Difference between revisions of "EGI CSIRT:Pakiti client"
(Pull the https://wiki.egi.eu/csirt/index.php/Pakiti_client version (private one)) |
Line 1: | Line 1: | ||
The pakiti-client can be used to send package informations to pakiti.egi.eu. | The pakiti-client can be used to send package informations to pakiti.egi.eu. | ||
If you have the proper credentials in GOC-DB and submit your report with the correct SITE_NAME, you, your NGI-CSIRT and the EGI-CSIRT will be able to monitor the packages installed on your hosts and potentially vulnerabilities. | If you have the proper credentials in GOC-DB and submit your report with the correct SITE_NAME, you, your NGI-CSIRT and the EGI-CSIRT will be able to monitor the packages installed on your hosts and potentially vulnerabilities. The results can be accessed at https://pakiti.egi.eu. | ||
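Review bot: The sentence added at the end of the right-hand paragraph gives the results URL without saying who can open it. The same paragraph ties monitoring to GOC-DB credentials and a correct SITE_NAME, so consider stating whether those credentials are also what is needed to log in there. The paragraph also still reads "package informations" and "potentially vulnerabilities" on both sides; "package information" and "potential vulnerabilities" would be the fix while this text is being touched.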
Revision as of 09:09, 20 July 2015
The pakiti-client can be used to send package information to pakiti.egi.eu.
If you have the proper credentials in GOC-DB and submit your report with the correct SITE_NAME, you, your NGI-CSIRT and the EGI-CSIRT will be able to monitor the packages installed on your hosts and their potential vulnerabilities. The results can be accessed at https://pakiti.egi.eu.
Manual Installation
Installing the Pakiti client
The pakiti client is now available from EPEL. If your machine already has EPEL enabled, the following command is enough to install it:
yum install pakiti-client
Configuring the Pakiti client for EGI
In addition to this package, a configuration file corresponding to the EGI server must be created.
Using wget (unsafe)
You can get the configuration via http (thus unsafe) with the following wget:
wget http://pakiti.egi.eu/egi-package-reporter.conf -O /etc/egi-package-reporter.conf
Copy/paste
The currently recommended way of getting the configuration is simply to paste the following lines into a shell:
cat <<EOF > /etc/egi-package-reporter.conf
#
# pakiti-client configuration file to submit the list of installed
# packages to the EGI Pakiti
#
url = http://pakiti.egi.eu:80/feed/
expect = 200 OK
encrypt = <<EOT
-----BEGIN CERTIFICATE-----
MIIEMTCCAxmgAwIBAgIIMzVxgpqOq7wwDQYJKoZIhvcNAQEFBQAwWTESMBAGCgmS
JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
DAlDRVNORVQgQ0ExFDASBgNVBAMMC0NFU05FVCBDQSAzMB4XDTEzMDkyNTEzMzgy
MVoXDTE0MTAyNTEzMzgyMVowWDESMBAGCgmSJomT8ixkARkWAmN6MRkwFwYKCZIm
iZPyLGQBGRYJY2VzbmV0LWNhMQ8wDQYDVQQKDAZDRVNORVQxFjAUBgNVBAMMDXBh
a2l0aS5lZ2kuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbho74
s32hfdcWfxle02AxWbunSnCaKuqK4S5BFhxHUbBo74LpvLw0VMaaxyQmya3O1TEu
xWKjJlqFS5Evm+t8w/7NyTcbZvnCXmDopxEX9HlDRsVVSH1tQNy79iZpjmQboZhP
ueRQhPsfm5b0NJuLnPjHq03JFBk7FASt7BWkJtcAQPV9Q3x/vw3780KEUoADfmIB
lOnOmzoUoKT6pfxRf4iORnDhbaeApMI5PGbyMRmbzfS4Prh7w7vorG0fhRfydq0G
hYOY0+kvNbbt/hH4XDcO0zeAA4E6w30Yr1DYX2VXkc/RCO/LqvGjZzZW9ZW/kquP
woOWxyLaQ27Hu7RBAgMBAAGjgf0wgfowHQYDVR0OBBYEFGT5cZ2TnPXqdPpshKDx
xit+R5MeMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU9V0/vJiZix/xSOf+R4dx
CaLcukUwJwYDVR0gBCAwHjAMBgoqhkiG90wFAgIBMA4GDCsGAQQBvnkBAgIDATA4
BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNlc25ldC1jYS5jei9DRVNORVRf
Q0FfMy5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wYWtpdGkuZWdpLmV1MA0GCSqGSIb3DQEBBQUA
A4IBAQB7OahKWgwgNn9Nv9fOt/H2L2G1WbwUlmF2xIiFWiXs8MKzshLL5qrlhBfc
KxNe+EptPzfpBOEWYiBPmPq3hXKRxeCg8kjHhijSHDy9rOqZdfTN5Jf4fGqB0SIC
2YVWg9vR7kJha+BnEogZooJhVKpDJjnEKCGST+QHUDfIfB1pk2XqM1dYvgt8Ee8v
cuRMJY1XiE0YKFg9ZLEtlbVLYFUfM877RKaZTVxh2L5bE7pFWAY3n0LJGNpYucr6
6uCgpre94eEW9/MBsDKkrq8d1TDTXrQ0dMlBZtzWFTSNy8oYxUMqTGk5Vj7y88Pp
wAUTiDVs/PjwwQqTz80tUXMe1EC/
-----END CERTIFICATE-----
EOT
EOF
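Whichever way the file was obtained, the url and the certificate in the encrypt block decide where the package list goes and who can read it, so it is worth checking them before the first run. The following is an added example, not part of the original page or of the pakiti-client project; the function names and the sample input are constructed for illustration, and the expected fingerprint must come from a trusted, out-of-band source.

```shell
#!/bin/sh
# Added example: sanity-check a pakiti-client configuration (layout as above).

# Print the value of the url key.
conf_url() {
    sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the host part of the url (scheme, port and path stripped).
conf_host() {
    conf_url "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[:/].*$||'
}

# Print the PEM block stored between "encrypt = <<EOT" and the closing "EOT".
conf_cert() {
    awk '/^[ \t]*encrypt[ \t]*=[ \t]*<<EOT[ \t]*$/ { on = 1; next }
         on && /^EOT[ \t]*$/ { exit }
         on { print }' "$1"
}

# Return 0 only if the file reports to the expected host and embeds exactly
# one complete certificate block.
check_conf() {
    file=$1 want_host=$2
    [ "$(conf_host "$file")" = "$want_host" ] ||
        { echo "unexpected url host: $(conf_host "$file")" >&2; return 1; }
    n=$(conf_cert "$file" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    [ "$n" -eq 1 ] ||
        { echo "expected one certificate, found $n" >&2; return 1; }
    conf_cert "$file" | tail -n 1 | grep -q -- '-----END CERTIFICATE-----' ||
        { echo "certificate block is truncated" >&2; return 1; }
}

# Subject, expiry and SHA-256 fingerprint of the embedded cert (needs openssl).
conf_fingerprint() {
    conf_cert "$1" | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Constructed sample input; the base64 body is a placeholder, not a real cert.
sample_conf() {
    printf '%s\n' '# constructed sample' 'url = http://pakiti.egi.eu:80/feed/' \
        'expect = 200 OK' 'encrypt = <<EOT' '-----BEGIN CERTIFICATE-----' \
        'UExBQ0VIT0xERVI=' '-----END CERTIFICATE-----' 'EOT'
}

# Usage: sh check-conf.sh /etc/egi-package-reporter.conf pakiti.egi.eu
if [ "$#" -eq 2 ]; then
    check_conf "$1" "$2" && conf_fingerprint "$1"
fi
```

Compare the printed fingerprint and expiry date with the values published by the Pakiti server operators before enabling the cron job.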
Running the Pakiti client for EGI
With the package and the configuration in place, the following command runs the pakiti-client and transmits all its data to the EGI CSIRT Pakiti instance:
pakiti-client --site SITE_NAME --conf /etc/egi-package-reporter.conf
Please remember to replace SITE_NAME with your actual site name.
Running the Pakiti client for EGI every day via cron
You can also run pakiti-client as a daily cron job, in order to send us data every day. In that case, please randomize the time of the cron job across your hosts as much as possible. Please also note that the pakiti-client can run as nobody.
You can enable it by running, for example (be sure to reload your cron daemon afterwards):
echo "$(perl -e 'print int(rand(60))') $(perl -e 'print int(rand(24))') * * * nobody /usr/bin/pakiti-client --site SITE_NAME --conf /etc/egi-package-reporter.conf" > /etc/cron.d/pakiti-egi
Please remember to replace SITE_NAME with your actual site name.
Puppet Installation
The simplest way to configure and run the pakiti-client on a cluster is to use Puppet: you just need to create a file and a manifest.
- Create a file named egi-package-reporter.conf in the 'files' folder of your configuration, containing:
#
# pakiti-client configuration file to submit the list of installed
# packages to the EGI Pakiti
#
url = http://pakiti.egi.eu:80/feed/
expect = 200 OK
encrypt = <<EOT
-----BEGIN CERTIFICATE-----
MIIEMTCCAxmgAwIBAgIIMzVxgpqOq7wwDQYJKoZIhvcNAQEFBQAwWTESMBAGCgmS
JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
DAlDRVNORVQgQ0ExFDASBgNVBAMMC0NFU05FVCBDQSAzMB4XDTEzMDkyNTEzMzgy
MVoXDTE0MTAyNTEzMzgyMVowWDESMBAGCgmSJomT8ixkARkWAmN6MRkwFwYKCZIm
iZPyLGQBGRYJY2VzbmV0LWNhMQ8wDQYDVQQKDAZDRVNORVQxFjAUBgNVBAMMDXBh
a2l0aS5lZ2kuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbho74
s32hfdcWfxle02AxWbunSnCaKuqK4S5BFhxHUbBo74LpvLw0VMaaxyQmya3O1TEu
xWKjJlqFS5Evm+t8w/7NyTcbZvnCXmDopxEX9HlDRsVVSH1tQNy79iZpjmQboZhP
ueRQhPsfm5b0NJuLnPjHq03JFBk7FASt7BWkJtcAQPV9Q3x/vw3780KEUoADfmIB
lOnOmzoUoKT6pfxRf4iORnDhbaeApMI5PGbyMRmbzfS4Prh7w7vorG0fhRfydq0G
hYOY0+kvNbbt/hH4XDcO0zeAA4E6w30Yr1DYX2VXkc/RCO/LqvGjZzZW9ZW/kquP
woOWxyLaQ27Hu7RBAgMBAAGjgf0wgfowHQYDVR0OBBYEFGT5cZ2TnPXqdPpshKDx
xit+R5MeMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU9V0/vJiZix/xSOf+R4dx
CaLcukUwJwYDVR0gBCAwHjAMBgoqhkiG90wFAgIBMA4GDCsGAQQBvnkBAgIDATA4
BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNlc25ldC1jYS5jei9DRVNORVRf
Q0FfMy5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wYWtpdGkuZWdpLmV1MA0GCSqGSIb3DQEBBQUA
A4IBAQB7OahKWgwgNn9Nv9fOt/H2L2G1WbwUlmF2xIiFWiXs8MKzshLL5qrlhBfc
KxNe+EptPzfpBOEWYiBPmPq3hXKRxeCg8kjHhijSHDy9rOqZdfTN5Jf4fGqB0SIC
2YVWg9vR7kJha+BnEogZooJhVKpDJjnEKCGST+QHUDfIfB1pk2XqM1dYvgt8Ee8v
cuRMJY1XiE0YKFg9ZLEtlbVLYFUfM877RKaZTVxh2L5bE7pFWAY3n0LJGNpYucr6
6uCgpre94eEW9/MBsDKkrq8d1TDTXrQ0dMlBZtzWFTSNy8oYxUMqTGk5Vj7y88Pp
wAUTiDVs/PjwwQqTz80tUXMe1EC/
-----END CERTIFICATE-----
EOT
- Add to one of your manifests:
package { 'pakiti-client':
  ensure => 'present',
}

file { '/etc/egi-package-reporter.conf':
  mode   => '0644',
  source => 'puppet:///path/to/egi-package-reporter.conf',
}

cron { 'pakiti-egi':
  ensure  => 'present',
  command => 'pakiti-client --conf /etc/egi-package-reporter.conf --site SITE_NAME',
  user    => 'nobody',
  hour    => fqdn_rand(24),
  minute  => fqdn_rand(60),
}
Please remember to replace SITE_NAME with your actual site name, and /path/to/egi-package-reporter.conf with your actual path to egi-package-reporter.conf.