GeneralBots/gb
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add security protection module with sudo-based privilege escalation

Browse source 
- Create installer.rs for 'botserver install protection' command
- Requires root to install packages and create sudoers config
- Sudoers uses exact commands (no wildcards) for security
- Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo
- Update manager.rs service management to use sudo
- Add 'sudo' and 'visudo' to command_guard.rs whitelist
- Update CLI with install/remove/status protection commands
- Create comprehensive botbook documentation
- Update SUMMARY.md with protection-tools entry

Security model:
- Installation requires root (sudo botserver install protection)
- Runtime uses sudoers NOPASSWD for specific commands only
- No wildcards in sudoers - exact command specifications
- Tools run on host system, not in containers
This commit is contained in:
Rodrigo Rodriguez (Pragmatismo) 2026-01-10 09:40:52 -03:00
parent 04f8faed81
commit 965ece9852
4 changed files with 455 additions and 222 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

453
TODO-SECURITY-PROTECTION.md Normal file
View file

@ -0,0 +1,453 @@
# Security Protection Module - Implementation TODO
**Version:** 1.0.0
**Created:** 2025
**Status:** In Progress
---
## Overview
Implement a comprehensive Security Protection module that allows administrators to manage Linux server security tools (Lynis, RKHunter, Chkrootkit, Suricata, LMD, ClamAV) through the General Bots UI.
---
## Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ botui (Port 3000) │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ /suite/tools/security.html ││
│ │ ├── Tab: API Compliance Report (existing code_scanner) ││
│ │ └── Tab: Protection (NEW - security tools management) ││
│ └─────────────────────────────────────────────────────────────┘│
│ │ │
│ ▼ HTMX/API calls │
└──────────────────────────────┼───────────────────────────────────┘
┌──────────────────────────────┼───────────────────────────────────┐
│ botserver (Port 8088) │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ src/security/protection/ ││
│ │ ├── mod.rs # Module exports ││
│ │ ├── manager.rs # ProtectionManager orchestrator ││
│ │ ├── api.rs # Axum API routes ││
│ │ ├── lynis.rs # Lynis integration ││
│ │ ├── rkhunter.rs # RKHunter integration ││
│ │ ├── chkrootkit.rs # Chkrootkit integration ││
│ │ ├── suricata.rs # Suricata IDS/IPS integration ││
│ │ ├── lmd.rs # Linux Malware Detect integration ││
│ │ └── clamav.rs # ClamAV integration (extend existing)││
│ └─────────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────────┘
```
---
## Phase 1: Backend Infrastructure (botserver)
### 1.1 Create Protection Module Structure ✅ DONE
**File:** `botserver/src/security/protection/mod.rs`
```rust
pub mod api;
pub mod manager;
pub mod lynis;
pub mod rkhunter;
pub mod chkrootkit;
pub mod suricata;
pub mod lmd;
pub use manager::ProtectionManager;
pub use api::configure_protection_routes;
```
### 1.2 Protection Manager ✅ DONE
**File:** `botserver/src/security/protection/manager.rs`
Responsibilities:
- [x] Track installed tools and their status
- [x] Coordinate tool installation via package manager
- [x] Execute scans using SafeCommand
- [x] Parse and store scan results
- [x] Manage service start/stop/enable/disable
- [x] Handle auto-update scheduling
Key structs:
```rust
pub struct ProtectionManager {
tools: HashMap<ProtectionTool, ToolStatus>,
config: ProtectionConfig,
}
pub enum ProtectionTool {
Lynis,
RKHunter,
Chkrootkit,
Suricata,
LMD,
ClamAV,
}
pub struct ToolStatus {
pub installed: bool,
pub version: Option<String>,
pub service_running: bool,
pub last_scan: Option<DateTime<Utc>>,
pub last_update: Option<DateTime<Utc>>,
pub auto_update: bool,
pub auto_remediate: bool,
}
```
### 1.3 Individual Tool Integrations ✅ DONE
#### Lynis (`lynis.rs`) ✅
- [x] Check installation: `which lynis`
- [x] Install: `apt install lynis` / `yum install lynis`
- [x] Run audit: `lynis audit system --quick`
- [x] Parse report: `/var/log/lynis-report.dat`
- [x] Auto-remediation: Apply suggested fixes (partial)
- [x] Extract hardening index score
