feat: Add core build scripts

- Add build-iso.sh with validation and build functions - Add firewall-setup.sh with dynamic nftables configuration - Add security-hardening.sh with comprehensive hardening functions - All scripts follow strict mode and are executable These provide the core functionality for the secure ISO build process. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 10:24:11 -05:00
parent 01d1921dcf
commit ca08f9a259
3 changed files with 298 additions and 0 deletions
--- a/src/security-hardening.sh
+++ b/src/security-hardening.sh
@@ -0,0 +1,135 @@
+#!/bin/bash
+# Security hardening script
+set -euo pipefail
+
+# Function to create WiFi module blacklist
+create_wifi_blacklist() {
+    local output_file="${1:-/etc/modprobe.d/blacklist-wifi.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# WiFi module blacklisting
+blacklist cfg80211
+blacklist mac80211
+blacklist brcmfmac
+blacklist iwlwifi
+blacklist ath9k
+blacklist rt73usb
+EOF
+    
+    echo "WiFi blacklist created at $output_file"
+}
+
+# Function to create Bluetooth module blacklist
+create_bluetooth_blacklist() {
+    local output_file="${1:-/etc/modprobe.d/blacklist-bluetooth.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# Bluetooth module blacklisting
+blacklist btusb
+blacklist bluetooth
+blacklist btrtl
+blacklist btintel
+blacklist btbcm
+EOF
+    
+    echo "Bluetooth blacklist created at $output_file"
+}
+
+# Function to configure SSH
+configure_ssh() {
+    local output_file="${1:-/etc/ssh/sshd_config}"
+    
+    cat > "$output_file" << 'EOF'
+# SSH Security Configuration
+Protocol 2
+PermitRootLogin no
+PasswordAuthentication yes
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding no
+MaxAuthTries 3
+ClientAliveInterval 300
+ClientAliveCountMax 2
+EOF
+    
+    echo "SSH configuration created at $output_file"
+}
+
+# Function to configure password policy
+configure_password_policy() {
+    local output_file="${1:-/etc/security/pwquality.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# Password quality requirements
+minlen = 14
+dcredit = -1
+ucredit = -1
+lcredit = -1
+ocredit = -1
+difok = 4
+maxrepeat = 3
+usercheck = 1
+dictcheck = 1
+EOF
+    
+    echo "Password policy configured at $output_file"
+}
+
+# Function to configure system limits
+configure_system_limits() {
+    local output_file="${1:-/etc/security/limits.d/security.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# System security limits
+* hard core 0
+* soft nproc 1024
+* hard nproc 2048
+EOF
+    
+    echo "System limits configured at $output_file"
+}
+
+# Function to configure audit rules
+configure_audit_rules() {
+    local output_file="${1:-/etc/audit/rules.d/audit.rules}"
+    
+    cat > "$output_file" << 'EOF'
+# Audit rules for security compliance
+-w /etc/passwd -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/sudoers -p wa -k identity
+-w /etc/ssh/sshd_config -p wa -k sshd_config
+-w /var/log/audit/ -p wa -k log_audit
+-w /var/log/secure -p wa -k log_secure
+-w /etc/wireguard/ -p wa -k wireguard_config
+EOF
+    
+    echo "Audit rules configured at $output_file"
+}
+
+# Function to apply all security configurations
+apply_security_hardening() {
+    echo "Applying security hardening..."
+    
+    create_wifi_blacklist
+    create_bluetooth_blacklist
+    configure_ssh
+    configure_password_policy
+    configure_system_limits
+    configure_audit_rules
+    
+    echo "Security hardening completed."
+}
+
+# Main execution
+main() {
+    echo "Starting KNEL-Football security hardening..."
+    apply_security_hardening
+    echo "Security hardening completed successfully!"
+}
+
+# Run main if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi