cmusei.rwreceiver

rwreceiver

This role sets up the rwreceiver service, a daemon that receives files sent from one or more rwsender processes and stores them in a designated directory. For more details, see the rwreceiver documentation.

Requirements

If you plan to use TLS (a secure connection), you need to create and upload matching certificates for both the sender and receiver.

Role Variables

Here are the variables you can use, along with their default values (see defaults/main.yml):

  • silk_packing_tools_loc: "/usr/local/sbin"
    This is the location of the silk packing tools.

  • silk_tls_support: False
    Indicates if TLS will be used for connections.

  • rwreceiver_myname: "rwreceiver"
    This is the name of the rwreceiver process. You can run multiple instances on the same machine with different names.

  • rwreceiver_conf_template: "rwreceiver.conf.j2"

  • rwreceiver_conf_file_loc: "/usr/local/etc"

  • rwreceiver_conf_file_path: "{{ rwreceiver_conf_file_loc }}/{{ rwreceiver_myname }}.conf"

  • rwreceiver_init_template: "rwreceiver.j2"

  • rwreceiver_init_file_path: "/etc/init.d/{{ rwreceiver_myname }}"
    These are templates for configuration files and where they will be saved.

  • rwreceiver_statedirectory: "/usr/local/var/lib/rwreceiver"
    Directory for rwreceiver state.

  • rwreceiver_create_directories: "no"
    Set to "yes" to create defined directories automatically.

  • rwreceiver_bin_dir: "{{ silk_packing_tools_loc }}"
    Directory for the "rwreceiver" program.

  • rwreceiver_destination_dir: "{{ rwreceiver_statedirectory }}/destination"
    Where received files go.

  • rwreceiver_mode: "client"
    Defines whether the receiver runs in server or client mode.

  • rwreceiver_id: "receiver-1"
    Name for this receiver instance.

  • rwreceiver_port
    Port for the server to listen for connections (only in server mode).

  • rwreceiver_post_command
    Command to run after each file is received.

  • rwreceiver_freespace_min
    Space to keep free, in bytes.

  • rwreceiver_space_max_percent
    Maximum percentage of space to use in the destination directory.

  • rwreceiver_sender_servers
    Required in client mode; format: <identifier> <host>:<port>

  • rwreceiver_sender_clients
    Required in server mode; format: <identifier>

  • rwreceiver_duplicate_dirs
    Allows multiple destination directories for incoming files.

  • rwreceiver_duplicate_copies
    Controls how files are copied, either as links or complete copies.

  • rwreceiver_log_type
    Type of logging, either "legacy" or "syslog".

  • rwreceiver_log_level
    Minimum log level (varies from emergency to debug).

  • rwreceiver_log_dir
    Where log files are saved.

  • rwreceiver_pid_dir
    Directory for the PID file.

  • rwreceiver_user: "root"
    User who runs the program (root for privileged ports).

  • rwreceiver_extra_options
    Additional options for rwreceiver.

When using optional GnuTLS support with silk_tls_support: True, you need to specify a CA file path and either a PKCS#12 file or certificate and key files. If the PKCS#12 file has a password, set the RWRECEIVER_TLS_PASSWORD environment variable before starting rwreceiver.

TLS variables:

  • rwreceiver_tls_ca
    Path to the root CA file, in PEM format.

  • rwreceiver_tls_pkcs
    Path to the PKCS#12 file, in DER format.

  • rwreceiver_tls_key
    Path to the key file, in PEM format.

  • rwreceiver_tls_cert
    Path to the certificate file, in PEM format.

  • rwreceiver_tls_crl
    Path to the Certificate Revocation List (optional).

  • rwreceiver_tls_priority
    Cipher preference order (optional).

  • rwreceiver_tls_security
    Security level for Diffie-Hellman parameters (optional).

  • rwreceiver_tls_debug_level
    Debugging level for GnuTLS (optional).
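
A pre-flight check for the rules stated above (mode-specific sender lists, the server port, and the TLS file requirements), added here as an example and not part of the role. check_rwreceiver_vars is a hypothetical helper; it assumes the variables are already loaded into a dict and that sender lists hold one entry per line, as in the example playbook.

```python
import re

# Entry formats taken from the variable descriptions above.
SERVER_ENTRY = re.compile(r"^\S+\s+\S+:(\d+)$")  # <identifier> <host>:<port>
CLIENT_ENTRY = re.compile(r"^\S+$")              # <identifier>

def _lines(value):
    # Split a YAML block scalar into non-empty, stripped lines.
    return [ln.strip() for ln in str(value or "").splitlines() if ln.strip()]

def _valid_port(value):
    return str(value).isdigit() and 1 <= int(value) <= 65535

def check_rwreceiver_vars(v):
    """Return a list of problems found in a dict of role variables."""
    problems = []
    mode = v.get("rwreceiver_mode", "client")  # role default is "client"
    if mode == "server":
        port = v.get("rwreceiver_port")
        if not _valid_port(port):
            problems.append("server mode needs a valid rwreceiver_port")
        elif int(port) < 1024 and v.get("rwreceiver_user", "root") != "root":
            problems.append("privileged port requires rwreceiver_user root")
        peers = _lines(v.get("rwreceiver_sender_clients"))
        if not peers or any(not CLIENT_ENTRY.match(p) for p in peers):
            problems.append("rwreceiver_sender_clients: one <identifier> per line")
    elif mode == "client":
        peers = _lines(v.get("rwreceiver_sender_servers"))
        bad = [p for p in peers
               if not (m := SERVER_ENTRY.match(p)) or not _valid_port(m.group(1))]
        if not peers or bad:
            problems.append("rwreceiver_sender_servers: '<identifier> <host>:<port>' per line")
    else:
        problems.append("rwreceiver_mode must be 'client' or 'server'")
    if v.get("silk_tls_support"):
        if not v.get("rwreceiver_tls_ca"):
            problems.append("TLS needs rwreceiver_tls_ca")
        has_pkcs = bool(v.get("rwreceiver_tls_pkcs"))
        has_pair = bool(v.get("rwreceiver_tls_key")) and bool(v.get("rwreceiver_tls_cert"))
        if not (has_pkcs or has_pair):
            problems.append("TLS needs rwreceiver_tls_pkcs or both key and cert")
    return problems

# Constructed sample: server mode with TLS enabled but no key, cert or PKCS#12 set.
SAMPLE = {"rwreceiver_mode": "server", "rwreceiver_port": "3737",
          "rwreceiver_sender_clients": "sender1\nsender2\n",
          "silk_tls_support": True, "rwreceiver_tls_ca": "/etc/pki/tls/testcert.pem"}
```

Calling check_rwreceiver_vars(SAMPLE) reports the missing TLS credential; an empty list means the variables satisfy the rules checked here.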

Dependencies

  • cmusei.silk

Example Playbook

- hosts: server
  become: true
  vars:
    data_root_dir: "/data"
    silk_tls_support: True
    rwreceiver_statedirectory: "{{ data_root_dir }}/rwreceiver"
    rwreceiver_destination_dir: "{{ rwreceiver_statedirectory }}/incoming"
    rwreceiver_create_directories: "yes"
    rwreceiver_mode: "server"
    rwreceiver_port: "3737"
    rwreceiver_sender_clients: |
        sender1
        sender2
    tls_ca: "testcert.pem"
    tls_key: "client-key.pem"
    tls_cert: "client-cert.pem"
    rwreceiver_tls_ca: "/etc/pki/tls/{{ tls_ca }}"
    rwreceiver_tls_key: "/etc/pki/tls/private/{{ tls_key }}"
    rwreceiver_tls_cert: "/etc/pki/tls/{{ tls_cert }}"
    rwreceiver_pid_dir: "/var/run"
  pre_tasks:
    # Install the CA certificate, private key and certificate before the role runs.
    - name: Copy ssl certs
      copy:
        src: "{{ item.f }}"
        dest: "{{ item.d }}"
        mode: "{{ item.m }}"
        owner: "root"
        group: "root"
      with_items:
        - f: "{{ tls_ca }}"
          d: "{{ rwreceiver_tls_ca }}"
          m: '0644'
        # The private key is readable only by its owner (root).
        - f: "{{ tls_key }}"
          d: "{{ rwreceiver_tls_key }}"
          m: '0600'
        - f: "{{ tls_cert }}"
          d: "{{ rwreceiver_tls_cert }}"
          m: '0644'
  roles:
    - role: cmusei.rwreceiver
      tags: [ 'rwreceiver' ]

License

Copyright 2020 Carnegie Mellon University.
NO WARRANTY. This material is provided "AS-IS". No guarantees of any kind are made. This document is released under an MIT (SEI)-style license. For more details, see license.txt or contact permission@sei.cmu.edu.

Author Information

This role was created in 2019 by Matt Heckathorn.

Project Information

A role to configure the rwreceiver service

Installation

ansible-galaxy install cmusei.rwreceiver