{"id":42992155,"url":"https://github.com/sth8pwd5wx-max/barked","last_synced_at":"2026-04-01T21:57:14.600Z","repository":{"id":335580517,"uuid":"1146355157","full_name":"sth8pwd5wx-max/barked","owner":"sth8pwd5wx-max","description":"Tough outer layer for your system. Cross-platform security hardening for macOS, Linux, and Windows.","archived":false,"fork":false,"pushed_at":"2026-02-03T22:51:36.000Z","size":371,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-04T10:58:52.960Z","etag":null,"topics":["bash","firewall","hardening","linux","macos","powershell","privacy","security","windows"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sth8pwd5wx-max.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":"audits/audit-2026-01-29.md","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-31T00:54:00.000Z","updated_at":"2026-02-03T22:51:39.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sth8pwd5wx-max/barked","commit_stats":null,"previous_names":["sth8pwd5wx-max/barked"],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/sth8pwd5wx-max/barked","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sth8pwd5wx-max%2Fbarked","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sth8pwd5wx-max%2Fbarked/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sth8pwd5wx-max%2Fbarked/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sth8pwd5wx-max%2Fbarked/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sth8pwd5wx-max","download_url":"https://codeload.github.com/sth8pwd5wx-max/barked/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sth8pwd5wx-max%2Fbarked/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29105268,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T00:52:08.035Z","status":"ssl_error","status_checked_at":"2026-02-05T00:52:07.703Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","firewall","hardening","linux","macos","powershell","privacy","security","windows"],"created_at":"2026-01-31T03:07:46.349Z","updated_at":"2026-04-01T21:57:14.592Z","avatar_url":"https://github.com/sth8pwd5wx-max.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Barked\n\n**Tough outer layer for your system.**\n\nCross-platform security hardening for macOS, Linux, and Windows.\nOne script. No dependencies. Every change reversible.\n\n![macOS](https://img.shields.io/badge/macOS-supported-blue) ![Linux](https://img.shields.io/badge/Linux-supported-blue) ![Windows](https://img.shields.io/badge/Windows-supported-blue)\n\n## What This Does\n\nBarked wraps your system in a tough, protective layer. Pick a preset profile — Standard, High, or Paranoid — for fast deployment, or answer a short questionnaire to build a config matched to your threat model.\n\nUnder the bark:\n- **Idempotent** — checks before changing, skips what's already applied\n- **Reversible** — every change can be undone, previous values saved to state\n- **Zero dependencies** — just Bash (macOS/Linux) or PowerShell (Windows)\n\n## Get Barked\n\n**macOS / Linux:**\n```bash\ncurl -fsSL https://raw.githubusercontent.com/sth8pwd5wx-max/barked/main/install.sh | bash\n```\n\nInstalls to `~/.local/bin`. No sudo needed for install or updates.\n\n**Windows (PowerShell as Administrator):**\n```powershell\nirm https://raw.githubusercontent.com/sth8pwd5wx-max/barked/main/install.ps1 | iex\n```\n\nRun `barked` from anywhere. The wizard takes it from there.\n\n### Update\n\n```bash\nbarked --update                   # macOS / Linux\nbarked -Update                    # Windows\n```\n\nBarked also checks for updates after each run and notifies you if a new version is available.\n\n### Uninstall Barked\n\nTo remove barked itself from your system (not to revert hardening changes):\n```bash\nbarked --uninstall-self            # macOS / Linux\nbarked -UninstallSelf             # Windows\n```\n\n### Manual Install (from source)\n\n```bash\ngit clone https://github.com/sth8pwd5wx-max/barked\ncd barked\nchmod +x scripts/barked.sh\n./scripts/barked.sh\n```\n\nWindows:\n```powershell\ngit clone https://github.com/sth8pwd5wx-max/barked\ncd barked\n.