football/config/hooks/live/sudo-hardening.sh

#!/bin/bash
# Sudo hardening - PRD FR-007 Access Control Layer
# Reference: CIS Benchmark 5.4, NIST SP 800-53 AC-6
set -euo pipefail

echo "Configuring sudo access controls..."

# Create sudoers configuration for restricted access
mkdir -p /etc/sudoers.d
chmod 750 /etc/sudoers.d

# Default sudoers hardening
cat >/etc/sudoers.d/99-knel-hardening <<'EOF'
# KNEL-Football Sudo Configuration
# Reference: PRD FR-007, CIS Benchmark 5.4, NIST SP 800-53 AC-6

# Lecture user on first sudo use
Defaults lecture = always
Defaults lecture_file = /etc/sudo.lecture

# Logging and timeout
Defaults logfile = "/var/log/sudo.log"
Defaults log_input
Defaults log_output
Defaults timestamp_timeout = 15

# Restrict which environment variables are preserved
Defaults env_reset
Defaults env_delete += "HOME"
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# football user can run specific admin commands
football ALL=(root) /usr/local/bin/apply-vpn-config.sh, /usr/local/bin/convert-luks-kdf.sh, /usr/bin/systemctl restart nftables, /usr/bin/systemctl restart wg-quick@wg0, /usr/local/bin/check-encryption.sh

# Root can run anything (standard)
root ALL=(ALL:ALL) ALL
EOF

chmod 440 /etc/sudoers.d/99-knel-hardening

# Create sudo lecture file
cat >/etc/sudo.lecture <<'EOF'
====================================================================
  KNEL-Football Secure OS - Privileged Access Warning
====================================================================

You are about to execute a command with elevated privileges.

All sudo commands are logged and audited.
Unauthorized use of privileged access is a security violation.

If you did not intend to run a privileged command, press Ctrl+C now.
====================================================================
EOF

# Ensure sudo.log exists with correct permissions (atomic create)
install -m 600 /dev/null /var/log/sudo.log 2>/dev/null || true

echo "Sudo hardening completed."