kastell 2.1.0 → 2.2.1

package/dist/core/lock/index.js

@@ -0,0 +1,247 @@
+export { buildLoginBannersCommand, buildSshCipherCommand, buildSshFineTuningCommand } from "./ssh.js";
+export { buildSysctlHardeningCommand, buildCloudMetaBlockCommand, buildDnsSecurityCommand, buildDnsRollbackCommand } from "./network.js";
+export { buildUnattendedUpgradesCommand, buildResourceLimitsCommand, buildServiceDisableCommand, buildAptValidationCommand, buildLogRetentionCommand, buildCronAccessCommand, buildBackupPermissionsCommand } from "./system.js";
+export { buildAccountLockCommand, buildPwqualityCommand, buildLoginDefsCommand, buildFaillockCommand, buildSudoHardeningCommand } from "./auth.js";
+export { buildAuditdCommand, buildAideInitCommand } from "./monitoring.js";
+export { buildDockerHardeningCommand } from "./docker.js";
+import { sshExec, assertValidIp } from "../../utils/ssh.js";
+import { buildHardeningCommand, buildFail2banCommand, buildKeyCheckCommand } from "../secure.js";
+import { buildFirewallSetupCommand } from "../firewall.js";
+import { runAudit } from "../audit/index.js";
+import { LOCK_FIREWALL_TIMEOUT_MS, LOCK_UPGRADES_TIMEOUT_MS, LOCK_PACKAGES_TIMEOUT_MS } from "../../constants.js";
+import { getErrorMessage } from "../../utils/errorMapper.js";
+import { buildLoginBannersCommand, buildSshCipherCommand, buildSshFineTuningCommand } from "./ssh.js";
+import { buildSysctlHardeningCommand, buildCloudMetaBlockCommand, buildDnsSecurityCommand, buildDnsRollbackCommand } from "./network.js";
+import { buildUnattendedUpgradesCommand, buildResourceLimitsCommand, buildServiceDisableCommand, buildAptValidationCommand, buildLogRetentionCommand, buildCronAccessCommand, buildBackupPermissionsCommand } from "./system.js";
+import { buildAccountLockCommand, buildPwqualityCommand, buildLoginDefsCommand, buildFaillockCommand, buildSudoHardeningCommand } from "./auth.js";
+import { buildAuditdCommand, buildAideInitCommand } from "./monitoring.js";
+import { buildDockerHardeningCommand } from "./docker.js";
+async function runLockStep(ip, command, opts) {
+    try {
+        await sshExec(ip, command, opts);
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, error: getErrorMessage(err) };
+    }
+}
+export async function applyLock(ip, name, platform, options) {
+    assertValidIp(ip);
+    const steps = {
+        sshHardening: false,
+        fail2ban: false,
+        banners: false,
+        accountLock: false,
+        sshCipher: false,
+        ufw: false,
+        cloudMeta: false,
+        dns: false,
+        sysctl: false,
+        unattendedUpgrades: false,
+        aptValidation: false,
+        resourceLimits: false,
+        serviceDisable: false,
+        backupPermissions: false,
+        pwquality: false,
+        dockerHardening: false,
+        auditd: false,
+        logRetention: false,
+        aide: false,
+        cronAccess: false,
+        sshFineTuning: false,
+        loginDefs: false,
+        faillock: false,
+        sudoHardening: false,
+    };
+    const stepErrors = {};
+    // Dry run: preview only, no SSH
+    if (options.dryRun) {
+        return {
+            success: true,
+            steps,
+        };
+    }
+    const auditPlatform = platform ?? "bare";
+    // Pre-audit (non-fatal)
+    let scoreBefore;
+    try {
+        const preAudit = await runAudit(ip, name, auditPlatform);
+        if (preAudit.success && preAudit.data) {
+            scoreBefore = preAudit.data.overallScore;
+        }
+    }
+    catch {
+        // Non-fatal — continue without score
+    }
+    // Step 0: SSH key check — abort if no keys
+    try {
+        const keyResult = await sshExec(ip, buildKeyCheckCommand());
+        const keyCount = parseInt(keyResult.stdout.trim(), 10);
+        if (isNaN(keyCount) || keyCount === 0) {
+            return {
+                success: false,
+                steps,
+                error: "No SSH keys found in /root/.ssh/authorized_keys. Cannot disable password authentication without SSH keys — this would permanently lock you out.",
+                hint: `Add an SSH key first: ssh-copy-id root@${ip}`,
+            };
+        }
+    }
+    catch (err) {
+        return {
+            success: false,
+            steps,
+            error: `SSH key check failed: ${getErrorMessage(err)}`,
+        };
+    }
+    // ── Group 1: SSH & Auth ──────────────────────────────────────────────────
+    // Step 1: SSH hardening (critical — determines overall success)
+    const sshResult = await runLockStep(ip, buildHardeningCommand());
+    steps.sshHardening = sshResult.ok;
+    if (!sshResult.ok)
+        stepErrors.sshHardening = sshResult.error;
+    // Step 2: fail2ban
+    const fail2banResult = await runLockStep(ip, buildFail2banCommand());
+    steps.fail2ban = fail2banResult.ok;
+    if (!fail2banResult.ok)
+        stepErrors.fail2ban = fail2banResult.error;
+    // Step 3: Login banners
+    const bannersResult = await runLockStep(ip, buildLoginBannersCommand());
+    steps.banners = bannersResult.ok;
+    if (!bannersResult.ok)
+        stepErrors.banners = bannersResult.error;
