KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add security baselines guide and update build script

Browse Source 
Security Baselines Guide Includes:
- Comprehensive security baseline overview
- Kernel parameters verification
- Firewall rules baseline
- Authentication and password baselines
- Audit rules baseline
- Service baselines (enabled/prohibited)
- File permission baselines
- AIDE configuration baseline
- Logging baselines
- Initial hardening procedures
- Baseline verification procedures
- Ongoing hardening activities (daily/weekly/monthly/quarterly/annual)
- Baseline maintenance procedures
- Compliance verification for CIS/CMMC/FedRAMP
- Troubleshooting guide
- Quick reference commands

Build Script Updates:
- Add PAM configuration step (common-password-cis)
- Add faillock configuration for account lockout
- Add AIDE database initialization
- Add Secure Boot configuration step
- Add additional systemd services (auditd, rsyslog, apparmor, aide-check.timer)
- Update step numbers to 11/11 for consistency
- Improve hardening script execution

Security Controls Applied:
- PAM with CIS password policies
- Account lockout (5 attempts, 15 minutes)
- AIDE database initialization
- Secure Boot configuration
- All security services enabled

Compliance Standards:
- CIS Debian 13 Benchmark
- CMMC Level 3
- FedRAMP Moderate
- NIST SP 800-53 Moderate
- NIST SP 800-171

This guide provides complete baseline verification and
maintenance procedures for Tier0 infrastructure protection.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-01-13 14:20:05 -05:00
parent 392dd9dadc
commit ac7df85a0e
2 changed files with 1120 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
build.sh
View File

