KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0fb9abe43e23d49e23a771044b3be31aa38f081a
football/config/hooks/installed/install-scripts.sh
reachableceo 62d20604a6 fix: resolve critical build bugs and add missing PRD requirements 
Critical fixes:
- Fix security-hardening.sh live hook: removed broken source from
  /build/src/ which doesn't exist during live-build; made hook
  self-contained by inlining all config generation
- Fix firewall-setup.sh live hook: removed broken source from
  /build/src/; hook already had inline nftables config
- Fix install-scripts.sh: replaced /workspace/src/ references with
  embedded inline scripts (installed system has no /workspace)
- Fix UKI cmdline in standalone uki_build(): added
  lockdown=confidentiality and module.sig_enforce=1 to match the
  inline Secure Boot hook
- Fix WiFi blacklist: expanded from 6 entries to 19, now covers all
  PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*)

Missing PRD requirements added:
- kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace
  restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID
  dumpable disabled, hardlink/symlink protection, network hardening
- service-hardening.sh (FR-007): disables and masks avahi-daemon,
  cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport
- sudo-hardening.sh (FR-007): requiretty, logging (input/output),
  timestamp timeout, env_reset, restricted football user commands
- mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp,
  nodev/nosuid on /home, /dev/shm hardening

Test improvements:
- Rewrote security-hardening_comprehensive_test.bats: tests now
  source scripts, call functions, and verify generated output files
- Rewrote firewall-setup_comprehensive_test.bats: tests now create
  WireGuard configs, call parse_wg_endpoint, verify nftables output
- Added new-hooks_test.bats: 42 tests for kernel hardening, service
  hardening, sudo hardening, mount hardening, self-containment
  verification, and WiFi blacklist completeness
- Total: 788 tests passing, 0 failures, 0 shellcheck warnings

Reference: docs/PRD.md FR-005, FR-007, security-model.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:50:15 -05:00

175 lines
4.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Install source scripts and configure system
set -euo pipefail
echo "Installing source scripts..."
# Install firewall-setup script (embedded - /workspace not available in installed system)
cat >/usr/local/bin/firewall-setup.sh <<'FIREWALL_SCRIPT'
#!/bin/bash
set -euo pipefail
parse_wg_endpoint() {
local wg_config="${1:-/etc/wireguard/wg0.conf}"
if [[ ! -f $wg_config ]]; then
echo "Error: WireGuard config not found at $wg_config"
return 1
fi
grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
echo "Error: Could not parse endpoint from WireGuard config"
return 1
}
}
generate_nftables_rules() {
local endpoint="$1"
local ip="${endpoint%:*}"
local port="${endpoint#*:}"
cat <<NFTCONF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop
iif lo accept comment "Accept loopback"
icmp type echo-request accept comment "Accept ping"
}
chain forward {
type filter hook forward priority 0; policy drop
}
chain output {
type filter hook output priority 0; policy drop
oif lo accept comment "Accept loopback"
udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
icmp type echo-request accept comment "Allow ping"
}
}
NFTCONF
}
apply_firewall() {
local wg_config="${1:-/etc/wireguard/wg0.conf}"
if [[ -f $wg_config ]]; then
endpoint=$(parse_wg_endpoint "$wg_config")
if [[ -n $endpoint ]]; then
generate_nftables_rules "$endpoint" >/etc/nftables.conf
systemctl enable nftables
systemctl restart nftables
echo "Firewall configured for endpoint: $endpoint"
else
echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
fi
else
echo "Warning: WireGuard config not found, using default deny policy"
fi
}
main() {
echo "Setting up dynamic firewall..."
apply_firewall "$@"
echo "Firewall setup completed."
}
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
main "$@"
fi
FIREWALL_SCRIPT
chmod +x /usr/local/bin/firewall-setup.sh
# Install security-hardening script (embedded)
cat >/usr/local/bin/security-hardening.sh <<'HARDENING_SCRIPT'
#!/bin/bash
set -euo pipefail
check_encryption_status() {
echo "Checking encryption status..."
if command -v cryptsetup >/dev/null 2>&1; then
for dev in /dev/mapper/*; do
if [ -e "$dev" ]; then
echo "Encrypted device: $dev"
fi
done
fi
}
main() {
echo "KNEL-Football Security Hardening Utility"
check_encryption_status
}
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
main "$@"
fi
HARDENING_SCRIPT
chmod +x /usr/local/bin/security-hardening.sh
# Create VPN configuration apply script
cat >/usr/local/bin/apply-vpn-config.sh <<'EOF'
#!/bin/bash
# Apply VPN configuration and update firewall
set -euo pipefail
# Apply firewall configuration
/usr/local/bin/firewall-setup.sh
# Start WireGuard if configuration exists
if [[ -f "/etc/wireguard/wg0.conf" ]]; then
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
echo "WireGuard started successfully."
else
echo "Warning: WireGuard configuration not found."
fi
echo "VPN configuration applied successfully."
EOF
chmod +x /usr/local/bin/apply-vpn-config.sh
# Create desktop shortcuts
mkdir -p /usr/share/applications
# WireGuard Configuration Editor shortcut
cat >/usr/share/applications/wg-config.desktop <<EOF
[Desktop Entry]
Name=WireGuard Configuration
Comment=Edit WireGuard configuration
Exec=pkexec mousepad /etc/wireguard/wg0.conf
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF
# VPN Configuration Apply shortcut
cat >/usr/share/applications/apply-vpn.desktop <<EOF
[Desktop Entry]
Name=Apply VPN Configuration
Comment=Apply WireGuard configuration and start VPN
Exec=pkexec /usr/local/bin/apply-vpn-config.sh
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF
# WireGuard QR Code Import shortcut
cat >/usr/share/applications/scan-wireguard-qr.desktop <<EOF
[Desktop Entry]
Name=Import WireGuard QR Code
Comment=Scan QR code to import WireGuard configuration
Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
Icon=camera-web
Terminal=true
Type=Application
Categories=Network;System;
EOF
# Create WireGuard configuration directory
mkdir -p /etc/wireguard
# Add football to appropriate groups
usermod -a -G sudo,audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true
echo "Source scripts installed successfully."
Reference in New Issue View Git Blame Copy Permalink