KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
af03f2febad27a3655ca627baee08f065ffe7629
football/src/security-hardening.sh
Charles N Wyble 0807611efe feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC 
Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture

Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins

No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-02-17 12:24:30 -05:00

308 lines
8.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Security hardening script
set -euo pipefail
# Function to create WiFi module blacklist
create_wifi_blacklist() {
local output_file="${1:-/etc/modprobe.d/blacklist-wifi.conf}"
cat >"$output_file" <<'EOF'
# WiFi module blacklisting
blacklist cfg80211
blacklist mac80211
blacklist brcmfmac
blacklist iwlwifi
blacklist ath9k
blacklist rt73usb
EOF
echo "WiFi blacklist created at $output_file"
}
# Function to create Bluetooth module blacklist
create_bluetooth_blacklist() {
local output_file="${1:-/etc/modprobe.d/blacklist-bluetooth.conf}"
cat >"$output_file" <<'EOF'
# Bluetooth module blacklisting
blacklist btusb
blacklist bluetooth
blacklist btrtl
blacklist btintel
blacklist btbcm
EOF
echo "Bluetooth blacklist created at $output_file"
}
# Function to configure SSH client (client only - no server)
# This system does NOT run an SSH server per security requirements
configure_ssh_client() {
local output_file="${1:-/etc/ssh/ssh_config}"
cat >"$output_file" <<'EOF'
# SSH Client Configuration
# Reference: PRD FR-006 - Client-only, no inbound SSH services
# Global defaults
Host *
# Security settings
PasswordAuthentication no
PubkeyAuthentication yes
# Key algorithms (modern, secure)
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Connection settings
ConnectTimeout 30
ServerAliveInterval 300
ServerAliveCountMax 2
# Strict host key checking
StrictHostKeyChecking ask
UserKnownHostsFile ~/.ssh/known_hosts
EOF
echo "SSH client configuration created at $output_file"
}
# Function to configure password policy
configure_password_policy() {
local output_file="${1:-/etc/security/pwquality.conf}"
cat >"$output_file" <<'EOF'
# KNEL-Football Password Quality Requirements (MANDATORY for tier0 security)
# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
# All passwords/passphrases must meet these strict requirements
# Minimum length: 14 characters (strongly recommended: 20+ characters)
minlen = 14
# Minimum requirements (negative values = mandatory minimum counts)
dcredit = -1 # Require at least 1 digit (0-9)
ucredit = -1 # Require at least 1 uppercase letter (A-Z)
lcredit = -1 # Require at least 1 lowercase letter (a-z)
ocredit = -1 # Require at least 1 special character (!@#$%^&*)
# Additional complexity requirements
difok = 4 # Require at least 4 characters different from old password
maxrepeat = 2 # Max 2 consecutive identical characters
maxclassrepeat = 2 # Max 2 consecutive characters from same class
maxsequence = 2 # Max 2 monotonic character sequences (e.g., 123, abc)
# Security checks (all enabled)
usercheck = 1 # Check if password contains username
dictcheck = 1 # Check against common dictionary words
gecoscheck = 1 # Check against GECOS field information
enforcing = 1 # Reject weak passwords (for all users including root)
# Reject common weak patterns
badwords = password secret admin root knel football tier0 12345 qwerty
# Additional restrictions
minclass = 3 # Require at least 3 of 4 character classes
# Classes: digits, uppercase, lowercase, other characters
EOF
echo "Password policy configured at $output_file"
echo "Requirements: 14+ chars, 1 uppercase, 1 lowercase, 1 digit, 1 special char"
}
# Function to configure AIDE (File Integrity Monitoring)
# Reference: CIS 1.4, FedRAMP AC-6, CMMC AU.3.059
configure_fim() {
local aide_conf="${1:-/etc/aide/aide.conf}"
# Database location is configured in aide.conf below
# shellcheck disable=SC2034
local aide_db="${2:-/var/lib/aide/aide.db}"
cat >"$aide_conf" <<'EOF'
# AIDE Configuration for KNEL-Football Secure OS
# File Integrity Monitoring (FIM) - CIS/FedRAMP/CMMC Compliance
# Reference: CIS Benchmark 1.4, FedRAMP AU-7, CMMC AU.3.059
# Database locations
database_out=file:/var/lib/aide/aide.db.new
database=file:/var/lib/aide/aide.db
# Report URL
report_url=stdout
