docs: add AGENTS.md with git commit guidelines

Add agent guidelines for AI assistants working on this repository:

- Document atomic commit requirements
- Specify conventional commit format with examples
- Require verbose, formatted commit messages
- Emphasize immediate commit/push behavior

🤖 Generated with [Crush](https://github.com/charmassociates/crush)

Assisted-by: GLM-5 via Crush <crush@charm.land>

AGENTS.md

@@ -0,0 +1,45 @@
+# Agent Guidelines
+
+## Git Commit Requirements
+
+When making changes to this repository, ALWAYS:
+
+1. **Commit atomically**: Each logical change should be its own commit
+2. **Use conventional commit format**:
+   - `feat(scope): description` - New feature
+   - `fix(scope): description` - Bug fix
+   - `docs: description` - Documentation changes
+   - `refactor(scope): description` - Code refactoring
+   - `test(scope): description` - Test additions/changes
+   - `chore: description` - Maintenance tasks
+3. **Write verbose, beautifully formatted messages**:
+   - Title line (50 chars max)
+   - Blank line
+   - Body explaining WHAT and WHY (not how)
+   - Reference related files/issues
+   - Include footer with attribution
+
+## Example Commit
+
+```
+feat(security-hardening): implement SCAP-STIG compliance logic
+
+Refactor apply script to implement comprehensive security hardening:
+
+- Add GRUB bootloader permission hardening (root:root, mode 0400)
+- Disable and remove autofs service per STIG requirements
+- Deploy modprobe configurations for kernel module blacklisting
+- Create STIG-compliant network protocol blacklist
+
+This ensures servers meet DoD security requirements for production
+deployment.
+
+🤖 Generated with [Crush](https://github.com/charmassociates/crush)
+
+Assisted-by: GLM-5 via Crush <crush@charm.land>
+```
+
+## Important
+
+**NEVER wait to be asked to commit and push your work.**
+**Commit immediately after each logical unit of work.**

MENTALMODEL.md

@@ -0,0 +1,55 @@
+# KNEL Configuration Management Mental Model
+
+## Architecture Overview
+
+### FetchApply - One-Time Provisioning
+- **Purpose:** Initial server setup and basic configuration
+- **When:** Runs once at first boot of newly provisioned system
+- **What:** System detection, package installation, security hardening, basic monitoring setup
+
+### Salt - Ongoing Configuration Management & Automation
+- **Purpose:** Day-to-day system configuration, automation, and orchestration
+- **When:** Continuously via Salt master/minion relationship
+- **What:** 
+  - Configuration management (file distribution, service management)
+  - Ad-hoc automation tasks
+  - System orchestration
+  - Application deployment
+  - Beszel client configuration and management
+  - Netbird client configuration and management (future)
+
+### Ansible - ComplianceAsCode Deployment
+- **Purpose:** Deploy and manage compliance as code content
+- **When:** Periodically or on-demand compliance deployment
+- **What:**
+  - Deploy https://github.com/ComplianceAsCode/content
+  - Apply compliance frameworks (CIS, STIG, etc.)
+  - Compliance validation and remediation
+  - Documentation generation
+
+### Network Services
+- **Tailscale:** Currently active VPN overlay network
+- **Netbird:** Future replacement (to be deployed via Salt)
+- **Beszel:** Future monitoring replacement (to be deployed via Salt)
+
+## Migration Path
+
+1. **Current State:** FetchApply + Manual Management
+2. **Transition State:** FetchApply + Salt + Ansible
+3. **Future State:** Salt + Ansible (FetchApply deprecated)
+
+## Tool Responsibilities
+
+| Tool | Primary Responsibility | Secondary Responsibilities |
+|-------|-------------------|------------------------|
+| FetchApply | Initial provisioning | Foundation setup |
+| Salt | Ongoing configuration | Automation, orchestration, client deployment |
+| Ansible | Compliance deployment | Documentation, validation |
+
+## Decision Matrix
+
+- **Use Salt for:** System configuration, automation, deployment, ongoing management
+- **Use Ansible for:** Compliance as code, security frameworks, documentation
+- **Use FetchApply for:** Initial server setup (temporary, to be replaced)
+
+This model ensures clear separation of concerns while providing comprehensive coverage of system lifecycle management.

README.md

@@ -2,13 +2,13 @@
 
 This repository contains the KNEL server configuration management system implemented with the FetchApply framework.
 
-**NOTE:** This is a one-time provisioning system. For ongoing configuration management, this will be replaced by:
+**NOTE:** This is a one-time provisioning system. For ongoing configuration management, this uses:
-- Ansible playbooks for configuration management
+- Salt for system configuration and automation
-- Salt for system orchestration
+- Ansible for ComplianceAsCode deployment
 
 ## Overview
 
-The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for migrating to Ansible/Salt-based management.
+The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for Salt/Ansible-based management.
 
 ## Repository Structure
 
@@ -29,6 +29,10 @@ The KNEL FetchApply system provides automated server provisioning for Linux serv
 │   ├── 2fa/              # Two-factor authentication setup
 │   ├── wazuh/            # Wazuh security monitoring
 │   ├── security-hardening/ # SCAP/STIG compliance
+│   ├── unattended-upgrades/ # Automatic security updates
+│   ├── dell-config/       # Dell server specific configurations
+│   ├── ssl-stack/         # SSL stack compilation (dev systems)
+│   ├── ldap-auth/         # LDAP authentication (placeholder)
 │   ├── salt-client/       # Salt minion configuration
 │   └── user-configuration/ # User shell settings
 ├── roles/                 # Groups of related initializers
@@ -83,7 +87,7 @@ The system automatically detects:
 
 ### Core Setup
 - **system-setup** - System detection and variable setup
-- **packages** - Package installation with conditional logic (includes ansible-core, salt-minion, tailscale)
+- **packages** - Package installation with conditional logic (includes build tools for SSL stack, ansible-core for ComplianceAsCode, salt-minion for ongoing management, tailscale for VPN)
 - **user-configuration** - Shell settings and user preferences
 
 ### Configuration
@@ -91,24 +95,38 @@ The system automatically detects:
 - **ssh-hardening** - SSH security hardening
 - **ssh-keys** - Deploy SSH authorized keys
 - **postfix** - Configure email delivery
-- **salt-client** - Configure Salt minion for configuration management
+- **salt-client** - Configure Salt minion for ongoing configuration management
 
