Exec Guardian
Robert fba73cd158 Patched email alerts, so it does not block everything...! 7 months ago
ExecGuard

Blocks unknown or changed programs from running. Please do not run on PROD!!! Do a full backup before installing! This is for educational use ONLY. Not fit for any real world system. Be aware that it is possible to lock yourself out of your own system with this program if it is not used right! Please look at the Go code, etc...

If LOCKED OUT:

Boot into a Linux Live USB disk. Then mount your hard drive, open the etc folder, right click and open it in a new Terminal. From the etc folder, change directory to systemd/system and move the service file out of the way:

cd systemd/system/
mv execguard.service ../opps.backup
reboot

About execguard --init

This will initialize the /etc/execguard/allowed.db SQLite3 database. It runs in learning mode: all programs will run as normal.

How it works:

NOTE: All executables that are not in allowed.db are blocked, so the protected_dirs config does not matter for whether a program is blocked! To add a program to the allowed.db database:

sudo execguard --update /THEPATH/TO/PROGRAM_GOES_HERE

Be careful when updating/adding to the allowed database, as the whole point is to block bad programs. However, your system needs to run things, so be wise... You should monitor the output of the log file:

tail -F /var/log/execguard.log

Make a key for xxtea

This will generate a new key phrase for you that is a safe size, to be placed inside your config.json file. Do this before you go live.

execguard --newKey

/etc/execguard/config.json

scan_interval is the number of minutes to wait before scanning the protected_dirs for executables that are not allowed to run; the scan will chmod -x those programs. If 0, the scan that removes the execute (x) bit is disabled. DO NOT ADD system bin paths to the protected dirs!!! Your system will fail to boot!!
skip_dirs are directories to skip inside of the protected_dirs.
alert_email is where to send alerts besides the /var/log/execguard.log file. If alert_email is an empty string, no emails will be sent...
hash_encryption takes one of the following: none, xor, or xxtea.
passphrase is used with xor or xxtea to protect against people injecting hashes into the database to make a bad program run.
hash_type is either sha256 or sha512. sha512 is better for security and sha256 is better for performance, maybe...

{
    "scan_interval": 0,
    "protected_dirs": ["/home"],
    "skip_dirs": [".cache",".git"],
    "alert_email": "root@localhost",
    "passphrase": "cdzTE1Gk6/VuDlnU",
    "hash_encryption": "xxtea",
    "hash_type": "sha512"
}
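To make the scan_interval / protected_dirs / skip_dirs / hash_type settings above concrete, here is an added example (not ExecGuard's own code) that performs the same kind of scan as a dry run: it walks the protected dirs, skips directories named in skip_dirs, hashes every file with an execute bit using the chosen hash_type, and reports the ones whose digest is not in the allowlist instead of chmod -x'ing them. HashFile and ScanProtected are names assumed here.

```go
package main

// Added example, not ExecGuard's own code: a dry run of the protected_dirs scan the README
// describes. It walks each protected dir, skips directories named in skip_dirs, hashes every
// file that has an execute bit using hash_type, and lists files whose hash is not allowlisted.
import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// HashFile returns the hex digest of path using the configured hash_type ("sha256" or "sha512").
func HashFile(path, hashType string) (string, error) {
	h := sha512.New()
	if hashType == "sha256" { h = sha256.New() }
	f, err := os.Open(path)
	if err != nil { return "", err }
	defer f.Close()
	if _, err := io.Copy(h, f); err != nil { return "", err }
	return hex.EncodeToString(h.Sum(nil)), nil
}

// ScanProtected takes protected_dirs, skip_dirs and hash_type from config.json plus the set of
// allowed digests, and returns executables whose digest is missing (ExecGuard would chmod -x them).
func ScanProtected(dirs, skipDirs []string, hashType string, allowed map[string]bool) (found []string, err error) {
	skip := map[string]bool{}
	for _, d := range skipDirs { skip[d] = true }
	for _, root := range dirs {
		err = filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
			if err != nil { return err }
			if info.IsDir() && skip[info.Name()] { return filepath.SkipDir }
			if info.IsDir() || info.Mode()&0o111 == 0 { return nil } // only executables are candidates
			sum, err := HashFile(p, hashType)
			if err != nil { return err }
			if !allowed[sum] { found = append(found, p) }
			return nil
		})
		if err != nil { return nil, err }
	}
	return found, nil
}

func main() { // usage: go run . /home   (empty allowlist, so every executable is reported)
	found, err := ScanProtected(os.Args[1:], []string{".cache", ".git"}, "sha512", nil)
	fmt.Println(found, err)
}
```

Running it against a directory with an empty allowlist mirrors the "Found unauthorized executable" lines you would otherwise watch for in /var/log/execguard.log, without touching any file modes.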

Install

Be sure to update your config.json file to have a passphrase that was generated by execguard --newKey...

cd execguard
sudo mkdir -p /etc/execguard/
go build -o execguard
./execguard --newKey
## Copy the passphrase key into your clipboard.
sudo cp config.json.example /etc/execguard/config.json
sudo nano /etc/execguard/config.json
## Paste your passphrase into the config.json file and save.

sudo mv execguard /usr/local/bin/
sudo execguard --update $(pwd)/update_bins.sh 
sudo execguard --update $(pwd)/sys_update.sh
sudo ./update_bins.sh
sudo execguard --init

Ctrl+C to exit from execguard when done loading the programs to allow.

Run a Service

Kind of Dangerous!!:

sudo cp execguard.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now execguard
sudo service execguard status

Reboot so that all boot-time programs are loaded in learning mode. Make sure that --init is still on the ExecStart line in the service file.

Check the Logs!

sudo tail /var/log/execguard.log

Look out for lines like: Found unauthorized executable: /path/to/program

Update allowed list

sudo execguard --update /path/to/program
REPLACE /path/to/program with the path found in the log file.

Once done initializing the System:

sudo nano /etc/systemd/system/execguard.service
[Service]
ExecStart=/usr/local/bin/execguard --init

REMOVE --init from the ExecStart command.

Reboot.

Disable Auto-Updates

sudo systemctl disable --now apt-daily.timer
sudo systemctl disable --now apt-daily-upgrade.timer
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";
sudo apt remove unattended-upgrades

Manual System Updates via Apt

./sys_update.sh

Migrations

Changes made to the passphrase or hash settings on a system that already has data in the allowed.db database need to be migrated.

sudo service execguard stop
sudo ./execguard --migrate
# Test afterward:
sudo ./execguard
# If successful:
sudo service execguard start