Bugs

Purpose

This system provides the public bug tracker for the CAcert community.

Administration

System Administration

Application Administration

Application           Administrator(s)
--------------------  -----------------------------------------------------------------------------------------------
Mantis Administrator  Michael Tänzer, Mario Lipinski, Dirk Astrath, Jan Dittberner, Bernhard Fröhlich, Philipp Gühring
Mantis Manager

Additional People

Mario Lipinski and Wytze van der Raay have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet    213.154.225.232
IP Intranet    172.16.2.16
IP Internal    10.0.0.16
IPv6           2001:7b8:616:162:2::16
MAC address    00:ff:fe:13:14:7a (eth0)
See also       Network

DNS

Name                    Type      Content
----------------------  --------  ------------------------------------------------------------------
bugs.cacert.org.        IN A      213.154.225.232
bugs.cacert.org.        IN AAAA   2001:7b8:616:162:2::16
bugs.cacert.org.        IN SSHFP  1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org         IN SSHFP  1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
bugs.cacert.org.        IN SSHFP  2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.cacert.org         IN SSHFP  2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
bugs.cacert.org         IN SSHFP  3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
bugs.cacert.org         IN SSHFP  3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
bugs.cacert.org         IN SSHFP  4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
bugs.cacert.org         IN SSHFP  4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
bugs.intra.cacert.org.  IN A      172.16.2.16

Operating System

  • Debian GNU/Linux 9.9

Services

Listening services

Port      Service  Origin   Purpose
--------  -------  -------  ------------------------------
22/tcp    ssh      ANY      admin console access
25/tcp    smtp     local    mail delivery to local MTA
80/tcp    http     ANY      web server for bug tracker
443/tcp   https    ANY      web server for bug tracker
5665/tcp  icinga2  monitor  remote monitoring service
3306/tcp  mysql    local    MySQL database for bug tracker
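The listening services table above is only useful if the host actually matches it. The following is an added example (not part of this page or of CAcert's tooling) that parses the output of `ss -ltn`, compares it with the documented port/origin pairs, and reports drift: an undocumented listener, or a service documented as "local" that is bound to a non-loopback address. The `ss` output below is constructed sample data, not a capture from bugs.cacert.org; the "monitor" origin cannot be verified from a socket listing alone (that restriction lives in the firewall), so it is treated like ANY here.

```python
# Documented listening services from the table above: port -> origin.
DOCUMENTED = {
    22: "ANY",
    25: "local",
    80: "ANY",
    443: "ANY",
    5665: "monitor",
    3306: "local",
}

# Addresses that count as "local" binds (as `ss` prints them).
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample of `ss -ltn` output (NOT a capture from the real host).
# It deliberately contains two deviations from the documented table:
# mysql bound to all interfaces and an undocumented listener on 8080.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     *:80                *:*
LISTEN  0       128     *:443               *:*
LISTEN  0       128     *:5665              *:*
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*
"""


def parse_ss_listen(output):
    """Return the set of (local address, port) pairs from `ss -ltn` output.

    The header line and anything that is not a LISTEN socket is ignored; the
    port is split off at the last colon so IPv6 addresses survive intact."""
    sockets = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        sockets.add((addr, int(port)))
    return sockets


def audit_listeners(sockets, documented=DOCUMENTED):
    """Compare observed listeners with the documented table and return findings.

    Three kinds of drift are reported: a port that is not documented at all, a
    port documented as local-only that is bound to a non-loopback address, and
    a documented port that is not listening (a possibly failed service)."""
    findings = []
    for addr, port in sorted(sockets, key=lambda s: (s[1], s[0])):
        origin = documented.get(port)
        if origin is None:
            findings.append(f"port {port}/tcp on {addr} is not in the documented service table")
        elif origin == "local" and addr not in LOOPBACK:
            findings.append(f"port {port}/tcp is documented as local-only but listens on {addr}")
    listening_ports = {port for _, port in sockets}
    for port, origin in documented.items():
        if port not in listening_ports:
            findings.append(f"documented port {port}/tcp ({origin}) is not listening")
    return findings


if __name__ == "__main__":
    # On the real host one would feed in subprocess.run(["ss", "-ltn"], ...).stdout instead.
    for finding in audit_listeners(parse_ss_listen(SAMPLE_SS_OUTPUT)):
        print("DRIFT:", finding)
```

Run periodically (or as an Icinga2 check, which this host already runs an agent for), an empty findings list means the host still matches its documentation; anything else is either an undocumented change or a configuration error that widens the attack surface.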

Running services

Service         Usage                                    Start mechanism
--------------  ---------------------------------------  ------------------------------
Apache httpd    Webserver for bug tracker                systemd unit apache2.service
cron            job scheduler                            systemd unit cron.service
dbus-daemon     System message bus daemon                systemd unit dbus.service
icinga2         Icinga2 monitoring agent                 systemd unit icinga2.service
MariaDB         MariaDB database server for bug tracker  systemd unit mariadb.service
openssh server  ssh daemon for remote administration     systemd unit ssh.service
Postfix         SMTP server for local mail submission    systemd unit postfix.service
Puppet agent    configuration management agent           systemd unit puppet.service
rsyslog         syslog daemon                            systemd unit rsyslog.service

Databases

RDBMS    Name    Used for
-------  ------  ------------------
MariaDB  mantis  Mantis bug tracker

Connected Systems

Outbound network connections

  • Infra02 as resolving nameserver

  • Emailout as SMTP relay

  • Puppet (tcp/8140) as Puppet master

  • Proxyout as HTTP proxy for APT

  • crl.cacert.org (rsync) for getting CRLs

  • HTTP (80/tcp) to Git

Security

SSH host keys

Algorithm  Fingerprints
---------  -------------------------------------------------------------------------------------------------------
RSA        SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo, MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
DSA        SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI, MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
ECDSA      SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ, MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
ED25519    SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU, MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07
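The SSHFP records in the DNS table and the SHA256 fingerprints above are the same SHA-256 digests of the host public keys in two encodings (SSHFP type 2 is the raw digest in hex; OpenSSH prints it as unpadded base64 behind `SHA256:`), so the two tables can be cross-checked without logging in. The following is an added example (not part of this page or of CAcert's tooling) that converts between the two forms, verifies every SSHFP type-2 record on this page against the corresponding fingerprint, and computes fresh SSHFP rdata from an OpenSSH public key line as obtained from `ssh-keyscan` or `/etc/ssh/ssh_host_*_key.pub`. The ed25519 public key line used for that last part is constructed from constant bytes and is not this host's key; the algorithm and digest type numbers come from RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers keyed by OpenSSH key type (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

# (algorithm, SSHFP type-2 rdata, OpenSSH fingerprint) copied from the two tables on this page.
PAGE_RECORDS = [
    ("RSA", "1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a",
     "SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo"),
    ("DSA", "2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892",
     "SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI"),
    ("ECDSA", "3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44",
     "SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ"),
    ("ED25519", "4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15",
     "SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU"),
]


def fingerprint_to_sshfp_digest(fingerprint):
    """Turn an OpenSSH 'SHA256:<unpadded base64>' fingerprint into the lowercase hex
    digest carried by an SSHFP record of type 2. Both are the SHA-256 of the raw
    public key blob, so no key material is needed for the conversion."""
    prefix = "SHA256:"
    if not fingerprint.startswith(prefix):
        raise ValueError("only SHA256: fingerprints correspond to SSHFP digest type 2")
    b64 = fingerprint[len(prefix):]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # OpenSSH strips the padding
    if len(raw) != 32:
        raise ValueError("a SHA-256 fingerprint must decode to 32 bytes")
    return raw.hex()


def sshfp_digest_to_fingerprint(hexdigest):
    """Inverse of fingerprint_to_sshfp_digest."""
    return "SHA256:" + base64.b64encode(bytes.fromhex(hexdigest)).decode().rstrip("=")


def parse_sshfp(rdata):
    """Split SSHFP rdata '<alg> <type> <hex>' into (alg, type, lowercase hex)."""
    alg, fptype, digest = rdata.split()
    return int(alg), int(fptype), digest.lower()


def sshfp_matches_fingerprint(rdata, fingerprint):
    """True when a type-2 SSHFP record and an OpenSSH SHA256 fingerprint name the same key."""
    _, fptype, digest = parse_sshfp(rdata)
    if fptype != 2:
        raise ValueError("a SHA256: fingerprint can only be compared with SSHFP type 2")
    return digest == fingerprint_to_sshfp_digest(fingerprint)


def sshfp_from_pubkey_line(line):
    """Compute SSHFP rdata (types 1 and 2) from one OpenSSH public key line, either
    '<keytype> <base64 blob> [comment]' or ssh-keyscan's '<host> <keytype> <base64 blob>'."""
    fields = line.split()
    if fields[0] not in SSHFP_ALGORITHM:  # ssh-keyscan output starts with the host name
        fields = fields[1:]
    keytype, b64 = fields[:2]
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{alg} {fptype} {h(blob).hexdigest()}" for fptype, h in sorted(SSHFP_DIGEST.items())]


def constructed_ed25519_pubkey_line():
    """A syntactically valid ssh-ed25519 public key line built from constant bytes.
    Constructed test data only: not a real key pair and not this host's key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for name, rdata, fingerprint in PAGE_RECORDS:
        print(f"{name}: SSHFP record matches fingerprint: {sshfp_matches_fingerprint(rdata, fingerprint)}")
    for rec in sshfp_from_pubkey_line(constructed_ed25519_pubkey_line()):
        print("bugs.cacert.org. IN SSHFP", rec)
```

After a host key rotation, feeding the new `ssh_host_*_key.pub` files through `sshfp_from_pubkey_line` gives the exact rdata to publish, and running the comparison against `ssh-keyscan` output catches a stale DNS record before clients with `VerifyHostKeyDNS` start seeing mismatches.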

Non-distribution packages and modifications

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

Mantis, as a PHP application, is exposed to the common classes of PHP web application vulnerabilities. The system has to be kept up to date with OS patches, and the custom-built mantis package has to be updated whenever a new release is provided upstream.

Administrators for this system should subscribe to the mantisbt-announce@lists.sourceforge.net list to get notified when updates are released.

The system uses third-party packages with a good security track record and regular updates. The attack surface is small because access to the system is tightly restricted. The Puppet agent is not exposed to access from outside the system.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of Bugs to Puppet code

Keys and X.509 certificates

  • Certificate for CN bugs.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/bugs.c.o.crt

    • private key in file /etc/ssl/private/bugs.c.o.key

Mantis configuration

The Mantis bug tracker configuration is stored in the directory /etc/mantis/.

  • config_inc.php contains the database settings for Mantis

  • config_local.php is the main configuration file, including the custom bug states

  • custom_constants_inc.php defines custom constants; required for the non-default bug states

  • custom_strings_inc.php defines custom string definitions; required for the non-default bug states

Note

Localisation for these could go here but currently I would avoid that so all developers have the same vocabulary.

Michael Tänzer 2011-07-04 02:44:45

Apache httpd configuration

The Apache httpd configuration in the directory /etc/apache2/ has been changed to add some additional headers to improve client security:

diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf	2015-11-28 13:59:22.000000000 +0100
+++ bugs/etc/apache2/conf-available/security.conf	2016-05-08 14:04:46.335145675 +0200
@@ -5,11 +5,11 @@
 # This currently breaks the configurations that come with some web application
 # Debian packages.
 #
-#<Directory />
-#   AllowOverride None
-#   Order Deny,Allow
-#   Deny from all
-#</Directory>
+<Directory />
+	AllowOverride None
+	Order Deny,Allow
+	Deny from all
+</Directory>
 
 
 # Changing the following options will not really affect the security of the
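Review bot: the `Order Deny,Allow` / `Deny from all` block being enabled in `<Directory />` is Apache 2.2 access-control syntax; on the Apache 2.4 that Debian 9 ships (and that the references below document) these directives only work while `mod_access_compat` is loaded, so the 2.4-native `Require all denied` is the robust form. The comment kept above the block ("This currently breaks the configurations that come with some web application Debian packages") now describes the enabled state rather than a disabled suggestion, so either reword it or confirm that the mantis `conf.d` file grants access to its own document root with an explicit `Require`/`Allow`, otherwise every request answers 403.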
@@ -61,14 +61,24 @@
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Content-Type-Options: "nosniff"
+Header set X-Content-Type-Options: "nosniff"
+
+#
+# Some browsers have a built-in XSS filter that will detect some cross site
+# scripting attacks. By default, these browsers modify the suspicious part of
+# the page and display the result. This behavior can create various problems
+# including new security issues. This header will tell the XSS filter to
+# completely block access to the page instead.
+# Requires mod_headers to be enabled.
+#
+Header set X-XSS-Protection: "1; mode=block"
 
 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Frame-Options: "sameorigin"
+Header set X-Frame-Options: "sameorigin"
 
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
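Review bot: `Header set` without a condition only applies to successful (2xx) responses, so Mantis error pages (403, 404, 500) go out without X-Frame-Options, X-Content-Type-Options and X-XSS-Protection even though they can be framed or sniffed just like any other page; use `Header always set X-Frame-Options: "sameorigin"` (and likewise for the other two) unless there is a reason to exclude error responses. The new comment block describing the browser XSS filter should also note that current browsers have removed that filter, so the header only helps legacy clients and a Content-Security-Policy header is the supported successor.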

The Mantis VirtualHost is configured in /etc/apache2/sites-available/mantis (the shared configuration), which includes the /etc/apache2/conf.d/mantis file provided by the mantis package, /etc/apache2/sites-available/mantis-nossl.conf (the HTTP VirtualHost) and /etc/apache2/sites-available/mantis-ssl.conf (the HTTPS VirtualHost).

MySQL configuration

MySQL configuration is stored in the /etc/mysql/ directory.

Rsyslog configuration

Rsyslog has been configured not to read the kernel log (the imklog module is disabled):

--- orig/etc/rsyslog.conf      2015-12-14 13:34:27.000000000 +0100
+++ bugs/etc/rsyslog.conf  2015-03-03 22:22:44.385835152 +0100
@@ -9,7 +9,7 @@
 #################

 $ModLoad imuxsock # provides support for local system logging
-$ModLoad imklog   # provides kernel logging support
+#$ModLoad imklog   # provides kernel logging support
 #$ModLoad immark  # provides --MARK-- message capability

 # provides UDP syslog reception
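Review bot: the reason for commenting out `$ModLoad imklog` is not recorded in the file itself; since this system is an LXC container on Infra02 (see Physical Location above), it shares the host kernel and normally cannot read the kernel log, so a one-line comment saying so next to the disabled module keeps a future administrator from re-enabling it. The timestamps in the diff header also look reversed (`bugs/etc/rsyslog.conf` is dated 2015-03-03, older than the 2015-12-14 `orig` copy), so the diff should be regenerated against the currently installed package default to make sure no other local change is hidden.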

The postfix package installed /etc/rsyslog.d/postfix.conf to add an additional logging socket in the Postfix chroot.

Tasks

Todo

add a section documenting how to manage mantis projects

Todo

add a section documenting how to manage mantis users

Changes

Planned

Todo

upgrade to Debian 10 (when Puppet is available)

System Future

  • No plans

Additional documentation

References

Mantis Bugtracker documentation

https://www.mantisbt.org/documentation.php

Apache httpd documentation

https://httpd.apache.org/docs/2.4/