Bugs
Purpose
This system provides the public bug tracker for the CAcert community.
Application Links
- Bugtracker
Administration
System Administration
Primary: Jan Dittberner
Secondary: Dirk Astrath
Application Administration
Application | Administrator(s)
---|---
Mantis Administrator | Michael Tänzer, Mario Lipinski, Dirk Astrath, Jan Dittberner, Bernhard Fröhlich, Philipp Gühring
Mantis Manager |
Contact
Additional People
No additional people have sudo access on that machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:fe:13:14:7a (eth0)
See also: Network
Monitoring
- internal checks:
DNS
Name | Type | Content
---|---|---
bugs.cacert.org. | IN A | 213.154.225.232
bugs.cacert.org. | IN AAAA | 2001:7b8:616:162:2::16
bugs.cacert.org. | IN SSHFP | 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org | IN SSHFP | 1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
bugs.cacert.org. | IN SSHFP | 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.cacert.org | IN SSHFP | 2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
bugs.cacert.org | IN SSHFP | 3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
bugs.cacert.org | IN SSHFP | 3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
bugs.cacert.org | IN SSHFP | 4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
bugs.cacert.org | IN SSHFP | 4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
bugs.intra.cacert.org. | IN A | 172.16.2.16
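As an added check (not part of the original CAcert documentation), the following Python script computes SSHFP fingerprints from a host key as ssh-keyscan prints it and compares them with published records written in the "algorithm type hex" form used in the table above. The host key in it is a constructed sample, not the real bugs.cacert.org key.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3), RFC 7479 (Ed25519=4)
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_of_key(keytype: str, b64_blob: str, fptype: int) -> tuple:
    """(algorithm, fptype, hex fingerprint) for one host key; the fingerprint is the
    digest of the raw key blob, i.e. the base64-decoded key field of a keyscan line."""
    blob = base64.b64decode(b64_blob)
    return SSHFP_ALGORITHMS[keytype], fptype, SSHFP_DIGESTS[fptype](blob).hexdigest()

def parse_sshfp(rdata: str) -> tuple:
    """Parse SSHFP rdata such as '4 2 caa52e4c...'; the hex part may be upper case
    or split by whitespace, as it appears in zone files and in the table above."""
    alg, fptype, fp = rdata.split(None, 2)
    return int(alg), int(fptype), "".join(fp.split()).lower()

def verify_host_key(keyscan_line: str, sshfp_rdata: list) -> bool:
    """Accept a 'host keytype base64' line only if a published SHA-256 (type 2)
    record matches it; a SHA-1-only match is deliberately not sufficient."""
    _host, keytype, b64_blob = keyscan_line.split()[:3]
    expected = sshfp_of_key(keytype, b64_blob, 2)
    return any(parse_sshfp(r) == expected for r in sshfp_rdata)

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key (NOT the real bugs.cacert.org host key): a well-formed
# ssh-ed25519 blob whose 32 key bytes are simply 0x00..0x1f.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN = "bugs.example ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
# Records as they would be published for that sample key, in '<alg> <type> <hex>' form.
SAMPLE_RECORDS = [
    "4 1 " + hashlib.sha1(SAMPLE_BLOB).hexdigest(),
    "4 2 " + hashlib.sha256(SAMPLE_BLOB).hexdigest().upper(),
]
# A record computed from a different key blob, i.e. what a substituted host key would give.
TAMPERED_RECORDS = ["4 2 " + hashlib.sha256(SAMPLE_BLOB + b"\x00").hexdigest()]

if __name__ == "__main__":
    print("genuine key accepted:", verify_host_key(SAMPLE_KEYSCAN, SAMPLE_RECORDS))
    print("substituted key accepted:", verify_host_key(SAMPLE_KEYSCAN, TAMPERED_RECORDS))
```

To check the real host, feed the output of ssh-keyscan bugs.cacert.org and the SSHFP rdata from the table (or from a dig SSHFP query) into verify_host_key.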
Operating System
Debian GNU/Linux 11 Bullseye
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | web server for bug tracker
443/tcp | https | ANY | web server for bug tracker
5665/tcp | icinga2 | monitor | remote monitoring service
3306/tcp | mariadb | local | MariaDB database for bug tracker
Running services
Service | Usage | Start mechanism
---|---|---
Apache httpd | Webserver for bug tracker | systemd unit
cron | job scheduler | systemd unit
dbus-daemon | System message bus daemon | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
MariaDB | MariaDB database server for bug tracker | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Postfix | SMTP server for local mail submission | systemd unit
Puppet agent | configuration management agent | systemd unit
rsyslog | syslog daemon | systemd unit
Databases
RDBMS | Name | Used for
---|---|---
MariaDB | mantis | Mantis bug tracker
Connected Systems
Outbound network connections
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA |
ECDSA |
ED25519 |
Non-distribution packages and modifications
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Mantis is installed in /srv/mantis (linked to /srv/mantisbt-2.4.2).
A custom-built certificate authentication plugin by Dirk Astrath is used: https://github.com/dastrath/CertificateAuthentication_Mantis
For client certificate authentication a Class 3 client certificate issued by CAcert is needed; the first email address in the certificate has to match the email address of the account.
Risk assessments on critical packages
Mantis, as a PHP application, is exposed to the common classes of PHP web application vulnerabilities. The system has to be kept up to date with OS patches, and the custom-built Mantis package has to be updated when new releases are provided upstream.
Administrators for this system should subscribe to the mantisbt-announce@lists.sourceforge.net list to get notified when updates are released.
The system uses third-party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The Puppet agent is not exposed for access from outside the system.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Todo
move all configuration of bugs to Puppet code
Keys and X.509 certificates
All keys and certificates are managed in the file hieradata/nodes/bugs.yaml in the CAcert Git repository cacert-puppet.
- Certificate for CN bugs.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/public/bugs.cacert.org.chain.pem
  - private key in file /etc/ssl/private/bugs.cacert.org.key.pem
- /etc/ssl/public/bugs.cacert.org_client_cas.pem: CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
Mantis configuration
The Mantis bug tracker configuration is stored in the directory /etc/mantis/.
- config_inc.php: contains the database settings for Mantis
- config_local.php: the main configuration file, including custom bug states
- custom_constants_inc.php: defines custom constants. Required for the non-default bug states
- custom_strings_inc.php: defines custom string definitions. Required for the non-default bug states
Note
Localisation for these could go here but currently I would avoid that so all developers have the same vocabulary.
– Michael Tänzer 2011-07-04 02:44:45
Apache httpd configuration
The Apache httpd configuration in the directory /etc/apache2/ has been changed to add some additional headers to improve client security:
diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
+++ bugs/etc/apache2/conf-available/security.conf 2016-05-08 14:04:46.335145675 +0200
@@ -5,11 +5,11 @@
# This currently breaks the configurations that come with some web application
# Debian packages.
#
-#<Directory />
-# AllowOverride None
-# Order Deny,Allow
-# Deny from all
-#</Directory>
+<Directory />
+ AllowOverride None
+ Order Deny,Allow
+ Deny from all
+</Directory>
# Changing the following options will not really affect the security of the
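Review bot: the uncommented `<Directory />` block uses `Order Deny,Allow` / `Deny from all`, which is Apache 2.2 access-control syntax; on the Apache 2.4 that ships with Debian 11 Bullseye (listed under Operating System above) it only works while mod_access_compat is loaded, so the 2.4-native form `Require all denied` would be the more robust choice. With the filesystem root denied, every DocumentRoot and Alias used by the Mantis VirtualHosts needs its own explicit allow; that is exactly the breakage the retained comment ("This currently breaks the configurations that come with some web application Debian packages") warns about, so the directory blocks in mantis-ssl.conf and mantis-nossl.conf should be checked after this change is deployed.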
@@ -61,14 +61,24 @@
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
-#Header set X-Content-Type-Options: "nosniff"
+Header set X-Content-Type-Options: "nosniff"
+
+#
+# Some browsers have a built-in XSS filter that will detect some cross site
+# scripting attacks. By default, these browsers modify the suspicious part of
+# the page and display the result. This behavior can create various problems
+# including new security issues. This header will tell the XSS filter to
+# completely block access to the page instead.
+# Requires mod_headers to be enabled.
+#
+Header set X-XSS-Protection: "1; mode=block"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
-#Header set X-Frame-Options: "sameorigin"
+Header set X-Frame-Options: "sameorigin"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
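Review bot: the added `Header set X-XSS-Protection: "1; mode=block"` relies on the browser-side XSS auditor, which current browsers no longer provide (Chrome removed it in version 78, Firefox never implemented it), so the header gives no protection to today's clients, and the filter it targets was itself a source of the "new security issues" the added comment mentions; a `Content-Security-Policy` header is the current replacement for that purpose. Since the bug tracker is served over HTTPS on 443/tcp, a `Strict-Transport-Security` header is also absent from this security.conf and would fit the stated goal of improving client security. The `X-Content-Type-Options` and `X-Frame-Options` changes are fine as they stand.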
The Mantis VirtualHost is configured in /etc/apache2/sites-available/mantis (shared configuration), which includes configuration from the /etc/apache2/conf.d/mantis file provided by the mantis package, /etc/apache2/sites-available/mantis-nossl.conf (HTTP VirtualHost) and /etc/apache2/sites-available/mantis-ssl.conf (HTTPS VirtualHost).
MySQL configuration
MySQL configuration is stored in the /etc/mysql/ directory.
Rsyslog configuration
Rsyslog is configured by Puppet.
Tasks
Todo
add a section documenting how to manage mantis projects
Todo
add a section documenting how to manage mantis users
Changes
Planned
Todo
Switch ingest traffic for webmail to proxyin and drop http redirector configuration from Apache httpd
System Future
No plans
Additional documentation
References
- Mantis Bugtracker documentation
- Apache httpd documentation