-
Notifications
You must be signed in to change notification settings - Fork 2
/
README
305 lines (205 loc) · 10.8 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
Overview
--------
There was once an AIRT home page at http://www.airt.nl.
Installation
------------
It depends how you want to install the AIRT system. The easiest way is from
package, but if you read this, you likely want to do something more
elaborate.
For a typical development installation of AIRT (on a personal workstation),
make sure you have a working Apache with PHP and a working PostgreSQL database
server. Then cd to the source directory and type:
$ ./bootstrap
This creates a few scripts and files that the GNU Autoconf system needs. Now
type:
$ ./configure
This by default configures stuff to be dropped in the following places:
/usr/local/bin CLI things: airt_import, airt_export...
/usr/local/etc/airt config things: airt.cfg, importqueue.cfg...
/usr/local/lib/man man pages: airt.1, airt_export.1...
/usr/local/share/airt/php PHP files to be published on the www.
/usr/local/share/airt/lib PHP (library) files not to be published on www.
/usr/local/share/doc/airt Documentation files.
It does not actually drop stuff there. ./configure only creates a bunch of
files with the correct paths filled in, so that you now can type:
$ make
which generates even more files and leaves your source tree littered with
production versions of the code. But still there is nothing installed in the
list of directories above. To do this, you need:
$ make install
which you may also do from one of the lower directories. For example, if you
have modified something in the source/php directory, you only need to
execute "make install" in that directory, as all others have been unchanged.
Especially in the source/etc directory you will not often want to execute
"make install" as this overwrites your own live config files (in
/usr/local/etc/airt) with fresh versions with default values. If you do a
"make install" in the source directory itself, it will recurse down the
tree, so be careful with that given the etc directory.
bootstrap, configure, and make are "safe", they won't touch anything in your
live AIRT installation. "make install" is not safe, it will touch things in
your live AIRT installation, and usually you don't want etc to be touched.
You also need to install the following packages:
$ apt install php-mail php-mail-mime php-mail-mimedecode php-soap
Site customization
------------------
No two incident response teams are the same. AIRT offers a number of local
site customization hooks which can be used to taylor its behaviour for local
circumstances. The hooks that are presently provided are
* site specific ip address classification
Depending on the setup of a site, simple classification of an IP address
into a network might not be enough. AIRT offers customization by defining
a function
function custom_categorize($ip, $networkid) {
return $networkid;
}
The function takes as input the IP address that needs to be categorized
and the network id in which it is placed by AIRT's built-in categorization
system. Return the network id in which you want the ip to be categorized.
* site specific ip address details
After an IP address has been categorized into a network, additional
detail can be provided by defining this function. Note that it is possible
to see session variables in this function. A list of settable session
variables can be found in the documentation tree.
function search_info($ip, $networkid) {
return;
} // search_info
* hooks for "events"
Use the customfunctions.plib list to add custom event handlers. Event
handlers take the format
addEventHandler($eventType, $handlerFunction)
E.g. to add a local event handler for the creation of a new incident, add
a line
addEventHander("newincident", "local_NewIncident");
Every time a new incident is created, the function local_NewIncident will
be called, which may take one argument. The argument will contain a
event-specific string.
Installation manual for packages
--------------------------------
1. Configuring AIRT after installation
After installing AIRT, a few actions need to be taken.
Step 1. Create the database referred to in the configuration file. This
would typically be achieved by changing to the postgres user and giving
the following commands
postgres:~% createdb airt
CREATE DATABASE
Step 2. Create the database user that is referred to in the configuration
file. For example,
postgres:~% createuser airt --no-createdb --no-adduser -P
CREATE USER
You will be prompted for a password for the AIRT user. Keep this password
somewhere handy, as you will need it again.
Step 3. Edit /opt/airt/etc/airt/airt/airt.cfg and set the
variables apropriately. Note that the configuration file is a
regular PHP program, and any PHP construct can be used in it. For example,
it is possible to move the database password out of the main configuration
file and move it to its own file by using PHP's require_once operator.
Step 4 (preferred). Make sure that the airt user has access to the
database. Edit pg_ident.conf and add a map
airt-users www-data airt
Also, in pg_hba.conf, make sure that the airt-users have access to the
database.
local airt airt ident airt-users
Step 4 (alternative). If you do not wish to use ident maps, you need to
use username/password authentication. Since the password will be available
in plain text in your filesystem, you will need to take precautions.
Make sure the airt user has access to the database. Edit
pg_hba.conf. On most systems, that file can be found in /etc/postgresql,
but your milage may vary.
