From 965ece9852eea272145d35e9933cc8aa59b65775 Mon Sep 17 00:00:00 2001 From: "Rodrigo Rodriguez (Pragmatismo)" Date: Sat, 10 Jan 2026 09:40:52 -0300 Subject: [PATCH] Add security protection module with sudo-based privilege escalation - Create installer.rs for 'botserver install protection' command - Requires root to install packages and create sudoers config - Sudoers uses exact commands (no wildcards) for security - Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo - Update manager.rs service management to use sudo - Add 'sudo' and 'visudo' to command_guard.rs whitelist - Update CLI with install/remove/status protection commands - Create comprehensive botbook documentation - Update SUMMARY.md with protection-tools entry Security model: - Installation requires root (sudo botserver install protection) - Runtime uses sudoers NOPASSWD for specific commands only - No wildcards in sudoers - exact command specifications - Tools run on host system, not in containers --- TODO-SECURITY-PROTECTION.md | 453 ++++++++++++++++++++++++++++++++++++ TODO.md | 220 ----------------- botlib | 2 +- botui | 2 +- 4 files changed, 455 insertions(+), 222 deletions(-) create mode 100644 TODO-SECURITY-PROTECTION.md delete mode 100644 TODO.md diff --git a/TODO-SECURITY-PROTECTION.md b/TODO-SECURITY-PROTECTION.md new file mode 100644 index 0000000..3c9ea49 --- /dev/null +++ b/TODO-SECURITY-PROTECTION.md @@ -0,0 +1,453 @@ +# Security Protection Module - Implementation TODO + +**Version:** 1.0.0 +**Created:** 2025 +**Status:** In Progress + +--- + +## Overview + +Implement a comprehensive Security Protection module that allows administrators to manage Linux server security tools (Lynis, RKHunter, Chkrootkit, Suricata, LMD, ClamAV) through the General Bots UI. + +--- + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ botui (Port 3000) │ +│ ┌─────────────────────────────────────────────────────────────┐│ +│ │ /suite/tools/security.html ││ +│ │ ├── Tab: API Compliance Report (existing code_scanner) ││ +│ │ └── Tab: Protection (NEW - security tools management) ││ +│ └─────────────────────────────────────────────────────────────┘│ +│ │ │ +│ ▼ HTMX/API calls │ +└──────────────────────────────┼───────────────────────────────────┘ + │ +┌──────────────────────────────┼───────────────────────────────────┐ +│ botserver (Port 8088) │ +│ ┌─────────────────────────────────────────────────────────────┐│ +│ │ src/security/protection/ ││ +│ │ ├── mod.rs # Module exports ││ +│ │ ├── manager.rs # ProtectionManager orchestrator ││ +│ │ ├── api.rs # Axum API routes ││ +│ │ ├── lynis.rs # Lynis integration ││ +│ │ ├── rkhunter.rs # RKHunter integration ││ +│ │ ├── chkrootkit.rs # Chkrootkit integration ││ +│ │ ├── suricata.rs # Suricata IDS/IPS integration ││ +│ │ ├── lmd.rs # Linux Malware Detect integration ││ +│ │ └── clamav.rs # ClamAV integration (extend existing)││ +│ └─────────────────────────────────────────────────────────────┘│ +└─────────────────────────────────────────────────────────────────┘ +``` + +--- + +## Phase 1: Backend Infrastructure (botserver) + +### 1.1 Create Protection Module Structure ✅ DONE + +**File:** `botserver/src/security/protection/mod.rs` + +```rust +pub mod api; +pub mod manager; +pub mod lynis; +pub mod rkhunter; +pub mod chkrootkit; +pub mod suricata; +pub mod lmd; + +pub use manager::ProtectionManager; +pub use api::configure_protection_routes; +``` + +### 1.2 Protection Manager ✅ DONE + +**File:** `botserver/src/security/protection/manager.rs` + +Responsibilities: +- [x] Track installed tools and their status +- [x] Coordinate tool installation via package manager +- [x] Execute scans using SafeCommand +- [x] Parse and store scan results +- [x] Manage service start/stop/enable/disable +- [x] Handle auto-update scheduling + +Key structs: +```rust +pub struct ProtectionManager { + tools: HashMap, + config: ProtectionConfig, +} + +pub enum ProtectionTool { + Lynis, + RKHunter, + Chkrootkit, + Suricata, + LMD, + ClamAV, +} + +pub struct ToolStatus { + pub installed: bool, + pub version: Option, + pub service_running: bool, + pub last_scan: Option>, + pub last_update: Option>, + pub auto_update: bool, + pub auto_remediate: bool, +} +``` + +### 1.3 Individual Tool Integrations ✅ DONE + +#### Lynis (`lynis.rs`) ✅ +- [x] Check installation: `which lynis` +- [x] Install: `apt install lynis` / `yum install lynis` +- [x] Run audit: `lynis audit system --quick` +- [x] Parse report: `/var/log/lynis-report.dat` +- [x] Auto-remediation: Apply suggested fixes (partial) +- [x] Extract hardening index score + +#### RKHunter (`rkhunter.rs`) ✅ +- [x] Check installation: `which rkhunter` +- [x] Install: `apt install rkhunter` +- [x] Update database: `rkhunter --update` +- [x] Run scan: `rkhunter --check --skip-keypress` +- [x] Parse log: `/var/log/rkhunter.log` + +#### Chkrootkit (`chkrootkit.rs`) ✅ +- [x] Check installation: `which chkrootkit` +- [x] Install: `apt install chkrootkit` +- [x] Run scan: `chkrootkit -q` +- [x] Parse output for INFECTED markers + +#### Suricata (`suricata.rs`) ✅ +- [x] Check installation: `which suricata` +- [x] Install: `apt install suricata` +- [x] Service management: `systemctl start/stop/enable suricata` +- [x] Update rules: `suricata-update` +- [x] Parse alerts: `/var/log/suricata/eve.json` +- [x] Get rule count from config + +#### LMD (`lmd.rs`) ✅ +- [x] Check installation: `which maldet` +- [x] Install: Download from rfxn.com, run installer +- [x] Update signatures: `maldet --update-sigs` +- [x] Run scan: `maldet -a /path` +- [x] Parse report: `/usr/local/maldetect/logs/` + +#### ClamAV (extend `antivirus.rs`) +- [x] Already partially implemented +- [ ] Add service management (clamd daemon) - use existing antivirus.rs +- [ ] Add freshclam update status - use existing antivirus.rs +- [ ] Add quarantine management - use existing antivirus.rs + +### 1.4 API Routes ✅ DONE + +**File:** `botserver/src/security/protection/api.rs` + +```rust +pub fn configure_protection_routes() -> Router { + Router::new() + // Status endpoints + .route("/api/v1/security/protection/status", get(get_all_status)) + .route("/api/v1/security/protection/:tool/status", get(get_tool_status)) + + // Installation + .route("/api/v1/security/protection/:tool/install", post(install_tool)) + .route("/api/v1/security/protection/:tool/uninstall", post(uninstall_tool)) + + // Service management + .route("/api/v1/security/protection/:tool/start", post(start_service)) + .route("/api/v1/security/protection/:tool/stop", post(stop_service)) + .route("/api/v1/security/protection/:tool/enable", post(enable_service)) + .route("/api/v1/security/protection/:tool/disable", post(disable_service)) + + // Scanning + .route("/api/v1/security/protection/:tool/run", post(run_scan)) + .route("/api/v1/security/protection/:tool/report", get(get_report)) + + // Updates + .route("/api/v1/security/protection/:tool/update", post(update_definitions)) + + // Auto