diff options
author | Jan Dittberner <jandd@cacert.org> | 2016-05-08 22:20:15 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2016-05-08 22:20:15 +0200 |
commit | 246d28b181c69091386369a04ec1797902991520 (patch) | |
tree | 09cce4bcaa3623f1c4fa8579594dc3371ee083df | |
parent | 0c8e90c9ff94bbaef05afd7e0a06c3096d3e022e (diff) | |
download | cacert-infradocs-246d28b181c69091386369a04ec1797902991520.tar.gz cacert-infradocs-246d28b181c69091386369a04ec1797902991520.tar.xz cacert-infradocs-246d28b181c69091386369a04ec1797902991520.zip |
Add bugs container description
-rw-r--r-- | docs/configdiff/bugs/apache/bugs-apache-config.diff | 47 | ||||
-rw-r--r-- | docs/people.rst | 37 | ||||
-rw-r--r-- | docs/systems.rst | 1 | ||||
-rw-r--r-- | docs/systems/bugs.rst | 349 |
4 files changed, 433 insertions, 1 deletions
diff --git a/docs/configdiff/bugs/apache/bugs-apache-config.diff b/docs/configdiff/bugs/apache/bugs-apache-config.diff new file mode 100644 index 0000000..355b796 --- /dev/null +++ b/docs/configdiff/bugs/apache/bugs-apache-config.diff @@ -0,0 +1,47 @@ +diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf +--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100 ++++ bugs/etc/apache2/conf-available/security.conf 2016-05-08 14:04:46.335145675 +0200 +@@ -5,11 +5,11 @@ + # This currently breaks the configurations that come with some web application + # Debian packages. + # +-#<Directory /> +-# AllowOverride None +-# Order Deny,Allow +-# Deny from all +-#</Directory> ++<Directory /> ++ AllowOverride None ++ Order Deny,Allow ++ Deny from all ++</Directory> + + + # Changing the following options will not really affect the security of the +@@ -61,14 +61,24 @@ + # else than declared by the content type in the HTTP headers. + # Requires mod_headers to be enabled. + # +-#Header set X-Content-Type-Options: "nosniff" ++Header set X-Content-Type-Options: "nosniff" ++ ++# ++# Some browsers have a built-in XSS filter that will detect some cross site ++# scripting attacks. By default, these browsers modify the suspicious part of ++# the page and display the result. This behavior can create various problems ++# including new security issues. This header will tell the XSS filter to ++# completely block access to the page instead. ++# Requires mod_headers to be enabled. ++# ++Header set X-XSS-Protection: "1; mode=block" + + # + # Setting this header will prevent other sites from embedding pages from this + # site as frames. This defends against clickjacking attacks. + # Requires mod_headers to be enabled. + # +-#Header set X-Frame-Options: "sameorigin" ++Header set X-Frame-Options: "sameorigin" + + + # vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/docs/people.rst b/docs/people.rst index 91d2a92..49c0c5e 100644 --- a/docs/people.rst +++ b/docs/people.rst @@ -2,6 +2,18 @@ People list =========== +The following list shows information for people in charge of some systems or +applications. The list of roles is known to not be complete. + +.. maybe this can be improved by some automation later + +.. _people_dirk: + +Dirk Astrath +============ + +:roles: :term:`Application Administrator` on :doc:`systems/bugs` + .. _people_abahlo: Alexander Bahlo @@ -10,6 +22,14 @@ Alexander Bahlo :roles: :term:`Application Administrator` on :doc:`systems/blog` :contact: alexander.bahlo@cacert.org +.. _people_benbe: + +Benny Baumann +============= + +:roles: :term:`Infrastructure Administrator`, :term:`Application Administrator` + on :doc:`systems/bugs` + .. _people_jandd: Jan Dittberner @@ -20,6 +40,13 @@ Jan Dittberner :wiki: :wiki:`JanDittberner` :irc: jandd +.. _people_ted: + +Bernhard Fröhlich +================= + +:roles: :term:`Application Administrator` on :doc:`systems/bugs` + .. _people_martin: Martin Gummi @@ -28,6 +55,13 @@ Martin Gummi :roles: :term:`Infrastructure Administrator` :contact: martin.gummi@cacert.org +.. _people_philipp: + +Philipp Gühring +=============== + +:roles: :term:`Application Administrator` on :doc:`systems/bugs` + .. _people_mario: Mario Lipinski @@ -57,8 +91,9 @@ Mendel Mobach Michael Tänzer ============== -:roles: :term:`Infrastructure Administrator` +:roles: :term:`Infrastructure Administrator` :contact: michael.taenzer@cacert.org +:wiki: :wiki:`MichaelTänzer` .. _people_gero: diff --git a/docs/systems.rst b/docs/systems.rst index 69b72a6..6bf6f2f 100644 --- a/docs/systems.rst +++ b/docs/systems.rst @@ -12,6 +12,7 @@ administrator team. systems/arbitration systems/blog systems/board + systems/bugs systems/email systems/emailout systems/monitor diff --git a/docs/systems/bugs.rst b/docs/systems/bugs.rst new file mode 100644 index 0000000..f815ae5 --- /dev/null +++ b/docs/systems/bugs.rst @@ -0,0 +1,349 @@ +.. index:: + single: Systems; Bugs + +==== +Bugs +==== + +Purpose +======= + +This system provides the public bug tracker for the CAcert community. + +.. note:: There currently seems to be a problem for users signing up themselves + for new accounts. Unless