KNELConfigMgmt-FetchApply/initializers/security-hardening/apply
Charles N Wyble 1e506fed1d feat: Complete port of all KNELServerBuild components to FetchApply
- Add secharden-audit-agents functionality to security-hardening
- Create unattended-upgrades initializer for automatic security updates
- Port Dell-specific scripts (fixcpuperf, fixeth, omsa) to dell-config
- Port sslStackFromSource.sh to ssl-stack initializer (dev systems only)
- Create ldap-auth placeholder for future Cloudron integration
- Update server class to include all initializers
- Update security role to include unattended-upgrades
- Add build dependencies to packages for SSL stack compilation
- Update README with comprehensive documentation of all initializers

Now all components from KNELServerBuild are successfully ported to FetchApply,
including previously missed security modules, Dell server scripts, and RandD components.

Future migration path clear: Salt for ongoing management, Ansible for ComplianceAsCode.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 12:48:32 -05:00


#!/bin/bash
# KNEL Security Hardening Initializer
# Applies baseline SCAP/STIG-style hardening settings
set -euo pipefail

echo "Running security hardening initializer..."

# Enable and start auditd so the audit trail is in place before the rest runs
systemctl --now enable auditd

# Configure auditd from the repository's config file, if present
if [[ -f ./ConfigFiles/AuditD/auditd.conf ]]; then
    cp ./ConfigFiles/AuditD/auditd.conf /etc/audit/auditd.conf
fi

# Configure systemd journal settings
if [[ -f ./ConfigFiles/Systemd/journald.conf ]]; then
    cp ./ConfigFiles/Systemd/journald.conf /etc/systemd/journald.conf
fi

# Configure logrotate
if [[ -f ./ConfigFiles/Logrotate/logrotate.conf ]]; then
    cp ./ConfigFiles/Logrotate/logrotate.conf /etc/logrotate.conf
fi

# Configure sysctl security parameters and apply them immediately
# (under set -e, an unknown key in the file aborts the initializer here)
if [[ -f ./configs/sysctl-hardening.conf ]]; then
    cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf
    sysctl -p /etc/sysctl.d/99-security-hardening.conf
fi

# Configure core dump limits via a pam_limits drop-in
if [[ -f ./configs/security-limits.conf ]]; then
    cp ./configs/security-limits.conf /etc/security/limits.d/security-hardening.conf
fi

# Set file permissions on the account database files
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 644 /etc/group
chmod 600 /etc/gshadow

# Remove cleartext remote-access packages; tolerate packages that are not installed
DEBIAN_FRONTEND="noninteractive" apt-get -y purge \
    telnetd \
    rsh-server \
    rsh-client \
    telnet \
    || true

# Install security tools (file integrity, auditing, rootkit scanners)
DEBIAN_FRONTEND="noninteractive" apt-get -y install \
    aide \
    lynis \
    chkrootkit \
    rkhunter \
    || true

# Initialize the AIDE database on first run only
if [[ ! -f /var/lib/aide/aide.db ]]; then
    aideinit
fi

echo "Security hardening initializer completed"
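A drift check for the state this initializer leaves behind, added here as an example and not part of the KNELConfigMgmt-FetchApply repository: it verifies the account-file modes and the presence of the sysctl drop-in the script installs, and reports each item as OK or FAIL. The `ROOT` argument and the `check_hardening` function name are assumptions; `ROOT` lets the check run against a staged tree instead of the live host, and GNU `stat` (Linux) is assumed.

```bash
#!/bin/bash
# Post-hardening drift check (added example, not repository code).
# Assumes GNU stat; ROOT prefixes every path so a staged tree can be checked.
set -uo pipefail

# Expected modes on the account database files, as set by the initializer.
PERM_SPECS=(
  "/etc/passwd:644"
  "/etc/shadow:600"
  "/etc/group:644"
  "/etc/gshadow:600"
)

# Files the initializer installs; absence means that step did not run.
REQUIRED_FILES=(
  "/etc/sysctl.d/99-security-hardening.conf"
)

# check_hardening [ROOT]: prints one OK/FAIL line per item and returns the
# number of failures (0 means the tree matches the expected state).
check_hardening() {
  local root="${1:-/}"
  root="${root%/}"
  local failures=0 spec path want have

  for spec in "${PERM_SPECS[@]}"; do
    path="${root}${spec%%:*}"
    want="${spec##*:}"
    if [[ ! -e "$path" ]]; then
      echo "FAIL ${spec%%:*} missing"; failures=$((failures + 1)); continue
    fi
    have=$(stat -c '%a' "$path")
    if [[ "$have" == "$want" ]]; then
      echo "OK   ${spec%%:*} mode ${have}"
    else
      echo "FAIL ${spec%%:*} mode ${have}, expected ${want}"
      failures=$((failures + 1))
    fi
  done

  for path in "${REQUIRED_FILES[@]}"; do
    if [[ -f "${root}${path}" ]]; then
      echo "OK   ${path} present"
    else
      echo "FAIL ${path} missing"; failures=$((failures + 1))
    fi
  done
  return "$failures"
}
```

Run it as `check_hardening` on the live host after the initializer, or as `check_hardening /path/to/staged/root` against a copied tree; a non-zero exit status is the failure count, which makes it usable as a post-apply gate.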