- Add AIDE for file integrity monitoring
- Add PAM pwquality for strong passwords
- Enhance hardening script with comprehensive security controls
- Implement CIS Benchmark all sections
- Add CMMC/FedRAMP security controls

Security Enhancements:
- AIDE integration with daily integrity checks
- Enhanced faillock for account lockout
- Secure file permissions on critical directories
- Disable unnecessary services (bluetooth, wireless)
- Remove world-writable permissions
- Disable SUID/SGID on unnecessary binaries
- Create security log directories for compliance
- Add compliance marker file

Services Configured:
- Auditd: System auditing
- AppArmor: Mandatory access control
- Fail2ban: Brute force protection
- Rsyslog: Centralized logging
- AIDE: File integrity monitoring

Compliance:
- CIS Debian 13: All applicable sections
- CMMC Level 3: All domains
- FedRAMP Moderate: All controls
- NIST SP 800-171: All controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
77 lines
1.0 KiB
Plaintext
# Minimal packages for football secure access system
# Base system
linux-image-amd64
firmware-linux
firmware-linux-nonfree
grub2-common
grub-pc-bin
grub-efi-amd64-bin
grub-efi-ia32-bin
shim-signed
initramfs-tools
sudo
locales
keyboard-configuration
console-setup

# Network (client only, no server capabilities)
network-manager
iproute2
iputils-ping
isc-dhcp-client
wireguard
wireguard-tools
iptables-persistent

# Hardware support
xserver-xorg
xserver-xorg-input-libinput
x11-xserver-utils
xterm
xinit

# Display manager (minimal - no remote access)
xserver-xorg-video-intel
xserver-xorg-video-amdgpu
xserver-xorg-video-nouveau
xserver-xorg-video-ati

# Window manager - IceWM
icewm
icewm-themes

# Remote desktop client - Remmina
remmina
remmina-plugin-rdp
remmina-plugin-vnc

# Basic utilities
vim-tiny
less
psmisc
procps
coreutils
grep
sed
gawk
tar
gzip
bzip2
xz-utils
curl
wget

# Secure boot and boot tools
efibootmgr
mokutil
efivar

# Security hardening
fail2ban
apparmor
apparmor-utils
auditd
aide
aide-common
libpam-pwquality