Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/node-hardening/references/cis_benchmarks.md
+++ b/node-hardening/references/cis_benchmarks.md
@@ -0,0 +1,118 @@
+# CIS Benchmarks Reference
+
+## Overview
+
+This skill implements controls aligned with CIS (Center for Internet Security) Benchmarks for Linux. The following sections map skill operations to specific CIS controls.
+
+## CIS Ubuntu/Debian Linux Benchmark Mappings
+
+### 1. Initial Setup
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 1.1.1.x | Disable unused filesystems | Out of scope |
+| 1.5.x | Secure boot settings | Out of scope |
+
+### 2. Services
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 2.1.x | Disable inetd services | Out of scope |
+| 2.2.x | Special purpose services | fail2ban, auditd enabled |
+
+### 3. Network Configuration
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 3.1.1 | Disable IPv6 | Not disabled (optional) |
+| 3.2.x | Network parameters (host) | Handled by sysctl (future) |
+| 3.4.x | Firewall configuration | **UFW enabled** |
+
+### 4. Logging and Auditing
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 4.1.1 | Ensure auditing is enabled | **auditd installed** |
+| 4.1.2 | Configure audit log storage | Default settings |
+| 4.1.x | Audit rules | Basic rules via template |
+
+### 5. Access, Authentication, and Authorization
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 5.2.1 | Ensure sshd is running | Verified in preflight |
+| 5.2.2 | SSH Protocol version | Implicit (OpenSSH 7.4+) |
+| 5.2.3 | SSH LogLevel | **Set to VERBOSE** |
+| 5.2.4 | SSH X11Forwarding | **Disabled** |
+| 5.2.5 | SSH MaxAuthTries | **Set to 3** |
+| 5.2.6 | SSH IgnoreRhosts | **Set to yes** |
+| 5.2.7 | SSH HostbasedAuth | **Disabled** |
+| 5.2.8 | SSH PermitRootLogin | **Disabled** |
+| 5.2.9 | SSH PermitEmptyPasswords | **Disabled** |
+| 5.2.10 | SSH PermitUserEnvironment | **Disabled** |
+| 5.2.11 | SSH strong ciphers | **Configured** |
+| 5.2.12 | SSH strong MACs | **Configured** |
+| 5.2.13 | SSH strong KEX | **Configured** |
+| 5.2.14 | SSH Idle Timeout | **Set (ClientAliveInterval)** |
+| 5.2.15 | SSH LoginGraceTime | **Set to 20** |
+| 5.2.16 | SSH access restriction | Via AllowUsers (optional) |
+
+### 6. System Maintenance
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 6.1.x | System file permissions | Out of scope |
+| 6.2.x | User and group settings | Out of scope |
+
+## SSH Hardening Details
+
+The sshd_config template implements:
+
+```
+# CIS 5.2.4
+X11Forwarding no
+
+# CIS 5.2.5
+MaxAuthTries 3
+
+# CIS 5.2.6
+IgnoreRhosts yes
+
+# CIS 5.2.7
+HostbasedAuthentication no
+
+# CIS 5.2.8
+PermitRootLogin no
+
+# CIS 5.2.9
+PermitEmptyPasswords no
+
+# CIS 5.2.10
+PermitUserEnvironment no
+
+# CIS 5.2.11-13 - Strong crypto
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+
+# CIS 5.2.14
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+# CIS 5.2.15
+LoginGraceTime 20
+```
+
+## Firewall Rules
+
+Default UFW policy:
+- Default deny incoming
+- Default allow outgoing
+- SSH port allowed (rate-limited if configured)
+- HTTP/HTTPS optional
+
+## References
+
+- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
+- [CIS Ubuntu Linux Benchmark](https://www.cisecurity.org/benchmark/ubuntu_linux)
+- [CIS Debian Linux Benchmark](https://www.cisecurity.org/benchmark/debian_linux)
--- a/node-hardening/references/recovery_procedures.md
+++ b/node-hardening/references/recovery_procedures.md
@@ -0,0 +1,123 @@
+# Recovery Procedures
+
+## Overview
+
+This document describes recovery procedures for when node-hardening changes cause loss of remote access or system instability.
