Files
Introduction
Open-AudIT can now retrieve details about a file or directory of files and monitor these files for changes as per other attributes in the Open-AudIT database.
This feature works out of the box for Linux Open-AudIT servers, but needs a change to the service account name under a Windows Open-AudIT server.
Supported clients are Windows and Linux.
How does it Work?
When a device is Discovered the audit script will be injected with the file (or directory) details. Both audit_linux.sh and audit_windows.vbs will be populated, regardless of the file path. If you're thinking "but putting a Linux path into a Windows machine will break things!", it won't break, you just won't receive any data from that file or directory entry.
Retrieved details will be stored in the "file" database table and are stored like any other attribute. File details will be stored as any other attribute and generate alerts if any of the following attributes change - 'full_name', 'hash', 'inode', 'last_changed'. The table contain a system_id, first_seen, last_seen and current columns as well as the file details.
Attributes recorded are:
Windows - name, size, directory, SHA1 hash (of the file contents), last changed, permissions, owner, version (file permitting).
Linux - name, size, directory, SHA1 hash (of the file contents), last changed, meta data last changed, permissions, owner, group, inode.
You will see a section in both the Windows and Linux audit scripts as below:
# DO NOT REMOVE THE LINE BELOW
# Configuration from web UI here
Below these lines are where the variables are injected into the script. Following on from our earlier example, the Linux audit script is populated with our directory like so:
# DO NOT REMOVE THE LINE BELOW
# Configuration from web UI here
files[1]="/etc/init.d/"
The audit script will use the files[ ] array and retrieve the file details.
If you would like to use the script outside of Discovery we have created another endpoint called "scripts". See the documentation here - Scripts.
Creating File Entries
To create an entry to track either a single file or a directory of files, use Open-AudIT Enterprise and go to menu: Discover-> Files -> Create Files. Create a file by providing values for the path (either the file or a directory with a trailing slash) and an optional description. Click Submit. Once you have created the file you will see it appear in the list at Discover -> Files -> List Files.
An entry will be create in the Open-AudIT database, in the "files" table.
Viewing File Details
Go to menu: Discover -> Files -> List Files.
Enabling the Feature Under Windows
There is no need to do anything if you're running Open-AudIT on a Linux server.
Windows clients are just fine and require no special actions, however.... to enable this feature the audit script must be run locally on the target Windows system. It cannot be run remotely as we do with WMI calls when running the audit script on one Windows machine, while targeting a second Windows machine. To do this we need to copy the audit script to the target Windows machine and then run it. Unfortunately the service account that Apache runs under is the Local System account. This account has no access to remote (network based) resources. To work around this issue the service must be run under another account. It is easiest to just use the local Administrator account, but you can try any account you like as long as it has the required privileges. The Local System account has as much local access as the local Administrator account.
Navigate to the Service list.
Double click the apache 2.2 service.
Click the tab for logon and then click the "this account" option. You might want to click the Browse button and search for the account. Click OK and then restart the service.
Apache will now be running under an account with network access and Open-AudIT will now be able to copy the audit script to the target Windows machine and run it, hence retrieving file details.
Database Schema
The database schema can be found in the application is the user has database::read permission by going to menu: Admin -> Database -> List Tables, then clicking on the details button for the table.
API / Web Access
You can access the collection using the normal Open-AudIT JSON based API. Just like any other collection. Please see The Open-AudIT API documentation for further details.