Final Round Updates

config/sampleconfig.toml

@@ -92,18 +92,18 @@ enable_default_deny = true # Deny all traffic by default
 
 [ssh]
 configure_permissions = {sshd_config = true, private_host_key = true, public_host_key = true}
-enable_allow_users = true
+enable_allow_users = true # 
 allow_users = ["user1", "user2"]
-enable_allow_groups = true
+enable_allow_groups = true #
 allow_groups = ["group1", "group2"]
-enable_log_level = true
+enable_log_level = true #
 log_level = "VERBOSE" # INFO, VERBOSE
-enable_pam = true
+enable_pam = true 
 disable_root_login = true
 disable_host_based_auth = true
 disable_permit_empty_passwords = true
 disable_permit_user_env = true
-enable_ignore_rhosts = true
+enable_ignore_rhosts = true 
 disable_x11_forwarding = true
 enable_strong_ciphers = true
 enable_strong_mac_algorithms = true
@@ -115,11 +115,11 @@ enable_max_auth_tries = true
 max_auth_tries = 4
 enable_max_sessions = true
 max_sessions = 10
-enable_login_grace_time = true
+enable_login_grace_time = true #
 login_grace_time = 60 # in seconds
-enable_client_alive_interval = true
+enable_client_alive_interval = true #
 client_alive_interval = 300 # in seconds
-enable_client_alive_count_max = true
+enable_client_alive_count_max = true #
 client_alive_count_max = 3
 
 [privilege_escalation] # Privilege Escalation
@@ -131,7 +131,7 @@ enable_authentication_timeout = true
 authentication_timeout = 15 # in minutes
 restrict_su = true
 
-[pam] # PAM
+[pam] # Pluggable Authentication Modules
 enable_password_level = true
 required_password_level = "strong" # weak, medium, strong, stronger
 enable_password_length = true

harden/file_systems/cramfs.py

@@ -2,13 +2,13 @@
 
 def get_script(config):
     file_systems_config = config["file-systems"]
-    
+
     script = "#!/bin/bash\n\n"  # Start with a bash shebang and a newline
 
     # Loop through each filesystem module in the configuration
     for fs_module in file_systems_config['block']:
         if file_systems_config['block'][fs_module]:
-            script += """
+            script += f"""
 echo "Processing module: {fs_module}..."
 
 # Check if module '{fs_module}' is set to be not loadable

harden/firewall.py

@@ -4,19 +4,19 @@ def get_script(config):
     firewall_config = config["firewall"]
     script = "#!/bin/bash\n\n"  # Start with a bash shebang and a newline
 
-    if firewall_config.get('enable', False):
+    if firewall_config['enable']:
         script += "sudo apt install ufw -y\n"  # Install UFW
         script += "sudo apt purge iptables-persistent -y\n"  # Purge iptables-persistent
         script += "sudo systemctl enable --now ufw.service\n"  # Enable and start UFW
 
-        if firewall_config.get('configure_loopback_traffic', False):
+        if firewall_config['configure_loopback_traffic']:
             # Configure loopback traffic rules
             script += "sudo ufw allow in on lo\n"
             script += "sudo ufw allow out on lo\n"
             script += "sudo ufw deny in from 127.0.0.0/8\n"
             script += "sudo ufw deny in from ::1\n"
 
-        if firewall_config.get('enable_default_deny', False):
+        if firewall_config['enable_default_deny']:
             # Set default deny policies
             script += "sudo ufw default deny incoming\n"
             script += "sudo ufw default deny outgoing\n"

