reachableceo
2b422cf62c
Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2.7 KiB
Executable File
2.7 KiB
Executable File