+    // Step 4: Account locking
+    const accountLockResult = await runLockStep(ip, buildAccountLockCommand());
+    steps.accountLock = accountLockResult.ok;
+    if (!accountLockResult.ok)
+        stepErrors.accountLock = accountLockResult.error;
+    // Step 5: SSH cipher hardening — with sshd -t rollback
+    const sshCipherResult = await runLockStep(ip, buildSshCipherCommand());
+    steps.sshCipher = sshCipherResult.ok;
+    if (!sshCipherResult.ok)
+        stepErrors.sshCipher = sshCipherResult.error;
+    // ── Group 2: Firewall & Network ──────────────────────────────────────────
+    // Step 6: UFW firewall, 60s timeout for apt
+    const ufwResult = await runLockStep(ip, buildFirewallSetupCommand(platform), { timeoutMs: LOCK_FIREWALL_TIMEOUT_MS });
+    steps.ufw = ufwResult.ok;
+    if (!ufwResult.ok)
+        stepErrors.ufw = ufwResult.error;
+    // Step 7: Cloud metadata — conditional on UFW
+    if (steps.ufw) {
+        const cloudMetaResult = await runLockStep(ip, buildCloudMetaBlockCommand());
+        steps.cloudMeta = cloudMetaResult.ok;
+        if (!cloudMetaResult.ok)
+            stepErrors.cloudMeta = cloudMetaResult.error;
+    }
+    else {
+        stepErrors.cloudMeta = "UFW required";
+    }
+    // Step 8: DNS security — with rollback on failure
+    const dnsResult = await runLockStep(ip, buildDnsSecurityCommand(), { timeoutMs: 15_000 });
+    steps.dns = dnsResult.ok;
+    if (!dnsResult.ok) {
+        stepErrors.dns = dnsResult.error;
+        await runLockStep(ip, buildDnsRollbackCommand());
+    }
+    // ── Group 3: System ──────────────────────────────────────────────────────
+    // Step 9: sysctl hardening
+    const sysctlResult = await runLockStep(ip, buildSysctlHardeningCommand());
+    steps.sysctl = sysctlResult.ok;
+    if (!sysctlResult.ok)
+        stepErrors.sysctl = sysctlResult.error;
+    // Step 10: unattended-upgrades, 120s timeout for apt
+    const upgradesResult = await runLockStep(ip, buildUnattendedUpgradesCommand(), { timeoutMs: LOCK_UPGRADES_TIMEOUT_MS });
+    steps.unattendedUpgrades = upgradesResult.ok;
+    if (!upgradesResult.ok)
+        stepErrors.unattendedUpgrades = upgradesResult.error;
+    // Step 11: APT validation
+    const aptResult = await runLockStep(ip, buildAptValidationCommand());
+    steps.aptValidation = aptResult.ok;
+    if (!aptResult.ok)
+        stepErrors.aptValidation = aptResult.error;
+    // Step 12: Resource limits
+    const limitsResult = await runLockStep(ip, buildResourceLimitsCommand());
+    steps.resourceLimits = limitsResult.ok;
+    if (!limitsResult.ok)
+        stepErrors.resourceLimits = limitsResult.error;
+    // Step 13: Service disabling
+    const serviceResult = await runLockStep(ip, buildServiceDisableCommand());
+    steps.serviceDisable = serviceResult.ok;
+    if (!serviceResult.ok)
+        stepErrors.serviceDisable = serviceResult.error;
+    // Step 14: Backup permissions
+    const backupResult = await runLockStep(ip, buildBackupPermissionsCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
+    steps.backupPermissions = backupResult.ok;
+    if (!backupResult.ok)
+        stepErrors.backupPermissions = backupResult.error;
+    // Step 15: Password quality policy
+    const pwqualityResult = await runLockStep(ip, buildPwqualityCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
+    steps.pwquality = pwqualityResult.ok;
+    if (!pwqualityResult.ok)
+        stepErrors.pwquality = pwqualityResult.error;
+    // Step 16: Docker runtime hardening
+    const dockerResult = await runLockStep(ip, buildDockerHardeningCommand(platform), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
+    steps.dockerHardening = dockerResult.ok;
+    if (!dockerResult.ok)
+        stepErrors.dockerHardening = dockerResult.error;
+    // ── Group 4: Monitoring ──────────────────────────────────────────────────
+    // Step 17: auditd
+    const auditdResult = await runLockStep(ip, buildAuditdCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
+    steps.auditd = auditdResult.ok;
+    if (!auditdResult.ok)
+        stepErrors.auditd = auditdResult.error;
+    // Step 18: Log retention
+    const logResult = await runLockStep(ip, buildLogRetentionCommand());
+    steps.logRetention = logResult.ok;
+    if (!logResult.ok)
+        stepErrors.logRetention = logResult.error;
+    // Step 19: AIDE (fire-and-forget)
+    const aideResult = await runLockStep(ip, buildAideInitCommand(), { timeoutMs: LOCK_PACKAGES_TIMEOUT_MS });
+    steps.aide = aideResult.ok;
+    if (!aideResult.ok)
+        stepErrors.aide = aideResult.error;
+    // Step 20: Cron access control
+    const cronAccessResult = await runLockStep(ip, buildCronAccessCommand());
+    steps.cronAccess = cronAccessResult.ok;
+    if (!cronAccessResult.ok)
+        stepErrors.cronAccess = cronAccessResult.error;
+    // ── Group 5: Score Boost (P87) ─────────────────────────────────────────────
+    // Step 21: SSH fine-tuning — with sshd -t rollback
+    const sshFineTuneResult = await runLockStep(ip, buildSshFineTuningCommand());
