commander/alfred-linux
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity
master
alfred-linux/config/hooks/live/0160-alfred-security.hook.chroot.bak

177 lines
8.7 KiB
Plaintext
Raw Permalink Normal View History

Initial commit: Alfred Linux v4.0 build system - build-unified.sh: master build script (16 hooks, kernel 7.0.0-rc7) - config/package-lists: Debian package selections - assets: Alfred Commander extension tarball - docs: ARM64 investigation, kernel upgrade roadmap
2026-04-07 11:38:44 -04:00
#!/bin/bash
# ═══════════════════════════════════════════════════════════════
# HOOK 0160: Alfred Linux — Kernel Security Hardening
# Applies comprehensive sysctl security, AppArmor enforcement,
# automatic security updates, and network-level DDoS protection.
# BUILD: v4.0+ (RC7+)
# ═══════════════════════════════════════════════════════════════
set -e
echo "╔═══════════════════════════════════════════════════╗"
echo "║ [0160] Alfred Linux — Security Hardening ║"
echo "╚═══════════════════════════════════════════════════╝"
# ── 1. KERNEL HARDENING (sysctl) ──────────────────────────────
echo "[SEC] Applying kernel security hardening..."
cat > /etc/sysctl.d/99-alfred-security.conf << 'SYSCTL'
# ═══════════════════════════════════════════════════════
# Alfred Linux — Kernel Security Hardening
# Defense-in-depth: Quantum-resistant + traditional hardening
# ═══════════════════════════════════════════════════════
# ── Memory Protection ──
kernel.randomize_va_space = 2 # Full ASLR (stack, VDSO, mmap, heap)
kernel.kptr_restrict = 2 # Hide kernel pointers from ALL users
kernel.dmesg_restrict = 1 # Block kernel log snooping (info leaks)
kernel.perf_event_paranoid = 3 # Restrict perf (side-channel attacks)
kernel.yama.ptrace_scope = 1 # Only parent process can ptrace children
kernel.unprivileged_bpf_disabled = 1 # Block unprivileged eBPF (kernel exploits)
# ── Filesystem Protection ──
fs.protected_hardlinks = 1 # Prevent hardlink-based privilege escalation
fs.protected_symlinks = 1 # Prevent symlink-based privilege escalation
fs.protected_fifos = 2 # Restrict FIFO creation in sticky directories
fs.protected_regular = 2 # Restrict regular file creation in sticky dirs
fs.suid_dumpable = 0 # No core dumps from SUID programs (info leak)
# ── Network: Anti-DDoS & Anti-Spoofing ──
net.ipv4.tcp_syncookies = 1 # SYN flood DDoS protection
net.ipv4.tcp_max_syn_backlog = 4096 # Larger SYN backlog for burst handling
net.ipv4.tcp_synack_retries = 2 # Faster timeout on unanswered SYN-ACKs
net.ipv4.conf.all.rp_filter = 1 # Strict reverse-path filtering (IP spoofing)
net.ipv4.conf.default.rp_filter = 1 # Same for new interfaces
net.ipv4.icmp_echo_ignore_broadcasts = 1 # Block Smurf DDoS attacks
net.ipv4.icmp_ignore_bogus_error_responses = 1 # Ignore bogus ICMP errors
net.ipv4.conf.all.accept_redirects = 0 # Block ICMP redirects (MITM)
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0 # Don't send ICMP redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0 # Block source-routed packets
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1 # Log spoofed/redirected packets
net.ipv4.conf.default.log_martians = 1
# ── TCP Hardening ──
net.ipv4.tcp_timestamps = 1 # Keep timestamps (needed for PAWS)
net.ipv4.tcp_rfc1337 = 1 # Defend against TIME-WAIT assassination
net.ipv4.tcp_fin_timeout = 15 # Faster cleanup of dead connections
net.ipv4.tcp_keepalive_time = 600 # 10min keepalive (detect dead peers faster)
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# ── IPv6 Hardening ──
net.ipv6.conf.default.accept_ra = 0 # Don't accept router advertisements
net.ipv6.conf.all.accept_ra = 0 # (prevents rogue RA attacks)
SYSCTL
# ── 2. APPARMOR ENFORCEMENT ───────────────────────────────────
echo "[SEC] Enabling AppArmor enforcement..."
apt-get install -y apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra 2>/dev/null || true
# Ensure AppArmor is enabled at boot
if [ -f /etc/default/grub ]; then
if ! grep -q "apparmor=1" /etc/default/grub; then
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/GRUB_CMDLINE_LINUX_DEFAULT="\1 apparmor=1 security=apparmor"/' /etc/default/grub
fi
fi
# Enable AppArmor service
systemctl enable apparmor 2>/dev/null || true
# ── 3. AUTOMATIC SECURITY UPDATES ────────────────────────────
echo "[SEC] Configuring automatic security updates..."
apt-get install -y unattended-upgrades apt-listchanges 2>/dev/null || true
cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'UNATTENDED'
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
UNATTENDED
cat > /etc/apt/apt.conf.d/20auto-upgrades << 'AUTOUPGRADE'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
AUTOUPGRADE
# ── 4. FAIL2BAN (brute-force protection) ─────────────────────
echo "[SEC] Installing fail2ban..."
apt-get install -y fail2ban 2>/dev/null || true
cat > /etc/fail2ban/jail.local << 'JAIL'
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
JAIL
systemctl enable fail2ban 2>/dev/null || true
# ── 5. USB GUARD (live session only — optional) ──────────────
echo "[SEC] Setting restrictive USB policy for live sessions..."
cat > /etc/udev/rules.d/99-alfred-usb-guard.rules << 'USB'
# Log all USB device connections for audit trail
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/bin/logger -t alfred-usb 'USB device connected: %k vendor=%s{idVendor} product=%s{idProduct}'"
USB
# ── 6. AUDIT LOGGING ─────────────────────────────────────────
echo "[SEC] Enabling security audit logging..."
apt-get install -y auditd audispd-plugins 2>/dev/null || true
systemctl enable auditd 2>/dev/null || true
# Key audit rules
cat > /etc/audit/rules.d/alfred-security.rules << 'AUDIT'
# Monitor /etc/passwd and shadow changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege
# Monitor SSH config changes
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Monitor kernel module loading
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
# Monitor cron changes
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
AUDIT
echo ""
echo "╔═══════════════════════════════════════════════════╗"
echo "║ [0160] Security Hardening — COMPLETE ║"
echo "║ ║"
echo "║ ✓ 30+ kernel sysctl hardening rules ║"
echo "║ ✓ AppArmor enforced at boot ║"
echo "║ ✓ Automatic security updates (unattended) ║"
echo "║ ✓ Fail2ban (SSH brute-force: 3 tries → 24h ban) ║"
echo "║ ✓ USB device logging ║"
echo "║ ✓ Audit logging (identity, privilege, kernel) ║"
echo "║ ║"
echo "║ Combined with Kyber-1024 PQ encryption, ║"
echo "║ UFW firewall, and SSH hardening from hook 0100. ║"
echo "╚═══════════════════════════════════════════════════╝"
Reference in New Issue Copy Permalink