#!/bin/bash
# Saikyo OS Server Hardening Script
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0

# Abort on the first failing command. Neither -u nor pipefail is enabled:
# the dispatcher at the bottom reads "$1" and relies on an unset $1
# expanding to the empty string, which -u would turn into an error.
set -e

VERSION="1.0.0"

# ANSI colour codes used by the log_* helpers (echo -e expands the \033).
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Informational line on stdout; %b expands escapes in the argument exactly as echo -e does.
log_info() { printf '%b\n' "[${BLUE}INFO${NC}] $1"; }
# Success line on stdout; %b expands escapes in the argument exactly as echo -e does.
log_ok() { printf '%b\n' "[${GREEN}OK${NC}] $1"; }
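# Warning line. Diagnostics go to stderr so they are not swallowed when a
# caller captures or redirects stdout; %b keeps echo -e's escape handling.
log_warn() { printf '%b\n' "[${YELLOW}WARN${NC}] $1" >&2; }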
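# Error line. Diagnostics go to stderr so they are not swallowed when a
# caller captures or redirects stdout; %b keeps echo -e's escape handling.
log_error() { printf '%b\n' "[${RED}ERROR${NC}] $1" >&2; }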

# Every step edits files under /etc and drives systemctl, so stop here as an
# unprivileged user rather than failing half-way through the run.
check_root() {
    local uid
    uid=$(id -u)
    if (( uid != 0 )); then
        log_error "Требуются права root. Используйте sudo."
        exit 1
    fi
}

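#######################################
# Harden the main sshd_config: no root login, key-only authentication,
# tighter retry/grace limits. Backs up the file, validates the result with
# sshd -t (rolling back on rejection), checks the effective values with
# sshd -T and reloads the service best-effort.
# Globals:  SSH_CONFIG, SSH_BACKUP (written)
# Returns:  0; problems are reported via log_warn/log_error
#######################################
harden_ssh() {
    log_info "Настройка SSH..."

    SSH_CONFIG="/etc/ssh/sshd_config"
    # Second-resolution timestamp: a same-day re-run must not overwrite the
    # backup of the untouched config with an already-modified one.
    SSH_BACKUP="/etc/ssh/sshd_config.bak.$(date +%Y%m%d-%H%M%S)"

    if [ ! -f "$SSH_CONFIG" ]; then
        log_warn "Файл $SSH_CONFIG не найден, настройка SSH пропущена"
        return 0
    fi

    cp "$SSH_CONFIG" "$SSH_BACKUP"

    # Each directive is rewritten in place whether it is active or commented
    # out ("#Key ..."), exactly like the original sed passes.
    # NOTE(review): a value set in an Include'd drop-in (/etc/ssh/sshd_config.d/)
    # is read before these lines and wins under sshd's first-value-wins rule;
    # the sshd -T check below reports that case. A matching line inside a
    # Match block is rewritten as well and is not detected here.
    local -a directives=(
        "PermitRootLogin no"
        "PasswordAuthentication no"
        "PubkeyAuthentication yes"
        "PermitEmptyPasswords no"
        "MaxAuthTries 3"
        "LoginGraceTime 60"
    )
    local directive
    for directive in "${directives[@]}"; do
        sed -i "s/^#*${directive%% *}.*/${directive}/" "$SSH_CONFIG"
    done

    # Never leave a file sshd rejects: the running daemon keeps its old config
    # on reload, but the next restart would fail. Roll back to the backup.
    if command -v sshd &>/dev/null && ! sshd -t 2>/dev/null; then
        cp "$SSH_BACKUP" "$SSH_CONFIG"
        log_error "sshd отклонил новую конфигурацию, восстановлен файл из $SSH_BACKUP"
        return 0
    fi

    # Compare the *effective* configuration rather than the file text so an
    # overriding drop-in is noticed. sshd -T prints lowercase "key value" lines.
    local effective
    effective=$(sshd -T 2>/dev/null) || effective=""
    if [ -n "$effective" ]; then
        for directive in "${directives[@]}"; do
            if ! grep -qxF -- "${directive,,}" <<< "$effective"; then
                log_warn "Действующее значение ${directive%% *} отличается от заданного; проверьте /etc/ssh/sshd_config.d/"
            fi
        done
    fi

    # Key-only login with no key installed locks the administrator out.
    # NOTE(review): only the default AuthorizedKeysFile location under /home
    # is checked.
    if ! compgen -G "/home/*/.ssh/authorized_keys" > /dev/null; then
        log_warn "Не найдено ни одного /home/*/.ssh/authorized_keys: вход по паролю отключён, убедитесь, что SSH-ключ добавлен"
    fi

    # Reload stays best-effort (unit is "sshd" or "ssh" depending on distro),
    # but a double failure is now reported instead of silently ignored.
    if ! systemctl reload sshd 2>/dev/null && ! systemctl reload ssh 2>/dev/null; then
        log_warn "Не удалось перезагрузить sshd; изменения вступят в силу после перезапуска службы"
    fi

    log_ok "SSH настроен"
}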

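#######################################
# Install the password-quality policy (pwquality.conf), keeping a one-time
# backup of the distro file and warning when PAM does not use pam_pwquality,
# in which case the policy is never enforced.
# Globals:  PWQUALITY (written)
# Returns:  0
#######################################
harden_passwords() {
    log_info "Настройка политики паролей..."

    PWQUALITY="/etc/security/pwquality.conf"

    # The heredoc replaces the file wholesale; keep the first pristine copy.
    if [ -f "$PWQUALITY" ] && [ ! -f "$PWQUALITY.bak" ]; then
        cp "$PWQUALITY" "$PWQUALITY.bak"
    fi

    cat > "$PWQUALITY" << 'EOF'
# Saikyo OS Server Password Policy
# Соответствует требованиям ПП РФ №1236

minlen = 12
minclass = 3
maxrepeat = 3
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
dictcheck = 1
usercheck = 1
enforcing = 1
EOF

    # pwquality.conf is only consulted by pam_pwquality; without it in the PAM
    # stack the settings above have no effect. Drop-ins under
    # /etc/security/pwquality.conf.d/ may also override individual values.
    if ! grep -rqs 'pam_pwquality' /etc/pam.d/; then
        log_warn "pam_pwquality не найден в /etc/pam.d/: политика паролей не будет применяться"
    fi

    log_ok "Политика паролей настроена"
}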

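#######################################
# Write network/kernel hardening sysctls to a sysctl.d file and apply them.
# Globals:  SYSCTL_CONF (written)
# Returns:  0; a partial apply is reported via log_warn
#######################################
harden_kernel() {
    log_info "Настройка параметров ядра..."

    SYSCTL_CONF="/etc/sysctl.d/99-saikyo-security.conf"

    # The "99-" prefix sorts this file last so it overrides distro defaults in
    # /etc/sysctl.d/ and /usr/lib/sysctl.d/.
    # NOTE(review): ip_forward = 0 breaks hosts that route traffic or run
    # containers (Docker, libvirt); relax it on such hosts.
    cat > "$SYSCTL_CONF" << 'EOF'
# Saikyo OS Server Kernel Security Settings
# Соответствует требованиям ПП РФ №1236

# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable TCP SYN cookies
net.ipv4.tcp_syncookies = 1

# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Restrict core dumps
fs.suid_dumpable = 0

# Randomize virtual address space
kernel.randomize_va_space = 2

# Restrict dmesg access
kernel.dmesg_restrict = 1

# Restrict kernel pointers
kernel.kptr_restrict = 2
EOF

    # -e skips keys the running kernel lacks (e.g. net.ipv6.* with IPv6
    # disabled) instead of failing the whole file. A remaining failure is
    # reported: under `set -e` the original silent call aborted the script
    # with no message.
    if ! sysctl -e -p "$SYSCTL_CONF" > /dev/null 2>&1; then
        log_warn "Не все параметры ядра применены; файл $SYSCTL_CONF будет загружен при перезагрузке"
    fi

    log_ok "Параметры ядра настроены"
}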

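#######################################
# Default-deny inbound firewall with SSH allowed, via firewalld or ufw,
# whichever is installed. SSH is opened before the deny/drop policy takes
# effect so the current and new admin sessions are never cut off.
# Returns:  0; all firewall commands are best-effort and reported via log_warn
#######################################
enable_firewall() {
    log_info "Настройка firewall..."

    # NOTE(review): both branches open the "ssh" service, i.e. port 22; a
    # sshd listening on another port is cut off once the default policy
    # becomes deny/drop.
    if command -v firewall-cmd &>/dev/null; then
        systemctl enable --now firewalld 2>/dev/null || true
        # Open SSH in the drop zone (runtime and permanent) *before* making it
        # the default, so there is no window in which new SSH sessions drop.
        firewall-cmd --permanent --zone=drop --add-service=ssh 2>/dev/null || true
        firewall-cmd --zone=drop --add-service=ssh 2>/dev/null || true
        # Query rather than trust the add's exit code (already-enabled is a
        # warning, not an error) and only then switch the default zone.
        if firewall-cmd --permanent --zone=drop --query-service=ssh &>/dev/null; then
            firewall-cmd --set-default-zone=drop 2>/dev/null || true
            firewall-cmd --reload 2>/dev/null || true
            log_ok "Firewalld настроен"
        else
            log_warn "firewalld: не удалось разрешить SSH, зона drop не назначена по умолчанию"
        fi
    elif command -v ufw &>/dev/null; then
        ufw default deny incoming 2>/dev/null || true
        ufw default allow outgoing 2>/dev/null || true
        # Only switch the firewall on once the SSH rule is in place.
        if ufw allow ssh 2>/dev/null; then
            ufw --force enable 2>/dev/null || true
            log_ok "UFW настроен"
        else
            log_warn "UFW: не удалось разрешить SSH, firewall не включён"
        fi
    else
        log_warn "Firewall не найден"
    fi
}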

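#######################################
# Install a Fail2ban jail.local (sshd jail via the systemd backend), validate
# it, then enable and restart the service so the new config is loaded.
# Globals:  JAIL_LOCAL (written)
# Returns:  0; validation failure is reported via log_error and the service
#           is left as it was
#######################################
enable_fail2ban() {
    log_info "Настройка Fail2ban..."

    if ! command -v fail2ban-client &>/dev/null; then
        log_warn "Fail2ban не установлен"
        return 0
    fi

    JAIL_LOCAL="/etc/fail2ban/jail.local"

    # jail.local is the administrator's own override file; keep the first copy.
    if [ -f "$JAIL_LOCAL" ] && [ ! -f "$JAIL_LOCAL.bak" ]; then
        cp "$JAIL_LOCAL" "$JAIL_LOCAL.bak"
    fi

    cat > "$JAIL_LOCAL" << 'EOF'
# Saikyo OS Server Fail2ban Configuration

[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
EOF

    # A broken jail.local would leave the service down after restart; test
    # first (fail2ban-client -t, available since 0.10) and keep the old file
    # if the new one is rejected.
    if ! fail2ban-client -t &>/dev/null; then
        if [ -f "$JAIL_LOCAL.bak" ]; then
            cp "$JAIL_LOCAL.bak" "$JAIL_LOCAL"
        fi
        log_error "Fail2ban отклонил конфигурацию $JAIL_LOCAL; служба не перезапущена"
        return 0
    fi

    # `enable --now` leaves an already-running instance on its old config;
    # restart so the new jail.local is actually in effect.
    systemctl enable fail2ban 2>/dev/null || true
    if ! systemctl restart fail2ban 2>/dev/null; then
        log_warn "Не удалось перезапустить fail2ban; проверьте состояние службы"
    fi
    log_ok "Fail2ban настроен"
}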

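#######################################
# Install audit rules for identity, sudoers, sshd config, exec and kernel
# module activity, then enable auditd and load the rules.
# Globals:  AUDIT_RULES (written)
# Returns:  0; a failed rule load is reported via log_warn
#######################################
enable_auditd() {
    log_info "Настройка Auditd..."

    if ! command -v auditctl &>/dev/null; then
        log_warn "Auditd не установлен"
        return 0
    fi

    AUDIT_RULES="/etc/audit/rules.d/saikyo-security.rules"

    # NOTE(review): augenrules concatenates every rules.d file in lexical
    # order, so the "-D" below also clears rules loaded from files that sort
    # before this one (e.g. a distro-shipped 10-base-config.rules). Drop
    # "-D"/"-b" here if the host ships its own base config.
    # NOTE(review): auditing every execve is high-volume; size the audit log
    # and its rotation accordingly.
    cat > "$AUDIT_RULES" << 'EOF'
# Saikyo OS Server Audit Rules
# Соответствует требованиям ПП РФ №1236

# Delete all existing rules
-D

# Set buffer size
-b 8192

# Monitor authentication
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity

# Monitor sudo
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Monitor SSH
-w /etc/ssh/sshd_config -p wa -k sshd

# Monitor system calls
-a always,exit -F arch=b64 -S execve -k exec

# Monitor kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
EOF

    systemctl enable --now auditd 2>/dev/null || true

    # Load the rules and report a failure (typical causes: a syntax error in
    # the file, or an audit system already locked with "-e 2") instead of
    # hiding it. Fall back to auditctl -R where augenrules is absent.
    if command -v augenrules &>/dev/null; then
        if ! augenrules --load > /dev/null 2>&1; then
            log_warn "augenrules не смог загрузить правила; проверьте $AUDIT_RULES"
        fi
    elif ! auditctl -R "$AUDIT_RULES" > /dev/null 2>&1; then
        log_warn "auditctl не смог загрузить правила; проверьте $AUDIT_RULES"
    fi
    log_ok "Auditd настроен"
}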

# Enable the AppArmor service when the tooling is present. Only the service
# is enabled here; which profiles run in enforce mode is left to the distro.
enable_apparmor() {
    log_info "Настройка AppArmor..."

    if ! command -v apparmor_status &>/dev/null; then
        log_warn "AppArmor не установлен"
        return 0
    fi

    systemctl enable --now apparmor 2>/dev/null || true
    log_ok "AppArmor включён"
}

# Print the banner, require root, then run every hardening step in order.
# Under `set -e` a failing step aborts the run at that point.
main() {
    printf '%b\n' \
        "${BLUE}================================================${NC}" \
        "${BLUE}  Saikyo OS Server Hardening Script v${VERSION}${NC}" \
        "${BLUE}  Разработка: ООО «САЙКО»${NC}" \
        "${BLUE}================================================${NC}" \
        ""

    check_root

    log_info "Начало усиления безопасности..."

    local step
    for step in \
        harden_ssh \
        harden_passwords \
        harden_kernel \
        enable_firewall \
        enable_fail2ban \
        enable_auditd \
        enable_apparmor; do
        "$step"
    done

    printf '\n'
    log_ok "Усиление безопасности завершено!"
    log_info "Рекомендуется перезагрузить систему."
}

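# Print the command-line help.
usage() {
    echo "Usage: saikyo-harden [OPTIONS]"
    echo ""
    echo "Saikyo OS Server Hardening Script"
    echo ""
    echo "Options:"
    echo "  -h, --help      Show this help"
    echo "  -v, --version   Show version"
}

# Command-line dispatch. Only an empty argument runs the hardening: an
# unknown option used to fall through to the default arm and silently
# reconfigure the system, so it now prints the usage and exits with 2.
case "${1:-}" in
    --version|-v)
        echo "saikyo-harden version $VERSION"
        ;;
    --help|-h)
        usage
        ;;
    "")
        main
        ;;
    *)
        log_error "Неизвестный параметр: $1"
        usage >&2
        exit 2
        ;;
esac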
