From 2b422cf62c4ea91d721f356a0700f6b9180dc5f7 Mon Sep 17 00:00:00 2001 From: reachableceo Date: Fri, 8 May 2026 12:08:54 -0500 Subject: [PATCH] fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush --- config/hooks/installed/encryption-setup.sh | 104 +++++++++++++++--- config/hooks/installed/install-scripts.sh | 4 +- config/hooks/installed/mount-hardening.sh | 61 +++++----- config/hooks/live/firewall-setup.sh | 8 +- config/hooks/live/qr-code-import.sh | 5 +- config/hooks/live/security-hardening.sh | 28 ++--- config/hooks/live/usb-automount.sh | 17 ++- run.sh | 20 ++-- src/firewall-setup.sh | 10 +- src/security-hardening.sh | 28 +++-- .../firewall-setup_comprehensive_test.bats | 5 +- tests/unit/firewall_test.bats | 5 +- ...security-hardening_comprehensive_test.bats | 2 +- 13 files changed, 199 insertions(+), 98 deletions(-) diff --git a/config/hooks/installed/encryption-setup.sh b/config/hooks/installed/encryption-setup.sh index 1a55c35..8fd4ddd 100755 --- a/config/hooks/installed/encryption-setup.sh +++ b/config/hooks/installed/encryption-setup.sh @@ -31,7 +31,7 @@ EOF if [ -f /etc/crypttab ]; then echo "Verifying crypttab configuration..." # Ensure crypttab has proper options - sed -i 's/luks$/luks,discard,cipher=aes-xts-plain64,key-size=512/g' /etc/crypttab + sed -i '/\/dev\/mapper\|^#/!s/\bluks\b/luks,discard,cipher=aes-xts-plain64,key-size=512/' /etc/crypttab fi # Configure initramfs to include necessary modules for decryption @@ -99,8 +99,8 @@ Recovery Information: Commands: - Check encryption status: cryptsetup status cryptroot -- Add additional passphrase: cryptsetup luksAddKey /dev/sda3 -- List key slots: cryptsetup luksDump /dev/sda3 +- Add additional passphrase: cryptsetup luksAddKey $(find-luks-device.sh) +- List key slots: cryptsetup luksDump $(find-luks-device.sh) WARNING: Losing the encryption passphrase will result in permanent data loss. There is NO backdoor or recovery mechanism @@ -138,11 +138,18 @@ for dev in /dev/mapper/*; do done echo "" -# Check LUKS container details -if [ -b /dev/sda3 ]; then - echo "LUKS Container Information:" +# Check LUKS container details (dynamic device discovery) +LUKS_DEV="" +for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do + if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then + LUKS_DEV="$dev" + break + fi +done +if [ -n "$LUKS_DEV" ]; then + echo "LUKS Container Information ($LUKS_DEV):" echo "---------------------------" - cryptsetup luksDump /dev/sda3 | head -20 + cryptsetup luksDump "$LUKS_DEV" | head -20 echo "" fi @@ -160,6 +167,45 @@ EOF chmod +x /usr/local/bin/check-encryption.sh +# Create LUKS device discovery helper +cat > /usr/local/bin/find-luks-device.sh <<'EOF' +#!/bin/bash +# Discover the LUKS encrypted partition dynamically +set -euo pipefail + +# Method 1: Check crypttab for the root device +if [ -f /etc/crypttab ]; then + while read -r name device _ _; do + [ -z "$name" ] || [ "$name" = "#" ] && continue + if [ -b "$device" ] && cryptsetup isLuks "$device" 2>/dev/null; then + echo "$device" + exit 0 + fi + done < /etc/crypttab +fi + +# Method 2: Check common partition layouts +for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do + if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then + echo "$dev" + exit 0 + fi +done + +# Method 3: Scan all partitions with lsblk +if command -v lsblk >/dev/null 2>&1; then + while read -r dev; do + if cryptsetup isLuks "$dev" 2>/dev/null; then + echo "$dev" + exit 0 + fi + done < <(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1}') +fi + +exit 1 +EOF +chmod +x /usr/local/bin/find-luks-device.sh + # Create encryption key management script cat > /usr/local/bin/manage-encryption-keys.sh <<'EOF' #!