 ### Security
 - **2fa** - Set up Google Authenticator for 2FA
 - **wazuh** - Deploy Wazuh security monitoring agent
-- **security-hardening** - SCAP/STIG compliance hardening
+- **security-hardening** - SCAP/STIG compliance hardening (includes auditd, systemd, logrotate configs)
+- **unattended-upgrades** - Configure automatic security updates
+
+### Specialized
+- **dell-config** - Dell server specific optimizations (CPU performance, OMSA tools)
+- **ssl-stack** - Compile OpenSSL, nghttp2, curl, APR, and Apache from source (dev systems only)
+- **ldap-auth** - LDAP authentication configuration (placeholder for Cloudron)
 
 ### Monitoring
 - **oam** - Operations and Maintenance tools (up2date script)
 
 ## Configuration Management Tools
 
-The system installs clients for future configuration management:
+The system installs clients for specific management purposes:
 
-- **Ansible Core** - Already installed for ad-hoc automation tasks
+- **Ansible Core** - For deploying ComplianceAsCode content from https://github.com/ComplianceAsCode/content
-- **Salt Minion** - Configured and ready for Salt master connection
+- **Salt Minion** - For ongoing system configuration, automation, and orchestration
 - **Tailscale** - VPN connectivity for secure remote access
 
+## Tool Responsibilities
+
+| Tool | Primary Responsibility | When Used |
+|-------|-------------------|-----------|
+| FetchApply | Initial server provisioning | Once at deployment |
+| Salt | Ongoing configuration & automation | Continuously |
+| Ansible | ComplianceAsCode deployment | Periodically/on-demand |
+
 ## Security Features
 
 - SSH key-based authentication only
@@ -116,14 +134,64 @@ The system installs clients for future configuration management:
 - Wazuh security monitoring
 - SCAP/STIG compliance hardening
 - AIDE file integrity monitoring
+- Automatic security updates
+
+## Specialized Configurations
+
+### Dell Servers
+- Automatic CPU performance tuning
+- Dell OpenManage Server Administrator setup
+- Ethernet configuration scripts
+
+### Development Workstations
+- SSL stack compilation (OpenSSL 1.1.0h, nghttp2, curl, APR, Apache)
+- HTTP/2 enabled Apache HTTPd
+- Custom SSL installations
+
+### Future Services
+- Beszel monitoring (to be deployed via Salt)
+- Netbird networking (to be deployed via Salt)
+- LDAP authentication (Cloudron integration)
 
 ## Migration Path
 
-This system is designed as an initial provisioning step. Future migration plans:
+This system provides a foundation for comprehensive management:
 
-1. **Ansible Playbooks** - Replace initializers with Ansible roles for configuration management
+1. **FetchApply** - Initial server provisioning (this repo)
-2. **Salt Configuration** - Use Salt master for ongoing configuration orchestration
+2. **Salt Master** - Ongoing configuration management and automation
-3. **Vault Integration** - Centralized secrets management
+3. **Ansible Playbooks** - ComplianceAsCode deployment and management
+4. **Future Services** - Beszel monitoring and Netbird networking via Salt
+
+## Compliance Management
+
+Ansible will be used specifically to deploy and manage:
+- Compliance frameworks from https://github.com/ComplianceAsCode/content
+- Security baselines and hardening rules
+- Compliance validation and reporting
+- Documentation generation
+
+## SSL Stack Compilation
+
+Available on development workstations or when `COMPILE_SSL_STACK=true`:
+- OpenSSL 1.1.0h with weak ciphers enabled (legacy compatibility)
+- nghttp2 for HTTP/2 support
+- curl with HTTP/2 and custom OpenSSL support
+- Apache HTTPd with HTTP/2 enabled
+- Custom installations at `/usr/local/custom-ssl/`
+
+## Validation
+
+The repository includes a validation script to verify structure and configuration:
+
+```bash
+./validate.sh
+```
+
+This checks:
+- Required top-level files and directories
+- Initializer directory structure
+- Apply script syntax
+- Path consistency between apply scripts and configs/scripts directories
 
 ## Troubleshooting
 
@@ -139,6 +207,12 @@ To run specific initializers:
 sudo fa run <initializer-name>
 ```
 
+To compile SSL stack:
+
+```bash
+COMPILE_SSL_STACK=true sudo fa run ssl-stack
+```
+
 To pause automatic runs during maintenance:
 
 ```bash
@@ -158,4 +232,4 @@ sudo fa resume
 
 ## License
 
-This project is licensed under terms specified in the LICENSE file.
+This project is licensed under the terms specified in the LICENSE file.

classes/server/initializers

@@ -9,6 +9,10 @@ postfix
 2fa
 wazuh
 security-hardening
+unattended-upgrades
+dell-config
+ssl-stack
+ldap-auth
 salt-client
 user-configuration
 

initializers/2fa/configs/sshd-2fa-config

@@ -0,0 +1,11 @@
+# KNEL SSH 2FA Configuration Additions
+# These settings enable two-factor authentication with SSH keys
+
+# Enable challenge-response authentication for 2FA
+ChallengeResponseAuthentication yes
+
+# Enable PAM
+UsePAM yes
+
+# Require both publickey AND keyboard-interactive (2FA)
+AuthenticationMethods publickey,keyboard-interactive

initializers/2fa/configs/sshd-pam

@@ -0,0 +1,32 @@
+# PAM configuration for SSH with 2FA
+# Standard Un*x authentication
+@include common-auth
+
+# Google Authenticator 2FA
+auth required pam_google_authenticator.so nullok
+
+# Standard Un*x authorization
+@include common-account
+
+# SELinux needs to be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+
+# Standard Un*x session setup and teardown
+@include common-session
+
+# Print the message of the day upon successful login
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login
+session optional pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf
+session required pam_limits.so
+
+# SELinux needs to intervene at login time
+session required pam_selinux.so open
+
+# Standard Un*x password updating
+@include common-password