@@ -57,7 +57,7 @@ echo "WireGuard endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[1/9] Preparing build environment..." echo "[1/11] Preparing build environment..."
# Clean up previous builds # Clean up previous builds
if [ -d "$CHROOT_DIR" ]; then if [ -d "$CHROOT_DIR" ]; then
@@ -77,7 +77,7 @@ sudo apt-get install -y debootstrap qemu-utils kpartx squashfs-tools
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[2/9] Bootstrapping minimal Debian $DEBIAN_VERSION (Debian 13 Trixie)..." echo "[2/11] Bootstrapping minimal Debian $DEBIAN_VERSION (Debian 13 Trixie)..."
sudo debootstrap \ sudo debootstrap \
--arch=amd64 \ --arch=amd64 \
@@ -91,7 +91,7 @@ sudo debootstrap \
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[3/9] Configuring APT sources..." echo "[3/11] Configuring APT sources..."
cat << 'EOF' | sudo tee "$CHROOT_DIR/etc/apt/sources.list" cat << 'EOF' | sudo tee "$CHROOT_DIR/etc/apt/sources.list"
deb http://deb.debian.org/debian trixie main contrib non-free non-free-firmware deb http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
@@ -103,7 +103,7 @@ EOF
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[4/9] Installing packages..." echo "[4/11] Installing packages..."
# Mount necessary filesystems for chroot # Mount necessary filesystems for chroot
sudo mount -t proc /proc "$CHROOT_DIR/proc" sudo mount -t proc /proc "$CHROOT_DIR/proc"
@@ -126,7 +126,7 @@ sudo chroot "$CHROOT_DIR" bash -c "
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[5/9] Applying chroot overlay..." echo "[5/11] Applying chroot overlay..."
# Copy overlay files # Copy overlay files
sudo cp -r "$BUILD_DIR/chroot-overlay/"* "$CHROOT_DIR/" sudo cp -r "$BUILD_DIR/chroot-overlay/"* "$CHROOT_DIR/"
@@ -143,7 +143,7 @@ sudo chroot "$CHROOT_DIR" bash -c "
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[6/9] Configuring WireGuard..." echo "[6/11] Configuring WireGuard..."
# Setup WireGuard configuration with keys # Setup WireGuard configuration with keys
sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \ sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
@@ -168,14 +168,13 @@ sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[7/9] Running hardening script..." echo "[7/11] Running hardening script..."
sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \
chroot "$CHROOT_DIR" bash /tmp/harden.sh
# Copy hardening script to chroot first # Copy hardening script to chroot first
sudo cp "$BUILD_DIR/config/harden.sh" "$CHROOT_DIR/tmp/harden.sh" sudo cp "$BUILD_DIR/config/harden.sh" "$CHROOT_DIR/tmp/harden.sh"
sudo cp "$BUILD_DIR/config/secureboot.sh" "$CHROOT_DIR/tmp/secureboot.sh"
sudo cp "$BUILD_DIR/config/setup-wireguard.sh" "$CHROOT_DIR/tmp/setup-wireguard.sh"
sudo chroot "$CHROOT_DIR" bash -c " sudo chroot "$CHROOT_DIR" bash -c "
export WG_ENDPOINT_IP=$WG_ENDPOINT_IP export WG_ENDPOINT_IP=$WG_ENDPOINT_IP
export WG_ENDPOINT_PORT=$WG_ENDPOINT_PORT export WG_ENDPOINT_PORT=$WG_ENDPOINT_PORT
@@ -183,17 +182,82 @@ sudo chroot "$CHROOT_DIR" bash -c "
rm /tmp/harden.sh rm /tmp/harden.sh
" "
# ============================================================================
# CONFIGURE PAM
# ============================================================================
echo ""
echo "[8/11] Configuring PAM authentication..."
# Configure PAM with CIS password policy
if [ -f "$CHROOT_DIR/etc/pam.d/common-password-cis" ]; then
sudo cp "$CHROOT_DIR/etc/pam.d/common-password-cis" "$CHROOT_DIR/etc/pam.d/common-password"
echo "PAM password policy configured"
else
echo "Warning: CIS PAM configuration not found"
fi
# Configure faillock for account lockout
sudo chroot "$CHROOT_DIR" bash -c "
mkdir -p /etc/security
cat > /etc/security/faillock.conf << 'EOF'
deny = 5
unlock_time = 900
even_deny_root
root_unlock_time = 900
EOF
"
# ============================================================================
# INITIALIZE AIDE DATABASE
# ============================================================================
echo ""
echo "[9/11] Initializing AIDE database..."
sudo chroot "$CHROOT_DIR" bash -c "
# Initialize AIDE database
aide --init 2>/dev/null || echo 'AIDE init returned error code $?'
if [ -f /var/lib/aide/aide.db.new ]; then
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
chmod 600 /var/lib/aide/aide.db
chown root:root /var/lib/aide/aide.db
echo 'AIDE database initialized'
else
echo 'Warning: AIDE database not created'
fi
"
# ============================================================================
# CONFIGURE SECURE BOOT
# ============================================================================
echo ""
echo "[10/11] Configuring Secure Boot..."
sudo chroot "$CHROOT_DIR" bash -c "
if [ -f /tmp/secureboot.sh ]; then
bash /tmp/secureboot.sh
rm /tmp/secureboot.sh
fi
"
# ============================================================================ # ============================================================================
# ENABLE SYSTEMD SERVICES # ENABLE SYSTEMD SERVICES
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[8/9] Configuring systemd services..." echo "[11/11] Configuring systemd services..."
sudo chroot "$CHROOT_DIR" bash -c " sudo chroot "$CHROOT_DIR" bash -c "
systemctl enable block-remote-access.service systemctl enable block-remote-access.service
systemctl enable wg-quick@wg0 systemctl enable wg-quick@wg0
systemctl enable auditd
systemctl enable rsyslog
systemctl enable apparmor
systemctl enable aide-check.timer
systemctl set-default graphical.target systemctl set-default graphical.target
echo 'Systemd services configured'
" "
# ============================================================================ # ============================================================================
@@ -217,7 +281,7 @@ sudo rm -rf "$CHROOT_DIR/tmp/"*
# ============================================================================ # ============================================================================
echo "" echo ""
echo "[9/9] Creating disk images..." echo "[11/11] Creating disk images..."
# Create raw disk image for physical system # Create raw disk image for physical system
RAW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-physical.img" RAW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-physical.img"

1043
docs/SECURITY-BASELINES.md Normal file
View File

File diff suppressed because it is too large Load Diff