-rw-r--r-- | files/ekeyd.conf | 89 | ||||
-rw-r--r-- | files/ekeyd.conf.daemon | 90 | ||||
-rwxr-xr-x | files/munin/ekeyd_stat_ | 223 | ||||
-rw-r--r-- | manifests/base.pp | 15 | ||||
-rw-r--r-- | manifests/client.pp | 15 | ||||
-rw-r--r-- | manifests/client/base.pp | 3 | ||||
-rw-r--r-- | manifests/client/centos.pp | 7 | ||||
-rw-r--r-- | manifests/egd.pp | 17 | ||||
-rw-r--r-- | manifests/host/base.pp | 15 | ||||
-rw-r--r-- | manifests/host/centos.pp | 6 | ||||
-rw-r--r-- | manifests/init.pp | 21 | ||||
-rw-r--r-- | manifests/munin.pp | 16 |
12 files changed, 510 insertions, 7 deletions
diff --git a/files/ekeyd.conf b/files/ekeyd.conf
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/files/ekeyd.conf
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/ekeyd.conf.daemon b/files/ekeyd.conf.daemon
new file mode 100644
index 0000000..0b1bcb4
--- /dev/null
+++ b/files/ekeyd.conf.daemon
@@ -0,0 +1,90 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+EGDTCPSocket(8888, "0.0.0.0")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/munin/ekeyd_stat_ b/files/munin/ekeyd_stat_
new file mode 100755
index 0000000..43a7c47
--- /dev/null
+++ b/files/munin/ekeyd_stat_
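Review bot: `EGDTCPSocket(8888, "0.0.0.0")` serves the entropy feed on every interface, while the comment kept directly above it still says the socket defaults to 127.0.0.1; nothing in the EGD exchange authenticates the peer, so every host that can reach TCP 8888 receives a feed that egd-linux clients presumably mix into their kernel pools. Reachability is left to `shorewall::rules::ekeyd`, which init.pp includes only when `$use_shorewall` is set, so a host deployed without shorewall exposes the socket wholesale. Bind to the address the clients actually use, e.g. `EGDTCPSocket(8888, "<host-address>")` filled in from a template rather than a static file, or add a comment stating that the firewall rule is mandatory for this variant; note that the host's own egd-linux (pulled in by ekeyd::host::base) must still be able to reach whichever address is chosen. The files/ekeyd.conf twin keeps kernel output and is unaffected.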
@@ -0,0 +1,223 @@
+#!/usr/bin/perl -w
+#
+# Entropy Key statistic reporting plugin for munin
+#
+# use by soft linking the script to a ekey statistic
+# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_KeyTemperatureC
+# will give a graph of each entropy keys temperature in Celsius
+#
+# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_total_EntropyRate
+# will give a graph of the total entropy rate from all keys in bits per second
+#
+# The plugin.conf.d/munin-node must have a stanza [ekeyd_*] with user root in
+# it as the plugin requires root access to aquire the statistics
+#
+# Copyright 2009 Simtec Electronics
+#
+# For licence terms refer to the COPYING file.
+
+# Magic markers for munin
+#%# family=auto
+#%# capabilities=autoconf suggest
+
+use strict;
+
+use Socket;
+use IO::Handle;
+
+my $control_sock = exists $ENV{controlsocket} ? $ENV{controlsocket} : '/var/run/ekeyd.sock';
+
+# mappings to make output prettier
+my %titles = ("KeyTemperatureC", "Temperature" ,"KeyTemperatureF", "Temperature", "KeyTemperatureK" , "Temperature" , "TotalEntropy", "Entropy Rate", "KeyVoltage", "Supply Voltage", "FipsFrameRate", "Fips Frame Rate", "EntropyRate", "Entropy Rate");
+my %graph_axis = ( "KeyTemperatureC", "Celsius", "KeyTemperatureF", "Fahrenheit", "KeyTemperatureK", "Kelvin" , "EntropyRate", "Bits per second" , "TotalEntropy", "Bytes per second" , "KeyVoltage", "Volts", "ConnectionTime", "Seconds", "FipsFrameRate", "Frames per second");
+my %graph_type = ( "TotalEntropy" , "DERIVE", "BytesRead" , "COUNTER", "BytesWritten" , "COUNTER", "ConnectionPackets" , "COUNTER" );
+my %graph_min = ( "TotalEntropy" , 0 );
+
+sub ekeyd_connect {
+ my ($rendezvous) = @_;
+ my $line;
+ my $sock;
+
+ socket($sock, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!";
+ connect($sock, sockaddr_un($rendezvous)) || die "connect: $!";
+
+ $line = <$sock>;
+ if ((!defined($line)) || ($line ne "PROTOCOL EKEYD/1\n")) {
+ die "Unrecognised EKEYD " . $line;
+ }
+
+ return $sock;
+}
+
+# issues a command to the ekeyd and retrieves the results
+sub ekeyd_command {
+ my ($sock, $command, @params) = @_;
+ my @lines;
+ my $line;
+ my $pnum = scalar @params;
+
+ if ($pnum > 0) {
+ my $pcnt = 0;
+ $command .= "(";
+ while ($pcnt < $pnum) {
+ $command = $command . "\"" . $params[$pcnt] . "\"";
+ $pcnt++;
+ if ($pcnt == $pnum) {
+ $command .= ")";
+ } else {
+ $command .= ",";
+ }
+ }
+ }
+
+ print $sock $command . "\n";
+ $sock->flush;
+
+ push @lines, $line while ((defined($line = <$sock>)) and $line ne "OK\n" and $line !~ "^ERROR.*");
+
+ chomp @lines;
+
+ return @lines;
+}
+
+# discover if plugin can actually be used on this system
+if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) {
+ if ($control_sock and -S $control_sock) {
+ print "yes\n";
+ exit 0;
+ } else {
+ print "no (Control socket $control_sock not found)\n";
+ exit 1;
+ }
+}
+
+# suggest appropriate default links
+if ( defined $ARGV[0] and $ARGV[0] eq "suggest" ) {
+ print "total_TotalEntropy\n";
+ print "KeyTemperatureC\n";
+ exit 0;
+}
+
+# aquire the name of the statistic to monitor.
+$0 =~ /ekeyd_stat_total_(.+)*$/;
+my $statistic = $1;
+my $total_flag = 1;
+if (!defined($statistic)) {
+ $0 =~ /ekeyd_stat_(.+)*$/;
+ $statistic = $1;
+ $total_flag = 0;
+ if (!defined($statistic)) {
+ die "A statistic must be provided";
+ }
+}
+
+# connect to the ekeyd command socket
+my $SOCKET = ekeyd_connect($control_sock);
+
+# find all the entropy keys attached
+my @result = ekeyd_command($SOCKET, "ListEntropyKeys");
+
+# remove header line
+shift @result;
+
+if ( defined $ARGV[0] and $ARGV[0] eq "config" ) {
+
+ # work out graph title
+ my $title;
+ if (defined $titles{$statistic}) {
+ $title = $titles{$statistic};
+ } else {
+ $title = $statistic;
+ }
+
+ if ($total_flag == 1) {
+ if (scalar(@result) < 2) {
+ print "graph_title Entropy Key " . $title . "\n";
+ } else {
+ print "graph_title Entropy Key Combined " . $title . "\n";
+ }
+ } else {
+ print "graph_title Entropy Key " . $title . "\n";
+ }
+
+ # label the axis as apropriate
+ if (defined $graph_axis{$statistic}) {
+ print "graph_vlabel " . $graph_axis{$statistic} . "\n";
+ }
+
+ print "graph_category sensors\n";
+
+ if ($total_flag == 1) {
+ if (scalar(@result) < 2) {
+ print "totstat.label $title\n";
+ } else {
+ print "totstat.label Combined $title for " . scalar(@result) . " Entropy Keys\n";
+ }
+
+ # set the graph type
+ if (defined $graph_type{$statistic}) {
+ print "totstat.type " . $graph_type{$statistic} . "\n";
+ } else {
+ print "totstat.type GAUGE\n";
+ }
+
+ #set the graph minimum
+ if (defined $graph_min{$statistic}) {
+ print "totstat.min " . $graph_min{$statistic} . "\n";
+ }
+ } else {
+ # details for each key
+ foreach my $keyline (@result) {
+ my @elmnt = split(/\t/, $keyline);
+ my $name = $elmnt[5];
+ $name =~ s,/,_,g;
+ print "stats" . $name . ".label " . $elmnt[5] . "\n";
+
+ # set the graph type
+ if (defined $graph_type{$statistic}) {
+ print "stats" . $name . ".type " . $graph_type{$statistic} . "\n";
+ } else {
+ print "stats" . $name . ".type GAUGE\n";
+ }
+
+ #set the graph minimum
+ if (defined $graph_min{$statistic}) {
+ print "stats". $elmnt[5] . ".min " . $graph_min{$statistic} . "\n";
+ }
+ }
+ }
+} else {
+ my $total = 0;
+ foreach my $keyline (@result) {
+
+ # split up the result line
+ my @elmnt = split(/\t/, $keyline);
+
+ # get the status of the entropy key
+ my @stat_res = ekeyd_command($SOCKET, "StatEntropyKey", $elmnt[5]);
+
+ my $tmp;
+ my %key_stats;
+
+ foreach $tmp (@stat_res) {
+ my @keyval = split(/\t/, $tmp);
+ @keyval = split(/=/, $keyval[1]);
+ $key_stats{$keyval[0]} = $keyval[1];
+ }
+ $total += $key_stats{$statistic};
+
+ if ($total_flag == 0) {
+ print "stats" . $elmnt[5] . ".value " . $key_stats{$statistic} . "\n";
+ }
+ }
+ if ($total_flag == 1) {
+ if (scalar(@result) < 1) {
+ $total = "U";
+ }
+ print "totstat.value " . $total . "\n";
+ }
+}
+
+close $SOCKET;
+
+exit 0;
diff --git a/manifests/base.pp b/manifests/base.pp
index e4d572d..34c1cb8 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,15 +4,20 @@ class ekeyd::base { ensure => installed, } + file{'/etc/entropykey/ekeyd.conf': + source => 'puppet:///modules/ekeyd/ekeyd.conf', + require => Package['ekeyd'], + notify => Service['ekeyd'], + owner => root, group => 0, mode => 0644; + } service{'ekeyd': ensure => running, enable => true, - require => Package['ekeyd'], } - exec{'configure_ekey_key': - command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}", - unless => "ekeydctl list | grep -q 'Running OK'", - require => Service['ekeyd'], + exec{'configure_ekeyd_key': + command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekeyd::ekeyd_masterkey}", + unless => "ekeydctl list | grep -q 'Running OK'", + require => Service['ekeyd'], } }
diff --git a/manifests/client.pp b/manifests/client.pp
new file mode 100644
index 0000000..b965015
--- /dev/null
+++ b/manifests/client.pp
@@ -0,0 +1,15 @@
+class ekeyd::client(
+ $ekeyd_host,
+ $shorewall_zones = ['net']
+) {
+ case $operatingsystem {
+ centos: { include ekeyd::client::centos }
+ default: { include ekeyd::client::base }
+ }
+
+ if $use_shorewall {
+ shorewall::rules::out::ekeyd{$shorewall_zones:
+ ekeyd_host => $ekeyd_host,
+ }
+ }
+}
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
new file mode 100644
index 0000000..411b7ee
--- /dev/null
+++ b/manifests/client/base.pp
@@ -0,0 +1,3 @@
+class ekeyd::client::base {
+ include ekeyd::egd
+}
diff --git a/manifests/client/centos.pp b/manifests/client/centos.pp
new file mode 100644
index 0000000..4be46d8
--- /dev/null
+++ b/manifests/client/centos.pp
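Review bot: The munin field names disagree between the config and fetch paths of the per-key branch: `.label` and `.type` are printed with `$name`, in which `/` has been rewritten to `_`, but the `.min` line and the `.value` line in the fetch loop use the raw `$elmnt[5]`, so a device path from ListEntropyKeys yields a field that munin cannot match to its value. Change the min line to `print "stats" . $name . ".min " . $graph_min{$statistic} . "\n";` and derive the same name in the fetch loop, `(my $name = $elmnt[5]) =~ s,/,_,g;`, before `print "stats" . $name . ".value " . $key_stats{$statistic} . "\n";`. Separately, `ekeyd_command` wraps each parameter in double quotes without escaping, and a reply beginning with ERROR ends the read loop with nothing recorded, so a rejected StatEntropyKey silently becomes an undefined value; capturing that line and dying with it would surface failures in munin-node's log instead.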
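Review bot: `${ekeyd::ekeyd_masterkey}` is interpolated into the `command` of `exec{'configure_ekeyd_key'}`, so the master key sits on the ekey-rekey command line, visible to every local user through the process table while it runs, and Puppet echoes the full command into the log and report whenever the exec fails. If ekey-rekey can read the key from standard input or a file, write it to a root-only file (mode 0600) managed by a `file` resource and pass that instead; at minimum the command should not appear in reports. The backtick device lookup also emits one path per attached key, so with two keys plugged in ekey-rekey receives extra positional arguments — hedged, since its argument handling is not visible here.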
@@ -0,0 +1,7 @@
+class ekeyd::client::centos inherits ekeyd::client::base {
+ file{'/etc/sysconfig/egd-linux':
+ content => "DAEMON_HOST=${ekeyd::client::ekeyd_host}\n",
+ notify => Service['egd-linux'],
+ owner => root, group => 0, mode => 0644;
+ }
+}
diff --git a/manifests/egd.pp b/manifests/egd.pp
new file mode 100644
index 0000000..8a7da6f
--- /dev/null
+++ b/manifests/egd.pp
@@ -0,0 +1,17 @@
+class ekeyd::egd {
+ package{'ekeyd-egd-linux':
+ ensure => present,
+ before => Service['egd-linux'],
+ }
+
+ service{'egd-linux':
+ enable => true,
+ ensure => running,
+ }
+
+ if $use_shorewall {
+ Service['egd-linux']{
+ require => Service['shorewall'],
+ }
+ }
+}
diff --git a/manifests/host/base.pp b/manifests/host/base.pp
new file mode 100644
index 0000000..ec8525b
--- /dev/null
+++ b/manifests/host/base.pp
@@ -0,0 +1,15 @@
+class ekeyd::host::base inherits ekeyd::base {
+ sysctl::value{'kernel.random.write_wakeup_threshold':
+ value => 1024
+ }
+
+ File['/etc/entropykey/ekeyd.conf']{
+ source => 'puppet:///modules/ekeyd/ekeyd.conf.daemon',
+ }
+
+ Service['ekeyd']{
+ before => Service['egd-linux'],
+ }
+
+ include ekeyd::egd
+}
diff --git a/manifests/host/centos.pp b/manifests/host/centos.pp
new file mode 100644
index 0000000..d989d55
--- /dev/null
+++ b/manifests/host/centos.pp
@@ -0,0 +1,6 @@
+class ekeyd::host::centos inherits ekeyd::host::base {
+ file{'/etc/sysconfig/egd-linux':
+ ensure => 'absent',
+ notify => Service['egd-linux'],
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index bf0fef7..b3b780d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,9 +1,26 @@ -class ekeyd { +class ekeyd( + $ekeyd_host = false, + $ekeyd_masterkey +){ package { "usbutils": ensure => installed } if $ekeyd_key_present != 'true' { fail("Can't find an ekey key plugged into usb on ${fqdn}") } - if !$ekey_masterkey { fail("You need to define \$ekey_masterkey for ${fqdn}") } include ekeyd::base + + if $ekeyd_host { + case $operatingsystem { + centos: { include ekeyd::host::centos } + default: { include ekeyd::host::base } + } + + if $use_shorewall { + include shorewall::rules::ekeyd + } + } + + if $use_munin { + include ekeyd::munin + } }
diff --git a/manifests/munin.pp b/manifests/munin.pp
new file mode 100644
index 0000000..1ef1d2b
--- /dev/null
+++ b/manifests/munin.pp
@@ -0,0 +1,16 @@
+class ekeyd::munin {
+ munin::plugin::deploy{'ekeyd_stat_':
+ source => "ekeyd/munin/ekeyd_stat_" ,
+ ensure => "absent",
+ }
+ munin::plugin{
+ [ 'ekeyd_stat_total_EntropyRate',
+ 'ekeyd_stat_total_TotalEntropy',
+ 'ekeyd_stat_total_KeyVoltage',
+ 'ekeyd_stat_total_FipsFrameRate',
+ 'ekeyd_stat_KeyTemperatureC' ]:
+ require => Munin::Plugin::Deploy['ekeyd_stat_'],
+ ensure => 'ekeyd_stat_',
+ config => "user root\nenv.controlsocket /var/run/ekeyd.sock",
+ }
+}
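Review bot: Making `$ekeyd_masterkey` a parameter of `class ekeyd` puts the master key into the compiled catalog, which the agent caches on disk and the master may keep in stored reports, in addition to the exec command line in base.pp; a comment on the parameter, `# secret: ends up in the catalog and in exec output, source it from a protected store`, would at least make that explicit to whoever wires it up. `$ekeyd_host = false` here is a boolean selecting the server role (`if $ekeyd_host { ... include ekeyd::host::centos }`), whereas the same name in `class ekeyd::client` is the hostname clients connect to, so a reader moving between the two manifests will assume one meaning; renaming the flag, e.g. `$is_host = false`, or a comment `# true when this node carries the entropy key and serves EGD to clients` removes the ambiguity. Listing the required `$ekeyd_masterkey` before the optional parameter would also match the usual convention.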
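Review bot: `config => "user root\nenv.controlsocket /var/run/ekeyd.sock"` runs all five plugin instances as root solely so they can open the control socket, and the plugin itself performs no authentication step beyond reading the protocol banner, so every munin-node poll carries root plus full daemon control for a read-only statistic. If the socket can be made group-accessible (the shipped config shows `EGDUnixSocket` taking mode and group but no such option on `UnixControlSocket`, so this needs checking against ekeyd), a dedicated group and a matching `user` entry would keep the plugin unprivileged. `ensure => "absent"` on `munin::plugin::deploy{'ekeyd_stat_'}` next to `ensure => 'ekeyd_stat_'` on the links reads as contradictory; a comment saying it deploys the wildcard script without linking it under its bare name — assuming that is the munin module's semantics — would save the next reader a trip into that module.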