EGI CSIRT:Pakiti client

From EGIWiki

The pakiti-client can be used to send package information to pakiti.egi.eu.

If you have the proper credentials in GOC-DB and submit your report with the correct SITE_NAME, you, your NGI-CSIRT and the EGI-CSIRT will be able to monitor the packages installed on your hosts and their potential vulnerabilities. The results can be accessed at https://pakiti.egi.eu.

Running the Pakiti client from CVMFS for EGI

If you have CVMFS installed and configured to mount grid.cern.ch, you can run the Pakiti client directly from it:

/cvmfs/grid.cern.ch/pakiti/bin/pakiti-client --config /cvmfs/grid.cern.ch/pakiti/conf/EGI-CSIRT.conf --site SITE_NAME

Please remember to replace SITE_NAME with your actual site name.


Manual Installation

Installing the Pakiti client

The pakiti client is now available from EPEL. If your machine already has EPEL enabled, the following command is enough to install it:

yum install pakiti-client

Configuring the Pakiti client for EGI

In addition to this package, a configuration file corresponding to the EGI server must be created.

Using wget (unsafe)

You can get the configuration over plain HTTP (thus unsafe, since the download is not authenticated) with the following wget command:

wget http://pakiti.egi.eu/egi-package-reporter.conf -O /etc/egi-package-reporter.conf

Copy/paste

The currently recommended way of getting the configuration is simply to paste the following lines into a shell:

cat <<EOF > /etc/egi-package-reporter.conf
#
# pakiti-client configuration file to submit the list of installed
# packages to the EGI Pakiti
#

url = http://pakiti.egi.eu:80/feed/
expect = 200 OK
encrypt = <<EOT
-----BEGIN CERTIFICATE-----
MIIEMTCCAxmgAwIBAgIIMzVxgpqOq7wwDQYJKoZIhvcNAQEFBQAwWTESMBAGCgmS
JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
DAlDRVNORVQgQ0ExFDASBgNVBAMMC0NFU05FVCBDQSAzMB4XDTEzMDkyNTEzMzgy
MVoXDTE0MTAyNTEzMzgyMVowWDESMBAGCgmSJomT8ixkARkWAmN6MRkwFwYKCZIm
iZPyLGQBGRYJY2VzbmV0LWNhMQ8wDQYDVQQKDAZDRVNORVQxFjAUBgNVBAMMDXBh
a2l0aS5lZ2kuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbho74
s32hfdcWfxle02AxWbunSnCaKuqK4S5BFhxHUbBo74LpvLw0VMaaxyQmya3O1TEu
xWKjJlqFS5Evm+t8w/7NyTcbZvnCXmDopxEX9HlDRsVVSH1tQNy79iZpjmQboZhP
ueRQhPsfm5b0NJuLnPjHq03JFBk7FASt7BWkJtcAQPV9Q3x/vw3780KEUoADfmIB
lOnOmzoUoKT6pfxRf4iORnDhbaeApMI5PGbyMRmbzfS4Prh7w7vorG0fhRfydq0G
hYOY0+kvNbbt/hH4XDcO0zeAA4E6w30Yr1DYX2VXkc/RCO/LqvGjZzZW9ZW/kquP
woOWxyLaQ27Hu7RBAgMBAAGjgf0wgfowHQYDVR0OBBYEFGT5cZ2TnPXqdPpshKDx
xit+R5MeMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU9V0/vJiZix/xSOf+R4dx
CaLcukUwJwYDVR0gBCAwHjAMBgoqhkiG90wFAgIBMA4GDCsGAQQBvnkBAgIDATA4
BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNlc25ldC1jYS5jei9DRVNORVRf
Q0FfMy5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wYWtpdGkuZWdpLmV1MA0GCSqGSIb3DQEBBQUA
A4IBAQB7OahKWgwgNn9Nv9fOt/H2L2G1WbwUlmF2xIiFWiXs8MKzshLL5qrlhBfc
KxNe+EptPzfpBOEWYiBPmPq3hXKRxeCg8kjHhijSHDy9rOqZdfTN5Jf4fGqB0SIC
2YVWg9vR7kJha+BnEogZooJhVKpDJjnEKCGST+QHUDfIfB1pk2XqM1dYvgt8Ee8v
cuRMJY1XiE0YKFg9ZLEtlbVLYFUfM877RKaZTVxh2L5bE7pFWAY3n0LJGNpYucr6
6uCgpre94eEW9/MBsDKkrq8d1TDTXrQ0dMlBZtzWFTSNy8oYxUMqTGk5Vj7y88Pp
wAUTiDVs/PjwwQqTz80tUXMe1EC/
-----END CERTIFICATE-----
EOT
EOF
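
An added example, not part of the original page or of pakiti-client: however the file was obtained, its `url` and the certificate under `encrypt` can be checked before it is installed. The function names are hypothetical, and the pinned SHA-256 fingerprint is assumed to have been obtained from the EGI CSIRT over a trusted channel.

```shell
#!/bin/sh
# Added example (not part of pakiti-client): check a downloaded
# egi-package-reporter.conf before installing it.

# Print the PEM certificate held in the "encrypt = <<EOT ... EOT" block.
extract_encrypt_cert() {
    awk '
        /^encrypt[ \t]*=[ \t]*<<EOT[ \t]*$/ { inblock = 1; next }
        inblock && /^EOT[ \t]*$/            { inblock = 0; next }
        inblock                             { print }
    ' "$1"
}

# Print the value of the first "url = ..." line.
config_url() {
    sed -n 's/^url[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the SHA-256 fingerprint of the embedded certificate (needs openssl).
cert_fingerprint() {
    extract_encrypt_cert "$1" |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# verify_config FILE EXPECTED_URL PINNED_FINGERPRINT
# Returns 0 only if the url matches and the certificate matches the pin.
verify_config() {
    conf=$1 want_url=$2 pin=$3
    url=$(config_url "$conf")
    if [ "$url" != "$want_url" ]; then
        echo "unexpected url: '$url'" >&2; return 1
    fi
    if [ -z "$(extract_encrypt_cert "$conf")" ]; then
        echo "no encryption certificate in $conf" >&2; return 1
    fi
    fp=$(cert_fingerprint "$conf")
    if [ -z "$fp" ] || [ "$fp" != "$pin" ]; then
        echo "certificate fingerprint mismatch: '$fp'" >&2; return 1
    fi
}

# Usage (PINNED_FP is a placeholder for the value obtained out of band):
#   verify_config ./egi-package-reporter.conf \
#       'http://pakiti.egi.eu:80/feed/' "$PINNED_FP" &&
#       install -m 0644 ./egi-package-reporter.conf /etc/
```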


Running the Pakiti client for EGI

With the package and the configuration in place, the following command will run the pakiti-client and transmit all its data to the EGI CSIRT pakiti instance:

pakiti-client --site SITE_NAME --conf /etc/egi-package-reporter.conf

Please remember to replace SITE_NAME with your actual site name.

Running the Pakiti client for EGI every day via cron

You can also run pakiti-client as a daily cron job, in order to send us data every day. In that case, please randomize the time of the cron job across your hosts as much as possible. Please also note that the pakiti-client can run as nobody.

You can enable it by running, for example (be sure to reload your cron daemon afterwards):

echo "$(perl -e 'print int(rand(60))') $(perl -e 'print int(rand(24))') * * * nobody /usr/bin/pakiti-client --site SITE_NAME --conf /etc/egi-package-reporter.conf" > /etc/cron.d/pakiti-egi

Please remember to replace SITE_NAME with your actual site name.


Puppet Installation

The simplest way to configure and run the pakiti-client on a cluster is to use Puppet: you just need to create a file and a manifest.

  • Create a file named egi-package-reporter.conf in the 'files' folder of your configuration containing:
#
# pakiti-client configuration file to submit the list of installed
# packages to the EGI Pakiti
#

url = http://pakiti.egi.eu:80/feed/
expect = 200 OK
encrypt = <<EOT
-----BEGIN CERTIFICATE-----
MIIEMTCCAxmgAwIBAgIIMzVxgpqOq7wwDQYJKoZIhvcNAQEFBQAwWTESMBAGCgmS
JomT8ixkARkWAmN6MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQK
DAlDRVNORVQgQ0ExFDASBgNVBAMMC0NFU05FVCBDQSAzMB4XDTEzMDkyNTEzMzgy
MVoXDTE0MTAyNTEzMzgyMVowWDESMBAGCgmSJomT8ixkARkWAmN6MRkwFwYKCZIm
iZPyLGQBGRYJY2VzbmV0LWNhMQ8wDQYDVQQKDAZDRVNORVQxFjAUBgNVBAMMDXBh
a2l0aS5lZ2kuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbho74
s32hfdcWfxle02AxWbunSnCaKuqK4S5BFhxHUbBo74LpvLw0VMaaxyQmya3O1TEu
xWKjJlqFS5Evm+t8w/7NyTcbZvnCXmDopxEX9HlDRsVVSH1tQNy79iZpjmQboZhP
ueRQhPsfm5b0NJuLnPjHq03JFBk7FASt7BWkJtcAQPV9Q3x/vw3780KEUoADfmIB
lOnOmzoUoKT6pfxRf4iORnDhbaeApMI5PGbyMRmbzfS4Prh7w7vorG0fhRfydq0G
hYOY0+kvNbbt/hH4XDcO0zeAA4E6w30Yr1DYX2VXkc/RCO/LqvGjZzZW9ZW/kquP
woOWxyLaQ27Hu7RBAgMBAAGjgf0wgfowHQYDVR0OBBYEFGT5cZ2TnPXqdPpshKDx
xit+R5MeMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU9V0/vJiZix/xSOf+R4dx
CaLcukUwJwYDVR0gBCAwHjAMBgoqhkiG90wFAgIBMA4GDCsGAQQBvnkBAgIDATA4
BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmNlc25ldC1jYS5jei9DRVNORVRf
Q0FfMy5jcmwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wYWtpdGkuZWdpLmV1MA0GCSqGSIb3DQEBBQUA
A4IBAQB7OahKWgwgNn9Nv9fOt/H2L2G1WbwUlmF2xIiFWiXs8MKzshLL5qrlhBfc
KxNe+EptPzfpBOEWYiBPmPq3hXKRxeCg8kjHhijSHDy9rOqZdfTN5Jf4fGqB0SIC
2YVWg9vR7kJha+BnEogZooJhVKpDJjnEKCGST+QHUDfIfB1pk2XqM1dYvgt8Ee8v
cuRMJY1XiE0YKFg9ZLEtlbVLYFUfM877RKaZTVxh2L5bE7pFWAY3n0LJGNpYucr6
6uCgpre94eEW9/MBsDKkrq8d1TDTXrQ0dMlBZtzWFTSNy8oYxUMqTGk5Vj7y88Pp
wAUTiDVs/PjwwQqTz80tUXMe1EC/
-----END CERTIFICATE-----
EOT
  • Add to one of your manifests:
package { 'pakiti-client':
  ensure => 'present',
}
file { '/etc/egi-package-reporter.conf':
  mode   => '0644',
  source => 'puppet:///path/to/egi-package-reporter.conf',
}
cron { 'pakiti-egi':
  ensure  => 'present',
  command => 'pakiti-client --conf /etc/egi-package-reporter.conf --site SITE_NAME',
  user    => 'nobody',
  hour    => fqdn_rand(24),
  minute  => fqdn_rand(60),
}

Please remember to replace SITE_NAME with your actual site name, and /path/to/egi-package-reporter.conf with the actual path to your egi-package-reporter.conf.