Keep in mind that the order of access control rules in pg_hba.conf is
important. Add the following line after the line which grants the postgres
user access to all databases:
local airt airt password
Step 5. As root, signal postgres to reload the configuration. On most
installations, this may be achieved by a command similar to
/etc/init.d/postgresql restart, however you may have chosen a different
setup.
Debian administrators may use the command:
root:~# invoke-rc.d postgresql reload
Step 6. Initialise the database.
Dont worry if the script outputs ERRORs in the the beginning; this is due
to the fact that it tries to drop sequences and tables that may not exist
yet.
Having psql and gunzip in your PATH, do:
postgres:~% gunzip -c /opt/airt/doc/database/airtschema.sql.gz \
|psql airt airt
Step 7. Bootstrap the database.
postgres:~% psql airt airt < \
/opt/airt/doc/database/airtbootstrap.sql
Step 8. Configure your web server. If you are using Apache, the easiest
way to do this is to add a symbolic link in your configuration directory
and include that file.
Debian administrators can achieve the same by adding a symbolic link
in /etc/apache/conf.d (or /etc/apache2/conf.d) which leads to
/opt/airt/etc/airt/airt/airt-apache.conf
Step 9. Confirm that the configuration file is correct. Apache
administrators do
root:~# apachectl configtest
(or apache2ctl, or apache-sslctl, etc)
Step 10. If everything checks out, reload the apache configuration and you
should be done. If apache is already running, do
root:~# /etc/init.d/apache reload
else do
root:~# /etc/init.d/apache start
Step 11. Change the admin password. Point your browser at the machine that
hosts the application, typically:
http://your.host.com/airt/
(mind the trailing slash) and log in with user admin, password admin. On
the main menu, click Edit settings > Edit users. Then, on the line with
the admin user, click edit and set a (different) password.
AIRT deinstallation manual for packages
---------------------------------------
Uninstalling AIRT consists of the following steps:
Step 1: Remove PHP files; generally this may be achieved by
root:~# rm -rf /usr/share/airt
Depending on your packacing policy, this may differ. Debian administrators
do
root:~# apt-get remove --purge airt
Step 2: Remove data files. Generally this may be achieved by
root:~# rm -rf /var/lib/airt
Debian administrators can skip this step, as it is taken care of by the
--purge option to apt-get remove.
Step 3: Remove the database. This may be achieved by
postgres:~% psql template1
Welcome to psql 7.4.6, the PostgreSQL interactive terminal.
...
template1=# drop database airt;
DROP database
Step 4: Remove the database user. This may be achieved by
template1=# drop user airt;
DROP USER
Step 5: Update pg_hba.conf. Remove the line which grants access to the
airt database from pg_hba.conf and signal Postgresql to reload its
configuration files.
AIRT upgrade manual for packages
--------------------------------
If you upgrade AIRT with a live database in place, the current package
system does *not* automatically perform a database schema upgrade yet. You
need to do this manually. However, we give you a tool to do this.
Each release contains a database schema file which can be used to compare
your current database to what it should be. This file is
/opt/airt/doc/database/airtschema.sql. At any time, your database should be
consistent with this schema file.
When relevant, a new release contains a database upgrade script to
facilitate your database upgrade. The upgrade scripts are named:
/opt/airt/doc/database/airtschema-from-PREVREL-to-CURRENTREL.sql
If you run the appropriate script against a database from PREVREL, you will
hopefully end up with a database for CURRENTREL. The development team has
tested these upgrade scripts, but as always it is wise to first make a
backup of your complete AIRT database before running anything out of the
ordinary against it.
Example upgrade session (first backup, then upgrade):
postgres:~% pg_dump -f /var/tmp/airt-20050607.1.sql airt
postgres:~% psql airt airt < \
/opt/airt/doc/database/airtschema-from-20050607.1-to-20050610.1.sql
Should you see any warnings or errors, please review them carefully. In
many cases, there is no real problem, but for consistency reasons you should
try to fix the offending issues.
Digitally signing outgoing mail with GPG
----------------------------------------
AIRT is able to digitally sign messages using GPG. To enable the feature, edit
the configuration file and uncomment the line which defined the GPG_KEYID.
Replace the keyID with your own key, and set the GPG_HOMEDIR to a directory in
which a keyring can be found containing the key that must be used to signed
messages.
The GPG_HOMEDIR should point to a directory which is owned by www-data.www-data and has permission mode 700. The pubring.gpg and the secring.gpg files which must be present in that directory must be mode 500.
# EOF