@ebowwa/hetzner 0.1.0

package/bootstrap/kernel-hardening.ts

@@ -0,0 +1,272 @@
+/**
+ * Kernel Hardening Cloud-Init Components
+ *
+ * Composable cloud-init blocks for securing the Linux kernel on new servers.
+ * Implements 2026 best practices for network stack hardening, IP spoofing
+ * protection, SYN flood mitigation, and secure core dump policies.
+ *
+ * Background: Public-facing VPS servers are constantly probed and attacked.
+ * Default Linux kernel settings prioritize compatibility over security. This
+ * module applies CIS Benchmark-aligned hardening via /etc/sysctl.d/ which
+ * persists across reboots and overrides defaults.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - kernelHardeningPackages()    → packages: section (currently empty, reserved)
+ *   - kernelHardeningWriteFiles()  → write_files: section (drops sysctl config)
+ *   - kernelHardeningRunCmd()      → runcmd: section (applies settings immediately)
+ *
+ * Security Measures Implemented:
+ * 1. Network Stack Hardening: SYN cookies, ICMP rate limits, martian packet logging
+ * 2. IP Spoofing Protection: Reverse path filtering, source address verification
+ * 3. SYN Flood Protection: TCP SYN cookies, reuse time_wait connections
+ * 4. Core Dump Restrictions: Disable setuid dumps, limit core dump size to 0
+ * 5. File Permissions: Hard links, symlinks, FIFO protection
+ * 6. Memory Protection: ASLR, randomize_va_space
+ *
+ * References:
+ * - CIS Benchmark for Ubuntu Linux 24.04
+ * - NIST SP 800-53 Revision 5
+ * - https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+ */
+
+/**
+ * Packages required for kernel hardening.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * Note: All kernel hardening is done via sysctl configuration, which uses
+ * built-in kernel functionality. No additional packages are required.
+ * This function is reserved for future expansion (e.g., auditd, kexec-tools).
+ */
+export function kernelHardeningPackages(): string[] {
+  return [
+    // Reserved for future packages (auditd, kexec-tools, etc.)
+    // Currently empty - all hardening via sysctl
+  ];
+}
+
+/**
+ * Kernel sysctl configuration file for comprehensive hardening.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops /etc/sysctl.d/99-security-hardening.conf which:
+ * - Takes precedence over /etc/sysctl.conf (99- prefix ensures last load)
+ * - Persists across reboots (sysctl.d files are applied on boot)
+ * - Can be applied immediately via `sysctl --system` (see runcmd)
+ *
+ * Settings organized by category:
+ * 1. IP Spoofing Protection: rp_filter, secure redirects
+ * 2. SYN Flood Protection: syncookies, tcp_tw_reuse
+ * 3. Network Stack: ICMP rate limits, martian logging, ignore broadcasts
+ * 4. Core Dumps: Disabled for setuid programs, limited for all processes
+ * 5. Memory Protection: ASLR, randomize_va_space
+ * 6. Filesystem: Hard link/symlink protection
+ */
+export function kernelHardeningWriteFiles(): string[] {
+  const lines: string[] = [];
+
+  lines.push("  # Kernel hardening: sysctl.d configuration for 2026 best practices");
+  lines.push("  # This file persists across reboots and overrides /etc/sysctl.conf");
+  lines.push("  - path: /etc/sysctl.d/99-security-hardening.conf");
+  lines.push("    owner: root:root");
+  lines.push("    permissions: '0644'");
+  lines.push("    content: |");
+  lines.push("      # =================================================================");
+  lines.push("      # Kernel Security Hardening Configuration");
+  lines.push("      # =================================================================");
+  lines.push("      # Applied via cloud-init for com.hetzner.codespaces");
+  lines.push("      # Version: 1.0.0 (2026 best practices)");
+  lines.push("      #");
+  lines.push("      # This configuration follows CIS Benchmark and NIST guidelines");
+  lines.push("      # See: /usr/share/doc/linux-doc/sysctl/ for parameter documentation");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 1. IP SPOOFING PROTECTION");
