Refactor directory structure

abhishekmj303 · Dec 13, 2023 · 973bba5 · 973bba5
1 parent 1142ef4
commit 973bba5
Show file tree

Hide file tree

Showing 11 changed files with 92 additions and 157 deletions.
diff --git a/.github/workflows/WorkFlow.yaml → .github/workflows/workflow.yaml b/.github/workflows/WorkFlow.yaml → .github/workflows/workflow.yaml
@@ -14,6 +14,4 @@ jobs:
       run: |
         pip install -r requirements.txt
         python tests/test_config.py
-        chmod +x BackEnd/runScript.sh
-        ./BackEnd/runScript.sh
         
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,3 @@
 __pycache__
-*/__pycache__
-venv
+venv
+.venv
diff --git a/BackEnd/disable_usbguard.tmp b/BackEnd/disable_usbguard.tmp
diff --git a/BackEnd/rules.conf b/BackEnd/rules.conf
diff --git a/BackEnd/runScript.sh b/BackEnd/runScript.sh
diff --git a/README.md b/README.md
@@ -2,98 +2,3 @@
 Hardening for ubuntu Using UI:
 ![Alt text](static/image.png)
 Hardening Hub for Ubuntu.
-
-- [Hardware](#hardware)
-  - [Physical Ports](#physical-ports)
-    - [UI](#ui)
-    - [Config File](#config-file)
-    - [Backend](#backend)
-- [Software](#software)
-  - [SSH](#ssh)
-    - [Config File](#config-file-1)
-
-## Hardware
-
-### Physical Ports
-
-USBGuard: https://usbguard.github.io/documentation/rule-language.html
-
-#### UI
-
-- checkbox: enable/disable usbguard service
-  - `systemctl status usbguard`
-  - grey out all other controls if disabled
-- checkbox: allow all devices
-- on load, refresh button: get devices from connected ports and current rules
-  - `usbguard generate-policy` + from config file
-  - `grep 'via-port'`
-  - get ids of each device
-     - `grep -oP ' id \K\S+'`
-  - get names of each device
-     - `grep -oP ' name "\K[^"]+'`
-  - get port ids of each device
-     - `grep -oP ' via-port "\K[^"]+'`
-  <!-- - get name of each ids
-     - `lsusb -d <id>`
-     - `grep -oP ' ID [0-9a-f]+:[0-9a-f]+ \K.*'` -->
-- table(list): display the list of devices
-  - checkbox: allowed(true) or blocked(false)
-  - device id
-  - device name
-  - port id
-  - checkbox: port-specific rule(true) or global rule(false)
-  - delete button
-- table(list): display the list of ports (? how to get all port ids)
-  - checkbox: allowed(true) or blocked(false)
-  - port id
-
-#### Config File
-
-```toml
-[physical-ports]
-enable = true
-allow-all = false
-rules = [
-    {allow = true, id = "1a2c:4c5e", name = "USB Keyboard", port = "1-2"}, # allow only at that port
-    {allow = true, id = "04f3:0c00", name = "ELAN:ARM-M4"},
-    {allow = false, port = "1-3"} # block all devices at that port
-]
-```
-
-#### Backend
-
-- if not `enable`:
-  - `sudo systemctl disable --now usbguard`
-  - return
-- generate `rules.conf`:
-  - if `allow-all`:
-     - `allow`
-  - else:
-     - for each rule: `allow $id name "$name" via-port "$port"`
-- install rules:
-  - `sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf`
-  - `sudo systemctl restart usbguard`
-  - `sudo systemctl enable usbguard`
-
-
-## Software
-
-### SSH
-
-sshd_config: https://v.gd/b3j7GR
-
-#### Config File
-
-```toml
-[ssh]
-enable = true
-port = 22
-permit-empty-passwords = false
-password-authentication = false
-permit-root-login = false
-client-alive-interval = 300
-client-alive-count-max = 2
-allow-users = ["user1", "user2"]
-allow-groups = ["group1", "group2"]
-x11-forwarding = false
-```
diff --git a/docs/firewall.md b/docs/firewall.md
diff --git a/docs/physical_ports.md b/docs/physical_ports.md
@@ -0,0 +1,63 @@
+# Physical Ports
+
+USBGuard: https://usbguard.github.io/documentation/rule-language.html
+
+## UI
+
+- checkbox: enable/disable usbguard service
+  - `systemctl status usbguard`
+  - grey out all other controls if disabled
+- checkbox: allow all devices
