feat: add security baselines guide and update build script

Security Baselines Guide Includes: - Comprehensive security baseline overview - Kernel parameters verification - Firewall rules baseline - Authentication and password baselines - Audit rules baseline - Service baselines (enabled/prohibited) - File permission baselines - AIDE configuration baseline - Logging baselines - Initial hardening procedures - Baseline verification procedures - Ongoing hardening activities (daily/weekly/monthly/quarterly/annual) - Baseline maintenance procedures - Compliance verification for CIS/CMMC/FedRAMP - Troubleshooting guide - Quick reference commands Build Script Updates: - Add PAM configuration step (common-password-cis) - Add faillock configuration for account lockout - Add AIDE database initialization - Add Secure Boot configuration step - Add additional systemd services (auditd, rsyslog, apparmor, aide-check.timer) - Update step numbers to 11/11 for consistency - Improve hardening script execution Security Controls Applied: - PAM with CIS password policies - Account lockout (5 attempts, 15 minutes) - AIDE database initialization - Secure Boot configuration - All security services enabled Compliance Standards: - CIS Debian 13 Benchmark - CMMC Level 3 - FedRAMP Moderate - NIST SP 800-53 Moderate - NIST SP 800-171 This guide provides complete baseline verification and maintenance procedures for Tier0 infrastructure protection. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 14:20:05 -05:00
parent 392dd9dadc
commit ac7df85a0e
2 changed files with 1120 additions and 13 deletions
--- a/build.sh
+++ b/build.sh
@@ -57,7 +57,7 @@ echo "WireGuard endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"
 # ============================================================================

 echo ""
-echo "[1/9] Preparing build environment..."
+echo "[1/11] Preparing build environment..."

 # Clean up previous builds
 if [ -d "$CHROOT_DIR" ]; then
@@ -77,7 +77,7 @@ sudo apt-get install -y debootstrap qemu-utils kpartx squashfs-tools
 # ============================================================================

 echo ""
-echo "[2/9] Bootstrapping minimal Debian $DEBIAN_VERSION (Debian 13 Trixie)..."
+echo "[2/11] Bootstrapping minimal Debian $DEBIAN_VERSION (Debian 13 Trixie)..."

 sudo debootstrap \
    --arch=amd64 \
@@ -91,7 +91,7 @@ sudo debootstrap \
 # ============================================================================

 echo ""
-echo "[3/9] Configuring APT sources..."
+echo "[3/11] Configuring APT sources..."

 cat << 'EOF' | sudo tee "$CHROOT_DIR/etc/apt/sources.list"
 deb http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
@@ -103,7 +103,7 @@ EOF
 # ============================================================================

 echo ""
-echo "[4/9] Installing packages..."
+echo "[4/11] Installing packages..."

 # Mount necessary filesystems for chroot
 sudo mount -t proc /proc "$CHROOT_DIR/proc"
@@ -126,7 +126,7 @@ sudo chroot "$CHROOT_DIR" bash -c "
 # ============================================================================

 echo ""
-echo "[5/9] Applying chroot overlay..."
+echo "[5/11] Applying chroot overlay..."

 # Copy overlay files
 sudo cp -r "$BUILD_DIR/chroot-overlay/"* "$CHROOT_DIR/"
@@ -143,7 +143,7 @@ sudo chroot "$CHROOT_DIR" bash -c "
 # ============================================================================

 echo ""
-echo "[6/9] Configuring WireGuard..."
+echo "[6/11] Configuring WireGuard..."

 # Setup WireGuard configuration with keys
 sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
@@ -168,14 +168,13 @@ sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
 # ============================================================================

 echo ""
-echo "[7/9] Running hardening script..."
-
-sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
-     WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \
-     chroot "$CHROOT_DIR" bash /tmp/harden.sh
+echo "[7/11] Running hardening script..."

 # Copy hardening script to chroot first
 sudo cp "$BUILD_DIR/config/harden.sh" "$CHROOT_DIR/tmp/harden.sh"
+sudo cp "$BUILD_DIR/config/secureboot.sh" "$CHROOT_DIR/tmp/secureboot.sh"
+sudo cp "$BUILD_DIR/config/setup-wireguard.sh" "$CHROOT_DIR/tmp/setup-wireguard.sh"
+
 sudo chroot "$CHROOT_DIR" bash -c "
    export WG_ENDPOINT_IP=$WG_ENDPOINT_IP
    export WG_ENDPOINT_PORT=$WG_ENDPOINT_PORT
@@ -183,17 +182,82 @@ sudo chroot "$CHROOT_DIR" bash -c "
    rm /tmp/harden.sh
 "

+# ============================================================================
+# CONFIGURE PAM
+# ============================================================================
+
+echo ""
+echo "[8/11] Configuring PAM authentication..."
+
+# Configure PAM with CIS password policy
+if [ -f "$CHROOT_DIR/etc/pam.d/common-password-cis" ]; then
+    sudo cp "$CHROOT_DIR/etc/pam.d/common-password-cis" "$CHROOT_DIR/etc/pam.d/common-password"
+    echo "PAM password policy configured"
+else
+    echo "Warning: CIS PAM configuration not found"
+fi
+
+# Configure faillock for account lockout
+sudo chroot "$CHROOT_DIR" bash -c "
+    mkdir -p /etc/security
+    cat > /etc/security/faillock.conf << 'EOF'
+deny = 5
+unlock_time = 900
+even_deny_root
+root_unlock_time = 900
+EOF
+"
+
+# ============================================================================
+# INITIALIZE AIDE DATABASE
+# ============================================================================
+
+echo ""
+echo "[9/11] Initializing AIDE database..."
+
+sudo chroot "$CHROOT_DIR" bash -c "
+    # Initialize AIDE database
+    aide --init 2>/dev/null || echo 'AIDE init returned error code $?'
+    if [ -f /var/lib/aide/aide.db.new ]; then
+        mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+        chmod 600 /var/lib/aide/aide.db
+        chown root:root /var/lib/aide/aide.db
+        echo 'AIDE database initialized'
+    else
+        echo 'Warning: AIDE database not created'
+    fi
+"
+
+# ============================================================================
+# CONFIGURE SECURE BOOT
+# ============================================================================
+
+echo ""
+echo "[10/11] Configuring Secure Boot..."
+
+sudo chroot "$CHROOT_DIR" bash -c "
+    if [ -f /tmp/secureboot.sh ]; then
+        bash /tmp/secureboot.sh
+        rm /tmp/secureboot.sh
+    fi
+"
+
 # ============================================================================
 # ENABLE SYSTEMD SERVICES
 # ============================================================================

 echo ""
-echo "[8/9] Configuring systemd services..."
+echo "[11/11] Configuring systemd services..."

 sudo chroot "$CHROOT_DIR" bash -c "
    systemctl enable block-remote-access.service
    systemctl enable wg-quick@wg0
+    systemctl enable auditd
+    systemctl enable rsyslog
+    systemctl enable apparmor
+    systemctl enable aide-check.timer
    systemctl set-default graphical.target
+    echo 'Systemd services configured'
 "

 # ============================================================================
@@ -217,7 +281,7 @@ sudo rm -rf "$CHROOT_DIR/tmp/"*
 # ============================================================================

 echo ""
-echo "[9/9] Creating disk images..."
+echo "[11/11] Creating disk images..."

 # Create raw disk image for physical system
 RAW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-physical.img"
--- a/docs/SECURITY-BASELINES.md
+++ b/docs/SECURITY-BASELINES.md