/bin/bash @@ -201,13 +247,23 @@ case $choice in exit 1 fi - echo "$existing_pass" | cryptsetup luksAddKey /dev/sda3 <<< "$new_pass" + LUKS_DEV=$(/usr/local/bin/find-luks-device.sh) + if [ -z "$LUKS_DEV" ]; then + echo "ERROR: No LUKS device found" + exit 1 + fi + printf '%s\n' "$existing_pass" "$new_pass" | cryptsetup luksAddKey "$LUKS_DEV" echo "New passphrase added successfully" ;; 2) - cryptsetup luksDump /dev/sda3 | grep "Key Slot" + LUKS_DEV=$(/usr/local/bin/find-luks-device.sh) + if [ -z "$LUKS_DEV" ]; then + echo "ERROR: No LUKS device found" + exit 1 + fi + cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot" read -p "Enter key slot to remove: " slot - cryptsetup luksKillSlot /dev/sda3 "$slot" + cryptsetup luksKillSlot "$LUKS_DEV" "$slot" echo "Key slot removed successfully" ;; 3) @@ -225,19 +281,37 @@ case $choice in fi # This is complex and requires careful handling + LUKS_DEV=$(/usr/local/bin/find-luks-device.sh) + if [ -z "$LUKS_DEV" ]; then + echo "ERROR: No LUKS device found" + exit 1 + fi echo "This operation requires manual intervention" - echo "Please use: cryptsetup luksChangeKey /dev/sda3" + echo "Please use: cryptsetup luksChangeKey $LUKS_DEV" ;; 4) + LUKS_DEV=$(/usr/local/bin/find-luks-device.sh) + if [ -z "$LUKS_DEV" ]; then + echo "ERROR: No LUKS device found" + exit 1 + fi echo "Active key slots:" - cryptsetup luksDump /dev/sda3 | grep "Key Slot" | grep "ENABLED" + cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot" | grep "ENABLED" ;; 5) echo "Generating recovery key..." # Generate a strong random key - dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 > /var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt - chmod 600 /var/backups/keys/recovery_key_*.txt - echo "Recovery key generated and stored in /var/backups/keys/" + LUKS_DEV=$(/usr/local/bin/find-luks-device.sh) + if [ -z "$LUKS_DEV" ]; then + echo "ERROR: No LUKS device found" + exit 1 + fi + KEY_FILE="/var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt" + dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 > "$KEY_FILE" + chmod 600 "$KEY_FILE" + echo "Recovery key generated: $KEY_FILE" + echo "To add this key to a LUKS slot:" + echo " cryptsetup luksAddKey $LUKS_DEV $KEY_FILE" echo "WARNING: Store this key in a secure, offline location" ;; 0) diff --git a/config/hooks/installed/install-scripts.sh b/config/hooks/installed/install-scripts.sh index e5f20e3..567c6aa 100755 --- a/config/hooks/installed/install-scripts.sh +++ b/config/hooks/installed/install-scripts.sh @@ -218,7 +218,7 @@ EOF # Create WireGuard configuration directory mkdir -p /etc/wireguard -# Add football to appropriate groups -usermod -a -G sudo,audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true +# Add football to appropriate groups (NOT sudo - access via sudoers.d only) +usermod -a -G audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true echo "Source scripts installed successfully." diff --git a/config/hooks/installed/mount-hardening.sh b/config/hooks/installed/mount-hardening.sh index 440aa68..816653c 100755 --- a/config/hooks/installed/mount-hardening.sh +++ b/config/hooks/installed/mount-hardening.sh @@ -5,46 +5,35 @@ set -euo pipefail echo "Applying mount point hardening..." -# Create fstab security