Exec Guardian
Repository contents (latest commit c0cf7c8a03 "ifs" by Robert; the file commit messages note "(c) 2025 Robert Strutts, LIC: MIT"):

  core, docs, .gitignore, LICENSE, README.md, config.yaml.example, execguard.go, execguard@.service, export.sh, go.mod, go.sum, install.sh, reBuild.sh, startExecguard.sh, stopExecguard.sh, sys_update.sh, update_bins.sh, vscan_bins.sh

README.md

ExecGuard

Blocks unknown or changed programs from running. Please do not run on PROD!!! Do a full backup before installing! This is for educational use ONLY. Not fit for any real-world system. Be aware that it is possible to lock yourself out of your own system with this program if it is not used right! Please look at the Go code, etc...

Prerequisites:

  1. You must be in the sudoers file to become root.
  2. You should understand Linux Admin...
  3. Do a Full System Backup
  4. Know how to recover from a downed system, i.e. mount the filesystem from somewhere else to change the service file. If you do not understand systemd then this program is not for you.

If LOCKED OUT:

  • Boot into some form of Recovery Mode, then:
pwd
## you should be in /etc/systemd/system/; if not, cd into it...
sudo rm multi-user.target.wants/execguard@enforce.service
reboot

About execguard --init

This will initialize the /etc/execguard/system.db SQLite3 database. It is in Learning mode... All programs will run as normal.

How it works:

  • NOTE: All executables that are not in system.db are blocked, so the protected_dirs config does not matter for blocking!
  • To add a program to the system.db database: sudo execguard --update /THEPATH/TO/PROGRAM_GOES_HERE. Be careful when updating/adding to the allowed database, as the whole point is to block bad programs.
  • However, your system needs to run things, so be wise...
  • You should monitor the output of the log file:
    • tail -F /var/log/execguard.log

/etc/execguard/config.yaml

  • scan_interval is the number of minutes to wait between scans of the protected_dirs for executables that are not allowed to run; the scan will chmod -x those programs. If 0, the scan that removes the execute (x) bit is disabled. DO NOT ADD system bin paths to protected_dirs!!! Your system will fail to boot!!
  • skip_dirs are directories to skip inside of the protected_dirs.
  • alert_email is where to send alerts in addition to the /var/log/execguard.log file. If alert_email is an empty string, no emails are sent...
  • hash_encryption takes one of the following: none, xor, or xxtea. The passphrase is used with xor or xxtea to protect against people injecting hashes into the database to make a bad program run.
  • hash_type is either sha256 or sha512. sha512 is better for security and sha256 is better for performance, maybe...
  • downloads: be sure to UPDATE the example downloads folders to YOURS!!!

logging:
  filePath: "/var/log/execguard.log" # Main Log file to watch
  maxSizeMB: 10               # Max log size in megabytes
  backups: 5                  # Number of backup logs to keep
  compressBackups: true       # Whether to gzip old logs
  timestampFormat: "2006-01-02T15:04:05" # Go time format

db_file: "/etc/execguard/system.db" # Allowed programs DB
mail_prog: "/usr/bin/mail"          # Mail Util
scanner_prog: "/usr/bin/clamscan"   # AV Scanner

downloads:                          # folders to Scan for Viruses
    - "/home/EXAMPLEUSER1/Downloads"
    - "/home/exampleUser2/Downloads"

scan_interval: 90                   # Minutes before next Exec bit Scan
protected_dirs:                     # Folders that should Never have an Exec Bit Enabled!
    - "/home/EXAMPLEUSER1/Documents"
skip_dirs: [".cache",".git"]

alert_email: ""                     # root@localhost - Admin local Mail
passphrase: "cdzTE1Gk6/VuDlnU"      # Hash change protection
hash_encryption: "xxtea"            # Encryption xxtea, xor, or none
hash_type: "sha512"                 # Hashing Algo. sha 256, or sha 512
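As an added example (not the project's own scanner), this is the job that scan_interval schedules, as described above: walk each protected_dirs root, skip directories named in skip_dirs, and chmod -x regular files that carry an execute bit. Function and parameter names are mine.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
)

// ExecBitScan walks every protected_dirs root, skips any directory whose
// name is in skip_dirs, clears the execute bits on regular files that carry
// them and returns the paths it changed. Added example, not the project's code.
func ExecBitScan(protectedDirs, skipDirs []string) ([]string, error) {
	skip := make(map[string]bool, len(skipDirs))
	for _, d := range skipDirs {
		skip[d] = true
	}
	var found []string
	for _, root := range protectedDirs {
		err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
			if err != nil {
				return err
			}
			if d.IsDir() {
				if path != root && skip[d.Name()] {
					return filepath.SkipDir
				}
				return nil
			}
			// WalkDir lstat's entries: symlinks, sockets, devices fail IsRegular.
			info, err := d.Info()
			if err != nil {
				return err
			}
			if !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
				return nil
			}
			// chmod -x: drop user, group and other execute bits.
			if err := os.Chmod(path, info.Mode().Perm()&^0o111); err != nil {
				return err
			}
			found = append(found, path)
			return nil
		})
		if err != nil {
			return found, err
		}
	}
	return found, nil
}
```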

FYI - To get root mail from Alerts

sudo mail -u root
OR
sudo mutt -f /var/mail/root

Install

cd execguard
./install.sh

Running as a Daemon

Kind of dangerous when in enforce mode!! Do an AV scan on your computer, then run all your programs that are safe while in init mode.

startExecguard.sh init
To switch to enforcement mode: $ startExecguard.sh enforce
sudo systemctl enable --now execguard@init

Reboot, to have all Boot programs, load into learning mode.

Check the Logs!

sudo tail /var/log/execguard.log

Look out for - Found unauthorized executable: /path/to/program

Update allowed list

sudo execguard --update /path/to/program
REPLACE /path/to/program with that found in the Log file.
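For the entry that --update stores, here is an added Go example (not the project's code) of the hash_type plus hash_encryption: xor scheme the config section describes: the program's digest is XORed with a passphrase-derived keystream before it is stored, and the exec-time check reseals and compares. The keystream derivation (sha512 in counter mode) and the hex storage form are assumptions, since the README does not give the project's own keying.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// digestOf hashes program bytes with the README's hash_type values.
func digestOf(data []byte, hashType string) ([]byte, error) {
	switch hashType {
	case "sha256":
		d := sha256.Sum256(data)
		return d[:], nil
	case "sha512":
		d := sha512.Sum512(data)
		return d[:], nil
	}
	return nil, fmt.Errorf("unsupported hash_type %q", hashType)
}

// keystream stretches the passphrase with sha512 in counter mode (assumed keying).
func keystream(passphrase string, n int) []byte {
	out := make([]byte, 0, n)
	for ctr := byte(0); len(out) < n; ctr++ {
		k := sha512.Sum512(append([]byte(passphrase), ctr))
		out = append(out, k[:]...)
	}
	return out[:n]
}

// SealDigest is the xor option: the system.db row holds the digest XORed with
// the passphrase keystream, so a bare digest injected without it will not match.
func SealDigest(data []byte, passphrase, hashType string) (string, error) {
	d, err := digestOf(data, hashType)
	if err != nil {
		return "", err
	}
	ks := keystream(passphrase, len(d))
	for i := range d {
		d[i] ^= ks[i]
	}
	return hex.EncodeToString(d), nil
}

// VerifyEntry is the exec-time check: reseal the program and compare to the row.
func VerifyEntry(data []byte, stored, passphrase, hashType string) bool {
	got, err := SealDigest(data, passphrase, hashType)
	return err == nil && got == stored
}
```

Because every row in this scheme shares one fixed keystream, it stops blind injection of a plain digest but not someone who can read system.db and hash one already-allowed file; an HMAC over the digest keyed by the passphrase closes that gap.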

Disable Auto-Updates

Any unknown update will change your bin files, and as such they will get BLOCKED!!!!

sudo systemctl disable --now apt-daily.timer
sudo systemctl disable --now apt-daily-upgrade.timer
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";
sudo apt remove unattended-upgrades

Manual System Updates via Apt

If not using apt, change the script to use your package manager.

./sys_update.sh

Once the system is done initializing, BEWARE before doing this:

If you have not allowed all the things needed for your system, it will HANG-UP and stop working!!!!

sudo systemctl disable --now execguard@init
sudo systemctl status execguard@init

startExecguard.sh enforce

Reboot.

Migrations are needed ONLY after changes to config.yaml

Note: It's best to set up config.yaml before installing....! However, you can change it later: changes to the passphrase or hash settings on a system with existing data in the system.db database need to be migrated.

./stopExecguard.sh
sudo ./execguard --migrate
# Test afterwards: note CTRL+C to end
sudo ./execguard
# If successful:
./startExecguard.sh init

What to do if found Infected files:

sudo rm -rf /var/lib/clamav/quarantine/*

TODOs:

  • Allow Hash Type choice: sha256 or sha512.
  • Allow Encryption on said Hash: xxtea (default), xor, or none.
  • Take a passphrase for Encryption.
  • Local Mail Alerts to root user.
  • Clamscan AV or use of other AV.
  • Set Scan Interval in Minutes for Protected Dirs like: Docs
    • Will remove executable bit from Documents...
  • Auto scan new files in Downloads.
  • Watch/Monitor Logs via: $ tail -F /var/log/execguard.log
  • Use custom SQLite3 Database file: Default is /etc/execguard/system.db
  • Log Rotation
  • Debug more...this is in Alpha.