@ebowwa/hetzner 0.1.0

package/bootstrap/kernel-hardening.js

@@ -0,0 +1,266 @@
+/**
+ * Kernel Hardening Cloud-Init Components
+ *
+ * Composable cloud-init blocks for securing the Linux kernel on new servers.
+ * Implements 2026 best practices for network stack hardening, IP spoofing
+ * protection, SYN flood mitigation, and secure core dump policies.
+ *
+ * Background: Public-facing VPS servers are constantly probed and attacked.
+ * Default Linux kernel settings prioritize compatibility over security. This
+ * module applies CIS Benchmark-aligned hardening via /etc/sysctl.d/ which
+ * persists across reboots and overrides defaults.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - kernelHardeningPackages()    → packages: section (currently empty, reserved)
+ *   - kernelHardeningWriteFiles()  → write_files: section (drops sysctl config)
+ *   - kernelHardeningRunCmd()      → runcmd: section (applies settings immediately)
+ *
+ * Security Measures Implemented:
+ * 1. Network Stack Hardening: SYN cookies, ICMP rate limits, martian packet logging
+ * 2. IP Spoofing Protection: Reverse path filtering, source address verification
+ * 3. SYN Flood Protection: TCP SYN cookies, reuse time_wait connections
+ * 4. Core Dump Restrictions: Disable setuid dumps, limit core dump size to 0
+ * 5. File Permissions: Hard links, symlinks, FIFO protection
+ * 6. Memory Protection: ASLR, randomize_va_space
+ *
+ * References:
+ * - CIS Benchmark for Ubuntu Linux 24.04
+ * - NIST SP 800-53 Revision 5
+ * - https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+ */
+/**
+ * Packages required for kernel hardening.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * Note: All kernel hardening is done via sysctl configuration, which uses
+ * built-in kernel functionality. No additional packages are required.
+ * This function is reserved for future expansion (e.g., auditd, kexec-tools).
+ */
+export function kernelHardeningPackages() {
+    return [
+    // Reserved for future packages (auditd, kexec-tools, etc.)
+    // Currently empty - all hardening via sysctl
+    ];
+}
+/**
+ * Kernel sysctl configuration file for comprehensive hardening.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops /etc/sysctl.d/99-security-hardening.conf which:
+ * - Takes precedence over /etc/sysctl.conf (99- prefix ensures last load)
+ * - Persists across reboots (sysctl.d files are applied on boot)
+ * - Can be applied immediately via `sysctl --system` (see runcmd)
+ *
+ * Settings organized by category:
+ * 1. IP Spoofing Protection: rp_filter, secure redirects
+ * 2. SYN Flood Protection: syncookies, tcp_tw_reuse
+ * 3. Network Stack: ICMP rate limits, martian logging, ignore broadcasts
+ * 4. Core Dumps: Disabled for setuid programs, limited for all processes
+ * 5. Memory Protection: ASLR, randomize_va_space
+ * 6. Filesystem: Hard link/symlink protection
+ */
+export function kernelHardeningWriteFiles() {
+    const lines = [];
+    lines.push("  # Kernel hardening: sysctl.d configuration for 2026 best practices");
+    lines.push("  # This file persists across reboots and overrides /etc/sysctl.conf");
+    lines.push("  - path: /etc/sysctl.d/99-security-hardening.conf");
+    lines.push("    owner: root:root");
+    lines.push("    permissions: '0644'");
+    lines.push("    content: |");
+    lines.push("      # =================================================================");
+    lines.push("      # Kernel Security Hardening Configuration");
+    lines.push("      # =================================================================");
+    lines.push("      # Applied via cloud-init for com.hetzner.codespaces");
+    lines.push("      # Version: 1.0.0 (2026 best practices)");
+    lines.push("      #");
+    lines.push("      # This configuration follows CIS Benchmark and NIST guidelines");
+    lines.push("      # See: /usr/share/doc/linux-doc/sysctl/ for parameter documentation");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 1. IP SPOOFING PROTECTION");