entries for temporary filesystems -# These are added via a systemd mount helper or tmpfiles.d -# since fstab is managed by the installer for the main partitions +FSTAB="/etc/fstab" -# Harden /tmp via tmpfiles.d (systemd-tmpfiles) -mkdir -p /etc/tmpfiles.d +# Ensure fstab exists +touch "$FSTAB" -cat >/etc/tmpfiles.d/knel-mount-hardening.conf <<'EOF' -# KNEL-Football Mount Hardening -# Ensure /tmp is mounted with nodev, nosuid, noexec -# This supplements the installer-created fstab -d /tmp 1777 root root 0d -EOF - -# Add security mount options to fstab if entries exist -if [ -f /etc/fstab ]; then - # Harden /tmp if present - if grep -q '/tmp' /etc/fstab 2>/dev/null; then - sed -i '/\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true - fi - - # Harden /var/tmp if present - if grep -q '/var/tmp' /etc/fstab 2>/dev/null; then - sed -i '/\/var\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true - fi - - # Harden /home if present - if grep -q '/home' /etc/fstab 2>/dev/null; then - sed -i '/\/home/s/defaults/defaults,nodev,nosuid/' /etc/fstab 2>/dev/null || true - fi - - # Harden /dev/shm if present - if grep -q '/dev/shm' /etc/fstab 2>/dev/null; then - sed -i '/\/dev\/shm/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true - fi +# Harden /tmp if present in fstab, otherwise add tmpfs entry +if grep -q '/tmp' "$FSTAB" 2>/dev/null; then + sed -i '/\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true +else + echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> "$FSTAB" fi -# If /tmp is NOT in fstab, add a tmpfs entry with hardening -if ! grep -q '/tmp' /etc/fstab 2>/dev/null; then - echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> /etc/fstab +# Harden /var/tmp if present, otherwise add tmpfs entry +if grep -q '/var/tmp' "$FSTAB" 2>/dev/null; then + sed -i '/\/var\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true +else + echo "tmpfs /var/tmp tmpfs defaults,nodev,nosuid,noexec,size=512M 0 0" >> "$FSTAB" +fi + +# Harden /dev/shm if present, otherwise add tmpfs entry +if grep -q '/dev/shm' "$FSTAB" 2>/dev/null; then + sed -i '/\/dev\/shm/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true +else + echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec,size=512M 0 0" >> "$FSTAB" +fi + +# Harden /home if it has its own partition +if grep -q '/home' "$FSTAB" 2>/dev/null; then + sed -i '/\/home/s/defaults/defaults,nodev,nosuid/' "$FSTAB" 2>/dev/null || true fi echo "Mount hardening completed." diff --git a/config/hooks/live/firewall-setup.sh b/config/hooks/live/firewall-setup.sh index ee9c2c9..9f8568b 100755 --- a/config/hooks/live/firewall-setup.sh +++ b/config/hooks/live/firewall-setup.sh @@ -25,8 +25,7 @@ table inet filter { udp sport 67 udp dport 68 accept comment "Accept DHCP offers" udp sport 68 udp dport 67 accept comment "Accept DHCP requests" - # Accept ICMP ping - icmp type echo-request accept comment "Accept ping" + # Accept essential ICMP only icmp type destination-unreachable accept comment "Accept dest unreachable" icmp type time-exceeded accept comment "Accept time exceeded" @@ -50,8 +49,9 @@ table inet filter { # Accept DHCP client requests (broadcast to find DHCP server) udp dport 67 accept comment "Allow DHCP client requests" - # Accept WireGuard UDP (any endpoint - config determines actual peer) - udp dport 51820-51830 accept comment "Allow WireGuard VPN" + # Accept WireGuard UDP (any endpoint - dynamic config determines actual peer) + # Once WireGuard is