ardecy 0.0.2 → 0.0.3

data/lib/ardecy/harden/mountpoint.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require 'display'
+require 'nito'
+
+module Ardecy
+  module Harden
+    module Mountpoint
+      def self.exec(args)
+        ProcHidepid.new(args).x
+        puts " ===> Mountpoint Corrected." if args[:fix]
+      end
+
+      class MountInc
+        include Display
+        include NiTo
+
+        def initialize(args)
+          @res = 'FAIL'
+          @args = args
+          @tab = 2
+        end
+
+        def x
+          scan
+          add_group
+          build_args
+          fix
+          systemd_case
+        end
+
+        def add_group
+          return unless @args[:fix] && @group
+
+          has_group = group_search
+          unless has_group
+            if File.exists? '/usr/sbin/groupadd'
+              puts " => Group #{@group} added." if system("/usr/sbin/groupadd #{@group}")
+            elsif File.exists? '/usr/bin/groupadd'
+              puts " => Group #{@group} added." if system("/usr/bin/groupadd #{@group}")
+            else
+              puts '[-] Can\'t find command groupadd'
+            end
+          end
+        end
+
+        def group_search
+          if File.readable? '/etc/group'
+            etc_group = File.readlines('/etc/group')
+            etc_group.each { |l| return true if l =~ /#{@group}/ }
+          else
+            puts " [-] /etc/group is not readable"
+          end
+          false
+        end
+
+        def scan
+          return unless mount_match('/proc/mounts')
+
+          print "  - Checking #{@name} contain " + @ensure.join(',') if @args[:audit]
+          res_a = []
+          @ensure.each do |v|
+            o = v.split('=')
+            res_a << true if @val =~ /#{o[0]}=[a-z0-9]+/
+          end
+          @res = 'OK' if res_a.length == @ensure.length
+
+          @tab ? result(@res, @tab) : result(@res) if @args[:audit]
+        end
+
+        def build_args
+          return unless @args[:fix]
+          return if @res =~ /OK/
+
+          v = @val.split ' '
+          @ensure.each do |e|
+            o = e.split('=')
+            v[3] += ",#{e}" unless v[3] =~ /#{o[0]}=[a-z0-9]+/
+          end
+          @new = v.join(' ')
+        end
+
+        def fix
+          return unless @args[:fix]
+          return if @res =~ /OK/
+
+          if mount_match('/etc/fstab')
+            edit_fstab
+          else
+            File.write('/etc/fstab', "\n#{@new}\n", mode: 'a')
+          end
+
+          puts "old -> " + @val
+          puts "new -> " + @new
+          puts
+        end
+
+        def mount_match(file)
+          File.readlines(file).each do |l|
+            if l =~ /^#{@name}/
+              @val = l
+              return true
+            end
+          end
+          false
+        end
+
+        def edit_fstab
+          sed(/^#{@name}/, @new, '/etc/fstab')
+        end
+
+        def systemd_case
+        end
+      end
+
+      class ProcHidepid < Mountpoint::MountInc
+        def initialize(args)
+          super
+          @name = 'proc'
+          @ensure = [ 'hidepid=2', 'gid=proc' ]
+          @group = 'proc'
+        end
+
+        # man logind.conf check under:
+        # > /etc/systemd/logind.conf.d/*.conf
+        # > /run/systemd/logind.conf.d/*.conf
+        # > /usr/lib/systemd/logind.conf.d/*.conf
+        def systemd_case
+          return unless @args[:fix]
+
+          if File.exist? '/etc/systemd/logind.conf'
+            create_content '/etc/systemd/logind.conf.d'
+          end
+        end
+
+        def create_content(in_dir)
+          content = [
+            '[Service]',
+            'SupplementaryGroups=proc',
+            ''
+          ]
+          Dir.mkdir in_dir, 0700 unless Dir.exists? in_dir
+          File.write("#{in_dir}/hidepid.conf", content.join("\n"), mode: 'w')
+          puts " > Creating file #{in_dir}/hidepid.conf"
+        end
+      end
+    end
+  end
+end

