KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport

Browse Source 
Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble - admin
2026-05-08 12:08:54 -05:00
parent e80725005f
commit 2b422cf62c
13 changed files with 199 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
config/hooks/installed/encryption-setup.sh
View File

@@ -31,7 +31,7 @@ EOF
if [ -f /etc/crypttab ]; then
echo "Verifying crypttab configuration..."
# Ensure crypttab has proper options
sed -i 's/luks$/luks,discard,cipher=aes-xts-plain64,key-size=512/g' /etc/crypttab
sed -i '/\/dev\/mapper\|^#/!s/\bluks\b/luks,discard,cipher=aes-xts-plain64,key-size=512/' /etc/crypttab
fi
# Configure initramfs to include necessary modules for decryption
@@ -99,8 +99,8 @@ Recovery Information:
Commands:
- Check encryption status: cryptsetup status cryptroot
- Add additional passphrase: cryptsetup luksAddKey /dev/sda3
- List key slots: cryptsetup luksDump /dev/sda3
- Add additional passphrase: cryptsetup luksAddKey $(find-luks-device.sh)
- List key slots: cryptsetup luksDump $(find-luks-device.sh)
WARNING: Losing the encryption passphrase will result in
permanent data loss. There is NO backdoor or recovery mechanism
@@ -138,11 +138,18 @@ for dev in /dev/mapper/*; do
done
echo ""
# Check LUKS container details
if [ -b /dev/sda3 ]; then
echo "LUKS Container Information:"
# Check LUKS container details (dynamic device discovery)
LUKS_DEV=""
for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
LUKS_DEV="$dev"
break
fi
done
if [ -n "$LUKS_DEV" ]; then
echo "LUKS Container Information ($LUKS_DEV):"
echo "---------------------------"
cryptsetup luksDump /dev/sda3 | head -20
cryptsetup luksDump "$LUKS_DEV" | head -20
echo ""
fi
@@ -160,6 +167,45 @@ EOF
chmod +x /usr/local/bin/check-encryption.sh
# Create LUKS device discovery helper
cat > /usr/local/bin/find-luks-device.sh <<'EOF'
#!/bin/bash
# Discover the LUKS encrypted partition dynamically
set -euo pipefail
# Method 1: Check crypttab for the root device
if [ -f /etc/crypttab ]; then
while read -r name device _ _; do
[ -z "$name" ] || [ "$name" = "#" ] && continue
if [ -b "$device" ] && cryptsetup isLuks "$device" 2>/dev/null; then
echo "$device"
exit 0
fi
done < /etc/crypttab
fi
# Method 2: Check common partition layouts
for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
echo "$dev"
exit 0
fi
done
# Method 3: Scan all partitions with lsblk
if command -v lsblk >/dev/null 2>&1; then
while read -r dev; do
if cryptsetup isLuks "$dev" 2>/dev/null; then
echo "$dev"
exit 0
fi
done < <(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1}')
fi
exit 1
EOF
chmod +x /usr/local/bin/find-luks-device.sh
# Create encryption key management script
cat > /usr/local/bin/manage-encryption-keys.sh <<'EOF'
#!/bin/bash
@@ -201,13 +247,23 @@ case $choice in
exit 1
fi
echo "$existing_pass" | cryptsetup luksAddKey /dev/sda3 <<< "$new_pass"
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
printf '%s\n' "$existing_pass" "$new_pass" | cryptsetup luksAddKey "$LUKS_DEV"
echo "New passphrase added successfully"
;;
2)
cryptsetup luksDump /dev/sda3 | grep "Key Slot"
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot"
read -p "Enter key slot to remove: " slot
cryptsetup luksKillSlot /dev/sda3 "$slot"
cryptsetup luksKillSlot "$LUKS_DEV" "$slot"
echo "Key slot removed successfully"
;;
3)
@@ -225,19 +281,37 @@ case $choice in
fi
# This is complex and requires careful handling
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
echo "This operation requires manual intervention"
echo "Please use: cryptsetup luksChangeKey /dev/sda3"
echo "Please use: cryptsetup luksChangeKey $LUKS_DEV"
;;
4)
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
echo "Active key slots:"
cryptsetup luksDump /dev/sda3 | grep "Key Slot" | grep "ENABLED"
cryptsetup luksDump "$LUKS_DEV" | grep "Key Slot" | grep "ENABLED"
;;
5)
echo "Generating recovery key..."
# Generate a strong random key
dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 > /var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt
chmod 600 /var/backups/keys/recovery_key_*.txt
echo "Recovery key generated and stored in /var/backups/keys/"
LUKS_DEV=$(/usr/local/bin/find-luks-device.sh)
if [ -z "$LUKS_DEV" ]; then
echo "ERROR: No LUKS device found"
exit 1
fi
KEY_FILE="/var/backups/keys/recovery_key_$(date +%Y%m%d_%H%M%S).txt"
dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 > "$KEY_FILE"
chmod 600 "$KEY_FILE"
echo "Recovery key generated: $KEY_FILE"
echo "To add this key to a LUKS slot:"
echo " cryptsetup luksAddKey $LUKS_DEV $KEY_FILE"
echo "WARNING: Store this key in a secure, offline location"
;;
0)

