ardecy 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dfee812e31a5a1dc6f31eaa70fb6837459732157ef174fd215eb215ea299f0c7
-  data.tar.gz: 5933831912f0b6770be89ba4bf9821aa12503600ca9e4e23d90df35837d453d6
+  metadata.gz: 4c8c6a3f88a5c4b22a77af705bc9e05c4b384d71c5b9b05de8d8437d6d58faf8
+  data.tar.gz: 698148322c56fadf979171e1bcc4f79fdc148ef0da01153e0b8605e9ba87c32b
 SHA512:
-  metadata.gz: 3d2145fe504aa730c778092360531ec37da9e72c12e7c1edfcf66f8a459dd7b02188defe1fa3572c1931e7422bad12bdba19ca124f7164025c336c4c340c7f2f
-  data.tar.gz: 9032e9a78441de631fb46bd03ad47fb3770815f229a8c2b2200e161bb12581f95f49e623e7a6d7ef2e69bdd0b18f7034c116f8f9b92b9a58fcc2b9cf51a27637
+  metadata.gz: 82bd529f6a10201ac3440836f04c98a533db3537238f172387a14d94df59cf632e1794dd36a301a3baeacaaf99e304e5165c9de39bec3df60c54f78a780247f1
+  data.tar.gz: 2f7bf24bfc3923eda049c5fb58d921696b03cccdaa37f11291e1f37e0eff7fc1fafa1c65ecda1d53ddc7c9a5267b354265682af0e6af48454e3c2c7a476a1ab4

data/README.md

@@ -2,8 +2,12 @@
 
 <div align="center">
 <br/>
-[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+
 [![Gem Version](https://badge.fury.io/rb/ardecy.svg)](https://badge.fury.io/rb/ardecy)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/szorfein/ardecy/Rubocop/main)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop/rubocop)
+![GitHub](https://img.shields.io/github/license/szorfein/ardecy)
+
 </div>
 
 Ardecy is a security, privacy auditing, fixing and hardening tool for Linux.
@@ -13,7 +17,7 @@ Ardecy is a security, privacy auditing, fixing and hardening tool for Linux.
 With gem:
 
     gem cert --add <(curl -Ls https://raw.githubusercontent.com/szorfein/ardecy/master/certs/szorfein.pem)
-    gem install ardecy-0.0.1.gem -P HighSecurity
+    gem install ardecy -P HighSecurity
     ardecy -h
 
 With github:

data/lib/ardecy.rb

@@ -15,10 +15,11 @@ module Ardecy
     end
 
     def scan
-      Harden.sysctl({
-        audit: @cli[:audit],
-        fix: @cli[:fix]
-      })
+      Harden.sysctl(@cli)
+      Harden.modules(@cli)
+      Harden.permissions(@cli)
+      Harden.mountpoint(@cli)
+      Harden.cmdline(@cli)
     end
 
     def bye

data/lib/ardecy/harden.rb

@@ -2,6 +2,10 @@
 
 require 'display'
 require_relative 'harden/sysctl'
+require_relative 'harden/modules'
+require_relative 'harden/perms'
+require_relative 'harden/mountpoint'
+require_relative 'harden/cmdline'
 
 module Ardecy
   module Harden
@@ -13,39 +17,59 @@ module Ardecy
       sysctl_network(args)
     end
 
-    def self.sysctl_kernel(args)
-      title 'Kernel Hardening'
+    def self.modules(args)
+      puts
+      title 'Kernel Modules'
+      Modules::Blacklist.exec(args)
+      return unless args[:fix]
+
+      if Dir.exist? '/etc/modprobe.d/'
+        conf = '/etc/modprobe.d/ardecy_blacklist.conf'
+        writing(conf, Modules::BLACKLIST, args[:audit])
+      else
+        puts "[-] Directory /etc/modprobe.d/ no found..."
+      end
+    end
 
