vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
009e93a80b3c58bbfaa2ceb153e3fba32a6efc3c
vm-skills/node-hardening/scripts/99_report.sh
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

200 lines
4.1 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# === METADATA ===
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
# === CONFIGURATION ===
: "${NODE_NAME:=node-a}"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"
# === FUNCTIONS ===
log_info() { echo "[INFO] $(date -Iseconds) $*"; }
get_ufw_status() {
if command -v ufw &>/dev/null; then
if sudo ufw status 2>/dev/null | grep -q "Status: active"; then
echo "Active"
else
echo "Inactive"
fi
else
echo "Not installed"
fi
}
get_ssh_status() {
if systemctl is-active ssh &>/dev/null || systemctl is-active sshd &>/dev/null; then
echo "Running"
else
echo "Not running"
fi
}
get_fail2ban_status() {
if command -v fail2ban-client &>/dev/null; then
if systemctl is-active fail2ban &>/dev/null; then
echo "Active"
else
echo "Inactive"
fi
else
echo "Not installed"
fi
}
get_auditd_status() {
if command -v auditctl &>/dev/null; then
if systemctl is-active auditd &>/dev/null; then
echo "Active"
else
echo "Inactive"
fi
else
echo "Not installed"
fi
}
list_backups() {
if [[ -d "$BACKUP_DIR" ]]; then
ls -1 "$BACKUP_DIR" 2>/dev/null | while read -r f; do
echo "| $f | $(stat -c%s "$BACKUP_DIR/$f" 2>/dev/null || echo "?") bytes |"
done
else
echo "| (no backups) | - |"
fi
}
main() {
mkdir -p "$OUTPUT_DIR"
log_info "Starting $SCRIPT_NAME..."
local report="$OUTPUT_DIR/audit_report.md"
local status_file="$OUTPUT_DIR/status_matrix.json"
cat > "$report" <<EOF
# Node Hardening Audit Report
**Generated:** $(date -Iseconds)
**Node:** $NODE_NAME
**Skill Version:** 1.0.0
---
## Executive Summary
This report documents the hardening operations performed on **$NODE_NAME**
for sovereign EU infrastructure security.
---
## Components Status
### 1. Firewall (UFW)
| Component | Status |
|-----------|--------|
| UFW | $(get_ufw_status) |
### 2. SSH Service
| Component | Status |
|-----------|--------|
| SSH Daemon | $(get_ssh_status) |
| Config Backup | $([ -f "$BACKUP_DIR/sshd_config.before" ] && echo "Present" || echo "Not found") |
### 3. Intrusion Detection (fail2ban)
| Component | Status |
|-----------|--------|
| fail2ban | $(get_fail2ban_status) |
### 4. Audit Logging (auditd)
| Component | Status |
|-----------|--------|
| auditd | $(get_auditd_status) |
---
## Backups
| File | Size |
|------|------|
$(list_backups)
---
## Verification Results
$(if [[ -f "$status_file" ]]; then
echo '```json'
cat "$status_file"
echo '```'
else
echo "Status matrix not found. Run 90_verify.sh first."
fi)
---
## EU Compliance Declaration
| Aspect | Value |
|--------|-------|
| Data Residency | EU (Ireland - Dublin) |
| GDPR Applicable | Yes |
| Jurisdiction | Irish Law |
| Audit Logging | auditd (local only) |
---
## Rollback Procedures
If access is lost or changes need to be reverted:
1. **Emergency Restore (console):** \`./scripts/rollback/emergency_restore.sh\`
2. **Undo SSH:** \`./scripts/rollback/undo_ssh.sh\`
3. **Undo UFW:** \`./scripts/rollback/undo_ufw.sh\`
---
## Next Steps
1. Verify SSH access from a secondary session
2. Test emergency rollback procedure (recommended)
3. Proceed to **backup-sovereign** skill
4. Document hardening in LAWCHAIN (if applicable)
---
## Artifact Locations
| Artifact | Path |
|----------|------|
| UFW Status (before) | $BACKUP_DIR/ufw_status_before.txt |
| iptables Rules (before) | $BACKUP_DIR/iptables_rules_before.txt |
| sshd_config (before) | $BACKUP_DIR/sshd_config.before |
| UFW Status (after) | $OUTPUT_DIR/ufw_status_after.txt |
| Status Matrix | $OUTPUT_DIR/status_matrix.json |
| This Report | $OUTPUT_DIR/audit_report.md |
---
*Report generated by node-hardening skill v1.0.0*
*$(date -Iseconds)*
EOF
log_info "Audit report written to $report"
# Display the report
echo ""
cat "$report"
log_info "Completed $SCRIPT_NAME"
}
[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"
Reference in New Issue View Git Blame Copy Permalink