+    steps.sshFineTuning = sshFineTuneResult.ok;
+    if (!sshFineTuneResult.ok)
+        stepErrors.sshFineTuning = sshFineTuneResult.error;
+    // Step 22: Login definitions
+    const loginDefsResult = await runLockStep(ip, buildLoginDefsCommand());
+    steps.loginDefs = loginDefsResult.ok;
+    if (!loginDefsResult.ok)
+        stepErrors.loginDefs = loginDefsResult.error;
+    // Step 23: Faillock
+    const faillockResult = await runLockStep(ip, buildFaillockCommand());
+    steps.faillock = faillockResult.ok;
+    if (!faillockResult.ok)
+        stepErrors.faillock = faillockResult.error;
+    // Step 24: Sudo hardening
+    const sudoHardeningResult = await runLockStep(ip, buildSudoHardeningCommand());
+    steps.sudoHardening = sudoHardeningResult.ok;
+    if (!sudoHardeningResult.ok)
+        stepErrors.sudoHardening = sudoHardeningResult.error;
+    // Post-audit (non-fatal)
+    let scoreAfter;
+    try {
+        const postAudit = await runAudit(ip, name, auditPlatform);
+        if (postAudit.success && postAudit.data) {
+            scoreAfter = postAudit.data.overallScore;
+        }
+    }
+    catch {
+        // Non-fatal
+    }
+    return {
+        success: steps.sshHardening,
+        steps,
+        ...(Object.keys(stepErrors).length > 0 && { stepErrors }),
+        scoreBefore,
+        scoreAfter,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/core/lock/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/core/lock/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,MAAM,UAAU,CAAC;AACtG,OAAO,EAAE,2BAA2B,EAAE,0BAA0B,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AACzI,OAAO,EAAE,8BAA8B,EAAE,0BAA0B,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,6BAA6B,EAAE,MAAM,aAAa,CAAC;AACjO,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,MAAM,WAAW,CAAC;AACnJ,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAE,2BAA2B,EAAE,MAAM,aAAa,CAAC;AAE1D,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACjG,OAAO,EAAE,yBAAyB,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAG7C,OAAO,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAClH,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAE7D,OAAO,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,MAAM,UAAU,CAAC;AACtG,OAAO,EAAE,2BAA2B,EAAE,0BAA0B,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AACzI,OAAO,EAAE,8BAA8B,EAAE,0BAA0B,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,6BAA6B,EAAE,MAAM,aAAa,CAAC;AACjO,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,MAAM,WAAW,CAAC;AACnJ,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAE,2BAA2B,EAAE,MAAM,aAAa,CAAC;AAG1D,KAAK,UAAU,WAAW,CACxB,EAAU,EACV,OAAmB,EACnB,IAA6B;IAE7B,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;IACpD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,EAAU,EACV,IAAY,EACZ,QAA8B,EAC9B,OAAoB;IAEpB,aAAa,CAAC,EAAE,CAAC,CAAC;IAElB,MAAM,KAAK,GAAmB;QAC5B,YAAY,EAAE,KAAK;QACnB,QAAQ,EAAE,KAAK;QACf,OAAO,EAAE,KAAK;QACd,WAAW,EAAE,KAAK;QAClB,SAAS,EAAE,KAAK;QAChB,GAAG,EAAE,KAAK;QACV,SAAS,EAAE,KAAK;QAChB,GAAG,EAAE,KAAK;QACV,MAAM,EAAE,KAAK;QACb,kBAAkB,EAAE,KAAK;QACzB,aAAa,EAAE,KAAK;QACpB,cAAc,EAAE,KAAK;QACrB,cAAc,EAAE,KAAK;QACrB,iBAAiB,EAAE,KAAK;QACxB,SAAS,EAAE,KAAK;QAChB,eAAe,EAAE,KAAK;QACtB,MAAM,EAAE,KAAK;QACb,YAAY,EAAE,KAAK;QACnB,IAAI,EAAE,KAAK;QACX,UAAU,EAAE,KAAK;QACjB,aAAa,EAAE,KAAK;QACpB,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,KAAK;QACf,aAAa,EAAE,KAAK;KACrB,CAAC;IAEF,MAAM,UAAU,GAAkD,EAAE,CAAC;IAErE,gCAAgC;IAChC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK;SACN,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,QAAQ,IAAI,MAAM,CAAC;IAEzC,wBAAwB;IACxB,IAAI,WAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;QACzD,IAAI,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YACtC,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC;QAC3C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qCAAqC;IACvC,CAAC;IAED,2CAA2C;IAC3C,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,EAAE,EAAE,oBAAoB,EAAE,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK;gBACL,KAAK,EAAE,iJAAiJ;gBACxJ,IAAI,EAAE,0CAA0C,EAAE,EAAE;aACrD,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK;YACL,KAAK,EAAE,yBAAyB,eAAe,CAAC,GAAG,CAAC,EAAE;SACvD,CAAC;IACJ,CAAC;IAED,4EAA4E;IAE5E,gEAAgE;IAChE,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACjE,KAAK,CAAC,YAAY,GAAG,SAAS,CAAC,EAAE,CAAC;IAClC,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,YAAY,GAAG,SAAS,CAAC,KAAM,CAAC;IAE9D,mBAAmB;IACnB,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,oBAAoB,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC;IACnC,IAAI,CAAC,cAAc,CAAC,EAAE;QAAE,UAAU,CAAC,QAAQ,GAAG,cAAc,CAAC,KAAM,CAAC;IAEpE,wBAAwB;IACxB,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACxE,KAAK,CAAC,OAAO,GAAG,aAAa,CAAC,EAAE,CAAC;IACjC,IAAI,CAAC,aAAa,CAAC,EAAE;QAAE,UAAU,CAAC,OAAO,GAAG,aAAa,CAAC,KAAM,CAAC;IAEjE,0BAA0B;IAC1B,MAAM,iBAAiB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,uBAAuB,EAAE,CAAC,CAAC;IAC3E,KAAK,CAAC,WAAW,GAAG,iBAAiB,CAAC,EAAE,CAAC;IACzC,IAAI,CAAC,iBAAiB,CAAC,EAAE;QAAE,UAAU,CAAC,WAAW,GAAG,iBAAiB,CAAC,KAAM,CAAC;IAE7E,uDAAuD;IACvD,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACvE,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,CAAC,EAAE;QAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IAEvE,4EAA4E;IAE5E,4CAA4C;IAC5C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACtH,KAAK,CAAC,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC;IACzB,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,GAAG,GAAG,SAAS,CAAC,KAAM,CAAC;IAErD,8CAA8C;IAC9C,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;QACd,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,0BAA0B,EAAE,CAAC,CAAC;QAC5E,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC,eAAe,CAAC,EAAE;YAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IACzE,CAAC;SAAM,CAAC;QACN,UAAU,CAAC,SAAS,GAAG,cAAc,CAAC;IACxC,CAAC;IAED,kDAAkD;IAClD,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAC1F,KAAK,CAAC,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC;IACzB,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;QAClB,UAAU,CAAC,GAAG,GAAG,SAAS,CAAC,KAAM,CAAC;QAClC,MAAM,WAAW,CAAC,EAAE,EAAE,uBAAuB,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,4EAA4E;IAE5E,2BAA2B;IAC3B,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,2BAA2B,EAAE,CAAC,CAAC;IAC1E,KAAK,CAAC,MAAM,GAAG,YAAY,CAAC,EAAE,CAAC;IAC/B,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,MAAM,GAAG,YAAY,CAAC,KAAM,CAAC;IAE9D,qDAAqD;IACrD,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,8BAA8B,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACxH,KAAK,CAAC,kBAAkB,GAAG,cAAc,CAAC,EAAE,CAAC;IAC7C,IAAI,CAAC,cAAc,CAAC,EAAE;QAAE,UAAU,CAAC,kBAAkB,GAAG,cAAc,CAAC,KAAM,CAAC;IAE9E,0BAA0B;IAC1B,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,aAAa,GAAG,SAAS,CAAC,EAAE,CAAC;IACnC,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,aAAa,GAAG,SAAS,CAAC,KAAM,CAAC;IAE/D,2BAA2B;IAC3B,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,0BAA0B,EAAE,CAAC,CAAC;IACzE,KAAK,CAAC,cAAc,GAAG,YAAY,CAAC,EAAE,CAAC;IACvC,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,cAAc,GAAG,YAAY,CAAC,KAAM,CAAC;IAEtE,6BAA6B;IAC7B,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC1E,KAAK,CAAC,cAAc,GAAG,aAAa,CAAC,EAAE,CAAC;IACxC,IAAI,CAAC,aAAa,CAAC,EAAE;QAAE,UAAU,CAAC,cAAc,GAAG,aAAa,CAAC,KAAM,CAAC;IAExE,8BAA8B;IAC9B,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,6BAA6B,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACrH,KAAK,CAAC,iBAAiB,GAAG,YAAY,CAAC,EAAE,CAAC;IAC1C,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,iBAAiB,GAAG,YAAY,CAAC,KAAM,CAAC;IAEzE,mCAAmC;IACnC,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAChH,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,CAAC,EAAE;QAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IAEvE,oCAAoC;IACpC,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,2BAA2B,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC3H,KAAK,CAAC,eAAe,GAAG,YAAY,CAAC,EAAE,CAAC;IACxC,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,eAAe,GAAG,YAAY,CAAC,KAAM,CAAC;IAEvE,4EAA4E;IAE5E,kBAAkB;IAClB,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC1G,KAAK,CAAC,MAAM,GAAG,YAAY,CAAC,EAAE,CAAC;IAC/B,IAAI,CAAC,YAAY,CAAC,EAAE;QAAE,UAAU,CAAC,MAAM,GAAG,YAAY,CAAC,KAAM,CAAC;IAE9D,yBAAyB;IACzB,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,wBAAwB,EAAE,CAAC,CAAC;IACpE,KAAK,CAAC,YAAY,GAAG,SAAS,CAAC,EAAE,CAAC;IAClC,IAAI,CAAC,SAAS,CAAC,EAAE;QAAE,UAAU,CAAC,YAAY,GAAG,SAAS,CAAC,KAAM,CAAC;IAE9D,kCAAkC;IAClC,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE,SAAS,EAAE,wBAAwB,EAAE,CAAC,CAAC;IAC1G,KAAK,CAAC,IAAI,GAAG,UAAU,CAAC,EAAE,CAAC;IAC3B,IAAI,CAAC,UAAU,CAAC,EAAE;QAAE,UAAU,CAAC,IAAI,GAAG,UAAU,CAAC,KAAM,CAAC;IAExD,+BAA+B;IAC/B,MAAM,gBAAgB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,sBAAsB,EAAE,CAAC,CAAC;IACzE,KAAK,CAAC,UAAU,GAAG,gBAAgB,CAAC,EAAE,CAAC;IACvC,IAAI,CAAC,gBAAgB,CAAC,EAAE;QAAE,UAAU,CAAC,UAAU,GAAG,gBAAgB,CAAC,KAAM,CAAC;IAE1E,8EAA8E;IAE9E,mDAAmD;IACnD,MAAM,iBAAiB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAC7E,KAAK,CAAC,aAAa,GAAG,iBAAiB,CAAC,EAAE,CAAC;IAC3C,IAAI,CAAC,iBAAiB,CAAC,EAAE;QAAE,UAAU,CAAC,aAAa,GAAG,iBAAiB,CAAC,KAAM,CAAC;IAE/E,6BAA6B;IAC7B,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACvE,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,CAAC,EAAE;QAAE,UAAU,CAAC,SAAS,GAAG,eAAe,CAAC,KAAM,CAAC;IAEvE,oBAAoB;IACpB,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,oBAAoB,EAAE,CAAC,CAAC;IACrE,KAAK,CAAC,QAAQ,GAAG,cAAc,CAAC,EAAE,CAAC;IACnC,IAAI,CAAC,cAAc,CAAC,EAAE;QAAE,UAAU,CAAC,QAAQ,GAAG,cAAc,CAAC,KAAM,CAAC;IAEpE,0BAA0B;IAC1B,MAAM,mBAAmB,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAC/E,KAAK,CAAC,aAAa,GAAG,mBAAmB,CAAC,EAAE,CAAC;IAC7C,IAAI,CAAC,mBAAmB,CAAC,EAAE;QAAE,UAAU,CAAC,aAAa,GAAG,mBAAmB,CAAC,KAAM,CAAC;IAEnF,yBAAyB;IACzB,IAAI,UAA8B,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,EAAE,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;QAC1D,IAAI,SAAS,CAAC,OAAO,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACxC,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC;QAC3C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,YAAY;QAC3B,KAAK;QACL,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,CAAC;QACzD,WAAW;QACX,UAAU;KACX,CAAC;AACJ,CAAC"}