-      Sysctl::Kernel::KPointer.new(args).x
-      Sysctl::Kernel::Dmesg.new(args).x
-      Sysctl::Kernel::Printk.new(args).x
-      Sysctl::Kernel::BpfDisabled.new(args).x
-      Sysctl::Kernel::BpfJitHarden.new(args).x
-      Sysctl::Kernel::LdiskAutoload.new(args).x
-      Sysctl::Kernel::UserFaultFd.new(args).x
-      Sysctl::Kernel::KExecLoadDisabled.new(args).x
-      Sysctl::Kernel::SysRQ.new(args).x
-      Sysctl::Kernel::UsernsClone.new(args).x
-      Sysctl::Kernel::MaxUserNameSpace.new(args).x
-      Sysctl::Kernel::PerfEventParanoid.new(args).x
-      Sysctl::Kernel::YamaPtrace.new(args).x
-      Sysctl::Kernel::VmMmapRndBits.new(args).x
-      Sysctl::Kernel::VmMmapRndCompatBits.new(args).x
-      Sysctl::Kernel::FsProtectedSymlinks.new(args).x
-      Sysctl::Kernel::FsProtectedHardlinks.new(args).x
-      Sysctl::Kernel::FsProtectedFifos.new(args).x
-      Sysctl::Kernel::FsProtectedRegular.new(args).x
+    def self.permissions(args)
+      puts
+      title 'Directory Permissions'
+      Perms::Directory.exec(args)
+    end
 
-      return unless args[:fix]
+    def self.mountpoint(args)
+      puts
+      title 'Mountpoint'
+      Mountpoint.exec(args)
+    end
 
-      conf = '/etc/sysctl.d/ardecy_kernel.conf'
-      puts if args[:audit]
-      puts " ===> Applying at #{conf}..."
+    def self.cmdline(args)
       puts
-      kernel_correct_show Sysctl::KERNEL
-      Sysctl::KERNEL << "\n"
+      title 'Kernel Cmdline'
+      CmdLine.exec(args)
+    end
+
+    def self.writing(file, list, audit = false)
+      return unless list.length >= 1
+
+      puts if audit
+      puts " ===> Applying at #{file}..."
+      display_fix_list list
+
+      list << "\n"
+      list_f = list.freeze
+
+      File.write(file, list_f.join("\n"), mode: 'w', chmod: 644)
+    end
+
+    def self.sysctl_kernel(args)
+      title 'Kernel Hardening'
+      Sysctl::Kernel.exec(args)
+      return unless args[:fix]
+
       if Dir.exist? '/etc/sysctl.d/'
-        File.write(conf, Sysctl::KERNEL.join("\n"), mode: 'w', chmod: 0644)
+        conf = '/etc/sysctl.d/ardecy_kernel.conf'
+        writing(conf, Sysctl::KERNEL, args[:audit])
       else
         puts '[-] Directory /etc/sysctl.d/ no found.'
       end
@@ -53,40 +77,12 @@ module Ardecy
 
     def self.sysctl_network(args)
       title 'Network Hardening'
-
-      Sysctl::Network::TcpSynCookie.new(args).x
-      Sysctl::Network::RFC1337.new(args).x
-      Sysctl::Network::AllRpFilter.new(args).x
-      Sysctl::Network::DefaultRpFilter.new(args).x
-      Sysctl::Network::AllAcceptRedirects.new(args).x
-      Sysctl::Network::DefaultAcceptRedirects.new(args).x
-      Sysctl::Network::AllSecureRedirects.new(args).x
-      Sysctl::Network::DefaultSecureRedirects.new(args).x
-      Sysctl::Network::Ipv6AllAcceptRedirects.new(args).x
-      Sysctl::Network::Ipv6DefaultAcceptRedirects.new(args).x
-      Sysctl::Network::AllSendRedirects.new(args).x
-      Sysctl::Network::DefaultSendRedirects.new(args).x
-      Sysctl::Network::IcmpEchoIgnoreAll.new(args).x
-      Sysctl::Network::AllAcceptSourceRoute.new(args).x
-      Sysctl::Network::DefaultAcceptSourceRoute.new(args).x
-      Sysctl::Network::Ipv6AllAcceptSourceRoute.new(args).x
-      Sysctl::Network::Ipv6DefaultAcceptSourceRoute.new(args).x
-      Sysctl::Network::Ipv6ConfAllAcceptRa.new(args).x
-      Sysctl::Network::Ipv6ConfDefaultAcceptRa.new(args).x
-      Sysctl::Network::TcpSack.new(args).x
-      Sysctl::Network::TcpDSack.new(args).x
-      Sysctl::Network::TcpFack.new(args).x
-
+      Sysctl::Network.exec(args)
       return unless args[:fix]
 
