Systems - Issue (OTRS)
Basics
Purpose
The purpose of the issue server is to serve the issue tracking system, implemented with OTRS (http://www.otrs.org/), used by Triage and Support for handling requests sent to the support@cacert.org mail address. Use by other teams, e.g. Arbitration (currently occasional) and Organisation Assurance, is planned for the future.
Physical Location
This system is located on a Debian Etch vserver on physical machine sun2.
Logical location
- IP: 172.16.2.28
- IP External: 213.154.225.244 (issue.cacert.org)
Administration
- Nick Bebout
Contact: issue-admin@cacert.org
Services
Listening services
port | service | access origin | purpose
22   | SSH     | all           | SSH access for systems administration
25   | SMTP    | all           | SMTP server for outgoing mail and for incoming mail relayed from the mail server
80   | HTTP    | all           | HTTP access to issue, redirects to HTTPS
443  | HTTPS   | all           | HTTPS access to issue
3306 | MySQL   | local only    | MySQL database server for OTRS, only accessible from the local IP
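The table above doubles as a listening-port policy: four services may face any origin, MySQL must be reachable only from the local IP. The script below is an added example (not part of this wiki page or of OTRS) that checks `ss -ltn` output against that policy and reports any listener that is unexpected or bound wider than documented. The `ss` sample is constructed, not captured from the real host; the set of "local" addresses assumes loopback plus the internal IP 172.16.2.28 from the Logical location section.

```python
# Added example: audit `ss -ltn` output against the documented listening-service policy.

# Expected exposure per port, taken from the listening-services table:
# "any" may face all origins, "local" must bind only to loopback or the internal IP.
POLICY = {22: "any", 25: "any", 80: "any", 443: "any", 3306: "local"}

# Addresses counted as "local" for this host (assumption: loopback plus the internal IP).
LOCAL_ADDRS = {"127.0.0.1", "::1", "172.16.2.28"}

# Socket addresses that mean "every interface".
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -ltn` output (not captured from the real issue host).
# It deliberately binds MySQL to 0.0.0.0 and adds an undocumented port 111 so the
# audit has something to report.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:111        0.0.0.0:*
"""


def parse_ss(text):
    """Yield (address, port) for every LISTEN line of `ss -ltn` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        local = fields[3]  # "Local Address:Port" column
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 "[::]:22"
        yield addr.strip("[]"), int(port)


def audit(text, policy=POLICY, local_addrs=LOCAL_ADDRS):
    """Return a sorted list of (port, problem) findings; an empty list means compliant."""
    findings = []
    seen = set()
    for addr, port in parse_ss(text):
        seen.add(port)
        expected = policy.get(port)
        if expected is None:
            findings.append((port, f"unexpected listener on {addr}"))
        elif expected == "local" and (addr in WILDCARDS or addr not in local_addrs):
            findings.append((port, f"must be local-only but bound to {addr}"))
    for port in policy:
        if port not in seen:
            findings.append((port, "documented service not listening"))
    return sorted(findings)


if __name__ == "__main__":
    for port, problem in audit(SAMPLE_SS):
        print(f"port {port}: {problem}")
```

On the real host the input would come from `ss -ltn` (or `netstat -ltn` on older systems, whose column layout differs and would need its own parser); the policy dictionary is the thing to keep in sync with this page whenever a service is added or removed.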
DNS
- issue.intra.cacert.org: 172.16.2.28
- issue.cacert.org: 213.154.225.244
- 244.225.154.213.in-addr.arpa: (none)
Connected Systems
Outbound network connections
- SMTP (25, tcp) relay host: emailout.intra.cacert.org
- Submission (587, tcp) relay host: email.intra.cacert.org (for authenticated users)
- DNS (53, udp) resolving nameserver: 172.28.50.1
- HTTP (80, tcp) package updates: http://ftp.nl.debian.org/ and http://security.debian.org/
Software
- Debian GNU/Linux 6.0
- apache2
- mysql-server
- postfix
- otrs
Security
Operating system and database level admin access
- Nick Bebout
Application level admin access
- Nick Bebout
- Ian Grigg
- Michael Tänzer
Non-distribution packages
Risk assessments on critical packages
- apache2 - good reputation - low number of vulnerabilities
- mod_perl2
- OTRS
Common Tasks
Critical Configuration items
/etc/apache2/sites-available/
FIXME
Creating new user accounts
Go to Admin -> Users -> Add
- Fill out user details
- Use a securely generated random password (min. 12 chars, a mix of upper-case and lower-case letters, digits and special characters) and send it to the user via encrypted mail (also include the URL of the issue tracking system, the username and some initial instructions or a link to documentation if available)
- Only use CAcert email addresses
- Set the preferences for the user. Good standards are:
- Show tickets: 25
- New ticket notification: Yes (or No for high volume queues having agents regularly looking at
- Follow up notification: Yes
- Ticket lock timeout notification: Yes
- Move notification: Yes (or No if the queues for the user get many new tickets)
- Spelling Dictionary: English
- Submit
- Do NOT set any groups for the user.
Go to Admin -> Users -> Roles <-> Users
- Choose the newly created user
- Set the roles the user has
- Submit
Now you are done
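The account checklist above has two points a script can enforce before the admin opens the OTRS form: the address must be a CAcert one, and the initial password must be random and meet the stated policy. The following is an added example (not part of this page or of OTRS) using Python's `secrets` module; the special-character set and the 16-character default length are choices of this example, not requirements stated on the page.

```python
# Added example: generate and check an initial agent password per the policy above.
import secrets
import string

MIN_LENGTH = 12  # from the checklist: "min. 12 chars"
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Assumption: a special-character set without quotes or backslash, which are easy
# to mangle when the password is pasted into a shell or mail client.
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ALLOWED_DOMAIN = "cacert.org"  # from the checklist: "Only use CAcert email addresses"


def meets_policy(password):
    """True if the password is long enough and contains at least one char of every class."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def is_cacert_address(email):
    """True for a single address whose domain is exactly cacert.org (case-insensitive)."""
    local, sep, domain = email.strip().rpartition("@")
    return bool(sep) and bool(local) and domain.lower() == ALLOWED_DOMAIN


def generate_password(length=16):
    """Return a CSPRNG-generated password that is guaranteed to satisfy meets_policy()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # One character from each class guarantees coverage; the rest come from the full alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(CLASSES))]
    # Shuffle with the OS CSPRNG so the class-guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    assert meets_policy(password)  # sanity check of the generator itself
    return password


def prepare_account(email, length=16):
    """Validate the address and return the initial password, or raise with the checklist item that failed."""
    if not is_cacert_address(email):
        raise ValueError(f"{email!r} is not a CAcert address; only use CAcert email addresses")
    return generate_password(length)


if __name__ == "__main__":
    print(prepare_account("new.agent@cacert.org"))
```

The printed password is what goes into the OTRS form and into the encrypted mail to the user; nothing here stores it, so run it once per account and discard the output after use.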
Changes
Planned
Deployment
- Implement access for other teams
OTRS
- Change to CAcert corporate design (low priority)
Monitoring
- Create lists of services to monitor
- Check requirements for internal monitoring
Configuration Management
Implement SystemAdministration/Procedures/OperatingSystemPatches https://lists.cacert.org/wws/arc/cacert-sysadm/2009-08/msg00007.html
Logging
Need to centralise this.
- fail2ban
- log rotation according to SP/SM
- change to general logging schema, also for httpd?
Authentication
- X.509
