feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC

Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture

Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins

No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

config/package-lists/knel-football.list.chroot

@@ -27,15 +27,19 @@ wireguard-tools
 zbar-tools
 pcmanfm
 
-# System utilities
+# Network utilities (client only - NO inbound services)
+openssh-client
+wireguard
+wireguard-tools
 nftables
-iptables
-openssh-server
-sudo
 
 # Security tools
 auditd
+audispd-plugins
+aide
+aide-common
 rsyslog
+sudo
 
 # Filesystem support
 e2fsprogs

src/security-hardening.sh

@@ -35,26 +35,37 @@ EOF
   echo "Bluetooth blacklist created at $output_file"
 }
 
-# Function to configure SSH
+# Function to configure SSH client (client only - no server)
-configure_ssh() {
+# This system does NOT run an SSH server per security requirements
-  local output_file="${1:-/etc/ssh/sshd_config}"
+configure_ssh_client() {
+  local output_file="${1:-/etc/ssh/ssh_config}"
 
   cat >"$output_file" <<'EOF'
-# SSH Security Configuration
+# SSH Client Configuration
-# Reference: PRD FR-006 - Key-Based Authentication Only (no passwords)
+# Reference: PRD FR-006 - Client-only, no inbound SSH services
-Protocol 2
+
-PermitRootLogin no
+# Global defaults
-PasswordAuthentication no
+Host *
-PubkeyAuthentication yes
+    # Security settings
-PermitEmptyPasswords no
+    PasswordAuthentication no
-ChallengeResponseAuthentication no
+    PubkeyAuthentication yes
-X11Forwarding no
+    
-MaxAuthTries 3
+    # Key algorithms (modern, secure)
-ClientAliveInterval 300
+    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-ClientAliveCountMax 2
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+    
+    # Connection settings
+    ConnectTimeout 30
+    ServerAliveInterval 300
+    ServerAliveCountMax 2
+    
+    # Strict host key checking
+    StrictHostKeyChecking ask
+    UserKnownHostsFile ~/.ssh/known_hosts
 EOF
 
-  echo "SSH configuration created at $output_file"
+  echo "SSH client configuration created at $output_file"
 }
 
 # Function to configure password policy
@@ -99,6 +110,81 @@ EOF
   echo "Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char"
 }
 
+# Function to configure AIDE (File Integrity Monitoring)
+# Reference: CIS 1.4, FedRAMP AC-6, CMMC AU.3.059
+configure_fim() {
+  local aide_conf="${1:-/etc/aide/aide.conf}"
+  # Database location is configured in aide.conf below
+  # shellcheck disable=SC2034
+  local aide_db="${2:-/var/lib/aide/aide.db}"
+
+  cat >"$aide_conf" <<'EOF'
+# AIDE Configuration for KNEL-Football Secure OS
+# File Integrity Monitoring (FIM) - CIS/FedRAMP/CMMC Compliance
+# Reference: CIS Benchmark 1.4, FedRAMP AU-7, CMMC AU.3.059
+
+# Database locations
+database_out=file:/var/lib/aide/aide.db.new
+database=file:/var/lib/aide/aide.db
+
+# Report URL
+report_url=stdout
+
+# Custom group definitions for security-critical files
+SECURITY = p+u+g+s+m+c+md5+sha256+sha512
+
+# Monitor critical system directories
+/etc SECURITY
+/boot SECURITY
+/usr SECURITY
+/bin SECURITY
+/sbin SECURITY
+/lib SECURITY
+/lib64 SECURITY
+
+# Monitor SSH configurations
+/etc/ssh SECURITY
+
+# Monitor WireGuard configurations
+/etc/wireguard SECURITY
+
+# Monitor security configurations
+/etc/security SECURITY
+/etc/audit SECURITY
+/etc/modprobe.d SECURITY
+/etc/nftables.conf SECURITY
+
+# Monitor sudo and PAM
+/etc/sudoers SECURITY
+/etc/sudoers.d SECURITY
+/etc/pam.d SECURITY
+
+# Exclude paths that change legitimately
+!/proc
+!/sys
+!/dev
+!/run
+!/tmp
+!/var/log
+!/var/cache
+!/var/lib/aide
+!/var/tmp
+EOF
+
+  echo "FIM configuration created at $aide_conf"
+  echo "Run 'aideinit' to initialize the database after installation"
+}
+
+# Function to initialize AIDE database
+initialize_fim() {
+  if command -v aideinit >/dev/null 2>&1; then
+    aideinit --force
+    echo "AIDE database initialized"
+  else
+    echo "WARNING: aideinit not found, manual initialization required"
+  fi
+}
+
 # Function to configure system limits
 configure_system_limits() {
   local output_file="${1:-/etc/security/limits.d/security.conf}"
@@ -113,19 +199,79 @@ EOF
   echo "System limits configured at $output_file"
 }
 
