progress snapshot

This commit is contained in:
2026-01-21 08:33:09 -05:00
parent 6c96f3c549
commit 1339705f9d
20 changed files with 3387 additions and 46 deletions


@@ -3,7 +3,7 @@
# This script configures strict firewall with WireGuard-only access
# Implements CIS Debian Benchmark and CMMC/FedRAMP controls
set -e
set -euo pipefail
echo "Applying CIS Benchmark and CMMC/FedRAMP hardening..."
@@ -48,8 +48,8 @@ iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Only WireGuard on physical interface
iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP -p udp --dport $WG_ENDPOINT_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP -p udp --sport $WG_ENDPOINT_PORT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d "$WG_ENDPOINT_IP" -p udp --dport "$WG_ENDPOINT_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s "$WG_ENDPOINT_IP" -p udp --sport "$WG_ENDPOINT_PORT" -m state --state ESTABLISHED -j ACCEPT
# All traffic through WireGuard
iptables -A INPUT -i wg0 -j ACCEPT
@@ -328,7 +328,9 @@ systemctl enable apparmor 2>/dev/null || true
# Enforce AppArmor profiles for critical services
for profile in /etc/apparmor.d/*; do
[ -f "$profile" ] && aa-enforce "${profile##*/}" 2>/dev/null || true
if [ -f "$profile" ]; then
aa-enforce "${profile##*/}" 2>/dev/null || true
fi
done
# ============================================================================
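Review bot: The rewritten loop body in the `@@ -328,7 +328,9 @@` hunk still discards every failure of `aa-enforce` via `2>/dev/null || true`, so a profile that fails to load is indistinguishable from one that was enforced, and the "Applying CIS Benchmark and CMMC/FedRAMP hardening" run reports success either way; now that the script runs under `set -euo pipefail` (first hunk) this is the one place a failure would have been visible, and it is muted. Keeping the loop non-fatal is reasonable for a best-effort pass, but the failed profile should at least be named on stderr so the hardening state can be audited: `if ! aa-enforce "${profile##*/}" 2>/dev/null; then printf 'warn: aa-enforce failed for %s\n' "$profile" >&2; fi`. Separately, the switch to `set -u` in the first hunk means any variable referenced later in the script (the body between hunks is outside this view) aborts the run when unset; presumably `WG_ENDPOINT_IP` and `WG_ENDPOINT_PORT` are validated before the iptables rules in the second hunk, but if not, a `: "${WG_ENDPOINT_IP:?}"` guard near the top would make that failure happen before any firewall policy is changed rather than midway through.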