PVE9-Harden-FinalVersion-v1.sh

#!/usr/bin/env bash
# PVE9-Harden-FinalVersion-v1.sh (Final Version)
# Modern interactive PVE hardening toolkit
# Features: Menu box modern, progress bar horizontal, modular framework
# Author: black_platoon23 | Ismail Djamhur

set -e
set -o pipefail
IFS=$'\n\t'

#########################################
# Global Configuration
#########################################
VERSION="1.0-FINAL"
LOG="/var/log/haqqsec_interactive.log"
BACKUP_DIR="/root/haqqsec_backups_$(date +%Y%m%d_%H%M%S)"
REPORT="/root/haqqsec_report_$(date +%Y%m%d_%H%M%S).html"
SEC_LEVEL="2"
DRY_RUN=false
VERBOSE=false

#########################################
# Color Palette (Bold & Modern)
#########################################
C_RESET='\033[0m'
C_BOLD='\033[1m'

C_RED='\033[1;31m'
C_GREEN='\033[1;32m'
C_YELLOW='\033[1;33m'
C_BLUE='\033[1;34m'
C_CYAN='\033[1;36m'
C_WHITE='\033[1;37m'

#########################################
# Logging
#########################################
log() {
    echo -e "[$(date +'%H:%M:%S')] $*" | tee -a "$LOG"
}
execute_command() {
    local description="$1"
    shift
    local command="$@"
    
    if [[ "${DRY_RUN}" == "true" ]]; then
        log INFO "[DRY RUN] ${description}: ${command}"
        return 0
    fi
    
    log INFO "${description}"
    eval "${command}"
}
backup_file() {
    local file="$1"
    if [[ -f "$file" ]]; then
        mkdir -p "${BACKUP_DIR}/$(dirname "$file")"
        cp "$file" "${BACKUP_DIR}/$file.$(date +%s)"
        log "INFO" "Backed up $file"
    fi
}
wait_for_apt() {
    local max_wait=300
    local waited=0
    
    while sudo fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1 || \
          sudo fuser /var/lib/apt/lists/lock >/dev/null 2>&1 || \
          sudo fuser /var/cache/apt/archives/lock >/dev/null 2>&1; do
        
        if [[ ${waited} -eq 0 ]]; then
            log WARNING "Waiting for other package managers to finish..."
        fi
        
        sleep 2
        waited=$((waited + 2))
        
        if [[ ${waited} -ge ${max_wait} ]]; then
            log ERROR "Timed out waiting for package manager"
            return 1
        fi
    done
    
    return 0
}
#########################################
# PROGRESS BAR HORIZONTAL
#########################################
progress_bar() {
    local progress=$1
    local total=$2

    # Hitung persentase
    local percent=$(( 100 * progress / total ))
    [[ $percent -gt 100 ]] && percent=100

    # Hitung panjang bar (50 karakter total)
    local filled=$(( percent / 2 ))
    local empty=$(( 50 - filled ))

    # Clear line dan draw bar
    tput el  # Clear sampai akhir baris
    echo -ne "${C_GREEN}["

    # Bagian terisi
    for ((i=0; i<filled; i++)); do
        echo -ne "█"
    done

    # Bagian kosong
    for ((i=0; i<empty; i++)); do
        echo -ne "░"
    done

    # Tampilkan persentase
    echo -ne "] ${percent}%${C_RESET}"
}

#########################################
# UI — BOX MENU MODERN WITH ASCII ART & DISCLAIMER
#########################################
draw_menu_box() {
    clear

    # ASCII Art untuk "Hardening" (bagian bawah)
    echo "  ██╗  ██╗ █████╗ ██████╗ ██████╗ ███████╗███╗   ██╗██╗███╗   ██╗ ██████╗ "
    echo "  ██║  ██║██╔══██╗██╔══██╗██╔══██╗██╔════╝████╗  ██║██║████╗  ██║██╔════╝ "
    echo "  ███████║███████║██████╔╝██║  ██║█████╗  ██╔██╗ ██║██║██╔██╗ ██║██║  ███╗"
    echo "  ██╔══██║██╔══██║██╔══██╗██║  ██║██╔══╝  ██║╚██╗██║██║██║╚██╗██║██║   ██║"
    echo "  ██║  ██║██║  ██║██║  ██║██████╔╝███████╗██║ ╚████║██║██║ ╚████║╚██████╔╝"
    echo "  ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝ ╚══════╝╚═╝  ╚═══╝╚═╝╚═╝  ╚═══╝ ╚═════╝ "
    echo "  PROMOX VE 9.1"
    echo -e "${C_RESET}"
    
    # Menu Box
    echo -e "${C_BLUE}${C_BOLD}"
    echo "┌───────────────────────────────────────┐"
    echo "│      Proxmox VE 9.1 Hardening         │"
    echo "├───────────────────────────────────────┤"
    echo "│ 1. Select Security Level              │"
    echo "│ 2. Select Modules Manually            │"
    echo "│ 3. Start Hardening                    │"
    echo "│ 4. List of Modules                    │"
    echo "│ 5. Exit                               │"
    echo "└───────────────────────────────────────┘"
    echo -e "${C_RESET}"
    
    # Disclaimer dengan format yang diminta
    echo ""
    echo -e "${C_RED}${C_BOLD}╔══════════════════════════════════════════════════════════════════════════════════════════╗${C_RESET}"
    echo -e "${C_RED}${C_BOLD}║                           DISCLAIMER AND USER ACKNOWLEDGMENT                             ║${C_RESET}"
    echo -e "${C_RED}${C_BOLD}╠══════════════════════════════════════════════════════════════════════════════════════════╣${C_RESET}"
    echo -e "${C_RED}║ By using this hardening script, you acknowledge and accept that the implementation of    ║${C_RESET}"
    echo -e "${C_RED}║ these security modules is undertaken voluntarily and at your own risk. You understand    ║${C_RESET}"
    echo -e "${C_RED}║ that applying security configurations carries inherent potential risks, including but    ║${C_RESET}"
    echo -e "${C_RED}║ not limited to system lockout, service disruption, performance degradation, data loss,   ║${C_RESET}"
    echo -e "${C_RED}║ or cluster failure. All consequences arising from the execution of this script, whether  ║${C_RESET}"
    echo -e "${C_RED}║ direct or indirect, are solely your responsibility as the user. The script author and    ║${C_RESET}"
    echo -e "${C_RED}║ contributors explicitly disclaim any liability for damages, downtime, operational issues,║${C_RESET}"
    echo -e "${C_RED}║ or compliance violations that may occur, given the unpredictable nature of individual    ║${C_RESET}"
    echo -e "${C_RED}║ system environments, custom configurations, and external factors beyond the developer's  ║${C_RESET}"
    echo -e "${C_RED}║ control.                                                                                 ║${C_RESET}"
    echo -e "${C_RED}${C_BOLD}╚══════════════════════════════════════════════════════════════════════════════════════════╝${C_RESET}"
    echo ""
}

#########################################
# READ INPUT SAFE (ANTI EXIT)
#########################################
safe_read() {
    set +e
    read -r "$1"
    set -e
}

#########################################
# MODULE STRUCTURE
#########################################
declare -A MODULE_LABELS
declare -A MODULE_LIST

MODULE_ORDER=(
  system_update
  audit
  secure_shared_memory
  ssh_hardening
  automatic_updates
  firewall
  sysctl
  password_policy
  ntp
  apparmor
  filesystems
  package_verification
  
)
#########################################
# DEFAULT SECURITY LEVEL
#########################################
# Jika user tidak memilih apa pun → Level 2
#SEC_LEVEL=2

#########################################
# MAPPING MODUL PER LEVEL SECURITY
#########################################

LEVEL1_MODULES=(
  system_update
  firewall
)

LEVEL2_MODULES=(
  system_update
  firewall
  ssh_hardening
  password_policy
  ntp
  audit
  
)

LEVEL3_MODULES=(
  system_update
  firewall
  ssh_hardening
  password_policy
  ntp
  audit
  sysctl
  filesystems
)

LEVEL4_MODULES=(
  system_update
  firewall
  ssh_hardening
  password_policy
  ntp
  audit
  sysctl
  filesystems
  automatic_updates
  
)

