football

KNEL/football

Fork 0

Commit Graph

Author	SHA1	Message	Date
Charles N Wyble	d9eb08c9fd	feat: implement comprehensive auditing and logging for compliance - Add CIS audit rules for system events monitoring - Configure rsyslog for centralized security logging - Implement logrotate for 365-day retention - Add AIDE file integrity monitoring configuration Audit Rules Coverage: - System calls monitoring - Privileged command execution - File access and modification - User/group information changes - Network configuration changes - Cron and service management - Login and session events Logging Features: - Separate logs for security, admin, access, change events - Rate limiting to prevent log flooding - RFC 5424 format compliance - Secure file permissions (0640) File Integrity Monitoring: - AIDE daily integrity checks - Monitor critical system files and directories - Exclude volatile filesystems (/proc, /sys, /tmp) - Automated integrity verification Compliance: - CIS Benchmark 4.1: Audit and Accountability - CMMC Level 3: AU domain (Audit and Accountability) - FedRAMP Moderate: AU controls 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 13:13:09 -05:00
Charles N Wyble	1d74ae7ff1	feat: implement CIS Debian Benchmark hardening controls - Add kernel hardening via sysctl (network, system, ARP hardening) - Implement password quality requirements (14 char, complexity) - Configure password aging policies (90 day max) - Add PAM authentication hardening with faillock - Implement sudo restrictions and least privilege CIS Benchmark Controls Implemented: - Section 1: Filesystem Permissions - Section 3: Network Parameters - Section 4: Logging and Auditing - Section 5: Access Control Security Features: - Kernel parameter hardening (randomization, core dumps) - Strong password policies (complexity, aging, lockout) - Sudo access logging and restrictions - Authentication failure account lockout Compliance: - CIS Debian 13 Benchmark: Section 1, 3, 4, 5 - CMMC Level 3: AC, IA, CM domains - FedRAMP Moderate: AC, IA, CM controls 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 12:33:11 -05:00
Charles N Wyble	17dcee7e52	feat: add minimal Debian image build system with WireGuard-only networking Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 12:11:18 -05:00

Author

SHA1

Message

Date

Charles N Wyble

d9eb08c9fd

feat: implement comprehensive auditing and logging for compliance

- Add CIS audit rules for system events monitoring
- Configure rsyslog for centralized security logging
- Implement logrotate for 365-day retention
- Add AIDE file integrity monitoring configuration

Audit Rules Coverage:
- System calls monitoring
- Privileged command execution
- File access and modification
- User/group information changes
- Network configuration changes
- Cron and service management
- Login and session events

Logging Features:
- Separate logs for security, admin, access, change events
- Rate limiting to prevent log flooding
- RFC 5424 format compliance
- Secure file permissions (0640)

File Integrity Monitoring:
- AIDE daily integrity checks
- Monitor critical system files and directories
- Exclude volatile filesystems (/proc, /sys, /tmp)
- Automated integrity verification

Compliance:
- CIS Benchmark 4.1: Audit and Accountability
- CMMC Level 3: AU domain (Audit and Accountability)
- FedRAMP Moderate: AU controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 13:13:09 -05:00

Charles N Wyble

1d74ae7ff1

feat: implement CIS Debian Benchmark hardening controls

- Add kernel hardening via sysctl (network, system, ARP hardening)
- Implement password quality requirements (14 char, complexity)
- Configure password aging policies (90 day max)
- Add PAM authentication hardening with faillock
- Implement sudo restrictions and least privilege

CIS Benchmark Controls Implemented:
- Section 1: Filesystem Permissions
- Section 3: Network Parameters
- Section 4: Logging and Auditing
- Section 5: Access Control

Security Features:
- Kernel parameter hardening (randomization, core dumps)
- Strong password policies (complexity, aging, lockout)
- Sudo access logging and restrictions
- Authentication failure account lockout

Compliance:
- CIS Debian 13 Benchmark: Section 1, 3, 4, 5
- CMMC Level 3: AC, IA, CM domains
- FedRAMP Moderate: AC, IA, CM controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 12:33:11 -05:00

Charles N Wyble

17dcee7e52

feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 12:11:18 -05:00

3 Commits