Monitor

Purpose

This system hosts an Icinga instance to centrally monitor the services in the CAcert network (especially for security updates and certificate expiry).

Note

To access the system you need a client certificate where the first email address in the Subject Distinguished Name field is a cacert.org address. Subject Alternative Names are not checked.
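The access rule above, applied in code as an added example (not CAcert's or the page's own code): only the first emailAddress component of the client certificate's Subject DN decides, and Subject Alternative Names are never consulted. The DN string format is assumed to be the comma-separated form Apache exposes as SSL_CLIENT_S_DN; "first" is taken to mean first in that rendered string.

```python
"""Added example (not CAcert's or the page's own code): apply the Monitor
access rule to a client-certificate Subject DN. Only the FIRST
emailAddress component of the Subject DN decides; Subject Alternative
Names are deliberately never consulted. The DN string format assumed is
the comma-separated form Apache exposes as SSL_CLIENT_S_DN."""
import re

ALLOWED_DOMAIN = "cacert.org"
# Attribute names under which an email address may appear in a rendered DN
EMAIL_ATTRS = ("emailaddress", "email", "e")


def parse_dn(dn):
    """Split "CN=Jane Doe,emailAddress=jane@cacert.org,O=CAcert" into ordered
    (attribute, value) pairs. A backslash-escaped comma stays inside its
    value; the escape characters are then removed from the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs


def first_email(dn):
    """Return the first email address found in the Subject DN, or None."""
    for attr, value in parse_dn(dn):
        if attr.lower() in EMAIL_ATTRS:
            return value
    return None


def allowed(dn, domain=ALLOWED_DOMAIN):
    """True only if the FIRST email address in the DN is an @domain address.
    A later cacert.org address cannot rescue a DN whose first address is
    foreign, and a look-alike such as cacert.org.example is rejected
    because the whole part after '@' must match exactly."""
    try:
        email = first_email(dn)
    except ValueError:
        return False
    if email is None or "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() == domain.lower()
```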

If you are the administrator of a service, please ask the monitor admins to add your system to the monitoring configuration and to add you as a system contact. This allows you to receive notifications and to perform tasks such as acknowledging service outages, adding notes, rescheduling checks or setting downtimes for your service.

Administration

System Administration

Application Administration

Application   Administrator(s)
Icinga        Jan Dittberner

Additional People

Jan Dittberner and Mario Lipinski have sudo access on this machine too.

Basics

Physical Location

This system runs in an LXC container on the physical machine Infra02.

Logical Location

IP Internet   213.154.225.230
IP Intranet   172.16.2.18
IP Internal   10.0.0.18
IPv6          2001:7b8:616:162:2::18
MAC address   00:ff:73:b3:17:43 (eth0)
See also      Network

DNS

Name                  Type      Content
monitor.cacert.org.   IN CNAME  infrastructure.cacert.org

Operating System

  • Debian GNU/Linux 9.4

Applicable Documentation

This is it :-)

Services

Listening services

Port      Service  Origin   Purpose
22/tcp    ssh      ANY      admin console access
25/tcp    smtp     local    mail delivery to local MTA
80/tcp    http     ANY      Icinga classic web frontend
443/tcp   https    ANY      Icinga classic web frontend
5666/tcp  nrpe     monitor  remote monitoring service
5432/tcp  pgsql    local    PostgreSQL database for IDO

Note

The ssh port is reachable via NAT on infrastructure.cacert.org:11822.

Running services

Service             Usage                                          Start mechanism
Apache httpd        Webserver for Icinga classic                   init script /etc/init.d/apache2
cron                job scheduler                                  init script /etc/init.d/cron
Icinga              Icinga monitoring daemon                       init script /etc/init.d/icinga
IDO2DB              IDO database writer daemon                     init script /etc/init.d/ido2db
Nagios NRPE server  remote monitoring service for this system      init script /etc/init.d/nagios-nrpe-server
openssh server      ssh daemon for remote administration           init script /etc/init.d/ssh
Postfix             SMTP server for local mail submission          init script /etc/init.d/postfix
PostgreSQL          PostgreSQL database server for IDO             init script /etc/init.d/postgresql
Puppet agent        configuration management agent                 init script /etc/init.d/puppet
rsyslog             syslog daemon                                  init script /etc/init.d/syslog

Databases

RDBMS       Name    Used for
PostgreSQL  icinga  Icinga IDO data

Connected Systems

None

Outbound network connections

Todo

add IPv6 ranges when they are monitored

Security

SSH host keys

Algorithm  SHA256 fingerprint                                   MD5 fingerprint
RSA        SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0  MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
DSA        SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI  MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
ECDSA      SHA256:GWvYqhQUt9INh/7VRVu6Z2YORoy/YzgBxNBmX+ZvMsk  MD5:48:46:b1:5a:4e:05:64:8a:c3:76:33:77:20:91:14:70
ED25519    SHA256:L5roC867bvxDJ0ckbhIQOt2A9Nh1RQBVuIJFWwrPLG0  MD5:10:94:56:09:5b:a2:28:ab:11:e0:0f:6e:e4:0c:38:bb

Non-distribution packages and modifications

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

Icinga and the classic frontend are a bit aged but have a good security track record.

Apache httpd has a good reputation and is a low risk package.

NRPE is flawed and should be replaced. The risk is somewhat mitigated by firewalling on the infrastructure host.

The system uses third-party packages with a good security track record and regular updates. The attack surface is small because access to the system is tightly restricted. The Puppet agent is not exposed to access from outside the system.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of Monitor to Puppet code

Keys and X.509 certificates

  • Certificate for CN monitor.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/monitor.c.o.pem

    • private key in file /etc/ssl/private/monitor.c.o.priv

  • /etc/ssl/certs/cacert.allcerts.pem CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates and the certificate chain for the server certificate)

  • /var/local/ssl/crls/

CRL fetch job

The script /etc/cron.hourly/update-crls is used to fetch CRLs once per hour.

Apache httpd configuration

The HTTP and HTTPS VirtualHost configurations are defined in /etc/apache2/sites-available/icinga-nossl and /etc/apache2/sites-available/icinga respectively. The HTTP VirtualHost redirects to the HTTPS VirtualHost.

Icinga configuration

The Icinga configuration is stored in the /etc/icinga/ directory. Database configuration for IDO is stored in ido2db.cfg. The Icinga classic frontend configuration is stored in cgi.cfg. Host and service configurations are defined in the objects/ subdirectory.

Tasks

Changes

Planned

System Future

  • No plans

Additional documentation

References

Wiki page for this system

Wiki SystemAdministration/Systems/Monitor