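#!/bin/bash
# Security Hardening Script
# Generated by Axiom - Autonomous System Administrator
#
# Read-only audit: prints a report on SSH, firewalld, fail2ban, pending
# security updates, SELinux, listening sockets and a few file modes.
# It changes no configuration.
#
# Several checks need root (reading sshd_config, `sshd -T`, fail2ban-client,
# process names in `ss -p`). Strict mode (`set -e`) is deliberately not used:
# most probes are expected to fail on hosts that lack the tool in question.

echo "=== Axiom Security Hardening Report ==="
echo "Timestamp: $(date '+%Y-%m-%d %H:%M:%S')"
if [ "$(id -u)" -ne 0 ]; then
  # Without root, a missing [OK] below may only mean "could not read".
  echo "[WARNING] Not running as root; some checks may be incomplete"
fi
echo ""

# Check SSH configuration
echo "--- SSH Security ---"
SSHD_CONFIG=/etc/ssh/sshd_config

# Prefer the effective configuration reported by sshd itself: it resolves
# Include drop-ins and built-in defaults, which a grep of the main file
# cannot see.
ssh_settings=""
if command -v sshd >/dev/null 2>&1; then
  ssh_settings=$(sshd -T 2>/dev/null) || ssh_settings=""
fi
if [ -z "$ssh_settings" ] && [ -r "$SSHD_CONFIG" ]; then
  # Fallback: main file only. Lines inside Match blocks are not told apart
  # from global ones here, so treat the result as a hint, not a verdict.
  ssh_settings=$(grep -Ei '^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication)[[:space:]]' "$SSHD_CONFIG")
  echo "[INFO] Effective config unavailable; reading $SSHD_CONFIG only (Include files not evaluated)"
fi

# True when the collected settings contain "<keyword> <value>".
# sshd keywords are case-insensitive and may be followed by any whitespace.
ssh_setting_is() {
  grep -Eqi "^$1[[:space:]]+$2[[:space:]]*\$" <<<"$ssh_settings"
}

if [ -z "$ssh_settings" ]; then
  # Previously an unreadable file was reported as "may be enabled".
  echo "[WARNING] Unable to read SSH configuration (run as root)"
else
  if ssh_setting_is PermitRootLogin no; then
    echo "[OK] Root login disabled"
  else
    echo "[INFO] Root login may be enabled (check SSH config)"
  fi

  if ssh_setting_is PasswordAuthentication no; then
    echo "[OK] Password authentication disabled"
  else
    echo "[INFO] Password authentication may be enabled"
  fi

  if ssh_setting_is PubkeyAuthentication yes; then
    echo "[OK] Public key authentication enabled"
  fi
fi
echo ""

# Check firewall status
echo "--- Firewall Status ---"
if systemctl is-active --quiet firewalld; then
  echo "[OK] Firewalld is active"
  # Both queries report the default zone only.
  echo "Open services: $(firewall-cmd --list-services)"
  echo "Open ports: $(firewall-cmd --list-ports)"
else
  echo "[WARNING] Firewalld not active"
fi
echo ""

# Check fail2ban status
echo "--- Fail2Ban Status ---"
if systemctl is-active --quiet fail2ban; then
  echo "[OK] Fail2ban is active"
  echo "Active jails:"
  # NOTE: stderr is discarded, so this fallback message also appears when the
  # client could not talk to the server (e.g. insufficient privileges).
  fail2ban-client status 2>/dev/null | grep "Jail list" || echo "No jails configured"
else
  echo "[WARNING] Fail2ban not active"
fi
echo ""

# Check for unattended security updates
echo "--- Security Updates ---"
if command -v dnf >/dev/null 2>&1; then
  # Query once and reuse the output for both the count and the excerpt.
  # The first line of the quiet output is skipped, as in the original;
  # presumably it is a blank separator -- confirm for the dnf version in use.
  update_list=$(dnf check-update --security -q 2>/dev/null | tail -n +2)
  # Count non-empty lines only, so blank separators are not reported as updates.
  UPDATES=$(grep -c . <<<"$update_list")
  echo "Pending security updates: $UPDATES"
  if [ "$UPDATES" -gt 0 ]; then
    echo "[INFO] Security updates available"
    tail -n 5 <<<"$update_list"
  fi
else
  echo "[INFO] dnf not available; security update check skipped"
fi
echo ""

# Check SELinux status
echo "--- SELinux Status ---"
if command -v getenforce &> /dev/null; then
  STATUS=$(getenforce)
  echo "SELinux status: $STATUS"
  if [ "$STATUS" = "Enforcing" ]; then
    echo "[OK] SELinux is enforcing"
  else
    echo "[INFO] SELinux is not enforcing"
  fi
else
  echo "[INFO] SELinux tools not available"
fi
echo ""

# Check listening ports
echo "--- Open Ports ---"
echo "Listening services:"
# -l already limits output to listening sockets. Filtering on the word
# "LISTEN" dropped every UDP socket, because ss reports bound UDP sockets
# as UNCONN, so UDP services never appeared in the report.
ss -tulpn
echo ""

# File permission checks
echo "--- Critical File Permissions ---"
for file in /etc/passwd /etc/shadow /etc/ssh/sshd_config; do
  if [ -f "$file" ]; then
    PERMS=$(stat -c "%a" "$file")
    echo "$file: $PERMS"
    # Only evaluate the mode when stat returned a plain octal number.
    if [[ "$PERMS" =~ ^[0-7]+$ ]]; then
      if (( (8#$PERMS & 8#022) != 0 )); then
        echo "[WARNING] $file is writable by group or others"
      fi
      # Password hashes must not be readable by unprivileged users.
      if [ "$file" = /etc/shadow ] && (( (8#$PERMS & 8#004) != 0 )); then
        echo "[WARNING] $file is readable by others"
      fi
    fi
  fi
done
echo ""

echo "=== Security Hardening Report Complete ==="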