Merge branch 'ui-new' of https://github.com/abhishekmj303/HardeningHub …

…into ui-new

.gitignore

@@ -3,4 +3,5 @@ __pycache__
 .DS_Store
 venv
 .venv
-temp.qss
+/*.sh
+temp.qss

config/tooltip.toml

@@ -0,0 +1,97 @@
+[physical-ports]
+enable = "defines a point of entry for communication "
+device-rules = "dynamically creates and removes nodes for hardware devices."
+
+port-rules ="lets administrators manage network services on Ubuntu systems by opening and closing ports."
+
+[file-systems]
+# Basic
+block = {udf = "storing information on the DVD (Digital Versatile Disc or Digital Video Disc) optical media", cramfs = "designed to be simple and small, and to compress things well", squashfs = "Squashfs is a compressed read-only filesystem for Linux"}
+# Intermediate
+configure_fs = {tmp = "used for programs that require temporary files ", dev_shm = "allows Linux programs to efficiently pass data between each other"} # /tmp and /dev/shm
+tmp_size = "how much space is available in tmp in your system  "
+disable_automount = "prevents Windows from automatically mounting or assigning drive letters to any new basic volumes that are visible to the system"
+# Advanced
+enable_aide = "To verify the integrity of the files"
+
+[processes] # Process Hardening
+enable_aslr = "technique that is used to increase the difficulty of performing a buffer overflow attack that requires the attacker to know the location of an executable in memory."
+remove_prelink = "time needed for the dynamic linker to perform relocations at startup significantly decreases."
+disable_error_reporting = "counts, analyzes, and aggregates the crashes in your running cloud services."
+restrict_core_dumps = "he system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+
+[apparmor] # Mandatory Access Control
+enable = "a Linux Security Module implementation of name-based mandatory access controls"   
+mode = "enforces the SELinux policy and denies access based on SELinux policy rules" 
+
+[gdm] # GNOME Display Manager
+remove = "Uninstalls the desktop environment "
+disable_user_list = "controls if a list of users is displayed on the login screen."
+lock_on_idle = "screen inactivity idle time interval"
+no_override_lockscreen = "override the static lock screen image with a snapshot of your current live wallpaper."
+disable_automount = "prevents Windows from automatically mounting or assigning drive letters to any new basic volumes that are visible to the system"
+lock_automount = "Installs autofs mount points and associates the information in the automaster"
+disable_autorun = "Windows will no longer open these devices automatically."
+no_override_autorun = "The NoDriveAutoRun value disables AutoRun for specified drive letters"
+
+[time-sync] # Time synchronization
+enable_ntp = "your device contacts an NTP server to synchronize the time."
+ntp_servers = "allows the synchronization of system clocks (from desktops to servers)."
+enable_ntp_user = "to automatically get the correct time from NTP servers on the Internet to set the system clock."
+
+[services] # Services
+remove_avahi = "used for name resolution and service discovery within the local network."
+remove_cups = "allows a computer to act as a print server."
+remove_dhcp = "deletes the specified Dynamic Host Configuration Protocol (DHCP) server service from the list of authorized DHCP server services"
+remove_ldap = "helps users find data about organizations, persons, and more."
+remove_nfs = "a mechanism for storing files on a network."
+remove_ftp = "transfer of files from one host to another over a TCP-based network, such as the Internet"
+remove_http = "used to load webpages using hypertext links"
+remove_imap_pop3 = "email protocols used to access and manage emails on remote servers"
+remove_samba = "enables Linux / Unix machines to communicate with Windows machines in a network."
+remove_http_proxy = "help businesses detect and block suspicious traffic, protecting web servers from external cyberattacks."
+remove_snmp = "monitor and manage network devices connected over an IP."
+remove_nis = "allows you to maintain consistent configuration files throughout your network."
+remove_rsync = "transferring and synchronizing files between local and remote devices."
+
+[service_clients] # Service Clients
+remove_nis = "allows you to maintain consistent configuration files throughout your network."
+remove_rsh = "enables you to execute a command on a remote host and receive the results on your local host."
+remove_talk = "allows two users on the same host or on different hosts to have an interactive conversation."
+remove_telnet = "create a remote connection with a system over a TCP/IP network."
+remove_ldap = "helps users find data about organizations, persons, and more"
+remove_rpc = "to call other processes on the remote systems like a local system."
+
+
+[network] # Network
+disable_wireless = "support and facilitate the configuration of device drivers of wireless network interface controllers and some related aspects of networking"
+disable_packet_redirects = "to send routing information to other hosts"
+disable_ip_forwarding = "having more efficient routing of network packets."
+reject_source_routed_packets = "allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take"
+reject_icmp_redirects = "for having more efficient routing of network packets."
+reject_secure_icmp_redirects = "the same as ICMP redirects, except they come from gateways listed on the default gateway list."
+log_suspicious_packets = "monitoring and detecting security issues."
+ingore_broadcasts = "a network address used to transmit to all devices connected to a multiple-access communications network"
+ignore_bogus_icmp_errors = "prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes"
+enable_rp_filter = "protects against spoofed source addresses by causing the system to discard packets"
+enable_syn_cookies = " a technique used to resist SYN flood attacks"
+reject_ipv6_router_adv =  "allows devices to use a much larger number of unique IP addresses"
+disable_protocols = {dccp = "true", sctp = "true", rds = "true", tipc = "true"}
+
+
+[firewall] # Firewall
+enable = "a way to protect machines from any unwanted traffic from outside."
+configure_loopback_traffic = "a virtual network interface that doesn't represent any physical or hardware device."
+enable_default_deny = " Deny all traffic by default "
+
+[ssh]
+enable = "a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network."
+port = "port number 22"
+permit-empty-passwords = "anybody may log in as that user without providing a password."
+password-authentication = "user to enter their credentials — username and password — in order to confirm their identity."
+permit-root-login = "user account for administrative purposes, and typically has the highest access rights on the system."
+client-alive-interval = "a time out interval specified in seconds "
+client-alive-count-max = "sets the number of client alive messages which may be sent without sshd receiving any messages back from the client."
+allow-users = "allow SSH access for a user "
+allow-groups = "allow SSH access for an entire group,"
+x11-forwarding = "a mechanism that allows a user to start up remote applications, and then forward the application display to their local Windows machine"