-# Function to configure audit rules
+# Function to configure audit rules (CIS 6.2, FedRAMP AU-2, CMMC AU.2.042)
 configure_audit_rules() {
   local output_file="${1:-/etc/audit/rules.d/audit.rules}"
 
   cat >"$output_file" <<'EOF'
-# Audit rules for security compliance
+# Comprehensive Audit Rules for KNEL-Football Secure OS
+# Reference: CIS Benchmark 6.2, FedRAMP AU-2/AU-3, CMMC AU.2.042/AU.3.059
+
+## Identity and access management
 -w /etc/passwd -p wa -k identity
 -w /etc/shadow -p wa -k identity
--w /etc/sudoers -p wa -k identity
+-w /etc/group -p wa -k identity
--w /etc/ssh/sshd_config -p wa -k sshd_config
+-w /etc/gshadow -p wa -k identity
--w /var/log/audit/ -p wa -k log_audit
+-w /etc/sudoers -p wa -k privilege_escalation
--w /var/log/secure -p wa -k log_secure
+-w /etc/sudoers.d/ -p wa -k privilege_escalation
+
+## Authentication configuration
+-w /etc/pam.d/ -p wa -k authentication
+-w /etc/security/ -p wa -k authentication
+-w /etc/login.defs -p wa -k authentication
+-w /var/log/faillog -p wa -k authentication
+-w /var/log/lastlog -p wa -k authentication
+-w /var/log/tallylog -p wa -k authentication
+
+## Network configuration
+-w /etc/network/ -p wa -k network_config
+-w /etc/hosts -p wa -k network_config
+-w /etc/hostname -p wa -k network_config
+-w /etc/resolv.conf -p wa -k network_config
+-w /etc/nftables.conf -p wa -k firewall
 -w /etc/wireguard/ -p wa -k wireguard_config
+
+## SSH client configuration (no server - client only)
+-w /etc/ssh/ssh_config -p wa -k ssh_config
+
+## System configuration
+-w /etc/fstab -p wa -k filesystem
+-w /etc/crypttab -p wa -k encryption
+-w /etc/modprobe.d/ -p wa -k kernel_modules
+-w /etc/sysctl.conf -p wa -k kernel_parameters
+-w /etc/sysctl.d/ -p wa -k kernel_parameters
+
+## Boot configuration
+-w /boot/ -p wa -k boot_config
+-w /efi/ -p wa -k boot_config
+-w /etc/default/grub -p wa -k boot_config
+-w /etc/grub.d/ -p wa -k boot_config
+
+## Audit subsystem (self-monitoring)
+-w /etc/audit/ -p wa -k audit_config
+-w /var/log/audit/ -p wa -k audit_logs
+
+## Time synchronization
+-w /etc/chrony/ -p wa -k time_sync
+-w /etc/ntp.conf -p wa -k time_sync
+
+## System administration
+-w /usr/bin/sudo -p x -k privilege_escalation
+-w /usr/bin/su -p x -k privilege_escalation
+-w /usr/bin/passwd -p x -k password_change
+-w /usr/bin/chsh -p x -k user_modification
+-w /usr/bin/usermod -p x -k user_modification
+
+## Session monitoring
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+
+## Module loading
+-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
+
+## File integrity monitoring alerts
+-w /var/lib/aide/ -p wa -k file_integrity
 EOF
 
   echo "Audit rules configured at $output_file"
@@ -138,12 +284,14 @@ apply_security_hardening() {
 
   create_wifi_blacklist "${1:-}"
   create_bluetooth_blacklist "${2:-}"
-  configure_ssh "${3:-}"
+  configure_ssh_client "${3:-}"
   configure_password_policy "${4:-}"
-  configure_system_limits "${5:-}"
+  configure_fim "${5:-}"
-  configure_audit_rules "${6:-}"
+  configure_system_limits "${6:-}"
+  configure_audit_rules "${7:-}"
 
   echo "Security hardening completed."
+  echo "IMPORTANT: Run 'aideinit' to initialize file integrity database after installation"
 }
 
 # Main execution

tests/security/compliance_comprehensive_test.bats

@@ -1,5 +1,6 @@
 #!/usr/bin/env bats
 # Comprehensive security compliance tests
+# Reference: CIS Benchmark, FedRAMP, CMMC
 
 @test "Full Disk Encryption configured" {
     grep -q "crypto" /workspace/config/preseed.cfg
@@ -21,11 +22,143 @@
     grep -q "nftables" /workspace/config/package-lists/knel-football.list.chroot
 }
 
