From c5fd63e099cec30154e2a9c0b5ee7715491263bf Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Wed, 21 Jun 2023 10:56:41 +0000 Subject: DTail: Restrict SSH MAC algorithms allowed - Update of few dependencies --- examples/check_dserver.sh.example | 3 + examples/dserver-update-keycache.service.example | 6 + examples/dserver-update-keycache.timer.example | 5 + examples/dserver.service.example | 19 + examples/dtail.json.example | 127 ++++++ examples/dtail.schema.json | 532 +++++++++++++++++++++++ examples/update_key_cache.sh.example | 33 ++ 7 files changed, 725 insertions(+) create mode 100755 examples/check_dserver.sh.example create mode 100644 examples/dserver-update-keycache.service.example create mode 100644 examples/dserver-update-keycache.timer.example create mode 100644 examples/dserver.service.example create mode 100644 examples/dtail.json.example create mode 100755 examples/dtail.schema.json create mode 100644 examples/update_key_cache.sh.example (limited to 'examples')
diff --git a/examples/check_dserver.sh.example b/examples/check_dserver.sh.example
new file mode 100755
index 0000000..77f01f0
--- /dev/null
+++ b/examples/check_dserver.sh.example
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/local/bin/dtailhealth --server localhost:2222
diff --git a/examples/dserver-update-keycache.service.example b/examples/dserver-update-keycache.service.example
new file mode 100644
index 0000000..7e6144c
--- /dev/null
+++ b/examples/dserver-update-keycache.service.example
@@ -0,0 +1,6 @@
+[Unit]
+Description=Refresh DServer SSH Key Cache
+
+[Service]
+Type=oneshot
+ExecStart=/var/run/dserver/update_key_cache.sh
diff --git a/examples/dserver-update-keycache.timer.example b/examples/dserver-update-keycache.timer.example
new file mode 100644
index 0000000..e7158ca
--- /dev/null
+++ b/examples/dserver-update-keycache.timer.example
@@ -0,0 +1,5 @@
+[Unit]
+Description=Refresh DServer SSH Key Cache every 30 minutes.
+
+[Timer]
+OnCalendar=*:0/30
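Review bot: `ExecStart=/var/run/dserver/update_key_cache.sh` executes a script out of a runtime directory, and because this oneshot unit sets no `User=` it runs as root. The same directory is `WorkingDirectory=` of dserver.service, which runs as the unprivileged `dserver` user with `CacheDir`/`HostKeyFile` resolved under it, so if `/var/run/dserver` is writable by `dserver` (not shown here, but likely given the relative cache paths) a compromised dserver can overwrite the script and have it run as root at the next timer tick; `/var/run` is also tmpfs on most systems, so the script vanishes on reboot. Ship the script under a root-owned path, `ExecStart=/usr/local/sbin/update_key_cache.sh`, and keep only the cache files in the runtime directory.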
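Review bot: The timer has no `[Install]` section, so `systemctl enable dserver-update-keycache.timer` fails and the refresh never runs after boot; add `[Install]` with `WantedBy=timers.target`. Since the cache directory the script fills (`/var/run/dserver/cache`) is typically volatile, the first refresh after a reboot should not wait up to 30 minutes with an empty key cache — add `OnBootSec=1min` alongside `OnCalendar=*:0/30`.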
diff --git a/examples/dserver.service.example b/examples/dserver.service.example
new file mode 100644
index 0000000..c5e5e59
--- /dev/null
+++ b/examples/dserver.service.example
@@ -0,0 +1,19 @@
+[Unit]
+Description=DTail server
+After=network.target
+
+[Service]
+Slice=dserver.slice
+User=dserver
+Group=dserver
+ExecStart=/usr/local/bin/dserver -cfg /etc/dserver/dtail.json
+WorkingDirectory=/var/run/dserver
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+CPUAccounting=true
+MemoryAccounting=true
+BlockIOAccounting=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/dtail.json.example b/examples/dtail.json.example
new file mode 100644
index 0000000..26eb8a1
--- /dev/null
+++ b/examples/dtail.json.example
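Review bot: With `WorkingDirectory=/var/run/dserver` and the example config's relative `HostKeyFile: cache/ssh_host_key`, the SSH host key presumably lands on a tmpfs and is regenerated after every reboot, so clients see a changed host key each time and are trained to accept mismatches. Use a persistent, root-provisioned directory for the host key, e.g. `StateDirectory=dserver` with `WorkingDirectory=/var/lib/dserver`, and keep only the authorized_keys cache volatile. The unit also stops short of the usual hardening; `ProtectSystem=strict` plus `ReadWritePaths=` for the cache and log directories, `ProtectKernelTunables=true`, `ProtectControlGroups=true` and `RestrictAddressFamilies=AF_INET AF_INET6` should all be compatible with a daemon that only reads log files and listens on one TCP port (`ProtectHome=` is not an option, since the permissions in the example read files anywhere). Consider `Restart=on-failure` as well so a crash does not leave the health check failing until someone intervenes.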
@@ -0,0 +1,127 @@ +{ + "Client": { + "TermColorsEnable": true, + "TermColors": { + "Remote": { + "DelimiterAttr": "Dim", + "DelimiterBg": "Blue", + "DelimiterFg": "Cyan", + "RemoteAttr": "Dim", + "RemoteBg": "Blue", + "RemoteFg": "White", + "CountAttr": "Dim", + "CountBg": "Blue", + "CountFg": "White", + "HostnameAttr": "Bold", + "HostnameBg": "Blue", + "HostnameFg": "White", + "IDAttr": "Dim", + "IDBg": "Blue", + "IDFg": "White", + "StatsOkAttr": "None", + "StatsOkBg": "Green", + "StatsOkFg": "Black", + "StatsWarnAttr": "None", + "StatsWarnBg": "Red", + "StatsWarnFg": "White", + "TextAttr": "None", + "TextBg": "Black", + "TextFg": "White" + }, + "Client": { + "DelimiterAttr": "Dim", + "DelimiterBg": "Yellow", + "DelimiterFg": "Black", + "ClientAttr": "Dim", + "ClientBg": "Yellow", + "ClientFg": "Black", + "HostnameAttr": "Dim", + "HostnameBg": "Yellow", + "HostnameFg": "Black", + "TextAttr": "None", + "TextBg": "Black", + "TextFg": "White" + }, + "Server": { + "DelimiterAttr": "AttrDim", + "DelimiterBg": "BgCyan", + "DelimiterFg": "FgBlack", + "ServerAttr": "AttrDim", + "ServerBg": "BgCyan", + "ServerFg": "FgBlack", + "HostnameAttr": "AttrBold", + "HostnameBg": "BgCyan", + "HostnameFg": "FgBlack", + "TextAttr": "AttrNone", + "TextBg": "BgBlack", + "TextFg": "FgWhite" + }, + "Common": { + "SeverityErrorAttr": "AttrBold", + "SeverityErrorBg": "BgRed", + "SeverityErrorFg": "FgWhite", + "SeverityFatalAttr": "AttrBold", + "SeverityFatalBg": "BgMagenta", + "SeverityFatalFg": "FgWhite", + "SeverityWarnAttr": "AttrBold", + "SeverityWarnBg": "BgBlack", + "SeverityWarnFg": "FgWhite" + }, + "MaprTable": { + "DataAttr": "AttrNone", + "DataBg": "BgBlue", + "DataFg": "FgWhite", + "DelimiterAttr": "AttrDim", + "DelimiterBg": "BgBlue", + "DelimiterFg": "FgWhite", + "HeaderAttr": "AttrBold", + "HeaderBg": "BgBlue", + "HeaderFg": "FgWhite", + "HeaderDelimiterAttr": "AttrDim", + "HeaderDelimiterBg": "BgBlue", + "HeaderDelimiterFg": "FgWhite", + "HeaderSortKeyAttr": "AttrUnderline", 
+ "HeaderGroupKeyAttr": "AttrReverse",
+ "RawQueryAttr": "AttrDim",
+ "RawQueryBg": "BgBlack",
+ "RawQueryFg": "FgCyan"
+ }
+ }
+ },
+ "Server": {
+ "SSHBindAddress": "0.0.0.0",
+ "HostKeyFile": "cache/ssh_host_key",
+ "HostKeyBits": 2048,
+ "MapreduceLogFormat": "default",
+ "MaxConcurrentCats": 2,
+ "MaxConcurrentTails": 50,
+ "MaxConnections": 50,
+ "MaxLineLength": 1048576,
+ "Permissions": {
+ "Default": [
+ "readfiles:^/.*$"
+ ],
+ "Users": {
+ "paul": [
+ "readfiles:^/.*$"
+ ],
+ "pbuetow": [
+ "readfiles:^/.*$"
+ ],
+ "jamesblake": [
+ "readfiles:^/tmp/foo.log$",
+ "readfiles:^/.*$",
+ "readfiles:!^/tmp/bar.log$"
+ ]
+ }
+ }
+ },
+ "Common": {
+ "LogDir": "log",
+ "Logger": "Fout",
+ "LogRotation": "Daily",
+ "CacheDir": "cache",
+ "SSHPort": 2222,
+ "LogLevel": "Info"
+ }
+}
diff --git a/examples/dtail.schema.json b/examples/dtail.schema.json
new file mode 100755
index 0000000..d13b133
--- /dev/null
+++ b/examples/dtail.schema.json
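Review bot: The commit subject says SSH MAC algorithms are now restricted, yet the example config sets none of the `MACs`, `Ciphers` or `KeyExchanges` keys the schema introduces, so an operator who copies it gets whatever the server's built-in default is and never learns the knob exists; add an explicit modern list such as `"MACs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"]` so the example documents the intended hardening. `"Default": ["readfiles:^/.*$"]` grants every account with a cached authorized_keys file read access to every file the `dserver` user can open, and the named `paul`/`pbuetow` entries merely repeat it — an example should ship a narrow default, e.g. `"readfiles:^/var/log/.*\\.log$"`, and reserve the catch-all for explicitly listed users. The `jamesblake` entry combines an allow-all with a later `!^/tmp/bar.log$` deny, and nothing here says whether the deny wins or the first match wins; since JSON cannot carry a comment, the accompanying README should spell out the evaluation order so operators do not grant more than intended. `SSHBindAddress: "0.0.0.0"` listens on every interface while `check_dserver.sh` only probes localhost; binding to a specific address, or at least stating the exposure in the docs, would be the safer default for a sample.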
@@ -0,0 +1,532 @@ +{ + "$schema": "https://json-schema.org/2019-09/schema", + "description": "Schema for dtail.json", + "definitions": { + "userPermission": { + "type": "array", + "items": { + "type": "string" + } + }, + "userPermissions": { + "type": "object", + "patternProperties": { + "^.*$": { + "$ref": "#/definitions/userPermission" + } + } + }, + "loglevel": { + "type": "string", + "enum": [ + "None", + "Fatal", + "Error", + "Warn", + "Info", + "Default", + "Verbose", + "Debug", + "Devel", + "Trace", + "All" + ] + }, + "logger": { + "type": "string", + "enum": [ + "None", + "Stdout", + "File", + "Fout" + ] + }, + "logrotation": { + "type": "string", + "enum": [ + "Daily", + "Signal" + ] + }, + "color": { + "type": "string", + "enum": [ + "Black", + "Red", + "Green", + "Yellow", + "Blue", + "Magenta", + "Cyan", + "White" + ] + }, + "attribute": { + "type": "string", + "enum": [ + "None", + "Bold", + "Dim", + "Italic", + "Underline", + "Blink", + "SlowBlink", + "RapidBlink", + "Reverse", + "Hidden" + ] + } + }, + "type": "object", + "additionalProperties": false, + "properties": { + "Client": { + "additionalProperties": false, + "properties": { + "TermColorsEnable": { + "type": "boolean" + }, + "TermColors": { + "type": "object", + "additionalProperties": false, + "properties": { + "Remote": { + "additionalProperties": false, + "properties": { + "DelimiterAttr": { + "$ref": "#/definitions/attribute" + }, + "DelimiterBg": { + "$ref": "#/definitions/color" + }, + "DelimiterFg": { + "$ref": "#/definitions/color" + }, + "RemoteAttr": { + "$ref": "#/definitions/attribute" + }, + "RemoteBg": { + "$ref": "#/definitions/color" + }, + "RemoteFg": { + "$ref": "#/definitions/color" + }, + "CountAttr": { + "$ref": "#/definitions/attribute" + }, + "CountBg": { + "$ref": "#/definitions/color" + }, + "CountFg": { + "$ref": "#/definitions/color" + }, + "HostnameAttr": { + "$ref": "#/definitions/attribute" + }, + "HostnameBg": { + "$ref": "#/definitions/color" + }, + 
"HostnameFg": { + "$ref": "#/definitions/color" + }, + "IDAttr": { + "$ref": "#/definitions/attribute" + }, + "IDBg": { + "$ref": "#/definitions/color" + }, + "IDFg": { + "$ref": "#/definitions/color" + }, + "StatsOkAttr": { + "$ref": "#/definitions/attribute" + }, + "StatsOkBg": { + "$ref": "#/definitions/color" + }, + "StatsOkFg": { + "$ref": "#/definitions/color" + }, + "StatsWarnAttr": { + "$ref": "#/definitions/attribute" + }, + "StatsWarnBg": { + "$ref": "#/definitions/color" + }, + "StatsWarnFg": { + "$ref": "#/definitions/color" + }, + "TextAttr": { + "$ref": "#/definitions/attribute" + }, + "TextBg": { + "$ref": "#/definitions/color" + }, + "TextFg": { + "$ref": "#/definitions/color" + } + } + }, + "Client": { + "additionalProperties": false, + "properties": { + "DelimiterAttr": { + "$ref": "#/definitions/attribute" + }, + "DelimiterBg": { + "$ref": "#/definitions/color" + }, + "DelimiterFg": { + "$ref": "#/definitions/color" + }, + "ClientAttr": { + "$ref": "#/definitions/attribute" + }, + "ClientBg": { + "$ref": "#/definitions/color" + }, + "ClientFg": { + "$ref": "#/definitions/color" + }, + "HostnameAttr": { + "$ref": "#/definitions/attribute" + }, + "HostnameBg": { + "$ref": "#/definitions/color" + }, + "HostnameFg": { + "$ref": "#/definitions/color" + }, + "TextAttr": { + "$ref": "#/definitions/attribute" + }, + "TextBg": { + "$ref": "#/definitions/color" + }, + "TextFg": { + "$ref": "#/definitions/color" + } + } + }, + "Server": { + "additionalProperties": false, + "properties": { + "DelimiterAttr": { + "#ref": "#/definitions/attribute" + }, + "DelimiterBg": { + "#ref": "#/definitions/color" + }, + "DelimiterFg": { + "#ref": "#/definitions/color" + }, + "ServerAttr": { + "#ref": "#/definitions/attribute" + }, + "ServerBg": { + "#ref": "#/definitions/color" + }, + "ServerFg": { + "#ref": "#/definitions/color" + }, + "HostnameAttr": { + "#ref": "#/definitions/attribute" + }, + "HostnameBg": { + "#ref": "#/definitions/color" + }, + "HostnameFg": { + 
"#ref": "#/definitions/color" + }, + "TextAttr": { + "#ref": "#/definitions/attribute" + }, + "TextBg": { + "#ref": "#/definitions/color" + }, + "TextFg": { + "#ref": "#/definitions/color" + } + } + }, + "Common": { + "additionalProperties": false, + "properties": { + "SeverityErrorAttr": { + "#ref": "#/definitions/attribute" + }, + "SeverityErrorBg": { + "#ref": "#/definitions/color" + }, + "SeverityErrorFg": { + "#ref": "#/definitions/color" + }, + "SeverityFatalAttr": { + "#ref": "#/definitions/attribute" + }, + "SeverityFatalBg": { + "#ref": "#/definitions/color" + }, + "SeverityFatalFg": { + "#ref": "#/definitions/color" + }, + "SeverityWarnAttr": { + "#ref": "#/definitions/attribute" + }, + "SeverityWarnBg": { + "#ref": "#/definitions/color" + }, + "SeverityWarnFg": { + "#ref": "#/definitions/color" + } + } + }, + "MaprTable": { + "additionalProperties": false, + "properties": { + "DataAttr": { + "#ref": "#/definitions/attribute" + }, + "DataBg": { + "#ref": "#/definitions/color" + }, + "DataFg": { + "#ref": "#/definitions/color" + }, + "DelimiterAttr": { + "#ref": "#/definitions/attribute" + }, + "DelimiterBg": { + "#ref": "#/definitions/color" + }, + "DelimiterFg": { + "#ref": "#/definitions/color" + }, + "HeaderAttr": { + "#ref": "#/definitions/attribute" + }, + "HeaderBg": { + "#ref": "#/definitions/color" + }, + "HeaderFg": { + "#ref": "#/definitions/color" + }, + "HeaderDelimiterAttr": { + "#ref": "#/definitions/attribute" + }, + "HeaderDelimiterBg": { + "#ref": "#/definitions/color" + }, + "HeaderDelimiterFg": { + "#ref": "#/definitions/color" + }, + "HeaderSortKeyAttr": { + "#ref": "#/definitions/attribute" + }, + "HeaderGroupKeyAttr": { + "#ref": "#/definitions/attribute" + }, + "RawQueryAttr": { + "#ref": "#/definitions/attribute" + }, + "RawQueryBg": { + "#ref": "#/definitions/color" + }, + "RawQueryFg": { + "#ref": "#/definitions/color" + } + } + } + } + } + } + }, + "Server": { + "additionalProperties": false, + "properties": { + 
"SSHBindAddress": { + "type": "string" + }, + "KeyExchanges": { + "type": "array", + "items": { + "type": "string" + } + }, + "Ciphers": { + "type": "array", + "items": { + "type": "string" + } + }, + "MACs": { + "type": "array", + "items": { + "type": "string" + } + }, + "HostKeyFile": { + "type": "string" + }, + "HostKeyBits": { + "type": "integer", + "minimum": 2048 + }, + "MapreduceLogFormat": { + "type": "string" + }, + "MaxConcurrentCats": { + "type": "integer", + "minimum": 1, + "maximum": 20 + }, + "MaxConcurrentTails": { + "type": "integer", + "minimum": 1, + "maximum": 200 + }, + "MaxConnections": { + "type": "integer", + "minimum": 1, + "maximum": 200 + }, + "MaxLineLength": { + "type": "integer", + "minimum": 1024, + "maximum": 10240000 + }, + "Permissions": { + "type": "object", + "additionalProperties": true, + "patternProperties": { + "^Default$": { + "$ref": "#/definitions/userPermission" + }, + "^Users$": { + "$ref": "#/definitions/userPermissions" + } + } + }, + "Schedule": { + "type": "array", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "Name": { + "type": "string" + }, + "Enable": { + "type": "boolean" + }, + "AllowFrom": { + "type": "array", + "items": { + "type": "string" + } + }, + "Servers": { + "type": "array", + "items": { + "type": "string" + } + }, + "TimeRange": { + "type": "array", + "items": [ + { + "type": "integer" + }, + { + "type": "integer" + } + ] + }, + "Files": { + "type": "string" + }, + "Outfile": { + "type": "string" + }, + "Query": { + "type": "string" + } + } + } + }, + "Continuous": { + "type": "array", + "items": { + "type": "object", + "additionalProperties": false, + "properties": { + "Name": { + "type": "string" + }, + "Enable": { + "type": "boolean" + }, + "AllowFrom": { + "type": "array", + "items": { + "type": "string" + } + }, + "Servers": { + "type": "array", + "items": { + "type": "string" + } + }, + "RestartOnDayChange": { + "type": "boolean" + }, + "Files": { + 
"type": "string"
+ },
+ "Outfile": {
+ "type": "string"
+ },
+ "Query": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "Common": {
+ "additionalProperties": false,
+ "properties": {
+ "LogDir": {
+ "type": "string"
+ },
+ "Logger": {
+ "#ref": "#/definitions/logger"
+ },
+ "LogLevel": {
+ "#ref": "#/definitions/loglevel"
+ },
+ "LogRotation": {
+ "#ref": "#/definitions/logrotation"
+ },
+ "CacheDir": {
+ "type": "string"
+ },
+ "SSHPort": {
+ "type": "integer",
+ "minimum": 2,
+ "maximum": 16000
+ },
+ "ExperimentalFeaturesEnable": {
+ "type": "boolean"
+ }
+ }
+ }
+ },
+ "required": [
+ "Client",
+ "Server",
+ "Common"
+ ]
+}
diff --git a/examples/update_key_cache.sh.example b/examples/update_key_cache.sh.example
new file mode 100644
index 0000000..9817f04
--- /dev/null
+++ b/examples/update_key_cache.sh.example
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+declare -r CACHEDIR=/var/run/dserver/cache
+declare -r DSERVER_USER=dserver
+
+echo "Updating SSH key cache"
+
+ls /home/ | while read remoteuser; do
+ keysfile=/home/$remoteuser/.ssh/authorized_keys
+
+ if [ -f $keysfile ]; then
+ cachefile=$CACHEDIR/$remoteuser.authorized_keys
+ echo "Caching $keysfile -> $cachefile"
+
+ cp $keysfile $cachefile
+ chown $DSERVER_USER $cachefile
+ chmod 600 $cachefile
+ fi
+done
+
+# Cleanup obsolete public SSH keys
+find $CACHEDIR -name \*.authorized_keys -type f |
+while read cachefile; do
+ remoteuser=$(basename $cachefile | cut -d. -f1)
+ keysfile=/home/$remoteuser/.ssh/authorized_keys
+
+ if [ ! -f $keysfile ]; then
+ echo "Deleting obsolete cache file $cachefile"
+ rm $cachefile
+ fi
+done
+
+echo "All set..."
-- cgit v1.2.3
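Review bot: Throughout the `Server`, `Common` and `MaprTable` TermColors objects and in `Common.Logger`, `Common.LogLevel` and `Common.LogRotation`, the reference keyword is written `"#ref"` instead of `"$ref"`; `#ref` is not a JSON Schema keyword, so validators silently ignore it and those properties accept any value — the `logger`, `loglevel` and `logrotation` enums defined under `definitions` are never enforced, which defeats the point of shipping a schema. The fix is a mechanical rename of every `"#ref"` to `"$ref"`. Secondary points: the dialect URI should be `"$schema": "https://json-schema.org/draft/2019-09/schema"` (the current value does not name a published draft, so a validator may fall back to its own default); the `Client`, `Server` and `Common` subschemas omit `"type": "object"`, so a string at that position still validates; and `Permissions` sets `additionalProperties: true` next to `patternProperties`, so a misspelled `"Defaults"` key is accepted and the intended permission silently never applies. Given the commit's purpose, `KeyExchanges`, `Ciphers` and `MACs` deserve at least `"minItems": 1, "uniqueItems": true` so an accidentally empty list cannot reach the server, whose handling of an empty algorithm list is not visible here.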
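Review bot: `cp $keysfile $cachefile` runs as root (the oneshot unit has no `User=`) on a path the home-directory owner fully controls, and both `[ -f ]` and `cp` follow symlinks, so a user can point `~/.ssh/authorized_keys` at any root-readable file and have its contents copied into a `dserver`-owned cache file; refuse symlinks (and ideally check `stat -L -c %U` matches the user) before copying. The copy is also created under root's umask and only tightened by a later `chmod 600`, and with no `set -euo pipefail` a failed `cp` still chowns a stale file — a single `install -o "$DSERVER_USER" -m 600 "$keysfile" "$cachefile"` does copy, ownership and mode in one step. `ls /home/ | while read` breaks on names with spaces, and `basename ... | cut -d. -f1` maps a cache file for user `john.doe` back to `john`, so the cleanup pass deletes or keeps the wrong entry; iterate over directories with `find -maxdepth 1 -type d` and strip the suffix with `${name%.authorized_keys}` instead. The script still assumes the directory name under `/home` equals the dtail username, which the config's `Permissions.Users` keys rely on; that assumption is worth a comment at the top.

```shell
#!/bin/bash
set -euo pipefail

declare -r CACHEDIR=/var/run/dserver/cache
declare -r DSERVER_USER=dserver

echo "Updating SSH key cache"

# Assumes the directory name under /home is the dtail username.
find /home -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | while read -r remoteuser; do
    keysfile="/home/$remoteuser/.ssh/authorized_keys"

    # Refuse symlinks: the user owns this path and could point it at any root-readable file.
    if [ -f "$keysfile" ] && [ ! -L "$keysfile" ]; then
        cachefile="$CACHEDIR/$remoteuser.authorized_keys"
        echo "Caching $keysfile -> $cachefile"
        install -o "$DSERVER_USER" -m 600 "$keysfile" "$cachefile" ||
            echo "Failed to cache $keysfile" >&2
    fi
done

# Cleanup obsolete public SSH keys
find "$CACHEDIR" -maxdepth 1 -name '*.authorized_keys' -type f -printf '%f\n' |
while read -r cachename; do
    remoteuser=${cachename%.authorized_keys}
    keysfile="/home/$remoteuser/.ssh/authorized_keys"

    if [ ! -f "$keysfile" ] || [ -L "$keysfile" ]; then
        echo "Deleting obsolete cache file $CACHEDIR/$cachename"
        rm -f "$CACHEDIR/$cachename"
    fi
done

echo "All set..."
```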