Update security

2026-02-19 17:06:37 +00:00 · 2026-02-10 18:28:43 +01:00
parent 06a3e6b472
commit cc34d33090
3 changed files with 1 additions and 243 deletions
--- a/AppImage/scripts/security_manager.py
+++ b/AppImage/scripts/security_manager.py
@@ -1855,69 +1855,3 @@ def parse_lynis_report():
    report["proxmox_context_applied"] = True

    return report
-
-
-# =================================================================
-# Root Access Hardening
-# =================================================================
-
-HARDENING_FLAG = "/root/.proxmenux/root_hardening.json"
-SSHD_CONFIG = "/etc/ssh/sshd_config"
-
-def get_root_hardening_status():
-    """
-    Check root hardening status: SSH root login, web access, admin user.
-    Returns dict with current state.
-    """
-    result = {
-        "hardening_applied": False,
-        "ssh_root_disabled": False,
-        "root_web_blocked": False,
-        "admin_user": "",
-        "pve_user_exists": False,
-    }
-
-    # Check SSH root login
-    try:
-        if os.path.isfile(SSHD_CONFIG):
-            with open(SSHD_CONFIG, 'r') as f:
-                for line in f:
-                    stripped = line.strip()
-                    if stripped and not stripped.startswith('#'):
-                        if stripped.lower().startswith('permitrootlogin'):
-                            val = stripped.split(None, 1)[1].strip().lower() if len(stripped.split(None, 1)) > 1 else ""
-                            result["ssh_root_disabled"] = val == "no"
-                            break
-    except Exception:
-        pass
-
-    # Check hardening flag
-    if os.path.isfile(HARDENING_FLAG):
-        try:
-            with open(HARDENING_FLAG, 'r') as f:
-                data = json.loads(f.read())
-            result["hardening_applied"] = True
-            result["admin_user"] = data.get("admin_user", "")
-            result["root_web_blocked"] = data.get("root_web_blocked", False)
-            result["ssh_root_disabled"] = data.get("ssh_root_disabled", result["ssh_root_disabled"])
-
-            # Verify admin user exists in PVE
-            if result["admin_user"]:
-                rc, out, _ = _run_cmd(["pveum", "user", "list", "--output-format", "json"])
-                if rc == 0 and out:
-                    try:
-                        users = json.loads(out)
-                        pam_user = f"{result['admin_user']}@pam"
-                        for u in users:
-                            if u.get("userid") == pam_user:
-                                result["pve_user_exists"] = True
-                                break
-                    except json.JSONDecodeError:
-                        # Fallback: grep approach
-                        rc2, out2, _ = _run_cmd(["pveum", "user", "list"])
-                        if rc2 == 0:
-                            result["pve_user_exists"] = f"{result['admin_user']}@pam" in out2
-        except Exception:
-            pass
-
-    return result