CATS

Purpose

This system provides the CAcert Assurer Training System (CATS), which is used to perform the Assurer Challenge.

Administration

System Administration

Application Administration

Application

Administrator(s)

CATS

Bernhard Fröhlich

Additional People

Mario Lipinski and Wytze van der Raay have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

213.154.225.243

IP Intranet

172.16.2.27

IP Internal

10.0.0.27

MAC address

00:ff:53:2d:a0:65 (interfacename)

See also

See Network

DNS

Name

Type

Content

cats.cacert.org.

IN A

213.154.225.243

cats.cacert.org.

IN SSHFP

1 1 D29D4CC4662D5CB5F42C02823CA8677F05439589

cats.cacert.org.

IN SSHFP

1 2 605AF57CE0F1ECF8EEAC5C71901F1434BF65C06FC0796B932D0F10F21DDF65FE

cats.cacert.org.

IN SSHFP

2 1 0342EB1E7325EB90A1C0483DE3D6597E36E569C8

cats.cacert.org.

IN SSHFP

2 2 0835241A5B1905097C332B176FAEC92E05C690169BA125184F3FE2C9612D9718

cats.cacert.org.

IN SSHFP

3 1 CC7F9EDC6F2B9CE4A3F3953FF97C951572BA0F8C

cats.cacert.org.

IN SSHFP

3 2 1F54953C96DE0E93CD19E66CA25085D6773CEEFD3C376BE2E77C1A337CCD008D

cats.intra.cacert.org.

IN A

172.16.2.27

Operating System

  • Debian GNU/Linux 7.11

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

local

mail delivery to local MTA

80/tcp

http

ANY

CATS

443/tcp

https

ANY

CATS

5666/tcp

nrpe

monitor

remote monitoring service

3306/tcp

mysql

local

MySQL database for CATS

Running services

Service

Usage

Start mechanism

openssh server

ssh daemon for remote administration

init script /etc/init.d/ssh

Apache httpd

Webserver for CATS

init script /etc/init.d/apache2

cron

job scheduler

init script /etc/init.d/cron

MySQL

MySQL database server for CATS

init script /etc/init.d/mysql

Postfix

SMTP server for local mail submission

init script /etc/init.d/postfix

Nagios NRPE server

remote monitoring service queried by Monitor

init script /etc/init.d/nagios-nrpe-server

Databases

RDBMS

Name

Used for

MySQL

cats_cats

CATS database

Connected Systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • crl.cacert.org (rsync) for getting CRLs

  • HTTPS (443/tcp) to secure.cacert.org for pushing test results

  • HTTPS (443/tcp) to Svn for subversion access

  • HTTPS (443/tcp) to github.com

Todo

disable subversion access

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:YFr1fODx7PjurFxxkB8UNL9lwG/AeWuTLQ8Q8h3fZf4, MD5:d4:1f:0a:c9:a6:18:7a:a4:72:6b:42:5d:8e:63:44:1f

DSA

SHA256:CDUkGlsZBQl8MysXb67JLgXGkBaboSUYTz/iyWEtlxg, MD5:0c:0a:94:fc:99:b2:49:a2:41:3a:59:3f:dd:3d:e4:33

ECDSA

SHA256:H1SVPJbeDpPNGeZsolCF1nc87v08N2vi53waM3zNAI0, MD5:bc:28:fb:72:b9:e3:cb:0f:a0:ff:d2:38:8a:ac:6d:93

ED25519

-

Todo

setup ED25519 host key (needs update to Jessie)

Dedicated user roles

Group

Purpose

cats

The cats group is meant to maintain the CATS application

Non-distribution packages and modifications

The CATS software is a custom PHP based system. The application is contained in /home/cats/public_html. The current repository is at https://github.com/CAcertOrg/cats, historic versions are available at https://svn.cacert.org/CAcert/Education/CATS. Instructions for CATS setup can be found in the git repository.

CATS requires client certificate authentication setup in the Apache httpd server.

Todo

add a Vagrantfile to allow easy CATS testing setups

Risk assessments on critical packages

CATS as a PHP application is vulnerable to common PHP problems. The system has to be kept up-to-date with OS patches.

Critical Configuration items

Keys and X.509 certificates

The server certificate for the CATS web application.

  • Certificate for CN cats.cacert.org, see details in the certificate list

    • certificate in file /home/cats/ssl/certs/cats_cert.pem

    • private key in file /home/cats/ssl/private/cats_privatekey.pem

Client certificate for pushing results to secure.cacert.org.

  • Certificate for CN cats@cacert.org, see details in the certificate list

    • certificate in file /home/cats/private/cert_201605.pem

    • private key in file /home/cats/private/key_201605.pem

Todo

move certificates to /etc/ssl/public and keys to /etc/ssl/private

  • /usr/share/ca-certificates/cacert.org/cacert.org.crt CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates and certificate chain for server certificate)

  • /home/cats/public_html/education.txt is a symbolic link pointing to the most current client certificate issued to the education@cacert.org address.

CATS configuration

CATS configuration is stored in files in /home/cats/public_html/index.php (roughly based on index.php.template from git) and /home/cats/public_html/includes/db_connect.inc.

