summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--files/ekeyd.conf89
-rw-r--r--files/ekeyd.conf.daemon90
-rwxr-xr-xfiles/munin/ekeyd_stat_223
-rw-r--r--manifests/base.pp15
-rw-r--r--manifests/client.pp15
-rw-r--r--manifests/client/base.pp3
-rw-r--r--manifests/client/centos.pp7
-rw-r--r--manifests/egd.pp17
-rw-r--r--manifests/host/base.pp15
-rw-r--r--manifests/host/centos.pp6
-rw-r--r--manifests/init.pp21
-rw-r--r--manifests/munin.pp16
12 files changed, 510 insertions, 7 deletions
diff --git a/files/ekeyd.conf b/files/ekeyd.conf
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/files/ekeyd.conf
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/ekeyd.conf.daemon b/files/ekeyd.conf.daemon
new file mode 100644
index 0000000..0b1bcb4
--- /dev/null
+++ b/files/ekeyd.conf.daemon
@@ -0,0 +1,90 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+EGDTCPSocket(8888, "0.0.0.0")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/munin/ekeyd_stat_ b/files/munin/ekeyd_stat_
new file mode 100755
index 0000000..43a7c47
--- /dev/null
+++ b/files/munin/ekeyd_stat_
@@ -0,0 +1,223 @@
+#!/usr/bin/perl -w
+#
+# Entropy Key statistic reporting plugin for munin
+#
+# use by soft linking the script to a ekey statistic
+# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_KeyTemperatureC
+# will give a graph of each entropy keys temperature in Celsius
+#
+# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_total_EntropyRate
+# will give a graph of the total entropy rate from all keys in bits per second
+#
+# The plugin.conf.d/munin-node must have a stanza [ekeyd_*] with user root in
+# it as the plugin requires root access to aquire the statistics
+#
+# Copyright 2009 Simtec Electronics
+#
+# For licence terms refer to the COPYING file.
+
+# Magic markers for munin
+#%# family=auto
+#%# capabilities=autoconf suggest
+
+use strict;
+
+use Socket;
+use IO::Handle;
+
+my $control_sock = exists $ENV{controlsocket} ? $ENV{controlsocket} : '/var/run/ekeyd.sock';
+
+# mappings to make output prettier
+my %titles = ("KeyTemperatureC", "Temperature" ,"KeyTemperatureF", "Temperature", "KeyTemperatureK" , "Temperature" , "TotalEntropy", "Entropy Rate", "KeyVoltage", "Supply Voltage", "FipsFrameRate", "Fips Frame Rate", "EntropyRate", "Entropy Rate");
+my %graph_axis = ( "KeyTemperatureC", "Celsius", "KeyTemperatureF", "Fahrenheit", "KeyTemperatureK", "Kelvin" , "EntropyRate", "Bits per second" , "TotalEntropy", "Bytes per second" , "KeyVoltage", "Volts", "ConnectionTime", "Seconds", "FipsFrameRate", "Frames per second");
+my %graph_type = ( "TotalEntropy" , "DERIVE", "BytesRead" , "COUNTER", "BytesWritten" , "COUNTER", "ConnectionPackets" , "COUNTER" );
+my %graph_min = ( "TotalEntropy" , 0 );
+
+sub ekeyd_connect {
+ my ($rendezvous) = @_;
+ my $line;
+ my $sock;
+
+ socket($sock, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!";
+ connect($sock, sockaddr_un($rendezvous)) || die "connect: $!";
+
+ $line = <$sock>;
+ if ((!defined($line)) || ($line ne "PROTOCOL EKEYD/1\n")) {
+ die "Unrecognised EKEYD " . $line;
+ }
+
+ return $sock;
+}
+
+# issues a command to the ekeyd and retrieves the results
+sub ekeyd_command {
+ my ($sock, $command, @params) = @_;
+ my @lines;
+ my $line;
+ my $pnum = scalar @params;
+
+ if ($pnum > 0) {
+ my $pcnt = 0;
+ $command .= "(";
+ while ($pcnt < $pnum) {
+ $command = $command . "\"" . $params[$pcnt] . "\"";
+ $pcnt++;
+ if ($pcnt == $pnum) {
+ $command .= ")";
+ } else {
+ $command .= ",";
+ }
+ }
+ }
+
+ print $sock $command . "\n";
+ $sock->flush;
+
+ push @lines, $line while ((defined($line = <$sock>)) and $line ne "OK\n" and $line !~ "^ERROR.*");
+
+ chomp @lines;
+
+ return @lines;
+}
+
+# discover if plugin can actually be used on this system
+if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) {
+ if ($control_sock and -S $control_sock) {
+ print "yes\n";
+ exit 0;
+ } else {
+ print "no (Control socket $control_sock not found)\n";
+ exit 1;
+ }
+}
+
+# suggest appropriate default links
+if ( defined $ARGV[0] and $ARGV[0] eq "suggest" ) {
+ print "total_TotalEntropy\n";
+ print "KeyTemperatureC\n";
+ exit 0;
+}
+
+# aquire the name of the statistic to monitor.