LEVEL5_MODULES=(
  system_update
  firewall
  ssh_hardening
  password_policy
  ntp
  audit
  sysctl
  filesystems
  automatic_updates
  secure_shared_memory
  package_verification
  
)


#########################################
# Define module names & descriptions
#########################################
MODULES=(
  system_update
  audit
  secure_shared_memory
  ssh_hardening
  automatic_updates
  firewall
  sysctl
  password_policy
  ntp
  apparmor
  filesystems
  package_verification
  
)

declare -A MODULE_LABELS=(
  [system_update]="System update & upgrade"
  [audit]="Auditd rules"
  [secure_shared_memory]="/dev/shm Hardening"
  [ssh_hardening]="SSH hardening"
  [automatic_updates]="Unattended upgrades"
  [firewall]="Firewall PVE/NFT"
  [sysctl]="Kernel hardening"
  [password_policy]="Password policy"
  [ntp]="Time sync (Chrony)"
  [apparmor]="AppArmor enable"
  [filesystems]="Disable unused FS"
  [package_verification]="Package verification"
  
)

#########################################
# Show Module
#########################################
show_modules() {
    echo -e "\nList of Hardening Modules PVE 9.1"
    echo "=================================\n"

    local index=1
    for mod in "${MODULES[@]}"; do
        printf "%2d) %-22s - %s\n" \
            "$index" "$mod" "${MODULE_LABELS[$mod]}"
        index=$((index+1))
    done

    echo -e "\n  0) Back"
    read -r input

        [[ "$input" == "0" ]] && return
}

#########################################
# Define Maturity Security Level
#########################################
choose_security_level() {
    clear
    echo -e "${C_CYAN}${C_BOLD}Choose Security Level:${C_RESET}"
    echo "1. Level 1 (Very minimum compliance security)"
    echo "2. Level 2 (Minimum compliance security)"
    echo "3. Level 3 (Security compliance enough)"
    echo "4. Level 4 (Security compliance near fully)"
    echo "5. Level 5 (Security compliance fully)"
    echo "0. Back to main menu"
    echo -n "Choose: "
    safe_read lvl

    case "$lvl" in
        1)
            SEC_LEVEL=1
            MODULE_ORDER=("${LEVEL1_MODULES[@]}")
            ;;
        2)
            SEC_LEVEL=2
            MODULE_ORDER=("${LEVEL2_MODULES[@]}")
            ;;
        3)
            SEC_LEVEL=3
            MODULE_ORDER=("${LEVEL3_MODULES[@]}")
            ;;
        4)
            SEC_LEVEL=4
            MODULE_ORDER=("${LEVEL4_MODULES[@]}")
            ;;
        5)
            SEC_LEVEL=5
            MODULE_ORDER=("${LEVEL5_MODULES[@]}")
            ;;
        0)
            # Kembali ke menu tanpa mengubah apapun
            return 0
            ;;
        *)
            echo -e "${C_YELLOW}Invalid choice, using default Level 2${C_RESET}"
            SEC_LEVEL=2
            MODULE_ORDER=("${LEVEL2_MODULES[@]}")
            sleep 1
            ;;
    esac

    # clear
    # echo -e "${C_GREEN}${C_BOLD}Set Security level to: Level $SEC_LEVEL${C_RESET}"
    # echo -e "\nModules to be executed:"
    # for m in "${MODULE_ORDER[@]}"; do
    #     echo " - $m (${MODULE_LABELS[$m]})"
    # done
    # echo ""
    # echo "Press Enter to return to the menu..."
    # read
    if [[ "$lvl" != "0" ]]; then
        clear
        echo -e "${C_GREEN}${C_BOLD}Security level set to: Level $SEC_LEVEL${C_RESET}"
        echo -e "\nModules to be executed:"
        for m in "${MODULE_ORDER[@]}"; do
            echo " - $m (${MODULE_LABELS[$m]})"
        done
        echo ""
        #echo "Press Enter to return to the menu..."
        #read

        run_hardening
    fi
}


#########################################
# MODULE IMPLEMENTATIONS
#########################################

mod_system_update() {
    log "Running system update"
   
    wait_for_apt
    
    execute_command "Refreshing package lists" \
        "sudo apt-get update"
    
    if [[ "${SECURITY_LEVEL}" == "5" ]]; then
        execute_command "Upgrading all packages (full upgrade)" \
            "sudo DEBIAN_FRONTEND=noninteractive apt-get full-upgrade -y"
    else
        execute_command "Upgrading packages (safe upgrade)" \
            "sudo DEBIAN_FRONTEND=noninteractive apt-get upgrade -y"
    fi
    
    log SUCCESS "System packages updated"
    return 0
}


mod_audit() {
    log "Configuring auditd"
     execute_command "Installing auditd" \
        "sudo apt-get install -y auditd audispd-plugins"
    
    local audit_rules="/etc/audit/rules.d/haqqsec.rules"
    
    if [[ "${DRY_RUN}" == "false" ]]; then
        sudo tee "${audit_rules}" > /dev/null << 'EOF'
# HaqqSecTools-PVE9-Harden.sh - Audit Rules

# Delete all existing rules
-D

# Buffer size
-b 8192

# Failure mode (1 = print, 2 = panic)
-f 1

# Authentication and authorization
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

# Login and logout
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins

# Network configuration
-w /etc/hosts -p wa -k network
-w /etc/network/ -p wa -k network
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k network

# Discretionary access control
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

# Unauthorized access attempts
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

# System administration
-w /var/log/sudo.log -p wa -k actions

# Kernel module loading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

# Make configuration immutable (requires reboot to change)
-e 2
EOF
        
        execute_command "Loading audit rules" \
            "sudo augenrules --load"
        
        execute_command "Enabling auditd" \
            "sudo systemctl enable auditd && sudo systemctl restart auditd"
        
        log SUCCESS "Audit logging configured"
    else
        log INFO "[DRY RUN] Would configure audit logging"
    fi
    
    return 0
}

mod_secure_shared_memory() {
   local fstab="/etc/fstab"
    local is_ceph_node="false"
    local is_pve_node="false"
    local ceph_version=""

    # Detect Proxmox VE (case-insensitive)
    if grep -qi "pve" /etc/os-release 2>/dev/null || command -v pveversion >/dev/null 2>&1; then
        is_pve_node="true"
        log INFO "Proxmox VE detected"
    fi

    # Detect Ceph installation (binary present + services active)
    if command -v ceph >/dev/null 2>&1; then
        # Try to get a version string (tolerant)
        ceph_version=$(ceph --version 2>/dev/null | awk '{print $3}' || true)
        # If ceph binary exists, check that Ceph services are active
        if systemctl is-active --quiet ceph.target 2>/dev/null || systemctl is-active --quiet ceph-mon@* 2>/dev/null; then
            is_ceph_node="true"
            log INFO "Ceph detected: version ${ceph_version:-unknown}"
            log INFO "Ceph services appear active"
        else
            log WARNING "Ceph binary present but Ceph services not active; treating as non-Ceph node for safety"
            is_ceph_node="false"
        fi
    fi

    # Check if /dev/shm contains Ceph-specific entries (safe check)
    local shm_ceph_usage="false"
    if [[ "${is_ceph_node}" == "true" ]]; then
        # Use shell globbing check safely (avoid ls failures)
        shopt -s nullglob 2>/dev/null || true
        local ceph_shm_items=(/dev/shm/ceph-*)
        if [[ ${#ceph_shm_items[@]} -gt 0 ]]; then
            shm_ceph_usage="true"
            log INFO "Ceph appears to be using /dev/shm (found ${#ceph_shm_items[@]} entries)"
            # Show sizes but ignore errors
            du -sh /dev/shm/ceph-* 2>/dev/null || true
        else
            log INFO "No Ceph-specific files found under /dev/shm"
        fi
        shopt -u nullglob 2>/dev/null || true
    fi

    # Backup fstab before changes
    backup_file "${fstab}"

    if [[ "${DRY_RUN}" == "false" ]]; then
        # Remove any existing /dev/shm and /run/shm lines to avoid duplicates
        sudo sed -i.bak -E '/[[:space:]]+\/dev\/shm[[:space:]]/d' "${fstab}" 2>/dev/null || true
        sudo sed -i -E '/[[:space:]]+\/run\/shm[[:space:]]/d' "${fstab}" 2>/dev/null || true

