Amir Alexander Abdelbaki
45fd7e5d36
feat(freeipa): add policy enforcement for binary blocking, backups, scans, and sudo
Introduces a FreeIPA host-group-driven policy system alongside a sudo
rules management playbook:
- ansipa-enforce-policies.sh: client-side enforcer (systemd timer, 30 min)
- policy-block-binary-<name>: PATH-priority wrapper blocks the binary
- policy-timeshift-backup: daily Timeshift snapshot cron (03:00)
- policy-security-scan: daily ClamAV/rkhunter/chkrootkit cron (02:00)
Policies are reversible — leaving a group removes enforcement on next run.
- deploy-ansipa-policies.yml: deploys enforcer + systemd service/timer to clients
- manage-sudo-rules.yml: creates FreeIPA sudo rules (allow_sudoers,
allow_sudo_nopasswd) that SSSD clients already pick up via --sudo enrollment.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-20 11:34:09 +02:00