fix: resolve remaining CRITICAL/HIGH/MEDIUM findings (batch 2)

Addresses C-01, C-03, C-04, M-03, M-06, L-01, L-05, L-07. Changes: - luks-kdf-configure.sh: Auto-attempt Argon2id conversion during installation instead of just creating a manual helper (C-01) - run.sh: Replace --privileged with fine-grained capabilities (SYS_ADMIN, MKNOD, NET_ADMIN, SYS_CHROOT, SETFCAP) (C-03) - run.sh: Restrict SB key directory to mode 700 and key files to mode 600 (C-04) - security-hardening.sh: Add PAM enforcement via common-password with enforce_for_root (M-03) - security-hardening.sh: Initialize AIDE database and create daily cron job for integrity checks (M-06) - sudo-hardening.sh: Use atomic install -m 600 instead of touch+chmod to avoid race condition (L-07) - preseed.cfg: Disable direct root login (L-01) - run.sh: Comment explaining KNEL_BUILD_MODE cannot be env-spoofed since it's set from command argument (L-05) All tests pass. Zero shellcheck warnings. STATUS.md updated with 22/28 findings resolved. 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:19:04 -05:00
parent 2b422cf62c
commit ae1344c57e
6 changed files with 140 additions and 48 deletions
--- a/config/hooks/live/security-hardening.sh
+++ b/config/hooks/live/security-hardening.sh
@@ -98,6 +98,16 @@ badwords = password secret admin root knel football tier0 12345 qwerty
 minclass = 3
 EOF

+# Enforce PAM password quality via common-password
+# Ensure pam_pwquality.so is the first password module with enforce_for_root
+if [ -f /etc/pam.d/common-password ]; then
+    if ! grep -q "pam_pwquality.so" /etc/pam.d/common-password 2>/dev/null; then
+        sed -i '/^password.*pam_unix.so/i password\trequisite\t\t\tpam_pwquality.so retry=3 enforce_for_root' /etc/pam.d/common-password
+    else
+        sed -i 's/pam_pwquality.so.*/pam_pwquality.so retry=3 enforce_for_root/' /etc/pam.d/common-password
+    fi
+fi
+
 # File Integrity Monitoring (AIDE) - CIS 1.4, FedRAMP AU-7, CMMC AU.3.059
 mkdir -p /etc/aide
 cat >/etc/aide/aide.conf <<'EOF'
@@ -192,4 +202,20 @@ EOF
 # Enable auditd service
 systemctl enable auditd

+# Initialize AIDE database
+if command -v aideinit >/dev/null 2>&1; then
+    aideinit --force 2>/dev/null || true
+fi
+
+# Create daily AIDE check cron job
+mkdir -p /etc/cron.daily
+cat > /etc/cron.daily/aide-check <<'AIDECRON'
+#!/bin/bash
+# Daily AIDE integrity check
+if command -v aide >/dev/null 2>&1; then
+    aide --check 2>&1 | logger -t aide-check
+fi
+AIDECRON
+chmod +x /etc/cron.daily/aide-check
+
 echo "Security hardening completed."
--- a/config/hooks/live/sudo-hardening.sh
+++ b/config/hooks/live/sudo-hardening.sh
@@ -53,8 +53,7 @@ If you did not intend to run a privileged command, press Ctrl+C now.
 ====================================================================
 EOF

-# Ensure sudo.log exists with correct permissions
-touch /var/log/sudo.log 2>/dev/null || true
-chmod 600 /var/log/sudo.log 2>/dev/null || true
+# Ensure sudo.log exists with correct permissions (atomic create)
+install -m 600 /dev/null /var/log/sudo.log 2>/dev/null || true

 echo "Sudo hardening completed."