Monitor
Purpose
This system hosts an Icinga 2 instance to centrally monitor the services in the CAcert network (especially for security updates and certificate expiry).
Note
To access the system you need a client certificate where the first email address in the Subject Distinguished Name field is a cacert.org address. Subject Alternative Names are not checked.
If you are the administrator of a service, please ask the monitor admins to add your system to the monitoring configuration and to add you as system contact. This enables notifications and lets you perform tasks such as acknowledging service outages, adding notes, rescheduling checks or setting downtimes for your service.
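The access rule in the note above (first email address in the Subject DN must be a cacert.org address, Subject Alternative Names are not consulted) is easy to get subtly wrong, for example by matching a suffix instead of the whole domain or by letting a SAN entry count. The following is an added example, not CAcert's own Apache rule: it emulates the policy in Python so the decision logic can be unit tested. The DN string format (RFC 2253 style, `CN=...,emailAddress=...`, as a web server such as Apache's mod_ssl renders a subject) and the attribute names recognised as email addresses are assumptions of this example; "first" is taken in the order the DN string is presented.

```python
"""Emulation of the monitor's client certificate policy (added example, not
CAcert's own access rule).  Rule as the page states it: the first email
address in the Subject DN must be a cacert.org address; SANs are ignored.
The RFC 2253 style DN string and the attribute names below are assumptions."""
from typing import List, Optional, Tuple

# Names/OID under which a PKCS#9 emailAddress attribute may be rendered (assumption)
EMAIL_ATTRS = {"emailaddress", "e", "1.2.840.113549.1.9.1"}
ALLOWED_DOMAIN = "cacert.org"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 style DN into (attribute, value) pairs, in string order.
    Backslash escapes are honoured so "Doe\\, John" stays one value; a naive
    split on "," would mis-parse such names."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr: Optional[str] = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take the next one literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:          # end of the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif ch == "," and attr is not None:    # end of one RDN component
            pairs.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is not None:
        pairs.append((attr, "".join(buf)))
    return pairs


def first_email_in_dn(dn: str) -> Optional[str]:
    """Return the first emailAddress component of the DN as rendered, or None."""
    for attr, value in parse_dn(dn):
        if attr.lower() in EMAIL_ATTRS:
            return value.strip()
    return None


def allowed_by_monitor_rule(subject_dn: str, subject_alt_names: Tuple[str, ...] = ()) -> bool:
    """Apply the page's rule.  subject_alt_names is accepted only to make
    explicit that SAN entries play no part in the decision."""
    del subject_alt_names                        # deliberately ignored, as the page states
    email = first_email_in_dn(subject_dn)
    if email is None or email.count("@") != 1:   # no address, or a malformed one: deny
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain == ALLOWED_DOMAIN               # exact match, so "cacert.org.example" is rejected
```

The two checks worth keeping in mind when translating such a rule into a real server configuration are visible in the function: only the first email attribute counts (a later cacert.org address after a foreign one does not help), and the domain is compared exactly rather than by suffix.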
Application Links
- The Icingaweb 2 frontend
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Application Administration
| Application | Administrator(s) |
|---|---|
| Icinga 2 | |
Contact
Additional People
No additional people have sudo access on that machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:73:b3:17:43 (eth0)
See also
See Network
Monitoring
- internal checks:
DNS
| Name | Type | Content |
|---|---|---|
| monitor.cacert.org. | IN CNAME | infrastructure.cacert.org |
See also
Operating System
Debian GNU/Linux 11 Bullseye
Applicable Documentation
This is it :-)
Services
Listening services
| Port | Service | Origin | Purpose |
|---|---|---|---|
| 22/tcp | ssh | ANY | admin console access |
| 25/tcp | smtp | local | mail delivery to local MTA |
| 80/tcp | http | ANY | Redirect to https |
| 443/tcp | https | ANY | Icingaweb 2 frontend |
| 5665/tcp | icinga2 | monitor | remote monitoring service |
| 5432/tcp | pgsql | local | PostgreSQL database for IDO |
| 8000/tcp | git-hook | internal | HTTP endpoint for git-pull-hook |
Note
The ssh port is reachable via NAT on infrastructure.cacert.org:11822
Running services
| Service | Usage | Start mechanism |
|---|---|---|
| Apache httpd | Webserver for Icingaweb 2 | systemd unit |
| cron | job scheduler | systemd unit |
| dbus-daemon | System message bus daemon | systemd unit |
| git-pull-hook | Custom Python3 hook to pull git changes from the cacert-icinga2-conf_d repository | systemd unit |
| Icinga2 | Icinga2 monitoring daemon | systemd unit |
| openssh server | ssh daemon for remote administration | systemd unit |
| Postfix | SMTP server for local mail submission | systemd unit |
| PostgreSQL | PostgreSQL database server | systemd unit |
| Puppet agent | configuration management agent | systemd unit |
| rsyslog | syslog daemon | systemd unit |
Databases
| RDBMS | Name | Used for |
|---|---|---|
| PostgreSQL | icinga2 | Icinga 2 performance and alerting data |
| PostgreSQL | icingaweb2 | Icingaweb 2 group and user preference data |
Connected Systems
Outbound network connections
- Infra02 as resolving nameserver
- Emailout as SMTP relay
- Git to fetch new commits from the cacert-icinga2-conf_d repository
- Puppet (tcp/8140) as Puppet master
- Proxyout as HTTP proxy for APT
- crl.cacert.org (rsync) for getting CRLs
- all systems in 10.0.0.0/24, 172.16.2.0/24 and 2001:7b8:616:162:2::/80 for monitoring their services
Security
SSH host keys
| Algorithm | Fingerprints |
|---|---|
| RSA | |
| DSA | |
| ECDSA | |
| ED25519 | |
See also
Non-distribution packages and modifications
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Risk assessments on critical packages
Icinga 2 and Icingaweb 2 are well maintained community projects with a good security track record.
Apache httpd has a good reputation and is a low risk package.
The system uses third-party packages with a good security track record and regular updates. The attack surface is small because access to the system is tightly restricted. The Puppet agent is not exposed for access from outside the system.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.
Keys and X.509 certificates
All keys and certificates are managed in the file hieradata/nodes/monitor.yaml in the CAcert Git repository cacert-puppet.
- Certificate for CN monitor.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/public/monitor.cacert.org.chain.pem
  - private key in file /etc/ssl/private/monitor.cacert.org.key.pem
- /etc/ssl/public/monitor.cacert.org_client_cas.pem: CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
- /var/local/ssl/crls/
CRL fetch job
The script /etc/cron.hourly/update-crls is used to fetch CRLs once per hour.
Apache httpd configuration
The HTTP and HTTPS VirtualHost configuration is defined in /etc/apache2/sites-available/icinga-nossl and /etc/apache2/sites-available/icinga; the HTTP VirtualHost redirects to the HTTPS VirtualHost.
Icinga configuration
The Icinga 2 configuration is stored in the /etc/icinga2/ directory.
The /etc/icinga2/conf.d/ directory is managed in the CAcert Git repository cacert-icinga2-conf_d, which has a post-receive hook that triggers updates of the Icinga 2 configuration and performs a graceful reload when the configuration has changed.
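The git-pull-hook listed under running services (an HTTP endpoint on port 8000 reachable from internal systems) together with the post-receive hook described above form a "pull, validate, reload" pipeline. The following is an added example of how such a hook can be structured so that a pushed commit with a syntax error cannot take the monitoring daemon down; it is not CAcert's own git-pull-hook. Assumed here are the request signature scheme (HMAC-SHA256 over the body in an `X-Hook-Signature` header, shared secret from the environment variable `GIT_HOOK_SECRET`), the loopback bind address, and the use of `icinga2 daemon -C` for validation and `systemctl reload icinga2` for the graceful reload; the repository path is the conf.d directory named on the page.

```python
"""Added example of an HTTP-triggered pull/validate/reload hook for the
Icinga 2 conf.d repository.  Not CAcert's git-pull-hook; signature scheme,
bind address and secret handling are assumptions of this example."""
import hashlib
import hmac
import os
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

CONF_D = "/etc/icinga2/conf.d"                   # directory the page says is managed from git
VALIDATE_CMD = ["icinga2", "daemon", "-C"]       # Icinga 2 configuration validation run
RELOAD_CMD = ["systemctl", "reload", "icinga2"]  # graceful reload through the systemd unit
LISTEN = ("127.0.0.1", 8000)                     # assumption: loopback bind, port from the page


def sign(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 of the request body (assumed hook signature scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, presented: str, secret: bytes) -> bool:
    """Constant-time comparison; an unset secret fails closed."""
    if not secret:
        return False
    return hmac.compare_digest(sign(body, secret), presented)


def git(args, run):
    """Run a git command inside the managed checkout via the injectable runner."""
    return run(["git", "-C", CONF_D] + args, capture_output=True, text=True, check=True)


def apply_update(run=subprocess.run) -> str:
    """Fast-forward the checkout, then reload Icinga 2 only when HEAD actually
    moved and the new configuration validates.  `run` is injectable so the
    decision logic can be tested without touching git, icinga2 or systemd."""
    before = git(["rev-parse", "HEAD"], run).stdout.strip()
    git(["pull", "--ff-only"], run)
    after = git(["rev-parse", "HEAD"], run).stdout.strip()
    if before == after:
        return "unchanged"          # nothing new: no needless reload
    check = run(VALIDATE_CMD, capture_output=True, text=True)
    if check.returncode != 0:
        return "invalid-config"     # keep the running, known-good configuration loaded
    run(RELOAD_CMD, check=True)
    return "reloaded"


class HookHandler(BaseHTTPRequestHandler):
    secret = os.environ.get("GIT_HOOK_SECRET", "").encode()  # assumption: secret via environment

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        if not verify_signature(body, self.headers.get("X-Hook-Signature", ""), self.secret):
            self.send_error(403, "bad signature")   # unauthenticated triggers are rejected
            return
        result = apply_update()
        self.send_response(200)
        self.end_headers()
        self.wfile.write(result.encode())


if __name__ == "__main__":
    HTTPServer(LISTEN, HookHandler).serve_forever()
```

The ordering is the point: validation happens after the pull and before the reload, and a failed validation leaves the previously loaded configuration in place, which is what makes a push of a broken conf.d a visible error rather than a monitoring outage.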
Tasks
Changes
Planned
System Future
No plans
Additional documentation
See also
References
- Wiki page for this system