feat: initial setup for PVE security scanner VM

Scripts for deploying a hardened internal network security scanner on Proxmox VE:
- PVE-level firewall and VM creation
- System hardening (sysctl, auditd, AIDE)
- nftables firewall with dynamic IP blocking
- SSH hardening with fail2ban
- Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec)
- Monitoring, logging, and Docker autostart

vm/01-system-harden.sh

@@ -0,0 +1,207 @@
+#!/bin/bash
+# =============================================================================
+# System Hardening for Security Scanner VM
+# Run this inside the VM as root
+# =============================================================================
+set -euo pipefail
+
+echo "============================================"
+echo " System Hardening - Security Scanner VM"
+echo "============================================"
+
+# --- 1. Update system ---
+echo "[+] Updating system packages..."
+apt update && apt upgrade -y
+apt install -y unattended-upgrades apt-listchanges
+
+# Enable automatic security updates
+cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
+Unattended-Upgrade::Allowed-Origins {
+    "${distro_id}:${distro_codename}-security";
+};
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "false";
+EOF
+
+dpkg-reconfigure -f noninteractive unattended-upgrades
+
+# --- 2. Kernel hardening (sysctl) ---
+echo "[+] Applying kernel hardening..."
+cat > /etc/sysctl.d/99-security-scanner.conf << 'EOF'
+# --- Network hardening ---
+# Disable IP forwarding (scanner should not route traffic)
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Ignore ICMP redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Don't send ICMP redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Enable reverse path filtering (anti-spoofing)
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Ignore broadcast pings
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Enable SYN flood protection
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_max_syn_backlog = 2048
+net.ipv4.tcp_synack_retries = 2
+
+# Log suspicious packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Disable source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# --- Memory protection ---
+# Restrict dmesg access
+kernel.dmesg_restrict = 1
+
+# Restrict kernel pointer exposure
+kernel.kptr_restrict = 2
+
+# Enable ASLR
+kernel.randomize_va_space = 2
+
+# Restrict ptrace
+kernel.yama.ptrace_scope = 2
+
+# --- File system ---
+# Restrict core dumps
+fs.suid_dumpable = 0
+EOF
+
+sysctl -p /etc/sysctl.d/99-security-scanner.conf
+
+# --- 3. Restrict core dumps ---
+echo "[+] Disabling core dumps..."
+cat > /etc/security/limits.d/99-no-core.conf << 'EOF'
+*    hard    core    0
+*    soft    core    0
+EOF
+
+# --- 4. Secure shared memory ---
+echo "[+] Securing shared memory..."
+if ! grep -q "tmpfs /dev/shm" /etc/fstab; then
+    echo "tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0" >> /etc/fstab
+fi
+
+# --- 5. Set file permissions ---
+echo "[+] Hardening file permissions..."
+chmod 700 /root
+chmod 600 /etc/crontab
+chmod 700 /etc/cron.d
+chmod 700 /etc/cron.daily
+chmod 700 /etc/cron.hourly
+chmod 700 /etc/cron.weekly
+chmod 700 /etc/cron.monthly
+
+# --- 6. Disable unnecessary services ---
+echo "[+] Disabling unnecessary services..."
+DISABLE_SERVICES=(
+    "avahi-daemon"
+    "cups"
+    "rpcbind"
+    "bluetooth"
+)
+for svc in "${DISABLE_SERVICES[@]}"; do
+    if systemctl is-enabled "${svc}" 2>/dev/null; then
+        systemctl disable --now "${svc}"
+        echo "    Disabled: ${svc}"
+    fi
+done
+
+# --- 7. Install security tools ---
+echo "[+] Installing security audit tools..."
+apt install -y \
+    aide \
+    rkhunter \
+    lynis \
+    auditd \
+    audispd-plugins \
+    fail2ban \
+    logwatch
+
+# --- 8. Initialize AIDE (file integrity monitoring) ---
+echo "[!] Initializing AIDE database - this may take 10-20 minutes..."
+aideinit
+cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+# --- 9. Configure auditd ---
+echo "[+] Configuring audit rules..."
+cat > /etc/audit/rules.d/scanner-audit.rules << 'EOF'
+# Delete all existing rules
+-D
+
+# Buffer size
+-b 8192
+
+# Failure mode (1=printk, 2=panic)
+-f 1
+
+# Monitor /etc changes
+-w /etc/ -p wa -k etc_changes
+
+# Monitor authentication
+-w /var/log/auth.log -p wa -k auth_log
+-w /etc/passwd -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/group -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+
+# Monitor sudo usage
+-w /etc/sudoers -p wa -k sudoers
+-w /etc/sudoers.d/ -p wa -k sudoers
+
+# Monitor network config changes
+-w /etc/hosts -p wa -k network
+-w /etc/network/ -p wa -k network
+-w /etc/nftables.conf -p wa -k firewall
+
+# Monitor cron changes
+-w /etc/crontab -p wa -k cron
+-w /etc/cron.d/ -p wa -k cron
+
+# Monitor scanner tool configs
+-w /opt/greenbone/ -p wa -k scanner_config
+
+# Lock audit rules (requires reboot to change)
+-e 2
+EOF
+
+systemctl restart auditd
+
+# --- 10. Password policy ---
+echo "[+] Setting password policy..."
+apt install -y libpam-pwquality
+
+sed -i 's/^#\s*minlen.*/minlen = 12/' /etc/security/pwquality.conf
+sed -i 's/^#\s*minclass.*/minclass = 3/' /etc/security/pwquality.conf
+sed -i 's/^#\s*maxrepeat.*/maxrepeat = 3/' /etc/security/pwquality.conf
+
+# Verify settings were applied
+for setting in minlen minclass maxrepeat; do
+    if ! grep -q "^${setting}" /etc/security/pwquality.conf; then
+        echo "[!] WARNING: ${setting} was not set - appending to config"
+        case "${setting}" in
+            minlen)    echo "minlen = 12" >> /etc/security/pwquality.conf ;;
+            minclass)  echo "minclass = 3" >> /etc/security/pwquality.conf ;;
+            maxrepeat) echo "maxrepeat = 3" >> /etc/security/pwquality.conf ;;
+        esac
+    fi
+done
+
+echo ""
+echo "[+] System hardening complete."
+echo "[!] Reboot recommended: shutdown -r now"