package/dist/core/lock/monitoring.d.ts

@@ -0,0 +1,4 @@
+import { type SshCommand } from "../../utils/sshCommand.js";
+export declare function buildAuditdCommand(): SshCommand;
+export declare function buildAideInitCommand(): SshCommand;
+//# sourceMappingURL=monitoring.d.ts.map

package/dist/core/lock/monitoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"monitoring.d.ts","sourceRoot":"","sources":["../../../src/core/lock/monitoring.ts"],"names":[],"mappings":"AAAA,OAAO,EAAO,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAEjE,wBAAgB,kBAAkB,IAAI,UAAU,CA8C/C;AAED,wBAAgB,oBAAoB,IAAI,UAAU,CAWjD"}

package/dist/core/lock/monitoring.js

@@ -0,0 +1,55 @@
+import { raw } from "../../utils/sshCommand.js";
+export function buildAuditdCommand() {
+    // Deep rules go in 50-kastell-deep.rules (sorts BEFORE 99-kastell.rules -e 2 immutability)
+    const deepRules = [
+        "# Identity — file integrity",
+        "-w /etc/passwd -p wa -k identity",
+        "-w /etc/shadow -p wa -k identity",
+        "-w /etc/group -p wa -k identity",
+        "-w /etc/gshadow -p wa -k identity",
+        "# Privilege escalation",
+        "-w /etc/sudoers -p wa -k privilege",
+        "-w /etc/sudoers.d/ -p wa -k privilege",
+        "-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k privilege",
+        "# Time change",
+        "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change",
+        "-w /etc/localtime -p wa -k time-change",
+        "# Login and session",
+        "-w /var/log/lastlog -p wa -k logins",
+        "-w /var/run/faillock/ -p wa -k logins",
+        "-w /var/run/utmp -p wa -k session",
+        "-w /var/log/wtmp -p wa -k session",
+        "-w /var/log/btmp -p wa -k session",
+        "# Network changes",
+        "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network-change",
+        "-w /etc/hostname -p wa -k network-change",
+        "-w /etc/hosts -p wa -k network-change",
+        "-w /etc/sysconfig/network -p wa -k network-change",
+        "# Kernel modules",
+        "-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k kernel-module",
+        "-w /sbin/insmod -p x -k kernel-module",
+        "-w /sbin/modprobe -p x -k kernel-module",
+        "-w /sbin/rmmod -p x -k kernel-module",
+    ].join("\\n");
+    // Immutability directive in 99 — sorts AFTER 50
+    const immutableRule = "-e 2";
+    return raw([
+        "DEBIAN_FRONTEND=noninteractive apt-get install -y auditd audispd-plugins",
+        "systemctl enable auditd && systemctl start auditd",
+        `printf '${deepRules}\\n' > /etc/audit/rules.d/50-kastell-deep.rules`,
+        `printf '${immutableRule}\\n' > /etc/audit/rules.d/99-kastell.rules`,
+        "augenrules --load 2>/dev/null || true",
+        "service auditd restart 2>/dev/null || systemctl restart auditd 2>/dev/null || true",
+    ].join(" && "));
+}
+export function buildAideInitCommand() {
+    const cronScript = "#!/bin/bash\\n/usr/sbin/aide --check 2>/dev/null || true";
+    return raw([
+        "DEBIAN_FRONTEND=noninteractive apt-get install -y aide",
+        "rm -f /etc/cron.d/kastell-aide",
+        `printf '${cronScript}\\n' > /etc/cron.daily/aide-check`,
+        "chmod 755 /etc/cron.daily/aide-check",
+        "nohup aide --init > /var/log/aide-init.log 2>&1 &",
+    ].join(" && "));
+}
+//# sourceMappingURL=monitoring.js.map

package/dist/core/lock/monitoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"monitoring.js","sourceRoot":"","sources":["../../../src/core/lock/monitoring.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAmB,MAAM,2BAA2B,CAAC;AAEjE,MAAM,UAAU,kBAAkB;IAChC,2FAA2F;IAC3F,MAAM,SAAS,GAAG;QAChB,6BAA6B;QAC7B,kCAAkC;QAClC,kCAAkC;QAClC,iCAAiC;QACjC,mCAAmC;QACnC,wBAAwB;QACxB,oCAAoC;QACpC,uCAAuC;QACvC,qFAAqF;QACrF,eAAe;QACf,wFAAwF;QACxF,wCAAwC;QACxC,qBAAqB;QACrB,qCAAqC;QACrC,uCAAuC;QACvC,mCAAmC;QACnC,mCAAmC;QACnC,mCAAmC;QACnC,mBAAmB;QACnB,8EAA8E;QAC9E,0CAA0C;QAC1C,uCAAuC;QACvC,mDAAmD;QACnD,kBAAkB;QAClB,6FAA6F;QAC7F,uCAAuC;QACvC,yCAAyC;QACzC,sCAAsC;KACvC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,gDAAgD;IAChD,MAAM,aAAa,GAAG,MAAM,CAAC;IAE7B,OAAO,GAAG,CACR;QACE,0EAA0E;QAC1E,mDAAmD;QACnD,WAAW,SAAS,iDAAiD;QACrE,WAAW,aAAa,4CAA4C;QACpE,uCAAuC;QACvC,oFAAoF;KACrF,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,MAAM,UAAU,GAAG,0DAA0D,CAAC;IAC9E,OAAO,GAAG,CACR;QACE,wDAAwD;QACxD,gCAAgC;QAChC,WAAW,UAAU,mCAAmC;QACxD,sCAAsC;QACtC,mDAAmD;KACpD,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC"}

package/dist/core/lock/network.d.ts

@@ -0,0 +1,6 @@
+import { type SshCommand } from "../../utils/sshCommand.js";
+export declare function buildSysctlHardeningCommand(): SshCommand;
+export declare function buildCloudMetaBlockCommand(): SshCommand;
+export declare function buildDnsSecurityCommand(): SshCommand;
+export declare function buildDnsRollbackCommand(): SshCommand;
+//# sourceMappingURL=network.d.ts.map

package/dist/core/lock/network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.d.ts","sourceRoot":"","sources":["../../../src/core/lock/network.ts"],"names":[],"mappings":"AAAA,OAAO,EAAO,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAEjE,wBAAgB,2BAA2B,IAAI,UAAU,CAqCxD;AAED,wBAAgB,0BAA0B,IAAI,UAAU,CAOvD;AAED,wBAAgB,uBAAuB,IAAI,UAAU,CAYpD;AAED,wBAAgB,uBAAuB,IAAI,UAAU,CAOpD"}

package/dist/core/lock/network.js

@@ -0,0 +1,59 @@
+import { raw } from "../../utils/sshCommand.js";
+export function buildSysctlHardeningCommand() {
+    const settings = [
+        // Existing baseline settings
+        "net.ipv4.conf.all.accept_redirects=0",
+        "net.ipv4.conf.default.accept_redirects=0",
+        "net.ipv4.conf.all.accept_source_route=0",
+        "net.ipv4.conf.default.accept_source_route=0",
+        "net.ipv4.conf.all.log_martians=1",
+        "net.ipv4.tcp_syncookies=1",
+        "kernel.randomize_va_space=2",
+        "net.ipv4.icmp_echo_ignore_broadcasts=1",
+        // Deep kernel hardening (CIS L2)
+        "kernel.dmesg_restrict=1",
+        "kernel.kptr_restrict=1",
+        "fs.suid_dumpable=0",
+        "net.core.bpf_jit_harden=1",
+        "kernel.unprivileged_bpf_disabled=1",
+        // Reverse path filter — loose mode (2) to not break Docker bridge networking
+        "net.ipv4.conf.all.rp_filter=2",
+        "net.ipv4.conf.default.rp_filter=2",
+        // Disable ICMP redirect sending
+        "net.ipv4.conf.all.send_redirects=0",
+        "net.ipv4.conf.default.send_redirects=0",
+        // Disable secure redirects
+        "net.ipv4.conf.all.secure_redirects=0",
+        "net.ipv4.conf.default.secure_redirects=0",
+        // IPv6 redirect hardening
+        "net.ipv6.conf.all.accept_redirects=0",
+        "net.ipv6.conf.default.accept_redirects=0",
+    ].join("\\n");
+    return raw([
+        `printf '${settings}\\n' > /etc/sysctl.d/99-kastell.conf`,
+        "sysctl -p /etc/sysctl.d/99-kastell.conf 2>/dev/null || true",
+    ].join(" && "));
+}
+export function buildCloudMetaBlockCommand() {
+    return raw([
+        "ufw deny out to 169.254.169.254",
+        "ufw deny in from 169.254.169.254",
+    ].join(" && "));
+}
+export function buildDnsSecurityCommand() {
+    const dropinContent = ["[Resolve]", "DNSSEC=yes", "DNSOverTLS=opportunistic"].join("\\n");
+    return raw([
+        "cp /etc/systemd/resolved.conf /etc/systemd/resolved.conf.kastell.bak 2>/dev/null || true",
+        "mkdir -p /etc/systemd/resolved.conf.d",
+        `printf '${dropinContent}\\n' > /etc/systemd/resolved.conf.d/99-kastell-dns.conf`,
+        "systemctl restart systemd-resolved",
+        "dig google.com +timeout=5 +tries=1 @127.0.0.53 >/dev/null 2>&1",
+    ].join(" && "));
+}
+export function buildDnsRollbackCommand() {
+    return raw([
+        "rm -f /etc/systemd/resolved.conf.d/99-kastell-dns.conf",
+        "systemctl restart systemd-resolved",
+    ].join(" && "));
+}
+//# sourceMappingURL=network.js.map

