feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC

Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture

Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins

No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

src/security-hardening.sh

@@ -35,26 +35,37 @@ EOF
   echo "Bluetooth blacklist created at $output_file"
 }
 
-# Function to configure SSH
-configure_ssh() {
-  local output_file="${1:-/etc/ssh/sshd_config}"
+# Function to configure SSH client (client only - no server)
+# This system does NOT run an SSH server per security requirements
+configure_ssh_client() {
+  local output_file="${1:-/etc/ssh/ssh_config}"
 
   cat >"$output_file" <<'EOF'
-# SSH Security Configuration
-# Reference: PRD FR-006 - Key-Based Authentication Only (no passwords)
-Protocol 2
-PermitRootLogin no
-PasswordAuthentication no
-PubkeyAuthentication yes
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
-X11Forwarding no
-MaxAuthTries 3
-ClientAliveInterval 300
-ClientAliveCountMax 2
+# SSH Client Configuration
+# Reference: PRD FR-006 - Client-only, no inbound SSH services
+
+# Global defaults
+Host *
+    # Security settings
+    PasswordAuthentication no
+    PubkeyAuthentication yes
+    
+    # Key algorithms (modern, secure)
+    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+    
+    # Connection settings
+    ConnectTimeout 30
+    ServerAliveInterval 300
+    ServerAliveCountMax 2
+    
+    # Strict host key checking
+    StrictHostKeyChecking ask
+    UserKnownHostsFile ~/.ssh/known_hosts
 EOF
 
-  echo "SSH configuration created at $output_file"
+  echo "SSH client configuration created at $output_file"
 }
 
 # Function to configure password policy
@@ -99,6 +110,81 @@ EOF
   echo "Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char"
 }
 
+# Function to configure AIDE (File Integrity Monitoring)
+# Reference: CIS 1.4, FedRAMP AC-6, CMMC AU.3.059
+configure_fim() {
+  local aide_conf="${1:-/etc/aide/aide.conf}"
+  # Database location is configured in aide.conf below
+  # shellcheck disable=SC2034
+  local aide_db="${2:-/var/lib/aide/aide.db}"
+
+  cat >"$aide_conf" <<'EOF'
+# AIDE Configuration for KNEL-Football Secure OS
+# File Integrity Monitoring (FIM) - CIS/FedRAMP/CMMC Compliance
+# Reference: CIS Benchmark 1.4, FedRAMP AU-7, CMMC AU.3.059
+
+# Database locations
+database_out=file:/var/lib/aide/aide.db.new
+database=file:/var/lib/aide/aide.db
+
+# Report URL
+report_url=stdout
+
+# Custom group definitions for security-critical files
+SECURITY = p+u+g+s+m+c+md5+sha256+sha512
+
+# Monitor critical system directories
+/etc SECURITY
+/boot SECURITY
+/usr SECURITY
+/bin SECURITY
+/sbin SECURITY
+/lib SECURITY
+/lib64 SECURITY
+
+# Monitor SSH configurations
+/etc/ssh SECURITY
+
+# Monitor WireGuard configurations
+/etc/wireguard SECURITY
+
+# Monitor security configurations
+/etc/security SECURITY
+/etc/audit SECURITY
+/etc/modprobe.d SECURITY
+/etc/nftables.conf SECURITY
+
+# Monitor sudo and PAM
+/etc/sudoers SECURITY
+/etc/sudoers.d SECURITY
+/etc/pam.d SECURITY
+
+# Exclude paths that change legitimately
+!/proc
+!/sys
+!/dev
+!/run
+!/tmp
+!/var/log
+!/var/cache
+!/var/lib/aide
+!/var/tmp
+EOF
+
+  echo "FIM configuration created at $aide_conf"
+  echo "Run 'aideinit' to initialize the database after installation"
+}
+
+# Function to initialize AIDE database
+initialize_fim() {
+  if command -v aideinit >/dev/null 2>&1; then
+    aideinit --force
+    echo "AIDE database initialized"
+  else
+    echo "WARNING: aideinit not found, manual initialization required"
+  fi
+}
+
 # Function to configure system limits
 configure_system_limits() {
   local output_file="${1:-/etc/security/limits.d/security.conf}"
@@ -113,19 +199,79 @@ EOF
   echo "System limits configured at $output_file"
 }
 
