KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
630358a20e1f0c0ec03f5373a903b2960aa28200
football/config/hooks/live/sudo-hardening.sh
reachableceo 62d20604a6 fix: resolve critical build bugs and add missing PRD requirements 
Critical fixes:
- Fix security-hardening.sh live hook: removed broken source from
  /build/src/ which doesn't exist during live-build; made hook
  self-contained by inlining all config generation
- Fix firewall-setup.sh live hook: removed broken source from
  /build/src/; hook already had inline nftables config
- Fix install-scripts.sh: replaced /workspace/src/ references with
  embedded inline scripts (installed system has no /workspace)
- Fix UKI cmdline in standalone uki_build(): added
  lockdown=confidentiality and module.sig_enforce=1 to match the
  inline Secure Boot hook
- Fix WiFi blacklist: expanded from 6 entries to 19, now covers all
  PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*)

Missing PRD requirements added:
- kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace
  restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID
  dumpable disabled, hardlink/symlink protection, network hardening
- service-hardening.sh (FR-007): disables and masks avahi-daemon,
  cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport
- sudo-hardening.sh (FR-007): requiretty, logging (input/output),
  timestamp timeout, env_reset, restricted football user commands
- mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp,
  nodev/nosuid on /home, /dev/shm hardening

Test improvements:
- Rewrote security-hardening_comprehensive_test.bats: tests now
  source scripts, call functions, and verify generated output files
- Rewrote firewall-setup_comprehensive_test.bats: tests now create
  WireGuard configs, call parse_wg_endpoint, verify nftables output
- Added new-hooks_test.bats: 42 tests for kernel hardening, service
  hardening, sudo hardening, mount hardening, self-containment
  verification, and WiFi blacklist completeness
- Total: 788 tests passing, 0 failures, 0 shellcheck warnings

Reference: docs/PRD.md FR-005, FR-007, security-model.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:50:15 -05:00

64 lines
2.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Sudo hardening - PRD FR-007 Access Control Layer
# Reference: CIS Benchmark 5.4, NIST SP 800-53 AC-6
set -euo pipefail
echo "Configuring sudo access controls..."
# Create sudoers configuration for restricted access
mkdir -p /etc/sudoers.d
chmod 750 /etc/sudoers.d
# Default sudoers hardening
cat >/etc/sudoers.d/99-knel-hardening <<'EOF'
# KNEL-Football Sudo Configuration
# Reference: PRD FR-007, CIS Benchmark 5.4, NIST SP 800-53 AC-6
# Require tty for sudo (prevents script injection)
Defaults requiretty
# Lecture user on first sudo use
Defaults lecture = always
Defaults lecture_file = /etc/sudo.lecture
# Logging and timeout
Defaults logfile = "/var/log/sudo.log"
Defaults log_input
Defaults log_output
Defaults timestamp_timeout = 15
# Restrict which environment variables are preserved
Defaults env_reset
Defaults env_delete += "HOME"
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# football user can run specific admin commands
football ALL=(root) /usr/local/bin/apply-vpn-config.sh, /usr/local/bin/convert-luks-kdf.sh, /usr/bin/systemctl restart nftables, /usr/bin/systemctl restart wg-quick@wg0, /usr/local/bin/check-encryption.sh
# Root can run anything (standard)
root ALL=(ALL:ALL) ALL
EOF
chmod 440 /etc/sudoers.d/99-knel-hardening
# Create sudo lecture file
cat >/etc/sudo.lecture <<'EOF'
====================================================================
KNEL-Football Secure OS - Privileged Access Warning
====================================================================
You are about to execute a command with elevated privileges.
All sudo commands are logged and audited.
Unauthorized use of privileged access is a security violation.
If you did not intend to run a privileged command, press Ctrl+C now.
====================================================================
EOF
# Ensure sudo.log exists with correct permissions
touch /var/log/sudo.log 2>/dev/null || true
chmod 600 /var/log/sudo.log 2>/dev/null || true
echo "Sudo hardening completed."
Reference in New Issue View Git Blame Copy Permalink