v1.1.0

Author: fidpa

CHANGELOG.md

@@ -0,0 +1,59 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- CONTRIBUTING.md with development guidelines
+- CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
+- SECURITY.md with vulnerability reporting process
+- This CHANGELOG.md
+
+## [1.0.0] - 2026-01-20
+
+### Added
+
+#### Core Components
+- **fail2ban/**: Intrusion prevention with 15+ jail configurations
+- **ssh-hardening/**: SSH hardening with secure sshd_config templates
+- **nftables/**: Modern firewall with modular rule sets
+- **ufw/**: Simplified firewall alternative
+- **aide/**: File integrity monitoring with systemd integration
+- **lynis/**: Security auditing with automation scripts
+- **rkhunter/**: Rootkit detection and prevention
+- **auditd/**: Kernel-level audit logging
+- **apparmor/**: Mandatory access control profiles
+
+#### Advanced Security
+- **kernel-hardening/**: sysctl security configurations
+- **boot-security/**: GRUB password protection
+- **usb-defense/**: USB device access control
+- **vaultwarden/**: Credential management integration
+- **security-monitoring/**: Prometheus exporters and Grafana dashboards
+
+#### Documentation
+- Comprehensive README with Quick Start guide
+- CIS Benchmark alignment documentation
+- Troubleshooting guide
+- Best practices documentation
+- Prometheus/Grafana integration guide
+
+### Security
+- All configurations aligned with CIS Ubuntu Benchmark
+- Defense-in-depth approach with 14 security layers
+- Secure defaults for all components
+
+---
+
+## Version History
+
+| Version | Date | Highlights |
+|---------|------|------------|
+| 1.0.0 | 2026-01-20 | Initial release with 14 security components |
+
+[Unreleased]: https://github.com/fidpa/ubuntu-server-security/compare/v1.0.0...HEAD
+[1.0.0]: https://github.com/fidpa/ubuntu-server-security/releases/tag/v1.0.0

CODE_OF_CONDUCT.md

@@ -0,0 +1,60 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes
+* Focusing on what is best not just for us as individuals, but for the community
+
+Examples of unacceptable behavior:
+
+* The use of sexualized language or imagery, and sexual attention of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information without explicit permission
+* Other conduct which could reasonably be considered inappropriate
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards
+of acceptable behavior and will take appropriate and fair corrective action
+in response to any behavior that they deem inappropriate, threatening,
+offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies
+when an individual is officially representing the community in public spaces.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+**security@fidpa.dev** or via GitHub Issues.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html

CONTRIBUTING.md

@@ -0,0 +1,148 @@
+# Contributing to Ubuntu Server Security
+
+First off, thank you for considering contributing to Ubuntu Server Security!
+
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [Getting Started](#getting-started)
+- [How to Contribute](#how-to-contribute)
+- [Development Setup](#development-setup)
+- [Style Guidelines](#style-guidelines)
+- [Commit Messages](#commit-messages)
+- [Pull Request Process](#pull-request-process)
+
+## Code of Conduct
+
+This project adheres to the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md).
+By participating, you are expected to uphold this code.
+
+## Getting Started
+
+- Make sure you have a [GitHub account](https://github.com/signup)
+- Check existing [issues](https://github.com/fidpa/ubuntu-server-security/issues) before creating new ones
+- Fork the repository on GitHub
+
+## How to Contribute
+
+### Reporting Bugs
+
+Before creating bug reports, please check existing issues.
+
+**Great bug reports include:**
+- A clear, descriptive title
+- Steps to reproduce the issue
+- Expected vs actual behavior
+- System information (Ubuntu version, shell version)
+- Relevant logs or error messages
+
+### Suggesting Features
+
+Feature suggestions are welcome! Please:
+- Check if the feature was already requested
+- Describe the use case clearly
+- Explain why this would benefit users
+
+### Security Vulnerabilities
+
+**DO NOT** open public issues for security vulnerabilities.
+
+See [SECURITY.md](SECURITY.md) for responsible disclosure.
+
+### Pull Requests
+
+1. Fork the repo and create your branch from `main`
+2. Make your changes
+3. Test on Ubuntu 22.04 or 24.04
+4. Ensure all scripts pass `shellcheck`
+5. Update documentation if needed
+6. Submit a pull request
+
+## Development Setup
+
+```bash
+# Clone your fork
+git clone https://github.com/YOUR_USERNAME/ubuntu-server-security.git
+cd ubuntu-server-security
+
+# Verify shellcheck is installed
+shellcheck --version
+
+# Run shellcheck on all scripts
+find . -name "*.sh" -exec shellcheck {} \;
+```
+
+### Testing Environment
+
+Recommended: Use a VM or container for testing security configurations.
+
+```bash
+# Example with LXD
+lxc launch ubuntu:22.04 security-test
+lxc exec security-test -- bash
+```
+
+## Style Guidelines
+
+### Bash Scripts
+
+- Use `shellcheck` for linting
+- Follow `set -uo pipefail` pattern
+- Use lowercase for variables, UPPERCASE for constants
+- Quote variables: `"$var"` not `$var`
+- Add comments for complex logic
+
+### Configuration Files
+
+- Include comments explaining each setting
+- Provide safe defaults
+- Document security implications
+
+### Documentation
+
+- Use Markdown
+- Include code examples
+- Keep lines under 100 characters
+- Add TL;DR for long documents
+
+## Commit Messages
+
+Follow conventional format:
+```
+type: short description
+
+Longer explanation if needed.
+
+Fixes #123
+```
+
+Types: `feat`, `fix`, `docs`, `style`, `refactor`, `test`, `chore`
+
+**Examples:**
+- `feat: add fail2ban jail for postfix`
+- `fix: correct sshd_config permissions`
+- `docs: update nftables examples`
+
+## Pull Request Process
+
+1. Update README.md if needed
+2. Update CHANGELOG.md with your changes
+3. PRs require one maintainer approval
+4. Squash commits before merging
+
+### PR Checklist
+
+- [ ] Code follows style guidelines
+- [ ] Shellcheck passes without errors
+- [ ] Tested on Ubuntu 22.04 or 24.04
+- [ ] Documentation updated
+- [ ] CHANGELOG.md updated
+
+## Questions?
+
+- Open a [Discussion](https://github.com/fidpa/ubuntu-server-security/discussions)
+- Check existing documentation
+
+---
+
+Thank you for contributing to Ubuntu Server Security!