# Custom group definitions for security-critical files
SECURITY = p+u+g+s+m+c+md5+sha256+sha512
# Monitor critical system directories
/etc SECURITY
/boot SECURITY
/usr SECURITY
/bin SECURITY
/sbin SECURITY
/lib SECURITY
/lib64 SECURITY
# Monitor SSH configurations
/etc/ssh SECURITY
# Monitor WireGuard configurations
/etc/wireguard SECURITY
# Monitor security configurations
/etc/security SECURITY
/etc/audit SECURITY
/etc/modprobe.d SECURITY
/etc/nftables.conf SECURITY
# Monitor sudo and PAM
/etc/sudoers SECURITY
/etc/sudoers.d SECURITY
/etc/pam.d SECURITY
# Exclude paths that change legitimately
!/proc
!/sys
!/dev
!/run
!/tmp
!/var/log
!/var/cache
!/var/lib/aide
!/var/tmp
EOF
echo "FIM configuration created at $aide_conf"
echo "Run 'aideinit' to initialize the database after installation"
}
# Function to initialize AIDE database
initialize_fim() {
if command -v aideinit >/dev/null 2>&1; then
aideinit --force
echo "AIDE database initialized"
else
echo "WARNING: aideinit not found, manual initialization required"
fi
}
# Function to configure system limits
configure_system_limits() {
local output_file="${1:-/etc/security/limits.d/security.conf}"
cat >"$output_file" <<'EOF'
# System security limits
* hard core 0
* soft nproc 1024
* hard nproc 2048
EOF
echo "System limits configured at $output_file"
}
# Function to configure audit rules (CIS 6.2, FedRAMP AU-2, CMMC AU.2.042)
configure_audit_rules() {
local output_file="${1:-/etc/audit/rules.d/audit.rules}"
cat >"$output_file" <<'EOF'
# Comprehensive Audit Rules for KNEL-Football Secure OS
# Reference: CIS Benchmark 6.2, FedRAMP AU-2/AU-3, CMMC AU.2.042/AU.3.059
## Identity and access management
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
## Authentication configuration
-w /etc/pam.d/ -p wa -k authentication
-w /etc/security/ -p wa -k authentication
-w /etc/login.defs -p wa -k authentication
-w /var/log/faillog -p wa -k authentication
-w /var/log/lastlog -p wa -k authentication
-w /var/log/tallylog -p wa -k authentication
## Network configuration
-w /etc/network/ -p wa -k network_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k network_config
-w /etc/resolv.conf -p wa -k network_config
-w /etc/nftables.conf -p wa -k firewall
-w /etc/wireguard/ -p wa -k wireguard_config
## SSH client configuration (no server - client only)
-w /etc/ssh/ssh_config -p wa -k ssh_config
## System configuration
-w /etc/fstab -p wa -k filesystem
-w /etc/crypttab -p wa -k encryption
-w /etc/modprobe.d/ -p wa -k kernel_modules
-w /etc/sysctl.conf -p wa -k kernel_parameters
-w /etc/sysctl.d/ -p wa -k kernel_parameters
## Boot configuration
-w /boot/ -p wa -k boot_config
-w /efi/ -p wa -k boot_config
-w /etc/default/grub -p wa -k boot_config
-w /etc/grub.d/ -p wa -k boot_config
## Audit subsystem (self-monitoring)
-w /etc/audit/ -p wa -k audit_config
-w /var/log/audit/ -p wa -k audit_logs
## Time synchronization
-w /etc/chrony/ -p wa -k time_sync
-w /etc/ntp.conf -p wa -k time_sync
## System administration
-w /usr/bin/sudo -p x -k privilege_escalation
-w /usr/bin/su -p x -k privilege_escalation
-w /usr/bin/passwd -p x -k password_change
-w /usr/bin/chsh -p x -k user_modification
-w /usr/bin/usermod -p x -k user_modification
## Session monitoring
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
## Module loading
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
## File integrity monitoring alerts
-w /var/lib/aide/ -p wa -k file_integrity
EOF
echo "Audit rules configured at $output_file"
}
# Function to apply all security configurations
# shellcheck disable=SC2120
apply_security_hardening() {
echo "Applying security hardening..."
create_wifi_blacklist "${1:-}"
create_bluetooth_blacklist "${2:-}"
configure_ssh_client "${3:-}"
configure_password_policy "${4:-}"
configure_fim "${5:-}"
configure_system_limits "${6:-}"
configure_audit_rules "${7:-}"
echo "Security hardening completed."
echo "IMPORTANT: Run 'aideinit' to initialize file integrity database after installation"
}
# Main execution
main() {
echo "Starting KNEL-Football security hardening..."
apply_security_hardening
echo "Security hardening completed successfully!"
}
# Run main if script is executed directly
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
main "$@"
fi
Reference in New Issue View Git Blame Copy Permalink