43f1b9ed90668410394abef024e190990816094e
.. index::
   single: Systems; CATS

====
CATS
====

Purpose
=======

This system provides the CAcert Assurer Training System (CATS), which is used
to perform the Assurer Challenge.

Application Links
-----------------

CATS
   https://cats.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_ted`
* Secondary: :ref:`people_jandd`

Application Administration
--------------------------

+-------------+-------------------+
| Application | Administrator(s)  |
+=============+===================+
| CATS        | :ref:`people_ted` |
+-------------+-------------------+

Contact
-------

* cats-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_wytze` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.243`
:IP Intranet: :ip:v4:`172.16.2.27`
:IP Internal: :ip:v4:`10.0.0.27`
:MAC address: :mac:`00:ff:53:2d:a0:65` (interfacename)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; CATS

====================== ======== ====================================================================
Name                   Type     Content
====================== ======== ====================================================================
cats.cacert.org.       IN A     213.154.225.243
cats.cacert.org.       IN SSHFP 1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
cats.cacert.org.       IN SSHFP 1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
cats.cacert.org.       IN SSHFP 2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8
cats.cacert.org.       IN SSHFP 2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718
cats.cacert.org.       IN SSHFP 3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C
cats.cacert.org.       IN SSHFP 3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D
cats.intra.cacert.org. IN A     172.16.2.27
====================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+-----------------------------+
| Port     | Service | Origin  | Purpose                     |
+==========+=========+=========+=============================+
| 22/tcp   | ssh     | ANY     | admin console access        |
+----------+---------+---------+-----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
+----------+---------+---------+-----------------------------+
| 80/tcp   | http    | ANY     | CATS                        |
+----------+---------+---------+-----------------------------+
| 443/tcp  | https   | ANY     | CATS                        |
+----------+---------+---------+-----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service   |
+----------+---------+---------+-----------------------------+
| 3306/tcp | mysql   | local   | MySQL database for CATS     |
+----------+---------+---------+-----------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for CATS | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for CATS    | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; cats_cats

+------------+--------------+---------------------------+
| RDBMS      | Name         | Used for                  |
+============+==============+===========================+
| MySQL      | cats_cats    | CATS database             |
+------------+--------------+---------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* HTTPS (443/tcp) to :doc:`secure.cacert.org <../critical/webdb>` for pushing
  test results
* HTTPS (443/tcp) to :doc:`svn` for subversion access
* HTTPS (443/tcp) to `github.com <https://github.com>`_

.. todo:: disable subversion access

Security
========

.. sshkeys::
   :RSA: d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
   :DSA: 0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
   :ECDSA: bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93

.. todo:: setup ED25519 host key (needs update to Jessie)
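
The SSHFP records in the DNS table above and the host key fingerprints in the
sshkeys block are both derived from the same host public key blobs, so an
administrator can confirm that what DNS publishes still matches what the
machine presents after a host key change or a reinstall. The Python script
below is an added example and is not part of cacert-infradocs or of the CATS
project; all function names are this example's own, and the key line it builds
for offline use is a constructed, non-functional blob, not the real
cats.cacert.org host key. Given an OpenSSH public key line it computes the
SHA-1 and SHA-256 SSHFP records and the colon-separated MD5 fingerprint, and
checks the records against the ones published for cats.cacert.org.

```python
"""Check SSH host keys against the SSHFP records and fingerprints listed above.

Added example, not part of cacert-infradocs or of the CATS project.  An SSHFP
record carries a hash (fptype 1 = SHA-1, 2 = SHA-256) of the raw host public
key blob, i.e. the base64 part of an OpenSSH public key line; the colon
separated fingerprints in the sshkeys block are the MD5 of the same blob.
All function names here are this example's own.
"""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255 and later registrations) by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# Records copied from the DNS table of this page, in zone-file notation.
CATS_ZONE = """\
cats.cacert.org. IN A 213.154.225.243
cats.cacert.org. IN SSHFP 1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
cats.cacert.org. IN SSHFP 1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
cats.cacert.org. IN SSHFP 2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8
cats.cacert.org. IN SSHFP 2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718
cats.cacert.org. IN SSHFP 3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C
cats.cacert.org. IN SSHFP 3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D
"""


def parse_sshfp(zone_text):
    """Extract (algorithm, fptype, fingerprint) tuples; other record types are skipped."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[2] == "SSHFP":
            records.append((int(fields[3]), int(fields[4]), fields[5].upper()))
    return records


def key_blob(pubkey_line):
    """Return (key type, raw key blob) from an OpenSSH public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] not in SSHFP_ALGORITHM:
        raise ValueError("unsupported public key line: %r" % pubkey_line)
    return fields[0], base64.b64decode(fields[1])


def sshfp_records(pubkey_line):
    """Compute the SHA-1 and SHA-256 SSHFP records that ssh-keygen -r prints."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [
        (alg, 1, hashlib.sha1(blob).hexdigest().upper()),
        (alg, 2, hashlib.sha256(blob).hexdigest().upper()),
    ]


def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint, the format used in the sshkeys block."""
    _, blob = key_blob(pubkey_line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_dns(pubkey_line, dns_records):
    """True when at least one computed record for the key is published in DNS.

    OpenSSH's VerifyHostKeyDNS accepts a key if any published SSHFP record
    matches, so a zone carrying only the SHA-256 record is still sufficient.
    """
    published = {(alg, fptype, fp.upper()) for alg, fptype, fp in dns_records}
    return any(record in published for record in sshfp_records(pubkey_line))


def constructed_key_line():
    """A constructed RSA-shaped blob (string 'ssh-rsa', mpint e, mpint n).

    This is NOT a real host key and is not usable as one; it only gives the
    functions above something to hash when the script is run offline.
    """
    blob = (b"\x00\x00\x00\x07ssh-rsa"
            + b"\x00\x00\x00\x03\x01\x00\x01"
            + b"\x00\x00\x00\x05\x00\xc0\xff\xee\x01")
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    # On the machine itself, read /etc/ssh/ssh_host_rsa_key.pub instead
    # (the standard Debian location, assumed here).
    line = constructed_key_line()
    print("MD5 fingerprint:", md5_fingerprint(line))
    for alg, fptype, fp in sshfp_records(line):
        print("cats.cacert.org. IN SSHFP %d %d %s" % (alg, fptype, fp))
    print("published in DNS:", matches_dns(line, parse_sshfp(CATS_ZONE)))
```

Fed the real public key files from the container (``ssh-keygen -r
cats.cacert.org -f /etc/ssh/ssh_host_rsa_key.pub`` prints the same records),
the script reproduces the rows of the DNS table; any record it computes that is
not published means the zone needs the DNS change procedure linked above, and
a published record that no current key produces is stale and should be
removed, since clients with ``VerifyHostKeyDNS`` would otherwise keep trusting
a key the host no longer has.
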

Dedicated user roles
--------------------

+-------+----------------------------------------------------------+
| Group | Purpose                                                  |
+=======+==========================================================+
| cats  | The cats group is meant to maintain the CATS application |
+-------+----------------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The CATS software is a custom PHP-based system. The application is contained in
:file:`/home/cats/public_html`. The current repository is at
https://github.com/CAcertOrg/cats; historic versions are available at
https://svn.cacert.org/CAcert/Education/CATS. `Instructions for CATS setup
<https://github.com/CAcertOrg/cats/blob/release/INSTALL.txt>`_ can be found in
the git repository.

CATS requires client certificate authentication to be set up in the Apache
httpd server.

.. todo:: add a Vagrantfile to allow easy CATS testing setups


Risk assessments on critical packages
-------------------------------------

As a PHP application, CATS is exposed to the usual PHP security problems. The
system has to be kept up to date with OS patches.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

The server certificate for the CATS web application.

.. sslcert:: cats.cacert.org
   :altnames: DNS:cats.cacert.org
   :certfile: /home/cats/ssl/certs/cats_cert.pem
   :keyfile: /home/cats/ssl/private/cats_privatekey.pem
   :serial: 1381F7
   :expiration: Mar 16 10:59:35 2020 GMT
   :sha1fp: 8E:26:FE:E9:EE:86:35:D4:F4:E9:AE:7C:85:78:0A:A9:5B:AD:CE:53
   :issuer: CA Cert Signing Authority

.. _cats_client_cert:

Client certificate for pushing results to secure.cacert.org.

.. sslcert:: cats@cacert.org
   :altnames: EMAIL:cats@cacert.org
   :certfile: /home/cats/private/cert_201605.pem
   :keyfile: /home/cats/private/key_201605.pem
   :serial: 0266AE
   :expiration: May 7 21:14:39 2016 GMT
   :sha1fp: F9:8D:DC:67:68:30:5D:46:84:DE:77:F1:70:1A:E1:F7:9C:F4:DC:9A
   :issuer: CAcert Class 3 Root

.. todo:: move certificates to :file:`/etc/ssl/public` and keys to
   :file:`/etc/ssl/private`

* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt` CAcert.org Class
  1 and Class 3 CA certificates (allowed CA certificates for client certificates
  and certificate chain for server certificate)
* :file:`/home/cats/public_html/education.txt` is a symbolic link pointing to
  the most current client certificate issued to the education@cacert.org
  address.
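
Both certificates above list their ``:expiration:`` in the ``notAfter`` form
that ``openssl x509 -noout -enddate`` prints, and the client certificate is the
one the upload job authenticates with, so letting it expire silently stops
result pushes to secure.cacert.org. The Python check below is an added example
and is not part of cacert-infradocs or of CATS; the function names and the
30-day warning threshold are this example's own choices, and the two dates are
copied from the sslcert blocks above. It parses the date strings, computes the
days remaining relative to a reference time and classifies each certificate as
ok, warning or expired.

```python
"""Report how long the certificates listed above remain valid.

Added example, not part of cacert-infradocs or of the CATS project.  It
understands the 'Mar 16 10:59:35 2020 GMT' notAfter format used by the
:expiration: fields above and by 'openssl x509 -noout -enddate'.  The
function names and the warning threshold are this example's own choices.
"""
from datetime import datetime, timezone

# Expiry dates copied from the two sslcert blocks of this page.
CATS_CERTIFICATES = {
    "cats.cacert.org (server)": "Mar 16 10:59:35 2020 GMT",
    "cats@cacert.org (client)": "May 7 21:14:39 2016 GMT",
}


def parse_not_after(value):
    """Parse 'Mar 16 10:59:35 2020 GMT' (optionally prefixed with 'notAfter=',
    as openssl prints it) into a timezone-aware UTC datetime."""
    text = value.strip()
    if text.startswith("notAfter="):
        text = text[len("notAfter="):]
    if not text.endswith(" GMT"):
        raise ValueError("expected a GMT timestamp, got %r" % value)
    # %d accepts single-digit days and the run of spaces openssl pads them with
    naive = datetime.strptime(text[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(not_after) - now).days


def expiry_report(certificates, now, warn_days=30):
    """Return {name: (days remaining, status)} with status ok/warning/expired."""
    report = {}
    for name, not_after in certificates.items():
        days = days_remaining(not_after, now)
        if days < 0:
            status = "expired"
        elif days <= warn_days:
            status = "warning"
        else:
            status = "ok"
        report[name] = (days, status)
    return report


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, (days, status) in expiry_report(CATS_CERTIFICATES, now).items():
        print("%-8s %6d days  %s" % (status, days, name))
```

Running the check from the existing monitoring (the NRPE service listed above
is the natural place) turns the certificate dates in this page into an alert
instead of a surprise; ``openssl x509 -noout -enddate -in
/home/cats/private/cert_201605.pem`` yields the same ``notAfter=`` string the
parser accepts, so the check can read the live file rather than the copy in the
documentation.
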

.. index::
   pair: CATS; configuration

CATS configuration
------------------

CATS configuration is stored in the files
:file:`/home/cats/public_html/index.php` (roughly based on
:file:`index.php.template` from git) and
:file:`/home/cats/public_html/includes/db_connect.inc`.

.. todo:: move CATS configuration to :file:`/etc/`
.. todo:: refactor CATS to not store configuration in the PHP session

CATS uses two cronjobs in the cats user's crontab::

   # m h dom mon dow command
   MAILTO=bernhard@cacert.org
   */5 * * * * /home/cats/tools/do_upload
   # Reduced upload rate during problems...
   #0 * * * * /home/cats/tools/do_upload
   35 4 * * * /home/cats/tools/do_backup

The :file:`do_upload` job uses the client :ref:`certificate for cats@cacert.org
<cats_client_cert>` to authenticate to secure.cacert.org.

The :file:`do_backup` job creates a backup of the *cats_cats* MySQL database.
The backups are rotated (9 copies are kept) and encrypted to the PGP keys of
:ref:`people_ted` and :ref:`people_philipp`. The job also attempts to fetch a
database dump from http://cats1.it-sls.de/dump.gz and store it in
:file:`/home/cats/dumps/dump.dev.gz`. This functionality is broken.

.. todo:: either fix fetching from the test system or remove this functionality
.. todo:: use :file:`/etc/cron.d` instead of a user-specific crontab
.. todo:: put the scripts in :file:`/home/cats/tools/` into git

.. seealso::

   Instructions for `CATS translation
   <https://wiki.cacert.org/Brain/Study/EducationTraining/CATSTranslation>`_

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
modified to improve TLS settings and define an HTTP and an HTTPS VirtualHost
for cats.cacert.org.

.. literalinclude:: ../configdiff/cats/apache/cats-apache-config.diff
   :language: diff

.. index::
   pair: logrotate; configuration

logrotate configuration
-----------------------

CATS-specific Apache httpd logfiles are rotated by logrotate. The rotation is
controlled by a separate configuration in :file:`/etc/logrotate.d/cats`:

.. literalinclude:: ../configdiff/cats/logrotate/cats

.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: Postfix; configuration

Tasks
=====

Planned
-------

.. todo:: update to Debian Jessie
.. todo:: setup IPv6
.. todo:: setup CRL checks

Changes
=======

System Future
-------------

.. todo:: system should be updated to Debian 8/9

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

PHP documentation
   https://secure.php.net/manual/en/
380 PHP documentation
381 https://secure.php.net/manual/en/