diff --git a/src/build-iso.sh b/src/build-iso.sh
new file mode 100755
index 0000000..36012a8
--- /dev/null
+++ b/src/build-iso.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+# Main ISO build script
+set -euo pipefail
+
+# Configuration variables
+readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+readonly OUTPUT_DIR="${PROJECT_ROOT}/output"
+readonly CONFIG_DIR="${PROJECT_ROOT}/config"
+
+# Function to validate environment
+validate_environment() {
+ echo "Validating build environment..."
+
+ # Check for required tools
+ local required_tools=("lb" "debootstrap" "mksquashfs")
+ for tool in "${required_tools[@]}"; do
+ if ! command -v "$tool" > /dev/null 2>&1; then
+ echo "Error: Required tool '$tool' not found"
+ exit 1
+ fi
+ done
+
+ # Verify configuration directory
+ if [[ ! -d "$CONFIG_DIR" ]]; then
+ echo "Error: Configuration directory not found at $CONFIG_DIR"
+ exit 1
+ fi
+
+ echo "Environment validation successful."
+}
+
+# Function to prepare build environment
+prepare_build() {
+ echo "Preparing build environment..."
+
+ # Create output directory
+ mkdir -p "$OUTPUT_DIR"
+
+ # Initialize live-build configuration
+ lb clean --purge
+ lb config
+
+ echo "Build environment prepared."
+}
+
+# Function to build ISO
+build_iso() {
+ echo "Building secure Debian ISO..."
+
+ # Execute live-build
+ lb build
+
+ # Move output files to output directory
+ if [[ -f "binary.hybrid.iso" ]]; then
+ mv "binary.hybrid.iso" "${OUTPUT_DIR}/knel-football.iso"
+ else
+ echo "Error: ISO file not generated"
+ exit 1
+ fi
+
+ # Generate checksum
+ cd "$OUTPUT_DIR"
+ sha256sum "knel-football.iso" > "knel-football.iso.sha256"
+ cd - > /dev/null
+
+ echo "ISO build completed successfully."
+ echo "Output: ${OUTPUT_DIR}/knel-football.iso"
+}
+
+# Main execution
+main() {
+ echo "Starting KNEL-Football secure ISO build..."
+
+ validate_environment
+ prepare_build
+ build_iso
+
+ echo "Build process completed successfully!"
+}
+
+main "$@"
\ No newline at end of file
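Review bot: CONFIG_DIR is checked in validate_environment but never used, and `lb clean --purge`, `lb config` and `lb build` all run in whatever directory the script was invoked from, so both the live-build configuration that gets picked up and the `binary.hybrid.iso` that build_iso looks for depend on the caller's cwd rather than on PROJECT_ROOT. A `cd "$PROJECT_ROOT" || exit 1` at the top of prepare_build (or pointing lb at the validated config tree) would pin this down. The `readonly SCRIPT_DIR="$(cd … && pwd)"` form also masks the exit status of the substitution (ShellCheck SC2155): a failed `cd` silently yields an empty SCRIPT_DIR under `set -e`, and every later path is then derived from it; split it into `SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` followed by `readonly SCRIPT_DIR`. The `echo "Error: …"` lines go to stdout and would benefit from `>&2` so they are not mixed into captured build output.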
diff --git a/src/firewall-setup.sh b/src/firewall-setup.sh
new file mode 100755
index 0000000..89f4454
--- /dev/null
+++ b/src/firewall-setup.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# Dynamic firewall setup script
+set -euo pipefail
+
+# Function to parse WireGuard endpoint
+parse_wg_endpoint() {
+ local wg_config="${1:-/etc/wireguard/wg0.conf}"
+
+ if [[ ! -f "$wg_config" ]]; then
+ echo "Error: WireGuard config not found at $wg_config"
+ return 1
+ fi
+
+ grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
+ echo "Error: Could not parse endpoint from WireGuard config"
+ return 1
+ }
+}
+
+# Function to generate nftables rules
+generate_nftables_rules() {
+ local endpoint="$1"
+ local ip="${endpoint%:*}"
+ local port="${endpoint#*:}"
+
+ cat << EOF
+#!/usr/sbin/nft -f
+# Secure firewall rules for WireGuard-only access
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop
+ iif lo accept comment "Accept loopback"
+ icmp type echo-request accept comment "Accept ping"
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop
+ }
+
+ chain output {
+ type filter hook output priority 0; policy drop
+ oif lo accept comment "Accept loopback"
+ udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
+ icmp type echo-request accept comment "Allow ping"
+ }
+}
+EOF
+}
+
+# Function to apply firewall configuration
+apply_firewall() {
+ local wg_config="${1:-/etc/wireguard/wg0.conf}"
+
+ if [[ -f "$wg_config" ]]; then
+ endpoint=$(parse_wg_endpoint "$wg_config")
+ if [[ -n "$endpoint" ]]; then
+ generate_nftables_rules "$endpoint" > /etc/nftables.conf
+ systemctl enable nftables
+ systemctl restart nftables
+ echo "Firewall configured for endpoint: $endpoint"
+ else
+ echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
+ fi
+ else
+ echo "Warning: WireGuard config not found, using default deny policy"
+ fi
+}
+
+# Main setup
+main() {
+ echo "Setting up dynamic firewall..."
+ apply_firewall
+ echo "Firewall setup completed."
+}
+
+# Run main if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+ main "$@"
+fi
\ No newline at end of file
diff --git a/src/security-hardening.sh b/src/security-hardening.sh
new file mode 100755
index 0000000..155ed34
--- /dev/null
+++ b/src/security-hardening.sh
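Review bot: Both fallback branches in apply_firewall print "using default deny policy" but write nothing to /etc/nftables.conf, so whatever ruleset was installed before stays active; and since `endpoint=$(parse_wg_endpoint "$wg_config")` runs under `set -e`, a parse failure aborts the script before the inner else branch is reached, so that branch is unreachable anyway. The rewrite below lets the parse failure fall through and installs an explicit deny ruleset whenever no endpoint is available (parse_wg_endpoint's error echos should also go `>&2`, otherwise on a grep miss they would be captured into `endpoint`). Separately, the generated input chain has no `ct state established,related accept`, so the peer's UDP replies to the WireGuard handshake are dropped by the input policy, and no chain accepts traffic on the wg0 interface itself, which the "WireGuard-only access" comment seems to intend. `udp dport "$port" ip daddr "$ip"` also emits the values wrapped in literal double quotes; I would confirm nft accepts those as a port number and address before relying on it.
```shell
apply_firewall() {
  local wg_config="${1:-/etc/wireguard/wg0.conf}"
  local endpoint=""

  if [[ -f "$wg_config" ]]; then
    # a parse failure must not abort under set -e; it falls through to the deny ruleset
    endpoint=$(parse_wg_endpoint "$wg_config") || endpoint=""
  else
    echo "Warning: WireGuard config not found, using default deny policy" >&2
  fi

  if [[ -n "$endpoint" ]]; then
    generate_nftables_rules "$endpoint" > /etc/nftables.conf
    echo "Firewall configured for endpoint: $endpoint"
  else
    # actually install a deny-all ruleset instead of leaving the previous /etc/nftables.conf in place
    printf '%s\n' 'flush ruleset' 'table inet filter {' \
      '  chain input { type filter hook input priority 0; policy drop; iif lo accept }' \
      '  chain forward { type filter hook forward priority 0; policy drop }' \
      '  chain output { type filter hook output priority 0; policy drop; oif lo accept }' \
      '}' > /etc/nftables.conf
    echo "Warning: no usable WireGuard endpoint, installed default deny policy" >&2
  fi

  systemctl enable nftables
  systemctl restart nftables
}
```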
@@ -0,0 +1,135 @@
+#!/bin/bash
+# Security hardening script
+set -euo pipefail
+
+# Function to create WiFi module blacklist
+create_wifi_blacklist() {
+ local output_file="${1:-/etc/modprobe.d/blacklist-wifi.conf}"
+
+ cat > "$output_file" << 'EOF'
+# WiFi module blacklisting
+blacklist cfg80211
+blacklist mac80211
+blacklist brcmfmac
+blacklist iwlwifi
+blacklist ath9k
+blacklist rt73usb
+EOF
+
+ echo "WiFi blacklist created at $output_file"
+}
+
+# Function to create Bluetooth module blacklist
+create_bluetooth_blacklist() {
+ local output_file="${1:-/etc/modprobe.d/blacklist-bluetooth.conf}"
+
+ cat > "$output_file" << 'EOF'
+# Bluetooth module blacklisting
+blacklist btusb
+blacklist bluetooth
+blacklist btrtl
+blacklist btintel
+blacklist btbcm
+EOF
+
+ echo "Bluetooth blacklist created at $output_file"
+}
+
+# Function to configure SSH
+configure_ssh() {
+ local output_file="${1:-/etc/ssh/sshd_config}"
+
+ cat > "$output_file" << 'EOF'
+# SSH Security Configuration
+Protocol 2
+PermitRootLogin no
+PasswordAuthentication yes
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding no
+MaxAuthTries 3
+ClientAliveInterval 300
+ClientAliveCountMax 2
+EOF
+
+ echo "SSH configuration created at $output_file"
+}
+
+# Function to configure password policy
+configure_password_policy() {
+ local output_file="${1:-/etc/security/pwquality.conf}"
+
+ cat > "$output_file" << 'EOF'
+# Password quality requirements
+minlen = 14
+dcredit = -1
+ucredit = -1
+lcredit = -1
+ocredit = -1
+difok = 4
+maxrepeat = 3
+usercheck = 1
+dictcheck = 1
+EOF
+
+ echo "Password policy configured at $output_file"
+}
+
+# Function to configure system limits
+configure_system_limits() {
+ local output_file="${1:-/etc/security/limits.d/security.conf}"
+
+ cat > "$output_file" << 'EOF'
+# System security limits
+* hard core 0
+* soft nproc 1024
+* hard nproc 2048
+EOF
+
+ echo "System limits configured at $output_file"
+}
+
+# Function to configure audit rules
+configure_audit_rules() {
+ local output_file="${1:-/etc/audit/rules.d/audit.rules}"
+
+ cat > "$output_file" << 'EOF'
+# Audit rules for security compliance
+-w /etc/passwd -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/sudoers -p wa -k identity
+-w /etc/ssh/sshd_config -p wa -k sshd_config
+-w /var/log/audit/ -p wa -k log_audit
+-w /var/log/secure -p wa -k log_secure
+-w /etc/wireguard/ -p wa -k wireguard_config
+EOF
+
+ echo "Audit rules configured at $output_file"
+}
+
+# Function to apply all security configurations
+apply_security_hardening() {
+ echo "Applying security hardening..."
+
+ create_wifi_blacklist
+ create_bluetooth_blacklist
+ configure_ssh
+ configure_password_policy
+ configure_system_limits
+ configure_audit_rules
+
+ echo "Security hardening completed."
+}
+
+# Main execution
+main() {
+ echo "Starting KNEL-Football security hardening..."
+ apply_security_hardening
+ echo "Security hardening completed successfully!"
+}
+
+# Run main if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+ main "$@"
+fi
\ No newline at end of file
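Review bot: configure_ssh writes `PasswordAuthentication yes` into a file headed "SSH Security Configuration" while `PubkeyAuthentication yes` is already enabled, so password guessing against every account stays possible and MaxAuthTries is the only brake; for a key-only hardened image the line should read `PasswordAuthentication no`, with `KbdInteractiveAuthentication no` next to the older `ChallengeResponseAuthentication` alias for newer OpenSSH. The `cat > "$output_file"` also replaces the whole distribution sshd_config, discarding whatever it contained (on recent Debian typically `Subsystem sftp`, `UsePAM` and the `Include /etc/ssh/sshd_config.d/*.conf` line); writing a drop-in under sshd_config.d, or at least running `sshd -t -f "$output_file"` before leaving the new file in place, would avoid shipping a config that fails to load and locks operators out. The same overwrite-without-validation pattern is used by the other five writers in this hunk, so a bad write to pwquality.conf or limits.d goes unnoticed until login. The audit rule `-w /var/log/secure` looks like a RHEL path; on a Debian live-build image the equivalent is usually /var/log/auth.log, worth confirming for the target.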