Merge pull request #11 from abhishekmj303/new-branch

Update In File System Hardening

.github/workflows/workflow.yaml

@@ -19,11 +19,7 @@ jobs:
     - name: Run test scripts
       run: |
         export PYTHONPATH="${PYTHONPATH}:/home/runner/work/HardeningHub/HardeningHub" 
-        chmod +x tests/test_physical_ports_output.sh
-        ./tests/test_physical_ports_output.sh
-        chmod +x tests/test_cramfs_output.sh
-        ./tests/test_cramfs_output.sh
-        chmod +x tests/test_squashfs_output.sh
-        ./tests/test_squashfs_output.sh
-        chmod +x tests/test_udf_output.sh
-        ./tests/test_udf_output.sh
+        for script in tests/*.sh; do
+          chmod +x "$script"
+          ./"$script"
+        done

harden/file_systems/aide.py

@@ -0,0 +1,20 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+    file_systems_config = config["file-systems"]
+    # Start with an empty script and build it up
+    script = ""
+
+    if file_systems_config['enable_aide']:
+        # Each file system gets its own set of commands
+        script += f"""
+apt install aide aide-common
+aideinit
+mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+"""
+    return script
+
+if __name__ == "__main__":
+    config = config_file.read()
+    print(get_script(config))

harden/file_systems/cramfs.py

@@ -7,7 +7,7 @@ def get_script(config):
     # Start with an empty script and build it up
     script = ""
 
-    if 'cramfs' in file_systems_config['block']:
+    if file_systems_config['block']['cramfs']:
         # Each file system gets its own set of commands
         script += f"""
 l_mname="cramfs" # set module name
@@ -17,7 +17,7 @@ def get_script(config):
 echo -e " - setting module: \"$l_mname\" to be not loadable"
 echo -e "install $l_mname /bin/false" >>
 /etc/modprobe.d/"$l_mname".conf
-fi
+fic
 if lsmod | grep "$l_mname" > /dev/null 2>&1; then
 echo -e " - unloading module \"$l_mname\""
 modprobe -r "$l_mname"

harden/file_systems/dev_shm.py

@@ -0,0 +1,18 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+    file_systems_config = config["file-systems"]
+    # Start with an empty script and build it up
+    script = ""
+
+    if file_systems_config['config_fs']['dev_shm']:
+        # Each file system gets its own set of commands
+        script += f"""
+
+"""
+    return script
+
+if __name__ == "__main__":
+    config = config_file.read()
+    print(get_script(config))

harden/file_systems/tmp.py

@@ -0,0 +1,18 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+    file_systems_config = config["file-systems"]
+    # Start with an empty script and build it up
+    script = ""
+
+    if file_systems_config['config_fs']['tmp']:
+        # Each file system gets its own set of commands
+        script += f"""
+
+"""
+    return script
+
+if __name__ == "__main__":
+    config = config_file.read()
+    print(get_script(config))

harden/process_hardening/remove_prelink.py

@@ -0,0 +1,20 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+    file_systems_config = config["processes"]
+
+    # Start with an empty script and build it up
+    script = ""
+
+    if file_systems_config['remove_prelink']:
+        # Each file system gets its own set of commands
+        script += f"""
+prelink -ua
+apt purge prelink
+"""
+    return script
+
+if __name__ == "__main__":
+    config = config_file.read()
+    print(get_script(config))

tests/test_aide.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PYTHON_SCRIPT="$SCRIPT_DIR/../harden/file_systems/aide.py"
+echo "Python script path: $PYTHON_SCRIPT"
+
+# Check if the Python script exists
+if [ ! -f "$PYTHON_SCRIPT" ]; then
+    echo "Error: Python script not found."
+    exit 1
+fi
+
+# Run the Python script and capture its output
+echo "Running the Python script..."
+script_output=$(python3 "$PYTHON_SCRIPT")
+
+# Check the exit status of the Python script
+if [ $? -ne 0 ]; then
+    echo "Python script execution failed."
+    exit 1
+fi
+
+# Optionally, print the output for verification
+echo "Python script output:"
+echo "$script_output"
+
+# Execute the output as a Bash script
+# WARNING: Executing scripts directly can be risky, especially with sudo commands.
+# Ensure you thoroughly understand and trust the script before executing.
+echo "Executing the generated Bash script..."
+bash -c "$script_output"
+
+echo "Script executed successfully."

tests/test_remove_prelink.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PYTHON_SCRIPT="$SCRIPT_DIR/../harden/process_hardening/remove_prelink.py"
+echo "Python script path: $PYTHON_SCRIPT"
+
+# Check if the Python script exists
+if [ ! -f "$PYTHON_SCRIPT" ]; then
+    echo "Error: Python script not found."
+    exit 1
+fi
+
+# Run the Python script and capture its output
+echo "Running the Python script..."
+script_output=$(python3 "$PYTHON_SCRIPT")
+
+# Check the exit status of the Python script
+if [ $? -ne 0 ]; then
+    echo "Python script execution failed."
+    exit 1
+fi
+
+# Optionally, print the output for verification
+echo "Python script output:"
+echo "$script_output"
+
+# Execute the output as a Bash script
+# WARNING: Executing scripts directly can be risky, especially with sudo commands.
+# Ensure you thoroughly understand and trust the script before executing.
+echo "Executing the generated Bash script..."
+bash -c "$script_output"
+
+# Execute dpkg-query command and check the output
+echo "Executing dpkg-query..."
+dpkg_output=$(dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n')
+
+# Check if dpkg-query output contains the specific line
+if echo "$dpkg_output" | grep -q "prelink unknown ok not-installed not-installed"; then
+    echo "pre-link is not installed."
+else
+    echo "pre-link may be installed."
+fi
+
+echo "Script executed successfully."