@ebowwa/hetzner 0.2.1 → 0.3.0

package/bootstrap/kernel-hardening.test.ts

@@ -1,230 +0,0 @@
-/**
- * Kernel Hardening Module Tests
- *
- * Tests for kernel hardening cloud-init components.
- */
-
-import { test, expect } from "bun:test";
-import {
-  kernelHardeningPackages,
-  kernelHardeningWriteFiles,
-  kernelHardeningRunCmd,
-} from "./kernel-hardening";
-
-test("kernelHardeningPackages returns empty array (no packages needed)", () => {
-  const packages = kernelHardeningPackages();
-  expect(packages).toBeArray();
-  expect(packages).toHaveLength(0);
-});
-
-test("kernelHardeningWriteFiles returns sysctl configuration", () => {
-  const writeFiles = kernelHardeningWriteFiles();
-  expect(writeFiles).toBeArray();
-  expect(writeFiles.length).toBeGreaterThan(0);
-
-  // Check for key file path
-  const filesContent = writeFiles.join("\n");
-  expect(filesContent).toContain("/etc/sysctl.d/99-security-hardening.conf");
-  expect(filesContent).toContain("owner: root:root");
-  expect(filesContent).toContain("permissions: '0644'");
-
-  // Check for key security settings
-  expect(filesContent).toContain("net.ipv4.conf.all.rp_filter = 1");
-  expect(filesContent).toContain("net.ipv4.tcp_syncookies = 1");
-  expect(filesContent).toContain("kernel.randomize_va_space = 2");
-  expect(filesContent).toContain("fs.suid_dumpable = 0");
-  expect(filesContent).toContain("fs.protected_hardlinks = 1");
-  expect(filesContent).toContain("fs.protected_symlinks = 1");
-
-  // Check for 2026 best practices
-  expect(filesContent).toContain("kernel.dmesg_restrict = 1");
-  expect(filesContent).toContain("kernel.yama.ptrace_scope = 2");
-  expect(filesContent).toContain("kernel.unprivileged_bpf_disabled = 1");
-});
-
-test("kernelHardeningWriteFiles includes all security categories", () => {
-  const writeFiles = kernelHardeningWriteFiles();
-  const filesContent = writeFiles.join("\n");
-
-  // 1. IP Spoofing Protection
-  expect(filesContent).toContain("rp_filter");
-  expect(filesContent).toContain("log_martians");
-  expect(filesContent).toContain("accept_redirects");
-  expect(filesContent).toContain("secure_redirects");
-  expect(filesContent).toContain("send_redirects");
-
-  // 2. SYN Flood Protection
-  expect(filesContent).toContain("tcp_syncookies");
-  expect(filesContent).toContain("tcp_tw_reuse");
-  expect(filesContent).toContain("tcp_max_syn_backlog");
-  expect(filesContent).toContain("tcp_synack_retries");
-  expect(filesContent).toContain("tcp_syn_retries");
-
-  // 3. Network Stack Hardening
-  expect(filesContent).toContain("icmp_echo_ignore_broadcasts");
-  expect(filesContent).toContain("icmp_ignore_bogus_error_responses");
-  expect(filesContent).toContain("tcp_timestamps");
-  expect(filesContent).toContain("tcp_sack");
-
-  // 4. Core Dump Restrictions
-  expect(filesContent).toContain("suid_dumpable");
-  expect(filesContent).toContain("core_pattern");
-
-  // 5. Memory Protection (ASLR)
-  expect(filesContent).toContain("randomize_va_space");
-
-  // 6. Filesystem Protection
-  expect(filesContent).toContain("protected_hardlinks");
-  expect(filesContent).toContain("protected_symlinks");
-  expect(filesContent).toContain("protected_fifos");
-  expect(filesContent).toContain("protected_regular");
-
-  // 7. Network Behavior Tuning
-  expect(filesContent).toContain("tcp_fastopen");
-  expect(filesContent).toContain("accept_source_route");
-  expect(filesContent).toContain("tcp_window_scaling");
