KNELConfigMgmt-FetchApply

KNEL/KNELConfigMgmt-FetchApply

Fork 0

Commit Graph

Author	SHA1	Message	Date
Charles N Wyble	8f44815d97	feat(security-hardening): add SCAP-STIG compliance configuration files Add security hardening configuration files implementing SCAP-STIG controls: - sysctl-hardening.conf: 75 kernel security parameters covering: * IP forwarding and redirect controls * Source routing and martian packet logging * TCP SYN cookies and timestamps * ExecShield and ASLR settings * Ptrace scope restrictions * Unprivileged BPF and userns restrictions - security-limits.conf: Resource limits for: * Core dump prevention (fork bomb protection) * Process count limits (4096 soft, 8192 hard) * File handle limits (1024 soft, 4096 hard) * Memory lock and file size restrictions - issue, issue.net, motd: Security warning banners for local and network login - modprobe/: Directory for kernel module blacklist configurations These configs implement CIS Benchmark and DISA STIG requirements for Linux server hardening. Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-scap-stig.sh	2026-02-17 16:32:14 -05:00
Charles N Wyble	1e506fed1d	feat: Complete port of all KNELServerBuild components to FetchApply - Add secharden-audit-agents functionality to security-hardening - Create unattended-upgrades initializer for automatic security updates - Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config - Port sslStackFromSource.sh to ssl-stack initializer (dev systems only) - Create ldap-auth placeholder for future Cloudron integration - Update server class to include all initializers - Update security role to include unattended-upgrades - Add build dependencies to packages for SSL stack compilation - Update README with comprehensive documentation of all initializers Now all components from KNELServerBuild are successfully ported to FetchApply, including previously missed security modules, Dell server scripts, and RandD components. Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>	2026-01-21 12:48:32 -05:00
Charles N Wyble	afe61cae9d	refactor: Remove librenms, add ansible/salt clients - Remove all librenms references from initializers and configuration - Keep tailscale as requested (remove netbird plans) - Add ansible-core (already present) and salt-minion packages - Create salt-client initializer for minion configuration - Update roles to replace librenms-agent with salt-client - Simplify oam initializer to only handle up2date script - Update README to reflect new architecture and tools Prepares infrastructure for migration to Salt configuration management while maintaining tailscale for VPN connectivity. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>	2026-01-21 11:43:35 -05:00

Author

SHA1

Message

Date

Charles N Wyble

8f44815d97

feat(security-hardening): add SCAP-STIG compliance configuration files

Add security hardening configuration files implementing SCAP-STIG
controls:

- sysctl-hardening.conf: 75 kernel security parameters covering:
  * IP forwarding and redirect controls
  * Source routing and martian packet logging
  * TCP SYN cookies and timestamps
  * ExecShield and ASLR settings
  * Ptrace scope restrictions
  * Unprivileged BPF and userns restrictions

- security-limits.conf: Resource limits for:
  * Core dump prevention (fork bomb protection)
  * Process count limits (4096 soft, 8192 hard)
  * File handle limits (1024 soft, 4096 hard)
  * Memory lock and file size restrictions

- issue, issue.net, motd: Security warning banners for local
  and network login

- modprobe/: Directory for kernel module blacklist configurations

These configs implement CIS Benchmark and DISA STIG requirements
for Linux server hardening.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-scap-stig.sh

2026-02-17 16:32:14 -05:00

Charles N Wyble

1e506fed1d

feat: Complete port of all KNELServerBuild components to FetchApply

- Add secharden-audit-agents functionality to security-hardening
- Create unattended-upgrades initializer for automatic security updates
- Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config
- Port sslStackFromSource.sh to ssl-stack initializer (dev systems only)
- Create ldap-auth placeholder for future Cloudron integration
- Update server class to include all initializers
- Update security role to include unattended-upgrades
- Add build dependencies to packages for SSL stack compilation
- Update README with comprehensive documentation of all initializers

Now all components from KNELServerBuild are successfully ported to FetchApply,
including previously missed security modules, Dell server scripts, and RandD components.

Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>

2026-01-21 12:48:32 -05:00

Charles N Wyble

afe61cae9d

refactor: Remove librenms, add ansible/salt clients

- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>

2026-01-21 11:43:35 -05:00

3 Commits