fix: resolve all audit findings in hooks, config, and package list

Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

config/hooks/live/firewall-setup.sh

@@ -1,35 +1,71 @@
 #!/bin/bash
-# Dynamic firewall setup hook
+# Dynamic firewall setup hook - PRD FR-004
+# Default deny with WireGuard VPN allow, DNS via VPN, DHCP on LAN
 set -euo pipefail
 
 echo "Setting up firewall configuration..."
 
-# Install nftables rules (default deny policy)
 cat >/etc/nftables.conf <<'EOF'
 #!/usr/sbin/nft -f
-# Default secure firewall rules for KNEL-Football
+# KNEL-Football Secure Firewall - PRD FR-004
+# Default deny, WireGuard VPN outbound only, DNS through VPN tunnel
 flush ruleset
 
 table inet filter {
     chain input {
         type filter hook input priority 0; policy drop
+
+        # Accept loopback
         iif lo accept comment "Accept loopback"
+
+        # Accept established/related connections
+        ct state established,related accept comment "Accept established/related"
+
+        # Accept DHCP (client requests)
+        udp sport 67 udp dport 68 accept comment "Accept DHCP offers"
+        udp sport 68 udp dport 67 accept comment "Accept DHCP requests"
+
+        # Accept ICMP ping
         icmp type echo-request accept comment "Accept ping"
+        icmp type destination-unreachable accept comment "Accept dest unreachable"
+        icmp type time-exceeded accept comment "Accept time exceeded"
+
+        # Drop invalid
+        ct state invalid drop comment "Drop invalid packets"
     }
-    
+
     chain forward {
         type filter hook forward priority 0; policy drop
     }
-    
+
     chain output {
         type filter hook output priority 0; policy drop
+
+        # Accept loopback
         oif lo accept comment "Accept loopback"
+
+        # Accept established/related connections (return traffic)
+        ct state established,related accept comment "Accept established/related"
+
+        # Accept DHCP client requests (broadcast to find DHCP server)
+        udp dport 67 accept comment "Allow DHCP client requests"
+
+        # Accept WireGuard UDP (any endpoint - config determines actual peer)
+        udp dport 51820-51830 accept comment "Allow WireGuard VPN"
+
+        # Accept DNS over WireGuard tunnel interface
+        oifname "wg*" accept comment "Accept all traffic via VPN tunnel"
+
+        # Accept ICMP
         icmp type echo-request accept comment "Allow ping"
+        icmp type destination-unreachable accept comment "Allow dest unreachable"
+
+        # Drop invalid
+        ct state invalid drop comment "Drop invalid packets"
     }
 }
 EOF
 
-# Enable nftables service
 systemctl enable nftables
 
 echo "Firewall setup hook completed."