-
-  // 8. Security-Related Kernel Parameters
-  expect(filesContent).toContain("kernel.sysrq");
-  expect(filesContent).toContain("kernel.kexec_load");
-  expect(filesContent).toContain("user.max_user_namespaces");
-  expect(filesContent).toContain("kernel.unprivileged_bpf_disabled");
-
-  // 9. Additional Hardening (2026)
-  expect(filesContent).toContain("kernel.dmesg_restrict");
-  expect(filesContent).toContain("kernel.yama.ptrace_scope");
-
-  // 10. Performance Tuning
-  expect(filesContent).toContain("nf_conntrack_max");
-  expect(filesContent).toContain("tcp_keepalive_time");
-  expect(filesContent).toContain("tcp_keepalive_intvl");
-  expect(filesContent).toContain("tcp_keepalive_probes");
-});
-
-test("kernelHardeningRunCmd returns activation commands", () => {
-  const runCmd = kernelHardeningRunCmd();
-  expect(runCmd).toBeArray();
-  expect(runCmd.length).toBeGreaterThan(0);
-
-  const cmdContent = runCmd.join("\n");
-
-  // Check for sysctl application
-  expect(cmdContent).toContain("sysctl --system");
-
-  // Check for logging
-  expect(cmdContent).toContain("/var/log/kernel-hardening.log");
-
-  // Check for summary display
-  expect(cmdContent).toContain("Kernel Hardening Applied (2026)");
-  expect(cmdContent).toContain("IP Spoof Protection:");
-  expect(cmdContent).toContain("SYN Cookies:");
-  expect(cmdContent).toContain("ASLR Level:");
-  expect(cmdContent).toContain("SUID Core Dumps:");
-  expect(cmdContent).toContain("Hard Links Protected:");
-  expect(cmdContent).toContain("Ptrace Scope:");
-});
-
-test("kernelHardeningRunCmd includes verification commands", () => {
-  const runCmd = kernelHardeningRunCmd();
-  const cmdContent = runCmd.join("\n");
-
-  // Check for sysctl commands to verify settings
-  expect(cmdContent).toContain("sysctl -n net.ipv4.conf.all.rp_filter");
-  expect(cmdContent).toContain("sysctl -n net.ipv4.tcp_syncookies");
-  expect(cmdContent).toContain("sysctl -n kernel.randomize_va_space");
-  expect(cmdContent).toContain("sysctl -n fs.suid_dumpable");
-  expect(cmdContent).toContain("sysctl -n fs.protected_hardlinks");
-  expect(cmdContent).toContain("sysctl -n kernel.yama.ptrace_scope");
-});
-
-test("kernel hardening settings match CIS benchmarks", () => {
-  const writeFiles = kernelHardeningWriteFiles();
-  const filesContent = writeFiles.join("\n");
-
-  // CIS Benchmark 1.5.1: Ensure core dumps are restricted
-  expect(filesContent).toContain("fs.suid_dumpable = 0");
-
-  // CIS Benchmark 3.3.1: Ensure IP forwarding is disabled (not set by default)
-  // We don't set this as it may be needed for container workloads
-
-  // CIS Benchmark 3.3.2: Ensure send redirects is disabled
-  expect(filesContent).toContain("net.ipv4.conf.all.send_redirects = 0");
-
-  // CIS Benchmark 3.3.3: Ensure ICMP redirects are not accepted
-  expect(filesContent).toContain("net.ipv4.conf.all.accept_redirects = 0");
-
-  // CIS Benchmark 3.3.4: Ensure secure ICMP redirects are not accepted
-  expect(filesContent).toContain("net.ipv4.conf.all.secure_redirects = 0");
-
-  // CIS Benchmark 3.3.5: Ensure suspicious packets are logged
-  expect(filesContent).toContain("net.ipv4.conf.all.log_martians = 1");
-
-  // CIS Benchmark 3.3.6: Ensure broadcast ICMP requests are ignored
-  expect(filesContent).toContain("net.ipv4.icmp_echo_ignore_broadcasts = 1");
-
-  // CIS Benchmark 3.3.7: Ensure bogus ICMP responses are ignored
