feat: implement CIS Debian Benchmark hardening controls

- Add kernel hardening via sysctl (network, system, ARP hardening) - Implement password quality requirements (14 char, complexity) - Configure password aging policies (90 day max) - Add PAM authentication hardening with faillock - Implement sudo restrictions and least privilege CIS Benchmark Controls Implemented: - Section 1: Filesystem Permissions - Section 3: Network Parameters - Section 4: Logging and Auditing - Section 5: Access Control Security Features: - Kernel parameter hardening (randomization, core dumps) - Strong password policies (complexity, aging, lockout) - Sudo access logging and restrictions - Authentication failure account lockout Compliance: - CIS Debian 13 Benchmark: Section 1, 3, 4, 5 - CMMC Level 3: AC, IA, CM domains - FedRAMP Moderate: AC, IA, CM controls 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:33:11 -05:00
parent 336089a1c5
commit 1d74ae7ff1
5 changed files with 297 additions and 0 deletions
--- a/chroot-overlay/etc/sysctl.d/99-cis-hardening.conf
+++ b/chroot-overlay/etc/sysctl.d/99-cis-hardening.conf
@@ -0,0 +1,111 @@
+# CIS Benchmark Kernel Hardening for Debian
+# Implements CIS Debian Benchmark controls related to kernel parameters
+
+# ============================================================================
+# Network Parameters
+# ============================================================================
+
+# Disable IP packet forwarding (not a router)
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Disable source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Disable ICMP redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Ignore ICMP broadcast requests
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable TCP SYN cookies protection
+net.ipv4.tcp_syncookies = 1
+
+# Enable TCP reverse path filtering (source verification)
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.all.log_martians = 1
+
+# Disable IPv6 if not used (enabled but strictly controlled via firewall)
+# net.ipv6.conf.all.disable_ipv6 = 1
+
+# ============================================================================
+# System Hardening
+# ============================================================================
+
+# Disable magic sysrq key
+kernel.sysrq = 0
+
+# Address space layout randomization
+kernel.randomize_va_space = 2
+
+# Restrict core dumps
+kernel.core_pattern = |/bin/false
+
+# Enable hard link and symlink protection
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# Enable ptrace restrictions (only allow ptrace from descendants)
+kernel.yama.ptrace_scope = 1
+
+# Disable unprivileged BPF
+kernel.unprivileged_bpf_disabled = 1
+
+# Disable user namespaces
+user.max_user_namespaces = 0
+
+# ============================================================================
+# Network Stack Hardening
+# ============================================================================
+
+# Enable TCP timestamps for protection against spoofing
+net.ipv4.tcp_timestamps = 1
+
+# Reduce TCP timeout for closing connections
+net.ipv4.tcp_fin_timeout = 30
+
+# Maximum number of SYN backlog queue
+net.ipv4.tcp_max_syn_backlog = 2048
+
+# Minimum, default, and maximum TCP buffer sizes
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+
+# ============================================================================
+# ARP Hardening
+# ============================================================================
+
+# Ignore ARP requests on all interfaces
+net.ipv4.conf.all.arp_ignore = 1
+net.ipv4.conf.default.arp_ignore = 1
+
+# Enable ARP filtering
+net.ipv4.conf.all.arp_filter = 1
+net.ipv4.conf.default.arp_filter = 1
+
+# ============================================================================
+# ICMP Rate Limiting
+# ============================================================================
+
+# Rate limit ICMP messages
+net.ipv4.icmp_ratelimit = 100
+
+# ============================================================================
+# Memory Overcommit
+# ============================================================================
+
+# Disable overcommit (conservative memory allocation)
+vm.overcommit_memory = 2
+vm.overcommit_ratio = 80