feat: Complete port of all KNELServerBuild components to FetchApply

- Add secharden-audit-agents functionality to security-hardening - Create unattended-upgrades initializer for automatic security updates - Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config - Port sslStackFromSource.sh to ssl-stack initializer (dev systems only) - Create ldap-auth placeholder for future Cloudron integration - Update server class to include all initializers - Update security role to include unattended-upgrades - Add build dependencies to packages for SSL stack compilation - Update README with comprehensive documentation of all initializers Now all components from KNELServerBuild are successfully ported to FetchApply, including previously missed security modules, Dell server scripts, and RandD components. Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 12:48:32 -05:00
parent c5a504f9c8
commit 1e506fed1d
10 changed files with 344 additions and 8 deletions
--- a/initializers/security-hardening/apply
+++ b/initializers/security-hardening/apply
@@ -1,15 +1,30 @@
 #!/bin/bash

-# KNEL Security Hardening Module
+# KNEL Security Hardening Initializer
 # Implements SCAP/STIG security compliance

 set -euo pipefail

-echo "Running security hardening module..."
+echo "Running security hardening initializer..."

 # Enable auditd
 systemctl --now enable auditd

+# Configure auditd
+if [[ -f ./ConfigFiles/AuditD/auditd.conf ]]; then
+    cp ./ConfigFiles/AuditD/auditd.conf /etc/audit/auditd.conf
+fi
+
+# Configure systemd journal settings
+if [[ -f ./ConfigFiles/Systemd/journald.conf ]]; then
+    cp ./ConfigFiles/Systemd/journald.conf /etc/systemd/journald.conf
+fi
+
+# Configure logrotate
+if [[ -f ./ConfigFiles/Logrotate/logrotate.conf ]]; then
+    cp ./ConfigFiles/Logrotate/logrotate.conf /etc/logrotate.conf
+fi
+
 # Configure sysctl security parameters
 if [[ -f ./configs/sysctl-hardening.conf ]]; then
    cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf
@@ -48,4 +63,4 @@ if [[ ! -f /var/lib/aide/aide.db ]]; then
    aideinit
 fi

-echo "Security hardening module completed"
+echo "Security hardening initializer completed"