Refactor apply script to implement comprehensive security hardening:

- Add GRUB bootloader permission hardening (root:root, mode 0400)
- Disable and remove autofs service per STIG requirements
- Deploy modprobe configurations for kernel module blacklisting
- Create STIG-compliant network protocol blacklist (dccp, rds, sctp, tipc)
- Create STIG-compliant filesystem blacklist (cramfs, freevxfs, hfs, etc.)
- Create USB storage blacklist for removable media control
- Deploy security banners (issue, issue.net, motd)
- Harden cron and at permission controls (cron.allow, at.allow)
- Fix typo in security-limits.conf destination path

🤖 Generated with [Crush](https://github.com/charmassociates/crush)

Assisted-by: GLM-5 via Crush <crush@charm.land>
3.4 KiB
Executable File