73b9f6bc54d83fbf0e0299ef4aad803ab6039d46
[cacert-infradocs.git] / docs / systems / cats.rst
.. index::
   single: Systems; CATS

====
CATS
====

Purpose
=======

This system provides the CAcert Assurer Training System (CATS), which is used
to perform the Assurer Challenge.

Application Links
-----------------

CATS
   https://cats.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_ted`
* Secondary: :ref:`people_jandd`

Application Administration
--------------------------

+-------------+-------------------+
| Application | Administrator(s)  |
+=============+===================+
| CATS        | :ref:`people_ted` |
+-------------+-------------------+

Contact
-------

* cats-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_wytze` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.243`
:IP Intranet: :ip:v4:`172.16.2.27`
:IP Internal: :ip:v4:`10.0.0.27`
:MAC address: :mac:`00:ff:53:2d:a0:65` (interfacename)

.. seealso::

   See :doc:`../network`

Monitoring
----------

:internal checks: :monitor:`cats.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; CATS

====================== ======== ====================================================================
Name                   Type     Content
====================== ======== ====================================================================
cats.cacert.org.       IN A     213.154.225.243
cats.cacert.org.       IN SSHFP 1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
cats.cacert.org.       IN SSHFP 1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
cats.cacert.org.       IN SSHFP 2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8
cats.cacert.org.       IN SSHFP 2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718
cats.cacert.org.       IN SSHFP 3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C
cats.cacert.org.       IN SSHFP 3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D
cats.intra.cacert.org. IN A     172.16.2.27
====================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+-----------------------------+
| Port     | Service | Origin  | Purpose                     |
+==========+=========+=========+=============================+
| 22/tcp   | ssh     | ANY     | admin console access        |
+----------+---------+---------+-----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
+----------+---------+---------+-----------------------------+
| 80/tcp   | http    | ANY     | CATS                        |
+----------+---------+---------+-----------------------------+
| 443/tcp  | https   | ANY     | CATS                        |
+----------+---------+---------+-----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service   |
+----------+---------+---------+-----------------------------+
| 3306/tcp | mysql   | local   | MySQL database for CATS     |
+----------+---------+---------+-----------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: mysql
   single: nrpe
   single: openssh
   single: postfix

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for CATS | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for CATS    | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; cats_cats

+------------+--------------+---------------------------+
| RDBMS      | Name         | Used for                  |
+============+==============+===========================+
| MySQL      | cats_cats    | CATS database             |
+------------+--------------+---------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* HTTPS (443/tcp) to :doc:`secure.cacert.org <../critical/webdb>` for pushing
  test results
* HTTPS (443/tcp) to :doc:`svn` for subversion access
* HTTPS (443/tcp) to `github.com <https://github.com>`_

.. todo:: disable subversion access

Security
========

.. sshkeys::
   :RSA: SHA256:YFr1fODx7PjurFxxkB8UNL9lwG/AeWuTLQ8Q8h3fZf4 MD5:d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
   :DSA: SHA256:CDUkGlsZBQl8MysXb67JLgXGkBaboSUYTz/iyWEtlxg MD5:0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
   :ECDSA: SHA256:H1SVPJbeDpPNGeZsolCF1nc87v08N2vi53waM3zNAI0 MD5:bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93

.. todo:: setup ED25519 host key (needs update to Jessie)
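
The SSHFP records in the DNS table are derived from the same host keys whose
fingerprints are listed here. The following is an added example, not part of
the original documentation, that computes the expected SSHFP RDATA from an
OpenSSH public key line and reports which records are missing from what DNS
actually publishes; it also covers ssh-ed25519 (algorithm 4) for the planned
ED25519 host key. The key line in the block is a constructed placeholder, not
the real host key.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) for the key types on
# this page; ssh-ed25519 (4) is included because an ED25519 host key is planned.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (40 hex digits), 2 = SHA-256 (64 hex digits)
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line):
    """Compute the SSHFP RDATA ("algorithm fptype HEX") for one line of an
    OpenSSH public key file, in the form used in the DNS table's Content column.
    The digest covers the base64-decoded key blob, exactly as ssh-keygen -r does."""
    keytype, b64blob = pubkey_line.split()[:2]
    algorithm = SSHFP_ALGORITHMS[keytype]
    blob = base64.b64decode(b64blob)
    return [
        "%d %d %s" % (algorithm, fptype, hash_fn(blob).hexdigest().upper())
        for fptype, hash_fn in sorted(SSHFP_HASHES.items())
    ]


def missing_rdata(expected, published):
    """Return the records computed from the host keys that are absent from the
    RDATA strings published in DNS (e.g. the lines printed by
    ``dig +short SSHFP cats.cacert.org``). Whitespace and hex case are ignored."""
    def norm(rdata):
        return " ".join(rdata.split()).upper()
    published_set = {norm(r) for r in published}
    return [r for r in expected if norm(r) not in published_set]


if __name__ == "__main__":
    # Constructed key line; "YWJj" is base64("abc"), not a real host key blob.
    for rdata in sshfp_rdata("ssh-rsa YWJj constructed-test-key"):
        print("cats.cacert.org. IN SSHFP " + rdata)
```

On the host, pass each line of :file:`/etc/ssh/ssh_host_*_key.pub` to
``sshfp_rdata()`` and compare with the output of ``dig +short SSHFP
cats.cacert.org``; ``ssh-keygen -r cats.cacert.org`` prints the same records
for cross-checking.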

Dedicated user roles
--------------------

+-------+----------------------------------------------------------+
| Group | Purpose                                                  |
+=======+==========================================================+
| cats  | The cats group is meant to maintain the CATS application |
+-------+----------------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The CATS software is a custom PHP-based system. The application is contained in
:file:`/home/cats/public_html`. The current repository is at
https://github.com/CAcertOrg/cats, historic versions are available at
https://svn.cacert.org/CAcert/Education/CATS. `Instructions for CATS setup
<https://github.com/CAcertOrg/cats/blob/release/INSTALL.txt>`_ can be found in
the git repository.

CATS requires client certificate authentication to be set up in the Apache httpd
server.

.. todo:: add a Vagrantfile to allow easy CATS testing setups


Risk assessments on critical packages
-------------------------------------

As a PHP application, CATS is exposed to the common classes of PHP
vulnerabilities. The system has to be kept up to date with OS patches.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

The server certificate for the CATS web application.

.. sslcert:: cats.cacert.org
   :altnames: DNS:cats.cacert.org
   :certfile: /home/cats/ssl/certs/cats_cert.pem
   :keyfile: /home/cats/ssl/private/cats_privatekey.pem
   :serial: 1381F7
   :expiration: Mar 16 10:59:35 2020 GMT
   :sha1fp: 8E:26:FE:E9:EE:86:35:D4:F4:E9:AE:7C:85:78:0A:A9:5B:AD:CE:53
   :issuer: CA Cert Signing Authority

.. _cats_client_cert:

Client certificate for pushing results to secure.cacert.org.

.. sslcert:: cats@cacert.org
   :altnames: EMAIL:cats@cacert.org
   :certfile: /home/cats/private/cert_201605.pem
   :keyfile: /home/cats/private/key_201605.pem
   :serial: 0266AE
   :expiration: May 7 21:14:39 2016 GMT
   :sha1fp: F9:8D:DC:67:68:30:5D:46:84:DE:77:F1:70:1A:E1:F7:9C:F4:DC:9A
   :issuer: CAcert Class 3 Root

.. todo:: move certificates to :file:`/etc/ssl/public` and keys to
   :file:`/etc/ssl/private`

* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt` CAcert.org Class
  1 and Class 3 CA certificates (allowed CA certificates for client certificates
  and certificate chain for server certificate)
* :file:`/home/cats/public_html/education.txt` is a symbolic link pointing to
  the most current client certificate issued to the education@cacert.org
  address.

.. index::
   pair: CATS; configuration

CATS configuration
------------------

CATS configuration is stored in files in
:file:`/home/cats/public_html/index.php` (roughly based on
:file:`index.php.template` from git) and
:file:`/home/cats/public_html/includes/db_connect.inc`.

.. todo:: move CATS configuration to :file:`/etc/`
.. todo:: refactor CATS to not store configuration in the PHP session

CATS uses two cronjobs in the cats user's crontab::

   # m h dom mon dow command
   MAILTO=bernhard@cacert.org
   */5 * * * * /home/cats/tools/do_upload
   # Reduced upload rate during problems...
   #0 * * * * /home/cats/tools/do_upload
   35 4 * * * /home/cats/tools/do_backup

The :file:`do_upload` job uses the client :ref:`certificate for cats@cacert.org
<cats_client_cert>` to authenticate to secure.cacert.org.

The :file:`do_backup` job creates a backup of the *cats_cats* MySQL database.
The backups are rotated (9 copies are kept) and encrypted to the PGP keys of
:ref:`people_ted` and :ref:`people_philipp`. The job also attempts to fetch a
database dump from http://cats1.it-sls.de/dump.gz and store it in
:file:`/home/cats/dumps/dump.dev.gz`. This functionality is broken.

.. todo:: either fix fetching from the test system or remove this functionality
.. todo:: use :file:`/etc/cron.d` instead of user specific crontab
.. todo:: put the scripts in :file:`/home/cats/tools/` into git

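The :file:`do_backup` script itself is not in git yet, so the following is an
added example in Python (not the project's script) of the backup pattern
described above: a mysqldump piped straight into gpg so the plaintext never
reaches disk, encrypted to two recipients, followed by a rotation that keeps only
the newest 9 copies. The dump directory, the file naming and the placeholder key
IDs are assumptions; the real key IDs are not given on this page.

```python
import os
import subprocess
from datetime import datetime, timezone

# Assumed values (not from the page): dump directory and recipient key IDs.
DUMP_DIR = "/home/cats/dumps"
DATABASE = "cats_cats"
RECIPIENTS = ["<ted-key-id-placeholder>", "<philipp-key-id-placeholder>"]
KEEP = 9  # the page states that 9 copies are kept


def expired_dumps(filenames, keep=KEEP):
    """Return the encrypted dump file names to delete so that only the newest
    `keep` remain. Names sort chronologically because of the UTC timestamp
    suffix used by backup_database(); unrelated files are left alone."""
    dumps = sorted(n for n in filenames if n.endswith(".sql.gpg"))
    return dumps[:max(0, len(dumps) - keep)]


def backup_database(dump_dir=DUMP_DIR, database=DATABASE, recipients=RECIPIENTS):
    """Dump the database into gpg in one pipeline, then rotate old copies.
    Assumes the cats user's ~/.my.cnf holds the MySQL credentials and that the
    recipients' public keys are imported and trusted in the cats user's keyring."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    out_path = os.path.join(dump_dir, "%s-%s.sql.gpg" % (database, stamp))
    gpg_cmd = ["gpg", "--batch", "--yes", "--encrypt", "--output", out_path]
    for key_id in recipients:
        gpg_cmd += ["--recipient", key_id]
    dump = subprocess.Popen(
        ["mysqldump", "--single-transaction", database], stdout=subprocess.PIPE
    )
    try:
        subprocess.check_call(gpg_cmd, stdin=dump.stdout)
    finally:
        dump.stdout.close()
    if dump.wait() != 0:
        os.remove(out_path)  # never keep a copy of a dump that failed halfway
        raise RuntimeError("mysqldump failed for %s" % database)
    for name in expired_dumps(os.listdir(dump_dir)):
        os.remove(os.path.join(dump_dir, name))
    return out_path


if __name__ == "__main__":
    print(backup_database())
```
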
.. seealso::

   Instructions for `CATS translation
   <https://wiki.cacert.org/Brain/Study/EducationTraining/CATSTranslation>`_

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
modified to improve TLS settings and define an HTTP and an HTTPS VirtualHost
for cats.cacert.org.

.. literalinclude:: ../configdiff/cats/apache/cats-apache-config.diff
   :language: diff

.. index::
   pair: logrotate; configuration

logrotate configuration
-----------------------

CATS specific Apache httpd logfiles are rotated by logrotate. The rotation is
controlled by a separate configuration in :file:`/etc/logrotate.d/cats`:

.. literalinclude:: ../configdiff/cats/logrotate/cats

.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: Postfix; configuration

Tasks
=====

.. todo:: switch to Puppet management
.. todo:: replace nrpe with icinga2 agent

Planned
-------

.. todo:: update to Debian 8/9/10
.. todo:: setup IPv6
.. todo:: setup CRL checks

Changes
=======

System Future
-------------

.. todo:: system should be updated to Debian 8/9

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

PHP documentation
   https://secure.php.net/manual/en/