So, I've been thinking about CMDB's (Configuration Management Database's) and how Open-AudIT can be used.
Essentially, I am thinking a CMDB is a list of CI's (Configuration Items) and their relationships (to other CI's). Open-AudIT contains a large list of details about many items - so there's a list of CI's right there. All we really need to do is to define how these CI's relate to one another.
I have encapsulated this data in essentially two tables. Table one defines a CI. What is it ? What table (and row) is it in ? Some other details not automatically captued by the audit scripts. Another table detailing the relationship between the CI's. The two CI's concerned. The type of relationship. Any credentials used, etc.
A large amount of this can be automatically populated, upon initial setup of a CI. I am thinking about the logic needed to auto create a number of CI's and their relationships by "following" the trail through the OAv2 database, linking them up.
I have also created a third table, essentially to say "These CI's (and their associated relationships) belong to this particular 'CMDB App'". So you can create a CMDB App of, say, a particular web application. Example CI's would be the website, the database, the users URL, the group of systems accessing it, the database credentials, etc, etc. Wrap the whole thing into a CMDB App, and it then becomes easy to run "what - if" type questions on the CMDB.
What if I change the website from server A to server B ? Show me all the affected CMDB Apps and the specific CI's for each CMDB App. That kind of thing.
I'm still thinking this through, but I think it could be a very powerful and compelling way to utilise the data contained within Open-AudIT.
Any comments and suggestions are more than welcome.
Thursday, April 30, 2009
Monday, April 27, 2009
User Access Levels
So, I am coding OAv2 with different levels of User access.
Basically, all Users have access of varying levels to different Groups.
A Group is a selection of systems (PCs, Printers, Switches, et al).
Bear in mind most systems will belong to several groups. If a system is in both a group with visibility and without, it _will_ be shown.
Below when I refer to a Group, this means the Group and the Systems that belong to it.
My Group access levels are below:
0 - No visibility of the group.
2 - Group visible in "list" type pages only. No "details" pages on individual items.
4 - Group visible in "list" type pages. "Details" pages on individual items. No "sensitive" class of information visible (CD Keys, etc).
6 - Group visible in "list" type pages. "Details" pages on individual items. "Sensitive" class of information visible (CD Keys, etc).
8 - Group visible in "list" type pages. "Details" pages on individual items. "Sensitive" class of information visible (CD Keys, etc). Fields belonging to system are editable.
The code for this is in place, but I have to audit the pages making sure it's implemented at a page level.
As well as the Group level access there is a single flag to indicate if a User is an Administrator of the application.
The Users that are designated "administrator" level access will be able to CRUD Groups and Users. "Normal" application users will not be able to CRUD Groups and Users.
If anyone can think of other User access levels, please let me know.
Basically, all Users have access of varying levels to different Groups.
A Group is a selection of systems (PCs, Printers, Switches, et al).
Bear in mind most systems will belong to several groups. If a system is in both a group with visibility and without, it _will_ be shown.
Below when I refer to a Group, this means the Group and the Systems that belong to it.
My Group access levels are below:
0 - No visibility of the group.
2 - Group visible in "list" type pages only. No "details" pages on individual items.
4 - Group visible in "list" type pages. "Details" pages on individual items. No "sensitive" class of information visible (CD Keys, etc).
6 - Group visible in "list" type pages. "Details" pages on individual items. "Sensitive" class of information visible (CD Keys, etc).
8 - Group visible in "list" type pages. "Details" pages on individual items. "Sensitive" class of information visible (CD Keys, etc). Fields belonging to system are editable.
The code for this is in place, but I have to audit the pages making sure it's implemented at a page level.
As well as the Group level access there is a single flag to indicate if a User is an Administrator of the application.
The Users that are designated "administrator" level access will be able to CRUD Groups and Users. "Normal" application users will not be able to CRUD Groups and Users.
If anyone can think of other User access levels, please let me know.
Weekend Coding
Got a couple of neat things done on the weekend.
Wrote a function to log database calls to FirePHP. Every query now logs time to execute, rows returned/affected, SQL string, function performing the call. 3 lines of code needed for each SQL call. Very nice.
EDIT - this is mainly for debugging purposes. The App itself has an internal audit trail of who changed what, and when...
Finally got around to making the app create groups automatically, based on network segment. For example, if you audit a PC that is on 192.168.0.50 255.255.255.0 the app checks if there is a group that fits these criteria (192.168.0.0/24). If it exists, the PC is added to that group, if it doesn't exist it's created and the PC added. I just have to finish the assigning of User rights to the newly created group.