package/dist/core/lock/network.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.js","sourceRoot":"","sources":["../../../src/core/lock/network.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAmB,MAAM,2BAA2B,CAAC;AAEjE,MAAM,UAAU,2BAA2B;IACzC,MAAM,QAAQ,GAAG;QACf,6BAA6B;QAC7B,sCAAsC;QACtC,0CAA0C;QAC1C,yCAAyC;QACzC,6CAA6C;QAC7C,kCAAkC;QAClC,2BAA2B;QAC3B,6BAA6B;QAC7B,wCAAwC;QACxC,iCAAiC;QACjC,yBAAyB;QACzB,wBAAwB;QACxB,oBAAoB;QACpB,2BAA2B;QAC3B,oCAAoC;QACpC,6EAA6E;QAC7E,+BAA+B;QAC/B,mCAAmC;QACnC,gCAAgC;QAChC,oCAAoC;QACpC,wCAAwC;QACxC,2BAA2B;QAC3B,sCAAsC;QACtC,0CAA0C;QAC1C,0BAA0B;QAC1B,sCAAsC;QACtC,0CAA0C;KAC3C,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CACR;QACE,WAAW,QAAQ,sCAAsC;QACzD,6DAA6D;KAC9D,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,OAAO,GAAG,CACR;QACE,iCAAiC;QACjC,kCAAkC;KACnC,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,MAAM,aAAa,GAAG,CAAC,WAAW,EAAE,YAAY,EAAE,0BAA0B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAE1F,OAAO,GAAG,CACR;QACE,0FAA0F;QAC1F,uCAAuC;QACvC,WAAW,aAAa,yDAAyD;QACjF,oCAAoC;QACpC,gEAAgE;KACjE,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,GAAG,CACR;QACE,wDAAwD;QACxD,oCAAoC;KACrC,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC"}

package/dist/core/lock/ssh.d.ts

@@ -0,0 +1,5 @@
+import { type SshCommand } from "../../utils/sshCommand.js";
+export declare function buildLoginBannersCommand(): SshCommand;
+export declare function buildSshCipherCommand(): SshCommand;
+export declare function buildSshFineTuningCommand(): SshCommand;
+//# sourceMappingURL=ssh.d.ts.map

package/dist/core/lock/ssh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh.d.ts","sourceRoot":"","sources":["../../../src/core/lock/ssh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAO,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAGjE,wBAAgB,wBAAwB,IAAI,UAAU,CAWrD;AAED,wBAAgB,qBAAqB,IAAI,UAAU,CAalD;AAED,wBAAgB,yBAAyB,IAAI,UAAU,CA6BtD"}

package/dist/core/lock/ssh.js

@@ -0,0 +1,49 @@
+import { raw } from "../../utils/sshCommand.js";
+import { WEAK_CIPHERS, WEAK_MACS, WEAK_KEX } from "../../constants.js";
+export function buildLoginBannersCommand() {
+    const bannerText = "Authorized access only. All activity is monitored and logged.";
+    return raw([
+        `printf '${bannerText}\\n' > /etc/issue`,
+        `printf '${bannerText}\\n' > /etc/issue.net`,
+        `printf '${bannerText}\\n' > /etc/motd`,
+        `grep -qE '^Banner' /etc/ssh/sshd_config || echo 'Banner /etc/issue.net' >> /etc/ssh/sshd_config`,
+        "systemctl restart ssh 2>/dev/null || systemctl restart sshd",
+    ].join(" && "));
+}
+export function buildSshCipherCommand() {
+    const cipherBlacklist = WEAK_CIPHERS.map((c) => `-${c}`).join(",");
+    const macBlacklist = WEAK_MACS.map((m) => `-${m}`).join(",");
+    const kexBlacklist = WEAK_KEX.map((k) => `-${k}`).join(",");
+    return raw([
+        "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-cipher",
+        "sed -i '/^Ciphers[ \\t]/d; /^MACs[ \\t]/d; /^KexAlgorithms[ \\t]/d' /etc/ssh/sshd_config",
+        `printf '\\nCiphers ${cipherBlacklist}\\nMACs ${macBlacklist}\\nKexAlgorithms ${kexBlacklist}\\n' >> /etc/ssh/sshd_config`,
+        "if sshd -t; then systemctl restart sshd; else cp /etc/ssh/sshd_config.bak-cipher /etc/ssh/sshd_config && echo 'SSH cipher hardening rolled back: sshd -t failed' >&2 && exit 1; fi",
+    ].join(" && "));
+}
+export function buildSshFineTuningCommand() {
+    const directives = [
+        ["ClientAliveInterval", "300"],
+        ["ClientAliveCountMax", "3"],
+        ["LoginGraceTime", "60"],
+        ["AllowAgentForwarding", "no"],
+        ["X11Forwarding", "no"],
+        ["MaxStartups", "10:30:60"],
+        ["StrictModes", "yes"],
+        ["PermitUserEnvironment", "no"],
+        ["LogLevel", "VERBOSE"],
+        ["UseDNS", "no"],
+        ["PrintMotd", "no"],
+        ["IgnoreRhosts", "yes"],
+        ["HostbasedAuthentication", "no"],
+        ["MaxSessions", "10"],
+        ["PermitEmptyPasswords", "no"],
+    ];
+    const sedLines = directives.map(([key, val]) => `grep -qE '^#?${key}' /etc/ssh/sshd_config && sed -i 's/^#\\?${key}.*/${key} ${val}/' /etc/ssh/sshd_config || echo '${key} ${val}' >> /etc/ssh/sshd_config`);
+    return raw([
+        "cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak-finetune",
+        ...sedLines,
+        "if sshd -t; then systemctl restart sshd 2>/dev/null || systemctl restart ssh; else cp /etc/ssh/sshd_config.bak-finetune /etc/ssh/sshd_config && echo 'SSH fine-tuning rolled back' >&2 && exit 1; fi",
+    ].join(" && "));
+}
+//# sourceMappingURL=ssh.js.map

