KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efb69887191b3f573f091ae86b34a660a99916f1
football/config/hooks/live/security-hardening.sh
reachableceo 3d2ef3d5c2 fix: honest remediation batch 3 - fix broken claims and real Argon2id 
Previous commits marked findings as  that were actually superficial or
broken. This commit fixes the real problems honestly.

Real fixes:
- Argon2id KDF: Fixed via preseed partman/early_command that patches
  partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id.
  Previous luks-kdf-configure.sh "auto-conversion" was dead code
  (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it).
  Now the hook is an honest verifier, not a fake converter.
- src/security-hardening.sh: Removed sshd_config generation entirely
  (was still generating it despite claiming client-only)
- AIDE init: Removed || true error swallowing, now reports failures
- COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets
  with honest explanation of what's missing (3PAO, org controls)
- VERIFICATION-REPORT.md: Added self-review warning about contradictions,
  fixed wrong preseed path (config/preseed.cfg → includes.installer/)
- Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md
- encryption-setup.sh: README now says "Argon2id (via early_command)"
  instead of bare "Argon2id" which was false
- demo.preseed.cfg: Added same Argon2id early_command
- Added .dockerignore (was missing)
- Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc)

Still remaining (honest assessment):
- C-06: Git history scrub (needs git-filter-repo, destructive)
- H-09: Build cache integrity (design work needed)
- M-11: Docker base digest pinning
- Phase 3: Test suite overhaul (85% grep-based, not behavioral)
- Phase 4: Documentation cleanup (threat model, etc)
- ISO NOT rebuilt since fixes

786 tests pass, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:51:20 -05:00

