Linux Configuration Manager (LCM)
<img src="https://github.com/skosachiov/lcm/blob/main/lcm.png" width="200" height="250">
License
This file is part of Linux Configuration Manager (LCM).
Linux Configuration Manager (LCM) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Linux Configuration Manager (LCM) is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Linux Configuration Manager (LCM). If not, see https://www.gnu.org/licenses/.
<a name="Introduction"></a>
Introduction
Briefly
The objective of the project is to provide management capabilities (similar to SCCM) for various types of devices operating in a corporate environment. Information security is the primary focus of development. Roles come with default settings that can be dynamically overridden using rules from the "inventories" folder based on subnet, host group (organizational unit or branch), operating system, etc. Git enables lifecycle management through a GitOps approach. Roles (policies) can also be used separately.
More details
Consider the challenge of managing an extensive fleet of user devices. For example, the French National Gendarmerie oversees 100,000 workstations, and the government of Schleswig-Holstein has approved migrating 30,000 computers to Linux and LibreOffice. This project proposes using only two simple yet widely adopted tools for this purpose: Git and Ansible. Several arguments support this approach:
- The job market offers many Ansible specialists whose salaries are not excessively high.
- Ansible includes an ansible-pull mode in which each host fetches the playbooks from Git and runs them locally on a schedule. The management server is then just a Git server that serves clones and fetches rather than executing playbooks, which drastically reduces its load: a single server can serve tens of thousands of devices.
- Adherence to the KISS principle (Unix philosophy).
- Git provides version control and GitOps-style management.
While numerous solutions exist for specific workstation administration tasks (e.g., roles on Ansible Galaxy), a comprehensive solution is lacking. Systems such as Foreman (built around Puppet) and SaltStack are available, but Puppet is dated, and Salt is complex and not yet widely adopted. AWX (Ansible Tower) is suitable for servers in push mode. This project offers a complete solution reminiscent of SCCM in the Windows world, where Ansible takes the place of PowerShell DSC, with the added benefit of Git version control.
Additionally, the project includes inventory templates, which are essential for implementing dynamic device inventory in ansible-pull mode. These templates are designed to suit the needs of most enterprises.
Security tasks are partially derived from ComplianceAsCode and OpenSCAP but have been adapted to allow administrators to refine the code in Git as part of their daily routines. The roles feature user-readable templates and variables, distinguishing them from ComplianceAsCode.
Security, as a top priority, is addressed comprehensively. Information leakage is mitigated by the "dlp" role, which includes USBGuard and disables the WiFi and Bluetooth kernel modules. A broad range of configurations is applied, from remounting "tmp" and "home" with the noexec and nodev options to verifying the signing keys of the configured package repositories by fingerprint. The most valuable feature is mandatory access control (AppArmor or SELinux, see the mandatory-access flag below), combined with integrity and signature checks on executable files.
Ideally, the enterprise security administrator receives a daily report with "Changed = 0" for each workstation, indicating that all hosts were already in their desired state and nothing had to be modified. "Changed != 0" means that either a policy update reached the host or a local change was reverted, and either case warrants investigation; a failed or unreachable host deserves the same attention, since its state could not be confirmed at all.
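The daily report described above can be produced from the PLAY RECAP that ansible-pull prints at the end of each run. The following is an added example, not code from the LCM repository; it assumes the recap text has been collected (for instance from the cron job's mail or a log file), and the host names and counters in the sample are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of the PLAY RECAP that ansible-pull prints at the end of a run
# (three hypothetical hosts; the counters are invented for this example).
SAMPLE_RECAP = """\
PLAY RECAP *********************************************************************
ws-0101.corp.example : ok=87   changed=0    unreachable=0    failed=0    skipped=12   rescued=0    ignored=0
ws-0102.corp.example : ok=88   changed=1    unreachable=0    failed=0    skipped=12   rescued=0    ignored=0
ws-0103.corp.example : ok=40   changed=0    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0
"""

# One recap line: "<host> : name=<n> name=<n> ..."
RECAP_LINE = re.compile(r"^(?P<host>\S+)\s*:\s*(?P<counters>(?:[a-z]+=\d+\s*)+)$")
COUNTER = re.compile(r"([a-z]+)=(\d+)")


class RecapEntry(NamedTuple):
    host: str
    counters: Dict[str, int]


def parse_recap(text: str) -> List[RecapEntry]:
    """Extract per-host counters from ansible-pull / ansible-playbook output."""
    entries: List[RecapEntry] = []
    for raw in text.splitlines():
        m = RECAP_LINE.match(raw.strip())
        if not m:
            continue  # banner lines, task output, etc.
        counters = {k: int(v) for k, v in COUNTER.findall(m.group("counters"))}
        entries.append(RecapEntry(m.group("host"), counters))
    return entries


def hosts_needing_review(entries: List[RecapEntry]) -> Dict[str, List[str]]:
    """Map host -> reasons. changed != 0 means the host was not in its desired
    state (either a policy update landed or local drift was reverted);
    failed/unreachable means the desired state could not be confirmed at all."""
    flagged: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = [k for k in ("changed", "failed", "unreachable")
                   if entry.counters.get(k, 0) != 0]
        if reasons:
            flagged[entry.host] = reasons
    return flagged


if __name__ == "__main__":
    for host, why in hosts_needing_review(parse_recap(SAMPLE_RECAP)).items():
        print(f"{host}: {', '.join(why)}")
```

One caveat for the scheduled run: ansible-pull's `--only-if-changed` option skips the playbook when the Git checkout has not changed, so a host that drifted locally would never report "changed=1" under it; the daily drift check needs a full run.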
Profiling is accomplished through a defined set of roles compiled into playbooks:
- workstation (a standard workstation within the enterprise domain)
- mobile-device (a laptop for accessing corporate resources over the internet)
- flash-drive (a bootable USB drive for BYOD)
- distribution-point (a distribution point within an enterprise unit)
- server (a general-purpose server), etc.
Profiles support security flags, such as:
- mandatory-access (AppArmor, SELinux)
- administrative-workstation (restricted group access)
- network-auditd (sending auditd data to a log server)
- always-on-display (disabling display lock and shutdown)
- devel-workstation (switching the host to test workstation mode)
- unrestricted-os (users may boot other operating systems)
- fs-userspace (file systems accessible to the user)
- thin-client (thin client mode)
- flash-drive (thin client mode on a USB drive)
- dist-upgrade (host forcibly updates all packages), etc.
For security specialists, numerous opportunities exist to coordinate changes and oversee management workflows: code reviews, merge requests, and pull requests. For instance, only a security specialist may commit to the master branch (see Lifecycle). Ansible-pull agents retrieve playbooks from the master branch. Large enterprise divisions have room for creativity—branches and units can address their specific needs in separate Git repositories without compromising baseline security configurations. On-premise solutions like GitLab or Forgejo are well-suited for collaboration.
Initially, several roles handled connections to proprietary systems such as Citrix and ESET antivirus. These roles have been removed from this repository as they are not relevant to most administrators seeking independence from proprietary software. Details for connecting to Microsoft AD domain controllers and Exchange have been retained, as many organizations are still transitioning from MS AD to FreeIPA. Moreover, these roles are also applicable to SambaAD-based controllers.
The project is designed for development in internet environments, with or without corporate repositories. Corporate resource availability is determined dynamically, and roles adjust accordingly.
<a name="Folder structure"></a>
Folder structure
├── inventories # vars based on various parameters
│ ├── all #
│ │ ├── group_vars # vars for certain hosts, for example, for distribution-points
│ │ └── dp #
│ ├── branches # vars based on Company
│ ├── ou # vars based on OU membership
│ ├── distribution # vars based on OS distribution
│ └── subnets # vars based on Subnet
│ #
├── roles # roles
│ ├── ad-client #
│ ├── ansible-client #
│ ├── antivirus #
│ ├── ... #
├── tests # test automation
└── utils # utilities, git hooks
<a name="Roles"></a>
Roles
ad-client
The role prepares a workstation to join a Samba AD DC or MS AD domain. If domain-join credentials are provided, the join is fully automated; otherwise a script for joining manually is placed in /root/realm.sh. FreeIPA clients use their own enrollment mechanism. The role also enables additional Kerberos logging.
ansible-client
Ansible-client creates a dedicated user with an authorized SSH key, adds a sudoers entry for that user, and installs a cron job that regularly runs ansible-pull against the main Ansible Git repository.
antivirus
This role installs and configures a free antivirus suite (ClamAV) to run in on-access scan mode and to regularly scan specific folders. The static clamav-data package is not available in current versions of Ubuntu, and a server-side freshclam may require the most recent clamav, so the role falls back to installing it from the RPM package. In addition, the role installs a systemd service for on-access scanning.
apt
The apt role manages all packages on a workstation or mobile device, installs the security task set, and verifies the fingerprints of the signing keys of the configured repositories.
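The fingerprint verification mentioned above can be done by reading each keyring with gpg's machine-readable output and comparing the primary-key fingerprints against an allowlist kept in Git. The following is an added example, not the apt role's own code; the keyring path and the fingerprints are hypothetical, and the sample gpg output is constructed in the shape of `gpg --with-colons --with-fingerprint --show-keys <keyring>`.

```python
import subprocess
from typing import Dict, List, Set

# Allowlist of primary-key fingerprints per keyring. The path and value below are
# hypothetical; in practice they are recorded in Git next to the role's variables.
EXPECTED_FINGERPRINTS: Dict[str, Set[str]] = {
    "/etc/apt/keyrings/corp-mirror.gpg": {"0123456789ABCDEF0123456789ABCDEF01234567"},
}

# Constructed sample in the shape of `gpg --with-colons --with-fingerprint --show-keys <keyring>`.
# A "fpr" record that directly follows a "pub" record carries the primary key's fingerprint
# in field 10; the later "fpr" belongs to the subkey and is deliberately ignored.
SAMPLE_GPG_OUTPUT = """\
pub:-:4096:1:89ABCDEF01234567:1650000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1650000000::::Corp Mirror Signing Key <apt@corp.example>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1650000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def primary_fingerprints(colon_output: str) -> Set[str]:
    """Collect primary-key fingerprints from gpg --with-colons output."""
    found: Set[str] = set()
    previous = ""
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and previous == "pub" and len(fields) > 9:
            found.add(fields[9].upper())
        previous = fields[0]
    return found


def check_keyring(path: str, colon_output: str, expected: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the keyring matches the allowlist.
    Both directions are checked: an extra key is as serious as a missing one."""
    found = primary_fingerprints(colon_output)
    problems = [f"{path}: unexpected key {fp}" for fp in sorted(found - expected)]
    problems += [f"{path}: missing expected key {fp}" for fp in sorted(expected - found)]
    return problems


def read_keyring(path: str) -> str:
    """Run gpg on a real keyring file (not exercised by the embedded sample)."""
    result = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--with-fingerprint", "--show-keys", path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    for keyring, expected in EXPECTED_FINGERPRINTS.items():
        for problem in check_keyring(keyring, SAMPLE_GPG_OUTPUT, expected):
            print(problem)
```

Checking for unexpected keys matters as much as checking for missing ones: a key added to a keyring that is trusted for a repository is exactly the kind of change that should show up as "Changed != 0" in the daily report. Per-repository keyrings referenced with `Signed-By` keep that check meaningful, whereas the legacy single /etc/apt/trusted.gpg store trusts every key it contains for every repository.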
audit
A fairly large role is devoted to setting up auditd. The audit configuration is loaded in immutable mode (auditctl -e 2), so any change to the rules requires a reboot. As an additional control the role counts the active rules; if the rules are not loaded, the information security officer receives a warning message.
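The two checks described above (immutable mode and the active rule count) can be expressed as a small verification step. The following is an added example, not the audit role's own code; it assumes the outputs of `auditctl -s` and `auditctl -l` and the deployed rules file are available as text, and all three samples below are constructed for the example.

```python
from typing import Dict, List

# Constructed samples standing in for the output of `auditctl -s`, `auditctl -l`,
# and the contents of the rules file the role deploys (all hypothetical).
SAMPLE_STATUS = """\
enabled 2
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
"""

SAMPLE_RULES_FILE = """\
## Constructed rules file
-D
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-a always,exit -F arch=b64 -S execve -F key=exec
-e 2
"""

SAMPLE_LOADED = """\
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-a always,exit -F arch=b64 -S execve -F key=exec
"""


def parse_status(text: str) -> Dict[str, str]:
    """Turn `auditctl -s` output into a dict, e.g. {'enabled': '2', ...}."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            status[parts[0]] = parts[1]
    return status


def count_rules(text: str) -> int:
    """Count watch (-w) and syscall (-a) rules; -D/-b/-f/-e control lines and
    comments are not rules and are never listed by `auditctl -l`."""
    return sum(1 for line in text.splitlines()
               if line.lstrip().startswith(("-w ", "-a ")))


def audit_problems(status_text: str, loaded_text: str, rules_file_text: str) -> List[str]:
    """Return findings for the daily report; empty means the audit subsystem is
    locked and carries exactly the rules that were deployed."""
    problems: List[str] = []
    enabled = parse_status(status_text).get("enabled")
    if enabled != "2":
        problems.append(f"audit not immutable (enabled={enabled}); "
                        "add '-e 2' to the rules and reboot")
    expected, loaded = count_rules(rules_file_text), count_rules(loaded_text)
    if loaded == 0:
        problems.append("no audit rules loaded")
    elif loaded != expected:
        problems.append(f"rule count mismatch: {loaded} loaded, {expected} in rules file")
    return problems


if __name__ == "__main__":
    print(audit_problems(SAMPLE_STATUS, SAMPLE_LOADED, SAMPLE_RULES_FILE) or ["audit ok"])
```

Reading status and rules is still permitted once `-e 2` is in effect; only changes are refused. Counting rules rather than diffing their text is deliberate, because `auditctl -l` may print a rule in a normalized form (for example `-F key=exec` for a rule written with `-k exec`).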
base-security
Basic device security settings are applied by this role. Corporate and mobile devices are checked and reconfigured daily. Tasks include GRUB security settings, sudoers, permissions on various folders and files, checking for SUID files, and similar hardening.
base-system
Many small tasks are reduced to one role for setting up the system and the user's working environment. Among them are the installation of corporate certificates, proxy settings, time service, user profile.
browser
Browser settings moved to a separate role.
desktop
For convenience, the administrative settings of the user's graphical environment have been moved to a separate role. Here you can pin favorite applications, set the desktop wallpaper, and show or hide icons in the application overview.
distribution-point
This