-  expect(filesContent).toContain("net.ipv4.icmp_ignore_bogus_error_responses = 1");
-
-  // CIS Benchmark 3.3.8: Ensure Reverse Path Filtering is enabled
-  expect(filesContent).toContain("net.ipv4.conf.all.rp_filter = 1");
-
-  // CIS Benchmark 3.3.9: Ensure TCP SYN Cookies is enabled
-  expect(filesContent).toContain("net.ipv4.tcp_syncookies = 1");
-
-  // CIS Benchmark 3.3.10: Ensure IPv6 is disabled (optional, commented out)
-  // We don't disable IPv6 by default as it may be needed
-
-  // CIS Benchmark 1.5.2: Ensure address space layout randomization (ASLR) is enabled
-  expect(filesContent).toContain("kernel.randomize_va_space = 2");
-
-  // CIS Benchmark 1.5.3: Ensure prelink is disabled (package removal, not in sysctl)
-  // Not applicable to sysctl configuration
-
-  // CIS Benchmark 1.5.4: Ensure core dump backtraces are disabled
-  expect(filesContent).toContain("fs.suid_dumpable = 0");
-});
-
-test("kernel hardening includes 2026 best practices", () => {
-  const writeFiles = kernelHardeningWriteFiles();
-  const filesContent = writeFiles.join("\n");
-
-  // Modern kernel hardening (2026)
-  expect(filesContent).toContain("kernel.dmesg_restrict = 1");
-  expect(filesContent).toContain("kernel.yama.ptrace_scope = 2");
-  expect(filesContent).toContain("kernel.unprivileged_bpf_disabled = 1");
-  expect(filesContent).toContain("user.max_user_namespaces = 0");
-  expect(filesContent).toContain("kernel.kexec_load = 0");
-
-  // Filesystem hard links/symlinks protection (TOCTOU prevention)
-  expect(filesContent).toContain("fs.protected_hardlinks = 1");
-  expect(filesContent).toContain("fs.protected_symlinks = 1");
-  expect(filesContent).toContain("fs.protected_fifos = 2");
-  expect(filesContent).toContain("fs.protected_regular = 2");
-
-  // Performance tuning with security in mind
-  expect(filesContent).toContain("net.netfilter.nf_conntrack_max = 262144");
-  expect(filesContent).toContain("net.ipv4.tcp_keepalive_time = 600");
-});
-
-test("kernel hardening has proper documentation headers", () => {
-  const writeFiles = kernelHardeningWriteFiles();
-  const filesContent = writeFiles.join("\n");
-
-  // Check for documentation and headers
-  expect(filesContent).toContain("Kernel Security Hardening Configuration");
-  expect(filesContent).toContain("2026 best practices");
-  expect(filesContent).toContain("CIS Benchmark");
-  expect(filesContent).toContain("NIST");
-
-  // Check for section headers
-  expect(filesContent).toContain("IP SPOOFING PROTECTION");
-  expect(filesContent).toContain("SYN FLOOD PROTECTION");
-  expect(filesContent).toContain("NETWORK STACK HARDENING");
-  expect(filesContent).toContain("CORE DUMP RESTRICTIONS");
-  expect(filesContent).toContain("MEMORY PROTECTION (ASLR)");
-  expect(filesContent).toContain("FILESYSTEM PROTECTION");
-  expect(filesContent).toContain("NETWORK BEHAVIOR TUNING");
-  expect(filesContent).toContain("SECURITY-RELATED KERNEL PARAMETERS");
-  expect(filesContent).toContain("ADDITIONAL HARDENING (2026)");
-  expect(filesContent).toContain("PERFORMANCE TUNING");
-});

package/bootstrap/kernel-hardening.ts

@@ -1,272 +0,0 @@
-/**
- * Kernel Hardening Cloud-Init Components
- *
- * Composable cloud-init blocks for securing the Linux kernel on new servers.
- * Implements 2026 best practices for network stack hardening, IP spoofing
- * protection, SYN flood mitigation, and secure core dump policies.
- *
- * Background: Public-facing VPS servers are constantly probed and attacked.
