From 6bdabf09f618e64fdc5999986decc799a3f2ca4f Mon Sep 17 00:00:00 2001
From: chanakya
Date: Wed, 20 Dec 2023 14:28:49 +0530
Subject: [PATCH 1/8] gdm commands updated
---
 harden/file_systems/cramfs.py | 4 +-
 harden/gdm.py | 158 ++++++++++++++++------------------
 2 files changed, 76 insertions(+), 86 deletions(-)
diff --git a/harden/file_systems/cramfs.py b/harden/file_systems/cramfs.py
index 66952bd..f688c49 100644
--- a/harden/file_systems/cramfs.py
+++ b/harden/file_systems/cramfs.py
@@ -2,13 +2,13 @@ def get_script(config):
 file_systems_config = config["file-systems"]
-
+ script = "#!/bin/bash\n\n" # Start with a bash shebang and a newline
 # Loop through each filesystem module in the configuration
 for fs_module in file_systems_config['block']:
 if file_systems_config['block'][fs_module]:
- script += """
+ script += f"""
 echo "Processing module: {fs_module}..."
 # Check if module '{fs_module}' is set to be not loadable
diff --git a/harden/gdm.py b/harden/gdm.py
index 56882d9..9b4fc51 100644
--- a/harden/gdm.py
+++ b/harden/gdm.py
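Review bot: Every literal `{` or `}` in the remainder of the bash template now has to be written as `{{`/`}}`, because the `+            script += f"""` line turns the whole heredoc into an f-string and a bare awk `'{print ...}'`, `${var}` expansion or `{ ...; }` group would raise at format time. Only the first three template lines are inside the hunk, so whether such braces appear further down cannot be confirmed from here; the remaining lines deserve a quick check and a short comment above the assignment such as `# f-string: double any literal shell braces`. The `script = "#!/bin/bash\n\n"` line correctly initialises the accumulator before the `+=` in the loop. get_script's body continues outside the hunk.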
@@ -38,51 +38,56 @@ def get_script(config): echo -e "[org/gnome/desktop/screensaver]\nlock-delay=uint32 1" | dconf write /org/gnome/desktop/screensaver/lock-delay""" if file_systems_config['no_override_lockscreen']: script += """ +#!/bin/bash + +# Check if GNOME Desktop Manager is installed l_pkgoutput="" if command -v dpkg-query > /dev/null 2>&1; then l_pq="dpkg-query -W" elif command -v rpm > /dev/null 2>&1; then l_pq="rpm -q" +else + echo "Package manager not found." + exit 1 fi + +# Space-separated list of packages to check l_pcl="gdm gdm3" for l_pn in $l_pcl; do - $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - Remediating configuration if needed" + if $l_pq "$l_pn" > /dev/null 2>&1; then + l_pkgoutput+=$'\n'"- Package: \"$l_pn\" exists on the system\n - checking configuration" + fi done + +# If GDM is installed, check configuration if [ -n "$l_pkgoutput" ]; then - l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" # Set the directory of the key file to be locked - l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" # Set the directory of the key file to be locked + l_output="" l_output2="" - if [ -d "$l_kfd" ]; then - if grep -Prilq '^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then - echo " - \"idle-delay\" is locked in \"$(grep -Pril'^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\"" + # Check for automount and automount-open settings + for key in automount automount-open; do + l_kfd="/etc/dconf/db/$(grep -Psril "^\h*$key\b" /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + + if [ -d "$l_kfd" ]; then + if grep -Piq "^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd"; then + l_output+=$'\n'"- \"$key\" is locked in \"$(grep -Pil 
"^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd")\"" + else + l_output2+=$'\n'"- \"$key\" is not locked" + fi else - echo "Creating entry to lock \"idle-delay\"" - [ ! -d "$l_kfd"/locks ] && echo "Creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks - { - echo -e '\n# Lock desktop screensaver idle-delay setting' - echo '/org/gnome/desktop/session/idle-delay' - } >> "$l_kfd"/locks/00-screensaver + l_output2+=$'\n'"- \"$key\" is not set so it cannot be locked" fi - else - echo -e " - \"idle-delay\" is not set so it cannot be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again" - fi + done +else + l_output+=$'\n'"- GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" +fi - if [ -d "$l_kfd2" ]; then - if grep -Prilq '^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then - echo " - \"lock-delay\" is locked in \"$(grep -Pril'^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\"" - else - echo "Creating entry to lock \"lock-delay\"" - [ ! 
-d "$l_kfd2"/locks ] && echo "Creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks - { - echo -e '\n# Lock desktop screensaver lock-delay setting' - echo '/org/gnome/desktop/screensaver/lock-delay' - } >> "$l_kfd2"/locks/00-screensaver - fi - else - echo -e " - \"lock-delay\" is not set so it cannot be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again" - fi +# Report results +[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" +if [ -z "$l_output2" ]; then + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" else - echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" fi """ if file_systems_config['disable_automount']: 
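Review bot: The body appended under `no_override_lockscreen` no longer touches the lock screen at all: the new lines audit the dconf `automount` and `automount-open` locks (the same script the `lock_automount` branch emits in the next hunk) and only print PASS/FAIL, whereas the removed lines created `locks/00-screensaver` entries for `idle-delay` and `lock-delay`. Either the old remediation should be restored under this key or the key should be removed; as written, enabling the option silently does nothing for the screen lock. Separately, these templates are non-raw strings, so the `\b` word boundary in `grep -Psril "^\h*$key\b"` reaches bash as a literal backspace character and the pattern can never match, which makes every key report "is not set so it cannot be locked" and the audit always FAIL; declaring the templates as `r"""` (or `rf"""` where interpolation is needed, with literal shell braces doubled) fixes this here, in the `lock_automount` hunk below, and in the network.py hunk of PATCH 3/8. get_script's body continues outside this hunk.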
@@ -168,73 +173,58 @@ def get_script(config): if file_systems_config['lock_automount']: script += """ -# Check if GNOME Desktop Manager is installed. If package isn't -installed, recommendation is Not Applicable\n -# determine system's package manager +#!/bin/bash + +# Check if GNOME Desktop Manager is installed l_pkgoutput="" if command -v dpkg-query > /dev/null 2>&1; then -l_pq="dpkg-query -W" + l_pq="dpkg-query -W" elif command -v rpm > /dev/null 2>&1; then -l_pq="rpm -q" + l_pq="rpm -q" +else + echo "Package manager not found." + exit 1 fi -# Check if GDM is installed -l_pcl="gdm gdm3" # Space seporated list of packages to check + +# Space-separated list of packages to check +l_pcl="gdm gdm3" for l_pn in $l_pcl; do -$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n - -Package: \"$l_pn\" exists on the system\n - checking configuration" + if $l_pq "$l_pn" > /dev/null 2>&1; then + l_pkgoutput+=$'\n'"- Package: \"$l_pn\" exists on the system\n - checking configuration" + fi done -# Check configuration (If applicable) + +# If GDM is installed, check configuration if [ -n "$l_pkgoutput" ]; then -l_output="" l_output2="" -# Look for idle-delay to determine profile in use, needed for remaining -tests -l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ | -awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file -to be locked -l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b' -/etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set -directory of key file to be locked -if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options -can't be locked -if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b' -"$l_kfd"; then -l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil -'^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\"" -else -l_output2="$l_output2\n - \"automount\" is not locked" -fi -else -l_output2="$l_output2\n - \"automount\" is not set 
so it can not be -locked" -fi -if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist, -options can't be locked -if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount- -open\b' "$l_kfd2"; then -l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep --Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b' -"$l_kfd2")\"" -else -l_output2="$l_output2\n - \"automount-open\" is not locked" -fi -else -l_output2="$l_output2\n - \"automount-open\" is not set so it can -not be locked" -fi + l_output="" l_output2="" + + # Check for automount and automount-open settings + for key in automount automount-open; do + l_kfd="/etc/dconf/db/$(grep -Psril "^\h*$key\b" /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" + + if [ -d "$l_kfd" ]; then + if grep -Piq "^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd"; then + l_output+=$'\n'"- \"$key\" is locked in \"$(grep -Pil "^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd")\"" + else + l_output2+=$'\n'"- \"$key\" is not locked" + fi + else + l_output2+=$'\n'"- \"$key\" is not set so it cannot be locked" + fi + done else -Page 180 -l_output="$l_output\n - GNOME Desktop Manager package is not installed -on the system\n - Recommendation is not applicable" + l_output+=$'\n'"- GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable" fi -# Report results. 
If no failures output in l_output2, we pass + +# Report results [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput" if [ -z "$l_output2" ]; then -echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" + echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n" else -echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit -failure:\n$l_output2\n" -[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" + echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n" + [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n" fi + """ if file_systems_config['disable_autorun']: From 7544b483beb545686ff5fd85ef3720614e825df0 Mon Sep 17 00:00:00 2001 From: chanakya Date: Wed, 20 Dec 2023 14:31:09 +0530 Subject: [PATCH 2/8] fire wal enable and commands updated --- harden/firewall.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/harden/firewall.py b/harden/firewall.py index 2f95761..d7854ae 100644 --- a/harden/firewall.py +++ b/harden/firewall.py @@ -4,19 +4,19 @@ def get_script(config): firewall_config = config["firewall"] script = "#!/bin/bash\n\n" # Start with a bash shebang and a newline - if firewall_config.get('enable', False): + if firewall_config['enable']: script += "sudo apt install ufw -y\n" # Install UFW script += "sudo apt purge iptables-persistent -y\n" # Purge iptables-persistent script += "sudo systemctl enable --now ufw.service\n" # Enable and start UFW - if firewall_config.get('configure_loopback_traffic', False): + if firewall_config['configure_loopback_traffic']: # Configure loopback traffic rules script += "sudo ufw allow in on lo\n" script += "sudo ufw allow out on lo\n" script += "sudo ufw deny in from 127.0.0.0/8\n" script += "sudo ufw deny in from ::1\n" - if firewall_config.get('enable_default_deny', False): + if firewall_config['enable_default_deny']: # Set default deny policies script += "sudo ufw default deny incoming\n" script += "sudo ufw default deny outgoing\n" 
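Review bot: The `exit 1` added in the `else` branch of the package-manager probe terminates the whole generated hardening script, not just this fragment, so on a host with neither dpkg-query nor rpm every section appended after `lock_automount` is skipped without any report. Record the condition in `l_output2` and fall through to the existing result-reporting block instead, so the run continues and the reason appears under "Reason(s) for audit failure". The `+#!/bin/bash` line inside the fragment is a no-op comment in the middle of the script (the sibling modules in this series already start `script` with a shebang, and gdm.py presumably does too); dropping it avoids the impression that each fragment is a standalone program. The same two additions appear in the first gdm.py hunk and in the network.py hunk of PATCH 3/8. get_script's body continues outside this hunk.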
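Review bot: The three `.get(..., False)` lookups replaced by `firewall_config['enable']`, `firewall_config['configure_loopback_traffic']` and `firewall_config['enable_default_deny']` turn a missing key into a `KeyError` traceback at generation time, where the old code treated an absent key as "disabled". That matches how the other modules in this series index their config, so it is acceptable if the keys are now required, but then the config schema should document them as mandatory or the loader should validate them up front with a clear message; otherwise keep the `.get` defaults. get_script's body continues outside this hunk.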
From 36cdf1e83ff2293de17a3b830401028797bd7644 Mon Sep 17 00:00:00 2001
From: chanakya
Date: Wed, 20 Dec 2023 14:46:09 +0530
Subject: [PATCH 3/8] Network commands updated
---
 harden/network.py | 271 ++++++++++++++++++++++++----------------------
 1 file changed, 142 insertions(+), 129 deletions(-)
diff --git a/harden/network.py b/harden/network.py
index 0f8f77a..e830dd8 100644
--- a/harden/network.py
+++ b/harden/network.py
@@ -375,164 +375,177 @@ def get_script(config): if network_config['reject_ipv6_router_adv']: script += ''' -{ +#!/bin/bash + l_output="" l_output2="" -l_parlist="net.ipv6.conf.all.accept_ra=0 -net.ipv6.conf.default.accept_ra=0" -l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf -/usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf -/etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ -{print $2}' /etc/default/ufw)" -KPF() -{ -# comment out incorrect parameter(s) in kernel parameter file(s) -l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- -"\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}')" -for l_bkpf in $l_fafile; do -echo -e "\n - Commenting out \"$l_kpname\" in \"$l_bkpf\"" -sed -ri "/$l_kpname/s/^/# /" "$l_bkpf" -done -# Set correct parameter in a kernel parameter file -if ! grep -Pslq -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" -$l_searchloc; then -echo -e "\n - Setting \"$l_kpname\" to \"$l_kpvalue\" in -\"$l_kpfile\"" -echo "$l_kpname = $l_kpvalue" >> "$l_kpfile" -fi -# Set correct parameter in active kernel parameters -l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" -if [ "$l_krp" != "$l_kpvalue" ]; then -echo -e "\n - Updating \"$l_kpname\" to \"$l_kpvalue\" in the active -kernel parameters" -sysctl -w "$l_kpname=$l_kpvalue" -sysctl -w "$(awk -F'.' 
'{print $1"."$2".route.flush=1"}' <<< -"$l_kpname")" -fi +l_parlist="net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0" +l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf" +[ -f /etc/default/ufw ] && l_searchloc+=" $(awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)" + +KPF() { + # Comment out incorrect parameter(s) in kernel parameter file(s) + local l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}')" + for l_bkpf in $l_fafile; do + echo -e "\n - Commenting out \"$l_kpname\" in \"$l_bkpf\"" + sed -ri "/$l_kpname/s/^/# /" "$l_bkpf" + done + + # Set correct parameter in a kernel parameter file + if ! grep -Pslq -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc; then + echo -e "\n - Setting \"$l_kpname\" to \"$l_kpvalue\" in \"$l_kpfile\"" + echo "$l_kpname = $l_kpvalue" >> "$l_kpfile" + fi + + # Set correct parameter in active kernel parameters + local l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)" + if [ "$l_krp" != "$l_kpvalue" ]; then + echo -e "\n - Updating \"$l_kpname\" to \"$l_kpvalue\" in the active kernel parameters" + sysctl -w "$l_kpname=$l_kpvalue" + sysctl -w "$(awk -F'.' '{print $1"."$2".route.flush=1"}' <<< "$l_kpname")" + fi } -IPV6F_CHK() -{ -l_ipv6s="" -grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' - -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} -\;) -if [ -s "$grubfile" ]; then -! 
grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq --- ipv6.disable=1 && l_ipv6s="disabled" -fi -if grep -Pqs -- -"^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && \ -grep -Pqs -- -"^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc -&& \ -sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- -"^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\h*(#.*)?$" && \ -sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- -"^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\h*(#.*)?$"; then -l_ipv6s="disabled" -fi -if [ -n "$l_ipv6s" ]; then -echo -e "\n - IPv6 is disabled on the system, \"$l_kpname\" is not -applicable" -else -KPF -fi + +IPV6F_CHK() { + local l_ipv6s="" + local grubfile=$(find /boot -type f \( -name 'grubenv' -o -name 'grub.conf' -o -name 'grub.cfg' \) -exec grep -Pl -- '^\h*(kernelopts=|linux|kernel)' {} \;) + + if [ -s "$grubfile" ] && ! grep -P -- "^\h*(kernelopts=|linux|kernel)" "$grubfile" | grep -vq -- "ipv6.disable=1"; then + l_ipv6s="disabled" + fi + + if grep -Pqs -- "^\h*net.ipv6.conf.all.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && grep -Pqs -- "^\h*net.ipv6.conf.default.disable_ipv6\h*=\h*1\h*(#.*)?$" $l_searchloc && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Pqs -- "^\h*net.ipv6.conf.all.disable_ipv6\h*=\h*1\h*(#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Pqs -- "^\h*net.ipv6.conf.default.disable_ipv6\h*=\h*1\h*(#.*)?$"; then + l_ipv6s="disabled" + fi + + if [ -n "$l_ipv6s" ]; then + echo -e "\n - IPv6 is disabled on the system, \"$l_kpname\" is not applicable" + else + KPF + fi } + for l_kpe in $l_parlist; do -l_kpname="$(awk -F= '{print $1}' <<< "$l_kpe")" -l_kpvalue="$(awk -F= '{print $2}' <<< "$l_kpe")" -if grep -q '^net.ipv6.' 
<<< "$l_kpe"; then -l_kpfile="/etc/sysctl.d/60-netipv6_sysctl.conf" -IPV6F_CHK -else -l_kpfile="/etc/sysctl.d/60-netipv4_sysctl.conf" -KPF -fi + l_kpname="$(awk -F= '{print $1}' <<< "$l_kpe")" + l_kpvalue="$(awk -F= '{print $2}' <<< "$l_kpe")" + if grep -q '^net.ipv6.' <<< "$l_kpe"; then + l_kpfile="/etc/sysctl.d/60-netipv6_sysctl.conf" + IPV6F_CHK + else + l_kpfile="/etc/sysctl.d/60-netipv4_sysctl.conf" + KPF + fi done -} + ''' disable_protocols = network_config['disable_protocols'] if disable_protocols['dccp']: script += ''' +#!/bin/bash + { -l_mname="dccp" # set module name -if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install -\/bin\/(true|false)'; then -echo -e " - setting module: \"$l_mname\" to be not loadable" -echo -e "install $l_mname /bin/false" >> -/etc/modprobe.d/"$l_mname".conf -fi -if lsmod | grep "$l_mname" > /dev/null 2>&1; then -echo -e " - unloading module \"$l_mname\"" -modprobe -r "$l_mname" -fi -if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then -echo -e " - deny listing \"$l_mname\"" -echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf -fi + l_mname="dccp" # Set module name + + # Check if the module is set to be not loadable and set it if not + if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install \/bin\/(true|false)'; then + echo -e " - Setting module: \"$l_mname\" to be not loadable" + echo "install $l_mname /bin/false" | sudo tee /etc/modprobe.d/"$l_mname".conf + fi + + # Unload the module if it is currently loaded + if lsmod | grep -q "$l_mname"; then + echo -e " - Unloading module \"$l_mname\"" + sudo modprobe -r "$l_mname" + fi + + # Blacklist the module if it is not already blacklisted + if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + echo -e " - Blacklisting \"$l_mname\"" + echo "blacklist $l_mname" | sudo tee -a /etc/modprobe.d/"$l_mname".conf + fi } ''' if disable_protocols['sctp']: script += ''' { -l_mname="sctp" # set module name -if ! 
modprobe -n -v "$l_mname" | grep -P -- '^\h*install -\/bin\/(true|false)'; then -echo -e " - setting module: \"$l_mname\" to be not loadable" -echo -e "install $l_mname /bin/false" >> -/etc/modprobe.d/"$l_mname".conf -fi -if lsmod | grep "$l_mname" > /dev/null 2>&1; then -echo -e " - unloading module \"$l_mname\"" -modprobe -r "$l_mname" -fi -if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then -echo -e " - deny listing \"$l_mname\"" -echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf -fi + l_mname="sctp" # Set module name + + # Check if the module is set to be not loadable and set it if not + if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install \/bin\/(true|false)'; then + echo -e " - Setting module: \"$l_mname\" to be not loadable" + echo "install $l_mname /bin/false" | sudo tee /etc/modprobe.d/"$l_mname".conf + fi + + # Unload the module if it is currently loaded + if lsmod | grep -q "$l_mname"; then + echo -e " - Unloading module \"$l_mname\"" + sudo modprobe -r "$l_mname" + fi + + # Blacklist the module if it is not already blacklisted + if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + echo -e " - Blacklisting \"$l_mname\"" + echo "blacklist $l_mname" | sudo tee -a /etc/modprobe.d/"$l_mname".conf + fi } + + ''' if disable_protocols['rds']: script += ''' +#!/bin/bash + { -l_mname="rds" # set module name -if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install -\/bin\/(true|false)'; then -echo -e " - setting module: \"$l_mname\" to be not loadable" -echo -e "install $l_mname /bin/false" >> -/etc/modprobe.d/"$l_mname".conf -fi -if lsmod | grep "$l_mname" > /dev/null 2>&1; then -echo -e " - unloading module \"$l_mname\"" -modprobe -r "$l_mname" -fi -if ! 
grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then -echo -e " - deny listing \"$l_mname\"" -echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf -fi + l_mname="rds" # Set module name + + # Check if the module is set to be not loadable and set it if not + if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install \/bin\/(true|false)'; then + echo -e " - Setting module: \"$l_mname\" to be not loadable" + echo "install $l_mname /bin/false" | sudo tee /etc/modprobe.d/"$l_mname".conf + fi + + # Unload the module if it is currently loaded + if lsmod | grep -q "$l_mname"; then + echo -e " - Unloading module \"$l_mname\"" + sudo modprobe -r "$l_mname" + fi + + # Blacklist the module if it is not already blacklisted + if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + echo -e " - Blacklisting \"$l_mname\"" + echo "blacklist $l_mname" | sudo tee -a /etc/modprobe.d/"$l_mname".conf + fi } + + ''' if disable_protocols['tipc']: script += ''' +#!/bin/bash + { -l_mname="tipc" # set module name -if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install -\/bin\/(true|false)'; then -echo -e " - setting module: \"$l_mname\" to be not loadable" -echo -e "install $l_mname /bin/false" >> -/etc/modprobe.d/"$l_mname".conf -fi -if lsmod | grep "$l_mname" > /dev/null 2>&1; then -echo -e " - unloading module \"$l_mname\"" -modprobe -r "$l_mname" -fi -if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then -echo -e " - deny listing \"$l_mname\"" -echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf -fi + l_mname="tipc" # Set module name + + # Check if the module is set to be not loadable and set it if not + if ! 
modprobe -n -v "$l_mname" | grep -P -- '^\h*install \/bin\/(true|false)'; then + echo -e " - Setting module: \"$l_mname\" to be not loadable" + echo "install $l_mname /bin/false" | sudo tee /etc/modprobe.d/"$l_mname".conf + fi + + # Unload the module if it is currently loaded + if lsmod | grep -q "$l_mname"; then + echo -e " - Unloading module \"$l_mname\"" + sudo modprobe -r "$l_mname" + fi + + # Blacklist the module if it is not already blacklisted + if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then + echo -e " - Blacklisting \"$l_mname\"" + echo "blacklist $l_mname" | sudo tee -a /etc/modprobe.d/"$l_mname".conf + fi } ''' From 7e67fc5591ce2b99f400cfbab51f703417ca1a55 Mon Sep 17 00:00:00 2001 From: chanakya Date: Wed, 20 Dec 2023 14:51:33 +0530 Subject: [PATCH 4/8] previlege escalation commands updated, enable added --- harden/privilege_escalation.py | 69 +++++++++++++++------------------- 1 file changed, 30 insertions(+), 39 deletions(-) diff --git a/harden/privilege_escalation.py b/harden/privilege_escalation.py index b073c79..ef86724 100644 --- a/harden/privilege_escalation.py +++ b/harden/privilege_escalation.py 
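Review bot: In each of the four module stanzas the install line now goes through `sudo tee /etc/modprobe.d/"$l_mname".conf` without `-a`, so any existing `dccp.conf`, `sctp.conf`, `rds.conf` or `tipc.conf` is truncated where the removed `>>` appended; an operator's earlier `blacklist` or `options` lines in that file are lost, and the blacklist check below only re-adds its own line. Use `echo "install $l_mname /bin/false" | sudo tee -a /etc/modprobe.d/"$l_mname".conf` here, consistent with the blacklist line two stanzas down. The dccp, sctp, rds and tipc stanzas are now identical except for `l_mname`; a single `for l_mname in ...; do` loop over the enabled `disable_protocols` keys (or a small Python helper returning the fragment) would remove the quadruplication and the inconsistency that the sctp stanza lacks the `#!/bin/bash` line the other three carry. The `\b` in `grep -Pslq -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$"` and in the KPF/IPV6F_CHK patterns has the same non-raw-string backspace problem raised on the gdm.py hunks of PATCH 1/8. get_script's body continues outside this hunk.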
@@ -2,86 +2,77 @@ def get_script(config): privilege_escalation_config = config["privilege_escalation"] - script = "" + script = "#!/bin/bash\n\n" # Start with a bash shebang and a newline if privilege_escalation_config["use_pty"]: script += ''' config_file="/etc/sudoers" +sudo cp "$config_file" "$config_file.bak" -cp "$config_file" "$config_file.bak" - -if grep -q "^Defaults[[:space:]]*use_pty" "$config_file"; then - echo -else - echo "Defaults use_pty" >> "$config_file" +if ! sudo grep -q "^Defaults[[:space:]]*use_pty" "$config_file"; then + echo "Defaults use_pty" | sudo tee -a "$config_file" fi ''' if privilege_escalation_config["enable_logfile"]: script += ''' config_file="/etc/sudoers" +sudo cp "$config_file" "$config_file.bak" -cp "$config_file" "$config_file.bak" - -if grep -q "^Defaults[[:space:]]*logfile" "$config_file"; then - echo -else - echo "Defaults logfile=/var/log/sudo.log" >> "$config_file" +if ! sudo grep -q "^Defaults[[:space:]]*logfile" "$config_file"; then + echo "Defaults logfile=/var/log/sudo.log" | sudo tee -a "$config_file" fi ''' if privilege_escalation_config["disable_nopassword"]: script += ''' config_file="/etc/sudoers" +sudo cp "$config_file" "$config_file.bak" -cp "$config_file" "$config_file.bak" - -if grep -q NOPASSWD "$config_file"; then - sed -i 'NOPASSWD/d' "$config_file" +if sudo grep -q NOPASSWD "$config_file"; then + sudo sed -i '/NOPASSWD/d' "$config_file" fi ''' if privilege_escalation_config["enable_reauthentication"]: script += ''' config_file="/etc/sudoers" +sudo cp "$config_file" "$config_file.bak" -cp "$config_file" "$config_file.bak" - -if grep -q "!authenticate" "$config_file"; then - sed -i '!authenticate/d' "$config_file" +if sudo grep -q "!authenticate" "$config_file"; then + sudo sed -i '/!authenticate/d' "$config_file" fi ''' + if privilege_escalation_config['enable_timeout']: + return script if privilege_escalation_config["authentication_timeout"]: - script += ''' -authentication_timeout = 
privilege_escalation_config["authentication_timeout"] + authentication_timeout = privilege_escalation_config["authentication_timeout"] + script += f''' config_file="/etc/sudoers" +sudo cp "$config_file" "$config_file.bak" -cp "$config_file" "$config_file.bak" - -if grep -q "^Defaults[[:space:]]*timestamp_timeout" "$config_file"; then - sed -i "s/^Defaults[[:space:]]*timestamp_timeout.*/Defaults timestamp_timeout=$authentication_timeout/" "$config_file" +if sudo grep -q "^Defaults[[:space:]]*timestamp_timeout" "$config_file"; then + sudo sed -i "s/^Defaults[[:space:]]*timestamp_timeout.*/Defaults timestamp_timeout={authentication_timeout}/" "$config_file" else - echo "Defaults timestamp_timeout=$authentication_timeout" >> "$config_file" + echo "Defaults timestamp_timeout={authentication_timeout}" | sudo tee -a "$config_file" fi -if grep -q "^Defaults[[:space:]]*env_reset,[[:space:]]*timestamp_timeout" "$config_file"; then - sed -i "s/^Defaults[[:space:]]*env_reset,[[:space:]]*timestamp_timeout.*/Defaults env_reset, timestamp_timeout=$authentication_timeout/" "$config_file" +if sudo grep -q "^Defaults[[:space:]]*env_reset,[[:space:]]*timestamp_timeout" "$config_file"; then + sudo sed -i "s/^Defaults[[:space:]]*env_reset,[[:space:]]*timestamp_timeout.*/Defaults env_reset, timestamp_timeout={authentication_timeout}/" "$config_file" else - echo "Defaults env_reset, timestamp_timeout=$authentication_timeout" >> "$config_file" + echo "Defaults env_reset, timestamp_timeout={authentication_timeout}" | sudo tee -a "$config_file" fi ''' if privilege_escalation_config["restrict_su"]: - script += ''' -empty_group = "sugroup" - -groupadd "$empty_group" - -su_line = "auth required pam_wheel.so use_uid group=$empty_group" -echo "$su_line" >> /etc/pam.d/su + empty_group = "sugroup" + script += f''' +sudo groupadd "$empty_group" || true # Ignore if group already exists +su_line="auth required pam_wheel.so use_uid group=$empty_group" +echo "$su_line" | sudo tee -a /etc/pam.d/su ''' 
return script if __name__ == "__main__": config = config_file.init() - print(get_script(config)) \ No newline at end of file + print(get_script(config)) From 4a864b4c5d1b41154541e0c44fa4364bba9b7667 Mon Sep 17 00:00:00 2001 From: chanakya Date: Wed, 20 Dec 2023 14:53:26 +0530 Subject: [PATCH 5/8] time Sync commands updated, enable added --- harden/time_sync.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/harden/time_sync.py b/harden/time_sync.py index 8b61edc..26d65d6 100644 --- a/harden/time_sync.py +++ b/harden/time_sync.py @@ -10,13 +10,13 @@ def get_script(config): # Install NTP package script += "sudo apt install ntp\n" # Add or edit the line in /etc/init.d/ntp - if file_systems_config['ntp_servers']: - for item in file_systems_config['ntp_servers']: - script += f"echo 'server {item}' iburst| sudo tee -a /etc/ntp.conf\n" - if file_systems_config['enable_ntp_user']: - script += "echo 'RUNASUSER=ntp' | sudo tee -a /etc/init.d/ntp\n" + if file_systems_config['enable_ntp_server']: + if file_systems_config['ntp_servers']: + for item in file_systems_config['ntp_servers']: + script += f"echo 'server {item}' iburst| sudo tee -a /etc/ntp.conf\n" + if file_systems_config['enable_ntp_user']: + script += "echo 'RUNASUSER=ntp' | sudo tee -a /etc/init.d/ntp\n" - # Restart NTP service script += "sudo systemctl restart ntp.service\n" From 1eff65b4b7220bfb3f3c7ea999d5b368b40ef636 Mon Sep 17 00:00:00 2001 From: chanakya Date: Wed, 20 Dec 2023 15:34:23 +0530 Subject: [PATCH 6/8] updated --- harden/ssh.py | 432 +++++++++++++++++++++++++------------------------- 1 file changed, 218 insertions(+), 214 deletions(-) diff --git a/harden/ssh.py b/harden/ssh.py index 023c4a8..6376c4f 100644 --- a/harden/ssh.py +++ b/harden/ssh.py 
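Review bot: The new guard `if privilege_escalation_config['enable_timeout']: return script` is inverted and too early: when the timeout feature is enabled it returns before the `authentication_timeout` block and also before `restrict_su`, and when it is disabled both run anyway. Replace the two added lines with one gate around the timeout block, `if privilege_escalation_config['enable_timeout'] and privilege_escalation_config["authentication_timeout"]:`, and let `restrict_su` follow unconditionally. In the `restrict_su` template `empty_group` became a Python name but the bash still reads `"$empty_group"`, which is never set, so `groupadd ""` fails (masked by `|| true`) and `pam_wheel.so ... group=` is written with an empty value; use `sudo groupadd "{empty_group}" || true` and `su_line="auth required pam_wheel.so use_uid group={empty_group}"`. Every stanza now edits `/etc/sudoers` in place with `sudo tee -a` and `sudo sed -i`, and a single malformed line there disables sudo for every user; run `sudo visudo -cf "$config_file"` after each edit and restore `"$config_file.bak"` on failure, or write the directives to a file under `/etc/sudoers.d/` and validate that instead.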
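Review bot: The new `if file_systems_config['enable_ntp_server']:` gate keeps `file_systems_config` as the name of the time-sync section, which reads as a copy-paste from the file-systems module and misleads readers of this file; renaming it to `time_sync_config` where it is presumably assigned above the hunk would be clearer. The re-indented line `f"echo 'server {item}' iburst| sudo tee -a /etc/ntp.conf\n"` leaves `iburst` outside the quotes and glued to the pipe, working only because echo re-joins its arguments; write `f"echo 'server {item} iburst' | sudo tee -a /etc/ntp.conf\n"`. The trailing `sudo systemctl restart ntp.service` context line still runs even when the new gate emitted no configuration. get_script's body continues outside this hunk.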
@@ -54,224 +54,228 @@ def get_script(config): find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \; ''' - script += f''' -user_list = {" ".join(network_config['allow_users'])} -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^AllowUsers" "$config_file"; then - sed -i "s/^AllowUsers.*/AllowUsers $user_list/" "$config_file" -else - echo "AllowUsers $user_list" >> "$config_file" -fi -''' - script += f''' -group_list = {" ".join(network_config['allow_groups'])} -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^AllowGroups" "$config_file"; then - sed -i "s/^AllowGroups.*/AllowGroups $group_list/" "$config_file" -else - echo "AllowGroups $group_list" >> "$config_file" -fi -''' - script += f''' -log_level = {network_config['log_level']} -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^LogLevel" "$config_file"; then - sed -i "s/^LogLevel.*/LogLevel $log_level/" "$config_file" -else - echo "LogLevel $log_level" >> "$config_file" -fi -''' - if network_config['enable_pam']: + if network_config['enable_users']: script += f''' -use_pam = yes -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^UsePAM" "$config_file"; then - sed -i "s/^UsePAM.*/UsePAM $use_pam/" "$config_file" -else - echo "UsePAM $use_pam" >> "$config_file" -fi -''' - if network_config['disable_root_login']: + user_list = {" ".join(network_config['allow_users'])} + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^AllowUsers" "$config_file"; then + sed -i "s/^AllowUsers.*/AllowUsers $user_list/" "$config_file" + else + echo "AllowUsers $user_list" >> "$config_file" + fi + ''' + if network_config['enable_groups']: script += f''' -permit_root_login = no -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^PermitRootLogin" "$config_file"; 
then - sed -i "s/^PermitRootLogin.*/PermitRootLogin $permit_root_login/" "$config_file" -else - echo "PermitRootLogin $permit_root_login" >> "$config_file" -fi -''' - if network_config['disable_host_based_auth']: - script += f''' -host_based_auth = no -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^HostbasedAuthentication" "$config_file"; then - sed -i "s/^HostbasedAuthentication.*/HostbasedAuthentication $host_based_auth/" "$config_file" -else - echo "HostbasedAuthentication $host_based_auth" >> "$config_file" -fi -''' + group_list = {" ".join(network_config['allow_groups'])} + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^AllowGroups" "$config_file"; then + sed -i "s/^AllowGroups.*/AllowGroups $group_list/" "$config_file" + else + echo "AllowGroups $group_list" >> "$config_file" + fi + ''' + if network_config['enable_log_level']: + script += f''' + log_level = {network_config['log_level']} + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^LogLevel" "$config_file"; then + sed -i "s/^LogLevel.*/LogLevel $log_level/" "$config_file" + else + echo "LogLevel $log_level" >> "$config_file" + fi + ''' + if network_config['enable_pam']: + script += f''' + use_pam = yes + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^UsePAM" "$config_file"; then + sed -i "s/^UsePAM.*/UsePAM $use_pam/" "$config_file" + else + echo "UsePAM $use_pam" >> "$config_file" + fi + ''' + if network_config['disable_root_login']: + script += f''' + permit_root_login = no + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^PermitRootLogin" "$config_file"; then + sed -i "s/^PermitRootLogin.*/PermitRootLogin $permit_root_login/" "$config_file" + else + echo "PermitRootLogin $permit_root_login" >> "$config_file" + fi + ''' + if network_config['disable_host_based_auth']: + script += 
f''' + host_based_auth = no + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^HostbasedAuthentication" "$config_file"; then + sed -i "s/^HostbasedAuthentication.*/HostbasedAuthentication $host_based_auth/" "$config_file" + else + echo "HostbasedAuthentication $host_based_auth" >> "$config_file" + fi + ''' - if network_config['disable_permit_empty_passwords']: + if network_config['disable_permit_empty_passwords']: + script += f''' + permit_empty_passwords = no + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^PermitEmptyPasswords" "$config_file"; then + sed -i "s/^PermitEmptyPasswords.*/PermitEmptyPasswords $permit_empty_passwords/" "$config_file" + else + echo "PermitEmptyPasswords $permit_empty_passwords" >> "$config_file" + fi + ''' + if network_config['disable_permit_user_env']: + script += f''' + permit_user_env = no + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^PermitUserEnvironment" "$config_file"; then + sed -i "s/^PermitUserEnvironment.*/PermitUserEnvironment $permit_user_env/" "$config_file" + else + echo "PermitUserEnvironment $permit_user_env" >> "$config_file" + fi + ''' + if network_config['enable_ignore_rhosts']: + script += f''' + ignore_rhosts = yes + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^IgnoreRhosts" "$config_file"; then + sed -i "s/^IgnoreRhosts.*/IgnoreRhosts $ignore_rhosts/" "$config_file" + else + echo "IgnoreRhosts $ignore_rhosts" >> "$config_file" + fi + ''' + if network_config['disable_x11_forwarding']: + script += f''' + x11_forwarding = no + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^X11Forwarding" "$config_file"; then + sed -i "s/^X11Forwarding.*/X11Forwarding $x11_forwarding/" "$config_file" + else + echo "X11Forwarding $x11_forwarding" >> "$config_file" + fi + ''' + if 
network_config['enable_strong_ciphers']: + script += f''' + ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^Ciphers" "$config_file"; then + sed -i "s/^Ciphers.*/Ciphers $ciphers/" "$config_file" + else + echo "Ciphers $ciphers" >> "$config_file" + fi + ''' + if network_config['enable_strong_mac_algorithms']: + script += f''' + macs = hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^MACs" "$config_file"; then + sed -i "s/^MACs.*/MACs $macs/" "$config_file" + else + echo "MACs $macs" >> "$config_file" + fi + ''' + if network_config['enable_strong_key_exchange_algorithms']: + script += f''' + kex_algorithms = curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^KexAlgorithms" "$config_file"; then + sed -i "s/^KexAlgorithms.*/KexAlgorithms $kex_algorithms/" "$config_file" + else + echo "KexAlgorithms $kex_algorithms" >> "$config_file" + fi + ''' + if network_config['disable_tcp_forwarding']: + script += f''' + allow_tcp_forwarding = no + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^AllowTcpForwarding" "$config_file"; then + sed -i "s/^AllowTcpForwarding.*/AllowTcpForwarding $allow_tcp_forwarding/" "$config_file" + else + echo "AllowTcpForwarding $allow_tcp_forwarding" >> "$config_file" + fi + ''' + if network_config['configure_warning_banner']: + script += f''' + warning_banner = /etc/issue.net + config_file="/etc/ssh/sshd_config" + + cp "$config_file" 
"$config_file.bak" + + if grep -q "^Banner" "$config_file"; then + sed -i "s/^Banner.*/Banner $warning_banner/" "$config_file" + else + echo "Banner $warning_banner" >> "$config_file" + fi + ''' + if network_config['enable_max_auth_tries']: script += f''' -permit_empty_passwords = no -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^PermitEmptyPasswords" "$config_file"; then - sed -i "s/^PermitEmptyPasswords.*/PermitEmptyPasswords $permit_empty_passwords/" "$config_file" -else - echo "PermitEmptyPasswords $permit_empty_passwords" >> "$config_file" -fi -''' - if network_config['disable_permit_user_env']: - script += f''' -permit_user_env = no -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^PermitUserEnvironment" "$config_file"; then - sed -i "s/^PermitUserEnvironment.*/PermitUserEnvironment $permit_user_env/" "$config_file" -else - echo "PermitUserEnvironment $permit_user_env" >> "$config_file" -fi -''' - if network_config['enable_ignore_rhosts']: - script += f''' -ignore_rhosts = yes -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^IgnoreRhosts" "$config_file"; then - sed -i "s/^IgnoreRhosts.*/IgnoreRhosts $ignore_rhosts/" "$config_file" -else - echo "IgnoreRhosts $ignore_rhosts" >> "$config_file" -fi -''' - if network_config['disable_x11_forwarding']: - script += f''' -x11_forwarding = no -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^X11Forwarding" "$config_file"; then - sed -i "s/^X11Forwarding.*/X11Forwarding $x11_forwarding/" "$config_file" -else - echo "X11Forwarding $x11_forwarding" >> "$config_file" -fi -''' - if network_config['enable_strong_ciphers']: - script += f''' -ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^Ciphers" 
"$config_file"; then - sed -i "s/^Ciphers.*/Ciphers $ciphers/" "$config_file" -else - echo "Ciphers $ciphers" >> "$config_file" -fi -''' - if network_config['enable_strong_mac_algorithms']: - script += f''' -macs = hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^MACs" "$config_file"; then - sed -i "s/^MACs.*/MACs $macs/" "$config_file" -else - echo "MACs $macs" >> "$config_file" -fi -''' - if network_config['enable_strong_key_exchange_algorithms']: - script += f''' -kex_algorithms = curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^KexAlgorithms" "$config_file"; then - sed -i "s/^KexAlgorithms.*/KexAlgorithms $kex_algorithms/" "$config_file" -else - echo "KexAlgorithms $kex_algorithms" >> "$config_file" -fi -''' - if network_config['disable_tcp_forwarding']: - script += f''' -allow_tcp_forwarding = no -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^AllowTcpForwarding" "$config_file"; then - sed -i "s/^AllowTcpForwarding.*/AllowTcpForwarding $allow_tcp_forwarding/" "$config_file" -else - echo "AllowTcpForwarding $allow_tcp_forwarding" >> "$config_file" -fi -''' - if network_config['configure_warning_banner']: - script += f''' -warning_banner = /etc/issue.net -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^Banner" "$config_file"; then - sed -i "s/^Banner.*/Banner $warning_banner/" "$config_file" -else - echo "Banner $warning_banner" >> "$config_file" -fi -''' - script += f''' -max_auth_tries = {network_config['max_auth_tries']} -config_file="/etc/ssh/sshd_config" - -cp "$config_file" 
"$config_file.bak" - -if grep -q "^MaxAuthTries" "$config_file"; then - sed -i "s/^MaxAuthTries.*/MaxAuthTries $max_auth_tries/" "$config_file" -else - echo "MaxAuthTries $max_auth_tries" >> "$config_file" -fi -''' - if network_config['configure_max_startups']: - script += f''' -max_startups = 10:30:60 -config_file="/etc/ssh/sshd_config" - -cp "$config_file" "$config_file.bak" - -if grep -q "^MaxStartups" "$config_file"; then - sed -i "s/^MaxStartups.*/MaxStartups $max_startups/" "$config_file" -else - echo "MaxStartups $max_startups" >> "$config_file" -fi -''' + max_auth_tries = {network_config['max_auth_tries']} + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^MaxAuthTries" "$config_file"; then + sed -i "s/^MaxAuthTries.*/MaxAuthTries $max_auth_tries/" "$config_file" + else + echo "MaxAuthTries $max_auth_tries" >> "$config_file" + fi + ''' + if network_config['configure_max_startups']: + script += f''' + max_startups = 10:30:60 + config_file="/etc/ssh/sshd_config" + + cp "$config_file" "$config_file.bak" + + if grep -q "^MaxStartups" "$config_file"; then + sed -i "s/^MaxStartups.*/MaxStartups $max_startups/" "$config_file" + else + echo "MaxStartups $max_startups" >> "$config_file" + fi + ''' script += f''' max_sessions = {network_config['max_sessions']} config_file="/etc/ssh/sshd_config" From 4794b94c6cbabed0547f7f7e66ee204f00dae62d Mon Sep 17 00:00:00 2001 From: chanakya Date: Wed, 20 Dec 2023 15:52:46 +0530 Subject: [PATCH 7/8] update --- config/sampleconfig.toml | 22 +++++++------- harden/pam.py | 64 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 11 deletions(-) create mode 100644 harden/pam.py diff --git a/config/sampleconfig.toml b/config/sampleconfig.toml index f29b13a..0f02b5b 100644 --- a/config/sampleconfig.toml +++ b/config/sampleconfig.toml 
@@ -92,34 +92,34 @@ enable_default_deny = true # Deny all traffic by default [ssh] configure_permissions = {sshd_config = true, private_host_key = true, public_host_key = true} -enable_allow_users = true +enable_allow_users = true # allow_users = ["user1", "user2"] -enable_allow_groups = true +enable_allow_groups = true # allow_groups = ["group1", "group2"] -enable_log_level = true +enable_log_level = true # log_level = "VERBOSE" # INFO, VERBOSE -enable_pam = true +enable_pam = true disable_root_login = true disable_host_based_auth = true disable_permit_empty_passwords = true disable_permit_user_env = true -enable_ignore_rhosts = true +enable_ignore_rhosts = true disable_x11_forwarding = true enable_strong_ciphers = true enable_strong_mac_algorithms = true enable_strong_key_exchange_algorithms = true disable_tcp_forwarding = false configure_warning_banner = true -enable_max_auth_tries = true +enable_max_auth_tries = true # max_auth_tries = 4 configure_max_startups = true -enable_max_sessions = true +enable_max_sessions = true # max_sessions = 10 -enable_login_grace_time = true +enable_login_grace_time = true # login_grace_time = 60 # in seconds -enable_client_alive_interval = true +enable_client_alive_interval = true # client_alive_interval = 300 # in seconds -enable_client_alive_count_max = true +enable_client_alive_count_max = true # client_alive_count_max = 3 [privilege_escalation] # Privilege Escalation @@ -131,6 +131,6 @@ enable_authentication_timeout = true authentication_timeout = 15 # in minutes restrict_su = true -[pam] # PAM +[pam] # Pluggable Authentication Modules required_password_level = "strong" # weak, medium, strong, stronger minimum_password_length = 14 diff --git a/harden/pam.py b/harden/pam.py new file mode 100644 index 0000000..4e241c3 --- /dev/null +++ b/harden/pam.py 
@@ -0,0 +1,64 @@
+from harden import config_file
+
+def get_script(config):
+ pam_config = config["pam"]
+
+ required_password_level = pam_config.get('required_password_level', 'medium')
+ minimum_password_length = pam_config.get('minimum_password_length', 14)
+
+ # Start with an empty script and build it up
+ script = """
+#!/bin/bash
+
+# Ensure the pam_pwquality module is installed
+echo "Installing pam_pwquality module..."
+sudo apt install libpam-pwquality -y
+
+# Configure password quality requirements in /etc/security/pwquality.conf
+echo "Configuring password policies..."
+
+pwquality_conf="/etc/security/pwquality.conf"
+
+# Create a backup of the original pwquality.conf file
+sudo cp "$pwquality_conf" "$pwquality_conf.bak"
+
+# Set minimum password length
+sudo sed -i '/^minlen = /d' "$pwquality_conf" # Remove existing minlen settings
+echo "minlen = {}" | sudo tee -a "$pwquality_conf"
+""".format(minimum_password_length)
+
+ if required_password_level == 'strong':
+ # Strong password complexity settings
+ script += """
+# Strong password complexity requirements
+sudo sed -i '/^dcredit = /d' "$pwquality_conf" # Remove existing dcredit settings
+sudo sed -i '/^ucredit = /d' "$pwquality_conf" # Remove existing ucredit settings
+sudo sed -i '/^ocredit = /d' "$pwquality_conf" # Remove existing ocredit settings
+sudo sed -i '/^lcredit = /d' "$pwquality_conf" # Remove existing lcredit settings
+echo "dcredit = -1" | sudo tee -a "$pwquality_conf"
+echo "ucredit = -1" | sudo tee -a "$pwquality_conf"
+echo "ocredit = -1" | sudo tee -a "$pwquality_conf"
+echo "lcredit = -1" | sudo tee -a "$pwquality_conf"
+"""
+
+ elif required_password_level == 'medium':
+ # Medium password complexity settings
+ # (Adjust as needed based on your definition of medium complexity)
+ script += """
+# Medium password complexity requirements
+sudo sed -i '/^minclass = /d' "$pwquality_conf" # Remove existing minclass settings
+echo "minclass = 3" | sudo tee -a "$pwquality_conf"
+"""
+
+ # 
Add further conditions for 'weak' or 'stronger' if required + + script += """ +echo "PAM password policies have been configured successfully." +""" + + return script + +if __name__ == "__main__": + config = config_file.init() + generated_script = get_script(config) + print(generated_script) From 3c29e27e10ffcf253b0bd37f28a7697ef0795f37 Mon Sep 17 00:00:00 2001 From: chanakya Date: Wed, 20 Dec 2023 16:06:52 +0530 Subject: [PATCH 8/8] pam added --- harden/pam.py | 45 +++++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/harden/pam.py b/harden/pam.py index 4e241c3..263c1a0 100644 --- a/harden/pam.py +++ b/harden/pam.py @@ -4,7 +4,11 @@ def get_script(config): pam_config = config["pam"] required_password_level = pam_config.get('required_password_level', 'medium') - minimum_password_length = pam_config.get('minimum_password_length', 14) + enable_password_length = pam_config.get('enable_password_length', True) + minimum_password_length = pam_config.get('minimum_password_length', 14) if enable_password_length else 6 + limit_password_reuse = pam_config.get('limit_password_reuse', True) + password_reuse_limit = pam_config.get('password_reuse_limit', 5) + configure_hashing_algorithm = pam_config.get('configure_hashing_algorithm', True) # Start with an empty script and build it up script = """ 
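Review bot: Any `required_password_level` other than `'strong'` or `'medium'` — including `'weak'` and `'stronger'`, both listed as valid in sampleconfig.toml, or a capitalisation typo — falls through both branches silently, so the generated script prints "configured successfully" while enforcing only minlen. I would fail closed with `else: raise ValueError(f"unsupported required_password_level: {required_password_level!r}")` until those levels are implemented. `minimum_password_length` is also interpolated into the shell line as-is; `int(pam_config.get('minimum_password_length', 14))` makes a non-numeric config value fail in Python instead of producing an invalid pwquality.conf. Whether pwquality.conf is consulted at all depends on pam_pwquality being in the password stack, which installing libpam-pwquality normally arranges on Debian-based systems — worth stating in a comment since the script does not check it.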
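Review bot: With `enable_password_length = false`, `minimum_password_length = ... if enable_password_length else 6` still writes `minlen = 6`, so turning the option off lowers the minimum below pam_pwquality's documented default of 8 rather than leaving it alone. I would skip the minlen write entirely when the option is off, e.g. `minimum_password_length = int(pam_config['minimum_password_length']) if enable_password_length else None`, and only emit the `minlen` line when it is not None. The same `int(...)` coercion belongs on `password_reuse_limit`, which is later interpolated into a sed expression. The function body continues past this hunk.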
@@ -18,44 +22,45 @@ def get_script(config): echo "Configuring password policies..." pwquality_conf="/etc/security/pwquality.conf" - -# Create a backup of the original pwquality.conf file sudo cp "$pwquality_conf" "$pwquality_conf.bak" - -# Set minimum password length -sudo sed -i '/^minlen = /d' "$pwquality_conf" # Remove existing minlen settings echo "minlen = {}" | sudo tee -a "$pwquality_conf" """.format(minimum_password_length) if required_password_level == 'strong': - # Strong password complexity settings script += """ -# Strong password complexity requirements -sudo sed -i '/^dcredit = /d' "$pwquality_conf" # Remove existing dcredit settings -sudo sed -i '/^ucredit = /d' "$pwquality_conf" # Remove existing ucredit settings -sudo sed -i '/^ocredit = /d' "$pwquality_conf" # Remove existing ocredit settings -sudo sed -i '/^lcredit = /d' "$pwquality_conf" # Remove existing lcredit settings +sudo sed -i '/^dcredit = /d' "$pwquality_conf" +sudo sed -i '/^ucredit = /d' "$pwquality_conf" +sudo sed -i '/^ocredit = /d' "$pwquality_conf" +sudo sed -i '/^lcredit = /d' "$pwquality_conf" echo "dcredit = -1" | sudo tee -a "$pwquality_conf" echo "ucredit = -1" | sudo tee -a "$pwquality_conf" echo "ocredit = -1" | sudo tee -a "$pwquality_conf" echo "lcredit = -1" | sudo tee -a "$pwquality_conf" """ - elif required_password_level == 'medium': - # Medium password complexity settings - # (Adjust as needed based on your definition of medium complexity) script += """ -# Medium password complexity requirements -sudo sed -i '/^minclass = /d' "$pwquality_conf" # Remove existing minclass settings +sudo sed -i '/^minclass = /d' "$pwquality_conf" echo "minclass = 3" | sudo tee -a "$pwquality_conf" """ - # Add further conditions for 'weak' or 'stronger' if required - script += """ -echo "PAM password policies have been configured successfully." 
+ if limit_password_reuse: + script += """ +# Limit password reuse +common_password="/etc/pam.d/common-password" +sudo sed -i '/pam_unix.so/ s/remember=[0-9]*/remember={}/' "$common_password" +""".format(password_reuse_limit) + + if configure_hashing_algorithm: + script += """ +# Configure hashing algorithm +sudo sed -i '/pam_unix.so/ s/\bmd5\b/yescrypt/' "$common_password" +login_defs="/etc/login.defs" +sudo sed -i '/^ENCRYPT_METHOD /c\ENCRYPT_METHOD yescrypt' "$login_defs" """ + script += "echo \"PAM configurations have been applied successfully.\"" + return script if __name__ == "__main__":
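Review bot: The hashing-algorithm block is a non-raw Python string, so `\bmd5\b` in `sudo sed -i '/pam_unix.so/ s/\bmd5\b/yescrypt/'` reaches the shell with two literal backspace characters (Python's `\b` escape) and never matches, and `\E` in `c\ENCRYPT_METHOD yescrypt` is an invalid escape that Python only keeps by accident; make that block `r"""..."""` or double the backslashes. The `remember=` substitution only rewrites a `remember=` token that already exists, so on a common-password whose pam_unix line has none the reuse limit is silently not applied — keep the substitution and add `grep -Eq 'pam_unix\.so.*remember=' "$common_password" || sudo sed -i '/pam_unix\.so/ s/$/ remember={}/' "$common_password"` for the missing case. Dropping `sudo sed -i '/^minlen = /d'` ahead of `echo "minlen = {}" | sudo tee -a` also makes the minlen write non-idempotent, leaving repeated entries after each run. The enclosing get_script begins before this hunk.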