        # Add explanatory header
        {
            echo ""
            echo "# HaqqSecTools-PVE9-Harden.sh - Shared Memory Hardening"
            echo "# Applied: $(date '+%Y-%m-%d %H:%M:%S')"
        } | sudo tee -a "${fstab}" >/dev/null

        if [[ "${is_ceph_node}" == "true" ]]; then
            # Ceph detected - Progressive Hardening Approach
            {
                echo "# Proxmox VE with Ceph detected - using progressive hardening"
                echo "# Phase 1: nosuid + nodev (ACTIVE - safe)"
                echo "# Phase 2: Add noexec after verification (see instructions below)"
                echo ""
                echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid 0 0"
                echo "# After Ceph verification (24-48h), uncomment the line below and comment the line above:"
                echo "# tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
            } | sudo tee -a "${fstab}" >/dev/null

            log WARNING "Ceph-aware hardening applied (Phase 1)"
            log INFO "  /dev/shm: nosuid,nodev (Phase 1 - Conservative)"

        elif [[ "${is_pve_node}" == "true" ]]; then
            # PVE without Ceph - still use conservative approach
            {
                echo "# Proxmox VE detected (no Ceph) - using conservative hardening"
                echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid 0 0"
                echo "# Optional: Add noexec after testing VM/CT operations:"
                echo "# tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
            } | sudo tee -a "${fstab}" >/dev/null

            log INFO "PVE hardening applied (conservative)"
            log INFO "  /dev/shm: nosuid,nodev"

        else
            # Non-PVE system - full hardening
            {
                echo "# Standard system - full hardening"
                echo "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
            } | sudo tee -a "${fstab}" >/dev/null

            log INFO "Full hardening applied"
            log INFO "  /dev/shm: nosuid,nodev,noexec"
        fi

        # Always harden /run/shm fully (not used by Ceph or PVE)
        {
            echo ""
            echo "# /run/shm - Full hardening (not used by Ceph/PVE)"
            echo "tmpfs /run/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
        } | sudo tee -a "${fstab}" >/dev/null

        # Apply Phase 1 settings immediately (remount appropriately)
        if [[ "${is_ceph_node}" == "true" ]] || [[ "${is_pve_node}" == "true" ]]; then
            execute_command "Remounting /dev/shm (Phase 1: nosuid,nodev)" \
                "sudo mount -o remount,nodev,nosuid /dev/shm 2>/dev/null || true"
        else
            execute_command "Remounting /dev/shm with full security" \
                "sudo mount -o remount,nodev,nosuid,noexec /dev/shm 2>/dev/null || true"
        fi

        execute_command "Remounting /run/shm with full security" \
            "sudo mount -o remount,nodev,nosuid,noexec /run/shm 2>/dev/null || true"

        # Verify mount options and display to user
        echo ""
        log SUCCESS "Shared memory hardening applied"
        echo ""
        log INFO "Current mount options:"
        mount | grep -E "/dev/shm|/run/shm" | sed 's/^/  /'
        echo ""
    else
        log INFO "[DRY RUN] Would apply shared memory hardening (no changes made)"
    fi

    return 0
}

mod_ssh_hardening() {
    log "Hardening SSH"

    local ssh_config="/etc/ssh/sshd_config"

    # Check if SSH is installed
    if ! command -v sshd &>/dev/null; then
        log "WARNING" "SSH server not installed - skipping SSH hardening"
        return 0
    fi

    # Safety check: Ensure key-based auth exists before disabling password auth
    # Check if there are any authorized_keys files
    local has_keys=false
    if [[ -f ~/.ssh/authorized_keys ]] && [[ -s ~/.ssh/authorized_keys ]]; then
        has_keys=true
    fi
    
    # Check for any root authorized_keys
    if [[ -f /root/.ssh/authorized_keys ]] && [[ -s /root/.ssh/authorized_keys ]]; then
        has_keys=true
    fi

    if [[ "$has_keys" == "false" ]]; then
        log "WARNING" "No SSH keys detected. Skipping SSH hardening to prevent lockout."
        log "INFO" "To setup SSH keys:"
        log "INFO" "  1. On client: ssh-keygen -t ed25519"
        log "INFO" "  2. Copy to server: ssh-copy-id user@hostname"
        log "INFO" "  3. Test connection, then run this module again"
        return 0
    fi

    # Backup current SSH config
    if [[ -f "$ssh_config" ]]; then
        local backup_file="${BACKUP_DIR}/etc/ssh/sshd_config"
        mkdir -p "$(dirname "$backup_file")"
        cp "$ssh_config" "$backup_file"
        log "INFO" "Backed up SSH config to: $backup_file"
    fi

    if [[ "$DRY_RUN" == "false" ]]; then
        # Write hardened SSH config
        sudo tee "$ssh_config" > /dev/null << 'EOF'
# HaqqSecTools-PVE9-Harden.sh SSH Configuration
# Strong security, key-based authentication only

# Authentication
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# Strong cryptography (compatible with OpenSSH 8/9)
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Connection settings
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 10

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Security settings
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

        # Validate SSH configuration
        if sudo sshd -t 2>/dev/null; then
            execute_command "Restarting SSH service" \
                "sudo systemctl restart sshd"
            log "SUCCESS" "SSH hardened - password authentication disabled"
        else
            log "ERROR" "SSH configuration validation failed - restoring backup"
            
            # Restore backup
            if [[ -f "${BACKUP_DIR}/etc/ssh/sshd_config" ]]; then
                sudo cp "${BACKUP_DIR}/etc/ssh/sshd_config" "$ssh_config"
                sudo systemctl restart sshd
                log "INFO" "SSH configuration restored from backup"
            fi
            return 1
        fi
    else
        log "INFO" "[DRY RUN] Would configure SSH hardening"
    fi
    
    return 0
}

mod_automatic_updates() {
    execute_command "Installing unattended-upgrades" \
        "sudo apt-get install -y unattended-upgrades apt-listchanges"
    
    local auto_upgrades="/etc/apt/apt.conf.d/20auto-upgrades"
    local unattended_conf="/etc/apt/apt.conf.d/50unattended-upgrades"
    
    if [[ "${DRY_RUN}" == "false" ]]; then
        sudo tee "${auto_upgrades}" > /dev/null << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
        
        # Configure unattended upgrades
        sudo tee "${unattended_conf}" > /dev/null << 'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
EOF
        
        execute_command "Enabling automatic updates" \
            "sudo systemctl enable unattended-upgrades && sudo systemctl start unattended-upgrades"
        
        log SUCCESS "Automatic security updates enabled"
    else
        log INFO "[DRY RUN] Would enable automatic security updates"
    fi
    
    return 0
}
mod_firewall() {
 log "[APPLY firewall-pve] SAFE MODE for PVE 9.1"
    NODE=$(hostname)

    log "1. Enable PVE Firewall (cluster + node)"
    pvesh set /cluster/firewall/options --enable 1
    pvesh set /nodes/$NODE/firewall/options --enable 1

    log "2. Add mandatory allow rules (SSH, GUI, SPICE)"

    # Add node-level rules
    add_rule() {
        local COMMENT="$1"
        shift
        if ! pvesh get /nodes/$NODE/firewall/rules | grep -q "$COMMENT"; then
            pvesh create /nodes/$NODE/firewall/rules "$@" --enable 1 --comment "$COMMENT"
            log "Added NODE rule: $COMMENT"
        else
            log "Node rule already exists: $COMMENT"
        fi
    }

    # Add datacenter-level rules
    add_dc_rule() {
        local COMMENT="$1"
        shift
        if ! pvesh get /cluster/firewall/rules | grep -q "$COMMENT"; then
            pvesh create /cluster/firewall/rules "$@" --enable 1 --comment "$COMMENT"
            log "Added DC rule: $COMMENT"
        else
            log "DC rule already exists: $COMMENT"
        fi
    }

    # List of essential ports (node + datacenter)
    RULES=(
        "Allow SSH|tcp|22"
        "Allow PVE Web GUI|tcp|8006"
        "Allow SPICE console|tcp|3128"
        "Allow VNC Console|tcp|5900:5999"
        "Allow ICMP ping|icmp|"
    )

    for R in "${RULES[@]}"; do
        COMMENT="${R%%|*}"
        PROTO_PORT="${R#*|}"
        PROTO="${PROTO_PORT%%|*}"
        PORT="${PROTO_PORT#*|}"

