feat(security-hardening): add SCAP-STIG compliance configuration files

Add security hardening configuration files implementing SCAP-STIG
controls:

- sysctl-hardening.conf: 75 kernel security parameters covering:
  * IP forwarding and redirect controls
  * Source routing and martian packet logging
  * TCP SYN cookies and timestamps
  * ExecShield and ASLR settings
  * Ptrace scope restrictions
  * Unprivileged BPF and userns restrictions

- security-limits.conf: Resource limits for:
  * Core dump prevention (fork bomb protection)
  * Process count limits (4096 soft, 8192 hard)
  * File handle limits (1024 soft, 4096 hard)
  * Memory lock and file size restrictions

- issue, issue.net, motd: Security warning banners for local
  and network login

- modprobe/: Directory for kernel module blacklist configurations

These configs implement CIS Benchmark and DISA STIG requirements
for Linux server hardening.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-scap-stig.sh

initializers/security-hardening/configs/issue

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

initializers/security-hardening/configs/issue.net

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

initializers/security-hardening/configs/motd

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

initializers/security-hardening/configs/security-limits.conf

@@ -0,0 +1,29 @@
+# KNEL Security Limits Configuration
+# SCAP/STIG compliant resource limits
+
+# Prevent core dumps for all users
+* hard core 0
+* soft core 0
+
+# Prevent core dumps for root
+root hard core 0
+root soft core 0
+
+# Limit max processes for users (fork bomb protection)
+* soft nproc 4096
+* hard nproc 8192
+
+# Limit max file handles
+* soft nofile 1024
+* hard nofile 4096
+
+# Limit max memory lock
+* hard memlock 64
+
+# Limit max file size
+* soft fsize 2097152
+* hard fsize 4194304
+
+# Stack size limit
+* soft stack 8192
+* hard stack 65536

initializers/security-hardening/configs/sysctl-hardening.conf

@@ -0,0 +1,75 @@
+# KNEL Kernel Security Hardening Configuration
+# SCAP/STIG compliant sysctl parameters
+
+# Disable IP forwarding
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Disable send packet redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Disable accept source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Disable accept redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable secure redirects
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Log martian packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Enable TCP SYN cookies
+net.ipv4.tcp_syncookies = 1
+
+# Disable RFC1337 fix
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable reverse path filtering
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP redirects
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Disable IP source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Enable TCP timestamps
+net.ipv4.tcp_timestamps = 1
+
+# Disable magic sysrq
+kernel.sysrq = 0
+
+# Disable core dumps for SUID programs
+fs.suid_dumpable = 0
+
+# Enable execshield protection
+kernel.exec-shield = 1
+
+# Randomize virtual address space
+kernel.randomize_va_space = 2
+
+# Disable coredumps
+kernel.core_pattern = |/bin/false
+
+# Restrict ptrace scope
+kernel.yama.ptrace_scope = 1
+
+# Disable unprivileged BPF
+kernel.unprivileged_bpf_disabled = 1
+
+# Restrict user namespaces
+kernel.unprivileged_userns_clone = 0