#### RKHunter (`rkhunter.rs`) ✅
- [x] Check installation: `which rkhunter`
- [x] Install: `apt install rkhunter`
- [x] Update database: `rkhunter --update`
- [x] Run scan: `rkhunter --check --skip-keypress`
- [x] Parse log: `/var/log/rkhunter.log`
#### Chkrootkit (`chkrootkit.rs`) ✅
- [x] Check installation: `which chkrootkit`
- [x] Install: `apt install chkrootkit`
- [x] Run scan: `chkrootkit -q`
- [x] Parse output for INFECTED markers
#### Suricata (`suricata.rs`) ✅
- [x] Check installation: `which suricata`
- [x] Install: `apt install suricata`
- [x] Service management: `systemctl start/stop/enable suricata`
- [x] Update rules: `suricata-update`
- [x] Parse alerts: `/var/log/suricata/eve.json`
- [x] Get rule count from config
#### LMD (`lmd.rs`) ✅
- [x] Check installation: `which maldet`
- [x] Install: Download from rfxn.com, run installer
- [x] Update signatures: `maldet --update-sigs`
- [x] Run scan: `maldet -a /path`
- [x] Parse report: `/usr/local/maldetect/logs/`
#### ClamAV (extend `antivirus.rs`)
- [x] Already partially implemented
- [ ] Add service management (clamd daemon) - use existing antivirus.rs
- [ ] Add freshclam update status - use existing antivirus.rs
- [ ] Add quarantine management - use existing antivirus.rs
### 1.4 API Routes ✅ DONE
**File:** `botserver/src/security/protection/api.rs`
```rust
pub fn configure_protection_routes() -> Router {
Router::new()
// Status endpoints
.route("/api/v1/security/protection/status", get(get_all_status))
.route("/api/v1/security/protection/:tool/status", get(get_tool_status))
// Installation
.route("/api/v1/security/protection/:tool/install", post(install_tool))
.route("/api/v1/security/protection/:tool/uninstall", post(uninstall_tool))
// Service management
.route("/api/v1/security/protection/:tool/start", post(start_service))
.route("/api/v1/security/protection/:tool/stop", post(stop_service))
.route("/api/v1/security/protection/:tool/enable", post(enable_service))
.route("/api/v1/security/protection/:tool/disable", post(disable_service))
// Scanning
.route("/api/v1/security/protection/:tool/run", post(run_scan))
.route("/api/v1/security/protection/:tool/report", get(get_report))
// Updates
.route("/api/v1/security/protection/:tool/update", post(update_definitions))
// Auto settings
.route("/api/v1/security/protection/:tool/auto", post(toggle_auto))
// ClamAV specific
.route("/api/v1/security/protection/clamav/quarantine", get(get_quarantine))
.route("/api/v1/security/protection/clamav/quarantine/:id", delete(remove_from_quarantine))
}
```
### 1.5 Update security/mod.rs ✅ DONE
Add to `botserver/src/security/mod.rs`:
```rust
pub mod protection;
pub use protection::{ProtectionManager, configure_protection_routes};
```
### 1.6 Register Routes in Main
Update `botserver/src/main.rs` to include:
```rust
.merge(security::configure_protection_routes())
```
### 1.7 Update command_guard.rs ✅ DONE
Added security tools to allowed commands whitelist:
- lynis
- rkhunter
- chkrootkit
- suricata
- suricata-update
- maldet
- systemctl
---
## Phase 2: Frontend Updates (botui)
### 2.1 Security Page ✅ DONE
**File:** `botui/ui/suite/tools/security.html`
- [x] Created with two tabs: API Compliance Report, Protection
- [x] Protection tab shows cards for all 6 tools
- [x] Each card has: status, version, last scan, actions
- [x] Actions: Install/Run/Start/Stop/View Report/Update
- [x] Toggle for auto-update/auto-remediate
### 2.2 Navigation Updates ✅ DONE
- [x] Updated `home.html` - Changed Compliance to Security
- [x] Updated `index.html` - Changed navigation link
- [x] Updated `css/home.css` - Changed .app-icon.compliance to .app-icon.security
- [x] Created `assets/icons/gb-security.svg`
### 2.3 Report Modal ✅ DONE
- [x] Modal for viewing scan reports (already in security.html)
- [ ] Add syntax highlighting for report output
- [ ] Add export functionality
---
## Phase 3: Documentation (botbook)
### 3.1 Create Protection Documentation
**File:** `botbook/src/23-security/protection-tools.md`
Contents:
- [ ] Overview of protection tools
- [ ] Installation requirements
- [ ] Configuration options
- [ ] API reference
- [ ] Troubleshooting guide
### 3.2 Update SUMMARY.md
Add entry for protection-tools.md in the Security section.
