From c2b2471a7d58db64459a2606151e70d725229944 Mon Sep 17 00:00:00 2001
From: Sumit Mishra
Date: Thu, 26 Feb 2026 21:35:42 +0530
Subject: [PATCH 1/4] Add new CIS hardening controls with idempotent implementations
New CIS controls added:
- CIS 5.2.2, 5.2.3, 5.2.4: Sudo hardening (pty, logging, password policies)
- CIS 5.4.3.3: Default umask 027 configuration
- Service hardening: Mask apport and rpcbind services
- CIS 1.5.x: Coredump restrictions via systemd
- CIS 2.1.x: NTP time synchronization
All new functions use idempotent patterns (file overwrites or grep guards). Preserves all existing main branch hardening including AppArmor, rsyslog, AIDE, kernel hardening, and SSH Level 2 controls.
Co-Authored-By: Oz
---
cis-harden/harden.sh | 148 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 147 insertions(+), 1 deletion(-)
diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh
index db21f7c9..40b5e46b 100755
--- a/cis-harden/harden.sh
+++ b/cis-harden/harden.sh
@@ -49,6 +49,25 @@ update_config_files() {
 return 0
 }
+##########################################################################
+# Idempotent config update - removes old values and sets new one
+##########################################################################
+update_config_idempotent() {
+ local search_str="$1"
+ local new_value="$2"
+ local config_file="$3"
+
+ if [[ ! -f ${config_file} ]]; then
+ touch "${config_file}"
+ fi
+
+ # Remove all existing lines (commented or uncommented)
+ sed -i "/^[#[:space:]]*${search_str}/d" "${config_file}"
+
+ # Add the new value once
+ echo "${new_value}" >> "${config_file}"
+}
+
 ##########################################################################
 # Determine the Operating system
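Review bot: `update_config_idempotent` interpolates `${search_str}` unescaped into the sed address and only matches the key as a prefix, so a key containing `/`, `.` or `*` breaks or widens the expression, and a search string such as `Protocol` also deletes a `ProtocolX` line; anchor the key with a terminator, `sed -i "/^[#[:space:]]*${search_str}\([[:space:]=]\|$\)/d" "${config_file}"`, and say in the header comment that callers must pass a literal key (or escape it first). The helper is also not called by anything else in this series, so either wire it into the new functions or drop it rather than leave unused code in a hardening script. The function is complete within the hunk.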
@@ -781,6 +800,127 @@ harden_journald() {
 return 0
 }
+##########################################################################
+# CIS 5.2.2, 5.2.3, 5.2.4 - Configure sudo hardening
+##########################################################################
+configure_sudo() {
+ echo "Configuring sudo hardening with idempotent sudoers.d files"
+
+ # CIS 5.2.2 - Sudo use pty
+ echo "Defaults use_pty" > /etc/sudoers.d/10-cis-pty
+ chmod 440 /etc/sudoers.d/10-cis-pty
+
+ # CIS 5.2.3 - Sudo log file
+ echo "Defaults logfile=/var/log/sudo.log" > /etc/sudoers.d/10-cis-logfile
+ chmod 440 /etc/sudoers.d/10-cis-logfile
+
+ # CIS 5.2.4 - Require password for escalation
+ cat > /etc/sudoers.d/10-cis-password << 'EOF'
+Defaults !targetpw
+Defaults !rootpw
+Defaults !runaspw
+EOF
+ chmod 440 /etc/sudoers.d/10-cis-password
+
+ echo "Sudo hardening configured successfully"
+ return 0
+}
+
+##########################################################################
+# CIS 5.4.3.3 - Configure default umask
+##########################################################################
+configure_umask() {
+ echo "Configuring default umask to 027"
+ local umask_line="umask 027"
+
+ # Configure /etc/profile
+ if [[ -f /etc/profile ]]; then
+ if ! grep -q "^umask 027" /etc/profile; then
+ sed -i '/^umask/d' /etc/profile
+ echo "$umask_line" >> /etc/profile
+ fi
+ fi
+
+ # Configure /etc/bash.bashrc
+ if [[ -f /etc/bash.bashrc ]]; then
+ if ! grep -q "^umask 027" /etc/bash.bashrc; then
+ sed -i '/^umask/d' /etc/bash.bashrc
+ echo "$umask_line" >> /etc/bash.bashrc
+ fi
+ fi
+
+ # Configure /etc/profile.d/umask.sh
+ echo "$umask_line" > /etc/profile.d/umask.sh
+ chmod 644 /etc/profile.d/umask.sh
+
+ echo "Default umask configured"
+ return 0
+}
+
+##########################################################################
+# Disable unnecessary services (Ubuntu only)
+##########################################################################
+disable_services() {
+ if [[ ${OS_FLAVOUR} == "ubuntu" ]]; then
+ echo "Masking apport crash reporting service"
+ systemctl stop apport.service 2>/dev/null || true
+ systemctl disable apport.service 2>/dev/null || true
+ systemctl mask apport.service 2>/dev/null || true
+
+ echo "Masking rpcbind service"
+ systemctl stop rpcbind.service 2>/dev/null || true
+ systemctl stop rpcbind.socket 2>/dev/null || true
+ systemctl disable rpcbind.service 2>/dev/null || true
+ systemctl disable rpcbind.socket 2>/dev/null || true
+ systemctl mask rpcbind.service 2>/dev/null || true
+ systemctl mask rpcbind.socket 2>/dev/null || true
+ fi
+
+ return 0
+}
+
+##########################################################################
+# Restrict coredumps via systemd
+##########################################################################
+harden_coredump() {
+ echo "Restricting coredumps via systemd"
+ mkdir -p /etc/systemd/coredump.conf.d
+ cat > /etc/systemd/coredump.conf.d/disable-coredump.conf << EOF
+[Coredump]
+Storage=none
+ProcessSizeMax=0
+EOF
+
+ return 0
+}
+
+##########################################################################
+# Configure NTP time synchronization (Ubuntu only)
+##########################################################################
+harden_ntp() {
+ if [[ ${OS_FLAVOUR} != "ubuntu" ]]; then
+ return 0
+ fi
+
+ echo "Configuring NTP time synchronization"
+
+ # Ensure systemd-timesyncd is enabled
+ systemctl enable systemd-timesyncd 2>/dev/null || true
+
+ # Configure timesyncd if config dir exists
+ if [[ -d /etc/systemd/timesyncd.conf.d ]] || mkdir -p /etc/systemd/timesyncd.conf.d; then
+ cat > /etc/systemd/timesyncd.conf.d/99-cis.conf << 'EOF'
+[Time]
+NTP=time.nist.gov
+FallbackNTP=pool.ntp.org
+EOF
+ chmod 644 /etc/systemd/timesyncd.conf.d/99-cis.conf
+ echo "NTP configuration updated"
+ fi
+
+ return 0
+}
+
 ##########################################################################
 # Login Banner
 ##########################################################################
@@ -1114,14 +1254,19 @@ cp /etc/os-release /etc/os-release.bak
 OS_FLAVOUR="linux"
 get_os
 upgrade_packages
+configure_sudo
+configure_umask
 harden_sysctl
 harden_ssh
 harden_boot
 harden_password_files
 harden_system
+disable_services
 remove_services
 disable_modules
+harden_coredump
 harden_journald
+harden_ntp
 harden_audit
 harden_banner
 harden_log
@@ -1130,4 +1275,5 @@ cleanup_cache
 mv /etc/os-release.bak /etc/os-release
-exit 0
\ No newline at end of file
+echo "CIS hardening completed successfully"
+exit 0
From 1f4e8d977869a1dd151041890f2593a167d50523 Mon Sep 17 00:00:00 2001
From: Sumit Mishra
Date: Mon, 2 Mar 2026 09:49:28 +0530
Subject: [PATCH 2/4] Add CUSTOM_KUBEADM_PROVIDER_IMAGE support for custom provider testing
Co-Authored-By: Oz
---
Earthfile | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Earthfile b/Earthfile
index 16a266cf..c179b221 100644
--- a/Earthfile
+++ b/Earthfile
@@ -31,6 +31,8 @@ ARG AURORABOOT_VERSION=v0.16.0
 ARG AURORABOOT_IMAGE=quay.io/kairos/auroraboot:$AURORABOOT_VERSION
 ARG K3S_PROVIDER_VERSION=v4.7.1
 ARG KUBEADM_PROVIDER_VERSION=v4.7.3
+# Custom provider image override (set to override default provider-kubeadm image)
+ARG CUSTOM_KUBEADM_PROVIDER_IMAGE=
 ARG RKE2_PROVIDER_VERSION=v4.8.1
 ARG NODEADM_PROVIDER_VERSION=v4.6.0
 ARG CANONICAL_PROVIDER_VERSION=v1.3.0
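Review bot: The `10-cis-password` drop-in written by configure_sudo does not implement the control its comment names: `Defaults !targetpw`, `!rootpw` and `!runaspw` are sudo's built-in defaults and do nothing to stop password-less escalation, whereas as I read CIS 5.2.4 the check is that no `NOPASSWD` tag remains in `/etc/sudoers` or `/etc/sudoers.d/*`, so the function should at least report leftovers, e.g. `grep -rEl '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d 2>/dev/null && echo "WARNING: NOPASSWD entries remain in sudoers" >&2`. The three sudoers.d files are also written with no syntax check, and a single malformed drop-in disables sudo for every user, so validate each one after writing it with `visudo -cf /etc/sudoers.d/10-cis-pty` (likewise for `10-cis-logfile` and `10-cis-password`) and remove the file when validation fails. harden_coredump covers only systemd-coredump; the benchmark's core-dump control also expects `* hard core 0` under `/etc/security/limits.d/` and `fs.suid_dumpable = 0`, which this hunk does not set unless harden_sysctl or harden_system (not shown here) already do. All five functions in this hunk are complete within it.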
@@ -658,9 +660,17 @@ stylus-package-image:
 kairos-provider-image:
 IF [ "$K8S_DISTRIBUTION" = "kubeadm" ]
- ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
+ IF [ -n "$CUSTOM_KUBEADM_PROVIDER_IMAGE" ]
+ ARG PROVIDER_BASE=$CUSTOM_KUBEADM_PROVIDER_IMAGE
+ ELSE
+ ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
+ END
 ELSE IF [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ]
- ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
+ IF [ -n "$CUSTOM_KUBEADM_PROVIDER_IMAGE" ]
+ ARG PROVIDER_BASE=$CUSTOM_KUBEADM_PROVIDER_IMAGE
+ ELSE
+ ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
+ END
 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ]
 ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-k3s:$K3S_PROVIDER_VERSION
 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] && $FIPS_ENABLED
From ee5ccf1d774aefc60c4d41e13be210c025629276 Mon Sep 17 00:00:00 2001
From: Sumit Mishra
Date: Mon, 2 Mar 2026 14:25:01 +0530
Subject: [PATCH 3/4] Remove NTP hardening from CIS controls
NTP configuration should be handled externally, not in image hardening.
Co-Authored-By: Oz
---
cis-harden/harden.sh | 28 ----------------------------
1 file changed, 28 deletions(-)
diff --git a/cis-harden/harden.sh b/cis-harden/harden.sh
index 40b5e46b..e56b39f5 100755
--- a/cis-harden/harden.sh
+++ b/cis-harden/harden.sh
@@ -894,33 +894,6 @@ EOF
 return 0
 }
-##########################################################################
-# Configure NTP time synchronization (Ubuntu only)
-##########################################################################
-harden_ntp() {
- if [[ ${OS_FLAVOUR} != "ubuntu" ]]; then
- return 0
- fi
-
- echo "Configuring NTP time synchronization"
-
- # Ensure systemd-timesyncd is enabled
- systemctl enable systemd-timesyncd 2>/dev/null || true
-
- # Configure timesyncd if config dir exists
- if [[ -d /etc/systemd/timesyncd.conf.d ]] || mkdir -p /etc/systemd/timesyncd.conf.d; then
- cat > /etc/systemd/timesyncd.conf.d/99-cis.conf << 'EOF'
-[Time]
-NTP=time.nist.gov
-FallbackNTP=pool.ntp.org
-EOF
- chmod 644 /etc/systemd/timesyncd.conf.d/99-cis.conf
- echo "NTP configuration updated"
- fi
-
- return 0
-}
-
 ##########################################################################
 # Login Banner
 ##########################################################################
@@ -1266,7 +1239,6 @@ remove_services
 disable_modules
 harden_coredump
 harden_journald
-harden_ntp
 harden_audit
 harden_banner
 harden_log
From 683534bababbec81b77f703e90227b4f46a9e4b5 Mon Sep 17 00:00:00 2001
From: Sumit Mishra
Date: Mon, 2 Mar 2026 21:24:22 +0530
Subject: [PATCH 4/4] Remove CUSTOM_KUBEADM_PROVIDER_IMAGE override
No longer needed - using standard provider-kubeadm image.
Co-Authored-By: Oz
---
Earthfile | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/Earthfile b/Earthfile
index c179b221..16a266cf 100644
--- a/Earthfile
+++ b/Earthfile
@@ -31,8 +31,6 @@ ARG AURORABOOT_VERSION=v0.16.0
 ARG AURORABOOT_IMAGE=quay.io/kairos/auroraboot:$AURORABOOT_VERSION
 ARG K3S_PROVIDER_VERSION=v4.7.1
 ARG KUBEADM_PROVIDER_VERSION=v4.7.3
-# Custom provider image override (set to override default provider-kubeadm image)
-ARG CUSTOM_KUBEADM_PROVIDER_IMAGE=
 ARG RKE2_PROVIDER_VERSION=v4.8.1
 ARG NODEADM_PROVIDER_VERSION=v4.6.0
 ARG CANONICAL_PROVIDER_VERSION=v1.3.0
@@ -660,17 +658,9 @@ stylus-package-image:
 kairos-provider-image:
 IF [ "$K8S_DISTRIBUTION" = "kubeadm" ]
- IF [ -n "$CUSTOM_KUBEADM_PROVIDER_IMAGE" ]
- ARG PROVIDER_BASE=$CUSTOM_KUBEADM_PROVIDER_IMAGE
- ELSE
- ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
- END
+ ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
 ELSE IF [ "$K8S_DISTRIBUTION" = "kubeadm-fips" ]
- IF [ -n "$CUSTOM_KUBEADM_PROVIDER_IMAGE" ]
- ARG PROVIDER_BASE=$CUSTOM_KUBEADM_PROVIDER_IMAGE
- ELSE
- ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
- END
+ ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-kubeadm:$KUBEADM_PROVIDER_VERSION
 ELSE IF [ "$K8S_DISTRIBUTION" = "k3s" ]
 ARG PROVIDER_BASE=$SPECTRO_PUB_REPO/edge/kairos-io/provider-k3s:$K3S_PROVIDER_VERSION
 ELSE IF [ "$K8S_DISTRIBUTION" = "rke2" ] && $FIPS_ENABLED