        # Node-level
        if [ "$PROTO" = "icmp" ]; then
            add_rule "$COMMENT" --type in --action ACCEPT --proto icmp
            add_dc_rule "$COMMENT" --type in --action ACCEPT --proto icmp
        else
            add_rule "$COMMENT" --type in --action ACCEPT --proto "$PROTO" --dport "$PORT"
            add_dc_rule "$COMMENT" --type in --action ACCEPT --proto "$PROTO" --dport "$PORT"
        fi
    done

    log "3. Detecting Cluster (Corosync) & Ceph"

    if systemctl is-active --quiet corosync || [ -f /etc/pve/corosync.conf ]; then
        for PORT in 5404 5405 5406 5407; do
            add_rule "Corosync $PORT" --type in --action ACCEPT --proto udp --dport "$PORT"
            add_dc_rule "Corosync $PORT" --type in --action ACCEPT --proto udp --dport "$PORT"
        done
    fi

    if command -v ceph >/dev/null 2>&1; then
        add_rule "Ceph MON 3300" --type in --action ACCEPT --proto tcp --dport 3300
        add_dc_rule "Ceph MON 3300" --type in --action ACCEPT --proto tcp --dport 3300

        add_rule "Ceph MON 6789" --type in --action ACCEPT --proto tcp --dport 6789
        add_dc_rule "Ceph MON 6789" --type in --action ACCEPT --proto tcp --dport 6789

        add_rule "Ceph OSD/MGR 6800-7300" --type in --action ACCEPT --proto tcp --dport 6800:7300
        add_dc_rule "Ceph OSD/MGR 6800-7300" --type in --action ACCEPT --proto tcp --dport 6800:7300
    fi

    log "4. Apply default cluster firewall policy"
    CFG="/etc/pve/firewall/cluster.fw"

    if [ ! -f "$CFG" ]; then
        cat <<EOF > "$CFG"
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
policy_forward: DROP
EOF
    else
        grep -q "enable:" "$CFG" || echo "enable: 1" >> "$CFG"
        grep -q "policy_in:" "$CFG" || echo "policy_in: DROP" >> "$CFG"
        grep -q "policy_out:" "$CFG" || echo "policy_out: ACCEPT" >> "$CFG"
        grep -q "policy_forward:" "$CFG" || echo "policy_forward: DROP" >> "$CFG"
    fi

    log "5. Compile firewall"
    pve-firewall compile

    log "SAFE FIREWALL APPLIED for PVE 9.1"
}


mod_sysctl() {
    log "Configuring kernel security parameters"
    
    local final_conf="/etc/sysctl.d/99-haqqsec.conf"
    local tmp_conf="/tmp/99-haqqsec.conf.tmp.$$"

    # Check if running in dry run mode
    if [[ "${DRY_RUN}" == "true" ]]; then
        log "INFO" "[DRY RUN] Would configure kernel security parameters"
        return 0
    fi

    # Backup existing config if it exists
    if [[ -f "$final_conf" ]]; then
        local backup_file="${BACKUP_DIR}/etc/sysctl.d/99-haqqsec.conf.backup"
        mkdir -p "$(dirname "$backup_file")"
        cp "$final_conf" "$backup_file"
        log "INFO" "Backed up existing sysctl config to: $backup_file"
    fi

    # Write new config to temp file
    cat > "${tmp_conf}" << 'EOF'
#########################################################################
# HaqqSecTools-PVE9-Harden.sh - Hardened sysctl (CIS Debian 13 compatible)
# Safe for Proxmox VE 9.1
#########################################################################

# Network security
net.ipv4.tcp_syncookies = 1

# Reverse path filtering - mode 2 (loose mode) safer for Proxmox cluster
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Disable ICMP redirects (ALL) - safe for Proxmox
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Disable secure redirects
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Disable send_redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# ICMP protections
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Logging packets with suspicious source addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# IP forwarding (enabled for Proxmox VM/CT networking)
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

# Memory protection
kernel.randomize_va_space = 2
kernel.kptr_restrict = 1

# Core dump restrictions
kernel.core_uses_pid = 1
fs.suid_dumpable = 0

# Process restrictions
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
EOF

    # Verify temp file was created and is not empty
    if [[ ! -f "${tmp_conf}" ]] || [[ ! -s "${tmp_conf}" ]]; then
        log "ERROR" "Temporary sysctl file is empty or not created"
        rm -f "${tmp_conf}"
        return 1
    fi

    # Validate syntax (all lines should contain '=' or be comments/empty)
    if ! grep -qE '^[a-z].*=.*$' "${tmp_conf}"; then
        log "ERROR" "Syntax error in sysctl temp file - no valid entries found"
        rm -f "${tmp_conf}"
        return 1
    fi

    # Test the configuration before applying
    local test_output
    test_output=$(sudo sysctl -p "${tmp_conf}" 2>&1)
    local test_exit=$?
    
    if [[ $test_exit -ne 0 ]]; then
        log "ERROR" "Sysctl validation failed:"
        echo "$test_output" | head -10
        rm -f "${tmp_conf}"
        
        # Restore backup if exists
        if [[ -f "${BACKUP_DIR}/etc/sysctl.d/99-haqqsec.conf.backup" ]]; then
            sudo cp "${BACKUP_DIR}/etc/sysctl.d/99-haqqsec.conf.backup" "$final_conf"
            sudo sysctl --system > /dev/null 2>&1
            log "INFO" "Restored previous sysctl configuration"
        fi
        return 1
    fi

    # Move temp file to final location (atomic)
    sudo mkdir -p "$(dirname "$final_conf")"
    sudo mv "${tmp_conf}" "${final_conf}"
    
    if [[ $? -ne 0 ]]; then
        log "ERROR" "Failed to move sysctl config to final location"
        rm -f "${tmp_conf}"
        return 1
    fi

    log "INFO" "Sysctl config applied to ${final_conf}"

    # Apply all sysctl settings
    if sudo sysctl --system > /dev/null 2>&1; then
        log "SUCCESS" "Kernel security parameters configured successfully"
    else
        log "ERROR" "Failed to apply sysctl settings - restoring backup"
        
        # Restore backup
        if [[ -f "${BACKUP_DIR}/etc/sysctl.d/99-haqqsec.conf.backup" ]]; then
            sudo cp "${BACKUP_DIR}/etc/sysctl.d/99-haqqsec.conf.backup" "$final_conf"
            sudo sysctl --system > /dev/null 2>&1
            log "INFO" "Restored previous sysctl configuration"
        fi
        return 1
    fi
    
    return 0
}

mod_password_policy() {

    execute_command "Installing password quality tools" \
        "sudo apt-get install -y libpam-pwquality"
    
    local pwquality_conf="/etc/security/pwquality.conf"
    backup_file "${pwquality_conf}"
    
    if [[ "${DRY_RUN}" == "false" ]]; then
        sudo tee "${pwquality_conf}" > /dev/null << 'EOF'
# HaqqSecTools-PVE9-Harden.sh - Password Quality Requirements

# Minimum password length
minlen = 12

# Require at least one digit
dcredit = -1

# Require at least one uppercase
ucredit = -1

# Require at least one lowercase
lcredit = -1

# Require at least one special character
ocredit = -1

# Remember last 5 passwords
remember = 5

# Maximum consecutive characters
maxrepeat = 3

# Reject passwords with username
usercheck = 1

# Enforce for root too
enforce_for_root
EOF
        
        log SUCCESS "Password policy configured"
    else
        log INFO "[DRY RUN] Would configure password policy"
    fi
    
    return 0
}

mod_ntp() {
    log INFO "Checking for Proxmox VE..."

    if command -v pveversion &>/dev/null; then
        log INFO "Proxmox detected — using chrony (recommended)"

        # Remove systemd-timesyncd remnants if any
        if systemctl list-unit-files | grep -q timesyncd; then
            log INFO "Disabling systemd-timesyncd (not used on PVE)"
            sudo systemctl disable --now systemd-timesyncd.service 2>/dev/null || true
        fi

