refactor: Complete directory cleanup

Finalizes directory cleanup by removing obsolete files:
- All old debootstrap build scripts (docker-*.sh, final-simple-build.sh)
- All old documentation from root (BUILD-*.md, DOCKER-*.md)
- Obsolete Dockerfiles (Dockerfile, Dockerfile.build)
- Obsolete chroot-overlay/ directory (now using preseed.cfg)
- Old build.sh (replaced by scripts/build-iso.sh)

All files are now in proper directories:
- scripts/: Build and test scripts
- docs/: All documentation
- config/: Configuration files
- logs/: Log files
- keys/: WireGuard keys

Repository is clean and ready for production.

💘 Generated with Crush

Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
2026-01-20 12:01:10 -05:00
parent 2225244ca3
commit 54d988477f
39 changed files with 3 additions and 7487 deletions


@@ -1,155 +0,0 @@
# CIS Benchmark - AIDE Configuration
# File Integrity Monitoring for CMMC/FedRAMP compliance
# Database location
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
# Default configuration
All=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160
# Define file types
Normal=p+i+n+u+g+s+m+c+md5+sha1
Binaries=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160
Config=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs
Logs=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs+selinux
Dynamic=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs+selinux
# ============================================================================
# Directories to Monitor (CIS 4.2.2)
# ============================================================================
# System binaries
/bin All
/sbin All
/usr/bin All
/usr/sbin All
/usr/local/bin All
/usr/local/sbin All
# System configuration
/etc Config
# Libraries
/lib All
/lib64 All
/usr/lib All
/usr/lib64 All
/usr/local/lib All
# Kernel modules
/lib/modules Binaries
# Boot files
/boot Config
# System services
/etc/systemd Config
/lib/systemd Binaries
# Security configuration
/etc/pam.d Config
/etc/security Config
# Network configuration
/etc/network Config
/etc/wireguard Config
# Firewall rules
/etc/iptables Config
# Audit configuration
/etc/audit Config
# AppArmor profiles
/etc/apparmor Config
# Sudo configuration
/etc/sudoers Config
/etc/sudoers.d Config
# ============================================================================
# Directories to Exclude (due to high volatility)
# ============================================================================
!/proc
!/sys
!/dev
!/tmp
!/var/tmp
!/run
!/var/run
# Exclude logs (monitored separately)
!/var/log
# Exclude spool directories
!/var/spool
# Exclude cache
!/var/cache
# Exclude lock files
!/var/lock
# Exclude AIDE database
!/var/lib/aide/aide.db
# Exclude volatile system files
!/etc/mtab
!/etc/fstab.backup
# Exclude user-specific volatile files
!/home/user/.cache
!/home/user/.local/share/Trash
# Exclude IceWM and Remmina cache
!/home/user/.icewm/.cache
!/home/user/.local/share/remmina/*.log
# ============================================================================
# Monitor critical system files for compliance
# ============================================================================
# Password and shadow files
/etc/passwd Normal
/etc/shadow Config
/etc/group Normal
/etc/gshadow Config
# Login configuration
/etc/login.defs Config
/etc/securetty Config
# Hosts configuration
/etc/hosts Config
/etc/hostname Config
# Time configuration
/etc/localtime Config
/etc/timezone Config
# Cron configuration
/etc/crontab Config
# Startup scripts
/etc/init.d Config
# Package management
/var/lib/dpkg Config
# Kernel parameters
/etc/sysctl.d Config
# ============================================================================
# Additional Security Rules
# ============================================================================
# Monitor for SUID/SGID files
+s+a+xattr
# Monitor for world-writable files
+dir+w+u+g+s
# Monitor for SUID root files
All=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160+xattrs
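Review bot: The closing "Additional Security Rules" block is not valid aide.conf syntax and should not be carried into whatever replaces this file: the bare `+s+a+xattr` and `+dir+w+u+g+s` lines are neither group definitions nor selection lines, and the final `All=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160+xattrs` redefines `All` after every `/bin All`-style selection line has already used the earlier definition. Drop the two bare lines and keep a single `All=` next to the other group definitions. Two smaller points for the re-created config: the groups rely on md5 and sha1 (plus tiger and rmd160) with no sha256 or sha512, which is a weak choice for a file-integrity baseline sold as CMMC/FedRAMP, and `Logs` and `Dynamic` are defined but never referenced by any selection line while `/var/log` is excluded outright, so the "monitored separately" comment points at nothing.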


@@ -1,113 +0,0 @@
# CIS Benchmark - System Audit Rules
# Implements CIS Debian Benchmark Section 4.1.2-4.1.17
# Delete all existing rules
-D
# Set buffer size
-b 8192
# Set failure mode
-f 1
# ============================================================================
# Monitor System Calls (CIS 4.1.10-4.1.17)
# ============================================================================
# Monitor for use of administration commands (CIS 4.1.10)
-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
# Monitor for unauthorized access attempts to files (CIS 4.1.11)
-a always,exit -F arch=b64 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
# Monitor for use of privileged commands (CIS 4.1.12)
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
# Monitor for changes to system network configuration (CIS 4.1.13)
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b64 -S /etc/issue -k system-locale
-a always,exit -F path=/etc/hosts -F perm=wa -k system-locale
-a always,exit -F path=/etc/network/ -F perm=wa -k system-locale
# Monitor for changes to user/group information (CIS 4.1.14)
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Monitor for changes to sudoers files (CIS 4.1.15)
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
# Monitor for changes to system scheduling (CIS 4.1.16)
-w /etc/crontab -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
# Monitor for changes to time settings (CIS 4.1.17)
-w /etc/localtime -p wa -k time-change
-w /etc/timezone -p wa -k time-change
# ============================================================================
# Monitor for File Deletion by User
# ============================================================================
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
# ============================================================================
# Monitor for kernel module loading
# ============================================================================
-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
# ============================================================================
# Monitor for changes to login configuration
# ============================================================================
-w /etc/login.defs -p wa -k logins
-w /etc/securetty -p wa -k logins
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# ============================================================================
# Monitor for system initialization
# ============================================================================
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
-w /etc/systemd/ -p wa -k init
# ============================================================================
# Monitor for mandatory access control (MAC) events
# ============================================================================
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
# ============================================================================
# Audit Log Configuration
# ============================================================================
# Prevent auditd from being killed
-a never,exit -F arch=b64 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
-a never,exit -F arch=b32 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
# Monitor for changes to audit configuration
-w /etc/audit/ -p wa -k audit_config
-w /etc/libaudit.conf -p wa -k audit_config
-w /etc/audisp/ -p wa -k audit_config
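Review bot: Two rules in this file are wrong and must not be copied verbatim into the replacement: `-a always,exit -F arch=b64 -S /etc/issue -k system-locale` passes a file path where auditctl expects a syscall name and will be rejected (the CIS form is `-w /etc/issue -p wa -k system-locale`), and the `-a never,exit ... -S kill` pair under "Prevent auditd from being killed" does the opposite of its comment, suppressing audit of `kill` for every regular user instead of protecting auditd. The module rules only watch `init_module`; add `finit_module` and `delete_module` to the same `-S` list, and if the rule set is meant to be immutable until reboot, end the file with `-e 2`.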


@@ -1,18 +0,0 @@
# Football Secure Access System
# Minimal Debian image for privileged access workstation operations
# Local user setup
export LC_ALL=C
# Minimal systemd target - graphical only
default graphical.target
# Disable remote access services
ssh: NO
telnet: NO
ftp: NO
smtp: NO
# Enable only necessary services
network-manager: YES
display-manager: NO # We'll use startx manually
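Review bot: Nothing on a Debian system reads this format (`ssh: NO`, `default graphical.target` and `export LC_ALL=C` mixed in one file), so no tool ever consumed it and deleting it is safe; what it recorded, however, is the image's service policy (no ssh/telnet/ftp/smtp, NetworkManager on, no display manager, X started by hand), and that intent should now be visible in preseed.cfg's package selection and late commands rather than disappear with the file. Note also that the header says "graphical only" while `display-manager: NO` two lines later says the opposite.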


@@ -1,65 +0,0 @@
# CIS Benchmark Login Configuration
# Implements CIS Debian Benchmark Section 5.4.2
# ============================================================================
# Password Aging
# ============================================================================
# Maximum password age (days)
PASS_MAX_DAYS 90
# Minimum password age (days)
PASS_MIN_DAYS 1
# Password warning period (days)
PASS_WARN_AGE 7
# ============================================================================
# Login Settings
# ============================================================================
# Number of failed logins before account lock
FAILLOG_ENAB yes
# Maximum number of login retries
LOGIN_RETRIES 5
# Delay in seconds before next login after failure
LOGIN_TIMEOUT 60
# Enable lastlog
LASTLOG_ENAB yes
# ============================================================================
# UID/GID Settings
# ============================================================================
# System user range
SYS_UID_MIN 100
SYS_UID_MAX 999
SYS_GID_MIN 100
SYS_GID_MAX 999
# ============================================================================
# Home Directory
# ============================================================================
# Create home directory if it doesn't exist
CREATE_HOME yes
# Default umask
UMASK 077
# ============================================================================
# Other Security Settings
# ============================================================================
# Enable logging
LOG_UNKFAIL_ENAB yes
LOG_OK_LOGINS yes
# Silence last login message
HUSHLOGIN_FILE .hushlogin
# Use SHA512 for password hashes
ENCRYPT_METHOD SHA512
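Review bot: Two comments describe behaviour these keys do not have: `FAILLOG_ENAB yes` only enables faillog recording and is not "Number of failed logins before account lock" (the lockout threshold lives in the PAM file's `pam_faillock.so ... deny=5`), and `LOGIN_TIMEOUT 60` is the maximum time allowed to complete a login, not a delay after failure (that would be `FAIL_DELAY`). If this login.defs content is regenerated by preseed, fix the comments so the next reader does not assume a lockout that this file never configured; the aging values and `ENCRYPT_METHOD SHA512` are fine.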


@@ -1,177 +0,0 @@
# CIS Benchmark - Logrotate Configuration
# Implements CIS Debian Benchmark Section 4.2.1.3
# Rotate daily
daily
# Keep logs for 365 days (CMMC/FedRAMP requirement)
rotate 365
# Create new log files
create
# Compress old logs
compress
# Use gzip compression
compresscmd /usr/bin/gzip
# Uncompress with gunzip
uncompresscmd /usr/bin/gunzip
# Compression options
compressoptions -9
# Don't compress if recent
delaycompress
# Don't compress empty logs
notifempty
# Don't rotate if missing
missingok
# Rotate if size exceeds 100M
size 100M
# ============================================================================
# Specific Log Rotation Rules
# ============================================================================
# System logs
/var/log/auth.log
/var/log/kern.log
/var/log/syslog
/var/log/messages
/var/log/debug
/var/log/user.log
{
rotate 90
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
# Security logs (keep longer for compliance)
/var/log/audit/audit.log
/var/log/security.log
/var/log/access.log
/var/log/change.log
/var/log/admin.log
{
rotate 365
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload auditd > /dev/null 2>&1 || true
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
# Sudo logs
/var/log/sudo.log
{
rotate 365
monthly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Firewall and network logs
/var/log/firewall.log
/var/log/wireguard.log
/var/log/network.log
{
rotate 90
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Cron logs
/var/log/cron.log
{
rotate 60
weekly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Boot logs
/var/log/boot.log
{
rotate 30
weekly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Package manager logs
/var/log/dpkg.log
/var/log/apt/
{
rotate 90
monthly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# System startup/shutdown logs
/var/log/wtmp
{
rotate 30
monthly
compress
missingok
notifempty
create 0644 root utmp
}
# Failed login attempts
/var/log/btmp
{
rotate 90
monthly
compress
missingok
notifempty
create 0640 root utmp
}
# Last login logs
/var/log/lastlog
{
rotate 30
monthly
compress
missingok
notifempty
create 0640 root utmp
}
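Review bot: The `/var/log/audit/audit.log` stanza should not be re-created: auditd rotates its own log according to `max_log_file_action` in auditd.conf and keeps its file descriptor open, so logrotate renaming the file under it and then calling `systemctl reload auditd` leaves auditd writing to the rotated copy. Two more items to fix rather than copy: `/var/log/apt/` is a directory path with no glob (`/var/log/apt/*.log` is what is meant), and the `/var/log/lastlog` stanza rotates and compresses a sparse, UID-indexed file that `pam_lastlog.so showfailed` in the PAM file reads in place, so every rotation wipes the last-login history the module is supposed to show. Also check whether the global `size 100M` is intended to apply to every stanza, since `size` takes precedence over the `daily`/`weekly`/`monthly` interval in the stanzas that restate one.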


@@ -1,12 +0,0 @@
# Network interfaces configuration for football system
# Minimal setup - only physical interface for WireGuard
# Physical interface - use NetworkManager or static
# This interface is ONLY for WireGuard connection
# Example for DHCP (NetworkManager managed):
# Physical interface will be configured by NetworkManager
# No other network services allowed
# WireGuard interface (tunnel - all traffic goes here)
# This interface will be brought up by wg-quick
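Review bot: This file holds only comments and no `auto`/`iface` stanzas, so removing it changes nothing functionally; the physical interface was already left to NetworkManager as the comments say. The one thing worth keeping is the statement that eth0 exists solely to carry WireGuard and that wg-quick brings up the tunnel, which belongs in docs/ now that the commit message says all documentation moves there.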


@@ -1,25 +0,0 @@
# CIS Benchmark PAM Password Configuration
# This file enforces password quality requirements
# Enforce strong passwords
password required pam_pwquality.so retry=3 enforce_for_root
# Use SHA512 for password hashing
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# Lock account after failed attempts
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so nullok_secure
auth required pam_faillock.so authfail audit deny=5 unlock_time=900
# Last successful login display
session required pam_lastlog.so showfailed
# Limit resource usage
session required pam_limits.so
# Set secure umask
session optional pam_umask.so umask=077
# No delay for successful login, delay for failed
auth optional pam_faildelay.so delay=4000000
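Review bot: `nullok` on the `password sufficient pam_unix.so` line and `nullok_secure` on the `auth` line both permit empty passwords, which contradicts the `minlen = 14` pwquality policy deleted alongside this file; drop both options in the replacement. The faillock chain is also incomplete: the `[success=1 default=bad]` jump on `pam_unix.so` skips `pam_faillock.so authfail` and lands on `pam_faildelay.so`, and there is no `auth sufficient pam_faillock.so authsucc` line to reset the failure counter after a good login, so a user who fails four times and then succeeds still carries four strikes. Mixing `password`, `auth` and `session` stacks in one file also means it cannot be dropped into a single `/etc/pam.d/common-*` file unchanged.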


@@ -1,119 +0,0 @@
# CIS Benchmark - Centralized Logging Configuration
# Implements CIS Debian Benchmark Section 4.2
# ============================================================================
# Global Directives
# ============================================================================
# Use RFC 5424 format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Set file permissions
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Rate limiting to prevent log flooding
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 500
# ============================================================================
# Modules
# ============================================================================
# Load kernel module
$ModLoad imklog
# Load Mark module for periodic timestamps
$ModLoad immark
# Load UDP module for remote logging (disabled for security)
# $ModLoad imudp
# Load TCP module for remote logging (disabled for security)
# $ModLoad imtcp
# ============================================================================
# Log Destinations (Local Only - Remote Logging Disabled)
# ============================================================================
# Kernel messages
kern.* -/var/log/kern.log
# Authentication logs (CIS 4.2.1)
auth,authpriv.* -/var/log/auth.log
# System mail
mail.* -/var/log/mail.log
# Cron logs
cron.* -/var/log/cron.log
# User messages
*.=info;*.=notice;*.=warn -/var/log/messages
# Emergency messages
*.emerg :omusrmsg:*
# ============================================================================
# Security-Specific Logging
# ============================================================================
# Sudo command logging
if $programname == 'sudo' then -/var/log/sudo.log
& stop
# Audit logging
if $programname == 'auditd' then -/var/log/audit/audit.log
& stop
# Security events
if $programname contains 'security' then -/var/log/security.log
& stop
# Network events
if $programname contains 'network' then -/var/log/network.log
& stop
# WireGuard logs
if $programname == 'wg-quick' or $programname == 'wireguard' then -/var/log/wireguard.log
& stop
# Firewall logs
if $programname == 'iptables' then -/var/log/firewall.log
& stop
# ============================================================================
# Compliance Logging (CMMC/FedRAMP Requirements)
# ============================================================================
# All administrative actions
if $syslogseverity-text == 'info' and $msg contains 'user' then -/var/log/admin.log
& stop
# Failed access attempts
if $msg contains 'failure' or $msg contains 'failed' or $msg contains 'denied' then -/var/log/access.log
& stop
# System changes
if $msg contains 'changed' or $msg contains 'modified' then -/var/log/change.log
& stop
# ============================================================================
# Rate Limiting Per Facility
# ============================================================================
# Rate limit syslog messages
$Ruleset remote
$ActionQueueType LinkedList
$ActionQueueSize 100000
*.* :omusrmsg:*
# ============================================================================
# Discard Messages
# ============================================================================
# Discard debug messages
*.=debug ~
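Review bot: The "Use RFC 5424 format" comment does not match `$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat`, which is the classic RFC 3164-style layout; RFC 5424 output is `RSYSLOG_SyslogProtocol23Format`. Larger functional problems if this file is regenerated: `$Ruleset remote` moves every rule after it (the `*.* :omusrmsg:*` write-to-all-users action and the `*.=debug ~` discard) into a ruleset no input is ever bound to, so neither runs, and the heading above it says "Rate Limiting Per Facility" while the block configures a queue, not a rate limit. The `if $programname == 'auditd'` rule also writes into `/var/log/audit/audit.log`, the file auditd itself owns, which interleaves two writers into one log.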


@@ -1,42 +0,0 @@
# CIS Benchmark Password Policy
# Implements CIS Debian Benchmark Section 5.4.1
# ============================================================================
# PAM Quality Requirements
# ============================================================================
# Minimum password length
minlen = 14
# Minimum number of lowercase characters
lcredit = -1
# Minimum number of uppercase characters
ucredit = -1
# Minimum number of digits
dcredit = -1
# Minimum number of special characters
ocredit = -1
# Maximum number of consecutive characters
maxclassrepeat = 3
# Maximum number of same consecutive characters
maxrepeat = 3
# Reject passwords containing the username
usercheck = 1
# Reject passwords containing common patterns
enforce_for_root
# Minimum number of character changes
difok = 3
# Check for common passwords
dictcheck = 1
# Reject passwords in dictionary
authtok_type =
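Review bot: Three comments misdescribe the option beneath them: `maxclassrepeat = 3` limits consecutive characters of the same class, not "consecutive characters"; `enforce_for_root` makes the checks apply to root rather than rejecting "common patterns"; and `authtok_type =` sets the wording of the password prompt, not dictionary rejection (that is the `dictcheck = 1` already present). Fix the comments in the replacement rather than copy them; the values themselves (`minlen = 14`, the four `-1` credits, `difok = 3`, `dictcheck = 1`) match CIS 5.4.1.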


@@ -1,54 +0,0 @@
# CIS Benchmark Sudo Configuration
# Implements least privilege principle
# ============================================================================
# Defaults
# ============================================================================
# Use lecture mode
Defaults lecture = always
Defaults lecture_file = /etc/sudoers.d/lecture
# Log all sudo commands
Defaults logfile = /var/log/sudo.log
Defaults log_input, log_output
# Secure path
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Ignore duplicate passwords in terminal
Defaults !tty_tickets
# Require password for sudo
Defaults !targetpw
# Set timestamp timeout (5 minutes)
Defaults timestamp_timeout = 5
# Require authentication
Defaults !authenticate
# No insults
Defaults !insults
# ============================================================================
# User Permissions
# ============================================================================
# User account can run sudo with password
user ALL=(ALL:ALL) ALL
# ============================================================================
# Security Restrictions
# ============================================================================
# No root login via sudo
root ALL=(ALL) ALL
# Disable ability to run commands as other users without password
Defaults env_reset
Defaults env_delete = "EDITOR VISUAL PAGER DISPLAY XAUTHORITY"
Defaults !env_editor
# Disable running as specific users
Defaults!/usr/bin/su !root
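Review bot: `Defaults !authenticate` under the comment "Require authentication" does the opposite: negating `authenticate` tells sudo never to prompt for a password, which turns `user ALL=(ALL:ALL) ALL` into passwordless root for the autologin user. `Defaults !tty_tickets` likewise loosens things by sharing one credential timestamp across every terminal, and the last line `Defaults!/usr/bin/su !root` is not valid sudoers syntax (`Defaults!` takes a command list followed by Defaults options, and `!root` is not an option), so visudo would have rejected the file. Whatever replaces it should leave `authenticate` and `tty_tickets` at their defaults by omitting both lines, and drop the final line entirely.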


@@ -1,111 +0,0 @@
# CIS Benchmark Kernel Hardening for Debian
# Implements CIS Debian Benchmark controls related to kernel parameters
# ============================================================================
# Network Parameters
# ============================================================================
# Disable IP packet forwarding (not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable TCP SYN cookies protection
net.ipv4.tcp_syncookies = 1
# Enable TCP reverse path filtering (source verification)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
# Disable IPv6 if not used (enabled but strictly controlled via firewall)
# net.ipv6.conf.all.disable_ipv6 = 1
# ============================================================================
# System Hardening
# ============================================================================
# Disable magic sysrq key
kernel.sysrq = 0
# Address space layout randomization
kernel.randomize_va_space = 2
# Restrict core dumps
kernel.core_pattern = |/bin/false
# Enable hard link and symlink protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Enable ptrace restrictions (only allow ptrace from descendants)
kernel.yama.ptrace_scope = 1
# Disable unprivileged BPF
kernel.unprivileged_bpf_disabled = 1
# Disable user namespaces
user.max_user_namespaces = 0
# ============================================================================
# Network Stack Hardening
# ============================================================================
# Enable TCP timestamps for protection against spoofing
net.ipv4.tcp_timestamps = 1
# Reduce TCP timeout for closing connections
net.ipv4.tcp_fin_timeout = 30
# Maximum number of SYN backlog queue
net.ipv4.tcp_max_syn_backlog = 2048
# Minimum, default, and maximum TCP buffer sizes
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# ============================================================================
# ARP Hardening
# ============================================================================
# Ignore ARP requests on all interfaces
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 1
# Enable ARP filtering
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1
# ============================================================================
# ICMP Rate Limiting
# ============================================================================
# Rate limit ICMP messages
net.ipv4.icmp_ratelimit = 100
# ============================================================================
# Memory Overcommit
# ============================================================================
# Disable overcommit (conservative memory allocation)
vm.overcommit_memory = 2
vm.overcommit_ratio = 80
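Review bot: The IPv6 half of the redirect controls is missing: `net.ipv6.conf.all.accept_redirects` and `net.ipv6.conf.default.accept_redirects` are absent, as is `net.ipv4.conf.default.log_martians`, all of which CIS pairs with the IPv4 lines present here; `fs.suid_dumpable = 0` is also absent even though core dumps are otherwise sent to `/bin/false`. Two non-CIS settings deserve a second look before being re-created: `vm.overcommit_memory = 2` with `vm.overcommit_ratio = 80` makes allocations fail hard on a small desktop image running X, IceWM and Remmina, and the "protection against spoofing" comment on `net.ipv4.tcp_timestamps = 1` describes no protection (timestamps serve PAWS and RTT estimation and also leak uptime).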


@@ -1,14 +0,0 @@
[Unit]
Description=Apply strict firewall - WireGuard only
After=network.target wg-quick@wg0.service
[Service]
Type=oneshot
ExecStart=/bin/systemctl mask ssh.service sshd.service telnet.socket 2>/dev/null || true
ExecStart=/bin/systemctl stop ssh.service sshd.service 2>/dev/null || true
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 2>/dev/null || true
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
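Review bot: The `2>/dev/null || true` suffixes on the `ExecStart=` lines never reach a shell; systemd hands them to `systemctl` and `ip6tables-restore` as literal arguments, so the first `ExecStart` fails on the bogus unit names and, in a `Type=oneshot` unit, that failure stops the chain before `iptables-restore /etc/iptables/rules.v4` ever runs. Use the `-` prefix (`ExecStart=-/bin/systemctl mask ...`) for steps whose failure should be tolerated. Separately, `After=network.target wg-quick@wg0.service` applies the "WireGuard only" rules only after networking and the tunnel are up, leaving an unfiltered window; the other unit in this commit that orders `Before=network-pre.target` already restores the same `rules.v4`/`rules.v6`, so one of the two should go.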


@@ -1,12 +0,0 @@
[Unit]
Description=Autologin user session for IceWM
After=systemd-user-sessions.service
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin user --noclear tty1 %I $TERM
Type=idle
Restart=always
[Install]
WantedBy=getty.target
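Review bot: `ExecStart=-/sbin/agetty --autologin user --noclear tty1 %I $TERM` names the tty twice: in `getty@tty1.service` `%I` already expands to `tty1`, so agetty receives the positional arguments `tty1 tty1 $TERM` and treats the second `tty1` as a baud rate. The usual override is `--autologin user --noclear %I $TERM`. Beyond the typo, autologin combined with `Restart=always` means the console logs itself back in whenever the session ends, which sits oddly beside a PAM stack with `pam_faillock` and a 14-character password policy; if unattended kiosk boot is the intent, record that trade-off in docs/ rather than leaving it implicit in a getty drop-in.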


@@ -1,13 +0,0 @@
[Unit]
Description=Firewall Rules to Block Remote Access
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
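Review bot: This unit depends on `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, which are neither among the files removed here nor anywhere else in the diff, so after this cleanup the repository no longer shows what the "WireGuard only" rule set actually is; if preseed.cfg now writes them, the commit message should say so. Decide explicitly whether a missing `rules.v6` should fail the unit (as the unprefixed `ExecStart=/usr/sbin/ip6tables-restore` does now) or be tolerated with `ExecStart=-`, and comment the choice, since the other firewall unit in this commit tries to take the tolerant path.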


@@ -1,19 +0,0 @@
# WireGuard configuration for football system
# ALL TRAFFIC MUST GO THROUGH THIS TUNNEL
# Template - will be configured during build
[Interface]
# Private key - MUST be set during deployment
PrivateKey = <PRIVATE_KEY_PLACEHOLDER>
# WireGuard interface IP (within the VPN)
Address = 10.100.0.2/24
# DNS via VPN
DNS = 10.100.0.1
[Peer]
# VPN server endpoint
PublicKey = <PUBLIC_KEY_PLACEHOLDER>
Endpoint = <ENDPOINT_IP>:<ENDPOINT_PORT>
AllowedIPs = 0.0.0.0/0, ::/0
# Keep connection alive
PersistentKeepalive = 25
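Review bot: Keeping `PrivateKey = <PRIVATE_KEY_PLACEHOLDER>` in the template is right, but the commit message now lists a `keys/` directory of WireGuard keys inside the repository tree; make sure that directory is ignored by git and that `scripts/build-iso.sh` substitutes the key at build time instead of committing a rendered `wg0.conf`, because a private key that lands in git history or in a published ISO cannot be un-leaked. `AllowedIPs = 0.0.0.0/0, ::/0` with `DNS = 10.100.0.1` is the correct full-tunnel shape; the `DNS` line only takes effect if wg-quick can find `resolvconf` (or systemd-resolved's compatibility shim) on the image.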


@@ -1,26 +0,0 @@
# ~/.bashrc - Football secure access system
# This script automatically starts IceWM and Remmina
# Start X with IceWM on login
if [ -z "$DISPLAY" ] && [ "$XDG_VTNR" = "1" ]; then
exec startx
fi
# Security aliases
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# PATH additions
export PATH=$PATH:/usr/local/bin
# Display security notice on login
echo ""
echo "================================================================"
echo " FOOTBALL - SECURE ACCESS SYSTEM"
echo "================================================================"
echo " Remote access to this system is DISABLED."
echo " Local console access only."
echo " System is automatically starting IceWM + Remmina."
echo "================================================================"
echo ""
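Review bot: The security notice at the bottom is never shown on the console this file targets: on tty1 the `exec startx` at the top replaces the shell before any `echo` runs, and inside an xterm in the session `$DISPLAY` is set so the banner appears in a terminal nobody logs in through. If it is meant as a login notice, put it in `/etc/issue` or `/etc/motd`, which the deleted audit rules already watch. The `rm -i`/`cp -i`/`mv -i` aliases are a convenience, not a security control, and the "Security aliases" comment should say so.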


@@ -1,27 +0,0 @@
# IceWM configuration for football system
# Window placement
TaskBarShowClock=1
TaskBarShowStartMenu=1
TaskBarShowWindowListMenu=1
TaskBarShowWorkspaces=0
TaskBarShowWindows=0
# Auto-start Remmina
StartupCommand="remmina"
# No desktop icons (clean interface)
DesktopBackgroundCenter=1
DesktopBackgroundColor="rgb:00/33/66"
# Security - minimize features
ShowLoginStatus=0
ShowLogoutMenu=1
ShowSettingsMenu=0
ShowHelpMenu=0
ShowRunProgram=0
# Remmina should be main focus
ClickToFocus=1
FocusOnAppRaise=1
RaiseOnFocus=1
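Review bot: `StartupCommand="remmina"` duplicates the `remmina &` launched from the deleted `.xinitrc`, so the session starts Remmina twice; keep a single launcher, and check that `StartupCommand` is actually honoured by the IceWM version on the image, since IceWM's documented autostart hook is the executable `~/.icewm/startup` script. `ShowLogoutMenu=1` also leaves logout and shutdown reachable from the taskbar on an otherwise locked-down kiosk; decide deliberately whether the operator should be able to log out when the getty override will immediately log them back in.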


@@ -1,19 +0,0 @@
#!/bin/bash
# ~/.xinitrc - Automatically start IceWM and Remmina
# Set keyboard layout if needed
setxkbmap us
# Set reasonable defaults for IceWM
export ICEWM_PRIVCFG=$HOME/.icewm
# Start IceWM
icewm &
ICEWM_PID=$!
# Start Remmina (maximized)
remmina &
REMMINA_PID=$!
# Wait for IceWM
wait $ICEWM_PID
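Review bot: `REMMINA_PID` is captured and never used, and `wait $ICEWM_PID` ends the X session only when IceWM exits; closing Remmina (step 5 of the README) leaves an empty desktop, and when IceWM eventually exits the autologin getty with `Restart=always` restarts the whole sequence. If the intended lifecycle is "Remmina closes, session ends", wait on `$REMMINA_PID` instead and let IceWM go down with the X server. `setxkbmap us` also runs unconditionally despite the "if needed" comment, and nothing here starts the inactivity lock the README promises.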


@@ -1,42 +0,0 @@
# Football Secure Access System
This system is configured for secure access to remote privileged access workstations through a WireGuard VPN tunnel.
**SYSTEM CHARACTERISTICS:**
- Remote access: DISABLED (no SSH, no network services)
- Local console access only
- Automatic IceWM window manager startup
- Remmina remote desktop client
- Secure Boot enforced
- **ALL network traffic MUST go through WireGuard VPN**
- **Direct network access BLOCKED - only WireGuard allowed**
**NETWORK CONFIGURATION:**
- Physical interface (eth0): ONLY allows WireGuard to configured endpoint
- WireGuard tunnel (wg0): ALL outbound traffic goes through this tunnel
- Inbound traffic: BLOCKED (except WireGuard keepalives)
- DHCP: Allowed on eth0 only for initial IP acquisition
**USAGE:**
1. Login with local user account
2. IceWM and Remmina start automatically
3. WireGuard tunnel is established automatically
4. Use Remmina to connect to PAW (Privileged Access Workstation) through VPN
5. Close Remmina when done
6. System locks automatically on inactivity
**SECURITY:**
- No remote administration permitted
- All direct network connections blocked
- Only WireGuard tunnel traffic allowed to configured endpoint
- System logs all actions
- Secure Boot verifies kernel integrity
- Firewall strictly enforced
**WIREGUARD ENDPOINT:**
- Configured during build (see build script variables)
- Only endpoint allowed: WG_ENDPOINT_IP:WG_ENDPOINT_PORT
- All traffic routes through VPN after connection
**CONTACT:**
For system issues, contact infrastructure security team.
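Review bot: Several claims under SYSTEM CHARACTERISTICS and SECURITY are not backed by anything in the deleted overlay: "Secure Boot enforced" and "Secure Boot verifies kernel integrity" (no shim, signing or MOK configuration anywhere in the diff), "System locks automatically on inactivity" (no xautolock, xss-lock or screensaver in `.xinitrc` or the IceWM preferences), and "Remote access: DISABLED (no SSH, no network services)" is enforced by a unit that masks `ssh.service` at boot rather than by leaving the package out of the image. If this text is being moved into docs/, reconcile each statement with what preseed.cfg actually installs, or mark the unimplemented ones as planned; these are the first claims an assessor will test on a PAW.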