fix: resolve all audit findings in hooks, config, and package list
Security/Functional Fixes: - firewall-setup.sh: Added WireGuard allow, established/related, DHCP (was blocking ALL outbound including VPN - system was non-functional) - disable-package-management.sh: Preserve /var/lib/dpkg/ for queries (was destroying dpkg database with rm -rf) - encryption-validation.sh: Fixed inverted motd conditional (was creating file only if it already existed - backwards) - kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only) Changed user.max_user_namespaces from 0 to 100 - sudo-hardening.sh: Removed Defaults requiretty (was breaking GUI-launched sudo via pkexec) - encryption-setup.sh: Fixed conflicting stdin in luksAddKey - install-scripts.sh: Fixed embedded firewall (same WireGuard bug) Replaced gutted security-hardening stub with real status checker - GRUB config: Fixed serial_console → serial (invalid terminal name) - Package list: Removed audispd-plugins (deprecated in Debian 13), removed duplicate wireguard/wireguard-tools entries Reference: Full audit findings from Session 7 JOURNAL.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
reachableceo
@@ -27,9 +27,6 @@ kernel.dmesg_restrict = 1
|
||||
# Restrict unprivileged use of BPF
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
|
||||
# Enable ExecShield-like protection
|
||||
kernel.exec-shield = 1
|
||||
|
||||
# Restrict kernel profiling
|
||||
kernel.perf_event_paranoid = 3
|
||||
|
||||
@@ -40,7 +37,7 @@ kernel.kexec_load = 0
|
||||
dev.tty.ldisc_autoload = 0
|
||||
|
||||
# Restrict user namespaces
|
||||
user.max_user_namespaces = 0
|
||||
user.max_user_namespaces = 100
|
||||
|
||||
# Disable core dumps for SUID binaries
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
Reference in New Issue
Block a user