        # Install chrony
        execute_command "Installing chrony" "apt-get install -y chrony"

        # Enable chrony
        execute_command "Enabling chrony" "systemctl enable --now chrony"

        log SUCCESS "Chrony active and time sync configured"
        return 0
    fi

    # Non-Proxmox systems → fallback ke systemd-timesyncd
    if systemctl list-unit-files | grep -q systemd-timesyncd.service; then
        execute_command "Enable systemd-timesyncd" \
            "systemctl enable --now systemd-timesyncd.service"
        log SUCCESS "Time synchronization via systemd-timesyncd enabled"
    else
        log WARNING "No time sync service detected — install chrony?"
    fi
}

mod_apparmor() {
    execute_command "Installing AppArmor utilities" \
        "sudo apt-get install -y apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra"
    
    if [[ "${DRY_RUN}" == "false" ]]; then
        # Enable AppArmor
        execute_command "Enabling AppArmor" \
            "sudo systemctl enable apparmor && sudo systemctl start apparmor"
        
        # Set all profiles to enforce mode
        sudo aa-enforce /etc/apparmor.d/* 2>/dev/null || true
        
        log SUCCESS "AppArmor configured and enforcing"
        
        if [[ "${VERBOSE}" == "true" ]]; then
            echo ""
            sudo aa-status
            echo ""
        fi
    else
        log_INFO "[DRY RUN] Would configure AppArmor"
    fi
    
    return 0
}

mod_filesystems() {
    local modprobe_conf="/etc/modprobe.d/haqqsec-filesystems.conf"
    
    if [[ "${DRY_RUN}" == "false" ]]; then
        sudo tee "${modprobe_conf}" > /dev/null << 'EOF'
# HaqqSecTools-PVE9-Harden.sh - Disable Unused Filesystems

install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install udf /bin/true
EOF
        
        log SUCCESS "Unused filesystems disabled"
    else
        log INFO "[DRY RUN] Would disable unused filesystems"
    fi
    
    return 0
}

mod_package_verification() {
    log INFO "Running package verification (this may take a while)..."
    
    local verify_report="${TEMP_DIR}/package_verification.txt"
    
    if [[ "${DRY_RUN}" == "false" ]]; then
        # Verify all packages
        dpkg --verify > "${verify_report}" 2>&1 || true
        
        if [[ -s "${verify_report}" ]]; then
            local anomaly_count=$(wc -l < "${verify_report}")
            log WARNING "Found ${anomaly_count} package file anomalies"
            log INFO "Verification report: ${verify_report}"
            
            # Save to permanent location
            sudo cp "${verify_report}" "/var/log/haqqsec_package_verification_$(date +%Y%m%d).txt"
            
            if [[ "${anomaly_count}" -gt 100 ]]; then
                log WARNING "High number of anomalies - may indicate system issues"
                log INFO "Review the report carefully"
            fi
            
            # Show a sample
            if [[ "${VERBOSE}" == "true" ]]; then
                echo ""
                echo "Sample anomalies (first 10):"
                head -10 "${verify_report}"
                echo ""
            fi
        else
            log SUCCESS "All package files verified successfully"
        fi
        
        # Create verification cron job
        local cron_script="/etc/cron.weekly/haqqsec-verify-packages"
        sudo tee "${cron_script}" > /dev/null << 'CRONEOF'
#!/bin/bash
# HaqqSecTools-PVE9-Harden.sh - Weekly package verification

REPORT="/var/log/haqqsec_package_verification_$(date +%Y%m%d).txt"
dpkg --verify > "${REPORT}" 2>&1 || true

if [[ -s "${REPORT}" ]]; then
    ANOMALIES=$(wc -l < "${REPORT}")
    logger -t haqqsec "Package verification found ${ANOMALIES} anomalies - check ${REPORT}"
fi
CRONEOF
        
        sudo chmod +x "${cron_script}"
        log SUCCESS "Weekly package verification cron job created"
    else
        log INFO "[DRY RUN] Would verify all package integrity"
    fi
    
    return 0
}

#########################################
# EXECUTOR + PROGRESS BAR PER MODULE (FIXED VERSION)
#########################################
run_hardening() {
    
    # Tracking module failures
    failed_modules=0
    failed_list=""
    declare -A MODULE_STATUS   # store per-module status: success/failed

    # Jika ada parameter, gunakan sebagai module list
    if [[ $# -gt 0 ]]; then
        MODULE_ORDER=( "$@" )
    fi

    clear
    echo -e "${C_CYAN}${C_BOLD}╔════════════════════════════════════════╗${C_RESET}"
    echo -e "${C_CYAN}${C_BOLD}║  Starting Hardening Level ${SEC_LEVEL} ║${C_RESET}"
    echo -e "${C_CYAN}${C_BOLD}╚════════════════════════════════════════╝${C_RESET}"
    echo ""

    local total_modules=${#MODULE_ORDER[@]}
    local current_module=0

    for module in "${MODULE_ORDER[@]}"; do
        current_module=$((current_module + 1))
        
        echo -e "${C_BLUE}${C_BOLD}▶ Modul [$current_module/$total_modules]: ${module}${C_RESET}"
        echo -e "${C_WHITE}   ${MODULE_LABELS[$module]}${C_RESET}"
        echo -e "${C_BLUE}────────────────────────────────────────${C_RESET}"
        echo ""

        # Initialize progress tracking
        local step=0
        local TOTAL_STEPS=100
        
        # Create temporary files for output and exit code
        local temp_output=$(mktemp /tmp/haqqsec_output.XXXXXX)
        local temp_exit=$(mktemp /tmp/haqqsec_exit.XXXXXX)
        
        # Calculate terminal dimensions
        local term_lines=$(tput lines)
        local term_cols=$(tput cols)
        local verbose_line=$((term_lines - 3))
        local progress_line=$((term_lines - 1))
        
        # Draw initial progress bar at bottom
        tput cup $progress_line 0
        progress_bar 0 "$TOTAL_STEPS"

        if ! declare -F "mod_$module" >/dev/null 2>&1; then
            echo -e "${C_RED}${C_BOLD}✗ Module '$module' NOT FOUND${C_RESET}"

            MODULE_STATUS["$module"]="failed"
            failed_modules=$((failed_modules+1))
            failed_list+="${failed_list:+, }$module"

            # lanjut ke module berikutnya
            continue
        fi


        # Execute module in background with output capture
        (
            # Run module and capture output
            set +e
            mod_"$module" 2>&1
            local exit_code=$?
            echo "$exit_code" > "$temp_exit"
            exit $exit_code
        ) | while IFS= read -r line; do
            
            # Append full line to temp file
            echo "$line" >> "$temp_output"
            
            # Truncate display line if too long
            local display_line="$line"
            local max_width=$((term_cols - 5))
            if [[ ${#display_line} -gt $max_width ]]; then
                display_line="${display_line:0:$max_width}..."
            fi
            
            # Update verbose line (above progress bar)
            tput cup $verbose_line 0
            tput el  # Clear line
            echo -ne "${C_WHITE}│ ${display_line}${C_RESET}"
            
            # Update progress
            step=$((step + 1))
            [[ $step -gt $TOTAL_STEPS ]] && step=$TOTAL_STEPS
            
            # Update progress bar
            tput cup $progress_line 0
            progress_bar "$step" "$TOTAL_STEPS"
            
            # Small delay for visual effect
            sleep 0.01
        done
        
        # Read exit code from temp file
        local module_exit=0
        if [[ -f "$temp_exit" ]] && [[ -s "$temp_exit" ]]; then
            module_exit=$(cat "$temp_exit")
        else
            module_exit=1
        fi

       # ---- HARD FAILURE DETECTION ----
        hard_fail=false

        # 1. Exit code non-numeric atau tidak valid
        if ! [[ "$module_exit" =~ ^[0-9]+$ ]]; then
            hard_fail=true
        fi

        # 2. Exit code > 0 (gagal normal)
        if [[ "$module_exit" -ne 0 ]]; then
            hard_fail=true
        fi

        # 3. Module tidak menghasilkan output → kemungkinan crash
        if [[ ! -s "$temp_output" ]]; then
            hard_fail=true
        fi

        # 4. Output berisi error fatal
        if grep -qiE "command not found|syntax error|No such file|Segmentation fault|traceback|abort|panic" "$temp_output"; then
            hard_fail=true
        fi