data/lib/ardecy/harden/perms.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'display'
+
+module Ardecy
+  module Harden
+    module Perms
+      class DirCheck
+        include Display
+
+        def initialize(args)
+          @args = args
+          @res = 'OK'
+          @exp = 0755
+          @tab = 2
+        end
+
+        def x
+          scan
+          fix
+        end
+
+        def scan
+          return unless Dir.exist? @name
+
+          perm = File.stat(@name).mode & 07777
+          @line = "Permission on #{@name}"
+
+          perm_show(@line, @exp) if @args[:audit]
+          @res = 'FAIL' if perm > @exp
+          @tab ? result(@res, @tab) : result(@res) if @args[:audit]
+        end
+
+        def fix
+          return unless @args[:fix]
+
+          File.chmod @exp, @name unless @res =~ /OK/
+        end
+      end
+
+      module Directory
+        def self.exec(args)
+          Directory::Home.new(args).x
+          Directory::CronDaily.new(args).x
+          Directory::Boot.new(args).x
+          Directory::UsrSrc.new(args).x
+          Directory::LibMod.new(args).x
+          Directory::UsrLibMod.new(args).x
+          puts " ===> Permission Corrected." if args[:fix]
+        end
+
+        class Home < Perms::DirCheck
+          def initialize(args)
+            super
+            @exp = 0700
+          end
+
+          def x
+            Dir.glob('/home/*').each { |d|
+              @name = d
+              scan
+              fix
+            }
+          end
+        end
+
+        class CronDaily < Perms::DirCheck
+          def initialize(args)
+            super
+            @name = '/etc/cron.daily'
+            @exp = 0700
+          end
+        end
+
+        class Boot < Perms::DirCheck
+          def initialize(args)
+            super
+            @name = '/boot'
+            @exp = 0700
+            @tab = 3
+          end
+        end
+
+        class UsrSrc < Perms::DirCheck
+          def initialize(args)
+            super
+            @name = '/usr/src'
+            @exp = 0700
+          end
+        end
+
+        class LibMod < Perms::DirCheck
+          def initialize(args)
+            super
+            @name = '/lib/modules'
+            @exp = 0700
+          end
+        end
+
+        class UsrLibMod < Perms::DirCheck
+          def initialize(args)
+            super
+            @name = '/usr/lib/modules'
+            @exp = 0700
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ardecy/harden/sysctl.rb

@@ -11,6 +11,12 @@ module Ardecy
       class SysKern
         include Display
 
+        def initialize(args)
+          @res = 'FALSE'
+          @args = args
+          @exp = '0'
+        end
+
         def scan
           kernel_show(@line, @exp) if @args[:audit]
           if File.exist? @file
@@ -23,11 +29,7 @@ module Ardecy
           else
             @res = 'NO FOUND'
           end
-          if @tab
-            kernel_res(@res, @tab) if @args[:audit]
-          elsif @args[:audit]
-            kernel_res(@res)
-          end
+          @tab ? result(@res, @tab) : result(@res) if @args[:audit]
         end
 
         def fix

data/lib/ardecy/harden/sysctl/kernel.rb

@@ -4,205 +4,214 @@ module Ardecy
   module Harden
     module Sysctl
       module Kernel
+        def self.exec(args)
+          Kernel::KPointer.new(args).x
+          Kernel::Dmesg.new(args).x
+          Kernel::Printk.new(args).x
+          Kernel::BpfDisabled.new(args).x
+          Kernel::BpfJitHarden.new(args).x
+          Kernel::LdiskAutoload.new(args).x
+          Kernel::UserFaultFd.new(args).x
+          Kernel::KExecLoadDisabled.new(args).x
+          Kernel::SysRQ.new(args).x
+          Kernel::UsernsClone.new(args).x
+          Kernel::MaxUserNameSpace.new(args).x
+          Kernel::PerfEventParanoid.new(args).x
+          Kernel::YamaPtrace.new(args).x
+          Kernel::VmMmapRndBits.new(args).x
+          Kernel::VmMmapRndCompatBits.new(args).x
+          Kernel::FsProtectedSymlinks.new(args).x
+          Kernel::FsProtectedHardlinks.new(args).x
+          Kernel::FsProtectedFifos.new(args).x
+          Kernel::FsProtectedRegular.new(args).x
+          Kernel::FsSuidDumpable.new(args).x
+        end
+
         class KPointer < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/kptr_restrict'
-            @exp = '2'
-            @res = 'FALSE'
             @line = 'kernel.kptr_restrict'
-            @args = args
+            super
+            @exp = '2'
           end
         end
 
         class Dmesg < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/dmesg_restrict'
-            @exp = '1'
-            @res = 'FALSE'
             @line = 'kernel.dmesg_restrict'
-            @args = args
+            super
+            @exp = '1'
           end
         end
 
         class Printk < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/printk'
-            @exp = '3 3 3 3'
-            @res = 'FALSE'
             @line = 'kernel.printk'
-            @args = args
+            @tab = 6
+            super
+            @exp = '3 3 3 3'
           end
 
