Use startExecguard.sh init or enforce modes...

7 months ago · cee123901d
parent 589c24cc00
commit cee123901d
12 changed files with 122 additions and 53 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 execguard
 migrated_apps.txt
 my_bins_apps.txt
+sys-updates.list
--- a/README.md
+++ b/README.md
@ -15,16 +15,14 @@ Please look at the go code, etc...
 - Boot into some form of Recovery Mode: 
    - Boot into a Linux Live USB disk. 
    - Then mount your hard drive, open the folder to etc, right click and open in new Terminal. 
-    - From the etc folder... 
-    - change directory to systemd/system. 
-    - Make sure that --init is turned on...
-    - Once recovered and loaded all normal programs, so they are added to the allowed system Database, you may remove the --init to go back to enforce mode...
+    - From the etc folder: change directory to systemd/system, edit execguard@.service 
+    - Remove the %I and replace it with --init so it's in init mode...
 ```
 cd systemd/system/
-sudo nano execguard.service
+sudo nano execguard@.service
 ExecStart=/usr/local/bin/execguard --init

-# If, the program still does not work: sudo rm /etc/systemd/system/execguard.service
+# If, the program still does not work: sudo rm /etc/systemd/system/execguard@.service
 reboot
 ```
 ### About execgaurd --init
@ -38,12 +36,6 @@ It is in Leaning mode... All program will run as normal.
 * You should monitor the output of the log file: 
    - tail -F /var/log/execguard.log 

-## Make a key for xxtea
-This is done automatically in install.sh.
-```
-execguard --newKey
-```
-
 ## /etc/execgaurd/config.json
 scan_interval is the number of minutes to delay before scanning the protected_dirs for executables that are not allowed to run, it will chmod -x those programs. If 0, disables the scan for executables to remove the executution (x) bit. DO NOT ADD system bin paths to the Protected Dirs!!! As your system will fail to Boot!! skip_dirs are directories to skip inside of the protected_dirs. alert_email is where to send alerts besides the /var/log/execgaurd.log file. If the alert_email is an empty string, that will not send any emails... hash_encryption takes one of the following: none, xor, or xxtea. Passphrase is used on xor or xxtea to provide security against people injecting hashes into the database to make a bad program run. hash_type is either sha256, or sha512. Sha512 is better for security and sha256 is better on perforance, maybe...Be sure to UPDATE your downloads folders, to YOURS!!!
 ```
@ -62,7 +54,7 @@ scan_interval is the number of minutes to delay before scanning the protected_di
    "hash_type": "sha512"
 }
 ```
-## To get root mail
+## FYI - To get root mail from Alerts
 ```
 sudo mail -u root
 OR
@ -73,14 +65,13 @@ sudo mutt -f /var/mail/root
 cd execgaurd
 ./install.sh
 ```
-# Run a Service
-Kind of Dangerious!!:
+# Running as a Daemon
+Kind of Dangerious when in enforce mode!!:
 ```
-sudo systemctl enable --now execguard
-sudo service execguard status
+startExecguard.sh init
+To Switch to Enforcement more: $ startExecguard.sh enforce
 ```
 Reboot, to have all Boot programs, load into learning mode.
-Make sure that --init is running on the service file.