initializers/dell-config/apply

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# KNEL Dell Server Configuration Initializer
+# Applies Dell-specific optimizations and tools
+
+set -euo pipefail
+
+echo "Running Dell server configuration initializer..."
+
+# Only run on Dell physical servers
+if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
+    echo "Dell physical hardware detected, applying Dell-specific configurations..."
+    
+    # CPU performance tuning (from fixcpuperf.sh)
+    if command -v cpufreq-set >/dev/null 2>&1; then
+        cpufreq-set -r -g performance
+        echo "Set CPU performance governor"
+    fi
+    
+    if command -v cpupower >/dev/null 2>&1; then
+        cpupower frequency-set --governor performance
+        echo "Set CPU frequency governor to performance"
+    fi
+    
+    # Copy Dell-specific scripts if they exist
+    mkdir -p /opt/dell-tools
+    
+    if [[ -f ./scripts/fixeth.sh ]]; then
+        cp ./scripts/fixeth.sh /opt/dell-tools/
+        chmod +x /opt/dell-tools/fixeth.sh
+        echo "Copied Ethernet fixing script"
+    fi
+    
+    if [[ -f ./scripts/omsa.sh ]]; then
+        cp ./scripts/omsa.sh /opt/dell-tools/
+        chmod +x /opt/dell-tools/omsa.sh
+        echo "Copied OMSA setup script"
+    fi
+    
+    # Install Dell OpenManage Server Administrator if available
+    if command -v apt >/dev/null 2>&1; then
+        # Add Dell repository if available
+        # This would need to be implemented when Dell repo access is available
+        echo "Dell OMSA installation would go here (requires Dell repo access)"
+    fi
+    
+else
+    echo "Not a Dell physical server, skipping Dell-specific configurations"
+fi
+
+echo "Dell server configuration initializer completed"

initializers/dell-config/scripts/fixcpuperf.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+#Script to set performance.
+
+
+
+cpufreq-set -r -g performance
+cpupower frequency-set --governor performance
+
+

initializers/dell-config/scripts/fixeth.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Dell Ethernet interface fix script
+# Fixes common issues with Dell NICs on Proxmox/Debian systems
+
+echo "Determining management interface..."
+export MAIN_INT=$(brctl show|grep vmbr0|awk '{print $NF}'|awk -F '.' '{print $1}')
+
+echo "Management interface is: $MAIN_INT"
+
+echo "Fixing management interface..."
+ethtool -K $MAIN_INT tso off 
+ethtool -K $MAIN_INT gro off 
+ethtool -K $MAIN_INT gso off
+ethtool -K $MAIN_INT tx off
+ethtool -K $MAIN_INT rx off
+
+# References:
+# https://forum.proxmox.com/threads/e1000-driver-hang.58284/
+# https://serverfault.com/questions/616485/e1000e-reset-adapter-unexpectedly-detected-hardware-unit-hang

initializers/dell-config/scripts/omsa.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Dell OpenManage Server Administrator (OMSA) installation script
+# Installs Dell OMSA for hardware monitoring and management
+
+# Add Dell GPG key
+gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-key 1285491434D8786F
+gpg -a --export 1285491434D8786F | apt-key add -
+
+# Add Dell repository
+echo "deb https://linux.dell.com/repo/community/openmanage/930/bionic bionic main" > /etc/apt/sources.list.d/linux.dell.com.sources.list
+
+# Download required dependencies
+wget https://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-curl-client-transport1_2.6.5-0ubuntu3_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-client4_2.6.5-0ubuntu3_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman1_2.6.5-0ubuntu3_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/libwsman-server1_2.6.5-0ubuntu3_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-sfcc/libcimcclient0_2.2.8-0ubuntu2_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/universe/o/openwsman/openwsman_2.6.5-0ubuntu3_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/multiverse/c/cim-schema/cim-schema_2.48.0-0ubuntu1_all.deb
+wget https://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-sfc-common/libsfcutil0_1.0.1-0ubuntu4_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/multiverse/s/sblim-sfcb/sfcb_1.4.9-0ubuntu5_amd64.deb
+wget https://archive.ubuntu.com/ubuntu/pool/universe/s/sblim-cmpi-devel/libcmpicppimpl0_2.0.3-0ubuntu2_amd64.deb
+
+# Install dependencies
+dpkg -i libwsman-curl-client-transport1_2.6.5-0ubuntu3_amd64.deb
+dpkg -i libwsman-client4_2.6.5-0ubuntu3_amd64.deb
+dpkg -i libwsman1_2.6.5-0ubuntu3_amd64.deb
+dpkg -i libwsman-server1_2.6.5-0ubuntu3_amd64.deb
+dpkg -i libcimcclient0_2.2.8-0ubuntu2_amd64.deb
+dpkg -i openwsman_2.6.5-0ubuntu3_amd64.deb
+dpkg -i cim-schema_2.48.0-0ubuntu1_all.deb
+dpkg -i libsfcutil0_1.0.1-0ubuntu4_amd64.deb
+dpkg -i sfcb_1.4.9-0ubuntu5_amd64.deb
+dpkg -i libcmpicppimpl0_2.0.3-0ubuntu2_amd64.deb
+
+# Install OMSA
+apt update
+apt -y install srvadmin-all
+touch /opt/dell/srvadmin/lib64/openmanage/IGNORE_GENERATION
+
+echo "OMSA installation complete"
+echo "Logout, login, then run: srvadmin-services.sh enable && srvadmin-services.sh start"

initializers/ldap-auth/apply

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# KNEL LDAP Authentication Initializer
+# Placeholder for future Cloudron LDAP authentication configuration
+
+set -euo pipefail
+
+echo "Running LDAP authentication initializer..."
+
+# This is a placeholder for future Cloudron LDAP integration
+# Currently, auth-cloudron-ldap.sh in KNELServerBuild is empty
+# When ready, this would:
+# 1. Configure PAM for LDAP authentication
+# 2. Set up nsswitch.conf for LDAP user lookups
+# 3. Configure SSH to use LDAP authentication
+# 4. Test LDAP connectivity
+
+# Create configs directory when ready
+# mkdir -p ./configs
+# cp ./configs/cloudron-ldap.conf /etc/ldap/ldap.conf
+
+echo "LDAP authentication initializer completed (placeholder - no actual configuration applied)"
+
+echo "To enable Cloudron LDAP when ready:"
+echo "1. Configure Cloudron LDAP settings"
+echo "2. Update this initializer with actual LDAP configuration"
+echo "3. Test authentication against Cloudron LDAP"

initializers/oam/apply

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # KNEL OAM Initializer
-# Sets up Operations and Maintenance tools
+# Sets up Operations and Maintenance tools including LibreNMS monitoring agents
 
 set -euo pipefail
 
@@ -13,4 +13,64 @@ if [[ -f ./scripts/up2date.sh ]]; then
     chmod +x /usr/local/bin/up2date.sh
 fi
 
