Charles N Wyble
3cd1c31960
Comprehensive cleanup to remove all traces of old debootstrap-based
build system approach, now fully migrated to ISO-based installer.
1. **Removed Obsolete Files**:
- Dockerfile.dev (old debootstrap container definition)
- config/preseed.sh (obsolete debootstrap script)
- docs/CLEANUP-SUMMARY.md (historical cleanup docs)
- docs/TEST-EVIDENCE.md (historical test docs)
- docs/old/ (entire directory with obsolete docs)
- tests/build-and-test.sh (old debootstrap test script)
2. **Rewrote AGENTS.md**:
- Removed all obsolete build system sections (Build System,
Current Build Status, Build Environment, Proof Testing,
Known Issues, Next Steps)
- Kept current relevant sections (Orientation, Overview,
Architecture, Security Model, Compliance, File Structure,
Configuration, Scripts, Deployment, Verification)
- Updated to focus solely on ISO-based approach
- Reduced from 1306 lines to ~650 lines (clean and concise)
- Added proper Build System section for ISO approach
- Added Testing section
- Added Troubleshooting section
3. **Updated Active Documentation**:
- docs/FUNCTIONAL-REQUIREMENTS.md (corrected installer description)
- docs/BUILD-DOCUMENTATION.md (removed debootstrap reference)
- docs/SECURITY-BASELINES.md (removed debootstrap reference)
- AGENTS.md (updated with COMMIT_CONVENTIONS reference)
4. **Project Now Clean**:
- All debootstrap references removed
- All obsolete documentation removed
- Focus entirely on ISO-based installer approach
- Ready for clean ISO builds
Files Deleted:
- Dockerfile.dev
- config/preseed.sh
- docs/CLEANUP-SUMMARY.md
- docs/TEST-EVIDENCE.md
- docs/old/ (BUILD-CONTINUOUS-STATUS.md, BUILD-PROGRESS.md,
BUILD-STATUS.md, DOCKER-README.md, DOCKER-SOLUTION.md,
QUICKSTART.md)
- tests/build-and-test.sh
Files Updated:
- AGENTS.md (complete rewrite, removed ~650 lines of obsolete content)
- docs/FUNCTIONAL-REQUIREMENTS.md (corrected installer type)
- docs/BUILD-DOCUMENTATION.md (removed obsolete tool reference)
- docs/SECURITY-BASELINES.md (removed obsolete reference)
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Football - Minimal Debian Secure Access System
Fully self-contained, stripped-down, and locked-down Debian image intended for deployment onto physical access-only systems (Dell Laptop) called football-(x). Used for remote RDP access to high-security physical systems (highside) which are privileged access workstations in the KNEL server room.
Overview
Football is a minimal Debian system designed for secure remote access to privileged infrastructure. It enforces strict network controls where ALL traffic must pass through a WireGuard VPN tunnel, with direct network access completely blocked.
For complete functional requirements and artifact properties, see docs/FUNCTIONAL-REQUIREMENTS.md
Architecture
Security Model
- Zero remote access: No SSH, telnet, or any inbound services
- WireGuard-only networking: All traffic routed through mandatory VPN tunnel
- Secure Boot enforced: Kernel and bootloader signatures verified
- Minimal attack surface: Only IceWM and Remmina installed
- Local console only: No remote administration capabilities
Network Configuration
Physical Interface (eth0)
├─ DHCP: Allowed (for IP acquisition)
└─ WireGuard: ONLY allowed connection to configured endpoint
└─ Endpoint: WG_ENDPOINT_IP:WG_ENDPOINT_PORT (configurable)
WireGuard Interface (wg0)
└─ ALL outbound traffic
└─ VPN endpoint → PAW (Privileged Access Workstation)
Firewall Rules
- INPUT: DROP (except lo, WireGuard keepalive, and DHCP)
- OUTPUT: DROP on eth0 (except to WireGuard endpoint)
- FORWARD: DROP
- OUTPUT on wg0: ACCEPT (all VPN traffic)
Quick Start
Prerequisites
# Only requirement: Docker
# Docker handles all build tools and dependencies
docker --version
Build ISO
# Build the Football installer ISO
./scripts/build-iso.sh
This creates:
output/football-installer.iso- Bootable ISO with embedded preseed configuration
Test ISO
# Test ISO by booting a VM
./scripts/test-iso.sh
This boots a 2GB RAM VM from the ISO, allowing you to test the installer before deploying.