harden/gdm.py

@@ -38,51 +38,56 @@ def get_script(config):
 echo -e "[org/gnome/desktop/screensaver]\nlock-delay=uint32 1" | dconf write /org/gnome/desktop/screensaver/lock-delay"""
     if file_systems_config['no_override_lockscreen']:
         script += """
+#!/bin/bash
+
+# Check if GNOME Desktop Manager is installed
 l_pkgoutput=""
 if command -v dpkg-query > /dev/null 2>&1; then
     l_pq="dpkg-query -W"
 elif command -v rpm > /dev/null 2>&1; then
     l_pq="rpm -q"
+else
+    echo "Package manager not found."
+    exit 1
 fi
+
+# Space-separated list of packages to check
 l_pcl="gdm gdm3"
 for l_pn in $l_pcl; do
-    $l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="y" && echo -e "\n - Package: \"$l_pn\" exists on the system\n - Remediating configuration if needed"
+    if $l_pq "$l_pn" > /dev/null 2>&1; then
+        l_pkgoutput+=$'\n'"- Package: \"$l_pn\" exists on the system\n - checking configuration"
+    fi
 done
+
+# If GDM is installed, check configuration
 if [ -n "$l_pkgoutput" ]; then
-    l_kfd="/etc/dconf/db/$(grep -Psril '^\h*idle-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"  # Set the directory of the key file to be locked
-    l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*lock-delay\h*=\h*uint32\h+\d+\b' /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"  # Set the directory of the key file to be locked
+    l_output="" l_output2=""
 
-    if [ -d "$l_kfd" ]; then
-        if grep -Prilq '^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd"; then
-            echo " - \"idle-delay\" is locked in \"$(grep -Pril'^\h*\/org\/gnome\/desktop\/session\/idle-delay\b' "$l_kfd")\""
+    # Check for automount and automount-open settings
+    for key in automount automount-open; do
+        l_kfd="/etc/dconf/db/$(grep -Psril "^\h*$key\b" /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
+
+        if [ -d "$l_kfd" ]; then
+            if grep -Piq "^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd"; then
+                l_output+=$'\n'"- \"$key\" is locked in \"$(grep -Pil "^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd")\""
+            else
+                l_output2+=$'\n'"- \"$key\" is not locked"
+            fi
         else
-            echo "Creating entry to lock \"idle-delay\""
-            [ ! -d "$l_kfd"/locks ] && echo "Creating directory $l_kfd/locks" && mkdir "$l_kfd"/locks
-            {
-                echo -e '\n# Lock desktop screensaver idle-delay setting'
-                echo '/org/gnome/desktop/session/idle-delay'
-            } >> "$l_kfd"/locks/00-screensaver
+            l_output2+=$'\n'"- \"$key\" is not set so it cannot be locked"
         fi
-    else
-        echo -e " - \"idle-delay\" is not set so it cannot be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
-    fi
+    done
+else
+    l_output+=$'\n'"- GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+fi
 
-    if [ -d "$l_kfd2" ]; then
-        if grep -Prilq '^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2"; then
-            echo " - \"lock-delay\" is locked in \"$(grep -Pril'^\h*\/org\/gnome\/desktop\/screensaver\/lock-delay\b' "$l_kfd2")\""
-        else
-            echo "Creating entry to lock \"lock-delay\""
-            [ ! -d "$l_kfd2"/locks ] && echo "Creating directory $l_kfd2/locks" && mkdir "$l_kfd2"/locks
-            {
-                echo -e '\n# Lock desktop screensaver lock-delay setting'
-                echo '/org/gnome/desktop/screensaver/lock-delay'
-            } >> "$l_kfd2"/locks/00-screensaver
-        fi
-    else
-        echo -e " - \"lock-delay\" is not set so it cannot be locked\n - Please follow Recommendation \"Ensure GDM screen locks when the user is idle\" and follow this Recommendation again"
-    fi
+# Report results
+[ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
+if [ -z "$l_output2" ]; then
+    echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
 else
-    echo -e " - GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
+    echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+    [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
 fi
 """
     if file_systems_config['disable_automount']:
@@ -168,73 +173,58 @@ def get_script(config):
     if file_systems_config['lock_automount']:
         script += """
 
