# ExecGuard Blocks UnKnown or Changed Programs from running. Please do not run on PROD!!! Do a Full Backup before installing! This for educational use ONLY. Not fit for any real world system. Beaware it is possible to lock your self out of your own system with this program, if not used right! Please look at the go code, etc... ### About execgaurd --init This will initialize the /etc/execguard/allowed.db SQLite3 Database. It is in Leaning mode... All program will run as normal. ## How it works: NOTE: All executables are blocked that are not in the allowed.db, so the protected_dirs config does not matter! To add a program to this allowed.db Database: sudo execguard --update /THEPATH/TO/PROGRAM_GOES_HERE Beacreful when updating/add to the allowed Database as the whole point is to Block Bad Programs, However, your systen need to run things, so be wise... You should monitor the output of the log file: tail -F /var/log/execguard.log ## Make a key for xxtea This will generate a new key phrase for you that is safe in size...to be placed inside of your config.json file. Do this before you go live. ``` execguard --newKey ``` ## /etc/execgaurd/config.json scan_interval is the number of minutes to delay before scanning the protected_dirs for executables that are not allowed to run, it will chmod -x those programs. If 0, disables the scan for executables to remove the executution (x) bit. DO NOT ADD system bin paths to the Protected Dirs!!! As your system will fail to Boot!! skip_dirs are directories to skip inside of the protected_dirs. alert_email is where to send alerts besides the /var/log/execgaurd.log file. If the alert_email is an empty string, that will not send any emails... hash_encryption takes one of the following: none, xor, or xxtea. Passphrase is used on xor or xxtea to provide security against people injecting hashes into the database to make a bad program run. hash_type is either sha256, or sha512. Sha512 is better for security and sha256 is better on perforance, maybe... ``` { "scan_interval": 0, "protected_dirs": ["/home"], "skip_dirs": [".cache",".git"], "alert_email": "root@loalhost", "passphrase": "cdzTE1Gk6/VuDlnU", "hash_encryption": "xxtea", "hash_type": "sha512" } ``` ## Install Be sure to update your config.json file to have a passphrase that was generated by execgaurd --newKey... ``` cd execgaurd sudo mkdir -p /etc/execguard/ go build -o execguard ./execguard --newKey ## Copy the passphrase key into your clipboard. sudo cp config.json.example /etc/execguard/config.json sudo nano /etc/execguard/config.json ## Paste your passphrase into the config.json file and save. sudo mv execguard /usr/local/bin/ sudo execguard --update $(pwd)/update_bins.sh sudo execguard --update $(pwd)/sys_update.sh sudo ./update_bins.sh sudo execguard --init ``` Ctrl+C to exit from execgaurd when done loading programs to allow. # Run a Service Kind of Dangerious!!: ``` sudo cp execguard.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now execguard sudo service execguard status ``` Reboot, to have all Boot programs, load into learning mode. Make sure that --init is running on the service file. ## Check the Logs! ``` sudo tail /var/log/execguard.log ``` Look out for - Found unauthorized executable: /path/to/program # Update allowed list ``` sudo execguard --update /path/to/program REPLACE /path/to/program with that found in the Log file. ``` # Once done initializing the System: ``` sudo nano /etc/systemd/system/execguard.service [Service] ExecStart=/usr/local/bin/execguard --init REMOVE the --init from ExecStart command ``` Reboot. # Disable Auto-Updates ``` sudo systemctl disable --now apt-daily.timer sudo systemctl disable --now apt-daily-upgrade.timer sudo nano /etc/apt/apt.conf.d/20auto-upgrades APT::Periodic::Update-Package-Lists "0"; APT::Periodic::Unattended-Upgrade "0"; sudo apt remove unattended-upgrades ``` # Manual System Updates via Apt ``` ./sys_update.sh ``` # Migrations Changes made to passwords, hashes on system with existing data on allowed.db database...need to be migrated. ``` sudo service execguard stop sudo ./execguard --migrate # Test afterword: sudo ./execgaurd # If successful: sudo service execguard start ```