- * Default Linux kernel settings prioritize compatibility over security. This
- * module applies CIS Benchmark-aligned hardening via /etc/sysctl.d/ which
- * persists across reboots and overrides defaults.
- *
- * Three composable functions return cloud-init line arrays for splicing into
- * the appropriate YAML sections:
- *   - kernelHardeningPackages()    → packages: section (currently empty, reserved)
- *   - kernelHardeningWriteFiles()  → write_files: section (drops sysctl config)
- *   - kernelHardeningRunCmd()      → runcmd: section (applies settings immediately)
- *
- * Security Measures Implemented:
- * 1. Network Stack Hardening: SYN cookies, ICMP rate limits, martian packet logging
- * 2. IP Spoofing Protection: Reverse path filtering, source address verification
- * 3. SYN Flood Protection: TCP SYN cookies, reuse time_wait connections
- * 4. Core Dump Restrictions: Disable setuid dumps, limit core dump size to 0
- * 5. File Permissions: Hard links, symlinks, FIFO protection
- * 6. Memory Protection: ASLR, randomize_va_space
- *
- * References:
- * - CIS Benchmark for Ubuntu Linux 24.04
- * - NIST SP 800-53 Revision 5
- * - https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
- */
-
-/**
- * Packages required for kernel hardening.
- * Returns cloud-init YAML lines for the `packages:` section.
- *
- * Note: All kernel hardening is done via sysctl configuration, which uses
- * built-in kernel functionality. No additional packages are required.
- * This function is reserved for future expansion (e.g., auditd, kexec-tools).
- */
-export function kernelHardeningPackages(): string[] {
-  return [
-    // Reserved for future packages (auditd, kexec-tools, etc.)
-    // Currently empty - all hardening via sysctl
-  ];
-}
-
-/**
- * Kernel sysctl configuration file for comprehensive hardening.
- * Returns cloud-init YAML lines for the `write_files:` section.
- *
- * Drops /etc/sysctl.d/99-security-hardening.conf which:
- * - Takes precedence over /etc/sysctl.conf (99- prefix ensures last load)
- * - Persists across reboots (sysctl.d files are applied on boot)
- * - Can be applied immediately via `sysctl --system` (see runcmd)
- *
- * Settings organized by category:
- * 1. IP Spoofing Protection: rp_filter, secure redirects
- * 2. SYN Flood Protection: syncookies, tcp_tw_reuse
- * 3. Network Stack: ICMP rate limits, martian logging, ignore broadcasts
- * 4. Core Dumps: Disabled for setuid programs, limited for all processes
- * 5. Memory Protection: ASLR, randomize_va_space
- * 6. Filesystem: Hard link/symlink protection
- */
-export function kernelHardeningWriteFiles(): string[] {
-  const lines: string[] = [];
-
-  lines.push("  # Kernel hardening: sysctl.d configuration for 2026 best practices");
-  lines.push("  # This file persists across reboots and overrides /etc/sysctl.conf");
-  lines.push("  - path: /etc/sysctl.d/99-security-hardening.conf");
-  lines.push("    owner: root:root");
-  lines.push("    permissions: '0644'");
-  lines.push("    content: |");
-  lines.push("      # =================================================================");
-  lines.push("      # Kernel Security Hardening Configuration");
-  lines.push("      # =================================================================");
-  lines.push("      # Applied via cloud-init for com.hetzner.codespaces");
-  lines.push("      # Version: 1.0.0 (2026 best practices)");
-  lines.push("      #");
-  lines.push("      # This configuration follows CIS Benchmark and NIST guidelines");
-  lines.push("      # See: /usr/share/doc/linux-doc/sysctl/ for parameter documentation");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 1. IP SPOOFING PROTECTION");
-  lines.push("      # =================================================================");
-  lines.push("      # Enable reverse path filtering (validates source addresses)");
-  lines.push("      # Prevents IP spoofing attacks by dropping packets with invalid sources");
-  lines.push("      net.ipv4.conf.all.rp_filter = 1");