+# Deploy LibreNMS check_mk agent
+if [[ -f ./librenms/check_mk_agent ]]; then
+    # Create agent directories
+    mkdir -p /usr/lib/check_mk_agent/plugins
+    mkdir -p /usr/lib/check_mk_agent/local
+    mkdir -p /etc/check_mk
+    mkdir -p /var/lib/check_mk_agent
+    
+    # Deploy main agent
+    cp ./librenms/check_mk_agent /usr/bin/check_mk_agent
+    chmod +x /usr/bin/check_mk_agent
+    
+    # Deploy distro script for OS detection
+    if [[ -f ./librenms/distro ]]; then
+        cp ./librenms/distro /usr/bin/distro
+        chmod +x /usr/bin/distro
+    fi
+    
+    # Deploy systemd service files
+    if [[ -f ./librenms/check_mk.socket ]]; then
+        cp ./librenms/check_mk.socket /etc/systemd/system/check_mk.socket
+    fi
+    
+    if [[ -f ./librenms/check_mk@.service ]]; then
+        cp ./librenms/check_mk@.service /etc/systemd/system/check_mk@.service
+    fi
+    
+    # Deploy plugins
+    for plugin in ./librenms/*.sh ./librenms/*.py; do
+        if [[ -f "$plugin" ]]; then
+            plugin_name=$(basename "$plugin")
+            cp "$plugin" /usr/lib/check_mk_agent/plugins/
+            chmod +x "/usr/lib/check_mk_agent/plugins/$plugin_name"
+        fi
+    done
+    
+    # Deploy other plugins (without extensions)
+    for plugin in ./librenms/smart ./librenms/ntp-client ./librenms/ntp-server.sh \
+                  ./librenms/os-updates.sh ./librenms/postfix-queues ./librenms/postfixdetailed \
+                  ./librenms/ups-nut.sh; do
+        if [[ -f "$plugin" ]]; then
+            plugin_name=$(basename "$plugin")
+            cp "$plugin" /usr/lib/check_mk_agent/plugins/
+            chmod +x "/usr/lib/check_mk_agent/plugins/$plugin_name"
+        fi
+    done
+    
+    # Deploy smart config if present
+    if [[ -f ./librenms/smart.config ]]; then
+        cp ./librenms/smart.config /etc/check_mk/smart.config
+    fi
+    
+    # Reload systemd and enable check_mk socket
+    systemctl daemon-reload
+    systemctl enable check_mk.socket
+    systemctl start check_mk.socket
+    
+    echo "LibreNMS agent deployed and enabled"
+fi
+
 echo "OAM initializer completed"

initializers/packages/apply

@@ -37,6 +37,15 @@ apt-get --purge autoremove
 
 # Install desired packages
 apt-get -y -o Dpkg::Options::="--force-confold" install \
+    build-essential \
+    wget \
+    gcc \
+    make \
+    perl \
+    libpcre3 \
+    libpcre3-dev \
+    zlib1g \
+    zlib1g-dev \
     virt-what \
     auditd \
     audispd-plugins \

initializers/salt-client/configs/salt-minion

@@ -0,0 +1,53 @@
+# KNEL Salt Minion Configuration
+# Primary configuration for SaltStack client
+
+# Master server address
+master: salt-master.knownelement.com
+
+# Master port
+master_port: 4506
+
+# Unique ID for this minion (defaults to hostname)
+#id: 
+
+# User to run salt-minion as
+user: root
+
+# Root directory for minion
+root_dir: /
+
+# Directory for PID file
+pidfile: /var/run/salt-minion.pid
+
+# Directory for configuration files
+conf_file: /etc/salt/minion
+
+# Directory for minion modules
+pki_dir: /etc/salt/pki/minion
+
+# Cache directory
+cachedir: /var/cache/salt/minion
+
+# Append minion_id to the cache directory
+append_minionid_configdir: False
+
+# Verify master pubkey on initial connection
+verify_master_pubkey_sign: True
+
+# Keep cache files for
+keep_jobs: 24
+
+# Accept the master's public key on first connection
+acceptance_wait_time: 10
+
+# Retry connection to master
+retry_dns: 30
+
+# Logging options
+log_file: /var/log/salt/minion
+log_level: warning
+log_granular_levels:
+  salt: warning
+
+# Include additional configuration
+# include: /etc/salt/minion.d/*.conf

initializers/security-hardening/apply

@@ -1,11 +1,16 @@
 #!/bin/bash
 
-# KNEL Security Hardening Module
+# KNEL Security Hardening Initializer
 # Implements SCAP/STIG security compliance
 
 set -euo pipefail
 
-echo "Running security hardening module..."
+echo "Running security hardening initializer..."
+
+# Source variables if available
+if [[ -f ../../variables ]]; then
+    source ../../variables
+fi
 
 # Enable auditd
 systemctl --now enable auditd
@@ -16,11 +21,87 @@ if [[ -f ./configs/sysctl-hardening.conf ]]; then
     sysctl -p /etc/sysctl.d/99-security-hardening.conf
 fi
 
-# Configure core dumps
+# Configure core dumps and resource limits
 if [[ -f ./configs/security-limits.conf ]]; then
-    cp ./configs/security-limits.conf /etc/security/limits.d/security-lening.conf
+    cp ./configs/security-limits.conf /etc/security/limits.d/security-hardening.conf
 fi
 