\\scripts\\barked.ps1\n```\n\n## How It Works\n\nEvery module follows four rings of protection:\n\n```\ncheck_state ──→ apply ──→ verify ──→ (revert)\n     │                       │\n     │ already applied       │ failed\n     ▼                       ▼\n  [SKIP]                 [LOG ERROR]\n```\n\n1. **Check** — Already applied? Skip.\n2. **Apply** — Make the change. Save previous value to state.\n3. **Verify** — Confirm it took effect.\n4. **Revert** — Undo it, restore previous value.\n\nAll actions logged to `audits/hardening-log-YYYY-MM-DD.txt`.\n\n## Profiles\n\n**Standard** — Essential baseline security.\nDisk encryption verification, inbound firewall, encrypted DNS (Quad9), automatic security updates, guest account disabled, lock screen hardening, basic browser hardening.\n\n**High** — Standard + active defense.\nStealth mode firewall, outbound firewall (LuLu / ufw / WF), generic hostname, SSH hardening, Git commit signing, telemetry disabled, monitoring tools (Objective-See / auditd+aide / Sysmon), privacy permissions audit.\n\n**Paranoid** — High + obfuscation and operational security.\nMAC address rotation, VPN kill switch, traffic obfuscation (DAITA/Tor), browser fingerprint resistance, metadata stripping, dev environment isolation, weekly automated audits, encrypted backup guidance, border crossing prep, Bluetooth disabled when unused.\n\n**Advanced** — Custom questionnaire that maps your threat model, use case, travel habits, and maintenance preferences to the right set of modules.\n\n## Modules\n\n### Disk \u0026 Boot\n- `disk-encrypt` — FileVault / LUKS / BitLocker verification\n\n### Firewall\n- `firewall-inbound` — Block all incoming connections\n- `firewall-stealth` — Stealth mode / drop ICMP\n- `firewall-outbound` — Outbound firewall (LuLu / ufw / WF)\n\n### Network \u0026 DNS\n- `dns-secure` — Encrypted DNS (Quad9)\n- `vpn-killswitch` — VPN always-on, block non-VPN traffic\n- `hostname-scrub` — Generic hostname\n\n### Privacy \u0026 Obfuscation\n- `mac-rotate` — MAC address rotation\n- `telemetry-disable` — OS and browser telemetry off\n- `traffic-obfuscation` — DAITA, Tor guidance\n- `metadata-strip` — exiftool / mat2\n\n### Browser\n- `browser-basic` — Block trackers, HTTPS-only, disable safe-open\n- `browser-fingerprint` — Resist fingerprinting, clear-on-quit\n\n### Access Control\n- `guest-disable` — Disable guest account\n- `lock-screen` — Screensaver password, zero delay, timeout\n- `bluetooth-disable` — Disable when unused\n\n### Dev Tools\n- `git-harden` — SSH signing, credential helper\n- `dev-isolation` — Docker hardening, VM setup guidance\n\n### Auth \u0026 SSH\n- `ssh-harden` — Ed25519 keys, strict config\n\n### Monitoring\n- `monitoring-tools` — Objective-See / auditd+aide / Sysmon\n- `permissions-audit` — List granted privacy/security permissions\n- `audit-script` — Weekly automated audit + baseline snapshot\n\n### Maintenance\n- `auto-updates` — Automatic security updates\n- `backup-guidance` — Encrypted backup strategy\n- `border-prep` — Travel protocol, nuke checklist\n\nFor platform-specific implementation details, see [docs/plans/2026-01-29-hardening-wizard-design.md](docs/plans/2026-01-29-hardening-wizard-design.md).\n\n## System Cleaner\n\nShed the dead wood. Built-in system cleaner for privacy and disk hygiene.\n\n```bash\nbarked --clean                   # Interactive cleaning wizard\nbarked --clean --dry-run         # Preview what would be cleaned\nbarked --clean --force           # Skip confirmation prompt\n```\n\nWindows:\n```powershell\n.\\barked.ps1 -Clean              # Interactive cleaning wizard\n.\\barked.ps1 -Clean -DryRun     # Preview what would be cleaned\n.\\barked.ps1 -Clean -Force      # Skip confirmation prompt\n```\n\n**Categories:** System Caches \u0026 Logs, User Caches \u0026 Logs, Browser Data, Privacy Traces, Developer Cruft, Trash \u0026 Downloads, Mail \u0026 Messages\n\n**Features:**\n- Two-level picker: select categories, then optionally drill into individual targets\n- Auto-detects installed browsers and dev tools\n- Size-estimated preview before any deletion\n- Safety guardrails: no symlink following, skips in-use files, warns about running browsers\n- Cleanliness score with severity-weighted scoring\n- Full logging to `audits/clean-log-YYYY-MM-DD.txt`\n\n## Automated Scheduled Cleaning\n\nSet up automated cleaning to run on a schedule (daily, weekly, or custom).