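#!/bin/bash
# Security hardening hook for live system (self-contained)
# Reference: PRD FR-005, FR-006, FR-007
#
# Writes the hardening configuration below (module blacklists, SSH client
# config, password policy, AIDE, resource limits, audit rules) and enables
# auditd. Every step is unconditional, so re-running the hook rewrites the
# same files with the same content.
#
# Requires: root (everything lives under /etc) and systemd with an installed
#   auditd unit, otherwise the final step fails.
# Exit status: 0 on success; non-zero on the first failing step (set -e / die).
set -euo pipefail

# The files written here are read by unprivileged processes (PAM, modprobe,
# the SSH client), so they must not inherit a stricter umask and come out
# unreadable. Files that need a tighter mode get an explicit chmod below.
umask 022

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'security-hardening: %s\n' "$*" >&2
  exit 1
}

#######################################
# Write stdin (a heredoc) to a file with an explicit mode, creating the
# parent directory if needed.
# Arguments: $1 - octal mode, $2 - destination path
# Outputs:   creates/overwrites $2
#######################################
write_file() {
  local mode=$1 dest=$2
  mkdir -p -- "${dest%/*}"
  cat > "$dest"
  chmod -- "$mode" "$dest"
}

# Heredoc bodies below stay at column 0 on purpose: their text is the exact
# file content, and indenting it would change the files.

#######################################
# Blacklist WiFi and Bluetooth kernel modules - PRD FR-005.
# Outputs: /etc/modprobe.d/blacklist-wifi.conf, blacklist-bluetooth.conf
#######################################
blacklist_wireless_modules() {
  write_file 0644 /etc/modprobe.d/blacklist-wifi.conf <<'EOF'
# WiFi module blacklisting - PRD FR-005
blacklist cfg80211
blacklist mac80211
blacklist brcmfmac
blacklist brcmsmac
blacklist brcm80211
blacklist iwlwifi
blacklist iwlmvm
blacklist ath9k
blacklist ath9k_htc
blacklist ath10k_pci
blacklist ath10k_sdio
blacklist ath11k_pci
blacklist ath11k_ahb
blacklist rtl8188ee
blacklist rtl8192ce
blacklist rtl8192se
blacklist rtl8723ae
blacklist rtl8821ae
blacklist rtl8xxxu
blacklist rt73usb
blacklist rt2800usb
blacklist rt2x00lib
blacklist rt2x00usb
blacklist mwifiex
blacklist mwifiex_pcie
blacklist mwifiex_sdio
blacklist r8188eu
blacklist r8723bs
EOF

  write_file 0644 /etc/modprobe.d/blacklist-bluetooth.conf <<'EOF'
# Bluetooth module blacklisting - PRD FR-005
blacklist btusb
blacklist bluetooth
blacklist btrtl
blacklist btintel
blacklist btbcm
blacklist bnep
blacklist rfcomm
blacklist hidp
EOF
}

#######################################
# SSH client configuration (client only - no server per PRD FR-006).
# Outputs: /etc/ssh/ssh_config
#######################################
configure_ssh_client() {
  write_file 0644 /etc/ssh/ssh_config <<'EOF'
# SSH Client Configuration
# Reference: PRD FR-006 - Client-only, no inbound SSH services
Host *
    PasswordAuthentication no
    PubkeyAuthentication yes
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    ConnectTimeout 30
    ServerAliveInterval 300
    ServerAliveCountMax 2
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
EOF
}

#######################################
# Make sure no sshd_config exists so nothing can start a daemon from it,
# and leave a marker file explaining why - PRD FR-006.
# NOTE(review): this only removes the file; if openssh-server were ever
# installed, its package scripts would regenerate sshd_config - confirm the
# image build really excludes the package.
# Outputs: removes /etc/ssh/sshd_config, writes /etc/ssh/sshd_config.disabled
#######################################
disable_ssh_server() {
  rm -f -- /etc/ssh/sshd_config
  write_file 0644 /etc/ssh/sshd_config.disabled <<'EOF'
# SSH server disabled per PRD FR-006
EOF
}

#######################################
# Password policy - PRD FR-007, NIST SP 800-63B.
# NOTE(review): NIST SP 800-63B discourages composition rules (the *credit
# and minclass lines) while the CIS benchmark asks for them; the two cited
# references pull in different directions - confirm which one governs.
# Outputs: /etc/security/pwquality.conf
#######################################
configure_password_policy() {
  write_file 0644 /etc/security/pwquality.conf <<'EOF'
# KNEL-Football Password Quality Requirements
# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
difok = 4
maxrepeat = 2
maxclassrepeat = 2
maxsequence = 2
usercheck = 1
dictcheck = 1
gecoscheck = 1
enforcing = 1
badwords = password secret admin root knel football tier0 12345 qwerty
minclass = 3
EOF
}

#######################################
# File Integrity Monitoring (AIDE) - CIS 1.4, FedRAMP AU-7, CMMC AU.3.059.
# NOTE(review): newer AIDE releases renamed the `database` key to
# `database_in`; confirm the image's AIDE version still accepts the old key.
# Outputs: /etc/aide/aide.conf
#######################################
configure_aide() {
  write_file 0644 /etc/aide/aide.conf <<'EOF'
# AIDE Configuration - CIS/FedRAMP/CMMC Compliance
database_out=file:/var/lib/aide/aide.db.new
database=file:/var/lib/aide/aide.db
report_url=stdout
SECURITY = p+u+g+s+m+c+md5+sha256+sha512
/etc SECURITY
/boot SECURITY
/usr SECURITY
/bin SECURITY
/sbin SECURITY
/lib SECURITY
/lib64 SECURITY
/etc/ssh SECURITY
/etc/wireguard SECURITY
/etc/security SECURITY
/etc/audit SECURITY
/etc/modprobe.d SECURITY
/etc/nftables.conf SECURITY
/etc/sudoers SECURITY
/etc/sudoers.d SECURITY
/etc/pam.d SECURITY
!/proc
!/sys
!/dev
!/run
!/tmp
!/var/log
!/var/cache
!/var/lib/aide
!/var/tmp
EOF
}

#######################################
# System resource limits: no core dumps, bounded process count.
# Outputs: /etc/security/limits.d/security.conf
#######################################
configure_resource_limits() {
  write_file 0644 /etc/security/limits.d/security.conf <<'EOF'
* hard core 0
* soft nproc 1024
* hard nproc 2048
EOF
}

#######################################
# Audit rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042.
# The rules file is written 0640 (root only) as CIS requires for audit
# configuration; the default 0644 would let any local user read the
# watch list.
# NOTE(review): `-w /efi/` is not a standard mount point on Debian (the ESP
# is usually /boot/efi) - confirm against the image layout. The rules also
# set no backlog (-b) and do not lock the configuration (-e 2); decide
# whether the live image wants those.
# Outputs: /etc/audit/rules.d/audit.rules
#######################################
configure_audit_rules() {
  write_file 0640 /etc/audit/rules.d/audit.rules <<'EOF'
# Comprehensive Audit Rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
-w /etc/pam.d/ -p wa -k authentication
-w /etc/security/ -p wa -k authentication
-w /etc/login.defs -p wa -k authentication
-w /var/log/faillog -p wa -k authentication
-w /var/log/lastlog -p wa -k authentication
-w /var/log/tallylog -p wa -k authentication
-w /etc/network/ -p wa -k network_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k network_config
-w /etc/resolv.conf -p wa -k network_config
-w /etc/nftables.conf -p wa -k firewall
-w /etc/wireguard/ -p wa -k wireguard_config
-w /etc/ssh/ssh_config -p wa -k ssh_config
-w /etc/fstab -p wa -k filesystem
-w /etc/crypttab -p wa -k encryption
-w /etc/modprobe.d/ -p wa -k kernel_modules
-w /etc/sysctl.conf -p wa -k kernel_parameters
-w /etc/sysctl.d/ -p wa -k kernel_parameters
-w /boot/ -p wa -k boot_config
-w /efi/ -p wa -k boot_config
-w /etc/default/grub -p wa -k boot_config
-w /etc/grub.d/ -p wa -k boot_config
-w /etc/audit/ -p wa -k audit_config
-w /var/log/audit/ -p wa -k audit_logs
-w /etc/chrony/ -p wa -k time_sync
-w /etc/ntp.conf -p wa -k time_sync
-w /usr/bin/sudo -p x -k privilege_escalation
-w /usr/bin/su -p x -k privilege_escalation
-w /usr/bin/passwd -p x -k password_change
-w /usr/bin/chsh -p x -k user_modification
-w /usr/bin/usermod -p x -k user_modification
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
-w /var/lib/aide/ -p wa -k file_integrity
EOF
}

#######################################
# Enable the auditd service. Without it the rules above are never loaded,
# so a missing unit is reported explicitly instead of as a bare set -e abort.
#######################################
enable_auditd() {
  systemctl enable auditd || die "could not enable auditd (is the auditd unit installed?)"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  echo "Applying security hardening..."
  blacklist_wireless_modules
  configure_ssh_client
  disable_ssh_server
  configure_password_policy
  configure_aide
  configure_resource_limits
  configure_audit_rules
  enable_auditd
  echo "Security hardening completed."
}

main "$@"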