Dotfiles

Commit Graph

Author	SHA1	Message	Date
Amir Alexander Abdelbaki	fb8ca498ef	feat(freeipa): add AppArmor deny profiles to binary blocking policy Binary blocking now applies two layers: 1. PATH-priority wrapper in /usr/local/bin/ (existing) 2. Empty AppArmor profile in /etc/apparmor.d/ loaded in enforce mode An empty AppArmor profile denies all access — the blocked binary cannot load shared libraries and exits immediately with a permission error, covering callers that use absolute paths and bypassed the wrapper. AppArmor layer is skipped silently when apparmor_parser is not present, and deferred with a warning if the real binary is not yet installed. Profiles are unloaded and deleted when the host leaves the policy group. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-20 12:00:55 +02:00
Amir Alexander Abdelbaki	45fd7e5d36	feat(freeipa): add policy enforcement for binary blocking, backups, scans, and sudo Introduces a FreeIPA host-group-driven policy system alongside a sudo rules management playbook: - ansipa-enforce-policies.sh: client-side enforcer (systemd timer, 30 min) - policy-block-binary-<name>: PATH-priority wrapper blocks the binary - policy-timeshift-backup: daily Timeshift snapshot cron (03:00) - policy-security-scan: daily ClamAV/rkhunter/chkrootkit cron (02:00) Policies are reversible — leaving a group removes enforcement on next run. - deploy-ansipa-policies.yml: deploys enforcer + systemd service/timer to clients - manage-sudo-rules.yml: creates FreeIPA sudo rules (allow_sudoers, allow_sudo_nopasswd) that SSSD clients already pick up via --sudo enrollment. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-20 11:34:09 +02:00

Author

SHA1

Message

Date

Amir Alexander Abdelbaki

fb8ca498ef

feat(freeipa): add AppArmor deny profiles to binary blocking policy

Binary blocking now applies two layers:
  1. PATH-priority wrapper in /usr/local/bin/ (existing)
  2. Empty AppArmor profile in /etc/apparmor.d/ loaded in enforce mode

An empty AppArmor profile denies all access — the blocked binary cannot
load shared libraries and exits immediately with a permission error,
covering callers that use absolute paths and bypassed the wrapper.

AppArmor layer is skipped silently when apparmor_parser is not present,
and deferred with a warning if the real binary is not yet installed.
Profiles are unloaded and deleted when the host leaves the policy group.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-20 12:00:55 +02:00

Amir Alexander Abdelbaki

45fd7e5d36

feat(freeipa): add policy enforcement for binary blocking, backups, scans, and sudo

Introduces a FreeIPA host-group-driven policy system alongside a sudo
rules management playbook:

- ansipa-enforce-policies.sh: client-side enforcer (systemd timer, 30 min)
  - policy-block-binary-<name>: PATH-priority wrapper blocks the binary
  - policy-timeshift-backup: daily Timeshift snapshot cron (03:00)
  - policy-security-scan: daily ClamAV/rkhunter/chkrootkit cron (02:00)
  Policies are reversible — leaving a group removes enforcement on next run.

- deploy-ansipa-policies.yml: deploys enforcer + systemd service/timer to clients

- manage-sudo-rules.yml: creates FreeIPA sudo rules (allow_sudoers,
  allow_sudo_nopasswd) that SSSD clients already pick up via --sudo enrollment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-20 11:34:09 +02:00

2 Commits (fb8ca498efd590c534f853b4e3c2faadf86616b4)