football/README.md
Charles N Wyble 336089a1c5 feat: upgrade to Debian 13 (trixie)
- Update build script to use Debian 13 trixie
- Update APT sources for Debian 13
- Update documentation references to Debian 13
- Update compliance standards to include CMMC Level 3

This upgrade provides:
- Latest security patches
- Improved kernel hardening capabilities
- Enhanced package management
- Better compatibility with modern security standards

References:
- CIS Debian 13 Benchmark
- CMMC Level 3
- FedRAMP Moderate

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:32:57 -05:00


Football - Minimal Debian Secure Access System

Fully self-contained, stripped-down, and locked-down Debian image intended for deployment onto physical-access-only systems (Dell laptop), named football-(x). Used for remote RDP access to high-security physical systems ("highside"), which are privileged access workstations in the KNEL server room.

Overview

Football is a minimal Debian system designed for secure remote access to privileged infrastructure. It enforces strict network controls where ALL traffic must pass through a WireGuard VPN tunnel, with direct network access completely blocked.

Architecture

Security Model

  • Zero remote access: No SSH, telnet, or any inbound services
  • WireGuard-only networking: All traffic routed through mandatory VPN tunnel
  • Secure Boot enforced: Kernel and bootloader signatures verified
  • Minimal attack surface: Only IceWM and Remmina installed
  • Local console only: No remote administration capabilities

Network Configuration

Physical Interface (eth0)
├─ DHCP: Allowed (for IP acquisition)
└─ WireGuard: ONLY allowed connection to configured endpoint
    └─ Endpoint: WG_ENDPOINT_IP:WG_ENDPOINT_PORT (configurable)

WireGuard Interface (wg0)
└─ ALL outbound traffic
    └─ VPN endpoint → PAW (Privileged Access Workstation)

Firewall Rules

  • INPUT: DROP (except lo, UDP from the configured WireGuard endpoint, and DHCP replies)
  • OUTPUT: DROP on eth0 (except UDP to the WireGuard endpoint and DHCP requests)
  • FORWARD: DROP
  • OUTPUT on wg0: ACCEPT (all VPN traffic)

Quick Start

Prerequisites

# Install build dependencies (requires Debian 13 Trixie or later)
sudo apt-get install debootstrap qemu-utils kpartx squashfs-tools

Generate WireGuard Keys

# Generate client key pair
wg genkey | tee client-private.key | wg pubkey > client-public.key

# Add the client's public key as a peer on your WireGuard VPN server
# (server-side configuration; paste the contents of client-public.key,
# a config file does not expand shell syntax such as $(cat ...)):
# [Peer]
# PublicKey = <contents of client-public.key>
# AllowedIPs = 10.100.0.2/32

Configure Build

Edit build.sh and set the following variables:

WG_ENDPOINT_IP="192.0.2.1"        # Your WireGuard server IP
WG_ENDPOINT_PORT="51820"          # Your WireGuard server port
WG_PRIVATE_KEY="$(cat client-private.key)"  # Client private key
WG_PUBLIC_KEY="<SERVER_PUBLIC_KEY>"         # Server public key

Build Image

./build.sh

This creates:

  • output/football-physical.img - Raw image for physical hardware
  • output/football-vm.qcow2 - QCOW2 image for virtual machines
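Before running ./build.sh it is worth checking the four variables for the mistakes that otherwise surface only as a tunnel that never comes up on the deployed laptop (mistyped endpoint, the <SERVER_PUBLIC_KEY> placeholder left in, a key that is not 32 base64-encoded bytes). The checker below is an added example, not part of the football project; it assumes the variable names shown above, POSIX sh with coreutils base64/head/tr, and uses constructed sample keys rather than real key material.

```shell
#!/bin/sh
# Pre-build sanity check for the WireGuard variables that build.sh bakes into
# the image. Added example, not part of the football project; it assumes the
# four variable names shown in the README and a base64 that accepts -d.

# is_ipv4 ADDR: exactly four dotted decimal octets, each 0-255.
is_ipv4() {
  case "$1" in ''|.*|*.|*..*) return 1 ;; esac
  _n=0; _old_ifs=$IFS; IFS=.
  for _o in $1; do
    case "$_o" in *[!0-9]*) IFS=$_old_ifs; return 1 ;; esac
    [ "$_o" -le 255 ] || { IFS=$_old_ifs; return 1; }
    _n=$((_n + 1))
  done
  IFS=$_old_ifs
  [ "$_n" -eq 4 ]
}

# is_port PORT: decimal 1-65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# wg_key_ok KEY: WireGuard keys are 32 bytes, base64-encoded (44 chars).
wg_key_ok() {
  [ "${#1}" -eq 44 ] || return 1
  case "$1" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
  [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" = 32 ]
}

# check_build_vars IP PORT PRIVATE_KEY SERVER_PUBLIC_KEY: report every problem;
# return 0 only when all four values are usable.
check_build_vars() {
  _rc=0
  is_ipv4 "$1"   || { echo "WG_ENDPOINT_IP is not an IPv4 address: $1"; _rc=1; }
  is_port "$2"   || { echo "WG_ENDPOINT_PORT is not a valid port: $2"; _rc=1; }
  wg_key_ok "$3" || { echo "WG_PRIVATE_KEY is not a 32-byte base64 key"; _rc=1; }
  wg_key_ok "$4" || { echo "WG_PUBLIC_KEY is not a 32-byte base64 key (placeholder still set?)"; _rc=1; }
  [ "$3" != "$4" ] || { echo "private key and server public key are identical"; _rc=1; }
  return $_rc
}

# Constructed sample keys (all-zero and all-0x01 bytes); real ones come from wg genkey.
SAMPLE_PRIV=$(head -c 32 /dev/zero | base64)
SAMPLE_PUB=$(head -c 32 /dev/zero | tr '\0' '\001' | base64)
check_build_vars "192.0.2.1" "51820" "$SAMPLE_PRIV" "$SAMPLE_PUB" && echo "build variables OK"
check_build_vars "192.0.2.1" "51820" "$SAMPLE_PRIV" "<SERVER_PUBLIC_KEY>" || echo "fix build.sh first"
```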

Deploy

Virtual Machine

qemu-system-x86_64 \
  -m 2048 \
  -drive file=output/football-vm.qcow2,format=qcow2

Physical System

  1. Write raw image to USB or disk:

    sudo dd if=output/football-physical.img of=/dev/sdX bs=4M status=progress
    
  2. Boot system with UEFI Secure Boot enabled

  3. Change default user password (changeme)

Directory Structure

football/
├── build.sh                      # Main build script
├── config/
│   ├── packages.list            # Minimal package list
│   ├── harden.sh                # System hardening script
│   ├── secureboot.sh            # Secure Boot configuration
│   └── setup-wireguard.sh       # WireGuard setup script
├── chroot-overlay/              # Files copied to built system
│   ├── etc/
│   │   ├── systemd/system/     # Systemd services
│   │   ├── wireguard/           # WireGuard config templates
│   │   └── network/interfaces  # Network configuration
│   └── home/user/              # User configuration
│       ├── .bashrc
│       ├── .xinitrc
│       ├── .icewm/preferences
│       └── Desktop/README.txt
└── output/                     # Generated images (not in git)

Security Features

Hardening Measures

  1. Network Isolation
    • All inbound traffic blocked
    • Only WireGuard traffic allowed on physical interface
    • Mandatory VPN tunnel for all outbound traffic

  2. Service Restrictions
    • SSH server disabled and masked
    • All remote access services removed
    • Bluetooth disabled
    • Unnecessary kernel modules disabled

  3. Secure Boot
    • GRUB locked with password protection
    • Kernel lockdown mode enabled
    • Signed bootloader (shim-signed)
    • EFI variables write-protected

  4. Application Whitelisting
    • Only IceWM and Remmina installed
    • No development tools
    • Minimal command-line utilities

  5. System Hardening
    • AppArmor enforcing
    • Fail2Ban enabled
    • Auditd logging
    • Core dumps disabled
    • Strict umask (077)

Firewall Rules (Detailed)

# IPv4 Rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow WireGuard to endpoint on eth0
iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP \
  -p udp --dport $WG_ENDPOINT_PORT -j ACCEPT
iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP \
  -p udp --sport $WG_ENDPOINT_PORT -j ACCEPT

# Allow DHCP on eth0
iptables -A OUTPUT -o eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 67 -j ACCEPT

# Allow ALL traffic on WireGuard interface
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
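One way to check that a deployed unit's live ruleset still matches the policy above (default DROP everywhere, nothing on eth0 except the WireGuard endpoint and DHCP). This audit is an added example, not part of the football project; it parses iptables-save output, assumes the README's placeholder endpoint values, and ships with constructed sample dumps so it runs offline.

```shell
#!/bin/sh
# Audit an iptables-save dump against the Football egress policy. Added
# example, not part of the project; endpoint values are the README's
# placeholders.
WG_ENDPOINT_IP="192.0.2.1"
WG_ENDPOINT_PORT="51820"

# make_dump RULES: wrap rule lines in iptables-save framing (constructed input).
make_dump() {
  printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n%s\nCOMMIT\n' "$1"
}

# The documented ruleset as iptables-save would print it.
DOC_RULES='-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -d 192.0.2.1/32 -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i eth0 -s 192.0.2.1/32 -p udp -m udp --sport 51820 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT'
GOOD_DUMP=$(make_dump "$DOC_RULES")
# The same ruleset plus one stray rule that would let HTTPS bypass the tunnel.
BAD_DUMP=$(make_dump "$DOC_RULES
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT")

# audit_dump DUMP: print each violation; return 0 if clean, 1 otherwise.
audit_dump() {
  _dump="$1"; _rc=0
  for _chain in INPUT FORWARD OUTPUT; do
    if ! printf '%s\n' "$_dump" | grep -q "^:$_chain DROP "; then
      echo "FAIL: $_chain policy is not DROP"; _rc=1
    fi
  done
  # Every ACCEPT on eth0, in either direction, must be the endpoint or DHCP.
  _bad=$(printf '%s\n' "$_dump" |
    grep -e '^-A OUTPUT -o eth0 .*-j ACCEPT$' -e '^-A INPUT -i eth0 .*-j ACCEPT$' |
    grep -v -e "-d $WG_ENDPOINT_IP/32 -p udp .*--dport $WG_ENDPOINT_PORT " \
            -e "-s $WG_ENDPOINT_IP/32 -p udp .*--sport $WG_ENDPOINT_PORT " \
            -e '-p udp .*--dport 67 ' -e '-p udp .*--sport 67 ' || true)
  if [ -n "$_bad" ]; then
    printf 'FAIL: eth0 rule outside policy: %s\n' "$_bad"; _rc=1
  fi
  return $_rc
}

audit_dump "$GOOD_DUMP" && echo "documented ruleset: OK"
audit_dump "$BAD_DUMP" || echo "stray rule detected"
# On a deployed unit, run: audit_dump "$(sudo iptables-save)"
```

The dump covers IPv4 only; run the same audit over ip6tables-save output as well, since iptables rules do not apply to IPv6 traffic on eth0.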

Usage

Default User

  • Username: user
  • Password: changeme (CHANGE IMMEDIATELY!)

Automatic Startup

  1. Login triggers automatic IceWM start
  2. Remmina launches automatically
  3. WireGuard tunnel establishes automatically
  4. Use Remmina to connect to PAW

Remmina Configuration

Create Remmina profiles in:

  • Path: /home/user/.local/share/remmina/
  • Protocol: RDP or VNC (as needed)
  • Server: PAW internal IP via WireGuard

System Administration

Local console access only:

# Check WireGuard status
sudo wg show

# View firewall rules
sudo iptables -L -n -v

# Check logs
sudo journalctl -u wg-quick@wg0
sudo journalctl -u block-remote-access

Troubleshooting

WireGuard Connection Fails

  1. Verify endpoint IP and port
  2. Check firewall rules allow WireGuard
  3. Verify keys are correctly configured
  4. Check WireGuard server logs

Network Blocked

  1. Confirm WireGuard interface is up: ip link show wg0
  2. Check firewall: sudo iptables -L -n -v
  3. Verify WireGuard config: sudo wg show

Secure Boot Issues

  1. Ensure UEFI is enabled
  2. Verify Microsoft UEFI CA is installed
  3. Check Secure Boot status: mokutil --sb-state

System Won't Boot

  1. Verify UEFI boot mode (not legacy BIOS)
  2. Check GRUB installation
  3. Review kernel logs from boot

Advanced Configuration

Customizing the Build

  • Edit config/packages.list to add or remove packages
  • Modify chroot-overlay/ to customize system files

Changing Image Size

Edit build.sh:

DISK_SIZE_MB=8192  # Change to desired size in MB

Multiple Deployment Profiles

Create different build.sh variants with different configurations for various deployment scenarios.

Security Considerations

Before Deployment

  1. Generate unique WireGuard keys per deployment
  2. Change default password
  3. Verify Secure Boot configuration
  4. Test WireGuard connection
  5. Verify firewall rules
  6. Configure PAW connection in Remmina

During Operation

  1. Monitor the WireGuard connection
  2. Review audit logs regularly
  3. Keep the system updated (manual, controlled updates)
  4. Maintain physical security of the device

Incident Response

If compromise is suspected:

  1. Isolate system physically
  2. Preserve logs and memory dump
  3. Contact security team
  4. Destroy/rebuild system from scratch

Compliance

This system is designed to support:

  • NIST SP 800-171 controls
  • NIST SP 800-53 Moderate
  • CIS Benchmarks for Debian 13 (Trixie)
  • CMMC Level 3 controls
  • FedRAMP Moderate controls
  • Zero Trust network architecture principles
  • Privileged Access Management (PAM) best practices

License

See LICENSE file.

Support

For issues or questions:

  • Contact: Infrastructure Security Team
  • Location: KNEL server room

WARNING: This is a security-focused build system. Unauthorized modifications or deployments may compromise infrastructure security.