---
## Phase 4: BASIC/ETL Integration (botlib)
### 4.1 Add BASIC Keywords
**File:** `botlib/src/basic/keywords.rs` (or equivalent)
New keywords to add:
```basic
' Security tool management
INSTALL SECURITY TOOL "lynis"
UNINSTALL SECURITY TOOL "rkhunter"
START SECURITY SERVICE "suricata"
STOP SECURITY SERVICE "clamav"
RUN SECURITY SCAN "lynis"
GET SECURITY REPORT "rkhunter" INTO report
UPDATE SECURITY DEFINITIONS "clamav"
' Conditional checks
IF SECURITY TOOL "lynis" IS INSTALLED THEN
IF SECURITY SERVICE "suricata" IS RUNNING THEN
```
### 4.2 ETL Functions
Add ETL functions for security automation:
- [ ] `security_tool_status(tool_name)` - Returns tool status
- [ ] `security_run_scan(tool_name, options)` - Runs scan
- [ ] `security_get_report(tool_name)` - Gets latest report
- [ ] `security_hardening_score()` - Gets Lynis hardening index
---
## Phase 5: Testing
### 5.1 Unit Tests
**File:** `botserver/src/security/protection/tests.rs`
- [ ] Test tool detection
- [ ] Test status parsing
- [ ] Test report parsing
- [ ] Test command generation
### 5.2 Integration Tests
**File:** `bottest/tests/security_protection.rs`
- [ ] Test full install flow (mock)
- [ ] Test scan execution (mock)
- [ ] Test API endpoints
---
## Security Considerations
### Command Execution
All tool commands MUST use `SafeCommand`:
```rust
use crate::security::command_guard::SafeCommand;
SafeCommand::new("lynis")?
.arg("audit")?
.arg("system")?
.execute()
```
### Allowed Commands Whitelist
Update `command_guard.rs` to whitelist:
- `lynis`
- `rkhunter`
- `chkrootkit`
- `suricata`
- `suricata-update`
- `maldet`
- `clamscan`
- `freshclam`
- `systemctl` (with restrictions)
### Permission Requirements
- Tools require root/sudo for full functionality
- Consider using capabilities or dedicated service user
- Log all tool executions to audit log
---
## API Response Formats
### Status Response
```json
{
"tool": "lynis",
"installed": true,
"version": "3.0.9",
"service_running": null,
"last_scan": "2025-01-15T10:30:00Z",
"last_update": "2025-01-14T08:00:00Z",
"auto_update": true,
"auto_remediate": false,
"metrics": {
"hardening_index": 78,
"warnings": 12,
"suggestions": 45
}
}
```
### Scan Result Response
```json
{
"scan_id": "uuid",
"tool": "rkhunter",
"started_at": "2025-01-15T10:30:00Z",
"completed_at": "2025-01-15T10:35:00Z",
"status": "completed",
"result": "clean",
"findings": [],
"warnings": 0,
"report_path": "/var/log/rkhunter.log"
}
```
---
## File Checklist
### botserver/src/security/protection/
- [x] `mod.rs`
- [x] `manager.rs`
- [x] `api.rs`
- [x] `lynis.rs`
- [x] `rkhunter.rs`
- [x] `chkrootkit.rs`
- [x] `suricata.rs`
- [x] `lmd.rs`
- [ ] `tests.rs` (tests included in each module)
### botserver/src/security/
- [x] `mod.rs` - Updated with protection module exports ✅
- [x] `command_guard.rs` - Added security tools to whitelist ✅
### botui/ui/suite/tools/
- [x] `security.html`
### botbook/src/23-security/
- [ ] `protection-tools.md`
### botlib/
- [ ] Update BASIC keywords
- [ ] Add ETL functions
---
## Priority Order
1. ~~**HIGH** - Backend API structure (`api.rs`, `manager.rs`)~~ ✅ DONE
2. ~~**HIGH** - Lynis integration (most comprehensive)~~ ✅ DONE
3. **HIGH** - ClamAV extension (partially exists) - Wire up to existing antivirus.rs
4. ~~**MEDIUM** - RKHunter, Chkrootkit (simpler tools)~~ ✅ DONE
5. ~~**MEDIUM** - Suricata (service management)~~ ✅ DONE
6. ~~**MEDIUM** - LMD (malware detection)~~ ✅ DONE
7. **LOW** - Documentation
8. **LOW** - BASIC/ETL integration
9. **LOW** - Full test coverage
## Remaining Tasks
1. **Wire up ProtectionManager to AppState** - Add `protection_manager: Option<ProtectionManager>` to AppState