-  lines.push("      net.ipv4.conf.default.rp_filter = 1");
-  lines.push("");
-  lines.push("      # Log martian packets (packets with impossible addresses)");
-  lines.push("      # Helps detect spoofing attempts and network misconfigurations");
-  lines.push("      net.ipv4.conf.all.log_martians = 1");
-  lines.push("");
-  lines.push("      # Disable ICMP redirect acceptance (prevent MITM attacks)");
-  lines.push("      net.ipv4.conf.all.accept_redirects = 0");
-  lines.push("      net.ipv4.conf.default.accept_redirects = 0");
-  lines.push("      net.ipv4.conf.all.secure_redirects = 0");
-  lines.push("      net.ipv4.conf.default.secure_redirects = 0");
-  lines.push("");
-  lines.push("      # Disable sending ICMP redirects");
-  lines.push("      net.ipv4.conf.all.send_redirects = 0");
-  lines.push("      net.ipv4.conf.default.send_redirects = 0");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 2. SYN FLOOD PROTECTION");
-  lines.push("      # =================================================================");
-  lines.push("      # Enable SYN cookies (protects against SYN flood attacks)");
-  lines.push("      # Allows server to continue accepting connections under SYN flood");
-  lines.push("      net.ipv4.tcp_syncookies = 1");
-  lines.push("");
-  lines.push("      # Reuse TIME_WAIT sockets for new connections (safer, faster)");
-  lines.push("      # Reduces connection table exhaustion under high load");
-  lines.push("      net.ipv4.tcp_tw_reuse = 1");
-  lines.push("");
-  lines.push("      # Reduce SYN backlog and timeouts for faster detection");
-  lines.push("      net.ipv4.tcp_max_syn_backlog = 2048");
-  lines.push("      net.ipv4.tcp_synack_retries = 2");
-  lines.push("      net.ipv4.tcp_syn_retries = 5");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 3. NETWORK STACK HARDENING");
-  lines.push("      # =================================================================");
-  lines.push("      # Disable ICMP redirect acceptance (IPv6)");
-  lines.push("      net.ipv6.conf.all.accept_redirects = 0");
-  lines.push("      net.ipv6.conf.default.accept_redirects = 0");
-  lines.push("");
-  lines.push("      # Ignore ICMP broadcasts (prevent smurf attacks)");
-  lines.push("      net.ipv4.icmp_echo_ignore_broadcasts = 1");
-  lines.push("");
-  lines.push("      # Ignore bogus ICMP error responses (prevent ICMP attacks)");
-  lines.push("      net.ipv4.icmp_ignore_bogus_error_responses = 1");
-  lines.push("");
-  lines.push("      # Enable TCP timestamps (RFC 1323) for better sequence handling");
-  lines.push("      # Also protects against wrapped sequence number attacks");
-  lines.push("      net.ipv4.tcp_timestamps = 1");
-  lines.push("");
-  lines.push("      # Enable TCP selective acknowledgments (better performance)");
-  lines.push("      net.ipv4.tcp_sack = 1");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 4. CORE DUMP RESTRICTIONS");
-  lines.push("      # =================================================================");
-  lines.push("      # Disable core dumps for setuid programs (prevent privilege escalation)");
-  lines.push("      fs.suid_dumpable = 0");
-  lines.push("");
-  lines.push("      # Limit core dump size to 0 (disable core dumps)");
-  lines.push("      # Override in /etc/security/limits.conf if needed for debugging");
-  lines.push("      kernel.core_pattern = |/bin/false");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 5. MEMORY PROTECTION (ASLR)");
-  lines.push("      # =================================================================");
-  lines.push("      # Enable Address Space Layout Randomization (full)");
-  lines.push("      # Makes exploitation of memory corruption vulnerabilities harder");
-  lines.push("      # 0: Disabled, 1: Conservative, 2: Full (default)");
-  lines.push("      kernel.randomize_va_space = 2");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 6. FILESYSTEM PROTECTION");
-  lines.push("      # =================================================================");
