Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/node-hardening/references/cis_benchmarks.md
+++ b/node-hardening/references/cis_benchmarks.md
@@ -0,0 +1,118 @@
+# CIS Benchmarks Reference
+
+## Overview
+
+This skill implements controls aligned with CIS (Center for Internet Security) Benchmarks for Linux. The following sections map skill operations to specific CIS controls.
+
+## CIS Ubuntu/Debian Linux Benchmark Mappings
+
+### 1. Initial Setup
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 1.1.1.x | Disable unused filesystems | Out of scope |
+| 1.5.x | Secure boot settings | Out of scope |
+
+### 2. Services
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 2.1.x | Disable inetd services | Out of scope |
+| 2.2.x | Special purpose services | fail2ban, auditd enabled |
+
+### 3. Network Configuration
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 3.1.1 | Disable IPv6 | Not disabled (optional) |
+| 3.2.x | Network parameters (host) | Handled by sysctl (future) |
+| 3.4.x | Firewall configuration | **UFW enabled** |
+
+### 4. Logging and Auditing
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 4.1.1 | Ensure auditing is enabled | **auditd installed** |
+| 4.1.2 | Configure audit log storage | Default settings |
+| 4.1.x | Audit rules | Basic rules via template |
+
+### 5. Access, Authentication, and Authorization
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 5.2.1 | Ensure sshd is running | Verified in preflight |
+| 5.2.2 | SSH Protocol version | Implicit (OpenSSH 7.4+) |
+| 5.2.3 | SSH LogLevel | **Set to VERBOSE** |
+| 5.2.4 | SSH X11Forwarding | **Disabled** |
+| 5.2.5 | SSH MaxAuthTries | **Set to 3** |
+| 5.2.6 | SSH IgnoreRhosts | **Set to yes** |
+| 5.2.7 | SSH HostbasedAuth | **Disabled** |
+| 5.2.8 | SSH PermitRootLogin | **Disabled** |
+| 5.2.9 | SSH PermitEmptyPasswords | **Disabled** |
+| 5.2.10 | SSH PermitUserEnvironment | **Disabled** |
+| 5.2.11 | SSH strong ciphers | **Configured** |
+| 5.2.12 | SSH strong MACs | **Configured** |
+| 5.2.13 | SSH strong KEX | **Configured** |
+| 5.2.14 | SSH Idle Timeout | **Set (ClientAliveInterval)** |
+| 5.2.15 | SSH LoginGraceTime | **Set to 20** |
+| 5.2.16 | SSH access restriction | Via AllowUsers (optional) |
+
+### 6. System Maintenance
+
+| CIS Control | Description | Skill Implementation |
+|-------------|-------------|----------------------|
+| 6.1.x | System file permissions | Out of scope |
+| 6.2.x | User and group settings | Out of scope |
+
+## SSH Hardening Details
+
+The sshd_config template implements:
+
+```
+# CIS 5.2.4
+X11Forwarding no
+
+# CIS 5.2.5
+MaxAuthTries 3
+
+# CIS 5.2.6
+IgnoreRhosts yes
+
+# CIS 5.2.7
+HostbasedAuthentication no
+
+# CIS 5.2.8
+PermitRootLogin no
+
+# CIS 5.2.9
+PermitEmptyPasswords no
+
+# CIS 5.2.10
+PermitUserEnvironment no
+
+# CIS 5.2.11-13 - Strong crypto
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
+
+# CIS 5.2.14
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+# CIS 5.2.15
+LoginGraceTime 20
+```
+
+## Firewall Rules
+
+Default UFW policy:
+- Default deny incoming
+- Default allow outgoing
+- SSH port allowed (rate-limited if configured)
+- HTTP/HTTPS optional
+
+## References
+
+- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
+- [CIS Ubuntu Linux Benchmark](https://www.cisecurity.org/benchmark/ubuntu_linux)
+- [CIS Debian Linux Benchmark](https://www.cisecurity.org/benchmark/debian_linux)