        # Ensure progress reaches 100%
        tput cup $progress_line 0
        progress_bar "$TOTAL_STEPS" "$TOTAL_STEPS"
        
        # Move cursor below progress bar and clear space
        tput cup $((progress_line + 1)) 0
        echo ""
        echo ""


        # Show module status with color coding
        if [[ "$hard_fail" == true ]]; then
            # FAIL
            echo -e "${C_RED}${C_BOLD}✗ Module '${module}' FAILED${C_RESET}"

            MODULE_STATUS["$module"]="failed"
            failed_modules=$((failed_modules + 1))

            # Save module to failed list
            if [[ -z "$failed_list" ]]; then
                failed_list="$module"
            else
                failed_list="$failed_list, $module"
            fi
        else
           # SUCCESS
            echo -e "${C_GREEN}${C_BOLD}✓ Module '${module}' completed successfully${C_RESET}"

            MODULE_STATUS["$module"]="success"
            
            # Show last 10 lines of output for debugging
            if [[ -f "$temp_output" ]] && [[ -s "$temp_output" ]]; then
                echo ""
                echo -e "${C_YELLOW}━━━ Last 10 output lines ━━━${C_RESET}"
                tail -10 "$temp_output" | sed 's/^/  /'
                echo -e "${C_YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━${C_RESET}"
                echo ""
                
                # Offer to show full log with timeout
                echo -en "${C_CYAN}Show full output log? (y/N - auto-skip in 5s): ${C_RESET}"
                if read -t 5 -r show_full </dev/tty; then
                    if [[ "$show_full" =~ ^[Yy]$ ]]; then
                        echo ""
                        echo -e "${C_CYAN}╔════════════════════════════════════════╗${C_RESET}"
                        echo -e "${C_CYAN}║         FULL MODULE OUTPUT             ║${C_RESET}"
                        echo -e "${C_CYAN}╚════════════════════════════════════════╝${C_RESET}"
                        echo ""
                        cat "$temp_output"
                        echo ""
                        echo -e "${C_CYAN}════════════════════════════════════════${C_RESET}"
                        echo ""
                        read -p "Press Enter to continue..." </dev/tty
                    fi
                else
                    echo ""
                fi
            fi
        fi
        
        # Cleanup temp files
        rm -f "$temp_output" "$temp_exit"
        
        echo ""

        # Ask for confirmation to continue (OUTSIDE pipe - direct TTY read)
        if [[ $current_module -lt $total_modules ]]; then
            echo -en "${C_YELLOW}${C_BOLD}Continue with remaining modules? (Y/n): ${C_RESET}"
            read -r ans </dev/tty
            echo ""
            
            if [[ "$ans" =~ ^[nN]$ ]]; then
                echo -e "${C_RED}${C_BOLD}⚠ Hardening was stopped by the user${C_RESET}"
                echo -e "${C_YELLOW}Completed: $current_module of $total_modules modules${C_RESET}"
                return 1
            fi

            echo -e "${C_CYAN}Proceeding to the next module...${C_RESET}"
            sleep 0.5
            clear
        fi
    done
   
     # Generate report
    generate_report "$total_modules" "$failed_modules" "$failed_list" "$BACKUP_DIR" "$LOG"

    # Final summary
    echo ""
    echo -e "${C_GREEN}${C_BOLD}╔════════════════════════════════════════╗${C_RESET}"
    echo -e "${C_GREEN}${C_BOLD}║     ✓ HARDENING COMPLETED!             ║${C_RESET}"
    echo -e "${C_GREEN}${C_BOLD}╚════════════════════════════════════════╝${C_RESET}"
    echo -e "${C_GREEN}Total modules completed: $total_modules${C_RESET}"
    echo -e "${C_CYAN}Log file: $LOG${C_RESET}"
    echo -e "${C_CYAN}Backup directory: $BACKUP_DIR${C_RESET}"
    echo -e "${C_CYAN}Report file: $REPORT${C_RESET}"
 
    echo ""

     # TAMBAHKAN PROMPT UNTUK KEMBALI KE MENU
    echo -e "${C_CYAN}${C_BOLD}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${C_RESET}"
    echo -en "${C_YELLOW}Press Enter to return to the menu...${C_RESET}"
    read -r </dev/tty
    
    return 0
}

#########################################
# CHOOSE MODULE MANUALLY
#########################################
choose_manual_modules() {
    while true; do
        clear
        echo -e "${C_CYAN}${C_BOLD}Select Modules Manually:${C_RESET}\n"

        #########################################
        # Tampilkan daftar modul
        #########################################
        echo -e "List of Hardening PVE 9.1 Modules"
        echo -e "=================================\n"

        i=1
        for mod in "${MODULES[@]}"; do
            printf " %2d) %-22s - %s\n" \
                "$i" "$mod" "${MODULE_LABELS[$mod]}"
            ((i++))
        done

        echo -e "\n  0) Back"
        echo -ne "\nPlease enter the module numbers (e.g., 1,3,5 or 2–4): "
        read -r input

        # Trim spasi dari input
        input=$(echo "$input" | tr -d '[:space:]')
        
        [[ "$input" == "0" ]] && return
        [[ -z "$input" ]] && continue  # Skip jika input kosong

        #########################################
        # Parsing input multi-select - PERBAIKAN
        #########################################
        # Ganti koma dengan spasi, lalu split
        IFS=',' read -ra parts <<< "$input"
        selection=()

        for part in "${parts[@]}"; do
            # Trim spasi dari setiap bagian
            part=$(echo "$part" | tr -d '[:space:]')
            [[ -z "$part" ]] && continue
            
            # Cek apakah ini range (contoh: "2-4")
            if [[ "$part" =~ ^([0-9]+)-([0-9]+)$ ]]; then
                start="${BASH_REMATCH[1]}"
                end="${BASH_REMATCH[2]}"
                
                # Validasi range
                if [[ $start -le $end ]] && [[ $end -le ${#MODULES[@]} ]]; then
                    for ((n=start; n<=end; n++)); do
                        selection+=("$n")
                    done
                else
                    echo -e "${C_RED}The specified range is invalid: '$part'${C_RESET}"
                    sleep 2
                    continue 2  # Kembali ke menu
                fi
                
            # Cek apakah ini angka tunggal
            elif [[ "$part" =~ ^[0-9]+$ ]]; then
                # Validasi angka
                if [[ $part -ge 1 ]] && [[ $part -le ${#MODULES[@]} ]]; then
                    selection+=("$part")
                else
                    echo -e "${C_RED}The specified Number is invalid.: '$part'${C_RESET}"
                    sleep 2
                    continue 2  # Kembali ke menu
                fi
            else
                echo -e "${C_RED}Invalid format: '$part'${C_RESET}"
                sleep 2
                continue 2  # Kembali ke menu
            fi
        done

        if [[ ${#selection[@]} -eq 0 ]]; then
            echo -e "${C_RED}No valid module has been selected.${C_RESET}"
            sleep 2
            continue
        fi

        #########################################
        # Konversi nomor → nama modul
        #########################################
        MODULE_ORDER=()
        DISPLAY_LIST=()

        for num in "${selection[@]}"; do
            index=$((num - 1))
            selected="${MODULES[$index]}"

            if [[ -n "$selected" ]]; then
                MODULE_ORDER+=("$selected")
                DISPLAY_LIST+=("$num|$selected")
            else
                echo -e "${C_YELLOW}Number $num is not valid, skipping...${C_RESET}"
            fi
        done

        #########################################
        # Tampilkan daftar modul yang dipilih
        #########################################
        echo -e "\n${C_GREEN}${C_BOLD}Selected Modules:${C_RESET}"

        for item in "${DISPLAY_LIST[@]}"; do
            idx="${item%%|*}"
            name="${item##*|}"
            printf "  %2d) %s\n" "$idx" "$name"
        done

        #########################################
        # Hitung Security Level
        #########################################

        count_selected=${#MODULE_ORDER[@]}

        if [[ $count_selected -ge 1 && $count_selected -le 2 ]]; then
            SEC_LEVEL=1
        elif [[ $count_selected -ge 3 && $count_selected -le 6 ]]; then
            SEC_LEVEL=2
        elif [[ $count_selected -ge 7 && $count_selected -le 8 ]]; then
            SEC_LEVEL=3
        elif [[ $count_selected -ge 9 && $count_selected -le 10 ]]; then
            SEC_LEVEL=4
        else
            SEC_LEVEL=5
        fi

        echo -e "${C_BLUE}${C_BOLD}Security Level: LEVEL $SEC_LEVEL${C_RESET}"

        echo ""

