feat(security-hardening): implement SCAP-STIG compliance logic
Refactor apply script to implement comprehensive security hardening: - Add GRUB bootloader permission hardening (root:root, mode 0400) - Disable and remove autofs service per STIG requirements - Deploy modprobe configurations for kernel module blacklisting - Create STIG-compliant network protocol blacklist (dccp, rds, sctp, tipc) - Create STIG-compliant filesystem blacklist (cramfs, freevxfs, hfs, etc.) - Create USB storage blacklist for removable media control - Deploy security banners (issue, issue.net, motd) - Harden cron and at permission controls (cron.allow, at.allow) - Fix typo in security-limits.conf destination path 🤖 Generated with [Crush](https://github.com/charmassociates/crush) Assisted-by: GLM-5 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
@@ -7,35 +7,101 @@ set -euo pipefail
|
||||
|
||||
echo "Running security hardening initializer..."
|
||||
|
||||
# Source variables if available
|
||||
if [[ -f ../../variables ]]; then
|
||||
source ../../variables
|
||||
fi
|
||||
|
||||
# Enable auditd
|
||||
systemctl --now enable auditd
|
||||
|
||||
# Configure auditd
|
||||
if [[ -f ./ConfigFiles/AuditD/auditd.conf ]]; then
|
||||
cp ./ConfigFiles/AuditD/auditd.conf /etc/audit/auditd.conf
|
||||
fi
|
||||
|
||||
# Configure systemd journal settings
|
||||
if [[ -f ./ConfigFiles/Systemd/journald.conf ]]; then
|
||||
cp ./ConfigFiles/Systemd/journald.conf /etc/systemd/journald.conf
|
||||
fi
|
||||
|
||||
# Configure logrotate
|
||||
if [[ -f ./ConfigFiles/Logrotate/logrotate.conf ]]; then
|
||||
cp ./ConfigFiles/Logrotate/logrotate.conf /etc/logrotate.conf
|
||||
fi
|
||||
|
||||
# Configure sysctl security parameters
|
||||
if [[ -f ./configs/sysctl-hardening.conf ]]; then
|
||||
cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf
|
||||
sysctl -p /etc/sysctl.d/99-security-hardening.conf
|
||||
fi
|
||||
|
||||
# Configure core dumps
|
||||
# Configure core dumps and resource limits
|
||||
if [[ -f ./configs/security-limits.conf ]]; then
|
||||
cp ./configs/security-limits.conf /etc/security/limits.d/security-lening.conf
|
||||
cp ./configs/security-limits.conf /etc/security/limits.d/security-hardening.conf
|
||||
fi
|
||||
|
||||
# SCAP-STIG Compliance: Fix GRUB permissions (skip on Raspberry Pi)
|
||||
if [[ "${IS_RASPI:-0}" != "1" ]] && [[ -f /boot/grub/grub.cfg ]]; then
|
||||
chown root:root /boot/grub/grub.cfg
|
||||
chmod og-rwx /boot/grub/grub.cfg
|
||||
chmod 0400 /boot/grub/grub.cfg
|
||||
echo "GRUB permissions hardened"
|
||||
fi
|
||||
|
||||
# SCAP-STIG Compliance: Disable auto mounting
|
||||
systemctl --now disable autofs 2>/dev/null || true
|
||||
DEBIAN_FRONTEND="noninteractive" apt-get -y --purge remove autofs 2>/dev/null || true
|
||||
|
||||
# SCAP-STIG Compliance: Deploy ModProbe security configs
|
||||
for conf_file in ./configs/modprobe/*.conf; do
|
||||
if [[ -f "$conf_file" ]]; then
|
||||
cp "$conf_file" /etc/modprobe.d/
|
||||
fi
|
||||
done
|
||||
|
||||
# Deploy network filesystem blacklisting
|
||||
cat > /etc/modprobe.d/stig-network.conf << 'EOF'
|
||||
# STIG: Disable uncommon network protocols
|
||||
install dccp /bin/true
|
||||
install rds /bin/true
|
||||
install sctp /bin/true
|
||||
install tipc /bin/true
|
||||
EOF
|
||||
|
||||
# Deploy filesystem blacklisting
|
||||
cat > /etc/modprobe.d/stig-filesystem.conf << 'EOF'
|
||||
# STIG: Disable uncommon filesystem types
|
||||
install cramfs /bin/true
|
||||
install freevxfs /bin/true
|
||||
install hfs /bin/true
|
||||
install hfsplus /bin/true
|
||||
install jffs2 /bin/true
|
||||
install squashfs /bin/true
|
||||
install udf /bin/true
|
||||
EOF
|
||||
|
||||
# Deploy USB storage blacklisting
|
||||
cat > /etc/modprobe.d/usb_storage.conf << 'EOF'
|
||||
# STIG: Disable USB storage
|
||||
install usb-storage /bin/true
|
||||
EOF
|
||||
|
||||
# SCAP-STIG Compliance: Deploy security banners
|
||||
if [[ -f ./configs/issue ]]; then
|
||||
cp ./configs/issue /etc/issue
|
||||
fi
|
||||
if [[ -f ./configs/issue.net ]]; then
|
||||
cp ./configs/issue.net /etc/issue.net
|
||||
fi
|
||||
if [[ -f ./configs/motd ]]; then
|
||||
cp ./configs/motd /etc/motd
|
||||
fi
|
||||
|
||||
# SCAP-STIG Compliance: Cron permission hardening
|
||||
rm -f /etc/cron.deny 2>/dev/null || true
|
||||
touch /etc/cron.allow
|
||||
chmod g-wx,o-rwx /etc/cron.allow
|
||||
chown root:root /etc/cron.allow
|
||||
chmod og-rwx /etc/crontab
|
||||
chmod og-rwx /etc/cron.hourly/
|
||||
chmod og-rwx /etc/cron.daily/
|
||||
chmod og-rwx /etc/cron.weekly/
|
||||
chmod og-rwx /etc/cron.monthly/
|
||||
chown root:root /etc/cron.d/
|
||||
chmod og-rwx /etc/cron.d/
|
||||
|
||||
# SCAP-STIG Compliance: At permission hardening
|
||||
rm -f /etc/at.deny 2>/dev/null || true
|
||||
touch /etc/at.allow
|
||||
chmod g-wx,o-rwx /etc/at.allow
|
||||
chown root:root /etc/at.allow
|
||||
|
||||
# Set file permissions
|
||||
chmod 644 /etc/passwd
|
||||
chmod 600 /etc/shadow
|
||||
|
||||
Reference in New Issue
Block a user