harden/__init__.py

@@ -1 +1 @@
-__all__ = ['config_file', 'file_systems','physical_ports']
+# __all__ = ['config_file', 'file_systems','physical_ports']

harden/file_systems/__init__.py

@@ -0,0 +1,11 @@
+from harden.file_systems import aide, cramfs, dev_shm, squashfs, tmp, udf
+
+def get_script(config):
+    script = ""
+    script += aide.get_script(config)
+    script += cramfs.get_script(config)
+    script += dev_shm.get_script(config)
+    script += squashfs.get_script(config)
+    script += tmp.get_script(config)
+    script += udf.get_script(config)
+    return script

harden/process_hardening.py

@@ -0,0 +1,49 @@
+from harden import config_file
+
+def get_script(config):
+    file_systems_config = config["processes"]
+
+    # Start with an empty script and build it up
+    script = ""
+
+    if file_systems_config.get('remove_prelink', False):
+        script += """
+prelink -ua
+apt purge prelink
+"""
+
+    if file_systems_config.get('enable_aslr', False):
+        script += """
+echo "kernel.randomize_va_space = 2" >> /etc/sysctl.d/60-kernel_sysctl.conf
+sysctl -w kernel.randomize_va_space=2
+"""
+
+    if file_systems_config.get('disable_error_reporting', False):
+        script += """
+# Disable error reporting
+echo "enabled=0" > /etc/default/apport
+systemctl stop apport.service
+systemctl --now disable apport.service
+# Alternatively, to remove the apport package
+# apt purge apport
+"""
+
+    if file_systems_config.get('restrict_core_dumps', False):
+        script += """
+# Restrict core dumps
+echo "* hard core 0" >> /etc/security/limits.conf
+echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
+sysctl -w fs.suid_dumpable=0
+# If systemd-coredump is installed, configure coredump settings
+if [ -f /etc/systemd/coredump.conf ]; then
+    echo "Storage=none" >> /etc/systemd/coredump.conf
+    echo "ProcessSizeMax=0" >> /etc/systemd/coredump.conf
+    systemctl daemon-reload
+fi
+"""
+
+    return script
+
+if __name__ == "__main__":
+    config = config_file.read()
+    print(get_script(config))