\n\n```bash\nbarked --clean-schedule          # macOS / Linux\n```\n\n**Setup wizard:**\n1. Select cleaning categories\n2. Choose schedule frequency (Daily, Weekly, Custom)\n3. Enable/disable notifications\n4. Review and confirm\n\nThe schedule is installed to run automatically:\n- **macOS**: launchd (`~/Library/LaunchAgents/com.barked.scheduled-clean.plist`)\n- **Linux**: cron (`crontab -l` to view)\n\n**Remove schedule:**\n```bash\nbarked --clean-unschedule        # macOS / Linux\n```\n\n**Manage from menu:**\nIn the wizard, select `[S] Schedule` to set up or modify automated cleaning.\n\n## Peel It Back\n\n**Full uninstall** — revert all changes:\n```bash\nbarked --uninstall               # macOS / Linux\n.\\barked.ps1 -Uninstall          # Windows\n```\n\n**Modify** — add or remove individual modules:\n```bash\nbarked --modify                  # macOS / Linux\n.\\barked.ps1 -Modify             # Windows\n```\n\nBoth options are also available from the wizard menu (`[U]` Uninstall, `[M]` Modify).\n\n## User-Space Only (No Sudo)\n\nRun only modules that don't require root privileges:\n\n```bash\nbarked --no-sudo                 # Skip all root-requiring modules\nbarked --auto standard --no-sudo # Combine with profiles\n```\n\nUseful for:\n- Managed machines where you don't have sudo\n- Quick partial hardening without elevation\n- Testing user-space modules in isolation\n\nThe scripts track applied changes in a state file:\n| Platform | User (primary) | Project (copy) |\n|---|---|---|\n| macOS / Linux | `~/.config/barked/state.json` | `state/hardening-state.json` |\n| Windows | `%LOCALAPPDATA%\\barked\\state.json` | `state\\hardening-state.json` |\n\nLegacy state files (`/etc/hardening-state.json`, `C:\\ProgramData\\hardening-state.json`) are automatically migrated to userspace on first run. If no state file is found, the scripts detect applied hardening from live system state.\n\n## File Structure\n\n```\nbarked/\n├── install.sh                # macOS/Linux installer\n├── install.ps1               # Windows installer\n├── scripts/\n│   ├── barked.sh              # macOS + Linux wizard\n│   ├── barked.ps1             # Windows wizard\n│   └── weekly-audit.sh        # macOS weekly audit\n├── gui/\n│   ├── Barked/                # SwiftUI macOS menubar app (macOS 13+)\n│   └── build.sh               # Build Barked.app bundle\n├── docs/plans/                # Design documents\n├── audits/                    # Audit reports\n├── baseline/                  # Known-good system snapshots\n└── state/                     # Hardening state files\n```\n\n## Releasing\n\nBoth scripts and their SHA256 checksums must be published together. The update and install flows verify downloads against these checksums.\n\n```bash\n# 1. Bump versions\n#    scripts/barked.sh  → readonly VERSION=\"X.Y.Z\"\n#    scripts/barked.ps1 → $script:VERSION = \"X.Y.Z\"\n\n# 2. Commit and push\ngit add scripts/barked.sh scripts/barked.ps1\ngit commit -m \"chore: bump versions to vX.Y.Z (bash) and vX.Y.Z (ps1)\"\ngit push\n\n# 3. Generate checksums\nshasum -a 256 scripts/barked.sh \u003e barked.sh.sha256\nshasum -a 256 scripts/barked.ps1 \u003e barked.ps1.sha256\n\n# 4. Create release with all four assets\ngh release create vX.Y.Z \\\n  scripts/barked.sh \\\n  scripts/barked.ps1 \\\n  barked.sh.sha256 \\\n  barked.ps1.sha256 \\\n  --title \"Barked vX.Y.Z\" \\\n  --notes \"Release notes here\"\n```\n\nThe release **must** include all four files. Without the `.sha256` files, update and install will fail checksum verification and abort.\n\n## License\n\nTBD\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsth8pwd5wx-max%2Fbarked","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsth8pwd5wx-max%2Fbarked","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsth8pwd5wx-max%2Fbarked/lists"}