diff --git a/AGENTS.md b/AGENTS.md
index d500574..a674656 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -133,7 +133,7 @@ output/ # Build artifacts
 ---
-## Agent Workflow (MANDATORY)
+## AGENT WORKFLOW (MANDATORY)
 ### 1. Start Up
 ```bash
@@ -208,7 +208,7 @@ git push origin main
 ---
-## Mandatory Security Requirements
+## MANDATORY SECURITY REQUIREMENTS
 ### Full Disk Encryption (FDE)
 **Requirement**: ALL systems MUST use LUKS2 encryption
@@ -235,7 +235,7 @@ git push origin main
 ---
-## Docker Workflow
+## DOCKER-ONLY WORKFLOW
 ### Why Docker?
 - Reproducible builds
diff --git a/config/hooks/installed/encryption-setup.sh b/config/hooks/installed/encryption-setup.sh
index 0ebc00d..50fe0ed 100755
--- a/config/hooks/installed/encryption-setup.sh
+++ b/config/hooks/installed/encryption-setup.sh
@@ -49,6 +49,9 @@ EOF
 # Add cryptsetup and dm-crypt to initramfs modules
 {
 echo "dm_crypt"
+ echo "aes_xts"
+ echo "xts"
+ echo "sha512"
 } >> /etc/initramfs-tools/modules
 # Configure kernel command line for encrypted root
diff --git a/src/security-hardening.sh b/src/security-hardening.sh
index ce3b015..74760eb 100755
--- a/src/security-hardening.sh
+++ b/src/security-hardening.sh
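Review bot: The three module names added inside the brace group need checking against the target kernel's module tree before the list is relied on: `xts` and `sha512` should resolve (the latter through the `sha512_generic` alias), but `aes_xts` does not look like a Linux module name — AES providers are named along the lines of `aes_generic`/`aesni_intel`, and `xts` is the mode template already listed on the next line — and initramfs-tools only warns about a name it cannot find, so the mistake would surface as an encrypted root that fails to unlock at boot rather than at build time. Whether `sha512` is even the hash the root needs depends on the `cryptsetup luksFormat` options, which are outside this hunk (LUKS2 defaults to sha256); the rest of the hook is likewise outside the hunk. The comment above the group, `# Add cryptsetup and dm-crypt to initramfs modules`, now undersells what is written; `# Add dm-crypt plus the cipher, mode and hash modules the LUKS2 root needs to the initramfs` fits. Because the group uses `>>`, every run of the hook appends the four names again; `for m in dm_crypt aes_xts xts sha512; do grep -qxF -- "$m" /etc/initramfs-tools/modules || echo "$m" >> /etc/initramfs-tools/modules; done` keeps the file idempotent.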
@@ -68,6 +68,35 @@ EOF
 echo "SSH client configuration created at $output_file"
 }
+# Function to configure SSH hardening (server config as defense-in-depth)
+# System is SSH client-only per PRD FR-006, but sshd_config is hardened defensively
+configure_ssh() {
+ local output_file="${1:-/etc/ssh/sshd_config}"
+
+ cat >"$output_file" <<'EOF'
+# SSH Server Hardening Configuration (defense-in-depth)
+# Reference: PRD FR-006 - Client-only system, sshd not installed
+# This config exists as a security baseline if sshd is ever installed
+
+# Protocol
+Protocol 2
+
+# Authentication
+PermitRootLogin no
+PermitEmptyPasswords no
+MaxAuthTries 3
+
+# Session
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+# Forwarding
+X11Forwarding no
+EOF
+
+ echo "SSH hardening configuration created at $output_file"
+}
+
 # Function to configure password policy
 configure_password_policy() {
 local output_file="${1:-/etc/security/pwquality.conf}"
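Review bot: The heredoc's `# Authentication` section never sets `PasswordAuthentication`, so the written sshd_config keeps OpenSSH's default of accepting password logins and only rules out root and empty passwords; for a baseline on a system that is meant to have no sshd at all, `PasswordAuthentication no` is the line that makes `MaxAuthTries 3` worth having. Under `# Forwarding` only X11 is turned off, whereas `AllowTcpForwarding no` and `AllowAgentForwarding no` are what the "client-only" role stated in the header comment implies. `Protocol 2` is accepted but ignored by OpenSSH since 7.4, which removed server-side protocol 1, so it documents nothing and can be dropped. Because `cat >"$output_file"` replaces the whole file, any distro-shipped sshd_config (its `Include` of sshd_config.d, `Subsystem sftp`, `UsePAM`) is discarded; if the script is not guaranteed to run on a fresh image, a drop-in under /etc/ssh/sshd_config.d/ would be the safer place for a baseline — I cannot tell from the hunk which case applies. configure_ssh is complete within the hunk.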