From a9cf7d1537492636295fc6551988b3371e719266 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 25 Jul 2025 16:10:02 +0800 Subject: [PATCH 001/109] init harden tool dir --- os-harden-tools/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 os-harden-tools/.gitkeep diff --git a/os-harden-tools/.gitkeep b/os-harden-tools/.gitkeep new file mode 100644 index 0000000..e69de29 -- Gitee From 19276ac096059d58e455b7de558c3a32395544f7 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Sat, 26 Jul 2025 08:51:19 +0800 Subject: [PATCH 002/109] add docs --- os-harden-tools/docs/README.md | 91 + os-harden-tools/docs/normal.xml | 112 + os-harden-tools/docs/openeuler_defconfig | 8222 ++++++++++++++++++++++ 3 files changed, 8425 insertions(+) create mode 100644 os-harden-tools/docs/README.md create mode 100644 os-harden-tools/docs/normal.xml create mode 100644 os-harden-tools/docs/openeuler_defconfig diff --git a/os-harden-tools/docs/README.md b/os-harden-tools/docs/README.md new file mode 100644 index 0000000..2ba44b2 --- /dev/null +++ b/os-harden-tools/docs/README.md 
@@ -0,0 +1,91 @@
+# 最小安全系统配置指南
+
+可信 (Trusted)
+计算指系统可以按照预定的设计和策略运行,并能够低于病毒和一定程度的物理干扰。为了防止外部实体以及有一定权限的内部人员通过物理、远程等方式对系统进行恶意攻击导致系统无法以预期目的运行,本指南通过内核加固选项和系统组件裁剪两个角度对
+Linux 操作系统进行加固。
+
+本指南面向 aarch64 架构,其他架构可以参照本指南中的通用加固选项和指南进行修改。
+
+## 内核加固选项
+
+本节介绍内核加固的相关编译选项,我们基于 openeuler 默认选项进行了相关的修改和增强。
+
+相关配置文件可以参考 `openeuler_defconfig`。
+将本指南提供的配置文件替换内核构建中的 `.config` 文件,并编译内核后获得加固内核。
+
+### 启动时加固
+
+启动时加固主要指 Linux 内核在启动时针对早期启动时存在的攻击面进行加固或裁剪。
+
+| 选项名称 | 设置值 | 描述 |
+|--------------------------------|-----|---------------|
+| CONFIG_EFI_DISABLE_PCI_DMA | y | 启动时禁用 PCI DMA |
+| CONFIG_RESET_ATTACK_MITIGATION | y | 重启后清空 RAM |
+
+### 内核漏洞防利用
+
+内核漏洞防利用指的是通过加固内核代码,限制出现漏洞后攻击者。
+
+| 选项名称 | 设置值 | 描述 |
+|----------------------------------------|-----|-------------------------------------|
+| CONFIG_DEBUG_WX | y | 启动时检查内核 W+X 权限段 |
+| CONFIG_GCC_PLUGIN_STACKLEAK | y | 离开系统调用前清空内核栈 |
+| CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT | y | 默认开启内核栈地址随机化 |
+| CONFIG_SHADOW_CALL_STACK | y | 开启 Clang Shadow Call Stack 保护控制流完整性 |
+| CONFIG_ARM64_PTR_AUTH_KERNEL | y | 开启 ARMv8.3-A 指针签名技术,保护控制流完整性 |
+
+### 内核特性裁剪
+
+裁剪高危的内核特性,防止攻击者利用并获取内核信息
+
+| 选项名称 | 设置值 | 描述 |
+|--------------------------------|-----|--------------------------------------|
+| CONFIG_DEBUG_FS | n | 禁用 debugfs |
+| CONFIG_DEVMEM | n | 禁用 `/dev/mem` |
+| CONFIG_PROC_KCORE | n | 禁用 `/proc/kcore` |
+| CONFIG_PROC_VMCORE | n | 禁用 `/proc/vmcore` |
+| CONFIG_STACK_TRACER | n | 禁用 `/sys/kernel/tracing/stack_trace` |
+| CONFIG_KEXEC | n | 禁用 `kexec` 动态加载内核 |
+| CONFIG_KEXEC_FILE | n | 禁用 `kexec` 动态加载内核 |
+| CONFIG_USERFAULTFD | n | 禁用 `userfaultfd` 系统调用 |
+| CONFIG_SECURITY_DMESG_RESTRICT | y | 限制 `dmesg` 只能被 root 读取 |
+| CONFIG_SUNRPC_DEBUG | n | 禁用 sunrpc 的 debug 信息输出 |
+| CONFIG_MAGIC_SYSRQ | n | 禁用 sysrq |
+| CONFIG_MAGIC_SYSRQ_SERIAL | n | 禁用 sysrq |
+
+### 内核模块加固
+
+使用更高强度的哈希算法保护内核模块完整性
+
+| 选项名称 | 设置值 | 描述 |
+|--------------------------|-----|----------------|
+| CONFIG_MODULE_SIG_FORCE | y | 强制内核模块签名 |
+| CONFIG_MODULE_SIG_SHA512 | y 
| 使用 SHA512 计算哈希 |
+
+### 用户态加固
+
+内核提供了一系列功能用于用户态程序加固。
+
+| 选项名称 | 设置值 | 描述 |
+|------------------------------|-------|------------------------------------------|
+| CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | `mmap` 可映射的起始地址 |
+| CONFIG_SECURITY_LANDLOCK | y | 访问控制框架 |
+| CONFIG_STATIC_USERMODEHELPER | y | 使用固定的 `usermodehelper` 运行,防止内核拉起恶意程序导致提权 |
+
+## 系统组件裁剪
+
+系统组件裁剪主要通过修改 [oemaker](https://gitee.com/openeuler/oemaker) 配置文件,根据已有的配置进行修改和裁剪,以达到最终构建的
+iso 镜像是最小裁剪系统。
+
+相关配置文件可以参考 `normal.xml`。
+使用本指南提供的配置文件需要进行以下操作:
+
+1. 下载 `oemaker`:
+
+ ```shell
+ yum install oemaker
+ ```
+
+2. 使用本指南提供的配置文件替换 `/opt/oemaker/config/aarch64/normal.xml`
+3. 根据 [oemaker](https://gitee.com/openeuler/oemaker/tree/master) 文档编译 iso 文件获得裁剪系统
+
diff --git a/os-harden-tools/docs/normal.xml b/os-harden-tools/docs/normal.xml
new file mode 100644
index 0000000..afcdcea
--- /dev/null
+++ b/os-harden-tools/docs/normal.xml
@@ -0,0 +1,112 @@ + + + + + core + Core + 核心 + Smallest possible installation + 最小安装 + true + false + + audit + kernel + basesystem + bash + coreutils + cronie + curl + dnf + e2fsprogs + filesystem + firewalld + glibc + grubby + hostname + initscripts + iproute + iprutils + iputils + irqbalance + kbd + kexec-tools + less + man-db + ncurses + openssh + openssh-server + openssh-clients + parted + passwd + policycoreutils + procps-ng + rng-tools + rootfiles + rpm + selinux-policy-targeted + setup + shadow + sssd + sudo + systemd + tuned + util-linux + vim-minimal + xfsprogs + yum + wget + openEuler-release + openEuler-performance + openEuler-latest-release + NetworkManager + NetworkManager-config-server + authselect + dnf-plugins-core + dracut-config-rescue + kernel-tools + sysfsutils + linux-firmware + lshw + lsscsi + rsyslog + security-tool + sg3_utils + dracut-config-generic + dracut-network + rdma-core + selinux-policy-mls + selinux-policy-devel + selinux-policy + setools-console + dim + dim_tools + + + + minimal-environment + Minimal Install + 最小安装 + Basic functionality. + 基本功能。 + 1 + + core + + + standard + + + + + + + + + + + + + diff --git a/os-harden-tools/docs/openeuler_defconfig b/os-harden-tools/docs/openeuler_defconfig new file mode 100644 index 0000000..cb27148 --- /dev/null +++ b/os-harden-tools/docs/openeuler_defconfig 
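Review bot: `kexec-tools` is still listed in the core package group even though the kernel configuration shipped by the same commit compiles both kexec load paths out — the README table sets CONFIG_KEXEC and CONFIG_KEXEC_FILE to `n`, and the defconfig hunk shows `# CONFIG_KEXEC is not set` and `# CONFIG_KEXEC_FILE is not set` while keeping CONFIG_KEXEC_CORE=y and CONFIG_CRASH_DUMP=y. With no load path available the userspace tool cannot stage a kdump or replacement kernel, so on a minimal image it is dead weight that keeps an unneeded binary installed; dropping the `kexec-tools` line (and, if crash dumps are not wanted either, revisiting CONFIG_CRASH_DUMP in the defconfig) would bring the package list in line with the hardening the guide describes. The XML markup appears to have been lost in this rendering, so the group and packagereq structure itself could not be checked here. A short XML comment at the top of the group stating which packages were removed relative to the stock oemaker `normal.xml` and why would help reviewers of later revisions judge the trade-offs.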
@@ -0,0 +1,8222 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/arm64 6.6.0 Kernel Configuration +# +CONFIG_CC_VERSION_TEXT="aarch64-linux-gnueabi-gcc (gcc 12.3.1) 12.3.1 (openEuler 12.3.1-95.oe2403sp2)" +CONFIG_CC_IS_GCC=y +CONFIG_GCC_VERSION=120301 +CONFIG_CLANG_VERSION=0 +CONFIG_AS_IS_GNU=y +CONFIG_AS_VERSION=24100 +CONFIG_LD_IS_BFD=y +CONFIG_LD_VERSION=24100 +CONFIG_LLD_VERSION=0 +CONFIG_CC_CAN_LINK=y +CONFIG_CC_CAN_LINK_STATIC=y +CONFIG_GCC_ASM_GOTO_OUTPUT_BROKEN=y +CONFIG_CC_HAS_ASM_INLINE=y +CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y +CONFIG_PAHOLE_VERSION=0 +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_TABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_INIT_ENV_ARG_LIMIT=32 +# CONFIG_COMPILE_TEST is not set +# CONFIG_WERROR is not set +CONFIG_LOCALVERSION="" +# CONFIG_LOCALVERSION_AUTO is not set +CONFIG_BUILD_SALT="" +CONFIG_DEFAULT_INIT="" +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_SYSVIPC_COMPAT=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +# CONFIG_WATCH_QUEUE is not set +CONFIG_CROSS_MEMORY_ATTACH=y +# CONFIG_USELIB is not set +CONFIG_AUDIT=y +CONFIG_HAVE_ARCH_AUDITSYSCALL=y +CONFIG_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_GENERIC_IRQ_SHOW_LEVEL=y +CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y +CONFIG_GENERIC_IRQ_MIGRATION=y +CONFIG_GENERIC_IRQ_INJECTION=y +CONFIG_HARDIRQS_SW_RESEND=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_IRQ_FASTEOI_HIERARCHY_HANDLERS=y +CONFIG_GENERIC_IRQ_IPI=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_IRQ_MSI_IOMMU=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +# end of IRQ subsystem + +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_ARCH_HAS_TICK_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_HAVE_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y +CONFIG_CONTEXT_TRACKING=y +CONFIG_CONTEXT_TRACKING_IDLE=y + +# +# Timers subsystem +# 
+CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +# CONFIG_NO_HZ_IDLE is not set +CONFIG_NO_HZ_FULL=y +CONFIG_CONTEXT_TRACKING_USER=y +# CONFIG_CONTEXT_TRACKING_USER_FORCE is not set +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y +# CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE is not set +# end of Timers subsystem + +CONFIG_BPF=y +CONFIG_HAVE_EBPF_JIT=y +CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y + +# +# BPF subsystem +# +CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT=y +CONFIG_BPF_JIT_ALWAYS_ON=y +CONFIG_BPF_JIT_DEFAULT_ON=y +# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set +# CONFIG_BPF_PRELOAD is not set +# end of BPF subsystem + +CONFIG_PREEMPT_NONE_BUILD=y +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +# CONFIG_PREEMPT_DYNAMIC is not set + +# +# CPU/Task time and stats accounting +# +CONFIG_VIRT_CPU_ACCOUNTING=y +CONFIG_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_SCHED_AVG_IRQ=y +CONFIG_SCHED_THERMAL_PRESSURE=y +CONFIG_BSD_PROCESS_ACCT=y +CONFIG_BSD_PROCESS_ACCT_V3=y +CONFIG_TASKSTATS=y +CONFIG_TASK_DELAY_ACCT=y +CONFIG_TASK_XACCT=y +CONFIG_TASK_IO_ACCOUNTING=y +CONFIG_PSI=y +CONFIG_PSI_DEFAULT_DISABLED=y +CONFIG_PSI_CGROUP_V1=y +CONFIG_PSI_FINE_GRAINED=y +# end of CPU/Task time and stats accounting + +CONFIG_CPU_ISOLATION=y + +# +# RCU Subsystem +# +CONFIG_TREE_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_TREE_SRCU=y +CONFIG_TASKS_RCU_GENERIC=y +CONFIG_TASKS_TRACE_RCU=y +CONFIG_RCU_STALL_COMMON=y +CONFIG_RCU_NEED_SEGCBLIST=y +CONFIG_RCU_NOCB_CPU=y +# CONFIG_RCU_NOCB_CPU_DEFAULT_ALL is not set +# CONFIG_RCU_LAZY is not set +# end of RCU Subsystem + +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +# CONFIG_IKHEADERS is not set +CONFIG_LOG_BUF_SHIFT=20 +CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 +CONFIG_GENERIC_SCHED_CLOCK=y + +# +# Scheduler features +# +# CONFIG_UCLAMP_TASK is not set +# end of Scheduler features + +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y 
+CONFIG_CC_HAS_INT128=y +CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5" +CONFIG_GCC10_NO_ARRAY_BOUNDS=y +CONFIG_CC_NO_ARRAY_BOUNDS=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_NUMA_BALANCING=y +CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +# CONFIG_CGROUP_FAVOR_DYNMODS is not set +CONFIG_MEMCG=y +CONFIG_MEMCG_V1_RECLAIM=y +CONFIG_MEMCG_MEMFS_INFO=y +CONFIG_MEMCG_OOM_PRIORITY=y +CONFIG_MEMCG_SWAP_QOS=y +CONFIG_MEMCG_KMEM=y +CONFIG_BLK_CGROUP=y +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_V1_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_QOS_SCHED=y +CONFIG_QOS_SCHED_SMT_EXPELLER=y +CONFIG_QOS_SCHED_PRIO_LB=y +CONFIG_QOS_SCHED_MULTILEVEL=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +CONFIG_RT_GROUP_SCHED=y +CONFIG_QOS_SCHED_DYNAMIC_AFFINITY=y +CONFIG_SCHED_SOFT_DOMAIN=y +CONFIG_QOS_SCHED_SMART_GRID=y +CONFIG_CGROUP_PIDS=y +CONFIG_CGROUP_RDMA=y +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_HUGETLB=y +CONFIG_CPUSETS=y +CONFIG_PROC_PID_CPUSET=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y +CONFIG_CGROUP_MISC=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_CGROUP_V1_KILL=y +CONFIG_CGROUP_V1_STAT=y +CONFIG_CGROUP_FILES=y +# CONFIG_CGROUP_IFS is not set +CONFIG_UCOUNTS_PERCPU_COUNTER=y +CONFIG_NAMESPACES=y +CONFIG_UTS_NS=y +CONFIG_TIME_NS=y +CONFIG_IPC_NS=y +CONFIG_USER_NS=y +CONFIG_PID_NS=y +CONFIG_NET_NS=y +CONFIG_SCHED_STEAL=y +CONFIG_CHECKPOINT_RESTORE=y +CONFIG_SCHED_AUTOGROUP=y +CONFIG_RELAY=y +CONFIG_BLK_DEV_INITRD=y +CONFIG_INITRAMFS_SOURCE="" +CONFIG_RD_GZIP=y +CONFIG_RD_BZIP2=y +CONFIG_RD_LZMA=y +CONFIG_RD_XZ=y +CONFIG_RD_LZO=y +CONFIG_RD_LZ4=y +CONFIG_RD_ZSTD=y +CONFIG_INITRAMFS_FILE_METADATA="" +CONFIG_BOOT_CONFIG=y +# CONFIG_BOOT_CONFIG_FORCE is not set +# CONFIG_BOOT_CONFIG_EMBED is not set +# CONFIG_INITRAMFS_PRESERVE_MTIME is not set +CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y +# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set +CONFIG_LD_ORPHAN_WARN=y 
+CONFIG_LD_ORPHAN_WARN_LEVEL="warn" +CONFIG_SYSCTL=y +CONFIG_HAVE_UID16=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_EXPERT=y +CONFIG_UID16=y +CONFIG_MULTIUSER=y +# CONFIG_SGETMASK_SYSCALL is not set +CONFIG_SYSFS_SYSCALL=y +CONFIG_FHANDLE=y +CONFIG_POSIX_TIMERS=y +CONFIG_PRINTK=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_IO_URING=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_MEMBARRIER=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_SELFTEST is not set +CONFIG_KALLSYMS_ALL=y +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_KABI_COMPAT=y +CONFIG_KABI_RESERVE=y +CONFIG_KABI_SIZE_ALIGN_CHECKS=y +CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y +CONFIG_KCMP=y +CONFIG_RSEQ=y +CONFIG_CACHESTAT_SYSCALL=y +# CONFIG_DEBUG_RSEQ is not set +CONFIG_HAVE_PERF_EVENTS=y +CONFIG_GUEST_PERF_EVENTS=y +CONFIG_PERF_USE_VMALLOC=y +# CONFIG_PC104 is not set + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +CONFIG_DEBUG_PERF_USE_VMALLOC=y +# end of Kernel Performance Events And Counters + +CONFIG_SYSTEM_DATA_VERIFICATION=y +CONFIG_PROFILING=y + +# +# Kexec and crash features +# +CONFIG_CRASH_CORE=y +CONFIG_KEXEC_CORE=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +CONFIG_CRASH_DUMP=y +# end of Kexec and crash features +# end of General setup + +CONFIG_ARM64=y +CONFIG_GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_64BIT=y +CONFIG_MMU=y +CONFIG_ARM64_PAGE_SHIFT=12 +CONFIG_ARM64_CONT_PTE_SHIFT=4 +CONFIG_ARM64_CONT_PMD_SHIFT=4 +CONFIG_ARCH_MMAP_RND_BITS_MIN=18 +CONFIG_ARCH_MMAP_RND_BITS_MAX=33 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=11 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_GENERIC_CSUM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_SMP=y 
+CONFIG_KERNEL_MODE_NEON=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_BUILTIN_RETURN_ADDRESS_STRIPS_PAC=y + +# +# Platform selection +# +# CONFIG_ARCH_ACTIONS is not set +# CONFIG_ARCH_SUNXI is not set +# CONFIG_ARCH_ALPINE is not set +# CONFIG_ARCH_APPLE is not set +# CONFIG_ARCH_BCM is not set +# CONFIG_ARCH_BERLIN is not set +# CONFIG_ARCH_BITMAIN is not set +# CONFIG_ARCH_EXYNOS is not set +# CONFIG_ARCH_SPARX5 is not set +# CONFIG_ARCH_K3 is not set +# CONFIG_ARCH_LG1K is not set +CONFIG_ARCH_HISI=y +# CONFIG_ARCH_KEEMBAY is not set +# CONFIG_ARCH_MEDIATEK is not set +# CONFIG_ARCH_MESON is not set +# CONFIG_ARCH_MVEBU is not set +# CONFIG_ARCH_NXP is not set +# CONFIG_ARCH_MA35 is not set +# CONFIG_ARCH_NPCM is not set +CONFIG_ARCH_PHYTIUM=y +CONFIG_ARCH_QCOM=y +# CONFIG_ARCH_REALTEK is not set +# CONFIG_ARCH_RENESAS is not set +# CONFIG_ARCH_ROCKCHIP is not set +CONFIG_ARCH_SEATTLE=y +# CONFIG_ARCH_INTEL_SOCFPGA is not set +# CONFIG_ARCH_STM32 is not set +# CONFIG_ARCH_SYNQUACER is not set +# CONFIG_ARCH_TEGRA is not set +# CONFIG_ARCH_SPRD is not set +CONFIG_ARCH_THUNDER=y +CONFIG_ARCH_THUNDER2=y +# CONFIG_ARCH_UNIPHIER is not set +CONFIG_ARCH_VEXPRESS=y +# CONFIG_ARCH_VISCONTI is not set +CONFIG_ARCH_XGENE=y +# CONFIG_ARCH_ZYNQMP is not set +# end of Platform selection + +CONFIG_HAVE_LIVEPATCH_WO_FTRACE=y + +# +# Enable Livepatch +# +# end of Enable Livepatch + +# +# Kernel Features +# + +# +# Turbo features selection +# +CONFIG_FAST_SYSCALL=y +CONFIG_FAST_IRQ=y +CONFIG_DEBUG_FEATURE_BYPASS=y +CONFIG_ACTLR_XCALL_XINT=y +# end of Turbo features selection + +# +# ARM errata workarounds via the alternatives framework +# +CONFIG_AMPERE_ERRATUM_AC03_CPU_38=y +CONFIG_ARM64_WORKAROUND_CLEAN_CACHE=y +CONFIG_ARM64_ERRATUM_826319=y +CONFIG_ARM64_ERRATUM_827319=y +CONFIG_ARM64_ERRATUM_824069=y +CONFIG_ARM64_ERRATUM_819472=y +CONFIG_ARM64_ERRATUM_832075=y +CONFIG_ARM64_ERRATUM_834220=y 
+CONFIG_ARM64_ERRATUM_1742098=y +CONFIG_ARM64_ERRATUM_845719=y +CONFIG_ARM64_ERRATUM_843419=y +CONFIG_ARM64_LD_HAS_FIX_ERRATUM_843419=y +CONFIG_ARM64_ERRATUM_1024718=y +CONFIG_ARM64_ERRATUM_1418040=y +CONFIG_ARM64_WORKAROUND_SPECULATIVE_AT=y +CONFIG_ARM64_ERRATUM_1165522=y +CONFIG_ARM64_ERRATUM_1319367=y +CONFIG_ARM64_ERRATUM_1530923=y +CONFIG_ARM64_WORKAROUND_REPEAT_TLBI=y +CONFIG_ARM64_ERRATUM_2441007=y +CONFIG_ARM64_ERRATUM_1286807=y +CONFIG_ARM64_ERRATUM_1463225=y +CONFIG_ARM64_ERRATUM_1542419=y +CONFIG_ARM64_ERRATUM_1508412=y +CONFIG_ARM64_WORKAROUND_TRBE_OVERWRITE_FILL_MODE=y +CONFIG_ARM64_ERRATUM_2051678=y +CONFIG_ARM64_ERRATUM_2077057=y +CONFIG_ARM64_ERRATUM_2658417=y +CONFIG_ARM64_ERRATUM_2119858=y +CONFIG_ARM64_ERRATUM_2139208=y +CONFIG_ARM64_WORKAROUND_TSB_FLUSH_FAILURE=y +CONFIG_ARM64_ERRATUM_2054223=y +CONFIG_ARM64_ERRATUM_2067961=y +CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE=y +CONFIG_ARM64_ERRATUM_2253138=y +CONFIG_ARM64_ERRATUM_2224489=y +CONFIG_ARM64_ERRATUM_2441009=y +CONFIG_ARM64_ERRATUM_2064142=y +CONFIG_ARM64_ERRATUM_2038923=y +CONFIG_ARM64_ERRATUM_1902691=y +CONFIG_ARM64_ERRATUM_2457168=y +CONFIG_ARM64_ERRATUM_2645198=y +CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD=y +CONFIG_ARM64_ERRATUM_2966298=y +CONFIG_ARM64_ERRATUM_3117295=y +CONFIG_ARM64_ERRATUM_3194386=y +CONFIG_CAVIUM_ERRATUM_22375=y +CONFIG_CAVIUM_ERRATUM_23144=y +CONFIG_CAVIUM_ERRATUM_23154=y +CONFIG_CAVIUM_ERRATUM_27456=y +CONFIG_CAVIUM_ERRATUM_30115=y +CONFIG_CAVIUM_TX2_ERRATUM_219=y +CONFIG_FUJITSU_ERRATUM_010001=y +CONFIG_HISILICON_ERRATUM_161600802=y +CONFIG_HISILICON_ERRATUM_162100125=y +# CONFIG_HISILICON_ERRATUM_1980005 is not set +CONFIG_HISILICON_ERRATUM_162100801=y +CONFIG_HISILICON_ERRATUM_162100602=y +CONFIG_HISILICON_ERRATUM_162102203=y +CONFIG_QCOM_FALKOR_ERRATUM_1003=y +CONFIG_QCOM_FALKOR_ERRATUM_1009=y +CONFIG_QCOM_QDF2400_ERRATUM_0065=y +CONFIG_QCOM_FALKOR_ERRATUM_E1041=y +CONFIG_NVIDIA_CARMEL_CNP_ERRATUM=y +CONFIG_ROCKCHIP_ERRATUM_3588001=y 
+CONFIG_SOCIONEXT_SYNQUACER_PREITS=y +CONFIG_HISILICON_ERRATUM_HIP08_RU_PREFETCH=y +# CONFIG_HISILICON_HIP08_RU_PREFETCH_DEFAULT_OFF is not set +# end of ARM errata workarounds via the alternatives framework + +CONFIG_ARM64_4K_PAGES=y +# CONFIG_ARM64_16K_PAGES is not set +# CONFIG_ARM64_64K_PAGES is not set +# CONFIG_ARM64_VA_BITS_39 is not set +CONFIG_ARM64_VA_BITS_48=y +CONFIG_ARM64_VA_BITS=48 +CONFIG_ARM64_PA_BITS_48=y +CONFIG_ARM64_PA_BITS=48 +# CONFIG_CPU_BIG_ENDIAN is not set +CONFIG_CPU_LITTLE_ENDIAN=y +CONFIG_SCHED_MC=y +CONFIG_SCHED_CLUSTER=y +CONFIG_SCHED_SMT=y +CONFIG_NR_CPUS=4096 +CONFIG_HOTPLUG_CPU=y +# CONFIG_ARM64_BOOTPARAM_HOTPLUG_CPU0 is not set +CONFIG_NUMA=y +CONFIG_NODES_SHIFT=8 +CONFIG_NUMA_AWARE_SPINLOCKS=y +# CONFIG_ARCH_CUSTOM_NUMA_DISTANCE is not set +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_HW_PERF_EVENTS=y +CONFIG_ARCH_LLC_128_LINE_SIZE=y +CONFIG_CC_HAVE_SHADOW_CALL_STACK=y +CONFIG_PARAVIRT=y +CONFIG_PARAVIRT_SCHED=y +CONFIG_PARAVIRT_TIME_ACCOUNTING=y +CONFIG_ARCH_SUPPORTS_KEXEC=y +CONFIG_ARCH_SUPPORTS_KEXEC_FILE=y +CONFIG_ARCH_SUPPORTS_KEXEC_SIG=y +CONFIG_ARCH_SUPPORTS_KEXEC_IMAGE_VERIFY_SIG=y +CONFIG_ARCH_DEFAULT_KEXEC_IMAGE_VERIFY_SIG=y +CONFIG_ARCH_SUPPORTS_CRASH_DUMP=y +CONFIG_TRANS_TABLE=y +# CONFIG_XEN is not set +CONFIG_ARCH_FORCE_MAX_ORDER=10 +CONFIG_UNMAP_KERNEL_AT_EL0=y +CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y +# CONFIG_RODATA_FULL_DEFAULT_ENABLED is not set +# CONFIG_ARM64_SW_TTBR0_PAN is not set +CONFIG_ARM64_TAGGED_ADDR_ABI=y +CONFIG_AARCH32_EL0=y +# CONFIG_KUSER_HELPERS is not set +# CONFIG_COMPAT_ALIGNMENT_FIXUPS is not set +# CONFIG_COMPAT_TASK_SIZE is not set +CONFIG_ARMV8_DEPRECATED=y +CONFIG_SWP_EMULATION=y +CONFIG_CP15_BARRIER_EMULATION=y +CONFIG_SETEND_EMULATION=y + +# +# ARMv8.1 architectural features +# +CONFIG_ARM64_HW_AFDBM=y +CONFIG_ARM64_PAN=y +CONFIG_AS_HAS_LSE_ATOMICS=y 
+CONFIG_ARM64_LSE_ATOMICS=y +CONFIG_ARM64_USE_LSE_ATOMICS=y +# end of ARMv8.1 architectural features + +# +# ARMv8.2 architectural features +# +CONFIG_AS_HAS_ARMV8_2=y +CONFIG_AS_HAS_SHA3=y +CONFIG_ARM64_PMEM=y +CONFIG_ARM64_RAS_EXTN=y +CONFIG_ARM64_CNP=y +# end of ARMv8.2 architectural features + +# +# ARMv8.3 architectural features +# +CONFIG_ARM64_PTR_AUTH=y +CONFIG_ARM64_PTR_AUTH_KERNEL=y +CONFIG_CC_HAS_BRANCH_PROT_PAC_RET=y +CONFIG_CC_HAS_SIGN_RETURN_ADDRESS=y +CONFIG_AS_HAS_ARMV8_3=y +CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y +CONFIG_AS_HAS_LDAPR=y +# end of ARMv8.3 architectural features + +# +# ARMv8.4 architectural features +# +CONFIG_ARM64_AMU_EXTN=y +CONFIG_AS_HAS_ARMV8_4=y +CONFIG_ARM64_TLB_RANGE=y +CONFIG_ARM64_MPAM=y +# end of ARMv8.4 architectural features + +# +# ARMv8.5 architectural features +# +CONFIG_AS_HAS_ARMV8_5=y +CONFIG_ARM64_BTI=y +CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI=y +CONFIG_ARM64_E0PD=y +CONFIG_ARM64_AS_HAS_MTE=y +CONFIG_ARM64_MTE=y +# end of ARMv8.5 architectural features + +# +# ARMv8.6 architectural features +# +CONFIG_ARM64_TWED=y +CONFIG_ARM64_LS64=y +# end of ARMv8.6 architectural features + +# +# ARMv8.7 architectural features +# +CONFIG_ARM64_EPAN=y +# end of ARMv8.7 architectural features + +# +# ARMv8.8 architectural features +# +CONFIG_ARM64_NMI=y +CONFIG_ARM64_HAFT=y +# end of ARMv8.8 architectural features + +# +# ARMv9.5 architectural features +# +CONFIG_ARM64_HDBSS=y +# end of ARMv9.5 architectural features + +CONFIG_ARM64_HISI_IPIV=y +CONFIG_ARM64_SVE=y +CONFIG_ARM64_PSEUDO_NMI=y +# CONFIG_ARM64_DEBUG_PRIORITY_MASKING is not set +CONFIG_IPI_AS_NMI=y +CONFIG_NON_NMI_IPI_BACKTRACE=y +CONFIG_RELOCATABLE=y +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_MODULE_REGION_FULL=y +CONFIG_KASLR_SKIP_MEM_RANGE=y +CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y +CONFIG_STACKPROTECTOR_PER_TASK=y +CONFIG_ARM64_CONTPTE=y +CONFIG_CLEAR_USER_WORKAROUND=y +# end of Kernel Features + +# +# Boot options +# +CONFIG_ARM64_ACPI_PARKING_PROTOCOL=y 
+CONFIG_CMDLINE="console=ttyAMA0" +CONFIG_CMDLINE_FROM_BOOTLOADER=y +# CONFIG_CMDLINE_FORCE is not set +CONFIG_EFI_STUB=y +CONFIG_EFI=y +CONFIG_DMI=y +# end of Boot options + +CONFIG_COMPAT=y +CONFIG_HISI_VIRTCCA_GUEST=y + +# +# Power management options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_SUSPEND_SKIP_SYNC is not set +CONFIG_HIBERNATE_CALLBACKS=y +CONFIG_HIBERNATION=y +CONFIG_HIBERNATION_SNAPSHOT_DEV=y +CONFIG_PM_STD_PARTITION="" +CONFIG_PM_SLEEP=y +CONFIG_PM_SLEEP_SMP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_USERSPACE_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +CONFIG_PM_DEBUG=y +# CONFIG_PM_ADVANCED_DEBUG is not set +# CONFIG_PM_TEST_SUSPEND is not set +CONFIG_PM_SLEEP_DEBUG=y +# CONFIG_DPM_WATCHDOG is not set +CONFIG_PM_CLK=y +CONFIG_PM_GENERIC_DOMAINS=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_PM_GENERIC_DOMAINS_SLEEP=y +CONFIG_PM_GENERIC_DOMAINS_OF=y +CONFIG_CPU_PM=y +# CONFIG_ENERGY_MODEL is not set +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_HIBERNATION_HEADER=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_CPUIDLE_HALTPOLL=y +# end of Power management options + +# +# CPU Power Management +# + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +# CONFIG_CPU_IDLE_GOV_LADDER is not set +CONFIG_CPU_IDLE_GOV_MENU=y +CONFIG_CPU_IDLE_GOV_TEO=y +CONFIG_CPU_IDLE_GOV_HALTPOLL=y + +# +# ARM CPU Idle Drivers +# +# CONFIG_ARM_PSCI_CPUIDLE is not set +# end of ARM CPU Idle Drivers + +CONFIG_HALTPOLL_CPUIDLE=y +# end of CPU Idle + +# +# CPU Frequency scaling +# +CONFIG_CPU_FREQ=y +CONFIG_CPU_FREQ_GOV_ATTR_SET=y +CONFIG_CPU_FREQ_GOV_COMMON=y +CONFIG_CPU_FREQ_STAT=y +CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y +# CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_USERSPACE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set +# CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_PERFORMANCE=y 
+CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y +CONFIG_CPU_FREQ_GOV_SEEP=m + +# +# CPU frequency scaling drivers +# +# CONFIG_CPUFREQ_DT is not set +# CONFIG_CPUFREQ_DT_PLATDEV is not set +CONFIG_ACPI_CPPC_CPUFREQ=m +CONFIG_CPPC_CPUFREQ_SYSFS_INTERFACE=y +CONFIG_ACPI_CPPC_CPUFREQ_FIE=y +CONFIG_ARM_SCPI_CPUFREQ=m +# CONFIG_ARM_QCOM_CPUFREQ_HW is not set +# end of CPU Frequency scaling +# end of CPU Power Management + +CONFIG_ARCH_SUPPORTS_ACPI=y +CONFIG_ACPI=y +CONFIG_ACPI_GENERIC_GSI=y +CONFIG_ACPI_CCA_REQUIRED=y +CONFIG_ACPI_TABLE_LIB=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SPCR_TABLE=y +# CONFIG_ACPI_FPDT is not set +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_VIDEO=m +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_TAD is not set +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_MCFG=y +CONFIG_ACPI_CPPC_LIB=y +CONFIG_ACPI_PROCESSOR=y +CONFIG_ACPI_IPMI=m +CONFIG_ACPI_THERMAL=y +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +CONFIG_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_PCI_SLOT=y +CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y +CONFIG_ACPI_HED=y +# CONFIG_ACPI_BGRT is not set +CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y +CONFIG_ACPI_NFIT=m +# CONFIG_NFIT_SECURITY_DEBUG is not set +CONFIG_ACPI_NUMA=y +CONFIG_ACPI_HMAT=y +CONFIG_HAVE_ACPI_APEI=y +CONFIG_ACPI_APEI=y +CONFIG_ACPI_APEI_GHES=y +# CONFIG_ACPI_APEI_GHES_NOTIFY_ALL_RAS_ERR is not set +CONFIG_ACPI_APEI_PCIEAER=y +CONFIG_ACPI_APEI_SEA=y +CONFIG_ACPI_APEI_MEMORY_FAILURE=y +# CONFIG_ACPI_APEI_ERST_DEBUG is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_ACPI_PFRUT is not set +CONFIG_ACPI_IORT=y +CONFIG_ACPI_GTDT=y +CONFIG_ACPI_AGDI=y +CONFIG_ACPI_APMT=y +CONFIG_ACPI_MPAM=y +CONFIG_ACPI_PPTT=y +CONFIG_ACPI_PCC=y +CONFIG_ACPI_FFH=y +# CONFIG_PMIC_OPREGION is not set +CONFIG_ACPI_PRMT=y 
+CONFIG_IRQ_BYPASS_MANAGER=y +CONFIG_HAVE_KVM=y +CONFIG_HAVE_KVM_IRQCHIP=y +CONFIG_HAVE_KVM_IRQFD=y +CONFIG_HAVE_KVM_IRQ_ROUTING=y +CONFIG_HAVE_KVM_DIRTY_RING=y +CONFIG_HAVE_KVM_DIRTY_RING_ACQ_REL=y +CONFIG_NEED_KVM_DIRTY_RING_WITH_BITMAP=y +CONFIG_HAVE_KVM_EVENTFD=y +CONFIG_KVM_MMIO=y +CONFIG_HAVE_KVM_MSI=y +CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y +CONFIG_KVM_VFIO=y +CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y +CONFIG_HAVE_KVM_IRQ_BYPASS=y +CONFIG_HAVE_KVM_VCPU_RUN_PID_CHANGE=y +CONFIG_KVM_XFER_TO_GUEST_WORK=y +CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y +CONFIG_KVM_HISI_VIRT=y +CONFIG_VIRTUALIZATION=y +CONFIG_KVM=y +CONFIG_HISI_VIRTCCA_HOST=y +# CONFIG_NVHE_EL2_DEBUG is not set +CONFIG_KVM_ARM_MULTI_LPI_TRANSLATE_CACHE=y +CONFIG_ARCH_VCPU_STAT=y +CONFIG_VIRT_VTIMER_IRQ_BYPASS=y +CONFIG_CPU_MITIGATIONS=y + +# +# General architecture-dependent options +# +CONFIG_ARCH_HAS_SUBPAGE_FAULTS=y +CONFIG_HOTPLUG_SMT=y +CONFIG_HOTPLUG_CORE_SYNC=y +CONFIG_HOTPLUG_CORE_SYNC_DEAD=y +CONFIG_KPROBES=y +CONFIG_JUMP_LABEL=y +# CONFIG_STATIC_KEYS_SELFTEST is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_KRETPROBES=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_ARCH_CORRECT_STACKTRACE_ON_KRETPROBE=y +CONFIG_HAVE_FUNCTION_ERROR_INJECTION=y +CONFIG_HAVE_NMI=y +CONFIG_TRACE_IRQFLAGS_SUPPORT=y +CONFIG_TRACE_IRQFLAGS_NMI_SUPPORT=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_ARCH_HAS_OPTIMIZED_POLL=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_GENERIC_IDLE_POLL_SETUP=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_KEEPINITRD=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_HAS_SET_DIRECT_MAP=y +CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y +CONFIG_ARCH_WANTS_NO_INSTR=y +CONFIG_HAVE_ASM_MODVERSIONS=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_RSEQ=y +CONFIG_HAVE_FUNCTION_ARG_ACCESS_API=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y 
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_HAVE_ARCH_JUMP_LABEL_RELATIVE=y +CONFIG_MMU_GATHER_TABLE_FREE=y +CONFIG_MMU_GATHER_RCU_TABLE_FREE=y +CONFIG_MMU_LAZY_TLB_REFCOUNT=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_ARCH_HAS_NMI_SAFE_THIS_CPU_OPS=y +CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y +CONFIG_HAVE_ARCH_SECCOMP=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y +# CONFIG_SECCOMP_CACHE_DEBUG is not set +CONFIG_HAVE_ARCH_STACKLEAK=y +CONFIG_HAVE_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR=y +CONFIG_STACKPROTECTOR_STRONG=y +CONFIG_ARCH_SUPPORTS_SHADOW_CALL_STACK=y +CONFIG_SHADOW_CALL_STACK=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG=y +CONFIG_ARCH_SUPPORTS_LTO_CLANG_THIN=y +CONFIG_LTO_NONE=y +CONFIG_ARCH_SUPPORTS_CFI_CLANG=y +CONFIG_HAVE_CONTEXT_TRACKING_USER=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_MOVE_PUD=y +CONFIG_HAVE_MOVE_PMD=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_HUGE_VMALLOC=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_PMD_MKWRITE=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK=y +CONFIG_SOFTIRQ_ON_OWN_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_ARCH_MMAP_RND_BITS=18 +CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y +CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 +CONFIG_PAGE_SIZE_LESS_THAN_64KB=y +CONFIG_PAGE_SIZE_LESS_THAN_256KB=y +CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y +CONFIG_CLONE_BACKWARDS=y +CONFIG_OLD_SIGSUSPEND3=y +CONFIG_COMPAT_OLD_SIGACTION=y +CONFIG_COMPAT_32BIT_TIME=y +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET=y +CONFIG_RANDOMIZE_KSTACK_OFFSET=y +CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y 
+CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y
+CONFIG_STRICT_MODULE_RWX=y
+CONFIG_ARCH_HAS_CPU_RESCTRL=y
+CONFIG_HAVE_ARCH_COMPILER_H=y
+CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
+CONFIG_ARCH_USE_MEMREMAP_PROT=y
+CONFIG_ARCH_HAS_RELR=y
+CONFIG_HAVE_PREEMPT_DYNAMIC=y
+CONFIG_HAVE_PREEMPT_DYNAMIC_KEY=y
+CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_PAGE_TABLE_CHECK=y
+CONFIG_ARCH_HAVE_TRACE_MMIO_ACCESS=y
+CONFIG_ARCH_HAS_NONLEAF_PMD_YOUNG=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# end of GCOV-based kernel profiling
+
+#
+# Profile Guided Optimization (PGO)
+#
+CONFIG_ARCH_SUPPORTS_PGO_CLANG=y
+# end of Profile Guided Optimization (PGO)
+
+CONFIG_HAVE_GCC_PLUGINS=y
+CONFIG_GCC_PLUGINS=y
+CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y
+CONFIG_FUNCTION_ALIGNMENT_4B=y
+CONFIG_FUNCTION_ALIGNMENT=4
+# end of General architecture-dependent options
+
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+CONFIG_MODULE_SIG_FORMAT=y
+CONFIG_MODULES=y
+CONFIG_MODULE_FORCE_LOAD=y
+CONFIG_MODULE_UNLOAD=y
+# CONFIG_MODULE_FORCE_UNLOAD is not set
+# CONFIG_MODULE_UNLOAD_TAINT_TRACKING is not set
+CONFIG_MODVERSIONS=y
+CONFIG_ASM_MODVERSIONS=y
+CONFIG_MODULE_SRCVERSION_ALL=y
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+# CONFIG_MODULE_SIG_SHA224 is not set
+# CONFIG_MODULE_SIG_SHA256 is not set
+# CONFIG_MODULE_SIG_SHA384 is not set
+CONFIG_MODULE_SIG_SHA512=y
+# CONFIG_MODULE_SIG_SM3 is not set
+CONFIG_MODULE_SIG_HASH="sha512"
+CONFIG_MODULE_COMPRESS_NONE=y
+# CONFIG_MODULE_COMPRESS_GZIP is not set
+# CONFIG_MODULE_COMPRESS_XZ is not set
+# CONFIG_MODULE_COMPRESS_ZSTD is not set
+# CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
+CONFIG_MODPROBE_PATH="/sbin/modprobe"
+CONFIG_TRIM_UNUSED_KSYMS=y
+CONFIG_UNUSED_KSYMS_WHITELIST=""
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+CONFIG_BLOCK_LEGACY_AUTOLOAD=y
+CONFIG_BLK_RQ_ALLOC_TIME=y
+CONFIG_BLK_CGROUP_RWSTAT=y
+CONFIG_BLK_CGROUP_PUNT_BIO=y
+CONFIG_BLK_DEV_BSG_COMMON=y
+CONFIG_BLK_ICQ=y
+CONFIG_BLK_DEV_BSGLIB=y
+CONFIG_BLK_DEV_INTEGRITY=y
+CONFIG_BLK_DEV_INTEGRITY_T10=m
+CONFIG_BLK_DEV_WRITE_MOUNTED=y
+CONFIG_BLK_DEV_ZONED=y
+CONFIG_BLK_DEV_THROTTLING=y
+# CONFIG_BLK_DEV_THROTTLING_LOW is not set
+CONFIG_BLK_DEV_SUPPORT_LEGACY_GLOBAL_LIMIT=y
+CONFIG_BLK_WBT=y
+CONFIG_BLK_WBT_MQ=y
+# CONFIG_BLK_CGROUP_IOLATENCY is not set
+# CONFIG_BLK_CGROUP_FC_APPID is not set
+CONFIG_BLK_CGROUP_IOCOST=y
+CONFIG_BLK_CGROUP_LEGACY_IOCOST=y
+# CONFIG_BLK_CGROUP_IOPRIO is not set
+# CONFIG_BLK_SED_OPAL is not set
+# CONFIG_BLK_INLINE_ENCRYPTION is not set
+CONFIG_BLK_DEV_DETECT_WRITING_PART0=y
+CONFIG_BLK_DEV_WRITE_MOUNTED_DUMP=y
+CONFIG_BLK_IO_HUNG_TASK_CHECK=y
+
+#
+# Partition Types
+#
+CONFIG_PARTITION_ADVANCED=y
+# CONFIG_ACORN_PARTITION is not set
+# CONFIG_AIX_PARTITION is not set
+CONFIG_OSF_PARTITION=y
+CONFIG_AMIGA_PARTITION=y
+# CONFIG_ATARI_PARTITION is not set
+CONFIG_MAC_PARTITION=y
+CONFIG_MSDOS_PARTITION=y
+CONFIG_BSD_DISKLABEL=y
+CONFIG_MINIX_SUBPARTITION=y
+CONFIG_SOLARIS_X86_PARTITION=y
+CONFIG_UNIXWARE_DISKLABEL=y
+# CONFIG_LDM_PARTITION is not set
+CONFIG_SGI_PARTITION=y
+# CONFIG_ULTRIX_PARTITION is not set
+CONFIG_SUN_PARTITION=y
+CONFIG_KARMA_PARTITION=y
+CONFIG_EFI_PARTITION=y
+# CONFIG_SYSV68_PARTITION is not set
+# CONFIG_CMDLINE_PARTITION is not set
+# end of Partition Types
+
+CONFIG_BLK_MQ_PCI=y
+CONFIG_BLK_MQ_VIRTIO=y
+CONFIG_BLK_PM=y
+CONFIG_BLOCK_HOLDER_DEPRECATED=y
+CONFIG_BLK_MQ_STACKING=y
+
+#
+# IO Schedulers
+#
+CONFIG_MQ_IOSCHED_DEADLINE=y
+CONFIG_MQ_IOSCHED_KYBER=y
+CONFIG_IOSCHED_BFQ=y
+CONFIG_BFQ_GROUP_IOSCHED=y
+# CONFIG_BFQ_CGROUP_DEBUG is not set
+# end of IO Schedulers
+
+CONFIG_PREEMPT_NOTIFIERS=y
+CONFIG_PADATA=y
+CONFIG_ASN1=y
+CONFIG_ARCH_INLINE_SPIN_TRYLOCK=y
+CONFIG_ARCH_INLINE_SPIN_TRYLOCK_BH=y
+CONFIG_ARCH_INLINE_SPIN_LOCK=y
+CONFIG_ARCH_INLINE_SPIN_LOCK_BH=y
+CONFIG_ARCH_INLINE_SPIN_LOCK_IRQ=y
+CONFIG_ARCH_INLINE_SPIN_LOCK_IRQSAVE=y
+CONFIG_ARCH_INLINE_SPIN_UNLOCK=y
+CONFIG_ARCH_INLINE_SPIN_UNLOCK_BH=y
+CONFIG_ARCH_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_ARCH_INLINE_SPIN_UNLOCK_IRQRESTORE=y
+CONFIG_ARCH_INLINE_READ_LOCK=y
+CONFIG_ARCH_INLINE_READ_LOCK_BH=y
+CONFIG_ARCH_INLINE_READ_LOCK_IRQ=y
+CONFIG_ARCH_INLINE_READ_LOCK_IRQSAVE=y
+CONFIG_ARCH_INLINE_READ_UNLOCK=y
+CONFIG_ARCH_INLINE_READ_UNLOCK_BH=y
+CONFIG_ARCH_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_ARCH_INLINE_READ_UNLOCK_IRQRESTORE=y
+CONFIG_ARCH_INLINE_WRITE_LOCK=y
+CONFIG_ARCH_INLINE_WRITE_LOCK_BH=y
+CONFIG_ARCH_INLINE_WRITE_LOCK_IRQ=y
+CONFIG_ARCH_INLINE_WRITE_LOCK_IRQSAVE=y
+CONFIG_ARCH_INLINE_WRITE_UNLOCK=y
+CONFIG_ARCH_INLINE_WRITE_UNLOCK_BH=y
+CONFIG_ARCH_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_INLINE_WRITE_UNLOCK_IRQRESTORE=y
+CONFIG_INLINE_SPIN_TRYLOCK=y
+CONFIG_INLINE_SPIN_TRYLOCK_BH=y
+CONFIG_INLINE_SPIN_LOCK=y
+CONFIG_INLINE_SPIN_LOCK_BH=y
+CONFIG_INLINE_SPIN_LOCK_IRQ=y
+CONFIG_INLINE_SPIN_LOCK_IRQSAVE=y
+CONFIG_INLINE_SPIN_UNLOCK_BH=y
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_SPIN_UNLOCK_IRQRESTORE=y
+CONFIG_INLINE_READ_LOCK=y
+CONFIG_INLINE_READ_LOCK_BH=y
+CONFIG_INLINE_READ_LOCK_IRQ=y
+CONFIG_INLINE_READ_LOCK_IRQSAVE=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_BH=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK_IRQRESTORE=y
+CONFIG_INLINE_WRITE_LOCK=y
+CONFIG_INLINE_WRITE_LOCK_BH=y
+CONFIG_INLINE_WRITE_LOCK_IRQ=y
+CONFIG_INLINE_WRITE_LOCK_IRQSAVE=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_BH=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQRESTORE=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_MUTEX_SPIN_ON_OWNER=y
+CONFIG_RWSEM_SPIN_ON_OWNER=y
+CONFIG_LOCK_SPIN_ON_OWNER=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_QUEUED_RWLOCKS=y
+CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE=y
+CONFIG_ARCH_HAS_SYSCALL_WRAPPER=y
+CONFIG_PID_MAX_PER_NAMESPACE=y
+CONFIG_FREEZER=y
+
+#
+# Executable file formats
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_STATE=y
+CONFIG_ARCH_BINFMT_ELF_EXTRA_PHDRS=y
+CONFIG_ARCH_HAVE_ELF_PROT=y
+CONFIG_ARCH_USE_GNU_PROPERTY=y
+CONFIG_ELFCORE=y
+CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
+CONFIG_BINFMT_SCRIPT=y
+CONFIG_BINFMT_MISC=m
+CONFIG_COREDUMP=y
+# end of Executable file formats
+
+#
+# Memory Management options
+#
+CONFIG_ZPOOL=y
+CONFIG_SWAP=y
+CONFIG_ZSWAP=y
+# CONFIG_ZSWAP_DEFAULT_ON is not set
+# CONFIG_ZSWAP_EXCLUSIVE_LOADS_DEFAULT_ON is not set
+# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_DEFLATE is not set
+CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZO=y
+# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_842 is not set
+# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZ4 is not set
+# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_LZ4HC is not set
+# CONFIG_ZSWAP_COMPRESSOR_DEFAULT_ZSTD is not set
+CONFIG_ZSWAP_COMPRESSOR_DEFAULT="lzo"
+# CONFIG_ZSWAP_ZPOOL_DEFAULT_ZBUD is not set
+# CONFIG_ZSWAP_ZPOOL_DEFAULT_Z3FOLD_DEPRECATED is not set
+CONFIG_ZSWAP_ZPOOL_DEFAULT_ZSMALLOC=y
+CONFIG_ZSWAP_ZPOOL_DEFAULT="zsmalloc"
+CONFIG_ZBUD=y
+# CONFIG_Z3FOLD_DEPRECATED is not set
+CONFIG_ZSMALLOC=y
+# CONFIG_ZSMALLOC_STAT is not set
+CONFIG_ZSMALLOC_CHAIN_SIZE=8
+
+#
+# SLAB allocator options
+#
+# CONFIG_SLAB_DEPRECATED is not set
+CONFIG_SLUB=y
+# CONFIG_SLUB_TINY is not set
+CONFIG_SLAB_MERGE_DEFAULT=y
+CONFIG_SLAB_FREELIST_RANDOM=y
+# CONFIG_SLAB_FREELIST_HARDENED is not set
+# CONFIG_SLUB_STATS is not set
+CONFIG_SLUB_CPU_PARTIAL=y
+# CONFIG_RANDOM_KMALLOC_CACHES is not set
+# end of SLAB allocator options
+
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_SPARSEMEM=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP=y
+CONFIG_HAVE_FAST_GUP=y
+CONFIG_ARCH_KEEP_MEMBLOCK=y
+CONFIG_NUMA_KEEP_MEMINFO=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_EXCLUSIVE_SYSTEM_RAM=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_MHP_MEMMAP_ON_MEMORY=y
+CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+CONFIG_BALLOON_COMPACTION=y
+CONFIG_COMPACTION=y
+CONFIG_COMPACT_UNEVICTABLE_DEFAULT=1
+CONFIG_PAGE_REPORTING=y
+CONFIG_MIGRATION=y
+CONFIG_DEVICE_MIGRATION=y
+CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
+CONFIG_ARCH_ENABLE_THP_MIGRATION=y
+CONFIG_CONTIG_ALLOC=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_MMU_NOTIFIER=y
+CONFIG_KSM=y
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
+CONFIG_MEMORY_FAILURE=y
+CONFIG_HWPOISON_INJECT=m
+CONFIG_ARCH_WANTS_THP_SWAP=y
+CONFIG_TRANSPARENT_HUGEPAGE=y
+CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
+# CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set
+CONFIG_THP_SWAP=y
+CONFIG_READ_ONLY_THP_FOR_FS=y
+CONFIG_PGTABLE_HAS_HUGE_LEAVES=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_USE_PERCPU_NUMA_NODE_ID=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_CMA=y
+# CONFIG_CMA_DEBUG is not set
+# CONFIG_CMA_SYSFS is not set
+CONFIG_CMA_AREAS=7
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
+CONFIG_PAGE_IDLE_FLAG=y
+CONFIG_IDLE_PAGE_TRACKING=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_ARCH_HAS_CURRENT_STACK_POINTER=y
+CONFIG_ARCH_HAS_PTE_DEVMAP=y
+CONFIG_ARCH_HAS_ZONE_DMA_SET=y
+CONFIG_ZONE_DMA=y
+CONFIG_ZONE_DMA32=y
+CONFIG_ZONE_DEVICE=y
+CONFIG_ZONE_EXTMEM=y
+CONFIG_HMM_MIRROR=y
+CONFIG_GET_FREE_REGION=y
+CONFIG_DEVICE_PRIVATE=y
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_USES_PG_ARCH_X=y
+CONFIG_VM_EVENT_COUNTERS=y
+# CONFIG_PERCPU_STATS is not set
+
+#
+# GUP_TEST needs to have DEBUG_FS enabled
+#
+# CONFIG_DMAPOOL_TEST is not set
+CONFIG_ARCH_HAS_PTE_SPECIAL=y
+CONFIG_MEMFD_CREATE=y
+CONFIG_SECRETMEM=y
+# CONFIG_ANON_VMA_NAME is not set
+# CONFIG_USERFAULTFD is not set
+CONFIG_LRU_GEN=y
+# CONFIG_LRU_GEN_ENABLED is not set
+# CONFIG_LRU_GEN_STATS is not set
+CONFIG_ARCH_SUPPORTS_PER_VMA_LOCK=y
+CONFIG_PER_VMA_LOCK=y
+CONFIG_LOCK_MM_AND_FIND_VMA=y
+CONFIG_IOMMU_MM_DATA=y
+# CONFIG_ASCEND_FEATURES is not set
+CONFIG_PAGE_CACHE_LIMIT=y
+# CONFIG_CLEAR_FREELIST_PAGE is not set
+CONFIG_MEMORY_RELIABLE=y
+CONFIG_DYNAMIC_POOL=y
+CONFIG_ETMEM_SCAN=m
+CONFIG_ETMEM_SWAP=m
+CONFIG_ETMEM=y
+# CONFIG_BPF_READAHEAD is not set
+CONFIG_MEM_SAMPLING=y
+CONFIG_NUMABALANCING_MEM_SAMPLING=y
+
+#
+# Data Access Monitoring
+#
+CONFIG_DAMON=y
+CONFIG_DAMON_VADDR=y
+CONFIG_DAMON_MEM_SAMPLING=y
+CONFIG_DAMON_PADDR=y
+CONFIG_DAMON_SYSFS=y
+CONFIG_DAMON_RECLAIM=y
+CONFIG_DAMON_LRU_SORT=y
+# end of Data Access Monitoring
+
+CONFIG_THP_CONTROL=y
+# end of Memory Management options
+
+CONFIG_NET=y
+CONFIG_COMPAT_NETLINK_MESSAGES=y
+CONFIG_NET_INGRESS=y
+CONFIG_NET_EGRESS=y
+CONFIG_NET_XGRESS=y
+CONFIG_NET_REDIRECT=y
+CONFIG_SKB_EXTENSIONS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+CONFIG_PACKET_DIAG=m
+CONFIG_UNIX=y
+CONFIG_UNIX_SCM=y
+CONFIG_AF_UNIX_OOB=y
+CONFIG_UNIX_DIAG=m
+CONFIG_TLS=m
+CONFIG_TLS_DEVICE=y
+# CONFIG_TLS_TOE is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_OFFLOAD=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+# CONFIG_XFRM_INTERFACE is not set
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_AH=m
+CONFIG_XFRM_ESP=m
+CONFIG_XFRM_IPCOMP=m
+CONFIG_NET_KEY=m
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_SMC=m
+CONFIG_SMC_DIAG=m
+CONFIG_SMC_LO=y
+CONFIG_XDP_SOCKETS=y
+CONFIG_XDP_SOCKETS_DIAG=y
+CONFIG_NET_HANDSHAKE=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_FIB_TRIE_STATS=y
+CONFIG_IP_MULTIPLE_TABLES=y
+CONFIG_IP_ROUTE_MULTIPATH=y
+CONFIG_IP_ROUTE_VERBOSE=y
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+CONFIG_NET_IPIP=m
+CONFIG_NET_IPGRE_DEMUX=m
+CONFIG_NET_IP_TUNNEL=m
+CONFIG_NET_IPGRE=m
+CONFIG_NET_IPGRE_BROADCAST=y
+CONFIG_IP_MROUTE_COMMON=y
+CONFIG_IP_MROUTE=y
+CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
+CONFIG_IP_PIMSM_V1=y
+CONFIG_IP_PIMSM_V2=y
+CONFIG_SYN_COOKIES=y
+CONFIG_NET_IPVTI=m
+CONFIG_NET_UDP_TUNNEL=m
+# CONFIG_NET_FOU is not set
+# CONFIG_NET_FOU_IP_TUNNELS is not set
+CONFIG_INET_AH=m
+CONFIG_INET_ESP=m
+CONFIG_INET_ESP_OFFLOAD=m
+# CONFIG_INET_ESPINTCP is not set
+CONFIG_INET_IPCOMP=m
+CONFIG_INET_TABLE_PERTURB_ORDER=16
+CONFIG_INET_XFRM_TUNNEL=m
+CONFIG_INET_TUNNEL=m
+CONFIG_INET_DIAG=m
+CONFIG_INET_TCP_DIAG=m
+CONFIG_INET_UDP_DIAG=m
+CONFIG_INET_RAW_DIAG=m
+# CONFIG_INET_DIAG_DESTROY is not set
+CONFIG_TCP_CONG_ADVANCED=y
+CONFIG_TCP_CONG_BIC=m
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_TCP_CONG_WESTWOOD=m
+CONFIG_TCP_CONG_HTCP=m
+CONFIG_TCP_CONG_HSTCP=m
+CONFIG_TCP_CONG_HYBLA=m
+CONFIG_TCP_CONG_VEGAS=m
+CONFIG_TCP_CONG_NV=m
+CONFIG_TCP_CONG_SCALABLE=m
+CONFIG_TCP_CONG_LP=m
+CONFIG_TCP_CONG_VENO=m
+CONFIG_TCP_CONG_YEAH=m
+CONFIG_TCP_CONG_ILLINOIS=m
+CONFIG_TCP_CONG_DCTCP=m
+# CONFIG_TCP_CONG_CDG is not set
+CONFIG_TCP_CONG_BBR=m
+CONFIG_DEFAULT_CUBIC=y
+# CONFIG_DEFAULT_RENO is not set
+CONFIG_DEFAULT_TCP_CONG="cubic"
+CONFIG_TCP_MD5SIG=y
+CONFIG_TCP_COMP=y
+CONFIG_IPV6=y
+CONFIG_IPV6_ROUTER_PREF=y
+CONFIG_IPV6_ROUTE_INFO=y
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=m
+CONFIG_INET6_ESP=m
+CONFIG_INET6_ESP_OFFLOAD=m
+# CONFIG_INET6_ESPINTCP is not set
+CONFIG_INET6_IPCOMP=m
+CONFIG_IPV6_MIP6=m
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=m
+CONFIG_INET6_TUNNEL=m
+CONFIG_IPV6_VTI=m
+CONFIG_IPV6_SIT=m
+CONFIG_IPV6_SIT_6RD=y
+CONFIG_IPV6_NDISC_NODETYPE=y
+CONFIG_IPV6_TUNNEL=m
+CONFIG_IPV6_GRE=m
+CONFIG_IPV6_MULTIPLE_TABLES=y
+# CONFIG_IPV6_SUBTREES is not set
+CONFIG_IPV6_MROUTE=y
+CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
+CONFIG_IPV6_PIMSM_V2=y
+# CONFIG_IPV6_SEG6_LWTUNNEL is not set
+# CONFIG_IPV6_SEG6_HMAC is not set
+# CONFIG_IPV6_RPL_LWTUNNEL is not set
+# CONFIG_IPV6_IOAM6_LWTUNNEL is not set
+CONFIG_NETLABEL=y
+CONFIG_MPTCP=y
+CONFIG_INET_MPTCP_DIAG=m
+CONFIG_MPTCP_IPV6=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NET_PTP_CLASSIFY=y
+CONFIG_NETWORK_PHY_TIMESTAMPING=y
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_BRIDGE_NETFILTER=m
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_EGRESS=y
+CONFIG_NETFILTER_SKIP_EGRESS=y
+CONFIG_NETFILTER_NETLINK=m
+CONFIG_NETFILTER_FAMILY_BRIDGE=y
+CONFIG_NETFILTER_FAMILY_ARP=y
+CONFIG_NETFILTER_BPF_LINK=y
+# CONFIG_NETFILTER_NETLINK_HOOK is not set
+CONFIG_NETFILTER_NETLINK_ACCT=m
+CONFIG_NETFILTER_NETLINK_QUEUE=m
+CONFIG_NETFILTER_NETLINK_LOG=m
+CONFIG_NETFILTER_NETLINK_OSF=m
+CONFIG_NF_CONNTRACK=m
+CONFIG_NF_LOG_SYSLOG=m
+CONFIG_NETFILTER_CONNCOUNT=m
+CONFIG_NF_CONNTRACK_MARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NF_CONNTRACK_ZONES=y
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+CONFIG_NF_CONNTRACK_TIMEOUT=y
+CONFIG_NF_CONNTRACK_TIMESTAMP=y
+CONFIG_NF_CONNTRACK_LABELS=y
+CONFIG_NF_CONNTRACK_OVS=y
+CONFIG_NF_CT_PROTO_DCCP=y
+CONFIG_NF_CT_PROTO_GRE=y
+CONFIG_NF_CT_PROTO_SCTP=y
+CONFIG_NF_CT_PROTO_UDPLITE=y
+CONFIG_NF_CONNTRACK_AMANDA=m
+CONFIG_NF_CONNTRACK_FTP=m
+CONFIG_NF_CONNTRACK_H323=m
+CONFIG_NF_CONNTRACK_IRC=m
+CONFIG_NF_CONNTRACK_BROADCAST=m
+CONFIG_NF_CONNTRACK_NETBIOS_NS=m
+CONFIG_NF_CONNTRACK_SNMP=m
+CONFIG_NF_CONNTRACK_PPTP=m
+CONFIG_NF_CONNTRACK_SANE=m
+CONFIG_NF_CONNTRACK_SIP=m
+CONFIG_NF_CONNTRACK_TFTP=m
+CONFIG_NF_CT_NETLINK=m
+CONFIG_NF_CT_NETLINK_TIMEOUT=m
+CONFIG_NF_CT_NETLINK_HELPER=m
+CONFIG_NETFILTER_NETLINK_GLUE_CT=y
+CONFIG_NF_NAT=m
+CONFIG_NF_NAT_AMANDA=m
+CONFIG_NF_NAT_FTP=m
+CONFIG_NF_NAT_IRC=m
+CONFIG_NF_NAT_SIP=m
+CONFIG_NF_NAT_TFTP=m
+CONFIG_NF_NAT_REDIRECT=y
+CONFIG_NF_NAT_MASQUERADE=y
+CONFIG_NF_NAT_OVS=y
+CONFIG_NETFILTER_SYNPROXY=m
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_NUMGEN=m
+CONFIG_NFT_CT=m
+# CONFIG_NFT_CONNLIMIT is not set
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_NAT=m
+# CONFIG_NFT_TUNNEL is not set
+CONFIG_NFT_QUEUE=m
+CONFIG_NFT_QUOTA=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_HASH=m
+CONFIG_NFT_FIB=m
+CONFIG_NFT_FIB_INET=m
+# CONFIG_NFT_XFRM is not set
+# CONFIG_NFT_SOCKET is not set
+# CONFIG_NFT_OSF is not set
+# CONFIG_NFT_TPROXY is not set
+# CONFIG_NFT_SYNPROXY is not set
+CONFIG_NF_DUP_NETDEV=m
+CONFIG_NFT_DUP_NETDEV=m
+CONFIG_NFT_FWD_NETDEV=m
+CONFIG_NFT_FIB_NETDEV=m
+# CONFIG_NFT_REJECT_NETDEV is not set
+# CONFIG_NF_FLOW_TABLE is not set
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XTABLES_COMPAT=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=m
+CONFIG_NETFILTER_XT_CONNMARK=m
+CONFIG_NETFILTER_XT_SET=m
+
+#
+# Xtables targets
+#
+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
+CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
+CONFIG_NETFILTER_XT_TARGET_CT=m
+CONFIG_NETFILTER_XT_TARGET_DSCP=m
+CONFIG_NETFILTER_XT_TARGET_HL=m
+CONFIG_NETFILTER_XT_TARGET_HMARK=m
+CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
+CONFIG_NETFILTER_XT_TARGET_LED=m
+CONFIG_NETFILTER_XT_TARGET_LOG=m
+CONFIG_NETFILTER_XT_TARGET_MARK=m
+CONFIG_NETFILTER_XT_NAT=m
+CONFIG_NETFILTER_XT_TARGET_NETMAP=m
+CONFIG_NETFILTER_XT_TARGET_NFLOG=m
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
+CONFIG_NETFILTER_XT_TARGET_RATEEST=m
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
+CONFIG_NETFILTER_XT_TARGET_TEE=m
+CONFIG_NETFILTER_XT_TARGET_TPROXY=m
+CONFIG_NETFILTER_XT_TARGET_TRACE=m
+CONFIG_NETFILTER_XT_TARGET_SECMARK=m
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
+CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
+CONFIG_NETFILTER_XT_MATCH_BPF=m
+CONFIG_NETFILTER_XT_MATCH_CGROUP=m
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
+CONFIG_NETFILTER_XT_MATCH_COMMENT=m
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
+CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
+CONFIG_NETFILTER_XT_MATCH_CPU=m
+CONFIG_NETFILTER_XT_MATCH_DCCP=m
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
+CONFIG_NETFILTER_XT_MATCH_DSCP=m
+CONFIG_NETFILTER_XT_MATCH_ECN=m
+CONFIG_NETFILTER_XT_MATCH_ESP=m
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
+CONFIG_NETFILTER_XT_MATCH_HELPER=m
+CONFIG_NETFILTER_XT_MATCH_HL=m
+CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
+CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
+CONFIG_NETFILTER_XT_MATCH_IPVS=m
+CONFIG_NETFILTER_XT_MATCH_L2TP=m
+CONFIG_NETFILTER_XT_MATCH_LENGTH=m
+CONFIG_NETFILTER_XT_MATCH_LIMIT=m
+CONFIG_NETFILTER_XT_MATCH_MAC=m
+CONFIG_NETFILTER_XT_MATCH_MARK=m
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
+CONFIG_NETFILTER_XT_MATCH_NFACCT=m
+CONFIG_NETFILTER_XT_MATCH_OSF=m
+CONFIG_NETFILTER_XT_MATCH_OWNER=m
+CONFIG_NETFILTER_XT_MATCH_POLICY=m
+CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
+CONFIG_NETFILTER_XT_MATCH_QUOTA=m
+CONFIG_NETFILTER_XT_MATCH_RATEEST=m
+CONFIG_NETFILTER_XT_MATCH_REALM=m
+CONFIG_NETFILTER_XT_MATCH_RECENT=m
+CONFIG_NETFILTER_XT_MATCH_SCTP=m
+CONFIG_NETFILTER_XT_MATCH_SOCKET=m
+CONFIG_NETFILTER_XT_MATCH_STATE=m
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
+CONFIG_NETFILTER_XT_MATCH_STRING=m
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
+CONFIG_NETFILTER_XT_MATCH_TIME=m
+CONFIG_NETFILTER_XT_MATCH_U32=m
+# end of Core Netfilter Configuration
+
+CONFIG_IP_SET=m
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=m
+CONFIG_IP_SET_BITMAP_IPMAC=m
+CONFIG_IP_SET_BITMAP_PORT=m
+CONFIG_IP_SET_HASH_IP=m
+CONFIG_IP_SET_HASH_IPMARK=m
+CONFIG_IP_SET_HASH_IPPORT=m
+CONFIG_IP_SET_HASH_IPPORTIP=m
+CONFIG_IP_SET_HASH_IPPORTNET=m
+# CONFIG_IP_SET_HASH_IPMAC is not set
+CONFIG_IP_SET_HASH_MAC=m
+CONFIG_IP_SET_HASH_NETPORTNET=m
+CONFIG_IP_SET_HASH_NET=m
+CONFIG_IP_SET_HASH_NETNET=m
+CONFIG_IP_SET_HASH_NETPORT=m
+CONFIG_IP_SET_HASH_NETIFACE=m
+CONFIG_IP_SET_LIST_SET=m
+CONFIG_IP_VS=m
+CONFIG_IP_VS_IPV6=y
+# CONFIG_IP_VS_DEBUG is not set
+CONFIG_IP_VS_TAB_BITS=12
+
+#
+# IPVS transport protocol load balancing support
+#
+CONFIG_IP_VS_PROTO_TCP=y
+CONFIG_IP_VS_PROTO_UDP=y
+CONFIG_IP_VS_PROTO_AH_ESP=y
+CONFIG_IP_VS_PROTO_ESP=y
+CONFIG_IP_VS_PROTO_AH=y
+CONFIG_IP_VS_PROTO_SCTP=y
+
+#
+# IPVS scheduler
+#
+CONFIG_IP_VS_RR=m
+CONFIG_IP_VS_WRR=m
+CONFIG_IP_VS_LC=m
+CONFIG_IP_VS_WLC=m
+CONFIG_IP_VS_FO=m
+CONFIG_IP_VS_OVF=m
+CONFIG_IP_VS_LBLC=m
+CONFIG_IP_VS_LBLCR=m
+CONFIG_IP_VS_DH=m
+CONFIG_IP_VS_SH=m
+# CONFIG_IP_VS_MH is not set
+CONFIG_IP_VS_SED=m
+CONFIG_IP_VS_NQ=m
+# CONFIG_IP_VS_TWOS is not set
+
+#
+# IPVS SH scheduler
+#
+CONFIG_IP_VS_SH_TAB_BITS=8
+
+#
+# IPVS MH scheduler
+#
+CONFIG_IP_VS_MH_TAB_INDEX=12
+
+#
+# IPVS application helper
+#
+CONFIG_IP_VS_FTP=m
+CONFIG_IP_VS_NFCT=y
+CONFIG_IP_VS_PE_SIP=m
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=m
+CONFIG_NF_SOCKET_IPV4=m
+CONFIG_NF_TPROXY_IPV4=m
+CONFIG_NF_TABLES_IPV4=y
+CONFIG_NFT_REJECT_IPV4=m
+CONFIG_NFT_DUP_IPV4=m
+CONFIG_NFT_FIB_IPV4=m
+CONFIG_NF_TABLES_ARP=y
+CONFIG_NF_DUP_IPV4=m
+CONFIG_NF_LOG_ARP=m
+CONFIG_NF_LOG_IPV4=m
+CONFIG_NF_REJECT_IPV4=m
+CONFIG_NF_NAT_SNMP_BASIC=m
+CONFIG_NF_NAT_PPTP=m
+CONFIG_NF_NAT_H323=m
+CONFIG_IP_NF_IPTABLES=m
+CONFIG_IP_NF_MATCH_AH=m
+CONFIG_IP_NF_MATCH_ECN=m
+CONFIG_IP_NF_MATCH_RPFILTER=m
+CONFIG_IP_NF_MATCH_TTL=m
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_TARGET_REJECT=m
+CONFIG_IP_NF_TARGET_SYNPROXY=m
+CONFIG_IP_NF_NAT=m
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+CONFIG_IP_NF_TARGET_NETMAP=m
+CONFIG_IP_NF_TARGET_REDIRECT=m
+CONFIG_IP_NF_MANGLE=m
+CONFIG_IP_NF_TARGET_ECN=m
+CONFIG_IP_NF_TARGET_TTL=m
+CONFIG_IP_NF_RAW=m
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP_NF_ARPTABLES=m
+CONFIG_IP_NF_ARPFILTER=m
+CONFIG_IP_NF_ARP_MANGLE=m
+# end of IP: Netfilter Configuration
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_SOCKET_IPV6=m
+CONFIG_NF_TPROXY_IPV6=m
+CONFIG_NF_TABLES_IPV6=y
+CONFIG_NFT_REJECT_IPV6=m
+CONFIG_NFT_DUP_IPV6=m
+CONFIG_NFT_FIB_IPV6=m
+CONFIG_NF_DUP_IPV6=m
+CONFIG_NF_REJECT_IPV6=m
+CONFIG_NF_LOG_IPV6=m
+CONFIG_IP6_NF_IPTABLES=m
+CONFIG_IP6_NF_MATCH_AH=m
+CONFIG_IP6_NF_MATCH_EUI64=m
+CONFIG_IP6_NF_MATCH_FRAG=m
+CONFIG_IP6_NF_MATCH_OPTS=m
+CONFIG_IP6_NF_MATCH_HL=m
+CONFIG_IP6_NF_MATCH_IPV6HEADER=m
+CONFIG_IP6_NF_MATCH_MH=m
+CONFIG_IP6_NF_MATCH_RPFILTER=m
+CONFIG_IP6_NF_MATCH_RT=m
+# CONFIG_IP6_NF_MATCH_SRH is not set
+# CONFIG_IP6_NF_TARGET_HL is not set
+CONFIG_IP6_NF_FILTER=m
+CONFIG_IP6_NF_TARGET_REJECT=m
+CONFIG_IP6_NF_TARGET_SYNPROXY=m
+CONFIG_IP6_NF_MANGLE=m
+CONFIG_IP6_NF_RAW=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_IP6_NF_NAT=m
+CONFIG_IP6_NF_TARGET_MASQUERADE=m
+CONFIG_IP6_NF_TARGET_NPT=m
+# end of IPv6: Netfilter Configuration
+
+CONFIG_NF_DEFRAG_IPV6=m
+CONFIG_NF_TABLES_BRIDGE=m
+# CONFIG_NFT_BRIDGE_META is not set
+CONFIG_NFT_BRIDGE_REJECT=m
+# CONFIG_NF_CONNTRACK_BRIDGE is not set
+CONFIG_BRIDGE_NF_EBTABLES=m
+CONFIG_BRIDGE_EBT_BROUTE=m
+CONFIG_BRIDGE_EBT_T_FILTER=m
+CONFIG_BRIDGE_EBT_T_NAT=m
+CONFIG_BRIDGE_EBT_802_3=m
+CONFIG_BRIDGE_EBT_AMONG=m
+CONFIG_BRIDGE_EBT_ARP=m
+CONFIG_BRIDGE_EBT_IP=m
+CONFIG_BRIDGE_EBT_IP6=m
+CONFIG_BRIDGE_EBT_LIMIT=m
+CONFIG_BRIDGE_EBT_MARK=m
+CONFIG_BRIDGE_EBT_PKTTYPE=m
+CONFIG_BRIDGE_EBT_STP=m
+CONFIG_BRIDGE_EBT_VLAN=m
+CONFIG_BRIDGE_EBT_ARPREPLY=m
+CONFIG_BRIDGE_EBT_DNAT=m
+CONFIG_BRIDGE_EBT_MARK_T=m
+CONFIG_BRIDGE_EBT_REDIRECT=m
+CONFIG_BRIDGE_EBT_SNAT=m
+CONFIG_BRIDGE_EBT_LOG=m
+CONFIG_BRIDGE_EBT_NFLOG=m
+# CONFIG_BPFILTER is not set
+# CONFIG_IP_DCCP is not set
+CONFIG_IP_SCTP=m
+# CONFIG_SCTP_DBG_OBJCNT is not set
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5 is not set
+CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
+CONFIG_SCTP_COOKIE_HMAC_MD5=y
+CONFIG_SCTP_COOKIE_HMAC_SHA1=y
+CONFIG_INET_SCTP_DIAG=m
+# CONFIG_RDS is not set
+CONFIG_TIPC=m
+CONFIG_TIPC_MEDIA_IB=y
+CONFIG_TIPC_MEDIA_UDP=y
+CONFIG_TIPC_CRYPTO=y
+CONFIG_TIPC_DIAG=m
+CONFIG_ATM=m
+CONFIG_ATM_CLIP=m
+# CONFIG_ATM_CLIP_NO_ICMP is not set
+CONFIG_ATM_LANE=m
+# CONFIG_ATM_MPOA is not set
+CONFIG_ATM_BR2684=m
+# CONFIG_ATM_BR2684_IPFILTER is not set
+CONFIG_L2TP=m
+CONFIG_L2TP_V3=y
+CONFIG_L2TP_IP=m
+CONFIG_L2TP_ETH=m
+CONFIG_STP=m
+CONFIG_GARP=m
+CONFIG_MRP=m
+CONFIG_BRIDGE=m
+CONFIG_BRIDGE_IGMP_SNOOPING=y
+CONFIG_BRIDGE_VLAN_FILTERING=y
+# CONFIG_BRIDGE_MRP is not set
+# CONFIG_BRIDGE_CFM is not set
+# CONFIG_NET_DSA is not set
+CONFIG_VLAN_8021Q=m
+CONFIG_VLAN_8021Q_GVRP=y
+CONFIG_VLAN_8021Q_MVRP=y
+CONFIG_LLC=m
+# CONFIG_LLC2 is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+CONFIG_6LOWPAN=m
+# CONFIG_6LOWPAN_NHC is not set
+CONFIG_IEEE802154=m
+# CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set
+CONFIG_IEEE802154_SOCKET=m
+# CONFIG_IEEE802154_6LOWPAN is not set
+CONFIG_MAC802154=m
+CONFIG_NET_SCHED=y
+
+#
+# Queueing/Scheduling
+#
+CONFIG_NET_SCH_HTB=m
+CONFIG_NET_SCH_HFSC=m
+CONFIG_NET_SCH_PRIO=m
+CONFIG_NET_SCH_MULTIQ=m
+CONFIG_NET_SCH_RED=m
+CONFIG_NET_SCH_SFB=m
+CONFIG_NET_SCH_SFQ=m
+CONFIG_NET_SCH_TEQL=m
+CONFIG_NET_SCH_TBF=m
+# CONFIG_NET_SCH_CBS is not set
+# CONFIG_NET_SCH_ETF is not set
+CONFIG_NET_SCH_MQPRIO_LIB=m
+# CONFIG_NET_SCH_TAPRIO is not set
+CONFIG_NET_SCH_GRED=m
+CONFIG_NET_SCH_NETEM=m
+CONFIG_NET_SCH_DRR=m
+CONFIG_NET_SCH_MQPRIO=m
+# CONFIG_NET_SCH_SKBPRIO is not set
+CONFIG_NET_SCH_CHOKE=m
+CONFIG_NET_SCH_QFQ=m
+CONFIG_NET_SCH_CODEL=m
+CONFIG_NET_SCH_FQ_CODEL=y
+# CONFIG_NET_SCH_CAKE is not set
+CONFIG_NET_SCH_FQ=m
+CONFIG_NET_SCH_HHF=m
+CONFIG_NET_SCH_PIE=m
+# CONFIG_NET_SCH_FQ_PIE is not set
+CONFIG_NET_SCH_INGRESS=m
+CONFIG_NET_SCH_PLUG=m
+# CONFIG_NET_SCH_ETS is not set
+CONFIG_NET_SCH_DEFAULT=y
+# CONFIG_DEFAULT_FQ is not set
+# CONFIG_DEFAULT_CODEL is not set
+CONFIG_DEFAULT_FQ_CODEL=y
+# CONFIG_DEFAULT_SFQ is not set
+# CONFIG_DEFAULT_PFIFO_FAST is not set
+CONFIG_DEFAULT_NET_SCH="fq_codel"
+
+#
+# Classification
+#
+CONFIG_NET_CLS=y
+CONFIG_NET_CLS_BASIC=m
+CONFIG_NET_CLS_ROUTE4=m
+CONFIG_NET_CLS_FW=m
+CONFIG_NET_CLS_U32=m
+CONFIG_CLS_U32_PERF=y
+CONFIG_CLS_U32_MARK=y
+CONFIG_NET_CLS_FLOW=m
+CONFIG_NET_CLS_CGROUP=y
+CONFIG_NET_CLS_BPF=m
+CONFIG_NET_CLS_FLOWER=m
+CONFIG_NET_CLS_MATCHALL=m
+CONFIG_NET_EMATCH=y
+CONFIG_NET_EMATCH_STACK=32
+CONFIG_NET_EMATCH_CMP=m
+CONFIG_NET_EMATCH_NBYTE=m
+CONFIG_NET_EMATCH_U32=m
+CONFIG_NET_EMATCH_META=m
+CONFIG_NET_EMATCH_TEXT=m
+# CONFIG_NET_EMATCH_CANID is not set
+CONFIG_NET_EMATCH_IPSET=m
+# CONFIG_NET_EMATCH_IPT is not set
+CONFIG_NET_CLS_ACT=y
+CONFIG_NET_ACT_POLICE=m
+CONFIG_NET_ACT_GACT=m
+CONFIG_GACT_PROB=y
+CONFIG_NET_ACT_MIRRED=m
+CONFIG_NET_ACT_SAMPLE=m
+# CONFIG_NET_ACT_IPT is not set
+CONFIG_NET_ACT_NAT=m
+CONFIG_NET_ACT_PEDIT=m
+CONFIG_NET_ACT_SIMP=m
+CONFIG_NET_ACT_SKBEDIT=m
+CONFIG_NET_ACT_CSUM=m
+# CONFIG_NET_ACT_MPLS is not set
+CONFIG_NET_ACT_VLAN=m
+CONFIG_NET_ACT_BPF=m
+# CONFIG_NET_ACT_CONNMARK is not set
+# CONFIG_NET_ACT_CTINFO is not set
+CONFIG_NET_ACT_SKBMOD=m
+# CONFIG_NET_ACT_IFE is not set
+CONFIG_NET_ACT_TUNNEL_KEY=m
+# CONFIG_NET_ACT_GATE is not set
+# CONFIG_NET_TC_SKB_EXT is not set
+CONFIG_NET_SCH_FIFO=y
+CONFIG_DCB=y
+CONFIG_DNS_RESOLVER=m
+# CONFIG_BATMAN_ADV is not set
+CONFIG_OPENVSWITCH=m
+CONFIG_OPENVSWITCH_GRE=m
+CONFIG_OPENVSWITCH_VXLAN=m
+CONFIG_OPENVSWITCH_GENEVE=m
+CONFIG_VSOCKETS=m
+CONFIG_VSOCKETS_DIAG=m
+CONFIG_VSOCKETS_LOOPBACK=m
+CONFIG_VIRTIO_VSOCKETS=m
+CONFIG_VIRTIO_VSOCKETS_COMMON=m
+CONFIG_NETLINK_DIAG=m
+CONFIG_MPLS=y
+CONFIG_NET_MPLS_GSO=m
+# CONFIG_MPLS_ROUTING is not set
+CONFIG_NET_NSH=m
+# CONFIG_HSR is not set
+CONFIG_NET_SWITCHDEV=y
+CONFIG_NET_L3_MASTER_DEV=y
+# CONFIG_QRTR is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_PCPU_DEV_REFCNT=y
+CONFIG_MAX_SKB_FRAGS=17
+CONFIG_RPS=y
+CONFIG_RFS_ACCEL=y
+CONFIG_SOCK_RX_QUEUE_MAPPING=y
+CONFIG_XPS=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+CONFIG_BPF_STREAM_PARSER=y
+CONFIG_NET_FLOW_LIMIT=y
+
+#
+# Network testing
+#
+CONFIG_NET_PKTGEN=m
+# end of Network testing
+# end of Networking options
+
+# CONFIG_HAMRADIO is not set
+CONFIG_CAN=m
+CONFIG_CAN_RAW=m
+CONFIG_CAN_BCM=m
+CONFIG_CAN_GW=m
+# CONFIG_CAN_J1939 is not set
+# CONFIG_CAN_ISOTP is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+CONFIG_STREAM_PARSER=y
+# CONFIG_MCTP is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+CONFIG_WEXT_CORE=y
+CONFIG_WEXT_PROC=y
+CONFIG_CFG80211=m
+# CONFIG_NL80211_TESTMODE is not set
+# CONFIG_CFG80211_DEVELOPER_WARNINGS is not set
+# CONFIG_CFG80211_CERTIFICATION_ONUS is not set
+CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
+CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y
+CONFIG_CFG80211_DEFAULT_PS=y
+CONFIG_CFG80211_CRDA_SUPPORT=y
+CONFIG_CFG80211_WEXT=y
+CONFIG_MAC80211=m
+CONFIG_MAC80211_HAS_RC=y
+CONFIG_MAC80211_RC_MINSTREL=y
+CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y
+CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"
+# CONFIG_MAC80211_MESH is not set
+CONFIG_MAC80211_LEDS=y
+# CONFIG_MAC80211_DEBUG_MENU is not set
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+CONFIG_RFKILL=m
+CONFIG_RFKILL_LEDS=y
+CONFIG_RFKILL_INPUT=y
+CONFIG_RFKILL_GPIO=m
+CONFIG_NET_9P=m
+CONFIG_NET_9P_FD=m
+CONFIG_NET_9P_VIRTIO=m
+# CONFIG_NET_9P_RDMA is not set
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+CONFIG_CEPH_LIB=m
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+CONFIG_CEPH_LIB_USE_DNS_RESOLVER=y
+# CONFIG_NFC is not set
+CONFIG_PSAMPLE=m
+# CONFIG_NET_IFE is not set
+CONFIG_LWTUNNEL=y
+CONFIG_LWTUNNEL_BPF=y
+CONFIG_DST_CACHE=y
+CONFIG_GRO_CELLS=y
+CONFIG_SOCK_VALIDATE_XMIT=y
+CONFIG_NET_SELFTESTS=y
+CONFIG_NET_SOCK_MSG=y
+CONFIG_NET_DEVLINK=y
+CONFIG_PAGE_POOL=y
+CONFIG_PAGE_POOL_STATS=y
+CONFIG_FAILOVER=m
+CONFIG_ETHTOOL_NETLINK=y
+CONFIG_NETACC_BPF=y
+CONFIG_NETACC_TERRACE=y
+# CONFIG_ETH_CAQM is not set
+
+#
+# Device Drivers
+#
+CONFIG_ARM_AMBA=y
+CONFIG_HAVE_PCI=y
+CONFIG_PCI=y
+CONFIG_PCI_DOMAINS=y
+CONFIG_PCI_DOMAINS_GENERIC=y
+CONFIG_PCI_SYSCALL=y
+CONFIG_PCIEPORTBUS=y
+CONFIG_HOTPLUG_PCI_PCIE=y
+CONFIG_PCIEAER=y
+CONFIG_PCIEAER_INJECT=m
+CONFIG_PCIEAER_CXL=y
+CONFIG_PCIE_ECRC=y
+CONFIG_PCIEASPM=y
+CONFIG_PCIEASPM_DEFAULT=y
+# CONFIG_PCIEASPM_POWERSAVE is not set
+# CONFIG_PCIEASPM_POWER_SUPERSAVE is not set
+# CONFIG_PCIEASPM_PERFORMANCE is not set
+CONFIG_PCIE_PME=y
+CONFIG_PCIE_DPC=y
+# CONFIG_PCIE_PTM is not set
+CONFIG_PCIE_EDR=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+CONFIG_PCI_STUB=y
+# CONFIG_PCI_PF_STUB is not set
+CONFIG_PCI_ATS=y
+CONFIG_PCI_DOE=y
+CONFIG_PCI_ECAM=y
+CONFIG_PCI_IOV=y
+CONFIG_PCI_PRI=y
+CONFIG_PCI_PASID=y
+CONFIG_PCI_P2PDMA=y
+CONFIG_PCI_LABEL=y
+# CONFIG_PCI_DYNAMIC_OF_NODES is not set
+# CONFIG_PCIE_BUS_TUNE_OFF is not set
+CONFIG_PCIE_BUS_DEFAULT=y
+# CONFIG_PCIE_BUS_SAFE is not set
+# CONFIG_PCIE_BUS_PERFORMANCE is not set
+# CONFIG_PCIE_BUS_PEER2PEER is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=64
+CONFIG_HOTPLUG_PCI=y
+CONFIG_HOTPLUG_PCI_ACPI=y
+CONFIG_HOTPLUG_PCI_ACPI_IBM=m
+# CONFIG_HOTPLUG_PCI_CPCI is not set
+CONFIG_HOTPLUG_PCI_SHPC=y
+
+#
+# PCI controller drivers
+#
+# CONFIG_PCIE_ALTERA is not set
+CONFIG_PCI_HOST_THUNDER_PEM=y
+CONFIG_PCI_HOST_THUNDER_ECAM=y
+# CONFIG_PCI_FTPCI100 is not set
+CONFIG_PCI_HOST_COMMON=y
+CONFIG_PCI_HOST_GENERIC=y
+# CONFIG_PCIE_HISI_ERR is not set
+# CONFIG_PCIE_MICROCHIP_HOST is not set
+CONFIG_PCI_XGENE=y
+CONFIG_PCI_XGENE_MSI=y
+# CONFIG_PCIE_XILINX is not set
+
+#
+# Cadence-based PCIe controllers
+#
+# CONFIG_PCIE_CADENCE_PLAT_HOST is not set
+# CONFIG_PCI_J721E_HOST is not set
+# end of Cadence-based PCIe controllers
+
+#
+# DesignWare-based PCIe controllers
+#
+CONFIG_PCIE_DW=y
+CONFIG_PCIE_DW_HOST=y
+# CONFIG_PCIE_AL is not set
+# CONFIG_PCI_MESON is not set
+CONFIG_PCI_HISI=y
+# CONFIG_PCIE_KIRIN is not set
+# CONFIG_PCIE_HISI_STB is not set
+# CONFIG_PCIE_DW_PLAT_HOST is not set
+# CONFIG_PCIE_QCOM is not set
+# end of DesignWare-based PCIe controllers
+
+#
+# Mobiveil-based PCIe controllers
+#
+# end of Mobiveil-based PCIe controllers
+# end of PCI controller drivers
+
+#
+# PCI Endpoint
+#
+# CONFIG_PCI_ENDPOINT is not set
+# end of PCI Endpoint
+
+#
+# PCI switch controller drivers
+#
+# CONFIG_PCI_SW_SWITCHTEC is not set
+# end of PCI switch controller drivers
+
+CONFIG_CXL_BUS=m
+CONFIG_CXL_PCI=m
+# CONFIG_CXL_MEM_RAW_COMMANDS is not set
+CONFIG_CXL_ACPI=m
+CONFIG_CXL_PMEM=m
+CONFIG_CXL_MEM=m
+CONFIG_CXL_PORT=m
+CONFIG_CXL_SUSPEND=y
+CONFIG_CXL_REGION=y
+# CONFIG_CXL_REGION_INVALIDATION_TEST is not set
+CONFIG_CXL_PMU=m
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+
+#
+# Generic Driver Options
+#
+CONFIG_AUXILIARY_BUS=y
+# CONFIG_UEVENT_HELPER is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_DEVTMPFS_SAFE is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+
+#
+# Firmware loader
+#
+CONFIG_FW_LOADER=y
+CONFIG_FW_LOADER_DEBUG=y
+CONFIG_FW_LOADER_PAGED_BUF=y
+CONFIG_FW_LOADER_SYSFS=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER is not set
+# CONFIG_FW_LOADER_COMPRESS is not set
+CONFIG_FW_CACHE=y
+CONFIG_FW_UPLOAD=y
+# end of Firmware loader
+
+CONFIG_WANT_DEV_COREDUMP=y
+# CONFIG_ALLOW_DEV_COREDUMP is not set
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
+CONFIG_HMEM_REPORTING=y
+# CONFIG_TEST_ASYNC_DRIVER_PROBE is not set
+CONFIG_GENERIC_CPU_DEVICES=y
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+CONFIG_GENERIC_CPU_VULNERABILITIES=y
+CONFIG_SOC_BUS=y
+CONFIG_REGMAP=y
+CONFIG_REGMAP_I2C=m
+CONFIG_REGMAP_SPI=m
+CONFIG_REGMAP_MMIO=y
+CONFIG_DMA_SHARED_BUFFER=y
+# CONFIG_DMA_FENCE_TRACE is not set
+CONFIG_GENERIC_ARCH_TOPOLOGY=y
+CONFIG_GENERIC_ARCH_NUMA=y
+# CONFIG_FW_DEVLINK_SYNC_STATE_TIMEOUT is not set
+# end of Generic Driver Options
+
+#
+# Bus devices
+#
+# CONFIG_BRCMSTB_GISB_ARB is not set
+# CONFIG_MOXTET is not set
+CONFIG_HISILICON_LPC=y
+CONFIG_QCOM_EBI2=y
+# CONFIG_QCOM_SSC_BLOCK_BUS is not set
+CONFIG_VEXPRESS_CONFIG=y
+# CONFIG_MHI_BUS is not set
+# CONFIG_MHI_BUS_EP is not set
+# end of Bus devices
+
+#
+# Cache Drivers
+#
+# end of Cache Drivers
+
+CONFIG_CONNECTOR=y
+CONFIG_PROC_EVENTS=y
+
+#
+# Firmware Drivers
+#
+
+#
+# ARM System Control and Management Interface Protocol
+#
+# CONFIG_ARM_SCMI_PROTOCOL is not set
+# end of ARM System Control and Management Interface Protocol
+
+CONFIG_ARM_SCPI_PROTOCOL=m
+CONFIG_ARM_SCPI_POWER_DOMAIN=m
+CONFIG_ARM_SDE_INTERFACE=y
+# CONFIG_FIRMWARE_MEMMAP is not set
+CONFIG_DMIID=y
+CONFIG_DMI_SYSFS=y
+# CONFIG_ISCSI_IBFT is not set
+CONFIG_FW_CFG_SYSFS=y
+# CONFIG_FW_CFG_SYSFS_CMDLINE is not set
+CONFIG_QCOM_SCM=y
+# CONFIG_QCOM_SCM_DOWNLOAD_MODE_DEFAULT is not set
+CONFIG_SYSFB=y
+# CONFIG_SYSFB_SIMPLEFB is not set
+# CONFIG_ARM_FFA_TRANSPORT is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# EFI (Extensible Firmware Interface) Support
+#
+CONFIG_EFI_ESRT=y
+CONFIG_EFI_VARS_PSTORE=y
+CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y
+CONFIG_EFI_SOFT_RESERVE=y
+CONFIG_EFI_PARAMS_FROM_FDT=y
+CONFIG_EFI_RUNTIME_WRAPPERS=y
+CONFIG_EFI_GENERIC_STUB=y
+# CONFIG_EFI_ZBOOT is not set
+CONFIG_EFI_ARMSTUB_DTB_LOADER=y
+# CONFIG_EFI_BOOTLOADER_CONTROL is not set
+# CONFIG_EFI_CAPSULE_LOADER is not set
+# CONFIG_EFI_TEST is not set
+CONFIG_RESET_ATTACK_MITIGATION=y
+CONFIG_EFI_DISABLE_PCI_DMA=y
+CONFIG_EFI_EARLYCON=y
+CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y
+# CONFIG_EFI_DISABLE_RUNTIME is not set
+# CONFIG_EFI_COCO_SECRET is not set
+# end of EFI (Extensible Firmware Interface) Support
+
+CONFIG_UEFI_CPER=y
+CONFIG_UEFI_CPER_ARM=y
+CONFIG_ARM_PSCI_FW=y
+# CONFIG_ARM_PSCI_CHECKER is not set
+CONFIG_HAVE_ARM_SMCCC=y
+CONFIG_HAVE_ARM_SMCCC_DISCOVERY=y
+CONFIG_ARM_SMCCC_SOC_ID=y
+
+#
+# Tegra firmware driver
+#
+# end of Tegra firmware driver
+# end of Firmware Drivers
+
+# CONFIG_GNSS is not set
+CONFIG_MTD=m
+# CONFIG_MTD_TESTS is not set
+
+#
+# Partition parsers
+#
+# CONFIG_MTD_AR7_PARTS is not set
+CONFIG_MTD_CMDLINE_PARTS=m
+CONFIG_MTD_OF_PARTS=m
+# CONFIG_MTD_AFS_PARTS is not set
+# CONFIG_MTD_REDBOOT_PARTS is not set
+# end of Partition parsers
+
+#
+# User Modules And Translation Layers
+#
+CONFIG_MTD_BLKDEVS=m
+CONFIG_MTD_BLOCK=m
+# CONFIG_MTD_BLOCK_RO is not set
+
+#
+# Note that in some cases UBI block is preferred. See MTD_UBI_BLOCK.
+#
+# CONFIG_FTL is not set
+# CONFIG_NFTL is not set
+# CONFIG_INFTL is not set
+# CONFIG_RFD_FTL is not set
+# CONFIG_SSFDC is not set
+# CONFIG_SM_FTL is not set
+# CONFIG_MTD_OOPS is not set
+# CONFIG_MTD_SWAP is not set
+# CONFIG_MTD_PARTITIONED_MASTER is not set
+
+#
+# RAM/ROM/Flash chip drivers
+#
+CONFIG_MTD_CFI=m
+# CONFIG_MTD_JEDECPROBE is not set
+CONFIG_MTD_GEN_PROBE=m
+CONFIG_MTD_CFI_ADV_OPTIONS=y
+CONFIG_MTD_CFI_NOSWAP=y
+# CONFIG_MTD_CFI_BE_BYTE_SWAP is not set
+# CONFIG_MTD_CFI_LE_BYTE_SWAP is not set
+CONFIG_MTD_CFI_GEOMETRY=y
+CONFIG_MTD_MAP_BANK_WIDTH_1=y
+CONFIG_MTD_MAP_BANK_WIDTH_2=y
+CONFIG_MTD_MAP_BANK_WIDTH_4=y
+CONFIG_MTD_MAP_BANK_WIDTH_8=y
+# CONFIG_MTD_MAP_BANK_WIDTH_16 is not set
+# CONFIG_MTD_MAP_BANK_WIDTH_32 is not set
+CONFIG_MTD_CFI_I1=y
+CONFIG_MTD_CFI_I2=y
+# CONFIG_MTD_CFI_I4 is not set
+# CONFIG_MTD_CFI_I8 is not set
+# CONFIG_MTD_OTP is not set
+CONFIG_MTD_CFI_INTELEXT=m
+CONFIG_MTD_CFI_AMDSTD=m
+CONFIG_MTD_CFI_STAA=m
+CONFIG_MTD_CFI_UTIL=m
+# CONFIG_MTD_RAM is not set
+# CONFIG_MTD_ROM is not set
+# CONFIG_MTD_ABSENT is not set
+# end of RAM/ROM/Flash chip drivers
+
+#
+# Mapping drivers for chip access
+#
+# CONFIG_MTD_COMPLEX_MAPPINGS is not set
+CONFIG_MTD_PHYSMAP=m
+# CONFIG_MTD_PHYSMAP_COMPAT is not set
+CONFIG_MTD_PHYSMAP_OF=y
+# CONFIG_MTD_PHYSMAP_VERSATILE is not set
+# CONFIG_MTD_PHYSMAP_GEMINI is not set
+# CONFIG_MTD_INTEL_VR_NOR is not set
+# CONFIG_MTD_PLATRAM is not set
+# end of Mapping drivers for chip access
+
+#
+# Self-contained MTD device drivers
+#
+# CONFIG_MTD_PMC551 is not set
+# CONFIG_MTD_DATAFLASH is not set
+# CONFIG_MTD_MCHP23K256 is not set
+# CONFIG_MTD_MCHP48L640 is not set
+# CONFIG_MTD_SST25L is not set
+# CONFIG_MTD_SLRAM is not set
+# CONFIG_MTD_PHRAM is not set
+# CONFIG_MTD_MTDRAM is not set
+CONFIG_MTD_BLOCK2MTD=m
+
+#
+# Disk-On-Chip Device Drivers
+#
+# CONFIG_MTD_DOCG3 is not set
+# end of Self-contained MTD device drivers
+
+#
+# NAND
+#
+# CONFIG_MTD_ONENAND is not set
+# CONFIG_MTD_RAW_NAND is not set
+# CONFIG_MTD_SPI_NAND is not set
+
+#
+# ECC engine support
+#
+# CONFIG_MTD_NAND_ECC_SW_HAMMING is not set
+# CONFIG_MTD_NAND_ECC_SW_BCH is not set
+# CONFIG_MTD_NAND_ECC_MXIC is not set
+# end of ECC engine support
+# end of NAND
+
+#
+# LPDDR & LPDDR2 PCM memory drivers
+#
+# CONFIG_MTD_LPDDR is not set
+# end of LPDDR & LPDDR2 PCM memory drivers
+
+CONFIG_MTD_SPI_NOR=m
+CONFIG_MTD_SPI_NOR_USE_4K_SECTORS=y
+# CONFIG_MTD_SPI_NOR_SWP_DISABLE is not set
+CONFIG_MTD_SPI_NOR_SWP_DISABLE_ON_VOLATILE=y
+# CONFIG_MTD_SPI_NOR_SWP_KEEP is not set
+CONFIG_SPI_HISI_SFC=m
+CONFIG_MTD_UBI=m
+CONFIG_MTD_UBI_WL_THRESHOLD=4096
+CONFIG_MTD_UBI_BEB_LIMIT=20
+# CONFIG_MTD_UBI_FASTMAP is not set
+CONFIG_MTD_UBI_GLUEBI=m
+# CONFIG_MTD_UBI_BLOCK is not set
+# CONFIG_MTD_HYPERBUS is not set
+CONFIG_DTC=y
+CONFIG_OF=y
+# CONFIG_OF_UNITTEST is not set
+CONFIG_OF_FLATTREE=y
+CONFIG_OF_EARLY_FLATTREE=y
+CONFIG_OF_KOBJ=y
+CONFIG_OF_DYNAMIC=y
+CONFIG_OF_ADDRESS=y
+CONFIG_OF_IRQ=y
+CONFIG_OF_RESERVED_MEM=y
+CONFIG_OF_RESOLVE=y
+CONFIG_OF_OVERLAY=y
+CONFIG_OF_NUMA=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+CONFIG_BLK_DEV_NULL_BLK=m
+CONFIG_CDROM=m
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+CONFIG_ZRAM=m
+CONFIG_ZRAM_DEF_COMP_LZORLE=y
+# CONFIG_ZRAM_DEF_COMP_ZSTD is not set
+# CONFIG_ZRAM_DEF_COMP_LZ4 is not set
+# CONFIG_ZRAM_DEF_COMP_LZO is not set
+# CONFIG_ZRAM_DEF_COMP_LZ4HC is not set
+CONFIG_ZRAM_DEF_COMP="lzo-rle"
+CONFIG_ZRAM_WRITEBACK=y
+CONFIG_ZRAM_MULTI_COMP=y
+CONFIG_BLK_DEV_LOOP=m
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=0
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_BLK_DEV_NBD=m
+CONFIG_BLK_DEV_RAM=m
+CONFIG_BLK_DEV_RAM_COUNT=16
+CONFIG_BLK_DEV_RAM_SIZE=16384
+CONFIG_CDROM_PKTCDVD=m
+CONFIG_CDROM_PKTCDVD_BUFFERS=8 +# CONFIG_CDROM_PKTCDVD_WCACHE is not set +CONFIG_ATA_OVER_ETH=m +CONFIG_VIRTIO_BLK=m +CONFIG_BLK_DEV_RBD=m +# CONFIG_BLK_DEV_UBLK is not set + +# +# NVME Support +# +CONFIG_NVME_CORE=m +CONFIG_BLK_DEV_NVME=m +CONFIG_NVME_MULTIPATH=y +# CONFIG_NVME_VERBOSE_ERRORS is not set +# CONFIG_NVME_HWMON is not set +CONFIG_NVME_FABRICS=m +CONFIG_NVME_RDMA=m +CONFIG_NVME_FC=m +CONFIG_NVME_TCP=m +# CONFIG_NVME_AUTH is not set +CONFIG_NVME_TARGET=m +# CONFIG_NVME_TARGET_PASSTHRU is not set +CONFIG_NVME_TARGET_LOOP=m +CONFIG_NVME_TARGET_RDMA=m +CONFIG_NVME_TARGET_FC=m +CONFIG_NVME_TARGET_FCLOOP=m +CONFIG_NVME_TARGET_TCP=m +# CONFIG_NVME_TARGET_AUTH is not set +# end of NVME Support + +# +# Misc devices +# +CONFIG_SENSORS_LIS3LV02D=m +# CONFIG_AD525X_DPOT is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_PHANTOM is not set +CONFIG_TIFM_CORE=m +CONFIG_TIFM_7XX1=m +# CONFIG_ICS932S401 is not set +CONFIG_ENCLOSURE_SERVICES=m +# CONFIG_HP_ILO is not set +CONFIG_APDS9802ALS=m +CONFIG_ISL29003=m +CONFIG_ISL29020=m +CONFIG_SENSORS_TSL2550=m +CONFIG_SENSORS_BH1770=m +CONFIG_SENSORS_APDS990X=m +# CONFIG_HMC6352 is not set +# CONFIG_DS1682 is not set +# CONFIG_LATTICE_ECP3_CONFIG is not set +# CONFIG_SRAM is not set +# CONFIG_DW_XDATA_PCIE is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_XILINX_SDFEC is not set +CONFIG_MISC_RTSX=m +# CONFIG_HISI_HIKEY_USB is not set +CONFIG_VIRT_PLAT_DEV=y +# CONFIG_OPEN_DICE is not set +# CONFIG_VCPU_STALL_DETECTOR is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_AT24 is not set +# CONFIG_EEPROM_AT25 is not set +CONFIG_EEPROM_LEGACY=m +CONFIG_EEPROM_MAX6875=m +CONFIG_EEPROM_93CX6=m +# CONFIG_EEPROM_93XX46 is not set +# CONFIG_EEPROM_IDT_89HPESX is not set +# CONFIG_EEPROM_EE1004 is not set +# end of EEPROM support + +CONFIG_CB710_CORE=m +# CONFIG_CB710_DEBUG is not set +CONFIG_CB710_DEBUG_ASSUMPTIONS=y + +# +# Texas Instruments shared transport line discipline +# +# CONFIG_TI_ST 
is not set +# end of Texas Instruments shared transport line discipline + +CONFIG_SENSORS_LIS3_I2C=m +CONFIG_ALTERA_STAPL=m +# CONFIG_VMWARE_VMCI is not set +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_BCM_VK is not set +# CONFIG_MISC_ALCOR_PCI is not set +CONFIG_MISC_RTSX_PCI=m +CONFIG_MISC_RTSX_USB=m +CONFIG_UACCE=m +CONFIG_PVPANIC=y +CONFIG_PVPANIC_MMIO=m +# CONFIG_PVPANIC_PCI is not set +# CONFIG_GP_PCI1XXXX is not set +# end of Misc devices + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +CONFIG_RAID_ATTRS=m +CONFIG_SCSI_COMMON=y +CONFIG_SCSI=y +CONFIG_SCSI_DMA=y +CONFIG_SCSI_NETLINK=y +CONFIG_SCSI_PROC_FS=y + +# +# SCSI support type (disk, tape, CD-ROM) +# +CONFIG_BLK_DEV_SD=m +CONFIG_CHR_DEV_ST=m +CONFIG_BLK_DEV_SR=m +CONFIG_CHR_DEV_SG=m +CONFIG_BLK_DEV_BSG=y +CONFIG_CHR_DEV_SCH=m +CONFIG_SCSI_ENCLOSURE=m +CONFIG_SCSI_CONSTANTS=y +CONFIG_SCSI_LOGGING=y +CONFIG_SCSI_SCAN_ASYNC=y + +# +# SCSI Transports +# +CONFIG_SCSI_SPI_ATTRS=m +CONFIG_SCSI_FC_ATTRS=m +CONFIG_SCSI_ISCSI_ATTRS=m +CONFIG_SCSI_SAS_ATTRS=m +CONFIG_SCSI_SAS_LIBSAS=m +CONFIG_SCSI_SAS_ATA=y +CONFIG_SCSI_SAS_HOST_SMP=y +CONFIG_SCSI_SRP_ATTRS=m +# end of SCSI Transports + +CONFIG_SCSI_LOWLEVEL=y +CONFIG_ISCSI_TCP=m +CONFIG_ISCSI_BOOT_SYSFS=m +# CONFIG_SCSI_CXGB3_ISCSI is not set +CONFIG_SCSI_CXGB4_ISCSI=m +CONFIG_SCSI_BNX2_ISCSI=m +CONFIG_SCSI_BNX2X_FCOE=m +CONFIG_BE2ISCSI=m +# CONFIG_BLK_DEV_3W_XXXX_RAID is not set +CONFIG_SCSI_HPSA=m +# CONFIG_SCSI_3W_9XXX is not set +# CONFIG_SCSI_3W_SAS is not set +# CONFIG_SCSI_ACARD is not set +CONFIG_SCSI_AACRAID=m +# CONFIG_SCSI_AIC7XXX is not set +# CONFIG_SCSI_AIC79XX is not set +# CONFIG_SCSI_AIC94XX is not set +CONFIG_SCSI_HISI_SAS=m +CONFIG_SCSI_HISI_SAS_PCI=m +CONFIG_SCSI_HISI_SAS_DEBUGFS_DEFAULT_ENABLE=y +# CONFIG_SCSI_MVSAS is not set +# CONFIG_SCSI_MVUMI is not set +# CONFIG_SCSI_ADVANSYS is not set +# CONFIG_SCSI_ARCMSR is not set +# CONFIG_SCSI_ESAS2R is not set +# CONFIG_MEGARAID_NEWGEN is not set +# CONFIG_MEGARAID_LEGACY is 
not set +CONFIG_MEGARAID_SAS=m +CONFIG_SCSI_MPT3SAS=m +CONFIG_SCSI_MPT2SAS_MAX_SGE=128 +CONFIG_SCSI_MPT3SAS_MAX_SGE=128 +CONFIG_SCSI_MPT2SAS=m +CONFIG_SCSI_PS3STOR=m +# CONFIG_SCSI_MPI3MR is not set +CONFIG_SCSI_3SNIC_SSSRAID=m +CONFIG_SCSI_LEAPIORAID=m +CONFIG_SCSI_SMARTPQI=m +CONFIG_SCSI_HISI_RAID=m +# CONFIG_SCSI_HPTIOP is not set +# CONFIG_SCSI_BUSLOGIC is not set +# CONFIG_SCSI_MYRB is not set +# CONFIG_SCSI_MYRS is not set +CONFIG_LIBFC=m +CONFIG_LIBFCOE=m +CONFIG_FCOE=m +# CONFIG_SCSI_SNIC is not set +# CONFIG_SCSI_DMX3191D is not set +# CONFIG_SCSI_FDOMAIN_PCI is not set +# CONFIG_SCSI_IPS is not set +# CONFIG_SCSI_INITIO is not set +# CONFIG_SCSI_INIA100 is not set +# CONFIG_SCSI_STEX is not set +# CONFIG_SCSI_SYM53C8XX_2 is not set +CONFIG_SCSI_IPR=m +CONFIG_SCSI_IPR_TRACE=y +CONFIG_SCSI_IPR_DUMP=y +# CONFIG_SCSI_QLOGIC_1280 is not set +CONFIG_SCSI_QLA_FC=m +# CONFIG_TCM_QLA2XXX is not set +CONFIG_SCSI_QLA_ISCSI=m +CONFIG_QEDI=m +CONFIG_QEDF=m +CONFIG_SCSI_LPFC=m +# CONFIG_SCSI_EFCT is not set +# CONFIG_SCSI_DC395x is not set +# CONFIG_SCSI_AM53C974 is not set +# CONFIG_SCSI_WD719X is not set +CONFIG_SCSI_DEBUG=m +# CONFIG_SCSI_PMCRAID is not set +# CONFIG_SCSI_PM8001 is not set +# CONFIG_SCSI_BFA_FC is not set +CONFIG_SCSI_VIRTIO=m +CONFIG_SCSI_CHELSIO_FCOE=m +CONFIG_SCSI_DH=y +CONFIG_SCSI_DH_RDAC=y +CONFIG_SCSI_DH_HP_SW=y +CONFIG_SCSI_DH_EMC=y +CONFIG_SCSI_DH_ALUA=y +# end of SCSI device support + +CONFIG_ATA=m +CONFIG_SATA_HOST=y +CONFIG_PATA_TIMINGS=y +CONFIG_ATA_VERBOSE_ERROR=y +CONFIG_ATA_FORCE=y +CONFIG_ATA_ACPI=y +# CONFIG_SATA_ZPODD is not set +CONFIG_SATA_PMP=y + +# +# Controllers with non-SFF native interface +# +CONFIG_SATA_AHCI=m +CONFIG_SATA_MOBILE_LPM_POLICY=0 +CONFIG_SATA_AHCI_PLATFORM=m +# CONFIG_AHCI_DWC is not set +# CONFIG_AHCI_CEVA is not set +CONFIG_AHCI_XGENE=m +CONFIG_SATA_AHCI_SEATTLE=m +# CONFIG_SATA_INIC162X is not set +# CONFIG_SATA_ACARD_AHCI is not set +# CONFIG_SATA_SIL24 is not set +CONFIG_ATA_SFF=y + +# +# SFF controllers 
with custom DMA interface +# +# CONFIG_PDC_ADMA is not set +# CONFIG_SATA_QSTOR is not set +# CONFIG_SATA_SX4 is not set +CONFIG_ATA_BMDMA=y + +# +# SATA SFF controllers with BMDMA +# +CONFIG_ATA_PIIX=m +# CONFIG_SATA_DWC is not set +# CONFIG_SATA_MV is not set +# CONFIG_SATA_NV is not set +# CONFIG_SATA_PROMISE is not set +# CONFIG_SATA_SIL is not set +# CONFIG_SATA_SIS is not set +# CONFIG_SATA_SVW is not set +# CONFIG_SATA_ULI is not set +# CONFIG_SATA_VIA is not set +# CONFIG_SATA_VITESSE is not set +# CONFIG_SATA_ZHAOXIN is not set + +# +# PATA SFF controllers with BMDMA +# +# CONFIG_PATA_ALI is not set +# CONFIG_PATA_AMD is not set +# CONFIG_PATA_ARTOP is not set +# CONFIG_PATA_ATIIXP is not set +# CONFIG_PATA_ATP867X is not set +# CONFIG_PATA_CMD64X is not set +# CONFIG_PATA_CYPRESS is not set +# CONFIG_PATA_EFAR is not set +# CONFIG_PATA_HPT366 is not set +# CONFIG_PATA_HPT37X is not set +# CONFIG_PATA_HPT3X2N is not set +# CONFIG_PATA_HPT3X3 is not set +# CONFIG_PATA_IT8213 is not set +# CONFIG_PATA_IT821X is not set +# CONFIG_PATA_JMICRON is not set +# CONFIG_PATA_MARVELL is not set +# CONFIG_PATA_NETCELL is not set +# CONFIG_PATA_NINJA32 is not set +# CONFIG_PATA_NS87415 is not set +# CONFIG_PATA_OLDPIIX is not set +# CONFIG_PATA_OPTIDMA is not set +# CONFIG_PATA_PDC2027X is not set +# CONFIG_PATA_PDC_OLD is not set +# CONFIG_PATA_RADISYS is not set +# CONFIG_PATA_RDC is not set +# CONFIG_PATA_SCH is not set +# CONFIG_PATA_SERVERWORKS is not set +# CONFIG_PATA_SIL680 is not set +# CONFIG_PATA_SIS is not set +# CONFIG_PATA_TOSHIBA is not set +# CONFIG_PATA_TRIFLEX is not set +# CONFIG_PATA_VIA is not set +# CONFIG_PATA_WINBOND is not set + +# +# PIO-only SFF controllers +# +# CONFIG_PATA_CMD640_PCI is not set +# CONFIG_PATA_MPIIX is not set +# CONFIG_PATA_NS87410 is not set +# CONFIG_PATA_OPTI is not set +# CONFIG_PATA_OF_PLATFORM is not set +# CONFIG_PATA_RZ1000 is not set + +# +# Generic fallback / legacy drivers +# +# CONFIG_PATA_ACPI is not set 
+CONFIG_ATA_GENERIC=m +# CONFIG_PATA_LEGACY is not set +CONFIG_MD=y +CONFIG_BLK_DEV_MD=y +CONFIG_MD_AUTODETECT=y +CONFIG_MD_BITMAP_FILE=y +CONFIG_MD_LINEAR=m +CONFIG_MD_RAID0=m +CONFIG_MD_RAID1=m +CONFIG_MD_RAID10=m +CONFIG_MD_RAID456=m +CONFIG_MD_MULTIPATH=m +CONFIG_MD_FAULTY=m +# CONFIG_MD_CLUSTER is not set +CONFIG_BCACHE=m +# CONFIG_BCACHE_DEBUG is not set +# CONFIG_BCACHE_CLOSURES_DEBUG is not set +# CONFIG_BCACHE_ASYNC_REGISTRATION is not set +CONFIG_BLK_DEV_DM_BUILTIN=y +CONFIG_BLK_DEV_DM=m +CONFIG_DM_DEBUG=y +CONFIG_DM_BUFIO=m +# CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set +CONFIG_DM_BIO_PRISON=m +CONFIG_DM_PERSISTENT_DATA=m +# CONFIG_DM_UNSTRIPED is not set +CONFIG_DM_CRYPT=m +CONFIG_DM_SNAPSHOT=m +CONFIG_DM_THIN_PROVISIONING=m +CONFIG_DM_CACHE=m +CONFIG_DM_CACHE_SMQ=m +# CONFIG_DM_WRITECACHE is not set +# CONFIG_DM_EBS is not set +CONFIG_DM_ERA=m +# CONFIG_DM_CLONE is not set +CONFIG_DM_MIRROR=m +CONFIG_DM_LOG_USERSPACE=m +CONFIG_DM_RAID=m +CONFIG_DM_ZERO=m +CONFIG_DM_MULTIPATH=m +CONFIG_DM_MULTIPATH_QL=m +CONFIG_DM_MULTIPATH_ST=m +# CONFIG_DM_MULTIPATH_HST is not set +# CONFIG_DM_MULTIPATH_IOA is not set +CONFIG_DM_DELAY=m +# CONFIG_DM_DUST is not set +CONFIG_DM_UEVENT=y +CONFIG_DM_FLAKEY=m +CONFIG_DM_VERITY=m +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is not set +# CONFIG_DM_VERITY_FEC is not set +CONFIG_DM_SWITCH=m +CONFIG_DM_LOG_WRITES=m +CONFIG_DM_INTEGRITY=m +# CONFIG_DM_ZONED is not set +CONFIG_DM_AUDIT=y +CONFIG_TARGET_CORE=m +CONFIG_TCM_IBLOCK=m +CONFIG_TCM_FILEIO=m +CONFIG_TCM_PSCSI=m +CONFIG_TCM_USER2=m +CONFIG_LOOPBACK_TARGET=m +CONFIG_TCM_FC=m +CONFIG_ISCSI_TARGET=m +CONFIG_ISCSI_TARGET_CXGB4=m +# CONFIG_REMOTE_TARGET is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# end of IEEE 1394 (FireWire) support + +CONFIG_NETDEVICES=y +CONFIG_MII=m +CONFIG_NET_CORE=y +CONFIG_BONDING=m +CONFIG_DUMMY=m +# CONFIG_WIREGUARD is not set +# CONFIG_EQUALIZER is 
not set +CONFIG_NET_FC=y +CONFIG_IFB=m +CONFIG_NET_TEAM=m +CONFIG_NET_TEAM_MODE_BROADCAST=m +CONFIG_NET_TEAM_MODE_ROUNDROBIN=m +CONFIG_NET_TEAM_MODE_RANDOM=m +CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m +CONFIG_NET_TEAM_MODE_LOADBALANCE=m +CONFIG_MACVLAN=m +CONFIG_MACVTAP=m +CONFIG_IPVLAN_L2E=y +CONFIG_IPVLAN_L3S=y +CONFIG_IPVLAN=m +CONFIG_IPVTAP=m +CONFIG_VXLAN=m +CONFIG_GENEVE=m +# CONFIG_BAREUDP is not set +# CONFIG_GTP is not set +# CONFIG_AMT is not set +CONFIG_MACSEC=m +CONFIG_NETCONSOLE=m +CONFIG_NETCONSOLE_DYNAMIC=y +# CONFIG_NETCONSOLE_EXTENDED_LOG is not set +CONFIG_NETPOLL=y +CONFIG_NET_POLL_CONTROLLER=y +CONFIG_TUN=m +CONFIG_TAP=m +# CONFIG_TUN_VNET_CROSS_LE is not set +CONFIG_VETH=m +CONFIG_VIRTIO_NET=m +CONFIG_NLMON=m +CONFIG_NET_VRF=m +CONFIG_VSOCKMON=m +# CONFIG_ARCNET is not set +# CONFIG_ATM_DRIVERS is not set +CONFIG_ETHERNET=y +CONFIG_MDIO=m +# CONFIG_NET_VENDOR_3COM is not set +CONFIG_NET_VENDOR_3SNIC=y +CONFIG_SSSNIC=m +# CONFIG_NET_VENDOR_ADAPTEC is not set +# CONFIG_NET_VENDOR_AGERE is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +# CONFIG_NET_VENDOR_ALTEON is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +CONFIG_ENA_ETHERNET=m +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +CONFIG_AMD_XGBE=m +# CONFIG_AMD_XGBE_DCB is not set +# CONFIG_PDS_CORE is not set +CONFIG_NET_XGENE=y +CONFIG_NET_XGENE_V2=m +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +CONFIG_NET_VENDOR_ARC=y +CONFIG_NET_VENDOR_ASIX=y +# CONFIG_SPI_AX88796C is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +CONFIG_ATL1=m +CONFIG_ATL1E=m +CONFIG_ATL1C=m +CONFIG_ALX=m +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BCMGENET is not set +CONFIG_BNX2=m +CONFIG_CNIC=m +CONFIG_TIGON3=m +CONFIG_TIGON3_HWMON=y +CONFIG_BNX2X=m +CONFIG_BNX2X_SRIOV=y +# CONFIG_SYSTEMPORT is not set +CONFIG_BNXT=m +CONFIG_BNXT_SRIOV=y +CONFIG_BNXT_FLOWER_OFFLOAD=y +CONFIG_BNXT_DCB=y +# 
CONFIG_BNXT_HWMON is not set +# CONFIG_NET_VENDOR_CADENCE is not set +CONFIG_NET_VENDOR_CAVIUM=y +CONFIG_THUNDER_NIC_PF=m +CONFIG_THUNDER_NIC_VF=m +CONFIG_THUNDER_NIC_BGX=m +CONFIG_THUNDER_NIC_RGX=m +CONFIG_CAVIUM_PTP=y +CONFIG_LIQUIDIO_CORE=m +CONFIG_LIQUIDIO=m +CONFIG_LIQUIDIO_VF=m +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +CONFIG_CHELSIO_T4=m +# CONFIG_CHELSIO_T4_DCB is not set +CONFIG_CHELSIO_T4VF=m +CONFIG_CHELSIO_LIB=m +CONFIG_CHELSIO_INLINE_CRYPTO=y +CONFIG_CHELSIO_IPSEC_INLINE=m +CONFIG_CHELSIO_TLS_DEVICE=m +# CONFIG_NET_VENDOR_CISCO is not set +# CONFIG_NET_VENDOR_CORTINA is not set +CONFIG_NET_VENDOR_DAVICOM=y +# CONFIG_DM9051 is not set +CONFIG_DNET=m +# CONFIG_NET_VENDOR_DEC is not set +# CONFIG_NET_VENDOR_DLINK is not set +# CONFIG_NET_VENDOR_EMULEX is not set +CONFIG_NET_VENDOR_ENGLEDER=y +# CONFIG_TSNEP is not set +# CONFIG_NET_VENDOR_EZCHIP is not set +CONFIG_NET_VENDOR_FUNGIBLE=y +# CONFIG_FUN_ETH is not set +CONFIG_NET_VENDOR_GOOGLE=y +# CONFIG_GVE is not set +CONFIG_NET_VENDOR_HISILICON=y +# CONFIG_HIX5HD2_GMAC is not set +# CONFIG_HISI_FEMAC is not set +# CONFIG_HIP04_ETH is not set +CONFIG_HNS_MDIO=m +CONFIG_HNS=m +CONFIG_HNS_DSAF=m +CONFIG_HNS_ENET=m +CONFIG_HNS3=m +CONFIG_HNS3_HCLGE=m +CONFIG_HNS3_DCB=y +CONFIG_HNS3_HCLGEVF=m +CONFIG_HNS3_ENET=m +CONFIG_HIBMCGE=m +CONFIG_NET_VENDOR_HUAWEI=y +CONFIG_HINIC=m +CONFIG_HINIC3=m +CONFIG_BMA=m +CONFIG_HIBIFUR=m +# CONFIG_NET_VENDOR_I825XX is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +CONFIG_E1000=m +CONFIG_E1000E=m +CONFIG_IGB=m +CONFIG_IGB_HWMON=y +CONFIG_IGBVF=m +CONFIG_IXGBE=m +CONFIG_IXGBE_HWMON=y +CONFIG_IXGBE_DCB=y +CONFIG_IXGBE_IPSEC=y +CONFIG_IXGBEVF=m +CONFIG_IXGBEVF_IPSEC=y +CONFIG_I40E=m +# CONFIG_I40E_DCB is not set +CONFIG_IAVF=m +CONFIG_I40EVF=m +CONFIG_ICE=m +CONFIG_ICE_SWITCHDEV=y +CONFIG_FM10K=m +# CONFIG_IGC is not set +CONFIG_NET_VENDOR_LINKDATA=y +CONFIG_SXE=m +CONFIG_SXE_VF=m +CONFIG_NET_VENDOR_MUCSE=y 
+CONFIG_MXGBE=m +CONFIG_MXGBE_FIX_VF_QUEUE=y +CONFIG_MXGBE_FIX_MAC_PADDING=y +# CONFIG_MXGBE_OPTM_WITH_LARGE is not set +CONFIG_MXGBE_MSIX_COUNT=64 +CONFIG_MXGBE_DCB=y +CONFIG_MXGBEVF=m +CONFIG_MXGBEVF_FIX_VF_QUEUE=y +CONFIG_MXGBEVF_FIX_MAC_PADDING=y +# CONFIG_MXGBEVF_OPTM_WITH_LARGE is not set +CONFIG_MXGBEM=m +CONFIG_MXGBEM_FIX_MAC_PADDING=y +# CONFIG_MXGBEM_OPTM_WITH_LARGE is not set +CONFIG_MGBE=m +# CONFIG_MGBE_OPTM_WITH_LARGE is not set +CONFIG_MGBE_MSIX_COUNT=26 +CONFIG_MGBEVF=m +# CONFIG_MGBEVF_OPTM_WITH_LARGE is not set +CONFIG_NET_VENDOR_YUNSILICON=y +CONFIG_YUNSILICON_XSC_ETH=m +CONFIG_YUNSILICON_XSC_PCI=m +# CONFIG_JME is not set +CONFIG_NET_VENDOR_ADI=y +# CONFIG_ADIN1110 is not set +CONFIG_NET_VENDOR_LITEX=y +# CONFIG_LITEX_LITEETH is not set +# CONFIG_NET_VENDOR_MARVELL is not set +CONFIG_NET_VENDOR_MELLANOX=y +CONFIG_MLX4_EN=m +CONFIG_MLX4_EN_DCB=y +CONFIG_MLX4_CORE=m +CONFIG_MLX4_DEBUG=y +# CONFIG_MLX4_CORE_GEN2 is not set +CONFIG_MLX5_CORE=m +# CONFIG_MLX5_FPGA is not set +CONFIG_MLX5_CORE_EN=y +CONFIG_MLX5_EN_ARFS=y +CONFIG_MLX5_EN_RXNFC=y +CONFIG_MLX5_MPFS=y +CONFIG_MLX5_ESWITCH=y +CONFIG_MLX5_BRIDGE=y +CONFIG_MLX5_CORE_EN_DCB=y +CONFIG_MLX5_CORE_IPOIB=y +# CONFIG_MLX5_MACSEC is not set +# CONFIG_MLX5_EN_IPSEC is not set +# CONFIG_MLX5_EN_TLS is not set +CONFIG_MLX5_SW_STEERING=y +# CONFIG_MLX5_SF is not set +CONFIG_MLXSW_CORE=m +CONFIG_MLXSW_CORE_HWMON=y +CONFIG_MLXSW_CORE_THERMAL=y +CONFIG_MLXSW_PCI=m +CONFIG_MLXSW_I2C=m +# CONFIG_MLXSW_SPECTRUM is not set +CONFIG_MLXSW_MINIMAL=m +CONFIG_MLXFW=m +# CONFIG_MLXBF_GIGE is not set +# CONFIG_NET_VENDOR_MICREL is not set +# CONFIG_NET_VENDOR_MICROCHIP is not set +CONFIG_NET_VENDOR_MICROSEMI=y +# CONFIG_MSCC_OCELOT_SWITCH is not set +CONFIG_NET_VENDOR_MICROSOFT=y +CONFIG_NET_VENDOR_MOTORCOMM=y +CONFIG_YT6801=m +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +# CONFIG_NET_VENDOR_NI is not set +# CONFIG_NET_VENDOR_NATSEMI is not set +# CONFIG_NET_VENDOR_NETERION is 
not set +CONFIG_NET_VENDOR_NETRONOME=y +CONFIG_NFP=m +CONFIG_NFP_APP_FLOWER=y +CONFIG_NFP_APP_ABM_NIC=y +CONFIG_NFP_NET_IPSEC=y +# CONFIG_NFP_DEBUG is not set +# CONFIG_NET_VENDOR_NVIDIA is not set +CONFIG_NET_VENDOR_OKI=y +CONFIG_ETHOC=m +# CONFIG_NET_VENDOR_PACKET_ENGINES is not set +CONFIG_NET_VENDOR_PENSANDO=y +# CONFIG_IONIC is not set +CONFIG_NET_VENDOR_QLOGIC=y +CONFIG_QLA3XXX=m +# CONFIG_QLCNIC is not set +CONFIG_NETXEN_NIC=m +CONFIG_QED=m +CONFIG_QED_LL2=y +CONFIG_QED_SRIOV=y +CONFIG_QEDE=m +CONFIG_QED_RDMA=y +CONFIG_QED_ISCSI=y +CONFIG_QED_FCOE=y +CONFIG_QED_OOO=y +# CONFIG_NET_VENDOR_BROCADE is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCA7000_SPI is not set +CONFIG_QCOM_EMAC=m +# CONFIG_RMNET is not set +# CONFIG_NET_VENDOR_RDC is not set +CONFIG_NET_VENDOR_REALTEK=y +CONFIG_8139CP=m +CONFIG_8139TOO=m +# CONFIG_8139TOO_PIO is not set +# CONFIG_8139TOO_TUNE_TWISTER is not set +CONFIG_8139TOO_8129=y +# CONFIG_8139_OLD_RX_RESET is not set +CONFIG_R8169=m +# CONFIG_NET_VENDOR_RENESAS is not set +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_ROCKER=m +# CONFIG_NET_VENDOR_SAMSUNG is not set +# CONFIG_NET_VENDOR_SEEQ is not set +# CONFIG_NET_VENDOR_SILAN is not set +# CONFIG_NET_VENDOR_SIS is not set +CONFIG_NET_VENDOR_SOLARFLARE=y +CONFIG_SFC=m +CONFIG_SFC_MTD=y +CONFIG_SFC_MCDI_MON=y +CONFIG_SFC_SRIOV=y +CONFIG_SFC_MCDI_LOGGING=y +# CONFIG_SFC_FALCON is not set +# CONFIG_SFC_SIENA is not set +CONFIG_NET_VENDOR_SMSC=y +CONFIG_SMC91X=m +CONFIG_EPIC100=m +CONFIG_SMSC911X=m +CONFIG_SMSC9420=m +# CONFIG_NET_VENDOR_SOCIONEXT is not set +# CONFIG_NET_VENDOR_STMICRO is not set +# CONFIG_NET_VENDOR_SUN is not set +# CONFIG_NET_VENDOR_SYNOPSYS is not set +# CONFIG_NET_VENDOR_TEHUTI is not set +# CONFIG_NET_VENDOR_TI is not set +CONFIG_NET_VENDOR_VERTEXCOM=y +# CONFIG_MSE102X is not set +# CONFIG_NET_VENDOR_VIA is not set +CONFIG_NET_VENDOR_WANGXUN=y +CONFIG_LIBWX=m +CONFIG_NGBE=m +CONFIG_TXGBE=m +# CONFIG_NET_VENDOR_WIZNET is not set +# CONFIG_NET_VENDOR_XILINX is not set 
+CONFIG_NET_VENDOR_BZWX=y +CONFIG_NCE=m +CONFIG_NE6X=m +CONFIG_NE6XVF=m +CONFIG_NET_VENDOR_NEBULA_MATRIX=y +CONFIG_NBL_CORE=m +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +CONFIG_PHYLINK=m +CONFIG_PHYLIB=y +CONFIG_SWPHY=y +# CONFIG_LED_TRIGGER_PHY is not set +CONFIG_PHYLIB_LEDS=y +CONFIG_FIXED_PHY=y +CONFIG_SFP=m + +# +# MII PHY device drivers +# +CONFIG_AMD_PHY=m +# CONFIG_ADIN_PHY is not set +# CONFIG_ADIN1100_PHY is not set +CONFIG_AQUANTIA_PHY=m +CONFIG_AX88796B_PHY=m +CONFIG_BROADCOM_PHY=m +# CONFIG_BCM54140_PHY is not set +# CONFIG_BCM7XXX_PHY is not set +# CONFIG_BCM84881_PHY is not set +CONFIG_BCM87XX_PHY=m +CONFIG_BCM_NET_PHYLIB=m +CONFIG_BCM_NET_PHYPTP=m +CONFIG_CICADA_PHY=m +# CONFIG_CORTINA_PHY is not set +CONFIG_DAVICOM_PHY=m +CONFIG_ICPLUS_PHY=m +CONFIG_LXT_PHY=m +# CONFIG_INTEL_XWAY_PHY is not set +CONFIG_LSI_ET1011C_PHY=m +CONFIG_MARVELL_PHY=m +CONFIG_MARVELL_10G_PHY=m +# CONFIG_MARVELL_88Q2XXX_PHY is not set +# CONFIG_MARVELL_88X2222_PHY is not set +# CONFIG_MAXLINEAR_GPHY is not set +# CONFIG_MEDIATEK_GE_PHY is not set +CONFIG_MICREL_PHY=m +# CONFIG_MICROCHIP_T1S_PHY is not set +CONFIG_MICROCHIP_PHY=m +# CONFIG_MICROCHIP_T1_PHY is not set +# CONFIG_MICROSEMI_PHY is not set +CONFIG_MOTORCOMM_PHY=m +CONFIG_NATIONAL_PHY=m +# CONFIG_NXP_CBTX_PHY is not set +# CONFIG_NXP_C45_TJA11XX_PHY is not set +# CONFIG_NXP_TJA11XX_PHY is not set +# CONFIG_NCN26000_PHY is not set +CONFIG_AT803X_PHY=m +CONFIG_QSEMI_PHY=m +CONFIG_REALTEK_PHY=m +# CONFIG_RENESAS_PHY is not set +# CONFIG_ROCKCHIP_PHY is not set +CONFIG_SMSC_PHY=m +CONFIG_STE10XP=m +CONFIG_TERANETICS_PHY=m +# CONFIG_DP83822_PHY is not set +# CONFIG_DP83TC811_PHY is not set +CONFIG_DP83848_PHY=m +CONFIG_DP83867_PHY=m +# CONFIG_DP83869_PHY is not set +# CONFIG_DP83TD510_PHY is not set +CONFIG_VITESSE_PHY=m +# CONFIG_XILINX_GMII2RGMII is not set +# CONFIG_MICREL_KS8995MA is not set +# CONFIG_PSE_CONTROLLER is not set +CONFIG_CAN_DEV=m +CONFIG_CAN_VCAN=m +# 
CONFIG_CAN_VXCAN is not set +CONFIG_CAN_NETLINK=y +CONFIG_CAN_CALC_BITTIMING=y +# CONFIG_CAN_CAN327 is not set +# CONFIG_CAN_FLEXCAN is not set +# CONFIG_CAN_GRCAN is not set +# CONFIG_CAN_KVASER_PCIEFD is not set +CONFIG_CAN_SLCAN=m +# CONFIG_CAN_XILINXCAN is not set +CONFIG_CAN_C_CAN=m +CONFIG_CAN_C_CAN_PLATFORM=m +CONFIG_CAN_C_CAN_PCI=m +CONFIG_CAN_CC770=m +# CONFIG_CAN_CC770_ISA is not set +CONFIG_CAN_CC770_PLATFORM=m +# CONFIG_CAN_CTUCANFD_PCI is not set +# CONFIG_CAN_CTUCANFD_PLATFORM is not set +# CONFIG_CAN_IFI_CANFD is not set +# CONFIG_CAN_M_CAN is not set +# CONFIG_CAN_PEAK_PCIEFD is not set +CONFIG_CAN_SJA1000=m +CONFIG_CAN_EMS_PCI=m +# CONFIG_CAN_F81601 is not set +CONFIG_CAN_KVASER_PCI=m +CONFIG_CAN_PEAK_PCI=m +CONFIG_CAN_PEAK_PCIEC=y +CONFIG_CAN_PLX_PCI=m +# CONFIG_CAN_SJA1000_ISA is not set +CONFIG_CAN_SJA1000_PLATFORM=m +CONFIG_CAN_SOFTING=m + +# +# CAN SPI interfaces +# +# CONFIG_CAN_HI311X is not set +# CONFIG_CAN_MCP251X is not set +# CONFIG_CAN_MCP251XFD is not set +# end of CAN SPI interfaces + +# +# CAN USB interfaces +# +CONFIG_CAN_8DEV_USB=m +CONFIG_CAN_EMS_USB=m +# CONFIG_CAN_ESD_USB is not set +# CONFIG_CAN_ETAS_ES58X is not set +# CONFIG_CAN_F81604 is not set +# CONFIG_CAN_GS_USB is not set +CONFIG_CAN_KVASER_USB=m +# CONFIG_CAN_MCBA_USB is not set +CONFIG_CAN_PEAK_USB=m +# CONFIG_CAN_UCAN is not set +# end of CAN USB interfaces + +# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_MDIO_DEVICE=y +CONFIG_MDIO_BUS=y +CONFIG_FWNODE_MDIO=y +CONFIG_OF_MDIO=y +CONFIG_ACPI_MDIO=y +CONFIG_MDIO_DEVRES=y +CONFIG_MDIO_XGENE=y +CONFIG_MDIO_BITBANG=m +CONFIG_MDIO_BCM_UNIMAC=m +CONFIG_MDIO_CAVIUM=m +CONFIG_MDIO_GPIO=m +# CONFIG_MDIO_HISI_FEMAC is not set +CONFIG_MDIO_I2C=m +# CONFIG_MDIO_MVUSB is not set +# CONFIG_MDIO_MSCC_MIIM is not set +CONFIG_MDIO_OCTEON=m +# CONFIG_MDIO_IPQ4019 is not set +# CONFIG_MDIO_IPQ8064 is not set +CONFIG_MDIO_THUNDER=m + +# +# MDIO Multiplexers +# +# CONFIG_MDIO_BUS_MUX_GPIO is not set +# CONFIG_MDIO_BUS_MUX_MULTIPLEXER is 
not set +# CONFIG_MDIO_BUS_MUX_MMIOREG is not set + +# +# PCS device drivers +# +CONFIG_PCS_XPCS=m +# end of PCS device drivers + +CONFIG_PPP=m +CONFIG_PPP_BSDCOMP=m +CONFIG_PPP_DEFLATE=m +CONFIG_PPP_FILTER=y +CONFIG_PPP_MPPE=m +CONFIG_PPP_MULTILINK=y +CONFIG_PPPOATM=m +CONFIG_PPPOE=m +# CONFIG_PPPOE_HASH_BITS_1 is not set +# CONFIG_PPPOE_HASH_BITS_2 is not set +CONFIG_PPPOE_HASH_BITS_4=y +# CONFIG_PPPOE_HASH_BITS_8 is not set +CONFIG_PPPOE_HASH_BITS=4 +CONFIG_PPTP=m +CONFIG_PPPOL2TP=m +CONFIG_PPP_ASYNC=m +CONFIG_PPP_SYNC_TTY=m +CONFIG_SLIP=m +CONFIG_SLHC=m +CONFIG_SLIP_COMPRESSED=y +CONFIG_SLIP_SMART=y +# CONFIG_SLIP_MODE_SLIP6 is not set +CONFIG_USB_NET_DRIVERS=y +CONFIG_USB_CATC=m +CONFIG_USB_KAWETH=m +CONFIG_USB_PEGASUS=m +CONFIG_USB_RTL8150=m +CONFIG_USB_RTL8152=m +CONFIG_USB_LAN78XX=m +CONFIG_USB_USBNET=m +CONFIG_USB_NET_AX8817X=m +CONFIG_USB_NET_AX88179_178A=m +CONFIG_USB_NET_CDCETHER=m +CONFIG_USB_NET_CDC_EEM=m +CONFIG_USB_NET_CDC_NCM=m +CONFIG_USB_NET_HUAWEI_CDC_NCM=m +CONFIG_USB_NET_CDC_MBIM=m +CONFIG_USB_NET_DM9601=m +CONFIG_USB_NET_SR9700=m +# CONFIG_USB_NET_SR9800 is not set +CONFIG_USB_NET_SMSC75XX=m +CONFIG_USB_NET_SMSC95XX=m +CONFIG_USB_NET_GL620A=m +CONFIG_USB_NET_NET1080=m +CONFIG_USB_NET_PLUSB=m +CONFIG_USB_NET_MCS7830=m +CONFIG_USB_NET_RNDIS_HOST=m +CONFIG_USB_NET_CDC_SUBSET_ENABLE=m +CONFIG_USB_NET_CDC_SUBSET=m +CONFIG_USB_ALI_M5632=y +CONFIG_USB_AN2720=y +CONFIG_USB_BELKIN=y +CONFIG_USB_ARMLINUX=y +CONFIG_USB_EPSON2888=y +CONFIG_USB_KC2190=y +CONFIG_USB_NET_ZAURUS=m +CONFIG_USB_NET_CX82310_ETH=m +CONFIG_USB_NET_KALMIA=m +CONFIG_USB_NET_QMI_WWAN=m +CONFIG_USB_HSO=m +CONFIG_USB_NET_INT51X1=m +CONFIG_USB_IPHETH=m +CONFIG_USB_SIERRA_NET=m +CONFIG_USB_VL600=m +CONFIG_USB_NET_CH9200=m +# CONFIG_USB_NET_AQC111 is not set +CONFIG_USB_RTL8153_ECM=m +CONFIG_WLAN=y +# CONFIG_WLAN_VENDOR_ADMTEK is not set +CONFIG_ATH_COMMON=m +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K is not set +# CONFIG_ATH5K_PCI is not set +# CONFIG_ATH9K 
is not set +# CONFIG_ATH9K_HTC is not set +# CONFIG_CARL9170 is not set +# CONFIG_ATH6KL is not set +# CONFIG_AR5523 is not set +# CONFIG_WIL6210 is not set +CONFIG_ATH10K=m +CONFIG_ATH10K_CE=y +CONFIG_ATH10K_PCI=m +# CONFIG_ATH10K_AHB is not set +# CONFIG_ATH10K_SDIO is not set +# CONFIG_ATH10K_USB is not set +# CONFIG_ATH10K_DEBUG is not set +# CONFIG_WCN36XX is not set +# CONFIG_ATH11K is not set +# CONFIG_ATH12K is not set +# CONFIG_WLAN_VENDOR_ATMEL is not set +# CONFIG_WLAN_VENDOR_BROADCOM is not set +# CONFIG_WLAN_VENDOR_CISCO is not set +# CONFIG_WLAN_VENDOR_INTEL is not set +# CONFIG_WLAN_VENDOR_INTERSIL is not set +# CONFIG_WLAN_VENDOR_MARVELL is not set +# CONFIG_WLAN_VENDOR_MEDIATEK is not set +CONFIG_WLAN_VENDOR_MICROCHIP=y +# CONFIG_WILC1000_SDIO is not set +# CONFIG_WILC1000_SPI is not set +CONFIG_WLAN_VENDOR_PURELIFI=y +# CONFIG_PLFXLC is not set +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_RT2X00=m +# CONFIG_RT2400PCI is not set +# CONFIG_RT2500PCI is not set +# CONFIG_RT61PCI is not set +# CONFIG_RT2800PCI is not set +# CONFIG_RT2500USB is not set +# CONFIG_RT73USB is not set +CONFIG_RT2800USB=m +CONFIG_RT2800USB_RT33XX=y +CONFIG_RT2800USB_RT35XX=y +# CONFIG_RT2800USB_RT3573 is not set +CONFIG_RT2800USB_RT53XX=y +# CONFIG_RT2800USB_RT55XX is not set +# CONFIG_RT2800USB_UNKNOWN is not set +CONFIG_RT2800_LIB=m +CONFIG_RT2X00_LIB_USB=m +CONFIG_RT2X00_LIB=m +CONFIG_RT2X00_LIB_FIRMWARE=y +CONFIG_RT2X00_LIB_CRYPTO=y +CONFIG_RT2X00_LIB_LEDS=y +# CONFIG_RT2X00_DEBUG is not set +# CONFIG_WLAN_VENDOR_REALTEK is not set +# CONFIG_WLAN_VENDOR_RSI is not set +CONFIG_WLAN_VENDOR_SILABS=y +# CONFIG_WFX is not set +# CONFIG_WLAN_VENDOR_ST is not set +# CONFIG_WLAN_VENDOR_TI is not set +# CONFIG_WLAN_VENDOR_ZYDAS is not set +# CONFIG_WLAN_VENDOR_QUANTENNA is not set +# CONFIG_USB_NET_RNDIS_WLAN is not set +# CONFIG_MAC80211_HWSIM is not set +# CONFIG_VIRT_WIFI is not set +CONFIG_WAN=y +CONFIG_HDLC=m +CONFIG_HDLC_RAW=m +# CONFIG_HDLC_RAW_ETH is not set +CONFIG_HDLC_CISCO=m 
+CONFIG_HDLC_FR=m +CONFIG_HDLC_PPP=m + +# +# X.25/LAPB support is disabled +# +# CONFIG_PCI200SYN is not set +# CONFIG_WANXL is not set +# CONFIG_PC300TOO is not set +# CONFIG_FARSYNC is not set +# CONFIG_IEEE802154_DRIVERS is not set + +# +# Wireless WAN +# +# CONFIG_WWAN is not set +# end of Wireless WAN + +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +CONFIG_USB4_NET=m +CONFIG_NET_FAILOVER=m +# CONFIG_ISDN is not set + +# +# Input device support +# +CONFIG_INPUT=y +CONFIG_INPUT_LEDS=y +CONFIG_INPUT_FF_MEMLESS=y +CONFIG_INPUT_SPARSEKMAP=m +# CONFIG_INPUT_MATRIXKMAP is not set +CONFIG_INPUT_VIVALDIFMAP=y + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +# CONFIG_INPUT_MOUSEDEV_PSAUX is not set +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +# CONFIG_KEYBOARD_ADP5588 is not set +# CONFIG_KEYBOARD_ADP5589 is not set +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_QT1050 is not set +# CONFIG_KEYBOARD_QT1070 is not set +# CONFIG_KEYBOARD_QT2160 is not set +# CONFIG_KEYBOARD_DLINK_DIR685 is not set +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_GPIO is not set +# CONFIG_KEYBOARD_GPIO_POLLED is not set +# CONFIG_KEYBOARD_TCA6416 is not set +# CONFIG_KEYBOARD_TCA8418 is not set +# CONFIG_KEYBOARD_MATRIX is not set +# CONFIG_KEYBOARD_LM8323 is not set +# CONFIG_KEYBOARD_LM8333 is not set +# CONFIG_KEYBOARD_MAX7359 is not set +# CONFIG_KEYBOARD_MCS is not set +# CONFIG_KEYBOARD_MPR121 is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_PINEPHONE is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_OMAP4 is not set +# CONFIG_KEYBOARD_TM2_TOUCHKEY is not set +# CONFIG_KEYBOARD_XTKBD is not set +# CONFIG_KEYBOARD_CAP11XX is not set +# 
CONFIG_KEYBOARD_BCM is not set +# CONFIG_KEYBOARD_CYPRESS_SF is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_SYNAPTICS_SMBUS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +CONFIG_MOUSE_PS2_ELANTECH=y +CONFIG_MOUSE_PS2_ELANTECH_SMBUS=y +CONFIG_MOUSE_PS2_SENTELIC=y +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +CONFIG_MOUSE_PS2_SMBUS=y +CONFIG_MOUSE_SERIAL=m +CONFIG_MOUSE_APPLETOUCH=m +CONFIG_MOUSE_BCM5974=m +CONFIG_MOUSE_CYAPA=m +# CONFIG_MOUSE_ELAN_I2C is not set +CONFIG_MOUSE_VSXXXAA=m +# CONFIG_MOUSE_GPIO is not set +CONFIG_MOUSE_SYNAPTICS_I2C=m +CONFIG_MOUSE_SYNAPTICS_USB=m +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +CONFIG_INPUT_MISC=y +# CONFIG_INPUT_AD714X is not set +# CONFIG_INPUT_ATMEL_CAPTOUCH is not set +# CONFIG_INPUT_BMA150 is not set +# CONFIG_INPUT_E3X0_BUTTON is not set +# CONFIG_INPUT_MMA8450 is not set +# CONFIG_INPUT_GPIO_BEEPER is not set +# CONFIG_INPUT_GPIO_DECODER is not set +# CONFIG_INPUT_GPIO_VIBRA is not set +# CONFIG_INPUT_ATI_REMOTE2 is not set +# CONFIG_INPUT_KEYSPAN_REMOTE is not set +# CONFIG_INPUT_KXTJ9 is not set +# CONFIG_INPUT_POWERMATE is not set +# CONFIG_INPUT_YEALINK is not set +# CONFIG_INPUT_CM109 is not set +# CONFIG_INPUT_REGULATOR_HAPTIC is not set +CONFIG_INPUT_UINPUT=m +# CONFIG_INPUT_PCF8574 is not set +# CONFIG_INPUT_PWM_BEEPER is not set +# CONFIG_INPUT_PWM_VIBRA is not set +# CONFIG_INPUT_GPIO_ROTARY_ENCODER is not set +# CONFIG_INPUT_DA7280_HAPTICS is not set +# CONFIG_INPUT_ADXL34X is not set +# CONFIG_INPUT_IBM_PANEL is not set +# CONFIG_INPUT_IMS_PCU is not set +# CONFIG_INPUT_IQS269A is not set +# CONFIG_INPUT_IQS626A is not set +# CONFIG_INPUT_IQS7222 is not set +# CONFIG_INPUT_CMA3000 is not set +# CONFIG_INPUT_DRV260X_HAPTICS is not set +# CONFIG_INPUT_DRV2665_HAPTICS is not 
set +# CONFIG_INPUT_DRV2667_HAPTICS is not set +# CONFIG_INPUT_HISI_POWERKEY is not set +CONFIG_RMI4_CORE=m +CONFIG_RMI4_I2C=m +CONFIG_RMI4_SPI=m +CONFIG_RMI4_SMB=m +CONFIG_RMI4_F03=y +CONFIG_RMI4_F03_SERIO=m +CONFIG_RMI4_2D_SENSOR=y +CONFIG_RMI4_F11=y +CONFIG_RMI4_F12=y +CONFIG_RMI4_F30=y +# CONFIG_RMI4_F34 is not set +# CONFIG_RMI4_F3A is not set +# CONFIG_RMI4_F54 is not set +# CONFIG_RMI4_F55 is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_SERIO_SERPORT=y +CONFIG_SERIO_AMBAKMI=y +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +CONFIG_SERIO_RAW=m +CONFIG_SERIO_ALTERA_PS2=m +# CONFIG_SERIO_PS2MULT is not set +CONFIG_SERIO_ARC_PS2=m +# CONFIG_SERIO_APBPS2 is not set +# CONFIG_SERIO_GPIO_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set +# end of Hardware I/O ports +# end of Input device support + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +CONFIG_VT_HW_CONSOLE_BINDING=y +CONFIG_UNIX98_PTYS=y +# CONFIG_LEGACY_PTYS is not set +CONFIG_LEGACY_TIOCSTI=y +CONFIG_LDISC_AUTOLOAD=y + +# +# Serial drivers +# +CONFIG_SERIAL_EARLYCON=y +CONFIG_SERIAL_8250=y +# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set +CONFIG_SERIAL_8250_PNP=y +CONFIG_SERIAL_8250_16550A_VARIANTS=y +# CONFIG_SERIAL_8250_FINTEK is not set +CONFIG_SERIAL_8250_CONSOLE=y +CONFIG_SERIAL_8250_DMA=y +CONFIG_SERIAL_8250_PCILIB=y +CONFIG_SERIAL_8250_PCI=y +CONFIG_SERIAL_8250_EXAR=y +CONFIG_SERIAL_8250_NR_UARTS=32 +CONFIG_SERIAL_8250_RUNTIME_UARTS=4 +CONFIG_SERIAL_8250_EXTENDED=y +CONFIG_SERIAL_8250_MANY_PORTS=y +# CONFIG_SERIAL_8250_PCI1XXXX is not set +CONFIG_SERIAL_8250_SHARE_IRQ=y +# CONFIG_SERIAL_8250_DETECT_IRQ is not set +CONFIG_SERIAL_8250_RSA=y +CONFIG_SERIAL_8250_DWLIB=y +CONFIG_SERIAL_8250_FSL=y +CONFIG_SERIAL_8250_DW=y +CONFIG_SERIAL_8250_RT288X=y +CONFIG_SERIAL_8250_PERICOM=y +CONFIG_SERIAL_OF_PLATFORM=y + +# +# Non-8250 serial port support +# 
+# CONFIG_SERIAL_AMBA_PL010 is not set +CONFIG_SERIAL_AMBA_PL011=y +CONFIG_SERIAL_AMBA_PL011_CONSOLE=y +# CONFIG_SERIAL_EARLYCON_SEMIHOST is not set +# CONFIG_SERIAL_MAX3100 is not set +# CONFIG_SERIAL_MAX310X is not set +# CONFIG_SERIAL_UARTLITE is not set +CONFIG_SERIAL_CORE=y +CONFIG_SERIAL_CORE_CONSOLE=y +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_MSM is not set +# CONFIG_SERIAL_SIFIVE is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_SC16IS7XX is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_XILINX_PS_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_FSL_LINFLEXUART is not set +# CONFIG_SERIAL_CONEXANT_DIGICOLOR is not set +# CONFIG_SERIAL_SPRD is not set +# end of Serial drivers + +CONFIG_SERIAL_MCTRL_GPIO=y +CONFIG_SERIAL_NONSTANDARD=y +# CONFIG_MOXA_INTELLIO is not set +# CONFIG_MOXA_SMARTIO is not set +CONFIG_N_HDLC=m +CONFIG_N_GSM=m +# CONFIG_NOZOMI is not set +# CONFIG_NULL_TTY is not set +CONFIG_HVC_DRIVER=y +# CONFIG_HVC_DCC is not set +# CONFIG_SERIAL_DEV_BUS is not set +# CONFIG_TTY_PRINTK is not set +CONFIG_VIRTIO_CONSOLE=m +CONFIG_IPMI_HANDLER=m +CONFIG_IPMI_DMI_DECODE=y +CONFIG_IPMI_PLAT_DATA=y +# CONFIG_IPMI_PANIC_EVENT is not set +CONFIG_IPMI_DEVICE_INTERFACE=m +CONFIG_IPMI_SI=m +CONFIG_IPMI_SSIF=m +# CONFIG_IPMI_IPMB is not set +CONFIG_IPMI_WATCHDOG=m +CONFIG_IPMI_POWEROFF=m +# CONFIG_SSIF_IPMI_BMC is not set +# CONFIG_IPMB_DEVICE_INTERFACE is not set +CONFIG_HW_RANDOM=y +CONFIG_HW_RANDOM_TIMERIOMEM=m +# CONFIG_HW_RANDOM_BA431 is not set +CONFIG_HW_RANDOM_VIRTIO=m +CONFIG_HW_RANDOM_HISI=y +# CONFIG_HW_RANDOM_HISTB is not set +CONFIG_HW_RANDOM_XGENE=y +CONFIG_HW_RANDOM_CAVIUM=y +# CONFIG_HW_RANDOM_CCTRNG is not set +# CONFIG_HW_RANDOM_XIPHERA is not set +# CONFIG_HW_RANDOM_ARM_SMCCC_TRNG is not set +# CONFIG_HW_RANDOM_CN10K is not set +# CONFIG_APPLICOM is not set +# CONFIG_DEVMEM 
is not set +# CONFIG_DEVPORT is not set +CONFIG_TCG_TPM=y +CONFIG_HW_RANDOM_TPM=y +CONFIG_TCG_TIS_CORE=y +CONFIG_TCG_TIS=y +CONFIG_TCG_TIS_SPI=y +# CONFIG_TCG_TIS_SPI_CR50 is not set +# CONFIG_TCG_TIS_I2C is not set +# CONFIG_TCG_TIS_I2C_CR50 is not set +CONFIG_TCG_TIS_I2C_ATMEL=m +CONFIG_TCG_TIS_I2C_INFINEON=m +CONFIG_TCG_TIS_I2C_NUVOTON=m +CONFIG_TCG_ATMEL=m +CONFIG_TCG_INFINEON=y +CONFIG_TCG_CRB=y +# CONFIG_TCG_VTPM_PROXY is not set +CONFIG_TCG_TIS_ST33ZP24=m +CONFIG_TCG_TIS_ST33ZP24_I2C=m +CONFIG_TCG_TIS_ST33ZP24_SPI=m +# CONFIG_XILLYBUS is not set +# CONFIG_XILLYUSB is not set +# end of Character devices + +# +# I2C support +# +CONFIG_I2C=y +CONFIG_ACPI_I2C_OPREGION=y +CONFIG_I2C_BOARDINFO=y +CONFIG_I2C_COMPAT=y +CONFIG_I2C_CHARDEV=m +CONFIG_I2C_MUX=m + +# +# Multiplexer I2C Chip support +# +CONFIG_I2C_ARB_GPIO_CHALLENGE=m +CONFIG_I2C_MUX_GPIO=m +# CONFIG_I2C_MUX_GPMUX is not set +# CONFIG_I2C_MUX_LTC4306 is not set +CONFIG_I2C_MUX_PCA9541=m +CONFIG_I2C_MUX_PCA954x=m +CONFIG_I2C_MUX_PINCTRL=m +# CONFIG_I2C_MUX_REG is not set +# CONFIG_I2C_DEMUX_PINCTRL is not set +CONFIG_I2C_MUX_MLXCPLD=m +# end of Multiplexer I2C Chip support + +# CONFIG_I2C_HELPER_AUTO is not set +CONFIG_I2C_SMBUS=m + +# +# I2C Algorithms +# +CONFIG_I2C_ALGOBIT=y +# CONFIG_I2C_ALGOPCF is not set +CONFIG_I2C_ALGOPCA=m +# end of I2C Algorithms + +# +# I2C Hardware Bus support +# + +# +# PC SMBus host controller drivers +# +# CONFIG_I2C_ALI1535 is not set +# CONFIG_I2C_ALI1563 is not set +# CONFIG_I2C_ALI15X3 is not set +# CONFIG_I2C_AMD756 is not set +# CONFIG_I2C_AMD8111 is not set +# CONFIG_I2C_AMD_MP2 is not set +# CONFIG_I2C_HIX5HD2 is not set +# CONFIG_I2C_I801 is not set +# CONFIG_I2C_ISCH is not set +# CONFIG_I2C_PIIX4 is not set +CONFIG_I2C_NFORCE2=m +# CONFIG_I2C_NVIDIA_GPU is not set +# CONFIG_I2C_SIS5595 is not set +# CONFIG_I2C_SIS630 is not set +# CONFIG_I2C_SIS96X is not set +# CONFIG_I2C_VIA is not set +# CONFIG_I2C_VIAPRO is not set + +# +# ACPI drivers +# +# CONFIG_I2C_SCMI is 
not set + +# +# I2C system bus drivers (mostly embedded / system-on-chip) +# +# CONFIG_I2C_CADENCE is not set +# CONFIG_I2C_CBUS_GPIO is not set +CONFIG_I2C_DESIGNWARE_CORE=m +# CONFIG_I2C_DESIGNWARE_SLAVE is not set +CONFIG_I2C_DESIGNWARE_PLATFORM=m +# CONFIG_I2C_DESIGNWARE_PCI is not set +# CONFIG_I2C_EMEV2 is not set +CONFIG_I2C_GPIO=m +# CONFIG_I2C_GPIO_FAULT_INJECTOR is not set +CONFIG_I2C_HISI=m +# CONFIG_I2C_NOMADIK is not set +# CONFIG_I2C_OCORES is not set +CONFIG_I2C_PCA_PLATFORM=m +# CONFIG_I2C_QCOM_CCI is not set +CONFIG_I2C_QUP=m +# CONFIG_I2C_RK3X is not set +CONFIG_I2C_SIMTEC=m +CONFIG_I2C_VERSATILE=m +CONFIG_I2C_THUNDERX=m +# CONFIG_I2C_XILINX is not set +CONFIG_I2C_XLP9XX=m + +# +# External I2C/SMBus adapter drivers +# +CONFIG_I2C_DIOLAN_U2C=m +# CONFIG_I2C_CP2615 is not set +# CONFIG_I2C_PCI1XXXX is not set +# CONFIG_I2C_ROBOTFUZZ_OSIF is not set +# CONFIG_I2C_TAOS_EVM is not set +CONFIG_I2C_TINY_USB=m + +# +# Other I2C/SMBus bus drivers +# +# CONFIG_I2C_MLXCPLD is not set +CONFIG_I2C_XGENE_SLIMPRO=m +# CONFIG_I2C_VIRTIO is not set +# end of I2C Hardware Bus support + +CONFIG_I2C_STUB=m +CONFIG_I2C_SLAVE=y +CONFIG_I2C_SLAVE_EEPROM=m +# CONFIG_I2C_SLAVE_TESTUNIT is not set +# CONFIG_I2C_DEBUG_CORE is not set +# CONFIG_I2C_DEBUG_ALGO is not set +# CONFIG_I2C_DEBUG_BUS is not set +# end of I2C support + +# CONFIG_I3C is not set +CONFIG_SPI=y +# CONFIG_SPI_DEBUG is not set +CONFIG_SPI_MASTER=y +CONFIG_SPI_MEM=y + +# +# SPI Master Controller Drivers +# +# CONFIG_SPI_ALTERA is not set +# CONFIG_SPI_AXI_SPI_ENGINE is not set +# CONFIG_SPI_BITBANG is not set +CONFIG_SPI_CADENCE=m +# CONFIG_SPI_CADENCE_QUADSPI is not set +# CONFIG_SPI_CADENCE_XSPI is not set +CONFIG_SPI_DESIGNWARE=y +# CONFIG_SPI_DW_DMA is not set +CONFIG_SPI_DW_PCI=m +CONFIG_SPI_DW_MMIO=y +CONFIG_SPI_HISI_KUNPENG=m +CONFIG_SPI_HISI_SFC_V3XX=m +# CONFIG_SPI_GPIO is not set +# CONFIG_SPI_FSL_SPI is not set +# CONFIG_SPI_MICROCHIP_CORE is not set +# CONFIG_SPI_MICROCHIP_CORE_QSPI is not set 
+# CONFIG_SPI_OC_TINY is not set +# CONFIG_SPI_PCI1XXXX is not set +CONFIG_SPI_PL022=m +# CONFIG_SPI_PXA2XX is not set +# CONFIG_SPI_QCOM_QSPI is not set +CONFIG_SPI_QUP=y +# CONFIG_SPI_SC18IS602 is not set +# CONFIG_SPI_SIFIVE is not set +# CONFIG_SPI_SN_F_OSPI is not set +# CONFIG_SPI_MXIC is not set +# CONFIG_SPI_THUNDERX is not set +# CONFIG_SPI_XCOMM is not set +# CONFIG_SPI_XILINX is not set +CONFIG_SPI_XLP=m +# CONFIG_SPI_ZYNQMP_GQSPI is not set +# CONFIG_SPI_AMD is not set + +# +# SPI Multiplexer support +# +# CONFIG_SPI_MUX is not set + +# +# SPI Protocol Masters +# +CONFIG_SPI_SPIDEV=m +# CONFIG_SPI_LOOPBACK_TEST is not set +# CONFIG_SPI_TLE62X0 is not set +# CONFIG_SPI_SLAVE is not set +CONFIG_SPI_DYNAMIC=y +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +CONFIG_PPS=y +# CONFIG_PPS_DEBUG is not set + +# +# PPS clients support +# +# CONFIG_PPS_CLIENT_KTIMER is not set +CONFIG_PPS_CLIENT_LDISC=m +CONFIG_PPS_CLIENT_GPIO=m + +# +# PPS generators support +# + +# +# PTP clock support +# +CONFIG_PTP_1588_CLOCK=y +CONFIG_PTP_1588_CLOCK_OPTIONAL=y +CONFIG_DP83640_PHY=m +# CONFIG_PTP_1588_CLOCK_INES is not set +CONFIG_PTP_1588_CLOCK_KVM=y +# CONFIG_PTP_1588_CLOCK_IDT82P33 is not set +# CONFIG_PTP_1588_CLOCK_IDTCM is not set +# CONFIG_PTP_1588_CLOCK_MOCK is not set +# CONFIG_PTP_1588_CLOCK_OCP is not set +CONFIG_PTP_HISI=m +# end of PTP clock support + +CONFIG_PINCTRL=y +CONFIG_PINMUX=y +CONFIG_PINCONF=y +CONFIG_GENERIC_PINCONF=y +# CONFIG_DEBUG_PINCTRL is not set +# CONFIG_PINCTRL_AMD is not set +# CONFIG_PINCTRL_CY8C95X0 is not set +# CONFIG_PINCTRL_MCP23S08 is not set +# CONFIG_PINCTRL_MICROCHIP_SGPIO is not set +# CONFIG_PINCTRL_OCELOT is not set +# CONFIG_PINCTRL_SINGLE is not set +# CONFIG_PINCTRL_STMFX is not set +# CONFIG_PINCTRL_SX150X is not set +CONFIG_PINCTRL_MSM=y +# CONFIG_PINCTRL_IPQ5018 is not set +# CONFIG_PINCTRL_IPQ5332 is not set +# CONFIG_PINCTRL_IPQ8074 is not set +# CONFIG_PINCTRL_IPQ6018 is not set +# CONFIG_PINCTRL_IPQ9574 is not set +# 
CONFIG_PINCTRL_MDM9607 is not set +# CONFIG_PINCTRL_MSM8916 is not set +# CONFIG_PINCTRL_MSM8953 is not set +# CONFIG_PINCTRL_MSM8976 is not set +# CONFIG_PINCTRL_MSM8994 is not set +# CONFIG_PINCTRL_MSM8996 is not set +# CONFIG_PINCTRL_MSM8998 is not set +# CONFIG_PINCTRL_QCM2290 is not set +# CONFIG_PINCTRL_QCS404 is not set +CONFIG_PINCTRL_QDF2XXX=y +# CONFIG_PINCTRL_QDU1000 is not set +# CONFIG_PINCTRL_SA8775P is not set +# CONFIG_PINCTRL_SC7180 is not set +# CONFIG_PINCTRL_SC7280 is not set +# CONFIG_PINCTRL_SC8180X is not set +# CONFIG_PINCTRL_SC8280XP is not set +# CONFIG_PINCTRL_SDM660 is not set +# CONFIG_PINCTRL_SDM670 is not set +# CONFIG_PINCTRL_SDM845 is not set +# CONFIG_PINCTRL_SDX75 is not set +# CONFIG_PINCTRL_SM6115 is not set +# CONFIG_PINCTRL_SM6125 is not set +# CONFIG_PINCTRL_SM6350 is not set +# CONFIG_PINCTRL_SM6375 is not set +# CONFIG_PINCTRL_SM7150 is not set +# CONFIG_PINCTRL_SM8150 is not set +# CONFIG_PINCTRL_SM8250 is not set +# CONFIG_PINCTRL_SM8350 is not set +# CONFIG_PINCTRL_SM8450 is not set +# CONFIG_PINCTRL_SM8550 is not set +# CONFIG_PINCTRL_QCOM_SSBI_PMIC is not set +# CONFIG_PINCTRL_LPASS_LPI is not set + +# +# Renesas pinctrl drivers +# +# end of Renesas pinctrl drivers + +CONFIG_GPIOLIB=y +CONFIG_GPIOLIB_FASTPATH_LIMIT=512 +CONFIG_OF_GPIO=y +CONFIG_GPIO_ACPI=y +CONFIG_GPIOLIB_IRQCHIP=y +# CONFIG_DEBUG_GPIO is not set +CONFIG_GPIO_SYSFS=y +CONFIG_GPIO_CDEV=y +CONFIG_GPIO_CDEV_V1=y +CONFIG_GPIO_GENERIC=y + +# +# Memory mapped GPIO drivers +# +# CONFIG_GPIO_74XX_MMIO is not set +# CONFIG_GPIO_ALTERA is not set +CONFIG_GPIO_AMDPT=m +# CONFIG_GPIO_CADENCE is not set +CONFIG_GPIO_DWAPB=y +# CONFIG_GPIO_EXAR is not set +# CONFIG_GPIO_FTGPIO010 is not set +CONFIG_GPIO_GENERIC_PLATFORM=m +# CONFIG_GPIO_GRGPIO is not set +CONFIG_GPIO_HISI=m +# CONFIG_GPIO_HLWD is not set +# CONFIG_GPIO_LOGICVC is not set +# CONFIG_GPIO_MB86S7X is not set +CONFIG_GPIO_PL061=y +# CONFIG_GPIO_SIFIVE is not set +# CONFIG_GPIO_SYSCON is not set +# 
CONFIG_GPIO_THUNDERX is not set +CONFIG_GPIO_XGENE=y +CONFIG_GPIO_XGENE_SB=m +# CONFIG_GPIO_XILINX is not set +CONFIG_GPIO_XLP=m +# CONFIG_GPIO_AMD_FCH is not set +# end of Memory mapped GPIO drivers + +# +# I2C GPIO expanders +# +# CONFIG_GPIO_ADNP is not set +# CONFIG_GPIO_FXL6408 is not set +# CONFIG_GPIO_DS4520 is not set +# CONFIG_GPIO_GW_PLD is not set +# CONFIG_GPIO_MAX7300 is not set +# CONFIG_GPIO_MAX732X is not set +# CONFIG_GPIO_PCA953X is not set +# CONFIG_GPIO_PCA9570 is not set +# CONFIG_GPIO_PCF857X is not set +# CONFIG_GPIO_TPIC2810 is not set +# end of I2C GPIO expanders + +# +# MFD GPIO expanders +# +# end of MFD GPIO expanders + +# +# PCI GPIO expanders +# +# CONFIG_GPIO_BT8XX is not set +# CONFIG_GPIO_PCI_IDIO_16 is not set +# CONFIG_GPIO_PCIE_IDIO_24 is not set +# CONFIG_GPIO_RDC321X is not set +# end of PCI GPIO expanders + +# +# SPI GPIO expanders +# +# CONFIG_GPIO_74X164 is not set +# CONFIG_GPIO_MAX3191X is not set +# CONFIG_GPIO_MAX7301 is not set +# CONFIG_GPIO_MC33880 is not set +# CONFIG_GPIO_PISOSR is not set +# CONFIG_GPIO_XRA1403 is not set +# end of SPI GPIO expanders + +# +# USB GPIO expanders +# +# end of USB GPIO expanders + +# +# Virtual GPIO drivers +# +# CONFIG_GPIO_AGGREGATOR is not set +# CONFIG_GPIO_LATCH is not set +# CONFIG_GPIO_MOCKUP is not set +# CONFIG_GPIO_VIRTIO is not set +# CONFIG_GPIO_SIM is not set +# end of Virtual GPIO drivers + +# CONFIG_W1 is not set +CONFIG_POWER_RESET=y +# CONFIG_POWER_RESET_BRCMSTB is not set +CONFIG_POWER_RESET_GPIO=y +CONFIG_POWER_RESET_GPIO_RESTART=y +CONFIG_POWER_RESET_HISI=y +# CONFIG_POWER_RESET_MSM is not set +# CONFIG_POWER_RESET_LTC2952 is not set +# CONFIG_POWER_RESET_REGULATOR is not set +CONFIG_POWER_RESET_RESTART=y +CONFIG_POWER_RESET_VEXPRESS=y +# CONFIG_POWER_RESET_XGENE is not set +CONFIG_POWER_RESET_SYSCON=y +# CONFIG_POWER_RESET_SYSCON_POWEROFF is not set +# CONFIG_SYSCON_REBOOT_MODE is not set +# CONFIG_NVMEM_REBOOT_MODE is not set +CONFIG_POWER_SUPPLY=y +# 
CONFIG_POWER_SUPPLY_DEBUG is not set +CONFIG_POWER_SUPPLY_HWMON=y +# CONFIG_IP5XXX_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_CHARGER_ADP5061 is not set +# CONFIG_BATTERY_CW2015 is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_DS2782 is not set +# CONFIG_BATTERY_SAMSUNG_SDI is not set +# CONFIG_BATTERY_SBS is not set +# CONFIG_CHARGER_SBS is not set +# CONFIG_MANAGER_SBS is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_BATTERY_MAX17040 is not set +# CONFIG_BATTERY_MAX17042 is not set +# CONFIG_CHARGER_MAX8903 is not set +# CONFIG_CHARGER_LP8727 is not set +# CONFIG_CHARGER_GPIO is not set +# CONFIG_CHARGER_MANAGER is not set +# CONFIG_CHARGER_LT3651 is not set +# CONFIG_CHARGER_LTC4162L is not set +# CONFIG_CHARGER_DETECTOR_MAX14656 is not set +# CONFIG_CHARGER_MAX77976 is not set +# CONFIG_CHARGER_BQ2415X is not set +# CONFIG_CHARGER_BQ24190 is not set +# CONFIG_CHARGER_BQ24257 is not set +# CONFIG_CHARGER_BQ24735 is not set +# CONFIG_CHARGER_BQ2515X is not set +# CONFIG_CHARGER_BQ25890 is not set +# CONFIG_CHARGER_BQ25980 is not set +# CONFIG_CHARGER_BQ256XX is not set +CONFIG_CHARGER_SMB347=m +# CONFIG_BATTERY_GAUGE_LTC2941 is not set +# CONFIG_BATTERY_GOLDFISH is not set +# CONFIG_BATTERY_RT5033 is not set +# CONFIG_CHARGER_RT9455 is not set +# CONFIG_CHARGER_RT9467 is not set +# CONFIG_CHARGER_RT9471 is not set +# CONFIG_CHARGER_UCS1002 is not set +# CONFIG_CHARGER_BD99954 is not set +# CONFIG_BATTERY_UG3105 is not set +CONFIG_HWMON=y +CONFIG_HWMON_VID=m +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +CONFIG_SENSORS_AD7314=m +CONFIG_SENSORS_AD7414=m +CONFIG_SENSORS_AD7418=m +CONFIG_SENSORS_ADM1025=m +CONFIG_SENSORS_ADM1026=m +CONFIG_SENSORS_ADM1029=m +CONFIG_SENSORS_ADM1031=m +# CONFIG_SENSORS_ADM1177 is not set +CONFIG_SENSORS_ADM9240=m +CONFIG_SENSORS_ADT7X10=m +CONFIG_SENSORS_ADT7310=m +CONFIG_SENSORS_ADT7410=m +CONFIG_SENSORS_ADT7411=m +CONFIG_SENSORS_ADT7462=m 
+CONFIG_SENSORS_ADT7470=m +CONFIG_SENSORS_ADT7475=m +# CONFIG_SENSORS_AHT10 is not set +# CONFIG_SENSORS_AQUACOMPUTER_D5NEXT is not set +# CONFIG_SENSORS_AS370 is not set +CONFIG_SENSORS_ASC7621=m +# CONFIG_SENSORS_AXI_FAN_CONTROL is not set +CONFIG_SENSORS_ARM_SCPI=m +CONFIG_SENSORS_ATXP1=m +# CONFIG_SENSORS_CORSAIR_CPRO is not set +# CONFIG_SENSORS_CORSAIR_PSU is not set +# CONFIG_SENSORS_DRIVETEMP is not set +CONFIG_SENSORS_DS620=m +CONFIG_SENSORS_DS1621=m +# CONFIG_SENSORS_I5K_AMB is not set +CONFIG_SENSORS_F71805F=m +CONFIG_SENSORS_F71882FG=m +CONFIG_SENSORS_F75375S=m +# CONFIG_SENSORS_FTSTEUTATES is not set +CONFIG_SENSORS_GL518SM=m +CONFIG_SENSORS_GL520SM=m +CONFIG_SENSORS_G760A=m +CONFIG_SENSORS_G762=m +# CONFIG_SENSORS_GPIO_FAN is not set +# CONFIG_SENSORS_HIH6130 is not set +# CONFIG_SENSORS_HS3001 is not set +CONFIG_SENSORS_IBMAEM=m +CONFIG_SENSORS_IBMPEX=m +CONFIG_SENSORS_IT87=m +CONFIG_SENSORS_JC42=m +CONFIG_SENSORS_POWR1220=m +CONFIG_SENSORS_LINEAGE=m +CONFIG_SENSORS_LTC2945=m +# CONFIG_SENSORS_LTC2947_I2C is not set +# CONFIG_SENSORS_LTC2947_SPI is not set +# CONFIG_SENSORS_LTC2990 is not set +# CONFIG_SENSORS_LTC2992 is not set +CONFIG_SENSORS_LTC4151=m +CONFIG_SENSORS_LTC4215=m +CONFIG_SENSORS_LTC4222=m +CONFIG_SENSORS_LTC4245=m +CONFIG_SENSORS_LTC4260=m +CONFIG_SENSORS_LTC4261=m +CONFIG_SENSORS_MAX1111=m +# CONFIG_SENSORS_MAX127 is not set +CONFIG_SENSORS_MAX16065=m +CONFIG_SENSORS_MAX1619=m +CONFIG_SENSORS_MAX1668=m +CONFIG_SENSORS_MAX197=m +# CONFIG_SENSORS_MAX31722 is not set +# CONFIG_SENSORS_MAX31730 is not set +# CONFIG_SENSORS_MAX31760 is not set +# CONFIG_MAX31827 is not set +# CONFIG_SENSORS_MAX6620 is not set +# CONFIG_SENSORS_MAX6621 is not set +CONFIG_SENSORS_MAX6639=m +CONFIG_SENSORS_MAX6650=m +CONFIG_SENSORS_MAX6697=m +CONFIG_SENSORS_MAX31790=m +# CONFIG_SENSORS_MC34VR500 is not set +CONFIG_SENSORS_MCP3021=m +# CONFIG_SENSORS_TC654 is not set +# CONFIG_SENSORS_TPS23861 is not set +# CONFIG_SENSORS_MR75203 is not set 
+CONFIG_SENSORS_ADCXX=m +CONFIG_SENSORS_LM63=m +CONFIG_SENSORS_LM70=m +CONFIG_SENSORS_LM73=m +CONFIG_SENSORS_LM75=m +CONFIG_SENSORS_LM77=m +CONFIG_SENSORS_LM78=m +CONFIG_SENSORS_LM80=m +CONFIG_SENSORS_LM83=m +CONFIG_SENSORS_LM85=m +CONFIG_SENSORS_LM87=m +CONFIG_SENSORS_LM90=m +CONFIG_SENSORS_LM92=m +CONFIG_SENSORS_LM93=m +CONFIG_SENSORS_LM95234=m +CONFIG_SENSORS_LM95241=m +CONFIG_SENSORS_LM95245=m +CONFIG_SENSORS_PC87360=m +CONFIG_SENSORS_PC87427=m +CONFIG_SENSORS_NCT6683=m +CONFIG_SENSORS_NCT6775_CORE=m +CONFIG_SENSORS_NCT6775=m +# CONFIG_SENSORS_NCT6775_I2C is not set +CONFIG_SENSORS_NCT7802=m +CONFIG_SENSORS_NCT7904=m +# CONFIG_SENSORS_NPCM7XX is not set +# CONFIG_SENSORS_NZXT_KRAKEN2 is not set +# CONFIG_SENSORS_NZXT_SMART2 is not set +# CONFIG_SENSORS_OCC_P8_I2C is not set +CONFIG_SENSORS_PCF8591=m +CONFIG_PMBUS=m +CONFIG_SENSORS_PMBUS=m +# CONFIG_SENSORS_ACBEL_FSG032 is not set +# CONFIG_SENSORS_ADM1266 is not set +CONFIG_SENSORS_ADM1275=m +# CONFIG_SENSORS_BEL_PFE is not set +# CONFIG_SENSORS_BPA_RS600 is not set +# CONFIG_SENSORS_DELTA_AHE50DC_FAN is not set +# CONFIG_SENSORS_FSP_3Y is not set +# CONFIG_SENSORS_IBM_CFFPS is not set +# CONFIG_SENSORS_DPS920AB is not set +# CONFIG_SENSORS_INSPUR_IPSPS is not set +# CONFIG_SENSORS_IR35221 is not set +# CONFIG_SENSORS_IR36021 is not set +# CONFIG_SENSORS_IR38064 is not set +# CONFIG_SENSORS_IRPS5401 is not set +# CONFIG_SENSORS_ISL68137 is not set +CONFIG_SENSORS_LM25066=m +# CONFIG_SENSORS_LM25066_REGULATOR is not set +# CONFIG_SENSORS_LT7182S is not set +CONFIG_SENSORS_LTC2978=m +# CONFIG_SENSORS_LTC2978_REGULATOR is not set +CONFIG_SENSORS_LTC3815=m +# CONFIG_SENSORS_MAX15301 is not set +CONFIG_SENSORS_MAX16064=m +# CONFIG_SENSORS_MAX16601 is not set +# CONFIG_SENSORS_MAX20730 is not set +CONFIG_SENSORS_MAX20751=m +# CONFIG_SENSORS_MAX31785 is not set +CONFIG_SENSORS_MAX34440=m +CONFIG_SENSORS_MAX8688=m +# CONFIG_SENSORS_MP2888 is not set +# CONFIG_SENSORS_MP2975 is not set +# CONFIG_SENSORS_MP5023 is not 
set +# CONFIG_SENSORS_MPQ7932 is not set +# CONFIG_SENSORS_PIM4328 is not set +# CONFIG_SENSORS_PLI1209BC is not set +# CONFIG_SENSORS_PM6764TR is not set +# CONFIG_SENSORS_PXE1610 is not set +# CONFIG_SENSORS_Q54SJ108A2 is not set +# CONFIG_SENSORS_STPDDC60 is not set +# CONFIG_SENSORS_TDA38640 is not set +CONFIG_SENSORS_TPS40422=m +# CONFIG_SENSORS_TPS53679 is not set +# CONFIG_SENSORS_TPS546D24 is not set +CONFIG_SENSORS_UCD9000=m +CONFIG_SENSORS_UCD9200=m +# CONFIG_SENSORS_XDPE152 is not set +# CONFIG_SENSORS_XDPE122 is not set +CONFIG_SENSORS_ZL6100=m +CONFIG_SENSORS_PWM_FAN=m +# CONFIG_SENSORS_SBTSI is not set +# CONFIG_SENSORS_SBRMI is not set +CONFIG_SENSORS_SHT15=m +CONFIG_SENSORS_SHT21=m +# CONFIG_SENSORS_SHT3x is not set +# CONFIG_SENSORS_SHT4x is not set +CONFIG_SENSORS_SHTC1=m +CONFIG_SENSORS_SIS5595=m +CONFIG_SENSORS_DME1737=m +CONFIG_SENSORS_EMC1403=m +# CONFIG_SENSORS_EMC2103 is not set +# CONFIG_SENSORS_EMC2305 is not set +CONFIG_SENSORS_EMC6W201=m +CONFIG_SENSORS_SMSC47M1=m +CONFIG_SENSORS_SMSC47M192=m +CONFIG_SENSORS_SMSC47B397=m +CONFIG_SENSORS_SCH56XX_COMMON=m +CONFIG_SENSORS_SCH5627=m +CONFIG_SENSORS_SCH5636=m +# CONFIG_SENSORS_STTS751 is not set +CONFIG_SENSORS_ADC128D818=m +CONFIG_SENSORS_ADS7828=m +CONFIG_SENSORS_ADS7871=m +CONFIG_SENSORS_AMC6821=m +CONFIG_SENSORS_INA209=m +CONFIG_SENSORS_INA2XX=m +# CONFIG_SENSORS_INA238 is not set +# CONFIG_SENSORS_INA3221 is not set +CONFIG_SENSORS_TC74=m +CONFIG_SENSORS_THMC50=m +CONFIG_SENSORS_TMP102=m +CONFIG_SENSORS_TMP103=m +# CONFIG_SENSORS_TMP108 is not set +CONFIG_SENSORS_TMP401=m +CONFIG_SENSORS_TMP421=m +# CONFIG_SENSORS_TMP464 is not set +# CONFIG_SENSORS_TMP513 is not set +CONFIG_SENSORS_VEXPRESS=m +CONFIG_SENSORS_VIA686A=m +CONFIG_SENSORS_VT1211=m +CONFIG_SENSORS_VT8231=m +# CONFIG_SENSORS_W83773G is not set +CONFIG_SENSORS_W83781D=m +CONFIG_SENSORS_W83791D=m +CONFIG_SENSORS_W83792D=m +CONFIG_SENSORS_W83793=m +CONFIG_SENSORS_W83795=m +# CONFIG_SENSORS_W83795_FANCTRL is not set 
+CONFIG_SENSORS_W83L785TS=m +CONFIG_SENSORS_W83L786NG=m +CONFIG_SENSORS_W83627HF=m +CONFIG_SENSORS_W83627EHF=m +CONFIG_SENSORS_XGENE=m + +# +# ACPI drivers +# +CONFIG_SENSORS_ACPI_POWER=m +CONFIG_THERMAL=y +# CONFIG_THERMAL_NETLINK is not set +# CONFIG_THERMAL_STATISTICS is not set +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +CONFIG_THERMAL_OF=y +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +CONFIG_THERMAL_GOV_FAIR_SHARE=y +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +CONFIG_THERMAL_GOV_USER_SPACE=y +CONFIG_CPU_THERMAL=y +CONFIG_CPU_FREQ_THERMAL=y +# CONFIG_DEVFREQ_THERMAL is not set +CONFIG_THERMAL_EMULATION=y +# CONFIG_THERMAL_MMIO is not set +CONFIG_HISI_THERMAL=m + +# +# Qualcomm thermal drivers +# +# CONFIG_QCOM_LMH is not set +# end of Qualcomm thermal drivers + +CONFIG_WATCHDOG=y +CONFIG_WATCHDOG_CORE=y +# CONFIG_WATCHDOG_NOWAYOUT is not set +CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED=y +CONFIG_WATCHDOG_OPEN_TIMEOUT=0 +CONFIG_WATCHDOG_SYSFS=y +# CONFIG_WATCHDOG_HRTIMER_PRETIMEOUT is not set + +# +# Watchdog Pretimeout Governors +# +# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set + +# +# Watchdog Device Drivers +# +CONFIG_SOFT_WATCHDOG=m +CONFIG_GPIO_WATCHDOG=m +# CONFIG_WDAT_WDT is not set +# CONFIG_XILINX_WATCHDOG is not set +# CONFIG_XILINX_WINDOW_WATCHDOG is not set +# CONFIG_ZIIRAVE_WATCHDOG is not set +CONFIG_ARM_SP805_WATCHDOG=m +CONFIG_ARM_SBSA_WATCHDOG=m +# CONFIG_CADENCE_WATCHDOG is not set +# CONFIG_DW_WATCHDOG is not set +# CONFIG_MAX63XX_WATCHDOG is not set +# CONFIG_QCOM_WDT is not set +# CONFIG_ARM_SMC_WATCHDOG is not set +CONFIG_ALIM7101_WDT=m +CONFIG_I6300ESB_WDT=m +# CONFIG_HP_WATCHDOG is not set +CONFIG_MARVELL_GTI_WDT=y +# CONFIG_MEN_A21_WDT is not set + +# +# PCI-based Watchdog Cards +# +CONFIG_PCIPCWATCHDOG=m +CONFIG_WDTPCI=m + +# +# USB-based Watchdog 
Cards +# +CONFIG_USBPCWATCHDOG=m +CONFIG_SSB_POSSIBLE=y +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +CONFIG_BCMA=m +CONFIG_BCMA_HOST_PCI_POSSIBLE=y +CONFIG_BCMA_HOST_PCI=y +# CONFIG_BCMA_HOST_SOC is not set +CONFIG_BCMA_DRIVER_PCI=y +CONFIG_BCMA_DRIVER_GMAC_CMN=y +CONFIG_BCMA_DRIVER_GPIO=y +# CONFIG_BCMA_DEBUG is not set + +# +# Multifunction device drivers +# +CONFIG_MFD_CORE=m +# CONFIG_MFD_ACT8945A is not set +# CONFIG_MFD_AS3711 is not set +# CONFIG_MFD_SMPRO is not set +# CONFIG_MFD_AS3722 is not set +# CONFIG_PMIC_ADP5520 is not set +# CONFIG_MFD_AAT2870_CORE is not set +# CONFIG_MFD_ATMEL_FLEXCOM is not set +# CONFIG_MFD_ATMEL_HLCDC is not set +# CONFIG_MFD_BCM590XX is not set +# CONFIG_MFD_BD9571MWV is not set +# CONFIG_MFD_AXP20X_I2C is not set +# CONFIG_MFD_CS42L43_I2C is not set +# CONFIG_MFD_MADERA is not set +# CONFIG_MFD_MAX5970 is not set +# CONFIG_PMIC_DA903X is not set +# CONFIG_MFD_DA9052_SPI is not set +# CONFIG_MFD_DA9052_I2C is not set +# CONFIG_MFD_DA9055 is not set +# CONFIG_MFD_DA9062 is not set +# CONFIG_MFD_DA9063 is not set +# CONFIG_MFD_DA9150 is not set +# CONFIG_MFD_DLN2 is not set +# CONFIG_MFD_GATEWORKS_GSC is not set +# CONFIG_MFD_MC13XXX_SPI is not set +# CONFIG_MFD_MC13XXX_I2C is not set +# CONFIG_MFD_MP2629 is not set +# CONFIG_MFD_HI6421_PMIC is not set +# CONFIG_MFD_HI655X_PMIC is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_IQS62X is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_88PM800 is not set +# CONFIG_MFD_88PM805 is not set +# CONFIG_MFD_88PM860X is not set +# CONFIG_MFD_MAX14577 is not set +# CONFIG_MFD_MAX77541 is not set +# CONFIG_MFD_MAX77620 is not set +# CONFIG_MFD_MAX77650 is not set +# CONFIG_MFD_MAX77686 is not set +# CONFIG_MFD_MAX77693 is not set +# CONFIG_MFD_MAX77714 is not set +# CONFIG_MFD_MAX77843 is not set +# CONFIG_MFD_MAX8907 is not set +# CONFIG_MFD_MAX8925 is not set +# CONFIG_MFD_MAX8997 is not set +# 
CONFIG_MFD_MAX8998 is not set +# CONFIG_MFD_MT6360 is not set +# CONFIG_MFD_MT6370 is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_MENF21BMC is not set +# CONFIG_MFD_OCELOT is not set +# CONFIG_EZX_PCAP is not set +# CONFIG_MFD_CPCAP is not set +# CONFIG_MFD_VIPERBOARD is not set +# CONFIG_MFD_NTXEC is not set +# CONFIG_MFD_RETU is not set +# CONFIG_MFD_PCF50633 is not set +# CONFIG_MFD_QCOM_RPM is not set +# CONFIG_MFD_SY7636A is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RT4831 is not set +# CONFIG_MFD_RT5033 is not set +# CONFIG_MFD_RT5120 is not set +# CONFIG_MFD_RC5T583 is not set +# CONFIG_MFD_RK8XX_I2C is not set +# CONFIG_MFD_RK8XX_SPI is not set +# CONFIG_MFD_RN5T618 is not set +# CONFIG_MFD_SEC_CORE is not set +# CONFIG_MFD_SI476X_CORE is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_MFD_SKY81452 is not set +# CONFIG_MFD_STMPE is not set +CONFIG_MFD_SYSCON=y +# CONFIG_MFD_LP3943 is not set +# CONFIG_MFD_LP8788 is not set +# CONFIG_MFD_TI_LMU is not set +# CONFIG_MFD_PALMAS is not set +# CONFIG_TPS6105X is not set +# CONFIG_TPS65010 is not set +# CONFIG_TPS6507X is not set +# CONFIG_MFD_TPS65086 is not set +# CONFIG_MFD_TPS65090 is not set +# CONFIG_MFD_TPS65217 is not set +# CONFIG_MFD_TI_LP873X is not set +# CONFIG_MFD_TI_LP87565 is not set +# CONFIG_MFD_TPS65218 is not set +# CONFIG_MFD_TPS65219 is not set +# CONFIG_MFD_TPS6586X is not set +# CONFIG_MFD_TPS65910 is not set +# CONFIG_MFD_TPS65912_I2C is not set +# CONFIG_MFD_TPS65912_SPI is not set +# CONFIG_MFD_TPS6594_I2C is not set +# CONFIG_MFD_TPS6594_SPI is not set +# CONFIG_TWL4030_CORE is not set +# CONFIG_TWL6040_CORE is not set +# CONFIG_MFD_WL1273_CORE is not set +# CONFIG_MFD_LM3533 is not set +# CONFIG_MFD_TC3589X is not set +# CONFIG_MFD_TQMX86 is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_MFD_LOCHNAGAR is not set +# CONFIG_MFD_ARIZONA_I2C is not set +# CONFIG_MFD_ARIZONA_SPI is not set +# CONFIG_MFD_WM8400 is not set +# CONFIG_MFD_WM831X_I2C is not set +# 
CONFIG_MFD_WM831X_SPI is not set +# CONFIG_MFD_WM8350_I2C is not set +# CONFIG_MFD_WM8994 is not set +# CONFIG_MFD_ROHM_BD718XX is not set +# CONFIG_MFD_ROHM_BD71828 is not set +# CONFIG_MFD_ROHM_BD957XMUF is not set +# CONFIG_MFD_STPMIC1 is not set +# CONFIG_MFD_STMFX is not set +# CONFIG_MFD_ATC260X_I2C is not set +# CONFIG_MFD_QCOM_PM8008 is not set +# CONFIG_MFD_VEXPRESS_SYSREG is not set +# CONFIG_MFD_INTEL_M10_BMC_SPI is not set +# CONFIG_MFD_RSMU_I2C is not set +# CONFIG_MFD_RSMU_SPI is not set +# end of Multifunction device drivers + +CONFIG_REGULATOR=y +# CONFIG_REGULATOR_DEBUG is not set +# CONFIG_REGULATOR_FIXED_VOLTAGE is not set +# CONFIG_REGULATOR_VIRTUAL_CONSUMER is not set +# CONFIG_REGULATOR_USERSPACE_CONSUMER is not set +# CONFIG_REGULATOR_88PG86X is not set +# CONFIG_REGULATOR_ACT8865 is not set +# CONFIG_REGULATOR_AD5398 is not set +# CONFIG_REGULATOR_AW37503 is not set +# CONFIG_REGULATOR_DA9121 is not set +# CONFIG_REGULATOR_DA9210 is not set +# CONFIG_REGULATOR_DA9211 is not set +# CONFIG_REGULATOR_FAN53555 is not set +# CONFIG_REGULATOR_FAN53880 is not set +# CONFIG_REGULATOR_GPIO is not set +# CONFIG_REGULATOR_ISL9305 is not set +# CONFIG_REGULATOR_ISL6271A is not set +# CONFIG_REGULATOR_LP3971 is not set +# CONFIG_REGULATOR_LP3972 is not set +# CONFIG_REGULATOR_LP872X is not set +# CONFIG_REGULATOR_LP8755 is not set +# CONFIG_REGULATOR_LTC3589 is not set +# CONFIG_REGULATOR_LTC3676 is not set +# CONFIG_REGULATOR_MAX1586 is not set +# CONFIG_REGULATOR_MAX77857 is not set +# CONFIG_REGULATOR_MAX8649 is not set +# CONFIG_REGULATOR_MAX8660 is not set +# CONFIG_REGULATOR_MAX8893 is not set +# CONFIG_REGULATOR_MAX8952 is not set +# CONFIG_REGULATOR_MAX8973 is not set +# CONFIG_REGULATOR_MAX20086 is not set +# CONFIG_REGULATOR_MAX20411 is not set +# CONFIG_REGULATOR_MAX77826 is not set +# CONFIG_REGULATOR_MCP16502 is not set +# CONFIG_REGULATOR_MP5416 is not set +# CONFIG_REGULATOR_MP8859 is not set +# CONFIG_REGULATOR_MP886X is not set +# 
CONFIG_REGULATOR_MPQ7920 is not set +# CONFIG_REGULATOR_MT6311 is not set +# CONFIG_REGULATOR_PCA9450 is not set +# CONFIG_REGULATOR_PF8X00 is not set +# CONFIG_REGULATOR_PFUZE100 is not set +# CONFIG_REGULATOR_PV88060 is not set +# CONFIG_REGULATOR_PV88080 is not set +# CONFIG_REGULATOR_PV88090 is not set +# CONFIG_REGULATOR_PWM is not set +# CONFIG_REGULATOR_QCOM_REFGEN is not set +# CONFIG_REGULATOR_RAA215300 is not set +# CONFIG_REGULATOR_RASPBERRYPI_TOUCHSCREEN_ATTINY is not set +# CONFIG_REGULATOR_RT4801 is not set +# CONFIG_REGULATOR_RT4803 is not set +# CONFIG_REGULATOR_RT5190A is not set +# CONFIG_REGULATOR_RT5739 is not set +# CONFIG_REGULATOR_RT5759 is not set +# CONFIG_REGULATOR_RT6160 is not set +# CONFIG_REGULATOR_RT6190 is not set +# CONFIG_REGULATOR_RT6245 is not set +# CONFIG_REGULATOR_RTQ2134 is not set +# CONFIG_REGULATOR_RTMV20 is not set +# CONFIG_REGULATOR_RTQ6752 is not set +# CONFIG_REGULATOR_RTQ2208 is not set +# CONFIG_REGULATOR_SLG51000 is not set +# CONFIG_REGULATOR_SY8106A is not set +# CONFIG_REGULATOR_SY8824X is not set +# CONFIG_REGULATOR_SY8827N is not set +# CONFIG_REGULATOR_TPS51632 is not set +# CONFIG_REGULATOR_TPS62360 is not set +# CONFIG_REGULATOR_TPS6286X is not set +# CONFIG_REGULATOR_TPS6287X is not set +# CONFIG_REGULATOR_TPS65023 is not set +# CONFIG_REGULATOR_TPS6507X is not set +# CONFIG_REGULATOR_TPS65132 is not set +# CONFIG_REGULATOR_TPS6524X is not set +# CONFIG_REGULATOR_VCTRL is not set +# CONFIG_REGULATOR_VEXPRESS is not set +# CONFIG_REGULATOR_VQMMC_IPQ4019 is not set +# CONFIG_RC_CORE is not set + +# +# CEC support +# +# CONFIG_MEDIA_CEC_SUPPORT is not set +# end of CEC support + +CONFIG_MEDIA_SUPPORT=m +# CONFIG_MEDIA_SUPPORT_FILTER is not set +# CONFIG_MEDIA_SUBDRV_AUTOSELECT is not set + +# +# Media device types +# +CONFIG_MEDIA_CAMERA_SUPPORT=y +CONFIG_MEDIA_ANALOG_TV_SUPPORT=y +CONFIG_MEDIA_DIGITAL_TV_SUPPORT=y +CONFIG_MEDIA_RADIO_SUPPORT=y +CONFIG_MEDIA_SDR_SUPPORT=y +CONFIG_MEDIA_PLATFORM_SUPPORT=y 
+CONFIG_MEDIA_TEST_SUPPORT=y +# end of Media device types + +# +# Media core support +# +CONFIG_VIDEO_DEV=m +CONFIG_MEDIA_CONTROLLER=y +CONFIG_DVB_CORE=m +# end of Media core support + +# +# Video4Linux options +# +CONFIG_VIDEO_V4L2_I2C=y +CONFIG_VIDEO_V4L2_SUBDEV_API=y +# CONFIG_VIDEO_ADV_DEBUG is not set +CONFIG_VIDEO_FIXED_MINOR_RANGES=y +# CONFIG_V4L2_FLASH_LED_CLASS is not set +CONFIG_V4L2_FWNODE=m +CONFIG_V4L2_ASYNC=m +# end of Video4Linux options + +# +# Media controller options +# +# CONFIG_MEDIA_CONTROLLER_DVB is not set +# end of Media controller options + +# +# Digital TV options +# +# CONFIG_DVB_MMAP is not set +# CONFIG_DVB_NET is not set +CONFIG_DVB_MAX_ADAPTERS=16 +# CONFIG_DVB_DYNAMIC_MINORS is not set +# CONFIG_DVB_DEMUX_SECTION_LOSS_LOG is not set +# CONFIG_DVB_ULE_DEBUG is not set +# end of Digital TV options + +# +# Media drivers +# + +# +# Media drivers +# +CONFIG_MEDIA_USB_SUPPORT=y + +# +# Webcam devices +# +# CONFIG_USB_GSPCA is not set +# CONFIG_USB_PWC is not set +# CONFIG_USB_S2255 is not set +CONFIG_USB_VIDEO_CLASS=m +CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y + +# +# Analog TV USB devices +# +# CONFIG_VIDEO_HDPVR is not set +# CONFIG_VIDEO_PVRUSB2 is not set +# CONFIG_VIDEO_STK1160 is not set + +# +# Analog/digital TV USB devices +# +# CONFIG_VIDEO_AU0828 is not set +# CONFIG_VIDEO_CX231XX is not set + +# +# Digital TV USB devices +# +# CONFIG_DVB_AS102 is not set +# CONFIG_DVB_B2C2_FLEXCOP_USB is not set +# CONFIG_DVB_USB_V2 is not set +# CONFIG_SMS_USB_DRV is not set +# CONFIG_DVB_TTUSB_BUDGET is not set +# CONFIG_DVB_TTUSB_DEC is not set + +# +# Webcam, TV (analog/digital) USB devices +# +# CONFIG_VIDEO_EM28XX is not set + +# +# Software defined radio USB devices +# +# CONFIG_USB_AIRSPY is not set +# CONFIG_USB_HACKRF is not set +# CONFIG_USB_MSI2500 is not set +# CONFIG_MEDIA_PCI_SUPPORT is not set +CONFIG_RADIO_ADAPTERS=m +# CONFIG_RADIO_MAXIRADIO is not set +# CONFIG_RADIO_SAA7706H is not set +# CONFIG_RADIO_SHARK is not set +# 
CONFIG_RADIO_SHARK2 is not set +# CONFIG_RADIO_SI4713 is not set +# CONFIG_RADIO_TEA5764 is not set +# CONFIG_RADIO_TEF6862 is not set +# CONFIG_RADIO_WL1273 is not set +# CONFIG_USB_DSBR is not set +# CONFIG_USB_KEENE is not set +# CONFIG_USB_MA901 is not set +# CONFIG_USB_MR800 is not set +# CONFIG_USB_RAREMONO is not set +# CONFIG_RADIO_SI470X is not set +CONFIG_MEDIA_PLATFORM_DRIVERS=y +# CONFIG_V4L_PLATFORM_DRIVERS is not set +# CONFIG_SDR_PLATFORM_DRIVERS is not set +# CONFIG_DVB_PLATFORM_DRIVERS is not set +# CONFIG_V4L_MEM2MEM_DRIVERS is not set + +# +# Allegro DVT media platform drivers +# + +# +# Amlogic media platform drivers +# + +# +# Amphion drivers +# + +# +# Aspeed media platform drivers +# + +# +# Atmel media platform drivers +# + +# +# Cadence media platform drivers +# +# CONFIG_VIDEO_CADENCE_CSI2RX is not set +# CONFIG_VIDEO_CADENCE_CSI2TX is not set + +# +# Chips&Media media platform drivers +# + +# +# Intel media platform drivers +# + +# +# Marvell media platform drivers +# + +# +# Mediatek media platform drivers +# + +# +# Microchip Technology, Inc. 
media platform drivers +# + +# +# NVidia media platform drivers +# + +# +# NXP media platform drivers +# + +# +# Qualcomm media platform drivers +# + +# +# Renesas media platform drivers +# + +# +# Rockchip media platform drivers +# + +# +# Samsung media platform drivers +# + +# +# STMicroelectronics media platform drivers +# + +# +# Sunxi media platform drivers +# + +# +# Texas Instruments drivers +# + +# +# Verisilicon media platform drivers +# + +# +# VIA media platform drivers +# + +# +# Xilinx media platform drivers +# + +# +# MMC/SDIO DVB adapters +# +# CONFIG_SMS_SDIO_DRV is not set +# CONFIG_V4L_TEST_DRIVERS is not set +# CONFIG_DVB_TEST_DRIVERS is not set +CONFIG_UVC_COMMON=m +CONFIG_VIDEOBUF2_CORE=m +CONFIG_VIDEOBUF2_V4L2=m +CONFIG_VIDEOBUF2_MEMOPS=m +CONFIG_VIDEOBUF2_VMALLOC=m +# end of Media drivers + +# +# Media ancillary drivers +# +CONFIG_MEDIA_ATTACH=y +CONFIG_VIDEO_CAMERA_SENSOR=y +# CONFIG_VIDEO_AR0521 is not set +# CONFIG_VIDEO_HI556 is not set +# CONFIG_VIDEO_HI846 is not set +# CONFIG_VIDEO_HI847 is not set +# CONFIG_VIDEO_IMX208 is not set +# CONFIG_VIDEO_IMX214 is not set +# CONFIG_VIDEO_IMX219 is not set +# CONFIG_VIDEO_IMX258 is not set +# CONFIG_VIDEO_IMX274 is not set +# CONFIG_VIDEO_IMX290 is not set +# CONFIG_VIDEO_IMX296 is not set +# CONFIG_VIDEO_IMX319 is not set +# CONFIG_VIDEO_IMX334 is not set +# CONFIG_VIDEO_IMX335 is not set +# CONFIG_VIDEO_IMX355 is not set +# CONFIG_VIDEO_IMX412 is not set +# CONFIG_VIDEO_IMX415 is not set +# CONFIG_VIDEO_MT9M001 is not set +# CONFIG_VIDEO_MT9M111 is not set +# CONFIG_VIDEO_MT9P031 is not set +# CONFIG_VIDEO_MT9T112 is not set +# CONFIG_VIDEO_MT9V011 is not set +# CONFIG_VIDEO_MT9V032 is not set +# CONFIG_VIDEO_MT9V111 is not set +# CONFIG_VIDEO_OG01A1B is not set +# CONFIG_VIDEO_OV01A10 is not set +# CONFIG_VIDEO_OV02A10 is not set +# CONFIG_VIDEO_OV08D10 is not set +# CONFIG_VIDEO_OV08X40 is not set +# CONFIG_VIDEO_OV13858 is not set +# CONFIG_VIDEO_OV13B10 is not set +# CONFIG_VIDEO_OV2640 
is not set +# CONFIG_VIDEO_OV2659 is not set +# CONFIG_VIDEO_OV2680 is not set +# CONFIG_VIDEO_OV2685 is not set +# CONFIG_VIDEO_OV2740 is not set +# CONFIG_VIDEO_OV4689 is not set +# CONFIG_VIDEO_OV5640 is not set +# CONFIG_VIDEO_OV5645 is not set +# CONFIG_VIDEO_OV5647 is not set +# CONFIG_VIDEO_OV5648 is not set +# CONFIG_VIDEO_OV5670 is not set +# CONFIG_VIDEO_OV5675 is not set +# CONFIG_VIDEO_OV5693 is not set +# CONFIG_VIDEO_OV5695 is not set +# CONFIG_VIDEO_OV6650 is not set +# CONFIG_VIDEO_OV7251 is not set +# CONFIG_VIDEO_OV7640 is not set +# CONFIG_VIDEO_OV7670 is not set +# CONFIG_VIDEO_OV772X is not set +# CONFIG_VIDEO_OV7740 is not set +# CONFIG_VIDEO_OV8856 is not set +# CONFIG_VIDEO_OV8858 is not set +# CONFIG_VIDEO_OV8865 is not set +# CONFIG_VIDEO_OV9282 is not set +# CONFIG_VIDEO_OV9640 is not set +# CONFIG_VIDEO_OV9650 is not set +# CONFIG_VIDEO_OV9734 is not set +# CONFIG_VIDEO_RDACM20 is not set +# CONFIG_VIDEO_RDACM21 is not set +# CONFIG_VIDEO_RJ54N1 is not set +# CONFIG_VIDEO_S5C73M3 is not set +# CONFIG_VIDEO_S5K5BAF is not set +# CONFIG_VIDEO_S5K6A3 is not set +# CONFIG_VIDEO_ST_VGXY61 is not set +# CONFIG_VIDEO_CCS is not set +# CONFIG_VIDEO_ET8EK8 is not set + +# +# Lens drivers +# +# CONFIG_VIDEO_AD5820 is not set +# CONFIG_VIDEO_AK7375 is not set +# CONFIG_VIDEO_DW9714 is not set +# CONFIG_VIDEO_DW9719 is not set +# CONFIG_VIDEO_DW9768 is not set +# CONFIG_VIDEO_DW9807_VCM is not set +# end of Lens drivers + +# +# Flash devices +# +# CONFIG_VIDEO_ADP1653 is not set +# CONFIG_VIDEO_LM3560 is not set +# CONFIG_VIDEO_LM3646 is not set +# end of Flash devices + +# +# Audio decoders, processors and mixers +# +# CONFIG_VIDEO_CS3308 is not set +# CONFIG_VIDEO_CS5345 is not set +# CONFIG_VIDEO_CS53L32A is not set +# CONFIG_VIDEO_MSP3400 is not set +# CONFIG_VIDEO_SONY_BTF_MPX is not set +# CONFIG_VIDEO_TDA7432 is not set +# CONFIG_VIDEO_TDA9840 is not set +# CONFIG_VIDEO_TEA6415C is not set +# CONFIG_VIDEO_TEA6420 is not set +# 
CONFIG_VIDEO_TLV320AIC23B is not set +# CONFIG_VIDEO_TVAUDIO is not set +# CONFIG_VIDEO_UDA1342 is not set +# CONFIG_VIDEO_VP27SMPX is not set +# CONFIG_VIDEO_WM8739 is not set +# CONFIG_VIDEO_WM8775 is not set +# end of Audio decoders, processors and mixers + +# +# RDS decoders +# +# CONFIG_VIDEO_SAA6588 is not set +# end of RDS decoders + +# +# Video decoders +# +# CONFIG_VIDEO_ADV7180 is not set +# CONFIG_VIDEO_ADV7183 is not set +# CONFIG_VIDEO_ADV748X is not set +# CONFIG_VIDEO_ADV7604 is not set +# CONFIG_VIDEO_ADV7842 is not set +# CONFIG_VIDEO_BT819 is not set +# CONFIG_VIDEO_BT856 is not set +# CONFIG_VIDEO_BT866 is not set +# CONFIG_VIDEO_ISL7998X is not set +# CONFIG_VIDEO_KS0127 is not set +# CONFIG_VIDEO_MAX9286 is not set +# CONFIG_VIDEO_ML86V7667 is not set +# CONFIG_VIDEO_SAA7110 is not set +# CONFIG_VIDEO_SAA711X is not set +# CONFIG_VIDEO_TC358743 is not set +# CONFIG_VIDEO_TC358746 is not set +# CONFIG_VIDEO_TVP514X is not set +# CONFIG_VIDEO_TVP5150 is not set +# CONFIG_VIDEO_TVP7002 is not set +# CONFIG_VIDEO_TW2804 is not set +# CONFIG_VIDEO_TW9903 is not set +# CONFIG_VIDEO_TW9906 is not set +# CONFIG_VIDEO_TW9910 is not set +# CONFIG_VIDEO_VPX3220 is not set + +# +# Video and audio decoders +# +# CONFIG_VIDEO_SAA717X is not set +# CONFIG_VIDEO_CX25840 is not set +# end of Video decoders + +# +# Video encoders +# +# CONFIG_VIDEO_ADV7170 is not set +# CONFIG_VIDEO_ADV7175 is not set +# CONFIG_VIDEO_ADV7343 is not set +# CONFIG_VIDEO_ADV7393 is not set +# CONFIG_VIDEO_ADV7511 is not set +# CONFIG_VIDEO_AK881X is not set +# CONFIG_VIDEO_SAA7127 is not set +# CONFIG_VIDEO_SAA7185 is not set +# CONFIG_VIDEO_THS8200 is not set +# end of Video encoders + +# +# Video improvement chips +# +# CONFIG_VIDEO_UPD64031A is not set +# CONFIG_VIDEO_UPD64083 is not set +# end of Video improvement chips + +# +# Audio/Video compression chips +# +# CONFIG_VIDEO_SAA6752HS is not set +# end of Audio/Video compression chips + +# +# SDR tuner chips +# +# 
CONFIG_SDR_MAX2175 is not set +# end of SDR tuner chips + +# +# Miscellaneous helper chips +# +# CONFIG_VIDEO_I2C is not set +# CONFIG_VIDEO_M52790 is not set +# CONFIG_VIDEO_ST_MIPID02 is not set +# CONFIG_VIDEO_THS7303 is not set +# end of Miscellaneous helper chips + +# +# Video serializers and deserializers +# +# CONFIG_VIDEO_DS90UB913 is not set +# CONFIG_VIDEO_DS90UB953 is not set +# CONFIG_VIDEO_DS90UB960 is not set +# end of Video serializers and deserializers + +# +# Media SPI Adapters +# +CONFIG_CXD2880_SPI_DRV=m +# CONFIG_VIDEO_GS1662 is not set +# end of Media SPI Adapters + +CONFIG_MEDIA_TUNER=m + +# +# Customize TV tuners +# +CONFIG_MEDIA_TUNER_E4000=m +CONFIG_MEDIA_TUNER_FC0011=m +CONFIG_MEDIA_TUNER_FC0012=m +CONFIG_MEDIA_TUNER_FC0013=m +CONFIG_MEDIA_TUNER_FC2580=m +CONFIG_MEDIA_TUNER_IT913X=m +CONFIG_MEDIA_TUNER_M88RS6000T=m +CONFIG_MEDIA_TUNER_MAX2165=m +CONFIG_MEDIA_TUNER_MC44S803=m +CONFIG_MEDIA_TUNER_MSI001=m +CONFIG_MEDIA_TUNER_MT2060=m +CONFIG_MEDIA_TUNER_MT2063=m +CONFIG_MEDIA_TUNER_MT20XX=m +CONFIG_MEDIA_TUNER_MT2131=m +CONFIG_MEDIA_TUNER_MT2266=m +CONFIG_MEDIA_TUNER_MXL301RF=m +CONFIG_MEDIA_TUNER_MXL5005S=m +CONFIG_MEDIA_TUNER_MXL5007T=m +CONFIG_MEDIA_TUNER_QM1D1B0004=m +CONFIG_MEDIA_TUNER_QM1D1C0042=m +CONFIG_MEDIA_TUNER_QT1010=m +CONFIG_MEDIA_TUNER_R820T=m +CONFIG_MEDIA_TUNER_SI2157=m +CONFIG_MEDIA_TUNER_SIMPLE=m +CONFIG_MEDIA_TUNER_TDA18212=m +CONFIG_MEDIA_TUNER_TDA18218=m +CONFIG_MEDIA_TUNER_TDA18250=m +CONFIG_MEDIA_TUNER_TDA18271=m +CONFIG_MEDIA_TUNER_TDA827X=m +CONFIG_MEDIA_TUNER_TDA8290=m +CONFIG_MEDIA_TUNER_TDA9887=m +CONFIG_MEDIA_TUNER_TEA5761=m +CONFIG_MEDIA_TUNER_TEA5767=m +CONFIG_MEDIA_TUNER_TUA9001=m +CONFIG_MEDIA_TUNER_XC2028=m +CONFIG_MEDIA_TUNER_XC4000=m +CONFIG_MEDIA_TUNER_XC5000=m +# end of Customize TV tuners + +# +# Customise DVB Frontends +# + +# +# Multistandard (satellite) frontends +# +CONFIG_DVB_M88DS3103=m +CONFIG_DVB_MXL5XX=m +CONFIG_DVB_STB0899=m +CONFIG_DVB_STB6100=m +CONFIG_DVB_STV090x=m +CONFIG_DVB_STV0910=m 
+CONFIG_DVB_STV6110x=m +CONFIG_DVB_STV6111=m + +# +# Multistandard (cable + terrestrial) frontends +# +CONFIG_DVB_DRXK=m +CONFIG_DVB_MN88472=m +CONFIG_DVB_MN88473=m +CONFIG_DVB_SI2165=m +CONFIG_DVB_TDA18271C2DD=m + +# +# DVB-S (satellite) frontends +# +CONFIG_DVB_CX24110=m +CONFIG_DVB_CX24116=m +CONFIG_DVB_CX24117=m +CONFIG_DVB_CX24120=m +CONFIG_DVB_CX24123=m +CONFIG_DVB_DS3000=m +CONFIG_DVB_MB86A16=m +CONFIG_DVB_MT312=m +CONFIG_DVB_S5H1420=m +CONFIG_DVB_SI21XX=m +CONFIG_DVB_STB6000=m +CONFIG_DVB_STV0288=m +CONFIG_DVB_STV0299=m +CONFIG_DVB_STV0900=m +CONFIG_DVB_STV6110=m +CONFIG_DVB_TDA10071=m +CONFIG_DVB_TDA10086=m +CONFIG_DVB_TDA8083=m +CONFIG_DVB_TDA8261=m +CONFIG_DVB_TDA826X=m +CONFIG_DVB_TS2020=m +CONFIG_DVB_TUA6100=m +CONFIG_DVB_TUNER_CX24113=m +CONFIG_DVB_TUNER_ITD1000=m +CONFIG_DVB_VES1X93=m +CONFIG_DVB_ZL10036=m +CONFIG_DVB_ZL10039=m + +# +# DVB-T (terrestrial) frontends +# +CONFIG_DVB_AF9013=m +CONFIG_DVB_CX22700=m +CONFIG_DVB_CX22702=m +CONFIG_DVB_CXD2820R=m +CONFIG_DVB_CXD2841ER=m +CONFIG_DVB_DIB3000MB=m +CONFIG_DVB_DIB3000MC=m +CONFIG_DVB_DIB7000M=m +CONFIG_DVB_DIB7000P=m +CONFIG_DVB_DIB9000=m +CONFIG_DVB_DRXD=m +CONFIG_DVB_EC100=m +CONFIG_DVB_L64781=m +CONFIG_DVB_MT352=m +CONFIG_DVB_NXT6000=m +CONFIG_DVB_RTL2830=m +CONFIG_DVB_RTL2832=m +CONFIG_DVB_RTL2832_SDR=m +CONFIG_DVB_S5H1432=m +CONFIG_DVB_SI2168=m +CONFIG_DVB_SP887X=m +CONFIG_DVB_STV0367=m +CONFIG_DVB_TDA10048=m +CONFIG_DVB_TDA1004X=m +CONFIG_DVB_ZD1301_DEMOD=m +CONFIG_DVB_ZL10353=m +CONFIG_DVB_CXD2880=m + +# +# DVB-C (cable) frontends +# +CONFIG_DVB_STV0297=m +CONFIG_DVB_TDA10021=m +CONFIG_DVB_TDA10023=m +CONFIG_DVB_VES1820=m + +# +# ATSC (North American/Korean Terrestrial/Cable DTV) frontends +# +CONFIG_DVB_AU8522=m +CONFIG_DVB_AU8522_DTV=m +CONFIG_DVB_AU8522_V4L=m +CONFIG_DVB_BCM3510=m +CONFIG_DVB_LG2160=m +CONFIG_DVB_LGDT3305=m +CONFIG_DVB_LGDT3306A=m +CONFIG_DVB_LGDT330X=m +CONFIG_DVB_MXL692=m +CONFIG_DVB_NXT200X=m +CONFIG_DVB_OR51132=m +CONFIG_DVB_OR51211=m +CONFIG_DVB_S5H1409=m 
+CONFIG_DVB_S5H1411=m + +# +# ISDB-T (terrestrial) frontends +# +CONFIG_DVB_DIB8000=m +CONFIG_DVB_MB86A20S=m +CONFIG_DVB_S921=m + +# +# ISDB-S (satellite) & ISDB-T (terrestrial) frontends +# +CONFIG_DVB_MN88443X=m +CONFIG_DVB_TC90522=m + +# +# Digital terrestrial only tuners/PLL +# +CONFIG_DVB_PLL=m +CONFIG_DVB_TUNER_DIB0070=m +CONFIG_DVB_TUNER_DIB0090=m + +# +# SEC control devices for DVB-S +# +CONFIG_DVB_A8293=m +CONFIG_DVB_AF9033=m +CONFIG_DVB_ASCOT2E=m +CONFIG_DVB_ATBM8830=m +CONFIG_DVB_HELENE=m +CONFIG_DVB_HORUS3A=m +CONFIG_DVB_ISL6405=m +CONFIG_DVB_ISL6421=m +CONFIG_DVB_ISL6423=m +CONFIG_DVB_IX2505V=m +CONFIG_DVB_LGS8GL5=m +CONFIG_DVB_LGS8GXX=m +CONFIG_DVB_LNBH25=m +CONFIG_DVB_LNBH29=m +CONFIG_DVB_LNBP21=m +CONFIG_DVB_LNBP22=m +CONFIG_DVB_M88RS2000=m +CONFIG_DVB_TDA665x=m +CONFIG_DVB_DRX39XYJ=m + +# +# Common Interface (EN50221) controller drivers +# +CONFIG_DVB_CXD2099=m +CONFIG_DVB_SP2=m +# end of Customise DVB Frontends + +# +# Tools to develop new frontends +# +# CONFIG_DVB_DUMMY_FE is not set +# end of Media ancillary drivers + +# +# Graphics support +# +CONFIG_APERTURE_HELPERS=y +CONFIG_SCREEN_INFO=y +CONFIG_VIDEO_CMDLINE=y +CONFIG_VIDEO_NOMODESET=y +CONFIG_AUXDISPLAY=y +# CONFIG_HD44780 is not set +# CONFIG_IMG_ASCII_LCD is not set +# CONFIG_HT16K33 is not set +# CONFIG_LCD2S is not set +# CONFIG_CHARLCD_BL_OFF is not set +# CONFIG_CHARLCD_BL_ON is not set +CONFIG_CHARLCD_BL_FLASH=y +CONFIG_DRM=m +CONFIG_DRM_KMS_HELPER=m +# CONFIG_DRM_DEBUG_DP_MST_TOPOLOGY_REFS is not set +# CONFIG_DRM_DEBUG_MODESET_LOCK is not set +CONFIG_DRM_FBDEV_EMULATION=y +CONFIG_DRM_FBDEV_OVERALLOC=100 +# CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM is not set +CONFIG_DRM_LOAD_EDID_FIRMWARE=y +CONFIG_DRM_DISPLAY_HELPER=m +CONFIG_DRM_DISPLAY_DP_HELPER=y +CONFIG_DRM_DISPLAY_HDCP_HELPER=y +CONFIG_DRM_DISPLAY_HDMI_HELPER=y +CONFIG_DRM_DP_AUX_CHARDEV=y +# CONFIG_DRM_DP_CEC is not set +CONFIG_DRM_TTM=m +CONFIG_DRM_EXEC=m +CONFIG_DRM_BUDDY=m +CONFIG_DRM_VRAM_HELPER=m +CONFIG_DRM_TTM_HELPER=m 
+CONFIG_DRM_GEM_SHMEM_HELPER=m +CONFIG_DRM_SUBALLOC_HELPER=m +CONFIG_DRM_SCHED=m + +# +# I2C encoder or helper chips +# +CONFIG_DRM_I2C_CH7006=m +# CONFIG_DRM_I2C_SIL164 is not set +CONFIG_DRM_I2C_NXP_TDA998X=m +# CONFIG_DRM_I2C_NXP_TDA9950 is not set +# end of I2C encoder or helper chips + +# +# ARM devices +# +# CONFIG_DRM_HDLCD is not set +# CONFIG_DRM_MALI_DISPLAY is not set +# CONFIG_DRM_KOMEDA is not set +# end of ARM devices + +CONFIG_DRM_RADEON=m +CONFIG_DRM_RADEON_USERPTR=y +CONFIG_DRM_AMDGPU=m +# CONFIG_DRM_AMDGPU_SI is not set +CONFIG_DRM_AMDGPU_CIK=y +CONFIG_DRM_AMDGPU_USERPTR=y +# CONFIG_DRM_AMDGPU_WERROR is not set + +# +# ACP (Audio CoProcessor) Configuration +# +# CONFIG_DRM_AMD_ACP is not set +# end of ACP (Audio CoProcessor) Configuration + +# +# Display Engine Configuration +# +CONFIG_DRM_AMD_DC=y +CONFIG_DRM_AMD_DC_FP=y +# end of Display Engine Configuration + +# CONFIG_HSA_AMD is not set +CONFIG_DRM_NOUVEAU=m +CONFIG_NOUVEAU_DEBUG=5 +CONFIG_NOUVEAU_DEBUG_DEFAULT=3 +# CONFIG_NOUVEAU_DEBUG_MMU is not set +# CONFIG_NOUVEAU_DEBUG_PUSH is not set +CONFIG_DRM_NOUVEAU_BACKLIGHT=y +# CONFIG_DRM_VGEM is not set +# CONFIG_DRM_VKMS is not set +# CONFIG_DRM_VMWGFX is not set +CONFIG_DRM_UDL=m +CONFIG_DRM_AST=m +CONFIG_DRM_MGAG200=m +CONFIG_DRM_QXL=m +CONFIG_DRM_VIRTIO_GPU=m +CONFIG_DRM_VIRTIO_GPU_KMS=y +# CONFIG_DRM_MSM is not set +CONFIG_DRM_PANEL=y + +# +# Display Panels +# +# CONFIG_DRM_PANEL_ABT_Y030XX067A is not set +# CONFIG_DRM_PANEL_ARM_VERSATILE is not set +# CONFIG_DRM_PANEL_AUO_A030JTN01 is not set +# CONFIG_DRM_PANEL_LVDS is not set +# CONFIG_DRM_PANEL_SIMPLE is not set +# CONFIG_DRM_PANEL_EDP is not set +# CONFIG_DRM_PANEL_ILITEK_IL9322 is not set +# CONFIG_DRM_PANEL_ILITEK_ILI9341 is not set +# CONFIG_DRM_PANEL_INNOLUX_EJ030NA is not set +# CONFIG_DRM_PANEL_SAMSUNG_LD9040 is not set +# CONFIG_DRM_PANEL_LG_LB035Q02 is not set +# CONFIG_DRM_PANEL_LG_LG4573 is not set +# CONFIG_DRM_PANEL_NEC_NL8048HL11 is not set +# 
CONFIG_DRM_PANEL_NEWVISION_NV3052C is not set +# CONFIG_DRM_PANEL_NOVATEK_NT39016 is not set +# CONFIG_DRM_PANEL_OLIMEX_LCD_OLINUXINO is not set +# CONFIG_DRM_PANEL_ORISETECH_OTA5601A is not set +# CONFIG_DRM_PANEL_SAMSUNG_ATNA33XC20 is not set +# CONFIG_DRM_PANEL_SAMSUNG_DB7430 is not set +# CONFIG_DRM_PANEL_SAMSUNG_S6D27A1 is not set +# CONFIG_DRM_PANEL_SAMSUNG_S6D7AA0 is not set +# CONFIG_DRM_PANEL_SAMSUNG_S6E63M0 is not set +# CONFIG_DRM_PANEL_SAMSUNG_S6E88A0_AMS452EF01 is not set +# CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0 is not set +# CONFIG_DRM_PANEL_SEIKO_43WVF1G is not set +# CONFIG_DRM_PANEL_SHARP_LS037V7DW01 is not set +# CONFIG_DRM_PANEL_SITRONIX_ST7789V is not set +# CONFIG_DRM_PANEL_SONY_ACX565AKM is not set +# CONFIG_DRM_PANEL_TPO_TD028TTEC1 is not set +# CONFIG_DRM_PANEL_TPO_TD043MTEA1 is not set +# CONFIG_DRM_PANEL_TPO_TPG110 is not set +# CONFIG_DRM_PANEL_WIDECHIPS_WS2401 is not set +# end of Display Panels + +CONFIG_DRM_BRIDGE=y +CONFIG_DRM_PANEL_BRIDGE=y + +# +# Display Interface Bridges +# +# CONFIG_DRM_CHIPONE_ICN6211 is not set +# CONFIG_DRM_CHRONTEL_CH7033 is not set +# CONFIG_DRM_DISPLAY_CONNECTOR is not set +# CONFIG_DRM_ITE_IT6505 is not set +# CONFIG_DRM_LONTIUM_LT8912B is not set +# CONFIG_DRM_LONTIUM_LT9211 is not set +# CONFIG_DRM_LONTIUM_LT9611 is not set +# CONFIG_DRM_LONTIUM_LT9611UXC is not set +# CONFIG_DRM_ITE_IT66121 is not set +# CONFIG_DRM_LVDS_CODEC is not set +# CONFIG_DRM_MEGACHIPS_STDPXXXX_GE_B850V3_FW is not set +# CONFIG_DRM_NWL_MIPI_DSI is not set +# CONFIG_DRM_NXP_PTN3460 is not set +# CONFIG_DRM_PARADE_PS8622 is not set +# CONFIG_DRM_PARADE_PS8640 is not set +# CONFIG_DRM_SAMSUNG_DSIM is not set +# CONFIG_DRM_SIL_SII8620 is not set +# CONFIG_DRM_SII902X is not set +# CONFIG_DRM_SII9234 is not set +# CONFIG_DRM_SIMPLE_BRIDGE is not set +# CONFIG_DRM_THINE_THC63LVD1024 is not set +# CONFIG_DRM_TOSHIBA_TC358762 is not set +# CONFIG_DRM_TOSHIBA_TC358764 is not set +# CONFIG_DRM_TOSHIBA_TC358767 is not set +# 
CONFIG_DRM_TOSHIBA_TC358768 is not set +# CONFIG_DRM_TOSHIBA_TC358775 is not set +# CONFIG_DRM_TI_DLPC3433 is not set +# CONFIG_DRM_TI_TFP410 is not set +# CONFIG_DRM_TI_SN65DSI83 is not set +# CONFIG_DRM_TI_SN65DSI86 is not set +# CONFIG_DRM_TI_TPD12S015 is not set +# CONFIG_DRM_ANALOGIX_ANX6345 is not set +# CONFIG_DRM_ANALOGIX_ANX78XX is not set +# CONFIG_DRM_ANALOGIX_ANX7625 is not set +# CONFIG_DRM_I2C_ADV7511 is not set +# CONFIG_DRM_CDNS_DSI is not set +# CONFIG_DRM_CDNS_MHDP8546 is not set +# end of Display Interface Bridges + +# CONFIG_DRM_LOONGSON is not set +# CONFIG_DRM_ETNAVIV is not set +CONFIG_DRM_HISI_HIBMC=m +# CONFIG_DRM_HISI_KIRIN is not set +# CONFIG_DRM_LOGICVC is not set +# CONFIG_DRM_ARCPGU is not set +CONFIG_DRM_BOCHS=m +CONFIG_DRM_CIRRUS_QEMU=m +# CONFIG_DRM_GM12U320 is not set +# CONFIG_DRM_PANEL_MIPI_DBI is not set +# CONFIG_DRM_SIMPLEDRM is not set +# CONFIG_TINYDRM_HX8357D is not set +# CONFIG_TINYDRM_ILI9163 is not set +# CONFIG_TINYDRM_ILI9225 is not set +# CONFIG_TINYDRM_ILI9341 is not set +# CONFIG_TINYDRM_ILI9486 is not set +# CONFIG_TINYDRM_MI0283QT is not set +# CONFIG_TINYDRM_REPAPER is not set +# CONFIG_TINYDRM_ST7586 is not set +# CONFIG_TINYDRM_ST7735R is not set +# CONFIG_DRM_PL111 is not set +# CONFIG_DRM_LIMA is not set +# CONFIG_DRM_PANFROST is not set +# CONFIG_DRM_TIDSS is not set +# CONFIG_DRM_GUD is not set +# CONFIG_DRM_SSD130X is not set +CONFIG_DRM_PHYTIUM=m +# CONFIG_DRM_LEGACY is not set +CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y + +# +# Frame buffer Devices +# +CONFIG_FB=y +# CONFIG_FB_CIRRUS is not set +# CONFIG_FB_PM2 is not set +# CONFIG_FB_ARMCLCD is not set +# CONFIG_FB_CYBER2000 is not set +# CONFIG_FB_ASILIANT is not set +# CONFIG_FB_IMSTT is not set +# CONFIG_FB_UVESA is not set +CONFIG_FB_EFI=y +# CONFIG_FB_OPENCORES is not set +# CONFIG_FB_S1D13XXX is not set +# CONFIG_FB_NVIDIA is not set +# CONFIG_FB_RIVA is not set +# CONFIG_FB_I740 is not set +# CONFIG_FB_MATROX is not set +# CONFIG_FB_RADEON is not 
set +# CONFIG_FB_ATY128 is not set +# CONFIG_FB_ATY is not set +# CONFIG_FB_S3 is not set +# CONFIG_FB_SAVAGE is not set +# CONFIG_FB_SIS is not set +# CONFIG_FB_NEOMAGIC is not set +# CONFIG_FB_KYRO is not set +# CONFIG_FB_3DFX is not set +# CONFIG_FB_VOODOO1 is not set +# CONFIG_FB_VT8623 is not set +# CONFIG_FB_TRIDENT is not set +# CONFIG_FB_ARK is not set +# CONFIG_FB_PM3 is not set +# CONFIG_FB_CARMINE is not set +# CONFIG_FB_SMSCUFX is not set +# CONFIG_FB_UDL is not set +# CONFIG_FB_IBM_GXT4500 is not set +# CONFIG_FB_VIRTUAL is not set +# CONFIG_FB_METRONOME is not set +# CONFIG_FB_MB862XX is not set +CONFIG_FB_SIMPLE=y +CONFIG_FB_SSD1307=m +# CONFIG_FB_SM712 is not set +# CONFIG_FB_LS2K500 is not set +CONFIG_FB_CORE=y +CONFIG_FB_NOTIFY=y +# CONFIG_FIRMWARE_EDID is not set +CONFIG_FB_DEVICE=y +CONFIG_FB_CFB_FILLRECT=y +CONFIG_FB_CFB_COPYAREA=y +CONFIG_FB_CFB_IMAGEBLIT=y +CONFIG_FB_SYS_FILLRECT=y +CONFIG_FB_SYS_COPYAREA=y +CONFIG_FB_SYS_IMAGEBLIT=y +# CONFIG_FB_FOREIGN_ENDIAN is not set +CONFIG_FB_SYS_FOPS=y +CONFIG_FB_DEFERRED_IO=y +CONFIG_FB_IOMEM_FOPS=y +CONFIG_FB_IOMEM_HELPERS=y +CONFIG_FB_SYSMEM_HELPERS=y +CONFIG_FB_SYSMEM_HELPERS_DEFERRED=y +CONFIG_FB_BACKLIGHT=m +CONFIG_FB_MODE_HELPERS=y +CONFIG_FB_TILEBLITTING=y +# end of Frame buffer Devices + +# +# Backlight & LCD device support +# +CONFIG_LCD_CLASS_DEVICE=m +# CONFIG_LCD_L4F00242T03 is not set +# CONFIG_LCD_LMS283GF05 is not set +# CONFIG_LCD_LTV350QV is not set +# CONFIG_LCD_ILI922X is not set +# CONFIG_LCD_ILI9320 is not set +# CONFIG_LCD_TDO24M is not set +# CONFIG_LCD_VGG2432A4 is not set +CONFIG_LCD_PLATFORM=m +# CONFIG_LCD_AMS369FG06 is not set +# CONFIG_LCD_LMS501KF03 is not set +# CONFIG_LCD_HX8357 is not set +# CONFIG_LCD_OTM3225A is not set +CONFIG_BACKLIGHT_CLASS_DEVICE=y +# CONFIG_BACKLIGHT_KTD253 is not set +# CONFIG_BACKLIGHT_KTZ8866 is not set +CONFIG_BACKLIGHT_PWM=m +# CONFIG_BACKLIGHT_QCOM_WLED is not set +# CONFIG_BACKLIGHT_ADP8860 is not set +# CONFIG_BACKLIGHT_ADP8870 is not 
set +# CONFIG_BACKLIGHT_LM3630A is not set +# CONFIG_BACKLIGHT_LM3639 is not set +CONFIG_BACKLIGHT_LP855X=m +CONFIG_BACKLIGHT_GPIO=m +# CONFIG_BACKLIGHT_LV5207LP is not set +# CONFIG_BACKLIGHT_BD6107 is not set +# CONFIG_BACKLIGHT_ARCXCNN is not set +# CONFIG_BACKLIGHT_LED is not set +# end of Backlight & LCD device support + +CONFIG_HDMI=y + +# +# Console display driver support +# +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set +CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y +CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y +# CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set +# end of Console display driver support + +CONFIG_LOGO=y +# CONFIG_LOGO_LINUX_MONO is not set +# CONFIG_LOGO_LINUX_VGA16 is not set +CONFIG_LOGO_LINUX_CLUT224=y +# end of Graphics support + +# CONFIG_DRM_ACCEL is not set +CONFIG_SOUND=m +# CONFIG_SND is not set +CONFIG_HID_SUPPORT=y +CONFIG_HID=y +CONFIG_HID_BATTERY_STRENGTH=y +CONFIG_HIDRAW=y +CONFIG_UHID=m +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACCUTOUCH is not set +CONFIG_HID_ACRUX=m +# CONFIG_HID_ACRUX_FF is not set +CONFIG_HID_APPLE=y +CONFIG_HID_APPLEIR=m +# CONFIG_HID_ASUS is not set +CONFIG_HID_AUREAL=m +CONFIG_HID_BELKIN=y +CONFIG_HID_BETOP_FF=m +# CONFIG_HID_BIGBEN_FF is not set +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +CONFIG_HID_CORSAIR=m +# CONFIG_HID_COUGAR is not set +# CONFIG_HID_MACALLY is not set +# CONFIG_HID_CMEDIA is not set +# CONFIG_HID_CP2112 is not set +# CONFIG_HID_CREATIVE_SB0540 is not set +CONFIG_HID_CYPRESS=y +CONFIG_HID_DRAGONRISE=m +# CONFIG_DRAGONRISE_FF is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELAN is not set +CONFIG_HID_ELECOM=m +CONFIG_HID_ELO=m +# CONFIG_HID_EVISION is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_FT260 is not set +CONFIG_HID_GEMBIRD=m +CONFIG_HID_GFRM=m +# CONFIG_HID_GLORIOUS is not set 
+CONFIG_HID_HOLTEK=m +# CONFIG_HOLTEK_FF is not set +# CONFIG_HID_GOOGLE_STADIA_FF is not set +# CONFIG_HID_VIVALDI is not set +CONFIG_HID_GT683R=m +CONFIG_HID_KEYTOUCH=m +CONFIG_HID_KYE=m +CONFIG_HID_UCLOGIC=m +CONFIG_HID_WALTOP=m +# CONFIG_HID_VIEWSONIC is not set +# CONFIG_HID_VRC2 is not set +# CONFIG_HID_XIAOMI is not set +CONFIG_HID_GYRATION=m +CONFIG_HID_ICADE=m +CONFIG_HID_ITE=y +# CONFIG_HID_JABRA is not set +CONFIG_HID_TWINHAN=m +CONFIG_HID_KENSINGTON=y +CONFIG_HID_LCPOWER=m +CONFIG_HID_LED=m +CONFIG_HID_LENOVO=m +# CONFIG_HID_LETSKETCH is not set +CONFIG_HID_LOGITECH=y +CONFIG_HID_LOGITECH_DJ=m +CONFIG_HID_LOGITECH_HIDPP=m +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +CONFIG_HID_MAGICMOUSE=y +# CONFIG_HID_MALTRON is not set +# CONFIG_HID_MAYFLASH is not set +# CONFIG_HID_MEGAWORLD_FF is not set +# CONFIG_HID_REDRAGON is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +CONFIG_HID_MULTITOUCH=m +# CONFIG_HID_NINTENDO is not set +# CONFIG_HID_NTI is not set +CONFIG_HID_NTRIG=y +CONFIG_HID_ORTEK=m +CONFIG_HID_PANTHERLORD=m +# CONFIG_PANTHERLORD_FF is not set +CONFIG_HID_PENMOUNT=m +CONFIG_HID_PETALYNX=m +CONFIG_HID_PICOLCD=m +CONFIG_HID_PICOLCD_FB=y +CONFIG_HID_PICOLCD_BACKLIGHT=y +CONFIG_HID_PICOLCD_LCD=y +CONFIG_HID_PICOLCD_LEDS=y +CONFIG_HID_PLANTRONICS=m +# CONFIG_HID_PXRC is not set +# CONFIG_HID_RAZER is not set +CONFIG_HID_PRIMAX=m +# CONFIG_HID_RETRODE is not set +CONFIG_HID_ROCCAT=m +CONFIG_HID_SAITEK=m +CONFIG_HID_SAMSUNG=m +# CONFIG_HID_SEMITEK is not set +# CONFIG_HID_SIGMAMICRO is not set +CONFIG_HID_SONY=m +CONFIG_SONY_FF=y +CONFIG_HID_SPEEDLINK=m +# CONFIG_HID_STEAM is not set +CONFIG_HID_STEELSERIES=m +CONFIG_HID_SUNPLUS=m +CONFIG_HID_RMI=m +CONFIG_HID_GREENASIA=m +# CONFIG_GREENASIA_FF is not set +CONFIG_HID_SMARTJOYPLUS=m +# CONFIG_SMARTJOYPLUS_FF is not set +CONFIG_HID_TIVO=m +CONFIG_HID_TOPSEED=m +# CONFIG_HID_TOPRE is not set 
+CONFIG_HID_THINGM=m +CONFIG_HID_THRUSTMASTER=m +# CONFIG_THRUSTMASTER_FF is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_U2FZERO is not set +CONFIG_HID_WACOM=m +CONFIG_HID_WIIMOTE=m +CONFIG_HID_XINMO=m +CONFIG_HID_ZEROPLUS=m +# CONFIG_ZEROPLUS_FF is not set +CONFIG_HID_ZYDACRON=m +CONFIG_HID_SENSOR_HUB=m +# CONFIG_HID_SENSOR_CUSTOM_SENSOR is not set +# CONFIG_HID_ALPS is not set +# CONFIG_HID_MCP2200 is not set +# CONFIG_HID_MCP2221 is not set +# end of Special HID drivers + +# +# HID-BPF support +# +# end of HID-BPF support + +# +# USB HID support +# +CONFIG_USB_HID=y +CONFIG_HID_PID=y +CONFIG_USB_HIDDEV=y +# end of USB HID support + +CONFIG_I2C_HID=m +# CONFIG_I2C_HID_ACPI is not set +# CONFIG_I2C_HID_OF is not set +# CONFIG_I2C_HID_OF_ELAN is not set +# CONFIG_I2C_HID_OF_GOODIX is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_COMMON=y +CONFIG_USB_LED_TRIG=y +CONFIG_USB_ULPI_BUS=m +# CONFIG_USB_CONN_GPIO is not set +CONFIG_USB_ARCH_HAS_HCD=y +CONFIG_USB=y +CONFIG_USB_PCI=y +CONFIG_USB_ANNOUNCE_NEW_DEVICES=y + +# +# Miscellaneous USB options +# +CONFIG_USB_DEFAULT_PERSIST=y +# CONFIG_USB_FEW_INIT_RETRIES is not set +# CONFIG_USB_DYNAMIC_MINORS is not set +# CONFIG_USB_OTG is not set +# CONFIG_USB_OTG_PRODUCTLIST is not set +# CONFIG_USB_OTG_DISABLE_EXTERNAL_HUB is not set +CONFIG_USB_LEDS_TRIGGER_USBPORT=m +CONFIG_USB_AUTOSUSPEND_DELAY=2 +CONFIG_USB_MON=y + +# +# USB Host Controller Drivers +# +# CONFIG_USB_C67X00_HCD is not set +CONFIG_USB_XHCI_HCD=y +# CONFIG_USB_XHCI_DBGCAP is not set +CONFIG_USB_XHCI_PCI=y +# CONFIG_USB_XHCI_PCI_RENESAS is not set +CONFIG_USB_XHCI_PLATFORM=m +# CONFIG_USB_XHCI_HISTB is not set +CONFIG_USB_EHCI_HCD=y +CONFIG_USB_EHCI_ROOT_HUB_TT=y +CONFIG_USB_EHCI_TT_NEWSCHED=y +CONFIG_USB_EHCI_PCI=y +# CONFIG_USB_EHCI_FSL is not set +CONFIG_USB_EHCI_HCD_PLATFORM=y +# CONFIG_USB_OXU210HP_HCD is not set +# CONFIG_USB_ISP116X_HCD is not set +# CONFIG_USB_MAX3421_HCD is not set +CONFIG_USB_OHCI_HCD=y 
+CONFIG_USB_OHCI_HCD_PCI=y +# CONFIG_USB_OHCI_HCD_PLATFORM is not set +CONFIG_USB_UHCI_HCD=y +# CONFIG_USB_SL811_HCD is not set +# CONFIG_USB_R8A66597_HCD is not set +# CONFIG_USB_HCD_BCMA is not set +# CONFIG_USB_HCD_TEST_MODE is not set + +# +# USB Device Class drivers +# +CONFIG_USB_ACM=m +CONFIG_USB_PRINTER=m +CONFIG_USB_WDM=m +CONFIG_USB_TMC=m + +# +# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may +# + +# +# also be needed; see USB_STORAGE Help for more info +# +CONFIG_USB_STORAGE=m +# CONFIG_USB_STORAGE_DEBUG is not set +CONFIG_USB_STORAGE_REALTEK=m +CONFIG_REALTEK_AUTOPM=y +CONFIG_USB_STORAGE_DATAFAB=m +CONFIG_USB_STORAGE_FREECOM=m +CONFIG_USB_STORAGE_ISD200=m +CONFIG_USB_STORAGE_USBAT=m +CONFIG_USB_STORAGE_SDDR09=m +CONFIG_USB_STORAGE_SDDR55=m +CONFIG_USB_STORAGE_JUMPSHOT=m +CONFIG_USB_STORAGE_ALAUDA=m +CONFIG_USB_STORAGE_ONETOUCH=m +CONFIG_USB_STORAGE_KARMA=m +CONFIG_USB_STORAGE_CYPRESS_ATACB=m +CONFIG_USB_STORAGE_ENE_UB6250=m +CONFIG_USB_UAS=m + +# +# USB Imaging devices +# +CONFIG_USB_MDC800=m +CONFIG_USB_MICROTEK=m +# CONFIG_USBIP_CORE is not set + +# +# USB dual-mode controller drivers +# +# CONFIG_USB_CDNS_SUPPORT is not set +# CONFIG_USB_MUSB_HDRC is not set +# CONFIG_USB_DWC3 is not set +# CONFIG_USB_DWC2 is not set +# CONFIG_USB_CHIPIDEA is not set +# CONFIG_USB_ISP1760 is not set + +# +# USB port drivers +# +CONFIG_USB_SERIAL=m +CONFIG_USB_SERIAL_GENERIC=y +CONFIG_USB_SERIAL_SIMPLE=m +CONFIG_USB_SERIAL_AIRCABLE=m +CONFIG_USB_SERIAL_ARK3116=m +CONFIG_USB_SERIAL_BELKIN=m +CONFIG_USB_SERIAL_CH341=m +CONFIG_USB_SERIAL_WHITEHEAT=m +CONFIG_USB_SERIAL_DIGI_ACCELEPORT=m +CONFIG_USB_SERIAL_CP210X=m +CONFIG_USB_SERIAL_CYPRESS_M8=m +CONFIG_USB_SERIAL_EMPEG=m +CONFIG_USB_SERIAL_FTDI_SIO=m +CONFIG_USB_SERIAL_VISOR=m +CONFIG_USB_SERIAL_IPAQ=m +CONFIG_USB_SERIAL_IR=m +CONFIG_USB_SERIAL_EDGEPORT=m +CONFIG_USB_SERIAL_EDGEPORT_TI=m +# CONFIG_USB_SERIAL_F81232 is not set +# CONFIG_USB_SERIAL_F8153X is not set +CONFIG_USB_SERIAL_GARMIN=m 
+CONFIG_USB_SERIAL_IPW=m +CONFIG_USB_SERIAL_IUU=m +CONFIG_USB_SERIAL_KEYSPAN_PDA=m +CONFIG_USB_SERIAL_KEYSPAN=m +CONFIG_USB_SERIAL_KLSI=m +CONFIG_USB_SERIAL_KOBIL_SCT=m +CONFIG_USB_SERIAL_MCT_U232=m +# CONFIG_USB_SERIAL_METRO is not set +CONFIG_USB_SERIAL_MOS7720=m +CONFIG_USB_SERIAL_MOS7840=m +# CONFIG_USB_SERIAL_MXUPORT is not set +CONFIG_USB_SERIAL_NAVMAN=m +CONFIG_USB_SERIAL_PL2303=m +CONFIG_USB_SERIAL_OTI6858=m +CONFIG_USB_SERIAL_QCAUX=m +CONFIG_USB_SERIAL_QUALCOMM=m +CONFIG_USB_SERIAL_SPCP8X5=m +CONFIG_USB_SERIAL_SAFE=m +CONFIG_USB_SERIAL_SAFE_PADDED=y +CONFIG_USB_SERIAL_SIERRAWIRELESS=m +CONFIG_USB_SERIAL_SYMBOL=m +CONFIG_USB_SERIAL_TI=m +CONFIG_USB_SERIAL_CYBERJACK=m +CONFIG_USB_SERIAL_WWAN=m +CONFIG_USB_SERIAL_OPTION=m +CONFIG_USB_SERIAL_OMNINET=m +CONFIG_USB_SERIAL_OPTICON=m +CONFIG_USB_SERIAL_XSENS_MT=m +# CONFIG_USB_SERIAL_WISHBONE is not set +CONFIG_USB_SERIAL_SSU100=m +CONFIG_USB_SERIAL_QT2=m +# CONFIG_USB_SERIAL_UPD78F0730 is not set +# CONFIG_USB_SERIAL_XR is not set +CONFIG_USB_SERIAL_DEBUG=m + +# +# USB Miscellaneous drivers +# +CONFIG_USB_EMI62=m +CONFIG_USB_EMI26=m +CONFIG_USB_ADUTUX=m +CONFIG_USB_SEVSEG=m +CONFIG_USB_LEGOTOWER=m +CONFIG_USB_LCD=m +# CONFIG_USB_CYPRESS_CY7C63 is not set +# CONFIG_USB_CYTHERM is not set +CONFIG_USB_IDMOUSE=m +CONFIG_USB_APPLEDISPLAY=m +# CONFIG_USB_QCOM_EUD is not set +# CONFIG_APPLE_MFI_FASTCHARGE is not set +CONFIG_USB_SISUSBVGA=m +CONFIG_USB_LD=m +# CONFIG_USB_TRANCEVIBRATOR is not set +CONFIG_USB_IOWARRIOR=m +# CONFIG_USB_TEST is not set +# CONFIG_USB_EHSET_TEST_FIXTURE is not set +CONFIG_USB_ISIGHTFW=m +# CONFIG_USB_YUREX is not set +CONFIG_USB_EZUSB_FX2=m +# CONFIG_USB_HUB_USB251XB is not set +CONFIG_USB_HSIC_USB3503=m +# CONFIG_USB_HSIC_USB4604 is not set +# CONFIG_USB_LINK_LAYER_TEST is not set +CONFIG_USB_CHAOSKEY=m +# CONFIG_USB_ONBOARD_HUB is not set +CONFIG_USB_ATM=m +# CONFIG_USB_SPEEDTOUCH is not set +CONFIG_USB_CXACRU=m +CONFIG_USB_UEAGLEATM=m +CONFIG_USB_XUSBATM=m + +# +# USB Physical Layer 
drivers +# +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GPIO_VBUS is not set +# CONFIG_USB_ISP1301 is not set +# CONFIG_USB_ULPI is not set +# end of USB Physical Layer drivers + +# CONFIG_USB_GADGET is not set +CONFIG_TYPEC=m +CONFIG_TYPEC_TCPM=m +CONFIG_TYPEC_TCPCI=m +# CONFIG_TYPEC_RT1711H is not set +# CONFIG_TYPEC_TCPCI_MAXIM is not set +# CONFIG_TYPEC_FUSB302 is not set +# CONFIG_TYPEC_QCOM_PMIC is not set +CONFIG_TYPEC_UCSI=m +# CONFIG_UCSI_CCG is not set +CONFIG_UCSI_ACPI=m +# CONFIG_UCSI_STM32G0 is not set +# CONFIG_TYPEC_TPS6598X is not set +# CONFIG_TYPEC_ANX7411 is not set +# CONFIG_TYPEC_RT1719 is not set +# CONFIG_TYPEC_HD3SS3220 is not set +# CONFIG_TYPEC_STUSB160X is not set +# CONFIG_TYPEC_WUSB3801 is not set + +# +# USB Type-C Multiplexer/DeMultiplexer Switch support +# +# CONFIG_TYPEC_MUX_FSA4480 is not set +# CONFIG_TYPEC_MUX_GPIO_SBU is not set +# CONFIG_TYPEC_MUX_PI3USB30532 is not set +# CONFIG_TYPEC_MUX_NB7VPQ904M is not set +# end of USB Type-C Multiplexer/DeMultiplexer Switch support + +# +# USB Type-C Alternate Mode drivers +# +CONFIG_TYPEC_DP_ALTMODE=m +# CONFIG_TYPEC_NVIDIA_ALTMODE is not set +# end of USB Type-C Alternate Mode drivers + +CONFIG_USB_ROLE_SWITCH=y +CONFIG_MMC=m +CONFIG_PWRSEQ_EMMC=m +CONFIG_PWRSEQ_SIMPLE=m +CONFIG_MMC_BLOCK=m +CONFIG_MMC_BLOCK_MINORS=8 +CONFIG_SDIO_UART=m +# CONFIG_MMC_TEST is not set + +# +# MMC/SD/SDIO Host Controller Drivers +# +# CONFIG_MMC_DEBUG is not set +CONFIG_MMC_ARMMMCI=m +CONFIG_MMC_STM32_SDMMC=y +CONFIG_MMC_SDHCI=m +CONFIG_MMC_SDHCI_IO_ACCESSORS=y +CONFIG_MMC_SDHCI_PCI=m +CONFIG_MMC_RICOH_MMC=y +CONFIG_MMC_SDHCI_ACPI=m +CONFIG_MMC_SDHCI_PLTFM=m +# CONFIG_MMC_SDHCI_OF_ARASAN is not set +# CONFIG_MMC_SDHCI_OF_AT91 is not set +# CONFIG_MMC_SDHCI_OF_DWCMSHC is not set +CONFIG_MMC_SDHCI_CADENCE=m +# CONFIG_MMC_SDHCI_F_SDH30 is not set +# CONFIG_MMC_SDHCI_MILBEAUT is not set +# CONFIG_MMC_SDHCI_MSM is not set +CONFIG_MMC_TIFM_SD=m +CONFIG_MMC_SPI=m +CONFIG_MMC_CB710=m +CONFIG_MMC_VIA_SDMMC=m 
+CONFIG_MMC_DW=m +CONFIG_MMC_DW_PLTFM=m +CONFIG_MMC_DW_BLUEFIELD=m +# CONFIG_MMC_DW_EXYNOS is not set +# CONFIG_MMC_DW_HI3798CV200 is not set +# CONFIG_MMC_DW_K3 is not set +# CONFIG_MMC_DW_PCI is not set +CONFIG_MMC_VUB300=m +CONFIG_MMC_USHC=m +# CONFIG_MMC_USDHI6ROL0 is not set +# CONFIG_MMC_REALTEK_PCI is not set +# CONFIG_MMC_REALTEK_USB is not set +CONFIG_MMC_CQHCI=m +# CONFIG_MMC_HSQ is not set +CONFIG_MMC_TOSHIBA_PCI=m +CONFIG_MMC_MTK=m +CONFIG_MMC_SDHCI_XENON=m +# CONFIG_SCSI_UFSHCD is not set +CONFIG_MEMSTICK=m +# CONFIG_MEMSTICK_DEBUG is not set + +# +# MemoryStick drivers +# +# CONFIG_MEMSTICK_UNSAFE_RESUME is not set +CONFIG_MSPRO_BLOCK=m +# CONFIG_MS_BLOCK is not set + +# +# MemoryStick Host Controller Drivers +# +CONFIG_MEMSTICK_TIFM_MS=m +CONFIG_MEMSTICK_JMICRON_38X=m +CONFIG_MEMSTICK_R592=m +# CONFIG_MEMSTICK_REALTEK_PCI is not set +# CONFIG_MEMSTICK_REALTEK_USB is not set +CONFIG_NEW_LEDS=y +CONFIG_LEDS_CLASS=y +CONFIG_LEDS_CLASS_FLASH=m +# CONFIG_LEDS_CLASS_MULTICOLOR is not set +# CONFIG_LEDS_BRIGHTNESS_HW_CHANGED is not set + +# +# LED drivers +# +# CONFIG_LEDS_AN30259A is not set +# CONFIG_LEDS_AW200XX is not set +# CONFIG_LEDS_AW2013 is not set +# CONFIG_LEDS_BCM6328 is not set +# CONFIG_LEDS_BCM6358 is not set +# CONFIG_LEDS_CR0014114 is not set +# CONFIG_LEDS_EL15203000 is not set +CONFIG_LEDS_LM3530=m +# CONFIG_LEDS_LM3532 is not set +# CONFIG_LEDS_LM3642 is not set +# CONFIG_LEDS_LM3692X is not set +# CONFIG_LEDS_PCA9532 is not set +# CONFIG_LEDS_GPIO is not set +CONFIG_LEDS_LP3944=m +# CONFIG_LEDS_LP3952 is not set +# CONFIG_LEDS_LP50XX is not set +# CONFIG_LEDS_LP55XX_COMMON is not set +# CONFIG_LEDS_LP8860 is not set +# CONFIG_LEDS_PCA955X is not set +# CONFIG_LEDS_PCA963X is not set +# CONFIG_LEDS_PCA995X is not set +# CONFIG_LEDS_DAC124S085 is not set +# CONFIG_LEDS_PWM is not set +# CONFIG_LEDS_REGULATOR is not set +# CONFIG_LEDS_BD2606MVV is not set +# CONFIG_LEDS_BD2802 is not set +CONFIG_LEDS_LT3593=m +# CONFIG_LEDS_TCA6507 is not 
set +# CONFIG_LEDS_TLC591XX is not set +# CONFIG_LEDS_LM355x is not set +# CONFIG_LEDS_IS31FL319X is not set +# CONFIG_LEDS_IS31FL32XX is not set + +# +# LED driver for blink(1) USB RGB LED is under Special HID drivers (HID_THINGM) +# +CONFIG_LEDS_BLINKM=m +# CONFIG_LEDS_SYSCON is not set +# CONFIG_LEDS_MLXREG is not set +# CONFIG_LEDS_USER is not set +# CONFIG_LEDS_SPI_BYTE is not set +# CONFIG_LEDS_LM3697 is not set + +# +# Flash and Torch LED drivers +# +# CONFIG_LEDS_AAT1290 is not set +# CONFIG_LEDS_AS3645A is not set +# CONFIG_LEDS_KTD2692 is not set +# CONFIG_LEDS_LM3601X is not set +# CONFIG_LEDS_RT4505 is not set +# CONFIG_LEDS_RT8515 is not set +# CONFIG_LEDS_SGM3140 is not set + +# +# RGB LED drivers +# + +# +# LED Triggers +# +CONFIG_LEDS_TRIGGERS=y +CONFIG_LEDS_TRIGGER_TIMER=m +CONFIG_LEDS_TRIGGER_ONESHOT=m +# CONFIG_LEDS_TRIGGER_DISK is not set +# CONFIG_LEDS_TRIGGER_MTD is not set +CONFIG_LEDS_TRIGGER_HEARTBEAT=m +CONFIG_LEDS_TRIGGER_BACKLIGHT=m +# CONFIG_LEDS_TRIGGER_CPU is not set +# CONFIG_LEDS_TRIGGER_ACTIVITY is not set +CONFIG_LEDS_TRIGGER_DEFAULT_ON=m + +# +# iptables trigger is under Netfilter config (LED target) +# +CONFIG_LEDS_TRIGGER_TRANSIENT=m +CONFIG_LEDS_TRIGGER_CAMERA=m +# CONFIG_LEDS_TRIGGER_PANIC is not set +# CONFIG_LEDS_TRIGGER_NETDEV is not set +# CONFIG_LEDS_TRIGGER_PATTERN is not set +# CONFIG_LEDS_TRIGGER_AUDIO is not set +# CONFIG_LEDS_TRIGGER_TTY is not set + +# +# Simple LED drivers +# +# CONFIG_ACCESSIBILITY is not set +CONFIG_INFINIBAND=m +CONFIG_INFINIBAND_USER_MAD=m +CONFIG_INFINIBAND_USER_ACCESS=m +CONFIG_INFINIBAND_USER_MEM=y +CONFIG_INFINIBAND_ON_DEMAND_PAGING=y +CONFIG_INFINIBAND_ADDR_TRANS=y +CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_PEER_MEMORY=y +CONFIG_INFINIBAND_VIRT_DMA=y +CONFIG_INFINIBAND_BNXT_RE=m +CONFIG_INFINIBAND_CXGB4=m +# CONFIG_INFINIBAND_EFA is not set +# CONFIG_INFINIBAND_ERDMA is not set +CONFIG_INFINIBAND_HNS=m +CONFIG_INFINIBAND_HNS_HIP08=y +# CONFIG_INFINIBAND_IRDMA is not set 
+CONFIG_MLX4_INFINIBAND=m +CONFIG_MLX5_INFINIBAND=m +# CONFIG_INFINIBAND_MTHCA is not set +# CONFIG_INFINIBAND_OCRDMA is not set +CONFIG_INFINIBAND_QEDR=m +CONFIG_HIROCE3=m +CONFIG_INFINIBAND_XSC=m +CONFIG_RDMA_RXE=m +# CONFIG_RDMA_SIW is not set +CONFIG_INFINIBAND_IPOIB=m +CONFIG_INFINIBAND_IPOIB_CM=y +# CONFIG_INFINIBAND_IPOIB_DEBUG is not set +CONFIG_INFINIBAND_SRP=m +CONFIG_INFINIBAND_SRPT=m +CONFIG_INFINIBAND_ISER=m +CONFIG_INFINIBAND_ISERT=m +# CONFIG_INFINIBAND_RTRS_CLIENT is not set +# CONFIG_INFINIBAND_RTRS_SERVER is not set +CONFIG_EDAC_SUPPORT=y +CONFIG_EDAC=y +CONFIG_EDAC_LEGACY_SYSFS=y +# CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_GHES=y +CONFIG_EDAC_THUNDERX=m +CONFIG_EDAC_XGENE=m +# CONFIG_EDAC_DMC520 is not set +CONFIG_RTC_LIB=y +CONFIG_RTC_CLASS=y +CONFIG_RTC_HCTOSYS=y +CONFIG_RTC_HCTOSYS_DEVICE="rtc0" +CONFIG_RTC_SYSTOHC=y +CONFIG_RTC_SYSTOHC_DEVICE="rtc0" +# CONFIG_RTC_DEBUG is not set +CONFIG_RTC_NVMEM=y + +# +# RTC interfaces +# +CONFIG_RTC_INTF_SYSFS=y +CONFIG_RTC_INTF_PROC=y +CONFIG_RTC_INTF_DEV=y +# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set +# CONFIG_RTC_DRV_TEST is not set + +# +# I2C RTC drivers +# +CONFIG_RTC_DRV_ABB5ZES3=m +# CONFIG_RTC_DRV_ABEOZ9 is not set +CONFIG_RTC_DRV_ABX80X=m +CONFIG_RTC_DRV_DS1307=m +# CONFIG_RTC_DRV_DS1307_CENTURY is not set +CONFIG_RTC_DRV_DS1374=m +CONFIG_RTC_DRV_DS1374_WDT=y +CONFIG_RTC_DRV_DS1672=m +# CONFIG_RTC_DRV_HYM8563 is not set +CONFIG_RTC_DRV_MAX6900=m +# CONFIG_RTC_DRV_NCT3018Y is not set +CONFIG_RTC_DRV_RS5C372=m +CONFIG_RTC_DRV_ISL1208=m +CONFIG_RTC_DRV_ISL12022=m +# CONFIG_RTC_DRV_ISL12026 is not set +CONFIG_RTC_DRV_X1205=m +CONFIG_RTC_DRV_PCF8523=m +CONFIG_RTC_DRV_PCF85063=m +# CONFIG_RTC_DRV_PCF85363 is not set +CONFIG_RTC_DRV_PCF8563=m +CONFIG_RTC_DRV_PCF8583=m +CONFIG_RTC_DRV_M41T80=m +CONFIG_RTC_DRV_M41T80_WDT=y +CONFIG_RTC_DRV_BQ32K=m +# CONFIG_RTC_DRV_S35390A is not set +CONFIG_RTC_DRV_FM3130=m +CONFIG_RTC_DRV_RX8010=m +CONFIG_RTC_DRV_RX8581=m +CONFIG_RTC_DRV_RX8025=m +CONFIG_RTC_DRV_EM3027=m 
+# CONFIG_RTC_DRV_RV3028 is not set +# CONFIG_RTC_DRV_RV3032 is not set +CONFIG_RTC_DRV_RV8803=m +# CONFIG_RTC_DRV_SD3078 is not set + +# +# SPI RTC drivers +# +CONFIG_RTC_DRV_M41T93=m +CONFIG_RTC_DRV_M41T94=m +# CONFIG_RTC_DRV_DS1302 is not set +CONFIG_RTC_DRV_DS1305=m +CONFIG_RTC_DRV_DS1343=m +CONFIG_RTC_DRV_DS1347=m +CONFIG_RTC_DRV_DS1390=m +# CONFIG_RTC_DRV_MAX6916 is not set +CONFIG_RTC_DRV_R9701=m +CONFIG_RTC_DRV_RX4581=m +CONFIG_RTC_DRV_RS5C348=m +CONFIG_RTC_DRV_MAX6902=m +CONFIG_RTC_DRV_PCF2123=m +CONFIG_RTC_DRV_MCP795=m +CONFIG_RTC_I2C_AND_SPI=y + +# +# SPI and I2C RTC drivers +# +CONFIG_RTC_DRV_DS3232=m +CONFIG_RTC_DRV_DS3232_HWMON=y +CONFIG_RTC_DRV_PCF2127=m +CONFIG_RTC_DRV_RV3029C2=m +# CONFIG_RTC_DRV_RV3029_HWMON is not set +# CONFIG_RTC_DRV_RX6110 is not set + +# +# Platform RTC drivers +# +CONFIG_RTC_DRV_DS1286=m +CONFIG_RTC_DRV_DS1511=m +CONFIG_RTC_DRV_DS1553=m +CONFIG_RTC_DRV_DS1685_FAMILY=m +CONFIG_RTC_DRV_DS1685=y +# CONFIG_RTC_DRV_DS1689 is not set +# CONFIG_RTC_DRV_DS17285 is not set +# CONFIG_RTC_DRV_DS17485 is not set +# CONFIG_RTC_DRV_DS17885 is not set +CONFIG_RTC_DRV_DS1742=m +CONFIG_RTC_DRV_DS2404=m +CONFIG_RTC_DRV_EFI=y +CONFIG_RTC_DRV_STK17TA8=m +# CONFIG_RTC_DRV_M48T86 is not set +CONFIG_RTC_DRV_M48T35=m +CONFIG_RTC_DRV_M48T59=m +CONFIG_RTC_DRV_MSM6242=m +CONFIG_RTC_DRV_RP5C01=m +# CONFIG_RTC_DRV_ZYNQMP is not set + +# +# on-CPU RTC drivers +# +# CONFIG_RTC_DRV_PL030 is not set +CONFIG_RTC_DRV_PL031=y +# CONFIG_RTC_DRV_CADENCE is not set +# CONFIG_RTC_DRV_FTRTC010 is not set +# CONFIG_RTC_DRV_XGENE is not set +# CONFIG_RTC_DRV_R7301 is not set + +# +# HID Sensor RTC drivers +# +# CONFIG_RTC_DRV_GOLDFISH is not set +CONFIG_DMADEVICES=y +# CONFIG_DMADEVICES_DEBUG is not set + +# +# DMA Devices +# +CONFIG_DMA_ENGINE=y +CONFIG_DMA_ACPI=y +CONFIG_DMA_OF=y +# CONFIG_ALTERA_MSGDMA is not set +# CONFIG_AMBA_PL08X is not set +# CONFIG_BCM_SBA_RAID is not set +# CONFIG_DW_AXI_DMAC is not set +# CONFIG_FSL_EDMA is not set +# CONFIG_FSL_QDMA is 
not set +# CONFIG_HISI_DMA is not set +# CONFIG_INTEL_IDMA64 is not set +# CONFIG_K3_DMA is not set +# CONFIG_MV_XOR_V2 is not set +# CONFIG_PL330_DMA is not set +# CONFIG_PLX_DMA is not set +# CONFIG_XGENE_DMA is not set +# CONFIG_XILINX_DMA is not set +# CONFIG_XILINX_XDMA is not set +# CONFIG_XILINX_ZYNQMP_DMA is not set +# CONFIG_XILINX_ZYNQMP_DPDMA is not set +# CONFIG_QCOM_BAM_DMA is not set +# CONFIG_QCOM_GPI_DMA is not set +CONFIG_QCOM_HIDMA_MGMT=m +CONFIG_QCOM_HIDMA=m +CONFIG_DW_DMAC_CORE=m +CONFIG_DW_DMAC=m +CONFIG_DW_DMAC_PCI=m +# CONFIG_DW_EDMA is not set +# CONFIG_SF_PDMA is not set + +# +# DMA Clients +# +CONFIG_ASYNC_TX_DMA=y +# CONFIG_DMATEST is not set + +# +# DMABUF options +# +CONFIG_SYNC_FILE=y +# CONFIG_UDMABUF is not set +# CONFIG_DMABUF_MOVE_NOTIFY is not set +# CONFIG_DMABUF_DEBUG is not set +# CONFIG_DMABUF_SELFTESTS is not set +# CONFIG_DMABUF_HEAPS is not set +# CONFIG_DMABUF_SYSFS_STATS is not set +# end of DMABUF options + +CONFIG_UIO=m +CONFIG_UIO_CIF=m +CONFIG_UIO_PDRV_GENIRQ=m +# CONFIG_UIO_DMEM_GENIRQ is not set +CONFIG_UIO_AEC=m +CONFIG_UIO_SERCOS3=m +CONFIG_UIO_PCI_GENERIC=m +# CONFIG_UIO_NETX is not set +# CONFIG_UIO_PRUSS is not set +# CONFIG_UIO_MF624 is not set +CONFIG_VFIO=m +CONFIG_VFIO_DEVICE_CDEV=y +CONFIG_VFIO_GROUP=y +CONFIG_VFIO_CONTAINER=y +CONFIG_VFIO_IOMMU_TYPE1=m +CONFIG_VFIO_NOIOMMU=y +CONFIG_VFIO_VIRQFD=y + +# +# VFIO support for PCI devices +# +CONFIG_VFIO_PCI_CORE=m +CONFIG_VFIO_PCI_MMAP=y +CONFIG_VFIO_PCI_INTX=y +CONFIG_VFIO_PCI=m +# CONFIG_MLX5_VFIO_PCI is not set +CONFIG_HISI_ACC_VFIO_PCI=m +# end of VFIO support for PCI devices + +# +# VFIO support for platform devices +# +CONFIG_VFIO_PLATFORM_BASE=m +CONFIG_VFIO_PLATFORM=m +# CONFIG_VFIO_AMBA is not set + +# +# VFIO platform reset drivers +# +# CONFIG_VFIO_PLATFORM_CALXEDAXGMAC_RESET is not set +# CONFIG_VFIO_PLATFORM_AMDXGBE_RESET is not set +# end of VFIO platform reset drivers +# end of VFIO support for platform devices + +# CONFIG_VIRT_DRIVERS is not 
set +CONFIG_VIRTIO_ANCHOR=y +CONFIG_VIRTIO=m +CONFIG_VIRTIO_PCI_LIB=m +CONFIG_VIRTIO_PCI_LIB_LEGACY=m +CONFIG_VIRTIO_MENU=y +CONFIG_VIRTIO_PCI=m +CONFIG_VIRTIO_PCI_LEGACY=y +# CONFIG_VIRTIO_VDPA is not set +# CONFIG_VIRTIO_PMEM is not set +CONFIG_VIRTIO_BALLOON=m +CONFIG_VIRTIO_MEM=m +CONFIG_VIRTIO_INPUT=m +CONFIG_VIRTIO_MMIO=m +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set +CONFIG_VIRTIO_DMA_SHARED_BUFFER=m +CONFIG_VDPA=m +# CONFIG_VDPA_USER is not set +# CONFIG_IFCVF is not set +# CONFIG_MLX5_VDPA_NET is not set +# CONFIG_MLX5_VDPA_STEERING_DEBUG is not set +# CONFIG_VP_VDPA is not set +# CONFIG_SNET_VDPA is not set +CONFIG_VHOST_IOTLB=m +CONFIG_VHOST_TASK=y +CONFIG_VHOST=m +CONFIG_VHOST_MENU=y +CONFIG_VHOST_NET=m +CONFIG_VHOST_SCSI=m +CONFIG_VHOST_VSOCK=m +CONFIG_VHOST_VDPA=m +CONFIG_VHOST_VDPA_MIGRATION=y +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_HYPERV is not set +# end of Microsoft Hyper-V guest support + +# CONFIG_GREYBUS is not set +# CONFIG_COMEDI is not set +# CONFIG_STAGING is not set +# CONFIG_GOLDFISH is not set +CONFIG_CHROME_PLATFORMS=y +# CONFIG_CHROMEOS_ACPI is not set +# CONFIG_CHROMEOS_TBMC is not set +# CONFIG_CROS_EC is not set +# CONFIG_CROS_KBD_LED_BACKLIGHT is not set +# CONFIG_CROS_HPS_I2C is not set +# CONFIG_CHROMEOS_PRIVACY_SCREEN is not set +# CONFIG_MELLANOX_PLATFORM is not set +CONFIG_ARM_CPU_RESCTRL=y +CONFIG_SURFACE_PLATFORMS=y +# CONFIG_SURFACE_3_POWER_OPREGION is not set +# CONFIG_SURFACE_GPE is not set +# CONFIG_SURFACE_HOTPLUG is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +CONFIG_HAVE_CLK=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Clock driver for ARM Reference designs +# +# CONFIG_CLK_ICST is not set +CONFIG_CLK_SP810=y +CONFIG_CLK_VEXPRESS_OSC=y +# end of Clock driver for ARM Reference designs + +# CONFIG_LMK04832 is not set +# CONFIG_COMMON_CLK_MAX9485 is not set +CONFIG_COMMON_CLK_SCPI=m +# CONFIG_COMMON_CLK_SI5341 is not set +# 
CONFIG_COMMON_CLK_SI5351 is not set +# CONFIG_COMMON_CLK_SI514 is not set +# CONFIG_COMMON_CLK_SI544 is not set +# CONFIG_COMMON_CLK_SI570 is not set +# CONFIG_COMMON_CLK_CDCE706 is not set +# CONFIG_COMMON_CLK_CDCE925 is not set +# CONFIG_COMMON_CLK_CS2000_CP is not set +# CONFIG_COMMON_CLK_AXI_CLKGEN is not set +CONFIG_COMMON_CLK_XGENE=y +# CONFIG_COMMON_CLK_PWM is not set +# CONFIG_COMMON_CLK_RS9_PCIE is not set +# CONFIG_COMMON_CLK_SI521XX is not set +# CONFIG_COMMON_CLK_VC3 is not set +# CONFIG_COMMON_CLK_VC5 is not set +# CONFIG_COMMON_CLK_VC7 is not set +# CONFIG_COMMON_CLK_FIXED_MMIO is not set +CONFIG_COMMON_CLK_HI3516CV300=y +CONFIG_COMMON_CLK_HI3519=y +CONFIG_COMMON_CLK_HI3559A=y +CONFIG_COMMON_CLK_HI3660=y +CONFIG_COMMON_CLK_HI3670=y +CONFIG_COMMON_CLK_HI3798CV200=y +# CONFIG_COMMON_CLK_HI6220 is not set +CONFIG_RESET_HISI=y +CONFIG_STUB_CLK_HI3660=y +# CONFIG_COMMON_CLK_QCOM is not set +# CONFIG_XILINX_VCU is not set +# CONFIG_COMMON_CLK_XLNX_CLKWZRD is not set +CONFIG_HWSPINLOCK=y +# CONFIG_HWSPINLOCK_QCOM is not set + +# +# Clock Source drivers +# +CONFIG_TIMER_OF=y +CONFIG_TIMER_ACPI=y +CONFIG_TIMER_PROBE=y +CONFIG_CLKSRC_MMIO=y +CONFIG_ARM_ARCH_TIMER=y +CONFIG_ARM_ARCH_TIMER_EVTSTREAM=y +CONFIG_ARM_ARCH_TIMER_OOL_WORKAROUND=y +CONFIG_FSL_ERRATUM_A008585=y +CONFIG_HISILICON_ERRATUM_161010101=y +CONFIG_ARM64_ERRATUM_858921=y +CONFIG_ARM_TIMER_SP804=y +# CONFIG_ARM_ARCH_TIMER_WORKAROUND_IN_USERSPACE is not set +# end of Clock Source drivers + +CONFIG_MAILBOX=y +CONFIG_ARM_MHU=m +# CONFIG_ARM_MHU_V2 is not set +# CONFIG_PLATFORM_MHU is not set +# CONFIG_PL320_MBOX is not set +CONFIG_PCC=y +# CONFIG_ALTERA_MBOX is not set +CONFIG_HI3660_MBOX=y +CONFIG_HI6220_MBOX=y +# CONFIG_MAILBOX_TEST is not set +# CONFIG_QCOM_APCS_IPC is not set +CONFIG_XGENE_SLIMPRO_MBOX=m +# CONFIG_QCOM_IPCC is not set +CONFIG_IOMMU_IOVA=y +CONFIG_IOMMU_API=y +CONFIG_IOMMUFD_DRIVER=y +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +CONFIG_IOMMU_IO_PGTABLE=y 
+CONFIG_IOMMU_IO_PGTABLE_LPAE=y +# CONFIG_IOMMU_IO_PGTABLE_LPAE_SELFTEST is not set +# CONFIG_IOMMU_IO_PGTABLE_ARMV7S is not set +# CONFIG_IOMMU_IO_PGTABLE_DART is not set +# end of Generic IOMMU Pagetable Support + +CONFIG_IOMMU_DEFAULT_DMA_STRICT=y +# CONFIG_IOMMU_DEFAULT_DMA_LAZY is not set +# CONFIG_IOMMU_DEFAULT_PASSTHROUGH is not set +CONFIG_OF_IOMMU=y +CONFIG_IOMMU_DMA=y +CONFIG_IOMMU_SVA=y +CONFIG_IOMMU_IOPF=y +CONFIG_IOMMUFD_DRIVER_CORE=y +CONFIG_IOMMUFD=m +CONFIG_ARM_SMMU=y +# CONFIG_ARM_SMMU_LEGACY_DT_BINDINGS is not set +CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y +CONFIG_ARM_SMMU_QCOM=y +# CONFIG_ARM_SMMU_QCOM_DEBUG is not set +CONFIG_ARM_SMMU_V3=y +CONFIG_ARM_SMMU_V3_SVA=y +# CONFIG_ARM_SMMU_V3_PM is not set +CONFIG_ARM_SMMU_V3_HTTU=y +CONFIG_ARM_SMMU_V3_ECMDQ=y +CONFIG_ARM_SMMU_V3_IOMMUFD=y +# CONFIG_QCOM_IOMMU is not set +# CONFIG_VIRTIO_IOMMU is not set +CONFIG_SMMU_BYPASS_DEV=y + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set +# end of Remoteproc drivers + +# +# Rpmsg drivers +# +# CONFIG_RPMSG_QCOM_GLINK_RPM is not set +# CONFIG_RPMSG_VIRTIO is not set +# end of Rpmsg drivers + +# CONFIG_SOUNDWIRE is not set + +# +# SOC (System On Chip) specific Drivers +# + +# +# Amlogic SoC drivers +# +# end of Amlogic SoC drivers + +# +# Broadcom SoC drivers +# +# CONFIG_SOC_BRCMSTB is not set +# end of Broadcom SoC drivers + +# +# NXP/Freescale QorIQ SoC drivers +# +# CONFIG_QUICC_ENGINE is not set +# CONFIG_FSL_RCPM is not set +# end of NXP/Freescale QorIQ SoC drivers + +# +# fujitsu SoC drivers +# +# CONFIG_A64FX_DIAG is not set +# end of fujitsu SoC drivers + +# +# Hisilicon SoC drivers +# +# CONFIG_HISI_HBMDEV is not set +# CONFIG_HISI_HBMCACHE is not set +CONFIG_KUNPENG_HCCS=m +CONFIG_HISI_SOC_CACHE=m +CONFIG_HISI_SOC_HHA=m +# end of Hisilicon SoC drivers + +# +# i.MX SoC drivers +# +# end of i.MX SoC drivers + +# +# Enable LiteX SoC Builder specific drivers +# +# CONFIG_LITEX_SOC_CONTROLLER is not set +# end of Enable LiteX SoC Builder 
specific drivers + +# CONFIG_WPCM450_SOC is not set + +# +# Qualcomm SoC drivers +# +# CONFIG_QCOM_AOSS_QMP is not set +# CONFIG_QCOM_COMMAND_DB is not set +# CONFIG_QCOM_CPR is not set +# CONFIG_QCOM_GENI_SE is not set +# CONFIG_QCOM_GSBI is not set +# CONFIG_QCOM_LLCC is not set +CONFIG_QCOM_KRYO_L2_ACCESSORS=y +# CONFIG_QCOM_OCMEM is not set +# CONFIG_QCOM_RAMP_CTRL is not set +# CONFIG_QCOM_RMTFS_MEM is not set +# CONFIG_QCOM_RPM_MASTER_STATS is not set +# CONFIG_QCOM_RPMH is not set +# CONFIG_QCOM_SMEM is not set +# CONFIG_QCOM_SPM is not set +# CONFIG_QCOM_ICC_BWMON is not set +# end of Qualcomm SoC drivers + +# CONFIG_SOC_TI is not set + +# +# Xilinx SoC drivers +# +# end of Xilinx SoC drivers +# end of SOC (System On Chip) specific Drivers + +CONFIG_PM_DEVFREQ=y + +# +# DEVFREQ Governors +# +CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=y +CONFIG_DEVFREQ_GOV_PERFORMANCE=y +CONFIG_DEVFREQ_GOV_POWERSAVE=y +CONFIG_DEVFREQ_GOV_USERSPACE=y +# CONFIG_DEVFREQ_GOV_PASSIVE is not set + +# +# DEVFREQ Drivers +# +CONFIG_ARM_HISI_UNCORE_DEVFREQ=m +# CONFIG_PM_DEVFREQ_EVENT is not set +CONFIG_EXTCON=y + +# +# Extcon Device Drivers +# +# CONFIG_EXTCON_FSA9480 is not set +CONFIG_EXTCON_GPIO=m +# CONFIG_EXTCON_MAX3355 is not set +# CONFIG_EXTCON_PTN5150 is not set +# CONFIG_EXTCON_QCOM_SPMI_MISC is not set +# CONFIG_EXTCON_RT8973A is not set +# CONFIG_EXTCON_SM5502 is not set +# CONFIG_EXTCON_USB_GPIO is not set +# CONFIG_EXTCON_USBC_TUSB320 is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +CONFIG_NTB=m +# CONFIG_NTB_MSI is not set +# CONFIG_NTB_IDT is not set +# CONFIG_NTB_EPF is not set +# CONFIG_NTB_SWITCHTEC is not set +# CONFIG_NTB_PINGPONG is not set +# CONFIG_NTB_TOOL is not set +# CONFIG_NTB_PERF is not set +# CONFIG_NTB_TRANSPORT is not set +CONFIG_PWM=y +CONFIG_PWM_SYSFS=y +# CONFIG_PWM_DEBUG is not set +# CONFIG_PWM_ATMEL_TCB is not set +# CONFIG_PWM_CLK is not set +# CONFIG_PWM_DWC is not set +# CONFIG_PWM_FSL_FTM is not set +# CONFIG_PWM_HIBVT is not set 
+# CONFIG_PWM_PCA9685 is not set +# CONFIG_PWM_XILINX is not set + +# +# IRQ chip support +# +CONFIG_IRQCHIP=y +CONFIG_ARM_GIC=y +CONFIG_ARM_GIC_MAX_NR=1 +CONFIG_ARM_GIC_V2M=y +CONFIG_ARM_GIC_V3=y +CONFIG_ARM_GIC_V3_ITS=y +CONFIG_ARM_GIC_V3_ITS_PCI=y +CONFIG_ARM_GIC_PHYTIUM_2500=y +# CONFIG_AL_FIC is not set +CONFIG_HISILICON_IRQ_MBIGEN=y +CONFIG_IRQ_MBIGEN_ENABLE_SPI=y +# CONFIG_XILINX_INTC is not set +CONFIG_PARTITION_PERCPU=y +CONFIG_QCOM_IRQ_COMBINER=y +# CONFIG_QCOM_PDC is not set +# CONFIG_QCOM_MPM is not set +# end of IRQ chip support + +# CONFIG_IPACK_BUS is not set +CONFIG_RESET_CONTROLLER=y +# CONFIG_RESET_QCOM_AOSS is not set +# CONFIG_RESET_QCOM_PDC is not set +# CONFIG_RESET_SIMPLE is not set +# CONFIG_RESET_TI_SYSCON is not set +# CONFIG_RESET_TI_TPS380X is not set +CONFIG_COMMON_RESET_HI3660=y +CONFIG_COMMON_RESET_HI6220=y + +# +# PHY Subsystem +# +CONFIG_GENERIC_PHY=y +CONFIG_PHY_XGENE=y +# CONFIG_PHY_CAN_TRANSCEIVER is not set + +# +# PHY drivers for Broadcom platforms +# +# CONFIG_BCM_KONA_USB2_PHY is not set +# end of PHY drivers for Broadcom platforms + +# CONFIG_PHY_CADENCE_TORRENT is not set +# CONFIG_PHY_CADENCE_DPHY is not set +# CONFIG_PHY_CADENCE_DPHY_RX is not set +# CONFIG_PHY_CADENCE_SIERRA is not set +# CONFIG_PHY_CADENCE_SALVO is not set +CONFIG_PHY_HI6220_USB=m +# CONFIG_PHY_HI3660_USB is not set +# CONFIG_PHY_HI3670_USB is not set +# CONFIG_PHY_HI3670_PCIE is not set +# CONFIG_PHY_HISTB_COMBPHY is not set +# CONFIG_PHY_HISI_INNO_USB2 is not set +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_PHY_LAN966X_SERDES is not set +# CONFIG_PHY_MAPPHONE_MDM6600 is not set +# CONFIG_PHY_OCELOT_SERDES is not set +# CONFIG_PHY_QCOM_APQ8064_SATA is not set +# CONFIG_PHY_QCOM_EDP is not set +# CONFIG_PHY_QCOM_IPQ4019_USB is not set +# CONFIG_PHY_QCOM_IPQ806X_SATA is not set +# CONFIG_PHY_QCOM_PCIE2 is not set +# CONFIG_PHY_QCOM_QMP is not set +# CONFIG_PHY_QCOM_QUSB2 is not set +# CONFIG_PHY_QCOM_SNPS_EUSB2 
is not set +# CONFIG_PHY_QCOM_EUSB2_REPEATER is not set +# CONFIG_PHY_QCOM_M31_USB is not set +# CONFIG_PHY_QCOM_USB_HS is not set +# CONFIG_PHY_QCOM_USB_SNPS_FEMTO_V2 is not set +# CONFIG_PHY_QCOM_USB_HSIC is not set +# CONFIG_PHY_QCOM_USB_HS_28NM is not set +# CONFIG_PHY_QCOM_USB_SS is not set +# CONFIG_PHY_QCOM_IPQ806X_USB is not set +# CONFIG_PHY_QCOM_SGMII_ETH is not set +# CONFIG_PHY_TUSB1210 is not set +# end of PHY Subsystem + +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_ARM_CCI_PMU is not set +CONFIG_ARM_CCN=y +# CONFIG_ARM_CMN is not set +CONFIG_ARM_PMU=y +CONFIG_ARM_PMU_ACPI=y +CONFIG_ARM_SMMU_V3_PMU=m +CONFIG_ARM_PMUV3=y +# CONFIG_ARM_DSU_PMU is not set +CONFIG_QCOM_L2_PMU=y +CONFIG_QCOM_L3_PMU=y +CONFIG_THUNDERX2_PMU=m +CONFIG_XGENE_PMU=y +CONFIG_ARM_SPE_PMU=m +CONFIG_ARM64_BRBE=y +# CONFIG_ARM_DMC620_PMU is not set +# CONFIG_MARVELL_CN10K_TAD_PMU is not set +# CONFIG_ALIBABA_UNCORE_DRW_PMU is not set +CONFIG_HISI_PMU=m +CONFIG_HISI_PCIE_PMU=m +CONFIG_HNS3_PMU=m +# CONFIG_MARVELL_CN10K_DDR_PMU is not set +# CONFIG_ARM_CORESIGHT_PMU_ARCH_SYSTEM_PMU is not set +# end of Performance monitor support + +CONFIG_RAS=y +CONFIG_RAS_ARM_EVENT_INFO=y +CONFIG_PAGE_EJECT=m +CONFIG_USB4=m +# CONFIG_USB4_DEBUGFS_WRITE is not set + +# +# Android +# +# CONFIG_ANDROID_BINDER_IPC is not set +# end of Android + +# +# Vendor Hooks +# +# end of Vendor Hooks + +CONFIG_LIBNVDIMM=m +CONFIG_BLK_DEV_PMEM=m +CONFIG_ND_CLAIM=y +CONFIG_ND_BTT=m +CONFIG_BTT=y +CONFIG_ND_PFN=m +CONFIG_NVDIMM_PFN=y +CONFIG_NVDIMM_DAX=y +CONFIG_OF_PMEM=m +CONFIG_NVDIMM_KEYS=y +# CONFIG_NVDIMM_SECURITY_TEST is not set +CONFIG_DAX=y +CONFIG_DEV_DAX=m +CONFIG_DEV_DAX_PMEM=m +CONFIG_DEV_DAX_HMEM=m +CONFIG_DEV_DAX_CXL=m +CONFIG_DEV_DAX_HMEM_DEVICES=y +CONFIG_DEV_DAX_KMEM=m +CONFIG_NVMEM=y +CONFIG_NVMEM_SYSFS=y + +# +# Layout Types +# +# CONFIG_NVMEM_LAYOUT_SL28_VPD is not set +# CONFIG_NVMEM_LAYOUT_ONIE_TLV is not set +# end of Layout Types + +# 
CONFIG_NVMEM_QCOM_QFPROM is not set +# CONFIG_NVMEM_QCOM_SEC_QFPROM is not set +# CONFIG_NVMEM_RMEM is not set +# CONFIG_NVMEM_U_BOOT_ENV is not set + +# +# HW tracing support +# +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +CONFIG_HISI_PTT=m +# end of HW tracing support + +# CONFIG_FPGA is not set +# CONFIG_FSI is not set +CONFIG_TEE=m +# CONFIG_OPTEE is not set +CONFIG_PM_OPP=y +# CONFIG_SIOX is not set +# CONFIG_SLIMBUS is not set +# CONFIG_INTERCONNECT is not set +# CONFIG_COUNTER is not set +# CONFIG_MOST is not set +# CONFIG_PECI is not set +# CONFIG_HTE is not set +# CONFIG_CDX_BUS is not set + +# +# CPU Inspect +# +CONFIG_CPU_INSPECT=m +CONFIG_CPU_INSPECTOR_ATF=m +# end of CPU Inspect + +CONFIG_ROH=m +CONFIG_ROH_HNS=m +CONFIG_HISI_VIRTCCA_CODA=y +CONFIG_ARM_SPE_MEM_SAMPLING=y +# end of Device Drivers + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +# CONFIG_VALIDATE_FS_PARSER is not set +CONFIG_FS_IOMAP=y +CONFIG_FS_STACK=y +CONFIG_BUFFER_HEAD=y +CONFIG_LEGACY_DIRECT_IO=y +# CONFIG_EXT2_FS is not set +CONFIG_EXT3_FS=m +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=m +CONFIG_EXT4_USE_FOR_EXT2=y +CONFIG_EXT4_FS_POSIX_ACL=y +CONFIG_EXT4_FS_SECURITY=y +# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_ERROR_REPORT=y +# CONFIG_EXT4_DIOREAD_NOLOCK_PARAM is not set +CONFIG_JBD2=m +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=m +# CONFIG_REISERFS_FS is not set +# CONFIG_JFS_FS is not set +CONFIG_XFS_FS=m +CONFIG_XFS_SUPPORT_V4=y +CONFIG_XFS_SUPPORT_ASCII_CI=y +CONFIG_XFS_QUOTA=y +CONFIG_XFS_POSIX_ACL=y +# CONFIG_XFS_RT is not set +# CONFIG_XFS_ONLINE_SCRUB is not set +# CONFIG_XFS_WARN is not set +# CONFIG_XFS_DEBUG is not set +# CONFIG_GFS2_FS is not set +CONFIG_OCFS2_FS=m +CONFIG_OCFS2_FS_O2CB=m +CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m +# CONFIG_OCFS2_DEBUG_MASKLOG is not set +# CONFIG_OCFS2_DEBUG_FS is not set +CONFIG_BTRFS_FS=m +CONFIG_BTRFS_FS_POSIX_ACL=y +# CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set +# 
CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set +# CONFIG_BTRFS_DEBUG is not set +# CONFIG_BTRFS_ASSERT is not set +# CONFIG_BTRFS_FS_REF_VERIFY is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_ZONEFS_FS is not set +CONFIG_FS_DAX=y +CONFIG_FS_DAX_PMD=y +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +CONFIG_EXPORTFS_BLOCK_OPS=y +CONFIG_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +# CONFIG_FS_VERITY is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +CONFIG_FANOTIFY=y +CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y +CONFIG_QUOTA=y +CONFIG_QUOTA_NETLINK_INTERFACE=y +# CONFIG_QUOTA_DEBUG is not set +CONFIG_QUOTA_TREE=y +# CONFIG_QFMT_V1 is not set +CONFIG_QFMT_V2=y +CONFIG_QUOTACTL=y +CONFIG_AUTOFS_FS=y +CONFIG_FUSE_FS=m +CONFIG_CUSE=m +CONFIG_VIRTIO_FS=m +CONFIG_FUSE_DAX=y +CONFIG_FUSE_PASSTHROUGH=y +CONFIG_OVERLAY_FS=m +# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set +CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y +# CONFIG_OVERLAY_FS_INDEX is not set +# CONFIG_OVERLAY_FS_XINO_AUTO is not set +# CONFIG_OVERLAY_FS_METACOPY is not set +# CONFIG_OVERLAY_FS_DEBUG is not set + +# +# Caches +# +CONFIG_NETFS_SUPPORT=m +CONFIG_NETFS_STATS=y +CONFIG_FSCACHE=m +CONFIG_FSCACHE_STATS=y +# CONFIG_FSCACHE_DEBUG is not set +CONFIG_CACHEFILES=m +# CONFIG_CACHEFILES_DEBUG is not set +# CONFIG_CACHEFILES_ERROR_INJECTION is not set +CONFIG_CACHEFILES_ONDEMAND=y +# end of Caches + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=m +CONFIG_JOLIET=y +CONFIG_ZISOFS=y +CONFIG_UDF_FS=m +# end of CD-ROM/DVD Filesystems + +# +# DOS/FAT/EXFAT/NT Filesystems +# +CONFIG_FAT_FS=m +CONFIG_MSDOS_FS=m +CONFIG_VFAT_FS=m +CONFIG_FAT_DEFAULT_CODEPAGE=437 +CONFIG_FAT_DEFAULT_IOCHARSET="ascii" +# CONFIG_FAT_DEFAULT_UTF8 is not set +CONFIG_EXFAT_FS=m +CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8" +CONFIG_NTFS_FS=m +# CONFIG_NTFS_DEBUG is not set +# CONFIG_NTFS_RW is not set +CONFIG_NTFS3_FS=m +# CONFIG_NTFS3_64BIT_CLUSTER is not set +CONFIG_NTFS3_LZX_XPRESS=y 
+CONFIG_NTFS3_FS_POSIX_ACL=y +# end of DOS/FAT/EXFAT/NT Filesystems + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +# CONFIG_PROC_KCORE is not set +# CONFIG_PROC_VMCORE is not set +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +CONFIG_PROC_CHILDREN=y +CONFIG_PROC_CPU_RESCTRL=y +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_DIRTY_PAGES=y +CONFIG_TMPFS=y +CONFIG_TMPFS_POSIX_ACL=y +CONFIG_TMPFS_XATTR=y +# CONFIG_TMPFS_INODE64 is not set +# CONFIG_TMPFS_QUOTA is not set +CONFIG_ARCH_SUPPORTS_HUGETLBFS=y +CONFIG_HUGETLBFS=y +CONFIG_HUGETLB_PAGE=y +CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP=y +# CONFIG_HUGETLB_PAGE_OPTIMIZE_VMEMMAP_DEFAULT_ON is not set +CONFIG_HUGETLB_ALLOC_LIMIT=y +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y +CONFIG_CONFIGFS_FS=y +CONFIG_EFIVAR_FS=y +# end of Pseudo filesystems + +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_JFFS2_FS is not set +# CONFIG_UBIFS_FS is not set +CONFIG_CRAMFS=m +CONFIG_CRAMFS_BLOCKDEV=y +# CONFIG_CRAMFS_MTD is not set +CONFIG_SQUASHFS=m +CONFIG_SQUASHFS_FILE_CACHE=y +# CONFIG_SQUASHFS_FILE_DIRECT is not set +CONFIG_SQUASHFS_DECOMP_SINGLE=y +# CONFIG_SQUASHFS_CHOICE_DECOMP_BY_MOUNT is not set +CONFIG_SQUASHFS_COMPILE_DECOMP_SINGLE=y +# CONFIG_SQUASHFS_COMPILE_DECOMP_MULTI is not set +# CONFIG_SQUASHFS_COMPILE_DECOMP_MULTI_PERCPU is not set +CONFIG_SQUASHFS_XATTR=y +CONFIG_SQUASHFS_ZLIB=y +CONFIG_SQUASHFS_LZ4=y +CONFIG_SQUASHFS_LZO=y +CONFIG_SQUASHFS_XZ=y +# CONFIG_SQUASHFS_ZSTD is not set +# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set +# CONFIG_SQUASHFS_EMBEDDED is not set +CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3 +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set 
+CONFIG_RESCTRL_FS=y +CONFIG_RESCTRL_RMID_DEPENDS_ON_CLOSID=y +CONFIG_RESCTRL_IOMMU=y +# CONFIG_ROMFS_FS is not set +CONFIG_PSTORE=y +CONFIG_PSTORE_DEFAULT_KMSG_BYTES=10240 +CONFIG_PSTORE_COMPRESS=y +# CONFIG_PSTORE_CONSOLE is not set +# CONFIG_PSTORE_PMSG is not set +CONFIG_PSTORE_RAM=m +# CONFIG_PSTORE_BLK is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_EROFS_FS=m +# CONFIG_EROFS_FS_DEBUG is not set +CONFIG_EROFS_FS_XATTR=y +CONFIG_EROFS_FS_POSIX_ACL=y +CONFIG_EROFS_FS_SECURITY=y +# CONFIG_EROFS_FS_ZIP is not set +CONFIG_EROFS_FS_ONDEMAND=y +CONFIG_NETWORK_FILESYSTEMS=y +CONFIG_NFS_FS=m +CONFIG_NFS_V2=m +CONFIG_NFS_V3=m +CONFIG_NFS_V3_ACL=y +CONFIG_NFS_V4=m +# CONFIG_NFS_SWAP is not set +CONFIG_NFS_V4_1=y +CONFIG_NFS_V4_2=y +CONFIG_PNFS_FILE_LAYOUT=m +CONFIG_PNFS_BLOCK=m +CONFIG_PNFS_FLEXFILE_LAYOUT=m +CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" +# CONFIG_NFS_V4_1_MIGRATION is not set +CONFIG_NFS_V4_SECURITY_LABEL=y +CONFIG_NFS_FSCACHE=y +# CONFIG_NFS_USE_LEGACY_DNS is not set +CONFIG_NFS_USE_KERNEL_DNS=y +# CONFIG_NFS_DISABLE_UDP_SUPPORT is not set +# CONFIG_NFS_V4_2_READ_PLUS is not set +CONFIG_ENFS=m +CONFIG_NFSD=m +# CONFIG_NFSD_V2 is not set +CONFIG_NFSD_V3_ACL=y +CONFIG_NFSD_V4=y +CONFIG_NFSD_PNFS=y +CONFIG_NFSD_BLOCKLAYOUT=y +CONFIG_NFSD_SCSILAYOUT=y +CONFIG_NFSD_FLEXFILELAYOUT=y +CONFIG_NFSD_V4_2_INTER_SSC=y +CONFIG_NFSD_V4_SECURITY_LABEL=y +CONFIG_GRACE_PERIOD=m +CONFIG_LOCKD=m +CONFIG_LOCKD_V4=y +CONFIG_NFS_ACL_SUPPORT=m +CONFIG_NFS_COMMON=y +CONFIG_NFS_V4_2_SSC_HELPER=y +CONFIG_SUNRPC=m +CONFIG_SUNRPC_GSS=m +CONFIG_SUNRPC_BACKCHANNEL=y +CONFIG_RPCSEC_GSS_KRB5=m +CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y +# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA is not set +# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set +# CONFIG_SUNRPC_DEBUG is not set +CONFIG_SUNRPC_XPRT_RDMA=m +CONFIG_SUNRPC_ENFS=m +CONFIG_CEPH_FS=m +# CONFIG_CEPH_FSCACHE is not set +CONFIG_CEPH_FS_POSIX_ACL=y +# CONFIG_CEPH_FS_SECURITY_LABEL is not set 
+CONFIG_CIFS=m +# CONFIG_CIFS_STATS2 is not set +CONFIG_CIFS_ALLOW_INSECURE_LEGACY=y +CONFIG_CIFS_UPCALL=y +CONFIG_CIFS_XATTR=y +CONFIG_CIFS_POSIX=y +CONFIG_CIFS_DEBUG=y +# CONFIG_CIFS_DEBUG2 is not set +# CONFIG_CIFS_DEBUG_DUMP_KEYS is not set +CONFIG_CIFS_DFS_UPCALL=y +# CONFIG_CIFS_SWN_UPCALL is not set +# CONFIG_CIFS_SMB_DIRECT is not set +# CONFIG_CIFS_FSCACHE is not set +# CONFIG_SMB_SERVER is not set +CONFIG_SMBFS=m +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=m +CONFIG_9P_FSCACHE=y +CONFIG_9P_FS_POSIX_ACL=y +CONFIG_9P_FS_SECURITY=y +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="utf8" +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_CODEPAGE_737=m +CONFIG_NLS_CODEPAGE_775=m +CONFIG_NLS_CODEPAGE_850=m +CONFIG_NLS_CODEPAGE_852=m +CONFIG_NLS_CODEPAGE_855=m +CONFIG_NLS_CODEPAGE_857=m +CONFIG_NLS_CODEPAGE_860=m +CONFIG_NLS_CODEPAGE_861=m +CONFIG_NLS_CODEPAGE_862=m +CONFIG_NLS_CODEPAGE_863=m +CONFIG_NLS_CODEPAGE_864=m +CONFIG_NLS_CODEPAGE_865=m +CONFIG_NLS_CODEPAGE_866=m +CONFIG_NLS_CODEPAGE_869=m +CONFIG_NLS_CODEPAGE_936=m +CONFIG_NLS_CODEPAGE_950=m +CONFIG_NLS_CODEPAGE_932=m +CONFIG_NLS_CODEPAGE_949=m +CONFIG_NLS_CODEPAGE_874=m +CONFIG_NLS_ISO8859_8=m +CONFIG_NLS_CODEPAGE_1250=m +CONFIG_NLS_CODEPAGE_1251=m +CONFIG_NLS_ASCII=y +CONFIG_NLS_ISO8859_1=m +CONFIG_NLS_ISO8859_2=m +CONFIG_NLS_ISO8859_3=m +CONFIG_NLS_ISO8859_4=m +CONFIG_NLS_ISO8859_5=m +CONFIG_NLS_ISO8859_6=m +CONFIG_NLS_ISO8859_7=m +CONFIG_NLS_ISO8859_9=m +CONFIG_NLS_ISO8859_13=m +CONFIG_NLS_ISO8859_14=m +CONFIG_NLS_ISO8859_15=m +CONFIG_NLS_KOI8_R=m +CONFIG_NLS_KOI8_U=m +CONFIG_NLS_MAC_ROMAN=m +CONFIG_NLS_MAC_CELTIC=m +CONFIG_NLS_MAC_CENTEURO=m +CONFIG_NLS_MAC_CROATIAN=m +CONFIG_NLS_MAC_CYRILLIC=m +CONFIG_NLS_MAC_GAELIC=m +CONFIG_NLS_MAC_GREEK=m +CONFIG_NLS_MAC_ICELAND=m +CONFIG_NLS_MAC_INUIT=m +CONFIG_NLS_MAC_ROMANIAN=m +CONFIG_NLS_MAC_TURKISH=m +CONFIG_NLS_UTF8=m +CONFIG_NLS_UCS2_UTILS=m +CONFIG_DLM=m +# CONFIG_DLM_DEBUG is not set +CONFIG_UNICODE=y +# CONFIG_UNICODE_NORMALIZATION_SELFTEST is not 
set +CONFIG_IO_WQ=y +# end of File systems + +# +# Security options +# +CONFIG_KEYS=y +# CONFIG_KEYS_REQUEST_CACHE is not set +CONFIG_PERSISTENT_KEYRINGS=y +CONFIG_TRUSTED_KEYS=y +CONFIG_TRUSTED_KEYS_TPM=y +CONFIG_ENCRYPTED_KEYS=y +# CONFIG_USER_DECRYPTED_DATA is not set +# CONFIG_KEY_DH_OPERATIONS is not set +CONFIG_SECURITY_DMESG_RESTRICT=y +CONFIG_PROC_MEM_ALWAYS_FORCE=y +# CONFIG_PROC_MEM_FORCE_PTRACE is not set +# CONFIG_PROC_MEM_NO_FORCE is not set +CONFIG_SECURITY=y +CONFIG_SECURITYFS=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_INFINIBAND=y +CONFIG_SECURITY_NETWORK_XFRM=y +CONFIG_SECURITY_PATH=y +CONFIG_LSM_MMAP_MIN_ADDR=32768 +CONFIG_HARDENED_USERCOPY=y +CONFIG_FORTIFY_SOURCE=y +CONFIG_STATIC_USERMODEHELPER=y +CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper" +CONFIG_SECURITY_SELINUX=y +CONFIG_SECURITY_SELINUX_BOOTPARAM=y +CONFIG_SECURITY_SELINUX_DEVELOP=y +CONFIG_SECURITY_SELINUX_AVC_STATS=y +CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9 +CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256 +# CONFIG_SECURITY_SELINUX_DEBUG is not set +# CONFIG_SECURITY_SMACK is not set +# CONFIG_SECURITY_TOMOYO is not set +CONFIG_SECURITY_APPARMOR=y +# CONFIG_SECURITY_APPARMOR_DEBUG is not set +CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y +CONFIG_SECURITY_APPARMOR_HASH=y +CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y +CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y +CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y +# CONFIG_SECURITY_LOADPIN is not set +CONFIG_SECURITY_YAMA=y +# CONFIG_SECURITY_SAFESETID is not set +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y +# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set +CONFIG_SECURITY_LANDLOCK=y +CONFIG_INTEGRITY=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +# CONFIG_INTEGRITY_MACHINE_KEYRING is not set +CONFIG_LOAD_UEFI_KEYS=y 
+CONFIG_INTEGRITY_AUDIT=y +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_LSM_RULES=y +CONFIG_IMA_NG_TEMPLATE=y +# CONFIG_IMA_SIG_TEMPLATE is not set +CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set +# CONFIG_IMA_DEFAULT_HASH_SM3 is not set +CONFIG_IMA_DEFAULT_HASH="sha256" +# CONFIG_IMA_WRITE_POLICY is not set +CONFIG_IMA_READ_POLICY=y +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_APPRAISE_MODSIG=y +# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set +CONFIG_IMA_LOAD_X509=y +CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" +# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y +# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set +# CONFIG_IMA_DISABLE_HTABLE is not set +CONFIG_IMA_DIGEST_LIST=y +CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists" +CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y +# CONFIG_IMA_MAX_DIGEST_DB_SIZE is not set +# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set +CONFIG_IMA_DIGEST_DB_MEGABYTES=16 +CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists" +# CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS is not set +CONFIG_EVM=y +# CONFIG_EVM_DEFAULT_HASH_SHA1 is not set +CONFIG_EVM_DEFAULT_HASH_SHA256=y +# CONFIG_EVM_DEFAULT_HASH_SHA512 is not set +CONFIG_EVM_DEFAULT_HASH="sha256" +CONFIG_EVM_ATTR_FSUUID=y +# CONFIG_EVM_ADD_XATTRS is not set +CONFIG_EVM_LOAD_X509=y +CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" +CONFIG_DEFAULT_SECURITY_SELINUX=y +# CONFIG_DEFAULT_SECURITY_APPARMOR is not set +# CONFIG_DEFAULT_SECURITY_DAC is not set +CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + +# +# Kernel hardening options +# + +# +# Memory initialization +# 
+CONFIG_CC_HAS_AUTO_VAR_INIT_PATTERN=y +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO_BARE=y +CONFIG_CC_HAS_AUTO_VAR_INIT_ZERO=y +CONFIG_INIT_STACK_NONE=y +# CONFIG_INIT_STACK_ALL_PATTERN is not set +# CONFIG_INIT_STACK_ALL_ZERO is not set +CONFIG_GCC_PLUGIN_STACKLEAK=y +# CONFIG_GCC_PLUGIN_STACKLEAK_VERBOSE is not set +CONFIG_STACKLEAK_TRACK_MIN_SIZE=100 +# CONFIG_STACKLEAK_METRICS is not set +# CONFIG_STACKLEAK_RUNTIME_DISABLE is not set +CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y +CONFIG_INIT_ON_FREE_DEFAULT_ON=y +CONFIG_CC_HAS_ZERO_CALL_USED_REGS=y +# CONFIG_ZERO_CALL_USED_REGS is not set +# end of Memory initialization + +# +# Hardening of kernel data structures +# +CONFIG_LIST_HARDENED=y +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# end of Hardening of kernel data structures + +CONFIG_RANDSTRUCT_NONE=y +# CONFIG_RANDSTRUCT_FULL is not set +# CONFIG_RANDSTRUCT_PERFORMANCE is not set +# end of Kernel hardening options +# end of Security options + +CONFIG_XOR_BLOCKS=m +CONFIG_ASYNC_CORE=m +CONFIG_ASYNC_MEMCPY=m +CONFIG_ASYNC_XOR=m +CONFIG_ASYNC_PQ=m +CONFIG_ASYNC_RAID6_RECOV=m +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_FIPS=y +CONFIG_CRYPTO_FIPS_NAME="Linux Kernel Cryptographic API" +# CONFIG_CRYPTO_FIPS_CUSTOM_VERSION is not set +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_SIG=y +CONFIG_CRYPTO_SIG2=y +CONFIG_CRYPTO_SKCIPHER=y +CONFIG_CRYPTO_SKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=m +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=m +# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set +# CONFIG_CRYPTO_MANAGER_EXTRA_TESTS is not set +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_PCRYPT=m +CONFIG_CRYPTO_CRYPTD=m +CONFIG_CRYPTO_AUTHENC=m +CONFIG_CRYPTO_TEST=m 
+CONFIG_CRYPTO_ENGINE=m +# end of Crypto core or helper + +# +# Public-key cryptography +# +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_DH=m +# CONFIG_CRYPTO_DH_RFC7919_GROUPS is not set +CONFIG_CRYPTO_ECC=m +CONFIG_CRYPTO_ECDH=m +# CONFIG_CRYPTO_ECDSA is not set +# CONFIG_CRYPTO_ECRDSA is not set +CONFIG_CRYPTO_SM2=y +CONFIG_CRYPTO_CURVE25519=m +# end of Public-key cryptography + +# +# Block ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_ANUBIS=m +# CONFIG_CRYPTO_ARIA is not set +CONFIG_CRYPTO_BLOWFISH=m +CONFIG_CRYPTO_BLOWFISH_COMMON=m +CONFIG_CRYPTO_CAMELLIA=m +CONFIG_CRYPTO_CAST_COMMON=m +CONFIG_CRYPTO_CAST5=m +CONFIG_CRYPTO_CAST6=m +CONFIG_CRYPTO_DES=m +CONFIG_CRYPTO_FCRYPT=m +CONFIG_CRYPTO_KHAZAD=m +CONFIG_CRYPTO_SEED=m +CONFIG_CRYPTO_SERPENT=m +CONFIG_CRYPTO_SM4=m +CONFIG_CRYPTO_SM4_GENERIC=m +CONFIG_CRYPTO_TEA=m +CONFIG_CRYPTO_TWOFISH=m +CONFIG_CRYPTO_TWOFISH_COMMON=m +# end of Block ciphers + +# +# Length-preserving ciphers and modes +# +# CONFIG_CRYPTO_ADIANTUM is not set +CONFIG_CRYPTO_ARC4=m +CONFIG_CRYPTO_CHACHA20=m +CONFIG_CRYPTO_CBC=y +# CONFIG_CRYPTO_CFB is not set +CONFIG_CRYPTO_CTR=y +CONFIG_CRYPTO_CTS=m +CONFIG_CRYPTO_ECB=y +# CONFIG_CRYPTO_HCTR2 is not set +# CONFIG_CRYPTO_KEYWRAP is not set +CONFIG_CRYPTO_LRW=m +# CONFIG_CRYPTO_OFB is not set +CONFIG_CRYPTO_PCBC=m +CONFIG_CRYPTO_XTS=m +CONFIG_CRYPTO_NHPOLY1305=m +# end of Length-preserving ciphers and modes + +# +# AEAD (authenticated encryption with associated data) ciphers +# +# CONFIG_CRYPTO_AEGIS128 is not set +CONFIG_CRYPTO_CHACHA20POLY1305=m +CONFIG_CRYPTO_CCM=m +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_GENIV=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=m +CONFIG_CRYPTO_ESSIV=m +# end of AEAD (authenticated encryption with associated data) ciphers + +# +# Hashes, digests, and MACs +# +CONFIG_CRYPTO_BLAKE2B=m +CONFIG_CRYPTO_CMAC=m +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_MD4=m +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=m 
+CONFIG_CRYPTO_POLY1305=m +CONFIG_CRYPTO_RMD160=m +CONFIG_CRYPTO_SHA1=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_SM3_GENERIC=y +# CONFIG_CRYPTO_STREEBOG is not set +CONFIG_CRYPTO_VMAC=m +CONFIG_CRYPTO_WP512=m +CONFIG_CRYPTO_XCBC=m +CONFIG_CRYPTO_XXHASH=m +# end of Hashes, digests, and MACs + +# +# CRCs (cyclic redundancy checks) +# +CONFIG_CRYPTO_CRC32C=y +CONFIG_CRYPTO_CRC32=m +CONFIG_CRYPTO_CRCT10DIF=y +CONFIG_CRYPTO_CRC64_ROCKSOFT=m +# end of CRCs (cyclic redundancy checks) + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +# CONFIG_CRYPTO_842 is not set +CONFIG_CRYPTO_LZ4=m +CONFIG_CRYPTO_LZ4HC=m +CONFIG_CRYPTO_ZSTD=y +# end of Compression + +# +# Random number generation +# +CONFIG_CRYPTO_ANSI_CPRNG=m +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +# CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE is not set +# end of Random number generation + +# +# Userspace interface +# +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +CONFIG_CRYPTO_USER_API_RNG=y +# CONFIG_CRYPTO_USER_API_RNG_CAVP is not set +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE=y +# CONFIG_CRYPTO_STATS is not set +# end of Userspace interface + +CONFIG_CRYPTO_HASH_INFO=y +CONFIG_CRYPTO_NHPOLY1305_NEON=m +CONFIG_CRYPTO_CHACHA20_NEON=m + +# +# Accelerated Cryptographic Algorithms for CPU (arm64) +# +CONFIG_CRYPTO_GHASH_ARM64_CE=m +CONFIG_CRYPTO_POLY1305_NEON=m +CONFIG_CRYPTO_SHA1_ARM64_CE=m +CONFIG_CRYPTO_SHA256_ARM64=m +CONFIG_CRYPTO_SHA2_ARM64_CE=m +CONFIG_CRYPTO_SHA512_ARM64=m +CONFIG_CRYPTO_SHA512_ARM64_CE=m +CONFIG_CRYPTO_SHA3_ARM64=m +# CONFIG_CRYPTO_SM3_NEON is not set +CONFIG_CRYPTO_SM3_ARM64_CE=m +# CONFIG_CRYPTO_POLYVAL_ARM64_CE is not set +CONFIG_CRYPTO_AES_ARM64=y +CONFIG_CRYPTO_AES_ARM64_CE=m +CONFIG_CRYPTO_AES_ARM64_CE_BLK=m 
+CONFIG_CRYPTO_AES_ARM64_NEON_BLK=m +CONFIG_CRYPTO_AES_ARM64_BS=m +CONFIG_CRYPTO_SM4_ARM64_CE=m +CONFIG_CRYPTO_SM4_ARM64_CE_BLK=m +CONFIG_CRYPTO_SM4_ARM64_NEON_BLK=m +CONFIG_CRYPTO_AES_ARM64_CE_CCM=m +# CONFIG_CRYPTO_SM4_ARM64_CE_CCM is not set +# CONFIG_CRYPTO_SM4_ARM64_CE_GCM is not set +CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m +# end of Accelerated Cryptographic Algorithms for CPU (arm64) + +CONFIG_CRYPTO_HW=y +# CONFIG_CRYPTO_DEV_ATMEL_ECC is not set +# CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set +CONFIG_CRYPTO_DEV_CCP=y +CONFIG_CRYPTO_DEV_CCP_DD=m +CONFIG_CRYPTO_DEV_SP_CCP=y +CONFIG_CRYPTO_DEV_CCP_CRYPTO=m +# CONFIG_CRYPTO_DEV_CCP_DEBUGFS is not set +CONFIG_CRYPTO_DEV_CPT=m +CONFIG_CAVIUM_CPT=m +# CONFIG_CRYPTO_DEV_NITROX_CNN55XX is not set +# CONFIG_CRYPTO_DEV_OCTEONTX_CPT is not set +# CONFIG_CRYPTO_DEV_QAT_DH895xCC is not set +# CONFIG_CRYPTO_DEV_QAT_C3XXX is not set +# CONFIG_CRYPTO_DEV_QAT_C62X is not set +# CONFIG_CRYPTO_DEV_QAT_4XXX is not set +# CONFIG_CRYPTO_DEV_QAT_420XX is not set +# CONFIG_CRYPTO_DEV_QAT_DH895xCCVF is not set +# CONFIG_CRYPTO_DEV_QAT_C3XXXVF is not set +# CONFIG_CRYPTO_DEV_QAT_C62XVF is not set +CONFIG_CRYPTO_DEV_CAVIUM_ZIP=m +# CONFIG_CRYPTO_DEV_QCE is not set +# CONFIG_CRYPTO_DEV_QCOM_RNG is not set +CONFIG_CRYPTO_DEV_CHELSIO=m +CONFIG_CRYPTO_DEV_VIRTIO=m +# CONFIG_CRYPTO_DEV_SAFEXCEL is not set +# CONFIG_CRYPTO_DEV_CCREE is not set +CONFIG_CRYPTO_DEV_HISI_SEC=m +CONFIG_CRYPTO_DEV_HISI_SEC2=m +CONFIG_CRYPTO_DEV_HISI_QM=m +CONFIG_CRYPTO_DEV_HISI_ZIP=m +CONFIG_CRYPTO_DEV_HISI_HPRE=m +CONFIG_CRYPTO_DEV_HISI_TRNG=m +# CONFIG_CRYPTO_DEV_AMLOGIC_GXL is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_PKCS7_TEST_KEY is not set +CONFIG_SIGNED_PE_FILE_VERIFICATION=y +# CONFIG_FIPS_SIGNATURE_SELFTEST is not set +CONFIG_PGP_LIBRARY=y +CONFIG_PGP_KEY_PARSER=y +CONFIG_PGP_PRELOAD=y + +# +# Certificates 
for signature checking +# +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_MODULE_SIG_KEY_TYPE_RSA=y +# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +CONFIG_SECONDARY_TRUSTED_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +CONFIG_SYSTEM_REVOCATION_LIST=y +CONFIG_SYSTEM_REVOCATION_KEYS="" +# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set +CONFIG_PGP_PRELOAD_PUBLIC_KEYS=y +# end of Certificates for signature checking + +CONFIG_BINARY_PRINTF=y + +# +# Library routines +# +CONFIG_RAID6_PQ=m +CONFIG_RAID6_PQ_BENCHMARK=y +CONFIG_LINEAR_RANGES=y +# CONFIG_PACKING is not set +CONFIG_BITREVERSE=y +CONFIG_HAVE_ARCH_BITREVERSE=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_CORDIC=m +# CONFIG_PRIME_NUMBERS is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_ARCH_USE_SYM_ANNOTATIONS=y +CONFIG_INDIRECT_PIO=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_UTILS=y +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +CONFIG_CRYPTO_LIB_GF128MUL=y +CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +# CONFIG_CRYPTO_LIB_CHACHA is not set +CONFIG_CRYPTO_LIB_CURVE25519_GENERIC=m +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 +CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305=m +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA1=y +CONFIG_CRYPTO_LIB_SHA256=y +# end of Crypto library routines + +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +CONFIG_CRC_T10DIF=y +CONFIG_CRC64_ROCKSOFT=m +CONFIG_CRC_ITU_T=m +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 
is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +CONFIG_CRC64=m +# CONFIG_CRC4 is not set +CONFIG_CRC7=m +CONFIG_LIBCRC32C=m +CONFIG_CRC8=m +CONFIG_XXHASH=y +CONFIG_AUDIT_GENERIC=y +CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y +CONFIG_AUDIT_COMPAT_GENERIC=y +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=m +CONFIG_LZ4HC_COMPRESS=m +CONFIG_LZ4_DECOMPRESS=y +CONFIG_ZSTD_COMMON=y +CONFIG_ZSTD_COMPRESS=y +CONFIG_ZSTD_DECOMPRESS=y +CONFIG_XZ_DEC=y +CONFIG_XZ_DEC_X86=y +CONFIG_XZ_DEC_POWERPC=y +CONFIG_XZ_DEC_IA64=y +CONFIG_XZ_DEC_ARM=y +CONFIG_XZ_DEC_ARMTHUMB=y +CONFIG_XZ_DEC_SPARC=y +# CONFIG_XZ_DEC_MICROLZMA is not set +CONFIG_XZ_DEC_BCJ=y +# CONFIG_XZ_DEC_TEST is not set +CONFIG_DECOMPRESS_GZIP=y +CONFIG_DECOMPRESS_BZIP2=y +CONFIG_DECOMPRESS_LZMA=y +CONFIG_DECOMPRESS_XZ=y +CONFIG_DECOMPRESS_LZO=y +CONFIG_DECOMPRESS_LZ4=y +CONFIG_DECOMPRESS_ZSTD=y +CONFIG_GENERIC_ALLOCATOR=y +CONFIG_REED_SOLOMON=m +CONFIG_REED_SOLOMON_ENC8=y +CONFIG_REED_SOLOMON_DEC8=y +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=m +CONFIG_TEXTSEARCH_BM=m +CONFIG_TEXTSEARCH_FSM=m +CONFIG_BTREE=y +CONFIG_INTERVAL_TREE=y +CONFIG_INTERVAL_TREE_SPAN_ITER=y +CONFIG_XARRAY_MULTI=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +CONFIG_DMA_OPS=y +CONFIG_NEED_SG_DMA_FLAGS=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_DMA_DECLARE_COHERENT=y +CONFIG_ARCH_HAS_SETUP_DMA_OPS=y +CONFIG_ARCH_HAS_TEARDOWN_DMA_OPS=y +CONFIG_ARCH_HAS_SYNC_DMA_FOR_DEVICE=y +CONFIG_ARCH_HAS_SYNC_DMA_FOR_CPU=y +CONFIG_ARCH_HAS_DMA_PREP_COHERENT=y +CONFIG_SWIOTLB=y +# CONFIG_SWIOTLB_DYNAMIC is not set +CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC=y +CONFIG_DMA_RESTRICTED_POOL=y +CONFIG_DMA_NONCOHERENT_MMAP=y +CONFIG_DMA_COHERENT_POOL=y +CONFIG_DMA_DIRECT_REMAP=y +CONFIG_DMA_CMA=y +# CONFIG_DMA_NUMA_CMA is not 
set + +# +# Default contiguous memory area size: +# +CONFIG_CMA_SIZE_MBYTES=0 +CONFIG_CMA_SIZE_SEL_MBYTES=y +# CONFIG_CMA_SIZE_SEL_PERCENTAGE is not set +# CONFIG_CMA_SIZE_SEL_MIN is not set +# CONFIG_CMA_SIZE_SEL_MAX is not set +CONFIG_CMA_ALIGNMENT=8 +# CONFIG_DMA_API_DEBUG is not set +CONFIG_SGL_ALLOC=y +CONFIG_CHECK_SIGNATURE=y +CONFIG_CPU_RMAP=y +CONFIG_DQL=y +CONFIG_GLOB=y +# CONFIG_GLOB_SELFTEST is not set +CONFIG_NLATTR=y +CONFIG_LRU_CACHE=m +CONFIG_CLZ_TAB=y +CONFIG_IRQ_POLL=y +CONFIG_MPILIB=y +CONFIG_SIGNATURE=y +CONFIG_DIMLIB=y +CONFIG_LIBFDT=y +CONFIG_OID_REGISTRY=y +CONFIG_UCS2_STRING=y +CONFIG_HAVE_GENERIC_VDSO=y +CONFIG_GENERIC_GETTIMEOFDAY=y +CONFIG_GENERIC_VDSO_TIME_NS=y +CONFIG_FONT_SUPPORT=y +# CONFIG_FONTS is not set +CONFIG_FONT_8x8=y +CONFIG_FONT_8x16=y +CONFIG_SG_SPLIT=y +CONFIG_SG_POOL=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_MEMREGION=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_ARCH_HAS_COPY_MC=y +CONFIG_ARCH_STACKWALK=y +CONFIG_STACKDEPOT=y +CONFIG_SBITMAP=y +# end of Library routines + +CONFIG_GENERIC_IOREMAP=y +CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED=y +CONFIG_PLDMFW=y +CONFIG_ASN1_ENCODER=y + +# +# Kernel hacking +# + +# +# printk and dmesg options +# +CONFIG_PRINTK_TIME=y +CONFIG_PRINTK_CALLER=y +# CONFIG_STACKTRACE_BUILD_ID is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_CONSOLE_LOGLEVEL_QUIET=4 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +CONFIG_BOOT_PRINTK_DELAY=y +CONFIG_DYNAMIC_DEBUG=y +CONFIG_DYNAMIC_DEBUG_CORE=y +CONFIG_SYMBOLIC_ERRNAME=y +CONFIG_DEBUG_BUGVERBOSE=y +# end of printk and dmesg options + +CONFIG_DEBUG_KERNEL=y +CONFIG_DEBUG_MISC=y + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +CONFIG_AS_HAS_NON_CONST_LEB128=y +# CONFIG_DEBUG_INFO_NONE is not set +# CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT is not set +CONFIG_DEBUG_INFO_DWARF4=y +# CONFIG_DEBUG_INFO_DWARF5 is not set +# CONFIG_DEBUG_INFO_REDUCED is not set +CONFIG_DEBUG_INFO_COMPRESSED_NONE=y +# CONFIG_DEBUG_INFO_COMPRESSED_ZLIB is not set +# 
CONFIG_DEBUG_INFO_SPLIT is not set +CONFIG_DEBUG_INFO_BTF=y +# CONFIG_GDB_SCRIPTS is not set +CONFIG_FRAME_WARN=2048 +CONFIG_STRIP_ASM_SYMS=y +# CONFIG_READABLE_ASM is not set +# CONFIG_HEADERS_INSTALL is not set +# CONFIG_OPTIMIZE_INLINING is not set +CONFIG_DEBUG_SECTION_MISMATCH=y +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +# CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B is not set +CONFIG_ARCH_WANT_FRAME_POINTERS=y +CONFIG_FRAME_POINTER=y +# CONFIG_VMLINUX_MAP is not set +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# end of Compile-time checks and compiler options + +# +# Generic Kernel Debugging Instruments +# +# CONFIG_MAGIC_SYSRQ is not set +# CONFIG_DEBUG_FS is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_UBSAN is not set +CONFIG_HAVE_ARCH_KCSAN=y +CONFIG_HAVE_KCSAN_COMPILER=y +# CONFIG_KCSAN is not set +# end of Generic Kernel Debugging Instruments + +# +# Networking Debugging +# +# CONFIG_NET_DEV_REFCNT_TRACKER is not set +# CONFIG_NET_NS_REFCNT_TRACKER is not set +# CONFIG_DEBUG_NET is not set +# end of Networking Debugging + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +CONFIG_SLUB_DEBUG=y +# CONFIG_SLUB_DEBUG_ON is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_PAGE_TABLE_CHECK is not set +# CONFIG_PAGE_POISONING is not set +# CONFIG_DEBUG_RODATA_TEST is not set +CONFIG_ARCH_HAS_DEBUG_WX=y +CONFIG_DEBUG_WX=y +CONFIG_GENERIC_PTDUMP=y +CONFIG_PTDUMP_CORE=y +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_PER_VMA_LOCK_STATS is not set +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +CONFIG_ARCH_HAS_DEBUG_VM_PGTABLE=y +# CONFIG_DEBUG_VM is not set +# CONFIG_DEBUG_VM_PGTABLE is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_HAVE_ARCH_KASAN=y 
+CONFIG_HAVE_ARCH_KASAN_SW_TAGS=y +CONFIG_HAVE_ARCH_KASAN_HW_TAGS=y +CONFIG_HAVE_ARCH_KASAN_VMALLOC=y +CONFIG_CC_HAS_KASAN_GENERIC=y +CONFIG_CC_HAS_KASAN_SW_TAGS=y +CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y +# CONFIG_KASAN is not set +CONFIG_HAVE_ARCH_KFENCE=y +# CONFIG_KFENCE is not set +# end of Memory Debugging + +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Oops, Lockups and Hangs +# +CONFIG_PANIC_ON_OOPS=y +CONFIG_PANIC_ON_OOPS_VALUE=1 +CONFIG_PANIC_TIMEOUT=0 +CONFIG_LOCKUP_DETECTOR=y +CONFIG_SOFTLOCKUP_DETECTOR=y +# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set +CONFIG_HAVE_HARDLOCKUP_DETECTOR_BUDDY=y +CONFIG_SDEI_WATCHDOG=y +CONFIG_HARDLOCKUP_DETECTOR=y +# CONFIG_HARDLOCKUP_DETECTOR_PREFER_BUDDY is not set +CONFIG_HARDLOCKUP_DETECTOR_PERF=y +# CONFIG_HARDLOCKUP_DETECTOR_BUDDY is not set +# CONFIG_HARDLOCKUP_DETECTOR_ARCH is not set +CONFIG_HARDLOCKUP_DETECTOR_COUNTS_HRTIMER=y +CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_WQ_CPU_INTENSIVE_REPORT is not set +# CONFIG_TEST_LOCKUP is not set +# end of Debug Oops, Lockups and Hangs + +# +# Scheduler Debugging +# +CONFIG_SCHED_INFO=y +CONFIG_SCHEDSTATS=y +# end of Scheduler Debugging + +# CONFIG_DEBUG_TIMEKEEPING is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) 
+# +CONFIG_LOCK_DEBUGGING_SUPPORT=y +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_RWSEMS is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_SCF_TORTURE_TEST is not set +# CONFIG_CSD_LOCK_WAIT_DEBUG is not set +# end of Lock Debugging (spinlocks, mutexes, etc...) + +# CONFIG_DEBUG_IRQFLAGS is not set +CONFIG_STACKTRACE=y +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set + +# +# Debug kernel data structures +# +CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_PLIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_MAPLE_TREE is not set +# end of Debug kernel data structures + +# +# RCU Debugging +# +# CONFIG_RCU_SCALE_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_REF_SCALE_TEST is not set +CONFIG_RCU_CPU_STALL_TIMEOUT=60 +CONFIG_RCU_EXP_CPU_STALL_TIMEOUT=0 +# CONFIG_RCU_CPU_STALL_CPUTIME is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# end of RCU Debugging + +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_CPU_HOTPLUG_STATE_CONTROL is not set +# CONFIG_LATENCYTOP is not set +# CONFIG_DEBUG_CGROUP_REF is not set +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_RETVAL=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +# CONFIG_FTRACE is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y +CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y +# CONFIG_STRICT_DEVMEM is not set + +# +# arm64 
Debugging +# +CONFIG_PID_IN_CONTEXTIDR=y +# CONFIG_DEBUG_EFI is not set +# CONFIG_ARM64_RELOC_TEST is not set +CONFIG_CORESIGHT=m +CONFIG_CORESIGHT_LINKS_AND_SINKS=m +CONFIG_CORESIGHT_LINK_AND_SINK_TMC=m +# CONFIG_CORESIGHT_CATU is not set +# CONFIG_CORESIGHT_SINK_TPIU is not set +# CONFIG_CORESIGHT_SINK_ETBV10 is not set +CONFIG_CORESIGHT_SOURCE_ETM4X=m +CONFIG_ETM4X_IMPDEF_FEATURE=y +# CONFIG_CORESIGHT_STM is not set +# CONFIG_CORESIGHT_CTI is not set +CONFIG_CORESIGHT_TRBE=m +CONFIG_ULTRASOC_SMB=m +# CONFIG_CORESIGHT_TPDM is not set +# CONFIG_CORESIGHT_TPDA is not set +# CONFIG_CORESIGHT_DUMMY is not set +# end of arm64 Debugging + +# +# Kernel Testing and Coverage +# +# CONFIG_KUNIT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +CONFIG_FUNCTION_ERROR_INJECTION=y +# CONFIG_FAULT_INJECTION is not set +CONFIG_ARCH_HAS_KCOV=y +CONFIG_CC_HAS_SANCOV_TRACE_PC=y +# CONFIG_KCOV is not set +# CONFIG_RUNTIME_TESTING_MENU is not set +CONFIG_ARCH_USE_MEMTEST=y +# CONFIG_MEMTEST is not set +# end of Kernel Testing and Coverage + +# +# Rust hacking +# +# end of Rust hacking +# end of Kernel hacking + +CONFIG_KWORKER_NUMA_AFFINITY=y -- Gitee From 7ed4a8763d4206335ae70830791f0b5812bdaaf9 Mon Sep 17 00:00:00 2001 
From: zhaozixuan Date: Sat, 26 Jul 2025 09:59:23 +0800 Subject: [PATCH 003/109] add secure config scripts --- .../tools/disable_accept_redirect.sh | 24 ++++++++++ .../tools/disable_icmp_broadcast.sh | 19 ++++++++ os-harden-tools/tools/disable_ip_forward.sh | 20 +++++++++ os-harden-tools/tools/disable_kexec.sh | 19 ++++++++ os-harden-tools/tools/disable_proxy_arp.sh | 20 +++++++++ os-harden-tools/tools/disable_source_route.sh | 22 ++++++++++ os-harden-tools/tools/disable_ssh_no_pass.sh | 18 ++++++++ .../disable_ssh_permit_user_environment.sh | 18 ++++++++ .../tools/disable_ssh_root_login.sh | 18 ++++++++ .../tools/disable_ssh_tcp_forwarding.sh | 18 ++++++++ .../tools/disable_ssh_x11_forwarding.sh | 18 ++++++++ os-harden-tools/tools/disable_sysrq.sh | 19 ++++++++ .../tools/disable_tcp_timestamps.sh | 20 +++++++++ .../tools/disable_uncommon_network_module.sh | 31 +++++++++++++ .../tools/drop_forge_icmp_package.sh | 19 ++++++++ .../tools/enable_bpf_jit_harden.sh | 19 ++++++++ .../tools/enable_dmesg_restrict.sh | 19 ++++++++ os-harden-tools/tools/enable_firewall.sh | 18 ++++++++ os-harden-tools/tools/enable_kernel_aslr.sh | 19 ++++++++ .../tools/enable_kernel_module_sign.sh | 27 ++++++++++++ os-harden-tools/tools/enable_kptr_restrict.sh | 19 ++++++++ os-harden-tools/tools/enable_panic_on_oops.sh | 19 ++++++++ os-harden-tools/tools/enable_ptrace_scope.sh | 19 ++++++++ os-harden-tools/tools/enable_rp_filter.sh | 20 +++++++++ os-harden-tools/tools/enable_rsyslog.sh | 17 +++++++ .../tools/enable_selinux_enforce.sh | 17 +++++++ .../tools/enable_tcp_syn_cookies.sh | 19 ++++++++ os-harden-tools/tools/list.md | 44 +++++++++++++++++++ .../tools/minimal_file_permission.sh | 40 +++++++++++++++++ .../tools/set_ssh_max_auth_tries.sh | 18 ++++++++ os-harden-tools/tools/symlink_protection.sh | 20 +++++++++ os-harden-tools/tools/utils.sh | 40 +++++++++++++++++ 32 files changed, 697 insertions(+) create mode 100755 os-harden-tools/tools/disable_accept_redirect.sh create mode 100755 
os-harden-tools/tools/disable_icmp_broadcast.sh create mode 100755 os-harden-tools/tools/disable_ip_forward.sh create mode 100755 os-harden-tools/tools/disable_kexec.sh create mode 100755 os-harden-tools/tools/disable_proxy_arp.sh create mode 100755 os-harden-tools/tools/disable_source_route.sh create mode 100755 os-harden-tools/tools/disable_ssh_no_pass.sh create mode 100755 os-harden-tools/tools/disable_ssh_permit_user_environment.sh create mode 100755 os-harden-tools/tools/disable_ssh_root_login.sh create mode 100755 os-harden-tools/tools/disable_ssh_tcp_forwarding.sh create mode 100755 os-harden-tools/tools/disable_ssh_x11_forwarding.sh create mode 100755 os-harden-tools/tools/disable_sysrq.sh create mode 100755 os-harden-tools/tools/disable_tcp_timestamps.sh create mode 100755 os-harden-tools/tools/disable_uncommon_network_module.sh create mode 100755 os-harden-tools/tools/drop_forge_icmp_package.sh create mode 100755 os-harden-tools/tools/enable_bpf_jit_harden.sh create mode 100755 os-harden-tools/tools/enable_dmesg_restrict.sh create mode 100755 os-harden-tools/tools/enable_firewall.sh create mode 100755 os-harden-tools/tools/enable_kernel_aslr.sh create mode 100755 os-harden-tools/tools/enable_kernel_module_sign.sh create mode 100755 os-harden-tools/tools/enable_kptr_restrict.sh create mode 100755 os-harden-tools/tools/enable_panic_on_oops.sh create mode 100755 os-harden-tools/tools/enable_ptrace_scope.sh create mode 100755 os-harden-tools/tools/enable_rp_filter.sh create mode 100755 os-harden-tools/tools/enable_rsyslog.sh create mode 100755 os-harden-tools/tools/enable_selinux_enforce.sh create mode 100755 os-harden-tools/tools/enable_tcp_syn_cookies.sh create mode 100755 os-harden-tools/tools/list.md create mode 100755 os-harden-tools/tools/minimal_file_permission.sh create mode 100755 os-harden-tools/tools/set_ssh_max_auth_tries.sh create mode 100755 os-harden-tools/tools/symlink_protection.sh create mode 100755 os-harden-tools/tools/utils.sh 
diff --git a/os-harden-tools/tools/disable_accept_redirect.sh b/os-harden-tools/tools/disable_accept_redirect.sh
new file mode 100755
index 0000000..84c80ba
--- /dev/null
+++ b/os-harden-tools/tools/disable_accept_redirect.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+set_sysctl "net.ipv4.conf.all.accept_redirects" "0"
+set_sysctl "net.ipv6.conf.all.accept_redirects" "0"
+set_sysctl "net.ipv4.conf.all.secure_redirects" "0"
+set_sysctl "net.ipv4.conf.default.secure_redirects" "0"
+set_sysctl "net.ipv4.conf.all.send_redirects" "0"
+set_sysctl "net.ipv4.conf.default.send_redirects" "0"
\ No newline at end of file
diff --git a/os-harden-tools/tools/disable_icmp_broadcast.sh b/os-harden-tools/tools/disable_icmp_broadcast.sh
new file mode 100755
index 0000000..2854eee
--- /dev/null
+++ b/os-harden-tools/tools/disable_icmp_broadcast.sh
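Review bot: `source $(pwd)/utils.sh` resolves utils.sh against the caller's current directory rather than the script's own location, so the script only works when launched from inside tools/ and will otherwise source whichever utils.sh happens to sit in the invoking directory; the same line appears in every script of this patch (the disable_icmp_broadcast.sh, disable_ip_forward.sh, disable_kexec.sh, disable_proxy_arp.sh, disable_source_route.sh, disable_ssh_no_pass.sh and disable_ssh_permit_user_environment.sh hunks). Anchoring on the script path fixes both problems: `source "$(dirname "$(readlink -f "$0")")/utils.sh"`. Separately, accept_redirects is written for `conf.all` only while secure_redirects and send_redirects cover both `all` and `default`, so interfaces created after the script runs keep the kernel default; adding `set_sysctl "net.ipv4.conf.default.accept_redirects" "0"` and `set_sysctl "net.ipv6.conf.default.accept_redirects" "0"` closes that gap, and the disable_ip_forward.sh hunk has the same omission for `net.ipv6.conf.default.forwarding`. The `# Description: Security Baseline Check Script for 1.1.14` header is copied verbatim into every file and does not say what the script does; each should name its own control.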
@@ -0,0 +1,19 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+set_sysctl "net.ipv4.icmp_echo_ignore_broadcasts" "1"
\ No newline at end of file
diff --git a/os-harden-tools/tools/disable_ip_forward.sh b/os-harden-tools/tools/disable_ip_forward.sh
new file mode 100755
index 0000000..abd13ea
--- /dev/null
+++ b/os-harden-tools/tools/disable_ip_forward.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+set_sysctl "net.ipv4.ip_forward" "0"
+set_sysctl "net.ipv6.conf.all.forwarding" "0"
\ No newline at end of file
diff --git a/os-harden-tools/tools/disable_kexec.sh b/os-harden-tools/tools/disable_kexec.sh
new file mode 100755
index 0000000..edd9561
--- /dev/null
+++ b/os-harden-tools/tools/disable_kexec.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+set_sysctl "kernel.kexec_load_disabled" "1"
\ No newline at end of file
diff --git a/os-harden-tools/tools/disable_proxy_arp.sh b/os-harden-tools/tools/disable_proxy_arp.sh
new file mode 100755
index 0000000..85021ca
--- /dev/null
+++ b/os-harden-tools/tools/disable_proxy_arp.sh
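Review bot: `kernel.kexec_load_disabled` is a one-way switch — once written as 1 the kernel refuses to set it back to 0 until reboot — and nothing in the hunk records that, so a later call with a different value, or a re-run that expects to toggle it, will fail in whatever way set_sysctl in utils.sh handles a rejected write, which is not visible here. A comment above the call, `# one-way: the kernel rejects clearing this back to 0 until the next reboot`, would spare the next maintainer that investigation. On a kernel built without kexec support the sysctl key does not exist at all, so if these scripts are also meant to run on such a kernel, set_sysctl needs to tolerate a missing key rather than report a failure.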
@@ -0,0 +1,20 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+set_sysctl "net.ipv4.conf.all.proxy_arp" "0"
+set_sysctl "net.ipv4.conf.default.proxy_arp" "0"
\ No newline at end of file
diff --git a/os-harden-tools/tools/disable_source_route.sh b/os-harden-tools/tools/disable_source_route.sh
new file mode 100755
index 0000000..7987e8f
--- /dev/null
+++ b/os-harden-tools/tools/disable_source_route.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+set_sysctl "net.ipv4.conf.all.accept_source_route" 0
+set_sysctl "net.ipv4.conf.default.accept_source_route" 0
+set_sysctl "net.ipv6.conf.all.accept_source_route" 0
+set_sysctl "net.ipv6.conf.default.accept_source_route" 0
\ No newline at end of file
diff --git a/os-harden-tools/tools/disable_ssh_no_pass.sh b/os-harden-tools/tools/disable_ssh_no_pass.sh
new file mode 100755
index 0000000..2b26dc5
--- /dev/null
+++ b/os-harden-tools/tools/disable_ssh_no_pass.sh
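Review bot: The four set_sysctl calls pass the value as a bare `0` while every other sysctl script in this patch quotes it as `"0"`; harmless for a single digit, but the inconsistency is exactly the kind of line that gets copied with an empty value and silently drops the second argument. Quote them as the siblings do, e.g. `set_sysctl "net.ipv4.conf.all.accept_source_route" "0"`.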
@@ -0,0 +1,18 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### +source $(pwd)/utils.sh + +set_ssh "PermitEmptyPasswords" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_permit_user_environment.sh b/os-harden-tools/tools/disable_ssh_permit_user_environment.sh new file mode 100755 index 0000000..3c44930 --- /dev/null +++ b/os-harden-tools/tools/disable_ssh_permit_user_environment.sh 
@@ -0,0 +1,18 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### +source $(pwd)/utils.sh + +set_ssh "PermitUserEnvironment" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_root_login.sh b/os-harden-tools/tools/disable_ssh_root_login.sh new file mode 100755 index 0000000..a1023a1 --- /dev/null +++ b/os-harden-tools/tools/disable_ssh_root_login.sh 
@@ -0,0 +1,18 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### +source $(pwd)/utils.sh + +set_ssh "PermitRootLogin" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_tcp_forwarding.sh b/os-harden-tools/tools/disable_ssh_tcp_forwarding.sh new file mode 100755 index 0000000..6cbf998 --- /dev/null +++ b/os-harden-tools/tools/disable_ssh_tcp_forwarding.sh 
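Review bot: `set_ssh "PermitRootLogin" "no"` is applied unconditionally and set_ssh restarts sshd immediately, so on a host where root is the only account with remote access this change locks out administration. A precondition check that at least one non-root user with a login shell exists (and, per the rationale list.md gives for this script, can escalate via sudo or su), or at minimum an explicit confirmation before applying, would be appropriate here.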
@@ -0,0 +1,18 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### +source $(pwd)/utils.sh + +set_ssh "AllowTcpForwarding" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_x11_forwarding.sh b/os-harden-tools/tools/disable_ssh_x11_forwarding.sh new file mode 100755 index 0000000..434b2f0 --- /dev/null +++ b/os-harden-tools/tools/disable_ssh_x11_forwarding.sh 
@@ -0,0 +1,18 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### +source $(pwd)/utils.sh + +set_ssh "X11Forwarding" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/disable_sysrq.sh b/os-harden-tools/tools/disable_sysrq.sh new file mode 100755 index 0000000..b801cc6 --- /dev/null +++ b/os-harden-tools/tools/disable_sysrq.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "kernel.sysrq" "0" \ No newline at end of file diff --git a/os-harden-tools/tools/disable_tcp_timestamps.sh b/os-harden-tools/tools/disable_tcp_timestamps.sh new file mode 100755 index 0000000..abd13ea --- /dev/null +++ b/os-harden-tools/tools/disable_tcp_timestamps.sh 
@@ -0,0 +1,20 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+set_sysctl "net.ipv4.ip_forward" "0"
+set_sysctl "net.ipv6.conf.all.forwarding" "0"
\ No newline at end of file
diff --git a/os-harden-tools/tools/disable_uncommon_network_module.sh b/os-harden-tools/tools/disable_uncommon_network_module.sh
new file mode 100755
index 0000000..c691036
--- /dev/null
+++ b/os-harden-tools/tools/disable_uncommon_network_module.sh
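Review bot: The file added here is named disable_tcp_timestamps.sh, but its body sets `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding`; `net.ipv4.tcp_timestamps` is never touched, and list.md documents a separate disable_ip_forward.sh for the forwarding settings, which does not appear in this excerpt. Either this file should contain `set_sysctl "net.ipv4.tcp_timestamps" "0"` with the two forwarding lines moved to disable_ip_forward.sh, or the file name and its list.md entry should be corrected; as committed, the timestamps hardening described in list.md is silently not applied. Since list.md itself notes that timestamps serve RTTM and PAWS, the trade-off of turning them off is worth a comment at the point of use.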
@@ -0,0 +1,31 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+config_path="/etc/modprobe.d/disable_uncommon_network_module.conf"
+
+function setup_conf() {
+ conf=$1
+ if [ ! -e ${config_path} ]; then
+ touch ${config_path}
+ fi
+
+ if ! grep -q "${conf}" "${config_path}"; then
+ echo "${conf}" >> "${config_path}"
+ fi
+}
+
+setup_conf "install sctp /bin/true"
+setup_conf "install tipc /bin/true"
\ No newline at end of file
diff --git a/os-harden-tools/tools/drop_forge_icmp_package.sh b/os-harden-tools/tools/drop_forge_icmp_package.sh
new file mode 100755
index 0000000..c14cbc7
--- /dev/null
+++ b/os-harden-tools/tools/drop_forge_icmp_package.sh
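Review bot: The `install sctp /bin/true` rule written to modprobe.d only prevents future automatic loads; if sctp or tipc is already loaded when the script runs, nothing is unloaded and nothing is reported, so the hardening appears applied while the protocol stays active until the next reboot. A check such as `lsmod | grep -q '^sctp '` followed by a message that a reboot or manual unload is still required would close that gap. `grep -q "${conf}"` also interprets the rule text as a regex; `grep -qF` would match it literally and avoid surprises if a rule ever contains metacharacters.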
@@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "net.ipv4.icmp_ignore_bogus_error_responses" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/enable_bpf_jit_harden.sh b/os-harden-tools/tools/enable_bpf_jit_harden.sh new file mode 100755 index 0000000..605c59c --- /dev/null +++ b/os-harden-tools/tools/enable_bpf_jit_harden.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "net.core.bpf_jit_harden" "2" \ No newline at end of file diff --git a/os-harden-tools/tools/enable_dmesg_restrict.sh b/os-harden-tools/tools/enable_dmesg_restrict.sh new file mode 100755 index 0000000..25d93de --- /dev/null +++ b/os-harden-tools/tools/enable_dmesg_restrict.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "kernel.dmesg_restrict" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/enable_firewall.sh b/os-harden-tools/tools/enable_firewall.sh new file mode 100755 index 0000000..21aaa67 --- /dev/null +++ b/os-harden-tools/tools/enable_firewall.sh 
@@ -0,0 +1,18 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+service firewalld start
+systemctl enable firewalld
\ No newline at end of file
diff --git a/os-harden-tools/tools/enable_kernel_aslr.sh b/os-harden-tools/tools/enable_kernel_aslr.sh
new file mode 100755
index 0000000..26bb116
--- /dev/null
+++ b/os-harden-tools/tools/enable_kernel_aslr.sh
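Review bot: `service firewalld start` and `systemctl enable firewalld` run with no error handling, so if firewalld is not installed or fails to start the script still exits 0 and the baseline appears satisfied. `systemctl enable --now firewalld || { echo "firewalld could not be enabled"; exit 1; }` performs both steps through one interface and fails loudly. The legacy `service` wrapper is also inconsistent with the systemctl calls used by the other scripts in this series.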
@@ -0,0 +1,19 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+source $(pwd)/utils.sh
+
+echo 2 > /proc/sys/kernel/randomize_va_space
\ No newline at end of file
diff --git a/os-harden-tools/tools/enable_kernel_module_sign.sh b/os-harden-tools/tools/enable_kernel_module_sign.sh
new file mode 100755
index 0000000..5631b97
--- /dev/null
+++ b/os-harden-tools/tools/enable_kernel_module_sign.sh
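Review bot: `echo 2 > /proc/sys/kernel/randomize_va_space` changes the running value only; it is never written to /etc/sysctl.conf, so unlike every other sysctl in this series the setting is lost at reboot. The script already sources utils.sh, so `set_sysctl "kernel.randomize_va_space" "2"` gives the persistent behaviour that list.md describes for this script. Note also that randomize_va_space governs user-space address layout, not the kernel image base, so the "kernel ASLR" wording in list.md is loose; the kernel-side randomization belongs with the build options in the README.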
@@ -0,0 +1,27 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+GRUB_CFG="/boot/efi/EFI/openEuler/grub.cfg"
+
+if ! grep -q 'module.sig_enforce' /proc/cmdline; then
+ if [ ! -f "${GRUB_CFG}" ]; then
+ echo "Cannot find ${GRUB_CFG}."
+ exit 1
+ fi
+
+ sed -i '/linuxefi/s/$/ module.sig_enforce/' "${GRUB_CFG}"
+ echo "GRUB config is updated, please reboot."
+fi
\ No newline at end of file
diff --git a/os-harden-tools/tools/enable_kptr_restrict.sh b/os-harden-tools/tools/enable_kptr_restrict.sh
new file mode 100755
index 0000000..9cf115f
--- /dev/null
+++ b/os-harden-tools/tools/enable_kptr_restrict.sh
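Review bot: The script is not idempotent and does not verify its own edit: it only checks /proc/cmdline, so running it twice before a reboot appends `module.sig_enforce` to the kernel lines a second time, and `sed -i '/linuxefi/…'` prints "GRUB config is updated" even when no line matched, which is the likely outcome on an aarch64 image where the generated entries use `linux` rather than `linuxefi` (inferred from the README's aarch64 target; confirm against a real grub.cfg). Editing the generated grub.cfg directly is also fragile, since the next grub2-mkconfig run rewrites it; the durable place for the parameter is GRUB_CMDLINE_LINUX in /etc/default/grub followed by regeneration. At minimum the script should check grub.cfg for the parameter before appending, match both spellings of the kernel command, and fail when nothing was changed, as below.

```bash
GRUB_CFG="/boot/efi/EFI/openEuler/grub.cfg"

if grep -q 'module.sig_enforce' /proc/cmdline; then
    exit 0
fi
if [ ! -f "${GRUB_CFG}" ]; then
    echo "Cannot find ${GRUB_CFG}."
    exit 1
fi
# Already patched but not yet rebooted: do not append a second copy.
if ! grep -q 'module.sig_enforce' "${GRUB_CFG}"; then
    sed -i '/^[[:space:]]*linux\(efi\)\?[[:space:]]/s/$/ module.sig_enforce/' "${GRUB_CFG}"
fi
grep -q 'module.sig_enforce' "${GRUB_CFG}" || { echo "No kernel entry was updated in ${GRUB_CFG}."; exit 1; }
echo "GRUB config is updated, please reboot."
```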
@@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "kernel.kptr_restrict" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/enable_panic_on_oops.sh b/os-harden-tools/tools/enable_panic_on_oops.sh new file mode 100755 index 0000000..ffe144d --- /dev/null +++ b/os-harden-tools/tools/enable_panic_on_oops.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "kernel.panic_on_oops" "2" \ No newline at end of file diff --git a/os-harden-tools/tools/enable_ptrace_scope.sh b/os-harden-tools/tools/enable_ptrace_scope.sh new file mode 100755 index 0000000..71ded97 --- /dev/null +++ b/os-harden-tools/tools/enable_ptrace_scope.sh 
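Review bot: `kernel.panic_on_oops` is documented as a 0/1 switch (0 to continue, 1 to panic); the value `"2"` written here is not a documented setting, and although the kernel appears to treat any non-zero value as enabled, the persisted line should be `set_sysctl "kernel.panic_on_oops" "1"` so that sysctl.conf matches the documentation and a compliance check comparing against 1 does not flag it. It would also help to note in the script header that this turns a recoverable fault into an outage, which is the intended trade-off per list.md but should be explicit to whoever runs the tool.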
@@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "kernel.yama.ptrace_scope" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/enable_rp_filter.sh b/os-harden-tools/tools/enable_rp_filter.sh new file mode 100755 index 0000000..a057566 --- /dev/null +++ b/os-harden-tools/tools/enable_rp_filter.sh 
@@ -0,0 +1,20 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "net.ipv4.conf.all.rp_filter" "1" +set_sysctl "net.ipv4.conf.default.rp_filter" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/enable_rsyslog.sh b/os-harden-tools/tools/enable_rsyslog.sh new file mode 100755 index 0000000..9876dc4 --- /dev/null +++ b/os-harden-tools/tools/enable_rsyslog.sh 
@@ -0,0 +1,17 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+systemctl start rsyslog.service
\ No newline at end of file
diff --git a/os-harden-tools/tools/enable_selinux_enforce.sh b/os-harden-tools/tools/enable_selinux_enforce.sh
new file mode 100755
index 0000000..ac6a544
--- /dev/null
+++ b/os-harden-tools/tools/enable_selinux_enforce.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+setenforce 1
\ No newline at end of file
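Review bot: `systemctl start rsyslog.service` only starts the service for the current boot; it is never enabled, so after a reboot rsyslog stays down and the log-persistence rationale list.md gives for this script is not met. `systemctl enable --now rsyslog.service || exit 1` starts and enables it in one step and fails loudly if the unit is absent.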
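Review bot: `setenforce 1` switches the running mode only; /etc/selinux/config is not updated, so a permissive boot setting comes back after reboot, and if SELinux is disabled at boot setenforce cannot turn it on at all and exits non-zero with nothing here to report that. The script should also persist the mode, e.g. `sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config`, and tell the operator that a reboot is required when `getenforce` reports Disabled instead of silently returning.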
diff --git a/os-harden-tools/tools/enable_tcp_syn_cookies.sh b/os-harden-tools/tools/enable_tcp_syn_cookies.sh new file mode 100755 index 0000000..b873d75 --- /dev/null +++ b/os-harden-tools/tools/enable_tcp_syn_cookies.sh @@ -0,0 +1,19 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "net.ipv4.tcp_syncookies" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/list.md b/os-harden-tools/tools/list.md new file mode 100755 index 0000000..14f99de --- /dev/null +++ b/os-harden-tools/tools/list.md 
@@ -0,0 +1,44 @@ +全栈完整性: +enable_kernel_module_sign.sh:启用内核模块签名。内核模块签名以一定格式在内核模块文件末尾添加签名信息,系统在加载内核模块时检查签名是否与内核中预设的公钥匹配。这样可以验证内核模块文件的真实性和完整性,防止系统加载未经认证的恶意内核模块。 + +网络保护: +disable_accept_redirect.sh: 禁止ICMP重定向报文。ICMP重定向消息是传递路由信息并告诉系统通过备用路径发送数据包。这是一种允许外部路由设备更新系统路由表的方法。攻击者可以利用伪造的ICMP重定向消息恶意更改系统路由表,使它们向错误的网络发送数据包,从而获取相应的敏感数据。 +disable_icmp_broadcast.sh:禁止系统响应ICMP广播报文。ICMP广播的目的地址就是广播地址。无论是哪台设备发送的报文,报文都会发送到网络上的每一台设备上去。如果源地址是伪造的,就可能会导致网络上所有的设备发送恶意的echo报文给受害者地址。 +disable_ip_forward.sh:禁止IP转发。如果该结点不作为网关服务器,则应禁用IP转发功能。否则攻击者可将此系统作为路由器使用。 +disable_proxy_arp.sh:禁止使用ARP代理。ARP代理允许系统代表连接到某个接口的主机向另一个接口上的ARP请求发送响应。禁用ARP代理不仅可以防止未经授权的信息共享还可以防止连接的网络区段之间寻址信息泄露。所以应关闭ARP代理以避免ARP报文攻击对系统造成影响。 +disable_source_route.sh:禁止报文源路由。源路由允许发送方部分或全部指定数据包通过网络的路由,而常规路由中,网络中的路由器根据数据包的目的地确定路径。大量报文被篡改后通过指定路由,则可以对内部网络进行定向攻击,可导致指定路由器负载过高,正常业务流量中断。 +drop_forge_icmp_package.sh:丢弃伪造的ICMP报文。一些攻击者会发送违反RFC-1122的ICMP报文,并试图用大量无用的错误信息填充日志文件系统。 +enable_firewall.sh:启用防火墙服务。如果系统中没有配置防火墙服务,可能会导致系统被外部攻击、内部数据被窃取或篡改,大量无效流量浪费带宽、访问一些存在安全风险或业务无关的网站导致信息泄露。 +enable_rp_filter.sh:启用反向地址过滤。强制Linux内核对接收到的数据包使用反向路径过滤,检查报文源地址的合法性,如果反查源地址的路由表,发现源地址下一跳的最佳出接口并不是收到报文的入接口,则将报文丢弃。 +enable_tcp_syn_cookies.sh:启用TCP-SYN cookie。攻击者使用SYN泛洪攻击时会快速耗尽内核中半开连接队列,阻止合法连接。如果启用SYN cookie,即使受到拒绝服务攻击仍允许系统继续接受合法连。 + +限制高危系统功能: +enable_dmesg_restrict.sh:配置dmesg访问权限。限制访问 dmesg 信息权限,无特权的用户无法查看系统信息,从而可以避免任何人从系统信息获取敏感信息。 +disable_kexec.sh:禁止开启kexec功能。kexec允许替换当前正在运行的内核,可能被攻击者利用加载恶意内核。若使用场景无内核升级需求,建议关闭kexec功能。 +enable_kptr_restrict.sh:限制内核符号读取权限。kptr_restrict的作用是保护内核符号地址,保护等级低时普通用户可以访问得到内核符号地址容易被攻击者利用,增加了攻击面降低了系统安全性。 +enable_ptrace_scope.sh:限制ptrace范围。ptrace是一种系统调用用于进程跟踪,提供了父进程可以观察并控制子进程的能力。无限制的ptrace使用可能导致攻击者劫持关键进程进行系统攻击。 +disable_uncommon_network_module.sh:禁用不常见网络服务。一些不常见的网络协议往往使用场景较少,社区发展较慢,安全问题不易被快速解决。如果未关闭这些并不使用的协议,可能导致攻击者利用协议或代码漏洞进行攻击。 + +启用安全服务: +enable_rsyslog.sh:启用rsyslog服务。若不开启rsyslog服务,系统日志无法转储到持久性存储设备,系统重启后,会导致日志丢失。 +enable_selinux_enforce.sh:Selinux启用enforce模式。SELinux是Linux发行版中内置的安全模块,通过细粒度的访问控制机制实现应用程序对资源的访问控制。SELinux只有工作在enforcing模式时才能有效启用并保护系统。 + 
+内核加固: +enable_bpf_jit_harden.sh:开启BPF加固功能。BFP代码支持JIT编译执行和解释执行。其中JIT编译执行面临JIT喷射攻击的风险,攻击者可能利用该风险攻击内核进行提权。BPF加固功能会对JIT编译执行进行加固,缓解某些类型的JIT喷射攻击,降低内核面临的攻击风险。 +enable_kernel_aslr.sh:启用内核ASLR。ASLR通过每次将栈的起始位置、函数库和程序本身移至随机位置,使得内存攻击时无法猜测正确的内存位置,导致攻击无法成功实施。 +enable_panic_on_oops.sh:确保内核触发错误后直接退出。系统内核在发现一些非致命错误时会触发oops,如果在oops发生后内核仍然继续运行,可能会导致错误依然存在并影响内核的稳定性和可靠性。因此,建议设置使能panic_on_oops,在发生oops后直接panic退出而不是继续运行。 + +权限最小化: +minimal_file_permission.sh:最小化文件权限。最小化系统中敏感文件的访问权限,防止因权限过大导致攻击者进行文件篡改攻击。 +symlink_protection.sh:启用链接文件保护。启用该保护后,如果目标文件和链接文件不是同属主的,且链接文件属主无权执行目标文件的,无论访问该链接的用户是谁,均拒绝访问。 + +登录认证: +disable_ssh_no_pass.sh:禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。 +disable_ssh_permit_user_environment.sh:禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。 +disable_ssh_root_login.sh:禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。 +disable_ssh_tcp_forwarding.sh:禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。 +disable_ssh_x11_forwarding.sh:禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。 +disable_sysrq.sh:禁止使用SysRq键。SysRq使得具有物理访问权限的用户能够访问计算机中危险的系统级命令,攻击者可以通过键盘触发SysRq的调用,直接发送命令到内核,对系统造成影响。 +disable_tcp_timestamps.sh:避免开启tcp_timestamps。tcp_timestamps用于记录TCP数据包的发送时间,可用于RTT测量(RTTM)和保护序号绕回(PAWS),启用该选项可能遭受拒绝服务攻击。 +set_ssh_max_auth_tries.sh:设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。 + diff --git a/os-harden-tools/tools/minimal_file_permission.sh b/os-harden-tools/tools/minimal_file_permission.sh new file mode 100755 index 0000000..b8d48f3 --- /dev/null +++ b/os-harden-tools/tools/minimal_file_permission.sh 
@@ -0,0 +1,40 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+
+function minimal() {
+ path=$1
+ perm=$2
+ if [ ! -e "$path" ]; then
+ return 0
+ fi
+
+ real_perm=$(stat -c '%04a' "${path}")
+ if [ "${perm}" != ${real_perm} ]; then
+ echo "Change ${path} file permission to ${perm}"
+ chmod ${path} ${perm}
+ fi
+}
+
+minimal "/etc/passwd" 0644
+minimal "/etc/group" 0644
+minimal "/etc/shadow" 0000
+minimal "/etc/gshadow" 0000
+minimal "/etc/passwd" 0644
+minimal "/etc/shadow" 0000
+minimal "/etc/group" 0644
+minimal "/etc/gshadow" 0000
+minimal "/etc/ssh/sshd_config" 0600
+minimal "/etc/sudoers" 0440
\ No newline at end of file
diff --git a/os-harden-tools/tools/set_ssh_max_auth_tries.sh b/os-harden-tools/tools/set_ssh_max_auth_tries.sh
new file mode 100755
index 0000000..6ea3512
--- /dev/null
+++ b/os-harden-tools/tools/set_ssh_max_auth_tries.sh
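Review bot: `chmod ${path} ${perm}` passes the arguments in the wrong order (chmod expects MODE then FILE), so for every file whose mode differs the script prints the change message and then chmod fails, leaving the permissions exactly as they were; it should read `chmod "${perm}" "${path}"`. The comparison `[ "${perm}" != ${real_perm} ]` leaves real_perm unquoted, and the call list repeats /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow, which is harmless but looks like a copy-paste slip. Since the function never checks chmod's exit status the script exits 0 regardless, so a `|| echo "failed to change ${path}"` on the chmod line would at least surface failures.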
@@ -0,0 +1,18 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### +source $(pwd)/utils.sh + +set_ssh "MaxAuthTries" "3" \ No newline at end of file diff --git a/os-harden-tools/tools/symlink_protection.sh b/os-harden-tools/tools/symlink_protection.sh new file mode 100755 index 0000000..9e968e2 --- /dev/null +++ b/os-harden-tools/tools/symlink_protection.sh 
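Review bot: `set_ssh "MaxAuthTries" "3"` counts every public key the client offers as an authentication attempt, so a user whose agent holds more than a couple of keys is disconnected before the correct key or a password is tried. That is a legitimate hardening choice, but it should be stated in the script header so operators know to scope keys with IdentitiesOnly on the client side, and the value could be made a parameter with 3 as the default rather than a literal.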
@@ -0,0 +1,20 @@ +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +source $(pwd)/utils.sh + +set_sysctl "fs.protected_symlinks" "1" +set_sysctl "fs.protected_hardlinks" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/utils.sh b/os-harden-tools/tools/utils.sh new file mode 100755 index 0000000..c61c728 --- /dev/null +++ b/os-harden-tools/tools/utils.sh 
@@ -0,0 +1,40 @@
+#!/bin/bash
+## #######################################################################################
+#
+# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved.
+# SecureGuardian is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+# Description: Security Baseline Check Script for 1.1.14
+#
+# #######################################################################################
+sysctl_conf_path="/etc/sysctl.conf"
+sshd_conf_path="/etc/ssh/sshd_config"
+
+function set_sysctl() {
+ conf=$1
+ value=$2
+ if grep -q "^${conf}" ${sysctl_conf_path} > /dev/null; then
+ sed -i "s/^${conf}.*/${conf} = ${value}/" ${sysctl_conf_path}
+ else
+ echo "${conf} = ${value}" >> ${sysctl_conf_path}
+ fi
+
+ sysctl -p /etc/sysctl.conf
+}
+
+function set_ssh() {
+ conf=$1
+ value=$2
+ if grep -q "^${conf}\s*" "${sshd_conf_path}"; then
+ sed -i "s/^${conf}.*/${conf} ${value}/" ${sshd_conf_path}
+ else
+ echo "${conf} ${value}" >> "${sshd_conf_path}"
+ fi
+ systemctl restart sshd
+}
\ No newline at end of file
-- Gitee
From 4a596d0c554c87862621b257847c331f4b2c5b91 Mon Sep 17 00:00:00 2001
From: zhaozixuan
Date: Sat, 26 Jul 2025 10:28:14 +0800
Subject: [PATCH 004/109] fix list.md
---
 os-harden-tools/tools/list.md | 44 +++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 7 deletions(-)
diff --git a/os-harden-tools/tools/list.md b/os-harden-tools/tools/list.md
index 14f99de..5d413c8 100755
--- a/os-harden-tools/tools/list.md
+++ b/os-harden-tools/tools/list.md
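Review bot: set_ssh appends a missing directive to the end of sshd_config, so if the file ends in a `Match` block the new line becomes part of that block and applies only to its matches, and if the file begins with an `Include` of a drop-in directory a value already set there wins because sshd keeps the first value it reads; in both cases the hardening is silently not in effect, so the directive should be inserted before the first `Match` line (or written to a dedicated drop-in when the Include directory exists). `systemctl restart sshd` then runs without validating the edited file; `sshd -t || { echo "sshd_config is invalid, not restarting"; exit 1; }` before the restart prevents a remote lockout from a malformed edit, and the trailing `\s*` in the grep pattern matches the empty string and adds nothing. In set_sysctl, `grep -q "^${conf}"` uses the key as an unescaped regex prefix, so `.` matches any character and a longer key sharing the prefix is also matched and rewritten by the sed; `grep -qE "^${conf}\s*="` with the dots escaped, and the same anchor in the sed address, is safer. `sysctl -p /etc/sysctl.conf` also reloads only that file, so if a drop-in under /etc/sysctl.d sets the same key with a different value the effective setting is not reconsidered here (presumably not the case on a fresh image; verify). Both functions also leave `${sysctl_conf_path}`/`${sshd_conf_path}` unquoted in some calls and quoted in others, which is worth making uniform.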
@@ -1,44 +1,74 @@ -全栈完整性: +## 全栈完整性: + enable_kernel_module_sign.sh:启用内核模块签名。内核模块签名以一定格式在内核模块文件末尾添加签名信息,系统在加载内核模块时检查签名是否与内核中预设的公钥匹配。这样可以验证内核模块文件的真实性和完整性,防止系统加载未经认证的恶意内核模块。 -网络保护: +## 网络保护: + disable_accept_redirect.sh: 禁止ICMP重定向报文。ICMP重定向消息是传递路由信息并告诉系统通过备用路径发送数据包。这是一种允许外部路由设备更新系统路由表的方法。攻击者可以利用伪造的ICMP重定向消息恶意更改系统路由表,使它们向错误的网络发送数据包,从而获取相应的敏感数据。 + disable_icmp_broadcast.sh:禁止系统响应ICMP广播报文。ICMP广播的目的地址就是广播地址。无论是哪台设备发送的报文,报文都会发送到网络上的每一台设备上去。如果源地址是伪造的,就可能会导致网络上所有的设备发送恶意的echo报文给受害者地址。 + disable_ip_forward.sh:禁止IP转发。如果该结点不作为网关服务器,则应禁用IP转发功能。否则攻击者可将此系统作为路由器使用。 + disable_proxy_arp.sh:禁止使用ARP代理。ARP代理允许系统代表连接到某个接口的主机向另一个接口上的ARP请求发送响应。禁用ARP代理不仅可以防止未经授权的信息共享还可以防止连接的网络区段之间寻址信息泄露。所以应关闭ARP代理以避免ARP报文攻击对系统造成影响。 + disable_source_route.sh:禁止报文源路由。源路由允许发送方部分或全部指定数据包通过网络的路由,而常规路由中,网络中的路由器根据数据包的目的地确定路径。大量报文被篡改后通过指定路由,则可以对内部网络进行定向攻击,可导致指定路由器负载过高,正常业务流量中断。 + drop_forge_icmp_package.sh:丢弃伪造的ICMP报文。一些攻击者会发送违反RFC-1122的ICMP报文,并试图用大量无用的错误信息填充日志文件系统。 + enable_firewall.sh:启用防火墙服务。如果系统中没有配置防火墙服务,可能会导致系统被外部攻击、内部数据被窃取或篡改,大量无效流量浪费带宽、访问一些存在安全风险或业务无关的网站导致信息泄露。 + enable_rp_filter.sh:启用反向地址过滤。强制Linux内核对接收到的数据包使用反向路径过滤,检查报文源地址的合法性,如果反查源地址的路由表,发现源地址下一跳的最佳出接口并不是收到报文的入接口,则将报文丢弃。 + enable_tcp_syn_cookies.sh:启用TCP-SYN cookie。攻击者使用SYN泛洪攻击时会快速耗尽内核中半开连接队列,阻止合法连接。如果启用SYN cookie,即使受到拒绝服务攻击仍允许系统继续接受合法连。 -限制高危系统功能: +## 限制高危系统功能: + enable_dmesg_restrict.sh:配置dmesg访问权限。限制访问 dmesg 信息权限,无特权的用户无法查看系统信息,从而可以避免任何人从系统信息获取敏感信息。 + disable_kexec.sh:禁止开启kexec功能。kexec允许替换当前正在运行的内核,可能被攻击者利用加载恶意内核。若使用场景无内核升级需求,建议关闭kexec功能。 + enable_kptr_restrict.sh:限制内核符号读取权限。kptr_restrict的作用是保护内核符号地址,保护等级低时普通用户可以访问得到内核符号地址容易被攻击者利用,增加了攻击面降低了系统安全性。 + enable_ptrace_scope.sh:限制ptrace范围。ptrace是一种系统调用用于进程跟踪,提供了父进程可以观察并控制子进程的能力。无限制的ptrace使用可能导致攻击者劫持关键进程进行系统攻击。 + disable_uncommon_network_module.sh:禁用不常见网络服务。一些不常见的网络协议往往使用场景较少,社区发展较慢,安全问题不易被快速解决。如果未关闭这些并不使用的协议,可能导致攻击者利用协议或代码漏洞进行攻击。 -启用安全服务: +## 启用安全服务: + enable_rsyslog.sh:启用rsyslog服务。若不开启rsyslog服务,系统日志无法转储到持久性存储设备,系统重启后,会导致日志丢失。 + 
enable_selinux_enforce.sh:Selinux启用enforce模式。SELinux是Linux发行版中内置的安全模块,通过细粒度的访问控制机制实现应用程序对资源的访问控制。SELinux只有工作在enforcing模式时才能有效启用并保护系统。 -内核加固: +## 内核加固: + enable_bpf_jit_harden.sh:开启BPF加固功能。BFP代码支持JIT编译执行和解释执行。其中JIT编译执行面临JIT喷射攻击的风险,攻击者可能利用该风险攻击内核进行提权。BPF加固功能会对JIT编译执行进行加固,缓解某些类型的JIT喷射攻击,降低内核面临的攻击风险。 + enable_kernel_aslr.sh:启用内核ASLR。ASLR通过每次将栈的起始位置、函数库和程序本身移至随机位置,使得内存攻击时无法猜测正确的内存位置,导致攻击无法成功实施。 + enable_panic_on_oops.sh:确保内核触发错误后直接退出。系统内核在发现一些非致命错误时会触发oops,如果在oops发生后内核仍然继续运行,可能会导致错误依然存在并影响内核的稳定性和可靠性。因此,建议设置使能panic_on_oops,在发生oops后直接panic退出而不是继续运行。 -权限最小化: +## 权限最小化: + minimal_file_permission.sh:最小化文件权限。最小化系统中敏感文件的访问权限,防止因权限过大导致攻击者进行文件篡改攻击。 + symlink_protection.sh:启用链接文件保护。启用该保护后,如果目标文件和链接文件不是同属主的,且链接文件属主无权执行目标文件的,无论访问该链接的用户是谁,均拒绝访问。 -登录认证: +## 登录认证: + disable_ssh_no_pass.sh:禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。 + disable_ssh_permit_user_environment.sh:禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。 + disable_ssh_root_login.sh:禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。 + disable_ssh_tcp_forwarding.sh:禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。 + disable_ssh_x11_forwarding.sh:禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。 + disable_sysrq.sh:禁止使用SysRq键。SysRq使得具有物理访问权限的用户能够访问计算机中危险的系统级命令,攻击者可以通过键盘触发SysRq的调用,直接发送命令到内核,对系统造成影响。 + disable_tcp_timestamps.sh:避免开启tcp_timestamps。tcp_timestamps用于记录TCP数据包的发送时间,可用于RTT测量(RTTM)和保护序号绕回(PAWS),启用该选项可能遭受拒绝服务攻击。 + set_ssh_max_auth_tries.sh:设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。 -- Gitee From ac6fd14ba455fd4e2ac29a66c84e66ccf2a11ed3 Mon Sep 17 00:00:00 2001 
From: Tomahawkd
Date: Sat, 26 Jul 2025 18:02:03 +0800
Subject: [PATCH 005/109] add tool metadata
---
 os-harden-tools/VERSION | 1 +
 os-harden-tools/os-harden-tool.spec | 49 +++++
 os-harden-tools/src/categories.schema.json | 29 +++
 os-harden-tools/src/gendoc.py | 31 ++++
 os-harden-tools/src/metadata.py | 98 ++++++++++
 os-harden-tools/src/metadata.schema.json | 83 +++++++++
 os-harden-tools/tools/categories.json | 6 +
 .../{ => int.01}/enable_kernel_module_sign.sh | 0
 os-harden-tools/tools/int.01/metadata.json | 6 +
 os-harden-tools/tools/int.02/enforce_dim.sh | 86 +++++++++
 os-harden-tools/tools/int.02/metadata.json | 12 ++
 os-harden-tools/tools/int.03/enforce_ima.sh | 169 ++++++++++++++++++
 os-harden-tools/tools/int.03/metadata.json | 25 +++
 13 files changed, 595 insertions(+)
 create mode 100644 os-harden-tools/VERSION
 create mode 100644 os-harden-tools/os-harden-tool.spec
 create mode 100644 os-harden-tools/src/categories.schema.json
 create mode 100644 os-harden-tools/src/gendoc.py
 create mode 100644 os-harden-tools/src/metadata.py
 create mode 100644 os-harden-tools/src/metadata.schema.json
 create mode 100644 os-harden-tools/tools/categories.json
 rename os-harden-tools/tools/{ => int.01}/enable_kernel_module_sign.sh (100%)
 create mode 100644 os-harden-tools/tools/int.01/metadata.json
 create mode 100644 os-harden-tools/tools/int.02/enforce_dim.sh
 create mode 100644 os-harden-tools/tools/int.02/metadata.json
 create mode 100644 os-harden-tools/tools/int.03/enforce_ima.sh
 create mode 100644 os-harden-tools/tools/int.03/metadata.json
diff --git a/os-harden-tools/VERSION b/os-harden-tools/VERSION
new file mode 100644
index 0000000..afaf360
--- /dev/null
+++ b/os-harden-tools/VERSION
@@ -0,0 +1 @@
+1.0.0
\ No newline at end of file
diff --git a/os-harden-tools/os-harden-tool.spec b/os-harden-tools/os-harden-tool.spec
new file mode 100644
index 0000000..3bb7094
--- /dev/null
+++ b/os-harden-tools/os-harden-tool.spec
@@ -0,0 +1,49 @@
+Summary: OS hardening toolkit
+Name : os-harden-tools
+Version: 1.0
+Release: 1.0
+Source0: src
+Source1: conf
+License: Mulan PSL v2
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires: python3 python3-pyyaml python3-jsonschema
+
+%description
+OS hardening toolkit
+
+%global debug_package %{nil}
+
+%prep
+
+%build
+
+%check
+
+%install
+%{__install} -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/secharden
+%{__install} -m0400 %{SOURCE1}/ $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf
+%{__install} -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf.d
+%{__install} -d -m0755 $RPM_BUILD_ROOT%{_usr}/local/secharden
+%{__install} -m0500 %{SOURCE0} $RPM_BUILD_ROOT%{_usr}/local/secharden
+%{__chmod} +x $RPM_BUILD_ROOT%{_usr}/local/secharden/main.py
+%{__ln_s} ../secharden/main.py $RPM_BUILD_ROOT%{_usr}/local/bin/secharden
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+
+%post
+
+%preun
+
+%postun
+
+%files
+%defattr(-,root,root)
+%attr(0400,root,root) %config %{_sysconfdir}/smcpd.conf
+%attr(0500,root,root) %{_sbindir}/smcpd
+
+%changelog
+* Fri Jul 25 2025 Tomahawkd - 1.0-1.0
+- inital os hardening toolkit
\ No newline at end of file
diff --git a/os-harden-tools/src/categories.schema.json b/os-harden-tools/src/categories.schema.json
new file mode 100644
index 0000000..ec38742
--- /dev/null
+++ b/os-harden-tools/src/categories.schema.json
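Review bot: The `%files` list names `%{_sysconfdir}/smcpd.conf` and `%{_sbindir}/smcpd`, neither of which `%install` creates, while the `%{_sysconfdir}/secharden` tree and `%{_usr}/local/secharden` that it does install are unlisted, so rpmbuild fails on missing and unpackaged files. `%{__ln_s}` also writes into `$RPM_BUILD_ROOT%{_usr}/local/bin` without first creating that directory, and `%{SOURCE0}`/`%{SOURCE1}` appear to be directories (`src`, `conf`), which `install` does not copy recursively. The `%files` section should enumerate what `%install` actually produces, keeping the 0700/0400 modes already chosen for the configuration tree:
```spec
%files
%defattr(-,root,root)
%dir %attr(0700,root,root) %{_sysconfdir}/secharden
%attr(0400,root,root) %config(noreplace) %{_sysconfdir}/secharden/secharden.conf
%dir %attr(0700,root,root) %{_sysconfdir}/secharden/secharden.conf.d
%{_usr}/local/secharden
%{_usr}/local/bin/secharden
# … unchanged: %changelog …
```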
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://json-schema.org/draft-04/schema",
+ "id": "./categories.schema.json",
+ "title": "Tool categories metadata Schema",
+ "description": "Schema file for tool categories specification",
+ "allOf": [
+ {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "Unique identifier for the category"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the category"
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the category"
+ }
+ },
+ "required": ["id", "name"]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py
new file mode 100644
index 0000000..668d44a
--- /dev/null
+++ b/os-harden-tools/src/gendoc.py
@@ -0,0 +1,31 @@
+import argparse
+import logging
+from pathlib import Path
+
+from metadata import generate_doc
+
+
+class VersionReader(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ path = Path(values)
+ if not path.exists():
+ raise argparse.ArgumentError(self, f"path {values} is not exist")
+ setattr(namespace, self.dest, path.resolve())
+
+
+def main():
+ args = argparse.ArgumentParser(prog="docgen")
+ args.add_argument("-t", "--rule-dir", type=str, help="rule script directory", default=Path("../tools"))
+ args.add_argument('-f', '--force', action='store_true', help="force to generate doc, deleting existing doc files")
+ args.add_argument("-v", "--version", action="version", version="%(prog)s 1.0")
+ args = args.parse_args()
+
+ try:
+ generate_doc(Path(args.rule_dir), overwrite=args.force)
+ except Exception as e:
+ logging.exception(e)
+ exit(1)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/os-harden-tools/src/metadata.py b/os-harden-tools/src/metadata.py
new file mode 100644
index 0000000..ef938dd
--- /dev/null
+++ b/os-harden-tools/src/metadata.py
@@ -0,0 +1,98 @@
+import json
+import logging
+from io import TextIOWrapper
+from pathlib import Path
+from typing import List
+import jsonschema
+
+TITLE = "配置工具"
+METADATA_SCHEMA = json.loads(Path("metadata.schema.json").read_text('utf-8'))
+
+
+def generate(rule: Path, output_stream: TextIOWrapper):
+ if not rule.joinpath("metadata.json").is_file():
+ raise FileNotFoundError(f"Rule file {rule} does not exist")
+
+ dirname = rule.name
+ metadata = json.loads(rule.joinpath("metadata.json").read_text('utf-8'))
+
+ # schema check
+ jsonschema.validate(metadata, METADATA_SCHEMA)
+
+ entry_path = rule.joinpath(metadata['entry'])
+ if not entry_path.is_file():
+ raise FileNotFoundError(f"Entry file {entry_path} for {dirname} does not exist")
+ if not metadata['id'] == dirname:
+ raise ValueError(f"Metadata id {metadata['id']} does not match directory name {rule}")
+
+ output_stream.write(f"### {metadata['id']} {metadata['name']}\n\n")
+ output_stream.write(f"{metadata['description']}\n\n")
+ output_stream.write(f"#### 参数\n\n")
+ if 'parameters' in metadata:
+ for param in metadata['parameters']:
+ output_stream.write(f"**{param['name']}**\n\n")
+ output_stream.write(f"{param['description']}\n\n")
+ else:
+ output_stream.write("无\n\n")
+
+ if 'urls' in metadata:
+ output_stream.write("#### 参考文档\n\n")
+ for url in metadata['urls']:
+ output_stream.write(f"- [{url['title']}]({url['url']})\n")
+ output_stream.write("\n")
+
+
+def verify_rule_id(rule_path: Path) -> bool:
+ rule_id = rule_path.name
+ if not '.' in rule_id:
+ logging.error(f"Rule directory {rule_path} does not follow naming convention (should be 'category_id.rule_id')")
+ return False
+ if not rule_id.split('.')[1].isdigit():
+ logging.error(f"Rule directory {rule_path} does not have a valid numeric index after the category ID")
+ return False
+ return True
+
+
+def generate_doc(root: Path, overwrite: bool):
+ categories_file = root.joinpath("categories.json")
+ if not categories_file.exists():
+ raise FileNotFoundError(f"Categories file {categories_file} does not exist")
+
+ categories = json.loads(categories_file.read_text('utf-8'))
+ jsonschema.validate(categories, json.loads(Path("categories.schema.json").read_text('utf-8')))
+
+ output = root.joinpath("README.md")
+ if output.exists():
+ if overwrite:
+ logging.warning("force to generate doc, deleting existing doc files")
+ output.unlink()
+ else:
+ output.touch()
+
+ output_stream = output.open(mode='wt', encoding='utf-8')
+ output_stream.write(f"# {TITLE}\n\n")
+
+ for category in categories:
+ category_id = category["id"]
+
+ # find all rules directories starting with category_id
+ rules: List[Path] = list(root.glob(f"{category_id}.*"))
+ if not rules:
+ logging.warning(f"No rules found for category {category_id}")
+ continue
+
+ output_stream.write(f"## {category['name']}\n\n")
+
+ if 'description' in category:
+ output_stream.write(f"{category['description']}\n\n")
+
+ for rule in sorted(filter(verify_rule_id, rules), key=lambda r: int(r.name.split('.', 1)[1])):
+ try:
+ logging.info(f"Generating doc for dir: {rule.name}")
+ generate(rule, output_stream)
+ except Exception as e:
+ logging.error(f"Error generating doc for dir: {rule.name}")
+ logging.exception(e)
+
+ output_stream.write("\n")
+ output_stream.close()
diff --git a/os-harden-tools/src/metadata.schema.json b/os-harden-tools/src/metadata.schema.json
new file mode 100644
index 0000000..adc19b2
--- /dev/null
+++ b/os-harden-tools/src/metadata.schema.json
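Review bot: `METADATA_SCHEMA` is loaded at import time from `Path("metadata.schema.json")`, and `generate_doc` reads `categories.schema.json` the same way, so both resolve against the process working directory and the module fails with FileNotFoundError whenever gendoc.py is launched from anywhere but `src/`; resolve them next to the module with `Path(__file__).parent.joinpath("metadata.schema.json")`. `generate_doc` opens `output_stream` without a `with` block, so an exception raised before the final `close()` leaks the handle and can leave a partially written README.md behind. `root.glob(f"{category_id}.*")` also matches plain files, so `verify_rule_id` should additionally require `rule_path.is_dir()` before the name checks. The same code is carried unchanged into the gendoc.py hunk of the later "gendoc" commit on this page, which inherits all three points.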
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://json-schema.org/draft-04/schema",
+ "id": "./metadata.json",
+ "title": "Tool metadata Schema",
+ "description": "Schema file for tool declaration",
+ "allOf": [
+ {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "rule id, use to identify specific rule"
+ },
+ "name": {
+ "type": "string",
+ "description": "rule name"
+ },
+ "description": {
+ "type": "string",
+ "description": "rule description"
+ },
+ "entry": {
+ "type": "string",
+ "description": "rule entry script"
+ },
+ "parameters": {
+ "type": "array",
+ "description": "parameters for entry script",
+ "items": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "parameters id, use to identify specific config"
+ },
+ "name": {
+ "type": "string",
+ "description": "parameters name"
+ },
+ "description": {
+ "type": "string",
+ "description": "parameter description"
+ },
+ "type": {
+ "type": "string",
+ "description": "parameter type, use to convert config value to script argument"
+ },
+ "cmdline": {
+ "type": "string",
+ "description": "command option for parameter to pass into the script, leave blank if no command option"
+ }
+ },
+ "required": ["id", "name", "description", "type"]
+ }
+ },
+ "urls": {
+ "type": "array",
+ "description": "reference urls",
+ "items": {
+ "type": "object",
+ "properties": {
+ "title": {
+ "type": "string",
+ "description": "url title"
+ },
+ "url": {
+ "type": "string",
+ "description": "url link"
+ }
+ },
+ "required": ["title", "url"]
+ }
+ }
+ },
+ "required": [
+ "id",
+ "name",
+ "description",
+ "entry"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tools/categories.json b/os-harden-tools/tools/categories.json
new file mode 100644
index 0000000..074aa00
--- /dev/null
+++ b/os-harden-tools/tools/categories.json
@@ -0,0 +1,6 @@
+[
+ {
+ "id": "int",
+ "name": "全栈完整性"
+ }
+]
\ No newline at end of file
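Review bot: `entry` is validated only as a string, yet the generator joins it onto the rule directory (`rule.joinpath(metadata['entry'])`), so a value containing a path separator or `..` resolves outside the rule's own directory without any schema complaint; constrain it to a bare file name, e.g. `"pattern": "^[A-Za-z0-9_][A-Za-z0-9_.-]*$"`. Neither object sets `"additionalProperties": false`, so a misspelt key such as `url` instead of `urls` passes validation and is silently ignored. `parameters[].type` is described as driving the conversion of config values to script arguments but is left unconstrained; an `enum` of the accepted type names (`file_list` is the only one on this page) would catch typos at validation time. The `"id": "./metadata.json"` also does not match this file's name, unlike the sibling categories schema.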
diff --git a/os-harden-tools/tools/enable_kernel_module_sign.sh b/os-harden-tools/tools/int.01/enable_kernel_module_sign.sh
similarity index 100%
rename from os-harden-tools/tools/enable_kernel_module_sign.sh
rename to os-harden-tools/tools/int.01/enable_kernel_module_sign.sh
diff --git a/os-harden-tools/tools/int.01/metadata.json b/os-harden-tools/tools/int.01/metadata.json
new file mode 100644
index 0000000..7272d76
--- /dev/null
+++ b/os-harden-tools/tools/int.01/metadata.json
@@ -0,0 +1,6 @@
+{
+ "id": "int.01",
+ "name": "启用内核模块签名",
+ "description": "启用内核模块签名。内核模块签名以一定格式在内核模块文件末尾添加签名信息,系统在加载内核模块时检查签名是否与内核中预设的公钥匹配。这样可以验证内核模块文件的真实性和完整性,防止系统加载未经认证的恶意内核模块。",
+ "entry": "enable_kernel_module_sign.sh"
+}
\ No newline at end of file
diff --git a/os-harden-tools/tools/int.02/enforce_dim.sh b/os-harden-tools/tools/int.02/enforce_dim.sh
new file mode 100644
index 0000000..ba5d948
--- /dev/null
+++ b/os-harden-tools/tools/int.02/enforce_dim.sh
@@ -0,0 +1,86 @@
+#!/bin/sh
+#######################################################################################
+#
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
+# security-tool licensed under the Mulan PSL v1.
+# You can use this software according to the terms and conditions of the Mulan PSL v1.
+# You may obtain a copy of Mulan PSL v1 at:
+# http://license.coscl.org.cn/MulanPSL
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v1 for more details.
+# Description: Configure dim.
+#
+#######################################################################################
+
+#=============================================================================
+# Function Name: fn_dim_tool_main
+# Description : dim tool main function
+# Returns : 0 on success, otherwise on fail
+#=============================================================================
+function fn_dim_tool_main()
+{
+ # operator must be root
+ if [ `id -u` -ne 0 ]; then
+ echo "You must be logged in as root."
+ exit 1
+ fi
+
+ # init kernel baseline
+ fn_info "Initializing DIM kernel baseline..."
+ mkdir -p /etc/dim/digest_list
+
+ if [ ! -f /boot/vmlinuz-$(uname -r) ]; then
+ fn_error "Kernel image /boot/vmlinuz-$(uname -r) does not exist."
+ fn_error "You have to measure your kernel manually."
+ return 1
+ fi
+
+ dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-$(uname -r)
+
+ if [ ! -f /etc/dim/policy ]; then
+ fn_info "Creating DIM policy at /etc/dim/policy."
+ echo "measure obj=KERNEL_TEXT" > /etc/dim/policy
+ fi
+
+ # add dim kernel measurement to policy
+ if ! grep -q "measure obj=KERNEL_TEXT" /etc/dim/policy; then
+ echo "" >> /etc/dim/policy
+ echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy
+ fn_info "Added kernel measurement to DIM policy."
+ else
+ fn_info "Kernel measurement already exists in DIM policy."
+ fi
+
+ # install dim kernel module
+ fn_info "Installing dim kernel module..."
+ if ! lsmod | grep -q dim_core; then
+ if ! modprobe dim_core measure_interval=1; then
+ fn_error "Failed to install dim_core module."
+ return 1
+ fi
+ fi
+
+ if ! lsmod | grep -q dim_monitor; then
+ if ! modprobe dim_monitor; then
+ fn_error "Failed to install dim module."
+ return 1
+ fi
+ fi
+
+ # initialize dim baseline
+ echo 1 > /sys/kernel/security/dim/baseline_init
+
+ local result="$(grep "$(uname -r)" /sys/kernel/security/dim/ascii_runtime_measurements | tail -n 1)"
+ # result not empty
+ if [ -z "$result" ]; then
+ fn_error "Failed to initialize DIM baseline for kernel"
+ return 1
+ else
+ fn_info "DIM kernel baseline initialized:"
+ fn_info "$result"
+ fi
+}
+
+fn_dim_tool_main
\ No newline at end of file
diff --git a/os-harden-tools/tools/int.02/metadata.json b/os-harden-tools/tools/int.02/metadata.json
new file mode 100644
index 0000000..5067f61
--- /dev/null
+++ b/os-harden-tools/tools/int.02/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "int.02",
+ "name": "启用DIM动态度量内核",
+ "description": "启用DIM动态度量内核。DIM特性通过在程序运行时对内存中的关键数据(如代码段、数据段)进行度量,并将度量结果和基准值进行对比,确定内存数据是否被篡改,从而检测攻击行为,并采取应对措施。",
+ "entry": "enforce_dim.sh",
+ "urls": [
+ {
+ "title": "动态完整性度量 (DIM)",
+ "url": "https://docs.openeuler.org/en/docs/24.03_LTS_SP2/server/security/trusted_computing/dim.html"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tools/int.03/enforce_ima.sh b/os-harden-tools/tools/int.03/enforce_ima.sh
new file mode 100644
index 0000000..e54284d
--- /dev/null
+++ b/os-harden-tools/tools/int.03/enforce_ima.sh
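Review bot: `fn_info` and `fn_error` are called throughout `fn_dim_tool_main` but are neither defined nor sourced in this file, and the function is invoked directly at the bottom, so each call fails with "command not found" and, since nothing sets `-e`, the script keeps going with its progress and error messages lost; the same applies to `fn_info`/`fn_warn`/`fn_error` in the enforce_ima.sh hunk below. Both scripts also declare `#!/bin/sh` while using the `function` keyword and `local`, which a POSIX `sh` such as dash rejects; `#!/bin/bash` matches the constructs actually used. The exit status of `dim_gen_baseline` is never checked, so a failed baseline generation still proceeds to load the modules and trigger `baseline_init`; guard it with `dim_gen_baseline … || { fn_error "Failed to generate kernel baseline."; return 1; }`.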
@@ -0,0 +1,169 @@
+#!/bin/sh
+#######################################################################################
+#
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
+# security-tool licensed under the Mulan PSL v1.
+# You can use this software according to the terms and conditions of the Mulan PSL v1.
+# You may obtain a copy of Mulan PSL v1 at:
+# http://license.coscl.org.cn/MulanPSL
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v1 for more details.
+# Description: Configuration file for the ima mesurement tags.
+#
+#######################################################################################
+
+# ima policy generated patterns
+# These patterns are used to identify the start and end of the generated area in the IMA policy file.
+readonly IMA_POLICY_GENERATED_PATTERN_START='# Generated by security-tool'
+readonly IMA_POLICY_GENERATED_PATTERN_END='# End of generated by security-tool'
+# IMA policy file path
+readonly IMA_POLICY_FILE='/etc/ima/ima-policy'
+
+#=============================================================================
+# Function Name: _fn_reset_ima_policy
+# Description : remove the generated area in the IMA policy file
+# If the generated area is incomplete, it will only remove the patterns.
+# If the generated area is complete, it will remove the lines between the patterns.
+#=============================================================================
+function _fn_reset_ima_policy()
+{
+ local start_pattern="$IMA_POLICY_GENERATED_PATTERN_START"
+ local end_pattern="$IMA_POLICY_GENERATED_PATTERN_END"
+
+ # find generated area
+ # grep will output :, use cut to get the line number
+ local start_line=$(grep -n "$start_pattern" "$IMA_POLICY_FILE" | cut -d: -f1)
+ local end_line=$(grep -n "$end_pattern" "$IMA_POLICY_FILE" | cut -d: -f1)
+
+ # if both patterns are not found, do nothing
+ if [ -z "$start_line" ] && [ -z "$end_line" ]; then
+ fn_info "No generated IMA policy found in $IMA_POLICY_FILE."
+ return 0
+ fi
+
+ # incomplete generated area, reamove pattern only
+ if [ -z "$start_line" ] || [ -z "$end_line" ]; then
+ fn_info "Incomplete generated IMA policy found in $IMA_POLICY_FILE. Removing patterns only."
+ sed -i "/$start_pattern/d" "$IMA_POLICY_FILE"
+ sed -i "/$end_pattern/d" "$IMA_POLICY_FILE"
+ return 0
+ fi
+
+ # remove lines between the patterns
+ local lines_to_remove=$(sed -n "${start_line},${end_line}p" "$IMA_POLICY_FILE" | wc -l)
+ if [ $lines_to_remove -gt 0 ]; then
+ fn_info "Removing $lines_to_remove lines from IMA policy."
+ sed -i "${start_line},${end_line}d" "$IMA_POLICY_FILE"
+ fi
+}
+
+#=============================================================================
+# Function Name: _fn_generate_from_config
+# Description : generate IMA policy from the configuration file
+# The configuration file should contain SELinux tags, one per line.
+# Each line will be checked if the tag is present in SELinux.
+# Parameter : config file path
+#=============================================================================
+function _fn_generate_from_config()
+{
+ local config_file="$1"
+ # if last line is not empty, add a new line
+ if [ -s $IMA_POLICY_FILE ] && [ "$(tail -c 1 $IMA_POLICY_FILE)" != "" ]; then
+ echo "" >> $IMA_POLICY_FILE
+ fi
+ echo "$IMA_POLICY_GENERATED_PATTERN_START" >> $IMA_POLICY_FILE
+
+ grep -v '^#' $config_file| grep -v '^$'| grep -Ev '^[[:space:]]+'| while read line
+ do
+ # skip empty lines and comments
+ if [ -z "$line" ] || [[ "$line" =~ ^# ]]; then
+ continue
+ fi
+
+ # check tag presence
+ if [ -z "$(seinfo -t "$line" --flat)" ]; then
+ fn_warn "SELinux tag $line is not present in selinux."
+ continue
+ fi
+
+ # check if the tag is already present in the ima policy
+ if grep -q "measure func=FILE_CHECK obj_type=$line" "$IMA_POLICY_FILE"; then
+ fn_info "SELinux tag $line is already present in IMA policy."
+ continue
+ fi
+
+ # append the line to the ima policy
+ echo "measure func=FILE_CHECK obj_type=$line" >> $IMA_POLICY_FILE
+ fn_info "Added SELinux tag $line to IMA policy."
+ done
+ unset line
+ echo "$IMA_POLICY_GENERATED_PATTERN_END" >> $IMA_POLICY_FILE
+}
+
+#=============================================================================
+# Function Name: _fn_activate_ima
+# Description : import ima config to ima
+#=============================================================================
+function _fn_activate_ima()
+{
+ cat $IMA_POLICY_FILE > /sys/kernel/security/ima/policy
+ if [ $? -ne 0 ]; then
+ fn_warn "Failed to activate IMA policy. The kernel may not enable CONFIG_IMA_WRITE_POLICY."
+ fn_warn "You need reboot the system to apply the IMA policy."
+ else
+ fn_info "IMA policy activated successfully."
+ fi
+}
+
+#=============================================================================
+# Function Name: fn_ima_tool_main
+# Description : ima tool main function
+# Parameter : config file path
+# Returns : 0 on success, otherwise on fail
+#=============================================================================
+function fn_ima_tool_main()
+{
+ if [ ! $# -eq 1 ]; then
+ echo ""
+ exit 1
+ fi
+
+ local config_file="$1"
+ # operator must be root
+ if [ `id -u` -ne 0 ]; then
+ echo "You must be logged in as root."
+ exit 1
+ fi
+
+ if [ ! -f /sys/kernel/security/ima/policy ]; then
+ fn_error "IMA is not enabled in the kernel. The IMA policy cannot be generated."
+ return 1
+ fi
+
+ if getenforce | grep -q "Disabled"; then
+ fn_warn "SELinux is not enabled. IMA policy config will remain unchanged."
+ return 1
+ fi
+
+ fn_info "Generating IMA policy..."
+ if [ ! -f $IMA_POLICY_FILE ]; then
+ fn_info "Creating IMA policy at $IMA_POLICY_FILE."
+ touch $IMA_POLICY_FILE
+ chmod 600 $IMA_POLICY_FILE
+ else
+ fn_info "Resetting existing IMA policy at $IMA_POLICY_FILE."
+ _fn_reset_ima_policy
+ fi
+
+ # check if the config file exists
+ if [ ! -f "$config_file" ]; then
+ fn_error "ima configuration file $config_file does not exist."
+ return 1
+ fi
+ _fn_generate_from_config "$config_file"
+ _fn_activate_ima
+}
+
+fn_ima_tool_main
\ No newline at end of file
diff --git a/os-harden-tools/tools/int.03/metadata.json b/os-harden-tools/tools/int.03/metadata.json
new file mode 100644
index 0000000..4a8966b
--- /dev/null
+++ b/os-harden-tools/tools/int.03/metadata.json
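Review bot: The final line calls `fn_ima_tool_main` with no arguments, so `$#` is always 0, the `[ ! $# -eq 1 ]` branch always fires, and the script prints an empty line and exits 1 without ever generating a policy; it should be `fn_ima_tool_main "$@"`, and the branch should print a usage hint such as `echo "Usage: $0 <selinux_tag_list_file>" >&2`. In `_fn_reset_ima_policy`, `start_line`/`end_line` are taken from `grep -n` without limiting to one match, so a policy file left with duplicated markers by an interrupted run yields multi-line values and an invalid `sed` address; `| head -n1 | cut -d: -f1` for the start and `| tail -n1 | cut -d: -f1` for the end keep the range well-formed. `chmod 600` is applied only when the policy file is created, so an existing file with wider permissions keeps them; moving the `chmod` after the `if/else` enforces the mode in both cases.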
@@ -0,0 +1,25 @@
+{
+ "id": "int.03",
+ "name": "启用IMA度量关键文件",
+ "description": "启用IMA度量关键文件。IMA 度量是一个开源的可信计算组件。其维护了一个运行时度量列表,并在 TPM 设备存在时则针对该列表生成整体完整性度量值并记录到 TPM 中。",
+ "entry": "enforce_ima.sh",
+ "parameters": [
+ {
+ "id": "selinux_tags",
+ "name": "selinux 标签列表文件",
+ "description": "该文件包含一个 selinux 标签列表,表示这些标签需要被 ima 度量。要求文件每行一个标签。",
+ "type": "file_list",
+ "cmdline": "%file"
+ }
+ ],
+ "urls": [
+ {
+ "title": "Integrity Measurement Architecture (IMA) Wiki",
+ "url": "https://sourceforge.net/p/linux-ima/wiki/Home/"
+ },
+ {
+ "title": "内核完整性度量(IMA)",
+ "url": "https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/security/trusted_computing/ima.html"
+ }
+ ]
+}
\ No newline at end of file
-- 
Gitee
From 7d7a04403ea61c3483e9735871c4db61bdc73247 Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Mon, 28 Jul 2025 09:36:32 +0800
Subject: [PATCH 006/109] gendoc
---
 os-harden-tools/src/gendoc.py | 105 +++++++++++++++++++++++++++++---
 os-harden-tools/src/metadata.py | 98 ----------------------------
 2 files changed, 97 insertions(+), 106 deletions(-)
 delete mode 100644 os-harden-tools/src/metadata.py
diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py
index 668d44a..33eca8f 100644
--- a/os-harden-tools/src/gendoc.py
+++ b/os-harden-tools/src/gendoc.py
@@ -1,23 +1,112 @@ import argparse +import json import logging +from io import TextIOWrapper from pathlib import Path +from typing import List -from metadata import generate_doc +import jsonschema +TITLE = "安全 OS 配置工具" +METADATA_SCHEMA = json.loads(Path("metadata.schema.json").read_text('utf-8')) -class VersionReader(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - path = Path(values) - if not path.exists(): - raise argparse.ArgumentError(self, f"path {values} is not exist") - setattr(namespace, self.dest, path.resolve()) + +def generate(rule: Path, output_stream: TextIOWrapper): + if not rule.joinpath("metadata.json").is_file(): + raise FileNotFoundError(f"Rule file {rule} does not exist") + + dirname = rule.name + metadata = json.loads(rule.joinpath("metadata.json").read_text('utf-8')) + + # schema check + jsonschema.validate(metadata, METADATA_SCHEMA) + + entry_path = rule.joinpath(metadata['entry']) + if not entry_path.is_file(): + raise FileNotFoundError(f"Entry file {entry_path} for {dirname} does not exist") + if not metadata['id'] == dirname: + raise ValueError(f"Metadata id {metadata['id']} does not match directory name {rule}") + + output_stream.write(f"### {metadata['id']} {metadata['name']}\n\n") + output_stream.write(f"{metadata['description']}\n\n") + output_stream.write(f"#### 参数\n\n") + if 'parameters' in metadata: + for param in metadata['parameters']: + output_stream.write(f"**{param['name']}**\n\n") + output_stream.write(f"{param['description']}\n\n") + else: + output_stream.write("无\n\n") + + if 'urls' in metadata: + output_stream.write("#### 参考文档\n\n") + for url in metadata['urls']: + output_stream.write(f"- [{url['title']}]({url['url']})\n") + output_stream.write("\n") + + +def verify_rule_id(rule_path: Path) -> bool: + rule_id = rule_path.name + if not '.' 
in rule_id: + logging.error(f"Rule directory {rule_path} does not follow naming convention (should be 'category_id.rule_id')") + return False + if not rule_id.split('.')[1].isdigit(): + logging.error(f"Rule directory {rule_path} does not have a valid numeric index after the category ID") + return False + return True + + +def generate_doc(root: Path, overwrite: bool): + categories_file = root.joinpath("categories.json") + if not categories_file.exists(): + raise FileNotFoundError(f"Categories file {categories_file} does not exist") + + categories = json.loads(categories_file.read_text('utf-8')) + jsonschema.validate(categories, json.loads(Path("categories.schema.json").read_text('utf-8'))) + + output = root.joinpath("README.md") + if output.exists(): + if overwrite: + logging.warning("force to generate doc, deleting existing doc files") + output.unlink() + else: + output.touch() + + output_stream = output.open(mode='wt', encoding='utf-8') + output_stream.write(f"# {TITLE}\n\n") + + for category in categories: + category_id = category["id"] + + # find all rules directories starting with category_id + rules: List[Path] = list(root.glob(f"{category_id}.*")) + if not rules: + logging.warning(f"No rules found for category {category_id}") + continue + + output_stream.write(f"## {category['name']}\n\n") + + if 'description' in category: + output_stream.write(f"{category['description']}\n\n") + + for rule in sorted(filter(verify_rule_id, rules), key=lambda r: int(r.name.split('.', 1)[1])): + try: + logging.info(f"Generating doc for dir: {rule.name}") + generate(rule, output_stream) + except Exception as e: + logging.error(f"Error generating doc for dir: {rule.name}") + logging.exception(e) + + output_stream.write("\n") + output_stream.close() def main(): + logging.basicConfig(level=logging.INFO, format='%(asctime)s [%(levelname)8s] %(message)s') args = argparse.ArgumentParser(prog="docgen") args.add_argument("-t", "--rule-dir", type=str, help="rule script directory", 
default=Path("../tools")) args.add_argument('-f', '--force', action='store_true', help="force to generate doc, deleting existing doc files") - args.add_argument("-v", "--version", action="version", version="%(prog)s 1.0") + version_file = Path(__file__).parent.parent.resolve().joinpath("VERSION") + args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) args = args.parse_args() try: diff --git a/os-harden-tools/src/metadata.py b/os-harden-tools/src/metadata.py deleted file mode 100644 index ef938dd..0000000 --- a/os-harden-tools/src/metadata.py +++ /dev/null 
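Review bot: `--version` now resolves `VERSION` relative to `__file__`, but `--rule-dir` keeps `default=Path("../tools")`, which is relative to the working directory and only correct when the tool is started from `src/`; `default=Path(__file__).parent.parent.joinpath("tools")` keeps both lookups consistent. The argument is declared `type=str` with a `Path` default, so `args.rule_dir` is a `Path` when defaulted and a `str` when given (and is wrapped in `Path` again at the call site); `type=Path` removes the asymmetry. `main()` continues past the end of this hunk.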
@@ -1,98 +0,0 @@ -import json -import logging -from io import TextIOWrapper -from pathlib import Path -from typing import List -import jsonschema - -TITLE = "配置工具" -METADATA_SCHEMA = json.loads(Path("metadata.schema.json").read_text('utf-8')) - - -def generate(rule: Path, output_stream: TextIOWrapper): - if not rule.joinpath("metadata.json").is_file(): - raise FileNotFoundError(f"Rule file {rule} does not exist") - - dirname = rule.name - metadata = json.loads(rule.joinpath("metadata.json").read_text('utf-8')) - - # schema check - jsonschema.validate(metadata, METADATA_SCHEMA) - - entry_path = rule.joinpath(metadata['entry']) - if not entry_path.is_file(): - raise FileNotFoundError(f"Entry file {entry_path} for {dirname} does not exist") - if not metadata['id'] == dirname: - raise ValueError(f"Metadata id {metadata['id']} does not match directory name {rule}") - - output_stream.write(f"### {metadata['id']} {metadata['name']}\n\n") - output_stream.write(f"{metadata['description']}\n\n") - output_stream.write(f"#### 参数\n\n") - if 'parameters' in metadata: - for param in metadata['parameters']: - output_stream.write(f"**{param['name']}**\n\n") - output_stream.write(f"{param['description']}\n\n") - else: - output_stream.write("无\n\n") - - if 'urls' in metadata: - output_stream.write("#### 参考文档\n\n") - for url in metadata['urls']: - output_stream.write(f"- [{url['title']}]({url['url']})\n") - output_stream.write("\n") - - -def verify_rule_id(rule_path: Path) -> bool: - rule_id = rule_path.name - if not '.' 
in rule_id: - logging.error(f"Rule directory {rule_path} does not follow naming convention (should be 'category_id.rule_id')") - return False - if not rule_id.split('.')[1].isdigit(): - logging.error(f"Rule directory {rule_path} does not have a valid numeric index after the category ID") - return False - return True - - -def generate_doc(root: Path, overwrite: bool): - categories_file = root.joinpath("categories.json") - if not categories_file.exists(): - raise FileNotFoundError(f"Categories file {categories_file} does not exist") - - categories = json.loads(categories_file.read_text('utf-8')) - jsonschema.validate(categories, json.loads(Path("categories.schema.json").read_text('utf-8'))) - - output = root.joinpath("README.md") - if output.exists(): - if overwrite: - logging.warning("force to generate doc, deleting existing doc files") - output.unlink() - else: - output.touch() - - output_stream = output.open(mode='wt', encoding='utf-8') - output_stream.write(f"# {TITLE}\n\n") - - for category in categories: - category_id = category["id"] - - # find all rules directories starting with category_id - rules: List[Path] = list(root.glob(f"{category_id}.*")) - if not rules: - logging.warning(f"No rules found for category {category_id}") - continue - - output_stream.write(f"## {category['name']}\n\n") - - if 'description' in category: - output_stream.write(f"{category['description']}\n\n") - - for rule in sorted(filter(verify_rule_id, rules), key=lambda r: int(r.name.split('.', 1)[1])): - try: - logging.info(f"Generating doc for dir: {rule.name}") - generate(rule, output_stream) - except Exception as e: - logging.error(f"Error generating doc for dir: {rule.name}") - logging.exception(e) - - output_stream.write("\n") - output_stream.close() -- Gitee From 3ee149fc5030ee576b3eaf47c69d1f6a688fd681 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Mon, 28 Jul 2025 09:45:04 +0800 Subject: [PATCH 007/109] path fix --- .../{src => schema}/categories.schema.json | 0 .../{src => schema}/metadata.schema.json | 0 os-harden-tools/src/gendoc.py | 14 ++++++++++---- 3 files changed, 10 insertions(+), 4 deletions(-) rename os-harden-tools/{src => schema}/categories.schema.json (100%) rename os-harden-tools/{src => schema}/metadata.schema.json (100%) diff --git a/os-harden-tools/src/categories.schema.json b/os-harden-tools/schema/categories.schema.json similarity index 100% rename from os-harden-tools/src/categories.schema.json rename to os-harden-tools/schema/categories.schema.json diff --git a/os-harden-tools/src/metadata.schema.json b/os-harden-tools/schema/metadata.schema.json similarity index 100% rename from os-harden-tools/src/metadata.schema.json rename to os-harden-tools/schema/metadata.schema.json diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py index 33eca8f..6590347 100644 --- a/os-harden-tools/src/gendoc.py +++ b/os-harden-tools/src/gendoc.py @@ -8,7 +8,8 @@ from typing import List import jsonschema TITLE = "安全 OS 配置工具" -METADATA_SCHEMA = json.loads(Path("metadata.schema.json").read_text('utf-8')) +METADATA_SCHEMA = {} +CATEGORIES_SCHEMA = {} def generate(rule: Path, output_stream: TextIOWrapper): @@ -61,7 +62,7 @@ def generate_doc(root: Path, overwrite: bool): raise FileNotFoundError(f"Categories file {categories_file} does not exist") categories = json.loads(categories_file.read_text('utf-8')) - jsonschema.validate(categories, json.loads(Path("categories.schema.json").read_text('utf-8'))) + jsonschema.validate(categories, CATEGORIES_SCHEMA) output = root.joinpath("README.md") if output.exists(): 
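Review bot: Initialising `METADATA_SCHEMA = {}` and `CATEGORIES_SCHEMA = {}` turns schema validation into a silent no-op on any path that does not go through `main()`, because `jsonschema.validate(doc, {})` accepts every document; the real schemas are only loaded into the globals inside the `try` of the `main()` hunk later in this file, so an import-and-call of `generate_doc()` or `generate()` validates nothing. The `generate_doc` hunk in this same commit reads `CATEGORIES_SCHEMA` the same way. A safer default is `None` with an explicit check where it is used, e.g. `if CATEGORIES_SCHEMA is None: raise RuntimeError("schemas not loaded")`, or loading both schemas at module level relative to `Path(__file__)` so they are never empty.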
@@ -102,14 +103,19 @@ def generate_doc(root: Path, overwrite: bool): def main(): logging.basicConfig(level=logging.INFO, format='%(asctime)s [%(levelname)8s] %(message)s') + script_dir = Path(__file__).parent.parent.resolve() args = argparse.ArgumentParser(prog="docgen") - args.add_argument("-t", "--rule-dir", type=str, help="rule script directory", default=Path("../tools")) + args.add_argument("-t", "--rule-dir", type=str, help="rule script directory", default=script_dir.joinpath('tools')) args.add_argument('-f', '--force', action='store_true', help="force to generate doc, deleting existing doc files") - version_file = Path(__file__).parent.parent.resolve().joinpath("VERSION") + version_file = script_dir.joinpath("VERSION") args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) args = args.parse_args() try: + global METADATA_SCHEMA + METADATA_SCHEMA = json.loads(script_dir.joinpath('schema/metadata.schema.json').read_text('utf-8')) + global CATEGORIES_SCHEMA + CATEGORIES_SCHEMA = json.loads(script_dir.joinpath('schema/categories.schema.json').read_text('utf-8')) generate_doc(Path(args.rule_dir), overwrite=args.force) except Exception as e: logging.exception(e) -- Gitee From 50c01a5a7247d28fb0c1c29f801a29e1af3822bd Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 28 Jul 2025 10:09:28 +0800 Subject: [PATCH 008/109] change to template --- os-harden-tools/schema/metadata.schema.json | 2 +- os-harden-tools/tools/int.03/metadata.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/os-harden-tools/schema/metadata.schema.json b/os-harden-tools/schema/metadata.schema.json index adc19b2..48b6810 100644 --- a/os-harden-tools/schema/metadata.schema.json +++ b/os-harden-tools/schema/metadata.schema.json 
@@ -45,7 +45,7 @@ "type": "string", "description": "parameter type, use to convert config value to script argument" }, - "cmdline": { + "cmd_template": { "type": "string", "description": "command option for parameter to pass into the script, leave blank if no command option" } diff --git a/os-harden-tools/tools/int.03/metadata.json b/os-harden-tools/tools/int.03/metadata.json index 4a8966b..1d48a64 100644 --- a/os-harden-tools/tools/int.03/metadata.json +++ b/os-harden-tools/tools/int.03/metadata.json @@ -9,7 +9,7 @@ "name": "selinux 标签列表文件", "description": "该文件包含一个 selinux 标签列表,表示这些标签需要被 ima 度量。要求文件每行一个标签。", "type": "file_list", - "cmdline": "%file" + "cmd_template": "%file" } ], "urls": [ -- Gitee From 54cc30134cb1c9be7db51002593554f78f5bc0c1 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 28 Jul 2025 10:09:49 +0800 Subject: [PATCH 009/109] remove keep --- os-harden-tools/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 os-harden-tools/.gitkeep diff --git a/os-harden-tools/.gitkeep b/os-harden-tools/.gitkeep deleted file mode 100644 index e69de29..0000000 -- Gitee From 7b3556520da041c0e9af5f8fc79514568ad3ef0d Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 28 Jul 2025 11:15:13 +0800 Subject: [PATCH 010/109] add verifier --- os-harden-tools/src/config/__init__.py | 2 + os-harden-tools/src/config/file_list.py | 38 ++++++++ os-harden-tools/src/config/generator.py | 112 ++++++++++++++++++++++++ os-harden-tools/src/gendoc.py | 16 +++- 4 files changed, 167 insertions(+), 1 deletion(-) create mode 100644 os-harden-tools/src/config/__init__.py create mode 100644 os-harden-tools/src/config/file_list.py create mode 100644 os-harden-tools/src/config/generator.py diff --git a/os-harden-tools/src/config/__init__.py b/os-harden-tools/src/config/__init__.py new file mode 100644 index 0000000..6079b13 --- /dev/null +++ b/os-harden-tools/src/config/__init__.py 
@@ -0,0 +1,2 @@ +from .generator import ExecuteConfig, ConfigConverter, CmdBuilder +from .file_list import FileListConverter \ No newline at end of file diff --git a/os-harden-tools/src/config/file_list.py b/os-harden-tools/src/config/file_list.py new file mode 100644 index 0000000..8fe56f2 --- /dev/null +++ b/os-harden-tools/src/config/file_list.py @@ -0,0 +1,38 @@ +from typing import Dict + +from .generator import ConfigConverter, ExecuteConfig + +from tempfile import NamedTemporaryFile + + +class FileListConverter(ConfigConverter): + def __init__(self): + super().__init__() + self.temp_file = None + + @property + def tool_id(self) -> str: + return "file_list" + + def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], config) -> ExecuteConfig: + self.temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list") + self.temp_file.writelines(list(config)) + execute_config.add_variable("file", self.temp_file.name) + return execute_config + + def verify(self, execute_config: ExecuteConfig, metadata: Dict[str, str]): + place_holder = execute_config.variable_placeholder + if len(place_holder) != 1: + raise ValueError(f"Expected exactly one placeholder, found {len(place_holder)}") + if "file" not in place_holder: + raise ValueError("Placeholder 'file' not found in the execute config variables") + + def cleanup(self): + if self.temp_file: + try: + self.temp_file.close() + except Exception as e: + print(f"Error closing temp file: {e}") + finally: + import os + os.remove(self.temp_file.name) diff --git a/os-harden-tools/src/config/generator.py b/os-harden-tools/src/config/generator.py new file mode 100644 index 0000000..520a726 --- /dev/null +++ b/os-harden-tools/src/config/generator.py 
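Review bot: `generate()` returns `self.temp_file.name` to the caller while the `NamedTemporaryFile` is still open and unflushed, and `writelines(list(config))` emits the entries without newline separators, so whatever consumes the path may see an empty or single-line file; add `self.temp_file.flush()` after writing and terminate each entry. `cleanup()` never resets `self.temp_file`, so a second call reaches the `finally` and `os.remove` raises `FileNotFoundError`; set `self.temp_file = None` after removal and move `import os` to the module top. Because one converter instance is reused across rules, each further `generate()` call also overwrites the previous handle without removing its file.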
@@ -0,0 +1,112 @@ +import abc +import logging +from pathlib import Path +from typing import Dict, Optional, List, Any + + +class ExecuteConfig: + def __init__(self, cmd_template=None): + if cmd_template is None: + cmd_template = [] + if isinstance(cmd_template, str): + cmd_template = cmd_template.split(' ') + self._cmd_template: List[str] = cmd_template + self._cmd_variables: Dict[str, str] = {} + self._env: Dict[str, str] = {} + self._variable_index: Dict[str, int] = self._parse_cmd_template() + + def _parse_cmd_template(self) -> Dict[str, int]: + escape_indexes = [] + variable_index: Dict[str, int] = {} + for i, cmd in enumerate(self._cmd_template): + if cmd.startswith('%%'): + escape_indexes.append(i) + continue + if cmd.startswith('%'): + variable_id = cmd[1:] + if len(variable_id) == 0: + raise ValueError('invalid cmd template with no id') + if variable_id in variable_index: + raise ValueError(f'duplicate cmd template id') + variable_index[variable_id] = i + for i in escape_indexes: + # remove prefix escaping char % in %% + self._cmd_template[i] = self._cmd_template[i][1:] + return variable_index + + def add_variable(self, variable_id: str, value: str): + self._cmd_variables[variable_id] = value + + def add_env(self, name: str, value: str): + self._env[name] = value + + @property + def variable_placeholder(self): + return self._variable_index.copy() + + @property + def cmd_template(self) -> List[str]: + return self._cmd_template.copy() + + def generate_cmd(self) -> List[str]: + self._parse_cmd_template() + # make a copy here + cmd = self._cmd_template.copy() + for variable_id, value in self._cmd_variables.items(): + if variable_id not in self._variable_index: + logging.warning(f'variable {variable_id} not found in cmd template') + continue + index = self._variable_index[variable_id] + cmd[index] = value + return cmd + + +class ConfigConverter(abc.ABC): + def __init__(self): + pass + + @abc.abstractmethod + def generate(self, execute_config: ExecuteConfig, 
metadata: Dict[str, str], config) -> ExecuteConfig: + pass + + def cleanup(self): + pass + + @abc.abstractmethod + def verify(self, execute_config: ExecuteConfig, metadata: Dict[str, str]): + pass + + @property + @abc.abstractmethod + def tool_id(self) -> str: + pass + + +class CmdBuilder: + def __init__(self): + self._converter: Dict[str, ConfigConverter] = {} + for cls in ConfigConverter.__subclasses__(): + converter_instance = cls() + self._converter[converter_instance.tool_id] = converter_instance + + def find_converter(self, converter_type: str) -> Optional[ConfigConverter]: + return self._converter.get(converter_type, None) + + def _generate(self, param_metadata: List[Dict[str, str]], config: Dict[str, Any]) -> List[ExecuteConfig]: + result = [] + for metadata in param_metadata: + execute_config = ExecuteConfig(cmd_template=metadata['cmd_template'] if 'cmd_template' in metadata else []) + + converter_type = metadata['type'] + converter = self.find_converter(converter_type) + if not converter: + raise NotImplementedError(f'converter of type {converter_type} is not implemented') + result.append(converter.generate(execute_config, metadata, config)) + return result + + def build(self, entry: Path, param_metadata: List[Dict[str, str]], config: Dict[str, Any]) -> List[str]: + execute_configs = self._generate(param_metadata, config) + cmd = [str(entry.absolute())] + for execute_config in execute_configs: + cmd.extend(execute_config.generate_cmd()) + return cmd diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py index 6590347..fae5073 100644 --- a/os-harden-tools/src/gendoc.py +++ b/os-harden-tools/src/gendoc.py 
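Review bot: `generate_cmd()` calls `_parse_cmd_template()` again on every invocation, and that method strips the leading `%` from `%%`-escaped tokens in place, so after the first call an escaped token such as `%%x` has become `%x` and is reparsed as a placeholder named `x` (the fresh index it returns is discarded, so `_variable_index` stays stale as well). Parse once in `__init__` and keep the unescaped template in a separate list, or make `_parse_cmd_template` non-mutating. `cmd_template.split(' ')` also yields empty argv elements for repeated spaces and cannot express an argument containing a space; `shlex.split` is the usual choice. Substituting values as whole argv elements rather than through a shell is the right design here, since it keeps a config value from being interpreted as a command.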
@@ -3,13 +3,26 @@ import json import logging from io import TextIOWrapper from pathlib import Path -from typing import List +from typing import List, Dict import jsonschema +from config import ExecuteConfig, CmdBuilder + TITLE = "安全 OS 配置工具" METADATA_SCHEMA = {} CATEGORIES_SCHEMA = {} +VERIFIER = CmdBuilder() + + +def verify_parameters(param_metadata: List[Dict[str, str]]): + for metadata in param_metadata: + execute_config = ExecuteConfig(cmd_template=metadata['cmd_template'] if 'cmd_template' in metadata else []) + converter_type = metadata['type'] + converter = VERIFIER.find_converter(converter_type) + if not converter: + raise NotImplementedError(f'converter of type {converter_type} is not implemented') + converter.verify(execute_config, metadata) def generate(rule: Path, output_stream: TextIOWrapper): @@ -32,6 +45,7 @@ def generate(rule: Path, output_stream: TextIOWrapper): output_stream.write(f"{metadata['description']}\n\n") output_stream.write(f"#### 参数\n\n") if 'parameters' in metadata: + verify_parameters(metadata['parameters']) for param in metadata['parameters']: output_stream.write(f"**{param['name']}**\n\n") output_stream.write(f"{param['description']}\n\n") -- Gitee From 0076c474f9ee9d91bcb295785025c1c977af452e Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Mon, 28 Jul 2025 16:27:57 +0800 Subject: [PATCH 011/109] add rule manager to verify rules --- os-harden-tools/os-harden-tool.spec | 4 +- os-harden-tools/schema/metadata.schema.json | 2 +- os-harden-tools/src/config/__init__.py | 2 +- os-harden-tools/src/config/file_list.py | 4 +- os-harden-tools/src/config/generator.py | 37 ++++-- os-harden-tools/src/config_parser.py | 42 +++++++ os-harden-tools/src/gendoc.py | 84 +++---------- os-harden-tools/src/rules.py | 124 ++++++++++++++++++++ os-harden-tools/src/utils.py | 12 ++ 9 files changed, 232 insertions(+), 79 deletions(-) create mode 100644 os-harden-tools/src/config_parser.py create mode 100644 os-harden-tools/src/rules.py create mode 100644 os-harden-tools/src/utils.py diff --git a/os-harden-tools/os-harden-tool.spec b/os-harden-tools/os-harden-tool.spec index 3bb7094..bf3a61f 100644 --- a/os-harden-tools/os-harden-tool.spec +++ b/os-harden-tools/os-harden-tool.spec @@ -3,7 +3,9 @@ Name : os-harden-tools Version: 1.0 Release: 1.0 Source0: src -Source1: conf +Source1: schema +Source2: tools +Source3: VERSION License: Mulan PSL v2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: python3 python3-pyyaml python3-jsonschema diff --git a/os-harden-tools/schema/metadata.schema.json b/os-harden-tools/schema/metadata.schema.json index 48b6810..59b6b53 100644 --- a/os-harden-tools/schema/metadata.schema.json +++ b/os-harden-tools/schema/metadata.schema.json @@ -50,7 +50,7 @@ "description": "command option for parameter to pass into the script, leave blank if no command option" } }, - "required": ["id", "name", "description", "type"] + "required": ["id", "name", "description", "type", "cmd_template"] } }, "urls": { diff --git a/os-harden-tools/src/config/__init__.py b/os-harden-tools/src/config/__init__.py index 6079b13..21d11c9 100644 --- a/os-harden-tools/src/config/__init__.py +++ b/os-harden-tools/src/config/__init__.py 
@@ -1,2 +1,2 @@ -from .generator import ExecuteConfig, ConfigConverter, CmdBuilder +from .generator import ExecuteConfig, ConfigConverter, ConverterManager from .file_list import FileListConverter \ No newline at end of file diff --git a/os-harden-tools/src/config/file_list.py b/os-harden-tools/src/config/file_list.py index 8fe56f2..45d6c38 100644 --- a/os-harden-tools/src/config/file_list.py +++ b/os-harden-tools/src/config/file_list.py @@ -14,9 +14,9 @@ class FileListConverter(ConfigConverter): def tool_id(self) -> str: return "file_list" - def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], config) -> ExecuteConfig: + def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], value: str) -> ExecuteConfig: self.temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list") - self.temp_file.writelines(list(config)) + self.temp_file.writelines(value.split(",")) execute_config.add_variable("file", self.temp_file.name) return execute_config diff --git a/os-harden-tools/src/config/generator.py b/os-harden-tools/src/config/generator.py index 520a726..6c83eb7 100644 --- a/os-harden-tools/src/config/generator.py +++ b/os-harden-tools/src/config/generator.py @@ -1,7 +1,7 @@ import abc import logging from pathlib import Path -from typing import Dict, Optional, List, Any +from typing import Dict, Optional, List class ExecuteConfig: @@ -66,7 +66,7 @@ class ConfigConverter(abc.ABC): pass @abc.abstractmethod - def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], config) -> ExecuteConfig: + def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], config: str) -> ExecuteConfig: pass def cleanup(self): 
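Review bot: `self.temp_file.writelines(value.split(","))` writes the labels back to back with no line terminators, because `writelines` does not add any, whereas the `tools/int.03/metadata.json` description earlier in this series says the file holds one label per line. Write `self.temp_file.write("\n".join(value.split(",")) + "\n")` and flush before the path is handed out. The same defect remains in the commit 012 hunk of this file that changes the call to `writelines(value)`.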
@@ -82,29 +82,52 @@ class ConfigConverter(abc.ABC): pass -class CmdBuilder: +class ConverterManager: + _instance = None + + def __new__(cls, *args, **kwargs): + if cls._instance is None: + cls._instance = super().__new__(cls) + return cls._instance + def __init__(self): self._converter: Dict[str, ConfigConverter] = {} for cls in ConfigConverter.__subclasses__(): converter_instance = cls() + tool_id = converter_instance.tool_id + if tool_id in self._converter: + raise ValueError(f'Converter with tool_id {tool_id} already exists') self._converter[converter_instance.tool_id] = converter_instance def find_converter(self, converter_type: str) -> Optional[ConfigConverter]: return self._converter.get(converter_type, None) - def _generate(self, param_metadata: List[Dict[str, str]], config: Dict[str, Any]) -> List[ExecuteConfig]: + def verify(self, param_metadata: List[Dict[str, str]]): + for metadata in param_metadata: + converter_type = metadata['type'] + converter = self.find_converter(converter_type) + if not converter: + raise NotImplementedError(f'converter of type {converter_type} is not implemented') + try: + converter.verify(ExecuteConfig(cmd_template=metadata['cmd_template']), metadata) + except Exception as e: + logging.error(f"Verification failed for parameter: {metadata['id']}") + logging.exception(e) + raise e + + def _generate(self, param_metadata: List[Dict[str, str]], config: Dict[str, str]) -> List[ExecuteConfig]: result = [] for metadata in param_metadata: - execute_config = ExecuteConfig(cmd_template=metadata['cmd_template'] if 'cmd_template' in metadata else []) + execute_config = ExecuteConfig(cmd_template=metadata['cmd_template']) converter_type = metadata['type'] converter = self.find_converter(converter_type) if not converter: raise NotImplementedError(f'converter of type {converter_type} is not implemented') - result.append(converter.generate(execute_config, metadata, config)) + result.append(converter.generate(execute_config, metadata, 
config[metadata['id']])) return result - def build(self, entry: Path, param_metadata: List[Dict[str, str]], config: Dict[str, Any]) -> List[str]: + def build_cmd(self, entry: Path, param_metadata: List[Dict[str, str]], config: Dict[str, str]) -> List[str]: execute_configs = self._generate(param_metadata, config) cmd = [str(entry.absolute())] for execute_config in execute_configs: diff --git a/os-harden-tools/src/config_parser.py b/os-harden-tools/src/config_parser.py new file mode 100644 index 0000000..5031de4 --- /dev/null +++ b/os-harden-tools/src/config_parser.py @@ -0,0 +1,42 @@ +import logging +from configparser import ConfigParser +from pathlib import Path +from typing import Dict, List + + +def verify_config_name(path: Path) -> bool: + name = path.name + if not '-' in name: + logging.error(f"Config {path} does not follow naming convention (should be 'priority.config_name')") + return False + if not name.split('-')[1].isdigit(): + logging.error(f"Config {path} does not have a valid priority index") + return False + return True + + +def parse_config(config_dir: Path) -> Dict[str, Dict[str, str]]: + baseline = config_dir.joinpath("secharden.conf") + user_config = config_dir.joinpath("secharden.conf.d") + + result: Dict[str, Dict[str, str]] = {} + file_collection = [] + if baseline.exists(): + file_collection.append(baseline) + + if user_config.exists() and user_config.is_dir(): + configs: List[Path] = list(user_config.glob(f"*-*.conf")) + file_collection.extend(sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[1]))) + + if len(file_collection) == 0: + raise FileNotFoundError(f"No config file found in {config_dir}") + + parser = ConfigParser() + parser.read(file_collection, encoding='utf-8') + for section in parser.sections(): + sub = parser[section] + config: Dict[str, str] = {} + for key, value in sub.items(): + config[key] = value + result[section] = config + return result 
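Review bot: The `__new__` override in `ConverterManager` does not make it a singleton in practice: Python still runs `__init__` on every `ConverterManager()` call, so each call (one per rule from `RuleManager._verify_metadata`) rebuilds `self._converter` with fresh converter instances, discards state such as `FileListConverter.temp_file`, and the duplicate-`tool_id` check can never fire across calls. Guard the initialisation, e.g. `if getattr(self, '_converter', None) is not None: return` at the top of `__init__`, or drop the singleton and pass a single instance around. `verify()` also logs the exception and then re-raises it to a caller that logs it again, producing duplicate tracebacks; log in one place only.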
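Review bot: `verify_config_name()` rejects every file the `*-*.conf` glob can return: `path.name` still carries the `.conf` suffix, so `name.split('-')[1].isdigit()` is false for `foo-10.conf`, and `parse_config` then raises `FileNotFoundError` even when drop-in files exist. Use `path.stem` in both the check and the sort key, `if not path.stem.split('-', 1)[1].isdigit():` and `key=lambda r: int(r.stem.split('-', 1)[1])`. The error text `should be 'priority.config_name'` also names a `.` separator while the code checks for `-`.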
diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py index fae5073..13a47c8 100644 --- a/os-harden-tools/src/gendoc.py +++ b/os-harden-tools/src/gendoc.py 
@@ -1,51 +1,25 @@ +#!/usr/bin/python3 + import argparse import json import logging from io import TextIOWrapper from pathlib import Path -from typing import List, Dict - -import jsonschema -from config import ExecuteConfig, CmdBuilder +from rules import RuleManager +from utils import DirectoryPathVerifier TITLE = "安全 OS 配置工具" -METADATA_SCHEMA = {} -CATEGORIES_SCHEMA = {} -VERIFIER = CmdBuilder() - - -def verify_parameters(param_metadata: List[Dict[str, str]]): - for metadata in param_metadata: - execute_config = ExecuteConfig(cmd_template=metadata['cmd_template'] if 'cmd_template' in metadata else []) - converter_type = metadata['type'] - converter = VERIFIER.find_converter(converter_type) - if not converter: - raise NotImplementedError(f'converter of type {converter_type} is not implemented') - converter.verify(execute_config, metadata) - -def generate(rule: Path, output_stream: TextIOWrapper): +def generate_rule(rule: Path, output_stream: TextIOWrapper): if not rule.joinpath("metadata.json").is_file(): raise FileNotFoundError(f"Rule file {rule} does not exist") - - dirname = rule.name metadata = json.loads(rule.joinpath("metadata.json").read_text('utf-8')) - # schema check - jsonschema.validate(metadata, METADATA_SCHEMA) - - entry_path = rule.joinpath(metadata['entry']) - if not entry_path.is_file(): - raise FileNotFoundError(f"Entry file {entry_path} for {dirname} does not exist") - if not metadata['id'] == dirname: - raise ValueError(f"Metadata id {metadata['id']} does not match directory name {rule}") - output_stream.write(f"### {metadata['id']} {metadata['name']}\n\n") output_stream.write(f"{metadata['description']}\n\n") output_stream.write(f"#### 参数\n\n") if 'parameters' in metadata: - verify_parameters(metadata['parameters']) for param in metadata['parameters']: output_stream.write(f"**{param['name']}**\n\n") output_stream.write(f"{param['description']}\n\n") 
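Review bot: `generate_rule()` no longer performs the schema, entry-file and id checks that `generate()` did; they now live in `RuleManager`, but nothing in this function records that dependency for callers that pass an arbitrary path. Add a docstring such as `"""Append the Markdown section for one rule. `rule` must come from RuleManager.get_rule_path(), whose metadata.json has already been schema-validated; this function performs no validation itself."""`. The function body continues past the end of this hunk.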
@@ -59,56 +33,34 @@ def generate(rule: Path, output_stream: TextIOWrapper): output_stream.write("\n") -def verify_rule_id(rule_path: Path) -> bool: - rule_id = rule_path.name - if not '.' in rule_id: - logging.error(f"Rule directory {rule_path} does not follow naming convention (should be 'category_id.rule_id')") - return False - if not rule_id.split('.')[1].isdigit(): - logging.error(f"Rule directory {rule_path} does not have a valid numeric index after the category ID") - return False - return True - - def generate_doc(root: Path, overwrite: bool): - categories_file = root.joinpath("categories.json") - if not categories_file.exists(): - raise FileNotFoundError(f"Categories file {categories_file} does not exist") - - categories = json.loads(categories_file.read_text('utf-8')) - jsonschema.validate(categories, CATEGORIES_SCHEMA) + rules = RuleManager(root) output = root.joinpath("README.md") if output.exists(): if overwrite: logging.warning("force to generate doc, deleting existing doc files") output.unlink() + else: + raise FileExistsError(f"File {output} already exists") else: output.touch() output_stream = output.open(mode='wt', encoding='utf-8') output_stream.write(f"# {TITLE}\n\n") - for category in categories: - category_id = category["id"] - - # find all rules directories starting with category_id - rules: List[Path] = list(root.glob(f"{category_id}.*")) - if not rules: - logging.warning(f"No rules found for category {category_id}") - continue - + for category_id, category in rules.categories.items(): output_stream.write(f"## {category['name']}\n\n") if 'description' in category: output_stream.write(f"{category['description']}\n\n") - for rule in sorted(filter(verify_rule_id, rules), key=lambda r: int(r.name.split('.', 1)[1])): + for rule in rules.get_rules_by_category(category_id): try: - logging.info(f"Generating doc for dir: {rule.name}") - generate(rule, output_stream) + logging.info(f"Generating doc for rule: {rule}") + 
generate_rule(rules.get_rule_path(rule), output_stream) except Exception as e: - logging.error(f"Error generating doc for dir: {rule.name}") + logging.error(f"Error generating doc for rule: {rule}") logging.exception(e) output_stream.write("\n") @@ -119,17 +71,15 @@ def main(): logging.basicConfig(level=logging.INFO, format='%(asctime)s [%(levelname)8s] %(message)s') script_dir = Path(__file__).parent.parent.resolve() args = argparse.ArgumentParser(prog="docgen") - args.add_argument("-t", "--rule-dir", type=str, help="rule script directory", default=script_dir.joinpath('tools')) - args.add_argument('-f', '--force', action='store_true', help="force to generate doc, deleting existing doc files") + args.add_argument("-t", "--rule-dir", action=DirectoryPathVerifier, + help="rule script directory", default=script_dir.joinpath('tools')) + args.add_argument('-f', '--force', action='store_true', + help="force to generate doc, deleting existing doc files") version_file = script_dir.joinpath("VERSION") args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) args = args.parse_args() try: - global METADATA_SCHEMA - METADATA_SCHEMA = json.loads(script_dir.joinpath('schema/metadata.schema.json').read_text('utf-8')) - global CATEGORIES_SCHEMA - CATEGORIES_SCHEMA = json.loads(script_dir.joinpath('schema/categories.schema.json').read_text('utf-8')) generate_doc(Path(args.rule_dir), overwrite=args.force) except Exception as e: logging.exception(e) diff --git a/os-harden-tools/src/rules.py b/os-harden-tools/src/rules.py new file mode 100644 index 0000000..134dbe4 --- /dev/null +++ b/os-harden-tools/src/rules.py 
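Review bot: `output.touch()` followed by `output.open(mode='wt', encoding='utf-8')` is redundant, and the stream is opened without a context manager, so an exception outside the per-rule `try` (for example from `rules.categories` or the header write) leaves the handle open; `with output.open(mode='wt', encoding='utf-8') as output_stream:` around the writing loop removes both. The `output_stream.close()` that pairs with this open is outside the hunk.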
@@ -0,0 +1,124 @@ +import json +import logging +from pathlib import Path +from typing import Dict, Any, List + +import jsonschema + +from config import ConverterManager + + +def load_json_file(file_path: Path): + if not file_path.exists(): + raise FileNotFoundError(f"File not found: {file_path}") + return json.loads(file_path.read_text('utf-8')) + + +class RuleManager: + def __init__(self, rules_dir: Path): + self._dir = rules_dir.resolve() + if not self._dir.exists(): + raise FileNotFoundError(f"Rules directory does not exist: {self._dir}") + if not self._dir.is_dir(): + raise NotADirectoryError(f"Path is not a directory: {self._dir}") + + self._rules: List[str] = [] + self._categories: Dict[str, Dict[str, Any]] = {} + home_dir = Path(__file__).parent.parent.resolve() + self._metadata_schema = load_json_file(home_dir.joinpath('schema/metadata.schema.json')) + self._categories_schema = load_json_file(home_dir.joinpath('schema/categories.schema.json')) + + self.reload_rules() + + @property + def path(self) -> Path: + return self._dir + + @property + def categories(self) -> Dict[str, Dict[str, Any]]: + return self._categories.copy() + + @property + def rules(self) -> List[str]: + return self._rules + + def get_rules_by_category(self, category_id: str) -> List[str]: + if category_id not in self._categories: + raise KeyError(f"Category with ID {category_id} not found") + return [rule for rule in self._rules if rule.startswith(category_id + '.')] + + def get_rule_path(self, rule_id: str) -> Path: + if rule_id not in self._rules: + raise KeyError(f"Rule with ID {rule_id} not found") + return self._dir.joinpath(rule_id).resolve() + + def get_category_desc(self, category_id: str) -> Dict[str, Any]: + if category_id not in self._categories: + raise KeyError(f"Category with ID {category_id} not found") + return self._categories[category_id] + + def _verify_metadata(self, rule_path: Path) -> bool: + metadata = json.loads(rule_path.joinpath("metadata.json").read_text('utf-8')) 
+ try: + jsonschema.validate(metadata, self._metadata_schema) + except Exception as e: + logging.error(f"Rule path {rule_path} does not contain a valid metadata.json file") + logging.exception(e) + return False + + entry_path = rule_path.joinpath(metadata['entry']) + if not entry_path.is_file(): + logging.error(f"Entry file {entry_path} for {rule_path.name} does not exist") + return False + if not metadata['id'] == rule_path.name: + logging.error(f"Metadata id {metadata['id']} does not match directory name {rule_path.name}") + return False + + if 'parameters' in metadata: + try: + ConverterManager().verify(metadata['parameters']) + except Exception as e: + logging.error(f"parameter verification failed for {rule_path.name}") + logging.exception(e) + return False + return True + + def _verify_rule_dir(self, rule_path: Path) -> bool: + rule_id = rule_path.name + if not '.' in rule_id: + logging.error( + f"Rule directory {rule_path} does not follow naming convention (should be 'category_id.rule_id')") + return False + if not rule_id.split('.')[1].isdigit(): + logging.error(f"Rule directory {rule_path} does not have a valid numeric index after the category ID") + return False + if not rule_path.joinpath("metadata.json").is_file(): + logging.error(f"Rule path {rule_path} does not contain a metadata.json file") + return False + + return self._verify_metadata(rule_path) + + def reload_rules(self): + categories: List[Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json')) + jsonschema.validate(categories, self._categories_schema) + + # id is verified by jsonschema + categories = sorted(categories, key=lambda c: c['id']) + for category in categories: + category_id = category["id"] + self._categories[category_id] = category + + # collect all valid rules + rules: List[Path] = [] + for rule_path in self._dir.glob(f"{category_id}.*"): + if not self._verify_rule_dir(rule_path): + logging.warning(f"Rule path {rule_path} is not valid") + continue + 
rules.append(rule_path) + + if len(rules) == 0: + logging.error(f"No rules found for category {category_id}") + continue + + for rule in sorted(rules, key=lambda r: int(r.name.split('.', 1)[1])): + self._rules.append(rule.name) diff --git a/os-harden-tools/src/utils.py b/os-harden-tools/src/utils.py new file mode 100644 index 0000000..a2aedaa --- /dev/null +++ b/os-harden-tools/src/utils.py @@ -0,0 +1,12 @@ +import argparse +from pathlib import Path + + +class DirectoryPathVerifier(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + p = Path(values) + if not p.exists(): + raise argparse.ArgumentTypeError(f"Directory '{values}' does not exist.") + if not p.is_dir(): + raise argparse.ArgumentTypeError(f"'{values}' is not a directory.") + setattr(namespace, self.dest, values) \ No newline at end of file -- Gitee From 40f7a087e17e078ac84b4c3ca10b407b7387482c Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 28 Jul 2025 17:20:32 +0800 Subject: [PATCH 012/109] change to use yaml --- os-harden-tools/src/config/file_list.py | 6 +++-- os-harden-tools/src/config/generator.py | 19 +++++++++++---- os-harden-tools/src/config_parser.py | 31 +++++++++++++------------ os-harden-tools/src/utils.py | 7 ++++++ 4 files changed, 41 insertions(+), 22 deletions(-) diff --git a/os-harden-tools/src/config/file_list.py b/os-harden-tools/src/config/file_list.py index 45d6c38..16394aa 100644 --- a/os-harden-tools/src/config/file_list.py +++ b/os-harden-tools/src/config/file_list.py 
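Review bot: `reload_rules()` only appends to `self._rules` and `self._categories`, so a second call of this public method duplicates every rule id and `get_rules_by_category` then returns each rule twice; clear both at the top, `self._rules.clear()` and `self._categories.clear()`. The `rules` property returns the internal list while `categories` returns a copy, so callers can mutate manager state; return `self._rules.copy()` for consistency. Since the `entry` value from `metadata.json` is later executed through `ConverterManager.build_cmd`, `_verify_metadata` could also check that `entry_path.resolve()` lies inside `rule_path.resolve()`, so an absolute or `..` entry cannot point outside the rule directory; the metadata ships with the tool, so this is a modest hardening rather than a fix for a live exposure.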
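Review bot: `argparse.ArgumentTypeError` raised from `Action.__call__` is, as far as I can see, not turned into a usage message: argparse converts `ArgumentTypeError` only from `type=` callables and `ArgumentError` from actions, so a missing `--rule-dir` directory ends in a traceback instead of `docgen: error: ...`. Raise `argparse.ArgumentError(self, f"Directory '{values}' does not exist.")` (and likewise for the non-directory case) or call `parser.error(...)`. Storing the raw `values` string rather than `p` also means callers wrap it in `Path()` again, as `main()` does.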
@@ -14,9 +14,11 @@ class FileListConverter(ConfigConverter): def tool_id(self) -> str: return "file_list" - def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], value: str) -> ExecuteConfig: + def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], value) -> ExecuteConfig: + if not isinstance(value, list): + raise ValueError("file_list value must be a list") self.temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list") - self.temp_file.writelines(value.split(",")) + self.temp_file.writelines(value) execute_config.add_variable("file", self.temp_file.name) return execute_config diff --git a/os-harden-tools/src/config/generator.py b/os-harden-tools/src/config/generator.py index 6c83eb7..cbb4178 100644 --- a/os-harden-tools/src/config/generator.py +++ b/os-harden-tools/src/config/generator.py @@ -1,7 +1,7 @@ import abc import logging from pathlib import Path -from typing import Dict, Optional, List +from typing import Dict, Optional, List, Any class ExecuteConfig: @@ -66,7 +66,7 @@ class ConfigConverter(abc.ABC): pass @abc.abstractmethod - def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], config: str) -> ExecuteConfig: + def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], config) -> ExecuteConfig: pass def cleanup(self): @@ -115,7 +115,7 @@ class ConverterManager: logging.exception(e) raise e - def _generate(self, param_metadata: List[Dict[str, str]], config: Dict[str, str]) -> List[ExecuteConfig]: + def _generate_config(self, param_metadata: List[Dict[str, str]], config: Dict[str, Any]) -> List[ExecuteConfig]: result = [] for metadata in param_metadata: execute_config = ExecuteConfig(cmd_template=metadata['cmd_template']) 
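Review bot: `self.temp_file.writelines(value)` writes the list items back-to-back with no separator, so a multi-entry list ends up on a single line even though the consuming rule (int.03, later in this series) asks for one label per line; `writelines` adds no newlines. The file is also neither flushed nor closed before its name is handed to the command via `execute_config.add_variable("file", self.temp_file.name)`, so the script may read an empty or truncated file. Replace the write with `self.temp_file.write("".join(f"{item}\n" for item in value))` followed by `self.temp_file.close()`; with `delete=False` the path remains valid until `cleanup()` removes it. Non-string items in `value` will raise `TypeError` from the write, so it is worth validating the element type alongside the `isinstance(value, list)` check.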
@@ -127,9 +127,18 @@ class ConverterManager: result.append(converter.generate(execute_config, metadata, config[metadata['id']])) return result - def build_cmd(self, entry: Path, param_metadata: List[Dict[str, str]], config: Dict[str, str]) -> List[str]: - execute_configs = self._generate(param_metadata, config) + def build_cmd(self, entry: Path, param_metadata=None, config=None) -> List[str]: + if param_metadata is None: + param_metadata = [] + config = {} + else: + if config is None: + raise ValueError("config must be provided if param_metadata is given") + execute_configs = self._generate_config(param_metadata, config) cmd = [str(entry.absolute())] for execute_config in execute_configs: cmd.extend(execute_config.generate_cmd()) return cmd + + def cleanup(self): + pass \ No newline at end of file diff --git a/os-harden-tools/src/config_parser.py b/os-harden-tools/src/config_parser.py index 5031de4..7f967d7 100644 --- a/os-harden-tools/src/config_parser.py +++ b/os-harden-tools/src/config_parser.py @@ -1,7 +1,8 @@ import logging -from configparser import ConfigParser from pathlib import Path -from typing import Dict, List +from typing import Dict, List, Any + +import yaml def verify_config_name(path: Path) -> bool: 
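Review bot: `ConverterManager.cleanup` is a no-op `pass`, yet `_generate_config` drives converters such as the file-list one that create `delete=False` temporary files, so nothing removes those files after `build_cmd` returns. Track the converters used during `_generate_config` (e.g. `self._active: List[ConfigConverter]`, appended after each `generate` succeeds) and have `cleanup` call `cleanup()` on each of them. `config[metadata['id']]` also raises a bare `KeyError` when a declared parameter is absent from the user config; raising `ValueError(f"missing parameter {metadata['id']}")` would tell the operator what to fix.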
@@ -9,34 +10,34 @@ def verify_config_name(path: Path) -> bool: if not '-' in name: logging.error(f"Config {path} does not follow naming convention (should be 'priority.config_name')") return False - if not name.split('-')[1].isdigit(): + if not name.split('-', 1)[0].isdigit(): logging.error(f"Config {path} does not have a valid priority index") return False return True -def parse_config(config_dir: Path) -> Dict[str, Dict[str, str]]: +def parse_config(config_dir: Path) -> Dict[str, Dict[str, Any]]: baseline = config_dir.joinpath("secharden.conf") user_config = config_dir.joinpath("secharden.conf.d") - result: Dict[str, Dict[str, str]] = {} - file_collection = [] + file_collection: List[Path] = [] if baseline.exists(): file_collection.append(baseline) if user_config.exists() and user_config.is_dir(): configs: List[Path] = list(user_config.glob(f"*-*.conf")) - file_collection.extend(sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[1]))) + file_collection.extend(sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0]))) if len(file_collection) == 0: raise FileNotFoundError(f"No config file found in {config_dir}") - parser = ConfigParser() - parser.read(file_collection, encoding='utf-8') - for section in parser.sections(): - sub = parser[section] - config: Dict[str, str] = {} - for key, value in sub.items(): - config[key] = value - result[section] = config + result: Dict[str, Dict[str, Any]] = {} + for file in file_collection: + logging.debug(f"Parsing config file: {file}") + try: + yaml_data = yaml.safe_load(file.read_text('utf-8')) + except yaml.YAMLError as exc: + logging.error(f"Error parsing YAML file {file}: {exc}") + continue + result.update(yaml_data) return result diff --git a/os-harden-tools/src/utils.py b/os-harden-tools/src/utils.py index a2aedaa..bcaec51 100644 --- a/os-harden-tools/src/utils.py +++ b/os-harden-tools/src/utils.py 
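Review bot: `result.update(yaml_data)` assumes every file parses to a mapping; an empty or comment-only file makes `yaml.safe_load` return `None` and `update(None)` raises `TypeError`, and a top-level list fails the same way. Guard it with `if not isinstance(yaml_data, dict): logging.error(f"Config file {file} must contain a mapping"); continue`. Note also that `dict.update` replaces a rule's whole section, so a drop-in that sets one parameter for a rule silently discards the baseline's other parameters for that rule — if per-key overriding is intended, merge one level deeper. The error message in `verify_config_name` still says `priority.config_name` while the check looks for `-`.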
@@ -1,7 +1,14 @@ import argparse +import json from pathlib import Path +def load_json_file(file_path: Path): + if not file_path.exists(): + raise FileNotFoundError(f"File not found: {file_path}") + return json.loads(file_path.read_text('utf-8')) + + class DirectoryPathVerifier(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): p = Path(values) -- Gitee From d5d336dbc237e15ac3b24b539331d34540ae588a Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 28 Jul 2025 17:20:55 +0800 Subject: [PATCH 013/109] add get metadata func --- os-harden-tools/src/gendoc.py | 10 +++------- os-harden-tools/src/rules.py | 32 +++++++++++++++++++++++++------- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py index 13a47c8..5470bd4 100644 --- a/os-harden-tools/src/gendoc.py +++ b/os-harden-tools/src/gendoc.py @@ -1,21 +1,17 @@ #!/usr/bin/python3 import argparse -import json import logging from io import TextIOWrapper from pathlib import Path +from typing import Dict from rules import RuleManager from utils import DirectoryPathVerifier TITLE = "安全 OS 配置工具" -def generate_rule(rule: Path, output_stream: TextIOWrapper): - if not rule.joinpath("metadata.json").is_file(): - raise FileNotFoundError(f"Rule file {rule} does not exist") - metadata = json.loads(rule.joinpath("metadata.json").read_text('utf-8')) - +def generate_rule(metadata: Dict, output_stream: TextIOWrapper): output_stream.write(f"### {metadata['id']} {metadata['name']}\n\n") output_stream.write(f"{metadata['description']}\n\n") output_stream.write(f"#### 参数\n\n") 
@@ -58,7 +54,7 @@ def generate_doc(root: Path, overwrite: bool): for rule in rules.get_rules_by_category(category_id): try: logging.info(f"Generating doc for rule: {rule}") - generate_rule(rules.get_rule_path(rule), output_stream) + generate_rule(rules.get_rule_metadata(rule), output_stream) except Exception as e: logging.error(f"Error generating doc for rule: {rule}") logging.exception(e) diff --git a/os-harden-tools/src/rules.py b/os-harden-tools/src/rules.py index 134dbe4..f345835 100644 --- a/os-harden-tools/src/rules.py +++ b/os-harden-tools/src/rules.py @@ -7,11 +7,7 @@ import jsonschema from config import ConverterManager - -def load_json_file(file_path: Path): - if not file_path.exists(): - raise FileNotFoundError(f"File not found: {file_path}") - return json.loads(file_path.read_text('utf-8')) +from utils import load_json_file class RuleManager: @@ -42,15 +38,21 @@ class RuleManager: def rules(self) -> List[str]: return self._rules + def rule_exists(self, rule_id: str) -> bool: + return rule_id in self._rules + def get_rules_by_category(self, category_id: str) -> List[str]: if category_id not in self._categories: raise KeyError(f"Category with ID {category_id} not found") return [rule for rule in self._rules if rule.startswith(category_id + '.')] - def get_rule_path(self, rule_id: str) -> Path: + def get_rule_metadata(self, rule_id: str) -> Dict[str, Any]: if rule_id not in self._rules: raise KeyError(f"Rule with ID {rule_id} not found") - return self._dir.joinpath(rule_id).resolve() + rule = self._dir.joinpath(rule_id).resolve() + if not rule.joinpath("metadata.json").is_file(): + raise FileNotFoundError(f"Rule file {rule} does not exist") + return json.loads(rule.joinpath("metadata.json").read_text('utf-8')) def get_category_desc(self, category_id: str) -> Dict[str, Any]: if category_id not in self._categories: 
@@ -122,3 +124,19 @@ class RuleManager: for rule in sorted(rules, key=lambda r: int(r.name.split('.', 1)[1])): self._rules.append(rule.name) + + def apply_rule(self, rule: str, config: Dict[str, str]): + if self.rule_exists(rule): + raise ValueError(f"Rule {rule} not found.") + + # pop the 'enabled' key from config, if any + if not config.pop('enabled', True): + logging.debug(f"Rule {rule} is disabled in the configuration.") + return + + logging.debug(f"Applying rule: {rule} with config: {config}") + metadata = self.get_rule_metadata(rule) + entry = metadata["entry"] + if 'parameters' in metadata: + parameters = metadata['parameters'] + ConverterManager().build_cmd(entry, parameters, config) -- Gitee From b3e618b4ad8fc52a157a2401679d451e879567ca Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 28 Jul 2025 19:54:55 +0800 Subject: [PATCH 014/109] add rule executor --- os-harden-tools/schema/metadata.schema.json | 6 +- os-harden-tools/src/config/generator.py | 144 --------------- .../src/{config => converter}/__init__.py | 2 +- os-harden-tools/src/converter/converter.py | 38 ++++ .../src/{config => converter}/file_list.py | 25 +-- os-harden-tools/src/executor.py | 87 +++++++++ os-harden-tools/src/rules.py | 172 +++++++++++++----- os-harden-tools/src/secharden.py | 40 ++++ os-harden-tools/src/utils.py | 2 + os-harden-tools/tools/int.03/metadata.json | 2 +- 10 files changed, 311 insertions(+), 207 deletions(-) delete mode 100644 os-harden-tools/src/config/generator.py rename os-harden-tools/src/{config => converter}/__init__.py (35%) create mode 100644 os-harden-tools/src/converter/converter.py rename os-harden-tools/src/{config => converter}/file_list.py (58%) create mode 100644 os-harden-tools/src/executor.py create mode 100644 os-harden-tools/src/secharden.py diff --git a/os-harden-tools/schema/metadata.schema.json b/os-harden-tools/schema/metadata.schema.json index 59b6b53..1c634a1 100644 --- a/os-harden-tools/schema/metadata.schema.json 
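Review bot: The guard `if self.rule_exists(rule): raise ValueError(f"Rule {rule} not found.")` is inverted — it rejects every rule that does exist and lets unknown ids through to `get_rule_metadata`, which then raises `KeyError` instead. It should read `if not self.rule_exists(rule):`. Further down, `entry = metadata["entry"]` is the relative string from metadata.json, but `build_cmd` calls `entry.absolute()`, which only exists on `Path`; resolve it against the rule directory first. The command list returned by `build_cmd` is also discarded, so as written the rule is never executed.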
+++ b/os-harden-tools/schema/metadata.schema.json @@ -41,16 +41,16 @@ "type": "string", "description": "parameter description" }, - "type": { + "converter": { "type": "string", - "description": "parameter type, use to convert config value to script argument" + "description": "parameter converter, use to convert config value to script argument" }, "cmd_template": { "type": "string", "description": "command option for parameter to pass into the script, leave blank if no command option" } }, - "required": ["id", "name", "description", "type", "cmd_template"] + "required": ["id", "name", "description", "converter", "cmd_template"] } }, "urls": { diff --git a/os-harden-tools/src/config/generator.py b/os-harden-tools/src/config/generator.py deleted file mode 100644 index cbb4178..0000000 --- a/os-harden-tools/src/config/generator.py +++ /dev/null 
@@ -1,144 +0,0 @@ -import abc -import logging -from pathlib import Path -from typing import Dict, Optional, List, Any - - -class ExecuteConfig: - def __init__(self, cmd_template=None): - if cmd_template is None: - cmd_template = [] - if isinstance(cmd_template, str): - cmd_template = cmd_template.split(' ') - self._cmd_template: List[str] = cmd_template - self._cmd_variables: Dict[str, str] = {} - self._env: Dict[str, str] = {} - self._variable_index: Dict[str, int] = self._parse_cmd_template() - - def _parse_cmd_template(self) -> Dict[str, int]: - escape_indexes = [] - variable_index: Dict[str, int] = {} - for i, cmd in enumerate(self._cmd_template): - if cmd.startswith('%%'): - escape_indexes.append(i) - continue - if cmd.startswith('%'): - variable_id = cmd[1:] - if len(variable_id) == 0: - raise ValueError('invalid cmd template with no id') - if variable_id in variable_index: - raise ValueError(f'duplicate cmd template id') - variable_index[variable_id] = i - for i in escape_indexes: - # remove prefix escaping char % in %% - self._cmd_template[i] = self._cmd_template[i][1:] - return variable_index - - def add_variable(self, variable_id: str, value: str): - self._cmd_variables[variable_id] = value - - def add_env(self, name: str, value: str): - self._env[name] = value - - @property - def variable_placeholder(self): - return self._variable_index.copy() - - @property - def cmd_template(self) -> List[str]: - return self._cmd_template.copy() - - def generate_cmd(self) -> List[str]: - self._parse_cmd_template() - # make a copy here - cmd = self._cmd_template.copy() - for variable_id, value in self._cmd_variables.items(): - if variable_id not in self._variable_index: - logging.warning(f'variable {variable_id} not found in cmd template') - continue - index = self._variable_index[variable_id] - cmd[index] = value - return cmd - - -class ConfigConverter(abc.ABC): - def __init__(self): - pass - - @abc.abstractmethod - def generate(self, execute_config: ExecuteConfig, 
metadata: Dict[str, str], config) -> ExecuteConfig: - pass - - def cleanup(self): - pass - - @abc.abstractmethod - def verify(self, execute_config: ExecuteConfig, metadata: Dict[str, str]): - pass - - @property - @abc.abstractmethod - def tool_id(self) -> str: - pass - - -class ConverterManager: - _instance = None - - def __new__(cls, *args, **kwargs): - if cls._instance is None: - cls._instance = super().__new__(cls) - return cls._instance - - def __init__(self): - self._converter: Dict[str, ConfigConverter] = {} - for cls in ConfigConverter.__subclasses__(): - converter_instance = cls() - tool_id = converter_instance.tool_id - if tool_id in self._converter: - raise ValueError(f'Converter with tool_id {tool_id} already exists') - self._converter[converter_instance.tool_id] = converter_instance - - def find_converter(self, converter_type: str) -> Optional[ConfigConverter]: - return self._converter.get(converter_type, None) - - def verify(self, param_metadata: List[Dict[str, str]]): - for metadata in param_metadata: - converter_type = metadata['type'] - converter = self.find_converter(converter_type) - if not converter: - raise NotImplementedError(f'converter of type {converter_type} is not implemented') - try: - converter.verify(ExecuteConfig(cmd_template=metadata['cmd_template']), metadata) - except Exception as e: - logging.error(f"Verification failed for parameter: {metadata['id']}") - logging.exception(e) - raise e - - def _generate_config(self, param_metadata: List[Dict[str, str]], config: Dict[str, Any]) -> List[ExecuteConfig]: - result = [] - for metadata in param_metadata: - execute_config = ExecuteConfig(cmd_template=metadata['cmd_template']) - - converter_type = metadata['type'] - converter = self.find_converter(converter_type) - if not converter: - raise NotImplementedError(f'converter of type {converter_type} is not implemented') - result.append(converter.generate(execute_config, metadata, config[metadata['id']])) - return result - - def build_cmd(self, 
entry: Path, param_metadata=None, config=None) -> List[str]: - if param_metadata is None: - param_metadata = [] - config = {} - else: - if config is None: - raise ValueError("config must be provided if param_metadata is given") - execute_configs = self._generate_config(param_metadata, config) - cmd = [str(entry.absolute())] - for execute_config in execute_configs: - cmd.extend(execute_config.generate_cmd()) - return cmd - - def cleanup(self): - pass \ No newline at end of file diff --git a/os-harden-tools/src/config/__init__.py b/os-harden-tools/src/converter/__init__.py similarity index 35% rename from os-harden-tools/src/config/__init__.py rename to os-harden-tools/src/converter/__init__.py index 21d11c9..3361927 100644 --- a/os-harden-tools/src/config/__init__.py +++ b/os-harden-tools/src/converter/__init__.py @@ -1,2 +1,2 @@ -from .generator import ExecuteConfig, ConfigConverter, ConverterManager +from .converter import CmdParameter, ConfigConverter, ConverterManager from .file_list import FileListConverter \ No newline at end of file diff --git a/os-harden-tools/src/converter/converter.py b/os-harden-tools/src/converter/converter.py new file mode 100644 index 0000000..da9ef23 --- /dev/null +++ b/os-harden-tools/src/converter/converter.py 
@@ -0,0 +1,38 @@ +import abc +from typing import Dict, Optional + +from ..rules import RuleParameter +from ..executor import CmdParameter + + +class ConfigConverter(abc.ABC): + def __init__(self): + pass + + @abc.abstractmethod + def generate(self, parameter: CmdParameter, config): + pass + + def cleanup(self): + pass + + @abc.abstractmethod + def verify(self, parameter: RuleParameter): + pass + + +class ConverterManager: + _instance = None + + def __new__(cls, *args, **kwargs): + if cls._instance is None: + cls._instance = super().__new__(cls) + return cls._instance + + def __init__(self): + self._converter: Dict[str, type[ConfigConverter]] = {} + for cls in ConfigConverter.__subclasses__(): + self._converter[cls.__name__] = cls + + def find_converter(self, converter_type: str) -> Optional[type[ConfigConverter]]: + return self._converter.get(converter_type, None) diff --git a/os-harden-tools/src/config/file_list.py b/os-harden-tools/src/converter/file_list.py similarity index 58% rename from os-harden-tools/src/config/file_list.py rename to os-harden-tools/src/converter/file_list.py index 16394aa..53d5775 100644 --- a/os-harden-tools/src/config/file_list.py +++ b/os-harden-tools/src/converter/file_list.py @@ -1,8 +1,7 @@ -from typing import Dict - -from .generator import ConfigConverter, ExecuteConfig - from tempfile import NamedTemporaryFile +import os +from .converter import ConfigConverter, CmdParameter +from ..rules import RuleParameter class FileListConverter(ConfigConverter): 
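Review bot: `ConverterManager.__init__` registers converters under `cls.__name__` (e.g. `FileListConverter`), so metadata that names a converter by a short id such as `file_list` never resolves and `find_converter` returns `None`. Either key the registry on an explicit `tool_id` attribute, as the previous design did, or document that metadata must use the class name. The module also imports `..rules` for `RuleParameter` while rules.py imports this package back, which looks like a circular import at load time; since the name is only used in the `verify` annotation, a `TYPE_CHECKING`-guarded import or a string annotation avoids it. Because `__new__` returns the shared instance but `__init__` still runs on every call, `self._converter` is rebuilt each time `ConverterManager()` is written.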
@@ -10,20 +9,15 @@ class FileListConverter(ConfigConverter): super().__init__() self.temp_file = None - @property - def tool_id(self) -> str: - return "file_list" - - def generate(self, execute_config: ExecuteConfig, metadata: Dict[str, str], value) -> ExecuteConfig: - if not isinstance(value, list): + def generate(self, parameter: CmdParameter, config): + if not isinstance(config, list): raise ValueError("file_list value must be a list") self.temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list") - self.temp_file.writelines(value) - execute_config.add_variable("file", self.temp_file.name) - return execute_config + self.temp_file.writelines(config) + parameter.add_variable("file", self.temp_file.name) - def verify(self, execute_config: ExecuteConfig, metadata: Dict[str, str]): - place_holder = execute_config.variable_placeholder + def verify(self, parameter: RuleParameter): + place_holder = parameter.cmd_template.variable_index if len(place_holder) != 1: raise ValueError(f"Expected exactly one placeholder, found {len(place_holder)}") if "file" not in place_holder: @@ -36,5 +30,4 @@ class FileListConverter(ConfigConverter): except Exception as e: print(f"Error closing temp file: {e}") finally: - import os os.remove(self.temp_file.name) diff --git a/os-harden-tools/src/executor.py b/os-harden-tools/src/executor.py new file mode 100644 index 0000000..73b2d7c --- /dev/null +++ b/os-harden-tools/src/executor.py 
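Review bot: `generate` still hands the temp file's name to the script via `parameter.add_variable("file", self.temp_file.name)` without flushing or closing it, so buffered content may not be on disk when the command runs, and `writelines(config)` writes the list items with no newline between them. Write `self.temp_file.write("\n".join(config) + "\n")` and then `self.temp_file.close()` before adding the variable; `cleanup()` can keep removing the file by name. A `TypeError` from joining non-string items is worth catching and re-raising as `ValueError` so the rule loader reports it the same way as the list check.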
@@ -0,0 +1,87 @@ +from pathlib import Path +from typing import Dict, List + + +class CmdTemplate: + def __init__(self, template: str): + self._template = template.split(' ') + self._variable_index: Dict[str, int] = self._parse_cmd_template() + + def _parse_cmd_template(self) -> Dict[str, int]: + escape_indexes = [] + variable_index: Dict[str, int] = {} + for i, cmd in enumerate(self._template): + if cmd.startswith('%%'): + escape_indexes.append(i) + continue + if cmd.startswith('%'): + variable_id = cmd[1:] + if len(variable_id) == 0: + raise ValueError('invalid cmd template with no id') + if variable_id in variable_index: + raise ValueError(f'duplicate cmd template id') + variable_index[variable_id] = i + for i in escape_indexes: + # remove prefix escaping char % in %% + self._template[i] = self._template[i][1:] + return variable_index + + @property + def template(self) -> List[str]: + # make a copy so that other modules can modify the template without affecting the original + return self._template.copy() + + @property + def variable_index(self) -> Dict[str, int]: + return self._variable_index + + +class CmdParameter: + def __init__(self, template: CmdTemplate): + self._cmd_template = template + self._variables = {} + self._env = {} + + def add_variable(self, variable_id: str, value: str): + self._variables[variable_id] = value + + def add_env(self, name: str, value: str): + self._env[name] = value + + @property + def cmd(self) -> List[str]: + result = self._cmd_template.template + for var_id, index in self._cmd_template.variable_index.items(): + value = self._variables.get(var_id) + if value is None: + raise ValueError(f"Variable {var_id} not found in variable collection") + result[index] = value + return result + + @property + def env(self) -> Dict[str, str]: + return self._env + + +class CmdExecutor: + def __init__(self, entry: Path): + self._cmd = [str(entry)] + self._env = {} + + def add_args(self, args: CmdParameter): + self._cmd.extend(args.cmd) + 
self._env.update(args.env) + + def run(self): + import subprocess + import os + + env = os.environ.copy() + env.update(self._env) + + result = subprocess.run(self._cmd, env=env, capture_output=True, text=True) + + if result.returncode != 0: + raise RuntimeError(f"Command failed with error: {result.stderr}") + + return result.stdout diff --git a/os-harden-tools/src/rules.py b/os-harden-tools/src/rules.py index f345835..fe1c4a2 100644 --- a/os-harden-tools/src/rules.py +++ b/os-harden-tools/src/rules.py 
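Review bot: `CmdTemplate.__init__` splits with `template.split(' ')`, so the blank `cmd_template` the schema allows ("leave blank if no command option") becomes `['']` and `CmdExecutor.add_args` appends an empty-string argument to the script's argv; runs of spaces produce the same. Use `self._template = template.split()` (or `shlex.split(template)` if quoting is wanted), which yields `[]` for a blank template. In `run`, the return code is dropped and stdout is returned while stderr only surfaces on failure; include `result.returncode` in the `RuntimeError` and log stdout/stderr at debug level so a hardening script's output is not lost. The `variable_index` property returns the internal dict itself rather than a copy, unlike `template`, so a caller can mutate the parsed template.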
@@ -1,13 +1,99 @@ -import json import logging from pathlib import Path from typing import Dict, Any, List import jsonschema -from config import ConverterManager +from converter import ConverterManager, ConfigConverter +from executor import CmdExecutor, CmdParameter, CmdTemplate +from utils import load_json_file, HOME_DIR -from utils import load_json_file + +class RuleParameter: + def __init__(self, parameter: Dict[str, Any]): + self._id = parameter['id'] + self._name = parameter['name'] + self._description = parameter['description'] + converter = ConverterManager().find_converter(parameter['converter']) + if converter is None: + raise NotImplementedError(f'converter of type {parameter["converter"]} is not implemented') + self._converter: type[ConfigConverter] = converter + self._cmd_template: CmdTemplate = CmdTemplate(parameter['cmd_template']) + self._verify_rule_params() + + def _verify_rule_params(self): + try: + self._converter().verify(self) + except Exception as e: + logging.error(f"Verification failed for parameter: {self._id}") + logging.exception(e) + raise e + + @property + def id(self) -> str: + return self._id + + @property + def name(self) -> str: + return self._name + + @property + def description(self) -> str: + return self._description + + @property + def converter(self) -> type[ConfigConverter]: + return self._converter + + @property + def cmd_template(self) -> CmdTemplate: + return self._cmd_template + + +class RuleMetadata: + _metadata_schema = load_json_file(HOME_DIR.joinpath('schema/metadata.schema.json')) + + def __init__(self, root: Path): + data = load_json_file(root.joinpath("metadata.json")) + jsonschema.validate(data, RuleMetadata._metadata_schema) + + self._id: str = data['id'] + self._name: str = data['name'] + self._description: str = data['description'] + self._entry: Path = root.joinpath(data['entry']).resolve() + self._parameters: List[RuleParameter] = [RuleParameter(d) for d in data.get('parameters', [])] + self._urls = 
data.get('urls', []) + + if not self._entry.exists(): + raise FileNotFoundError(f"Entry file {self._entry} for {self._id} does not exist") + if not self._entry.is_file(): + raise ValueError(f"Entry file {self._entry} for {self._id} is not a regular file") + if not self._id == root.name: + raise ValueError(f"Metadata id {self._id} does not match directory name {root.name}") + + @property + def id(self) -> str: + return self._id + + @property + def name(self) -> str: + return self._name + + @property + def description(self) -> str: + return self._description + + @property + def entry(self) -> Path: + return self._entry + + @property + def parameters(self) -> List[RuleParameter]: + return self._parameters + + @property + def urls(self) -> List[str]: + return self._urls class RuleManager: @@ -20,10 +106,6 @@ class RuleManager: self._rules: List[str] = [] self._categories: Dict[str, Dict[str, Any]] = {} - home_dir = Path(__file__).parent.parent.resolve() - self._metadata_schema = load_json_file(home_dir.joinpath('schema/metadata.schema.json')) - self._categories_schema = load_json_file(home_dir.joinpath('schema/categories.schema.json')) - self.reload_rules() @property 
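Review bot: `RuleMetadata.__init__` checks that `entry` exists and is a regular file but not that it is executable, while `CmdExecutor` later runs it directly as argv[0]; add (with `import os`) `if not os.access(self._entry, os.X_OK): raise PermissionError(f"Entry file {self._entry} for {self._id} is not executable")` so a bad mode is caught by `_verify_rule_dir` at load time rather than at apply time. `root.joinpath(data['entry']).resolve()` also accepts an absolute or `../` entry pointing outside the rule directory; if rules are meant to be self-contained, reject entries whose `parent` is not `root.resolve()` (or use `is_relative_to` on 3.9+). `RuleMetadata._metadata_schema` is loaded at class-definition time, so importing this module performs file I/O and fails on import if the schema file is missing — consider loading it lazily.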
@@ -46,45 +128,19 @@ class RuleManager: raise KeyError(f"Category with ID {category_id} not found") return [rule for rule in self._rules if rule.startswith(category_id + '.')] - def get_rule_metadata(self, rule_id: str) -> Dict[str, Any]: + def get_rule_metadata(self, rule_id: str) -> RuleMetadata: if rule_id not in self._rules: raise KeyError(f"Rule with ID {rule_id} not found") rule = self._dir.joinpath(rule_id).resolve() if not rule.joinpath("metadata.json").is_file(): raise FileNotFoundError(f"Rule file {rule} does not exist") - return json.loads(rule.joinpath("metadata.json").read_text('utf-8')) + return RuleMetadata(rule) def get_category_desc(self, category_id: str) -> Dict[str, Any]: if category_id not in self._categories: raise KeyError(f"Category with ID {category_id} not found") return self._categories[category_id] - def _verify_metadata(self, rule_path: Path) -> bool: - metadata = json.loads(rule_path.joinpath("metadata.json").read_text('utf-8')) - try: - jsonschema.validate(metadata, self._metadata_schema) - except Exception as e: - logging.error(f"Rule path {rule_path} does not contain a valid metadata.json file") - logging.exception(e) - return False - - entry_path = rule_path.joinpath(metadata['entry']) - if not entry_path.is_file(): - logging.error(f"Entry file {entry_path} for {rule_path.name} does not exist") - return False - if not metadata['id'] == rule_path.name: - logging.error(f"Metadata id {metadata['id']} does not match directory name {rule_path.name}") - return False - - if 'parameters' in metadata: - try: - ConverterManager().verify(metadata['parameters']) - except Exception as e: - logging.error(f"parameter verification failed for {rule_path.name}") - logging.exception(e) - return False - return True - def _verify_rule_dir(self, rule_path: Path) -> bool: rule_id = rule_path.name if not '.' in rule_id: 
@@ -98,11 +154,17 @@ class RuleManager: logging.error(f"Rule path {rule_path} does not contain a metadata.json file") return False - return self._verify_metadata(rule_path) + try: + RuleMetadata(rule_path) + except Exception as e: + logging.error(f"Rule path {rule_path} does not contain a valid metadata.json file") + logging.exception(e) + return False + return True def reload_rules(self): categories: List[Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json')) - jsonschema.validate(categories, self._categories_schema) + jsonschema.validate(categories, load_json_file(HOME_DIR.joinpath('schema/categories.schema.json'))) # id is verified by jsonschema categories = sorted(categories, key=lambda c: c['id']) @@ -125,7 +187,9 @@ class RuleManager: for rule in sorted(rules, key=lambda r: int(r.name.split('.', 1)[1])): self._rules.append(rule.name) - def apply_rule(self, rule: str, config: Dict[str, str]): + def apply_rule(self, rule: str, config): + if config is None: + config = {} if self.rule_exists(rule): raise ValueError(f"Rule {rule} not found.") 
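Review bot: The inverted existence check survives this rewrite: `if self.rule_exists(rule): raise ValueError(f"Rule {rule} not found.")` raises for every known rule, so `apply_rule` can never reach the executor for a valid id. It should be `if not self.rule_exists(rule):`. `config` is now typed only by its `None` default; a `Dict[str, Any]` annotation plus an `isinstance(config, dict)` check would keep the later `config.pop('enabled', True)` from failing on a scalar value in the YAML. The body of `apply_rule` continues past this hunk.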
@@ -136,7 +200,31 @@ class RuleManager: logging.debug(f"Applying rule: {rule} with config: {config}") metadata = self.get_rule_metadata(rule) - entry = metadata["entry"] - if 'parameters' in metadata: - parameters = metadata['parameters'] - ConverterManager().build_cmd(entry, parameters, config) + + executor = CmdExecutor(metadata.entry) + converter_instances = [] + for param in metadata.parameters: + if param.id not in config: + raise ValueError(f"Parameter {param.id} is missing in the configuration for rule {rule}.") + converter = param.converter() + cmd_param = CmdParameter(param.cmd_template) + try: + converter.generate(cmd_param, config[param.id]) + except Exception as e: + # cleanup first + for instance in converter_instances: + instance.cleanup() + logging.error(f"Failed to generate command line on parameter {param.id}.") + logging.exception(e) + raise e + converter_instances.append(converter) + executor.add_args(cmd_param) + + try: + executor.run() + except Exception as e: + logging.error(f"Failed to execute command for rule {rule}.") + raise e + finally: + for instance in converter_instances: + instance.cleanup() diff --git a/os-harden-tools/src/secharden.py b/os-harden-tools/src/secharden.py new file mode 100644 index 0000000..71cd990 --- /dev/null +++ b/os-harden-tools/src/secharden.py 
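Review bot: In the `except` around `converter.generate(cmd_param, config[param.id])`, only the converters collected so far are cleaned up; the converter that raised is appended to `converter_instances` only after success, so any temp file it created before failing is leaked. Either append before calling `generate` or add `converter.cleanup()` on the except path. Keys in `config` that match no declared parameter are silently ignored, so a misspelled parameter name goes unnoticed; log a warning for `set(config) - {p.id for p in metadata.parameters}`. `executor.run()` returns the script's stdout but the value is dropped here — log it at debug level so the output is visible under `-d`.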
@@ -0,0 +1,40 @@ +#!/usr/bin/python3 + +import argparse +import logging +from pathlib import Path + +from utils import DirectoryPathVerifier + +from config_parser import parse_config + +from rules import RuleManager + + +def main(): + script_dir = Path(__file__).parent.parent.resolve() + + args = argparse.ArgumentParser(prog="secharden") + version_file = Path(__file__).parent.parent.resolve().joinpath("VERSION") + args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) + args.add_argument("-r", "--rule-dir", action=DirectoryPathVerifier, + help="rule script directory", default=script_dir.joinpath('tools')) + args.add_argument("-d", "--debug", action='store_true', help="debug mode") + args.add_argument('-c', '--config', action=DirectoryPathVerifier, help="configuration path", + default=Path('/etc/secharden')) + args = args.parse_args() + + logging_level = logging.INFO + if args.debug: + logging_level = logging.DEBUG + + logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') + + rule_mgr = RuleManager(args.rule_dir) + config = parse_config(args.config) + for rule, rule_conf in config.items(): + rule_mgr.apply_rule(rule, rule_conf) + + +if __name__ == "__main__": + main() diff --git a/os-harden-tools/src/utils.py b/os-harden-tools/src/utils.py index bcaec51..1ea8932 100644 --- a/os-harden-tools/src/utils.py +++ b/os-harden-tools/src/utils.py @@ -2,6 +2,8 @@ import argparse import json from pathlib import Path +HOME_DIR = Path(__file__).parent.parent.resolve() + def load_json_file(file_path: Path): if not file_path.exists(): diff --git a/os-harden-tools/tools/int.03/metadata.json b/os-harden-tools/tools/int.03/metadata.json index 1d48a64..e1f817e 100644 --- a/os-harden-tools/tools/int.03/metadata.json +++ b/os-harden-tools/tools/int.03/metadata.json 
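Review bot: `main` passes `args.rule_dir` and `args.config` straight to `RuleManager` and `parse_config`, which call `.joinpath` on them; the defaults are `Path` objects but `DirectoryPathVerifier` stores the user's raw string, so supplying `-r` or `-c` on the command line raises `AttributeError`. Wrap them: `rule_mgr = RuleManager(Path(args.rule_dir))` and `config = parse_config(Path(args.config))`. The apply loop also aborts on the first rule whose `apply_rule` raises, leaving later rules unapplied with no summary; catch per rule, log the failure, and exit non-zero at the end. Reusing `args` for both the parser and the parsed namespace (`args = args.parse_args()`) is confusing — call the parser `parser`.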
@@ -8,7 +8,7 @@ "id": "selinux_tags", "name": "selinux 标签列表文件", "description": "该文件包含一个 selinux 标签列表,表示这些标签需要被 ima 度量。要求文件每行一个标签。", - "type": "file_list", + "converter": "file_list", "cmd_template": "%file" } ], -- Gitee From c2a8d72881200a4b696577deb2cd636e9b5be011 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 28 Jul 2025 20:42:14 +0800 Subject: [PATCH 015/109] move converter to rules --- os-harden-tools/src/config_parser.py | 16 +- os-harden-tools/src/converter/__init__.py | 2 - os-harden-tools/src/converter/converter.py | 38 ----- os-harden-tools/src/gendoc.py | 23 ++- os-harden-tools/src/rules/__init__.py | 2 + .../src/rules/converters/__init__.py | 1 + .../converters}/file_list.py | 4 +- .../src/{rules.py => rules/manager.py} | 136 +++-------------- os-harden-tools/src/rules/metadata.py | 143 ++++++++++++++++++ os-harden-tools/tools/int.03/metadata.json | 2 +- 10 files changed, 187 insertions(+), 180 deletions(-) delete mode 100644 os-harden-tools/src/converter/__init__.py delete mode 100644 os-harden-tools/src/converter/converter.py create mode 100644 os-harden-tools/src/rules/__init__.py create mode 100644 os-harden-tools/src/rules/converters/__init__.py rename os-harden-tools/src/{converter => rules/converters}/file_list.py (92%) rename os-harden-tools/src/{rules.py => rules/manager.py} (50%) create mode 100644 os-harden-tools/src/rules/metadata.py diff --git a/os-harden-tools/src/config_parser.py b/os-harden-tools/src/config_parser.py index 7f967d7..0bb00cf 100644 --- a/os-harden-tools/src/config_parser.py +++ b/os-harden-tools/src/config_parser.py 
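Review bot: The value `"converter": "file_list"` will not resolve: the `ConverterManager` introduced in this same patch keys its registry on the converter class name (`cls.__name__`), so the lookup expects `"FileListConverter"` and `RuleParameter.__init__` raises `NotImplementedError` for this rule, which `_verify_rule_dir` then logs and drops. Either change this value to `"FileListConverter"` or give the manager an explicit id-based registry. The description still requires one label per line, while the file-list converter currently writes entries without newlines, so the two need to agree.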
@@ -16,17 +16,19 @@ def verify_config_name(path: Path) -> bool:
 return True
-def parse_config(config_dir: Path) -> Dict[str, Dict[str, Any]]:
- baseline = config_dir.joinpath("secharden.conf")
- user_config = config_dir.joinpath("secharden.conf.d")
-
+def parse_config(config_dir: Path, name: str = "secharden.conf", directory=True) -> Dict[str, Dict[str, Any]]:
 file_collection: List[Path] = []
+
+ baseline = config_dir.joinpath(name)
 if baseline.exists():
 file_collection.append(baseline)
- if user_config.exists() and user_config.is_dir():
- configs: List[Path] = list(user_config.glob(f"*-*.conf"))
- file_collection.extend(sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0])))
+ if directory:
+ user_config = config_dir.joinpath(name + ".d")
+ if user_config.exists() and user_config.is_dir():
+ configs: List[Path] = list(user_config.glob(f"*-*.conf"))
+ file_collection.extend(
+ sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0])))
 if len(file_collection) == 0:
 raise FileNotFoundError(f"No config file found in {config_dir}")
diff --git a/os-harden-tools/src/converter/__init__.py b/os-harden-tools/src/converter/__init__.py
deleted file mode 100644
index 3361927..0000000
--- a/os-harden-tools/src/converter/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-from .converter import CmdParameter, ConfigConverter, ConverterManager
-from .file_list import FileListConverter
\ No newline at end of file
diff --git a/os-harden-tools/src/converter/converter.py b/os-harden-tools/src/converter/converter.py
deleted file mode 100644
index da9ef23..0000000
--- a/os-harden-tools/src/converter/converter.py
+++ /dev/null
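Review bot: The new `directory=True` parameter is the only unannotated one in a signature whose other parameters are typed; `directory: bool = True` keeps the signature consistent and makes clear it is a switch rather than a path. The sort key `int(r.name.split('-', 1)[0])` still depends on verify_config_name (defined above the hunk) having rejected non-numeric prefixes, which deserves a one-line comment on the `sorted(...)` line such as `# verify_config_name guarantees a numeric prefix`.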
@@ -1,38 +0,0 @@
-import abc
-from typing import Dict, Optional
-
-from ..rules import RuleParameter
-from ..executor import CmdParameter
-
-
-class ConfigConverter(abc.ABC):
- def __init__(self):
- pass
-
- @abc.abstractmethod
- def generate(self, parameter: CmdParameter, config):
- pass
-
- def cleanup(self):
- pass
-
- @abc.abstractmethod
- def verify(self, parameter: RuleParameter):
- pass
-
-
-class ConverterManager:
- _instance = None
-
- def __new__(cls, *args, **kwargs):
- if cls._instance is None:
- cls._instance = super().__new__(cls)
- return cls._instance
-
- def __init__(self):
- self._converter: Dict[str, type[ConfigConverter]] = {}
- for cls in ConfigConverter.__subclasses__():
- self._converter[cls.__name__] = cls
-
- def find_converter(self, converter_type: str) -> Optional[type[ConfigConverter]]:
- return self._converter.get(converter_type, None)
diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py
index 5470bd4..17f4ff6 100644
--- a/os-harden-tools/src/gendoc.py
+++ b/os-harden-tools/src/gendoc.py
@@ -4,28 +4,27 @@ import argparse
 import logging
 from io import TextIOWrapper
 from pathlib import Path
-from typing import Dict
-from rules import RuleManager
+from rules import RuleManager, RuleMetadata
 from utils import DirectoryPathVerifier
 TITLE = "安全 OS 配置工具"
-def generate_rule(metadata: Dict, output_stream: TextIOWrapper):
- output_stream.write(f"### {metadata['id']} {metadata['name']}\n\n")
- output_stream.write(f"{metadata['description']}\n\n")
+def generate_rule(metadata: RuleMetadata, output_stream: TextIOWrapper):
+ output_stream.write(f"### {metadata.id} {metadata.name}\n\n")
+ output_stream.write(f"{metadata.description}\n\n")
 output_stream.write(f"#### 参数\n\n")
- if 'parameters' in metadata:
- for param in metadata['parameters']:
- output_stream.write(f"**{param['name']}**\n\n")
- output_stream.write(f"{param['description']}\n\n")
+ if len(metadata.parameters) > 0:
+ for param in metadata.parameters:
+ output_stream.write(f"**{param.name}**\n\n")
+ output_stream.write(f"{param.description}\n\n")
 else:
 output_stream.write("无\n\n")
- if 'urls' in metadata:
+ if len(metadata.urls) > 0:
 output_stream.write("#### 参考文档\n\n")
- for url in metadata['urls']:
- output_stream.write(f"- [{url['title']}]({url['url']})\n")
+ for url in metadata.urls:
+ output_stream.write(f"- [{url.title}]({url.url})\n")
 output_stream.write("\n")
diff --git a/os-harden-tools/src/rules/__init__.py b/os-harden-tools/src/rules/__init__.py
new file mode 100644
index 0000000..a8c5bcc
--- /dev/null
+++ b/os-harden-tools/src/rules/__init__.py
@@ -0,0 +1,2 @@
+from rules.metadata import RuleMetadata, RuleParameter, ConfigConverter, ConverterManager
+from rules.manager import RuleManager
diff --git a/os-harden-tools/src/rules/converters/__init__.py b/os-harden-tools/src/rules/converters/__init__.py
new file mode 100644
index 0000000..a1890f3
--- /dev/null
+++ b/os-harden-tools/src/rules/converters/__init__.py
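Review bot: The import order in the new `rules/__init__.py` is load-bearing: `rules.manager` does `from rules import RuleMetadata`, which only resolves because `rules.metadata` was imported on the line above, so swapping the two lines would raise ImportError from a partially initialised package. A comment such as `# keep metadata first: manager imports RuleMetadata from this package` would protect that ordering; the same applies to `rule_metadata/__init__.py` created later in this series. In gendoc.py, `if len(metadata.parameters) > 0:` and `if len(metadata.urls) > 0:` read more idiomatically as `if metadata.parameters:` / `if metadata.urls:`, since both are lists.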
@@ -0,0 +1 @@
+from rules.converters.file_list import FileListConverter
\ No newline at end of file
diff --git a/os-harden-tools/src/converter/file_list.py b/os-harden-tools/src/rules/converters/file_list.py
similarity index 92%
rename from os-harden-tools/src/converter/file_list.py
rename to os-harden-tools/src/rules/converters/file_list.py
index 53d5775..e625546 100644
--- a/os-harden-tools/src/converter/file_list.py
+++ b/os-harden-tools/src/rules/converters/file_list.py
@@ -1,7 +1,7 @@
 from tempfile import NamedTemporaryFile
 import os
-from .converter import ConfigConverter, CmdParameter
-from ..rules import RuleParameter
+from executor import CmdParameter
+from rules import RuleParameter, ConfigConverter
 class FileListConverter(ConfigConverter):
diff --git a/os-harden-tools/src/rules.py b/os-harden-tools/src/rules/manager.py
similarity index 50%
rename from os-harden-tools/src/rules.py
rename to os-harden-tools/src/rules/manager.py
index fe1c4a2..0c8fe9e 100644
--- a/os-harden-tools/src/rules.py
+++ b/os-harden-tools/src/rules/manager.py
@@ -1,101 +1,14 @@
 import logging
 from pathlib import Path
-from typing import Dict, Any, List
+from typing import List, Dict, Any
 import jsonschema
-from converter import ConverterManager, ConfigConverter
-from executor import CmdExecutor, CmdParameter, CmdTemplate
+from executor import CmdExecutor, CmdParameter
+from rules import RuleMetadata
 from utils import load_json_file, HOME_DIR
-class RuleParameter:
- def __init__(self, parameter: Dict[str, Any]):
- self._id = parameter['id']
- self._name = parameter['name']
- self._description = parameter['description']
- converter = ConverterManager().find_converter(parameter['converter'])
- if converter is None:
- raise NotImplementedError(f'converter of type {parameter["converter"]} is not implemented')
- self._converter: type[ConfigConverter] = converter
- self._cmd_template: CmdTemplate = CmdTemplate(parameter['cmd_template'])
- self._verify_rule_params()
-
- def _verify_rule_params(self):
- try:
- self._converter().verify(self)
- except Exception as e:
- logging.error(f"Verification failed for parameter: {self._id}")
- logging.exception(e)
- raise e
-
- @property
- def id(self) -> str:
- return self._id
-
- @property
- def name(self) -> str:
- return self._name
-
- @property
- def description(self) -> str:
- return self._description
-
- @property
- def converter(self) -> type[ConfigConverter]:
- return self._converter
-
- @property
- def cmd_template(self) -> C
mdTemplate:
- return self._cmd_template
-
-
-class RuleMetadata:
- _metadata_schema = load_json_file(HOME_DIR.joinpath('schema/metadata.schema.json'))
-
- def __init__(self, root: Path):
- data = load_json_file(root.joinpath("metadata.json"))
- jsonschema.validate(data, RuleMetadata._metadata_schema)
-
- self._id: str = data['id']
- self._name: str = data['name']
- self._description: str = data['description']
- self._entry: Path = root.joinpath(data['entry']).resolve()
- self._parameters: List[RuleParameter] = [RuleParameter(d) for d in data.get('parameters', [])]
- self._urls = data.get('urls', [])
-
- if not self._entry.exists():
- raise FileNotFoundError(f"Entry file {self._entry} for {self._id} does not exist")
- if not self._entry.is_file():
- raise ValueError(f"Entry file {self._entry} for {self._id} is not a regular file")
- if not self._id == root.name:
- raise ValueError(f"Metadata id {self._id} does not match directory name {root.name}")
-
- @property
- def id(self) -> str:
- return self._id
-
- @property
- def name(self) -> str:
- return self._name
-
- @property
- def description(self) -> str:
- return self._description
-
- @property
- def entry(self) -> Path:
- return self._entry
-
- @property
- def parameters(self) -> List[RuleParameter]:
- return self._parameters
-
- @property
- def urls(self) -> List[str]:
- return self._urls
-
-
 class RuleManager:
 def __init__(self, rules_dir: Path):
 self._dir = rules_dir.resolve()
@@ -133,7 +46,7 @@ class RuleManager:
 raise KeyError(f"Rule with ID {rule_id} not found")
 rule = self._dir.joinpath(rule_id).resolve()
 if not rule.joinpath("metadata.json").is_file():
- raise FileNotFoundError(f"Rule file {rule} does not exist")
+ raise FileNotFoundError(f"Rule file {rule} is not a regular file")
 return RuleMetadata(rule)
 def get_category_desc(self, category_id: str) -> Dict[str, Any]:
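Review bot: The reworded error in get_rule now describes the wrong path: the check is `rule.joinpath("metadata.json").is_file()`, but the message says `Rule file {rule} is not a regular file`, where `rule` is the rule directory, so a missing metadata.json is reported as the directory not being a file. Naming what was actually checked, e.g. `raise FileNotFoundError(f"Metadata file {rule.joinpath('metadata.json')} does not exist or is not a regular file")`, makes the failure actionable. get_rule's body begins outside the hunk.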
@@ -141,27 +54,6 @@ class RuleManager:
 raise KeyError(f"Category with ID {category_id} not found")
 return self._categories[category_id]
- def _verify_rule_dir(self, rule_path: Path) -> bool:
- rule_id = rule_path.name
- if not '.' in rule_id:
- logging.error(
- f"Rule directory {rule_path} does not follow naming convention (should be 'category_id.rule_id')")
- return False
- if not rule_id.split('.')[1].isdigit():
- logging.error(f"Rule directory {rule_path} does not have a valid numeric index after the category ID")
- return False
- if not rule_path.joinpath("metadata.json").is_file():
- logging.error(f"Rule path {rule_path} does not contain a metadata.json file")
- return False
-
- try:
- RuleMetadata(rule_path)
- except Exception as e:
- logging.error(f"Rule path {rule_path} does not contain a valid metadata.json file")
- logging.exception(e)
- return False
- return True
-
 def reload_rules(self):
 categories: List[Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json'))
 jsonschema.validate(categories, load_json_file(HOME_DIR.joinpath('schema/categories.schema.json')))
@@ -173,19 +65,27 @@ class RuleManager:
 self._categories[category_id] = category
 # collect all valid rules
- rules: List[Path] = []
+ rules: List[str] = []
 for rule_path in self._dir.glob(f"{category_id}.*"):
- if not self._verify_rule_dir(rule_path):
- logging.warning(f"Rule path {rule_path} is not valid")
+ if not rule_path.name.split('.', 1)[1].isdigit():
+ logging.error(
+ f"Rule directory {rule_path.name} does not have a valid numeric index after the category")
 continue
- rules.append(rule_path)
+ if not rule_path.joinpath("metadata.json").is_file():
+ logging.error(f"Rule path {rule_path} does not contain a metadata.json file")
+ continue
+ try:
+ RuleMetadata(rule_path)
+ rules.append(rule_path.name)
+ except Exception as e:
+ logging.warning(f"Rule path {rule_path} is not valid")
+ logging.exception(e)
 if len(rules) == 0:
 logging.error(f"No rules found for category {category_id}")
 continue
- for rule in sorted(rules, key=lambda r: int(r.name.split('.', 1)[1])):
- self._rules.append(rule.name)
+ self._rules.extend(sorted(rules, key=lambda r: int(r.split('.', 1)[1])))
 def apply_rule(self, rule: str, config):
 if config is None:
diff --git a/os-harden-tools/src/rules/metadata.py b/os-harden-tools/src/rules/metadata.py
new file mode 100644
index 0000000..48bf07d
--- /dev/null
+++ b/os-harden-tools/src/rules/metadata.py
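Review bot: The new index check and the sort key disagree on what counts as a number: `str.isdigit()` accepts Unicode digit characters (superscripts, for instance) that `int()` rejects, so a directory whose suffix passes the check can still raise ValueError in `int(r.split('.', 1)[1])` and abort the whole reload; `str.isdecimal()` matches what `int()` accepts, i.e. `if not rule_path.name.split('.', 1)[1].isdecimal():`. Separately, `RuleMetadata(rule_path)` is built here only to validate and is then discarded, while get_rule parses the same metadata.json again on every lookup; keeping the validated instance in a dict keyed by `rule_path.name` would avoid the double parse. The loop over categories that encloses this block starts outside the hunk.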
@@ -0,0 +1,143 @@
+import abc
+import logging
+from pathlib import Path
+from typing import List, Dict, Any, Optional
+
+import jsonschema
+
+from executor import CmdTemplate, CmdParameter
+from utils import load_json_file, HOME_DIR
+
+class RuleParameter:
+ def __init__(self, parameter: Dict[str, Any]):
+ self._id = parameter['id']
+ self._name = parameter['name']
+ self._description = parameter['description']
+ converter = ConverterManager().find_converter(parameter['converter'])
+ if converter is None:
+ raise NotImplementedError(f'converter of type {parameter["converter"]} is not implemented')
+ self._converter: type['ConfigConverter'] = converter
+ self._cmd_template: CmdTemplate = CmdTemplate(parameter['cmd_template'])
+ self._verify_rule_params()
+
+ def _verify_rule_params(self):
+ try:
+ self._converter().verify(self)
+ except Exception as e:
+ logging.error(f"Verification failed for parameter: {self._id}")
+ logging.exception(e)
+ raise e
+
+ @property
+ def id(self) -> str:
+ return self._id
+
+ @property
+ def name(self) -> str:
+ return self._name
+
+ @property
+ def description(self) -> str:
+ return self._description
+
+ @property
+ def converter(self) -> type['ConfigConverter']:
+ return self._converter
+
+ @property
+ def cmd_template(self) -> CmdTemplate:
+ return self._cmd_template
+
+class ConfigConverter(abc.ABC):
+ def __init__(self):
+ pass
+
+ @abc.abstractmethod
+ def generate(self, parameter: CmdParameter, config):
+ pass
+
+ def cleanup(self):
+ pass
+
+ @abc.abstractmethod
+ def verify(self, parameter: RuleParameter):
+ pass
+
+
+class ConverterManager:
+ _instance = None
+
+ def __new__(cls, *args, **kwargs):
+ if cls._instance is None:
+ cls._instance = super().__new__(cls)
+ return cls._instance
+
+ def __init__(self):
+ # load all converters from rules.converters
+ import rules.converters
+ self._converter: Dict[str, type[ConfigConverter]] = {}
+ for cls in ConfigConverter.__subclasses__():
+ self._converter[cls.__name__] = cls
+
+ def find_converter(self, converter_type: str) -> Optional[type[ConfigConverter]]:
+ return self._converter.get(converter_type, None)
+
+
+class UrlDescriptor:
+ def __init__(self, **kwargs):
+ self._url: str = kwargs['url']
+ self._title: str = kwargs['title']
+
+ @property
+ def url(self) -> str:
+ return self._url
+
+ @property
+ def title(self) -> str:
+ return self._title
+
+
+class RuleMetadata:
+ _metadata_schema = load_json_file(HOME_DIR.joinpath('schema/metadata.schema.json'))
+
+ def __init__(self, root: Path):
+ data = load_json_file(root.joinpath("metadata.json"))
+ jsonschema.validate(data, RuleMetadata._metadata_schema)
+
+ self._id: str = data['id']
+ self._name: str = data['name']
+ self._description: str = data['description']
+ self._entry: Path = root.joinpath(data['entry']).resolve()
+ self._parameters: List[RuleParameter] = [RuleParameter(d) for d in data.get('parameters', [])]
+ self._urls: List[UrlDescriptor] = [UrlDescriptor(**u) for u in data.get('urls', [])]
+
+ if not self._entry.exists():
+ raise FileNotFoundError(f"Entry file {self._entry} for {self._id} does not exist")
+ if not self._entry.is_file():
+ raise ValueError(f"Entry file {self._entry} for {self._id} is not a regular file")
+ if not self._id == root.name:
+ raise ValueError(f"Metadata id {self._id} does not match directory name {root.name}")
+
+ @property
+ def id(self) -> str:
+ return self._id
+
+ @property
+ def name(self) -> str:
+ return self._name
+
+ @property
+ def description(self) -> str:
+ return self._description
+
+ @property
+ def entry(self) -> Path:
+ return self._entry
+
+ @property
+ def parameters(self) -> List[RuleParameter]:
+ return self._parameters
+
+ @property
+ def urls(self) -> List[UrlDescriptor]:
+ return self._urls
diff --git a/os-harden-tools/tools/int.03/metadata.json b/os-harden-tools/tools/int.03/metadata.json
index e1f817e..6b9e6be 100644
--- a/os-harden-tools/tools/int.03/metadata.json
+++ b/os-harden-tools/tools/int.03/metadata.json
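Review bot: `self._entry = root.joinpath(data['entry']).resolve()` accepts an absolute path or a `..` component in the metadata's `entry`, so the exists/is_file checks that follow pass for an executable anywhere on the host, and manager.py's import of CmdExecutor suggests that path is what gets run. Since the loader already insists that `id` match the directory name, it is consistent to confine the entry to that directory too: `if not self._entry.is_relative_to(root.resolve()):` followed by `raise ValueError(f"Entry file {self._entry} for {self._id} is outside the rule directory")` (`Path.is_relative_to` exists from Python 3.9). Also, the `__new__` singleton in ConverterManager does not stop `__init__` from re-running on every `ConverterManager()` call, so the converter dict and `import rules.converters` are redone for each RuleParameter; and `ConfigConverter.__subclasses__()` lists only direct subclasses, which deserves a comment on that line if converters are never expected to subclass one another.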
@@ -8,7 +8,7 @@
 "id": "selinux_tags",
 "name": "selinux 标签列表文件",
 "description": "该文件包含一个 selinux 标签列表,表示这些标签需要被 ima 度量。要求文件每行一个标签。",
- "converter": "file_list",
+ "converter": "FileListConverter",
 "cmd_template": "%file"
 }
 ],
-- Gitee
From 0b9a49c4140f56f11e0544eb4390948ef3dbc21b Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Tue, 29 Jul 2025 09:43:22 +0800
Subject: [PATCH 016/109] minor refactor
---
 os-harden-tools/.gitignore | 164 +++++++++++++++++++++++++++
 os-harden-tools/src/config_parser.py | 30 ++---
 os-harden-tools/src/gendoc.py | 14 ++-
 os-harden-tools/src/secharden.py | 13 +--
 4 files changed, 195 insertions(+), 26 deletions(-)
create mode 100644 os-harden-tools/.gitignore
diff --git a/os-harden-tools/.gitignore b/os-harden-tools/.gitignore
new file mode 100644
index 0000000..dda4f8f
--- /dev/null
+++ b/os-harden-tools/.gitignore
@@ -0,0 +1,164 @@ +### Python template +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. 
+# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/latest/usage/project/#working-with-version-control +.pdm.toml +.pdm-python +.pdm-build/ + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + diff --git a/os-harden-tools/src/config_parser.py b/os-harden-tools/src/config_parser.py index 0bb00cf..8276b9c 100644 --- a/os-harden-tools/src/config_parser.py +++ b/os-harden-tools/src/config_parser.py 
@@ -16,25 +16,29 @@ def verify_config_name(path: Path) -> bool:
 return True
-def parse_config(config_dir: Path, name: str = "secharden.conf", directory=True) -> Dict[str, Dict[str, Any]]:
+def collect_configs(config_dir: Path) -> List[Path]:
+ """
+ Collects all configuration files from the specified directory.
+ It looks for a main config file and additional config files in a subdirectory.
+ """
 file_collection: List[Path] = []
- baseline = config_dir.joinpath(name)
- if baseline.exists():
- file_collection.append(baseline)
+ baseline = config_dir.joinpath("secharden.conf")
+ if not baseline.exists():
+ raise FileNotFoundError(f"Config file is not found in {config_dir}")
- if directory:
- user_config = config_dir.joinpath(name + ".d")
- if user_config.exists() and user_config.is_dir():
- configs: List[Path] = list(user_config.glob(f"*-*.conf"))
- file_collection.extend(
- sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0])))
+ user_config = config_dir.joinpath("secharden.conf.d")
+ if user_config.exists() and user_config.is_dir():
+ configs: List[Path] = list(user_config.glob(f"*-*.conf"))
+ file_collection.extend(
+ sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0])))
- if len(file_collection) == 0:
- raise FileNotFoundError(f"No config file found in {config_dir}")
+ return file_collection
+
+def parse_config(configs: List[Path]) -> Dict[str, Dict[str, Any]]:
 result: Dict[str, Dict[str, Any]] = {}
- for file in file_collection:
+ for file in configs:
 logging.debug(f"Parsing config file: {file}")
 try:
 yaml_data = yaml.safe_load(file.read_text('utf-8'))
diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/src/gendoc.py
index 17f4ff6..0c81c65 100644
--- a/os-harden-tools/src/gendoc.py
+++ b/os-harden-tools/src/gendoc.py
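Review bot: `baseline` is checked for existence but never added to `file_collection`, so the main `secharden.conf` is silently dropped and only the `secharden.conf.d` fragments are parsed, which contradicts the new docstring's claim that the function collects the main config file. Add `file_collection.append(baseline)` immediately after the `FileNotFoundError` guard. With that guard in place the function can no longer return an empty list, so removing the former "No config file found" check is correct.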
@@ -6,7 +6,7 @@ from io import TextIOWrapper
 from pathlib import Path
 from rules import RuleManager, RuleMetadata
-from utils import DirectoryPathVerifier
+from utils import DirectoryPathVerifier, HOME_DIR
 TITLE = "安全 OS 配置工具"
@@ -63,17 +63,21 @@ def generate_doc(root: Path, overwrite: bool):
 def main():
- logging.basicConfig(level=logging.INFO, format='%(asctime)s [%(levelname)8s] %(message)s')
- script_dir = Path(__file__).parent.parent.resolve()
 args = argparse.ArgumentParser(prog="docgen")
 args.add_argument("-t", "--rule-dir", action=DirectoryPathVerifier,
- help="rule script directory", default=script_dir.joinpath('tools'))
+ help="rule script directory", default=HOME_DIR.joinpath('tools'))
 args.add_argument('-f', '--force', action='store_true', help="force to generate doc, deleting existing doc files")
- version_file = script_dir.joinpath("VERSION")
+ version_file = HOME_DIR.joinpath("VERSION")
 args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip())
+ args.add_argument("-d", "--debug", action='store_true', help="debug mode")
 args = args.parse_args()
+ logging_level = logging.INFO
+ if args.debug:
+ logging_level = logging.DEBUG
+ logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s')
+
 try:
 generate_doc(Path(args.rule_dir), overwrite=args.force)
 except Exception as e:
diff --git a/os-harden-tools/src/secharden.py b/os-harden-tools/src/secharden.py
index 71cd990..380f784 100644
--- a/os-harden-tools/src/secharden.py
+++ b/os-harden-tools/src/secharden.py
@@ -4,21 +4,19 @@ import argparse
 import logging
 from pathlib import Path
-from utils import DirectoryPathVerifier
+from utils import DirectoryPathVerifier, HOME_DIR
-from config_parser import parse_config
+from config_parser import parse_config, collect_configs
 from rules import RuleManager
 def main():
- script_dir = Path(__file__).parent.parent.resolve()
-
 args = argparse.ArgumentParser(prog="secharden")
- version_file = Path(__file__).parent.parent.resolve().joinpath("VERSION")
+ version_file = HOME_DIR.joinpath("VERSION")
 args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip())
 args.add_argument("-r", "--rule-dir", action=DirectoryPathVerifier,
- help="rule script directory", default=script_dir.joinpath('tools'))
+ help="rule script directory", default=HOME_DIR.joinpath('tools'))
 args.add_argument("-d", "--debug", action='store_true', help="debug mode")
 args.add_argument('-c', '--config', action=DirectoryPathVerifier, help="configuration path",
 default=Path('/etc/secharden'))
@@ -27,11 +25,10 @@ def main():
 logging_level = logging.INFO
 if args.debug:
 logging_level = logging.DEBUG
-
 logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s')
+ config = parse_config(collect_configs(args.config))
 rule_mgr = RuleManager(args.rule_dir)
- config = parse_config(args.config)
 for rule, rule_conf in config.items():
 rule_mgr.apply_rule(rule, rule_conf)
-- Gitee
From 91abe56ff50f75e20ebd18aac70be5d89c742420 Mon Sep 17 00:00:00 2001
From: Tomahawkd Date: Tue, 29 Jul 2025 10:13:56 +0800 Subject: [PATCH 017/109] project structure adjust and init testcase in uv --- os-harden-tools/.gitignore | 2 +- os-harden-tools/conf/secharden.conf | 5 + .../conf/secharden.conf.d/01-test.conf | 5 + os-harden-tools/{src => }/config_parser.py | 1 + os-harden-tools/{src => }/executor.py | 0 os-harden-tools/{src => }/gendoc.py | 2 +- os-harden-tools/pyproject.toml | 16 + os-harden-tools/rule_metadata/__init__.py | 2 + .../rule_metadata/converters/__init__.py | 1 + .../converters/file_list.py | 2 +- .../{src/rules => rule_metadata}/manager.py | 2 +- .../{src/rules => rule_metadata}/metadata.py | 2 +- os-harden-tools/{src => }/secharden.py | 2 +- os-harden-tools/src/rules/__init__.py | 2 - .../src/rules/converters/__init__.py | 1 - os-harden-tools/tests/__init__.py | 0 .../tests/config_parser/__init__.py | 0 .../collection_wrong_name/secharden.conf | 5 + .../secharden.conf.d/t-t.conf | 5 + .../collection/full_collection/secharden.conf | 5 + .../secharden.conf.d/01-test.conf | 5 + .../secharden.conf.d/01-test.conf | 5 + .../collection/single_file/secharden.conf | 5 + .../tests/config_parser/test_collection.py | 34 +++ os-harden-tools/tools/README.md | 40 +++ os-harden-tools/{src => }/utils.py | 2 +- os-harden-tools/uv.lock | 282 ++++++++++++++++++ 27 files changed, 423 insertions(+), 10 deletions(-) create mode 100644 os-harden-tools/conf/secharden.conf create mode 100644 os-harden-tools/conf/secharden.conf.d/01-test.conf rename os-harden-tools/{src => }/config_parser.py (97%) rename os-harden-tools/{src => }/executor.py (100%) rename os-harden-tools/{src => }/gendoc.py (98%) create mode 100644 os-harden-tools/pyproject.toml create mode 100644 os-harden-tools/rule_metadata/__init__.py create mode 100644 os-harden-tools/rule_metadata/converters/__init__.py rename os-harden-tools/{src/rules => rule_metadata}/converters/file_list.py (95%) rename os-harden-tools/{src/rules => rule_metadata}/manager.py (99%) rename 
 os-harden-tools/{src/rules => rule_metadata}/metadata.py (99%)
rename os-harden-tools/{src => }/secharden.py (97%)
delete mode 100644 os-harden-tools/src/rules/__init__.py
delete mode 100644 os-harden-tools/src/rules/converters/__init__.py
create mode 100644 os-harden-tools/tests/__init__.py
create mode 100644 os-harden-tools/tests/config_parser/__init__.py
create mode 100644 os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf
create mode 100644 os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/t-t.conf
create mode 100644 os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf
create mode 100644 os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
create mode 100644 os-harden-tools/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
create mode 100644 os-harden-tools/tests/config_parser/collection/single_file/secharden.conf
create mode 100644 os-harden-tools/tests/config_parser/test_collection.py
create mode 100644 os-harden-tools/tools/README.md
rename os-harden-tools/{src => }/utils.py (92%)
create mode 100644 os-harden-tools/uv.lock
diff --git a/os-harden-tools/.gitignore b/os-harden-tools/.gitignore
index dda4f8f..be88b56 100644
--- a/os-harden-tools/.gitignore
+++ b/os-harden-tools/.gitignore
@@ -86,7 +86,7 @@ ipython_config.py
 # pyenv
 # For a library or package, you might want to ignore these files since the code is
 # intended to run in multiple environments; otherwise, check them in:
-# .python-version
+.python-version
 # pipenv
 # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
diff --git a/os-harden-tools/conf/secharden.conf b/os-harden-tools/conf/secharden.conf
new file mode 100644
index 0000000..c21d709
--- /dev/null
+++ b/os-harden-tools/conf/secharden.conf
@@ -0,0 +1,5 @@
+int.01:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/conf/secharden.conf.d/01-test.conf b/os-harden-tools/conf/secharden.conf.d/01-test.conf
new file mode 100644
index 0000000..b024e73
--- /dev/null
+++ b/os-harden-tools/conf/secharden.conf.d/01-test.conf
@@ -0,0 +1,5 @@
+int.02:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/src/config_parser.py b/os-harden-tools/config_parser.py
similarity index 97%
rename from os-harden-tools/src/config_parser.py
rename to os-harden-tools/config_parser.py
index 8276b9c..819eea1 100644
--- a/os-harden-tools/src/config_parser.py
+++ b/os-harden-tools/config_parser.py
@@ -26,6 +26,7 @@ def collect_configs(config_dir: Path) -> List[Path]:
 baseline = config_dir.joinpath("secharden.conf")
 if not baseline.exists():
 raise FileNotFoundError(f"Config file is not found in {config_dir}")
+ file_collection.append(baseline)
 user_config = config_dir.joinpath("secharden.conf.d")
 if user_config.exists() and user_config.is_dir():
diff --git a/os-harden-tools/src/executor.py b/os-harden-tools/executor.py
similarity index 100%
rename from os-harden-tools/src/executor.py
rename to os-harden-tools/executor.py
diff --git a/os-harden-tools/src/gendoc.py b/os-harden-tools/gendoc.py
similarity index 98%
rename from os-harden-tools/src/gendoc.py
rename to os-harden-tools/gendoc.py
index 0c81c65..401be05 100644
--- a/os-harden-tools/src/gendoc.py
+++ b/os-harden-tools/gendoc.py
@@ -5,7 +5,7 @@ import logging
 from io import TextIOWrapper
 from pathlib import Path
-from rules import RuleManager, RuleMetadata
+from rule_metadata import RuleManager, RuleMetadata
 from utils import DirectoryPathVerifier, HOME_DIR
 TITLE = "安全 OS 配置工具"
diff --git a/os-harden-tools/pyproject.toml b/os-harden-tools/pyproject.toml
new file mode 100644
index 0000000..12a05a5
--- /dev/null
+++ b/os-harden-tools/pyproject.toml
@@ -0,0 +1,16 @@
+[project]
+name = "os-harden-tools"
+version = "0.1.0"
+description = "Add your description here"
+readme = "README.md"
+requires-python = ">=3.11"
+dependencies = [
+ "jsonschema>=4.25.0",
+ "pyyaml>=6.0.2",
+]
+
+[dependency-groups]
+dev = [
+ "pytest>=8.4.1",
+]
+
diff --git a/os-harden-tools/rule_metadata/__init__.py b/os-harden-tools/rule_metadata/__init__.py
new file mode 100644
index 0000000..0652004
--- /dev/null
+++ b/os-harden-tools/rule_metadata/__init__.py
@@ -0,0 +1,2 @@
+from rule_metadata.metadata import RuleMetadata, RuleParameter, ConfigConverter, ConverterManager
+from rule_metadata.manager import RuleManager
diff --git a/os-harden-tools/rule_metadata/converters/__init__.py b/os-harden-tools/rule_metadata/converters/__init__.py
new file mode 100644
index 0000000..8c33c72
--- /dev/null
+++ b/os-harden-tools/rule_metadata/converters/__init__.py
@@ -0,0 +1 @@
+from rule_metadata.converters.file_list import FileListConverter
\ No newline at end of file
diff --git a/os-harden-tools/src/rules/converters/file_list.py b/os-harden-tools/rule_metadata/converters/file_list.py
similarity index 95%
rename from os-harden-tools/src/rules/converters/file_list.py
rename to os-harden-tools/rule_metadata/converters/file_list.py
index e625546..03a4903 100644
--- a/os-harden-tools/src/rules/converters/file_list.py
+++ b/os-harden-tools/rule_metadata/converters/file_list.py
@@ -1,7 +1,7 @@
 from tempfile import NamedTemporaryFile
 import os
 from executor import CmdParameter
-from rules import RuleParameter, ConfigConverter
+from rule_metadata import RuleParameter, ConfigConverter
 class FileListConverter(ConfigConverter):
diff --git a/os-harden-tools/src/rules/manager.py b/os-harden-tools/rule_metadata/manager.py
similarity index 99%
rename from os-harden-tools/src/rules/manager.py
rename to os-harden-tools/rule_metadata/manager.py
index 0c8fe9e..4ef1c8d 100644
--- a/os-harden-tools/src/rules/manager.py
+++ b/os-harden-tools/rule_metadata/manager.py
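Review bot: `description = "Add your description here"` is the untouched scaffold placeholder and would be published as the project's description; a one-line summary of what the tool does belongs there. `readme = "README.md"` also appears to reference a file this series does not create — the diffstats list `os-harden-tools/docs/README.md` and `os-harden-tools/tools/README.md` but no `os-harden-tools/README.md` — and a missing readme makes packaging backends fail, so either point it at the existing file or add one at the project root.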
@@ -5,7 +5,7 @@ from typing import List, Dict, Any import jsonschema from executor import CmdExecutor, CmdParameter -from rules import RuleMetadata +from rule_metadata import RuleMetadata from utils import load_json_file, HOME_DIR diff --git a/os-harden-tools/src/rules/metadata.py b/os-harden-tools/rule_metadata/metadata.py similarity index 99% rename from os-harden-tools/src/rules/metadata.py rename to os-harden-tools/rule_metadata/metadata.py index 48bf07d..78ad447 100644 --- a/os-harden-tools/src/rules/metadata.py +++ b/os-harden-tools/rule_metadata/metadata.py @@ -74,7 +74,7 @@ class ConverterManager: def __init__(self): # load all converters from rules.converters - import rules.converters + import rule_metadata.converters self._converter: Dict[str, type[ConfigConverter]] = {} for cls in ConfigConverter.__subclasses__(): self._converter[cls.__name__] = cls diff --git a/os-harden-tools/src/secharden.py b/os-harden-tools/secharden.py similarity index 97% rename from os-harden-tools/src/secharden.py rename to os-harden-tools/secharden.py index 380f784..02f1aa2 100644 --- a/os-harden-tools/src/secharden.py +++ b/os-harden-tools/secharden.py @@ -8,7 +8,7 @@ from utils import DirectoryPathVerifier, HOME_DIR from config_parser import parse_config, collect_configs -from rules import RuleManager +from rule_metadata import RuleManager def main(): diff --git a/os-harden-tools/src/rules/__init__.py b/os-harden-tools/src/rules/__init__.py deleted file mode 100644 index a8c5bcc..0000000 --- a/os-harden-tools/src/rules/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -from rules.metadata import RuleMetadata, RuleParameter, ConfigConverter, ConverterManager -from rules.manager import RuleManager diff --git a/os-harden-tools/src/rules/converters/__init__.py b/os-harden-tools/src/rules/converters/__init__.py deleted file mode 100644 index a1890f3..0000000 --- a/os-harden-tools/src/rules/converters/__init__.py +++ /dev/null 
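Review bot: The comment above the new `import rule_metadata.converters` still says `rules.converters`, the package this commit renamed away; rewrite it as `# Side-effect import: defines the ConfigConverter subclasses so __subclasses__() below can see them.` The module is never referenced afterwards, so linters will report it unused — add `# noqa: F401` to the import line. Note that `__subclasses__()` returns only direct subclasses, so a converter derived from another converter would not be registered; either document that limitation or walk the hierarchy recursively. `__init__` belongs to `ConverterManager`, and the hunk may not show the end of its body.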
@@ -1 +0,0 @@
-from rules.converters.file_list import FileListConverter
\ No newline at end of file
diff --git a/os-harden-tools/tests/__init__.py b/os-harden-tools/tests/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/os-harden-tools/tests/config_parser/__init__.py b/os-harden-tools/tests/config_parser/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf b/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf
new file mode 100644
index 0000000..c21d709
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf
@@ -0,0 +1,5 @@
+int.01:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/t-t.conf b/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/t-t.conf
new file mode 100644
index 0000000..b024e73
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/t-t.conf
@@ -0,0 +1,5 @@
+int.02:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf b/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf
new file mode 100644
index 0000000..c21d709
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf
@@ -0,0 +1,5 @@
+int.01:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf b/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
new file mode 100644
index 0000000..b024e73
--- /dev/null
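Review bot: The fixture files under `collection/` (both `secharden.conf` and the drop-ins) end without a trailing newline, and each declares `int.01:`/`int.02:` with an empty value, so the tests rely on the parser treating a null mapping value as "rule enabled". That contract is not stated anywhere in the fixtures; a one-line comment at the top of one of them, e.g. `# keys with no value enable the rule with default parameters`, would make the fixtures self-explaining and keep future edits from "fixing" the empty values.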
+++ b/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
@@ -0,0 +1,5 @@
+int.02:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf b/os-harden-tools/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
new file mode 100644
index 0000000..b024e73
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
@@ -0,0 +1,5 @@
+int.02:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/collection/single_file/secharden.conf b/os-harden-tools/tests/config_parser/collection/single_file/secharden.conf
new file mode 100644
index 0000000..c21d709
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/collection/single_file/secharden.conf
@@ -0,0 +1,5 @@
+int.01:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/test_collection.py b/os-harden-tools/tests/config_parser/test_collection.py
new file mode 100644
index 0000000..8ac5b0c
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/test_collection.py
@@ -0,0 +1,34 @@ +from pathlib import Path + +import pytest + +from config_parser import collect_configs + +class TestConfigParser: + @pytest.fixture + def config_test_path(self, request): + return Path(request.path).parent.joinpath("collection").resolve() + + def test_empty(self, config_test_path): + with pytest.raises(FileNotFoundError): + collect_configs(config_test_path.joinpath("empty")) + + def test_single_file(self, config_test_path): + p = collect_configs(config_test_path.joinpath("single_file")) + assert len(p) == 1 + assert p[0].name == "secharden.conf" + + def test_collection_only(self, config_test_path): + with pytest.raises(FileNotFoundError): + collect_configs(config_test_path.joinpath("only_collection")) + + def test_full_collection(self, config_test_path): + p = collect_configs(config_test_path.joinpath("full_collection")) + assert len(p) == 2 + assert p[0].name == "secharden.conf" + assert p[1].name == "01-test.conf" + + def test_collection_wrong_name(self, config_test_path): + p = collect_configs(config_test_path.joinpath("collection_wrong_name")) + assert len(p) == 1 + assert p[0].name == "secharden.conf" \ No newline at end of file diff --git a/os-harden-tools/tools/README.md b/os-harden-tools/tools/README.md new file mode 100644 index 0000000..fd1042e --- /dev/null +++ b/os-harden-tools/tools/README.md 
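Review bot: `test_empty` passes only because `collection/empty` does not exist at all — the commit adds no such directory (git cannot track an empty one), so the test never exercises a directory that exists but lacks `secharden.conf`, which is the case its name promises. Use pytest's `tmp_path` fixture instead: `def test_empty(self, tmp_path):` followed by `with pytest.raises(FileNotFoundError): collect_configs(tmp_path)`; `test_collection_only` then remains the distinct "drop-ins but no baseline" case. `test_collection_wrong_name` asserts that `t-t.conf` is skipped but nothing states the accepted naming rule, so add a comment on that test naming the pattern the collector enforces. The file also ends without a trailing newline.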
@@ -0,0 +1,40 @@ +# 安全 OS 配置工具 + +## 全栈完整性 + +### int.01 启用内核模块签名 + +启用内核模块签名。内核模块签名以一定格式在内核模块文件末尾添加签名信息,系统在加载内核模块时检查签名是否与内核中预设的公钥匹配。这样可以验证内核模块文件的真实性和完整性,防止系统加载未经认证的恶意内核模块。 + +#### 参数 + +无 + +### int.02 启用DIM动态度量内核 + +启用DIM动态度量内核。DIM特性通过在程序运行时对内存中的关键数据(如代码段、数据段)进行度量,并将度量结果和基准值进行对比,确定内存数据是否被篡改,从而检测攻击行为,并采取应对措施。 + +#### 参数 + +无 + +#### 参考文档 + +- [动态完整性度量 (DIM)](https://docs.openeuler.org/en/docs/24.03_LTS_SP2/server/security/trusted_computing/dim.html) + +### int.03 启用IMA度量关键文件 + +启用IMA度量关键文件。IMA 度量是一个开源的可信计算组件。其维护了一个运行时度量列表,并在 TPM 设备存在时则针对该列表生成整体完整性度量值并记录到 TPM 中。 + +#### 参数 + +**selinux 标签列表文件** + +该文件包含一个 selinux 标签列表,表示这些标签需要被 ima 度量。要求文件每行一个标签。 + +#### 参考文档 + +- [Integrity Measurement Architecture (IMA) Wiki](https://sourceforge.net/p/linux-ima/wiki/Home/) +- [内核完整性度量(IMA)](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/security/trusted_computing/ima.html) + + diff --git a/os-harden-tools/src/utils.py b/os-harden-tools/utils.py similarity index 92% rename from os-harden-tools/src/utils.py rename to os-harden-tools/utils.py index 1ea8932..c7247c2 100644 --- a/os-harden-tools/src/utils.py +++ b/os-harden-tools/utils.py @@ -2,7 +2,7 @@ import argparse import json from pathlib import Path -HOME_DIR = Path(__file__).parent.parent.resolve() +HOME_DIR = Path(__file__).parent.resolve() def load_json_file(file_path: Path): diff --git a/os-harden-tools/uv.lock b/os-harden-tools/uv.lock new file mode 100644 index 0000000..5ed23ff --- /dev/null +++ b/os-harden-tools/uv.lock 
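Review bot: `HOME_DIR = Path(__file__).parent.resolve()` is correct only because this commit moved utils.py out of `src/` into the project root, and nothing on the line records that; the next layout change will silently break every path (rule metadata, `conf/`) built on it. Add `# Project root: utils.py sits directly in os-harden-tools/, so a single .parent is the root.` Since `resolve()` follows symlinks, a symlinked checkout resolves to the real tree, which is fine for locating bundled files but worth stating in the same comment.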
@@ -0,0 +1,282 @@ +version = 1 +revision = 2 +requires-python = ">=3.11" + +[[package]] +name = "attrs" +version = "25.3.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/5a/b0/1367933a8532ee6ff8d63537de4f1177af4bff9f3e829baf7331f595bb24/attrs-25.3.0.tar.gz", hash = "sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b", size = 812032, upload-time = "2025-03-13T11:10:22.779Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/77/06/bb80f5f86020c4551da315d78b3ab75e8228f89f0162f2c3a819e407941a/attrs-25.3.0-py3-none-any.whl", hash = "sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3", size = 63815, upload-time = "2025-03-13T11:10:21.14Z" }, +] + +[[package]] +name = "colorama" +version = "0.4.6" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44", size = 27697, upload-time = "2022-10-25T02:36:22.414Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" }, +] + +[[package]] +name = "iniconfig" +version = "2.1.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f2/97/ebf4da567aa6827c909642694d71c9fcf53e5b504f2d96afea02718862f3/iniconfig-2.1.0.tar.gz", hash = "sha256:3abbd2e30b36733fee78f9c7f7308f2d0050e88f0087fd25c2645f63c773e1c7", size = 4793, upload-time = "2025-03-19T20:09:59.721Z" } +wheels = [ + { url = 
"https://files.pythonhosted.org/packages/2c/e1/e6716421ea10d38022b952c159d5161ca1193197fb744506875fbb87ea7b/iniconfig-2.1.0-py3-none-any.whl", hash = "sha256:9deba5723312380e77435581c6bf4935c94cbfab9b1ed33ef8d238ea168eb760", size = 6050, upload-time = "2025-03-19T20:10:01.071Z" }, +] + +[[package]] +name = "jsonschema" +version = "4.25.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "attrs" }, + { name = "jsonschema-specifications" }, + { name = "referencing" }, + { name = "rpds-py" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/d5/00/a297a868e9d0784450faa7365c2172a7d6110c763e30ba861867c32ae6a9/jsonschema-4.25.0.tar.gz", hash = "sha256:e63acf5c11762c0e6672ffb61482bdf57f0876684d8d249c0fe2d730d48bc55f", size = 356830, upload-time = "2025-07-18T15:39:45.11Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/fe/54/c86cd8e011fe98803d7e382fd67c0df5ceab8d2b7ad8c5a81524f791551c/jsonschema-4.25.0-py3-none-any.whl", hash = "sha256:24c2e8da302de79c8b9382fee3e76b355e44d2a4364bb207159ce10b517bd716", size = 89184, upload-time = "2025-07-18T15:39:42.956Z" }, +] + +[[package]] +name = "jsonschema-specifications" +version = "2025.4.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "referencing" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/bf/ce/46fbd9c8119cfc3581ee5643ea49464d168028cfb5caff5fc0596d0cf914/jsonschema_specifications-2025.4.1.tar.gz", hash = "sha256:630159c9f4dbea161a6a2205c3011cc4f18ff381b189fff48bb39b9bf26ae608", size = 15513, upload-time = "2025-04-23T12:34:07.418Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/01/0e/b27cdbaccf30b890c40ed1da9fd4a3593a5cf94dae54fb34f8a4b74fcd3f/jsonschema_specifications-2025.4.1-py3-none-any.whl", hash = "sha256:4653bffbd6584f7de83a67e0d620ef16900b390ddc7939d56684d6c81e33f1af", size = 18437, upload-time = "2025-04-23T12:34:05.422Z" }, +] + +[[package]] +name = "os-harden-tools" +version = "0.1.0" 
+source = { virtual = "." } +dependencies = [ + { name = "jsonschema" }, + { name = "pyyaml" }, +] + +[package.dev-dependencies] +dev = [ + { name = "pytest" }, +] + +[package.metadata] +requires-dist = [ + { name = "jsonschema", specifier = ">=4.25.0" }, + { name = "pyyaml", specifier = ">=6.0.2" }, +] + +[package.metadata.requires-dev] +dev = [{ name = "pytest", specifier = ">=8.4.1" }] + +[[package]] +name = "packaging" +version = "25.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/a1/d4/1fc4078c65507b51b96ca8f8c3ba19e6a61c8253c72794544580a7b6c24d/packaging-25.0.tar.gz", hash = "sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f", size = 165727, upload-time = "2025-04-19T11:48:59.673Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/20/12/38679034af332785aac8774540895e234f4d07f7545804097de4b666afd8/packaging-25.0-py3-none-any.whl", hash = "sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484", size = 66469, upload-time = "2025-04-19T11:48:57.875Z" }, +] + +[[package]] +name = "pluggy" +version = "1.6.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f9/e2/3e91f31a7d2b083fe6ef3fa267035b518369d9511ffab804f839851d2779/pluggy-1.6.0.tar.gz", hash = "sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3", size = 69412, upload-time = "2025-05-15T12:30:07.975Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/54/20/4d324d65cc6d9205fabedc306948156824eb9f0ee1633355a8f7ec5c66bf/pluggy-1.6.0-py3-none-any.whl", hash = "sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746", size = 20538, upload-time = "2025-05-15T12:30:06.134Z" }, +] + +[[package]] +name = "pygments" +version = "2.19.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = 
"https://files.pythonhosted.org/packages/b0/77/a5b8c569bf593b0140bde72ea885a803b82086995367bf2037de0159d924/pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887", size = 4968631, upload-time = "2025-06-21T13:39:12.283Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" }, +] + +[[package]] +name = "pytest" +version = "8.4.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "colorama", marker = "sys_platform == 'win32'" }, + { name = "iniconfig" }, + { name = "packaging" }, + { name = "pluggy" }, + { name = "pygments" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/08/ba/45911d754e8eba3d5a841a5ce61a65a685ff1798421ac054f85aa8747dfb/pytest-8.4.1.tar.gz", hash = "sha256:7c67fd69174877359ed9371ec3af8a3d2b04741818c51e5e99cc1742251fa93c", size = 1517714, upload-time = "2025-06-18T05:48:06.109Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/29/16/c8a903f4c4dffe7a12843191437d7cd8e32751d5de349d45d3fe69544e87/pytest-8.4.1-py3-none-any.whl", hash = "sha256:539c70ba6fcead8e78eebbf1115e8b589e7565830d7d006a8723f19ac8a0afb7", size = 365474, upload-time = "2025-06-18T05:48:03.955Z" }, +] + +[[package]] +name = "pyyaml" +version = "6.0.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/54/ed/79a089b6be93607fa5cdaedf301d7dfb23af5f25c398d5ead2525b063e17/pyyaml-6.0.2.tar.gz", hash = "sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e", size = 130631, upload-time = "2024-08-06T20:33:50.674Z" } +wheels = [ + { url = 
"https://files.pythonhosted.org/packages/f8/aa/7af4e81f7acba21a4c6be026da38fd2b872ca46226673c89a758ebdc4fd2/PyYAML-6.0.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774", size = 184612, upload-time = "2024-08-06T20:32:03.408Z" }, + { url = "https://files.pythonhosted.org/packages/8b/62/b9faa998fd185f65c1371643678e4d58254add437edb764a08c5a98fb986/PyYAML-6.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee", size = 172040, upload-time = "2024-08-06T20:32:04.926Z" }, + { url = "https://files.pythonhosted.org/packages/ad/0c/c804f5f922a9a6563bab712d8dcc70251e8af811fce4524d57c2c0fd49a4/PyYAML-6.0.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c", size = 736829, upload-time = "2024-08-06T20:32:06.459Z" }, + { url = "https://files.pythonhosted.org/packages/51/16/6af8d6a6b210c8e54f1406a6b9481febf9c64a3109c541567e35a49aa2e7/PyYAML-6.0.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317", size = 764167, upload-time = "2024-08-06T20:32:08.338Z" }, + { url = "https://files.pythonhosted.org/packages/75/e4/2c27590dfc9992f73aabbeb9241ae20220bd9452df27483b6e56d3975cc5/PyYAML-6.0.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85", size = 762952, upload-time = "2024-08-06T20:32:14.124Z" }, + { url = "https://files.pythonhosted.org/packages/9b/97/ecc1abf4a823f5ac61941a9c00fe501b02ac3ab0e373c3857f7d4b83e2b6/PyYAML-6.0.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4", size = 735301, upload-time = "2024-08-06T20:32:16.17Z" }, + { url = 
"https://files.pythonhosted.org/packages/45/73/0f49dacd6e82c9430e46f4a027baa4ca205e8b0a9dce1397f44edc23559d/PyYAML-6.0.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e", size = 756638, upload-time = "2024-08-06T20:32:18.555Z" }, + { url = "https://files.pythonhosted.org/packages/22/5f/956f0f9fc65223a58fbc14459bf34b4cc48dec52e00535c79b8db361aabd/PyYAML-6.0.2-cp311-cp311-win32.whl", hash = "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5", size = 143850, upload-time = "2024-08-06T20:32:19.889Z" }, + { url = "https://files.pythonhosted.org/packages/ed/23/8da0bbe2ab9dcdd11f4f4557ccaf95c10b9811b13ecced089d43ce59c3c8/PyYAML-6.0.2-cp311-cp311-win_amd64.whl", hash = "sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44", size = 161980, upload-time = "2024-08-06T20:32:21.273Z" }, + { url = "https://files.pythonhosted.org/packages/86/0c/c581167fc46d6d6d7ddcfb8c843a4de25bdd27e4466938109ca68492292c/PyYAML-6.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab", size = 183873, upload-time = "2024-08-06T20:32:25.131Z" }, + { url = "https://files.pythonhosted.org/packages/a8/0c/38374f5bb272c051e2a69281d71cba6fdb983413e6758b84482905e29a5d/PyYAML-6.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725", size = 173302, upload-time = "2024-08-06T20:32:26.511Z" }, + { url = "https://files.pythonhosted.org/packages/c3/93/9916574aa8c00aa06bbac729972eb1071d002b8e158bd0e83a3b9a20a1f7/PyYAML-6.0.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5", size = 739154, upload-time = "2024-08-06T20:32:28.363Z" }, + { url = 
"https://files.pythonhosted.org/packages/95/0f/b8938f1cbd09739c6da569d172531567dbcc9789e0029aa070856f123984/PyYAML-6.0.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425", size = 766223, upload-time = "2024-08-06T20:32:30.058Z" }, + { url = "https://files.pythonhosted.org/packages/b9/2b/614b4752f2e127db5cc206abc23a8c19678e92b23c3db30fc86ab731d3bd/PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476", size = 767542, upload-time = "2024-08-06T20:32:31.881Z" }, + { url = "https://files.pythonhosted.org/packages/d4/00/dd137d5bcc7efea1836d6264f049359861cf548469d18da90cd8216cf05f/PyYAML-6.0.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48", size = 731164, upload-time = "2024-08-06T20:32:37.083Z" }, + { url = "https://files.pythonhosted.org/packages/c9/1f/4f998c900485e5c0ef43838363ba4a9723ac0ad73a9dc42068b12aaba4e4/PyYAML-6.0.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b", size = 756611, upload-time = "2024-08-06T20:32:38.898Z" }, + { url = "https://files.pythonhosted.org/packages/df/d1/f5a275fdb252768b7a11ec63585bc38d0e87c9e05668a139fea92b80634c/PyYAML-6.0.2-cp312-cp312-win32.whl", hash = "sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4", size = 140591, upload-time = "2024-08-06T20:32:40.241Z" }, + { url = "https://files.pythonhosted.org/packages/0c/e8/4f648c598b17c3d06e8753d7d13d57542b30d56e6c2dedf9c331ae56312e/PyYAML-6.0.2-cp312-cp312-win_amd64.whl", hash = "sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8", size = 156338, upload-time = "2024-08-06T20:32:41.93Z" }, + { url = 
"https://files.pythonhosted.org/packages/ef/e3/3af305b830494fa85d95f6d95ef7fa73f2ee1cc8ef5b495c7c3269fb835f/PyYAML-6.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba", size = 181309, upload-time = "2024-08-06T20:32:43.4Z" }, + { url = "https://files.pythonhosted.org/packages/45/9f/3b1c20a0b7a3200524eb0076cc027a970d320bd3a6592873c85c92a08731/PyYAML-6.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1", size = 171679, upload-time = "2024-08-06T20:32:44.801Z" }, + { url = "https://files.pythonhosted.org/packages/7c/9a/337322f27005c33bcb656c655fa78325b730324c78620e8328ae28b64d0c/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133", size = 733428, upload-time = "2024-08-06T20:32:46.432Z" }, + { url = "https://files.pythonhosted.org/packages/a3/69/864fbe19e6c18ea3cc196cbe5d392175b4cf3d5d0ac1403ec3f2d237ebb5/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484", size = 763361, upload-time = "2024-08-06T20:32:51.188Z" }, + { url = "https://files.pythonhosted.org/packages/04/24/b7721e4845c2f162d26f50521b825fb061bc0a5afcf9a386840f23ea19fa/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5", size = 759523, upload-time = "2024-08-06T20:32:53.019Z" }, + { url = "https://files.pythonhosted.org/packages/2b/b2/e3234f59ba06559c6ff63c4e10baea10e5e7df868092bf9ab40e5b9c56b6/PyYAML-6.0.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc", size = 726660, upload-time = "2024-08-06T20:32:54.708Z" }, + { url = 
"https://files.pythonhosted.org/packages/fe/0f/25911a9f080464c59fab9027482f822b86bf0608957a5fcc6eaac85aa515/PyYAML-6.0.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652", size = 751597, upload-time = "2024-08-06T20:32:56.985Z" }, + { url = "https://files.pythonhosted.org/packages/14/0d/e2c3b43bbce3cf6bd97c840b46088a3031085179e596d4929729d8d68270/PyYAML-6.0.2-cp313-cp313-win32.whl", hash = "sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183", size = 140527, upload-time = "2024-08-06T20:33:03.001Z" }, + { url = "https://files.pythonhosted.org/packages/fa/de/02b54f42487e3d3c6efb3f89428677074ca7bf43aae402517bc7cca949f3/PyYAML-6.0.2-cp313-cp313-win_amd64.whl", hash = "sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563", size = 156446, upload-time = "2024-08-06T20:33:04.33Z" }, +] + +[[package]] +name = "referencing" +version = "0.36.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "attrs" }, + { name = "rpds-py" }, + { name = "typing-extensions", marker = "python_full_version < '3.13'" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/2f/db/98b5c277be99dd18bfd91dd04e1b759cad18d1a338188c936e92f921c7e2/referencing-0.36.2.tar.gz", hash = "sha256:df2e89862cd09deabbdba16944cc3f10feb6b3e6f18e902f7cc25609a34775aa", size = 74744, upload-time = "2025-01-25T08:48:16.138Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c1/b1/3baf80dc6d2b7bc27a95a67752d0208e410351e3feb4eb78de5f77454d8d/referencing-0.36.2-py3-none-any.whl", hash = "sha256:e8699adbbf8b5c7de96d8ffa0eb5c158b3beafce084968e2ea8bb08c6794dcd0", size = 26775, upload-time = "2025-01-25T08:48:14.241Z" }, +] + +[[package]] +name = "rpds-py" +version = "0.26.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = 
"https://files.pythonhosted.org/packages/a5/aa/4456d84bbb54adc6a916fb10c9b374f78ac840337644e4a5eda229c81275/rpds_py-0.26.0.tar.gz", hash = "sha256:20dae58a859b0906f0685642e591056f1e787f3a8b39c8e8749a45dc7d26bdb0", size = 27385, upload-time = "2025-07-01T15:57:13.958Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/09/4c/4ee8f7e512030ff79fda1df3243c88d70fc874634e2dbe5df13ba4210078/rpds_py-0.26.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:9e8cb77286025bdb21be2941d64ac6ca016130bfdcd228739e8ab137eb4406ed", size = 372610, upload-time = "2025-07-01T15:53:58.844Z" }, + { url = "https://files.pythonhosted.org/packages/fa/9d/3dc16be00f14fc1f03c71b1d67c8df98263ab2710a2fbd65a6193214a527/rpds_py-0.26.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5e09330b21d98adc8ccb2dbb9fc6cb434e8908d4c119aeaa772cb1caab5440a0", size = 358032, upload-time = "2025-07-01T15:53:59.985Z" }, + { url = "https://files.pythonhosted.org/packages/e7/5a/7f1bf8f045da2866324a08ae80af63e64e7bfaf83bd31f865a7b91a58601/rpds_py-0.26.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2c9c1b92b774b2e68d11193dc39620d62fd8ab33f0a3c77ecdabe19c179cdbc1", size = 381525, upload-time = "2025-07-01T15:54:01.162Z" }, + { url = "https://files.pythonhosted.org/packages/45/8a/04479398c755a066ace10e3d158866beb600867cacae194c50ffa783abd0/rpds_py-0.26.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:824e6d3503ab990d7090768e4dfd9e840837bae057f212ff9f4f05ec6d1975e7", size = 397089, upload-time = "2025-07-01T15:54:02.319Z" }, + { url = "https://files.pythonhosted.org/packages/72/88/9203f47268db488a1b6d469d69c12201ede776bb728b9d9f29dbfd7df406/rpds_py-0.26.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8ad7fd2258228bf288f2331f0a6148ad0186b2e3643055ed0db30990e59817a6", size = 514255, upload-time = "2025-07-01T15:54:03.38Z" }, + { url = 
"https://files.pythonhosted.org/packages/f5/b4/01ce5d1e853ddf81fbbd4311ab1eff0b3cf162d559288d10fd127e2588b5/rpds_py-0.26.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0dc23bbb3e06ec1ea72d515fb572c1fea59695aefbffb106501138762e1e915e", size = 402283, upload-time = "2025-07-01T15:54:04.923Z" }, + { url = "https://files.pythonhosted.org/packages/34/a2/004c99936997bfc644d590a9defd9e9c93f8286568f9c16cdaf3e14429a7/rpds_py-0.26.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d80bf832ac7b1920ee29a426cdca335f96a2b5caa839811803e999b41ba9030d", size = 383881, upload-time = "2025-07-01T15:54:06.482Z" }, + { url = "https://files.pythonhosted.org/packages/05/1b/ef5fba4a8f81ce04c427bfd96223f92f05e6cd72291ce9d7523db3b03a6c/rpds_py-0.26.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:0919f38f5542c0a87e7b4afcafab6fd2c15386632d249e9a087498571250abe3", size = 415822, upload-time = "2025-07-01T15:54:07.605Z" }, + { url = "https://files.pythonhosted.org/packages/16/80/5c54195aec456b292f7bd8aa61741c8232964063fd8a75fdde9c1e982328/rpds_py-0.26.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d422b945683e409000c888e384546dbab9009bb92f7c0b456e217988cf316107", size = 558347, upload-time = "2025-07-01T15:54:08.591Z" }, + { url = "https://files.pythonhosted.org/packages/f2/1c/1845c1b1fd6d827187c43afe1841d91678d7241cbdb5420a4c6de180a538/rpds_py-0.26.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:77a7711fa562ba2da1aa757e11024ad6d93bad6ad7ede5afb9af144623e5f76a", size = 587956, upload-time = "2025-07-01T15:54:09.963Z" }, + { url = "https://files.pythonhosted.org/packages/2e/ff/9e979329dd131aa73a438c077252ddabd7df6d1a7ad7b9aacf6261f10faa/rpds_py-0.26.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:238e8c8610cb7c29460e37184f6799547f7e09e6a9bdbdab4e8edb90986a2318", size = 554363, upload-time = "2025-07-01T15:54:11.073Z" }, + { url = 
"https://files.pythonhosted.org/packages/00/8b/d78cfe034b71ffbe72873a136e71acc7a831a03e37771cfe59f33f6de8a2/rpds_py-0.26.0-cp311-cp311-win32.whl", hash = "sha256:893b022bfbdf26d7bedb083efeea624e8550ca6eb98bf7fea30211ce95b9201a", size = 220123, upload-time = "2025-07-01T15:54:12.382Z" }, + { url = "https://files.pythonhosted.org/packages/94/c1/3c8c94c7dd3905dbfde768381ce98778500a80db9924731d87ddcdb117e9/rpds_py-0.26.0-cp311-cp311-win_amd64.whl", hash = "sha256:87a5531de9f71aceb8af041d72fc4cab4943648d91875ed56d2e629bef6d4c03", size = 231732, upload-time = "2025-07-01T15:54:13.434Z" }, + { url = "https://files.pythonhosted.org/packages/67/93/e936fbed1b734eabf36ccb5d93c6a2e9246fbb13c1da011624b7286fae3e/rpds_py-0.26.0-cp311-cp311-win_arm64.whl", hash = "sha256:de2713f48c1ad57f89ac25b3cb7daed2156d8e822cf0eca9b96a6f990718cc41", size = 221917, upload-time = "2025-07-01T15:54:14.559Z" }, + { url = "https://files.pythonhosted.org/packages/ea/86/90eb87c6f87085868bd077c7a9938006eb1ce19ed4d06944a90d3560fce2/rpds_py-0.26.0-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:894514d47e012e794f1350f076c427d2347ebf82f9b958d554d12819849a369d", size = 363933, upload-time = "2025-07-01T15:54:15.734Z" }, + { url = "https://files.pythonhosted.org/packages/63/78/4469f24d34636242c924626082b9586f064ada0b5dbb1e9d096ee7a8e0c6/rpds_py-0.26.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fc921b96fa95a097add244da36a1d9e4f3039160d1d30f1b35837bf108c21136", size = 350447, upload-time = "2025-07-01T15:54:16.922Z" }, + { url = "https://files.pythonhosted.org/packages/ad/91/c448ed45efdfdade82348d5e7995e15612754826ea640afc20915119734f/rpds_py-0.26.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3e1157659470aa42a75448b6e943c895be8c70531c43cb78b9ba990778955582", size = 384711, upload-time = "2025-07-01T15:54:18.101Z" }, + { url = 
"https://files.pythonhosted.org/packages/ec/43/e5c86fef4be7f49828bdd4ecc8931f0287b1152c0bb0163049b3218740e7/rpds_py-0.26.0-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:521ccf56f45bb3a791182dc6b88ae5f8fa079dd705ee42138c76deb1238e554e", size = 400865, upload-time = "2025-07-01T15:54:19.295Z" }, + { url = "https://files.pythonhosted.org/packages/55/34/e00f726a4d44f22d5c5fe2e5ddd3ac3d7fd3f74a175607781fbdd06fe375/rpds_py-0.26.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9def736773fd56b305c0eef698be5192c77bfa30d55a0e5885f80126c4831a15", size = 517763, upload-time = "2025-07-01T15:54:20.858Z" }, + { url = "https://files.pythonhosted.org/packages/52/1c/52dc20c31b147af724b16104500fba13e60123ea0334beba7b40e33354b4/rpds_py-0.26.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cdad4ea3b4513b475e027be79e5a0ceac8ee1c113a1a11e5edc3c30c29f964d8", size = 406651, upload-time = "2025-07-01T15:54:22.508Z" }, + { url = "https://files.pythonhosted.org/packages/2e/77/87d7bfabfc4e821caa35481a2ff6ae0b73e6a391bb6b343db2c91c2b9844/rpds_py-0.26.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:82b165b07f416bdccf5c84546a484cc8f15137ca38325403864bfdf2b5b72f6a", size = 386079, upload-time = "2025-07-01T15:54:23.987Z" }, + { url = "https://files.pythonhosted.org/packages/e3/d4/7f2200c2d3ee145b65b3cddc4310d51f7da6a26634f3ac87125fd789152a/rpds_py-0.26.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d04cab0a54b9dba4d278fe955a1390da3cf71f57feb78ddc7cb67cbe0bd30323", size = 421379, upload-time = "2025-07-01T15:54:25.073Z" }, + { url = "https://files.pythonhosted.org/packages/ae/13/9fdd428b9c820869924ab62236b8688b122baa22d23efdd1c566938a39ba/rpds_py-0.26.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:79061ba1a11b6a12743a2b0f72a46aa2758613d454aa6ba4f5a265cc48850158", size = 562033, upload-time = "2025-07-01T15:54:26.225Z" }, + { url = 
"https://files.pythonhosted.org/packages/f3/e1/b69686c3bcbe775abac3a4c1c30a164a2076d28df7926041f6c0eb5e8d28/rpds_py-0.26.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:f405c93675d8d4c5ac87364bb38d06c988e11028a64b52a47158a355079661f3", size = 591639, upload-time = "2025-07-01T15:54:27.424Z" }, + { url = "https://files.pythonhosted.org/packages/5c/c9/1e3d8c8863c84a90197ac577bbc3d796a92502124c27092413426f670990/rpds_py-0.26.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:dafd4c44b74aa4bed4b250f1aed165b8ef5de743bcca3b88fc9619b6087093d2", size = 557105, upload-time = "2025-07-01T15:54:29.93Z" }, + { url = "https://files.pythonhosted.org/packages/9f/c5/90c569649057622959f6dcc40f7b516539608a414dfd54b8d77e3b201ac0/rpds_py-0.26.0-cp312-cp312-win32.whl", hash = "sha256:3da5852aad63fa0c6f836f3359647870e21ea96cf433eb393ffa45263a170d44", size = 223272, upload-time = "2025-07-01T15:54:31.128Z" }, + { url = "https://files.pythonhosted.org/packages/7d/16/19f5d9f2a556cfed454eebe4d354c38d51c20f3db69e7b4ce6cff904905d/rpds_py-0.26.0-cp312-cp312-win_amd64.whl", hash = "sha256:cf47cfdabc2194a669dcf7a8dbba62e37a04c5041d2125fae0233b720da6f05c", size = 234995, upload-time = "2025-07-01T15:54:32.195Z" }, + { url = "https://files.pythonhosted.org/packages/83/f0/7935e40b529c0e752dfaa7880224771b51175fce08b41ab4a92eb2fbdc7f/rpds_py-0.26.0-cp312-cp312-win_arm64.whl", hash = "sha256:20ab1ae4fa534f73647aad289003f1104092890849e0266271351922ed5574f8", size = 223198, upload-time = "2025-07-01T15:54:33.271Z" }, + { url = "https://files.pythonhosted.org/packages/6a/67/bb62d0109493b12b1c6ab00de7a5566aa84c0e44217c2d94bee1bd370da9/rpds_py-0.26.0-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:696764a5be111b036256c0b18cd29783fab22154690fc698062fc1b0084b511d", size = 363917, upload-time = "2025-07-01T15:54:34.755Z" }, + { url = "https://files.pythonhosted.org/packages/4b/f3/34e6ae1925a5706c0f002a8d2d7f172373b855768149796af87bd65dcdb9/rpds_py-0.26.0-cp313-cp313-macosx_11_0_arm64.whl", 
hash = "sha256:1e6c15d2080a63aaed876e228efe4f814bc7889c63b1e112ad46fdc8b368b9e1", size = 350073, upload-time = "2025-07-01T15:54:36.292Z" }, + { url = "https://files.pythonhosted.org/packages/75/83/1953a9d4f4e4de7fd0533733e041c28135f3c21485faaef56a8aadbd96b5/rpds_py-0.26.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:390e3170babf42462739a93321e657444f0862c6d722a291accc46f9d21ed04e", size = 384214, upload-time = "2025-07-01T15:54:37.469Z" }, + { url = "https://files.pythonhosted.org/packages/48/0e/983ed1b792b3322ea1d065e67f4b230f3b96025f5ce3878cc40af09b7533/rpds_py-0.26.0-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7da84c2c74c0f5bc97d853d9e17bb83e2dcafcff0dc48286916001cc114379a1", size = 400113, upload-time = "2025-07-01T15:54:38.954Z" }, + { url = "https://files.pythonhosted.org/packages/69/7f/36c0925fff6f660a80be259c5b4f5e53a16851f946eb080351d057698528/rpds_py-0.26.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4c5fe114a6dd480a510b6d3661d09d67d1622c4bf20660a474507aaee7eeeee9", size = 515189, upload-time = "2025-07-01T15:54:40.57Z" }, + { url = "https://files.pythonhosted.org/packages/13/45/cbf07fc03ba7a9b54662c9badb58294ecfb24f828b9732970bd1a431ed5c/rpds_py-0.26.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3100b3090269f3a7ea727b06a6080d4eb7439dca4c0e91a07c5d133bb1727ea7", size = 406998, upload-time = "2025-07-01T15:54:43.025Z" }, + { url = "https://files.pythonhosted.org/packages/6c/b0/8fa5e36e58657997873fd6a1cf621285ca822ca75b4b3434ead047daa307/rpds_py-0.26.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2c03c9b0c64afd0320ae57de4c982801271c0c211aa2d37f3003ff5feb75bb04", size = 385903, upload-time = "2025-07-01T15:54:44.752Z" }, + { url = 
"https://files.pythonhosted.org/packages/4b/f7/b25437772f9f57d7a9fbd73ed86d0dcd76b4c7c6998348c070d90f23e315/rpds_py-0.26.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:5963b72ccd199ade6ee493723d18a3f21ba7d5b957017607f815788cef50eaf1", size = 419785, upload-time = "2025-07-01T15:54:46.043Z" }, + { url = "https://files.pythonhosted.org/packages/a7/6b/63ffa55743dfcb4baf2e9e77a0b11f7f97ed96a54558fcb5717a4b2cd732/rpds_py-0.26.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:9da4e873860ad5bab3291438525cae80169daecbfafe5657f7f5fb4d6b3f96b9", size = 561329, upload-time = "2025-07-01T15:54:47.64Z" }, + { url = "https://files.pythonhosted.org/packages/2f/07/1f4f5e2886c480a2346b1e6759c00278b8a69e697ae952d82ae2e6ee5db0/rpds_py-0.26.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:5afaddaa8e8c7f1f7b4c5c725c0070b6eed0228f705b90a1732a48e84350f4e9", size = 590875, upload-time = "2025-07-01T15:54:48.9Z" }, + { url = "https://files.pythonhosted.org/packages/cc/bc/e6639f1b91c3a55f8c41b47d73e6307051b6e246254a827ede730624c0f8/rpds_py-0.26.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4916dc96489616a6f9667e7526af8fa693c0fdb4f3acb0e5d9f4400eb06a47ba", size = 556636, upload-time = "2025-07-01T15:54:50.619Z" }, + { url = "https://files.pythonhosted.org/packages/05/4c/b3917c45566f9f9a209d38d9b54a1833f2bb1032a3e04c66f75726f28876/rpds_py-0.26.0-cp313-cp313-win32.whl", hash = "sha256:2a343f91b17097c546b93f7999976fd6c9d5900617aa848c81d794e062ab302b", size = 222663, upload-time = "2025-07-01T15:54:52.023Z" }, + { url = "https://files.pythonhosted.org/packages/e0/0b/0851bdd6025775aaa2365bb8de0697ee2558184c800bfef8d7aef5ccde58/rpds_py-0.26.0-cp313-cp313-win_amd64.whl", hash = "sha256:0a0b60701f2300c81b2ac88a5fb893ccfa408e1c4a555a77f908a2596eb875a5", size = 234428, upload-time = "2025-07-01T15:54:53.692Z" }, + { url = 
"https://files.pythonhosted.org/packages/ed/e8/a47c64ed53149c75fb581e14a237b7b7cd18217e969c30d474d335105622/rpds_py-0.26.0-cp313-cp313-win_arm64.whl", hash = "sha256:257d011919f133a4746958257f2c75238e3ff54255acd5e3e11f3ff41fd14256", size = 222571, upload-time = "2025-07-01T15:54:54.822Z" }, + { url = "https://files.pythonhosted.org/packages/89/bf/3d970ba2e2bcd17d2912cb42874107390f72873e38e79267224110de5e61/rpds_py-0.26.0-cp313-cp313t-macosx_10_12_x86_64.whl", hash = "sha256:529c8156d7506fba5740e05da8795688f87119cce330c244519cf706a4a3d618", size = 360475, upload-time = "2025-07-01T15:54:56.228Z" }, + { url = "https://files.pythonhosted.org/packages/82/9f/283e7e2979fc4ec2d8ecee506d5a3675fce5ed9b4b7cb387ea5d37c2f18d/rpds_py-0.26.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:f53ec51f9d24e9638a40cabb95078ade8c99251945dad8d57bf4aabe86ecee35", size = 346692, upload-time = "2025-07-01T15:54:58.561Z" }, + { url = "https://files.pythonhosted.org/packages/e3/03/7e50423c04d78daf391da3cc4330bdb97042fc192a58b186f2d5deb7befd/rpds_py-0.26.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7ab504c4d654e4a29558eaa5bb8cea5fdc1703ea60a8099ffd9c758472cf913f", size = 379415, upload-time = "2025-07-01T15:54:59.751Z" }, + { url = "https://files.pythonhosted.org/packages/57/00/d11ee60d4d3b16808432417951c63df803afb0e0fc672b5e8d07e9edaaae/rpds_py-0.26.0-cp313-cp313t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:fd0641abca296bc1a00183fe44f7fced8807ed49d501f188faa642d0e4975b83", size = 391783, upload-time = "2025-07-01T15:55:00.898Z" }, + { url = "https://files.pythonhosted.org/packages/08/b3/1069c394d9c0d6d23c5b522e1f6546b65793a22950f6e0210adcc6f97c3e/rpds_py-0.26.0-cp313-cp313t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:69b312fecc1d017b5327afa81d4da1480f51c68810963a7336d92203dbb3d4f1", size = 512844, upload-time = "2025-07-01T15:55:02.201Z" }, + { url = 
"https://files.pythonhosted.org/packages/08/3b/c4fbf0926800ed70b2c245ceca99c49f066456755f5d6eb8863c2c51e6d0/rpds_py-0.26.0-cp313-cp313t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c741107203954f6fc34d3066d213d0a0c40f7bb5aafd698fb39888af277c70d8", size = 402105, upload-time = "2025-07-01T15:55:03.698Z" }, + { url = "https://files.pythonhosted.org/packages/1c/b0/db69b52ca07413e568dae9dc674627a22297abb144c4d6022c6d78f1e5cc/rpds_py-0.26.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fc3e55a7db08dc9a6ed5fb7103019d2c1a38a349ac41901f9f66d7f95750942f", size = 383440, upload-time = "2025-07-01T15:55:05.398Z" }, + { url = "https://files.pythonhosted.org/packages/4c/e1/c65255ad5b63903e56b3bb3ff9dcc3f4f5c3badde5d08c741ee03903e951/rpds_py-0.26.0-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:9e851920caab2dbcae311fd28f4313c6953993893eb5c1bb367ec69d9a39e7ed", size = 412759, upload-time = "2025-07-01T15:55:08.316Z" }, + { url = "https://files.pythonhosted.org/packages/e4/22/bb731077872377a93c6e93b8a9487d0406c70208985831034ccdeed39c8e/rpds_py-0.26.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:dfbf280da5f876d0b00c81f26bedce274e72a678c28845453885a9b3c22ae632", size = 556032, upload-time = "2025-07-01T15:55:09.52Z" }, + { url = "https://files.pythonhosted.org/packages/e0/8b/393322ce7bac5c4530fb96fc79cc9ea2f83e968ff5f6e873f905c493e1c4/rpds_py-0.26.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:1cc81d14ddfa53d7f3906694d35d54d9d3f850ef8e4e99ee68bc0d1e5fed9a9c", size = 585416, upload-time = "2025-07-01T15:55:11.216Z" }, + { url = "https://files.pythonhosted.org/packages/49/ae/769dc372211835bf759319a7aae70525c6eb523e3371842c65b7ef41c9c6/rpds_py-0.26.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:dca83c498b4650a91efcf7b88d669b170256bf8017a5db6f3e06c2bf031f57e0", size = 554049, upload-time = "2025-07-01T15:55:13.004Z" }, + { url = 
"https://files.pythonhosted.org/packages/6b/f9/4c43f9cc203d6ba44ce3146246cdc38619d92c7bd7bad4946a3491bd5b70/rpds_py-0.26.0-cp313-cp313t-win32.whl", hash = "sha256:4d11382bcaf12f80b51d790dee295c56a159633a8e81e6323b16e55d81ae37e9", size = 218428, upload-time = "2025-07-01T15:55:14.486Z" }, + { url = "https://files.pythonhosted.org/packages/7e/8b/9286b7e822036a4a977f2f1e851c7345c20528dbd56b687bb67ed68a8ede/rpds_py-0.26.0-cp313-cp313t-win_amd64.whl", hash = "sha256:ff110acded3c22c033e637dd8896e411c7d3a11289b2edf041f86663dbc791e9", size = 231524, upload-time = "2025-07-01T15:55:15.745Z" }, + { url = "https://files.pythonhosted.org/packages/55/07/029b7c45db910c74e182de626dfdae0ad489a949d84a468465cd0ca36355/rpds_py-0.26.0-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:da619979df60a940cd434084355c514c25cf8eb4cf9a508510682f6c851a4f7a", size = 364292, upload-time = "2025-07-01T15:55:17.001Z" }, + { url = "https://files.pythonhosted.org/packages/13/d1/9b3d3f986216b4d1f584878dca15ce4797aaf5d372d738974ba737bf68d6/rpds_py-0.26.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ea89a2458a1a75f87caabefe789c87539ea4e43b40f18cff526052e35bbb4fdf", size = 350334, upload-time = "2025-07-01T15:55:18.922Z" }, + { url = "https://files.pythonhosted.org/packages/18/98/16d5e7bc9ec715fa9668731d0cf97f6b032724e61696e2db3d47aeb89214/rpds_py-0.26.0-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:feac1045b3327a45944e7dcbeb57530339f6b17baff154df51ef8b0da34c8c12", size = 384875, upload-time = "2025-07-01T15:55:20.399Z" }, + { url = "https://files.pythonhosted.org/packages/f9/13/aa5e2b1ec5ab0e86a5c464d53514c0467bec6ba2507027d35fc81818358e/rpds_py-0.26.0-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:b818a592bd69bfe437ee8368603d4a2d928c34cffcdf77c2e761a759ffd17d20", size = 399993, upload-time = "2025-07-01T15:55:21.729Z" }, + { url = 
"https://files.pythonhosted.org/packages/17/03/8021810b0e97923abdbab6474c8b77c69bcb4b2c58330777df9ff69dc559/rpds_py-0.26.0-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1a8b0dd8648709b62d9372fc00a57466f5fdeefed666afe3fea5a6c9539a0331", size = 516683, upload-time = "2025-07-01T15:55:22.918Z" }, + { url = "https://files.pythonhosted.org/packages/dc/b1/da8e61c87c2f3d836954239fdbbfb477bb7b54d74974d8f6fcb34342d166/rpds_py-0.26.0-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6d3498ad0df07d81112aa6ec6c95a7e7b1ae00929fb73e7ebee0f3faaeabad2f", size = 408825, upload-time = "2025-07-01T15:55:24.207Z" }, + { url = "https://files.pythonhosted.org/packages/38/bc/1fc173edaaa0e52c94b02a655db20697cb5fa954ad5a8e15a2c784c5cbdd/rpds_py-0.26.0-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:24a4146ccb15be237fdef10f331c568e1b0e505f8c8c9ed5d67759dac58ac246", size = 387292, upload-time = "2025-07-01T15:55:25.554Z" }, + { url = "https://files.pythonhosted.org/packages/7c/eb/3a9bb4bd90867d21916f253caf4f0d0be7098671b6715ad1cead9fe7bab9/rpds_py-0.26.0-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a9a63785467b2d73635957d32a4f6e73d5e4df497a16a6392fa066b753e87387", size = 420435, upload-time = "2025-07-01T15:55:27.798Z" }, + { url = "https://files.pythonhosted.org/packages/cd/16/e066dcdb56f5632713445271a3f8d3d0b426d51ae9c0cca387799df58b02/rpds_py-0.26.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:de4ed93a8c91debfd5a047be327b7cc8b0cc6afe32a716bbbc4aedca9e2a83af", size = 562410, upload-time = "2025-07-01T15:55:29.057Z" }, + { url = "https://files.pythonhosted.org/packages/60/22/ddbdec7eb82a0dc2e455be44c97c71c232983e21349836ce9f272e8a3c29/rpds_py-0.26.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:caf51943715b12af827696ec395bfa68f090a4c1a1d2509eb4e2cb69abbbdb33", size = 590724, upload-time = "2025-07-01T15:55:30.719Z" }, + { url = 
"https://files.pythonhosted.org/packages/2c/b4/95744085e65b7187d83f2fcb0bef70716a1ea0a9e5d8f7f39a86e5d83424/rpds_py-0.26.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:4a59e5bc386de021f56337f757301b337d7ab58baa40174fb150accd480bc953", size = 558285, upload-time = "2025-07-01T15:55:31.981Z" }, + { url = "https://files.pythonhosted.org/packages/37/37/6309a75e464d1da2559446f9c811aa4d16343cebe3dbb73701e63f760caa/rpds_py-0.26.0-cp314-cp314-win32.whl", hash = "sha256:92c8db839367ef16a662478f0a2fe13e15f2227da3c1430a782ad0f6ee009ec9", size = 223459, upload-time = "2025-07-01T15:55:33.312Z" }, + { url = "https://files.pythonhosted.org/packages/d9/6f/8e9c11214c46098b1d1391b7e02b70bb689ab963db3b19540cba17315291/rpds_py-0.26.0-cp314-cp314-win_amd64.whl", hash = "sha256:b0afb8cdd034150d4d9f53926226ed27ad15b7f465e93d7468caaf5eafae0d37", size = 236083, upload-time = "2025-07-01T15:55:34.933Z" }, + { url = "https://files.pythonhosted.org/packages/47/af/9c4638994dd623d51c39892edd9d08e8be8220a4b7e874fa02c2d6e91955/rpds_py-0.26.0-cp314-cp314-win_arm64.whl", hash = "sha256:ca3f059f4ba485d90c8dc75cb5ca897e15325e4e609812ce57f896607c1c0867", size = 223291, upload-time = "2025-07-01T15:55:36.202Z" }, + { url = "https://files.pythonhosted.org/packages/4d/db/669a241144460474aab03e254326b32c42def83eb23458a10d163cb9b5ce/rpds_py-0.26.0-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:5afea17ab3a126006dc2f293b14ffc7ef3c85336cf451564a0515ed7648033da", size = 361445, upload-time = "2025-07-01T15:55:37.483Z" }, + { url = "https://files.pythonhosted.org/packages/3b/2d/133f61cc5807c6c2fd086a46df0eb8f63a23f5df8306ff9f6d0fd168fecc/rpds_py-0.26.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:69f0c0a3df7fd3a7eec50a00396104bb9a843ea6d45fcc31c2d5243446ffd7a7", size = 347206, upload-time = "2025-07-01T15:55:38.828Z" }, + { url = 
"https://files.pythonhosted.org/packages/05/bf/0e8fb4c05f70273469eecf82f6ccf37248558526a45321644826555db31b/rpds_py-0.26.0-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:801a71f70f9813e82d2513c9a96532551fce1e278ec0c64610992c49c04c2dad", size = 380330, upload-time = "2025-07-01T15:55:40.175Z" }, + { url = "https://files.pythonhosted.org/packages/d4/a8/060d24185d8b24d3923322f8d0ede16df4ade226a74e747b8c7c978e3dd3/rpds_py-0.26.0-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:df52098cde6d5e02fa75c1f6244f07971773adb4a26625edd5c18fee906fa84d", size = 392254, upload-time = "2025-07-01T15:55:42.015Z" }, + { url = "https://files.pythonhosted.org/packages/b9/7b/7c2e8a9ee3e6bc0bae26bf29f5219955ca2fbb761dca996a83f5d2f773fe/rpds_py-0.26.0-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9bc596b30f86dc6f0929499c9e574601679d0341a0108c25b9b358a042f51bca", size = 516094, upload-time = "2025-07-01T15:55:43.603Z" }, + { url = "https://files.pythonhosted.org/packages/75/d6/f61cafbed8ba1499b9af9f1777a2a199cd888f74a96133d8833ce5eaa9c5/rpds_py-0.26.0-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9dfbe56b299cf5875b68eb6f0ebaadc9cac520a1989cac0db0765abfb3709c19", size = 402889, upload-time = "2025-07-01T15:55:45.275Z" }, + { url = "https://files.pythonhosted.org/packages/92/19/c8ac0a8a8df2dd30cdec27f69298a5c13e9029500d6d76718130f5e5be10/rpds_py-0.26.0-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ac64f4b2bdb4ea622175c9ab7cf09444e412e22c0e02e906978b3b488af5fde8", size = 384301, upload-time = "2025-07-01T15:55:47.098Z" }, + { url = "https://files.pythonhosted.org/packages/41/e1/6b1859898bc292a9ce5776016c7312b672da00e25cec74d7beced1027286/rpds_py-0.26.0-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:181ef9b6bbf9845a264f9aa45c31836e9f3c1f13be565d0d010e964c661d1e2b", size = 412891, upload-time = "2025-07-01T15:55:48.412Z" }, 
+ { url = "https://files.pythonhosted.org/packages/ef/b9/ceb39af29913c07966a61367b3c08b4f71fad841e32c6b59a129d5974698/rpds_py-0.26.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:49028aa684c144ea502a8e847d23aed5e4c2ef7cadfa7d5eaafcb40864844b7a", size = 557044, upload-time = "2025-07-01T15:55:49.816Z" }, + { url = "https://files.pythonhosted.org/packages/2f/27/35637b98380731a521f8ec4f3fd94e477964f04f6b2f8f7af8a2d889a4af/rpds_py-0.26.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:e5d524d68a474a9688336045bbf76cb0def88549c1b2ad9dbfec1fb7cfbe9170", size = 585774, upload-time = "2025-07-01T15:55:51.192Z" }, + { url = "https://files.pythonhosted.org/packages/52/d9/3f0f105420fecd18551b678c9a6ce60bd23986098b252a56d35781b3e7e9/rpds_py-0.26.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:c1851f429b822831bd2edcbe0cfd12ee9ea77868f8d3daf267b189371671c80e", size = 554886, upload-time = "2025-07-01T15:55:52.541Z" }, + { url = "https://files.pythonhosted.org/packages/6b/c5/347c056a90dc8dd9bc240a08c527315008e1b5042e7a4cf4ac027be9d38a/rpds_py-0.26.0-cp314-cp314t-win32.whl", hash = "sha256:7bdb17009696214c3b66bb3590c6d62e14ac5935e53e929bcdbc5a495987a84f", size = 219027, upload-time = "2025-07-01T15:55:53.874Z" }, + { url = "https://files.pythonhosted.org/packages/75/04/5302cea1aa26d886d34cadbf2dc77d90d7737e576c0065f357b96dc7a1a6/rpds_py-0.26.0-cp314-cp314t-win_amd64.whl", hash = "sha256:f14440b9573a6f76b4ee4770c13f0b5921f71dde3b6fcb8dabbefd13b7fe05d7", size = 232821, upload-time = "2025-07-01T15:55:55.167Z" }, + { url = "https://files.pythonhosted.org/packages/51/f2/b5c85b758a00c513bb0389f8fc8e61eb5423050c91c958cdd21843faa3e6/rpds_py-0.26.0-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:f61a9326f80ca59214d1cceb0a09bb2ece5b2563d4e0cd37bfd5515c28510674", size = 373505, upload-time = "2025-07-01T15:56:34.716Z" }, + { url = 
"https://files.pythonhosted.org/packages/23/e0/25db45e391251118e915e541995bb5f5ac5691a3b98fb233020ba53afc9b/rpds_py-0.26.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:183f857a53bcf4b1b42ef0f57ca553ab56bdd170e49d8091e96c51c3d69ca696", size = 359468, upload-time = "2025-07-01T15:56:36.219Z" }, + { url = "https://files.pythonhosted.org/packages/0b/73/dd5ee6075bb6491be3a646b301dfd814f9486d924137a5098e61f0487e16/rpds_py-0.26.0-pp311-pypy311_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:941c1cfdf4799d623cf3aa1d326a6b4fdb7a5799ee2687f3516738216d2262fb", size = 382680, upload-time = "2025-07-01T15:56:37.644Z" }, + { url = "https://files.pythonhosted.org/packages/2f/10/84b522ff58763a5c443f5bcedc1820240e454ce4e620e88520f04589e2ea/rpds_py-0.26.0-pp311-pypy311_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:72a8d9564a717ee291f554eeb4bfeafe2309d5ec0aa6c475170bdab0f9ee8e88", size = 397035, upload-time = "2025-07-01T15:56:39.241Z" }, + { url = "https://files.pythonhosted.org/packages/06/ea/8667604229a10a520fcbf78b30ccc278977dcc0627beb7ea2c96b3becef0/rpds_py-0.26.0-pp311-pypy311_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:511d15193cbe013619dd05414c35a7dedf2088fcee93c6bbb7c77859765bd4e8", size = 514922, upload-time = "2025-07-01T15:56:40.645Z" }, + { url = "https://files.pythonhosted.org/packages/24/e6/9ed5b625c0661c4882fc8cdf302bf8e96c73c40de99c31e0b95ed37d508c/rpds_py-0.26.0-pp311-pypy311_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:aea1f9741b603a8d8fedb0ed5502c2bc0accbc51f43e2ad1337fe7259c2b77a5", size = 402822, upload-time = "2025-07-01T15:56:42.137Z" }, + { url = "https://files.pythonhosted.org/packages/8a/58/212c7b6fd51946047fb45d3733da27e2fa8f7384a13457c874186af691b1/rpds_py-0.26.0-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4019a9d473c708cf2f16415688ef0b4639e07abaa569d72f74745bbeffafa2c7", size = 384336, upload-time = 
"2025-07-01T15:56:44.239Z" }, + { url = "https://files.pythonhosted.org/packages/aa/f5/a40ba78748ae8ebf4934d4b88e77b98497378bc2c24ba55ebe87a4e87057/rpds_py-0.26.0-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:093d63b4b0f52d98ebae33b8c50900d3d67e0666094b1be7a12fffd7f65de74b", size = 416871, upload-time = "2025-07-01T15:56:46.284Z" }, + { url = "https://files.pythonhosted.org/packages/d5/a6/33b1fc0c9f7dcfcfc4a4353daa6308b3ece22496ceece348b3e7a7559a09/rpds_py-0.26.0-pp311-pypy311_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:2abe21d8ba64cded53a2a677e149ceb76dcf44284202d737178afe7ba540c1eb", size = 559439, upload-time = "2025-07-01T15:56:48.549Z" }, + { url = "https://files.pythonhosted.org/packages/71/2d/ceb3f9c12f8cfa56d34995097f6cd99da1325642c60d1b6680dd9df03ed8/rpds_py-0.26.0-pp311-pypy311_pp73-musllinux_1_2_i686.whl", hash = "sha256:4feb7511c29f8442cbbc28149a92093d32e815a28aa2c50d333826ad2a20fdf0", size = 588380, upload-time = "2025-07-01T15:56:50.086Z" }, + { url = "https://files.pythonhosted.org/packages/c8/ed/9de62c2150ca8e2e5858acf3f4f4d0d180a38feef9fdab4078bea63d8dba/rpds_py-0.26.0-pp311-pypy311_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:e99685fc95d386da368013e7fb4269dd39c30d99f812a8372d62f244f662709c", size = 555334, upload-time = "2025-07-01T15:56:51.703Z" }, +] + +[[package]] +name = "typing-extensions" +version = "4.14.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/98/5a/da40306b885cc8c09109dc2e1abd358d5684b1425678151cdaed4731c822/typing_extensions-4.14.1.tar.gz", hash = "sha256:38b39f4aeeab64884ce9f74c94263ef78f3c22467c8724005483154c26648d36", size = 107673, upload-time = "2025-07-04T13:28:34.16Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b5/00/d631e67a838026495268c2f6884f3711a15a9a2a96cd244fdaea53b823fb/typing_extensions-4.14.1-py3-none-any.whl", hash = "sha256:d1e1e3b58374dc93031d6eda2420a48ea44a36c2b4766a4fdeb3710755731d76", size 
= 43906, upload-time = "2025-07-04T13:28:32.743Z" }, +] -- Gitee From f402a123487158e9e7d713809038260de6d9bf64 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 29 Jul 2025 10:44:41 +0800 Subject: [PATCH 018/109] add parser test --- os-harden-tools/config_parser.py | 18 +++++++- .../config_parser/parser/intersect/1.conf | 2 + .../config_parser/parser/intersect/2.conf | 2 + .../config_parser/parser/override/1.conf | 2 + .../config_parser/parser/override/2.conf | 2 + .../parser/single_file/secharden.conf | 5 +++ .../parser/wrong_file/secharden.conf | 5 +++ .../parser/wrong_file_in_collection/1.conf | 2 + .../parser/wrong_file_in_collection/2.conf | 2 + .../tests/config_parser/test_parser.py | 45 +++++++++++++++++++ 10 files changed, 83 insertions(+), 2 deletions(-) create mode 100644 os-harden-tools/tests/config_parser/parser/intersect/1.conf create mode 100644 os-harden-tools/tests/config_parser/parser/intersect/2.conf create mode 100644 os-harden-tools/tests/config_parser/parser/override/1.conf create mode 100644 os-harden-tools/tests/config_parser/parser/override/2.conf create mode 100644 os-harden-tools/tests/config_parser/parser/single_file/secharden.conf create mode 100644 os-harden-tools/tests/config_parser/parser/wrong_file/secharden.conf create mode 100644 os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/1.conf create mode 100644 os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/2.conf create mode 100644 os-harden-tools/tests/config_parser/test_parser.py diff --git a/os-harden-tools/config_parser.py b/os-harden-tools/config_parser.py index 819eea1..f73b93f 100644 --- a/os-harden-tools/config_parser.py +++ b/os-harden-tools/config_parser.py 
@@ -3,6 +3,16 @@ from pathlib import Path
 from typing import Dict, List, Any
 import yaml
+import jsonschema
+
+# just limit to dict is enough
+CHECK_SCHEMA = {
+ "$schema": "https://json-schema.org/draft-04/schema",
+ "id": "./categories.schema.json",
+ "title": "Tool categories metadata Schema",
+ "description": "Schema file for tool categories specification",
+ "allOf": [{"type": "object"}]
+}
 def verify_config_name(path: Path) -> bool:
@@ -43,8 +53,12 @@ def parse_config(configs: List[Path]) -> Dict[str, Dict[str, Any]]:
 logging.debug(f"Parsing config file: {file}")
 try:
 yaml_data = yaml.safe_load(file.read_text('utf-8'))
- except yaml.YAMLError as exc:
- logging.error(f"Error parsing YAML file {file}: {exc}")
+ jsonschema.validate(yaml_data, CHECK_SCHEMA)
+ except yaml.YAMLError as e:
+ logging.error(f"Error parsing YAML file {file}: {e}")
+ continue
+ except jsonschema.ValidationError as e:
+ logging.error(f"Error parsing YAML file {file}: {e}")
+ continue
 result.update(yaml_data)
 return result
diff --git a/os-harden-tools/tests/config_parser/parser/intersect/1.conf b/os-harden-tools/tests/config_parser/parser/intersect/1.conf
new file mode 100644
index 0000000..04512d3
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/intersect/1.conf
@@ -0,0 +1,2 @@
+int.01:
+ enabled: false
diff --git a/os-harden-tools/tests/config_parser/parser/intersect/2.conf b/os-harden-tools/tests/config_parser/parser/intersect/2.conf
new file mode 100644
index 0000000..8a85305
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/intersect/2.conf
@@ -0,0 +1,2 @@
+int.02:
+ enabled: true
diff --git a/os-harden-tools/tests/config_parser/parser/override/1.conf b/os-harden-tools/tests/config_parser/parser/override/1.conf
new file mode 100644
index 0000000..04512d3
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/override/1.conf
@@ -0,0 +1,2 @@
+int.01:
+ enabled: false
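Review bot: The `title` and `description` of CHECK_SCHEMA ("Tool categories metadata Schema", "Schema file for tool categories specification") describe a different schema than the one this constant enforces, which is only "the document is a mapping"; a maintainer reading them will assume the categories metadata is being validated here. Suggest `"title": "Hardening config schema"` and `"description": "Top-level config document must be a YAML mapping; values are not constrained."`, and the `allOf` wrapper can simply be `"type": "object"`. The `$schema` value `https://json-schema.org/draft-04/schema` also does not match the draft-04 meta-schema id (`http://json-schema.org/draft-04/schema#`), so jsonschema may not select the Draft 4 validator and instead fall back to its default draft — harmless for a type-only schema, but worth pinning to the exact id or dropping along with `id` if no draft-4 semantics are intended.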
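Review bot: The new `except jsonschema.ValidationError` branch logs the identical message as the YAML-syntax branch ("Error parsing YAML file ..."), so an operator cannot tell a malformed file from one that parsed but is not a mapping; `logging.error(f"Config file {file} is not a top-level mapping (schema validation failed): {e.message}")` keeps the two cases distinguishable and avoids dumping the whole instance that `str(e)` includes. More importantly, both branches `continue` and the function still returns normally, so a hardening run whose only config file is rejected proceeds with an empty config — that is fail-open for a tool whose purpose is to apply hardening, and the caller (outside this hunk) has no way to know entries were dropped. Consider having `parse_config` raise, or at least return a "had errors" flag, so the caller can abort rather than silently harden less; note also that `file.read_text` raising `OSError` is not caught here, so a missing file aborts while a corrupt one is skipped, which is inconsistent.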
diff --git a/os-harden-tools/tests/config_parser/parser/override/2.conf b/os-harden-tools/tests/config_parser/parser/override/2.conf
new file mode 100644
index 0000000..f40f584
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/override/2.conf
@@ -0,0 +1,2 @@
+int.01:
+ enabled: true
diff --git a/os-harden-tools/tests/config_parser/parser/single_file/secharden.conf b/os-harden-tools/tests/config_parser/parser/single_file/secharden.conf
new file mode 100644
index 0000000..c21d709
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/single_file/secharden.conf
@@ -0,0 +1,5 @@
+int.01:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/parser/wrong_file/secharden.conf b/os-harden-tools/tests/config_parser/parser/wrong_file/secharden.conf
new file mode 100644
index 0000000..75fded1
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/wrong_file/secharden.conf
@@ -0,0 +1,5 @@
+- int.01:
+- int.03:
+- selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/1.conf b/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/1.conf
new file mode 100644
index 0000000..04512d3
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/1.conf
@@ -0,0 +1,2 @@
+int.01:
+ enabled: false
diff --git a/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/2.conf b/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/2.conf
new file mode 100644
index 0000000..4bc0ba1
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/2.conf
@@ -0,0 +1,2 @@
+- int.01:
+ enabled: true
\ No newline at end of file
diff --git a/os-harden-tools/tests/config_parser/test_parser.py b/os-harden-tools/tests/config_parser/test_parser.py
new file mode 100644
index 0000000..6b9f23b
--- /dev/null
+++ b/os-harden-tools/tests/config_parser/test_parser.py
@@ -0,0 +1,45 @@
+from pathlib import Path
+
+import pytest
+
+from config_parser import parse_config
+
+class TestConfigParser:
+ @pytest.fixture
+ def config_test_path(self, request):
+ return Path(request.path).parent.joinpath("parser").resolve()
+
+ def test_single_file(self, config_test_path):
+ d = parse_config([config_test_path.joinpath("single_file/secharden.conf")])
+ assert d == {'int.01': None, 'int.03': None, 'selinux_tags': ['ima_t', 'ima2_t']}
+
+ def test_wrong_file(self, config_test_path):
+ d = parse_config([config_test_path.joinpath("wrong_file/secharden.conf")])
+ assert d == {}
+
+ def test_wrong_file_in_collection(self, config_test_path):
+ d = parse_config([
+ config_test_path.joinpath("wrong_file_in_collection/1.conf"),
+ config_test_path.joinpath("wrong_file_in_collection/2.conf"),
+ ])
+ assert d == {'int.01': {'enabled': False}}
+
+ def test_override(self, config_test_path):
+ d = parse_config([
+ config_test_path.joinpath("override/1.conf"),
+ config_test_path.joinpath("override/2.conf"),
+ ])
+ assert d == {'int.01': {'enabled': True}}
+
+ d = parse_config([
+ config_test_path.joinpath("override/2.conf"),
+ config_test_path.joinpath("override/1.conf"),
+ ])
+ assert d == {'int.01': {'enabled': False}}
+
+ def test_intersect(self, config_test_path):
+ d = parse_config([
+ config_test_path.joinpath("intersect/1.conf"),
+ config_test_path.joinpath("intersect/2.conf"),
+ ])
+ assert d == {'int.01': {'enabled': False}, 'int.02': {'enabled': True}}
-- Gitee
From 6da1406efe27026c3ab39d71dc841f5f8b63e4f5 Mon Sep 17 00:00:00 2001
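Review bot: `test_wrong_file` and `test_wrong_file_in_collection` pin the silent-skip behaviour (a rejected file simply disappears from the result) without any comment saying that this is the intended contract, so a later change that makes `parse_config` fail closed would break these tests with no hint about which side is right; a one-line comment such as `# Contract: a file that is not a YAML mapping is dropped with an error log, not raised` on each would make the intent explicit. The suite also exercises only the "sequence instead of mapping" failure; an empty file (`yaml.safe_load` yields `None`) and a scalar-only file hit the same `ValidationError` path and are the cases most likely to appear in practice (e.g. a truncated config), so add a `tmp_path`-based case asserting `parse_config([empty]) == {}`. The `test_override` ordering assertions are valuable since last-file-wins is what lets a later config silently weaken an earlier hardening entry; consider naming that in the test docstring.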
From: Tomahawkd Date: Tue, 29 Jul 2025 11:23:04 +0800 Subject: [PATCH 019/109] format all tools --- os-harden-tools/gendoc.py | 1 + os-harden-tools/tools/README.md | 246 ++++++++++++++++++ os-harden-tools/tools/categories.json | 24 ++ .../{ => kern.01}/enable_bpf_jit_harden.sh | 0 os-harden-tools/tools/kern.01/metadata.json | 6 + .../tools/{ => kern.02}/enable_kernel_aslr.sh | 0 os-harden-tools/tools/kern.02/metadata.json | 6 + .../{ => kern.03}/enable_panic_on_oops.sh | 0 os-harden-tools/tools/kern.03/metadata.json | 6 + .../tools/{ => log.01}/disable_ssh_no_pass.sh | 0 os-harden-tools/tools/log.01/metadata.json | 6 + .../disable_ssh_permit_user_environment.sh | 0 os-harden-tools/tools/log.02/metadata.json | 6 + .../{ => log.03}/disable_ssh_root_login.sh | 0 os-harden-tools/tools/log.03/metadata.json | 6 + .../disable_ssh_tcp_forwarding.sh | 0 os-harden-tools/tools/log.04/metadata.json | 6 + .../disable_ssh_x11_forwarding.sh | 0 os-harden-tools/tools/log.05/metadata.json | 6 + .../tools/{ => log.06}/disable_sysrq.sh | 0 os-harden-tools/tools/log.06/metadata.json | 6 + .../{ => log.07}/disable_tcp_timestamps.sh | 0 os-harden-tools/tools/log.07/metadata.json | 6 + os-harden-tools/tools/log.08/metadata.json | 6 + .../{ => log.08}/set_ssh_max_auth_tries.sh | 0 .../{ => net.01}/disable_accept_redirect.sh | 0 os-harden-tools/tools/net.01/metadata.json | 6 + .../{ => net.02}/disable_icmp_broadcast.sh | 0 os-harden-tools/tools/net.02/metadata.json | 6 + .../tools/{ => net.03}/disable_ip_forward.sh | 0 os-harden-tools/tools/net.03/metadata.json | 6 + .../tools/{ => net.04}/disable_proxy_arp.sh | 0 os-harden-tools/tools/net.04/metadata.json | 6 + .../{ => net.05}/disable_source_route.sh | 0 os-harden-tools/tools/net.05/metadata.json | 6 + .../{ => net.06}/drop_forge_icmp_package.sh | 0 os-harden-tools/tools/net.06/metadata.json | 6 + .../tools/{ => net.07}/enable_firewall.sh | 0 os-harden-tools/tools/net.07/metadata.json | 6 + .../tools/{ => net.08}/enable_rp_filter.sh | 0 
os-harden-tools/tools/net.08/metadata.json | 6 + .../{ => net.09}/enable_tcp_syn_cookies.sh | 0 os-harden-tools/tools/net.09/metadata.json | 6 + os-harden-tools/tools/priv.01/metadata.json | 6 + .../{ => priv.01}/minimal_file_permission.sh | 0 os-harden-tools/tools/priv.02/metadata.json | 6 + .../tools/{ => priv.02}/symlink_protection.sh | 0 .../tools/{ => serv.01}/enable_rsyslog.sh | 0 os-harden-tools/tools/serv.01/metadata.json | 6 + .../{ => serv.02}/enable_selinux_enforce.sh | 0 os-harden-tools/tools/serv.02/metadata.json | 6 + .../{ => sys.01}/enable_dmesg_restrict.sh | 0 os-harden-tools/tools/sys.01/metadata.json | 6 + .../tools/{ => sys.02}/disable_kexec.sh | 0 os-harden-tools/tools/sys.02/metadata.json | 6 + .../{ => sys.03}/enable_kptr_restrict.sh | 0 os-harden-tools/tools/sys.03/metadata.json | 6 + .../tools/{ => sys.04}/enable_ptrace_scope.sh | 0 os-harden-tools/tools/sys.04/metadata.json | 6 + .../disable_uncommon_network_module.sh | 0 os-harden-tools/tools/sys.05/metadata.json | 6 + 61 files changed, 445 insertions(+) rename os-harden-tools/tools/{ => kern.01}/enable_bpf_jit_harden.sh (100%) create mode 100644 os-harden-tools/tools/kern.01/metadata.json rename os-harden-tools/tools/{ => kern.02}/enable_kernel_aslr.sh (100%) create mode 100644 os-harden-tools/tools/kern.02/metadata.json rename os-harden-tools/tools/{ => kern.03}/enable_panic_on_oops.sh (100%) create mode 100644 os-harden-tools/tools/kern.03/metadata.json rename os-harden-tools/tools/{ => log.01}/disable_ssh_no_pass.sh (100%) create mode 100644 os-harden-tools/tools/log.01/metadata.json rename os-harden-tools/tools/{ => log.02}/disable_ssh_permit_user_environment.sh (100%) create mode 100644 os-harden-tools/tools/log.02/metadata.json rename os-harden-tools/tools/{ => log.03}/disable_ssh_root_login.sh (100%) create mode 100644 os-harden-tools/tools/log.03/metadata.json rename os-harden-tools/tools/{ => log.04}/disable_ssh_tcp_forwarding.sh (100%) create mode 100644 
os-harden-tools/tools/log.04/metadata.json rename os-harden-tools/tools/{ => log.05}/disable_ssh_x11_forwarding.sh (100%) create mode 100644 os-harden-tools/tools/log.05/metadata.json rename os-harden-tools/tools/{ => log.06}/disable_sysrq.sh (100%) create mode 100644 os-harden-tools/tools/log.06/metadata.json rename os-harden-tools/tools/{ => log.07}/disable_tcp_timestamps.sh (100%) create mode 100644 os-harden-tools/tools/log.07/metadata.json create mode 100644 os-harden-tools/tools/log.08/metadata.json rename os-harden-tools/tools/{ => log.08}/set_ssh_max_auth_tries.sh (100%) rename os-harden-tools/tools/{ => net.01}/disable_accept_redirect.sh (100%) create mode 100644 os-harden-tools/tools/net.01/metadata.json rename os-harden-tools/tools/{ => net.02}/disable_icmp_broadcast.sh (100%) create mode 100644 os-harden-tools/tools/net.02/metadata.json rename os-harden-tools/tools/{ => net.03}/disable_ip_forward.sh (100%) create mode 100644 os-harden-tools/tools/net.03/metadata.json rename os-harden-tools/tools/{ => net.04}/disable_proxy_arp.sh (100%) create mode 100644 os-harden-tools/tools/net.04/metadata.json rename os-harden-tools/tools/{ => net.05}/disable_source_route.sh (100%) create mode 100644 os-harden-tools/tools/net.05/metadata.json rename os-harden-tools/tools/{ => net.06}/drop_forge_icmp_package.sh (100%) create mode 100644 os-harden-tools/tools/net.06/metadata.json rename os-harden-tools/tools/{ => net.07}/enable_firewall.sh (100%) create mode 100644 os-harden-tools/tools/net.07/metadata.json rename os-harden-tools/tools/{ => net.08}/enable_rp_filter.sh (100%) create mode 100644 os-harden-tools/tools/net.08/metadata.json rename os-harden-tools/tools/{ => net.09}/enable_tcp_syn_cookies.sh (100%) create mode 100644 os-harden-tools/tools/net.09/metadata.json create mode 100644 os-harden-tools/tools/priv.01/metadata.json rename os-harden-tools/tools/{ => priv.01}/minimal_file_permission.sh (100%) create mode 100644 os-harden-tools/tools/priv.02/metadata.json 
rename os-harden-tools/tools/{ => priv.02}/symlink_protection.sh (100%) rename os-harden-tools/tools/{ => serv.01}/enable_rsyslog.sh (100%) create mode 100644 os-harden-tools/tools/serv.01/metadata.json rename os-harden-tools/tools/{ => serv.02}/enable_selinux_enforce.sh (100%) create mode 100644 os-harden-tools/tools/serv.02/metadata.json rename os-harden-tools/tools/{ => sys.01}/enable_dmesg_restrict.sh (100%) create mode 100644 os-harden-tools/tools/sys.01/metadata.json rename os-harden-tools/tools/{ => sys.02}/disable_kexec.sh (100%) create mode 100644 os-harden-tools/tools/sys.02/metadata.json rename os-harden-tools/tools/{ => sys.03}/enable_kptr_restrict.sh (100%) create mode 100644 os-harden-tools/tools/sys.03/metadata.json rename os-harden-tools/tools/{ => sys.04}/enable_ptrace_scope.sh (100%) create mode 100644 os-harden-tools/tools/sys.04/metadata.json rename os-harden-tools/tools/{ => sys.05}/disable_uncommon_network_module.sh (100%) create mode 100644 os-harden-tools/tools/sys.05/metadata.json diff --git a/os-harden-tools/gendoc.py b/os-harden-tools/gendoc.py index 401be05..461cb55 100644 --- a/os-harden-tools/gendoc.py +++ b/os-harden-tools/gendoc.py @@ -59,6 +59,7 @@ def generate_doc(root: Path, overwrite: bool): logging.exception(e) output_stream.write("\n") + output_stream.write("> Generated By docgen tool.\n\n") output_stream.close() diff --git a/os-harden-tools/tools/README.md b/os-harden-tools/tools/README.md index fd1042e..d1d3c48 100644 --- a/os-harden-tools/tools/README.md +++ b/os-harden-tools/tools/README.md 
@@ -37,4 +37,250 @@ - [Integrity Measurement Architecture (IMA) Wiki](https://sourceforge.net/p/linux-ima/wiki/Home/) - [内核完整性度量(IMA)](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/security/trusted_computing/ima.html) +## 内核加固 + +### kern.01 开启BPF加固功能 + +开启BPF加固功能。BFP代码支持JIT编译执行和解释执行。其中JIT编译执行面临JIT喷射攻击的风险,攻击者可能利用该风险攻击内核进行提权。BPF加固功能会对JIT编译执行进行加固,缓解某些类型的JIT喷射攻击,降低内核面临的攻击风险。 + +#### 参数 + +无 + +### kern.02 启用内核ASLR + +启用内核ASLR。ASLR通过每次将栈的起始位置、函数库和程序本身移至随机位置,使得内存攻击时无法猜测正确的内存位置,导致攻击无法成功实施。 + +#### 参数 + +无 + +### kern.03 确保内核触发错误后直接退出 + +确保内核触发错误后直接退出。系统内核在发现一些非致命错误时会触发oops,如果在oops发生后内核仍然继续运行,可能会导致错误依然存在并影响内核的稳定性和可靠性。因此,建议设置使能panic_on_oops,在发生oops后直接panic退出而不是继续运行。 + +#### 参数 + +无 + +## 登录认证 + +### log.01 禁止空口令登录 + +禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。 + +#### 参数 + +无 + +### log.02 禁止使用PermitUserEnvironment + +禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。 + +#### 参数 + +无 + +### log.03 禁用root用户通过SSH登录 + +禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。 + +#### 参数 + +无 + +### log.04 禁用SSH的TCP转发功能 + +禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。 + +#### 参数 + +无 + +### log.05 禁止使用X11 Forwarding + +禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。 + +#### 参数 + +无 + +### log.06 禁止使用SysRq键 + +禁止使用SysRq键。SysRq使得具有物理访问权限的用户能够访问计算机中危险的系统级命令,攻击者可以通过键盘触发SysRq的调用,直接发送命令到内核,对系统造成影响。 + +#### 参数 + +无 + +### log.07 避免开启tcp_timestamps + +避免开启tcp_timestamps。tcp_timestamps用于记录TCP数据包的发送时间,可用于RTT测量(RTTM)和保护序号绕回(PAWS),启用该选项可能遭受拒绝服务攻击。 + +#### 参数 + +无 + +### log.08 设置最大认证次数 + +设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。 + +#### 参数 + +无 + +## 网络保护 + +### net.01 禁止ICMP重定向报文 + +禁止ICMP重定向报文。ICMP重定向消息是传递路由信息并告诉系统通过备用路径发送数据包。这是一种允许外部路由设备更新系统路由表的方法。攻击者可以利用伪造的ICMP重定向消息恶意更改系统路由表,使它们向错误的网络发送数据包,从而获取相应的敏感数据。 + +#### 参数 + +无 + +### net.02 禁止系统响应ICMP广播报文 + 
+禁止系统响应ICMP广播报文。ICMP广播的目的地址就是广播地址。无论是哪台设备发送的报文,报文都会发送到网络上的每一台设备上去。如果源地址是伪造的,就可能会导致网络上所有的设备发送恶意的echo报文给受害者地址。 + +#### 参数 + +无 + +### net.03 禁止IP转发 + +禁止IP转发。如果该结点不作为网关服务器,则应禁用IP转发功能。否则攻击者可将此系统作为路由器使用。 + +#### 参数 + +无 + +### net.04 禁止使用ARP代理 + +禁止使用ARP代理。ARP代理允许系统代表连接到某个接口的主机向另一个接口上的ARP请求发送响应。禁用ARP代理不仅可以防止未经授权的信息共享还可以防止连接的网络区段之间寻址信息泄露。所以应关闭ARP代理以避免ARP报文攻击对系统造成影响。 + +#### 参数 + +无 + +### net.05 禁止报文源路由 + +禁止报文源路由。源路由允许发送方部分或全部指定数据包通过网络的路由,而常规路由中,网络中的路由器根据数据包的目的地确定路径。大量报文被篡改后通过指定路由,则可以对内部网络进行定向攻击,可导致指定路由器负载过高,正常业务流量中断。 + +#### 参数 + +无 + +### net.06 丢弃伪造的ICMP报文 + +丢弃伪造的ICMP报文。一些攻击者会发送违反RFC-1122的ICMP报文,并试图用大量无用的错误信息填充日志文件系统。 + +#### 参数 + +无 + +### net.07 启用防火墙服务 + +启用防火墙服务。如果系统中没有配置防火墙服务,可能会导致系统被外部攻击、内部数据被窃取或篡改,大量无效流量浪费带宽、访问一些存在安全风险或业务无关的网站导致信息泄露。 + +#### 参数 + +无 + +### net.08 启用反向地址过滤 + +启用反向地址过滤。强制Linux内核对接收到的数据包使用反向路径过滤,检查报文源地址的合法性,如果反查源地址的路由表,发现源地址下一跳的最佳出接口并不是收到报文的入接口,则将报文丢弃。 + +#### 参数 + +无 + +### net.09 启用TCP-SYN cookie + +启用TCP-SYN cookie。攻击者使用SYN泛洪攻击时会快速耗尽内核中半开连接队列,阻止合法连接。如果启用SYN cookie,即使受到拒绝服务攻击仍允许系统继续接受合法连。 + +#### 参数 + +无 + +## 权限最小化 + +### priv.01 最小化文件权限 + +最小化文件权限。最小化系统中敏感文件的访问权限,防止因权限过大导致攻击者进行文件篡改攻击。 + +#### 参数 + +无 + +### priv.02 启用链接文件保护 + +启用链接文件保护。启用该保护后,如果目标文件和链接文件不是同属主的,且链接文件属主无权执行目标文件的,无论访问该链接的用户是谁,均拒绝访问。 + +#### 参数 + +无 + +## 启用安全服务 + +### serv.01 启用rsyslog服务 + +启用rsyslog服务。若不开启rsyslog服务,系统日志无法转储到持久性存储设备,系统重启后,会导致日志丢失。 + +#### 参数 + +无 + +### serv.02 Selinux启用enforce模式 + +Selinux启用enforce模式。SELinux是Linux发行版中内置的安全模块,通过细粒度的访问控制机制实现应用程序对资源的访问控制。SELinux只有工作在enforcing模式时才能有效启用并保护系统。 + +#### 参数 + +无 + +## 限制高危系统功能 + +### sys.01 配置dmesg访问权限 + +配置dmesg访问权限。限制访问 dmesg 信息权限,无特权的用户无法查看系统信息,从而可以避免任何人从系统信息获取敏感信息。 + +#### 参数 + +无 + +### sys.02 禁止开启kexec功能 + +禁止开启kexec功能。kexec允许替换当前正在运行的内核,可能被攻击者利用加载恶意内核。若使用场景无内核升级需求,建议关闭kexec功能。 + +#### 参数 + +无 + +### sys.03 限制内核符号读取权限 + +限制内核符号读取权限。kptr_restrict的作用是保护内核符号地址,保护等级低时普通用户可以访问得到内核符号地址容易被攻击者利用,增加了攻击面降低了系统安全性。 + +#### 参数 + +无 + +### sys.04 限制ptrace范围 + 
+限制ptrace范围。ptrace是一种系统调用用于进程跟踪,提供了父进程可以观察并控制子进程的能力。无限制的ptrace使用可能导致攻击者劫持关键进程进行系统攻击。 + +#### 参数 + +无 + +### sys.05 禁用不常见网络服务 + +禁用不常见网络服务。一些不常见的网络协议往往使用场景较少,社区发展较慢,安全问题不易被快速解决。如果未关闭这些并不使用的协议,可能导致攻击者利用协议或代码漏洞进行攻击。 + +#### 参数 + +无 + + +> Generated By docgen tool. diff --git a/os-harden-tools/tools/categories.json b/os-harden-tools/tools/categories.json index 074aa00..05bbdbe 100644 --- a/os-harden-tools/tools/categories.json +++ b/os-harden-tools/tools/categories.json @@ -2,5 +2,29 @@ { "id": "int", "name": "全栈完整性" + }, + { + "id": "net", + "name": "网络保护" + }, + { + "id": "sys", + "name": "限制高危系统功能" + }, + { + "id": "serv", + "name": "启用安全服务" + }, + { + "id": "kern", + "name": "内核加固" + }, + { + "id": "priv", + "name": "权限最小化" + }, + { + "id": "log", + "name": "登录认证" } ] \ No newline at end of file diff --git a/os-harden-tools/tools/enable_bpf_jit_harden.sh b/os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh similarity index 100% rename from os-harden-tools/tools/enable_bpf_jit_harden.sh rename to os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh diff --git a/os-harden-tools/tools/kern.01/metadata.json b/os-harden-tools/tools/kern.01/metadata.json new file mode 100644 index 0000000..09d67fe --- /dev/null +++ b/os-harden-tools/tools/kern.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "kern.01", + "name": "开启BPF加固功能", + "description": "开启BPF加固功能。BFP代码支持JIT编译执行和解释执行。其中JIT编译执行面临JIT喷射攻击的风险,攻击者可能利用该风险攻击内核进行提权。BPF加固功能会对JIT编译执行进行加固,缓解某些类型的JIT喷射攻击,降低内核面临的攻击风险。", + "entry": "enable_bpf_jit_harden.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_kernel_aslr.sh b/os-harden-tools/tools/kern.02/enable_kernel_aslr.sh similarity index 100% rename from os-harden-tools/tools/enable_kernel_aslr.sh rename to os-harden-tools/tools/kern.02/enable_kernel_aslr.sh diff --git a/os-harden-tools/tools/kern.02/metadata.json b/os-harden-tools/tools/kern.02/metadata.json new file mode 100644 index 0000000..da3e12a --- /dev/null 
+++ b/os-harden-tools/tools/kern.02/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "kern.02", + "name": "启用内核ASLR", + "description": "启用内核ASLR。ASLR通过每次将栈的起始位置、函数库和程序本身移至随机位置,使得内存攻击时无法猜测正确的内存位置,导致攻击无法成功实施。", + "entry": "enable_kernel_aslr.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_panic_on_oops.sh b/os-harden-tools/tools/kern.03/enable_panic_on_oops.sh similarity index 100% rename from os-harden-tools/tools/enable_panic_on_oops.sh rename to os-harden-tools/tools/kern.03/enable_panic_on_oops.sh diff --git a/os-harden-tools/tools/kern.03/metadata.json b/os-harden-tools/tools/kern.03/metadata.json new file mode 100644 index 0000000..136f686 --- /dev/null +++ b/os-harden-tools/tools/kern.03/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "kern.03", + "name": "确保内核触发错误后直接退出", + "description": "确保内核触发错误后直接退出。系统内核在发现一些非致命错误时会触发oops,如果在oops发生后内核仍然继续运行,可能会导致错误依然存在并影响内核的稳定性和可靠性。因此,建议设置使能panic_on_oops,在发生oops后直接panic退出而不是继续运行。", + "entry": "enable_panic_on_oops.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_no_pass.sh b/os-harden-tools/tools/log.01/disable_ssh_no_pass.sh similarity index 100% rename from os-harden-tools/tools/disable_ssh_no_pass.sh rename to os-harden-tools/tools/log.01/disable_ssh_no_pass.sh diff --git a/os-harden-tools/tools/log.01/metadata.json b/os-harden-tools/tools/log.01/metadata.json new file mode 100644 index 0000000..59e09b9 --- /dev/null +++ b/os-harden-tools/tools/log.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "log.01", + "name": "禁止空口令登录", + "description": "禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。", + "entry": "disable_ssh_no_pass.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_permit_user_environment.sh b/os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh similarity index 100% rename from os-harden-tools/tools/disable_ssh_permit_user_environment.sh rename to os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh 
diff --git a/os-harden-tools/tools/log.02/metadata.json b/os-harden-tools/tools/log.02/metadata.json new file mode 100644 index 0000000..fe54a3d --- /dev/null +++ b/os-harden-tools/tools/log.02/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "log.02", + "name": "禁止使用PermitUserEnvironment", + "description": "禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。", + "entry": "disable_ssh_permit_user_environment.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_root_login.sh b/os-harden-tools/tools/log.03/disable_ssh_root_login.sh similarity index 100% rename from os-harden-tools/tools/disable_ssh_root_login.sh rename to os-harden-tools/tools/log.03/disable_ssh_root_login.sh diff --git a/os-harden-tools/tools/log.03/metadata.json b/os-harden-tools/tools/log.03/metadata.json new file mode 100644 index 0000000..8b36578 --- /dev/null +++ b/os-harden-tools/tools/log.03/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "log.03", + "name": "禁用root用户通过SSH登录", + "description": "禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。", + "entry": "disable_ssh_root_login.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ssh_tcp_forwarding.sh b/os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh similarity index 100% rename from os-harden-tools/tools/disable_ssh_tcp_forwarding.sh rename to os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh diff --git a/os-harden-tools/tools/log.04/metadata.json b/os-harden-tools/tools/log.04/metadata.json new file mode 100644 index 0000000..441650f --- /dev/null +++ b/os-harden-tools/tools/log.04/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "log.04", + "name": "禁用SSH的TCP转发功能", + "description": "禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。", + "entry": "disable_ssh_tcp_forwarding.sh" +} \ No newline at end of file 
diff --git a/os-harden-tools/tools/disable_ssh_x11_forwarding.sh b/os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh similarity index 100% rename from os-harden-tools/tools/disable_ssh_x11_forwarding.sh rename to os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh diff --git a/os-harden-tools/tools/log.05/metadata.json b/os-harden-tools/tools/log.05/metadata.json new file mode 100644 index 0000000..46ec9d2 --- /dev/null +++ b/os-harden-tools/tools/log.05/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "log.05", + "name": "禁止使用X11 Forwarding", + "description": "禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。", + "entry": "disable_ssh_x11_forwarding.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_sysrq.sh b/os-harden-tools/tools/log.06/disable_sysrq.sh similarity index 100% rename from os-harden-tools/tools/disable_sysrq.sh rename to os-harden-tools/tools/log.06/disable_sysrq.sh diff --git a/os-harden-tools/tools/log.06/metadata.json b/os-harden-tools/tools/log.06/metadata.json new file mode 100644 index 0000000..7429ade --- /dev/null +++ b/os-harden-tools/tools/log.06/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "log.06", + "name": "禁止使用SysRq键", + "description": "禁止使用SysRq键。SysRq使得具有物理访问权限的用户能够访问计算机中危险的系统级命令,攻击者可以通过键盘触发SysRq的调用,直接发送命令到内核,对系统造成影响。", + "entry": "disable_sysrq.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_tcp_timestamps.sh b/os-harden-tools/tools/log.07/disable_tcp_timestamps.sh similarity index 100% rename from os-harden-tools/tools/disable_tcp_timestamps.sh rename to os-harden-tools/tools/log.07/disable_tcp_timestamps.sh diff --git a/os-harden-tools/tools/log.07/metadata.json b/os-harden-tools/tools/log.07/metadata.json new file mode 100644 index 0000000..71ead26 --- /dev/null +++ b/os-harden-tools/tools/log.07/metadata.json 
@@ -0,0 +1,6 @@ +{ + "id": "log.07", + "name": "避免开启tcp_timestamps", + "description": "避免开启tcp_timestamps。tcp_timestamps用于记录TCP数据包的发送时间,可用于RTT测量(RTTM)和保护序号绕回(PAWS),启用该选项可能遭受拒绝服务攻击。", + "entry": "disable_tcp_timestamps.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/log.08/metadata.json b/os-harden-tools/tools/log.08/metadata.json new file mode 100644 index 0000000..09ca428 --- /dev/null +++ b/os-harden-tools/tools/log.08/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "log.08", + "name": "设置最大认证次数", + "description": "设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。", + "entry": "set_ssh_max_auth_tries.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/set_ssh_max_auth_tries.sh b/os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh similarity index 100% rename from os-harden-tools/tools/set_ssh_max_auth_tries.sh rename to os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh diff --git a/os-harden-tools/tools/disable_accept_redirect.sh b/os-harden-tools/tools/net.01/disable_accept_redirect.sh similarity index 100% rename from os-harden-tools/tools/disable_accept_redirect.sh rename to os-harden-tools/tools/net.01/disable_accept_redirect.sh diff --git a/os-harden-tools/tools/net.01/metadata.json b/os-harden-tools/tools/net.01/metadata.json new file mode 100644 index 0000000..42cdbf0 --- /dev/null +++ b/os-harden-tools/tools/net.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.01", + "name": "禁止ICMP重定向报文", + "description": "禁止ICMP重定向报文。ICMP重定向消息是传递路由信息并告诉系统通过备用路径发送数据包。这是一种允许外部路由设备更新系统路由表的方法。攻击者可以利用伪造的ICMP重定向消息恶意更改系统路由表,使它们向错误的网络发送数据包,从而获取相应的敏感数据。", + "entry": "disable_accept_redirect.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_icmp_broadcast.sh b/os-harden-tools/tools/net.02/disable_icmp_broadcast.sh similarity index 100% rename from os-harden-tools/tools/disable_icmp_broadcast.sh rename to os-harden-tools/tools/net.02/disable_icmp_broadcast.sh 
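Review bot: The description's claim that enabling `tcp_timestamps` exposes the host to denial of service is not well supported; the reason baselines usually give for turning it off is that the timestamp option leaks uptime and aids host fingerprinting, an information-disclosure concern. Disabling it also disables PAWS and RTT measurement, which can reduce throughput and correctness on long-lived, high-bandwidth connections, so the text should state that trade-off instead of an unqualified DoS risk. It would also help to name the sysctl the tool writes (`net.ipv4.tcp_timestamps`); the script that sets it is outside this hunk.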
diff --git a/os-harden-tools/tools/net.02/metadata.json b/os-harden-tools/tools/net.02/metadata.json new file mode 100644 index 0000000..41e04c0 --- /dev/null +++ b/os-harden-tools/tools/net.02/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.02", + "name": "禁止系统响应ICMP广播报文", + "description": "禁止系统响应ICMP广播报文。ICMP广播的目的地址就是广播地址。无论是哪台设备发送的报文,报文都会发送到网络上的每一台设备上去。如果源地址是伪造的,就可能会导致网络上所有的设备发送恶意的echo报文给受害者地址。", + "entry": "disable_icmp_broadcast.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_ip_forward.sh b/os-harden-tools/tools/net.03/disable_ip_forward.sh similarity index 100% rename from os-harden-tools/tools/disable_ip_forward.sh rename to os-harden-tools/tools/net.03/disable_ip_forward.sh diff --git a/os-harden-tools/tools/net.03/metadata.json b/os-harden-tools/tools/net.03/metadata.json new file mode 100644 index 0000000..f530d95 --- /dev/null +++ b/os-harden-tools/tools/net.03/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.03", + "name": "禁止IP转发", + "description": "禁止IP转发。如果该结点不作为网关服务器,则应禁用IP转发功能。否则攻击者可将此系统作为路由器使用。", + "entry": "disable_ip_forward.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_proxy_arp.sh b/os-harden-tools/tools/net.04/disable_proxy_arp.sh similarity index 100% rename from os-harden-tools/tools/disable_proxy_arp.sh rename to os-harden-tools/tools/net.04/disable_proxy_arp.sh diff --git a/os-harden-tools/tools/net.04/metadata.json b/os-harden-tools/tools/net.04/metadata.json new file mode 100644 index 0000000..ec028c6 --- /dev/null +++ b/os-harden-tools/tools/net.04/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.04", + "name": "禁止使用ARP代理", + "description": "禁止使用ARP代理。ARP代理允许系统代表连接到某个接口的主机向另一个接口上的ARP请求发送响应。禁用ARP代理不仅可以防止未经授权的信息共享还可以防止连接的网络区段之间寻址信息泄露。所以应关闭ARP代理以避免ARP报文攻击对系统造成影响。", + "entry": "disable_proxy_arp.sh" +} \ No newline at end of file 
diff --git a/os-harden-tools/tools/disable_source_route.sh b/os-harden-tools/tools/net.05/disable_source_route.sh similarity index 100% rename from os-harden-tools/tools/disable_source_route.sh rename to os-harden-tools/tools/net.05/disable_source_route.sh diff --git a/os-harden-tools/tools/net.05/metadata.json b/os-harden-tools/tools/net.05/metadata.json new file mode 100644 index 0000000..26ec85c --- /dev/null +++ b/os-harden-tools/tools/net.05/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.05", + "name": "禁止报文源路由", + "description": "禁止报文源路由。源路由允许发送方部分或全部指定数据包通过网络的路由,而常规路由中,网络中的路由器根据数据包的目的地确定路径。大量报文被篡改后通过指定路由,则可以对内部网络进行定向攻击,可导致指定路由器负载过高,正常业务流量中断。", + "entry": "disable_source_route.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/drop_forge_icmp_package.sh b/os-harden-tools/tools/net.06/drop_forge_icmp_package.sh similarity index 100% rename from os-harden-tools/tools/drop_forge_icmp_package.sh rename to os-harden-tools/tools/net.06/drop_forge_icmp_package.sh diff --git a/os-harden-tools/tools/net.06/metadata.json b/os-harden-tools/tools/net.06/metadata.json new file mode 100644 index 0000000..372a0b7 --- /dev/null +++ b/os-harden-tools/tools/net.06/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.06", + "name": "丢弃伪造的ICMP报文", + "description": "丢弃伪造的ICMP报文。一些攻击者会发送违反RFC-1122的ICMP报文,并试图用大量无用的错误信息填充日志文件系统。", + "entry": "drop_forge_icmp_package.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_firewall.sh b/os-harden-tools/tools/net.07/enable_firewall.sh similarity index 100% rename from os-harden-tools/tools/enable_firewall.sh rename to os-harden-tools/tools/net.07/enable_firewall.sh diff --git a/os-harden-tools/tools/net.07/metadata.json b/os-harden-tools/tools/net.07/metadata.json new file mode 100644 index 0000000..8767b4c --- /dev/null +++ b/os-harden-tools/tools/net.07/metadata.json 
@@ -0,0 +1,6 @@ +{ + "id": "net.07", + "name": "启用防火墙服务", + "description": "启用防火墙服务。如果系统中没有配置防火墙服务,可能会导致系统被外部攻击、内部数据被窃取或篡改,大量无效流量浪费带宽、访问一些存在安全风险或业务无关的网站导致信息泄露。", + "entry": "enable_firewall.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_rp_filter.sh b/os-harden-tools/tools/net.08/enable_rp_filter.sh similarity index 100% rename from os-harden-tools/tools/enable_rp_filter.sh rename to os-harden-tools/tools/net.08/enable_rp_filter.sh diff --git a/os-harden-tools/tools/net.08/metadata.json b/os-harden-tools/tools/net.08/metadata.json new file mode 100644 index 0000000..c3d462f --- /dev/null +++ b/os-harden-tools/tools/net.08/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.08", + "name": "启用反向地址过滤", + "description": "启用反向地址过滤。强制Linux内核对接收到的数据包使用反向路径过滤,检查报文源地址的合法性,如果反查源地址的路由表,发现源地址下一跳的最佳出接口并不是收到报文的入接口,则将报文丢弃。", + "entry": "enable_rp_filter.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_tcp_syn_cookies.sh b/os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh similarity index 100% rename from os-harden-tools/tools/enable_tcp_syn_cookies.sh rename to os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh diff --git a/os-harden-tools/tools/net.09/metadata.json b/os-harden-tools/tools/net.09/metadata.json new file mode 100644 index 0000000..d94b9a0 --- /dev/null +++ b/os-harden-tools/tools/net.09/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "net.09", + "name": "启用TCP-SYN cookie", + "description": "启用TCP-SYN cookie。攻击者使用SYN泛洪攻击时会快速耗尽内核中半开连接队列,阻止合法连接。如果启用SYN cookie,即使受到拒绝服务攻击仍允许系统继续接受合法连。", + "entry": "enable_tcp_syn_cookies.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/priv.01/metadata.json b/os-harden-tools/tools/priv.01/metadata.json new file mode 100644 index 0000000..662aae0 --- /dev/null +++ b/os-harden-tools/tools/priv.01/metadata.json 
@@ -0,0 +1,6 @@ +{ + "id": "priv.01", + "name": "最小化文件权限", + "description": "最小化文件权限。最小化系统中敏感文件的访问权限,防止因权限过大导致攻击者进行文件篡改攻击。", + "entry": "minimal_file_permission.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/minimal_file_permission.sh b/os-harden-tools/tools/priv.01/minimal_file_permission.sh similarity index 100% rename from os-harden-tools/tools/minimal_file_permission.sh rename to os-harden-tools/tools/priv.01/minimal_file_permission.sh diff --git a/os-harden-tools/tools/priv.02/metadata.json b/os-harden-tools/tools/priv.02/metadata.json new file mode 100644 index 0000000..f3b9c71 --- /dev/null +++ b/os-harden-tools/tools/priv.02/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "priv.02", + "name": "启用链接文件保护", + "description": "启用链接文件保护。启用该保护后,如果目标文件和链接文件不是同属主的,且链接文件属主无权执行目标文件的,无论访问该链接的用户是谁,均拒绝访问。", + "entry": "symlink_protection.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/symlink_protection.sh b/os-harden-tools/tools/priv.02/symlink_protection.sh similarity index 100% rename from os-harden-tools/tools/symlink_protection.sh rename to os-harden-tools/tools/priv.02/symlink_protection.sh diff --git a/os-harden-tools/tools/enable_rsyslog.sh b/os-harden-tools/tools/serv.01/enable_rsyslog.sh similarity index 100% rename from os-harden-tools/tools/enable_rsyslog.sh rename to os-harden-tools/tools/serv.01/enable_rsyslog.sh diff --git a/os-harden-tools/tools/serv.01/metadata.json b/os-harden-tools/tools/serv.01/metadata.json new file mode 100644 index 0000000..4d76cf9 --- /dev/null +++ b/os-harden-tools/tools/serv.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "serv.01", + "name": "启用rsyslog服务", + "description": "启用rsyslog服务。若不开启rsyslog服务,系统日志无法转储到持久性存储设备,系统重启后,会导致日志丢失。", + "entry": "enable_rsyslog.sh" +} \ No newline at end of file 
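Review bot: The priv.02 description does not match what `fs.protected_symlinks` actually enforces: the kernel only restricts symlinks located in world-writable sticky directories such as `/tmp`, and follows such a link only when the follower's uid equals the symlink owner or the directory owner equals the symlink owner; whether the link owner can execute the target plays no part. Documenting the real rule matters because operators will otherwise expect protection for symlinks in ordinary directories that this setting does not give. If the script also sets the companion `fs.protected_hardlinks`, the description should say so; the script itself is outside this hunk.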
diff --git a/os-harden-tools/tools/enable_selinux_enforce.sh b/os-harden-tools/tools/serv.02/enable_selinux_enforce.sh similarity index 100% rename from os-harden-tools/tools/enable_selinux_enforce.sh rename to os-harden-tools/tools/serv.02/enable_selinux_enforce.sh diff --git a/os-harden-tools/tools/serv.02/metadata.json b/os-harden-tools/tools/serv.02/metadata.json new file mode 100644 index 0000000..9fb68ad --- /dev/null +++ b/os-harden-tools/tools/serv.02/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "serv.02", + "name": "Selinux启用enforce模式", + "description": "Selinux启用enforce模式。SELinux是Linux发行版中内置的安全模块,通过细粒度的访问控制机制实现应用程序对资源的访问控制。SELinux只有工作在enforcing模式时才能有效启用并保护系统。", + "entry": "enable_selinux_enforce.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_dmesg_restrict.sh b/os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh similarity index 100% rename from os-harden-tools/tools/enable_dmesg_restrict.sh rename to os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh diff --git a/os-harden-tools/tools/sys.01/metadata.json b/os-harden-tools/tools/sys.01/metadata.json new file mode 100644 index 0000000..a523a68 --- /dev/null +++ b/os-harden-tools/tools/sys.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "sys.01", + "name": "配置dmesg访问权限", + "description": "配置dmesg访问权限。限制访问 dmesg 信息权限,无特权的用户无法查看系统信息,从而可以避免任何人从系统信息获取敏感信息。", + "entry": "enable_dmesg_restrict.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_kexec.sh b/os-harden-tools/tools/sys.02/disable_kexec.sh similarity index 100% rename from os-harden-tools/tools/disable_kexec.sh rename to os-harden-tools/tools/sys.02/disable_kexec.sh diff --git a/os-harden-tools/tools/sys.02/metadata.json b/os-harden-tools/tools/sys.02/metadata.json new file mode 100644 index 0000000..72dc0ab --- /dev/null +++ b/os-harden-tools/tools/sys.02/metadata.json 
@@ -0,0 +1,6 @@ +{ + "id": "sys.02", + "name": "禁止开启kexec功能", + "description": "禁止开启kexec功能。kexec允许替换当前正在运行的内核,可能被攻击者利用加载恶意内核。若使用场景无内核升级需求,建议关闭kexec功能。", + "entry": "disable_kexec.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_kptr_restrict.sh b/os-harden-tools/tools/sys.03/enable_kptr_restrict.sh similarity index 100% rename from os-harden-tools/tools/enable_kptr_restrict.sh rename to os-harden-tools/tools/sys.03/enable_kptr_restrict.sh diff --git a/os-harden-tools/tools/sys.03/metadata.json b/os-harden-tools/tools/sys.03/metadata.json new file mode 100644 index 0000000..f813e53 --- /dev/null +++ b/os-harden-tools/tools/sys.03/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "sys.03", + "name": "限制内核符号读取权限", + "description": "限制内核符号读取权限。kptr_restrict的作用是保护内核符号地址,保护等级低时普通用户可以访问得到内核符号地址容易被攻击者利用,增加了攻击面降低了系统安全性。", + "entry": "enable_kptr_restrict.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/enable_ptrace_scope.sh b/os-harden-tools/tools/sys.04/enable_ptrace_scope.sh similarity index 100% rename from os-harden-tools/tools/enable_ptrace_scope.sh rename to os-harden-tools/tools/sys.04/enable_ptrace_scope.sh diff --git a/os-harden-tools/tools/sys.04/metadata.json b/os-harden-tools/tools/sys.04/metadata.json new file mode 100644 index 0000000..feb8948 --- /dev/null +++ b/os-harden-tools/tools/sys.04/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "sys.04", + "name": "限制ptrace范围", + "description": "限制ptrace范围。ptrace是一种系统调用用于进程跟踪,提供了父进程可以观察并控制子进程的能力。无限制的ptrace使用可能导致攻击者劫持关键进程进行系统攻击。", + "entry": "enable_ptrace_scope.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tools/disable_uncommon_network_module.sh b/os-harden-tools/tools/sys.05/disable_uncommon_network_module.sh similarity index 100% rename from os-harden-tools/tools/disable_uncommon_network_module.sh rename to os-harden-tools/tools/sys.05/disable_uncommon_network_module.sh 
diff --git a/os-harden-tools/tools/sys.05/metadata.json b/os-harden-tools/tools/sys.05/metadata.json new file mode 100644 index 0000000..04d85ab --- /dev/null +++ b/os-harden-tools/tools/sys.05/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "sys.05", + "name": "禁用不常见网络服务", + "description": "禁用不常见网络服务。一些不常见的网络协议往往使用场景较少,社区发展较慢,安全问题不易被快速解决。如果未关闭这些并不使用的协议,可能导致攻击者利用协议或代码漏洞进行攻击。", + "entry": "disable_uncommon_network_module.sh" +} \ No newline at end of file -- Gitee From 9d14a8bb5db0b0366086a88c83d08d72ae86ada7 Mon Sep 17 00:00:00 2001 
From: zhaozixuan Date: Tue, 29 Jul 2025 11:36:53 +0800 Subject: [PATCH 020/109] adapt to new directory tree --- os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh | 2 +- os-harden-tools/tools/kern.02/enable_kernel_aslr.sh | 2 +- os-harden-tools/tools/kern.03/enable_panic_on_oops.sh | 2 +- os-harden-tools/tools/log.01/disable_ssh_no_pass.sh | 2 +- .../tools/log.02/disable_ssh_permit_user_environment.sh | 2 +- os-harden-tools/tools/log.03/disable_ssh_root_login.sh | 2 +- os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh | 2 +- os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh | 2 +- os-harden-tools/tools/log.06/disable_sysrq.sh | 2 +- os-harden-tools/tools/log.07/disable_tcp_timestamps.sh | 2 +- os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh | 2 +- os-harden-tools/tools/net.01/disable_accept_redirect.sh | 2 +- os-harden-tools/tools/net.02/disable_icmp_broadcast.sh | 2 +- os-harden-tools/tools/net.03/disable_ip_forward.sh | 2 +- os-harden-tools/tools/net.04/disable_proxy_arp.sh | 2 +- os-harden-tools/tools/net.05/disable_source_route.sh | 2 +- os-harden-tools/tools/net.06/drop_forge_icmp_package.sh | 2 +- os-harden-tools/tools/net.08/enable_rp_filter.sh | 2 +- os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh | 2 +- os-harden-tools/tools/priv.02/symlink_protection.sh | 2 +- os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh | 2 +- os-harden-tools/tools/sys.02/disable_kexec.sh | 2 +- os-harden-tools/tools/sys.03/enable_kptr_restrict.sh | 2 +- os-harden-tools/tools/sys.04/enable_ptrace_scope.sh | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh b/os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh index 605c59c..088805a 100755 --- a/os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh +++ b/os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh 
@@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.core.bpf_jit_harden" "2" \ No newline at end of file diff --git a/os-harden-tools/tools/kern.02/enable_kernel_aslr.sh b/os-harden-tools/tools/kern.02/enable_kernel_aslr.sh index 26bb116..bce07c2 100755 --- a/os-harden-tools/tools/kern.02/enable_kernel_aslr.sh +++ b/os-harden-tools/tools/kern.02/enable_kernel_aslr.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh echo 2 > /proc/sys/kernel/randomize_va_space \ No newline at end of file diff --git a/os-harden-tools/tools/kern.03/enable_panic_on_oops.sh b/os-harden-tools/tools/kern.03/enable_panic_on_oops.sh index ffe144d..9e2e904 100755 --- a/os-harden-tools/tools/kern.03/enable_panic_on_oops.sh +++ b/os-harden-tools/tools/kern.03/enable_panic_on_oops.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "kernel.panic_on_oops" "2" \ No newline at end of file diff --git a/os-harden-tools/tools/log.01/disable_ssh_no_pass.sh b/os-harden-tools/tools/log.01/disable_ssh_no_pass.sh index 2b26dc5..cbe80fb 100755 --- a/os-harden-tools/tools/log.01/disable_ssh_no_pass.sh +++ b/os-harden-tools/tools/log.01/disable_ssh_no_pass.sh @@ -13,6 +13,6 @@ # Description: Security Baseline Check Script for 1.1.14 # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_ssh "PermitEmptyPasswords" "no" \ No newline at end of file 
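Review bot: The new `source $(dirname $(realpath $0))/../utils.sh` in kern.01/enable_bpf_jit_harden.sh leaves `$0` and both command substitutions unquoted, so a tool directory whose path contains whitespace is word-split and the helper is not found; write it as `source "$(dirname "$(realpath "$0")")/../utils.sh"`. The identical line is added in every other hunk of this patch (kern.02, kern.03, log.01–log.08, net.01–net.09, priv.02, sys.01–sys.04), so the quoting should be fixed across all of them. `$0` names the script only when it is executed directly; if the rule runner ever invokes an entry through `bash -c` or `source`, `$0` is the shell's own name and the lookup lands elsewhere, which is worth confirming against the executor. On a consistency point, kern.02/enable_kernel_aslr.sh still writes `echo 2 > /proc/sys/kernel/randomize_va_space` directly while its siblings go through `set_sysctl`, so whatever persistence or validation `set_sysctl` provides is bypassed for that one rule.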
diff --git a/os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh b/os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh index 3c44930..31a4458 100755 --- a/os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh +++ b/os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh @@ -13,6 +13,6 @@ # Description: Security Baseline Check Script for 1.1.14 # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_ssh "PermitUserEnvironment" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/log.03/disable_ssh_root_login.sh b/os-harden-tools/tools/log.03/disable_ssh_root_login.sh index a1023a1..8845298 100755 --- a/os-harden-tools/tools/log.03/disable_ssh_root_login.sh +++ b/os-harden-tools/tools/log.03/disable_ssh_root_login.sh @@ -13,6 +13,6 @@ # Description: Security Baseline Check Script for 1.1.14 # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_ssh "PermitRootLogin" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh b/os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh index 6cbf998..428d813 100755 --- a/os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh +++ b/os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh @@ -13,6 +13,6 @@ # Description: Security Baseline Check Script for 1.1.14 # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_ssh "AllowTcpForwarding" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh b/os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh index 434b2f0..1d428b8 100755 
--- a/os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh +++ b/os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh @@ -13,6 +13,6 @@ # Description: Security Baseline Check Script for 1.1.14 # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_ssh "X11Forwarding" "no" \ No newline at end of file diff --git a/os-harden-tools/tools/log.06/disable_sysrq.sh b/os-harden-tools/tools/log.06/disable_sysrq.sh index b801cc6..93d29bf 100755 --- a/os-harden-tools/tools/log.06/disable_sysrq.sh +++ b/os-harden-tools/tools/log.06/disable_sysrq.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "kernel.sysrq" "0" \ No newline at end of file diff --git a/os-harden-tools/tools/log.07/disable_tcp_timestamps.sh b/os-harden-tools/tools/log.07/disable_tcp_timestamps.sh index abd13ea..dca4770 100755 --- a/os-harden-tools/tools/log.07/disable_tcp_timestamps.sh +++ b/os-harden-tools/tools/log.07/disable_tcp_timestamps.sh @@ -14,7 +14,7 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.ip_forward" "0" set_sysctl "net.ipv6.conf.all.forwarding" "0" \ No newline at end of file diff --git a/os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh b/os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh index 6ea3512..2ed5d1a 100755 --- a/os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh +++ b/os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh 
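Review bot: log.07/disable_tcp_timestamps.sh still only sets `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding`; its blob ids (`abd13ea..dca4770`) are the same as net.03/disable_ip_forward.sh, so this file appears to be an unedited copy and the rule named in its filename is never applied. The body should be `set_sysctl "net.ipv4.tcp_timestamps" "0"` with the forwarding sysctls left to net.03, and the header comment block, which is outside this hunk, should describe the actual rule. Because TCP timestamps are also what PAWS relies on, the trade-off of turning them off deserves a sentence in the rule's metadata description.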
@@ -13,6 +13,6 @@ # Description: Security Baseline Check Script for 1.1.14 # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_ssh "MaxAuthTries" "3" \ No newline at end of file diff --git a/os-harden-tools/tools/net.01/disable_accept_redirect.sh b/os-harden-tools/tools/net.01/disable_accept_redirect.sh index 84c80ba..e4e8b08 100755 --- a/os-harden-tools/tools/net.01/disable_accept_redirect.sh +++ b/os-harden-tools/tools/net.01/disable_accept_redirect.sh @@ -14,7 +14,7 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.conf.all.accept_redirects" "0" set_sysctl "net.ipv6.conf.all.accept_redirects" "0" diff --git a/os-harden-tools/tools/net.02/disable_icmp_broadcast.sh b/os-harden-tools/tools/net.02/disable_icmp_broadcast.sh index 2854eee..f7899ff 100755 --- a/os-harden-tools/tools/net.02/disable_icmp_broadcast.sh +++ b/os-harden-tools/tools/net.02/disable_icmp_broadcast.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.icmp_echo_ignore_broadcasts" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/net.03/disable_ip_forward.sh b/os-harden-tools/tools/net.03/disable_ip_forward.sh index abd13ea..dca4770 100755 --- a/os-harden-tools/tools/net.03/disable_ip_forward.sh +++ b/os-harden-tools/tools/net.03/disable_ip_forward.sh @@ -14,7 +14,7 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.ip_forward" "0" set_sysctl "net.ipv6.conf.all.forwarding" "0" \ No newline at end of file 
diff --git a/os-harden-tools/tools/net.04/disable_proxy_arp.sh b/os-harden-tools/tools/net.04/disable_proxy_arp.sh index 85021ca..bba4402 100755 --- a/os-harden-tools/tools/net.04/disable_proxy_arp.sh +++ b/os-harden-tools/tools/net.04/disable_proxy_arp.sh @@ -14,7 +14,7 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.conf.all.proxy_arp" "0" set_sysctl "net.ipv4.conf.default.proxy_arp" "0" \ No newline at end of file diff --git a/os-harden-tools/tools/net.05/disable_source_route.sh b/os-harden-tools/tools/net.05/disable_source_route.sh index 7987e8f..9cde913 100755 --- a/os-harden-tools/tools/net.05/disable_source_route.sh +++ b/os-harden-tools/tools/net.05/disable_source_route.sh @@ -14,7 +14,7 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.conf.all.accept_source_route" 0 set_sysctl "net.ipv4.conf.default.accept_source_route" 0 diff --git a/os-harden-tools/tools/net.06/drop_forge_icmp_package.sh b/os-harden-tools/tools/net.06/drop_forge_icmp_package.sh index c14cbc7..650432a 100755 --- a/os-harden-tools/tools/net.06/drop_forge_icmp_package.sh +++ b/os-harden-tools/tools/net.06/drop_forge_icmp_package.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.icmp_ignore_bogus_error_responses" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/net.08/enable_rp_filter.sh b/os-harden-tools/tools/net.08/enable_rp_filter.sh index a057566..79e96e4 100755 --- a/os-harden-tools/tools/net.08/enable_rp_filter.sh +++ b/os-harden-tools/tools/net.08/enable_rp_filter.sh 
@@ -14,7 +14,7 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.conf.all.rp_filter" "1" set_sysctl "net.ipv4.conf.default.rp_filter" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh b/os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh index b873d75..85f8a5a 100755 --- a/os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh +++ b/os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "net.ipv4.tcp_syncookies" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/priv.02/symlink_protection.sh b/os-harden-tools/tools/priv.02/symlink_protection.sh index 9e968e2..af21723 100755 --- a/os-harden-tools/tools/priv.02/symlink_protection.sh +++ b/os-harden-tools/tools/priv.02/symlink_protection.sh @@ -14,7 +14,7 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "fs.protected_symlinks" "1" set_sysctl "fs.protected_hardlinks" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh b/os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh index 25d93de..fde560e 100755 --- a/os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh +++ b/os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "kernel.dmesg_restrict" "1" \ No newline at end of file 
diff --git a/os-harden-tools/tools/sys.02/disable_kexec.sh b/os-harden-tools/tools/sys.02/disable_kexec.sh index edd9561..98d48d0 100755 --- a/os-harden-tools/tools/sys.02/disable_kexec.sh +++ b/os-harden-tools/tools/sys.02/disable_kexec.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "kernel.kexec_load_disabled" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/sys.03/enable_kptr_restrict.sh b/os-harden-tools/tools/sys.03/enable_kptr_restrict.sh index 9cf115f..fe9d637 100755 --- a/os-harden-tools/tools/sys.03/enable_kptr_restrict.sh +++ b/os-harden-tools/tools/sys.03/enable_kptr_restrict.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "kernel.kptr_restrict" "1" \ No newline at end of file diff --git a/os-harden-tools/tools/sys.04/enable_ptrace_scope.sh b/os-harden-tools/tools/sys.04/enable_ptrace_scope.sh index 71ded97..bac3123 100755 --- a/os-harden-tools/tools/sys.04/enable_ptrace_scope.sh +++ b/os-harden-tools/tools/sys.04/enable_ptrace_scope.sh @@ -14,6 +14,6 @@ # # ####################################################################################### -source $(pwd)/utils.sh +source $(dirname $(realpath $0))/../utils.sh set_sysctl "kernel.yama.ptrace_scope" "1" \ No newline at end of file -- Gitee From 4771abf8c9996cc80e77775092d29ccefd6d4313 Mon Sep 17 00:00:00 2001 
From: Tomahawkd
Date: Tue, 29 Jul 2025 12:45:08 +0800
Subject: [PATCH 021/109] move doc gen to metadata class
---
 .../conf/secharden.conf.d/01-test.conf | 5 ---
 os-harden-tools/gendoc.py | 22 ++-----------
 os-harden-tools/rule_metadata/metadata.py | 20 ++++++++++++
 os-harden-tools/secharden.py | 32 +++++++++++++++----
 4 files changed, 47 insertions(+), 32 deletions(-)
 delete mode 100644 os-harden-tools/conf/secharden.conf.d/01-test.conf
diff --git a/os-harden-tools/conf/secharden.conf.d/01-test.conf b/os-harden-tools/conf/secharden.conf.d/01-test.conf
deleted file mode 100644
index b024e73..0000000
--- a/os-harden-tools/conf/secharden.conf.d/01-test.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-int.02:
-int.03:
-selinux_tags:
- - ima_t
- - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/gendoc.py b/os-harden-tools/gendoc.py
index 461cb55..565bb48 100644
--- a/os-harden-tools/gendoc.py
+++ b/os-harden-tools/gendoc.py
@@ -2,31 +2,13 @@ import argparse
 import logging
-from io import TextIOWrapper
 from pathlib import Path
-from rule_metadata import RuleManager, RuleMetadata
+from rule_metadata import RuleManager
 from utils import DirectoryPathVerifier, HOME_DIR
 TITLE = "安全 OS 配置工具"
-def generate_rule(metadata: RuleMetadata, output_stream: TextIOWrapper):
- output_stream.write(f"### {metadata.id} {metadata.name}\n\n")
- output_stream.write(f"{metadata.description}\n\n")
- output_stream.write(f"#### 参数\n\n")
- if len(metadata.parameters) > 0:
- for param in metadata.parameters:
- output_stream.write(f"**{param.name}**\n\n")
- output_stream.write(f"{param.description}\n\n")
- else:
- output_stream.write("无\n\n")
-
- if len(metadata.urls) > 0:
- output_stream.write("#### 参考文档\n\n")
- for url in metadata.urls:
- output_stream.write(f"- [{url.title}]({url.url})\n")
- output_stream.write("\n")
-
 def generate_doc(root: Path, overwrite: bool):
 rules = RuleManager(root)
@@ -53,7 +35,7 @@ def generate_doc(root: Path, overwrite: bool):
 for rule in rules.get_rules_by_category(category_id):
 try:
 logging.info(f"Generating doc for rule: {rule}")
- generate_rule(rules.get_rule_metadata(rule), output_stream)
+ output_stream.write(rules.get_rule_metadata(rule).doc)
 except Exception as e:
 logging.error(f"Error generating doc for rule: {rule}")
 logging.exception(e)
diff --git a/os-harden-tools/rule_metadata/metadata.py b/os-harden-tools/rule_metadata/metadata.py
index 78ad447..45cfa3c 100644
--- a/os-harden-tools/rule_metadata/metadata.py
+++ b/os-harden-tools/rule_metadata/metadata.py
@@ -141,3 +141,23 @@ class RuleMetadata:
 @property
 def urls(self) -> List[UrlDescriptor]:
 return self._urls
+
+ @property
+ def doc(self) -> str:
+ doc = ""
+ doc += f"### {self._id} {self._name}\n\n"
+ doc += f"{self._description}\n\n"
+ doc += f"#### 参数\n\n"
+ if len(self._parameters) > 0:
+ for param in self._parameters:
+ doc += f"**{param.name}**\n\n"
+ doc += f"{param.description}\n\n"
+ else:
+ doc += "无\n\n"
+
+ if len(self._urls) > 0:
+ doc += "#### 参考文档\n\n"
+ for url in self._urls:
+ doc += f"- [{url.title}]({url.url})\n"
+ doc += "\n"
+ return doc
\ No newline at end of file
diff --git a/os-harden-tools/secharden.py b/os-harden-tools/secharden.py
index 02f1aa2..fa52b0e 100644
--- a/os-harden-tools/secharden.py
+++ b/os-harden-tools/secharden.py
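Review bot: In the new `doc` property `f"#### 参数\n\n"` is an f-string with no placeholders, and the markdown is assembled through a chain of `doc +=` concatenations; collecting the pieces in a list and returning `"".join(parts)` reads more clearly and removes the stray `f` prefix. `self._name`, `self._description`, `param.name`, `url.title` and `url.url` are inserted into the markdown unescaped, so a metadata file can place arbitrary markup into the generated docs and the rule help output; that is acceptable for repository-controlled metadata, but the assumption deserves a comment such as `# metadata is trusted repository content; values are not markdown-escaped`. The `RuleMetadata` class header is outside the hunk.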
@@ -4,22 +4,42 @@ import argparse
 import logging
 from pathlib import Path
+from config_parser import parse_config, collect_configs
+from rule_metadata import RuleManager
 from utils import DirectoryPathVerifier, HOME_DIR
-from config_parser import parse_config, collect_configs
-from rule_metadata import RuleManager
+def apply(args, rule_mgr):
+ config = parse_config(collect_configs(args.config))
+ for rule, rule_conf in config.items():
+ rule_mgr.apply_rule(rule, rule_conf)
+
+
+def help_message(args, rule_mgr):
+ rule = args.rule[0]
+ metadata = rule_mgr.get_rule_metadata(rule)
+ print(metadata.doc)
 def main():
 args = argparse.ArgumentParser(prog="secharden")
+
+ # base args
 version_file = HOME_DIR.joinpath("VERSION")
 args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip())
 args.add_argument("-r", "--rule-dir", action=DirectoryPathVerifier,
 help="rule script directory", default=HOME_DIR.joinpath('tools'))
 args.add_argument("-d", "--debug", action='store_true', help="debug mode")
- args.add_argument('-c', '--config', action=DirectoryPathVerifier, help="configuration path",
- default=Path('/etc/secharden'))
+
+ subparser = args.add_subparsers(help="sub-commands")
+ apply_parser = subparser.add_parser("apply", help="apply config to system")
+ apply_parser.set_defaults(func=apply)
+ apply_parser.add_argument('-c', '--config', action=DirectoryPathVerifier, help="configuration path",
+ default=Path('/etc/secharden'))
+
+ help_parser = subparser.add_parser("help", help="show rule help message")
+ help_parser.add_argument("rule", nargs=1, help="rule name to show help for")
+ help_parser.set_defaults(func=help_message)
 args = args.parse_args()
 logging_level = logging.INFO
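Review bot: `subparser = args.add_subparsers(help="sub-commands")` does not make a sub-command mandatory, so `secharden` run with no sub-command parses successfully, `args.func` is never set, and the `args.func(args, rule_mgr)` call added in the next hunk fails with an AttributeError instead of a usage message; declare it as `subparser = args.add_subparsers(dest="command", required=True, help="sub-commands")`. With `required=True` argparse reports the missing sub-command itself and exits with status 2, which is also what scripted callers need to tell a usage error from a successful run. The same gap remains in the later revision of `main` that logs `args.func.__name__` before calling it.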
@@ -27,10 +47,8 @@ def main():
 logging_level = logging.DEBUG
 logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s')
- config = parse_config(collect_configs(args.config))
 rule_mgr = RuleManager(args.rule_dir)
- for rule, rule_conf in config.items():
- rule_mgr.apply_rule(rule, rule_conf)
+ args.func(args, rule_mgr)
 if __name__ == "__main__":
-- Gitee
From 68657d1c999d1dab8463346b9f8da1d5dd3b12b1 Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Tue, 29 Jul 2025 14:53:54 +0800
Subject: [PATCH 022/109] add list and help for user
---
 os-harden-tools/secharden.py | 78 ++++++++++++++++++++++++++++++------
 1 file changed, 65 insertions(+), 13 deletions(-)
diff --git a/os-harden-tools/secharden.py b/os-harden-tools/secharden.py
index fa52b0e..94a5369 100644
--- a/os-harden-tools/secharden.py
+++ b/os-harden-tools/secharden.py
@@ -9,16 +9,52 @@ from rule_metadata import RuleManager
 from utils import DirectoryPathVerifier, HOME_DIR
-def apply(args, rule_mgr):
+def list_rules(args):
+ if args.category:
+ try:
+ rules = args.rules.get_rules_by_category(args.category)
+ except KeyError:
+ logging.error(f"Category {args.category} not found.")
+ print(f"Category {args.category} not found.")
+ return
+ print(f"Available rules for {args.category}:")
+ else:
+ rules = args.rules.rules
+ print("Available rules:")
+ for rule in rules:
+ metadata = args.rules.get_rule_metadata(rule)
+ print(f"\t{rule}: {metadata.name}")
+
+
+def apply(args):
 config = parse_config(collect_configs(args.config))
 for rule, rule_conf in config.items():
- rule_mgr.apply_rule(rule, rule_conf)
+ logging.debug("applying rule %s with config %s", rule, rule_conf)
+ args.rules.apply_rule(rule, rule_conf)
-def help_message(args, rule_mgr):
+def help_message(args):
 rule = args.rule[0]
- metadata = rule_mgr.get_rule_metadata(rule)
- print(metadata.doc)
+ try:
+ metadata = args.rules.get_rule_metadata(rule)
+ print(metadata.doc)
+ except KeyError:
+ logging.error(f"Rule '{rule}' not found.")
+ print(f"Rule '{rule}' not found. Use 'secharden list' to see available rules.")
+ except Exception as e:
+ logging.error(f"Exception while retrieving help for rule '{rule}'")
+ logging.exception(e)
+ print(f"Error retrieving help for rule '{rule}'")
+
+
+class RuleManagerBuilder(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ p = Path(values)
+ if not p.exists():
+ raise argparse.ArgumentTypeError(f"Directory '{values}' does not exist.")
+ if not p.is_dir():
+ raise argparse.ArgumentTypeError(f"'{values}' is not a directory.")
+ setattr(namespace, self.dest, RuleManager(p))
 def main():
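Review bot: `RuleManagerBuilder.__call__` raises `argparse.ArgumentTypeError` from inside an `Action`, but argparse only turns that exception into a usage error when it comes from a `type=` callable; raised from an action it propagates as an ordinary exception, which is why `main` needs a `try` around `parse_args()`. The idiomatic form is `parser.error(f"Directory '{values}' does not exist.")` (and likewise for the not-a-directory case), which prints the usage text and exits with status 2 without any wrapper. `help_message` catches a broad `Exception` and prints only a generic line while the actual cause goes to the log file; including `e` in the printed message, as `apply` does in a later patch, lets an operator act on it without opening the log.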
@@ -27,28 +63,44 @@ def main():
 # base args
 version_file = HOME_DIR.joinpath("VERSION")
 args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip())
- args.add_argument("-r", "--rule-dir", action=DirectoryPathVerifier,
- help="rule script directory", default=HOME_DIR.joinpath('tools'))
+ args.add_argument("-r", "--rules", action=RuleManagerBuilder,
+ help="rule script directory", default=RuleManager(HOME_DIR.joinpath('tools')))
 args.add_argument("-d", "--debug", action='store_true', help="debug mode")
+ args.add_argument('-l', '--logs', type=Path, help="log directory", default=Path('/var/log/secharden'))
 subparser = args.add_subparsers(help="sub-commands")
+ # apply config
 apply_parser = subparser.add_parser("apply", help="apply config to system")
- apply_parser.set_defaults(func=apply)
 apply_parser.add_argument('-c', '--config', action=DirectoryPathVerifier, help="configuration path",
 default=Path('/etc/secharden'))
+ apply_parser.set_defaults(func=apply)
+
+ # list rules
+ list_parser = subparser.add_parser("list", help="list available rules")
+ list_parser.add_argument("category", nargs='?', help="category of rule to list")
+ list_parser.set_defaults(func=list_rules)
+ # documentation for rules
 help_parser = subparser.add_parser("help", help="show rule help message")
 help_parser.add_argument("rule", nargs=1, help="rule name to show help for")
 help_parser.set_defaults(func=help_message)
- args = args.parse_args()
+ try:
+ args = args.parse_args()
+ except:
+ print("Error parsing arguments. 
Use 'secharden --help' for usage information.") + return + + # setup logging logging_level = logging.INFO if args.debug: logging_level = logging.DEBUG - logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') - - rule_mgr = RuleManager(args.rule_dir) - args.func(args, rule_mgr) + if not args.logs.exists(): + args.logs.mkdir(parents=True, exist_ok=True) + logging.basicConfig(filename=args.logs.joinpath('secharden.log'), filemode='a', + level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') + logging.info(f"start secharden:{args.func.__name__}") + args.func(args) if __name__ == "__main__": -- Gitee From b11b2464e61bbe4effaff0734f30d6c31c82b037 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 29 Jul 2025 16:21:06 +0800 Subject: [PATCH 023/109] add exception, support single placeholder in multi place --- os-harden-tools/executor.py | 19 ++++++++++++------- os-harden-tools/secharden.py | 9 +++++++-- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/os-harden-tools/executor.py b/os-harden-tools/executor.py index 73b2d7c..76f3018 100644 --- a/os-harden-tools/executor.py +++ b/os-harden-tools/executor.py @@ -1,15 +1,17 @@ from pathlib import Path from typing import Dict, List +import logging + class CmdTemplate: def __init__(self, template: str): self._template = template.split(' ') - self._variable_index: Dict[str, int] = self._parse_cmd_template() + self._variable_index: Dict[str, List[int]] = self._parse_cmd_template() - def _parse_cmd_template(self) -> Dict[str, int]: + def _parse_cmd_template(self) -> Dict[str, List[int]]: escape_indexes = [] - variable_index: Dict[str, int] = {} + variable_index: Dict[str, List[int]] = {} for i, cmd in enumerate(self._template): if cmd.startswith('%%'): escape_indexes.append(i) 
@@ -19,8 +21,9 @@ class CmdTemplate:
 if len(variable_id) == 0:
 raise ValueError('invalid cmd template with no id')
 if variable_id in variable_index:
- raise ValueError(f'duplicate cmd template id')
- variable_index[variable_id] = i
+ variable_index[variable_id].append(i)
+ else:
+ variable_index[variable_id] = [i]
 for i in escape_indexes:
 # remove prefix escaping char % in %%
 self._template[i] = self._template[i][1:]
@@ -32,7 +35,7 @@ class CmdTemplate:
 return self._template.copy()
 @property
- def variable_index(self) -> Dict[str, int]:
+ def variable_index(self) -> Dict[str, List[int]]:
 return self._variable_index
@@ -54,8 +57,10 @@ class CmdParameter:
 for var_id, index in self._cmd_template.variable_index.items():
 value = self._variables.get(var_id)
 if value is None:
+ logging.error(f"Variable {var_id} not found in variable collection")
 raise ValueError(f"Variable {var_id} not found in variable collection")
- result[index] = value
+ for i in index:
+ result[i] = value
 return result
 @property
diff --git a/os-harden-tools/secharden.py b/os-harden-tools/secharden.py
index 94a5369..f010fa8 100644
--- a/os-harden-tools/secharden.py
+++ b/os-harden-tools/secharden.py
@@ -30,7 +30,12 @@ def apply(args):
 config = parse_config(collect_configs(args.config))
 for rule, rule_conf in config.items():
 logging.debug("applying rule %s with config %s", rule, rule_conf)
- args.rules.apply_rule(rule, rule_conf)
+ try:
+ args.rules.apply_rule(rule, rule_conf)
+ except Exception as e:
+ logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}")
+ logging.exception(e)
+ print(f"Error applying rule '{rule}': {e}")
 def help_message(args):
@@ -87,7 +92,7 @@ def main():
 try:
 args = args.parse_args()
- except:
+ except argparse.ArgumentTypeError:
 print("Error parsing arguments. Use 'secharden --help' for usage information.")
 return
-- Gitee
From bd7ef51e0e4b6923058db88db9e415a342da0007 Mon Sep 17 00:00:00 2001
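Review bot: In the `CmdParameter` hunk the missing-variable case is now both logged with `logging.error` and raised as `ValueError` carrying the same text, so a caller that already logs the exception (as `apply` in secharden.py does with `logging.exception`) records it twice; drop the `logging.error(...)` line and let the exception carry the message. The enclosing method starts before the hunk, so its name and the origin of `result` are not visible here; a one-line docstring on it stating that every index of a repeated placeholder receives the same value would document the behaviour this patch introduces.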
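Review bot: The new `except Exception` in `apply` logs and prints the failure and then continues with the next rule, and `main` still returns normally, so the process exits 0 even when some hardening rules were not applied — an image build or compliance pipeline calling `secharden apply` cannot detect the partial result. Collect the failures, e.g. `failed = []` before the loop, `failed.append(rule)` inside the handler, and `if failed: raise SystemExit(1)` after the loop, so the exit status reflects what was actually applied. The `rule_conf` value echoed into the log line can carry a rule's full configuration, which is useful for diagnosis but is one more reason the log location should not be world-readable. `def apply(args):` is outside the hunk.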
From: Tomahawkd Date: Tue, 29 Jul 2025 16:57:28 +0800 Subject: [PATCH 024/109] add parser testcases --- .../rule_metadata/converters/file_list.py | 3 +- os-harden-tools/schema/categories.schema.json | 1 - os-harden-tools/schema/metadata.schema.json | 1 - .../tests/rules/converter_sample.py | 22 ++ .../directory_name_mismatch/metadata.json | 6 + os-harden-tools/tests/rules/metadata/entry.sh | 1 + .../metadata/entry_not_file/metadata.json | 6 + .../rules/metadata/no_entry/metadata.json | 6 + .../metadata/param/cmd_escape/metadata.json | 15 ++ .../param/cmd_mismatch_id/metadata.json | 15 ++ .../param/cmd_multi_placeholder/metadata.json | 15 ++ .../param/cmd_no_placeholder/metadata.json | 15 ++ .../metadata/param/cmd_noid/metadata.json | 15 ++ .../param/cmd_placeholders/metadata.json | 15 ++ .../metadata/param/cmd_single/metadata.json | 15 ++ .../metadata/param/no_converter/metadata.json | 15 ++ .../tests/rules/metadata/valid/metadata.json | 6 + os-harden-tools/tests/rules/test_cmd.py | 54 +++++ os-harden-tools/tests/rules/test_converter.py | 45 ++++ os-harden-tools/tests/rules/test_metadata.py | 43 ++++ os-harden-tools/tests/rules/test_param.py | 68 ++++++ os-harden-tools/tests/rules/test_schema.py | 212 ++++++++++++++++++ 22 files changed, 591 insertions(+), 3 deletions(-) create mode 100644 os-harden-tools/tests/rules/converter_sample.py create mode 100644 os-harden-tools/tests/rules/metadata/directory_name_mismatch/metadata.json create mode 100644 os-harden-tools/tests/rules/metadata/entry.sh create mode 100644 os-harden-tools/tests/rules/metadata/entry_not_file/metadata.json create mode 100644 os-harden-tools/tests/rules/metadata/no_entry/metadata.json create mode 100644 os-harden-tools/tests/rules/metadata/param/cmd_escape/metadata.json create mode 100644 os-harden-tools/tests/rules/metadata/param/cmd_mismatch_id/metadata.json create mode 100644 os-harden-tools/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json create mode 100644 
os-harden-tools/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
 create mode 100644 os-harden-tools/tests/rules/metadata/param/cmd_noid/metadata.json
 create mode 100644 os-harden-tools/tests/rules/metadata/param/cmd_placeholders/metadata.json
 create mode 100644 os-harden-tools/tests/rules/metadata/param/cmd_single/metadata.json
 create mode 100644 os-harden-tools/tests/rules/metadata/param/no_converter/metadata.json
 create mode 100644 os-harden-tools/tests/rules/metadata/valid/metadata.json
 create mode 100644 os-harden-tools/tests/rules/test_cmd.py
 create mode 100644 os-harden-tools/tests/rules/test_converter.py
 create mode 100644 os-harden-tools/tests/rules/test_metadata.py
 create mode 100644 os-harden-tools/tests/rules/test_param.py
 create mode 100644 os-harden-tools/tests/rules/test_schema.py
diff --git a/os-harden-tools/rule_metadata/converters/file_list.py b/os-harden-tools/rule_metadata/converters/file_list.py
index 03a4903..4184fca 100644
--- a/os-harden-tools/rule_metadata/converters/file_list.py
+++ b/os-harden-tools/rule_metadata/converters/file_list.py
@@ -13,7 +13,8 @@ class FileListConverter(ConfigConverter):
 if not isinstance(config, list):
 raise ValueError("file_list value must be a list")
 self.temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list")
- self.temp_file.writelines(config)
+ self.temp_file.writelines([str(i) for i in config])
+ self.temp_file.flush()
 parameter.add_variable("file", self.temp_file.name)
 def verify(self, parameter: RuleParameter):
diff --git a/os-harden-tools/schema/categories.schema.json b/os-harden-tools/schema/categories.schema.json
index ec38742..5940556 100644
--- a/os-harden-tools/schema/categories.schema.json
+++ b/os-harden-tools/schema/categories.schema.json
@@ -1,5 +1,4 @@
 {
- "$schema": "https://json-schema.org/draft-04/schema",
 "id": "./categories.schema.json",
 "title": "Tool categories metadata Schema",
 "description": "Schema file for tool categories specification",
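Review bot: `self.temp_file.writelines([str(i) for i in config])` writes the entries back to back, because `writelines` adds no separator; if the rule script reads the `.list` file one path per line (the suffix suggests so, but the consumer is not visible here), every entry after the first is merged into the preceding one. Use `self.temp_file.writelines(f"{i}\n" for i in config)`. The file is opened with `delete=False` and nothing in the hunk closes or removes it afterwards; `NamedTemporaryFile` creates it with mode 0600 so its content is not exposed, but the handle stays open and the files accumulate in the temp directory across runs, so the converter should close and unlink it once the rule has executed. The `generate` signature is outside the hunk.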
diff --git a/os-harden-tools/schema/metadata.schema.json b/os-harden-tools/schema/metadata.schema.json index 1c634a1..40e328a 100644 --- a/os-harden-tools/schema/metadata.schema.json +++ b/os-harden-tools/schema/metadata.schema.json @@ -1,5 +1,4 @@ { - "$schema": "https://json-schema.org/draft-04/schema", "id": "./metadata.json", "title": "Tool metadata Schema", "description": "Schema file for tool declaration", diff --git a/os-harden-tools/tests/rules/converter_sample.py b/os-harden-tools/tests/rules/converter_sample.py new file mode 100644 index 0000000..38bbd4e --- /dev/null +++ b/os-harden-tools/tests/rules/converter_sample.py @@ -0,0 +1,22 @@ +from rule_metadata import ConfigConverter, RuleParameter +from executor import CmdParameter + +class TestConverter(ConfigConverter): + def __init__(self): + super().__init__() + self.temp_file = None + + def generate(self, parameter: CmdParameter, config): + parameter.add_variable("file1", config['file1']) + parameter.add_variable("file2", config['file2']) + if 'env1' in config: + parameter.add_env("env1", config['env1']) + + def verify(self, parameter: RuleParameter): + place_holder = parameter.cmd_template.variable_index + if len(place_holder) != 2: + raise ValueError(f"Expected exactly 2 placeholders, found {len(place_holder)}") + if "file1" not in place_holder: + raise ValueError("Placeholder 'file1' not found in the execute config variables") + if "file2" not in place_holder: + raise ValueError("Placeholder 'file2' not found in the execute config variables") \ No newline at end of file diff --git a/os-harden-tools/tests/rules/metadata/directory_name_mismatch/metadata.json b/os-harden-tools/tests/rules/metadata/directory_name_mismatch/metadata.json new file mode 100644 index 0000000..8dab42f --- /dev/null +++ b/os-harden-tools/tests/rules/metadata/directory_name_mismatch/metadata.json 
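Review bot: The helper class in converter_sample.py is named `TestConverter` and lives under `tests/`; when a test module imports it by name, pytest tries to collect it as a test class and, because it defines `__init__`, skips it with a `PytestCollectionWarning` on every run (assuming pytest is the runner, which the `test_*.py` file names suggest). Rename it `SampleConverter` so the `Test` prefix stays reserved for real test classes. `verify` reads `parameter.cmd_template.variable_index` while its annotation says `RuleParameter`, whereas `generate` is annotated `CmdParameter`; a one-line docstring on each method naming the object it actually receives would spare the reader a trip into rule_metadata.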
@@ -0,0 +1,6 @@
+{
+ "id": "valid",
+ "name": "valid metadata",
+ "description": "valid metadata",
+ "entry": "metadata.json"
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/entry.sh b/os-harden-tools/tests/rules/metadata/entry.sh
new file mode 100644
index 0000000..9b75988
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/entry.sh
@@ -0,0 +1 @@
+echo "hello world"
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/entry_not_file/metadata.json b/os-harden-tools/tests/rules/metadata/entry_not_file/metadata.json
new file mode 100644
index 0000000..d0f07bf
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/entry_not_file/metadata.json
@@ -0,0 +1,6 @@
+{
+ "id": "entry_not_file",
+ "name": "valid metadata",
+ "description": "valid metadata",
+ "entry": "../entry_not_file"
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/no_entry/metadata.json b/os-harden-tools/tests/rules/metadata/no_entry/metadata.json
new file mode 100644
index 0000000..74f5e27
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/no_entry/metadata.json
@@ -0,0 +1,6 @@
+{
+ "id": "no_entry",
+ "name": "valid metadata",
+ "description": "valid metadata",
+ "entry": "no_entry.sh"
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_escape/metadata.json b/os-harden-tools/tests/rules/metadata/param/cmd_escape/metadata.json
new file mode 100644
index 0000000..4f231c8
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/cmd_escape/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "cmd_escape",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "FileListConverter",
+ "cmd_template": "%file %%file"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_mismatch_id/metadata.json b/os-harden-tools/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
new file mode 100644
index 0000000..4dca69a
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "cmd_mismatch_id",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "FileListConverter",
+ "cmd_template": "%f"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json b/os-harden-tools/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
new file mode 100644
index 0000000..00f595d
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "cmd_multi_placeholder",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "FileListConverter",
+ "cmd_template": "%file %file"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_no_placeholder/metadata.json b/os-harden-tools/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
new file mode 100644
index 0000000..c6ac65d
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "cmd_no_placeholder",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "FileListConverter",
+ "cmd_template": ""
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_noid/metadata.json b/os-harden-tools/tests/rules/metadata/param/cmd_noid/metadata.json
new file mode 100644
index 0000000..e4a8f80
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/cmd_noid/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "cmd_noid",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "FileListConverter",
+ "cmd_template": "%"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_placeholders/metadata.json b/os-harden-tools/tests/rules/metadata/param/cmd_placeholders/metadata.json
new file mode 100644
index 0000000..c581c1c
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/cmd_placeholders/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "cmd_placeholders",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "TestConverter",
+ "cmd_template": "%file1 %file2"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_single/metadata.json b/os-harden-tools/tests/rules/metadata/param/cmd_single/metadata.json
new file mode 100644
index 0000000..00c8e63
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/cmd_single/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "cmd_single",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "FileListConverter",
+ "cmd_template": "%file test"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/param/no_converter/metadata.json b/os-harden-tools/tests/rules/metadata/param/no_converter/metadata.json
new file mode 100644
index 0000000..6605e57
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/param/no_converter/metadata.json
@@ -0,0 +1,15 @@
+{
+ "id": "no_converter",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "metadata.json",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "NotFoundConverter",
+ "cmd_template": "%file"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/metadata/valid/metadata.json b/os-harden-tools/tests/rules/metadata/valid/metadata.json
new file mode 100644
index 0000000..8dab42f
--- /dev/null
+++ b/os-harden-tools/tests/rules/metadata/valid/metadata.json
@@ -0,0 +1,6 @@
+{
+ "id": "valid",
+ "name": "valid metadata",
+ "description": "valid metadata",
+ "entry": "metadata.json"
+}
\ No newline at end of file
diff --git a/os-harden-tools/tests/rules/test_cmd.py b/os-harden-tools/tests/rules/test_cmd.py
new file mode 100644
index 0000000..9c08283
--- /dev/null
+++ b/os-harden-tools/tests/rules/test_cmd.py
@@ -0,0 +1,54 @@
+from pathlib import Path
+
+import pytest
+
+from rule_metadata import RuleMetadata
+from executor import CmdParameter
+
+
+class TestCmdParam:
+ @pytest.fixture
+ def config_test_path(self, request):
+ return Path(request.path).parent.joinpath("metadata/param").resolve()
+
+ def test_cmd_multi_placeholder(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_multi_placeholder"))
+ param = CmdParameter(r.parameters[0].cmd_template)
+ param.add_variable('file', 'cmd_multi_placeholder')
+ assert param.cmd == ['cmd_multi_placeholder', 'cmd_multi_placeholder']
+
+ def test_cmd_escape(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_escape"))
+ param = CmdParameter(r.parameters[0].cmd_template)
+ param.add_variable('file', 'cmd_escape')
+ assert param.cmd == ['cmd_escape', '%file']
+
+ def test_cmd_single(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_single"))
+ param = CmdParameter(r.parameters[0].cmd_template)
+ param.add_variable('file', 'cmd_single')
+ assert param.cmd == ['cmd_single', 'test']
+
+ def test_cmd_no_variable(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_single"))
+ param = CmdParameter(r.parameters[0].cmd_template)
+ with pytest.raises(ValueError) as e:
+ c = param.cmd
+ assert str(e.value) == "Variable file not found in variable collection"
+
+ def test_cmd_placeholders(self, config_test_path):
+ from converter_sample import TestConverter
+ r = RuleMetadata(config_test_path.joinpath("cmd_placeholders"))
+ param = CmdParameter(r.parameters[0].cmd_template)
+ param.add_variable('file1', 'cmd_placeholders1')
+ param.add_variable('file2', 'cmd_placeholders2')
+ # unused variable is ignored
+ param.add_variable('file3', 'cmd_placeholders3')
+ assert param.cmd == ['cmd_placeholders1', 'cmd_placeholders2']
+
+ def test_cmd_env(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_single"))
+ param = CmdParameter(r.parameters[0].cmd_template)
+ param.add_variable('file', 'cmd_env')
+ param.add_env('cmd_env', 'test1')
+ assert param.env['cmd_env'] == 'test1'
diff --git a/os-harden-tools/tests/rules/test_converter.py b/os-harden-tools/tests/rules/test_converter.py
new file mode 100644
index 0000000..75841e6
--- /dev/null
+++ b/os-harden-tools/tests/rules/test_converter.py
@@ -0,0 +1,45 @@
+from pathlib import Path
+
+import pytest
+
+from rule_metadata import RuleMetadata
+from executor import CmdParameter
+
+
+class TestConverter:
+ @pytest.fixture
+ def config_test_path(self, request):
+ return Path(request.path).parent.joinpath("metadata/param").resolve()
+
+ def test_file_list_converter(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_single"))
+ param = r.parameters[0]
+ converter = param.converter()
+ cmd_param = CmdParameter(param.cmd_template)
+ converter.generate(cmd_param, ['test_t'])
+ file = cmd_param._variables.get('file')
+ assert file is not None
+ assert Path(file).exists()
+ assert Path(file).read_text('utf-8') == 'test_t'
+ converter.cleanup()
+
+ def test_file_list_converter_not_list(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_single"))
+ param = r.parameters[0]
+ converter = param.converter()
+ cmd_param = CmdParameter(param.cmd_template)
+ with pytest.raises(ValueError) as e:
+ converter.generate(cmd_param, 'not_list')
+ assert str(e.value) == "file_list value must be a list"
+ converter.cleanup()
+
+ def test_cmd_placeholders(self, config_test_path):
+ from converter_sample import TestConverter
+ r = RuleMetadata(config_test_path.joinpath("cmd_placeholders"))
+ param = r.parameters[0]
+ converter = param.converter()
+ cmd_param = CmdParameter(param.cmd_template)
+ converter.generate(cmd_param, {'file1': 'test_t1', 'file2': 'test_t2', 'env1': 'test_env1'})
+ assert cmd_param.cmd == ['test_t1', 'test_t2']
+ assert cmd_param.env['env1'] == 'test_env1'
+ converter.cleanup()
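Review bot: `from converter_sample import TestConverter` in `test_cmd_placeholders` is never used in the function body, so it reads as a dead import; if it is there because importing the module is what makes `"converter": "TestConverter"` resolvable, say so with `# imported for its side effect: makes TestConverter resolvable by name`, otherwise a linter will strip it and the test will fail for a non-obvious reason. The same pattern appears in test_converter.py and test_param.py. `c = param.cmd` in `test_cmd_no_variable` leaves an unused local; a bare `param.cmd` expression inside the `with` block states the intent more directly.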
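Review bot: `converter.cleanup()` in `test_file_list_converter` only runs when every preceding assertion passes, and `FileListConverter` creates its file with `delete=False`, so a failing assertion leaks the temp file on disk; put the body in a `try:` block with `finally: converter.cleanup()`, or make the converter a fixture with teardown. The test also passes only a one-element list and so cannot tell whether entries are newline-separated; a two-element case asserting the exact file content would pin that contract. Reading `cmd_param._variables` reaches into a private attribute; if `CmdParameter` offers a public accessor for variables, prefer it.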
diff --git a/os-harden-tools/tests/rules/test_metadata.py b/os-harden-tools/tests/rules/test_metadata.py
new file mode 100644
index 0000000..5017105
--- /dev/null
+++ b/os-harden-tools/tests/rules/test_metadata.py
@@ -0,0 +1,43 @@
+from pathlib import Path
+
+import pytest
+
+from rule_metadata import RuleMetadata
+
+
+class TestMetadata:
+ @pytest.fixture
+ def config_test_path(self, request):
+ return Path(request.path).parent.joinpath("metadata").resolve()
+
+ def test_valid(self, config_test_path):
+ path = config_test_path.joinpath("valid")
+ d = RuleMetadata(path)
+ assert d.id == 'valid'
+ assert d.name == 'valid metadata'
+ assert d.description == 'valid metadata'
+ assert d.entry == path.joinpath("metadata.json")
+
+ def test_entry_not_file(self, config_test_path):
+ path = config_test_path.joinpath("entry_not_file")
+ with pytest.raises(ValueError) as excinfo:
+ RuleMetadata(path)
+ assert str(excinfo.value) == f"Entry file {path.resolve()} for entry_not_file is not a regular file"
+
+ def test_no_entry(self, config_test_path):
+ path = config_test_path.joinpath("no_entry")
+ with pytest.raises(FileNotFoundError) as excinfo:
+ RuleMetadata(path)
+ assert str(excinfo.value) == f"Entry file {path.joinpath('no_entry.sh').resolve()} for no_entry does not exist"
+
+ def test_no_metadata(self, config_test_path):
+ path = config_test_path.joinpath("no_metadata")
+ with pytest.raises(FileNotFoundError) as excinfo:
+ RuleMetadata(path)
+ assert str(excinfo.value) == f"File not found: {path.joinpath('metadata.json')}"
+
+ def test_directory_name_mismatch(self, config_test_path):
+ dirname = "directory_name_mismatch"
+ with pytest.raises(ValueError) as excinfo:
+ RuleMetadata(config_test_path.joinpath(dirname))
+ assert str(excinfo.value) == f"Metadata id valid does not match directory name {dirname}"
diff --git a/os-harden-tools/tests/rules/test_param.py b/os-harden-tools/tests/rules/test_param.py
new file mode 100644
index 0000000..e3aa65e
--- /dev/null
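Review bot: `test_entry_not_file` uses `"entry": "../entry_not_file"`, and the expected message shows the loader rejects it only because the resolved path is a directory, not because it escapes the rule directory. Since `entry` names the file the tool runs, a rule whose `entry` points to a regular file under `..` would presumably load fine; add a test asserting that an entry resolving outside the rule directory is rejected, backed by a check in `RuleMetadata` along the lines of `if not entry.resolve().is_relative_to(path.resolve()): raise ValueError(...)`, so a rule can only execute content shipped in its own directory. Comparing error strings byte-for-byte across four tests also couples them tightly to message wording; `pytest.raises(ValueError, match=...)` on a key fragment is less brittle.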
+++ b/os-harden-tools/tests/rules/test_param.py 
@@ -0,0 +1,68 @@
+from pathlib import Path
+
+import pytest
+
+from rule_metadata import RuleMetadata
+
+
+class TestMetadataParam:
+ @pytest.fixture
+ def config_test_path(self, request):
+ return Path(request.path).parent.joinpath("metadata/param").resolve()
+
+ def test_cmd_mismatch_id(self, config_test_path):
+ with pytest.raises(ValueError) as excinfo:
+ RuleMetadata(config_test_path.joinpath("cmd_mismatch_id"))
+ assert str(excinfo.value) == "Placeholder 'file' not found in the execute config variables"
+
+ def test_cmd_multi_placeholder(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_multi_placeholder"))
+ assert r.parameters[0].id == 'xxx'
+ assert r.parameters[0].name == 'xxx'
+ assert r.parameters[0].description == 'xxx'
+ assert r.parameters[0].converter.__name__ == 'FileListConverter'
+ assert r.parameters[0].cmd_template.template == ['%file', '%file']
+ assert r.parameters[0].cmd_template.variable_index == {'file': [0, 1]}
+
+ def test_cmd_no_placeholder(self, config_test_path):
+ with pytest.raises(ValueError) as excinfo:
+ RuleMetadata(config_test_path.joinpath("cmd_no_placeholder"))
+ assert str(excinfo.value) == "Expected exactly one placeholder, found 0"
+
+ def test_cmd_noid(self, config_test_path):
+ with pytest.raises(ValueError) as excinfo:
+ RuleMetadata(config_test_path.joinpath("cmd_noid"))
+ assert str(excinfo.value) == "invalid cmd template with no id"
+
+ def test_no_converter(self, config_test_path):
+ with pytest.raises(NotImplementedError) as excinfo:
+ RuleMetadata(config_test_path.joinpath("no_converter"))
+ assert str(excinfo.value) == 'converter of type NotFoundConverter is not implemented'
+
+ def test_cmd_escape(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_escape"))
+ assert r.parameters[0].id == 'xxx'
+ assert r.parameters[0].name == 'xxx'
+ assert r.parameters[0].description == 'xxx'
+ assert r.parameters[0].converter.__name__ == 'FileListConverter'
+ assert r.parameters[0].cmd_template.template == ['%file', '%file']
+ assert r.parameters[0].cmd_template.variable_index == {'file': [0]}
+
+ def test_cmd_single(self, config_test_path):
+ r = RuleMetadata(config_test_path.joinpath("cmd_single"))
+ assert r.parameters[0].id == 'xxx'
+ assert r.parameters[0].name == 'xxx'
+ assert r.parameters[0].description == 'xxx'
+ assert r.parameters[0].converter.__name__ == 'FileListConverter'
+ assert r.parameters[0].cmd_template.template == ['%file', 'test']
+ assert r.parameters[0].cmd_template.variable_index == {'file': [0]}
+
+ def test_cmd_placeholders(self, config_test_path):
+ from converter_sample import TestConverter
+ r = RuleMetadata(config_test_path.joinpath("cmd_placeholders"))
+ assert r.parameters[0].id == 'xxx'
+ assert r.parameters[0].name == 'xxx'
+ assert r.parameters[0].description == 'xxx'
+ assert r.parameters[0].converter.__name__ == 'TestConverter'
+ assert r.parameters[0].cmd_template.template == ['%file1', '%file2']
+ assert r.parameters[0].cmd_template.variable_index == {'file1': [0], 'file2': [1]}
diff --git a/os-harden-tools/tests/rules/test_schema.py b/os-harden-tools/tests/rules/test_schema.py
new file mode 100644
index 0000000..95fe9a2
--- /dev/null
+++ b/os-harden-tools/tests/rules/test_schema.py
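Review bot: `test_cmd_escape` asserts that `%file %%file` parses to `template == ['%file', '%file']` with `variable_index == {'file': [0]}`, i.e. the escaped literal and the placeholder are stored as identical text and are told apart only through `variable_index`; that is a non-obvious contract and deserves a comment such as `# '%%file' is unescaped to the literal '%file'; only index 0 is a placeholder`. The same contract is exercised by `test_cmd_escape` in test_cmd.py, which expects `'%file'` in the rendered command, so a cross-reference between the two would help the next reader.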
@@ -0,0 +1,212 @@
+import jsonschema
+import pytest
+
+from rule_metadata import RuleMetadata
+
+
+class TestSchema:
+ @pytest.fixture
+ def schema(self, request):
+ return RuleMetadata._metadata_schema
+
+ def test_no_id(self, schema):
+ no_id = {
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx"
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(no_id, schema)
+
+ def test_no_name(self, schema):
+ no_name = {
+ "id": "xxx",
+ "description": "xxx",
+ "entry": "xxx"
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(no_name, schema)
+
+ def test_no_desc(self, schema):
+ no_desc = {
+ "id": "xxx",
+ "name": "xxx",
+ "entry": "../xxx"
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(no_desc, schema)
+
+ def test_no_entry(self, schema):
+ no_entry = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(no_entry, schema)
+
+ def test_url_no_url(self, schema):
+ url_no_url = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "urls": [
+ {
+ "title": "xxx"
+ }
+ ]
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(url_no_url, schema)
+
+ def test_url_no_title(self, schema):
+ url_no_title = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "urls": [
+ {
+ "url": "xxx"
+ }
+ ]
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(url_no_title, schema)
+
+ def test_parameter_no_id(self, schema):
+ parameter_no_id = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "parameters": [
+ {
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "xxx",
+ "cmd_template": "xxx"
+ }
+ ]
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(parameter_no_id, schema)
+
+ def test_parameter_no_name(self, schema):
+ parameter_no_name = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "parameters": [
+ {
+ "id": "xxx",
+ "description": "xxx",
+ "converter": "xxx",
+ "cmd_template": "xxx"
+ }
+ ]
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(parameter_no_name, schema)
+
+ def test_parameter_no_desc(self, schema):
+ parameter_no_desc = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "converter": "xxx",
+ "cmd_template": "xxx"
+ }
+ ]
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(parameter_no_desc, schema)
+
+ def test_parameter_no_conv(self, schema):
+ parameter_no_conv = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "cmd_template": "xxx"
+ }
+ ]
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(parameter_no_conv, schema)
+
+ def test_parameter_no_temp(self, schema):
+ parameter_no_temp = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "xxx",
+ }
+ ]
+ }
+ with pytest.raises(jsonschema.ValidationError):
+ jsonschema.validate(parameter_no_temp, schema)
+
+ def test_basic(self, schema):
+ basic = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx"
+ }
+ jsonschema.validate(basic, schema)
+
+ def test_full(self, schema):
+ full = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "parameters": [
+ {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "converter": "xxx",
+ "cmd_template": "xxx"
+ }
+ ],
+ "urls": [
+ {
+ "url": "xxx",
+ "title": "xxx"
+ }
+ ]
+ }
+ jsonschema.validate(full, schema)
+
+ def test_empty_arr(self, schema):
+ empty_arr = {
+ "id": "xxx",
+ "name": "xxx",
+ "description": "xxx",
+ "entry": "xxx",
+ "parameters": [
+ ],
+ "urls": [
+ ]
+ } + jsonschema.validate(empty_arr, schema) \ No newline at end of file -- Gitee From f6cdc7a795337ff908e520f0e2ad840e44a65d30 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 29 Jul 2025 17:24:16 +0800 Subject: [PATCH 025/109] bugfix, add coverage for pytest --- os-harden-tools/config_parser.py | 4 +- os-harden-tools/pyproject.toml | 1 + .../{t-t.conf => nodash.conf} | 0 .../secharden.conf.d/not-number.conf | 5 + .../parser/invalid_yaml/secharden.conf | 1 + .../tests/config_parser/test_parser.py | 4 + .../tests/rules/converter_sample.py | 9 +- os-harden-tools/tests/rules/metadata/entry.sh | 1 - .../rules/metadata/valid_full/metadata.json | 21 +++ os-harden-tools/tests/rules/test_metadata.py | 20 +++ os-harden-tools/uv.lock | 139 +++++++++++++++++- 11 files changed, 195 insertions(+), 10 deletions(-) rename os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/{t-t.conf => nodash.conf} (100%) create mode 100644 os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf create mode 100644 os-harden-tools/tests/config_parser/parser/invalid_yaml/secharden.conf delete mode 100644 os-harden-tools/tests/rules/metadata/entry.sh create mode 100644 os-harden-tools/tests/rules/metadata/valid_full/metadata.json diff --git a/os-harden-tools/config_parser.py b/os-harden-tools/config_parser.py index f73b93f..11a7e8a 100644 --- a/os-harden-tools/config_parser.py +++ b/os-harden-tools/config_parser.py @@ -18,7 +18,7 @@ CHECK_SCHEMA = { def verify_config_name(path: Path) -> bool: name = path.name if not '-' in name: - logging.error(f"Config {path} does not follow naming convention (should be 'priority.config_name')") + logging.error(f"Config {path} does not follow naming convention (should be 'priority-config_name')") return False if not name.split('-', 1)[0].isdigit(): logging.error(f"Config {path} does not have a valid priority index") 
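Review bot: Every negative test here drops a required key; none checks that a wrongly typed value is rejected (`"entry": 1`, `"parameters": "xxx"`, `"urls": {}`) or what happens with unknown keys, so the schema's type constraints and any `additionalProperties` setting are untested. One wrong-type case per field would pin those. Since this patch also removes `$schema` from the schema files, `jsonschema.validate(x, schema)` now runs under whichever draft the library defaults to; passing `cls=jsonschema.Draft4Validator` (or the draft the schema actually targets) makes the tests independent of that default. The fixture reads the private `RuleMetadata._metadata_schema`; if the schema is meant to be shared with tests, expose it or load the schema file directly.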
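Review bot: `if not name.split('-', 1)[0].isdigit()` accepts any Unicode digit, but the sort key in the next hunk (`int(r.name.split('-', 1)[0])`) only accepts ASCII decimals; for a prefix such as `'²'`, `isdigit()` is true and `int()` raises `ValueError`, so one oddly named file in `secharden.conf.d` aborts collection instead of being logged and skipped. Using `isdecimal()` here, or computing the key inside a `try`, keeps the check and the conversion in agreement. `if not '-' in name` would read more idiomatically as `if '-' not in name`. `verify_config_name` starts inside the hunk but `collect_configs` in the next hunk starts outside it.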
@@ -40,7 +40,7 @@ def collect_configs(config_dir: Path) -> List[Path]: user_config = config_dir.joinpath("secharden.conf.d") if user_config.exists() and user_config.is_dir(): - configs: List[Path] = list(user_config.glob(f"*-*.conf")) + configs: List[Path] = list(user_config.glob(f"*.conf")) file_collection.extend( sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0]))) diff --git a/os-harden-tools/pyproject.toml b/os-harden-tools/pyproject.toml index 12a05a5..6a14118 100644 --- a/os-harden-tools/pyproject.toml +++ b/os-harden-tools/pyproject.toml @@ -12,5 +12,6 @@ dependencies = [ [dependency-groups] dev = [ "pytest>=8.4.1", + "pytest-cov>=6.2.1", ] diff --git a/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/t-t.conf b/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/t-t.conf rename to os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf diff --git a/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf b/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf new file mode 100644 index 0000000..b024e73 --- /dev/null +++ b/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf @@ -0,0 +1,5 @@ +int.02: +int.03: +selinux_tags: + - ima_t + - ima2_t \ No newline at end of file diff --git a/os-harden-tools/tests/config_parser/parser/invalid_yaml/secharden.conf b/os-harden-tools/tests/config_parser/parser/invalid_yaml/secharden.conf new file mode 100644 index 0000000..22ded55 --- /dev/null +++ b/os-harden-tools/tests/config_parser/parser/invalid_yaml/secharden.conf @@ -0,0 +1 @@ +: \ No newline at end of file 
diff --git a/os-harden-tools/tests/config_parser/test_parser.py b/os-harden-tools/tests/config_parser/test_parser.py index 6b9f23b..712fb6f 100644 --- a/os-harden-tools/tests/config_parser/test_parser.py +++ b/os-harden-tools/tests/config_parser/test_parser.py @@ -17,6 +17,10 @@ class TestConfigParser: d = parse_config([config_test_path.joinpath("wrong_file/secharden.conf")]) assert d == {} + def test_invalid_yaml(self, config_test_path): + d = parse_config([config_test_path.joinpath("invalid_yaml/secharden.conf")]) + assert d == {} + def test_wrong_file_in_collection(self, config_test_path): d = parse_config([ config_test_path.joinpath("wrong_file_in_collection/1.conf"), diff --git a/os-harden-tools/tests/rules/converter_sample.py b/os-harden-tools/tests/rules/converter_sample.py index 38bbd4e..7a8e089 100644 --- a/os-harden-tools/tests/rules/converter_sample.py +++ b/os-harden-tools/tests/rules/converter_sample.py @@ -14,9 +14,6 @@ class TestConverter(ConfigConverter): def verify(self, parameter: RuleParameter): place_holder = parameter.cmd_template.variable_index - if len(place_holder) != 2: - raise ValueError(f"Expected exactly 2 placeholders, found {len(place_holder)}") - if "file1" not in place_holder: - raise ValueError("Placeholder 'file1' not found in the execute config variables") - if "file2" not in place_holder: - raise ValueError("Placeholder 'file2' not found in the execute config variables") \ No newline at end of file + assert len(place_holder) == 2 + assert "file1" in place_holder + assert "file2" in place_holder diff --git a/os-harden-tools/tests/rules/metadata/entry.sh b/os-harden-tools/tests/rules/metadata/entry.sh deleted file mode 100644 index 9b75988..0000000 --- a/os-harden-tools/tests/rules/metadata/entry.sh +++ /dev/null @@ -1 +0,0 @@ -echo "hello world" \ No newline at end of file 
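Review bot: Replacing the `ValueError`s in `TestConverter.verify` with bare `assert` statements turns a check that always runs into one that vanishes under `python -O`, and it diverges from the real converters, whose `verify` raises `ValueError` (the messages asserted in test_param.py, e.g. `"Expected exactly one placeholder, found 0"`). For a test double that can be acceptable, but the intent should be stated, e.g. `# test-only converter: plain asserts so a misconfigured fixture fails loudly under pytest`; otherwise keep the `ValueError` form so the sample mirrors the production contract. The class header of `TestConverter` is outside the hunk.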
diff --git a/os-harden-tools/tests/rules/metadata/valid_full/metadata.json b/os-harden-tools/tests/rules/metadata/valid_full/metadata.json new file mode 100644 index 0000000..702e06f --- /dev/null +++ b/os-harden-tools/tests/rules/metadata/valid_full/metadata.json @@ -0,0 +1,21 @@ +{ + "id": "valid_full", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json", + "parameters": [ + { + "id": "xxx", + "name": "xxx", + "description": "xxx", + "converter": "FileListConverter", + "cmd_template": "%file test" + } + ], + "urls": [ + { + "url": "https://example.com", + "title": "example" + } + ] +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/test_metadata.py b/os-harden-tools/tests/rules/test_metadata.py index 5017105..47e2701 100644 --- a/os-harden-tools/tests/rules/test_metadata.py +++ b/os-harden-tools/tests/rules/test_metadata.py @@ -18,6 +18,26 @@ class TestMetadata: assert d.description == 'valid metadata' assert d.entry == path.joinpath("metadata.json") + def test_valid_full(self, config_test_path): + path = config_test_path.joinpath("valid_full") + d = RuleMetadata(path) + assert d.id == 'valid_full' + assert d.name == 'valid metadata' + assert d.description == 'valid metadata' + assert d.entry == path.joinpath("metadata.json") + assert len(d.parameters) == 1 + param = d.parameters[0] + assert param.id == 'xxx' + assert param.name == 'xxx' + assert param.description == 'xxx' + assert param.converter.__name__ == 'FileListConverter' + assert param.cmd_template.template == ['%file', 'test'] + assert param.cmd_template.variable_index == {'file': [0]} + urls = d.urls + assert len(urls) == 1 + assert urls[0].url == 'https://example.com' + assert urls[0].title == 'example' + def test_entry_not_file(self, config_test_path): path = config_test_path.joinpath("entry_not_file") with pytest.raises(ValueError) as excinfo: diff --git a/os-harden-tools/uv.lock b/os-harden-tools/uv.lock index 5ed23ff..134eb6d 100644 
--- a/os-harden-tools/uv.lock
+++ b/os-harden-tools/uv.lock
@@ -20,6 +20,86 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" }, ] +[[package]] +name = "coverage" +version = "7.10.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/87/0e/66dbd4c6a7f0758a8d18044c048779ba21fb94856e1edcf764bd5403e710/coverage-7.10.1.tar.gz", hash = "sha256:ae2b4856f29ddfe827106794f3589949a57da6f0d38ab01e24ec35107979ba57", size = 819938, upload-time = "2025-07-27T14:13:39.045Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/20/8e/ef088112bd1b26e2aa931ee186992b3e42c222c64f33e381432c8ee52aae/coverage-7.10.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:b45e2f9d5b0b5c1977cb4feb5f594be60eb121106f8900348e29331f553a726f", size = 214747, upload-time = "2025-07-27T14:11:18.217Z" }, + { url = "https://files.pythonhosted.org/packages/2d/76/a1e46f3c6e0897758eb43af88bb3c763cb005f4950769f7b553e22aa5f89/coverage-7.10.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:3a7a4d74cb0f5e3334f9aa26af7016ddb94fb4bfa11b4a573d8e98ecba8c34f1", size = 215128, upload-time = "2025-07-27T14:11:19.706Z" }, + { url = "https://files.pythonhosted.org/packages/78/4d/903bafb371a8c887826ecc30d3977b65dfad0e1e66aa61b7e173de0828b0/coverage-7.10.1-cp311-cp311-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:d4b0aab55ad60ead26159ff12b538c85fbab731a5e3411c642b46c3525863437", size = 245140, upload-time = "2025-07-27T14:11:21.261Z" }, + { url = "https://files.pythonhosted.org/packages/55/f1/1f8f09536f38394a8698dd08a0e9608a512eacee1d3b771e2d06397f77bf/coverage-7.10.1-cp311-cp311-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:dcc93488c9ebd229be6ee1f0d9aad90da97b33ad7e2912f5495804d78a3cd6b7", 
size = 246977, upload-time = "2025-07-27T14:11:23.15Z" }, + { url = "https://files.pythonhosted.org/packages/57/cc/ed6bbc5a3bdb36ae1bca900bbbfdcb23b260ef2767a7b2dab38b92f61adf/coverage-7.10.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:aa309df995d020f3438407081b51ff527171cca6772b33cf8f85344b8b4b8770", size = 249140, upload-time = "2025-07-27T14:11:24.743Z" }, + { url = "https://files.pythonhosted.org/packages/10/f5/e881ade2d8e291b60fa1d93d6d736107e940144d80d21a0d4999cff3642f/coverage-7.10.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:cfb8b9d8855c8608f9747602a48ab525b1d320ecf0113994f6df23160af68262", size = 246869, upload-time = "2025-07-27T14:11:26.156Z" }, + { url = "https://files.pythonhosted.org/packages/53/b9/6a5665cb8996e3cd341d184bb11e2a8edf01d8dadcf44eb1e742186cf243/coverage-7.10.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:320d86da829b012982b414c7cdda65f5d358d63f764e0e4e54b33097646f39a3", size = 244899, upload-time = "2025-07-27T14:11:27.622Z" }, + { url = "https://files.pythonhosted.org/packages/27/11/24156776709c4e25bf8a33d6bb2ece9a9067186ddac19990f6560a7f8130/coverage-7.10.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:dc60ddd483c556590da1d9482a4518292eec36dd0e1e8496966759a1f282bcd0", size = 245507, upload-time = "2025-07-27T14:11:29.544Z" }, + { url = "https://files.pythonhosted.org/packages/43/db/a6f0340b7d6802a79928659c9a32bc778ea420e87a61b568d68ac36d45a8/coverage-7.10.1-cp311-cp311-win32.whl", hash = "sha256:4fcfe294f95b44e4754da5b58be750396f2b1caca8f9a0e78588e3ef85f8b8be", size = 217167, upload-time = "2025-07-27T14:11:31.349Z" }, + { url = "https://files.pythonhosted.org/packages/f5/6f/1990eb4fd05cea4cfabdf1d587a997ac5f9a8bee883443a1d519a2a848c9/coverage-7.10.1-cp311-cp311-win_amd64.whl", hash = "sha256:efa23166da3fe2915f8ab452dde40319ac84dc357f635737174a08dbd912980c", size = 218054, upload-time = "2025-07-27T14:11:33.202Z" }, + { url = 
"https://files.pythonhosted.org/packages/b4/4d/5e061d6020251b20e9b4303bb0b7900083a1a384ec4e5db326336c1c4abd/coverage-7.10.1-cp311-cp311-win_arm64.whl", hash = "sha256:d12b15a8c3759e2bb580ffa423ae54be4f184cf23beffcbd641f4fe6e1584293", size = 216483, upload-time = "2025-07-27T14:11:34.663Z" }, + { url = "https://files.pythonhosted.org/packages/a5/3f/b051feeb292400bd22d071fdf933b3ad389a8cef5c80c7866ed0c7414b9e/coverage-7.10.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:6b7dc7f0a75a7eaa4584e5843c873c561b12602439d2351ee28c7478186c4da4", size = 214934, upload-time = "2025-07-27T14:11:36.096Z" }, + { url = "https://files.pythonhosted.org/packages/f8/e4/a61b27d5c4c2d185bdfb0bfe9d15ab4ac4f0073032665544507429ae60eb/coverage-7.10.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:607f82389f0ecafc565813aa201a5cade04f897603750028dd660fb01797265e", size = 215173, upload-time = "2025-07-27T14:11:38.005Z" }, + { url = "https://files.pythonhosted.org/packages/8a/01/40a6ee05b60d02d0bc53742ad4966e39dccd450aafb48c535a64390a3552/coverage-7.10.1-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:f7da31a1ba31f1c1d4d5044b7c5813878adae1f3af8f4052d679cc493c7328f4", size = 246190, upload-time = "2025-07-27T14:11:39.887Z" }, + { url = "https://files.pythonhosted.org/packages/11/ef/a28d64d702eb583c377255047281305dc5a5cfbfb0ee36e721f78255adb6/coverage-7.10.1-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:51fe93f3fe4f5d8483d51072fddc65e717a175490804e1942c975a68e04bf97a", size = 248618, upload-time = "2025-07-27T14:11:41.841Z" }, + { url = "https://files.pythonhosted.org/packages/6a/ad/73d018bb0c8317725370c79d69b5c6e0257df84a3b9b781bda27a438a3be/coverage-7.10.1-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3e59d00830da411a1feef6ac828b90bbf74c9b6a8e87b8ca37964925bba76dbe", size = 250081, upload-time = "2025-07-27T14:11:43.705Z" }, + { url = 
"https://files.pythonhosted.org/packages/2d/dd/496adfbbb4503ebca5d5b2de8bed5ec00c0a76558ffc5b834fd404166bc9/coverage-7.10.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:924563481c27941229cb4e16eefacc35da28563e80791b3ddc5597b062a5c386", size = 247990, upload-time = "2025-07-27T14:11:45.244Z" }, + { url = "https://files.pythonhosted.org/packages/18/3c/a9331a7982facfac0d98a4a87b36ae666fe4257d0f00961a3a9ef73e015d/coverage-7.10.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:ca79146ee421b259f8131f153102220b84d1a5e6fb9c8aed13b3badfd1796de6", size = 246191, upload-time = "2025-07-27T14:11:47.093Z" }, + { url = "https://files.pythonhosted.org/packages/62/0c/75345895013b83f7afe92ec595e15a9a525ede17491677ceebb2ba5c3d85/coverage-7.10.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:2b225a06d227f23f386fdc0eab471506d9e644be699424814acc7d114595495f", size = 247400, upload-time = "2025-07-27T14:11:48.643Z" }, + { url = "https://files.pythonhosted.org/packages/e2/a9/98b268cfc5619ef9df1d5d34fee408ecb1542d9fd43d467e5c2f28668cd4/coverage-7.10.1-cp312-cp312-win32.whl", hash = "sha256:5ba9a8770effec5baaaab1567be916c87d8eea0c9ad11253722d86874d885eca", size = 217338, upload-time = "2025-07-27T14:11:50.258Z" }, + { url = "https://files.pythonhosted.org/packages/fe/31/22a5440e4d1451f253c5cd69fdcead65e92ef08cd4ec237b8756dc0b20a7/coverage-7.10.1-cp312-cp312-win_amd64.whl", hash = "sha256:9eb245a8d8dd0ad73b4062135a251ec55086fbc2c42e0eb9725a9b553fba18a3", size = 218125, upload-time = "2025-07-27T14:11:52.034Z" }, + { url = "https://files.pythonhosted.org/packages/d6/2b/40d9f0ce7ee839f08a43c5bfc9d05cec28aaa7c9785837247f96cbe490b9/coverage-7.10.1-cp312-cp312-win_arm64.whl", hash = "sha256:7718060dd4434cc719803a5e526838a5d66e4efa5dc46d2b25c21965a9c6fcc4", size = 216523, upload-time = "2025-07-27T14:11:53.965Z" }, + { url = 
"https://files.pythonhosted.org/packages/ef/72/135ff5fef09b1ffe78dbe6fcf1e16b2e564cd35faeacf3d63d60d887f12d/coverage-7.10.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:ebb08d0867c5a25dffa4823377292a0ffd7aaafb218b5d4e2e106378b1061e39", size = 214960, upload-time = "2025-07-27T14:11:55.959Z" }, + { url = "https://files.pythonhosted.org/packages/b1/aa/73a5d1a6fc08ca709a8177825616aa95ee6bf34d522517c2595484a3e6c9/coverage-7.10.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:f32a95a83c2e17422f67af922a89422cd24c6fa94041f083dd0bb4f6057d0bc7", size = 215220, upload-time = "2025-07-27T14:11:57.899Z" }, + { url = "https://files.pythonhosted.org/packages/8d/40/3124fdd45ed3772a42fc73ca41c091699b38a2c3bd4f9cb564162378e8b6/coverage-7.10.1-cp313-cp313-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:c4c746d11c8aba4b9f58ca8bfc6fbfd0da4efe7960ae5540d1a1b13655ee8892", size = 245772, upload-time = "2025-07-27T14:12:00.422Z" }, + { url = "https://files.pythonhosted.org/packages/42/62/a77b254822efa8c12ad59e8039f2bc3df56dc162ebda55e1943e35ba31a5/coverage-7.10.1-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:7f39edd52c23e5c7ed94e0e4bf088928029edf86ef10b95413e5ea670c5e92d7", size = 248116, upload-time = "2025-07-27T14:12:03.099Z" }, + { url = "https://files.pythonhosted.org/packages/1d/01/8101f062f472a3a6205b458d18ef0444a63ae5d36a8a5ed5dd0f6167f4db/coverage-7.10.1-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ab6e19b684981d0cd968906e293d5628e89faacb27977c92f3600b201926b994", size = 249554, upload-time = "2025-07-27T14:12:04.668Z" }, + { url = "https://files.pythonhosted.org/packages/8f/7b/e51bc61573e71ff7275a4f167aecbd16cb010aefdf54bcd8b0a133391263/coverage-7.10.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:5121d8cf0eacb16133501455d216bb5f99899ae2f52d394fe45d59229e6611d0", size = 247766, upload-time = "2025-07-27T14:12:06.234Z" }, + { url 
= "https://files.pythonhosted.org/packages/4b/71/1c96d66a51d4204a9d6d12df53c4071d87e110941a2a1fe94693192262f5/coverage-7.10.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:df1c742ca6f46a6f6cbcaef9ac694dc2cb1260d30a6a2f5c68c5f5bcfee1cfd7", size = 245735, upload-time = "2025-07-27T14:12:08.305Z" }, + { url = "https://files.pythonhosted.org/packages/13/d5/efbc2ac4d35ae2f22ef6df2ca084c60e13bd9378be68655e3268c80349ab/coverage-7.10.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:40f9a38676f9c073bf4b9194707aa1eb97dca0e22cc3766d83879d72500132c7", size = 247118, upload-time = "2025-07-27T14:12:09.903Z" }, + { url = "https://files.pythonhosted.org/packages/d1/22/073848352bec28ca65f2b6816b892fcf9a31abbef07b868487ad15dd55f1/coverage-7.10.1-cp313-cp313-win32.whl", hash = "sha256:2348631f049e884839553b9974f0821d39241c6ffb01a418efce434f7eba0fe7", size = 217381, upload-time = "2025-07-27T14:12:11.535Z" }, + { url = "https://files.pythonhosted.org/packages/b7/df/df6a0ff33b042f000089bd11b6bb034bab073e2ab64a56e78ed882cba55d/coverage-7.10.1-cp313-cp313-win_amd64.whl", hash = "sha256:4072b31361b0d6d23f750c524f694e1a417c1220a30d3ef02741eed28520c48e", size = 218152, upload-time = "2025-07-27T14:12:13.182Z" }, + { url = "https://files.pythonhosted.org/packages/30/e3/5085ca849a40ed6b47cdb8f65471c2f754e19390b5a12fa8abd25cbfaa8f/coverage-7.10.1-cp313-cp313-win_arm64.whl", hash = "sha256:3e31dfb8271937cab9425f19259b1b1d1f556790e98eb266009e7a61d337b6d4", size = 216559, upload-time = "2025-07-27T14:12:14.807Z" }, + { url = "https://files.pythonhosted.org/packages/cc/93/58714efbfdeb547909feaabe1d67b2bdd59f0597060271b9c548d5efb529/coverage-7.10.1-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:1c4f679c6b573a5257af6012f167a45be4c749c9925fd44d5178fd641ad8bf72", size = 215677, upload-time = "2025-07-27T14:12:16.68Z" }, + { url = 
"https://files.pythonhosted.org/packages/c0/0c/18eaa5897e7e8cb3f8c45e563e23e8a85686b4585e29d53cacb6bc9cb340/coverage-7.10.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:871ebe8143da284bd77b84a9136200bd638be253618765d21a1fce71006d94af", size = 215899, upload-time = "2025-07-27T14:12:18.758Z" }, + { url = "https://files.pythonhosted.org/packages/84/c1/9d1affacc3c75b5a184c140377701bbf14fc94619367f07a269cd9e4fed6/coverage-7.10.1-cp313-cp313t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:998c4751dabf7d29b30594af416e4bf5091f11f92a8d88eb1512c7ba136d1ed7", size = 257140, upload-time = "2025-07-27T14:12:20.357Z" }, + { url = "https://files.pythonhosted.org/packages/3d/0f/339bc6b8fa968c346df346068cca1f24bdea2ddfa93bb3dc2e7749730962/coverage-7.10.1-cp313-cp313t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:780f750a25e7749d0af6b3631759c2c14f45de209f3faaa2398312d1c7a22759", size = 259005, upload-time = "2025-07-27T14:12:22.007Z" }, + { url = "https://files.pythonhosted.org/packages/c8/22/89390864b92ea7c909079939b71baba7e5b42a76bf327c1d615bd829ba57/coverage-7.10.1-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:590bdba9445df4763bdbebc928d8182f094c1f3947a8dc0fc82ef014dbdd8324", size = 261143, upload-time = "2025-07-27T14:12:23.746Z" }, + { url = "https://files.pythonhosted.org/packages/2c/56/3d04d89017c0c41c7a71bd69b29699d919b6bbf2649b8b2091240b97dd6a/coverage-7.10.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:9b2df80cb6a2af86d300e70acb82e9b79dab2c1e6971e44b78dbfc1a1e736b53", size = 258735, upload-time = "2025-07-27T14:12:25.73Z" }, + { url = "https://files.pythonhosted.org/packages/cb/40/312252c8afa5ca781063a09d931f4b9409dc91526cd0b5a2b84143ffafa2/coverage-7.10.1-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:d6a558c2725bfb6337bf57c1cd366c13798bfd3bfc9e3dd1f4a6f6fc95a4605f", size = 256871, upload-time = "2025-07-27T14:12:27.767Z" }, + { 
url = "https://files.pythonhosted.org/packages/1f/2b/564947d5dede068215aaddb9e05638aeac079685101462218229ddea9113/coverage-7.10.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:e6150d167f32f2a54690e572e0a4c90296fb000a18e9b26ab81a6489e24e78dd", size = 257692, upload-time = "2025-07-27T14:12:29.347Z" }, + { url = "https://files.pythonhosted.org/packages/93/1b/c8a867ade85cb26d802aea2209b9c2c80613b9c122baa8c8ecea6799648f/coverage-7.10.1-cp313-cp313t-win32.whl", hash = "sha256:d946a0c067aa88be4a593aad1236493313bafaa27e2a2080bfe88db827972f3c", size = 218059, upload-time = "2025-07-27T14:12:31.076Z" }, + { url = "https://files.pythonhosted.org/packages/a1/fe/cd4ab40570ae83a516bf5e754ea4388aeedd48e660e40c50b7713ed4f930/coverage-7.10.1-cp313-cp313t-win_amd64.whl", hash = "sha256:e37c72eaccdd5ed1130c67a92ad38f5b2af66eeff7b0abe29534225db2ef7b18", size = 219150, upload-time = "2025-07-27T14:12:32.746Z" }, + { url = "https://files.pythonhosted.org/packages/8d/16/6e5ed5854be6d70d0c39e9cb9dd2449f2c8c34455534c32c1a508c7dbdb5/coverage-7.10.1-cp313-cp313t-win_arm64.whl", hash = "sha256:89ec0ffc215c590c732918c95cd02b55c7d0f569d76b90bb1a5e78aa340618e4", size = 217014, upload-time = "2025-07-27T14:12:34.406Z" }, + { url = "https://files.pythonhosted.org/packages/54/8e/6d0bfe9c3d7121cf936c5f8b03e8c3da1484fb801703127dba20fb8bd3c7/coverage-7.10.1-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:166d89c57e877e93d8827dac32cedae6b0277ca684c6511497311249f35a280c", size = 214951, upload-time = "2025-07-27T14:12:36.069Z" }, + { url = "https://files.pythonhosted.org/packages/f2/29/e3e51a8c653cf2174c60532aafeb5065cea0911403fa144c9abe39790308/coverage-7.10.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:bed4a2341b33cd1a7d9ffc47df4a78ee61d3416d43b4adc9e18b7d266650b83e", size = 215229, upload-time = "2025-07-27T14:12:37.759Z" }, + { url = 
"https://files.pythonhosted.org/packages/e0/59/3c972080b2fa18b6c4510201f6d4dc87159d450627d062cd9ad051134062/coverage-7.10.1-cp314-cp314-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:ddca1e4f5f4c67980533df01430184c19b5359900e080248bbf4ed6789584d8b", size = 245738, upload-time = "2025-07-27T14:12:39.453Z" }, + { url = "https://files.pythonhosted.org/packages/2e/04/fc0d99d3f809452654e958e1788454f6e27b34e43f8f8598191c8ad13537/coverage-7.10.1-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:37b69226001d8b7de7126cad7366b0778d36777e4d788c66991455ba817c5b41", size = 248045, upload-time = "2025-07-27T14:12:41.387Z" }, + { url = "https://files.pythonhosted.org/packages/5e/2e/afcbf599e77e0dfbf4c97197747250d13d397d27e185b93987d9eaac053d/coverage-7.10.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b2f22102197bcb1722691296f9e589f02b616f874e54a209284dd7b9294b0b7f", size = 249666, upload-time = "2025-07-27T14:12:43.056Z" }, + { url = "https://files.pythonhosted.org/packages/6e/ae/bc47f7f8ecb7a06cbae2bf86a6fa20f479dd902bc80f57cff7730438059d/coverage-7.10.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:1e0c768b0f9ac5839dac5cf88992a4bb459e488ee8a1f8489af4cb33b1af00f1", size = 247692, upload-time = "2025-07-27T14:12:44.83Z" }, + { url = "https://files.pythonhosted.org/packages/b6/26/cbfa3092d31ccba8ba7647e4d25753263e818b4547eba446b113d7d1efdf/coverage-7.10.1-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:991196702d5e0b120a8fef2664e1b9c333a81d36d5f6bcf6b225c0cf8b0451a2", size = 245536, upload-time = "2025-07-27T14:12:46.527Z" }, + { url = "https://files.pythonhosted.org/packages/56/77/9c68e92500e6a1c83d024a70eadcc9a173f21aadd73c4675fe64c9c43fdf/coverage-7.10.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:ae8e59e5f4fd85d6ad34c2bb9d74037b5b11be072b8b7e9986beb11f957573d4", size = 246954, upload-time = "2025-07-27T14:12:49.279Z" }, + { 
url = "https://files.pythonhosted.org/packages/7f/a5/ba96671c5a669672aacd9877a5987c8551501b602827b4e84256da2a30a7/coverage-7.10.1-cp314-cp314-win32.whl", hash = "sha256:042125c89cf74a074984002e165d61fe0e31c7bd40ebb4bbebf07939b5924613", size = 217616, upload-time = "2025-07-27T14:12:51.214Z" }, + { url = "https://files.pythonhosted.org/packages/e7/3c/e1e1eb95fc1585f15a410208c4795db24a948e04d9bde818fe4eb893bc85/coverage-7.10.1-cp314-cp314-win_amd64.whl", hash = "sha256:a22c3bfe09f7a530e2c94c87ff7af867259c91bef87ed2089cd69b783af7b84e", size = 218412, upload-time = "2025-07-27T14:12:53.429Z" }, + { url = "https://files.pythonhosted.org/packages/b0/85/7e1e5be2cb966cba95566ba702b13a572ca744fbb3779df9888213762d67/coverage-7.10.1-cp314-cp314-win_arm64.whl", hash = "sha256:ee6be07af68d9c4fca4027c70cea0c31a0f1bc9cb464ff3c84a1f916bf82e652", size = 216776, upload-time = "2025-07-27T14:12:55.482Z" }, + { url = "https://files.pythonhosted.org/packages/62/0f/5bb8f29923141cca8560fe2217679caf4e0db643872c1945ac7d8748c2a7/coverage-7.10.1-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:d24fb3c0c8ff0d517c5ca5de7cf3994a4cd559cde0315201511dbfa7ab528894", size = 215698, upload-time = "2025-07-27T14:12:57.225Z" }, + { url = "https://files.pythonhosted.org/packages/80/29/547038ffa4e8e4d9e82f7dfc6d152f75fcdc0af146913f0ba03875211f03/coverage-7.10.1-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:1217a54cfd79be20512a67ca81c7da3f2163f51bbfd188aab91054df012154f5", size = 215902, upload-time = "2025-07-27T14:12:59.071Z" }, + { url = "https://files.pythonhosted.org/packages/e1/8a/7aaa8fbfaed900147987a424e112af2e7790e1ac9cd92601e5bd4e1ba60a/coverage-7.10.1-cp314-cp314t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:51f30da7a52c009667e02f125737229d7d8044ad84b79db454308033a7808ab2", size = 257230, upload-time = "2025-07-27T14:13:01.248Z" }, + { url = 
"https://files.pythonhosted.org/packages/e5/1d/c252b5ffac44294e23a0d79dd5acf51749b39795ccc898faeabf7bee903f/coverage-7.10.1-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:ed3718c757c82d920f1c94089066225ca2ad7f00bb904cb72b1c39ebdd906ccb", size = 259194, upload-time = "2025-07-27T14:13:03.247Z" }, + { url = "https://files.pythonhosted.org/packages/16/ad/6c8d9f83d08f3bac2e7507534d0c48d1a4f52c18e6f94919d364edbdfa8f/coverage-7.10.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:cc452481e124a819ced0c25412ea2e144269ef2f2534b862d9f6a9dae4bda17b", size = 261316, upload-time = "2025-07-27T14:13:04.957Z" }, + { url = "https://files.pythonhosted.org/packages/d6/4e/f9bbf3a36c061e2e0e0f78369c006d66416561a33d2bee63345aee8ee65e/coverage-7.10.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:9d6f494c307e5cb9b1e052ec1a471060f1dea092c8116e642e7a23e79d9388ea", size = 258794, upload-time = "2025-07-27T14:13:06.715Z" }, + { url = "https://files.pythonhosted.org/packages/87/82/e600bbe78eb2cb0541751d03cef9314bcd0897e8eea156219c39b685f869/coverage-7.10.1-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:fc0e46d86905ddd16b85991f1f4919028092b4e511689bbdaff0876bd8aab3dd", size = 256869, upload-time = "2025-07-27T14:13:08.933Z" }, + { url = "https://files.pythonhosted.org/packages/ce/5d/2fc9a9236c5268f68ac011d97cd3a5ad16cc420535369bedbda659fdd9b7/coverage-7.10.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:80b9ccd82e30038b61fc9a692a8dc4801504689651b281ed9109f10cc9fe8b4d", size = 257765, upload-time = "2025-07-27T14:13:10.778Z" }, + { url = "https://files.pythonhosted.org/packages/8a/05/b4e00b2bd48a2dc8e1c7d2aea7455f40af2e36484ab2ef06deb85883e9fe/coverage-7.10.1-cp314-cp314t-win32.whl", hash = "sha256:e58991a2b213417285ec866d3cd32db17a6a88061a985dbb7e8e8f13af429c47", size = 218420, upload-time = "2025-07-27T14:13:12.882Z" }, + { url = 
"https://files.pythonhosted.org/packages/77/fb/d21d05f33ea27ece327422240e69654b5932b0b29e7fbc40fbab3cf199bf/coverage-7.10.1-cp314-cp314t-win_amd64.whl", hash = "sha256:e88dd71e4ecbc49d9d57d064117462c43f40a21a1383507811cf834a4a620651", size = 219536, upload-time = "2025-07-27T14:13:14.718Z" }, + { url = "https://files.pythonhosted.org/packages/a6/68/7fea94b141281ed8be3d1d5c4319a97f2befc3e487ce33657fc64db2c45e/coverage-7.10.1-cp314-cp314t-win_arm64.whl", hash = "sha256:1aadfb06a30c62c2eb82322171fe1f7c288c80ca4156d46af0ca039052814bab", size = 217190, upload-time = "2025-07-27T14:13:16.85Z" }, + { url = "https://files.pythonhosted.org/packages/0f/64/922899cff2c0fd3496be83fa8b81230f5a8d82a2ad30f98370b133c2c83b/coverage-7.10.1-py3-none-any.whl", hash = "sha256:fa2a258aa6bf188eb9a8948f7102a83da7c430a0dce918dbd8b60ef8fcb772d7", size = 206597, upload-time = "2025-07-27T14:13:37.221Z" }, +] + +[package.optional-dependencies] +toml = [ + { name = "tomli", marker = "python_full_version <= '3.11'" }, +] + [[package]] name = "iniconfig" version = "2.1.0" @@ -68,6 +148,7 @@ dependencies = [ [package.dev-dependencies] dev = [ { name = "pytest" }, + { name = "pytest-cov" }, ] [package.metadata] @@ -77,7 +158,10 @@ requires-dist = [ ] [package.metadata.requires-dev] -dev = [{ name = "pytest", specifier = ">=8.4.1" }] +dev = [ + { name = "pytest", specifier = ">=8.4.1" }, + { name = "pytest-cov", specifier = ">=6.2.1" }, +] [[package]] name = "packaging" 
@@ -122,6 +206,20 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/29/16/c8a903f4c4dffe7a12843191437d7cd8e32751d5de349d45d3fe69544e87/pytest-8.4.1-py3-none-any.whl", hash = "sha256:539c70ba6fcead8e78eebbf1115e8b589e7565830d7d006a8723f19ac8a0afb7", size = 365474, upload-time = "2025-06-18T05:48:03.955Z" }, ] +[[package]] +name = "pytest-cov" +version = "6.2.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "coverage", extra = ["toml"] }, + { name = "pluggy" }, + { name = "pytest" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/18/99/668cade231f434aaa59bbfbf49469068d2ddd945000621d3d165d2e7dd7b/pytest_cov-6.2.1.tar.gz", hash = "sha256:25cc6cc0a5358204b8108ecedc51a9b57b34cc6b8c967cc2c01a4e00d8a67da2", size = 69432, upload-time = "2025-06-12T10:47:47.684Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/bc/16/4ea354101abb1287856baa4af2732be351c7bee728065aed451b678153fd/pytest_cov-6.2.1-py3-none-any.whl", hash = "sha256:f5bc4c23f42f1cdd23c70b1dab1bbaef4fc505ba950d53e0081d0730dd7e86d5", size = 24644, upload-time = "2025-06-12T10:47:45.932Z" }, +] + [[package]] name = "pyyaml" version = "6.0.2" 
@@ -272,6 +370,45 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/c8/ed/9de62c2150ca8e2e5858acf3f4f4d0d180a38feef9fdab4078bea63d8dba/rpds_py-0.26.0-pp311-pypy311_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:e99685fc95d386da368013e7fb4269dd39c30d99f812a8372d62f244f662709c", size = 555334, upload-time = "2025-07-01T15:56:51.703Z" }, ] +[[package]] +name = "tomli" +version = "2.2.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/18/87/302344fed471e44a87289cf4967697d07e532f2421fdaf868a303cbae4ff/tomli-2.2.1.tar.gz", hash = "sha256:cd45e1dc79c835ce60f7404ec8119f2eb06d38b1deba146f07ced3bbc44505ff", size = 17175, upload-time = "2024-11-27T22:38:36.873Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/43/ca/75707e6efa2b37c77dadb324ae7d9571cb424e61ea73fad7c56c2d14527f/tomli-2.2.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249", size = 131077, upload-time = "2024-11-27T22:37:54.956Z" }, + { url = "https://files.pythonhosted.org/packages/c7/16/51ae563a8615d472fdbffc43a3f3d46588c264ac4f024f63f01283becfbb/tomli-2.2.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6", size = 123429, upload-time = "2024-11-27T22:37:56.698Z" }, + { url = "https://files.pythonhosted.org/packages/f1/dd/4f6cd1e7b160041db83c694abc78e100473c15d54620083dbd5aae7b990e/tomli-2.2.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a", size = 226067, upload-time = "2024-11-27T22:37:57.63Z" }, + { url = "https://files.pythonhosted.org/packages/a9/6b/c54ede5dc70d648cc6361eaf429304b02f2871a345bbdd51e993d6cdf550/tomli-2.2.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6972ca9c9cc9f0acaa56a8ca1ff51e7af152a9f87fb64623e31d5c83700080ee", size = 236030, upload-time = 
"2024-11-27T22:37:59.344Z" }, + { url = "https://files.pythonhosted.org/packages/1f/47/999514fa49cfaf7a92c805a86c3c43f4215621855d151b61c602abb38091/tomli-2.2.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c954d2250168d28797dd4e3ac5cf812a406cd5a92674ee4c8f123c889786aa8e", size = 240898, upload-time = "2024-11-27T22:38:00.429Z" }, + { url = "https://files.pythonhosted.org/packages/73/41/0a01279a7ae09ee1573b423318e7934674ce06eb33f50936655071d81a24/tomli-2.2.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:8dd28b3e155b80f4d54beb40a441d366adcfe740969820caf156c019fb5c7ec4", size = 229894, upload-time = "2024-11-27T22:38:02.094Z" }, + { url = "https://files.pythonhosted.org/packages/55/18/5d8bc5b0a0362311ce4d18830a5d28943667599a60d20118074ea1b01bb7/tomli-2.2.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e59e304978767a54663af13c07b3d1af22ddee3bb2fb0618ca1593e4f593a106", size = 245319, upload-time = "2024-11-27T22:38:03.206Z" }, + { url = "https://files.pythonhosted.org/packages/92/a3/7ade0576d17f3cdf5ff44d61390d4b3febb8a9fc2b480c75c47ea048c646/tomli-2.2.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:33580bccab0338d00994d7f16f4c4ec25b776af3ffaac1ed74e0b3fc95e885a8", size = 238273, upload-time = "2024-11-27T22:38:04.217Z" }, + { url = "https://files.pythonhosted.org/packages/72/6f/fa64ef058ac1446a1e51110c375339b3ec6be245af9d14c87c4a6412dd32/tomli-2.2.1-cp311-cp311-win32.whl", hash = "sha256:465af0e0875402f1d226519c9904f37254b3045fc5084697cefb9bdde1ff99ff", size = 98310, upload-time = "2024-11-27T22:38:05.908Z" }, + { url = "https://files.pythonhosted.org/packages/6a/1c/4a2dcde4a51b81be3530565e92eda625d94dafb46dbeb15069df4caffc34/tomli-2.2.1-cp311-cp311-win_amd64.whl", hash = "sha256:2d0f2fdd22b02c6d81637a3c95f8cd77f995846af7414c5c4b8d0545afa1bc4b", size = 108309, upload-time = "2024-11-27T22:38:06.812Z" }, + { url = 
"https://files.pythonhosted.org/packages/52/e1/f8af4c2fcde17500422858155aeb0d7e93477a0d59a98e56cbfe75070fd0/tomli-2.2.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:4a8f6e44de52d5e6c657c9fe83b562f5f4256d8ebbfe4ff922c495620a7f6cea", size = 132762, upload-time = "2024-11-27T22:38:07.731Z" }, + { url = "https://files.pythonhosted.org/packages/03/b8/152c68bb84fc00396b83e7bbddd5ec0bd3dd409db4195e2a9b3e398ad2e3/tomli-2.2.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8d57ca8095a641b8237d5b079147646153d22552f1c637fd3ba7f4b0b29167a8", size = 123453, upload-time = "2024-11-27T22:38:09.384Z" }, + { url = "https://files.pythonhosted.org/packages/c8/d6/fc9267af9166f79ac528ff7e8c55c8181ded34eb4b0e93daa767b8841573/tomli-2.2.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4e340144ad7ae1533cb897d406382b4b6fede8890a03738ff1683af800d54192", size = 233486, upload-time = "2024-11-27T22:38:10.329Z" }, + { url = "https://files.pythonhosted.org/packages/5c/51/51c3f2884d7bab89af25f678447ea7d297b53b5a3b5730a7cb2ef6069f07/tomli-2.2.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:db2b95f9de79181805df90bedc5a5ab4c165e6ec3fe99f970d0e302f384ad222", size = 242349, upload-time = "2024-11-27T22:38:11.443Z" }, + { url = "https://files.pythonhosted.org/packages/ab/df/bfa89627d13a5cc22402e441e8a931ef2108403db390ff3345c05253935e/tomli-2.2.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:40741994320b232529c802f8bc86da4e1aa9f413db394617b9a256ae0f9a7f77", size = 252159, upload-time = "2024-11-27T22:38:13.099Z" }, + { url = "https://files.pythonhosted.org/packages/9e/6e/fa2b916dced65763a5168c6ccb91066f7639bdc88b48adda990db10c8c0b/tomli-2.2.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:400e720fe168c0f8521520190686ef8ef033fb19fc493da09779e592861b78c6", size = 237243, upload-time = "2024-11-27T22:38:14.766Z" }, + { url = 
"https://files.pythonhosted.org/packages/b4/04/885d3b1f650e1153cbb93a6a9782c58a972b94ea4483ae4ac5cedd5e4a09/tomli-2.2.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:02abe224de6ae62c19f090f68da4e27b10af2b93213d36cf44e6e1c5abd19fdd", size = 259645, upload-time = "2024-11-27T22:38:15.843Z" }, + { url = "https://files.pythonhosted.org/packages/9c/de/6b432d66e986e501586da298e28ebeefd3edc2c780f3ad73d22566034239/tomli-2.2.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:b82ebccc8c8a36f2094e969560a1b836758481f3dc360ce9a3277c65f374285e", size = 244584, upload-time = "2024-11-27T22:38:17.645Z" }, + { url = "https://files.pythonhosted.org/packages/1c/9a/47c0449b98e6e7d1be6cbac02f93dd79003234ddc4aaab6ba07a9a7482e2/tomli-2.2.1-cp312-cp312-win32.whl", hash = "sha256:889f80ef92701b9dbb224e49ec87c645ce5df3fa2cc548664eb8a25e03127a98", size = 98875, upload-time = "2024-11-27T22:38:19.159Z" }, + { url = "https://files.pythonhosted.org/packages/ef/60/9b9638f081c6f1261e2688bd487625cd1e660d0a85bd469e91d8db969734/tomli-2.2.1-cp312-cp312-win_amd64.whl", hash = "sha256:7fc04e92e1d624a4a63c76474610238576942d6b8950a2d7f908a340494e67e4", size = 109418, upload-time = "2024-11-27T22:38:20.064Z" }, + { url = "https://files.pythonhosted.org/packages/04/90/2ee5f2e0362cb8a0b6499dc44f4d7d48f8fff06d28ba46e6f1eaa61a1388/tomli-2.2.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7", size = 132708, upload-time = "2024-11-27T22:38:21.659Z" }, + { url = "https://files.pythonhosted.org/packages/c0/ec/46b4108816de6b385141f082ba99e315501ccd0a2ea23db4a100dd3990ea/tomli-2.2.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:286f0ca2ffeeb5b9bd4fcc8d6c330534323ec51b2f52da063b11c502da16f30c", size = 123582, upload-time = "2024-11-27T22:38:22.693Z" }, + { url = 
"https://files.pythonhosted.org/packages/a0/bd/b470466d0137b37b68d24556c38a0cc819e8febe392d5b199dcd7f578365/tomli-2.2.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a92ef1a44547e894e2a17d24e7557a5e85a9e1d0048b0b5e7541f76c5032cb13", size = 232543, upload-time = "2024-11-27T22:38:24.367Z" }, + { url = "https://files.pythonhosted.org/packages/d9/e5/82e80ff3b751373f7cead2815bcbe2d51c895b3c990686741a8e56ec42ab/tomli-2.2.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9316dc65bed1684c9a98ee68759ceaed29d229e985297003e494aa825ebb0281", size = 241691, upload-time = "2024-11-27T22:38:26.081Z" }, + { url = "https://files.pythonhosted.org/packages/05/7e/2a110bc2713557d6a1bfb06af23dd01e7dde52b6ee7dadc589868f9abfac/tomli-2.2.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e85e99945e688e32d5a35c1ff38ed0b3f41f43fad8df0bdf79f72b2ba7bc5272", size = 251170, upload-time = "2024-11-27T22:38:27.921Z" }, + { url = "https://files.pythonhosted.org/packages/64/7b/22d713946efe00e0adbcdfd6d1aa119ae03fd0b60ebed51ebb3fa9f5a2e5/tomli-2.2.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:ac065718db92ca818f8d6141b5f66369833d4a80a9d74435a268c52bdfa73140", size = 236530, upload-time = "2024-11-27T22:38:29.591Z" }, + { url = "https://files.pythonhosted.org/packages/38/31/3a76f67da4b0cf37b742ca76beaf819dca0ebef26d78fc794a576e08accf/tomli-2.2.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:d920f33822747519673ee656a4b6ac33e382eca9d331c87770faa3eef562aeb2", size = 258666, upload-time = "2024-11-27T22:38:30.639Z" }, + { url = "https://files.pythonhosted.org/packages/07/10/5af1293da642aded87e8a988753945d0cf7e00a9452d3911dd3bb354c9e2/tomli-2.2.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:a198f10c4d1b1375d7687bc25294306e551bf1abfa4eace6650070a5c1ae2744", size = 243954, upload-time = "2024-11-27T22:38:31.702Z" }, + { url = 
"https://files.pythonhosted.org/packages/5b/b9/1ed31d167be802da0fc95020d04cd27b7d7065cc6fbefdd2f9186f60d7bd/tomli-2.2.1-cp313-cp313-win32.whl", hash = "sha256:d3f5614314d758649ab2ab3a62d4f2004c825922f9e370b29416484086b264ec", size = 98724, upload-time = "2024-11-27T22:38:32.837Z" }, + { url = "https://files.pythonhosted.org/packages/c7/32/b0963458706accd9afcfeb867c0f9175a741bf7b19cd424230714d722198/tomli-2.2.1-cp313-cp313-win_amd64.whl", hash = "sha256:a38aa0308e754b0e3c67e344754dff64999ff9b513e691d0e786265c93583c69", size = 109383, upload-time = "2024-11-27T22:38:34.455Z" }, + { url = "https://files.pythonhosted.org/packages/6e/c2/61d3e0f47e2b74ef40a68b9e6ad5984f6241a942f7cd3bbfbdbd03861ea9/tomli-2.2.1-py3-none-any.whl", hash = "sha256:cb55c73c5f4408779d0cf3eef9f762b9c9f147a77de7b258bef0a5628adc85cc", size = 14257, upload-time = "2024-11-27T22:38:35.385Z" }, +] + [[package]] name = "typing-extensions" version = "4.14.1" -- Gitee From e9dbe4e83a1638cfaa24dae62c24395c684940ed Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 29 Jul 2025 17:29:11 +0800 Subject: [PATCH 026/109] add doc gen test --- os-harden-tools/tests/rules/test_metadata.py | 30 ++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/os-harden-tools/tests/rules/test_metadata.py b/os-harden-tools/tests/rules/test_metadata.py index 47e2701..6a45dc2 100644 --- a/os-harden-tools/tests/rules/test_metadata.py +++ b/os-harden-tools/tests/rules/test_metadata.py 
@@ -61,3 +61,33 @@ class TestMetadata: with pytest.raises(ValueError) as excinfo: RuleMetadata(config_test_path.joinpath(dirname)) assert str(excinfo.value) == f"Metadata id valid does not match directory name {dirname}" + + def test_valid_full_doc(self, config_test_path): + path = config_test_path.joinpath("valid_full") + assert RuleMetadata(path).doc == """### valid_full valid metadata + +valid metadata + +#### 参数 + +**xxx** + +xxx + +#### 参考文档 + +- [example](https://example.com) + +""" + + def test_valid_doc(self, config_test_path): + path = config_test_path.joinpath("valid") + assert RuleMetadata(path).doc == """### valid valid metadata + +valid metadata + +#### 参数 + +无 + +""" -- Gitee From 162512d6df21f90232301e4c199f0c9fc16b2325 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 29 Jul 2025 17:45:22 +0800 Subject: [PATCH 027/109] add testcases --- os-harden-tools/tests/__init__.py | 0 .../tests/config_parser/__init__.py | 0 .../tests/config_parser/test_collection.py | 2 +- .../tests/executor/test_executor.py | 23 +++++++++++++++++++ 4 files changed, 24 insertions(+), 1 deletion(-) delete mode 100644 os-harden-tools/tests/__init__.py delete mode 100644 os-harden-tools/tests/config_parser/__init__.py create mode 100644 os-harden-tools/tests/executor/test_executor.py diff --git a/os-harden-tools/tests/__init__.py b/os-harden-tools/tests/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/os-harden-tools/tests/config_parser/__init__.py b/os-harden-tools/tests/config_parser/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/os-harden-tools/tests/config_parser/test_collection.py b/os-harden-tools/tests/config_parser/test_collection.py index 8ac5b0c..b3d8379 100644 --- a/os-harden-tools/tests/config_parser/test_collection.py +++ b/os-harden-tools/tests/config_parser/test_collection.py 
@@ -4,7 +4,7 @@ import pytest from config_parser import collect_configs -class TestConfigParser: +class TestConfigCollector: @pytest.fixture def config_test_path(self, request): return Path(request.path).parent.joinpath("collection").resolve() diff --git a/os-harden-tools/tests/executor/test_executor.py b/os-harden-tools/tests/executor/test_executor.py new file mode 100644 index 0000000..bf65ce8 --- /dev/null +++ b/os-harden-tools/tests/executor/test_executor.py @@ -0,0 +1,23 @@ +from pathlib import Path + +import pytest + +from executor import CmdExecutor, CmdTemplate, CmdParameter + + +class TestExecutor: + + def test_normal(self): + c = CmdExecutor(Path('echo')) + template = CmdTemplate('name') + param = CmdParameter(template) + c.add_args(param) + assert c.run() == 'name\n' + + def test_error(self): + c = CmdExecutor(Path('ls')) + template = CmdTemplate('/nonexistent_directory') + param = CmdParameter(template) + c.add_args(param) + with pytest.raises(RuntimeError): + c.run() -- Gitee From 420e7eb432ac53f69f81c1fabf6976691ecb266e Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 29 Jul 2025 17:49:04 +0800 Subject: [PATCH 028/109] add empty test --- os-harden-tools/tests/rules/ruleset/categories.json | 0 os-harden-tools/tests/rules/test_rulemanager.py | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 os-harden-tools/tests/rules/ruleset/categories.json create mode 100644 os-harden-tools/tests/rules/test_rulemanager.py diff --git a/os-harden-tools/tests/rules/ruleset/categories.json b/os-harden-tools/tests/rules/ruleset/categories.json new file mode 100644 index 0000000..e69de29 diff --git a/os-harden-tools/tests/rules/test_rulemanager.py b/os-harden-tools/tests/rules/test_rulemanager.py new file mode 100644 index 0000000..e69de29 -- Gitee From 2e7c608fcf4f74516adeb53fb0f6bc929a5fadc1 Mon Sep 17 00:00:00 2001 
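Review bot: `test_error` only asserts the exception type, so it also passes when `run()` raises RuntimeError for an unrelated reason (for example `ls` not being found on PATH at all); if `run()` carries the child's stderr in its message, as the later test expecting `"Command failed with error: "` suggests, pin it with `assert 'nonexistent_directory' in str(excinfo.value)`. Both tests also hand the executor a bare `Path('echo')` / `Path('ls')` that subprocess resolves through PATH, whereas rule entries appear to be resolved to absolute paths elsewhere, so one case built from `shutil.which('echo')` would cover the realistic invocation. `CmdExecutor.run` itself is outside this hunk.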
From: Tomahawkd Date: Tue, 29 Jul 2025 12:29:10 +0000 Subject: [PATCH 029/109] add rule manager testcase --- os-harden-tools/rule_metadata/manager.py | 48 +++-- .../rules/ruleset/execution/categories.json | 6 + .../rules/ruleset/execution/test.01/entry.sh | 3 + .../ruleset/execution/test.01/metadata.json | 6 + .../rules/ruleset/execution/test.02/entry.sh | 2 + .../ruleset/execution/test.02/metadata.json | 6 + .../rules/ruleset/execution/test.03/entry.sh | 3 + .../ruleset/execution/test.03/metadata.json | 15 ++ .../rules/ruleset/naming/categories.json | 22 ++ .../ruleset/naming/invalid.01/metadata.json | 6 + .../ruleset/naming/nocat.01/metadata.json | 6 + .../{categories.json => naming/notdir.01} | 0 .../ruleset/naming/test-02/metadata.json | 6 + .../ruleset/naming/test.00/metadata.json | 6 + .../ruleset/naming/test.01/metadata.json | 6 + .../ruleset/naming/test.o3/metadata.json | 6 + .../ruleset/naming/test1.01/metadata.json | 6 + os-harden-tools/tests/rules/ruleset/not_a_dir | 0 .../tests/rules/test_rulemanager.py | 193 ++++++++++++++++++ 19 files changed, 328 insertions(+), 18 deletions(-) create mode 100644 os-harden-tools/tests/rules/ruleset/execution/categories.json create mode 100755 os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh create mode 100644 os-harden-tools/tests/rules/ruleset/execution/test.01/metadata.json create mode 100755 os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh create mode 100644 os-harden-tools/tests/rules/ruleset/execution/test.02/metadata.json create mode 100755 os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh create mode 100644 os-harden-tools/tests/rules/ruleset/execution/test.03/metadata.json create mode 100644 os-harden-tools/tests/rules/ruleset/naming/categories.json create mode 100644 os-harden-tools/tests/rules/ruleset/naming/invalid.01/metadata.json create mode 100644 os-harden-tools/tests/rules/ruleset/naming/nocat.01/metadata.json rename 
os-harden-tools/tests/rules/ruleset/{categories.json => naming/notdir.01} (100%) create mode 100644 os-harden-tools/tests/rules/ruleset/naming/test-02/metadata.json create mode 100644 os-harden-tools/tests/rules/ruleset/naming/test.00/metadata.json create mode 100644 os-harden-tools/tests/rules/ruleset/naming/test.01/metadata.json create mode 100644 os-harden-tools/tests/rules/ruleset/naming/test.o3/metadata.json create mode 100644 os-harden-tools/tests/rules/ruleset/naming/test1.01/metadata.json create mode 100644 os-harden-tools/tests/rules/ruleset/not_a_dir diff --git a/os-harden-tools/rule_metadata/manager.py b/os-harden-tools/rule_metadata/manager.py index 4ef1c8d..4ceba73 100644 --- a/os-harden-tools/rule_metadata/manager.py +++ b/os-harden-tools/rule_metadata/manager.py @@ -9,6 +9,23 @@ from rule_metadata import RuleMetadata from utils import load_json_file, HOME_DIR +def precheck(rule_path: Path) -> bool: + if not rule_path.is_dir(): + logging.error(f"Rule path {rule_path} is not a directory") + return False + if not rule_path.name.split('.', 1)[1].isdigit(): + logging.error( + f"Rule directory {rule_path.name} does not have a valid numeric index after the category") + return False + if int(rule_path.name.split('.', 1)[1]) <= 0: + logging.error(f"Rule directory {rule_path.name} has an invalid index (must be > 0)") + return False + if not rule_path.joinpath("metadata.json").is_file(): + logging.error(f"Rule path {rule_path} does not contain a metadata.json file") + return False + return True + + class RuleManager: def __init__(self, rules_dir: Path): self._dir = rules_dir.resolve() 
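Review bot: `precheck` indexes `rule_path.name.split('.', 1)[1]` without checking that a dot is present, so a directory name with no dot raises IndexError instead of returning False; this is reachable because `precheck` is a module-level function the test module imports and calls directly, even though the `f"{category_id}.*"` glob in `reload_rules` always supplies the dot. In addition `str.isdigit()` accepts non-ASCII digits such as `'²'`, which the following `int(...)` rejects with ValueError, so the "must be > 0" branch can crash rather than log. Splitting once and validating the tail fixes both: `parts = rule_path.name.split('.', 1)` followed by `if len(parts) != 2 or not (parts[1].isascii() and parts[1].isdigit()):`, with `int(parts[1])` reused in the positivity check.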
@@ -31,27 +48,25 @@ class RuleManager: @property def rules(self) -> List[str]: - return self._rules + return self._rules.copy() def rule_exists(self, rule_id: str) -> bool: return rule_id in self._rules def get_rules_by_category(self, category_id: str) -> List[str]: if category_id not in self._categories: - raise KeyError(f"Category with ID {category_id} not found") + raise ValueError(f"Category with ID {category_id} not found") return [rule for rule in self._rules if rule.startswith(category_id + '.')] def get_rule_metadata(self, rule_id: str) -> RuleMetadata: if rule_id not in self._rules: - raise KeyError(f"Rule with ID {rule_id} not found") + raise ValueError(f"Rule with ID {rule_id} not found") rule = self._dir.joinpath(rule_id).resolve() - if not rule.joinpath("metadata.json").is_file(): - raise FileNotFoundError(f"Rule file {rule} is not a regular file") return RuleMetadata(rule) def get_category_desc(self, category_id: str) -> Dict[str, Any]: if category_id not in self._categories: - raise KeyError(f"Category with ID {category_id} not found") + raise ValueError(f"Category with ID {category_id} not found") return self._categories[category_id] def reload_rules(self): @@ -62,17 +77,11 @@ class RuleManager: categories = sorted(categories, key=lambda c: c['id']) for category in categories: category_id = category["id"] - self._categories[category_id] = category # collect all valid rules rules: List[str] = [] for rule_path in self._dir.glob(f"{category_id}.*"): - if not rule_path.name.split('.', 1)[1].isdigit(): - logging.error( - f"Rule directory {rule_path.name} does not have a valid numeric index after the category") - continue - if not rule_path.joinpath("metadata.json").is_file(): - logging.error(f"Rule path {rule_path} does not contain a metadata.json file") + if not precheck(rule_path): continue try: RuleMetadata(rule_path) 
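Review bot: In the `reload_rules` hunk a rule directory that fails `precheck` (or whose `RuleMetadata` construction fails, handled by an `except` that lies outside this hunk) is dropped with only an error log, so a rule an operator has enabled in their configuration later surfaces from `apply_rule` as `ValueError: Rule test.01 not found.` with the real cause buried earlier in the log. For a hardening tool that is a silent-skip worth making visible: collect the rejected directory names during the loop and either mention them in the `apply_rule` error or emit one summary warning after the category loop. A comment on the `if not precheck(rule_path): continue` line stating that invalid rules are intentionally skipped rather than failing the load would also document the chosen policy.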
@@ -85,20 +94,21 @@ class RuleManager: logging.error(f"No rules found for category {category_id}") continue + self._categories[category_id] = category self._rules.extend(sorted(rules, key=lambda r: int(r.split('.', 1)[1]))) - def apply_rule(self, rule: str, config): + def apply_rule(self, rule: str, config=None): if config is None: config = {} - if self.rule_exists(rule): + if not self.rule_exists(rule): raise ValueError(f"Rule {rule} not found.") # pop the 'enabled' key from config, if any if not config.pop('enabled', True): - logging.debug(f"Rule {rule} is disabled in the configuration.") + logging.warning(f"Rule {rule} is disabled in the configuration.") return - logging.debug(f"Applying rule: {rule} with config: {config}") + logging.debug(f"Applying rule {rule} with config: {config}") metadata = self.get_rule_metadata(rule) executor = CmdExecutor(metadata.entry) @@ -121,7 +131,9 @@ class RuleManager: executor.add_args(cmd_param) try: - executor.run() + result = executor.run() + logging.info(f"rule {rule} applied with result:") + logging.info(result) except Exception as e: logging.error(f"Failed to execute command for rule {rule}.") raise e diff --git a/os-harden-tools/tests/rules/ruleset/execution/categories.json b/os-harden-tools/tests/rules/ruleset/execution/categories.json new file mode 100644 index 0000000..f99430a --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/categories.json @@ -0,0 +1,6 @@ +[ + { + "id": "test", + "name": "Test Category" + } +] \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh new file mode 100755 index 0000000..3fc11ce --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env sh +echo 'hello from entry.sh' +return 0 \ No newline at end of file 
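Review bot: `config.pop('enabled', True)` mutates the caller's dictionary, so applying the same config object twice changes behaviour: the first call pops `enabled: False` and returns, the second sees no key, defaults to True and executes the rule that was meant to stay disabled. Copy before mutating by replacing the `if config is None: config = {}` pair with `config = dict(config) if config else {}`. In the `except` block, `raise e` should be a bare `raise` so the original traceback is preserved; note also that `logging.info(result)` writes the entry script's full stdout to the log, which is fine for debugging but worth a comment if rule scripts may print anything sensitive.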
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.01/metadata.json b/os-harden-tools/tests/rules/ruleset/execution/test.01/metadata.json new file mode 100644 index 0000000..a6c2da6 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "test.01", + "name": "valid metadata", + "description": "valid metadata", + "entry": "entry.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh new file mode 100755 index 0000000..360ac43 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh @@ -0,0 +1,2 @@ +#!/usr/bin/env sh +return 1 \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.02/metadata.json b/os-harden-tools/tests/rules/ruleset/execution/test.02/metadata.json new file mode 100644 index 0000000..076a7c0 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.02/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "test.02", + "name": "valid metadata", + "description": "valid metadata", + "entry": "entry.sh" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh new file mode 100755 index 0000000..67d0a45 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env sh +echo "hello $1 $2" +return 0 \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.03/metadata.json b/os-harden-tools/tests/rules/ruleset/execution/test.03/metadata.json new file mode 100644 index 0000000..40abaa5 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.03/metadata.json 
@@ -0,0 +1,15 @@ +{ + "id": "test.03", + "name": "valid metadata", + "description": "valid metadata", + "entry": "entry.sh", + "parameters": [ + { + "id": "input", + "name": "input", + "description": "input parameter", + "converter": "TestConverter", + "cmd_template": "%file1 %file2" + } + ] +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/naming/categories.json b/os-harden-tools/tests/rules/ruleset/naming/categories.json new file mode 100644 index 0000000..dcfe10a --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/categories.json @@ -0,0 +1,22 @@ +[ + { + "id": "nometa", + "name": "No Metadata" + }, + { + "id": "test", + "name": "Test Category" + }, + { + "id": "test1", + "name": "Test Category 1" + }, + { + "id": "notdir", + "name": "Not a Directory Category" + }, + { + "id": "invalid", + "name": "Invalid Category" + } +] \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/naming/invalid.01/metadata.json b/os-harden-tools/tests/rules/ruleset/naming/invalid.01/metadata.json new file mode 100644 index 0000000..262f4a1 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/invalid.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "valid.01", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/naming/nocat.01/metadata.json b/os-harden-tools/tests/rules/ruleset/naming/nocat.01/metadata.json new file mode 100644 index 0000000..1288e1f --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/nocat.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "nocat.01", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json" +} \ No newline at end of file 
diff --git a/os-harden-tools/tests/rules/ruleset/categories.json b/os-harden-tools/tests/rules/ruleset/naming/notdir.01 similarity index 100% rename from os-harden-tools/tests/rules/ruleset/categories.json rename to os-harden-tools/tests/rules/ruleset/naming/notdir.01 diff --git a/os-harden-tools/tests/rules/ruleset/naming/test-02/metadata.json b/os-harden-tools/tests/rules/ruleset/naming/test-02/metadata.json new file mode 100644 index 0000000..dc73f1c --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/test-02/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "test-02", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/naming/test.00/metadata.json b/os-harden-tools/tests/rules/ruleset/naming/test.00/metadata.json new file mode 100644 index 0000000..c49d357 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/test.00/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "test.00", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/naming/test.01/metadata.json b/os-harden-tools/tests/rules/ruleset/naming/test.01/metadata.json new file mode 100644 index 0000000..87105ea --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/test.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "test.01", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/naming/test.o3/metadata.json b/os-harden-tools/tests/rules/ruleset/naming/test.o3/metadata.json new file mode 100644 index 0000000..dd4a644 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/test.o3/metadata.json 
@@ -0,0 +1,6 @@ +{ + "id": "test.o3", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/naming/test1.01/metadata.json b/os-harden-tools/tests/rules/ruleset/naming/test1.01/metadata.json new file mode 100644 index 0000000..a28febf --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/naming/test1.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "test1.01", + "name": "valid metadata", + "description": "valid metadata", + "entry": "metadata.json" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/not_a_dir b/os-harden-tools/tests/rules/ruleset/not_a_dir new file mode 100644 index 0000000..e69de29 diff --git a/os-harden-tools/tests/rules/test_rulemanager.py b/os-harden-tools/tests/rules/test_rulemanager.py index e69de29..c2cc77d 100644 --- a/os-harden-tools/tests/rules/test_rulemanager.py +++ b/os-harden-tools/tests/rules/test_rulemanager.py 
@@ -0,0 +1,193 @@ +import logging +from pathlib import Path + +import pytest +from rule_metadata.manager import RuleManager, precheck + + +class TestRuleManager: + @pytest.fixture + def rule_path(self, request): + return Path(request.path).parent.joinpath("ruleset").resolve() + + def test_precheck_not_dir(self, rule_path, caplog): + naming = rule_path.joinpath("naming") + + not_dir = naming.joinpath("notdir.01").resolve() + with caplog.at_level(logging.ERROR): + assert not precheck(not_dir) + assert f"Rule path {not_dir} is not a directory" in caplog.text + + def test_precheck_not_digit(self, rule_path, caplog): + naming = rule_path.joinpath("naming") + + not_digit = naming.joinpath("test.o3").resolve() + with caplog.at_level(logging.ERROR): + assert not precheck(not_digit) + assert f"Rule directory {not_digit.name} does not have a valid numeric index after the category" in caplog.text + + def test_precheck_not_positive(self, rule_path, caplog): + naming = rule_path.joinpath("naming") + + not_positive = naming.joinpath("test.00").resolve() + with caplog.at_level(logging.ERROR): + assert not precheck(not_positive) + assert f"Rule directory {not_positive.name} has an invalid index (must be > 0)" in caplog.text + + def test_precheck_no_metadata(self, rule_path, caplog): + naming = rule_path.joinpath("naming") + + no_metadata = naming.joinpath("nometa.01").resolve() + with caplog.at_level(logging.ERROR): + assert not precheck(no_metadata) + assert f"Rule path {no_metadata} does not contain a metadata.json file" in caplog.text + + def test_rule_manager_not_dir(self, rule_path): + with pytest.raises(NotADirectoryError) as e: + RuleManager(rule_path.joinpath("not_a_dir")) + assert str(e.value) == f"Path is not a directory: {rule_path.joinpath('not_a_dir').resolve()}" + + def test_rule_manager_not_found(self, rule_path): + with pytest.raises(FileNotFoundError) as e: + RuleManager(rule_path.joinpath("non_existent_dir")) + assert str(e.value) == f"Rules directory does not 
exist: {rule_path.joinpath('non_existent_dir').resolve()}" + + def test_rule_manager_no_categories(self, rule_path): + no_cat = rule_path.joinpath("no_categories").resolve() + with pytest.raises(FileNotFoundError) as e: + RuleManager(no_cat) + assert str(e.value) == f"File not found: {no_cat.joinpath('categories.json')}" + + def test_rule_manager_init(self, rule_path, caplog): + naming = rule_path.joinpath("naming").resolve() + caplog.set_level(logging.WARNING) + manager = RuleManager(naming) + assert f"Rule path {naming.joinpath('invalid.01')} is not valid" in caplog.text + assert f"No rules found for category nometa" in caplog.text + assert f"No rules found for category notdir" in caplog.text + assert f"No rules found for category invalid" in caplog.text + + assert manager.path == naming + categories = { + "test": {"id": "test", "name": "Test Category"}, + "test1": {"id": "test1", "name": "Test Category 1"} + } + assert manager.categories == categories + + rules = ["test.01", "test1.01"] + assert manager.rules == rules + + def test_rule_manager_rule_exists(self, rule_path): + naming = rule_path.joinpath("naming").resolve() + manager = RuleManager(naming) + + assert manager.rule_exists("test.01") + assert not manager.rule_exists("nonexistent.01") + + def test_rule_manager_get_rules_by_category(self, rule_path): + naming = rule_path.joinpath("naming").resolve() + manager = RuleManager(naming) + + assert manager.get_rules_by_category("test") == ["test.01"] + assert manager.get_rules_by_category("test1") == ["test1.01"] + with pytest.raises(ValueError) as e: + manager.get_rules_by_category("nonexistent") + assert str(e.value) == "Category with ID nonexistent not found" + + def test_rule_manager_get_rule_metadata(self, rule_path): + naming = rule_path.joinpath("naming").resolve() + manager = RuleManager(naming) + + metadata = manager.get_rule_metadata("test.01") + assert metadata.id == "test.01" + assert metadata.name == "valid metadata" + assert metadata.description 
== "valid metadata" + assert metadata.entry == naming.joinpath("test.01").joinpath("metadata.json").resolve() + + with pytest.raises(ValueError) as e: + manager.get_rule_metadata("nonexistent.01") + assert str(e.value) == "Rule with ID nonexistent.01 not found" + + # with pytest.raises(FileNotFoundError) as e: + # manager.get_rule_metadata("nometa.01") + # assert str(e.value) == f"Rule file {naming.joinpath('nometa.01').resolve()} is not a regular file" + + def test_rule_manager_get_category_desc(self, rule_path): + naming = rule_path.joinpath("naming").resolve() + manager = RuleManager(naming) + + desc = manager.get_category_desc("test") + assert desc == {"id": "test", "name": "Test Category"} + + with pytest.raises(ValueError) as e: + manager.get_category_desc("nonexistent") + assert str(e.value) == "Category with ID nonexistent not found" + + def test_rule_manager_apply_rule_non_exist(self, rule_path): + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + with pytest.raises(ValueError) as e: + manager.apply_rule("nonexistent.01") + assert str(e.value) == "Rule nonexistent.01 not found." + + def test_rule_manager_apply_rule_not_enabled(self, rule_path, caplog): + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + config = {"enabled": False} + with caplog.at_level(logging.WARNING): + manager.apply_rule("test.01", config) + assert "Rule test.01 is disabled in the configuration." 
in caplog.text + + def test_rule_manager_apply_rule(self, rule_path, caplog): + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + config = {"enabled": True} + caplog.set_level(logging.DEBUG) + manager.apply_rule("test.01", config) + assert f"Applying rule test.01 with config: {config}" in caplog.text + assert f'rule test.01 applied with result:' + assert f'hello from entry.sh' + + def test_rule_manager_apply_rule_fail(self, rule_path, caplog): + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + caplog.set_level(logging.ERROR) + with pytest.raises(RuntimeError) as e: + manager.apply_rule("test.02") + assert str(e.value) == "Command failed with error: " + assert "Failed to execute command for rule test.02." in caplog.text + + def test_rule_manager_apply_rule_miss_param(self, rule_path): + from converter_sample import TestConverter + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + with pytest.raises(ValueError) as e: + manager.apply_rule("test.03") + assert str(e.value) == "Parameter input is missing in the configuration for rule test.03." + + def test_rule_manager_apply_rule_invalid_param(self, rule_path, caplog): + from converter_sample import TestConverter + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + caplog.set_level(logging.ERROR) + with pytest.raises(Exception) as e: + manager.apply_rule("test.03", {'input': {'file1': 'file1.txt'}}) + assert "Failed to generate command line on parameter input." 
in caplog.text + + def test_rule_manager_apply_rule_with_param(self, rule_path, caplog): + from converter_sample import TestConverter + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + config = {'input': {'file1': 'file1.txt', 'file2': 'file2.txt'}} + caplog.set_level(logging.DEBUG) + manager.apply_rule("test.03", config) + assert f"Applying rule test.03 with config: {config}" in caplog.text + assert f'rule test.03 applied with result:' + assert f'hello file1.txt file2.txt' -- Gitee From 96611b556df0751ce7f17e67ac7c5089835f5773 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 29 Jul 2025 12:38:52 +0000 Subject: [PATCH 030/109] add rule manager testcase --- .../rules/ruleset/execution/test.04/entry.sh | 3 +++ .../ruleset/execution/test.04/metadata.json | 22 +++++++++++++++++++ .../tests/rules/test_rulemanager.py | 20 ++++++++++++++--- 3 files changed, 42 insertions(+), 3 deletions(-) create mode 100755 os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh create mode 100644 os-harden-tools/tests/rules/ruleset/execution/test.04/metadata.json diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh new file mode 100755 index 0000000..23077de --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env sh +echo "hello $1 $2 $3 $4" +return 0 \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.04/metadata.json b/os-harden-tools/tests/rules/ruleset/execution/test.04/metadata.json new file mode 100644 index 0000000..12dc255 --- /dev/null +++ b/os-harden-tools/tests/rules/ruleset/execution/test.04/metadata.json 
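Review bot: In `test_rule_manager_apply_rule` and `test_rule_manager_apply_rule_with_param` the lines `assert f'rule test.01 applied with result:'` and `assert f'hello from entry.sh'` (and their `test.03` counterparts) assert a non-empty string literal, which is always true, so the result logging is not actually verified; they should read `assert 'rule test.01 applied with result:' in caplog.text` and `assert 'hello from entry.sh' in caplog.text`. The `from converter_sample import TestConverter` lines are imported for their registration side effect and otherwise unused, which linters will flag; a trailing `# noqa: F401 - registers TestConverter` would make the intent explicit. `pytest.raises(Exception)` in `test_rule_manager_apply_rule_invalid_param` is broad enough to pass on any failure; narrowing it to the type the parameter conversion raises would pin the behaviour.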
@@ -0,0 +1,22 @@ +{ + "id": "test.04", + "name": "valid metadata", + "description": "valid metadata", + "entry": "entry.sh", + "parameters": [ + { + "id": "input", + "name": "input", + "description": "input parameter", + "converter": "TestConverter", + "cmd_template": "%file1 %file2" + }, + { + "id": "input1", + "name": "input1", + "description": "input1 parameter", + "converter": "TestConverter", + "cmd_template": "%file1 %file2" + } + ] +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/test_rulemanager.py b/os-harden-tools/tests/rules/test_rulemanager.py index c2cc77d..2a7bf14 100644 --- a/os-harden-tools/tests/rules/test_rulemanager.py +++ b/os-harden-tools/tests/rules/test_rulemanager.py @@ -135,9 +135,8 @@ class TestRuleManager: execution = rule_path.joinpath("execution").resolve() manager = RuleManager(execution) - config = {"enabled": False} with caplog.at_level(logging.WARNING): - manager.apply_rule("test.01", config) + manager.apply_rule("test.01", {"enabled": False}) assert "Rule test.01 is disabled in the configuration." in caplog.text def test_rule_manager_apply_rule(self, rule_path, caplog): @@ -176,7 +175,7 @@ class TestRuleManager: manager = RuleManager(execution) caplog.set_level(logging.ERROR) - with pytest.raises(Exception) as e: + with pytest.raises(Exception): manager.apply_rule("test.03", {'input': {'file1': 'file1.txt'}}) assert "Failed to generate command line on parameter input." in caplog.text 
@@ -191,3 +190,18 @@ class TestRuleManager: assert f"Applying rule test.03 with config: {config}" in caplog.text assert f'rule test.03 applied with result:' assert f'hello file1.txt file2.txt' + + def test_rule_manager_apply_rule_invalid_param_second(self, rule_path, caplog): + from converter_sample import TestConverter + execution = rule_path.joinpath("execution").resolve() + manager = RuleManager(execution) + + config = { + 'input': {'file1': 'file1.txt', 'file2': 'file2.txt'}, + 'input1': {'file1': 'file1.txt'} + } + + caplog.set_level(logging.ERROR) + with pytest.raises(Exception): + manager.apply_rule("test.04", config) + assert "Failed to generate command line on parameter input1." in caplog.text \ No newline at end of file -- Gitee From 56bec5837fa1be97a357d3b2054af867495e17de Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 01:17:44 +0000 Subject: [PATCH 031/109] add empty dirs --- os-harden-tools/tests/rules/ruleset/naming/nometa.01/.gitkeep | 0 os-harden-tools/tests/rules/ruleset/no_categories/.gitkeep | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 os-harden-tools/tests/rules/ruleset/naming/nometa.01/.gitkeep create mode 100644 os-harden-tools/tests/rules/ruleset/no_categories/.gitkeep diff --git a/os-harden-tools/tests/rules/ruleset/naming/nometa.01/.gitkeep b/os-harden-tools/tests/rules/ruleset/naming/nometa.01/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/os-harden-tools/tests/rules/ruleset/no_categories/.gitkeep b/os-harden-tools/tests/rules/ruleset/no_categories/.gitkeep new file mode 100644 index 0000000..e69de29 -- Gitee From 03f6330e29b0e9098e3d9fe19cacf7944a638301 Mon Sep 17 00:00:00 2001 
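Review bot: `test_rule_manager_apply_rule_invalid_param_second` uses `with pytest.raises(Exception):`, which also passes if `apply_rule` fails for any reason other than the missing `file2` on `input1` (for instance a lookup error on the converter name), so the test does not pin the behaviour it names; raise the specific type that command-line generation throws, presumably `ValueError` if it follows the rest of the module, or at least check `str(e.value)` in addition to the log text. The file also gains a final line without a trailing newline, which most formatters will churn on. The `from converter_sample import TestConverter` line is a side-effect import and deserves a short comment saying so.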
From: Tomahawkd Date: Wed, 30 Jul 2025 09:21:22 +0800 Subject: [PATCH 032/109] change to exit --- os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh | 2 +- os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh | 2 +- os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh | 2 +- os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh index 3fc11ce..becd093 100755 --- a/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh +++ b/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh @@ -1,3 +1,3 @@ #!/usr/bin/env sh echo 'hello from entry.sh' -return 0 \ No newline at end of file +exit 0 \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh index 360ac43..08ac2a0 100755 --- a/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh +++ b/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh @@ -1,2 +1,2 @@ #!/usr/bin/env sh -return 1 \ No newline at end of file +exit 1 \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh index 67d0a45..1caecd4 100755 --- a/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh +++ b/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh @@ -1,3 +1,3 @@ #!/usr/bin/env sh echo "hello $1 $2" -return 0 \ No newline at end of file +exit 0 \ No newline at end of file diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh b/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh index 23077de..2ace226 100755 --- a/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh 
+++ b/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh @@ -1,3 +1,3 @@ #!/usr/bin/env sh echo "hello $1 $2 $3 $4" -return 0 \ No newline at end of file +exit 0 \ No newline at end of file -- Gitee From 883fdb8f532d1ea0f3b18bbdf7de689ef318df06 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 09:48:51 +0800 Subject: [PATCH 033/109] add pydocs --- os-harden-tools/.gitignore | 1 + os-harden-tools/executor.py | 63 ++++++++ .../rule_metadata/converters/file_list.py | 13 ++ os-harden-tools/rule_metadata/manager.py | 60 +++++++- os-harden-tools/rule_metadata/metadata.py | 141 +++++++++++++++++- os-harden-tools/tools/list.md | 74 --------- os-harden-tools/utils.py | 6 + 7 files changed, 278 insertions(+), 80 deletions(-) delete mode 100755 os-harden-tools/tools/list.md diff --git a/os-harden-tools/.gitignore b/os-harden-tools/.gitignore index be88b56..28ca990 100644 --- a/os-harden-tools/.gitignore +++ b/os-harden-tools/.gitignore @@ -162,3 +162,4 @@ cython_debug/ # option (not recommended) you can uncomment the following to ignore the entire idea folder. #.idea/ +temp diff --git a/os-harden-tools/executor.py b/os-harden-tools/executor.py index 76f3018..a3b1348 100644 --- a/os-harden-tools/executor.py +++ b/os-harden-tools/executor.py @@ -5,7 +5,16 @@ import logging class CmdTemplate: + """ + A class to parse a command template and extract variable indexes. + """ def __init__(self, template: str): + """ + Initializes the CmdTemplate with a command template string. + The template can contain variables prefixed with % and escaped variables with %%. + :param template: The command template string. + :raises ValueError: If the template is invalid (e.g., contains a variable with no id). + """ self._template = template.split(' ') self._variable_index: Dict[str, List[int]] = self._parse_cmd_template() 
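Review bot: The new `CmdTemplate.__init__` docstring describes the `%` / `%%` variable syntax but not how the template is tokenised, and the unchanged `self._template = template.split(' ')` line below it splits on a single space, so a `cmd_template` such as `"%file1  %file2"` (two spaces) yields an empty argv element that is passed to the entry script as an argument. Add a sentence to the docstring, `Tokens are separated by exactly one space; consecutive spaces produce empty arguments.`, or switch to `template.split()` if that was the intent. The `:raises ValueError:` claim refers to `_parse_cmd_template`, which is outside this hunk, so I could not confirm it here.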
@@ -31,28 +40,61 @@ class CmdTemplate: @property def template(self) -> List[str]: + """ + Returns the command template as a list of strings. + """ # make a copy so that other modules can modify the template without affecting the original return self._template.copy() @property def variable_index(self) -> Dict[str, List[int]]: + """ + Returns the variable index mapping variable ids to their positions in the command template. + """ return self._variable_index class CmdParameter: + """ + A class to hold command parameters and environment variables. + It uses a CmdTemplate to manage command templates and allows adding variables and environment variables. + """ def __init__(self, template: CmdTemplate): + """ + Initializes the CmdParameter with a CmdTemplate. + """ self._cmd_template = template self._variables = {} self._env = {} def add_variable(self, variable_id: str, value: str): + """ + Adds a variable to the command parameters. + If the variable already exists, it will be overwritten. + :param variable_id: The identifier for the variable (without the % prefix). + :param value: The value of the variable. + :raises ValueError: If the variable_id is empty. + """ self._variables[variable_id] = value def add_env(self, name: str, value: str): + """ + Adds an environment variable to the command parameters. + If the variable already exists, it will be overwritten. + :param name: The name of the environment variable. + :param value: The value of the environment variable. + :raises ValueError: If the name is empty. + """ self._env[name] = value @property def cmd(self) -> List[str]: + """ + Returns the command as a list of strings, with variables replaced by their values. + If a variable is not found in the variable collection, it raises a ValueError. + :raises ValueError: If a variable is not found in the variable collection. + :return: The command with variables replaced. 
+ """ result = self._cmd_template.template for var_id, index in self._cmd_template.variable_index.items(): value = self._variables.get(var_id) @@ -65,19 +107,40 @@ class CmdParameter: @property def env(self) -> Dict[str, str]: + """ + Returns the environment variables as a dictionary. + """ return self._env class CmdExecutor: + """ + A class to execute commands using a command template and parameters. + It allows adding arguments and environment variables, and runs the command in a subprocess. + """ def __init__(self, entry: Path): + """ + Initializes the CmdExecutor with a command entry point. + :param entry: The path to the command entry point. + """ self._cmd = [str(entry)] self._env = {} def add_args(self, args: CmdParameter): + """ + Adds command arguments and environment variables to the executor. + :param args: A CmdParameter instance containing command arguments and environment variables. + """ self._cmd.extend(args.cmd) self._env.update(args.env) def run(self): + """ + Executes the command with the provided arguments and environment variables. + It captures the output and returns it. + :raises RuntimeError: If the command execution fails. + :return: The output of the command execution. + """ import subprocess import os diff --git a/os-harden-tools/rule_metadata/converters/file_list.py b/os-harden-tools/rule_metadata/converters/file_list.py index 4184fca..353fe1c 100644 --- a/os-harden-tools/rule_metadata/converters/file_list.py +++ b/os-harden-tools/rule_metadata/converters/file_list.py 
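Review bot: `add_variable` and `add_env` both document `:raises ValueError:` for an empty identifier, but their bodies (`self._variables[variable_id] = value` and `self._env[name] = value`) perform no check, so the docstrings promise a contract the code does not enforce. Either add the guard, `if not variable_id: raise ValueError("variable_id must not be empty")` (and `if not name: raise ValueError("name must not be empty")`), or delete the two `:raises:` lines. The `cmd` property docstring is accurate as far as the hunk shows, but its body continues outside the hunk after `value = self._variables.get(var_id)`.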
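Review bot: `run()`'s docstring says it captures output and raises RuntimeError on failure, but the body is cut off right after `import subprocess` / `import os`, and nothing in the hunk says whether `self._env` — which starts as `{}` and only ever receives `args.env` — is passed as the child's entire environment or overlaid on `os.environ`. That matters here: the entry scripts call `modprobe`, `dim_gen_baseline` and `sed` by bare name, so an `env={}` child would fail with 'command not found' rather than the documented RuntimeError. Add one sentence to the `run()` docstring pinning the contract, e.g. `Variables added via add_args are merged over os.environ; the command list is executed without a shell.` — the `import os` on the last visible line suggests the overlay, but I cannot see it. `add_args` also extends `_cmd` on every call, so a rule with several parameters appends their templates in call order; say so in its docstring.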
@@ -5,11 +5,17 @@ from rule_metadata import RuleParameter, ConfigConverter class FileListConverter(ConfigConverter): + """ + Converts a list of files into a temporary file that can be used in command execution. + """ def __init__(self): super().__init__() self.temp_file = None def generate(self, parameter: CmdParameter, config): + """ + Generates a temporary file from the provided list of files and adds it to the command parameters. + """ if not isinstance(config, list): raise ValueError("file_list value must be a list") self.temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list") @@ -18,6 +24,10 @@ class FileListConverter(ConfigConverter): parameter.add_variable("file", self.temp_file.name) def verify(self, parameter: RuleParameter): + """ + Verifies that the command template contains exactly one placeholder for 'file'. + Raises an error if the placeholder is missing or if there are multiple placeholders. + """ place_holder = parameter.cmd_template.variable_index if len(place_holder) != 1: raise ValueError(f"Expected exactly one placeholder, found {len(place_holder)}") @@ -25,6 +35,9 @@ class FileListConverter(ConfigConverter): raise ValueError("Placeholder 'file' not found in the execute config variables") def cleanup(self): + """ + Cleans up the temporary file created during the generation process. + """ if self.temp_file: try: self.temp_file.close() diff --git a/os-harden-tools/rule_metadata/manager.py b/os-harden-tools/rule_metadata/manager.py index 4ceba73..82ba835 100644 --- a/os-harden-tools/rule_metadata/manager.py +++ b/os-harden-tools/rule_metadata/manager.py 
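Review bot: `generate` creates the list file with `delete=False`, so its lifetime is tied to `cleanup()`, yet the new docstring does not mention it, and `ConfigConverter.cleanup` is documented elsewhere in this commit as running only after a successful generation — a failure while writing the list (the rest of `generate` is outside the hunk) would leave a `*.list` file behind in the temp directory. Suggest the docstring state `The file is created with delete=False and must be removed via cleanup(); if writing fails it is unlinked here before the error propagates.`, and wrap the writes so that `os.unlink(self.temp_file.name)` runs on exception. As far as I recall `NamedTemporaryFile` creates the file mode 0600 via mkstemp, so the content is not exposed to other local users even when this runs as root — worth noting since the file feeds a privileged script.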
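Review bot: `verify` tests `len(place_holder)`, where `variable_index` maps a variable id to the list of positions it occupies, so the check counts distinct ids, not placeholder occurrences — a template such as `--list %file --list %file` passes while the message says 'Expected exactly one placeholder'. If one id in several positions is acceptable, reword the docstring and message to `Expected exactly one variable id, found …`; if not, test `sum(len(v) for v in place_holder.values()) != 1` instead.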
@@ -10,6 +10,11 @@ from utils import load_json_file, HOME_DIR def precheck(rule_path: Path) -> bool: + """ + Pre-checks for a rule directory to ensure it meets the expected structure and naming conventions. + :param rule_path: Path to the rule directory + :return: True if the rule directory is valid, False otherwise + """ if not rule_path.is_dir(): logging.error(f"Rule path {rule_path} is not a directory") return False @@ -27,7 +32,18 @@ def precheck(rule_path: Path) -> bool: class RuleManager: + """ + RuleManager is responsible for managing rules and categories in a specified directory. + """ def __init__(self, rules_dir: Path): + """ + Initializes the RuleManager with the specified rules directory. + :param rules_dir: Path to the directory containing rule files + :raises FileNotFoundError: If the rules directory does not exist + :raises NotADirectoryError: If the specified path is not a directory + :raises ValueError: If the rules directory does not contain a valid categories.json file + :raises jsonschema.ValidationError: If the categories.json file does not conform to the schema + """ self._dir = rules_dir.resolve() if not self._dir.exists(): raise FileNotFoundError(f"Rules directory does not exist: {self._dir}") 
@@ -40,36 +56,69 @@ class RuleManager: @property def path(self) -> Path: + """ Returns the path to the rule base directory. """ return self._dir @property def categories(self) -> Dict[str, Dict[str, Any]]: + """ Returns a copy of the category information. """ return self._categories.copy() @property def rules(self) -> List[str]: + """ Returns a copy of the list of rules. """ return self._rules.copy() def rule_exists(self, rule_id: str) -> bool: + """ + Checks if a rule with the given ID exists in the manager. + :param rule_id: The ID of the rule to check + :return: True if the rule exists, False otherwise + """ return rule_id in self._rules def get_rules_by_category(self, category_id: str) -> List[str]: + """ + Retrieves all rules associated with a specific category ID. + :param category_id: The ID of the category to retrieve rules for + :return: A list of rule IDs associated with the specified category + :raises ValueError: If the category ID does not exist in the manager + """ if category_id not in self._categories: raise ValueError(f"Category with ID {category_id} not found") return [rule for rule in self._rules if rule.startswith(category_id + '.')] def get_rule_metadata(self, rule_id: str) -> RuleMetadata: + """ + Retrieves the metadata for a specific rule by its ID. + :param rule_id: The ID of the rule to retrieve metadata for + :return: An instance of RuleMetadata containing the rule's metadata + :raises ValueError: If the rule ID does not exist in the manager + """ if rule_id not in self._rules: raise ValueError(f"Rule with ID {rule_id} not found") rule = self._dir.joinpath(rule_id).resolve() return RuleMetadata(rule) def get_category_desc(self, category_id: str) -> Dict[str, Any]: + """ + Retrieves the description of a specific category by its ID. 
+ :param category_id: The ID of the category to retrieve + :return: A dictionary containing the category's description and metadata + :raises ValueError: If the category ID does not exist in the manager + """ if category_id not in self._categories: raise ValueError(f"Category with ID {category_id} not found") return self._categories[category_id] def reload_rules(self): + """ + Reloads the rules and categories from the rules directory. + This method reads the categories.json file and validates it against the schema. + It then collects all valid rules for each category and stores them in the manager. + :raises jsonschema.ValidationError: If the categories.json file does not conform to the schema + :raises ValueError: If the rules directory does not contain a valid categories.json file + """ categories: List[Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json')) jsonschema.validate(categories, load_json_file(HOME_DIR.joinpath('schema/categories.schema.json'))) @@ -98,6 +147,13 @@ class RuleManager: self._rules.extend(sorted(rules, key=lambda r: int(r.split('.', 1)[1]))) def apply_rule(self, rule: str, config=None): + """ + Applies a rule with the given configuration. + :param rule: The ID of the rule to apply + :param config: A dictionary containing configuration parameters for the rule + :raises ValueError: If the rule does not exist or if required parameters are missing in the configuration + :raises Exception: If the command execution fails + """ if config is None: config = {} if not self.rule_exists(rule): @@ -110,8 +166,9 @@ class RuleManager: logging.debug(f"Applying rule {rule} with config: {config}") metadata = self.get_rule_metadata(rule) - executor = CmdExecutor(metadata.entry) + + # generate command line parameters converter_instances = [] for param in metadata.parameters: if param.id not in config: 
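Review bot: `get_category_desc` returns `self._categories[category_id]` itself, while the `categories` property goes out of its way to return a copy and is documented as one, so a caller that mutates a description (or the nested dicts inside that copy, which `.copy()` does not duplicate) silently changes the manager's state until the next `reload_rules`. Either return `dict(self._categories[category_id])` (or `copy.deepcopy`) from `get_category_desc` and say so in its docstring, or document both accessors as live views. The `reload_rules` docstring could also state that `categories.json` is validated against `schema/categories.schema.json` before any state is replaced, which its first two lines show; the rest of the method is outside the hunk.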
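Review bot: `apply_rule` only checks that every declared parameter has a key in `config` (`if param.id not in config`), never the reverse, so a misspelled key in `secharden.conf` (say `selinux_tag`) is ignored and, as far as the visible hunk shows, the rule runs without the intended input — for a hardening tool that is a quiet no-op on a security control. Add an up-front check, `unknown = set(config) - {p.id for p in metadata.parameters}` / `if unknown: raise ValueError(f"Unknown parameters for rule {rule}: {sorted(unknown)}")`, and list it under the docstring's `:raises ValueError:`. The `logging.debug(f"Applying rule {rule} with config: {config}")` line prints parameter values verbatim, which the docstring should mention so operators know debug logs carry config content. The parameter loop continues outside the hunk.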
@@ -129,7 +186,6 @@ class RuleManager: raise e converter_instances.append(converter) executor.add_args(cmd_param) - try: result = executor.run() logging.info(f"rule {rule} applied with result:") diff --git a/os-harden-tools/rule_metadata/metadata.py b/os-harden-tools/rule_metadata/metadata.py index 45cfa3c..8268484 100644 --- a/os-harden-tools/rule_metadata/metadata.py +++ b/os-harden-tools/rule_metadata/metadata.py @@ -1,5 +1,6 @@ import abc import logging +import os from pathlib import Path from typing import List, Dict, Any, Optional @@ -8,8 +9,19 @@ import jsonschema from executor import CmdTemplate, CmdParameter from utils import load_json_file, HOME_DIR + class RuleParameter: + """ + Represents a rule parameter with its metadata and associated converter. + """ + def __init__(self, parameter: Dict[str, Any]): + """ + Initializes a RuleParameter instance. + :param parameter: A dictionary containing the parameter metadata. + :raises NotImplementedError: If the specified converter is not implemented. + :raises Exception: If the verification of the parameter fails. + """ self._id = parameter['id'] self._name = parameter['name'] self._description = parameter['description'] @@ -21,6 +33,10 @@ class RuleParameter: self._verify_rule_params() def _verify_rule_params(self): + """ + Verifies the rule parameters using the associated converter. + :raises Exception: If the verification fails. + """ try: self._converter().verify(self) except Exception as e: 
@@ -30,41 +46,79 @@ class RuleParameter: @property def id(self) -> str: + """ + Returns the unique identifier of the rule parameter. + """ return self._id @property def name(self) -> str: + """ + Returns the name of the rule parameter. + """ return self._name @property def description(self) -> str: + """ + Returns the description of the rule parameter. + """ return self._description @property def converter(self) -> type['ConfigConverter']: + """ + Returns the converter class associated with this rule parameter. + :return: The converter class. + """ return self._converter @property def cmd_template(self) -> CmdTemplate: + """ + Returns the command template associated with this rule parameter. + """ return self._cmd_template + class ConfigConverter(abc.ABC): + """ + Abstract base class for configuration converters. + """ + def __init__(self): pass @abc.abstractmethod def generate(self, parameter: CmdParameter, config): + """ + Generates a configuration based on the provided parameter and config. + :param parameter: The command parameter to apply to. + :param config: The configuration to convert. + """ pass def cleanup(self): + """ + Cleans up any resources used by the converter, if any. + Only triggered when the converter is generated parameter successfully. + """ pass @abc.abstractmethod def verify(self, parameter: RuleParameter): + """ + Verifies the rule parameter using the converter. + :param parameter: The rule parameter to verify. + """ pass class ConverterManager: + """ + Singleton class to manage configuration converters. + It loads all converters from the rules.converters module and provides a method to find a converter + """ _instance = None def __new__(cls, *args, **kwargs): 
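Review bot: The `cleanup` docstring reads `Only triggered when the converter is generated parameter successfully`, which is ungrammatical and, read literally, means any resource a converter allocates in a `generate` that raises is never released; suggest `Called only after generate() has succeeded; a converter that allocates resources must release them itself when generate() fails.` The `ConverterManager` docstring in the same hunk also stops mid-sentence (`provides a method to find a converter`) — finish it with what the method returns, e.g. `… by class name, or None if no converter of that name was loaded.`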
@@ -80,70 +134,149 @@ class ConverterManager: self._converter[cls.__name__] = cls def find_converter(self, converter_type: str) -> Optional[type[ConfigConverter]]: + """ + Finds a converter by its type name. + :param converter_type: The type name of the converter to find. + :return: The converter class if found, otherwise None. + """ return self._converter.get(converter_type, None) class UrlDescriptor: + """ + Represents a URL descriptor with a title and URL. + """ + def __init__(self, **kwargs): + """ + Initializes a UrlDescriptor instance. + The args are not checked since they are checked using json schema. + :param kwargs: A dictionary containing 'url' and 'title'. + """ self._url: str = kwargs['url'] self._title: str = kwargs['title'] @property def url(self) -> str: + """ + Returns the URL associated with this descriptor. + """ return self._url @property def title(self) -> str: + """ + Returns the title associated with this URL descriptor. + """ return self._title class RuleMetadata: + """ + Represents the metadata of a rule, parsed data from metadata.json file. + """ _metadata_schema = load_json_file(HOME_DIR.joinpath('schema/metadata.schema.json')) def __init__(self, root: Path): + """ + Initializes a RuleMetadata instance by loading metadata from a JSON file. + :param root: The root directory containing the metadata.json file. + :raises FileNotFoundError: If the metadata.json file does not exist. + :raises ValueError: If the entry file does not match the expected format or if the metadata id does not match the directory name. + :raises jsonschema.ValidationError: If the metadata does not conform to the defined schema. + :raises NotImplementedError: If a specified converter is not implemented. + :raises Exception: If the verification of the rule parameters fails. 
+ """ data = load_json_file(root.joinpath("metadata.json")) jsonschema.validate(data, RuleMetadata._metadata_schema) self._id: str = data['id'] self._name: str = data['name'] + self._root = root self._description: str = data['description'] - self._entry: Path = root.joinpath(data['entry']).resolve() + self._entry: Path = self._parse_entry(data['entry']) self._parameters: List[RuleParameter] = [RuleParameter(d) for d in data.get('parameters', [])] self._urls: List[UrlDescriptor] = [UrlDescriptor(**u) for u in data.get('urls', [])] - if not self._entry.exists(): - raise FileNotFoundError(f"Entry file {self._entry} for {self._id} does not exist") if not self._entry.is_file(): raise ValueError(f"Entry file {self._entry} for {self._id} is not a regular file") if not self._id == root.name: raise ValueError(f"Metadata id {self._id} does not match directory name {root.name}") + def _parse_entry(self, entry: str) -> Path: + # check if entry exists in root path + if self._root.joinpath(entry).exists(): + return self._root.joinpath(entry).resolve() + + # check if entry exists in PATH + paths = os.environ.get('PATH', '').split(':') + for p in paths: + path = Path(p) + # ignore invalid paths + if not path.is_dir() or not path.is_absolute() or not path.exists(): + continue + entry = path.joinpath(self._entry) + if entry.exists() and entry.is_file(): + return entry + + # finally raise not found error + raise FileNotFoundError( + f"Entry file {entry} for {self._id} does not exist in the root path or PATH environment variable") + @property def id(self) -> str: + """ + Returns the unique identifier of the rule metadata. + """ return self._id @property def name(self) -> str: + """ + Returns the name of the rule. + """ return self._name + @property + def rule_path(self) -> Path: + """ + Returns the root path of the rule metadata. + """ + return self._root + @property def description(self) -> str: + """ + Returns the description of the rule. 
+ """ return self._description @property def entry(self) -> Path: + """ + Returns the entry file path for the rule. + """ return self._entry @property def parameters(self) -> List[RuleParameter]: + """ + Returns the list of rule parameters. + """ return self._parameters @property def urls(self) -> List[UrlDescriptor]: + """ + Returns the list of URL descriptors associated with the rule. + """ return self._urls @property def doc(self) -> str: + """ + Generates a markdown documentation string for the rule metadata. + """ doc = "" doc += f"### {self._id} {self._name}\n\n" doc += f"{self._description}\n\n" @@ -160,4 +293,4 @@ class RuleMetadata: for url in self._urls: doc += f"- [{url.title}]({url.url})\n" doc += "\n" - return doc \ No newline at end of file + return doc diff --git a/os-harden-tools/tools/list.md b/os-harden-tools/tools/list.md deleted file mode 100755 index 5d413c8..0000000 --- a/os-harden-tools/tools/list.md +++ /dev/null 
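Review bot: `_parse_entry` is the only new method in this docs commit without a docstring, and its behaviour is the most security-relevant in the file: an entry not found under the rule directory is looked up along the caller's `PATH`, and an absolute `entry` (or one containing `..`) is accepted as-is because `Path.joinpath` simply returns it, so `metadata.json` can point the executor at any file on the host. Rule directories are presumably part of the tool's own tree, so this may be intended, but the docstring should say so, e.g. `Resolve entry relative to the rule directory; if absent there, fall back to the first regular file of that name on PATH. Absolute paths are used verbatim. Raises FileNotFoundError when neither lookup succeeds.` Two smaller points in the same loop: `not path.exists()` is redundant after `path.is_dir()`, and the `is_file()` check that `__init__` still performs only adds information for the root-relative branch, since the PATH branch already filters on `is_file()` — a one-line comment would save the next reader the question.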
@@ -1,74 +0,0 @@ -## 全栈完整性: - -enable_kernel_module_sign.sh:启用内核模块签名。内核模块签名以一定格式在内核模块文件末尾添加签名信息,系统在加载内核模块时检查签名是否与内核中预设的公钥匹配。这样可以验证内核模块文件的真实性和完整性,防止系统加载未经认证的恶意内核模块。 - -## 网络保护: - -disable_accept_redirect.sh: 禁止ICMP重定向报文。ICMP重定向消息是传递路由信息并告诉系统通过备用路径发送数据包。这是一种允许外部路由设备更新系统路由表的方法。攻击者可以利用伪造的ICMP重定向消息恶意更改系统路由表,使它们向错误的网络发送数据包,从而获取相应的敏感数据。 - -disable_icmp_broadcast.sh:禁止系统响应ICMP广播报文。ICMP广播的目的地址就是广播地址。无论是哪台设备发送的报文,报文都会发送到网络上的每一台设备上去。如果源地址是伪造的,就可能会导致网络上所有的设备发送恶意的echo报文给受害者地址。 - -disable_ip_forward.sh:禁止IP转发。如果该结点不作为网关服务器,则应禁用IP转发功能。否则攻击者可将此系统作为路由器使用。 - -disable_proxy_arp.sh:禁止使用ARP代理。ARP代理允许系统代表连接到某个接口的主机向另一个接口上的ARP请求发送响应。禁用ARP代理不仅可以防止未经授权的信息共享还可以防止连接的网络区段之间寻址信息泄露。所以应关闭ARP代理以避免ARP报文攻击对系统造成影响。 - -disable_source_route.sh:禁止报文源路由。源路由允许发送方部分或全部指定数据包通过网络的路由,而常规路由中,网络中的路由器根据数据包的目的地确定路径。大量报文被篡改后通过指定路由,则可以对内部网络进行定向攻击,可导致指定路由器负载过高,正常业务流量中断。 - -drop_forge_icmp_package.sh:丢弃伪造的ICMP报文。一些攻击者会发送违反RFC-1122的ICMP报文,并试图用大量无用的错误信息填充日志文件系统。 - -enable_firewall.sh:启用防火墙服务。如果系统中没有配置防火墙服务,可能会导致系统被外部攻击、内部数据被窃取或篡改,大量无效流量浪费带宽、访问一些存在安全风险或业务无关的网站导致信息泄露。 - -enable_rp_filter.sh:启用反向地址过滤。强制Linux内核对接收到的数据包使用反向路径过滤,检查报文源地址的合法性,如果反查源地址的路由表,发现源地址下一跳的最佳出接口并不是收到报文的入接口,则将报文丢弃。 - -enable_tcp_syn_cookies.sh:启用TCP-SYN cookie。攻击者使用SYN泛洪攻击时会快速耗尽内核中半开连接队列,阻止合法连接。如果启用SYN cookie,即使受到拒绝服务攻击仍允许系统继续接受合法连。 - -## 限制高危系统功能: - -enable_dmesg_restrict.sh:配置dmesg访问权限。限制访问 dmesg 信息权限,无特权的用户无法查看系统信息,从而可以避免任何人从系统信息获取敏感信息。 - -disable_kexec.sh:禁止开启kexec功能。kexec允许替换当前正在运行的内核,可能被攻击者利用加载恶意内核。若使用场景无内核升级需求,建议关闭kexec功能。 - -enable_kptr_restrict.sh:限制内核符号读取权限。kptr_restrict的作用是保护内核符号地址,保护等级低时普通用户可以访问得到内核符号地址容易被攻击者利用,增加了攻击面降低了系统安全性。 - -enable_ptrace_scope.sh:限制ptrace范围。ptrace是一种系统调用用于进程跟踪,提供了父进程可以观察并控制子进程的能力。无限制的ptrace使用可能导致攻击者劫持关键进程进行系统攻击。 - -disable_uncommon_network_module.sh:禁用不常见网络服务。一些不常见的网络协议往往使用场景较少,社区发展较慢,安全问题不易被快速解决。如果未关闭这些并不使用的协议,可能导致攻击者利用协议或代码漏洞进行攻击。 - -## 启用安全服务: - -enable_rsyslog.sh:启用rsyslog服务。若不开启rsyslog服务,系统日志无法转储到持久性存储设备,系统重启后,会导致日志丢失。 - 
-enable_selinux_enforce.sh:Selinux启用enforce模式。SELinux是Linux发行版中内置的安全模块,通过细粒度的访问控制机制实现应用程序对资源的访问控制。SELinux只有工作在enforcing模式时才能有效启用并保护系统。 - -## 内核加固: - -enable_bpf_jit_harden.sh:开启BPF加固功能。BFP代码支持JIT编译执行和解释执行。其中JIT编译执行面临JIT喷射攻击的风险,攻击者可能利用该风险攻击内核进行提权。BPF加固功能会对JIT编译执行进行加固,缓解某些类型的JIT喷射攻击,降低内核面临的攻击风险。 - -enable_kernel_aslr.sh:启用内核ASLR。ASLR通过每次将栈的起始位置、函数库和程序本身移至随机位置,使得内存攻击时无法猜测正确的内存位置,导致攻击无法成功实施。 - -enable_panic_on_oops.sh:确保内核触发错误后直接退出。系统内核在发现一些非致命错误时会触发oops,如果在oops发生后内核仍然继续运行,可能会导致错误依然存在并影响内核的稳定性和可靠性。因此,建议设置使能panic_on_oops,在发生oops后直接panic退出而不是继续运行。 - -## 权限最小化: - -minimal_file_permission.sh:最小化文件权限。最小化系统中敏感文件的访问权限,防止因权限过大导致攻击者进行文件篡改攻击。 - -symlink_protection.sh:启用链接文件保护。启用该保护后,如果目标文件和链接文件不是同属主的,且链接文件属主无权执行目标文件的,无论访问该链接的用户是谁,均拒绝访问。 - -## 登录认证: - -disable_ssh_no_pass.sh:禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。 - -disable_ssh_permit_user_environment.sh:禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。 - -disable_ssh_root_login.sh:禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。 - -disable_ssh_tcp_forwarding.sh:禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。 - -disable_ssh_x11_forwarding.sh:禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。 - -disable_sysrq.sh:禁止使用SysRq键。SysRq使得具有物理访问权限的用户能够访问计算机中危险的系统级命令,攻击者可以通过键盘触发SysRq的调用,直接发送命令到内核,对系统造成影响。 - -disable_tcp_timestamps.sh:避免开启tcp_timestamps。tcp_timestamps用于记录TCP数据包的发送时间,可用于RTT测量(RTTM)和保护序号绕回(PAWS),启用该选项可能遭受拒绝服务攻击。 - -set_ssh_max_auth_tries.sh:设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。 - diff --git a/os-harden-tools/utils.py b/os-harden-tools/utils.py index c7247c2..87d878c 100644 --- a/os-harden-tools/utils.py +++ b/os-harden-tools/utils.py 
@@ -6,6 +6,12 @@ HOME_DIR = Path(__file__).parent.resolve() def load_json_file(file_path: Path): + """ + Load a JSON file from the given path. + :param file_path: Path to the JSON file. + :return: Parsed JSON data. + :raises FileNotFoundError: If the file does not exist. + """ if not file_path.exists(): raise FileNotFoundError(f"File not found: {file_path}") return json.loads(file_path.read_text('utf-8')) -- Gitee From a917004c014edfd1fa8208f0032b2ae77e0ebb29 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 09:57:46 +0800 Subject: [PATCH 034/109] testcase fix --- os-harden-tools/rule_metadata/metadata.py | 6 ++--- .../config_parser/collection/empty/.gitkeep | 0 .../metadata/entry_in_path/metadata.json | 6 +++++ .../tests/rules/metadata/no_metadata/.gitkeep | 0 os-harden-tools/tests/rules/test_metadata.py | 24 ++++++++++++++++++- 5 files changed, 32 insertions(+), 4 deletions(-) create mode 100644 os-harden-tools/tests/config_parser/collection/empty/.gitkeep create mode 100644 os-harden-tools/tests/rules/metadata/entry_in_path/metadata.json create mode 100644 os-harden-tools/tests/rules/metadata/no_metadata/.gitkeep diff --git a/os-harden-tools/rule_metadata/metadata.py b/os-harden-tools/rule_metadata/metadata.py index 8268484..82d61b5 100644 --- a/os-harden-tools/rule_metadata/metadata.py +++ b/os-harden-tools/rule_metadata/metadata.py @@ -215,9 +215,9 @@ class RuleMetadata: # ignore invalid paths if not path.is_dir() or not path.is_absolute() or not path.exists(): continue - entry = path.joinpath(self._entry) - if entry.exists() and entry.is_file(): - return entry + entry_path = path.joinpath(entry) + if entry_path.exists() and entry_path.is_file(): + return entry_path # finally raise not found error raise FileNotFoundError( diff --git a/os-harden-tools/tests/config_parser/collection/empty/.gitkeep b/os-harden-tools/tests/config_parser/collection/empty/.gitkeep new file mode 100644 index 0000000..e69de29 
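Review bot: `load_json_file` documents only `FileNotFoundError`, but `json.loads` raises `json.JSONDecodeError` (a `ValueError`) on malformed content and `read_text` raises `IsADirectoryError` or `PermissionError` for a directory or unreadable file, and the callers in this commit (`RuleMetadata.__init__`, `reload_rules`) relay all of these to the user. Add `:raises json.JSONDecodeError: If the file is not valid JSON.` to the docstring. The `exists()` pre-check is also a small check-then-use window; catching `FileNotFoundError` around the single `read_text` call and re-raising with the same message would keep the wording while touching the file once.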
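Review bot: The PATH fallback now runs, but it accepts the first regular file named `entry` on PATH regardless of whether it is executable and splits on a literal ':' rather than `os.pathsep`; `shutil.which(entry)` (needs `import shutil`) does both, so the loop collapses to `found = shutil.which(entry)` / `if found is not None:` / `return Path(found)`. The trust aspect deserves a sentence in the docstring as well: these entries are executed by the hardening tool, presumably as root, so whichever directory the invoking user placed first on PATH supplies the binary — the existing filter drops relative directories but not user-writable ones. A rule whose local entry file is missing also falls through to PATH silently instead of failing, which the new `entry_in_path` fixture relies on; an info-level log line when the fallback is taken would make that visible.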
diff --git a/os-harden-tools/tests/rules/metadata/entry_in_path/metadata.json b/os-harden-tools/tests/rules/metadata/entry_in_path/metadata.json new file mode 100644 index 0000000..6d6e3c3 --- /dev/null +++ b/os-harden-tools/tests/rules/metadata/entry_in_path/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "entry_in_path", + "name": "valid metadata", + "description": "valid metadata", + "entry": "python3" +} \ No newline at end of file diff --git a/os-harden-tools/tests/rules/metadata/no_metadata/.gitkeep b/os-harden-tools/tests/rules/metadata/no_metadata/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/os-harden-tools/tests/rules/test_metadata.py b/os-harden-tools/tests/rules/test_metadata.py index 6a45dc2..6f237cc 100644 --- a/os-harden-tools/tests/rules/test_metadata.py +++ b/os-harden-tools/tests/rules/test_metadata.py @@ -18,6 +18,27 @@ class TestMetadata: assert d.description == 'valid metadata' assert d.entry == path.joinpath("metadata.json") + def test_entry_in_path(self, config_test_path): + path = config_test_path.joinpath("entry_in_path") + d = RuleMetadata(path) + assert d.id == 'entry_in_path' + assert d.name == 'valid metadata' + assert d.description == 'valid metadata' + + # search python + import os + paths = os.environ.get('PATH', '').split(':') + paths.insert(0, "invalid_path") + for p in paths: + path = Path(p) + # ignore invalid paths + if not path.is_dir() or not path.is_absolute() or not path.exists(): + continue + entry_path = path.joinpath('python3') + if entry_path.exists() and entry_path.is_file(): + assert d.entry == entry_path + break + def test_valid_full(self, config_test_path): path = config_test_path.joinpath("valid_full") d = RuleMetadata(path) 
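Review bot: `test_entry_in_path` passes vacuously when no `python3` is found on PATH — the `for` loop simply finishes and no `assert` executes — and it re-implements the lookup it is meant to test, so a bug in `_parse_entry`'s loop would be mirrored here rather than caught. Use an independent oracle: `found = shutil.which('python3')` / `assert found is not None, 'python3 not on PATH'` / `assert d.entry == Path(found)`. The `paths.insert(0, "invalid_path")` line then has no effect; if the intent is to exercise a relative PATH entry, set it with `monkeypatch.setenv('PATH', ...)` so the production code, not the test, sees it.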
@@ -48,7 +69,8 @@ class TestMetadata: path = config_test_path.joinpath("no_entry") with pytest.raises(FileNotFoundError) as excinfo: RuleMetadata(path) - assert str(excinfo.value) == f"Entry file {path.joinpath('no_entry.sh').resolve()} for no_entry does not exist" + assert (str(excinfo.value) == + f"Entry file no_entry.sh for no_entry does not exist in the root path or PATH environment variable") def test_no_metadata(self, config_test_path): path = config_test_path.joinpath("no_metadata") -- Gitee From c53f22f67fabab07a0d568843c7cd731ad9826f8 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 09:59:56 +0800 Subject: [PATCH 035/109] change to echo --- os-harden-tools/tools/int.02/enforce_dim.sh | 24 ++++++++++----------- os-harden-tools/tools/int.03/enforce_ima.sh | 22 +++++++++---------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/os-harden-tools/tools/int.02/enforce_dim.sh b/os-harden-tools/tools/int.02/enforce_dim.sh index ba5d948..54eb6c5 100644 --- a/os-harden-tools/tools/int.02/enforce_dim.sh +++ b/os-harden-tools/tools/int.02/enforce_dim.sh @@ -28,19 +28,19 @@ function fn_dim_tool_main() fi # init kernel baseline - fn_info "Initializing DIM kernel baseline..." + echo "Initializing DIM kernel baseline..." mkdir -p /etc/dim/digest_list if [ ! -f /boot/vmlinuz-$(uname -r) ]; then - fn_error "Kernel image /boot/vmlinuz-$(uname -r) does not exist." - fn_error "You have to measure your kernel manually." + echo "Kernel image /boot/vmlinuz-$(uname -r) does not exist." >&2 + echo "You have to measure your kernel manually." >&2 return 1 fi dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-$(uname -r) if [ ! -f /etc/dim/policy ]; then - fn_info "Creating DIM policy at /etc/dim/policy." + echo "Creating DIM policy at /etc/dim/policy." echo "measure obj=KERNEL_TEXT" > /etc/dim/policy fi 
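Review bot: `dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-$(uname -r)` is the step that produces the baseline, yet its exit status is ignored, so the function goes on to load `dim_core` with `measure_interval=1` against a possibly missing or partial `kernel.hash`. Guard it the way the later `modprobe` calls are guarded: `if ! dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash "/boot/vmlinuz-$(uname -r)"; then` / `echo "Failed to generate DIM baseline for kernel $(uname -r)." >&2; return 1` / `fi`. The freshly created `/etc/dim/policy` is also written under the default umask, whereas `enforce_ima.sh` in the same commit sets its policy to mode 600 — worth aligning. `fn_dim_tool_main` begins before this hunk.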
@@ -48,23 +48,23 @@ function fn_dim_tool_main() if ! grep -q "measure obj=KERNEL_TEXT" /etc/dim/policy; then echo "" >> /etc/dim/policy echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy - fn_info "Added kernel measurement to DIM policy." + echo "Added kernel measurement to DIM policy." else - fn_info "Kernel measurement already exists in DIM policy." + echo "Kernel measurement already exists in DIM policy." fi # install dim kernel module - fn_info "Installing dim kernel module..." + echo "Installing dim kernel module..." if ! lsmod | grep -q dim_core; then if ! modprobe dim_core measure_interval=1; then - fn_error "Failed to install dim_core module." + echo "Failed to install dim_core module." >&2 return 1 fi fi if ! lsmod | grep -q dim_monitor; then if ! modprobe dim_monitor; then - fn_error "Failed to install dim module." + echo "Failed to install dim module." >&2 return 1 fi fi @@ -75,11 +75,11 @@ function fn_dim_tool_main() local result="$(grep "$(uname -r)" /sys/kernel/security/dim/ascii_runtime_measurements | tail -n 1)" # result not empty if [ -z "$result" ]; then - fn_error "Failed to initialize DIM baseline for kernel" + echo "Failed to initialize DIM baseline for kernel" >&2 return 1 else - fn_info "DIM kernel baseline initialized:" - fn_info "$result" + echo "DIM kernel baseline initialized:" + echo "$result" fi } diff --git a/os-harden-tools/tools/int.03/enforce_ima.sh b/os-harden-tools/tools/int.03/enforce_ima.sh index e54284d..e784b80 100644 --- a/os-harden-tools/tools/int.03/enforce_ima.sh +++ b/os-harden-tools/tools/int.03/enforce_ima.sh 
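Review bot: The failure message after the second `modprobe` says `Failed to install dim module.` although the module being loaded is `dim_monitor`; change it to `echo "Failed to install dim_monitor module." >&2` so a log reader can tell which load failed. The `lsmod | grep -q dim_core` and `grep -q dim_monitor` tests also match as substrings, so a similarly named module would count as 'already loaded'; `grep -q '^dim_core '` / `grep -q '^dim_monitor '` anchors on the module column. Whether such a module exists on target hosts I cannot tell from here. The function continues outside the hunk.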
@@ -39,13 +39,13 @@ function _fn_reset_ima_policy() # if both patterns are not found, do nothing if [ -z "$start_line" ] && [ -z "$end_line" ]; then - fn_info "No generated IMA policy found in $IMA_POLICY_FILE." + echo "No generated IMA policy found in $IMA_POLICY_FILE." return 0 fi # incomplete generated area, reamove pattern only if [ -z "$start_line" ] || [ -z "$end_line" ]; then - fn_info "Incomplete generated IMA policy found in $IMA_POLICY_FILE. Removing patterns only." + echo "Incomplete generated IMA policy found in $IMA_POLICY_FILE. Removing patterns only." sed -i "/$start_pattern/d" "$IMA_POLICY_FILE" sed -i "/$end_pattern/d" "$IMA_POLICY_FILE" return 0 @@ -54,7 +54,7 @@ function _fn_reset_ima_policy() # remove lines between the patterns local lines_to_remove=$(sed -n "${start_line},${end_line}p" "$IMA_POLICY_FILE" | wc -l) if [ $lines_to_remove -gt 0 ]; then - fn_info "Removing $lines_to_remove lines from IMA policy." + echo "Removing $lines_to_remove lines from IMA policy." sed -i "${start_line},${end_line}d" "$IMA_POLICY_FILE" fi } @@ -90,13 +90,13 @@ function _fn_generate_from_config() # check if the tag is already present in the ima policy if grep -q "measure func=FILE_CHECK obj_type=$line" "$IMA_POLICY_FILE"; then - fn_info "SELinux tag $line is already present in IMA policy." + echo "SELinux tag $line is already present in IMA policy." continue fi # append the line to the ima policy echo "measure func=FILE_CHECK obj_type=$line" >> $IMA_POLICY_FILE - fn_info "Added SELinux tag $line to IMA policy." + echo "Added SELinux tag $line to IMA policy." done unset line echo "$IMA_POLICY_GENERATED_PATTERN_END" >> $IMA_POLICY_FILE @@ -113,7 +113,7 @@ function _fn_activate_ima() fn_warn "Failed to activate IMA policy. The kernel may not enable CONFIG_IMA_WRITE_POLICY." fn_warn "You need reboot the system to apply the IMA policy." else - fn_info "IMA policy activated successfully." + echo "IMA policy activated successfully." fi } 
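Review bot: In the 'incomplete generated area' branch, `_fn_reset_ima_policy` deletes only the marker lines (`sed -i "/$start_pattern/d"` and the end-pattern twin) and leaves whatever generated rules sat between them in `$IMA_POLICY_FILE`, so those rules become orphaned: no later run can reset them and they stay in the policy indefinitely. Consider treating a lone start marker as 'delete from the marker to end of file', or at least echo which lines were left in place. Both `sed` calls also interpolate `$start_pattern`/`$end_pattern` into a regex address unescaped, which is safe only while those patterns contain no `/` or regex metacharacters — they are defined above this hunk, so I cannot verify that.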
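Review bot: Each `$line` read from the user-supplied config file lands verbatim in the IMA policy (`echo "measure func=FILE_CHECK obj_type=$line" >> $IMA_POLICY_FILE`) and, unescaped, in a `grep -q` regex, so a line such as `ima_t func=BPRM_CHECK` or one containing regex metacharacters either injects extra policy clauses or defeats the duplicate check. Since `int.03` is explicitly a user config, validate the token before use, e.g. `case "$line" in ""|*[!A-Za-z0-9_]*) echo "Invalid SELinux type: '$line'" >&2; return 1;; esac`, and look it up with `grep -qF -- "measure func=FILE_CHECK obj_type=$line"`. `$IMA_POLICY_FILE` is unquoted on both appends in this hunk; quote it as the rest of the file does. `_fn_generate_from_config` begins before this hunk.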
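Review bot: This commit swaps `fn_info`/`fn_error` for plain `echo`, but the two `fn_warn` calls in `_fn_activate_ima`'s failure branch are left untouched; if the helper library that defined them is no longer sourced, which the commit title suggests, the warning path will die with 'fn_warn: command not found' at exactly the moment the user needs to hear that the policy was not activated and a reboot is required. For consistency replace them with `echo "Failed to activate IMA policy. The kernel may not enable CONFIG_IMA_WRITE_POLICY." >&2` and `echo "You need to reboot the system to apply the IMA policy." >&2`. I cannot see whether `fn_warn` is still defined, so this hinges on the commit's intent.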
@@ -138,7 +138,7 @@ function fn_ima_tool_main() fi if [ ! -f /sys/kernel/security/ima/policy ]; then - fn_error "IMA is not enabled in the kernel. The IMA policy cannot be generated." + echo "IMA is not enabled in the kernel. The IMA policy cannot be generated." >&2 return 1 fi @@ -147,19 +147,19 @@ function fn_ima_tool_main() return 1 fi - fn_info "Generating IMA policy..." + echo "Generating IMA policy..." if [ ! -f $IMA_POLICY_FILE ]; then - fn_info "Creating IMA policy at $IMA_POLICY_FILE." + echo "Creating IMA policy at $IMA_POLICY_FILE." touch $IMA_POLICY_FILE chmod 600 $IMA_POLICY_FILE else - fn_info "Resetting existing IMA policy at $IMA_POLICY_FILE." + echo "Resetting existing IMA policy at $IMA_POLICY_FILE." _fn_reset_ima_policy fi # check if the config file exists if [ ! -f "$config_file" ]; then - fn_error "ima configuration file $config_file does not exist." + echo "ima configuration file $config_file does not exist." >&2 return 1 fi _fn_generate_from_config "$config_file" -- Gitee From 3e9e6f1786a67f647f62eb25b2a0c4954732d241 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 10:12:49 +0800 Subject: [PATCH 036/109] add full rules --- os-harden-tools/conf/secharden.conf | 32 ++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/os-harden-tools/conf/secharden.conf b/os-harden-tools/conf/secharden.conf index c21d709..724902a 100644 --- a/os-harden-tools/conf/secharden.conf +++ b/os-harden-tools/conf/secharden.conf @@ -1,5 +1,35 @@ int.01: +int.02: int.03: selinux_tags: - ima_t - - ima2_t \ No newline at end of file + - ima2_t +kern.01: +kern.02: +kern.03: +log.01: +log.02: +log.03: +log.04: +log.05: +log.06: +log.07: +log.08: +net.01: +net.02: +net.03: +net.04: +net.05: +net.06: +net.07: +net.08: +net.09: +priv.01: +priv.02: +serv.01: +serv.02: +sys.01: +sys.02: +sys.03: +sys.04: +sys.05: -- Gitee From b0c9f034c474eee2c704399819700faa159cbbb5 Mon Sep 17 00:00:00 2001 
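Review bot: The existence check for `$config_file` in fn_ima_tool_main runs after `_fn_reset_ima_policy` has already stripped the generated section from `$IMA_POLICY_FILE`, so a missing config file leaves the host with a policy that has lost its FILE_CHECK rules and the function returns 1 without restoring them; move the `if [ ! -f "$config_file" ]` block ahead of `echo "Generating IMA policy..."`. The new-file branch runs `touch $IMA_POLICY_FILE` and only then `chmod 600`, which creates the file at the umask default for a moment and leaves the path unquoted; `install -m 600 /dev/null "$IMA_POLICY_FILE"` creates it with the final mode in one step. The function starts before the first hunk.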
From: Tomahawkd Date: Wed, 30 Jul 2025 10:13:34 +0800 Subject: [PATCH 037/109] disable int.03, it is a user config --- os-harden-tools/conf/secharden.conf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/os-harden-tools/conf/secharden.conf b/os-harden-tools/conf/secharden.conf index 724902a..b1bac29 100644 --- a/os-harden-tools/conf/secharden.conf +++ b/os-harden-tools/conf/secharden.conf @@ -1,9 +1,5 @@ int.01: int.02: -int.03: -selinux_tags: - - ima_t - - ima2_t kern.01: kern.02: kern.03: -- Gitee From 2eb22f626da2ca6039133f26e59c70a14e800872 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Wed, 30 Jul 2025 11:36:33 +0800 Subject: [PATCH 038/109] adapt to uv structure --- os-harden-tools/os-harden-tool.spec | 49 +++++++++++++---- os-harden-tools/rule_metadata/__init__.py | 2 - .../rule_metadata/converters/__init__.py | 1 - .../empty/.gitkeep => secharden/README.md} | 0 .../{ => secharden}/pyproject.toml | 16 ++++-- .../{ => secharden/src/secharden}/VERSION | 0 .../src/secharden/__init__.py} | 0 .../src/secharden}/config_parser.py | 0 .../{ => secharden/src/secharden}/executor.py | 0 .../{ => secharden/src/secharden}/gendoc.py | 4 +- .../src/secharden/rule_metadata/__init__.py | 2 + .../rule_metadata/converters/__init__.py | 1 + .../rule_metadata/converters/file_list.py | 4 +- .../src/secharden}/rule_metadata/manager.py | 6 +-- .../src/secharden}/rule_metadata/metadata.py | 6 +-- .../secharden}/schema/categories.schema.json | 0 .../secharden}/schema/metadata.schema.json | 0 .../src/secharden}/secharden.py | 6 +-- .../{ => secharden/src/secharden}/utils.py | 0 .../collection_wrong_name/secharden.conf | 0 .../secharden.conf.d/nodash.conf | 0 .../secharden.conf.d/not-number.conf | 0 .../config_parser/collection/empty}/.gitkeep | 0 .../collection/full_collection/secharden.conf | 0 .../secharden.conf.d/01-test.conf | 0 .../secharden.conf.d/01-test.conf | 0 .../collection/single_file/secharden.conf | 0 .../config_parser/parser/intersect/1.conf | 0 .../config_parser/parser/intersect/2.conf | 0 .../parser/invalid_yaml/secharden.conf | 0 .../config_parser/parser/override/1.conf | 0 .../config_parser/parser/override/2.conf | 0 .../parser/single_file/secharden.conf | 0 .../parser/wrong_file/secharden.conf | 0 .../parser/wrong_file_in_collection/1.conf | 0 .../parser/wrong_file_in_collection/2.conf | 0 .../tests/config_parser/test_collection.py | 2 +- .../tests/config_parser/test_parser.py | 2 +- .../tests/executor/test_executor.py | 2 +- .../tests/rules/converter_sample.py | 4 +- .../directory_name_mismatch/metadata.json | 0 
.../metadata/entry_in_path/metadata.json | 0 .../metadata/entry_not_file/metadata.json | 0 .../rules/metadata/no_entry/metadata.json | 0 .../rules/metadata/no_metadata}/.gitkeep | 0 .../metadata/param/cmd_escape/metadata.json | 0 .../param/cmd_mismatch_id/metadata.json | 0 .../param/cmd_multi_placeholder/metadata.json | 0 .../param/cmd_no_placeholder/metadata.json | 0 .../metadata/param/cmd_noid/metadata.json | 0 .../param/cmd_placeholders/metadata.json | 0 .../metadata/param/cmd_single/metadata.json | 0 .../metadata/param/no_converter/metadata.json | 0 .../tests/rules/metadata/valid/metadata.json | 0 .../rules/metadata/valid_full/metadata.json | 0 .../rules/ruleset/execution/categories.json | 0 .../rules/ruleset/execution/test.01/entry.sh | 0 .../ruleset/execution/test.01/metadata.json | 0 .../rules/ruleset/execution/test.02/entry.sh | 0 .../ruleset/execution/test.02/metadata.json | 0 .../rules/ruleset/execution/test.03/entry.sh | 0 .../ruleset/execution/test.03/metadata.json | 0 .../rules/ruleset/execution/test.04/entry.sh | 0 .../ruleset/execution/test.04/metadata.json | 0 .../rules/ruleset/naming/categories.json | 0 .../ruleset/naming/invalid.01/metadata.json | 0 .../ruleset/naming/nocat.01/metadata.json | 0 .../rules/ruleset/naming/nometa.01/.gitkeep} | 0 .../tests/rules/ruleset/naming/notdir.01} | 0 .../ruleset/naming/test-02/metadata.json | 0 .../ruleset/naming/test.00/metadata.json | 0 .../ruleset/naming/test.01/metadata.json | 0 .../ruleset/naming/test.o3/metadata.json | 0 .../ruleset/naming/test1.01/metadata.json | 0 .../rules/ruleset/no_categories/.gitkeep | 0 .../secharden/tests/rules/ruleset/not_a_dir | 0 .../{ => secharden}/tests/rules/test_cmd.py | 4 +- .../tests/rules/test_converter.py | 4 +- .../tests/rules/test_metadata.py | 2 +- .../{ => secharden}/tests/rules/test_param.py | 2 +- .../tests/rules/test_rulemanager.py | 2 +- .../tests/rules/test_schema.py | 2 +- os-harden-tools/{ => secharden}/uv.lock | 54 +++++++++---------- 83 files changed, 107 
insertions(+), 70 deletions(-) delete mode 100644 os-harden-tools/rule_metadata/__init__.py delete mode 100644 os-harden-tools/rule_metadata/converters/__init__.py rename os-harden-tools/{tests/config_parser/collection/empty/.gitkeep => secharden/README.md} (100%) rename os-harden-tools/{ => secharden}/pyproject.toml (39%) rename os-harden-tools/{ => secharden/src/secharden}/VERSION (100%) rename os-harden-tools/{tests/rules/metadata/no_metadata/.gitkeep => secharden/src/secharden/__init__.py} (100%) rename os-harden-tools/{ => secharden/src/secharden}/config_parser.py (100%) rename os-harden-tools/{ => secharden/src/secharden}/executor.py (100%) rename os-harden-tools/{ => secharden/src/secharden}/gendoc.py (95%) create mode 100644 os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py create mode 100644 os-harden-tools/secharden/src/secharden/rule_metadata/converters/__init__.py rename os-harden-tools/{ => secharden/src/secharden}/rule_metadata/converters/file_list.py (94%) rename os-harden-tools/{ => secharden/src/secharden}/rule_metadata/manager.py (98%) rename os-harden-tools/{ => secharden/src/secharden}/rule_metadata/metadata.py (98%) rename os-harden-tools/{ => secharden/src/secharden}/schema/categories.schema.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/schema/metadata.schema.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/secharden.py (95%) rename os-harden-tools/{ => secharden/src/secharden}/utils.py (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/collection/collection_wrong_name/secharden.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf (100%) rename os-harden-tools/{tests/rules/ruleset/naming/nometa.01 => secharden/tests/config_parser/collection/empty}/.gitkeep (100%) rename 
os-harden-tools/{ => secharden}/tests/config_parser/collection/full_collection/secharden.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/collection/single_file/secharden.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/intersect/1.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/intersect/2.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/invalid_yaml/secharden.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/override/1.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/override/2.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/single_file/secharden.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/wrong_file/secharden.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/wrong_file_in_collection/1.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/parser/wrong_file_in_collection/2.conf (100%) rename os-harden-tools/{ => secharden}/tests/config_parser/test_collection.py (95%) rename os-harden-tools/{ => secharden}/tests/config_parser/test_parser.py (97%) rename os-harden-tools/{ => secharden}/tests/executor/test_executor.py (88%) rename os-harden-tools/{ => secharden}/tests/rules/converter_sample.py (84%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/directory_name_mismatch/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/entry_in_path/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/entry_not_file/metadata.json (100%) rename os-harden-tools/{ => 
secharden}/tests/rules/metadata/no_entry/metadata.json (100%) rename os-harden-tools/{tests/rules/ruleset/no_categories => secharden/tests/rules/metadata/no_metadata}/.gitkeep (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/cmd_escape/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/cmd_mismatch_id/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/cmd_no_placeholder/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/cmd_noid/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/cmd_placeholders/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/cmd_single/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/param/no_converter/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/valid/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/metadata/valid_full/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/categories.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/test.01/entry.sh (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/test.01/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/test.02/entry.sh (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/test.02/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/test.03/entry.sh (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/test.03/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/execution/test.04/entry.sh (100%) rename os-harden-tools/{ => 
secharden}/tests/rules/ruleset/execution/test.04/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/categories.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/invalid.01/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/nocat.01/metadata.json (100%) rename os-harden-tools/{tests/rules/ruleset/naming/notdir.01 => secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep} (100%) rename os-harden-tools/{tests/rules/ruleset/not_a_dir => secharden/tests/rules/ruleset/naming/notdir.01} (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/test-02/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/test.00/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/test.01/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/test.o3/metadata.json (100%) rename os-harden-tools/{ => secharden}/tests/rules/ruleset/naming/test1.01/metadata.json (100%) create mode 100644 os-harden-tools/secharden/tests/rules/ruleset/no_categories/.gitkeep create mode 100644 os-harden-tools/secharden/tests/rules/ruleset/not_a_dir rename os-harden-tools/{ => secharden}/tests/rules/test_cmd.py (96%) rename os-harden-tools/{ => secharden}/tests/rules/test_converter.py (94%) rename os-harden-tools/{ => secharden}/tests/rules/test_metadata.py (98%) rename os-harden-tools/{ => secharden}/tests/rules/test_param.py (98%) rename os-harden-tools/{ => secharden}/tests/rules/test_rulemanager.py (99%) rename os-harden-tools/{ => secharden}/tests/rules/test_schema.py (99%) rename os-harden-tools/{ => secharden}/uv.lock (99%) diff --git a/os-harden-tools/os-harden-tool.spec b/os-harden-tools/os-harden-tool.spec index bf3a61f..d4565bb 100644 --- a/os-harden-tools/os-harden-tool.spec +++ b/os-harden-tools/os-harden-tool.spec 
@@ -2,10 +2,15 @@ Summary: OS hardening toolkit Name : os-harden-tools Version: 1.0 Release: 1.0 -Source0: src -Source1: schema -Source2: tools -Source3: VERSION +Source0: secharden.py +Source1: executor.py +Source2: utils.py +Source3: config_parser.py +Source4: rule_metadata +Source5: tools +Source6: schema +Source7: conf +Source8: VERSION License: Mulan PSL v2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: python3 python3-pyyaml python3-jsonschema @@ -22,13 +27,22 @@ OS hardening toolkit %check %install -%{__install} -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/secharden -%{__install} -m0400 %{SOURCE1}/ $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf -%{__install} -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf.d +# install scripts %{__install} -d -m0755 $RPM_BUILD_ROOT%{_usr}/local/secharden %{__install} -m0500 %{SOURCE0} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__chmod} +x $RPM_BUILD_ROOT%{_usr}/local/secharden/main.py -%{__ln_s} ../secharden/main.py $RPM_BUILD_ROOT%{_usr}/local/bin/secharden +%{__install} -m0400 %{SOURCE1} $RPM_BUILD_ROOT%{_usr}/local/secharden +%{__install} -m0400 %{SOURCE2} $RPM_BUILD_ROOT%{_usr}/local/secharden +%{__install} -m0400 %{SOURCE3} $RPM_BUILD_ROOT%{_usr}/local/secharden +%{__install} -m0400 %{SOURCE4} $RPM_BUILD_ROOT%{_usr}/local/secharden +%{__install} -m0400 %{SOURCE5} $RPM_BUILD_ROOT%{_usr}/local/secharden +%{__install} -m0400 %{SOURCE6} $RPM_BUILD_ROOT%{_usr}/local/secharden +%{__install} -m0400 %{SOURCE8} $RPM_BUILD_ROOT%{_usr}/local/secharden +%{__ln_s} ../secharden/secharden.py $RPM_BUILD_ROOT%{_usr}/local/bin/secharden + +# install config files +%{__install} -d -m0755 $RPM_BUILD_ROOT%{_sysconfdir}/secharden +%{__install} -m0644 %{SOURCE7}/secharden.conf $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf +%{__install} -d -m0755 $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf.d %clean rm -rf $RPM_BUILD_ROOT 
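Review bot: In %install, `%{__install} -m0400 %{SOURCE4}` (and SOURCE5, SOURCE6) is applied to the `rule_metadata`, `tools` and `schema` directories, which `install` refuses with "omitting directory", and `%{__ln_s} ... $RPM_BUILD_ROOT%{_usr}/local/bin/secharden` targets a directory this section never creates, so the build is likely to stop here; add `%{__install} -d -m0755 $RPM_BUILD_ROOT%{_usr}/local/bin` before the link and copy the directory sources with `cp -a` plus an explicit `chmod -R`, or list their files individually. Source0–Source3 also still name flat `secharden.py`, `executor.py`, `utils.py`, `config_parser.py` while this same commit moves them under `secharden/src/secharden/` and rewrites their imports to `secharden.*`; unless the build pre-arranges a `secharden` package on sys.path, the flat layout installed into %{_usr}/local/secharden will not import. Installing the config with `-m0644` while %files declares `%attr(0400,...)` is harmless but worth aligning.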
@@ -43,8 +57,21 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) -%attr(0400,root,root) %config %{_sysconfdir}/smcpd.conf -%attr(0500,root,root) %{_sbindir}/smcpd +%attr(0500,root,root) %{_usr}/local/secharden/secharden.py +%attr(0400,root,root) %{_usr}/local/secharden/executor.py +%attr(0400,root,root) %{_usr}/local/secharden/utils.py +%attr(0400,root,root) %{_usr}/local/secharden/config_parser.py +%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/__init__.py +%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/manager.py +%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/metadata.py +%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/converters/__init__.py +%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/converters/file_list.py +%attr(0400,root,root) %{_usr}/local/secharden/schema/categories.schema.json +%attr(0400,root,root) %{_usr}/local/secharden/schema/metadata.schema.json +%attr(0400,root,root) %{_usr}/local/secharden/VERSION +%attr(0400,root,root) %config %{_sysconfdir}/secharden/secharden.conf +%attr(0400,root,root) %{_usr}/local/secharden/tools/categories.json +%attr(0500,root,root) %{_usr}/local/secharden/tools/utils.sh %changelog * Fri Jul 25 2025 Tomahawkd - 1.0-1.0 diff --git a/os-harden-tools/rule_metadata/__init__.py b/os-harden-tools/rule_metadata/__init__.py deleted file mode 100644 index 0652004..0000000 --- a/os-harden-tools/rule_metadata/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -from rule_metadata.metadata import RuleMetadata, RuleParameter, ConfigConverter, ConverterManager -from rule_metadata.manager import RuleManager diff --git a/os-harden-tools/rule_metadata/converters/__init__.py b/os-harden-tools/rule_metadata/converters/__init__.py deleted file mode 100644 index 8c33c72..0000000 --- a/os-harden-tools/rule_metadata/converters/__init__.py +++ /dev/null @@ -1 +0,0 @@ -from rule_metadata.converters.file_list import FileListConverter \ No newline at end of file 
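Review bot: The %files list names only `tools/categories.json` and `tools/utils.sh` under the tools tree and omits the `%{_usr}/local/bin/secharden` symlink and the `secharden.conf.d` directory that %install creates, so rpmbuild will report "Installed (but unpackaged) file(s) found" for the per-rule scripts such as tools/int.03/enforce_ima.sh unless that check is disabled; add `%{_usr}/local/bin/secharden`, `%dir %{_sysconfdir}/secharden/secharden.conf.d` and a glob for the rule scripts, e.g. `%attr(0500,root,root) %{_usr}/local/secharden/tools/*/*.sh`. Consider `%config(noreplace)` for secharden.conf as well, so that a package upgrade does not silently overwrite an administrator's hardening selection.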
diff --git a/os-harden-tools/tests/config_parser/collection/empty/.gitkeep b/os-harden-tools/secharden/README.md similarity index 100% rename from os-harden-tools/tests/config_parser/collection/empty/.gitkeep rename to os-harden-tools/secharden/README.md diff --git a/os-harden-tools/pyproject.toml b/os-harden-tools/secharden/pyproject.toml similarity index 39% rename from os-harden-tools/pyproject.toml rename to os-harden-tools/secharden/pyproject.toml index 6a14118..5b9f490 100644 --- a/os-harden-tools/pyproject.toml +++ b/os-harden-tools/secharden/pyproject.toml @@ -1,17 +1,27 @@ [project] -name = "os-harden-tools" +name = "secharden" version = "0.1.0" -description = "Add your description here" +description = "command line for os hardening configuration management" readme = "README.md" +authors = [ + { name = "Tomahawkd", email = "tomahawkd00@outlook.com" } +] requires-python = ">=3.11" dependencies = [ "jsonschema>=4.25.0", "pyyaml>=6.0.2", ] +[project.scripts] +secharden = "secharden.secharden:main" +gendoc = "secharden.gendoc:main" + +[build-system] +requires = ["uv_build>=0.8.0,<0.9"] +build-backend = "uv_build" + [dependency-groups] dev = [ "pytest>=8.4.1", "pytest-cov>=6.2.1", ] - diff --git a/os-harden-tools/VERSION b/os-harden-tools/secharden/src/secharden/VERSION similarity index 100% rename from os-harden-tools/VERSION rename to os-harden-tools/secharden/src/secharden/VERSION diff --git a/os-harden-tools/tests/rules/metadata/no_metadata/.gitkeep b/os-harden-tools/secharden/src/secharden/__init__.py similarity index 100% rename from os-harden-tools/tests/rules/metadata/no_metadata/.gitkeep rename to os-harden-tools/secharden/src/secharden/__init__.py diff --git a/os-harden-tools/config_parser.py b/os-harden-tools/secharden/src/secharden/config_parser.py similarity index 100% rename from os-harden-tools/config_parser.py rename to os-harden-tools/secharden/src/secharden/config_parser.py 
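Review bot: `readme = "README.md"` points at a file this commit creates by renaming an empty `.gitkeep` (the rename block just above the hunk), so the package metadata will carry an empty long description; either write a short README describing the secharden CLI and the rule/config layout, or drop the `readme` key until one exists. The console script named `gendoc` claims a very generic name on PATH for a documentation generator; `secharden-gendoc = "secharden.gendoc:main"` keeps it clearly scoped. `version = "0.1.0"` here, the `VERSION` file and the spec's `Version: 1.0` are three independent version sources; a comment stating which one is authoritative would help.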
diff --git a/os-harden-tools/executor.py b/os-harden-tools/secharden/src/secharden/executor.py similarity index 100% rename from os-harden-tools/executor.py rename to os-harden-tools/secharden/src/secharden/executor.py diff --git a/os-harden-tools/gendoc.py b/os-harden-tools/secharden/src/secharden/gendoc.py similarity index 95% rename from os-harden-tools/gendoc.py rename to os-harden-tools/secharden/src/secharden/gendoc.py index 565bb48..acec7cf 100644 --- a/os-harden-tools/gendoc.py +++ b/os-harden-tools/secharden/src/secharden/gendoc.py @@ -4,8 +4,8 @@ import argparse import logging from pathlib import Path -from rule_metadata import RuleManager -from utils import DirectoryPathVerifier, HOME_DIR +from secharden.rule_metadata import RuleManager +from secharden.utils import DirectoryPathVerifier, HOME_DIR TITLE = "安全 OS 配置工具" diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py b/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py new file mode 100644 index 0000000..8350519 --- /dev/null +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py @@ -0,0 +1,2 @@ +from secharden.rule_metadata.metadata import RuleMetadata, RuleParameter, ConfigConverter, ConverterManager +from secharden.rule_metadata.manager import RuleManager diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/converters/__init__.py b/os-harden-tools/secharden/src/secharden/rule_metadata/converters/__init__.py new file mode 100644 index 0000000..b3c6a38 --- /dev/null +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/converters/__init__.py @@ -0,0 +1 @@ +from secharden.rule_metadata.converters.file_list import FileListConverter \ No newline at end of file 
diff --git a/os-harden-tools/rule_metadata/converters/file_list.py b/os-harden-tools/secharden/src/secharden/rule_metadata/converters/file_list.py similarity index 94% rename from os-harden-tools/rule_metadata/converters/file_list.py rename to os-harden-tools/secharden/src/secharden/rule_metadata/converters/file_list.py index 353fe1c..9c5ff25 100644 --- a/os-harden-tools/rule_metadata/converters/file_list.py +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/converters/file_list.py @@ -1,7 +1,7 @@ from tempfile import NamedTemporaryFile import os -from executor import CmdParameter -from rule_metadata import RuleParameter, ConfigConverter +from secharden.executor import CmdParameter +from secharden.rule_metadata import RuleParameter, ConfigConverter class FileListConverter(ConfigConverter): diff --git a/os-harden-tools/rule_metadata/manager.py b/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py similarity index 98% rename from os-harden-tools/rule_metadata/manager.py rename to os-harden-tools/secharden/src/secharden/rule_metadata/manager.py index 82ba835..0474bc0 100644 --- a/os-harden-tools/rule_metadata/manager.py +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py @@ -4,9 +4,9 @@ from typing import List, Dict, Any import jsonschema -from executor import CmdExecutor, CmdParameter -from rule_metadata import RuleMetadata -from utils import load_json_file, HOME_DIR +from secharden.executor import CmdExecutor, CmdParameter +from secharden.rule_metadata import RuleMetadata +from secharden.utils import load_json_file, HOME_DIR def precheck(rule_path: Path) -> bool: diff --git a/os-harden-tools/rule_metadata/metadata.py b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py similarity index 98% rename from os-harden-tools/rule_metadata/metadata.py rename to os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py index 82d61b5..4b44782 100644 --- a/os-harden-tools/rule_metadata/metadata.py 
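Review bot: manager.py now imports `RuleMetadata` from the package `secharden.rule_metadata` rather than from `secharden.rule_metadata.metadata`, while the package `__init__` in turn imports manager; this only works because `__init__.py` imports metadata before manager, so the order of those two lines is load-bearing. Importing `from secharden.rule_metadata.metadata import RuleMetadata` here (and likewise `RuleParameter, ConfigConverter` in converters/file_list.py) removes the dependence on `__init__` ordering. `precheck` continues outside this hunk.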
+++ b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py @@ -6,8 +6,8 @@ from typing import List, Dict, Any, Optional import jsonschema -from executor import CmdTemplate, CmdParameter -from utils import load_json_file, HOME_DIR +from secharden.executor import CmdTemplate, CmdParameter +from secharden.utils import load_json_file, HOME_DIR class RuleParameter: @@ -128,7 +128,7 @@ class ConverterManager: def __init__(self): # load all converters from rules.converters - import rule_metadata.converters + import secharden.rule_metadata.converters self._converter: Dict[str, type[ConfigConverter]] = {} for cls in ConfigConverter.__subclasses__(): self._converter[cls.__name__] = cls diff --git a/os-harden-tools/schema/categories.schema.json b/os-harden-tools/secharden/src/secharden/schema/categories.schema.json similarity index 100% rename from os-harden-tools/schema/categories.schema.json rename to os-harden-tools/secharden/src/secharden/schema/categories.schema.json diff --git a/os-harden-tools/schema/metadata.schema.json b/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json similarity index 100% rename from os-harden-tools/schema/metadata.schema.json rename to os-harden-tools/secharden/src/secharden/schema/metadata.schema.json diff --git a/os-harden-tools/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py similarity index 95% rename from os-harden-tools/secharden.py rename to os-harden-tools/secharden/src/secharden/secharden.py index f010fa8..d360961 100644 --- a/os-harden-tools/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py 
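Review bot: ConverterManager.__init__ registers converters with `self._converter[cls.__name__] = cls`, keyed by the bare class name, so two converter classes that share a name would silently overwrite each other, and `ConfigConverter.__subclasses__()` returns only direct subclasses, so a converter derived from another converter is never registered; at minimum raise on a duplicate, `if cls.__name__ in self._converter: raise ValueError(f"duplicate converter name {cls.__name__}")`, and document that only direct subclasses of ConfigConverter are discovered. The `import secharden.rule_metadata.converters` inside `__init__` is what causes the converter classes to be defined before the scan; a one-line comment saying `# importing the package defines the converter subclasses scanned below` would make that intent clear. The class starts before this hunk.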
@@ -4,9 +4,9 @@ import argparse import logging from pathlib import Path -from config_parser import parse_config, collect_configs -from rule_metadata import RuleManager -from utils import DirectoryPathVerifier, HOME_DIR +from secharden.config_parser import parse_config, collect_configs +from secharden.rule_metadata import RuleManager +from secharden.utils import DirectoryPathVerifier, HOME_DIR def list_rules(args): diff --git a/os-harden-tools/utils.py b/os-harden-tools/secharden/src/secharden/utils.py similarity index 100% rename from os-harden-tools/utils.py rename to os-harden-tools/secharden/src/secharden/utils.py diff --git a/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf b/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf rename to os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf diff --git a/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf b/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf rename to os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf diff --git a/os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf b/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf rename to os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf 
diff --git a/os-harden-tools/tests/rules/ruleset/naming/nometa.01/.gitkeep b/os-harden-tools/secharden/tests/config_parser/collection/empty/.gitkeep similarity index 100% rename from os-harden-tools/tests/rules/ruleset/naming/nometa.01/.gitkeep rename to os-harden-tools/secharden/tests/config_parser/collection/empty/.gitkeep diff --git a/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf b/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf rename to os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf diff --git a/os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf b/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf rename to os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf diff --git a/os-harden-tools/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf b/os-harden-tools/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf rename to os-harden-tools/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf diff --git a/os-harden-tools/tests/config_parser/collection/single_file/secharden.conf b/os-harden-tools/secharden/tests/config_parser/collection/single_file/secharden.conf similarity index 100% rename from os-harden-tools/tests/config_parser/collection/single_file/secharden.conf rename to os-harden-tools/secharden/tests/config_parser/collection/single_file/secharden.conf 
diff --git a/os-harden-tools/tests/config_parser/parser/intersect/1.conf b/os-harden-tools/secharden/tests/config_parser/parser/intersect/1.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/intersect/1.conf rename to os-harden-tools/secharden/tests/config_parser/parser/intersect/1.conf diff --git a/os-harden-tools/tests/config_parser/parser/intersect/2.conf b/os-harden-tools/secharden/tests/config_parser/parser/intersect/2.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/intersect/2.conf rename to os-harden-tools/secharden/tests/config_parser/parser/intersect/2.conf diff --git a/os-harden-tools/tests/config_parser/parser/invalid_yaml/secharden.conf b/os-harden-tools/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/invalid_yaml/secharden.conf rename to os-harden-tools/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf diff --git a/os-harden-tools/tests/config_parser/parser/override/1.conf b/os-harden-tools/secharden/tests/config_parser/parser/override/1.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/override/1.conf rename to os-harden-tools/secharden/tests/config_parser/parser/override/1.conf diff --git a/os-harden-tools/tests/config_parser/parser/override/2.conf b/os-harden-tools/secharden/tests/config_parser/parser/override/2.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/override/2.conf rename to os-harden-tools/secharden/tests/config_parser/parser/override/2.conf diff --git a/os-harden-tools/tests/config_parser/parser/single_file/secharden.conf b/os-harden-tools/secharden/tests/config_parser/parser/single_file/secharden.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/single_file/secharden.conf rename to os-harden-tools/secharden/tests/config_parser/parser/single_file/secharden.conf 
diff --git a/os-harden-tools/tests/config_parser/parser/wrong_file/secharden.conf b/os-harden-tools/secharden/tests/config_parser/parser/wrong_file/secharden.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/wrong_file/secharden.conf rename to os-harden-tools/secharden/tests/config_parser/parser/wrong_file/secharden.conf diff --git a/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/1.conf b/os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/1.conf rename to os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf diff --git a/os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/2.conf b/os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf similarity index 100% rename from os-harden-tools/tests/config_parser/parser/wrong_file_in_collection/2.conf rename to os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf diff --git a/os-harden-tools/tests/config_parser/test_collection.py b/os-harden-tools/secharden/tests/config_parser/test_collection.py similarity index 95% rename from os-harden-tools/tests/config_parser/test_collection.py rename to os-harden-tools/secharden/tests/config_parser/test_collection.py index b3d8379..ef75271 100644 --- a/os-harden-tools/tests/config_parser/test_collection.py +++ b/os-harden-tools/secharden/tests/config_parser/test_collection.py @@ -2,7 +2,7 @@ from pathlib import Path import pytest -from config_parser import collect_configs +from secharden.config_parser import collect_configs class TestConfigCollector: @pytest.fixture 
diff --git a/os-harden-tools/tests/config_parser/test_parser.py b/os-harden-tools/secharden/tests/config_parser/test_parser.py similarity index 97% rename from os-harden-tools/tests/config_parser/test_parser.py rename to os-harden-tools/secharden/tests/config_parser/test_parser.py index 712fb6f..5c10e78 100644 --- a/os-harden-tools/tests/config_parser/test_parser.py +++ b/os-harden-tools/secharden/tests/config_parser/test_parser.py @@ -2,7 +2,7 @@ from pathlib import Path import pytest -from config_parser import parse_config +from secharden.config_parser import parse_config class TestConfigParser: @pytest.fixture diff --git a/os-harden-tools/tests/executor/test_executor.py b/os-harden-tools/secharden/tests/executor/test_executor.py similarity index 88% rename from os-harden-tools/tests/executor/test_executor.py rename to os-harden-tools/secharden/tests/executor/test_executor.py index bf65ce8..0871890 100644 --- a/os-harden-tools/tests/executor/test_executor.py +++ b/os-harden-tools/secharden/tests/executor/test_executor.py @@ -2,7 +2,7 @@ from pathlib import Path import pytest -from executor import CmdExecutor, CmdTemplate, CmdParameter +from secharden.executor import CmdExecutor, CmdTemplate, CmdParameter class TestExecutor: diff --git a/os-harden-tools/tests/rules/converter_sample.py b/os-harden-tools/secharden/tests/rules/converter_sample.py similarity index 84% rename from os-harden-tools/tests/rules/converter_sample.py rename to os-harden-tools/secharden/tests/rules/converter_sample.py index 7a8e089..4107c44 100644 --- a/os-harden-tools/tests/rules/converter_sample.py +++ b/os-harden-tools/secharden/tests/rules/converter_sample.py @@ -1,5 +1,5 @@ -from rule_metadata import ConfigConverter, RuleParameter -from executor import CmdParameter +from secharden.rule_metadata import ConfigConverter, RuleParameter +from secharden.executor import CmdParameter class TestConverter(ConfigConverter): def __init__(self): 
diff --git a/os-harden-tools/tests/rules/metadata/directory_name_mismatch/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/directory_name_mismatch/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/entry_in_path/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/entry_in_path/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/entry_in_path/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/entry_in_path/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/entry_not_file/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/entry_not_file/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/entry_not_file/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/entry_not_file/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/no_entry/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/no_entry/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/no_entry/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/no_entry/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/no_categories/.gitkeep b/os-harden-tools/secharden/tests/rules/metadata/no_metadata/.gitkeep
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/no_categories/.gitkeep
rename to os-harden-tools/secharden/tests/rules/metadata/no_metadata/.gitkeep
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_escape/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/cmd_escape/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_mismatch_id/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_no_placeholder/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_noid/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/cmd_noid/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_placeholders/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/cmd_placeholders/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/param/cmd_single/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/cmd_single/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/cmd_single/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/cmd_single/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/param/no_converter/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/param/no_converter/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/param/no_converter/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/param/no_converter/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/valid/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/valid/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/valid/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/valid/metadata.json
diff --git a/os-harden-tools/tests/rules/metadata/valid_full/metadata.json b/os-harden-tools/secharden/tests/rules/metadata/valid_full/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/metadata/valid_full/metadata.json
rename to os-harden-tools/secharden/tests/rules/metadata/valid_full/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/execution/categories.json b/os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/categories.json
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/entry.sh
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.01/entry.sh
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/entry.sh
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.01/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.01/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/entry.sh
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.02/entry.sh
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/entry.sh
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.02/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.02/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/entry.sh
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.03/entry.sh
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/entry.sh
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.03/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.03/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/entry.sh
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.04/entry.sh
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/entry.sh
diff --git a/os-harden-tools/tests/rules/ruleset/execution/test.04/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/execution/test.04/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/categories.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/categories.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/invalid.01/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/invalid.01/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/nocat.01/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/nocat.01/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/notdir.01 b/os-harden-tools/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/notdir.01
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
diff --git a/os-harden-tools/tests/rules/ruleset/not_a_dir b/os-harden-tools/secharden/tests/rules/ruleset/naming/notdir.01
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/not_a_dir
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/notdir.01
diff --git a/os-harden-tools/tests/rules/ruleset/naming/test-02/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/test-02/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/test-02/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/test-02/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/test.00/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/test.00/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/test.00/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/test.00/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/test.01/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/test.01/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/test.01/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/test.01/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/test.o3/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/test.o3/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
diff --git a/os-harden-tools/tests/rules/ruleset/naming/test1.01/metadata.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
similarity index 100%
rename from os-harden-tools/tests/rules/ruleset/naming/test1.01/metadata.json
rename to os-harden-tools/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/no_categories/.gitkeep b/os-harden-tools/secharden/tests/rules/ruleset/no_categories/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/not_a_dir b/os-harden-tools/secharden/tests/rules/ruleset/not_a_dir
new file mode 100644
index 0000000..e69de29
diff --git a/os-harden-tools/tests/rules/test_cmd.py b/os-harden-tools/secharden/tests/rules/test_cmd.py
similarity index 96%
rename from os-harden-tools/tests/rules/test_cmd.py
rename to os-harden-tools/secharden/tests/rules/test_cmd.py
index 9c08283..31a0362 100644
--- a/os-harden-tools/tests/rules/test_cmd.py
+++ b/os-harden-tools/secharden/tests/rules/test_cmd.py
@@ -2,8 +2,8 @@ from pathlib import Path import pytest -from rule_metadata import RuleMetadata -from executor import CmdParameter +from secharden.rule_metadata import RuleMetadata +from secharden.executor import CmdParameter class TestCmdParam: diff --git a/os-harden-tools/tests/rules/test_converter.py b/os-harden-tools/secharden/tests/rules/test_converter.py similarity index 94% rename from os-harden-tools/tests/rules/test_converter.py rename to os-harden-tools/secharden/tests/rules/test_converter.py index 75841e6..2289364 100644 --- a/os-harden-tools/tests/rules/test_converter.py +++ b/os-harden-tools/secharden/tests/rules/test_converter.py @@ -2,8 +2,8 @@ from pathlib import Path import pytest -from rule_metadata import RuleMetadata -from executor import CmdParameter +from secharden.rule_metadata import RuleMetadata +from secharden.executor import CmdParameter class TestConverter: diff --git a/os-harden-tools/tests/rules/test_metadata.py b/os-harden-tools/secharden/tests/rules/test_metadata.py similarity index 98% rename from os-harden-tools/tests/rules/test_metadata.py rename to os-harden-tools/secharden/tests/rules/test_metadata.py index 6f237cc..012e95c 100644 --- a/os-harden-tools/tests/rules/test_metadata.py +++ b/os-harden-tools/secharden/tests/rules/test_metadata.py @@ -2,7 +2,7 @@ from pathlib import Path import pytest -from rule_metadata import RuleMetadata +from secharden.rule_metadata import RuleMetadata class TestMetadata: diff --git a/os-harden-tools/tests/rules/test_param.py b/os-harden-tools/secharden/tests/rules/test_param.py similarity index 98% rename from os-harden-tools/tests/rules/test_param.py rename to os-harden-tools/secharden/tests/rules/test_param.py index e3aa65e..6ee26a7 100644 --- a/os-harden-tools/tests/rules/test_param.py +++ b/os-harden-tools/secharden/tests/rules/test_param.py 
@@ -2,7 +2,7 @@ from pathlib import Path import pytest -from rule_metadata import RuleMetadata +from secharden.rule_metadata import RuleMetadata class TestMetadataParam: diff --git a/os-harden-tools/tests/rules/test_rulemanager.py b/os-harden-tools/secharden/tests/rules/test_rulemanager.py similarity index 99% rename from os-harden-tools/tests/rules/test_rulemanager.py rename to os-harden-tools/secharden/tests/rules/test_rulemanager.py index 2a7bf14..65669c1 100644 --- a/os-harden-tools/tests/rules/test_rulemanager.py +++ b/os-harden-tools/secharden/tests/rules/test_rulemanager.py @@ -2,7 +2,7 @@ import logging from pathlib import Path import pytest -from rule_metadata.manager import RuleManager, precheck +from secharden.rule_metadata.manager import RuleManager, precheck class TestRuleManager: diff --git a/os-harden-tools/tests/rules/test_schema.py b/os-harden-tools/secharden/tests/rules/test_schema.py similarity index 99% rename from os-harden-tools/tests/rules/test_schema.py rename to os-harden-tools/secharden/tests/rules/test_schema.py index 95fe9a2..2794e64 100644 --- a/os-harden-tools/tests/rules/test_schema.py +++ b/os-harden-tools/secharden/tests/rules/test_schema.py @@ -1,7 +1,7 @@ import jsonschema import pytest -from rule_metadata import RuleMetadata +from secharden.rule_metadata import RuleMetadata class TestSchema: diff --git a/os-harden-tools/uv.lock b/os-harden-tools/secharden/uv.lock similarity index 99% rename from os-harden-tools/uv.lock rename to os-harden-tools/secharden/uv.lock index 134eb6d..4187094 100644 --- a/os-harden-tools/uv.lock +++ b/os-harden-tools/secharden/uv.lock 
@@ -136,33 +136,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/01/0e/b27cdbaccf30b890c40ed1da9fd4a3593a5cf94dae54fb34f8a4b74fcd3f/jsonschema_specifications-2025.4.1-py3-none-any.whl", hash = "sha256:4653bffbd6584f7de83a67e0d620ef16900b390ddc7939d56684d6c81e33f1af", size = 18437, upload-time = "2025-04-23T12:34:05.422Z" }, ] -[[package]] -name = "os-harden-tools" -version = "0.1.0" -source = { virtual = "." } -dependencies = [ - { name = "jsonschema" }, - { name = "pyyaml" }, -] - -[package.dev-dependencies] -dev = [ - { name = "pytest" }, - { name = "pytest-cov" }, -] - -[package.metadata] -requires-dist = [ - { name = "jsonschema", specifier = ">=4.25.0" }, - { name = "pyyaml", specifier = ">=6.0.2" }, -] - -[package.metadata.requires-dev] -dev = [ - { name = "pytest", specifier = ">=8.4.1" }, - { name = "pytest-cov", specifier = ">=6.2.1" }, -] - [[package]] name = "packaging" version = "25.0" @@ -370,6 +343,33 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/c8/ed/9de62c2150ca8e2e5858acf3f4f4d0d180a38feef9fdab4078bea63d8dba/rpds_py-0.26.0-pp311-pypy311_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:e99685fc95d386da368013e7fb4269dd39c30d99f812a8372d62f244f662709c", size = 555334, upload-time = "2025-07-01T15:56:51.703Z" }, ] +[[package]] +name = "secharden" +version = "0.1.0" +source = { editable = "." } +dependencies = [ + { name = "jsonschema" }, + { name = "pyyaml" }, +] + +[package.dev-dependencies] +dev = [ + { name = "pytest" }, + { name = "pytest-cov" }, +] + +[package.metadata] +requires-dist = [ + { name = "jsonschema", specifier = ">=4.25.0" }, + { name = "pyyaml", specifier = ">=6.0.2" }, +] + +[package.metadata.requires-dev] +dev = [ + { name = "pytest", specifier = ">=8.4.1" }, + { name = "pytest-cov", specifier = ">=6.2.1" }, +] + [[package]] name = "tomli" version = "2.2.1" -- Gitee From 268de64a16d18186399913639792bed7e3b736e8 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Wed, 30 Jul 2025 12:25:13 +0800 Subject: [PATCH 039/109] use draft07 as meta schema --- .../secharden/src/secharden/config_parser.py | 2 +- .../src/secharden/schema/categories.schema.json | 1 + .../src/secharden/schema/metadata.schema.json | 14 ++++++++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/config_parser.py b/os-harden-tools/secharden/src/secharden/config_parser.py index 11a7e8a..f7e65f6 100644 --- a/os-harden-tools/secharden/src/secharden/config_parser.py +++ b/os-harden-tools/secharden/src/secharden/config_parser.py @@ -7,7 +7,7 @@ import jsonschema # just limit to dict is enough CHECK_SCHEMA = { - "$schema": "https://json-schema.org/draft-04/schema", + "$schema": "http://json-schema.org/draft-07/schema#", "id": "./categories.schema.json", "title": "Tool categories metadata Schema", "description": "Schema file for tool categories specification", diff --git a/os-harden-tools/secharden/src/secharden/schema/categories.schema.json b/os-harden-tools/secharden/src/secharden/schema/categories.schema.json index 5940556..f478bce 100644 --- a/os-harden-tools/secharden/src/secharden/schema/categories.schema.json +++ b/os-harden-tools/secharden/src/secharden/schema/categories.schema.json @@ -1,4 +1,5 @@ { + "$schema": "http://json-schema.org/draft-07/schema#", "id": "./categories.schema.json", "title": "Tool categories metadata Schema", "description": "Schema file for tool categories specification", diff --git a/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json b/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json index 40e328a..1131890 100644 --- a/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json +++ b/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json 
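Review bot: The `"id"` key kept as context directly under the new `$schema` line is the draft-04 spelling of the identifier keyword; draft-07 renamed it to `$id`, so a draft-07 validator ignores it and it should read `"$id": "./categories.schema.json"` (the `id` keys in the two schema files touched by this commit have the same problem). The `id`/`title` here also describe the categories schema even though `CHECK_SCHEMA` validates the parsed tool configuration, which will confuse anyone reading a `ValidationError` that quotes it; `"title": "Tool configuration Schema"` would be more accurate. Moving to the canonical draft-07 URI is the right call, since `jsonschema` selects the validator class from `$schema` and, as far as I recall, treats an unrecognised string such as the previous `https://json-schema.org/draft-04/schema` as the latest draft with only a deprecation warning. `CHECK_SCHEMA` continues past the end of the hunk.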
@@ -1,4 +1,5 @@ { + "$schema": "http://json-schema.org/draft-07/schema#", "id": "./metadata.json", "title": "Tool metadata Schema", "description": "Schema file for tool declaration", @@ -49,7 +50,13 @@ "description": "command option for parameter to pass into the script, leave blank if no command option" } }, - "required": ["id", "name", "description", "converter", "cmd_template"] + "required": [ + "id", + "name", + "description", + "converter", + "cmd_template" + ] } }, "urls": { @@ -67,7 +74,10 @@ "description": "url link" } }, - "required": ["title", "url"] + "required": [ + "title", + "url" + ] } } }, -- Gitee From cf76d5339f5452b244bfc2abfddbfee813cc26d0 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 14:10:15 +0800 Subject: [PATCH 040/109] import using init.py --- .../secharden/src/secharden/rule_metadata/__init__.py | 1 + .../secharden/src/secharden/rule_metadata/metadata.py | 2 -- os-harden-tools/secharden/tests/rules/__init__.py | 1 + os-harden-tools/secharden/tests/rules/test_cmd.py | 1 - os-harden-tools/secharden/tests/rules/test_converter.py | 1 - os-harden-tools/secharden/tests/rules/test_param.py | 1 - os-harden-tools/secharden/tests/rules/test_rulemanager.py | 4 ---- 7 files changed, 2 insertions(+), 9 deletions(-) create mode 100644 os-harden-tools/secharden/tests/rules/__init__.py diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py b/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py index 8350519..e98ed97 100644 --- a/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py @@ -1,2 +1,3 @@ from secharden.rule_metadata.metadata import RuleMetadata, RuleParameter, ConfigConverter, ConverterManager from secharden.rule_metadata.manager import RuleManager +import secharden.rule_metadata.converters \ No newline at end of file 
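Review bot: The added `import secharden.rule_metadata.converters` is a side-effect import — it is what makes the converter subclasses exist before `ConverterManager` enumerates `ConfigConverter.__subclasses__()` — but nothing marks it as such, so a linter or an IDE "optimize imports" pass will delete it as unused and empty the converter registry without any error. Annotate the intent, e.g. `import secharden.rule_metadata.converters  # noqa: F401  (side effect: registers ConfigConverter subclasses)`, and add the trailing newline the diff flags as missing. Since this file now defines the package's public surface, an explicit `__all__ = ["RuleMetadata", "RuleParameter", "ConfigConverter", "ConverterManager", "RuleManager"]` would also keep the re-exports from being reported as unused.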
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py index 4b44782..d3159ad 100644 --- a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py @@ -127,8 +127,6 @@ class ConverterManager: return cls._instance def __init__(self): - # load all converters from rules.converters - import secharden.rule_metadata.converters self._converter: Dict[str, type[ConfigConverter]] = {} for cls in ConfigConverter.__subclasses__(): self._converter[cls.__name__] = cls diff --git a/os-harden-tools/secharden/tests/rules/__init__.py b/os-harden-tools/secharden/tests/rules/__init__.py new file mode 100644 index 0000000..669a9e5 --- /dev/null +++ b/os-harden-tools/secharden/tests/rules/__init__.py @@ -0,0 +1 @@ +from rules.converter_sample import TestConverter \ No newline at end of file diff --git a/os-harden-tools/secharden/tests/rules/test_cmd.py b/os-harden-tools/secharden/tests/rules/test_cmd.py index 31a0362..e9a42ed 100644 --- a/os-harden-tools/secharden/tests/rules/test_cmd.py +++ b/os-harden-tools/secharden/tests/rules/test_cmd.py @@ -37,7 +37,6 @@ class TestCmdParam: assert str(e.value) == "Variable file not found in variable collection" def test_cmd_placeholders(self, config_test_path): - from converter_sample import TestConverter r = RuleMetadata(config_test_path.joinpath("cmd_placeholders")) param = CmdParameter(r.parameters[0].cmd_template) param.add_variable('file1', 'cmd_placeholders1') diff --git a/os-harden-tools/secharden/tests/rules/test_converter.py b/os-harden-tools/secharden/tests/rules/test_converter.py index 2289364..5096005 100644 --- a/os-harden-tools/secharden/tests/rules/test_converter.py +++ b/os-harden-tools/secharden/tests/rules/test_converter.py 
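Review bot: With the discovery import moved out of `ConverterManager.__init__`, the registry still keys converters by bare class name, `self._converter[cls.__name__] = cls`, so two `ConfigConverter` subclasses that share a name (a project converter and the test sample `TestConverter`, for instance) silently overwrite each other with whichever module was imported last. Guard the loop with `if cls.__name__ in self._converter: raise ValueError(f"Duplicate converter name: {cls.__name__}")` before the assignment, or key by `f"{cls.__module__}.{cls.__qualname__}"`. Note also that `__subclasses__()` returns direct subclasses only, so a converter derived from another converter is never registered — worth a comment saying whether that is intended. `__init__` continues past the end of the hunk.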
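Review bot: `from rules.converter_sample import TestConverter` treats `rules` as a top-level package, which presumably only resolves because pytest's default import mode prepends the first ancestor without an `__init__.py` (here `tests/`) to `sys.path`; running with `--import-mode=importlib`, from another working directory, or adding a `tests/__init__.py` later would break it. A package-relative `from .converter_sample import TestConverter` works however the package is reached. A one-line comment stating that the import exists only so `TestConverter` is registered with `ConverterManager` before any test runs, plus the missing trailing newline, would finish the file.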
@@ -34,7 +34,6 @@ class TestConverter: converter.cleanup() def test_cmd_placeholders(self, config_test_path): - from converter_sample import TestConverter r = RuleMetadata(config_test_path.joinpath("cmd_placeholders")) param = r.parameters[0] converter = param.converter() diff --git a/os-harden-tools/secharden/tests/rules/test_param.py b/os-harden-tools/secharden/tests/rules/test_param.py index 6ee26a7..9fce0e7 100644 --- a/os-harden-tools/secharden/tests/rules/test_param.py +++ b/os-harden-tools/secharden/tests/rules/test_param.py @@ -58,7 +58,6 @@ class TestMetadataParam: assert r.parameters[0].cmd_template.variable_index == {'file': [0]} def test_cmd_placeholders(self, config_test_path): - from converter_sample import TestConverter r = RuleMetadata(config_test_path.joinpath("cmd_placeholders")) assert r.parameters[0].id == 'xxx' assert r.parameters[0].name == 'xxx' diff --git a/os-harden-tools/secharden/tests/rules/test_rulemanager.py b/os-harden-tools/secharden/tests/rules/test_rulemanager.py index 65669c1..434d299 100644 --- a/os-harden-tools/secharden/tests/rules/test_rulemanager.py +++ b/os-harden-tools/secharden/tests/rules/test_rulemanager.py @@ -161,7 +161,6 @@ class TestRuleManager: assert "Failed to execute command for rule test.02." in caplog.text def test_rule_manager_apply_rule_miss_param(self, rule_path): - from converter_sample import TestConverter execution = rule_path.joinpath("execution").resolve() manager = RuleManager(execution) @@ -170,7 +169,6 @@ class TestRuleManager: assert str(e.value) == "Parameter input is missing in the configuration for rule test.03." def test_rule_manager_apply_rule_invalid_param(self, rule_path, caplog): - from converter_sample import TestConverter execution = rule_path.joinpath("execution").resolve() manager = RuleManager(execution) 
@@ -180,7 +178,6 @@ class TestRuleManager: assert "Failed to generate command line on parameter input." in caplog.text def test_rule_manager_apply_rule_with_param(self, rule_path, caplog): - from converter_sample import TestConverter execution = rule_path.joinpath("execution").resolve() manager = RuleManager(execution) @@ -192,7 +189,6 @@ class TestRuleManager: assert f'hello file1.txt file2.txt' def test_rule_manager_apply_rule_invalid_param_second(self, rule_path, caplog): - from converter_sample import TestConverter execution = rule_path.joinpath("execution").resolve() manager = RuleManager(execution) -- Gitee From c1a42b177eec8f9e6f9728bf52cd0ae4bca51263 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 14:48:12 +0800 Subject: [PATCH 041/109] minor adjust rule manager --- .../src/secharden/rule_metadata/manager.py | 13 ++++++++----- .../secharden/src/secharden/secharden.py | 5 +++-- .../secharden/tests/rules/test_rulemanager.py | 18 ++++++++++-------- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py b/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py index 0474bc0..2395db4 100644 --- a/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py @@ -35,6 +35,7 @@ class RuleManager: """ RuleManager is responsible for managing rules and categories in a specified directory. """ + def __init__(self, rules_dir: Path): """ Initializes the RuleManager with the specified rules directory. 
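Review bot: `assert f'hello file1.txt file2.txt'` at the top of the hunk is a no-op — a non-empty string literal is always truthy, so `test_rule_manager_apply_rule_with_param` passes regardless of what the rule actually executed. It presumably meant to check the command output; `assert 'hello file1.txt file2.txt' in caplog.text` is the likely intent given `caplog` is a fixture of that test, but confirm where the executor writes the output before relying on it. The body of that test starts before this hunk.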
@@ -45,13 +46,15 @@ class RuleManager: :raises jsonschema.ValidationError: If the categories.json file does not conform to the schema """ self._dir = rules_dir.resolve() - if not self._dir.exists(): - raise FileNotFoundError(f"Rules directory does not exist: {self._dir}") - if not self._dir.is_dir(): - raise NotADirectoryError(f"Path is not a directory: {self._dir}") - self._rules: List[str] = [] self._categories: Dict[str, Dict[str, Any]] = {} + + if not self._dir.exists(): + logging.error(f"Rules directory does not exist: {self._dir}") + return + if not self._dir.is_dir(): + logging.error(f"Path is not a directory: {self._dir}") + return self.reload_rules() @property diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index d360961..7cbdec4 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py @@ -92,8 +92,9 @@ def main(): try: args = args.parse_args() - except argparse.ArgumentTypeError: - print("Error parsing arguments. Use 'secharden --help' for usage information.") + except argparse.ArgumentTypeError as e: + print(f"Error parsing arguments: {e}") + print("Use 'secharden --help' for usage information.") return # setup logging diff --git a/os-harden-tools/secharden/tests/rules/test_rulemanager.py b/os-harden-tools/secharden/tests/rules/test_rulemanager.py index 434d299..ff490e1 100644 --- a/os-harden-tools/secharden/tests/rules/test_rulemanager.py +++ b/os-harden-tools/secharden/tests/rules/test_rulemanager.py 
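Review bot: Replacing the `FileNotFoundError`/`NotADirectoryError` raises with `logging.error(...)` plus `return` turns a misconfigured rules path into a silently empty rule set: `RuleManager(...)` now succeeds, `rules` is `[]`, and an `apply` run has nothing to apply while the process presumably still exits 0 — a dangerous failure mode for a hardening tool that an operator will assume has changed the system. If the goal is to tolerate a missing default directory, keep raising for an explicitly supplied path, or expose the state (e.g. an `is_valid` property) so the CLI can exit non-zero. The docstring's `:raises` list, which begins before this hunk, must be updated for whichever behaviour is kept. Since the `entry.sh` scripts under this directory appear to be executed by the tool, this is also the natural place to check that the directory is root-owned and not group/world-writable before loading from it, if the scripts run with elevated privileges — confirm against the executor.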
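Review bot: The `except argparse.ArgumentTypeError` branch ends with `return`, so a rejected `-r` path makes `main()` return normally and the process exits with status 0, which scripts driving the tool will read as success; use `raise SystemExit(2)` (argparse's own usage-error status) after the two `print` calls. Note also that this branch is only reached for an `ArgumentTypeError` raised from an `Action.__call__` such as `RuleManagerBuilder`; when a `type=` callable raises it, argparse converts it to `ArgumentError` and reports it itself via `parser.error()`, so the friendlier message would not be shown in that case. `main()` begins before this hunk.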
@@ -42,15 +42,17 @@ class TestRuleManager: assert not precheck(no_metadata) assert f"Rule path {no_metadata} does not contain a metadata.json file" in caplog.text - def test_rule_manager_not_dir(self, rule_path): - with pytest.raises(NotADirectoryError) as e: - RuleManager(rule_path.joinpath("not_a_dir")) - assert str(e.value) == f"Path is not a directory: {rule_path.joinpath('not_a_dir').resolve()}" + def test_rule_manager_not_dir(self, rule_path, caplog): + with caplog.at_level(logging.ERROR): + r = RuleManager(rule_path.joinpath("not_a_dir")) + assert f"Path is not a directory: {rule_path.joinpath('not_a_dir').resolve()}" in caplog.text + assert len(r.rules) == 0 - def test_rule_manager_not_found(self, rule_path): - with pytest.raises(FileNotFoundError) as e: - RuleManager(rule_path.joinpath("non_existent_dir")) - assert str(e.value) == f"Rules directory does not exist: {rule_path.joinpath('non_existent_dir').resolve()}" + def test_rule_manager_not_found(self, rule_path, caplog): + with caplog.at_level(logging.ERROR): + r = RuleManager(rule_path.joinpath("non_existent_dir")) + assert f"Rules directory does not exist: {rule_path.joinpath('non_existent_dir').resolve()}" in caplog.text + assert len(r.rules) == 0 def test_rule_manager_no_categories(self, rule_path): no_cat = rule_path.joinpath("no_categories").resolve() -- Gitee From 0f7dae4b7cfa40dc942c7fcc44fb5bcd1f70bde4 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 15:02:13 +0800 Subject: [PATCH 042/109] fix logging --- .../secharden/src/secharden/secharden.py | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index 7cbdec4..a07f1c6 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py 
@@ -9,39 +9,39 @@ from secharden.rule_metadata import RuleManager from secharden.utils import DirectoryPathVerifier, HOME_DIR -def list_rules(args): +def list_rules(rule_mgr: RuleManager, args): if args.category: try: - rules = args.rules.get_rules_by_category(args.category) + rules = rule_mgr.get_rules_by_category(args.category) except KeyError: logging.error(f"Category {args.category} not found.") print(f"Category {args.category} not found.") return print(f"Available rules for {args.category}:") else: - rules = args.rules.rules + rules = rule_mgr.rules print("Available rules:") for rule in rules: - metadata = args.rules.get_rule_metadata(rule) + metadata = rule_mgr.get_rule_metadata(rule) print(f"\t{rule}: {metadata.name}") -def apply(args): +def apply(rule_mgr: RuleManager, args): config = parse_config(collect_configs(args.config)) for rule, rule_conf in config.items(): logging.debug("applying rule %s with config %s", rule, rule_conf) try: - args.rules.apply_rule(rule, rule_conf) + rule_mgr.apply_rule(rule, rule_conf) except Exception as e: logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}") logging.exception(e) print(f"Error applying rule '{rule}': {e}") -def help_message(args): +def help_message(rule_mgr: RuleManager, args): rule = args.rule[0] try: - metadata = args.rules.get_rule_metadata(rule) + metadata = rule_mgr.get_rule_metadata(rule) print(metadata.doc) except KeyError: logging.error(f"Rule '{rule}' not found.") 
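Review bot: `apply` still treats every per-rule failure as best-effort — it logs, prints and continues — so a run in which some hardening scripts failed ends indistinguishably from a clean one: no summary, and because the function returns nothing, the console-script exit status is 0. Count the failures and report them, e.g. `failed = 0` before the loop, `failed += 1` in the `except`, and `return failed` after it, so `main` can print a summary and exit non-zero when the count is not zero. Within the same function `logging.debug` uses lazy `%s` arguments while `logging.error` builds an f-string that embeds `rule_conf`; using the lazy form in both keeps the style consistent and avoids formatting the config on every call. `logging.exception(e)` already attaches the traceback, so the preceding `logging.error` line could become the message of that one call instead of producing two records.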
@@ -52,14 +52,8 @@ def help_message(args): print(f"Error retrieving help for rule '{rule}'") -class RuleManagerBuilder(argparse.Action): - def __call__(self, parser, namespace, values, option_string=None): - p = Path(values) - if not p.exists(): - raise argparse.ArgumentTypeError(f"Directory '{values}' does not exist.") - if not p.is_dir(): - raise argparse.ArgumentTypeError(f"'{values}' is not a directory.") - setattr(namespace, self.dest, RuleManager(p)) +def hint(*_ignored): + print("Please specify a sub-command. Use 'secharden --help' for usage information.") def main(): @@ -68,10 +62,11 @@ def main(): # base args version_file = HOME_DIR.joinpath("VERSION") args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) - args.add_argument("-r", "--rules", action=RuleManagerBuilder, - help="rule script directory", default=RuleManager(HOME_DIR.joinpath('tools'))) + args.add_argument("-r", "--rules", type=Path, + help="rule script directory", default=HOME_DIR.joinpath('tools')) args.add_argument("-d", "--debug", action='store_true', help="debug mode") args.add_argument('-l', '--logs', type=Path, help="log directory", default=Path('/var/log/secharden')) + args.set_defaults(func=hint) subparser = args.add_subparsers(help="sub-commands") # apply config 
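Review bot: `hint` is installed as the default `func`, so a bare `secharden` invocation is treated like any other sub-command by `main`: it is logged as a started command and, per the next hunk, a `RuleManager` over the whole rules tree is built and validated before the one-line hint is printed, and the process exits 0 even though no valid command was given. argparse can reject the bare invocation itself: `subparser = args.add_subparsers(help="sub-commands", dest="command", required=True)` prints the usage and exits with status 2, which makes both `hint` and the `set_defaults(func=hint)` line unnecessary. If the custom wording is preferred, `hint` should at least end in a non-zero exit and `main` should skip building the rule manager for it. The parser object is named `args` and later rebound to the parsed namespace (`args = args.parse_args()`), which makes this block harder to read than `parser = argparse.ArgumentParser(...)` would.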
@@ -101,12 +96,18 @@ def main(): logging_level = logging.INFO if args.debug: logging_level = logging.DEBUG - if not args.logs.exists(): - args.logs.mkdir(parents=True, exist_ok=True) - logging.basicConfig(filename=args.logs.joinpath('secharden.log'), filemode='a', - level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') + try: + if not args.logs.exists(): + args.logs.mkdir(parents=True, exist_ok=True) + logging.basicConfig(filename=args.logs.joinpath('secharden.log'), filemode='a', + level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') + except Exception: + print("Error: Cannot create log directory. Using console output instead.") + logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') logging.info(f"start secharden:{args.func.__name__}") - args.func(args) + + # init rule manager after logging are set up + args.func(RuleManager(args.rules), args) if __name__ == "__main__": -- Gitee From 86801fd25ee71170144c87519f79cadf62035ee1 Mon Sep 17 00:00:00 2001 
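Review bot: The log directory is created with `mkdir`'s default mode, and the log receives the per-rule configs and exception details that `apply` writes, so on a host where this runs as root those records end up in a world-readable tree; `args.logs.mkdir(mode=0o750, parents=True, exist_ok=True)` tightens the leaf (parents created via `parents=True` keep the default mode, and the file handler's own file still follows the umask, so both may need attention). The `except Exception:` branch also drops the reason and its message blames the directory although the `try` equally covers opening the log file in `basicConfig`; `except Exception as e:` with `print(f"Error: Cannot set up log file under {args.logs}: {e}. Using console output instead.")` tells the operator what actually failed. The `if not args.logs.exists()` guard is redundant with `exist_ok=True` and can be dropped. `RuleManager(args.rules)` is now constructed for every sub-command, including the no-command `hint` path from the previous hunk, and since the prior patch made a bad `-r` path a logged error rather than an exception, a wrong directory here only surfaces later as per-rule "Error applying rule" output.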
From: Tomahawkd Date: Wed, 30 Jul 2025 16:31:06 +0800 Subject: [PATCH 043/109] ready for python setup.py --- os-harden-tools/os-harden-tool.spec | 60 +++++++------------ os-harden-tools/secharden/MANIFEST.in | 2 + os-harden-tools/secharden/README.md | 21 +++++++ os-harden-tools/secharden/pyproject.toml | 15 +++-- os-harden-tools/secharden/setup.py | 4 ++ .../src/secharden}/tools/README.md | 0 .../src/secharden}/tools/categories.json | 0 .../tools/int.01/enable_kernel_module_sign.sh | 0 .../src/secharden}/tools/int.01/metadata.json | 0 .../secharden}/tools/int.02/enforce_dim.sh | 0 .../src/secharden}/tools/int.02/metadata.json | 0 .../secharden}/tools/int.03/enforce_ima.sh | 0 .../src/secharden}/tools/int.03/metadata.json | 0 .../tools/kern.01/enable_bpf_jit_harden.sh | 0 .../secharden}/tools/kern.01/metadata.json | 0 .../tools/kern.02/enable_kernel_aslr.sh | 0 .../secharden}/tools/kern.02/metadata.json | 0 .../tools/kern.03/enable_panic_on_oops.sh | 0 .../secharden}/tools/kern.03/metadata.json | 0 .../tools/log.01/disable_ssh_no_pass.sh | 0 .../src/secharden}/tools/log.01/metadata.json | 0 .../disable_ssh_permit_user_environment.sh | 0 .../src/secharden}/tools/log.02/metadata.json | 0 .../tools/log.03/disable_ssh_root_login.sh | 0 .../src/secharden}/tools/log.03/metadata.json | 0 .../log.04/disable_ssh_tcp_forwarding.sh | 0 .../src/secharden}/tools/log.04/metadata.json | 0 .../log.05/disable_ssh_x11_forwarding.sh | 0 .../src/secharden}/tools/log.05/metadata.json | 0 .../secharden}/tools/log.06/disable_sysrq.sh | 0 .../src/secharden}/tools/log.06/metadata.json | 0 .../tools/log.07/disable_tcp_timestamps.sh | 0 .../src/secharden}/tools/log.07/metadata.json | 0 .../src/secharden}/tools/log.08/metadata.json | 0 .../tools/log.08/set_ssh_max_auth_tries.sh | 0 .../tools/net.01/disable_accept_redirect.sh | 0 .../src/secharden}/tools/net.01/metadata.json | 0 .../tools/net.02/disable_icmp_broadcast.sh | 0 .../src/secharden}/tools/net.02/metadata.json | 0 
.../tools/net.03/disable_ip_forward.sh | 0 .../src/secharden}/tools/net.03/metadata.json | 0 .../tools/net.04/disable_proxy_arp.sh | 0 .../src/secharden}/tools/net.04/metadata.json | 0 .../tools/net.05/disable_source_route.sh | 0 .../src/secharden}/tools/net.05/metadata.json | 0 .../tools/net.06/drop_forge_icmp_package.sh | 0 .../src/secharden}/tools/net.06/metadata.json | 0 .../tools/net.07/enable_firewall.sh | 0 .../src/secharden}/tools/net.07/metadata.json | 0 .../tools/net.08/enable_rp_filter.sh | 0 .../src/secharden}/tools/net.08/metadata.json | 0 .../tools/net.09/enable_tcp_syn_cookies.sh | 0 .../src/secharden}/tools/net.09/metadata.json | 0 .../secharden}/tools/priv.01/metadata.json | 0 .../tools/priv.01/minimal_file_permission.sh | 0 .../secharden}/tools/priv.02/metadata.json | 0 .../tools/priv.02/symlink_protection.sh | 0 .../tools/serv.01/enable_rsyslog.sh | 0 .../secharden}/tools/serv.01/metadata.json | 0 .../tools/serv.02/enable_selinux_enforce.sh | 0 .../secharden}/tools/serv.02/metadata.json | 0 .../tools/sys.01/enable_dmesg_restrict.sh | 0 .../src/secharden}/tools/sys.01/metadata.json | 0 .../secharden}/tools/sys.02/disable_kexec.sh | 0 .../src/secharden}/tools/sys.02/metadata.json | 0 .../tools/sys.03/enable_kptr_restrict.sh | 0 .../src/secharden}/tools/sys.03/metadata.json | 0 .../tools/sys.04/enable_ptrace_scope.sh | 0 .../src/secharden}/tools/sys.04/metadata.json | 0 .../sys.05/disable_uncommon_network_module.sh | 0 .../src/secharden}/tools/sys.05/metadata.json | 0 .../src/secharden}/tools/utils.sh | 0 os-harden-tools/secharden/uv.lock | 6 +- 73 files changed, 62 insertions(+), 46 deletions(-) create mode 100644 os-harden-tools/secharden/MANIFEST.in create mode 100644 os-harden-tools/secharden/setup.py rename os-harden-tools/{ => secharden/src/secharden}/tools/README.md (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/categories.json (100%) rename os-harden-tools/{ => 
secharden/src/secharden}/tools/int.01/enable_kernel_module_sign.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/int.01/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/int.02/enforce_dim.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/int.02/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/int.03/enforce_ima.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/int.03/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/kern.01/enable_bpf_jit_harden.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/kern.01/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/kern.02/enable_kernel_aslr.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/kern.02/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/kern.03/enable_panic_on_oops.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/kern.03/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.01/disable_ssh_no_pass.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.01/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.02/disable_ssh_permit_user_environment.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.02/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.03/disable_ssh_root_login.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.03/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.04/disable_ssh_tcp_forwarding.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.04/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.05/disable_ssh_x11_forwarding.sh (100%) rename os-harden-tools/{ => 
secharden/src/secharden}/tools/log.05/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.06/disable_sysrq.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.06/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.07/disable_tcp_timestamps.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.07/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.08/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/log.08/set_ssh_max_auth_tries.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.01/disable_accept_redirect.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.01/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.02/disable_icmp_broadcast.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.02/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.03/disable_ip_forward.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.03/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.04/disable_proxy_arp.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.04/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.05/disable_source_route.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.05/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.06/drop_forge_icmp_package.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.06/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.07/enable_firewall.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.07/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.08/enable_rp_filter.sh (100%) rename 
os-harden-tools/{ => secharden/src/secharden}/tools/net.08/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.09/enable_tcp_syn_cookies.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/net.09/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/priv.01/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/priv.01/minimal_file_permission.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/priv.02/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/priv.02/symlink_protection.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/serv.01/enable_rsyslog.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/serv.01/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/serv.02/enable_selinux_enforce.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/serv.02/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.01/enable_dmesg_restrict.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.01/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.02/disable_kexec.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.02/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.03/enable_kptr_restrict.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.03/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.04/enable_ptrace_scope.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.04/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.05/disable_uncommon_network_module.sh (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/sys.05/metadata.json (100%) rename os-harden-tools/{ => secharden/src/secharden}/tools/utils.sh 
(100%) diff --git a/os-harden-tools/os-harden-tool.spec b/os-harden-tools/os-harden-tool.spec index d4565bb..fc0d300 100644 --- a/os-harden-tools/os-harden-tool.spec +++ b/os-harden-tools/os-harden-tool.spec @@ -1,20 +1,18 @@ +%global python3_pkgversion 3.11 + Summary: OS hardening toolkit -Name : os-harden-tools +Name : python3-secharden Version: 1.0 Release: 1.0 -Source0: secharden.py -Source1: executor.py -Source2: utils.py -Source3: config_parser.py -Source4: rule_metadata -Source5: tools -Source6: schema -Source7: conf -Source8: VERSION +Source0: secharden +Source1: conf License: Mulan PSL v2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: python3 python3-pyyaml python3-jsonschema +BuildArch: noarch +BuildRequires: python3-setuptools pyproject-rpm-macros python3-pytest + %description OS hardening toolkit 
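Review bot: `BuildRequires: pyproject-rpm-macros` is added, but the build steps in the next hunk use the setup.py-based `%py3_build`/`%py3_install`, which come from the base python3 RPM macros rather than from that package; either depend on the macros actually used (python3-devel, or whatever provides `%py3_build` on the target distro) or move to `%pyproject_wheel`/`%pyproject_install`/`%pyproject_files secharden`, which would also replace the hand-written file list later in this diff. `%global python3_pkgversion 3.11` overrides a distro-wide macro to pin one interpreter version, yet nothing in this spec references `%{python3_pkgversion}`, so the line looks like a leftover and can be dropped. `Source0: secharden` names a directory rather than an archive; rpmbuild expects a file under SOURCES, so unless the packaging pipeline stages the tree as a tarball this will not resolve. The explicit `Requires:` list duplicates what the automatic Python dependency generator would derive from `pyproject.toml`'s `dependencies` and will drift from it.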
@@ -23,25 +21,16 @@ OS hardening toolkit %prep %build +%py3_build %{SOURCE0} %check +%{pytest} %{SOURCE0} %install -# install scripts -%{__install} -d -m0755 $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0500 %{SOURCE0} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0400 %{SOURCE1} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0400 %{SOURCE2} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0400 %{SOURCE3} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0400 %{SOURCE4} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0400 %{SOURCE5} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0400 %{SOURCE6} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__install} -m0400 %{SOURCE8} $RPM_BUILD_ROOT%{_usr}/local/secharden -%{__ln_s} ../secharden/secharden.py $RPM_BUILD_ROOT%{_usr}/local/bin/secharden - +%py3_install %{SOURCE0} # install config files %{__install} -d -m0755 $RPM_BUILD_ROOT%{_sysconfdir}/secharden -%{__install} -m0644 %{SOURCE7}/secharden.conf $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf +%{__install} -m0644 %{SOURCE1}/secharden.conf $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf %{__install} -d -m0755 $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf.d %clean 
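Review bot: `%py3_build %{SOURCE0}` and `%py3_install %{SOURCE0}` pass the source path as a positional argument, but as those macros are defined in the standard Python RPM macros they run `setup.py build` / `setup.py install` in the current directory and append any macro arguments to that command line, so `secharden` would be handed to setuptools as a second command name rather than used as a location. With `%prep` left empty there is also no `%setup`, so the build directory is never populated; staging the tree there — e.g. `%setup -q -c -T` followed by `cp -r %{SOURCE0}/. .` in `%prep` — and then calling plain `%py3_build`, `%py3_install` and `%{pytest}` is the conventional layout. Placing `%check` before `%install` is harmless (rpmbuild runs it after install regardless) but reordering the sections to match execution order avoids confusion.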
@@ -57,21 +46,16 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) -%attr(0500,root,root) %{_usr}/local/secharden/secharden.py -%attr(0400,root,root) %{_usr}/local/secharden/executor.py -%attr(0400,root,root) %{_usr}/local/secharden/utils.py -%attr(0400,root,root) %{_usr}/local/secharden/config_parser.py -%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/__init__.py -%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/manager.py -%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/metadata.py -%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/converters/__init__.py -%attr(0400,root,root) %{_usr}/local/secharden/rule_metadata/converters/file_list.py -%attr(0400,root,root) %{_usr}/local/secharden/schema/categories.schema.json -%attr(0400,root,root) %{_usr}/local/secharden/schema/metadata.schema.json -%attr(0400,root,root) %{_usr}/local/secharden/VERSION -%attr(0400,root,root) %config %{_sysconfdir}/secharden/secharden.conf -%attr(0400,root,root) %{_usr}/local/secharden/tools/categories.json -%attr(0500,root,root) %{_usr}/local/secharden/tools/utils.sh +%attr(0644,root,root) %config %{_sysconfdir}/secharden/secharden.conf + +%files -n python3-secharden +%doc README.md +%{_bindir}/secharden +%{_bindir}/gendoc +%{python3_sitelib}/secharden/ + +# The metadata files needed to be listed manually +%{python3_sitelib}/secharden-*.egg/ %changelog * Fri Jul 25 2025 Tomahawkd - 1.0-1.0 diff --git a/os-harden-tools/secharden/MANIFEST.in b/os-harden-tools/secharden/MANIFEST.in new file mode 100644 index 0000000..ff5291e --- /dev/null +++ b/os-harden-tools/secharden/MANIFEST.in @@ -0,0 +1,2 @@ +include src/secharden/schema/* +graft src/secharden/tools/* \ No newline at end of file diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index e69de29..0623ffd 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md 
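Review bot: `%{_bindir}/gendoc` is listed in the new `%files -n python3-secharden` section, yet the `pyproject.toml` hunk in this same patch removes `gendoc = "secharden.gendoc:main"` from `[project.scripts]`, so no such script is installed and rpmbuild will fail on the missing file unless gendoc is provided some other way. `%{python3_sitelib}/secharden-*.egg/` also looks off: a `setup.py install --root` run produces a `secharden-<version>-py3.11.egg-info/` directory, so the glob should probably be `%{python3_sitelib}/secharden-*.egg-info/` (or the list generated with `%pyproject_files`). Since `Name` is already `python3-secharden`, the unnamed `%files` section and `%files -n python3-secharden` describe the same package and should be merged into one. The configuration file's mode is relaxed from 0400 to 0644 and `%config` lacks `(noreplace)`, so local edits are overwritten on upgrade; `%attr(0640,root,root) %config(noreplace)` keeps it root-readable and preserves operator changes.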
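Review bot: `graft src/secharden/tools/*` is a directory pattern: as setuptools matches it, only files *below* a directory matching `tools/<something>` are included, so the files that sit directly in `tools/` — `utils.sh`, `categories.json` and `README.md` according to the rename list of this patch — would be left out of the sdist and, with package data taken from the manifest, out of the installed package. `graft src/secharden/tools` (no trailing `/*`) covers the whole tree including those files. The file is also written without a trailing newline.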
@@ -0,0 +1,21 @@ +# secharden + +## 简介 + +secharden 是一个基于 python 的系统加固框架,用于管理和应用各种安全加固策略。 +它提供了一个灵活的方式来增强系统的安全性,支持多种加固策略的配置和执行。 + +## 安装 + +使用 pip 安装 secharden: + +```bash +python -m pip install . +``` + +## 使用 + +在安装完成后,可以通过以下方式使用 secharden: + +## 开发 + diff --git a/os-harden-tools/secharden/pyproject.toml b/os-harden-tools/secharden/pyproject.toml index 5b9f490..168f78a 100644 --- a/os-harden-tools/secharden/pyproject.toml +++ b/os-harden-tools/secharden/pyproject.toml @@ -12,16 +12,21 @@ dependencies = [ "pyyaml>=6.0.2", ] +classifiers = [ + "Environment :: Console", + "License :: OSI Approved :: Mulan Permissive Software License v2 (MulanPSL-2.0)", + "Operating System :: POSIX", + "Programming Language :: Python :: 3" +] + [project.scripts] secharden = "secharden.secharden:main" -gendoc = "secharden.gendoc:main" - -[build-system] -requires = ["uv_build>=0.8.0,<0.9"] -build-backend = "uv_build" [dependency-groups] dev = [ "pytest>=8.4.1", "pytest-cov>=6.2.1", ] + +[project.urls] +Homepage = "https://gitee.com/openeuler/secGear" \ No newline at end of file diff --git a/os-harden-tools/secharden/setup.py b/os-harden-tools/secharden/setup.py new file mode 100644 index 0000000..57c026b --- /dev/null +++ b/os-harden-tools/secharden/setup.py @@ -0,0 +1,4 @@ +from setuptools import setup + +if __name__ == "__main__": + setup() \ No newline at end of file diff --git a/os-harden-tools/tools/README.md b/os-harden-tools/secharden/src/secharden/tools/README.md similarity index 100% rename from os-harden-tools/tools/README.md rename to os-harden-tools/secharden/src/secharden/tools/README.md diff --git a/os-harden-tools/tools/categories.json b/os-harden-tools/secharden/src/secharden/tools/categories.json similarity index 100% rename from os-harden-tools/tools/categories.json rename to os-harden-tools/secharden/src/secharden/tools/categories.json 
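Review bot: The `[build-system]` table is deleted outright instead of being replaced, so pip and `build` fall back to the legacy `setuptools.build_meta:__legacy__` backend and only succeed because of the `setup.py` shim added alongside; declaring the backend explicitly — `[build-system]`, `requires = ["setuptools>=61"]`, `build-backend = "setuptools.build_meta"` — keeps the build reproducible and pins a setuptools version that understands the `[project]` table. Dropping the `gendoc` script here also conflicts with the `.spec` hunk in this patch, which still packages `%{_bindir}/gendoc`. The file now ends without a trailing newline.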
diff --git a/os-harden-tools/tools/int.01/enable_kernel_module_sign.sh b/os-harden-tools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh similarity index 100% rename from os-harden-tools/tools/int.01/enable_kernel_module_sign.sh rename to os-harden-tools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh diff --git a/os-harden-tools/tools/int.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/int.01/metadata.json similarity index 100% rename from os-harden-tools/tools/int.01/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/int.01/metadata.json diff --git a/os-harden-tools/tools/int.02/enforce_dim.sh b/os-harden-tools/secharden/src/secharden/tools/int.02/enforce_dim.sh similarity index 100% rename from os-harden-tools/tools/int.02/enforce_dim.sh rename to os-harden-tools/secharden/src/secharden/tools/int.02/enforce_dim.sh diff --git a/os-harden-tools/tools/int.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/int.02/metadata.json similarity index 100% rename from os-harden-tools/tools/int.02/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/int.02/metadata.json diff --git a/os-harden-tools/tools/int.03/enforce_ima.sh b/os-harden-tools/secharden/src/secharden/tools/int.03/enforce_ima.sh similarity index 100% rename from os-harden-tools/tools/int.03/enforce_ima.sh rename to os-harden-tools/secharden/src/secharden/tools/int.03/enforce_ima.sh diff --git a/os-harden-tools/tools/int.03/metadata.json b/os-harden-tools/secharden/src/secharden/tools/int.03/metadata.json similarity index 100% rename from os-harden-tools/tools/int.03/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/int.03/metadata.json 
diff --git a/os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh b/os-harden-tools/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh similarity index 100% rename from os-harden-tools/tools/kern.01/enable_bpf_jit_harden.sh rename to os-harden-tools/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh diff --git a/os-harden-tools/tools/kern.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/kern.01/metadata.json similarity index 100% rename from os-harden-tools/tools/kern.01/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/kern.01/metadata.json diff --git a/os-harden-tools/tools/kern.02/enable_kernel_aslr.sh b/os-harden-tools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh similarity index 100% rename from os-harden-tools/tools/kern.02/enable_kernel_aslr.sh rename to os-harden-tools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh diff --git a/os-harden-tools/tools/kern.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/kern.02/metadata.json similarity index 100% rename from os-harden-tools/tools/kern.02/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/kern.02/metadata.json diff --git a/os-harden-tools/tools/kern.03/enable_panic_on_oops.sh b/os-harden-tools/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh similarity index 100% rename from os-harden-tools/tools/kern.03/enable_panic_on_oops.sh rename to os-harden-tools/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh diff --git a/os-harden-tools/tools/kern.03/metadata.json b/os-harden-tools/secharden/src/secharden/tools/kern.03/metadata.json similarity index 100% rename from os-harden-tools/tools/kern.03/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/kern.03/metadata.json 
diff --git a/os-harden-tools/tools/log.01/disable_ssh_no_pass.sh b/os-harden-tools/secharden/src/secharden/tools/log.01/disable_ssh_no_pass.sh similarity index 100% rename from os-harden-tools/tools/log.01/disable_ssh_no_pass.sh rename to os-harden-tools/secharden/src/secharden/tools/log.01/disable_ssh_no_pass.sh diff --git a/os-harden-tools/tools/log.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.01/metadata.json similarity index 100% rename from os-harden-tools/tools/log.01/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.01/metadata.json diff --git a/os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh b/os-harden-tools/secharden/src/secharden/tools/log.02/disable_ssh_permit_user_environment.sh similarity index 100% rename from os-harden-tools/tools/log.02/disable_ssh_permit_user_environment.sh rename to os-harden-tools/secharden/src/secharden/tools/log.02/disable_ssh_permit_user_environment.sh diff --git a/os-harden-tools/tools/log.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.02/metadata.json similarity index 100% rename from os-harden-tools/tools/log.02/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.02/metadata.json diff --git a/os-harden-tools/tools/log.03/disable_ssh_root_login.sh b/os-harden-tools/secharden/src/secharden/tools/log.03/disable_ssh_root_login.sh similarity index 100% rename from os-harden-tools/tools/log.03/disable_ssh_root_login.sh rename to os-harden-tools/secharden/src/secharden/tools/log.03/disable_ssh_root_login.sh diff --git a/os-harden-tools/tools/log.03/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.03/metadata.json similarity index 100% rename from os-harden-tools/tools/log.03/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.03/metadata.json 
diff --git a/os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh b/os-harden-tools/secharden/src/secharden/tools/log.04/disable_ssh_tcp_forwarding.sh similarity index 100% rename from os-harden-tools/tools/log.04/disable_ssh_tcp_forwarding.sh rename to os-harden-tools/secharden/src/secharden/tools/log.04/disable_ssh_tcp_forwarding.sh diff --git a/os-harden-tools/tools/log.04/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.04/metadata.json similarity index 100% rename from os-harden-tools/tools/log.04/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.04/metadata.json diff --git a/os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh b/os-harden-tools/secharden/src/secharden/tools/log.05/disable_ssh_x11_forwarding.sh similarity index 100% rename from os-harden-tools/tools/log.05/disable_ssh_x11_forwarding.sh rename to os-harden-tools/secharden/src/secharden/tools/log.05/disable_ssh_x11_forwarding.sh diff --git a/os-harden-tools/tools/log.05/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.05/metadata.json similarity index 100% rename from os-harden-tools/tools/log.05/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.05/metadata.json diff --git a/os-harden-tools/tools/log.06/disable_sysrq.sh b/os-harden-tools/secharden/src/secharden/tools/log.06/disable_sysrq.sh similarity index 100% rename from os-harden-tools/tools/log.06/disable_sysrq.sh rename to os-harden-tools/secharden/src/secharden/tools/log.06/disable_sysrq.sh diff --git a/os-harden-tools/tools/log.06/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.06/metadata.json similarity index 100% rename from os-harden-tools/tools/log.06/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.06/metadata.json 
diff --git a/os-harden-tools/tools/log.07/disable_tcp_timestamps.sh b/os-harden-tools/secharden/src/secharden/tools/log.07/disable_tcp_timestamps.sh similarity index 100% rename from os-harden-tools/tools/log.07/disable_tcp_timestamps.sh rename to os-harden-tools/secharden/src/secharden/tools/log.07/disable_tcp_timestamps.sh diff --git a/os-harden-tools/tools/log.07/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.07/metadata.json similarity index 100% rename from os-harden-tools/tools/log.07/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.07/metadata.json diff --git a/os-harden-tools/tools/log.08/metadata.json b/os-harden-tools/secharden/src/secharden/tools/log.08/metadata.json similarity index 100% rename from os-harden-tools/tools/log.08/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/log.08/metadata.json diff --git a/os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh b/os-harden-tools/secharden/src/secharden/tools/log.08/set_ssh_max_auth_tries.sh similarity index 100% rename from os-harden-tools/tools/log.08/set_ssh_max_auth_tries.sh rename to os-harden-tools/secharden/src/secharden/tools/log.08/set_ssh_max_auth_tries.sh diff --git a/os-harden-tools/tools/net.01/disable_accept_redirect.sh b/os-harden-tools/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh similarity index 100% rename from os-harden-tools/tools/net.01/disable_accept_redirect.sh rename to os-harden-tools/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh diff --git a/os-harden-tools/tools/net.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.01/metadata.json similarity index 100% rename from os-harden-tools/tools/net.01/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/net.01/metadata.json 
diff --git a/os-harden-tools/tools/net.02/disable_icmp_broadcast.sh b/os-harden-tools/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh similarity index 100% rename from os-harden-tools/tools/net.02/disable_icmp_broadcast.sh rename to os-harden-tools/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh diff --git a/os-harden-tools/tools/net.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.02/metadata.json similarity index 100% rename from os-harden-tools/tools/net.02/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/net.02/metadata.json diff --git a/os-harden-tools/tools/net.03/disable_ip_forward.sh b/os-harden-tools/secharden/src/secharden/tools/net.03/disable_ip_forward.sh similarity index 100% rename from os-harden-tools/tools/net.03/disable_ip_forward.sh rename to os-harden-tools/secharden/src/secharden/tools/net.03/disable_ip_forward.sh diff --git a/os-harden-tools/tools/net.03/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.03/metadata.json similarity index 100% rename from os-harden-tools/tools/net.03/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/net.03/metadata.json diff --git a/os-harden-tools/tools/net.04/disable_proxy_arp.sh b/os-harden-tools/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh similarity index 100% rename from os-harden-tools/tools/net.04/disable_proxy_arp.sh rename to os-harden-tools/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh diff --git a/os-harden-tools/tools/net.04/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.04/metadata.json similarity index 100% rename from os-harden-tools/tools/net.04/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/net.04/metadata.json 
diff --git a/os-harden-tools/tools/net.05/disable_source_route.sh b/os-harden-tools/secharden/src/secharden/tools/net.05/disable_source_route.sh similarity index 100% rename from os-harden-tools/tools/net.05/disable_source_route.sh rename to os-harden-tools/secharden/src/secharden/tools/net.05/disable_source_route.sh diff --git a/os-harden-tools/tools/net.05/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.05/metadata.json similarity index 100% rename from os-harden-tools/tools/net.05/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/net.05/metadata.json diff --git a/os-harden-tools/tools/net.06/drop_forge_icmp_package.sh b/os-harden-tools/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh similarity index 100% rename from os-harden-tools/tools/net.06/drop_forge_icmp_package.sh rename to os-harden-tools/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh diff --git a/os-harden-tools/tools/net.06/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.06/metadata.json similarity index 100% rename from os-harden-tools/tools/net.06/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/net.06/metadata.json diff --git a/os-harden-tools/tools/net.07/enable_firewall.sh b/os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh similarity index 100% rename from os-harden-tools/tools/net.07/enable_firewall.sh rename to os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh diff --git a/os-harden-tools/tools/net.07/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.07/metadata.json similarity index 100% rename from os-harden-tools/tools/net.07/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/net.07/metadata.json 
diff --git a/os-harden-tools/tools/net.08/enable_rp_filter.sh b/os-harden-tools/secharden/src/secharden/tools/net.08/enable_rp_filter.sh
similarity index 100%
rename from os-harden-tools/tools/net.08/enable_rp_filter.sh
rename to os-harden-tools/secharden/src/secharden/tools/net.08/enable_rp_filter.sh
diff --git a/os-harden-tools/tools/net.08/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.08/metadata.json
similarity index 100%
rename from os-harden-tools/tools/net.08/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/net.08/metadata.json
diff --git a/os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh b/os-harden-tools/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh
similarity index 100%
rename from os-harden-tools/tools/net.09/enable_tcp_syn_cookies.sh
rename to os-harden-tools/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh
diff --git a/os-harden-tools/tools/net.09/metadata.json b/os-harden-tools/secharden/src/secharden/tools/net.09/metadata.json
similarity index 100%
rename from os-harden-tools/tools/net.09/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/net.09/metadata.json
diff --git a/os-harden-tools/tools/priv.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/priv.01/metadata.json
similarity index 100%
rename from os-harden-tools/tools/priv.01/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/priv.01/metadata.json
diff --git a/os-harden-tools/tools/priv.01/minimal_file_permission.sh b/os-harden-tools/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh
similarity index 100%
rename from os-harden-tools/tools/priv.01/minimal_file_permission.sh
rename to os-harden-tools/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh
diff --git a/os-harden-tools/tools/priv.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/priv.02/metadata.json
similarity index 100%
rename from os-harden-tools/tools/priv.02/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/priv.02/metadata.json
diff --git a/os-harden-tools/tools/priv.02/symlink_protection.sh b/os-harden-tools/secharden/src/secharden/tools/priv.02/symlink_protection.sh
similarity index 100%
rename from os-harden-tools/tools/priv.02/symlink_protection.sh
rename to os-harden-tools/secharden/src/secharden/tools/priv.02/symlink_protection.sh
diff --git a/os-harden-tools/tools/serv.01/enable_rsyslog.sh b/os-harden-tools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh
similarity index 100%
rename from os-harden-tools/tools/serv.01/enable_rsyslog.sh
rename to os-harden-tools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh
diff --git a/os-harden-tools/tools/serv.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/serv.01/metadata.json
similarity index 100%
rename from os-harden-tools/tools/serv.01/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/serv.01/metadata.json
diff --git a/os-harden-tools/tools/serv.02/enable_selinux_enforce.sh b/os-harden-tools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh
similarity index 100%
rename from os-harden-tools/tools/serv.02/enable_selinux_enforce.sh
rename to os-harden-tools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh
diff --git a/os-harden-tools/tools/serv.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/serv.02/metadata.json
similarity index 100%
rename from os-harden-tools/tools/serv.02/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/serv.02/metadata.json
diff --git a/os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh b/os-harden-tools/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh
similarity index 100%
rename from os-harden-tools/tools/sys.01/enable_dmesg_restrict.sh
rename to os-harden-tools/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh
diff --git a/os-harden-tools/tools/sys.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/sys.01/metadata.json
similarity index 100%
rename from os-harden-tools/tools/sys.01/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/sys.01/metadata.json
diff --git a/os-harden-tools/tools/sys.02/disable_kexec.sh b/os-harden-tools/secharden/src/secharden/tools/sys.02/disable_kexec.sh
similarity index 100%
rename from os-harden-tools/tools/sys.02/disable_kexec.sh
rename to os-harden-tools/secharden/src/secharden/tools/sys.02/disable_kexec.sh
diff --git a/os-harden-tools/tools/sys.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/sys.02/metadata.json
similarity index 100%
rename from os-harden-tools/tools/sys.02/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/sys.02/metadata.json
diff --git a/os-harden-tools/tools/sys.03/enable_kptr_restrict.sh b/os-harden-tools/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh
similarity index 100%
rename from os-harden-tools/tools/sys.03/enable_kptr_restrict.sh
rename to os-harden-tools/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh
diff --git a/os-harden-tools/tools/sys.03/metadata.json b/os-harden-tools/secharden/src/secharden/tools/sys.03/metadata.json
similarity index 100%
rename from os-harden-tools/tools/sys.03/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/sys.03/metadata.json
diff --git a/os-harden-tools/tools/sys.04/enable_ptrace_scope.sh b/os-harden-tools/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
similarity index 100%
rename from os-harden-tools/tools/sys.04/enable_ptrace_scope.sh
rename to os-harden-tools/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
diff --git a/os-harden-tools/tools/sys.04/metadata.json b/os-harden-tools/secharden/src/secharden/tools/sys.04/metadata.json
similarity index 100%
rename from os-harden-tools/tools/sys.04/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/sys.04/metadata.json
diff --git a/os-harden-tools/tools/sys.05/disable_uncommon_network_module.sh b/os-harden-tools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
similarity index 100%
rename from os-harden-tools/tools/sys.05/disable_uncommon_network_module.sh
rename to os-harden-tools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
diff --git a/os-harden-tools/tools/sys.05/metadata.json b/os-harden-tools/secharden/src/secharden/tools/sys.05/metadata.json
similarity index 100%
rename from os-harden-tools/tools/sys.05/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/sys.05/metadata.json
diff --git a/os-harden-tools/tools/utils.sh b/os-harden-tools/secharden/src/secharden/tools/utils.sh
similarity index 100%
rename from os-harden-tools/tools/utils.sh
rename to os-harden-tools/secharden/src/secharden/tools/utils.sh
diff --git a/os-harden-tools/secharden/uv.lock b/os-harden-tools/secharden/uv.lock
index 4187094..a60b048 100644
--- a/os-harden-tools/secharden/uv.lock
+++ b/os-harden-tools/secharden/uv.lock
@@ -346,7 +346,7 @@ wheels = [
 [[package]]
 name = "secharden"
 version = "0.1.0"
-source = { editable = "." }
+source = { virtual = "." }
 dependencies = [
 { name = "jsonschema" },
 { name = "pyyaml" },
@@ -360,8 +360,8 @@ dev = [ [package.metadata] requires-dist = [ - { name = "jsonschema", specifier = ">=4.25.0" }, - { name = "pyyaml", specifier = ">=6.0.2" }, + { name = "jsonschema" }, + { name = "pyyaml" }, ] [package.metadata.requires-dev] -- Gitee From 54533e3c3cc34d707ad435bc7f93c55780a3722c Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 17:33:33 +0800 Subject: [PATCH 044/109] add to rpm spec --- os-harden-tools/.gitignore | 1 + ...-harden-tool.spec => os-harden-tools.spec} | 23 +++++++++---------- .../secharden/tests/config_parser/__init__.py | 0 .../secharden/tests/executor/__init__.py | 0 4 files changed, 12 insertions(+), 12 deletions(-) rename os-harden-tools/{os-harden-tool.spec => os-harden-tools.spec} (80%) create mode 100644 os-harden-tools/secharden/tests/config_parser/__init__.py create mode 100644 os-harden-tools/secharden/tests/executor/__init__.py diff --git a/os-harden-tools/.gitignore b/os-harden-tools/.gitignore index 28ca990..ca6b8af 100644 --- a/os-harden-tools/.gitignore +++ b/os-harden-tools/.gitignore @@ -163,3 +163,4 @@ cython_debug/ #.idea/ temp +!os-harden-tools.spec diff --git a/os-harden-tools/os-harden-tool.spec b/os-harden-tools/os-harden-tools.spec similarity index 80% rename from os-harden-tools/os-harden-tool.spec rename to os-harden-tools/os-harden-tools.spec index fc0d300..6b1a75b 100644 --- a/os-harden-tools/os-harden-tool.spec +++ b/os-harden-tools/os-harden-tools.spec @@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: python3 python3-pyyaml python3-jsonschema BuildArch: noarch -BuildRequires: python3-setuptools pyproject-rpm-macros python3-pytest +BuildRequires: python3-setuptools pyproject-rpm-macros python3-pytest python3-wheel %description OS hardening toolkit 
@@ -19,15 +19,17 @@ OS hardening toolkit %global debug_package %{nil} %prep +rm -rf %{_builddir}/* %build -%py3_build %{SOURCE0} +%__cp -r %{SOURCE0}/* %_builddir +%pyproject_build %check -%{pytest} %{SOURCE0} +%{pytest} %install -%py3_install %{SOURCE0} +%pyproject_install # install config files %{__install} -d -m0755 $RPM_BUILD_ROOT%{_sysconfdir}/secharden %{__install} -m0644 %{SOURCE1}/secharden.conf $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf @@ -35,6 +37,7 @@ OS hardening toolkit %clean rm -rf $RPM_BUILD_ROOT +rm -rf %{_builddir}/* %pre @@ -44,18 +47,14 @@ rm -rf $RPM_BUILD_ROOT %postun -%files +%files -n python3-secharden %defattr(-,root,root) %attr(0644,root,root) %config %{_sysconfdir}/secharden/secharden.conf - -%files -n python3-secharden -%doc README.md -%{_bindir}/secharden -%{_bindir}/gendoc +%attr(0644,root,root) %doc README.md +%attr(0755,root,root) %{_bindir}/secharden %{python3_sitelib}/secharden/ -# The metadata files needed to be listed manually -%{python3_sitelib}/secharden-*.egg/ +%{python3_sitelib}/secharden-*.dist-info/ %changelog * Fri Jul 25 2025 Tomahawkd - 1.0-1.0 diff --git a/os-harden-tools/secharden/tests/config_parser/__init__.py b/os-harden-tools/secharden/tests/config_parser/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/os-harden-tools/secharden/tests/executor/__init__.py b/os-harden-tools/secharden/tests/executor/__init__.py new file mode 100644 index 0000000..e69de29 -- Gitee From b397075e3782605addd9a2d1efb7e3a6d42ec200 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 30 Jul 2025 17:49:17 +0800 Subject: [PATCH 045/109] add readme --- os-harden-tools/README.md | 34 ++++++++++++++++++++++++++++ os-harden-tools/os-harden-tools.spec | 1 - 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 os-harden-tools/README.md diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md new file mode 100644 index 0000000..5073130 --- /dev/null +++ b/os-harden-tools/README.md 
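Review bot: `%prep` and `%clean` run `rm -rf %{_builddir}/*`, which deletes every tree in the shared rpmbuild BUILD directory rather than this package's own, and `%__cp -r %{SOURCE0}/* %_builddir` then flattens the sources into that root instead of a per-package subdirectory. Prefer a dedicated directory, e.g. `%__rm -rf %{_builddir}/%{name}-%{version}` followed by `%__cp -r %{SOURCE0} %{_builddir}/%{name}-%{version}` and a `cd` into it before `%pyproject_build`, `%{pytest}` and `%pyproject_install`. In the `%files` hunk the hardening policy is packaged as plain `%config`, so an upgrade that ships a different default would replace an administrator-edited `/etc/secharden/secharden.conf` (keeping the old one only as `.rpmsave`) and silently revert the deployed hardening; `%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/secharden/secharden.conf` preserves the local file. The `%install` section continues outside this hunk.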
@@ -0,0 +1,34 @@ +# OS 加固配置工具 + +## 安装 + +本节描述的 os-harden-tools 构建可参考 +openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/development/application_dev/building_an_rpm_package.html)。 + +1. 初始化 rpmbuild 目录: + + ```shell + rpmdev-setuptree + ``` + +2. 下载 os-harden-tools 源码: + + ```shell + git clone https://gitee.com/openeuler/secGear + rm -rf $HOME/rpmbuild/SOURCES + ln -s ./secGear/os-harden-tools $HOME/rpmbuild/SOURCES + ``` + +3. 构建: + + ```shell + rpmbuild -ba $HOME/rpmbuild/SOURCES/os-harden-tools.spec + ``` + +构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/python3-secharden-*.noarch.rpm` 找到构建完成的 rpm 包。 +python3-secharden-*.noarch.rpm 包可以直接使用 `dnf install` 命令安装。 + +## 使用 + +os-harden-tools 提供了一个 python 的命令行工具 `secharden` 用于配置系统安全加固。 + diff --git a/os-harden-tools/os-harden-tools.spec b/os-harden-tools/os-harden-tools.spec index 6b1a75b..cf89f3b 100644 --- a/os-harden-tools/os-harden-tools.spec +++ b/os-harden-tools/os-harden-tools.spec @@ -53,7 +53,6 @@ rm -rf %{_builddir}/* %attr(0644,root,root) %doc README.md %attr(0755,root,root) %{_bindir}/secharden %{python3_sitelib}/secharden/ - %{python3_sitelib}/secharden-*.dist-info/ %changelog -- Gitee From 5fb24363d5cc79977ab1d4d4460b409c552f2b4c Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 10:50:18 +0800 Subject: [PATCH 046/109] minor fix and add uv package --- os-harden-tools/README.md | 27 +++++++++++++--- os-harden-tools/secharden/MANIFEST.in | 3 +- os-harden-tools/secharden/pyproject.toml | 5 ++- .../src/secharden/{ => devtools}/gendoc.py | 0 .../secharden/src/secharden/secharden.py | 31 ++++++++++++++----- os-harden-tools/secharden/uv.lock | 6 ++-- 6 files changed, 55 insertions(+), 17 deletions(-) rename os-harden-tools/secharden/src/secharden/{ => devtools}/gendoc.py (100%) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 5073130..2dd5564 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md 
@@ -1,6 +1,21 @@ -# OS 加固配置工具 +# OS 加固配置指南 -## 安装 +本指南提供了在 OpenEuler 操作系统上进行安全加固的工具和方法。它包括了对系统配置的建议和自动化脚本,旨在帮助用户提高系统的安全性。 + +## 目录结构 + +``` +os-harden-tools/ +├── README.md: 本文档 +├── os-harden-tools.spec:本指南随附工具的 RPM 包规范文件 +├── secharden:本指南随附的系统加固工具 +├── conf:包含系统加固工具的配置文件 +├── docs:最小安全系统配置指南,包含系统内核的配置文件以及最小化裁剪配置 +``` + +## secharden + +### 安装 本节描述的 os-harden-tools 构建可参考 openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/development/application_dev/building_an_rpm_package.html)。 @@ -15,6 +30,7 @@ openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2 ```shell git clone https://gitee.com/openeuler/secGear + # 将源码目录通过软链接的形式关联到 rpmbuild 的 SOURCES 目录下,以便后续构建 rpm 包时使用 rm -rf $HOME/rpmbuild/SOURCES ln -s ./secGear/os-harden-tools $HOME/rpmbuild/SOURCES ``` @@ -28,7 +44,10 @@ openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2 构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/python3-secharden-*.noarch.rpm` 找到构建完成的 rpm 包。 python3-secharden-*.noarch.rpm 包可以直接使用 `dnf install` 命令安装。 -## 使用 +### 使用 -os-harden-tools 提供了一个 python 的命令行工具 `secharden` 用于配置系统安全加固。 +安装后,`conf` 目录包含的配置会被安装至 `/etc/secharden/secharden.conf`,该配置文件包含了系统加固的相关配置选项。 +同时还会创建一个 `/etc/secharden/secharden.d/` 目录,用于存放用户自定义的配置文件。用户可以在该目录下创建自定义配置文件, +格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。这些配置文件会在系统加固时被加载。 +当配置完毕后,使用 `secharden apply` 命令应用加固配置。 diff --git a/os-harden-tools/secharden/MANIFEST.in b/os-harden-tools/secharden/MANIFEST.in index ff5291e..b569d9e 100644 --- a/os-harden-tools/secharden/MANIFEST.in +++ b/os-harden-tools/secharden/MANIFEST.in @@ -1,2 +1,3 @@ include src/secharden/schema/* -graft src/secharden/tools/* \ No newline at end of file +graft src/secharden/tools/* +prune src/secharden/devtools/* \ No newline at end of file diff --git a/os-harden-tools/secharden/pyproject.toml b/os-harden-tools/secharden/pyproject.toml index 168f78a..25fb59c 100644 --- a/os-harden-tools/secharden/pyproject.toml 
+++ b/os-harden-tools/secharden/pyproject.toml @@ -29,4 +29,7 @@ dev = [ ] [project.urls] -Homepage = "https://gitee.com/openeuler/secGear" \ No newline at end of file +Homepage = "https://gitee.com/openeuler/secGear" + +[tool.uv] +package = true \ No newline at end of file diff --git a/os-harden-tools/secharden/src/secharden/gendoc.py b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py similarity index 100% rename from os-harden-tools/secharden/src/secharden/gendoc.py rename to os-harden-tools/secharden/src/secharden/devtools/gendoc.py diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index a07f1c6..519f305 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py @@ -9,14 +9,14 @@ from secharden.rule_metadata import RuleManager from secharden.utils import DirectoryPathVerifier, HOME_DIR -def list_rules(rule_mgr: RuleManager, args): +def list_rules(rule_mgr: RuleManager, args) -> int: if args.category: try: rules = rule_mgr.get_rules_by_category(args.category) - except KeyError: + except ValueError: logging.error(f"Category {args.category} not found.") print(f"Category {args.category} not found.") - return + return 1 print(f"Available rules for {args.category}:") else: rules = rule_mgr.rules 
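Review bot: `list_rules` now catches `ValueError` from `rule_mgr.get_rules_by_category`, while `help_message` in a later hunk of this file still catches `KeyError` from `rule_mgr.get_rule_metadata`; if RuleManager raises one exception type for both lookups, one of the handlers is dead and an unknown category or rule escapes as an unhandled traceback. RuleManager is not in this patch, so this cannot be confirmed here; a comment on the except clause stating the contract, e.g. `# RuleManager.get_rules_by_category raises ValueError for an unknown category`, would make the intent checkable. Also `logging.error(f"Category {args.category} not found.")` formats eagerly; `logging.error("Category %s not found.", args.category)` matches the `logging.debug("applying rule %s ...", ...)` style used in `apply`.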
@@ -24,10 +24,19 @@ def list_rules(rule_mgr: RuleManager, args): for rule in rules: metadata = rule_mgr.get_rule_metadata(rule) print(f"\t{rule}: {metadata.name}") + return 0 -def apply(rule_mgr: RuleManager, args): - config = parse_config(collect_configs(args.config)) +def apply(rule_mgr: RuleManager, args) -> int: + try: + config = parse_config(collect_configs(args.config)) + except Exception as e: + logging.error(f"Exception while parsing configuration from {args.config}") + logging.exception(e) + print(f"Error parsing configuration: {e}") + return 1 + + code = 0 for rule, rule_conf in config.items(): logging.debug("applying rule %s with config %s", rule, rule_conf) try: @@ -36,24 +45,30 @@ def apply(rule_mgr: RuleManager, args): logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}") logging.exception(e) print(f"Error applying rule '{rule}': {e}") + code = 1 + return code -def help_message(rule_mgr: RuleManager, args): +def help_message(rule_mgr: RuleManager, args) -> int: rule = args.rule[0] try: metadata = rule_mgr.get_rule_metadata(rule) print(metadata.doc) + return 0 except KeyError: logging.error(f"Rule '{rule}' not found.") print(f"Rule '{rule}' not found. Use 'secharden list' to see available rules.") + return 1 except Exception as e: logging.error(f"Exception while retrieving help for rule '{rule}'") logging.exception(e) print(f"Error retrieving help for rule '{rule}'") + return 1 -def hint(*_ignored): +def hint(*_ignored) -> int: print("Please specify a sub-command. Use 'secharden --help' for usage information.") + return 0 def main(): @@ -107,7 +122,7 @@ def main(): logging.info(f"start secharden:{args.func.__name__}") # init rule manager after logging are set up - args.func(RuleManager(args.rules), args) + return args.func(RuleManager(args.rules), args) if __name__ == "__main__": diff --git a/os-harden-tools/secharden/uv.lock b/os-harden-tools/secharden/uv.lock index a60b048..4187094 100644 
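Review bot: `main()` now returns the sub-command's exit code in the last hunk, but the `if __name__ == "__main__":` guard that follows is outside the hunk and, unless it was changed to `sys.exit(main())`, running the module directly still exits 0 after a failed `apply`; only a console-script entry point passes the return value to `sys.exit` automatically. The non-zero codes introduced in the `apply` and `help_message` hunks above are only useful if they reach the process exit status, which matters for a hardening tool because an automated run needs to detect that some rules were not applied. Suggest `sys.exit(main())` in the guard (adding `import sys` if it is not already imported) and a docstring on `main` stating that it returns 0 on success and 1 if any rule or the configuration failed.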
--- a/os-harden-tools/secharden/uv.lock +++ b/os-harden-tools/secharden/uv.lock @@ -346,7 +346,7 @@ wheels = [ [[package]] name = "secharden" version = "0.1.0" -source = { virtual = "." } +source = { editable = "." } dependencies = [ { name = "jsonschema" }, { name = "pyyaml" }, @@ -360,8 +360,8 @@ dev = [ [package.metadata] requires-dist = [ - { name = "jsonschema" }, - { name = "pyyaml" }, + { name = "jsonschema", specifier = ">=4.25.0" }, + { name = "pyyaml", specifier = ">=6.0.2" }, ] [package.metadata.requires-dev] -- Gitee From c36280cc518614f0cea590673080df7e8c6fdfad Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 10:53:36 +0800 Subject: [PATCH 047/109] unify name to os harden tools --- os-harden-tools/README.md | 4 ++-- os-harden-tools/os-harden-tools.spec | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 2dd5564..a21c715 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md @@ -41,8 +41,8 @@ openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2 rpmbuild -ba $HOME/rpmbuild/SOURCES/os-harden-tools.spec ``` -构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/python3-secharden-*.noarch.rpm` 找到构建完成的 rpm 包。 -python3-secharden-*.noarch.rpm 包可以直接使用 `dnf install` 命令安装。 +构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/os-harden-tools-*.noarch.rpm` 找到构建完成的 rpm 包。 +os-harden-tools-*.noarch.rpm 包可以直接使用 `dnf install` 命令安装。 ### 使用 diff --git a/os-harden-tools/os-harden-tools.spec b/os-harden-tools/os-harden-tools.spec index cf89f3b..4323a19 100644 --- a/os-harden-tools/os-harden-tools.spec +++ b/os-harden-tools/os-harden-tools.spec @@ -1,7 +1,7 @@ %global python3_pkgversion 3.11 Summary: OS hardening toolkit -Name : python3-secharden +Name : os-harden-tools Version: 1.0 Release: 1.0 Source0: secharden @@ -19,7 +19,7 @@ OS hardening toolkit %global debug_package %{nil} %prep -rm -rf %{_builddir}/* +%__rm -rf %{_builddir}/* %build %__cp -r %{SOURCE0}/* %_builddir 
@@ -36,8 +36,8 @@ rm -rf %{_builddir}/* %{__install} -d -m0755 $RPM_BUILD_ROOT%{_sysconfdir}/secharden/secharden.conf.d %clean -rm -rf $RPM_BUILD_ROOT -rm -rf %{_builddir}/* +%__rm -rf $RPM_BUILD_ROOT +%__rm -rf %{_builddir}/* %pre @@ -47,7 +47,7 @@ rm -rf %{_builddir}/* %postun -%files -n python3-secharden +%files -n os-harden-tools %defattr(-,root,root) %attr(0644,root,root) %config %{_sysconfdir}/secharden/secharden.conf %attr(0644,root,root) %doc README.md -- Gitee From 7dbdeba30f2676edc27dd81874bd49604984f266 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 10:59:13 +0800 Subject: [PATCH 048/109] add readme to project --- os-harden-tools/README.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index a21c715..4b875cd 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md 
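Review bot: `%install` creates `%{_sysconfdir}/secharden/secharden.conf.d` (context at the top of the first hunk), but the `%files` list — as shown in full by patch 044 earlier in this series and only renamed here — names `secharden.conf`, `README.md`, the binary and the site-packages tree, so the drop-in directory appears to be installed but unpackaged; rpmbuild rejects that by default, and even if the check is disabled the directory would be unowned and left behind on uninstall. Add `%dir %attr(0755,root,root) %{_sysconfdir}/secharden/secharden.conf.d` to `%files`. The top-level README changed in patch 046 calls this directory `/etc/secharden/secharden.d/` while the spec and `secharden/README.md` use `secharden.conf.d`; one name should be chosen so users put overrides where the tool actually loads them. The `%files` section continues outside the hunk.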
@@ -41,13 +41,26 @@ openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2 rpmbuild -ba $HOME/rpmbuild/SOURCES/os-harden-tools.spec ``` -构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/os-harden-tools-*.noarch.rpm` 找到构建完成的 rpm 包。 -os-harden-tools-*.noarch.rpm 包可以直接使用 `dnf install` 命令安装。 +构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/os-harden-tools-<版本>.noarch.rpm` 找到构建完成的 rpm 包。 +该 rpm 包可以直接使用 `dnf install` 命令安装。 ### 使用 安装后,`conf` 目录包含的配置会被安装至 `/etc/secharden/secharden.conf`,该配置文件包含了系统加固的相关配置选项。 -同时还会创建一个 `/etc/secharden/secharden.d/` 目录,用于存放用户自定义的配置文件。用户可以在该目录下创建自定义配置文件, -格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。这些配置文件会在系统加固时被加载。 +同时还会创建一个 `/etc/secharden/secharden.d/` 目录,用于存放用户自定义的配置文件。 + +用户可以在该目录下创建自定义配置文件, 格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。这些配置文件会在系统加固时被加载。 当配置完毕后,使用 `secharden apply` 命令应用加固配置。 + +> 详细使用说明参见 [secharden](./secharden/README.md)。 + +## 最小安全系统配置指南 + +``docs` 目录包含了最小安全系统配置指南,主要包括以下内容: + +- [配置指南](./docs/README.md) +- [系统内核的配置文件](./docs/openeuler_defconfig) +- [镜像构建使用的最小化裁剪配置文件](./docs/normal.xml) + +> 详细使用说明参见 [配置指南](./docs/README.md)。 -- Gitee From 144d2ed8093bcf38854db519d6068bbdbdc13081 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 11:45:35 +0800 Subject: [PATCH 049/109] add doc --- os-harden-tools/secharden/README.md | 121 +++++++++++++++++- .../src/secharden/devtools/gendoc.py | 2 +- .../secharden/src/secharden/secharden.py | 4 +- 3 files changed, 119 insertions(+), 8 deletions(-) diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 0623ffd..d44ad7b 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md 
@@ -2,20 +2,131 @@ ## 简介 -secharden 是一个基于 python 的系统加固框架,用于管理和应用各种安全加固策略。 -它提供了一个灵活的方式来增强系统的安全性,支持多种加固策略的配置和执行。 +secharden 是一个基于 python 的系统加固框架,用于管理和应用各种安全加固规则。 +它提供了一个灵活的方式来增强系统的安全性,支持多种加固规则的配置和执行。 ## 安装 使用 pip 安装 secharden: ```bash -python -m pip install . +python3 -m pip install . ``` -## 使用 +## 命令使用 -在安装完成后,可以通过以下方式使用 secharden: +在安装完成后,可以直接通过命令行使用 secharden。 + +secharden 命令提供了多种功能,包括应用新的加固规则、打印所有的加固规则、查看规则的帮助信息等。 + +### 基础命令 + +#### 版本信息 + +打印当前 secharden 的版本信息: + +```bash +secharden --version +``` + +#### 指定规则路径 + +如果需要指定规则路径,可以使用 `--rules` 或 `-r` 参数指定。默认值为工具目录中的 `tools` 目录: + +```bash +secharden --rules /path/to/rules +``` + +> 注意:指定的规则路径必须是一个目录。且该目录中必须包含 `categories.json` 描述规则类别,各个规则目录需满足以下要求: +> - 每个规则目录必须包含一个 `metadata.json` 文件,描述该规则的详细信息。 +> - 规则目录的名称必须为 <类别>.<序号>,例如 `system.01`、`network.02` 等。且类别必须与 `categories.json` 中的类别一致。 +> - 规则目录下的 `metadata.json` 文件必须满足工具目录中的 `schema/metadata.json` 规范。 + +工具会校验当前规则路径下的规则路径,若目录不符合要求,则不会加载到工具规则列表中。 +如果用户使用自定义的规则路径,建议使用以下命令来查看规则路径是否被加载到列表中: + +```bash +secharden -r /path/to/rules list +``` + +若不满足要求,查询工具 log 文件中的错误信息。 + +#### 指定 log 路径 + +如果需要指定 log 路径,可以使用 `--log` 或 `-l` 参数指定。默认值为 `/var/log/secharden`: + +```bash +secharden --log /path/to/log_directory +``` + +> 注意:指定的 log 路径必须是一个目录。 + +#### 开启 debug 模式 + +如果需要开启 debug 模式,可以使用 `--debug` 或 `-d` 参数: + +```bash +secharden --debug +``` + +开启后,工具会在 log 文件中输出更多的调试信息,帮助用户排查问题。 + +### 应用新的加固规则 + +如果需要指定规则路径可以在 `secharden apply` 后指定。默认值为 `/etc/secharden` 目录: + +```bash +secharden apply /path/to/config_path +``` + +> 注意:指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 + +### 查看规则的帮助信息 + +传入 rule_id 参数可以查看指定规则的帮助信息: + +```bash +secharden help rule_id +``` ## 开发 +本项目使用 uv 进行开发和管理。要开始开发,请确保安装了 uv: + +```bash +python3 -m pip install uv +``` + +安装 uv 后,可以使用以下命令同步开发依赖: + +```bash +uv sync +``` + +### 规则文档生成工具 + +`devtools` 提供了 `gendoc` 命令来生成规则文档。可以使用以下命令生成文档: + +```shell +uv run src/secharden/devtools/gendoc.py +``` + +#### 选项 + +- `--rules` 或 `-r`:指定规则路径,默认值为 `tools` 
目录。文档会生成到该目录下。 +- `--force` 或 `-f`:强制覆盖已存在的文档。若不指定该选项,工具会检查文档是否已存在,若存在则会报错退出。 +- `--version` 或 `-v`:打印当前工具版本信息。 +- `--debug` 或 `-d`:开启调试模式,输出更多的调试信息。 + +### 单元测试 + +本项目使用 pytest 进行单元测试。相关依赖已通过 `uv sync` 安装。 + +要运行单元测试,请使用以下命令: + +```bash +uv run pytest +``` + +> pytest 相关使用说明参见 [pytest 官方文档](https://docs.pytest.org/en/stable/contents.html)。 + diff --git a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py index acec7cf..1b4784f 100644 --- a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py +++ b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py @@ -47,7 +47,7 @@ def generate_doc(root: Path, overwrite: bool): def main(): args = argparse.ArgumentParser(prog="docgen") - args.add_argument("-t", "--rule-dir", action=DirectoryPathVerifier, + args.add_argument("-r", "--rules", action=DirectoryPathVerifier, help="rule script directory", default=HOME_DIR.joinpath('tools')) args.add_argument('-f', '--force', action='store_true', help="force to generate doc, deleting existing doc files") diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index 519f305..69e4b1b 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py 
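Review bot: the parser is still created with `prog="docgen"` while the README section added in this same patch documents the tool as `gendoc`, so `--help` and usage errors will print a name the documentation never mentions; `argparse.ArgumentParser(prog="gendoc")` aligns them. Note also that argparse does not invoke an `action` for a default value, so `default=HOME_DIR.joinpath('tools')` bypasses `DirectoryPathVerifier` and the directory is only validated when `-r/--rules` is given explicitly; if that is unintended, validate the default in `main` after parsing. `main` continues outside the hunk.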
@@ -79,14 +79,14 @@ def main(): args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) args.add_argument("-r", "--rules", type=Path, help="rule script directory", default=HOME_DIR.joinpath('tools')) - args.add_argument("-d", "--debug", action='store_true', help="debug mode") args.add_argument('-l', '--logs', type=Path, help="log directory", default=Path('/var/log/secharden')) + args.add_argument("-d", "--debug", action='store_true', help="debug mode") args.set_defaults(func=hint) subparser = args.add_subparsers(help="sub-commands") # apply config apply_parser = subparser.add_parser("apply", help="apply config to system") - apply_parser.add_argument('-c', '--config', action=DirectoryPathVerifier, help="configuration path", + apply_parser.add_argument('config', nargs='?', action=DirectoryPathVerifier, help="configuration path", default=Path('/etc/secharden')) apply_parser.set_defaults(func=apply) -- Gitee From e56ebffb65b4fedde772eeb79d3fe465e779a072 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 11:48:18 +0800 Subject: [PATCH 050/109] readme minor fix --- os-harden-tools/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 4b875cd..0ea1e94 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md @@ -18,7 +18,7 @@ os-harden-tools/ ### 安装 本节描述的 os-harden-tools 构建可参考 -openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/development/application_dev/building_an_rpm_package.html)。 +[openeuler rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/development/application_dev/building_an_rpm_package.html)。 1. 初始化 rpmbuild 目录: @@ -57,7 +57,7 @@ openeuler [rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2 ## 最小安全系统配置指南 -``docs` 目录包含了最小安全系统配置指南,主要包括以下内容: +`docs` 目录包含了最小安全系统配置指南,主要包括以下内容: - [配置指南](./docs/README.md) - [系统内核的配置文件](./docs/openeuler_defconfig) -- Gitee 
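Review bot: `apply`'s new positional `config` is checked with `action=DirectoryPathVerifier`, but `-r/--rules` two lines above keeps `type=Path`, so the rules directory — which, judging by the `tools/*.sh` renames earlier in this series, is where the scripts a hardening run executes are loaded from — is not validated even though the README added in this patch states it must be a directory; use `action=DirectoryPathVerifier` there as well. The option is `--logs` in code but documented as `--log`/`-l` in the README; argparse prefix matching makes `--log` work by accident, so either the flag or the documentation should change. As with `config`, argparse does not run the action for `default=Path('/etc/secharden')`, so the default is only verified when passed explicitly. `main` continues outside the hunk.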
From 64dfc7edb277031827ed099b2766301253261ff9 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 11:54:05 +0800 Subject: [PATCH 051/109] add config spec --- os-harden-tools/secharden/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index d44ad7b..f90a555 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -80,6 +80,10 @@ secharden apply /path/to/config_path ``` > 注意:指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 +> 所有配置文件格式为 yaml。 +> 用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: +> - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 + ### 查看规则的帮助信息 -- Gitee From 8893ee1a289ef38ece89bfaf80a55cd84c6e7819 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 11:54:19 +0800 Subject: [PATCH 052/109] reformat --- os-harden-tools/secharden/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index f90a555..81ad0ee 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -84,7 +84,6 @@ secharden apply /path/to/config_path > 用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: > - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 - ### 查看规则的帮助信息 传入 rule_id 参数可以查看指定规则的帮助信息: -- Gitee From a3c95d6fe857c6458fbd82cb03d8d70bea98a8ac Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 12:00:44 +0800 Subject: [PATCH 053/109] add rule list link --- os-harden-tools/README.md | 6 ++++++ os-harden-tools/secharden/README.md | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 0ea1e94..2afea8d 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md 
@@ -55,6 +55,12 @@ os-harden-tools/ > 详细使用说明参见 [secharden](./secharden/README.md)。 +## secharden 规则 + +secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 + +详细的规则文档参见:[安全 OS 配置工具](./secharden/src/secharden/tools/README.md) + ## 最小安全系统配置指南 `docs` 目录包含了最小安全系统配置指南,主要包括以下内容: diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 81ad0ee..8c47c99 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -92,6 +92,12 @@ secharden apply /path/to/config_path secharden help rule_id ``` +## 内置规则列表 + +secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 + +详细的规则文档参见:[安全 OS 配置工具](./secharden/src/secharden/tools/README.md) + ## 开发 本项目使用 uv 进行开发和管理。要开始开发,请确保安装了 uv: -- Gitee From b2b02147d5c4f4fd92e3b86534eef1ee56d7d2ea Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 12:03:19 +0800 Subject: [PATCH 054/109] fix link --- os-harden-tools/secharden/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 8c47c99..870120d 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -96,7 +96,7 @@ secharden help rule_id secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 -详细的规则文档参见:[安全 OS 配置工具](./secharden/src/secharden/tools/README.md) +详细的规则文档参见:[安全 OS 配置工具](./src/secharden/tools/README.md) ## 开发 -- Gitee From 4c2d7e952c32489229eac043ee90b4caa5daaac0 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 12:05:23 +0800 Subject: [PATCH 055/109] fix link --- os-harden-tools/README.md | 12 ++++++------ os-harden-tools/secharden/README.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 2afea8d..73e45bf 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md 
@@ -53,20 +53,20 @@ os-harden-tools/ 当配置完毕后,使用 `secharden apply` 命令应用加固配置。 -> 详细使用说明参见 [secharden](./secharden/README.md)。 +> 详细使用说明参见 [secharden](secharden/README.md)。 ## secharden 规则 secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 -详细的规则文档参见:[安全 OS 配置工具](./secharden/src/secharden/tools/README.md) +详细的规则文档参见:[安全 OS 配置工具](secharden/src/secharden/tools/README.md) ## 最小安全系统配置指南 `docs` 目录包含了最小安全系统配置指南,主要包括以下内容: -- [配置指南](./docs/README.md) -- [系统内核的配置文件](./docs/openeuler_defconfig) -- [镜像构建使用的最小化裁剪配置文件](./docs/normal.xml) +- [配置指南](docs/README.md) +- [系统内核的配置文件](docs/openeuler_defconfig) +- [镜像构建使用的最小化裁剪配置文件](docs/normal.xml) -> 详细使用说明参见 [配置指南](./docs/README.md)。 +> 详细使用说明参见 [配置指南](docs/README.md)。 diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 870120d..6b14619 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -96,7 +96,7 @@ secharden help rule_id secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 -详细的规则文档参见:[安全 OS 配置工具](./src/secharden/tools/README.md) +详细的规则文档参见:[安全 OS 配置工具](src/secharden/tools/README.md) ## 开发 -- Gitee From bcac828624684dd67847a9e5e3009a44fdd75863 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 12:12:33 +0800 Subject: [PATCH 056/109] add version, make dim sh executable --- os-harden-tools/secharden/MANIFEST.in | 1 + .../secharden/src/secharden/tools/int.02/enforce_dim.sh | 0 2 files changed, 1 insertion(+) mode change 100644 => 100755 os-harden-tools/secharden/src/secharden/tools/int.02/enforce_dim.sh diff --git a/os-harden-tools/secharden/MANIFEST.in b/os-harden-tools/secharden/MANIFEST.in index b569d9e..7f82ea0 100644 --- a/os-harden-tools/secharden/MANIFEST.in +++ b/os-harden-tools/secharden/MANIFEST.in @@ -1,3 +1,4 @@ include src/secharden/schema/* +include src/secharden/VERSION graft src/secharden/tools/* prune src/secharden/devtools/* \ No newline at end of file 
diff --git a/os-harden-tools/secharden/src/secharden/tools/int.02/enforce_dim.sh b/os-harden-tools/secharden/src/secharden/tools/int.02/enforce_dim.sh old mode 100644 new mode 100755 -- Gitee From 75234fa92c074aa8060dd222cd91202d9a3bad3e Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 15:00:04 +0800 Subject: [PATCH 057/109] minor fix on crlf and file inclusion, remove setup.py using pyproject instead --- os-harden-tools/secharden/MANIFEST.in | 6 ++-- os-harden-tools/secharden/setup.py | 4 --- .../secharden/tools/net.07/enable_firewall.sh | 34 +++++++++---------- 3 files changed, 20 insertions(+), 24 deletions(-) delete mode 100644 os-harden-tools/secharden/setup.py diff --git a/os-harden-tools/secharden/MANIFEST.in b/os-harden-tools/secharden/MANIFEST.in index 7f82ea0..0046f3b 100644 --- a/os-harden-tools/secharden/MANIFEST.in +++ b/os-harden-tools/secharden/MANIFEST.in @@ -1,4 +1,4 @@ -include src/secharden/schema/* +graft src/secharden/tools +graft src/secharden/schema include src/secharden/VERSION -graft src/secharden/tools/* -prune src/secharden/devtools/* \ No newline at end of file +prune src/secharden/devtools \ No newline at end of file diff --git a/os-harden-tools/secharden/setup.py b/os-harden-tools/secharden/setup.py deleted file mode 100644 index 57c026b..0000000 --- a/os-harden-tools/secharden/setup.py +++ /dev/null @@ -1,4 +0,0 @@ -from setuptools import setup - -if __name__ == "__main__": - setup() \ No newline at end of file diff --git a/os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh b/os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh index 21aaa67..c4875e0 100755 --- a/os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh +++ b/os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh 
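Review bot: With setup.py removed in this commit, MANIFEST.in governs only the sdist, so whether the grafted `src/secharden/tools` scripts and `src/secharden/schema` files also reach the wheel depends on pyproject.toml declaring `include-package-data = true` (or an explicit `package-data` table), which is not visible here and is worth confirming. The hardening rules are the shell scripts under tools/, so a wheel built without them installs a tool that can list rules but apply none. A one-line header, `# sdist contents only; wheel package data is declared in pyproject.toml`, would spare the next maintainer the same check.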
@@ -1,18 +1,18 @@ -#!/bin/bash -## ####################################################################################### -# -# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. -# SecureGuardian is licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL2 -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Security Baseline Check Script for 1.1.14 -# -# ####################################################################################### - -service firewalld start +#!/bin/bash +## ####################################################################################### +# +# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. +# SecureGuardian is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. +# Description: Security Baseline Check Script for 1.1.14 +# +# ####################################################################################### + +service firewalld start systemctl enable firewalld \ No newline at end of file -- Gitee From 5a92244e00582bda2842e6db58c473d1c8278b22 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Thu, 31 Jul 2025 15:06:12 +0800 Subject: [PATCH 058/109] rename log to login --- os-harden-tools/secharden/src/secharden/tools/categories.json | 2 +- .../secharden/tools/{log.01 => login.01}/disable_ssh_no_pass.sh | 0 .../src/secharden/tools/{log.01 => login.01}/metadata.json | 2 +- .../{log.02 => login.02}/disable_ssh_permit_user_environment.sh | 0 .../src/secharden/tools/{log.02 => login.02}/metadata.json | 2 +- .../tools/{log.03 => login.03}/disable_ssh_root_login.sh | 0 .../src/secharden/tools/{log.03 => login.03}/metadata.json | 2 +- .../tools/{log.04 => login.04}/disable_ssh_tcp_forwarding.sh | 0 .../src/secharden/tools/{log.04 => login.04}/metadata.json | 2 +- .../tools/{log.05 => login.05}/disable_ssh_x11_forwarding.sh | 0 .../src/secharden/tools/{log.05 => login.05}/metadata.json | 2 +- .../src/secharden/tools/{log.06 => login.06}/disable_sysrq.sh | 0 .../src/secharden/tools/{log.06 => login.06}/metadata.json | 2 +- .../tools/{log.07 => login.07}/disable_tcp_timestamps.sh | 0 .../src/secharden/tools/{log.07 => login.07}/metadata.json | 2 +- .../src/secharden/tools/{log.08 => login.08}/metadata.json | 2 +- .../tools/{log.08 => login.08}/set_ssh_max_auth_tries.sh | 0 17 files changed, 9 insertions(+), 9 deletions(-) rename os-harden-tools/secharden/src/secharden/tools/{log.01 => login.01}/disable_ssh_no_pass.sh (100%) rename os-harden-tools/secharden/src/secharden/tools/{log.01 => login.01}/metadata.json (91%) rename os-harden-tools/secharden/src/secharden/tools/{log.02 => login.02}/disable_ssh_permit_user_environment.sh (100%) rename os-harden-tools/secharden/src/secharden/tools/{log.02 => login.02}/metadata.json (93%) rename os-harden-tools/secharden/src/secharden/tools/{log.03 => login.03}/disable_ssh_root_login.sh (100%) rename os-harden-tools/secharden/src/secharden/tools/{log.03 => login.03}/metadata.json (94%) rename os-harden-tools/secharden/src/secharden/tools/{log.04 => login.04}/disable_ssh_tcp_forwarding.sh (100%) rename 
os-harden-tools/secharden/src/secharden/tools/{log.04 => login.04}/metadata.json (94%) rename os-harden-tools/secharden/src/secharden/tools/{log.05 => login.05}/disable_ssh_x11_forwarding.sh (100%) rename os-harden-tools/secharden/src/secharden/tools/{log.05 => login.05}/metadata.json (95%) rename os-harden-tools/secharden/src/secharden/tools/{log.06 => login.06}/disable_sysrq.sh (100%) rename os-harden-tools/secharden/src/secharden/tools/{log.06 => login.06}/metadata.json (93%) rename os-harden-tools/secharden/src/secharden/tools/{log.07 => login.07}/disable_tcp_timestamps.sh (100%) rename os-harden-tools/secharden/src/secharden/tools/{log.07 => login.07}/metadata.json (93%) rename os-harden-tools/secharden/src/secharden/tools/{log.08 => login.08}/metadata.json (92%) rename os-harden-tools/secharden/src/secharden/tools/{log.08 => login.08}/set_ssh_max_auth_tries.sh (100%) diff --git a/os-harden-tools/secharden/src/secharden/tools/categories.json b/os-harden-tools/secharden/src/secharden/tools/categories.json index 05bbdbe..16073cc 100644 --- a/os-harden-tools/secharden/src/secharden/tools/categories.json +++ b/os-harden-tools/secharden/src/secharden/tools/categories.json @@ -24,7 +24,7 @@ "name": "权限最小化" }, { - "id": "log", + "id": "login", "name": "登录认证" } ] \ No newline at end of file diff --git a/os-harden-tools/secharden/src/secharden/tools/log.01/disable_ssh_no_pass.sh b/os-harden-tools/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh similarity index 100% rename from os-harden-tools/secharden/src/secharden/tools/log.01/disable_ssh_no_pass.sh rename to os-harden-tools/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh 
diff --git a/os-harden-tools/secharden/src/secharden/tools/log.01/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.01/metadata.json similarity index 91% rename from os-harden-tools/secharden/src/secharden/tools/log.01/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/login.01/metadata.json index 59e09b9..8511855 100644 --- a/os-harden-tools/secharden/src/secharden/tools/log.01/metadata.json +++ b/os-harden-tools/secharden/src/secharden/tools/login.01/metadata.json @@ -1,5 +1,5 @@ { - "id": "log.01", + "id": "login.01", "name": "禁止空口令登录", "description": "禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。", "entry": "disable_ssh_no_pass.sh" diff --git a/os-harden-tools/secharden/src/secharden/tools/log.02/disable_ssh_permit_user_environment.sh b/os-harden-tools/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh similarity index 100% rename from os-harden-tools/secharden/src/secharden/tools/log.02/disable_ssh_permit_user_environment.sh rename to os-harden-tools/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh diff --git a/os-harden-tools/secharden/src/secharden/tools/log.02/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.02/metadata.json similarity index 93% rename from os-harden-tools/secharden/src/secharden/tools/log.02/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/login.02/metadata.json index fe54a3d..57bca75 100644 --- a/os-harden-tools/secharden/src/secharden/tools/log.02/metadata.json +++ b/os-harden-tools/secharden/src/secharden/tools/login.02/metadata.json @@ -1,5 +1,5 @@ { - "id": "log.02", + "id": "login.02", "name": "禁止使用PermitUserEnvironment", "description": "禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。", "entry": "disable_ssh_permit_user_environment.sh" 
diff --git a/os-harden-tools/secharden/src/secharden/tools/log.03/disable_ssh_root_login.sh b/os-harden-tools/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh similarity index 100% rename from os-harden-tools/secharden/src/secharden/tools/log.03/disable_ssh_root_login.sh rename to os-harden-tools/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh diff --git a/os-harden-tools/secharden/src/secharden/tools/log.03/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.03/metadata.json similarity index 94% rename from os-harden-tools/secharden/src/secharden/tools/log.03/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/login.03/metadata.json index 8b36578..931da72 100644 --- a/os-harden-tools/secharden/src/secharden/tools/log.03/metadata.json +++ b/os-harden-tools/secharden/src/secharden/tools/login.03/metadata.json @@ -1,5 +1,5 @@ { - "id": "log.03", + "id": "login.03", "name": "禁用root用户通过SSH登录", "description": "禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。", "entry": "disable_ssh_root_login.sh" diff --git a/os-harden-tools/secharden/src/secharden/tools/log.04/disable_ssh_tcp_forwarding.sh b/os-harden-tools/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh similarity index 100% rename from os-harden-tools/secharden/src/secharden/tools/log.04/disable_ssh_tcp_forwarding.sh rename to os-harden-tools/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh diff --git a/os-harden-tools/secharden/src/secharden/tools/log.04/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.04/metadata.json similarity index 94% rename from os-harden-tools/secharden/src/secharden/tools/log.04/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/login.04/metadata.json index 441650f..553e52c 100644 --- a/os-harden-tools/secharden/src/secharden/tools/log.04/metadata.json 
+++ b/os-harden-tools/secharden/src/secharden/tools/login.04/metadata.json @@ -1,5 +1,5 @@ { - "id": "log.04", + "id": "login.04", "name": "禁用SSH的TCP转发功能", "description": "禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。", "entry": "disable_ssh_tcp_forwarding.sh" diff --git a/os-harden-tools/secharden/src/secharden/tools/log.05/disable_ssh_x11_forwarding.sh b/os-harden-tools/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh similarity index 100% rename from os-harden-tools/secharden/src/secharden/tools/log.05/disable_ssh_x11_forwarding.sh rename to os-harden-tools/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh diff --git a/os-harden-tools/secharden/src/secharden/tools/log.05/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.05/metadata.json similarity index 95% rename from os-harden-tools/secharden/src/secharden/tools/log.05/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/login.05/metadata.json index 46ec9d2..27ce96e 100644 --- a/os-harden-tools/secharden/src/secharden/tools/log.05/metadata.json +++ b/os-harden-tools/secharden/src/secharden/tools/login.05/metadata.json @@ -1,5 +1,5 @@ { - "id": "log.05", + "id": "login.05", "name": "禁止使用X11 Forwarding", "description": "禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。", "entry": "disable_ssh_x11_forwarding.sh" diff --git a/os-harden-tools/secharden/src/secharden/tools/log.06/disable_sysrq.sh b/os-harden-tools/secharden/src/secharden/tools/login.06/disable_sysrq.sh similarity index 100% rename from os-harden-tools/secharden/src/secharden/tools/log.06/disable_sysrq.sh rename to os-harden-tools/secharden/src/secharden/tools/login.06/disable_sysrq.sh 
diff --git a/os-harden-tools/secharden/src/secharden/tools/log.06/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.06/metadata.json similarity index 93% rename from os-harden-tools/secharden/src/secharden/tools/log.06/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/login.06/metadata.json index 7429ade..ca3b060 100644 --- a/os-harden-tools/secharden/src/secharden/tools/log.06/metadata.json +++ b/os-harden-tools/secharden/src/secharden/tools/login.06/metadata.json @@ -1,5 +1,5 @@ { - "id": "log.06", + "id": "login.06", "name": "禁止使用SysRq键", "description": "禁止使用SysRq键。SysRq使得具有物理访问权限的用户能够访问计算机中危险的系统级命令,攻击者可以通过键盘触发SysRq的调用,直接发送命令到内核,对系统造成影响。", "entry": "disable_sysrq.sh" diff --git a/os-harden-tools/secharden/src/secharden/tools/log.07/disable_tcp_timestamps.sh b/os-harden-tools/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh similarity index 100% rename from os-harden-tools/secharden/src/secharden/tools/log.07/disable_tcp_timestamps.sh rename to os-harden-tools/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh diff --git a/os-harden-tools/secharden/src/secharden/tools/log.07/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.07/metadata.json similarity index 93% rename from os-harden-tools/secharden/src/secharden/tools/log.07/metadata.json rename to os-harden-tools/secharden/src/secharden/tools/login.07/metadata.json index 71ead26..402927c 100644 --- a/os-harden-tools/secharden/src/secharden/tools/log.07/metadata.json +++ b/os-harden-tools/secharden/src/secharden/tools/login.07/metadata.json @@ -1,5 +1,5 @@ { - "id": "log.07", + "id": "login.07", "name": "避免开启tcp_timestamps", "description": "避免开启tcp_timestamps。tcp_timestamps用于记录TCP数据包的发送时间,可用于RTT测量(RTTM)和保护序号绕回(PAWS),启用该选项可能遭受拒绝服务攻击。", "entry": "disable_tcp_timestamps.sh" 
diff --git a/os-harden-tools/secharden/src/secharden/tools/log.08/metadata.json b/os-harden-tools/secharden/src/secharden/tools/login.08/metadata.json
similarity index 92%
rename from os-harden-tools/secharden/src/secharden/tools/log.08/metadata.json
rename to os-harden-tools/secharden/src/secharden/tools/login.08/metadata.json
index 09ca428..4b6ec5d 100644
--- a/os-harden-tools/secharden/src/secharden/tools/log.08/metadata.json
+++ b/os-harden-tools/secharden/src/secharden/tools/login.08/metadata.json
@@ -1,5 +1,5 @@
 {
- "id": "log.08",
+ "id": "login.08",
 "name": "设置最大认证次数",
 "description": "设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。",
 "entry": "set_ssh_max_auth_tries.sh"
diff --git a/os-harden-tools/secharden/src/secharden/tools/log.08/set_ssh_max_auth_tries.sh b/os-harden-tools/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/log.08/set_ssh_max_auth_tries.sh
rename to os-harden-tools/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh
-- Gitee
From 97422a4c345d2b431493aa43afdef85bced8c68a Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Thu, 31 Jul 2025 15:11:39 +0800
Subject: [PATCH 059/109] rename log to login
---
 os-harden-tools/conf/secharden.conf | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/os-harden-tools/conf/secharden.conf b/os-harden-tools/conf/secharden.conf
index b1bac29..d3078bf 100644
--- a/os-harden-tools/conf/secharden.conf
+++ b/os-harden-tools/conf/secharden.conf
@@ -3,14 +3,14 @@ int.02:
 kern.01:
 kern.02:
 kern.03:
-log.01:
-log.02:
-log.03:
-log.04:
-log.05:
-log.06:
-log.07:
-log.08:
+login.01:
+login.02:
+login.03:
+login.04:
+login.05:
+login.06:
+login.07:
+login.08:
 net.01:
 net.02:
 net.03:
-- Gitee
From 6c766130a8c796098712dc3b247fe61a5b440b3a Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Thu, 31 Jul 2025 15:18:21 +0800
Subject: [PATCH 060/109] fix using wait to avoid too many requests
---
 os-harden-tools/secharden/src/secharden/tools/utils.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os-harden-tools/secharden/src/secharden/tools/utils.sh b/os-harden-tools/secharden/src/secharden/tools/utils.sh
index c61c728..6280858 100755
--- a/os-harden-tools/secharden/src/secharden/tools/utils.sh
+++ b/os-harden-tools/secharden/src/secharden/tools/utils.sh
@@ -36,5 +36,5 @@ function set_ssh() {
 else
 echo "${conf} ${value}" >> "${sshd_conf_path}"
 fi
- systemctl restart sshd
+ systemctl restart sshd --wait
 }
\ No newline at end of file
-- Gitee
From a7618f52ca2790738a7f5b4fd3f944ade070e7ed Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Thu, 31 Jul 2025 15:27:20 +0800
Subject: [PATCH 061/109] fix using wait to avoid too many requests, add apply messages
---
 os-harden-tools/secharden/src/secharden/secharden.py | 1 +
 os-harden-tools/secharden/src/secharden/tools/utils.sh | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py
index 69e4b1b..5a03431 100644
--- a/os-harden-tools/secharden/src/secharden/secharden.py
+++ b/os-harden-tools/secharden/src/secharden/secharden.py
@@ -38,6 +38,7 @@ def apply(rule_mgr: RuleManager, args) -> int:
 code = 0
 for rule, rule_conf in config.items():
+ print(f"Applying rule: {rule}...")
 logging.debug("applying rule %s with config %s", rule, rule_conf)
 try:
 rule_mgr.apply_rule(rule, rule_conf)
diff --git a/os-harden-tools/secharden/src/secharden/tools/utils.sh b/os-harden-tools/secharden/src/secharden/tools/utils.sh
index 6280858..ce9a29d 100755
--- a/os-harden-tools/secharden/src/secharden/tools/utils.sh
+++ b/os-harden-tools/secharden/src/secharden/tools/utils.sh
@@ -36,5 +36,8 @@ function set_ssh() {
 else
 echo "${conf} ${value}" >> "${sshd_conf_path}"
 fi
- systemctl restart sshd --wait
+ systemctl restart sshd
+
+ # wait for fully restart
+ sleep 1
 }
\ No newline at end of file
-- Gitee
From 8eae7f7c3e0ec385795f1dd06829e7eb2a2598ef Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Thu, 31 Jul 2025 15:46:19 +0800
Subject: [PATCH 062/109] readme, gendoc
---
 os-harden-tools/secharden/DEVELOPMENT.md | 40 +++++++++++++++++++
 .../src/secharden/devtools/gendoc.py | 2 +-
 .../secharden/src/secharden/tools/README.md | 18 +++++----
 .../src/secharden/tools/categories.json | 3 +-
 4 files changed, 53 insertions(+), 10 deletions(-)
 create mode 100644 os-harden-tools/secharden/DEVELOPMENT.md
diff --git a/os-harden-tools/secharden/DEVELOPMENT.md b/os-harden-tools/secharden/DEVELOPMENT.md
new file mode 100644
index 0000000..4ead352
--- /dev/null
+++ b/os-harden-tools/secharden/DEVELOPMENT.md
@@ -0,0 +1,40 @@
+# secharden 开发文档
+
+本项目使用 uv 进行开发和管理。要开始开发,请确保安装了 uv:
+
+```bash
+python3 -m pip install uv
+```
+
+安装 uv 后,可以使用以下命令同步开发依赖:
+
+```bash
+uv sync
+```
+
+## 规则文档生成工具
+
+`devtools` 提供了 `gendoc` 命令来生成规则文档。可以使用以下命令生成文档:
+
+```shell
+uv run src/secharden/devtools/gendoc.py
+```
+
+### 选项
+
+- `--rules` 或 `-r`:指定规则路径,默认值为 `tools` 目录。文档会生成到该目录下。
+- `--force` 或 `-f`:强制覆盖已存在的文档。若不指定该选项,工具会检查文档是否已存在,若存在则会报错退出。
+- `--version` 或 `-v`:打印当前工具版本信息。
+- `--debug` 或 `-d`:开启调试模式,输出更多的调试信息。
+
+## 单元测试
+
+本项目使用 pytest 进行单元测试。相关依赖已通过 `uv sync` 安装。
+
+要运行单元测试,请使用以下命令:
+
+```bash
+uv run pytest
+```
+
+> pytest 相关使用说明参见 [pytest 官方文档](https://docs.pytest.org/en/stable/contents.html)。
diff --git a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
index 1b4784f..737c09b 100644
--- a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
+++ b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
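Review bot: The restart at the end of set_ssh runs without validating the edited sshd_config, so one malformed `${conf} ${value}` line leaves sshd down on a remote host and locks out every administrator; add `sshd -t -f "${sshd_conf_path}" || return 1` before the restart and check the restart itself, `systemctl restart sshd || return 1`, instead of assuming success. If set_ssh is called once per login.* rule, as the callers' names suggest, six restarts in quick succession are what trips systemd's start-rate limit (presumably the "too many requests" in the commit title), and a one-second sleep only narrows the window rather than closing it. `systemctl reload sshd`, which sends SIGHUP and does not count as a unit start, or a single restart after all edits are applied, would be more robust than the sleep. The function set_ssh begins outside this hunk.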
@@ -62,7 +62,7 @@ def main():
 logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s')
 try:
- generate_doc(Path(args.rule_dir), overwrite=args.force)
+ generate_doc(Path(args.rules), overwrite=args.force)
 except Exception as e:
 logging.exception(e)
 exit(1)
diff --git a/os-harden-tools/secharden/src/secharden/tools/README.md b/os-harden-tools/secharden/src/secharden/tools/README.md
index d1d3c48..8c82603 100644
--- a/os-harden-tools/secharden/src/secharden/tools/README.md
+++ b/os-harden-tools/secharden/src/secharden/tools/README.md
@@ -2,6 +2,8 @@
 ## 全栈完整性
+全栈完整性加固用于业务软件全生命周期不被篡改。
+
 ### int.01 启用内核模块签名
 启用内核模块签名。内核模块签名以一定格式在内核模块文件末尾添加签名信息,系统在加载内核模块时检查签名是否与内核中预设的公钥匹配。这样可以验证内核模块文件的真实性和完整性,防止系统加载未经认证的恶意内核模块。
@@ -65,7 +67,7 @@
 ## 登录认证
-### log.01 禁止空口令登录
+### login.01 禁止空口令登录
 禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。
@@ -73,7 +75,7 @@
 无
-### log.02 禁止使用PermitUserEnvironment
+### login.02 禁止使用PermitUserEnvironment
 禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。
@@ -81,7 +83,7 @@
 无
-### log.03 禁用root用户通过SSH登录
+### login.03 禁用root用户通过SSH登录
 禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。
@@ -89,7 +91,7 @@
 无
-### log.04 禁用SSH的TCP转发功能
+### login.04 禁用SSH的TCP转发功能
 禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。
@@ -97,7 +99,7 @@
 无
-### log.05 禁止使用X11 Forwarding
+### login.05 禁止使用X11 Forwarding
 禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。
@@ -105,7 +107,7 @@
 无
-### log.06 禁止使用SysRq键
+### login.06 禁止使用SysRq键
 禁止使用SysRq键。SysRq使得具有物理访问权限的用户能够访问计算机中危险的系统级命令,攻击者可以通过键盘触发SysRq的调用,直接发送命令到内核,对系统造成影响。
@@ -113,7 +115,7 @@
 无
-### log.07 避免开启tcp_timestamps
+### login.07 避免开启tcp_timestamps
 避免开启tcp_timestamps。tcp_timestamps用于记录TCP数据包的发送时间,可用于RTT测量(RTTM)和保护序号绕回(PAWS),启用该选项可能遭受拒绝服务攻击。
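Review bot: The `exit(1)` that closes the except branch is the interactive helper injected by the site module rather than a language builtin, so main() fails in a surprising way under `python -S` or in a frozen build; `sys.exit(1)` is the conventional form for a script (assuming `sys` is imported above, which this hunk does not show). In the same branch, `logging.exception(e)` passes the exception object as the log message, which prints its text twice once the traceback is appended; `logging.exception("failed to generate rule documentation")` reads better and loses nothing. main() begins outside the hunk.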
@@ -121,7 +123,7 @@ 无 -### log.08 设置最大认证次数 +### login.08 设置最大认证次数 设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。 diff --git a/os-harden-tools/secharden/src/secharden/tools/categories.json b/os-harden-tools/secharden/src/secharden/tools/categories.json index 16073cc..23449b7 100644 --- a/os-harden-tools/secharden/src/secharden/tools/categories.json +++ b/os-harden-tools/secharden/src/secharden/tools/categories.json @@ -1,7 +1,8 @@ [ { "id": "int", - "name": "全栈完整性" + "name": "全栈完整性", + "description": "全栈完整性加固用于业务软件全生命周期不被篡改。" }, { "id": "net", -- Gitee From b6e09ef846d8546cf077b179c7963000f79463cf Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 16:01:22 +0800 Subject: [PATCH 063/109] inital description on secharden rules --- os-harden-tools/secharden/README.md | 145 ++++++++++++++++++++++------ 1 file changed, 116 insertions(+), 29 deletions(-) diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 6b14619..82651dd 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -79,8 +79,18 @@ secharden --debug secharden apply /path/to/config_path ``` +配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: + +```yaml +int.01: + enabled: true +int.03: + selinux_tags: + - user_home_t + - var_log_t +``` + > 注意:指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 -> 所有配置文件格式为 yaml。 > 用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: > - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 
@@ -92,50 +102,127 @@ secharden apply /path/to/config_path secharden help rule_id ``` -## 内置规则列表 +## secharden 安全防护能力配置 secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 -详细的规则文档参见:[安全 OS 配置工具](src/secharden/tools/README.md) +详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 -## 开发 +### 全栈完整性加固 -本项目使用 uv 进行开发和管理。要开始开发,请确保安装了 uv: +全栈完整性加固用于业务软件全生命周期不被篡改。目前支持以下几种安全配置: -```bash -python3 -m pip install uv -``` +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|---------------|------|-------| +| int.01 | 启用内核模块签名 | 内核模块 | 系统启动时 | +| int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | +| int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | -安装 uv 后,可以使用以下命令同步开发依赖: +结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html), +启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 -```bash -uv sync -``` +目前,int.01 与 int.02 已在默认配置中开启,int.03 可通过以下几个步骤完成本节全栈完整性加固操作: -### 规则文档生成工具 +1. IMA 标签设置 -`devtools` 提供了 `gendoc` 命令来生成规则文档。可以使用以下命令生成文档: + secharden 通过 selinux 标签来区分需要 IMA 保护的用户文件范围。用户可通过以下指令为文件关联一个 selinux 标签: -```shell -uv run src/secharden/devtools/gendoc.py -``` + ``` + semanage fcontext -a -t $type $file + restorecon -v $file + ``` -#### 选项 +2. 
规则使能 -- `--rules` 或 `-r`:指定规则路径,默认值为 `tools` 目录。文档会生成到该目录下。 -- `--force` 或 `-f`:强制覆盖已存在的文档。若不指定该选项,工具会检查文档是否已存在,若存在则会报错退出。 -- `--version` 或 `-v`:打印当前工具版本信息。 -- `--debug` 或 `-d`:开启调试模式,输出更多的调试信息。 + 创建配置文件 `/etc/secharden/secharden.conf.d/01-ima_tags.conf`,内容如下: -### 单元测试 + ```yaml + int.03: + selinux_tags: + - <你的 selinux 标签,例如 user_home_t> + ``` -本项目使用 pytest 进行单元测试。相关依赖已通过 `uv sync` 安装。 +int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 -要运行单元测试,请使用以下命令: +### 内核加固 -```bash -uv run pytest -``` +内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|---------------|------|-------| +| kern.01 | 开启 BPF 加固功能 | 内核模块 | 系统运行时 | +| kern.02 | 启用内核 ASLR | 内核代码 | 系统运行时 | +| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | 错误发生时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 登录认证 + +登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|----------|----------------------------|------|-------| +| login.01 | 禁止空口令登录 | SSH | 系统运行时 | +| login.02 | 禁止使用 PermitUserEnvironment | SSH | 系统运行时 | +| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | 系统运行时 | +| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | 系统运行时 | +| login.05 | 禁止使用 X11 Forwarding | SSH | 系统运行时 | +| login.06 | 禁止使用 SysRq 键 | 物理机 | 系统运行时 | +| login.07 | 避免开启 tcp_timestamps | 网络 | 系统运行时 | +| login.08 | 设置最大认证次数 | SSH | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 网络保护 + +网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|-------------------|------|-------| +| net.01 | 禁止 ICMP 重定向报文 | 网络 | 系统运行时 | +| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | 系统运行时 | +| net.03 | 禁止 IP 转发 | 网络 | 系统运行时 | +| net.04 | 禁止使用 ARP 代理 | 网络 | 系统运行时 | +| net.05 | 禁止报文源路由 | 网络 | 系统运行时 | +| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | 系统运行时 | +| net.07 | 启用防火墙服务 | 网络 | 系统运行时 | +| net.08 | 启用反向地址过滤 | 网络 | 系统运行时 | +| net.09 | 启用 TCP-SYN cookie | 网络 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 权限最小化 + 
+权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|----------|------|-------| +| priv.01 | 最小化文件权限 | 用户文件 | 系统运行时 | +| priv.02 | 启用链接文件保护 | 用户文件 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 启用安全服务 + +启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|-----------------------|------|-------| +| serv.01 | 启用 rsyslog 服务 | 日志 | 系统运行时 | +| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 限制高危系统功能 + +限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: -> pytest 相关使用说明参见 [pytest 官方文档](https://docs.pytest.org/en/stable/contents.html)。 +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|---------------|------|-------| +| sys.01 | 配置 dmesg 访问权限 | 内核模块 | 系统运行时 | +| sys.02 | 禁止开启 kexec 功能 | 内核模块 | 系统运行时 | +| sys.03 | 限制内核符号读取权限 | 内核模块 | 系统运行时 | +| sys.04 | 限制 ptrace 范围 | 内核模块 | 系统运行时 | +| sys.05 | 禁用不常见网络服务 | 内核模块 | 系统运行时 | +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 -- Gitee From 0234635d470097c55632e11fa94897cda02528a1 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 16:05:30 +0800 Subject: [PATCH 064/109] move to base readme --- os-harden-tools/README.md | 126 +++++++++++++++++++++++++++- os-harden-tools/secharden/README.md | 121 +------------------------- 2 files changed, 124 insertions(+), 123 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 73e45bf..57a65a7 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md @@ -46,7 +46,7 @@ os-harden-tools/ ### 使用 -安装后,`conf` 目录包含的配置会被安装至 `/etc/secharden/secharden.conf`,该配置文件包含了系统加固的相关配置选项。 +安装后,`conf` 目录包含的配置会被安装至 `/etc/secharden/secharden.conf`,该配置文件包含了系统加固的默认配置选项。 同时还会创建一个 `/etc/secharden/secharden.d/` 目录,用于存放用户自定义的配置文件。 用户可以在该目录下创建自定义配置文件, 格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。这些配置文件会在系统加固时被加载。 
@@ -55,11 +55,131 @@ os-harden-tools/ > 详细使用说明参见 [secharden](secharden/README.md)。 -## secharden 规则 +## secharden 安全防护能力配置 secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 -详细的规则文档参见:[安全 OS 配置工具](secharden/src/secharden/tools/README.md) +详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 + +### 全栈完整性加固 + +全栈完整性加固用于业务软件全生命周期不被篡改。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|---------------|------|-------| +| int.01 | 启用内核模块签名 | 内核模块 | 系统启动时 | +| int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | +| int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | + +结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html), +启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 + +目前,int.01 与 int.02 已在默认配置中开启,int.03 可通过以下几个步骤完成本节全栈完整性加固操作: + +1. IMA 标签设置 + + secharden 通过 selinux 标签来区分需要 IMA 保护的用户文件范围。用户可通过以下指令为文件关联一个 selinux 标签: + + ``` + semanage fcontext -a -t $type $file + restorecon -v $file + ``` + +2. 规则使能 + + 创建配置文件 `/etc/secharden/secharden.conf.d/01-ima_tags.conf`,内容如下: + + ```yaml + int.03: + selinux_tags: + - <你的 selinux 标签,例如 user_home_t> + ``` + +int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 + +### 内核加固 + +内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|---------------|------|-------| +| kern.01 | 开启 BPF 加固功能 | 内核模块 | 系统运行时 | +| kern.02 | 启用内核 ASLR | 内核代码 | 系统运行时 | +| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | 错误发生时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 登录认证 + +登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|----------|----------------------------|------|-------| +| login.01 | 禁止空口令登录 | SSH | 系统运行时 | +| login.02 | 禁止使用 PermitUserEnvironment | SSH | 系统运行时 | +| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | 系统运行时 | +| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | 系统运行时 | +| login.05 | 禁止使用 X11 Forwarding | SSH | 系统运行时 | +| login.06 | 禁止使用 SysRq 键 | 物理机 | 系统运行时 | +| login.07 | 避免开启 tcp_timestamps | 网络 | 系统运行时 | +| login.08 
| 设置最大认证次数 | SSH | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 网络保护 + +网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|-------------------|------|-------| +| net.01 | 禁止 ICMP 重定向报文 | 网络 | 系统运行时 | +| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | 系统运行时 | +| net.03 | 禁止 IP 转发 | 网络 | 系统运行时 | +| net.04 | 禁止使用 ARP 代理 | 网络 | 系统运行时 | +| net.05 | 禁止报文源路由 | 网络 | 系统运行时 | +| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | 系统运行时 | +| net.07 | 启用防火墙服务 | 网络 | 系统运行时 | +| net.08 | 启用反向地址过滤 | 网络 | 系统运行时 | +| net.09 | 启用 TCP-SYN cookie | 网络 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 权限最小化 + +权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|----------|------|-------| +| priv.01 | 最小化文件权限 | 用户文件 | 系统运行时 | +| priv.02 | 启用链接文件保护 | 用户文件 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 启用安全服务 + +启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|-----------------------|------|-------| +| serv.01 | 启用 rsyslog 服务 | 日志 | 系统运行时 | +| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 限制高危系统功能 + +限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|---------------|------|-------| +| sys.01 | 配置 dmesg 访问权限 | 内核模块 | 系统运行时 | +| sys.02 | 禁止开启 kexec 功能 | 内核模块 | 系统运行时 | +| sys.03 | 限制内核符号读取权限 | 内核模块 | 系统运行时 | +| sys.04 | 限制 ptrace 范围 | 内核模块 | 系统运行时 | +| sys.05 | 禁用不常见网络服务 | 内核模块 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + ## 最小安全系统配置指南 diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 82651dd..bc72f5c 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md 
@@ -102,127 +102,8 @@ int.03: secharden help rule_id ``` -## secharden 安全防护能力配置 +## secharden 内置规则 secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 - -### 全栈完整性加固 - -全栈完整性加固用于业务软件全生命周期不被篡改。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|---------------|------|-------| -| int.01 | 启用内核模块签名 | 内核模块 | 系统启动时 | -| int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | -| int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | - -结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html), -启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 - -目前,int.01 与 int.02 已在默认配置中开启,int.03 可通过以下几个步骤完成本节全栈完整性加固操作: - -1. IMA 标签设置 - - secharden 通过 selinux 标签来区分需要 IMA 保护的用户文件范围。用户可通过以下指令为文件关联一个 selinux 标签: - - ``` - semanage fcontext -a -t $type $file - restorecon -v $file - ``` - -2. 规则使能 - - 创建配置文件 `/etc/secharden/secharden.conf.d/01-ima_tags.conf`,内容如下: - - ```yaml - int.03: - selinux_tags: - - <你的 selinux 标签,例如 user_home_t> - ``` - -int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 - -### 内核加固 - -内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|---------------|------|-------| -| kern.01 | 开启 BPF 加固功能 | 内核模块 | 系统运行时 | -| kern.02 | 启用内核 ASLR | 内核代码 | 系统运行时 | -| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | 错误发生时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 登录认证 - -登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|----------|----------------------------|------|-------| -| login.01 | 禁止空口令登录 | SSH | 系统运行时 | -| login.02 | 禁止使用 PermitUserEnvironment | SSH | 系统运行时 | -| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | 系统运行时 | -| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | 系统运行时 | -| login.05 | 禁止使用 X11 Forwarding | SSH | 系统运行时 | -| login.06 | 禁止使用 SysRq 键 | 物理机 | 系统运行时 | -| login.07 | 避免开启 tcp_timestamps | 网络 | 系统运行时 | -| login.08 | 设置最大认证次数 | SSH | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - 
-### 网络保护 - -网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|-------------------|------|-------| -| net.01 | 禁止 ICMP 重定向报文 | 网络 | 系统运行时 | -| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | 系统运行时 | -| net.03 | 禁止 IP 转发 | 网络 | 系统运行时 | -| net.04 | 禁止使用 ARP 代理 | 网络 | 系统运行时 | -| net.05 | 禁止报文源路由 | 网络 | 系统运行时 | -| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | 系统运行时 | -| net.07 | 启用防火墙服务 | 网络 | 系统运行时 | -| net.08 | 启用反向地址过滤 | 网络 | 系统运行时 | -| net.09 | 启用 TCP-SYN cookie | 网络 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 权限最小化 - -权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|----------|------|-------| -| priv.01 | 最小化文件权限 | 用户文件 | 系统运行时 | -| priv.02 | 启用链接文件保护 | 用户文件 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 启用安全服务 - -启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|-----------------------|------|-------| -| serv.01 | 启用 rsyslog 服务 | 日志 | 系统运行时 | -| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 限制高危系统功能 - -限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|---------------|------|-------| -| sys.01 | 配置 dmesg 访问权限 | 内核模块 | 系统运行时 | -| sys.02 | 禁止开启 kexec 功能 | 内核模块 | 系统运行时 | -| sys.03 | 限制内核符号读取权限 | 内核模块 | 系统运行时 | -| sys.04 | 限制 ptrace 范围 | 内核模块 | 系统运行时 | -| sys.05 | 禁用不常见网络服务 | 内核模块 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 -- Gitee From 9fd22ac4c9d6362f31e47491241055ba03de3ed2 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 16:11:23 +0800 Subject: [PATCH 065/109] add description --- .../secharden/src/secharden/tools/README.md | 12 ++++++++++++ .../src/secharden/tools/categories.json | 18 ++++++++++++------ 2 files changed, 24 insertions(+), 6 deletions(-) 
diff --git a/os-harden-tools/secharden/src/secharden/tools/README.md b/os-harden-tools/secharden/src/secharden/tools/README.md index 8c82603..fd6bb62 100644 --- a/os-harden-tools/secharden/src/secharden/tools/README.md +++ b/os-harden-tools/secharden/src/secharden/tools/README.md @@ -41,6 +41,8 @@ ## 内核加固 +内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。 + ### kern.01 开启BPF加固功能 开启BPF加固功能。BFP代码支持JIT编译执行和解释执行。其中JIT编译执行面临JIT喷射攻击的风险,攻击者可能利用该风险攻击内核进行提权。BPF加固功能会对JIT编译执行进行加固,缓解某些类型的JIT喷射攻击,降低内核面临的攻击风险。 @@ -67,6 +69,8 @@ ## 登录认证 +登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。 + ### login.01 禁止空口令登录 禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。 @@ -133,6 +137,8 @@ ## 网络保护 +网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。 + ### net.01 禁止ICMP重定向报文 禁止ICMP重定向报文。ICMP重定向消息是传递路由信息并告诉系统通过备用路径发送数据包。这是一种允许外部路由设备更新系统路由表的方法。攻击者可以利用伪造的ICMP重定向消息恶意更改系统路由表,使它们向错误的网络发送数据包,从而获取相应的敏感数据。 @@ -207,6 +213,8 @@ ## 权限最小化 +权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。 + ### priv.01 最小化文件权限 最小化文件权限。最小化系统中敏感文件的访问权限,防止因权限过大导致攻击者进行文件篡改攻击。 @@ -225,6 +233,8 @@ ## 启用安全服务 +启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。 + ### serv.01 启用rsyslog服务 启用rsyslog服务。若不开启rsyslog服务,系统日志无法转储到持久性存储设备,系统重启后,会导致日志丢失。 @@ -243,6 +253,8 @@ Selinux启用enforce模式。SELinux是Linux发行版中内置的安全模块, ## 限制高危系统功能 +限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。 + ### sys.01 配置dmesg访问权限 配置dmesg访问权限。限制访问 dmesg 信息权限,无特权的用户无法查看系统信息,从而可以避免任何人从系统信息获取敏感信息。 diff --git a/os-harden-tools/secharden/src/secharden/tools/categories.json b/os-harden-tools/secharden/src/secharden/tools/categories.json index 23449b7..e48b87d 100644 --- a/os-harden-tools/secharden/src/secharden/tools/categories.json +++ b/os-harden-tools/secharden/src/secharden/tools/categories.json 
@@ -6,26 +6,32 @@ }, { "id": "net", - "name": "网络保护" + "name": "网络保护", + "description": "网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。" }, { "id": "sys", - "name": "限制高危系统功能" + "name": "限制高危系统功能", + "description": "限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。" }, { "id": "serv", - "name": "启用安全服务" + "name": "启用安全服务", + "description": "启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。" }, { "id": "kern", - "name": "内核加固" + "name": "内核加固", + "description": "内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。" }, { "id": "priv", - "name": "权限最小化" + "name": "权限最小化", + "description": "权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。" }, { "id": "login", - "name": "登录认证" + "name": "登录认证", + "description": "登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。" } ] \ No newline at end of file -- Gitee From 3e7d4e2776f436addb75e1b607d9184456969305 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 16:20:28 +0800 Subject: [PATCH 066/109] move to secharen --- os-harden-tools/README.md | 126 ---------------------------- os-harden-tools/secharden/README.md | 121 +++++++++++++++++++++++++- 2 files changed, 120 insertions(+), 127 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 57a65a7..ed504eb 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md 
@@ -55,132 +55,6 @@ os-harden-tools/ > 详细使用说明参见 [secharden](secharden/README.md)。 -## secharden 安全防护能力配置 - -secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 - -详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 - -### 全栈完整性加固 - -全栈完整性加固用于业务软件全生命周期不被篡改。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|---------------|------|-------| -| int.01 | 启用内核模块签名 | 内核模块 | 系统启动时 | -| int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | -| int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | - -结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html), -启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 - -目前,int.01 与 int.02 已在默认配置中开启,int.03 可通过以下几个步骤完成本节全栈完整性加固操作: - -1. IMA 标签设置 - - secharden 通过 selinux 标签来区分需要 IMA 保护的用户文件范围。用户可通过以下指令为文件关联一个 selinux 标签: - - ``` - semanage fcontext -a -t $type $file - restorecon -v $file - ``` - -2. 规则使能 - - 创建配置文件 `/etc/secharden/secharden.conf.d/01-ima_tags.conf`,内容如下: - - ```yaml - int.03: - selinux_tags: - - <你的 selinux 标签,例如 user_home_t> - ``` - -int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 - -### 内核加固 - -内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|---------------|------|-------| -| kern.01 | 开启 BPF 加固功能 | 内核模块 | 系统运行时 | -| kern.02 | 启用内核 ASLR | 内核代码 | 系统运行时 | -| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | 错误发生时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 登录认证 - -登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|----------|----------------------------|------|-------| -| login.01 | 禁止空口令登录 | SSH | 系统运行时 | -| login.02 | 禁止使用 PermitUserEnvironment | SSH | 系统运行时 | -| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | 系统运行时 | -| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | 系统运行时 | -| login.05 | 禁止使用 X11 Forwarding | SSH | 系统运行时 | -| login.06 | 禁止使用 SysRq 键 | 物理机 | 系统运行时 | -| login.07 | 避免开启 tcp_timestamps | 网络 | 系统运行时 | -| login.08 | 设置最大认证次数 | SSH | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 
命令应用本节所有规则。 - -### 网络保护 - -网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|-------------------|------|-------| -| net.01 | 禁止 ICMP 重定向报文 | 网络 | 系统运行时 | -| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | 系统运行时 | -| net.03 | 禁止 IP 转发 | 网络 | 系统运行时 | -| net.04 | 禁止使用 ARP 代理 | 网络 | 系统运行时 | -| net.05 | 禁止报文源路由 | 网络 | 系统运行时 | -| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | 系统运行时 | -| net.07 | 启用防火墙服务 | 网络 | 系统运行时 | -| net.08 | 启用反向地址过滤 | 网络 | 系统运行时 | -| net.09 | 启用 TCP-SYN cookie | 网络 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 权限最小化 - -权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|----------|------|-------| -| priv.01 | 最小化文件权限 | 用户文件 | 系统运行时 | -| priv.02 | 启用链接文件保护 | 用户文件 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 启用安全服务 - -启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|-----------------------|------|-------| -| serv.01 | 启用 rsyslog 服务 | 日志 | 系统运行时 | -| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - -### 限制高危系统功能 - -限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|---------------|------|-------| -| sys.01 | 配置 dmesg 访问权限 | 内核模块 | 系统运行时 | -| sys.02 | 禁止开启 kexec 功能 | 内核模块 | 系统运行时 | -| sys.03 | 限制内核符号读取权限 | 内核模块 | 系统运行时 | -| sys.04 | 限制 ptrace 范围 | 内核模块 | 系统运行时 | -| sys.05 | 禁用不常见网络服务 | 内核模块 | 系统运行时 | - -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 - - ## 最小安全系统配置指南 `docs` 目录包含了最小安全系统配置指南,主要包括以下内容: diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index bc72f5c..9b6b566 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md 
@@ -102,8 +102,127 @@ int.03: secharden help rule_id ``` -## secharden 内置规则 +## secharden 安全防护能力配置 secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 + +### 全栈完整性加固 + +全栈完整性加固用于业务软件全生命周期不被篡改。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|---------------|------|-------| +| int.01 | 启用内核模块签名 | 内核模块 | 系统启动时 | +| int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | +| int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | + +结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html), +启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 + +目前,int.01 与 int.02 已在默认配置中开启,int.03 可通过以下几个步骤完成本节全栈完整性加固操作: + +1. IMA 标签设置 + + secharden 通过 selinux 标签来区分需要 IMA 保护的用户文件范围。用户可通过以下指令为文件关联一个 selinux 标签: + + ``` + semanage fcontext -a -t $type $file + restorecon -v $file + ``` + +2. 规则使能 + + 创建配置文件 `/etc/secharden/secharden.conf.d/01-ima_tags.conf`,内容如下: + + ```yaml + int.03: + selinux_tags: + - <你的 selinux 标签,例如 user_home_t> + ``` + +int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 + +### 内核加固 + +内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|---------------|------|-------| +| kern.01 | 开启 BPF 加固功能 | 内核模块 | 系统运行时 | +| kern.02 | 启用内核 ASLR | 内核代码 | 系统运行时 | +| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | 错误发生时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 登录认证 + +登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|----------|----------------------------|------|-------| +| login.01 | 禁止空口令登录 | SSH | 系统运行时 | +| login.02 | 禁止使用 PermitUserEnvironment | SSH | 系统运行时 | +| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | 系统运行时 | +| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | 系统运行时 | +| login.05 | 禁止使用 X11 Forwarding | SSH | 系统运行时 | +| login.06 | 禁止使用 SysRq 键 | 物理机 | 系统运行时 | +| login.07 | 避免开启 tcp_timestamps | 网络 | 系统运行时 | +| login.08 | 设置最大认证次数 | SSH | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + 
+### 网络保护 + +网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|-------------------|------|-------| +| net.01 | 禁止 ICMP 重定向报文 | 网络 | 系统运行时 | +| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | 系统运行时 | +| net.03 | 禁止 IP 转发 | 网络 | 系统运行时 | +| net.04 | 禁止使用 ARP 代理 | 网络 | 系统运行时 | +| net.05 | 禁止报文源路由 | 网络 | 系统运行时 | +| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | 系统运行时 | +| net.07 | 启用防火墙服务 | 网络 | 系统运行时 | +| net.08 | 启用反向地址过滤 | 网络 | 系统运行时 | +| net.09 | 启用 TCP-SYN cookie | 网络 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 权限最小化 + +权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|----------|------|-------| +| priv.01 | 最小化文件权限 | 用户文件 | 系统运行时 | +| priv.02 | 启用链接文件保护 | 用户文件 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 启用安全服务 + +启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|---------|-----------------------|------|-------| +| serv.01 | 启用 rsyslog 服务 | 日志 | 系统运行时 | +| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 + +### 限制高危系统功能 + +限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|---------------|------|-------| +| sys.01 | 配置 dmesg 访问权限 | 内核模块 | 系统运行时 | +| sys.02 | 禁止开启 kexec 功能 | 内核模块 | 系统运行时 | +| sys.03 | 限制内核符号读取权限 | 内核模块 | 系统运行时 | +| sys.04 | 限制 ptrace 范围 | 内核模块 | 系统运行时 | +| sys.05 | 禁用不常见网络服务 | 内核模块 | 系统运行时 | + +目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 \ No newline at end of file -- Gitee From 256f9f94c7bf64c3e31805001ffdab7197fe02d1 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 16:21:49 +0800 Subject: [PATCH 067/109] remove redundant --- os-harden-tools/secharden/README.md | 82 ++++++++++++++--------------- 1 file changed, 41 insertions(+), 41 deletions(-) 
diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 9b6b566..ad0845e 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -148,11 +148,11 @@ int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则 内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|---------------|------|-------| -| kern.01 | 开启 BPF 加固功能 | 内核模块 | 系统运行时 | -| kern.02 | 启用内核 ASLR | 内核代码 | 系统运行时 | -| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | 错误发生时 | +| ID | 加固规则 | 保护范围 | +|---------|---------------|------| +| kern.01 | 开启 BPF 加固功能 | 内核模块 | +| kern.02 | 启用内核 ASLR | 内核代码 | +| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | 目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 @@ -160,16 +160,16 @@ int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则 登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: -| ID | 加固规则 | 保护范围 | 保护周期 | -|----------|----------------------------|------|-------| -| login.01 | 禁止空口令登录 | SSH | 系统运行时 | -| login.02 | 禁止使用 PermitUserEnvironment | SSH | 系统运行时 | -| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | 系统运行时 | -| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | 系统运行时 | -| login.05 | 禁止使用 X11 Forwarding | SSH | 系统运行时 | -| login.06 | 禁止使用 SysRq 键 | 物理机 | 系统运行时 | -| login.07 | 避免开启 tcp_timestamps | 网络 | 系统运行时 | -| login.08 | 设置最大认证次数 | SSH | 系统运行时 | +| ID | 加固规则 | 保护范围 | +|----------|----------------------------|------| +| login.01 | 禁止空口令登录 | SSH | +| login.02 | 禁止使用 PermitUserEnvironment | SSH | +| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | +| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | +| login.05 | 禁止使用 X11 Forwarding | SSH | +| login.06 | 禁止使用 SysRq 键 | 物理机 | +| login.07 | 避免开启 tcp_timestamps | 网络 | +| login.08 | 设置最大认证次数 | SSH | 目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 
@@ -177,17 +177,17 @@ int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则 网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|-------------------|------|-------| -| net.01 | 禁止 ICMP 重定向报文 | 网络 | 系统运行时 | -| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | 系统运行时 | -| net.03 | 禁止 IP 转发 | 网络 | 系统运行时 | -| net.04 | 禁止使用 ARP 代理 | 网络 | 系统运行时 | -| net.05 | 禁止报文源路由 | 网络 | 系统运行时 | -| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | 系统运行时 | -| net.07 | 启用防火墙服务 | 网络 | 系统运行时 | -| net.08 | 启用反向地址过滤 | 网络 | 系统运行时 | -| net.09 | 启用 TCP-SYN cookie | 网络 | 系统运行时 | +| ID | 加固规则 | 保护范围 | +|--------|-------------------|------| +| net.01 | 禁止 ICMP 重定向报文 | 网络 | +| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | +| net.03 | 禁止 IP 转发 | 网络 | +| net.04 | 禁止使用 ARP 代理 | 网络 | +| net.05 | 禁止报文源路由 | 网络 | +| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | +| net.07 | 启用防火墙服务 | 网络 | +| net.08 | 启用反向地址过滤 | 网络 | +| net.09 | 启用 TCP-SYN cookie | 网络 | 目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 @@ -195,10 +195,10 @@ int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则 权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|----------|------|-------| -| priv.01 | 最小化文件权限 | 用户文件 | 系统运行时 | -| priv.02 | 启用链接文件保护 | 用户文件 | 系统运行时 | +| ID | 加固规则 | 保护范围 | +|---------|----------|------| +| priv.01 | 最小化文件权限 | 用户文件 | +| priv.02 | 启用链接文件保护 | 用户文件 | 目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 @@ -206,10 +206,10 @@ int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则 启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: -| ID | 加固规则 | 保护范围 | 保护周期 | -|---------|-----------------------|------|-------| -| serv.01 | 启用 rsyslog 服务 | 日志 | 系统运行时 | -| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | 系统运行时 | +| ID | 加固规则 | 保护范围 | +|---------|-----------------------|------| +| serv.01 | 启用 rsyslog 服务 | 日志 | +| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | 目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 
@@ -217,12 +217,12 @@ int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则 限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|---------------|------|-------| -| sys.01 | 配置 dmesg 访问权限 | 内核模块 | 系统运行时 | -| sys.02 | 禁止开启 kexec 功能 | 内核模块 | 系统运行时 | -| sys.03 | 限制内核符号读取权限 | 内核模块 | 系统运行时 | -| sys.04 | 限制 ptrace 范围 | 内核模块 | 系统运行时 | -| sys.05 | 禁用不常见网络服务 | 内核模块 | 系统运行时 | +| ID | 加固规则 | 保护范围 | +|--------|---------------|------| +| sys.01 | 配置 dmesg 访问权限 | 内核模块 | +| sys.02 | 禁止开启 kexec 功能 | 内核模块 | +| sys.03 | 限制内核符号读取权限 | 内核模块 | +| sys.04 | 限制 ptrace 范围 | 内核模块 | +| sys.05 | 禁用不常见网络服务 | 内核模块 | 目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 \ No newline at end of file -- Gitee From 750ced097de73af6a6215e382b39e5185e9414a2 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 16:30:00 +0800 Subject: [PATCH 068/109] add description to config file --- os-harden-tools/secharden/README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index ad0845e..0ca0525 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -79,6 +79,14 @@ secharden --debug secharden apply /path/to/config_path ``` +> 注意:指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 + +用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: + +- 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 + +#### 配置文件格式 + 配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: ```yaml 
@@ -88,11 +96,19 @@ int.03: selinux_tags: - user_home_t - var_log_t +net.01: + enabled: false ``` -> 注意:指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 -> 用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: -> - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 +上述配置文件表示启用 `int.01` 和 `int.03` 规则,并为 `int.03` 规则指定了 selinux 标签。该配置文件还显式禁用了 `net.01` 规则。 + +在每个规则中,都有一个特殊的 `enabled` 参数,用于启用或禁用该规则。默认情况下,所有规则都被启用。用户可以通过设置 +`enabled: false` 来禁用某个规则,例如: + +```yaml +int.01: + enabled: false +``` ### 查看规则的帮助信息 -- Gitee From fe2562d0e53af42c06e03138d37f598c07014dc9 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 17:45:36 +0800 Subject: [PATCH 069/109] update development readme --- os-harden-tools/secharden/DEVELOPMENT.md | 167 ++++++++++++++++++++++- 1 file changed, 166 insertions(+), 1 deletion(-) diff --git a/os-harden-tools/secharden/DEVELOPMENT.md b/os-harden-tools/secharden/DEVELOPMENT.md index 4ead352..28be1a6 100644 --- a/os-harden-tools/secharden/DEVELOPMENT.md +++ b/os-harden-tools/secharden/DEVELOPMENT.md 
@@ -12,9 +12,174 @@ python3 -m pip install uv uv sync ``` +## 项目架构 + +项目的目录结构如下: + +``` +secharden:主目录 +├── src:源码目录 +│ ├── secharden:secharden 包目录 +│ │ ├── devtools:开发工具目录 +│ │ │ └── gendoc.py:规则文档生成工具 +│ │ ├── rule_metadata:规则元数据解析 +│ │ │ ├── converters:配置转换器目录,用于将配置项转换为规则元数据定义的参数 +│ │ │ │ ├── __init__.py +│ │ │ │ └── file_list.py:将配置数组写入临时文件,并将文件路径作为参数传递给规则元数据定义的参数 +│ │ │ ├── __init__.py +│ │ │ ├── manager.py:规则元数据管理器,用于加载和解析规则元数据 +│ │ │ ├── metadata.py:规则元数据定义类,负责解析 metadata.json 文件 +│ │ ├── schema/ +│ │ │ ├── categories.schema.json:规则分类的 JSON Schema 定义 +│ │ │ └── metadata.schema.json:规则元数据的 JSON Schema 定义 +│ │ ├── tools/ +│ │ │ ├── categories.json:规则分类定义文件 +│ │ │ ├── README.md:规则分类说明文档 +│ │ │ ├── <类别>.<序号>:规则目录 +│ │ │ │ ├── metadata.json:规则元数据定义文件 +│ │ │ │ └── ... +│ │ │ └── ... +│ │ ├── __init__.py +│ │ ├── config_parser.py:配置解析器,用于解析 secharden 配置文件 +│ │ ├── executor.py:执行器,用于执行运行规则 +│ │ ├── secharden.py:secharden 包的入口文件,包含主逻辑 +│ │ ├── utils.py:工具函数集合 +├── tests:测试目录 +├── DEVELOPMENT.md:开发文档 +├── MANIFEST.in:清单文件,指定哪些文件需要包含在分发包中 +├── pyproject.toml:项目配置文件,包含依赖和构建信息 +├── README.md:项目说明文档 +└── uv.lock:uv 锁定文件,记录依赖版本信息 +``` + +## 新建规则集 + +新建规则集时,需要新建一个目录,并在该目录下创建 `categories.json` 文件,该文件用于定义规则分类。以下是一个示例 +`categories.json` 文件: + +```json +[ + { + "id": "int", + "name": "全栈完整性", + "description": "全栈完整性加固用于业务软件全生命周期不被篡改。" + } +] +``` + +该规则集为一个数组,每一个元素表示一个规则分类。每个分类包含以下字段: + +- `id`:规则分类的唯一标识符,格式为 `<类别>`,例如 `int`。 +- `name`:规则分类名称。 +- `description`(可选):规则分类描述。 + +### 新建规则 + +在新建的规则集目录中,创建一个规则目录,命名格式为 `<类别>.<序号>`,例如 `int.01`。 +在该目录下创建 `metadata.json` 文件,该文件用于定义规则元数据。以下是一个示例 `metadata.json` 文件: + +```json +{ + "id": "int.01", + "name": "启用IMA度量关键文件", + "description": "启用IMA度量关键文件。IMA 度量是一个开源的可信计算组件。其维护了一个运行时度量列表,并在 TPM 设备存在时则针对该列表生成整体完整性度量值并记录到 TPM 中。", + "entry": "enforce_ima.sh", + "parameters": [ + { + "id": "selinux_tags", + "name": "selinux 标签列表文件", + "description": "该文件包含一个 selinux 标签列表,表示这些标签需要被 ima 度量。要求文件每行一个标签。", + "converter": "FileListConverter", + 
"cmd_template": "%file" + } + ], + "urls": [ + { + "title": "Integrity Measurement Architecture (IMA) Wiki", + "url": "https://sourceforge.net/p/linux-ima/wiki/Home/" + } + ] +} +``` + +该规则元数据包含以下字段: + +- `id`:规则的唯一标识符,格式为 `<类别>.<序号>`,例如 `int.01`。 +- `name`:规则名称。 +- `description`:规则描述。 +- `entry`:规则的入口脚本文件名,也可以是一个可执行文件名。secharden 会搜索当前目录下的文件以及环境变量 `PATH` 中的可执行文件。 +- `parameters`(可选):规则参数列表。每个参数包含以下字段: + - `id`:参数的唯一标识符。 + - `name`:参数名称。 + - `description`:参数描述。 + - `converter`:参数转换器类名,用于将配置项转换为规则元数据定义的参数。 + - `cmd_template`:命令行模板,用于生成执行命令。该模板可以包含参数占位符,例如 `%file`。参数占位符需要配合 `converter` + 使用。 +- `urls`(可选):相关链接列表。每个链接包含以下字段: + - `title`:链接标题。 + - `url`:链接地址。 + +开发者还可以根据自身需求添加其他文件。 + +### 转换器开发 + +转换器用于将配置项转换为规则元数据定义的参数。转换器需要继承 `secharden.rule_metadata.metadata.Converter` 类, +并实现 `verify` 和 `generate` 方法,开发者还可以实现 `cleanup` 方法以完成生成后清理功能。 + +#### 转换器 `verify` 方法 + +`verify` 方法用于验证配置项是否符合规则元数据定义的参数要求,方法函数签名如下: + +```python +from secharden.rule_metadata import RuleParameter + + +def verify(self, parameter: RuleParameter): + pass +``` + +- `parameter`: `RuleParameter` 是一个包含规则参数信息的对象,开发者可以上述规则列表中 `parameters` 字段信息。 + +开发者应验证配置项是否符合规则元数据定义的参数要求,尤其是上述的 `cmd_template` 字段是否满足要求。如果验证不通过,需要抛出异常以提示框架。 + +#### 转换器 `generate` 方法 + +`generate` 方法用于将配置项转换为规则元数据定义的参数,方法函数签名如下: + +```python +from secharden.executor import CmdParameter + + +def generate(self, parameter: CmdParameter, config): + pass +``` + +- `parameter`: `CmdParameter` 是一个包含命令行参数信息的对象。该类除了包含 `RuleParameter` 的所有字段外, 还包含了 + `add_variable` 和 `add_env` 函数。 + - `add_variable(name, value)`:添加一个占位符键值对。框架根据 `cmd_template` 中的占位符生成命令行参数时会查询并替换为相应的 + `value`。 + - `add_env(name, value)`:添加一个环境变量。框架最终运行规则时会将该环境变量添加到执行环境中。 +- `config`: `config` 参数是由配置文件解析器解析后的配置项。开发者可以根据规则元数据定义的参数要求,从 `config` 中提取相应的值,并使用 + `CmdParameter`提供的上述函数添加到命令行参数中。 + +#### 转换器 `cleanup` 方法 + +`cleanup` 方法是一个可选方法,用于在规则执行后进行清理工作。方法函数签名如下: + +```python +def cleanup(self): + pass +``` + +`cleanup` 方法可以用于删除临时文件或其他清理工作。该方法在规则执行完成后被调用,开发者可以根据需要实现该方法。 + +> 注意:`cleanup` 
方法仅会在 `generate` 方法成功执行后被调用。如果 `generate` 方法抛出异常,`cleanup` 方法将不会被调用。 + ## 规则文档生成工具 -`devtools` 提供了 `gendoc` 命令来生成规则文档。可以使用以下命令生成文档: +`devtools` 提供了 `gendoc` 命令来生成规则文档。该文档通过解析 `categories.json` 和 `metadata.json` 文件生成 `README.md` +文档。 +可以使用以下命令生成文档: ```shell uv run src/secharden/devtools/gendoc.py -- Gitee From 320b8efc33752ed9f4767564d329c2dc0657d684 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 19:07:30 +0800 Subject: [PATCH 070/109] change categories to dict --- .../src/secharden/rule_metadata/manager.py | 28 ++++++----- .../src/secharden/rule_metadata/metadata.py | 47 +++++++++++++++++++ .../secharden/schema/categories.schema.json | 10 ++-- .../secharden/src/secharden/secharden.py | 40 +++++++++------- .../src/secharden/tools/categories.json | 24 ++++------ .../rules/ruleset/execution/categories.json | 10 ++-- .../rules/ruleset/naming/categories.json | 34 +++++++------- .../secharden/tests/rules/test_metadata.py | 1 + .../secharden/tests/rules/test_rulemanager.py | 39 ++++++++++----- 9 files changed, 149 insertions(+), 84 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py b/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py index 2395db4..00d5b62 100644 --- a/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py @@ -6,6 +6,7 @@ import jsonschema from secharden.executor import CmdExecutor, CmdParameter from secharden.rule_metadata import RuleMetadata +from secharden.rule_metadata.metadata import CategoryMetadata from secharden.utils import load_json_file, HOME_DIR 
@@ -38,7 +39,7 @@ class RuleManager: def __init__(self, rules_dir: Path): """ - Initializes the RuleManager with the specified rules directory. + Initializes the RuleManager with the specified rule directory. :param rules_dir: Path to the directory containing rule files :raises FileNotFoundError: If the rules directory does not exist :raises NotADirectoryError: If the specified path is not a directory @@ -47,7 +48,7 @@ class RuleManager: """ self._dir = rules_dir.resolve() self._rules: List[str] = [] - self._categories: Dict[str, Dict[str, Any]] = {} + self._categories: List[str] = [] if not self._dir.exists(): logging.error(f"Rules directory does not exist: {self._dir}") @@ -63,7 +64,7 @@ class RuleManager: return self._dir @property - def categories(self) -> Dict[str, Dict[str, Any]]: + def categories(self) -> List[str]: """ Returns a copy of the category information. """ return self._categories.copy() @@ -80,6 +81,14 @@ class RuleManager: """ return rule_id in self._rules + def category_exists(self, category_id: str) -> bool: + """ + Checks if a category with the given ID exists in the manager. + :param category_id: The ID of the category to check + :return: True if the category exists, False otherwise + """ + return category_id in self._categories + def get_rules_by_category(self, category_id: str) -> List[str]: """ Retrieves all rules associated with a specific category ID. @@ -103,7 +112,7 @@ class RuleManager: rule = self._dir.joinpath(rule_id).resolve() return RuleMetadata(rule) - def get_category_desc(self, category_id: str) -> Dict[str, Any]: + def get_category_desc(self, category_id: str) -> CategoryMetadata: """ Retrieves the description of a specific category by its ID. :param category_id: The ID of the category to retrieve 
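Review bot: The docstring of the `categories` property still says it returns "a copy of the category information", but after this change the property returns a `List[str]` of category IDs only; the name and description now live in `CategoryMetadata` and are reached through `get_category_desc`. Suggest `Returns a copy of the list of category IDs; use get_category_desc() for a category's name and description.` The same wording should be mirrored in the `category_exists` docstring added in the next hunk, which checks membership in that same ID list.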
@@ -112,7 +121,7 @@ class RuleManager: """ if category_id not in self._categories: raise ValueError(f"Category with ID {category_id} not found") - return self._categories[category_id] + return CategoryMetadata(id=category_id, **load_json_file(self._dir.joinpath('categories.json'))[category_id]) def reload_rules(self): """ @@ -122,14 +131,11 @@ class RuleManager: :raises jsonschema.ValidationError: If the categories.json file does not conform to the schema :raises ValueError: If the rules directory does not contain a valid categories.json file """ - categories: List[Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json')) + categories: Dict[str, Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json')) jsonschema.validate(categories, load_json_file(HOME_DIR.joinpath('schema/categories.schema.json'))) # id is verified by jsonschema - categories = sorted(categories, key=lambda c: c['id']) - for category in categories: - category_id = category["id"] - + for category_id in sorted(categories.keys()): # collect all valid rules rules: List[str] = [] for rule_path in self._dir.glob(f"{category_id}.*"): @@ -146,7 +152,7 @@ class RuleManager: logging.error(f"No rules found for category {category_id}") continue - self._categories[category_id] = category + self._categories.append(category_id) self._rules.extend(sorted(rules, key=lambda r: int(r.split('.', 1)[1]))) def apply_rule(self, rule: str, config=None): diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py index d3159ad..4bdfeab 100644 --- a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py +++ b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py 
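Review bot: The new `return CategoryMetadata(id=category_id, **load_json_file(self._dir.joinpath('categories.json'))[category_id])` re-reads and re-parses `categories.json` on every call and bypasses the `jsonschema.validate` that only `reload_rules` performs, so the `category_id not in self._categories` guard checks a different copy of the data than the one returned. If the file is edited or replaced after `reload_rules` ran, this line raises `KeyError` (missing key, or missing `name`/`description` inside `CategoryMetadata.__init__`), which is not the `ValueError` that callers such as `help_message` catch. Keep the validated mapping on the instance in `reload_rules` (e.g. `self._category_data = categories`) and return `CategoryMetadata(id=category_id, **self._category_data[category_id])` here, so only schema-checked, load-time data is served.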
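Review bot: The retained comment `# id is verified by jsonschema` no longer holds after this change: the category id is now a dictionary key, and the new schema only types the values, so any string is accepted as an id. That id is interpolated into `self._dir.glob(f"{category_id}.*")` a few lines below, so a key containing glob metacharacters such as `*` would claim every rule directory in the ruleset. Either constrain the keys in the schema or reject non-identifier ids before the glob, e.g. `if not category_id.isidentifier(): raise ValueError(f"Invalid category id {category_id!r}")`. Separately, nothing in this method clears `self._categories` or `self._rules` before the loop, so a second `reload_rules()` call would append duplicate entries.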
@@ -292,3 +292,50 @@ class RuleMetadata: doc += f"- [{url.title}]({url.url})\n" doc += "\n" return doc + + +class CategoryMetadata: + """ + Represents the metadata of a category, parsed data from category.json file. + """ + + def __init__(self, **kwargs): + """ + Initializes a CategoryMetadata instance by loading metadata from a dictionary. + :param kwargs: A dictionary containing 'id', 'name', and 'description'. + """ + # these fields are not checked since they are checked using json schema + self._id: str = kwargs['id'] + self._name: str = kwargs['name'] + self._description: str = kwargs['description'] + + @property + def id(self) -> str: + """ + Returns the unique identifier of the category metadata. + """ + return self._id + + @property + def name(self) -> str: + """ + Returns the name of the category. + """ + return self._name + + @property + def description(self) -> str: + """ + Returns the description of the category. + """ + return self._description + + @property + def doc(self) -> str: + """ + Generates a markdown documentation string for the category metadata. + """ + doc = "" + doc += f"### {self._id} {self._name}\n\n" + doc += f"{self._description}\n\n" + return doc diff --git a/os-harden-tools/secharden/src/secharden/schema/categories.schema.json b/os-harden-tools/secharden/src/secharden/schema/categories.schema.json index f478bce..b280539 100644 --- a/os-harden-tools/secharden/src/secharden/schema/categories.schema.json +++ b/os-harden-tools/secharden/src/secharden/schema/categories.schema.json @@ -5,14 +5,10 @@ "description": "Schema file for tool categories specification", "allOf": [ { - "type": "array", - "items": { + "type": "object", + "additionalProperties": { "type": "object", "properties": { - "id": { - "type": "string", - "description": "Unique identifier for the category" - }, "name": { "type": "string", "description": "Name of the category" 
@@ -22,7 +18,7 @@ "description": "Description of the category" } }, - "required": ["id", "name"] + "required": ["name", "description"] } } ] diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index 5a03431..ca667ba 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py @@ -10,20 +10,19 @@ from secharden.utils import DirectoryPathVerifier, HOME_DIR def list_rules(rule_mgr: RuleManager, args) -> int: - if args.category: - try: - rules = rule_mgr.get_rules_by_category(args.category) - except ValueError: - logging.error(f"Category {args.category} not found.") - print(f"Category {args.category} not found.") - return 1 - print(f"Available rules for {args.category}:") - else: - rules = rule_mgr.rules - print("Available rules:") - for rule in rules: - metadata = rule_mgr.get_rule_metadata(rule) - print(f"\t{rule}: {metadata.name}") + categories = [args.category] if args.category else rule_mgr.categories + if args.category and not rule_mgr.category_exists(args.category): + logging.error(f"Category {args.category} not found.") + print(f"Category {args.category} not found.") + return 1 + + for category_id in categories: + category = rule_mgr.get_category_desc(category_id) + print(f"{category_id}: {category.name}") + rules = rule_mgr.get_rules_by_category(category_id) + for rule in rules: + metadata = rule_mgr.get_rule_metadata(rule) + print(f"\t{rule}: {metadata.name}") return 0 
@@ -52,9 +51,18 @@ def apply(rule_mgr: RuleManager, args) -> int: def help_message(rule_mgr: RuleManager, args) -> int: rule = args.rule[0] + if not '.' in args.rule: + # treat it as category id + try: + print(rule_mgr.get_category_desc(rule).doc) + return 0 + except ValueError: + logging.error(f"Category '{rule}' not found.") + print(f"Category '{rule}' not found. Use 'secharden list' to see available categories.") + return 1 + try: - metadata = rule_mgr.get_rule_metadata(rule) - print(metadata.doc) + print(rule_mgr.get_rule_metadata(rule).doc) return 0 except KeyError: logging.error(f"Rule '{rule}' not found.") diff --git a/os-harden-tools/secharden/src/secharden/tools/categories.json b/os-harden-tools/secharden/src/secharden/tools/categories.json index e48b87d..afe280f 100644 --- a/os-harden-tools/secharden/src/secharden/tools/categories.json +++ b/os-harden-tools/secharden/src/secharden/tools/categories.json @@ -1,37 +1,31 @@ -[ - { +{ + "int": { "id": "int", "name": "全栈完整性", "description": "全栈完整性加固用于业务软件全生命周期不被篡改。" }, - { - "id": "net", + "net": { "name": "网络保护", "description": "网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。" }, - { - "id": "sys", + "sys": { "name": "限制高危系统功能", "description": "限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。" }, - { - "id": "serv", + "serv": { "name": "启用安全服务", "description": "启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。" }, - { - "id": "kern", + "kern": { "name": "内核加固", "description": "内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。" }, - { - "id": "priv", + "priv": { "name": "权限最小化", "description": "权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。" }, - { - "id": "login", + "login": { "name": "登录认证", "description": "登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。" } -] \ No newline at end of file +} \ No newline at end of file diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json b/os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json index f99430a..cf47d52 100644 
--- a/os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json +++ b/os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json @@ -1,6 +1,6 @@ -[ - { - "id": "test", - "name": "Test Category" +{ + "test": { + "name": "Test Category", + "description": "This is a test category for demonstration purposes." } -] \ No newline at end of file +} \ No newline at end of file diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json b/os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json index dcfe10a..71a2965 100644 --- a/os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json +++ b/os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json @@ -1,22 +1,22 @@ -[ - { - "id": "nometa", - "name": "No Metadata" +{ + "nometa": { + "name": "No Metadata", + "description": "This category does not have metadata." }, - { - "id": "test", - "name": "Test Category" + "test": { + "name": "Test Category", + "description": "This is a test category with metadata." }, - { - "id": "test1", - "name": "Test Category 1" + "test1": { + "name": "Test Category 1", + "description": "This is another test category with metadata." }, - { - "id": "notdir", - "name": "Not a Directory Category" + "notdir": { + "name": "Not a Directory Category", + "description": "This category is not a directory" }, - { - "id": "invalid", - "name": "Invalid Category" + "invalid": { + "name": "Invalid Category", + "description": "This category has invalid metadata." } -] \ No newline at end of file +} \ No newline at end of file diff --git a/os-harden-tools/secharden/tests/rules/test_metadata.py b/os-harden-tools/secharden/tests/rules/test_metadata.py index 012e95c..3416aa5 100644 --- a/os-harden-tools/secharden/tests/rules/test_metadata.py +++ b/os-harden-tools/secharden/tests/rules/test_metadata.py 
@@ -17,6 +17,7 @@ class TestMetadata: assert d.name == 'valid metadata' assert d.description == 'valid metadata' assert d.entry == path.joinpath("metadata.json") + assert d.rule_path == path def test_entry_in_path(self, config_test_path): path = config_test_path.joinpath("entry_in_path") diff --git a/os-harden-tools/secharden/tests/rules/test_rulemanager.py b/os-harden-tools/secharden/tests/rules/test_rulemanager.py index ff490e1..19cff4a 100644 --- a/os-harden-tools/secharden/tests/rules/test_rulemanager.py +++ b/os-harden-tools/secharden/tests/rules/test_rulemanager.py @@ -2,6 +2,7 @@ import logging from pathlib import Path import pytest + from secharden.rule_metadata.manager import RuleManager, precheck @@ -70,14 +71,8 @@ class TestRuleManager: assert f"No rules found for category invalid" in caplog.text assert manager.path == naming - categories = { - "test": {"id": "test", "name": "Test Category"}, - "test1": {"id": "test1", "name": "Test Category 1"} - } - assert manager.categories == categories - - rules = ["test.01", "test1.01"] - assert manager.rules == rules + assert manager.categories == ["test", "test1"] + assert manager.rules == ["test.01", "test1.01"] def test_rule_manager_rule_exists(self, rule_path): naming = rule_path.joinpath("naming").resolve() @@ -86,6 +81,13 @@ class TestRuleManager: assert manager.rule_exists("test.01") assert not manager.rule_exists("nonexistent.01") + def test_rule_manager_category_exists(self, rule_path): + naming = rule_path.joinpath("naming").resolve() + manager = RuleManager(naming) + + assert manager.category_exists("test") + assert not manager.category_exists("nonexistent") + def test_rule_manager_get_rules_by_category(self, rule_path): naming = rule_path.joinpath("naming").resolve() manager = RuleManager(naming) 
@@ -110,16 +112,18 @@ class TestRuleManager: manager.get_rule_metadata("nonexistent.01") assert str(e.value) == "Rule with ID nonexistent.01 not found" - # with pytest.raises(FileNotFoundError) as e: - # manager.get_rule_metadata("nometa.01") - # assert str(e.value) == f"Rule file {naming.joinpath('nometa.01').resolve()} is not a regular file" + with pytest.raises(ValueError) as e: + manager.get_rule_metadata("nometa.01") + assert str(e.value) == "Rule with ID nometa.01 not found" def test_rule_manager_get_category_desc(self, rule_path): naming = rule_path.joinpath("naming").resolve() manager = RuleManager(naming) desc = manager.get_category_desc("test") - assert desc == {"id": "test", "name": "Test Category"} + assert desc.id == "test" + assert desc.name == "Test Category" + assert desc.description == "This is a test category with metadata." with pytest.raises(ValueError) as e: manager.get_category_desc("nonexistent") @@ -202,4 +206,13 @@ class TestRuleManager: caplog.set_level(logging.ERROR) with pytest.raises(Exception): manager.apply_rule("test.04", config) - assert "Failed to generate command line on parameter input1." in caplog.text \ No newline at end of file + assert "Failed to generate command line on parameter input1." in caplog.text + + def test_category_doc(self, rule_path): + naming = rule_path.joinpath("naming") + manager = RuleManager(naming) + assert manager.get_category_desc("test").doc == """### test Test Category + +This is a test category with metadata. + +""" -- Gitee From af1f468f289578350756dcfb1e50177ddb12c184 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 19:09:39 +0800 Subject: [PATCH 071/109] update readme --- os-harden-tools/secharden/DEVELOPMENT.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/os-harden-tools/secharden/DEVELOPMENT.md b/os-harden-tools/secharden/DEVELOPMENT.md index 28be1a6..27fc5c5 100644 --- a/os-harden-tools/secharden/DEVELOPMENT.md 
+++ b/os-harden-tools/secharden/DEVELOPMENT.md @@ -58,20 +58,18 @@ secharden:主目录 `categories.json` 文件: ```json -[ - { - "id": "int", +{ + "int": { "name": "全栈完整性", "description": "全栈完整性加固用于业务软件全生命周期不被篡改。" } -] +} ``` -该规则集为一个数组,每一个元素表示一个规则分类。每个分类包含以下字段: +该规则集中,每一个键代表规则分类的唯一标识符,格式为 `<类别>`,例如 `int`。每个值需包含以下字段: -- `id`:规则分类的唯一标识符,格式为 `<类别>`,例如 `int`。 - `name`:规则分类名称。 -- `description`(可选):规则分类描述。 +- `description`:规则分类描述。 ### 新建规则 -- Gitee From d135879534ff86a5026a392843eda4b19c1b885b Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 19:15:54 +0800 Subject: [PATCH 072/109] when print help category, print rule list as well --- os-harden-tools/secharden/src/secharden/secharden.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index ca667ba..97fe34d 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py @@ -55,7 +55,8 @@ def help_message(rule_mgr: RuleManager, args) -> int: # treat it as category id try: print(rule_mgr.get_category_desc(rule).doc) - return 0 + args.category = rule + return list_rules(rule_mgr, args) except ValueError: logging.error(f"Category '{rule}' not found.") print(f"Category '{rule}' not found. Use 'secharden list' to see available categories.") @@ -105,8 +106,8 @@ def main(): list_parser.set_defaults(func=list_rules) # documentation for rules - help_parser = subparser.add_parser("help", help="show rule help message") - help_parser.add_argument("rule", nargs=1, help="rule name to show help for") + help_parser = subparser.add_parser("help", help="show help doc for rule or category") + help_parser.add_argument("rule", nargs=1, help="rule or category id to show help for") help_parser.set_defaults(func=help_message) try: -- Gitee From 37b17eeb21339f5b486af3dce35244b32560d9b0 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Thu, 31 Jul 2025 21:01:10 +0800 Subject: [PATCH 073/109] add testcase for main program --- .../secharden/src/secharden/secharden.py | 43 +++---- .../secharden/src/secharden/utils.py | 2 +- .../secharden/tests/cmd/conf/secharden.conf | 1 + .../tests/cmd/rule_not_found/secharden.conf | 1 + .../tests/cmd/ruleset/categories.json | 10 ++ .../tests/cmd/ruleset/test.01/entry.sh | 3 + .../tests/cmd/ruleset/test.01/metadata.json | 6 + .../tests/cmd/ruleset/test1.01/entry.sh | 3 + .../tests/cmd/ruleset/test1.01/metadata.json | 6 + .../secharden/tests/cmd/test_main.py | 112 ++++++++++++++++++ 10 files changed, 160 insertions(+), 27 deletions(-) create mode 100644 os-harden-tools/secharden/tests/cmd/conf/secharden.conf create mode 100644 os-harden-tools/secharden/tests/cmd/rule_not_found/secharden.conf create mode 100644 os-harden-tools/secharden/tests/cmd/ruleset/categories.json create mode 100755 os-harden-tools/secharden/tests/cmd/ruleset/test.01/entry.sh create mode 100644 os-harden-tools/secharden/tests/cmd/ruleset/test.01/metadata.json create mode 100755 os-harden-tools/secharden/tests/cmd/ruleset/test1.01/entry.sh create mode 100644 os-harden-tools/secharden/tests/cmd/ruleset/test1.01/metadata.json create mode 100644 os-harden-tools/secharden/tests/cmd/test_main.py diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index 97fe34d..ad81da1 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py 
@@ -12,8 +12,8 @@ from secharden.utils import DirectoryPathVerifier, HOME_DIR def list_rules(rule_mgr: RuleManager, args) -> int: categories = [args.category] if args.category else rule_mgr.categories if args.category and not rule_mgr.category_exists(args.category): - logging.error(f"Category {args.category} not found.") - print(f"Category {args.category} not found.") + logging.error(f"Category '{args.category}' not found.") + print(f"Category '{args.category}' not found.") return 1 for category_id in categories: @@ -27,18 +27,11 @@ def list_rules(rule_mgr: RuleManager, args) -> int: def apply(rule_mgr: RuleManager, args) -> int: - try: - config = parse_config(collect_configs(args.config)) - except Exception as e: - logging.error(f"Exception while parsing configuration from {args.config}") - logging.exception(e) - print(f"Error parsing configuration: {e}") - return 1 - code = 0 + config = parse_config(collect_configs(args.config)) for rule, rule_conf in config.items(): print(f"Applying rule: {rule}...") - logging.debug("applying rule %s with config %s", rule, rule_conf) + logging.debug(f"applying rule '{rule}' with config {rule_conf}") try: rule_mgr.apply_rule(rule, rule_conf) except Exception as e: @@ -51,10 +44,10 @@ def apply(rule_mgr: RuleManager, args) -> int: def help_message(rule_mgr: RuleManager, args) -> int: rule = args.rule[0] - if not '.' in args.rule: + if not '.' in rule: # treat it as category id try: - print(rule_mgr.get_category_desc(rule).doc) + print(rule_mgr.get_category_desc(rule).doc, end='') args.category = rule return list_rules(rule_mgr, args) except ValueError: @@ -63,9 +56,9 @@ def help_message(rule_mgr: RuleManager, args) -> int: return 1 try: - print(rule_mgr.get_rule_metadata(rule).doc) + print(rule_mgr.get_rule_metadata(rule).doc, end='') return 0 - except KeyError: + except ValueError: logging.error(f"Rule '{rule}' not found.") print(f"Rule '{rule}' not found. Use 'secharden list' to see available rules.") return 1 
@@ -78,10 +71,10 @@ def help_message(rule_mgr: RuleManager, args) -> int: def hint(*_ignored) -> int: print("Please specify a sub-command. Use 'secharden --help' for usage information.") - return 0 + return 1 -def main(): +def main(argv=None): args = argparse.ArgumentParser(prog="secharden") # base args @@ -111,11 +104,11 @@ def main(): help_parser.set_defaults(func=help_message) try: - args = args.parse_args() + args = args.parse_args(argv) except argparse.ArgumentTypeError as e: print(f"Error parsing arguments: {e}") print("Use 'secharden --help' for usage information.") - return + return 1 # setup logging logging_level = logging.INFO @@ -126,14 +119,12 @@ def main(): args.logs.mkdir(parents=True, exist_ok=True) logging.basicConfig(filename=args.logs.joinpath('secharden.log'), filemode='a', level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') - except Exception: - print("Error: Cannot create log directory. Using console output instead.") + except Exception as e: + print("Error: Cannot write to log directory. Using console output instead.") logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') - logging.info(f"start secharden:{args.func.__name__}") + logging.exception(e) + logging.debug("------ debug mode ------") + logging.info(f"start secharden: {args.func.__name__}") # init rule manager after logging are set up return args.func(RuleManager(args.rules), args) - - -if __name__ == "__main__": - main() diff --git a/os-harden-tools/secharden/src/secharden/utils.py b/os-harden-tools/secharden/src/secharden/utils.py index 87d878c..c5d98c5 100644 --- a/os-harden-tools/secharden/src/secharden/utils.py +++ b/os-harden-tools/secharden/src/secharden/utils.py 
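Review bot: `args.logs.mkdir(parents=True, exist_ok=True)` creates the log directory with the umask default mode, and the `logging.debug(f"applying rule '{rule}' with config {rule_conf}")` added to `apply` in this same commit writes each rule's full configuration into `secharden.log` in that directory. A hardening tool presumably runs as root, and I cannot tell from here whether any rule parameters carry secrets, but if they do they would end up in a file readable by anyone who can read the directory. Consider `args.logs.mkdir(mode=0o750, parents=True, exist_ok=True)` and logging only the rule id at INFO, keeping the parameter dump behind an explicit opt-in rather than `-d`.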
@@ -24,4 +24,4 @@ class DirectoryPathVerifier(argparse.Action): raise argparse.ArgumentTypeError(f"Directory '{values}' does not exist.") if not p.is_dir(): raise argparse.ArgumentTypeError(f"'{values}' is not a directory.") - setattr(namespace, self.dest, values) \ No newline at end of file + setattr(namespace, self.dest, p) \ No newline at end of file diff --git a/os-harden-tools/secharden/tests/cmd/conf/secharden.conf b/os-harden-tools/secharden/tests/cmd/conf/secharden.conf new file mode 100644 index 0000000..e830168 --- /dev/null +++ b/os-harden-tools/secharden/tests/cmd/conf/secharden.conf @@ -0,0 +1 @@ +test.01: \ No newline at end of file diff --git a/os-harden-tools/secharden/tests/cmd/rule_not_found/secharden.conf b/os-harden-tools/secharden/tests/cmd/rule_not_found/secharden.conf new file mode 100644 index 0000000..6853ff0 --- /dev/null +++ b/os-harden-tools/secharden/tests/cmd/rule_not_found/secharden.conf @@ -0,0 +1 @@ +nonexistence.01: diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/categories.json b/os-harden-tools/secharden/tests/cmd/ruleset/categories.json new file mode 100644 index 0000000..0578bb6 --- /dev/null +++ b/os-harden-tools/secharden/tests/cmd/ruleset/categories.json @@ -0,0 +1,10 @@ +{ + "test": { + "name": "Test Category", + "description": "This is a test category for demonstration purposes." + }, + "test1": { + "name": "Test1 Category", + "description": "This is a test category for demonstration purposes." + } +} \ No newline at end of file diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test.01/entry.sh b/os-harden-tools/secharden/tests/cmd/ruleset/test.01/entry.sh new file mode 100755 index 0000000..becd093 --- /dev/null +++ b/os-harden-tools/secharden/tests/cmd/ruleset/test.01/entry.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env sh +echo 'hello from entry.sh' +exit 0 \ No newline at end of file 
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test.01/metadata.json b/os-harden-tools/secharden/tests/cmd/ruleset/test.01/metadata.json
new file mode 100644
index 0000000..a6c2da6
--- /dev/null
+++ b/os-harden-tools/secharden/tests/cmd/ruleset/test.01/metadata.json
@@ -0,0 +1,6 @@
+{
+ "id": "test.01",
+ "name": "valid metadata",
+ "description": "valid metadata",
+ "entry": "entry.sh"
+}
\ No newline at end of file
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/entry.sh b/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/entry.sh
new file mode 100755
index 0000000..becd093
--- /dev/null
+++ b/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/entry.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+echo 'hello from entry.sh'
+exit 0
\ No newline at end of file
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/metadata.json b/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/metadata.json
new file mode 100644
index 0000000..9a6edcf
--- /dev/null
+++ b/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/metadata.json
@@ -0,0 +1,6 @@
+{
+ "id": "test1.01",
+ "name": "valid metadata",
+ "description": "valid metadata",
+ "entry": "entry.sh"
+}
\ No newline at end of file
diff --git a/os-harden-tools/secharden/tests/cmd/test_main.py b/os-harden-tools/secharden/tests/cmd/test_main.py
new file mode 100644
index 0000000..d1b93b7
--- /dev/null
+++ b/os-harden-tools/secharden/tests/cmd/test_main.py
@@ -0,0 +1,112 @@ +import logging +from pathlib import Path + +import pytest + +import secharden.secharden as secharden +from secharden.rule_metadata import RuleMetadata, RuleManager + + +class TestMainCmd: + @pytest.fixture + def rule_path(self, request): + return Path(request.path).parent.joinpath("ruleset").resolve() + + @pytest.fixture + def base_path(self, request): + return Path(request.path).parent.resolve() + + def test_hint(self, capsys, rule_path): + result = secharden.main(["-r", str(rule_path)]) + assert result == 1 + out, err = capsys.readouterr() + assert out == "Please specify a sub-command. Use 'secharden --help' for usage information.\n" + + def test_list(self, capsys, rule_path): + result = secharden.main(["-r", str(rule_path), "list"]) + assert result == 0 + out, err = capsys.readouterr() + assert (out == + "test: Test Category\n\ttest.01: valid metadata\ntest1: Test1 Category\n\ttest1.01: valid metadata\n") + + def test_list_category(self, capsys, rule_path): + result = secharden.main(["-r", str(rule_path), "list", "test"]) + assert result == 0 + out, err = capsys.readouterr() + assert out == "test: Test Category\n\ttest.01: valid metadata\n" + + def test_list_category_not_found(self, capsys, caplog, rule_path): + result = secharden.main(["-r", str(rule_path), "list", "test2"]) + assert result == 1 + out, err = capsys.readouterr() + assert out == "Category 'test2' not found.\n" + assert "Category 'test2' not found" in caplog.text + + + def test_help_category(self, capsys, rule_path): + result = secharden.main(["-r", str(rule_path), "help", "test"]) + assert result == 0 + out, err = capsys.readouterr() + r = RuleManager(rule_path) + c = r.get_category_desc("test") + assert out == c.doc + "test: Test Category\n\ttest.01: valid metadata\n" + + def test_help_category_not_found(self, capsys, caplog, rule_path): + with caplog.at_level(logging.ERROR): + result = secharden.main(["-r", str(rule_path), "help", "test2"]) + assert result == 1 + out, err = 
capsys.readouterr() + assert out == "Category 'test2' not found. Use 'secharden list' to see available categories.\n" + assert "Category 'test2' not found" in caplog.text + + def test_help_rule(self, capsys, rule_path): + result = secharden.main(["-r", str(rule_path), "help", "test.01"]) + assert result == 0 + out, err = capsys.readouterr() + assert out == RuleMetadata(rule_path.joinpath("test.01")).doc + + def test_help_rule_not_found(self, capsys, caplog, rule_path): + with caplog.at_level(logging.ERROR): + result = secharden.main(["-r", str(rule_path), "help", "test.02"]) + assert result == 1 + out, err = capsys.readouterr() + assert out == "Rule 'test.02' not found. Use 'secharden list' to see available rules.\n" + assert "Rule 'test.02' not found" in caplog.text + + def test_debug(self, caplog, rule_path): + with caplog.at_level(logging.DEBUG): + result = secharden.main(["-r", str(rule_path), "-d", "list"]) + assert result == 0 + assert "------ debug mode ------" in caplog.text + + def test_apply_nonexistent_dir(self, capsys, rule_path): + result = secharden.main(["-r", str(rule_path), "apply", "nonexistent_dir"]) + assert result == 1 + out, _ = capsys.readouterr() + assert "Error parsing arguments:" in out + assert "Use 'secharden --help' for usage information." in out + + def test_apply_not_dir(self, capsys, base_path, rule_path): + result = secharden.main(["-r", str(rule_path), "apply", str(base_path.joinpath("test_main.py"))]) + assert result == 1 + out, _ = capsys.readouterr() + assert "Error parsing arguments:" in out + assert "Use 'secharden --help' for usage information." 
in out + + def test_apply_rule_not_found(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("rule_not_found")) + with caplog.at_level(logging.ERROR): + result = secharden.main(["-r", str(rule_path), "apply", conf_path]) + assert result == 1 + out, _ = capsys.readouterr() + assert f"Error applying rule 'nonexistence.01':" in out + assert f"Exception while applying rule 'nonexistence.01' with config None" in caplog.text + + def test_apply_rule(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("conf")) + with caplog.at_level(logging.DEBUG): + result = secharden.main(["-r", str(rule_path), "apply", conf_path]) + assert result == 0 + out, _ = capsys.readouterr() + assert "applying rule 'test.01' with config None" in caplog.text + assert "Applying rule: test.01..." in out \ No newline at end of file -- Gitee From 4ca2e41d35763c13b5b65d2acfa9dcef0e0ef0cc Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 21:02:24 +0800 Subject: [PATCH 074/109] add redundant catch for main --- os-harden-tools/secharden/src/secharden/secharden.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index ad81da1..9878d27 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py 
@@ -27,8 +27,15 @@ def list_rules(rule_mgr: RuleManager, args) -> int: def apply(rule_mgr: RuleManager, args) -> int: + try: + config = parse_config(collect_configs(args.config)) + except Exception as e: + logging.error(f"Exception while parsing configuration from {args.config}") + logging.exception(e) + print(f"Error parsing configuration: {e}") + return 1 + code = 0 - config = parse_config(collect_configs(args.config)) for rule, rule_conf in config.items(): print(f"Applying rule: {rule}...") logging.debug(f"applying rule '{rule}' with config {rule_conf}") -- Gitee From dc683dcd61e15a40926edd2fc7382717fe434f96 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 14:32:48 +0000 Subject: [PATCH 075/109] deny additional properties --- .../src/secharden/schema/categories.schema.json | 3 ++- .../secharden/src/secharden/schema/metadata.schema.json | 9 ++++++--- .../secharden/src/secharden/tools/categories.json | 1 - 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/schema/categories.schema.json b/os-harden-tools/secharden/src/secharden/schema/categories.schema.json index b280539..3a5dad8 100644 --- a/os-harden-tools/secharden/src/secharden/schema/categories.schema.json +++ b/os-harden-tools/secharden/src/secharden/schema/categories.schema.json @@ -18,7 +18,8 @@ "description": "Description of the category" } }, - "required": ["name", "description"] + "required": ["name", "description"], + "additionalProperties": false } } ] diff --git a/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json b/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json index 1131890..ed6529c 100644 --- a/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json +++ b/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json @@ -56,7 +56,8 @@ "description", "converter", "cmd_template" - ] + ], + "additionalProperties": false } }, "urls": { 
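Review bot: `"additionalProperties": false` now rejects stray fields inside each category entry, but the category ids — the top-level keys — remain unconstrained, and `RuleManager.reload_rules` interpolates each key into `self._dir.glob(f"{category_id}.*")`. Add a `propertyNames` constraint on the top-level object (alongside the `additionalProperties` that defines the per-category entry, outside this hunk) so ids are plain tokens: `"propertyNames": {"pattern": "^[A-Za-z][A-Za-z0-9_]*$"}`. That also encodes the `<类别>` naming rule from DEVELOPMENT.md in the schema itself instead of relying on convention.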
@@ -77,7 +78,8 @@ "required": [ "title", "url" - ] + ], + "additionalProperties": false } } }, @@ -86,7 +88,8 @@ "name", "description", "entry" - ] + ], + "additionalProperties": false } ] } \ No newline at end of file diff --git a/os-harden-tools/secharden/src/secharden/tools/categories.json b/os-harden-tools/secharden/src/secharden/tools/categories.json index afe280f..709b474 100644 --- a/os-harden-tools/secharden/src/secharden/tools/categories.json +++ b/os-harden-tools/secharden/src/secharden/tools/categories.json @@ -1,6 +1,5 @@ { "int": { - "id": "int", "name": "全栈完整性", "description": "全栈完整性加固用于业务软件全生命周期不被篡改。" }, -- Gitee From 2bc5211ca36a1cad92461a7c03ab60fd05f7b1e6 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 15:00:29 +0000 Subject: [PATCH 076/109] minor fix and testcases --- .../secharden/src/secharden/secharden.py | 16 +++--- .../secharden/tests/cmd/test_main.py | 56 +++++++++++-------- 2 files changed, 42 insertions(+), 30 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index 9878d27..4eac18e 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py @@ -2,6 +2,7 @@ import argparse import logging +import sys from pathlib import Path from secharden.config_parser import parse_config, collect_configs @@ -32,7 +33,7 @@ def apply(rule_mgr: RuleManager, args) -> int: except Exception as e: logging.error(f"Exception while parsing configuration from {args.config}") logging.exception(e) - print(f"Error parsing configuration: {e}") + print(f"Error parsing configuration: {e}", file=sys.stderr) return 1 code = 0 
@@ -44,7 +45,7 @@ def apply(rule_mgr: RuleManager, args) -> int:
 except Exception as e:
 logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}")
 logging.exception(e)
- print(f"Error applying rule '{rule}': {e}")
+ print(f"Error applying rule '{rule}': {e}", file=sys.stderr)
 code = 1
 return code
@@ -72,7 +73,7 @@ def help_message(rule_mgr: RuleManager, args) -> int:
 except Exception as e:
 logging.error(f"Exception while retrieving help for rule '{rule}'")
 logging.exception(e)
- print(f"Error retrieving help for rule '{rule}'")
+ print(f"Error retrieving help for rule '{rule}'", file=sys.stderr)
 return 1
@@ -113,7 +114,7 @@ def main(argv=None):
 try:
 args = args.parse_args(argv)
 except argparse.ArgumentTypeError as e:
- print(f"Error parsing arguments: {e}")
+ print(f"Error parsing arguments: {e}", file=sys.stderr)
 print("Use 'secharden --help' for usage information.")
 return 1
@@ -124,13 +125,14 @@ def main(argv=None):
 try:
 if not args.logs.exists():
 args.logs.mkdir(parents=True, exist_ok=True)
+ if not args.logs.is_dir():
+ raise ValueError(f"Log path {args.logs} is not a directory.")
 logging.basicConfig(filename=args.logs.joinpath('secharden.log'), filemode='a', level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s')
 except Exception as e:
- print("Error: Cannot write to log directory. Using console output instead.")
- logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s')
+ print("Error: Cannot write to log directory. Using console output instead.", file=sys.stderr)
+ logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s', stream=sys.stderr)
 logging.exception(e)
- logging.debug("------ debug mode ------")
 logging.info(f"start secharden: {args.func.__name__}")
 # init rule manager after logging are set up
diff --git a/os-harden-tools/secharden/tests/cmd/test_main.py b/os-harden-tools/secharden/tests/cmd/test_main.py
index d1b93b7..287ac58 100644
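Review bot: In the argparse error branch of main(), the error line now goes to stderr but the following `print("Use 'secharden --help' for usage information.")` still goes to stdout, so a caller capturing stdout receives the hint without the error it refers to. Moving it with `print("Use 'secharden --help' for usage information.", file=sys.stderr)` keeps all diagnostics on one stream; the tests touched in this commit (`test_apply_nonexistent_dir`, `test_apply_not_dir`) pin the current split and would need their `out`/`err` expectations adjusted. main() continues outside the hunk.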
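Review bot: The log directory in main() is created with `args.logs.mkdir(parents=True, exist_ok=True)`, i.e. with whatever the umask allows, and `secharden.log` then receives debug records that include each rule's configuration (the `logging.debug` call in the apply() hunk of the previous commit) plus full exception traces. Since the tool presumably runs with elevated privileges, `args.logs.mkdir(mode=0o750, parents=True, exist_ok=True)` is the cheap fix; note that `mode` applies to the leaf directory only and the log file itself still inherits the umask, so a tighter umask or an explicit chmod after `basicConfig` is needed if the file must be restricted as well. The preceding `if not args.logs.exists():` guard is redundant with `exist_ok=True` and can go. main() continues outside the hunk.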
--- a/os-harden-tools/secharden/tests/cmd/test_main.py
+++ b/os-harden-tools/secharden/tests/cmd/test_main.py
@@ -1,4 +1,5 @@
 import logging
+import tempfile
 from pathlib import Path
 import pytest
@@ -19,26 +20,26 @@ class TestMainCmd:
 def test_hint(self, capsys, rule_path):
 result = secharden.main(["-r", str(rule_path)])
 assert result == 1
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 assert out == "Please specify a sub-command. Use 'secharden --help' for usage information.\n"
 def test_list(self, capsys, rule_path):
 result = secharden.main(["-r", str(rule_path), "list"])
 assert result == 0
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 assert (out == "test: Test Category\n\ttest.01: valid metadata\ntest1: Test1 Category\n\ttest1.01: valid metadata\n")
 def test_list_category(self, capsys, rule_path):
 result = secharden.main(["-r", str(rule_path), "list", "test"])
 assert result == 0
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 assert out == "test: Test Category\n\ttest.01: valid metadata\n"
 def test_list_category_not_found(self, capsys, caplog, rule_path):
 result = secharden.main(["-r", str(rule_path), "list", "test2"])
 assert result == 1
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 assert out == "Category 'test2' not found.\n"
 assert "Category 'test2' not found" in caplog.text
@@ -46,7 +47,7 @@ class TestMainCmd:
 def test_help_category(self, capsys, rule_path):
 result = secharden.main(["-r", str(rule_path), "help", "test"])
 assert result == 0
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 r = RuleManager(rule_path)
 c = r.get_category_desc("test")
 assert out == c.doc + "test: Test Category\n\ttest.01: valid metadata\n"
@@ -55,51 +56,45 @@ class TestMainCmd:
 with caplog.at_level(logging.ERROR):
 result = secharden.main(["-r", str(rule_path), "help", "test2"])
 assert result == 1
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 assert out == "Category 'test2' not found. Use 'secharden list' to see available categories.\n"
 assert "Category 'test2' not found" in caplog.text
 def test_help_rule(self, capsys, rule_path):
 result = secharden.main(["-r", str(rule_path), "help", "test.01"])
 assert result == 0
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 assert out == RuleMetadata(rule_path.joinpath("test.01")).doc
 def test_help_rule_not_found(self, capsys, caplog, rule_path):
 with caplog.at_level(logging.ERROR):
 result = secharden.main(["-r", str(rule_path), "help", "test.02"])
 assert result == 1
- out, err = capsys.readouterr()
+ out, _ = capsys.readouterr()
 assert out == "Rule 'test.02' not found. Use 'secharden list' to see available rules.\n"
 assert "Rule 'test.02' not found" in caplog.text
- def test_debug(self, caplog, rule_path):
- with caplog.at_level(logging.DEBUG):
- result = secharden.main(["-r", str(rule_path), "-d", "list"])
- assert result == 0
- assert "------ debug mode ------" in caplog.text
-
 def test_apply_nonexistent_dir(self, capsys, rule_path):
 result = secharden.main(["-r", str(rule_path), "apply", "nonexistent_dir"])
 assert result == 1
- out, _ = capsys.readouterr()
- assert "Error parsing arguments:" in out
- assert "Use 'secharden --help' for usage information." in out
+ out, err = capsys.readouterr()
+ assert "Error parsing arguments:" in err
+ assert "Use 'secharden --help' for usage information.\n" == out
 def test_apply_not_dir(self, capsys, base_path, rule_path):
 result = secharden.main(["-r", str(rule_path), "apply", str(base_path.joinpath("test_main.py"))])
 assert result == 1
- out, _ = capsys.readouterr()
- assert "Error parsing arguments:" in out
- assert "Use 'secharden --help' for usage information." 
in out
+ out, err = capsys.readouterr()
+ assert "Error parsing arguments:" in err
+ assert "Use 'secharden --help' for usage information.\n" == out
 def test_apply_rule_not_found(self, capsys, caplog, base_path, rule_path):
 conf_path = str(base_path.joinpath("rule_not_found"))
 with caplog.at_level(logging.ERROR):
 result = secharden.main(["-r", str(rule_path), "apply", conf_path])
 assert result == 1
- out, _ = capsys.readouterr()
- assert f"Error applying rule 'nonexistence.01':" in out
+ out, err = capsys.readouterr()
+ assert f"Error applying rule 'non existence.01':" in err
 assert f"Exception while applying rule 'nonexistence.01' with config None" in caplog.text
 def test_apply_rule(self, capsys, caplog, base_path, rule_path):
@@ -109,4 +104,19 @@ class TestMainCmd:
 assert result == 0
 out, _ = capsys.readouterr()
 assert "applying rule 'test.01' with config None" in caplog.text
- assert "Applying rule: test.01..." in out
\ No newline at end of file
+ assert "Applying rule: test.01..." in out
+
+ def test_log_create_failed(self, capsys, base_path, rule_path):
+ secharden.main(["-r", str(rule_path), "-l", str(base_path.joinpath("test_main.py"))])
+ _, err = capsys.readouterr()
+ assert "Error: Cannot write to log directory. Using console output instead." in err
+
+ def test_log_create_success(self, capsys, rule_path):
+ with tempfile.TemporaryDirectory() as temp_dir:
+ temp_path = Path(temp_dir).joinpath("secharden_logs")
+ secharden.main(["-r", str(rule_path), "-l", str(temp_path), "-d"])
+ _, err = capsys.readouterr()
+ assert "Error: Cannot write to log directory. Using console output instead." not in err
+ # cannot assert log file here, may be pytest hijacking the logging module
+ # but we can check if the temp_path exists since it should have been created by secharden
+ assert temp_path.exists()
-- Gitee From cfbe4be11c87fb3ef915bbbb037e86096d27a576 Mon Sep 17 00:00:00 2001
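Review bot: The comment in `test_log_create_success` guesses at why the log file cannot be asserted; as far as I can tell the actual cause is that `logging.basicConfig()` is a no-op whenever the root logger already has handlers, which is the case under pytest's log capture and on any second call to main() in the same process. Passing `force=True` to both `basicConfig` calls in main() (Python 3.8+) would make the configuration deterministic and let this test assert `temp_path.joinpath('secharden.log').exists()` instead of only the directory. `test_log_create_failed` also discards main()'s return value; asserting it (judging by `test_hint`, a call without a sub-command should return 1) makes the test stricter.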
From: Tomahawkd Date: Thu, 31 Jul 2025 15:03:49 +0000 Subject: [PATCH 077/109] doc title fix
---
 .../secharden/src/secharden/devtools/gendoc.py | 8 ++------ .../secharden/src/secharden/rule_metadata/metadata.py | 2 +- os-harden-tools/secharden/tests/rules/test_rulemanager.py | 2 +- 3 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
index 737c09b..c2c27d2 100644
--- a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
+++ b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
@@ -26,12 +26,8 @@ def generate_doc(root: Path, overwrite: bool):
 output_stream = output.open(mode='wt', encoding='utf-8')
 output_stream.write(f"# {TITLE}\n\n")
- for category_id, category in rules.categories.items():
- output_stream.write(f"## {category['name']}\n\n")
-
- if 'description' in category:
- output_stream.write(f"{category['description']}\n\n")
-
+ for category_id in rules.categories:
+ output_stream.write(rules.get_category_desc(category_id).doc)
 for rule in rules.get_rules_by_category(category_id):
 try:
 logging.info(f"Generating doc for rule: {rule}")
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py
index 4bdfeab..8ea2f55 100644
--- a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py
+++ b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py
@@ -336,6 +336,6 @@ class CategoryMetadata:
 Generates a markdown documentation string for the category metadata.
 """
 doc = ""
- doc += f"### {self._id} {self._name}\n\n"
+ doc += f"## {self._id} {self._name}\n\n"
 doc += f"{self._description}\n\n"
 return doc
diff --git a/os-harden-tools/secharden/tests/rules/test_rulemanager.py b/os-harden-tools/secharden/tests/rules/test_rulemanager.py
index 19cff4a..8498f0a 100644
--- a/os-harden-tools/secharden/tests/rules/test_rulemanager.py
+++ b/os-harden-tools/secharden/tests/rules/test_rulemanager.py
@@ -211,7 +211,7 @@ class TestRuleManager:
 def test_category_doc(self, rule_path):
 naming = rule_path.joinpath("naming")
 manager = RuleManager(naming)
- assert manager.get_category_desc("test").doc == """### test Test Category
+ assert manager.get_category_desc("test").doc == """## test Test Category
 This is a test category with metadata.
-- Gitee From b0d6e6fb979f0be0f59e18b8ea61eb433250c6db Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Thu, 31 Jul 2025 15:28:55 +0000 Subject: [PATCH 078/109] add gendoc testcase
---
 os-harden-tools/os-harden-tools.spec | 2 +- .../src/secharden/devtools/gendoc.py | 13 +++-- .../secharden/tests/cmd/test_gendoc.py | 58 +++++++++++++++++++ 3 files changed, 67 insertions(+), 6 deletions(-) create mode 100644 os-harden-tools/secharden/tests/cmd/test_gendoc.py
diff --git a/os-harden-tools/os-harden-tools.spec b/os-harden-tools/os-harden-tools.spec
index 4323a19..d7f7fcb 100644
--- a/os-harden-tools/os-harden-tools.spec
+++ b/os-harden-tools/os-harden-tools.spec
@@ -26,7 +26,7 @@ OS hardening toolkit
 %pyproject_build
 %check
-%{pytest}
+%{pytest} --ignore=%{_builddir}/secharden/tests/cmd/test_gendoc.py
 %install
 %pyproject_install
diff --git a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
index c2c27d2..f59e418 100644
--- a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
+++ b/os-harden-tools/secharden/src/secharden/devtools/gendoc.py
@@ -2,6 +2,7 @@ import argparse
 import logging
+import sys
 from pathlib import Path
 from secharden.rule_metadata import RuleManager
@@ -34,14 +35,14 @@ def generate_doc(root: Path, overwrite: bool):
 output_stream.write(rules.get_rule_metadata(rule).doc)
 except Exception as e:
 logging.error(f"Error generating doc for rule: {rule}")
- logging.exception(e)
+ raise e
 output_stream.write("\n")
 output_stream.write("> Generated By docgen tool.\n\n")
 output_stream.close()
-def main():
+def main(argv=None):
 args = argparse.ArgumentParser(prog="docgen")
 args.add_argument("-r", "--rules", action=DirectoryPathVerifier, help="rule script directory", default=HOME_DIR.joinpath('tools'))
@@ -50,7 +51,7 @@ def main():
 version_file = HOME_DIR.joinpath("VERSION")
 args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip())
 args.add_argument("-d", "--debug", action='store_true', help="debug mode")
- args = args.parse_args()
+ args = args.parse_args(argv)
 logging_level = logging.INFO
 if args.debug:
@@ -60,9 +61,11 @@ def main():
 try:
 generate_doc(Path(args.rules), overwrite=args.force)
 except Exception as e:
+ logging.error(f"Error generating documentation: {e}")
 logging.exception(e)
- exit(1)
+ return 1
+ return 0
 if __name__ == "__main__":
- main()
+ sys.exit(main())
diff --git a/os-harden-tools/secharden/tests/cmd/test_gendoc.py b/os-harden-tools/secharden/tests/cmd/test_gendoc.py
new file mode 100644
index 0000000..628733e
--- /dev/null
+++ b/os-harden-tools/secharden/tests/cmd/test_gendoc.py
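Review bot: `raise e` in generate_doc() now propagates a per-rule failure, but `output_stream.close()` further down is then never reached, so the README.md handle is leaked and a partially written file is left on disk — and, judging by the `already exists` message asserted in test_gendoc_no_force, the next run refuses to overwrite it without `-f`. A bare `raise` preserves the original traceback without re-tagging it, and wrapping the writes in `with output.open(mode='wt', encoding='utf-8') as output_stream:` (the open call sits just above this hunk) or a `try/finally` guarantees the close on every path. generate_doc() starts outside the hunk.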
@@ -0,0 +1,58 @@
+import logging
+import shutil
+import tempfile
+from pathlib import Path
+
+import pytest
+
+import secharden.devtools.gendoc as gendoc
+from secharden.rule_metadata import RuleMetadata, RuleManager
+
+
+class TestMainCmd:
+ @pytest.fixture
+ def rule_path(self, request):
+ return Path(request.path).parent.joinpath("ruleset").resolve()
+
+ @pytest.fixture
+ def base_path(self, request):
+ return Path(request.path).parent.resolve()
+
+ def test_wrong_rule_path(self, caplog, base_path):
+ with tempfile.TemporaryDirectory() as temp_dir:
+ with caplog.at_level(logging.ERROR):
+ result = gendoc.main(["-r", temp_dir])
+ assert result == 1
+ assert "Error generating documentation:" in caplog.text
+
+ def test_gendoc(self, caplog, rule_path):
+ with tempfile.TemporaryDirectory() as temp_dir:
+ shutil.copytree(rule_path, temp_dir, dirs_exist_ok=True)
+ with caplog.at_level(logging.INFO):
+ result = gendoc.main(["-r", temp_dir, '-d'])
+ assert result == 0
+ assert "Generating doc for rule: test.01" in caplog.text
+ assert "Generating doc for rule: test1.01" in caplog.text
+ # doc content already tested
+ assert Path(temp_dir).joinpath('README.md').exists()
+
+ def test_gendoc_no_force(self, caplog, rule_path):
+ with tempfile.TemporaryDirectory() as temp_dir:
+ shutil.copytree(rule_path, temp_dir, dirs_exist_ok=True)
+ result = gendoc.main(["-r", temp_dir])
+ assert result == 0
+ with caplog.at_level(logging.ERROR):
+ result = gendoc.main(["-r", temp_dir])
+ assert result == 1
+ assert f"File {Path(temp_dir).joinpath('README.md')} already exists" in caplog.text
+ assert "Error generating documentation:" in caplog.text
+
+ def test_gendoc_force(self, caplog, rule_path):
+ with tempfile.TemporaryDirectory() as temp_dir:
+ shutil.copytree(rule_path, temp_dir, dirs_exist_ok=True)
+ result = gendoc.main(["-r", temp_dir])
+ assert result == 0
+ caplog.set_level(logging.INFO)
+ result = gendoc.main(["-r", temp_dir, "-f"])
+ assert result == 0
+ assert "force to 
generate doc, deleting existing doc files" in caplog.text -- Gitee From 421dd73e4153b7803b9d2584700cfcc9b6382250 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 09:18:50 +0800 Subject: [PATCH 079/109] ignore gendoc testcase since it is devtool and not shipped --- os-harden-tools/os-harden-tools.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/os-harden-tools/os-harden-tools.spec b/os-harden-tools/os-harden-tools.spec index d7f7fcb..c338bea 100644 --- a/os-harden-tools/os-harden-tools.spec +++ b/os-harden-tools/os-harden-tools.spec @@ -26,7 +26,8 @@ OS hardening toolkit %pyproject_build %check -%{pytest} --ignore=%{_builddir}/secharden/tests/cmd/test_gendoc.py +%global __pytest_addopts --ignore=tests/cmd/test_gendoc.py +%{pytest} %install %pyproject_install -- Gitee From 1ec921d71ea831c0a0bb17b5d20baf83f7a4f9b8 Mon Sep 17 00:00:00 2001 From: zhaozixuan Date: Fri, 1 Aug 2025 09:49:11 +0800 Subject: [PATCH 080/109] add README.md description --- os-harden-tools/secharden/README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 0ca0525..af5eb9b 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -118,7 +118,7 @@ int.01: secharden help rule_id ``` -## secharden 安全防护能力配置 +## secharden 内置安全防护能力 secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 @@ -126,7 +126,7 @@ secharden 工具提供了一系列的安全加固规则,这些规则可以通 ### 全栈完整性加固 -全栈完整性加固用于业务软件全生命周期不被篡改。目前支持以下几种安全配置: +在系统启动运行的任何阶段都面临篡改的风险,对系统、业务软件的篡改将导致系统运行的不可信。全栈完整性加固通过全周期的安全校验检测是否发生篡改攻击,目前支持以下几种完整性安全配置: | ID | 加固规则 | 保护范围 | 保护周期 | |--------|---------------|------|-------| 
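Review bot: `RuleMetadata` and `RuleManager` are imported in the new test_gendoc.py but never used, and `test_wrong_rule_path` requests the `base_path` fixture without using it; dropping both keeps the test module lint-clean. `test_gendoc_force` also switches from the `with caplog.at_level(...)` form used by the other tests to a bare `caplog.set_level(logging.INFO)`, which stays in effect for the rest of that test; using the context-manager form keeps the file consistent.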
@@ -134,8 +134,7 @@ secharden 工具提供了一系列的安全加固规则,这些规则可以通 | int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | | int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | -结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html), -启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 +结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html),启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 目前,int.01 与 int.02 已在默认配置中开启,int.03 可通过以下几个步骤完成本节全栈完整性加固操作: -- Gitee From 1fee9e408268ebfea7c01e91c0dd75220f41a8b5 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 09:50:51 +0800 Subject: [PATCH 081/109] adjust search strategy --- .../secharden/src/secharden/secharden.py | 35 ++++++++-------- .../secharden/tests/cmd/test_main.py | 42 +++++++------------ 2 files changed, 32 insertions(+), 45 deletions(-) diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/os-harden-tools/secharden/src/secharden/secharden.py index 4eac18e..cd6bc13 100644 --- a/os-harden-tools/secharden/src/secharden/secharden.py +++ b/os-harden-tools/secharden/src/secharden/secharden.py 
@@ -52,29 +52,30 @@ def apply(rule_mgr: RuleManager, args) -> int:
 def help_message(rule_mgr: RuleManager, args) -> int:
 rule = args.rule[0]
- if not '.' in rule:
- # treat it as category id
+
+ if rule_mgr.category_exists(rule):
 try:
 print(rule_mgr.get_category_desc(rule).doc, end='')
 args.category = rule
 return list_rules(rule_mgr, args)
- except ValueError:
- logging.error(f"Category '{rule}' not found.")
- print(f"Category '{rule}' not found. Use 'secharden list' to see available categories.")
+ except Exception as e:
+ logging.error(f"Exception while retrieving help for category '{rule}'")
+ logging.exception(e)
+ print(f"Error retrieving help for category '{rule}'", file=sys.stderr)
 return 1
- try:
- print(rule_mgr.get_rule_metadata(rule).doc, end='')
- return 0
- except ValueError:
- logging.error(f"Rule '{rule}' not found.")
- print(f"Rule '{rule}' not found. Use 'secharden list' to see available rules.")
- return 1
- except Exception as e:
- logging.error(f"Exception while retrieving help for rule '{rule}'")
- logging.exception(e)
- print(f"Error retrieving help for rule '{rule}'", file=sys.stderr)
- return 1
+ if rule_mgr.rule_exists(rule):
+ try:
+ print(rule_mgr.get_rule_metadata(rule).doc, end='')
+ return 0
+ except Exception as e:
+ logging.error(f"Exception while retrieving help for rule '{rule}'")
+ logging.exception(e)
+ print(f"Error retrieving help for rule '{rule}'", file=sys.stderr)
+ return 1
+
+ print(f"'{rule}' not found. Use 'secharden list' to see available categories and rules.")
+ return 1
 def hint(*_ignored) -> int:
diff --git a/os-harden-tools/secharden/tests/cmd/test_main.py b/os-harden-tools/secharden/tests/cmd/test_main.py
index 287ac58..eafee7c 100644
--- a/os-harden-tools/secharden/tests/cmd/test_main.py
+++ b/os-harden-tools/secharden/tests/cmd/test_main.py
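Review bot: The final not-found branch of help_message() is the only failure path in the function that writes nothing to the log — the old code recorded `Category '...' not found.` / `Rule '...' not found.`, and this commit drops those records along with the caplog assertions in test_main.py. A one-liner before the print, `logging.error(f"'{rule}' not found.")`, keeps the log trail consistent with the other branches. `rule_mgr.category_exists()` and `rule_mgr.rule_exists()` are not visible on this page, so I assume they exist on RuleManager; the two try/except blocks are now near-identical and could share a small helper.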
@@ -18,72 +18,58 @@ class TestMainCmd:
 return Path(request.path).parent.resolve()
 def test_hint(self, capsys, rule_path):
- result = secharden.main(["-r", str(rule_path)])
- assert result == 1
+ assert secharden.main(["-r", str(rule_path)]) == 1
 out, _ = capsys.readouterr()
 assert out == "Please specify a sub-command. Use 'secharden --help' for usage information.\n"
 def test_list(self, capsys, rule_path):
- result = secharden.main(["-r", str(rule_path), "list"])
- assert result == 0
+ assert secharden.main(["-r", str(rule_path), "list"]) == 0
 out, _ = capsys.readouterr()
 assert (out == "test: Test Category\n\ttest.01: valid metadata\ntest1: Test1 Category\n\ttest1.01: valid metadata\n")
 def test_list_category(self, capsys, rule_path):
- result = secharden.main(["-r", str(rule_path), "list", "test"])
- assert result == 0
+ assert secharden.main(["-r", str(rule_path), "list", "test"]) == 0
 out, _ = capsys.readouterr()
 assert out == "test: Test Category\n\ttest.01: valid metadata\n"
 def test_list_category_not_found(self, capsys, caplog, rule_path):
- result = secharden.main(["-r", str(rule_path), "list", "test2"])
- assert result == 1
+ assert secharden.main(["-r", str(rule_path), "list", "test2"]) == 1
 out, _ = capsys.readouterr()
 assert out == "Category 'test2' not found.\n"
 assert "Category 'test2' not found" in caplog.text
 def test_help_category(self, capsys, rule_path):
- result = secharden.main(["-r", str(rule_path), "help", "test"])
- assert result == 0
+ assert secharden.main(["-r", str(rule_path), "help", "test"]) == 0
 out, _ = capsys.readouterr()
 r = RuleManager(rule_path)
 c = r.get_category_desc("test")
 assert out == c.doc + "test: Test Category\n\ttest.01: valid metadata\n"
- def test_help_category_not_found(self, capsys, caplog, rule_path):
- with caplog.at_level(logging.ERROR):
- result = secharden.main(["-r", str(rule_path), "help", "test2"])
- assert result == 1
+ def test_help_category_not_found(self, capsys, rule_path):
+ assert secharden.main(["-r", 
str(rule_path), "help", "test2"]) == 1
 out, _ = capsys.readouterr()
- assert out == "Category 'test2' not found. Use 'secharden list' to see available categories.\n"
- assert "Category 'test2' not found" in caplog.text
+ assert out == "'test2' not found. Use 'secharden list' to see available categories and rules.\n"
 def test_help_rule(self, capsys, rule_path):
- result = secharden.main(["-r", str(rule_path), "help", "test.01"])
- assert result == 0
+ assert secharden.main(["-r", str(rule_path), "help", "test.01"]) == 0
 out, _ = capsys.readouterr()
 assert out == RuleMetadata(rule_path.joinpath("test.01")).doc
- def test_help_rule_not_found(self, capsys, caplog, rule_path):
- with caplog.at_level(logging.ERROR):
- result = secharden.main(["-r", str(rule_path), "help", "test.02"])
- assert result == 1
+ def test_help_rule_not_found(self, capsys, rule_path):
+ assert secharden.main(["-r", str(rule_path), "help", "test.02"]) == 1
 out, _ = capsys.readouterr()
- assert out == "Rule 'test.02' not found. Use 'secharden list' to see available rules.\n"
- assert "Rule 'test.02' not found" in caplog.text
+ assert out == "'test.02' not found. 
Use 'secharden list' to see available categories and rules.\n"
 def test_apply_nonexistent_dir(self, capsys, rule_path):
- result = secharden.main(["-r", str(rule_path), "apply", "nonexistent_dir"])
- assert result == 1
+ assert secharden.main(["-r", str(rule_path), "apply", "nonexistent_dir"]) == 1
 out, err = capsys.readouterr()
 assert "Error parsing arguments:" in err
 assert "Use 'secharden --help' for usage information.\n" == out
 def test_apply_not_dir(self, capsys, base_path, rule_path):
- result = secharden.main(["-r", str(rule_path), "apply", str(base_path.joinpath("test_main.py"))])
- assert result == 1
+ assert secharden.main(["-r", str(rule_path), "apply", str(base_path.joinpath("test_main.py"))]) == 1
 out, err = capsys.readouterr()
 assert "Error parsing arguments:" in err
 assert "Use 'secharden --help' for usage information.\n" == out
-- Gitee From 0963cacdf8cde9f0e95a2d0b2977c2279f85008e Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 10:22:20 +0800 Subject: [PATCH 082/109] config parser add number verification
---
 os-harden-tools/secharden/src/secharden/config_parser.py | 3 +++ .../secharden.conf.d/00-invalid_num.conf | 5 +++++ .../full_collection/secharden.conf.d/02-test2.conf | 5 +++++ .../secharden/tests/config_parser/test_collection.py | 3 ++- 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf create mode 100644 os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
diff --git a/os-harden-tools/secharden/src/secharden/config_parser.py b/os-harden-tools/secharden/src/secharden/config_parser.py
index f7e65f6..ac1d26d 100644
--- a/os-harden-tools/secharden/src/secharden/config_parser.py
+++ b/os-harden-tools/secharden/src/secharden/config_parser.py
@@ -23,6 +23,9 @@ def verify_config_name(path: Path) -> bool:
 if not name.split('-', 1)[0].isdigit():
 logging.error(f"Config {path} does not have a valid priority index")
 return False
+ if int(name.split('-', 1)[0]) <= 0:
+ logging.error(f"Config {path} has a priority index less than or equal to zero")
+ return False
 return True
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf b/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
new file mode 100644
index 0000000..b024e73
--- /dev/null
+++ b/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
@@ -0,0 +1,5 @@
+int.02:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf b/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
new file mode 100644
index 0000000..b024e73
--- /dev/null
+++ b/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
@@ -0,0 +1,5 @@
+int.02:
+int.03:
+selinux_tags:
+ - ima_t
+ - ima2_t
\ No newline at end of file
diff --git a/os-harden-tools/secharden/tests/config_parser/test_collection.py b/os-harden-tools/secharden/tests/config_parser/test_collection.py
index ef75271..05ed499 100644
--- a/os-harden-tools/secharden/tests/config_parser/test_collection.py
+++ b/os-harden-tools/secharden/tests/config_parser/test_collection.py
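Review bot: The new `int(name.split('-', 1)[0]) <= 0` check can raise where the line above returned False: `str.isdigit()` accepts characters such as superscript digits (`'²'.isdigit()` is True) that `int()` rejects with ValueError, so a config name with such a prefix now presumably propagates an exception out of verify_config_name() instead of being skipped with a log message. Switching the existing guard to `if not name.split('-', 1)[0].isdecimal():` closes that gap, and binding the prefix once, `priority = name.split('-', 1)[0]`, avoids splitting the name twice. verify_config_name() starts outside the hunk.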
@@ -24,9 +24,10 @@ class TestConfigCollector:
 def test_full_collection(self, config_test_path):
 p = collect_configs(config_test_path.joinpath("full_collection"))
- assert len(p) == 2
+ assert len(p) == 3
 assert p[0].name == "secharden.conf"
 assert p[1].name == "01-test.conf"
+ assert p[2].name == "02-test2.conf"
 def test_collection_wrong_name(self, config_test_path):
 p = collect_configs(config_test_path.joinpath("collection_wrong_name"))
-- Gitee From b3077977569efa9ff4ce7a29b169d300cd7aa31c Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 10:48:34 +0800 Subject: [PATCH 083/109] add param id to doc
---
 .../secharden/src/secharden/rule_metadata/metadata.py | 2 +- os-harden-tools/secharden/tests/rules/test_metadata.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py
index 8ea2f55..cf8330f 100644
--- a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py
+++ b/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py
@@ -281,7 +281,7 @@ class RuleMetadata:
 doc += f"#### 参数\n\n"
 if len(self._parameters) > 0:
 for param in self._parameters:
- doc += f"**{param.name}**\n\n"
+ doc += f"**{param.id}** {param.name}\n\n"
 doc += f"{param.description}\n\n"
 else:
 doc += "无\n\n"
diff --git a/os-harden-tools/secharden/tests/rules/test_metadata.py b/os-harden-tools/secharden/tests/rules/test_metadata.py
index 3416aa5..7f54f7d 100644
--- a/os-harden-tools/secharden/tests/rules/test_metadata.py
+++ b/os-harden-tools/secharden/tests/rules/test_metadata.py
@@ -93,7 +93,7 @@ valid metadata
 #### 参数
-**xxx**
+**xxx** xxx
 xxx
-- Gitee From 537bf6330d4c55936c2ed1659aa444001622d441 Mon Sep 17 00:00:00 2001
From: Tomahawkd Date: Fri, 1 Aug 2025 10:48:42 +0800 Subject: [PATCH 084/109] refactor docs --- os-harden-tools/README.md | 242 +++++++++++++++++++++++++++- os-harden-tools/secharden/README.md | 227 +++++++++----------------- 2 files changed, 314 insertions(+), 155 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index ed504eb..645816f 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md 
@@ -44,16 +44,246 @@ os-harden-tools/ 构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/os-harden-tools-<版本>.noarch.rpm` 找到构建完成的 rpm 包。 该 rpm 包可以直接使用 `dnf install` 命令安装。 -### 使用 +## 使用 -安装后,`conf` 目录包含的配置会被安装至 `/etc/secharden/secharden.conf`,该配置文件包含了系统加固的默认配置选项。 -同时还会创建一个 `/etc/secharden/secharden.d/` 目录,用于存放用户自定义的配置文件。 +> secharden 的参数使用说明详见 [命令行参数说明](USAGE.md) -用户可以在该目录下创建自定义配置文件, 格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。这些配置文件会在系统加固时被加载。 +secharden 提供了一个命令行工具,可以通过以下命令来应用安全加固规则: -当配置完毕后,使用 `secharden apply` 命令应用加固配置。 +```bash +secharden apply +``` + +### 配置文件说明 + +默认情况下,secharden 会在 `/etc/secharden` 目录中查找配置。该目录包含一个 `secharden.conf` 文件和一个 `secharden.conf.d` +目录。 + +`secharden.conf` 文件用于定义了全局配置和规则的启用状态。[secharden 安全防护能力配置](#secharden-安全防护能力配置) +一节描述的规则都可以在该文件中进行配置。用户可以通过编辑该文件来启用或禁用特定的安全加固规则。 + +建议用户还在 `secharden.conf.d` 目录中创建子配置文件,该目录下的配置文件会按优先级覆盖 `secharden.conf` +的配置项。该目录下的配置文件必须满足以下要求: + +- 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 + 其中,`<优先级>` 是一个大于零的整数,表示配置文件的加载优先级,数字越大优先级越高。 + +配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: + +```yaml +int.01: + enabled: true +int.03: + selinux_tags: + - user_home_t + - var_log_t +net.01: + enabled: false +net.02: +``` + +上述配置文件表示启用 `int.01`、`int.03` 和 `net.02` 规则,并为 `int.03` 规则指定了 selinux 标签。该配置文件还显式禁用了 +`net.01` 规则。 + +在每个规则中,都有一个特殊的 `enabled` 参数,用于启用或禁用该规则。默认情况下,所有规则都被启用。用户可以通过设置 +`enabled: false` 来禁用某个规则,例如: + +```yaml +int.01: + enabled: false +``` + +## secharden 内置安全防护能力 + +secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 + +详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 + +### 全栈完整性加固 + +在系统启动运行的任何阶段都面临篡改的风险,对系统、业务软件的篡改将导致系统运行的不可信。全栈完整性加固通过全周期的安全校验检测是否发生篡改攻击,目前支持以下几种完整性安全配置: + +| ID | 加固规则 | 保护范围 | 保护周期 | +|--------|---------------|------|-------| +| int.01 | 启用内核模块签名 | 内核模块 | 系统启动时 | +| int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | +| int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | + +结合 
[openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html) +,启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 + +目前,int.01 与 int.02 已在 `secharden.conf` 配置文件中使用了下列字段开启: + +```yaml +int.01: +int.02: +``` + +规则 int.03 可通过以下几个步骤完成本节全栈完整性加固操作: + +1. IMA 标签设置 + + secharden 通过 selinux 标签来区分需要 IMA 保护的用户文件范围。用户可通过以下指令为文件关联一个 selinux 标签: + + ``` + semanage fcontext -a -t $type $file + restorecon -v $file + ``` + +2. 规则使能 + + 创建配置文件 `/etc/secharden/secharden.conf.d/01-ima_tags.conf`,内容如下: + + ```yaml + int.03: + selinux_tags: + - <你的 selinux 标签,例如 user_home_t> + ``` + +int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 + +### 内核加固 + +内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | +|---------|---------------|------| +| kern.01 | 开启 BPF 加固功能 | 内核模块 | +| kern.02 | 启用内核 ASLR | 内核代码 | +| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | + +目前,上述规则已在 `secharden.conf` 配置文件中使用了下列字段开启: + +```yaml +kern.01: +kern.02: +kern.03: +``` + +用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 + +### 登录认证 + +登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | +|----------|----------------------------|------| +| login.01 | 禁止空口令登录 | SSH | +| login.02 | 禁止使用 PermitUserEnvironment | SSH | +| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | +| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | +| login.05 | 禁止使用 X11 Forwarding | SSH | +| login.06 | 禁止使用 SysRq 键 | 物理机 | +| login.07 | 避免开启 tcp_timestamps | 网络 | +| login.08 | 设置最大认证次数 | SSH | + +目前,上述规则已在 `secharden.conf` 配置文件中使用了下列字段开启: + +```yaml +login.01: +login.02: +login.03: +login.04: +login.05: +login.06: +login.07: +login.08: +``` + +用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 + +### 网络保护 + +网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | +|--------|-------------------|------| +| net.01 | 禁止 ICMP 重定向报文 | 网络 | +| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | +| net.03 | 禁止 IP 转发 | 网络 | +| net.04 | 禁止使用 ARP 代理 | 网络 | +| net.05 | 禁止报文源路由 | 网络 | +| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | +| net.07 | 启用防火墙服务 | 网络 
| +| net.08 | 启用反向地址过滤 | 网络 | +| net.09 | 启用 TCP-SYN cookie | 网络 | + +目前,上述规则已在 `secharden.conf` 配置文件中使用了下列字段开启: + +```yaml +net.01: +net.02: +net.03: +net.04: +net.05: +net.06: +net.07: +net.08: +net.09: +``` + +用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 + +### 权限最小化 + +权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | +|---------|----------|------| +| priv.01 | 最小化文件权限 | 用户文件 | +| priv.02 | 启用链接文件保护 | 用户文件 | + +目前,上述规则已在 `secharden.conf` 配置文件中使用了下列字段开启: + +```yaml +priv.01: +priv.02: +``` + +用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 + +### 启用安全服务 + +启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | +|---------|-----------------------|------| +| serv.01 | 启用 rsyslog 服务 | 日志 | +| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | + +目前,上述规则已在 `secharden.conf` 配置文件中使用了下列字段开启: + +```yaml +serv.01: +serv.02: +``` + +用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 + +### 限制高危系统功能 + +限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: + +| ID | 加固规则 | 保护范围 | +|--------|---------------|------| +| sys.01 | 配置 dmesg 访问权限 | 内核模块 | +| sys.02 | 禁止开启 kexec 功能 | 内核模块 | +| sys.03 | 限制内核符号读取权限 | 内核模块 | +| sys.04 | 限制 ptrace 范围 | 内核模块 | +| sys.05 | 禁用不常见网络服务 | 内核模块 | + +目前,上述规则已在 `secharden.conf` 配置文件中使用了下列字段开启: + +```yaml +sys.01: +sys.02: +sys.03: +sys.04: +sys.05: +``` + +用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 -> 详细使用说明参见 [secharden](secharden/README.md)。 ## 最小安全系统配置指南 diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index af5eb9b..031aebf 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md 
@@ -13,79 +13,40 @@ secharden 是一个基于 python 的系统加固框架,用于管理和应用 python3 -m pip install . ``` -## 命令使用 +## 使用 -在安装完成后,可以直接通过命令行使用 secharden。 +secharden 命令提供了多种功能,包括应用加固规则、打印加固规则列表、查看规则的帮助信息等。 -secharden 命令提供了多种功能,包括应用新的加固规则、打印所有的加固规则、查看规则的帮助信息等。 +### 应用加固规则 -### 基础命令 +secharden 会读取配置文件并应用对应的加固规则。 -#### 版本信息 - -打印当前 secharden 的版本信息: - -```bash -secharden --version -``` - -#### 指定规则路径 - -如果需要指定规则路径,可以使用 `--rules` 或 `-r` 参数指定。默认值为工具目录中的 `tools` 目录: - -```bash -secharden --rules /path/to/rules -``` - -> 注意:指定的规则路径必须是一个目录。且该目录中必须包含 `categories.json` 描述规则类别,各个规则目录需满足以下要求: -> - 每个规则目录必须包含一个 `metadata.json` 文件,描述该规则的详细信息。 -> - 规则目录的名称必须为 <类别>.<序号>,例如 `system.01`、`network.02` 等。且类别必须与 `categories.json` 中的类别一致。 -> - 规则目录下的 `metadata.json` 文件必须满足工具目录中的 `schema/metadata.json` 规范。 - -工具会校验当前规则路径下的规则路径,若目录不符合要求,则不会加载到工具规则列表中。 -如果用户使用自定义的规则路径,建议使用以下命令来查看规则路径是否被加载到列表中: +如果用户没有指定规则路径,则会使用默认的 `/etc/secharden` 目录: ```bash -secharden -r /path/to/rules list +secharden apply ``` -若不满足要求,查询工具 log 文件中的错误信息。 - -#### 指定 log 路径 - -如果需要指定 log 路径,可以使用 `--log` 或 `-l` 参数指定。默认值为 `/var/log/secharden`: +如果用户需要指定规则路径可以在 `secharden apply` 后指定: ```bash -secharden --log /path/to/log_directory +secharden apply [/path/to/config_path] ``` -> 注意:指定的 log 路径必须是一个目录。 - -#### 开启 debug 模式 - -如果需要开启 debug 模式,可以使用 `--debug` 或 `-d` 参数: +secharden 会输出应用的规则,示例如下: -```bash -secharden --debug +```plaintext +Applying rule: int.01... ``` -开启后,工具会在 log 文件中输出更多的调试信息,帮助用户排查问题。 - -### 应用新的加固规则 +#### 配置文件目录 -如果需要指定规则路径可以在 `secharden apply` 后指定。默认值为 `/etc/secharden` 目录: - -```bash -secharden apply /path/to/config_path -``` - -> 注意:指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 +指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 - -#### 配置文件格式 + 其中,`<优先级>` 是一个大于零的整数,表示配置文件的加载优先级,数字越大优先级越高。 配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: 
@@ -110,134 +71,102 @@ int.01: enabled: false ``` -### 查看规则的帮助信息 +### 打印加固规则列表 -传入 rule_id 参数可以查看指定规则的帮助信息: +用户可以使用 `secharden list` 命令打印当前加载的加固规则列表。该命令会列出所有可用的规则。用户也可以传入参数来查看指定类别的规则列表。 ```bash -secharden help rule_id +secharden list [类别 ID] ``` -## secharden 内置安全防护能力 - -secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 - -详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 - -### 全栈完整性加固 - -在系统启动运行的任何阶段都面临篡改的风险,对系统、业务软件的篡改将导致系统运行的不可信。全栈完整性加固通过全周期的安全校验检测是否发生篡改攻击,目前支持以下几种完整性安全配置: - -| ID | 加固规则 | 保护范围 | 保护周期 | -|--------|---------------|------|-------| -| int.01 | 启用内核模块签名 | 内核模块 | 系统启动时 | -| int.02 | 启用 DIM 动态度量内核 | 内核代码 | 系统运行时 | -| int.03 | 启用 IMA 度量关键文件 | 用户文件 | 业务加载时 | - -结合 [openEuler安全启动](https://docs.openeuler.openatom.cn/zh/docs/24.03_LTS_SP2/server/security/cert_signature/secure_boot.html),启动时校验加载的系统镜像的完整性,实现全周期的系统防篡改。 - -目前,int.01 与 int.02 已在默认配置中开启,int.03 可通过以下几个步骤完成本节全栈完整性加固操作: - -1. IMA 标签设置 +结果示例如下: + +```plaintext +int: 全栈完整性 + int.01: 启用内核模块签名 + int.02: 启用DIM动态度量内核 + int.03: 启用IMA度量关键文件 +kern: 内核加固 + kern.01: 开启BPF加固功能 + kern.02: 启用内核ASLR + kern.03: 确保内核触发错误后直接退出 +``` - secharden 通过 selinux 标签来区分需要 IMA 保护的用户文件范围。用户可通过以下指令为文件关联一个 selinux 标签: +### 查看规则的帮助信息 - ``` - semanage fcontext -a -t $type $file - restorecon -v $file - ``` +传入参数可以查看指定类别或规则的帮助信息,用户可以传入规则 ID 或者类别 ID 查看相应的帮助信息。 -2. 
规则使能 +```bash +secharden help <规则 ID 或 类别 ID> +``` - 创建配置文件 `/etc/secharden/secharden.conf.d/01-ima_tags.conf`,内容如下: +结果示例如下: - ```yaml - int.03: - selinux_tags: - - <你的 selinux 标签,例如 user_home_t> - ``` +```plaintext +### int.01 启用内核模块签名 -int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 +启用内核模块签名。内核模块签名以一定格式在内核模块文件末尾添加签名信息,系统在加载内核模块时检查签名是否与内核中预设的公钥匹配。这样可以验证内核模块文件的真实性和完整性,防止系统加载未经认证的恶意内核模块。 -### 内核加固 +#### 参数 -内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: +无 -| ID | 加固规则 | 保护范围 | -|---------|---------------|------| -| kern.01 | 开启 BPF 加固功能 | 内核模块 | -| kern.02 | 启用内核 ASLR | 内核代码 | -| kern.03 | 确保内核触发错误后直接退出 | 内核代码 | +``` -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 +### 通用命令参数 -### 登录认证 +以下命令参数适用于所有 secharden 命令。这些命令必须在 `secharden` 命令后使用。例如: -登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: +```bash +secharden --rules /path/to/rules apply /path/to/config_path +``` -| ID | 加固规则 | 保护范围 | -|----------|----------------------------|------| -| login.01 | 禁止空口令登录 | SSH | -| login.02 | 禁止使用 PermitUserEnvironment | SSH | -| login.03 | 禁用 root 用户通过 SSH 登录 | SSH | -| login.04 | 禁用 SSH 的 TCP 转发功能 | SSH | -| login.05 | 禁止使用 X11 Forwarding | SSH | -| login.06 | 禁止使用 SysRq 键 | 物理机 | -| login.07 | 避免开启 tcp_timestamps | 网络 | -| login.08 | 设置最大认证次数 | SSH | +#### 版本信息 -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 +打印当前 secharden 的版本信息: -### 网络保护 +```bash +secharden --version +``` -网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: +#### 指定规则路径 -| ID | 加固规则 | 保护范围 | -|--------|-------------------|------| -| net.01 | 禁止 ICMP 重定向报文 | 网络 | -| net.02 | 禁止系统响应 ICMP 广播报文 | 网络 | -| net.03 | 禁止 IP 转发 | 网络 | -| net.04 | 禁止使用 ARP 代理 | 网络 | -| net.05 | 禁止报文源路由 | 网络 | -| net.06 | 丢弃伪造的 ICMP 报文 | 网络 | -| net.07 | 启用防火墙服务 | 网络 | -| net.08 | 启用反向地址过滤 | 网络 | -| net.09 | 启用 TCP-SYN cookie | 网络 | +如果需要指定规则路径,可以使用 `--rules` 或 `-r` 参数指定。默认值为工具目录中的 `tools` 目录: -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 +```bash +secharden --rules /path/to/rules +``` -### 权限最小化 +> 
注意:指定的规则路径必须是一个目录。且该目录中必须包含 `categories.json` 描述规则类别,各个规则目录需满足以下要求: +> - 每个规则目录必须包含一个 `metadata.json` 文件,描述该规则的详细信息。 +> - 规则目录的名称必须为 <类别>.<序号>,例如 `system.01`、`network.02` 等。且类别必须与 `categories.json` 中的类别一致。 +> - 规则目录下的 `metadata.json` 文件必须满足工具目录中的 `schema/metadata.json` 规范。 -权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: +工具会校验当前规则路径下的规则路径,若目录不符合要求,则不会加载到工具规则列表中。 +如果用户使用自定义的规则路径,建议使用以下命令来查看规则路径是否被加载到列表中: -| ID | 加固规则 | 保护范围 | -|---------|----------|------| -| priv.01 | 最小化文件权限 | 用户文件 | -| priv.02 | 启用链接文件保护 | 用户文件 | +```bash +secharden -r /path/to/rules list +``` -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 +若不满足要求,查询工具 log 文件中的错误信息。 -### 启用安全服务 +#### 指定 log 路径 -启用安全服务用于确保系统中安全服务的正常运行,防止攻击者通过关闭安全服务来降低系统的安全性。目前支持以下几种安全配置: +如果需要指定 log 路径,可以使用 `--log` 或 `-l` 参数指定。默认值为 `/var/log/secharden`: -| ID | 加固规则 | 保护范围 | -|---------|-----------------------|------| -| serv.01 | 启用 rsyslog 服务 | 日志 | -| serv.02 | Selinux 启用 enforce 模式 | 用户文件 | +```bash +secharden --log /path/to/log_directory +``` -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 +> 注意:指定的 log 路径必须是一个目录。 -### 限制高危系统功能 +#### 开启 debug 模式 -限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: +如果需要开启 debug 模式,可以使用 `--debug` 或 `-d` 参数: -| ID | 加固规则 | 保护范围 | -|--------|---------------|------| -| sys.01 | 配置 dmesg 访问权限 | 内核模块 | -| sys.02 | 禁止开启 kexec 功能 | 内核模块 | -| sys.03 | 限制内核符号读取权限 | 内核模块 | -| sys.04 | 限制 ptrace 范围 | 内核模块 | -| sys.05 | 禁用不常见网络服务 | 内核模块 | +```bash +secharden --debug +``` -目前,上述所有规则已在默认配置中开启,用户可以直接使用 `secharden apply` 命令应用本节所有规则。 \ No newline at end of file +开启后,工具会在 log 文件中输出更多的调试信息,帮助用户排查问题。 -- Gitee From 189a02510a4f12256fb7e40f0491a8fb543399f1 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 10:50:10 +0800 Subject: [PATCH 085/109] fix title --- os-harden-tools/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 645816f..a37a57f 100644 
--- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md @@ -44,7 +44,7 @@ os-harden-tools/ 构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/os-harden-tools-<版本>.noarch.rpm` 找到构建完成的 rpm 包。 该 rpm 包可以直接使用 `dnf install` 命令安装。 -## 使用 +### 使用 > secharden 的参数使用说明详见 [命令行参数说明](USAGE.md) @@ -54,7 +54,7 @@ secharden 提供了一个命令行工具,可以通过以下命令来应用安 secharden apply ``` -### 配置文件说明 +#### 配置文件说明 默认情况下,secharden 会在 `/etc/secharden` 目录中查找配置。该目录包含一个 `secharden.conf` 文件和一个 `secharden.conf.d` 目录。 @@ -93,13 +93,13 @@ int.01: enabled: false ``` -## secharden 内置安全防护能力 +### secharden 内置安全防护能力 secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 -### 全栈完整性加固 +#### 全栈完整性加固 在系统启动运行的任何阶段都面临篡改的风险,对系统、业务软件的篡改将导致系统运行的不可信。全栈完整性加固通过全周期的安全校验检测是否发生篡改攻击,目前支持以下几种完整性安全配置: @@ -142,7 +142,7 @@ int.02: int.03 配置完成后,使用 `secharden apply` 命令应用本节所有规则。 -### 内核加固 +#### 内核加固 内核加固用于增强内核的安全性,防止攻击者通过内核漏洞进行攻击。目前支持以下几种安全配置: @@ -162,7 +162,7 @@ kern.03: 用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 -### 登录认证 +#### 登录认证 登录认证用于保护系统登录认证过程,防止攻击者通过暴力破解等方式获取用户凭据。目前支持以下几种安全配置: @@ -192,7 +192,7 @@ login.08: 用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 -### 网络保护 +#### 网络保护 网络保护用于保护系统的网络连接,防止攻击者通过网络进行攻击。目前支持以下几种安全配置: @@ -224,7 +224,7 @@ net.09: 用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 -### 权限最小化 +#### 权限最小化 权限最小化用于限制系统中用户和进程的权限,防止攻击者通过权限提升获取更高的权限。目前支持以下几种安全配置: @@ -260,7 +260,7 @@ serv.02: 用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 -### 限制高危系统功能 +#### 限制高危系统功能 限制高危系统功能用于防止攻击者通过滥用系统功能来获取更高的权限或进行其他恶意操作。目前支持以下几种安全配置: -- Gitee From 861c7a8fa46aef6cd317c00e0895ab8461512420 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 10:51:47 +0800 Subject: [PATCH 086/109] minor doc fix --- os-harden-tools/README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index a37a57f..7dfef35 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md 
@@ -15,6 +15,9 @@ os-harden-tools/ ## secharden +secharden 是一个基于 python 的系统加固框架,用于管理和应用各种安全加固规则。 +它提供了一个灵活的方式来增强系统的安全性,支持多种加固规则的配置和执行。 + ### 安装 本节描述的 os-harden-tools 构建可参考 @@ -46,7 +49,7 @@ os-harden-tools/ ### 使用 -> secharden 的参数使用说明详见 [命令行参数说明](USAGE.md) +> secharden 的参数使用说明详见 [命令行参数说明](secharden/README.md)。 secharden 提供了一个命令行工具,可以通过以下命令来应用安全加固规则: @@ -97,7 +100,7 @@ int.01: secharden 工具提供了一系列的安全加固规则,这些规则可以通过配置文件进行管理和应用。每个规则都包含了特定的安全措施,用户可以根据需要启用或禁用这些规则。 -详细的规则文档介绍参见:[安全 OS 配置工具](src/secharden/tools/README.md)。 +详细的规则文档介绍参见:[安全 OS 配置工具](secharden/src/secharden/tools/README.md)。 #### 全栈完整性加固 @@ -284,7 +287,6 @@ sys.05: 用户无需额外配置,直接使用 `secharden apply` 命令应用本节所有规则。 - ## 最小安全系统配置指南 `docs` 目录包含了最小安全系统配置指南,主要包括以下内容: -- Gitee From 79d0dc5bfbde04ad8533b31afc0851c4c1de32bb Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 11:00:54 +0800 Subject: [PATCH 087/109] update readme --- os-harden-tools/README.md | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 7dfef35..2f44ae8 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md @@ -45,18 +45,24 @@ secharden 是一个基于 python 的系统加固框架,用于管理和应用 ``` 构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/os-harden-tools-<版本>.noarch.rpm` 找到构建完成的 rpm 包。 -该 rpm 包可以直接使用 `dnf install` 命令安装。 +该 rpm 包可以直接使用 `dnf install` 命令安装: + +```shell +sudo dnf install $HOME/rpmbuild/RPMS/noarch/os-harden-tools-<版本>.noarch.rpm +``` ### 使用 -> secharden 的参数使用说明详见 [命令行参数说明](secharden/README.md)。 +> secharden 的使用需要 root 权限,因此请确保以 root 用户或使用 `sudo` 执行命令。 secharden 提供了一个命令行工具,可以通过以下命令来应用安全加固规则: -```bash +```shell secharden apply ``` +> secharden 的使用说明详见 [命令行参数说明](secharden/README.md)。 + #### 配置文件说明 默认情况下,secharden 会在 `/etc/secharden` 目录中查找配置。该目录包含一个 `secharden.conf` 文件和一个 `secharden.conf.d` 
@@ -68,8 +74,8 @@ secharden apply 建议用户还在 `secharden.conf.d` 目录中创建子配置文件,该目录下的配置文件会按优先级覆盖 `secharden.conf` 的配置项。该目录下的配置文件必须满足以下要求: -- 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 - 其中,`<优先级>` 是一个大于零的整数,表示配置文件的加载优先级,数字越大优先级越高。 +- 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。其中,`<优先级>` + 是一个大于零的整数,表示配置文件的加载优先级,数字越大优先级越高。 配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: @@ -88,7 +94,13 @@ net.02: 上述配置文件表示启用 `int.01`、`int.03` 和 `net.02` 规则,并为 `int.03` 规则指定了 selinux 标签。该配置文件还显式禁用了 `net.01` 规则。 -在每个规则中,都有一个特殊的 `enabled` 参数,用于启用或禁用该规则。默认情况下,所有规则都被启用。用户可以通过设置 +上述配置文件中,`int.03` 规则的 `selinux_tags` 可以使用 `secharden` 提供的帮助文档,获取对应的参数配置信息,例如: + +```shell +secharden help int.03 +``` + +除了各个规则定义的参数以外,在每个规则中,都有一个特殊的 `enabled` 参数,用于启用或禁用该规则。默认情况下,所有规则都被启用。用户可以通过设置 `enabled: false` 来禁用某个规则,例如: ```yaml -- Gitee From 406051cd55f1aed7dd39b61b7f2e6d089ddb6348 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 11:05:37 +0800 Subject: [PATCH 088/109] reversed order to make small number higher priority --- os-harden-tools/README.md | 4 ++-- os-harden-tools/secharden/README.md | 4 ++-- os-harden-tools/secharden/src/secharden/config_parser.py | 2 +- .../secharden/tests/config_parser/test_collection.py | 5 +++-- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 2f44ae8..77f4e5d 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md @@ -71,11 +71,11 @@ secharden apply `secharden.conf` 文件用于定义了全局配置和规则的启用状态。[secharden 安全防护能力配置](#secharden-安全防护能力配置) 一节描述的规则都可以在该文件中进行配置。用户可以通过编辑该文件来启用或禁用特定的安全加固规则。 -建议用户还在 `secharden.conf.d` 目录中创建子配置文件,该目录下的配置文件会按优先级覆盖 `secharden.conf` +建议用户在 `secharden.conf.d` 目录中创建子配置文件,该目录下的配置文件会按优先级覆盖 `secharden.conf` 的配置项。该目录下的配置文件必须满足以下要求: - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。其中,`<优先级>` - 是一个大于零的整数,表示配置文件的加载优先级,数字越大优先级越高。 + 是一个大于零的整数,表示配置文件的加载优先级,数字越小优先级越高。 配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: 
diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 031aebf..533865d 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md @@ -45,8 +45,8 @@ Applying rule: int.01... 用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: -- 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。 - 其中,`<优先级>` 是一个大于零的整数,表示配置文件的加载优先级,数字越大优先级越高。 +- 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。其中,`<优先级>` + 是一个大于零的整数,表示配置文件的加载优先级,数字越小优先级越高。 配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: diff --git a/os-harden-tools/secharden/src/secharden/config_parser.py b/os-harden-tools/secharden/src/secharden/config_parser.py index ac1d26d..52b7631 100644 --- a/os-harden-tools/secharden/src/secharden/config_parser.py +++ b/os-harden-tools/secharden/src/secharden/config_parser.py @@ -45,7 +45,7 @@ def collect_configs(config_dir: Path) -> List[Path]: if user_config.exists() and user_config.is_dir(): configs: List[Path] = list(user_config.glob(f"*.conf")) file_collection.extend( - sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0]))) + sorted(filter(verify_config_name, configs), key=lambda r: int(r.name.split('-', 1)[0]), reverse=True)) return file_collection diff --git a/os-harden-tools/secharden/tests/config_parser/test_collection.py b/os-harden-tools/secharden/tests/config_parser/test_collection.py index 05ed499..e55cec2 100644 --- a/os-harden-tools/secharden/tests/config_parser/test_collection.py +++ b/os-harden-tools/secharden/tests/config_parser/test_collection.py 
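Review bot: In the `config_parser.py` hunk, `reverse=True` makes the relative order of two drop-in files with the same numeric prefix (e.g. `01-a.conf` and `01-b.conf`) depend on the `glob()` traversal order, which is filesystem-dependent, so which of them applies last and wins the override is not deterministic across hosts; since these files decide which hardening rules are enabled, the result of `secharden apply` should not vary that way. Drop `reverse=True` and break the tie by name with a composite key: `key=lambda r: (-int(r.name.split('-', 1)[0]), r.name)`. A one-line comment such as `# smaller prefix = higher priority: sorted last so it overrides earlier files` would also record the convention the README now states, since the reversed sort alone does not explain it. `collect_configs` begins before the hunk.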
@@ -26,8 +26,9 @@ class TestConfigCollector: p = collect_configs(config_test_path.joinpath("full_collection")) assert len(p) == 3 assert p[0].name == "secharden.conf" - assert p[1].name == "01-test.conf" - assert p[2].name == "02-test2.conf" + # reversed, the 01 will override 02 + assert p[1].name == "02-test2.conf" + assert p[2].name == "01-test.conf" def test_collection_wrong_name(self, config_test_path): p = collect_configs(config_test_path.joinpath("collection_wrong_name")) -- Gitee From 399a6cdd33270e38707b0be3c6dabe2f180cd046 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 11:24:08 +0800 Subject: [PATCH 089/109] update readme --- os-harden-tools/README.md | 9 ++++++--- os-harden-tools/secharden/README.md | 7 ++++++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/os-harden-tools/README.md b/os-harden-tools/README.md index 77f4e5d..f9c14cc 100644 --- a/os-harden-tools/README.md +++ b/os-harden-tools/README.md @@ -65,6 +65,8 @@ secharden apply #### 配置文件说明 +**配置文件目录结构** + 默认情况下,secharden 会在 `/etc/secharden` 目录中查找配置。该目录包含一个 `secharden.conf` 文件和一个 `secharden.conf.d` 目录。 @@ -77,6 +79,8 @@ secharden apply - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。其中,`<优先级>` 是一个大于零的整数,表示配置文件的加载优先级,数字越小优先级越高。 +**配置文件格式** + 配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: ```yaml @@ -91,10 +95,9 @@ net.01: net.02: ``` -上述配置文件表示启用 `int.01`、`int.03` 和 `net.02` 规则,并为 `int.03` 规则指定了 selinux 标签。该配置文件还显式禁用了 -`net.01` 规则。 +上述配置文件表示启用 `int.01`、`int.03` 和 `net.02` 规则,显式禁用了 `net.01` 规则,并为 `int.03` 规则指定了 selinux 标签。 -上述配置文件中,`int.03` 规则的 `selinux_tags` 可以使用 `secharden` 提供的帮助文档,获取对应的参数配置信息,例如: +用户可以通过 `secharden` 提供的帮助文档,获取对应的规则信息,例如 上述规则中的 `int.03` 规则可以使用如下命令查看规则信息: ```shell secharden help int.03 diff --git a/os-harden-tools/secharden/README.md b/os-harden-tools/secharden/README.md index 533865d..f26c742 100644 --- a/os-harden-tools/secharden/README.md +++ b/os-harden-tools/secharden/README.md 
@@ -41,6 +41,8 @@ Applying rule: int.01... #### 配置文件目录 +**配置文件目录结构** + 指定的规则路径必须是一个目录。且该目录中必须包含一个基础配置文件 `secharden.conf`。 用户还可以创建一个 `secharden.conf.d` 目录,在该目录下放置多个配置文件,工具会自动加载这些配置文件。该目录下的配置文件必须满足以下要求: @@ -48,6 +50,8 @@ Applying rule: int.01... - 配置文件命名格式为 `<优先级>-<名称>.conf`,例如 `01-disable_ptrace.conf`。其中,`<优先级>` 是一个大于零的整数,表示配置文件的加载优先级,数字越小优先级越高。 +**配置文件格式** + 配置文件使用 yaml 格式,内包含一个以规则 ID 为键的字典,值为规则的配置参数。例如: ```yaml @@ -59,9 +63,10 @@ int.03: - var_log_t net.01: enabled: false +net.02: ``` -上述配置文件表示启用 `int.01` 和 `int.03` 规则,并为 `int.03` 规则指定了 selinux 标签。该配置文件还显式禁用了 `net.01` 规则。 +上述配置文件表示启用 `int.01`、`int.03` 和 `net.02` 规则,显式禁用了 `net.01` 规则,并为 `int.03` 规则指定了 selinux 标签。 在每个规则中,都有一个特殊的 `enabled` 参数,用于启用或禁用该规则。默认情况下,所有规则都被启用。用户可以通过设置 `enabled: false` 来禁用某个规则,例如: -- Gitee From ac08a2cdc806fc2b6a146a5bbacf4dafd1a29b63 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Fri, 1 Aug 2025 11:36:29 +0800 Subject: [PATCH 090/109] rename dir --- {os-harden-tools => ccos}/.gitignore | 0 {os-harden-tools => ccos}/README.md | 0 {os-harden-tools => ccos}/conf/secharden.conf | 0 {os-harden-tools => ccos}/docs/README.md | 0 {os-harden-tools => ccos}/docs/normal.xml | 0 {os-harden-tools => ccos}/docs/openeuler_defconfig | 0 {os-harden-tools => ccos}/os-harden-tools.spec | 0 {os-harden-tools => ccos}/secharden/DEVELOPMENT.md | 0 {os-harden-tools => ccos}/secharden/MANIFEST.in | 0 {os-harden-tools => ccos}/secharden/README.md | 0 {os-harden-tools => ccos}/secharden/pyproject.toml | 0 {os-harden-tools => ccos}/secharden/src/secharden/VERSION | 0 {os-harden-tools => ccos}/secharden/src/secharden/__init__.py | 0 .../secharden/src/secharden/config_parser.py | 0 .../secharden/src/secharden/devtools/gendoc.py | 0 {os-harden-tools => ccos}/secharden/src/secharden/executor.py | 0 .../secharden/src/secharden/rule_metadata/__init__.py | 0 .../secharden/src/secharden/rule_metadata/converters/__init__.py | 0 .../secharden/src/secharden/rule_metadata/converters/file_list.py | 0 .../secharden/src/secharden/rule_metadata/manager.py | 0 .../secharden/src/secharden/rule_metadata/metadata.py | 0 .../secharden/src/secharden/schema/categories.schema.json | 0 .../secharden/src/secharden/schema/metadata.schema.json | 0 {os-harden-tools => ccos}/secharden/src/secharden/secharden.py | 0 {os-harden-tools => ccos}/secharden/src/secharden/tools/README.md | 0 .../secharden/src/secharden/tools/categories.json | 0 .../src/secharden/tools/int.01/enable_kernel_module_sign.sh | 0 .../secharden/src/secharden/tools/int.01/metadata.json | 0 .../secharden/src/secharden/tools/int.02/enforce_dim.sh | 0 .../secharden/src/secharden/tools/int.02/metadata.json | 0 .../secharden/src/secharden/tools/int.03/enforce_ima.sh | 0 .../secharden/src/secharden/tools/int.03/metadata.json | 0 .../src/secharden/tools/kern.01/enable_bpf_jit_harden.sh | 0 
.../secharden/src/secharden/tools/kern.01/metadata.json | 0 .../secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh | 0 .../secharden/src/secharden/tools/kern.02/metadata.json | 0 .../secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh | 0 .../secharden/src/secharden/tools/kern.03/metadata.json | 0 .../secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh | 0 .../secharden/src/secharden/tools/login.01/metadata.json | 0 .../tools/login.02/disable_ssh_permit_user_environment.sh | 0 .../secharden/src/secharden/tools/login.02/metadata.json | 0 .../src/secharden/tools/login.03/disable_ssh_root_login.sh | 0 .../secharden/src/secharden/tools/login.03/metadata.json | 0 .../src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh | 0 .../secharden/src/secharden/tools/login.04/metadata.json | 0 .../src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh | 0 .../secharden/src/secharden/tools/login.05/metadata.json | 0 .../secharden/src/secharden/tools/login.06/disable_sysrq.sh | 0 .../secharden/src/secharden/tools/login.06/metadata.json | 0 .../src/secharden/tools/login.07/disable_tcp_timestamps.sh | 0 .../secharden/src/secharden/tools/login.07/metadata.json | 0 .../secharden/src/secharden/tools/login.08/metadata.json | 0 .../src/secharden/tools/login.08/set_ssh_max_auth_tries.sh | 0 .../src/secharden/tools/net.01/disable_accept_redirect.sh | 0 .../secharden/src/secharden/tools/net.01/metadata.json | 0 .../src/secharden/tools/net.02/disable_icmp_broadcast.sh | 0 .../secharden/src/secharden/tools/net.02/metadata.json | 0 .../secharden/src/secharden/tools/net.03/disable_ip_forward.sh | 0 .../secharden/src/secharden/tools/net.03/metadata.json | 0 .../secharden/src/secharden/tools/net.04/disable_proxy_arp.sh | 0 .../secharden/src/secharden/tools/net.04/metadata.json | 0 .../secharden/src/secharden/tools/net.05/disable_source_route.sh | 0 .../secharden/src/secharden/tools/net.05/metadata.json | 0 
.../src/secharden/tools/net.06/drop_forge_icmp_package.sh | 0 .../secharden/src/secharden/tools/net.06/metadata.json | 0 .../secharden/src/secharden/tools/net.07/enable_firewall.sh | 0 .../secharden/src/secharden/tools/net.07/metadata.json | 0 .../secharden/src/secharden/tools/net.08/enable_rp_filter.sh | 0 .../secharden/src/secharden/tools/net.08/metadata.json | 0 .../src/secharden/tools/net.09/enable_tcp_syn_cookies.sh | 0 .../secharden/src/secharden/tools/net.09/metadata.json | 0 .../secharden/src/secharden/tools/priv.01/metadata.json | 0 .../src/secharden/tools/priv.01/minimal_file_permission.sh | 0 .../secharden/src/secharden/tools/priv.02/metadata.json | 0 .../secharden/src/secharden/tools/priv.02/symlink_protection.sh | 0 .../secharden/src/secharden/tools/serv.01/enable_rsyslog.sh | 0 .../secharden/src/secharden/tools/serv.01/metadata.json | 0 .../src/secharden/tools/serv.02/enable_selinux_enforce.sh | 0 .../secharden/src/secharden/tools/serv.02/metadata.json | 0 .../secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh | 0 .../secharden/src/secharden/tools/sys.01/metadata.json | 0 .../secharden/src/secharden/tools/sys.02/disable_kexec.sh | 0 .../secharden/src/secharden/tools/sys.02/metadata.json | 0 .../secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh | 0 .../secharden/src/secharden/tools/sys.03/metadata.json | 0 .../secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh | 0 .../secharden/src/secharden/tools/sys.04/metadata.json | 0 .../src/secharden/tools/sys.05/disable_uncommon_network_module.sh | 0 .../secharden/src/secharden/tools/sys.05/metadata.json | 0 {os-harden-tools => ccos}/secharden/src/secharden/tools/utils.sh | 0 {os-harden-tools => ccos}/secharden/src/secharden/utils.py | 0 {os-harden-tools => ccos}/secharden/tests/cmd/conf/secharden.conf | 0 .../secharden/tests/cmd/rule_not_found/secharden.conf | 0 .../secharden/tests/cmd/ruleset/categories.json | 0 .../secharden/tests/cmd/ruleset/test.01/entry.sh | 0 
.../secharden/tests/cmd/ruleset/test.01/metadata.json | 0 .../secharden/tests/cmd/ruleset/test1.01/entry.sh | 0 .../secharden/tests/cmd/ruleset/test1.01/metadata.json | 0 {os-harden-tools => ccos}/secharden/tests/cmd/test_gendoc.py | 0 {os-harden-tools => ccos}/secharden/tests/cmd/test_main.py | 0 .../secharden/tests/config_parser/__init__.py | 0 .../config_parser/collection/collection_wrong_name/secharden.conf | 0 .../collection_wrong_name/secharden.conf.d/00-invalid_num.conf | 0 .../collection/collection_wrong_name/secharden.conf.d/nodash.conf | 0 .../collection_wrong_name/secharden.conf.d/not-number.conf | 0 .../secharden/tests/config_parser/collection/empty/.gitkeep | 0 .../tests/config_parser/collection/full_collection/secharden.conf | 0 .../collection/full_collection/secharden.conf.d/01-test.conf | 0 .../collection/full_collection/secharden.conf.d/02-test2.conf | 0 .../collection/only_collection/secharden.conf.d/01-test.conf | 0 .../tests/config_parser/collection/single_file/secharden.conf | 0 .../secharden/tests/config_parser/parser/intersect/1.conf | 0 .../secharden/tests/config_parser/parser/intersect/2.conf | 0 .../tests/config_parser/parser/invalid_yaml/secharden.conf | 0 .../secharden/tests/config_parser/parser/override/1.conf | 0 .../secharden/tests/config_parser/parser/override/2.conf | 0 .../tests/config_parser/parser/single_file/secharden.conf | 0 .../tests/config_parser/parser/wrong_file/secharden.conf | 0 .../tests/config_parser/parser/wrong_file_in_collection/1.conf | 0 .../tests/config_parser/parser/wrong_file_in_collection/2.conf | 0 .../secharden/tests/config_parser/test_collection.py | 0 .../secharden/tests/config_parser/test_parser.py | 0 {os-harden-tools => ccos}/secharden/tests/executor/__init__.py | 0 .../secharden/tests/executor/test_executor.py | 0 {os-harden-tools => ccos}/secharden/tests/rules/__init__.py | 0 .../secharden/tests/rules/converter_sample.py | 0 .../tests/rules/metadata/directory_name_mismatch/metadata.json | 0 
.../secharden/tests/rules/metadata/entry_in_path/metadata.json | 0 .../secharden/tests/rules/metadata/entry_not_file/metadata.json | 0 .../secharden/tests/rules/metadata/no_entry/metadata.json | 0 .../secharden/tests/rules/metadata/no_metadata/.gitkeep | 0 .../secharden/tests/rules/metadata/param/cmd_escape/metadata.json | 0 .../tests/rules/metadata/param/cmd_mismatch_id/metadata.json | 0 .../rules/metadata/param/cmd_multi_placeholder/metadata.json | 0 .../tests/rules/metadata/param/cmd_no_placeholder/metadata.json | 0 .../secharden/tests/rules/metadata/param/cmd_noid/metadata.json | 0 .../tests/rules/metadata/param/cmd_placeholders/metadata.json | 0 .../secharden/tests/rules/metadata/param/cmd_single/metadata.json | 0 .../tests/rules/metadata/param/no_converter/metadata.json | 0 .../secharden/tests/rules/metadata/valid/metadata.json | 0 .../secharden/tests/rules/metadata/valid_full/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/categories.json | 0 .../secharden/tests/rules/ruleset/execution/test.01/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.01/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/test.02/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.02/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/test.03/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.03/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/test.04/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.04/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/categories.json | 0 .../secharden/tests/rules/ruleset/naming/invalid.01/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/nocat.01/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep | 0 .../secharden/tests/rules/ruleset/naming/notdir.01 | 0 .../secharden/tests/rules/ruleset/naming/test-02/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/test.00/metadata.json | 0 
.../secharden/tests/rules/ruleset/naming/test.01/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/test.o3/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/test1.01/metadata.json | 0 .../secharden/tests/rules/ruleset/no_categories/.gitkeep | 0 {os-harden-tools => ccos}/secharden/tests/rules/ruleset/not_a_dir | 0 {os-harden-tools => ccos}/secharden/tests/rules/test_cmd.py | 0 {os-harden-tools => ccos}/secharden/tests/rules/test_converter.py | 0 {os-harden-tools => ccos}/secharden/tests/rules/test_metadata.py | 0 {os-harden-tools => ccos}/secharden/tests/rules/test_param.py | 0 .../secharden/tests/rules/test_rulemanager.py | 0 {os-harden-tools => ccos}/secharden/tests/rules/test_schema.py | 0 {os-harden-tools => ccos}/secharden/uv.lock | 0 170 files changed, 0 insertions(+), 0 deletions(-) rename {os-harden-tools => ccos}/.gitignore (100%) rename {os-harden-tools => ccos}/README.md (100%) rename {os-harden-tools => ccos}/conf/secharden.conf (100%) rename {os-harden-tools => ccos}/docs/README.md (100%) rename {os-harden-tools => ccos}/docs/normal.xml (100%) rename {os-harden-tools => ccos}/docs/openeuler_defconfig (100%) rename {os-harden-tools => ccos}/os-harden-tools.spec (100%) rename {os-harden-tools => ccos}/secharden/DEVELOPMENT.md (100%) rename {os-harden-tools => ccos}/secharden/MANIFEST.in (100%) rename {os-harden-tools => ccos}/secharden/README.md (100%) rename {os-harden-tools => ccos}/secharden/pyproject.toml (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/VERSION (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/__init__.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/config_parser.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/devtools/gendoc.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/executor.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/rule_metadata/__init__.py (100%) rename {os-harden-tools => 
ccos}/secharden/src/secharden/rule_metadata/converters/__init__.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/rule_metadata/converters/file_list.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/rule_metadata/manager.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/rule_metadata/metadata.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/schema/categories.schema.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/schema/metadata.schema.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/secharden.py (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/README.md (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/categories.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/int.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/int.02/enforce_dim.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/int.02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/int.03/enforce_ima.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/int.03/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/kern.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/kern.02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/kern.03/metadata.json (100%) rename {os-harden-tools => 
ccos}/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.03/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.04/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.05/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.06/disable_sysrq.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.06/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.07/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.08/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.02/metadata.json (100%) rename {os-harden-tools => 
ccos}/secharden/src/secharden/tools/net.03/disable_ip_forward.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.03/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.04/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.05/disable_source_route.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.05/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.06/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.07/enable_firewall.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.07/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.08/enable_rp_filter.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.08/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/net.09/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/priv.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/priv.02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/priv.02/symlink_protection.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/serv.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh (100%) rename 
{os-harden-tools => ccos}/secharden/src/secharden/tools/serv.02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.02/disable_kexec.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.03/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.04/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/sys.05/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/tools/utils.sh (100%) rename {os-harden-tools => ccos}/secharden/src/secharden/utils.py (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/conf/secharden.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/rule_not_found/secharden.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/ruleset/categories.json (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/ruleset/test.01/entry.sh (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/ruleset/test.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/ruleset/test1.01/entry.sh (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/ruleset/test1.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/test_gendoc.py (100%) rename {os-harden-tools => ccos}/secharden/tests/cmd/test_main.py (100%) rename {os-harden-tools => 
ccos}/secharden/tests/config_parser/__init__.py (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/empty/.gitkeep (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/full_collection/secharden.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/collection/single_file/secharden.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/intersect/1.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/intersect/2.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/override/1.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/override/2.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/single_file/secharden.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/wrong_file/secharden.conf (100%) rename {os-harden-tools => 
ccos}/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/test_collection.py (100%) rename {os-harden-tools => ccos}/secharden/tests/config_parser/test_parser.py (100%) rename {os-harden-tools => ccos}/secharden/tests/executor/__init__.py (100%) rename {os-harden-tools => ccos}/secharden/tests/executor/test_executor.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/__init__.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/converter_sample.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/entry_in_path/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/entry_not_file/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/no_entry/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/no_metadata/.gitkeep (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/param/cmd_escape/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/param/cmd_noid/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/param/cmd_single/metadata.json (100%) rename {os-harden-tools => 
ccos}/secharden/tests/rules/metadata/param/no_converter/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/valid/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/metadata/valid_full/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/categories.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.01/entry.sh (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.02/entry.sh (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.03/entry.sh (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.03/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.04/entry.sh (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/execution/test.04/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/categories.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/notdir.01 (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/test-02/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/test.00/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/test.01/metadata.json (100%) rename {os-harden-tools => 
ccos}/secharden/tests/rules/ruleset/naming/test.o3/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/naming/test1.01/metadata.json (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/no_categories/.gitkeep (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/ruleset/not_a_dir (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/test_cmd.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/test_converter.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/test_metadata.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/test_param.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/test_rulemanager.py (100%) rename {os-harden-tools => ccos}/secharden/tests/rules/test_schema.py (100%) rename {os-harden-tools => ccos}/secharden/uv.lock (100%)
diff --git a/os-harden-tools/.gitignore b/ccos/.gitignore
similarity index 100%
rename from os-harden-tools/.gitignore
rename to ccos/.gitignore
diff --git a/os-harden-tools/README.md b/ccos/README.md
similarity index 100%
rename from os-harden-tools/README.md
rename to ccos/README.md
diff --git a/os-harden-tools/conf/secharden.conf b/ccos/conf/secharden.conf
similarity index 100%
rename from os-harden-tools/conf/secharden.conf
rename to ccos/conf/secharden.conf
diff --git a/os-harden-tools/docs/README.md b/ccos/docs/README.md
similarity index 100%
rename from os-harden-tools/docs/README.md
rename to ccos/docs/README.md
diff --git a/os-harden-tools/docs/normal.xml b/ccos/docs/normal.xml
similarity index 100%
rename from os-harden-tools/docs/normal.xml
rename to ccos/docs/normal.xml
diff --git a/os-harden-tools/docs/openeuler_defconfig b/ccos/docs/openeuler_defconfig
similarity index 100%
rename from os-harden-tools/docs/openeuler_defconfig
rename to ccos/docs/openeuler_defconfig
diff --git a/os-harden-tools/os-harden-tools.spec b/ccos/os-harden-tools.spec
similarity index 100%
rename from os-harden-tools/os-harden-tools.spec
rename to ccos/os-harden-tools.spec
diff --git a/os-harden-tools/secharden/DEVELOPMENT.md b/ccos/secharden/DEVELOPMENT.md
similarity index 100%
rename from os-harden-tools/secharden/DEVELOPMENT.md
rename to ccos/secharden/DEVELOPMENT.md
diff --git a/os-harden-tools/secharden/MANIFEST.in b/ccos/secharden/MANIFEST.in
similarity index 100%
rename from os-harden-tools/secharden/MANIFEST.in
rename to ccos/secharden/MANIFEST.in
diff --git a/os-harden-tools/secharden/README.md b/ccos/secharden/README.md
similarity index 100%
rename from os-harden-tools/secharden/README.md
rename to ccos/secharden/README.md
diff --git a/os-harden-tools/secharden/pyproject.toml b/ccos/secharden/pyproject.toml
similarity index 100%
rename from os-harden-tools/secharden/pyproject.toml
rename to ccos/secharden/pyproject.toml
diff --git a/os-harden-tools/secharden/src/secharden/VERSION b/ccos/secharden/src/secharden/VERSION
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/VERSION
rename to ccos/secharden/src/secharden/VERSION
diff --git a/os-harden-tools/secharden/src/secharden/__init__.py b/ccos/secharden/src/secharden/__init__.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/__init__.py
rename to ccos/secharden/src/secharden/__init__.py
diff --git a/os-harden-tools/secharden/src/secharden/config_parser.py b/ccos/secharden/src/secharden/config_parser.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/config_parser.py
rename to ccos/secharden/src/secharden/config_parser.py
diff --git a/os-harden-tools/secharden/src/secharden/devtools/gendoc.py b/ccos/secharden/src/secharden/devtools/gendoc.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/devtools/gendoc.py
rename to ccos/secharden/src/secharden/devtools/gendoc.py
diff --git a/os-harden-tools/secharden/src/secharden/executor.py b/ccos/secharden/src/secharden/executor.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/executor.py
rename to ccos/secharden/src/secharden/executor.py
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py b/ccos/secharden/src/secharden/rule_metadata/__init__.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/rule_metadata/__init__.py
rename to ccos/secharden/src/secharden/rule_metadata/__init__.py
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/converters/__init__.py b/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/rule_metadata/converters/__init__.py
rename to ccos/secharden/src/secharden/rule_metadata/converters/__init__.py
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/converters/file_list.py b/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/rule_metadata/converters/file_list.py
rename to ccos/secharden/src/secharden/rule_metadata/converters/file_list.py
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/manager.py b/ccos/secharden/src/secharden/rule_metadata/manager.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/rule_metadata/manager.py
rename to ccos/secharden/src/secharden/rule_metadata/manager.py
diff --git a/os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py b/ccos/secharden/src/secharden/rule_metadata/metadata.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/rule_metadata/metadata.py
rename to ccos/secharden/src/secharden/rule_metadata/metadata.py
diff --git a/os-harden-tools/secharden/src/secharden/schema/categories.schema.json b/ccos/secharden/src/secharden/schema/categories.schema.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/schema/categories.schema.json
rename to ccos/secharden/src/secharden/schema/categories.schema.json
diff --git a/os-harden-tools/secharden/src/secharden/schema/metadata.schema.json b/ccos/secharden/src/secharden/schema/metadata.schema.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/schema/metadata.schema.json
rename to ccos/secharden/src/secharden/schema/metadata.schema.json
diff --git a/os-harden-tools/secharden/src/secharden/secharden.py b/ccos/secharden/src/secharden/secharden.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/secharden.py
rename to ccos/secharden/src/secharden/secharden.py
diff --git a/os-harden-tools/secharden/src/secharden/tools/README.md b/ccos/secharden/src/secharden/tools/README.md
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/README.md
rename to ccos/secharden/src/secharden/tools/README.md
diff --git a/os-harden-tools/secharden/src/secharden/tools/categories.json b/ccos/secharden/src/secharden/tools/categories.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/categories.json
rename to ccos/secharden/src/secharden/tools/categories.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh b/ccos/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh
rename to ccos/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/int.01/metadata.json b/ccos/secharden/src/secharden/tools/int.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/int.01/metadata.json
rename to ccos/secharden/src/secharden/tools/int.01/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/int.02/enforce_dim.sh b/ccos/secharden/src/secharden/tools/int.02/enforce_dim.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/int.02/enforce_dim.sh
rename to ccos/secharden/src/secharden/tools/int.02/enforce_dim.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/int.02/metadata.json b/ccos/secharden/src/secharden/tools/int.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/int.02/metadata.json
rename to ccos/secharden/src/secharden/tools/int.02/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/int.03/enforce_ima.sh b/ccos/secharden/src/secharden/tools/int.03/enforce_ima.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/int.03/enforce_ima.sh
rename to ccos/secharden/src/secharden/tools/int.03/enforce_ima.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/int.03/metadata.json b/ccos/secharden/src/secharden/tools/int.03/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/int.03/metadata.json
rename to ccos/secharden/src/secharden/tools/int.03/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh b/ccos/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh
rename to ccos/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/kern.01/metadata.json b/ccos/secharden/src/secharden/tools/kern.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/kern.01/metadata.json
rename to ccos/secharden/src/secharden/tools/kern.01/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh b/ccos/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh
rename to ccos/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/kern.02/metadata.json b/ccos/secharden/src/secharden/tools/kern.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/kern.02/metadata.json
rename to ccos/secharden/src/secharden/tools/kern.02/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh b/ccos/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh
rename to ccos/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/kern.03/metadata.json b/ccos/secharden/src/secharden/tools/kern.03/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/kern.03/metadata.json
rename to ccos/secharden/src/secharden/tools/kern.03/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh b/ccos/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh
rename to ccos/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.01/metadata.json b/ccos/secharden/src/secharden/tools/login.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.01/metadata.json
rename to ccos/secharden/src/secharden/tools/login.01/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh b/ccos/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh
rename to ccos/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.02/metadata.json b/ccos/secharden/src/secharden/tools/login.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.02/metadata.json
rename to ccos/secharden/src/secharden/tools/login.02/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh b/ccos/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh
rename to ccos/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.03/metadata.json b/ccos/secharden/src/secharden/tools/login.03/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.03/metadata.json
rename to ccos/secharden/src/secharden/tools/login.03/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh b/ccos/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh
rename to ccos/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.04/metadata.json b/ccos/secharden/src/secharden/tools/login.04/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.04/metadata.json
rename to ccos/secharden/src/secharden/tools/login.04/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh b/ccos/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh
rename to ccos/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.05/metadata.json b/ccos/secharden/src/secharden/tools/login.05/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.05/metadata.json
rename to ccos/secharden/src/secharden/tools/login.05/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.06/disable_sysrq.sh b/ccos/secharden/src/secharden/tools/login.06/disable_sysrq.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.06/disable_sysrq.sh
rename to ccos/secharden/src/secharden/tools/login.06/disable_sysrq.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.06/metadata.json b/ccos/secharden/src/secharden/tools/login.06/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.06/metadata.json
rename to ccos/secharden/src/secharden/tools/login.06/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh b/ccos/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh
rename to ccos/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.07/metadata.json b/ccos/secharden/src/secharden/tools/login.07/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.07/metadata.json
rename to ccos/secharden/src/secharden/tools/login.07/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.08/metadata.json b/ccos/secharden/src/secharden/tools/login.08/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.08/metadata.json
rename to ccos/secharden/src/secharden/tools/login.08/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh b/ccos/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh
rename to ccos/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh b/ccos/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh
rename to ccos/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.01/metadata.json b/ccos/secharden/src/secharden/tools/net.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.01/metadata.json
rename to ccos/secharden/src/secharden/tools/net.01/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh b/ccos/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh
rename to ccos/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.02/metadata.json b/ccos/secharden/src/secharden/tools/net.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.02/metadata.json
rename to ccos/secharden/src/secharden/tools/net.02/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.03/disable_ip_forward.sh b/ccos/secharden/src/secharden/tools/net.03/disable_ip_forward.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.03/disable_ip_forward.sh
rename to ccos/secharden/src/secharden/tools/net.03/disable_ip_forward.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.03/metadata.json b/ccos/secharden/src/secharden/tools/net.03/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.03/metadata.json
rename to ccos/secharden/src/secharden/tools/net.03/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh b/ccos/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh
rename to ccos/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.04/metadata.json b/ccos/secharden/src/secharden/tools/net.04/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.04/metadata.json
rename to ccos/secharden/src/secharden/tools/net.04/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.05/disable_source_route.sh b/ccos/secharden/src/secharden/tools/net.05/disable_source_route.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.05/disable_source_route.sh
rename to ccos/secharden/src/secharden/tools/net.05/disable_source_route.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.05/metadata.json b/ccos/secharden/src/secharden/tools/net.05/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.05/metadata.json
rename to ccos/secharden/src/secharden/tools/net.05/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh b/ccos/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh
rename to ccos/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.06/metadata.json b/ccos/secharden/src/secharden/tools/net.06/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.06/metadata.json
rename to ccos/secharden/src/secharden/tools/net.06/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh b/ccos/secharden/src/secharden/tools/net.07/enable_firewall.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.07/enable_firewall.sh
rename to ccos/secharden/src/secharden/tools/net.07/enable_firewall.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.07/metadata.json b/ccos/secharden/src/secharden/tools/net.07/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.07/metadata.json
rename to ccos/secharden/src/secharden/tools/net.07/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.08/enable_rp_filter.sh b/ccos/secharden/src/secharden/tools/net.08/enable_rp_filter.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.08/enable_rp_filter.sh
rename to ccos/secharden/src/secharden/tools/net.08/enable_rp_filter.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.08/metadata.json b/ccos/secharden/src/secharden/tools/net.08/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.08/metadata.json
rename to ccos/secharden/src/secharden/tools/net.08/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh b/ccos/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh
rename to ccos/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/net.09/metadata.json b/ccos/secharden/src/secharden/tools/net.09/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/net.09/metadata.json
rename to ccos/secharden/src/secharden/tools/net.09/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/priv.01/metadata.json b/ccos/secharden/src/secharden/tools/priv.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/priv.01/metadata.json
rename to ccos/secharden/src/secharden/tools/priv.01/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh b/ccos/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh
rename to ccos/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/priv.02/metadata.json b/ccos/secharden/src/secharden/tools/priv.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/priv.02/metadata.json
rename to ccos/secharden/src/secharden/tools/priv.02/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/priv.02/symlink_protection.sh b/ccos/secharden/src/secharden/tools/priv.02/symlink_protection.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/priv.02/symlink_protection.sh
rename to ccos/secharden/src/secharden/tools/priv.02/symlink_protection.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh b/ccos/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh
rename to ccos/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/serv.01/metadata.json b/ccos/secharden/src/secharden/tools/serv.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/serv.01/metadata.json
rename to ccos/secharden/src/secharden/tools/serv.01/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh b/ccos/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh
rename to ccos/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/serv.02/metadata.json b/ccos/secharden/src/secharden/tools/serv.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/serv.02/metadata.json
rename to ccos/secharden/src/secharden/tools/serv.02/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh b/ccos/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh
rename to ccos/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.01/metadata.json b/ccos/secharden/src/secharden/tools/sys.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.01/metadata.json
rename to ccos/secharden/src/secharden/tools/sys.01/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.02/disable_kexec.sh b/ccos/secharden/src/secharden/tools/sys.02/disable_kexec.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.02/disable_kexec.sh
rename to ccos/secharden/src/secharden/tools/sys.02/disable_kexec.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.02/metadata.json b/ccos/secharden/src/secharden/tools/sys.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.02/metadata.json
rename to ccos/secharden/src/secharden/tools/sys.02/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh b/ccos/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh
rename to ccos/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.03/metadata.json b/ccos/secharden/src/secharden/tools/sys.03/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.03/metadata.json
rename to ccos/secharden/src/secharden/tools/sys.03/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh b/ccos/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
rename to ccos/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.04/metadata.json b/ccos/secharden/src/secharden/tools/sys.04/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.04/metadata.json
rename to ccos/secharden/src/secharden/tools/sys.04/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh b/ccos/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
rename to ccos/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
diff --git a/os-harden-tools/secharden/src/secharden/tools/sys.05/metadata.json b/ccos/secharden/src/secharden/tools/sys.05/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/sys.05/metadata.json
rename to ccos/secharden/src/secharden/tools/sys.05/metadata.json
diff --git a/os-harden-tools/secharden/src/secharden/tools/utils.sh b/ccos/secharden/src/secharden/tools/utils.sh
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/tools/utils.sh
rename to ccos/secharden/src/secharden/tools/utils.sh
diff --git a/os-harden-tools/secharden/src/secharden/utils.py b/ccos/secharden/src/secharden/utils.py
similarity index 100%
rename from os-harden-tools/secharden/src/secharden/utils.py
rename to ccos/secharden/src/secharden/utils.py
diff --git a/os-harden-tools/secharden/tests/cmd/conf/secharden.conf b/ccos/secharden/tests/cmd/conf/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/conf/secharden.conf
rename to ccos/secharden/tests/cmd/conf/secharden.conf
diff --git a/os-harden-tools/secharden/tests/cmd/rule_not_found/secharden.conf b/ccos/secharden/tests/cmd/rule_not_found/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/rule_not_found/secharden.conf
rename to ccos/secharden/tests/cmd/rule_not_found/secharden.conf
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/categories.json b/ccos/secharden/tests/cmd/ruleset/categories.json
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/ruleset/categories.json
rename to ccos/secharden/tests/cmd/ruleset/categories.json
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test.01/entry.sh b/ccos/secharden/tests/cmd/ruleset/test.01/entry.sh
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/ruleset/test.01/entry.sh
rename to ccos/secharden/tests/cmd/ruleset/test.01/entry.sh
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test.01/metadata.json b/ccos/secharden/tests/cmd/ruleset/test.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/ruleset/test.01/metadata.json
rename to ccos/secharden/tests/cmd/ruleset/test.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/entry.sh b/ccos/secharden/tests/cmd/ruleset/test1.01/entry.sh
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/ruleset/test1.01/entry.sh
rename to ccos/secharden/tests/cmd/ruleset/test1.01/entry.sh
diff --git a/os-harden-tools/secharden/tests/cmd/ruleset/test1.01/metadata.json b/ccos/secharden/tests/cmd/ruleset/test1.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/ruleset/test1.01/metadata.json
rename to ccos/secharden/tests/cmd/ruleset/test1.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/cmd/test_gendoc.py b/ccos/secharden/tests/cmd/test_gendoc.py
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/test_gendoc.py
rename to ccos/secharden/tests/cmd/test_gendoc.py
diff --git a/os-harden-tools/secharden/tests/cmd/test_main.py b/ccos/secharden/tests/cmd/test_main.py
similarity index 100%
rename from os-harden-tools/secharden/tests/cmd/test_main.py
rename to ccos/secharden/tests/cmd/test_main.py
diff --git a/os-harden-tools/secharden/tests/config_parser/__init__.py b/ccos/secharden/tests/config_parser/__init__.py
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/__init__.py
rename to ccos/secharden/tests/config_parser/__init__.py
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf b/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf
rename to ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf b/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
rename to ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf b/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf
rename to ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf b/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf
rename to ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/empty/.gitkeep b/ccos/secharden/tests/config_parser/collection/empty/.gitkeep
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/empty/.gitkeep
rename to ccos/secharden/tests/config_parser/collection/empty/.gitkeep
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf b/ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf
rename to ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf b/ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
rename to ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf b/ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
rename to ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf b/ccos/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
rename to ccos/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/collection/single_file/secharden.conf b/ccos/secharden/tests/config_parser/collection/single_file/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/collection/single_file/secharden.conf
rename to ccos/secharden/tests/config_parser/collection/single_file/secharden.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/intersect/1.conf b/ccos/secharden/tests/config_parser/parser/intersect/1.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/intersect/1.conf
rename to ccos/secharden/tests/config_parser/parser/intersect/1.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/intersect/2.conf b/ccos/secharden/tests/config_parser/parser/intersect/2.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/intersect/2.conf
rename to ccos/secharden/tests/config_parser/parser/intersect/2.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf b/ccos/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf
rename to ccos/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/override/1.conf b/ccos/secharden/tests/config_parser/parser/override/1.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/override/1.conf
rename to ccos/secharden/tests/config_parser/parser/override/1.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/override/2.conf b/ccos/secharden/tests/config_parser/parser/override/2.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/override/2.conf
rename to ccos/secharden/tests/config_parser/parser/override/2.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/single_file/secharden.conf b/ccos/secharden/tests/config_parser/parser/single_file/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/single_file/secharden.conf
rename to ccos/secharden/tests/config_parser/parser/single_file/secharden.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/wrong_file/secharden.conf b/ccos/secharden/tests/config_parser/parser/wrong_file/secharden.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/wrong_file/secharden.conf
rename to ccos/secharden/tests/config_parser/parser/wrong_file/secharden.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf b/ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf
rename to ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf b/ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf
rename to ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf
diff --git a/os-harden-tools/secharden/tests/config_parser/test_collection.py b/ccos/secharden/tests/config_parser/test_collection.py
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/test_collection.py
rename to ccos/secharden/tests/config_parser/test_collection.py
diff --git a/os-harden-tools/secharden/tests/config_parser/test_parser.py b/ccos/secharden/tests/config_parser/test_parser.py
similarity index 100%
rename from os-harden-tools/secharden/tests/config_parser/test_parser.py
rename to ccos/secharden/tests/config_parser/test_parser.py
diff --git a/os-harden-tools/secharden/tests/executor/__init__.py b/ccos/secharden/tests/executor/__init__.py
similarity index 100%
rename from os-harden-tools/secharden/tests/executor/__init__.py
rename to ccos/secharden/tests/executor/__init__.py
diff --git a/os-harden-tools/secharden/tests/executor/test_executor.py b/ccos/secharden/tests/executor/test_executor.py
similarity index 100%
rename from os-harden-tools/secharden/tests/executor/test_executor.py
rename to ccos/secharden/tests/executor/test_executor.py
diff --git a/os-harden-tools/secharden/tests/rules/__init__.py b/ccos/secharden/tests/rules/__init__.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/__init__.py
rename to ccos/secharden/tests/rules/__init__.py
diff --git a/os-harden-tools/secharden/tests/rules/converter_sample.py b/ccos/secharden/tests/rules/converter_sample.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/converter_sample.py
rename to ccos/secharden/tests/rules/converter_sample.py
diff --git a/os-harden-tools/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json b/ccos/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
rename to ccos/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/entry_in_path/metadata.json b/ccos/secharden/tests/rules/metadata/entry_in_path/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/entry_in_path/metadata.json
rename to ccos/secharden/tests/rules/metadata/entry_in_path/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/entry_not_file/metadata.json b/ccos/secharden/tests/rules/metadata/entry_not_file/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/entry_not_file/metadata.json
rename to ccos/secharden/tests/rules/metadata/entry_not_file/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/no_entry/metadata.json b/ccos/secharden/tests/rules/metadata/no_entry/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/no_entry/metadata.json
rename to ccos/secharden/tests/rules/metadata/no_entry/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/no_metadata/.gitkeep b/ccos/secharden/tests/rules/metadata/no_metadata/.gitkeep
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/no_metadata/.gitkeep
rename to ccos/secharden/tests/rules/metadata/no_metadata/.gitkeep
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/cmd_escape/metadata.json b/ccos/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json b/ccos/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json b/ccos/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json b/ccos/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/cmd_noid/metadata.json b/ccos/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json b/ccos/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/cmd_single/metadata.json b/ccos/secharden/tests/rules/metadata/param/cmd_single/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/cmd_single/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/cmd_single/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/param/no_converter/metadata.json b/ccos/secharden/tests/rules/metadata/param/no_converter/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/param/no_converter/metadata.json
rename to ccos/secharden/tests/rules/metadata/param/no_converter/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/valid/metadata.json b/ccos/secharden/tests/rules/metadata/valid/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/valid/metadata.json
rename to ccos/secharden/tests/rules/metadata/valid/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/metadata/valid_full/metadata.json b/ccos/secharden/tests/rules/metadata/valid_full/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/metadata/valid_full/metadata.json
rename to ccos/secharden/tests/rules/metadata/valid_full/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json b/ccos/secharden/tests/rules/ruleset/execution/categories.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/categories.json
rename to ccos/secharden/tests/rules/ruleset/execution/categories.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/entry.sh b/ccos/secharden/tests/rules/ruleset/execution/test.01/entry.sh
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/entry.sh
rename to ccos/secharden/tests/rules/ruleset/execution/test.01/entry.sh
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/metadata.json b/ccos/secharden/tests/rules/ruleset/execution/test.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.01/metadata.json
rename to ccos/secharden/tests/rules/ruleset/execution/test.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/entry.sh b/ccos/secharden/tests/rules/ruleset/execution/test.02/entry.sh
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/entry.sh
rename to ccos/secharden/tests/rules/ruleset/execution/test.02/entry.sh
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/metadata.json b/ccos/secharden/tests/rules/ruleset/execution/test.02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.02/metadata.json
rename to ccos/secharden/tests/rules/ruleset/execution/test.02/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/entry.sh b/ccos/secharden/tests/rules/ruleset/execution/test.03/entry.sh
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/entry.sh
rename to ccos/secharden/tests/rules/ruleset/execution/test.03/entry.sh
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/metadata.json b/ccos/secharden/tests/rules/ruleset/execution/test.03/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.03/metadata.json
rename to ccos/secharden/tests/rules/ruleset/execution/test.03/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/entry.sh b/ccos/secharden/tests/rules/ruleset/execution/test.04/entry.sh
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/entry.sh
rename to ccos/secharden/tests/rules/ruleset/execution/test.04/entry.sh
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/metadata.json b/ccos/secharden/tests/rules/ruleset/execution/test.04/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/execution/test.04/metadata.json
rename to ccos/secharden/tests/rules/ruleset/execution/test.04/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json b/ccos/secharden/tests/rules/ruleset/naming/categories.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/categories.json
rename to ccos/secharden/tests/rules/ruleset/naming/categories.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json b/ccos/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
rename to ccos/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json b/ccos/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
rename to ccos/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep b/ccos/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
rename to ccos/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/notdir.01 b/ccos/secharden/tests/rules/ruleset/naming/notdir.01
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/notdir.01
rename to ccos/secharden/tests/rules/ruleset/naming/notdir.01
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/test-02/metadata.json b/ccos/secharden/tests/rules/ruleset/naming/test-02/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/test-02/metadata.json
rename to ccos/secharden/tests/rules/ruleset/naming/test-02/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/test.00/metadata.json b/ccos/secharden/tests/rules/ruleset/naming/test.00/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/test.00/metadata.json
rename to ccos/secharden/tests/rules/ruleset/naming/test.00/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/test.01/metadata.json b/ccos/secharden/tests/rules/ruleset/naming/test.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/test.01/metadata.json
rename to ccos/secharden/tests/rules/ruleset/naming/test.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/test.o3/metadata.json b/ccos/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
rename to ccos/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/naming/test1.01/metadata.json b/ccos/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
rename to ccos/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/no_categories/.gitkeep b/ccos/secharden/tests/rules/ruleset/no_categories/.gitkeep
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/no_categories/.gitkeep
rename to ccos/secharden/tests/rules/ruleset/no_categories/.gitkeep
diff --git a/os-harden-tools/secharden/tests/rules/ruleset/not_a_dir b/ccos/secharden/tests/rules/ruleset/not_a_dir
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/ruleset/not_a_dir
rename to ccos/secharden/tests/rules/ruleset/not_a_dir
diff --git a/os-harden-tools/secharden/tests/rules/test_cmd.py b/ccos/secharden/tests/rules/test_cmd.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/test_cmd.py
rename to ccos/secharden/tests/rules/test_cmd.py
diff --git a/os-harden-tools/secharden/tests/rules/test_converter.py b/ccos/secharden/tests/rules/test_converter.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/test_converter.py
rename to ccos/secharden/tests/rules/test_converter.py
diff --git a/os-harden-tools/secharden/tests/rules/test_metadata.py b/ccos/secharden/tests/rules/test_metadata.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/test_metadata.py
rename to ccos/secharden/tests/rules/test_metadata.py
diff --git a/os-harden-tools/secharden/tests/rules/test_param.py b/ccos/secharden/tests/rules/test_param.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/test_param.py
rename to ccos/secharden/tests/rules/test_param.py
diff --git a/os-harden-tools/secharden/tests/rules/test_rulemanager.py b/ccos/secharden/tests/rules/test_rulemanager.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/test_rulemanager.py
rename to ccos/secharden/tests/rules/test_rulemanager.py
diff --git a/os-harden-tools/secharden/tests/rules/test_schema.py b/ccos/secharden/tests/rules/test_schema.py
similarity index 100%
rename from os-harden-tools/secharden/tests/rules/test_schema.py
rename to ccos/secharden/tests/rules/test_schema.py
diff --git a/os-harden-tools/secharden/uv.lock b/ccos/secharden/uv.lock
similarity index 100%
rename from os-harden-tools/secharden/uv.lock
rename to ccos/secharden/uv.lock
-- 
Gitee

From 5d6d599bc2c95a5d60a523d42af9d273b38e3e36 Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Fri, 1 Aug 2025 11:37:49 +0800
Subject: [PATCH 091/109] change name

---
 ccos/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ccos/README.md b/ccos/README.md
index f9c14cc..b9c7be0 100644
--- a/ccos/README.md
+++ b/ccos/README.md
@@ -1,4 +1,4 @@
-# OS 加固配置指南
+# 安全 OS 加固配置指南
 本指南提供了在 OpenEuler 操作系统上进行安全加固的工具和方法。它包括了对系统配置的建议和自动化脚本,旨在帮助用户提高系统的安全性。
-- 
Gitee

From e5b7b7697e62118ef0f9cf2f2a161b64829b532b Mon Sep 17 00:00:00 2001
From: Tomahawkd Date: Fri, 1 Aug 2025 12:32:44 +0800 Subject: [PATCH 092/109] add license --- ccos/secharden/src/secharden/__init__.py | 9 +++++++++ ccos/secharden/src/secharden/config_parser.py | 10 ++++++++++ ccos/secharden/src/secharden/devtools/gendoc.py | 10 +++++++++- ccos/secharden/src/secharden/executor.py | 13 +++++++++++++ .../src/secharden/rule_metadata/__init__.py | 12 +++++++++++- .../secharden/rule_metadata/converters/__init__.py | 12 +++++++++++- .../secharden/rule_metadata/converters/file_list.py | 11 +++++++++++ .../src/secharden/rule_metadata/manager.py | 10 ++++++++++ .../src/secharden/rule_metadata/metadata.py | 10 ++++++++++ ccos/secharden/src/secharden/secharden.py | 10 +++++++++- ccos/secharden/src/secharden/utils.py | 12 +++++++++++- ccos/secharden/tests/cmd/__init__.py | 9 +++++++++ ccos/secharden/tests/cmd/test_gendoc.py | 11 ++++++++++- ccos/secharden/tests/cmd/test_main.py | 11 ++++++++++- ccos/secharden/tests/config_parser/__init__.py | 9 +++++++++ .../tests/config_parser/test_collection.py | 13 ++++++++++++- ccos/secharden/tests/config_parser/test_parser.py | 11 +++++++++++ ccos/secharden/tests/executor/__init__.py | 9 +++++++++ ccos/secharden/tests/executor/test_executor.py | 10 ++++++++++ ccos/secharden/tests/rules/__init__.py | 12 +++++++++++- ccos/secharden/tests/rules/converter_sample.py | 11 +++++++++++ ccos/secharden/tests/rules/test_cmd.py | 10 ++++++++++ ccos/secharden/tests/rules/test_converter.py | 10 ++++++++++ ccos/secharden/tests/rules/test_metadata.py | 10 ++++++++++ ccos/secharden/tests/rules/test_param.py | 10 ++++++++++ ccos/secharden/tests/rules/test_rulemanager.py | 10 ++++++++++ ccos/secharden/tests/rules/test_schema.py | 12 +++++++++++- 27 files changed, 277 insertions(+), 10 deletions(-) create mode 100644 ccos/secharden/tests/cmd/__init__.py diff --git a/ccos/secharden/src/secharden/__init__.py b/ccos/secharden/src/secharden/__init__.py index e69de29..73f4bd1 100644 --- a/ccos/secharden/src/secharden/__init__.py 
+++ b/ccos/secharden/src/secharden/__init__.py
@@ -0,0 +1,9 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
diff --git a/ccos/secharden/src/secharden/config_parser.py b/ccos/secharden/src/secharden/config_parser.py
index 52b7631..2bbfbf7 100644
--- a/ccos/secharden/src/secharden/config_parser.py
+++ b/ccos/secharden/src/secharden/config_parser.py
@@ -1,3 +1,13 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
 import logging
 from pathlib import Path
 from typing import Dict, List, Any
diff --git a/ccos/secharden/src/secharden/devtools/gendoc.py b/ccos/secharden/src/secharden/devtools/gendoc.py
index f59e418..3a991e0 100644
--- a/ccos/secharden/src/secharden/devtools/gendoc.py
+++ b/ccos/secharden/src/secharden/devtools/gendoc.py
@@ -1,4 +1,12 @@ -#!/usr/bin/python3 +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. import argparse import logging diff --git a/ccos/secharden/src/secharden/executor.py b/ccos/secharden/src/secharden/executor.py index a3b1348..6dc0854 100644 --- a/ccos/secharden/src/secharden/executor.py +++ b/ccos/secharden/src/secharden/executor.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path from typing import Dict, List @@ -8,6 +18,7 @@ class CmdTemplate: """ A class to parse a command template and extract variable indexes. """ + def __init__(self, template: str): """ Initializes the CmdTemplate with a command template string. @@ -59,6 +70,7 @@ class CmdParameter: A class to hold command parameters and environment variables. It uses a CmdTemplate to manage command templates and allows adding variables and environment variables. """ + def __init__(self, template: CmdTemplate): """ Initializes the CmdParameter with a CmdTemplate. 
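Review bot: The shebang `#!/usr/bin/python3` is removed rather than kept above the new license block, so `gendoc.py` stops being directly executable by path; the same replacement appears in the `ccos/secharden/src/secharden/secharden.py` hunk of this commit. If both modules are only reached through a packaged entry point this is harmless, but the diff does not show that, and a license header conventionally follows the interpreter line rather than displacing it. Keep `#!/usr/bin/python3` as line 1 and start the `# Copyright ...` block on line 2. The header also states that `secGear` is the licensed project; if this `ccos/secharden` tree is not distributed as part of secGear, that line should name this project instead.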
@@ -118,6 +130,7 @@ class CmdExecutor: A class to execute commands using a command template and parameters. It allows adding arguments and environment variables, and runs the command in a subprocess. """ + def __init__(self, entry: Path): """ Initializes the CmdExecutor with a command entry point. diff --git a/ccos/secharden/src/secharden/rule_metadata/__init__.py b/ccos/secharden/src/secharden/rule_metadata/__init__.py index e98ed97..22095bd 100644 --- a/ccos/secharden/src/secharden/rule_metadata/__init__.py +++ b/ccos/secharden/src/secharden/rule_metadata/__init__.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from secharden.rule_metadata.metadata import RuleMetadata, RuleParameter, ConfigConverter, ConverterManager from secharden.rule_metadata.manager import RuleManager -import secharden.rule_metadata.converters \ No newline at end of file +import secharden.rule_metadata.converters diff --git a/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py b/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py index b3c6a38..9dbcefa 100644 --- a/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py +++ b/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py 
@@ -1 +1,11 @@ -from secharden.rule_metadata.converters.file_list import FileListConverter \ No newline at end of file +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +from secharden.rule_metadata.converters.file_list import FileListConverter diff --git a/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py b/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py index 9c5ff25..017f9df 100644 --- a/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py +++ b/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from tempfile import NamedTemporaryFile import os from secharden.executor import CmdParameter @@ -8,6 +18,7 @@ class FileListConverter(ConfigConverter): """ Converts a list of files into a temporary file that can be used in command execution. """ + def __init__(self): super().__init__() self.temp_file = None 
diff --git a/ccos/secharden/src/secharden/rule_metadata/manager.py b/ccos/secharden/src/secharden/rule_metadata/manager.py
index 00d5b62..7a7ddd2 100644
--- a/ccos/secharden/src/secharden/rule_metadata/manager.py
+++ b/ccos/secharden/src/secharden/rule_metadata/manager.py
@@ -1,3 +1,13 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
 import logging
 from pathlib import Path
 from typing import List, Dict, Any
diff --git a/ccos/secharden/src/secharden/rule_metadata/metadata.py b/ccos/secharden/src/secharden/rule_metadata/metadata.py
index cf8330f..58c1ac4 100644
--- a/ccos/secharden/src/secharden/rule_metadata/metadata.py
+++ b/ccos/secharden/src/secharden/rule_metadata/metadata.py
@@ -1,3 +1,13 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
 import abc
 import logging
 import os
diff --git a/ccos/secharden/src/secharden/secharden.py b/ccos/secharden/src/secharden/secharden.py
index cd6bc13..c8bd697 100644
--- a/ccos/secharden/src/secharden/secharden.py
+++ b/ccos/secharden/src/secharden/secharden.py @@ -1,4 +1,12 @@ -#!/usr/bin/python3 +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. import argparse import logging diff --git a/ccos/secharden/src/secharden/utils.py b/ccos/secharden/src/secharden/utils.py index c5d98c5..88dd186 100644 --- a/ccos/secharden/src/secharden/utils.py +++ b/ccos/secharden/src/secharden/utils.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + import argparse import json from pathlib import Path @@ -24,4 +34,4 @@ class DirectoryPathVerifier(argparse.Action): raise argparse.ArgumentTypeError(f"Directory '{values}' does not exist.") if not p.is_dir(): raise argparse.ArgumentTypeError(f"'{values}' is not a directory.") - setattr(namespace, self.dest, p) \ No newline at end of file + setattr(namespace, self.dest, p) diff --git a/ccos/secharden/tests/cmd/__init__.py b/ccos/secharden/tests/cmd/__init__.py new file mode 100644 index 0000000..73f4bd1 --- /dev/null 
+++ b/ccos/secharden/tests/cmd/__init__.py @@ -0,0 +1,9 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. diff --git a/ccos/secharden/tests/cmd/test_gendoc.py b/ccos/secharden/tests/cmd/test_gendoc.py index 628733e..f1ba79c 100644 --- a/ccos/secharden/tests/cmd/test_gendoc.py +++ b/ccos/secharden/tests/cmd/test_gendoc.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + import logging import shutil import tempfile @@ -6,7 +16,6 @@ from pathlib import Path import pytest import secharden.devtools.gendoc as gendoc -from secharden.rule_metadata import RuleMetadata, RuleManager class TestMainCmd: diff --git a/ccos/secharden/tests/cmd/test_main.py b/ccos/secharden/tests/cmd/test_main.py index eafee7c..0eca36b 100644 --- a/ccos/secharden/tests/cmd/test_main.py +++ b/ccos/secharden/tests/cmd/test_main.py 
@@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + import logging import tempfile from pathlib import Path @@ -39,7 +49,6 @@ class TestMainCmd: assert out == "Category 'test2' not found.\n" assert "Category 'test2' not found" in caplog.text - def test_help_category(self, capsys, rule_path): assert secharden.main(["-r", str(rule_path), "help", "test"]) == 0 out, _ = capsys.readouterr() diff --git a/ccos/secharden/tests/config_parser/__init__.py b/ccos/secharden/tests/config_parser/__init__.py index e69de29..73f4bd1 100644 --- a/ccos/secharden/tests/config_parser/__init__.py +++ b/ccos/secharden/tests/config_parser/__init__.py @@ -0,0 +1,9 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. diff --git a/ccos/secharden/tests/config_parser/test_collection.py b/ccos/secharden/tests/config_parser/test_collection.py index e55cec2..b6a01b5 100644 --- a/ccos/secharden/tests/config_parser/test_collection.py +++ b/ccos/secharden/tests/config_parser/test_collection.py 
@@ -1,9 +1,20 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path import pytest from secharden.config_parser import collect_configs + class TestConfigCollector: @pytest.fixture def config_test_path(self, request): @@ -33,4 +44,4 @@ class TestConfigCollector: def test_collection_wrong_name(self, config_test_path): p = collect_configs(config_test_path.joinpath("collection_wrong_name")) assert len(p) == 1 - assert p[0].name == "secharden.conf" \ No newline at end of file + assert p[0].name == "secharden.conf" diff --git a/ccos/secharden/tests/config_parser/test_parser.py b/ccos/secharden/tests/config_parser/test_parser.py index 5c10e78..b689a4f 100644 --- a/ccos/secharden/tests/config_parser/test_parser.py +++ b/ccos/secharden/tests/config_parser/test_parser.py 
@@ -1,9 +1,20 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path import pytest from secharden.config_parser import parse_config + class TestConfigParser: @pytest.fixture def config_test_path(self, request): diff --git a/ccos/secharden/tests/executor/__init__.py b/ccos/secharden/tests/executor/__init__.py index e69de29..73f4bd1 100644 --- a/ccos/secharden/tests/executor/__init__.py +++ b/ccos/secharden/tests/executor/__init__.py @@ -0,0 +1,9 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. diff --git a/ccos/secharden/tests/executor/test_executor.py b/ccos/secharden/tests/executor/test_executor.py index 0871890..ac3bb07 100644 --- a/ccos/secharden/tests/executor/test_executor.py +++ b/ccos/secharden/tests/executor/test_executor.py 
@@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path import pytest diff --git a/ccos/secharden/tests/rules/__init__.py b/ccos/secharden/tests/rules/__init__.py index 669a9e5..45ca4f5 100644 --- a/ccos/secharden/tests/rules/__init__.py +++ b/ccos/secharden/tests/rules/__init__.py @@ -1 +1,11 @@ -from rules.converter_sample import TestConverter \ No newline at end of file +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +from rules.converter_sample import TestConverter diff --git a/ccos/secharden/tests/rules/converter_sample.py b/ccos/secharden/tests/rules/converter_sample.py index 4107c44..e6ce1d2 100644 --- a/ccos/secharden/tests/rules/converter_sample.py +++ b/ccos/secharden/tests/rules/converter_sample.py 
@@ -1,6 +1,17 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from secharden.rule_metadata import ConfigConverter, RuleParameter from secharden.executor import CmdParameter + class TestConverter(ConfigConverter): def __init__(self): super().__init__() diff --git a/ccos/secharden/tests/rules/test_cmd.py b/ccos/secharden/tests/rules/test_cmd.py index e9a42ed..1707de8 100644 --- a/ccos/secharden/tests/rules/test_cmd.py +++ b/ccos/secharden/tests/rules/test_cmd.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path import pytest diff --git a/ccos/secharden/tests/rules/test_converter.py b/ccos/secharden/tests/rules/test_converter.py index 5096005..330bc35 100644 --- a/ccos/secharden/tests/rules/test_converter.py +++ b/ccos/secharden/tests/rules/test_converter.py 
@@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path import pytest diff --git a/ccos/secharden/tests/rules/test_metadata.py b/ccos/secharden/tests/rules/test_metadata.py index 7f54f7d..b3984dc 100644 --- a/ccos/secharden/tests/rules/test_metadata.py +++ b/ccos/secharden/tests/rules/test_metadata.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path import pytest diff --git a/ccos/secharden/tests/rules/test_param.py b/ccos/secharden/tests/rules/test_param.py index 9fce0e7..9a4fc53 100644 --- a/ccos/secharden/tests/rules/test_param.py +++ b/ccos/secharden/tests/rules/test_param.py 
@@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + from pathlib import Path import pytest diff --git a/ccos/secharden/tests/rules/test_rulemanager.py b/ccos/secharden/tests/rules/test_rulemanager.py index 8498f0a..0d66423 100644 --- a/ccos/secharden/tests/rules/test_rulemanager.py +++ b/ccos/secharden/tests/rules/test_rulemanager.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + import logging from pathlib import Path diff --git a/ccos/secharden/tests/rules/test_schema.py b/ccos/secharden/tests/rules/test_schema.py index 2794e64..f4d9061 100644 --- a/ccos/secharden/tests/rules/test_schema.py +++ b/ccos/secharden/tests/rules/test_schema.py 
@@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + import jsonschema import pytest @@ -209,4 +219,4 @@ class TestSchema: "urls": [ ] } - jsonschema.validate(empty_arr, schema) \ No newline at end of file + jsonschema.validate(empty_arr, schema) -- Gitee From 3267ad1b1fb53964131399a4fd029520af4ff5ab Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Fri, 1 Aug 2025 12:37:58 +0800 Subject: [PATCH 093/109] move dir --- ccos/secharden/tests/{cmd => tool_entry}/__init__.py | 0 ccos/secharden/tests/{cmd => tool_entry}/conf/secharden.conf | 0 .../tests/{cmd => tool_entry}/rule_not_found/secharden.conf | 0 ccos/secharden/tests/{cmd => tool_entry}/ruleset/categories.json | 0 ccos/secharden/tests/{cmd => tool_entry}/ruleset/test.01/entry.sh | 0 .../tests/{cmd => tool_entry}/ruleset/test.01/metadata.json | 0 .../secharden/tests/{cmd => tool_entry}/ruleset/test1.01/entry.sh | 0 .../tests/{cmd => tool_entry}/ruleset/test1.01/metadata.json | 0 ccos/secharden/tests/{cmd => tool_entry}/test_gendoc.py | 0 ccos/secharden/tests/{cmd => tool_entry}/test_main.py | 0 10 files changed, 0 insertions(+), 0 deletions(-) rename ccos/secharden/tests/{cmd => tool_entry}/__init__.py (100%) rename ccos/secharden/tests/{cmd => tool_entry}/conf/secharden.conf (100%) rename ccos/secharden/tests/{cmd => tool_entry}/rule_not_found/secharden.conf (100%) rename ccos/secharden/tests/{cmd => tool_entry}/ruleset/categories.json (100%) rename ccos/secharden/tests/{cmd => tool_entry}/ruleset/test.01/entry.sh (100%) rename ccos/secharden/tests/{cmd => tool_entry}/ruleset/test.01/metadata.json (100%) rename ccos/secharden/tests/{cmd => tool_entry}/ruleset/test1.01/entry.sh (100%) rename ccos/secharden/tests/{cmd => tool_entry}/ruleset/test1.01/metadata.json (100%) rename ccos/secharden/tests/{cmd => tool_entry}/test_gendoc.py (100%) rename ccos/secharden/tests/{cmd => tool_entry}/test_main.py (100%) diff --git a/ccos/secharden/tests/cmd/__init__.py b/ccos/secharden/tests/tool_entry/__init__.py similarity index 100% rename from ccos/secharden/tests/cmd/__init__.py rename to ccos/secharden/tests/tool_entry/__init__.py 
diff --git a/ccos/secharden/tests/cmd/conf/secharden.conf b/ccos/secharden/tests/tool_entry/conf/secharden.conf similarity index 100% rename from ccos/secharden/tests/cmd/conf/secharden.conf rename to ccos/secharden/tests/tool_entry/conf/secharden.conf diff --git a/ccos/secharden/tests/cmd/rule_not_found/secharden.conf b/ccos/secharden/tests/tool_entry/rule_not_found/secharden.conf similarity index 100% rename from ccos/secharden/tests/cmd/rule_not_found/secharden.conf rename to ccos/secharden/tests/tool_entry/rule_not_found/secharden.conf diff --git a/ccos/secharden/tests/cmd/ruleset/categories.json b/ccos/secharden/tests/tool_entry/ruleset/categories.json similarity index 100% rename from ccos/secharden/tests/cmd/ruleset/categories.json rename to ccos/secharden/tests/tool_entry/ruleset/categories.json diff --git a/ccos/secharden/tests/cmd/ruleset/test.01/entry.sh b/ccos/secharden/tests/tool_entry/ruleset/test.01/entry.sh similarity index 100% rename from ccos/secharden/tests/cmd/ruleset/test.01/entry.sh rename to ccos/secharden/tests/tool_entry/ruleset/test.01/entry.sh diff --git a/ccos/secharden/tests/cmd/ruleset/test.01/metadata.json b/ccos/secharden/tests/tool_entry/ruleset/test.01/metadata.json similarity index 100% rename from ccos/secharden/tests/cmd/ruleset/test.01/metadata.json rename to ccos/secharden/tests/tool_entry/ruleset/test.01/metadata.json diff --git a/ccos/secharden/tests/cmd/ruleset/test1.01/entry.sh b/ccos/secharden/tests/tool_entry/ruleset/test1.01/entry.sh similarity index 100% rename from ccos/secharden/tests/cmd/ruleset/test1.01/entry.sh rename to ccos/secharden/tests/tool_entry/ruleset/test1.01/entry.sh diff --git a/ccos/secharden/tests/cmd/ruleset/test1.01/metadata.json b/ccos/secharden/tests/tool_entry/ruleset/test1.01/metadata.json similarity index 100% rename from ccos/secharden/tests/cmd/ruleset/test1.01/metadata.json rename to ccos/secharden/tests/tool_entry/ruleset/test1.01/metadata.json 
diff --git a/ccos/secharden/tests/cmd/test_gendoc.py b/ccos/secharden/tests/tool_entry/test_gendoc.py similarity index 100% rename from ccos/secharden/tests/cmd/test_gendoc.py rename to ccos/secharden/tests/tool_entry/test_gendoc.py diff --git a/ccos/secharden/tests/cmd/test_main.py b/ccos/secharden/tests/tool_entry/test_main.py similarity index 100% rename from ccos/secharden/tests/cmd/test_main.py rename to ccos/secharden/tests/tool_entry/test_main.py -- Gitee From 4b1737f394357572694c596ecfbe9e231f556bc7 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Fri, 1 Aug 2025 14:07:07 +0800 Subject: [PATCH 094/109] add dim install hint --- ccos/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ccos/README.md b/ccos/README.md index b9c7be0..26b0771 100644 --- a/ccos/README.md +++ b/ccos/README.md @@ -137,6 +137,11 @@ int.01: int.02: ``` +> 注意:int.02 规则依赖 dim 模块,用户需要使用以下命令安装 dim 模块: +> ```shell +> sudo yum install dim dim_tools +> ``` + 规则 int.03 可通过以下几个步骤完成本节全栈完整性加固操作: 1. IMA 标签设置 -- Gitee From 8ab1d92321089511b6b12bf99a60ec9e907f4464 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Fri, 1 Aug 2025 14:19:32 +0800 Subject: [PATCH 095/109] change year --- ccos/secharden/src/secharden/__init__.py | 2 +- ccos/secharden/src/secharden/config_parser.py | 2 +- ccos/secharden/src/secharden/devtools/gendoc.py | 2 +- ccos/secharden/src/secharden/executor.py | 2 +- ccos/secharden/src/secharden/rule_metadata/__init__.py | 2 +- .../src/secharden/rule_metadata/converters/__init__.py | 2 +- .../src/secharden/rule_metadata/converters/file_list.py | 2 +- ccos/secharden/src/secharden/rule_metadata/manager.py | 2 +- ccos/secharden/src/secharden/rule_metadata/metadata.py | 2 +- ccos/secharden/src/secharden/secharden.py | 2 +- ccos/secharden/src/secharden/utils.py | 2 +- ccos/secharden/tests/config_parser/__init__.py | 2 +- ccos/secharden/tests/config_parser/test_collection.py | 2 +- ccos/secharden/tests/config_parser/test_parser.py | 2 +- ccos/secharden/tests/executor/__init__.py | 2 +- ccos/secharden/tests/executor/test_executor.py | 2 +- ccos/secharden/tests/rules/__init__.py | 2 +- ccos/secharden/tests/rules/converter_sample.py | 2 +- ccos/secharden/tests/rules/test_cmd.py | 2 +- ccos/secharden/tests/rules/test_converter.py | 2 +- ccos/secharden/tests/rules/test_metadata.py | 2 +- ccos/secharden/tests/rules/test_param.py | 2 +- ccos/secharden/tests/rules/test_rulemanager.py | 2 +- ccos/secharden/tests/rules/test_schema.py | 2 +- ccos/secharden/tests/tool_entry/__init__.py | 2 +- ccos/secharden/tests/tool_entry/test_gendoc.py | 2 +- ccos/secharden/tests/tool_entry/test_main.py | 2 +- 27 files changed, 27 insertions(+), 27 deletions(-) diff --git a/ccos/secharden/src/secharden/__init__.py b/ccos/secharden/src/secharden/__init__.py index 73f4bd1..b8da5e6 100644 --- a/ccos/secharden/src/secharden/__init__.py +++ b/ccos/secharden/src/secharden/__init__.py 
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/config_parser.py b/ccos/secharden/src/secharden/config_parser.py
index 2bbfbf7..553af41 100644
--- a/ccos/secharden/src/secharden/config_parser.py
+++ b/ccos/secharden/src/secharden/config_parser.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/devtools/gendoc.py b/ccos/secharden/src/secharden/devtools/gendoc.py
index 3a991e0..8433579 100644
--- a/ccos/secharden/src/secharden/devtools/gendoc.py
+++ b/ccos/secharden/src/secharden/devtools/gendoc.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/executor.py b/ccos/secharden/src/secharden/executor.py
index 6dc0854..c5c4103 100644
--- a/ccos/secharden/src/secharden/executor.py
+++ b/ccos/secharden/src/secharden/executor.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/rule_metadata/__init__.py b/ccos/secharden/src/secharden/rule_metadata/__init__.py
index 22095bd..addfd6c 100644
--- a/ccos/secharden/src/secharden/rule_metadata/__init__.py
+++ b/ccos/secharden/src/secharden/rule_metadata/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py b/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py
index 9dbcefa..2900c4a 100644
--- a/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py
+++ b/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py b/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py
index 017f9df..8823e49 100644
--- a/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py
+++ b/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/rule_metadata/manager.py b/ccos/secharden/src/secharden/rule_metadata/manager.py
index 7a7ddd2..5c52b0a 100644
--- a/ccos/secharden/src/secharden/rule_metadata/manager.py
+++ b/ccos/secharden/src/secharden/rule_metadata/manager.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/rule_metadata/metadata.py b/ccos/secharden/src/secharden/rule_metadata/metadata.py
index 58c1ac4..e5f5411 100644
--- a/ccos/secharden/src/secharden/rule_metadata/metadata.py
+++ b/ccos/secharden/src/secharden/rule_metadata/metadata.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/secharden.py b/ccos/secharden/src/secharden/secharden.py
index c8bd697..d513ae8 100644
--- a/ccos/secharden/src/secharden/secharden.py
+++ b/ccos/secharden/src/secharden/secharden.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/src/secharden/utils.py b/ccos/secharden/src/secharden/utils.py
index 88dd186..e3f23d7 100644
--- a/ccos/secharden/src/secharden/utils.py
+++ b/ccos/secharden/src/secharden/utils.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/config_parser/__init__.py b/ccos/secharden/tests/config_parser/__init__.py
index 73f4bd1..b8da5e6 100644
--- a/ccos/secharden/tests/config_parser/__init__.py
+++ b/ccos/secharden/tests/config_parser/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/config_parser/test_collection.py b/ccos/secharden/tests/config_parser/test_collection.py
index b6a01b5..3a6725f 100644
--- a/ccos/secharden/tests/config_parser/test_collection.py
+++ b/ccos/secharden/tests/config_parser/test_collection.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/config_parser/test_parser.py b/ccos/secharden/tests/config_parser/test_parser.py
index b689a4f..ea74f2d 100644
--- a/ccos/secharden/tests/config_parser/test_parser.py
+++ b/ccos/secharden/tests/config_parser/test_parser.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/executor/__init__.py b/ccos/secharden/tests/executor/__init__.py
index 73f4bd1..b8da5e6 100644
--- a/ccos/secharden/tests/executor/__init__.py
+++ b/ccos/secharden/tests/executor/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/executor/test_executor.py b/ccos/secharden/tests/executor/test_executor.py
index ac3bb07..bba5034 100644
--- a/ccos/secharden/tests/executor/test_executor.py
+++ b/ccos/secharden/tests/executor/test_executor.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/__init__.py b/ccos/secharden/tests/rules/__init__.py
index 45ca4f5..3bc9a77 100644
--- a/ccos/secharden/tests/rules/__init__.py
+++ b/ccos/secharden/tests/rules/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/converter_sample.py b/ccos/secharden/tests/rules/converter_sample.py
index e6ce1d2..3a69799 100644
--- a/ccos/secharden/tests/rules/converter_sample.py
+++ b/ccos/secharden/tests/rules/converter_sample.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/test_cmd.py b/ccos/secharden/tests/rules/test_cmd.py
index 1707de8..961dfc0 100644
--- a/ccos/secharden/tests/rules/test_cmd.py
+++ b/ccos/secharden/tests/rules/test_cmd.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/test_converter.py b/ccos/secharden/tests/rules/test_converter.py
index 330bc35..e196890 100644
--- a/ccos/secharden/tests/rules/test_converter.py
+++ b/ccos/secharden/tests/rules/test_converter.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/test_metadata.py b/ccos/secharden/tests/rules/test_metadata.py
index b3984dc..1239393 100644
--- a/ccos/secharden/tests/rules/test_metadata.py
+++ b/ccos/secharden/tests/rules/test_metadata.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/test_param.py b/ccos/secharden/tests/rules/test_param.py
index 9a4fc53..f512a0f 100644
--- a/ccos/secharden/tests/rules/test_param.py
+++ b/ccos/secharden/tests/rules/test_param.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/test_rulemanager.py b/ccos/secharden/tests/rules/test_rulemanager.py
index 0d66423..6ab4806 100644
--- a/ccos/secharden/tests/rules/test_rulemanager.py
+++ b/ccos/secharden/tests/rules/test_rulemanager.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/rules/test_schema.py b/ccos/secharden/tests/rules/test_schema.py
index f4d9061..6a5c55a 100644
--- a/ccos/secharden/tests/rules/test_schema.py
+++ b/ccos/secharden/tests/rules/test_schema.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/tool_entry/__init__.py b/ccos/secharden/tests/tool_entry/__init__.py
index 73f4bd1..b8da5e6 100644
--- a/ccos/secharden/tests/tool_entry/__init__.py
+++ b/ccos/secharden/tests/tool_entry/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/tool_entry/test_gendoc.py b/ccos/secharden/tests/tool_entry/test_gendoc.py
index f1ba79c..5b7ee53 100644
--- a/ccos/secharden/tests/tool_entry/test_gendoc.py
+++ b/ccos/secharden/tests/tool_entry/test_gendoc.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
diff --git a/ccos/secharden/tests/tool_entry/test_main.py b/ccos/secharden/tests/tool_entry/test_main.py
index 0eca36b..bc8dc35 100644
--- a/ccos/secharden/tests/tool_entry/test_main.py
+++ b/ccos/secharden/tests/tool_entry/test_main.py
@@ -1,4 +1,4 @@
-# Copyright (c) Huawei Technologies Co., Ltd. 2020. All rights reserved.
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
 # secGear is licensed under the Mulan PSL v2.
 # You can use this software according to the terms and conditions of the Mulan PSL v2.
 # You may obtain a copy of Mulan PSL v2 at:
-- 
Gitee
From b4c1dbe24b119eb8ce09d31c1da260dfc776f3d2 Mon Sep 17 00:00:00 2001
From: Tomahawkd Date: Fri, 1 Aug 2025 17:26:44 +0800 Subject: [PATCH 096/109] rename dir --- {ccos => secTools}/.gitignore | 0 {ccos => secTools}/README.md | 0 {ccos => secTools}/conf/secharden.conf | 0 {ccos => secTools}/docs/README.md | 0 {ccos => secTools}/docs/normal.xml | 0 {ccos => secTools}/docs/openeuler_defconfig | 0 {ccos => secTools}/os-harden-tools.spec | 0 {ccos => secTools}/secharden/DEVELOPMENT.md | 0 {ccos => secTools}/secharden/MANIFEST.in | 0 {ccos => secTools}/secharden/README.md | 0 {ccos => secTools}/secharden/pyproject.toml | 0 {ccos => secTools}/secharden/src/secharden/VERSION | 0 {ccos => secTools}/secharden/src/secharden/__init__.py | 0 {ccos => secTools}/secharden/src/secharden/config_parser.py | 0 {ccos => secTools}/secharden/src/secharden/devtools/gendoc.py | 0 {ccos => secTools}/secharden/src/secharden/executor.py | 0 .../secharden/src/secharden/rule_metadata/__init__.py | 0 .../secharden/src/secharden/rule_metadata/converters/__init__.py | 0 .../secharden/src/secharden/rule_metadata/converters/file_list.py | 0 .../secharden/src/secharden/rule_metadata/manager.py | 0 .../secharden/src/secharden/rule_metadata/metadata.py | 0 .../secharden/src/secharden/schema/categories.schema.json | 0 .../secharden/src/secharden/schema/metadata.schema.json | 0 {ccos => secTools}/secharden/src/secharden/secharden.py | 0 {ccos => secTools}/secharden/src/secharden/tools/README.md | 0 {ccos => secTools}/secharden/src/secharden/tools/categories.json | 0 .../src/secharden/tools/int.01/enable_kernel_module_sign.sh | 0 .../secharden/src/secharden/tools/int.01/metadata.json | 0 .../secharden/src/secharden/tools/int.02/enforce_dim.sh | 0 .../secharden/src/secharden/tools/int.02/metadata.json | 0 .../secharden/src/secharden/tools/int.03/enforce_ima.sh | 0 .../secharden/src/secharden/tools/int.03/metadata.json | 0 .../src/secharden/tools/kern.01/enable_bpf_jit_harden.sh | 0 .../secharden/src/secharden/tools/kern.01/metadata.json | 0 
.../secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh | 0 .../secharden/src/secharden/tools/kern.02/metadata.json | 0 .../secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh | 0 .../secharden/src/secharden/tools/kern.03/metadata.json | 0 .../secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh | 0 .../secharden/src/secharden/tools/login.01/metadata.json | 0 .../tools/login.02/disable_ssh_permit_user_environment.sh | 0 .../secharden/src/secharden/tools/login.02/metadata.json | 0 .../src/secharden/tools/login.03/disable_ssh_root_login.sh | 0 .../secharden/src/secharden/tools/login.03/metadata.json | 0 .../src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh | 0 .../secharden/src/secharden/tools/login.04/metadata.json | 0 .../src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh | 0 .../secharden/src/secharden/tools/login.05/metadata.json | 0 .../secharden/src/secharden/tools/login.06/disable_sysrq.sh | 0 .../secharden/src/secharden/tools/login.06/metadata.json | 0 .../src/secharden/tools/login.07/disable_tcp_timestamps.sh | 0 .../secharden/src/secharden/tools/login.07/metadata.json | 0 .../secharden/src/secharden/tools/login.08/metadata.json | 0 .../src/secharden/tools/login.08/set_ssh_max_auth_tries.sh | 0 .../src/secharden/tools/net.01/disable_accept_redirect.sh | 0 .../secharden/src/secharden/tools/net.01/metadata.json | 0 .../src/secharden/tools/net.02/disable_icmp_broadcast.sh | 0 .../secharden/src/secharden/tools/net.02/metadata.json | 0 .../secharden/src/secharden/tools/net.03/disable_ip_forward.sh | 0 .../secharden/src/secharden/tools/net.03/metadata.json | 0 .../secharden/src/secharden/tools/net.04/disable_proxy_arp.sh | 0 .../secharden/src/secharden/tools/net.04/metadata.json | 0 .../secharden/src/secharden/tools/net.05/disable_source_route.sh | 0 .../secharden/src/secharden/tools/net.05/metadata.json | 0 .../src/secharden/tools/net.06/drop_forge_icmp_package.sh | 0 
.../secharden/src/secharden/tools/net.06/metadata.json | 0 .../secharden/src/secharden/tools/net.07/enable_firewall.sh | 0 .../secharden/src/secharden/tools/net.07/metadata.json | 0 .../secharden/src/secharden/tools/net.08/enable_rp_filter.sh | 0 .../secharden/src/secharden/tools/net.08/metadata.json | 0 .../src/secharden/tools/net.09/enable_tcp_syn_cookies.sh | 0 .../secharden/src/secharden/tools/net.09/metadata.json | 0 .../secharden/src/secharden/tools/priv.01/metadata.json | 0 .../src/secharden/tools/priv.01/minimal_file_permission.sh | 0 .../secharden/src/secharden/tools/priv.02/metadata.json | 0 .../secharden/src/secharden/tools/priv.02/symlink_protection.sh | 0 .../secharden/src/secharden/tools/serv.01/enable_rsyslog.sh | 0 .../secharden/src/secharden/tools/serv.01/metadata.json | 0 .../src/secharden/tools/serv.02/enable_selinux_enforce.sh | 0 .../secharden/src/secharden/tools/serv.02/metadata.json | 0 .../secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh | 0 .../secharden/src/secharden/tools/sys.01/metadata.json | 0 .../secharden/src/secharden/tools/sys.02/disable_kexec.sh | 0 .../secharden/src/secharden/tools/sys.02/metadata.json | 0 .../secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh | 0 .../secharden/src/secharden/tools/sys.03/metadata.json | 0 .../secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh | 0 .../secharden/src/secharden/tools/sys.04/metadata.json | 0 .../src/secharden/tools/sys.05/disable_uncommon_network_module.sh | 0 .../secharden/src/secharden/tools/sys.05/metadata.json | 0 {ccos => secTools}/secharden/src/secharden/tools/utils.sh | 0 {ccos => secTools}/secharden/src/secharden/utils.py | 0 {ccos => secTools}/secharden/tests/config_parser/__init__.py | 0 .../config_parser/collection/collection_wrong_name/secharden.conf | 0 .../collection_wrong_name/secharden.conf.d/00-invalid_num.conf | 0 .../collection/collection_wrong_name/secharden.conf.d/nodash.conf | 0 
.../collection_wrong_name/secharden.conf.d/not-number.conf | 0 .../secharden/tests/config_parser/collection/empty/.gitkeep | 0 .../tests/config_parser/collection/full_collection/secharden.conf | 0 .../collection/full_collection/secharden.conf.d/01-test.conf | 0 .../collection/full_collection/secharden.conf.d/02-test2.conf | 0 .../collection/only_collection/secharden.conf.d/01-test.conf | 0 .../tests/config_parser/collection/single_file/secharden.conf | 0 .../secharden/tests/config_parser/parser/intersect/1.conf | 0 .../secharden/tests/config_parser/parser/intersect/2.conf | 0 .../tests/config_parser/parser/invalid_yaml/secharden.conf | 0 .../secharden/tests/config_parser/parser/override/1.conf | 0 .../secharden/tests/config_parser/parser/override/2.conf | 0 .../tests/config_parser/parser/single_file/secharden.conf | 0 .../tests/config_parser/parser/wrong_file/secharden.conf | 0 .../tests/config_parser/parser/wrong_file_in_collection/1.conf | 0 .../tests/config_parser/parser/wrong_file_in_collection/2.conf | 0 .../secharden/tests/config_parser/test_collection.py | 0 {ccos => secTools}/secharden/tests/config_parser/test_parser.py | 0 {ccos => secTools}/secharden/tests/executor/__init__.py | 0 {ccos => secTools}/secharden/tests/executor/test_executor.py | 0 {ccos => secTools}/secharden/tests/rules/__init__.py | 0 {ccos => secTools}/secharden/tests/rules/converter_sample.py | 0 .../tests/rules/metadata/directory_name_mismatch/metadata.json | 0 .../secharden/tests/rules/metadata/entry_in_path/metadata.json | 0 .../secharden/tests/rules/metadata/entry_not_file/metadata.json | 0 .../secharden/tests/rules/metadata/no_entry/metadata.json | 0 .../secharden/tests/rules/metadata/no_metadata/.gitkeep | 0 .../secharden/tests/rules/metadata/param/cmd_escape/metadata.json | 0 .../tests/rules/metadata/param/cmd_mismatch_id/metadata.json | 0 .../rules/metadata/param/cmd_multi_placeholder/metadata.json | 0 .../tests/rules/metadata/param/cmd_no_placeholder/metadata.json | 0 
.../secharden/tests/rules/metadata/param/cmd_noid/metadata.json | 0 .../tests/rules/metadata/param/cmd_placeholders/metadata.json | 0 .../secharden/tests/rules/metadata/param/cmd_single/metadata.json | 0 .../tests/rules/metadata/param/no_converter/metadata.json | 0 .../secharden/tests/rules/metadata/valid/metadata.json | 0 .../secharden/tests/rules/metadata/valid_full/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/categories.json | 0 .../secharden/tests/rules/ruleset/execution/test.01/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.01/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/test.02/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.02/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/test.03/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.03/metadata.json | 0 .../secharden/tests/rules/ruleset/execution/test.04/entry.sh | 0 .../secharden/tests/rules/ruleset/execution/test.04/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/categories.json | 0 .../secharden/tests/rules/ruleset/naming/invalid.01/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/nocat.01/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep | 0 {ccos => secTools}/secharden/tests/rules/ruleset/naming/notdir.01 | 0 .../secharden/tests/rules/ruleset/naming/test-02/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/test.00/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/test.01/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/test.o3/metadata.json | 0 .../secharden/tests/rules/ruleset/naming/test1.01/metadata.json | 0 .../secharden/tests/rules/ruleset/no_categories/.gitkeep | 0 {ccos => secTools}/secharden/tests/rules/ruleset/not_a_dir | 0 {ccos => secTools}/secharden/tests/rules/test_cmd.py | 0 {ccos => secTools}/secharden/tests/rules/test_converter.py | 0 {ccos => secTools}/secharden/tests/rules/test_metadata.py | 0 {ccos => 
secTools}/secharden/tests/rules/test_param.py | 0 {ccos => secTools}/secharden/tests/rules/test_rulemanager.py | 0 {ccos => secTools}/secharden/tests/rules/test_schema.py | 0 {ccos => secTools}/secharden/tests/tool_entry/__init__.py | 0 {ccos => secTools}/secharden/tests/tool_entry/conf/secharden.conf | 0 .../secharden/tests/tool_entry/rule_not_found/secharden.conf | 0 .../secharden/tests/tool_entry/ruleset/categories.json | 0 .../secharden/tests/tool_entry/ruleset/test.01/entry.sh | 0 .../secharden/tests/tool_entry/ruleset/test.01/metadata.json | 0 .../secharden/tests/tool_entry/ruleset/test1.01/entry.sh | 0 .../secharden/tests/tool_entry/ruleset/test1.01/metadata.json | 0 {ccos => secTools}/secharden/tests/tool_entry/test_gendoc.py | 0 {ccos => secTools}/secharden/tests/tool_entry/test_main.py | 0 {ccos => secTools}/secharden/uv.lock | 0 171 files changed, 0 insertions(+), 0 deletions(-) rename {ccos => secTools}/.gitignore (100%) rename {ccos => secTools}/README.md (100%) rename {ccos => secTools}/conf/secharden.conf (100%) rename {ccos => secTools}/docs/README.md (100%) rename {ccos => secTools}/docs/normal.xml (100%) rename {ccos => secTools}/docs/openeuler_defconfig (100%) rename {ccos => secTools}/os-harden-tools.spec (100%) rename {ccos => secTools}/secharden/DEVELOPMENT.md (100%) rename {ccos => secTools}/secharden/MANIFEST.in (100%) rename {ccos => secTools}/secharden/README.md (100%) rename {ccos => secTools}/secharden/pyproject.toml (100%) rename {ccos => secTools}/secharden/src/secharden/VERSION (100%) rename {ccos => secTools}/secharden/src/secharden/__init__.py (100%) rename {ccos => secTools}/secharden/src/secharden/config_parser.py (100%) rename {ccos => secTools}/secharden/src/secharden/devtools/gendoc.py (100%) rename {ccos => secTools}/secharden/src/secharden/executor.py (100%) rename {ccos => secTools}/secharden/src/secharden/rule_metadata/__init__.py (100%) rename {ccos => secTools}/secharden/src/secharden/rule_metadata/converters/__init__.py 
(100%) rename {ccos => secTools}/secharden/src/secharden/rule_metadata/converters/file_list.py (100%) rename {ccos => secTools}/secharden/src/secharden/rule_metadata/manager.py (100%) rename {ccos => secTools}/secharden/src/secharden/rule_metadata/metadata.py (100%) rename {ccos => secTools}/secharden/src/secharden/schema/categories.schema.json (100%) rename {ccos => secTools}/secharden/src/secharden/schema/metadata.schema.json (100%) rename {ccos => secTools}/secharden/src/secharden/secharden.py (100%) rename {ccos => secTools}/secharden/src/secharden/tools/README.md (100%) rename {ccos => secTools}/secharden/src/secharden/tools/categories.json (100%) rename {ccos => secTools}/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh (100%) rename {ccos => secTools}/secharden/src/secharden/tools/int.01/metadata.json (100%) rename {ccos => secTools}/secharden/src/secharden/tools/int.02/enforce_dim.sh (100%) rename {ccos => secTools}/secharden/src/secharden/tools/int.02/metadata.json (100%) rename {ccos => secTools}/secharden/src/secharden/tools/int.03/enforce_ima.sh (100%) rename {ccos => secTools}/secharden/src/secharden/tools/int.03/metadata.json (100%) rename {ccos => secTools}/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh (100%) rename {ccos => secTools}/secharden/src/secharden/tools/kern.01/metadata.json (100%) rename {ccos => secTools}/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh (100%) rename {ccos => secTools}/secharden/src/secharden/tools/kern.02/metadata.json (100%) rename {ccos => secTools}/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh (100%) rename {ccos => secTools}/secharden/src/secharden/tools/kern.03/metadata.json (100%) rename {ccos => secTools}/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh (100%) rename {ccos => secTools}/secharden/src/secharden/tools/login.01/metadata.json (100%) rename {ccos => 
secTools}/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.02/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.03/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.04/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.05/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.06/disable_sysrq.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.06/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.07/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.08/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.01/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.02/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.03/disable_ip_forward.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.03/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.04/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.05/disable_source_route.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.05/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.06/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.07/enable_firewall.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.07/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.08/enable_rp_filter.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.08/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/net.09/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/priv.01/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/priv.02/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/priv.02/symlink_protection.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/serv.01/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/serv.02/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.01/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.02/disable_kexec.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.02/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.03/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.04/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/sys.05/metadata.json (100%)
rename {ccos => secTools}/secharden/src/secharden/tools/utils.sh (100%)
rename {ccos => secTools}/secharden/src/secharden/utils.py (100%)
rename {ccos => secTools}/secharden/tests/config_parser/__init__.py (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/empty/.gitkeep (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/full_collection/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/collection/single_file/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/intersect/1.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/intersect/2.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/override/1.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/override/2.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/single_file/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/wrong_file/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf (100%)
rename {ccos => secTools}/secharden/tests/config_parser/test_collection.py (100%)
rename {ccos => secTools}/secharden/tests/config_parser/test_parser.py (100%)
rename {ccos => secTools}/secharden/tests/executor/__init__.py (100%)
rename {ccos => secTools}/secharden/tests/executor/test_executor.py (100%)
rename {ccos => secTools}/secharden/tests/rules/__init__.py (100%)
rename {ccos => secTools}/secharden/tests/rules/converter_sample.py (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/entry_in_path/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/entry_not_file/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/no_entry/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/no_metadata/.gitkeep (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/cmd_escape/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/cmd_noid/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/cmd_single/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/param/no_converter/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/valid/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/metadata/valid_full/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/categories.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.01/entry.sh (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.01/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.02/entry.sh (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.02/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.03/entry.sh (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.03/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.04/entry.sh (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/execution/test.04/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/categories.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/notdir.01 (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/test-02/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/test.00/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/test.01/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/test.o3/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/naming/test1.01/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/no_categories/.gitkeep (100%)
rename {ccos => secTools}/secharden/tests/rules/ruleset/not_a_dir (100%)
rename {ccos => secTools}/secharden/tests/rules/test_cmd.py (100%)
rename {ccos => secTools}/secharden/tests/rules/test_converter.py (100%)
rename {ccos => secTools}/secharden/tests/rules/test_metadata.py (100%)
rename {ccos => secTools}/secharden/tests/rules/test_param.py (100%)
rename {ccos => secTools}/secharden/tests/rules/test_rulemanager.py (100%)
rename {ccos => secTools}/secharden/tests/rules/test_schema.py (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/__init__.py (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/conf/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/rule_not_found/secharden.conf (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/ruleset/categories.json (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/ruleset/test.01/entry.sh (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/ruleset/test.01/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/ruleset/test1.01/entry.sh (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/ruleset/test1.01/metadata.json (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/test_gendoc.py (100%)
rename {ccos => secTools}/secharden/tests/tool_entry/test_main.py (100%)
rename {ccos => secTools}/secharden/uv.lock (100%)
diff --git a/ccos/.gitignore b/secTools/.gitignore similarity index 100% rename from ccos/.gitignore rename to secTools/.gitignore diff --git a/ccos/README.md b/secTools/README.md similarity index 100% rename from ccos/README.md rename to secTools/README.md diff --git a/ccos/conf/secharden.conf b/secTools/conf/secharden.conf similarity index 100% rename from ccos/conf/secharden.conf rename to secTools/conf/secharden.conf diff --git a/ccos/docs/README.md b/secTools/docs/README.md similarity index 100% rename from ccos/docs/README.md rename to secTools/docs/README.md diff --git a/ccos/docs/normal.xml b/secTools/docs/normal.xml similarity index 100% rename from ccos/docs/normal.xml rename to secTools/docs/normal.xml diff --git a/ccos/docs/openeuler_defconfig b/secTools/docs/openeuler_defconfig similarity index 100% rename from ccos/docs/openeuler_defconfig rename to secTools/docs/openeuler_defconfig diff --git a/ccos/os-harden-tools.spec b/secTools/os-harden-tools.spec similarity index 100% rename from ccos/os-harden-tools.spec rename to secTools/os-harden-tools.spec diff --git a/ccos/secharden/DEVELOPMENT.md b/secTools/secharden/DEVELOPMENT.md similarity index 100% rename from ccos/secharden/DEVELOPMENT.md rename to secTools/secharden/DEVELOPMENT.md diff --git a/ccos/secharden/MANIFEST.in b/secTools/secharden/MANIFEST.in similarity index 100% rename from ccos/secharden/MANIFEST.in rename to secTools/secharden/MANIFEST.in diff --git a/ccos/secharden/README.md b/secTools/secharden/README.md similarity index 100% rename from ccos/secharden/README.md rename to secTools/secharden/README.md diff --git a/ccos/secharden/pyproject.toml b/secTools/secharden/pyproject.toml similarity index 100% rename from ccos/secharden/pyproject.toml rename to secTools/secharden/pyproject.toml 
diff --git a/ccos/secharden/src/secharden/VERSION b/secTools/secharden/src/secharden/VERSION similarity index 100% rename from ccos/secharden/src/secharden/VERSION rename to secTools/secharden/src/secharden/VERSION diff --git a/ccos/secharden/src/secharden/__init__.py b/secTools/secharden/src/secharden/__init__.py similarity index 100% rename from ccos/secharden/src/secharden/__init__.py rename to secTools/secharden/src/secharden/__init__.py diff --git a/ccos/secharden/src/secharden/config_parser.py b/secTools/secharden/src/secharden/config_parser.py similarity index 100% rename from ccos/secharden/src/secharden/config_parser.py rename to secTools/secharden/src/secharden/config_parser.py diff --git a/ccos/secharden/src/secharden/devtools/gendoc.py b/secTools/secharden/src/secharden/devtools/gendoc.py similarity index 100% rename from ccos/secharden/src/secharden/devtools/gendoc.py rename to secTools/secharden/src/secharden/devtools/gendoc.py diff --git a/ccos/secharden/src/secharden/executor.py b/secTools/secharden/src/secharden/executor.py similarity index 100% rename from ccos/secharden/src/secharden/executor.py rename to secTools/secharden/src/secharden/executor.py diff --git a/ccos/secharden/src/secharden/rule_metadata/__init__.py b/secTools/secharden/src/secharden/rule_metadata/__init__.py similarity index 100% rename from ccos/secharden/src/secharden/rule_metadata/__init__.py rename to secTools/secharden/src/secharden/rule_metadata/__init__.py diff --git a/ccos/secharden/src/secharden/rule_metadata/converters/__init__.py b/secTools/secharden/src/secharden/rule_metadata/converters/__init__.py similarity index 100% rename from ccos/secharden/src/secharden/rule_metadata/converters/__init__.py rename to secTools/secharden/src/secharden/rule_metadata/converters/__init__.py 
diff --git a/ccos/secharden/src/secharden/rule_metadata/converters/file_list.py b/secTools/secharden/src/secharden/rule_metadata/converters/file_list.py similarity index 100% rename from ccos/secharden/src/secharden/rule_metadata/converters/file_list.py rename to secTools/secharden/src/secharden/rule_metadata/converters/file_list.py diff --git a/ccos/secharden/src/secharden/rule_metadata/manager.py b/secTools/secharden/src/secharden/rule_metadata/manager.py similarity index 100% rename from ccos/secharden/src/secharden/rule_metadata/manager.py rename to secTools/secharden/src/secharden/rule_metadata/manager.py diff --git a/ccos/secharden/src/secharden/rule_metadata/metadata.py b/secTools/secharden/src/secharden/rule_metadata/metadata.py similarity index 100% rename from ccos/secharden/src/secharden/rule_metadata/metadata.py rename to secTools/secharden/src/secharden/rule_metadata/metadata.py diff --git a/ccos/secharden/src/secharden/schema/categories.schema.json b/secTools/secharden/src/secharden/schema/categories.schema.json similarity index 100% rename from ccos/secharden/src/secharden/schema/categories.schema.json rename to secTools/secharden/src/secharden/schema/categories.schema.json diff --git a/ccos/secharden/src/secharden/schema/metadata.schema.json b/secTools/secharden/src/secharden/schema/metadata.schema.json similarity index 100% rename from ccos/secharden/src/secharden/schema/metadata.schema.json rename to secTools/secharden/src/secharden/schema/metadata.schema.json diff --git a/ccos/secharden/src/secharden/secharden.py b/secTools/secharden/src/secharden/secharden.py similarity index 100% rename from ccos/secharden/src/secharden/secharden.py rename to secTools/secharden/src/secharden/secharden.py diff --git a/ccos/secharden/src/secharden/tools/README.md b/secTools/secharden/src/secharden/tools/README.md similarity index 100% rename from ccos/secharden/src/secharden/tools/README.md rename to secTools/secharden/src/secharden/tools/README.md 
diff --git a/ccos/secharden/src/secharden/tools/categories.json b/secTools/secharden/src/secharden/tools/categories.json similarity index 100% rename from ccos/secharden/src/secharden/tools/categories.json rename to secTools/secharden/src/secharden/tools/categories.json diff --git a/ccos/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh b/secTools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh rename to secTools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh diff --git a/ccos/secharden/src/secharden/tools/int.01/metadata.json b/secTools/secharden/src/secharden/tools/int.01/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/int.01/metadata.json rename to secTools/secharden/src/secharden/tools/int.01/metadata.json diff --git a/ccos/secharden/src/secharden/tools/int.02/enforce_dim.sh b/secTools/secharden/src/secharden/tools/int.02/enforce_dim.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/int.02/enforce_dim.sh rename to secTools/secharden/src/secharden/tools/int.02/enforce_dim.sh diff --git a/ccos/secharden/src/secharden/tools/int.02/metadata.json b/secTools/secharden/src/secharden/tools/int.02/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/int.02/metadata.json rename to secTools/secharden/src/secharden/tools/int.02/metadata.json diff --git a/ccos/secharden/src/secharden/tools/int.03/enforce_ima.sh b/secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/int.03/enforce_ima.sh rename to secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh 
diff --git a/ccos/secharden/src/secharden/tools/int.03/metadata.json b/secTools/secharden/src/secharden/tools/int.03/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/int.03/metadata.json rename to secTools/secharden/src/secharden/tools/int.03/metadata.json diff --git a/ccos/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh b/secTools/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh rename to secTools/secharden/src/secharden/tools/kern.01/enable_bpf_jit_harden.sh diff --git a/ccos/secharden/src/secharden/tools/kern.01/metadata.json b/secTools/secharden/src/secharden/tools/kern.01/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/kern.01/metadata.json rename to secTools/secharden/src/secharden/tools/kern.01/metadata.json diff --git a/ccos/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh b/secTools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh rename to secTools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh diff --git a/ccos/secharden/src/secharden/tools/kern.02/metadata.json b/secTools/secharden/src/secharden/tools/kern.02/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/kern.02/metadata.json rename to secTools/secharden/src/secharden/tools/kern.02/metadata.json diff --git a/ccos/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh b/secTools/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh rename to secTools/secharden/src/secharden/tools/kern.03/enable_panic_on_oops.sh 
diff --git a/ccos/secharden/src/secharden/tools/kern.03/metadata.json b/secTools/secharden/src/secharden/tools/kern.03/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/kern.03/metadata.json rename to secTools/secharden/src/secharden/tools/kern.03/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh b/secTools/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh rename to secTools/secharden/src/secharden/tools/login.01/disable_ssh_no_pass.sh diff --git a/ccos/secharden/src/secharden/tools/login.01/metadata.json b/secTools/secharden/src/secharden/tools/login.01/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.01/metadata.json rename to secTools/secharden/src/secharden/tools/login.01/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh b/secTools/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh rename to secTools/secharden/src/secharden/tools/login.02/disable_ssh_permit_user_environment.sh diff --git a/ccos/secharden/src/secharden/tools/login.02/metadata.json b/secTools/secharden/src/secharden/tools/login.02/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.02/metadata.json rename to secTools/secharden/src/secharden/tools/login.02/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh b/secTools/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh rename to secTools/secharden/src/secharden/tools/login.03/disable_ssh_root_login.sh 
diff --git a/ccos/secharden/src/secharden/tools/login.03/metadata.json b/secTools/secharden/src/secharden/tools/login.03/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.03/metadata.json rename to secTools/secharden/src/secharden/tools/login.03/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh b/secTools/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh rename to secTools/secharden/src/secharden/tools/login.04/disable_ssh_tcp_forwarding.sh diff --git a/ccos/secharden/src/secharden/tools/login.04/metadata.json b/secTools/secharden/src/secharden/tools/login.04/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.04/metadata.json rename to secTools/secharden/src/secharden/tools/login.04/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh b/secTools/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh rename to secTools/secharden/src/secharden/tools/login.05/disable_ssh_x11_forwarding.sh diff --git a/ccos/secharden/src/secharden/tools/login.05/metadata.json b/secTools/secharden/src/secharden/tools/login.05/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.05/metadata.json rename to secTools/secharden/src/secharden/tools/login.05/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.06/disable_sysrq.sh b/secTools/secharden/src/secharden/tools/login.06/disable_sysrq.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.06/disable_sysrq.sh rename to secTools/secharden/src/secharden/tools/login.06/disable_sysrq.sh 
diff --git a/ccos/secharden/src/secharden/tools/login.06/metadata.json b/secTools/secharden/src/secharden/tools/login.06/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.06/metadata.json rename to secTools/secharden/src/secharden/tools/login.06/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh b/secTools/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh rename to secTools/secharden/src/secharden/tools/login.07/disable_tcp_timestamps.sh diff --git a/ccos/secharden/src/secharden/tools/login.07/metadata.json b/secTools/secharden/src/secharden/tools/login.07/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.07/metadata.json rename to secTools/secharden/src/secharden/tools/login.07/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.08/metadata.json b/secTools/secharden/src/secharden/tools/login.08/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/login.08/metadata.json rename to secTools/secharden/src/secharden/tools/login.08/metadata.json diff --git a/ccos/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh b/secTools/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh rename to secTools/secharden/src/secharden/tools/login.08/set_ssh_max_auth_tries.sh diff --git a/ccos/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh b/secTools/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh rename to secTools/secharden/src/secharden/tools/net.01/disable_accept_redirect.sh 
diff --git a/ccos/secharden/src/secharden/tools/net.01/metadata.json b/secTools/secharden/src/secharden/tools/net.01/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.01/metadata.json rename to secTools/secharden/src/secharden/tools/net.01/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh b/secTools/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh rename to secTools/secharden/src/secharden/tools/net.02/disable_icmp_broadcast.sh diff --git a/ccos/secharden/src/secharden/tools/net.02/metadata.json b/secTools/secharden/src/secharden/tools/net.02/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.02/metadata.json rename to secTools/secharden/src/secharden/tools/net.02/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.03/disable_ip_forward.sh b/secTools/secharden/src/secharden/tools/net.03/disable_ip_forward.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.03/disable_ip_forward.sh rename to secTools/secharden/src/secharden/tools/net.03/disable_ip_forward.sh diff --git a/ccos/secharden/src/secharden/tools/net.03/metadata.json b/secTools/secharden/src/secharden/tools/net.03/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.03/metadata.json rename to secTools/secharden/src/secharden/tools/net.03/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh b/secTools/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh rename to secTools/secharden/src/secharden/tools/net.04/disable_proxy_arp.sh 
diff --git a/ccos/secharden/src/secharden/tools/net.04/metadata.json b/secTools/secharden/src/secharden/tools/net.04/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.04/metadata.json rename to secTools/secharden/src/secharden/tools/net.04/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.05/disable_source_route.sh b/secTools/secharden/src/secharden/tools/net.05/disable_source_route.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.05/disable_source_route.sh rename to secTools/secharden/src/secharden/tools/net.05/disable_source_route.sh diff --git a/ccos/secharden/src/secharden/tools/net.05/metadata.json b/secTools/secharden/src/secharden/tools/net.05/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.05/metadata.json rename to secTools/secharden/src/secharden/tools/net.05/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh b/secTools/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh rename to secTools/secharden/src/secharden/tools/net.06/drop_forge_icmp_package.sh diff --git a/ccos/secharden/src/secharden/tools/net.06/metadata.json b/secTools/secharden/src/secharden/tools/net.06/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.06/metadata.json rename to secTools/secharden/src/secharden/tools/net.06/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.07/enable_firewall.sh b/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.07/enable_firewall.sh rename to secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh 
diff --git a/ccos/secharden/src/secharden/tools/net.07/metadata.json b/secTools/secharden/src/secharden/tools/net.07/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.07/metadata.json rename to secTools/secharden/src/secharden/tools/net.07/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.08/enable_rp_filter.sh b/secTools/secharden/src/secharden/tools/net.08/enable_rp_filter.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.08/enable_rp_filter.sh rename to secTools/secharden/src/secharden/tools/net.08/enable_rp_filter.sh diff --git a/ccos/secharden/src/secharden/tools/net.08/metadata.json b/secTools/secharden/src/secharden/tools/net.08/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.08/metadata.json rename to secTools/secharden/src/secharden/tools/net.08/metadata.json diff --git a/ccos/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh b/secTools/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh rename to secTools/secharden/src/secharden/tools/net.09/enable_tcp_syn_cookies.sh diff --git a/ccos/secharden/src/secharden/tools/net.09/metadata.json b/secTools/secharden/src/secharden/tools/net.09/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/net.09/metadata.json rename to secTools/secharden/src/secharden/tools/net.09/metadata.json diff --git a/ccos/secharden/src/secharden/tools/priv.01/metadata.json b/secTools/secharden/src/secharden/tools/priv.01/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/priv.01/metadata.json rename to secTools/secharden/src/secharden/tools/priv.01/metadata.json 
diff --git a/ccos/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh b/secTools/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh rename to secTools/secharden/src/secharden/tools/priv.01/minimal_file_permission.sh diff --git a/ccos/secharden/src/secharden/tools/priv.02/metadata.json b/secTools/secharden/src/secharden/tools/priv.02/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/priv.02/metadata.json rename to secTools/secharden/src/secharden/tools/priv.02/metadata.json diff --git a/ccos/secharden/src/secharden/tools/priv.02/symlink_protection.sh b/secTools/secharden/src/secharden/tools/priv.02/symlink_protection.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/priv.02/symlink_protection.sh rename to secTools/secharden/src/secharden/tools/priv.02/symlink_protection.sh diff --git a/ccos/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh b/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh rename to secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh diff --git a/ccos/secharden/src/secharden/tools/serv.01/metadata.json b/secTools/secharden/src/secharden/tools/serv.01/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/serv.01/metadata.json rename to secTools/secharden/src/secharden/tools/serv.01/metadata.json diff --git a/ccos/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh b/secTools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh rename to secTools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh 
diff --git a/ccos/secharden/src/secharden/tools/serv.02/metadata.json b/secTools/secharden/src/secharden/tools/serv.02/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/serv.02/metadata.json rename to secTools/secharden/src/secharden/tools/serv.02/metadata.json diff --git a/ccos/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh b/secTools/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh rename to secTools/secharden/src/secharden/tools/sys.01/enable_dmesg_restrict.sh diff --git a/ccos/secharden/src/secharden/tools/sys.01/metadata.json b/secTools/secharden/src/secharden/tools/sys.01/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/sys.01/metadata.json rename to secTools/secharden/src/secharden/tools/sys.01/metadata.json diff --git a/ccos/secharden/src/secharden/tools/sys.02/disable_kexec.sh b/secTools/secharden/src/secharden/tools/sys.02/disable_kexec.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/sys.02/disable_kexec.sh rename to secTools/secharden/src/secharden/tools/sys.02/disable_kexec.sh diff --git a/ccos/secharden/src/secharden/tools/sys.02/metadata.json b/secTools/secharden/src/secharden/tools/sys.02/metadata.json similarity index 100% rename from ccos/secharden/src/secharden/tools/sys.02/metadata.json rename to secTools/secharden/src/secharden/tools/sys.02/metadata.json diff --git a/ccos/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh b/secTools/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh similarity index 100% rename from ccos/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh rename to secTools/secharden/src/secharden/tools/sys.03/enable_kptr_restrict.sh 
diff --git a/ccos/secharden/src/secharden/tools/sys.03/metadata.json b/secTools/secharden/src/secharden/tools/sys.03/metadata.json
similarity index 100%
rename from ccos/secharden/src/secharden/tools/sys.03/metadata.json
rename to secTools/secharden/src/secharden/tools/sys.03/metadata.json
diff --git a/ccos/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh b/secTools/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
similarity index 100%
rename from ccos/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
rename to secTools/secharden/src/secharden/tools/sys.04/enable_ptrace_scope.sh
diff --git a/ccos/secharden/src/secharden/tools/sys.04/metadata.json b/secTools/secharden/src/secharden/tools/sys.04/metadata.json
similarity index 100%
rename from ccos/secharden/src/secharden/tools/sys.04/metadata.json
rename to secTools/secharden/src/secharden/tools/sys.04/metadata.json
diff --git a/ccos/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh b/secTools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
similarity index 100%
rename from ccos/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
rename to secTools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh
diff --git a/ccos/secharden/src/secharden/tools/sys.05/metadata.json b/secTools/secharden/src/secharden/tools/sys.05/metadata.json
similarity index 100%
rename from ccos/secharden/src/secharden/tools/sys.05/metadata.json
rename to secTools/secharden/src/secharden/tools/sys.05/metadata.json
diff --git a/ccos/secharden/src/secharden/tools/utils.sh b/secTools/secharden/src/secharden/tools/utils.sh
similarity index 100%
rename from ccos/secharden/src/secharden/tools/utils.sh
rename to secTools/secharden/src/secharden/tools/utils.sh
diff --git a/ccos/secharden/src/secharden/utils.py b/secTools/secharden/src/secharden/utils.py
similarity index 100%
rename from ccos/secharden/src/secharden/utils.py
rename to secTools/secharden/src/secharden/utils.py
diff --git a/ccos/secharden/tests/config_parser/__init__.py b/secTools/secharden/tests/config_parser/__init__.py
similarity index 100%
rename from ccos/secharden/tests/config_parser/__init__.py
rename to secTools/secharden/tests/config_parser/__init__.py
diff --git a/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf b/secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf
rename to secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf
diff --git a/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf b/secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
rename to secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/00-invalid_num.conf
diff --git a/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf b/secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf
rename to secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/nodash.conf
diff --git a/ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf b/secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf
rename to secTools/secharden/tests/config_parser/collection/collection_wrong_name/secharden.conf.d/not-number.conf
diff --git a/ccos/secharden/tests/config_parser/collection/empty/.gitkeep b/secTools/secharden/tests/config_parser/collection/empty/.gitkeep
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/empty/.gitkeep
rename to secTools/secharden/tests/config_parser/collection/empty/.gitkeep
diff --git a/ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf b/secTools/secharden/tests/config_parser/collection/full_collection/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf
rename to secTools/secharden/tests/config_parser/collection/full_collection/secharden.conf
diff --git a/ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf b/secTools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
rename to secTools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/01-test.conf
diff --git a/ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf b/secTools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
rename to secTools/secharden/tests/config_parser/collection/full_collection/secharden.conf.d/02-test2.conf
diff --git a/ccos/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf b/secTools/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
rename to secTools/secharden/tests/config_parser/collection/only_collection/secharden.conf.d/01-test.conf
diff --git a/ccos/secharden/tests/config_parser/collection/single_file/secharden.conf b/secTools/secharden/tests/config_parser/collection/single_file/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/collection/single_file/secharden.conf
rename to secTools/secharden/tests/config_parser/collection/single_file/secharden.conf
diff --git a/ccos/secharden/tests/config_parser/parser/intersect/1.conf b/secTools/secharden/tests/config_parser/parser/intersect/1.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/intersect/1.conf
rename to secTools/secharden/tests/config_parser/parser/intersect/1.conf
diff --git a/ccos/secharden/tests/config_parser/parser/intersect/2.conf b/secTools/secharden/tests/config_parser/parser/intersect/2.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/intersect/2.conf
rename to secTools/secharden/tests/config_parser/parser/intersect/2.conf
diff --git a/ccos/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf b/secTools/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf
rename to secTools/secharden/tests/config_parser/parser/invalid_yaml/secharden.conf
diff --git a/ccos/secharden/tests/config_parser/parser/override/1.conf b/secTools/secharden/tests/config_parser/parser/override/1.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/override/1.conf
rename to secTools/secharden/tests/config_parser/parser/override/1.conf
diff --git a/ccos/secharden/tests/config_parser/parser/override/2.conf b/secTools/secharden/tests/config_parser/parser/override/2.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/override/2.conf
rename to secTools/secharden/tests/config_parser/parser/override/2.conf
diff --git a/ccos/secharden/tests/config_parser/parser/single_file/secharden.conf b/secTools/secharden/tests/config_parser/parser/single_file/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/single_file/secharden.conf
rename to secTools/secharden/tests/config_parser/parser/single_file/secharden.conf
diff --git a/ccos/secharden/tests/config_parser/parser/wrong_file/secharden.conf b/secTools/secharden/tests/config_parser/parser/wrong_file/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/wrong_file/secharden.conf
rename to secTools/secharden/tests/config_parser/parser/wrong_file/secharden.conf
diff --git a/ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf b/secTools/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf
rename to secTools/secharden/tests/config_parser/parser/wrong_file_in_collection/1.conf
diff --git a/ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf b/secTools/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf
similarity index 100%
rename from ccos/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf
rename to secTools/secharden/tests/config_parser/parser/wrong_file_in_collection/2.conf
diff --git a/ccos/secharden/tests/config_parser/test_collection.py b/secTools/secharden/tests/config_parser/test_collection.py
similarity index 100%
rename from ccos/secharden/tests/config_parser/test_collection.py
rename to secTools/secharden/tests/config_parser/test_collection.py
diff --git a/ccos/secharden/tests/config_parser/test_parser.py b/secTools/secharden/tests/config_parser/test_parser.py
similarity index 100%
rename from ccos/secharden/tests/config_parser/test_parser.py
rename to secTools/secharden/tests/config_parser/test_parser.py
diff --git a/ccos/secharden/tests/executor/__init__.py b/secTools/secharden/tests/executor/__init__.py
similarity index 100%
rename from ccos/secharden/tests/executor/__init__.py
rename to secTools/secharden/tests/executor/__init__.py
diff --git a/ccos/secharden/tests/executor/test_executor.py b/secTools/secharden/tests/executor/test_executor.py
similarity index 100%
rename from ccos/secharden/tests/executor/test_executor.py
rename to secTools/secharden/tests/executor/test_executor.py
diff --git a/ccos/secharden/tests/rules/__init__.py b/secTools/secharden/tests/rules/__init__.py
similarity index 100%
rename from ccos/secharden/tests/rules/__init__.py
rename to secTools/secharden/tests/rules/__init__.py
diff --git a/ccos/secharden/tests/rules/converter_sample.py b/secTools/secharden/tests/rules/converter_sample.py
similarity index 100%
rename from ccos/secharden/tests/rules/converter_sample.py
rename to secTools/secharden/tests/rules/converter_sample.py
diff --git a/ccos/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json b/secTools/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
rename to secTools/secharden/tests/rules/metadata/directory_name_mismatch/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/entry_in_path/metadata.json b/secTools/secharden/tests/rules/metadata/entry_in_path/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/entry_in_path/metadata.json
rename to secTools/secharden/tests/rules/metadata/entry_in_path/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/entry_not_file/metadata.json b/secTools/secharden/tests/rules/metadata/entry_not_file/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/entry_not_file/metadata.json
rename to secTools/secharden/tests/rules/metadata/entry_not_file/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/no_entry/metadata.json b/secTools/secharden/tests/rules/metadata/no_entry/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/no_entry/metadata.json
rename to secTools/secharden/tests/rules/metadata/no_entry/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/no_metadata/.gitkeep b/secTools/secharden/tests/rules/metadata/no_metadata/.gitkeep
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/no_metadata/.gitkeep
rename to secTools/secharden/tests/rules/metadata/no_metadata/.gitkeep
diff --git a/ccos/secharden/tests/rules/metadata/param/cmd_escape/metadata.json b/secTools/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/cmd_escape/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json b/secTools/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/cmd_mismatch_id/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json b/secTools/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/cmd_multi_placeholder/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json b/secTools/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/cmd_no_placeholder/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/param/cmd_noid/metadata.json b/secTools/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/cmd_noid/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json b/secTools/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/cmd_placeholders/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/param/cmd_single/metadata.json b/secTools/secharden/tests/rules/metadata/param/cmd_single/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/cmd_single/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/cmd_single/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/param/no_converter/metadata.json b/secTools/secharden/tests/rules/metadata/param/no_converter/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/param/no_converter/metadata.json
rename to secTools/secharden/tests/rules/metadata/param/no_converter/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/valid/metadata.json b/secTools/secharden/tests/rules/metadata/valid/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/valid/metadata.json
rename to secTools/secharden/tests/rules/metadata/valid/metadata.json
diff --git a/ccos/secharden/tests/rules/metadata/valid_full/metadata.json b/secTools/secharden/tests/rules/metadata/valid_full/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/metadata/valid_full/metadata.json
rename to secTools/secharden/tests/rules/metadata/valid_full/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/execution/categories.json b/secTools/secharden/tests/rules/ruleset/execution/categories.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/categories.json
rename to secTools/secharden/tests/rules/ruleset/execution/categories.json
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.01/entry.sh b/secTools/secharden/tests/rules/ruleset/execution/test.01/entry.sh
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.01/entry.sh
rename to secTools/secharden/tests/rules/ruleset/execution/test.01/entry.sh
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.01/metadata.json b/secTools/secharden/tests/rules/ruleset/execution/test.01/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.01/metadata.json
rename to secTools/secharden/tests/rules/ruleset/execution/test.01/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.02/entry.sh b/secTools/secharden/tests/rules/ruleset/execution/test.02/entry.sh
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.02/entry.sh
rename to secTools/secharden/tests/rules/ruleset/execution/test.02/entry.sh
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.02/metadata.json b/secTools/secharden/tests/rules/ruleset/execution/test.02/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.02/metadata.json
rename to secTools/secharden/tests/rules/ruleset/execution/test.02/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.03/entry.sh b/secTools/secharden/tests/rules/ruleset/execution/test.03/entry.sh
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.03/entry.sh
rename to secTools/secharden/tests/rules/ruleset/execution/test.03/entry.sh
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.03/metadata.json b/secTools/secharden/tests/rules/ruleset/execution/test.03/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.03/metadata.json
rename to secTools/secharden/tests/rules/ruleset/execution/test.03/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.04/entry.sh b/secTools/secharden/tests/rules/ruleset/execution/test.04/entry.sh
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.04/entry.sh
rename to secTools/secharden/tests/rules/ruleset/execution/test.04/entry.sh
diff --git a/ccos/secharden/tests/rules/ruleset/execution/test.04/metadata.json b/secTools/secharden/tests/rules/ruleset/execution/test.04/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/execution/test.04/metadata.json
rename to secTools/secharden/tests/rules/ruleset/execution/test.04/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/categories.json b/secTools/secharden/tests/rules/ruleset/naming/categories.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/categories.json
rename to secTools/secharden/tests/rules/ruleset/naming/categories.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json b/secTools/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
rename to secTools/secharden/tests/rules/ruleset/naming/invalid.01/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json b/secTools/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
rename to secTools/secharden/tests/rules/ruleset/naming/nocat.01/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep b/secTools/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
rename to secTools/secharden/tests/rules/ruleset/naming/nometa.01/.gitkeep
diff --git a/ccos/secharden/tests/rules/ruleset/naming/notdir.01 b/secTools/secharden/tests/rules/ruleset/naming/notdir.01
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/notdir.01
rename to secTools/secharden/tests/rules/ruleset/naming/notdir.01
diff --git a/ccos/secharden/tests/rules/ruleset/naming/test-02/metadata.json b/secTools/secharden/tests/rules/ruleset/naming/test-02/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/test-02/metadata.json
rename to secTools/secharden/tests/rules/ruleset/naming/test-02/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/test.00/metadata.json b/secTools/secharden/tests/rules/ruleset/naming/test.00/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/test.00/metadata.json
rename to secTools/secharden/tests/rules/ruleset/naming/test.00/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/test.01/metadata.json b/secTools/secharden/tests/rules/ruleset/naming/test.01/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/test.01/metadata.json
rename to secTools/secharden/tests/rules/ruleset/naming/test.01/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/test.o3/metadata.json b/secTools/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
rename to secTools/secharden/tests/rules/ruleset/naming/test.o3/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/naming/test1.01/metadata.json b/secTools/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
rename to secTools/secharden/tests/rules/ruleset/naming/test1.01/metadata.json
diff --git a/ccos/secharden/tests/rules/ruleset/no_categories/.gitkeep b/secTools/secharden/tests/rules/ruleset/no_categories/.gitkeep
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/no_categories/.gitkeep
rename to secTools/secharden/tests/rules/ruleset/no_categories/.gitkeep
diff --git a/ccos/secharden/tests/rules/ruleset/not_a_dir b/secTools/secharden/tests/rules/ruleset/not_a_dir
similarity index 100%
rename from ccos/secharden/tests/rules/ruleset/not_a_dir
rename to secTools/secharden/tests/rules/ruleset/not_a_dir
diff --git a/ccos/secharden/tests/rules/test_cmd.py b/secTools/secharden/tests/rules/test_cmd.py
similarity index 100%
rename from ccos/secharden/tests/rules/test_cmd.py
rename to secTools/secharden/tests/rules/test_cmd.py
diff --git a/ccos/secharden/tests/rules/test_converter.py b/secTools/secharden/tests/rules/test_converter.py
similarity index 100%
rename from ccos/secharden/tests/rules/test_converter.py
rename to secTools/secharden/tests/rules/test_converter.py
diff --git a/ccos/secharden/tests/rules/test_metadata.py b/secTools/secharden/tests/rules/test_metadata.py
similarity index 100%
rename from ccos/secharden/tests/rules/test_metadata.py
rename to secTools/secharden/tests/rules/test_metadata.py
diff --git a/ccos/secharden/tests/rules/test_param.py b/secTools/secharden/tests/rules/test_param.py
similarity index 100%
rename from ccos/secharden/tests/rules/test_param.py
rename to secTools/secharden/tests/rules/test_param.py
diff --git a/ccos/secharden/tests/rules/test_rulemanager.py b/secTools/secharden/tests/rules/test_rulemanager.py
similarity index 100%
rename from ccos/secharden/tests/rules/test_rulemanager.py
rename to secTools/secharden/tests/rules/test_rulemanager.py
diff --git a/ccos/secharden/tests/rules/test_schema.py b/secTools/secharden/tests/rules/test_schema.py
similarity index 100%
rename from ccos/secharden/tests/rules/test_schema.py
rename to secTools/secharden/tests/rules/test_schema.py
diff --git a/ccos/secharden/tests/tool_entry/__init__.py b/secTools/secharden/tests/tool_entry/__init__.py
similarity index 100%
rename from ccos/secharden/tests/tool_entry/__init__.py
rename to secTools/secharden/tests/tool_entry/__init__.py
diff --git a/ccos/secharden/tests/tool_entry/conf/secharden.conf b/secTools/secharden/tests/tool_entry/conf/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/tool_entry/conf/secharden.conf
rename to secTools/secharden/tests/tool_entry/conf/secharden.conf
diff --git a/ccos/secharden/tests/tool_entry/rule_not_found/secharden.conf b/secTools/secharden/tests/tool_entry/rule_not_found/secharden.conf
similarity index 100%
rename from ccos/secharden/tests/tool_entry/rule_not_found/secharden.conf
rename to secTools/secharden/tests/tool_entry/rule_not_found/secharden.conf
diff --git a/ccos/secharden/tests/tool_entry/ruleset/categories.json b/secTools/secharden/tests/tool_entry/ruleset/categories.json
similarity index 100%
rename from ccos/secharden/tests/tool_entry/ruleset/categories.json
rename to secTools/secharden/tests/tool_entry/ruleset/categories.json
diff --git a/ccos/secharden/tests/tool_entry/ruleset/test.01/entry.sh b/secTools/secharden/tests/tool_entry/ruleset/test.01/entry.sh
similarity index 100%
rename from ccos/secharden/tests/tool_entry/ruleset/test.01/entry.sh
rename to secTools/secharden/tests/tool_entry/ruleset/test.01/entry.sh
diff --git a/ccos/secharden/tests/tool_entry/ruleset/test.01/metadata.json b/secTools/secharden/tests/tool_entry/ruleset/test.01/metadata.json
similarity index 100%
rename from ccos/secharden/tests/tool_entry/ruleset/test.01/metadata.json
rename to secTools/secharden/tests/tool_entry/ruleset/test.01/metadata.json
diff --git a/ccos/secharden/tests/tool_entry/ruleset/test1.01/entry.sh b/secTools/secharden/tests/tool_entry/ruleset/test1.01/entry.sh
similarity index 100%
rename from ccos/secharden/tests/tool_entry/ruleset/test1.01/entry.sh
rename to secTools/secharden/tests/tool_entry/ruleset/test1.01/entry.sh
diff --git a/ccos/secharden/tests/tool_entry/ruleset/test1.01/metadata.json b/secTools/secharden/tests/tool_entry/ruleset/test1.01/metadata.json
similarity index 100%
rename from ccos/secharden/tests/tool_entry/ruleset/test1.01/metadata.json
rename to secTools/secharden/tests/tool_entry/ruleset/test1.01/metadata.json
diff --git a/ccos/secharden/tests/tool_entry/test_gendoc.py b/secTools/secharden/tests/tool_entry/test_gendoc.py
similarity index 100%
rename from ccos/secharden/tests/tool_entry/test_gendoc.py
rename to secTools/secharden/tests/tool_entry/test_gendoc.py
diff --git a/ccos/secharden/tests/tool_entry/test_main.py b/secTools/secharden/tests/tool_entry/test_main.py
similarity index 100%
rename from ccos/secharden/tests/tool_entry/test_main.py
rename to secTools/secharden/tests/tool_entry/test_main.py
diff --git a/ccos/secharden/uv.lock b/secTools/secharden/uv.lock
similarity index 100%
rename from ccos/secharden/uv.lock
rename to secTools/secharden/uv.lock
-- Gitee
From 69958f6928c8dcbf8ef5437672704f2c15b57f13 Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Mon, 4 Aug 2025 09:12:09 +0800
Subject: [PATCH 097/109] update readme
---
secTools/README.md | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/secTools/README.md b/secTools/README.md
index 26b0771..e16d4bf 100644
--- a/secTools/README.md
+++ b/secTools/README.md
@@ -61,6 +61,11 @@ secharden 提供了一个命令行工具,可以通过以下命令来应用安 secharden apply ``` +**注意事项**: + +1. 当使用 `secharden apply` 应用配置文件加固配置后,删除对应加固项并重新使用 `secharden apply` 并不能清除之前已生效的配置。 +2. 安全加固操作记录在日志文件 `/var/log/secharden/secharden.log` 中。 + > secharden 的使用说明详见 [命令行参数说明](secharden/README.md)。 #### 配置文件说明
@@ -97,18 +102,28 @@ net.02: 上述配置文件表示启用 `int.01`、`int.03` 和 `net.02` 规则,显式禁用了 `net.01` 规则,并为 `int.03` 规则指定了 selinux 标签。 -用户可以通过 `secharden` 提供的帮助文档,获取对应的规则信息,例如 上述规则中的 `int.03` 规则可以使用如下命令查看规则信息: +除了各个规则定义的参数以外,在每个规则中,都有一个特殊的 `enabled` 参数,用于启用或禁用该规则,未显式指定 `enable` +参数的规则会默认开启。用户可以通过设置 `enabled: false` 来禁用某个规则,例如: + +```yaml +int.01: + enabled: false +``` + +**规则帮助信息** + +用户可以通过 `secharden` 提供的帮助文档,获取对应的规则信息。 + +获取规则列表可以使用如下命令: ```shell -secharden help int.03 +secharden list ``` -除了各个规则定义的参数以外,在每个规则中,都有一个特殊的 `enabled` 参数,用于启用或禁用该规则。默认情况下,所有规则都被启用。用户可以通过设置 -`enabled: false` 来禁用某个规则,例如: +用户还可以获取详细的规则描述,例如若要获取上述 `int.03` 规则可以使用如下命令查看规则信息: -```yaml -int.01: - enabled: false +```shell +secharden help int.03 ``` ### secharden 内置安全防护能力
-- Gitee
From 0cebf9acd912c934b821b5ae01e68b48633deb34 Mon Sep 17 00:00:00 2001
From: Tomahawkd
Date: Mon, 4 Aug 2025 10:37:23 +0800
Subject: [PATCH 098/109] fine-grained log and prints
---
.../src/secharden/rule_metadata/manager.py | 15 +++++---
secTools/secharden/src/secharden/secharden.py | 18 ++++++---
.../secharden/tests/rules/test_rulemanager.py | 14 +++---
.../tool_entry/error_conf/secharden.conf | 1 +
.../tests/tool_entry/ruleset/categories.json | 4 ++
.../tool_entry/ruleset/error.01/entry.sh | 3 ++
.../tool_entry/ruleset/error.01/metadata.json | 6 +++
.../secharden/tests/tool_entry/test_main.py | 37 +++++++++++++++----
8 files changed, 71 insertions(+), 27 deletions(-)
create mode 100644 secTools/secharden/tests/tool_entry/error_conf/secharden.conf
create mode 100755 secTools/secharden/tests/tool_entry/ruleset/error.01/entry.sh
create mode 100644 secTools/secharden/tests/tool_entry/ruleset/error.01/metadata.json
diff --git a/secTools/secharden/src/secharden/rule_metadata/manager.py b/secTools/secharden/src/secharden/rule_metadata/manager.py
index 5c52b0a..a03bada 100644
--- a/secTools/secharden/src/secharden/rule_metadata/manager.py
+++ b/secTools/secharden/src/secharden/rule_metadata/manager.py
@@ -165,13 +165,13 @@ class RuleManager:
 self._categories.append(category_id)
 self._rules.extend(sorted(rules, key=lambda r: int(r.split('.', 1)[1])))
- def apply_rule(self, rule: str, config=None):
+ def apply_rule(self, rule: str, config=None) -> bool:
 """
 Applies a rule with the given configuration.
 :param rule: The ID of the rule to apply
 :param config: A dictionary containing configuration parameters for the rule
 :raises ValueError: If the rule does not exist or if required parameters are missing in the configuration
- :raises Exception: If the command execution fails
+ :return: True if the rule was applied successfully, False otherwise
 """
 if config is None:
 config = {}
@@ -181,7 +181,7 @@ class RuleManager:
 # pop the 'enabled' key from config, if any
 if not config.pop('enabled', True):
 logging.warning(f"Rule {rule} is disabled in the configuration.")
- return
+ return True
 logging.debug(f"Applying rule {rule} with config: {config}")
 metadata = self.get_rule_metadata(rule)
@@ -202,16 +202,19 @@ class RuleManager:
 instance.cleanup()
 logging.error(f"Failed to generate command line on parameter {param.id}.")
 logging.exception(e)
- raise e
+ return False
 converter_instances.append(converter)
 executor.add_args(cmd_param)
 try:
+ logging.info(f"====== Rule {rule} command execution ======")
 result = executor.run()
- logging.info(f"rule {rule} applied with result:")
 logging.info(result)
+ return True
 except Exception as e:
 logging.error(f"Failed to execute command for rule {rule}.")
+ logging.exception(e)
+ return False
 finally:
+ logging.info(f"====== End of rule {rule} command execution ======")
 for instance in converter_instances:
 instance.cleanup()
diff --git a/secTools/secharden/src/secharden/secharden.py b/secTools/secharden/src/secharden/secharden.py
index d513ae8..82b4f6c 100644
--- a/secTools/secharden/src/secharden/secharden.py
+++ b/secTools/secharden/src/secharden/secharden.py
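Review bot: The `:return:` line added in the `@@ -165` hunk promises `True if the rule was applied successfully`, but the `@@ -181` hunk returns True for a rule whose `enabled` flag is false and therefore runs nothing, so a caller cannot tell an applied rule from a skipped one; document it as `:return: True if the rule was applied or skipped because it is disabled; False if command generation or execution failed`. With the `@@ -202` hunk converting every exception from `executor.run()` into `return False`, the kept `:raises ValueError:` entry presumably only holds for failures raised before the try block (an unknown rule id, missing required parameters), which is worth stating so callers know which errors still propagate. Nothing in the bool conveys why a rule failed and the operator has to consult the log, so the docstring should also say that the failure reason is logged at ERROR. `apply_rule` spans all three hunks and its body between them is outside the view.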
@@ -46,15 +46,23 @@ def apply(rule_mgr: RuleManager, args) -> int:
 code = 0
 for rule, rule_conf in config.items():
- print(f"Applying rule: {rule}...")
+ print(f"Applying rule: {rule}...", end='')
+ logging.info(f"====== Rule {rule} ======")
 logging.debug(f"applying rule '{rule}' with config {rule_conf}")
 try:
- rule_mgr.apply_rule(rule, rule_conf)
- except Exception as e:
- logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}")
- logging.exception(e)
+ if not rule_mgr.apply_rule(rule, rule_conf):
+ print('err')
+ logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}")
+ code = 1
+ print('ok')
+ except ValueError as e:
+ print('err')
 print(f"Error applying rule '{rule}': {e}", file=sys.stderr)
+ logging.error(f"Rule '{rule}' not found or invalid configuration: {rule_conf}")
+ logging.exception(e)
 code = 1
+ finally:
+ logging.info(f"====== End of rule {rule} ======")
 return code
diff --git a/secTools/secharden/tests/rules/test_rulemanager.py b/secTools/secharden/tests/rules/test_rulemanager.py
index 6ab4806..3237d30 100644
--- a/secTools/secharden/tests/rules/test_rulemanager.py
+++ b/secTools/secharden/tests/rules/test_rulemanager.py
@@ -170,11 +170,11 @@ class TestRuleManager:
 execution = rule_path.joinpath("execution").resolve()
 manager = RuleManager(execution)
- caplog.set_level(logging.ERROR)
- with pytest.raises(RuntimeError) as e:
- manager.apply_rule("test.02")
- assert str(e.value) == "Command failed with error: "
+ caplog.set_level(logging.INFO)
+ assert not manager.apply_rule("test.02")
+ assert "====== Rule test.02 command execution ======" in caplog.text
 assert "Failed to execute command for rule test.02." in caplog.text
+ assert "====== End of rule test.02 command execution ======" in caplog.text
 def test_rule_manager_apply_rule_miss_param(self, rule_path):
 execution = rule_path.joinpath("execution").resolve()
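Review bot: In the `apply` loop no `else:` separates the failure branch from `print('ok')`; since the hunk adds no `else` line, either `print('ok')` sits after the `if` and a failed rule prints `errok`, or it sits inside the `if` and a successful rule leaves `Applying rule: …` without a newline (the original indentation is lost in this view). Make the success print the else branch: `else:` followed by `print('ok')`. Because `apply_rule` now also returns True for a rule disabled with `enabled: false` (the manager change in this commit), a skipped rule is reported as `ok` exactly like an applied one and only the log banner distinguishes them, so consider printing `skipped` for that case. A command failure prints only `err` on stdout while a ValueError also reaches stderr, so an operator seeing exit code 1 after a hardening run has to open the log to learn which rule's command failed. `apply` starts above the hunk.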
@@ -189,8 +189,7 @@ class TestRuleManager: manager = RuleManager(execution) caplog.set_level(logging.ERROR) - with pytest.raises(Exception): - manager.apply_rule("test.03", {'input': {'file1': 'file1.txt'}}) + assert not manager.apply_rule("test.03", {'input': {'file1': 'file1.txt'}}) assert "Failed to generate command line on parameter input." in caplog.text def test_rule_manager_apply_rule_with_param(self, rule_path, caplog): @@ -214,8 +213,7 @@ class TestRuleManager: } caplog.set_level(logging.ERROR) - with pytest.raises(Exception): - manager.apply_rule("test.04", config) + assert not manager.apply_rule("test.04", config) assert "Failed to generate command line on parameter input1." in caplog.text def test_category_doc(self, rule_path): diff --git a/secTools/secharden/tests/tool_entry/error_conf/secharden.conf b/secTools/secharden/tests/tool_entry/error_conf/secharden.conf new file mode 100644 index 0000000..bd62a39 --- /dev/null +++ b/secTools/secharden/tests/tool_entry/error_conf/secharden.conf @@ -0,0 +1 @@ +error.01: \ No newline at end of file diff --git a/secTools/secharden/tests/tool_entry/ruleset/categories.json b/secTools/secharden/tests/tool_entry/ruleset/categories.json index 0578bb6..00f4a72 100644 --- a/secTools/secharden/tests/tool_entry/ruleset/categories.json +++ b/secTools/secharden/tests/tool_entry/ruleset/categories.json @@ -6,5 +6,9 @@ "test1": { "name": "Test1 Category", "description": "This is a test category for demonstration purposes." + }, + "error": { + "name": "Error Category", + "description": "This is a test category with error" } } \ No newline at end of file diff --git a/secTools/secharden/tests/tool_entry/ruleset/error.01/entry.sh b/secTools/secharden/tests/tool_entry/ruleset/error.01/entry.sh new file mode 100755 index 0000000..0e2486e --- /dev/null +++ b/secTools/secharden/tests/tool_entry/ruleset/error.01/entry.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env sh +echo 'hello from entry.sh' +exit 1 \ No newline at end of file 
diff --git a/secTools/secharden/tests/tool_entry/ruleset/error.01/metadata.json b/secTools/secharden/tests/tool_entry/ruleset/error.01/metadata.json new file mode 100644 index 0000000..6be9ab3 --- /dev/null +++ b/secTools/secharden/tests/tool_entry/ruleset/error.01/metadata.json @@ -0,0 +1,6 @@ +{ + "id": "error.01", + "name": "valid metadata", + "description": "valid metadata", + "entry": "entry.sh" +} \ No newline at end of file diff --git a/secTools/secharden/tests/tool_entry/test_main.py b/secTools/secharden/tests/tool_entry/test_main.py index bc8dc35..d71e406 100644 --- a/secTools/secharden/tests/tool_entry/test_main.py +++ b/secTools/secharden/tests/tool_entry/test_main.py @@ -36,7 +36,7 @@ class TestMainCmd: assert secharden.main(["-r", str(rule_path), "list"]) == 0 out, _ = capsys.readouterr() assert (out == - "test: Test Category\n\ttest.01: valid metadata\ntest1: Test1 Category\n\ttest1.01: valid metadata\n") + "error: Error Category\n\terror.01: valid metadata\ntest: Test Category\n\ttest.01: valid metadata\ntest1: Test1 Category\n\ttest1.01: valid metadata\n") def test_list_category(self, capsys, rule_path): assert secharden.main(["-r", str(rule_path), "list", "test"]) == 0 @@ -77,6 +77,13 @@ class TestMainCmd: assert "Error parsing arguments:" in err assert "Use 'secharden --help' for usage information.\n" == out + def test_apply_no_config(self, capsys, caplog, rule_path): + with caplog.at_level(logging.ERROR): + assert secharden.main(["-r", str(rule_path), "apply", str(rule_path)]) == 1 + out, err = capsys.readouterr() + assert f"Exception while parsing configuration from {str(rule_path)}" in caplog.text + assert "Error parsing configuration: " in err + def test_apply_not_dir(self, capsys, base_path, rule_path): assert secharden.main(["-r", str(rule_path), "apply", str(base_path.joinpath("test_main.py"))]) == 1 out, err = capsys.readouterr() 
@@ -85,21 +92,35 @@ class TestMainCmd: def test_apply_rule_not_found(self, capsys, caplog, base_path, rule_path): conf_path = str(base_path.joinpath("rule_not_found")) - with caplog.at_level(logging.ERROR): - result = secharden.main(["-r", str(rule_path), "apply", conf_path]) - assert result == 1 + with caplog.at_level(logging.INFO): + assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 1 out, err = capsys.readouterr() + assert "====== Rule nonexistence.01 ======" in caplog.text + assert "Applying rule: nonexistence.01...err" in out assert f"Error applying rule 'nonexistence.01':" in err - assert f"Exception while applying rule 'nonexistence.01' with config None" in caplog.text + assert f"Rule 'nonexistence.01' not found or invalid configuration: None" in caplog.text + assert "====== End of rule nonexistence.01 ======" in caplog.text def test_apply_rule(self, capsys, caplog, base_path, rule_path): conf_path = str(base_path.joinpath("conf")) with caplog.at_level(logging.DEBUG): - result = secharden.main(["-r", str(rule_path), "apply", conf_path]) - assert result == 0 + assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 0 out, _ = capsys.readouterr() + assert "====== Rule test.01 ======" in caplog.text assert "applying rule 'test.01' with config None" in caplog.text - assert "Applying rule: test.01..." 
in out + assert "Applying rule: test.01...ok" in out + assert "====== End of rule test.01 ======" in caplog.text + + def test_apply_error_rule(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("error_conf")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 1 + out, _ = capsys.readouterr() + assert "====== Rule error.01 ======" in caplog.text + assert "applying rule 'error.01' with config None" in caplog.text + assert "Applying rule: error.01...err" in out + assert "Exception while applying rule 'error.01' with config None" in caplog.text + assert "====== End of rule error.01 ======" in caplog.text def test_log_create_failed(self, capsys, base_path, rule_path): secharden.main(["-r", str(rule_path), "-l", str(base_path.joinpath("test_main.py"))]) -- Gitee From 8ecba40cb0bd578a0e466cfaa945706ded6cc979 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 4 Aug 2025 10:53:35 +0800 Subject: [PATCH 099/109] fine-grained output logs and rotating log --- .../secharden/src/secharden/rule_metadata/manager.py | 5 +++-- secTools/secharden/src/secharden/secharden.py | 10 ++++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/secTools/secharden/src/secharden/rule_metadata/manager.py b/secTools/secharden/src/secharden/rule_metadata/manager.py index a03bada..692133a 100644 --- a/secTools/secharden/src/secharden/rule_metadata/manager.py +++ b/secTools/secharden/src/secharden/rule_metadata/manager.py @@ -207,8 +207,9 @@ class RuleManager: executor.add_args(cmd_param) try: logging.info(f"====== Rule {rule} command execution ======") - result = executor.run() - logging.info(result) + result = executor.run().splitlines() + for line in result: + logging.info(line) return True except Exception as e: logging.error(f"Failed to execute command for rule {rule}.") 
diff --git a/secTools/secharden/src/secharden/secharden.py b/secTools/secharden/src/secharden/secharden.py index 82b4f6c..6ee501f 100644 --- a/secTools/secharden/src/secharden/secharden.py +++ b/secTools/secharden/src/secharden/secharden.py @@ -11,6 +11,7 @@ import argparse import logging import sys +from logging.handlers import TimedRotatingFileHandler from pathlib import Path from secharden.config_parser import parse_config, collect_configs @@ -144,8 +145,13 @@ def main(argv=None): args.logs.mkdir(parents=True, exist_ok=True) if not args.logs.is_dir(): raise ValueError(f"Log path {args.logs} is not a directory.") - logging.basicConfig(filename=args.logs.joinpath('secharden.log'), filemode='a', - level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') + + handlers = [ + logging.handlers.TimedRotatingFileHandler(filename=args.logs.joinpath('secharden.log'), when='D', + encoding='utf-8') + ] + logging.basicConfig(handlers=handlers, filemode='a', level=logging_level, + format='%(asctime)s [%(levelname)8s] %(message)s') except Exception as e: print("Error: Cannot write to log directory. Using console output instead.", file=sys.stderr) logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s', stream=sys.stderr) -- Gitee From b5a0d6a2466b186253f95ec0ff40fd8cf668952c Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 4 Aug 2025 10:56:11 +0800 Subject: [PATCH 100/109] remove file mode --- secTools/secharden/src/secharden/secharden.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/secTools/secharden/src/secharden/secharden.py b/secTools/secharden/src/secharden/secharden.py index 6ee501f..68c3dc5 100644 --- a/secTools/secharden/src/secharden/secharden.py +++ b/secTools/secharden/src/secharden/secharden.py 
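Review bot: The first hunk imports `TimedRotatingFileHandler` by name, but the handler list in the second hunk constructs it as `logging.handlers.TimedRotatingFileHandler(...)`, which only resolves because the from-import happened to load the submodule; use the imported name directly, `TimedRotatingFileHandler(filename=args.logs.joinpath('secharden.log'), when='D', encoding='utf-8')`. The handler is created without `backupCount`, so daily rotated files are never pruned and the log directory grows without bound; an explicit `backupCount` (or a comment saying retention is handled elsewhere) makes the policy visible. Since this log captures the stdout of hardening commands run as root, it is also worth checking what permissions the rotated files end up with — the handler inherits the process umask and nothing here restricts them.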
@@ -150,8 +150,7 @@ def main(argv=None): logging.handlers.TimedRotatingFileHandler(filename=args.logs.joinpath('secharden.log'), when='D', encoding='utf-8') ] - logging.basicConfig(handlers=handlers, filemode='a', level=logging_level, - format='%(asctime)s [%(levelname)8s] %(message)s') + logging.basicConfig(handlers=handlers, level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') except Exception as e: print("Error: Cannot write to log directory. Using console output instead.", file=sys.stderr) logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s', stream=sys.stderr) -- Gitee From 9ce501b2a0011786f12cde935aac998b212aebcb Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 4 Aug 2025 15:26:40 +0800 Subject: [PATCH 101/109] add logs --- secTools/secharden/src/secharden/executor.py | 6 ++- secTools/secharden/src/secharden/secharden.py | 4 +- .../tools/int.01/enable_kernel_module_sign.sh | 5 +- .../src/secharden/tools/int.02/enforce_dim.sh | 2 +- .../tools/kern.02/enable_kernel_aslr.sh | 3 +- .../secharden/tools/net.07/enable_firewall.sh | 13 ++++- .../secharden/tools/serv.01/enable_rsyslog.sh | 8 +++- .../tools/serv.02/enable_selinux_enforce.sh | 8 +++- .../sys.05/disable_uncommon_network_module.sh | 4 ++ .../secharden/src/secharden/tools/utils.sh | 47 +++++++++++++++---- 10 files changed, 82 insertions(+), 18 deletions(-) diff --git a/secTools/secharden/src/secharden/executor.py b/secTools/secharden/src/secharden/executor.py index c5c4103..78b5f50 100644 --- a/secTools/secharden/src/secharden/executor.py +++ b/secTools/secharden/src/secharden/executor.py 
@@ -163,6 +163,10 @@ class CmdExecutor: result = subprocess.run(self._cmd, env=env, capture_output=True, text=True) if result.returncode != 0: - raise RuntimeError(f"Command failed with error: {result.stderr}") + logging.error(f"Command execution failed with return code {result.returncode}") + logging.error(f"Command output: {result.stdout}") + err = result.stderr + logging.error("Command output: {err}") + raise RuntimeError(f"Command failed with error: {err}") return result.stdout diff --git a/secTools/secharden/src/secharden/secharden.py b/secTools/secharden/src/secharden/secharden.py index 68c3dc5..3b6366e 100644 --- a/secTools/secharden/src/secharden/secharden.py +++ b/secTools/secharden/src/secharden/secharden.py @@ -47,7 +47,8 @@ def apply(rule_mgr: RuleManager, args) -> int: code = 0 for rule, rule_conf in config.items(): - print(f"Applying rule: {rule}...", end='') + print(f"Applying rule: {rule}...", end='', flush=True) + logging.info(f"====== Rule {rule} ======") logging.debug(f"applying rule '{rule}' with config {rule_conf}") try: @@ -55,6 +56,7 @@ def apply(rule_mgr: RuleManager, args) -> int: print('err') logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}") code = 1 + continue print('ok') except ValueError as e: print('err') diff --git a/secTools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh b/secTools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh index 5631b97..035bbe2 100755 --- a/secTools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh +++ b/secTools/secharden/src/secharden/tools/int.01/enable_kernel_module_sign.sh 
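Review bot: `logging.error("Command output: {err}")` is missing the f-prefix, so the log records the literal text `{err}` and the captured stderr is never written out. It should read `logging.error(f"Command stderr: {err}")`, which also stops the two consecutive lines from carrying the same "Command output:" label for different streams. The enclosing run method starts outside this hunk.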
@@ -23,5 +23,8 @@ if ! grep -q 'module.sig_enforce' /proc/cmdline; then fi sed -i '/linuxefi/s/$/ module.sig_enforce/' "${GRUB_CFG}" - echo "GRUB config is updated, please reboot." + echo "added module.sig_enforce to ${GRUB_CFG}." + echo "Please reboot the system to apply the changes." +else + echo "module.sig_enforce is already enabled." fi \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/int.02/enforce_dim.sh b/secTools/secharden/src/secharden/tools/int.02/enforce_dim.sh index 54eb6c5..560b327 100755 --- a/secTools/secharden/src/secharden/tools/int.02/enforce_dim.sh +++ b/secTools/secharden/src/secharden/tools/int.02/enforce_dim.sh @@ -48,7 +48,7 @@ function fn_dim_tool_main() if ! grep -q "measure obj=KERNEL_TEXT" /etc/dim/policy; then echo "" >> /etc/dim/policy echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy - echo "Added kernel measurement to DIM policy." + echo "Added kernel measurement (measure obj=KERNEL_TEXT) to DIM policy." else echo "Kernel measurement already exists in DIM policy." fi diff --git a/secTools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh b/secTools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh index bce07c2..ecfcf44 100755 --- a/secTools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh +++ b/secTools/secharden/src/secharden/tools/kern.02/enable_kernel_aslr.sh @@ -16,4 +16,5 @@ source $(dirname $(realpath $0))/../utils.sh -echo 2 > /proc/sys/kernel/randomize_va_space \ No newline at end of file +echo 2 > /proc/sys/kernel/randomize_va_space +echo "change /proc/sys/kernel/randomize_va_space to 2" \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh b/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh index c4875e0..151905e 100755 --- a/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh +++ b/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh 
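Review bot: In the kern.02 hunk, writing `2` straight to `/proc/sys/kernel/randomize_va_space` changes only the running kernel and is lost at reboot, while the `utils.sh` the script already sources provides `set_sysctl`, which persists the key to /etc/sysctl.conf and reloads it. Replacing the two new lines with `set_sysctl kernel.randomize_va_space 2` makes this rule consistent with the other sysctl-based rules and reuses the helper's own log message. The unconditional echo on the second line also reports the change even if the redirect failed, which the helper path avoids. In the int.01 hunk the new "already enabled" message is derived from `/proc/cmdline`, i.e. the running kernel's command line, not from `${GRUB_CFG}`, so the wording should say that is what was checked.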
@@ -15,4 +15,15 @@ # ####################################################################################### service firewalld start -systemctl enable firewalld \ No newline at end of file +if [[ ! "$(systemctl is-active firewalld)x" == "activex" ]]; then + echo "firewalld service is not started, please check" +else + echo "firewalld service is started successfully" +fi + +systemctl enable firewalld +if [[ ! "$(systemctl is-enabled firewalld)x" == "activex" ]]; then + echo "firewalld service is not enabled, please check" +else + echo "firewalld service is enabled successfully" +fi diff --git a/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh b/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh index 9876dc4..2c234b7 100755 --- a/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh +++ b/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh @@ -14,4 +14,10 @@ # # ####################################################################################### -systemctl start rsyslog.service \ No newline at end of file +systemctl start rsyslog.service +if [[ ! "$(systemctl is-active rsyslog)x" == "activex" ]]; then + echo "rsyslog service is not running, please check it." + exit 1 +else + echo "rsyslog service started" +fi diff --git a/secTools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh b/secTools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh index ac6a544..d1f276e 100755 --- a/secTools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh +++ b/secTools/secharden/src/secharden/tools/serv.02/enable_selinux_enforce.sh @@ -14,4 +14,10 @@ # # ####################################################################################### -setenforce 1 \ No newline at end of file +setenforce 1 +if [[ ! "$(getenforce)x" == "Enforcingx" ]]; then + echo "Failed to set SELinux to enforcing mode" + exit 1 +else + echo "SELinux is set to enforcing mode" +fi \ No newline at end of file 
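Review bot: The enable check in the net.07 hunk compares `systemctl is-enabled firewalld` against `activex`, but is-enabled prints `enabled`/`disabled` (or `static` and similar), never `active`, so the script will always report "firewalld service is not enabled, please check" even after a successful enable. The line should be `if [[ ! "$(systemctl is-enabled firewalld)x" == "enabledx" ]]; then`. Unlike the serv.01 and serv.02 hunks on the same line, neither failure branch here does `exit 1`, so the executor sees a zero return code and the rule is logged as applied; returning non-zero on either failure keeps the three scripts consistent.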
diff --git a/secTools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh b/secTools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh index c691036..ed07ad4 100755 --- a/secTools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh +++ b/secTools/secharden/src/secharden/tools/sys.05/disable_uncommon_network_module.sh @@ -20,10 +20,14 @@ function setup_conf() { conf=$1 if [ ! -e ${config_path} ]; then touch ${config_path} + echo "Created configuration file: ${config_path}" fi if ! grep -q "${conf}" "${config_path}"; then echo "${conf}" >> "${config_path}" + echo "Added configuration: ${conf} to ${config_path}" + else + echo "Configuration: ${conf} already exists in ${config_path}" fi } diff --git a/secTools/secharden/src/secharden/tools/utils.sh b/secTools/secharden/src/secharden/tools/utils.sh index ce9a29d..50f5b70 100755 --- a/secTools/secharden/src/secharden/tools/utils.sh +++ b/secTools/secharden/src/secharden/tools/utils.sh 
@@ -13,31 +13,58 @@ # Description: Security Baseline Check Script for 1.1.14 # # ####################################################################################### -sysctl_conf_path="/etc/sysctl.conf" -sshd_conf_path="/etc/ssh/sshd_config" +# Function to set sysctl configuration +# Arguments: +# $1: Configuration option (e.g., "net.ipv4.ip_forward") +# $2: Value to set for the configuration option (e.g., "0") function set_sysctl() { - conf=$1 - value=$2 + local conf=$1 + local value=$2 + local sysctl_conf_path="/etc/sysctl.conf" + if grep -q "^${conf}" ${sysctl_conf_path} > /dev/null; then sed -i "s/^${conf}.*/${conf} = ${value}/" ${sysctl_conf_path} + echo "Updated ${conf} to ${value} in ${sysctl_conf_path}" else echo "${conf} = ${value}" >> ${sysctl_conf_path} + echo "Added ${conf} with value ${value} to ${sysctl_conf_path}" fi - sysctl -p /etc/sysctl.conf + sysctl -p ${sysctl_conf_path} --quiet } +# Function to set SSH configuration +# Arguments: +# $1: Configuration option (e.g., "PermitRootLogin") +# $2: Value to set for the configuration option (e.g., "no") +# Returns: +# 0 on success, 1 on failure function set_ssh() { - conf=$1 - value=$2 + local conf=$1 + local value=$2 + local sshd_conf_path="/etc/ssh/sshd_config" + if grep -q "^${conf}\s*" "${sshd_conf_path}"; then sed -i "s/^${conf}.*/${conf} ${value}/" ${sshd_conf_path} + echo "Updated ${conf} to ${value} in ${sshd_conf_path}" else echo "${conf} ${value}" >> "${sshd_conf_path}" + echo "Added ${conf} with value ${value} to ${sshd_conf_path}" fi - systemctl restart sshd - # wait for fully restart - sleep 1 + local retries=1 + while [[ $retries -lt 6 ]]; do + systemctl restart sshd + if [[ ! "$(systemctl is-active sshd)x" == "activex" ]]; then + echo "sshd service is not restarted, wait for ${retries}s and retrying..." 
+ sleep $retries + retries=$((retries + 1)) + else + echo "sshd service restarted" + return 0 + fi + done + echo "Failed to restart sshd service after ${retries} attempts" + return 1 } \ No newline at end of file -- Gitee From 60d91ffc14bfd9852bb8d374026335062e4c1c3f Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Mon, 4 Aug 2025 16:13:32 +0800 Subject: [PATCH 102/109] change name --- secTools/.gitignore | 2 +- secTools/README.md | 18 +++++++++--------- .../{os-harden-tools.spec => secharden.spec} | 10 +++++----- 3 files changed, 15 insertions(+), 15 deletions(-) rename secTools/{os-harden-tools.spec => secharden.spec} (87%) diff --git a/secTools/.gitignore b/secTools/.gitignore index ca6b8af..baee8ed 100644 --- a/secTools/.gitignore +++ b/secTools/.gitignore @@ -163,4 +163,4 @@ cython_debug/ #.idea/ temp -!os-harden-tools.spec +!secharden.spec diff --git a/secTools/README.md b/secTools/README.md index e16d4bf..6ef6eaf 100644 --- a/secTools/README.md +++ b/secTools/README.md @@ -1,13 +1,13 @@ # 安全 OS 加固配置指南 -本指南提供了在 OpenEuler 操作系统上进行安全加固的工具和方法。它包括了对系统配置的建议和自动化脚本,旨在帮助用户提高系统的安全性。 +本指南提供了在 openEuler 操作系统上进行安全加固的工具和方法。它包括了对系统配置的建议和自动化脚本,旨在帮助用户提高系统的安全性。 ## 目录结构 ``` -os-harden-tools/ +secTools/ ├── README.md: 本文档 -├── os-harden-tools.spec:本指南随附工具的 RPM 包规范文件 +├── secharden.spec:本指南随附工具的 RPM 包规范文件 ├── secharden:本指南随附的系统加固工具 ├── conf:包含系统加固工具的配置文件 ├── docs:最小安全系统配置指南,包含系统内核的配置文件以及最小化裁剪配置 @@ -20,7 +20,7 @@ secharden 是一个基于 python 的系统加固框架,用于管理和应用 ### 安装 -本节描述的 os-harden-tools 构建可参考 +本节描述的 secharden 构建可参考 [openeuler rpm 包构建文档](https://docs.openeuler.org/zh/docs/24.03_LTS_SP2/server/development/application_dev/building_an_rpm_package.html)。 1. 初始化 rpmbuild 目录: 
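Review bot: `set_ssh` restarts sshd in a retry loop right after editing sshd_config, but nothing validates the edited file first, so a bad value leaves sshd down for all five attempts and, on a remotely administered host, can lock the operator out. Running the config check before the loop avoids that: `if ! sshd -t; then echo "sshd_config validation failed, not restarting sshd"; return 1; fi`. The final message also says "after ${retries} attempts" when `retries` has already been incremented to 6 although only 5 restarts were tried; `$((retries - 1))` or a fixed count fixes the off-by-one.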
@@ -29,26 +29,26 @@ secharden 是一个基于 python 的系统加固框架,用于管理和应用 rpmdev-setuptree ``` -2. 下载 os-harden-tools 源码: +2. 下载 secharden 源码: ```shell git clone https://gitee.com/openeuler/secGear # 将源码目录通过软链接的形式关联到 rpmbuild 的 SOURCES 目录下,以便后续构建 rpm 包时使用 rm -rf $HOME/rpmbuild/SOURCES - ln -s ./secGear/os-harden-tools $HOME/rpmbuild/SOURCES + ln -s ./secGear/secharden $HOME/rpmbuild/SOURCES ``` 3. 构建: ```shell - rpmbuild -ba $HOME/rpmbuild/SOURCES/os-harden-tools.spec + rpmbuild -ba $HOME/rpmbuild/SOURCES/secharden.spec ``` -构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/os-harden-tools-<版本>.noarch.rpm` 找到构建完成的 rpm 包。 +构建后,可以在 `$HOME/rpmbuild/RPMS/noarch/secharden-<版本>.noarch.rpm` 找到构建完成的 rpm 包。 该 rpm 包可以直接使用 `dnf install` 命令安装: ```shell -sudo dnf install $HOME/rpmbuild/RPMS/noarch/os-harden-tools-<版本>.noarch.rpm +sudo dnf install $HOME/rpmbuild/RPMS/noarch/secharden-<版本>.noarch.rpm ``` ### 使用 diff --git a/secTools/os-harden-tools.spec b/secTools/secharden.spec similarity index 87% rename from secTools/os-harden-tools.spec rename to secTools/secharden.spec index c338bea..721efc2 100644 --- a/secTools/os-harden-tools.spec +++ b/secTools/secharden.spec @@ -1,7 +1,7 @@ %global python3_pkgversion 3.11 -Summary: OS hardening toolkit -Name : os-harden-tools +Summary: Security Hardening Toolkit +Name : secharden Version: 1.0 Release: 1.0 Source0: secharden @@ -14,7 +14,7 @@ BuildArch: noarch BuildRequires: python3-setuptools pyproject-rpm-macros python3-pytest python3-wheel %description -OS hardening toolkit +Security Hardening Toolkit, a set of tools to help secure and harden systems. %global debug_package %{nil} @@ -48,7 +48,7 @@ OS hardening toolkit %postun -%files -n os-harden-tools +%files -n secharden %defattr(-,root,root) %attr(0644,root,root) %config %{_sysconfdir}/secharden/secharden.conf %attr(0644,root,root) %doc README.md 
@@ -58,4 +58,4 @@ OS hardening toolkit %changelog * Fri Jul 25 2025 Tomahawkd - 1.0-1.0 -- inital os hardening toolkit \ No newline at end of file +- inital Security Hardening Toolkit \ No newline at end of file -- Gitee From 1f188ef358a7a58acc7c3bf6a9db7635a2b599d6 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Tue, 5 Aug 2025 14:29:48 +0800 Subject: [PATCH 103/109] add service management, refactor main entry commands --- secTools/secharden.spec | 2 +- secTools/secharden/pyproject.toml | 5 +- .../secharden/src/secharden/cmd/__init__.py | 15 ++ secTools/secharden/src/secharden/cmd/apply.py | 101 ++++++++++++ .../secharden/src/secharden/cmd/command.py | 73 +++++++++ secTools/secharden/src/secharden/cmd/core.py | 41 +++++ secTools/secharden/src/secharden/cmd/help.py | 41 +++++ secTools/secharden/src/secharden/cmd/list.py | 51 ++++++ .../secharden/src/secharden/config_parser.py | 15 +- .../src/secharden/devtools/gendoc.py | 9 +- .../src/secharden/exceptions/__init__.py | 20 +++ secTools/secharden/src/secharden/executor.py | 18 +-- .../rule_metadata/converters/file_list.py | 20 +-- .../src/secharden/rule_metadata/manager.py | 72 ++------- .../src/secharden/rule_metadata/metadata.py | 89 ++++++++--- .../src/secharden/schema/metadata.schema.json | 8 + secTools/secharden/src/secharden/secharden.py | 145 ++--------------- .../secharden/tools/login.01/metadata.json | 3 +- .../secharden/tools/login.02/metadata.json | 3 +- .../secharden/tools/login.03/metadata.json | 3 +- .../secharden/tools/login.04/metadata.json | 3 +- .../secharden/tools/login.05/metadata.json | 3 +- .../secharden/tools/login.08/metadata.json | 3 +- .../secharden/src/secharden/tools/utils.sh | 15 -- secTools/secharden/src/secharden/utils.py | 45 +++++- secTools/secharden/tests/__init__.py | 11 ++ .../tests/config_parser/test_collection.py | 5 +- .../tests/config_parser/test_parser.py | 9 +- .../tests/{rules => }/converter_sample.py | 0 .../secharden/tests/executor/test_executor.py | 9 +- secTools/secharden/tests/rules/__init__.py | 2 - .../exec_with_param}/entry.sh | 0 .../exec_with_param}/metadata.json | 2 +- .../fail_exec}/metadata.json | 4 +- .../test.01 => metadata/normal_exec}/entry.sh | 0 .../normal_exec}/metadata.json | 2 +- .../rules/ruleset/execution/categories.json | 6 - 
.../rules/ruleset/execution/test.02/entry.sh | 2 - .../secharden/tests/rules/test_converter.py | 19 ++- .../secharden/tests/rules/test_metadata.py | 68 +++++++- secTools/secharden/tests/rules/test_param.py | 9 +- .../secharden/tests/rules/test_rulemanager.py | 82 +--------- .../tool_entry/invalid_conf/secharden.conf | 1 + .../tool_entry/not_enable/secharden.conf | 2 + .../ruleset/test.02}/entry.sh | 0 .../ruleset/test.02}/metadata.json | 2 +- .../tool_entry/ruleset/test.03/metadata.json | 7 + .../tests/tool_entry/service/secharden.conf | 1 + .../secharden/tests/tool_entry/test_apply.py | 149 ++++++++++++++++++ .../secharden/tests/tool_entry/test_help.py | 48 ++++++ .../secharden/tests/tool_entry/test_list.py | 49 ++++++ .../secharden/tests/tool_entry/test_main.py | 92 ----------- secTools/secharden/uv.lock | 16 +- 53 files changed, 921 insertions(+), 479 deletions(-) create mode 100644 secTools/secharden/src/secharden/cmd/__init__.py create mode 100644 secTools/secharden/src/secharden/cmd/apply.py create mode 100644 secTools/secharden/src/secharden/cmd/command.py create mode 100644 secTools/secharden/src/secharden/cmd/core.py create mode 100644 secTools/secharden/src/secharden/cmd/help.py create mode 100644 secTools/secharden/src/secharden/cmd/list.py create mode 100644 secTools/secharden/src/secharden/exceptions/__init__.py create mode 100644 secTools/secharden/tests/__init__.py rename secTools/secharden/tests/{rules => }/converter_sample.py (100%) rename secTools/secharden/tests/rules/{ruleset/execution/test.03 => metadata/exec_with_param}/entry.sh (100%) rename secTools/secharden/tests/rules/{ruleset/execution/test.03 => metadata/exec_with_param}/metadata.json (91%) rename secTools/secharden/tests/rules/{ruleset/execution/test.02 => metadata/fail_exec}/metadata.json (61%) rename secTools/secharden/tests/rules/{ruleset/execution/test.01 => metadata/normal_exec}/entry.sh (100%) rename secTools/secharden/tests/rules/{ruleset/execution/test.01 => 
metadata/normal_exec}/metadata.json (79%) delete mode 100644 secTools/secharden/tests/rules/ruleset/execution/categories.json delete mode 100755 secTools/secharden/tests/rules/ruleset/execution/test.02/entry.sh create mode 100644 secTools/secharden/tests/tool_entry/invalid_conf/secharden.conf create mode 100644 secTools/secharden/tests/tool_entry/not_enable/secharden.conf rename secTools/secharden/tests/{rules/ruleset/execution/test.04 => tool_entry/ruleset/test.02}/entry.sh (100%) rename secTools/secharden/tests/{rules/ruleset/execution/test.04 => tool_entry/ruleset/test.02}/metadata.json (95%) create mode 100644 secTools/secharden/tests/tool_entry/ruleset/test.03/metadata.json create mode 100644 secTools/secharden/tests/tool_entry/service/secharden.conf create mode 100644 secTools/secharden/tests/tool_entry/test_apply.py create mode 100644 secTools/secharden/tests/tool_entry/test_help.py create mode 100644 secTools/secharden/tests/tool_entry/test_list.py diff --git a/secTools/secharden.spec b/secTools/secharden.spec index 721efc2..2195492 100644 --- a/secTools/secharden.spec +++ b/secTools/secharden.spec @@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: python3 python3-pyyaml python3-jsonschema BuildArch: noarch -BuildRequires: python3-setuptools pyproject-rpm-macros python3-pytest python3-wheel +BuildRequires: python3-setuptools pyproject-rpm-macros python3-pytest python3-pytest-mock python3-wheel %description Security Hardening Toolkit, a set of tools to help secure and harden systems. diff --git a/secTools/secharden/pyproject.toml b/secTools/secharden/pyproject.toml index 25fb59c..df3ed10 100644 --- a/secTools/secharden/pyproject.toml +++ b/secTools/secharden/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "secharden" -version = "0.1.0" +version = "1.0.0" description = "command line for os hardening configuration management" readme = "README.md" authors = [ 
@@ -26,10 +26,11 @@ secharden = "secharden.secharden:main" dev = [ "pytest>=8.4.1", "pytest-cov>=6.2.1",
+ "pytest-mock>=3.14.1",
] [project.urls] Homepage = "https://gitee.com/openeuler/secGear" [tool.uv]
-package = true \ No newline at end of file
+package = true
diff --git a/secTools/secharden/src/secharden/cmd/__init__.py b/secTools/secharden/src/secharden/cmd/__init__.py new file mode 100644
index 0000000..b21884c
--- /dev/null
+++ b/secTools/secharden/src/secharden/cmd/__init__.py
@@ -0,0 +1,15 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+from secharden.cmd.command import Command
+from secharden.cmd.help import HelpCmd
+from secharden.cmd.list import ListCmd
+from secharden.cmd.apply import ApplyCmd
+from secharden.cmd.core import CoreCmd
diff --git a/secTools/secharden/src/secharden/cmd/apply.py b/secTools/secharden/src/secharden/cmd/apply.py new file mode 100644
index 0000000..a91fb34
--- /dev/null
+++ b/secTools/secharden/src/secharden/cmd/apply.py
@@ -0,0 +1,101 @@
+# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved.
+# secGear is licensed under the Mulan PSL v2.
+# You can use this software according to the terms and conditions of the Mulan PSL v2.
+# You may obtain a copy of Mulan PSL v2 at:
+# http://license.coscl.org.cn/MulanPSL2
+# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
+# PURPOSE.
+# See the Mulan PSL v2 for more details.
+
+import logging
+import os
+import sys
+from pathlib import Path
+
+from secharden.cmd import Command
+from secharden.config_parser import collect_configs, parse_config
+from secharden.exceptions import InvalidException, RuntimeException
+from secharden.executor import CmdExecutor
+from secharden.rule_metadata import RuleManager
+from secharden.utils import DirectoryPathVerifier
+
+
+class ApplyCmd(Command):
+ def __init__(self):
+ super().__init__('apply', 'Apply security rules from configuration files')
+ self._service_collector = set()
+
+ def _add_arguments(self, parser):
+ parser.add_argument('config', nargs='?', action=DirectoryPathVerifier, help="configuration path",
+ default=Path('/etc/secharden'))
+ parser.add_argument('-f', '--force', action='store_true',
+ help="force apply rules without checking root privileges")
+
+ def _apply_rule(self, rule: str, rule_conf: dict, rule_mgr: RuleManager):
+ """
+ Apply a single rule with its configuration.
+ Returns True if the rule was applied successfully, False otherwise.
+ """
+ if not rule_mgr.rule_exists(rule):
+ print(f"Error: Rule '{rule}' does not exist.", file=sys.stderr)
+ logging.error(f"Rule '{rule}' does not exist.")
+ raise InvalidException(f"Rule '{rule}' does not exist.")
+
+ if not rule_conf.pop('enabled', True):
+ logging.info(f"Rule {rule} is disabled in the configuration.")
+ return
+
+ metadata = rule_mgr.get_rule_metadata(rule)
+ print(f"Applying rule: {rule}...", end='', flush=True)
+
+ logging.info(f"====== Rule {rule} ======")
+ logging.debug(f"applying rule '{rule}' with configuration: {rule_conf}")
+ try:
+ metadata.apply(rule_conf)
+ print('ok')
+
+ # record services that need to be restarted
+ self._service_collector.update(metadata.services)
+ except InvalidException:
+ print('invalid configuration')
+ logging.error(f"Rule '{rule}' has invalid configuration: {rule_conf}")
+ except RuntimeException:
+ print('runtime error')
+ logging.error(f"Error applying rule '{rule}' with configuration: {rule_conf}")
+ finally:
+ logging.info(f"====== End of rule {rule} ======")
+
+ def _execute(self, rule_mgr: RuleManager, args):
+ if not args.force and not os.geteuid() == 0:
+ print(
+ "Error: This command requires root privileges. 
Please run as root or use --force to bypass this check.",
+ file=sys.stderr)
+ logging.error("This command requires root privileges.")
+ self._return_code = 1
+ return
+
+ try:
+ config = parse_config(collect_configs(args.config))
+ except InvalidException as e:
+ logging.error(f"Exception while parsing configuration from {args.config}")
+ print(f"Error parsing configuration: {e}", file=sys.stderr)
+ self._return_code = 1
+ return
+
+ for rule, rule_conf in config.items():
+ if rule_conf is None:
+ rule_conf = {}
+ self._apply_rule(rule, rule_conf, rule_mgr)
+
+ # restart services if any rules were applied
+ for service in self._service_collector:
+ print(f"Restarting service: {service}...", end='', flush=True)
+ try:
+ executor = CmdExecutor(['systemctl', 'restart', service])
+ executor.run()
+ print('ok')
+ except RuntimeException as e:
+ print('failed')
+ logging.error(f"Error restarting service '{service}': {e}")
+ print(f"Error restarting service '{service}': {e}", file=sys.stderr)
diff --git a/secTools/secharden/src/secharden/cmd/command.py b/secTools/secharden/src/secharden/cmd/command.py new file mode 100644
index 0000000..b915ed3
--- /dev/null
+++ b/secTools/secharden/src/secharden/cmd/command.py
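Review bot: Neither the InvalidException nor the RuntimeException branch in `_apply_rule` sets `self._return_code`, so an `apply` run whose rules fail still exits 0, whereas the `apply` loop this replaces set `code = 1` in those cases. Adding `self._return_code = 1` to both except branches, and to the service-restart failure branch in `_execute`, restores a non-zero exit that callers and automation can act on. The `_apply_rule` docstring promises "Returns True if the rule was applied successfully, False otherwise" but the method returns None on every path, so either return the bools or drop that sentence. A missing rule raises InvalidException out of `_apply_rule` and stops the whole loop at the first unknown rule, while invalid configuration on an existing rule is logged and the loop continues; if that asymmetry is intended it should be documented on `_apply_rule`.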
@@ -0,0 +1,73 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +import abc +import logging +from typing import final + +from secharden.rule_metadata import RuleManager + + +class Command(abc.ABC): + def __init__(self, name: str, description: str): + self._name = name + self._description = description + self._return_code = 0 + + @abc.abstractmethod + def _execute(self, rule_mgr: RuleManager, args): + """ + Execute the command with the given arguments. + :param rule_mgr: An instance of RuleManager to manage rules. + :param args: Arguments for the command. + """ + raise NotImplementedError() + + @final + def execute(self, rule_mgr: RuleManager, args) -> int: + """ + Execute the command and return the result. + :param rule_mgr: An instance of RuleManager to manage rules. + :param args: Arguments for the command. + :return: The result of the command execution. + """ + try: + self._execute(rule_mgr, args) + except Exception as e: + logging.fatal(f"uncaught exception in command {self._name} with exception {type(e).__name__}:") + logging.exception(e) + if self._return_code == 0: + self._return_code = 1 + return self._return_code + + @abc.abstractmethod + def _add_arguments(self, parser): + """ + Add common arguments to the parser. + :param parser: The parser to which common arguments will be added. + """ + raise NotImplementedError() + + def add_parser(self, subparser): + """ + Add command-specific arguments to the parser. 
+ :param subparser: The subparser to which command-specific arguments will be added. + """ + command_parser = subparser.add_parser(self._name, help=self._description) + self._add_arguments(command_parser) + command_parser.set_defaults(command=self) + + @property + def name(self) -> str: + """ + Get the name of the command. + :return: The name of the command. + """ + return self._name diff --git a/secTools/secharden/src/secharden/cmd/core.py b/secTools/secharden/src/secharden/cmd/core.py new file mode 100644 index 0000000..5d47a8f --- /dev/null +++ b/secTools/secharden/src/secharden/cmd/core.py 
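Review bot: `Command.execute` converts every uncaught exception into return code 1 but reports it only through `logging.fatal`/`logging.exception`, so an operator at the terminal sees the command fail with no message at all; add `print(f"Error: {type(e).__name__}: {e}", file=sys.stderr)` beside the `logging.fatal` call (requires `import sys`). The two docstrings below also read as swapped: `_add_arguments` says "Add common arguments to the parser" although it is the per-command hook, and `add_parser` says "Add command-specific arguments" although it registers the sub-parser; suggest `"""Add this command's own arguments to its sub-parser."""` and `"""Register this command as a sub-command and attach its arguments."""` respectively.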
@@ -0,0 +1,41 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +from pathlib import Path + +from secharden.cmd import Command +from secharden.rule_metadata import RuleManager +from secharden.utils import HOME_DIR + + +class CoreCmd(Command): + """ + Core command for handling basic functionalities. + """ + + def __init__(self): + super().__init__("hint", "Core command for handling basic functionalities.") + + def _add_arguments(self, parser): + pass + + def add_parser(self, args): + # do not add sub-command here since it is the core command + version_file = HOME_DIR.joinpath("VERSION") + args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) + args.add_argument("-r", "--rules", type=Path, + help="rule script directory", default=HOME_DIR.joinpath('tools')) + args.add_argument('-l', '--logs', type=Path, help="log directory", default=Path('/var/log/secharden')) + args.add_argument("-d", "--debug", action='store_true', help="debug mode") + args.set_defaults(command=self) + + def _execute(self, rule_mgr: RuleManager, args): + print("Please specify a sub-command. Use 'secharden --help' for usage information.") + self._return_code = 1 diff --git a/secTools/secharden/src/secharden/cmd/help.py b/secTools/secharden/src/secharden/cmd/help.py new file mode 100644 index 0000000..a2413f8 --- /dev/null +++ b/secTools/secharden/src/secharden/cmd/help.py 
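Review bot: `-r/--rules` accepts any path unchecked, yet the entry scripts found under it are what `apply` executes, normally as root (its euid check is bypassed only with `--force`); validate it the way the old `apply` parser validated its config path, `args.add_argument("-r", "--rules", action=DirectoryPathVerifier, ...)` from `secharden.utils`, and say in the help text that the directory must not be writable by unprivileged users because its scripts run with root privileges. `add_parser(self, args)` also overrides the base `add_parser(subparser)` while giving its argument a different meaning (the root parser rather than a subparsers group); a one-line comment or a distinct name such as `add_root_arguments` would make that deliberate. Note that `version_file.read_text(...)` runs while the parser is being built, so a missing VERSION file aborts even `--help` with a traceback.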
@@ -0,0 +1,41 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +from secharden.cmd import Command +from secharden.cmd.list import list_rules +from secharden.rule_metadata import RuleManager + + +class HelpCmd(Command): + def __init__(self): + super().__init__("help", "Show help doc for rule or category") + + def _add_arguments(self, parser): + parser.add_argument("rule", nargs=1, help="rule or category id to show help for") + + def _execute(self, rule_mgr: RuleManager, args): + """ + Execute the help command to show documentation for a specific rule or category. + :param rule_mgr: RuleManager instance to access rules and categories. + :param args: Parsed arguments containing the rule or category to show help for. + """ + rule = args.rule[0] + + if rule_mgr.category_exists(rule): + print(rule_mgr.get_category_desc(rule).doc, end='') + self._return_code = list_rules(rule_mgr, rule) + return + + if rule_mgr.rule_exists(rule): + print(rule_mgr.get_rule_metadata(rule).doc, end='') + return + + print(f"'{rule}' not found. Use 'secharden list' to see available categories and rules.") + self._return_code = 1 diff --git a/secTools/secharden/src/secharden/cmd/list.py b/secTools/secharden/src/secharden/cmd/list.py new file mode 100644 index 0000000..16ce1bf --- /dev/null +++ b/secTools/secharden/src/secharden/cmd/list.py 
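Review bot: The not-found message at the end of `_execute` goes to stdout even though the command then sets a non-zero return code; the error paths in `apply.py` in this series write to stderr, so for consistency use `print(f"'{rule}' not found. Use 'secharden list' to see available categories and rules.", file=sys.stderr)` with `import sys`. Style: `nargs=1` is what forces the `args.rule[0]` unpacking; dropping `nargs` keeps a single required positional and yields a plain string.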
@@ -0,0 +1,51 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +import logging +from typing import Optional + +from secharden.cmd import Command +from secharden.rule_metadata import RuleManager + + +def list_rules(rule_mgr: RuleManager, category: Optional[str] = None) -> int: + """ + List available rules in the specified category or all categories. + If a category is specified, it will list rules only in that category. + If no category is specified, it will list rules in all categories. + :param rule_mgr: RuleManager instance to manage rules + :param category: Category to list rules for + :return: 0 if successful, 1 if the category does not exist + """ + categories = [category] if category else rule_mgr.categories + if category and not rule_mgr.category_exists(category): + logging.error(f"Category '{category}' not found.") + print(f"Category '{category}' not found.") + return 1 + + for category_id in categories: + category = rule_mgr.get_category_desc(category_id) + print(f"{category_id}: {category.name}") + rules = rule_mgr.get_rules_by_category(category_id) + for rule in rules: + metadata = rule_mgr.get_rule_metadata(rule) + print(f"\t{rule}: {metadata.name}") + return 0 + + +class ListCmd(Command): + def __init__(self): + super().__init__("list", "List available rules") + + def _add_arguments(self, parser): + parser.add_argument("category", nargs='?', help="category of rule to list") + + def _execute(self, rule_mgr: RuleManager, args): + self._return_code = 
list_rules(rule_mgr, args.category) diff --git a/secTools/secharden/src/secharden/config_parser.py b/secTools/secharden/src/secharden/config_parser.py index 553af41..e924e97 100644 --- a/secTools/secharden/src/secharden/config_parser.py +++ b/secTools/secharden/src/secharden/config_parser.py @@ -15,6 +15,8 @@ from typing import Dict, List, Any import yaml import jsonschema +from secharden.exceptions import InvalidException + # just limit to dict is enough CHECK_SCHEMA = { "$schema": "http://json-schema.org/draft-07/schema#", @@ -43,12 +45,15 @@ def collect_configs(config_dir: Path) -> List[Path]: """ Collects all configuration files from the specified directory. It looks for a main config file and additional config files in a subdirectory. + :param config_dir: Path to the directory containing configuration files. + :return: A list of Paths to the configuration files. + :raises InvalidException: If the main config file is not found. """ file_collection: List[Path] = [] baseline = config_dir.joinpath("secharden.conf") if not baseline.exists(): - raise FileNotFoundError(f"Config file is not found in {config_dir}") + raise InvalidException(f"Config file is not found in {config_dir}") file_collection.append(baseline) user_config = config_dir.joinpath("secharden.conf.d") @@ -67,11 +72,11 @@ def parse_config(configs: List[Path]) -> Dict[str, Dict[str, Any]]: try: yaml_data = yaml.safe_load(file.read_text('utf-8')) jsonschema.validate(yaml_data, CHECK_SCHEMA) - except yaml.YAMLError as e: - logging.error(f"Error parsing YAML file {file}: {e}") - continue - except jsonschema.ValidationError as e: + except Exception as e: logging.error(f"Error parsing YAML file {file}: {e}") continue result.update(yaml_data) + if len(result) == 0: + logging.error(f"No valid configuration found in the provided files: {configs}") + raise InvalidException("No valid configuration found in the provided files.") return result 
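Review bot: In `list_rules` the parameter `category` is reassigned inside the loop to the `CategoryMetadata` object (`category = rule_mgr.get_category_desc(category_id)`), so the same name holds a string in the guard and an object in the loop; rename the loop-local, `desc = rule_mgr.get_category_desc(category_id)` and `print(f"{category_id}: {desc.name}")`. The "Category not found" line is also printed to stdout while `apply.py` in this series sends errors to stderr; `file=sys.stderr` would keep the CLI consistent.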
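Review bot: `parse_config` still logs-and-skips any file that fails to load or validate (`except Exception ... continue`), which for a hardening tool is fail-open: a typo in one `secharden.conf.d` drop-in silently leaves those rules unapplied while the run otherwise reports success. Consider `raise InvalidException(f"Invalid configuration file {file}: {e}") from e` in place of `continue`, or at least mirror the message to stderr so the operator sees it; if skipping is intentional, state that in the docstring. Widening the handler to `except Exception` also hides `OSError`/`UnicodeDecodeError` from `read_text`; a tuple of the expected types keeps a missing file distinguishable from a malformed one. `parse_config`'s signature and the start of its loop are outside this hunk.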
diff --git a/secTools/secharden/src/secharden/devtools/gendoc.py b/secTools/secharden/src/secharden/devtools/gendoc.py index 8433579..b10859e 100644 --- a/secTools/secharden/src/secharden/devtools/gendoc.py +++ b/secTools/secharden/src/secharden/devtools/gendoc.py @@ -38,13 +38,8 @@ def generate_doc(root: Path, overwrite: bool): for category_id in rules.categories: output_stream.write(rules.get_category_desc(category_id).doc) for rule in rules.get_rules_by_category(category_id): - try: - logging.info(f"Generating doc for rule: {rule}") - output_stream.write(rules.get_rule_metadata(rule).doc) - except Exception as e: - logging.error(f"Error generating doc for rule: {rule}") - raise e - + logging.info(f"Generating doc for rule: {rule}") + output_stream.write(rules.get_rule_metadata(rule).doc) output_stream.write("\n") output_stream.write("> Generated By docgen tool.\n\n") output_stream.close() diff --git a/secTools/secharden/src/secharden/exceptions/__init__.py b/secTools/secharden/src/secharden/exceptions/__init__.py new file mode 100644 index 0000000..fa262c1 --- /dev/null +++ b/secTools/secharden/src/secharden/exceptions/__init__.py @@ -0,0 +1,20 @@ +import logging + + +class InvalidException(Exception): + """Invalid data exception.""" + + def __init__(self, message=None): + if message is None: + message = "Invalid Exception" + super().__init__(message) + logging.exception(message) + +class RuntimeException(Exception): + """Runtime error exception.""" + + def __init__(self, message=None): + if message is None: + message = "Runtime Exception" + super().__init__(message) + logging.exception(message) diff --git a/secTools/secharden/src/secharden/executor.py b/secTools/secharden/src/secharden/executor.py index 78b5f50..0037950 100644 --- a/secTools/secharden/src/secharden/executor.py +++ b/secTools/secharden/src/secharden/executor.py 
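Review bot: Calling `logging.exception(message)` inside the exception constructors emits an ERROR record with a traceback at construction time, which is wrong in both directions: when the exception is created outside an `except` block (e.g. `raise InvalidException(f"Rule '{rule}' does not exist.")` in `apply.py`) the traceback line is `NoneType: None`, and when it is created only to be caught and handled (the per-rule skip in `manager.py`) an ERROR is still logged. Drop the two `logging.exception` calls and log at the catch sites, or downgrade them to `logging.debug`. This new file is also missing the Mulan PSL header that the other new files in this commit carry.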
@@ -8,10 +8,10 @@ # PURPOSE. # See the Mulan PSL v2 for more details. -from pathlib import Path +import logging from typing import Dict, List -import logging +from secharden.exceptions import InvalidException, RuntimeException class CmdTemplate: @@ -24,7 +24,7 @@ class CmdTemplate: Initializes the CmdTemplate with a command template string. The template can contain variables prefixed with % and escaped variables with %%. :param template: The command template string. - :raises ValueError: If the template is invalid (e.g., contains a variable with no id). + :raises InvalidException: If the template is invalid (e.g., contains a variable with no id). """ self._template = template.split(' ') self._variable_index: Dict[str, List[int]] = self._parse_cmd_template() @@ -39,7 +39,7 @@ class CmdTemplate: if cmd.startswith('%'): variable_id = cmd[1:] if len(variable_id) == 0: - raise ValueError('invalid cmd template with no id') + raise InvalidException('invalid cmd template with no id') if variable_id in variable_index: variable_index[variable_id].append(i) else: @@ -131,12 +131,12 @@ class CmdExecutor: It allows adding arguments and environment variables, and runs the command in a subprocess. """ - def __init__(self, entry: Path): + def __init__(self, entry: List[str]): """ Initializes the CmdExecutor with a command entry point. :param entry: The path to the command entry point. """ - self._cmd = [str(entry)] + self._cmd = entry.copy() self._env = {} def add_args(self, args: CmdParameter): @@ -164,9 +164,9 @@ class CmdExecutor: if result.returncode != 0: logging.error(f"Command execution failed with return code {result.returncode}") - logging.error(f"Command output: {result.stdout}") + logging.error(f"Command stdout: {result.stdout}") err = result.stderr - logging.error("Command output: {err}") - raise RuntimeError(f"Command failed with error: {err}") + logging.error(f"Command stderr: {err}") + raise RuntimeException(f"Command failed with error: {err}") return result.stdout 
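Review bot: The `CmdExecutor.__init__` docstring still reads `:param entry: The path to the command entry point.` although the parameter is now the argv list; change it to `:param entry: argv of the command to run (program followed by any fixed arguments); copied so the caller's list is not mutated.` and prefer `self._cmd = list(entry)` over `entry.copy()` so any sequence is accepted. The class is otherwise unchanged outside this hunk.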
diff --git a/secTools/secharden/src/secharden/rule_metadata/converters/file_list.py b/secTools/secharden/src/secharden/rule_metadata/converters/file_list.py index 8823e49..69fdec4 100644 --- a/secTools/secharden/src/secharden/rule_metadata/converters/file_list.py +++ b/secTools/secharden/src/secharden/rule_metadata/converters/file_list.py @@ -7,7 +7,7 @@ # IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR # PURPOSE. # See the Mulan PSL v2 for more details. - +import logging from tempfile import NamedTemporaryFile import os from secharden.executor import CmdParameter @@ -21,7 +21,7 @@ class FileListConverter(ConfigConverter): def __init__(self): super().__init__() - self.temp_file = None + self._temp_file = None def generate(self, parameter: CmdParameter, config): """ @@ -29,10 +29,10 @@ class FileListConverter(ConfigConverter): """ if not isinstance(config, list): raise ValueError("file_list value must be a list") - self.temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list") - self.temp_file.writelines([str(i) for i in config]) - self.temp_file.flush() - parameter.add_variable("file", self.temp_file.name) + self._temp_file = NamedTemporaryFile("wt", delete=False, suffix=".list") + self._temp_file.writelines([str(i) for i in config]) + self._temp_file.flush() + parameter.add_variable("file", self._temp_file.name) def verify(self, parameter: RuleParameter): """ @@ -49,10 +49,10 @@ class FileListConverter(ConfigConverter): """ Cleans up the temporary file created during the generation process. """ - if self.temp_file: + if self._temp_file: try: - self.temp_file.close() + self._temp_file.close() except Exception as e: - print(f"Error closing temp file: {e}") + logging.error(f"Error closing temp file: {e}") finally: - os.remove(self.temp_file.name) + os.remove(self._temp_file.name) 
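Review bot: `self._temp_file.writelines([str(i) for i in config])` writes the entries back-to-back with no separator, because `writelines` adds none, so a config of `["/a", "/b"]` yields the single token `/a/b` in the list file; unless the consuming script expects that, write `self._temp_file.write("".join(f"{i}\n" for i in config))`. The `raise ValueError("file_list value must be a list")` is also the only validation error in this series not raised as `InvalidException`, and `RuleMetadata.apply` wraps it into `RuntimeException`, so a bad config surfaces as "runtime error" rather than "invalid configuration"; raising `InvalidException` here keeps the classification right.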
diff --git a/secTools/secharden/src/secharden/rule_metadata/manager.py b/secTools/secharden/src/secharden/rule_metadata/manager.py index 692133a..90c7dcf 100644 --- a/secTools/secharden/src/secharden/rule_metadata/manager.py +++ b/secTools/secharden/src/secharden/rule_metadata/manager.py @@ -14,7 +14,7 @@ from typing import List, Dict, Any import jsonschema -from secharden.executor import CmdExecutor, CmdParameter +from secharden.exceptions import InvalidException from secharden.rule_metadata import RuleMetadata from secharden.rule_metadata.metadata import CategoryMetadata from secharden.utils import load_json_file, HOME_DIR @@ -138,11 +138,14 @@ class RuleManager: Reloads the rules and categories from the rules directory. This method reads the categories.json file and validates it against the schema. It then collects all valid rules for each category and stores them in the manager. - :raises jsonschema.ValidationError: If the categories.json file does not conform to the schema + :raises InvalidException: If the categories.json file not found or does not conform to the schema :raises ValueError: If the rules directory does not contain a valid categories.json file """ - categories: Dict[str, Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json')) - jsonschema.validate(categories, load_json_file(HOME_DIR.joinpath('schema/categories.schema.json'))) + try: + categories: Dict[str, Dict[str, Any]] = load_json_file(self._dir.joinpath('categories.json')) + jsonschema.validate(categories, load_json_file(HOME_DIR.joinpath('schema/categories.schema.json'))) + except Exception as e: + raise InvalidException(e) # id is verified by jsonschema for category_id in sorted(categories.keys()): 
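Review bot: `raise InvalidException(e)` inside the new `except Exception` discards the original traceback, so a schema violation in `categories.json` no longer points at the offending field; use `raise InvalidException(e) from e`. The docstring above still lists `:raises ValueError:` for a rules directory without a valid categories.json, but that path is now converted to `InvalidException`, so the stale line should be removed.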
@@ -150,13 +153,13 @@ class RuleManager: rules: List[str] = [] for rule_path in self._dir.glob(f"{category_id}.*"): if not precheck(rule_path): + logging.warning(f"Skipping invalid rule path: {rule_path}") continue try: RuleMetadata(rule_path) rules.append(rule_path.name) - except Exception as e: - logging.warning(f"Rule path {rule_path} is not valid") - logging.exception(e) + except InvalidException: + logging.error(f"Rule dir {rule_path} is not valid") if len(rules) == 0: logging.error(f"No rules found for category {category_id}") 
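Review bot: The narrowed handler `except InvalidException:` logs only `Rule dir {rule_path} is not valid` and drops the reason; bind the exception and include it, `except InvalidException as e: logging.error(f"Rule dir {rule_path} is not valid: {e}")`. Any other exception from `RuleMetadata(rule_path)` (previously swallowed by `except Exception`) now propagates and aborts the whole reload instead of skipping one rule; that is a defensible fail-closed choice for a hardening tool, but it should be stated in `reload`'s docstring, which is above this hunk.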
@@ -164,58 +167,3 @@ class RuleManager: self._categories.append(category_id) self._rules.extend(sorted(rules, key=lambda r: int(r.split('.', 1)[1]))) - - def apply_rule(self, rule: str, config=None) -> bool: - """ - Applies a rule with the given configuration. - :param rule: The ID of the rule to apply - :param config: A dictionary containing configuration parameters for the rule - :raises ValueError: If the rule does not exist or if required parameters are missing in the configuration - :return: True if the rule was applied successfully, False otherwise - """ - if config is None: - config = {} - if not self.rule_exists(rule): - raise ValueError(f"Rule {rule} not found.") - - # pop the 'enabled' key from config, if any - if not config.pop('enabled', True): - logging.warning(f"Rule {rule} is disabled in the configuration.") - return True - - logging.debug(f"Applying rule {rule} with config: {config}") - metadata = self.get_rule_metadata(rule) - executor = CmdExecutor(metadata.entry) - - # generate command line parameters - converter_instances = [] - for param in metadata.parameters: - if param.id not in config: - raise ValueError(f"Parameter {param.id} is missing in the configuration for rule {rule}.") - converter = param.converter() - cmd_param = CmdParameter(param.cmd_template) - try: - converter.generate(cmd_param, config[param.id]) - except Exception as e: - # cleanup first - for instance in converter_instances: - instance.cleanup() - logging.error(f"Failed to generate command line on parameter {param.id}.") - logging.exception(e) - return False - converter_instances.append(converter) - executor.add_args(cmd_param) - try: - logging.info(f"====== Rule {rule} command execution ======") - result = executor.run().splitlines() - for line in result: - logging.info(line) - return True - except Exception as e: - logging.error(f"Failed to execute command for rule {rule}.") - logging.exception(e) - return False - finally: - logging.info(f"====== End of rule {rule} command 
execution ======") - for instance in converter_instances: - instance.cleanup() diff --git a/secTools/secharden/src/secharden/rule_metadata/metadata.py b/secTools/secharden/src/secharden/rule_metadata/metadata.py index e5f5411..3774ff8 100644 --- a/secTools/secharden/src/secharden/rule_metadata/metadata.py +++ b/secTools/secharden/src/secharden/rule_metadata/metadata.py @@ -16,7 +16,8 @@ from typing import List, Dict, Any, Optional import jsonschema -from secharden.executor import CmdTemplate, CmdParameter +from secharden.exceptions import InvalidException, RuntimeException +from secharden.executor import CmdTemplate, CmdParameter, CmdExecutor from secharden.utils import load_json_file, HOME_DIR @@ -29,15 +30,14 @@ class RuleParameter: """ Initializes a RuleParameter instance. :param parameter: A dictionary containing the parameter metadata. - :raises NotImplementedError: If the specified converter is not implemented. - :raises Exception: If the verification of the parameter fails. + :raises InvalidException: If the verification of the parameter fails. """ self._id = parameter['id'] self._name = parameter['name'] self._description = parameter['description'] converter = ConverterManager().find_converter(parameter['converter']) if converter is None: - raise NotImplementedError(f'converter of type {parameter["converter"]} is not implemented') + raise InvalidException(f'converter of type {parameter["converter"]} is not implemented') self._converter: type['ConfigConverter'] = converter self._cmd_template: CmdTemplate = CmdTemplate(parameter['cmd_template']) self._verify_rule_params() @@ -51,8 +51,7 @@ class RuleParameter: self._converter().verify(self) except Exception as e: logging.error(f"Verification failed for parameter: {self._id}") - logging.exception(e) - raise e + raise InvalidException(e) @property def id(self) -> str: 
@@ -106,7 +105,7 @@ class ConfigConverter(abc.ABC): :param parameter: The command parameter to apply to. :param config: The configuration to convert. """ - pass + raise NotImplementedError() def cleanup(self): """ @@ -121,7 +120,7 @@ class ConfigConverter(abc.ABC): Verifies the rule parameter using the converter. :param parameter: The rule parameter to verify. """ - pass + raise NotImplementedError() class ConverterManager: @@ -189,14 +188,13 @@ class RuleMetadata: """ Initializes a RuleMetadata instance by loading metadata from a JSON file. :param root: The root directory containing the metadata.json file. - :raises FileNotFoundError: If the metadata.json file does not exist. - :raises ValueError: If the entry file does not match the expected format or if the metadata id does not match the directory name. - :raises jsonschema.ValidationError: If the metadata does not conform to the defined schema. - :raises NotImplementedError: If a specified converter is not implemented. - :raises Exception: If the verification of the rule parameters fails. + :raises InvalidException: If the metadata file is invalid or if required fields are missing. """ - data = load_json_file(root.joinpath("metadata.json")) - jsonschema.validate(data, RuleMetadata._metadata_schema) + try: + data = load_json_file(root.joinpath("metadata.json")) + jsonschema.validate(data, RuleMetadata._metadata_schema) + except Exception as e: + raise InvalidException(e) self._id: str = data['id'] self._name: str = data['name'] 
@@ -205,11 +203,12 @@ class RuleMetadata: self._entry: Path = self._parse_entry(data['entry']) self._parameters: List[RuleParameter] = [RuleParameter(d) for d in data.get('parameters', [])] self._urls: List[UrlDescriptor] = [UrlDescriptor(**u) for u in data.get('urls', [])] + self._service: List[str] = data.get('services', []) if not self._entry.is_file(): - raise ValueError(f"Entry file {self._entry} for {self._id} is not a regular file") + raise InvalidException(f"Entry file {self._entry} for {self._id} is not a regular file") if not self._id == root.name: - raise ValueError(f"Metadata id {self._id} does not match directory name {root.name}") + raise InvalidException(f"Metadata id {self._id} does not match directory name {root.name}") def _parse_entry(self, entry: str) -> Path: # check if entry exists in root path 
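Review bot: `self._entry.is_file()` is the only check applied to a script that `apply` will later execute, normally as root (the euid check in `apply.py` is bypassed only with `--force`); add a permission check so a world-writable rule script is rejected, e.g. `if self._entry.stat().st_mode & 0o002: raise InvalidException(f"Entry file {self._entry} for {self._id} is world-writable")`. Minor naming point: the attribute is `self._service` but it holds a list exposed through the `services` property; `self._services` would match.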
@@ -228,9 +227,56 @@ class RuleMetadata: return entry_path # finally raise not found error - raise FileNotFoundError( + raise InvalidException( f"Entry file {entry} for {self._id} does not exist in the root path or PATH environment variable") + def apply(self, config=None): + """ + Applies a rule with the given configuration. + :param config: A dictionary containing configuration parameters for the rule + :raises InvalidException: If the rule does not exist or if required parameters are missing in the configuration + :raises RuntimeException: If the command execution fails + """ + if config is None: + config = {} + + # pop the 'enabled' key from config, if any + rule = self._id + logging.debug(f"Applying rule {rule} with config: {config}") + executor = CmdExecutor([str(self._entry)]) + + # generate command line parameters + converter_instances = [] + for param in self._parameters: + if param.id not in config: + raise InvalidException(f"Parameter {param.id} is missing in the configuration for rule {rule}.") + converter = param.converter() + cmd_param = CmdParameter(param.cmd_template) + try: + converter.generate(cmd_param, config[param.id]) + except Exception as e: + # cleanup first + for instance in converter_instances: + instance.cleanup() + logging.error(f"Failed to generate command line on parameter {param.id}.") + raise RuntimeException(e) + converter_instances.append(converter) + executor.add_args(cmd_param) + + # execute the command + try: + logging.info(f"====== Rule {rule} command execution ======") + result = executor.run().splitlines() + for line in result: + logging.info(line) + except Exception as e: + logging.error(f"Failed to execute command for rule {rule}.") + raise RuntimeException(e) + finally: + logging.info(f"====== End of rule {rule} command execution ======") + for instance in converter_instances: + instance.cleanup() + @property def id(self) -> str: """ 
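Review bot: In `apply` every failure from `converter.generate` is re-raised as `RuntimeException`, so a configuration error detected by a converter reaches `_apply_rule` as "runtime error" rather than "invalid configuration" (the docstring's own `:raises InvalidException:` for bad parameters is only honoured for the missing-key case); let `InvalidException` pass through and chain the wrapped ones with `from e` so the original traceback survives, which also requires converters to raise `InvalidException` for config errors. The comment `# pop the 'enabled' key from config, if any` no longer describes anything here, since the pop moved to `_apply_rule` in `apply.py`, and should be removed.
```python
        for param in self._parameters:
            if param.id not in config:
                raise InvalidException(f"Parameter {param.id} is missing in the configuration for rule {rule}.")
            converter = param.converter()
            cmd_param = CmdParameter(param.cmd_template)
            try:
                converter.generate(cmd_param, config[param.id])
            except InvalidException:
                # configuration problem: keep the classification the caller relies on
                for instance in converter_instances:
                    instance.cleanup()
                raise
            except Exception as e:
                for instance in converter_instances:
                    instance.cleanup()
                logging.error(f"Failed to generate command line on parameter {param.id}.")
                raise RuntimeException(e) from e
            converter_instances.append(converter)
            executor.add_args(cmd_param)
        # … unchanged: command execution and cleanup …
```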
@@ -273,6 +319,13 @@ class RuleMetadata: """ return self._parameters + @property + def services(self) -> List[str]: + """ + Returns the list of services associated with the rule. + """ + return self._service + @property def urls(self) -> List[UrlDescriptor]: """ diff --git a/secTools/secharden/src/secharden/schema/metadata.schema.json b/secTools/secharden/src/secharden/schema/metadata.schema.json index ed6529c..685e866 100644 --- a/secTools/secharden/src/secharden/schema/metadata.schema.json +++ b/secTools/secharden/src/secharden/schema/metadata.schema.json @@ -60,6 +60,14 @@ "additionalProperties": false } }, + "services": { + "type": "array", + "description": "services to be restart after rule execution", + "items": { + "type": "string", + "description": "service name to be restarted" + } + }, "urls": { "type": "array", "description": "reference urls", diff --git a/secTools/secharden/src/secharden/secharden.py b/secTools/secharden/src/secharden/secharden.py index 3b6366e..ec5c3b5 100644 --- a/secTools/secharden/src/secharden/secharden.py +++ b/secTools/secharden/src/secharden/secharden.py 
@@ -11,125 +11,30 @@ import argparse import logging import sys -from logging.handlers import TimedRotatingFileHandler -from pathlib import Path -from secharden.config_parser import parse_config, collect_configs +from secharden.cmd import CoreCmd, ApplyCmd, ListCmd, HelpCmd from secharden.rule_metadata import RuleManager -from secharden.utils import DirectoryPathVerifier, HOME_DIR - - -def list_rules(rule_mgr: RuleManager, args) -> int: - categories = [args.category] if args.category else rule_mgr.categories - if args.category and not rule_mgr.category_exists(args.category): - logging.error(f"Category '{args.category}' not found.") - print(f"Category '{args.category}' not found.") - return 1 - - for category_id in categories: - category = rule_mgr.get_category_desc(category_id) - print(f"{category_id}: {category.name}") - rules = rule_mgr.get_rules_by_category(category_id) - for rule in rules: - metadata = rule_mgr.get_rule_metadata(rule) - print(f"\t{rule}: {metadata.name}") - return 0 - - -def apply(rule_mgr: RuleManager, args) -> int: - try: - config = parse_config(collect_configs(args.config)) - except Exception as e: - logging.error(f"Exception while parsing configuration from {args.config}") - logging.exception(e) - print(f"Error parsing configuration: {e}", file=sys.stderr) - return 1 - - code = 0 - for rule, rule_conf in config.items(): - print(f"Applying rule: {rule}...", end='', flush=True) - - logging.info(f"====== Rule {rule} ======") - logging.debug(f"applying rule '{rule}' with config {rule_conf}") - try: - if not rule_mgr.apply_rule(rule, rule_conf): - print('err') - logging.error(f"Exception while applying rule '{rule}' with config {rule_conf}") - code = 1 - continue - print('ok') - except ValueError as e: - print('err') - print(f"Error applying rule '{rule}': {e}", file=sys.stderr) - logging.error(f"Rule '{rule}' not found or invalid configuration: {rule_conf}") - logging.exception(e) - code = 1 - finally: - logging.info(f"====== End of rule {rule} 
======") - return code - - -def help_message(rule_mgr: RuleManager, args) -> int: - rule = args.rule[0] - - if rule_mgr.category_exists(rule): - try: - print(rule_mgr.get_category_desc(rule).doc, end='') - args.category = rule - return list_rules(rule_mgr, args) - except Exception as e: - logging.error(f"Exception while retrieving help for category '{rule}'") - logging.exception(e) - print(f"Error retrieving help for category '{rule}'", file=sys.stderr) - return 1 - - if rule_mgr.rule_exists(rule): - try: - print(rule_mgr.get_rule_metadata(rule).doc, end='') - return 0 - except Exception as e: - logging.error(f"Exception while retrieving help for rule '{rule}'") - logging.exception(e) - print(f"Error retrieving help for rule '{rule}'", file=sys.stderr) - return 1 - - print(f"'{rule}' not found. Use 'secharden list' to see available categories and rules.") - return 1 - - -def hint(*_ignored) -> int: - print("Please specify a sub-command. Use 'secharden --help' for usage information.") - return 1 +from secharden.utils import setup_logger def main(argv=None): args = argparse.ArgumentParser(prog="secharden") # base args - version_file = HOME_DIR.joinpath("VERSION") - args.add_argument('-v', '--version', action='version', version=version_file.read_text('utf-8').strip()) - args.add_argument("-r", "--rules", type=Path, - help="rule script directory", default=HOME_DIR.joinpath('tools')) - args.add_argument('-l', '--logs', type=Path, help="log directory", default=Path('/var/log/secharden')) - args.add_argument("-d", "--debug", action='store_true', help="debug mode") - args.set_defaults(func=hint) + CoreCmd().add_parser(args) subparser = args.add_subparsers(help="sub-commands") - # apply config - apply_parser = subparser.add_parser("apply", help="apply config to system") - apply_parser.add_argument('config', nargs='?', action=DirectoryPathVerifier, help="configuration path", - default=Path('/etc/secharden')) - apply_parser.set_defaults(func=apply) - - # list rules - 
list_parser = subparser.add_parser("list", help="list available rules") - list_parser.add_argument("category", nargs='?', help="category of rule to list") - list_parser.set_defaults(func=list_rules) - - # documentation for rules - help_parser = subparser.add_parser("help", help="show help doc for rule or category") - help_parser.add_argument("rule", nargs=1, help="rule or category id to show help for") - help_parser.set_defaults(func=help_message) + commands = [ + # apply rule configs + ApplyCmd(), + # list rules + ListCmd(), + # rule help messages + HelpCmd() + ] + + for cmd in commands: + cmd.add_parser(subparser) try: args = args.parse_args(argv) @@ -139,25 +44,9 @@ def main(argv=None): return 1 # setup logging - logging_level = logging.INFO - if args.debug: - logging_level = logging.DEBUG - try: - if not args.logs.exists(): - args.logs.mkdir(parents=True, exist_ok=True) - if not args.logs.is_dir(): - raise ValueError(f"Log path {args.logs} is not a directory.") + setup_logger(args.logs, args.debug) - handlers = [ - logging.handlers.TimedRotatingFileHandler(filename=args.logs.joinpath('secharden.log'), when='D', - encoding='utf-8') - ] - logging.basicConfig(handlers=handlers, level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s') - except Exception as e: - print("Error: Cannot write to log directory. Using console output instead.", file=sys.stderr) - logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s', stream=sys.stderr) - logging.exception(e) - logging.info(f"start secharden: {args.func.__name__}") + logging.info(f"start secharden: {args.command.name}") # init rule manager after logging are set up - return args.func(RuleManager(args.rules), args) + return args.command.execute(RuleManager(args.rules), args) diff --git a/secTools/secharden/src/secharden/tools/login.01/metadata.json b/secTools/secharden/src/secharden/tools/login.01/metadata.json index 8511855..4bf6d3e 100644 
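Review bot: `RuleManager(args.rules)` now raises `InvalidException` when `categories.json` is missing or invalid (see `manager.py` in this series), and nothing in `main` catches it, so a bad `--rules` directory ends in a traceback instead of the `Error:` line plus return code 1 used elsewhere in the CLI; wrap the construction as below (needs `from secharden.exceptions import InvalidException`). The removed logging block also used to fall back to stderr when the log directory was not writable; if `setup_logger` does not preserve that fallback (its body is in `utils.py`, outside this diff), a non-root `secharden list` against the default `/var/log/secharden` now fails before any sub-command runs, which is worth confirming. `main`'s signature and argument parsing are above this hunk.
```python
    # … unchanged: setup_logger(args.logs, args.debug) and the start log line …
    try:
        rule_mgr = RuleManager(args.rules)
    except InvalidException as e:
        print(f"Error: cannot load rules from {args.rules}: {e}", file=sys.stderr)
        return 1
    return args.command.execute(rule_mgr, args)
```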
--- a/secTools/secharden/src/secharden/tools/login.01/metadata.json +++ b/secTools/secharden/src/secharden/tools/login.01/metadata.json @@ -2,5 +2,6 @@ "id": "login.01", "name": "禁止空口令登录", "description": "禁止空口令登录。若允许空口令登录,会增加空口令账号本身被攻击或被用来作为攻击账号的风险。", - "entry": "disable_ssh_no_pass.sh" + "entry": "disable_ssh_no_pass.sh", + "services": ["sshd"] } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/login.02/metadata.json b/secTools/secharden/src/secharden/tools/login.02/metadata.json index 57bca75..e7c6243 100644 --- a/secTools/secharden/src/secharden/tools/login.02/metadata.json +++ b/secTools/secharden/src/secharden/tools/login.02/metadata.json @@ -2,5 +2,6 @@ "id": "login.02", "name": "禁止使用PermitUserEnvironment", "description": "禁止使用PermitUserEnvironment。PermitUserEnvironment允许用户设置SSH环境变量,则攻击者可以通过修改SSH环境变量绕过安全机制,或者执行攻击代码。", - "entry": "disable_ssh_permit_user_environment.sh" + "entry": "disable_ssh_permit_user_environment.sh", + "services": ["sshd"] } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/login.03/metadata.json b/secTools/secharden/src/secharden/tools/login.03/metadata.json index 931da72..a2fa8e5 100644 --- a/secTools/secharden/src/secharden/tools/login.03/metadata.json +++ b/secTools/secharden/src/secharden/tools/login.03/metadata.json @@ -2,5 +2,6 @@ "id": "login.03", "name": "禁用root用户通过SSH登录", "description": "禁用root用户通过SSH登录。要求系统管理员使用自己的个人账户进行SSH登录,然后通过sudo或 su提升权限到root。这样可在发生安全事件时提供清晰的审计线索。", - "entry": "disable_ssh_root_login.sh" + "entry": "disable_ssh_root_login.sh", + "services": ["sshd"] } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/login.04/metadata.json b/secTools/secharden/src/secharden/tools/login.04/metadata.json index 553e52c..e11fdf7 100644 --- a/secTools/secharden/src/secharden/tools/login.04/metadata.json +++ b/secTools/secharden/src/secharden/tools/login.04/metadata.json 
@@ -2,5 +2,6 @@ "id": "login.04", "name": "禁用SSH的TCP转发功能", "description": "禁用SSH的TCP转发功能。TCP端口转发是通过SSH隧道在本地主机和远程主机之间传输数据的功能。禁用该功能可以限制用户在SSH会话中的数据传输和访问范围,从而增强系统的安全性。", - "entry": "disable_ssh_tcp_forwarding.sh" + "entry": "disable_ssh_tcp_forwarding.sh", + "services": ["sshd"] } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/login.05/metadata.json b/secTools/secharden/src/secharden/tools/login.05/metadata.json index 27ce96e..d72818a 100644 --- a/secTools/secharden/src/secharden/tools/login.05/metadata.json +++ b/secTools/secharden/src/secharden/tools/login.05/metadata.json @@ -2,5 +2,6 @@ "id": "login.05", "name": "禁止使用X11 Forwarding", "description": "禁止使用X11 Forwarding。SSH的X11 Forwarding功能允许在本地主机上执行远程主机的GUI程序。启用X11 Forwarding功能会扩大攻击面,存在被X11服务器端其他用户攻击的可能。如果业务场景中不需要,则建议禁止该功能。", - "entry": "disable_ssh_x11_forwarding.sh" + "entry": "disable_ssh_x11_forwarding.sh", + "services": ["sshd"] } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/login.08/metadata.json b/secTools/secharden/src/secharden/tools/login.08/metadata.json index 4b6ec5d..921c947 100644 --- a/secTools/secharden/src/secharden/tools/login.08/metadata.json +++ b/secTools/secharden/src/secharden/tools/login.08/metadata.json @@ -2,5 +2,6 @@ "id": "login.08", "name": "设置最大认证次数", "description": "设置最大认证次数。如果该值配置比较大,则单次连接过程中客户端可以尝试多次认证失败,降低了攻击开销。", - "entry": "set_ssh_max_auth_tries.sh" + "entry": "set_ssh_max_auth_tries.sh", + "services": ["sshd"] } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/utils.sh b/secTools/secharden/src/secharden/tools/utils.sh index 50f5b70..a72ad75 100755 --- a/secTools/secharden/src/secharden/tools/utils.sh +++ b/secTools/secharden/src/secharden/tools/utils.sh 
@@ -52,19 +52,4 @@ function set_ssh() { echo "${conf} ${value}" >> "${sshd_conf_path}" echo "Added ${conf} with value ${value} to ${sshd_conf_path}" fi - - local retries=1 - while [[ $retries -lt 6 ]]; do - systemctl restart sshd - if [[ ! "$(systemctl is-active sshd)x" == "activex" ]]; then - echo "sshd service is not restarted, wait for ${retries}s and retrying..." - sleep $retries - retries=$((retries + 1)) - else - echo "sshd service restarted" - return 0 - fi - done - echo "Failed to restart sshd service after ${retries} attempts" - return 1 } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/utils.py b/secTools/secharden/src/secharden/utils.py index e3f23d7..3566e04 100644 --- a/secTools/secharden/src/secharden/utils.py +++ b/secTools/secharden/src/secharden/utils.py @@ -10,11 +10,24 @@ import argparse import json +import logging +from logging.handlers import TimedRotatingFileHandler +import sys from pathlib import Path HOME_DIR = Path(__file__).parent.resolve() +class DirectoryPathVerifier(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + p = Path(values) + if not p.exists(): + raise argparse.ArgumentTypeError(f"Directory '{values}' does not exist.") + if not p.is_dir(): + raise argparse.ArgumentTypeError(f"'{values}' is not a directory.") + setattr(namespace, self.dest, p) + + def load_json_file(file_path: Path): """ Load a JSON file from the given path. 
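Review bot: With the restart loop removed, nothing in `set_ssh` validates the edited `${sshd_conf_path}` before the service is restarted from the Python side via the new `services` entries in the login.* metadata, so a malformed `${conf} ${value}` line would only surface when sshd fails to come back and remote operators are locked out. Adding `sshd -t -f "${sshd_conf_path}" || return 1` after the closing `fi` keeps a bad edit from ever reaching the restart. `set_ssh` starts outside this hunk.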
@@ -27,11 +40,27 @@ def load_json_file(file_path: Path):
 return json.loads(file_path.read_text('utf-8'))
 
 
-class DirectoryPathVerifier(argparse.Action):
- def __call__(self, parser, namespace, values, option_string=None):
- p = Path(values)
- if not p.exists():
- raise argparse.ArgumentTypeError(f"Directory '{values}' does not exist.")
- if not p.is_dir():
- raise argparse.ArgumentTypeError(f"'{values}' is not a directory.")
- setattr(namespace, self.dest, p)
+def setup_logger(log_root: Path, debug: bool = False):
+ """
+ Configure the logger for the application.
+ :param log_root: The root directory where logs will be stored.
+ :param debug: If True, set the logger to debug level; otherwise, set to info level.
+ """
+ logging_level = logging.INFO
+ if debug:
+ logging_level = logging.DEBUG
+ try:
+ if not log_root.exists():
+ log_root.mkdir(parents=True, exist_ok=True)
+ if not log_root.is_dir():
+ raise ValueError(f"Log path {log_root} is not a directory.")
+
+ handlers = [
+ logging.handlers.TimedRotatingFileHandler(filename=log_root.joinpath('secharden.log'), when='D',
+ encoding='utf-8')
+ ]
+ logging.basicConfig(handlers=handlers, level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s')
+ except Exception as e:
+ print("Error: Cannot write to log directory. Using console output instead.", file=sys.stderr)
+ logging.basicConfig(level=logging_level, format='%(asctime)s [%(levelname)8s] %(message)s', stream=sys.stderr)
+ logging.exception(e)
diff --git a/secTools/secharden/tests/__init__.py b/secTools/secharden/tests/__init__.py
new file mode 100644
index 0000000..119336c
--- /dev/null
+++ b/secTools/secharden/tests/__init__.py
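Review bot: `setup_logger` imports `TimedRotatingFileHandler` by name but constructs it as `logging.handlers.TimedRotatingFileHandler`, leaving the direct import unused; use the imported name. The handler is created without `backupCount`, so daily rotation keeps every old log and the directory grows without bound; `TimedRotatingFileHandler(filename=log_root.joinpath('secharden.log'), when='D', backupCount=<KEEP_DAYS>, encoding='utf-8')` with a project-chosen value bounds it. The log directory is also created with the default mode even though the log records which hardening rules were applied and why they failed, so passing a restrictive `mode=0o750` to the `mkdir` call is worth considering.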
@@ -0,0 +1,11 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +from .converter_sample import TestConverter \ No newline at end of file diff --git a/secTools/secharden/tests/config_parser/test_collection.py b/secTools/secharden/tests/config_parser/test_collection.py index 3a6725f..5a90451 100644 --- a/secTools/secharden/tests/config_parser/test_collection.py +++ b/secTools/secharden/tests/config_parser/test_collection.py @@ -13,6 +13,7 @@ from pathlib import Path import pytest from secharden.config_parser import collect_configs +from secharden.exceptions import InvalidException class TestConfigCollector: @@ -21,7 +22,7 @@ class TestConfigCollector: return Path(request.path).parent.joinpath("collection").resolve() def test_empty(self, config_test_path): - with pytest.raises(FileNotFoundError): + with pytest.raises(InvalidException): collect_configs(config_test_path.joinpath("empty")) def test_single_file(self, config_test_path): @@ -30,7 +31,7 @@ class TestConfigCollector: assert p[0].name == "secharden.conf" def test_collection_only(self, config_test_path): - with pytest.raises(FileNotFoundError): + with pytest.raises(InvalidException): collect_configs(config_test_path.joinpath("only_collection")) def test_full_collection(self, config_test_path): diff --git a/secTools/secharden/tests/config_parser/test_parser.py b/secTools/secharden/tests/config_parser/test_parser.py index ea74f2d..07f47b0 100644 --- a/secTools/secharden/tests/config_parser/test_parser.py 
+++ b/secTools/secharden/tests/config_parser/test_parser.py @@ -13,6 +13,7 @@ from pathlib import Path import pytest from secharden.config_parser import parse_config +from secharden.exceptions import InvalidException class TestConfigParser: @@ -25,12 +26,12 @@ class TestConfigParser: assert d == {'int.01': None, 'int.03': None, 'selinux_tags': ['ima_t', 'ima2_t']} def test_wrong_file(self, config_test_path): - d = parse_config([config_test_path.joinpath("wrong_file/secharden.conf")]) - assert d == {} + with pytest.raises(InvalidException): + parse_config([config_test_path.joinpath("wrong_file/secharden.conf")]) def test_invalid_yaml(self, config_test_path): - d = parse_config([config_test_path.joinpath("invalid_yaml/secharden.conf")]) - assert d == {} + with pytest.raises(InvalidException): + parse_config([config_test_path.joinpath("invalid_yaml/secharden.conf")]) def test_wrong_file_in_collection(self, config_test_path): d = parse_config([ diff --git a/secTools/secharden/tests/rules/converter_sample.py b/secTools/secharden/tests/converter_sample.py similarity index 100% rename from secTools/secharden/tests/rules/converter_sample.py rename to secTools/secharden/tests/converter_sample.py diff --git a/secTools/secharden/tests/executor/test_executor.py b/secTools/secharden/tests/executor/test_executor.py index bba5034..04b3de7 100644 --- a/secTools/secharden/tests/executor/test_executor.py +++ b/secTools/secharden/tests/executor/test_executor.py 
@@ -8,26 +8,25 @@ # PURPOSE. # See the Mulan PSL v2 for more details. -from pathlib import Path - import pytest +from secharden.exceptions import RuntimeException from secharden.executor import CmdExecutor, CmdTemplate, CmdParameter class TestExecutor: def test_normal(self): - c = CmdExecutor(Path('echo')) + c = CmdExecutor(['echo']) template = CmdTemplate('name') param = CmdParameter(template) c.add_args(param) assert c.run() == 'name\n' def test_error(self): - c = CmdExecutor(Path('ls')) + c = CmdExecutor(['ls']) template = CmdTemplate('/nonexistent_directory') param = CmdParameter(template) c.add_args(param) - with pytest.raises(RuntimeError): + with pytest.raises(RuntimeException): c.run() diff --git a/secTools/secharden/tests/rules/__init__.py b/secTools/secharden/tests/rules/__init__.py index 3bc9a77..b8da5e6 100644 --- a/secTools/secharden/tests/rules/__init__.py +++ b/secTools/secharden/tests/rules/__init__.py @@ -7,5 +7,3 @@ # IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR # PURPOSE. # See the Mulan PSL v2 for more details. - -from rules.converter_sample import TestConverter diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.03/entry.sh b/secTools/secharden/tests/rules/metadata/exec_with_param/entry.sh similarity index 100% rename from secTools/secharden/tests/rules/ruleset/execution/test.03/entry.sh rename to secTools/secharden/tests/rules/metadata/exec_with_param/entry.sh diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.03/metadata.json b/secTools/secharden/tests/rules/metadata/exec_with_param/metadata.json similarity index 91% rename from secTools/secharden/tests/rules/ruleset/execution/test.03/metadata.json rename to secTools/secharden/tests/rules/metadata/exec_with_param/metadata.json index 40abaa5..ef9e36e 100644 --- a/secTools/secharden/tests/rules/ruleset/execution/test.03/metadata.json +++ b/secTools/secharden/tests/rules/metadata/exec_with_param/metadata.json 
@@ -1,5 +1,5 @@ { - "id": "test.03", + "id": "exec_with_param", "name": "valid metadata", "description": "valid metadata", "entry": "entry.sh", diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.02/metadata.json b/secTools/secharden/tests/rules/metadata/fail_exec/metadata.json similarity index 61% rename from secTools/secharden/tests/rules/ruleset/execution/test.02/metadata.json rename to secTools/secharden/tests/rules/metadata/fail_exec/metadata.json index 076a7c0..0eb5674 100644 --- a/secTools/secharden/tests/rules/ruleset/execution/test.02/metadata.json +++ b/secTools/secharden/tests/rules/metadata/fail_exec/metadata.json @@ -1,6 +1,6 @@ { - "id": "test.02", + "id": "fail_exec", "name": "valid metadata", "description": "valid metadata", - "entry": "entry.sh" + "entry": "false" } \ No newline at end of file diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.01/entry.sh b/secTools/secharden/tests/rules/metadata/normal_exec/entry.sh similarity index 100% rename from secTools/secharden/tests/rules/ruleset/execution/test.01/entry.sh rename to secTools/secharden/tests/rules/metadata/normal_exec/entry.sh diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.01/metadata.json b/secTools/secharden/tests/rules/metadata/normal_exec/metadata.json similarity index 79% rename from secTools/secharden/tests/rules/ruleset/execution/test.01/metadata.json rename to secTools/secharden/tests/rules/metadata/normal_exec/metadata.json index a6c2da6..5315c6d 100644 --- a/secTools/secharden/tests/rules/ruleset/execution/test.01/metadata.json +++ b/secTools/secharden/tests/rules/metadata/normal_exec/metadata.json @@ -1,5 +1,5 @@ { - "id": "test.01", + "id": "normal_exec", "name": "valid metadata", "description": "valid metadata", "entry": "entry.sh" diff --git a/secTools/secharden/tests/rules/ruleset/execution/categories.json b/secTools/secharden/tests/rules/ruleset/execution/categories.json deleted file mode 100644 index cf47d52..0000000 
--- a/secTools/secharden/tests/rules/ruleset/execution/categories.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "test": { - "name": "Test Category", - "description": "This is a test category for demonstration purposes." - } -} \ No newline at end of file diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.02/entry.sh b/secTools/secharden/tests/rules/ruleset/execution/test.02/entry.sh deleted file mode 100755 index 08ac2a0..0000000 --- a/secTools/secharden/tests/rules/ruleset/execution/test.02/entry.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env sh -exit 1 \ No newline at end of file diff --git a/secTools/secharden/tests/rules/test_converter.py b/secTools/secharden/tests/rules/test_converter.py index e196890..36689f5 100644 --- a/secTools/secharden/tests/rules/test_converter.py +++ b/secTools/secharden/tests/rules/test_converter.py @@ -7,10 +7,11 @@ # IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR # PURPOSE. # See the Mulan PSL v2 for more details. - +import logging from pathlib import Path import pytest +from pytest_mock import MockFixture from secharden.rule_metadata import RuleMetadata from secharden.executor import CmdParameter 
@@ -52,3 +53,19 @@ class TestConverter:
 assert cmd_param.cmd == ['test_t1', 'test_t2']
 assert cmd_param.env['env1'] == 'test_env1'
 converter.cleanup()
+
+ def test_file_list_cleanup(self, config_test_path, caplog, mocker: MockFixture):
+ r = RuleMetadata(config_test_path.joinpath("cmd_single"))
+ param = r.parameters[0]
+ converter = param.converter()
+ cmd_param = CmdParameter(param.cmd_template)
+ converter.generate(cmd_param, ['test_t'])
+
+ # mock to throw an exception when closing the temp file
+ klass = converter._temp_file.__class__
+ module = klass.__module__
+ mocker.patch(f'{module + "." + klass.__qualname__}.close',
+ side_effect=Exception("Mocked close exception"))
+ with caplog.at_level(logging.ERROR):
+ converter.cleanup()
+ assert 'Error closing temp file:' in caplog.text
\ No newline at end of file
diff --git a/secTools/secharden/tests/rules/test_metadata.py b/secTools/secharden/tests/rules/test_metadata.py
index 1239393..1f94236 100644
--- a/secTools/secharden/tests/rules/test_metadata.py
+++ b/secTools/secharden/tests/rules/test_metadata.py
@@ -7,11 +7,12 @@ class TestMetadata:
 # IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
 # PURPOSE.
 # See the Mulan PSL v2 for more details.
-
+import logging
 from pathlib import Path
 
 import pytest
 
+from secharden.exceptions import InvalidException, RuntimeException
 from secharden.rule_metadata import RuleMetadata
 
 
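Review bot: The patch target in `test_file_list_cleanup` is assembled as `f'{module + "." + klass.__qualname__}.close'`, concatenating inside an f-string; `f'{module}.{klass.__qualname__}.close'` says the same thing directly. The test only checks that the failed close is logged, so an assertion on the state of `converter._temp_file` after `cleanup()` would pin down whether the temp file is still expected to be removed on that path. The file is also left without a trailing newline.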
@@ -72,29 +73,86 @@ class TestMetadata: def test_entry_not_file(self, config_test_path): path = config_test_path.joinpath("entry_not_file") - with pytest.raises(ValueError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(path) assert str(excinfo.value) == f"Entry file {path.resolve()} for entry_not_file is not a regular file" def test_no_entry(self, config_test_path): path = config_test_path.joinpath("no_entry") - with pytest.raises(FileNotFoundError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(path) assert (str(excinfo.value) == f"Entry file no_entry.sh for no_entry does not exist in the root path or PATH environment variable") def test_no_metadata(self, config_test_path): path = config_test_path.joinpath("no_metadata") - with pytest.raises(FileNotFoundError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(path) assert str(excinfo.value) == f"File not found: {path.joinpath('metadata.json')}" def test_directory_name_mismatch(self, config_test_path): dirname = "directory_name_mismatch" - with pytest.raises(ValueError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(config_test_path.joinpath(dirname)) assert str(excinfo.value) == f"Metadata id valid does not match directory name {dirname}" + def test_rule_apply_rule(self, config_test_path, caplog): + r = RuleMetadata(config_test_path.joinpath("normal_exec").resolve()) + caplog.set_level(logging.DEBUG) + r.apply() + assert "Applying rule normal_exec with config: {}" in caplog.text + assert "====== Rule normal_exec command execution ======" in caplog.text + assert "hello from entry.sh" in caplog.text + assert "====== End of rule normal_exec command execution ======" in caplog.text + + def test_rule_apply_rule_fail(self, config_test_path, caplog): + r = RuleMetadata(config_test_path.joinpath("fail_exec").resolve()) + + caplog.set_level(logging.INFO) + with pytest.raises(RuntimeException): + r.apply() + 
assert "====== Rule fail_exec command execution ======" in caplog.text + assert "Failed to execute command for rule fail_exec." in caplog.text + assert "====== End of rule fail_exec command execution ======" in caplog.text + + def test_rule_apply_rule_miss_param(self, config_test_path): + r = RuleMetadata(config_test_path.joinpath("exec_with_param").resolve()) + with pytest.raises(InvalidException) as e: + r.apply() + assert str(e.value) == "Parameter input is missing in the configuration for rule exec_with_param." + + def test_rule_apply_rule_invalid_param(self, config_test_path, caplog): + r = RuleMetadata(config_test_path.joinpath("exec_with_param").resolve()) + + caplog.set_level(logging.ERROR) + with pytest.raises(RuntimeException): + assert r.apply({'input': {'file1': 'file1.txt'}}) + assert "Failed to generate command line on parameter input." in caplog.text + + def test_rule_apply_rule_with_param(self, config_test_path, caplog): + r = RuleMetadata(config_test_path.joinpath("exec_with_param").resolve()) + + config = {'input': {'file1': 'file1.txt', 'file2': 'file2.txt'}} + caplog.set_level(logging.DEBUG) + r.apply(config) + assert f"Applying rule exec_with_param with config: {config}" in caplog.text + assert "====== Rule exec_with_param command execution ======" in caplog.text + assert "hello file1.txt file2.txt" in caplog.text + assert "====== End of rule exec_with_param command execution ======" in caplog.text + + # def test_rule_manager_apply_rule_invalid_param_second(self, config_test_path, caplog): + # execution = config_test_path.joinpath("execution").resolve() + # manager = RuleManager(execution) + # + # config = { + # 'input': {'file1': 'file1.txt', 'file2': 'file2.txt'}, + # 'input1': {'file1': 'file1.txt'} + # } + # + # caplog.set_level(logging.ERROR) + # assert not manager.apply_rule("test.04", config) + # assert "Failed to generate command line on parameter input1." 
in caplog.text + def test_valid_full_doc(self, config_test_path): path = config_test_path.joinpath("valid_full") assert RuleMetadata(path).doc == """### valid_full valid metadata diff --git a/secTools/secharden/tests/rules/test_param.py b/secTools/secharden/tests/rules/test_param.py index f512a0f..81c7f02 100644 --- a/secTools/secharden/tests/rules/test_param.py +++ b/secTools/secharden/tests/rules/test_param.py @@ -12,6 +12,7 @@ from pathlib import Path import pytest +from secharden.exceptions import InvalidException from secharden.rule_metadata import RuleMetadata @@ -21,7 +22,7 @@ class TestMetadataParam: return Path(request.path).parent.joinpath("metadata/param").resolve() def test_cmd_mismatch_id(self, config_test_path): - with pytest.raises(ValueError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(config_test_path.joinpath("cmd_mismatch_id")) assert str(excinfo.value) == "Placeholder 'file' not found in the execute config variables" @@ -35,17 +36,17 @@ class TestMetadataParam: assert r.parameters[0].cmd_template.variable_index == {'file': [0, 1]} def test_cmd_no_placeholder(self, config_test_path): - with pytest.raises(ValueError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(config_test_path.joinpath("cmd_no_placeholder")) assert str(excinfo.value) == "Expected exactly one placeholder, found 0" def test_cmd_noid(self, config_test_path): - with pytest.raises(ValueError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(config_test_path.joinpath("cmd_noid")) assert str(excinfo.value) == "invalid cmd template with no id" def test_no_converter(self, config_test_path): - with pytest.raises(NotImplementedError) as excinfo: + with pytest.raises(InvalidException) as excinfo: RuleMetadata(config_test_path.joinpath("no_converter")) assert str(excinfo.value) == 'converter of type NotFoundConverter is not implemented' 
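Review bot: In `test_rule_apply_rule_invalid_param` the call is written `assert r.apply({'input': {'file1': 'file1.txt'}})` inside `pytest.raises(RuntimeException)`, so the assert is never evaluated on the expected path; a plain `r.apply({'input': {'file1': 'file1.txt'}})` states the intent. The commented-out `test_rule_manager_apply_rule_invalid_param_second` block refers to the `execution` ruleset and `test.04`, which this commit moves to `tool_entry/ruleset/test.02`, so it cannot be revived as written — either port it to `RuleMetadata` against an `exec_with_param`-style fixture or delete it. `TestMetadata` starts outside this hunk.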
diff --git a/secTools/secharden/tests/rules/test_rulemanager.py b/secTools/secharden/tests/rules/test_rulemanager.py index 3237d30..7456836 100644 --- a/secTools/secharden/tests/rules/test_rulemanager.py +++ b/secTools/secharden/tests/rules/test_rulemanager.py @@ -13,6 +13,7 @@ from pathlib import Path import pytest +from secharden.exceptions import InvalidException from secharden.rule_metadata.manager import RuleManager, precheck @@ -67,7 +68,7 @@ class TestRuleManager: def test_rule_manager_no_categories(self, rule_path): no_cat = rule_path.joinpath("no_categories").resolve() - with pytest.raises(FileNotFoundError) as e: + with pytest.raises(InvalidException) as e: RuleManager(no_cat) assert str(e.value) == f"File not found: {no_cat.joinpath('categories.json')}" @@ -75,7 +76,7 @@ class TestRuleManager: naming = rule_path.joinpath("naming").resolve() caplog.set_level(logging.WARNING) manager = RuleManager(naming) - assert f"Rule path {naming.joinpath('invalid.01')} is not valid" in caplog.text + assert f"Rule dir {naming.joinpath('invalid.01')} is not valid" in caplog.text assert f"No rules found for category nometa" in caplog.text assert f"No rules found for category notdir" in caplog.text assert f"No rules found for category invalid" in caplog.text 
@@ -139,83 +140,6 @@ class TestRuleManager: manager.get_category_desc("nonexistent") assert str(e.value) == "Category with ID nonexistent not found" - def test_rule_manager_apply_rule_non_exist(self, rule_path): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - with pytest.raises(ValueError) as e: - manager.apply_rule("nonexistent.01") - assert str(e.value) == "Rule nonexistent.01 not found." - - def test_rule_manager_apply_rule_not_enabled(self, rule_path, caplog): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - with caplog.at_level(logging.WARNING): - manager.apply_rule("test.01", {"enabled": False}) - assert "Rule test.01 is disabled in the configuration." in caplog.text - - def test_rule_manager_apply_rule(self, rule_path, caplog): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - config = {"enabled": True} - caplog.set_level(logging.DEBUG) - manager.apply_rule("test.01", config) - assert f"Applying rule test.01 with config: {config}" in caplog.text - assert f'rule test.01 applied with result:' - assert f'hello from entry.sh' - - def test_rule_manager_apply_rule_fail(self, rule_path, caplog): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - caplog.set_level(logging.INFO) - assert not manager.apply_rule("test.02") - assert "====== Rule test.02 command execution ======" in caplog.text - assert "Failed to execute command for rule test.02." in caplog.text - assert "====== End of rule test.02 command execution ======" in caplog.text - - def test_rule_manager_apply_rule_miss_param(self, rule_path): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - with pytest.raises(ValueError) as e: - manager.apply_rule("test.03") - assert str(e.value) == "Parameter input is missing in the configuration for rule test.03." 
- - def test_rule_manager_apply_rule_invalid_param(self, rule_path, caplog): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - caplog.set_level(logging.ERROR) - assert not manager.apply_rule("test.03", {'input': {'file1': 'file1.txt'}}) - assert "Failed to generate command line on parameter input." in caplog.text - - def test_rule_manager_apply_rule_with_param(self, rule_path, caplog): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - config = {'input': {'file1': 'file1.txt', 'file2': 'file2.txt'}} - caplog.set_level(logging.DEBUG) - manager.apply_rule("test.03", config) - assert f"Applying rule test.03 with config: {config}" in caplog.text - assert f'rule test.03 applied with result:' - assert f'hello file1.txt file2.txt' - - def test_rule_manager_apply_rule_invalid_param_second(self, rule_path, caplog): - execution = rule_path.joinpath("execution").resolve() - manager = RuleManager(execution) - - config = { - 'input': {'file1': 'file1.txt', 'file2': 'file2.txt'}, - 'input1': {'file1': 'file1.txt'} - } - - caplog.set_level(logging.ERROR) - assert not manager.apply_rule("test.04", config) - assert "Failed to generate command line on parameter input1." in caplog.text - def test_category_doc(self, rule_path): naming = rule_path.joinpath("naming") manager = RuleManager(naming) diff --git a/secTools/secharden/tests/tool_entry/invalid_conf/secharden.conf b/secTools/secharden/tests/tool_entry/invalid_conf/secharden.conf new file mode 100644 index 0000000..c52ec57 --- /dev/null +++ b/secTools/secharden/tests/tool_entry/invalid_conf/secharden.conf @@ -0,0 +1 @@ +test.02: \ No newline at end of file diff --git a/secTools/secharden/tests/tool_entry/not_enable/secharden.conf b/secTools/secharden/tests/tool_entry/not_enable/secharden.conf new file mode 100644 index 0000000..b6e2f2f --- /dev/null +++ b/secTools/secharden/tests/tool_entry/not_enable/secharden.conf 
@@ -0,0 +1,2 @@ +test.01: + enabled: false \ No newline at end of file diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.04/entry.sh b/secTools/secharden/tests/tool_entry/ruleset/test.02/entry.sh similarity index 100% rename from secTools/secharden/tests/rules/ruleset/execution/test.04/entry.sh rename to secTools/secharden/tests/tool_entry/ruleset/test.02/entry.sh diff --git a/secTools/secharden/tests/rules/ruleset/execution/test.04/metadata.json b/secTools/secharden/tests/tool_entry/ruleset/test.02/metadata.json similarity index 95% rename from secTools/secharden/tests/rules/ruleset/execution/test.04/metadata.json rename to secTools/secharden/tests/tool_entry/ruleset/test.02/metadata.json index 12dc255..e4d9f90 100644 --- a/secTools/secharden/tests/rules/ruleset/execution/test.04/metadata.json +++ b/secTools/secharden/tests/tool_entry/ruleset/test.02/metadata.json @@ -1,5 +1,5 @@ { - "id": "test.04", + "id": "test.02", "name": "valid metadata", "description": "valid metadata", "entry": "entry.sh", diff --git a/secTools/secharden/tests/tool_entry/ruleset/test.03/metadata.json b/secTools/secharden/tests/tool_entry/ruleset/test.03/metadata.json new file mode 100644 index 0000000..147c5a5 --- /dev/null +++ b/secTools/secharden/tests/tool_entry/ruleset/test.03/metadata.json @@ -0,0 +1,7 @@ +{ + "id": "test.03", + "name": "valid metadata", + "description": "valid metadata", + "entry": "true", + "services": ["sshd"] +} \ No newline at end of file diff --git a/secTools/secharden/tests/tool_entry/service/secharden.conf b/secTools/secharden/tests/tool_entry/service/secharden.conf new file mode 100644 index 0000000..e2259f9 --- /dev/null +++ b/secTools/secharden/tests/tool_entry/service/secharden.conf @@ -0,0 +1 @@ +test.03: \ No newline at end of file diff --git a/secTools/secharden/tests/tool_entry/test_apply.py b/secTools/secharden/tests/tool_entry/test_apply.py new file mode 100644 index 0000000..570949a --- /dev/null 
+++ b/secTools/secharden/tests/tool_entry/test_apply.py 
@@ -0,0 +1,149 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +import logging +from pathlib import Path +from subprocess import CompletedProcess + +import pytest +from pytest_mock import MockerFixture + +import secharden.secharden as secharden + + +def mock_subprocess_run(args, **_): + # hijack restart command + if args == ['systemctl', 'restart', 'sshd']: + return CompletedProcess(args, 1, "Service restart failed", "Service restart failed") + return CompletedProcess(args, 0, "", "") + + +class TestApplyCmd: + @pytest.fixture + def rule_path(self, request): + return Path(request.path).parent.joinpath("ruleset").resolve() + + @pytest.fixture + def base_path(self, request): + return Path(request.path).parent.resolve() + + def test_apply_nonexistent_dir(self, capsys, rule_path): + assert secharden.main(["-r", str(rule_path), "apply", "nonexistent_dir", "-f"]) == 1 + out, err = capsys.readouterr() + assert "Error parsing arguments:" in err + assert "Use 'secharden --help' for usage information.\n" == out + + def test_apply_no_config(self, capsys, caplog, rule_path): + with caplog.at_level(logging.ERROR): + assert secharden.main(["-r", str(rule_path), "apply", str(rule_path), "-f"]) == 1 + out, err = capsys.readouterr() + assert f"Exception while parsing configuration from {str(rule_path)}" in caplog.text + assert "Error parsing configuration: " in err + + def test_apply_not_dir(self, capsys, base_path, rule_path): + assert secharden.main(["-r", str(rule_path), "apply", 
str(base_path.joinpath("test_main.py")), "-f"]) == 1 + out, err = capsys.readouterr() + assert "Error parsing arguments:" in err + assert "Use 'secharden --help' for usage information.\n" == out + + def test_apply_rule_not_found(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("rule_not_found")) + with caplog.at_level(logging.ERROR): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f"]) == 1 + out, err = capsys.readouterr() + assert "Error: Rule 'nonexistence.01' does not exist." in err + assert "Rule 'nonexistence.01' does not exist." in caplog.text + assert "uncaught exception in command apply with exception InvalidException:" in caplog.text + + def test_apply_rule(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("conf")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f"]) == 0 + out, _ = capsys.readouterr() + assert "====== Rule test.01 ======" in caplog.text + assert "applying rule 'test.01' with configuration: {}" in caplog.text + assert "Applying rule: test.01...ok" in out + assert "====== End of rule test.01 ======" in caplog.text + + def test_apply_not_enabled(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("not_enable")) + with caplog.at_level(logging.INFO): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f"]) == 0 + assert "Rule test.01 is disabled in the configuration." 
in caplog.text + + def test_apply_rule_invalid_conf(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("invalid_conf")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f"]) == 0 + out, _ = capsys.readouterr() + assert "====== Rule test.02 ======" in caplog.text + assert "applying rule 'test.02' with configuration: {}" in caplog.text + assert "Applying rule: test.02...invalid configuration" in out + assert "Rule 'test.02' has invalid configuration: {}" in caplog.text + assert "====== End of rule test.02 ======" in caplog.text + + def test_apply_error_rule(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("error_conf")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f"]) == 0 + out, _ = capsys.readouterr() + assert "====== Rule error.01 ======" in caplog.text + assert "applying rule 'error.01' with configuration: {}" in caplog.text + assert "Applying rule: error.01...runtime error" in out + assert "Error applying rule 'error.01' with configuration: " in caplog.text + assert "====== End of rule error.01 ======" in caplog.text + + def test_apply_non_root_check(self, mocker: MockerFixture, capsys, caplog, base_path, rule_path): + # mock os.geteuid to simulate non-root user + mocker.patch("os.geteuid", return_value=1000) + conf_path = str(base_path.joinpath("conf")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 1 + _, err = capsys.readouterr() + assert ("Error: This command requires root privileges. Please run as root or use --force to bypass this check." + in err) + assert "This command requires root privileges." 
in caplog.text + + def test_apply_root_check(self, mocker: MockerFixture, capsys, caplog, base_path, rule_path): + mocker.patch("os.geteuid", return_value=0) + conf_path = str(base_path.joinpath("conf")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 0 + out, _ = capsys.readouterr() + assert "====== Rule test.01 ======" in caplog.text + assert "applying rule 'test.01' with configuration: {}" in caplog.text + assert "Applying rule: test.01...ok" in out + assert "====== End of rule test.01 ======" in caplog.text + + def test_service_restart(self, mocker: MockerFixture, capsys, caplog, base_path, rule_path): + mocker.patch("secharden.executor.CmdExecutor.run", return_value="") + conf_path = str(base_path.joinpath("service")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f"]) == 0 + out, _ = capsys.readouterr() + assert "====== Rule test.03 ======" in caplog.text + assert "applying rule 'test.03' with configuration: {}" in caplog.text + assert "Applying rule: test.03...ok" in out + assert "====== End of rule test.03 ======" in caplog.text + assert "Restarting service: sshd...ok" in out + + def test_service_restart_failed(self, mocker: MockerFixture, capsys, caplog, base_path, rule_path): + mocker.patch("subprocess.run", side_effect=mock_subprocess_run) + conf_path = str(base_path.joinpath("service")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f"]) == 0 + out, err = capsys.readouterr() + assert "====== Rule test.03 ======" in caplog.text + assert "applying rule 'test.03' with configuration: {}" in caplog.text + assert "Applying rule: test.03...ok" in out + assert "====== End of rule test.03 ======" in caplog.text + assert "Restarting service: sshd...failed" in out + assert "Error restarting service 'sshd'" in caplog.text + assert "Error restarting service 'sshd'" in err 
diff --git a/secTools/secharden/tests/tool_entry/test_help.py b/secTools/secharden/tests/tool_entry/test_help.py new file mode 100644 index 0000000..c17ea86 --- /dev/null +++ b/secTools/secharden/tests/tool_entry/test_help.py 
@@ -0,0 +1,48 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +from pathlib import Path + +import pytest + +import secharden.secharden as secharden +from secharden.rule_metadata import RuleManager, RuleMetadata + + +class TestHelpCmd: + @pytest.fixture + def rule_path(self, request): + return Path(request.path).parent.joinpath("ruleset").resolve() + + def test_help_category(self, capsys, rule_path): + assert secharden.main(["-r", str(rule_path), "help", "test"]) == 0 + out, _ = capsys.readouterr() + r = RuleManager(rule_path) + c = r.get_category_desc("test") + assert out == c.doc + """test: Test Category +\ttest.01: valid metadata +\ttest.02: valid metadata +\ttest.03: valid metadata +""" + + def test_help_category_not_found(self, capsys, rule_path): + assert secharden.main(["-r", str(rule_path), "help", "test2"]) == 1 + out, _ = capsys.readouterr() + assert out == "'test2' not found. Use 'secharden list' to see available categories and rules.\n" + + def test_help_rule(self, capsys, rule_path): + assert secharden.main(["-r", str(rule_path), "help", "test.01"]) == 0 + out, _ = capsys.readouterr() + assert out == RuleMetadata(rule_path.joinpath("test.01")).doc + + def test_help_rule_not_found(self, capsys, rule_path): + assert secharden.main(["-r", str(rule_path), "help", "notfound.02"]) == 1 + out, _ = capsys.readouterr() + assert out == "'notfound.02' not found. Use 'secharden list' to see available categories and rules.\n" 
diff --git a/secTools/secharden/tests/tool_entry/test_list.py b/secTools/secharden/tests/tool_entry/test_list.py new file mode 100644 index 0000000..cba7482 --- /dev/null +++ b/secTools/secharden/tests/tool_entry/test_list.py @@ -0,0 +1,49 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +from pathlib import Path + +import pytest + +import secharden.secharden as secharden + + +class TestListCmd: + @pytest.fixture + def rule_path(self, request): + return Path(request.path).parent.joinpath("ruleset").resolve() + + def test_list(self, capsys, rule_path): + assert secharden.main(["-r", str(rule_path), "list"]) == 0 + out, _ = capsys.readouterr() + assert out == """error: Error Category +\terror.01: valid metadata +test: Test Category +\ttest.01: valid metadata +\ttest.02: valid metadata +\ttest.03: valid metadata +test1: Test1 Category +\ttest1.01: valid metadata +""" + + def test_list_category(self, capsys, rule_path): + assert secharden.main(["-r", str(rule_path), "list", "test"]) == 0 + out, _ = capsys.readouterr() + assert out == """test: Test Category +\ttest.01: valid metadata +\ttest.02: valid metadata +\ttest.03: valid metadata +""" + + def test_list_category_not_found(self, capsys, caplog, rule_path): + assert secharden.main(["-r", str(rule_path), "list", "test2"]) == 1 + out, _ = capsys.readouterr() + assert out == "Category 'test2' not found.\n" + assert "Category 'test2' not found" in caplog.text 
diff --git a/secTools/secharden/tests/tool_entry/test_main.py b/secTools/secharden/tests/tool_entry/test_main.py index d71e406..e0777c7 100644 --- a/secTools/secharden/tests/tool_entry/test_main.py +++ b/secTools/secharden/tests/tool_entry/test_main.py @@ -8,14 +8,12 @@ # PURPOSE. # See the Mulan PSL v2 for more details. -import logging import tempfile from pathlib import Path import pytest import secharden.secharden as secharden -from secharden.rule_metadata import RuleMetadata, RuleManager class TestMainCmd: 
@@ -32,96 +30,6 @@ class TestMainCmd: out, _ = capsys.readouterr() assert out == "Please specify a sub-command. Use 'secharden --help' for usage information.\n" - def test_list(self, capsys, rule_path): - assert secharden.main(["-r", str(rule_path), "list"]) == 0 - out, _ = capsys.readouterr() - assert (out == - "error: Error Category\n\terror.01: valid metadata\ntest: Test Category\n\ttest.01: valid metadata\ntest1: Test1 Category\n\ttest1.01: valid metadata\n") - - def test_list_category(self, capsys, rule_path): - assert secharden.main(["-r", str(rule_path), "list", "test"]) == 0 - out, _ = capsys.readouterr() - assert out == "test: Test Category\n\ttest.01: valid metadata\n" - - def test_list_category_not_found(self, capsys, caplog, rule_path): - assert secharden.main(["-r", str(rule_path), "list", "test2"]) == 1 - out, _ = capsys.readouterr() - assert out == "Category 'test2' not found.\n" - assert "Category 'test2' not found" in caplog.text - - def test_help_category(self, capsys, rule_path): - assert secharden.main(["-r", str(rule_path), "help", "test"]) == 0 - out, _ = capsys.readouterr() - r = RuleManager(rule_path) - c = r.get_category_desc("test") - assert out == c.doc + "test: Test Category\n\ttest.01: valid metadata\n" - - def test_help_category_not_found(self, capsys, rule_path): - assert secharden.main(["-r", str(rule_path), "help", "test2"]) == 1 - out, _ = capsys.readouterr() - assert out == "'test2' not found. Use 'secharden list' to see available categories and rules.\n" - - def test_help_rule(self, capsys, rule_path): - assert secharden.main(["-r", str(rule_path), "help", "test.01"]) == 0 - out, _ = capsys.readouterr() - assert out == RuleMetadata(rule_path.joinpath("test.01")).doc - - def test_help_rule_not_found(self, capsys, rule_path): - assert secharden.main(["-r", str(rule_path), "help", "test.02"]) == 1 - out, _ = capsys.readouterr() - assert out == "'test.02' not found. 
Use 'secharden list' to see available categories and rules.\n" - - def test_apply_nonexistent_dir(self, capsys, rule_path): - assert secharden.main(["-r", str(rule_path), "apply", "nonexistent_dir"]) == 1 - out, err = capsys.readouterr() - assert "Error parsing arguments:" in err - assert "Use 'secharden --help' for usage information.\n" == out - - def test_apply_no_config(self, capsys, caplog, rule_path): - with caplog.at_level(logging.ERROR): - assert secharden.main(["-r", str(rule_path), "apply", str(rule_path)]) == 1 - out, err = capsys.readouterr() - assert f"Exception while parsing configuration from {str(rule_path)}" in caplog.text - assert "Error parsing configuration: " in err - - def test_apply_not_dir(self, capsys, base_path, rule_path): - assert secharden.main(["-r", str(rule_path), "apply", str(base_path.joinpath("test_main.py"))]) == 1 - out, err = capsys.readouterr() - assert "Error parsing arguments:" in err - assert "Use 'secharden --help' for usage information.\n" == out - - def test_apply_rule_not_found(self, capsys, caplog, base_path, rule_path): - conf_path = str(base_path.joinpath("rule_not_found")) - with caplog.at_level(logging.INFO): - assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 1 - out, err = capsys.readouterr() - assert "====== Rule nonexistence.01 ======" in caplog.text - assert "Applying rule: nonexistence.01...err" in out - assert f"Error applying rule 'nonexistence.01':" in err - assert f"Rule 'nonexistence.01' not found or invalid configuration: None" in caplog.text - assert "====== End of rule nonexistence.01 ======" in caplog.text - - def test_apply_rule(self, capsys, caplog, base_path, rule_path): - conf_path = str(base_path.joinpath("conf")) - with caplog.at_level(logging.DEBUG): - assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 0 - out, _ = capsys.readouterr() - assert "====== Rule test.01 ======" in caplog.text - assert "applying rule 'test.01' with config None" in caplog.text - 
assert "Applying rule: test.01...ok" in out - assert "====== End of rule test.01 ======" in caplog.text - - def test_apply_error_rule(self, capsys, caplog, base_path, rule_path): - conf_path = str(base_path.joinpath("error_conf")) - with caplog.at_level(logging.DEBUG): - assert secharden.main(["-r", str(rule_path), "apply", conf_path]) == 1 - out, _ = capsys.readouterr() - assert "====== Rule error.01 ======" in caplog.text - assert "applying rule 'error.01' with config None" in caplog.text - assert "Applying rule: error.01...err" in out - assert "Exception while applying rule 'error.01' with config None" in caplog.text - assert "====== End of rule error.01 ======" in caplog.text - def test_log_create_failed(self, capsys, base_path, rule_path): secharden.main(["-r", str(rule_path), "-l", str(base_path.joinpath("test_main.py"))]) _, err = capsys.readouterr() diff --git a/secTools/secharden/uv.lock b/secTools/secharden/uv.lock index 4187094..a7ccb13 100644 --- a/secTools/secharden/uv.lock +++ b/secTools/secharden/uv.lock 
@@ -193,6 +193,18 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/bc/16/4ea354101abb1287856baa4af2732be351c7bee728065aed451b678153fd/pytest_cov-6.2.1-py3-none-any.whl", hash = "sha256:f5bc4c23f42f1cdd23c70b1dab1bbaef4fc505ba950d53e0081d0730dd7e86d5", size = 24644, upload-time = "2025-06-12T10:47:45.932Z" }, ] +[[package]] +name = "pytest-mock" +version = "3.14.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "pytest" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/71/28/67172c96ba684058a4d24ffe144d64783d2a270d0af0d9e792737bddc75c/pytest_mock-3.14.1.tar.gz", hash = "sha256:159e9edac4c451ce77a5cdb9fc5d1100708d2dd4ba3c3df572f14097351af80e", size = 33241, upload-time = "2025-05-26T13:58:45.167Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b2/05/77b60e520511c53d1c1ca75f1930c7dd8e971d0c4379b7f4b3f9644685ba/pytest_mock-3.14.1-py3-none-any.whl", hash = "sha256:178aefcd11307d874b4cd3100344e7e2d888d9791a6a1d9bfe90fbc1b74fd1d0", size = 9923, upload-time = "2025-05-26T13:58:43.487Z" }, +] + [[package]] name = "pyyaml" version = "6.0.2" @@ -345,7 +357,7 @@ wheels = [ [[package]] name = "secharden" -version = "0.1.0" +version = "1.0.0" source = { editable = "." } dependencies = [ { name = "jsonschema" }, @@ -356,6 +368,7 @@ dependencies = [ dev = [ { name = "pytest" }, { name = "pytest-cov" }, + { name = "pytest-mock" }, ] [package.metadata] @@ -368,6 +381,7 @@ requires-dist = [ dev = [ { name = "pytest", specifier = ">=8.4.1" }, { name = "pytest-cov", specifier = ">=6.2.1" }, + { name = "pytest-mock", specifier = ">=3.14.1" }, ] [[package]] -- Gitee From e47e3200f05df6a40c2089b8d4d3b7f2868f8895 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Tue, 5 Aug 2025 19:06:58 +0800 Subject: [PATCH 104/109] add service management --- secTools/secharden/pyproject.toml | 11 ++++----- .../secharden/tools/net.07/enable_firewall.sh | 7 ------ .../src/secharden/tools/net.07/metadata.json | 3 ++- .../secharden/tools/serv.01/enable_rsyslog.sh | 23 ------------------- .../src/secharden/tools/serv.01/metadata.json | 3 ++- secTools/secharden/uv.lock | 10 ++++---- 6 files changed, 14 insertions(+), 43 deletions(-) delete mode 100755 secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh diff --git a/secTools/secharden/pyproject.toml b/secTools/secharden/pyproject.toml index df3ed10..11ace34 100644 --- a/secTools/secharden/pyproject.toml +++ b/secTools/secharden/pyproject.toml @@ -6,10 +6,9 @@ readme = "README.md" authors = [ { name = "Tomahawkd", email = "tomahawkd00@outlook.com" } ] -requires-python = ">=3.11" dependencies = [ - "jsonschema>=4.25.0", - "pyyaml>=6.0.2", + "jsonschema", + "pyyaml", ] classifiers = [ @@ -24,9 +23,9 @@ secharden = "secharden.secharden:main" [dependency-groups] dev = [ - "pytest>=8.4.1", - "pytest-cov>=6.2.1", - "pytest-mock>=3.14.1", + "pytest", + "pytest-cov", + "pytest-mock", ] [project.urls] diff --git a/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh b/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh index 151905e..8c01e4b 100755 --- a/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh +++ b/secTools/secharden/src/secharden/tools/net.07/enable_firewall.sh 
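Review bot: Removing `requires-python = ">=3.11"` together with the lower bounds on `jsonschema` and `pyyaml` (and on the dev group in the second hunk) declares the package installable on any interpreter and any dependency release, so a resolver on a host without the lockfile can pick versions the tool was never tested against; `uv.lock` still pins exact versions for uv users, but a plain `pip install` and the `Requires:` line in secTools/secharden.spec do not consult it. If the floors are dropped on purpose so that the distro packages decide the versions, say so in the file, e.g. `# No version floors on purpose: the runtime versions come from the packages listed in secTools/secharden.spec`; otherwise keep at least the `requires-python` floor, since it is the only signal that documents which interpreter the code was validated on.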
@@ -14,13 +14,6 @@ # # ####################################################################################### -service firewalld start -if [[ ! "$(systemctl is-active firewalld)x" == "activex" ]]; then - echo "firewalld service is not started, please check" -else - echo "firewalld service is started successfully" -fi - systemctl enable firewalld if [[ ! "$(systemctl is-enabled firewalld)x" == "activex" ]]; then echo "firewalld service is not enabled, please check" diff --git a/secTools/secharden/src/secharden/tools/net.07/metadata.json b/secTools/secharden/src/secharden/tools/net.07/metadata.json index 8767b4c..6ff4dab 100644 --- a/secTools/secharden/src/secharden/tools/net.07/metadata.json +++ b/secTools/secharden/src/secharden/tools/net.07/metadata.json @@ -2,5 +2,6 @@ "id": "net.07", "name": "启用防火墙服务", "description": "启用防火墙服务。如果系统中没有配置防火墙服务,可能会导致系统被外部攻击、内部数据被窃取或篡改,大量无效流量浪费带宽、访问一些存在安全风险或业务无关的网站导致信息泄露。", - "entry": "enable_firewall.sh" + "entry": "enable_firewall.sh", + "services": ["firewalld"] } \ No newline at end of file diff --git a/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh b/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh deleted file mode 100755 index 2c234b7..0000000 --- a/secTools/secharden/src/secharden/tools/serv.01/enable_rsyslog.sh +++ /dev/null 
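Review bot: The check that survives after the removed block compares the output of `systemctl is-enabled firewalld` against `activex`, but `is-enabled` reports the unit-file state (`enabled`, `disabled`, `static`, …) and never `active`, so the branch reports "not enabled" even when the enable succeeded; now that the start/`is-active` block is gone this is the script's only verification and it is always wrong. Change it to `if [[ ! "$(systemctl is-enabled firewalld)x" == "enabledx" ]]; then`. The remainder of the script, including what happens on the failure path, is outside the hunk.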
@@ -1,23 +0,0 @@ -#!/bin/bash -## ####################################################################################### -# -# Copyright (c) KylinSoft Co., Ltd. 2024. All rights reserved. -# SecureGuardian is licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL2 -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Security Baseline Check Script for 1.1.14 -# -# ####################################################################################### - -systemctl start rsyslog.service -if [[ ! "$(systemctl is-active rsyslog)x" == "activex" ]]; then - echo "rsyslog service is not running, please check it." - exit 1 -else - echo "rsyslog service started" -fi diff --git a/secTools/secharden/src/secharden/tools/serv.01/metadata.json b/secTools/secharden/src/secharden/tools/serv.01/metadata.json index 4d76cf9..7304f50 100644 --- a/secTools/secharden/src/secharden/tools/serv.01/metadata.json +++ b/secTools/secharden/src/secharden/tools/serv.01/metadata.json @@ -2,5 +2,6 @@ "id": "serv.01", "name": "启用rsyslog服务", "description": "启用rsyslog服务。若不开启rsyslog服务,系统日志无法转储到持久性存储设备,系统重启后,会导致日志丢失。", - "entry": "enable_rsyslog.sh" + "entry": "/bin/true", + "services": ["rsyslog"] } \ No newline at end of file diff --git a/secTools/secharden/uv.lock b/secTools/secharden/uv.lock index a7ccb13..3ca1588 100644 --- a/secTools/secharden/uv.lock +++ b/secTools/secharden/uv.lock 
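Review bot: With `"entry": "/bin/true"` the rule no longer performs any action of its own; the deleted script started rsyslog and verified it was active, and the replacement relies entirely on the `services` list, which the apply command later in this series handles with `systemctl restart`. A restart brings the unit up for the current boot but does not enable it, so a rule named "启用rsyslog服务" presumably leaves rsyslog disabled on hosts where it was not already enabled — net.07 in the same patch keeps a script that runs `systemctl enable firewalld` for exactly this reason. Either keep a minimal entry script with `systemctl enable rsyslog`, or state in `description` that the rule only (re)starts the service for the running session.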
@@ -373,15 +373,15 @@ dev = [ [package.metadata] requires-dist = [ - { name = "jsonschema", specifier = ">=4.25.0" }, - { name = "pyyaml", specifier = ">=6.0.2" }, + { name = "jsonschema" }, + { name = "pyyaml" }, ] [package.metadata.requires-dev] dev = [ - { name = "pytest", specifier = ">=8.4.1" }, - { name = "pytest-cov", specifier = ">=6.2.1" }, - { name = "pytest-mock", specifier = ">=3.14.1" }, + { name = "pytest" }, + { name = "pytest-cov" }, + { name = "pytest-mock" }, ] [[package]] -- Gitee From c63e98817bb98d43a53af34c322c4391109f63a7 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Tue, 5 Aug 2025 19:28:17 +0800 Subject: [PATCH 105/109] add copyright --- .../secharden/src/secharden/exceptions/__init__.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/secTools/secharden/src/secharden/exceptions/__init__.py b/secTools/secharden/src/secharden/exceptions/__init__.py index fa262c1..d33dcbc 100644 --- a/secTools/secharden/src/secharden/exceptions/__init__.py +++ b/secTools/secharden/src/secharden/exceptions/__init__.py @@ -1,3 +1,13 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + import logging @@ -10,6 +20,7 @@ class InvalidException(Exception): super().__init__(message) logging.exception(message) + class RuntimeException(Exception): """Runtime error exception.""" -- Gitee From bf49c3a26f612074c6cb339c51155e475e058430 Mon Sep 17 00:00:00 2001 
From: Tomahawkd Date: Wed, 6 Aug 2025 11:28:43 +0800 Subject: [PATCH 106/109] add dry-run mode to test config file, add comment to default config file --- secTools/conf/secharden.conf | 49 +++++++++++++++++++ secTools/secharden/src/secharden/cmd/apply.py | 12 +++-- secTools/secharden/src/secharden/executor.py | 8 +++ .../src/secharden/rule_metadata/metadata.py | 5 +- .../secharden/tests/tool_entry/test_apply.py | 11 +++++ 5 files changed, 79 insertions(+), 6 deletions(-) diff --git a/secTools/conf/secharden.conf b/secTools/conf/secharden.conf index d3078bf..295abae 100644 --- a/secTools/conf/secharden.conf +++ b/secTools/conf/secharden.conf 
@@ -1,31 +1,80 @@ +# Copyright (c) Huawei Technologies Co., Ltd. 2025. All rights reserved. +# secGear is licensed under the Mulan PSL v2. +# You can use this software according to the terms and conditions of the Mulan PSL v2. +# You may obtain a copy of Mulan PSL v2 at: +# http://license.coscl.org.cn/MulanPSL2 +# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR +# PURPOSE. +# See the Mulan PSL v2 for more details. + +# 规则详细信息请使用 secharden help <规则编号> 命令查看 +# 全栈完整性 +## int.01 启用内核模块签名 int.01: +## int.02 启用DIM动态度量内核 int.02: +# 内核加固 +## kern.01 开启BPF加固功能 kern.01: +## kern.02 启用内核ASLR kern.02: +## kern.03 确保内核触发错误后直接退出 kern.03: +# 登录认证 +## login.01 禁止空口令登录 login.01: +## login.02 禁止使用PermitUserEnvironment login.02: +## login.03 禁用root用户通过SSH登录 login.03: +## login.04 禁用SSH的TCP转发功能 login.04: +## login.05 禁止使用X11 Forwarding login.05: +## login.06 禁止使用SysRq键 login.06: +## login.07 避免开启tcp_timestamps login.07: +## login.08 设置最大认证次数 login.08: +# 网络保护 +## net.01 禁止ICMP重定向报文 net.01: +## net.02 禁止系统响应ICMP广播报文 net.02: +## net.03 禁止IP转发 net.03: +## net.04 禁止使用ARP代理 net.04: +## net.05 禁止报文源路由 net.05: +## net.06 丢弃伪造的ICMP报文 net.06: +## net.07 启用防火墙服务 net.07: +## net.08 启用反向地址过滤 net.08: +## net.09 启用TCP-SYN cookie net.09: +# 权限最小化 +## priv.01 最小化文件权限 priv.01: +## priv.02 启用链接文件保护 priv.02: +# 启用安全服务 +## serv.01 启用rsyslog服务 serv.01: +## serv.02 Selinux启用enforce模式 serv.02: +# 限制高危系统功能 +## sys.01 配置dmesg访问权限 sys.01: +## sys.02 禁止开启kexec功能 sys.02: +## sys.03 限制内核符号读取权限 sys.03: +## sys.04 限制ptrace范围 sys.04: +## sys.05 禁用不常见网络服务 sys.05: diff --git a/secTools/secharden/src/secharden/cmd/apply.py b/secTools/secharden/src/secharden/cmd/apply.py index a91fb34..f7dcbb2 100644 --- a/secTools/secharden/src/secharden/cmd/apply.py +++ b/secTools/secharden/src/secharden/cmd/apply.py 
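Review bot: The file never says what an uncommented `rule:` line with no value means; from the apply hunk later in this series a missing value becomes `{}` and the rule is applied with its defaults, so installing this file unchanged applies every rule listed here. Add a line below the existing `secharden help` hint such as `# A rule id with no value applies the rule with default parameters; comment the line out to skip the rule`. int.03 (enforce_ima.sh, touched by later patches in this series and added to the spec's Requires) is absent from the list; if that is deliberate because it needs a configuration path argument, a one-line comment saying so would save the next reader the question.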
@@ -31,8 +31,9 @@ class ApplyCmd(Command): default=Path('/etc/secharden')) parser.add_argument('-f', '--force', action='store_true', help="force apply rules without checking root privileges") + parser.add_argument("--dry-run", action='store_true', help="dry run mode, do not execute commands") - def _apply_rule(self, rule: str, rule_conf: dict, rule_mgr: RuleManager): + def _apply_rule(self, rule: str, rule_conf: dict, rule_mgr: RuleManager, args): """ Apply a single rule with its configuration. Returns True if the rule was applied successfully, False otherwise. @@ -52,7 +53,7 @@ class ApplyCmd(Command): logging.info(f"====== Rule {rule} ======") logging.debug(f"applying rule '{rule}' with configuration: {rule_conf}") try: - metadata.apply(rule_conf) + metadata.apply(rule_conf, dry_run=args.dry_run) print('ok') # record services that need to be restarted @@ -86,14 +87,15 @@ class ApplyCmd(Command): for rule, rule_conf in config.items(): if rule_conf is None: rule_conf = {} - self._apply_rule(rule, rule_conf, rule_mgr) + self._apply_rule(rule, rule_conf, rule_mgr, args) # restart services if any rules were applied for service in self._service_collector: print(f"Restarting service: {service}...", end='', flush=True) try: - executor = CmdExecutor(['systemctl', 'restart', service]) - executor.run() + if not args.dry_run: + executor = CmdExecutor(['systemctl', 'restart', service]) + executor.run() print('ok') except RuntimeException as e: print('failed') diff --git a/secTools/secharden/src/secharden/executor.py b/secTools/secharden/src/secharden/executor.py index 0037950..94bc394 100644 --- a/secTools/secharden/src/secharden/executor.py +++ b/secTools/secharden/src/secharden/executor.py 
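Review bot: `_apply_rule` now receives the whole argparse namespace although the body only reads `args.dry_run`, which ties a private helper to the CLI object and makes it harder to call from a test. Passing the flag explicitly, `def _apply_rule(self, rule: str, rule_conf: dict, rule_mgr: RuleManager, dry_run: bool = False):` with the call site updated to `self._apply_rule(rule, rule_conf, rule_mgr, args.dry_run)`, keeps the helper self-describing; the docstring should then gain `:param dry_run: log the resolved command line instead of executing the rule`. The rest of the helper's body is outside the hunk.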
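Review bot: In the service-restart loop of the third hunk a dry run still prints `Restarting service: <name>...ok` although the `executor.run()` call was skipped, so the console output of `--dry-run` is indistinguishable from a real run and an operator testing a configuration gets no record of which restarts would happen. The rule-level dry run in metadata.py logs the command it would have executed; the restart path should do the same and say on the console that it was skipped, as sketched below. The surrounding `for service in self._service_collector:` loop and its `except RuntimeException` handler are partly outside the hunk.
```python
        for service in self._service_collector:
            print(f"Restarting service: {service}...", end='', flush=True)
            if args.dry_run:
                logging.info(f"Dry run mode enabled. Command for service '{service}': "
                             f"['systemctl', 'restart', '{service}']")
                print('skipped (dry run)')
                continue
            try:
                executor = CmdExecutor(['systemctl', 'restart', service])
                executor.run()
                print('ok')
            # … unchanged: RuntimeException handling …
```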
@@ -139,6 +139,14 @@ class CmdExecutor: self._cmd = entry.copy() self._env = {} + @property + def cmdline(self) -> List[str]: + """ + Returns the command line as a list of strings. + This includes the command entry point and any added arguments. + """ + return self._cmd.copy() + def add_args(self, args: CmdParameter): """ Adds command arguments and environment variables to the executor. diff --git a/secTools/secharden/src/secharden/rule_metadata/metadata.py b/secTools/secharden/src/secharden/rule_metadata/metadata.py index 3774ff8..3529cdf 100644 --- a/secTools/secharden/src/secharden/rule_metadata/metadata.py +++ b/secTools/secharden/src/secharden/rule_metadata/metadata.py @@ -230,7 +230,7 @@ class RuleMetadata: raise InvalidException( f"Entry file {entry} for {self._id} does not exist in the root path or PATH environment variable") - def apply(self, config=None): + def apply(self, config=None, dry_run=False): """ Applies a rule with the given configuration. :param config: A dictionary containing configuration parameters for the rule @@ -265,6 +265,9 @@ class RuleMetadata: # execute the command try: + if dry_run: + logging.info(f"Dry run mode enabled. Command for rule '{rule}': {executor.cmdline}") + return logging.info(f"====== Rule {rule} command execution ======") result = executor.run().splitlines() for line in result: diff --git a/secTools/secharden/tests/tool_entry/test_apply.py b/secTools/secharden/tests/tool_entry/test_apply.py index 570949a..3bb69b0 100644 --- a/secTools/secharden/tests/tool_entry/test_apply.py +++ b/secTools/secharden/tests/tool_entry/test_apply.py 
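Review bot: The new `dry_run=False` parameter of `RuleMetadata.apply` is not described in the docstring, which currently documents only `config`; add `:param dry_run: when True, log the command that would run for the rule and return without executing it` next to the existing `:param config:` line. Since the early return in the second hunk also skips whatever follows the `executor.run()` call, the docstring should say that no output lines are processed in that mode. The body of `apply` between the signature and the execution block is outside the hunks.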
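Review bot: The dry-run log line in the second metadata.py hunk shows only `executor.cmdline`, but `CmdExecutor.add_args` is documented as adding "command arguments and environment variables", and the constructor initialises `self._env = {}`; parameters that the rule passes through the environment therefore never appear in a dry run, so a configuration test cannot confirm them. Expose the environment the same way the new `cmdline` property does, e.g. `@property\ndef env(self) -> dict: return self._env.copy()`, and log it alongside the command line. Where `add_args` stores the values is outside the hunk, so confirm it really populates `_env` before relying on that.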
@@ -72,6 +72,17 @@ class TestApplyCmd: assert "Applying rule: test.01...ok" in out assert "====== End of rule test.01 ======" in caplog.text + def test_apply_rule_dry_run(self, capsys, caplog, base_path, rule_path): + conf_path = str(base_path.joinpath("conf")) + with caplog.at_level(logging.DEBUG): + assert secharden.main(["-r", str(rule_path), "apply", conf_path, "-f", "--dry-run"]) == 0 + out, _ = capsys.readouterr() + assert "====== Rule test.01 ======" in caplog.text + assert "applying rule 'test.01' with configuration: {}" in caplog.text + assert "Dry run mode enabled. Command for rule 'test.01':" in caplog.text + assert "Applying rule: test.01...ok" in out + assert "====== End of rule test.01 ======" in caplog.text + def test_apply_not_enabled(self, capsys, caplog, base_path, rule_path): conf_path = str(base_path.joinpath("not_enable")) with caplog.at_level(logging.INFO): -- Gitee From c388cb0c5507369f69ee7fa8a70ef0cb6af67f84 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 6 Aug 2025 15:53:59 +0800 Subject: [PATCH 107/109] add execute permission --- secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh diff --git a/secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh b/secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh old mode 100644 new mode 100755 -- Gitee From ec92d9a40ef1828d58abe5c0442c500a319753c0 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 6 Aug 2025 15:58:43 +0800 Subject: [PATCH 108/109] fix ima script --- secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh b/secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh index e784b80..7af7f47 100755 --- a/secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh 
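Review bot: `test_apply_rule_dry_run` checks the log banner and the `ok` line but never asserts that nothing was executed, so a regression that logs the dry-run message and then still runs the command would pass. Patch the executor as the service-restart tests earlier in this series do and assert it stays untouched: `run = mocker.patch("secharden.executor.CmdExecutor.run")` before the `secharden.main(...)` call and `run.assert_not_called()` after it (the fixture is `mocker: MockerFixture`). The test also needs `-f` to get past the root check, which suggests `--dry-run` still demands privileges; if a dry run is meant to be usable by an unprivileged operator, a second test without `-f` would pin that.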
+++ b/secTools/secharden/src/secharden/tools/int.03/enforce_ima.sh @@ -126,7 +126,7 @@ function _fn_activate_ima() function fn_ima_tool_main() { if [ ! $# -eq 1 ]; then - echo "" + echo "Please provide the configuration file path as an argument." exit 1 fi @@ -166,4 +166,4 @@ function fn_ima_tool_main() _fn_activate_ima } -fn_ima_tool_main \ No newline at end of file +fn_ima_tool_main $@ -- Gitee From aa55bf9aab484f24858d92652f4f10b278c2f543 Mon Sep 17 00:00:00 2001 From: Tomahawkd Date: Wed, 6 Aug 2025 16:05:44 +0800 Subject: [PATCH 109/109] add requirements for int.02 and int.03 --- secTools/secharden.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secTools/secharden.spec b/secTools/secharden.spec index 2195492..f7cbe56 100644 --- a/secTools/secharden.spec +++ b/secTools/secharden.spec @@ -8,7 +8,7 @@ Source0: secharden Source1: conf License: Mulan PSL v2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: python3 python3-pyyaml python3-jsonschema +Requires: python3 python3-pyyaml python3-jsonschema coreutils setools-console libselinux dim dim_tools BuildArch: noarch BuildRequires: python3-setuptools pyproject-rpm-macros python3-pytest python3-pytest-mock python3-wheel -- Gitee
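Review bot: `fn_ima_tool_main $@` passes the arguments unquoted, so a configuration path that contains whitespace is split into several words and rejected by the `$# -eq 1` check in the first hunk, and a path with glob characters is expanded by the shell before the function sees it; use `fn_ima_tool_main "$@"`. The corrected error message in the first hunk is fine as it stands. The function bodies between the two hunks are outside the diff.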