fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport
Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
@@ -25,8 +25,7 @@ table inet filter {
|
||||
udp sport 67 udp dport 68 accept comment "Accept DHCP offers"
|
||||
udp sport 68 udp dport 67 accept comment "Accept DHCP requests"
|
||||
|
||||
# Accept ICMP ping
|
||||
icmp type echo-request accept comment "Accept ping"
|
||||
# Accept essential ICMP only
|
||||
icmp type destination-unreachable accept comment "Accept dest unreachable"
|
||||
icmp type time-exceeded accept comment "Accept time exceeded"
|
||||
|
||||
@@ -50,8 +49,9 @@ table inet filter {
|
||||
# Accept DHCP client requests (broadcast to find DHCP server)
|
||||
udp dport 67 accept comment "Allow DHCP client requests"
|
||||
|
||||
# Accept WireGuard UDP (any endpoint - config determines actual peer)
|
||||
udp dport 51820-51830 accept comment "Allow WireGuard VPN"
|
||||
# Accept WireGuard UDP (any endpoint - dynamic config determines actual peer)
|
||||
# Once WireGuard is configured, firewall-setup.sh locks to specific endpoint
|
||||
udp dport 51820 accept comment "Allow WireGuard VPN"
|
||||
|
||||
# Accept DNS over WireGuard tunnel interface
|
||||
oifname "wg*" accept comment "Accept all traffic via VPN tunnel"
|
||||
|
||||
@@ -21,9 +21,10 @@ if ! ls /dev/video* >/dev/null 2>&1; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create temporary file for QR data
|
||||
# Create temporary file for QR data with restricted permissions
|
||||
qr_data=$(mktemp)
|
||||
trap "rm -f $qr_data" EXIT
|
||||
chmod 600 "$qr_data"
|
||||
trap "rm -f \"$qr_data\"" EXIT
|
||||
|
||||
# Scan QR code
|
||||
echo "Scanning QR code..."
|
||||
|
||||
@@ -11,15 +11,22 @@ cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF'
|
||||
blacklist cfg80211
|
||||
blacklist mac80211
|
||||
blacklist brcmfmac
|
||||
blacklist brcmsmac
|
||||
blacklist brcm80211
|
||||
blacklist iwlwifi
|
||||
blacklist iwlmvm
|
||||
blacklist ath9k
|
||||
blacklist ath9k_htc
|
||||
blacklist ath10k_pci
|
||||
blacklist ath10k_sdio
|
||||
blacklist ath11k_pci
|
||||
blacklist ath11k_ahb
|
||||
blacklist rtl8188ee
|
||||
blacklist rtl8192ce
|
||||
blacklist rtl8192se
|
||||
blacklist rtl8723ae
|
||||
blacklist rtl8821ae
|
||||
blacklist rtl8xxxu
|
||||
blacklist rt73usb
|
||||
blacklist rt2800usb
|
||||
blacklist rt2x00lib
|
||||
@@ -27,6 +34,8 @@ blacklist rt2x00usb
|
||||
blacklist mwifiex
|
||||
blacklist mwifiex_pcie
|
||||
blacklist mwifiex_sdio
|
||||
blacklist r8188eu
|
||||
blacklist r8723bs
|
||||
EOF
|
||||
|
||||
# Bluetooth module blacklist
|
||||
@@ -57,22 +66,15 @@ Host *
|
||||
ConnectTimeout 30
|
||||
ServerAliveInterval 300
|
||||
ServerAliveCountMax 2
|
||||
StrictHostKeyChecking ask
|
||||
StrictHostKeyChecking yes
|
||||
UserKnownHostsFile ~/.ssh/known_hosts
|
||||
EOF
|
||||
|
||||
# SSH server config (defense-in-depth - sshd not installed per PRD FR-006)
|
||||
cat >/etc/ssh/sshd_config <<'EOF'
|
||||
# SSH Server Hardening (defense-in-depth)
|
||||
# Reference: PRD FR-006 - Client-only system, sshd not installed
|
||||
Protocol 2
|
||||
PermitRootLogin no
|
||||
PermitEmptyPasswords no
|
||||
MaxAuthTries 3
|
||||
ClientAliveInterval 300
|
||||
ClientAliveCountMax 2
|
||||
X11Forwarding no
|
||||
EOF
|
||||
# SSH server is NOT installed per PRD FR-006
|
||||
# Ensure no sshd_config exists to prevent accidental activation
|
||||
rm -f /etc/ssh/sshd_config
|
||||
touch /etc/ssh/sshd_config.disabled
|
||||
echo "# SSH server disabled per PRD FR-006" > /etc/ssh/sshd_config.disabled
|
||||
|
||||
# Password policy - PRD FR-007, NIST SP 800-63B
|
||||
mkdir -p /etc/security
|
||||
|
||||
@@ -23,20 +23,29 @@ DEVICE="/dev/${1}"
|
||||
DEVICE_NAME="${1}"
|
||||
MOUNT_BASE="/media/usb-${DEVICE_NAME}"
|
||||
|
||||
# Validate device name to prevent injection
|
||||
if [[ ! "${DEVICE_NAME}" =~ ^[a-zA-Z0-9]+$ ]]; then
|
||||
echo "Invalid device name" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create mount point if it doesn't exist
|
||||
mkdir -p "${MOUNT_BASE}"
|
||||
|
||||
# Determine filesystem type and mount with appropriate options
|
||||
# PRD FR-008: noexec,nosuid,nodev mandatory for USB security
|
||||
if blkid "${DEVICE}" | grep -q "TYPE=\"vfat\""; then
|
||||
mount -t vfat -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}"
|
||||
mount -t vfat -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}"
|
||||
elif blkid "${DEVICE}" | grep -q "TYPE=\"ntfs\""; then
|
||||
mount -t ntfs-3g -o rw,uid=1000,gid=1000,dmask=000,fmask=111 "${DEVICE}" "${MOUNT_BASE}"
|
||||
mount -t ntfs-3g -o rw,noexec,nosuid,nodev,uid=1000,gid=1000,dmask=077,fmask=177 "${DEVICE}" "${MOUNT_BASE}"
|
||||
elif blkid "${DEVICE}" | grep -q "TYPE=\"ext4\""; then
|
||||
mount -t ext4 -o rw "${DEVICE}" "${MOUNT_BASE}"
|
||||
mount -t ext4 -o rw,noexec,nosuid,nodev "${DEVICE}" "${MOUNT_BASE}"
|
||||
else
|
||||
mount -t auto -o rw,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}"
|
||||
mount -t auto -o rw,noexec,nosuid,nodev,uid=1000,gid=1000 "${DEVICE}" "${MOUNT_BASE}"
|
||||
fi
|
||||
|
||||
# Audit log USB mount event
|
||||
logger -t usb-automount "USB device ${DEVICE} mounted at ${MOUNT_BASE} (noexec,nosuid,nodev)"
|
||||
echo "USB device ${DEVICE} mounted at ${MOUNT_BASE}"
|
||||
EOF
|
||||
|
||||
|
||||
Reference in New Issue
Block a user