Deploy
Virtual Machine
The VM from test-iso.sh is ready for installation. Installer will:
- Auto-answer all questions except:
- Username creation
- User password (min 12 chars, mixed case, numbers, special chars)
- Root password (min 12 chars, mixed case, numbers, special chars)
- Target disk selection
Physical System
-
Write ISO to USB or disk:
sudo dd if=output/football-installer.iso of=/dev/sdX bs=4M status=progress -
Boot system from USB
-
Installer will use embedded preseed to automate installation
-
Provide only:
- Username/password for user account
- Root password
- Target disk
-
Change default user password (
changeme)
Directory Structure
football/
├── build.sh # Main build script
├── config/
│ ├── packages.list # Minimal package list
│ ├── harden.sh # System hardening script
│ ├── secureboot.sh # Secure Boot configuration
│ └── setup-wireguard.sh # WireGuard setup script
├── chroot-overlay/ # Files copied to built system
│ ├── etc/
│ │ ├── systemd/system/ # Systemd services
│ │ ├── wireguard/ # WireGuard config templates
│ │ └── network/interfaces # Network configuration
│ └── home/user/ # User configuration
│ ├── .bashrc
│ ├── .xinitrc
│ ├── .icewm/preferences
│ └── Desktop/README.txt
└── output/ # Generated images (not in git)
Security Features
Hardening Measures
-
Network Isolation
- All inbound traffic blocked
- Only WireGuard traffic allowed on physical interface
- Mandatory VPN tunnel for all outbound traffic
-
Service Restrictions
- SSH server disabled and masked
- All remote access services removed
- Bluetooth disabled
- Unnecessary kernel modules disabled
-
Secure Boot
- GRUB locked with password protection
- Kernel lockdown mode enabled
- Signed bootloader (shim-signed)
- EFI variables write-protected
-
Application Whitelisting
- Only IceWM and Remmina installed
- No development tools
- Minimal command-line utilities
-
System Hardening
- AppArmor enforcing
- Fail2Ban enabled
- Auditd logging
- Core dumps disabled
- Strict umask (077)
Firewall Rules (Detailed)
# IPv4 Rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow WireGuard to endpoint on eth0
iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP \
-p udp --dport $WG_ENDPOINT_PORT -j ACCEPT
iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP \
-p udp --sport $WG_ENDPOINT_PORT -j ACCEPT
# Allow DHCP on eth0
iptables -A OUTPUT -o eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 67 -j ACCEPT
# Allow ALL traffic on WireGuard interface
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
Usage
Default User
- Username:
user - Password:
changeme(CHANGE IMMEDIATELY!)
Automatic Startup
- Login triggers automatic IceWM start
- Remmina launches automatically
- WireGuard tunnel establishes automatically
- Use Remmina to connect to PAW
Remmina Configuration
Create Remmina profiles in:
- Path:
/home/user/.local/share/remmina/ - Protocol: RDP or VNC (as needed)
- Server: PAW internal IP via WireGuard
System Administration
Local console access only:
# Check WireGuard status
sudo wg show
# View firewall rules
sudo iptables -L -n -v
# Check logs
sudo journalctl -u wg-quick@wg0
sudo journalctl -u block-remote-access
Troubleshooting
WireGuard Connection Fails
- Verify endpoint IP and port
- Check firewall rules allow WireGuard
- Verify keys are correctly configured
- Check WireGuard server logs
Network Blocked
- Confirm WireGuard interface is up:
ip link show wg0 - Check firewall:
sudo iptables -L -n -v - Verify WireGuard config:
sudo wg show
Secure Boot Issues
- Ensure UEFI is enabled
- Verify Microsoft UEFI CA is installed
- Check Secure Boot status:
mokutil --sb-state
System Won't Boot
- Verify UEFI boot mode (not legacy BIOS)
- Check GRUB installation
- Review kernel logs from boot
Advanced Configuration
Customizing the Build
Edit config/packages.list to add/remove packages
Modify chroot-overlay/ to customize system files
Changing Image Size
Edit build.sh:
DISK_SIZE_MB=8192 # Change to desired size in MB
Multiple Deployment Profiles
Create different build.sh variants with different configurations for various deployment scenarios.
Security Considerations
Before Deployment
- ✅ Generate unique WireGuard keys per deployment
- ✅ Change default password
- ✅ Verify Secure Boot configuration
- ✅ Test WireGuard connection
- ✅ Verify firewall rules
- ✅ Configure PAW connection in Remmina
During Operation
- ✅ Monitor WireGuard connection
- ✅ Review audit logs regularly
- ✅ Keep system updated (manual, controlled updates)
- ✅ Physical security of device
Incident Response
If compromise suspected:
- Isolate system physically
- Preserve logs and memory dump
- Contact security team
- Destroy/rebuild system from scratch
Compliance
This system is designed to support:
- NIST SP 800-171 controls
- NIST SP 800-53 Moderate
- CIS Benchmarks for Debian 13 (Trixie)
- CMMC Level 3 controls
- FedRAMP Moderate controls
- Zero Trust network architecture principles
- Privileged Access Management (PAM) best practices
License
See LICENSE file.
Support
For issues or questions:
- Contact: Infrastructure Security Team
- Location: KNEL server room
WARNING: This is a security-focused build system. Unauthorized modifications or deployments may compromise infrastructure security.