Rodrigo Rodriguez (Pragmatismo) 965ece9852 Add security protection module with sudo-based privilege escalation

- Create installer.rs for 'botserver install protection' command
- Requires root to install packages and create sudoers config
- Sudoers uses exact commands (no wildcards) for security
- Update all tool files (lynis, rkhunter, chkrootkit, suricata, lmd) to use sudo
- Update manager.rs service management to use sudo
- Add 'sudo' and 'visudo' to command_guard.rs whitelist
- Update CLI with install/remove/status protection commands
- Create comprehensive botbook documentation
- Update SUMMARY.md with protection-tools entry

Security model:
- Installation requires root (sudo botserver install protection)
- Runtime uses sudoers NOPASSWD for specific commands only
- No wildcards in sudoers - exact command specifications
- Tools run on host system, not in containers

2026-01-10 09:40:52 -03:00

14 KiB

Raw Permalink Blame History

Security Protection Module - Implementation TODO

Version: 1.0.0 Created: 2025 Status: In Progress

Overview

Implement a comprehensive Security Protection module that allows administrators to manage Linux server security tools (Lynis, RKHunter, Chkrootkit, Suricata, LMD, ClamAV) through the General Bots UI.

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                         botui (Port 3000)                        │
│  ┌─────────────────────────────────────────────────────────────┐│
│  │  /suite/tools/security.html                                 ││
│  │  ├── Tab: API Compliance Report (existing code_scanner)     ││
│  │  └── Tab: Protection (NEW - security tools management)      ││
│  └─────────────────────────────────────────────────────────────┘│
│                              │                                   │
│                              ▼ HTMX/API calls                    │
└──────────────────────────────┼───────────────────────────────────┘
                               │
┌──────────────────────────────┼───────────────────────────────────┐
│                         botserver (Port 8088)                    │
│  ┌─────────────────────────────────────────────────────────────┐│
│  │  src/security/protection/                                   ││
│  │  ├── mod.rs           # Module exports                      ││
│  │  ├── manager.rs       # ProtectionManager orchestrator      ││
│  │  ├── api.rs           # Axum API routes                     ││
│  │  ├── lynis.rs         # Lynis integration                   ││
│  │  ├── rkhunter.rs      # RKHunter integration                ││
│  │  ├── chkrootkit.rs    # Chkrootkit integration              ││
│  │  ├── suricata.rs      # Suricata IDS/IPS integration        ││
│  │  ├── lmd.rs           # Linux Malware Detect integration    ││
│  │  └── clamav.rs        # ClamAV integration (extend existing)││
│  └─────────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────────┘

Phase 1: Backend Infrastructure (botserver)

1.1 Create Protection Module Structure ✅ DONE

File: botserver/src/security/protection/mod.rs

pub mod api;
pub mod manager;
pub mod lynis;
pub mod rkhunter;
pub mod chkrootkit;
pub mod suricata;
pub mod lmd;

pub use manager::ProtectionManager;
pub use api::configure_protection_routes;

1.2 Protection Manager ✅ DONE

File: botserver/src/security/protection/manager.rs

Responsibilities:

Track installed tools and their status
Coordinate tool installation via package manager
Execute scans using SafeCommand
Parse and store scan results
Manage service start/stop/enable/disable
Handle auto-update scheduling

Key structs:

pub struct ProtectionManager {
    tools: HashMap<ProtectionTool, ToolStatus>,
    config: ProtectionConfig,
}

pub enum ProtectionTool {
    Lynis,
    RKHunter,
    Chkrootkit,
    Suricata,
    LMD,
    ClamAV,
}

pub struct ToolStatus {
    pub installed: bool,
    pub version: Option<String>,
    pub service_running: bool,
    pub last_scan: Option<DateTime<Utc>>,
    pub last_update: Option<DateTime<Utc>>,
    pub auto_update: bool,
    pub auto_remediate: bool,
}

1.3 Individual Tool Integrations ✅ DONE

Lynis (`lynis.rs`) ✅

Check installation: which lynis
Install: apt install lynis / yum install lynis
Run audit: lynis audit system --quick
Parse report: /var/log/lynis-report.dat
Auto-remediation: Apply suggested fixes (partial)
Extract hardening index score

