#!/bin/bash

# KNEL Security Hardening Initializer
# Implements SCAP/STIG security compliance

set -euo pipefail

echo "Running security hardening initializer..."

# Enable auditd
systemctl --now enable auditd

# Configure auditd
if [[ -f ./ConfigFiles/AuditD/auditd.conf ]]; then
    cp ./ConfigFiles/AuditD/auditd.conf /etc/audit/auditd.conf
fi

# Configure systemd journal settings
if [[ -f ./ConfigFiles/Systemd/journald.conf ]]; then
    cp ./ConfigFiles/Systemd/journald.conf /etc/systemd/journald.conf
fi

# Configure logrotate
if [[ -f ./ConfigFiles/Logrotate/logrotate.conf ]]; then
    cp ./ConfigFiles/Logrotate/logrotate.conf /etc/logrotate.conf
fi

# Configure sysctl security parameters
if [[ -f ./configs/sysctl-hardening.conf ]]; then
    cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf
    sysctl -p /etc/sysctl.d/99-security-hardening.conf
fi

# Configure core dumps
if [[ -f ./configs/security-limits.conf ]]; then
    cp ./configs/security-limits.conf /etc/security/limits.d/security-lening.conf
fi

# Set file permissions
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 644 /etc/group
chmod 600 /etc/gshadow

# Remove dangerous packages
DEBIAN_FRONTEND="noninteractive" apt-get -y purge \
    telnetd \
    rsh-server \
    rsh-client \
    telnet \
    || true

# Install security tools
DEBIAN_FRONTEND="noninteractive" apt-get -y install \
    aide \
    lynis \
    chkrootkit \
    rkhunter \
    || true

# Initialize AIDE database
if [[ ! -f /var/lib/aide/aide.db ]]; then
    aideinit
fi

echo "Security hardening initializer completed"