+  lines.push("      # =================================================================");
+  lines.push("      # Enable reverse path filtering (validates source addresses)");
+  lines.push("      # Prevents IP spoofing attacks by dropping packets with invalid sources");
+  lines.push("      net.ipv4.conf.all.rp_filter = 1");
+  lines.push("      net.ipv4.conf.default.rp_filter = 1");
+  lines.push("");
+  lines.push("      # Log martian packets (packets with impossible addresses)");
+  lines.push("      # Helps detect spoofing attempts and network misconfigurations");
+  lines.push("      net.ipv4.conf.all.log_martians = 1");
+  lines.push("");
+  lines.push("      # Disable ICMP redirect acceptance (prevent MITM attacks)");
+  lines.push("      net.ipv4.conf.all.accept_redirects = 0");
+  lines.push("      net.ipv4.conf.default.accept_redirects = 0");
+  lines.push("      net.ipv4.conf.all.secure_redirects = 0");
+  lines.push("      net.ipv4.conf.default.secure_redirects = 0");
+  lines.push("");
+  lines.push("      # Disable sending ICMP redirects");
+  lines.push("      net.ipv4.conf.all.send_redirects = 0");
+  lines.push("      net.ipv4.conf.default.send_redirects = 0");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 2. SYN FLOOD PROTECTION");
+  lines.push("      # =================================================================");
+  lines.push("      # Enable SYN cookies (protects against SYN flood attacks)");
+  lines.push("      # Allows server to continue accepting connections under SYN flood");
+  lines.push("      net.ipv4.tcp_syncookies = 1");
+  lines.push("");
+  lines.push("      # Reuse TIME_WAIT sockets for new connections (safer, faster)");
+  lines.push("      # Reduces connection table exhaustion under high load");
+  lines.push("      net.ipv4.tcp_tw_reuse = 1");
+  lines.push("");
+  lines.push("      # Reduce SYN backlog and timeouts for faster detection");
+  lines.push("      net.ipv4.tcp_max_syn_backlog = 2048");
+  lines.push("      net.ipv4.tcp_synack_retries = 2");
+  lines.push("      net.ipv4.tcp_syn_retries = 5");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 3. NETWORK STACK HARDENING");
+  lines.push("      # =================================================================");
+  lines.push("      # Disable ICMP redirect acceptance (IPv6)");
+  lines.push("      net.ipv6.conf.all.accept_redirects = 0");
+  lines.push("      net.ipv6.conf.default.accept_redirects = 0");
+  lines.push("");
+  lines.push("      # Ignore ICMP broadcasts (prevent smurf attacks)");
+  lines.push("      net.ipv4.icmp_echo_ignore_broadcasts = 1");
+  lines.push("");
+  lines.push("      # Ignore bogus ICMP error responses (prevent ICMP attacks)");
+  lines.push("      net.ipv4.icmp_ignore_bogus_error_responses = 1");
+  lines.push("");
+  lines.push("      # Enable TCP timestamps (RFC 1323) for better sequence handling");
+  lines.push("      # Also protects against wrapped sequence number attacks");
+  lines.push("      net.ipv4.tcp_timestamps = 1");
+  lines.push("");
+  lines.push("      # Enable TCP selective acknowledgments (better performance)");
+  lines.push("      net.ipv4.tcp_sack = 1");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 4. CORE DUMP RESTRICTIONS");
+  lines.push("      # =================================================================");
+  lines.push("      # Disable core dumps for setuid programs (prevent privilege escalation)");
+  lines.push("      fs.suid_dumpable = 0");
+  lines.push("");
+  lines.push("      # Limit core dump size to 0 (disable core dumps)");
+  lines.push("      # Override in /etc/security/limits.conf if needed for debugging");
+  lines.push("      kernel.core_pattern = |/bin/false");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 5. MEMORY PROTECTION (ASLR)");
+  lines.push("      # =================================================================");
+  lines.push("      # Enable Address Space Layout Randomization (full)");
+  lines.push("      # Makes exploitation of memory corruption vulnerabilities harder");
+  lines.push("      # 0: Disabled, 1: Conservative, 2: Full (default)");
+  lines.push("      kernel.randomize_va_space = 2");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 6. FILESYSTEM PROTECTION");
+  lines.push("      # =================================================================");
+  lines.push("      # Hard link/symlink protection (prevent time-of-check time-of-use)");
+  lines.push("      fs.protected_hardlinks = 1");
+  lines.push("      fs.protected_symlinks = 1");
+  lines.push("");
+  lines.push("      # FIFO protection (prevent FIFO attacks on world-writable directories)");
+  lines.push("      fs.protected_fifos = 2");
+  lines.push("");
+  lines.push("      # Regular file protection (prevent file overwrite attacks)");
+  lines.push("      fs.protected_regular = 2");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 7. NETWORK BEHAVIOR TUNING");
+  lines.push("      # =================================================================");
+  lines.push("      # Enable TCP Fast Open (TFO) for reduced latency");
+  lines.push("      net.ipv4.tcp_fastopen = 3");
+  lines.push("");
+  lines.push("      # Disable source routing (prevent packet routing manipulation)");
+  lines.push("      net.ipv4.conf.all.accept_source_route = 0");
+  lines.push("      net.ipv4.conf.default.accept_source_route = 0");
+  lines.push("      net.ipv6.conf.all.accept_source_route = 0");
+  lines.push("      net.ipv6.conf.default.accept_source_route = 0");
+  lines.push("");
+  lines.push("      # Enable TCP window scaling (RFC 7323) for high-bandwidth links");
+  lines.push("      net.ipv4.tcp_window_scaling = 1");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 8. SECURITY-RELATED KERNEL PARAMETERS");
+  lines.push("      # =================================================================");
+  lines.push("      # Disable magic sysrq key (prevent console-based attacks)");
+  lines.push("      # 0: Disabled, 1: Enable (for debugging only)");
+  lines.push("      kernel.sysrq = 0");
+  lines.push("");
+  lines.push("      # Disable kexec system call (prevent kernel replacement)");
+  lines.push("      # 0: Disabled, 1: Enabled");
+  lines.push("      kernel.kexec_load = 0");
+  lines.push("");
+  lines.push("      # Disable user namespaces (prevent container breakouts)");
+  lines.push("      # 0: Disabled, 1: Enabled");
+  lines.push("      user.max_user_namespaces = 0");
+  lines.push("");
+  lines.push("      # Enable unprivileged bpf disabled (prevent eBPF-based exploits)");
+  lines.push("      # 0: Disabled, 1: Enabled");
+  lines.push("      kernel.unprivileged_bpf_disabled = 1");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 9. ADDITIONAL HARDENING (2026)");
+  lines.push("      # =================================================================");
+  lines.push("      # Disable IPv6 if not needed (uncomment if IPv6 is disabled)");
+  lines.push("      # net.ipv6.conf.all.disable_ipv6 = 1");
+  lines.push("      # net.ipv6.conf.default.disable_ipv6 = 1");
+  lines.push("");
+  lines.push("      # Enable dmesg restriction (prevent kernel info leaks)");
+  lines.push("      kernel.dmesg_restrict = 1");
+  lines.push("");
+  lines.push("      # Restrict ptrace scope (prevent process tracing by non-parent)");
+  lines.push("      # 0: Traditional, 1: Restricted, 2: Admin-only, 3: No attach");
+  lines.push("      kernel.yama.ptrace_scope = 2");
+  lines.push("");
+  lines.push("      # =================================================================");
+  lines.push("      # 10. PERFORMANCE TUNING (safe defaults)");
+  lines.push("      # =================================================================");
+  lines.push("      # Increase connection tracking table size (for stateful firewalls)");
+  lines.push("      net.netfilter.nf_conntrack_max = 262144");
+  lines.push("");
+  lines.push("      # Reduce TCP keepalive timeouts for faster dead peer detection");
+  lines.push("      net.ipv4.tcp_keepalive_time = 600");
