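#!/bin/bash
# Disable package management after installation - PRD FR-009
#
# Removes the ability to install/remove packages while preserving dpkg query
# capability: dpkg-query keeps its execute bits so audit tools and security
# scanners can still read the package database in /var/lib/dpkg.
#
# Needs root: it changes modes and attributes under /usr/bin and writes to
# /usr/local/sbin.
#
# Scope: the immutable attribute prevents permissions from being restored by
# accident or by an unprivileged process. A process holding
# CAP_LINUX_IMMUTABLE (normally root) can clear it, so this should not be the
# only control relied on for FR-009.
#
# Steps that could not be applied are reported on stderr and counted. The
# script still exits 0 in that case, matching the original best-effort
# behaviour, so check the build log for WARNING lines.
set -euo pipefail

# Tools that can install, remove or unpack packages; these lose execute bits.
# dpkg-query is deliberately absent: it is the query path that must survive.
readonly -a BLOCKED_TOOLS=(
  /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
  /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
  /usr/bin/dpkg-split /usr/bin/dpkg-trigger
  /usr/bin/aptitude /usr/bin/synaptic /usr/bin/software-center
)

# Binaries pinned with the immutable attribute. dpkg-query is pinned too, so
# it cannot be replaced, but it stays executable.
# NOTE(review): aptitude, synaptic and software-center were never made
# immutable here — confirm whether that omission is intended.
readonly -a IMMUTABLE_TOOLS=(
  /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
  /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
  /usr/bin/dpkg-query /usr/bin/dpkg-split /usr/bin/dpkg-trigger
)

# APT directories frozen so that new lists or archives cannot be written.
readonly -a IMMUTABLE_DIRS=(
  /var/cache/apt/archives
  /var/lib/apt/lists
)

warnings=0

# Print a warning on stderr and count it for the final summary.
warn() {
  printf 'WARNING: %s\n' "$*" >&2
  warnings=$((warnings + 1))
}

# Remove execute permission from each installed tool and verify the result.
strip_exec() {
  local tool
  for tool in "$@"; do
    # A tool that is not installed is expected on a minimal image.
    [[ -e "$tool" ]] || continue
    # chmod fails on a file that is already immutable; the check below, not
    # the exit status, decides whether the tool is actually blocked.
    chmod -x -- "$tool" 2>/dev/null || true
    if [[ -x "$tool" ]]; then
      warn "$tool is still executable"
    fi
  done
}

# Set the immutable attribute on each existing path, reporting failures
# (for example a filesystem that does not support the attribute).
make_immutable() {
  local path
  for path in "$@"; do
    [[ -e "$path" ]] || continue
    chattr +i "$path" 2>/dev/null || warn "could not set immutable attribute on $path"
  done
}

echo "Disabling package management..."

# Remove execute permissions from package management tools
strip_exec "${BLOCKED_TOOLS[@]}"

# Make package management binaries immutable (prevent restoring permissions)
make_immutable "${IMMUTABLE_TOOLS[@]}"

# Remove APT cache and lists (safe to remove - these are downloadable metadata).
# If an earlier run already froze the directories below, these rm calls fail
# and set -e stops the script here.
rm -rf -- /var/cache/apt/*
rm -rf -- /var/lib/apt/lists/*

# Create immutable APT directories to prevent apt update
mkdir -p /var/cache/apt/archives/partial
mkdir -p /var/lib/apt/lists/partial
make_immutable "${IMMUTABLE_DIRS[@]}"

# Preserve /var/lib/dpkg/ - needed for:
# - dpkg-query (checking installed packages)
# - audit tools that query package database
# - security scanners that check package versions

# Install a guard script that refuses package changes with a pointer to the
# policy. Queries stay possible because dpkg-query itself remains executable,
# not because of this script.
# NOTE(review): nothing in this file routes apt/dpkg invocations to the
# guard; it is only written and made executable here — confirm where it is
# wired in.
cat > /usr/local/sbin/knel-package-guard.sh <<'GUARD'
#!/bin/bash
# KNEL-Football Package Guard
# Blocks any package installation/removal attempts
echo "ERROR: Package management is disabled on KNEL-Football Secure OS."
echo " System updates are performed via ISO rebuild only."
echo " Reference: PRD FR-009 (System Immutability)"
exit 1
GUARD
chmod +x /usr/local/sbin/knel-package-guard.sh

if ((warnings > 0)); then
  printf 'Package management disabled with %d warning(s); review the messages above.\n' \
    "$warnings" >&2
else
  echo "Package management disabled successfully."
fi

# Only claim the audit path works if it really does.
if [[ -x /usr/bin/dpkg-query ]]; then
  echo "Package queries (dpkg-query) remain available for auditing."
else
  printf 'WARNING: %s\n' "/usr/bin/dpkg-query is missing or not executable; package queries are unavailable" >&2
fi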