+    lines.push("      # =================================================================");
+    lines.push("      # Enable reverse path filtering (validates source addresses)");
+    lines.push("      # Prevents IP spoofing attacks by dropping packets with invalid sources");
+    lines.push("      net.ipv4.conf.all.rp_filter = 1");
+    lines.push("      net.ipv4.conf.default.rp_filter = 1");
+    lines.push("");
+    lines.push("      # Log martian packets (packets with impossible addresses)");
+    lines.push("      # Helps detect spoofing attempts and network misconfigurations");
+    lines.push("      net.ipv4.conf.all.log_martians = 1");
+    lines.push("");
+    lines.push("      # Disable ICMP redirect acceptance (prevent MITM attacks)");
+    lines.push("      net.ipv4.conf.all.accept_redirects = 0");
+    lines.push("      net.ipv4.conf.default.accept_redirects = 0");
+    lines.push("      net.ipv4.conf.all.secure_redirects = 0");
+    lines.push("      net.ipv4.conf.default.secure_redirects = 0");
+    lines.push("");
+    lines.push("      # Disable sending ICMP redirects");
+    lines.push("      net.ipv4.conf.all.send_redirects = 0");
+    lines.push("      net.ipv4.conf.default.send_redirects = 0");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 2. SYN FLOOD PROTECTION");
+    lines.push("      # =================================================================");
+    lines.push("      # Enable SYN cookies (protects against SYN flood attacks)");
+    lines.push("      # Allows server to continue accepting connections under SYN flood");
+    lines.push("      net.ipv4.tcp_syncookies = 1");
+    lines.push("");
+    lines.push("      # Reuse TIME_WAIT sockets for new connections (safer, faster)");
+    lines.push("      # Reduces connection table exhaustion under high load");
+    lines.push("      net.ipv4.tcp_tw_reuse = 1");
+    lines.push("");
+    lines.push("      # Reduce SYN backlog and timeouts for faster detection");
+    lines.push("      net.ipv4.tcp_max_syn_backlog = 2048");
+    lines.push("      net.ipv4.tcp_synack_retries = 2");
+    lines.push("      net.ipv4.tcp_syn_retries = 5");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 3. NETWORK STACK HARDENING");
+    lines.push("      # =================================================================");
+    lines.push("      # Disable ICMP redirect acceptance (IPv6)");
+    lines.push("      net.ipv6.conf.all.accept_redirects = 0");
+    lines.push("      net.ipv6.conf.default.accept_redirects = 0");
+    lines.push("");
+    lines.push("      # Ignore ICMP broadcasts (prevent smurf attacks)");
+    lines.push("      net.ipv4.icmp_echo_ignore_broadcasts = 1");
+    lines.push("");
+    lines.push("      # Ignore bogus ICMP error responses (prevent ICMP attacks)");
+    lines.push("      net.ipv4.icmp_ignore_bogus_error_responses = 1");
+    lines.push("");
+    lines.push("      # Enable TCP timestamps (RFC 1323) for better sequence handling");
+    lines.push("      # Also protects against wrapped sequence number attacks");
+    lines.push("      net.ipv4.tcp_timestamps = 1");
+    lines.push("");
+    lines.push("      # Enable TCP selective acknowledgments (better performance)");
+    lines.push("      net.ipv4.tcp_sack = 1");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 4. CORE DUMP RESTRICTIONS");
+    lines.push("      # =================================================================");
+    lines.push("      # Disable core dumps for setuid programs (prevent privilege escalation)");
+    lines.push("      fs.suid_dumpable = 0");
+    lines.push("");
+    lines.push("      # Limit core dump size to 0 (disable core dumps)");
+    lines.push("      # Override in /etc/security/limits.conf if needed for debugging");
+    lines.push("      kernel.core_pattern = |/bin/false");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 5. MEMORY PROTECTION (ASLR)");
+    lines.push("      # =================================================================");
+    lines.push("      # Enable Address Space Layout Randomization (full)");