-  lines.push("      # Hard link/symlink protection (prevent time-of-check time-of-use)");
-  lines.push("      fs.protected_hardlinks = 1");
-  lines.push("      fs.protected_symlinks = 1");
-  lines.push("");
-  lines.push("      # FIFO protection (prevent FIFO attacks on world-writable directories)");
-  lines.push("      fs.protected_fifos = 2");
-  lines.push("");
-  lines.push("      # Regular file protection (prevent file overwrite attacks)");
-  lines.push("      fs.protected_regular = 2");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 7. NETWORK BEHAVIOR TUNING");
-  lines.push("      # =================================================================");
-  lines.push("      # Enable TCP Fast Open (TFO) for reduced latency");
-  lines.push("      net.ipv4.tcp_fastopen = 3");
-  lines.push("");
-  lines.push("      # Disable source routing (prevent packet routing manipulation)");
-  lines.push("      net.ipv4.conf.all.accept_source_route = 0");
-  lines.push("      net.ipv4.conf.default.accept_source_route = 0");
-  lines.push("      net.ipv6.conf.all.accept_source_route = 0");
-  lines.push("      net.ipv6.conf.default.accept_source_route = 0");
-  lines.push("");
-  lines.push("      # Enable TCP window scaling (RFC 7323) for high-bandwidth links");
-  lines.push("      net.ipv4.tcp_window_scaling = 1");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 8. SECURITY-RELATED KERNEL PARAMETERS");
-  lines.push("      # =================================================================");
-  lines.push("      # Disable magic sysrq key (prevent console-based attacks)");
-  lines.push("      # 0: Disabled, 1: Enable (for debugging only)");
-  lines.push("      kernel.sysrq = 0");
-  lines.push("");
-  lines.push("      # Disable kexec system call (prevent kernel replacement)");
-  lines.push("      # 0: Disabled, 1: Enabled");
-  lines.push("      kernel.kexec_load = 0");
-  lines.push("");
-  lines.push("      # Disable user namespaces (prevent container breakouts)");
-  lines.push("      # 0: Disabled, 1: Enabled");
-  lines.push("      user.max_user_namespaces = 0");
-  lines.push("");
-  lines.push("      # Enable unprivileged bpf disabled (prevent eBPF-based exploits)");
-  lines.push("      # 0: Disabled, 1: Enabled");
-  lines.push("      kernel.unprivileged_bpf_disabled = 1");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 9. ADDITIONAL HARDENING (2026)");
-  lines.push("      # =================================================================");
-  lines.push("      # Disable IPv6 if not needed (uncomment if IPv6 is disabled)");
-  lines.push("      # net.ipv6.conf.all.disable_ipv6 = 1");
-  lines.push("      # net.ipv6.conf.default.disable_ipv6 = 1");
-  lines.push("");
-  lines.push("      # Enable dmesg restriction (prevent kernel info leaks)");
-  lines.push("      kernel.dmesg_restrict = 1");
-  lines.push("");
-  lines.push("      # Restrict ptrace scope (prevent process tracing by non-parent)");
-  lines.push("      # 0: Traditional, 1: Restricted, 2: Admin-only, 3: No attach");
-  lines.push("      kernel.yama.ptrace_scope = 2");
-  lines.push("");
-  lines.push("      # =================================================================");
-  lines.push("      # 10. PERFORMANCE TUNING (safe defaults)");
-  lines.push("      # =================================================================");
-  lines.push("      # Increase connection tracking table size (for stateful firewalls)");
-  lines.push("      net.netfilter.nf_conntrack_max = 262144");
-  lines.push("");
-  lines.push("      # Reduce TCP keepalive timeouts for faster dead peer detection");
-  lines.push("      net.ipv4.tcp_keepalive_time = 600");
-  lines.push("      net.ipv4.tcp_keepalive_intvl = 30");
-  lines.push("      net.ipv4.tcp_keepalive_probes = 3");
-  lines.push("");
-
-  return lines;
-}
-
-/**
- * Commands to apply kernel hardening settings immediately at first boot.
- * Returns cloud-init YAML lines for the `runcmd:` section.
