- fix(shellcheck): SC2016 in encryption-setup.sh - remove non-expanding $(blkid...) - fix(shellcheck): SC1091 in firewall-setup.sh and security-hardening.sh - add disable directives - security: SSH PasswordAuthentication yes -> no (PRD FR-006 violation) - fix: date expansion in encryption-validation.sh heredoc - docs: create SDLC.md with TDD workflow and security requirements - docs: update AGENTS.md to reference SDLC.md - chore: update STATUS.md with build completion - chore: minor build-iso.sh output formatting All 78 tests pass (63 run, 15 skip for libvirt). Zero shellcheck warnings. 💘 Generated with Crush Assisted-by: GLM-5 via Crush <crush@charm.land>
#!/bin/bash
# Live-system hook: applies the project's security hardening steps.
#
# The step functions called below are not defined in this file. They are
# expected to come from /build/src/security-hardening.sh, which is sourced into
# this shell and therefore runs with the same privileges as the hook itself.
# NOTE(review): this makes the contents of the build volume trusted input for
# the image; confirm that only the build can write to it.
set -euo pipefail

printf '%s\n' "Applying security hardening..."

# The library lives on the build volume. The path exists at build time inside
# the Docker container, so shellcheck cannot follow it from a checkout.
# shellcheck disable=SC1091
. /build/src/security-hardening.sh

# Hardening steps, run in this fixed order:
#   create_wifi_blacklist      - WiFi module blacklist
#   create_bluetooth_blacklist - Bluetooth module blacklist
#   configure_ssh              - SSH configuration
#   configure_password_policy  - password policy
#   configure_system_limits    - system limits
#   configure_audit_rules      - audit rules
# Under `set -e` a step that returns non-zero stops the hook, so the completion
# message below is only printed when every step has succeeded.
for _hook_step in \
  create_wifi_blacklist \
  create_bluetooth_blacklist \
  configure_ssh \
  configure_password_policy \
  configure_system_limits \
  configure_audit_rules; do
  "$_hook_step"
done

# Enable the auditd service unit.
systemctl enable auditd

printf '%s\n' "Security hardening completed."