+    lines.push("      # Makes exploitation of memory corruption vulnerabilities harder");
+    lines.push("      # 0: Disabled, 1: Conservative, 2: Full (default)");
+    lines.push("      kernel.randomize_va_space = 2");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 6. FILESYSTEM PROTECTION");
+    lines.push("      # =================================================================");
+    lines.push("      # Hard link/symlink protection (prevent time-of-check time-of-use)");
+    lines.push("      fs.protected_hardlinks = 1");
+    lines.push("      fs.protected_symlinks = 1");
+    lines.push("");
+    lines.push("      # FIFO protection (prevent FIFO attacks on world-writable directories)");
+    lines.push("      fs.protected_fifos = 2");
+    lines.push("");
+    lines.push("      # Regular file protection (prevent file overwrite attacks)");
+    lines.push("      fs.protected_regular = 2");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 7. NETWORK BEHAVIOR TUNING");
+    lines.push("      # =================================================================");
+    lines.push("      # Enable TCP Fast Open (TFO) for reduced latency");
+    lines.push("      net.ipv4.tcp_fastopen = 3");
+    lines.push("");
+    lines.push("      # Disable source routing (prevent packet routing manipulation)");
+    lines.push("      net.ipv4.conf.all.accept_source_route = 0");
+    lines.push("      net.ipv4.conf.default.accept_source_route = 0");
+    lines.push("      net.ipv6.conf.all.accept_source_route = 0");
+    lines.push("      net.ipv6.conf.default.accept_source_route = 0");
+    lines.push("");
+    lines.push("      # Enable TCP window scaling (RFC 7323) for high-bandwidth links");
+    lines.push("      net.ipv4.tcp_window_scaling = 1");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 8. SECURITY-RELATED KERNEL PARAMETERS");
+    lines.push("      # =================================================================");
+    lines.push("      # Disable magic sysrq key (prevent console-based attacks)");
+    lines.push("      # 0: Disabled, 1: Enable (for debugging only)");
+    lines.push("      kernel.sysrq = 0");
+    lines.push("");
+    lines.push("      # Disable kexec system call (prevent kernel replacement)");
+    lines.push("      # 0: Disabled, 1: Enabled");
+    lines.push("      kernel.kexec_load = 0");
+    lines.push("");
+    lines.push("      # Disable user namespaces (prevent container breakouts)");
+    lines.push("      # 0: Disabled, 1: Enabled");
+    lines.push("      user.max_user_namespaces = 0");
+    lines.push("");
+    lines.push("      # Enable unprivileged bpf disabled (prevent eBPF-based exploits)");
+    lines.push("      # 0: Disabled, 1: Enabled");
+    lines.push("      kernel.unprivileged_bpf_disabled = 1");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 9. ADDITIONAL HARDENING (2026)");
+    lines.push("      # =================================================================");
+    lines.push("      # Disable IPv6 if not needed (uncomment if IPv6 is disabled)");
+    lines.push("      # net.ipv6.conf.all.disable_ipv6 = 1");
+    lines.push("      # net.ipv6.conf.default.disable_ipv6 = 1");
+    lines.push("");
+    lines.push("      # Enable dmesg restriction (prevent kernel info leaks)");
+    lines.push("      kernel.dmesg_restrict = 1");
+    lines.push("");
+    lines.push("      # Restrict ptrace scope (prevent process tracing by non-parent)");
+    lines.push("      # 0: Traditional, 1: Restricted, 2: Admin-only, 3: No attach");
+    lines.push("      kernel.yama.ptrace_scope = 2");
+    lines.push("");
+    lines.push("      # =================================================================");
+    lines.push("      # 10. PERFORMANCE TUNING (safe defaults)");
+    lines.push("      # =================================================================");
+    lines.push("      # Increase connection tracking table size (for stateful firewalls)");
+    lines.push("      net.netfilter.nf_conntrack_max = 262144");
+    lines.push("");