+
+## Prerequisites
+
+- Console access via IPMI, VNC, or physical connection
+- Knowledge of backup file locations
+- Root or sudo access
+
+## Scenario 1: SSH Access Lost
+
+### Symptoms
+- Cannot SSH to the server
+- Connection refused or timeout
+
+### Recovery Steps
+
+1. **Access console** (IPMI/VNC/physical)
+
+2. **Run emergency restore**:
+   ```bash
+   cd ~/.claude/skills/node-hardening
+   ./scripts/rollback/emergency_restore.sh
+   ```
+
+3. **If emergency_restore fails**, manually restore:
+   ```bash
+   # Disable UFW
+   sudo ufw --force disable
+
+   # Restore SSH config
+   sudo cp /path/to/outputs/backups/sshd_config.before /etc/ssh/sshd_config
+
+   # Restart SSH
+   sudo systemctl restart ssh
+   # or
+   sudo systemctl restart sshd
+   ```
+
+4. **Verify from another terminal**:
+   ```bash
+   ssh user@server
+   ```
+
+## Scenario 2: Firewall Blocking All Traffic
+
+### Symptoms
+- All network services unreachable
+- SSH, HTTP, HTTPS all timeout
+
+### Recovery Steps
+
+1. **Access console** (IPMI/VNC/physical)
+
+2. **Disable UFW**:
+   ```bash
+   sudo ufw --force disable
+   ```
+
+3. **Verify rules**:
+   ```bash
+   sudo ufw status verbose
+   ```
+
+4. **Restore from backup if available**:
+   ```bash
+   sudo iptables-restore < /path/to/outputs/backups/iptables_rules_before.txt
+   ```
+
+## Scenario 3: fail2ban Blocking Legitimate Access
+
+### Symptoms
+- SSH works from some IPs but not others
+- Intermittent connection failures
+
+### Recovery Steps
+
+1. **Check banned IPs**:
+   ```bash
+   sudo fail2ban-client status sshd
+   ```
+
+2. **Unban IP**:
+   ```bash
+   sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
+   ```
+
+3. **Whitelist operator IP** in `/etc/fail2ban/jail.local`:
+   ```ini
+   [DEFAULT]
+   ignoreip = 127.0.0.1/8 ::1 <OPERATOR_IP>
+   ```
+
+4. **Restart fail2ban**:
+   ```bash
+   sudo systemctl restart fail2ban
+   ```
+
+## Backup Locations
+
+| File | Description |
+|------|-------------|
+| `outputs/backups/sshd_config.before` | Original SSH configuration |
+| `outputs/backups/ufw_status_before.txt` | UFW state before changes |
+| `outputs/backups/iptables_rules_before.txt` | iptables rules before changes |
+
+## Prevention
+
+1. **Always keep a secondary SSH session open** during changes
+2. **Test from a different network** before closing sessions
+3. **Have console access ready** before running apply scripts
+4. **Review plan output** before running apply
+
+## Contact
+
+If recovery procedures fail, escalate to infrastructure team with:
+- Node name and IP
+- Time of last successful access
+- Changes that were applied
+- Error messages from recovery attempts
--- a/node-hardening/references/ssh_cipher_recommendations.md
+++ b/node-hardening/references/ssh_cipher_recommendations.md
@@ -0,0 +1,115 @@
+# SSH Cipher Recommendations
+
+## Overview
+
+This document explains the SSH cipher, MAC, and key exchange algorithm choices used in the node-hardening skill's sshd_config template.
+
+## Current Recommendations (2024)
+
+### Ciphers (Encryption)
+
+| Cipher | Recommendation | Notes |
+|--------|----------------|-------|
+| chacha20-poly1305@openssh.com | **Recommended** | Modern, fast, constant-time |
+| aes256-gcm@openssh.com | **Recommended** | Strong, hardware-accelerated |
+| aes128-gcm@openssh.com | **Acceptable** | Fast, hardware-accelerated |
+| aes256-ctr | Acceptable | Legacy compatibility |
+| aes128-ctr | Acceptable | Legacy compatibility |
+| 3des-cbc | **Avoid** | Deprecated, slow |
+| arcfour | **Avoid** | Broken |
+
+### MACs (Message Authentication)
+
+| MAC | Recommendation | Notes |
+|-----|----------------|-------|
+| hmac-sha2-512-etm@openssh.com | **Recommended** | Encrypt-then-MAC, strongest |
+| hmac-sha2-256-etm@openssh.com | **Recommended** | Encrypt-then-MAC |
+| umac-128-etm@openssh.com | Acceptable | Fast, Encrypt-then-MAC |
+| hmac-sha2-512 | Acceptable | No ETM |
+| hmac-sha2-256 | Acceptable | No ETM |
+| hmac-sha1 | **Avoid** | Deprecated |
+| hmac-md5 | **Avoid** | Broken |
+
+### Key Exchange (KEX)
+
+| KEX Algorithm | Recommendation | Notes |
+|---------------|----------------|-------|
+| curve25519-sha256 | **Recommended** | Modern, safe curve |
+| curve25519-sha256@libssh.org | **Recommended** | Same, legacy name |
+| diffie-hellman-group16-sha512 | Acceptable | 4096-bit DH |
+| diffie-hellman-group18-sha512 | Acceptable | 8192-bit DH |
+| diffie-hellman-group14-sha256 | Acceptable | 2048-bit DH |
+| diffie-hellman-group1-sha1 | **Avoid** | Weak, deprecated |
+| diffie-hellman-group-exchange-sha1 | **Avoid** | SHA1 deprecated |
+
+### Host Key Algorithms
+
+| Algorithm | Recommendation | Notes |
+|-----------|----------------|-------|
+| ssh-ed25519 | **Recommended** | Modern, compact |
+| rsa-sha2-512 | **Recommended** | RSA with SHA2 |
+| rsa-sha2-256 | **Recommended** | RSA with SHA2 |
+| ecdsa-sha2-nistp256 | Acceptable | NIST curve concerns |
+| ssh-rsa | **Avoid** | SHA1 deprecated |
+| ssh-dss | **Avoid** | Weak |
+
+## Template Configuration
+
+The sshd_config template uses:
+
+```
+# Strong ciphers only
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+
+# Encrypt-then-MAC only
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+
+# Modern key exchange
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+
+# Preferred host key algorithms
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+```
+
+## Compatibility Notes
+
+### Minimum Client Versions
+
+These settings require:
+- OpenSSH 7.3+ (released 2016)
+- PuTTY 0.68+ (released 2017)
+
+### Legacy Client Support
+
+If you need to support older clients, add fallback options:
+
+```
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
+KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
+```
+
+## Testing Configuration
+
+After applying changes, test with:
+
+```bash
+# Check server offerings
+ssh -Q cipher
+ssh -Q mac
+ssh -Q kex
+
+# Test connection with verbose output
+ssh -vvv user@server
+
+# Audit with ssh-audit (recommended)
+pip install ssh-audit
+ssh-audit localhost
+```
+
+## References
+
+- [Mozilla SSH Guidelines](https://infosec.mozilla.org/guidelines/openssh)
+- [ssh-audit](https://github.com/jtesta/ssh-audit)
+- [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
+- [OpenSSH Manual](https://man.openbsd.org/sshd_config)