imported>Vbrillau |
|
| Line 1: |
Line 1: |
| The pakiti-client can be used to send package informations to pakiti.egi.eu.
| |
|
| |
|
| If you have the proper credentials in GOC-DB and submit your report with the correct SITE_NAME, you, your NGI-CSIRT and the EGI-CSIRT will be able to monitor the packages installed on your hosts and potentially vulnerabilities. The results can be accessed at https://pakiti.egi.eu.
| | {{DeprecatedAndMovedTo|new_location=https://docs.egi.eu/internal/security-coordination/monitoring/pakiti/}} |
| | |
| == Running the Pakiti client from CVMFS for EGI ==
| |
| | |
| If you have CVMFS installed and configured to mount grid.cern.ch, you can run pakiti by simply running:
| |
| | |
| <nowiki>/cvmfs/grid.cern.ch/pakiti/bin/pakiti-client --config /cvmfs/grid.cern.ch/pakiti/conf/EGI-CSIRT.conf --site SITE_NAME</nowiki>
| |
| | |
| '''<span style="color:#FF0000"> Please remember to replace SITE_NAME by your actual site name </span> '''
| |
| | |
| | |
| == Manual Installation ==
| |
| | |
| === Installing the Pakiti client ===
| |
| | |
| The pakiti client is now available from EPEL.
| |
| If your machine already has EPEL enabled, the following command is enough to install it:
| |
| | |
| <nowiki>yum install pakiti-client</nowiki>
| |
| | |
| === Configuring the Pakiti client for EGI ===
| |
| | |
| In addition to this package, a configuration file corresponding to the EGI server must be created.
| |
| | |
| ==== Using wget (unsafe) ====
| |
| | |
| You can get the configuration via http (thus unsafe) with the following wget:
| |
| | |
| <nowiki>wget http://pakiti.egi.eu/egi-package-reporter.conf -O /etc/egi-package-reporter.conf</nowiki>
| |
| | |
| ==== Copy/paste ====
| |
| | |
| The current recommended way of getting the configuration is simply to past the following line in a shell:
| |
| | |
| <nowiki>cat <<EOF > /etc/egi-package-reporter.conf
| |
| #
| |
| # pakiti-client configuration file to submit the list of installed
| |
| # packages to the EGI Pakiti
| |
| #
| |
| | |
| url = http://pakiti.egi.eu:80/feed/
| |
| expect = 200 OK
| |
| encrypt = <<EOT
| |
| -----BEGIN CERTIFICATE-----
| |
| MIIEMTCCAxmgAwIBAgIIMzVxgpqOq7wwDQYJKoZIhvcNAQEFBQAwWTESMBAGCgmS
| |
| JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
| |
| DAlDRVNORVQgQ0ExFDASBgNVBAMMC0NFU05FVCBDQSAzMB4XDTEzMDkyNTEzMzgy
| |
| MVoXDTE0MTAyNTEzMzgyMVowWDESMBAGCgmSJomT8ixkARkWAmN6MRkwFwYKCZIm
| |
| iZPyLGQBGRYJY2VzbmV0LWNhMQ8wDQYDVQQKDAZDRVNORVQxFjAUBgNVBAMMDXBh
| |
| a2l0aS5lZ2kuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbho74
| |
| s32hfdcWfxle02AxWbunSnCaKuqK4S5BFhxHUbBo74LpvLw0VMaaxyQmya3O1TEu
