fix: resolve all audit findings in hooks, config, and package list

Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

config/hooks/installed/install-scripts.sh

@@ -32,6 +32,8 @@ table inet filter {
     chain input {
         type filter hook input priority 0; policy drop
         iif lo accept comment "Accept loopback"
+        ct state established,related accept comment "Accept established/related"
+        udp sport 67 udp dport 68 accept comment "Accept DHCP"
         icmp type echo-request accept comment "Accept ping"
     }
     chain forward {
@@ -40,7 +42,10 @@ table inet filter {
     chain output {
         type filter hook output priority 0; policy drop
         oif lo accept comment "Accept loopback"
+        ct state established,related accept comment "Accept established/related"
+        udp dport 67 accept comment "Allow DHCP"
         udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
+        oifname "wg*" accept comment "Allow VPN tunnel traffic"
         icmp type echo-request accept comment "Allow ping"
     }
 }
@@ -79,6 +84,8 @@ chmod +x /usr/local/bin/firewall-setup.sh
 # Install security-hardening script (embedded)
 cat >/usr/local/bin/security-hardening.sh <<'HARDENING_SCRIPT'
 #!/bin/bash
+# KNEL-Football Security Hardening Utility (installed system)
+# Re-applies security hardening or checks current status
 set -euo pipefail
 
 check_encryption_status() {
@@ -87,14 +94,57 @@ check_encryption_status() {
     for dev in /dev/mapper/*; do
       if [ -e "$dev" ]; then
         echo "Encrypted device: $dev"
+        cryptsetup status "$dev" 2>/dev/null | head -5 || true
       fi
     done
+  else
+    echo "WARNING: cryptsetup not found"
   fi
 }
 
+check_kernel_hardening() {
+  echo "Checking kernel hardening..."
+  local params="kernel.randomize_va_space kernel.yama.ptrace_scope kernel.kptr_restrict kernel.dmesg_restrict"
+  for param in $params; do
+    local val
+    val=$(sysctl -n "$param" 2>/dev/null || echo "N/A")
+    echo "  $param = $val"
+  done
+}
+
+check_firewall() {
+  echo "Checking firewall status..."
+  if command -v nft >/dev/null 2>&1; then
+    nft list ruleset 2>/dev/null | head -20 || echo "  No nftables rules loaded"
+  else
+    echo "  WARNING: nft not found"
+  fi
+}
+
+check_services() {
+  echo "Checking disabled services..."
+  for svc in avahi-daemon cups bluetooth ModemManager; do
+    if systemctl is-enabled "$svc" 2>/dev/null | grep -q "masked\|disabled"; then
+      echo "  $svc: DISABLED (OK)"
+    else
+      echo "  $svc: WARNING - may be enabled"
+    fi
+  done
+}
+
 main() {
   echo "KNEL-Football Security Hardening Utility"
+  echo "========================================="
+  echo ""
   check_encryption_status
+  echo ""
+  check_kernel_hardening
+  echo ""
+  check_firewall
+  echo ""
+  check_services
+  echo ""
+  echo "Security check completed."
 }
 
 if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then