football

KNEL/football

Fork 0

Commit Graph

Author	SHA1	Message	Date
Charles N Wyble	b48d7450ee	feat: add security packages and enhance hardening script - Add AIDE for file integrity monitoring - Add PAM pwquality for strong passwords - Enhance hardening script with comprehensive security controls - Implement CIS Benchmark all sections - Add CMMC/FedRAMP security controls Security Enhancements: - AIDE integration with daily integrity checks - Enhanced faillock for account lockout - Secure file permissions on critical directories - Disable unnecessary services (bluetooth, wireless) - Remove world-writable permissions - Disable SUID/SGID on unnecessary binaries - Create security log directories for compliance - Add compliance marker file Services Configured: - Auditd: System auditing - AppArmor: Mandatory access control - Fail2ban: Brute force protection - Rsyslog: Centralized logging - AIDE: File integrity monitoring Compliance: - CIS Debian 13: All applicable sections - CMMC Level 3: All domains - FedRAMP Moderate: All controls - NIST SP 800-171: All controls 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 13:13:26 -05:00
Charles N Wyble	336089a1c5	feat: upgrade to Debian 13 (trixie) - Update build script to use Debian 13 trixie - Update APT sources for Debian 13 - Update documentation references to Debian 13 - Update compliance standards to include CMMC Level 3 This upgrade provides: - Latest security patches - Improved kernel hardening capabilities - Enhanced package management - Better compatibility with modern security standards References: - CIS Debian 13 Benchmark - CMMC Level 3 - FedRAMP Moderate 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 12:32:57 -05:00
Charles N Wyble	17dcee7e52	feat: add minimal Debian image build system with WireGuard-only networking Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-13 12:11:18 -05:00

Author

SHA1

Message

Date

Charles N Wyble

b48d7450ee

feat: add security packages and enhance hardening script

- Add AIDE for file integrity monitoring
- Add PAM pwquality for strong passwords
- Enhance hardening script with comprehensive security controls
- Implement CIS Benchmark all sections
- Add CMMC/FedRAMP security controls

Security Enhancements:
- AIDE integration with daily integrity checks
- Enhanced faillock for account lockout
- Secure file permissions on critical directories
- Disable unnecessary services (bluetooth, wireless)
- Remove world-writable permissions
- Disable SUID/SGID on unnecessary binaries
- Create security log directories for compliance
- Add compliance marker file

Services Configured:
- Auditd: System auditing
- AppArmor: Mandatory access control
- Fail2ban: Brute force protection
- Rsyslog: Centralized logging
- AIDE: File integrity monitoring

Compliance:
- CIS Debian 13: All applicable sections
- CMMC Level 3: All domains
- FedRAMP Moderate: All controls
- NIST SP 800-171: All controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 13:13:26 -05:00

Charles N Wyble

336089a1c5

feat: upgrade to Debian 13 (trixie)

- Update build script to use Debian 13 trixie
- Update APT sources for Debian 13
- Update documentation references to Debian 13
- Update compliance standards to include CMMC Level 3

This upgrade provides:
- Latest security patches
- Improved kernel hardening capabilities
- Enhanced package management
- Better compatibility with modern security standards

References:
- CIS Debian 13 Benchmark
- CMMC Level 3
- FedRAMP Moderate

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 12:32:57 -05:00

Charles N Wyble

17dcee7e52

feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-01-13 12:11:18 -05:00

3 Commits