configured, firewall-setup.sh locks to specific endpoint + udp dport 51820 accept comment "Allow WireGuard VPN" # Accept DNS over WireGuard tunnel interface oifname "wg*" accept comment "Accept all traffic via VPN tunnel" diff --git a/config/hooks/live/qr-code-import.sh b/config/hooks/live/qr-code-import.sh index dc588e0..55af061 100755 --- a/config/hooks/live/qr-code-import.sh +++ b/config/hooks/live/qr-code-import.sh @@ -21,9 +21,10 @@ if ! ls /dev/video* >/dev/null 2>&1; then exit 1 fi -# Create temporary file for QR data +# Create temporary file for QR data with restricted permissions qr_data=$(mktemp) -trap "rm -f $qr_data" EXIT +chmod 600 "$qr_data" +trap "rm -f \"$qr_data\"" EXIT # Scan QR code echo "Scanning QR code..." diff --git a/config/hooks/live/security-hardening.sh b/config/hooks/live/security-hardening.sh index b4977f2..fee913d 100755 --- a/config/hooks/live/security-hardening.sh +++ b/config/hooks/live/security-hardening.sh @@ -11,15 +11,22 @@ cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF' blacklist cfg80211 blacklist mac80211 blacklist brcmfmac +blacklist brcmsmac +blacklist brcm80211 blacklist iwlwifi +blacklist iwlmvm blacklist ath9k blacklist ath9k_htc blacklist ath10k_pci +blacklist ath10k_sdio +blacklist ath11k_pci +blacklist ath11k_ahb blacklist rtl8188ee blacklist rtl8192ce blacklist rtl8192se blacklist rtl8723ae blacklist rtl8821ae +blacklist rtl8xxxu blacklist rt73usb blacklist rt2800usb blacklist rt2x00lib @@ -27,6 +34,8 @@ blacklist rt2x00usb blacklist mwifiex blacklist mwifiex_pcie blacklist mwifiex_sdio +blacklist r8188eu +blacklist r8723bs EOF # Bluetooth module blacklist @@ -57,22 +66,15 @@ Host * ConnectTimeout 30 ServerAliveInterval 300 ServerAliveCountMax 2 - StrictHostKeyChecking ask + StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF -# SSH server config (defense-in-depth - sshd not installed per PRD FR-006) -cat >/etc/ssh/sshd_config <<'EOF' -# SSH Server Hardening (defense-in-depth) -# Reference: PRD FR-006 - Client-only system, sshd not installed -Protocol 2 -PermitRootLogin no -PermitEmptyPasswords no -MaxAuthTries 3 -ClientAliveInterval 300 -ClientAliveCountMax 2 -X11Forwarding no -EOF +# SSH server is NOT installed per PRD FR-006 +# Ensure no sshd_config exists to prevent accidental activation +rm -f /etc/ssh/sshd_config +touch /etc/ssh/sshd_config.disabled +echo "# SSH server disabled per PRD FR-006" > /etc/ssh/sshd_config.disabled # Password policy - PRD FR-007, NIST SP 800-63B mkdir -p /etc/security diff --git a/config/hooks/live/usb-automount.sh b/config/hooks/live/usb-automount.sh index 1b7fc96..a9dd4d9 100755 --- a/config/hooks/live/usb-automount.sh +++ b/config/hooks/live/usb-automount.sh @@ -23,20 +23,29 @@ DEVICE="/dev/${1}" DEVICE_NAME="${1}" MOUNT_BASE="/media/usb-${DEVICE_NAME}" +# Validate device name to prevent injection +if [[ ! "${DEVICE_NAME}" =~ ^[a-zA-Z0-9]+$ ]]; then + echo "Invalid device name" >&2 + exit 1 +fi + # Create mount point if it doesn't exist mkdir -p "${MOUNT_BASE}" # Determine filesystem type and mount with appropriate options +# PRD FR-008: noexec,nosuid,nodev mandatory for USB security if blkid "${DEVICE}" | grep -q "TYPE=\"vfat\""; then - mount -t vfat -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}" + mount -t vfat -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}" elif blkid "${DEVICE}" | grep -q "TYPE=\"ntfs\""; then - mount -t ntfs-3g -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}" + mount -t