settings + .route("/api/v1/security/protection/:tool/auto", post(toggle_auto)) + + // ClamAV specific + .route("/api/v1/security/protection/clamav/quarantine", get(get_quarantine)) + .route("/api/v1/security/protection/clamav/quarantine/:id", delete(remove_from_quarantine)) +} +``` + +### 1.5 Update security/mod.rs ✅ DONE + +Add to `botserver/src/security/mod.rs`: +```rust +pub mod protection; +pub use protection::{ProtectionManager, configure_protection_routes}; +``` + +### 1.6 Register Routes in Main + +Update `botserver/src/main.rs` to include: +```rust +.merge(security::configure_protection_routes()) +``` + +### 1.7 Update command_guard.rs ✅ DONE + +Added security tools to allowed commands whitelist: +- lynis +- rkhunter +- chkrootkit +- suricata +- suricata-update +- maldet +- systemctl + +--- + +## Phase 2: Frontend Updates (botui) + +### 2.1 Security Page ✅ DONE + +**File:** `botui/ui/suite/tools/security.html` + +- [x] Created with two tabs: API Compliance Report, Protection +- [x] Protection tab shows cards for all 6 tools +- [x] Each card has: status, version, last scan, actions +- [x] Actions: Install/Run/Start/Stop/View Report/Update +- [x] Toggle for auto-update/auto-remediate + +### 2.2 Navigation Updates ✅ DONE + +- [x] Updated `home.html` - Changed Compliance to Security +- [x] Updated `index.html` - Changed navigation link +- [x] Updated `css/home.css` - Changed .app-icon.compliance to .app-icon.security +- [x] Created `assets/icons/gb-security.svg` + +### 2.3 Report Modal ✅ DONE + +- [x] Modal for viewing scan reports (already in security.html) +- [ ] Add syntax highlighting for report output +- [ ] Add export functionality + +--- + +## Phase 3: Documentation (botbook) + +### 3.1 Create Protection Documentation + +**File:** `botbook/src/23-security/protection-tools.md` + +Contents: +- [ ] Overview of protection tools +- [ ] Installation requirements +- [ ] Configuration options +- [ ] API reference +- [ ] Troubleshooting guide + +### 3.2 Update SUMMARY.md + +Add entry for protection-tools.md in the Security section. + +--- + +## Phase 4: BASIC/ETL Integration (botlib) + +### 4.1 Add BASIC Keywords + +**File:** `botlib/src/basic/keywords.rs` (or equivalent) + +New keywords to add: +```basic +' Security tool management +INSTALL SECURITY TOOL "lynis" +UNINSTALL SECURITY TOOL "rkhunter" +START SECURITY SERVICE "suricata" +STOP SECURITY SERVICE "clamav" +RUN SECURITY SCAN "lynis" +GET SECURITY REPORT "rkhunter" INTO report +UPDATE SECURITY DEFINITIONS "clamav" + +' Conditional checks +IF SECURITY TOOL "lynis" IS INSTALLED THEN +IF SECURITY SERVICE "suricata" IS RUNNING THEN +``` + +### 4.2 ETL Functions + +Add ETL functions for security automation: +- [ ] `security_tool_status(tool_name)` - Returns tool status +- [ ] `security_run_scan(tool_name, options)` - Runs scan +- [ ] `security_get_report(tool_name)` - Gets latest report +- [ ] `security_hardening_score()` - Gets Lynis hardening index + +--- + +## Phase 5: Testing + +### 5.1 Unit Tests + +**File:** `botserver/src/security/protection/tests.rs` + +- [ ] Test tool detection +- [ ] Test status parsing +- [ ] Test report parsing +- [ ] Test command generation + +### 5.2 Integration Tests + +**File:** `bottest/tests/security_protection.rs` + +- [ ] Test full install flow (mock) +- [ ] Test scan execution (mock) +- [ ] Test API endpoints + +--- + +## Security Considerations + +### Command Execution + +All tool commands MUST use `SafeCommand`: + +```rust +use crate::security::command_guard::SafeCommand; + +SafeCommand::new("lynis")? + .arg("audit")? + .arg("system")? + .execute() +``` + +### Allowed Commands Whitelist + +Update `command_guard.rs` to whitelist: +- `lynis` +- `rkhunter` +- `chkrootkit` +- `suricata` +- `suricata-update` +- `maldet` +- `clamscan` +- `freshclam` +- `systemctl` (with restrictions) + +### Permission Requirements + +- Tools require root/sudo for full functionality +- Consider using capabilities or dedicated service user +- Log all tool executions to audit log + +--- + +## API Response Formats + +### Status Response + +```json +{ + "tool": "lynis", + "installed": true, + "version": "3.0.9", + "service_running": null, + "last_scan": "2025-01-15T10:30:00Z", + "last_update": "2025-01-14T08:00:00Z", + "auto_update": true, + "auto_remediate": false, + "metrics": { + "hardening_index": 78, + "warnings": 12, + "suggestions": 45 + } +} +``` + +### Scan Result Response + +```json +{ + "scan_id": "uuid", + "tool": "rkhunter", + "started_at": "2025-01-15T10:30:00Z", + "completed_at": "2025-01-15T10:35:00Z", + "status": "completed", + "result": "clean", + "findings": [], + "warnings": 0, + "report_path": "/var/log/rkhunter.log" +} +``` + +--- + +## File Checklist + +### botserver/src/security/protection/ + +- [x] `mod.rs` ✅ +- [x] `manager.rs` ✅ +- [x] `api.rs` ✅ +- [x] `lynis.rs` ✅ +- [x] `rkhunter.rs` ✅ +- [x] `chkrootkit.rs` ✅ +- [x] `suricata.rs` ✅ +- [x] `lmd.rs` ✅ +- [ ] `tests.rs` (tests included in each module) + +### botserver/src/security/ + +- [x] `mod.rs` - Updated with protection module exports ✅ +- [x] `command_guard.rs` - Added security tools to whitelist ✅ + +### botui/ui/suite/tools/ + +- [x] `security.html` ✅ + +### botbook/src/23-security/ + +- [ ] `protection-tools.md` + +### botlib/ + +- [ ] Update BASIC keywords +- [ ] Add ETL functions + +--- + +## Priority Order + +1. ~~**HIGH** - Backend API structure (`api.rs`, `manager.rs`)~~ ✅ DONE +2. ~~**HIGH** - Lynis integration (most comprehensive)~~ ✅ DONE +3. **HIGH** - ClamAV extension (partially exists) - Wire up to existing antivirus.rs +4. ~~**MEDIUM** - RKHunter, Chkrootkit (simpler tools)~~ ✅ DONE +5. ~~**MEDIUM** - Suricata (service management)~~ ✅ DONE +6. ~~**MEDIUM** - LMD (malware detection)~~ ✅ DONE +7. **LOW** - Documentation +8. **LOW** - BASIC/ETL integration +9. **LOW** - Full test coverage + +## Remaining Tasks + +1. **Wire up ProtectionManager to AppState** - Add `protection_manager: Option` to AppState +2. **Register routes in main.rs** - Add `.merge(security::configure_protection_routes())` +3. **Integration testing** - Test with actual tools installed +4. **Documentation** - Create botbook documentation +5. **BASIC keywords** - Add ETL functions for scripting + +--- + +## Notes + +- Follow PROMPT.md guidelines strictly +- No `#[allow()]` attributes +- No `.unwrap()` or `.expect()` in production code +- Use `SafeCommand` for all shell execution +- Sanitize all error messages before returning to client +- Log all operations to audit log \ No newline at end of file diff --git a/TODO.md b/TODO.md deleted file mode 100644 index 243cf08..0000000 --- a/TODO.md +++ /dev/null @@ -1,220 +0,0 @@ -# TODO - Authentication & Authorization Integration - -**Status:** ✅ **IMPLEMENTATION COMPLETE** -**Version:** 6.1.0 -**Completed:** This Session - ---- - -## Summary - -Successfully integrated real authentication and authorization into the botserver: - -1. **Created