KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68ad78091ecb212bfccc3f2749fe3430ef79936b
football/config/hooks/installed/install-scripts.sh
reachableceo 9459c84fbc fix: resolve all audit findings in hooks, config, and package list 
Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 08:41:52 -05:00

225 lines
6.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Install source scripts and configure system
set -euo pipefail
echo "Installing source scripts..."
# Install firewall-setup script (embedded - /workspace not available in installed system)
cat >/usr/local/bin/firewall-setup.sh <<'FIREWALL_SCRIPT'
#!/bin/bash
set -euo pipefail
parse_wg_endpoint() {
local wg_config="${1:-/etc/wireguard/wg0.conf}"
if [[ ! -f $wg_config ]]; then
echo "Error: WireGuard config not found at $wg_config"
return 1
fi
grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
echo "Error: Could not parse endpoint from WireGuard config"
return 1
}
}
generate_nftables_rules() {
local endpoint="$1"
local ip="${endpoint%:*}"
local port="${endpoint#*:}"
cat <<NFTCONF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop
iif lo accept comment "Accept loopback"
ct state established,related accept comment "Accept established/related"
udp sport 67 udp dport 68 accept comment "Accept DHCP"
icmp type echo-request accept comment "Accept ping"
}
chain forward {
type filter hook forward priority 0; policy drop
}
chain output {
type filter hook output priority 0; policy drop
oif lo accept comment "Accept loopback"
ct state established,related accept comment "Accept established/related"
udp dport 67 accept comment "Allow DHCP"
udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
oifname "wg*" accept comment "Allow VPN tunnel traffic"
icmp type echo-request accept comment "Allow ping"
}
}
NFTCONF
}
apply_firewall() {
local wg_config="${1:-/etc/wireguard/wg0.conf}"
if [[ -f $wg_config ]]; then
endpoint=$(parse_wg_endpoint "$wg_config")
if [[ -n $endpoint ]]; then
generate_nftables_rules "$endpoint" >/etc/nftables.conf
systemctl enable nftables
systemctl restart nftables
echo "Firewall configured for endpoint: $endpoint"
else
echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
fi
else
echo "Warning: WireGuard config not found, using default deny policy"
fi
}
main() {
echo "Setting up dynamic firewall..."
apply_firewall "$@"
echo "Firewall setup completed."
}
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
main "$@"
fi
FIREWALL_SCRIPT
chmod +x /usr/local/bin/firewall-setup.sh
# Install security-hardening script (embedded)
cat >/usr/local/bin/security-hardening.sh <<'HARDENING_SCRIPT'
#!/bin/bash
# KNEL-Football Security Hardening Utility (installed system)
# Re-applies security hardening or checks current status
set -euo pipefail
check_encryption_status() {
echo "Checking encryption status..."
if command -v cryptsetup >/dev/null 2>&1; then
for dev in /dev/mapper/*; do
if [ -e "$dev" ]; then
echo "Encrypted device: $dev"
cryptsetup status "$dev" 2>/dev/null | head -5 || true
fi
done
else
echo "WARNING: cryptsetup not found"
fi
}
check_kernel_hardening() {
echo "Checking kernel hardening..."
local params="kernel.randomize_va_space kernel.yama.ptrace_scope kernel.kptr_restrict kernel.dmesg_restrict"
for param in $params; do
local val
val=$(sysctl -n "$param" 2>/dev/null || echo "N/A")
echo " $param = $val"
done
}
check_firewall() {
echo "Checking firewall status..."
if command -v nft >/dev/null 2>&1; then
nft list ruleset 2>/dev/null | head -20 || echo " No nftables rules loaded"
else
echo " WARNING: nft not found"
fi
}
check_services() {
echo "Checking disabled services..."
for svc in avahi-daemon cups bluetooth ModemManager; do
if systemctl is-enabled "$svc" 2>/dev/null | grep -q "masked\|disabled"; then
echo " $svc: DISABLED (OK)"
else
echo " $svc: WARNING - may be enabled"
fi
done
}
main() {
echo "KNEL-Football Security Hardening Utility"
echo "========================================="
echo ""
check_encryption_status
echo ""
check_kernel_hardening
echo ""
check_firewall
echo ""
check_services
echo ""
echo "Security check completed."
}
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
main "$@"
fi
HARDENING_SCRIPT
chmod +x /usr/local/bin/security-hardening.sh
# Create VPN configuration apply script
cat >/usr/local/bin/apply-vpn-config.sh <<'EOF'
#!/bin/bash
# Apply VPN configuration and update firewall
set -euo pipefail
# Apply firewall configuration
/usr/local/bin/firewall-setup.sh
# Start WireGuard if configuration exists
if [[ -f "/etc/wireguard/wg0.conf" ]]; then
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
echo "WireGuard started successfully."
else
echo "Warning: WireGuard configuration not found."
fi
echo "VPN configuration applied successfully."
EOF
chmod +x /usr/local/bin/apply-vpn-config.sh
# Create desktop shortcuts
mkdir -p /usr/share/applications
# WireGuard Configuration Editor shortcut
cat >/usr/share/applications/wg-config.desktop <<EOF
[Desktop Entry]
Name=WireGuard Configuration
Comment=Edit WireGuard configuration
Exec=pkexec mousepad /etc/wireguard/wg0.conf
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF
# VPN Configuration Apply shortcut
cat >/usr/share/applications/apply-vpn.desktop <<EOF
[Desktop Entry]
Name=Apply VPN Configuration
Comment=Apply WireGuard configuration and start VPN
Exec=pkexec /usr/local/bin/apply-vpn-config.sh
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF
# WireGuard QR Code Import shortcut
cat >/usr/share/applications/scan-wireguard-qr.desktop <<EOF
[Desktop Entry]
Name=Import WireGuard QR Code
Comment=Scan QR code to import WireGuard configuration
Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
Icon=camera-web
Terminal=true
Type=Application
Categories=Network;System;
EOF
# Create WireGuard configuration directory
mkdir -p /etc/wireguard
# Add football to appropriate groups
usermod -a -G sudo,audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true
echo "Source scripts installed successfully."
Reference in New Issue View Git Blame Copy Permalink