+    lines.push("      # Reduce TCP keepalive timeouts for faster dead peer detection");
+    lines.push("      net.ipv4.tcp_keepalive_time = 600");
+    lines.push("      net.ipv4.tcp_keepalive_intvl = 30");
+    lines.push("      net.ipv4.tcp_keepalive_probes = 3");
+    lines.push("");
+    return lines;
+}
+/**
+ * Commands to apply kernel hardening settings immediately at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Load all sysctl settings from /etc/sysctl.d/*.conf
+ *   2. Apply settings immediately (don't wait for reboot)
+ *   3. Log applied settings for audit trail
+ *   4. Display summary for cloud-init output verification
+ */
+export function kernelHardeningRunCmd() {
+    const lines = [];
+    lines.push("  # Kernel hardening: apply sysctl settings immediately");
+    lines.push("  # Settings are already in /etc/sysctl.d/99-security-hardening.conf");
+    lines.push("");
+    lines.push("  # Apply all sysctl settings (overrides defaults immediately)");
+    lines.push("  - sysctl --system");
+    lines.push("");
+    lines.push("  # Log applied settings for audit trail");
+    lines.push("  - sysctl -a | grep -E '(rp_filter|syncookies|randomize_va|suid_dump)' > /var/log/kernel-hardening.log 2>&1 || true");
+    lines.push("");
+    lines.push("  # Display summary of critical hardening settings");
+    lines.push("  - |");
+    lines.push("    echo '========================================'");
+    lines.push("    echo 'Kernel Hardening Applied (2026)'");
+    lines.push("    echo '========================================'");
+    lines.push("    echo 'IP Spoof Protection:    '$(sysctl -n net.ipv4.conf.all.rp_filter)");
+    lines.push("    echo 'SYN Cookies:            '$(sysctl -n net.ipv4.tcp_syncookies)");
+    lines.push("    echo 'ASLR Level:             '$(sysctl -n kernel.randomize_va_space)");
+    lines.push("    echo 'SUID Core Dumps:        '$(sysctl -n fs.suid_dumpable)");
+    lines.push("    echo 'Hard Links Protected:   '$(sysctl -n fs.protected_hardlinks)");
+    lines.push("    echo 'Ptrace Scope:           '$(sysctl -n kernel.yama.ptrace_scope)");
+    lines.push("    echo '========================================'");
+    lines.push("");
+    return lines;
+}
+//# sourceMappingURL=kernel-hardening.js.map

package/bootstrap/kernel-hardening.test.ts

@@ -0,0 +1,230 @@
+/**
+ * Kernel Hardening Module Tests
+ *
+ * Tests for kernel hardening cloud-init components.
+ */
+
+import { test, expect } from "bun:test";
+import {
+  kernelHardeningPackages,
+  kernelHardeningWriteFiles,
+  kernelHardeningRunCmd,
+} from "./kernel-hardening";
+
+test("kernelHardeningPackages returns empty array (no packages needed)", () => {
+  const packages = kernelHardeningPackages();
+  expect(packages).toBeArray();
+  expect(packages).toHaveLength(0);
+});
+
+test("kernelHardeningWriteFiles returns sysctl configuration", () => {
+  const writeFiles = kernelHardeningWriteFiles();
+  expect(writeFiles).toBeArray();
+  expect(writeFiles.length).toBeGreaterThan(0);
+
+  // Check for key file path
+  const filesContent = writeFiles.join("\n");
+  expect(filesContent).toContain("/etc/sysctl.d/99-security-hardening.conf");
+  expect(filesContent).toContain("owner: root:root");
+  expect(filesContent).toContain("permissions: '0644'");
+
+  // Check for key security settings
+  expect(filesContent).toContain("net.ipv4.conf.all.rp_filter = 1");
+  expect(filesContent).toContain("net.ipv4.tcp_syncookies = 1");
+  expect(filesContent).toContain("kernel.randomize_va_space = 2");
+  expect(filesContent).toContain("fs.suid_dumpable = 0");
+  expect(filesContent).toContain("fs.protected_hardlinks = 1");
+  expect(filesContent).toContain("fs.protected_symlinks = 1");
+
+  // Check for 2026 best practices
+  expect(filesContent).toContain("kernel.dmesg_restrict = 1");
+  expect(filesContent).toContain("kernel.yama.ptrace_scope = 2");
+  expect(filesContent).toContain("kernel.unprivileged_bpf_disabled = 1");
+});
+
+test("kernelHardeningWriteFiles includes all security categories", () => {