-      conf = '/etc/sysctl.d/ardecy_network.conf'
-      puts if args[:audit]
-      puts " ===> Applying at #{conf}..."
-      puts
-      kernel_correct_show Sysctl::NETWORK
-      Sysctl::NETWORK << "\n"
       if Dir.exist? '/etc/sysctl.d/'
-        File.write(conf, Sysctl::NETWORK.join("\n"), mode: 'w', chmod: 0644)
+        conf = '/etc/sysctl.d/ardecy_network.conf'
+        writing(conf, Sysctl::NETWORK, args[:audit])
       else
         puts '[-] Directory /etc/sysctl.d/ no found.'
       end

data/lib/ardecy/harden/cmdline.rb

@@ -0,0 +1,222 @@
+# frozen_string_literal: true
+
+require 'display'
+require 'nito'
+
+module Ardecy
+  module Harden
+    module CmdLine
+      def self.exec(args)
+        SlabNoMerge.new(args).x
+        SlubDebug.new(args).x
+        InitOnAlloc.new(args).x
+        InitOnFree.new(args).x
+        PageAllocShuffle.new(args).x
+        PtiOn.new(args).x
+        VSyscall.new(args).x
+        DebugFS.new(args).x
+        ModuleSig.new(args).x
+        LockdownConfident.new(args).x
+        Quiet.new(args).x
+        LogLevel.new(args).x
+      end
+
+      class LineInc
+        include Display
+        include NiTo
+
+        def initialize(args)
+          @name = 'pti=on'
+          @res = 'FAIL'
+          @tab = 4
+          @args = args
+        end
+
+        def x
+          scan
+          fix
+        end
+
+        def scan
+          curr_line = File.readlines('/proc/cmdline')
+          curr_line.each { |l| @res = 'OK' if l =~ /#{@name}/ }
+          print "  - include #{@name}" if @args[:audit]
+          @tab ? result(@res, @tab) : result(@res) if @args[:audit]
+        end
+
+        def fix
+          return unless @args[:fix]
+          return if @res =~ /OK/
+
+          if File.exist? '/etc/default/grub'
+            apply_grub '/etc/default/grub'
+          elsif @args[:syslinux]
+            apply_syslinux @args[:syslinux]
+          elsif File.exist? '/boot/syslinux/syslinux.cfg'
+            apply_syslinux '/boot/syslinux/syslinux.cfg'
+          elsif @args[:bootctl]
+            apply_bootctl @args[:bootctl]
+          else
+            puts
+            puts "[-] No config file supported yet to applying #{@name}."
+          end
+        end
+
+        # conf path can be something like:
+        # /efi/loader/entries/gentoo.conf
+        def apply_bootctl(conf)
+          line = get_bootctl_line(conf)
+          args = []
+          line.split(' ').each { |a| args << a if a =~ /[a-z0-9=]+/ }
+          args << @name
+          args = args.uniq()
+          args.delete('options')
+          @final_line = 'options ' + args.join(' ')
+          print " ===> Adding #{@name} \n\n"
+          sed(/^options/, "#{@final_line}", conf)
+        end
+
+        def get_bootctl_line(conf)
+          File.readlines(conf).each { |l| return l if l =~ /^options/ }
+          'options'
+        end
+
+        def apply_syslinux(conf)
+          line = get_syslinux_line(conf)
+          args = []
+          line.split(' ').each { |a| args << a if a =~ /[a-z0-9=]+/ }
+          args << @name
+          args = args.uniq()
+          @final_line = 'APPEND ' + args.join(' ')
+          print " ===> Adding #{@name} \n\n"
+          sed(/\s+APPEND/, "    #{@final_line}", conf) # with 4 spaces
+        end
+
+        # apply_grub
+        # Get all the current arguments from config file
+        # And reinject them with new @name
+        # Build the variable @final_line
+        def apply_grub(conf)
+          line = get_grub_line(conf)
+          args = []
+
+          line_split = line.split("GRUB_CMDLINE_LINUX_DEFAULT=\"")
+          args_split = line_split[1].split(' ')
+          args_split.each { |a| args << a.tr('"', '') if a =~ /[a-z0-9=]+/ }
+          args << @name
+          args = args.uniq()
+
+          @final_line = "GRUB_CMDLINE_LINUX_DEFAULT=\"" + args.join(' ') + "\""
+          print " ===> Adding #{@name} \n\n"
+          write_to_grub(conf)
+        end
+
+        def write_to_grub(conf)
+          sed(/^GRUB_CMDLINE_LINUX_DEFAULT/, @final_line, conf)
+        end
+
+        def get_grub_line(conf)
+          File.readlines(conf).each { |l| return l if l =~ /^GRUB_CMDLINE_LINUX_DEFAULT/ }
+          "GRUB_CMDLINE_LINUX_DEFAULT=\"\""
+        end
+
+        def get_syslinux_line(conf)
+          File.readlines(conf).each { |l| return l if l =~ /\s+APPEND/ }
+          'APPEND'
+        end
+      end
+
+      class SlabNoMerge < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'slab_nomerge'
+        end
+      end
+
+      class SlubDebug < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'slub_debug=ZF'
+        end
+      end
+
+      class InitOnAlloc < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'init_on_alloc=1'
+        end
+      end
+
+      class InitOnFree < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'init_on_free=1'
+        end
+      end
+
+      class PageAllocShuffle < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'page_alloc.shuffle=1'
+          @tab = 3
+        end
+      end
+
+      class PtiOn < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'pti=on'
+          @tab = 5
+        end
+      end
+
+      class VSyscall < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'vsyscall=none'
+          @tab = 4
+        end
+      end
+
+      class DebugFS < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'debugfs=off'
+          @tab = 5
+        end
+      end
+
+      class ModuleSig < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'module.sig_enforce=1'
+          @tab = 3
+        end
+      end
+
+      class LockdownConfident < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'lockdown=confidentiality'
+          @tab = 3
+        end
+      end
+
+      class Quiet < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'quiet'
+          @tab = 5
+        end
+      end
+
+      class LogLevel < CmdLine::LineInc
+        def initialize(args)
+          super
+          @name = 'loglevel=0'
+          @tab = 5
+        end
+      end
+    end
+  end
+end

