KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efb69887191b3f573f091ae86b34a660a99916f1
football/config/hooks/installed/install-scripts.sh
reachableceo 2b422cf62c fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport 
Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:08:54 -05:00

225 lines
6.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Install source scripts and configure system
set -euo pipefail
echo "Installing source scripts..."
# Install firewall-setup script (embedded - /workspace not available in installed system)
cat >/usr/local/bin/firewall-setup.sh <<'FIREWALL_SCRIPT'
#!/bin/bash
set -euo pipefail
parse_wg_endpoint() {
local wg_config="${1:-/etc/wireguard/wg0.conf}"
if [[ ! -f $wg_config ]]; then
echo "Error: WireGuard config not found at $wg_config"
return 1
fi
grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
echo "Error: Could not parse endpoint from WireGuard config"
return 1
}
}
generate_nftables_rules() {
local endpoint="$1"
local ip="${endpoint%:*}"
local port="${endpoint#*:}"
cat <<NFTCONF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop
iif lo accept comment "Accept loopback"
ct state established,related accept comment "Accept established/related"
udp sport 67 udp dport 68 accept comment "Accept DHCP"
icmp type echo-request accept comment "Accept ping"
}
chain forward {
type filter hook forward priority 0; policy drop
}
chain output {
type filter hook output priority 0; policy drop
oif lo accept comment "Accept loopback"
ct state established,related accept comment "Accept established/related"
udp dport 67 accept comment "Allow DHCP"
udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
oifname "wg*" accept comment "Allow VPN tunnel traffic"
icmp type echo-request accept comment "Allow ping"
}
}
NFTCONF
}
apply_firewall() {
local wg_config="${1:-/etc/wireguard/wg0.conf}"
if [[ -f $wg_config ]]; then
endpoint=$(parse_wg_endpoint "$wg_config")
if [[ -n $endpoint ]]; then
generate_nftables_rules "$endpoint" >/etc/nftables.conf
systemctl enable nftables
systemctl restart nftables
echo "Firewall configured for endpoint: $endpoint"
else
echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
fi
else
echo "Warning: WireGuard config not found, using default deny policy"
fi
}
main() {
echo "Setting up dynamic firewall..."
apply_firewall "$@"
echo "Firewall setup completed."
}
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
main "$@"
fi
FIREWALL_SCRIPT
chmod +x /usr/local/bin/firewall-setup.sh
# Install security-hardening script (embedded)
cat >/usr/local/bin/security-hardening.sh <<'HARDENING_SCRIPT'
#!/bin/bash
# KNEL-Football Security Hardening Utility (installed system)
# Re-applies security hardening or checks current status
set -euo pipefail
check_encryption_status() {
echo "Checking encryption status..."
if command -v cryptsetup >/dev/null 2>&1; then
for dev in /dev/mapper/*; do
if [ -e "$dev" ]; then
echo "Encrypted device: $dev"
cryptsetup status "$dev" 2>/dev/null | head -5 || true
fi
done
else
echo "WARNING: cryptsetup not found"
fi
}
check_kernel_hardening() {
echo "Checking kernel hardening..."
local params="kernel.randomize_va_space kernel.yama.ptrace_scope kernel.kptr_restrict kernel.dmesg_restrict"
for param in $params; do
local val
val=$(sysctl -n "$param" 2>/dev/null || echo "N/A")
echo " $param = $val"
done
}
check_firewall() {
echo "Checking firewall status..."
if command -v nft >/dev/null 2>&1; then
nft list ruleset 2>/dev/null | head -20 || echo " No nftables rules loaded"
else
echo " WARNING: nft not found"
fi
}
check_services() {
echo "Checking disabled services..."
for svc in avahi-daemon cups bluetooth ModemManager; do
if systemctl is-enabled "$svc" 2>/dev/null | grep -q "masked\|disabled"; then
echo " $svc: DISABLED (OK)"
else
echo " $svc: WARNING - may be enabled"
fi
done
}
main() {
echo "KNEL-Football Security Hardening Utility"
echo "========================================="
echo ""
check_encryption_status
echo ""
check_kernel_hardening
echo ""
check_firewall
echo ""
check_services
echo ""
echo "Security check completed."
}
if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
main "$@"
fi
HARDENING_SCRIPT
chmod +x /usr/local/bin/security-hardening.sh
# Create VPN configuration apply script
cat >/usr/local/bin/apply-vpn-config.sh <<'EOF'
#!/bin/bash
# Apply VPN configuration and update firewall
set -euo pipefail
# Apply firewall configuration
/usr/local/bin/firewall-setup.sh
# Start WireGuard if configuration exists
if [[ -f "/etc/wireguard/wg0.conf" ]]; then
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
echo "WireGuard started successfully."
else
echo "Warning: WireGuard configuration not found."
fi
echo "VPN configuration applied successfully."
EOF
chmod +x /usr/local/bin/apply-vpn-config.sh
# Create desktop shortcuts
mkdir -p /usr/share/applications
# WireGuard Configuration Editor shortcut
cat >/usr/share/applications/wg-config.desktop <<EOF
[Desktop Entry]
Name=WireGuard Configuration
Comment=Edit WireGuard configuration
Exec=pkexec mousepad /etc/wireguard/wg0.conf
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF
# VPN Configuration Apply shortcut
cat >/usr/share/applications/apply-vpn.desktop <<EOF
[Desktop Entry]
Name=Apply VPN Configuration
Comment=Apply WireGuard configuration and start VPN
Exec=pkexec /usr/local/bin/apply-vpn-config.sh
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF
# WireGuard QR Code Import shortcut
cat >/usr/share/applications/scan-wireguard-qr.desktop <<EOF
[Desktop Entry]
Name=Import WireGuard QR Code
Comment=Scan QR code to import WireGuard configuration
Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
Icon=camera-web
Terminal=true
Type=Application
Categories=Network;System;
EOF
# Create WireGuard configuration directory
mkdir -p /etc/wireguard
# Add football to appropriate groups (NOT sudo - access via sudoers.d only)
usermod -a -G audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true
echo "Source scripts installed successfully."
Reference in New Issue View Git Blame Copy Permalink