hardax 5.2.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- hardax-5.2.1/LICENSE +21 -0
- hardax-5.2.1/PKG-INFO +415 -0
- hardax-5.2.1/README.md +354 -0
- hardax-5.2.1/hardax/__init__.py +2453 -0
- hardax-5.2.1/hardax/__main__.py +5 -0
- hardax-5.2.1/hardax/commands/adb_security.json +43 -0
- hardax-5.2.1/hardax/commands/apps.json +451 -0
- hardax-5.2.1/hardax/commands/attestation.json +219 -0
- hardax-5.2.1/hardax/commands/automotive.json +189 -0
- hardax-5.2.1/hardax/commands/binary_hardening.json +369 -0
- hardax-5.2.1/hardax/commands/bluetooth.json +1312 -0
- hardax-5.2.1/hardax/commands/boot_security.json +184 -0
- hardax-5.2.1/hardax/commands/certificate_audit.json +229 -0
- hardax-5.2.1/hardax/commands/cis_benchmark.json +192 -0
- hardax-5.2.1/hardax/commands/cryptography.json +195 -0
- hardax-5.2.1/hardax/commands/cve_indicators.json +185 -0
- hardax-5.2.1/hardax/commands/device_management.json +122 -0
- hardax-5.2.1/hardax/commands/forensic_indicators.json +209 -0
- hardax-5.2.1/hardax/commands/input.json +86 -0
- hardax-5.2.1/hardax/commands/malware.json +184 -0
- hardax-5.2.1/hardax/commands/medical.json +70 -0
- hardax-5.2.1/hardax/commands/network.json +584 -0
- hardax-5.2.1/hardax/commands/nfc_security.json +70 -0
- hardax-5.2.1/hardax/commands/partition.json +330 -0
- hardax-5.2.1/hardax/commands/pos_security.json +232 -0
- hardax-5.2.1/hardax/commands/privacy.json +449 -0
- hardax-5.2.1/hardax/commands/selinux.json +419 -0
- hardax-5.2.1/hardax/commands/storage.json +229 -0
- hardax-5.2.1/hardax/commands/system.json +832 -0
- hardax-5.2.1/hardax/commands/usb_security.json +154 -0
- hardax-5.2.1/hardax/templates/report.html +713 -0
- hardax-5.2.1/hardax.egg-info/PKG-INFO +415 -0
- hardax-5.2.1/hardax.egg-info/SOURCES.txt +37 -0
- hardax-5.2.1/hardax.egg-info/dependency_links.txt +1 -0
- hardax-5.2.1/hardax.egg-info/entry_points.txt +2 -0
- hardax-5.2.1/hardax.egg-info/requires.txt +14 -0
- hardax-5.2.1/hardax.egg-info/top_level.txt +1 -0
- hardax-5.2.1/pyproject.toml +73 -0
- hardax-5.2.1/setup.cfg +4 -0
hardax-5.2.1/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 V33RU (Mr-IoT / IOTSRG)
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
hardax-5.2.1/PKG-INFO
ADDED
|
@@ -0,0 +1,415 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: hardax
|
|
3
|
+
Version: 5.2.1
|
|
4
|
+
Summary: Hardening Audit eXaminer: security configuration auditor for Android-based devices (POS, IoT, automotive, medical, kiosk)
|
|
5
|
+
Author-email: "V33RU (Mr-IoT, IOTSRG)" <v33raiot@gmail.com>
|
|
6
|
+
License: MIT License
|
|
7
|
+
|
|
8
|
+
Copyright (c) 2026 V33RU (Mr-IoT / IOTSRG)
|
|
9
|
+
|
|
10
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
11
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
12
|
+
in the Software without restriction, including without limitation the rights
|
|
13
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
14
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
15
|
+
furnished to do so, subject to the following conditions:
|
|
16
|
+
|
|
17
|
+
The above copyright notice and this permission notice shall be included in all
|
|
18
|
+
copies or substantial portions of the Software.
|
|
19
|
+
|
|
20
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
21
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
22
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
23
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
24
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
25
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
26
|
+
SOFTWARE.
|
|
27
|
+
|
|
28
|
+
Project-URL: Homepage, https://github.com/V33RU/hardax
|
|
29
|
+
Project-URL: Repository, https://github.com/V33RU/hardax
|
|
30
|
+
Project-URL: Issues, https://github.com/V33RU/hardax/issues
|
|
31
|
+
Project-URL: Releases, https://github.com/V33RU/hardax/releases
|
|
32
|
+
Keywords: android,security,audit,hardening,iot,pos,automotive,medical,adb,ssh,uart,penetration-testing
|
|
33
|
+
Classifier: Development Status :: 5 - Production/Stable
|
|
34
|
+
Classifier: Environment :: Console
|
|
35
|
+
Classifier: Intended Audience :: System Administrators
|
|
36
|
+
Classifier: Intended Audience :: Information Technology
|
|
37
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
38
|
+
Classifier: Operating System :: POSIX :: Linux
|
|
39
|
+
Classifier: Operating System :: MacOS
|
|
40
|
+
Classifier: Operating System :: Microsoft :: Windows
|
|
41
|
+
Classifier: Programming Language :: Python :: 3
|
|
42
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
43
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
44
|
+
Classifier: Topic :: Security
|
|
45
|
+
Classifier: Topic :: System :: Systems Administration
|
|
46
|
+
Classifier: Topic :: Software Development :: Testing
|
|
47
|
+
Requires-Python: >=3.11
|
|
48
|
+
Description-Content-Type: text/markdown
|
|
49
|
+
License-File: LICENSE
|
|
50
|
+
Provides-Extra: ssh
|
|
51
|
+
Requires-Dist: paramiko>=2.7; extra == "ssh"
|
|
52
|
+
Provides-Extra: uart
|
|
53
|
+
Requires-Dist: pyserial>=3.5; extra == "uart"
|
|
54
|
+
Provides-Extra: certs
|
|
55
|
+
Requires-Dist: cryptography>=3.0; extra == "certs"
|
|
56
|
+
Provides-Extra: all
|
|
57
|
+
Requires-Dist: paramiko>=2.7; extra == "all"
|
|
58
|
+
Requires-Dist: pyserial>=3.5; extra == "all"
|
|
59
|
+
Requires-Dist: cryptography>=3.0; extra == "all"
|
|
60
|
+
Dynamic: license-file
|
|
61
|
+
|
|
62
|
+
<h1 align="center">HARDAX</h1>
|
|
63
|
+
|
|
64
|
+
|
|
65
|
+
<p align="center">
|
|
66
|
+
<img src="https://img.shields.io/badge/version-5.2.1-blue.svg" alt="Version">
|
|
67
|
+
<img src="https://img.shields.io/badge/python-3.11+-green.svg" alt="Python">
|
|
68
|
+
<img src="https://img.shields.io/badge/checks-706-orange.svg" alt="Checks">
|
|
69
|
+
<img src="https://img.shields.io/badge/categories-25-purple.svg" alt="Categories">
|
|
70
|
+
<img src="https://img.shields.io/badge/license-MIT-red.svg" alt="License">
|
|
71
|
+
<a href="https://github.com/V33RU/hardax/wiki">
|
|
72
|
+
<img src="https://img.shields.io/badge/wiki-documentation-lightgrey.svg" alt="Wiki">
|
|
73
|
+
</a>
|
|
74
|
+
</p>
|
|
75
|
+
|
|
76
|
+
<p align="center">
|
|
77
|
+
</p>
|
|
78
|
+
|
|
79
|
+

|
|
80
|
+
|
|
81
|
+
---
|
|
82
|
+
|
|
83
|
+
## Overview
|
|
84
|
+
|
|
85
|
+
**HARDAX** (Hardening Audit eXaminer) is a comprehensive security configuration auditor for Android-based devices. It performs **686 security checks** across **25 categories** to identify misconfigurations, vulnerabilities, and security weaknesses.
|
|
86
|
+
|
|
87
|
+
HARDAX is designed for:
|
|
88
|
+
- **Security Researchers** - Penetration testing and vulnerability assessment
|
|
89
|
+
- **IoT Security Teams** - Auditing Android-based IoT devices
|
|
90
|
+
- **POS Security Auditors** - PCI-DSS compliance verification for payment terminals
|
|
91
|
+
- **Enterprise Security** - MDM compliance verification
|
|
92
|
+
- **Developers** - Pre-release security validation
|
|
93
|
+
|
|
94
|
+
---
|
|
95
|
+
|
|
96
|
+
## Features
|
|
97
|
+
|
|
98
|
+
| Feature | Description |
|
|
99
|
+
|---------|-------------|
|
|
100
|
+
| **686 Security Checks** | Comprehensive coverage across 25 security categories |
|
|
101
|
+
| **POS/Payment Terminal Support** | 24 PCI-DSS focused checks for payment devices |
|
|
102
|
+
| **Malware & Hooking Detection** | 18 checks for rootkits, RATs, Frida, Xposed, keyloggers, memory scrapers |
|
|
103
|
+
| **Certificate Audit** | CA certificate analysis with expiry/age calculation - 27 checks |
|
|
104
|
+
| **Root Auto-Detection** | Detects root method (Magisk/SuperSU/su/ssh-root/uart-root) and adapts privilege escalation accordingly |
|
|
105
|
+
| **ADB Resilience** | 5-layer protection: connection check, auto-reconnect, timeout, SKIPPED status |
|
|
106
|
+
| **Triple Connection Modes** | ADB (USB/Network), SSH, and UART serial console support |
|
|
107
|
+
| **UART Shell Support** | Connect over serial console with auto baud detection, user/root shell identification |
|
|
108
|
+
| **SSH Root Awareness** | Detects when SSH session is already root - skips unnecessary `su` probing |
|
|
109
|
+
| **6 Status Levels** | SAFE, WARNING, CRITICAL, VERIFY, INFO, SKIPPED |
|
|
110
|
+
| **3 Report Formats** | TXT, CSV, HTML with interactive dashboard |
|
|
111
|
+
| **Smart False Positive Prevention** | Catches empty output, service unavailability, and transport errors - marks as SKIPPED not CRITICAL |
|
|
112
|
+
| **Extensible JSON Checks** | Easy to add custom security checks - drop JSON, run |
|
|
113
|
+
| **Beautiful CLI Output** | Color-coded real-time progress display |
|
|
114
|
+
| **Device Info Collection** | Automatic device fingerprinting |
|
|
115
|
+
| **Shell Environment Probe** | SSH mode probes busybox, toybox, getprop, bash availability on connect |
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
## Supported Devices
|
|
120
|
+
|
|
121
|
+
HARDAX works with any Android-based device accessible via ADB, SSH, or UART:
|
|
122
|
+
|
|
123
|
+
| Device Type | Examples |
|
|
124
|
+
|-------------|----------|
|
|
125
|
+
| **POS Terminals** | PAX, Verifone, Ingenico, Sunmi, Newland, Clover, Square |
|
|
126
|
+
| **Smartphones & Tablets** | Samsung, Pixel, OnePlus, Xiaomi, etc. |
|
|
127
|
+
| **IoT Devices** | Android Things, AOSP-based smart devices |
|
|
128
|
+
| **Collaboration Panels** | Poly, Neat, Webex Board |
|
|
129
|
+
| **Android Automotive** | Infotainment systems, head units |
|
|
130
|
+
| **Medical Devices** | Android-based clinical devices |
|
|
131
|
+
| **Industrial Android** | Rugged tablets, handheld scanners |
|
|
132
|
+
| **Android TV** | Smart TVs, set-top boxes |
|
|
133
|
+
| **Wearables** | Wear OS devices |
|
|
134
|
+
|
|
135
|
+
---
|
|
136
|
+
|
|
137
|
+
## Installation
|
|
138
|
+
|
|
139
|
+
### Prerequisites
|
|
140
|
+
|
|
141
|
+
- Python 3.11 or higher
|
|
142
|
+
- ADB (Android Debug Bridge) installed and in PATH
|
|
143
|
+
- USB Debugging enabled on target device
|
|
144
|
+
|
|
145
|
+
### Install with pip (recommended)
|
|
146
|
+
|
|
147
|
+
```bash
|
|
148
|
+
# Core (ADB mode only)
|
|
149
|
+
pip install hardax
|
|
150
|
+
|
|
151
|
+
# With SSH support (paramiko)
|
|
152
|
+
pip install 'hardax[ssh]'
|
|
153
|
+
|
|
154
|
+
# With UART / serial support (pyserial)
|
|
155
|
+
pip install 'hardax[uart]'
|
|
156
|
+
|
|
157
|
+
# With certificate audit support (cryptography)
|
|
158
|
+
pip install 'hardax[certs]'
|
|
159
|
+
|
|
160
|
+
# Everything
|
|
161
|
+
pip install 'hardax[all]'
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
After installation the `hardax` console command is available:
|
|
165
|
+
|
|
166
|
+
```bash
|
|
167
|
+
adb devices
|
|
168
|
+
hardax
|
|
169
|
+
```
|
|
170
|
+
|
|
171
|
+
### Install from source (development)
|
|
172
|
+
|
|
173
|
+
```bash
|
|
174
|
+
git clone https://github.com/V33RU/hardax.git
|
|
175
|
+
cd hardax
|
|
176
|
+
pip install -e '.[all]'
|
|
177
|
+
|
|
178
|
+
# Or run without installing
|
|
179
|
+
python3 -m hardax
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
---
|
|
183
|
+
|
|
184
|
+
## Usage
|
|
185
|
+
|
|
186
|
+
### Basic Usage (ADB)
|
|
187
|
+
|
|
188
|
+
```bash
|
|
189
|
+
# Auto-detect connected device
|
|
190
|
+
hardax
|
|
191
|
+
|
|
192
|
+
# Show commands being executed
|
|
193
|
+
hardax --show-commands
|
|
194
|
+
|
|
195
|
+
# Load all check files from commands/ directory
|
|
196
|
+
hardax --json-dir commands
|
|
197
|
+
|
|
198
|
+
# Specify device by serial
|
|
199
|
+
hardax --serial DEVICE_SERIAL
|
|
200
|
+
|
|
201
|
+
# Custom output directory
|
|
202
|
+
hardax --out ./my_reports
|
|
203
|
+
|
|
204
|
+
# Skip certificate audit
|
|
205
|
+
hardax --skip-certs
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
### SSH Mode (Network)
|
|
209
|
+
|
|
210
|
+
```bash
|
|
211
|
+
hardax --mode ssh --host 192.168.1.100 --ssh-user root --ssh-pass password
|
|
212
|
+
```
|
|
213
|
+
|
|
214
|
+
### UART Mode (Serial Console)
|
|
215
|
+
|
|
216
|
+
```bash
|
|
217
|
+
# Auto-detect baud rate
|
|
218
|
+
hardax --mode uart --uart-port /dev/ttyUSB0
|
|
219
|
+
|
|
220
|
+
# Specify baud rate
|
|
221
|
+
hardax --mode uart --uart-port /dev/ttyUSB0 --baud 115200
|
|
222
|
+
|
|
223
|
+
# Windows
|
|
224
|
+
hardax --mode uart --uart-port COM3 --baud 115200
|
|
225
|
+
```
|
|
226
|
+
|
|
227
|
+
### Network ADB
|
|
228
|
+
|
|
229
|
+
```bash
|
|
230
|
+
adb connect 192.168.1.100:5555
|
|
231
|
+
hardax --json-dir commands
|
|
232
|
+
```
|
|
233
|
+
|
|
234
|
+
### All Options
|
|
235
|
+
|
|
236
|
+
```
|
|
237
|
+
usage: hardax [OPTIONS]
|
|
238
|
+
|
|
239
|
+
Options:
|
|
240
|
+
--version Show version
|
|
241
|
+
--mode {adb,ssh,uart} Connection mode (default: adb)
|
|
242
|
+
--serial SERIAL ADB device serial number
|
|
243
|
+
--host HOST SSH hostname/IP
|
|
244
|
+
--port PORT SSH port (default: 22)
|
|
245
|
+
--ssh-user USER SSH username
|
|
246
|
+
--ssh-pass PASS SSH password
|
|
247
|
+
--uart-port PORT UART serial port (e.g. /dev/ttyUSB0, COM3)
|
|
248
|
+
--baud RATE UART baud rate (0 = auto-detect, default: 0)
|
|
249
|
+
--json FILE Path to single JSON checks file
|
|
250
|
+
--json-dir DIR Directory with JSON check files
|
|
251
|
+
--out DIR Output directory (default: hardax_output)
|
|
252
|
+
--progress-numbers Show numeric progress counter
|
|
253
|
+
--show-commands Display each command being executed
|
|
254
|
+
--skip-certs Skip certificate audit
|
|
255
|
+
|
|
256
|
+
Hidden debug flags (prefix before other args):
|
|
257
|
+
--net-debug Verbose network check output
|
|
258
|
+
--net-strict Strict network check mode
|
|
259
|
+
--cert-debug Verbose certificate audit output
|
|
260
|
+
--cert-limit N Limit certificate files scanned (default: 50)
|
|
261
|
+
```
|
|
262
|
+
|
|
263
|
+
---
|
|
264
|
+
|
|
265
|
+
## Security Categories
|
|
266
|
+
|
|
267
|
+
HARDAX organizes **686 checks** into **25 security categories**:
|
|
268
|
+
|
|
269
|
+
| Category | Checks | Description |
|
|
270
|
+
|----------|--------|-------------|
|
|
271
|
+
| **SYSTEM** | 85 | Kernel, memory, TEE (QSEE/Mobicore/TEEGRIS/Trusty), SECCOMP, time, power, build properties, emulator detection, SIM status |
|
|
272
|
+
| **BLUETOOTH** | 83 | BLE/Classic, pairing, profiles (PAN, HFP, A2DP, HID, SPP, OPP, MAP), L2CAP, ATT, SMP, GAP, attack surfaces |
|
|
273
|
+
| **NETWORK** | 60 | Ports, WiFi, cellular, VPN, MQTT, CoAP, CAN bus, HL7, DICOM, active connections |
|
|
274
|
+
| **PRIVACY** | 47 | Biometrics, screen lock, location, sensors, clipboard, audio |
|
|
275
|
+
| **APPS** | 44 | Permissions, overlay attacks, installation sources, backup audit, dangerous perms |
|
|
276
|
+
| **BINARY_HARDENING** | 36 | PIE, NX, RELRO, stack canaries, stripped symbols, ASLR, kptr_restrict |
|
|
277
|
+
| **PARTITION** | 27 | dm-verity, OverlayFS, A/B slots, FBE/FDE, mount flags, block device permissions |
|
|
278
|
+
| **CERTIFICATE_AUDIT** | 25 | CA certificates, user certs, pinning bypass, keystore, expiry analysis |
|
|
279
|
+
| **SELINUX** | 25 | SELinux enforcement, policy, audit, context, boot flags |
|
|
280
|
+
| **POS_SECURITY** | 24 | PCI-DSS compliance, payment apps, kiosk mode, RAM scraper, NFC relay, PAX CVE |
|
|
281
|
+
| **STORAGE** | 24 | Filesystem, backup, encryption, partitions |
|
|
282
|
+
| **FORENSIC_INDICATORS** | 22 | Crash history, kernel panics, logcat anomalies, temp artifacts, clipboard forensics |
|
|
283
|
+
| **ATTESTATION** | 20 | SafetyNet/Play Integrity, Knox warranty bit, TIMA, RKP, Titan M, fs-verity, bypass detection |
|
|
284
|
+
| **AUTOMOTIVE** | 20 | Vehicle-specific checks, CAN bus, infotainment |
|
|
285
|
+
| **BOOT_SECURITY** | 20 | Verified boot, AVB, dm-verity, bootloader, integrity |
|
|
286
|
+
| **CRYPTOGRAPHY** | 18 | Encryption, keys, credentials, API keys, certificates |
|
|
287
|
+
| **MALWARE** | 18 | Root/Magisk/SuperSU, Frida, Xposed/LSPosed, RATs, keyloggers, memory scrapers, root cloaking |
|
|
288
|
+
| **CIS_BENCHMARK** | 17 | CIS Android Benchmark v1.6.0 controls (89% coverage) |
|
|
289
|
+
| **USB_SECURITY** | 16 | USB debugging, interfaces, serial ports, gadget mode |
|
|
290
|
+
| **CVE_INDICATORS** | 15 | Dirty Pipe, Bad Binder, Dirty COW, MTK-su, Exynos baseband, Mali GPU, kernel CVE ranges |
|
|
291
|
+
| **DEVICE_MANAGEMENT** | 13 | MDM, accounts, developer options |
|
|
292
|
+
| **INPUT** | 9 | Keyboards, accessibility, input methods |
|
|
293
|
+
| **MEDICAL** | 7 | Medical device-specific checks |
|
|
294
|
+
| **NFC_SECURITY** | 7 | NFC state, Android Beam, tap-to-pay, reader mode, secure element (eSE/UICC) |
|
|
295
|
+
| **ADB_SECURITY** | 4 | ADB keys, network ADB, debugging |
|
|
296
|
+
|
|
297
|
+
---
|
|
298
|
+
|
|
299
|
+
## HTML Report Features
|
|
300
|
+
|
|
301
|
+
The interactive HTML report includes:
|
|
302
|
+
|
|
303
|
+
- **Summary Dashboard** - Total checks, pass/fail counts, doughnut chart
|
|
304
|
+
- **Device Information** - Model, Android version, build, serial, security patch level
|
|
305
|
+
- **Collapsible Categories** - Click to expand/collapse each security area
|
|
306
|
+
- **Color-Coded Results** - Green=SAFE, Yellow=WARNING, Red=CRITICAL
|
|
307
|
+
- **Certificate Audit Table** - CA certificates with expiry dates and risk status
|
|
308
|
+
- **Search & Filter** - Find specific checks by keyword
|
|
309
|
+
- **Category Statistics** - Per-category breakdown of findings
|
|
310
|
+
|
|
311
|
+
---
|
|
312
|
+
|
|
313
|
+
## Extending HARDAX
|
|
314
|
+
|
|
315
|
+
### Adding Custom Checks
|
|
316
|
+
|
|
317
|
+
Create or modify JSON files in the `commands/` directory:
|
|
318
|
+
|
|
319
|
+
```json
|
|
320
|
+
{
|
|
321
|
+
"checks": [
|
|
322
|
+
{
|
|
323
|
+
"category": "CUSTOM",
|
|
324
|
+
"label": "My Custom Port Check",
|
|
325
|
+
"command": "netstat -tlnp 2>/dev/null | grep ':8080'",
|
|
326
|
+
"safe_pattern": "^$",
|
|
327
|
+
"level": "warning",
|
|
328
|
+
"description": "Check if port 8080 is open",
|
|
329
|
+
"empty_is_safe": true
|
|
330
|
+
}
|
|
331
|
+
]
|
|
332
|
+
}
|
|
333
|
+
```
|
|
334
|
+
|
|
335
|
+
### JSON Check Fields
|
|
336
|
+
|
|
337
|
+
| Field | Required | Description |
|
|
338
|
+
|-------|----------|-------------|
|
|
339
|
+
| `category` | Yes | Category name (e.g. SYSTEM, NETWORK) |
|
|
340
|
+
| `label` | Yes | Human-readable check name |
|
|
341
|
+
| `command` | Yes | Shell command to run on device |
|
|
342
|
+
| `safe_pattern` | Yes | Regex pattern that indicates a safe result |
|
|
343
|
+
| `level` | Yes | Severity: `info`, `warning`, `critical` |
|
|
344
|
+
| `description` | Yes | What the check detects |
|
|
345
|
+
| `empty_is_safe` | No | If true, empty output = SAFE |
|
|
346
|
+
| `why` | No | Explanation of why this matters |
|
|
347
|
+
| `risk_if_fail` | No | What risk the failure represents |
|
|
348
|
+
| `nist_800_53` | No | Relevant NIST 800-53 control IDs |
|
|
349
|
+
| `id` | No | Unique check identifier (e.g. BT-001) |
|
|
350
|
+
|
|
351
|
+
---
|
|
352
|
+
|
|
353
|
+
## Project Structure
|
|
354
|
+
|
|
355
|
+
```
|
|
356
|
+
HARDAX/
|
|
357
|
+
├── pyproject.toml # Package metadata, dependencies, entry point
|
|
358
|
+
├── README.md # This file
|
|
359
|
+
├── LICENSE # MIT
|
|
360
|
+
└── hardax/ # The installable Python package
|
|
361
|
+
├── __init__.py # Main engine (was hardax.py)
|
|
362
|
+
├── __main__.py # Enables 'python -m hardax'
|
|
363
|
+
├── templates/
|
|
364
|
+
│ └── report.html # Interactive HTML report template
|
|
365
|
+
└── commands/ # Security check definitions (706 checks, 25 categories)
|
|
366
|
+
├── system.json # 85 checks - Kernel, TEE (QSEE/Mobicore/TEEGRIS/Trusty), SECCOMP, build, emulator
|
|
367
|
+
├── bluetooth.json # 83 checks - BLE/Classic, pairing, all profiles
|
|
368
|
+
├── network.json # 60 checks - Ports, WiFi, VPN, IoT protocols
|
|
369
|
+
├── privacy.json # 47 checks - Biometrics, location, sensors
|
|
370
|
+
├── apps.json # 44 checks - Permissions, overlay, backup, install
|
|
371
|
+
├── binary_hardening.json # 36 checks - PIE, NX, RELRO, stack canaries, ASLR
|
|
372
|
+
├── partition.json # 27 checks - dm-verity, A/B slots, FBE, mount flags
|
|
373
|
+
├── certificate_audit.json # 25 checks - CA certs, expiry, MITM
|
|
374
|
+
├── selinux.json # 25 checks - Enforcement, policy, audit
|
|
375
|
+
├── pos_security.json # 24 checks - PCI-DSS, kiosk, NFC relay, PAX CVE
|
|
376
|
+
├── storage.json # 24 checks - Encryption, partitions, backup
|
|
377
|
+
├── forensic_indicators.json # 22 checks - Crashes, logcat, temp artifacts
|
|
378
|
+
├── attestation.json # 20 checks - SafetyNet/Play Integrity, Knox, Titan M, bypass detection
|
|
379
|
+
├── automotive.json # 20 checks - Vehicle, CAN bus, infotainment
|
|
380
|
+
├── boot_security.json # 20 checks - Verified boot, AVB, dm-verity
|
|
381
|
+
├── cryptography.json # 18 checks - Keystore, StrongBox, algorithms
|
|
382
|
+
├── malware.json # 18 checks - Root, Frida, Xposed, RATs, scrapers
|
|
383
|
+
├── cis_benchmark.json # 17 checks - CIS Android Benchmark v1.6.0
|
|
384
|
+
├── usb_security.json # 16 checks - USB debug, MTP, gadget mode
|
|
385
|
+
├── cve_indicators.json # 15 checks - Dirty Pipe, Bad Binder, MTK-su, kernel CVEs
|
|
386
|
+
├── device_management.json # 13 checks - MDM, accounts, dev options
|
|
387
|
+
├── input.json # 9 checks - Keyboards, accessibility, IME
|
|
388
|
+
├── medical.json # 7 checks - Medical device-specific
|
|
389
|
+
├── nfc_security.json # 7 checks - NFC, reader mode, secure element
|
|
390
|
+
└── adb_security.json # 4 checks - ADB keys, network ADB
|
|
391
|
+
```
|
|
392
|
+
|
|
393
|
+
---
|
|
394
|
+
|
|
395
|
+
## Future Roadmap
|
|
396
|
+
|
|
397
|
+
- [ ] `--category` flag to run specific categories
|
|
398
|
+
- [ ] `--severity` flag to filter by level
|
|
399
|
+
- [ ] `--format json` for JSON output
|
|
400
|
+
- [ ] Exit codes for CI/CD integration
|
|
401
|
+
- [ ] CVE Correlation Engine
|
|
402
|
+
- [ ] Binary Hardening Analysis (ASLR, NX, PIE)
|
|
403
|
+
- [ ] HARDAX Risk Score (0-100)
|
|
404
|
+
- [ ] Save baseline configuration
|
|
405
|
+
- [ ] Diff reports between scans
|
|
406
|
+
- [ ] Device profiles (IoT/Automotive/Medical presets)
|
|
407
|
+
- [ ] CIS Android Benchmark full mapping
|
|
408
|
+
- [ ] OWASP MASVS/MSTG mapping
|
|
409
|
+
- [ ] NIST guidelines mapping
|
|
410
|
+
- [ ] Remediation suggestions
|
|
411
|
+
- [ ] Multi-device parallel scanning
|
|
412
|
+
- [ ] Web dashboard (Flask/FastAPI)
|
|
413
|
+
- [ ] Plugin architecture
|
|
414
|
+
- [ ] APK analysis integration
|
|
415
|
+
- [ ] Firmware extraction support
|
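Review bot: The SSH Mode example and the options list (added lines 211 and 246 of PKG-INFO) take the device password as `--ssh-pass password` on the command line, where it ends up in shell history and is readable by other local users through the process list, and the example pairs it with `--ssh-user root`. Suggest stating that exposure next to the example and making a safer input path (an interactive prompt or key-based login) the documented default, keeping `--ssh-pass` as a fallback for lab use. Separately, the check counts disagree within this same file: the badge on line 68 and the Project Structure comment on line 365 say 706 checks, while the Overview (line 85), the Features table (line 100) and the Security Categories heading (line 267) say 686, and the per-category rows sum to 686. Certificate Audit is also given as 27 checks on line 103 but 25 on line 278. Settle on one figure, ideally derived from the JSON files at build time, and update the rest.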