254 lines
9.9 KiB
Bash
Executable File
254 lines
9.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# ansipa-enforce-policies.sh — enforce FreeIPA host-group-driven policies on this client.
|
|
#
|
|
# Policies are idempotent and reversible: joining a group applies the policy;
|
|
# leaving the group removes it on the next run (every 30 min via systemd timer).
|
|
#
|
|
# Host-group naming conventions:
|
|
# policy-block-binary-<name> Block execution of <name> via two layers:
|
|
# 1. PATH-priority wrapper in /usr/local/bin/ (catches $PATH calls)
|
|
# 2. AppArmor deny profile in /etc/apparmor.d/ (catches absolute paths)
|
|
# AppArmor layer is skipped silently if apparmor_parser is not present.
|
|
# policy-timeshift-backup Enforce a daily Timeshift snapshot (requires timeshift installed)
|
|
# policy-security-scan Enforce daily ClamAV + rkhunter + chkrootkit scans
|
|
#
|
|
# Notes:
|
|
# - Install scan tools first: add the host to ansipa-module-anti-malware.
|
|
# - Configure Timeshift (type + target device) before enabling policy-timeshift-backup.
|
|
|
|
set -euo pipefail
|
|
|
|
LOG_TAG="ansipa-policies"
|
|
STATE_DIR="/var/lib/ansipa-policies"
|
|
BLOCK_DIR="/usr/local/bin"
|
|
APPARMOR_DIR="/etc/apparmor.d"
|
|
CRON_DIR="/etc/cron.d"
|
|
|
|
log() { echo "[$LOG_TAG] $*"; logger -t "$LOG_TAG" "$*" 2>/dev/null || true; }
|
|
warn() { echo "[$LOG_TAG][WARN] $*" >&2; logger -t "$LOG_TAG" "WARN: $*" 2>/dev/null || true; }
|
|
|
|
HOST_FQDN=$(hostname -f 2>/dev/null || hostname)
|
|
|
|
if ! command -v ipa &>/dev/null; then
|
|
warn "ipa command not found — host not enrolled in FreeIPA. Exiting."
|
|
exit 0
|
|
fi
|
|
|
|
kinit -k "host/$HOST_FQDN" &>/dev/null || true
|
|
mkdir -p "$STATE_DIR"
|
|
|
|
# ── Fetch host group membership ───────────────────────────────────────────────
|
|
RAW_GROUPS=$(ipa host-show "$HOST_FQDN" --all 2>/dev/null \
|
|
| grep -i "Member of host-groups:" | sed 's/.*: //' || true)
|
|
|
|
# ── Parse active policy groups ────────────────────────────────────────────────
|
|
ACTIVE_BLOCK_BINARIES=()
|
|
WANT_TIMESHIFT_BACKUP=false
|
|
WANT_SECURITY_SCAN=false
|
|
|
|
if [[ -n "$RAW_GROUPS" ]]; then
|
|
while IFS=',' read -ra GRP_ARRAY; do
|
|
for g in "${GRP_ARRAY[@]}"; do
|
|
g="${g// /}"
|
|
case "$g" in
|
|
policy-block-binary-*) ACTIVE_BLOCK_BINARIES+=("${g#policy-block-binary-}") ;;
|
|
policy-timeshift-backup) WANT_TIMESHIFT_BACKUP=true ;;
|
|
policy-security-scan) WANT_SECURITY_SCAN=true ;;
|
|
esac
|
|
done
|
|
done <<< "$RAW_GROUPS"
|
|
fi
|
|
|
|
log "Active policies — block-binary: ${ACTIVE_BLOCK_BINARIES[*]:-none}" \
|
|
"| timeshift-backup: $WANT_TIMESHIFT_BACKUP | security-scan: $WANT_SECURITY_SCAN"
|
|
|
|
# ── Helpers ───────────────────────────────────────────────────────────────────
|
|
in_active_list() {
|
|
local needle="$1"
|
|
for b in "${ACTIVE_BLOCK_BINARIES[@]}"; do
|
|
[[ "$b" == "$needle" ]] && return 0
|
|
done
|
|
return 1
|
|
}
|
|
|
|
# Find the real installed binary, skipping /usr/local/bin where our wrapper lives.
|
|
find_real_binary() {
|
|
local name="$1"
|
|
for dir in /usr/bin /usr/sbin /bin /sbin /usr/local/sbin /opt/bin; do
|
|
[[ -x "$dir/$name" ]] && echo "$dir/$name" && return 0
|
|
done
|
|
return 1
|
|
}
|
|
|
|
aa_profile_file() { echo "$APPARMOR_DIR/ansipa-block-${1}"; }
|
|
|
|
# Load an AppArmor deny profile for a binary path.
|
|
# An empty AppArmor profile denies all access: the binary cannot load shared
|
|
# libraries or open any files, so it exits immediately with a permission error.
|
|
apply_apparmor_block() {
|
|
local bin="$1"
|
|
command -v apparmor_parser &>/dev/null || return 0
|
|
|
|
local bin_path
|
|
bin_path=$(find_real_binary "$bin") || {
|
|
warn "AppArmor block: real binary '$bin' not found on disk — profile skipped until it is installed."
