Pakiti. Pakiti Client Setup Install one small client rpm on the clients and a configuration file....


Pakiti


Pakiti Client Setup

• Install one small client rpm on the clients and a configuration file.
  – pakiti-client-0.8-1.noarch.rpm
  – edit /etc/pakiti/pakiti-client.conf to point to the web server, select yum/apt/up2date, and insert the sys admin's name


[root@ppslgen tmp]# more /usr/share/doc/pakiti-server-1/README.SERVER

INTRODUCTION

The Pakiti Client is a small Perl script, which will check what packages are available to install on the system and report them to the central Pakiti Server.

WHAT DOES IT DO?

It simply gathers packages provided by your vendor and sends the list to the server.
Pakiti DOES NOT INSTALL ANY UPDATED PACKAGE.

HOW ARE AVAILABLE PACKAGES GATHERED?

Pakiti can currently use 3 tools to gather information about available packages:
- yum
- up2date
- apt-get

Of course, the tool you choose MUST be first properly configured to be able to install updated packages relevant to your distribution.

For instance, if you decide to go for yum, it MUST point to a relevant yum repository.

Extract from the README for more details:


HOW ARE THEY REPORTED TO THE SERVER?

The Pakiti client sends an HTTP message to the server containing the list of available packages.

It is recommended to use HTTPS to authenticate the remote server and to send information through a secure channel. To use HTTPS, your Pakiti configuration file MUST contain the full path of the certificate of the CA that issued the Pakiti server's certificate. In this way, the Pakiti client will be able to check the Pakiti server's certificate. Of course, to use HTTPS, your Pakiti server MUST be HTTPS enabled.

WHERE CAN I CONFIGURE Pakiti CLIENT?

There is only one configuration file to set up the Pakiti client. It is located here:
/etc/pakiti/pakiti-client.conf
It contains the following information:

# Configuration file for Pakiti.

# URL of your local Pakiti server. HTTPS is strongly recommended!
server_url = https://pakiti.cern.ch/feed/

# CA Path for HTTPS connection to your local Pakiti server.
# This is mandatory for HTTPS.
ca_certificate = /etc/grid-security/certificates/

# Curl binary, with the options you like
curl_path = /usr/bin/curl -s

# Delay (minutes)
delay = 0

# Package handling tool: 'up2date' or 'yum' or 'apt-get'
method = apt-get

# section: the contact for the system.
# Put something small that can identify your site.
admin = My_Organization Production

# Log file location.
log = /var/log/pakiti/pakiti.log
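An added example, not part of the Pakiti README: a shell audit of the three client settings that decide whether reports travel over verified HTTPS (server_url, ca_certificate, curl_path). The function names, the sample host pakiti.example.org and the check for curl's -k/--insecure options are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of Pakiti): audit pakiti-client.conf transport settings.

# conf_get FILE KEY -> value of the last "KEY = value" line
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_client_conf FILE -> one finding per line; returns 1 if any finding
audit_client_conf() {
    rc=0
    url=$(conf_get "$1" server_url)
    ca=$(conf_get "$1" ca_certificate)
    curl_cmd=$(conf_get "$1" curl_path)

    case $url in
        https://*) ;;
        *) echo "server_url is not HTTPS: ${url:-unset}"; rc=1 ;;
    esac
    if [ -z "$ca" ]; then
        echo "ca_certificate is not set"; rc=1
    elif [ ! -e "$ca" ]; then
        echo "ca_certificate path does not exist: $ca"; rc=1
    fi
    # curl's -k / --insecure skips server certificate verification
    for opt in $curl_cmd; do
        case $opt in
            --insecure) ;;      # flagged below
            --*) continue ;;    # any other long option
            -*k*) ;;            # short option cluster containing k
            *) continue ;;
        esac
        echo "curl_path disables certificate checks: $opt"; rc=1
    done
    return $rc
}

# Constructed sample: plain HTTP, no CA path, curl told to skip verification
sample_conf() {
    cat <<'EOF'
# Configuration file for Pakiti.
server_url = http://pakiti.example.org/feed/
curl_path = /usr/bin/curl -s -k
method = yum
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && { audit_client_conf "$tmp" || echo "findings above need fixing"; }
rm -f "$tmp"
```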


Pakiti Server Setup

• Need to install it on a web server

• Install the server rpm

• Configure MySQL

• Configure httpd


HOW CAN I CONFIGURE A PAKITI SERVER?

On a RHEL/SL system, the following steps should be sufficient:

1. Install Apache, PHP, mysql-server, mod_ssl, php-mysql and pakiti-client

# apt-get install httpd php mysql-server php-mysql mod_ssl pakiti-client

If other dependencies are needed, the packages should be available through your vendor.
For more information about installing the client, please see the previous section.

2. Install Pakiti-server

Download the latest RPM and run:
# rpm -i pakiti-server-*.rpm

3. Configure the MySQL server

Configure MySQL to start at boot
# chkconfig --level 235 mysqld on

Start the mysqld service
# /etc/init.d/mysqld start

Change the MySQL root password
# /usr/bin/mysql mysql
~ update mysql.user set Password=PASSWORD('strong_root_password') where User='root' and Host='localhost';
~ flush privileges;
~ quit;

Create the pakiti database
# mysqladmin -u root -p create pakiti

Fill the tables
# /usr/bin/mysql -u root -p pakiti < /usr/share/doc/pakiti-server-*/pakiti.sql

Create a Pakiti user
# /usr/bin/mysql -u root -p mysql
~ GRANT SELECT,INSERT,UPDATE,DELETE ON pakiti.* TO 'mysql_user'@'localhost' IDENTIFIED BY 'mysql_password';
~ flush privileges;
~ quit;

Of course, 'mysql_user' and 'mysql_password' are up to you.


4. Configure Apache

It is *strongly* recommended to use HTTPS and client authentication.
One way of doing this is to create a /etc/httpd/conf.d/pakiti.conf containing:

<VirtualHost 0.0.0.0:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SSLCertificateKeyFile <YOUR_HOST_KEY_PATH>
SSLCertificateFile <YOUR_HOST_CERTIFICATE_PATH>
SSLCACertificatePath /etc/grid-security/certificates

DocumentRoot /var/lib/pakiti/www/
ErrorLog logs/pakiti-error
CustomLog logs/pakiti-access common

Alias /feed "/var/lib/pakiti/feed"

<Directory "/var/lib/pakiti/feed">
    SSLRequireSSL
    Options -All
    AllowOverride None
    DirectoryIndex index.php
</Directory>

<Directory "/var/lib/pakiti/www/">
    SSLVerifyClient require
    SSLVerifyDepth 5
    SSLCACertificatePath /etc/grid-security/certificates/
    SSLOptions +FakeBasicAuth
    AuthName "Pakiti: YOUR CERTIFICATE MUST BE REGISTERED"
    AuthType Basic
    require valid-user
    AuthUserFile /var/lib/pakiti/users
    SSLRequireSSL
    Options -All
    AllowOverride None
    DirectoryIndex index.php
</Directory>

</VirtualHost>
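As an added example (not part of the README or of Pakiti): in the SSLCipherSuite line above, ALL enables SSLv2, export-grade and LOW ciphers, and the + prefix only moves ciphers to the end of the list, so those classes stay enabled. The shell sketch below models that evaluation in simplified form; the class list, the function names and the stricter comparison string are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Pakiti README): simplified model of how OpenSSL
# evaluates a cipher string, reporting which weak classes stay enabled.
#   bare token = add    -X = remove    !X = remove permanently
#   +X = move to the end of the list only (adds nothing, removes nothing)

WEAK="SSLv2 EXP LOW RC4 ADH"   # classes this example checks (an assumption)

# has WORD LIST -> succeeds if WORD is in the space-separated LIST
has() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# drop WORD LIST -> prints LIST without WORD
drop() { for w in $2; do [ "$w" = "$1" ] || printf '%s ' "$w"; done; }

# turn_on CLASS -> adds CLASS to $on unless permanently removed or already on
turn_on() { has "$1" "$killed" || has "$1" "$on" || on="$on $1"; }

# weak_enabled CIPHERSTRING -> prints the weak classes left enabled
weak_enabled() {
    on="" killed=""
    for tok in $(printf '%s' "$1" | tr ':' ' '); do
        case $tok in
            '!'*) killed="$killed ${tok#?}"; on=$(drop "${tok#?}" "$on") ;;
            -*)   on=$(drop "${tok#?}" "$on") ;;
            +*)   ;;    # reorder only
            ALL)  for c in $WEAK; do turn_on "$c"; done ;;
            *)    # bare token, possibly compound such as RC4+RSA
                  for c in $(printf '%s' "$tok" | tr '+' ' '); do
                      if has "$c" "$WEAK"; then turn_on "$c"; fi
                  done ;;
        esac
    done
    echo $on
}

# The SSLCipherSuite value from the pakiti.conf shown above
weak_enabled 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
# A stricter string for comparison (an assumption, not from the README)
weak_enabled 'HIGH:!aNULL:!MD5:!RC4'
```

On the server itself, `openssl ciphers -v '<string>'` lists the exact ciphers the installed OpenSSL expands a string to.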


Then people can be authenticated by putting their DN in /var/lib/pakiti/users such as:

/C=CH/O=CERN/OU=GRID/CN=Romain Wartel 7120:xxj31ZMTZzkVA

Note that FakeBasicAuth must have ":xxj31ZMTZzkVA" as a suffix of every DN.
The format is the following:

<DN of user 1>:xxj31ZMTZzkVA
<DN of user 2>:xxj31ZMTZzkVA
<DN of user 3>:xxj31ZMTZzkVA
...

For more details refer to Apache's FakeBasicAuth documentation.


5. Configure the Pakiti Server

The configuration of the Pakiti server can be changed in /etc/pakiti/pakiti-server.conf

# Configuration file for the Pakiti webinterface.

# Set the parameters for connecting to
# the Pakiti database.

[mysql]
hostname = localhost
dbname = pakiti
username = mysql_user
password = mysql_password

[webinterface]
# URL of your local Pakiti server
url = https://pakiti.cern.ch
title = My_Organization

# Reference URL to download the list of security RPMs.
# This setting should normally *not* be changed.
[security_module]
security_rpms = http://pakiti.cern.ch/security.xml

[reporting]
# This section contains details about statistics and full reports
# that can be exported from this local Pakiti server to central Pakiti servers.

# URLs of trusted *central* Pakiti servers, separated by ';'
# that would receive statistics from this local Pakiti server
#send_stats_to = http://pakiti.cern.ch/feed/

# URLs of trusted *central* Pakiti servers, separated by ';'
# that would receive detailed reports from this local Pakiti server
#send_detailed_report_to = http://pakiti.cern.ch/feed/

# CA Path for HTTPS reporting to the central servers. This is mandatory for HTTPS
ca_certificate = /etc/grid-security/certificates/

# Curl binary to connect to the central Pakiti servers, with the options you like
curl_path = /usr/bin/curl -s


Known Bugs

• RHEL 2.1 is using curl 7.8.1, which does not support SSL. This version of curl also has limited buffers. As a result, if the system tries to report a large number of packages to be installed (>50), the reporting process might be broken.

• There are two workarounds:

  1. Apply a few patches to reduce the number of outstanding updates. Your system should not have a large number of fixes to apply!
  2. Update the curl package to curl 7.9.8. The installation might not be nice: you might need to install it with "--no-deps" and you might need to create the following symlink:
     ln -s /usr/lib/libcurl.so.2 /usr/lib/libcurl.so.1
     Note that curl 7.9.8 handles SSL.

Contact

• Please contact Romain Wartel <[email protected]> for any information.


pakiti Shows all nodes grouped by OS version


pakiti 2 Shows Unpatched nodes


pakiti 3 Shows only vulnerable nodes

Shows Nodes not responding