| |
| xWKjJlqFS5Evm+t8w/7NyTcbZvnCXmDopxEX9HlDRsVVSH1tQNy79iZpjmQboZhP
| |
| ueRQhPsfm5b0NJuLnPjHq03JFBk7FASt7BWkJtcAQPV9Q3x/vw3780KEUoADfmIB
| |
| lOnOmzoUoKT6pfxRf4iORnDhbaeApMI5PGbyMRmbzfS4Prh7w7vorG0fhRfydq0G
| |
| hYOY0+kvNbbt/hH4XDcO0zeAA4E6w30Yr1DYX2VXkc/RCO/LqvGjZzZW9ZW/kquP
| |
| woOWxyLaQ27Hu7RBAgMBAAGjgf0wgfowHQYDVR0OBBYEFGT5cZ2TnPXqdPpshKDx
| |
| xit+R5MeMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU9V0/vJiZix/xSOf+R4dx
| |
| CaLcukUwJwYDVR0gBCAwHjAMBgoqhkiG90wFAgIBMA4GDCsGAQQBvnkBAgIDATA4
| |
| BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNlc25ldC1jYS5jei9DRVNORVRf
| |
| Q0FfMy5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
| |
| BgEFBQcDAjAYBgNVHREEETAPgg1wYWtpdGkuZWdpLmV1MA0GCSqGSIb3DQEBBQUA
| |
| A4IBAQB7OahKWgwgNn9Nv9fOt/H2L2G1WbwUlmF2xIiFWiXs8MKzshLL5qrlhBfc
| |
| KxNe+EptPzfpBOEWYiBPmPq3hXKRxeCg8kjHhijSHDy9rOqZdfTN5Jf4fGqB0SIC
| |
| 2YVWg9vR7kJha+BnEogZooJhVKpDJjnEKCGST+QHUDfIfB1pk2XqM1dYvgt8Ee8v
| |
| cuRMJY1XiE0YKFg9ZLEtlbVLYFUfM877RKaZTVxh2L5bE7pFWAY3n0LJGNpYucr6
| |
| 6uCgpre94eEW9/MBsDKkrq8d1TDTXrQ0dMlBZtzWFTSNy8oYxUMqTGk5Vj7y88Pp
| |
| wAUTiDVs/PjwwQqTz80tUXMe1EC/
| |
| -----END CERTIFICATE-----
| |
| EOT
| |
| EOF</nowiki>
| |
| | |
| | |
| === Running the Pakiti client for EGI ===
| |
| | |
| With the package and the configuration, the following commands will run the pakiti-client and transmit all its data to the EGI CSIRT pakiti instance!
| |
| | |
| <nowiki>pakiti-client --site SITE_NAME --conf /etc/egi-package-reporter.conf</nowiki>
| |
| | |
| '''<span style="color:#FF0000"> Please remember to replace SITE_NAME by your actual site name </span> '''
| |
| | |
| === Running the Pakiti client for EGI every day via cron ===
| |
| | |
| You can also run pakiti-client as a daily cronjob, in order to send us data every days.
| |
| In that case, please randomize as much as possible the cronjob between your hosts.
| |
| Please also note that the pakiti-client can run as nobody.
| |
| | |
| You can enable it by running, for example (be sure to reload your cron daemon afterwards):
| |
| <nowiki>echo "$(perl -e 'print int(rand(60))') $(perl -e 'print int(rand(24))') * * * nobody /usr/bin/pakiti-client --site SITE_NAME --conf /etc/egi-package-reporter.conf" > /etc/cron.d/pakiti-egi</nowiki>
| |
| | |
| '''<span style="color:#FF0000"> Please remember to replace SITE_NAME by your actual site name </span> '''
| |
| | |
| | |
| == Puppet Installation ==
| |
| | |
| The simplest way to configure and run the pakiti-client on a cluster is to use puppet:
| |
| You just need to create a file and a manifest.