data/lib/ardecy/harden/modules.rb

@@ -0,0 +1,290 @@
+# frozen_string_literal: true
+
+require 'display'
+
+module Ardecy
+  module Harden
+    module Modules
+      BLACKLIST = []
+
+      class Drop
+        include Display
+
+        def initialize(args)
+          @res = 'OK'
+          @args = args
+        end
+
+        def quit_unless_modules
+          unless File.exist? '/proc/modules'
+            warn '/proc/modules no found'
+            exit 1
+          end
+        end
+
+        def research_found
+          quit_unless_modules
+
+          File.readlines('/proc/modules').each do |l|
+            return true if l =~ /^#{@name}/
+          end
+          false
+        end
+
+        def x
+          @res = 'FAIL' if research_found
+          if @args[:audit]
+            show_bad_mod(@name)
+            @tab ? result(@res, @tab) : result(@res)
+          end
+          fix
+        end
+
+        def fix
+          return if @res =~ /OK/
+
+          BLACKLIST << "install #{@name} /bin/false"
+        end
+      end
+
+      module Blacklist
+        def self.exec(args)
+          Blacklist::Dccp.new(args).x
+          Blacklist::Sctp.new(args).x
+          Blacklist::Rds.new(args).x
+          Blacklist::Tipc.new(args).x
+          Blacklist::NHdlc.new(args).x
+          Blacklist::Ax25.new(args).x
+          Blacklist::Netrom.new(args).x
+          Blacklist::X25.new(args).x
+          Blacklist::Rose.new(args).x
+          Blacklist::Decnet.new(args).x
+          Blacklist::Econet.new(args).x
+          Blacklist::Af802154.new(args).x
+          Blacklist::Ipx.new(args).x
+          Blacklist::Appletalk.new(args).x
+          Blacklist::Psnap.new(args).x
+          Blacklist::P8023.new(args).x
+          Blacklist::P8022.new(args).x
+          Blacklist::Can.new(args).x
+          Blacklist::Atm.new(args).x
+
+          # Filesystem
+          Blacklist::CramFs.new(args).x
+          Blacklist::FreevxFs.new(args).x
+          Blacklist::Jffs2.new(args).x
+          Blacklist::HFs.new(args).x
+          Blacklist::HFsplus.new(args).x
+          Blacklist::SquashFs.new(args).x
+          Blacklist::Udf.new(args).x
+
+          Blacklist::Vivid.new(args).x
+          Blacklist::UvcVideo.new(args).x
+        end
+
+        class Dccp < Modules::Drop
+          def initialize(args)
+            @name = 'dccp'
+            super
+          end
+        end
+
+        class Sctp < Modules::Drop
+          def initialize(args)
+            @name = 'sctp'
+            super
+          end
+        end
+
+        class Rds < Modules::Drop
+          def initialize(args)
+            @name = 'rds'
+            super
+          end
+        end
+
+        class Tipc < Modules::Drop
+          def initialize(args)
+            @name = 'tipc'
+            super
+          end
+        end
+
+        class NHdlc < Modules::Drop
+          def initialize(args)
+            @name = 'n-hdlc'
+            super
+          end
+        end
+
+        class Ax25 < Modules::Drop
+          def initialize(args)
+            @name = 'ax25'
+            super
+          end
+        end
+
+        class Netrom < Modules::Drop
+          def initialize(args)
+            @name = 'netrom'
+            super
+          end
+        end
