Bacula Security Monitor — A single-file Bash script that performs comprehensive security auditing of Bacula infrastructure: service health, AppArmor/SELinux enforcement, database connectivity, network ports, file permissions, storage health, and backup job status. Silent on success, loud on problems. Supports configurable thresholds, critical-only email alerts, and Bacula Admin job integration. Zero external dependencies.
faaleoleo dev team b3ec3efac1
All checks were successful
Functional Tests / Run Unit Tests (push) Successful in 0s
update after last audit
2026-06-12 22:54:10 +03:00
| File | Last commit | Date |
|---|---|---|
| .forgejo | update after last audit | 2026-06-12 22:54:10 +03:00 |
| docs | sync: v3.0 hardening and docs update | 2026-03-28 00:58:54 +02:00 |
| tests | update after last audit | 2026-06-12 22:54:10 +03:00 |
| .gitignore | Add documentation and security issue templates | 2026-04-03 03:05:05 +03:00 |
| CHANGELOG | CHANGELOG added, GPG added | 2026-03-13 15:52:05 +02:00 |
| CONTRIBUTING.md | Add CONTRIBUTING.md | 2026-04-03 03:40:44 +03:00 |
| generate-bom.py | sync: v3.0 hardening and docs update | 2026-03-28 00:58:54 +02:00 |
| gpg-faaleo-dev-team.asc | init | 2026-03-13 15:35:06 +02:00 |
| monitor-bacula-security.sh | update after last audit | 2026-06-12 22:54:10 +03:00 |
| README.md | sync: v3.0 hardening and docs update | 2026-03-28 00:58:54 +02:00 |

Bacula Security Monitor

Comprehensive security auditing and MAC analysis for Bacula infrastructure

monitor-bacula-security.sh performs a full security audit of your Bacula environment in a single run — services, Mandatory Access Control (AppArmor/SELinux), database connectivity, network ports, file permissions, storage health, and backup job status. It produces a color-coded console report, an optional email notification, and an exit code suitable for Bacula Admin job integration.

Silent on success. Loud on problems.

What It Checks

| Check | What It Does |
|---|---|
| Bacula Services | Director, SD, FD systemd status |
| MAC Framework | AppArmor profile enforcement or SELinux mode, contexts, booleans — auto-detected |
| MAC Denials | AppArmor DENIED / SELinux AVC analysis with threshold alerting |
| Database | MySQL/MariaDB or PostgreSQL service status, config permissions |
| Network Security | Bacula ports (9101-9103), firewall rule verification (ufw/firewalld/iptables) |
| File Permissions | Audit of config files, libraries, logs — flags world-readable files |
| Storage Daemon | Configured devices, spool directory disk usage with warning/critical thresholds |
| Backup Jobs | Queries bconsole for recent failed/errored jobs |

Key Features

  • Dual MAC support — full AppArmor and SELinux analysis with auto-detection
  • Silent-on-success — only reports problems, keeping output focused and emails short
  • Configurable thresholds — denial counts (10/100) and disk usage (80%/90%)
  • Critical-only email mode — send notifications only when action is needed
  • Multi-MTA support — mailx, mail, sendmail, msmtp with auto-detection
  • Zero external dependencies — standard Linux tools only (coreutils, systemd, iproute2)
  • Bacula integration — exit code maps to job status for Admin job RunScripts
  • Single file — no config files, no Python, no packages to install
  • Hardened email handling — sender address validated; headers sanitised against injection attacks

Requirements

| Component | Requirement |
|---|---|
| OS | Linux with systemd (tested on RHEL 8/9, Debian 11/12, Ubuntu 22/24) |
| Bash | 4.0+ |
| Privileges | Root required |
| Bacula | Community or Enterprise Edition |
| MAC | AppArmor or SELinux (auto-detected; warns if neither active) |

Quick Start

# 1. Deploy
sudo cp monitor-bacula-security.sh /usr/local/sbin/
sudo chmod 750 /usr/local/sbin/monitor-bacula-security.sh

# 2. Run
sudo monitor-bacula-security.sh

# 3. Run with email (critical issues only)
sudo monitor-bacula-security.sh --email --email-to=admin@example.com --email-on-critical

# 4. Automate via cron (daily at 6 AM)
# 0 6 * * * root /usr/local/sbin/monitor-bacula-security.sh \
#   --email --email-to=admin@example.com --email-on-critical

Exit Codes

| Code | Meaning |
|---|---|
| 0 | All checks passed |
| 1 | Critical issues detected |
| 2 | Script error (missing permissions, invalid arguments) |

Verifying a Release Package

All release packages are GPG-signed. Follow these steps to verify the authenticity and integrity of a downloaded package.

1. Import the Public GPG Key (One-Time)

curl -sL https://git.faaleoleo.io/faaleoleo-dev-team/bacula-monitor-oss/raw/branch/main/my-public-key.asc | gpg --import

2. Download the Package, Signature, and Checksum

Replace v1.0.0 with the version you want:

VERSION="v1.0.0"
BASE="https://git.faaleoleo.io/api/packages/faaleoleo-dev-team/generic/BaculaMonitorOSS/${VERSION}"

curl -O "${BASE}/BaculaMonitorOSS-${VERSION}.tar.gz"
curl -O "${BASE}/BaculaMonitorOSS-${VERSION}.tar.gz.asc"
curl -O "${BASE}/BaculaMonitorOSS-${VERSION}.tar.gz.sha256"

3. Verify the GPG Signature

gpg --verify "BaculaMonitorOSS-${VERSION}.tar.gz.asc" "BaculaMonitorOSS-${VERSION}.tar.gz"

Expected output: gpg: Good signature from "...". If you see BAD signature, do not use the package.

4. Verify the SHA256 Checksum

sha256sum -c "BaculaMonitorOSS-${VERSION}.tar.gz.sha256"

Expected output: BaculaMonitorOSS-v1.0.0.tar.gz: OK

5. Extract

tar -xzf "BaculaMonitorOSS-${VERSION}.tar.gz"
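
gpg reports "Good signature" for any key already in the keyring, so the sketch below runs steps 3 to 5 as one fail-closed check that also pins the signer's fingerprint. It is an added example, not the project's own code; EXPECTED_FPR is a placeholder because the page does not publish the fingerprint, and the function names and sample status lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not project code): fail-closed verification with a pinned key.
# EXPECTED_FPR is a placeholder: the page does not publish the fingerprint,
# so obtain it from the maintainers over a channel other than the download host.
EXPECTED_FPR=${EXPECTED_FPR:-REPLACE_WITH_PRIMARY_KEY_FINGERPRINT}

# Constructed sample of `gpg --status-fd 1 --verify` output (not real key data).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.com>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2026-03-13 1773400000 0 4 0 1 10 00 $SAMPLE_FPR"

# Reads status lines on stdin. Succeeds only if a VALIDSIG line names the
# pinned primary-key fingerprint and no failure status appears anywhere.
pinned_sig_ok() {
    local want valid tag kind rest primary
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    valid=1
    while read -r tag kind rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kind" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # The last VALIDSIG field is the primary key fingerprint.
                primary=$(printf '%s' "${rest##* }" | tr 'a-f' 'A-F')
                if [ "$primary" = "$want" ]; then valid=0; fi ;;
        esac
    done
    return "$valid"
}

# Signature first (authenticity), then checksum (download integrity), and
# extraction only if both pass. Run it in the directory holding the files.
verify_release() {
    local tarball status
    tarball=$1
    status=$(gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null) || return 1
    printf '%s\n' "$status" | pinned_sig_ok "$EXPECTED_FPR" || return 1
    sha256sum -c "$tarball.sha256" >/dev/null || return 1
    tar -xzf "$tarball"
}

# Verify and extract only when a tarball name is given on the command line.
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```

The checksum file comes from the same host as the package, so it only detects a damaged download; the pinned signature is what establishes who published it.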

Documentation

See the full Functionality, Configuration & Implementation Guide for detailed check descriptions, MAC framework analysis, threshold tuning, email configuration, Bacula Admin job integration, and troubleshooting.

License

BSD 2-Clause — Copyright © 2026 faaleoleo


"Bacula" is a registered trademark of Bacula Systems SA. This software is not affiliated with or endorsed by Bacula Systems SA.