        #########################################
        # Konfirmasi sebelum menjalankan
        #########################################
        echo -ne "${C_YELLOW}Run the hardening process with the modules above? (Y/n): ${C_RESET}"
        read -r confirm
        confirm=$(echo "$confirm" | tr '[:upper:]' '[:lower:]')
        
        if [[ "$confirm" == "n" ]] || [[ "$confirm" == "no" ]]; then
            echo -e "${C_YELLOW}Canceled by user.${C_RESET}"
            sleep 1
            continue
        fi

        #########################################
        # Jalankan hardening
        #########################################
        run_hardening
        echo -e "\n${C_CYAN}Press Enter to select modules again...${C_RESET}"
        read
    done
}

#=============================================================================
# REPORTING
#=============================================================================
generate_report() {
    local total_modules=$1
    local failed_modules=$2
    local failed_list=$3
    local backup_dir=$4
    local log_file=$5
    
    # Map modules to CIS references and risks (based on template)
    declare -A CIS_MAP=(
        ["system_update"]="1.2.2.1 Ensure updates, patches, and additional security software are installed"
        ["firewall"]="4.1 Ensure single firewall utility<br>4.3 nftables configuration"
        ["audit"]="6.2 System Auditing"
        ["ssh_hardening"]="5.1 Configure SSH Server"
        ["ntp"]="2.3.3 Configure chrony"
        ["password_policy"]="5.3.1 Configure PAM software packages<br>5.4 User Accounts and Environment"
        ["sysctl"]="3.1.3.6 Network Configuration"
        ["filesystems"]="1.1.1 Disable unused filesystems"
        ["apparmor"]="1.6.1 Configure AppArmor"
        ["automatic_updates"]="1.2.2.1 Ensure automatic updates are enabled"
        ["secure_shared_memory"]="1.1.2 Secure shared memory"
        ["package_verification"]="1.2.1 Verify package integrity"
        
    )
    
    declare -A VALUE_MAP=(
        ["system_update"]="apt-get update && apt-get upgrade"
        ["firewall"]="PVE Firewall via pvesh: SSH(22), GUI(8006), SPICE(3128), VNC(5900-5999), Corosync(5404-5407), Ceph(3300,6789,6800-7300)"
        ["audit"]="/etc/audit/rules.d/haqqsec.rules dengan audit rules untuk login, file access, sudo"
        ["ssh_hardening"]="/etc/ssh/sshd_config: PasswordAuthentication no, PubkeyAuthentication yes, strong ciphers"
        ["ntp"]="chrony service enabled untuk PVE (bukan systemd-timesyncd)"
        ["password_policy"]="/etc/security/pwquality.conf: minlen=12, complexity requirements"
        ["sysctl"]="/etc/sysctl.d/99-haqqsec.conf: network security, memory protection, core dump restrictions"
        ["filesystems"]="/etc/modprobe.d/haqqsec-filesystems.conf: disable cramfs, freevxfs, jffs2, hfs, hfsplus, udf"
        ["apparmor"]="apparmor service enabled, all profiles in enforce mode"
        ["automatic_updates"]="unattended-upgrades configured for security updates"
        ["secure_shared_memory"]="/etc/fstab: /dev/shm with nosuid,nodev,noexec"
        ["package_verification"]="dpkg --verify with weekly cron job"
        
    )
    
    declare -A RISK_MAP=(
        ["system_update"]="Sistem rentan terhadap exploit known vulnerabilities, tidak compliance"
        ["firewall"]="Unrestricted network access, port scanning berhasil, melanggar Pasal 57 & 58 - ancaman sistem elektronik"
        ["audit"]="Deteksi kebocoran"
        ["ssh_hardening"]="Password brute force berhasil, unauthorized remote access, melanggar UU PDP tentang keamanan data"
        ["ntp"]="Log timestamps tidak akurat forensik gagal, Ceph clock skew errors, cluster instability"
        ["password_policy"]="Weak passwords mudah di-crack, credential stuffing berhasil, melanggar UU PDP"
        ["sysctl"]="Kernel-level attacks berhasil (ICMP redirect, IP spoofing), memory disclosure via core dumps"
        ["filesystems"]="Exploit via unused filesystem modules, kernel compromise"
        ["apparmor"]="Application-level attacks berhasil, container escape"
        ["automatic_updates"]="Delayed security patches, known vulnerabilities unpatched"
        ["secure_shared_memory"]="Shared memory attacks, privilege escalation"
        ["package_verification"]="Tampered packages, backdoor installation"
        
    )
    
    # Create HTML report with exact format from image
    cat > "$REPORT" << 'EOF'
<!DOCTYPE html>
<html>
<head>
    <title>Hardening Report - HaqqSec</title>
    <style>
        @page {
            size: A4;
            margin: 15mm;
        }
        
        * {
            margin: 0;
            padding: 0;
            box-sizing: border-box;
        }
        
        body { 
            font-family: 'Arial', sans-serif; 
            background-color: white;
            color: #000;
            font-size: 11pt;
            line-height: 1.4;
            padding: 20px;
        }
        
        /* Header - Dark blue rounded box */
        .header-box {
            background-color: #1a2332;
            color: white;
            text-align: center;
            padding: 15px;
            border-radius: 25px;
            margin-bottom: 20px;
        }
        
        .header-box h1 {
            font-size: 28pt;
            font-weight: bold;
            letter-spacing: 2px;
            margin: 0;
        }
        
        /* Info Table */
        .info-table {
            width: 100%;
            border-collapse: collapse;
            margin-bottom: 20px;
        }
        
        .info-table td {
            padding: 8px 12px;
            border: 1px solid #000;
            font-size: 10pt;
        }
        
        .info-label {
            font-weight: bold;
            background-color: white;
            width: 100px;
        }
        
        .info-value {
            background-color: white;
            width: 150px;
        }
        
        /* Security Maturity Level - Dark blue header */
        .maturity-header {
            background-color: #1a5490;
            color: white;
            font-weight: bold;
            text-align: center;
            padding: 8px;
            font-size: 11pt;
        }
        
        .maturity-value {
            background-color: white;
            text-align: center;
            font-size: 42pt;
            font-weight: bold;
            padding: 15px;
        }

        td.maturity-value {
        font-size: 40pt !important;
        }
        /* Module Table */
        .module-table {
            width: 100%;
            border-collapse: collapse;
            margin-top: 20px;
            margin-bottom: 20px;
        }
        
        .module-table th {
            background-color: #1a5490;
            color: white;
            font-weight: bold;
            padding: 10px 8px;
            border: 1px solid #000;
            text-align: center;
            font-size: 11pt;
        }
        
        .module-table td {
            padding: 8px;
            border: 1px solid #000;
            vertical-align: top;
            font-size: 9pt;
            line-height: 1.3;
        }
        
        .col-module {
            width: 12%;
            font-weight: bold;
            background-color: #f8f9fa;
        }
        
        .col-value {
            width: 28%;
            background-color: white;
        }
        
        .col-cis {
            width: 23%;
            background-color: white;
        }
        
        .col-risk {
            width: 27%;
            background-color: white;
        }
        
        .col-status {
            width: 10%;
            text-align: center;
            font-weight: bold;
            background-color: white;
        }
        
        .status-apply {
            color: white;
            background-color: #28a745;
            padding: 4px 12px;
            border-radius: 3px;
            display: inline-block;
            font-size: 10pt;
        }
        
        /* Footer Section */
        .footer-container {
            display: table;
            width: 100%;
            margin-top: 25px;
            border-top: 2px solid #000;
            padding-top: 15px;
        }
        
        .footer-left {
            display: table-cell;
            width: 55%;
            vertical-align: top;
            padding-right: 20px;
        }
        
        .footer-right {
            display: table-cell;
            width: 45%;
            vertical-align: top;
            text-align: center;
            border-left: 1px solid #ccc;
            padding-left: 20px;
        }
        
