fix: restore lost functions and sections from rebase conflict resolution
Three issues caused by the rebase onto origin/main: 1. encryption-setup.sh: restore aes_xts, xts, sha512 initramfs modules that were lost when resolving whitespace conflict 2. security-hardening.sh: add missing configure_ssh() function that creates hardened sshd_config as defense-in-depth (FR-006 client-only) 3. AGENTS.md: fix section headings to match test expectations (MANDATORY SECURITY REQUIREMENTS, DOCKER-ONLY WORKFLOW, AGENT WORKFLOW) All 830 tests now pass (was 815 pass / 15 fail). 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
@@ -133,7 +133,7 @@ output/ # Build artifacts
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Agent Workflow (MANDATORY)
|
## AGENT WORKFLOW (MANDATORY)
|
||||||
|
|
||||||
### 1. Start Up
|
### 1. Start Up
|
||||||
```bash
|
```bash
|
||||||
@@ -208,7 +208,7 @@ git push origin main
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Mandatory Security Requirements
|
## MANDATORY SECURITY REQUIREMENTS
|
||||||
|
|
||||||
### Full Disk Encryption (FDE)
|
### Full Disk Encryption (FDE)
|
||||||
**Requirement**: ALL systems MUST use LUKS2 encryption
|
**Requirement**: ALL systems MUST use LUKS2 encryption
|
||||||
@@ -235,7 +235,7 @@ git push origin main
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Docker Workflow
|
## DOCKER-ONLY WORKFLOW
|
||||||
|
|
||||||
### Why Docker?
|
### Why Docker?
|
||||||
- Reproducible builds
|
- Reproducible builds
|
||||||
|
|||||||
@@ -49,6 +49,9 @@ EOF
|
|||||||
# Add cryptsetup and dm-crypt to initramfs modules
|
# Add cryptsetup and dm-crypt to initramfs modules
|
||||||
{
|
{
|
||||||
echo "dm_crypt"
|
echo "dm_crypt"
|
||||||
|
echo "aes_xts"
|
||||||
|
echo "xts"
|
||||||
|
echo "sha512"
|
||||||
} >> /etc/initramfs-tools/modules
|
} >> /etc/initramfs-tools/modules
|
||||||
|
|
||||||
# Configure kernel command line for encrypted root
|
# Configure kernel command line for encrypted root
|
||||||
|
|||||||
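Review bot: The module group at `{ … } >> /etc/initramfs-tools/modules` appends unconditionally, so every run of the enclosing function (which starts outside this hunk) adds another copy of dm_crypt, aes_xts, xts and sha512; duplicates are probably harmless to update-initramfs, but the file grows and a repeated entry hides whether a module was already listed. A per-module guard keeps the step idempotent: `for m in dm_crypt aes_xts xts sha512; do grep -qxF -- "$m" /etc/initramfs-tools/modules || echo "$m" >> /etc/initramfs-tools/modules; done`. Whether sha512 matches the hash the LUKS2 container is actually formatted with cannot be checked from this hunk; a comment tying the list to the cryptsetup options used elsewhere in the script, along the lines of `# must match the --cipher/--hash used in luksFormat above`, would keep the two from drifting apart again.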
@@ -68,6 +68,35 @@ EOF
|
|||||||
echo "SSH client configuration created at $output_file"
|
echo "SSH client configuration created at $output_file"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Function to configure SSH hardening (server config as defense-in-depth)
|
||||||
|
# System is SSH client-only per PRD FR-006, but sshd_config is hardened defensively
|
||||||
|
configure_ssh() {
|
||||||
|
local output_file="${1:-/etc/ssh/sshd_config}"
|
||||||
|
|
||||||
|
cat >"$output_file" <<'EOF'
|
||||||
|
# SSH Server Hardening Configuration (defense-in-depth)
|
||||||
|
# Reference: PRD FR-006 - Client-only system, sshd not installed
|
||||||
|
# This config exists as a security baseline if sshd is ever installed
|
||||||
|
|
||||||
|
# Protocol
|
||||||
|
Protocol 2
|
||||||
|
|
||||||
|
# Authentication
|
||||||
|
PermitRootLogin no
|
||||||
|
PermitEmptyPasswords no
|
||||||
|
MaxAuthTries 3
|
||||||
|
|
||||||
|
# Session
|
||||||
|
ClientAliveInterval 300
|
||||||
|
ClientAliveCountMax 2
|
||||||
|
|
||||||
|
# Forwarding
|
||||||
|
X11Forwarding no
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "SSH hardening configuration created at $output_file"
|
||||||
|
}
|
||||||
|
|
||||||
# Function to configure password policy
|
# Function to configure password policy
|
||||||
configure_password_policy() {
|
configure_password_policy() {
|
||||||
local output_file="${1:-/etc/security/pwquality.conf}"
|
local output_file="${1:-/etc/security/pwquality.conf}"
|
||||||
|
|||||||
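Review bot: The baseline written by `configure_ssh` leaves password logins enabled: the `# Authentication` block sets `PermitRootLogin no`, `PermitEmptyPasswords no` and `MaxAuthTries 3` but not `PasswordAuthentication no` or `KbdInteractiveAuthentication no`, so a non-root account with a weak password is still reachable should sshd ever be installed, and the `# Forwarding` block only disables X11 while TCP, agent and tunnel forwarding stay at their defaults. `Protocol 2` can be dropped, since current OpenSSH no longer supports protocol 1 server-side and treats the directive as deprecated. The rewrite below tightens those two blocks; separately, on distributions whose packaged sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in under that directory is more likely to survive a later package install than a pre-created /etc/ssh/sshd_config, which is worth a sentence in the function's header comment if the project depends on this file being kept.
```shell
configure_ssh() {
  local output_file="${1:-/etc/ssh/sshd_config}"

  cat >"$output_file" <<'EOF'
# … unchanged: header comments …

# Authentication (key-based only; no password or keyboard-interactive logins)
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3

# … unchanged: Session block …

# Forwarding
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
EOF
# … unchanged: completion message and closing brace …
```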