malvern-cads / centsecure Goto Github PK

Create logging and input common functions to replace logzero.

Disable root login

This needs a custom installation at the moment:
python -m pip install pywin32
Navigate to the python install folder
python Scripts/pywin32_postinstall.py -install

• Minimum password length
• Max password age
• Min password age
• Lockout policy

Instead of keeping it in the repo, clone it
https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js

Switch to secure desktop when prompting for elevation

Allowed users, network level authentication, etc...

Disallow users from changing system time

Ensure any files that currently use the legacy back up system are moved to the newer system

The current way of generating binaries doesn't work very well because they only work on the exact OS that they were built on (e.g. binary built on Ubuntu 19.10 doesn't work on Ubuntu 16.04). So instead have 2 installer scripts (Windows and Linux) which:

• Install Python
• Install dependencies (e.g. git)
• Clone repository to a folder
• Add files to path

Detect all services running, and prompt user whether to disable them or not.
e.g. samba, avahi, ftp...

Enable warnings when installing add-ons, block dangerous downloads, automatically update, etc...

e.g.

[?] (8/368) Would you like to keep the program 'alacarte' (y/n/i)? i
alacarte/oldoldstable,now 3.11.91-2 all [installed]
  easy GNOME menu editing tool
[?] (8/368) Would you like to keep the program 'alacarte' (y/n/i)?

or even just the easy GNOME menu editing tool bit

Linux and Windows issue where the default user changed password doesn't work

Enable, update definitions, automatic scans, etc...

• Firewall on

Remove backdoors

e.g. common.run_full("for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | g rep '^Last password change' | cut -d: -f2)\"; done")

Install and configure security

Need to check these out!

Delete files ending in a list of extensions. For example: .mp3, .mp4, .ogg, .wav, etc...

Implement an easy way to backup files that payloads will change

Check running services (e.g. FTP, RDP, Telnet, UPnP, Remote Registry, etc...)

After Round 3, this probably wants to be made public so the documentation needs cleaning up and removing.

• Minimum password length
• Max password age
• Min password age
• Lockout policy

Ask for list of accounts to create and whether they need to be admin or not. Then create users in the list, remove users not in the list and promote/demote users.

e.g. ASLR is enabled

Hide surname, and require ctrl-alt-del to logon

Currently the file resides in payloads/security_policy.inf

/etc/shadow, /etc/passwd...

I belive the remove software will work on debian, as the code is based on the apt package manager

e.g. if we wanted to back up a home directory, it might contain 'illegal stuff', so archiving will remove any possibility of that being detected.
Also home directories might be quite big, so it might be a good idea to compress as well

Implement a better way of checking/installing cracklib

The win32net module isn't availlible on Linux, so something needs to be done about only loading it for Windows

Automatically create Windows and Linux binaries

IPv4 and IPv6 hardening, secure firewall...

Ask for list of accounts to create and whether they need to be admin or not. Then create users in the list, remove users not in the list and promote/demote users. Also change passwords where appropriate

Add needed software and remove banned software

/tmp sometimes gets cleaned after a reboot and this means that you loose access to the backups

For /etc/login.defs