fix: resolve critical build bugs and add missing PRD requirements
Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
reachableceo
@@ -1,34 +1,191 @@
|
||||
#!/bin/bash
|
||||
# Security hardening hook for live system
|
||||
# Security hardening hook for live system (self-contained)
|
||||
# Reference: PRD FR-005, FR-006, FR-007
|
||||
set -euo pipefail
|
||||
|
||||
echo "Applying security hardening..."
|
||||
|
||||
# Apply security hardening functions from proper volume path
|
||||
# Note: Source path exists at build time in Docker container
|
||||
# shellcheck disable=SC1091
|
||||
source /build/src/security-hardening.sh
|
||||
# WiFi module blacklist
|
||||
cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF'
|
||||
# WiFi module blacklisting - PRD FR-005
|
||||
blacklist cfg80211
|
||||
blacklist mac80211
|
||||
blacklist brcmfmac
|
||||
blacklist iwlwifi
|
||||
blacklist ath9k
|
||||
blacklist ath9k_htc
|
||||
blacklist ath10k_pci
|
||||
blacklist rtl8188ee
|
||||
blacklist rtl8192ce
|
||||
blacklist rtl8192se
|
||||
blacklist rtl8723ae
|
||||
blacklist rtl8821ae
|
||||
blacklist rt73usb
|
||||
blacklist rt2800usb
|
||||
blacklist rt2x00lib
|
||||
blacklist rt2x00usb
|
||||
blacklist mwifiex
|
||||
blacklist mwifiex_pcie
|
||||
blacklist mwifiex_sdio
|
||||
EOF
|
||||
|
||||
# Create WiFi module blacklist
|
||||
create_wifi_blacklist
|
||||
# Bluetooth module blacklist
|
||||
cat >/etc/modprobe.d/blacklist-bluetooth.conf <<'EOF'
|
||||
# Bluetooth module blacklisting - PRD FR-005
|
||||
blacklist btusb
|
||||
blacklist bluetooth
|
||||
blacklist btrtl
|
||||
blacklist btintel
|
||||
blacklist btbcm
|
||||
blacklist bnep
|
||||
blacklist rfcomm
|
||||
blacklist hidp
|
||||
EOF
|
||||
|
||||
# Create Bluetooth module blacklist
|
||||
create_bluetooth_blacklist
|
||||
# SSH client configuration (client only - no server per PRD FR-006)
|
||||
mkdir -p /etc/ssh
|
||||
cat >/etc/ssh/ssh_config <<'EOF'
|
||||
# SSH Client Configuration
|
||||
# Reference: PRD FR-006 - Client-only, no inbound SSH services
|
||||
|
||||
# Configure SSH client (client only - no server per security requirements)
|
||||
configure_ssh_client
|
||||
Host *
|
||||
PasswordAuthentication no
|
||||
PubkeyAuthentication yes
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
ConnectTimeout 30
|
||||
ServerAliveInterval 300
|
||||
ServerAliveCountMax 2
|
||||
StrictHostKeyChecking ask
|
||||
UserKnownHostsFile ~/.ssh/known_hosts
|
||||
EOF
|
||||
|
||||
# Configure password policy
|
||||
configure_password_policy
|
||||
# SSH server config (defense-in-depth - sshd not installed per PRD FR-006)
|
||||
cat >/etc/ssh/sshd_config <<'EOF'
|
||||
# SSH Server Hardening (defense-in-depth)
|
||||
# Reference: PRD FR-006 - Client-only system, sshd not installed
|
||||
Protocol 2
|
||||
PermitRootLogin no
|
||||
PermitEmptyPasswords no
|
||||
MaxAuthTries 3
|
||||
ClientAliveInterval 300
|
||||
ClientAliveCountMax 2
|
||||
X11Forwarding no
|
||||
EOF
|
||||
|
||||
# Configure File Integrity Monitoring (AIDE)
|
||||
configure_fim
|
||||
# Password policy - PRD FR-007, NIST SP 800-63B
|
||||
mkdir -p /etc/security
|
||||
cat >/etc/security/pwquality.conf <<'EOF'
|
||||
# KNEL-Football Password Quality Requirements
|
||||
# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
|
||||
minlen = 14
|
||||
dcredit = -1
|
||||
ucredit = -1
|
||||
lcredit = -1
|
||||
ocredit = -1
|
||||
difok = 4
|
||||
maxrepeat = 2
|
||||
maxclassrepeat = 2
|
||||
maxsequence = 2
|
||||
usercheck = 1
|
||||
dictcheck = 1
|
||||
gecoscheck = 1
|
||||
enforcing = 1
|
||||
