ardecy 0.0.2 → 0.0.3
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/README.md +6 -2
- data/lib/ardecy.rb +5 -4
- data/lib/ardecy/harden.rb +55 -59
- data/lib/ardecy/harden/cmdline.rb +222 -0
- data/lib/ardecy/harden/modules.rb +290 -0
- data/lib/ardecy/harden/mountpoint.rb +149 -0
- data/lib/ardecy/harden/perms.rb +110 -0
- data/lib/ardecy/harden/sysctl.rb +7 -5
- data/lib/ardecy/harden/sysctl/kernel.rb +67 -58
- data/lib/ardecy/harden/sysctl/network.rb +52 -66
- data/lib/ardecy/options.rb +12 -0
- data/lib/ardecy/privacy.rb +2 -0
- data/lib/ardecy/version.rb +1 -1
- data/lib/display.rb +13 -3
- data/lib/nito.rb +30 -0
- metadata +7 -2
- metadata.gz.sig +0 -0
@@ -4,243 +4,229 @@ module Ardecy
|
|
4
4
|
module Harden
|
5
5
|
module Sysctl
|
6
6
|
module Network
|
7
|
+
def self.exec(args)
|
8
|
+
Network::TcpSynCookie.new(args).x
|
9
|
+
Network::RFC1337.new(args).x
|
10
|
+
Network::AllRpFilter.new(args).x
|
11
|
+
Network::DefaultRpFilter.new(args).x
|
12
|
+
Network::AllAcceptRedirects.new(args).x
|
13
|
+
Network::DefaultAcceptRedirects.new(args).x
|
14
|
+
Network::AllSecureRedirects.new(args).x
|
15
|
+
Network::DefaultSecureRedirects.new(args).x
|
16
|
+
Network::Ipv6AllAcceptRedirects.new(args).x
|
17
|
+
Network::Ipv6DefaultAcceptRedirects.new(args).x
|
18
|
+
Network::AllSendRedirects.new(args).x
|
19
|
+
Network::DefaultSendRedirects.new(args).x
|
20
|
+
Network::IcmpEchoIgnoreAll.new(args).x
|
21
|
+
Network::AllAcceptSourceRoute.new(args).x
|
22
|
+
Network::DefaultAcceptSourceRoute.new(args).x
|
23
|
+
Network::Ipv6AllAcceptSourceRoute.new(args).x
|
24
|
+
Network::Ipv6DefaultAcceptSourceRoute.new(args).x
|
25
|
+
Network::Ipv6ConfAllAcceptRa.new(args).x
|
26
|
+
Network::Ipv6ConfDefaultAcceptRa.new(args).x
|
27
|
+
Network::TcpSack.new(args).x
|
28
|
+
Network::TcpDSack.new(args).x
|
29
|
+
Network::TcpFack.new(args).x
|
30
|
+
end
|
31
|
+
|
7
32
|
class TcpSynCookie < Sysctl::SysNet
|
8
33
|
def initialize(args)
|
9
34
|
@file = '/proc/sys/net/ipv4/tcp_syncookies'
|
10
|
-
@exp = '1'
|
11
|
-
@res = 'FALSE'
|
12
35
|
@line = 'net.ipv4.tcp_syncookies'
|
13
|
-
|
36
|
+
super
|
37
|
+
@exp = '1'
|
14
38
|
end
|
15
39
|
end
|
16
40
|
|
17
41
|
class RFC1337 < Sysctl::SysNet
|
18
42
|
def initialize(args)
|
19
43
|
@file = '/proc/sys/net/ipv4/tcp_rfc1337'
|
20
|
-
@exp = '1'
|
21
|
-
@res = 'FALSE'
|
22
44
|
@line = 'net.ipv4.tcp_rfc1337'
|
23
|
-
|
45
|
+
super
|
46
|
+
@exp = '1'
|
24
47
|
end
|
25
48
|
end
|
26
49
|
|
27
50
|
class AllRpFilter < Sysctl::SysNet
|
28
51
|
def initialize(args)
|
29
52
|
@file = '/proc/sys/net/ipv4/conf/all/rp_filter'
|
30
|
-
@exp = '1'
|
31
|
-
@res = 'FALSE'
|
32
53
|
@line = 'net.ipv4.conf.all.rp_filter'
|
33
|
-
@args = args
|
34
54
|
@tab = 2
|
55
|
+
super
|
56
|
+
@exp = '1'
|
35
57
|
end
|
36
58
|
end
|
37
59
|
|
38
60
|
class DefaultRpFilter < Sysctl::SysNet
|
39
61
|
def initialize(args)
|
40
62
|
@file = '/proc/sys/net/ipv4/conf/default/rp_filter'
|
41
|
-
@exp = '1'
|
42
|
-
@res = 'FALSE'
|
43
63
|
@line = 'net.ipv4.conf.default.rp_filter'
|
44
|
-
@args = args
|
45
64
|
@tab = 2
|
65
|
+
super
|
66
|
+
@exp = '1'
|
46
67
|
end
|
47
68
|
end
|
48
69
|
|
49
70
|
class AllAcceptRedirects < Sysctl::SysNet
|
50
71
|
def initialize(args)
|
51
72
|
@file = '/proc/sys/net/ipv4/conf/all/accept_redirects'
|
52
|
-
@exp = '0'
|
53
|
-
@res = 'FALSE'
|
54
73
|
@line = 'net.ipv4.conf.all.accept_redirects'
|
55
|
-
@args = args
|
56
74
|
@tab = 2
|
75
|
+
super
|
57
76
|
end
|
58
77
|
end
|
59
78
|
|
60
79
|
class DefaultAcceptRedirects < Sysctl::SysNet
|
61
80
|
def initialize(args)
|
62
81
|
@file = '/proc/sys/net/ipv4/conf/default/accept_redirects'
|
63
|
-
@exp = '0'
|
64
|
-
@res = 'FALSE'
|
65
82
|
@line = 'net.ipv4.conf.default.accept_redirects'
|
66
|
-
@args = args
|
67
83
|
@tab = 1
|
84
|
+
super
|
68
85
|
end
|
69
86
|
end
|
70
87
|
|
71
88
|
class AllSecureRedirects < Sysctl::SysNet
|
72
89
|
def initialize(args)
|
73
90
|
@file = '/proc/sys/net/ipv4/conf/all/secure_redirects'
|
74
|
-
@exp = '0'
|
75
|
-
@res = 'FALSE'
|
76
91
|
@line = 'net.ipv4.conf.all.secure_redirects'
|
77
|
-
@args = args
|
78
92
|
@tab = 2
|
93
|
+
super
|
79
94
|
end
|
80
95
|
end
|
81
96
|
|
82
97
|
class DefaultSecureRedirects < Sysctl::SysNet
|
83
98
|
def initialize(args)
|
84
99
|
@file = '/proc/sys/net/ipv4/conf/default/secure_redirects'
|
85
|
-
@exp = '0'
|
86
|
-
@res = 'FALSE'
|
87
100
|
@line = 'net.ipv4.conf.default.secure_redirects'
|
88
|
-
@args = args
|
89
101
|
@tab = 1
|
102
|
+
super
|
90
103
|
end
|
91
104
|
end
|
92
105
|
|
93
106
|
class Ipv6AllAcceptRedirects < Sysctl::SysNet
|
94
107
|
def initialize(args)
|
95
108
|
@file = '/proc/sys/net/ipv6/conf/all/accept_redirects'
|
96
|
-
@exp = '0'
|
97
|
-
@res = 'FALSE'
|
98
109
|
@line = 'net.ipv6.conf.all.accept_redirects'
|
99
|
-
@args = args
|
100
110
|
@tab = 2
|
111
|
+
super
|
101
112
|
end
|
102
113
|
end
|
103
114
|
|
104
115
|
class Ipv6DefaultAcceptRedirects < Sysctl::SysNet
|
105
116
|
def initialize(args)
|
106
117
|
@file = '/proc/sys/net/ipv6/conf/default/accept_redirects'
|
107
|
-
@exp = '0'
|
108
|
-
@res = 'FALSE'
|
109
118
|
@line = 'net.ipv6.conf.default.accept_redirects'
|
110
|
-
@args = args
|
111
119
|
@tab = 1
|
120
|
+
super
|
112
121
|
end
|
113
122
|
end
|
114
123
|
|
115
124
|
class AllSendRedirects < Sysctl::SysNet
|
116
125
|
def initialize(args)
|
117
126
|
@file = '/proc/sys/net/ipv4/conf/all/send_redirects'
|
118
|
-
@exp = '0'
|
119
|
-
@res = 'FALSE'
|
120
127
|
@line = 'net.ipv4.conf.all.send_redirects'
|
121
|
-
@args = args
|
122
128
|
@tab = 2
|
129
|
+
super
|
123
130
|
end
|
124
131
|
end
|
125
132
|
|
126
133
|
class DefaultSendRedirects < Sysctl::SysNet
|
127
134
|
def initialize(args)
|
128
135
|
@file = '/proc/sys/net/ipv4/conf/default/send_redirects'
|
129
|
-
@exp = '0'
|
130
|
-
@res = 'FALSE'
|
131
136
|
@line = 'net.ipv4.conf.default.send_redirects'
|
132
|
-
@args = args
|
133
137
|
@tab = 1
|
138
|
+
super
|
134
139
|
end
|
135
140
|
end
|
136
141
|
|
137
142
|
class IcmpEchoIgnoreAll < Sysctl::SysNet
|
138
143
|
def initialize(args)
|
139
144
|
@file = '/proc/sys/net/ipv4/icmp_echo_ignore_all'
|
140
|
-
@exp = '1'
|
141
|
-
@res = 'FALSE'
|
142
145
|
@line = 'net.ipv4.icmp_echo_ignore_all'
|
143
|
-
@args = args
|
144
146
|
@tab = 2
|
147
|
+
super
|
148
|
+
@exp = '1'
|
145
149
|
end
|
146
150
|
end
|
147
151
|
|
148
152
|
class AllAcceptSourceRoute < Sysctl::SysNet
|
149
153
|
def initialize(args)
|
150
154
|
@file = '/proc/sys/net/ipv4/conf/all/accept_source_route'
|
151
|
-
@exp = '0'
|
152
|
-
@res = 'FALSE'
|
153
155
|
@line = 'net.ipv4.conf.all.accept_source_route'
|
154
|
-
@args = args
|
155
156
|
@tab = 1
|
157
|
+
super
|
156
158
|
end
|
157
159
|
end
|
158
160
|
|
159
161
|
class DefaultAcceptSourceRoute < Sysctl::SysNet
|
160
162
|
def initialize(args)
|
161
163
|
@file = '/proc/sys/net/ipv4/conf/default/accept_source_route'
|
162
|
-
@exp = '0'
|
163
|
-
@res = 'FALSE'
|
164
164
|
@line = 'net.ipv4.conf.default.accept_source_route'
|
165
|
-
@args = args
|
166
165
|
@tab = 1
|
166
|
+
super
|
167
167
|
end
|
168
168
|
end
|
169
169
|
|
170
170
|
class Ipv6AllAcceptSourceRoute < Sysctl::SysNet
|
171
171
|
def initialize(args)
|
172
172
|
@file = '/proc/sys/net/ipv6/conf/all/accept_source_route'
|
173
|
-
@exp = '0'
|
174
|
-
@res = 'FALSE'
|
175
173
|
@line = 'net.ipv6.conf.all.accept_source_route'
|
176
|
-
@args = args
|
177
174
|
@tab = 1
|
175
|
+
super
|
178
176
|
end
|
179
177
|
end
|
180
178
|
|
181
179
|
class Ipv6DefaultAcceptSourceRoute < Sysctl::SysNet
|
182
180
|
def initialize(args)
|
183
181
|
@file = '/proc/sys/net/ipv6/conf/default/accept_source_route'
|
184
|
-
@exp = '0'
|
185
|
-
@res = 'FALSE'
|
186
182
|
@line = 'net.ipv6.conf.default.accept_source_route'
|
187
|
-
@args = args
|
188
183
|
@tab = 1
|
184
|
+
super
|
189
185
|
end
|
190
186
|
end
|
191
187
|
|
192
188
|
class Ipv6ConfAllAcceptRa < Sysctl::SysNet
|
193
189
|
def initialize(args)
|
194
190
|
@file = '/proc/sys/net/ipv6/conf/all/accept_ra'
|
195
|
-
@exp = '0'
|
196
|
-
@res = 'FALSE'
|
197
191
|
@line = 'net.ipv6.conf.all.accept_ra'
|
198
|
-
@args = args
|
199
192
|
@tab = 2
|
193
|
+
super
|
200
194
|
end
|
201
195
|
end
|
202
196
|
|
203
197
|
class Ipv6ConfDefaultAcceptRa < Sysctl::SysNet
|
204
198
|
def initialize(args)
|
205
199
|
@file = '/proc/sys/net/ipv6/conf/default/accept_ra'
|
206
|
-
@exp = '0'
|
207
|
-
@res = 'FALSE'
|
208
200
|
@line = 'net.ipv6.conf.default.accept_ra'
|
209
|
-
@args = args
|
210
201
|
@tab = 2
|
202
|
+
super
|
211
203
|
end
|
212
204
|
end
|
213
205
|
|
214
206
|
class TcpSack < Sysctl::SysNet
|
215
207
|
def initialize(args)
|
216
208
|
@file = '/proc/sys/net/ipv4/tcp_sack'
|
217
|
-
@exp = '0'
|
218
|
-
@res = 'FALSE'
|
219
209
|
@line = 'net.ipv4.tcp_sack'
|
220
|
-
@args = args
|
221
210
|
@tab = 4
|
211
|
+
super
|
222
212
|
end
|
223
213
|
end
|
224
214
|
|
225
215
|
class TcpDSack < Sysctl::SysNet
|
226
216
|
def initialize(args)
|
227
217
|
@file = '/proc/sys/net/ipv4/tcp_dsack'
|
228
|
-
@exp = '0'
|
229
|
-
@res = 'FALSE'
|
230
218
|
@line = 'net.ipv4.tcp_dsack'
|
231
|
-
@args = args
|
232
219
|
@tab = 4
|
220
|
+
super
|
233
221
|
end
|
234
222
|
end
|
235
223
|
|
236
224
|
class TcpFack < Sysctl::SysNet
|
237
225
|
def initialize(args)
|
238
226
|
@file = '/proc/sys/net/ipv4/tcp_fack'
|
239
|
-
@exp = '0'
|
240
|
-
@res = 'FALSE'
|
241
227
|
@line = 'net.ipv4.tcp_fack'
|
242
|
-
@args = args
|
243
228
|
@tab = 4
|
229
|
+
super
|
244
230
|
end
|
245
231
|
end
|
246
232
|
end
|
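Review bot: The expected value of most checks is no longer visible in the subclass: `@exp = '0'` was removed from classes such as `AllAcceptRedirects` and `TcpSack`, and is presumably now a default assigned in `SysNet#initialize`, which is not shown here. In an audit tool the expected value is the policy itself, so each rule should stay verifiable without opening the parent, either by keeping the assignment explicit or with a comment above `super` such as `# expected value 0 comes from SysNet#initialize`. The classes that expect '1' assign `@exp` after `super`, which suggests the parent writes that ivar; a comment on the parent should state that `@file`, `@line` and `@tab` must be set before `super` and are not reset by it. The file header for this section is not shown on the page, so the path is inferred from the module nesting only.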
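--- a/data/lib/ardecy/options.rb
+++ b/data/lib/ardecy/options.rb
@@ -21,6 +21,18 @@ module Ardecy
 @options[:fix] = true
 end
 
+opts.on('--path-bootctl PATH', String, 'Path for bootctl, esp should be mounted') do |f|
+raise "No file #{f}" unless File.exists? f
+
+@options[:bootctl] = f
+end
+
+opts.on('--path-syslinux PATH', String, 'Path for syslinux if not /boot/syslinux/syslinux.cfg') do |f|
+raise "No file #{f}" unless File.exists? f
+
+@options[:syslinux] = f
+end
+
 opts.on('-h', '--help', 'Show this message.') do
 puts opts
 exit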
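Review bot: Both new option blocks (`--path-bootctl` and `--path-syslinux`) call `File.exists?`, which is deprecated and was removed in Ruby 3.2, so on a current interpreter either option fails with NoMethodError before the path is checked. The bare `raise "No file #{f}"` is a RuntimeError, which OptionParser does not turn into a usage error, so the user gets a backtrace instead of a message. I would write `raise OptionParser::InvalidArgument, "no file #{f}" unless File.exist?(f)` in both blocks. If the option must name a regular file that the tool later rewrites, `File.file?(f)` is the tighter test, since an existence check also accepts a directory. The enclosing method starts and ends outside the hunk.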
data/lib/ardecy/privacy.rb
CHANGED
data/lib/ardecy/version.rb
CHANGED
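--- a/data/lib/display.rb
+++ b/data/lib/display.rb
@@ -12,11 +12,21 @@ module Display
 print " - #{line} (exp: #{exp})"
 end
 
-def
+def perm_show(line, exp)
+print " - #{line} (exp: < "
+printf "%04o", exp
+print ")"
+end
+
+def result(res, ntab = 3)
 puts "\t" * ntab + "[ #{res} ]"
 end
 
-def
-list.each { |l| puts " - #{l}" }
+def display_fix_list(list)
+list.each { |l| puts " - #{l}" } if list.length >= 2
+end
+
+def show_bad_mod(name)
+print " - Checking if #{name} is not available"
 end
 end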
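Review bot: `display_fix_list` now prints nothing when `list` has fewer than two entries, so a run with exactly one pending fix would show no list at all unless the first element is always a heading; nothing in the hunk says which is intended. If the first element is a title, say so with a comment such as `# list[0] is the section title; print only when at least one fix follows it`; otherwise the guard should be `unless list.empty?`. `perm_show` formats `exp` with `%04o`, which raises on anything that is not an Integer, so its doc comment should state that `exp` is a numeric mode such as `0644` and not a string. The `Display` module begins above the hunk.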
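--- a/data/lib/nito.rb
+++ b/data/lib/nito.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'tempfile'
+require 'fileutils'
+
+# Nito for Nix Tools
+module NiTo
+
+# sed
+# Like sed from Unix
+# e.g > sed(/^GRUB_CMDLINE/, '', '/etc/default/grub)
+def sed(regex, replacement, file)
+tmp = Tempfile.new('tmp_sed')
+File.open(file).each do |l|
+if l.match regex
+File.write(tmp, "#{replacement}\n", mode: 'a')
+else
+File.write(tmp, l, mode: 'a')
+end
+end
+mv tmp, file
+end
+
+# mv (move file || directory)
+# e.g > mv /home/user/lab, /tmp/lab, 0750
+def mv(src, dest, perm = 0644)
+FileUtils.mv src, dest
+File.chmod perm, dest
+end
+end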
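Review bot: `sed` replaces the target with a temp file and then lets `mv` apply its default `perm = 0644`, so any file that was more restrictive before the edit (a bootloader or other config kept at 0600) becomes world-readable after a fix. The original mode should be read before the rewrite and passed through to `mv`. The temp file is created in the default temp directory, which is often a different filesystem from `/etc` or `/boot`, so `FileUtils.mv` becomes a copy followed by an unlink and an interrupted run can leave a truncated target. The handle from `File.open(file)` is never closed, and `tmp` is reopened with `File.write` for every line. The doc comment for `sed` should also state that every matching line is replaced and that ownership of the target is not preserved.
```ruby
def sed(regex, replacement, file)
  # Keep the target's permission bits instead of falling back to mv's 0644.
  mode = File.stat(file).mode & 0o7777
  # Temp file beside the target, so the final move is a rename on one filesystem.
  tmp = Tempfile.new('tmp_sed', File.dirname(file))
  File.foreach(file) do |l|
    tmp.write(l.match?(regex) ? "#{replacement}\n" : l)
  end
  tmp.close
  mv tmp.path, file, mode
end
# … unchanged: mv(src, dest, perm = 0644) …
```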
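--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ardecy
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.3
 platform: ruby
 authors:
 - szorfein
@@ -35,7 +35,7 @@ cert_chain:
 F9Dl4EPzjBJOgQWf+NxzxNuNKI46Lp5Q8AI+xtDUHAPbSswHa40BA6ChFehP+j0L
 fg==
 -----END CERTIFICATE-----
-date: 2021-07-
+date: 2021-07-10 00:00:00.000000000 Z
 dependencies: []
 description: " Ardecy is a security, privacy auditing, fixing and hardening tool
 for GNU/Linux.\n"
@@ -51,6 +51,10 @@ files:
 - lib/ardecy.rb
 - lib/ardecy/guard.rb
 - lib/ardecy/harden.rb
+- lib/ardecy/harden/cmdline.rb
+- lib/ardecy/harden/modules.rb
+- lib/ardecy/harden/mountpoint.rb
+- lib/ardecy/harden/perms.rb
 - lib/ardecy/harden/sysctl.rb
 - lib/ardecy/harden/sysctl/kernel.rb
 - lib/ardecy/harden/sysctl/network.rb
@@ -58,6 +62,7 @@ files:
 - lib/ardecy/privacy.rb
 - lib/ardecy/version.rb
 - lib/display.rb
+- lib/nito.rb
 homepage: https://github.com/szorfein/ardecy
 licenses:
 - MIT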
metadata.gz.sig
CHANGED
Binary file
|