package/dist/core/lock/ssh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../src/core/lock/ssh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAmB,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAEvE,MAAM,UAAU,wBAAwB;IACtC,MAAM,UAAU,GAAG,+DAA+D,CAAC;IACnF,OAAO,GAAG,CACR;QACE,WAAW,UAAU,mBAAmB;QACxC,WAAW,UAAU,uBAAuB;QAC5C,WAAW,UAAU,kBAAkB;QACvC,iGAAiG;QACjG,6DAA6D;KAC9D,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,MAAM,eAAe,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnE,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE5D,OAAO,GAAG,CACR;QACE,yDAAyD;QACzD,0FAA0F;QAC1F,sBAAsB,eAAe,WAAW,YAAY,oBAAoB,YAAY,8BAA8B;QAC1H,oLAAoL;KACrL,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,UAAU,GAAuB;QACrC,CAAC,qBAAqB,EAAE,KAAK,CAAC;QAC9B,CAAC,qBAAqB,EAAE,GAAG,CAAC;QAC5B,CAAC,gBAAgB,EAAE,IAAI,CAAC;QACxB,CAAC,sBAAsB,EAAE,IAAI,CAAC;QAC9B,CAAC,eAAe,EAAE,IAAI,CAAC;QACvB,CAAC,aAAa,EAAE,UAAU,CAAC;QAC3B,CAAC,aAAa,EAAE,KAAK,CAAC;QACtB,CAAC,uBAAuB,EAAE,IAAI,CAAC;QAC/B,CAAC,UAAU,EAAE,SAAS,CAAC;QACvB,CAAC,QAAQ,EAAE,IAAI,CAAC;QAChB,CAAC,WAAW,EAAE,IAAI,CAAC;QACnB,CAAC,cAAc,EAAE,KAAK,CAAC;QACvB,CAAC,yBAAyB,EAAE,IAAI,CAAC;QACjC,CAAC,aAAa,EAAE,IAAI,CAAC;QACrB,CAAC,sBAAsB,EAAE,IAAI,CAAC;KAC/B,CAAC;IACF,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAC7B,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CACb,gBAAgB,GAAG,4CAA4C,GAAG,MAAM,GAAG,IAAI,GAAG,oCAAoC,GAAG,IAAI,GAAG,2BAA2B,CAC9J,CAAC;IACF,OAAO,GAAG,CACR;QACE,2DAA2D;QAC3D,GAAG,QAAQ;QACX,sMAAsM;KACvM,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC"}

package/dist/core/lock/system.d.ts

@@ -0,0 +1,9 @@
+import { type SshCommand } from "../../utils/sshCommand.js";
+export declare function buildUnattendedUpgradesCommand(): SshCommand;
+export declare function buildResourceLimitsCommand(): SshCommand;
+export declare function buildServiceDisableCommand(): SshCommand;
+export declare function buildAptValidationCommand(): SshCommand;
+export declare function buildLogRetentionCommand(): SshCommand;
+export declare function buildCronAccessCommand(): SshCommand;
+export declare function buildBackupPermissionsCommand(): SshCommand;
+//# sourceMappingURL=system.d.ts.map

package/dist/core/lock/system.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"system.d.ts","sourceRoot":"","sources":["../../../src/core/lock/system.ts"],"names":[],"mappings":"AAAA,OAAO,EAAO,KAAK,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAEjE,wBAAgB,8BAA8B,IAAI,UAAU,CAa3D;AAED,wBAAgB,0BAA0B,IAAI,UAAU,CAWvD;AAED,wBAAgB,0BAA0B,IAAI,UAAU,CASvD;AAED,wBAAgB,yBAAyB,IAAI,UAAU,CAQtD;AAED,wBAAgB,wBAAwB,IAAI,UAAU,CAyBrD;AAED,wBAAgB,sBAAsB,IAAI,UAAU,CAWnD;AAED,wBAAgB,6BAA6B,IAAI,UAAU,CAS1D"}

