KNELConfigMgmt-FetchApply/initializers/security-hardening/apply

#!/bin/bash

# KNEL Security Hardening Initializer
# Implements SCAP/STIG security compliance

set -euo pipefail

echo "Running security hardening initializer..."

# Source variables if available
if [[ -f ../../variables ]]; then
    source ../../variables
fi

# Enable auditd
systemctl --now enable auditd

# Configure sysctl security parameters
if [[ -f ./configs/sysctl-hardening.conf ]]; then
    cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf
    sysctl -p /etc/sysctl.d/99-security-hardening.conf
fi

# Configure core dumps and resource limits
if [[ -f ./configs/security-limits.conf ]]; then
    cp ./configs/security-limits.conf /etc/security/limits.d/security-hardening.conf
fi

# SCAP-STIG Compliance: Fix GRUB permissions (skip on Raspberry Pi)
if [[ "${IS_RASPI:-0}" != "1" ]] && [[ -f /boot/grub/grub.cfg ]]; then
    chown root:root /boot/grub/grub.cfg
    chmod og-rwx /boot/grub/grub.cfg
    chmod 0400 /boot/grub/grub.cfg
    echo "GRUB permissions hardened"
fi

# SCAP-STIG Compliance: Disable auto mounting
systemctl --now disable autofs 2>/dev/null || true
DEBIAN_FRONTEND="noninteractive" apt-get -y --purge remove autofs 2>/dev/null || true

# SCAP-STIG Compliance: Deploy ModProbe security configs
for conf_file in ./configs/modprobe/*.conf; do
    if [[ -f "$conf_file" ]]; then
        cp "$conf_file" /etc/modprobe.d/
    fi
done

# Deploy network filesystem blacklisting
cat > /etc/modprobe.d/stig-network.conf << 'EOF'
# STIG: Disable uncommon network protocols
install dccp /bin/true
install rds /bin/true
install sctp /bin/true
install tipc /bin/true
EOF

# Deploy filesystem blacklisting
cat > /etc/modprobe.d/stig-filesystem.conf << 'EOF'
# STIG: Disable uncommon filesystem types
install cramfs /bin/true
install freevxfs /bin/true
install hfs /bin/true
install hfsplus /bin/true
install jffs2 /bin/true
install squashfs /bin/true
install udf /bin/true
EOF

# Deploy USB storage blacklisting
cat > /etc/modprobe.d/usb_storage.conf << 'EOF'
# STIG: Disable USB storage
install usb-storage /bin/true
EOF

# SCAP-STIG Compliance: Deploy security banners
if [[ -f ./configs/issue ]]; then
    cp ./configs/issue /etc/issue
fi
if [[ -f ./configs/issue.net ]]; then
    cp ./configs/issue.net /etc/issue.net
fi
if [[ -f ./configs/motd ]]; then
    cp ./configs/motd /etc/motd
fi

# SCAP-STIG Compliance: Cron permission hardening
rm -f /etc/cron.deny 2>/dev/null || true
touch /etc/cron.allow
chmod g-wx,o-rwx /etc/cron.allow
chown root:root /etc/cron.allow
chmod og-rwx /etc/crontab
chmod og-rwx /etc/cron.hourly/
chmod og-rwx /etc/cron.daily/
chmod og-rwx /etc/cron.weekly/
chmod og-rwx /etc/cron.monthly/
chown root:root /etc/cron.d/
chmod og-rwx /etc/cron.d/

# SCAP-STIG Compliance: At permission hardening
rm -f /etc/at.deny 2>/dev/null || true
touch /etc/at.allow
chmod g-wx,o-rwx /etc/at.allow
chown root:root /etc/at.allow

# Set file permissions
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 644 /etc/group
chmod 600 /etc/gshadow

# Remove dangerous packages
DEBIAN_FRONTEND="noninteractive" apt-get -y purge \
    telnetd \
    rsh-server \
    rsh-client \
    telnet \
    || true

# Install security tools
DEBIAN_FRONTEND="noninteractive" apt-get -y install \
    aide \
    lynis \
    chkrootkit \
    rkhunter \
    || true

# Initialize AIDE database
if [[ ! -f /var/lib/aide/aide.db ]]; then
    aideinit
fi

echo "Security hardening initializer completed"