RKHunter (`rkhunter.rs`) ✅

Check installation: which rkhunter
Install: apt install rkhunter
Update database: rkhunter --update
Run scan: rkhunter --check --skip-keypress
Parse log: /var/log/rkhunter.log

Chkrootkit (`chkrootkit.rs`) ✅

Check installation: which chkrootkit
Install: apt install chkrootkit
Run scan: chkrootkit -q
Parse output for INFECTED markers

Suricata (`suricata.rs`) ✅

Check installation: which suricata
Install: apt install suricata
Service management: systemctl start/stop/enable suricata
Update rules: suricata-update
Parse alerts: /var/log/suricata/eve.json
Get rule count from config

LMD (`lmd.rs`) ✅

Check installation: which maldet
Install: Download from rfxn.com, run installer
Update signatures: maldet --update-sigs
Run scan: maldet -a /path
Parse report: /usr/local/maldetect/logs/

ClamAV (extend `antivirus.rs`)

Already partially implemented
Add service management (clamd daemon) - use existing antivirus.rs
Add freshclam update status - use existing antivirus.rs
Add quarantine management - use existing antivirus.rs

1.4 API Routes ✅ DONE

File: botserver/src/security/protection/api.rs

pub fn configure_protection_routes() -> Router {
    Router::new()
        // Status endpoints
        .route("/api/v1/security/protection/status", get(get_all_status))
        .route("/api/v1/security/protection/:tool/status", get(get_tool_status))
        
        // Installation
        .route("/api/v1/security/protection/:tool/install", post(install_tool))
        .route("/api/v1/security/protection/:tool/uninstall", post(uninstall_tool))
        
        // Service management
        .route("/api/v1/security/protection/:tool/start", post(start_service))
        .route("/api/v1/security/protection/:tool/stop", post(stop_service))
        .route("/api/v1/security/protection/:tool/enable", post(enable_service))
        .route("/api/v1/security/protection/:tool/disable", post(disable_service))
        
        // Scanning
        .route("/api/v1/security/protection/:tool/run", post(run_scan))
        .route("/api/v1/security/protection/:tool/report", get(get_report))
        
        // Updates
        .route("/api/v1/security/protection/:tool/update", post(update_definitions))
        
        // Auto settings
        .route("/api/v1/security/protection/:tool/auto", post(toggle_auto))
        
        // ClamAV specific
        .route("/api/v1/security/protection/clamav/quarantine", get(get_quarantine))
        .route("/api/v1/security/protection/clamav/quarantine/:id", delete(remove_from_quarantine))
}

1.5 Update security/mod.rs ✅ DONE

Add to botserver/src/security/mod.rs:

pub mod protection;
pub use protection::{ProtectionManager, configure_protection_routes};

1.6 Register Routes in Main

Update botserver/src/main.rs to include:

.merge(security::configure_protection_routes())

1.7 Update command_guard.rs ✅ DONE

Added security tools to allowed commands whitelist:

lynis
rkhunter
chkrootkit
suricata
suricata-update
maldet
systemctl

Phase 2: Frontend Updates (botui)

2.1 Security Page ✅ DONE

File: botui/ui/suite/tools/security.html

Created with two tabs: API Compliance Report, Protection
Protection tab shows cards for all 6 tools
Each card has: status, version, last scan, actions
Actions: Install/Run/Start/Stop/View Report/Update
Toggle for auto-update/auto-remediate

Updated home.html - Changed Compliance to Security
Updated index.html - Changed navigation link
Updated css/home.css - Changed .app-icon.compliance to .app-icon.security
Created assets/icons/gb-security.svg

Modal for viewing scan reports (already in security.html)
Add syntax highlighting for report output
Add export functionality

Phase 3: Documentation (botbook)

3.1 Create Protection Documentation

File: botbook/src/23-security/protection-tools.md

Contents:

Overview of protection tools
Installation requirements
Configuration options
API reference
Troubleshooting guide

3.2 Update SUMMARY.md

Add entry for protection-tools.md in the Security section.

