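#!/bin/bash
# ═══════════════════════════════════════════════════════════════
# HOOK 0160: Alfred Linux — Kernel Security Hardening
# Applies comprehensive sysctl security, AppArmor enforcement,
# automatic security updates, and network-level DDoS protection.
# BUILD: v4.0+ (RC7+)
#
# Runs as root inside the image being built. Every section below only
# WRITES configuration (sysctl.d, apt.conf.d, fail2ban, udev, audit
# rules) or enables units; nothing is applied to the running kernel, so
# the hardening takes effect when the built system boots.
# ═══════════════════════════════════════════════════════════════
set -euo pipefail

# A debconf prompt would hang an unattended build.
export DEBIAN_FRONTEND=noninteractive

#######################################
# Print a diagnostic to stderr without aborting the hook.
# Arguments: message text
#######################################
warn() {
  printf '[SEC] WARNING: %s\n' "$*" >&2
}

#######################################
# Best-effort package install. Failures do not abort the build (as
# before), but are now reported instead of being silently discarded,
# so a missing hardening component shows up in the build log.
# Arguments: package names
# Returns:   0 always
#######################################
install_pkgs() {
  if ! apt-get install -y "$@" 2>/dev/null; then
    warn "could not install: $* — the related hardening step may be incomplete"
  fi
}

#######################################
# Best-effort `systemctl enable`; systemd may be absent in the chroot.
# Arguments: $1 - unit name
# Returns:   0 always
#######################################
enable_unit() {
  if ! systemctl enable "$1" 2>/dev/null; then
    warn "could not enable unit $1"
  fi
}

echo "╔═══════════════════════════════════════════════════╗"
echo "║ [0160] Alfred Linux — Security Hardening ║"
echo "╚═══════════════════════════════════════════════════╝"

# ── 1. KERNEL HARDENING (sysctl) ──────────────────────────────
echo "[SEC] Applying kernel security hardening..."

# Every explanatory comment is on its own line on purpose: sysctl.conf /
# sysctl.d parsers only treat a line whose first non-blank character is
# '#' or ';' as a comment, so "key = 2 # text" would hand the kernel
# "2 # text" as the value (rejected, or applied with an error logged).
cat > /etc/sysctl.d/99-alfred-security.conf << 'SYSCTL'
# ═══════════════════════════════════════════════════════
# Alfred Linux — Kernel Security Hardening
# Defense-in-depth: Quantum-resistant + traditional hardening
#
# Keep comments on their own lines: text after a value is NOT a comment
# to the sysctl parser and is written to the kernel as part of the value.
# ═══════════════════════════════════════════════════════

# ── Memory Protection ──
# Full ASLR (stack, VDSO, mmap, heap)
kernel.randomize_va_space = 2
# Hide kernel pointers from ALL users
kernel.kptr_restrict = 2
# Block kernel log snooping (info leaks)
kernel.dmesg_restrict = 1
# Restrict perf (side-channel attacks)
kernel.perf_event_paranoid = 3
# Only a process's ancestors can ptrace it (needs the Yama LSM)
kernel.yama.ptrace_scope = 1
# Block unprivileged eBPF (kernel exploits)
kernel.unprivileged_bpf_disabled = 1

# ── Filesystem Protection ──
# Prevent hardlink-based privilege escalation
fs.protected_hardlinks = 1
# Prevent symlink-based privilege escalation
fs.protected_symlinks = 1
# Restrict FIFO creation in sticky directories
fs.protected_fifos = 2
# Restrict regular file creation in sticky dirs
fs.protected_regular = 2
# No core dumps from SUID programs (info leak)
fs.suid_dumpable = 0

# ── Network: Anti-DDoS & Anti-Spoofing ──
# SYN flood DDoS protection
net.ipv4.tcp_syncookies = 1
# Larger SYN backlog for burst handling
net.ipv4.tcp_max_syn_backlog = 4096
# Faster timeout on unanswered SYN-ACKs
net.ipv4.tcp_synack_retries = 2
# Strict reverse-path filtering (IP spoofing)
net.ipv4.conf.all.rp_filter = 1
# Same for new interfaces
net.ipv4.conf.default.rp_filter = 1
# Block Smurf DDoS attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Block ICMP redirects (MITM)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Don't send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Log spoofed/redirected packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# ── TCP Hardening ──
# Keep timestamps (needed for PAWS)
net.ipv4.tcp_timestamps = 1
# Defend against TIME-WAIT assassination
net.ipv4.tcp_rfc1337 = 1
# Faster cleanup of dead connections
net.ipv4.tcp_fin_timeout = 15
# 10min keepalive (detect dead peers faster)
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# ── IPv6 Hardening ──
# Don't accept router advertisements (prevents rogue RA attacks).
# This also disables SLAAC, so IPv6 needs static or DHCPv6 configuration.
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_ra = 0
SYSCTL

# ── 2. APPARMOR ENFORCEMENT ───────────────────────────────────
echo "[SEC] Enabling AppArmor enforcement..."

# Installs the LSM, tooling and profile packages. Note that this does not
# switch individual profiles to enforce mode; profiles keep whatever mode
# their package ships them in (some extra profiles may be complain-only).
install_pkgs apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra

# Ensure AppArmor is enabled at boot by appending to the kernel command
# line. Only touched when no apparmor=1 is present; grub.cfg regeneration
# is left to the image build, as before.
if [[ -f /etc/default/grub ]]; then
  if ! grep -q "apparmor=1" /etc/default/grub; then
    sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/GRUB_CMDLINE_LINUX_DEFAULT="\1 apparmor=1 security=apparmor"/' /etc/default/grub
  fi
fi

# Enable AppArmor service
enable_unit apparmor

# ── 3. AUTOMATIC SECURITY UPDATES ─────────────────────────────
echo "[SEC] Configuring automatic security updates..."

install_pkgs unattended-upgrades apt-listchanges

# The heredoc delimiter is quoted on purpose: ${distro_id} and
# ${distro_codename} must reach the file literally, because
# unattended-upgrades expands them itself (with set -u an unquoted
# heredoc would abort here instead).
cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'UNATTENDED'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
UNATTENDED

cat > /etc/apt/apt.conf.d/20auto-upgrades << 'AUTOUPGRADE'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
AUTOUPGRADE

# ── 4. FAIL2BAN (brute-force protection) ──────────────────────
echo "[SEC] Installing fail2ban..."

install_pkgs fail2ban

# jail.local overrides the packaged jail.conf. Writing it fails loudly
# (set -e) if /etc/fail2ban is missing, i.e. if the install above failed.
# logpath assumes a syslog daemon writes /var/log/auth.log; on
# journal-only systems the sshd jail will not see any log lines.
cat > /etc/fail2ban/jail.local << 'JAIL'
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
JAIL

enable_unit fail2ban

# ── 5. USB GUARD (live session only — optional) ───────────────
echo "[SEC] Setting restrictive USB policy for live sessions..."

# Audit trail only: this rule logs USB device connections via logger;
# it does not block or authorize devices.
cat > /etc/udev/rules.d/99-alfred-usb-guard.rules << 'USB'
# Log all USB device connections for audit trail
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/bin/logger -t alfred-usb 'USB device connected: %k vendor=%s{idVendor} product=%s{idProduct}'"
USB

# ── 6. AUDIT LOGGING ──────────────────────────────────────────
echo "[SEC] Enabling security audit logging..."

install_pkgs auditd audispd-plugins
enable_unit auditd

# Key audit rules: identity and privilege files, sshd config, kernel
# module tooling and cron. auditd loads rules.d/ when it starts at boot.
cat > /etc/audit/rules.d/alfred-security.rules << 'AUDIT'
# Monitor /etc/passwd and shadow changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/sudoers.d/ -p wa -k privilege

# Monitor SSH config changes
-w /etc/ssh/sshd_config -p wa -k sshd_config

# Monitor kernel module loading
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules

# Monitor cron changes
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
AUDIT

echo ""
echo "╔═══════════════════════════════════════════════════╗"
echo "║ [0160] Security Hardening — COMPLETE ║"
echo "║ ║"
echo "║ ✓ 30+ kernel sysctl hardening rules ║"
echo "║ ✓ AppArmor enforced at boot ║"
echo "║ ✓ Automatic security updates (unattended) ║"
echo "║ ✓ Fail2ban (SSH brute-force: 3 tries → 24h ban) ║"
echo "║ ✓ USB device logging ║"
echo "║ ✓ Audit logging (identity, privilege, kernel) ║"
echo "║ ║"
echo "║ Combined with Kyber-1024 PQ encryption, ║"
echo "║ UFW firewall, and SSH hardening from hook 0100. ║"
echo "╚═══════════════════════════════════════════════════╝"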