.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """"""""""""""""""""

.. meta::
  :description: Using the WAPT packages and audit data into plugins for external services
  :keywords: WAPT, advanced, features, documentation, GLPI, Cyberwatch

.. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png
  :scale: 1%
  :alt: WAPT Enterprise feature only

.. |ok| image:: wapt-resources/icon-ok.png
  :scale: 5%
  :alt: Feature available

.. |nok| image:: wapt-resources/icon-nok.png
  :scale: 5%
  :alt: Feature not available

########################################################################################################
Using audit data into plugins for WAPT package compliance and for external services |enterprise_feature|
########################################################################################################

*******************************************************************
Displaying host audit data in the WAPT Console |enterprise_feature|
*******************************************************************

You can manage audit output and display the audit result if you activate the option in the :menuselection:`View --> Display Preferences` Tab.

Check the :guilabel:`Show host audit data tab` to see the tab :guilabel:`Audit Data` on each client.

.. figure:: wapt-resources/wapt_console_advanced-display-preferences.png
  :align: center
  :alt: Window showing the advanced preferences

  Window showing the advanced preferences

To use audits in WAPT packages, visit :ref:`this page to manage audit_data `.

Displaying encrypted data with a certificate in the audit data tab
==================================================================

With the audit function, it is possible to encrypt sensitive data coming from remote hosts; it will be possible to read the encrypted sensitive data with a certificate installed on the WAPT Administrator's host.

This way, the WAPT Server may store sensitive inventory data without the WAPT Server becoming a sensitive asset.

This method is particularly useful for example for securely managing :abbr:`LAPS (Local Administrator Password Service)` random passwords in WAPT.

In :file:`setup.py`, you can use a function to encrypt data with a certificate.
If you have the private key matching the certificate that was used to encrypt the data, the data will be decrypted and it will appear in a readable form.

Here is an example of code:

.. code-block:: python

  # -*- coding: utf-8 -*-
  import glob

  from setuphelpers import *
  from waptcrypto import print_encrypted_data

  def audit():
      # Example value only: the secret to protect (e.g. a LAPS password)
      randompassword = '1234'
      # Encrypt the value with every certificate (*.crt) found in the current directory
      print_encrypted_data(randompassword, glob.glob('*.crt'))

This code will encrypt the password *1234* with all certificates present on the host that is used to manage WAPT.

From the WAPT Console, you will see in the :guilabel:`audit_data` tab the encrypted version and you can decipher the data with your private key associated with the public certificate that was used to encrypt the data.

.. figure:: wapt-resources/wapt_console_advanced-decrypted-audit-data.png
  :align: center
  :alt: Audit data result showing crypted and decrypted version

.. _wapt_glpi:

***********************************************************
Synchronizing WAPT inventories to GLPI |enterprise_feature|
***********************************************************

Working principle
=================

WAPT Enterprise offers synchronization between the inventories of your hosts and `GLPI `_ :abbr:`ITSM (IT Service Management)` Software.
The method automatically synchronizes changes on your IT infrastructure with the GLPI server.

WAPT can synchronize with GLPI 10 using the native JSON API.

WAPT can synchronize with GLPI version 9.x using the **FusionInventory** plugin with XML format.

.. attention::

  GLPI on WAPT does not work with Kerberos authentication for GLPI.
  If you use Kerberos for GLPI, exclude :file:`glpi/plugins/fusioninventory/` from the :program:`Nginx` authentication.

.. warning::

  If you experience issues with the GLPI server not receiving parts of inventories, you can install the package `tis-audit-glpi-inventory `_ on clients.
  In this way, you will get the official GLPI inventory.

Installing the required dependencies for GLPI 9.x
=================================================

In order to receive inventories on the GLPI server, the **FusionInventory** plugin will need to be installed on the GLPI server.
This is not required for GLPI 10, which has its own native JSON API.

.. note::

  You can `follow this guide to install FusionInventory `_.

After installing :program:`FusionInventory` on the GLPI server, an **endpoint** needs to be configured on the WAPT Server to send the inventories to the GLPI server:

.. code-block:: ini

  http://glpi.mydomain.lan/glpi/plugins/fusioninventory/

Configuring WAPTAgent and sync package
======================================

Install and configure the WAPT Agent on the computer that will run the synchronization.
The WAPTAgent is installed by default on the WAPTServer, it just needs to be configured.

To configure the WAPTAgent, please refer to the corresponding documentation.

Then you need to install the GLPI sync package:

* for GLPI 9.x, you need to install the package `tis-glpi-plugin-export-to-glpi9 `_

* for GLPI 10.x, you need to install the package `tis-glpi-plugin-export-to-glpi10 `_

You need to configure an audit schedule on the agent:

.. code-block:: ini

  [global]
  ...
  waptaudit_task_period=120m
  ...

The chosen package creates two ini files in your $WAPT_INSTALL_DIR/private (linux : :file:`/opt/wapt/private`, windows : :file:`C:\Program Files (x86)\wapt\private`).

Connect to the host and modify the :file:`glpi.ini` and :file:`wapt_api.ini` files.

* For GLPI9:

  .. code-block:: ini

    [glpi]
    username = glpi
    password = xxxxxxx
    url = https://glpi.xx.xxxxx.xx/plugins/fusioninventory/

* For GLPI10:

  .. code-block:: ini

    [glpi]
    username = glpi
    password = xxxxxxx
    url = https://glpi.xx.xxxxx.xx/front/inventory.php

For GLPI10, please also ensure inventory is enabled.

For both GLPI9 and GLPI10:

.. code-block:: ini

  [wapt]
  username = waptregister
  password = waptregister2023!
  url = https://srvwapt.ad.tranquil.it

To test the current configuration, you can trigger an audit:

.. code-block:: bash

  wapt-get audit tis-glpi-plugin-export-to-glpi9
  # or
  wapt-get audit tis-glpi-plugin-export-to-glpi10

Current items sent by WAPT to the GLPI server
=============================================

.. list-table:: Description of items
  :header-rows: 1
  :stub-columns: 1
  :widths: auto
  :align: center

  * - Value
    - Sent
    - Not sent
  * - Computer name
    - |ok|
    -
  * - User name
    - |ok|
    -
  * - Description
    - |ok|
    -
  * - OS name
    - |ok|
    -
  * - OS version
    - |ok|
    -
  * - Language
    - |ok|
    -
  * - CPU
    - |ok|
    -
  * - Memory
    - |ok|
    -
  * - Battery
    - |ok|
    -
  * - Chassis type
    - |ok|
    -
  * - Physical or virtual
    - |ok|
    -
  * - Network card configuration
    - |ok|
    -
  * - Printer list and properties
    - |ok|
    -
  * - Installed software [#f1]_
    - |ok|
    -
  * - Network drives
    - |ok|
    -
  * - Environment variables [#f2]_
    - |ok|
    -
  * - Display screens references
    - |ok|
    -
  * - Mouse and keyboard references
    -
    - |nok|
  * - Controllers card references (except graphic card)
    -
    - |nok|
  * - Antivirus version
    -
    - |nok|
  * - Firewall state
    -
    - |nok|
  * - Local group list
    -
    - |nok|
  * - Memory bank list and state
    -
    - |nok|
  * - USB ports list and connected devices
    -
    - |nok|
  * - Printer status
    -
    - |nok|
  * - Card readers
    -
    - |nok|
  * - System wide Appx list
    -
    - |nok|

.. rubric:: Footnotes

.. [#f1] Not including system wide Appx install
.. [#f2] Currently both system and system-wide user environment variables are included.

Possible errors in reported inventory on the GLPI server
========================================================

Inventories uploaded by the WAPT Server to the GLPI server may be incomplete or may have errors when compared to inventories uploaded directly by the FusionInventory agent deployed on hosts.

One reason is that WAPT aims to report only the most important values.

If you feel that important items are missing or are reported in a wrong way, please report the issue to the Tranquil IT dev team.

To report the issue, you will need to send 2 :file:`.xml` files.

1. First, install `the FusionInventory agent `_ on the computer on which you are observing a missing or wrongly reported inventory item.

2. Run the FusionInventory agent and extract the report into a :file:`.xml` file.

   .. tabs::

     .. code-tab:: bash Windows

       "C:\Program Files\FusionInventory-Agent\fusioninventory-inventory" > %TEMP%\inventory.xml

     .. code-tab:: bash Linux

       fusioninventory-inventory > /tmp/inventory.xml

     .. code-tab:: bash MAC

       fusioninventory-inventory > /tmp/inventory.xml

3. Set the debug directory in the :ref:`waptserver.ini `.

   .. code-block:: ini

     glpi_inventory_debug_directory = /tmp/glpi

4. Restart the WAPT Server.

5. Retrieve the :file:`/tmp/glpi/UUID.xml` file from the WAPT Server, the UUID being the identifier of the host.

6. Send the 2 files to the Tranquil IT dev team.

.. _wapt_cyberwatch:

***************************************************************************************
Synchronizing WAPT inventories to Cyberwatch for security breaches |enterprise_feature|
***************************************************************************************

Working principle
=================

WAPT Enterprise offers synchronization between the inventories of your hosts and `Cyberwatch `_ :abbr:`ISVM (Information Security Vulnerability Management)` Software.

The method automatically synchronizes information about updates or installed software to the Cyberwatch tool in order to scan and alert you about detected vulnerabilities.

Configuring Cyberwatch server side
==================================

* Connect to your Cyberwatch server and go to your profile.

* In the API section, click on **See my API Keys**.

* Click on :guilabel:`Add` and name your API access key for WAPT.

  .. figure:: wapt-resources/cyberwatch_api_keys3.png
    :align: center
    :alt: Enter API key name, access_level and expiration

* Set the **access level** to Full and give an expiration date.
  If you don't give one, the key will *never* expire.

This key with its **API access key ID** will allow you to use the Cyberwatch API for our WAPT package.

Configuring WAPTAgent and sync packages
=======================================

Install and configure the WAPT Agent on the computer that will run the synchronization.
The WAPTAgent is installed by default on the WAPTServer, it just needs to be configured.

To configure the WAPTAgent, please refer to the corresponding documentation.

You can use two packages:

* if you have the Cyberwatch agent, you can import from Cyberwatch by installing the package `tis-cyberwatch-plugin-import-from-cyberwatch `_, it will give you information directly on your WAPT Console.
* for agentless devices, you can still export information about your WAPT hosts to your Cyberwatch server by installing the package `tis-cyberwatch-plugin-export-to-cyberwatch-airgap `_, it will give you information in your Cyberwatch Console without the Cyberwatch agent installed.

You need to configure an audit schedule on the agent:

.. code-block:: ini

  [global]
  ...
  waptaudit_task_period=120m
  ...

Whichever package you chose (you can obviously choose both), it will create two ini files in your $WAPT_INSTALL_DIR/private (linux : :file:`/opt/wapt/private`, windows : :file:`C:\Program Files (x86)\wapt\private`).

Connect to the host and modify the :file:`cyberwatch_api.ini` and :file:`wapt_api.ini` files.

.. code-block:: ini

  [cyberwatch]
  api_key =
  secret_key =
  url = https://cyberwatch.mydomain.lan

.. code-block:: ini

  [wapt]
  username = waptregister
  password = waptregister2023!
  url = https://srvwapt.ad.tranquil.it

To test the current configuration, you can trigger an audit:

.. code-block:: bash

  wapt-get audit tis-cyberwatch-plugin-import-from-cyberwatch
  # and/or
  wapt-get audit tis-cyberwatch-plugin-export-to-cyberwatch-airgap

*************************************************
Customizing audit reports with Mustache templates
*************************************************

Introduction and explanation
============================

WAPT can collect detailed hardware and software audit data from client machines using the `audit_data` plugin.
The collected data includes system information such as installed software, running services, disk usage, user accounts, network configuration, and more.

This data is stored in structured JSON format and displayed in the WAPT console using HTML templates.

By default, WAPT provides generic templates to visualize this data.
However, these templates can be fully customized to match your needs.

Why customize audit reports?
----------------------------

Audit report customization lets you:

- focus on data specific to your organization;
- create dashboards or tables adapted to internal policies;
- improve readability and ease of use for technical support teams;
- generate better documentation for audits or compliance.

WAPT uses Mustache templates to render JSON data into structured HTML content inside the console.

What is Mustache?
-----------------

Mustache is a **logic-less template language**.
It allows injecting dynamic data into static HTML layouts, without complex scripting.

A Mustache template is a plain text file containing:

- Static HTML
- Dynamic tags like ``{{key}}``, ``{{#section}} ... {{/section}}``, ``{{^section}} ... {{/section}}``

It is lightweight, simple to learn, and ideal for customizing visual reports without writing code.

Template storage and naming conventions
=======================================

All Mustache templates used to render audit data in WAPT are stored in the following folder:

::

  C:\Program Files (x86)\wapt\templates

If you are running WAPT in a portable or development environment, it may be:

::

  \templates

Each template file is a `.html` file written in Mustache format.

Naming convention
------------------

To override or define a new audit template, the file must follow a strict naming pattern:

::

  host_audit_<section>_<key>.html

Where:

- `section` corresponds to the audit section name (e.g. `audit-network-profile`)
- `key` corresponds to the data key to render (e.g. `auto-remediate-card`)

Example:

::

  host_audit_audit-network-profile_auto-remediate-card.html

This template will be used to render the key `auto-remediate-card` from the `audit-network-profile` section.

Modifying or creating a template
---------------------------------

There are two ways to customize audit rendering:

- **If the template already exists**: open and edit the corresponding `.html` file in the `templates` folder.
- **If the template does not exist**: create a new file with the correct name, and write the structure in Mustache format.

Make sure the HTML is valid and uses proper Mustache syntax, as shown in the examples below.

This mechanism allows you to fully customize how audit data appears in the WAPT console, per key and per section.

How to write templates
======================

Basic example – rendering audit data with placeholders
------------------------------------------------------

Let’s start with a simple example that shows how data from an audit can be inserted into a Mustache template.

Given the following HTML template:

.. code-block:: html

  Hostname: {{hostname}}
  Operating System: {{os_name}} {{os_version}}

And the values for the placeholders are provided in a JSON object (this object is called the *rendering context* – it holds the data passed to the template):

.. code-block:: json

  {
    "hostname": "PC123",
    "os_name": "Windows",
    "os_version": "10"
  }

Then the rendered result will be:

.. code-block:: html

  Hostname: PC123
  Operating System: Windows 10

This basic example shows how Mustache replaces each ``{{ placeholder }}`` with the matching value from the JSON context.
There is no logic, only substitution.

Mustache syntax overview
-------------------------

Mustache is simple and declarative.
Below are the most common tags with practical examples.

Display a single value – ``{{key}}``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Use `{{key}}` to insert a single value from the rendering context into the template.

The value of the key `hostname` will be searched for in the current context (and if not found, in any parent context).
When a value is found, the entire tag is replaced with the value, properly HTML-escaped to avoid injection.

**JSON context:**

.. code-block:: json

  { "hostname": "PC123" }

**Template:**

.. code-block:: html

  Hostname: {{hostname}}

**Rendered result:**

.. code-block:: html

  Hostname: PC123

Conditional block – ``{{#section}} ... {{/section}}``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This syntax allows you to display a block of content **only if the value of the key exists and is considered "truthy"** (not null, false, or empty).

It's commonly used to conditionally render a section, or to iterate over a list.

**Example with an object**

**JSON context:**

.. code-block:: json

  { "user": { "name": "Alice" } }

**Template:**

.. code-block:: html

  {{#user}}
  User: {{name}}
  {{/user}}

**Rendered result:**

.. code-block:: html

  User: Alice

If the `user` key was missing or `null`, nothing would be rendered.

**Example with a list**

If the value of the section is a list (array), the block is rendered **once for each item**, with the context set to the current item.

**JSON context:**

.. code-block:: json

  {
    "services": [
      {"name": "WAPT"},
      {"name": "Antivirus"}
    ]
  }

**Template:**

.. code-block:: html

  <ul>
    {{#services}}
    <li>{{name}}</li>
    {{/services}}
  </ul>

**Rendered result:**

.. code-block:: html

  <ul>
    <li>WAPT</li>
    <li>Antivirus</li>
  </ul>

Inverse block – ``{{^section}} ... {{/section}}``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The inverse section `{{^section}}` is used to show a block **only if the value is falsy** – meaning it does not exist, is `false`, `null`, or an empty list.

This is useful to display fallback messages or "no data" indicators.

**JSON context:**

.. code-block:: json

  { "has_battery": false }

**Template:**

.. code-block:: html

  {{^has_battery}}
  This device has no battery.
  {{/has_battery}}

**Rendered result:**

.. code-block:: html

  This device has no battery.

If `"has_battery": true`, the block would not be rendered at all.

Comment – ``{{! comment }}``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Mustache allows inline comments using `{{! ... }}`.
These comments are completely ignored during rendering and will not appear in the output HTML.

This is useful for leaving notes for template authors without affecting the output.

**Template:**

.. code-block:: html

  {{! This is a comment for developers }}
  Hello

**Rendered result:**

.. code-block:: html

  Hello

Current value – ``{{.}}``
^^^^^^^^^^^^^^^^^^^^^^^^^

The `{{.}}` tag is used when iterating over a list of **simple values** (strings, numbers, booleans).
It refers to the current value in the context.

If you are iterating over an array like `["important", "urgent"]`, each `{{.}}` corresponds to the current string in the loop.

**JSON context:**

.. code-block:: json

  { "tags": ["important", "urgent", "todo"] }

**Template:**

.. code-block:: html

  <ul>
    {{#tags}}
    <li>{{.}}</li>
    {{/tags}}
  </ul>

**Rendered result:**

.. code-block:: html

  <ul>
    <li>important</li>
    <li>urgent</li>
    <li>todo</li>
  </ul>

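The tags covered in this overview (escaped ``{{key}}`` with parent-context lookup, sections, inverse sections, comments and ``{{.}}``) can be exercised offline with the minimal renderer below. It is an added example, not WAPT's own template engine and not code from the original documentation; ``render``, ``SAMPLE_CONTEXT`` and ``SAMPLE_TEMPLATE`` are hypothetical names, the audit values are constructed, and WAPT helpers are not implemented.

```python
import html
import re

# One tag: optional sigil (# section, ^ inverse, / close, ! comment) and a name.
TAG = re.compile(r"\{\{([#^/!]?)\s*(.*?)\s*\}\}", re.S)


def _lookup(name, stack):
    """Resolve a key in the current context, then in each parent context."""
    if name == ".":
        return stack[-1]
    for ctx in reversed(stack):
        if isinstance(ctx, dict) and name in ctx:
            return ctx[name]
    return None


def _section_body(template, start, name):
    """Return (body, end_offset) for the section opened just before `start`."""
    depth, pos = 1, start
    while True:
        m = TAG.search(template, pos)
        if m is None:
            raise ValueError("unclosed section: " + name)
        pos = m.end()
        if m.group(2) != name:
            continue
        if m.group(1) in ("#", "^"):          # nested section with the same name
            depth += 1
        elif m.group(1) == "/":
            depth -= 1
            if depth == 0:
                return template[start:m.start()], m.end()


def _render(template, stack):
    out, pos = [], 0
    while True:
        m = TAG.search(template, pos)
        if m is None:
            return "".join(out) + template[pos:]
        out.append(template[pos:m.start()])
        kind, name, pos = m.group(1), m.group(2), m.end()
        if kind == "!":                        # comment: emits nothing
            continue
        if kind == "/":
            raise ValueError("unexpected closing tag: " + name)
        value = _lookup(name, stack)
        if kind == "":                         # {{key}}: always HTML-escaped
            out.append("" if value is None else html.escape(str(value)))
            continue
        body, pos = _section_body(template, pos, name)
        falsy = value is None or value is False or value == [] or value == ""
        if kind == "^":                        # inverse block: only when falsy
            out.append(_render(body, stack) if falsy else "")
        elif not falsy:                        # once per list item, or once for an object
            for item in (value if isinstance(value, list) else [value]):
                out.append(_render(body, stack + [item]))


def render(template, context):
    """Render `template` against the JSON-like rendering context."""
    return _render(template, [context])


# Constructed audit data: the hostname value carries markup reported by a host.
SAMPLE_CONTEXT = {
    "hostname": "PC123<script>alert(1)</script>",
    "services": [{"name": "WAPT"}, {"name": "Antivirus"}],
    "tags": ["important", "urgent"],
    "has_battery": False,
}
SAMPLE_TEMPLATE = (
    "{{! constructed template }}<p>Hostname: {{hostname}}</p>"
    "<ul>{{#services}}<li>{{name}}</li>{{/services}}</ul>"
    "<p>{{#tags}}[{{.}}]{{/tags}}</p>"
    "{{^has_battery}}<p>This device has no battery.</p>{{/has_battery}}"
)

if __name__ == "__main__":
    print(render(SAMPLE_TEMPLATE, SAMPLE_CONTEXT))
```

In the rendered sample, the markup inside ``hostname`` comes out as ``&lt;script&gt;`` text rather than as an element, which is the escaping behaviour described for ``{{key}}``.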
Available Mustache helpers
==========================

WAPT provides many custom helpers that can be used inside Mustache templates to transform, format, or extract data.

These helpers extend the basic Mustache syntax and are especially useful when working with audit data.

The available helpers are listed below:

**Comparison and logic**

- `IIf` – Inline conditional rendering (`if cond then val1 else val2`)
- `If_` – Full conditional expression (advanced)
- `Equals_` – Compares values
- `Match` – Matches regex (case-sensitive)
- `MatchI` – Matches regex (case-insensitive)

**List and object operations**

- `Items` – Converts a dictionary to an iterable list
- `Get` – Retrieves a key from an object with default fallback
- `Count` – Counts items in a list or keys in a dict
- `Values` – Extracts values from a dict
- `Keys` – Extracts keys from a dict
- `First` – Gets the first `n` items in a list
- `Last` – Gets the last `n` items
- `Slice` – Extracts a slice `[start:end]` from a list

**Data formatting**

- `HumanBytes` – Converts byte sizes to KB, MB, GB
- `CSV` – Joins lists of objects into CSV format

**String and text manipulation**

- `Lower` – Converts to lowercase
- `Upper` – Converts to uppercase
- `Pad` – Pads a string to the right
- `PadLeft` – Pads a string to the left
- `Sub` – Extracts a substring
- `CamelCase` – Converts string to camelCase
- `SnakeCase` – Converts string to snake_case
- `EnumTrim` – Cleans enumerated values (e.g., trim `[0]`)
- `EnumTrimRight` – Like EnumTrim but trims only on the right

**Date and time formatting**

- `LocalDateTime` – Converts UTC to localized datetime
- `LocalDate` – Local date from UTC input
- `DateFmt` – Custom date formatting with strftime-style format
- `DateTimeToText` – Converts date to readable text
- `DateToText` – Formats date value (legacy variant)
- `TimeLogToText` – Parses duration from logs (e.g., "00:04:32")

**HTML and rendering**

- `ToJson2` – Converts a value to formatted JSON
- `ToJson` – Basic JSON conversion
- `JsonQuote` – Escapes JSON content inside a string
- `JsonQuoteUri` – Escapes JSON for safe use in URLs
- `SimpleToHtml` – Renders basic line/text formatting
- `MarkdownToHtml` – Parses Markdown into HTML
- `WikiToHtml` – Parses wiki-style markup into HTML

**Other utilities**

- `JoinValues` – Joins values of a list or dict with separator
- `Join` – Joins items (keys or values) into a string
- `NewGuid` – Generates a new UUID
- `ExtractFileName` – Extracts filename from a full path

**Encoding and hashing**

- `b64encode` – Base64-encodes a string
- `sha256` – SHA-256 hash of a string
- `sha1` – SHA-1 hash of a string
- `md5` – MD5 hash of a string
- `BlobToBase64` – Encodes binary blob to base64
- `b64decode` – Decode a base64-encoded string
- `_chr` – Converts ASCII codes to characters

**Networking and HTTP**

- `HttpGet` – Performs an HTTP GET request
- `HttpGetSafe` – Like `HttpGet` but safer for templates
- `DoHttpGet` – Low-level GET with optional certificate check
- `HttpPost` – Sends an HTTP POST request
- `HttpPostSafe` – POST variant with safety checks
- `DoHttpPost` – Low-level POST with optional cert verification

Each helper accepts a value or a list of values as input and returns a formatted result usable inside any Mustache tag.

Documentation for each helper is provided in the next section.

See Mustache helpers documentation :doc:`wapt-audit-mustache-helpers`.