Document the CATS system
[cacert-infradocs.git] / docs / systems / cats.rst
.. index::
   single: Systems; CATS

====
CATS
====

Purpose
=======

This system provides the CAcert Assurer Training System (CATS), which is used
to perform the Assurer Challenge.

Application Links
-----------------

CATS
   https://cats.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_ted`
* Secondary: :ref:`people_jandd`

Application Administration
--------------------------

+-------------+-------------------+
| Application | Administrator(s)  |
+=============+===================+
| CATS        | :ref:`people_ted` |
+-------------+-------------------+

Contact
-------

* cats-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_wytze` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.243`
:IP Intranet: :ip:v4:`172.16.2.27`
:IP Internal: :ip:v4:`10.0.0.27`
:MAC address: :mac:`00:ff:53:2d:a0:65` (interfacename)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; CATS

====================== ======== ====================================================================
Name                   Type     Content
====================== ======== ====================================================================
cats.cacert.org.       IN A     213.154.225.243
cats.cacert.org.       IN SSHFP 1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
cats.cacert.org.       IN SSHFP 1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
cats.cacert.org.       IN SSHFP 2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8
cats.cacert.org.       IN SSHFP 2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718
cats.cacert.org.       IN SSHFP 3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C
cats.cacert.org.       IN SSHFP 3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D
cats.intra.cacert.org. IN A     172.16.2.27
====================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
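
The check an administrator wants after a host key change is that the SSHFP records above still match the keys on the machine. The following is an added example, not a script from the CAcert repository: it normalises the output of ``dig +short SSHFP cats.cacert.org`` and ``ssh-keygen -r cats.cacert.org -f <hostkey.pub>`` and reports records that are stale in or missing from DNS. The embedded sample record sets are constructed for an offline run (the RSA entries are the ones documented above, the ECDSA digest is made up).

```shell
#!/bin/sh
# Added example (not part of cacert-infradocs): compare the SSHFP records
# published in DNS with the ones derived from the host's own public keys.
# Real use:  dig +short SSHFP cats.cacert.org > dns.txt
#            for k in /etc/ssh/ssh_host_*_key.pub; do
#                ssh-keygen -r cats.cacert.org -f "$k"; done > local.txt
#            sshfp_check dns.txt local.txt
export LC_ALL=C

# Reduce any SSHFP record line to "ALG FPTYPE HEX" in upper case. Taking the
# last three fields accepts both dig's "1 1 hex" and ssh-keygen's
# "host IN SSHFP 1 1 hex" output; sort -u gives comm the order it needs.
normalize_sshfp() {
    awk 'NF >= 3 { print toupper($(NF-2) " " $(NF-1) " " $NF) }' | sort -u
}

# sshfp_check DNSFILE LOCALFILE: print stale (-) and missing (+) records and
# return 0 only when the two record sets are identical.
sshfp_check() {
    dns_tmp=$(mktemp); loc_tmp=$(mktemp)
    normalize_sshfp < "$1" > "$dns_tmp"
    normalize_sshfp < "$2" > "$loc_tmp"
    comm -23 "$dns_tmp" "$loc_tmp" | sed 's/^/- stale in DNS:   /'
    comm -13 "$dns_tmp" "$loc_tmp" | sed 's/^/+ missing in DNS: /'
    diffs=$(comm -3 "$dns_tmp" "$loc_tmp" | wc -l | tr -d ' ')
    rm -f "$dns_tmp" "$loc_tmp"
    [ "$diffs" -eq 0 ]
}

# Constructed sample data: the RSA records documented for cats.cacert.org on
# the DNS side; on the local side the same keys plus an ECDSA record with a
# made-up digest, so the check must report one record missing from DNS.
SAMPLE_DNS=$(mktemp); SAMPLE_LOCAL=$(mktemp)
cat > "$SAMPLE_DNS" <<'EOF'
1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
EOF
cat > "$SAMPLE_LOCAL" <<'EOF'
cats.cacert.org IN SSHFP 1 1 d29d4cc4662d5cb5f42c02823ca8677f05439589
cats.cacert.org IN SSHFP 1 2 605af57ce0f1ecf8eeac5c71901f1434bf65c06fc0796b932d0f10f21ddf65fe
cats.cacert.org IN SSHFP 3 1 0000000000000000000000000000000000000000
EOF

if sshfp_check "$SAMPLE_DNS" "$SAMPLE_LOCAL"; then
    echo "SSHFP records in DNS match the host keys"
else
    echo "SSHFP records in DNS need attention"
fi
```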

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.10

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+-----------------------------+
| Port     | Service | Origin  | Purpose                     |
+==========+=========+=========+=============================+
| 22/tcp   | ssh     | ANY     | admin console access        |
+----------+---------+---------+-----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
+----------+---------+---------+-----------------------------+
| 80/tcp   | http    | ANY     | CATS                        |
+----------+---------+---------+-----------------------------+
| 443/tcp  | https   | ANY     | CATS                        |
+----------+---------+---------+-----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service   |
+----------+---------+---------+-----------------------------+
| 3306/tcp | mysql   | local   | MySQL database for CATS     |
+----------+---------+---------+-----------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for CATS | init script                            |
|                    |                    | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for CATS    | :file:`/etc/init.d/mysql`              |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; cats_cats

+------------+--------------+---------------------------+
| RDBMS      | Name         | Used for                  |
+============+==============+===========================+
| MySQL      | cats_cats    | CATS database             |
+------------+--------------+---------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs
* HTTPS (443/tcp) to :doc:`secure.cacert.org <../critical/webdb>` for pushing
  test results
* HTTPS (443/tcp) to :doc:`svn` for subversion access
* HTTPS (443/tcp) to `github.com <https://github.com>`_

.. todo:: disable subversion access

Security
========

.. sshkeys::
   :RSA: d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
   :DSA: 0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
   :ECDSA: bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93

Dedicated user roles
--------------------

+-------+----------------------------------------------------------+
| Group | Purpose                                                  |
+=======+==========================================================+
| cats  | The cats group is meant to maintain the CATS application |
+-------+----------------------------------------------------------+

Non-distribution packages and modifications
-------------------------------------------

The CATS software is a custom PHP based system. The application is contained in
:file:`/home/cats/public_html`. The current repository is at
https://github.com/CAcertOrg/cats; historic versions are available at
https://svn.cacert.org/CAcert/Education/CATS. `Instructions for CATS setup
<https://github.com/CAcertOrg/cats/blob/release/INSTALL.txt>`_ can be found in
the git repository.

CATS requires client certificate authentication to be set up in the Apache
httpd server.

.. todo:: add a Vagrantfile to allow easy CATS testing setups

Risk assessments on critical packages
-------------------------------------

CATS, as a PHP application, is exposed to the vulnerability classes common to
PHP web applications. The system has to be kept up to date with OS patches.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

The server certificate for the CATS web application.

.. sslcert:: cats.cacert.org
   :certfile: /home/cats/ssl/certs/cats_cert.pem
   :keyfile: /home/cats/ssl/private/cats_privatekey.pem
   :serial: 11E840
   :expiration: Mar 31 18:11:48 2018 GMT
   :sha1fp: 9B:9B:C5:8B:26:51:3A:CF:C1:11:7A:27:24:DB:DD:CF:AF:C3:61:C4
   :issuer: CAcert.org Class 1 Root

.. _cats_client_cert:

Client certificate for pushing results to secure.cacert.org.

.. sslcert:: cats@cacert.org
   :altnames: EMAIL:cats@cacert.org
   :certfile: /home/cats/private/cert_201605.pem
   :keyfile: /home/cats/private/key_201605.pem
   :serial: 0266AE
   :expiration: May 7 21:14:39 2016 GMT
   :sha1fp: F9:8D:DC:67:68:30:5D:46:84:DE:77:F1:70:1A:E1:F7:9C:F4:DC:9A
   :issuer: CAcert Class 3 Root

.. todo:: move certificates to :file:`/etc/ssl/public` and keys to
   :file:`/etc/ssl/private`

* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt` CAcert.org Class
  1 and Class 3 CA certificates (allowed CA certificates for client certificates
  and certificate chain for server certificate)
* :file:`/home/cats/public_html/education.txt` is a symbolic link pointing to
  the most current client certificate issued to the education@cacert.org
  address.

.. index::
   pair: CATS; configuration

CATS configuration
------------------

CATS configuration is stored in files in
:file:`/home/cats/public_html/index.php` (roughly based on
:file:`index.php.template` from git) and
:file:`/home/cats/public_html/includes/db_connect.inc`.

.. todo:: move CATS configuration to :file:`/etc/`
.. todo:: refactor CATS to not store configuration in the PHP session

CATS uses two cronjobs in the cats user's crontab::

   # m h dom mon dow command
   MAILTO=bernhard@cacert.org
   */5 * * * * /home/cats/tools/do_upload
   # Reduced upload rate during problems...
   #0 * * * * /home/cats/tools/do_upload
   35 4 * * * /home/cats/tools/do_backup

The :file:`do_upload` job uses the client :ref:`certificate for cats@cacert.org
<cats_client_cert>` to authenticate to secure.cacert.org.

The :file:`do_backup` job creates a backup of the *cats_cats* MySQL database.
The backups are rotated (9 copies are kept) and encrypted to PGP keys of
:ref:`people_ted` and :ref:`people_philipp`. The job also attempts to fetch a
database dump from http://cats1.it-sls.de/dump.gz and store it in
:file:`/home/cats/dumps/dump.dev.gz`. This functionality is broken.
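
Since the real :file:`/home/cats/tools/do_backup` is not in git, the following added example sketches what the paragraph above describes: a dump of the *cats_cats* database encrypted to two administrators' PGP public keys, with only the nine newest copies kept. It is not the CAcert script; the backup directory, the placeholder key IDs and the use of :file:`~/.my.cnf` for database credentials are assumptions.

```shell
#!/bin/sh
# Added example, not the real /home/cats/tools/do_backup. The backup directory
# and the two recipient key IDs are placeholders. Only public keys are needed
# for encryption, so no administrator's private key has to live on the host.
BACKUP_DIR=${BACKUP_DIR:-/home/cats/backups}
KEEP=9
RECIPIENTS="--recipient TED_KEY_ID_PLACEHOLDER --recipient PHILIPP_KEY_ID_PLACEHOLDER"

# Write one encrypted dump named cats_cats-YYYYMMDD-HHMMSS.sql.gz.gpg and print
# its path. A failed pipeline leaves no half-written file behind.
dump_database() {
    stamp=$(date -u +%Y%m%d-%H%M%S)
    out="$BACKUP_DIR/cats_cats-$stamp.sql.gz.gpg"
    # mysqldump takes its credentials from ~/.my.cnf (assumed), not from argv,
    # so the password never shows up in the process list.
    mysqldump --single-transaction cats_cats | gzip -9 \
        | gpg --batch --yes --trust-model always $RECIPIENTS \
              --encrypt --output "$out" \
        || { rm -f "$out"; return 1; }
    echo "$out"
}

# rotate_backups DIR KEEP: delete all but the KEEP newest dumps. The UTC
# timestamp in the file name sorts chronologically, so mtime is not needed and
# files that do not follow the naming scheme are left alone.
rotate_backups() {
    dir=$1; keep=$2
    ls "$dir" | grep '^cats_cats-.*\.sql\.gz\.gpg$' | sort -r \
        | tail -n +"$((keep + 1))" \
        | while IFS= read -r old; do rm -f "$dir/$old"; done
}

# count_backups DIR: number of dumps currently kept.
count_backups() {
    ls "$1" | grep -c '^cats_cats-.*\.sql\.gz\.gpg$'
}

# Run the job only when asked explicitly, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    dump_database && rotate_backups "$BACKUP_DIR" "$KEEP"
fi
```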

.. todo:: either fix fetching from the test system or remove this functionality
.. todo:: use :file:`/etc/cron.d` instead of user specific crontab
.. todo:: put the scripts in :file:`/home/cats/tools/` into git

.. seealso::

   Instructions for `CATS translation
   <https://wiki.cacert.org/Brain/Study/EducationTraining/CATSTranslation>`_

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
modified to improve TLS settings and define an HTTP and an HTTPS VirtualHost
for cats.cacert.org.

.. literalinclude:: ../configdiff/cats/apache/cats-apache-config.diff
   :language: diff

.. index::
   pair: logrotate; configuration

logrotate configuration
-----------------------

CATS specific Apache httpd logfiles are rotated by logrotate. The rotation is
controlled by a separate configuration in :file:`/etc/logrotate.d/cats`:

.. literalinclude:: ../configdiff/cats/logrotate/cats

.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: Postfix; configuration

Tasks
=====

Planned
-------

.. todo:: update to Debian Jessie
.. todo:: setup IPv6
.. todo:: setup CRL checks

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

PHP documentation
   https://secure.php.net/manual/en/