Integrity Checks in the ePages System | → 6.17.12 | Created: 6.0.8; Updated: 6.17.5 |
In order to further increase security of the ePages System, its integrity can be regularly checked.
The following procedure is used:
Read section Installation and Execution to find out how integrity checks are normally set up and used.
Read section Analysis and Errors to find out which results are produced and how you will be notified of errors.
Read section Configuration to find out how you can customize the integrity check to your needs.
Read section Setting Up the Scheduler to find out how the Scheduler can be set up and started.
Read section Signing External Cartridges to find out how you can set up the integrity check for your self-developed cartridges.
The integrity check functionality will be installed during either the full installation or a patch as of ePages version 6.0.7. It will be configured with standard parameter values that fit most situations.
The integrity check must be started manually. Proceed as follows:
Execute the following command inside the patch directory:
./patch.sh start_sic
Execute the following commands:
. /etc/default/epages6
$PERL $EPAGES/bin/CheckIntegrity.PL -add scheduler
/etc/init.d/epages6 start_cron
The target value comparison is set by default to be carried out once every minute. The signatures are checked every hour. If a difference is found, the differing files are saved into a .tar.gz package and an error message is sent by e-mail. By default, this e-mail is sent to the address entered into the TBO as recipient for error messages.
If the same discrepancy is registered during the next integrity check (the same files demonstrate the same violations of the rules), there will be no reaction.
All files that are produced by CheckIntegrity.PL are located in:
*.NOMINAL : desired state
*.ACTUAL  : actual state
*.ERROR   : file-system inconsistencies
*.tar.gz  : package with files that differ from the norm
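The nominal/actual comparison and the suppression of repeated reports described above, as an added Python sketch. It is not ePages code and does not reproduce the format CheckIntegrity.PL uses for its *.NOMINAL and *.ACTUAL files; the function names, the in-memory state layout and the sample files are assumptions.

```python
import os, stat, tempfile

def snapshot(check_path, suffixes, checks=("size", "mode", "owner", "mtime")):
    """Stat every file under check_path whose name ends in one of suffixes."""
    state = {}
    for root, _dirs, files in os.walk(check_path):
        for name in files:
            if name.endswith(tuple(suffixes)):
                path = os.path.join(root, name)
                st = os.lstat(path)
                attrs = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
                         "owner": st.st_uid, "mtime": int(st.st_mtime)}
                state[os.path.relpath(path, check_path)] = {c: attrs[c] for c in checks}
    return state

def violations(nominal, actual):
    """Map each deviating file to the sorted list of rules it violates."""
    found = {}
    for path in sorted(set(nominal) | set(actual)):
        if path not in actual:
            found[path] = ["missing"]
        elif path not in nominal:
            found[path] = ["unexpected"]
        else:
            bad = sorted(c for c in nominal[path] if nominal[path][c] != actual[path][c])
            if bad:
                found[path] = bad
    return found

def check_cycle(nominal, check_path, suffixes, previous):
    """One run: report only if the set of violations differs from the last run."""
    current = violations(nominal, snapshot(check_path, suffixes))
    return current, bool(current) and current != previous

def demo():
    """Constructed scenario: one watched .pm file is changed after the baseline."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "Shop.pm")
        for path in (target, os.path.join(d, "notes.txt")):   # .txt is not watched
            with open(path, "w") as fh:
                fh.write("1;\n")
        os.chmod(target, 0o644)
        os.utime(target, (1_000_000_000, 1_000_000_000))       # fixed baseline mtime
        nominal = snapshot(d, (".pl", ".pm"))
        with open(target, "a") as fh:
            fh.write("# edited\n")
        os.chmod(target, 0o666)
        first, alert1 = check_cycle(nominal, d, (".pl", ".pm"), previous={})
        second, alert2 = check_cycle(nominal, d, (".pl", ".pm"), previous=first)
        return first, alert1, alert2
```

Calling demo() shows the first cycle reporting the changed file and the second cycle, which finds the identical violations, staying silent.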
Integrity checking is installed and started with default values that should fit most installations.
When necessary, you can customize the integrity check. The configuration is defined in the following file:
$EPAGES_CONFIG/CheckIntegrity.conf
The most important parameters are those that determine which files in what directories should be tested, and how that should happen:
CheckFiles= .pl|.pm
CheckPath=$ENV{EPAGES_PERL}/bin
[:Default:]
# Each parameter in this section can also be written as parameter:HOSTNAME.
# If parameter:HOSTNAME exists, then host HOSTNAME uses parameter:HOSTNAME,
# otherwise it uses parameter (HOSTNAME is the short name without dots).

# Path to CheckIntegrity.PL (parameter must be set)
Command=$ENV{EPAGES}/bin/CheckIntegrity.PL
# VarDir contains variable data files (default: ~/.epages)
VarDir=
### For GPG:
# Path to the gpg program (if not in PATH)
GpgPath=
# list of public keys (files,dirs,URLs) to import separated by ','
PublicKeys=$ENV{EPAGES_CONFIG}/pubring.txt
#PublicKeys=http://epages.com/security/b1d28320.txt
### For mail:
# e-mail address of sender (default: as defined in MailConnection resp. MailStore)
MailSender=
# list of recipients separated by [;,] (default: MailSender)
MailRecipient=
# EITHER use the e-mail connection as defined in store (only with ePages perl; default: Site):
MailStore=
# OR define the e-mail connection explicitly (default: localhost):
# Format: passwd:user@server or user@server or server
MailConnection=
### For UNIX:
# Path to wrapScheduler.sh script (default: $ENV{EPAGES}/bin/wrapScheduler.sh)
WrapSchedulerSh=
# Path to wrapScheduler.PL script (default: $ENV{EPAGES}/bin/wrapScheduler.PL)
WrapSchedulerPl=
# Use '/bin/env perl' or ePages perl? (default: ePages perl)
UseBinEnvPerl=
The :Default:-section contains parameter values that are used whenever parameters are missing in the actual sections.
Sections whose names begin and end with ":" are ignored (except for :Default:). The :Example: section demonstrates all the settings that can be configured for CheckIntegrity.PL.
Warning: No section name that is to be used may contain a colon, except for :Default:.
[:Example:]
# check what:
Check=signature,size,mode,owner,inode,ctime,mtime
# check internal signature of files ending in: (separated by |)
InternalSignatures=.conf|.PL|.pl|.pm|.t|.sh
# check external signature of files ending in: (separated by |)
ExternalSignatures=.so|.exe|.dll
# check status of files ending in: (separated by |)
CheckFiles=.so|.exe
# check where (if SignaturePath isn't defined: path list separated by ',')
CheckPath=$ENV{EPAGES_PERL}/bin
# check against (if detached signatures):
SignaturePath=$ENV{EPAGES_PERL}/.gpg/bin
# run? (1 - yes, else - no)
IsActive=1
# what? (section names separated by ',')
SubTasks=DE_EPAGES_Size,Perl_Size,Perl_Signature,Config,Core
# where? (separated by ','; unset -> any)
Machine=
# when? (job won't run if Cron= (UNIX) or Schtasks= and At= (Win) is/are unset)
# when? (Unix: minute/hour/day of month/month/day of week) [see 'man crontab']
Cron=* * * * *
# when? (Windows: schtasks arguments) [see online help of schtasks]
Schtasks=/st 00:00 /sc MINUTE /mo 1
# when? (Windows: at args) [if schtasks runs, ignore at; see online help of at]
At=00:00 /every:5,10,15,20,25,30,35,40,45,50,55
# how long the cronjob may take without a subsequent instance reports
# an error? (default: until the next instance occurs)
# MaxDuration has one of the formats:
# <DAYS>-<HOURS>:<MINUTES> (e.g.: MaxDuration=3-12:00)
# <HOURS>:<MINUTES> (e.g.: MaxDuration=2:16)
# <MINUTES> (e.g.: MaxDuration=18)
MaxDuration=4
# what command options? (-section SECTION must be set)
Options=-section :Example:
In the next section, several sections of the standard configuration file are explained.
[DE_EPAGES_Signature]
Check=signature
InternalSignatures=.pl|.pm
CheckPath=$ENV{EPAGES_CARTRIDGES}/DE_EPAGES

[DE_EPAGES_Stat]
Check=size,owner,mode,mtime
CheckPath=$ENV{EPAGES_CARTRIDGES}/DE_EPAGES

[Perl_Signature]
IsActive=0
Check=signature
ExternalSignatures=
CheckPath=$ENV{EPAGES_PERL}/bin
SignaturePath=$ENV{EPAGES_PERL}/.gpg/bin

[bin_Signature]
Check=signature
InternalSignatures=.PL|.pl|.sh
CheckPath=$ENV{EPAGES}/bin

[Core_Signature]
Check=signature
InternalSignatures=.pl|.pm
CheckPath=$ENV{EPAGES_CARTRIDGES}/DE_EPAGES/Core,$ENV{EPAGES_CARTRIDGES}/DE_EPAGES/WebInterface

[Config_Stat]
Check=size,owner,mode,mtime
CheckFiles=Servlet.conf|log4perl.conf
CheckPath=$ENV{EPAGES_CONFIG}

[Task_Cartridges_Hourly]
IsActive=1
SubTasks=DE_EPAGES_Signature
Machine=
Cron=55 * * * *
MaxDuration=
Options=-section Task_Cartridges_Hourly -again

[Task_Cartridges_UNIX]
IsActive=1
SubTasks=DE_EPAGES_Stat,Core_Signature
Machine=
Cron=* * * * *
MaxDuration=4
Options=-section Task_Cartridges_UNIX
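An added Python example (not part of ePages) that applies the rules described above for :Default:, parameter:HOSTNAME and ignored :Name: sections, and then lists which check sections an active UNIX task actually schedules on a given host. The sample text is constructed from the sections shown on this page, the host names are hypothetical, and treating a check section without IsActive as enabled is an assumption.

```python
import configparser

# Constructed excerpt modelled on the sections shown on this page (not a real file).
SAMPLE = """\
[:Default:]
MailRecipient=ops@example.invalid
MailRecipient:web01=web-team@example.invalid
[:Example:]
Check=signature,size
[DE_EPAGES_Signature]
Check=signature
[Perl_Signature]
IsActive=0
Check=signature
[bin_Signature]
Check=signature
[Task_Cartridges_Hourly]
IsActive=1
SubTasks=DE_EPAGES_Signature,Perl_Signature
Cron=55 * * * *
"""

def load(text):
    cp = configparser.ConfigParser(default_section=":Default:",
                                   delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep parameter names (and :HOSTNAME suffixes) as written
    cp.read_string(text)
    return cp

def get(cp, section, param, host):
    """parameter:HOSTNAME beats parameter; :Default: fills anything missing."""
    sec = cp[section]
    return sec.get(f"{param}:{host}", sec.get(param, ""))

def audit(cp, host):
    """Return (scheduled, unscheduled) check sections as seen from this host."""
    real = [s for s in cp.sections() if not (s.startswith(":") and s.endswith(":"))]
    tasks = [s for s in real if get(cp, s, "SubTasks", host)]
    scheduled = set()
    for task in tasks:
        machines = [m for m in get(cp, task, "Machine", host).split(",") if m]
        active = get(cp, task, "IsActive", host) == "1" and get(cp, task, "Cron", host)
        if not active or (machines and host not in machines):
            continue  # disabled, no Cron= entry, or pinned to other machines
        for sub in get(cp, task, "SubTasks", host).split(","):
            # Assumption: a check section without IsActive counts as enabled.
            if sub in real and get(cp, sub, "IsActive", host) in ("", "1"):
                scheduled.add(sub)
    return sorted(scheduled), sorted(set(real) - set(tasks) - scheduled)
```

Running audit(load(SAMPLE), "web01") on the constructed sample reports DE_EPAGES_Signature as scheduled, while Perl_Signature (IsActive=0) and bin_Signature (referenced by no task) are listed as unscheduled.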
Prerequisite: Knowledge of the ePages-Scheduler concept
Until now, the only way to run jobs was via the ePages Scheduler. Now, UNIX cron jobs can be administered directly. That has the advantage that the integrity tests can run outside the ePages environment.
If the -add option is given with the parameter scheduler=epages, the ePages Scheduler will be used. The parameter can also be set to scheduler=cron; a standard UNIX cron job will then be used (default setting).
This extended scheduler concept lets you define scheduler tasks via $HOME/.epages/cron.d/* in addition to the standard $EPAGES_CONFIG/Scheduler.conf and $EPAGES_CONFIG/Scheduler.d/*.env. $HOME is the home directory of user 'root', '$AMUSER', 'ep_appl', 'ep_db' or 'ep_web'.
The files found in $HOME/.epages/cron.d/* are copied by /etc/init.d/epages6 start_cron (and also /epages6 start) to /etc/cron.d. They are removed from that folder by /epages6 stop. Files found in /etc/cron.d will be run as cron jobs.
In UNIX, the following commands create the same results:
perl $EPAGES/bin/CheckIntegrity.PL -add scheduler=cron
perl $EPAGES/bin/CheckIntegrity.PL -add scheduler
These commands create cron-job files in $HOME/.epages/cron.d/. /etc/init.d/epages6 start is used to start the cron jobs.
The output of each cron job is sent by wrapScheduler.PL via SendProgramOutput.pl (for ePages-Perl) or SMTPSendProgramOutput.PL (for any other Perl).
The connection to the mail server can be defined via the following parameters in the scheduler configuration file, such as Scheduler.conf:
Until now, all jobs defined in Scheduler.conf were run by UNIX-user "ep_appl". Now, other users can be defined via the parameter "User=".
[ClearTrash]
# run? (1 - yes, else - no)
IsActive=1
# who? (UNIX user)
User=$ENV{EPAGES_APPUSER}
...
If no user is entered, "ep_appl" will be chosen. Allowed users are:
The following code is found in /etc/init.d/epages6:
[ -z "$EPAGES_IGNORE_CRON" ] && $SU_EXE ep_web -c ". \"$EP_DEFAULT\" ; LOGNAME=ep_web \"$EPAGES\"/bin/epagesScheduler.sh start" 2>/dev/null
[ -z "$EPAGES_IGNORE_CRON" ] && $SU_EXE ep_db -c ". \"$EP_DEFAULT\" ; LOGNAME=ep_db \"$EPAGES\"/bin/epagesScheduler.sh start" 2>/dev/null
$SU_EXE ep_appl -c ". \"$EP_DEFAULT\" ; LOGNAME=ep_appl \"$EPAGES\"/bin/epagesScheduler.sh start" 2>/dev/null
$SU_EXE $EPAGES_APPUSER -c ". \"$EP_DEFAULT\" ; LOGNAME=$EPAGES_APPUSER \"$EPAGES\"/bin/epagesScheduler.sh start" 2>/dev/null
The patch sets all scheduler jobs (except those that begin with "Sybase") to 'User=$ENV{EPAGES_APPUSER}'. This applies only to jobs from Database/Data/Scheduler/Scheduler.conf.
This doesn't apply for cron jobs that don't come from ePages. If a cron job doesn't run, then use 'User=ep_appl' instead of 'User=$ENV{EPAGES_APPUSER}' (or the other way around).
The script "SignFiles.PL" is used by ePages to sign files with the ePages key. It can also be used by third parties to sign their self-developed cartridges with their own keys.
In order to do this, you must obtain a private/public key pair. The private key is used to sign the files. The public key is given to the code owner. The user must add the path to the public key as the value for PublicKeys= in CheckIntegrity.conf.
The signatures are created with the following script:
$EPAGES/bin/SignFiles.PL
The script is mainly meant to create GPG signatures. However, it can also check or remove GPG signatures, similar to CheckIntegrity.PL. Unlike CheckIntegrity.PL, SignFiles.PL does not use a configuration file. Each parameter must be entered in a command window. The following command lists the possible parameters and their use:
perl SignFiles.PL -help
SignFiles.PL understands the following modes:
-verify     : verifies files
-unsign     : removes the signature
-resign     : removes the signature and writes them again
(otherwise) : signs files
The remaining options correspond to parameters in CheckIntegrity.conf:
-files "LIST" : see InternalSignatures= or ExternalSignatures=
-dir DIR      : see CheckPath=
-detach DIR   : see SignaturePath=