KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0eea7305d3c2df4a7196fd3938deffe80db44886
football/config/hooks/live/sudo-hardening.sh
reachableceo 9459c84fbc fix: resolve all audit findings in hooks, config, and package list 
Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 08:41:52 -05:00

61 lines
1.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Sudo hardening - PRD FR-007 Access Control Layer
# Reference: CIS Benchmark 5.4, NIST SP 800-53 AC-6
set -euo pipefail
echo "Configuring sudo access controls..."
# Create sudoers configuration for restricted access
mkdir -p /etc/sudoers.d
chmod 750 /etc/sudoers.d
# Default sudoers hardening
cat >/etc/sudoers.d/99-knel-hardening <<'EOF'
# KNEL-Football Sudo Configuration
# Reference: PRD FR-007, CIS Benchmark 5.4, NIST SP 800-53 AC-6
# Lecture user on first sudo use
Defaults lecture = always
Defaults lecture_file = /etc/sudo.lecture
# Logging and timeout
Defaults logfile = "/var/log/sudo.log"
Defaults log_input
Defaults log_output
Defaults timestamp_timeout = 15
# Restrict which environment variables are preserved
Defaults env_reset
Defaults env_delete += "HOME"
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# football user can run specific admin commands
football ALL=(root) /usr/local/bin/apply-vpn-config.sh, /usr/local/bin/convert-luks-kdf.sh, /usr/bin/systemctl restart nftables, /usr/bin/systemctl restart wg-quick@wg0, /usr/local/bin/check-encryption.sh
# Root can run anything (standard)
root ALL=(ALL:ALL) ALL
EOF
chmod 440 /etc/sudoers.d/99-knel-hardening
# Create sudo lecture file
cat >/etc/sudo.lecture <<'EOF'
====================================================================
KNEL-Football Secure OS - Privileged Access Warning
====================================================================
You are about to execute a command with elevated privileges.
All sudo commands are logged and audited.
Unauthorized use of privileged access is a security violation.
If you did not intend to run a privileged command, press Ctrl+C now.
====================================================================
EOF
# Ensure sudo.log exists with correct permissions
touch /var/log/sudo.log 2>/dev/null || true
chmod 600 /var/log/sudo.log 2>/dev/null || true
echo "Sudo hardening completed."
Reference in New Issue View Git Blame Copy Permalink