- *
- * Order matters:
- *   1. Load all sysctl settings from /etc/sysctl.d/*.conf
- *   2. Apply settings immediately (don't wait for reboot)
- *   3. Log applied settings for audit trail
- *   4. Display summary for cloud-init output verification
- */
-export function kernelHardeningRunCmd(): string[] {
-  const lines: string[] = [];
-
-  lines.push("  # Kernel hardening: apply sysctl settings immediately");
-  lines.push("  # Settings are already in /etc/sysctl.d/99-security-hardening.conf");
-  lines.push("");
-  lines.push("  # Apply all sysctl settings (overrides defaults immediately)");
-  lines.push("  - sysctl --system");
-  lines.push("");
-  lines.push("  # Log applied settings for audit trail");
-  lines.push("  - sysctl -a | grep -E '(rp_filter|syncookies|randomize_va|suid_dump)' > /var/log/kernel-hardening.log 2>&1 || true");
-  lines.push("");
-  lines.push("  # Display summary of critical hardening settings");
-  lines.push("  - |");
-  lines.push("    echo '========================================'");
-  lines.push("    echo 'Kernel Hardening Applied (2026)'");
-  lines.push("    echo '========================================'");
-  lines.push("    echo 'IP Spoof Protection:    '$(sysctl -n net.ipv4.conf.all.rp_filter)");
-  lines.push("    echo 'SYN Cookies:            '$(sysctl -n net.ipv4.tcp_syncookies)");
-  lines.push("    echo 'ASLR Level:             '$(sysctl -n kernel.randomize_va_space)");
-  lines.push("    echo 'SUID Core Dumps:        '$(sysctl -n fs.suid_dumpable)");
-  lines.push("    echo 'Hard Links Protected:   '$(sysctl -n fs.protected_hardlinks)");
-  lines.push("    echo 'Ptrace Scope:           '$(sysctl -n kernel.yama.ptrace_scope)");
-  lines.push("    echo '========================================'");
-  lines.push("");
-
-  return lines;
-}

package/bootstrap/security-audit.js

@@ -1,122 +0,0 @@
-"use strict";
-/**
- * Security Audit Cloud-Init Components
- *
- * Composable cloud-init blocks for running post-bootstrap security audits.
- * Generates comprehensive security reports for verification and compliance.
- *
- * This module runs LAST in the bootstrap sequence, after all other security
- * hardening is applied. It captures the state of the system for verification.
- *
- * Three composable functions return cloud-init line arrays for splicing into
- * the appropriate YAML sections:
- *   - securityAuditPackages()    → packages: section
- *   - securityAuditWriteFiles()  → write_files: section
- *   - securityAuditRunCmd()      → runcmd: section
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.securityAuditPackages = securityAuditPackages;
-exports.securityAuditWriteFiles = securityAuditWriteFiles;
-exports.securityAuditRunCmd = securityAuditRunCmd;
-/**
- * Packages required for security auditing.
- * Returns cloud-init YAML lines for the `packages:` section.
- *
- * - lynis: Comprehensive security auditing tool
- */
-function securityAuditPackages() {
-    return [
-        "  - lynis",
-    ];
-}
-/**
- * Files to write at first boot for security auditing.
- * Returns cloud-init YAML lines for the `write_files:` section.