ntfs-3g -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}" elif blkid "${DEVICE}" | grep -q "TYPE=\"ext4\""; then - mount -t ext4 -o rw "${DEVICE}" "${MOUNT_BASE}" + mount -t ext4 -o rw,noexec,nosuid,nodev "${DEVICE}" "${MOUNT_BASE}" else - mount -t auto -o rw,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}" + mount -t auto -o rw,noexec,nosuid,nodev,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}" fi +# Audit log USB mount event +logger -t usb-automount "USB device ${DEVICE} mounted at ${MOUNT_BASE} (noexec,nosuid,nodev)" echo "USB device ${DEVICE} mounted at ${MOUNT_BASE}" EOF diff --git a/run.sh b/run.sh index 909f502..07ceada 100755 --- a/run.sh +++ b/run.sh @@ -697,8 +697,8 @@ uki_sign() { log_info "UKI signed successfully" return 0 else - log_warn "UKI signed but verification uncertain" - return 0 + log_error "UKI signature verification FAILED" + return 1 fi } @@ -840,7 +840,7 @@ sb_docker_build_uki() { local cmdline="${build_dir}/cmdline.txt" # Create cmdline - echo "quiet splash lockdown=confidentiality" > "$cmdline" + echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$cmdline" # Build UKI echo "[SecureBoot] Bundling kernel+initrd+cmdline..." @@ -861,8 +861,8 @@ sb_docker_build_uki() { echo "[SecureBoot] UKI signed and verified: $uki_file" return 0 else - echo "[SecureBoot] WARNING: UKI verification uncertain" - return 0 + echo "[SecureBoot] ERROR: UKI signature verification FAILED" + return 1 fi } @@ -1055,8 +1055,11 @@ main() { KNEL_BUILD_MODE="production" log_info "Build mode: PRODUCTION (prompts for credentials during install)" fi - log_warn "Host FDE check: ${KNEL_BUILD_MODE} build on potentially unencrypted host" - log_warn "PRD FR-011 requires host FDE - proceeding with build anyway" + if ! check_host_fde; then + log_error "Host FDE check FAILED - cannot build on unencrypted host" + log_error "See PRD FR-011: Host FDE is MANDATORY" + exit 1 + fi echo "Building KNEL-Football secure ISO..." echo "ALL operations run inside Docker container" echo "Timezone: America/Chicago" @@ -1252,7 +1255,8 @@ echo "[SB] Verifying UKI signature..." if sbverify "$UKI_FILE" 2>&1 | grep -q "Signature verification"; then echo "[SB] UKI signature verified successfully" else - echo "[SB] WARNING: UKI signature verification uncertain" + echo "[SB] ERROR: UKI signature verification FAILED" + exit 1 fi # Copy keys to ISO for installation enrollment diff --git a/src/firewall-setup.sh b/src/firewall-setup.sh index a7844be..6815aad 100755 --- a/src/firewall-setup.sh +++ b/src/firewall-setup.sh @@ -32,7 +32,10 @@ table inet filter { chain input { type filter hook input priority 0; policy drop iif lo accept comment "Accept loopback" - icmp type echo-request accept comment "Accept ping" + ct state established,related accept comment "Accept established/related" + udp sport 67 udp dport 68 accept comment "Accept DHCP offers" + icmp type destination-unreachable accept + icmp type time-exceeded accept } chain forward { @@ -42,8 +45,11 @@ table inet filter { chain output { type filter hook output priority 0; policy drop oif lo accept comment "Accept loopback" + ct state established,related accept comment "Accept established/related" + udp dport 67 accept comment "Allow DHCP client requests" udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic" - icmp type echo-request accept comment "Allow ping" + oifname "wg*" accept comment "Allow VPN tunnel traffic" + icmp type destination-unreachable accept } } EOF diff --git a/src/security-hardening.sh b/src/security-hardening.sh index be29334..b5d5961 100755 --- a/src/security-hardening.sh +++ b/src/security-hardening.sh @@ -77,7 +77,7 @@ Host * ServerAliveCountMax 2 # Strict host key checking - StrictHostKeyChecking ask + StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF @@ -327,12 +327,26 @@ EOF apply_security_hardening() { echo "Applying security hardening..." - create_wifi_blacklist "${1:-}" - create_bluetooth_blacklist "${1:-}" - configure_ssh "${1:-}" - configure_password_policy "${1:-}" - configure_system_limits "${1:-}" - configure_audit_rules "${1:-}" + local output_dir="${1:-}" + if [[ -n "$output_dir" && "$output_dir" != "" ]]; then + mkdir -p "$output_dir" + create_wifi_blacklist "${output_dir}/blacklist-wifi.conf" + create_bluetooth_blacklist "${output_dir}/blacklist-bluetooth.conf" + configure_ssh_client "${output_dir}/ssh_config" + configure_password_policy "${output_dir}/pwquality.conf" + configure_system_limits "${output_dir}/security-limits.conf" + configure_fim "${output_dir}/aide.conf" + configure_audit_rules "${output_dir}/audit.rules" + else + create_wifi_blacklist + create_bluetooth_blacklist + configure_ssh_client + configure_password_policy + configure_system_limits + configure_fim + initialize_fim + configure_audit_rules + fi echo "Security hardening completed." echo "IMPORTANT: Run 'aideinit' to initialize file integrity database after installation" diff --git a/tests/unit/firewall-setup_comprehensive_test.bats b/tests/unit/firewall-setup_comprehensive_test.bats index 8865502..a05ecf7 100644 --- a/tests/unit/firewall-setup_comprehensive_test.bats +++ b/tests/unit/firewall-setup_comprehensive_test.bats @@ -91,10 +91,11 @@ EOF echo "$result" | grep -q "51820" } -@test "Firewall allows ICMP ping" { +@test "Firewall blocks outbound ICMP ping (reduced attack surface)" { source /workspace/src/firewall-setup.sh result=$(generate_nftables_rules "203.0.113.1:51820") - echo "$result" | grep -q "echo-request" + echo "$result" | grep -q "destination-unreachable" + ! echo "$result" | grep -q "echo-request accept" } @test "generate_nftables_rules extracts IP and port correctly" { diff --git a/tests/unit/firewall_test.bats b/tests/unit/firewall_test.bats index b75da97..9d77326 100644 --- a/tests/unit/firewall_test.bats +++ b/tests/unit/firewall_test.bats @@ -77,8 +77,9 @@ grep -q "oif lo accept" /workspace/src/firewall-setup.sh } -@test "firewall-setup.sh accepts ICMP ping" { - grep -q "icmp type echo-request accept" /workspace/src/firewall-setup.sh +@test "firewall-setup.sh blocks ICMP ping (security hardening)" { + ! grep -q "icmp type echo-request accept" /workspace/src/firewall-setup.sh + grep -q "destination-unreachable" /workspace/src/firewall-setup.sh } @test "firewall-setup.sh allows WireGuard traffic" { diff --git a/tests/unit/security-hardening_comprehensive_test.bats b/tests/unit/security-hardening_comprehensive_test.bats index 0342cee..7a09fe8 100644 --- a/tests/unit/security-hardening_comprehensive_test.bats +++ b/tests/unit/security-hardening_comprehensive_test.bats @@ -94,7 +94,7 @@ teardown() { @test "SSH client enables strict host key checking" { source /workspace/src/security-hardening.sh configure_ssh_client "$TEST_TMPDIR/ssh_config" - grep -q "StrictHostKeyChecking ask" "$TEST_TMPDIR/ssh_config" + grep -q "StrictHostKeyChecking yes" "$TEST_TMPDIR/ssh_config" } # =============================================================================