
github.com/linux-immutability-tools/FsGuard
Guarding your filesystem
Dependencies:
Simply run build.sh to build the project and append the testing signature.
This will ensure that FsGuard is able to run properly by fetching signatures
FsGuard needs a filelist containing the sha1sum and suid permission of every binary to scan. An example file can be found here. A bash one-liner to create an entry for this file could look like this:
echo $(sha1sum /path/to/binary | sed 's/  / /g') $(ls -al /path/to/binary | awk 'BEGIN{FS=" "}; {print $1};' | grep s > /dev/null && echo "true" || echo "false")
The filelist can be placed anywhere, as long as FsGuard has access to it when it launches.
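To show what a filelist entry lets a verifier check, here is an added Go example; it is not FsGuard's own code. It assumes the entry layout printed by the one-liner above (`<sha1> <path> <true|false>`), and the name `CheckLine` is hypothetical.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"
)

// CheckLine verifies one entry, "<sha1> <path> <true|false>"; the path may contain spaces.
func CheckLine(line string) error {
	line = strings.TrimSpace(line)
	i, j := strings.IndexByte(line, ' '), strings.LastIndexByte(line, ' ')
	if i != 40 || j <= i || (line[j+1:] != "true" && line[j+1:] != "false") {
		return fmt.Errorf("malformed entry: %q", line)
	}
	want, path, wantSuid := line[:i], line[i+1:j], line[j+1:] == "true"
	fh, err := os.Open(path)
	if err != nil {
		return err
	}
	defer fh.Close()
	st, err := fh.Stat() // stat the open handle so hash and mode describe the same file
	if err != nil {
		return err
	}
	h := sha1.New()
	if _, err := io.Copy(h, fh); err != nil {
		return err
	}
	if got := hex.EncodeToString(h.Sum(nil)); !strings.EqualFold(got, want) {
		return fmt.Errorf("%s: sha1 mismatch (got %s)", path, got)
	}
	// The one-liner's `grep s` matches setuid or setgid, so both bits count here.
	if got := st.Mode()&(os.ModeSetuid|os.ModeSetgid) != 0; got != wantSuid {
		return fmt.Errorf("%s: suid flag is %v, filelist says %v", path, got, wantSuid)
	}
	return nil
}

func main() {
	for _, line := range os.Args[1:] { // each argument is one filelist line
		if err := CheckLine(line); err != nil {
			fmt.Fprintln(os.Stderr, "FAIL:", err)
			os.Exit(1)
		}
	}
}
```

A binary that gains a setuid bit after the filelist was generated fails this check even when its contents are unchanged, which is why the flag is stored next to the hash.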
FsGuard expects a minisign signature and filelist to be appended to the binary. An example signature "set" can be found here. A signature set can be generated and added to FsGuard with these commands:
# Create a new passwordless key pair
minisign -WG
# Signing the filelist
minisign -Sm /path/to/filelist
# Generate the signature set
touch /path/to/signature
echo -n "----begin attach----" >> /path/to/signature
cat /path/to/filelist.minisig >> /path/to/signature
echo -n "----begin second attach----" >> /path/to/signature
tail -n1 ./minisign.pub >> /path/to/signature
# Append the signature set to the FsGuard binary
cat /path/to/signature >> /path/to/FsGuard
FsGuard automatically starts the verification if it detects that it is a specific binary. This binary name and path can be set with the InitLocation property in the config/config.go file.
Additionally, FsGuard automatically starts a proper init once it has completed the verification process. The init it launches can be controlled with the PostInitExec property in config/config.go.
FsGuard can also be started from a bash script that gets launched as an init. In this case, FsGuard works like a regular CLI application and accepts the filelist location as an argument. A possible pre-init script could look like this:
#!/usr/bin/bash
FsGuard verify /path/to/filelist
exec /path/to/init
Make sure to launch the proper init using exec. Some init systems like systemd will refuse to launch if they are not pid1; exec makes sure that the init script "drops" its pid and systemd is able to claim it.
When reporting issues you encounter with FsGuard, please make sure to include the config.go file and how FsGuard gets launched.