62d20604a6
Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
36 lines
855 B
Bash
Executable File
36 lines
855 B
Bash
Executable File
#!/bin/bash
|
|
# Dynamic firewall setup hook
|
|
set -euo pipefail
|
|
|
|
echo "Setting up firewall configuration..."
|
|
|
|
# Install nftables rules (default deny policy)
|
|
cat >/etc/nftables.conf <<'EOF'
|
|
#!/usr/sbin/nft -f
|
|
# Default secure firewall rules for KNEL-Football
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop
|
|
iif lo accept comment "Accept loopback"
|
|
icmp type echo-request accept comment "Accept ping"
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy drop
|
|
oif lo accept comment "Accept loopback"
|
|
icmp type echo-request accept comment "Allow ping"
|
|
}
|
|
}
|
|
EOF
|
|
|
|
# Enable nftables service
|
|
systemctl enable nftables
|
|
|
|
echo "Firewall setup hook completed."
|