Check running services (e.g. FTP, RDP, Telnet, UPnP, Remote Registry, etc...)

Implement a better way of checking/installing cracklib

The win32net module isn't availlible on Linux, so something needs to be done about only loading it for Windows

I belive the remove software will work on debian, as the code is based on the apt package manager

• Minimum password length
• Max password age
• Min password age
• Lockout policy

Enable warnings when installing add-ons, block dangerous downloads, automatically update, etc...

Add needed software and remove banned software

/etc/shadow, /etc/passwd...

Ensure any files that currently use the legacy back up system are moved to the newer system

Remove backdoors

Currently the file resides in payloads/security_policy.inf

Enable, update definitions, automatic scans, etc...

e.g. if we wanted to back up a home directory, it might contain 'illegal stuff', so archiving will remove any possibility of that being detected.
Also home directories might be quite big, so it might be a good idea to compress as well

e.g. ASLR is enabled

Switch to secure desktop when prompting for elevation

• Firewall on

Ask for list of accounts to create and whether they need to be admin or not. Then create users in the list, remove users not in the list and promote/demote users.

/tmp sometimes gets cleaned after a reboot and this means that you loose access to the backups

Install and configure security

Automatically create Windows and Linux binaries

This needs a custom installation at the moment:
python -m pip install pywin32
Navigate to the python install folder
python Scripts/pywin32_postinstall.py -install

IPv4 and IPv6 hardening, secure firewall...

Implement an easy way to backup files that payloads will change

Hide surname, and require ctrl-alt-del to logon

Create logging and input common functions to replace logzero.

e.g. common.run_full("for usr in $(cut -d: -f1 /etc/shadow); do [[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo \"$usr :$(chage --list $usr | g rep '^Last password change' | cut -d: -f2)\"; done")

• Minimum password length
• Max password age
• Min password age
• Lockout policy

Instead of keeping it in the repo, clone it
https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js

Detect all services running, and prompt user whether to disable them or not.
e.g. samba, avahi, ftp...

Allowed users, network level authentication, etc...

e.g.

[?] (8/368) Would you like to keep the program 'alacarte' (y/n/i)? i
alacarte/oldoldstable,now 3.11.91-2 all [installed]
  easy GNOME menu editing tool
[?] (8/368) Would you like to keep the program 'alacarte' (y/n/i)?

or even just the easy GNOME menu editing tool bit

The current way of generating binaries doesn't work very well because they only work on the exact OS that they were built on (e.g. binary built on Ubuntu 19.10 doesn't work on Ubuntu 16.04). So instead have 2 installer scripts (Windows and Linux) which:

• Install Python
• Install dependencies (e.g. git)
• Clone repository to a folder
• Add files to path

Ask for list of accounts to create and whether they need to be admin or not. Then create users in the list, remove users not in the list and promote/demote users. Also change passwords where appropriate

For /etc/login.defs

After Round 3, this probably wants to be made public so the documentation needs cleaning up and removing.

Linux and Windows issue where the default user changed password doesn't work

Need to check these out!

Delete files ending in a list of extensions. For example: .mp3, .mp4, .ogg, .wav, etc...

Disable root login

Disallow users from changing system time