- *
- * Drops 1 file onto the server:
- *
- * 1. /opt/monitoring/security-audit.sh
- *    - Collects security metrics (UFW, fail2ban, sshd, sysctl)
- *    - Runs Lynis audit with warnings-only output
- *    - Generates JSON report at /var/log/security-audit.json
- *    - Logs summary to /var/log/security-audit.log
- */
-function securityAuditWriteFiles() {
-    var lines = [];
-    // 1. Security audit script - comprehensive security check
-    lines.push("  # Security audit script - runs after all hardening");
-    lines.push("  - path: /opt/monitoring/security-audit.sh");
-    lines.push("    owner: root:root");
-    lines.push("    permissions: '0755'");
-    lines.push("    content: |");
-    lines.push("      #!/bin/bash");
-    lines.push("      set -euo pipefail");
-    lines.push("      LOGFILE=\"/var/log/security-audit.log\"");
-    lines.push("      REPORTFILE=\"/var/log/security-audit.json\"");
-    lines.push("      echo \"Security Audit started at $(date -Iseconds)\" | tee \"$LOGFILE\"");
-    lines.push("");
-    lines.push("      # Firewall status");
-    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
-    lines.push("      echo \"=== UFW Firewall Status ===\" | tee -a \"$LOGFILE\"");
-    lines.push("      ufw status verbose | tee -a \"$LOGFILE\" || true");
-    lines.push("");
-    lines.push("      # Fail2ban status");
-    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
-    lines.push("      echo \"=== Fail2ban Status ===\" | tee -a \"$LOGFILE\"");
-    lines.push("      systemctl status fail2ban --no-pager | tee -a \"$LOGFILE\" || true");
-    lines.push("      fail2ban-client status sshd | tee -a \"$LOGFILE\" || true");
-    lines.push("");
-    lines.push("      # SSHd status");
-    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
-    lines.push("      echo \"=== SSHd Status ===\" | tee -a \"$LOGFILE\"");
-    lines.push("      systemctl status ssh --no-pager | tee -a \"$LOGFILE\" || true");
-    lines.push("      sshd -T | grep -E '(PasswordAuthentication|PermitRootLogin|MaxStartups)' | tee -a \"$LOGFILE\" || true");
-    lines.push("");
-    lines.push("      # Kernel hardening status");
-    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
-    lines.push("      echo \"=== Kernel Hardening Status ===\" | tee -a \"$LOGFILE\"");
-    lines.push("      sysctl randomize_va_space kptr_restrict tcp_syncookies | tee -a \"$LOGFILE\" || true");
-    lines.push("");
-    lines.push("      # Lynis audit (warnings only, non-interactive)");
-    lines.push("      echo \"\" | tee -a \"$LOGFILE\"");
-    lines.push("      echo \"=== Lynis Security Audit ===\" | tee -a \"$LOGFILE\"");
-    lines.push("      lynis audit system --warnings-only --quiet 2>&1 | tee -a \"$LOGFILE\" || true");
-    lines.push("");
-    lines.push("      # Generate JSON report");
-    lines.push("      timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)");
-    lines.push("      ufw_active=$(ufw status | grep -c \"Status: active\" || echo \"0\")");
-    lines.push("      fail2ban_active=$(systemctl is-active fail2ban 2>/dev/null || echo \"inactive\")");
-    lines.push("      sshd_active=$(systemctl is-active ssh 2>/dev/null || echo \"inactive\")");
-    lines.push("      aslr_enabled=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo \"0\")");
-    lines.push("      cat > \"$REPORTFILE\" <<AUDEOF");
-    lines.push("      {");
-    lines.push("        \"timestamp\": \"$timestamp\",");
-    lines.push("        \"firewall\": { \"active\": $ufw_active },");
-    lines.push("        \"fail2ban\": { \"active\": \"$fail2ban_active\" },");
-    lines.push("        \"sshd\": { \"active\": \"$sshd_active\" },");
-    lines.push("        \"kernel_hardening\": { \"aslr_enabled\": $aslr_enabled }");
-    lines.push("      }");
-    lines.push("      AUDEOF");
-    lines.push("      echo \"Security Audit completed at $(date -Iseconds)\" | tee -a \"$LOGFILE\"");
-    lines.push("      echo \"Report saved to $REPORTFILE\" | tee -a \"$LOGFILE\"");
-    lines.push("");
-    return lines;
-}
-/**
- * Commands to run security audit at first boot.
- * Returns cloud-init YAML lines for the `runcmd:` section.
- *
- * Order matters:
- *   1. Create /opt/monitoring directory (audit script target)
- *   2. Run security audit script (captures state after all hardening)
- *   3. Log audit completion for verification
- */
-function securityAuditRunCmd() {
-    var lines = [];
-    lines.push("  # Security audit: run comprehensive security check");
-    lines.push("  - mkdir -p /opt/monitoring");
-    lines.push("  - /opt/monitoring/security-audit.sh");
-    lines.push("  - echo \"Security audit completed at $(date -Iseconds)\" | tee -a /root/.bootstrap-status");
-    lines.push("");
-    return lines;
-}