           def scan
             kernel_show(@line, @exp) if @args[:audit]
             value = File.read(@file).chomp
             @res = 'OK' if value =~ /3\s+3\s+3\s+3/
-            kernel_res(@res) if @args[:audit]
+            result(@res) if @args[:audit]
           end
         end
 
         class BpfDisabled < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/unprivileged_bpf_disabled'
-            @exp = '1'
-            @res = 'FALSE'
             @line = 'kernel.unprivileged_bpf_disabled'
             @tab = 2
-            @args = args
+            super
+            @exp = '1'
           end
         end
 
         class BpfJitHarden < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/net/core/bpf_jit_harden'
-            @exp = '2'
-            @res = 'FALSE'
             @line = 'net.core.bpf_jit_harden'
-            @args = args
+            super
+            @exp = '2'
           end
         end
 
         class LdiskAutoload < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/dev/tty/ldisc_autoload'
-            @exp = '0'
-            @res = 'FALSE'
             @line = 'dev.tty.ldisc_autoload'
-            @args = args
+            super
           end
         end
 
         class UserFaultFd < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/vm/unprivileged_userfaultfd'
-            @exp = '0'
-            @res = 'FALSE'
             @line = 'vm.unprivileged_userfaultfd'
-            @args = args
             @tab = 2
+            super
           end
         end
 
         class KExecLoadDisabled < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/kexec_load_disabled'
-            @exp = '1'
-            @res = 'FALSE'
             @line = 'kernel.kexec_load_disabled'
-            @args = args
+            super
+            @exp = '1'
           end
         end
 
         class SysRQ < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/sysrq'
-            @exp = '0'
-            @res = 'FALSE'
             @line = 'kernel.sysrq'
-            @args = args
             @tab = 4
+            super
           end
         end
 
         class UsernsClone < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/unprivileged_userns_clone'
-            @exp = '0'
-            @res = 'FALSE'
             @line = 'unprivileged_userns_clone'
-            @args = args
+            super
           end
         end
 
         class MaxUserNameSpace < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/user/max_user_namespaces'
-            @exp = '0'
-            @res = 'FALSE'
             @line = 'user.max_user_namespaces'
-            @args = args
+            super
           end
         end
 
         class PerfEventParanoid < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/perf_event_paranoid'
-            @exp = '3'
-            @res = 'FALSE'
             @line = 'kernel.perf_event_paranoid'
-            @args = args
+            super
+            @exp = '3'
           end
         end
 
         class YamaPtrace < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/kernel/yama/ptrace_scope'
-            @exp = '2'
-            @res = 'FALSE'
             @line = 'kernel.yama.ptrace_scope'
-            @args = args
+            super
+            @exp = '2'
           end
         end
 
         class VmMmapRndBits < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/vm/mmap_rnd_bits'
-            @exp = '32'
-            @res = 'FALSE'
             @line = 'vm.mmap_rnd_bits'
-            @args = args
             @tab = 4
+            super
+            @exp = '32'
           end
         end
 
         class VmMmapRndCompatBits < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/vm/mmap_rnd_compat_bits'
-            @exp = '16'
-            @res = 'FALSE'
             @line = 'vm.mmap_rnd_compat_bits'
-            @args = args
+            super
+            @exp = '16'
           end
         end
 
         class FsProtectedSymlinks < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/fs/protected_symlinks'
-            @exp = '1'
-            @res = 'FALSE'
             @line = 'fs.protected_symlinks'
-            @args = args
+            super
+            @exp = '1'
           end
         end
 
         class FsProtectedHardlinks < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/fs/protected_hardlinks'
-            @exp = '1'
-            @res = 'FALSE'
             @line = 'fs.protected_hardlinks'
-            @args = args
+            super
+            @exp = '1'
           end
         end
 
         class FsProtectedFifos < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/fs/protected_fifos'
-            @exp = '2'
-            @res = 'FALSE'
             @line = 'fs.protected_fifos'
-            @args = args
             @tab = 4
+            super
+            @exp = '2'
           end
         end
 
         class FsProtectedRegular < Sysctl::SysKern
           def initialize(args)
             @file = '/proc/sys/fs/protected_regular'
-            @exp = '2'
-            @res = 'FALSE'
             @line = 'fs.protected_regular'
-            @args = args
+            super
+            @exp = '2'
+          end
+        end
+
+        class FsSuidDumpable < Sysctl::SysKern
+          def initialize(args)
+            @file = '/proc/sys/fs/suid_dumpable'
+            @line = 'fs.suid_dumpable'
+            super
+            @tab = 4
           end
         end
       end