| |
| * Create a file named egi-package-reporter.conf in the 'files' folders of you configuration containing:
| |
| <nowiki>#
| |
| # pakiti-client configuration file to submit the list of installed
| |
| # packages to the EGI Pakiti
| |
| #
| |
| | |
| url = http://pakiti.egi.eu:80/feed/
| |
| expect = 200 OK
| |
| encrypt = <<EOT
| |
| -----BEGIN CERTIFICATE-----
| |
| MIIEMTCCAxmgAwIBAgIIMzVxgpqOq7wwDQYJKoZIhvcNAQEFBQAwWTESMBAGCgmS
| |
| JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
| |
| DAlDRVNORVQgQ0ExFDASBgNVBAMMC0NFU05FVCBDQSAzMB4XDTEzMDkyNTEzMzgy
| |
| MVoXDTE0MTAyNTEzMzgyMVowWDESMBAGCgmSJomT8ixkARkWAmN6MRkwFwYKCZIm
| |
| iZPyLGQBGRYJY2VzbmV0LWNhMQ8wDQYDVQQKDAZDRVNORVQxFjAUBgNVBAMMDXBh
| |
| a2l0aS5lZ2kuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbho74
| |
| s32hfdcWfxle02AxWbunSnCaKuqK4S5BFhxHUbBo74LpvLw0VMaaxyQmya3O1TEu
| |
| xWKjJlqFS5Evm+t8w/7NyTcbZvnCXmDopxEX9HlDRsVVSH1tQNy79iZpjmQboZhP
| |
| ueRQhPsfm5b0NJuLnPjHq03JFBk7FASt7BWkJtcAQPV9Q3x/vw3780KEUoADfmIB
| |
| lOnOmzoUoKT6pfxRf4iORnDhbaeApMI5PGbyMRmbzfS4Prh7w7vorG0fhRfydq0G
| |
| hYOY0+kvNbbt/hH4XDcO0zeAA4E6w30Yr1DYX2VXkc/RCO/LqvGjZzZW9ZW/kquP
| |
| woOWxyLaQ27Hu7RBAgMBAAGjgf0wgfowHQYDVR0OBBYEFGT5cZ2TnPXqdPpshKDx
| |
| xit+R5MeMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU9V0/vJiZix/xSOf+R4dx
| |
| CaLcukUwJwYDVR0gBCAwHjAMBgoqhkiG90wFAgIBMA4GDCsGAQQBvnkBAgIDATA4
| |
| BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNlc25ldC1jYS5jei9DRVNORVRf
| |
| Q0FfMy5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
| |
| BgEFBQcDAjAYBgNVHREEETAPgg1wYWtpdGkuZWdpLmV1MA0GCSqGSIb3DQEBBQUA
| |
| A4IBAQB7OahKWgwgNn9Nv9fOt/H2L2G1WbwUlmF2xIiFWiXs8MKzshLL5qrlhBfc
| |
| KxNe+EptPzfpBOEWYiBPmPq3hXKRxeCg8kjHhijSHDy9rOqZdfTN5Jf4fGqB0SIC
| |
| 2YVWg9vR7kJha+BnEogZooJhVKpDJjnEKCGST+QHUDfIfB1pk2XqM1dYvgt8Ee8v
| |
| cuRMJY1XiE0YKFg9ZLEtlbVLYFUfM877RKaZTVxh2L5bE7pFWAY3n0LJGNpYucr6
| |
| 6uCgpre94eEW9/MBsDKkrq8d1TDTXrQ0dMlBZtzWFTSNy8oYxUMqTGk5Vj7y88Pp
| |
| wAUTiDVs/PjwwQqTz80tUXMe1EC/
| |
| -----END CERTIFICATE-----
| |
| EOT</nowiki>
| |
| | |
| * Add to one of your manifest:
| |
| <nowiki>package { 'pakiti-client':
| |
| ensure => 'present',
| |
| }
| |
| file { /etc/egi-package-reporter.conf:
| |
| mode => '0644',
| |
| source => 'puppet:///path/to/egi-package-reporter.conf',
| |
| } | |
| cron { 'pakiti-egi':
| |
| ensure => 'present',
| |
| command => 'pakiti-client --conf /etc/egi-package-reporter.conf --site SITE_NAME',
| |
| user => 'nobody',
| |
| hour => fqdn_rand(24),
| |
| minute => fqdn_rand(60),
| |
| }</nowiki> | |
| | |
| '''<span style="color:#FF0000"> Please remember to replace SITE_NAME by your actual site name. </span>'''
| |
| '''<span style="color:#FF0000"> Please remember to replace /path/to/egi-package-reporter.conf by your actual path to egi-package-reporter.conf.</span>'''
| |
The wiki is deprecated and due to be decommissioned by the end of September 2022.