Bugs

Purpose

This system provides the public bug tracker for the CAcert community.

Application Links

Bugtracker

https://bugs.cacert.org/

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: Dirk Astrath

Application Administration

Application	Administrator(s)
Mantis Administrator	Michael Tänzer, Mario Lipinski, Dirk Astrath, Jan Dittberner, Bernhard Fröhlich, Philipp Gühring
Mantis Manager

Contact

• bugs-admin@cacert.org

Additional People

Mario Lipinski and Wytze van der Raay have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

213.154.225.232

IP Intranet

172.16.2.16

IP Internal

10.0.0.16

IPv6

2001:7b8:616:162:2::16

MAC address

00:ff:fe:13:14:7a (eth0)

See also

See Network

Monitoring

internal checks

Monitoring checks for bugs.infra.cacert.org

DNS

Name	Type	Content
bugs.cacert.org.	IN A	213.154.225.232
bugs.cacert.org.	IN AAAA	2001:7b8:616:162:2::16
bugs.cacert.org.	IN SSHFP	1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org	IN SSHFP	1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
bugs.cacert.org.	IN SSHFP	2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.cacert.org	IN SSHFP	2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
bugs.cacert.org	IN SSHFP	3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
bugs.cacert.org	IN SSHFP	3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
bugs.cacert.org	IN SSHFP	4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
bugs.cacert.org	IN SSHFP	4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
bugs.intra.cacert.org.	IN A	172.16.2.16

See also

See Wiki SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 10.9

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	http	ANY	web server for bug tracker
443/tcp	https	ANY	web server for bug tracker
5665/tcp	icinga2	monitor	remote monitoring service
3306/tcp	mariadb	local	MariaDB database for bug tracker

Running services

Service	Usage	Start mechanism
Apache httpd	Webserver for bug tracker	systemd unit apache2.service
cron	job scheduler	systemd unit cron.service
dbus-daemon	System message bus daemon	systemd unit dbus.service
icinga2	Icinga2 monitoring agent	systemd unit icinga2.service
MariaDB	MariaDB database server for bug tracker	systemd unit mariadb.service
openssh server	ssh daemon for remote administration	systemd unit ssh.service
Postfix	SMTP server for local mail submission	systemd unit postfix.service
Puppet agent	configuration management agent	systemd unit puppet.service
rsyslog	syslog daemon	systemd unit rsyslog.service

Databases

RDBMS	Name	Used for
MariaDB	mantis	Mantis bug tracker

Connected Systems

• Monitor

Outbound network connections

• Infra02 as resolving nameserver

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT

• crl.cacert.org (rsync) for getting CRLs

• HTTP (80/tcp) to Git

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo, MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
DSA	SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI, MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
ECDSA	SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ, MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
ED25519	SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU, MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07

See also

SSH host key list

Non-distribution packages and modifications

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

• Mantis installed in /srv/mantis (linked to /srv/mantisbt-2.4.2)

• custom built certificate authentication-plugin by Dirk Astrath https://github.com/dastrath/CertificateAuthentication_Mantis

• For client certificate authentication a Class-3 client certificate issued by CAcert is needed, 1st email-adress in certificate has to match email-adress in account

Risk assessments on critical packages

Mantis as a PHP application is vulnerable to common PHP problems. The system has to be kept up-to-date with OS patches. The custom built mantis package has to be updated when new releases are provided upstream.

Administrators for this system should subscribe to the mantisbt-announce@lists.sourceforge.net list to get notified when updates are released.

The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The puppet agent is not exposed for access from outside the system.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Todo

move all configuration of bugs to Puppet code

Keys and X.509 certificates

All keys and certificates are managed in the file hieradata/nodes/bugs.yaml in the CAcert Git repository cacert-puppet.

• Certificate for CN bugs.cacert.org, see details in the certificate list

• certificate in file /etc/ssl/public/bugs.cacert.org.chain.pem

• private key in file /etc/ssl/private/bugs.cacert.org.key.pem

• /etc/ssl/public/bugs.cacert.org_client_cas.pem CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

Mantis configuration

The Mantis bug tracker configuration is stored in the directory /etc/mantis/.

• config_inc.php contains the database settings for Mantis

• config_local.php the main configuration file, including custom bug states

• custom_constants_inc.php defines custom constants. Required for the non-default bug states

• custom_strings_inc.php defines custom string definitions. Required for the non-default bug states

Note

Localisation for these could go here but currently I would avoid that so all developers have the same vocabulary.

– Michael Tänzer 2011-07-04 02:44:45

Apache httpd configuration

The Apache httpd configuration in the directory /etc/apache2/ has been changed to add some additional headers to improve client security:

diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf	2015-11-28 13:59:22.000000000 +0100
+++ bugs/etc/apache2/conf-available/security.conf	2016-05-08 14:04:46.335145675 +0200
@@ -5,11 +5,11 @@
 # This currently breaks the configurations that come with some web application
 # Debian packages.
 #
-#<Directory />
-#   AllowOverride None
-#   Order Deny,Allow
-#   Deny from all
-#</Directory>
+<Directory />
+	AllowOverride None
+	Order Deny,Allow
+	Deny from all
+</Directory>
 
 
 # Changing the following options will not really affect the security of the
@@ -61,14 +61,24 @@
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Content-Type-Options: "nosniff"
+Header set X-Content-Type-Options: "nosniff"
+
+#
+# Some browsers have a built-in XSS filter that will detect some cross site
+# scripting attacks. By default, these browsers modify the suspicious part of
+# the page and display the result. This behavior can create various problems
+# including new security issues. This header will tell the XSS filter to
+# completely block access to the page instead.
+# Requires mod_headers to be enabled.
+#
+Header set X-XSS-Protection: "1; mode=block"
 
 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
-#Header set X-Frame-Options: "sameorigin"
+Header set X-Frame-Options: "sameorigin"
 
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The Mantis VirtualHost is configured in /etc/apache2/sites-available/mantis (shared configuration) that includes configuration from the mantis package provided /etc/apache2/conf.d/mantis file, /etc/apache2/sites-available/mantis-nossl.conf (HTTP VirtualHost) and /etc/apache2/sites-available/mantis-ssl.conf (HTTPS VirtualHost).

MySQL configuration

MySQL configuration is stored in the /etc/mysql/ directory.

Rsyslog configuration

Rsyslog is configured by Puppet.

Tasks

Todo

add a section documenting how to manage mantis projects

Todo

add a section documenting how to manage mantis users

Changes

Planned

Todo

Switch ingest traffic for webmail to proxyin and drop http redirector configuration from Apache httpd

System Future

• No plans

Additional documentation

See also

• Wiki PostfixConfiguration

References

Mantis Bugtracker documentation

https://www.mantisbt.org/documentation.php

Apache httpd documentation

https://httpd.apache.org/docs/2.4/