|
|
return 0
|
|
}
|
|
|
|
local profile_file
|
|
profile_file=$(aa_profile_file "$bin")
|
|
|
|
# Write the profile only if it doesn't exist or points to a different path.
|
|
if [[ ! -f "$profile_file" ]] || ! grep -qF "$bin_path" "$profile_file" 2>/dev/null; then
|
|
log "Writing AppArmor block profile: $profile_file ($bin_path)"
|
|
cat > "$profile_file" <<PROFILE
|
|
#include <tunables/global>
|
|
|
|
# ansipa-block-policy: managed by ansipa-enforce-policies — do not edit manually.
|
|
# Deny all access so the binary cannot load libraries or run.
|
|
# To unblock manually: apparmor_parser -R $profile_file && rm $profile_file
|
|
$bin_path {
|
|
}
|
|
PROFILE
|
|
fi
|
|
|
|
# Load (or reload) the profile in enforce mode.
|
|
if ! apparmor_parser -r "$profile_file" 2>/dev/null; then
|
|
warn "apparmor_parser failed to load $profile_file — AppArmor block not active"
|
|
fi
|
|
}
|
|
|
|
# Remove the AppArmor deny profile for a binary.
|
|
remove_apparmor_block() {
|
|
local bin="$1"
|
|
command -v apparmor_parser &>/dev/null || return 0
|
|
|
|
local profile_file
|
|
profile_file=$(aa_profile_file "$bin")
|
|
[[ -f "$profile_file" ]] || return 0
|
|
|
|
if grep -q "ansipa-block-policy" "$profile_file" 2>/dev/null; then
|
|
apparmor_parser -R "$profile_file" 2>/dev/null || true
|
|
rm -f "$profile_file"
|
|
log "Removed AppArmor block profile: $bin"
|
|
fi
|
|
}
|
|
|
|
# ── Binary blocking ───────────────────────────────────────────────────────────
|
|
# Layer 1: PATH-priority wrapper in /usr/local/bin/ — blocks $PATH-based calls.
|
|
# Layer 2: AppArmor deny profile — blocks absolute-path calls and direct exec().
|
|
# Both layers use the "ansipa policy" sentinel to identify managed files.
|
|
|
|
BLOCK_STATE="$STATE_DIR/blocked-binaries"
|
|
[[ -f "$BLOCK_STATE" ]] || touch "$BLOCK_STATE"
|
|
|
|
for BIN in "${ACTIVE_BLOCK_BINARIES[@]}"; do
|
|
WRAPPER="$BLOCK_DIR/$BIN"
|
|
if [[ ! -f "$WRAPPER" ]] || ! grep -q "blocked by ansipa policy" "$WRAPPER" 2>/dev/null; then
|
|
log "Applying PATH wrapper block: $BIN"
|
|
cat > "$WRAPPER" <<WRAPPER
|
|
#!/bin/bash
|
|
# blocked by ansipa policy
|
|
echo "[$LOG_TAG] '$BIN' is blocked by system policy on this host." >&2
|
|
exit 1
|
|
WRAPPER
|
|
chmod 755 "$WRAPPER"
|
|
fi
|
|
apply_apparmor_block "$BIN"
|
|
done
|
|
|
|
# Remove blocks for binaries no longer in any active policy group.
|
|
while IFS= read -r OLD_BIN; do
|
|
[[ -z "$OLD_BIN" ]] && continue
|
|
if ! in_active_list "$OLD_BIN"; then
|
|
WRAPPER="$BLOCK_DIR/$OLD_BIN"
|
|
if [[ -f "$WRAPPER" ]] && grep -q "blocked by ansipa policy" "$WRAPPER" 2>/dev/null; then
|
|
rm -f "$WRAPPER"
|
|
log "Removed PATH wrapper block: $OLD_BIN"
|
|
fi
|
|
remove_apparmor_block "$OLD_BIN"
|
|
fi
|
|
done < "$BLOCK_STATE"