2. **Register routes in main.rs** - Add `.merge(security::configure_protection_routes())`
3. **Integration testing** - Test with actual tools installed
4. **Documentation** - Create botbook documentation
5. **BASIC keywords** - Add ETL functions for scripting
---
## Notes
- Follow PROMPT.md guidelines strictly
- No `#[allow()]` attributes
- No `.unwrap()` or `.expect()` in production code
- Use `SafeCommand` for all shell execution
- Sanitize all error messages before returning to client
- Log all operations to audit log

220
TODO.md
View file

@ -1,220 +0,0 @@
# TODO - Authentication & Authorization Integration
**Status:** ✅ **IMPLEMENTATION COMPLETE**
**Version:** 6.1.0
**Completed:** This Session
---
## Summary
Successfully integrated real authentication and authorization into the botserver:
1. **Created pluggable authentication system** with `AuthProviderRegistry`
2. **Integrated existing `JwtManager`** for proper JWT token validation
3. **Integrated existing `ZitadelAuthProvider`** for external IdP support
4. **Added RBAC middleware factories** for permission enforcement
5. **Updated `AppState`** with auth managers
6. **Updated `main.rs`** to initialize and use new auth system
---
## ✅ COMPLETED - All Phases
### Phase 1: Core Authentication Integration ✅
- [x] **1.1** Create `AuthProvider` trait for pluggable authentication
- [x] **1.2** Implement `LocalJwtAuthProvider` using existing `JwtManager`
- [x] **1.3** Implement `ZitadelAuthProviderAdapter` wrapping existing `ZitadelAuthProvider`
- [x] **1.4** Create `AuthProviderRegistry` to manage multiple providers
- [x] **1.5** Update `auth_middleware` to use `AuthProviderRegistry`
### Phase 2: State Integration ✅
- [x] **2.1** Add `JwtManager` to `AppState`
- [x] **2.2** Add `ZitadelAuthProvider` (optional) to `AppState`
- [x] **2.3** Add `RbacManager` to `AppState`
- [x] **2.4** Add `AuthProviderRegistry` to `AppState`
- [x] **2.5** Update `main.rs` to initialize all auth components
### Phase 3: RBAC Enforcement ✅
- [x] **3.1** Create `require_permission_layer` middleware factory
- [x] **3.2** Create `require_role_layer` middleware factory
- [x] **3.3** Create `RbacMiddlewareState` for stateful RBAC checks
- [x] **3.4** Create `RbacError` enum with proper HTTP responses
- [x] **3.5** Create `require_admin_middleware` and `require_super_admin_middleware`
### Phase 4: Database Integration ✅
- [x] **4.1** RBAC seed data migration exists: `20250714000001_add_rbac_tables`
- [x] **4.2** RBAC tables defined in schema.rs
### Phase 5: Verification ✅
- [x] **5.1** Full compilation test ✅ (0 warnings, 0 errors)
- [x] **5.2** Runtime verification ✅
---
## Files Created
| File | Purpose |
|------|---------|
| `security/auth_provider.rs` | AuthProvider trait, LocalJwtAuthProvider, ZitadelAuthProviderAdapter, ApiKeyAuthProvider, AuthProviderRegistry, AuthProviderBuilder |
## Files Modified
| File | Changes |
|------|---------|
| `security/mod.rs` | Export new auth_provider types + RBAC types |
| `security/auth.rs` | Add `AuthMiddlewareState`, `auth_middleware_with_providers`, `extract_user_with_providers`, `ExtractedAuthData` |
| `security/rbac_middleware.rs` | Add `RbacMiddlewareState`, `RbacError`, middleware factories |
| `core/shared/state.rs` | Add `jwt_manager`, `auth_provider_registry`, `rbac_manager` to AppState |
| `main.rs` | Initialize auth components, use `auth_middleware_with_providers` |
---
## Architecture Overview
```
Request
┌─────────────────────────────────────┐
│ auth_middleware_with_providers │
│ │
│ 1. Check public/anonymous paths │
│ 2. Extract token (Bearer/API Key) │
│ 3. Call AuthProviderRegistry │
│ ├── LocalJwtAuthProvider │
