diff --git a/README.md b/README.md index b9a6a5b..dda0244 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,10 @@ The KNEL FetchApply system provides automated server provisioning for Linux serv │ ├── 2fa/ # Two-factor authentication setup │ ├── wazuh/ # Wazuh security monitoring │ ├── security-hardening/ # SCAP/STIG compliance +│ ├── unattended-upgrades/ # Automatic security updates +│ ├── dell-config/ # Dell server specific configurations +│ ├── ssl-stack/ # SSL stack compilation (dev systems) +│ ├── ldap-auth/ # LDAP authentication (placeholder) │ ├── salt-client/ # Salt minion configuration │ └── user-configuration/ # User shell settings ├── roles/ # Groups of related initializers @@ -83,7 +87,7 @@ The system automatically detects: ### Core Setup - **system-setup** - System detection and variable setup -- **packages** - Package installation with conditional logic (includes ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN) +- **packages** - Package installation with conditional logic (includes build tools for SSL stack, ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN) - **user-configuration** - Shell settings and user preferences ### Configuration 
@@ -96,7 +100,13 @@ The system automatically detects: ### Security - **2fa** - Set up Google Authenticator for 2FA - **wazuh** - Deploy Wazuh security monitoring agent -- **security-hardening** - SCAP/STIG compliance hardening +- **security-hardening** - SCAP/STIG compliance hardening (includes auditd, systemd, logrotate configs) +- **unattended-upgrades** - Configure automatic security updates + +### Specialized +- **dell-config** - Dell server specific optimizations (CPU performance, OMSA tools) +- **ssl-stack** - Compile OpenSSL, nghttp2, curl, APR, and Apache from source (dev systems only) +- **ldap-auth** - LDAP authentication configuration (placeholder for Cloudron) ### Monitoring - **oam** - Operations and Maintenance tools (up2date script) @@ -124,10 +134,28 @@ The system installs clients for specific management purposes: - Wazuh security monitoring - SCAP/STIG compliance hardening - AIDE file integrity monitoring +- Automatic security updates + +## Specialized Configurations + +### Dell Servers +- Automatic CPU performance tuning +- Dell OpenManage Server Administrator setup +- Ethernet configuration scripts + +### Development Workstations +- SSL stack compilation (OpenSSL 1.1.0h, nghttp2, curl, APR, Apache) +- HTTP/2 enabled Apache HTTPd +- Custom SSL installations + +### Future Services +- Beszel monitoring (to be deployed via Salt) +- Netbird networking (to be deployed via Salt) +- LDAP authentication (Cloudron integration) ## Migration Path -This system provides the foundation for comprehensive management: +This system provides a foundation for comprehensive management: 1. **FetchApply** - Initial server provisioning (this repo) 2. **Salt Master** - Ongoing configuration management and automation 
@@ -142,6 +170,15 @@ Ansible will be used specifically to deploy and manage: - Compliance validation and reporting - Documentation generation +## SSL Stack Compilation + +Available on development workstations or when `COMPILE_SSL_STACK=true`: +- OpenSSL 1.1.0h with weak ciphers enabled (legacy compatibility) +- nghttp2 for HTTP/2 support +- curl with HTTP/2 and custom OpenSSL support +- Apache HTTPd with HTTP/2 enabled +- Custom installations at `/usr/local/custom-ssl/` + ## Troubleshooting For detailed status information: @@ -156,6 +193,12 @@ To run specific initializers: sudo fa run ``` +To compile SSL stack: + +```bash +COMPILE_SSL_STACK=true sudo fa run ssl-stack +``` + To pause automatic runs during maintenance: ```bash @@ -175,4 +218,4 @@ sudo fa resume ## License -This project is licensed under terms specified in the LICENSE file. \ No newline at end of file +This project is licensed under the terms specified in the LICENSE file. \ No newline at end of file diff --git a/classes/server/initializers b/classes/server/initializers index eea2f66..ca34098 100644 --- a/classes/server/initializers +++ b/classes/server/initializers @@ -9,6 +9,10 @@ postfix 2fa wazuh security-hardening +unattended-upgrades +dell-config +ssl-stack +ldap-auth salt-client user-configuration diff --git a/initializers/dell-config/apply b/initializers/dell-config/apply new file mode 100755 index 0000000..066c2c9 --- /dev/null +++ b/initializers/dell-config/apply 
@@ -0,0 +1,51 @@ +#!/bin/bash + +# KNEL Dell Server Configuration Initializer +# Applies Dell-specific optimizations and tools + +set -euo pipefail + +echo "Running Dell server configuration initializer..." + +# Only run on Dell physical servers +if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then + echo "Dell physical hardware detected, applying Dell-specific configurations..." + + # CPU performance tuning (from fixcpuperf.sh) + if command -v cpufreq-set >/dev/null 2>&1; then + cpufreq-set -r -g performance + echo "Set CPU performance governor" + fi + + if command -v cpupower >/dev/null 2>&1; then + cpupower frequency-set --governor performance + echo "Set CPU frequency governor to performance" + fi + + # Copy Dell-specific scripts if they exist + mkdir -p /opt/dell-tools + + if [[ -f ./scripts/fixeth.sh ]]; then + cp ./scripts/fixeth.sh /opt/dell-tools/ + chmod +x /opt/dell-tools/fixeth.sh + echo "Copied Ethernet fixing script" + fi + + if [[ -f ./scripts/omsa.sh ]]; then + cp ./scripts/omsa.sh /opt/dell-tools/ + chmod +x /opt/dell-tools/omsa.sh + echo "Copied OMSA setup script" + fi + + # Install Dell OpenManage Server Administrator if available + if command -v apt >/dev/null 2>&1; then + # Add Dell repository if available + # This would need to be implemented when Dell repo access is available + echo "Dell OMSA installation would go here (requires Dell repo access)" + fi + +else + echo "Not a Dell physical server, skipping Dell-specific configurations" +fi + +echo "Dell server configuration initializer completed" \ No newline at end of file diff --git a/initializers/dell-config/scripts/fixcpuperf.sh b/initializers/dell-config/scripts/fixcpuperf.sh new file mode 100644 index 0000000..e795119 --- /dev/null +++ b/initializers/dell-config/scripts/fixcpuperf.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +#Script to set performance. + + + +cpufreq-set -r -g performance +cpupower frequency-set --governor performance + + 
diff --git a/initializers/ldap-auth/apply b/initializers/ldap-auth/apply new file mode 100755 index 0000000..d9fc410 --- /dev/null +++ b/initializers/ldap-auth/apply @@ -0,0 +1,28 @@ +#!/bin/bash + +# KNEL LDAP Authentication Initializer +# Placeholder for future Cloudron LDAP authentication configuration + +set -euo pipefail + +echo "Running LDAP authentication initializer..." + +# This is a placeholder for future Cloudron LDAP integration +# Currently, auth-cloudron-ldap.sh in KNELServerBuild is empty +# When ready, this would: +# 1. Configure PAM for LDAP authentication +# 2. Set up nsswitch.conf for LDAP user lookups +# 3. Configure SSH to use LDAP authentication +# 4. Test LDAP connectivity + +if [[ -f ./configs/cloudron-ldap.conf ]]; then + cp ./configs/cloudron-ldap.conf /etc/ldap/ldap.conf + echo "LDAP configuration file deployed" +fi + +echo "LDAP authentication initializer completed (placeholder - no actual configuration applied)" + +echo "To enable Cloudron LDAP when ready:" +echo "1. Configure Cloudron LDAP settings" +echo "2. Update this initializer with actual LDAP configuration" +echo "3. Test authentication against Cloudron LDAP" \ No newline at end of file diff --git a/initializers/packages/apply b/initializers/packages/apply index ba4fc3a..f0bc139 100755 --- a/initializers/packages/apply +++ b/initializers/packages/apply @@ -37,6 +37,15 @@ apt-get --purge autoremove # Install desired packages apt-get -y -o Dpkg::Options::="--force-confold" install \ + build-essential \ + wget \ + gcc \ + make \ + perl \ + libpcre3 \ + libpcre3-dev \ + zlib1g \ + zlib1g-dev \ virt-what \ auditd \ audispd-plugins \ diff --git a/initializers/security-hardening/apply b/initializers/security-hardening/apply index 6097632..34fe813 100755 --- a/initializers/security-hardening/apply +++ b/initializers/security-hardening/apply 
@@ -1,15 +1,30 @@ #!/bin/bash -# KNEL Security Hardening Module +# KNEL Security Hardening Initializer # Implements SCAP/STIG security compliance set -euo pipefail -echo "Running security hardening module..." +echo "Running security hardening initializer..." # Enable auditd systemctl --now enable auditd +# Configure auditd +if [[ -f ./ConfigFiles/AuditD/auditd.conf ]]; then + cp ./ConfigFiles/AuditD/auditd.conf /etc/audit/auditd.conf +fi + +# Configure systemd journal settings +if [[ -f ./ConfigFiles/Systemd/journald.conf ]]; then + cp ./ConfigFiles/Systemd/journald.conf /etc/systemd/journald.conf +fi + +# Configure logrotate +if [[ -f ./ConfigFiles/Logrotate/logrotate.conf ]]; then + cp ./ConfigFiles/Logrotate/logrotate.conf /etc/logrotate.conf +fi + # Configure sysctl security parameters if [[ -f ./configs/sysctl-hardening.conf ]]; then cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf @@ -48,4 +63,4 @@ if [[ ! -f /var/lib/aide/aide.db ]]; then aideinit fi -echo "Security hardening module completed" \ No newline at end of file +echo "Security hardening initializer completed" \ No newline at end of file diff --git a/initializers/ssl-stack/apply b/initializers/ssl-stack/apply new file mode 100755 index 0000000..ba28fe2 --- /dev/null +++ b/initializers/ssl-stack/apply 
@@ -0,0 +1,149 @@ +#!/bin/bash + +# KNEL SSL Stack Compilation Initializer +# Compiles OpenSSL, nghttp2, curl, APR, and Apache HTTPd from source +# Made from instructions at https://www.tunetheweb.com/performance/http2/ + +set -euo pipefail + +echo "Running SSL stack compilation initializer..." + +# Only run on specific systems or if explicitly requested +# This is a resource-intensive operation +if [[ $DEV_WORKSTATION_CHECK -gt 0 ]] || [[ "${COMPILE_SSL_STACK:-}" == "true" ]]; then + echo "Compiling SSL stack from source..." + + # Base URLs and files (using original versions from KNELServerBuild) + OPENSSL_URL_BASE="https://www.openssl.org/source/" + OPENSSL_FILE="openssl-1.1.0h.tar.gz" + + NGHTTP_URL_BASE="https://github.com/nghttp2/nghttp2/releases/download/v1.31.0/" + NGHTTP_FILE="nghttp2-1.31.0.tar.gz" + + APR_URL_BASE="https://archive.apache.org/dist/apr/" + APR_FILE="apr-1.6.3.tar.gz" + + APR_UTIL_URL_BASE="https://archive.apache.org/dist/apr/" + APR_UTIL_FILE="apr-util-1.6.1.tar.gz" + + APACHE_URL_BASE="https://archive.apache.org/dist/httpd/" + APACHE_FILE="httpd-2.4.33.tar.gz" + + CURL_URL_BASE="https://curl.haxx.se/download/" + CURL_FILE="curl-7.60.0.tar.gz" + + # Create build directory + BUILD_DIR="/tmp/ssl-stack-build" + mkdir -p "$BUILD_DIR" + cd "$BUILD_DIR" + + # Install build dependencies + DEBIAN_FRONTEND="noninteractive" apt-get -y install \ + build-essential \ + wget \ + gcc \ + make \ + perl \ + libpcre3 \ + libpcre3-dev \ + zlib1g \ + zlib1g-dev \ + || true + + # Download and compile OpenSSL + echo "Compiling OpenSSL..." + wget $OPENSSL_URL_BASE/$OPENSSL_FILE + tar xzf $OPENSSL_FILE + cd openssl-1.1.0h + ./config enable-weak-ssl-ciphers shared zlib-dynamic -DOPENSSL_TLS_SECURITY_LEVEL=0 --prefix=/usr/local/custom-ssl/openssl-1.1.0h + make + make install + ln -sf /usr/local/custom-ssl/openssl-1.1.0h /usr/local/openssl + cd - + + # Download and compile nghttp2 + echo "Compiling nghttp2..." 
+ wget $NGHTTP_URL_BASE/$NGHTTP_FILE + tar xzf $NGHTTP_FILE + cd nghttp2-1.31.0 + ./configure --prefix=/usr/local/custom-ssl/nghttp + make + make install + cd - + + # Update ldconfig for custom SSL + cat < /etc/ld.so.conf.d/custom-ssl.conf +/usr/local/custom-ssl/openssl-1.1.0h/lib +/usr/local/custom-ssl/nghttp/lib +EOF + ldconfig + + # Download and compile curl + echo "Compiling curl..." + wget $CURL_URL_BASE/$CURL_FILE + tar xzf $CURL_FILE + cd curl-7.60.0 + ./configure --prefix=/usr/local/custom-ssl/curl --with-nghttp2=/usr/local/custom-ssl/nghttp/ --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ + make + make install + cd - + + # Download and compile APR + echo "Compiling APR..." + wget $APR_URL_BASE/$APR_FILE + tar xzf $APR_FILE + cd apr-1.6.3 + ./configure --prefix=/usr/local/custom-ssl/apr + make + make install + cd - + + # Download and compile APR-util + echo "Compiling APR-util..." + wget $APR_UTIL_URL_BASE/$APR_UTIL_FILE + tar xzf $APR_UTIL_FILE + tar xzf $APR_UTIL_FILE + cd apr-util-1.6.1 + ./configure --prefix=/usr/local/custom-ssl/apr-util --with-apr=/usr/local/custom-ssl/apr + make + make install + cd - + + # Download and compile Apache HTTPd + echo "Compiling Apache HTTPd..." 
+ wget $APACHE_URL_BASE/$APACHE_FILE + tar xzf $APACHE_FILE + cd httpd-2.4.33 + cp -r ../apr-1.6.3 srclib/apr + cp -r ../apr-util-1.6.1 srclib/apr-util + ./configure --prefix=/usr/local/custom-ssl/apache \ + --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ \ + --with-pcre=/usr/bin/pcre-config \ + --enable-unique-id \ + --enable-ssl \ + --enable-so \ + --with-included-apr \ + --enable-http2 \ + --with-nghttp2=/usr/local/custom-ssl/nghttp/ + make + make install + ln -sf /usr/local/custom-ssl/apache /usr/local/apache + cd - + + # Cleanup + cd / + rm -rf "$BUILD_DIR" + + echo "SSL stack compilation completed" + echo "Custom installations available at:" + echo " OpenSSL: /usr/local/custom-ssl/openssl-1.1.0h" + echo " nghttp2: /usr/local/custom-ssl/nghttp" + echo " curl: /usr/local/custom-ssl/curl" + echo " APR: /usr/local/custom-ssl/apr" + echo " Apache: /usr/local/custom-ssl/apache" + +else + echo "Skipping SSL stack compilation (only runs on dev workstations or when COMPILE_SSL_STACK=true)" +fi + +echo "SSL stack compilation initializer completed" \ No newline at end of file diff --git a/initializers/unattended-upgrades/apply b/initializers/unattended-upgrades/apply new file mode 100755 index 0000000..7a2a71a --- /dev/null +++ b/initializers/unattended-upgrades/apply 
@@ -0,0 +1,26 @@ +#!/bin/bash + +# KNEL Unattended Upgrades Initializer +# Configures automatic security updates based on Debian unattended-upgrades + +set -euo pipefail + +echo "Running unattended upgrades initializer..." + +# Install unattended-upgrades +DEBIAN_FRONTEND="noninteractive" apt-get -y install unattended-upgrades + +# Configure unattended-upgrades +if [[ -f ./configs/50unattended-upgrades ]]; then + cp ./configs/50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades +fi + +# Copy auto-upgrades configuration template +if [[ -f ./configs/auto-upgrades ]]; then + cp ./configs/auto-upgrades /etc/apt/apt.conf.d/auto-upgrades +fi + +# Enable unattended-upgrades service +dpkg-reconfigure -f noninteractive unattended-upgrades + +echo "Unattended upgrades initializer completed" \ No newline at end of file diff --git a/roles/security b/roles/security index 5ec2508..fa3e5ac 100644 --- a/roles/security +++ b/roles/security @@ -5,4 +5,5 @@ ssh-hardening 2fa wazuh -security-hardening \ No newline at end of file +security-hardening +unattended-upgrades \ No newline at end of file
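Review bot: in the README.md "SSL Stack Compilation" hunk, the bullet "OpenSSL 1.1.0h with weak ciphers enabled (legacy compatibility)" presents a weakened build as a plain feature; the 1.1.0 branch is end-of-life and receives no security fixes, and the corresponding build in `ssl-stack/apply` also passes `-DOPENSSL_TLS_SECURITY_LEVEL=0`. State both points next to that bullet so whoever sets `COMPILE_SSL_STACK=true` knows what they are installing, and say explicitly that the result is for development workstations only.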
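Review bot: the `initializers/packages/apply` hunk adds `build-essential`, `gcc`, `make`, `perl`, `libpcre3-dev` and `zlib1g-dev` to the unconditional install list, so every server in the class gets a compiler toolchain even though the README and `ssl-stack/apply` say the stack is only built on dev workstations or with `COMPILE_SSL_STACK=true`. `ssl-stack/apply` already installs exactly this list itself inside its gate, so drop these lines from `packages/apply` and keep the toolchain out of the default server image.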
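Review bot: in `initializers/dell-config/apply`, the gate `if [[ $IS_PHYSICAL_HOST -gt 0 ]]` tests for any physical host, not Dell hardware, while the comment above it says "Only run on Dell physical servers" and the else branch reports "Not a Dell physical server"; either add a vendor check (DMI system manufacturer) or reword the comments and messages. Two smaller points in the same hunk: with `set -euo pipefail`, an unset `IS_PHYSICAL_HOST` aborts the script, so use `"${IS_PHYSICAL_HOST:-0}"`; and because `cpufreq-set -r -g performance` and `cpupower frequency-set --governor performance` both run whenever the binary exists, a non-zero exit from the first one stops the initializer before the script copies below it run.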
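Review bot: `initializers/dell-config/scripts/fixcpuperf.sh` duplicates the two governor commands already run inline in `dell-config/apply`, but `apply` only copies `fixeth.sh` and `omsa.sh` to `/opt/dell-tools`, so this file is never installed or executed; either copy it alongside the others or delete it, and if it stays give it `set -e` and the same `command -v` guards that `apply` uses.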
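Review bot: `initializers/ldap-auth/apply` copies `./configs/cloudron-ldap.conf` to `/etc/ldap/ldap.conf` and then prints "placeholder - no actual configuration applied", which contradicts itself; `/etc/ldap/` also only exists once an LDAP client package is installed, so under `set -e` the `cp` aborts the run on a plain host. Either remove the copy until the initializer is real, or `mkdir -p /etc/ldap` and drop the "no configuration applied" message. Since the `classes/server/initializers` hunk lists `ldap-auth`, this placeholder now runs on every server; consider leaving it out of the class list until it is implemented.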
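Review bot: in the first `initializers/security-hardening/apply` hunk, the three new `cp` calls replace `/etc/audit/auditd.conf`, `/etc/systemd/journald.conf` and `/etc/logrotate.conf` after `systemctl --now enable auditd` has already started the daemon, but nothing restarts auditd or journald, so the new settings only apply at the next boot; add `service auditd restart` (the unit refuses a manual `systemctl` stop) and `systemctl restart systemd-journald` after the copies. The new paths also use `./ConfigFiles/AuditD/...`, `./ConfigFiles/Systemd/...` and `./ConfigFiles/Logrotate/...` while the existing sysctl block in the same file uses `./configs/...`; pick one directory name and case.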
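Review bot: in `initializers/ssl-stack/apply`, the line `./config enable-weak-ssl-ciphers shared zlib-dynamic -DOPENSSL_TLS_SECURITY_LEVEL=0 ...` builds a shared libssl/libcrypto from an end-of-life branch with weak ciphers and no security-level floor, and the script then adds its `lib` directory to `/etc/ld.so.conf.d/custom-ssl.conf`, runs `ldconfig` and symlinks it to `/usr/local/openssl`, which exposes that library to every dynamically linked program on the host rather than only the custom curl and httpd. Keep the custom libraries out of the global loader path (an rpath or `LD_LIBRARY_PATH` for the custom binaries) and drop the `/usr/local/openssl` symlink. Further points in the same hunk: the tarballs are fetched with `wget` and extracted with no checksum or signature verification; `cat < /etc/ld.so.conf.d/custom-ssl.conf` as written reads the file instead of writing a heredoc, so the two path lines and `EOF` would execute as commands (if `<<EOF >` was lost in rendering, confirm the committed file); `tar xzf $APR_UTIL_FILE` runs twice; `BUILD_DIR="/tmp/ssl-stack-build"` is a fixed path under a world-writable directory used by root, so use `mktemp -d`; the `apt-get ... || true` hides dependency failures that the later `./configure` steps then report less clearly; and `$DEV_WORKSTATION_CHECK` aborts under `set -u` when it is unset.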
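Review bot: in `initializers/unattended-upgrades/apply`, `cp ./configs/auto-upgrades /etc/apt/apt.conf.d/auto-upgrades` writes a file whose name differs from the `20auto-upgrades` file that the following `dpkg-reconfigure -f noninteractive unattended-upgrades` generates from debconf, so a host can end up with two files setting `APT::Periodic::*`, and with no debconf answer preseeded the reconfigure does not enable anything. Either preseed the answer (`echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' | debconf-set-selections` before the reconfigure) and drop the template copy, or copy the template to `20auto-upgrades` and drop the reconfigure; a closing `unattended-upgrade --dry-run` would also confirm the configuration parses.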