This is the shortest version of the idea. I want a managed endpoint to prove three things before I trust it for privileged automation: the local policy is installed, IdM maps the automation identity into the confined SELinux user, and AAP can see enough policy state to fail closed before it runs.

Managed Host Setup

Install the local SELinux policy on each managed RHEL host that should accept the confined automation identity.

sudo ./scripts/install-local.sh

IdM Objects

Generate the IdM commands for the demo group, HBAC rule, sudo rule, and SELinux user map. Review the output, then apply it from a host with an admin ticket.

./scripts/configure-idm-map.sh --print
./scripts/configure-idm-map.sh --apply

AAP Inventory And Gate

Sync inventory from the eigenstate.ipa inventory source, then run the preflight playbook before any job that changes host state. The preflight is what lets AAP fail closed when the policy state it expects on the endpoint is missing.

inventory/blastwall-idm.yml
playbooks/preflight.yml

Verification

Run the managed-host verification playbook. The expected outcome on the automation endpoint is a confined SELinux context and an EPERM error from the AF_ALG/authencesn probe.

playbooks/verify-managed-host.yml
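A fail-closed gate of the kind the preflight and verification steps above describe, written here as an added Python example rather than the project's own preflight.yml or scripts. The confined SELinux user name automation_u and the policy module name blastwall_local are assumptions, not values taken from this page.

```python
import errno
import socket
import subprocess
# Assumptions (not from the page): the confined SELinux user and local policy module names.
EXPECTED_SEUSER = "automation_u"
POLICY_MODULE = "blastwall_local"

def probe_authencesn():
    """Bind an AF_ALG aead socket to authencesn; return the errno name ("EPERM" on a
    confined endpoint, "OK" if the bind succeeded, meaning the policy is not applied)."""
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
    except (AttributeError, OSError):
        return "UNAVAILABLE"  # kernel or platform without AF_ALG
    try:
        sock.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
        return "OK"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()

def preflight(enforce_mode, id_z, semodule_list, probe_result):
    """Fail-closed gate; returns (passed, reasons). Inputs: text of `getenforce`, `id -Z`
    run as the automation identity, `semodule -l`, and probe_authencesn()'s result."""
    reasons = []
    if (enforce_mode or "").strip() != "Enforcing":
        reasons.append("SELinux is not in enforcing mode")
    fields = (id_z or "").strip().split(":")  # user:role:type[:range]
    if len(fields) < 3:
        reasons.append("SELinux context unreadable")  # missing data never passes
    elif fields[0] != EXPECTED_SEUSER:
        reasons.append("context user is %s, expected %s" % (fields[0], EXPECTED_SEUSER))
    # `semodule -l` prints one module per line (older releases add a version column)
    modules = {ln.split()[0] for ln in (semodule_list or "").splitlines() if ln.strip()}
    if POLICY_MODULE not in modules:
        reasons.append("policy module %s not installed" % POLICY_MODULE)
    if probe_result != "EPERM":
        reasons.append("authencesn probe returned %s, expected EPERM" % probe_result)
    return (not reasons, reasons)

if __name__ == "__main__":
    def out(cmd):  # a missing tool yields "" and therefore fails the gate
        try:
            return subprocess.run(cmd, capture_output=True, text=True).stdout
        except OSError:
            return ""
    ok, why = preflight(out(["getenforce"]), out(["id", "-Z"]),
                        out(["semodule", "-l"]), probe_authencesn())
    raise SystemExit(None if ok else "FAIL: " + "; ".join(why))  # exit 1 with reasons
```

Run it as the automation identity on the managed host; a zero exit status is the only result a mutation job should accept.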