT 2.1.1 released

We've released version 2.1.1 of Open-AudIT today. As outlined on the release notes page, this is primarily a maintenance release with no new features. Open-AudIT can be downloaded here.

Your antivirus console should tell you which PCs have their antivirus software installed. But will it tell you which PCs don’t have their antivirus software installed? What about your server’s that live in a DMZ or another disconencted network? What about antivirus software from another vendor?

Because Open-AudIT captures the programs installed on a PC, Open-AudIT can report on specific installed programs very easily.

Open-AudIT contains a query for installed antivirus software which will tell you not only which PCs have which antivirus software installed, but also those without antivirus software installed.

Information is presented in an easily readable table format that is exportable to CSV (Excel), HTML, XML and JSON formats.

This is a very simple query and can easily be extended by the user to add additional software names when checking (if your antivirus software name doesn’t match the default names provided).

To enable the query go to menu -> Admin -> Queries -> Activate Query. You will see a list of available queries. Click the ‘tick’ icon on the right side to activate the “Installed Antivirus” query and make it appear in your menu’s.

Now go back to the homepage and click on the name of a group.

Once you see that group of devices, click menu -> Queries -> Installed – Antivirus.

Done. How easy was that!