feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC
Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture
Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins
No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
0807611efe