+  lines.push("      net.ipv4.tcp_keepalive_intvl = 30");
+  lines.push("      net.ipv4.tcp_keepalive_probes = 3");
+  lines.push("");
+
+  return lines;
+}
+
+/**
+ * Commands to apply kernel hardening settings immediately at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Load all sysctl settings from /etc/sysctl.d/*.conf
+ *   2. Apply settings immediately (don't wait for reboot)
+ *   3. Log applied settings for audit trail
+ *   4. Display summary for cloud-init output verification
+ */
+export function kernelHardeningRunCmd(): string[] {
+  const lines: string[] = [];
+
+  lines.push("  # Kernel hardening: apply sysctl settings immediately");
+  lines.push("  # Settings are already in /etc/sysctl.d/99-security-hardening.conf");
+  lines.push("");
+  lines.push("  # Apply all sysctl settings (overrides defaults immediately)");
+  lines.push("  - sysctl --system");
+  lines.push("");
+  lines.push("  # Log applied settings for audit trail");
+  lines.push("  - sysctl -a | grep -E '(rp_filter|syncookies|randomize_va|suid_dump)' > /var/log/kernel-hardening.log 2>&1 || true");
+  lines.push("");
+  lines.push("  # Display summary of critical hardening settings");
+  lines.push("  - |");
+  lines.push("    echo '========================================'");
+  lines.push("    echo 'Kernel Hardening Applied (2026)'");
+  lines.push("    echo '========================================'");
+  lines.push("    echo 'IP Spoof Protection:    '$(sysctl -n net.ipv4.conf.all.rp_filter)");
+  lines.push("    echo 'SYN Cookies:            '$(sysctl -n net.ipv4.tcp_syncookies)");
+  lines.push("    echo 'ASLR Level:             '$(sysctl -n kernel.randomize_va_space)");
+  lines.push("    echo 'SUID Core Dumps:        '$(sysctl -n fs.suid_dumpable)");
+  lines.push("    echo 'Hard Links Protected:   '$(sysctl -n fs.protected_hardlinks)");
+  lines.push("    echo 'Ptrace Scope:           '$(sysctl -n kernel.yama.ptrace_scope)");
+  lines.push("    echo '========================================'");
+  lines.push("");
+
+  return lines;
+}

package/bootstrap/security-audit.js

@@ -0,0 +1,118 @@
+/**
+ * Security Audit Cloud-Init Components
+ *
+ * Composable cloud-init blocks for running post-bootstrap security audits.
+ * Generates comprehensive security reports for verification and compliance.
+ *
+ * This module runs LAST in the bootstrap sequence, after all other security
+ * hardening is applied. It captures the state of the system for verification.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - securityAuditPackages()    → packages: section
+ *   - securityAuditWriteFiles()  → write_files: section
+ *   - securityAuditRunCmd()      → runcmd: section
+ */
+/**
+ * Packages required for security auditing.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * - lynis: Comprehensive security auditing tool
+ */
+export function securityAuditPackages() {
+    return [
+        "  - lynis",
+    ];
+}
+/**
+ * Files to write at first boot for security auditing.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops 1 file onto the server:
+ *
+ * 1. /opt/monitoring/security-audit.sh
+ *    - Collects security metrics (UFW, fail2ban, sshd, sysctl)
+ *    - Runs Lynis audit with warnings-only output
+ *    - Generates JSON report at /var/log/security-audit.json
+ *    - Logs summary to /var/log/security-audit.log
+ */
+export function securityAuditWriteFiles() {
+    const lines = [];
+    // 1. Security audit script - comprehensive security check
+    lines.push("  # Security audit script - runs after all hardening");
+    lines.push("  - path: /opt/monitoring/security-audit.sh");
+    lines.push("    owner: root:root");
+    lines.push("    permissions: '0755'");
+    lines.push("    content: |");
+    lines.push("      #!/bin/bash");
+    lines.push("      set -euo pipefail");
+    lines.push("      LOGFILE=\"/var/log/security-audit.log\"");
+    lines.push("      REPORTFILE=\"/var/log/security-audit.json\"");
+    lines.push("      echo \"Security Audit started at $(date -Iseconds)\" | tee \"$LOGFILE\"");
