
Removing Default Secrets


Introduction

You may wish to change the defaults for several sensitive items before deploying Open-AudIT. These are detailed below.

MySQL credentials

Open-AudIT User

Open-AudIT (as per any normal web application) uses a configured set of credentials to access the MySQL database.

These can be found in :

Windows: c:\xampp\open-audit\code_igniter\application\config\database.php

Linux: /usr/local/open-audit/code_igniter/application/config/database.php

To create a fresh database user, run the commands below (if using Windows, first run cd c:\xampp\mysql).

If you installed Open-AudIT with a newly installed database, the installer may have let you set the root user password. By default this password is openauditrootuserpassword.

On some Linux distributions, if you sudo su to the root user, no password is required, so remove the -p option from the commands below.

Substitute your username and password for YOUR_USER and YOUR_PASSWORD in the commands below.

mysql -u root -p -e "CREATE USER YOUR_USER@localhost IDENTIFIED BY 'YOUR_PASSWORD';"

mysql -u root -p -e "GRANT ALL PRIVILEGES ON openaudit.* TO YOUR_USER@localhost IDENTIFIED BY 'YOUR_PASSWORD'; FLUSH PRIVILEGES;"

Now test running a query by the command below.

NOTE - There is no space between the -p and YOUR_PASSWORD.

mysql -u YOUR_USER -pYOUR_PASSWORD openaudit -e "SELECT * FROM configuration WHERE name = 'internal_version';"

You should see a result as below.

+-----+------------------+----------+--------+----------+-----------+---------------------+-------------------------------------+
| id  | name             | value    | type   | editable | edited_by | edited_date         | description                         |
+-----+------------------+----------+--------+----------+-----------+---------------------+-------------------------------------+
| 115 | internal_version | 20220126 | number | n        | system    | 2000-01-01 00:00:00 | The internal numerical version.     |
+-----+------------------+----------+--------+----------+-----------+---------------------+-------------------------------------+

Once you have confirmed the user can access the openaudit database, the credentials file needs to be changed.

Edit the database.php file listed above, replacing the username and password fields.

$db['default']['username'] = "YOUR_USER";
$db['default']['password'] = "YOUR_PASSWORD";

Root User

The password of the MySQL root user can also be changed in the same way. For safety, though, I recommend the procedure below.

You will need two shells on the Open-AudIT server open.

Log on as the MySQL root user in session #1.

In the second shell run the below command.

mysql -u root -p -e "USE mysql; SET PASSWORD FOR 'root'@'localhost' = password('YOUR_NEW_ROOT_PASSWORD'); FLUSH PRIVILEGES;"

Now try to log in using that same shell.

If you can log in, you're all done!

If you cannot log in, something has gone wrong - and that is why we have the second session open and already logged in.

Your root user may have different attributes set, such as its Host attribute. Use the session that is already logged in to check, as below.

SELECT User, Host, Password FROM mysql.user;


Restricting MySQL to localhost

The version we ship for Windows is already restricted to localhost.

On some Linux distributions, you might find MySQL listening on all IP addresses. Unless you have a specific reason for this, it is very much recommended to restrict this to localhost.

You can check the listening address by running the below command.

sudo grep -R bind /etc/mysql/
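The grep above shows every bind-address line, commented or not, across the config tree. The script below is an added example (not Open-AudIT's own tooling) that narrows that down to the value the server will actually use and reports whether it is loopback-only. It assumes the configuration lives in a directory of *.cnf files, as on Debian/Ubuntu under /etc/mysql/, and it approximates MySQL's include order by reading the files in sorted path order; a missing bind-address line is treated as listening on all interfaces, which is the server default.

```shell
#!/bin/sh
# Added example, not part of Open-AudIT: report the effective MySQL/MariaDB
# bind-address from a directory of *.cnf files and flag anything that is not
# loopback-only. Assumptions: files are read in sorted path order (an
# approximation of the server's !includedir handling), sections are ignored,
# and an absent setting means the default of listening on all interfaces.
set -eu

# Print the effective bind-address for a config tree. Commented lines are
# skipped and, as in MySQL, a later setting overrides an earlier one.
# Prints "*" when no setting is found.
effective_bind_address() {
    conf_dir="$1"
    v=$(find "$conf_dir" -type f -name '*.cnf' | sort | while IFS= read -r f; do
            sed -n 's/^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f"
        done | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf '%s\n' '*'
    fi
}

# Exit status 0 when the address only allows local connections.
is_loopback_only() {
    case "$1" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict; exit status 1 when remote TCP connections are possible.
check_mysql_bind() {
    addr=$(effective_bind_address "$1")
    if is_loopback_only "$addr"; then
        echo "OK: bind-address = $addr (local connections only)"
        return 0
    fi
    echo "WARNING: bind-address = $addr; MySQL accepts TCP connections from other hosts"
    return 1
}

# Live check on a running server (needs iproute2's ss): which address the
# MySQL port is actually bound to. Not exercised below.
live_listeners() {
    ss -ltn 2>/dev/null | grep ':3306' || echo "nothing listening on 3306 (or ss unavailable)"
}

# Demonstration on a constructed config tree; on a real host pass /etc/mysql.
demo_dir=$(mktemp -d)
printf '[mysqld]\n# bind-address = 0.0.0.0\nbind-address = 127.0.0.1\n' > "$demo_dir/my.cnf"
check_mysql_bind "$demo_dir" || true
rm -rf "$demo_dir"
```

On a real host run check_mysql_bind /etc/mysql after any change and restart the service; if the verdict and live_listeners disagree, the running server is reading a file the script did not see.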


Credentials Encryption Key

Open-AudIT encrypts credentials when it stores them in the database, but we must be able to decrypt them in order to use them when querying devices. Because this is reversible encryption, we need a shared secret (or key). This is kept in the file:

Windows: c:\xampp\open-audit\code_igniter\application\config\config.php

Linux: /usr/local/open-audit/code_igniter/application/config/config.php

Look for the variable as below.

$config['encryption_key'] = "openaudit";

Warning - If you are using the Collectors feature of Open-AudIT Enterprise, this key must be changed on ALL instances - both Server and Collector(s).

Warning #2 - If you already have credentials stored in the database, changing this key will make them impossible to decrypt. I'd suggest exporting the credentials, deleting them all, changing the key, then importing them.

Exporting, deleting and importing can all be done using the GUI.
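Both the database.php credential change earlier on this page and the encryption_key change here come down to replacing one double-quoted string on one PHP line. The script below is an added example, not Open-AudIT's own tooling, that does that edit with a backup, generates random hex values that need no quoting in sed, PHP or the page's CREATE USER command, and checks whether encryption_key still holds the shipped default "openaudit". It assumes the line shapes shown on the page (one assignment per line, value in double quotes, terminated by a semicolon) and runs its demonstration on constructed copies of the two files rather than the real paths.

```shell
#!/bin/sh
# Added example; not Open-AudIT's own tooling. Rewrites the double-quoted
# string on a PHP config line such as
#   $db['default']['password'] = "YOUR_PASSWORD";
#   $config['encryption_key'] = "openaudit";
# keeping a .bak copy. Assumes one assignment per line, value in double
# quotes, terminated by ";". Values containing a double quote are not handled.
set -eu

# 32 hex characters from /dev/urandom. Hex needs no quoting in sed, PHP or
# SQL, so a value from here can also be used in the page's CREATE USER command.
random_hex32() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Escape what is special on the right-hand side of a sed s|||-command:
# &, the | delimiter and backslash.
sed_escape() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# Turn a literal left-hand side like $db['default']['username'] into a BRE.
lhs_regex() {
    printf '%s' "$1" | sed 's/[[$.*^\\]/\\&/g'
}

# get_php_value FILE LHS -> prints the current string value (empty if absent)
get_php_value() {
    sed -n "s|^$(lhs_regex "$2")[[:space:]]*=[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$1"
}

# set_php_value FILE LHS VALUE -> rewrites the line, backup kept in FILE.bak
set_php_value() {
    file="$1"; lhs_re=$(lhs_regex "$2"); repl=$(sed_escape "$3")
    if ! grep -q "^${lhs_re}[[:space:]]*=" "$file"; then
        echo "no assignment to $2 found in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    sed "s|^\(${lhs_re}[[:space:]]*=[[:space:]]*\)\"[^\"]*\";|\1\"${repl}\";|" "$file.bak" > "$file"
}

# still_default FILE LHS DEFAULT -> exit 0 while the setting still holds DEFAULT
still_default() {
    [ "$(get_php_value "$1" "$2")" = "$3" ]
}

# Demonstration on constructed copies of the two files named on this page.
work=$(mktemp -d)
cat > "$work/database.php" <<'EOF'
<?php
$db['default']['username'] = "YOUR_USER";
$db['default']['password'] = "YOUR_PASSWORD";
EOF
cat > "$work/config.php" <<'EOF'
<?php
$config['encryption_key'] = "openaudit";
EOF

new_db_password=$(random_hex32)
new_key=$(random_hex32)
set_php_value "$work/database.php" "\$db['default']['password']" "$new_db_password"
set_php_value "$work/config.php" "\$config['encryption_key']" "$new_key"

if still_default "$work/config.php" "\$config['encryption_key']" openaudit; then
    echo "encryption_key is still the shipped default" >&2
    exit 1
fi
echo "database.php password now: $(get_php_value "$work/database.php" "\$db['default']['password']")"
echo "config.php encryption_key now: $(get_php_value "$work/config.php" "\$config['encryption_key']")"
rm -rf "$work"
```

The still_default check is the useful part for a post-install review: run it against the real config.php with the default "openaudit" (and against database.php with whatever credentials your installer shipped) before putting the server on a network, and remember that on an Enterprise deployment with Collectors the new key has to land on every instance.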