+$0 =~ /ekeyd_stat_total_(.+)*$/;
+my $statistic = $1;
+my $total_flag = 1;
+if (!defined($statistic)) {
+ $0 =~ /ekeyd_stat_(.+)*$/;
+ $statistic = $1;
+ $total_flag = 0;
+ if (!defined($statistic)) {
+ die "A statistic must be provided";
+ }
+}
+
+# connect to the ekeyd command socket
+my $SOCKET = ekeyd_connect($control_sock);
+
+# find all the entropy keys attached
+my @result = ekeyd_command($SOCKET, "ListEntropyKeys");
+
+# remove header line
+shift @result;
+
+if ( defined $ARGV[0] and $ARGV[0] eq "config" ) {
+
+ # work out graph title
+ my $title;
+ if (defined $titles{$statistic}) {
+ $title = $titles{$statistic};
+ } else {
+ $title = $statistic;
+ }
+
+ if ($total_flag == 1) {
+ if (scalar(@result) < 2) {
+ print "graph_title Entropy Key " . $title . "\n";
+ } else {
+ print "graph_title Entropy Key Combined " . $title . "\n";
+ }
+ } else {
+ print "graph_title Entropy Key " . $title . "\n";
+ }
+
+ # label the axis as apropriate
+ if (defined $graph_axis{$statistic}) {
+ print "graph_vlabel " . $graph_axis{$statistic} . "\n";
+ }
+
+ print "graph_category sensors\n";
+
+ if ($total_flag == 1) {
+ if (scalar(@result) < 2) {
+ print "totstat.label $title\n";
+ } else {
+ print "totstat.label Combined $title for " . scalar(@result) . " Entropy Keys\n";
+ }
+
+ # set the graph type
+ if (defined $graph_type{$statistic}) {
+ print "totstat.type " . $graph_type{$statistic} . "\n";
+ } else {
+ print "totstat.type GAUGE\n";
+ }
+
+ #set the graph minimum
+ if (defined $graph_min{$statistic}) {
+ print "totstat.min " . $graph_min{$statistic} . "\n";
+ }
+ } else {
+ # details for each key
+ foreach my $keyline (@result) {
+ my @elmnt = split(/\t/, $keyline);
+ my $name = $elmnt[5];
+ $name =~ s,/,_,g;
+ print "stats" . $name . ".label " . $elmnt[5] . "\n";
+
+ # set the graph type
+ if (defined $graph_type{$statistic}) {
+ print "stats" . $name . ".type " . $graph_type{$statistic} . "\n";
+ } else {
+ print "stats" . $name . ".type GAUGE\n";
+ }
+
+ #set the graph minimum
+ if (defined $graph_min{$statistic}) {
+ print "stats". $elmnt[5] . ".min " . $graph_min{$statistic} . "\n";
+ }
+ }
+ }
+} else {
+ my $total = 0;
+ foreach my $keyline (@result) {
+
+ # split up the result line
+ my @elmnt = split(/\t/, $keyline);
+
+ # get the status of the entropy key
+ my @stat_res = ekeyd_command($SOCKET, "StatEntropyKey", $elmnt[5]);
+
+ my $tmp;
+ my %key_stats;
+
+ foreach $tmp (@stat_res) {
+ my @keyval = split(/\t/, $tmp);
+ @keyval = split(/=/, $keyval[1]);
+ $key_stats{$keyval[0]} = $keyval[1];
+ }
+ $total += $key_stats{$statistic};
+
+ if ($total_flag == 0) {
+ print "stats" . $elmnt[5] . ".value " . $key_stats{$statistic} . "\n";
+ }
+ }
+ if ($total_flag == 1) {
+ if (scalar(@result) < 1) {
+ $total = "U";
+ }
+ print "totstat.value " . $total . "\n";
+ }
+}
+
+close $SOCKET;
+
+exit 0;
diff --git a/manifests/base.pp b/manifests/base.pp
index e4d572d..34c1cb8 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,15 +4,20 @@ class ekeyd::base {
ensure => installed,
}
+ file{'/etc/entropykey/ekeyd.conf':
+ source => 'puppet:///modules/ekeyd/ekeyd.conf',
+ require => Package['ekeyd'],
+ notify => Service['ekeyd'],
+ owner => root, group => 0, mode => 0644;
+ }
service{'ekeyd':
ensure => running,
enable => true,
- require => Package['ekeyd'],
}
- exec{'configure_ekey_key':
- command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}",
- unless => "ekeydctl list | grep -q 'Running OK'",
- require => Service['ekeyd'],
+ exec{'configure_ekeyd_key':
+ command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekeyd::ekeyd_masterkey}",
+ unless => "ekeydctl list | grep -q 'Running OK'",