+  const writeFiles = kernelHardeningWriteFiles();
+  const filesContent = writeFiles.join("\n");
+
+  // 1. IP Spoofing Protection
+  expect(filesContent).toContain("rp_filter");
+  expect(filesContent).toContain("log_martians");
+  expect(filesContent).toContain("accept_redirects");
+  expect(filesContent).toContain("secure_redirects");
+  expect(filesContent).toContain("send_redirects");
+
+  // 2. SYN Flood Protection
+  expect(filesContent).toContain("tcp_syncookies");
+  expect(filesContent).toContain("tcp_tw_reuse");
+  expect(filesContent).toContain("tcp_max_syn_backlog");
+  expect(filesContent).toContain("tcp_synack_retries");
+  expect(filesContent).toContain("tcp_syn_retries");
+
+  // 3. Network Stack Hardening
+  expect(filesContent).toContain("icmp_echo_ignore_broadcasts");
+  expect(filesContent).toContain("icmp_ignore_bogus_error_responses");
+  expect(filesContent).toContain("tcp_timestamps");
+  expect(filesContent).toContain("tcp_sack");
+
+  // 4. Core Dump Restrictions
+  expect(filesContent).toContain("suid_dumpable");
+  expect(filesContent).toContain("core_pattern");
+
+  // 5. Memory Protection (ASLR)
+  expect(filesContent).toContain("randomize_va_space");
+
+  // 6. Filesystem Protection
+  expect(filesContent).toContain("protected_hardlinks");
+  expect(filesContent).toContain("protected_symlinks");
+  expect(filesContent).toContain("protected_fifos");
+  expect(filesContent).toContain("protected_regular");
+
+  // 7. Network Behavior Tuning
+  expect(filesContent).toContain("tcp_fastopen");
+  expect(filesContent).toContain("accept_source_route");
+  expect(filesContent).toContain("tcp_window_scaling");
+
+  // 8. Security-Related Kernel Parameters
+  expect(filesContent).toContain("kernel.sysrq");
+  expect(filesContent).toContain("kernel.kexec_load");
+  expect(filesContent).toContain("user.max_user_namespaces");
+  expect(filesContent).toContain("kernel.unprivileged_bpf_disabled");
+
+  // 9. Additional Hardening (2026)
+  expect(filesContent).toContain("kernel.dmesg_restrict");
+  expect(filesContent).toContain("kernel.yama.ptrace_scope");
+
+  // 10. Performance Tuning
+  expect(filesContent).toContain("nf_conntrack_max");
+  expect(filesContent).toContain("tcp_keepalive_time");
+  expect(filesContent).toContain("tcp_keepalive_intvl");
+  expect(filesContent).toContain("tcp_keepalive_probes");
+});
+
+test("kernelHardeningRunCmd returns activation commands", () => {
+  const runCmd = kernelHardeningRunCmd();
+  expect(runCmd).toBeArray();
+  expect(runCmd.length).toBeGreaterThan(0);
+
+  const cmdContent = runCmd.join("\n");
+
+  // Check for sysctl application
+  expect(cmdContent).toContain("sysctl --system");
+
+  // Check for logging
+  expect(cmdContent).toContain("/var/log/kernel-hardening.log");
+
+  // Check for summary display
+  expect(cmdContent).toContain("Kernel Hardening Applied (2026)");
+  expect(cmdContent).toContain("IP Spoof Protection:");
+  expect(cmdContent).toContain("SYN Cookies:");
+  expect(cmdContent).toContain("ASLR Level:");
+  expect(cmdContent).toContain("SUID Core Dumps:");
+  expect(cmdContent).toContain("Hard Links Protected:");
+  expect(cmdContent).toContain("Ptrace Scope:");
+});
+
+test("kernelHardeningRunCmd includes verification commands", () => {
+  const runCmd = kernelHardeningRunCmd();
+  const cmdContent = runCmd.join("\n");
+
+  // Check for sysctl commands to verify settings
+  expect(cmdContent).toContain("sysctl -n net.ipv4.conf.all.rp_filter");
+  expect(cmdContent).toContain("sysctl -n net.ipv4.tcp_syncookies");
+  expect(cmdContent).toContain("sysctl -n kernel.randomize_va_space");
+  expect(cmdContent).toContain("sysctl -n fs.suid_dumpable");
+  expect(cmdContent).toContain("sysctl -n fs.protected_hardlinks");
+  expect(cmdContent).toContain("sysctl -n kernel.yama.ptrace_scope");
+});
+
+test("kernel hardening settings match CIS benchmarks", () => {
+  const writeFiles = kernelHardeningWriteFiles();
+  const filesContent = writeFiles.join("\n");
+
+  // CIS Benchmark 1.5.1: Ensure core dumps are restricted
