Svn¶
Purpose¶
This system hosts the Subversion repository that is used for some CAcert documents and code that has not been moved to Git yet, for example:
Events
Policy development
Documentation
Application Links¶
- The subversion repository
- Anonymous read-only HTTP access
- Username/password authenticated HTTPS access
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Todo
find an additional admin
Application Administration¶
Application |
Administrator(s) |
|---|---|
Subversion |
Contact¶
Additional People¶
Mario Lipinski has sudo access on that machine too.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet
- IP Intranet
- IP Internal
- IPv6
- MAC address
00:16:3e:13:87:bb(eth0)
See also
See Network
Monitoring¶
- internal checks
DNS¶
Name |
Type |
Content |
|---|---|---|
svn.cacert.org. |
IN SSHFP |
1 1 1128972FB54F927477A781718E2F9C114E9CA383 |
svn.cacert.org. |
IN SSHFP |
2 1 3A36E5DF06304C481F01FC723FD88A086E82D986 |
svn.cacert.org. |
IN A |
213.154.225.238 |
cert.svn.cacert.org. |
IN CNAME |
svn.cacert.org. |
nocert.svn.cacert.org |
IN CNAME |
svn.cacert.org |
Todo
add AAAA record for IPv6 address
See also
Operating System¶
Debian GNU/Linux 9.13
Applicable Documentation¶
Access to specific paths in the repository is granted on request if approved by team leaders/officers.
Services¶
Listening services¶
Port |
Service |
Origin |
Purpose |
|---|---|---|---|
22/tcp |
ssh |
ANY |
admin console access |
25/tcp |
smtp |
local |
mail delivery to local MTA |
80/tcp |
http |
ANY |
application |
443/tcp |
https |
ANY |
application |
5666/tcp |
nrpe |
monitor |
remote monitoring service |
Running services¶
Service |
Usage |
Start mechanism |
|---|---|---|
Apache httpd |
Webserver for Subversion |
init script
|
cron |
job scheduler |
init script |
Exim |
SMTP server for local mail submission |
init script
|
Nagios NRPE server |
remote monitoring service queried by Monitor |
init script
|
openssh server |
ssh daemon for remote administration |
init script |
Puppet agent |
configuration management agent |
init script
|
rsyslog |
syslog daemon |
init script
|
Connected Systems¶
Connection from Blog because blog uses some resources served from svn
Connection from https://www.cacert.org/ because blog posts are embedded there
Outbound network connections¶
Security¶
SSH host keys¶
Algorithm |
Fingerprints |
|---|---|
RSA |
|
DSA |
|
ECDSA |
|
ED25519 |
|
See also
Non-distribution packages and modifications¶
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Risk assessments on critical packages¶
Apache httpd is configured with a minimum of enabled modules to allow TLS and Subversion but nothing else to reduce potential security risks.
The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The puppet agent is not exposed for access from outside the system.
Critical Configuration items¶
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.
Todo
move configuration of svn to Puppet code
Keys and X.509 certificates¶
Certificate for CN svn.cacert.org, see details in the certificate list
certificate in file /etc/apache2/ssl/svn.cacert.org.crt.pem
private key in file /etc/apache2/ssl/svn.cacert.org.key.pem
/etc/apache2/ssl/cacert-certs.pem CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
/etc/apache2/ssl/cacert-chain.pem CAcert.org Class 1 certificate (certificate chain for server certificate)
Apache httpd configuration¶
The main configuration files for Apache httpd are:
/etc/apache2/sites-available/cert.svn.cacert.orgDefines the https VirtualHost for IPv4 and IPv6 on port 443 using client certificate authentication. The SNI server names svn.cacert.org and cert.svn.cacert.org are handled by the VirtualHost configuration in this file.
/etc/apache2/sites-available/nocert.svn.cacert.orgDefines the https VirtualHost for IPv4 and IPv6 on port 443 using username/password authentication. The SNI server name nocert.svn.cacert.org is handled by the VirtualHost configuration in this file.
/etc/apache2/sites-available/000-defaultDefines the http read-only VirtualHost for IPv4 and IPv6 on port 80.
These files include the following files to configure Subversion and authentication/authorization:
/etc/apache2/sites-available/ssl_config.includecontains VirtualHost specific TLS configuration
/etc/apache2/sites-available/svn_anonymous_config.includeconfigure anonymous SVN access without defining a password file and thus restricting SVN paths that require authentication
/etc/apache2/sites-available/svn_pwauth_config.includeconfigure username/password authenticated access to SVN using the password file
/srv/dav_svn.passwd./etc/apache2/sites-available/svn_certauth_config.includeconfigure TLS client certificate authenticated access to SVN using the first email address in the client certificate’s Subject Distinguished name as user name
Subversion configuration¶
Subversion authorization (aliases, groups and ACLs) is configured in
/srv/dav_svn.authz in the format specified in path based authorization in
the Subversion book.
The repository data is stored in /srv/svnrepo.
CRL update job¶
CRLs are updated by /etc/cron.daily/fetchcrls.
Tasks¶
X.509 Auth for policy¶
Documentation officer has endorsed
Waiting on Org-assurer word as to org-assurer policy stuff
Mail notifications¶
commit hooks on policy to policy list?
Changes¶
Planned¶
The configuration of this system will be migrated to a setup fully managed by Puppet.
System Future¶
No plans
Additional documentation¶
See also
