🛡️ Add comprehensive Security Hardening Plan

- Created SECURITY-HARDENING-PLAN.md with 6 security levels
- Added setup-node1-security.sh for automated hardening
- Added scan-image.sh for pre-deployment image scanning
- Created docker-compose.secure.yml template
- Includes: Trivy, fail2ban, UFW, auditd, rkhunter, chkrootkit
- Network isolation, egress filtering, process monitoring
- Incident response procedures and recovery playbook

scripts/security/scan-image.sh

@@ -0,0 +1,120 @@
+#!/bin/bash
+# ============================================================
+# scan-image.sh — Сканування Docker образу перед використанням
+# ============================================================
+# Використання:
+#   ./scan-image.sh postgres:16-alpine
+#   ./scan-image.sh --pull postgres:16-alpine
+# ============================================================
+
+set -e
+
+# Кольори
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+# Параметри
+PULL=false
+IMAGE=""
+
+# Парсинг аргументів
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --pull|-p)
+            PULL=true
+            shift
+            ;;
+        *)
+            IMAGE="$1"
+            shift
+            ;;
+    esac
+done
+
+if [ -z "$IMAGE" ]; then
+    echo "Usage: $0 [--pull] <image_name>"
+    echo "Example: $0 postgres:16-alpine"
+    echo "         $0 --pull postgres:16-alpine"
+    exit 1
+fi
+
+echo -e "${CYAN}🔍 Scanning Docker Image: $IMAGE${NC}"
+echo "========================================"
+date
+echo ""
+
+# Перевірка Trivy
+if ! command -v trivy &> /dev/null; then
+    echo -e "${RED}❌ Trivy not installed!${NC}"
+    echo "Install: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin"
+    exit 1
+fi
+
+# Pull якщо потрібно
+if [ "$PULL" = true ]; then
+    echo -e "${YELLOW}📥 Pulling image...${NC}"
+    docker pull "$IMAGE"
+    echo ""
+fi
+
+# Отримати digest
+echo -e "${YELLOW}📋 Image Info:${NC}"
+DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE" 2>/dev/null || echo "N/A")
+echo "  Digest: $DIGEST"
+echo ""
+
+# Сканування на вразливості
+echo -e "${YELLOW}🔒 Scanning for vulnerabilities...${NC}"
+echo ""
+
+# Запуск Trivy
+trivy image --severity HIGH,CRITICAL "$IMAGE"
+SCAN_EXIT=$?
+
+echo ""
+echo "========================================"
+
+if [ $SCAN_EXIT -eq 0 ]; then
+    echo -e "${GREEN}✅ No HIGH/CRITICAL vulnerabilities found${NC}"
+    echo ""
+    echo -e "${GREEN}Safe to use:${NC}"
+    echo "  image: $IMAGE"
+    if [ "$DIGEST" != "N/A" ]; then
+        echo ""
+        echo -e "${GREEN}Recommended (pinned by digest):${NC}"
+        echo "  image: $DIGEST"
+    fi
+else
+    echo -e "${RED}❌ Vulnerabilities found!${NC}"
+    echo ""
+    echo "Options:"
+    echo "  1. Use a different image version"
+    echo "  2. Build custom image with patches"
+    echo "  3. Accept risk (not recommended)"
+    exit 1
+fi
+
+# Додаткова перевірка на malware
+echo ""
+echo -e "${YELLOW}🦠 Checking for known malware patterns...${NC}"
+
+# Запустити контейнер і перевірити /tmp
+MALWARE_CHECK=$(docker run --rm "$IMAGE" sh -c "ls -la /tmp 2>/dev/null | grep -E '(httpd|\.perf|mysql|xmrig|kdevtmp)' || echo 'clean'" 2>/dev/null || echo "check_failed")
+
+if [ "$MALWARE_CHECK" = "clean" ]; then
+    echo -e "${GREEN}✅ No known malware patterns in /tmp${NC}"
+elif [ "$MALWARE_CHECK" = "check_failed" ]; then
+    echo -e "${YELLOW}⚠️ Could not check /tmp (image may not have shell)${NC}"
+else
+    echo -e "${RED}❌ MALWARE DETECTED in /tmp!${NC}"
+    echo "$MALWARE_CHECK"
+    echo ""
+    echo -e "${RED}DO NOT USE THIS IMAGE!${NC}"
+    exit 1
+fi
+
+echo ""
+echo -e "${GREEN}🎉 Image scan complete!${NC}"