From cee123901d0cb4f9833a0e8b3d175b4e334ed64a Mon Sep 17 00:00:00 2001
From: Robert
Date: Wed, 21 May 2025 15:55:01 -0400
Subject: [PATCH] Use startExecguard.sh init or enforce modes...

---
 .gitignore | 1 +
 README.md | 58 +++++++++++++++++++---------------------
 docs/SystemD.md | 37 +++++++++++++++++++++++++++++
 execguard.go | 2 ++
 execguard.service | 10 --------
 execguard@.service | 22 ++++++++++++++++++
 install.sh | 18 +++++++++-----
 reBuild.sh | 1 +
 startExecguard.sh | 17 ++++++++++++++
 stopExecguard.sh | 4 ++++
 sys_update.sh | 2 +-
 vscan_bins.sh | 3 +--
 12 files changed, 122 insertions(+), 53 deletions(-)
 create mode 100644 docs/SystemD.md
 delete mode 100644 execguard.service
 create mode 100644 execguard@.service
 create mode 100755 startExecguard.sh
 create mode 100755 stopExecguard.sh
diff --git a/.gitignore b/.gitignore
index 98c7cc3..c3fb263 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 execguard
 migrated_apps.txt
 my_bins_apps.txt
+sys-updates.list
diff --git a/README.md b/README.md
index 82f6099..f4e9b8c 100644
--- a/README.md
+++ b/README.md
@@ -15,16 +15,14 @@ Please look at the go code, etc... - Boot into some form of Recovery Mode: - Boot into a Linux Live USB disk. - Then mount your hard drive, open the folder to etc, right click and open in new Terminal. - - From the etc folder... - - change directory to systemd/system. - - Make sure that --init is turned on... - - Once recovered and loaded all normal programs, so they are added to the allowed system Database, you may remove the --init to go back to enforce mode... + - From the etc folder: change directory to systemd/system, edit execguard@.service + - Remove the %I and replace it with --init so it's in init mode... ``` cd systemd/system/ -sudo nano execguard.service +sudo nano execguard@.service ExecStart=/usr/local/bin/execguard --init -# If, the program still does not work: sudo rm /etc/systemd/system/execguard.service +# If, the program still does not work: sudo rm /etc/systemd/system/execguard@.service reboot ``` ### About execgaurd --init 
@@ -38,12 +36,6 @@ It is in Leaning mode... All program will run as normal. * You should monitor the output of the log file: - tail -F /var/log/execguard.log -## Make a key for xxtea -This is done automatically in install.sh. -``` -execguard --newKey -``` - ## /etc/execgaurd/config.json scan_interval is the number of minutes to delay before scanning the protected_dirs for executables that are not allowed to run, it will chmod -x those programs. If 0, disables the scan for executables to remove the executution (x) bit. DO NOT ADD system bin paths to the Protected Dirs!!! As your system will fail to Boot!! skip_dirs are directories to skip inside of the protected_dirs. alert_email is where to send alerts besides the /var/log/execgaurd.log file. If the alert_email is an empty string, that will not send any emails... hash_encryption takes one of the following: none, xor, or xxtea. Passphrase is used on xor or xxtea to provide security against people injecting hashes into the database to make a bad program run. hash_type is either sha256, or sha512. Sha512 is better for security and sha256 is better on perforance, maybe...Be sure to UPDATE your downloads folders, to YOURS!!! ``` @@ -62,7 +54,7 @@ scan_interval is the number of minutes to delay before scanning the protected_di "hash_type": "sha512" } ``` -## To get root mail +## FYI - To get root mail from Alerts ``` sudo mail -u root OR @@ -73,14 +65,13 @@ sudo mutt -f /var/mail/root cd execgaurd ./install.sh ``` -# Run a Service -Kind of Dangerious!!: +# Running as a Daemon +Kind of Dangerious when in enforce mode!!: ``` -sudo systemctl enable --now execguard -sudo service execguard status +startExecguard.sh init +To Switch to Enforcement more: $ startExecguard.sh enforce ``` Reboot, to have all Boot programs, load into learning mode. -Make sure that --init is running on the service file. ## Check the Logs! ``` 
@@ -93,18 +84,6 @@ Look out for - Found unauthorized executable: /path/to/program sudo execguard --update /path/to/program REPLACE /path/to/program with that found in the Log file. ``` - -# Once done initializing the System, BEWARE....doing this...: -If you have not allowed all the things needed for your system, it will HANG-UP and stop working!!!! -``` -sudo nano /etc/systemd/system/execguard.service -[Service] -ExecStart=/usr/local/bin/execguard --init - -REMOVE the --init from ExecStart command -``` -Reboot. - # Disable Auto-Updates Any unknown update will make changes to your bin files, as such they will get BLOCKED!!!! ``` @@ -120,15 +99,26 @@ If not using apt, change the script to use your package manager. ``` ./sys_update.sh ``` -# Migrations +# Once done initializing the System, BEWARE....doing this...: +If you have not allowed all the things needed for your system, it will HANG-UP and stop working!!!! +``` +sudo systemctl disable --now execguard@init +sudo systemctl execguard@init status + +sudo systemctl enable --now execguard@enforce +sudo systemctl execguard@enforce status +``` +Reboot. +# Migrations ONLY after changes on config.json +Note: It's best to set the config.json before Installing....! However, you can do it... Changes made to passwords, hashes on system with existing data on system.db database...need to be migrated. ``` -sudo service execguard stop +./stopExecguard.sh sudo ./execguard --migrate -# Test afterword: +# Test afterword: note CTRL+C to end sudo ./execgaurd # If successful: -sudo service execguard start +./startExecguard.sh init ``` ## What to do if found Infected files: ``` diff --git a/docs/SystemD.md b/docs/SystemD.md new file mode 100644 index 0000000..84f08c1 --- /dev/null +++ b/docs/SystemD.md 
@@ -0,0 +1,37 @@
+[Unit]
+Description=Executable Guardian for %I
+After=network.target
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+ExecStart=/usr/local/bin/execguard --%I
+Restart=on-failure
+RestartSec=2
+SuccessExitStatus=0 4
+RestartForceExitStatus=0 4
+
+# Hardening
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes
+RestrictRealtime=yes
+
+# ReadWritePaths=/etc/execguard
+#ProtectProc=invisible
+#ProtectSystem=no
+#LockPersonality=no
+#PrivateDevices=no
+#ProtectKernelModules=no
+#ProtectKernelTunables=no
+#ProtectControlGroups=no
+#ProtectClock=yes
+#ProtectHostname=yes
+#RestrictNamespaces=yes
+#DevicePolicy=closed
+#PrivateNetwork=no Don't enable!
+#PrivateTmp=false Don't enable!
+
+[Install]
+WantedBy=multi-user.target
diff --git a/execguard.go b/execguard.go
index b79c625..d39526a 100644
--- a/execguard.go
+++ b/execguard.go
@@ -44,6 +44,7 @@ var (
 mailFlag string
 clamscanFlag string
 initMode bool
+ enforceMode bool
 initFile string
 updateFile string
 migrateMode bool
@@ -65,6 +66,7 @@ func main() {
 flag.StringVar(&mailFlag, "mail", "", "use specified file for Mail sending")
 flag.StringVar(&clamscanFlag, "scanner", "", "use specified binary for Virus Scanning")
 flag.BoolVar(&initMode, "init", false, "initialize and populate allowed executable database")
+ flag.BoolVar(&enforceMode, "enforce", false, "enforce policies from Database Lock-down...")
 flag.StringVar(&initFile, "initFile", "", "file containing files to add to allowed database with hash")
 flag.StringVar(&updateFile, "update", "", "add specified file to allowed database with hash")
 flag.BoolVar(&migrateMode, "migrate", false, "recompute hashes of all allowed paths using current settings")
diff --git a/execguard.service b/execguard.service
deleted file mode 100644
index 477d3d3..0000000
--- a/execguard.service
+++ /dev/null
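Review bot: The new `enforceMode` variable is declared and registered in these two execguard.go hunks, but nothing in the patch reads it, so as far as this diff shows `--enforce` is accepted and then ignored. If the daemon already enforces whenever `--init` is absent, the flag is an alias and its help string should say so, e.g. `flag.BoolVar(&enforceMode, "enforce", false, "enforce the allowed-executable database (the mode used when --init is not given)")`; if it is not, the branch that tests `initMode` must also consult `enforceMode`, and that code lies outside this hunk. The distinction matters because `execguard@.service` passes the instance name verbatim as `--%I`, so the flag being registered is what lets `execguard@enforce` start at all. The body of `main` continues past the hunk.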
@@ -1,10 +0,0 @@ -[Unit] -Description=Executable Guardian -After=network.target - -[Service] -ExecStart=/usr/local/bin/execguard --init -Restart=no - -[Install] -WantedBy=multi-user.target diff --git a/execguard@.service b/execguard@.service new file mode 100644 index 0000000..625865a --- /dev/null +++ b/execguard@.service @@ -0,0 +1,22 @@ +[Unit] +Description=Executable Guardian for %I +After=network.target +StartLimitIntervalSec=60 +StartLimitBurst=3 + +[Service] +ExecStart=/usr/local/bin/execguard --%I +Restart=on-failure +RestartSec=2 +SuccessExitStatus=0 4 +RestartForceExitStatus=0 4 + +# Hardening +MemoryDenyWriteExecute=true +NoNewPrivileges=true +SystemCallArchitectures=native +RestrictSUIDSGID=yes +RestrictRealtime=yes + +[Install] +WantedBy=multi-user.target diff --git a/install.sh b/install.sh index 50ebe05..8fa1e9e 100755 --- a/install.sh +++ b/install.sh @@ -63,9 +63,8 @@ do done } -if [ -f /etc/systemd/system/execguard.service ]; then - /usr/bin/echo "Existing Service found. Stopping..." - ${USE_SUPER} /usr/sbin/service execguard stop +if [ -f /etc/systemd/system/execguard@.service ]; then + ./stopExecguard.sh fi if [ ! -d /etc/execgaurd ]; then ${USE_SUPER} /usr/bin/mkdir -p /etc/execguard @@ -161,11 +160,11 @@ if [ ! -f /etc/execguard/config.json ]; then fi ${USE_SUPER} /usr/bin/chmod 640 /etc/execguard/config.json -if [ ! -f /etc/systemd/system/execguard.service ]; then +if [ ! -f /etc/systemd/system/execguard@.service ]; then /usr/bin/echo "Adding SystemD Serivce file..." - ${USE_SUPER} cp execguard.service /etc/systemd/system/ + ${USE_SUPER} cp execguard@.service /lib/systemd/system + ${USE_SUPER} ln -s /lib/systemd/system/execguard@.service /etc/systemd/system/ ${USE_SUPER} systemctl daemon-reload - ${USE_SUPER} service execguard status fi # NOTE: If your clamav is way out of date, uninstall it: 
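Review bot: `ExecStart=/usr/local/bin/execguard --%I` turns the instance name into a command-line flag with no validation, so a mistyped instance name (a constructed example: `execguard@enfore`) starts the binary with an unknown flag; Go's flag package exits with status 2 on that, which `Restart=on-failure` retries until `StartLimitBurst=3` within `StartLimitIntervalSec=60` trips and the unit lands in failed state. The same template also lets any other flag the binary registers (`--migrate` is visible in the execguard.go hunk) be run as a supervised instance, which is a footgun even though starting units already requires privilege. State the contract in the unit, `# %I is passed verbatim as --%I and must be "init" or "enforce"`, or replace the template with two explicit units whose ExecStart lines are fixed. The hardening block is a good start; the `ReadWritePaths=/etc/execguard` line left commented in docs/SystemD.md presumably exists because the daemon writes its database there, and that reason deserves a comment here too.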
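Review bot: The stop check now only looks for `/etc/systemd/system/execguard@.service`, so on a host installed with the previous layout the old `execguard.service` unit (deleted from the repo in this patch) is neither stopped nor removed and keeps running `--init` alongside the new instance after the upgrade. Keep a legacy branch before the new one: `if [ -f /etc/systemd/system/execguard.service ]; then ${USE_SUPER} systemctl disable --now execguard; ${USE_SUPER} rm /etc/systemd/system/execguard.service; fi`. Separately, `./stopExecguard.sh` is a cwd-relative path here and in the reBuild.sh, sys_update.sh and vscan_bins.sh hunks; invoked from any other directory it fails, none of these scripts use `set -e`, and the guard stays up while binaries are replaced, which is exactly the blocking the README warns about. `"$(dirname -- "$0")/stopExecguard.sh"` removes the cwd dependency.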
@@ -213,5 +212,12 @@ ${USE_SUPER} /usr/bin/chmod 660 /etc/execguard/system.db
 ${USE_SUPER} ./execguard --update "$(pwd)/update_bins.sh"
 ${USE_SUPER} ./execguard --update "$(pwd)/sys_update.sh"
 ${USE_SUPER} ./execguard --update "$(pwd)/vscan_bins.sh"
+${USE_SUPER} ./execguard --update "$(pwd)/stopExecguard.sh"
+${USE_SUPER} ./execguard --update "$(pwd)/startExecguard.sh"
+${USE_SUPER} /usr/bin/cp startExecguard.sh /usr/bin/local
+${USE_SUPER} /usr/bin/cp stopExecguard.sh /usr/bin/local
+${USE_SUPER} ./execguard --update "/usr/local/bin/stopExecguard.sh"
+${USE_SUPER} ./execguard --update "/usr/local/bin/startExecguard.sh"
+
 ./update_bins.sh
 ./vscan_bins.sh
diff --git a/reBuild.sh b/reBuild.sh
index dd205a6..06a3dc2 100755
--- a/reBuild.sh
+++ b/reBuild.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 export CGO_ENABLED=1
+./stopExecguard.sh
 /usr/local/bin/go build -o execguard
 if [ $? -eq 0 ]; then
 /usr/bin/sudo cp execguard /usr/local/bin/
diff --git a/startExecguard.sh b/startExecguard.sh
new file mode 100755
index 0000000..92d3841
--- /dev/null
+++ b/startExecguard.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+if [ -z "$1" ]; then
+ /usr/bin/echo "Which mode to start: init or enforce?"
+ exit 1
+fi
+
+if [ "$1" == "init" ]; then
+ /usr/bin/echo "Stopping enforce and Starting init mode."
+ /usr/bin/sudo /usr/bin/systemctl stop execguard@enforce
+ /usr/bin/sudo /usr/bin/systemctl start execguard@init
+elif [ "$1" == "enforce" ]; then
+ /usr/bin/echo "Stopping init and Starting enforce mode."
+ /usr/bin/sudo /usr/bin/systemctl stop execguard@init
+ /usr/bin/sudo /usr/bin/systemctl start execguard@enforce
+else
+ /usr/bin/echo "Invaild option... use init or enforce."
+fi
diff --git a/stopExecguard.sh b/stopExecguard.sh
new file mode 100755
index 0000000..7bc0119
--- /dev/null
+++ b/stopExecguard.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+/usr/bin/echo "Stopping execguard service if on..."
+/usr/bin/sudo /usr/bin/systemctl stop execguard@init
+/usr/bin/sudo /usr/bin/systemctl stop execguard@enforce
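Review bot: `cp startExecguard.sh /usr/bin/local` and the following `cp stopExecguard.sh /usr/bin/local` copy into `/usr/bin/local`, which is not a directory on a standard layout: the first cp creates a regular file of that name, the second overwrites it, and the two `--update "/usr/local/bin/..."` lines that follow then hash paths that do not exist. Change both to `${USE_SUPER} /usr/bin/cp startExecguard.sh /usr/local/bin/` and `${USE_SUPER} /usr/bin/cp stopExecguard.sh /usr/local/bin/` so the allow-listed path is the one actually installed. Note also that this allow-lists a script whose only job is to stop enforcement; that is presumably intended for the maintenance scripts that call it, but the README should say so explicitly since it is the one approved path that turns the guard off.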
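Review bot: The unrecognised-argument branch of startExecguard.sh prints `Invaild option...` (typo) to stdout and the script still exits 0, so a mistyped mode (a constructed example: `startExecguard.sh enfore`) reports success while no unit was started. Send the message to stderr and fail: `/usr/bin/echo "Invalid option... use init or enforce." >&2` followed by `exit 1`. The `systemctl start` results are also unchecked; a trailing `|| exit 1` on each start line would let the README's `./startExecguard.sh init` step surface a failed start instead of leaving the host with neither instance running. The `[ -z "$1" ]` guard above already does the right thing for the missing-argument case.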
diff --git a/sys_update.sh b/sys_update.sh
index 5f86e32..eb6ab60 100755
--- a/sys_update.sh
+++ b/sys_update.sh
@@ -19,7 +19,7 @@ if [ -f sys-updates.list ]; then
 fi
 /usr/bin/mv sys-updates.list sys-updates.old
 fi
-/usr/bin/sudo /usr/sbin/service execguard stop
+./stopExecguard.sh
 /usr/bin/echo "Starting to download list of updates..."
 /usr/bin/sudo /usr/bin/apt update
 /usr/bin/apt list --upgradable 2>/dev/null | /usr/bin/tail -n +2 | /usr/bin/cut -d/ -f1 | while read pkg; do
diff --git a/vscan_bins.sh b/vscan_bins.sh
index ae1ca98..ff418eb 100755
--- a/vscan_bins.sh
+++ b/vscan_bins.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
-/usr/bin/echo "Stopping execguard service if on..."
-/usr/bin/sudo /usr/sbin/service execguard stop
+./stopExecguard.sh
 /usr/bin/echo "Dumping contents of Database to file..."
 /usr/bin/sudo /usr/bin/sqlite3 /etc/execguard/system.db "SELECT path FROM allowed;" > my_bins_apps.txt