harden/script.py

@@ -0,0 +1,22 @@
+from harden import config_file, physical_ports, file_systems\
+    , process_hardening, apparmor, gdm, time_sync
+
+def generate():
+    config = config_file.read()
+    script = "#/bin/bash\n\n"
+    script += physical_ports.get_script(config)
+    script += file_systems.get_script(config)
+    script += process_hardening.get_script(config)
+    script += apparmor.get_script(config)
+    script += gdm.get_script(config)
+    script += time_sync.get_script(config)
+    return script
+
+def save(file_path: str):
+    with open(file_path, "w") as f:
+        f.write(generate())
+
+if __name__ == "__main__":
+    config_file.init()
+    save("script.sh")
+

harden/tooltip_file.py

@@ -0,0 +1,8 @@
+import tomlkit
+import os
+
+FILE_PATH = os.path.join(os.path.dirname(__file__), "../config/tooltip.toml")
+
+def read():
+    with open(FILE_PATH, "r") as f:
+        return tomlkit.load(f)

main.py

@@ -4,13 +4,14 @@
 from ui.sidebar import Sidebar
 from ui.page import Pages
 from ui.toolbar import ToolBar
-from harden import config_file
+from harden import config_file, tooltip_file
 import sys
 
 class MainWindow(QMainWindow):
     def __init__(self):
         super().__init__()
         self.config = config_file.init()
+        self.tooltip = tooltip_file.read()
         self.init_ui()
 
     def init_ui(self):
@@ -20,7 +21,7 @@ def init_ui(self):
         self.toolbar = ToolBar(self.config)
         self.addToolBar(self.toolbar)
 
-        self.pages = Pages(self.config)
+        self.pages = Pages(self.config, self.tooltip)
         self.pages.setObjectName("page")
         self.toolbar.import_signal.connect(self.pages.refresh_config)
         self.toolbar.theme_changed_signal.connect(self.change_theme)

ui/components/hardware/file_systems.py

@@ -5,10 +5,12 @@
 from harden import config_file
 
 class FileSystems(QWidget):
-    def __init__(self, config):
+    def __init__(self, config, tooltip):
         super().__init__()
         self.config = config
+        self.tooltip = tooltip
         self.toml_file_systems = self.config['file-systems']
+        self.file_systems_tooltip = self.tooltip['file-systems']
         self.init_ui()
         self.refresh_config(config)
 
@@ -41,6 +43,7 @@ def init_ui(self):
         self.block_checkboxes = {}
         for name, state in self.toml_file_systems['block'].items():
             checkbox = QCheckBox(f'Block {name}')
+            checkbox.setToolTip(self.file_systems_tooltip['block'][name])
             checkbox.stateChanged.connect(lambda state, name=name: self.save_checkbox_state(state, 'block', name))
             self.container_layout.addWidget(checkbox)
             self.block_checkboxes[name] = checkbox
@@ -54,6 +57,7 @@ def init_ui(self):
         self.configure_fs_checkboxes = {}
         for name, state in self.toml_file_systems['configure_fs'].items():
             checkbox = QCheckBox(f"Configure /{name.replace('_', '/')}")
+            checkbox.setToolTip(self.file_systems_tooltip['configure_fs'][name])
             checkbox.stateChanged.connect(lambda state, name=name: self.save_checkbox_state(state, 'configure_fs', name))
             self.container_layout.addWidget(checkbox)
             self.configure_fs_checkboxes[name] = checkbox
@@ -64,6 +68,7 @@ def init_ui(self):
         hlayout.setContentsMargins(0, 0, 0, 0)
         hlayout.setAlignment(Qt.AlignmentFlag.AlignLeft)
         self.configure_label = QLabel('Configure /tmp size (in GB):')
+        self.configure_label.setToolTip(self.file_systems_tooltip['tmp_size'])
         self.size_input = QLineEdit()
         # self.size_input.setFixedWidth(100)
         validator = QIntValidator()
@@ -77,6 +82,7 @@ def init_ui(self):
 