227 lines
6.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Security hardening hook for live system (self-contained)
# Reference: PRD FR-005, FR-006, FR-007
set -euo pipefail
echo "Applying security hardening..."
# WiFi module blacklist
cat >/etc/modprobe.d/blacklist-wifi.conf <<'EOF'
# WiFi module blacklisting - PRD FR-005
blacklist cfg80211
blacklist mac80211
blacklist brcmfmac
blacklist brcmsmac
blacklist brcm80211
blacklist iwlwifi
blacklist iwlmvm
blacklist ath9k
blacklist ath9k_htc
blacklist ath10k_pci
blacklist ath10k_sdio
blacklist ath11k_pci
blacklist ath11k_ahb
blacklist rtl8188ee
blacklist rtl8192ce
blacklist rtl8192se
blacklist rtl8723ae
blacklist rtl8821ae
blacklist rtl8xxxu
blacklist rt73usb
blacklist rt2800usb
blacklist rt2x00lib
blacklist rt2x00usb
blacklist mwifiex
blacklist mwifiex_pcie
blacklist mwifiex_sdio
blacklist r8188eu
blacklist r8723bs
EOF
# Bluetooth module blacklist
cat >/etc/modprobe.d/blacklist-bluetooth.conf <<'EOF'
# Bluetooth module blacklisting - PRD FR-005
blacklist btusb
blacklist bluetooth
blacklist btrtl
blacklist btintel
blacklist btbcm
blacklist bnep
blacklist rfcomm
blacklist hidp
EOF
# SSH client configuration (client only - no server per PRD FR-006)
mkdir -p /etc/ssh
cat >/etc/ssh/ssh_config <<'EOF'
# SSH Client Configuration
# Reference: PRD FR-006 - Client-only, no inbound SSH services
Host *
PasswordAuthentication no
PubkeyAuthentication yes
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
ConnectTimeout 30
ServerAliveInterval 300
ServerAliveCountMax 2
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
# SSH server is NOT installed per PRD FR-006
# Ensure no sshd_config exists to prevent accidental activation
rm -f /etc/ssh/sshd_config
touch /etc/ssh/sshd_config.disabled
echo "# SSH server disabled per PRD FR-006" > /etc/ssh/sshd_config.disabled
# Password policy - PRD FR-007, NIST SP 800-63B
mkdir -p /etc/security
cat >/etc/security/pwquality.conf <<'EOF'
# KNEL-Football Password Quality Requirements
# Reference: NIST SP 800-63B, CIS Benchmarks for Debian
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
difok = 4
maxrepeat = 2
maxclassrepeat = 2
maxsequence = 2
usercheck = 1
dictcheck = 1
gecoscheck = 1
enforcing = 1
badwords = password secret admin root knel football tier0 12345 qwerty
minclass = 3
EOF
# Enforce PAM password quality via common-password
# Ensure pam_pwquality.so is the first password module with enforce_for_root
if [ -f /etc/pam.d/common-password ]; then
if ! grep -q "pam_pwquality.so" /etc/pam.d/common-password 2>/dev/null; then
sed -i '/^password.*pam_unix.so/i password\trequisite\t\t\tpam_pwquality.so retry=3 enforce_for_root' /etc/pam.d/common-password
else
sed -i 's/pam_pwquality.so.*/pam_pwquality.so retry=3 enforce_for_root/' /etc/pam.d/common-password
fi
fi
# File Integrity Monitoring (AIDE) - CIS 1.4, FedRAMP AU-7, CMMC AU.3.059
mkdir -p /etc/aide
cat >/etc/aide/aide.conf <<'EOF'
# AIDE Configuration - CIS/FedRAMP/CMMC Compliance
database_out=file:/var/lib/aide/aide.db.new
database=file:/var/lib/aide/aide.db
report_url=stdout
SECURITY = p+u+g+s+m+c+md5+sha256+sha512
/etc SECURITY
/boot SECURITY
/usr SECURITY
/bin SECURITY
/sbin SECURITY
/lib SECURITY
/lib64 SECURITY
/etc/ssh SECURITY
/etc/wireguard SECURITY
/etc/security SECURITY
/etc/audit SECURITY
/etc/modprobe.d SECURITY
/etc/nftables.conf SECURITY
/etc/sudoers SECURITY
/etc/sudoers.d SECURITY
/etc/pam.d SECURITY
!/proc
!/sys
!/dev
!/run
!/tmp
!/var/log
!/var/cache
!/var/lib/aide
!/var/tmp
EOF
# System resource limits
mkdir -p /etc/security/limits.d
cat >/etc/security/limits.d/security.conf <<'EOF'
* hard core 0
* soft nproc 1024
* hard nproc 2048
EOF
# Audit rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042
mkdir -p /etc/audit/rules.d
cat >/etc/audit/rules.d/audit.rules <<'EOF'
# Comprehensive Audit Rules - CIS 6.2, FedRAMP AU-2, CMMC AU.2.042
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
-w /etc/pam.d/ -p wa -k authentication
-w /etc/security/ -p wa -k authentication
-w /etc/login.defs -p wa -k authentication
-w /var/log/faillog -p wa -k authentication
-w /var/log/lastlog -p wa -k authentication
-w /var/log/tallylog -p wa -k authentication
-w /etc/network/ -p wa -k network_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k network_config
-w /etc/resolv.conf -p wa -k network_config
-w /etc/nftables.conf -p wa -k firewall
-w /etc/wireguard/ -p wa -k wireguard_config
-w /etc/ssh/ssh_config -p wa -k ssh_config
-w /etc/fstab -p wa -k filesystem
-w /etc/crypttab -p wa -k encryption
-w /etc/modprobe.d/ -p wa -k kernel_modules
-w /etc/sysctl.conf -p wa -k kernel_parameters
-w /etc/sysctl.d/ -p wa -k kernel_parameters
-w /boot/ -p wa -k boot_config
-w /efi/ -p wa -k boot_config
-w /etc/default/grub -p wa -k boot_config
-w /etc/grub.d/ -p wa -k boot_config
-w /etc/audit/ -p wa -k audit_config
-w /var/log/audit/ -p wa -k audit_logs
-w /etc/chrony/ -p wa -k time_sync
-w /etc/ntp.conf -p wa -k time_sync
-w /usr/bin/sudo -p x -k privilege_escalation
-w /usr/bin/su -p x -k privilege_escalation
-w /usr/bin/passwd -p x -k password_change
-w /usr/bin/chsh -p x -k user_modification
-w /usr/bin/usermod -p x -k user_modification
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_modules
-w /var/lib/aide/ -p wa -k file_integrity
EOF
# Enable auditd service
systemctl enable auditd
# Initialize AIDE database
if command -v aideinit >/dev/null 2>&1; then
if aideinit --force; then
echo "AIDE database initialized successfully"
else
echo "WARNING: AIDE database initialization failed"
echo "Run 'aideinit --force' manually after installation"
fi
fi
# Create daily AIDE check cron job
mkdir -p /etc/cron.daily
cat > /etc/cron.daily/aide-check <<'AIDECRON'
#!/bin/bash
# Daily AIDE integrity check
if command -v aide >/dev/null 2>&1; then
aide --check 2>&1 | logger -t aide-check
fi
AIDECRON
chmod +x /etc/cron.daily/aide-check
echo "Security hardening completed."
Reference in New Issue View Git Blame Copy Permalink