+# SCAP-STIG Compliance: Fix GRUB permissions (skip on Raspberry Pi)
+if [[ "${IS_RASPI:-0}" != "1" ]] && [[ -f /boot/grub/grub.cfg ]]; then
+    chown root:root /boot/grub/grub.cfg
+    chmod og-rwx /boot/grub/grub.cfg
+    chmod 0400 /boot/grub/grub.cfg
+    echo "GRUB permissions hardened"
+fi
+
+# SCAP-STIG Compliance: Disable auto mounting
+systemctl --now disable autofs 2>/dev/null || true
+DEBIAN_FRONTEND="noninteractive" apt-get -y --purge remove autofs 2>/dev/null || true
+
+# SCAP-STIG Compliance: Deploy ModProbe security configs
+for conf_file in ./configs/modprobe/*.conf; do
+    if [[ -f "$conf_file" ]]; then
+        cp "$conf_file" /etc/modprobe.d/
+    fi
+done
+
+# Deploy network filesystem blacklisting
+cat > /etc/modprobe.d/stig-network.conf << 'EOF'
+# STIG: Disable uncommon network protocols
+install dccp /bin/true
+install rds /bin/true
+install sctp /bin/true
+install tipc /bin/true
+EOF
+
+# Deploy filesystem blacklisting
+cat > /etc/modprobe.d/stig-filesystem.conf << 'EOF'
+# STIG: Disable uncommon filesystem types
+install cramfs /bin/true
+install freevxfs /bin/true
+install hfs /bin/true
+install hfsplus /bin/true
+install jffs2 /bin/true
+install squashfs /bin/true
+install udf /bin/true
+EOF
+
+# Deploy USB storage blacklisting
+cat > /etc/modprobe.d/usb_storage.conf << 'EOF'
+# STIG: Disable USB storage
+install usb-storage /bin/true
+EOF
+
+# SCAP-STIG Compliance: Deploy security banners
+if [[ -f ./configs/issue ]]; then
+    cp ./configs/issue /etc/issue
+fi
+if [[ -f ./configs/issue.net ]]; then
+    cp ./configs/issue.net /etc/issue.net
+fi
+if [[ -f ./configs/motd ]]; then
+    cp ./configs/motd /etc/motd
+fi
+
+# SCAP-STIG Compliance: Cron permission hardening
+rm -f /etc/cron.deny 2>/dev/null || true
+touch /etc/cron.allow
+chmod g-wx,o-rwx /etc/cron.allow
+chown root:root /etc/cron.allow
+chmod og-rwx /etc/crontab
+chmod og-rwx /etc/cron.hourly/
+chmod og-rwx /etc/cron.daily/
+chmod og-rwx /etc/cron.weekly/
+chmod og-rwx /etc/cron.monthly/
+chown root:root /etc/cron.d/
+chmod og-rwx /etc/cron.d/
+
+# SCAP-STIG Compliance: At permission hardening
+rm -f /etc/at.deny 2>/dev/null || true
+touch /etc/at.allow
+chmod g-wx,o-rwx /etc/at.allow
+chown root:root /etc/at.allow
+
 # Set file permissions
 chmod 644 /etc/passwd
 chmod 600 /etc/shadow
@@ -48,4 +129,4 @@ if [[ ! -f /var/lib/aide/aide.db ]]; then
     aideinit
 fi
 
-echo "Security hardening module completed"
+echo "Security hardening initializer completed"

initializers/security-hardening/configs/issue

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

initializers/security-hardening/configs/issue.net

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

initializers/security-hardening/configs/motd

@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.

initializers/security-hardening/configs/security-limits.conf

@@ -0,0 +1,29 @@
+# KNEL Security Limits Configuration
+# SCAP/STIG compliant resource limits
+
+# Prevent core dumps for all users
+* hard core 0
+* soft core 0
+
+# Prevent core dumps for root
+root hard core 0
+root soft core 0
+
+# Limit max processes for users (fork bomb protection)
+* soft nproc 4096
+* hard nproc 8192
+
+# Limit max file handles
+* soft nofile 1024
+* hard nofile 4096
+
+# Limit max memory lock
+* hard memlock 64
+
+# Limit max file size
+* soft fsize 2097152
+* hard fsize 4194304
+
+# Stack size limit
+* soft stack 8192
+* hard stack 65536

initializers/security-hardening/configs/sysctl-hardening.conf

@@ -0,0 +1,75 @@
+# KNEL Kernel Security Hardening Configuration
+# SCAP/STIG compliant sysctl parameters
+
+# Disable IP forwarding
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Disable send packet redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Disable accept source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Disable accept redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable secure redirects
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Log martian packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Enable TCP SYN cookies
+net.ipv4.tcp_syncookies = 1
+
+# Disable RFC1337 fix
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable reverse path filtering
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP redirects
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Disable IP source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Enable TCP timestamps
+net.ipv4.tcp_timestamps = 1
+
+# Disable magic sysrq
+kernel.sysrq = 0
+
+# Disable core dumps for SUID programs
+fs.suid_dumpable = 0
+
+# Enable execshield protection
+kernel.exec-shield = 1
+
+# Randomize virtual address space
+kernel.randomize_va_space = 2
+
+# Disable coredumps
+kernel.core_pattern = |/bin/false
+
+# Restrict ptrace scope
+kernel.yama.ptrace_scope = 1
+
+# Disable unprivileged BPF
+kernel.unprivileged_bpf_disabled = 1
+
+# Restrict user namespaces
+kernel.unprivileged_userns_clone = 0

initializers/ssh-hardening/apply

@@ -42,13 +42,13 @@ fi
 # Deploy SSH configuration based on environment
 if [[ $DEV_WORKSTATION_CHECK -eq 0 ]]; then
     # Production SSH configuration
-    if [[ -f ./configs/sshd-config ]]; then
+    if [[ -f ./configs/tsys-sshd-config ]]; then
-        cp ./configs/sshd-config /etc/ssh/sshd_config
+        cp ./configs/tsys-sshd-config /etc/ssh/sshd_config
     fi
 else
     # Development workstation - more permissive settings
-    if [[ -f ./configs/sshd-dev-config ]]; then
+    if [[ -f ./configs/tsys-sshd-config ]]; then
-        cp ./configs/sshd-dev-config /etc/ssh/sshd_config
+        cp ./configs/tsys-sshd-config /etc/ssh/sshd_config
     fi
 fi
 