-# FR-006: SSH Access - Key-Based Authentication Only
+# FR-006: SSH Access - Client Only (no inbound services)
-@test "SSH password authentication disabled" {
+@test "SSH client only (no server)" {
+    ! grep -q "openssh-server" /workspace/config/package-lists/knel-football.list.chroot
+}
+
+@test "SSH client installed" {
+    grep -q "openssh-client" /workspace/config/package-lists/knel-football.list.chroot
+}
+
+@test "SSH client configuration exists" {
+    grep -q "configure_ssh_client" /workspace/src/security-hardening.sh
+}
+
+@test "SSH client disables password auth" {
     grep -q "PasswordAuthentication no" /workspace/src/security-hardening.sh
 }
 
-@test "SSH root login disabled" {
+# CIS 1.4 - File Integrity Monitoring (FIM)
-    grep -q "PermitRootLogin no" /workspace/src/security-hardening.sh
+@test "CIS 1.4/FedRAMP AU-7/CMMC AU.3.059: AIDE package installed" {
+    grep -q "aide" /workspace/config/package-lists/knel-football.list.chroot
+}
+
+@test "CIS 1.4: FIM configuration function exists" {
+    grep -q "configure_fim" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 1.4: FIM monitors /etc" {
+    grep -q "/etc SECURITY" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 1.4: FIM monitors /boot" {
+    grep -q "/boot SECURITY" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 1.4: FIM monitors /usr" {
+    grep -q "/usr SECURITY" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 1.4: FIM uses SHA256/SHA512" {
+    grep -q "sha256\|sha512" /workspace/src/security-hardening.sh
+}
+
+# CIS 5.3 - System Resource Limits
+@test "CIS 5.3: System resource limits configured" {
+    grep -q "hard core 0" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 5.3: Process limits configured" {
+    grep -q "nproc" /workspace/src/security-hardening.sh
+}
+
+# CIS 6.2 - Audit Configuration (Comprehensive)
+@test "CIS 6.2/FedRAMP AU-2/CMMC AU.2.042: Audit daemon installed" {
+    grep -q "auditd" /workspace/config/package-lists/knel-football.list.chroot
+}
+
+@test "CIS 6.2: Audit rules function exists" {
+    grep -q "configure_audit_rules" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches /etc/passwd" {
+    grep -q "/etc/passwd.*-k identity" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches /etc/shadow" {
+    grep -q "/etc/shadow.*-k identity" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches /etc/sudoers" {
+    grep -q "/etc/sudoers.*-k privilege" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches authentication files" {
+    grep -q "/etc/pam.d" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches network config" {
+    grep -q "/etc/hosts" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches WireGuard config" {
+    grep -q "/etc/wireguard" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches boot configuration" {
+    grep -q "/boot/" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit watches kernel modules" {
+    grep -q "init_module\|delete_module" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit monitors privilege escalation" {
+    grep -q "/usr/bin/sudo.*-k privilege" /workspace/src/security-hardening.sh
+}
+
+@test "CIS 6.2: Audit monitors password changes" {
+    grep -q "/usr/bin/passwd" /workspace/src/security-hardening.sh
+}
+
+# CIS 2.1 - Package Management Disabled
+@test "CIS 2.1: Package management disable script exists" {
+    [ -f "/workspace/config/hooks/installed/disable-package-management.sh" ]
+}
+
+@test "CIS 2.1: Package management disables apt" {
+    grep -q "chmod -x.*apt" /workspace/config/hooks/installed/disable-package-management.sh
+}
+
+@test "CIS 2.1: Package management disables dpkg" {
+    grep -q "chmod -x.*dpkg" /workspace/config/hooks/installed/disable-package-management.sh
+}
+
+@test "CIS 2.1: Package management makes tools immutable" {
+    grep -q "chattr +i" /workspace/config/hooks/installed/disable-package-management.sh
+}
+
+# CIS 5.4 - Sudo Configuration
+@test "CIS 5.4: Sudo package installed" {
+    grep -q "sudo" /workspace/config/package-lists/knel-football.list.chroot
+}
+
+# Network Security - WireGuard
+@test "WireGuard installed for VPN access" {
+    grep -q "wireguard" /workspace/config/package-lists/knel-football.list.chroot
+}
+
+@test "Remmina RDP client installed" {
+    grep -q "remmina" /workspace/config/package-lists/knel-football.list.chroot
+}
+
+# CIS 5.7 - Display Manager Privacy
+@test "CIS 5.7: Display manager privacy configured" {
+    grep -q "greeter-hide-users\|hide-users" /workspace/config/hooks/live/desktop-environment.sh
+}
+
+@test "CIS 5.7: No auto-login configured" {
+    grep -q "autologin-user=\|auto-login" /workspace/config/hooks/live/desktop-environment.sh || \
+    grep -q "# autologin" /workspace/config/hooks/live/desktop-environment.sh
 }