policy-scan-notify is now a FreeIPA *user* group instead of a host group,
so alert notifications follow the user to every enrolled machine. The
fetch-alerts timer is installed fleet-wide on any host where the group exists;
the profile.d snippet gates notification daemon start on runtime group
membership (id(1) / SSSD) so non-members log in unaffected.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
policy-block-binary-<name> is now a FreeIPA *user* group instead of a host group,
so restrictions follow the user to every enrolled machine. The PATH wrapper is
installed on all hosts and checks group membership at runtime via id(1)/SSSD,
passing non-members through transparently. __ in the group name decodes to .
so Flatpak app IDs are supported (flatpak run fallback included). AppArmor layer
removed since per-user confinement requires a different approach and the wrapper
alone is sufficient. Adds local_sudo_<username> host group policy which writes
a sudoers drop-in granting that user full sudo on the specific device, reverted
on group leave.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds a new host group policy `no_local_users` that locks the passwords of root
and all local users (UID >= 1000) via `passwd -l`, ensuring only FreeIPA domain
accounts with centrally-managed sudo rules can authenticate and gain elevated
privileges. Leaving the group reverts by unlocking every account tracked in the
state file. Updates docs with group reference entry and Local User Lockdown section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Host groups named policy-daemon-enable-<unit> and
policy-daemon-disable-<unit> are now matched by a wildcard case arm in
the group parser — no per-service configuration required.
Enforcement (every 30 min via existing timer):
enable: systemctl enable --now <unit>; state written to
/var/lib/ansipa-policies/daemon-enabled
disable: systemctl disable --now <unit>; state written to
/var/lib/ansipa-policies/daemon-disabled
revert: when a host leaves a group the opposite action is applied
on the next run (enable→disable, disable→enable)
conflict: unit in both lists is skipped with a warning
The .service suffix is optional — _svc_unit() appends it when the name
contains no dot, so all systemd unit types work as-is.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Container (ansipa image):
- Add samba + cronie to Dockerfile; expose ports 445/139
- ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user +
/data/scan-results/{archive,alerts}/ on every container start
- ansipa-smb.service: runs setup before smb.service on each boot
- ansipa-check-scans.sh: hourly cron on server; analyses archive logs for
ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files
- docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings
- .env.example: document SMB_SCAN_PASSWORD
Client (policy-security-scan):
- Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/
via smbclient after each run
Client (policy-scan-notify — new policy group):
- ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into
~/administration/<hostname>/ for each active login session; deletes server
alert when user removes local file (acknowledgment)
- ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh;
sends notify-send every 10 min while *.alert files remain in ~/administration/
- deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file
(/etc/ansipa-smb.creds, 0600), and deploys both notification scripts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Binary blocking now applies two layers:
1. PATH-priority wrapper in /usr/local/bin/ (existing)
2. Empty AppArmor profile in /etc/apparmor.d/ loaded in enforce mode
An empty AppArmor profile denies all access — the blocked binary cannot
load shared libraries and exits immediately with a permission error,
covering callers that use absolute paths and bypassed the wrapper.
AppArmor layer is skipped silently when apparmor_parser is not present,
and deferred with a warning if the real binary is not yet installed.
Profiles are unloaded and deleted when the host leaves the policy group.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Amir Alexander Abdelbaki