initializers/ssl-stack/apply

@@ -0,0 +1,149 @@
+#!/bin/bash
+
+# KNEL SSL Stack Compilation Initializer
+# Compiles OpenSSL, nghttp2, curl, APR, and Apache HTTPd from source
+# Made from instructions at https://www.tunetheweb.com/performance/http2/
+
+set -euo pipefail
+
+echo "Running SSL stack compilation initializer..."
+
+# Only run on specific systems or if explicitly requested
+# This is a resource-intensive operation
+if [[ $DEV_WORKSTATION_CHECK -gt 0 ]] || [[ "${COMPILE_SSL_STACK:-}" == "true" ]]; then
+    echo "Compiling SSL stack from source..."
+    
+    # Base URLs and files (using original versions from KNELServerBuild)
+    OPENSSL_URL_BASE="https://www.openssl.org/source/"
+    OPENSSL_FILE="openssl-1.1.0h.tar.gz"
+    
+    NGHTTP_URL_BASE="https://github.com/nghttp2/nghttp2/releases/download/v1.31.0/"
+    NGHTTP_FILE="nghttp2-1.31.0.tar.gz"
+    
+    APR_URL_BASE="https://archive.apache.org/dist/apr/"
+    APR_FILE="apr-1.6.3.tar.gz"
+    
+    APR_UTIL_URL_BASE="https://archive.apache.org/dist/apr/"
+    APR_UTIL_FILE="apr-util-1.6.1.tar.gz"
+    
+    APACHE_URL_BASE="https://archive.apache.org/dist/httpd/"
+    APACHE_FILE="httpd-2.4.33.tar.gz"
+    
+    CURL_URL_BASE="https://curl.haxx.se/download/"
+    CURL_FILE="curl-7.60.0.tar.gz"
+    
+    # Create build directory
+    BUILD_DIR="/tmp/ssl-stack-build"
+    mkdir -p "$BUILD_DIR"
+    cd "$BUILD_DIR"
+    
+    # Install build dependencies
+    DEBIAN_FRONTEND="noninteractive" apt-get -y install \
+        build-essential \
+        wget \
+        gcc \
+        make \
+        perl \
+        libpcre3 \
+        libpcre3-dev \
+        zlib1g \
+        zlib1g-dev \
+        || true
+    
+    # Download and compile OpenSSL
+    echo "Compiling OpenSSL..."
+    wget $OPENSSL_URL_BASE/$OPENSSL_FILE
+    tar xzf $OPENSSL_FILE
+    cd openssl-1.1.0h
+    ./config enable-weak-ssl-ciphers shared zlib-dynamic -DOPENSSL_TLS_SECURITY_LEVEL=0 --prefix=/usr/local/custom-ssl/openssl-1.1.0h
+    make
+    make install
+    ln -sf /usr/local/custom-ssl/openssl-1.1.0h /usr/local/openssl
+    cd -
+    
+    # Download and compile nghttp2
+    echo "Compiling nghttp2..."
+    wget $NGHTTP_URL_BASE/$NGHTTP_FILE
+    tar xzf $NGHTTP_FILE
+    cd nghttp2-1.31.0
+    ./configure --prefix=/usr/local/custom-ssl/nghttp
+    make
+    make install
+    cd -
+    
+    # Update ldconfig for custom SSL
+    cat <<EOF > /etc/ld.so.conf.d/custom-ssl.conf
+/usr/local/custom-ssl/openssl-1.1.0h/lib
+/usr/local/custom-ssl/nghttp/lib
+EOF
+    ldconfig
+    
+    # Download and compile curl
+    echo "Compiling curl..."
+    wget $CURL_URL_BASE/$CURL_FILE
+    tar xzf $CURL_FILE
+    cd curl-7.60.0
+    ./configure --prefix=/usr/local/custom-ssl/curl --with-nghttp2=/usr/local/custom-ssl/nghttp/ --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/
+    make
+    make install
+    cd -
+    
+    # Download and compile APR
+    echo "Compiling APR..."
+    wget $APR_URL_BASE/$APR_FILE
+    tar xzf $APR_FILE
+    cd apr-1.6.3
+    ./configure --prefix=/usr/local/custom-ssl/apr
+    make
+    make install
+    cd -
+    
+    # Download and compile APR-util
+    echo "Compiling APR-util..."
+    wget $APR_UTIL_URL_BASE/$APR_UTIL_FILE
+    tar xzf $APR_UTIL_FILE
+    tar xzf $APR_UTIL_FILE
+    cd apr-util-1.6.1
+    ./configure --prefix=/usr/local/custom-ssl/apr-util --with-apr=/usr/local/custom-ssl/apr
+    make
+    make install
+    cd -
+    
+    # Download and compile Apache HTTPd
+    echo "Compiling Apache HTTPd..."
+    wget $APACHE_URL_BASE/$APACHE_FILE
+    tar xzf $APACHE_FILE
+    cd httpd-2.4.33
+    cp -r ../apr-1.6.3 srclib/apr
+    cp -r ../apr-util-1.6.1 srclib/apr-util
+    ./configure --prefix=/usr/local/custom-ssl/apache \
+        --with-ssl=/usr/local/custom-ssl/openssl-1.1.0h/ \
+        --with-pcre=/usr/bin/pcre-config \
+        --enable-unique-id \
+        --enable-ssl \
+        --enable-so \
+        --with-included-apr \
+        --enable-http2 \
+        --with-nghttp2=/usr/local/custom-ssl/nghttp/
+    make
+    make install
+    ln -sf /usr/local/custom-ssl/apache /usr/local/apache
+    cd -
+    
+    # Cleanup
+    cd /
+    rm -rf "$BUILD_DIR"
+    
+    echo "SSL stack compilation completed"
+    echo "Custom installations available at:"
+    echo "  OpenSSL: /usr/local/custom-ssl/openssl-1.1.0h"
+    echo "  nghttp2: /usr/local/custom-ssl/nghttp"
+    echo "  curl:    /usr/local/custom-ssl/curl"
+    echo "  APR:     /usr/local/custom-ssl/apr"
+    echo "  Apache:  /usr/local/custom-ssl/apache"
+    
+else
+    echo "Skipping SSL stack compilation (only runs on dev workstations or when COMPILE_SSL_STACK=true)"
+fi
+
+echo "SSL stack compilation initializer completed"

initializers/system-config/apply

@@ -11,30 +11,30 @@ echo "Running system configuration initializer..."
 mkdir -p $ROOT_SSH_DIR
 
 # Deploy system configuration files from copied templates
-if [[ -f ./ConfigFiles/ZSH/tsys-zshrc ]]; then
+if [[ -f ./ZSH/tsys-zshrc ]]; then
-    cp ./ConfigFiles/ZSH/tsys-zshrc /etc/zshrc
+    cp ./ZSH/tsys-zshrc /etc/zshrc
 fi
 
-if [[ -f ./ConfigFiles/SMTP/aliases ]]; then
+if [[ -f ./SMTP/aliases ]]; then
-    cp ./ConfigFiles/SMTP/aliases /etc/aliases
+    cp ./SMTP/aliases /etc/aliases
     newaliases
 fi
 
