feat: implement CIS Debian Benchmark hardening controls

- Add kernel hardening via sysctl (network, system, ARP hardening)
- Implement password quality requirements (14 char, complexity)
- Configure password aging policies (90 day max)
- Add PAM authentication hardening with faillock
- Implement sudo restrictions and least privilege

CIS Benchmark Controls Implemented:
- Section 1: Filesystem Permissions
- Section 3: Network Parameters
- Section 4: Logging and Auditing
- Section 5: Access Control

Security Features:
- Kernel parameter hardening (randomization, core dumps)
- Strong password policies (complexity, aging, lockout)
- Sudo access logging and restrictions
- Authentication failure account lockout

Compliance:
- CIS Debian 13 Benchmark: Section 1, 3, 4, 5
- CMMC Level 3: AC, IA, CM domains
- FedRAMP Moderate: AC, IA, CM controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

chroot-overlay/etc/pam.d/common-password-cis

@@ -0,0 +1,25 @@
+# CIS Benchmark PAM Password Configuration
+# This file enforces password quality requirements
+
+# Enforce strong passwords
+password required pam_pwquality.so retry=3 enforce_for_root
+
+# Use SHA512 for password hashing
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+
+# Lock account after failed attempts
+auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
+auth [success=1 default=bad] pam_unix.so nullok_secure
+auth required pam_faillock.so authfail audit deny=5 unlock_time=900
+
+# Last successful login display
+session required pam_lastlog.so showfailed
+
+# Limit resource usage
+session required pam_limits.so
+
+# Set secure umask
+session optional pam_umask.so umask=077
+
+# No delay for successful login, delay for failed
+auth optional pam_faildelay.so delay=4000000