+
+        class X25 < Modules::Drop
+          def initialize(args)
+            @name = 'x25'
+            super
+          end
+        end
+
+        class Rose < Modules::Drop
+          def initialize(args)
+            @name = 'rose'
+            super
+          end
+        end
+
+        class Decnet < Modules::Drop
+          def initialize(args)
+            @name = 'decnet'
+            super
+          end
+        end
+
+        class Econet < Modules::Drop
+          def initialize(args)
+            @name = 'econet'
+            super
+          end
+        end
+
+        class Af802154 < Modules::Drop
+          def initialize(args)
+            @name = 'af_802154'
+            @tab = 2
+            super
+          end
+        end
+
+        class Ipx < Modules::Drop
+          def initialize(args)
+            @name = 'ipx'
+            super
+          end
+        end
+
+        class Appletalk < Modules::Drop
+          def initialize(args)
+            @name = 'appletalk'
+            @tab = 2
+            super
+          end
+        end
+
+        class Psnap < Modules::Drop
+          def initialize(args)
+            @name = 'psnap'
+            super
+          end
+        end
+
+        class P8023 < Modules::Drop
+          def initialize(args)
+            @name = 'p8023'
+            super
+          end
+        end
+
+        class P8022 < Modules::Drop
+          def initialize(args)
+            @name = 'p8022'
+            super
+          end
+        end
+
+        class Can < Modules::Drop
+          def initialize(args)
+            @name = 'can'
+            super
+          end
+        end
+
+        class Atm < Modules::Drop
+          def initialize(args)
+            @name = 'atm'
+            super
+          end
+        end
+
+        class CramFs < Modules::Drop
+          def initialize(args)
+            @name = 'cramfs'
+            super
+          end
+        end
+
+        class FreevxFs < Modules::Drop
+          def initialize(args)
+            @name = 'freevxfs'
+            @tab = 2
+            super
+          end
+        end
+
+        class Jffs2 < Modules::Drop
+          def initialize(args)
+            @name = 'jffs2'
+            super
+          end
+        end
+
+        class HFs < Modules::Drop
+          def initialize(args)
+            @name = 'hfs'
+            super
+          end
+        end
+
+        class HFsplus < Modules::Drop
+          def initialize(args)
+            @name = 'hfsplus'
+            @tab = 2
+            super
+          end
+        end
+
+        class SquashFs < Modules::Drop
+          def initialize(args)
+            @name = 'spuashfs'
+            @tab = 2
+            super
+          end
+        end
+
+        class Udf < Modules::Drop
+          def initialize(args)
+            @name = 'udf'
+            super
+          end
+        end
+
+        class Vivid < Modules::Drop
+          def initialize(args)
+            @name = 'vivid'
+            super
+          end
+        end
+
+        # Webcam
+        class UvcVideo < Modules::Drop
+          def initialize(args)
+            @name = 'uvcvideo'
+            @tab = 2
+            super
+          end
+        end
+      end
+    end
+  end
+end