-if [[ -f ./ConfigFiles/Syslog/rsyslog.conf ]]; then
+if [[ -f ./Syslog/rsyslog.conf ]]; then
-    cp ./ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf
+    cp ./Syslog/rsyslog.conf /etc/rsyslog.conf
 fi
 
 # Configure DHCP client
-if [[ -f ./ConfigFiles/DHCP/dhclient.conf ]]; then
+if [[ -f ./DHCP/dhclient.conf ]]; then
-    cp ./ConfigFiles/DHCP/dhclient.conf > /etc/dhcp/dhclient.conf
+    cp ./DHCP/dhclient.conf /etc/dhcp/dhclient.conf
 fi
 
 # Configure SNMP
 systemctl stop snmpd 2>/dev/null || true
 /etc/init.d/snmpd stop 2>/dev/null || true
 
-if [[ -f ./ConfigFiles/SNMP/snmp-sudo.conf ]]; then
+if [[ -f ./SNMP/snmp-sudo.conf ]]; then
-    cp ./ConfigFiles/SNMP/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp
+    cp ./SNMP/snmp-sudo.conf /etc/sudoers.d/Debian-snmp
 fi
 
 # Adjust SNMP service for log verbosity
@@ -47,29 +47,29 @@ else
     export IS_RASPI="0"
 fi
 
-if [[ $IS_RASPI -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd-rpi.conf ]]; then
+if [[ $IS_RASPI -eq 1 ]] && [[ -f ./SNMP/snmpd-rpi.conf ]]; then
-    cp ./ConfigFiles/SNMP/snmpd-rpi.conf /etc/snmp/snmpd.conf
+    cp ./SNMP/snmpd-rpi.conf /etc/snmp/snmpd.conf
-elif [[ $IS_PHYSICAL_HOST -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd-physicalhost.conf ]]; then
+elif [[ $IS_PHYSICAL_HOST -eq 1 ]] && [[ -f ./SNMP/snmpd-physicalhost.conf ]]; then
-    cp ./ConfigFiles/SNMP/snmpd-physicalhost.conf /etc/snmp/snmpd.conf
+    cp ./SNMP/snmpd-physicalhost.conf /etc/snmp/snmpd.conf
-elif [[ $IS_VIRT_GUEST -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd.conf ]]; then
+elif [[ $IS_VIRT_GUEST -eq 1 ]] && [[ -f ./SNMP/snmpd.conf ]]; then
-    cp ./ConfigFiles/SNMP/snmpd.conf /etc/snmp/snmpd.conf
+    cp ./SNMP/snmpd.conf /etc/snmp/snmpd.conf
 fi
 
 # Configure lldpd
-if [[ -f ./ConfigFiles/NetworkDiscovery/lldpd ]]; then
+if [[ -f ./NetworkDiscovery/lldpd ]]; then
-    cp ./ConfigFiles/NetworkDiscovery/lldpd /etc/default/lldpd
+    cp ./NetworkDiscovery/lldpd /etc/default/lldpd
     systemctl restart lldpd
 fi
 
 # Configure Cockpit
-if [[ -f ./ConfigFiles/Cockpit/disallowed-users ]]; then
+if [[ -f ./Cockpit/disallowed-users ]]; then
-    cp ./ConfigFiles/Cockpit/disallowed-users /etc/cockpit/disallowed-users
+    cp ./Cockpit/disallowed-users /etc/cockpit/disallowed-users
     systemctl restart cockpit
 fi
 
 # Configure NTP for non-NTP servers
-if [[ $NTP_SERVER_CHECK -eq 0 ]] && [[ -f ./ConfigFiles/NTP/ntp.conf ]]; then
+if [[ $NTP_SERVER_CHECK -eq 0 ]] && [[ -f ./NTP/ntp.conf ]]; then
-    cp ./ConfigFiles/NTP/ntp.conf /etc/ntpsec/ntp.conf
+    cp ./NTP/ntp.conf /etc/ntpsec/ntp.conf
     systemctl restart ntpsec.service
 fi
 

initializers/unattended-upgrades/apply

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# KNEL Unattended Upgrades Initializer
+# Configures automatic security updates based on Debian unattended-upgrades
+
+set -euo pipefail
+
+echo "Running unattended upgrades initializer..."
+
+# Install unattended-upgrades
+DEBIAN_FRONTEND="noninteractive" apt-get -y install unattended-upgrades
+
+# Configure unattended-upgrades
+if [[ -f ./configs/50unattended-upgrades ]]; then
+    cp ./configs/50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades
+fi
+
+# Copy auto-upgrades configuration template
+if [[ -f ./configs/auto-upgrades ]]; then
+    cp ./configs/auto-upgrades /etc/apt/apt.conf.d/auto-upgrades
+fi
+
+# Enable unattended-upgrades service
+dpkg-reconfigure -f noninteractive unattended-upgrades
+
+echo "Unattended upgrades initializer completed"

initializers/unattended-upgrades/configs/50unattended-upgrades

@@ -0,0 +1,46 @@
+// KNEL Unattended-Upgrades Configuration
+// Automatically install security updates
+
+Unattended-Upgrade {
+    // Automatically upgrade packages from these origins
+    Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+        "${distro_id}:${distro_codename}-security";
+        "${distro_id}ESMApps:${distro_codename}-apps-security";
+        "${distro_id}ESM:${distro_codename}-infra-security";
+    };
+
+    // Package blacklist - never auto-upgrade these
+    Package-Blacklist {
+    };
+
+    // Send email to this address for problems or packages upgrades
+    // Uncomment and set to a valid email address for notifications
+    //Unattended-Upgrade::Mail "admin@knownelement.com";
+
+    // Remove unused automatically installed kernel-related packages
+    Remove-Unused-Kernel-Packages "true";
+
+    // Do automatic removal of newly unused dependencies after the upgrade
+    Remove-New-Unused-Dependencies "true";
+
+    // Remove unused dependencies
+    Remove-Unused-Dependencies "true";
+
+    // Automatically reboot *WITHOUT CONFIRMATION* if the file
+    // /var/run/reboot-required is found after the upgrade
+    Automatic-Reboot "false";
+
+    // If automatic reboot is enabled and the system needs to reboot,
+    // reboot at the specific time instead of immediately
+    //Automatic-Reboot-Time "02:00";
+
+    // Use apt bandwidth limit feature
+    //Acquire::http::Dl-Limit "70";
+
+    // Enable logging to syslog
+    SyslogEnable "true";
+
+    // Syslog facility
+    SyslogFacility "daemon";
+};