4
config/hooks/installed/install-scripts.sh
View File

@@ -218,7 +218,7 @@ EOF
# Create WireGuard configuration directory
mkdir -p /etc/wireguard
# Add football to appropriate groups
usermod -a -G sudo,audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true
# Add football to appropriate groups (NOT sudo - access via sudoers.d only)
usermod -a -G audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true
echo "Source scripts installed successfully."

61
config/hooks/installed/mount-hardening.sh
View File

@@ -5,46 +5,35 @@ set -euo pipefail
echo "Applying mount point hardening..."
# Create fstab security entries for temporary filesystems
# These are added via a systemd mount helper or tmpfiles.d
# since fstab is managed by the installer for the main partitions
FSTAB="/etc/fstab"
# Harden /tmp via tmpfiles.d (systemd-tmpfiles)
mkdir -p /etc/tmpfiles.d
# Ensure fstab exists
touch "$FSTAB"
cat >/etc/tmpfiles.d/knel-mount-hardening.conf <<'EOF'
# KNEL-Football Mount Hardening
# Ensure /tmp is mounted with nodev, nosuid, noexec
# This supplements the installer-created fstab
d /tmp 1777 root root 0d
EOF
# Add security mount options to fstab if entries exist
if [ -f /etc/fstab ]; then
# Harden /tmp if present
if grep -q '/tmp' /etc/fstab 2>/dev/null; then
sed -i '/\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
fi
# Harden /var/tmp if present
if grep -q '/var/tmp' /etc/fstab 2>/dev/null; then
sed -i '/\/var\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
fi
# Harden /home if present
if grep -q '/home' /etc/fstab 2>/dev/null; then
sed -i '/\/home/s/defaults/defaults,nodev,nosuid/' /etc/fstab 2>/dev/null || true
fi
# Harden /dev/shm if present
if grep -q '/dev/shm' /etc/fstab 2>/dev/null; then
sed -i '/\/dev\/shm/s/defaults/defaults,nodev,nosuid,noexec/' /etc/fstab 2>/dev/null || true
fi
# Harden /tmp if present in fstab, otherwise add tmpfs entry
if grep -q '/tmp' "$FSTAB" 2>/dev/null; then
sed -i '/\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true
else
echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> "$FSTAB"
fi
# If /tmp is NOT in fstab, add a tmpfs entry with hardening
if ! grep -q '/tmp' /etc/fstab 2>/dev/null; then
echo "tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec,size=2G 0 0" >> /etc/fstab
# Harden /var/tmp if present, otherwise add tmpfs entry
if grep -q '/var/tmp' "$FSTAB" 2>/dev/null; then
sed -i '/\/var\/tmp/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true
else
echo "tmpfs /var/tmp tmpfs defaults,nodev,nosuid,noexec,size=512M 0 0" >> "$FSTAB"
fi
# Harden /dev/shm if present, otherwise add tmpfs entry
if grep -q '/dev/shm' "$FSTAB" 2>/dev/null; then
sed -i '/\/dev\/shm/s/defaults/defaults,nodev,nosuid,noexec/' "$FSTAB" 2>/dev/null || true
else
echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec,size=512M 0 0" >> "$FSTAB"
fi
# Harden /home if it has its own partition
if grep -q '/home' "$FSTAB" 2>/dev/null; then
sed -i '/\/home/s/defaults/defaults,nodev,nosuid/' "$FSTAB" 2>/dev/null || true
fi
echo "Mount hardening completed."