this is fixed by Debian, new accounts must be + created by administrators. For more details ask the `support mailing list + <cacert-support@lists.cacert.org>`_. + +Application Links +----------------- + +Bugtracker + https://bugs.cacert.org/ + +Administration +============== + +System Administration +--------------------- + +* Primary: :ref:`people_neo` +* Secondary: :ref:`people_jandd` + +Application Administration +-------------------------- + ++----------------------+--------------------------------------------+ +| Application | Administrator(s) | ++======================+============================================+ +| Mantis Administrator | :ref:`people_benbe`, :ref:`people_neo`, | +| | :ref:`people_dirk`, :ref:`people_jandd`, | +| | :ref:`people_ted`, :ref:`people_mario`, | +| | :ref:`people_philipp` | ++----------------------+--------------------------------------------+ +| Mantis Manager | :ref:`people_marcus`, :ref:`people_ulrich` | ++----------------------+--------------------------------------------+ + +Contact +------- + +* bugs-admin@cacert.org + +Additional People +----------------- + +:ref:`people_benbe` and :ref:`people_mario` have :program:`sudo` access on that +machine too. + +Basics +====== + +Physical Location +----------------- + +This system is located in an :term:`LXC` container on physical machine +:doc:`infra02`. + +Logical Location +---------------- + +:IP Internet: :ip:v4:`213.154.225.232` +:IP Intranet: :ip:v4:`172.16.2.16` +:IP Internal: :ip:v4:`10.0.0.16` +:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0) + +.. seealso:: + + See :doc:`../network` + +DNS +--- + +.. index:: + single: DNS records; Bugs + +======================== ======== ============================================ +Name Type Content +======================== ======== ============================================ +bugs.cacert.org. IN A 213.154.225.232 +bugs.cacert.org. IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8 +bugs.cacert.org. IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2 +bugs.intra.cacert.org. IN A 172.16.2.16 +======================== ======== ============================================ + +.. seealso:: + + See :wiki:`SystemAdministration/Procedures/DNSChanges` + +Operating System +---------------- + +.. index:: + single: Debian GNU/Linux; Jessie + single: Debian GNU/Linux; 8.4 + +* Debian GNU/Linux 8.4 + +Applicable Documentation +------------------------ + +This is it :-) + +Services +======== + +Listening services +------------------ + ++----------+---------+---------+--------------------------------+ +| Port | Service | Origin | Purpose | ++==========+=========+=========+================================+ +| 22/tcp | ssh | ANY | admin console access | ++----------+---------+---------+--------------------------------+ +| 25/tcp | smtp | local | mail delivery to local MTA | ++----------+---------+---------+--------------------------------+ +| 80/tcp | http | ANY | web server for bug tracker | ++----------+---------+---------+--------------------------------+ +| 443/tcp | https | ANY | web server for bug tracker | ++----------+---------+---------+--------------------------------+ +| 5666/tcp | nrpe | monitor | remote monitoring service | ++----------+---------+---------+--------------------------------+ +| 3306/tcp | mysql | local | MySQL database for bug tracker | ++----------+---------+---------+--------------------------------+ + +Running services +---------------- + +.. index:: + single: Apache + single: MySQL + single: Postfix + single: cron + single: nrpe + single: openssh + single: rsyslog + ++--------------------+--------------------+----------------------------------------+ +| Service | Usage | Start mechanism | ++====================+====================+========================================+ +| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` | +| | remote | | +| | administration | | ++--------------------+--------------------+----------------------------------------+ +| Apache httpd | Webserver for bug | init script | +| | tracker | :file:`/etc/init.d/apache2` | ++--------------------+--------------------+----------------------------------------+ +| cron | job scheduler | init script :file:`/etc/init.d/cron` | ++--------------------+--------------------+----------------------------------------+ +| rsyslog | syslog daemon | init script | +| | | :file:`/etc/init.d/syslog` | ++--------------------+--------------------+----------------------------------------+ +| MySQL | MySQL database | init script | +| | server for bug | :file:`/etc/init.d/mysql` | +| | tracker | | ++--------------------+--------------------+----------------------------------------+ +| Postfix | SMTP server for | init script | +| | local mail | :file:`/etc/init.d/postfix` | +| | submission | | ++--------------------+--------------------+----------------------------------------+ +| Nagios NRPE server | remote monitoring | init script | +| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` | +| | :doc:`monitor` | | ++--------------------+--------------------+----------------------------------------+ + +Databases +--------- + ++-------+--------+--------------------+ +| RDBMS | Name | Used for | ++=======+========+====================+ +| MySQL | mantis | Mantis bug tracker | ++-------+--------+--------------------+ + +Connected Systems +----------------- + +* :doc:`monitor` + +Outbound network connections +---------------------------- + +* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 +* :doc:`emailout` as SMTP relay +* ftp.nl.debian.org as Debian mirror +* security.debian.org for Debian security updates +* crl.cacert.org (rsync) for getting CRLs +* HTTP (80/tcp) to :doc:`git` + +Security +======== + +.. sshkeys:: + :RSA: 59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45 + :DSA: 17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9 + :ECDSA: a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc + +Non-distribution packages and modifications +------------------------------------------- + +.. index:: + pair: non-distribution package; Mantis + +* custom built `mantis`_ package by :ref:`people_benbe` + +.. _mantis: https://www.mantisbt.org/ + +Risk assessments on critical packages +------------------------------------- + +Mantis as a PHP application is vulnerable to common PHP problems. The system +has to be kept up-to-date with OS patches. The custom built mantis package has +to be updated when new releases are provided upstream. + +Critical Configuration items +============================ + +Keys and X.509 certificates +--------------------------- + +.. sslcert:: bugs.cacert.org + :certfile: /etc/ssl/public/bugs.c.o.20160314.crt + :keyfile: /etc/ssl/private/bugs.c.o.20160314.key + :serial: 028A72 + :expiration: Mar 14 13:12:13 2018 GMT + :sha1fp: 4D:1F:14:B2:BB:C8:59:68:D0:CF:86:36:DA:2F:B2:58:A7:90:E5:85 + :issuer: CAcert.org Class 3 Root + +* :file:`/etc/ssl/public/bugs.c.o.20160314.crt.chain` contains the server + certificate and the Class 3 CA certificate + +* :file:`/etc/mantis/config_inc.php` contains the database settings for Mantis + +.. index:: + pair: Mantis; configuration + +Mantis configuration +-------------------- + +The Mantis bug tracker configuration is stored in the directory +:file:`/etc/mantis/`. + +* :file:`config_local.php` the main configuration file, including custom bug states +* :file:`custom_constants_inc.php` defines custom constants. Required for the + non-default bug states +* :file:`custom_strings_inc.php` defines custom string definitions. Required + for the non-default bug states + +.. note:: + + Localisation for these could go here but currently I would avoid that so all + developers have the same vocabulary. + + -- :ref:`people_neo` 2011-07-04 02:44:45 + +.. index:: + pair: Apache httpd; configuration + +Apache httpd configuration +-------------------------- + +The Apache configuration in the directory :file:`/etc/apache2/` has been +changed to add some additional headers to improve client security: + +.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff + :language: diff + +The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is +configured in :file:`/etc/apache2/sites-available/mantis` (shared +configuration) that includes configuration from the mantis package provided +:file:`/etc/apache2/conf.d/mantis` file, +:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and +:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost). + +.. index:: + pair: MySQL; configuration + +MySQL configuration +------------------- + +MySQL configuration is stored in the :file:`/etc/mysql/` directory. + +.. index:: + pair: rsyslog; configuration + +Rsyslog configuration +--------------------- + +Rsyslog has been configured to disable draining the kernel log: + +.. code-block:: diff + + --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100 + +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100 + @@ -9,7 +9,7 @@ + ################# + + $ModLoad imuxsock # provides support for local system logging + -$ModLoad imklog # provides kernel logging support + +#$ModLoad imklog # provides kernel logging support + #$ModLoad immark # provides --MARK-- message capability + + # provides UDP syslog reception + +The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to +add an additional logging socket in the Postfix chroot. + + +Tasks +===== + +Planned +------- + +.. todo:: provide the custom mantis package from a infrastructure Debian + package repository +.. todo:: setup IPv6 +.. todo:: setup X.509 authentication if possible :bug:`678` + +Changes +======= + +System Future +------------- + +* No plans + +Additional documentation +======================== + +.. seealso:: + + * :wiki:`PostfixConfiguration` + +References +---------- + +Mantis Bugtracker documentation + https://www.mantisbt.org/documentation.php +Apache httpd documentation + https://httpd.apache.org/docs/2.4/ |