Bugs¶
Purpose¶
This system provides the public bug tracker for the CAcert community.
Application Links¶
- Bugtracker
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: Dirk Astrath
Application Administration¶
Application |
Administrator(s) |
|---|---|
Mantis Administrator |
Michael Tänzer, Mario Lipinski, Dirk Astrath, Jan Dittberner, Bernhard Fröhlich, Philipp Gühring |
Mantis Manager |
Contact¶
Additional People¶
Mario Lipinski and Wytze van der Raay have sudo access on that machine too.
Basics¶
Logical Location¶
- IP Internet
- IP Intranet
- IP Internal
- IPv6
- MAC address
00:ff:fe:13:14:7a(eth0)
See also
See Network
Monitoring¶
- internal checks
DNS¶
Name |
Type |
Content |
|---|---|---|
bugs.cacert.org. |
IN A |
213.154.225.232 |
bugs.cacert.org. |
IN AAAA |
2001:7b8:616:162:2::16 |
bugs.cacert.org. |
IN SSHFP |
1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8 |
bugs.cacert.org |
IN SSHFP |
1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a |
bugs.cacert.org. |
IN SSHFP |
2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2 |
bugs.cacert.org |
IN SSHFP |
2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892 |
bugs.cacert.org |
IN SSHFP |
3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7 |
bugs.cacert.org |
IN SSHFP |
3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44 |
bugs.cacert.org |
IN SSHFP |
4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1 |
bugs.cacert.org |
IN SSHFP |
4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15 |
bugs.intra.cacert.org. |
IN A |
172.16.2.16 |
See also
Operating System¶
Debian GNU/Linux 9.9
Services¶
Listening services¶
Port |
Service |
Origin |
Purpose |
|---|---|---|---|
22/tcp |
ssh |
ANY |
admin console access |
25/tcp |
smtp |
local |
mail delivery to local MTA |
80/tcp |
http |
ANY |
web server for bug tracker |
443/tcp |
https |
ANY |
web server for bug tracker |
5665/tcp |
icinga2 |
monitor |
remote monitoring service |
3306/tcp |
mysql |
local |
MySQL database for bug tracker |
Running services¶
Service |
Usage |
Start mechanism |
|---|---|---|
Apache httpd |
Webserver for bug tracker |
systemd unit |
cron |
job scheduler |
systemd unit |
dbus-daemon |
System message bus daemon |
systemd unit |
icinga2 |
Icinga2 monitoring agent |
systemd unit |
MariaDB |
MariaDB database server for bug tracker |
systemd unit |
openssh server |
ssh daemon for remote administration |
systemd unit |
Postfix |
SMTP server for local mail submission |
systemd unit |
Puppet agent |
configuration management agent |
systemd unit |
rsyslog |
syslog daemon |
systemd unit |
Databases¶
RDBMS |
Name |
Used for |
|---|---|---|
MariaDB |
mantis |
Mantis bug tracker |
Security¶
SSH host keys¶
Algorithm |
Fingerprints |
|---|---|
RSA |
|
DSA |
|
ECDSA |
|
ED25519 |
|
See also
Non-distribution packages and modifications¶
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Mantis installed in /srv/mantis (linked to /srv/mantisbt-2.4.2)
custom built certificate authentication-plugin by Dirk Astrath https://github.com/dastrath/CertificateAuthentication_Mantis
For client certificate authentication a Class-3 client certificate issued by CAcert is needed, 1st email-adress in certificate has to match email-adress in account
Risk assessments on critical packages¶
Mantis as a PHP application is vulnerable to common PHP problems. The system has to be kept up-to-date with OS patches. The custom built mantis package has to be updated when new releases are provided upstream.
Administrators for this system should subscribe to the mantisbt-announce@lists.sourceforge.net list to get notified when updates are released.
The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The puppet agent is not exposed for access from outside the system.
Critical Configuration items¶
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.
Todo
move configuration of Bugs to Puppet code
Keys and X.509 certificates¶
Certificate for CN bugs.cacert.org, see details in the certificate list
certificate in file /etc/ssl/public/bugs.c.o.crt
private key in file /etc/ssl/private/bugs.c.o.key
Mantis configuration¶
The Mantis bug tracker configuration is stored in the directory
/etc/mantis/.
config_inc.phpcontains the database settings for Mantisconfig_local.phpthe main configuration file, including custom bug statescustom_constants_inc.phpdefines custom constants. Required for the non-default bug statescustom_strings_inc.phpdefines custom string definitions. Required for the non-default bug states
Note
Localisation for these could go here but currently I would avoid that so all developers have the same vocabulary.
– Michael Tänzer 2011-07-04 02:44:45
Apache httpd configuration¶
The Apache httpd configuration in the directory /etc/apache2/ has been
changed to add some additional headers to improve client security:
diff -urw -X .bugs_etc_ignore orig/etc/apache2/conf-available/security.conf bugs/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
+++ bugs/etc/apache2/conf-available/security.conf 2016-05-08 14:04:46.335145675 +0200
@@ -5,11 +5,11 @@
# This currently breaks the configurations that come with some web application
# Debian packages.
#
-#<Directory />
-# AllowOverride None
-# Order Deny,Allow
-# Deny from all
-#</Directory>
+<Directory />
+ AllowOverride None
+ Order Deny,Allow
+ Deny from all
+</Directory>
# Changing the following options will not really affect the security of the
@@ -61,14 +61,24 @@
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
-#Header set X-Content-Type-Options: "nosniff"
+Header set X-Content-Type-Options: "nosniff"
+
+#
+# Some browsers have a built-in XSS filter that will detect some cross site
+# scripting attacks. By default, these browsers modify the suspicious part of
+# the page and display the result. This behavior can create various problems
+# including new security issues. This header will tell the XSS filter to
+# completely block access to the page instead.
+# Requires mod_headers to be enabled.
+#
+Header set X-XSS-Protection: "1; mode=block"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
-#Header set X-Frame-Options: "sameorigin"
+Header set X-Frame-Options: "sameorigin"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
The Mantis VirtualHost is
configured in /etc/apache2/sites-available/mantis (shared
configuration) that includes configuration from the mantis package provided
/etc/apache2/conf.d/mantis file,
/etc/apache2/sites-available/mantis-nossl.conf (HTTP VirtualHost) and
/etc/apache2/sites-available/mantis-ssl.conf (HTTPS VirtualHost).
MySQL configuration¶
MySQL configuration is stored in the /etc/mysql/ directory.
Rsyslog configuration¶
Rsyslog has been configured to disable draining the kernel log:
--- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
+++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
@@ -9,7 +9,7 @@
#################
$ModLoad imuxsock # provides support for local system logging
-$ModLoad imklog # provides kernel logging support
+#$ModLoad imklog # provides kernel logging support
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
The postfix package installed /etc/rsyslog.d/postfix.conf to
add an additional logging socket in the Postfix chroot.
Tasks¶
Todo
add a section documenting how to manage mantis projects
Todo
add a section documenting how to manage mantis users
