update

abhishekmj303 · Jan 13, 2024 · 5cc5c47 · 5cc5c47
2 parents 3c29e27 + de9a72d
commit 5cc5c47
Show file tree

Hide file tree

Showing 16 changed files with 439 additions and 101 deletions.
diff --git a/config/server/level-1.toml b/config/server/level-1.toml
@@ -103,7 +103,7 @@ disable_root_login = true
 disable_host_based_auth = true
 disable_permit_empty_passwords = true
 disable_permit_user_env = true
-enable_ingore_rhosts = true
+enable_ignore_rhosts = true
 disable_x11_forwarding = false
 enable_strong_ciphers = true
 enable_strong_mac_algorithms = true
@@ -117,15 +117,25 @@ enable_max_sessions = true
 max_sessions = 10
 enable_login_grace_time = true
 login_grace_time = 60 # in seconds
-enable_client_alive = true
+enable_client_alive_interval = true
 client_alive_interval = 300 # in seconds
+enable_client_alive_count_max = true
 client_alive_count_max = 3
 
 [privilege_escalation] # Privilege Escalation
 use_pty = true
 enable_logfile = true
-disable_nopasswd = false
+disable_nopassword = false
 enable_reauthentication = true
 enable_authentication_timeout = true
 authentication_timeout = 15 # in minutes
-restrict_su = true
+restrict_su = true
+
+[pam] # PAM
+enable_password_level = true
+required_password_level = "strong" # weak, medium, strong, stronger
+enable_password_length = true
+minimum_password_length = 14
+limit_password_reuse = true
+password_reuse_limit = 5
+configure_hashing_algorithm = true
diff --git a/config/server/level-2.toml b/config/server/level-2.toml
@@ -102,7 +102,7 @@ disable_root_login = true
 disable_host_based_auth = true
 disable_permit_empty_passwords = true
 disable_permit_user_env = true
-enable_ingore_rhosts = true
+enable_ignore_rhosts = true
 disable_x11_forwarding = true
 enable_strong_ciphers = true
 enable_strong_mac_algorithms = true
@@ -116,15 +116,25 @@ enable_max_sessions = true
 max_sessions = 10
 enable_login_grace_time = true
 login_grace_time = 60 # in seconds
-enable_client_alive = true
+enable_client_alive_interval = true
 client_alive_interval = 300 # in seconds
+enable_client_alive_count_max = true
 client_alive_count_max = 3
 
 [privilege_escalation] # Privilege Escalation
 use_pty = true
 enable_logfile = true
-disable_nopasswd = false
+disable_nopassword = false
 enable_reauthentication = true
 enable_authentication_timeout = true
 authentication_timeout = 15 # in minutes
-restrict_su = true
+restrict_su = true
+
+[pam] # PAM
+enable_password_level = true
+required_password_level = "strong" # weak, medium, strong, stronger
+enable_password_length = true
+minimum_password_length = 14
+limit_password_reuse = true
+password_reuse_limit = 5
+configure_hashing_algorithm = true
diff --git a/config/workstation/level-1.toml b/config/workstation/level-1.toml
@@ -103,7 +103,7 @@ disable_root_login = true
 disable_host_based_auth = true
 disable_permit_empty_passwords = true
 disable_permit_user_env = true
-enable_ingore_rhosts = true
+enable_ignore_rhosts = true
 disable_x11_forwarding = true
 enable_strong_ciphers = true
 enable_strong_mac_algorithms = true
@@ -120,8 +120,17 @@ client_alive_count_max = {enable = true, value = 3}
 [privilege_escalation] # Privilege Escalation
 use_pty = true
 enable_logfile = true
-disable_nopasswd = false
+disable_nopassword = false
 enable_reauthentication = true
 enable_authentication_timeout = true
 authentication_timeout = 15 # in minutes
-restrict_su = true
+restrict_su = true
+
+[pam] # PAM
+enable_password_level = true
+required_password_level = "strong" # weak, medium, strong, stronger
+enable_password_length = true
+minimum_password_length = 14
+limit_password_reuse = true
+password_reuse_limit = 5
+configure_hashing_algorithm = true
diff --git a/config/workstation/level-2.toml b/config/workstation/level-2.toml
@@ -102,7 +102,7 @@ disable_root_login = true
 disable_host_based_auth = true
 disable_permit_empty_passwords = true
 disable_permit_user_env = true
-enable_ingore_rhosts = true
+enable_ignore_rhosts = true
 disable_x11_forwarding = true
 enable_strong_ciphers = true
 enable_strong_mac_algorithms = true
@@ -116,15 +116,25 @@ enable_max_sessions = true
 max_sessions = 10
 enable_login_grace_time = true
 login_grace_time = 60 # in seconds
-enable_client_alive = true
+enable_client_alive_interval = true
 client_alive_interval = 300 # in seconds
+enable_client_alive_count_max = true
 client_alive_count_max = 3
 