+  expect(filesContent).toContain("fs.suid_dumpable = 0");
+
+  // CIS Benchmark 3.3.1: Ensure IP forwarding is disabled (not set by default)
+  // We don't set this as it may be needed for container workloads
+
+  // CIS Benchmark 3.3.2: Ensure send redirects is disabled
+  expect(filesContent).toContain("net.ipv4.conf.all.send_redirects = 0");
+
+  // CIS Benchmark 3.3.3: Ensure ICMP redirects are not accepted
+  expect(filesContent).toContain("net.ipv4.conf.all.accept_redirects = 0");
+
+  // CIS Benchmark 3.3.4: Ensure secure ICMP redirects are not accepted
+  expect(filesContent).toContain("net.ipv4.conf.all.secure_redirects = 0");
+
+  // CIS Benchmark 3.3.5: Ensure suspicious packets are logged
+  expect(filesContent).toContain("net.ipv4.conf.all.log_martians = 1");
+
+  // CIS Benchmark 3.3.6: Ensure broadcast ICMP requests are ignored
+  expect(filesContent).toContain("net.ipv4.icmp_echo_ignore_broadcasts = 1");
+
+  // CIS Benchmark 3.3.7: Ensure bogus ICMP responses are ignored
+  expect(filesContent).toContain("net.ipv4.icmp_ignore_bogus_error_responses = 1");
+
+  // CIS Benchmark 3.3.8: Ensure Reverse Path Filtering is enabled
+  expect(filesContent).toContain("net.ipv4.conf.all.rp_filter = 1");
+
+  // CIS Benchmark 3.3.9: Ensure TCP SYN Cookies is enabled
+  expect(filesContent).toContain("net.ipv4.tcp_syncookies = 1");
+
+  // CIS Benchmark 3.3.10: Ensure IPv6 is disabled (optional, commented out)
+  // We don't disable IPv6 by default as it may be needed
+
+  // CIS Benchmark 1.5.2: Ensure address space layout randomization (ASLR) is enabled
+  expect(filesContent).toContain("kernel.randomize_va_space = 2");
+
+  // CIS Benchmark 1.5.3: Ensure prelink is disabled (package removal, not in sysctl)
+  // Not applicable to sysctl configuration
+
+  // CIS Benchmark 1.5.4: Ensure core dump backtraces are disabled
+  expect(filesContent).toContain("fs.suid_dumpable = 0");
+});
+
+test("kernel hardening includes 2026 best practices", () => {
+  const writeFiles = kernelHardeningWriteFiles();
+  const filesContent = writeFiles.join("\n");
+
+  // Modern kernel hardening (2026)
+  expect(filesContent).toContain("kernel.dmesg_restrict = 1");
+  expect(filesContent).toContain("kernel.yama.ptrace_scope = 2");
+  expect(filesContent).toContain("kernel.unprivileged_bpf_disabled = 1");
+  expect(filesContent).toContain("user.max_user_namespaces = 0");
+  expect(filesContent).toContain("kernel.kexec_load = 0");
+
+  // Filesystem hard links/symlinks protection (TOCTOU prevention)
+  expect(filesContent).toContain("fs.protected_hardlinks = 1");
+  expect(filesContent).toContain("fs.protected_symlinks = 1");
+  expect(filesContent).toContain("fs.protected_fifos = 2");
+  expect(filesContent).toContain("fs.protected_regular = 2");
+
+  // Performance tuning with security in mind
+  expect(filesContent).toContain("net.netfilter.nf_conntrack_max = 262144");
+  expect(filesContent).toContain("net.ipv4.tcp_keepalive_time = 600");
+});
+
+test("kernel hardening has proper documentation headers", () => {
+  const writeFiles = kernelHardeningWriteFiles();
+  const filesContent = writeFiles.join("\n");
+
+  // Check for documentation and headers
+  expect(filesContent).toContain("Kernel Security Hardening Configuration");
+  expect(filesContent).toContain("2026 best practices");
+  expect(filesContent).toContain("CIS Benchmark");
+  expect(filesContent).toContain("NIST");
+
+  // Check for section headers
+  expect(filesContent).toContain("IP SPOOFING PROTECTION");
+  expect(filesContent).toContain("SYN FLOOD PROTECTION");
+  expect(filesContent).toContain("NETWORK STACK HARDENING");
+  expect(filesContent).toContain("CORE DUMP RESTRICTIONS");
+  expect(filesContent).toContain("MEMORY PROTECTION (ASLR)");
+  expect(filesContent).toContain("FILESYSTEM PROTECTION");
+  expect(filesContent).toContain("NETWORK BEHAVIOR TUNING");
+  expect(filesContent).toContain("SECURITY-RELATED KERNEL PARAMETERS");
+  expect(filesContent).toContain("ADDITIONAL HARDENING (2026)");
+  expect(filesContent).toContain("PERFORMANCE TUNING");
+});