football/docs/SECURITY-BASELINES.md
Charles N Wyble ac7df85a0e feat: add security baselines guide and update build script
Security Baselines Guide Includes:
- Comprehensive security baseline overview
- Kernel parameters verification
- Firewall rules baseline
- Authentication and password baselines
- Audit rules baseline
- Service baselines (enabled/prohibited)
- File permission baselines
- AIDE configuration baseline
- Logging baselines
- Initial hardening procedures
- Baseline verification procedures
- Ongoing hardening activities (daily/weekly/monthly/quarterly/annual)
- Baseline maintenance procedures
- Compliance verification for CIS/CMMC/FedRAMP
- Troubleshooting guide
- Quick reference commands

Build Script Updates:
- Add PAM configuration step (common-password-cis)
- Add faillock configuration for account lockout
- Add AIDE database initialization
- Add Secure Boot configuration step
- Add additional systemd services (auditd, rsyslog, apparmor, aide-check.timer)
- Update step numbers to 11/11 for consistency
- Improve hardening script execution

Security Controls Applied:
- PAM with CIS password policies
- Account lockout (5 attempts, 15 minutes)
- AIDE database initialization
- Secure Boot configuration
- All security services enabled

Compliance Standards:
- CIS Debian 13 Benchmark
- CMMC Level 3
- FedRAMP Moderate
- NIST SP 800-53 Moderate
- NIST SP 800-171

This guide provides complete baseline verification and
maintenance procedures for Tier0 infrastructure protection.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 14:20:05 -05:00


# Football Secure Access System - Security Baselines and Hardening Guide
## Document Information
- **System Name**: Football Secure Access System
- **Classification**: Controlled Unclassified Information (CUI)
- **Version**: 1.0
- **Effective Date**: 2024-01-13
- **Review Date**: 2025-01-13
---
## Table of Contents
1. [Introduction](#1-introduction)
2. [Security Baseline Overview](#2-security-baseline-overview)
3. [Initial Hardening Procedures](#3-initial-hardening-procedures)
4. [Baseline Verification](#4-baseline-verification)
5. [Ongoing Hardening Activities](#5-ongoing-hardening-activities)
6. [Baseline Maintenance](#6-baseline-maintenance)
7. [Compliance Verification](#7-compliance-verification)
8. [Troubleshooting](#8-troubleshooting)
---
## 1. Introduction
### 1.1 Purpose
This guide establishes security baselines for the Football Secure Access System and provides procedures for verifying and maintaining compliance with those baselines.
### 1.2 Scope
This guide applies to:
- All Football Secure Access System deployments
- All system administrators
- All security assessments and audits
- All compliance verification activities
### 1.3 Baseline Principles
1.3.1 **Security by Default**: All systems are built with security as the default configuration
1.3.2 **Least Functionality**: Only necessary components and services are installed
1.3.3 **Defense in Depth**: Multiple layers of security controls are implemented
1.3.4 **Compliance by Design**: All configurations meet regulatory requirements
### 1.4 Applicable Standards
- **CIS Debian 13 Benchmark** (Version 3.0.0)
- **CMMC Level 3** (Department of Defense)
- **FedRAMP Moderate** (Federal Risk and Authorization Management Program)
- **NIST SP 800-53** (Security and Privacy Controls)
- **NIST SP 800-171** (Protecting Controlled Unclassified Information)
---
## 2. Security Baseline Overview
### 2.1 System Architecture Baseline
**Hardware Configuration:**
- UEFI Secure Boot: ENABLED
- TPM 2.0: PRESENT (if available)
- Physical ports: DISABLED (except for local administration)
- Removable media: DISABLED
**Software Configuration:**
- Operating System: Debian 13 (Trixie)
- Kernel: Latest security-patched version
- Packages: Minimal set (see packages.list)
- Services: Only required services enabled
**Network Configuration:**
- Physical Interface (eth0): WireGuard endpoint only
- Virtual Interface (wg0): All traffic through VPN
- Remote Access: DISABLED (no SSH, no other remote services)
- Firewall: Strict (WireGuard-only)
- DNS: Via VPN (10.100.0.1)
### 2.2 Security Control Baselines
#### 2.2.1 Kernel Parameters (sysctl)
```
net.ipv4.ip_forward = 0 # IP forwarding disabled
net.ipv4.conf.all.send_redirects = 0 # Do not send ICMP redirects
net.ipv4.conf.all.accept_source_route = 0 # No source routing
net.ipv4.conf.all.accept_redirects = 0 # Do not accept ICMP redirects
net.ipv4.conf.all.rp_filter = 1 # Reverse path filtering
net.ipv4.tcp_syncookies = 1 # SYN cookies enabled
net.ipv4.conf.all.log_martians = 1 # Log martian packets
net.ipv4.icmp_echo_ignore_broadcasts = 1 # No ICMP broadcast response
kernel.sysrq = 0 # SysRq disabled
kernel.randomize_va_space = 2 # Full ASLR (stack, mmap and brk)
fs.protected_hardlinks = 1 # Hard link protection
fs.protected_symlinks = 1 # Symlink protection
kernel.yama.ptrace_scope = 1 # Only descendants may be ptraced
```
Two gaps in this list to be aware of. The `net.ipv4.conf.all.*` keys only govern interfaces that exist when the value is applied; the matching `net.ipv4.conf.default.*` keys (and the IPv6 `accept_redirects` and `accept_source_route` counterparts, if IPv6 stays enabled on eth0) are what the CIS benchmark actually checks and are what covers interfaces created later, such as wg0. Core dumps, which the checklist in section 4.2 requires to be disabled, are not covered here either: that control is `fs.suid_dumpable = 0` together with a hard `core` limit of 0 in `/etc/security/limits.conf`.
**Verification:**
```bash
# Print the running value of each baseline key and compare with the table above
sysctl net.ipv4.ip_forward net.ipv4.conf.all.send_redirects \
  net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_redirects \
  net.ipv4.conf.all.rp_filter net.ipv4.tcp_syncookies net.ipv4.conf.all.log_martians \
  net.ipv4.icmp_echo_ignore_broadcasts kernel.sysrq kernel.randomize_va_space \
  fs.protected_hardlinks fs.protected_symlinks kernel.yama.ptrace_scope
# Values placed in /etc/sysctl.d only take effect after `sysctl --system` or a reboot
```
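Reading the values by eye does not scale to a daily timer, so the following script compares every key in the table against the running kernel and exits with the number of drifted keys. It is an added example, not part of the project's build.sh, harden.sh or tests/; it reads `/proc/sys` directly, and the `SYSCTL_READER` hook (an assumption of this example) exists so the same comparison can be run against a saved `sysctl -a` dump or unit-tested without root.

```sh
#!/bin/sh
# Added example: compare the running kernel against the section 2.2.1
# baseline and report every drifted key. Not part of the project's scripts.

# Baseline copied from section 2.2.1, one "key = expected" pair per line.
SYSCTL_BASELINE='
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.sysrq = 0
kernel.randomize_va_space = 2
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.yama.ptrace_scope = 1
'

# Read one key straight from /proc/sys so the check does not depend on the
# sysctl binary or its output format. A key the kernel does not expose
# (for example yama compiled out) is reported as MISSING, which is itself a
# finding because the control cannot be in effect.
read_live_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo MISSING; fi
}

# Lookup hook (assumption of this example): point it at another function to
# check a saved "sysctl -a" dump or to test the comparison logic offline.
SYSCTL_READER=${SYSCTL_READER:-read_live_sysctl}

# Print one "DRIFT key expected=.. actual=.." line per mismatch and return the
# number of mismatches, so a return of 0 means the kernel matches the baseline.
check_sysctl_baseline() {
    drift=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        key=${line%% =*}
        expected=${line##*= }
        actual=$("$SYSCTL_READER" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "DRIFT $key expected=$expected actual=$actual"
            drift=$((drift + 1))
        fi
    done <<EOF
$SYSCTL_BASELINE
EOF
    return "$drift"
}

# When saved as check-sysctl.sh and executed, run the check; the exit status
# (the drift count) lets a systemd timer or the compliance suite consume it.
case "$0" in
    *check-sysctl*) check_sysctl_baseline ;;
esac
```

Because the exit status is the drift count, `check-sysctl.sh || logger -p auth.warning "sysctl baseline drift"` is enough to turn it into the daily automated check that section 7.4 calls for.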
#### 2.2.2 Firewall Rules (iptables)
**Chain Policies:**
- INPUT: DROP
- FORWARD: DROP
- OUTPUT: DROP
**Allowed Traffic:**
```
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# WireGuard on eth0 (only to the configured endpoint; this host initiates, so inbound is ESTABLISHED only)
iptables -A OUTPUT -o eth0 -d <WG_ENDPOINT_IP> -p udp --dport <WG_ENDPOINT_PORT> -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s <WG_ENDPOINT_IP> -p udp --sport <WG_ENDPOINT_PORT> -m state --state ESTABLISHED -j ACCEPT
# DHCP on eth0
iptables -A OUTPUT -o eth0 -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 67 -m state --state ESTABLISHED -j ACCEPT
# All traffic through WireGuard
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
```
Consequences of this rule set that matter when operating the system:
- Nothing but WireGuard UDP and DHCP leaves eth0. DNS, ICMP and NTP on the physical interface are dropped, so the WireGuard `Endpoint` must be an IP literal (a hostname cannot be resolved before the tunnel is up), and `ping <WG_ENDPOINT_IP>` from this host fails even when the endpoint is reachable.
- DHCP clients that use raw packet sockets for the initial DISCOVER/OFFER exchange (ISC dhclient and systemd-networkd among them) bypass the INPUT and OUTPUT chains; the two DHCP rules cover renewals sent over ordinary UDP sockets.
- `-m state` is the legacy alias of `-m conntrack --ctstate`. iptables on Debian 13 is the nftables-backed `iptables-nft`, and `iptables-save` is the authoritative view of what is loaded.
**Verification:**
```bash
# Policies: expect "-P INPUT DROP", "-P FORWARD DROP" and "-P OUTPUT DROP"
iptables -S | grep '^-P'
# Rules in load order with counters; every ACCEPT must be bound to lo, wg0,
# the WireGuard endpoint on eth0, or DHCP on eth0
iptables -L -n -v
```
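The verification comments above describe what a correct ruleset looks like; the following script checks an `iptables-save` dump against exactly those conditions so the judgement does not depend on someone reading counters. It is an added example, not the project's own code. It reads a dump rather than the live kernel so it can run on a saved copy or in a test; the endpoint address and port are arguments, and `203.0.113.10:51820` in the samples is a constructed documentation address, not the real endpoint.

```sh
#!/bin/sh
# Added example (not part of the project's build or test scripts): check an
# iptables-save dump against the section 2.2.2 baseline.

# verify_firewall_dump ENDPOINT_IP ENDPOINT_PORT  < iptables-save-output
# Prints one "FAIL ..." line per violation and returns the violation count.
verify_firewall_dump() {
    awk -v endpoint="$1" -v port="$2" '
    function fail(msg) { print "FAIL " msg; n++ }
    BEGIN { n = 0 }
    /^\*/             { table = substr($0, 2); next }   # *filter, *nat, ...
    table != "filter" { next }                          # only the filter table is in scope
    /^:(INPUT|FORWARD|OUTPUT) / {
        if ($2 != "DROP") fail(substr($1, 2) " policy is " $2 ", expected DROP")
        next
    }
    /^-A / && / -j ACCEPT$/ {
        if ($0 ~ / -[io] lo /)  { lo++; next }
        if ($0 ~ / -[io] wg0 /) { wg++; next }
        if ($0 ~ / -[io] eth0 /) {
            if ($0 !~ / -p udp /) { fail("non-UDP accept on eth0: " $0); next }
            if ($0 ~ / --[sd]port 67 /) { dhcp++; next }
            if (index($0, " -d " endpoint "/32 ") && index($0, " --dport " port " ")) { wg_out++; next }
            if (index($0, " -s " endpoint "/32 ") && index($0, " --sport " port " ")) { wg_in++; next }
            fail("UDP accept on eth0 that is neither DHCP nor the WireGuard endpoint: " $0)
            next
        }
        # An ACCEPT with no interface match applies to every interface, eth0 included.
        fail("accept rule not bound to lo, wg0 or eth0: " $0)
    }
    END {
        if (lo < 2)            fail("loopback accept rules missing")
        if (wg < 2)            fail("wg0 accept rules missing")
        if (!wg_out || !wg_in) fail("WireGuard endpoint rules for " endpoint ":" port " missing")
        if (!dhcp)             fail("DHCP rules on eth0 missing")
        exit n
    }'
}

# Constructed sample of a compliant ruleset in iptables-save format.
sample_compliant_dump() {
    cat <<'EOF'
# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -i eth0 -p udp -m udp --sport 51820 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o eth0 -p udp -m udp --dport 51820 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
COMMIT
EOF
}

# Constructed sample with two drifts: INPUT policy flipped and an SSH accept added.
sample_drifted_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -i eth0 -p udp -m udp --sport 51820 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o eth0 -p udp -m udp --dport 51820 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
COMMIT
EOF
}

# When saved as verify-firewall.sh and executed, check the live ruleset:
#   sudo ./verify-firewall.sh <WG_ENDPOINT_IP> <WG_ENDPOINT_PORT>
case "$0" in
    *verify-firewall*) iptables-save | verify_firewall_dump "$@" ;;
esac
```

The check is deliberately strict about ACCEPT rules with no interface match: such a rule is reachable from eth0, which is the whole thing this baseline exists to prevent.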
#### 2.2.3 Authentication and Passwords
**Password Policy (pwquality.conf):**
```
minlen = 14 # Minimum length
lcredit = -1 # At least 1 lowercase
ucredit = -1 # At least 1 uppercase
dcredit = -1 # At least 1 digit
ocredit = -1 # At least 1 special character
difok = 3 # Minimum 3 character changes
maxclassrepeat = 3 # Max 3 consecutive same class
maxrepeat = 3 # Max 3 consecutive same character
enforce_for_root # Enforce for root too
```
**Login Configuration (login.defs):**
```
PASS_MAX_DAYS 90 # Password expires in 90 days
PASS_MIN_DAYS 1 # Minimum 1 day between changes
PASS_WARN_AGE 7 # Warn 7 days before expiration
LOGIN_RETRIES 5 # Retries on the non-PAM login path only; lockout is enforced by faillock below
LOGIN_TIMEOUT 60 # 60 second timeout
UMASK 077 # Secure umask
ENCRYPT_METHOD SHA512 # SHA512 password hashing (yescrypt, Debian's default, also satisfies CIS)
```
**Account Lockout (faillock.conf):**
```
deny = 5 # Lock after 5 failed attempts
unlock_time = 900 # Unlock after 15 minutes
even_deny_root # Lock root too
root_unlock_time = 900 # Root unlock after 15 minutes
```
`faillock.conf` is only consulted when `pam_faillock.so` is stacked in `/etc/pam.d/common-auth` (`preauth` before `pam_unix.so`, `authfail` after it) and in `/etc/pam.d/common-account`; the build script's faillock step is what adds those lines, and a system where the file is present but the PAM entries are missing has no lockout at all. The `PASS_*` values apply to accounts created after they are set; existing accounts keep the aging fields already stored in `/etc/shadow` until `chage` updates them, so check with `chage -l user` rather than trusting `login.defs`. `faillock` with no arguments prints the current per-user failure records, and `pwscore` (package `libpwquality-tools`) applies the pwquality rules to a candidate password, which is a quicker functional test than grepping the file.
**Verification:**
```bash
# Check password policy (active settings only; lines starting with # are comments)
grep -E "^\s*(minlen|lcredit|ucredit|dcredit|ocredit|difok|maxrepeat|maxclassrepeat|enforce_for_root)" /etc/security/pwquality.conf
# Check login.defs
grep -E "^(PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE|UMASK|ENCRYPT_METHOD)\b" /etc/login.defs
# Check account lockout: the configuration and the PAM stacking that activates it
grep -E "^\s*(deny|unlock_time|even_deny_root|root_unlock_time)" /etc/security/faillock.conf
grep pam_faillock /etc/pam.d/common-auth /etc/pam.d/common-account
```
#### 2.2.4 Audit Rules (auditd)
**Key Audit Rules:**
```
# Monitor execution of privileged commands (-p x: trigger on execute)
-w /usr/bin/sudo -p x -k privileged_cmd
-w /usr/bin/su -p x -k privileged_cmd
-w /usr/bin/passwd -p x -k privileged_cmd
# Monitor identity files (-p wa: write and attribute change)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Monitor configuration changes
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
# Monitor cron jobs
-w /etc/crontab -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
# Monitor time changes
-w /etc/localtime -p wa -k time-change
-w /etc/timezone -p wa -k time-change
# Monitor network changes
-w /etc/hosts -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale
-w /etc/wireguard/ -p wa -k system-locale
```
Rules are loaded from `/etc/audit/rules.d/*.rules` by `augenrules` when auditd starts. If the rule set ends with `-e 2` (immutable mode, which CIS requires), the loaded rules cannot be changed or removed until the next reboot, so `auditctl -l` on a running system doubles as a tamper check: its output must match the files in `rules.d`.
**Verification:**
```bash
# List loaded audit rules
auditctl -l
# Compare the loaded rules with the files on disk (a difference means they were changed or failed to load)
augenrules --check
# Verify auditd is running
systemctl is-active auditd
```
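Confirming that the rules above actually produce events, and reviewing those events daily as section 5 requires, both start from the `-k` keys. The following script reduces an `audit.log` to one line per (key, login uid, executable, target path, outcome) tuple with a count, which is the shape a reviewer wants to skim. It is an added example, not the project's own tooling; the audit records embedded as sample input are constructed and abbreviated, and the key names are the ones defined above.

```sh
#!/bin/sh
# Added example (not part of the project's scripts): summarize key-tagged
# audit events so the daily review starts from a short table, not raw records.

# summarize_audit_keys < audit.log
# One line per distinct (key, auid, exe, path, result) with its event count,
# highest count first. Events without a key (key=(null)) are not our rules
# and are skipped.
summarize_audit_keys() {
    awk '
    # Extract one field from a record; audit values are either name="quoted" or name=bare.
    function field(rec, name,    re) {
        re = " " name "=\"[^\"]*\""
        if (match(rec, re)) return substr(rec, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        re = " " name "=[^ ]*"
        if (match(rec, re)) return substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        return "-"
    }
    # The serial in msg=audit(timestamp:serial) ties a SYSCALL record to its PATH records.
    function serial(rec,    m) {
        if (!match(rec, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
        m = substr(rec, RSTART, RLENGTH)
        sub(/.*:/, "", m); sub(/\)/, "", m)
        return m
    }
    /^type=SYSCALL / {
        k = field($0, "key")
        if (k == "-" || k == "(null)") next
        res = (field($0, "success") == "yes") ? "ok" : "FAILED"
        info[serial($0)] = k SUBSEP field($0, "auid") SUBSEP field($0, "exe") SUBSEP res
        next
    }
    # First PATH record that is the object itself (nametype=PARENT is the directory).
    /^type=PATH / {
        id = serial($0)
        if ((id in info) && !(id in path) && field($0, "nametype") != "PARENT") path[id] = field($0, "name")
        next
    }
    END {
        for (id in info) {
            split(info[id], f, SUBSEP)
            line = "key=" f[1] " auid=" f[2] " exe=" f[3] " path=" ((id in path) ? path[id] : "-") " result=" f[4]
            count[line]++
        }
        for (line in count) print count[line] "\t" line
    }' | sort -k1,1nr -k2
}

# Constructed, abbreviated audit.log: a shadow edit via vim, two sudo runs by
# the same login uid, a denied read of /etc/shadow by another uid, and one
# unkeyed event that must be ignored.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1736794805.101:4321): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="identity"
type=PATH msg=audit(1736794805.101:4321): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1736794805.101:4321): item=1 name="/etc/shadow" inode=1311 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1736794806.202:4322): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=unconfined key="privileged_cmd"
type=PATH msg=audit(1736794806.202:4322): item=0 name="/usr/bin/sudo" inode=2048 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1736794807.303:4323): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1355 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=unconfined key="privileged_cmd"
type=PATH msg=audit(1736794807.303:4323): item=0 name="/usr/bin/sudo" inode=2048 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1736794808.404:4324): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1400 pid=1401 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" subj=unconfined key="identity"
type=PATH msg=audit(1736794808.404:4324): item=0 name="/etc/shadow" inode=1311 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1736794809.505:4325): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key=(null)
EOF
}

# When saved as audit-summary.sh and executed, summarize the live log:
#   sudo ./audit-summary.sh [/var/log/audit/audit.log]
case "$0" in
    *audit-summary*) summarize_audit_keys < "${1:-/var/log/audit/audit.log}" ;;
esac
```

The `result=FAILED` rows are the ones to read first: a denied open of `/etc/shadow` from an unprivileged login uid is exactly the event the `identity` rules exist to surface. For the full records behind any row, `ausearch -k identity -i --start today` prints them with uids and syscalls resolved to names.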
#### 2.2.5 Service Baselines
**Required Services (ENABLED):**
```
auditd # System auditing
rsyslog # System logging
wg-quick@wg0 # WireGuard VPN
cron # Job scheduling
systemd-logind # Session management (static unit started on demand; it cannot be enabled or disabled)
```
**Prohibited Services (DISABLED/MASKED):**
```
ssh # Remote access (PROHIBITED)
sshd # Remote access daemon (PROHIBITED)
telnet # Remote access (PROHIBITED)
rsh # Remote access (PROHIBITED)
bluetooth # Wireless (PROHIBITED)
cups # Printing server (not needed)
nfs-common # Network filesystem (PROHIBITED)
samba # File sharing (PROHIBITED)
```
**Verification:**
```bash
# List enabled services
systemctl list-unit-files --state=enabled
# Required services must be active (expect "active" for each)
systemctl is-active auditd rsyslog cron wg-quick@wg0
# Prohibited units must be masked (expect "masked"; an error that the unit file
# does not exist is also acceptable, since it means the package is not installed)
systemctl is-enabled ssh sshd telnet bluetooth cups
```
#### 2.2.6 File Permission Baselines
**Critical File Permissions:**
```
/etc/passwd 644 root:root
/etc/shadow 640 root:shadow
/etc/group 644 root:root
/etc/gshadow 640 root:shadow
/etc/sudoers 440 root:root
/etc/ssh/ 700 root:root (directory: the execute bit is needed to traverse it, so 600 is not usable; 755 is Debian's default)
/etc/ssh/sshd_config 600 root:root (must not exist: openssh-server is prohibited by 2.2.5, so its presence is itself a finding)
/etc/wireguard/wg0.conf 600 root:root (holds the tunnel private key; set by build step 3)
/root 700 root:root
/home/user 750 user:user
```
**Directory Permissions:**
```
/var/log 755 root:root
/var/log/audit 750 root:root
/etc 755 root:root
/etc/security 700 root:root
/etc/sudoers.d 750 root:root
```
**Verification:**
```bash
# Check critical file permissions
stat -c "%a %U:%G %n" /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers /etc/wireguard/wg0.conf /root /home/user
# Check directory permissions
stat -c "%a %U:%G %n" /var/log /var/log/audit /etc /etc/security /etc/sudoers.d
# sshd_config must be absent
test ! -e /etc/ssh/sshd_config && echo "OK: no sshd_config"
```
#### 2.2.7 File Integrity Monitoring (AIDE)
**AIDE Configuration:**
```
Database: /var/lib/aide/aide.db
Scan frequency: Daily (via systemd timer)
Monitored directories:
- /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin
- /lib, /lib64, /usr/lib, /usr/local/lib
- /etc (except volatile files)
- /boot
- /lib/modules
```
**Verification:**
```bash
# Check AIDE configuration (Debian's packaged location; adjust if the chroot overlay installs it elsewhere)
cat /etc/aide/aide.conf
# Check AIDE database exists and is readable by root only
ls -la /var/lib/aide/
# Check AIDE timer is enabled and when it next fires
systemctl list-timers aide-check.timer
```
#### 2.2.8 Logging Baselines
**Log Retention:**
```
/var/log/audit/ 365 days
/var/log/ 365 days
/var/log/security/ 365 days
/var/log/sudo/ 365 days
/var/log/firewall/ 90 days
/var/log/wireguard/ 90 days
```
**Log Format:**
- System logs: rsyslog (RFC 5424 format)
- Audit logs: auditd (`name=value` text records in audit.log; query with `ausearch` and `aureport` rather than grep, which cannot join a SYSCALL record to its PATH records)
- Sudo logs: Plain text with timestamp
**Verification:**
```bash
# Check logrotate configuration
cat /etc/logrotate.d/cis-logs
# Verify log files exist
ls -la /var/log/audit/ /var/log/security/ /var/log/sudo/
# Verify rsyslog configuration
cat /etc/rsyslog.d/50-cis-logging.conf
```
---
## 3. Initial Hardening Procedures
### 3.1 Pre-Installation Checklist
**Before deploying Football system:**
- [ ] WireGuard keys generated and securely stored
- [ ] WireGuard endpoint IP and port confirmed
- [ ] UEFI Secure Boot enabled on target hardware
- [ ] Target hardware verified for Debian 13 compatibility
- [ ] Physical access controls verified
- [ ] Deployment authorization obtained
### 3.2 Build Process
**The build script (build.sh) automatically applies all hardening:**
1. **Bootstrap minimal Debian 13**
- Uses debootstrap with minbase variant
- Installs only required packages
2. **Apply chroot overlay**
- Copies all configuration files
- Implements all security baselines
3. **Configure WireGuard**
- Generates WireGuard configuration from keys
- Sets proper file permissions (600)
4. **Run hardening script (harden.sh)**
- Disables remote access services
- Configures strict firewall
- Applies kernel parameters
- Configures audit rules
- Enables security services
5. **Create bootable image**
- Sets up GPT partition table
- Configures UEFI boot
- Installs GRUB with password protection
- Generates final images
### 3.3 Post-Installation Verification
**After deployment, verify:**
**Step 1: Basic System Check**
```bash
# Verify Debian 13 ("13.x" on a release; "trixie/sid" only on a pre-release build)
cat /etc/debian_version
# Check kernel version
uname -r
# Verify boot mode
[ -d /sys/firmware/efi ] && echo "UEFI boot" || echo "Legacy boot"
# Verify Secure Boot is enforced, not just available (package mokutil)
mokutil --sb-state
```
**Step 2: Verify WireGuard**
```bash
# Check WireGuard status
sudo wg show
# Check that a handshake has completed recently (epoch seconds per peer; 0 means never)
sudo wg show wg0 latest-handshakes
# Verify WireGuard interface
ip link show wg0
# Check WireGuard connection (bounded, so it cannot hang a scripted check)
ping -c 3 10.100.0.1 # Ping VPN server
```
**Step 3: Verify Firewall**
```bash
# Check firewall rules
sudo iptables -L -n -v
# Verify policies
sudo iptables -L | grep "Chain"
# Should show: Chain INPUT (policy DROP), Chain FORWARD (policy DROP), Chain OUTPUT (policy DROP)
```
**Step 4: Verify Services**
```bash
# Check critical services (expect "active" for each)
systemctl is-active auditd rsyslog cron wg-quick@wg0
# Verify SSH is masked (expect "masked"; an error that the unit file does not exist
# means openssh-server is not installed, which is also compliant)
systemctl is-enabled ssh sshd
```
**Step 5: Verify Security Controls**
```bash
# Verify kernel parameters
sudo sysctl net.ipv4.ip_forward net.ipv4.tcp_syncookies kernel.randomize_va_space
# Verify password policy (active lines only)
grep -E "^\s*(minlen|lcredit|ucredit)" /etc/security/pwquality.conf
# Verify audit rules
sudo auditctl -l | head -20
# Verify AIDE database exists and is root-only
ls -la /var/lib/aide/aide.db
# Verify log files
ls -la /var/log/audit/ /var/log/security/
```
**Step 6: Run Compliance Tests**
```bash
# Run automated compliance verification
./tests/verify-compliance.sh
# Run full compliance test suite
./tests/compliance-test.sh
```
---
## 4. Baseline Verification
### 4.1 Automated Verification
**Run the automated compliance verification script:**
```bash
cd /home/charles/Projects/football
./tests/verify-compliance.sh
```
**Expected Output:**
```
================================================
Automated Compliance Verification
================================================
Verifying CIS Debian 13 Benchmark Implementation...
Verifying CMMC Level 3 Implementation...
Verifying FedRAMP Moderate Implementation...
[INFO] Checking prerequisites...
[PASS] Section 1: Filesystems Configuration
[PASS] Section 3: Network Configuration
[PASS] Section 4: Logging and Auditing
[PASS] Section 5: Access Control
...
================================================
COMPLIANCE VERIFICATION SUMMARY
================================================
Total Controls Verified: 150
Compliant: 145
Partially Compliant: 5
Non-Compliant: 0
Compliance Percentage: 96%
✓ SYSTEM COMPLIANT
The system meets compliance requirements for:
✓ CIS Debian 13 Benchmark
✓ CMMC Level 3
✓ FedRAMP Moderate
✓ NIST SP 800-171
✓ NIST SP 800-53 Moderate
```
### 4.2 Manual Verification Checklist
**Complete this checklist after each deployment or significant change:**
**System Configuration:**
- [ ] Debian 13 (trixie) installed
- [ ] Kernel is latest security-patched version
- [ ] UEFI boot enabled
- [ ] Secure Boot enabled (if supported)
**Network Configuration:**
- [ ] WireGuard configured with correct endpoint
- [ ] WireGuard interface (wg0) is UP
- [ ] Can ping VPN server (10.100.0.1)
- [ ] Firewall rules are correct
- [ ] All firewall policies are DROP
- [ ] No inbound services running
**Security Controls:**
- [ ] SSH is masked
- [ ] Telnet is not installed
- [ ] Bluetooth is disabled
- [ ] Wireless is disabled
- [ ] Auditd is running
- [ ] Rsyslog is running
- [ ] AIDE is configured
- [ ] AppArmor is enabled
**Kernel Parameters:**
- [ ] IP forwarding disabled
- [ ] Source routing disabled
- [ ] ICMP redirects disabled
- [ ] SYN cookies enabled
- [ ] ASLR enabled
- [ ] Core dumps disabled
**Authentication:**
- [ ] Password policy configured (14 char min, complexity)
- [ ] Password aging configured (90 days max)
- [ ] Account lockout configured (5 attempts)
- [ ] Umask set to 077
- [ ] SHA512 password hashing enabled
**File Permissions:**
- [ ] /etc/passwd: 644
- [ ] /etc/shadow: 640
- [ ] /etc/sudoers: 440
- [ ] /root: 700
- [ ] /home/user: 750
**Audit and Logging:**
- [ ] Audit rules loaded
- [ ] Audit logs being generated
- [ ] Security logs being generated
- [ ] Sudo logs being generated
- [ ] Log rotation configured
- [ ] Log retention meets requirements (365 days)
**Compliance Tests:**
- [ ] verify-compliance.sh passed
- [ ] compliance-test.sh passed
- [ ] All critical tests passed
- [ ] Compliance percentage >= 95%
---
## 5. Ongoing Hardening Activities
### 5.1 Daily Activities
**Automated (via systemd timers):**
- [ ] AIDE file integrity check runs daily
- [ ] Log rotation occurs automatically
- [ ] System log review for critical events
**Manual:**
- [ ] Review audit logs for critical security events
- [ ] Check WireGuard tunnel status
- [ ] Verify system is responding normally
### 5.2 Weekly Activities
**Manual:**
- [ ] Review failed login attempts
- [ ] Review administrative actions (sudo logs)
- [ ] Review security event alerts
- [ ] Check for security updates
- [ ] Verify audit logs are being generated
### 5.3 Monthly Activities
**Manual:**
- [ ] Review all audit logs
- [ ] Verify file integrity check results
- [ ] Check for unauthorized configuration changes
- [ ] Review system performance
- [ ] Verify security services are running
- [ ] Update security documentation if changes made
### 5.4 Quarterly Activities
**Manual:**
- [ ] Run full compliance test suite (compliance-test.sh)
- [ ] Review and update security baselines
- [ ] Conduct security assessment
- [ ] Review access controls
- [ ] Audit user accounts and access rights
- [ ] Review and update incident response procedures
### 5.5 Annual Activities
**Manual:**
- [ ] Conduct full security audit
- [ ] Review and update all security policies
- [ ] Conduct penetration testing
- [ ] Review and update incident response procedures
- [ ] Conduct security awareness training
- [ ] Review and update compliance documentation
- [ ] Re-authorize system (if required by organization)
---
## 6. Baseline Maintenance
### 6.1 Updating Baselines
**When to update baselines:**
- Security patches are applied
- System configuration changes
- New security requirements are identified
- Compliance standards are updated
- Security assessments recommend changes
**Update Process:**
1. Document need for baseline change
2. Obtain approval for change
3. Test change in non-production environment
4. Implement change in production
5. Verify compliance after change
6. Update baseline documentation
7. Update relevant policies and procedures
### 6.2 Re-Baselining After Changes
**After any significant change:**
1. **Run AIDE database update** (only after the latest `aide --check` report has been reviewed and every reported change is accounted for; re-initialising over unexplained changes makes them part of the baseline)
```bash
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```
2. **Re-run compliance verification**
```bash
./tests/verify-compliance.sh
./tests/compliance-test.sh
```
3. **Update documentation**
- Update SECURITY-BASELINES.md
- Update COMPLIANCE.md
- Update relevant policies
4. **Document change**
- Create change record
- Include reason, impact, and test results
- Store in change management system
### 6.3 Rollback Procedures
**If baseline change causes issues:**
1. **Identify the problem**
- What is not working correctly
- What security control is affected
- What is the impact on operations
2. **Assess rollback options**
- Can the change be reverted?
- Is there a backup of previous configuration?
- What is the risk of rollback?
3. **Execute rollback**
- Restore previous configuration
- Revert to previous AIDE database
- Re-verify compliance
4. **Document rollback**
- What was rolled back
- Why it was rolled back
- What was learned
---
## 7. Compliance Verification
### 7.1 CIS Debian 13 Benchmark Verification
**Score Required: >= 90% (171/190 controls)**
**Verification Method:**
```bash
# Run compliance test suite
./tests/compliance-test.sh | grep "CIS Benchmark"
```
**Key CIS Controls to Verify:**
- 1.1.1: Unused filesystems disabled
- 1.1.3: /tmp configured
- 3.1.1: IP forwarding disabled
- 3.2.8: TCP SYN cookies enabled
- 4.1.2: Audit records stored
- 5.2.1: SSH server not installed
- 5.4.1.1: Password creation requirements
- 5.4.2: Password hashing algorithm
- 6.1.1: System accounts secured
### 7.2 CMMC Level 3 Verification
**Required: All 176 practices implemented**
**Verification Method:**
```bash
# Run compliance test suite
./tests/compliance-test.sh | grep "CMMC"
```
**Key CMMC Domains to Verify:**
- AC (Access Control): All practices
- AU (Audit and Accountability): All practices
- CM (Configuration Management): All practices
- SC (System and Communications Protection): All practices
- SI (System and Information Integrity): All practices
### 7.3 FedRAMP Moderate Verification
**Required: All 325 controls implemented**
**Verification Method:**
```bash
# Run compliance test suite
./tests/compliance-test.sh | grep "FedRAMP"
```
**Key FedRAMP Controls to Verify:**
- AC-2: Account Management
- AU-2: Audit Events
- AU-6: Audit Review
- CM-2: Baseline Configuration
- SC-8: Transmission Confidentiality
- SI-7: Software and Firmware Integrity
### 7.4 Continuous Compliance Monitoring
**Automated Monitoring:**
- AIDE checks: Daily
- Audit rule validation: Daily
- Service status checks: Daily
- Firewall rule verification: Daily
- Kernel parameter verification: Weekly
**Reporting:**
- Daily: Critical security events
- Weekly: Security event summary
- Monthly: Compliance status report
- Quarterly: Full compliance review
- Annually: Comprehensive audit
---
## 8. Troubleshooting
### 8.1 Common Issues and Solutions
**Issue 1: WireGuard Tunnel Not Connecting**
**Symptoms:**
- Cannot ping VPN server (10.100.0.1)
- `wg show wg0` shows no latest handshake, or one that is minutes old
- No traffic through wg0 (the `transfer` counters do not increase)
**Diagnosis:**
```bash
# Check WireGuard status
sudo wg show
# Handshake age per peer (epoch seconds; 0 means a handshake never completed)
sudo wg show wg0 latest-handshakes
# Check WireGuard logs
sudo journalctl -u wg-quick@wg0
# Check the interface and the route the endpoint traffic will take
ip link show wg0
ip route get <WG_ENDPOINT_IP>
# Confirm packets actually leave for the endpoint: the OUTPUT rule's counter must grow while wg retries
sudo iptables -L OUTPUT -n -v
```
`ping <WG_ENDPOINT_IP>` is not a usable reachability test on this system: the baseline firewall (2.2.2) drops all ICMP on eth0, so the ping fails whether or not the endpoint is up. Test reachability from another host, or watch the endpoint rule's packet counter as above.
**Solutions:**
1. Verify endpoint IP and port are correct (the endpoint must be an IP literal; DNS is not reachable on eth0)
2. Verify WireGuard keys are correct (each side's configured peer public key; a wrong key shows as endless handshake initiations with no response)
3. Check firewall allows WireGuard traffic (the OUTPUT and INPUT rules for <WG_ENDPOINT_IP>:<WG_ENDPOINT_PORT>)
4. Verify endpoint is accessible
5. Restart WireGuard service
```bash
sudo systemctl restart wg-quick@wg0
```
**Issue 2: Firewall Blocking Legitimate Traffic**
**Symptoms:**
- Cannot access resources through VPN
- Connection timeouts
- Firewall drops shown in logs
**Diagnosis:**
```bash
# Check firewall rules
sudo iptables -L -n -v
# Check firewall logs
sudo tail -f /var/log/firewall.log
```
**Solutions:**
1. Verify WireGuard interface is UP
2. Check firewall rules include wg0 ACCEPT
3. Verify firewall policies are correct
4. Reload firewall rules
```bash
sudo systemctl restart block-remote-access
```
**Issue 3: Auditd Not Logging**
**Symptoms:**
- No audit logs in /var/log/audit/
- auditctl shows no rules loaded
- Security events not captured
**Diagnosis:**
```bash
# Check auditd status
sudo systemctl status auditd
# Check audit rules
sudo auditctl -l
# Check audit logs
sudo tail -f /var/log/audit/audit.log
```
**Solutions:**
1. Restart auditd service
```bash
sudo systemctl restart auditd
```
2. Reload audit rules
```bash
sudo augenrules --load
```
If the rule set contains `-e 2`, the kernel refuses changes after boot (`auditctl` reports that the audit system is in immutable mode); correct the files in `/etc/audit/rules.d/` and reboot instead of reloading.
3. Verify audit configuration
```bash
cat /etc/audit/rules.d/cis-audit.rules
```
**Issue 4: AIDE Check Fails**
**Symptoms:**
- AIDE check reports many changes
- Unable to determine if changes are legitimate
- System appears compromised
**Diagnosis:**
```bash
# Run AIDE check
sudo aide --check
# Compare with expected changes
# (review system updates, configuration changes, etc.)
```
**Solutions:**
1. Identify legitimate changes (updates, config changes) by matching each reported path against the package and change records for the period
2. Verify no unauthorized changes
3. Update AIDE database only once every change is explained (re-initialising over unexplained changes hides them permanently)
```bash
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```
4. If unauthorized changes found, follow incident response procedures; do not re-initialise the database, because the current report is evidence
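The re-baseline steps in section 6.2 and in issue 4 both end with `aide --init` followed by moving the new database into place, and both then trust that database on every later check. Whoever can rewrite `aide.db` can hide their changes from AIDE, so a practitioner pins the database with a hash kept where the host cannot quietly update it. The following script does the re-baseline and that pinning together; it is an added example, not the project's own code. Paths are Debian's packaged AIDE defaults, and the seal file location and function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not the project's scripts): re-baseline AIDE and pin the
# new database with a SHA-256 stored where the host cannot quietly rewrite
# it, so a swapped database fails before its verdict is trusted.

AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}
AIDE_DB_NEW=${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}
# Keep the seal on read-only or off-host storage (write-protected media, or a
# copy on the log host); the local default below is only a starting point.
AIDE_DB_REF=${AIDE_DB_REF:-/var/lib/aide/aide.db.sha256}

# seal_aide_db DB REF: record the SHA-256 of DB in REF, owner-read-only.
seal_aide_db() {
    db=$1; ref=$2
    [ -r "$db" ] || { echo "cannot read $db" >&2; return 1; }
    rm -f "$ref"
    sha256sum "$db" | awk '{ print $1 }' > "$ref" || return 1
    chmod 0400 "$ref"
}

# verify_aide_db DB REF: return 0 when DB matches its seal, 1 on mismatch or
# when the seal is missing. An absent seal is a failure, never a pass.
verify_aide_db() {
    db=$1; ref=$2
    if [ ! -r "$ref" ]; then
        echo "no seal found for $db at $ref" >&2
        return 1
    fi
    expected=$(cat "$ref")
    actual=$(sha256sum "$db" 2>/dev/null | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "AIDE database $db does not match its seal (expected $expected, got ${actual:-nothing})" >&2
        return 1
    fi
    return 0
}

# Re-baseline (section 6.2 step 1 and issue 4 step 3). Run only after the last
# aide --check report has been reviewed and every change is accounted for.
rebaseline_aide() {
    aide --init --config="$AIDE_CONF" || return 1
    mv "$AIDE_DB_NEW" "$AIDE_DB" || return 1
    seal_aide_db "$AIDE_DB" "$AIDE_DB_REF"
}

# Daily check: refuse to compare against a database that fails its seal.
check_aide() {
    verify_aide_db "$AIDE_DB" "$AIDE_DB_REF" || return 1
    aide --check --config="$AIDE_CONF"
}

# When saved as aide-sealed.sh and executed:
#   sudo ./aide-sealed.sh rebaseline    (after a reviewed change)
#   sudo ./aide-sealed.sh check         (from the daily timer)
case "$0" in
    *aide-sealed*)
        case "$1" in
            rebaseline) rebaseline_aide ;;
            check)      check_aide ;;
            *) echo "usage: $0 rebaseline|check" >&2; exit 2 ;;
        esac ;;
esac
```

Pointing `aide-check.timer` at `check` instead of a bare `aide --check` makes the seal part of the daily run; a failed seal should page the security team the same way an unexplained AIDE diff does, because either one means the integrity baseline can no longer be trusted.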
**Issue 5: System Won't Boot**
**Symptoms:**
- System hangs during boot
- UEFI boot menu not accessible
- GRUB error
**Diagnosis:**
```bash
# Check from UEFI shell or recovery media
# Review boot logs
```
**Solutions:**
1. Try booting from recovery image
2. Check GRUB configuration
3. Reinstall GRUB if needed
4. Verify UEFI Secure Boot settings
5. Contact system vendor if hardware issue suspected
### 8.2 Getting Help
**Resources:**
- **Documentation**: /usr/share/doc/compliance/
- **Security Team**: security@knel.org
- **Infrastructure Team**: infra@knel.org
- **Compliance Officer**: compliance@knel.org
**Before requesting help:**
1. Gather system information:
```bash
uname -a
cat /etc/debian_version
ls -la /etc/security/
```
2. Gather diagnostic information:
```bash
sudo systemctl status auditd rsyslog wg-quick@wg0
sudo iptables -L -n -v
sudo auditctl -l
```
3. Check logs:
```bash
sudo journalctl -xe
sudo tail -50 /var/log/audit/audit.log
```
4. Try basic troubleshooting steps from above
5. Document what you've already tried
---
## Appendix A: Quick Reference Commands
### System Status Commands
```bash
# System information
uname -a
cat /etc/os-release
cat /etc/debian_version
# Service status
systemctl status auditd rsyslog wg-quick@wg0
systemctl list-unit-files | grep enabled
# Network status
ip link show
ip addr show
sudo wg show
ping -c 3 10.100.0.1
```
### Security Verification Commands
```bash
# Firewall
sudo iptables -L -n -v
sudo iptables-save | cat
# Kernel parameters
sudo sysctl net.ipv4.ip_forward net.ipv4.tcp_syncookies kernel.randomize_va_space
# Audit
sudo auditctl -l
sudo systemctl status auditd
# File permissions
stat -c "%a %U:%G %n" /etc/passwd /etc/shadow /etc/sudoers
# Password policy
cat /etc/security/pwquality.conf
cat /etc/login.defs
```
### Compliance Test Commands
```bash
# Automated verification
./tests/verify-compliance.sh
# Full compliance test suite
./tests/compliance-test.sh
# AIDE check
sudo aide --check
# Audit rule verification
sudo auditctl -l | wc -l
```
---
## Related Documents
- Security Policy (docs/SECURITY-POLICY.md)
- Incident Response Procedures (docs/INCIDENT-RESPONSE.md)
- Compliance Mapping (COMPLIANCE.md)
- README.md (project documentation)
- QUICKSTART.md (build and deployment guide)
---
**Document Control**
- **Owner**: Security Team
- **Approver**: CISO
- **Next Review**: 2025-01-13
- **Classification**: CUI
- **Version**: 1.0
- **Effective Date**: 2024-01-13
---
**End of Document**