Re: Encrypting/emailing logs and configs

To: Sean McAvoy <sean.mcavoy@megawheels.com>
Cc: debian-security@lists.debian.org
Subject: Re: Encrypting/emailing logs and configs
From: lupe@lupe-christoph.de (Lupe Christoph)
Date: Sat, 2 Nov 2002 10:26:07 +0100
Message-id: <[🔎] 20021102092607.GD11922@lupe-christoph.de>
In-reply-to: <1036001252.15035.8.camel@tech03>
References: <1036001252.15035.8.camel@tech03>

On Wednesday, 2002-10-30 at 13:07:31 -0500, Sean McAvoy wrote:

> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?

I'm doing something similar on a firewall I set up. It uses find/cpio
to make an incremental dump (--newer SOME-MARK-FILE) and encrypts it.
The dump is put in a directory that is part of a chroot jail. It gets
encrypted with a public key in gpg.

I pick it up from an internal machine with scp with a key without
passphrase. The account used on the firewall has scponlyc as shell.
(If you don't know scponly, it permits only certain ssh operations, and
the scponlyc variant puts itself in a chroot jail. Which in my case
contains only the scp executables. http://sublimation.org/scponly/

The dump can only be decrypted with a special secret key, and access to
it's passphrase is controlled.

This is the dump script (BTW, this is a FreeBSD machine, you have to
adjust the pathes):

#!/bin/sh

LD_LIBRARY_PATH=/usr/local/bin export LD_LIBRARY_PATH

/bin/rm -f /jail/backup/level1.cpio.gpg && \
/usr/bin/find / /var -xdev -newer /jail/backup/Level0.mark -print0 | \
  /usr/bin/cpio --create --format=newc --null --io-size=32768 --quiet | \
  /usr/local/bin/gpg --encrypt --output /jail/backup/level1.cpio.gpg --recipient backup@biering.de

And this is the "fetch" script (SuSE box):
#!/bin/sh

LOCALFILE=/data/backup/cabernet/level1.cpio-`date +%Y%m%d-%a`.gpg
REMOTEFILE=backup/level1.cpio.gpg
KEYFILE=/root/.ssh/cabernet-backup-id

/usr/bin/scp -B -q -i $KEYFILE backup@cabernet:$REMOTEFILE $LOCALFILE

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |

Reply to:

Prev by Date: tiger reporting thousands of files with "undefined groups ownership"
Next by Date: RE: tiger reporting thousands of files with "undefined groups ownership"
Previous by thread: Re: tiger reporting thousands of files with "undefined groups ownership"
Next by thread: unsubscribe
Index(es):
- Date
- Thread