Todo

move CATS configuration to /etc/

Todo

refactor CATS to not store configuration in the PHP session

CATS uses two cronjobs in the cats user’s crontab:

# m h  dom mon dow   command
MAILTO=bernhard@cacert.org
*/5 * * * * /home/cats/tools/do_upload
# Reduced upload rate during problems...
#0 * * * * /home/cats/tools/do_upload
35 4 * * * /home/cats/tools/do_backup

The do_upload job uses the client certificate for cats@cacert.org to authenticate to secure.cacert.org.

The do_backup job creates a backup of the cats_cats MySQL database. The backups are rotated (9 copies are kept) and encrypted to PGP keys of Bernhard Fröhlich and Philipp Gühring. The job also attempts to fetch a database dump from http://cats1.it-sls.de/dump.gz and store it in /home/cats/dumps/dump.dev.gz. This functionality is broken.

Todo

either fix fetching from the test system or remove this functionality

Todo

use /etc/cron.d instead of user specific crontab

Todo

put the scripts in /home/cats/tools/ into git

See also

Instructions for CATS translation

Apache httpd configuration

The Apache httpd configuration in the directory /etc/apache2/ has been modified to improve TLS settings and define an HTTP and an HTTPS VirtualHost for cats.cacert.org.

diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf cats/etc/apache2/mods-available/ssl.conf
--- orig/etc/apache2/mods-available/ssl.conf	2015-08-18 09:35:40.000000000 +0200
+++ cats/etc/apache2/mods-available/ssl.conf	2014-10-21 15:38:01.894358956 +0200
@@ -53,7 +53,7 @@
 #   ciphers(1) man page from the openssl package for list of all available
 #   options.
 #   Enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
 #   Speed-optimized SSL Cipher configuration:
 #   If speed is your main concern (on busy HTTPS servers e.g.),
@@ -66,10 +66,11 @@
 #   compromised, captures of past or future traffic must be
 #   considered compromised, too.
 #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on
+SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+SSLHonorCipherOrder on
 
 # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
-SSLProtocol all -SSLv2
+SSLProtocol all -SSLv2 -SSLv3
 
 # Allow insecure renegotiation with clients which do not yet support the
 # secure renegotiation protocol. Default: Off
diff -urwN -X diffignore-apache2 orig/etc/apache2/ports.conf cats/etc/apache2/ports.conf
--- orig/etc/apache2/ports.conf	2015-08-18 09:35:40.000000000 +0200
+++ cats/etc/apache2/ports.conf	2016-05-16 16:53:43.551587545 +0200
@@ -14,6 +14,7 @@
     # to <VirtualHost *:443>
     # Server Name Indication for SSL named virtual hosts is currently not
     # supported by MSIE on Windows XP.
+    NameVirtualHost *:443
     Listen 443
 </IfModule>
 
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/cats cats/etc/apache2/sites-available/cats
--- orig/etc/apache2/sites-available/cats	1970-01-01 01:00:00.000000000 +0100
+++ cats/etc/apache2/sites-available/cats	2016-05-16 16:56:53.220765336 +0200
@@ -0,0 +1,22 @@
+<VirtualHost *:80>
+    ServerAdmin support@cacert.org
+    DocumentRoot /home/cats/public_html
+    ServerName cats.cacert.org
+    ErrorLog /home/cats/logs/error.log
+    CustomLog /home/cats/logs/access.log combined
+</VirtualHost>
+<VirtualHost *:443>
+    SSLEngine On
+    SSLCertificateFile /home/cats/ssl/certs/cats_cert.pem
+    SSLCertificateKeyFile /home/cats/ssl/private/cats_privatekey.pem
+    SSLCACertificateFile /usr/share/ca-certificates/cacert.org/cacert.org.crt
+    SSLVerifyDepth  10
+    SSLOptions +StdEnvVars +ExportCertData +StrictRequire
+    SSLVerifyClient require
+
+    ServerAdmin support@cacert.org
+    DocumentRoot /home/cats/public_html
+    ServerName cats.cacert.org
+    ErrorLog /home/cats/logs/error.log
+    CustomLog /home/cats/logs/access.log "%h %l %{SSL_CLIENT_S_DN_Email}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
+</VirtualHost>

logrotate configuration

CATS specific Apache httpd logfiles are rotated by logrotate. The rotation is controlled by a separate configuration in /etc/logrotate.d/cats:

/home/cats/logs/*.log {
	weekly
	missingok
	rotate 52
	compress
	delaycompress
	notifempty
	create 640 root cats
	sharedscripts
	postrotate
		/etc/init.d/apache2 reload > /dev/null
	endscript
	prerotate
		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
			run-parts /etc/logrotate.d/httpd-prerotate; \
		fi; \
	endscript
}

MySQL configuration

MySQL configuration is stored in the /etc/mysql/ directory.

Tasks

Todo

document how to update the CATS software

Changes

Planned

Todo

switch to Puppet management

Todo

replace nrpe with icinga2 agent

Todo

update to Debian 8/9/10

Todo

setup IPv6

Todo

setup CRL checks

System Future

  • No plans

Additional documentation

References

PHP documentation

https://secure.php.net/manual/en/