football/src/security-hardening.sh
reachableceo 62d20604a6 fix: resolve critical build bugs and add missing PRD requirements
Critical fixes:
- Fix security-hardening.sh live hook: removed broken source from
  /build/src/ which doesn't exist during live-build; made hook
  self-contained by inlining all config generation
- Fix firewall-setup.sh live hook: removed broken source from
  /build/src/; hook already had inline nftables config
- Fix install-scripts.sh: replaced /workspace/src/ references with
  embedded inline scripts (installed system has no /workspace)
- Fix UKI cmdline in standalone uki_build(): added
  lockdown=confidentiality and module.sig_enforce=1 to match the
  inline Secure Boot hook
- Fix WiFi blacklist: expanded from 6 entries to 19, now covers all
  PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*)

Missing PRD requirements added:
- kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace
  restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID
  dumpable disabled, hardlink/symlink protection, network hardening
- service-hardening.sh (FR-007): disables and masks avahi-daemon,
  cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport
- sudo-hardening.sh (FR-007): requiretty, logging (input/output),
  timestamp timeout, env_reset, restricted football user commands
- mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp,
  nodev/nosuid on /home, /dev/shm hardening

Test improvements:
- Rewrote security-hardening_comprehensive_test.bats: tests now
  source scripts, call functions, and verify generated output files
- Rewrote firewall-setup_comprehensive_test.bats: tests now create
  WireGuard configs, call parse_wg_endpoint, verify nftables output
- Added new-hooks_test.bats: 42 tests for kernel hardening, service
  hardening, sudo hardening, mount hardening, self-containment
  verification, and WiFi blacklist completeness
- Total: 788 tests passing, 0 failures, 0 shellcheck warnings

Reference: docs/PRD.md FR-005, FR-007, security-model.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-01 09:50:15 -05:00


#!/bin/bash
# Security hardening script
#
# Generates the static hardening configuration for the KNEL-Football image:
# WiFi and Bluetooth modprobe blacklists, an SSH client config and a
# defensive sshd baseline, the libpwquality password policy, the AIDE (FIM)
# config, resource limits and auditd rules.
# Every generator function writes exactly one file and accepts an optional
# output path as its first argument, so tests can redirect it to a temp file.
#
# Usage: security-hardening.sh
# Sourcing the file defines the functions without running anything.
#
# Abort on the first failing command, unset variable or failing pipeline stage.
set -euo pipefail
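#######################################
# Create the WiFi kernel-module blacklist (PRD FR-005).
# A "blacklist" line only stops alias-based autoloading; an explicit modprobe
# or a dependency pull-in would still load the module. Each module therefore
# also gets an "install <mod> /bin/false" line so any load attempt fails.
# Arguments: $1 - output file (default /etc/modprobe.d/blacklist-wifi.conf)
# Outputs:   writes the modprobe.d file; prints its path to stdout
# Returns:   non-zero if the file cannot be written
#######################################
create_wifi_blacklist() {
  local output_file="${1:-/etc/modprobe.d/blacklist-wifi.conf}"
  # Core wireless stack first, then the driver families required by FR-005.
  local -a modules=(
    cfg80211 mac80211
    brcmfmac
    iwlwifi
    ath9k ath9k_htc ath10k_pci
    rtl8188ee rtl8192ce rtl8192se rtl8723ae rtl8821ae
    rt73usb rt2800usb rt2x00lib rt2x00usb
    mwifiex mwifiex_pcie mwifiex_sdio
  )
  local mod
  {
    printf '%s\n' '# WiFi module blacklisting - PRD FR-005'
    for mod in "${modules[@]}"; do
      printf 'blacklist %s\n' "$mod"
    done
    printf '%s\n' '# Refuse explicit loads too, not only alias autoloading'
    for mod in "${modules[@]}"; do
      printf 'install %s /bin/false\n' "$mod"
    done
  } >"$output_file"
  echo "WiFi blacklist created at $output_file"
}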
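#######################################
# Create the Bluetooth kernel-module blacklist (PRD FR-005).
# As with WiFi, "blacklist" alone does not prevent an explicit modprobe or a
# dependency pull-in, so every module also gets "install <mod> /bin/false".
# Arguments: $1 - output file (default /etc/modprobe.d/blacklist-bluetooth.conf)
# Outputs:   writes the modprobe.d file; prints its path to stdout
# Returns:   non-zero if the file cannot be written
#######################################
create_bluetooth_blacklist() {
  local output_file="${1:-/etc/modprobe.d/blacklist-bluetooth.conf}"
  # Transport/vendor drivers, the core stack, and the profile modules.
  local -a modules=(
    btusb bluetooth btrtl btintel btbcm
    bnep rfcomm hidp
  )
  local mod
  {
    printf '%s\n' '# Bluetooth module blacklisting - PRD FR-005'
    for mod in "${modules[@]}"; do
      printf 'blacklist %s\n' "$mod"
    done
    printf '%s\n' '# Refuse explicit loads too, not only alias autoloading'
    for mod in "${modules[@]}"; do
      printf 'install %s /bin/false\n' "$mod"
    done
  } >"$output_file"
  echo "Bluetooth blacklist created at $output_file"
}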
#######################################
# Write the system-wide SSH client configuration (PRD FR-006).
# The image is client-only: no sshd is installed, this file only governs
# outbound connections.
# Arguments: $1 - output file (default /etc/ssh/ssh_config)
# Outputs:   writes the file; prints its path to stdout
#######################################
configure_ssh_client() {
  local target="${1:-/etc/ssh/ssh_config}"
  # One array element per line of the generated file, in output order.
  local -a lines=(
    '# SSH Client Configuration'
    '# Reference: PRD FR-006 - Client-only, no inbound SSH services'
    '# Global defaults'
    'Host *'
    '# Security settings'
    'PasswordAuthentication no'
    'PubkeyAuthentication yes'
    '# Key algorithms (modern, secure)'
    'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com'
    'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'
    '# Connection settings'
    'ConnectTimeout 30'
    'ServerAliveInterval 300'
    'ServerAliveCountMax 2'
    '# Strict host key checking'
    'StrictHostKeyChecking ask'
    'UserKnownHostsFile ~/.ssh/known_hosts'
  )
  printf '%s\n' "${lines[@]}" >"$target"
  echo "SSH client configuration created at $target"
}
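#######################################
# Write a defensive sshd_config baseline (PRD FR-006).
# The system is SSH client-only and sshd is not installed; this file only
# matters if sshd is ever added. The baseline therefore also disables
# password and keyboard-interactive authentication and all forwarding, which
# the previous version left at the OpenSSH defaults (enabled).
# Arguments: $1 - output file (default /etc/ssh/sshd_config)
# Outputs:   writes the file; prints its path to stdout
#######################################
configure_ssh() {
  local output_file="${1:-/etc/ssh/sshd_config}"
  cat >"$output_file" <<'EOF'
# SSH Server Hardening Configuration (defense-in-depth)
# Reference: PRD FR-006 - Client-only system, sshd not installed
# This config exists as a security baseline if sshd is ever installed
# Protocol
Protocol 2
# Authentication
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
# Session
ClientAliveInterval 300
ClientAliveCountMax 2
# Forwarding
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitUserEnvironment no
# Logging (VERBOSE records the key fingerprint used for each login)
LogLevel VERBOSE
EOF
  echo "SSH hardening configuration created at $output_file"
}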
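#######################################
# Write the libpwquality password policy.
# Every setting is on its own line with its explanation on the line above:
# libpwquality does not strip a trailing "# ..." from a value, so a line such
# as "dcredit = -1 # note" is read as a non-integer setting and the policy
# fails to load.
# Arguments: $1 - output file (default /etc/security/pwquality.conf)
# Outputs:   writes the file; prints its path and a requirement summary
#######################################
configure_password_policy() {
  local output_file="${1:-/etc/security/pwquality.conf}"
  cat >"$output_file" <<'EOF'
# KNEL-Football Password Quality Requirements (MANDATORY for tier0 security)
# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
# All passwords/passphrases must meet these strict requirements
# Keep one setting per line with no trailing comment: libpwquality does not
# strip inline comments from values.
# Minimum length: 14 characters (strongly recommended: 20+ characters)
minlen = 14
# Minimum requirements (negative values = mandatory minimum counts)
# Require at least 1 digit (0-9)
dcredit = -1
# Require at least 1 uppercase letter (A-Z)
ucredit = -1
# Require at least 1 lowercase letter (a-z)
lcredit = -1
# Require at least 1 special character (!@#$%^&*)
ocredit = -1
# Additional complexity requirements
# Require at least 4 characters different from old password
difok = 4
# Max 2 consecutive identical characters
maxrepeat = 2
# Max 2 consecutive characters from same class
maxclassrepeat = 2
# Max 2 monotonic character sequences (e.g., 123, abc)
maxsequence = 2
# Security checks (all enabled)
# Check if password contains username
usercheck = 1
# Check against common dictionary words
dictcheck = 1
# Check against GECOS field information
gecoscheck = 1
# Reject weak passwords (for all users including root)
enforcing = 1
# Reject common weak patterns
badwords = password secret admin root knel football tier0 12345 qwerty
# Additional restrictions
# Require at least 3 of 4 character classes
# Classes: digits, uppercase, lowercase, other characters
minclass = 3
EOF
  echo "Password policy configured at $output_file"
  echo "Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char"
}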
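#######################################
# Write the AIDE file-integrity-monitoring configuration.
# Reference: CIS 1.4, FedRAMP AC-6, CMMC AU.3.059
# The database path ($2) was previously accepted but never used: the paths
# inside aide.conf were hard-coded. They are now derived from $2, and the
# database directory is excluded from the scan so that rebuilding the
# database does not itself show up as a change.
# Arguments: $1 - output file (default /etc/aide/aide.conf)
#            $2 - absolute path of the AIDE database
#                 (default /var/lib/aide/aide.db); "$2.new" is the output db
# Outputs:   writes the file; prints its path and a reminder to run aideinit
#######################################
configure_fim() {
  local aide_conf="${1:-/etc/aide/aide.conf}"
  local aide_db="${2:-/var/lib/aide/aide.db}"
  # Expects an absolute path; for a bare filename this yields the name itself.
  local aide_db_dir="${aide_db%/*}"
  # Unquoted delimiter on purpose: only ${aide_db} and ${aide_db_dir} expand,
  # the rest of the template contains no $, backtick or backslash.
  cat >"$aide_conf" <<EOF
# AIDE Configuration for KNEL-Football Secure OS
# File Integrity Monitoring (FIM) - CIS/FedRAMP/CMMC Compliance
# Reference: CIS Benchmark 1.4, FedRAMP AU-7, CMMC AU.3.059
# Database locations
database_out=file:${aide_db}.new
database=file:${aide_db}
# Report URL
report_url=stdout
# Custom group definitions for security-critical files
SECURITY = p+u+g+s+m+c+md5+sha256+sha512
# Monitor critical system directories
/etc SECURITY
/boot SECURITY
/usr SECURITY
/bin SECURITY
/sbin SECURITY
/lib SECURITY
/lib64 SECURITY
# Monitor SSH configurations
/etc/ssh SECURITY
# Monitor WireGuard configurations
/etc/wireguard SECURITY
# Monitor security configurations
/etc/security SECURITY
/etc/audit SECURITY
/etc/modprobe.d SECURITY
/etc/nftables.conf SECURITY
# Monitor sudo and PAM
/etc/sudoers SECURITY
/etc/sudoers.d SECURITY
/etc/pam.d SECURITY
# Exclude paths that change legitimately
!/proc
!/sys
!/dev
!/run
!/tmp
!/var/log
!/var/cache
!${aide_db_dir}
!/var/tmp
EOF
  echo "FIM configuration created at $aide_conf"
  echo "Run 'aideinit' to initialize the database after installation"
}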
#######################################
# Initialize the AIDE database with the Debian aideinit wrapper.
# When aideinit is not on PATH the function only prints a warning (to stdout,
# like the rest of the script) and returns 0.
# Outputs:   status message on stdout
# Returns:   0 when aideinit is absent; otherwise aideinit's result is
#            reported by the echo that follows it
#######################################
initialize_fim() {
  if ! command -v aideinit >/dev/null 2>&1; then
    echo "WARNING: aideinit not found, manual initialization required"
    return 0
  fi
  aideinit --force
  echo "AIDE database initialized"
}
#######################################
# Write the pam_limits drop-in: no core dumps, capped process counts.
# Arguments: $1 - output file (default /etc/security/limits.d/security.conf)
# Outputs:   writes the file; prints its path to stdout
#######################################
configure_system_limits() {
  local target="${1:-/etc/security/limits.d/security.conf}"
  printf '%s\n' \
    '# System security limits' \
    '* hard core 0' \
    '* soft nproc 1024' \
    '* hard nproc 2048' >"$target"
  echo "System limits configured at $target"
}
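#######################################
# Write the auditd rules file (CIS 6.2, FedRAMP AU-2, CMMC AU.2.042).
# Compared with the previous version this also watches the whole /etc/ssh/
# directory (the defensive sshd_config is generated by this script too) and
# adds the 32-bit ABI companion to the module-loading syscall rule, without
# which a 32-bit caller would bypass that rule. Making the rule set
# immutable (-e 2) is intentionally left to a separate, last-sorted rules
# file so augenrules does not lock the set before later drop-ins load.
# Arguments: $1 - output file (default /etc/audit/rules.d/audit.rules)
# Outputs:   writes the file; prints its path to stdout
#######################################
configure_audit_rules() {
  local output_file="${1:-/etc/audit/rules.d/audit.rules}"
  cat >"$output_file" <<'EOF'
# Comprehensive Audit Rules for KNEL-Football Secure OS
# Reference: CIS Benchmark 6.2, FedRAMP AU-2/AU-3, CMMC AU.2.042/AU.3.059
# Note: put "-e 2" (immutable rules) in a separate 99-*.rules file so it
# sorts last when augenrules merges this directory.
## Identity and access management
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
## Authentication configuration
-w /etc/pam.d/ -p wa -k authentication
-w /etc/security/ -p wa -k authentication
-w /etc/login.defs -p wa -k authentication
-w /var/log/faillog -p wa -k authentication
-w /var/log/lastlog -p wa -k authentication
-w /var/log/tallylog -p wa -k authentication
## Network configuration
-w /etc/network/ -p wa -k network_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k network_config
-w /etc/resolv.conf -p wa -k network_config
-w /etc/nftables.conf -p wa -k firewall
-w /etc/wireguard/ -p wa -k wireguard_config
## SSH configuration (client only - the sshd_config baseline is also watched)
-w /etc/ssh/ -p wa -k ssh_config
-w /etc/ssh/ssh_config -p wa -k ssh_config
## System configuration
-w /etc/fstab -p wa -k filesystem
-w /etc/crypttab -p wa -k encryption
-w /etc/modprobe.d/ -p wa -k kernel_modules
-w /etc/sysctl.conf -p wa -k kernel_parameters
-w /etc/sysctl.d/ -p wa -k kernel_parameters
## Boot configuration
-w /boot/ -p wa -k boot_config
-w /efi/ -p wa -k boot_config
-w /etc/default/grub -p wa -k boot_config
-w /etc/grub.d/ -p wa -k boot_config
## Audit subsystem (self-monitoring)
-w /etc/audit/ -p wa -k audit_config
-w /var/log/audit/ -p wa -k audit_logs
## Time synchronization
-w /etc/chrony/ -p wa -k time_sync
-w /etc/ntp.conf -p wa -k time_sync
## System administration
-w /usr/bin/sudo -p x -k privilege_escalation
-w /usr/bin/su -p x -k privilege_escalation
-w /usr/bin/passwd -p x -k password_change
-w /usr/bin/chsh -p x -k user_modification
-w /usr/bin/usermod -p x -k user_modification
## Session monitoring
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
## Module loading (both ABIs, so a 32-bit caller cannot slip past the rule)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -k kernel_modules
## File integrity monitoring alerts
-w /var/lib/aide/ -p wa -k file_integrity
EOF
  echo "Audit rules configured at $output_file"
}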
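#######################################
# Apply every hardening configuration.
# Arguments: $1 - optional root directory to write under (a chroot or a
#                 temporary tree in tests); empty means the running system.
#                 Previously $1 was handed to every generator as its output
#                 file, so any non-empty argument made all generators
#                 overwrite the same single file.
# Outputs:   progress messages on stdout
# Returns:   non-zero as soon as a generator fails (set -e in the script)
#######################################
# shellcheck disable=SC2120
apply_security_hardening() {
  local root="${1:-}"
  # Drop a trailing slash so "$root/etc" never becomes "//etc".
  root="${root%/}"
  echo "Applying security hardening..."
  # The generators do not create parent directories; a fresh root has none.
  mkdir -p -- "${root}/etc/modprobe.d" "${root}/etc/ssh" \
    "${root}/etc/security/limits.d" "${root}/etc/audit/rules.d" \
    "${root}/etc/aide"
  create_wifi_blacklist "${root}/etc/modprobe.d/blacklist-wifi.conf"
  create_bluetooth_blacklist "${root}/etc/modprobe.d/blacklist-bluetooth.conf"
  configure_ssh_client "${root}/etc/ssh/ssh_config"
  configure_ssh "${root}/etc/ssh/sshd_config"
  configure_password_policy "${root}/etc/security/pwquality.conf"
  configure_system_limits "${root}/etc/security/limits.d/security.conf"
  configure_audit_rules "${root}/etc/audit/rules.d/audit.rules"
  # Only the config file is relocated; the database paths written inside it
  # stay runtime paths, since aide reads them on the installed system.
  configure_fim "${root}/etc/aide/aide.conf"
  echo "Security hardening completed."
  echo "IMPORTANT: Run 'aideinit' to initialize file integrity database after installation"
}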
#######################################
# Entry point: announce, run apply_security_hardening with the script's
# arguments, and report completion.
# Arguments: forwarded unchanged to apply_security_hardening
# Outputs:   progress messages on stdout
#######################################
main() {
  printf '%s\n' "Starting KNEL-Football security hardening..."
  apply_security_hardening "$@"
  printf '%s\n' "Security hardening completed successfully!"
}
# Run main only when executed directly; when sourced (e.g. by the test
# suite) the file just defines the functions.
[[ ${BASH_SOURCE[0]} != "$0" ]] || main "$@"