badwords = password secret admin root knel football tier0 12345 qwerty
|
||||
minclass = 3
|
||||
EOF
|
||||
|
||||
# Configure system limits
|
||||
configure_system_limits
|
||||
# File Integrity Monitoring (AIDE) - CIS 1.4, FedRAMP AU-7, CMMC AU.3.059
|
||||
mkdir -p /etc/aide
|
||||
cat >/etc/aide/aide.conf <<'EOF'
|
||||
# AIDE Configuration - CIS/FedRAMP/CMMC Compliance
|
||||
database_out=file:/var/lib/aide/aide.db.new
|
||||
database=file:/var/lib/aide/aide.db
|
||||
report_url=stdout
|
||||
SECURITY = p+u+g+s+m+c+md5+sha256+sha512
|
||||
/etc SECURITY
|
||||
/boot SECURITY
|
||||
/usr SECURITY
|
||||
/bin SECURITY
|
||||
/sbin SECURITY
|
||||
/lib SECURITY
|
||||
/lib64 SECURITY
|
||||
/etc/ssh SECURITY
|
||||
/etc/wireguard SECURITY
|
||||
/etc/security SECURITY
|
||||
/etc/audit SECURITY
|
||||
/etc/modprobe.d SECURITY
|
||||
/etc/nftables.conf SECURITY
|
||||
/etc/sudoers SECURITY
|
||||
/etc/sudoers.d SECURITY
|
||||
/etc/pam.d SECURITY
|
||||
!/proc
|
||||
!/sys
|
||||
!/dev
|
||||
!/run
|
||||
!/tmp
|
||||
!/var/log
|
||||
!/var/cache
|
||||
!/var/lib/aide
|
||||
!/var/tmp
|
||||
EOF
|
||||
|
||||
# Configure audit rules
|
||||
configure_audit_rules
|
||||
# System resource limits
|
||||
mkdir -p /etc/security/limits.d
|
||||
cat >/etc/security/limits.d/security.conf <<'EOF'
|
||||
* hard core 0
|
||||
* soft nproc 1024
|
||||
* hard nproc 2048
|
||||
EOF
|
||||
|
||||
# Audit rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042
|
||||
mkdir -p /etc/audit/rules.d
|
||||
cat >/etc/audit/rules.d/audit.rules <<'EOF'
|
||||
# Comprehensive Audit Rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/gshadow -p wa -k identity
|
||||
-w /etc/sudoers -p wa -k privilege_escalation
|
||||
-w /etc/sudoers.d/ -p wa -k privilege_escalation
|
||||
-w /etc/pam.d/ -p wa -k authentication
|
||||
-w /etc/security/ -p wa -k authentication
|
||||
-w /etc/login.defs -p wa -k authentication
|
||||
-w /var/log/faillog -p wa -k authentication
|
||||
-w /var/log/lastlog -p wa -k authentication
|
||||
-w /var/log/tallylog -p wa -k authentication
|
||||
-w /etc/network/ -p wa -k network_config
|
||||
-w /etc/hosts -p wa -k network_config
|
||||
-w /etc/hostname -p wa -k network_config
|
||||
-w /etc/resolv.conf -p wa -k network_config
|
||||
-w /etc/nftables.conf -p wa -k firewall
|
||||
-w /etc/wireguard/ -p wa -k wireguard_config
|
||||
-w /etc/ssh/ssh_config -p wa -k ssh_config
|
||||
-w /etc/fstab -p wa -k filesystem
|
||||
-w /etc/crypttab -p wa -k encryption
|
||||
-w /etc/modprobe.d/ -p wa -k kernel_modules
|
||||
-w /etc/sysctl.conf -p wa -k kernel_parameters
|
||||
-w /etc/sysctl.d/ -p wa -k kernel_parameters
|
||||
-w /boot/ -p wa -k boot_config
|
||||
-w /efi/ -p wa -k boot_config
|
||||
-w /etc/default/grub -p wa -k boot_config
|
||||
-w /etc/grub.d/ -p wa -k boot_config
|
||||
-w /etc/audit/ -p wa -k audit_config
|
||||
-w /var/log/audit/ -p wa -k audit_logs
|
||||
-w /etc/chrony/ -p wa -k time_sync
|
||||
-w /etc/ntp.conf -p wa -k time_sync
|
||||
-w /usr/bin/sudo -p x -k privilege_escalation
|
||||
-w /usr/bin/su -p x -k privilege_escalation
|
||||
-w /usr/bin/passwd -p x -k password_change
|
||||
-w /usr/bin/chsh -p x -k user_modification
|
||||
-w /usr/bin/usermod -p x -k user_modification
|
||||
-w /var/run/utmp -p wa -k session
|
||||
-w /var/log/wtmp -p wa -k session
|
||||
-w /var/log/btmp -p wa -k session
|
||||
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
|
||||
-w /var/lib/aide/ -p wa -k file_integrity
|
||||
EOF
|
||||
|
||||
# Enable auditd service
|
||||
systemctl enable auditd
|
||||
|
||||
Reference in New Issue
Block a user