SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Improve docs

Browse source 
* Correct language in a few points.
 * Move upload example to use TLS client certificates as recommended.
This commit is contained in:
Bernhard Reiter 2022-05-31 15:58:46 +02:00
parent 773047a91d
commit 873fa9ccb4
No known key found for this signature in database
GPG key ID: 2B7BA3BF9BC3A554
2 changed files with 20 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -51,7 +51,7 @@ Binaries will be placed in directories named like `bin-linux-amd64/` and `bin-wi
### Setup (Trusted Provider) ### Setup (Trusted Provider)
- [Install](https://nginx.org/en/docs/install.html) **nginx** - [Install](https://nginx.org/en/docs/install.html) **nginx**
- To install server certificate on nginx see [docs/install-server-certificate.md](docs/install-server-certificate.md) - To install a TLS server certificate on nginx see [docs/install-server-certificate.md](docs/install-server-certificate.md)
- To configure nginx see [docs/provider-setup.md](docs/provider-setup.md) - To configure nginx see [docs/provider-setup.md](docs/provider-setup.md)
- To configure nginx for client certificate authentication see [docs/client-certificate-setup.md](docs/client-certificate-setup.md) - To configure nginx for client certificate authentication see [docs/client-certificate-setup.md](docs/client-certificate-setup.md)

32
docs/provider-setup.md
View file

@ -11,7 +11,7 @@ adjust the examples to your needs.
apt-get install nginx fcgiwrap apt-get install nginx fcgiwrap
cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf
``` ```
Check if the CGI server and the fcgiwrap Socket active (running): Check if the CGI server and the fcgiwrap Socket are active (running):
```bash ```bash
systemctl status fcgiwrap.service systemctl status fcgiwrap.service
systemctl status fcgiwrap.socket systemctl status fcgiwrap.socket
@ -87,17 +87,18 @@ server {
``` ```
Reload nginx to apply the changes (e.g. ```systemctl reload nginx``` on Debian or Ubuntu). Reload nginx to apply the changes (e.g. ```systemctl reload nginx``` on Debian or Ubuntu).
Create `cgi-bin` folder if not exists `mkdir -p /usr/lib/cgi-bin/`. Create `cgi-bin` folder if it not exists: `mkdir -p /usr/lib/cgi-bin/`.
Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_provider.go`. Rename and place the `csaf_provider` binary file under `/usr/lib/cgi-bin/csaf_provider.go`.
Create configuration file under `/usr/lib/csaf/config.toml` Create configuration file under `/usr/lib/csaf/config.toml`
and make sure is has good restrictive permissions. and make sure is has good, restrictive permissions.
It must be readable by the user id, which the webserver fastcgi interface It must be readable by the user(id), which the webserver's fastcgi interface
uses to start the CGI-binary, as `csaf_provider.go` must be able to read it. uses to start the CGI-binary with,
as `csaf_provider.go` must be able to read it.
Many setups use `www-data` as user id, so you could do something like Many systems use `www-data` as user id, so you could do something like
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=84-86) --> <!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/setupProviderForITest.sh&lines=84-86) -->
<!-- MARKDOWN-AUTO-DOCS:END --> <!-- MARKDOWN-AUTO-DOCS:END -->
@ -126,15 +127,18 @@ on a GNU/Linux operating system.
Create the folders: Create the folders:
```(shell) ```(shell)
curl https://192.168.56.102/cgi-bin/csaf_provider.go/create --cert-type p12 --cert {clientCertificatfile} curl https://192.168.56.102/cgi-bin/csaf_provider.go/create --cert-type p12 --cert {clientCertificat.p12}
``` ```
Replace {clientCertificate} with the client certificate file. Replace {clientCertificate.p12} with the client certificate file
in pkcs12 format which includes the corresponding key as well.
Or using the uploader: Or using the uploader:
```(shell) ```(shell)
./csaf_uploader -a create -u http://192.168.56.102/cgi-bin/csaf_provider.go -p {password} ./csaf_uploader --action create --url https://192.168.56.102/cgi-bin/csaf_provider.go --client-cert {clientCert.crt} --client-key {clientKey.pem}
``` ```
Replace {password} with the password used for the authentication with csaf_provider.
This needs to set the `password` option in `config.toml`. Again replacing `{clientCert.crt}` and `{clientKey.pem}` accordingly.
To let nginx resolves the DNS record `csaf.data.security.domain.tld` to fulfill the [Requirement 10](https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html#7110-requirement-10-dns-path) configure a new server block (virtual host) in a separated file under `/etc/nginx/available-sites/{DNSNAME}` like following: To let nginx resolves the DNS record `csaf.data.security.domain.tld` to fulfill the [Requirement 10](https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html#7110-requirement-10-dns-path) configure a new server block (virtual host) in a separated file under `/etc/nginx/available-sites/{DNSNAME}` like following:
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/DNSConfigForItest.sh&lines=18-35) --> <!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/DNSConfigForItest.sh&lines=18-35) -->
@ -202,12 +206,12 @@ Provider has many config options described as following:
* Uploading should be done with the uploader and secured by TLS * Uploading should be done with the uploader and secured by TLS
client certificates which are individual per person allowed to upload. client certificates which are individual per person allowed to upload.
This way it can be traced in the log, who did which uploads. This way it can be traced in the log, who did which uploads.
* For TLS client and setups with normal security requirement, * For TLS client setups with normal security requirements,
it should be okay to run a small internal it should be okay to run a small internal
certificate authority like the example certificate authority like the example
in [development-client-certs.md](development-client-certs.md), in [development-client-certs.md](development-client-certs.md),
and import the root certificate on the systems that are allowed to and import the root certificate on the systems that have users which
upload. want to upload.
* The single `password` is only for very simple settings, testing or * The single `password` is only for very simple settings, testing or
(planned feature) as (planned feature) as
additional method in the special situation that TLS client certificates additional method in the special situation that TLS client certificates