mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-06 15:31:56 +08:00
166 lines
9.7 KiB
Text
166 lines
9.7 KiB
Text
###############################################################################
|
|
## Config for ``bin/cron/osh-encrypt-rsync.pl``
|
|
##
|
|
## Any file in ``/etc/bastion/osh-encrypt-rsync.conf.d`` will also be
|
|
## parsed, in alphabetical order, and take precedence over any
|
|
## option specified in this file.
|
|
##
|
|
## Please ensure this file is only readable by root.
|
|
##
|
|
## This is a JSON file. Verify the syntax and proper GPG configuration
|
|
## with the following command:
|
|
## ``/opt/bastion/bin/cron/osh-encrypt-rsync.pl --config-test``
|
|
##
|
|
#@.. note::
|
|
#@
|
|
#@ This script is called by cron and is responsible for encrypting and
|
|
#@ optionally pushing the recorded ``ttyrec`` files to a distant server, along
|
|
#@ with the user logs (``/home/*/*.log``) and user sqlite files (``/home/*/*.sqlite``).
|
|
#@ The global log and sqlite files are also handled (located in ``/home/logkeeper/``).
|
|
#@ Note that logs sent through syslog are NOT managed by this script.
|
|
#@
|
|
#@.. warning::
|
|
#@
|
|
#@ If left unconfigured, this script won't do anything, and the recorded ``ttyrec`` files,
|
|
#@ along with the log and sqlite files won't be encrypted or moved out from the server.
|
|
#@ This might not be a problem for low-traffic bastions or if you have plenty
|
|
#@ of storage available, though.
|
|
##############################################################################
|
|
{
|
|
# > Logging
|
|
# >> These options configure the way the script logs its actions
|
|
#
|
|
# logfile (string, path to a file)
|
|
# DESC: File where the logs will be written to (don't forget to configure ``logrotate``!).
|
|
# Note that using this configuration option, the script will directly write to the file, without using syslog.
|
|
# If empty, won't log directly to any file.
|
|
# DEFAULT: ""
|
|
"logfile": "",
|
|
#
|
|
# syslog_facility (string)
|
|
# DESC: The syslog facility to use for logging the script output.
|
|
# If set to the empty string, we'll not log through syslog at all.
|
|
# If this configuration option is missing from your config file altogether,
|
|
# the default value will be used (local6), which means that we'll log to syslog.
|
|
# DEFAULT: "local6"
|
|
"syslog_facility": "local6",
|
|
#
|
|
# verbose (int >= 0)
|
|
# DESC: The verbosity level of the logs produced by the script
|
|
# 0: normal (default)
|
|
# 1: log more information about what is happening
|
|
# 2: log debug-level information
|
|
# DEFAULT: 0
|
|
"verbose": 0,
|
|
#
|
|
# > Encryption and signing
|
|
# >> These options configure how the script uses GPG to encrypt and sign the ttyrec files
|
|
#
|
|
# signing_key (string, GPG key ID in short or long format)
|
|
# DESC: ID of the GPG key used to sign the ttyrec files.
|
|
# The key must be in the local root keyring, check it with ``gpg --list-secret-keys``
|
|
# DEFAULT: (none), setting a value is mandatory
|
|
"signing_key": "FFFFFFFF",
|
|
#
|
|
# signing_key_passphrase (string)
|
|
# DESC: This passphrase should be able to unlock the ``signing_key`` defined above.
|
|
# As a side note, please ensure this configuration file only readable by root (0640),
|
|
# to protect this passphrase. As a security measure,
|
|
# the script will refuse to read the configuration otherwise.
|
|
# DEFAULT: (none), setting a value is mandatory
|
|
"signing_key_passphrase": "configure_this_passphrase",
|
|
#
|
|
# recipients (array of array of strings, a string being a GPG key ID in short or long format)
|
|
# DESC: The ttyrecs will be encrypted with those GPG keys, possibly using multi-layer GPG encryption.
|
|
# Each sub-array is a layer, the first sub-array being the first encryption layer (which is also the last one for decryption)
|
|
# To completely decrypt a ttyrec, one would need at least one key of each layer.
|
|
# To encrypt only to a single layer and to only one key, simply use [ [ "KEYID" ] ].
|
|
# To encrypt to a single layer but with 3 keys being able to decrypt the ttyrec, use [ [ "KEY1", "KEY2", "KEY3" ] ], etc.
|
|
# A common use of multi-layer encryption is to have the first layer composed of the auditors' GPG keys, and
|
|
# the second layer composed of the sysadmins' GPG keys. During an audit, the sysadmins would get the ttyrec encrypted file,
|
|
# decrypt the second encryption layer (the first for decryption), and handle the now only auditor-protected file to the auditors.
