Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including:

- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
170
node-hardening/SKILL.md
Normal file
@@ -0,0 +1,170 @@
---
name: node-hardening
description: >
Harden a Linux node for sovereign EU infrastructure without losing remote access.
Implements UFW firewall, SSH hardening, fail2ban, and auditd with two-phase
plan/apply workflow and DRY_RUN safety gates. Use when securing Node A after
operator-bootstrap completes. Triggers: 'harden node', 'secure server',
'configure firewall', 'harden SSH', 'set up fail2ban', 'enable auditd',
'lock down node', 'security hardening'.
version: 1.0.0
---
# Node Hardening
High-risk Tier 1 skill for securing Linux nodes. All risky operations require explicit DRY_RUN=0 and confirmation phrase. Designed for full Linux servers (Ubuntu/Debian) with console/IPMI/VNC fallback access.
## Quick Start
```bash
# Set required parameters (none required, but review defaults)
export NODE_NAME="node-a"
export SSH_PORT=22
# Run preflight check
./scripts/00_preflight.sh
# Plan phases (safe to run, shows what WILL happen)
./scripts/10_ufw_plan.sh
./scripts/20_ssh_plan.sh
# Apply phases (REQUIRES DRY_RUN=0 and confirmation)
export DRY_RUN=0
./scripts/11_ufw_apply.sh # Type confirmation phrase
./scripts/21_ssh_apply.sh # Type confirmation phrase
# Optional: fail2ban and auditd
./scripts/30_fail2ban_setup.sh
./scripts/40_auditd_setup.sh
# Verify and report
./scripts/90_verify.sh
./scripts/99_report.sh
```
## Workflow
### Phase 0: Preflight (00)
Check dependencies: sudo, systemctl, ufw, sshd, fail2ban, auditd.
Detect SSH session and warn about keeping backup session open.
### Phase 1: UFW Firewall (10-11)
**Two-phase operation with DRY_RUN gate.**
Plan phase shows:
- Default deny incoming, allow outgoing
- SSH port allowance (rate-limited if possible)
- HTTP/HTTPS ports if enabled
- Current client IP auto-whitelisted
Apply phase executes:
- Backs up current iptables state
- Resets and configures UFW
- Enables firewall
Rollback: `./scripts/rollback/undo_ufw.sh`
### Phase 2: SSH Hardening (20-21)
**Two-phase operation with DRY_RUN gate and CONFIRM_PHRASE.**
Plan phase shows:
- Proposed sshd_config changes
- PermitRootLogin, PasswordAuthentication settings
- Cipher and MAC selections
Apply phase executes:
- Backs up /etc/ssh/sshd_config
- Renders hardened config from template
- Validates with `sshd -t` before applying
- Uses `reload` (not restart) to keep current session alive
- **Auto-restores on validation failure**
Rollback: `./scripts/rollback/undo_ssh.sh`
### Phase 3: fail2ban (30)
Optional intrusion detection.
- SSH jail configuration
- UFW integration
- Operator IP whitelisting
### Phase 4: auditd (40)
Optional audit logging.
- Monitor security-relevant files
- Kernel module loading
- User/group modifications
### Phase 5: Verification (90-99)
Generate JSON status matrix and markdown audit report.
## Inputs
| Parameter | Required | Default | Description |
|-----------|----------|---------|-------------|
| NODE_NAME | No | node-a | Hostname for this node |
| SSH_PORT | No | 22 | SSH port number |
| ALLOW_HTTP | No | true | Allow port 80 in UFW |
| ALLOW_HTTPS | No | true | Allow port 443 in UFW |
| ALLOW_ICMP | No | false | Allow ICMP (ping) |
| DRY_RUN | No | 1 | Set to 0 to enable apply scripts |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN LOCK ME OUT | Safety phrase |
| BACKUP_DIR | No | outputs/backups | Backup location |
| FAIL2BAN_ENABLE | No | true | Enable fail2ban setup |
| AUDITD_ENABLE | No | true | Enable auditd setup |
## Outputs
| File | Description |
|------|-------------|
| `outputs/backups/ufw_status_before.txt` | Pre-change UFW state |
| `outputs/backups/iptables_rules_before.txt` | Pre-change iptables |
| `outputs/backups/sshd_config.before` | Pre-change SSH config |
| `outputs/ufw_status_after.txt` | Post-change UFW state |
| `outputs/status_matrix.json` | Verification results |
| `outputs/audit_report.md` | Human-readable audit trail |
## Safety Guarantees
1. **DRY_RUN=1 by default** - Apply scripts refuse to run without explicit DRY_RUN=0
2. **CONFIRM_PHRASE required** - Must type exact phrase to proceed
3. **SSH reload (not restart)** - Keeps current session alive
4. **sshd -t validation** - Config validated before applying
5. **Auto-restore on failure** - Invalid config automatically reverted
6. **Backups before every change** - Full state preserved
7. **Emergency restore script** - Console-safe full recovery
8. **All scripts idempotent** - Safe to run multiple times
## Emergency Recovery
If you lose SSH access:
1. Access console via IPMI/VNC/physical
2. Run: `./scripts/rollback/emergency_restore.sh`
This will:
- Disable UFW
- Restore original sshd_config from backup
- Restart SSH service
## EU Compliance
| Aspect | Value |
|--------|-------|
| Data Residency | EU (Ireland - Dublin) |
| GDPR Applicable | Yes |
| Jurisdiction | Irish Law |
| Audit Logging | auditd (local only) |
## References
- [Recovery Procedures](references/recovery_procedures.md)
- [CIS Benchmarks](references/cis_benchmarks.md)
- [SSH Cipher Recommendations](references/ssh_cipher_recommendations.md)
## Next Steps
After completing node-hardening:
1. Verify SSH access from secondary session
2. Test rollback procedure (optional but recommended)
3. Proceed to **backup-sovereign** skill
4. Document hardening in LAWCHAIN (if applicable)
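Review bot: In the Phase 2 apply steps, `sshd -t` only checks that the rendered config parses; it cannot tell you whether the operator can still authenticate once `PermitRootLogin` and `PasswordAuthentication` are tightened, so the "Auto-restores on validation failure" guarantee does not cover the most likely lockout path. Add an explicit precondition before the `reload` (for example, that `authorized_keys` for the operator user is non-empty and that the plan output names which user and key remain valid), and make "Verify SSH access from secondary session" a gate inside the apply phase rather than a Next Steps item. Also, Phases 3 and 4 list no Rollback line and the Outputs table has no backup entries for fail2ban or auditd configuration, while Safety Guarantee 6 promises backups before every change; either add those backups and undo scripts or scope the guarantee to the UFW and SSH phases. Minor: `emergency_restore.sh` disables UFW entirely and restarts SSH, so the Emergency Recovery section should say that the node is unfiltered afterwards and point the operator back to the UFW plan/apply scripts once access is confirmed.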