authorSilvio Rhatto <rhatto@riseup.net>2011-06-30 01:48:11 -0300
committerSilvio Rhatto <rhatto@riseup.net>2011-06-30 01:48:11 -0300
commit2b377786f8bf2133019c43df9376e0363093e50d (patch)
tree1e8e0709f78adff0d9b87fa0de79ca50ddd3e97b /files
parent87418479b280ccbbaca808711516dce989cdf36d (diff)
parent1f2a5d682485ea0cbdc9e13d865485face539012 (diff)
downloadpuppet-ekeyd-2b377786f8bf2133019c43df9376e0363093e50d.tar.gz
puppet-ekeyd-2b377786f8bf2133019c43df9376e0363093e50d.tar.bz2
Merge branch 'master' of git://git.puppet.immerda.ch/module-ekeyd
Diffstat (limited to 'files')
-rw-r--r--files/ekeyd.conf89
-rw-r--r--files/ekeyd.conf.daemon90
-rwxr-xr-xfiles/munin/ekeyd_stat_223
3 files changed, 402 insertions, 0 deletions
diff --git a/files/ekeyd.conf b/files/ekeyd.conf
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/files/ekeyd.conf
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/ekeyd.conf.daemon b/files/ekeyd.conf.daemon
new file mode 100644
index 0000000..0b1bcb4
--- /dev/null
+++ b/files/ekeyd.conf.daemon
@@ -0,0 +1,90 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+EGDTCPSocket(8888, "0.0.0.0")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
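Review bot: `EGDTCPSocket(8888, "0.0.0.0")` binds the EGD socket on every interface, whereas the comment just above it documents 127.0.0.1 as the default, and nothing in this file describes any client authentication for the EGD protocol, so the entropy stream becomes reachable from any host that can route to port 8888. If only local consumers are intended, bind to loopback instead: `EGDTCPSocket(8888, "127.0.0.1")`. If remote EGD clients are the point of this daemon variant, a comment saying so and naming the expected network restriction would make the choice deliberate, e.g. `-- Listens on all interfaces on purpose (remote EGD clients); restrict reachability with a host firewall.`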
diff --git a/files/munin/ekeyd_stat_ b/files/munin/ekeyd_stat_
new file mode 100755
index 0000000..43a7c47
--- /dev/null
+++ b/files/munin/ekeyd_stat_
@@ -0,0 +1,223 @@
+#!/usr/bin/perl -w
+#
+# Entropy Key statistic reporting plugin for munin
+#
+# use by soft linking the script to a ekey statistic
+# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_KeyTemperatureC
+# will give a graph of each entropy keys temperature in Celsius
+#
+# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_total_EntropyRate
+# will give a graph of the total entropy rate from all keys in bits per second
+#
+# The plugin.conf.d/munin-node must have a stanza [ekeyd_*] with user root in
+# it as the plugin requires root access to aquire the statistics
+#
+# Copyright 2009 Simtec Electronics
+#
+# For licence terms refer to the COPYING file.
+
+# Magic markers for munin
+#%# family=auto
+#%# capabilities=autoconf suggest
+
+use strict;
+
+use Socket;
+use IO::Handle;
+
+my $control_sock = exists $ENV{controlsocket} ? $ENV{controlsocket} : '/var/run/ekeyd.sock';
+
+# mappings to make output prettier
+my %titles = ("KeyTemperatureC", "Temperature" ,"KeyTemperatureF", "Temperature", "KeyTemperatureK" , "Temperature" , "TotalEntropy", "Entropy Rate", "KeyVoltage", "Supply Voltage", "FipsFrameRate", "Fips Frame Rate", "EntropyRate", "Entropy Rate");
+my %graph_axis = ( "KeyTemperatureC", "Celsius", "KeyTemperatureF", "Fahrenheit", "KeyTemperatureK", "Kelvin" , "EntropyRate", "Bits per second" , "TotalEntropy", "Bytes per second" , "KeyVoltage", "Volts", "ConnectionTime", "Seconds", "FipsFrameRate", "Frames per second");
+my %graph_type = ( "TotalEntropy" , "DERIVE", "BytesRead" , "COUNTER", "BytesWritten" , "COUNTER", "ConnectionPackets" , "COUNTER" );
+my %graph_min = ( "TotalEntropy" , 0 );
+
+sub ekeyd_connect {
+ my ($rendezvous) = @_;
+ my $line;
+ my $sock;
+
+ socket($sock, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!";
+ connect($sock, sockaddr_un($rendezvous)) || die "connect: $!";
+
+ $line = <$sock>;
+ if ((!defined($line)) || ($line ne "PROTOCOL EKEYD/1\n")) {
+ die "Unrecognised EKEYD " . $line;
+ }
+
+ return $sock;
+}
+
+# issues a command to the ekeyd and retrieves the results
+sub ekeyd_command {
+ my ($sock, $command, @params) = @_;
+ my @lines;
+ my $line;
+ my $pnum = scalar @params;
+
+ if ($pnum > 0) {
+ my $pcnt = 0;
+ $command .= "(";
+ while ($pcnt < $pnum) {
+ $command = $command . "\"" . $params[$pcnt] . "\"";
+ $pcnt++;
+ if ($pcnt == $pnum) {
+ $command .= ")";
+ } else {
+ $command .= ",";
+ }
+ }
+ }
+
+ print $sock $command . "\n";
+ $sock->flush;
+
+ push @lines, $line while ((defined($line = <$sock>)) and $line ne "OK\n" and $line !~ "^ERROR.*");
+
+ chomp @lines;
+
+ return @lines;
+}
+
+# discover if plugin can actually be used on this system
+if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) {
+ if ($control_sock and -S $control_sock) {
+ print "yes\n";
+ exit 0;
+ } else {
+ print "no (Control socket $control_sock not found)\n";
+ exit 1;
+ }
+}
+
+# suggest appropriate default links
+if ( defined $ARGV[0] and $ARGV[0] eq "suggest" ) {
+ print "total_TotalEntropy\n";
+ print "KeyTemperatureC\n";
+ exit 0;
+}
+
+# aquire the name of the statistic to monitor.
+$0 =~ /ekeyd_stat_total_(.+)*$/;
+my $statistic = $1;
+my $total_flag = 1;
+if (!defined($statistic)) {
+ $0 =~ /ekeyd_stat_(.+)*$/;
+ $statistic = $1;
+ $total_flag = 0;
+ if (!defined($statistic)) {
+ die "A statistic must be provided";
+ }
+}
+
+# connect to the ekeyd command socket
+my $SOCKET = ekeyd_connect($control_sock);
+
+# find all the entropy keys attached
+my @result = ekeyd_command($SOCKET, "ListEntropyKeys");
+
+# remove header line
+shift @result;
+
+if ( defined $ARGV[0] and $ARGV[0] eq "config" ) {
+
+ # work out graph title
+ my $title;
+ if (defined $titles{$statistic}) {
+ $title = $titles{$statistic};
+ } else {
+ $title = $statistic;
+ }
+
+ if ($total_flag == 1) {
+ if (scalar(@result) < 2) {
+ print "graph_title Entropy Key " . $title . "\n";
+ } else {
+ print "graph_title Entropy Key Combined " . $title . "\n";
+ }
+ } else {
+ print "graph_title Entropy Key " . $title . "\n";
+ }
+
+ # label the axis as apropriate
+ if (defined $graph_axis{$statistic}) {
+ print "graph_vlabel " . $graph_axis{$statistic} . "\n";
+ }
+
+ print "graph_category sensors\n";
+
+ if ($total_flag == 1) {
+ if (scalar(@result) < 2) {
+ print "totstat.label $title\n";
+ } else {
+ print "totstat.label Combined $title for " . scalar(@result) . " Entropy Keys\n";
+ }
+
+ # set the graph type
+ if (defined $graph_type{$statistic}) {
+ print "totstat.type " . $graph_type{$statistic} . "\n";
+ } else {
+ print "totstat.type GAUGE\n";
+ }
+
+ #set the graph minimum
+ if (defined $graph_min{$statistic}) {
+ print "totstat.min " . $graph_min{$statistic} . "\n";
+ }
+ } else {
+ # details for each key
+ foreach my $keyline (@result) {
+ my @elmnt = split(/\t/, $keyline);
+ my $name = $elmnt[5];
+ $name =~ s,/,_,g;
+ print "stats" . $name . ".label " . $elmnt[5] . "\n";
+
+ # set the graph type
+ if (defined $graph_type{$statistic}) {
+ print "stats" . $name . ".type " . $graph_type{$statistic} . "\n";
+ } else {
+ print "stats" . $name . ".type GAUGE\n";
+ }
+
+ #set the graph minimum
+ if (defined $graph_min{$statistic}) {
+ print "stats". $elmnt[5] . ".min " . $graph_min{$statistic} . "\n";
+ }
+ }
+ }
+} else {
+ my $total = 0;
+ foreach my $keyline (@result) {
+
+ # split up the result line
+ my @elmnt = split(/\t/, $keyline);
+
+ # get the status of the entropy key
+ my @stat_res = ekeyd_command($SOCKET, "StatEntropyKey", $elmnt[5]);
+
+ my $tmp;
+ my %key_stats;
+
+ foreach $tmp (@stat_res) {
+ my @keyval = split(/\t/, $tmp);
+ @keyval = split(/=/, $keyval[1]);
+ $key_stats{$keyval[0]} = $keyval[1];
+ }
+ $total += $key_stats{$statistic};
+
+ if ($total_flag == 0) {
+ print "stats" . $elmnt[5] . ".value " . $key_stats{$statistic} . "\n";
+ }
+ }
+ if ($total_flag == 1) {
+ if (scalar(@result) < 1) {
+ $total = "U";
+ }
+ print "totstat.value " . $total . "\n";
+ }
+}
+
+close $SOCKET;
+
+exit 0;
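Review bot: The per-key field name is sanitised with `$name =~ s,/,_,g;` for the `.label` and `.type` lines, but the `.min` line (`print "stats". $elmnt[5] . ".min "`) and the `.value` line in the fetch branch (`print "stats" . $elmnt[5] . ".value "`) use the raw `$elmnt[5]`, so a key identifier containing `/` declares one field in config and reports values under another and that series is never plotted. Use the same sanitised name in both places, e.g. `(my $name = $elmnt[5]) =~ s,/,_,g;` before the value print and `print "stats" . $name . ".min " . $graph_min{$statistic} . "\n";` for the minimum; munin field names are also limited to letters, digits and underscore, so widening the substitution to `s/[^A-Za-z0-9_]/_/g` would cover other characters. Separately, `ekeyd_command` stops reading at an `ERROR` reply but returns whatever it collected without signalling the failure, so a failed `StatEntropyKey` yields an empty `%key_stats`, `$total += undef` and a reported 0 where munin expects `U`; returning the error line or dying there would make that failure visible.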