From e7a1d738c9c95ff059fbaeff107d91a2e1742f8e Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 1 Mar 2011 21:56:22 +0100
Subject: add egd-management
We can now run hosts with a key in the host mode, so it will provide entropy to other hosts. Furthermore we can define clients that will collect entropy from such a host.
---
files/ekeyd.conf | 89 ++++++++++++++++++++++++++++++++++++++++++++++++
files/ekeyd.conf.daemon | 90 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 179 insertions(+)
create mode 100644 files/ekeyd.conf
create mode 100644 files/ekeyd.conf.daemon
(limited to 'files')
diff --git a/files/ekeyd.conf b/files/ekeyd.conf
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/files/ekeyd.conf
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/ekeyd.conf.daemon b/files/ekeyd.conf.daemon
new file mode 100644
index 0000000..0b1bcb4
--- /dev/null
+++ b/files/ekeyd.conf.daemon
@@ -0,0 +1,90 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+EGDTCPSocket(8888, "0.0.0.0")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
-- cgit v1.2.3
From 9ab5f4e33884d59c1edcda28e305318f701ddcff Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 1 Mar 2011 23:02:20 +0100
Subject: add munin plugins
---
files/munin/ekeyd_stat_ | 223 ++++++++++++++++++++++++++++++++++++++++++++++++
manifests/init.pp | 4 +
manifests/munin.pp | 16 ++++
3 files changed, 243 insertions(+)
create mode 100755 files/munin/ekeyd_stat_
create mode 100644 manifests/munin.pp
(limited to 'files')
diff --git a/files/munin/ekeyd_stat_ b/files/munin/ekeyd_stat_
new file mode 100755
index 0000000..43a7c47
--- /dev/null
+++ b/files/munin/ekeyd_stat_
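Review bot: `EGDTCPSocket(8888, "0.0.0.0")` binds the EGD entropy service to every interface, and the EGD protocol has no authentication of its own, so any host that can reach port 8888 can draw entropy from the key — depleting what local consumers and the intended client hosts receive — and see the bytes handed out. Bind to the address of the interface the client hosts actually use, `EGDTCPSocket(8888, "<server-address>")`, and if the intent is to rely on the `shorewall::rules::ekeyd` include visible in manifests/init.pp to restrict access, record that next to the line, e.g. `-- listens on all interfaces; reachability is limited by shorewall::rules::ekeyd`. The entropy also travels in clear text, so client hosts should mix it into their pool alongside local sources rather than treat it as their only source; the client-side configuration is not part of this diff.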
@@ -0,0 +1,223 @@ +#!/usr/bin/perl -w +# +# Entropy Key statistic reporting plugin for munin +# +# use by soft linking the script to a ekey statistic +# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_KeyTemperatureC +# will give a graph of each entropy keys temperature in Celsius +# +# for example ln -s /usr/share/munin/ekeyd_stat_ ekeyd_stat_total_EntropyRate +# will give a graph of the total entropy rate from all keys in bits per second +# +# The plugin.conf.d/munin-node must have a stanza [ekeyd_*] with user root in +# it as the plugin requires root access to aquire the statistics +# +# Copyright 2009 Simtec Electronics +# +# For licence terms refer to the COPYING file. + +# Magic markers for munin +#%# family=auto +#%# capabilities=autoconf suggest + +use strict; + +use Socket; +use IO::Handle; + +my $control_sock = exists $ENV{controlsocket} ? $ENV{controlsocket} : '/var/run/ekeyd.sock'; + +# mappings to make output prettier +my %titles = ("KeyTemperatureC", "Temperature" ,"KeyTemperatureF", "Temperature", "KeyTemperatureK" , "Temperature" , "TotalEntropy", "Entropy Rate", "KeyVoltage", "Supply Voltage", "FipsFrameRate", "Fips Frame Rate", "EntropyRate", "Entropy Rate"); +my %graph_axis = ( "KeyTemperatureC", "Celsius", "KeyTemperatureF", "Fahrenheit", "KeyTemperatureK", "Kelvin" , "EntropyRate", "Bits per second" , "TotalEntropy", "Bytes per second" , "KeyVoltage", "Volts", "ConnectionTime", "Seconds", "FipsFrameRate", "Frames per second"); +my %graph_type = ( "TotalEntropy" , "DERIVE", "BytesRead" , "COUNTER", "BytesWritten" , "COUNTER", "ConnectionPackets" , "COUNTER" ); +my %graph_min = ( "TotalEntropy" , 0 ); + +sub ekeyd_connect { + my ($rendezvous) = @_; + my $line; + my $sock; + + socket($sock, PF_UNIX, SOCK_STREAM, 0) || die "socket: $!"; + connect($sock, sockaddr_un($rendezvous)) || die "connect: $!"; + + $line = <$sock>; + if ((!defined($line)) || ($line ne "PROTOCOL EKEYD/1\n")) { + die "Unrecognised EKEYD " . 
$line; + } + + return $sock; +} + +# issues a command to the ekeyd and retrieves the results +sub ekeyd_command { + my ($sock, $command, @params) = @_; + my @lines; + my $line; + my $pnum = scalar @params; + + if ($pnum > 0) { + my $pcnt = 0; + $command .= "("; + while ($pcnt < $pnum) { + $command = $command . "\"" . $params[$pcnt] . "\""; + $pcnt++; + if ($pcnt == $pnum) { + $command .= ")"; + } else { + $command .= ","; + } + } + } + + print $sock $command . "\n"; + $sock->flush; + + push @lines, $line while ((defined($line = <$sock>)) and $line ne "OK\n" and $line !~ "^ERROR.*"); + + chomp @lines; + + return @lines; +} + +# discover if plugin can actually be used on this system +if ( defined $ARGV[0] and $ARGV[0] eq "autoconf" ) { + if ($control_sock and -S $control_sock) { + print "yes\n"; + exit 0; + } else { + print "no (Control socket $control_sock not found)\n"; + exit 1; + } +} + +# suggest appropriate default links +if ( defined $ARGV[0] and $ARGV[0] eq "suggest" ) { + print "total_TotalEntropy\n"; + print "KeyTemperatureC\n"; + exit 0; +} + +# aquire the name of the statistic to monitor. +$0 =~ /ekeyd_stat_total_(.+)*$/; +my $statistic = $1; +my $total_flag = 1; +if (!defined($statistic)) { + $0 =~ /ekeyd_stat_(.+)*$/; + $statistic = $1; + $total_flag = 0; + if (!defined($statistic)) { + die "A statistic must be provided"; + } +} + +# connect to the ekeyd command socket +my $SOCKET = ekeyd_connect($control_sock); + +# find all the entropy keys attached +my @result = ekeyd_command($SOCKET, "ListEntropyKeys"); + +# remove header line +shift @result; + +if ( defined $ARGV[0] and $ARGV[0] eq "config" ) { + + # work out graph title + my $title; + if (defined $titles{$statistic}) { + $title = $titles{$statistic}; + } else { + $title = $statistic; + } + + if ($total_flag == 1) { + if (scalar(@result) < 2) { + print "graph_title Entropy Key " . $title . "\n"; + } else { + print "graph_title Entropy Key Combined " . $title . 
"\n"; + } + } else { + print "graph_title Entropy Key " . $title . "\n"; + } + + # label the axis as apropriate + if (defined $graph_axis{$statistic}) { + print "graph_vlabel " . $graph_axis{$statistic} . "\n"; + } + + print "graph_category sensors\n"; + + if ($total_flag == 1) { + if (scalar(@result) < 2) { + print "totstat.label $title\n"; + } else { + print "totstat.label Combined $title for " . scalar(@result) . " Entropy Keys\n"; + } + + # set the graph type + if (defined $graph_type{$statistic}) { + print "totstat.type " . $graph_type{$statistic} . "\n"; + } else { + print "totstat.type GAUGE\n"; + } + + #set the graph minimum + if (defined $graph_min{$statistic}) { + print "totstat.min " . $graph_min{$statistic} . "\n"; + } + } else { + # details for each key + foreach my $keyline (@result) { + my @elmnt = split(/\t/, $keyline); + my $name = $elmnt[5]; + $name =~ s,/,_,g; + print "stats" . $name . ".label " . $elmnt[5] . "\n"; + + # set the graph type + if (defined $graph_type{$statistic}) { + print "stats" . $name . ".type " . $graph_type{$statistic} . "\n"; + } else { + print "stats" . $name . ".type GAUGE\n"; + } + + #set the graph minimum + if (defined $graph_min{$statistic}) { + print "stats". $elmnt[5] . ".min " . $graph_min{$statistic} . "\n"; + } + } + } +} else { + my $total = 0; + foreach my $keyline (@result) { + + # split up the result line + my @elmnt = split(/\t/, $keyline); + + # get the status of the entropy key + my @stat_res = ekeyd_command($SOCKET, "StatEntropyKey", $elmnt[5]); + + my $tmp; + my %key_stats; + + foreach $tmp (@stat_res) { + my @keyval = split(/\t/, $tmp); + @keyval = split(/=/, $keyval[1]); + $key_stats{$keyval[0]} = $keyval[1]; + } + $total += $key_stats{$statistic}; + + if ($total_flag == 0) { + print "stats" . $elmnt[5] . ".value " . $key_stats{$statistic} . "\n"; + } + } + if ($total_flag == 1) { + if (scalar(@result) < 1) { + $total = "U"; + } + print "totstat.value " . $total . 
"\n"; + } +} + +close $SOCKET; + +exit 0; diff --git a/manifests/init.pp b/manifests/init.pp index 036ff82..204d877 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,4 +17,8 @@ class ekeyd( include shorewall::rules::ekeyd } } + + if $use_munin { + include ekeyd::munin + } } diff --git a/manifests/munin.pp b/manifests/munin.pp new file mode 100644 index 0000000..c2566f3 --- /dev/null +++ b/manifests/munin.pp @@ -0,0 +1,16 @@ +class ekeyd::munin { + munin::plugin::deploy{'ekeyd_stat_': + source => "ekeyd/munin/ekeyd_stat_" , + ensure => "absent", + } + munin::plugin{ + [ 'ekeyd_stat_total_EntropyRate', + 'ekeyd_stat_total_TotalEntropy', + 'ekeyd_stat_total_KeyVoltage', + 'ekeyd_stat_total_FipsFrameRate', + 'ekeyd_stat_KeyTemperatureC' ]: + require => Munin::Plugin::Deploy['ekeyd_stat_'], + ensure => 'ekeyd_stat_', + config => "'user root\nenv.controlsocket /var/run/ekeyd.sock", + } +} -- cgit v1.2.3