football

KNEL/football

Fork 0

Commit Graph

Author	SHA1	Message	Date
Charles N Wyble	ac7df85a0e	feat: add security baselines guide and update build script Security Baselines Guide Includes: - Comprehensive security baseline overview - Kernel parameters verification - Firewall rules baseline - Authentication and password baselines - Audit rules baseline - Service baselines (enabled/prohibited) - File permission baselines - AIDE configuration baseline - Logging baselines - Initial hardening procedures - Baseline verification procedures - Ongoing hardening activities (daily/weekly/monthly/quarterly/annual) - Baseline maintenance procedures - Compliance verification for CIS/CMMC/FedRAMP - Troubleshooting guide - Quick reference commands Build Script Updates: - Add PAM configuration step (common-password-cis) - Add faillock configuration for account lockout - Add AIDE database initialization - Add Secure Boot configuration step - Add additional systemd services (auditd, rsyslog, apparmor, aide-check.timer) - Update step numbers to 11/11 for consistency - Improve hardening script execution Security Controls Applied: - PAM with CIS password policies - Account lockout (5 attempts, 15 minutes) - AIDE database initialization - Secure Boot configuration - All security services enabled Compliance Standards: - CIS Debian 13 Benchmark - CMMC Level 3 - FedRAMP Moderate - NIST SP 800-53 Moderate - NIST SP 800-171 This guide provides complete baseline verification and maintenance procedures for Tier0 infrastructure protection. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 14:20:05 -05:00
Charles N Wyble	336089a1c5	feat: upgrade to Debian 13 (trixie) - Update build script to use Debian 13 trixie - Update APT sources for Debian 13 - Update documentation references to Debian 13 - Update compliance standards to include CMMC Level 3 This upgrade provides: - Latest security patches - Improved kernel hardening capabilities - Enhanced package management - Better compatibility with modern security standards References: - CIS Debian 13 Benchmark - CMMC Level 3 - FedRAMP Moderate 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 12:32:57 -05:00
Charles N Wyble	17dcee7e52	feat: add minimal Debian image build system with WireGuard-only networking Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 12:11:18 -05:00

Author

SHA1

Message

Date

Charles N Wyble

ac7df85a0e

feat: add security baselines guide and update build script

Security Baselines Guide Includes:
- Comprehensive security baseline overview
- Kernel parameters verification
- Firewall rules baseline
- Authentication and password baselines
- Audit rules baseline
- Service baselines (enabled/prohibited)
- File permission baselines
- AIDE configuration baseline
- Logging baselines
- Initial hardening procedures
- Baseline verification procedures
- Ongoing hardening activities (daily/weekly/monthly/quarterly/annual)
- Baseline maintenance procedures
- Compliance verification for CIS/CMMC/FedRAMP
- Troubleshooting guide
- Quick reference commands

Build Script Updates:
- Add PAM configuration step (common-password-cis)
- Add faillock configuration for account lockout
- Add AIDE database initialization
- Add Secure Boot configuration step
- Add additional systemd services (auditd, rsyslog, apparmor, aide-check.timer)
- Update step numbers to 11/11 for consistency
- Improve hardening script execution

Security Controls Applied:
- PAM with CIS password policies
- Account lockout (5 attempts, 15 minutes)
- AIDE database initialization
- Secure Boot configuration
- All security services enabled

Compliance Standards:
- CIS Debian 13 Benchmark
- CMMC Level 3
- FedRAMP Moderate
- NIST SP 800-53 Moderate
- NIST SP 800-171

This guide provides complete baseline verification and
maintenance procedures for Tier0 infrastructure protection.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 14:20:05 -05:00

Charles N Wyble

336089a1c5

feat: upgrade to Debian 13 (trixie)

- Update build script to use Debian 13 trixie
- Update APT sources for Debian 13
- Update documentation references to Debian 13
- Update compliance standards to include CMMC Level 3

This upgrade provides:
- Latest security patches
- Improved kernel hardening capabilities
- Enhanced package management
- Better compatibility with modern security standards

References:
- CIS Debian 13 Benchmark
- CMMC Level 3
- FedRAMP Moderate

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 12:32:57 -05:00

Charles N Wyble

17dcee7e52

feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 12:11:18 -05:00

3 Commits