+- on load, refresh button: get devices from connected ports and current rules
+  - `usbguard generate-policy` + from config file
+  - `grep 'via-port'`
+  - get ids of each device
+     - `grep -oP ' id \K\S+'`
+  - get names of each device
+     - `grep -oP ' name "\K[^"]+'`
+  - get port ids of each device
+     - `grep -oP ' via-port "\K[^"]+'`
+  <!-- - get name of each ids
+     - `lsusb -d <id>`
+     - `grep -oP ' ID [0-9a-f]+:[0-9a-f]+ \K.*'` -->
+- table(list): display the list of devices
+  - checkbox: allowed(true) or blocked(false)
+  - device id
+  - device name
+  - port id
+  - checkbox: port-specific rule(true) or global rule(false)
+  - delete button
+- table(list): display the list of ports (? how to get all port ids)
+  - checkbox: allowed(true) or blocked(false)
+  - port id
+
+## Config File
+
+```toml
+[physical-ports]
+enable = true
+allow-all = false
+device-rules = [
+    {allow = true, id = "1a2c:4c5e", name = "USB Keyboard", port = "1-2"}, # allow only at that port
+    {allow = true, id = "04f3:0c00", name = "ELAN:ARM-M4"}
+]
+port-rules = [
+    {allow = false, port = "1-3"} # block all devices at that port
+]
+```
+
+## Backend
+
+- if not `enable`:
+  - `sudo systemctl disable --now usbguard`
+  - return
+- generate `rules.conf`:
+  - if `allow-all`:
+     - `allow`
+  - else:
+     - for each rule: `allow $id name "$name" via-port "$port"`
+- install rules:
+  - `sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf`
+  - `sudo systemctl restart usbguard`
+  - `sudo systemctl enable usbguard`
+
diff --git a/docs/ssh.md b/docs/ssh.md
@@ -0,0 +1,19 @@
+# SSH
+
+sshd_config: https://v.gd/b3j7GR
+
+## Config File
+
+```toml
+[ssh]
+enable = true
+port = 22
+permit-empty-passwords = false
+password-authentication = false
+permit-root-login = false
+client-alive-interval = 300
+client-alive-count-max = 2
+allow-users = ["user1", "user2"]
+allow-groups = ["group1", "group2"]
+x11-forwarding = false
+```
diff --git a/BackEnd/readtoml.py → harden/physical_ports.py b/BackEnd/readtoml.py → harden/physical_ports.py
@@ -44,24 +44,16 @@ def ConfUtile(parsed_data,test_directory):
                 if key == 'allow':
                     if rule[key]:
                         rules_content += "allow "
-                        if 'id' in rule:
-                            rules_content += f"{rule['id']} "
-                        if 'name' in rule:
-                            rules_content += f"name  \"{rule['name']}\" "
-                        if 'port' in rule:
-                            rules_content += f"via-port \"{rule['port']}\"\n"
-                        else:
-                            rules_content += "\n"
                     else:
                         rules_content += "reject "
-                        if 'id' in rule:
-                            rules_content += f"reject {rule['id']} "
-                        if 'name' in rule:
-                            rules_content += f"name \"{rule['name']}\" "
-                        if 'port' in rule:
-                            rules_content += f"via-port {rule['port']}\n"
-                        else:
-                            rules_content += "\n"
+                    if 'id' in rule:
+                        rules_content += f"{rule['id']} "
+                    if 'name' in rule:
+                        rules_content += f"name  \"{rule['name']}\" "
+                    if 'port' in rule:
+                        rules_content += f"via-port \"{rule['port']}\"\n"
+                    else:
+                        rules_content += "\n"
     return rules_content
 
 

diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,2 @@
 pyQt6
-toml
 tomlkit
-Original file line number
+Diff line change
@@ -1,3 +1,2 @@
     pyQt6
-    toml
     tomlkit