|
|
|
|
# Persist current blocked list.
|
|
if [[ ${#ACTIVE_BLOCK_BINARIES[@]} -gt 0 ]]; then
|
|
printf '%s\n' "${ACTIVE_BLOCK_BINARIES[@]}" | sort -u > "$BLOCK_STATE"
|
|
else
|
|
> "$BLOCK_STATE"
|
|
fi
|
|
|
|
# ── Timeshift daily backup ─────────────────────────────────────────────────────
|
|
TIMESHIFT_CRON="$CRON_DIR/ansipa-timeshift-backup"
|
|
|
|
if [[ "$WANT_TIMESHIFT_BACKUP" == true ]]; then
|
|
if [[ ! -f "$TIMESHIFT_CRON" ]]; then
|
|
if ! command -v timeshift &>/dev/null; then
|
|
warn "timeshift not found — add host to ansipa-module-timeshift first. Cron will be installed anyway."
|
|
fi
|
|
log "Enabling daily Timeshift backups"
|
|
cat > "$TIMESHIFT_CRON" <<'CRON'
|
|
# ansipa-policy-timeshift-backup: managed by ansipa-enforce-policies — do not edit manually.
|
|
# Timeshift must be configured on this host (type + target device) before snapshots work.
|
|
0 3 * * * root /usr/bin/timeshift --create --comments "ansipa-daily" --tags D 2>&1 | logger -t timeshift-backup
|
|
CRON
|
|
chmod 644 "$TIMESHIFT_CRON"
|
|
fi
|
|
else
|
|
if [[ -f "$TIMESHIFT_CRON" ]]; then
|
|
rm -f "$TIMESHIFT_CRON"
|
|
log "Removed Timeshift backup cron (host left policy-timeshift-backup group)"
|
|
fi
|
|
fi
|
|
|
|
# ── Security scan ─────────────────────────────────────────────────────────────
|
|
SCAN_CRON="$CRON_DIR/ansipa-security-scan"
|
|
SCAN_SCRIPT="/usr/local/bin/ansipa-security-scan.sh"
|
|
|
|
if [[ "$WANT_SECURITY_SCAN" == true ]]; then
|
|
# (Re-)write the scan script so it stays current with this version of the enforcer.
|
|
cat > "$SCAN_SCRIPT" <<'SCAN'
|
|
#!/bin/bash
|
|
# ansipa-security-scan — daily ClamAV / rkhunter / chkrootkit run.
|
|
# Managed by ansipa-enforce-policies — do not edit manually.
|
|
LOG=/var/log/ansipa-security-scan.log
|
|
{
|
|
echo "=== ansipa-security-scan: $(date) ==="
|
|
|
|
if command -v freshclam &>/dev/null; then
|
|
freshclam --quiet 2>/dev/null || true
|
|
fi
|
|
if command -v clamscan &>/dev/null; then
|
|
clamscan -r --infected --quiet /home /etc /tmp /var/tmp 2>/dev/null || true
|
|
fi
|
|
if command -v rkhunter &>/dev/null; then
|
|
rkhunter --update --quiet 2>/dev/null || true
|
|
rkhunter --check --skip-keypress --quiet 2>/dev/null || true
|
|
fi
|
|
if command -v chkrootkit &>/dev/null; then
|
|
chkrootkit 2>/dev/null || true
|
|
fi
|
|
|
|
echo "=== scan complete ==="
|
|
} >> "$LOG" 2>&1
|
|
SCAN
|
|
chmod 755 "$SCAN_SCRIPT"
|
|
|
|
if [[ ! -f "$SCAN_CRON" ]]; then
|
|
log "Enabling daily security scans (ClamAV / rkhunter / chkrootkit)"
|
|
cat > "$SCAN_CRON" <<'CRON'
|
|
# ansipa-policy-security-scan: managed by ansipa-enforce-policies — do not edit manually.
|
|
# Install scan tools by adding the host to the ansipa-module-anti-malware group.
|
|
0 2 * * * root /usr/local/bin/ansipa-security-scan.sh
|
|
CRON
|
|
chmod 644 "$SCAN_CRON"
|
|
fi
|
|
else
|
|
if [[ -f "$SCAN_CRON" ]]; then
|
|
rm -f "$SCAN_CRON"
|
|
rm -f "$SCAN_SCRIPT"
|
|
log "Removed security scan policy (host left policy-security-scan group)"
|
|
fi
|
|
fi
|
|
|
|
log "Policy enforcement complete."
|