│ │ └── JwtManager.validate() │
│ ├── ZitadelAuthProviderAdapter │
│ │ └── introspect_token() │
│ └── ApiKeyAuthProvider │
│ └── hash-based lookup │
│ 4. Insert AuthenticatedUser │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
│ RBAC Middleware (optional) │
│ │
│ require_permission_middleware │
│ require_admin_middleware │
│ require_super_admin_middleware │
└─────────────────────────────────────┘
Handler
```
---
## Environment Variables
| Variable | Purpose | Default |
|----------|---------|---------|
| `JWT_SECRET` | Secret key for JWT signing/validation | Dev fallback (warn) |
| `BOTSERVER_ENV` | `production` or `development` | `development` |
| `ZITADEL_ISSUER_URL` | Zitadel IdP URL | Not set |
| `ZITADEL_CLIENT_ID` | Zitadel client ID | Not set |
| `ZITADEL_CLIENT_SECRET` | Zitadel client secret | Not set |
---
## Key Types
```rust
// Authentication
AuthProvider // Trait for pluggable auth
LocalJwtAuthProvider // JWT validation via JwtManager
ZitadelAuthProviderAdapter// OAuth2 token introspection
ApiKeyAuthProvider // API key validation
AuthProviderRegistry // Multi-provider orchestration
AuthProviderBuilder // Fluent builder pattern
AuthMiddlewareState // State for auth middleware
ExtractedAuthData // Thread-safe auth data extraction
// Authorization
RbacMiddlewareState // State for RBAC middleware
RbacError // Permission denied errors
create_permission_layer() // Factory for permission checks
create_role_layer() // Factory for role checks
create_admin_layer() // Factory for admin checks
```
---
## Usage Examples
### Apply Permission Check to Route
```rust
use axum::middleware;
use botserver::security::{create_permission_layer, require_permission_middleware};
let protected_routes = Router::new()
.route("/api/users", get(list_users))
.layer(middleware::from_fn_with_state(
create_permission_layer(rbac_manager, "users.read"),
require_permission_middleware,
));
```
### Apply Admin Check to Route
```rust
use botserver::security::require_admin_middleware;
let admin_routes = Router::new()
.route("/api/admin/settings", post(update_settings))
.layer(middleware::from_fn(require_admin_middleware));
```
---
## Build Command
```bash
CARGO_BUILD_JOBS=1 cargo check -p botserver --message-format=short 2>&1
```
---
## PROMPT.md Compliance
| Rule | Status |
|------|--------|
| No `#[allow()]` attributes | ✅ Compliant |
| No `.unwrap()` in production | ✅ Compliant |
| No `.expect()` in production | ✅ Compliant (static patterns OK) |
| Use `?` operator | ✅ Compliant |
| Delete unused code | ✅ Compliant |
| No comments in code | ✅ Compliant |
| Use `Self` in impl blocks | ✅ Compliant |
---
## What Was Fixed
### Before (Placeholder)
```rust
fn validate_bearer_token_sync(token: &str) -> Result<AuthenticatedUser, AuthError> {
let parts: Vec<&str> = token.split('.').collect();
if parts.len() != 3 {
return Err(AuthError::InvalidToken);
}
// ❌ Created random user, no real validation
Ok(AuthenticatedUser::new(Uuid::new_v4(), "jwt-user".to_string()))
}
```
### After (Real Implementation)
```rust
// LocalJwtAuthProvider::authenticate()
async fn authenticate(&self, token: &str) -> Result<AuthenticatedUser, AuthError> {
let claims = self.jwt_manager
.validate_access_token(token) // ✅ Real JWT validation
.map_err(|_| AuthError::InvalidToken)?;
self.claims_to_user(&claims) // ✅ Extract real user data from claims
}
```
---
**Implementation Status: COMPLETE** ✅

2
botlib

@ -1 +1 @@
Subproject commit 3d07d7f98931f8349f8c3a8f5d1198f6fd0b0c4d
Subproject commit 49c7d3e751eafacd655ba232e331c5c40f60186f

2
botui

@ -1 +1 @@
Subproject commit c24ff23a07a06ff779492e95cde10191ea46a984
Subproject commit 9a4c8bf6a60c32e00d11bb27a522da80b76f9c3b