package/dist/core/lock/system.js

@@ -0,0 +1,80 @@
+import { raw } from "../../utils/sshCommand.js";
+export function buildUnattendedUpgradesCommand() {
+    const periodicConfig = [
+        'APT::Periodic::Update-Package-Lists "1";',
+        'APT::Periodic::Unattended-Upgrade "1";',
+        'APT::Periodic::AutocleanInterval "7";',
+    ].join("\\n");
+    return raw([
+        "DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades",
+        `printf '${periodicConfig}\\n' > /etc/apt/apt.conf.d/20auto-upgrades`,
+    ].join(" && "));
+}
+export function buildResourceLimitsCommand() {
+    const limitsContent = [
+        "* soft nproc 1024",
+        "* hard nproc 2048",
+        "* soft nofile 65536",
+        "* hard nofile 65536",
+        "root soft nproc unlimited",
+        "root hard nproc unlimited",
+    ].join("\\n");
+    return raw(`printf '${limitsContent}\\n' > /etc/security/limits.d/99-kastell.conf`);
+}
+export function buildServiceDisableCommand() {
+    const services = ["bluetooth", "avahi-daemon", "cups", "rpcbind"];
+    const disableScript = services
+        .map((s) => `systemctl list-unit-files '${s}.service' 2>/dev/null | grep -q '${s}' && systemctl stop ${s} && systemctl disable ${s} 2>/dev/null || true`)
+        .join("; ");
+    return raw(disableScript);
+}
+export function buildAptValidationCommand() {
+    const aptConf = [
+        'APT::Get::AllowUnauthenticated "false";',
+        'Acquire::AllowInsecureRepositories "false";',
+        'Acquire::AllowDowngradeToInsecureRepositories "false";',
+    ].join("\\n");
+    return raw(`printf '${aptConf}\\n' > /etc/apt/apt.conf.d/99-kastell-apt.conf`);
+}
+export function buildLogRetentionCommand() {
+    const logrotateConf = [
+        "/var/log/syslog",
+        "{",
+        "    daily",
+        "    missingok",
+        "    rotate 90",
+        "    compress",
+        "    delaycompress",
+        "    notifempty",
+        "    postrotate",
+        "        /usr/lib/rsyslog/rsyslog-rotate",
+        "    endscript",
+        "}",
+    ].join("\\n");
+    return raw([
+        "DEBIAN_FRONTEND=noninteractive apt-get install -y logrotate",
+        "systemctl enable rsyslog 2>/dev/null || true",
+        "systemctl start rsyslog 2>/dev/null || true",
+        `printf '${logrotateConf}\\n' > /etc/logrotate.d/99-kastell-syslog`,
+        "systemctl enable logrotate.timer 2>/dev/null || true",
+    ].join(" && "));
+}
+export function buildCronAccessCommand() {
+    return raw([
+        "echo root > /etc/cron.allow",
+        "chmod 600 /etc/cron.allow",
+        "echo root > /etc/at.allow",
+        "chmod 600 /etc/at.allow",
+        "touch /etc/at.deny",
+        "chmod 600 /etc/at.deny",
+    ].join(" && "));
+}
+export function buildBackupPermissionsCommand() {
+    return raw([
+        "DEBIAN_FRONTEND=noninteractive apt-get install -y rsync",
+        "mkdir -p /var/backups",
+        "chmod 700 /var/backups",
+        "chown root:root /var/backups",
+    ].join(" && "));
+}
+//# sourceMappingURL=system.js.map

package/dist/core/lock/system.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"system.js","sourceRoot":"","sources":["../../../src/core/lock/system.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAmB,MAAM,2BAA2B,CAAC;AAEjE,MAAM,UAAU,8BAA8B;IAC5C,MAAM,cAAc,GAAG;QACrB,0CAA0C;QAC1C,wCAAwC;QACxC,uCAAuC;KACxC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CACR;QACE,uEAAuE;QACvE,WAAW,cAAc,4CAA4C;KACtE,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,MAAM,aAAa,GAAG;QACpB,mBAAmB;QACnB,mBAAmB;QACnB,qBAAqB;QACrB,qBAAqB;QACrB,2BAA2B;QAC3B,2BAA2B;KAC5B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CAAC,WAAW,aAAa,+CAA+C,CAAC,CAAC;AACtF,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,MAAM,QAAQ,GAAG,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,QAAQ;SAC3B,GAAG,CACF,CAAC,CAAC,EAAE,EAAE,CACJ,8BAA8B,CAAC,oCAAoC,CAAC,uBAAuB,CAAC,yBAAyB,CAAC,sBAAsB,CAC/I;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,OAAO,GAAG,CAAC,aAAa,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,yBAAyB;IACvC,MAAM,OAAO,GAAG;QACd,yCAAyC;QACzC,6CAA6C;QAC7C,wDAAwD;KACzD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CAAC,WAAW,OAAO,gDAAgD,CAAC,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,wBAAwB;IACtC,MAAM,aAAa,GAAG;QACpB,iBAAiB;QACjB,GAAG;QACH,WAAW;QACX,eAAe;QACf,eAAe;QACf,cAAc;QACd,mBAAmB;QACnB,gBAAgB;QAChB,gBAAgB;QAChB,yCAAyC;QACzC,eAAe;QACf,GAAG;KACJ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEd,OAAO,GAAG,CACR;QACE,6DAA6D;QAC7D,8CAA8C;QAC9C,6CAA6C;QAC7C,WAAW,aAAa,2CAA2C;QACnE,sDAAsD;KACvD,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,GAAG,CACR;QACE,6BAA6B;QAC7B,2BAA2B;QAC3B,2BAA2B;QAC3B,yBAAyB;QACzB,oBAAoB;QACpB,wBAAwB;KACzB,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B;IAC3C,OAAO,GAAG,CACR;QACE,yDAAyD;QACzD,uBAAuB;QACvB,wBAAwB;QACxB,8BAA8B;KAC/B,CAAC,IAAI,CAAC,MAAM,CAAC,CACf,CAAC;AACJ,CAAC"}

package/dist/core/lock/types.d.ts

@@ -0,0 +1,41 @@
+export interface LockOptions {
+    production?: boolean;
+    dryRun?: boolean;
+    force?: boolean;
+}
+export interface LockStepResult {
+    sshHardening: boolean;
+    fail2ban: boolean;
+    banners: boolean;
+    accountLock: boolean;
+    sshCipher: boolean;
+    ufw: boolean;
+    cloudMeta: boolean;
+    dns: boolean;
+    sysctl: boolean;
+    unattendedUpgrades: boolean;
+    aptValidation: boolean;
+    resourceLimits: boolean;
+    serviceDisable: boolean;
+    backupPermissions: boolean;
+    pwquality: boolean;
+    dockerHardening: boolean;
+    auditd: boolean;
+    logRetention: boolean;
+    aide: boolean;
+    cronAccess: boolean;
+    sshFineTuning: boolean;
+    loginDefs: boolean;
+    faillock: boolean;
+    sudoHardening: boolean;
+}
+export interface LockResult {
+    success: boolean;
+    steps: LockStepResult;
+    stepErrors?: Partial<Record<keyof LockStepResult, string>>;
+    scoreBefore?: number;
+    scoreAfter?: number;
+    error?: string;
+    hint?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/core/lock/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/core/lock/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAE7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IAEnB,GAAG,EAAE,OAAO,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,GAAG,EAAE,OAAO,CAAC;IAEb,MAAM,EAAE,OAAO,CAAC;IAChB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,EAAE,OAAO,CAAC;IACxB,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,SAAS,EAAE,OAAO,CAAC;IACnB,eAAe,EAAE,OAAO,CAAC;IAEzB,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,EAAE,OAAO,CAAC;IACtB,IAAI,EAAE,OAAO,CAAC;IACd,UAAU,EAAE,OAAO,CAAC;IAEpB,aAAa,EAAE,OAAO,CAAC;IACvB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;IAClB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,cAAc,CAAC;IACtB,UAAU,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf"}

package/dist/core/lock/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/core/lock/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/core/lock/types.ts"],"names":[],"mappings":""}