Re: Encrypting/emailing logs and configs
On Wednesday, 2002-10-30 at 13:07:31 -0500, Sean McAvoy wrote:
> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else set up
> something similar?

I'm doing something similar on a firewall I set up. It uses find/cpio
to make an incremental dump (--newer SOME-MARK-FILE) and encrypts it.
The dump is put in a directory that is part of a chroot jail. It gets
encrypted with a public key in gpg.

I pick it up from an internal machine with scp with a key without
passphrase. The account used on the firewall has scponlyc as shell.
(If you don't know scponly, it permits only certain ssh operations, and
the scponlyc variant puts itself in a chroot jail, which in my case
contains only the scp executables. http://sublimation.org/scponly/)

The dump can only be decrypted with a special secret key, and access to
its passphrase is controlled.

This is the dump script (BTW, this is a FreeBSD machine, you have to
adjust the paths):

# Level 1 (incremental) dump: files newer than the level 0 mark file,
# encrypted to the backup public key and written into the jail directory.
LD_LIBRARY_PATH=/usr/local/bin
export LD_LIBRARY_PATH
/bin/rm -f /jail/backup/level1.cpio.gpg && \
/usr/bin/find / /var -xdev -newer /jail/backup/Level0.mark -print0 | \
/usr/bin/cpio --create --format=newc --null --io-size=32768 --quiet | \
/usr/local/bin/gpg --encrypt --output /jail/backup/level1.cpio.gpg --recipient email@example.com

And this is the "fetch" script (SuSE box):

# KEYFILE, REMOTEFILE and LOCALFILE are not defined in this excerpt.
/usr/bin/scp -B -q -i "$KEYFILE" "backup@cabernet:$REMOTEFILE" "$LOCALFILE"

| firstname.lastname@example.org | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |
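
Added example, not part of the original message: without the secret key, the fetching side can still check that what it picked up is gpg output and not a plain newc cpio archive or an empty file left behind by a failed pipeline. The function names and sample bytes are constructed for illustration, and the check assumes the first OpenPGP packet is the public-key encrypted session key packet (tag 1) that gpg --encrypt writes.

```shell
#!/bin/sh
# Added example: first-bytes check for a fetched dump on a host that cannot decrypt it.

# classify_dump FILE prints: pgp-binary | pgp-armored | cpio-plain | empty | unknown
classify_dump() {
    [ -s "$1" ] || { echo empty; return 0; }
    # First six bytes as lowercase hex, e.g. "303730373031" for ASCII "070701".
    hex=$(od -An -tx1 -N 6 "$1" | tr -d ' \n')
    case $hex in
        303730373031*)      # cpio newc magic "070701": the archive was never encrypted
            echo cpio-plain ;;
        8[4-7]*|c1*)        # OpenPGP packet tag 1 (PKESK), old- or new-format header
            echo pgp-binary ;;
        2d2d2d2d2d*)        # "-----": armored only if the first line says so
            IFS= read -r first < "$1" || :
            case $first in
                "-----BEGIN PGP MESSAGE-----"*) echo pgp-armored ;;
                *) echo unknown ;;
            esac ;;
        *)  echo unknown ;;
    esac
}

# accept_dump FILE succeeds only when FILE looks like gpg --encrypt output.
accept_dump() {
    kind=$(classify_dump "$1")
    case $kind in
        pgp-binary|pgp-armored) return 0 ;;
    esac
    echo "rejecting $1: $kind, not an OpenPGP message" >&2
    return 1
}

# Constructed samples, not real dumps; run with the argument "demo" to see the verdicts.
demo() {
    d=$(mktemp -d) || return 1
    printf '\205\001\014' > "$d/encrypted"   # 0x85: old-format PKESK, two-byte length
    printf '070701000001' > "$d/plaintext"   # start of a newc header
    : > "$d/empty"
    for f in encrypted plaintext empty; do
        echo "$f: $(classify_dump "$d/$f")"
    done
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

In a fetch script this would run right after scp, for example as accept_dump "$LOCALFILE" || exit 1, before the new file replaces an older copy.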