The_miro
/
Dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,044 Commits
1 Branch
0 Tags
20 MiB
Commit Graph

3 Commits (0fcb9fb19300fb4153419442e12762d8bc27b7c7)

Author SHA1 Message Date
Amir Alexander Abdelbaki aced2c754e feat(ansipa): add daemon enable/disable policy via host-group regex 
Host groups named policy-daemon-enable-<unit> and
policy-daemon-disable-<unit> are now matched by a wildcard case arm in
the group parser — no per-service configuration required.

Enforcement (every 30 min via existing timer):
  enable:  systemctl enable --now <unit>; state written to
           /var/lib/ansipa-policies/daemon-enabled
  disable: systemctl disable --now <unit>; state written to
           /var/lib/ansipa-policies/daemon-disabled
  revert:  when a host leaves a group the opposite action is applied
           on the next run (enable→disable, disable→enable)
  conflict: unit in both lists is skipped with a warning

The .service suffix is optional — _svc_unit() appends it when the name
contains no dot, so all systemd unit types work as-is.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 15:25:15 +02:00
Amir Alexander Abdelbaki 11e66dbddd feat(freeipa): scan result reporting, alert notifications, and SMB share 
Container (ansipa image):
- Add samba + cronie to Dockerfile; expose ports 445/139
- ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user +
  /data/scan-results/{archive,alerts}/ on every container start
- ansipa-smb.service: runs setup before smb.service on each boot
- ansipa-check-scans.sh: hourly cron on server; analyses archive logs for
  ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files
- docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings
- .env.example: document SMB_SCAN_PASSWORD

Client (policy-security-scan):
- Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/
  via smbclient after each run

Client (policy-scan-notify — new policy group):
- ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into
  ~/administration/<hostname>/ for each active login session; deletes server
  alert when user removes local file (acknowledgment)
- ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh;
  sends notify-send every 10 min while *.alert files remain in ~/administration/
- deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file
  (/etc/ansipa-smb.creds, 0600), and deploys both notification scripts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 12:32:21 +02:00
Amir Alexander Abdelbaki 45fd7e5d36 feat(freeipa): add policy enforcement for binary blocking, backups, scans, and sudo 
Introduces a FreeIPA host-group-driven policy system alongside a sudo
rules management playbook:

- ansipa-enforce-policies.sh: client-side enforcer (systemd timer, 30 min)
  - policy-block-binary-<name>: PATH-priority wrapper blocks the binary
  - policy-timeshift-backup: daily Timeshift snapshot cron (03:00)
  - policy-security-scan: daily ClamAV/rkhunter/chkrootkit cron (02:00)
  Policies are reversible — leaving a group removes enforcement on next run.

- deploy-ansipa-policies.yml: deploys enforcer + systemd service/timer to clients

- manage-sudo-rules.yml: creates FreeIPA sudo rules (allow_sudoers,
  allow_sudo_nopasswd) that SSSD clients already pick up via --sudo enrollment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-20 11:34:09 +02:00