initializers/unattended-upgrades/configs/auto-upgrades

@@ -0,0 +1,7 @@
+// KNEL Auto-Upgrades Configuration
+// Enable unattended-upgrades
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";

initializers/wazuh/configs/wazuh-agent.conf

@@ -0,0 +1,118 @@
+<!-- KNEL Wazuh Agent Configuration -->
+<ossec_config>
+  <client>
+    <server>
+      <address>tsys-nsm.knel.net</address>
+      <port>1514</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu20, ubuntu20.04</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_unixaudit>yes</check_unixaudit>
+    <frequency>43200</frequency>
+  </rootcheck>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+    <frequency>43200</frequency>
+    <scan_on_start>yes</scan_on_start>
+    <alert_new_files>yes</alert_new_files>
+    <auto_ignore>no</auto_ignore>
+
+    <!-- Directories to monitor -->
+    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
+    <directories check_all="yes">/usr/local/bin,/usr/local/sbin</directories>
+
+    <!-- Files to monitor -->
+    <files>/etc/passwd,/etc/shadow,/etc/group,/etc/gshadow</files>
+    <files>/etc/ssh/sshd_config,/etc/ssh/ssh_config</files>
+
+    <!-- Ignore these files -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>COMMAND</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/:::/:/g' | sed 's/::/:/g' | sed 's/0\.0\.0\.0/:/g' | sed 's/127\.0\.0\.1/:/g' | sort</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dmesg</location>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+  </active-response>
+
+  <!-- Labels -->
+  <labels>
+    <label key="environment">production</label>
+    <label key="organization">KnownElement</label>
+  </labels>
+</ossec_config>

roles/security

@@ -5,4 +5,5 @@
 ssh-hardening
 2fa
 wazuh
-security-hardening
+security-hardening
+unattended-upgrades

validate.sh

@@ -0,0 +1,143 @@
+#!/bin/bash
+
+# FetchApply Validation Script
+# Validates the FetchApply repository structure and configuration
+
+set -euo pipefail
+
+ERRORS=0
+WARNINGS=0
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+pass() {
+    echo -e "${GREEN}✓${NC} $1"
+}
+
+fail() {
+    echo -e "${RED}✗${NC} $1"
+    ((ERRORS++))
+}
+
+warn() {
+    echo -e "${YELLOW}!${NC} $1"
+    ((WARNINGS++))
+}
+
+echo "=== FetchApply Repository Validation ==="
+echo ""
+
+# Check required top-level files
+echo "Checking top-level files..."
+for file in variables classes/server/initializers classes/server/roles; do
+    if [[ -f "$file" ]]; then
+        pass "$file exists"
+    else
+        fail "$file missing"
+    fi
+done
+
+# Check roles directory
+echo ""
+echo "Checking roles..."
+for role in security monitoring; do
+    if [[ -f "roles/$role" ]]; then
+        pass "roles/$role exists"
+    else
+        fail "roles/$role missing"
+    fi
+done
+
+# Check initializers
+echo ""
+echo "Checking initializers..."
+INITIALIZERS=$(grep -v '^#' classes/server/initializers | grep -v '^$')
+
+for init in $INITIALIZERS; do
+    # Skip role references
+    if [[ "$init" == "security" ]] || [[ "$init" == "monitoring" ]]; then
+        continue
+    fi
+    
+    if [[ -d "initializers/$init" ]]; then
+        if [[ -x "initializers/$init/apply" ]]; then
+            pass "initializers/$init/apply is executable"
+        else
+            warn "initializers/$init/apply exists but not executable"
+        fi
+        
+        # Check for configs or scripts directories
+        if [[ -d "initializers/$init/configs" ]]; then
+            config_count=$(find "initializers/$init/configs" -type f | wc -l)
+            pass "initializers/$init has configs/ ($config_count files)"
+        fi
+        
+        if [[ -d "initializers/$init/scripts" ]]; then
+            script_count=$(find "initializers/$init/scripts" -type f | wc -l)
+            pass "initializers/$init has scripts/ ($script_count files)"
+        fi
+    else
+        fail "initializers/$init directory missing"
+    fi
+done
+
+# Check for bash syntax in apply scripts
+echo ""
+echo "Checking apply script syntax..."
+for init in $INITIALIZERS; do
+    if [[ -f "initializers/$init/apply" ]]; then
+        if bash -n "initializers/$init/apply" 2>/dev/null; then
+            pass "initializers/$init/apply has valid bash syntax"
+        else
+            fail "initializers/$init/apply has syntax errors"
+        fi
+    fi
+done
+
+# Check for path consistency in apply scripts
+echo ""
+echo "Checking path consistency in apply scripts..."
+for init in $INITIALIZERS; do
+    apply_file="initializers/$init/apply"
+    if [[ -f "$apply_file" ]]; then
+        # Check for ./configs/ references (excluding comments)
+        if grep -v '^[[:space:]]*#' "$apply_file" | grep -q './configs/'; then
+            if [[ ! -d "initializers/$init/configs" ]]; then
+                fail "$apply_file references ./configs/ but no configs/ directory exists"
+            fi
+        fi
+        
+        # Check for ./scripts/ references (excluding comments)
+        if grep -v '^[[:space:]]*#' "$apply_file" | grep -q './scripts/'; then
+            if [[ ! -d "initializers/$init/scripts" ]]; then
+                fail "$apply_file references ./scripts/ but no scripts/ directory exists"
+            fi
+        fi
+        
+        # Check for ConfigFiles references (deprecated pattern)
+        if grep -v '^[[:space:]]*#' "$apply_file" | grep -q 'ConfigFiles'; then
+            warn "$apply_file contains 'ConfigFiles' reference - should use direct paths"
+        fi
+    fi
+done
+
+# Summary
+echo ""
+echo "=== Validation Summary ==="
+echo -e "Errors: ${RED}$ERRORS${NC}"
+echo -e "Warnings: ${YELLOW}$WARNINGS${NC}"
+
+if [[ $ERRORS -gt 0 ]]; then
+    echo -e "${RED}Validation FAILED${NC}"
+    exit 1
+else
+    echo -e "${GREEN}Validation PASSED${NC}"
+    if [[ $WARNINGS -gt 0 ]]; then
+        echo "Please review warnings above"
+    fi
+    exit 0
+fi