        .note-header {
            background-color: #1a5490;
            color: white;
            font-weight: bold;
            padding: 8px 12px;
            margin-bottom: 10px;
            font-size: 11pt;
        }
        
        .note-content {
            font-size: 9pt;
            line-height: 1.6;
        }
        
        .note-content div {
            margin-bottom: 5px;
        }
        
        .note-label {
            font-weight: bold;
            display: inline-block;
            width: 150px;
        }
        
        .approved-header {
            background-color: #1a5490;
            color: white;
            font-weight: bold;
            padding: 8px 12px;
            margin-bottom: 15px;
            font-size: 11pt;
        }
        
        .signature-space {
            height: 80px;
            margin: 20px 0;
        }
        
        .signature-line {
            border-top: 2px solid #000;
            margin: 10px 30px 5px 30px;
        }
        
        .customer-name {
            font-size: 10pt;
            margin-top: 5px;
        }
        
        /* Script Footer */
        .script-footer {
            text-align: center;
            margin-top: 30px;
            padding-top: 15px;
            border-top: 1px solid #ccc;
            color: #666;
            font-size: 9pt;
        }
        
        .script-name {
            font-weight: bold;
            font-size: 10pt;
            color: #333;
        }
    </style>
</head>
<body>

<!-- Header -->
<div class="header-box">
    <h1>HARDENING REPORT</h1>
</div>

<!-- Info Table -->
<table class="info-table">
    <tr>
        <td class="info-label">Date</td>
        <td class="info-value">DATE_PLACEHOLDER</td>
        <td colspan="1" class="maturity-header">Security Maturity Level</td>
    </tr>
    <tr>
        <td class="info-label">Time</td>
        <td class="info-value">TIME_PLACEHOLDER</td>
        <td rowspan="2" class="maturity-value">MATURITY_PLACEHOLDER</td>
    </tr>
    <tr>
        <td class="info-label">Hostname</td>
        <td class="info-value">HOSTNAME_PLACEHOLDER</td>
    </tr>
</table>

<!-- Module Table -->
<table class="module-table">
    <thead>
        <tr>
            <th class="col-module">Modul</th>
            <th class="col-value">Value</th>
            <th class="col-cis">CIS</th>
            <th class="col-risk">Risk</th>
            <th class="col-status">Status</th>
        </tr>
    </thead>
    <tbody>
MODULE_ROWS_PLACEHOLDER
    </tbody>
</table>

<!-- Footer Section -->
<div class="footer-container">
    <div class="footer-left">
        <div class="note-header">Note</div>
        <div class="note-content">
            <div><span class="note-label">Total Modules Executed:</span> TOTAL_MODULES_PLACEHOLDER</div>
            <div><span class="note-label">Failed Modules:</span> FAILED_MODULES_PLACEHOLDER</div>
            <div><span class="note-label">Failed:</span> FAILED_LIST_PLACEHOLDER</div>
            <div><span class="note-label">Backup Directory:</span> BACKUP_DIR_PLACEHOLDER</div>
            <div><span class="note-label">Log File:</span> LOG_FILE_PLACEHOLDER</div>
            <div><span class="note-label">Report Generated:</span> REPORT_TIME_PLACEHOLDER</div>
        </div>
    </div>
    
    <div class="footer-right">
        <div class="approved-header">APPROVED BY</div>
        <div class="signature-space"></div>
        <div class="signature-line"></div>
        <div class="customer-name">CUSTOMER NAME / COMPANY</div>
    </div>
</div>

<!-- Script Footer -->
<div class="script-footer">
    <div class="script-name">HaqqSec-PVE9-Harden.sh VERSION_PLACEHOLDER</div>
    <div>Proxmox VE 9.1 Security Hardening Script</div>
</div>

</body>
</html>
EOF

    # Replace placeholders
    sed -i "s/DATE_PLACEHOLDER/$(date +%Y-%m-%d)/g" "$REPORT"
    sed -i "s/TIME_PLACEHOLDER/$(date +%H:%M:%S)/g" "$REPORT"
    sed -i "s/HOSTNAME_PLACEHOLDER/$(hostname)/g" "$REPORT"
    sed -i "s/MATURITY_PLACEHOLDER/$SEC_LEVEL/g" "$REPORT"
    sed -i "s/TOTAL_MODULES_PLACEHOLDER/$total_modules/g" "$REPORT"
    sed -i "s/FAILED_MODULES_PLACEHOLDER/$failed_modules/g" "$REPORT"
    sed -i "s/FAILED_LIST_PLACEHOLDER/$failed_list/g" "$REPORT"
    sed -i "s|BACKUP_DIR_PLACEHOLDER|$backup_dir|g" "$REPORT"
    sed -i "s|LOG_FILE_PLACEHOLDER|$log_file|g" "$REPORT"
    sed -i "s/REPORT_TIME_PLACEHOLDER/$(date '+%Y-%m-%d %H:%M:%S')/g" "$REPORT"
    sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" "$REPORT"
    
    # Generate module rows
    local module_rows=""
    for module in "${MODULE_ORDER[@]}"; do
        local value="${VALUE_MAP[$module]:-${MODULE_LABELS[$module]}}"
        local cis="${CIS_MAP[$module]:-Not mapped to CIS}"
        local risk="${RISK_MAP[$module]:-Risk assessment not available}"
        
    module_rows+="        <tr>
                <td class=\"col-module\">$module</td>
                <td class=\"col-value\">$value</td>
                <td class=\"col-cis\">$cis</td>
                <td class=\"col-risk\">$risk</td>
                <td class=\"col-status\">
                    <span class=\"status-apply\" style=\"background-color:$( [[ ${MODULE_STATUS[$module]} == success ]] && echo '#28a745' || echo '#dc3545' );\">
                        $( [[ ${MODULE_STATUS[$module]} == success ]] && echo "Applied" || echo "Not Applied" )
                    </span>
                </td>
            </tr>
    "


    done
    
    # Insert module rows (using awk to handle multi-line replacement)
    awk -v rows="$module_rows" '{
        if ($0 ~ /MODULE_ROWS_PLACEHOLDER/) {
            print rows
        } else {
            print $0
        }
    }' "$REPORT" > "${REPORT}.tmp" && mv "${REPORT}.tmp" "$REPORT"
    
    # Create PDF version if wkhtmltopdf is available
    if command -v wkhtmltopdf &>/dev/null; then
        local pdf_report="${REPORT%.html}.pdf"
        wkhtmltopdf --quiet --enable-local-file-access --page-size A4 --margin-top 10mm --margin-bottom 10mm --margin-left 10mm --margin-right 10mm "$REPORT" "$pdf_report" 2>/dev/null
        if [[ -f "$pdf_report" ]]; then
            log "PDF report generated: $pdf_report"
            echo -e "${C_GREEN}✓ PDF report generated: $pdf_report${C_RESET}"
        fi
    fi
    
    log "HTML report generated: $REPORT"
    echo -e "${C_GREEN}✓ Report generated successfully${C_RESET}"
    echo -e "${C_CYAN}Report location: $REPORT${C_RESET}"
    
    # Offer to open report in browser
    echo ""
    echo -en "${C_YELLOW}Open report in browser? (y/N): ${C_RESET}"
    read -t 10 -r open_browser </dev/tty || open_browser="N"
    if [[ "$open_browser" =~ ^[Yy]$ ]]; then
        if command -v xdg-open &>/dev/null; then
            xdg-open "$REPORT" 2>/dev/null &
        elif command -v open &>/dev/null; then
            open "$REPORT" 2>/dev/null &
        else
            echo -e "${C_YELLOW}Browser open command not available${C_RESET}"
        fi
    fi
}

#########################################
# MENU LOGIC
#########################################
menu_loop() {
    while true; do
        draw_menu_box
        echo -n "Select an option: "
        safe_read choice

        case "$choice" in
            1) choose_security_level ;;
            2) choose_manual_modules ;;
            3) SEC_LEVEL=2
               MODULE_ORDER=("${LEVEL2_MODULES[@]}")
               run_hardening ;;
            4) show_modules ;;
            5) echo "Exit..."; return 0 ;;
            *) echo "Invalid choice"; sleep 1 ;;
        esac
    done
}

#########################################
# MAIN PROGRAM
#########################################
touch "$LOG"
menu_loop
exit 0