 [privilege_escalation] # Privilege Escalation
 use_pty = true
 enable_logfile = true
-disable_nopasswd = false
+disable_nopassword = false
 enable_reauthentication = true
 enable_authentication_timeout = true
 authentication_timeout = 15 # in minutes
-restrict_su = true
+restrict_su = true
+
+[pam] # PAM
+enable_password_level = true
+required_password_level = "strong" # weak, medium, strong, stronger
+enable_password_length = true
+minimum_password_length = 14
+limit_password_reuse = true
+password_reuse_limit = 5
+configure_hashing_algorithm = true
diff --git a/harden/config_file.py b/harden/config_file.py
@@ -4,19 +4,25 @@
 from typing import Mapping
 from harden import physical_ports
 
-FILE_PATH = ""
-TEMP_FILE_PATH = ""
+# Config directory of user
+CONFIG_DIR = os.path.expanduser("~/.config/HardeningHub")
+PROFILE_DIR = os.path.join(CONFIG_DIR, "profiles")
+DEFAULT_CONFIG_PATH = os.path.expanduser("~/.config/HardeningHub/default_config.toml")
+TEMP_FILE_PATH = DEFAULT_CONFIG_PATH + ".tmp"
 
+SAMPLE_FILE_PATH = os.path.join(os.path.dirname(__file__), "../config/sampleconfig.toml")
 
-def create_copy():
-    shutil.copyfile(FILE_PATH, TEMP_FILE_PATH)
+def create_copy(file_path: str = DEFAULT_CONFIG_PATH, temp_file_path: str = None):
+    global TEMP_FILE_PATH
+    if temp_file_path is None:
+        temp_file_path = file_path + ".tmp"
+    TEMP_FILE_PATH = temp_file_path
+    shutil.copyfile(file_path, TEMP_FILE_PATH)
 
 
 def read(file_path: str = None):
     if file_path is None:
         file_path = TEMP_FILE_PATH
-    if not os.path.exists(file_path):  # Check if the copy does not exist
-        create_copy()  # Create the copy if it doesn't exist
     with open(file_path, "r") as f:
         return tomlkit.load(f)
 
@@ -28,13 +34,66 @@ def write(config: Mapping):
 
 def save(file_path: str = None):
     if file_path is None:
-        file_path = FILE_PATH
+        file_path = TEMP_FILE_PATH.replace(".tmp", "")
     shutil.copyfile(TEMP_FILE_PATH, file_path)
 