+    lines.push("");
+    lines.push("      # Firewall status");
+    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+    lines.push("      echo \"=== UFW Firewall Status ===\" | tee -a \"$LOGFILE\"");
+    lines.push("      ufw status verbose | tee -a \"$LOGFILE\" || true");
+    lines.push("");
+    lines.push("      # Fail2ban status");
+    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+    lines.push("      echo \"=== Fail2ban Status ===\" | tee -a \"$LOGFILE\"");
+    lines.push("      systemctl status fail2ban --no-pager | tee -a \"$LOGFILE\" || true");
+    lines.push("      fail2ban-client status sshd | tee -a \"$LOGFILE\" || true");
+    lines.push("");
+    lines.push("      # SSHd status");
+    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+    lines.push("      echo \"=== SSHd Status ===\" | tee -a \"$LOGFILE\"");
+    lines.push("      systemctl status ssh --no-pager | tee -a \"$LOGFILE\" || true");
+    lines.push("      sshd -T | grep -E '(PasswordAuthentication|PermitRootLogin|MaxStartups)' | tee -a \"$LOGFILE\" || true");
+    lines.push("");
+    lines.push("      # Kernel hardening status");
+    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+    lines.push("      echo \"=== Kernel Hardening Status ===\" | tee -a \"$LOGFILE\"");
+    lines.push("      sysctl randomize_va_space kptr_restrict tcp_syncookies | tee -a \"$LOGFILE\" || true");
+    lines.push("");
+    lines.push("      # Lynis audit (warnings only, non-interactive)");
+    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+    lines.push("      echo \"=== Lynis Security Audit ===\" | tee -a \"$LOGFILE\"");
+    lines.push("      lynis audit system --warnings-only --quiet 2>&1 | tee -a \"$LOGFILE\" || true");
+    lines.push("");
+    lines.push("      # Generate JSON report");
+    lines.push("      timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)");
+    lines.push("      ufw_active=$(ufw status | grep -c \"Status: active\" || echo \"0\")");
+    lines.push("      fail2ban_active=$(systemctl is-active fail2ban 2>/dev/null || echo \"inactive\")");
+    lines.push("      sshd_active=$(systemctl is-active ssh 2>/dev/null || echo \"inactive\")");
+    lines.push("      aslr_enabled=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo \"0\")");
+    lines.push("      cat > \"$REPORTFILE\" <<AUDEOF");
+    lines.push("      {");
+    lines.push("        \"timestamp\": \"$timestamp\",");
+    lines.push("        \"firewall\": { \"active\": $ufw_active },");
+    lines.push("        \"fail2ban\": { \"active\": \"$fail2ban_active\" },");
+    lines.push("        \"sshd\": { \"active\": \"$sshd_active\" },");
+    lines.push("        \"kernel_hardening\": { \"aslr_enabled\": $aslr_enabled }");
+    lines.push("      }");
+    lines.push("      AUDEOF");
+    lines.push("      echo \"Security Audit completed at $(date -Iseconds)\" | tee -a \"$LOGFILE\"");
+    lines.push("      echo \"Report saved to $REPORTFILE\" | tee -a \"$LOGFILE\"");
+    lines.push("");
+    return lines;
+}
+/**
+ * Commands to run security audit at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Create /opt/monitoring directory (audit script target)
+ *   2. Run security audit script (captures state after all hardening)
+ *   3. Log audit completion for verification
+ */
+export function securityAuditRunCmd() {
+    const lines = [];
+    lines.push("  # Security audit: run comprehensive security check");
+    lines.push("  - mkdir -p /opt/monitoring");
+    lines.push("  - /opt/monitoring/security-audit.sh");
+    lines.push("  - echo \"Security audit completed at $(date -Iseconds)\" | tee -a /root/.bootstrap-status");
+    lines.push("");
+    return lines;
+}
+//# sourceMappingURL=security-audit.js.map

package/bootstrap/security-audit.ts

@@ -0,0 +1,124 @@
+/**
+ * Security Audit Cloud-Init Components
+ *
+ * Composable cloud-init blocks for running post-bootstrap security audits.
+ * Generates comprehensive security reports for verification and compliance.
