# Football Secure Access System - Security Baselines and Hardening Guide

## Document Information

- **System Name**: Football Secure Access System
- **Classification**: Controlled Unclassified Information (CUI)
- **Version**: 1.0
- **Effective Date**: 2024-01-13
- **Review Date**: 2025-01-13

---

## Table of Contents

1. [Introduction](#1-introduction)
2. [Security Baseline Overview](#2-security-baseline-overview)
3. [Initial Hardening Procedures](#3-initial-hardening-procedures)
4. [Baseline Verification](#4-baseline-verification)
5. [Ongoing Hardening Activities](#5-ongoing-hardening-activities)
6. [Baseline Maintenance](#6-baseline-maintenance)
7. [Compliance Verification](#7-compliance-verification)
8. [Troubleshooting](#8-troubleshooting)

---

## 1. Introduction

### 1.1 Purpose

This guide establishes security baselines for the Football Secure Access System and provides procedures for verifying and maintaining compliance with those baselines.

### 1.2 Scope

This guide applies to:

- All Football Secure Access System deployments
- All system administrators
- All security assessments and audits
- All compliance verification activities

### 1.3 Baseline Principles

- 1.3.1 **Security by Default**: All systems are built with security as the default configuration
- 1.3.2 **Least Functionality**: Only necessary components and services are installed
- 1.3.3 **Defense in Depth**: Multiple layers of security controls are implemented
- 1.3.4 **Compliance by Design**: All configurations meet regulatory requirements

### 1.4 Applicable Standards

- **CIS Debian 13 Benchmark** (Version 3.0.0)
- **CMMC Level 3** (Department of Defense)
- **FedRAMP Moderate** (Federal Risk and Authorization Management Program)
- **NIST SP 800-53** (Security and Privacy Controls)
- **NIST SP 800-171** (Protecting Controlled Unclassified Information)

---

## 2. Security Baseline Overview

### 2.1 System Architecture Baseline

**Hardware Configuration:**

- UEFI Secure Boot: ENABLED
- TPM 2.0: PRESENT (if available)
- Physical ports: DISABLED (except for local administration)
- Removable media: DISABLED

**Software Configuration:**

- Operating System: Debian 13 (Trixie)
- Kernel: Latest security-patched version
- Packages: Minimal set (see packages.list)
- Services: Only required services enabled

**Network Configuration:**

- Physical Interface (eth0): WireGuard endpoint only
- Virtual Interface (wg0): All traffic through VPN
- Remote Access: DISABLED (no SSH, no other remote services)
- Firewall: Strict (WireGuard-only)
- DNS: Via VPN (10.100.0.1)

### 2.2 Security Control Baselines

#### 2.2.1 Kernel Parameters (sysctl)

```
net.ipv4.ip_forward = 0                      # IP forwarding disabled
net.ipv4.conf.all.send_redirects = 0         # Do not send ICMP redirects
net.ipv4.conf.all.accept_source_route = 0    # No source routing
net.ipv4.conf.all.accept_redirects = 0       # Do not accept ICMP redirects
net.ipv4.conf.all.rp_filter = 1              # Reverse path filtering
net.ipv4.tcp_syncookies = 1                  # SYN cookies enabled
net.ipv4.conf.all.log_martians = 1           # Log martian packets
net.ipv4.icmp_echo_ignore_broadcasts = 1     # No ICMP broadcast response
kernel.sysrq = 0                             # SysRq disabled
kernel.randomize_va_space = 2                # ASLR enabled
fs.protected_hardlinks = 1                   # Hard link protection
fs.protected_symlinks = 1                    # Symlink protection
kernel.yama.ptrace_scope = 1                 # Ptrace restrictions
```

**Verification:**

```bash
sysctl -a | grep -E "ip_forward|send_redirects|accept_source_route|accept_redirects|rp_filter|tcp_syncookies|log_martians|echo_ignore_broadcasts|sysrq|randomize_va_space|protected_hardlinks|protected_symlinks|ptrace_scope"
```

#### 2.2.2 Firewall Rules (iptables)

**Chain Policies:**

- INPUT: DROP
- FORWARD: DROP
- OUTPUT: DROP

**Allowed Traffic:**

```
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# WireGuard on eth0 (only to the endpoint).
# WG_ENDPOINT_IP and WG_ENDPOINT_PORT are placeholders for the deployment's
# configured WireGuard endpoint address and UDP port.
iptables -A OUTPUT -o eth0 -d "$WG_ENDPOINT_IP" -p udp --dport "$WG_ENDPOINT_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s "$WG_ENDPOINT_IP" -p udp --sport "$WG_ENDPOINT_PORT" -m state --state ESTABLISHED -j ACCEPT

# DHCP on eth0
iptables -A OUTPUT -o eth0 -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 67 -m state --state ESTABLISHED -j ACCEPT

# All traffic through WireGuard
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
```

**Verification:**

```bash
iptables -L -n -v

# Verify:
# - Chain policies are DROP
# - Only the WireGuard endpoint is allowed on eth0
# - DHCP is allowed on eth0
# - All traffic is allowed on wg0
```

#### 2.2.3 Authentication and Passwords

**Password Policy (pwquality.conf):**

```
minlen = 14            # Minimum length
lcredit = -1           # At least 1 lowercase letter
ucredit = -1           # At least 1 uppercase letter
dcredit = -1           # At least 1 digit
ocredit = -1           # At least 1 special character
difok = 3              # Minimum 3 characters changed from the old password
maxclassrepeat = 3     # Max 3 consecutive characters of the same class
maxrepeat = 3          # Max 3 consecutive identical characters
enforce_for_root       # Enforce for root too
```

**Login Configuration (login.defs):**

```
PASS_MAX_DAYS 90       # Password expires after 90 days
PASS_MIN_DAYS 1        # Minimum 1 day between changes
PASS_WARN_AGE 7        # Warn 7 days before expiration
LOGIN_RETRIES 5        # Maximum 5 login attempts before login exits
LOGIN_TIMEOUT 60       # 60 second login timeout
UMASK 077              # Secure umask
ENCRYPT_METHOD SHA512  # SHA512 password hashing
```

**Account Lockout (faillock.conf):**

```
deny = 5               # Lock after 5 failed attempts
unlock_time = 900      # Unlock after 15 minutes
even_deny_root         # Lock root too
root_unlock_time = 900 # Root unlock after 15 minutes
```

**Verification:**

```bash
# Check password policy
grep -E "minlen|lcredit|ucredit|dcredit|ocredit" /etc/security/pwquality.conf

# Check login.defs
grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE|UMASK|ENCRYPT_METHOD" /etc/login.defs

# Check account lockout
grep -E "deny|unlock_time" /etc/security/faillock.conf
```
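The verification commands in 2.2.1 through 2.2.3 print the current values but leave the comparison against the baseline to the reader. The script below is an added example and is not part of the Football build or test scripts: it normalises the three key/value layouts used above (the `key = value` form of `sysctl -a` output, pwquality.conf and faillock.conf; the `KEY value` form of login.defs; and bare flags such as `enforce_for_root`, which are treated as keys with an empty value) and reports every baseline key that is missing from the current state or carries a different value. The sample data inside it is constructed for the demo; on a host you would capture the live state first, for example `sysctl -a > /tmp/sysctl.now` followed by `check_baseline baseline.sysctl /tmp/sysctl.now`.

```shell
#!/usr/bin/env bash
# Added example (not part of the Football build or test scripts): a drift check for
# the key/value baselines in 2.2.1 and 2.2.3. It understands the three layouts
# those files use: "key = value" (sysctl -a output, pwquality.conf, faillock.conf),
# "KEY value" (login.defs) and bare flags with no value (enforce_for_root,
# even_deny_root). All sample data below is constructed for the demo.

# normalize_kv: read config lines on stdin, drop comments and blank lines, and
# emit one "key<TAB>value" record per line (empty value for a bare flag).
normalize_kv() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk 'NF == 0 { next }
         {
             line = $0
             sub(/[ \t]*=[ \t]*/, " ", line)                 # "a = b" -> "a b"
             key = line; sub(/[ \t].*$/, "", key)            # first token is the key
             val = line
             if (!sub(/^[^ \t]+[ \t]+/, "", val)) val = ""   # bare flag -> ""
             print key "\t" val
         }'
}

# check_baseline EXPECTED_FILE CURRENT_FILE
# Prints one line per expected key that is missing from CURRENT_FILE or carries a
# different value; prints nothing when the current state matches the baseline.
check_baseline() {
    tmp_e=$(mktemp) || return 1
    tmp_c=$(mktemp) || { rm -f "$tmp_e"; return 1; }
    normalize_kv < "$1" > "$tmp_e"
    normalize_kv < "$2" > "$tmp_c"
    awk -F '\t' '
        FILENAME == ARGV[1] { want[$1] = $2; next }   # first file: expected baseline
        { have[$1] = $2 }                              # second file: current state
        END {
            for (k in want) {
                if (!(k in have))
                    printf "MISSING %s (expected \"%s\")\n", k, want[k]
                else if (have[k] != want[k])
                    printf "DRIFT   %s (expected \"%s\", found \"%s\")\n", k, want[k], have[k]
            }
        }' "$tmp_e" "$tmp_c" | sort
    rm -f "$tmp_e" "$tmp_c"
}

# Demo 1 (constructed data): part of the 2.2.1 sysctl baseline against a
# "sysctl -a" dump where SysRq was turned back on and ptrace_scope was never set.
demo_sysctl_drift() {
    exp=$(mktemp); cur=$(mktemp)
    cat > "$exp" <<'EOF'
net.ipv4.ip_forward = 0        # IP forwarding disabled
net.ipv4.tcp_syncookies = 1    # SYN cookies enabled
kernel.sysrq = 0               # SysRq disabled
kernel.randomize_va_space = 2  # ASLR enabled
kernel.yama.ptrace_scope = 1   # Ptrace restrictions
EOF
    cat > "$cur" <<'EOF'
kernel.randomize_va_space = 2
kernel.sysrq = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
EOF
    check_baseline "$exp" "$cur"
    rm -f "$exp" "$cur"
}

# Demo 2 (constructed data): part of the 2.2.3 pwquality.conf baseline against a
# host that kept a short minimum length and lost the bare enforce_for_root flag.
demo_pwquality_drift() {
    exp=$(mktemp); cur=$(mktemp)
    cat > "$exp" <<'EOF'
minlen = 14
dcredit = -1
enforce_for_root
EOF
    cat > "$cur" <<'EOF'
# /etc/security/pwquality.conf
minlen = 8
dcredit = -1
EOF
    check_baseline "$exp" "$cur"
    rm -f "$exp" "$cur"
}

demo_sysctl_drift
demo_pwquality_drift
```

Because the comparison is on the whole normalised value, multi-token sysctl values (for example `kernel.printk`) are compared as a string, and a bare flag only matches when it is present on both sides. The demo runs print two findings each: a `DRIFT` line for `kernel.sysrq` and `minlen`, and a `MISSING` line for `kernel.yama.ptrace_scope` and `enforce_for_root`.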
#### 2.2.4 Audit Rules (auditd)

**Key Audit Rules:**

```
# Monitor execution of privileged commands
-w /usr/bin/sudo -p x -k privileged_cmd
-w /usr/bin/su -p x -k privileged_cmd
-w /usr/bin/passwd -p x -k privileged_cmd

# Monitor file access
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity

# Monitor configuration changes
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity

# Monitor cron jobs
-w /etc/crontab -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron

# Monitor time changes
-w /etc/localtime -p wa -k time-change
-w /etc/timezone -p wa -k time-change

# Monitor network changes
-w /etc/hosts -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale
-w /etc/wireguard/ -p wa -k system-locale
```

**Verification:**

```bash
# List loaded audit rules
auditctl -l

# Verify auditd is running
systemctl status auditd
```

#### 2.2.5 Service Baselines

**Required Services (ENABLED):**

```
auditd          # System auditing
rsyslog         # System logging
wg-quick@wg0    # WireGuard VPN
cron            # Job scheduling
systemd-logind  # Session management
```

**Prohibited Services (DISABLED/MASKED):**

```
ssh             # Remote access (PROHIBITED)
sshd            # Remote access daemon (PROHIBITED)
telnet          # Remote access (PROHIBITED)
rsh             # Remote access (PROHIBITED)
bluetooth       # Wireless (PROHIBITED)
cups            # Printing server (not needed)
nfs-common      # Network filesystem (PROHIBITED)
samba           # File sharing (PROHIBITED)
```

**Verification:**

```bash
# List enabled services
systemctl list-unit-files | grep enabled

# Verify SSH is masked
systemctl status ssh
systemctl status sshd

# Verify Bluetooth is disabled
systemctl status bluetooth
```

#### 2.2.6 File Permission Baselines

**Critical File Permissions:**

```
/etc/passwd           644 root:root
/etc/shadow           640 root:shadow
/etc/group            644 root:root
/etc/gshadow          640 root:shadow
/etc/sudoers          440 root:root
/etc/ssh/             600 root:root
/etc/ssh/sshd_config  600 root:root
/root                 700 root:root
/home/user            750 user:user
```

**Directory Permissions:**

```
/var/log          755 root:root
/var/log/audit    750 root:root
/etc              755 root:root
/etc/security     700 root:root
/etc/sudoers.d    750 root:root
```

**Verification:**

```bash
# Check critical file permissions
stat -c "%a %U:%G %n" /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers
```

#### 2.2.7 File Integrity Monitoring (AIDE)

**AIDE Configuration:**

```
Database: /var/lib/aide/aide.db
Scan frequency: Daily (via systemd timer)
Monitored directories:
  - /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin
  - /lib, /lib64, /usr/lib, /usr/local/lib
  - /etc (except volatile files)
  - /boot
  - /lib/modules
```

**Verification:**

```bash
# Check AIDE configuration
cat /etc/aide.conf

# Check AIDE database exists
ls -la /var/lib/aide/

# Check AIDE timer is enabled
systemctl status aide-check.timer
```

#### 2.2.8 Logging Baselines

**Log Retention:**

```
/var/log/audit/        365 days
/var/log/              365 days
/var/log/security/     365 days
/var/log/sudo/         365 days
/var/log/firewall/      90 days
/var/log/wireguard/     90 days
```

**Log Format:**

- System logs: rsyslog (RFC 5424 format)
- Audit logs: auditd (binary format)
- Sudo logs: Plain text with timestamp

**Verification:**

```bash
# Check logrotate configuration
cat /etc/logrotate.d/cis-logs

# Verify log files exist
ls -la /var/log/audit/ /var/log/security/ /var/log/sudo/

# Verify rsyslog configuration
cat /etc/rsyslog.d/50-cis-logging.conf
```

---

## 3. Initial Hardening Procedures

### 3.1 Pre-Installation Checklist

**Before deploying a Football system:**

- [ ] WireGuard keys generated and securely stored
- [ ] WireGuard endpoint IP and port confirmed
- [ ] UEFI Secure Boot enabled on target hardware
- [ ] Target hardware verified for Debian 13 compatibility
- [ ] Physical access controls verified
- [ ] Deployment authorization obtained
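Section 2.2.4 verifies the audit configuration with `auditctl -l`, which lists what the kernel has loaded but does not say whether that set matches the rules file. The script below is an added example and is not part of the Football project: it normalises both the rules file and the `auditctl -l` listing to one canonical rule per line and uses `comm` to report rules that are in the file but not loaded, and rules that are loaded but not in the file. The rules-file path `/etc/audit/rules.d/cis-audit.rules` is the one named in section 8.1 of this guide; that `auditctl -l` may print a directory watch without the trailing slash written in the rules file is an assumption made here and normalised away so it cannot raise a false alarm. The sample rules are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not part of the Football project): compare the audit rules a host
# should have (the 2.2.4 rules file) with the rules auditd actually loaded
# ("auditctl -l" output). Both sides are normalised the same way before the
# comparison. Sample data below is constructed for the demo.

export LC_ALL=C   # comm needs both inputs sorted under the same collation

# normalize_rules: stdin -> one canonical rule per line, sorted and de-duplicated.
# Drops comments and blank lines, collapses whitespace and removes a trailing slash
# from a watched directory path ("-w /etc/sudoers.d/" -> "-w /etc/sudoers.d").
# Assumption: auditctl -l may report directory watches without the slash, so both
# inputs are normalised rather than only one of them.
normalize_rules() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        -e '/^$/d' \
        -e 's#^-w \(/[^ ]*\)/ #-w \1 #' |
    sort -u
}

# compare_rules COMM_FLAG EXPECTED_FILE LOADED_FILE (internal helper)
compare_rules() {
    tmp_e=$(mktemp) || return 1
    tmp_l=$(mktemp) || { rm -f "$tmp_e"; return 1; }
    normalize_rules < "$2" > "$tmp_e"
    normalize_rules < "$3" > "$tmp_l"
    comm "$1" "$tmp_e" "$tmp_l"
    rm -f "$tmp_e" "$tmp_l"
}

# missing_rules EXPECTED_FILE LOADED_FILE: rules in the file that are not loaded.
missing_rules()    { compare_rules -23 "$1" "$2"; }

# unexpected_rules EXPECTED_FILE LOADED_FILE: loaded rules the file does not call for.
unexpected_rules() { compare_rules -13 "$1" "$2"; }

# Demo (constructed data): the identity rules from 2.2.4 as written in the rules
# file, against an "auditctl -l" listing where /etc/gshadow was never loaded and an
# extra watch on /etc/hosts is present. Note the slash on /etc/sudoers.d/ differs.
demo_rules_file=$(mktemp); demo_loaded=$(mktemp)
trap 'rm -f "$demo_rules_file" "$demo_loaded"' EXIT
cat > "$demo_rules_file" <<'EOF'
# Monitor file access
-w /etc/passwd     -p wa -k identity
-w /etc/shadow     -p wa -k identity
-w /etc/gshadow    -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
EOF
cat > "$demo_loaded" <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers.d -p wa -k identity
-w /etc/hosts -p wa -k system-locale
EOF

demo_missing()    { missing_rules    "$demo_rules_file" "$demo_loaded"; }
demo_unexpected() { unexpected_rules "$demo_rules_file" "$demo_loaded"; }

echo "Rules in the file but not loaded:";  demo_missing
echo "Rules loaded but not in the file:";  demo_unexpected
```

On a host the same two functions take the real files: `auditctl -l > /tmp/loaded.rules` and then `missing_rules /etc/audit/rules.d/cis-audit.rules /tmp/loaded.rules`. A non-empty result from either function is a finding for the daily audit rule validation; the demo reports `/etc/gshadow` as missing and `/etc/hosts` as unexpected, and does not flag `/etc/sudoers.d/`.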
### 3.2 Build Process

**The build script (build.sh) automatically applies all hardening:**

1. **Bootstrap minimal Debian 13**
   - Uses debootstrap with the minbase variant
   - Installs only required packages
2. **Apply chroot overlay**
   - Copies all configuration files
   - Implements all security baselines
3. **Configure WireGuard**
   - Generates the WireGuard configuration from the keys
   - Sets proper file permissions (600)
4. **Run hardening script (harden.sh)**
   - Disables remote access services
   - Configures the strict firewall
   - Applies kernel parameters
   - Configures audit rules
   - Enables security services
5. **Create bootable image**
   - Sets up the GPT partition table
   - Configures UEFI boot
   - Installs GRUB with password protection
   - Generates the final images

### 3.3 Post-Installation Verification

**After deployment, verify:**

**Step 1: Basic System Check**

```bash
# Verify Debian 13
cat /etc/debian_version   # Should be "trixie/sid"

# Check kernel version
uname -r

# Verify boot mode
[ -d /sys/firmware/efi ] && echo "UEFI boot" || echo "Legacy boot"
```

**Step 2: Verify WireGuard**

```bash
# Check WireGuard status
sudo wg show

# Verify WireGuard interface
ip link show wg0

# Check WireGuard connection
ping -c 3 10.100.0.1   # Ping VPN server
```

**Step 3: Verify Firewall**

```bash
# Check firewall rules
sudo iptables -L -n -v

# Verify policies
sudo iptables -L | grep "Chain"
# Should show: Chain INPUT (policy DROP), Chain FORWARD (policy DROP), Chain OUTPUT (policy DROP)
```

**Step 4: Verify Services**

```bash
# Check critical services
systemctl status auditd rsyslog cron wg-quick@wg0

# Verify SSH is not running
systemctl status ssh sshd   # Should show: "masked" or "inactive"
```

**Step 5: Verify Security Controls**

```bash
# Verify kernel parameters
sudo sysctl -a | grep -E "ip_forward|tcp_syncookies|randomize_va_space"

# Verify password policy
grep -E "minlen|lcredit|ucredit" /etc/security/pwquality.conf

# Verify audit rules
sudo auditctl -l | head -20

# Verify AIDE
ls -la /var/lib/aide/aide.db

# Verify log files
ls -la /var/log/audit/ /var/log/security/
```

**Step 6: Run Compliance Tests**

```bash
# Run automated compliance verification
./tests/verify-compliance.sh

# Run full compliance test suite
./tests/compliance-test.sh
```

---

## 4. Baseline Verification

### 4.1 Automated Verification

**Run the automated compliance verification script:**

```bash
cd /home/charles/Projects/football
./tests/verify-compliance.sh
```

**Expected Output:**

```
================================================
Automated Compliance Verification
================================================
Verifying CIS Debian 13 Benchmark Implementation...
Verifying CMMC Level 3 Implementation...
Verifying FedRAMP Moderate Implementation...

[INFO] Checking prerequisites...
[PASS] Section 1: Filesystems Configuration
[PASS] Section 3: Network Configuration
[PASS] Section 4: Logging and Auditing
[PASS] Section 5: Access Control
...

================================================
COMPLIANCE VERIFICATION SUMMARY
================================================
Total Controls Verified: 150
Compliant: 145
Partially Compliant: 5
Non-Compliant: 0
Compliance Percentage: 96%

✓ SYSTEM COMPLIANT

The system meets compliance requirements for:
✓ CIS Debian 13 Benchmark
✓ CMMC Level 3
✓ FedRAMP Moderate
✓ NIST SP 800-171
✓ NIST SP 800-53 Moderate
```

### 4.2 Manual Verification Checklist

**Complete this checklist after each deployment or significant change:**

**System Configuration:**

- [ ] Debian 13 (trixie) installed
- [ ] Kernel is the latest security-patched version
- [ ] UEFI boot enabled
- [ ] Secure Boot enabled (if supported)

**Network Configuration:**

- [ ] WireGuard configured with the correct endpoint
- [ ] WireGuard interface (wg0) is UP
- [ ] Can ping the VPN server (10.100.0.1)
- [ ] Firewall rules are correct
- [ ] All firewall policies are DROP
- [ ] No inbound services running

**Security Controls:**

- [ ] SSH is masked
- [ ] Telnet is not installed
- [ ] Bluetooth is disabled
- [ ] Wireless is disabled
- [ ] Auditd is running
- [ ] Rsyslog is running
- [ ] AIDE is configured
- [ ] AppArmor is enabled

**Kernel Parameters:**

- [ ] IP forwarding disabled
- [ ] Source routing disabled
- [ ] ICMP redirects disabled
- [ ] SYN cookies enabled
- [ ] ASLR enabled
- [ ] Core dumps disabled

**Authentication:**

- [ ] Password policy configured (14 character minimum, complexity)
- [ ] Password aging configured (90 days max)
- [ ] Account lockout configured (5 attempts)
- [ ] Umask set to 077
- [ ] SHA512 password hashing enabled

**File Permissions:**

- [ ] /etc/passwd: 644
- [ ] /etc/shadow: 640
- [ ] /etc/sudoers: 440
- [ ] /root: 700
- [ ] /home/user: 750

**Audit and Logging:**

- [ ] Audit rules loaded
- [ ] Audit logs being generated
- [ ] Security logs being generated
- [ ] Sudo logs being generated
- [ ] Log rotation configured
- [ ] Log retention meets requirements (365 days)

**Compliance Tests:**

- [ ] verify-compliance.sh passed
- [ ] compliance-test.sh passed
- [ ] All critical tests passed
- [ ] Compliance percentage >= 95%

---

## 5. Ongoing Hardening Activities

### 5.1 Daily Activities

**Automated (via systemd timers):**

- [ ] AIDE file integrity check runs daily
- [ ] Log rotation occurs automatically
- [ ] System log review for critical events

**Manual:**

- [ ] Review audit logs for critical security events
- [ ] Check WireGuard tunnel status
- [ ] Verify the system is responding normally

### 5.2 Weekly Activities

**Manual:**

- [ ] Review failed login attempts
- [ ] Review administrative actions (sudo logs)
- [ ] Review security event alerts
- [ ] Check for security updates
- [ ] Verify audit logs are being generated

### 5.3 Monthly Activities

**Manual:**

- [ ] Review all audit logs
- [ ] Verify file integrity check results
- [ ] Check for unauthorized configuration changes
- [ ] Review system performance
- [ ] Verify security services are running
- [ ] Update security documentation if changes were made

### 5.4 Quarterly Activities

**Manual:**

- [ ] Run the full compliance test suite (compliance-test.sh)
- [ ] Review and update security baselines
- [ ] Conduct security assessment
- [ ] Review access controls
- [ ] Audit user accounts and access rights
- [ ] Review and update incident response procedures

### 5.5 Annual Activities

**Manual:**

- [ ] Conduct full security audit
- [ ] Review and update all security policies
- [ ] Conduct penetration testing
- [ ] Review and update incident response procedures
- [ ] Conduct security awareness training
- [ ] Review and update compliance documentation
- [ ] Re-authorize system (if required by organization)

---

## 6. Baseline Maintenance

### 6.1 Updating Baselines

**When to update baselines:**

- Security patches are applied
- System configuration changes
- New security requirements are identified
- Compliance standards are updated
- Security assessments recommend changes

**Update Process:**

1. Document the need for the baseline change
2. Obtain approval for the change
3. Test the change in a non-production environment
4. Implement the change in production
5. Verify compliance after the change
6. Update baseline documentation
7. Update relevant policies and procedures

### 6.2 Re-Baselining After Changes

**After any significant change:**

1. **Run AIDE database update**

   ```bash
   sudo aide --init
   sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
   ```

2. **Re-run compliance verification**

   ```bash
   ./tests/verify-compliance.sh
   ./tests/compliance-test.sh
   ```

3. **Update documentation**
   - Update SECURITY-BASELINES.md
   - Update COMPLIANCE.md
   - Update relevant policies

4. **Document change**
   - Create change record
   - Include reason, impact, and test results
   - Store in change management system

### 6.3 Rollback Procedures

**If a baseline change causes issues:**

1. **Identify the problem**
   - What is not working correctly
   - What security control is affected
   - What is the impact on operations

2. **Assess rollback options**
   - Can the change be reverted?
   - Is there a backup of the previous configuration?
   - What is the risk of rollback?
3. **Execute rollback**
   - Restore the previous configuration
   - Revert to the previous AIDE database
   - Re-verify compliance

4. **Document rollback**
   - What was rolled back
   - Why it was rolled back
   - What was learned

---

## 7. Compliance Verification

### 7.1 CIS Debian 13 Benchmark Verification

**Score Required: >= 90% (171/190 controls)**

**Verification Method:**

```bash
# Run compliance test suite
./tests/compliance-test.sh | grep "CIS Benchmark"
```

**Key CIS Controls to Verify:**

- 1.1.1: Unused filesystems disabled
- 1.1.3: /tmp configured
- 3.1.1: IP forwarding disabled
- 3.2.8: TCP SYN cookies enabled
- 4.1.2: Audit records stored
- 5.2.1: SSH server not installed
- 5.4.1.1: Password creation requirements
- 5.4.2: Password hashing algorithm
- 6.1.1: System accounts secured

### 7.2 CMMC Level 3 Verification

**Required: All 176 practices implemented**

**Verification Method:**

```bash
# Run compliance test suite
./tests/compliance-test.sh | grep "CMMC"
```

**Key CMMC Domains to Verify:**

- AC (Access Control): All practices
- AU (Audit and Accountability): All practices
- CM (Configuration Management): All practices
- SC (System and Communications Protection): All practices
- SI (System and Information Integrity): All practices

### 7.3 FedRAMP Moderate Verification

**Required: All 325 controls implemented**

**Verification Method:**

```bash
# Run compliance test suite
./tests/compliance-test.sh | grep "FedRAMP"
```

**Key FedRAMP Controls to Verify:**

- AC-2: Account Management
- AU-2: Audit Events
- AU-6: Audit Review
- CM-2: Baseline Configuration
- SC-8: Transmission Confidentiality
- SI-7: Software and Firmware Integrity

### 7.4 Continuous Compliance Monitoring

**Automated Monitoring:**

- AIDE checks: Daily
- Audit rule validation: Daily
- Service status checks: Daily
- Firewall rule verification: Daily
- Kernel parameter verification: Weekly

**Reporting:**

- Daily: Critical security events
- Weekly: Security event summary
- Monthly: Compliance status report
- Quarterly: Full compliance review
- Annually: Comprehensive audit
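Section 7.4 calls for a daily report of critical security events and section 5.1 for a daily review of the audit logs; the keys attached to the rules in 2.2.4 (`identity`, `privileged_cmd`, `cron`, `time-change`, `system-locale`) are what make that review tractable. The script below is an added example and is not part of the Football project: it parses raw auditd `SYSCALL` records, counts events per audit key and lists every attempt, successful or not, to write to the identity files. On the host itself `ausearch -k identity -i` and `aureport` are the normal interface; a parser like this is for exported or forwarded copies of audit.log. The log records inside it are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not part of the Football project): first-pass triage of raw auditd
# records for the daily critical-event review in 5.1 and 7.4. Counts SYSCALL
# records per audit key (the -k values from 2.2.4) and lists who touched the
# identity files. The log below is constructed for the demo.

export LC_ALL=C

# Shared awk helper: field("auid") returns the value of " auid=..." in the current
# record with surrounding quotes removed. The leading space stops "uid=" from
# matching inside "auid=" or "euid=".
AUDIT_FIELD_FN='
function field(name,    m) {
    if (match($0, " " name "=\"?[^ \"]*\"?")) {
        m = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", m)
        return m
    }
    return ""
}'

# summarize_by_key LOGFILE: one "key count" line per audit key, sorted by key.
summarize_by_key() {
    awk "$AUDIT_FIELD_FN"'
        $1 == "type=SYSCALL" && / key="/ { count[field("key")]++ }
        END { for (k in count) printf "%s %d\n", k, count[k] }' "$1" | sort
}

# identity_events LOGFILE: "auid exe success" for every SYSCALL record tagged with
# the identity key, so denied attempts (success=no) are visible next to real changes.
identity_events() {
    awk "$AUDIT_FIELD_FN"'
        $1 == "type=SYSCALL" && field("key") == "identity" {
            print field("auid"), field("exe"), field("success")
        }' "$1" | sort -u
}

# Constructed sample log: two privileged command executions, one successful and one
# denied write under the identity key, one cron change. EXECVE and PATH records
# belong to the same events and are ignored by the SYSCALL-only parser.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1705147201.101:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1400 pid=1401 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="privileged_cmd"
type=EXECVE msg=audit(1705147201.101:201): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1705147202.202:202): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1401 pid=1450 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="identity"
type=PATH msg=audit(1705147202.202:202): item=0 name="/etc/sudoers.d/" inode=131090 mode=040750 ouid=0 ogid=0
type=SYSCALL msg=audit(1705147203.303:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1500 pid=1501 auid=1001 uid=1001 gid=1001 euid=1001 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1705147204.404:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1600 pid=1601 auid=1001 uid=1001 gid=1001 euid=0 comm="passwd" exe="/usr/bin/passwd" key="privileged_cmd"
type=SYSCALL msg=audit(1705147205.505:205): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1700 pid=1701 auid=1000 uid=0 gid=0 euid=0 comm="crontab" exe="/usr/bin/crontab" key="cron"
EOF

echo "Events per audit key:";                    summarize_by_key "$SAMPLE_LOG"
echo "Identity file events (auid exe success):"; identity_events "$SAMPLE_LOG"
```

The summary for the sample is `cron 1`, `identity 2`, `privileged_cmd 2`; the identity listing shows the successful write by login UID 1000 and the denied attempt by login UID 1001. Keying on `auid` rather than `uid` matters here: the successful write ran as `uid=0` under sudo, and only the login UID says which person did it. On a real host, point the functions at `/var/log/audit/audit.log` (root-only) or at the forwarded copy.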
---

## 8. Troubleshooting

### 8.1 Common Issues and Solutions

**Issue 1: WireGuard Tunnel Not Connecting**

**Symptoms:**

- Cannot ping the VPN server (10.100.0.1)
- `wg show` shows the interface down
- No traffic through wg0

**Diagnosis:**

```bash
# Check WireGuard status
sudo wg show

# Check WireGuard logs
sudo journalctl -u wg-quick@wg0

# Check network connectivity to the endpoint
# (WG_ENDPOINT_IP is a placeholder for the configured endpoint address)
ping -c 3 "$WG_ENDPOINT_IP"
```

**Solutions:**

1. Verify the endpoint IP and port are correct
2. Verify the WireGuard keys are correct
3. Check that the firewall allows WireGuard traffic
4. Verify the endpoint is accessible
5. Restart the WireGuard service

   ```bash
   sudo systemctl restart wg-quick@wg0
   ```

**Issue 2: Firewall Blocking Legitimate Traffic**

**Symptoms:**

- Cannot access resources through the VPN
- Connection timeouts
- Firewall drops shown in logs

**Diagnosis:**

```bash
# Check firewall rules
sudo iptables -L -n -v

# Check firewall logs
sudo tail -f /var/log/firewall.log
```

**Solutions:**

1. Verify the WireGuard interface is UP
2. Check that the firewall rules include ACCEPT on wg0
3. Verify the firewall policies are correct
4. Reload the firewall rules

   ```bash
   sudo systemctl restart block-remote-access
   ```

**Issue 3: Auditd Not Logging**

**Symptoms:**

- No audit logs in /var/log/audit/
- `auditctl -l` shows no rules loaded
- Security events not captured

**Diagnosis:**

```bash
# Check auditd status
sudo systemctl status auditd

# Check audit rules
sudo auditctl -l

# Check audit logs
sudo tail -f /var/log/audit/audit.log
```

**Solutions:**

1. Restart the auditd service

   ```bash
   sudo systemctl restart auditd
   ```

2. Reload the audit rules

   ```bash
   sudo augenrules --load
   ```

3. Verify the audit configuration

   ```bash
   cat /etc/audit/rules.d/cis-audit.rules
   ```

**Issue 4: AIDE Check Fails**

**Symptoms:**

- AIDE check reports many changes
- Unable to determine if changes are legitimate
- System appears compromised

**Diagnosis:**

```bash
# Run AIDE check
sudo aide --check

# Compare with expected changes
# (review system updates, configuration changes, etc.)
```

**Solutions:**

1. Identify legitimate changes (updates, config changes)
2. Verify no unauthorized changes
3. Update the AIDE database if the changes are legitimate

   ```bash
   sudo aide --init
   sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
   ```

4. If unauthorized changes are found, follow the incident response procedures

**Issue 5: System Won't Boot**

**Symptoms:**

- System hangs during boot
- UEFI boot menu not accessible
- GRUB error

**Diagnosis:**

```bash
# Check from UEFI shell or recovery media
# Review boot logs
```

**Solutions:**

1. Try booting from the recovery image
2. Check the GRUB configuration
3. Reinstall GRUB if needed
4. Verify UEFI Secure Boot settings
5. Contact the system vendor if a hardware issue is suspected

### 8.2 Getting Help

**Resources:**

- **Documentation**: /usr/share/doc/compliance/
- **Security Team**: security@knel.org
- **Infrastructure Team**: infra@knel.org
- **Compliance Officer**: compliance@knel.org

**Before requesting help:**

1. Gather system information:

   ```bash
   uname -a
   cat /etc/debian_version
   ls -la /etc/security/
   ```

2. Gather diagnostic information:

   ```bash
   sudo systemctl status auditd rsyslog wg-quick@wg0
   sudo iptables -L -n -v
   sudo auditctl -l
   ```

3. Check logs:

   ```bash
   sudo journalctl -xe
   sudo tail -50 /var/log/audit/audit.log
   ```

4. Try the basic troubleshooting steps above
5. Document what you've already tried

---

## Appendix A: Quick Reference Commands

### System Status Commands

```bash
# System information
uname -a
cat /etc/os-release
cat /etc/debian_version

# Service status
systemctl status auditd rsyslog wg-quick@wg0
systemctl list-unit-files | grep enabled

# Network status
ip link show
ip addr show
sudo wg show
ping -c 3 10.100.0.1
```

### Security Verification Commands

```bash
# Firewall
sudo iptables -L -n -v
sudo iptables-save

# Kernel parameters
sudo sysctl -a | grep -E "ip_forward|tcp_syncookies|randomize_va_space"

# Audit
sudo auditctl -l
sudo systemctl status auditd

# File permissions
stat -c "%a %U:%G %n" /etc/passwd /etc/shadow /etc/sudoers

# Password policy
cat /etc/security/pwquality.conf
cat /etc/login.defs
```

### Compliance Test Commands

```bash
# Automated verification
./tests/verify-compliance.sh

# Full compliance test suite
./tests/compliance-test.sh

# AIDE check
sudo aide --check

# Audit rule verification
sudo auditctl -l | wc -l
```

---

## Related Documents

- Security Policy (docs/SECURITY-POLICY.md)
- Incident Response Procedures (docs/INCIDENT-RESPONSE.md)
- Compliance Mapping (COMPLIANCE.md)
- README.md (project documentation)
- QUICKSTART.md (build and deployment guide)

---

**Document Control**

- **Owner**: Security Team
- **Approver**: CISO
- **Next Review**: 2025-01-13
- **Classification**: CUI
- **Version**: 1.0
- **Effective Date**: 2024-01-13

---

**End of Document**