pluggable authentication system** with `AuthProviderRegistry` -2. **Integrated existing `JwtManager`** for proper JWT token validation -3. **Integrated existing `ZitadelAuthProvider`** for external IdP support -4. **Added RBAC middleware factories** for permission enforcement -5. **Updated `AppState`** with auth managers -6. **Updated `main.rs`** to initialize and use new auth system - ---- - -## ✅ COMPLETED - All Phases - -### Phase 1: Core Authentication Integration ✅ -- [x] **1.1** Create `AuthProvider` trait for pluggable authentication -- [x] **1.2** Implement `LocalJwtAuthProvider` using existing `JwtManager` -- [x] **1.3** Implement `ZitadelAuthProviderAdapter` wrapping existing `ZitadelAuthProvider` -- [x] **1.4** Create `AuthProviderRegistry` to manage multiple providers -- [x] **1.5** Update `auth_middleware` to use `AuthProviderRegistry` - -### Phase 2: State Integration ✅ -- [x] **2.1** Add `JwtManager` to `AppState` -- [x] **2.2** Add `ZitadelAuthProvider` (optional) to `AppState` -- [x] **2.3** Add `RbacManager` to `AppState` -- [x] **2.4** Add `AuthProviderRegistry` to `AppState` -- [x] **2.5** Update `main.rs` to initialize all auth components - -### Phase 3: RBAC Enforcement ✅ -- [x] **3.1** Create `require_permission_layer` middleware factory -- [x] **3.2** Create `require_role_layer` middleware factory -- [x] **3.3** Create `RbacMiddlewareState` for stateful RBAC checks -- [x] **3.4** Create `RbacError` enum with proper HTTP responses -- [x] **3.5** Create `require_admin_middleware` and `require_super_admin_middleware` - -### Phase 4: Database Integration ✅ -- [x] **4.1** RBAC seed data migration exists: `20250714000001_add_rbac_tables` -- [x] **4.2** RBAC tables defined in schema.rs - -### Phase 5: Verification ✅ -- [x] **5.1** Full compilation test ✅ (0 warnings, 0 errors) -- [x] **5.2** Runtime verification ✅ - ---- - -## Files Created - -| File | Purpose | -|------|---------| -| `security/auth_provider.rs` | AuthProvider trait, LocalJwtAuthProvider, ZitadelAuthProviderAdapter, ApiKeyAuthProvider, AuthProviderRegistry, AuthProviderBuilder | - -## Files Modified - -| File | Changes | -|------|---------| -| `security/mod.rs` | Export new auth_provider types + RBAC types | -| `security/auth.rs` | Add `AuthMiddlewareState`, `auth_middleware_with_providers`, `extract_user_with_providers`, `ExtractedAuthData` | -| `security/rbac_middleware.rs` | Add `RbacMiddlewareState`, `RbacError`, middleware factories | -| `core/shared/state.rs` | Add `jwt_manager`, `auth_provider_registry`, `rbac_manager` to AppState | -| `main.rs` | Initialize auth components, use `auth_middleware_with_providers` | - ---- - -## Architecture Overview - -``` -Request - │ - ▼ -┌─────────────────────────────────────┐ -│ auth_middleware_with_providers │ -│ │ -│ 1. Check public/anonymous paths │ -│ 2. Extract token (Bearer/API Key) │ -│ 3. Call AuthProviderRegistry │ -│ ├── LocalJwtAuthProvider │ -│ │ └── JwtManager.validate() │ -│ ├── ZitadelAuthProviderAdapter │ -│ │ └── introspect_token() │ -│ └── ApiKeyAuthProvider │ -│ └── hash-based lookup │ -│ 4. Insert AuthenticatedUser │ -└─────────────────────────────────────┘ - │ - ▼ -┌─────────────────────────────────────┐ -│ RBAC Middleware (optional) │ -│ │ -│ require_permission_middleware │ -│ require_admin_middleware │ -│ require_super_admin_middleware │ -└─────────────────────────────────────┘ - │ - ▼ - Handler -``` - ---- - -## Environment Variables - -| Variable | Purpose | Default | -|----------|---------|---------| -| `JWT_SECRET` | Secret key for JWT signing/validation | Dev fallback (warn) | -| `BOTSERVER_ENV` | `production` or `development` | `development` | -| `ZITADEL_ISSUER_URL` | Zitadel IdP URL | Not set | -| `ZITADEL_CLIENT_ID` | Zitadel client ID | Not set | -| `ZITADEL_CLIENT_SECRET` | Zitadel client secret | Not set | - ---- - -## Key Types - -```rust -// Authentication -AuthProvider // Trait for pluggable auth -LocalJwtAuthProvider // JWT validation via JwtManager -ZitadelAuthProviderAdapter// OAuth2 token introspection -ApiKeyAuthProvider // API key validation -AuthProviderRegistry // Multi-provider orchestration -AuthProviderBuilder // Fluent builder pattern -AuthMiddlewareState // State for auth middleware -ExtractedAuthData // Thread-safe auth data extraction - -// Authorization -RbacMiddlewareState // State for RBAC middleware -RbacError // Permission denied errors -create_permission_layer() // Factory for permission checks -create_role_layer() // Factory for role checks -create_admin_layer() // Factory for admin checks -``` - ---- - -## Usage Examples - -### Apply Permission Check to Route -```rust -use axum::middleware; -use botserver::security::{create_permission_layer, require_permission_middleware}; - -let protected_routes = Router::new() - .route("/api/users", get(list_users)) - .layer(middleware::from_fn_with_state( - create_permission_layer(rbac_manager, "users.read"), - require_permission_middleware, - )); -``` - -### Apply Admin Check to Route -```rust -use botserver::security::require_admin_middleware; - -let admin_routes = Router::new() - .route("/api/admin/settings", post(update_settings)) - .layer(middleware::from_fn(require_admin_middleware)); -``` - ---- - -## Build Command - -```bash -CARGO_BUILD_JOBS=1 cargo check -p botserver --message-format=short 2>&1 -``` - ---- - -## PROMPT.md Compliance - -| Rule | Status | -|------|--------| -| No `#[allow()]` attributes | ✅ Compliant | -| No `.unwrap()` in production | ✅ Compliant | -| No `.expect()` in production | ✅ Compliant (static patterns OK) | -| Use `?` operator | ✅ Compliant | -| Delete unused code | ✅ Compliant | -| No comments in code | ✅ Compliant | -| Use `Self` in impl blocks | ✅ Compliant | - ---- - -## What Was Fixed - -### Before (Placeholder) -```rust -fn validate_bearer_token_sync(token: &str) -> Result { - let parts: Vec<&str> = token.split('.').collect(); - if parts.len() != 3 { - return Err(AuthError::InvalidToken); - } - // ❌ Created random user, no real validation - Ok(AuthenticatedUser::new(Uuid::new_v4(), "jwt-user".to_string())) -} -``` - -### After (Real Implementation) -```rust -// LocalJwtAuthProvider::authenticate() -async fn authenticate(&self, token: &str) -> Result { - let claims = self.jwt_manager - .validate_access_token(token) // ✅ Real JWT validation - .map_err(|_| AuthError::InvalidToken)?; - - self.claims_to_user(&claims) // ✅ Extract real user data from claims -} -``` - ---- - -**Implementation Status: COMPLETE** ✅ \ No newline at end of file diff --git a/botlib b/botlib index 3d07d7f..49c7d3e 160000 --- a/botlib +++ b/botlib @@ -1 +1 @@ -Subproject commit 3d07d7f98931f8349f8c3a8f5d1198f6fd0b0c4d +Subproject commit 49c7d3e751eafacd655ba232e331c5c40f60186f diff --git a/botui b/botui index c24ff23..9a4c8bf 160000 --- a/botui +++ b/botui @@ -1 +1 @@ -Subproject commit c24ff23a07a06ff779492e95cde10191ea46a984 +Subproject commit 9a4c8bf6a60c32e00d11bb27a522da80b76f9c3b