+ *
+ * This module runs LAST in the bootstrap sequence, after all other security
+ * hardening is applied. It captures the state of the system for verification.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - securityAuditPackages()    → packages: section
+ *   - securityAuditWriteFiles()  → write_files: section
+ *   - securityAuditRunCmd()      → runcmd: section
+ */
+
+/**
+ * Packages required for security auditing.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * - lynis: Comprehensive security auditing tool
+ */
+export function securityAuditPackages(): string[] {
+  return [
+    "  - lynis",
+  ];
+}
+
+/**
+ * Files to write at first boot for security auditing.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops 1 file onto the server:
+ *
+ * 1. /opt/monitoring/security-audit.sh
+ *    - Collects security metrics (UFW, fail2ban, sshd, sysctl)
+ *    - Runs Lynis audit with warnings-only output
+ *    - Generates JSON report at /var/log/security-audit.json
+ *    - Logs summary to /var/log/security-audit.log
+ */
+export function securityAuditWriteFiles(): string[] {
+  const lines: string[] = [];
+
+  // 1. Security audit script - comprehensive security check
+  lines.push("  # Security audit script - runs after all hardening");
+  lines.push("  - path: /opt/monitoring/security-audit.sh");
+  lines.push("    owner: root:root");
+  lines.push("    permissions: '0755'");
+  lines.push("    content: |");
+  lines.push("      #!/bin/bash");
+  lines.push("      set -euo pipefail");
+  lines.push("      LOGFILE=\"/var/log/security-audit.log\"");
+  lines.push("      REPORTFILE=\"/var/log/security-audit.json\"");
+  lines.push("      echo \"Security Audit started at $(date -Iseconds)\" | tee \"$LOGFILE\"");
+  lines.push("");
+  lines.push("      # Firewall status");
+  lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+  lines.push("      echo \"=== UFW Firewall Status ===\" | tee -a \"$LOGFILE\"");
+  lines.push("      ufw status verbose | tee -a \"$LOGFILE\" || true");
+  lines.push("");
+  lines.push("      # Fail2ban status");
+  lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+  lines.push("      echo \"=== Fail2ban Status ===\" | tee -a \"$LOGFILE\"");
+  lines.push("      systemctl status fail2ban --no-pager | tee -a \"$LOGFILE\" || true");
+  lines.push("      fail2ban-client status sshd | tee -a \"$LOGFILE\" || true");
+  lines.push("");
+  lines.push("      # SSHd status");
+  lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+  lines.push("      echo \"=== SSHd Status ===\" | tee -a \"$LOGFILE\"");
+  lines.push("      systemctl status ssh --no-pager | tee -a \"$LOGFILE\" || true");
+  lines.push("      sshd -T | grep -E '(PasswordAuthentication|PermitRootLogin|MaxStartups)' | tee -a \"$LOGFILE\" || true");
+  lines.push("");
+  lines.push("      # Kernel hardening status");
+  lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+  lines.push("      echo \"=== Kernel Hardening Status ===\" | tee -a \"$LOGFILE\"");
+  lines.push("      sysctl randomize_va_space kptr_restrict tcp_syncookies | tee -a \"$LOGFILE\" || true");
+  lines.push("");
+  lines.push("      # Lynis audit (warnings only, non-interactive)");
+  lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
+  lines.push("      echo \"=== Lynis Security Audit ===\" | tee -a \"$LOGFILE\"");
+  lines.push("      lynis audit system --warnings-only --quiet 2>&1 | tee -a \"$LOGFILE\" || true");
+  lines.push("");
+  lines.push("      # Generate JSON report");
+  lines.push("      timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)");
+  lines.push("      ufw_active=$(ufw status | grep -c \"Status: active\" || echo \"0\")");
+  lines.push("      fail2ban_active=$(systemctl is-active fail2ban 2>/dev/null || echo \"inactive\")");
+  lines.push("      sshd_active=$(systemctl is-active ssh 2>/dev/null || echo \"inactive\")");
+  lines.push("      aslr_enabled=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo \"0\")");
+  lines.push("      cat > \"$REPORTFILE\" <<AUDEOF");
+  lines.push("      {");
+  lines.push("        \"timestamp\": \"$timestamp\",");
+  lines.push("        \"firewall\": { \"active\": $ufw_active },");
+  lines.push("        \"fail2ban\": { \"active\": \"$fail2ban_active\" },");
+  lines.push("        \"sshd\": { \"active\": \"$sshd_active\" },");
+  lines.push("        \"kernel_hardening\": { \"aslr_enabled\": $aslr_enabled }");
+  lines.push("      }");
+  lines.push("      AUDEOF");
+  lines.push("      echo \"Security Audit completed at $(date -Iseconds)\" | tee -a \"$LOGFILE\"");
+  lines.push("      echo \"Report saved to $REPORTFILE\" | tee -a \"$LOGFILE\"");
+  lines.push("");
+
+  return lines;
+}
+
+/**
+ * Commands to run security audit at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Create /opt/monitoring directory (audit script target)
+ *   2. Run security audit script (captures state after all hardening)
+ *   3. Log audit completion for verification
+ */
+export function securityAuditRunCmd(): string[] {
+  const lines: string[] = [];
+
+  lines.push("  # Security audit: run comprehensive security check");
+  lines.push("  - mkdir -p /opt/monitoring");
+  lines.push("  - /opt/monitoring/security-audit.sh");
+  lines.push("  - echo \"Security audit completed at $(date -Iseconds)\" | tee -a /root/.bootstrap-status");
+  lines.push("");
+
+  return lines;
+}