Motion

Purpose

This system provides the CAcert board motion system. The system replaced the board voting system that had been provided on Webmail (Community) at https://community.cacert.org/board/.

Administration

System Administration

Application Administration

Application            Administrator(s)
board motion system    Jan Dittberner

Additional People

No other people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet     None
IP Intranet     None
IP Internal     10.0.0.117
IPv6            2001:7b8:616:162:2::117
MAC address     00:ff:cc:ce:0d:24 (eth0)
See also        See Network

DNS

Name                        Type       Content
motion.cacert.org.          IN A       213.154.225.241
motion.cacert.org.          IN AAAA    2001:7b8:616:162:2::241
motion.cacert.org.          IN SSHFP   1 1 f018202c72749af5f48d45d5d536422f9c364fbb
motion.cacert.org.          IN SSHFP   1 2 0d17bbfe2efa97edbb13ffe3e6bfd3b4b9be5117f3c831a2f1a55b6c50e92fd4
motion.cacert.org.          IN SSHFP   2 1 ee6f2e346a5d5164100721f99765a4d3d08c6dce
motion.cacert.org.          IN SSHFP   2 2 53dedfd2c566011db80311528eba15fd000b0a5092ab1fc8104ca5804490cd18
motion.cacert.org.          IN SSHFP   3 1 6d4a9ec30f30aa0634b8879cded8ce884498e290
motion.cacert.org.          IN SSHFP   3 2 325ee301da21844adb8f12c0011b8d73709be8b2b9f375829224ac79c8fdfa6e
motion.cacert.org.          IN SSHFP   4 1 78e1edee04907de6b56d9c0d4900178f9426c02d
motion.cacert.org.          IN SSHFP   4 2 ca108fc298cb08406fe02454d9245ee1cf26c7241691da9a5b6bc69c56afd5c1
motion.infra.cacert.org.    IN A       10.0.0.117

Operating System

  • Debian GNU/Linux 10.0

Services

Listening services

Port        Service    Origin     Purpose
22/tcp      ssh        ANY        admin console access
25/tcp      smtp       local      mail delivery to local MTA
8443/tcp    https      ANY        board motion application
5665/tcp    icinga2    monitor    remote monitoring service

The board motion system is reachable via Proxyin. SSH is forwarded from port 11722 on the public IP addresses.

Running services

Service               Usage                                      Start mechanism
cacert-boardvoting    application                                systemd unit cacert-boardvoting.service
cron                  job scheduler                              systemd unit cron.service
dbus-daemon           System message bus daemon                  systemd unit dbus.service
Exim                  SMTP server for local mail submission      systemd unit exim4.service
icinga2               Icinga2 monitoring agent                   systemd unit icinga2.service
openssh server        ssh daemon for remote administration       systemd unit ssh.service
Puppet agent          configuration management agent             systemd unit puppet.service
rsyslog               syslog daemon                              systemd unit rsyslog.service

Databases

RDBMS     Name                                            Used for
SQLite    /srv/cacert-boardvoting/data/database.sqlite    cacert-boardvoting

Connected Systems

Outbound network connections

Security

SSH host keys

Algorithm    Fingerprints
RSA          SHA256:DRe7/i76l+27E//j5r/TtLm+URfzyDGi8aVbbFDpL9Q
             MD5:8a:a8:61:d2:07:79:27:6a:37:f8:30:2a:36:aa:d9:4f
DSA          SHA256:U97f0sVmAR24AxFSjroV/QALClCSqx/IEEylgESQzRg
             MD5:ec:76:0a:d5:5e:ff:29:1e:f4:b4:78:5f:5e:0f:2a:af
ECDSA        SHA256:Ml7jAdohhErbjxLAARuNc3Cb6LK583WCkiSsecj9+m4
             MD5:3f:38:14:95:9e:fb:10:79:c5:72:d6:c6:79:a8:84:cf
ED25519      SHA256:yhCPwpjLCEBv4CRU2SRe4c8mxyQWkdqaW2vGnFav1cE
             MD5:c5:40:79:42:09:9d:5e:47:45:d6:ab:e9:58:af:eb:26
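The SSHFP records in the DNS table and the SHA256 fingerprints in the host key table above are two encodings of the same value: an SSHFP type 2 record carries the SHA-256 digest of the raw public key blob as hex, and OpenSSH prints that same digest base64-encoded without padding. The following script is an added example (not part of this documentation or of cacert-boardvoting) that converts between the two forms, computes SSHFP records from an OpenSSH public key line, and checks a presented host key against a published record set; the sample ssh-ed25519 key it contains is constructed and is not the real host key.

```python
"""Cross-check SSH host key fingerprints against SSHFP records (added example)."""
import base64
import hashlib

# SSHFP algorithm numbers keyed by the OpenSSH key type prefix.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def openssh_fp_to_hex(fingerprint):
    """Convert an OpenSSH 'SHA256:<base64>' fingerprint to the lowercase hex
    digest that an SSHFP type 2 record carries."""
    if not fingerprint.startswith("SHA256:"):
        raise ValueError("expected a SHA256: fingerprint")
    b64 = fingerprint[len("SHA256:"):]
    b64 += "=" * (-len(b64) % 4)  # OpenSSH strips the base64 padding
    digest = base64.b64decode(b64)
    if len(digest) != 32:
        raise ValueError("SHA-256 fingerprint must decode to 32 bytes")
    return digest.hex()


def key_blob(pubkey_line):
    """Split an OpenSSH public key line into (key type, raw key blob bytes)."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError("unsupported key type: " + key_type)
    return key_type, base64.b64decode(b64)


def sshfp_records(pubkey_line):
    """Return (algorithm, fptype, hex fingerprint) tuples for the SSHFP records
    that publish this key, one per supported hash (SHA-1 and SHA-256)."""
    key_type, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    return [(alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASH.items())]


def openssh_sha256_fingerprint(pubkey_line):
    """Render the key's fingerprint the way 'ssh-keygen -l -E sha256' prints it."""
    _, blob = key_blob(pubkey_line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_matches_dns(pubkey_line, published):
    """True when every SSHFP record computed for the key appears in the
    published record set; hex is compared case-insensitively because DNS
    data may be upper-case."""
    have = {(a, t, f.lower()) for a, t, f in published}
    return all((a, t, f) in have for a, t, f in sshfp_records(pubkey_line))


# Constructed sample key (NOT a real host key): a syntactically valid
# ssh-ed25519 blob whose 32-byte key material is simply 0x00..0x1f.
CONSTRUCTED_ED25519_KEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode() + " constructed@example"


if __name__ == "__main__":
    for record in sshfp_records(CONSTRUCTED_ED25519_KEY):
        print("motion.cacert.org. IN SSHFP %d %d %s" % record)
    print(openssh_sha256_fingerprint(CONSTRUCTED_ED25519_KEY))
```

Running `openssh_fp_to_hex` on the SHA256 fingerprints listed above reproduces the type 2 SSHFP contents of the DNS table, which is the check to perform after a key rollover: regenerate the records from the new public key files and confirm both the zone and this page were updated together.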

Dedicated user roles

  • None

Non-distribution packages and modifications

  • Board motion system

    The system runs the board motion system developed in the CAcert Git repository cacert-boardvoting.

    The software is installed from a Debian package that is hosted on Webstatic.

    The software is built on Jenkins via the cacert-boardvoting job when there are changes in Git. The Debian package can be built using gbp.

    The software is installed and configured via Puppet.

    Todo

    describe more in-depth how to build the Debian package

Risk assessments on critical packages

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

The system is stripped down to the bare minimum. The CAcert board voting system software is developed using Go which handles a lot of common programming errors at compile time and has a quite good security track record.

The board motion tool is run as a separate system user cacert-boardvoting and is built as a small self-contained static binary. Access is restricted via https.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Keys and X.509 certificates

  • Certificate for CN motion.cacert.org, see details in the certificate list

    • certificate in file /srv/cacert-boardvoting/data/server.crt

    • private key in file /srv/cacert-boardvoting/data/server.key

  • /srv/cacert-boardvoting/data/cacert_class3.pem CAcert class 3 CA certificate (allowed CA certificate for client certificates)

cacert-boardvoting configuration

cacert-boardvoting is configured via Puppet profile profiles::cacert-boardvoting.

Tasks

Add/Remove voters

An Application Administrator can add and remove voters from the CAcert board voting system using the sqlite3 program:

cd /srv/cacert-boardvoting/data
# open database
sqlite3 database.sqlite
-- find existing voters
select * from voters where enabled=1;

-- disable voters that should not be able to vote using ids from the result
-- of the previous query
update voters set enabled=0 where id in (1, 2, 3);

-- find existing accounts of voters John Doe and Jane Doe
select * from voters where name like 'John%' or name like 'Jane%';

-- John has an account with id 4, Jane is not in the system
-- enable John
update voters set enabled=1 where id=4;

-- insert Jane
insert into voters (name, enabled, reminder) values ('Jane Doe', 1,
  'jane.doe@cacert.org');

-- find voter id for Jane
select id from voters where name='Jane Doe';

-- Jane has id 42
-- insert email address mapping for Jane (used for authentication)
insert into emails (voter, address) values (42, 'jane.doe@cacert.org');
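The same procedure, as an added example that is not part of this documentation or of cacert-boardvoting: a scripted version using Python's sqlite3 module that performs the disable, re-enable and insert steps as transactions against an in-memory copy of the two tables. The column set (voters: id, name, enabled, reminder; emails: voter, address) is assumed from the session above and the sample rows are constructed; the real schema may carry further columns that are not modelled here.

```python
"""Scripted voter administration for the board voting database (added example)."""
import sqlite3

# Minimal schema reconstructed from the columns used in the sqlite3 session
# above; this is an assumption, not the project's own schema definition.
SCHEMA = """
CREATE TABLE voters (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    enabled  INTEGER NOT NULL DEFAULT 0,
    reminder TEXT
);
CREATE TABLE emails (
    voter   INTEGER NOT NULL REFERENCES voters(id),
    address TEXT NOT NULL UNIQUE
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    return conn


def enabled_voters(conn):
    """List (id, name) of the voters who may currently vote."""
    return conn.execute(
        "SELECT id, name FROM voters WHERE enabled = 1 ORDER BY id").fetchall()


def find_voters(conn, name_prefix):
    """Look up accounts by name prefix, as the 'name like ...' query does."""
    return conn.execute(
        "SELECT id, name, enabled FROM voters WHERE name LIKE ? ORDER BY id",
        (name_prefix + "%",)).fetchall()


def set_enabled(conn, voter_ids, enabled):
    """Enable or disable the given voter ids in one transaction."""
    with conn:
        conn.executemany("UPDATE voters SET enabled = ? WHERE id = ?",
                         [(1 if enabled else 0, v) for v in voter_ids])


def add_voter(conn, name, address):
    """Insert a voter together with the e-mail mapping used for authentication.
    Both rows are written in one transaction: a voter row without a mapping
    would be enabled but unable to log in, so either both succeed or neither."""
    with conn:
        cur = conn.execute(
            "INSERT INTO voters (name, enabled, reminder) VALUES (?, 1, ?)",
            (name, address))
        voter_id = cur.lastrowid
        conn.execute("INSERT INTO emails (voter, address) VALUES (?, ?)",
                     (voter_id, address))
    return voter_id


def login_addresses(conn, voter_id):
    """Addresses the voter can authenticate with."""
    rows = conn.execute("SELECT address FROM emails WHERE voter = ?",
                        (voter_id,)).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the documented steps on constructed data; returns (conn, Jane's id)."""
    conn = open_db()
    conn.executescript(SCHEMA)
    # Constructed sample data standing in for the real database contents.
    conn.executemany(
        "INSERT INTO voters (name, enabled, reminder) VALUES (?, ?, ?)", [
            ("Alice Example", 1, "alice@example.org"),
            ("Bob Example", 1, "bob@example.org"),
            ("John Doe", 0, "john.doe@example.org"),
        ])
    conn.executemany("INSERT INTO emails (voter, address) VALUES (?, ?)", [
        (1, "alice@example.org"), (2, "bob@example.org"),
        (3, "john.doe@example.org")])
    set_enabled(conn, [1, 2], False)   # outgoing board members
    set_enabled(conn, [3], True)       # John already has an account
    jane = add_voter(conn, "Jane Doe", "jane.doe@example.org")
    # A duplicate login address is rejected by the UNIQUE constraint and the
    # transaction rolls back, so no half-inserted voter row is left behind.
    try:
        add_voter(conn, "Jane Again", "jane.doe@example.org")
    except sqlite3.IntegrityError:
        pass
    return conn, jane


if __name__ == "__main__":
    conn, jane = demo()
    print("enabled voters:", enabled_voters(conn))
    print("Jane logs in as:", login_addresses(conn, jane))
```

Against the production database the same functions would be called with `open_db("/srv/cacert-boardvoting/data/database.sqlite")`; keeping the voter insert and the emails mapping in one transaction is the point that the interactive session cannot enforce.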

Changes

Planned

Todo

implement user administration inside the application

System Future

  • No plans