
2025-01-18 11:56:17 -05:00
commit b84b748c03
26 changed files with 7461 additions and 0 deletions

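--- a/src/audit/audit.rs
+++ b/src/audit/audit.rs
@@ -0,0 +1,253 @@
+// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <https://www.gnu.org/licenses/>.
+use std::fs::{self, OpenOptions};
+use std::io::Write;
+use std::path::PathBuf;
+use anyhow::{Context, Result};
+use chrono::{DateTime, Local, Utc};
+use lettre::message::header::ContentType;
+use lettre::transport::smtp::authentication::Credentials;
+use lettre::{Message, SmtpTransport, Transport};
+use rusqlite::{params, Connection};
+use serde::{Deserialize, Serialize};
+#[derive(Debug, Serialize, Deserialize)]
+pub struct AuditConfig {
+log_file: PathBuf,
+database_file: PathBuf,
+max_log_size: u64,
+rotation_count: u32,
+alert_email: String,
+smtp_server: String,
+smtp_port: u16,
+smtp_username: String,
+smtp_password: String,
+critical_events: Vec<String>,
+}
+impl Default for AuditConfig {
+fn default() -> Self {
+let os_specific_path = match std::env::consts::OS {
+"macos" => PathBuf::from("/var/log/bell"),
+"linux" => PathBuf::from("/var/log/bell"),
+"bellandeos" => PathBuf::from("/bell/log"),
+_ => PathBuf::from("./log"),
+};
+Self {
+log_file: os_specific_path.join("audit.log"),
+database_file: os_specific_path.join("audit.db"),
+max_log_size: 10 * 1024 * 1024, // 10MB
+rotation_count: 5,
+alert_email: "admin@bellande-architecture-mechanism-research-innovation-center.org"
+.to_string(),
+smtp_server: "smtp.bellande-architecture-mechanism-research-innovation-center.org"
+.to_string(),
+smtp_port: 587,
+smtp_username: "alerts@bellande-architecture-mechanism.org".to_string(),
+smtp_password: "your_secure_password".to_string(),
+critical_events: vec![
+"AUTHENTICATION_FAILURE".to_string(),
+"PERMISSION_DENIED".to_string(),
+"SUSPICIOUS_ACTIVITY".to_string(),
+"SECURITY_BREACH".to_string(),
+"SYSTEM_MODIFICATION".to_string(),
+],
+}
+}
+}
+#[derive(Debug, Serialize, Deserialize)]
+pub struct AuditEvent {
+timestamp: DateTime<Utc>,
+user: String,
+event: String,
+details: String,
+system: String,
+process_id: u32,
+severity: EventSeverity,
+}
+#[derive(Debug, Serialize, Deserialize, PartialEq)]
+pub enum EventSeverity {
+Info,
+Warning,
+Critical,
+Emergency,
+}
+pub async fn log_audit_event(event: &str, user: &str, details: &str) -> Result<()> {
+let config = AuditConfig::default();
+let audit_event = create_audit_event(event, user, details);
+// Ensure log directory exists
+if let Some(parent) = config.log_file.parent() {
+fs::create_dir_all(parent).context("Failed to create log directory")?;
+}
+// Check log rotation
+check_and_rotate_logs(&config).await?;
+// Write to log file
+write_to_log_file(&config, &audit_event).await?;
+// Write to database
+log_to_database(&config, &audit_event).await?;
+// Send alert if critical
+if is_critical_event(&config, event) {
+send_alert(&config, &audit_event).await?;
+}
+Ok(())
+}
+fn create_audit_event(event: &str, user: &str, details: &str) -> AuditEvent {
+AuditEvent {
+timestamp: Utc::now(),
+user: user.to_string(),
+event: event.to_string(),
+details: details.to_string(),
+system: std::env::consts::OS.to_string(),
+process_id: std::process::id(),
+severity: determine_severity(event),
+}
+}
+async fn write_to_log_file(config: &AuditConfig, event: &AuditEvent) -> Result<()> {
+let mut file = OpenOptions::new()
+.append(true)
+.create(true)
+.open(&config.log_file)
+.context("Failed to open audit log file")?;
+let log_entry = format!(
+"{} - User: {} - Event: {} - Details: {} - System: {} - PID: {} - Severity: {:?}\n",
+event.timestamp.with_timezone(&Local),
+event.user,
+event.event,
+event.details,
+event.system,
+event.process_id,
+event.severity
+);
+file.write_all(log_entry.as_bytes())
+.context("Failed to write to audit log")?;
+Ok(())
+}
+async fn log_to_database(config: &AuditConfig, event: &AuditEvent) -> Result<()> {
+let conn = Connection::open(&config.database_file).context("Failed to open database")?;
+conn.execute(
+"CREATE TABLE IF NOT EXISTS audit_log (
+id INTEGER PRIMARY KEY,
+timestamp TEXT NOT NULL,
+user TEXT NOT NULL,
+event TEXT NOT NULL,
+details TEXT NOT NULL,
+system TEXT NOT NULL,
+process_id INTEGER NOT NULL,
+severity TEXT NOT NULL
+)",
+[],
+)
+.context("Failed to create audit_log table")?;
+conn.execute(
+"INSERT INTO audit_log (timestamp, user, event, details, system, process_id, severity)
+VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)",
+params![
+event.timestamp.to_rfc3339(),
+event.user,
+event.event,
+event.details,
+event.system,
+event.process_id,
+format!("{:?}", event.severity)
+],
+)
+.context("Failed to insert log entry into database")?;
+Ok(())
+}
+fn is_critical_event(config: &AuditConfig, event: &str) -> bool {
+config.critical_events.contains(&event.to_string())
+}
+fn determine_severity(event: &str) -> EventSeverity {
+match event {
+"AUTHENTICATION_FAILURE" | "PERMISSION_DENIED" => EventSeverity::Warning,
+"SUSPICIOUS_ACTIVITY" | "SECURITY_BREACH" => EventSeverity::Critical,
+"SYSTEM_MODIFICATION" => EventSeverity::Emergency,
+_ => EventSeverity::Info,
+}
+}
+async fn send_alert(config: &AuditConfig, event: &AuditEvent) -> Result<()> {
+let email = Message::builder()
+.from(config.smtp_username.parse().context("Invalid from address")?)
+.to(config.alert_email.parse().context("Invalid to address")?)
+.subject(format!("Critical Security Alert: {}", event.event))
+.header(ContentType::TEXT_PLAIN)
+.body(format!(
+"Critical security event detected:\n\nTimestamp: {}\nUser: {}\nEvent: {}\nDetails: {}\nSystem: {}\nProcess ID: {}\nSeverity: {:?}",
+event.timestamp.with_timezone(&Local),
+event.user,
+event.event,
+event.details,
+event.system,
+event.process_id,
+event.severity
+))
+.context("Failed to build email")?;
+let creds = Credentials::new(config.smtp_username.clone(), config.smtp_password.clone());
+let mailer = SmtpTransport::relay(&config.smtp_server)
+.context("Failed to create SMTP transport")?
+.credentials(creds)
+.port(config.smtp_port)
+.build();
+mailer.send(&email).context("Failed to send email")?;
+Ok(())
+}
+async fn check_and_rotate_logs(config: &AuditConfig) -> Result<()> {
+let metadata = fs::metadata(&config.log_file)?;
+if metadata.len() >= config.max_log_size {
+for i in (1..config.rotation_count).rev() {
+let current = config.log_file.with_extension(format!("log.{}", i));
+let next = config.log_file.with_extension(format!("log.{}", i + 1));
+if current.exists() {
+fs::rename(current, next)?;
+}
+}
+let backup = config.log_file.with_extension("log.1");
+fs::rename(&config.log_file, backup)?;
+fs::File::create(&config.log_file)?;
+}
+Ok(())
+}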
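Review bot: `check_and_rotate_logs` fails on the very first event, because `fs::metadata(&config.log_file)?` returns NotFound until `write_to_log_file` has created the file, and `log_audit_event` runs the rotation check before the write; treat a missing file as nothing to rotate, `let metadata = match fs::metadata(&config.log_file) { Ok(m) => m, Err(e) if e.kind() == std::io::ErrorKind::NotFound => return Ok(()), Err(e) => return Err(e.into()) };`. The `user` and `details` strings are interpolated raw into a newline-delimited log in `write_to_log_file`, and callers such as `authenticate_user` pass the unauthenticated username straight through, so a value containing a newline can forge additional audit lines; formatting those two fields with `{:?}` (or rejecting control characters before logging) keeps one event per line. The log is opened with `OpenOptions::new().append(true).create(true)` and so inherits the process umask, which may leave the audit trail readable by every local user; adding `.mode(0o600)` via `std::os::unix::fs::OpenOptionsExt` is in line with the Unix-only `PermissionsExt` use in `security_audit.rs`. `AuditConfig::default()` is the only configuration `log_audit_event` ever uses and it embeds `smtp_password: "your_secure_password"`, so that placeholder credential is what actually goes on the wire; the SMTP credentials belong in a restricted-permission config file or environment variable, not in `Default`.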

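--- a/src/audit/mod.rs
+++ b/src/audit/mod.rs
@@ -0,0 +1,2 @@
+pub mod audit;
+pub mod security_audit;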

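--- a/src/audit/security_audit.rs
+++ b/src/audit/security_audit.rs
@@ -0,0 +1,812 @@
+// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <https://www.gnu.org/licenses/>.
+use std::collections::{HashMap, HashSet};
+use std::fs::{self, File};
+use std::io::BufReader;
+use std::path::{Path, PathBuf};
+use std::process::Command;
+use std::time::Duration;
+use anyhow::{Context, Result};
+use log::info;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use std::os::unix::fs::PermissionsExt;
+use sysinfo::{ProcessExt, System, SystemExt};
+use walkdir::WalkDir;
+use crate::audit::audit::log_audit_event;
+use crate::config::config::Config;
+#[derive(Debug, Serialize, Deserialize)]
+pub struct SecurityAuditConfig {
+pub critical_paths: Vec<PathBuf>,
+pub suspicious_process_patterns: Vec<String>,
+pub allowed_ports: HashSet<u16>,
+pub file_hash_database: PathBuf,
+pub scan_interval: Duration,
+}
+impl Default for SecurityAuditConfig {
+fn default() -> Self {
+SecurityAuditConfig {
+critical_paths: get_os_critical_paths(),
+suspicious_process_patterns: vec![
+"crypto".to_string(),
+"miner".to_string(),
+"suspicious".to_string(),
+],
+allowed_ports: [80, 443, 22, 53].iter().cloned().collect(),
+file_hash_database: PathBuf::from("file_hashes.db"),
+scan_interval: Duration::from_secs(3600),
+}
+}
+}
+fn get_os_critical_paths() -> Vec<PathBuf> {
+match std::env::consts::OS {
+"macos" => vec![
+PathBuf::from("/etc"),
+PathBuf::from("/System"),
+PathBuf::from("/usr/local/bin"),
+],
+"linux" => vec![
+PathBuf::from("/etc"),
+PathBuf::from("/bin"),
+PathBuf::from("/sbin"),
+],
+"bellandeos" => vec![
+PathBuf::from("/bell/etc"),
+PathBuf::from("/bell/bin"),
+PathBuf::from("/bell/security"),
+],
+_ => vec![],
+}
+}
+/// Performs a comprehensive security audit of the system
+pub async fn perform_security_audit(config: &Config) -> Result<()> {
+let audit_config = SecurityAuditConfig::default();
+info!("Starting security audit for {}", std::env::consts::OS);
+// Check for system updates
+check_system_updates().await?;
+// Scan for vulnerabilities
+scan_for_vulnerabilities(&audit_config).await?;
+// Check for suspicious processes
+check_suspicious_processes(&audit_config).await?;
+// Check for unauthorized users
+check_unauthorized_users(config).await?;
+// Check for open ports
+check_open_ports(&audit_config).await?;
+// Check file integrity
+check_file_integrity(&audit_config).await?;
+// OS-specific security checks
+perform_os_specific_checks().await?;
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Completed security audit on {}", std::env::consts::OS),
+)
+.await?;
+Ok(())
+}
+async fn check_system_updates() -> Result<()> {
+match std::env::consts::OS {
+"macos" => {
+let output = Command::new("softwareupdate")
+.arg("--list")
+.output()
+.context("Failed to check for macOS updates")?;
+if !output.stdout.is_empty() {
+log_audit_event("SECURITY_AUDIT", "SYSTEM", "macOS updates available").await?;
+}
+}
+"linux" => {
+let output = Command::new("apt")
+.args(&["list", "--upgradable"])
+.output()
+.context("Failed to check for Linux updates")?;
+if !output.stdout.is_empty() {
+log_audit_event("SECURITY_AUDIT", "SYSTEM", "Linux updates available").await?;
+}
+}
+"bellandeos" => {
+let output = Command::new("bellctl")
+.args(&["update", "check"])
+.output()
+.context("Failed to check for BellandeOS updates")?;
+if !output.stdout.is_empty() {
+log_audit_event("SECURITY_AUDIT", "SYSTEM", "BellandeOS updates available").await?;
+}
+}
+_ => anyhow::bail!("Unsupported operating system"),
+}
+Ok(())
+}
+async fn scan_for_vulnerabilities(config: &SecurityAuditConfig) -> Result<()> {
+log_audit_event("SECURITY_AUDIT", "SYSTEM", "Starting vulnerability scan").await?;
+// Check for known vulnerable software versions
+check_software_versions().await?;
+// Check for common misconfigurations
+check_common_misconfigurations(config).await?;
+// Check for weak permissions
+check_permissions(config).await?;
+log_audit_event("SECURITY_AUDIT", "SYSTEM", "Vulnerability scan completed").await?;
+Ok(())
+}
+async fn check_software_versions() -> Result<()> {
+// Check OpenSSL version
+let openssl_version = Command::new("openssl")
+.arg("version")
+.output()
+.context("Failed to check OpenSSL version")?;
+if !openssl_version.status.success() {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: Unable to verify OpenSSL version",
+)
+.await?;
+}
+Ok(())
+}
+async fn check_common_misconfigurations(config: &SecurityAuditConfig) -> Result<()> {
+for path in &config.critical_paths {
+check_path_permissions(path).await?;
+}
+// Check world-writable files
+check_world_writable_files().await?;
+// Check for dangerous SUID/SGID binaries
+check_suid_binaries().await?;
+Ok(())
+}
+async fn check_permissions(config: &SecurityAuditConfig) -> Result<()> {
+for path in &config.critical_paths {
+let metadata = fs::metadata(path).context("Failed to get path metadata")?;
+let mode = metadata.permissions().mode();
+if mode & 0o777 > 0o755 {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Excessive permissions found on: {:?}", path),
+)
+.await?;
+}
+}
+Ok(())
+}
+async fn check_path_permissions(path: &Path) -> Result<()> {
+let metadata = fs::metadata(path).context("Failed to get path metadata")?;
+let mode = metadata.permissions().mode();
+// Check for excessive permissions
+if mode & 0o777 > 0o755 {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!(
+"Warning: Excessive permissions ({:o}) on path: {:?}",
+mode & 0o777,
+path
+),
+)
+.await?;
+}
+// Check owner/group
+if mode & 0o7000 != 0 {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!(
+"Warning: Special bits ({:o}) set on path: {:?}",
+mode & 0o7000,
+path
+),
+)
+.await?;
+}
+Ok(())
+}
+async fn check_world_writable_files() -> Result<()> {
+let critical_directories = match std::env::consts::OS {
+"macos" => vec!["/etc", "/usr", "/bin", "/sbin", "/System"],
+"linux" => vec!["/etc", "/usr", "/bin", "/sbin", "/lib", "/boot"],
+"bellandeos" => vec!["/bell/etc", "/bell/bin", "/bell/lib", "/bell/security"],
+_ => vec![],
+};
+for dir in critical_directories {
+for entry in WalkDir::new(dir)
+.follow_links(false)
+.into_iter()
+.filter_map(|e| e.ok())
+{
+let path = entry.path();
+if let Ok(metadata) = fs::metadata(path) {
+let mode = metadata.permissions().mode();
+// Check for world-writable permissions (others write permission)
+if mode & 0o002 != 0 {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Warning: World-writable file found: {:?}", path),
+)
+.await?;
+}
+}
+}
+}
+Ok(())
+}
+async fn check_suid_binaries() -> Result<()> {
+let critical_directories = match std::env::consts::OS {
+"macos" => vec!["/usr/bin", "/usr/sbin", "/usr/local/bin"],
+"linux" => vec!["/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"],
+"bellandeos" => vec!["/bell/bin", "/bell/sbin", "/bell/local/bin"],
+_ => vec![],
+};
+// Known safe SUID binaries
+let safe_suid_binaries = HashSet::from([
+"ping",
+"su",
+"sudo",
+"passwd",
+"mount",
+"umount",
+"fusermount",
+"newgrp",
+"chsh",
+"gpasswd",
+]);
+for dir in critical_directories {
+for entry in WalkDir::new(dir)
+.follow_links(false)
+.into_iter()
+.filter_map(|e| e.ok())
+{
+let path = entry.path();
+if let Ok(metadata) = fs::metadata(path) {
+let mode = metadata.permissions().mode();
+// Check for SUID/SGID bits
+if mode & 0o6000 != 0 {
+// Get binary name
+let binary_name = path
+.file_name()
+.and_then(|n| n.to_str())
+.unwrap_or("unknown");
+// If it's not in our safe list, log it
+if !safe_suid_binaries.contains(binary_name) {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!(
+"Warning: SUID/SGID binary found: {:?} (mode: {:o})",
+path,
+mode & 0o7777
+),
+)
+.await?;
+}
+}
+}
+}
+}
+Ok(())
+}
+async fn check_suspicious_processes(config: &SecurityAuditConfig) -> Result<()> {
+let system = System::new_all();
+for (pid, process) in system.processes() {
+let process_name = process.name().to_lowercase();
+for pattern in &config.suspicious_process_patterns {
+if process_name.contains(pattern) {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Suspicious process found: {} (PID: {})", process_name, pid),
+)
+.await?;
+// Additional process information
+if let Some(cmd) = process.cmd().first() {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Process command: {}", cmd),
+)
+.await?;
+}
+}
+}
+}
+Ok(())
+}
+async fn check_unauthorized_users(config: &Config) -> Result<()> {
+match std::env::consts::OS {
+"macos" => check_macos_users(config).await?,
+"linux" => check_linux_users(config).await?,
+"bellandeos" => check_bellande_users(config).await?,
+_ => anyhow::bail!("Unsupported operating system"),
+}
+Ok(())
+}
+async fn check_macos_users(config: &Config) -> Result<()> {
+let output = Command::new("dscl")
+.args(&[".", "list", "/Users"])
+.output()
+.context("Failed to list macOS users")?;
+let users = String::from_utf8_lossy(&output.stdout);
+for user in users.lines() {
+if !config.users.iter().any(|u| u.username == user) && !is_macos_system_user(user) {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Unauthorized macOS user found: {}", user),
+)
+.await?;
+}
+}
+Ok(())
+}
+async fn check_linux_users(config: &Config) -> Result<()> {
+let passwd = fs::read_to_string("/etc/passwd").context("Failed to read /etc/passwd")?;
+for line in passwd.lines() {
+let username = line.split(':').next().unwrap_or("");
+if !config.users.iter().any(|u| u.username == username) && !is_linux_system_user(username) {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Unauthorized Linux user found: {}", username),
+)
+.await?;
+}
+}
+Ok(())
+}
+async fn check_bellande_users(config: &Config) -> Result<()> {
+let output = Command::new("bellctl")
+.args(&["user", "list"])
+.output()
+.context("Failed to list BellandeOS users")?;
+let users = String::from_utf8_lossy(&output.stdout);
+for user in users.lines() {
+if !config.users.iter().any(|u| u.username == user) && !is_bellande_system_user(user) {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Unauthorized BellandeOS user found: {}", user),
+)
+.await?;
+}
+}
+Ok(())
+}
+fn is_macos_system_user(username: &str) -> bool {
+matches!(
+username,
+"_spotlight" | "_locationd" | "_mdnsresponder" | "root" | "daemon"
+)
+}
+fn is_linux_system_user(username: &str) -> bool {
+matches!(
+username,
+"root"
+| "daemon"
+| "bin"
+| "sys"
+| "sync"
+| "games"
+| "man"
+| "lp"
+| "mail"
+| "news"
+| "uucp"
+| "proxy"
+| "www-data"
+| "backup"
+| "list"
+| "irc"
+| "gnats"
+| "nobody"
+| "systemd-network"
+| "systemd-resolve"
+| "systemd-timesync"
+| "messagebus"
+| "syslog"
+| "avahi"
+| "_apt"
+| "sshd"
+)
+}
+fn is_bellande_system_user(username: &str) -> bool {
+matches!(
+username,
+"bellroot" | "bellsys" | "bellservice" | "bellnetwork" | "bellsecurity"
+)
+}
+async fn check_open_ports(config: &SecurityAuditConfig) -> Result<()> {
+match std::env::consts::OS {
+"macos" => {
+let output = Command::new("lsof")
+.args(&["-i", "-P", "-n"])
+.output()
+.context("Failed to check macOS open ports")?;
+check_port_output(
+&String::from_utf8_lossy(&output.stdout),
+&config.allowed_ports,
+)
+.await?;
+}
+"linux" => {
+let output = Command::new("netstat")
+.args(&["-tuln"])
+.output()
+.context("Failed to check Linux open ports")?;
+check_port_output(
+&String::from_utf8_lossy(&output.stdout),
+&config.allowed_ports,
+)
+.await?;
+}
+"bellandeos" => {
+let output = Command::new("bellctl")
+.args(&["network", "ports"])
+.output()
+.context("Failed to check BellandeOS open ports")?;
+check_port_output(
+&String::from_utf8_lossy(&output.stdout),
+&config.allowed_ports,
+)
+.await?;
+}
+_ => anyhow::bail!("Unsupported operating system"),
+}
+Ok(())
+}
+async fn check_port_output(output: &str, allowed_ports: &HashSet<u16>) -> Result<()> {
+for line in output.lines() {
+if line.contains("LISTEN") {
+let port = extract_port_from_line(line);
+if let Some(port) = port {
+if !allowed_ports.contains(&port) {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Unauthorized open port found: {}", port),
+)
+.await?;
+}
+}
+}
+}
+Ok(())
+}
+fn extract_port_from_line(line: &str) -> Option<u16> {
+line.split(':')
+.last()?
+.split_whitespace()
+.next()?
+.parse()
+.ok()
+}
+async fn check_file_integrity(config: &SecurityAuditConfig) -> Result<()> {
+// Initialize or load hash database
+let mut hash_database = load_hash_database(&config.file_hash_database)?;
+for path in &config.critical_paths {
+check_directory_integrity(path, &mut hash_database).await?;
+}
+// Save updated hashes
+save_hash_database(&config.file_hash_database, &hash_database)?;
+Ok(())
+}
+async fn check_directory_integrity(
+path: &Path,
+hash_database: &mut HashMap<PathBuf, String>,
+) -> Result<()> {
+if path.is_dir() {
+for entry in fs::read_dir(path)? {
+let entry = entry?;
+let path = entry.path();
+if path.is_file() {
+let current_hash = calculate_file_hash(&path)?;
+if let Some(stored_hash) = hash_database.get(&path) {
+if stored_hash != &current_hash {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("File integrity mismatch: {:?}", path),
+)
+.await?;
+}
+}
+// Update hash in database
+hash_database.insert(path, current_hash);
+} else if path.is_dir() {
+Box::pin(check_directory_integrity(&path, hash_database)).await?;
+}
+}
+}
+Ok(())
+}
+async fn perform_os_specific_checks() -> Result<()> {
+match std::env::consts::OS {
+"macos" => perform_macos_specific_checks().await?,
+"linux" => perform_linux_specific_checks().await?,
+"bellandeos" => perform_bellande_specific_checks().await?,
+_ => anyhow::bail!("Unsupported operating system"),
+}
+Ok(())
+}
+async fn perform_macos_specific_checks() -> Result<()> {
+// Check System Integrity Protection (SIP)
+let sip_status = Command::new("csrutil")
+.arg("status")
+.output()
+.context("Failed to check SIP status")?;
+if !String::from_utf8_lossy(&sip_status.stdout).contains("enabled") {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: System Integrity Protection is disabled",
+)
+.await?;
+}
+// Check FileVault status
+let filevault_status = Command::new("fdesetup")
+.arg("status")
+.output()
+.context("Failed to check FileVault status")?;
+if !String::from_utf8_lossy(&filevault_status.stdout).contains("On") {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: FileVault is not enabled",
+)
+.await?;
+}
+// Check Gatekeeper status
+let gatekeeper_status = Command::new("spctl")
+.args(&["--status"])
+.output()
+.context("Failed to check Gatekeeper status")?;
+if !String::from_utf8_lossy(&gatekeeper_status.stdout).contains("enabled") {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: Gatekeeper is disabled",
+)
+.await?;
+}
+Ok(())
+}
+async fn perform_linux_specific_checks() -> Result<()> {
+// Check SELinux status
+if Path::new("/etc/selinux/config").exists() {
+let selinux_status = Command::new("getenforce")
+.output()
+.context("Failed to check SELinux status")?;
+if !String::from_utf8_lossy(&selinux_status.stdout).contains("Enforcing") {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: SELinux is not in enforcing mode",
+)
+.await?;
+}
+}
+// Check AppArmor status
+if Path::new("/etc/apparmor").exists() {
+let apparmor_status = Command::new("aa-status")
+.output()
+.context("Failed to check AppArmor status")?;
+if !apparmor_status.status.success() {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: AppArmor is not properly configured",
+)
+.await?;
+}
+}
+// Check kernel parameters
+check_kernel_parameters().await?;
+Ok(())
+}
+async fn perform_bellande_specific_checks() -> Result<()> {
+// Check BellandeOS security module status
+let security_status = Command::new("bellctl")
+.args(&["security", "status"])
+.output()
+.context("Failed to check BellandeOS security status")?;
+if !String::from_utf8_lossy(&security_status.stdout).contains("enabled") {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: BellandeOS security module is not enabled",
+)
+.await?;
+}
+// Check BellandeOS integrity
+let integrity_check = Command::new("bellctl")
+.args(&["verify", "system"])
+.output()
+.context("Failed to verify BellandeOS integrity")?;
+if !integrity_check.status.success() {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: BellandeOS system integrity check failed",
+)
+.await?;
+}
+// Check BellandeOS update status
+let update_status = Command::new("bellctl")
+.args(&["update", "status"])
+.output()
+.context("Failed to check BellandeOS update status")?;
+if !update_status.status.success() {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+"Warning: BellandeOS update check failed",
+)
+.await?;
+}
+Ok(())
+}
+async fn check_kernel_parameters() -> Result<()> {
+let critical_params = [
+"kernel.randomize_va_space",
+"kernel.kptr_restrict",
+"kernel.dmesg_restrict",
+"kernel.perf_event_paranoid",
+"net.ipv4.tcp_syncookies",
+];
+for param in &critical_params {
+let output = Command::new("sysctl")
+.arg(param)
+.output()
+.context(format!("Failed to check kernel parameter: {}", param))?;
+if !output.status.success() {
+log_audit_event(
+"SECURITY_AUDIT",
+"SYSTEM",
+&format!("Warning: Failed to verify kernel parameter: {}", param),
+)
+.await?;
+}
+}
+Ok(())
+}
+fn calculate_file_hash(path: &Path) -> Result<String> {
+let mut file = File::open(path)?;
+let mut hasher = Sha256::new();
+std::io::copy(&mut file, &mut hasher)?;
+Ok(format!("{:x}", hasher.finalize()))
+}
+fn load_hash_database(path: &Path) -> Result<HashMap<PathBuf, String>> {
+if path.exists() {
+let file = File::open(path)?;
+let reader = BufReader::new(file);
+Ok(serde_json::from_reader(reader)?)
+} else {
+Ok(HashMap::new())
+}
+}
+fn save_hash_database(path: &Path, database: &HashMap<PathBuf, String>) -> Result<()> {
+let file = File::create(path)?;
+serde_json::to_writer_pretty(file, database)?;
+Ok(())
+}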
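Review bot: The permission test `mode & 0o777 > 0o755` in `check_permissions` and again in `check_path_permissions` compares the bits as a number, so a world-writable `0o666` or `0o557` path sorts below the threshold and is never reported; test the write bits directly, `if mode & 0o022 != 0 {`, at both sites. `extract_port_from_line` takes the text after the last `:` on the line, which for `netstat -tuln` output is the `*` of the foreign-address column, so on Linux every LISTEN line yields `None` and `check_port_output` reports nothing; scanning tokens for one whose `:` suffix parses, `line.split_whitespace().find_map(|tok| tok.rsplit_once(':').and_then(|(_, p)| p.parse().ok()))`, covers both the netstat and the `lsof` formats. `check_suid_binaries` exempts setuid files by basename alone, so a setuid file named `ping` or `sudo` dropped into `/usr/local/bin` is silently accepted; key the allowlist on full paths (or on the file's hash) rather than on `file_name()`. The integrity baseline in `file_hash_database` is a relative path (`file_hashes.db` in the current directory) that `check_directory_integrity` overwrites on every scan, so a mismatch is reported once and then becomes the new baseline, and anyone who can write the working directory can pre-seed it; store the baseline at a fixed root-owned location and only accept updates through an explicit re-baseline step. Every `async fn` in this file runs blocking `Command::output()`, `WalkDir` and `fs` calls, which will stall the tokio executor; either drop `async` from these functions or run the work under `tokio::task::spawn_blocking`.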


@@ -0,0 +1,123 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
use crate::audit::audit::log_audit_event;
use crate::config::config::Config;
use crate::user_privilege::user::User;
use anyhow::{Context, Result};
use argon2;
use argon2::password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString};
use argon2::Argon2;
use rand_core::OsRng;
use std::collections::HashMap;
use std::time::{Duration, Instant, SystemTime};
use totp_rs::TOTP;
pub struct Session {
pub user: User,
pub expiry: SystemTime,
}
pub struct RateLimiter {
attempts: HashMap<String, Vec<Instant>>,
max_attempts: usize,
window: Duration,
}
impl RateLimiter {
pub fn new(max_attempts: usize, window: Duration) -> Self {
RateLimiter {
attempts: HashMap::new(),
max_attempts,
window,
}
}
pub fn check(&mut self, key: &str) -> bool {
let now = Instant::now();
let attempts = self
.attempts
.entry(key.to_string())
.or_insert_with(Vec::new);
attempts.retain(|&t| now.duration_since(t) < self.window);
if attempts.len() >= self.max_attempts {
false
} else {
attempts.push(now);
true
}
}
}
pub async fn authenticate_user(
config: &Config,
username: &str,
password: &str,
totp_code: &str,
rate_limiter: &mut RateLimiter,
) -> Result<Option<User>> {
if !rate_limiter.check(username) {
log_audit_event("AUTHENTICATION_RATE_LIMIT", username, "Rate limit exceeded").await?;
return Ok(None);
}
if let Some(user) = config.users.iter().find(|u| u.username == username) {
if verify_password(&user.password_hash, password)? {
let totp = TOTP::new(
totp_rs::Algorithm::SHA1,
6,
1,
30,
user.totp_secret.as_bytes().to_vec(),
)
.context("Failed to create TOTP")?;
if totp.check_current(totp_code)? {
log_audit_event(
"AUTHENTICATION_SUCCESS",
&user.username,
"User authenticated successfully",
)
.await?;
return Ok(Some(user.clone()));
}
}
}
log_audit_event("AUTHENTICATION_FAILURE", username, "Authentication failed").await?;
Ok(None)
}
fn verify_password(hash: &str, password: &str) -> Result<bool> {
let parsed_hash = PasswordHash::new(hash).context("Failed to parse password hash")?;
Ok(Argon2::default()
.verify_password(password.as_bytes(), &parsed_hash)
.is_ok())
}
fn hash_password(password: &str) -> Result<String> {
let salt = SaltString::generate(&mut OsRng);
let argon2 = Argon2::default();
let password_hash = argon2
.hash_password(password.as_bytes(), &salt)
.context("Failed to hash password")?
.to_string();
Ok(password_hash)
}
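Review bot: `authenticate_user` runs the Argon2 verification only when the username exists in `config.users`, so an unknown name returns almost immediately while a known name costs a full hash computation, which lets a caller enumerate valid usernames by timing; on the not-found path, verify the supplied password against a fixed placeholder hash so both branches do the same work before reaching the `AUTHENTICATION_FAILURE` log. A code accepted by `totp.check_current` is not remembered, so the same code can be replayed for the rest of its 30-second step (plus the skew of 1 passed to `TOTP::new`); record the last accepted time step per user and reject a repeat. `verify_password` propagates a parse failure of the stored hash as `Err`, so a malformed `password_hash` entry aborts the call instead of being logged as a failed authentication, which may or may not be what is intended. `hash_password` is private and unreferenced in this module, and `use argon2;` duplicates `use argon2::Argon2;`, both of which will surface as compiler warnings.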



@@ -0,0 +1,2 @@
pub mod authentication;
pub mod complication;

213
src/bell.rs Normal file
View File

@@ -0,0 +1,213 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
mod audit;
mod authentication_compliance;
mod command;
mod config;
mod hsm;
mod network;
mod user_privilege;
use std::time::{Duration, SystemTime};
use structopt::StructOpt;
use tokio;
use crate::authentication_compliance::authentication::{authenticate_user, RateLimiter, Session};
use crate::command::command::run_command_with_privilege;
use crate::config::config::Config;
use crate::user_privilege::privilege::{PrivilegeConfig, PrivilegeLevel, PrivilegeManager};
use crate::user_privilege::user::{
add_user, add_user_to_group, change_password, change_privilege, remove_user,
remove_user_from_group,
};
#[derive(StructOpt, Debug)]
#[structopt(name = "bell", about = "Privilege escalation system")]
enum Opt {
#[structopt(name = "run")]
Run {
#[structopt(short, long)]
privilege_level: String,
#[structopt(short, long)]
command: String,
#[structopt(short, long)]
args: Vec<String>,
},
#[structopt(name = "user")]
User {
#[structopt(subcommand)]
cmd: UserCommand,
},
}
#[derive(StructOpt, Debug)]
enum UserCommand {
Add {
username: String,
#[structopt(short, long)]
privilege: String,
},
Remove {
username: String,
},
ChangePassword {
username: String,
},
ChangePrivilege {
username: String,
privilege: String,
},
AddToGroup {
username: String,
group: String,
},
RemoveFromGroup {
username: String,
group: String,
},
}
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
// Initialize logging
log4rs::init_file("log4rs.yaml", Default::default())?;
let opt = Opt::from_args();
let mut config = Config::load()?;
let privilege_config = PrivilegeConfig::default();
let mut rate_limiter = RateLimiter::new(5, Duration::from_secs(60));
let privilege_manager = PrivilegeManager::new(privilege_config);
match opt {
Opt::Run {
privilege_level,
command,
args,
} => {
println!("Enter username:");
let mut username = String::new();
std::io::stdin().read_line(&mut username)?;
let username = username.trim();
println!("Enter password:");
let mut password = String::new();
std::io::stdin().read_line(&mut password)?;
let password = password.trim();
println!("Enter TOTP code:");
let mut totp_code = String::new();
std::io::stdin().read_line(&mut totp_code)?;
let totp_code = totp_code.trim();
if let Some(user) =
authenticate_user(&config, username, password, totp_code, &mut rate_limiter).await?
{
let session = Session {
user: user.clone(),
expiry: SystemTime::now() + Duration::from_secs(config.session_duration),
};
let privilege_level = match privilege_level.as_str() {
"bell" => PrivilegeLevel::Bell,
"root" => PrivilegeLevel::Root,
"admin" => PrivilegeLevel::Administrator,
"user" => PrivilegeLevel::User,
_ => {
println!(
"Invalid privilege level. Use 'bell', 'root', 'admin', or 'user'."
);
return Ok(());
}
};
run_command_with_privilege(
&session,
&command,
&args,
privilege_level,
&config,
&privilege_manager,
)
.await?;
} else {
println!("Authentication failed.");
}
}
Opt::User { cmd } => match cmd {
UserCommand::Add {
username,
privilege,
} => {
println!("Enter new password:");
let mut password = String::new();
std::io::stdin().read_line(&mut password)?;
let password = password.trim();
let privilege_level = match privilege.as_str() {
"bell" => PrivilegeLevel::Bell,
"root" => PrivilegeLevel::Root,
"admin" | "administrator" => PrivilegeLevel::Administrator,
"user" => PrivilegeLevel::User,
_ => {
println!(
"Invalid privilege level. Use 'bell', 'root', 'admin', or 'user'."
);
return Ok(());
}
};
add_user(&mut config, &username, password, privilege_level).await?;
}
UserCommand::Remove { username } => {
remove_user(&mut config, &username).await?;
}
UserCommand::ChangePassword { username } => {
println!("Enter new password:");
let mut password = String::new();
std::io::stdin().read_line(&mut password)?;
let password = password.trim();
change_password(&mut config, &username, password).await?;
}
UserCommand::ChangePrivilege {
username,
privilege,
} => {
let privilege_level = match privilege.as_str() {
"bell" => PrivilegeLevel::Bell,
"root" => PrivilegeLevel::Root,
"admin" | "administrator" => PrivilegeLevel::Administrator,
"user" => PrivilegeLevel::User,
_ => {
println!(
"Invalid privilege level. Use 'bell', 'root', 'admin', or 'user'."
);
return Ok(());
}
};
change_privilege(&mut config, &username, privilege_level).await?;
}
UserCommand::AddToGroup { username, group } => {
add_user_to_group(&mut config, &username, &group).await?;
}
UserCommand::RemoveFromGroup { username, group } => {
remove_user_from_group(&mut config, &username, &group).await?;
}
},
}
Ok(())
}

693
src/command/command.rs Normal file

@@ -0,0 +1,693 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
use std::collections::HashSet;
use std::path::PathBuf;
use std::time::{Duration, SystemTime};
use tokio::process::Command as TokioCommand;
use anyhow::{Context, Result};
use nix::unistd::{Gid, Uid};
use serde::{Deserialize, Serialize};
use syscallz::{Context as SyscallContext, Syscall};
use tokio::time::timeout;
use crate::audit::audit::log_audit_event;
use crate::authentication_compliance::authentication::Session;
use crate::config::config::Config;
use crate::network::network::{is_network_allowed, isolate_network, restore_network};
use crate::user_privilege::privilege::{PrivilegeLevel, PrivilegeManager};
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CommandConfig {
dangerous_patterns: HashSet<String>,
allowed_paths: Vec<PathBuf>,
max_execution_time: Duration,
sandbox_enabled: bool,
network_isolation_required: bool,
max_output_size: usize,
log_output: bool,
}
impl Default for CommandConfig {
fn default() -> Self {
let allowed_paths = match std::env::consts::OS {
"macos" => vec![
PathBuf::from("/usr/bin"),
PathBuf::from("/usr/local/bin"),
PathBuf::from("/opt/homebrew/bin"),
],
"linux" => vec![
PathBuf::from("/usr/bin"),
PathBuf::from("/usr/local/bin"),
PathBuf::from("/bin"),
],
"bellandeos" => vec![
PathBuf::from("/bell/bin"),
PathBuf::from("/bell/usr/bin"),
PathBuf::from("/bell/local/bin"),
],
_ => vec![],
};
let mut dangerous_patterns = HashSet::new();
dangerous_patterns.insert("rm -rf /*".to_string());
dangerous_patterns.insert("chmod 777".to_string());
dangerous_patterns.insert("dd if=/dev/zero".to_string());
dangerous_patterns.insert("mkfs".to_string());
dangerous_patterns.insert("> /dev/sda".to_string());
dangerous_patterns.insert(":(){ :|:& };:".to_string()); // Fork bomb
dangerous_patterns.insert("sudo rm".to_string());
dangerous_patterns.insert("> /dev/null".to_string());
CommandConfig {
dangerous_patterns,
allowed_paths,
max_execution_time: Duration::from_secs(300),
sandbox_enabled: true,
network_isolation_required: true,
max_output_size: 1024 * 1024,
log_output: true,
}
}
}
// Create a wrapper that implements Debug
struct SandboxContext {
inner: SyscallContext,
}
impl std::fmt::Debug for SandboxContext {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.debug_struct("SandboxContext")
.field("inner", &"SyscallContext")
.finish()
}
}
impl SandboxContext {
fn new(context: SyscallContext) -> Self {
Self { inner: context }
}
fn load(&self) -> Result<()> {
self.inner
.load()
.map_err(|e| anyhow::anyhow!("Failed to load sandbox: {}", e))
}
fn allow_syscall(&mut self, syscall: Syscall) -> Result<()> {
self.inner
.allow_syscall(syscall)
.map_err(|e| anyhow::anyhow!("Failed to allow syscall: {}", e))
}
}
#[derive(Debug)]
struct CommandContext {
command: String,
args: Vec<String>,
privilege_level: PrivilegeLevel,
username: String,
start_time: SystemTime,
sandbox: Option<SandboxContext>,
config: CommandConfig,
}
#[derive(Debug, Clone)]
struct DangerousPattern {
pattern: String,
description: String,
}
impl From<(&str, &str)> for DangerousPattern {
fn from((pattern, description): (&str, &str)) -> Self {
DangerousPattern {
pattern: pattern.to_string(),
description: description.to_string(),
}
}
}
// Implementation for command validation and execution
pub async fn run_command_with_privilege(
session: &Session,
command: &str,
args: &[String],
required_privilege: PrivilegeLevel,
config: &Config,
privilege_manager: &PrivilegeManager,
) -> Result<()> {
let cmd_config = CommandConfig::default();
// Validate input
validate_command_input(command, args)?;
// Check privileges and session
check_session_and_permissions(
session,
command,
args,
required_privilege,
config,
privilege_manager,
&cmd_config, // Add the command config parameter
)
.await?;
// Create and execute command context
let ctx = create_command_context(command, args, required_privilege, session, &cmd_config)?;
execute_command_safely(ctx).await
}
fn validate_command_input(command: &str, args: &[String]) -> Result<()> {
if command.is_empty() {
return Err(anyhow::anyhow!("Command cannot be empty"));
}
// Check for null bytes and other dangerous characters
if command.contains('\0') || args.iter().any(|arg| arg.contains('\0')) {
return Err(anyhow::anyhow!("Command contains invalid characters"));
}
// Validate command path
let command_path = PathBuf::from(command);
if !command_path.is_absolute() {
return Err(anyhow::anyhow!("Command must use absolute path"));
}
Ok(())
}
async fn check_session_and_permissions(
session: &Session,
command: &str,
args: &[String],
required_privilege: PrivilegeLevel,
config: &Config,
privilege_manager: &PrivilegeManager,
cmd_config: &CommandConfig,
) -> Result<()> {
// Check session state
check_session_state(session, command, args).await?;
// Check permissions
check_command_permissions(
session,
command,
args,
required_privilege,
config,
privilege_manager,
)
.await?;
// Check network access if required by command config
if cmd_config.network_isolation_required {
check_network_access(config, session, command, args).await?;
}
Ok(())
}
async fn check_session_state(session: &Session, command: &str, args: &[String]) -> Result<()> {
// Check session expiry
if SystemTime::now() > session.expiry {
log_audit_event(
"SESSION_EXPIRED",
&session.user.username,
&format!(
"Attempted to run command with expired session: {} {:?}",
command, args
),
)
.await?;
return Err(anyhow::anyhow!(
"Session expired. Please authenticate again."
));
}
// Check that user exists and is valid
if session.user.username.is_empty() {
log_audit_event(
"INVALID_SESSION",
"unknown",
&format!(
"Attempted to run command without valid user: {} {:?}",
command, args
),
)
.await?;
return Err(anyhow::anyhow!("Invalid session: no user associated"));
}
Ok(())
}
async fn check_command_permissions(
session: &Session,
command: &str,
args: &[String],
required_privilege: PrivilegeLevel,
config: &Config,
privilege_manager: &PrivilegeManager,
) -> Result<bool> {
// Check base user privileges
if !privilege_manager
.check_permission(&session.user, required_privilege, config)
.await?
{
log_audit_event(
"PERMISSION_DENIED",
&session.user.username,
&format!(
"Insufficient privileges for command: {} {:?}, required: {:?}",
command, args, required_privilege
),
)
.await?;
return Ok(false); // Return Ok(false) instead of Err
}
// Check if user belongs to required groups
let has_required_group = session.user.groups.iter().any(|group| {
config
.groups
.iter()
.any(|g| &g.name == group && g.permissions.contains(&required_privilege.to_string()))
});
if !has_required_group && required_privilege > session.user.privilege {
log_audit_event(
"GROUP_PERMISSION_DENIED",
&session.user.username,
&format!(
"User lacks required group membership for command: {} {:?}",
command, args
),
)
.await?;
return Ok(false); // Return Ok(false) instead of Err
}
Ok(true) // Return Ok(true) if all checks pass
}
async fn check_network_access(
config: &Config,
session: &Session,
command: &str,
args: &[String],
) -> Result<bool> {
// Use is_network_allowed directly with the config
if !is_network_allowed(config).await? {
log_audit_event(
"NETWORK_DENIED",
&session.user.username,
&format!("Network access denied for: {} {:?}", command, args),
)
.await?;
return Ok(false);
}
Ok(true)
}
async fn execute_command_safely(ctx: CommandContext) -> Result<()> {
// Log command execution start
log_audit_event(
"COMMAND_START",
&ctx.username,
&format!("Executing: {} {:?}", ctx.command, ctx.args),
)
.await?;
// Check for dangerous patterns
check_dangerous_patterns(&ctx).await?;
// Apply sandbox if enabled
if let Some(ref sandbox) = ctx.sandbox {
sandbox.load().context("Failed to load sandbox")?;
}
// Drop privileges if necessary
if ctx.privilege_level != PrivilegeLevel::Bell {
drop_privileges().context("Failed to drop privileges")?;
}
// Isolate network if required
let network_isolated = if ctx.config.network_isolation_required {
isolate_network().await?;
true
} else {
false
};
// Execute command with timeout
let result = execute_command_with_timeout(&ctx).await;
// Restore network if it was isolated
if network_isolated {
restore_network().await?;
}
// Handle command result
match result {
Ok(output) => process_command_output(&ctx, &output).await?,
Err(e) => {
log_audit_event(
"COMMAND_FAILED",
&ctx.username,
&format!("Command failed: {} - Error: {}", ctx.command, e),
)
.await?;
return Err(e);
}
}
Ok(())
}
fn create_command_context(
command: &str,
args: &[String],
privilege_level: PrivilegeLevel,
session: &Session,
cmd_config: &CommandConfig,
) -> Result<CommandContext> {
Ok(CommandContext {
command: command.to_string(),
args: args.to_vec(),
privilege_level,
username: session.user.username.clone(),
start_time: SystemTime::now(),
sandbox: if cmd_config.sandbox_enabled {
Some(create_sandbox()?)
} else {
None
},
config: cmd_config.clone(),
})
}
async fn execute_command_with_timeout(ctx: &CommandContext) -> Result<std::process::Output> {
// Create tokio command
let mut command = TokioCommand::new(&ctx.command);
command.args(&ctx.args);
// Run with timeout
let output = timeout(ctx.config.max_execution_time, command.output())
.await
.context("Command execution timed out")?
.context("Command execution failed")?;
Ok(output)
}
async fn process_command_output(ctx: &CommandContext, output: &std::process::Output) -> Result<()> {
// Check output size limits
if output.stdout.len() > ctx.config.max_output_size
|| output.stderr.len() > ctx.config.max_output_size
{
log_audit_event(
"COMMAND_OUTPUT_TOO_LARGE",
&ctx.username,
&format!(
"Output size exceeds limit of {} bytes",
ctx.config.max_output_size
),
)
.await?;
return Err(anyhow::anyhow!("Command output exceeds size limit"));
}
// Process stderr if present
if !output.stderr.is_empty() {
let stderr = String::from_utf8_lossy(&output.stderr);
log_audit_event(
"COMMAND_ERROR",
&ctx.username,
&format!("Command produced error output: {}", stderr),
)
.await?;
}
// Process stdout if logging is enabled
if ctx.config.log_output && !output.stdout.is_empty() {
let stdout = String::from_utf8_lossy(&output.stdout);
log_audit_event(
"COMMAND_OUTPUT",
&ctx.username,
&format!("Command output: {}", stdout),
)
.await?;
}
// Check exit status
if !output.status.success() {
return Err(anyhow::anyhow!(
"Command failed with exit code: {}",
output.status.code().unwrap_or(-1)
));
}
Ok(())
}
fn create_sandbox() -> Result<SandboxContext> {
let mut ctx = SyscallContext::init()?;
use syscallz::Syscall;
// Essential system calls
let essential_syscalls = [
Syscall::read,
Syscall::write,
Syscall::exit,
Syscall::exit_group,
Syscall::brk,
Syscall::arch_prctl,
];
// File operations
let file_syscalls = [
Syscall::open,
Syscall::openat,
Syscall::close,
Syscall::access,
Syscall::getcwd,
Syscall::lseek,
Syscall::stat,
Syscall::fstat,
Syscall::lstat,
Syscall::readlink,
];
// Memory management
let memory_syscalls = [
Syscall::mmap,
Syscall::munmap,
Syscall::mprotect,
Syscall::mremap,
];
// Process management
let process_syscalls = [
Syscall::clone,
Syscall::fork,
Syscall::execve,
Syscall::kill,
Syscall::wait4,
Syscall::getpid,
Syscall::getppid,
Syscall::getuid,
Syscall::geteuid,
];
// Allow the syscalls
for syscall in essential_syscalls
.iter()
.chain(file_syscalls.iter())
.chain(memory_syscalls.iter())
.chain(process_syscalls.iter())
{
ctx.allow_syscall(*syscall)
.with_context(|| format!("Failed to add syscall rule: {:?}", syscall))?;
}
Ok(SandboxContext::new(ctx))
}
fn drop_privileges() -> Result<()> {
let nobody_uid = Uid::from_raw(65534); // nobody user
let nobody_gid = Gid::from_raw(65534); // nobody group
// Clear supplementary groups first
nix::unistd::setgroups(&[]).context("Failed to clear supplementary groups")?;
// Drop group privileges
nix::unistd::setresgid(nobody_gid, nobody_gid, nobody_gid)
.context("Failed to drop group privileges")?;
// Drop user privileges
nix::unistd::setresuid(nobody_uid, nobody_uid, nobody_uid)
.context("Failed to drop user privileges")?;
Ok(())
}
async fn check_dangerous_patterns(ctx: &CommandContext) -> Result<()> {
let full_command = format!("{} {}", ctx.command, ctx.args.join(" "));
// Check against dangerous patterns
for pattern in &ctx.config.dangerous_patterns {
if full_command.contains(pattern) {
log_audit_event(
"DANGEROUS_COMMAND",
&ctx.username,
&format!("Dangerous pattern detected: {}", pattern),
)
.await?;
return Err(anyhow::anyhow!("Dangerous command pattern detected"));
}
}
// OS-specific pattern checks
match std::env::consts::OS {
"macos" => check_macos_specific_patterns(ctx, &full_command).await?,
"linux" => check_linux_specific_patterns(ctx, &full_command).await?,
"bellandeos" => check_bellande_specific_patterns(ctx, &full_command).await?,
_ => {}
}
Ok(())
}
fn convert_patterns<const N: usize>(patterns: [(&str, &str); N]) -> Vec<DangerousPattern> {
patterns.into_iter().map(DangerousPattern::from).collect()
}
async fn check_macos_specific_patterns(ctx: &CommandContext, command: &str) -> Result<()> {
let dangerous_patterns = convert_patterns([
("diskutil eraseDisk", "Disk erasure attempt"),
("csrutil disable", "SIP disable attempt"),
("nvram", "NVRAM modification attempt"),
("kextload", "Kernel extension loading attempt"),
("spctl --master-disable", "Gatekeeper disable attempt"),
]);
check_patterns(ctx, command, &dangerous_patterns).await
}
async fn check_linux_specific_patterns(ctx: &CommandContext, command: &str) -> Result<()> {
let dangerous_patterns = convert_patterns([
("modprobe", "Kernel module loading attempt"),
("insmod", "Kernel module insertion attempt"),
("mount", "File system mounting attempt"),
("sysctl -w", "Sysctl modification attempt"),
("echo 1 > /proc/sys", "Sysctl modification attempt"),
("iptables -F", "Firewall flush attempt"),
]);
check_patterns(ctx, command, &dangerous_patterns).await
}
async fn check_bellande_specific_patterns(ctx: &CommandContext, command: &str) -> Result<()> {
let dangerous_patterns = convert_patterns([
("bellctl system reset", "System reset attempt"),
("bellctl security disable", "Security disable attempt"),
("bellctl kernel modify", "Kernel modification attempt"),
("bellctl firewall disable", "Firewall disable attempt"),
("bellctl audit stop", "Audit stop attempt"),
]);
check_patterns(ctx, command, &dangerous_patterns).await
}
async fn check_patterns(
ctx: &CommandContext,
command: &str,
patterns: &[DangerousPattern],
) -> Result<()> {
for pattern in patterns {
if command.contains(&pattern.pattern) {
log_audit_event("DANGEROUS_COMMAND", &ctx.username, &pattern.description).await?;
return Err(anyhow::anyhow!("Dangerous command pattern detected"));
}
}
Ok(())
}
async fn check_macos_patterns(ctx: &CommandContext, command: &str) -> Result<()> {
let patterns = vec![
DangerousPattern {
pattern: "diskutil eraseDisk".to_string(),
description: "Disk erasure attempt".to_string(),
},
DangerousPattern {
pattern: "csrutil disable".to_string(),
description: "SIP disable attempt".to_string(),
},
DangerousPattern {
pattern: "nvram".to_string(),
description: "NVRAM modification attempt".to_string(),
},
DangerousPattern {
pattern: "kextload".to_string(),
description: "Kernel extension loading attempt".to_string(),
},
];
check_patterns(ctx, command, &patterns).await
}
async fn check_linux_patterns(ctx: &CommandContext, command: &str) -> Result<()> {
let patterns = vec![
DangerousPattern {
pattern: "modprobe".to_string(),
description: "Kernel module loading attempt".to_string(),
},
DangerousPattern {
pattern: "insmod".to_string(),
description: "Kernel module insertion attempt".to_string(),
},
DangerousPattern {
pattern: "mount".to_string(),
description: "File system mounting attempt".to_string(),
},
DangerousPattern {
pattern: "sysctl -w".to_string(),
description: "Sysctl modification attempt".to_string(),
},
];
check_patterns(ctx, command, &patterns).await
}
async fn check_bellande_patterns(ctx: &CommandContext, command: &str) -> Result<()> {
let patterns = vec![
DangerousPattern {
pattern: "bellctl system reset".to_string(),
description: "System reset attempt".to_string(),
},
DangerousPattern {
pattern: "bellctl security disable".to_string(),
description: "Security disable attempt".to_string(),
},
DangerousPattern {
pattern: "bellctl kernel modify".to_string(),
description: "Kernel modification attempt".to_string(),
},
];
check_patterns(ctx, command, &patterns).await
}
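Review bot: `check_command_permissions` and `check_network_access` signal denial by returning `Ok(false)`, but `check_session_and_permissions` only applies `?` to them (`check_command_permissions(...).await?;` and `check_network_access(config, session, command, args).await?;`), so a user with insufficient privilege or blocked network access gets a PERMISSION_DENIED / NETWORK_DENIED audit entry and the command is then executed anyway — the boolean must be consulted, or the denial turned into an `Err` the way `check_session_state` already does. Note also that `allowed_paths` in `CommandConfig` and `config.allowed_commands` / `denied_commands` are never consulted here (`validate_command_input` only requires an absolute path), and the `contains`-based dangerous-pattern scan is trivially sidestepped by quoting or argument reordering, so it should be documented as a tripwire rather than a control. The seccomp context is also loaded into the supervisor process in `execute_command_safely` before the child is spawned, so the subsequent `log_audit_event` calls run under the same allow-list; applying it in the child via `Command::pre_exec` instead is presumably intended, though the exact effect depends on the syscallz default action, which is not visible here.
```rust
async fn check_session_and_permissions(
    // … unchanged: parameter list …
) -> Result<()> {
    check_session_state(session, command, args).await?;
    let permitted = check_command_permissions(
        session, command, args, required_privilege, config, privilege_manager,
    )
    .await?;
    if !permitted {
        return Err(anyhow::anyhow!("Permission denied for command: {}", command));
    }
    if cmd_config.network_isolation_required
        && !check_network_access(config, session, command, args).await?
    {
        return Err(anyhow::anyhow!("Network access denied for command: {}", command));
    }
    Ok(())
}
```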

1
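--- a/src/command/mod.rs
+++ b/src/command/mod.rs
@@ -0,0 +1 @@
+pub mod command;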

334
src/config/config.rs Normal file

@@ -0,0 +1,334 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
use std::collections::HashSet;
use std::fs::{self, OpenOptions};
use std::io::Write;
use std::os::unix::fs::OpenOptionsExt;
use std::path::PathBuf;
use std::time::Duration;
use anyhow::{Context, Result};
use log::warn;
use serde::{Deserialize, Serialize};
use tokio::runtime::Runtime;
use crate::hsm::hsm::{decrypt_data, encrypt_data};
use crate::user_privilege::user::User;
#[derive(Debug, Serialize, Deserialize)]
pub struct Config {
pub users: Vec<User>,
pub groups: Vec<Group>,
pub session_duration: u64,
pub allowed_commands: Vec<String>,
pub denied_commands: Vec<String>,
pub allowed_networks: Vec<String>,
pub hsm_slot: u64,
pub hsm_pin: String,
pub security_settings: SecuritySettings,
pub os_specific: OsSpecificConfig,
pub paths: ConfigPaths,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct Group {
pub name: String,
pub permissions: Vec<String>,
pub members: Vec<String>,
pub description: Option<String>,
pub created_at: chrono::DateTime<chrono::Utc>,
pub modified_at: chrono::DateTime<chrono::Utc>,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct SecuritySettings {
pub password_min_length: usize,
pub password_require_special: bool,
pub password_require_numbers: bool,
pub password_require_uppercase: bool,
pub max_login_attempts: usize,
pub lockout_duration: Duration,
pub session_timeout: Duration,
pub mfa_required: bool,
pub allowed_ip_ranges: Vec<String>,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct OsSpecificConfig {
pub macos: MacOSConfig,
pub linux: LinuxConfig,
pub bellandeos: BellandeOSConfig,
}
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct MacOSConfig {
pub require_filevault: bool,
pub require_sip: bool,
pub allowed_applications: Vec<String>,
}
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct LinuxConfig {
pub selinux_mode: String,
pub require_apparmor: bool,
pub kernel_hardening: bool,
}
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct BellandeOSConfig {
pub security_level: String,
pub require_secure_boot: bool,
pub enable_kernel_protection: bool,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct ConfigPaths {
pub config_dir: PathBuf,
pub log_dir: PathBuf,
pub backup_dir: PathBuf,
}
impl Default for Config {
fn default() -> Self {
let os_paths = match std::env::consts::OS {
"macos" => ConfigPaths {
config_dir: PathBuf::from("/Library/Application Support/bell"),
log_dir: PathBuf::from("/var/log/bell"),
backup_dir: PathBuf::from("/var/backup/bell"),
},
"linux" => ConfigPaths {
config_dir: PathBuf::from("/etc/bell"),
log_dir: PathBuf::from("/var/log/bell"),
backup_dir: PathBuf::from("/var/backup/bell"),
},
"bellandeos" => ConfigPaths {
config_dir: PathBuf::from("/bell/etc/bell"),
log_dir: PathBuf::from("/bell/log/bell"),
backup_dir: PathBuf::from("/bell/backup/bell"),
},
_ => ConfigPaths {
config_dir: PathBuf::from("./config"),
log_dir: PathBuf::from("./log"),
backup_dir: PathBuf::from("./backup"),
},
};
Config {
users: Vec::new(),
groups: Vec::new(),
session_duration: 3600,
allowed_commands: get_default_allowed_commands(),
denied_commands: get_default_denied_commands(),
allowed_networks: vec!["127.0.0.1/8".to_string()],
hsm_slot: 0,
hsm_pin: String::new(),
security_settings: SecuritySettings {
password_min_length: 12,
password_require_special: true,
password_require_numbers: true,
password_require_uppercase: true,
max_login_attempts: 3,
lockout_duration: Duration::from_secs(300),
session_timeout: Duration::from_secs(3600),
mfa_required: true,
allowed_ip_ranges: vec!["192.168.0.0/16".to_string()],
},
os_specific: OsSpecificConfig {
macos: MacOSConfig {
require_filevault: true,
require_sip: true,
allowed_applications: vec![],
},
linux: LinuxConfig {
selinux_mode: "enforcing".to_string(),
require_apparmor: true,
kernel_hardening: true,
},
bellandeos: BellandeOSConfig {
security_level: "high".to_string(),
require_secure_boot: true,
enable_kernel_protection: true,
},
},
paths: os_paths,
}
}
}
impl Config {
pub fn load() -> Result<Self> {
let rt = Runtime::new()?;
rt.block_on(async {
let config_path = Self::get_config_path()?;
Self::ensure_directories_exist()?;
let encrypted_config =
fs::read_to_string(&config_path).context("Failed to read config file")?;
let decrypted_config = decrypt_data(&encrypted_config)
.await
.context("Failed to decrypt config file")?;
let mut config: Config =
toml::from_str(&decrypted_config).context("Failed to parse config file")?;
config.verify_integrity()?;
config.update_os_settings()?;
Ok(config)
})
}
pub fn save(&self) -> Result<()> {
let rt = Runtime::new()?;
rt.block_on(async {
self.verify_integrity()?;
self.create_backup().await?;
let config_str = toml::to_string(self).context("Failed to serialize config")?;
let encrypted_config = encrypt_data(&config_str)
.await
.context("Failed to encrypt config")?;
let config_path = Self::get_config_path()?;
let mut file = OpenOptions::new()
.write(true)
.create(true)
.mode(0o600)
.open(&config_path)
.context("Failed to open config file for writing")?;
file.write_all(encrypted_config.as_bytes())
.context("Failed to write config file")?;
Ok(())
})
}
fn get_config_path() -> Result<PathBuf> {
let config = Config::default();
let config_file = config.paths.config_dir.join("config.toml");
Ok(config_file)
}
fn ensure_directories_exist() -> Result<()> {
let config = Config::default();
fs::create_dir_all(&config.paths.config_dir)?;
fs::create_dir_all(&config.paths.log_dir)?;
fs::create_dir_all(&config.paths.backup_dir)?;
Ok(())
}
fn verify_integrity(&self) -> Result<()> {
if self.users.is_empty() {
warn!("No users defined in configuration");
}
for group in &self.groups {
for permission in &group.permissions {
if !is_valid_permission(permission) {
return Err(anyhow::anyhow!("Invalid permission: {}", permission));
}
}
}
let mut seen_users = HashSet::new();
for user in &self.users {
if !seen_users.insert(&user.username) {
return Err(anyhow::anyhow!("Duplicate user: {}", user.username));
}
}
Ok(())
}
async fn create_backup(&self) -> Result<()> {
let timestamp = chrono::Utc::now().format("%Y%m%d_%H%M%S");
let backup_path = self
.paths
.backup_dir
.join(format!("config_backup_{}.toml", timestamp));
let config_str = toml::to_string(self)?;
let encrypted_backup = encrypt_data(&config_str).await?;
fs::write(backup_path, encrypted_backup)?;
Ok(())
}
fn update_os_settings(&mut self) -> Result<()> {
match std::env::consts::OS {
"macos" => {
self.os_specific.macos = MacOSConfig {
require_filevault: true,
require_sip: true,
allowed_applications: get_default_macos_applications(),
};
}
"linux" => {
self.os_specific.linux = LinuxConfig {
selinux_mode: "enforcing".to_string(),
require_apparmor: true,
kernel_hardening: true,
};
}
"bellandeos" => {
self.os_specific.bellandeos = BellandeOSConfig {
security_level: "high".to_string(),
require_secure_boot: true,
enable_kernel_protection: true,
};
}
_ => warn!("Unsupported operating system"),
}
Ok(())
}
}
fn get_default_allowed_commands() -> Vec<String> {
match std::env::consts::OS {
"macos" => vec!["ls".to_string(), "cd".to_string(), "pwd".to_string()],
"linux" => vec!["ls".to_string(), "cd".to_string(), "pwd".to_string()],
"bellandeos" => vec!["bellctl".to_string(), "ls".to_string(), "cd".to_string()],
_ => vec![],
}
}
fn get_default_denied_commands() -> Vec<String> {
match std::env::consts::OS {
"macos" => vec!["rm -rf /*".to_string(), "sudo su -".to_string()],
"linux" => vec!["rm -rf /*".to_string(), "dd".to_string()],
"bellandeos" => vec![
"bellctl system reset".to_string(),
"bellctl security disable".to_string(),
],
_ => vec![],
}
}
fn get_default_macos_applications() -> Vec<String> {
vec![
"/Applications/Terminal.app".to_string(),
"/Applications/Utilities/Terminal.app".to_string(),
]
}
fn is_valid_permission(permission: &str) -> bool {
matches!(
permission,
"read" | "write" | "execute" | "admin" | "system"
)
}
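Review bot: `save` opens the config with `.write(true).create(true)` but no `.truncate(true)`, so whenever the new ciphertext is shorter than the previous one the stale tail of the old file survives and the next `load` fails to decrypt or parse it; `mode(0o600)` likewise only takes effect when the file is created, so a pre-existing world-readable config keeps its mode. Add `.truncate(true)` to the builder and consider `fs::set_permissions(&config_path, fs::Permissions::from_mode(0o600))` after opening. `create_backup` writes the same encrypted material with `fs::write`, which takes the process umask rather than 0o600; route it through the same `OpenOptions` builder. Separately, `load` and `save` construct a fresh `Runtime` and `block_on` it, which panics when called from a thread already driving a tokio runtime — `main` is `#[tokio::main]` and calls `Config::load()` at the top, so this looks like it would trip at startup; making both `async fn` and awaiting them from main avoids the nested runtime.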

1
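--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -0,0 +1 @@
+pub mod config;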

820
src/hsm/hsm.rs Normal file

@@ -0,0 +1,820 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
use std::collections::HashMap;
use std::fs::{self, File, OpenOptions};
use std::io::{Read, Write};
use std::path::{Path, PathBuf};
use std::sync::Arc;
use std::time::SystemTime;
use aes_gcm::{
aead::{Aead, KeyInit},
Aes256Gcm, Key, Nonce,
};
use anyhow::{Context, Result};
use base64::{engine::general_purpose::STANDARD as base64, Engine as _};
use log::{info, warn};
use rand::{rngs::OsRng, RngCore};
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};
use tokio::sync::RwLock;
const KEY_SIZE: usize = 32;
const NONCE_SIZE: usize = 12;
const KEY_ROTATION_DAYS: u64 = 30;
#[derive(Debug, Serialize, Deserialize)]
pub struct KeyStore {
label: String,
key_id: [u8; 8],
encrypted_key: Vec<u8>,
created_at: SystemTime,
rotated_at: Option<SystemTime>,
fingerprint: String,
metadata: KeyMetadata,
}
#[derive(Debug, Serialize, Deserialize)]
struct KeyMetadata {
algorithm: String,
key_type: KeyType,
usage: KeyUsage,
platform: String,
}
#[derive(Debug, Serialize, Deserialize)]
enum KeyType {
Master,
Data,
Signing,
Authentication,
}
#[derive(Debug, Serialize, Deserialize)]
enum KeyUsage {
Encryption,
Decryption,
Both,
}
pub struct SecureStorage {
key_store: Arc<RwLock<HashMap<String, KeyStore>>>,
storage_path: PathBuf,
}
// Platform-specific implementations
#[cfg(unix)]
fn set_secure_permissions(options: &mut OpenOptions) -> &mut OpenOptions {
use std::os::unix::fs::OpenOptionsExt;
options.mode(0o600)
}
fn encode_sensitive_data(data: &[u8]) -> String {
base64.encode(data)
}
fn decode_sensitive_data(data: &str) -> Result<Vec<u8>> {
base64
.decode(data.trim())
.context("Failed to decode base64 data")
}
impl SecureStorage {
pub async fn new() -> Result<Self> {
let storage_path = get_platform_storage_path()?;
ensure_secure_directory(&storage_path)?;
let key_store = Arc::new(RwLock::new(HashMap::new()));
let storage = SecureStorage {
key_store,
storage_path,
};
storage.initialize().await?;
Ok(storage)
}
async fn initialize(&self) -> Result<()> {
// Load existing keys
self.load_keys().await?;
// Check for key rotation
self.check_key_rotation().await?;
// Initialize platform-specific secure storage
match std::env::consts::OS {
"macos" => self.initialize_keychain().await?,
"linux" => self.initialize_keyring().await?,
"bellandeos" => self.initialize_bellande_secure_store().await?,
_ => warn!("No platform-specific secure storage available"),
}
Ok(())
}
async fn load_key_from_keyring(&self, line: &str) -> Result<Option<KeyStore>> {
let label = match line.split("bell_key_").nth(1) {
Some(l) => l,
None => return Ok(None),
};
let output = std::process::Command::new("keyctl")
.args(&["read", "user", &format!("bell_key_{}", label)])
.output()
.context("Failed to read key from keyring")?;
if output.status.success() {
let encoded_data = String::from_utf8_lossy(&output.stdout);
let key_data = decode_sensitive_data(&encoded_data)?;
let key_store: KeyStore =
serde_json::from_slice(&key_data).context("Failed to deserialize key store")?;
Ok(Some(key_store))
} else {
Ok(None)
}
}
async fn load_key_from_keychain(&self, line: &str) -> Result<Option<KeyStore>> {
let label = match line.split("bell_key_").nth(1) {
Some(l) => l,
None => return Ok(None),
};
let output = std::process::Command::new("security")
.args(&[
"find-generic-password",
"-s",
&format!("bell_key_{}", label),
"-w",
])
.output()
.context("Failed to read key from keychain")?;
if output.status.success() {
let encoded_data = String::from_utf8_lossy(&output.stdout);
let key_data = decode_sensitive_data(&encoded_data)?;
let key_store: KeyStore =
serde_json::from_slice(&key_data).context("Failed to deserialize key store")?;
Ok(Some(key_store))
} else {
Ok(None)
}
}
async fn load_key_from_bellande(&self, line: &str) -> Result<Option<KeyStore>> {
let label = match line.split("bell_key_").nth(1) {
Some(l) => l,
None => return Ok(None),
};
let output = std::process::Command::new("bellctl")
.args(&["secure-store", "get", &format!("bell_key_{}", label)])
.output()
.context("Failed to read key from BellandeOS secure store")?;
if output.status.success() {
let encoded_data = String::from_utf8_lossy(&output.stdout);
let key_data = decode_sensitive_data(&encoded_data)?;
let key_store: KeyStore =
serde_json::from_slice(&key_data).context("Failed to deserialize key store")?;
Ok(Some(key_store))
} else {
Ok(None)
}
}
async fn load_master_key_from_keychain(&self) -> Result<Key<Aes256Gcm>> {
let output = std::process::Command::new("security")
.args(&["find-generic-password", "-s", "bell_master_key", "-w"])
.output()
.context("Failed to read from keychain")?;
if output.status.success() {
let encoded = String::from_utf8_lossy(&output.stdout);
let key_data = decode_sensitive_data(&encoded)?;
if key_data.len() != KEY_SIZE {
return Err(anyhow::anyhow!("Invalid key length"));
}
let key = Key::<Aes256Gcm>::from_slice(&key_data);
Ok(key.clone())
} else {
self.generate_and_store_master_key().await
}
}
async fn load_master_key_from_bellande(&self) -> Result<Key<Aes256Gcm>> {
let output = std::process::Command::new("bellctl")
.args(&["secure-store", "get", "bell_master_key"])
.output()
.context("Failed to read from BellandeOS secure store")?;
if output.status.success() {
let encoded = String::from_utf8_lossy(&output.stdout);
let key_data = decode_sensitive_data(&encoded)?;
if key_data.len() != KEY_SIZE {
return Err(anyhow::anyhow!("Invalid key length"));
}
let key = Key::<Aes256Gcm>::from_slice(&key_data);
Ok(key.clone())
} else {
self.generate_and_store_master_key().await
}
}
async fn save_keys(&self) -> Result<()> {
let store = self.key_store.read().await;
for key_store in store.values() {
let key_data = serde_json::to_string(key_store)?;
let encoded_data = encode_sensitive_data(key_data.as_bytes());
match std::env::consts::OS {
"macos" => {
std::process::Command::new("security")
.args(&[
"add-generic-password",
"-s",
&format!("bell_key_{}", key_store.label),
"-w",
&encoded_data,
])
.output()
.context("Failed to store in keychain")?;
}
"linux" => {
std::process::Command::new("keyctl")
.args(&[
"add",
"user",
&format!("bell_key_{}", key_store.label),
&encoded_data,
"@u",
])
.output()
.context("Failed to store in keyring")?;
}
"bellandeos" => {
std::process::Command::new("bellctl")
.args(&[
"secure-store",
"set",
&format!("bell_key_{}", key_store.label),
&encoded_data,
])
.output()
.context("Failed to store in BellandeOS secure store")?;
}
_ => {
let key_file = self.storage_path.join(format!("{}.key", key_store.label));
fs::write(key_file, &encoded_data)?;
}
}
}
Ok(())
}
pub async fn generate_key(
&self,
label: &str,
key_type: KeyType,
usage: KeyUsage,
) -> Result<Vec<u8>> {
let mut key = vec![0u8; KEY_SIZE];
OsRng.fill_bytes(&mut key);
let key_id = rand::random::<[u8; 8]>();
let master_key = self.load_master_key().await?;
let encrypted_key = self.encrypt_with_master_key(&master_key, &key).await?;
let fingerprint = calculate_key_fingerprint(&key);
let key_store = KeyStore {
label: label.to_string(),
key_id,
encrypted_key,
created_at: SystemTime::now(),
rotated_at: None,
fingerprint,
metadata: KeyMetadata {
algorithm: "AES-256-GCM".to_string(),
key_type,
usage,
platform: std::env::consts::OS.to_string(),
},
};
// Store in platform-specific secure storage
self.store_key_in_platform_storage(&key_store).await?;
// Update in-memory store
let mut store = self.key_store.write().await;
store.insert(label.to_string(), key_store);
// Save to disk
self.save_keys().await?;
Ok(key_id.to_vec())
}
pub async fn encrypt_data(&self, data: &str) -> Result<Vec<u8>> {
let master_key = self.load_master_key().await?;
let cipher = Aes256Gcm::new(&master_key);
let mut nonce = [0u8; NONCE_SIZE];
OsRng.fill_bytes(&mut nonce);
let nonce = Nonce::from_slice(&nonce);
let ciphertext = cipher
.encrypt(nonce, data.as_bytes())
.context("Failed to encrypt data")?;
let mut result = Vec::with_capacity(NONCE_SIZE + ciphertext.len());
result.extend_from_slice(nonce);
result.extend_from_slice(&ciphertext);
log_crypto_operation("ENCRYPT", &result).await?;
Ok(result)
}
pub async fn decrypt_data(&self, data: &[u8]) -> Result<String> {
if data.len() < NONCE_SIZE {
anyhow::bail!("Invalid encrypted data");
}
let master_key = self.load_master_key().await?;
let cipher = Aes256Gcm::new(&master_key);
let nonce = Nonce::from_slice(&data[..NONCE_SIZE]);
let ciphertext = &data[NONCE_SIZE..];
let plaintext = cipher
.decrypt(nonce, ciphertext)
.context("Failed to decrypt data")?;
log_crypto_operation("DECRYPT", data).await?;
String::from_utf8(plaintext).context("Failed to convert decrypted data to string")
}
async fn load_master_key_from_keyring(&self) -> Result<Key<Aes256Gcm>> {
let output = std::process::Command::new("keyctl")
.args(&["read", "user", "bell_master_key"])
.output()
.context("Failed to read from keyring")?;
if output.status.success() {
let encoded = String::from_utf8_lossy(&output.stdout);
let key_data = decode_sensitive_data(&encoded)?;
if key_data.len() != KEY_SIZE {
return Err(anyhow::anyhow!("Invalid key length"));
}
let key = Key::<Aes256Gcm>::from_slice(&key_data);
Ok(key.clone())
} else {
self.generate_and_store_master_key().await
}
}
async fn load_master_key(&self) -> Result<Key<Aes256Gcm>> {
match std::env::consts::OS {
"macos" => self.load_master_key_from_keychain().await,
"linux" => self.load_master_key_from_keyring().await,
"bellandeos" => self.load_master_key_from_bellande().await,
_ => self.load_master_key_from_file().await,
}
}
async fn load_master_key_from_file(&self) -> Result<Key<Aes256Gcm>> {
let master_key_path = self.storage_path.join("master.key");
if master_key_path.exists() {
let mut file =
File::open(&master_key_path).context("Failed to open master key file")?;
let mut key_bytes = [0u8; KEY_SIZE];
file.read_exact(&mut key_bytes)
.context("Failed to read master key")?;
let key = Key::<Aes256Gcm>::from_slice(&key_bytes);
Ok(key.clone())
} else {
self.generate_and_store_master_key().await
}
}
async fn encrypt_with_master_key(
&self,
master_key: &Key<Aes256Gcm>,
data: &[u8],
) -> Result<Vec<u8>> {
let cipher = Aes256Gcm::new(master_key);
let nonce = Nonce::from_slice(&[0u8; NONCE_SIZE]);
cipher
.encrypt(nonce, data)
.context("Failed to encrypt with master key")
}
async fn check_key_rotation(&self) -> Result<()> {
let mut store = self.key_store.write().await;
let now = SystemTime::now();
for key_store in store.values_mut() {
let last_rotation = key_store.rotated_at.unwrap_or(key_store.created_at);
if now.duration_since(last_rotation)?.as_secs() > KEY_ROTATION_DAYS * 24 * 60 * 60 {
let mut new_key = vec![0u8; KEY_SIZE];
OsRng.fill_bytes(&mut new_key);
let master_key = self.load_master_key().await?;
key_store.encrypted_key =
self.encrypt_with_master_key(&master_key, &new_key).await?;
key_store.rotated_at = Some(now);
key_store.fingerprint = calculate_key_fingerprint(&new_key);
self.store_key_in_platform_storage(key_store).await?;
}
}
Ok(())
}
// Platform-specific implementations
async fn initialize_keychain(&self) -> Result<()> {
let output = std::process::Command::new("security")
.args(&["create-keychain", "bell.keychain"])
.output()
.context("Failed to create keychain")?;
if !output.status.success() {
warn!("Keychain already exists or creation failed");
}
Ok(())
}
async fn initialize_keyring(&self) -> Result<()> {
let output = std::process::Command::new("keyctl")
.args(&["new_session"])
.output()
.context("Failed to create keyring session")?;
if !output.status.success() {
warn!("Keyring session creation failed");
}
Ok(())
}
async fn initialize_bellande_secure_store(&self) -> Result<()> {
let output = std::process::Command::new("bellctl")
.args(&["secure-store", "init"])
.output()
.context("Failed to initialize BellandeOS secure store")?;
if !output.status.success() {
warn!("BellandeOS secure store initialization failed");
}
Ok(())
}
async fn generate_and_store_master_key(&self) -> Result<Key<Aes256Gcm>> {
let mut key_bytes = [0u8; KEY_SIZE];
OsRng.fill_bytes(&mut key_bytes);
let key = Key::<Aes256Gcm>::from_slice(&key_bytes).clone();
let encoded_key = encode_sensitive_data(&key_bytes);
match std::env::consts::OS {
"macos" => {
std::process::Command::new("security")
.args(&[
"add-generic-password",
"-s",
"bell_master_key",
"-w",
&encoded_key,
])
.output()
.context("Failed to store in keychain")?;
}
"linux" => {
std::process::Command::new("keyctl")
.args(&["add", "user", "bell_master_key", &encoded_key, "@u"])
.output()
.context("Failed to store in keyring")?;
}
"bellandeos" => {
std::process::Command::new("bellctl")
.args(&["secure-store", "set", "bell_master_key", &encoded_key])
.output()
.context("Failed to store in BellandeOS secure store")?;
}
_ => {
self.store_master_key_to_file(&key_bytes).await?;
}
}
Ok(key)
}
async fn store_master_key_to_file(&self, key: &[u8]) -> Result<()> {
let master_key_path = self.storage_path.join("master.key");
let mut options = OpenOptions::new();
options.write(true).create(true).truncate(true);
let mut file = set_secure_permissions(&mut options)
.open(&master_key_path)
.context("Failed to create master key file")?;
file.write_all(key).context("Failed to write master key")?;
file.sync_all().context("Failed to sync master key file")?;
Ok(())
}
async fn store_key_in_platform_storage(&self, key_store: &KeyStore) -> Result<()> {
let key_data = serde_json::to_string(key_store)?;
let encoded_data = encode_sensitive_data(key_data.as_bytes());
match std::env::consts::OS {
"macos" => self.store_key_in_keychain(key_store, &encoded_data).await?,
"linux" => self.store_key_in_keyring(key_store, &encoded_data).await?,
"bellandeos" => self.store_key_in_bellande(key_store, &encoded_data).await?,
_ => self.store_key_in_file(key_store, &encoded_data).await?,
}
Ok(())
}
async fn store_key_in_keychain(&self, key_store: &KeyStore, encoded_data: &str) -> Result<()> {
let output = std::process::Command::new("security")
.args(&[
"add-generic-password",
"-s",
&format!("bell_key_{}", key_store.label),
"-w",
encoded_data,
])
.output()
.context("Failed to store key in keychain")?;
if !output.status.success() {
// Try to delete existing entry first and retry
let _ = std::process::Command::new("security")
.args(&[
"delete-generic-password",
"-s",
&format!("bell_key_{}", key_store.label),
])
.output();
std::process::Command::new("security")
.args(&[
"add-generic-password",
"-s",
&format!("bell_key_{}", key_store.label),
"-w",
encoded_data,
])
.output()
.context("Failed to store key in keychain after deletion")?;
}
Ok(())
}
async fn store_key_in_keyring(&self, key_store: &KeyStore, encoded_data: &str) -> Result<()> {
// First, try to remove any existing key
let _ = std::process::Command::new("keyctl")
.args(&["unlink", &format!("bell_key_{}", key_store.label), "@u"])
.output();
let output = std::process::Command::new("keyctl")
.args(&[
"add",
"user",
&format!("bell_key_{}", key_store.label),
encoded_data,
"@u",
])
.output()
.context("Failed to store key in keyring")?;
if !output.status.success() {
anyhow::bail!("Failed to store key in keyring: {:?}", output);
}
Ok(())
}
async fn store_key_in_bellande(&self, key_store: &KeyStore, encoded_data: &str) -> Result<()> {
let output = std::process::Command::new("bellctl")
.args(&[
"secure-store",
"set",
&format!("bell_key_{}", key_store.label),
encoded_data,
])
.output()
.context("Failed to store key in BellandeOS secure store")?;
if !output.status.success() {
// Try to delete and retry
let _ = std::process::Command::new("bellctl")
.args(&[
"secure-store",
"delete",
&format!("bell_key_{}", key_store.label),
])
.output();
std::process::Command::new("bellctl")
.args(&[
"secure-store",
"set",
&format!("bell_key_{}", key_store.label),
encoded_data,
])
.output()
.context("Failed to store key in BellandeOS secure store after deletion")?;
}
Ok(())
}
async fn store_key_in_file(&self, key_store: &KeyStore, encoded_data: &str) -> Result<()> {
let key_file = self.storage_path.join(format!("{}.key", key_store.label));
// Create a temporary file first
let temp_file = key_file.with_extension("tmp");
// Write to temporary file
let mut options = OpenOptions::new();
options.write(true).create(true).truncate(true);
let mut file = set_secure_permissions(&mut options)
.open(&temp_file)
.context("Failed to create temporary key file")?;
file.write_all(encoded_data.as_bytes())
.context("Failed to write key data")?;
file.sync_all().context("Failed to sync key file")?;
// Atomically rename temporary file to final location
fs::rename(&temp_file, &key_file).context("Failed to save key file")?;
Ok(())
}
async fn load_keys(&self) -> Result<()> {
let mut store = self.key_store.write().await;
match std::env::consts::OS {
"macos" => {
let output = std::process::Command::new("security")
.args(&["dump-keychain"])
.output()
.context("Failed to dump keychain")?;
if output.status.success() {
for line in String::from_utf8_lossy(&output.stdout).lines() {
if line.contains("bell_key_") {
if let Some(key_store) = self.load_key_from_keychain(line).await? {
store.insert(key_store.label.clone(), key_store);
}
}
}
}
}
"linux" => {
let output = std::process::Command::new("keyctl")
.args(&["list", "@u"])
.output()
.context("Failed to list keyring")?;
if output.status.success() {
for line in String::from_utf8_lossy(&output.stdout).lines() {
if line.contains("bell_key_") {
if let Some(key_store) = self.load_key_from_keyring(line).await? {
store.insert(key_store.label.clone(), key_store);
}
}
}
}
}
"bellandeos" => {
let output = std::process::Command::new("bellctl")
.args(&["secure-store", "list"])
.output()
.context("Failed to list BellandeOS secure store")?;
if output.status.success() {
for line in String::from_utf8_lossy(&output.stdout).lines() {
if line.contains("bell_key_") {
if let Some(key_store) = self.load_key_from_bellande(line).await? {
store.insert(key_store.label.clone(), key_store);
}
}
}
}
}
_ => {
// Fallback to file-based storage
if let Ok(entries) = fs::read_dir(&self.storage_path) {
for entry in entries {
if let Ok(entry) = entry {
if let Some(filename) = entry.file_name().to_str() {
if filename.ends_with(".key") {
if let Ok(key_data) = fs::read_to_string(entry.path()) {
match serde_json::from_str::<KeyStore>(&key_data) {
Ok(key_store) => {
store.insert(key_store.label.clone(), key_store);
}
Err(err) => {
warn!("Failed to deserialize key store: {}", err);
continue;
}
}
}
}
}
}
}
}
}
}
Ok(())
}
}
fn get_platform_storage_path() -> Result<PathBuf> {
let path = match std::env::consts::OS {
"macos" => PathBuf::from("/Library/Application Support/bell/secure"),
"linux" => PathBuf::from("/var/lib/bell/secure"),
"bellandeos" => PathBuf::from("/bell/secure/storage"),
_ => {
let mut path = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
path.push("secure");
path
}
};
Ok(path)
}
fn ensure_secure_directory(path: &Path) -> Result<()> {
if !path.exists() {
fs::create_dir_all(path)?;
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
fs::set_permissions(path, fs::Permissions::from_mode(0o700))?;
}
}
Ok(())
}
fn calculate_key_fingerprint(key: &[u8]) -> String {
let mut hasher = Sha256::new();
hasher.update(key);
format!("{:x}", hasher.finalize())
}
async fn log_crypto_operation(operation: &str, data: &[u8]) -> Result<()> {
let fingerprint = calculate_key_fingerprint(data);
info!(
"Crypto operation: {} - Size: {} bytes - Fingerprint: {}",
operation,
data.len(),
fingerprint
);
Ok(())
}
pub async fn encrypt_data(data: &str) -> anyhow::Result<String> {
let storage = SecureStorage::new().await?;
let encrypted = storage.encrypt_data(data).await?;
Ok(base64::engine::general_purpose::STANDARD.encode(&encrypted))
}
pub async fn decrypt_data(encrypted_data: &str) -> anyhow::Result<String> {
let storage = SecureStorage::new().await?;
let data = base64::engine::general_purpose::STANDARD.decode(encrypted_data)?;
storage.decrypt_data(&data).await
}

1
src/hsm/mod.rs Normal file

@@ -0,0 +1 @@
pub mod hsm;

1
src/network/mod.rs Normal file

@@ -0,0 +1 @@
pub mod network;

522
src/network/network.rs Normal file

@@ -0,0 +1,522 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
use std::fs::{File, OpenOptions};
use std::io::Write;
use std::net::IpAddr;
use std::path::PathBuf;
use std::process::Command;
use std::time::{Duration, SystemTime, UNIX_EPOCH};
use anyhow::{Context, Result};
use chrono::{DateTime, Utc};
use ipnetwork::Ipv4Network;
use log::{error, info, warn};
use serde::{Deserialize, Serialize};
use tokio::time::sleep;
use crate::config::config::Config;
#[derive(Debug, Serialize, Deserialize)]
pub struct NetworkConfig {
pub interface: String,
pub namespace: String,
pub allowed_ports: Vec<u16>,
pub dns_servers: Vec<String>,
pub retry_attempts: u32,
pub retry_delay: u64,
}
impl Default for NetworkConfig {
fn default() -> Self {
NetworkConfig {
interface: get_default_interface(),
namespace: "bell_isolated".to_string(),
allowed_ports: vec![53, 80, 443], // DNS, HTTP, HTTPS
dns_servers: vec!["8.8.8.8".to_string(), "8.8.4.4".to_string()],
retry_attempts: 3,
retry_delay: 1,
}
}
}
#[derive(Debug)]
struct NetworkCommands {
down_cmd: Vec<String>,
up_cmd: Vec<String>,
flush_cmd: Vec<String>,
firewall_cmd: Vec<String>,
}
impl NetworkCommands {
fn new() -> Self {
match std::env::consts::OS {
"macos" => Self {
down_cmd: vec!["ifconfig".into(), "{interface}".into(), "down".into()],
up_cmd: vec!["ifconfig".into(), "{interface}".into(), "up".into()],
flush_cmd: vec![
"ifconfig".into(),
"{interface}".into(),
"inet".into(),
"0".into(),
],
firewall_cmd: vec!["pfctl".into(), "-f".into(), "/etc/pf.conf".into()],
},
"linux" => Self {
down_cmd: vec![
"ip".into(),
"link".into(),
"set".into(),
"{interface}".into(),
"down".into(),
],
up_cmd: vec![
"ip".into(),
"link".into(),
"set".into(),
"{interface}".into(),
"up".into(),
],
flush_cmd: vec![
"ip".into(),
"addr".into(),
"flush".into(),
"dev".into(),
"{interface}".into(),
],
firewall_cmd: vec!["iptables".into(), "-F".into()],
},
"bellandeos" => Self {
down_cmd: vec![
"bellctl".into(),
"net".into(),
"down".into(),
"{interface}".into(),
],
up_cmd: vec![
"bellctl".into(),
"net".into(),
"up".into(),
"{interface}".into(),
],
flush_cmd: vec![
"bellctl".into(),
"net".into(),
"flush".into(),
"{interface}".into(),
],
firewall_cmd: vec!["bellctl".into(), "firewall".into(), "reset".into()],
},
_ => Self {
down_cmd: vec![],
up_cmd: vec![],
flush_cmd: vec![],
firewall_cmd: vec![],
},
}
}
}
#[derive(Debug, Serialize, Deserialize)]
struct AuditEvent {
timestamp: DateTime<Utc>,
event_type: String,
user: String,
message: String,
source_ip: Option<String>,
severity: AuditSeverity,
}
#[derive(Debug, Serialize, Deserialize)]
enum AuditSeverity {
Info,
Warning,
Error,
Critical,
}
impl Default for AuditSeverity {
fn default() -> Self {
AuditSeverity::Info
}
}
pub async fn isolate_network() -> Result<()> {
let config = NetworkConfig::default();
let commands = NetworkCommands::new();
info!(
"Starting network isolation process for {}",
std::env::consts::OS
);
let down_cmd = replace_interface_placeholder(&commands.down_cmd, &config.interface);
if let Some((cmd, args)) = down_cmd.split_first() {
run_command(cmd, args).await?;
}
let flush_cmd = replace_interface_placeholder(&commands.flush_cmd, &config.interface);
if let Some((cmd, args)) = flush_cmd.split_first() {
run_command(cmd, args).await?;
}
setup_firewall_rules(&config).await?;
log_audit_event(
"NETWORK_ISOLATION",
"SYSTEM",
&format!(
"Network isolated on {}: {}",
std::env::consts::OS,
config.interface
),
)
.await?;
Ok(())
}
pub async fn restore_network() -> Result<()> {
let config = NetworkConfig::default();
let commands = NetworkCommands::new();
info!(
"Starting network restoration process for {}",
std::env::consts::OS
);
let up_cmd = replace_interface_placeholder(&commands.up_cmd, &config.interface);
if let Some((cmd, args)) = up_cmd.split_first() {
run_command(cmd, args).await?;
}
let mut attempts = 0;
while attempts < config.retry_attempts {
match request_dhcp_lease(&config.interface).await {
Ok(_) => break,
Err(e) => {
warn!("DHCP request failed, attempt {}: {}", attempts + 1, e);
if attempts + 1 == config.retry_attempts {
return Err(e);
}
sleep(Duration::from_secs(config.retry_delay)).await;
attempts += 1;
}
}
}
log_audit_event(
"NETWORK_RESTORATION",
"SYSTEM",
&format!(
"Network restored on {}: {}",
std::env::consts::OS,
config.interface
),
)
.await?;
Ok(())
}
async fn run_command(cmd: &str, args: &[String]) -> Result<()> {
let status = Command::new(cmd)
.args(args)
.status()
.context(format!("Failed to run command: {} {:?}", cmd, args))?;
if !status.success() {
error!("Command failed: {} {:?}", cmd, args);
anyhow::bail!("Command failed with status: {}", status);
}
Ok(())
}
fn replace_interface_placeholder(cmd: &[String], interface: &str) -> Vec<String> {
cmd.iter()
.map(|s| s.replace("{interface}", interface))
.collect()
}
async fn setup_firewall_rules(config: &NetworkConfig) -> Result<()> {
match std::env::consts::OS {
"macos" => setup_pf_firewall(config).await?,
"linux" => setup_iptables_firewall(config).await?,
"bellandeos" => setup_bell_firewall(config).await?,
_ => anyhow::bail!("Unsupported operating system"),
}
Ok(())
}
async fn setup_pf_firewall(config: &NetworkConfig) -> Result<()> {
let pf_rules = generate_pf_rules(config);
std::fs::write("/etc/pf.conf", pf_rules).context("Failed to write PF configuration")?;
run_command("pfctl", &["-f".to_string(), "/etc/pf.conf".to_string()])
.await
.context("Failed to load PF rules")?;
run_command("pfctl", &["-e".to_string()])
.await
.context("Failed to enable PF firewall")?;
Ok(())
}
async fn setup_iptables_firewall(config: &NetworkConfig) -> Result<()> {
run_command("iptables", &["-F".to_string()]).await?;
for port in &config.allowed_ports {
let port_str = port.to_string();
let args = vec![
"-A".to_string(),
"OUTPUT".to_string(),
"-p".to_string(),
"tcp".to_string(),
"--dport".to_string(),
port_str,
"-j".to_string(),
"ACCEPT".to_string(),
];
run_command("iptables", &args).await?;
}
run_command(
"iptables",
&["-P".to_string(), "OUTPUT".to_string(), "DROP".to_string()],
)
.await
}
async fn setup_bell_firewall(config: &NetworkConfig) -> Result<()> {
run_command("bellctl", &["firewall".to_string(), "reset".to_string()]).await?;
for port in &config.allowed_ports {
let port_str = port.to_string();
let args = vec![
"firewall".to_string(),
"allow".to_string(),
"port".to_string(),
port_str,
];
run_command("bellctl", &args).await?;
}
run_command(
"bellctl",
&["firewall".to_string(), "default-deny".to_string()],
)
.await
}
fn generate_pf_rules(config: &NetworkConfig) -> String {
let mut rules = String::new();
rules.push_str("# Generated PF rules\n");
rules.push_str("set skip on lo0\n");
rules.push_str("set block-policy drop\n");
rules.push_str("\n# Default deny all\n");
rules.push_str("block all\n\n");
// Allow DNS to specified servers
rules.push_str("# Allow DNS to specified servers\n");
for dns in &config.dns_servers {
rules.push_str(&format!("pass out proto udp to {} port 53\n", dns));
}
// Allow specified ports
rules.push_str("\n# Allow specified outbound ports\n");
for port in &config.allowed_ports {
rules.push_str(&format!("pass out proto tcp to any port {}\n", port));
}
// Security rules
rules.push_str("\n# Security rules\n");
rules.push_str("block in quick from urpf-failed\n");
rules.push_str("block in quick from { 10/8, 172.16/12, 192.168/16 } to any\n");
rules.push_str("block in quick from any to { 10/8, 172.16/12, 192.168/16 }\n");
rules
}
fn get_default_interface() -> String {
match std::env::consts::OS {
"macos" => "en0".to_string(),
"linux" => "eth0".to_string(),
"bellandeos" => "bell0".to_string(),
_ => "unknown".to_string(),
}
}
async fn request_dhcp_lease(interface: &str) -> Result<()> {
match std::env::consts::OS {
"macos" => {
run_command(
"ipconfig",
&["set".to_string(), interface.to_string(), "DHCP".to_string()],
)
.await?;
}
"linux" => {
run_command("dhclient", &[interface.to_string()]).await?;
}
"bellandeos" => {
run_command(
"bellctl",
&["net".to_string(), "dhcp".to_string(), interface.to_string()],
)
.await?;
}
_ => anyhow::bail!("Unsupported operating system"),
}
Ok(())
}
async fn log_audit_event(event_type: &str, user: &str, message: &str) -> Result<()> {
let event = AuditEvent {
timestamp: Utc::now(),
event_type: event_type.to_string(),
user: user.to_string(),
message: message.to_string(),
source_ip: get_source_ip().await,
severity: get_event_severity(event_type),
};
info!(
"Audit: {} - {}: {}",
event.event_type, event.user, event.message
);
write_audit_log(&event).await?;
if matches!(event.severity, AuditSeverity::Critical) {
flush_audit_log().await?;
}
Ok(())
}
async fn get_source_ip() -> Option<String> {
match local_ip_address::local_ip() {
Ok(ip) => Some(ip.to_string()),
Err(_) => None,
}
}
fn get_event_severity(event_type: &str) -> AuditSeverity {
match event_type {
"NETWORK_ISOLATION" | "NETWORK_RESTORATION" => AuditSeverity::Warning,
"NETWORK_CHECK" => AuditSeverity::Info,
"SECURITY_VIOLATION" | "NETWORK_ATTACK" => AuditSeverity::Critical,
_ => AuditSeverity::Info,
}
}
async fn write_audit_log(event: &AuditEvent) -> Result<()> {
let log_path = get_audit_log_path();
let mut file = OpenOptions::new()
.create(true)
.append(true)
.open(&log_path)
.context(format!("Failed to open audit log file: {:?}", log_path))?;
let log_entry = serde_json::to_string(&event).context("Failed to serialize audit event")?;
writeln!(file, "{}", log_entry).context("Failed to write to audit log")?;
Ok(())
}
async fn flush_audit_log() -> Result<()> {
let log_path = get_audit_log_path();
let mut file = OpenOptions::new()
.append(true)
.open(&log_path)
.context("Failed to open audit log for flushing")?;
file.sync_all()
.context("Failed to flush audit log to disk")?;
Ok(())
}
fn get_audit_log_path() -> PathBuf {
match std::env::consts::OS {
"macos" => PathBuf::from("/var/log/security/audit.log"),
"linux" => PathBuf::from("/var/log/audit/audit.log"),
"bellandeos" => PathBuf::from("/bell/logs/audit/system.log"),
_ => PathBuf::from("audit.log"),
}
}
pub async fn rotate_audit_logs() -> Result<()> {
let log_path = get_audit_log_path();
if let Ok(metadata) = std::fs::metadata(&log_path) {
// Rotate if file is larger than 10MB
if metadata.len() > 10_000_000 {
let timestamp = SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_secs();
let backup_path = log_path.with_extension(format!("log.{}", timestamp));
std::fs::rename(&log_path, &backup_path).context("Failed to rotate audit log")?;
File::create(&log_path).context("Failed to create new audit log after rotation")?;
log_audit_event(
"AUDIT_LOG_ROTATION",
"SYSTEM",
&format!("Rotated audit log to {:?}", backup_path),
)
.await?;
}
}
Ok(())
}
pub async fn is_network_allowed(config: &Config) -> Result<bool> {
let local_ip = local_ip_address::local_ip().context("Failed to get local IP address")?;
for network_str in &config.allowed_networks {
let network: Ipv4Network = network_str
.parse()
.context("Failed to parse network configuration")?;
if let IpAddr::V4(ipv4) = local_ip {
if network.contains(ipv4) {
log_audit_event(
"NETWORK_CHECK",
"SYSTEM",
&format!("Network allowed: {}", local_ip),
)
.await?;
return Ok(true);
}
}
}
log_audit_event(
"NETWORK_CHECK",
"SYSTEM",
&format!("Network denied: {}", local_ip),
)
.await?;
Ok(false)
}
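Review bot: `restore_network` never undoes the firewall state that `isolate_network` installs, so after a Linux isolation the `OUTPUT DROP` policy set by `setup_iptables_firewall` is still in force when `request_dhcp_lease` runs, and the DHCP exchange (UDP 67/68, not in `allowed_ports`) is dropped — every retry fails and the function returns an error with the host still isolated. The `firewall_cmd` field of `NetworkCommands` is built but never used; running it in `restore_network` before `up_cmd`, and on Linux additionally resetting the policy with `iptables -P OUTPUT ACCEPT`, makes the operation reversible (sketch below). On macOS `firewall_cmd` only reloads the same `/etc/pf.conf` that `setup_pf_firewall` overwrote in place, so that function should copy the original aside first (e.g. to a backup path such as `/etc/pf.conf.bak`) and restore should copy it back before `pfctl -f`, otherwise the block-all ruleset persists across reboots. Separately, the iptables path ignores `dns_servers` and only permits TCP, so UDP DNS is blocked under isolation even though the pf rules allow it. Also, `get_audit_log_path` returns `/var/log/audit/audit.log` on Linux, which is auditd's own log file; appending JSON lines there interferes with the daemon's record format and rotation, so a path owned by this project would be safer.
```rust
pub async fn restore_network() -> Result<()> {
    let config = NetworkConfig::default();
    let commands = NetworkCommands::new();
    // … unchanged: info! "Starting network restoration process" …
    // Tear down the isolation firewall before bringing the link up: with the
    // OUTPUT DROP policy / pf block-all rules still active, the DHCP exchange
    // below (UDP 67/68, not in allowed_ports) can never succeed.
    let firewall_cmd = replace_interface_placeholder(&commands.firewall_cmd, &config.interface);
    if let Some((cmd, args)) = firewall_cmd.split_first() {
        run_command(cmd, args).await?;
    }
    if std::env::consts::OS == "linux" {
        // `iptables -F` only removes rules; the default policy must be reset too.
        run_command(
            "iptables",
            &["-P".to_string(), "OUTPUT".to_string(), "ACCEPT".to_string()],
        )
        .await?;
    }
    // … unchanged: up_cmd, DHCP retry loop, NETWORK_RESTORATION audit event …
}
```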


@@ -0,0 +1,2 @@
pub mod privilege;
pub mod user;


@@ -0,0 +1,314 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
use std::collections::HashMap;
use std::fmt;
use std::hash::Hash;
use std::str::FromStr;
use std::time::{Duration, SystemTime};
use anyhow::Result;
use log::error;
use serde::{Deserialize, Serialize};
use thiserror::Error;
use crate::audit::audit::log_audit_event;
use crate::config::config::Config;
use crate::user_privilege::user::User;
use chrono::Timelike;
#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize, Clone, Copy)]
pub enum PrivilegeLevel {
User, // Basic user privileges
Group, // Group-based privileges
Administrator, // Administrative privileges
Root, // Root-level access
Bell, // Highest level - system owner
}
#[derive(Error, Debug)]
pub enum PrivilegeLevelError {
#[error("Invalid privilege level: {0}")]
InvalidPrivilegeLevel(String),
#[error("Insufficient privileges")]
InsufficientPrivileges,
#[error("Expired privileges")]
ExpiredPrivileges,
#[error("Group not found: {0}")]
GroupNotFound(String),
#[error("Permission not found: {0}")]
PermissionNotFound(String),
}
#[derive(Debug, Serialize, Deserialize)]
pub struct PrivilegeConfig {
pub elevation_timeout: Duration,
pub require_mfa: bool,
pub allowed_elevation_hours: Vec<u8>,
pub max_concurrent_elevations: usize,
pub restricted_commands: HashMap<PrivilegeLevel, Vec<String>>,
}
impl Default for PrivilegeConfig {
fn default() -> Self {
Self {
elevation_timeout: Duration::from_secs(3600),
require_mfa: true,
allowed_elevation_hours: (0..24).collect(),
max_concurrent_elevations: 3,
restricted_commands: HashMap::new(),
}
}
}
#[derive(Debug)]
pub struct PrivilegeManager {
config: PrivilegeConfig,
active_elevations: HashMap<String, Vec<PrivilegeElevation>>,
}
#[derive(Debug)]
struct PrivilegeElevation {
level: PrivilegeLevel,
granted_at: SystemTime,
expires_at: SystemTime,
reason: String,
}
impl FromStr for PrivilegeLevel {
type Err = PrivilegeLevelError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
match s.to_lowercase().as_str() {
"user" => Ok(PrivilegeLevel::User),
"group" => Ok(PrivilegeLevel::Group),
"admin" | "administrator" => Ok(PrivilegeLevel::Administrator),
"root" => Ok(PrivilegeLevel::Root),
"bell" => Ok(PrivilegeLevel::Bell),
_ => Err(PrivilegeLevelError::InvalidPrivilegeLevel(s.to_string())),
}
}
}
impl fmt::Display for PrivilegeLevel {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
PrivilegeLevel::User => write!(f, "user"),
PrivilegeLevel::Group => write!(f, "group"),
PrivilegeLevel::Administrator => write!(f, "administrator"),
PrivilegeLevel::Root => write!(f, "root"),
PrivilegeLevel::Bell => write!(f, "bell"),
}
}
}
impl PrivilegeManager {
pub fn new(config: PrivilegeConfig) -> Self {
Self {
config,
active_elevations: HashMap::new(),
}
}
pub async fn check_permission(
&self,
user: &User,
required_privilege: PrivilegeLevel,
config: &Config,
) -> Result<bool> {
// Direct privilege level check
if user.privilege >= required_privilege {
log_audit_event(
"PRIVILEGE_CHECK",
&user.username,
&format!("Direct privilege granted: {:?}", required_privilege),
)
.await?;
return Ok(true);
}
// Check active elevations
if let Some(elevations) = self.active_elevations.get(&user.username) {
for elevation in elevations {
if elevation.level >= required_privilege && SystemTime::now() < elevation.expires_at
{
log_audit_event(
"PRIVILEGE_CHECK",
&user.username,
&format!("Elevation privilege granted: {:?}", required_privilege),
)
.await?;
return Ok(true);
}
}
}
// Check group permissions
for group_name in &user.groups {
if let Some(group) = config.groups.iter().find(|g| g.name == *group_name) {
if group.permissions.contains(&required_privilege.to_string()) {
log_audit_event(
"PRIVILEGE_CHECK",
&user.username,
&format!(
"Group privilege granted: {:?} from {}",
required_privilege, group_name
),
)
.await?;
return Ok(true);
}
}
}
log_audit_event(
"PRIVILEGE_CHECK",
&user.username,
&format!("Permission denied for: {:?}", required_privilege),
)
.await?;
Ok(false)
}
pub async fn elevate_privilege(
&mut self,
user: &User,
requested_level: PrivilegeLevel,
reason: &str,
mfa_token: Option<&str>,
) -> Result<()> {
// Check if elevation is allowed at current hour
let current_hour = chrono::Local::now().hour() as u8;
if !self.config.allowed_elevation_hours.contains(&current_hour) {
return Err(PrivilegeLevelError::InsufficientPrivileges.into());
}
// Check MFA requirement
if self.config.require_mfa && mfa_token.is_none() {
return Err(anyhow::anyhow!(
"MFA token required for privilege elevation"
));
}
// Check concurrent elevations
let user_elevations = self
.active_elevations
.entry(user.username.clone())
.or_default();
if user_elevations.len() >= self.config.max_concurrent_elevations {
return Err(anyhow::anyhow!("Maximum concurrent elevations reached"));
}
// Create new elevation
let elevation = PrivilegeElevation {
level: requested_level,
granted_at: SystemTime::now(),
expires_at: SystemTime::now() + self.config.elevation_timeout,
reason: reason.to_string(),
};
user_elevations.push(elevation);
log_audit_event(
"PRIVILEGE_ELEVATION",
&user.username,
&format!("Elevated to {:?} for reason: {}", requested_level, reason),
)
.await?;
Ok(())
}
pub async fn revoke_elevation(&mut self, user: &str, level: PrivilegeLevel) -> Result<()> {
if let Some(elevations) = self.active_elevations.get_mut(user) {
elevations.retain(|e| e.level != level);
log_audit_event(
"PRIVILEGE_REVOCATION",
user,
&format!("Revoked elevation: {:?}", level),
)
.await?;
}
Ok(())
}
pub fn cleanup_expired_elevations(&mut self) {
let now = SystemTime::now();
for elevations in self.active_elevations.values_mut() {
elevations.retain(|e| e.expires_at > now);
}
}
}
// OS-specific privilege checks
pub async fn check_os_specific_privileges(
user: &User,
required_privilege: PrivilegeLevel,
) -> Result<bool> {
match std::env::consts::OS {
"macos" => check_macos_privileges(user, required_privilege).await,
"linux" => check_linux_privileges(user, required_privilege).await,
"bellandeos" => check_bellande_privileges(user, required_privilege).await,
_ => Ok(false),
}
}
async fn check_macos_privileges(user: &User, required_privilege: PrivilegeLevel) -> Result<bool> {
// Check admin group membership
if required_privilege >= PrivilegeLevel::Administrator {
let output = std::process::Command::new("dseditgroup")
.args(&["-o", "checkmember", "-m", &user.username, "admin"])
.output()?;
if !output.status.success() {
return Ok(false);
}
}
Ok(true)
}
async fn check_linux_privileges(user: &User, required_privilege: PrivilegeLevel) -> Result<bool> {
// Check sudo group membership
if required_privilege >= PrivilegeLevel::Administrator {
let output = std::process::Command::new("groups")
.arg(&user.username)
.output()?;
let groups = String::from_utf8_lossy(&output.stdout);
if !groups.contains("sudo") && !groups.contains("wheel") {
return Ok(false);
}
}
Ok(true)
}
async fn check_bellande_privileges(
user: &User,
required_privilege: PrivilegeLevel,
) -> Result<bool> {
// Check BellandeOS specific privileges
let output = std::process::Command::new("bellctl")
.args(&[
"user",
"check-privilege",
&user.username,
&required_privilege.to_string(),
])
.output()?;
Ok(output.status.success())
}

675
src/user_privilege/user.rs Normal file
View File

@@ -0,0 +1,675 @@
// Copyright (C) 2024 Bellande Architecture Mechanism Research Innovation Center, Ronaldson Bellande
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
use std::time::Duration;
use anyhow::{Context, Result};
use argon2::{
password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
Argon2,
};
use chrono::{DateTime, Utc};
use log::error;
use serde::{Deserialize, Serialize};
use std::io::Write;
use thiserror::Error;
use totp_rs::Secret;
use crate::audit::audit::log_audit_event;
use crate::config::config::Config;
use crate::user_privilege::privilege::PrivilegeLevel;
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct User {
pub username: String,
pub password_hash: String,
pub privilege: PrivilegeLevel,
pub totp_secret: String,
pub groups: Vec<String>,
pub created_at: DateTime<Utc>,
pub last_login: Option<DateTime<Utc>>,
pub password_changed_at: DateTime<Utc>,
pub failed_login_attempts: u32,
pub locked_until: Option<DateTime<Utc>>,
pub settings: UserSettings,
}
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct UserSettings {
pub require_mfa: bool,
pub password_expiry_days: u32,
pub max_failed_attempts: u32,
pub lockout_duration: Duration,
pub allowed_ip_ranges: Vec<String>,
}
#[derive(Error, Debug)]
pub enum UserError {
#[error("User not found: {0}")]
UserNotFound(String),
#[error("User already exists: {0}")]
UserExists(String),
#[error("Invalid password: {0}")]
InvalidPassword(String),
#[error("Account locked: {0}")]
AccountLocked(String),
#[error("Password expired")]
PasswordExpired,
#[error("Invalid group: {0}")]
InvalidGroup(String),
}
impl Default for UserSettings {
fn default() -> Self {
Self {
require_mfa: true,
password_expiry_days: 90,
max_failed_attempts: 5,
lockout_duration: Duration::from_secs(1800), // 30 minutes
allowed_ip_ranges: vec!["127.0.0.1/8".to_string()],
}
}
}
impl User {
pub fn new(username: &str, password: &str, privilege: PrivilegeLevel) -> Result<Self> {
let password_hash = hash_password(password)?;
let totp_secret = generate_totp_secret();
let now = Utc::now();
Ok(Self {
username: username.to_string(),
password_hash,
privilege,
totp_secret,
groups: Vec::new(),
created_at: now,
last_login: None,
password_changed_at: now,
failed_login_attempts: 0,
locked_until: None,
settings: UserSettings::default(),
})
}
pub fn is_locked(&self) -> bool {
if let Some(locked_until) = self.locked_until {
Utc::now() < locked_until
} else {
false
}
}
pub fn password_expired(&self) -> bool {
let expiry = chrono::Duration::days(self.settings.password_expiry_days as i64);
Utc::now() - self.password_changed_at > expiry
}
pub fn record_login_attempt(&mut self, success: bool) {
if success {
self.last_login = Some(Utc::now());
self.failed_login_attempts = 0;
self.locked_until = None;
} else {
self.failed_login_attempts += 1;
if self.failed_login_attempts >= self.settings.max_failed_attempts {
self.locked_until = Some(
Utc::now()
+ chrono::Duration::from_std(self.settings.lockout_duration).unwrap(),
);
}
}
}
}
pub async fn add_user(
config: &mut Config,
username: &str,
password: &str,
privilege: PrivilegeLevel,
) -> Result<()> {
// Check if user already exists
if config.users.iter().any(|u| u.username == username) {
return Err(UserError::UserExists(username.to_string()).into());
}
// Create new user
let new_user = User::new(username, password, privilege)?;
// Create OS-specific user account
create_os_user(username, privilege).await?;
config.users.push(new_user.clone());
config.save()?;
log_audit_event(
"USER_ADDED",
"SYSTEM",
&format!("Added user: {} with privilege: {:?}", username, privilege),
)
.await?;
println!(
"User added successfully. TOTP secret: {}",
new_user.totp_secret
);
Ok(())
}
pub async fn remove_user(config: &mut Config, username: &str) -> Result<()> {
// Check if user exists
if !config.users.iter().any(|u| u.username == username) {
return Err(UserError::UserNotFound(username.to_string()).into());
}
// Remove OS-specific user account
remove_os_user(username).await?;
config.users.retain(|u| u.username != username);
config.save()?;
log_audit_event(
"USER_REMOVED",
"SYSTEM",
&format!("Removed user: {}", username),
)
.await?;
println!("User removed successfully.");
Ok(())
}
pub async fn change_password(
config: &mut Config,
username: &str,
new_password: &str,
) -> Result<()> {
// Validate password complexity first
validate_password_complexity(new_password)?;
// Find user index
let user_index = config
.users
.iter()
.position(|u| u.username == username)
.ok_or_else(|| UserError::UserNotFound(username.to_string()))?;
// Update password
let new_hash = hash_password(new_password)?;
// Update the user's password
{
let user = &mut config.users[user_index];
user.password_hash = new_hash;
user.password_changed_at = Utc::now();
}
// Update OS-specific password
update_os_password(username, new_password).await?;
config.save()?;
log_audit_event(
"PASSWORD_CHANGED",
username,
"Password changed successfully",
)
.await?;
println!("Password changed successfully.");
Ok(())
}
pub async fn change_privilege(
config: &mut Config,
username: &str,
new_privilege: PrivilegeLevel,
) -> Result<()> {
// Find user index first
let user_index = config
.users
.iter()
.position(|u| u.username == username)
.ok_or_else(|| UserError::UserNotFound(username.to_string()))?;
// Get the values we need before modifying the user
let old_privilege = config.users[user_index].privilege;
let username_clone = config.users[user_index].username.clone();
// Update the privilege
config.users[user_index].privilege = new_privilege;
// Update OS-specific privileges
update_os_privileges(username, new_privilege).await?;
// Save the configuration
config.save()?;
// Log the audit event
log_audit_event(
"PRIVILEGE_CHANGED",
&username_clone,
&format!(
"Privilege changed from {:?} to {:?}",
old_privilege, new_privilege
),
)
.await?;
println!("Privilege level changed successfully.");
Ok(())
}
pub async fn add_user_to_group(
config: &mut Config,
username: &str,
group_name: &str,
) -> Result<()> {
// Check if group exists first
if !config.groups.iter().any(|g| g.name == group_name) {
return Err(UserError::InvalidGroup(group_name.to_string()).into());
}
// Find user index
let user_index = config
.users
.iter()
.position(|u| u.username == username)
.ok_or_else(|| UserError::UserNotFound(username.to_string()))?;
// Check if user is already in group
let already_in_group = config.users[user_index]
.groups
.contains(&group_name.to_string());
if !already_in_group {
// Get username for audit log before modification
let username_clone = config.users[user_index].username.clone();
// Add user to group
config.users[user_index].groups.push(group_name.to_string());
// Update OS-specific group membership
add_os_user_to_group(username, group_name).await?;
// Save configuration
config.save()?;
// Log audit event
log_audit_event(
"USER_ADDED_TO_GROUP",
&username_clone,
&format!("Added to group: {}", group_name),
)
.await?;
println!("User added to group successfully.");
} else {
println!("User is already in this group.");
}
Ok(())
}
pub async fn remove_user_from_group(
config: &mut Config,
username: &str,
group_name: &str,
) -> Result<()> {
// Find user index
let user_index = config
.users
.iter()
.position(|u| u.username == username)
.ok_or_else(|| UserError::UserNotFound(username.to_string()))?;
// Get username for audit log before modification
let username_clone = config.users[user_index].username.clone();
// Remove the group
config.users[user_index].groups.retain(|g| g != group_name);
// Update OS-specific group membership
remove_os_user_from_group(username, group_name).await?;
// Save configuration
config.save()?;
// Log audit event
log_audit_event(
"USER_REMOVED_FROM_GROUP",
&username_clone,
&format!("Removed from group: {}", group_name),
)
.await?;
println!("User removed from group successfully.");
Ok(())
}
// Helper functions
fn hash_password(password: &str) -> Result<String> {
// Generate a random salt
let salt = SaltString::generate(&mut OsRng);
// Create default Argon2 instance
let argon2 = Argon2::default();
// Hash the password
Ok(argon2
.hash_password(password.as_bytes(), &salt)?
.to_string())
}
// And here's a corresponding verify function you'll need
fn verify_password(hash: &str, password: &str) -> Result<bool> {
use argon2::password_hash::PasswordHash;
use argon2::PasswordVerifier;
// Parse the hash string into a PasswordHash instance
let parsed_hash = PasswordHash::new(hash)?;
// Verify the password against the hash
Ok(Argon2::default()
.verify_password(password.as_bytes(), &parsed_hash)
.is_ok())
}
fn generate_totp_secret() -> String {
Secret::generate_secret().to_string()
}
fn validate_password_complexity(password: &str) -> Result<()> {
if password.len() < 12 {
return Err(UserError::InvalidPassword("Password too short".to_string()).into());
}
let has_uppercase = password.chars().any(|c| c.is_uppercase());
let has_lowercase = password.chars().any(|c| c.is_lowercase());
let has_digit = password.chars().any(|c| c.is_digit(10));
let has_special = password.chars().any(|c| !c.is_alphanumeric());
if !(has_uppercase && has_lowercase && has_digit && has_special) {
return Err(UserError::InvalidPassword(
"Password does not meet complexity requirements".to_string(),
)
.into());
}
Ok(())
}
// OS-specific functions
async fn create_os_user(username: &str, privilege: PrivilegeLevel) -> Result<()> {
match std::env::consts::OS {
"macos" => create_macos_user(username, privilege).await,
"linux" => create_linux_user(username, privilege).await,
"bellandeos" => create_bellande_user(username, privilege).await,
_ => Ok(()),
}
}
async fn remove_os_user(username: &str) -> Result<()> {
match std::env::consts::OS {
"macos" => remove_macos_user(username).await,
"linux" => remove_linux_user(username).await,
"bellandeos" => remove_bellande_user(username).await,
_ => Ok(()),
}
}
async fn update_os_password(username: &str, password: &str) -> Result<()> {
match std::env::consts::OS {
"macos" => update_macos_password(username, password).await,
"linux" => update_linux_password(username, password).await,
"bellandeos" => update_bellande_password(username, password).await,
_ => Ok(()),
}
}
async fn update_os_privileges(username: &str, privilege: PrivilegeLevel) -> Result<()> {
match std::env::consts::OS {
"macos" => update_macos_privileges(username, privilege).await,
"linux" => update_linux_privileges(username, privilege).await,
"bellandeos" => update_bellande_privileges(username, privilege).await,
_ => Ok(()),
}
}
// OS-specific implementations for macOS, Linux, and BellandeOS...
async fn create_macos_user(username: &str, privilege: PrivilegeLevel) -> Result<()> {
let mut cmd = std::process::Command::new("sysadminctl");
cmd.args(&["-addUser", username]);
match privilege {
PrivilegeLevel::Administrator => {
cmd.arg("-admin");
}
_ => {}
}
cmd.output().context("Failed to create macOS user")?;
Ok(())
}
async fn create_linux_user(username: &str, privilege: PrivilegeLevel) -> Result<()> {
let mut cmd = std::process::Command::new("useradd");
cmd.arg(username);
match privilege {
PrivilegeLevel::Administrator => {
cmd.args(&["-G", "sudo"]);
}
_ => {}
}
cmd.output().context("Failed to create Linux user")?;
Ok(())
}
async fn create_bellande_user(username: &str, privilege: PrivilegeLevel) -> Result<()> {
let mut cmd = std::process::Command::new("bellctl");
cmd.args(&["user", "create", username]);
match privilege {
PrivilegeLevel::Administrator => {
cmd.arg("--admin");
}
PrivilegeLevel::Root => {
cmd.arg("--root");
}
PrivilegeLevel::Bell => {
cmd.arg("--bell");
}
_ => {}
}
cmd.output().context("Failed to create BellandeOS user")?;
Ok(())
}
async fn remove_macos_user(username: &str) -> Result<()> {
std::process::Command::new("sysadminctl")
.args(&["-deleteUser", username])
.output()
.context("Failed to remove macOS user")?;
Ok(())
}
async fn remove_linux_user(username: &str) -> Result<()> {
std::process::Command::new("userdel")
.args(&["-r", username]) // -r flag removes home directory and mail spool
.output()
.context("Failed to remove Linux user")?;
Ok(())
}
async fn remove_bellande_user(username: &str) -> Result<()> {
std::process::Command::new("bellctl")
.args(&["user", "remove", username])
.output()
.context("Failed to remove BellandeOS user")?;
Ok(())
}
async fn update_macos_password(username: &str, password: &str) -> Result<()> {
std::process::Command::new("dscl")
.args(&[".", "-passwd", &format!("/Users/{}", username), password])
.output()
.context("Failed to update macOS password")?;
Ok(())
}
async fn update_linux_password(username: &str, password: &str) -> Result<()> {
let passwd_input = format!("{}:{}", username, password);
let mut child = std::process::Command::new("chpasswd")
.stdin(std::process::Stdio::piped())
.spawn()
.context("Failed to spawn chpasswd")?;
if let Some(mut stdin) = child.stdin.take() {
stdin
.write_all(passwd_input.as_bytes())
.context("Failed to write to chpasswd stdin")?;
}
child.wait().context("Failed to wait for chpasswd")?;
Ok(())
}
async fn update_bellande_password(username: &str, password: &str) -> Result<()> {
let mut child = std::process::Command::new("bellctl")
.args(&["user", "set-password", username])
.stdin(std::process::Stdio::piped())
.spawn()
.context("Failed to spawn bellctl")?;
if let Some(mut stdin) = child.stdin.take() {
stdin
.write_all(password.as_bytes())
.context("Failed to set BellandeOS password")?;
}
child.wait().context("Failed to wait for bellctl")?;
Ok(())
}
async fn update_macos_privileges(username: &str, privilege: PrivilegeLevel) -> Result<()> {
match privilege {
PrivilegeLevel::Administrator | PrivilegeLevel::Root | PrivilegeLevel::Bell => {
std::process::Command::new("dseditgroup")
.args(&["-o", "edit", "-a", username, "-t", "user", "admin"])
.output()
.context("Failed to update macOS privileges")?;
}
_ => {
std::process::Command::new("dseditgroup")
.args(&["-o", "edit", "-d", username, "-t", "user", "admin"])
.output()
.context("Failed to update macOS privileges")?;
}
}
Ok(())
}
async fn update_linux_privileges(username: &str, privilege: PrivilegeLevel) -> Result<()> {
match privilege {
PrivilegeLevel::Administrator | PrivilegeLevel::Root => {
std::process::Command::new("usermod")
.args(&["-aG", "sudo", username])
.output()
.context("Failed to update Linux privileges")?;
}
PrivilegeLevel::Bell => {
std::process::Command::new("usermod")
.args(&["-aG", "sudo,adm,root", username])
.output()
.context("Failed to update Linux privileges")?;
}
_ => {
std::process::Command::new("deluser")
.args(&[username, "sudo"])
.output()
.context("Failed to update Linux privileges")?;
}
}
Ok(())
}
async fn update_bellande_privileges(username: &str, privilege: PrivilegeLevel) -> Result<()> {
let privilege_str = match privilege {
PrivilegeLevel::User => "user",
PrivilegeLevel::Group => "group",
PrivilegeLevel::Administrator => "admin",
PrivilegeLevel::Root => "root",
PrivilegeLevel::Bell => "bell",
};
std::process::Command::new("bellctl")
.args(&["user", "set-privilege", username, privilege_str])
.output()
.context("Failed to update BellandeOS privileges")?;
Ok(())
}
async fn add_os_user_to_group(username: &str, group: &str) -> Result<()> {
match std::env::consts::OS {
"macos" => {
std::process::Command::new("dseditgroup")
.args(&["-o", "edit", "-a", username, "-t", "user", group])
.output()
.context("Failed to add macOS user to group")?;
}
"linux" => {
std::process::Command::new("usermod")
.args(&["-aG", group, username])
.output()
.context("Failed to add Linux user to group")?;
}
"bellandeos" => {
std::process::Command::new("bellctl")
.args(&["user", "add-to-group", username, group])
.output()
.context("Failed to add BellandeOS user to group")?;
}
_ => {}
}
Ok(())
}
async fn remove_os_user_from_group(username: &str, group: &str) -> Result<()> {
match std::env::consts::OS {
"macos" => {
std::process::Command::new("dseditgroup")
.args(&["-o", "edit", "-d", username, "-t", "user", group])
.output()
.context("Failed to remove macOS user from group")?;
}
"linux" => {
std::process::Command::new("deluser")
.args(&[username, group])
.output()
.context("Failed to remove Linux user from group")?;
}
"bellandeos" => {
std::process::Command::new("bellctl")
.args(&["user", "remove-from-group", username, group])
.output()
.context("Failed to remove BellandeOS user from group")?;
}
_ => {}
}
Ok(())
}