KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ccab1e2b1907fde8e890db707cdd92d47a9bcc1e
football/config/hooks/live/kernel-hardening.sh
reachableceo 9459c84fbc fix: resolve all audit findings in hooks, config, and package list 
Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 08:41:52 -05:00

77 lines
2.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Kernel parameter hardening - PRD FR-007
# Reference: CIS Benchmark, NIST SP 800-53, PRD security-model.md
set -euo pipefail
echo "Applying kernel hardening parameters..."
# Configure sysctl security parameters
mkdir -p /etc/sysctl.d
cat >/etc/sysctl.d/99-knel-security.conf <<'EOF'
# KNEL-Football Kernel Security Parameters
# Reference: PRD FR-007, CIS Benchmark 3.1-3.4, NIST SP 800-53
# Enable ASLR (Address Space Layout Randomization)
kernel.randomize_va_space = 2
# Restrict ptrace (prevent process inspection by unprivileged users)
kernel.yama.ptrace_scope = 2
# Restrict access to kernel pointer addresses
kernel.kptr_restrict = 2
# Restrict dmesg to privileged users
kernel.dmesg_restrict = 1
# Restrict unprivileged use of BPF
kernel.unprivileged_bpf_disabled = 1
# Restrict kernel profiling
kernel.perf_event_paranoid = 3
# Disable kexec (prevent kernel replacement)
kernel.kexec_load = 0
# Restrict access to kernel logs
dev.tty.ldisc_autoload = 0
# Restrict user namespaces
user.max_user_namespaces = 100
# Disable core dumps for SUID binaries
fs.suid_dumpable = 0
# Protect hardlinks and symlinks
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
# Network security
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
EOF
# Apply sysctl settings
sysctl --system 2>/dev/null || true
echo "Kernel hardening completed."
Reference in New Issue View Git Blame Copy Permalink