diff --git a/initializers/security-hardening/apply b/initializers/security-hardening/apply
index 34fe813..49b5efa 100755
--- a/initializers/security-hardening/apply
+++ b/initializers/security-hardening/apply
@@ -7,35 +7,101 @@ set -euo pipefail echo "Running security hardening initializer..." +# Source variables if available +if [[ -f ../../variables ]]; then + source ../../variables +fi + # Enable auditd systemctl --now enable auditd -# Configure auditd -if [[ -f ./ConfigFiles/AuditD/auditd.conf ]]; then - cp ./ConfigFiles/AuditD/auditd.conf /etc/audit/auditd.conf -fi - -# Configure systemd journal settings -if [[ -f ./ConfigFiles/Systemd/journald.conf ]]; then - cp ./ConfigFiles/Systemd/journald.conf /etc/systemd/journald.conf -fi - -# Configure logrotate -if [[ -f ./ConfigFiles/Logrotate/logrotate.conf ]]; then - cp ./ConfigFiles/Logrotate/logrotate.conf /etc/logrotate.conf -fi - # Configure sysctl security parameters if [[ -f ./configs/sysctl-hardening.conf ]]; then cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf sysctl -p /etc/sysctl.d/99-security-hardening.conf fi -# Configure core dumps +# Configure core dumps and resource limits if [[ -f ./configs/security-limits.conf ]]; then - cp ./configs/security-limits.conf /etc/security/limits.d/security-lening.conf + cp ./configs/security-limits.conf /etc/security/limits.d/security-hardening.conf fi +# SCAP-STIG Compliance: Fix GRUB permissions (skip on Raspberry Pi) +if [[ "${IS_RASPI:-0}" != "1" ]] && [[ -f /boot/grub/grub.cfg ]]; then + chown root:root /boot/grub/grub.cfg + chmod og-rwx /boot/grub/grub.cfg + chmod 0400 /boot/grub/grub.cfg + echo "GRUB permissions hardened" +fi + +# SCAP-STIG Compliance: Disable auto mounting +systemctl --now disable autofs 2>/dev/null || true +DEBIAN_FRONTEND="noninteractive" apt-get -y --purge remove autofs 2>/dev/null || true + +# SCAP-STIG Compliance: Deploy ModProbe security configs +for conf_file in ./configs/modprobe/*.conf; do + if [[ -f "$conf_file" ]]; then + cp "$conf_file" /etc/modprobe.d/ + fi +done + +# Deploy network filesystem blacklisting +cat > /etc/modprobe.d/stig-network.conf << 'EOF' +# STIG: Disable uncommon network protocols +install 
dccp /bin/true +install rds /bin/true +install sctp /bin/true +install tipc /bin/true +EOF + +# Deploy filesystem blacklisting +cat > /etc/modprobe.d/stig-filesystem.conf << 'EOF' +# STIG: Disable uncommon filesystem types +install cramfs /bin/true +install freevxfs /bin/true +install hfs /bin/true +install hfsplus /bin/true +install jffs2 /bin/true +install squashfs /bin/true +install udf /bin/true +EOF + +# Deploy USB storage blacklisting +cat > /etc/modprobe.d/usb_storage.conf << 'EOF' +# STIG: Disable USB storage +install usb-storage /bin/true +EOF + +# SCAP-STIG Compliance: Deploy security banners +if [[ -f ./configs/issue ]]; then + cp ./configs/issue /etc/issue +fi +if [[ -f ./configs/issue.net ]]; then + cp ./configs/issue.net /etc/issue.net +fi +if [[ -f ./configs/motd ]]; then + cp ./configs/motd /etc/motd +fi + +# SCAP-STIG Compliance: Cron permission hardening +rm -f /etc/cron.deny 2>/dev/null || true +touch /etc/cron.allow +chmod g-wx,o-rwx /etc/cron.allow +chown root:root /etc/cron.allow +chmod og-rwx /etc/crontab +chmod og-rwx /etc/cron.hourly/ +chmod og-rwx /etc/cron.daily/ +chmod og-rwx /etc/cron.weekly/ +chmod og-rwx /etc/cron.monthly/ +chown root:root /etc/cron.d/ +chmod og-rwx /etc/cron.d/ + +# SCAP-STIG Compliance: At permission hardening +rm -f /etc/at.deny 2>/dev/null || true +touch /etc/at.allow +chmod g-wx,o-rwx /etc/at.allow +chown root:root /etc/at.allow + # Set file permissions chmod 644 /etc/passwd chmod 600 /etc/shadow
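Review bot: The cron hardening block runs `chmod og-rwx` on /etc/crontab and the /etc/cron.hourly, .daily, .weekly, .monthly and cron.d directories with no existence check, so under the `set -euo pipefail` visible in the hunk header a host without cron installed, or with one of those directories absent, aborts the initializer there and never reaches the /etc/passwd and /etc/shadow permission lines that close the hunk; the GRUB block earlier in the same hunk already guards with `-f`, and the same pattern belongs here. Folding those lines into a guarded loop also lets `chown root:root` cover every path rather than only /etc/cron.d. Two caveats worth a comment above the modprobe here-docs: an `install … /bin/true` rule only blocks future loads, so a module already resident (usb-storage, sctp, squashfs) stays active until it is unloaded or the host reboots, and `install squashfs /bin/true` will presumably break snapd on Ubuntu images that ship snaps — confirm against the target image before rolling this out. Note also that the empty /etc/cron.allow and /etc/at.allow created here lock every non-root account out of cron and at, which is the STIG intent but deserves a one-line comment so it is not mistaken for a bug.
```shell
# SCAP-STIG Compliance: Cron permission hardening
rm -f /etc/cron.deny 2>/dev/null || true
touch /etc/cron.allow
chmod g-wx,o-rwx /etc/cron.allow
chown root:root /etc/cron.allow
# Guard each path: cron may be absent on minimal images and set -e would abort here.
for cron_path in /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d; do
  [[ -e "$cron_path" ]] || continue
  chown root:root "$cron_path"
  chmod og-rwx "$cron_path"
done
# … unchanged: at permission hardening, passwd/shadow permissions …
```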