# Setec Labs Security Update — Debian 12 Bookworm
# Release: 2026-03
# Target: Debian 12 (Bookworm)
# Author: seteclabs.io
# Applied via: sec_updates.py parse_and_apply_cmd()

[packages]
# Critical security patches for March 2026
apt-get update -qq
apt-get install -y --only-upgrade openssl libssl3
apt-get install -y --only-upgrade libgnutls30
apt-get install -y --only-upgrade openssh-server openssh-client
apt-get install -y --only-upgrade curl libcurl4
apt-get install -y --only-upgrade sudo
apt-get install -y --only-upgrade systemd libsystemd0
apt-get install -y --only-upgrade linux-image-amd64
apt-get install -y --only-upgrade bind9-dnsutils bind9-host
apt-get install -y --only-upgrade nginx
apt-get install -y --only-upgrade python3 libpython3-stdlib
apt-get install -y --only-upgrade git
apt-get install -y --only-upgrade vim-common xxd

[sysctl]
# Harden network stack
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1

[services]
systemctl restart ssh
systemctl restart nginx
systemctl daemon-reexec

[files]
chmod 600 /etc/ssh/sshd_config
chmod 700 /root/.ssh
chmod 644 /etc/sysctl.d/99-setec-update.conf
chown root:root /etc/sysctl.d/99-setec-update.conf

[custom]
# Cleanup old kernels
bash:-:apt-get autoremove -y --purge 2>&1
# Verify no known vulnerable packages remain
bash:-:apt-get -s upgrade 2>&1 | grep -c 'upgraded' || echo '0 remaining upgrades'