From a99f6a0e5453cc118b35b49f4bbf17b7d7f02942 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 16:46:37 +0530
Subject: [PATCH 01/16] cramfs, squashfs, udf, updated according to updated sampleconfig.toml

---
 harden/file_systems/cramfs.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/harden/file_systems/cramfs.py b/harden/file_systems/cramfs.py
index f32574c..a6d1c54 100644
--- a/harden/file_systems/cramfs.py
+++ b/harden/file_systems/cramfs.py
@@ -3,11 +3,12 @@ def get_script(config):
 file_systems_config = config["file-systems"]
+ print(file_systems_config)
 # Start with an empty script and build it up
 script = ""
- if 'cramfs' in file_systems_config['block']:
+ if file_systems_config['block']['cramfs']:
 # Each file system gets its own set of commands
 script += f"""
 l_mname="cramfs" # set module name

From 39aa74ee604caaa6a620d4c622488aa9ad38017f Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 18:45:12 +0530
Subject: [PATCH 02/16] Intrusion Detection Added

---
 harden/file_systems/aide.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 harden/file_systems/aide.py

diff --git a/harden/file_systems/aide.py b/harden/file_systems/aide.py
new file mode 100644
index 0000000..98e8867
--- /dev/null
+++ b/harden/file_systems/aide.py
@@ -0,0 +1,20 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+ file_systems_config = config["file-systems"]
+ # Start with an empty script and build it up
+ script = ""
+
+ if file_systems_config['config-fs']['dev_shm']:
+ # Each file system gets its own set of commands
+ script += f"""
+apt install aide aide-common
+aideinit
+mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+"""
+ return script
+
+if __name__ == "__main__":
+ config = config_file.read()
+ print(get_script(config))

From 29ebe6f813e26e0646871401aadde672204723fa Mon Sep 17 00:00:00 2001
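Review bot: The commands placed in `script` are meant to run unattended (the test scripts in this series feed this output straight into `bash -c`), but `apt install aide aide-common` has no `-y`, so it stops at the confirmation prompt, and `aideinit` and the `mv` run even if the install failed, which can move a missing or stale `aide.db.new` over the existing database. Chain the steps so a failure stops the sequence, e.g. `apt install -y aide aide-common && aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db`, or start the generated text with `set -e`. `import subprocess` is unused in this file, and the `f"""..."""` literal has no placeholders, so a plain `"""..."""` string is enough.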
From: chanakya
Date: Fri, 15 Dec 2023 18:45:52 +0530
Subject: [PATCH 03/16] Intrustion detection test added

---
 tests/test_aide.sh | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 tests/test_aide.sh

diff --git a/tests/test_aide.sh b/tests/test_aide.sh
new file mode 100644
index 0000000..a82a76f
--- /dev/null
+++ b/tests/test_aide.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PYTHON_SCRIPT="$SCRIPT_DIR/../harden/file_systems/aide.py"
+echo "Python script path: $PYTHON_SCRIPT"
+
+# Check if the Python script exists
+if [ ! -f "$PYTHON_SCRIPT" ]; then
+ echo "Error: Python script not found."
+ exit 1
+fi
+
+# Run the Python script and capture its output
+echo "Running the Python script..."
+script_output=$(python3 "$PYTHON_SCRIPT")
+
+# Check the exit status of the Python script
+if [ $? -ne 0 ]; then
+ echo "Python script execution failed."
+ exit 1
+fi
+
+# Optionally, print the output for verification
+echo "Python script output:"
+echo "$script_output"
+
+# Execute the output as a Bash script
+# WARNING: Executing scripts directly can be risky, especially with sudo commands.
+# Ensure you thoroughly understand and trust the script before executing.
+echo "Executing the generated Bash script..."
+bash -c "$script_output"
+
+echo "Script executed successfully."

From 424f4b98cd2081ec62dac8e7f7480f1110f77b02 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 18:46:31 +0530
Subject: [PATCH 04/16] Copy Config Updated

---
 config/sampleconfig.toml | 46 ++++++++++++++++++++++++++++++++++------
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/config/sampleconfig.toml b/config/sampleconfig.toml
index c8f585c..8d931ff 100644
--- a/config/sampleconfig.toml
+++ b/config/sampleconfig.toml
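Review bot: The exit status of `bash -c "$script_output"` is never checked, so the test prints "Script executed successfully." even when the generated commands fail, and when the config flag is off `script_output` is empty and `bash -c ""` succeeds without exercising anything. Fail on both conditions: `[ -n "$script_output" ] || { echo "No script generated."; exit 1; }` before the execution step and `bash -c "$script_output" || { echo "Generated script failed."; exit 1; }` in place of the bare call. Running `bash -n <<< "$script_output"` first would also catch syntax errors in the generated text before any command is executed. With `set -euo pipefail` at the top, the separate `$?` test after the command substitution becomes unnecessary.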
@@ -2,12 +2,49 @@
 enable = true
 device-rules = [
 {allow = true, id = "1a2c:4c5e", name = "USB Keyboard"}, # allow only at that port
- {allow = true, id = "04f3:0c00", name = "ELAN:ARM-M4"}
+ {allow = true, id = "04f3:0c00", name = "ELAN:ARM-M4"},
+ {allow = false, id = "1a3d:5b4e", name = "USB Mouse"}
 ]
 port-rules = [
- {allow = false, id = "1-3"} # block all devices at that port
+ {allow = false, id = "1-3", name = "USB Keyboard"}, # block all devices at that port
+ {allow = true, id = "1-2", name = "USB Mouse"}
 ]
+[file-systems]
+# Basic
+block = {udf = true, cramfs = true, squashfs = false}
+# Intermediate
+configure_fs = {tmp = true, dev_shm = true} # /tmp and /dev/shm
+tmp_size = 2 # in GB
+disable_automount = true
+# Advanced
+enable_aide = true # Advanced Intrusion Detection Environment
+
+[processes] # Process Hardening
+enable_aslr = true # Address Space Layout Randomization
+remove_prelink = true
+disable_error_reporting = true
+restrict_core_dumps = true
+
+[apparmor] # Mandatory Access Control
+enable = true
+mode = "enforce" # enforce, complain
+
+[gdm] # GNOME Display Manager
+remove = false
+disable_user_list = true
+lock_on_idle = 100 # in seconds, 0 to disable
+no_override_lockscreen = true
+disable_automount = true
+lock_automonut = true
+disable_autorun = true
+no_override_autorun = true
+
+[time-sync] # Time synchronization
+enable_ntp = true
+ntp_servers = [ "time1.google.com", "time2.google.com", "time3.google.com"]
+enable_ntp_user = true
+
 [ssh]
 enable = true
 port = 22
@@ -18,7 +55,4 @@ client-alive-interval = 300
 client-alive-count-max = 2
 allow-users = ["user1", "user2"]
 allow-groups = ["group1", "group2"]
-x11-forwarding = false
-
-[file-systems]
-block = ["udf", "cramfs", "squashfs"]
\ No newline at end of file
+x11-forwarding = false
\ No newline at end of file

From 0b1f23f09bf83bf95e0e84c0ee853326162ca4b0 Mon Sep 17 00:00:00 2001
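Review bot: `lock_automonut = true` in the new `[gdm]` table looks like a typo for `lock_automount`; code looking the option up by name will never see it and the setting silently does nothing. Key naming in the new tables also mixes underscores (`configure_fs`, `tmp_size`, `enable_aide`) with the hyphenated style of the existing keys (`device-rules`, `port-rules`, `client-alive-interval`), which makes slips like this and mismatches against the Python readers harder to notice; pick one convention for the file.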
From: chanakya
Date: Fri, 15 Dec 2023 18:47:18 +0530
Subject: [PATCH 05/16] cramfs updated

---
 harden/file_systems/cramfs.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/harden/file_systems/cramfs.py b/harden/file_systems/cramfs.py
index a6d1c54..5bd54c1 100644
--- a/harden/file_systems/cramfs.py
+++ b/harden/file_systems/cramfs.py
@@ -3,7 +3,6 @@ def get_script(config):
 file_systems_config = config["file-systems"]
- print(file_systems_config)
 # Start with an empty script and build it up
 script = ""
@@ -18,7 +17,7 @@ def get_script(config):
 echo -e " - setting module: \"$l_mname\" to be not loadable"
 echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
-fi
+fic
 if lsmod | grep "$l_mname" > /dev/null 2>&1; then
 echo -e " - unloading module \"$l_mname\""
 modprobe -r "$l_mname"

From bea53a5b89200b78ed9a687d075e4c7e3b86e67d Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 18:51:28 +0530
Subject: [PATCH 06/16] dev_shm , tmp python files added, scripts needs to be updated

---
 harden/file_systems/dev_shm.py | 18 ++++++++++++++++++
 harden/file_systems/tmp.py | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 harden/file_systems/dev_shm.py
 create mode 100644 harden/file_systems/tmp.py

diff --git a/harden/file_systems/dev_shm.py b/harden/file_systems/dev_shm.py
new file mode 100644
index 0000000..72ecb85
--- /dev/null
+++ b/harden/file_systems/dev_shm.py
@@ -0,0 +1,18 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+ file_systems_config = config["file-systems"]
+ # Start with an empty script and build it up
+ script = ""
+
+ if file_systems_config['config-fs']['dev_shm']:
+ # Each file system gets its own set of commands
+ script += f"""
+
+"""
+ return script
+
+if __name__ == "__main__":
+ config = config_file.read()
+ print(get_script(config))
diff --git a/harden/file_systems/tmp.py b/harden/file_systems/tmp.py
new file mode 100644
index 0000000..309dff0
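Review bot: The second hunk replaces `fi` with `fic`, which is not a shell keyword; the generated script will report `fic` as an unknown command and then fail with a syntax error because the `if` opened above this hunk is never closed, so the module is left loadable when the script is run. Restore `fi`. The f-string that holds this shell text begins and ends outside the hunk, which is why the breakage is not visible here; running the generated output through `bash -n` in the test scripts would catch this class of typo before anything executes.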
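Review bot: When the flag is set, `get_script` returns `"\n\n"` — a non-empty string with no commands — so a caller that tests `if script:` believes there is hardening work to run while nothing happens; the same placeholder body is in harden/file_systems/tmp.py in this commit. Until the commands exist, leave `script` as `""` so the result is indistinguishable from "feature disabled", or add a `# TODO` comment in the f-string body stating what the /dev/shm mount options should be. `import subprocess` is unused in both files.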
--- /dev/null
+++ b/harden/file_systems/tmp.py
@@ -0,0 +1,18 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+ file_systems_config = config["file-systems"]
+ # Start with an empty script and build it up
+ script = ""
+
+ if file_systems_config['config-fs']['tmp']:
+ # Each file system gets its own set of commands
+ script += f"""
+
+"""
+ return script
+
+if __name__ == "__main__":
+ config = config_file.read()
+ print(get_script(config))

From 794bd6e54f37f9e2e06a189a8111b2d4f7e4963e Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:11:56 +0530
Subject: [PATCH 07/16] remove_prelink added

---
 harden/process_hardening/remove_prelink.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 harden/process_hardening/remove_prelink.py

diff --git a/harden/process_hardening/remove_prelink.py b/harden/process_hardening/remove_prelink.py
new file mode 100644
index 0000000..1739879
--- /dev/null
+++ b/harden/process_hardening/remove_prelink.py
@@ -0,0 +1,20 @@
+import subprocess
+from harden import config_file
+
+def get_script(config):
+ file_systems_config = config["processes"]
+
+ # Start with an empty script and build it up
+ script = ""
+
+ if file_systems_config['remove_prelink']:
+ # Each file system gets its own set of commands
+ script += f"""
+prelink -ua
+apt purge prelink
+"""
+ return script
+
+if __name__ == "__main__":
+ config = config_file.read()
+ print(get_script(config))

From fda9faffe19b08d71dbb45684f9e1a23bccfd656 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:27:56 +0530
Subject: [PATCH 08/16] Pre-Link test Updaated with audit message

---
 tests/test_remove_prelink.sh | 43 ++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 tests/test_remove_prelink.sh

diff --git a/tests/test_remove_prelink.sh b/tests/test_remove_prelink.sh
new file mode 100644
index 0000000..c623534
--- /dev/null
+++ b/tests/test_remove_prelink.sh
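Review bot: `prelink -ua` runs unconditionally, so on a host where prelink was never installed the generated script fails with command-not-found before it reaches `apt purge prelink`, and `apt purge` without `-y` waits for confirmation when the output is executed non-interactively by the test harness. Guard the undo step and make the purge non-interactive: `if command -v prelink >/dev/null 2>&1; then prelink -ua; fi` followed by `apt purge -y prelink`. The local is named `file_systems_config` although it holds `config["processes"]`; `processes_config` would describe it. `import subprocess` is unused and the f-string has no placeholders.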
@@ -0,0 +1,43 @@
+#!/bin/bash
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PYTHON_SCRIPT="$SCRIPT_DIR/../harden/process_hardening/remove_prelink.py"
+echo "Python script path: $PYTHON_SCRIPT"
+
+# Check if the Python script exists
+if [ ! -f "$PYTHON_SCRIPT" ]; then
+ echo "Error: Python script not found."
+ exit 1
+fi
+
+# Run the Python script and capture its output
+echo "Running the Python script..."
+script_output=$(python3 "$PYTHON_SCRIPT")
+
+# Check the exit status of the Python script
+if [ $? -ne 0 ]; then
+ echo "Python script execution failed."
+ exit 1
+fi
+
+# Optionally, print the output for verification
+echo "Python script output:"
+echo "$script_output"
+
+# Execute the output as a Bash script
+# WARNING: Executing scripts directly can be risky, especially with sudo commands.
+# Ensure you thoroughly understand and trust the script before executing.
+echo "Executing the generated Bash script..."
+bash -c "$script_output"
+
+# Execute dpkg-query command and check the output
+echo "Executing dpkg-query..."
+dpkg_output=$(dpkg-query -W -f='${binary:Package}\t${Status}\t${db:Status-Status}\n')
+
+# Check if dpkg-query output contains the specific line
+if echo "$dpkg_output" | grep -q "prelink unknown ok not-installed not-installed"; then
+ echo "pre-link is not installed."
+else
+ echo "pre-link may be installed."
+fi
+
+echo "Script executed successfully."

From cfd461cd6328e6b213ab987b4bcafa67328ad4df Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:30:31 +0530
Subject: [PATCH 09/16] testing workflow automated

---
 .github/workflows/workflow.yaml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index f7b997c..79f18b2 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
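Review bot: The `grep -q "prelink unknown ok not-installed not-installed"` check cannot match as written: the `-f` format separates the fields with `\t`, so the real line has tabs where the pattern has spaces, and the test always prints "pre-link may be installed." while still exiting 0, so the CI step passes regardless. Query the one package and fail when it is still present, e.g. `if dpkg-query -W -f='${Status}' prelink 2>/dev/null | grep -q "install ok installed"; then echo "pre-link is still installed."; exit 1; fi`. As in tests/test_aide.sh, the exit status of `bash -c "$script_output"` is not checked either, so a failing generated script is also reported as success.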
@@ -19,11 +19,7 @@ jobs:
 - name: Run test scripts
 run: |
 export PYTHONPATH="${PYTHONPATH}:/home/runner/work/HardeningHub/HardeningHub"
- chmod +x tests/test_physical_ports_output.sh
- ./tests/test_physical_ports_output.sh
- chmod +x tests/test_cramfs_output.sh
- ./tests/test_cramfs_output.sh
- chmod +x tests/test_squashfs_output.sh
- ./tests/test_squashfs_output.sh
- chmod +x tests/test_udf_output.sh
- ./tests/test_udf_output.sh
+ for script in tests/*.sh; do
+ chmod +x "$script"
+ ./"$script"
+ done

From 3cafe7b0796508405ee21f0da9305c9471dd3879 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:33:00 +0530
Subject: [PATCH 10/16] key updated config_fs in dev_shm, tmp

---
 harden/file_systems/dev_shm.py | 2 +-
 harden/file_systems/tmp.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/harden/file_systems/dev_shm.py b/harden/file_systems/dev_shm.py
index 72ecb85..e985851 100644
--- a/harden/file_systems/dev_shm.py
+++ b/harden/file_systems/dev_shm.py
@@ -6,7 +6,7 @@ def get_script(config):
 # Start with an empty script and build it up
 script = ""
- if file_systems_config['config-fs']['dev_shm']:
+ if file_systems_config['config_fs']['dev_shm']:
 # Each file system gets its own set of commands
 script += f"""
diff --git a/harden/file_systems/tmp.py b/harden/file_systems/tmp.py
index 309dff0..7e9c4c5 100644
--- a/harden/file_systems/tmp.py
+++ b/harden/file_systems/tmp.py
@@ -6,7 +6,7 @@ def get_script(config):
 # Start with an empty script and build it up
 script = ""
- if file_systems_config['config-fs']['tmp']:
+ if file_systems_config['config_fs']['tmp']:
 # Each file system gets its own set of commands
 script += f"""

From d9ade3676c1f1eb0beca69abae94830fd957f5f5 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:34:18 +0530
Subject: [PATCH 11/16] key updated config_fs in aide

---
 harden/file_systems/aide.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

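Review bot: `for script in tests/*.sh` now runs every test script, which with this series includes tests/test_aide.sh and tests/test_remove_prelink.sh; those execute generated `apt install` / `apt purge` commands on the runner, which need root (the step runs without `sudo`) and otherwise wait for confirmation, so the job can fail or stall for reasons unrelated to the code being tested. Consider keeping package-mutating tests out of this glob, or running them inside a container where the mutation is contained, and having the tests check the generated text with `bash -n` rather than executing it on the CI host. If the scripts are committed with the executable bit, the `chmod +x "$script"` line is unnecessary.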
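Review bot: `file_systems_config['config_fs']['dev_shm']` reads a key that config/sampleconfig.toml (patch 04 in this series) does not define — the table there is `configure_fs = {tmp = true, dev_shm = true}` — so with the sample config this raises KeyError; the `['config_fs']['tmp']` lookup in harden/file_systems/tmp.py in the same commit has the same problem. Either rename the TOML table to `config_fs` or read `configure_fs` here, and consider `file_systems_config.get('configure_fs', {}).get('dev_shm', False)` so an absent optional table disables the feature instead of crashing the generator. get_script's body continues outside the hunk.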
diff --git a/harden/file_systems/aide.py b/harden/file_systems/aide.py
index 98e8867..54f4bfb 100644
--- a/harden/file_systems/aide.py
+++ b/harden/file_systems/aide.py
@@ -6,7 +6,7 @@ def get_script(config):
 # Start with an empty script and build it up
 script = ""
- if file_systems_config['config-fs']['dev_shm']:
+ if file_systems_config['config_fs']['dev_shm']:
 # Each file system gets its own set of commands
 script += f"""
 apt install aide aide-common

From 9de92cb0a1f432004ada558f9cd505a8b16f0275 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:37:26 +0530
Subject: [PATCH 12/16] key update enable_aide in aide.py

---
 harden/file_systems/aide.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/harden/file_systems/aide.py b/harden/file_systems/aide.py
index 54f4bfb..3da2063 100644
--- a/harden/file_systems/aide.py
+++ b/harden/file_systems/aide.py
@@ -6,7 +6,7 @@ def get_script(config):
 # Start with an empty script and build it up
 script = ""
- if file_systems_config['config_fs']['dev_shm']:
+ if file_systems_config['enable_aide']:
 # Each file system gets its own set of commands
 script += f"""
 apt install aide aide-common

From bebdf219e72579e4c6aed8e9f58695703faf7f17 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:49:06 +0530
Subject: [PATCH 13/16] update config

---
 config/sampleconfig.toml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/sampleconfig.toml b/config/sampleconfig.toml
index 8d931ff..018ac3d 100644
--- a/config/sampleconfig.toml
+++ b/config/sampleconfig.toml
@@ -55,4 +55,9 @@ client-alive-interval = 300
 client-alive-count-max = 2
 allow-users = ["user1", "user2"]
 allow-groups = ["group1", "group2"]
-x11-forwarding = false
\ No newline at end of file
+x11-forwarding = false
+<<<<<<< new-branch
+x11-forwarding = false
+=======
+x11-forwarding = false
+>>>>>>> main
\ No newline at end of file

From ccac1d7a38b0cf6091edd1db14527cd788c450f1 Mon Sep 17 00:00:00 2001
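Review bot: `file_systems_config['enable_aide']` now matches the key in config/sampleconfig.toml, but a config file that omits the key raises KeyError in the generator rather than skipping AIDE; `file_systems_config.get('enable_aide', False)` keeps the behaviour for the sample config and treats an absent key as "disabled", which is the safer default for an optional feature that installs packages. get_script's body continues outside the hunk.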
From: chanakya
Date: Fri, 15 Dec 2023 19:50:47 +0530
Subject: [PATCH 14/16] update config

---
 config/sampleconfig.toml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/config/sampleconfig.toml b/config/sampleconfig.toml
index 018ac3d..8d931ff 100644
--- a/config/sampleconfig.toml
+++ b/config/sampleconfig.toml
@@ -55,9 +55,4 @@ client-alive-interval = 300
 client-alive-count-max = 2
 allow-users = ["user1", "user2"]
 allow-groups = ["group1", "group2"]
-x11-forwarding = false
-<<<<<<< new-branch
-x11-forwarding = false
-=======
-x11-forwarding = false
->>>>>>> main
\ No newline at end of file
+x11-forwarding = false
\ No newline at end of file

From 45bb85cfcfbb096da191de0960596b20c19c9ab9 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:53:45 +0530
Subject: [PATCH 15/16] update config

---
 config/sampleconfig.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/config/sampleconfig.toml b/config/sampleconfig.toml
index 8d931ff..6a0539a 100644
--- a/config/sampleconfig.toml
+++ b/config/sampleconfig.toml
@@ -54,5 +54,4 @@ permit-root-login = false
 client-alive-interval = 300
 client-alive-count-max = 2
 allow-users = ["user1", "user2"]
-allow-groups = ["group1", "group2"]
-x11-forwarding = false
\ No newline at end of file
+allow-groups = ["group1", "group2"]
\ No newline at end of file

From 33d071e51e93e009d2b68bcb75518bc317f72666 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Fri, 15 Dec 2023 19:59:08 +0530
Subject: [PATCH 16/16] update

---
 config/sampleconfig.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/sampleconfig.toml b/config/sampleconfig.toml
index 6a0539a..8d931ff 100644
--- a/config/sampleconfig.toml
+++ b/config/sampleconfig.toml
@@ -54,4 +54,5 @@ permit-root-login = false
 client-alive-interval = 300
 client-alive-count-max = 2
 allow-users = ["user1", "user2"]
-allow-groups = ["group1", "group2"]
\ No newline at end of file
+allow-groups = ["group1", "group2"]
+x11-forwarding = false
\ No newline at end of file