As an aside, I installed Ubuntu 9.04 (Jaunty Jackalope) on the weekend. I also re-installed Windows XP. It amazes me that people say Linux is difficult to install. Obviously they haven't tried it for years. Ubuntu install == 1 hour (installed, patched, configured). Windows XP install == 4 hours (installed, patched, configured + some additional apps). Windows, with the need to install drivers and reboot, install patches and reboot and install additional applications to get a functional system, is so much slower and more difficult. I implore anyone reading this - go download Ubuntu and try it. You can do so without affecting your installed system (Ubuntu has what's called a "Live CD" - boot from it and you can try the OS without affecting your Windows install).
Ubuntu user since 5.04 and loving it more with every release. [/Zealot rant] :-)
Wrote a function to log database calls to FirePHP. Every query now logs time to execute, rows returned/affected, SQL string, function performing the call. 3 lines of code needed for each SQL call. Very nice.
EDIT - this is mainly for debugging purposes. The App itself has an internal audit trail of who changed what, and when...
Finally got around to making the app create groups automatically, based on network segment. For example, if you audit a PC that is on 192.168.0.50 255.255.255.0 the app checks if there is a group that fits these criteria (192.168.0.0/24). If it exists, the PC is added to that group, if it doesn't exist it's created and the PC added. I just have to finish the assigning of User rights to the newly created group.
As an aside, I installed Ubuntu 9.04 (Jaunty Jackalope) on the weekend. I also re-installed Windows XP. It amazes me that people say Linux is difficult to install. Obviously they haven't tried it for years. Ubuntu install == 1 hour (installed, patched, configured). Windows XP install == 4 hours (installed, patched, configured + some additional apps). Windows, with the need to install drivers and reboot, install patches and reboot and install additional applications to get a functional system, is so much slower and more difficult. I implore anyone reading this - go download Ubuntu and try it. You can do so without affecting your installed system (Ubuntu has what's called a "Live CD" - boot from it and you can try the OS without affecting your Windows install).
Ubuntu user since 5.04 and loving it more with every release. [/Zealot rant] :-)
Wednesday, April 22, 2009
Status Update
| Task | Status |
|---|---|
| Audit results in XML format | done |
| Multiple levels of user access | done |
| Auto assigned groups (Linux, Windows, Database, Web Server, etc) | done |
| User Defined static and dynamic groups | done |
| Auto created groups (based on network segment) | in progress |
| Audit results encrypted using PKI | proof code complete |
| Audit initiated from Linux server | proof code complete |
| Auto generate network maps using GraphML markup (yEd - http://www.yworks.com/) | proof code complete |
| Alerting based on per User + Group + alert type + interval (immediate, daily, weekly) | idea |
| Each group can have displayed columns defined | idea |
Friday, April 3, 2009
Debug with FirePHP
I am using FirePHP to write debug messages. It works with CodeIgniter quite well. There's a simple flag (TRUE / FALSE) in a config file to enable it.
When enabled, every SQL statement along with a returned record count (in the case of a SELECT) is dumped to the console. Nice. Easy to see where you go wrong in your SQL statements. IE - "well, that query should have returned 100 rows - why is it returning 10?". It also has the nice side effect of displaying when a given query runs more than once. I had some logic in code that was causeing one SQL statement to be run 4 or 5 times. Output to the web page was fine, though. Using the FirePHP debugger, I soon realised that "Hey, how come that statement appears several times ?".
One other gotcha is that if you don't have FirePHP installed, but run with debugging on - it borks badly. I have to confirm this, but worse case... It should be off in production, anyway.
EDIT - no, it doesn't bork. It's fine to run with debug = on and not have FirePHP installed. I must have been having a bad hair day !!!
EDIT #2 - In Xampp (Windows) you need to alter the php.ini. In an Ubuntu LAMP install, you don't.
Stay tuned.
When enabled, every SQL statement along with a returned record count (in the case of a SELECT) is dumped to the console. Nice. Easy to see where you go wrong in your SQL statements. IE - "well, that query should have returned 100 rows - why is it returning 10?". It also has the nice side effect of displaying when a given query runs more than once. I had some logic in code that was causeing one SQL statement to be run 4 or 5 times. Output to the web page was fine, though. Using the FirePHP debugger, I soon realised that "Hey, how come that statement appears several times ?".
One other gotcha is that if you don't have FirePHP installed, but run with debugging on - it borks badly. I have to confirm this, but worse case... It should be off in production, anyway.
EDIT - no, it doesn't bork. It's fine to run with debug = on and not have FirePHP installed. I must have been having a bad hair day !!!
EDIT #2 - In Xampp (Windows) you need to alter the php.ini. In an Ubuntu LAMP install, you don't.
Stay tuned.
Subscribe to:
Posts (Atom)
Posts