-# Check if GNOME Desktop Manager is installed. If package isn't
-installed, recommendation is Not Applicable\n
-# determine system's package manager
+#!/bin/bash
+
+# Check if GNOME Desktop Manager is installed
 l_pkgoutput=""
 if command -v dpkg-query > /dev/null 2>&1; then
-l_pq="dpkg-query -W"
+    l_pq="dpkg-query -W"
 elif command -v rpm > /dev/null 2>&1; then
-l_pq="rpm -q"
+    l_pq="rpm -q"
+else
+    echo "Package manager not found."
+    exit 1
 fi
-# Check if GDM is installed
-l_pcl="gdm gdm3" # Space seporated list of packages to check
+
+# Space-separated list of packages to check
+l_pcl="gdm gdm3"
 for l_pn in $l_pcl; do
-$l_pq "$l_pn" > /dev/null 2>&1 && l_pkgoutput="$l_pkgoutput\n -
-Package: \"$l_pn\" exists on the system\n - checking configuration"
+    if $l_pq "$l_pn" > /dev/null 2>&1; then
+        l_pkgoutput+=$'\n'"- Package: \"$l_pn\" exists on the system\n - checking configuration"
+    fi
 done
-# Check configuration (If applicable)
+
+# If GDM is installed, check configuration
 if [ -n "$l_pkgoutput" ]; then
-l_output="" l_output2=""
-# Look for idle-delay to determine profile in use, needed for remaining
-tests
-l_kfd="/etc/dconf/db/$(grep -Psril '^\h*automount\b' /etc/dconf/db/*/ |
-awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set directory of key file
-to be locked
-l_kfd2="/etc/dconf/db/$(grep -Psril '^\h*automount-open\b'
-/etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d" #set
-directory of key file to be locked
-if [ -d "$l_kfd" ]; then # If key file directory doesn't exist, options
-can't be locked
-if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount\b'
-"$l_kfd"; then
-l_output="$l_output\n - \"automount\" is locked in \"$(grep -Pil
-'^\h*\/org/gnome\/desktop\/media-handling\/automount\b' "$l_kfd")\""
-else
-l_output2="$l_output2\n - \"automount\" is not locked"
-fi
-else
-l_output2="$l_output2\n - \"automount\" is not set so it can not be
-locked"
-fi
-if [ -d "$l_kfd2" ]; then # If key file directory doesn't exist,
-options can't be locked
-if grep -Piq '^\h*\/org/gnome\/desktop\/media-handling\/automount-
-open\b' "$l_kfd2"; then
-l_output="$l_output\n - \"lautomount-open\" is locked in \"$(grep
--Pril '^\h*\/org/gnome\/desktop\/media-handling\/automount-open\b'
-"$l_kfd2")\""
-else
-l_output2="$l_output2\n - \"automount-open\" is not locked"
-fi
-else
-l_output2="$l_output2\n - \"automount-open\" is not set so it can
-not be locked"
-fi
+    l_output="" l_output2=""
+
+    # Check for automount and automount-open settings
+    for key in automount automount-open; do
+        l_kfd="/etc/dconf/db/$(grep -Psril "^\h*$key\b" /etc/dconf/db/*/ | awk -F'/' '{split($(NF-1),a,".");print a[1]}').d"
+
+        if [ -d "$l_kfd" ]; then
+            if grep -Piq "^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd"; then
+                l_output+=$'\n'"- \"$key\" is locked in \"$(grep -Pil "^\h*\/org\/gnome\/desktop\/media-handling\/$key\b" "$l_kfd")\""
+            else
+                l_output2+=$'\n'"- \"$key\" is not locked"
+            fi
+        else
+            l_output2+=$'\n'"- \"$key\" is not set so it cannot be locked"
+        fi
+    done
 else
-Page 180
-l_output="$l_output\n - GNOME Desktop Manager package is not installed
-on the system\n - Recommendation is not applicable"
+    l_output+=$'\n'"- GNOME Desktop Manager package is not installed on the system\n - Recommendation is not applicable"
 fi
-# Report results. If no failures output in l_output2, we pass
+
+# Report results
 [ -n "$l_pkgoutput" ] && echo -e "\n$l_pkgoutput"
 if [ -z "$l_output2" ]; then
-echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
+    echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
 else
-echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
-failure:\n$l_output2\n"
-[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
+    echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
+    [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
 fi
+
 """
 
     if file_systems_config['disable_autorun']: