Tuesday, November 3, 2009

Apologies

Apologies for the lack of recent updates.
Unfortunately, not a great deal has happened lately.
Damn "real life" keeps getting in the way.
So, what HAVE I managed to do...

Well, I have a MSSQL Server compatible database script.
I am working on a bug in the Software audit processing routine.

For an Alpha, I'd like to get basic functionality complete. By basic functionality I mean:
* Audit script runs on PCs and submits to database.
* Users can be created and assigned rights to groups.
* Groups can be created/edited/deleted.
* Devices can be viewed with all submitted audit details.
* Devices can have their "manual" fields edited.
* "List" type pages (based on groups) complete.
Most of these items are nearly complete (as in 90%). It is more a matter of "finishing them off".
Realistically, I think it would be (maybe) 30 hours work. Not sure there. Might be way off.

My main problem is having a "real" job and a young family (and a slight World of Warcraft addiction, forgive me).

I also have to go back through the models (in CodeIgniter) and check the functions work with MSSQL. I've had a few enquiries about MSSQL compatibility lately, and want to make sure it's all OK. I've also had people say they (think Govt Dept Managers) don't want to use OpenSource. Not PHP, Linux, Apache or MySQL. They would like it rewritten in DotNet and MSSQL. It's frustrating that people STILL have this attitude. I don't mind catering to database abstraction, but the actual code??? Sure, I'll just re-write the complete application, because you have a completely misguided notion of what "secure" means... sigh. Apologies for the slight rant.

Anyway - what you all want to know (well, the two people who bother to read this) is "WHEN CAN WE HAVE THE CODE?". All I can say is that there's not that much left to do for an Alpha and I want it done as much as you do.

Tuesday, July 14, 2009

Comparisons, Templates and Items

Bit of a brain dump here.
Apologies if it doesn't make much sense.
Was talking with some colleagues this morning, and the subject came up of reporting on systems with a config (or sections of a config) that do not match the SOE.
Naturally, I am thinking in terms of OAv2 and what its database can provide.

Brain dump follows.


Want to compare items on a system with predefined items or a template.
Say we want to check a group of systems (WinXP) have a specific list of Group Accounts and that those Groups consist of a given list of Users & Groups.
Take a given system that fits what we want to check, click "make a template".
Details on selected sections (thinking DB tables), ie - Groups for example are "imported" into a table and flagged as "Template 1".
Compare the systems in a given group to the "Template 1".
Report differences -
group does not exist,
group exists and is the same,
group exists but has these differences,
this additional group exists.

That would compare against all items (say all groups) on a group of systems.
Remember - a single system can belong to its own group, so single systems are catered for.
Also need to define a single item, ie - software called "XYZ".
Need to compare against all systems in a group - the single line item.
Report differences -
software exists
software does not exist
software exists with a differing version number

End goal - show me all our systems that do not meet a given Template, and give me the reasons they don't.

Code in such a way to allow for abstraction - don't care what item or table is catered for in a template. Can compare on a complete system or just selected tables (users, software, groups, etc, etc).
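A sketch of the comparison described above, added here as an illustration and not taken from OAv2. The data shapes (a section as a mapping of item name to value), the function names and the sample systems are all assumptions; it covers both the whole-section case (groups and their members) and the single line item case (software "XYZ").

```python
# Added illustration. Data shapes and names are assumptions, not OAv2's schema.

def _detail(expected, actual):
    """Describe how one item deviates from the template."""
    if isinstance(expected, (set, frozenset)):   # e.g. group membership
        return {"missing": sorted(expected - actual),
                "extra": sorted(actual - expected)}
    return {"expected": expected, "actual": actual}  # e.g. software version


def compare_to_template(template, section, report_additional=True):
    """Compare one system section with a template; both map item -> value."""
    findings = []
    for name in sorted(template):
        if name not in section:
            findings.append((name, "missing", None))
        elif section[name] == template[name]:
            findings.append((name, "same", None))
        else:
            findings.append((name, "different",
                             _detail(template[name], section[name])))
    if report_additional:   # switch off for a single line item such as "XYZ"
        for name in sorted(set(section) - set(template)):
            findings.append((name, "additional", None))
    return findings


def non_compliant(template, systems, report_additional=True):
    """Return {system: deviations} for systems that do not meet the template."""
    report = {}
    for host in sorted(systems):
        found = compare_to_template(template, systems[host], report_additional)
        deviations = [f for f in found if f[1] != "same"]
        if deviations:
            report[host] = deviations
    return report


# Constructed sample data: "Template 1" made from a reference WinXP system.
TEMPLATE_1 = {"Administrators": {"Administrator", "Domain Admins"},
              "Remote Desktop Users": {"helpdesk"}}
GROUPS = {"pc-001": {"Administrators": {"Administrator", "Domain Admins"},
                     "Remote Desktop Users": {"helpdesk"}},
          "pc-002": {"Administrators": {"Administrator", "Domain Admins", "bob"},
                     "Debugger Users": {"bob"}}}
SOFTWARE = {"pc-001": {"XYZ": "2.1", "Other": "1.0"}, "pc-002": {"XYZ": "2.0"}}
```

Calling `non_compliant(TEMPLATE_1, GROUPS)` lists only the systems that fail the template, each with its reasons; `non_compliant({"XYZ": "2.1"}, SOFTWARE, report_additional=False)` is the single line item check.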

Brain dump finished.
Apologies if that doesn't make much sense...

Tuesday, May 19, 2009

Bling

Added some sparkle to the List pages today.
When you mouse over a system, you get selected details appearing.
Done via jQuery and ajax.

Monday, May 18, 2009

Quick OAv2 update

Just a quick one.

I now have columns on the list page, for any group, displaying selected fields associated with that group. You're probably now saying "what the?".

Let me explain.

On any given Group List page, you see a list of devices in that group. Previously, the columns that were displayed were static (set in the display code). The columns were System Name, Description, IP Address, OS Type, OS Name, Tags. If you wanted something with different columns, you would need to code the PHP display stuff in the View. Now, you can add and remove columns on a per group basis and it's stored in the database. Instant reporting !!! Sweet.

Think of this...

You create a dynamic group. That group includes any systems that have Apache installed. On the list page for that group you might also include the Apache version number (for instance).

This is available on a per group basis. You can define if a column has a link, and what to. If a column just displays text or is an image. This should alleviate a _lot_ of the requests we currently receive in Open-AudIT like "Can you make me a report page that shows blah...". Also, because they're defined in the app and the definitions are stored in the database, you can update the base OAv2 code and not lose your custom reports.

Now I just need to front end it... sigh.

Thursday, May 14, 2009

Nominate Open-AudIT in the Sourceforge Community Choice Awards

Anyone who likes what we're doing (or what we've done) with Open-AudIT could do us a favor. Go to the Open-AudIT homepage and click the shiny picture (or just click the one below). Don't forget to enter your email address and click the link in the email sent to you to confirm the vote.

Thanks in advance.

Thursday, April 30, 2009

Open-AudIT as a CMDB

So, I've been thinking about CMDBs (Configuration Management Databases) and how Open-AudIT can be used.

Essentially, I am thinking a CMDB is a list of CI's (Configuration Items) and their relationships (to other CI's). Open-AudIT contains a large list of details about many items - so there's a list of CI's right there. All we really need to do is to define how these CI's relate to one another.

I have encapsulated this data in essentially two tables. Table one defines a CI. What is it ? What table (and row) is it in ? Some other details not automatically captured by the audit scripts. Another table detailing the relationship between the CI's. The two CI's concerned. The type of relationship. Any credentials used, etc.

A large amount of this can be automatically populated, upon initial setup of a CI. I am thinking about the logic needed to auto create a number of CI's and their relationships by "following" the trail through the OAv2 database, linking them up.

I have also created a third table, essentially to say "These CI's (and their associated relationships) belong to this particular 'CMDB App'". So you can create a CMDB App of, say, a particular web application. Example CI's would be the website, the database, the users URL, the group of systems accessing it, the database credentials, etc, etc. Wrap the whole thing into a CMDB App, and it then becomes easy to run "what - if" type questions on the CMDB.

What if I change the website from server A to server B ? Show me all the affected CMDB Apps and the specific CI's for each CMDB App. That kind of thing.

I'm still thinking this through, but I think it could be a very powerful and compelling way to utilise the data contained within Open-AudIT.

Any comments and suggestions are more than welcome.

Monday, April 27, 2009

User Access Levels

So, I am coding OAv2 with different levels of User access.
Basically, all Users have access of varying levels to different Groups.
A Group is a selection of systems (PCs, Printers, Switches, et al).
Bear in mind most systems will belong to several groups. If a system is in both a group with visibility and without, it _will_ be shown.

Below when I refer to a Group, this means the Group and the Systems that belong to it.

My Group access levels are below:
0 - No visibility of the group.
2 - Group visible in "list" type pages only. No "details" pages on individual items.
4 - Group visible in "list" type pages. "Details" pages on individual items. No "sensitive" class of information visible (CD Keys, etc).
6 - Group visible in "list" type pages. "Details" pages on individual items. "Sensitive" class of information visible (CD Keys, etc).
8 - Group visible in "list" type pages. "Details" pages on individual items. "Sensitive" class of information visible (CD Keys, etc). Fields belonging to system are editable.

The code for this is in place, but I have to audit the pages making sure it's implemented at a page level.


As well as the Group level access there is a single flag to indicate if a User is an Administrator of the application.

The Users that are designated "administrator" level access will be able to CRUD Groups and Users. "Normal" application users will not be able to CRUD Groups and Users.

If anyone can think of other User access levels, please let me know.
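The access levels above expressed as one central check that every page can call, added here as an illustration and not taken from OAv2. The field name `cd_key`, the data shapes and the sample users are assumptions; the rule that the highest level across a system's groups wins follows from the statement that a system in both a visible and a non-visible group is shown.

```python
# Added illustration. Names and data shapes are assumptions, not OAv2 code.
from enum import IntEnum


class Access(IntEnum):
    NONE = 0        # no visibility of the group
    LIST = 2        # "list" pages only
    DETAILS = 4     # plus "details" pages, sensitive fields hidden
    SENSITIVE = 6   # plus sensitive fields (CD keys, etc.)
    EDIT = 8        # plus editing of the system's fields


SENSITIVE_FIELDS = {"cd_key"}  # assumed field name


def effective_access(user_rights, system_groups):
    """Highest level the user holds over any group containing the system.

    A group the user has no entry for counts as NONE (default deny), and a
    system in both a visible and a non-visible group is shown.
    """
    levels = [user_rights.get(g, Access.NONE) for g in system_groups]
    return Access(max(levels, default=Access.NONE))


def details_view(user_rights, system):
    """Return the fields a details page may show, or None if it must refuse."""
    level = effective_access(user_rights, system["groups"])
    if level < Access.DETAILS:
        return None
    return {k: v for k, v in system["fields"].items()
            if level >= Access.SENSITIVE or k not in SENSITIVE_FIELDS}


def can_edit(user_rights, system):
    return effective_access(user_rights, system["groups"]) >= Access.EDIT


def can_manage_groups_and_users(user):
    """CRUD on Groups and Users depends only on the administrator flag."""
    return bool(user.get("is_admin", False))


# Constructed sample data.
PC = {"groups": ["Windows", "192.168.0.0/24"],
      "fields": {"name": "pc-001", "os": "WinXP", "cd_key": "XXXXX-XXXXX"}}
ALICE = {"is_admin": False, "rights": {"Windows": 4, "192.168.0.0/24": 0}}
BOB = {"is_admin": False, "rights": {"Windows": 2}}
CAROL = {"is_admin": True, "rights": {"192.168.0.0/24": 8}}
```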

Weekend Coding

Got a couple of neat things done on the weekend.

Wrote a function to log database calls to FirePHP. Every query now logs time to execute, rows returned/affected, SQL string, function performing the call. 3 lines of code needed for each SQL call. Very nice.

EDIT - this is mainly for debugging purposes. The App itself has an internal audit trail of who changed what, and when...

Finally got around to making the app create groups automatically, based on network segment. For example, if you audit a PC that is on 192.168.0.50 255.255.255.0 the app checks if there is a group that fits these criteria (192.168.0.0/24). If it exists, the PC is added to that group, if it doesn't exist it's created and the PC added. I just have to finish the assigning of User rights to the newly created group.
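The find-or-create step described above, added here as an illustration and not taken from OAv2. Function names, the dictionary used in place of the groups table and the sample submissions are assumptions.

```python
# Added illustration. Function and variable names are assumptions, not OAv2 code.
import ipaddress


def segment_for(ip, netmask):
    """Return the network an audited address belongs to, e.g. 192.168.0.0/24.

    strict=False masks off the host bits; a malformed address or a
    non-contiguous netmask raises ValueError instead of creating a bogus group.
    """
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def assign_to_segment_group(groups, system, ip, netmask):
    """Add system to the group for its segment, creating the group if needed.

    groups maps a network in CIDR form to the set of member systems.
    Returns (cidr, created).
    """
    cidr = str(segment_for(ip, netmask))
    created = cidr not in groups
    groups.setdefault(cidr, set()).add(system)
    return cidr, created


# Constructed sample audit submissions: (system, ip, netmask).
SUBMISSIONS = [
    ("pc-001", "192.168.0.50", "255.255.255.0"),
    ("pc-002", "192.168.0.77", "255.255.255.0"),
    ("srv-01", "10.1.2.3", "255.255.0.0"),
]


def build_groups(submissions):
    """Process submissions in order; return the groups and a per-system log."""
    groups, log = {}, []
    for system, ip, netmask in submissions:
        log.append(assign_to_segment_group(groups, system, ip, netmask))
    return groups, log
```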


As an aside, I installed Ubuntu 9.04 (Jaunty Jackalope) on the weekend. I also re-installed Windows XP. It amazes me that people say Linux is difficult to install. Obviously they haven't tried it for years. Ubuntu install == 1 hour (installed, patched, configured). Windows XP install == 4 hours (installed, patched, configured + some additional apps). Windows, with the need to install drivers and reboot, install patches and reboot and install additional applications to get a functional system, is so much slower and more difficult. I implore anyone reading this - go download Ubuntu and try it. You can do so without affecting your installed system (Ubuntu has what's called a "Live CD" - boot from it and you can try the OS without affecting your Windows install).

Ubuntu user since 5.04 and loving it more with every release. [/Zealot rant] :-)

Wednesday, April 22, 2009

Status Update

| Task | Status |
|---|---|
| Audit results in XML format | done |
| Multiple levels of user access | done |
| Auto assigned groups (Linux, Windows, Database, Web Server, etc) | done |
| User Defined static and dynamic groups | done |
| Auto created groups (based on network segment) | in progress |
| Audit results encrypted using PKI | proof code complete |
| Audit initiated from Linux server | proof code complete |
| Auto generate network maps using GraphML markup (yEd - http://www.yworks.com/) | proof code complete |
| Alerting based on per User + Group + alert type + interval (immediate, daily, weekly) | idea |
| Each group can have displayed columns defined | idea |

Friday, April 3, 2009

Debug with FirePHP

I am using FirePHP to write debug messages. It works with CodeIgniter quite well. There's a simple flag (TRUE / FALSE) in a config file to enable it.

When enabled, every SQL statement along with a returned record count (in the case of a SELECT) is dumped to the console. Nice. Easy to see where you go wrong in your SQL statements. IE - "well, that query should have returned 100 rows - why is it returning 10?". It also has the nice side effect of displaying when a given query runs more than once. I had some logic in code that was causing one SQL statement to be run 4 or 5 times. Output to the web page was fine, though. Using the FirePHP debugger, I soon realised that "Hey, how come that statement appears several times ?".

One other gotcha is that if you don't have FirePHP installed, but run with debugging on - it borks badly. I have to confirm this, but worst case... It should be off in production, anyway.

EDIT - no, it doesn't bork. It's fine to run with debug = on and not have FirePHP installed. I must have been having a bad hair day !!!

EDIT #2 - In Xampp (Windows) you need to alter the php.ini. In an Ubuntu LAMP install, you don't.

Stay tuned.

Monday, March 23, 2009

Tech used by OAv2

A LAMP stack. Personally, I use Ubuntu, Apache, PHP, MySQL but OAv2 should be quite portable as far as databases and webservers go.
CodeIgniter for a PHP framework.
jQuery for a JavaScript abstraction framework.
XML Charts for pretty graphs.
The Tango icon set.
NMAP for network scanning.
WINexe for running programs on Windows machines, from Linux.

Weekend Work - organising directories in OAv2

So, I'm using the CodeIgniter framework for OAv2. Best practice states you should move any sensitive files (think config.php) out of your web directories. So, a few hours and a few periods of WTF, and I have the application separated into two main sections.

Inside /var/www is index.php along with the JavaScript, css and images files. In another directory (outside the web) is the rest of the framework and application. It's working well. I think the directory structure I'll use will be along the lines of:

/var/www
/usr/bin/OAv2/codeigniter
/usr/bin/OAv2/scripts

Oh - as for Windows installs.... well, they're secondary. I plan to be able to run everything from a Debian/Ubuntu install. There should be no need for a Windows machine. This includes auditing a Windows Domain. Having said that, I'll probably expend a limited amount of effort to get it working under Windows....

Hello World

Well, I figured I should get some things down "in print", and a blog is as good a place as any - hence "Hello World", and here we are.

I've never blogged before, so please excuse any foobars, at least initially.

I plan for this blog to be (mainly) about the experience of re-writing Open-AudIT (OAv2). What I'm doing, reasons for decisions, updates and all that stuff. There will be a few notes on tech I am researching and how it could be used for OAv2.

For anyone that doesn't know, Open-AudIT (http://www.open-audit.org) is free software (GPL Licensed) for keeping track of the devices on your network and their configuration. OAv2 builds upon this notion with comprehensive alerting, multiple users, groups and tagging and a whole host of new features.

Needless to say - "Stay Tuned"...