-# Function to configure audit rules
+# Function to configure audit rules (CIS 6.2, FedRAMP AU-2, CMMC AU.2.042)
 configure_audit_rules() {
   local output_file="${1:-/etc/audit/rules.d/audit.rules}"
 
   cat >"$output_file" <<'EOF'
-# Audit rules for security compliance
+# Comprehensive Audit Rules for KNEL-Football Secure OS
+# Reference: CIS Benchmark 6.2, FedRAMP AU-2/AU-3, CMMC AU.2.042/AU.3.059
+
+## Identity and access management
 -w /etc/passwd -p wa -k identity
 -w /etc/shadow -p wa -k identity
--w /etc/sudoers -p wa -k identity
--w /etc/ssh/sshd_config -p wa -k sshd_config
--w /var/log/audit/ -p wa -k log_audit
--w /var/log/secure -p wa -k log_secure
+-w /etc/group -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/sudoers -p wa -k privilege_escalation
+-w /etc/sudoers.d/ -p wa -k privilege_escalation
+
+## Authentication configuration
+-w /etc/pam.d/ -p wa -k authentication
+-w /etc/security/ -p wa -k authentication
+-w /etc/login.defs -p wa -k authentication
+-w /var/log/faillog -p wa -k authentication
+-w /var/log/lastlog -p wa -k authentication
+-w /var/log/tallylog -p wa -k authentication
+
+## Network configuration
+-w /etc/network/ -p wa -k network_config
+-w /etc/hosts -p wa -k network_config
+-w /etc/hostname -p wa -k network_config
+-w /etc/resolv.conf -p wa -k network_config
+-w /etc/nftables.conf -p wa -k firewall
 -w /etc/wireguard/ -p wa -k wireguard_config
+
+## SSH client configuration (no server - client only)
+-w /etc/ssh/ssh_config -p wa -k ssh_config
+
+## System configuration
+-w /etc/fstab -p wa -k filesystem
+-w /etc/crypttab -p wa -k encryption
+-w /etc/modprobe.d/ -p wa -k kernel_modules
+-w /etc/sysctl.conf -p wa -k kernel_parameters
+-w /etc/sysctl.d/ -p wa -k kernel_parameters
+
+## Boot configuration
+-w /boot/ -p wa -k boot_config
+-w /efi/ -p wa -k boot_config
+-w /etc/default/grub -p wa -k boot_config
+-w /etc/grub.d/ -p wa -k boot_config
+
+## Audit subsystem (self-monitoring)
+-w /etc/audit/ -p wa -k audit_config
+-w /var/log/audit/ -p wa -k audit_logs
+
+## Time synchronization
+-w /etc/chrony/ -p wa -k time_sync
+-w /etc/ntp.conf -p wa -k time_sync
+
+## System administration
+-w /usr/bin/sudo -p x -k privilege_escalation
+-w /usr/bin/su -p x -k privilege_escalation
+-w /usr/bin/passwd -p x -k password_change
+-w /usr/bin/chsh -p x -k user_modification
+-w /usr/bin/usermod -p x -k user_modification
+
+## Session monitoring
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+
+## Module loading
+-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
+
+## File integrity monitoring alerts
+-w /var/lib/aide/ -p wa -k file_integrity
 EOF
 
   echo "Audit rules configured at $output_file"
@@ -138,12 +284,14 @@ apply_security_hardening() {
 
   create_wifi_blacklist "${1:-}"
   create_bluetooth_blacklist "${2:-}"
-  configure_ssh "${3:-}"
+  configure_ssh_client "${3:-}"
   configure_password_policy "${4:-}"
-  configure_system_limits "${5:-}"
-  configure_audit_rules "${6:-}"
+  configure_fim "${5:-}"
+  configure_system_limits "${6:-}"
+  configure_audit_rules "${7:-}"
 
   echo "Security hardening completed."
+  echo "IMPORTANT: Run 'aideinit' to initialize file integrity database after installation"
 }
 
 # Main execution