grapheneX ~ Automated System Hardening Framework

KeyLo99 · 2019-07-25 08:31:50

https://user-images.githubusercontent.c … 7289f0.gif

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

Although the current technology tries to design systems as safe as possible, security flaws and situations that can lead to vulnerabilities caused by unconscious use and missing configurations still exist. The user must be knowledgeable about the technical side of system architecture and should be aware of the importance of securing his/her system from vulnerabilities like this. Unfortunately, it's not possible to know all the details about hardening and necessary commands for every ordinary user and the hardening remains to be a technical issue due to the difficulty of understanding operating system internals. Therefore there are hardening checklists that contain various commands and rules of the specified operating system available such as trimstray/linux-hardening-checklist & Windows Server Hardening Checklist on the internet for providing a set of commands with their sections and of course simplifying the concept for the end user. But still, the user must know the commands and apply the hardening manually depending on the system. That's where the grapheneX exactly comes in play.

The project name is derived from the 'graphene'. Graphene is a one-atom-thick layer of carbon atoms arranged in a hexagonal lattice. In proportion to its thickness, it is about 100 times stronger than the strongest steel.

grapheneX project aims to provide a framework for securing the system with hardening commands automatically. It's designed for the end user as well as the Linux and Windows developers due to the interface options. (interactive shell/web interface) In addition to that, grapheneX can be used to secure a web server/application.

Hardening commands and the scopes of those commands are referred to modules and the namespaces in the project. They exist at the modules.json file after installation. ($PYPATH/site-packages/graphenex/modules.json) Additionally, it's possible to add, edit or remove modules and namespaces. Also, the hardening operation can be automated with the presets that contain a list of modules.

Currently, grapheneX support the hardening sections below. Each of these namespaces contains more than one module.

• Firewall
• User
• Network
• Services
• Kernel
• Filesystem
• Other

GitHub: https://github.com/grapheneX/grapheneX
PyPI: https://pypi.org/project/graphenex/
AUR: https://aur.archlinux.org/packages/graphenex/
Website: https://graphenex.github.io/

Last edited by jasonwryan (2019-07-27 20:36:39)

loqs · 2019-07-27 20:32:11

@Kaylo some of the hardening commands in 1.10 / 6d280fcd22bf58d3b38368f374d70d75197963f5 are a little surprising to me.

          "desc": "Set file permissions of the root user",
          "command": "chown root:root; chmod og-rwx",

Missing targets?

            "desc": "Set permissions on network settings",
            "command": "chmod 02750 /bin/ping ; chmod 02750 /sbin/ifconfig",

On arch this adds setgid but stops none root from using ping (why does root need setgid?) and assumes ifconfig has been installed.

            "desc": "Set permissions of the privilege escalation",
            "command": "chmod 02750 /bin/su ; chmod 02750 /bin/sudo",

Prevent any user who is not root or in the root group from using su / sudo (and on arch replaces setuid with setgid) should the description not details the result?

            "desc": "Disable uncommon filesystems",
            "command": "echo \"install cramfs /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install freevxfs /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install jffs2 /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install hfs /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install hfsplus /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install squashfs /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install udf /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install fat /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install vfat /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install nfs /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install nfsv3 /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf ; echo \"install gfs2 /bin/false\" >> /etc/modprobe.d/uncommon-fs.conf",

Disable loading of vfat which is used for EFI's ESP if that is listed in the systems fstab the system will fail at next boot trigger emergency.target.

            "desc": "Set permissions on the sensitive system files of firewall",
            "command": "chmod 0700 /etc/profile ; chmod 0700 /etc/hosts.allow ; chmod 0700 /etc/mtab ; chmod 0700 /etc/utmp ; chmod 0700 /var/adm/wtmp ; chmod 0700 /etc/syslog.pid",

Why is mtab consider a firewall file? Also it is required to be a symlink by systemd and therefore can not be affected by chmod, utmp wtmp, syslog.pid and profile are also considered firewall files?
If only root can read /etc/profile is that the only user that is intended to log into the system?

Last edited by loqs (2019-08-13 21:28:36)

jasonwryan · 2019-07-27 20:36:58

Read the Code of Conduct and only post thumbnails http://wiki.archlinux.org/index.php/Cod … s_and_code

Moving to Community Contributions

loqs · 2019-08-11 21:23:25

https://github.com/grapheneX/grapheneX/issues/81

I'll be creating a task for searching this issue in detail based on this issue.

While upstream is searching I would suggest this application be avoided as harmful.

KeyLo99 · 2019-08-17 13:50:35

Probably we'll be removing the modules that have suspicious behaviours. Especially the ones that @loqs referenced. Thanks.

loqs · 2019-08-21 22:20:04

@KeyLo99 Thank you for address issue 81

However EnesOkutan does not comment on the the bug or explain the rational for the choices in the original commit but adds back the same commands with 0750 instead of 02750.
Again without anything in the commit message explaining the rational for the commands used.

[1] Is this meant for a single user install where the only user is root?
[2] /etc/sysctl.conf is not used on systemd and does not cover /etc/sysctl.d/* /usr/lib/sysctl.d/*
[3] w and who bot being executable but the data used by those commands in /var/run/utmp and /var/log/wtmp is still accessible, the same data that could also be obatined from /proc
[4] Same question as for [1] plus targets ifconfig over ip
[5] Same question as [1] plus preventing access to whereis is intended to prevent what issue?

None of the documentation grapheneX supplies documents interaction between package managers resetting attributes on files they supply or how that is expected to be handled.

[1] https://github.com/grapheneX/grapheneX/ … d1c4f6127d
[2] https://github.com/grapheneX/grapheneX/ … 91b32b3e2c
[3] https://github.com/grapheneX/grapheneX/ … 0d0f8e3682
[4] https://github.com/grapheneX/grapheneX/ … bb84566aaf

Arch Linux

#1 2019-07-25 08:31:50

grapheneX ~ Automated System Hardening Framework

#2 2019-07-27 20:32:11

Re: grapheneX ~ Automated System Hardening Framework

#3 2019-07-27 20:36:58

Re: grapheneX ~ Automated System Hardening Framework

#4 2019-08-11 21:23:25

Re: grapheneX ~ Automated System Hardening Framework

#5 2019-08-17 13:50:35

Re: grapheneX ~ Automated System Hardening Framework

#6 2019-08-21 22:20:04

Re: grapheneX ~ Automated System Hardening Framework

Board footer