         # disable_automount
         self.disable_auto_mount = QCheckBox('Disable Auto-Mount')
+        self.disable_auto_mount.setToolTip(self.file_systems_tooltip['disable_automount'])
         self.disable_auto_mount.stateChanged.connect(lambda state: self.save_checkbox_state(state, 'disable_automount', None))
         self.container_layout.addWidget(self.disable_auto_mount)
 
@@ -87,6 +93,7 @@ def init_ui(self):
 
 
         self.enable_aide = QCheckBox('Enable AIDE (Advanced Intrusion Detection Environment)')
+        self.enable_aide.setToolTip(self.file_systems_tooltip['enable_aide'])
         self.enable_aide.stateChanged.connect(lambda state: self.save_checkbox_state(state, 'enable_aide', None))
         self.container_layout.addWidget(self.enable_aide)
 

ui/components/hardware/physical_ports.py

@@ -4,10 +4,12 @@
 from PyQt6.QtCore import Qt
 
 class PhysicalPorts(QWidget):
-    def __init__(self, config):
+    def __init__(self, config, tooltip):
         super().__init__()
         self.config = config
+        self.tooltip = tooltip
         self.toml_physical_ports = self.config['physical-ports']
+        self.physical_ports_tooltip = self.tooltip['physical-ports']
         self.init_ui()
         self.refresh_config(config)
 
@@ -44,6 +46,7 @@ def init_ui(self):
 
         # enable checkbox
         self.main_checkbox = QCheckBox("Enable USB Blocking")
+        self.main_checkbox.setToolTip(self.physical_ports_tooltip['enable'])
         self.container_layout.addWidget(self.main_checkbox)
         self.main_checkbox.stateChanged.connect(self.enable_checkbox_clicked)
 
@@ -55,6 +58,7 @@ def init_ui(self):
 
     def block_devices_table(self):
         self.block_devices_label = QLabel("Block Devices")
+        self.block_devices_label.setToolTip(self.physical_ports_tooltip['device-rules'])
         self.container_layout.addWidget(self.block_devices_label)
         self.block_devices_label.setObjectName("sub-component-title")
 
@@ -81,6 +85,7 @@ def add_device_rows(self):
 
     def block_ports_table(self):
         self.block_ports_label = QLabel("Block Ports")
+        self.block_ports_label.setToolTip(self.physical_ports_tooltip['port-rules'])
         self.container_layout.addWidget(self.block_ports_label)
         self.block_ports_label.setObjectName("sub-component-title")
 

ui/components/network/firewall.py

@@ -2,10 +2,12 @@
 from harden import config_file
 
 class Firewall(QWidget):
-    def __init__(self, config):
+    def __init__(self, config, tooltip):
         super().__init__()
         self.config = config
+        self.tooltip = tooltip
         self.toml_firewall = self.config['firewall']
+        self.firewall_tooltip = self.tooltip['firewall']
         self.init_ui()
         self.refresh_config(config)
 
@@ -31,6 +33,7 @@ def init_ui(self):
         self.checkboxes = {}
         for name, state in self.toml_firewall.items():
             checkbox = QCheckBox(name.replace('_', ' ').title())
+            checkbox.setToolTip(self.firewall_tooltip[name])
             checkbox.stateChanged.connect(lambda state, name=name: self.save_checkbox_state(state, name))
             self.container_layout.addWidget(checkbox)
             self.checkboxes[name] = checkbox