+ require => Service['ekeyd'],
}
}
diff --git a/manifests/client.pp b/manifests/client.pp
new file mode 100644
index 0000000..b965015
--- /dev/null
+++ b/manifests/client.pp
@@ -0,0 +1,15 @@
+class ekeyd::client(
+ $ekeyd_host,
+ $shorewall_zones = ['net']
+) {
+ case $operatingsystem {
+ centos: { include ekeyd::client::centos }
+ default: { include ekeyd::client::base }
+ }
+
+ if $use_shorewall {
+ shorewall::rules::out::ekeyd{$shorewall_zones:
+ ekeyd_host => $ekeyd_host,
+ }
+ }
+}
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
new file mode 100644
index 0000000..411b7ee
--- /dev/null
+++ b/manifests/client/base.pp
@@ -0,0 +1,3 @@
+class ekeyd::client::base {
+ include ekeyd::egd
+}
diff --git a/manifests/client/centos.pp b/manifests/client/centos.pp
new file mode 100644
index 0000000..4be46d8
--- /dev/null
+++ b/manifests/client/centos.pp
@@ -0,0 +1,7 @@
+class ekeyd::client::centos inherits ekeyd::client::base {
+ file{'/etc/sysconfig/egd-linux':
+ content => "DAEMON_HOST=${ekeyd::client::ekeyd_host}\n",
+ notify => Service['egd-linux'],
+ owner => root, group => 0, mode => 0644;
+ }
+}
diff --git a/manifests/egd.pp b/manifests/egd.pp
new file mode 100644
index 0000000..8a7da6f
--- /dev/null
+++ b/manifests/egd.pp
@@ -0,0 +1,17 @@
+class ekeyd::egd {
+ package{'ekeyd-egd-linux':
+ ensure => present,
+ before => Service['egd-linux'],
+ }
+
+ service{'egd-linux':
+ enable => true,
+ ensure => running,
+ }
+
+ if $use_shorewall {
+ Service['egd-linux']{
+ require => Service['shorewall'],
+ }
+ }
+}
diff --git a/manifests/host/base.pp b/manifests/host/base.pp
new file mode 100644
index 0000000..ec8525b
--- /dev/null
+++ b/manifests/host/base.pp
@@ -0,0 +1,15 @@
+class ekeyd::host::base inherits ekeyd::base {
+ sysctl::value{'kernel.random.write_wakeup_threshold':
+ value => 1024
+ }
+
+ File['/etc/entropykey/ekeyd.conf']{
+ source => 'puppet:///modules/ekeyd/ekeyd.conf.daemon',
+ }
+
+ Service['ekeyd']{
+ before => Service['egd-linux'],
+ }
+
+ include ekeyd::egd
+}
diff --git a/manifests/host/centos.pp b/manifests/host/centos.pp
new file mode 100644
index 0000000..d989d55
--- /dev/null
+++ b/manifests/host/centos.pp
@@ -0,0 +1,6 @@
+class ekeyd::host::centos inherits ekeyd::host::base {
+ file{'/etc/sysconfig/egd-linux':
+ ensure => 'absent',
+ notify => Service['egd-linux'],
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index bf0fef7..b3b780d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,9 +1,26 @@
-class ekeyd {
+class ekeyd(
+ $ekeyd_host = false,
+ $ekeyd_masterkey
+){
package { "usbutils": ensure => installed }
if $ekeyd_key_present != 'true' { fail("Can't find an ekey key plugged into usb on ${fqdn}") }
- if !$ekey_masterkey { fail("You need to define \$ekey_masterkey for ${fqdn}") }
include ekeyd::base
+
+ if $ekeyd_host {
+ case $operatingsystem {
+ centos: { include ekeyd::host::centos }
+ default: { include ekeyd::host::base }
+ }
+
+ if $use_shorewall {
+ include shorewall::rules::ekeyd
+ }
+ }
+
+ if $use_munin {
+ include ekeyd::munin
+ }
}
diff --git a/manifests/munin.pp b/manifests/munin.pp
new file mode 100644
index 0000000..1ef1d2b
--- /dev/null
+++ b/manifests/munin.pp
@@ -0,0 +1,16 @@
+class ekeyd::munin {
+ munin::plugin::deploy{'ekeyd_stat_':
+ source => "ekeyd/munin/ekeyd_stat_" ,
+ ensure => "absent",
+ }
+ munin::plugin{
+ [ 'ekeyd_stat_total_EntropyRate',
+ 'ekeyd_stat_total_TotalEntropy',
+ 'ekeyd_stat_total_KeyVoltage',
+ 'ekeyd_stat_total_FipsFrameRate',
+ 'ekeyd_stat_KeyTemperatureC' ]:
+ require => Munin::Plugin::Deploy['ekeyd_stat_'],
+ ensure => 'ekeyd_stat_',
+ config => "user root\nenv.controlsocket /var/run/ekeyd.sock",
+ }
+}