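#!/bin/bash
# Security hardening script for the KNEL-Football build.
#
# Every create_*/configure_* function writes exactly one configuration file and
# takes an optional output path as $1 (default: the system location), so the
# functions can also be exercised against a scratch directory. main forwards
# its positional arguments to apply_security_hardening, which hands them out
# to the individual functions in the order listed there.
set -euo pipefail

#######################################
# Write stdin to a configuration file, creating its parent directory first.
# Some targets live in directories owned by packages that may not be installed
# yet (the messages below say aideinit runs "after installation"), and under
# set -e a missing directory would abort the run half-way through.
# Arguments: $1 - destination path
# Outputs:   the file at $1 (permissions follow the caller's umask)
#######################################
write_config() {
  local output_file=$1
  local parent=${output_file%/*}
  # A bare filename has no parent component; ${x%/*} then returns x unchanged.
  if [[ "$parent" != "$output_file" && ! -d "$parent" ]]; then
    mkdir -p -- "$parent"
  fi
  cat >"$output_file"
}

#######################################
# Create the WiFi module blacklist.
# `blacklist` only disables alias-based autoloading; the `install ... /bin/false`
# lines additionally make an explicit modprobe of the module fail, which is
# what a "no WiFi" requirement actually needs.
# Arguments: $1 - output path (default /etc/modprobe.d/blacklist-wifi.conf)
#######################################
create_wifi_blacklist() {
  local output_file="${1:-/etc/modprobe.d/blacklist-wifi.conf}"
  write_config "$output_file" <<'EOF'
# WiFi module blacklisting
blacklist cfg80211
blacklist mac80211
blacklist brcmfmac
blacklist iwlwifi
blacklist ath9k
blacklist rt73usb
# Refuse explicit loading as well (blacklist alone only stops autoloading)
install cfg80211 /bin/false
install mac80211 /bin/false
install brcmfmac /bin/false
install iwlwifi /bin/false
install ath9k /bin/false
install rt73usb /bin/false
EOF
  printf 'WiFi blacklist created at %s\n' "$output_file"
}

#######################################
# Create the Bluetooth module blacklist (same blacklist + install pattern as
# the WiFi list).
# Arguments: $1 - output path (default /etc/modprobe.d/blacklist-bluetooth.conf)
#######################################
create_bluetooth_blacklist() {
  local output_file="${1:-/etc/modprobe.d/blacklist-bluetooth.conf}"
  write_config "$output_file" <<'EOF'
# Bluetooth module blacklisting
blacklist btusb
blacklist bluetooth
blacklist btrtl
blacklist btintel
blacklist btbcm
# Refuse explicit loading as well (blacklist alone only stops autoloading)
install btusb /bin/false
install bluetooth /bin/false
install btrtl /bin/false
install btintel /bin/false
install btbcm /bin/false
EOF
  printf 'Bluetooth blacklist created at %s\n' "$output_file"
}

#######################################
# Configure the SSH client (client only - no server).
# This system does NOT run an SSH server per security requirements.
# The file is replaced wholesale, so a distribution-provided
# `Include /etc/ssh/ssh_config.d/*.conf` line is dropped; presumably intended
# so drop-ins cannot weaken the settings below - confirm.
# Arguments: $1 - output path (default /etc/ssh/ssh_config)
#######################################
configure_ssh_client() {
  local output_file="${1:-/etc/ssh/ssh_config}"
  write_config "$output_file" <<'EOF'
# SSH Client Configuration
# Reference: PRD FR-006 - Client-only, no inbound SSH services

# Global defaults
Host *
    # Security settings
    PasswordAuthentication no
    PubkeyAuthentication yes

    # Key algorithms (modern, secure)
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

    # Connection settings
    ConnectTimeout 30
    ServerAliveInterval 300
    ServerAliveCountMax 2

    # Strict host key checking
    StrictHostKeyChecking ask
    UserKnownHostsFile ~/.ssh/known_hosts
EOF
  printf 'SSH client configuration created at %s\n' "$output_file"
}

#######################################
# Configure the password quality policy.
# `enforcing = 1` only turns warnings into rejections; root is still exempt
# unless `enforce_for_root` is also set, so that flag is included to match the
# stated "including root" intent.
# Arguments: $1 - output path (default /etc/security/pwquality.conf)
#######################################
configure_password_policy() {
  local output_file="${1:-/etc/security/pwquality.conf}"
  write_config "$output_file" <<'EOF'
# KNEL-Football Password Quality Requirements (MANDATORY for tier0 security)
# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
# All passwords/passphrases must meet these strict requirements

# Minimum length: 14 characters (strongly recommended: 20+ characters)
minlen = 14

# Minimum requirements (negative values = mandatory minimum counts)
dcredit = -1  # Require at least 1 digit (0-9)
ucredit = -1  # Require at least 1 uppercase letter (A-Z)
lcredit = -1  # Require at least 1 lowercase letter (a-z)
ocredit = -1  # Require at least 1 special character (!@#$%^&*)

# Additional complexity requirements
difok = 4           # Require at least 4 characters different from old password
maxrepeat = 2       # Max 2 consecutive identical characters
maxclassrepeat = 2  # Max 2 consecutive characters from same class
maxsequence = 2     # Max 2 monotonic character sequences (e.g., 123, abc)

# Security checks (all enabled)
usercheck = 1   # Check if password contains username
dictcheck = 1   # Check against common dictionary words
gecoscheck = 1  # Check against GECOS field information
enforcing = 1   # Reject weak passwords instead of only warning
enforce_for_root  # Apply the checks to root as well (enforcing alone exempts root)

# Reject common weak patterns
badwords = password secret admin root knel football tier0 12345 qwerty

# Additional restrictions
minclass = 3  # Require at least 3 of 4 character classes
# Classes: digits, uppercase, lowercase, other characters
EOF
  printf 'Password policy configured at %s\n' "$output_file"
  printf 'Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char\n'
}

#######################################
# Configure AIDE (File Integrity Monitoring).
# Reference: CIS 1.4, FedRAMP AC-6, CMMC AU.3.059
# The database path is written into aide.conf (database/database_out lines and
# the exclusion of its directory), so a caller-supplied $2 is honoured instead
# of being silently ignored.
# Arguments: $1 - aide.conf path (default /etc/aide/aide.conf)
#            $2 - database path  (default /var/lib/aide/aide.db)
#######################################
configure_fim() {
  local aide_conf="${1:-/etc/aide/aide.conf}"
  local aide_db="${2:-/var/lib/aide/aide.db}"
  {
    cat <<'EOF'
# AIDE Configuration for KNEL-Football Secure OS
# File Integrity Monitoring (FIM) - CIS/FedRAMP/CMMC Compliance
# Reference: CIS Benchmark 1.4, FedRAMP AU-7, CMMC AU.3.059

# Database locations
# NOTE(review): newer AIDE releases name the input key database_in - confirm
# against the installed version
EOF
    printf 'database_out=file:%s.new\n' "$aide_db"
    printf 'database=file:%s\n' "$aide_db"
    cat <<'EOF'

# Report URL
report_url=stdout

# Custom group definitions for security-critical files
SECURITY = p+u+g+s+m+c+md5+sha256+sha512

# Monitor critical system directories
/etc SECURITY
/boot SECURITY
/usr SECURITY
/bin SECURITY
/sbin SECURITY
/lib SECURITY
/lib64 SECURITY

# Monitor SSH configurations
/etc/ssh SECURITY

# Monitor WireGuard configurations
/etc/wireguard SECURITY

# Monitor security configurations
/etc/security SECURITY
/etc/audit SECURITY
/etc/modprobe.d SECURITY
/etc/nftables.conf SECURITY

# Monitor sudo and PAM
/etc/sudoers SECURITY
/etc/sudoers.d SECURITY
/etc/pam.d SECURITY

# Exclude paths that change legitimately
!/proc
!/sys
!/dev
!/run
!/tmp
!/var/log
!/var/cache
EOF
    # The database directory is rewritten on every aideinit run.
    printf '!%s\n' "${aide_db%/*}"
    printf '!/var/tmp\n'
  } | write_config "$aide_conf"
  printf 'FIM configuration created at %s\n' "$aide_conf"
  printf "Run 'aideinit' to initialize the database after installation\n"
}

#######################################
# Initialize the AIDE database.
# Not called by main; it is a separate post-installation step.
# Outputs: status message on stdout
#######################################
initialize_fim() {
  if command -v aideinit >/dev/null 2>&1; then
    aideinit --force
    printf 'AIDE database initialized\n'
  else
    printf 'WARNING: aideinit not found, manual initialization required\n'
  fi
}

#######################################
# Configure system resource limits (no core dumps, process caps).
# Arguments: $1 - output path (default /etc/security/limits.d/security.conf)
#######################################
configure_system_limits() {
  local output_file="${1:-/etc/security/limits.d/security.conf}"
  write_config "$output_file" <<'EOF'
# System security limits
* hard core 0
* soft nproc 1024
* hard nproc 2048
EOF
  printf 'System limits configured at %s\n' "$output_file"
}

#######################################
# Configure audit rules (CIS 6.2, FedRAMP AU-2, CMMC AU.2.042).
# Arguments: $1 - output path (default /etc/audit/rules.d/audit.rules)
#######################################
configure_audit_rules() {
  local output_file="${1:-/etc/audit/rules.d/audit.rules}"
  write_config "$output_file" <<'EOF'
# Comprehensive Audit Rules for KNEL-Football Secure OS
# Reference: CIS Benchmark 6.2, FedRAMP AU-2/AU-3, CMMC AU.2.042/AU.3.059

## Identity and access management
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation

## Authentication configuration
-w /etc/pam.d/ -p wa -k authentication
-w /etc/security/ -p wa -k authentication
-w /etc/login.defs -p wa -k authentication
-w /var/log/faillog -p wa -k authentication
-w /var/log/lastlog -p wa -k authentication
-w /var/log/tallylog -p wa -k authentication

## Network configuration
-w /etc/network/ -p wa -k network_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k network_config
-w /etc/resolv.conf -p wa -k network_config
-w /etc/nftables.conf -p wa -k firewall
-w /etc/wireguard/ -p wa -k wireguard_config

## SSH client configuration (no server - client only)
-w /etc/ssh/ssh_config -p wa -k ssh_config

## System configuration
-w /etc/fstab -p wa -k filesystem
-w /etc/crypttab -p wa -k encryption
-w /etc/modprobe.d/ -p wa -k kernel_modules
-w /etc/sysctl.conf -p wa -k kernel_parameters
-w /etc/sysctl.d/ -p wa -k kernel_parameters

## Boot configuration
-w /boot/ -p wa -k boot_config
-w /efi/ -p wa -k boot_config
-w /etc/default/grub -p wa -k boot_config
-w /etc/grub.d/ -p wa -k boot_config

## Audit subsystem (self-monitoring)
-w /etc/audit/ -p wa -k audit_config
-w /var/log/audit/ -p wa -k audit_logs

## Time synchronization
-w /etc/chrony/ -p wa -k time_sync
-w /etc/ntp.conf -p wa -k time_sync

## System administration
-w /usr/bin/sudo -p x -k privilege_escalation
-w /usr/bin/su -p x -k privilege_escalation
-w /usr/bin/passwd -p x -k password_change
-w /usr/bin/chsh -p x -k user_modification
-w /usr/bin/usermod -p x -k user_modification

## Session monitoring
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## Module loading
## Only the 64-bit syscall table is covered here; a 32-bit userland would need
## a matching rule with -F arch=b32.
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules

## File integrity monitoring alerts
-w /var/lib/aide/ -p wa -k file_integrity

## Consider ending the rule set with "-e 2" so it becomes immutable until reboot.
EOF
  printf 'Audit rules configured at %s\n' "$output_file"
}

#######################################
# Apply all security configurations.
# Arguments: $1..$7 - optional output paths, in the order the functions are
#            called below; an empty or missing argument selects that
#            function's default system path.
# Outputs:   progress messages on stdout
#######################################
apply_security_hardening() {
  printf 'Applying security hardening...\n'
  create_wifi_blacklist "${1:-}"
  create_bluetooth_blacklist "${2:-}"
  configure_ssh_client "${3:-}"
  configure_password_policy "${4:-}"
  configure_fim "${5:-}"
  configure_system_limits "${6:-}"
  configure_audit_rules "${7:-}"
  printf 'Security hardening completed.\n'
  printf "IMPORTANT: Run 'aideinit' to initialize file integrity database after installation\n"
}

#######################################
# Main execution: forwards any command-line arguments (optional output paths)
# to apply_security_hardening instead of dropping them.
#######################################
main() {
  printf 'Starting KNEL-Football security hardening...\n'
  apply_security_hardening "$@"
  printf 'Security hardening completed successfully!\n'
}

# Run main if script is executed directly
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
  main "$@"
fi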