 ## Check the Logs!
 ```
@ -93,18 +84,6 @@ Look out for - Found unauthorized executable: /path/to/program
 sudo execguard --update /path/to/program
 REPLACE /path/to/program with that found in the Log file.
 ```
-
-# Once done initializing the System, BEWARE....doing this...:
-If you have not allowed all the things needed for your system, it will HANG-UP and stop working!!!!
-```
-sudo nano /etc/systemd/system/execguard.service
-[Service]
-ExecStart=/usr/local/bin/execguard --init
-
-REMOVE the --init from ExecStart command
-```
-Reboot.
-
 # Disable Auto-Updates
 Any unknown update will make changes to your bin files, as such they will get BLOCKED!!!!
 ```
@ -120,15 +99,26 @@ If not using apt, change the script to use your package manager.
 ```
 ./sys_update.sh
 ```
-# Migrations 
+# Once done initializing the System, BEWARE....doing this...:
+If you have not allowed all the things needed for your system, it will HANG-UP and stop working!!!!
+```
+sudo systemctl disable --now execguard@init
+sudo systemctl execguard@init status
+
+sudo systemctl enable --now execguard@enforce
+sudo systemctl execguard@enforce status
+```
+Reboot.
+# Migrations ONLY after changes on config.json
+Note: It's best to set the config.json before Installing....! However, you can do it...
 Changes made to passwords, hashes on system with existing data on system.db database...need to be migrated.
 ```
-sudo service execguard stop
+./stopExecguard.sh
 sudo ./execguard --migrate
-# Test afterword:
+# Test afterword: note CTRL+C to end
 sudo ./execgaurd
 # If successful:
-sudo service execguard start
+./startExecguard.sh init
 ```
 ## What to do if found Infected files:
 ```
--- a/docs/SystemD.md
+++ b/docs/SystemD.md
@ -0,0 +1,37 @@
+[Unit]
+Description=Executable Guardian for %I
+After=network.target
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+ExecStart=/usr/local/bin/execguard --%I
+Restart=on-failure
+RestartSec=2
+SuccessExitStatus=0 4
+RestartForceExitStatus=0 4
+
+# Hardening 
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+
+# ReadWritePaths=/etc/execguard
+#ProtectProc=invisible
+#ProtectSystem=no
+#LockPersonality=no
+#PrivateDevices=no
+#ProtectKernelModules=no
+#ProtectKernelTunables=no
+#ProtectControlGroups=no
+#ProtectClock=yes
+#ProtectHostname=yes
+#RestrictNamespaces=yes
+#DevicePolicy=closed
+#PrivateNetwork=no Don't enable!
+#PrivateTmp=false Don't enable!
+
+[Install]
+WantedBy=multi-user.target
--- a/execguard.go
+++ b/execguard.go
@ -44,6 +44,7 @@ var (
    mailFlag string
    clamscanFlag string
    initMode bool
+    enforceMode bool
    initFile string
    updateFile string
    migrateMode bool
@ -65,6 +66,7 @@ func main() {
    flag.StringVar(&mailFlag, "mail", "", "use specified file for Mail sending")
    flag.StringVar(&clamscanFlag, "scanner", "", "use specified binary for Virus Scanning")
 	flag.BoolVar(&initMode, "init", false, "initialize and populate allowed executable database")
+	flag.BoolVar(&enforceMode, "enforce", false, "enforce policies from Database Lock-down...")
 	flag.StringVar(&initFile, "initFile", "", "file containing files to add to allowed database with hash")
    flag.StringVar(&updateFile, "update", "", "add specified file to allowed database with hash")
    flag.BoolVar(&migrateMode, "migrate", false, "recompute hashes of all allowed paths using current settings")
--- a/execguard.service
+++ b/execguard.service
@ -1,10 +0,0 @@
-[Unit]
-Description=Executable Guardian
-After=network.target
-
-[Service]
-ExecStart=/usr/local/bin/execguard --init
-Restart=no
-
-[Install]
-WantedBy=multi-user.target
--- a/execguard@.service
+++ b/execguard@.service
@ -0,0 +1,22 @@
+[Unit]
+Description=Executable Guardian for %I
+After=network.target
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+ExecStart=/usr/local/bin/execguard --%I
+Restart=on-failure
+RestartSec=2
+SuccessExitStatus=0 4
+RestartForceExitStatus=0 4
+
+# Hardening 
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/install.sh
+++ b/install.sh
@ -63,9 +63,8 @@ do
 done
 }

-if [ -f /etc/systemd/system/execguard.service ]; then
-    /usr/bin/echo "Existing Service found. Stopping..."
-    ${USE_SUPER} /usr/sbin/service execguard stop
+if [ -f /etc/systemd/system/execguard@.service ]; then
+    ./stopExecguard.sh
 fi
 if [ ! -d /etc/execgaurd ]; then
   ${USE_SUPER} /usr/bin/mkdir -p /etc/execguard
@ -161,11 +160,11 @@ if [ ! -f /etc/execguard/config.json ]; then
 fi
 ${USE_SUPER} /usr/bin/chmod 640 /etc/execguard/config.json

