Skip to content
/ FsGuard Public

FsGuard is a tool for verifying filesystem integrity at boot time.

License

GPL-3.0 license
9 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

linux-immutability-tools/FsGuard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits

.github/workflows

.github/workflows

 
 

cmd

cmd

 
 

config

config

 
 

core

core

 
 

.gitignore

.gitignore

 
 

.goreleaser.yaml

.goreleaser.yaml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

build.sh

build.sh

 
 

fsguard.svg

fsguard.svg

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

signatures

signatures

 
 

test_filelist

test_filelist

 
 

Repository files navigation

FsGuard Wrapper logo

FsGuard is a tool for verifying filesystem integrity at boot time.

Building

Dependencies:

  • go

simply run build.sh to build the project and append the testing signature.

This will ensure that FsGuard is able to run properly by fetching signatures

Deploying

Filelist

FsGuard needs a filelist containg the sha1sum and suid permission of every binary to scan, an example file can be found here. A bash oneliner to create an entry for this file could look like this:

echo $(sha1sum /path/to/binary | sed 's/  / /g') $(ls -al /path/to/binary | awk 'BEGIN{FS=" "}; {print $1};' | grep s > /dev/null && echo "true" || echo "false")

This Filelist can be placed anywhere, as long as FsGuard has access to it when it launches.

Signing the Filelist

FsGuard expects a minisign signature and filelist to be appended to the binary. An example signature "set" can be found here. A signature set can be generated and added to FsGuard with these commands:

# Create a new passwordless key pair
minisign -WG
# Signing the filelist
minisign -Sm /path/to/filelist

# Generate the signature set
touch /path/to/signature
echo -n "----begin attach----" >> /path/to/signature
cat /path/to/filelist.minisig >> /path/to/signature
echo -n "----begin second attach----" >> /path/to/signature
tail -n1 ./minisign.pub >> /path/to/signature

# Append the signature set to the FsGuard binary
cat /path/to/signature >> /path/to/FsGuard

Launching FsGuard

As an init

FsGuard automatically starts the verification if it detects that it is a specific binary. This binary name and path can be set with the InitLocation property in the config/config.go file.

Additionally, FsGuard automatically starts a proper init once it completed the verification process. The init it launches can be controlled with the PostInitExec property in config/config.go.

As a pre-init script

FsGuard can also be started in a bash script that gets launched as an init, in this case, FsGuard works like a regular cli application and accepts the filelist location as an argument. A possible pre-init script could look like this:

#!/usr/bin/bash
FsGuard verify /path/to/filelist
exec /path/to/init

Make sure to launch the proper init using exec, some init systems like systemd will refuse to launch if they are not pid1, exec makes sure that the init script "drops" its pid and systemd is able to claim it.

Reporting issues

When reporting issues you encounter with FsGuard, please make sure to include the config.go file and how FsGuard gets launched.

About

FsGuard is a tool for verifying filesystem integrity at boot time.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

9 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases 5

v0.1.2-2 Latest
Jan 12, 2024
+ 4 releases

Packages

No packages published

Contributors 5

Languages