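#!/bin/bash
# Football System Security Configuration
# Applied during installation via preseed late_command
#
# Runs as root inside the target system and writes fixed configuration
# files; nothing here reads untrusted input.
#
# Environment:
#   FOOTBALL_USER - login name of the desktop account to configure
#                   (default: "user", the name the script originally assumed)

set -euo pipefail

readonly FOOTBALL_USER="${FOOTBALL_USER:-user}"
readonly FOOTBALL_HOME="/home/${FOOTBALL_USER}"

#######################################
# Print a message to stderr and abort the run.
# Arguments: message words
# Returns:   never (exit 1)
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Write the libpwquality policy and the PAM password stack that enforces it.
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
configure_password_policy() {
  echo "Configuring password complexity..."

  # Minimum requirements:
  # - Minimum 12 characters
  # - Require mixed case
  # - Require at least one digit
  # - Require at least one special character
  # - Require 3 character classes
  #
  # libpwquality spells per-class minimums as <class>credit with a negative
  # value (ucredit = -1 means "at least one uppercase letter"). The
  # minupper/minlower/mindigit/minspecial and maxlen keys used previously are
  # not pwquality settings, so that part of the policy was never enforced.
  cat > /etc/security/pwquality.conf << 'EOF'
# Football Password Complexity Requirements

# Minimum password length
minlen = 12
# Minimum number of character classes required
minclass = 3
# At least one uppercase letter (negative credit = required count)
ucredit = -1
# At least one lowercase letter
lcredit = -1
# At least one digit
dcredit = -1
# At least one special character
ocredit = -1
# Reject passwords containing the username (straight or reversed)
usercheck = 1
# Apply these rules to root as well
enforce_for_root = 1
# Reject passwords found in the cracklib dictionary
dictcheck = 1
# Reject more than 3 consecutive identical characters
maxrepeat = 3
# Reject monotonic character sequences longer than 3 (abcd, 1234)
maxsequence = 3
# Reject passwords containing words from the user's GECOS field
gecoscheck = 1
# Reject passwords containing these words
badwords = football password admin root
EOF

  # Hand-written stack: this bypasses pam-auth-update, so later runs of that
  # tool will not manage the file. Control flow: pam_pwquality must pass;
  # pam_unix on success jumps over pam_deny to pam_permit, on failure falls
  # through to pam_deny. The previous stack's success=1 landed on pam_deny
  # (every password change was refused), and its `nullok` accepted empty
  # passwords in spite of the complexity policy.
  cat > /etc/pam.d/common-password << 'EOF'
# PAM configuration for password quality
# Enforces Football security requirements
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 rounds=5000
password requisite pam_deny.so
password required pam_permit.so
EOF

  echo "✅ Password complexity configured"
  echo ""
  echo "Password Requirements:"
  echo " • Minimum 12 characters"
  echo " • Mixed case (uppercase and lowercase)"
  echo " • At least one number (0-9)"
  echo " • At least one special character (!@#$%^&*)"
  echo " • No dictionary words or common patterns"
  echo ""
}

#######################################
# Append an xautolock invocation to the desktop user's .xinitrc.
# Globals:   FOOTBALL_HOME (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 in every case; a missing .xinitrc is reported, not fatal
#######################################
configure_autolock() {
  echo "Configuring auto-lock after 1 minute..."

  local xinitrc="${FOOTBALL_HOME}/.xinitrc"

  # xautolock is expected from the package list; nothing is installed here.
  if [[ ! -f "$xinitrc" ]]; then
    echo "⚠️ .xinitrc not found (will be created later)"
    return 0
  fi

  # Idempotent: re-running the script must not start a second xautolock.
  if grep -q 'xautolock' -- "$xinitrc"; then
    echo "✅ Auto-lock already configured"
    return 0
  fi

  # NOTE(review): this appends at the end of .xinitrc. If the file already
  # ends in an `exec` of the window manager, the appended line is never
  # reached — confirm the file's layout on the target image.
  cat >> "$xinitrc" << 'EOF'
# Auto-lock screen after 1 minute of idle
xautolock -time 1 -locker "xscreensaver-command -lock" -detectsleep -corners 0000 -cornerredelay 3 &
EOF
  echo "✅ Auto-lock configured"
}

#######################################
# Allow members of plugdev to mount and eject removable media via udisks2,
# and put the desktop user into plugdev and cdrom.
# Globals:   FOOTBALL_USER (read)
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
configure_usb_mount() {
  echo "Configuring USB drive mounting..."

  # NOTE(review): .pkla files are read by polkit's localauthority backend,
  # which newer polkit releases ship separately or drop entirely — confirm
  # the target release still honours them; otherwise a JavaScript rule in
  # /etc/polkit-1/rules.d is required.
  # Identity is the plugdev group (which the user is added to below) rather
  # than unix-user:*, so service accounts do not inherit mount rights.
  mkdir -p /etc/polkit-1/localauthority/50-local.d
  cat > /etc/polkit-1/localauthority/50-local.d/10-allow-usb-mount.pkla << 'EOF'
[Allow USB Mounting]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks2.filesystem-mount
ResultAny=yes
EOF
  cat > /etc/polkit-1/localauthority/50-local.d/20-allow-usb-eject.pkla << 'EOF'
[Allow USB Eject]
Identity=unix-group:plugdev
Action=org.freedesktop.udisks2.eject-media
ResultAny=yes
EOF

  # The account may not exist yet when late_command runs; skip silently then.
  if id "$FOOTBALL_USER" >/dev/null 2>&1; then
    usermod -a -G plugdev "$FOOTBALL_USER"
    usermod -a -G cdrom "$FOOTBALL_USER"
    echo "✅ User added to plugdev and cdrom groups"
  fi

  echo "✅ USB mounting configured"
  echo ""
  echo "USB Drive Mounting:"
  echo " • User can mount USB drives via file manager"
  echo " • USB drives appear in IceWM menu"
  echo " • Use Remmina or IceWM file manager to browse USB"
  echo ""
}

#######################################
# Write a minimal LightDM configuration: no user list, no guest, no XDMCP.
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
configure_lightdm() {
  echo "Configuring LightDM display manager..."

  # The directory may not exist yet; `cat >` into it would abort under set -e.
  mkdir -p /etc/lightdm

  # Seat-level keys (greeter choice, guest, user list, autologin) all live
  # under [Seat:*]. The previous file placed several of them under [LightDM]
  # and a [Greeter] section, where lightdm does not read them.
  cat > /etc/lightdm/lightdm.conf << 'EOF'
[Seat:*]
# Minimal greeter
greeter-session=lightdm-gtk-greeter
# Disable guest sessions
allow-guest=false
greeter-allow-guest=false
# Do not list accounts; require the username to be typed
greeter-hide-users=true
greeter-show-manual-login=true
# Auto-login disabled
autologin-user=
autologin-user-timeout=0

[XDMCPServer]
# XDMCP disabled (no remote X sessions)
enabled=false
EOF

  # Appearance keys belong to the gtk greeter's own configuration file.
  cat > /etc/lightdm/lightdm-gtk-greeter.conf << 'EOF'
[greeter]
# Minimal theme
theme-name=Adwaita
EOF

  echo "✅ LightDM configured"
  echo ""
  echo "Display Manager Features:"
  echo " • LightDM (minimal and lightweight)"
  echo " • Usernames hidden (no account picking)"
  echo " • Manual username/password entry"
  echo " • No guest sessions"
  echo " • No user switching"
  echo ""
}

#######################################
# Create the directory the football verification log is written to.
# Arguments: none
# Outputs:   progress messages on stdout
#######################################
configure_logging() {
  echo "Configuring logging..."
  mkdir -p /var/log/football
  echo "✅ Logging configured"
  echo ""
}

#######################################
# Print the closing summary. Lists only what this script actually applied.
# Arguments: none
# Outputs:   summary on stdout
#######################################
print_summary() {
  echo "================================================"
  echo "Football Security Configuration Complete"
  echo "================================================"
  echo ""
  echo "Applied Configurations:"
  echo " ✓ Password complexity enforcement (12+ chars, mixed case, numbers, special chars)"
  echo " ✓ Auto-lock after 1 minute idle"
  echo " ✓ USB drive mounting enabled"
  echo " ✓ LightDM hardened (no user list, no guest, no XDMCP)"
  echo " ✓ Logging configured"
  echo ""
  echo "Security configuration successfully applied!"
}

main() {
  # Every step writes under /etc; fail early with a clear message otherwise.
  [[ "$EUID" -eq 0 ]] || die "must run as root"

  echo "Applying Football security configuration..."
  configure_password_policy
  configure_autolock
  configure_usb_mount
  configure_lightdm
  configure_logging
  print_summary
}

main "$@"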