CATS

Purpose

This system provides the CAcert Assurer Training System (CATS), which is used to perform the Assurer Challenge.

Administration

System Administration

Application Administration

Application   Administrator(s)
CATS          Bernhard Fröhlich

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:  213.154.225.243
IP Intranet:  172.16.2.27
IP Internal:  10.0.0.27
MAC address:  00:ff:53:2d:a0:65 (interfacename)

See also

See Network

Monitoring

internal checks:

Monitoring checks for cats.infra.cacert.org

DNS

Name                     Type       Content
cats.cacert.org.         IN A       213.154.225.243
cats.cacert.org.         IN SSHFP   1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589
cats.cacert.org.         IN SSHFP   1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE
cats.cacert.org.         IN SSHFP   2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8
cats.cacert.org.         IN SSHFP   2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718
cats.cacert.org.         IN SSHFP   3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C
cats.cacert.org.         IN SSHFP   3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D
cats.intra.cacert.org.   IN A       172.16.2.27

In the SSHFP records the first number is the key algorithm (1 RSA, 2 DSA, 3 ECDSA, 4 ED25519) and the second the fingerprint type (1 SHA-1, 2 SHA-256); the hex digest is the hash of the host key blob, the same value ssh-keygen -l prints in base64. There is no ED25519 (4) record yet because the host has no ED25519 key (see the Security section). Clients only trust these records for host key verification (VerifyHostKeyDNS) when the zone is DNSSEC-signed.

Operating System

  • Debian GNU/Linux 7 Wheezy

Services

Listening services

Port       Service   Origin    Purpose
22/tcp     ssh       ANY       admin console access
25/tcp     smtp      local     mail delivery to local MTA
80/tcp     http      ANY       CATS
443/tcp    https     ANY       CATS
5666/tcp   nrpe      monitor   remote monitoring service
3306/tcp   mysql     local     MySQL database for CATS

Running services

Service              Usage                                          Start mechanism
openssh server       ssh daemon for remote administration           init script /etc/init.d/ssh
Apache httpd         Webserver for CATS                             init script /etc/init.d/apache2
cron                 job scheduler                                  init script /etc/init.d/cron
MySQL                MySQL database server for CATS                 init script /etc/init.d/mysql
Postfix              SMTP server for local mail submission          init script /etc/init.d/postfix
Nagios NRPE server   remote monitoring service queried by Monitor   init script /etc/init.d/nagios-nrpe-server

Databases

RDBMS   Name        Used for
MySQL   cats_cats   CATS database

Connected Systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • crl.cacert.org (rsync) for getting CRLs

  • HTTPS (443/tcp) to secure.cacert.org for pushing test results

  • HTTPS (443/tcp) to Svn for subversion access

  • HTTPS (443/tcp) to github.com

Todo

disable subversion access

Security

SSH host keys

Algorithm   Fingerprints
RSA         SHA256:YFr1fODx7PjurFxxkB8UNL9lwG/AeWuTLQ8Q8h3fZf4, MD5:d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f
DSA         SHA256:CDUkGlsZBQl8MysXb67JLgXGkBaboSUYTz/iyWEtlxg, MD5:0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33
ECDSA       SHA256:H1SVPJbeDpPNGeZsolCF1nc87v08N2vi53waM3zNAI0, MD5:bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93
ED25519     -

Todo

setup ED25519 host key (needs update to Jessie)
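The SSHFP records in the DNS section and the SHA256: fingerprints in the table above carry the same digest in two encodings: an SSHFP type 2 record is the SHA-256 of the host key blob as upper-case hex, and ssh-keygen -l prints that digest as unpadded base64. The MD5 column has no SSHFP counterpart, so it can only be recomputed from the key itself. The following is an added example, not part of this page or of CATS, that converts between the two forms, cross-checks the zone data against the table, and shows how ssh-keygen -r derives records from a public key line. The ed25519 key it uses is constructed from fixed bytes and is not a real key; it only illustrates the "4 1"/"4 2" records the ED25519 todo would produce.

```python
"""Cross-check SSHFP DNS records against OpenSSH host key fingerprints.

Added example; the SSHFP RDATA and SHA256: fingerprints below are copied from
the wiki page, the ed25519 key is constructed (fixed bytes, not a real key).
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types.
SSHFP_ALG = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
SSHFP_FPTYPE = {1: "SHA1", 2: "SHA256"}
KEYTYPE_TO_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}


def parse_sshfp(rdata):
    """Split SSHFP RDATA 'alg fptype hexdigest' into (int, int, bytes)."""
    alg, fptype, hexdigest = rdata.split()
    return int(alg), int(fptype), bytes.fromhex(hexdigest)


def openssh_fingerprint(digest, hashname):
    """Render a digest the way ssh-keygen -l does: MD5 as colon-separated hex,
    SHA1/SHA256 as unpadded base64 prefixed with the hash name."""
    if hashname == "MD5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return hashname + ":" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_to_fingerprint(rdata):
    """SSHFP RDATA -> (algorithm name, OpenSSH-style fingerprint)."""
    alg, fptype, digest = parse_sshfp(rdata)
    return SSHFP_ALG[alg], openssh_fingerprint(digest, SSHFP_FPTYPE[fptype])


def fingerprint_to_sshfp_hex(fp):
    """Inverse: 'SHA256:<base64>' back to the upper-case hex used in zone files."""
    hashname, b64 = fp.split(":", 1)
    if hashname == "MD5":
        raise ValueError("MD5 fingerprints have no SSHFP fingerprint type")
    b64 += "=" * (-len(b64) % 4)  # ssh-keygen strips the base64 padding
    return base64.b64decode(b64).hex().upper()


def key_fingerprints(pubkey_line):
    """What ssh-keygen -lf and ssh-keygen -r compute: hashes over the raw key
    blob of a 'type base64 [comment]' public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = KEYTYPE_TO_ALG[keytype]
    sha1, sha256 = hashlib.sha1(blob).digest(), hashlib.sha256(blob).digest()
    return {
        "SHA256": openssh_fingerprint(sha256, "SHA256"),
        "MD5": openssh_fingerprint(hashlib.md5(blob).digest(), "MD5"),
        "SSHFP": [f"{alg} 1 {sha1.hex().upper()}", f"{alg} 2 {sha256.hex().upper()}"],
    }


def check_zone_against_table(sshfp_records, table):
    """Compare every SHA-256 SSHFP record with a {algorithm: 'SHA256:...'} table.
    Returns a list of (algorithm, table value, zone value) mismatches; SHA-1
    records are skipped because the table has no SHA-1 column."""
    problems = []
    for rdata in sshfp_records:
        _, fptype, _ = parse_sshfp(rdata)
        if fptype != 2:
            continue
        name, fp = sshfp_to_fingerprint(rdata)
        if table.get(name) != fp:
            problems.append((name, table.get(name), fp))
    return problems


# SSHFP RDATA for cats.cacert.org as listed in the DNS section of the page.
CATS_SSHFP = [
    "1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589",
    "1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE",
    "2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8",
    "2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718",
    "3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C",
    "3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D",
]
# SHA256 fingerprints from the "SSH host keys" table of the page.
CATS_FINGERPRINTS = {
    "RSA": "SHA256:YFr1fODx7PjurFxxkB8UNL9lwG/AeWuTLQ8Q8h3fZf4",
    "DSA": "SHA256:CDUkGlsZBQl8MysXb67JLgXGkBaboSUYTz/iyWEtlxg",
    "ECDSA": "SHA256:H1SVPJbeDpPNGeZsolCF1nc87v08N2vi53waM3zNAI0",
}


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed ed25519 public key line (32 fixed bytes, NOT a real key).
FAKE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
FAKE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(FAKE_ED25519_BLOB).decode() + " example"

if __name__ == "__main__":
    for rdata in CATS_SSHFP:
        print(rdata, "->", sshfp_to_fingerprint(rdata))
    print("mismatches:", check_zone_against_table(CATS_SSHFP, CATS_FINGERPRINTS))
    print("records ssh-keygen -r would emit for the constructed key:",
          key_fingerprints(FAKE_ED25519_LINE)["SSHFP"])
```

Run against the page's data the check returns no mismatches. On the host itself, ssh-keygen -r cats.cacert.org -f /etc/ssh/ssh_host_rsa_key.pub produces the zone lines directly and is the authoritative source when the DNS records are regenerated, for example after adding the ED25519 key.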

Dedicated user roles

Group   Purpose
cats    The cats group is meant to maintain the CATS application

Non-distribution packages and modifications

The CATS software is a custom PHP-based system. The application lives in /home/cats/public_html. The current source is kept in the GitHub repository cats; historic versions are available at https://svn.cacert.org/CAcert/Education/CATS. Instructions for setting up CATS can be found in the git repository.

CATS requires client certificate authentication to be set up in the Apache httpd server (see the Apache httpd configuration below).

Todo

add a Vagrantfile to allow easy CATS testing setups

Risk assessments on critical packages

CATS, being a custom PHP application, is exposed to the usual classes of PHP web application problems, and its code is not covered by distribution security updates. The PHP interpreter, Apache httpd and MySQL it runs on come from Debian, so the system has to be kept up to date with OS patches.

Critical Configuration items

Keys and X.509 certificates

The server certificate for the CATS web application.

  • Certificate for CN cats.cacert.org, see details in the certificate list

    • certificate in file /home/cats/ssl/certs/cats_cert.pem

    • private key in file /home/cats/ssl/private/cats_privatekey.pem

Client certificate for pushing results to secure.cacert.org.

  • Certificate for CN cats@cacert.org, see details in the certificate list

    • certificate in file /home/cats/private/cert_201605.pem

    • private key in file /home/cats/private/key_201605.pem

Todo

move certificates to /etc/ssl/public and keys to /etc/ssl/private

  • /usr/share/ca-certificates/cacert.org/cacert.org.crt: CAcert.org Class 1 and Class 3 CA certificates (the CAs accepted for client certificates, and the certificate chain for the server certificate)

  • /home/cats/public_html/education.txt is a symbolic link pointing to the most current client certificate issued to the education@cacert.org address.

CATS configuration

CATS configuration is stored in two files: /home/cats/public_html/index.php (roughly based on index.php.template from git) and /home/cats/public_html/includes/db_connect.inc.

Todo

move CATS configuration to /etc/

Todo

refactor CATS to not store configuration in the PHP session

CATS uses two cronjobs in the cats user’s crontab:

# m h  dom mon dow   command
MAILTO=bernhard@cacert.org
*/5 * * * * /home/cats/tools/do_upload
# Reduced upload rate during problems...
#0 * * * * /home/cats/tools/do_upload
35 4 * * * /home/cats/tools/do_backup

The do_upload job uses the client certificate for cats@cacert.org to authenticate to secure.cacert.org.

The do_backup job creates a backup of the cats_cats MySQL database. The backups are rotated (9 copies are kept) and encrypted to the PGP keys of Bernhard Fröhlich and Philipp Gühring. The job also attempts to fetch a database dump from http://cats1.it-sls.de/dump.gz (plain HTTP, so the dump is neither authenticated nor protected in transit) and store it in /home/cats/dumps/dump.dev.gz. This functionality is broken.

Todo

either fix fetching from the test system or remove this functionality

Todo

use /etc/cron.d instead of user specific crontab

Todo

put the scripts in /home/cats/tools/ into git
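The do_backup procedure described above (dump, encrypt to two PGP keys, keep nine rotated copies) is not the page's script and is not in git yet. The following is an added example in Python, not the CATS tool itself, of the same procedure: the dump is compressed and encrypted in one pipeline so no plaintext copy touches disk, the encrypted file is written with mode 0600 to a temporary name first, and only a successful dump consumes a rotation slot. The dump directory, the .new temporary name and the recipient selectors are assumptions; the real job encrypts to the keys of the two people named above.

```python
"""Encrypted, rotated MySQL backup modelled on the do_backup job.

Added example, not the page's script. Recipient selectors, dump directory
and temporary file name are assumptions.
"""
import os
import subprocess

KEEP = 9  # the page says nine copies are kept
# Hypothetical recipient selectors; the real job encrypts to the PGP keys of
# Bernhard Fröhlich and Philipp Gühring.
RECIPIENTS = ["bernhard@cacert.org", "second-keyholder@example.invalid"]


def rotate(dumpdir, base, keep=KEEP):
    """Shift base.1 -> base.2, ..., base.(keep-1) -> base.keep and delete the
    oldest copy, freeing base.1 for a fresh dump. Returns the copies that
    remain, newest first. Touches plain files only, so it runs stand-alone."""
    oldest = os.path.join(dumpdir, f"{base}.{keep}")
    if os.path.exists(oldest):
        os.remove(oldest)
    for i in range(keep - 1, 0, -1):
        src = os.path.join(dumpdir, f"{base}.{i}")
        if os.path.exists(src):
            os.replace(src, os.path.join(dumpdir, f"{base}.{i + 1}"))
    return [f"{base}.{i}" for i in range(1, keep + 1)
            if os.path.exists(os.path.join(dumpdir, f"{base}.{i}"))]


def gpg_encrypt_args(recipients):
    """gpg argument vector: batch mode, one -r per recipient, binary output."""
    args = ["gpg", "--batch", "--yes", "--trust-model", "always", "--encrypt"]
    for r in recipients:
        args += ["-r", r]
    return args


def backup(db, dumpdir, recipients=RECIPIENTS, keep=KEEP):
    """mysqldump | gzip | gpg --encrypt, written 0600 to base.new, then rotated
    into base.1. Credentials are expected in ~/.my.cnf, never on the command
    line. Returns the path of the new encrypted dump."""
    base = f"{db}.sql.gz.gpg"
    tmp = os.path.join(dumpdir, f"{base}.new")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        with os.fdopen(fd, "wb") as out:
            dump = subprocess.Popen(["mysqldump", "--single-transaction", db],
                                    stdout=subprocess.PIPE)
            gz = subprocess.Popen(["gzip", "-9"], stdin=dump.stdout,
                                  stdout=subprocess.PIPE)
            dump.stdout.close()  # let gzip's exit propagate SIGPIPE to mysqldump
            enc = subprocess.Popen(gpg_encrypt_args(recipients), stdin=gz.stdout,
                                   stdout=out)
            gz.stdout.close()
            for p in (dump, gz, enc):
                if p.wait() != 0:
                    raise RuntimeError(f"{p.args[0]} exited with status {p.returncode}")
    except BaseException:
        os.unlink(tmp)  # never leave a partial dump behind
        raise
    # Only a complete, encrypted dump is allowed to push the older copies back.
    rotate(dumpdir, base, keep)
    target = os.path.join(dumpdir, f"{base}.1")
    os.replace(tmp, target)
    return target


if __name__ == "__main__":
    print(backup("cats_cats", "/home/cats/dumps"))
```

Because the file is encrypted to the recipients' public keys, restoring requires one of their private keys; test the restore path (gpg --decrypt | gunzip | mysql) at least once, since an unreadable backup is indistinguishable from no backup.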

See also

Instructions for CATS translation

Apache httpd configuration

The Apache httpd configuration in the directory /etc/apache2/ has been modified to improve TLS settings and define an HTTP and an HTTPS VirtualHost for cats.cacert.org.

diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf cats/etc/apache2/mods-available/ssl.conf
--- orig/etc/apache2/mods-available/ssl.conf	2015-08-18 09:35:40.000000000 +0200
+++ cats/etc/apache2/mods-available/ssl.conf	2014-10-21 15:38:01.894358956 +0200
@@ -53,7 +53,7 @@
 #   ciphers(1) man page from the openssl package for list of all available
 #   options.
 #   Enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),
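Review bot: the comment "Enable only secure ciphers:" at the top of this hunk now sits above a commented-out directive, while the active SSLCipherSuite is added a dozen lines further down; replacing the value in place on the line being commented out here would keep the directive next to the comment that explains it and leave only one cipher-suite line to maintain.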
@@ -66,10 +66,11 @@
 #   compromised, captures of past or future traffic must be
 #   considered compromised, too.
 #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on
+SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+SSLHonorCipherOrder on
 
 # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
-SSLProtocol all -SSLv2
+SSLProtocol all -SSLv2 -SSLv3
 
 # Allow insecure renegotiation with clients which do not yet support the
 # secure renegotiation protocol. Default: Off
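Review bot: the comment "# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2" is now wrong, since the line under it disables SSLv3 as well; change it to say TLSv1 and newer only. In the new SSLCipherSuite, the `ALL` after kEECDH:kEDH:AESGCM still admits static-RSA key exchange and the non-AES families OpenSSL ships (CAMELLIA, SEED): with SSLHonorCipherOrder on the server will prefer the forward-secret suites, but a client offering only static-RSA suites is still accepted, which is worth stating explicitly if intended or excluding with !kRSA if not.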
diff -urwN -X diffignore-apache2 orig/etc/apache2/ports.conf cats/etc/apache2/ports.conf
--- orig/etc/apache2/ports.conf	2015-08-18 09:35:40.000000000 +0200
+++ cats/etc/apache2/ports.conf	2016-05-16 16:53:43.551587545 +0200
@@ -14,6 +14,7 @@
     # to <VirtualHost *:443>
     # Server Name Indication for SSL named virtual hosts is currently not
     # supported by MSIE on Windows XP.
+    NameVirtualHost *:443
     Listen 443
 </IfModule>
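Review bot: NameVirtualHost *:443 only matters when more than one name-based virtual host is bound to port 443, and the sites-available/cats file in this patch defines a single *:443 host, so the directive is harmless here; note that on Apache 2.4 (the Jessie update the page plans) NameVirtualHost is obsolete and logs a warning, so drop it with the upgrade.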
 
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/cats cats/etc/apache2/sites-available/cats
--- orig/etc/apache2/sites-available/cats	1970-01-01 01:00:00.000000000 +0100
+++ cats/etc/apache2/sites-available/cats	2016-05-16 16:56:53.220765336 +0200
@@ -0,0 +1,22 @@
+<VirtualHost *:80>
+    ServerAdmin support@cacert.org
+    DocumentRoot /home/cats/public_html
+    ServerName cats.cacert.org
+    ErrorLog /home/cats/logs/error.log
+    CustomLog /home/cats/logs/access.log combined
+</VirtualHost>
+<VirtualHost *:443>
+    SSLEngine On
+    SSLCertificateFile /home/cats/ssl/certs/cats_cert.pem
+    SSLCertificateKeyFile /home/cats/ssl/private/cats_privatekey.pem
+    SSLCACertificateFile /usr/share/ca-certificates/cacert.org/cacert.org.crt
+    SSLVerifyDepth  10
+    SSLOptions +StdEnvVars +ExportCertData +StrictRequire
+    SSLVerifyClient require
+
+    ServerAdmin support@cacert.org
+    DocumentRoot /home/cats/public_html
+    ServerName cats.cacert.org
+    ErrorLog /home/cats/logs/error.log
+    CustomLog /home/cats/logs/access.log "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
+</VirtualHost>
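Review bot: the *:80 host serves the same DocumentRoot /home/cats/public_html without the SSLVerifyClient requirement, so the application is reachable over plain HTTP with no client certificate; unless that is intended, replace the DocumentRoot in the :80 host with `Redirect permanent / https://cats.cacert.org/`. Two further points: SSLVerifyClient require is configured without SSLCARevocationFile, so revoked client certificates are still accepted even though the host already rsyncs CRLs from crl.cacert.org (this is the "setup CRL checks" todo); and both hosts write to the same /home/cats/logs/access.log with different log formats, so cleartext and TLS entries interleave with a different number of fields, which complicates parsing the %{SSL_CLIENT_S_DN_Email}x column.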

logrotate configuration

CATS specific Apache httpd logfiles are rotated by logrotate. The rotation is controlled by a separate configuration in /etc/logrotate.d/cats:

/home/cats/logs/*.log {
	weekly
	missingok
	rotate 52
	compress
	delaycompress
	notifempty
	create 640 root cats
	sharedscripts
	postrotate
		/etc/init.d/apache2 reload > /dev/null
	endscript
	prerotate
		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
			run-parts /etc/logrotate.d/httpd-prerotate; \
		fi; \
	endscript
}

MySQL configuration

MySQL configuration is stored in the /etc/mysql/ directory.

Tasks

Todo

document how to update the CATS software

Changes

Planned

Todo

switch to Puppet management

Todo

replace nrpe with icinga2 agent

Todo

update to Debian 8/9/10

Todo

setup IPv6

Todo

setup CRL checks

System Future

  • No plans

Additional documentation

References

PHP documentation

https://secure.php.net/manual/en/