|
|
# All public keys must be in the local root keyring (gpg --list-keys).
|
|
# Don't forget to trust those keys "ultimately" in root's keyring, too (gpg --edit-key ID)
|
|
# DEFAULT: (none), setting a value is mandatory
|
|
"recipients": [
|
|
[ "AAAAAAAA", "BBBBBBBB" ],
|
|
[ "CCCCCCCC", "DDDDDDDD" ]
|
|
],
|
|
#
|
|
# encrypt_and_move_to_directory (string, a valid directory name)
|
|
# DESC: After encryption (and compression), move ttyrec, user sqlite and user log files to subdirs of this directory.
|
|
# It'll be created if it doesn't exist yet.
|
|
# You may want this directory to be the mount point of a remote filer, if you wish.
|
|
# If you change this, it's probably a good idea to ensure that the path is excluded from the
|
|
# master/slave synchronization, in ``/etc/bastion/osh-sync-watcher.rsyncfilter``.
|
|
# This is already the case for the default value.
|
|
# DEFAULT: "/home/.encrypt"
|
|
"encrypt_and_move_to_directory": "/home/.encrypt",
|
|
#
|
|
# encrypt_and_move_ttyrec_delay_days (int > 0, or -1)
|
|
# DESC: Don't touch ttyrec files that have a modification time more recent than this amount of days.
|
|
# The files won't be encrypted nor moved yet, and will still be readable by the ``selfPlaySession`` command.
|
|
# You can set this to a (possibly) much higher value, the only limit is the amount of disk space you have.
|
|
# If set to -1, the ttyrec files will never get encrypted or moved by this script.
|
|
# The eligible files will be encrypted and moved to ``encrypt_and_move_to_directory``.
|
|
# NOTE: The old name of this option is `encrypt_and_move_delay_days`.
|
|
# If it is found in your configuration file and `encrypt_and_move_ttyrec_delay_days` is not,
|
|
# then the value of `encrypt_and_move_delay_days` will be used instead of the default.
|
|
# DEFAULT: 14
|
|
"encrypt_and_move_ttyrec_delay_days": 14,
|
|
#
|
|
# encrypt_and_move_user_logs_delay_days (int >= 31, or -1)
|
|
# DESC: Don't touch user log files (``/home/*/*.log``) that have been modified more recently than this amount of days.
|
|
# The bare minimum is 31 days, to ensure we're not moving a current-month file.
|
|
# You can set this to a (possibly) much higher value, the only limit is the amount of disk space you have.
|
|
# If set to -1, the user log files will never get encrypted or moved by this script.
|
|
# The eligible files will be encrypted and moved to ``encrypt_and_move_to_directory``.
|
|
# DEFAULT: 31
|
|
"encrypt_and_move_user_logs_delay_days": 31,
|
|
#
|
|
# encrypt_and_move_user_sqlites_delay_days (int >= 31, or -1)
|
|
# DESC: Don't touch user sqlite files (``/home/*/*.sqlite``) that have been modified more recently than this amount of days.
|
|
# The files won't be encrypted nor moved yet, and will still be usable by the ``selfListSessions`` command.
|
|
# The bare minimum is 31 days, to ensure we're not moving a current-month file.
|
|
# You can set this to a (possibly) much higher value, the only limit is the amount of disk space you have.
|
|
# If set to -1, the user sqlite files will never get encrypted or moved by this script.
|
|
# The eligible files will be encrypted and moved to ``encrypt_and_move_to_directory``.
|
|
# DEFAULT: 31
|
|
"encrypt_and_move_user_sqlites_delay_days": 31,
|
|
#
|
|
# > Push files to a remote destination
|
|
# >> These options configure the way the script uses rsync to optionally push the encrypted files out of the server
|
|
#
|
|
# rsync_destination (string)
|
|
# DESC: The value of this option will be passed to ``rsync`` as the destination.
|
|
# Note that the source of the rsync is already configured above, as the ``encrypt_and_move_to_directory``.
|
|
# We only rsync the files that have already been encrypted and moved there.
|
|
# If this option is empty, this will **disable** ``rsync``, meaning that the ttyrec files will be encrypted,
|
|
# but not moved out of the server. In other words, the files will pile up in ``encrypt_and_move_to_directory``,
|
|
# which can be pretty okay in you have enough disk space.
|
|
# DEFAULT: ""
|
|
# EXAMPLE: "user@remotebackup.example.org:/remote/dir"
|
|
"rsync_destination": "",
|
|
#
|
|
# rsync_rsh (string)
|
|
# DESC: The value of this option will be passed to ``rsync``'s ``--rsh`` option.
|
|
# This is useful to specify an SSH key or an alternate SSH port for example.
|
|
# This option is ignored when ``rsync`` is disabled (i.e. when ``rsync_destination`` is empty).
|
|
# EXAMPLE: "ssh -p 222 -i /root/.ssh/id_ed25519_backup"
|
|
# DEFAULT: ""
|
|
"rsync_rsh": "",
|
|
#
|
|
# rsync_delay_before_remove_days (int >= 0, or -1)
|
|
# DESC: After encryption/compression, and successful rsync of ``encrypt_and_move_to_directory`` to remote,
|
|
# wait for this amount of days before removing the encrypted/compressed files locally.
|
|
# Specify 0 to remove the files as soon as they're transferred.
|
|
# This option is ignored when ``rsync`` is disabled (i.e. when ``rsync_destination`` is empty).
|
|
# Note that if rsync is enabled (see ``rsync_destination`` above), we'll always sync the files present in
|
|
# ``encrypt_and_move_to_directory`` as soon as we can, to ensure limitation of logs data loss in case of
|
|
# catastrophic failure of the server. The ``rsync_delay_before_remove_days`` option configures the number
|
|
# of days after we remove the files locally, but note that these have already been transferred remotely
|
|
# as soon as they were present in ``encrypt_and_move_to_directory``.
|
|
# To rsync the files remotely but never delete them locally, set this to -1.
|
|
# DEFAULT: 0
|
|
"rsync_delay_before_remove_days": 0
|
|
}
|