8
config/hooks/live/firewall-setup.sh
View File

@@ -25,8 +25,7 @@ table inet filter {
udp sport 67 udp dport 68 accept comment "Accept DHCP offers"
udp sport 68 udp dport 67 accept comment "Accept DHCP requests"
# Accept ICMP ping
icmp type echo-request accept comment "Accept ping"
# Accept essential ICMP only
icmp type destination-unreachable accept comment "Accept dest unreachable"
icmp type time-exceeded accept comment "Accept time exceeded"
@@ -50,8 +49,9 @@ table inet filter {
# Accept DHCP client requests (broadcast to find DHCP server)
udp dport 67 accept comment "Allow DHCP client requests"
# Accept WireGuard UDP (any endpoint - config determines actual peer)
udp dport 51820-51830 accept comment "Allow WireGuard VPN"
# Accept WireGuard UDP (any endpoint - dynamic config determines actual peer)
# Once WireGuard is configured, firewall-setup.sh locks to specific endpoint
udp dport 51820 accept comment "Allow WireGuard VPN"
# Accept DNS over WireGuard tunnel interface
oifname "wg*" accept comment "Accept all traffic via VPN tunnel"

5
config/hooks/live/qr-code-import.sh
View File

@@ -21,9 +21,10 @@ if ! ls /dev/video* >/dev/null 2>&1; then
exit 1
fi
# Create temporary file for QR data
# Create temporary file for QR data with restricted permissions
qr_data=$(mktemp)
trap "rm -f $qr_data" EXIT
chmod 600 "$qr_data"
trap "rm -f \"$qr_data\"" EXIT
# Scan QR code
echo "Scanning QR code..."

28
config/hooks/live/security-hardening.sh
View File

@@ -11,15 +11,22 @@ cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF'
blacklist cfg80211
blacklist mac80211
blacklist brcmfmac
blacklist brcmsmac
blacklist brcm80211
blacklist iwlwifi
blacklist iwlmvm
blacklist ath9k
blacklist ath9k_htc
blacklist ath10k_pci
blacklist ath10k_sdio
blacklist ath11k_pci
blacklist ath11k_ahb
blacklist rtl8188ee
blacklist rtl8192ce
blacklist rtl8192se
blacklist rtl8723ae
blacklist rtl8821ae
blacklist rtl8xxxu
blacklist rt73usb
blacklist rt2800usb
blacklist rt2x00lib
@@ -27,6 +34,8 @@ blacklist rt2x00usb
blacklist mwifiex
blacklist mwifiex_pcie
blacklist mwifiex_sdio
blacklist r8188eu
blacklist r8723bs
EOF
# Bluetooth module blacklist
@@ -57,22 +66,15 @@ Host *
ConnectTimeout 30
ServerAliveInterval 300
ServerAliveCountMax 2
StrictHostKeyChecking ask
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
# SSH server config (defense-in-depth - sshd not installed per PRD FR-006)
cat >/etc/ssh/sshd_config <<'EOF'
# SSH Server Hardening (defense-in-depth)
# Reference: PRD FR-006 - Client-only system, sshd not installed
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
EOF
# SSH server is NOT installed per PRD FR-006
# Ensure no sshd_config exists to prevent accidental activation
rm -f /etc/ssh/sshd_config
touch /etc/ssh/sshd_config.disabled
echo "# SSH server disabled per PRD FR-006" > /etc/ssh/sshd_config.disabled
# Password policy - PRD FR-007, NIST SP 800-63B
mkdir -p /etc/security

17
config/hooks/live/usb-automount.sh
View File

@@ -23,20 +23,29 @@ DEVICE="/dev/${1}"
DEVICE_NAME="${1}"
MOUNT_BASE="/media/usb-${DEVICE_NAME}"
# Validate device name to prevent injection
if [[ ! "${DEVICE_NAME}" =~ ^[a-zA-Z0-9]+$ ]]; then
echo "Invalid device name" >&2
exit 1
fi
# Create mount point if it doesn't exist
mkdir -p "${MOUNT_BASE}"
# Determine filesystem type and mount with appropriate options
# PRD FR-008: noexec,nosuid,nodev mandatory for USB security
if blkid "${DEVICE}" | grep -q "TYPE=\"vfat\""; then
mount -t vfat -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}"
mount -t vfat -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}"
elif blkid "${DEVICE}" | grep -q "TYPE=\"ntfs\""; then
mount -t ntfs-3g -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}"
mount -t ntfs-3g -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}"
elif blkid "${DEVICE}" | grep -q "TYPE=\"ext4\""; then
mount -t ext4 -o rw "${DEVICE}" "${MOUNT_BASE}"
mount -t ext4 -o rw,noexec,nosuid,nodev "${DEVICE}" "${MOUNT_BASE}"
else
mount -t auto -o rw,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}"
mount -t auto -o rw,noexec,nosuid,nodev,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}"
fi
# Audit log USB mount event
logger -t usb-automount "USB device ${DEVICE} mounted at ${MOUNT_BASE} (noexec,nosuid,nodev)"
echo "USB device ${DEVICE} mounted at ${MOUNT_BASE}"
EOF