 
+def get_profiles():
+    if not os.path.exists(PROFILE_DIR):
+        init_config_dir()
+        return []
+
+    all_files = os.listdir(PROFILE_DIR)
+    profiles = []
+    for file in all_files:
+        if file.endswith("_config.toml"):
+            profiles.append(file.replace("_config.toml", ""))
+
+    return profiles
+
+
+def get_profile_path(profile_name: str):
+    return os.path.join(PROFILE_DIR, profile_name + "_config.toml")
+
+
+def init_config_dir():
+    # Create the config directory if it doesn't exist
+    if not os.path.exists(CONFIG_DIR):
+        os.makedirs(CONFIG_DIR)
+        os.makedirs(PROFILE_DIR)
+    # Create the default config file if it doesn't exist
+    if not os.path.exists(DEFAULT_CONFIG_PATH):
+        shutil.copyfile(SAMPLE_FILE_PATH, DEFAULT_CONFIG_PATH)
+
+
+def init(file_path: str = DEFAULT_CONFIG_PATH):
+    create_copy(file_path)
+    return physical_ports.get_devices(read(file_path))
+
+
+def init_profile(profile_name: str):
+    file_path = get_profile_path(profile_name)
+    shutil.copyfile(DEFAULT_CONFIG_PATH, file_path)
+    create_copy(file_path)
+    return physical_ports.get_devices(read(file_path))
+
+
+def import_level(level: str = "w1"):
+    if level == "w1":
+        file_path = os.path.join(os.path.dirname(__file__), "../config/workstation/level-1.toml")
+    elif level == "w2":
+        file_path = os.path.join(os.path.dirname(__file__), "../config/workstation/level-2.toml")
+    elif level == "s1":
+        file_path = os.path.join(os.path.dirname(__file__), "../config/server/level-1.toml")
+    elif level == "s2":
+        file_path = os.path.join(os.path.dirname(__file__), "../config/server/level-2.toml")
+
+    create_copy(file_path, TEMP_FILE_PATH)
+    return physical_ports.get_devices(read(file_path))
+
+
 def update_toml_obj(toml_obj: tomlkit.items.Item, config: dict):
     # Recursively update the toml object with the config dict
-    print(config)
     for key, value in config.items():
         if isinstance(value, dict):
             update_toml_obj(value, toml_obj[key])
@@ -48,27 +107,3 @@ def update_toml_obj(toml_obj: tomlkit.items.Item, config: dict):
                     toml_obj[key][i] = value[i]
         else:
             toml_obj[key] = value
-
-
-def init(file_path: str = None):
-    global FILE_PATH, TEMP_FILE_PATH
-
-    if file_path is None:
-        file_path = os.path.join(os.path.dirname(__file__), "../config/sampleconfig.toml")
-
-    FILE_PATH = file_path
-    TEMP_FILE_PATH = FILE_PATH + ".tmp"
-    create_copy()
-    return physical_ports.get_devices(read())
-
-def import_level(level: str = "w1"):
-    if level == "w1":
-        file_path = os.path.join(os.path.dirname(__file__), "../config/workstation/level-1.toml")
-    elif level == "w2":
-        file_path = os.path.join(os.path.dirname(__file__), "../config/workstation/level-2.toml")
-    elif level == "s1":
-        file_path = os.path.join(os.path.dirname(__file__), "../config/server/level-1.toml")
-    elif level == "s2":
-        file_path = os.path.join(os.path.dirname(__file__), "../config/server/level-2.toml")
-
-    return init(file_path)
diff --git a/harden/physical_ports.py b/harden/physical_ports.py
@@ -39,7 +39,10 @@ def get_devices(all_config):
         else:
             ports[port_id] = {"id": port_id, "name": device_name, "allow": True}
 
-    config.update({"device-rules": list(devices.values()), "port-rules": list(ports.values())})
+    new_config = all_config.unwrap()
+    new_config["physical-ports"]["device-rules"] = list(devices.values())
+    new_config["physical-ports"]["port-rules"] = list(ports.values())
+    config_file.update_toml_obj(all_config, new_config)
     return all_config
 
 

diff --git a/harden/script.py b/harden/script.py
@@ -1,4 +1,5 @@
 import subprocess
+import shlex
 from harden import config_file, physical_ports, file_systems\
     , process_hardening, apparmor, gdm, time_sync, firewall\
     , network, ssh, privilege_escalation
@@ -33,7 +34,9 @@ def save(file_path: str, backup: bool = False):
 
 def run(backup: bool = False):
     save("hardening_script.sh", backup)
-    subprocess.Popen(["x-terminal-emulator", "-e", "'bash hardening_script.sh'"])
+    subprocess.Popen(
+        shlex.split("""x-terminal-emulator -e "bash -c 'sudo bash hardening_script.sh; read -p \"Press enter to continue\"'" """)
+    )
 
 if __name__ == "__main__":
     config_file.init()

diff --git a/main.py b/main.py
@@ -11,6 +11,7 @@ class MainWindow(QMainWindow):
     theme_signal = pyqtSignal(bool)
     def __init__(self):
         super().__init__()
+        config_file.init_config_dir()
         self.config = config_file.init()
         self.tooltip = tooltip_file.read()
         self.init_ui()