vm-skills/node-hardening/SKILL.md

---
name: node-hardening
description: >
  Harden a Linux node for sovereign EU infrastructure without losing remote access.
  Implements UFW firewall, SSH hardening, fail2ban, and auditd with two-phase
  plan/apply workflow and DRY_RUN safety gates. Use when securing Node A after
  operator-bootstrap completes. Triggers: 'harden node', 'secure server',
  'configure firewall', 'harden SSH', 'set up fail2ban', 'enable auditd',
  'lock down node', 'security hardening'.
version: 1.0.0
---

# Node Hardening

High-risk Tier 1 skill for securing Linux nodes. All risky operations require explicit DRY_RUN=0 and confirmation phrase. Designed for full Linux servers (Ubuntu/Debian) with console/IPMI/VNC fallback access.

## Quick Start

```bash
# Set required parameters (none required, but review defaults)
export NODE_NAME="node-a"
export SSH_PORT=22

# Run preflight check
./scripts/00_preflight.sh

# Plan phases (safe to run, shows what WILL happen)
./scripts/10_ufw_plan.sh
./scripts/20_ssh_plan.sh

# Apply phases (REQUIRES DRY_RUN=0 and confirmation)
export DRY_RUN=0
./scripts/11_ufw_apply.sh    # Type confirmation phrase
./scripts/21_ssh_apply.sh    # Type confirmation phrase

# Optional: fail2ban and auditd
./scripts/30_fail2ban_setup.sh
./scripts/40_auditd_setup.sh

# Verify and report
./scripts/90_verify.sh
./scripts/99_report.sh
```

## Workflow

### Phase 0: Preflight (00)
Check dependencies: sudo, systemctl, ufw, sshd, fail2ban, auditd.
Detect SSH session and warn about keeping backup session open.

### Phase 1: UFW Firewall (10-11)
**Two-phase operation with DRY_RUN gate.**

Plan phase shows:
- Default deny incoming, allow outgoing
- SSH port allowance (rate-limited if possible)
- HTTP/HTTPS ports if enabled
- Current client IP auto-whitelisted

Apply phase executes:
- Backs up current iptables state
- Resets and configures UFW
- Enables firewall

Rollback: `./scripts/rollback/undo_ufw.sh`

### Phase 2: SSH Hardening (20-21)
**Two-phase operation with DRY_RUN gate and CONFIRM_PHRASE.**

Plan phase shows:
- Proposed sshd_config changes
- PermitRootLogin, PasswordAuthentication settings
- Cipher and MAC selections

Apply phase executes:
- Backs up /etc/ssh/sshd_config
- Renders hardened config from template
- Validates with `sshd -t` before applying
- Uses `reload` (not restart) to keep current session alive
- **Auto-restores on validation failure**

Rollback: `./scripts/rollback/undo_ssh.sh`

### Phase 3: fail2ban (30)
Optional intrusion detection.
- SSH jail configuration
- UFW integration
- Operator IP whitelisting

### Phase 4: auditd (40)
Optional audit logging.
- Monitor security-relevant files
- Kernel module loading
- User/group modifications

### Phase 5: Verification (90-99)
Generate JSON status matrix and markdown audit report.

## Inputs

| Parameter | Required | Default | Description |
|-----------|----------|---------|-------------|
| NODE_NAME | No | node-a | Hostname for this node |
| SSH_PORT | No | 22 | SSH port number |
| ALLOW_HTTP | No | true | Allow port 80 in UFW |
| ALLOW_HTTPS | No | true | Allow port 443 in UFW |
| ALLOW_ICMP | No | false | Allow ICMP (ping) |
| DRY_RUN | No | 1 | Set to 0 to enable apply scripts |
| REQUIRE_CONFIRM | No | 1 | Require confirmation phrase |
| CONFIRM_PHRASE | No | I UNDERSTAND THIS CAN LOCK ME OUT | Safety phrase |
| BACKUP_DIR | No | outputs/backups | Backup location |
| FAIL2BAN_ENABLE | No | true | Enable fail2ban setup |
| AUDITD_ENABLE | No | true | Enable auditd setup |

## Outputs

| File | Description |
|------|-------------|
| `outputs/backups/ufw_status_before.txt` | Pre-change UFW state |
| `outputs/backups/iptables_rules_before.txt` | Pre-change iptables |
| `outputs/backups/sshd_config.before` | Pre-change SSH config |
| `outputs/ufw_status_after.txt` | Post-change UFW state |
| `outputs/status_matrix.json` | Verification results |
| `outputs/audit_report.md` | Human-readable audit trail |

## Safety Guarantees

1. **DRY_RUN=1 by default** - Apply scripts refuse to run without explicit DRY_RUN=0
2. **CONFIRM_PHRASE required** - Must type exact phrase to proceed
3. **SSH reload (not restart)** - Keeps current session alive
4. **sshd -t validation** - Config validated before applying
5. **Auto-restore on failure** - Invalid config automatically reverted
6. **Backups before every change** - Full state preserved
7. **Emergency restore script** - Console-safe full recovery
8. **All scripts idempotent** - Safe to run multiple times

## Emergency Recovery

If you lose SSH access:

1. Access console via IPMI/VNC/physical
2. Run: `./scripts/rollback/emergency_restore.sh`

This will:
- Disable UFW
- Restore original sshd_config from backup
- Restart SSH service

## EU Compliance

| Aspect | Value |
|--------|-------|
| Data Residency | EU (Ireland - Dublin) |
| GDPR Applicable | Yes |
| Jurisdiction | Irish Law |
| Audit Logging | auditd (local only) |

## References

- [Recovery Procedures](references/recovery_procedures.md)
- [CIS Benchmarks](references/cis_benchmarks.md)
- [SSH Cipher Recommendations](references/ssh_cipher_recommendations.md)

## Next Steps

After completing node-hardening:
1. Verify SSH access from secondary session
2. Test rollback procedure (optional but recommended)
3. Proceed to **backup-sovereign** skill
4. Document hardening in LAWCHAIN (if applicable)