-if [ ! -f /etc/systemd/system/execguard.service ]; then
+if [ ! -f /etc/systemd/system/execguard@.service ]; then
    /usr/bin/echo "Adding SystemD Serivce file..."
-    ${USE_SUPER} cp execguard.service /etc/systemd/system/
+    ${USE_SUPER} cp execguard@.service /lib/systemd/system
+    ${USE_SUPER} ln -s /lib/systemd/system/execguard@.service /etc/systemd/system/
    ${USE_SUPER} systemctl daemon-reload
-    ${USE_SUPER} service execguard status
 fi

 # NOTE: If your clamav is way out of date, uninstall it:
@ -213,5 +212,12 @@ ${USE_SUPER} /usr/bin/chmod 660 /etc/execguard/system.db
 ${USE_SUPER} ./execguard --update "$(pwd)/update_bins.sh"
 ${USE_SUPER} ./execguard --update "$(pwd)/sys_update.sh"
 ${USE_SUPER} ./execguard --update "$(pwd)/vscan_bins.sh"
+${USE_SUPER} ./execguard --update "$(pwd)/stopExecguard.sh"
+${USE_SUPER} ./execguard --update "$(pwd)/startExecguard.sh"
+${USE_SUPER} /usr/bin/cp startExecguard.sh /usr/bin/local
+${USE_SUPER} /usr/bin/cp stopExecguard.sh /usr/bin/local
+${USE_SUPER} ./execguard --update "/usr/local/bin/stopExecguard.sh"
+${USE_SUPER} ./execguard --update "/usr/local/bin/startExecguard.sh"
+
 ./update_bins.sh
 ./vscan_bins.sh
--- a/reBuild.sh
+++ b/reBuild.sh
@ -1,5 +1,6 @@
 #!/bin/bash
 export CGO_ENABLED=1
+./stopExecguard.sh
 /usr/local/bin/go build -o execguard
 if [ $? -eq 0 ]; then
    /usr/bin/sudo cp execguard /usr/local/bin/
--- a/startExecguard.sh
+++ b/startExecguard.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+if [ -z "$1" ]; then
+   /usr/bin/echo "Which mode to start: init or enforce?"
+   exit 1
+fi
+
+if [ "$1" == "init" ]; then
+    /usr/bin/echo "Stopping enforce and Starting init mode."
+    /usr/bin/sudo /usr/bin/systemctl stop execguard@enforce
+    /usr/bin/sudo /usr/bin/systemctl start execguard@init
+elif [ "$1" == "enforce" ]; then
+    /usr/bin/echo "Stopping init and Starting enforce mode."
+    /usr/bin/sudo /usr/bin/systemctl stop execguard@init
+    /usr/bin/sudo /usr/bin/systemctl start execguard@enforce
+else
+    /usr/bin/echo "Invaild option... use init or enforce."
+fi
--- a/stopExecguard.sh
+++ b/stopExecguard.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/bin/echo "Stopping execguard service if on..."
+/usr/bin/sudo /usr/bin/systemctl stop execguard@init
+/usr/bin/sudo /usr/bin/systemctl stop execguard@enforce
--- a/sys_update.sh
+++ b/sys_update.sh
@ -19,7 +19,7 @@ if [ -f sys-updates.list ]; then
    fi
    /usr/bin/mv sys-updates.list sys-updates.old
 fi
-/usr/bin/sudo /usr/sbin/service execguard stop
+./stopExecguard.sh
 /usr/bin/echo "Starting to download list of updates..."
 /usr/bin/sudo /usr/bin/apt update
 /usr/bin/apt list --upgradable 2>/dev/null | /usr/bin/tail -n +2 | /usr/bin/cut -d/ -f1 | while read pkg; do
--- a/vscan_bins.sh
+++ b/vscan_bins.sh
@ -1,6 +1,5 @@
 #!/bin/bash
-/usr/bin/echo "Stopping execguard service if on..."
-/usr/bin/sudo /usr/sbin/service execguard stop
+./stopExecguard.sh

 /usr/bin/echo "Dumping contents of Database to file..."
 /usr/bin/sudo /usr/bin/sqlite3 /etc/execguard/system.db "SELECT path FROM allowed;" > my_bins_apps.txt