SECURITY.md

@@ -0,0 +1,75 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+We take security vulnerabilities seriously. If you discover a security issue,
+please report it responsibly.
+
+### DO NOT
+
+- Open a public GitHub issue for security vulnerabilities
+- Disclose the vulnerability publicly before it's fixed
+- Exploit the vulnerability beyond what's necessary to demonstrate it
+
+### How to Report
+
+1. **Email**: Send details to **security@fidpa.dev**
+2. **GitHub**: Use [Private Vulnerability Reporting](https://github.com/fidpa/ubuntu-server-security/security/advisories/new)
+
+### What to Include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### What to Expect
+
+- **Acknowledgment**: Within 48 hours
+- **Initial Assessment**: Within 7 days
+- **Resolution Timeline**: Depends on severity
+  - Critical: 24-72 hours
+  - High: 1-2 weeks
+  - Medium: 2-4 weeks
+  - Low: Next release
+
+### After Resolution
+
+- You will be credited in the release notes (unless you prefer anonymity)
+- A security advisory will be published
+- Fixed versions will be clearly documented
+
+## Security Best Practices
+
+When using this repository:
+
+1. **Always test in a non-production environment first**
+2. **Review all configurations before applying**
+3. **Keep your system updated**
+4. **Monitor logs after applying security configurations**
+5. **Have a rollback plan**
+
+## Scope
+
+This security policy covers:
+
+- All configuration files in this repository
+- All scripts and automation tools
+- Documentation that could lead to misconfigurations
+
+## Out of Scope
+
+- Vulnerabilities in Ubuntu itself (report to [Ubuntu Security](https://ubuntu.com/security))
+- Third-party tools (fail2ban, nftables, etc.) - report to respective projects
+- Issues caused by user modifications
+
+---
+
+Thank you for helping keep Ubuntu Server Security safe!

aide/README.md

@@ -54,3 +54,10 @@ sudo aideinit
 - ✅ **Database Servers** - Track PostgreSQL configuration changes
 - ✅ **Compliance** - Generate file integrity audit reports
 - ✅ **Defense-in-Depth** - Complement rkhunter and auditd monitoring
+
+## See Also
+
+- [← Back to Repository Root](../README.md)
+- [rkhunter](../rkhunter/) - Rootkit detection (complementary tool)
+- [auditd](../auditd/) - Kernel-level audit logging
+- [security-monitoring](../security-monitoring/) - Unified security event monitoring

apparmor/README.md

@@ -62,3 +62,10 @@ sudo aa-enforce /etc/apparmor.d/usr.lib.postgresql.16.bin.postgres
 - [Ubuntu AppArmor Wiki](https://wiki.ubuntu.com/AppArmor)
 - [CIS Ubuntu Linux Benchmark](https://www.cisecurity.org/benchmark/ubuntu_linux)
 - [PostgreSQL AppArmor Wiki](https://wiki.postgresql.org/wiki/AppArmor)
+
+## See Also
+
+- [← Back to Repository Root](../README.md)
+- [kernel-hardening](../kernel-hardening/) - Kernel security parameters
+- [auditd](../auditd/) - Audit AppArmor denials
+- [lynis](../lynis/) - Validates AppArmor configuration

auditd/README.md

@@ -63,3 +63,10 @@ sudo systemctl restart auditd
 - [Linux Audit Documentation](https://github.com/linux-audit/audit-documentation)
 - [CIS Ubuntu Linux Benchmark](https://www.cisecurity.org/benchmark/ubuntu_linux)
 - [Red Hat auditd Guide](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing)
+
+## See Also
+
+- [← Back to Repository Root](../README.md)
+- [aide](../aide/) - File integrity monitoring
+- [rkhunter](../rkhunter/) - Rootkit detection
+- [lynis](../lynis/) - Security auditing and compliance

boot-security/README.md

@@ -60,3 +60,10 @@ sudo ./scripts/setup-grub-password.sh
 - [GRUB Manual - Security](https://www.gnu.org/software/grub/manual/grub/html_node/Security.html)
 - [CIS Ubuntu Linux Benchmark](https://www.cisecurity.org/benchmark/ubuntu_linux)
 - [Ubuntu GRUB2 Documentation](https://help.ubuntu.com/community/Grub2)
+
+## See Also
+
+- [← Back to Repository Root](../README.md)
+- [usb-defense](../usb-defense/) - USB attack prevention
+- [kernel-hardening](../kernel-hardening/) - Kernel security parameters
+- [vaultwarden](../vaultwarden/) - Secure GRUB password storage

docs/BEST_PRACTICES.md

@@ -1,5 +1,7 @@
 # AIDE Best Practices
 
+> **TL;DR**: Never auto-update AIDE database (review changes first), keep offsite backups, test updates in staging, and use `_aide` group for non-root monitoring access.
+
 Production recommendations based on servers with 100% CIS Benchmark compliance.
 
 ## Database Management