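#!/bin/bash
# Post-installation hardening script for football system
#
# Configures a strict host firewall (WireGuard-only traffic on the uplink
# interface), removes remote-access services, and applies a subset of the
# CIS Debian Benchmark plus CMMC/FedRAMP-oriented controls.
#
# Usage (as root):
#   WG_ENDPOINT_IP=203.0.113.5 WG_ENDPOINT_PORT=51820 WAN_IF=enp0s3 ./harden.sh
#
# Environment:
#   WG_ENDPOINT_IP    WireGuard peer address allowed on the uplink (default 192.0.2.1)
#   WG_ENDPOINT_PORT  WireGuard peer UDP port (default 51820)
#   WAN_IF            physical uplink interface (default eth0). Debian uses
#                     predictable names (enp*, ens*), so set this explicitly:
#                     with an OUTPUT DROP policy a wrong name leaves the host
#                     with loopback only.
#
# Files expected to be provisioned beforehand (not created here):
#   /etc/pam.d/common-password-cis, /etc/sysctl.d/99-cis-hardening.conf,
#   /etc/audit/rules.d/*.rules, the sudoers entries for the wheel group.
#
# Most package-dependent steps are best-effort (`|| true`) so a missing
# package does not abort the run; the steps that decide the security posture
# (firewall, shadow permissions, sudoers validity) are checked explicitly.
set -euo pipefail

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
warn() { printf 'WARNING: %s\n' "$*" >&2; }

# Every step below needs root; fail early instead of half-applying.
[ "$(id -u)" -eq 0 ] || die "this script must run as root"

echo "Applying CIS Benchmark and CMMC/FedRAMP hardening..."

# ============================================================================
# DISABLE AND REMOVE ALL REMOTE ACCESS SERVICES
# ============================================================================
for svc in ssh sshd telnet rsh; do
  systemctl disable "$svc" 2>/dev/null || true
  # mask as well so a later package install cannot silently re-enable it
  systemctl mask "$svc" 2>/dev/null || true
done
apt-get purge -y openssh-server telnetd rsh-server 2>/dev/null || true

# ============================================================================
# STRICT FIREWALL RULES - WireGuard ONLY
# ============================================================================
WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"
WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"
WAN_IF="${WAN_IF:-eth0}"

# /sys may not be populated when this runs inside an installer chroot, so
# only warn; but on a live system a missing interface means no network.
if [ -d /sys/class/net ] && [ ! -d "/sys/class/net/$WAN_IF" ]; then
  warn "uplink interface '$WAN_IF' not present; set WAN_IF or the host will have no connectivity"
fi

echo "Configuring strict firewall: only WireGuard to $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT allowed on $WAN_IF"

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Only the WireGuard handshake/transport to the configured peer on the uplink
iptables -A OUTPUT -o "$WAN_IF" -d "$WG_ENDPOINT_IP" -p udp --dport "$WG_ENDPOINT_PORT" \
  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -s "$WG_ENDPOINT_IP" -p udp --sport "$WG_ENDPOINT_PORT" \
  -m conntrack --ctstate ESTABLISHED -j ACCEPT

# All application traffic goes through the tunnel
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT

# DHCP on the uplink.
# NOTE(review): dhclient/systemd-networkd use raw sockets for the initial
# lease exchange, so these rules mostly matter for unicast renewals —
# confirm lease acquisition on the target before relying on them.
iptables -A OUTPUT -o "$WAN_IF" -p udp --dport 67 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -p udp --sport 67 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Save rules
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4

# IPv6 - block everything except loopback
ip6tables -F 2>/dev/null || true
ip6tables -X 2>/dev/null || true
ip6tables -P INPUT DROP 2>/dev/null || true
ip6tables -P FORWARD DROP 2>/dev/null || true
ip6tables -P OUTPUT DROP 2>/dev/null || true
ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null || true
ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null || true
ip6tables-save > /etc/iptables/rules.v6 2>/dev/null || true

# The saved rule sets are only restored at boot by netfilter-persistent
# (iptables-persistent package). Without it the kernel comes up with the
# default ACCEPT policy and the "WireGuard only" posture is gone after the
# first reboot, so make that gap loud.
if systemctl list-unit-files netfilter-persistent.service 2>/dev/null | grep -q '^netfilter-persistent'; then
  systemctl enable netfilter-persistent 2>/dev/null || true
else
  warn "netfilter-persistent not installed: /etc/iptables/rules.v* will NOT be restored at boot"
fi

# ============================================================================
# CIS BENCHMARK: ACCOUNT AND ACCESS CONTROL
# ============================================================================
echo "Applying CIS Benchmark account and access controls..."

# Remove unnecessary accounts
for user in games news uucp; do
  userdel -r "$user" 2>/dev/null || true
done

# Lock system accounts
for user in daemon bin sys sync man lp mail; do
  usermod -L "$user" 2>/dev/null || true
done

# Ensure only wheel group can use sudo (the sudoers entry itself is
# provisioned elsewhere; this only guarantees the group exists)
groupadd wheel 2>/dev/null || true

# ============================================================================
# CIS BENCHMARK: SYSTEM CONFIGURATION
# ============================================================================
# Configure PAM with CIS password policy (only if the prepared stack exists)
if [ -f /etc/pam.d/common-password-cis ]; then
  echo "Configuring PAM with CIS password policies..."
  cp /etc/pam.d/common-password-cis /etc/pam.d/common-password
else
  warn "/etc/pam.d/common-password-cis missing: password policy NOT applied"
fi

# Configure faillock for account lockout.
# NOTE(review): this only takes effect if pam_faillock is in common-auth,
# which this script does not verify.
cat > /etc/security/faillock.conf << 'EOF'
deny = 5
unlock_time = 900
even_deny_root
root_unlock_time = 900
EOF

# ============================================================================
# CIS BENCHMARK: KERNEL HARDENING
# ============================================================================
echo "Applying kernel hardening parameters..."
if [ -f /etc/sysctl.d/99-cis-hardening.conf ]; then
  # The file is also applied at boot by systemd-sysctl; a failure here
  # (e.g. no /proc/sys in a chroot) should not abort the rest of the run.
  sysctl -p /etc/sysctl.d/99-cis-hardening.conf || warn "sysctl could not apply 99-cis-hardening.conf now"
else
  warn "/etc/sysctl.d/99-cis-hardening.conf missing: kernel hardening parameters NOT applied"
fi

# Blacklist unneeded kernel modules. modprobe.d syntax has no glob support
# and treats non-directive lines as errors, so only comments and explicit
# module names go here (the old 'sound-slot*' entry was never valid).
cat > /etc/modprobe.d/disable-autoload.conf << 'EOF'
# Disable unneeded kernel modules (CIS)
blacklist snd-pcspkr
blacklist pcspkr
EOF

# ============================================================================
# CIS BENCHMARK: FILE SYSTEM SECURITY
# ============================================================================
echo "Applying file system security..."

# Set secure permissions on critical files.
# /etc/shadow and /etc/gshadow hold password hashes and must never be
# world-readable (CIS: 0640 root:shadow on Debian); passwd/group are
# public by design.
chmod 700 /root
chmod 755 /etc
chown root:root /etc/passwd /etc/group
chmod 644 /etc/passwd /etc/group
chown root:shadow /etc/shadow /etc/gshadow 2>/dev/null || chown root:root /etc/shadow /etc/gshadow
chmod 640 /etc/shadow /etc/gshadow

# Set sticky bit on the standard temp directories
find /tmp /var/tmp -type d -exec chmod a+t {} + 2>/dev/null || true

# Walk only local filesystems (skips /proc, /sys, network mounts) and do
# not cross mount points within a walk.
mapfile -t local_mounts < <(df --local -P 2>/dev/null | awk 'NR > 1 {print $6}')
[ "${#local_mounts[@]}" -gt 0 ] || local_mounts=(/)
for mnt in "${local_mounts[@]}"; do
  # Remove world-writable permission from regular files
  find "$mnt" -xdev -type f -perm -0002 -exec chmod o-w {} + 2>/dev/null || true
  # World-writable directories (/tmp, /var/tmp, /dev/shm, ...) are writable by
  # design; the CIS control is that they carry the sticky bit. Stripping o+w
  # from them, as an earlier version did, broke every unprivileged process.
  find "$mnt" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod a+t {} + 2>/dev/null || true
done

# Remove SUID/SGID from unnecessary binaries (modern Debian ping uses file
# capabilities, so this is harmless where the bit is already absent)
chmod a-s /bin/ping 2>/dev/null || true
chmod a-s /bin/ping6 2>/dev/null || true

# ============================================================================
# CIS BENCHMARK: AUDIT CONFIGURATION
# ============================================================================
echo "Configuring audit system..."
if [ -d /etc/audit/rules.d ]; then
  # Apply CIS audit rules
  augenrules --load 2>/dev/null || true
  # Ensure auditd is enabled and running
  systemctl enable auditd 2>/dev/null || true
fi

# ============================================================================
# CIS BENCHMARK: LOGGING CONFIGURATION
# ============================================================================
echo "Configuring logging..."

# Ensure log directories exist
mkdir -p /var/log/audit /var/log/sudo
chmod 750 /var/log/audit /var/log/sudo

# Ensure rsyslog is enabled
systemctl enable rsyslog 2>/dev/null || true

# Configure fail2ban. Only an existing jail.local is replaced; with SSH
# removed there is nothing for the sshd jail to watch, so it stays off.
if [ -f /etc/fail2ban/jail.local ]; then
  cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
destemail = root
sender = fail2ban@football.local
action = %(action_)s

[sshd]
enabled = false
EOF
fi

# ============================================================================
# CIS BENCHMARK: NETWORK CONFIGURATION
# ============================================================================
echo "Applying network security configuration..."

# Disable network filesystem mounts
cat > /etc/modprobe.d/no-network-fs.conf << 'EOF'
install nfs /bin/true
install nfs4 /bin/true
install cifs /bin/true
install smbfs /bin/true
EOF

# Disable Bluetooth (comment lines must start with '#' for modprobe)
cat > /etc/modprobe.d/disable-bluetooth.conf << 'EOF'
# disable bluetooth
install bluetooth /bin/true
install btusb /bin/true
EOF
systemctl disable bluetooth 2>/dev/null || true
systemctl mask bluetooth 2>/dev/null || true

# Disable wireless
cat > /etc/modprobe.d/disable-wireless.conf << 'EOF'
# disable wireless
install cfg80211 /bin/true
install mac80211 /bin/true
EOF

# ============================================================================
# CIS BENCHMARK: SUDO CONFIGURATION
# ============================================================================
echo "Configuring sudo..."

# Secure sudo configuration
chmod 0440 /etc/sudoers
find /etc/sudoers.d -maxdepth 1 -type f -exec chmod 0440 {} + 2>/dev/null || true

# sudo parses every file in /etc/sudoers.d; an earlier version of this
# script wrote the free-text lecture there, which is a syntax error that
# disables sudo entirely. Remove such a leftover if it does not validate.
if [ -f /etc/sudoers.d/lecture ] && command -v visudo >/dev/null 2>&1 \
  && ! visudo -cf /etc/sudoers.d/lecture >/dev/null 2>&1; then
  rm -f /etc/sudoers.d/lecture
fi

# The lecture text lives outside sudoers.d and is referenced via a Defaults
# entry that is validated with visudo before it is left in place.
cat > /etc/sudo_lecture << 'EOF'
Use sudo only for necessary administrative tasks.
All sudo actions are logged and audited.
Unauthorized use will result in disciplinary action.
EOF
chmod 0644 /etc/sudo_lecture
cat > /etc/sudoers.d/90-lecture << 'EOF'
Defaults lecture_file="/etc/sudo_lecture"
EOF
chmod 0440 /etc/sudoers.d/90-lecture
if command -v visudo >/dev/null 2>&1; then
  visudo -cf /etc/sudoers.d/90-lecture >/dev/null \
    || { rm -f /etc/sudoers.d/90-lecture; die "sudoers drop-in failed validation"; }
fi

# ============================================================================
# CIS BENCHMARK: SYSTEM ISSUE CONFIGURATION
# ============================================================================
cat > /etc/issue << 'EOF'
Football Secure Access System
No remote access is permitted on this system.
Local console access only.
All network traffic must pass through WireGuard VPN.
WARNING: All actions are logged and monitored.
EOF

cat > /etc/issue.net << 'EOF'
WARNING: Remote access is disabled on this system.
Local console access only.
EOF

# ============================================================================
# CIS BENCHMARK: SECURE UMASK
# ============================================================================
echo "Setting secure umask..."
# Append once only, so re-running the script does not pile up duplicates
for rc in /etc/profile /etc/bash.bashrc; do
  grep -qxF 'umask 077' "$rc" 2>/dev/null || echo "umask 077" >> "$rc"
done

# ============================================================================
# CIS BENCHMARK: CORE DUMP DISABLING
# ============================================================================
# Use a limits.d drop-in rather than overwriting limits.conf wholesale
mkdir -p /etc/security/limits.d
cat > /etc/security/limits.d/99-disable-coredumps.conf << 'EOF'
* hard core 0
* soft core 0
EOF

# Disable core dumps in kernel configuration (suid_dumpable per CIS 1.5.x)
cat > /etc/sysctl.d/99-disable-coredumps.conf << 'EOF'
kernel.core_pattern = |/bin/false
fs.suid_dumpable = 0
EOF
sysctl -p /etc/sysctl.d/99-disable-coredumps.conf || warn "sysctl could not apply 99-disable-coredumps.conf now"

# ============================================================================
# CIS BENCHMARK: FILE INTEGRITY MONITORING (AIDE)
# ============================================================================
echo "Configuring file integrity monitoring..."
if command -v aide >/dev/null 2>&1; then
  # Initialize AIDE database
  aide --init || true
  mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db 2>/dev/null || true

  # Create AIDE check service. aide --check exits non-zero exactly when it
  # finds changes, which would suppress an ExecStartPost; ExecStopPost
  # always runs and can report the status, and the unit's failed state
  # remains visible to monitoring.
  cat > /etc/systemd/system/aide-check.service << 'EOF'
[Unit]
Description=Check file integrity with AIDE
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/aide --check
ExecStopPost=/usr/bin/logger -t aide "File integrity check finished with exit status $EXIT_STATUS"

[Install]
WantedBy=multi-user.target
EOF

  # Create AIDE check timer (run daily)
  cat > /etc/systemd/system/aide-check.timer << 'EOF'
[Unit]
Description=Daily AIDE file integrity check

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOF
  systemctl enable aide-check.timer 2>/dev/null || true
fi

# ============================================================================
# CIS BENCHMARK: APPARMOR CONFIGURATION
# ============================================================================
echo "Configuring AppArmor..."

# Ensure AppArmor is enabled
systemctl enable apparmor 2>/dev/null || true

# Enforce AppArmor profiles for critical services (regular files only;
# abstractions/ and tunables/ are directories and are skipped)
for profile in /etc/apparmor.d/*; do
  [ -f "$profile" ] && aa-enforce "${profile##*/}" 2>/dev/null || true
done

# ============================================================================
# CIS BENCHMARK: SSH CONFIGURATION (Even though SSH is disabled)
# ============================================================================
# openssh-server was purged above, so the drop-in directory may not exist;
# create it so a later reinstall still picks up the hardened defaults.
mkdir -p /etc/ssh/sshd_config.d
cat > /etc/ssh/sshd_config.d/99-hardening.conf << 'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers user
EOF
chmod 600 /etc/ssh/sshd_config.d/99-hardening.conf

# ============================================================================
# CMMC/FEDRAMP: SECURITY CONFIGURATION
# ============================================================================
echo "Applying CMMC/FedRAMP security controls..."

# Create log directories for compliance
mkdir -p /var/log/security /var/log/compliance
chmod 750 /var/log/security /var/log/compliance

# Enable audit logging for CMMC
echo "Audit logging enabled for CMMC Level 3 compliance" >> /var/log/security/compliance.log

# Create compliance marker file (unquoted heredoc so the build date expands)
build_date="$(date)"
cat > /etc/security/compliance.txt << EOF
Football Secure Access System - Compliance Information
========================================================
Standards Implemented:
- CIS Debian 13 Benchmark
- NIST SP 800-53 Moderate (FedRAMP)
- CMMC Level 3
- NIST SP 800-171

Build Date: $build_date
System Type: Tier0 Infrastructure Protection
Security Classification: Controlled Unclassified Information

For compliance documentation, see /usr/share/doc/compliance/
EOF

# ============================================================================
# ENABLE SECURITY SERVICES
# ============================================================================
echo "Enabling security services..."
for svc in auditd apparmor fail2ban rsyslog; do
  systemctl enable "$svc" 2>/dev/null || true
done

echo ""
echo "==========================================="
echo "CIS Benchmark hardening complete"
echo "CMMC/FedRAMP controls applied"
echo "==========================================="
echo ""
echo "Security Summary:"
echo " - Remote access: DISABLED"
echo " - WireGuard-only networking: ENABLED"
echo " - Firewall: STRICT (WireGuard only)"
echo " - Audit logging: ENABLED"
echo " - File integrity monitoring: ENABLED"
echo " - Kernel hardening: APPLIED"
echo " - Password policies: ENFORCED"
echo ""
echo "System is ready for deployment."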