Phase 4: BASIC/ETL Integration (botlib)

4.1 Add BASIC Keywords

File: botlib/src/basic/keywords.rs (or equivalent)

New keywords to add:

' Security tool management
INSTALL SECURITY TOOL "lynis"
UNINSTALL SECURITY TOOL "rkhunter"
START SECURITY SERVICE "suricata"
STOP SECURITY SERVICE "clamav"
RUN SECURITY SCAN "lynis"
GET SECURITY REPORT "rkhunter" INTO report
UPDATE SECURITY DEFINITIONS "clamav"

' Conditional checks
IF SECURITY TOOL "lynis" IS INSTALLED THEN
IF SECURITY SERVICE "suricata" IS RUNNING THEN

4.2 ETL Functions

Add ETL functions for security automation:

security_tool_status(tool_name) - Returns tool status
security_run_scan(tool_name, options) - Runs scan
security_get_report(tool_name) - Gets latest report
security_hardening_score() - Gets Lynis hardening index

Phase 5: Testing

5.1 Unit Tests

File: botserver/src/security/protection/tests.rs

Test tool detection
Test status parsing
Test report parsing
Test command generation

5.2 Integration Tests

File: bottest/tests/security_protection.rs

Test full install flow (mock)
Test scan execution (mock)
Test API endpoints

Security Considerations

Command Execution

All tool commands MUST use SafeCommand:

use crate::security::command_guard::SafeCommand;

SafeCommand::new("lynis")?
    .arg("audit")?
    .arg("system")?
    .execute()

Allowed Commands Whitelist

Update command_guard.rs to whitelist:

lynis
rkhunter
chkrootkit
suricata
suricata-update
maldet
clamscan
freshclam
systemctl (with restrictions)

Permission Requirements

Tools require root/sudo for full functionality
Consider using capabilities or dedicated service user
Log all tool executions to audit log

API Response Formats

Status Response

{
  "tool": "lynis",
  "installed": true,
  "version": "3.0.9",
  "service_running": null,
  "last_scan": "2025-01-15T10:30:00Z",
  "last_update": "2025-01-14T08:00:00Z",
  "auto_update": true,
  "auto_remediate": false,
  "metrics": {
    "hardening_index": 78,
    "warnings": 12,
    "suggestions": 45
  }
}

Scan Result Response

{
  "scan_id": "uuid",
  "tool": "rkhunter",
  "started_at": "2025-01-15T10:30:00Z",
  "completed_at": "2025-01-15T10:35:00Z",
  "status": "completed",
  "result": "clean",
  "findings": [],
  "warnings": 0,
  "report_path": "/var/log/rkhunter.log"
}

File Checklist

botserver/src/security/protection/

mod.rs ✅
manager.rs ✅
api.rs ✅
lynis.rs ✅
rkhunter.rs ✅
chkrootkit.rs ✅
suricata.rs ✅
lmd.rs ✅
tests.rs (tests included in each module)

botserver/src/security/

mod.rs - Updated with protection module exports ✅
command_guard.rs - Added security tools to whitelist ✅

botui/ui/suite/tools/

security.html ✅

botbook/src/23-security/

protection-tools.md

botlib/

Update BASIC keywords
Add ETL functions

Priority Order

HIGH - Backend API structure (api.rs, manager.rs) ✅ DONE
HIGH - Lynis integration (most comprehensive) ✅ DONE
HIGH - ClamAV extension (partially exists) - Wire up to existing antivirus.rs
MEDIUM - RKHunter, Chkrootkit (simpler tools) ✅ DONE
MEDIUM - Suricata (service management) ✅ DONE
MEDIUM - LMD (malware detection) ✅ DONE
LOW - Documentation
LOW - BASIC/ETL integration
LOW - Full test coverage

Remaining Tasks

Wire up ProtectionManager to AppState - Add protection_manager: Option<ProtectionManager> to AppState
Register routes in main.rs - Add .merge(security::configure_protection_routes())
Integration testing - Test with actual tools installed
Documentation - Create botbook documentation
BASIC keywords - Add ETL functions for scripting

Notes

Follow PROMPT.md guidelines strictly
No #[allow()] attributes
No .unwrap() or .expect() in production code
Use SafeCommand for all shell execution
Sanitize all error messages before returning to client
Log all operations to audit log

14 KiB Raw Permalink Blame History