Introduction
You may wish to change the defaults for several sensitive items before deploying Open-AudIT. These are detailed below.
MySQL credentials
Open-AudIT User
Open-AudIT (as per any normal web application) uses a configured set of credentials to access the MySQL database.
...
```php
$db['default']['username'] = "YOUR_USER";
$db['default']['password'] = "YOUR_PASSWORD";
```
Root User
Changing the password of the MySQL root user can also be completed as above. I would recommend the below though, for safety.
...
Log on as the MySQL root user in session #1.
```shell
mysql -u root -p
```
In the second shell (after successfully logging in above) run the below command, substituting YOUR_NEW_ROOT_PASSWORD.
```shell
mysql -u root -p -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = password('YOUR_NEW_ROOT_PASSWORD'); FLUSH PRIVILEGES;"
```
Now try to log in using that same (second) shell.
```shell
mysql -u root -pYOUR_NEW_ROOT_PASSWORD
```
If you can log in, you're all done!
...
```sql
SELECT User, Host, Password FROM mysql.user;
```
And change the SET PASSWORD command above to reflect the Host value in the second session.
Restricting MySQL to localhost
On our shipped version for Windows, we already restrict to localhost.
On some Linux distributions, you might find MySQL listening on all IP addresses. Unless you have a specific reason for this, it is very much recommended to restrict this to localhost.
You can check the listening address by running the below command.
For Debian and Ubuntu
```shell
sudo grep -R bind /etc/mysql/
```
For Red Hat and CentOS
```shell
sudo grep -R bind /etc/my.cnf.d/
```
If you don't get a result, try running the below netstat command.
```shell
sudo netstat -lntup | grep mysqld
```
If you see an IP address of 0.0.0.0 with a port of (usually) 3306 (as below), this means MySQL is listening on all available IPs.
```
root@dev:/etc/mysql# sudo netstat -lntup | grep mysqld
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 8491/mysqld
```
You should configure the bind-address to be 127.0.0.1 in:
Debian / Ubuntu: /etc/mysql/mariadb.conf.d/50-server.cnf
Red Hat / CentOS: /etc/my.cnf.d/server.cnf
```ini
bind-address = 127.0.0.1
```
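An added example, not part of the Open-AudIT documentation: a shell helper that reads `netstat -lntup` output and labels each MySQL listener as EXPOSED (all interfaces), LOCAL (loopback) or REVIEW (one specific address), so the bind-address change can be confirmed once the service has been restarted. The function names, the sample lines other than the one shown above, and the match on a `mariadbd` process name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Open-AudIT documentation).
# Classify MySQL/MariaDB TCP listeners from `netstat -lntup` output on stdin.
classify_mysql_listeners() {
    awk '
        # Fields: $4 = local address:port, $6 = state, $7 = PID/program name.
        # Newer MariaDB releases name the daemon mariadbd, so match both names.
        $6 == "LISTEN" && $7 ~ /\/(mysqld|mariadbd)$/ {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)   # text before the port
            verdict = "REVIEW"                     # bound to one specific address
            if (host == "0.0.0.0" || host == "::")    verdict = "EXPOSED"
            if (host ~ /^127\./ || host == "::1")     verdict = "LOCAL"
            print verdict, host, port
        }'
}

# Exit 0 only when every listener found is loopback-only (or there is none).
mysql_is_local_only() {
    ! classify_mysql_listeners | grep -Eq '^(EXPOSED|REVIEW) '
}

# Constructed sample input: the line shown on this page plus an IPv6 wildcard.
sample_before() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:3306    0.0.0.0:*    LISTEN   8491/mysqld
tcp6       0      0 :::3306         :::*         LISTEN   8491/mysqld
tcp        0      0 0.0.0.0:22      0.0.0.0:*    LISTEN   702/sshd
EOF
}
# Constructed sample input: the same host after setting bind-address.
sample_after() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:3306  0.0.0.0:*    LISTEN   9120/mariadbd
tcp        0      0 0.0.0.0:22      0.0.0.0:*    LISTEN   702/sshd
EOF
}

# On a live host: sudo netstat -lntup | classify_mysql_listeners
sample_before | classify_mysql_listeners
sample_after | mysql_is_local_only && echo "MySQL is loopback-only"
```

Run netstat with sudo, as on this page; without it the PID/program column is blank and no listener will match.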
Credentials Encryption Key
Open-AudIT encrypts credentials when it stores them in the database, but we must be able to decrypt them in order to use them when querying devices. Because this is reversible encryption, we need a shared secret (or key). This is kept in the file:
...
Exporting, deleting and importing can be done using the GUI.
Admin User and Licensing
You are free to change the password for the Admin user, but the user name itself should be left as is. If it is changed, the license entry will be broken.
This is because at the moment we restrict access to the license functionality based on username, with no GUI options to change it.
If you must change the username, set your license before doing so.
This will be addressed in a future version; however, Opmantek can be contacted to walk you through editing files and inserting a license if absolutely required. This is non-trivial.