Charles N Wyble b48d7450ee feat: add security packages and enhance hardening script
- Add AIDE for file integrity monitoring
- Add PAM pwquality for strong passwords
- Enhance hardening script with comprehensive security controls
- Implement CIS Benchmark all sections
- Add CMMC/FedRAMP security controls

Security Enhancements:
- AIDE integration with daily integrity checks
- Enhanced faillock for account lockout
- Secure file permissions on critical directories
- Disable unnecessary services (bluetooth, wireless)
- Remove world-writable permissions
- Disable SUID/SGID on unnecessary binaries
- Create security log directories for compliance
- Add compliance marker file

Services Configured:
- Auditd: System auditing
- AppArmor: Mandatory access control
- Fail2ban: Brute force protection
- Rsyslog: Centralized logging
- AIDE: File integrity monitoring

Compliance:
- CIS Debian 13: All applicable sections
- CMMC Level 3: All domains
- FedRAMP Moderate: All controls
- NIST SP 800-171: All controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 13:13:26 -05:00

Football - Minimal Debian Secure Access System

Fully self-contained, stripped-down, and locked-down Debian image intended for deployment onto physical-access-only systems (Dell laptops), each called football-(x). Used for remote RDP access to high-security physical systems (highside), which are privileged access workstations in the KNEL server room.

Overview

Football is a minimal Debian system designed for secure remote access to privileged infrastructure. It enforces strict network controls: ALL traffic must pass through a WireGuard VPN tunnel, and the only direct traffic permitted on the physical interface is DHCP and the UDP exchange with the tunnel endpoint.

Architecture

Security Model

  • Zero remote access: No SSH, telnet, or any inbound services
  • WireGuard-only networking: All traffic routed through mandatory VPN tunnel
  • Secure Boot enforced: Kernel and bootloader signatures verified
  • Minimal attack surface: Only IceWM and Remmina installed
  • Local console only: No remote administration capabilities

Network Configuration

Physical Interface (eth0)
├─ DHCP: Allowed (for IP acquisition)
└─ WireGuard: ONLY allowed connection to configured endpoint
    └─ Endpoint: WG_ENDPOINT_IP:WG_ENDPOINT_PORT (configurable)

WireGuard Interface (wg0)
└─ ALL outbound traffic
    └─ VPN endpoint → PAW (Privileged Access Workstation)

Firewall Rules

  • INPUT: DROP (except lo, UDP from the WireGuard endpoint, DHCP replies, and wg0)
  • OUTPUT: DROP on eth0 (except UDP to the WireGuard endpoint and DHCP)
  • FORWARD: DROP
  • OUTPUT on wg0: ACCEPT (all VPN traffic)

Quick Start

Prerequisites

# Install build dependencies (requires Debian 13 Trixie or later);
# wireguard-tools provides the wg command used for key generation below
sudo apt-get install debootstrap qemu-utils kpartx squashfs-tools wireguard-tools

Generate WireGuard Keys

# Generate client key pair (umask 077 keeps client-private.key readable by the owner only)
umask 077
wg genkey | tee client-private.key | wg pubkey > client-public.key

# Add the client's public key to the WireGuard server configuration
# (paste the contents of client-public.key; the server's own public key
# is what goes into WG_PUBLIC_KEY in build.sh below).
# Server configuration (on your WireGuard VPN server):
# [Peer]
# PublicKey = <contents of client-public.key>
# AllowedIPs = 10.100.0.2/32

Configure Build

Edit build.sh and set the following variables:

WG_ENDPOINT_IP="192.0.2.1"        # Your WireGuard server IP
WG_ENDPOINT_PORT="51820"          # Your WireGuard server port
WG_PRIVATE_KEY="$(cat client-private.key)"  # Client private key
WG_PUBLIC_KEY="<SERVER_PUBLIC_KEY>"         # Server public key

Once these are set, build.sh and every image built from it contain the client private key: keep both out of version control (output/ already is) and handle them as secrets.
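As an added example, not the project's setup-wireguard.sh, the following POSIX shell script validates the four build variables above and renders the client side wg0.conf that forces every route through the tunnel. The function names (render_wg_conf, write_wg_conf), the client address 10.100.0.2/32 (taken from the server-side AllowedIPs in the key generation step) and the sample keys in the usage note are assumptions; the keys are constructed base64 strings, not real key material.

```shell
#!/bin/sh
# Added example, not the project's setup-wireguard.sh. Validates the build
# variables and renders a wg0.conf in which every route goes through wg0.

WG_KEY_RE='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'

# A WireGuard key is 32 bytes in base64: 44 chars, one '=' of padding, and
# the 43rd char can only carry 4 significant bits (hence the restricted set).
wg_key_ok() {
    printf '%s\n' "$1" | grep -Eq "$WG_KEY_RE"
}

# Dotted-quad IPv4 with every octet in 0..255.
ipv4_ok() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Numeric UDP port in 1..65535.
port_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_wg_conf ENDPOINT_IP ENDPOINT_PORT SERVER_PUBKEY CLIENT_PRIVKEY_FILE
# Prints the client config on stdout. Returns 1 and prints nothing on stdout
# if any input is malformed, so a bad build variable fails the build instead
# of producing an image that silently never connects.
render_wg_conf() {
    ep_ip=$1 ep_port=$2 srv_pub=$3 key_file=$4
    ipv4_ok "$ep_ip"     || { echo "bad WG_ENDPOINT_IP: $ep_ip" >&2; return 1; }
    port_ok "$ep_port"   || { echo "bad WG_ENDPOINT_PORT: $ep_port" >&2; return 1; }
    wg_key_ok "$srv_pub" || { echo "WG_PUBLIC_KEY is not a WireGuard key" >&2; return 1; }
    [ -r "$key_file" ]   || { echo "cannot read $key_file" >&2; return 1; }
    priv=$(cat "$key_file")
    wg_key_ok "$priv"    || { echo "private key in $key_file is malformed" >&2; return 1; }
    # Pasting the server's key into both slots is a common mistake.
    [ "$priv" != "$srv_pub" ] || { echo "private key equals server public key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $priv
Address = 10.100.0.2/32

[Peer]
PublicKey = $srv_pub
Endpoint = $ep_ip:$ep_port
# 0.0.0.0/0 makes wg-quick route everything via wg0; the endpoint itself is
# still reached over eth0 through the host route wg-quick adds for it.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# write_wg_conf DEST ENDPOINT_IP ENDPOINT_PORT SERVER_PUBKEY CLIENT_PRIVKEY_FILE
# Writes the rendered config with mode 0600, since the file carries the private key.
write_wg_conf() {
    dest=$1; shift
    conf=$(render_wg_conf "$@") || return 1
    ( umask 077 && printf '%s\n' "$conf" > "$dest" )
}
```

Usage inside a build step would be write_wg_conf "$CHROOT/etc/wireguard/wg0.conf" "$WG_ENDPOINT_IP" "$WG_ENDPOINT_PORT" "$WG_PUBLIC_KEY" client-private.key; the build then stops on a typo in an endpoint or a key instead of shipping a football that never comes up.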

Build Image

./build.sh

This creates:

  • output/football-physical.img - Raw image for physical hardware
  • output/football-vm.qcow2 - QCOW2 image for virtual machines

Deploy

Virtual Machine

qemu-system-x86_64 \
  -m 2048 \
  -drive file=output/football-vm.qcow2,format=qcow2

Physical System

  1. Write raw image to USB or disk (replace /dev/sdX with the target device, checked with lsblk first; dd overwrites it without confirmation):

    sudo dd if=output/football-physical.img of=/dev/sdX bs=4M status=progress conv=fsync
    
  2. Boot system with UEFI Secure Boot enabled

  3. Change default user password (changeme)

Directory Structure

football/
├── build.sh                      # Main build script
├── config/
│   ├── packages.list            # Minimal package list
│   ├── harden.sh                # System hardening script
│   ├── secureboot.sh            # Secure Boot configuration
│   └── setup-wireguard.sh       # WireGuard setup script
├── chroot-overlay/              # Files copied to built system
│   ├── etc/
│   │   ├── systemd/system/     # Systemd services
│   │   ├── wireguard/           # WireGuard config templates
│   │   └── network/interfaces  # Network configuration
│   └── home/user/              # User configuration
│       ├── .bashrc
│       ├── .xinitrc
│       ├── .icewm/preferences
│       └── Desktop/README.txt
└── output/                     # Generated images (not in git)

Security Features

Hardening Measures

  1. Network Isolation

    • All inbound traffic blocked
    • Only WireGuard traffic allowed on physical interface
    • Mandatory VPN tunnel for all outbound traffic
  2. Service Restrictions

    • SSH server disabled and masked
    • All remote access services removed
    • Bluetooth disabled
    • Unnecessary kernel modules disabled
  3. Secure Boot

    • GRUB locked with password protection
    • Kernel lockdown mode enabled
    • Signed bootloader (shim-signed)
    • EFI variables write-protected
  4. Application Whitelisting

    • Only IceWM and Remmina installed
    • No development tools
    • Minimal command-line utilities
  5. System Hardening

    • AppArmor enforcing
    • Fail2Ban enabled
    • Auditd logging
    • Core dumps disabled
    • Strict umask (077)

Firewall Rules (Detailed)

These rules are IPv4 only. Apply matching DROP policies with ip6tables (or disable IPv6 via sysctl) as well; otherwise an IPv6-capable network lets traffic bypass the tunnel entirely.

# IPv4 Rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow WireGuard to endpoint on eth0
iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP \
  -p udp --dport $WG_ENDPOINT_PORT -j ACCEPT
iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP \
  -p udp --sport $WG_ENDPOINT_PORT -j ACCEPT

# Allow DHCP on eth0
iptables -A OUTPUT -o eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 67 -j ACCEPT

# Allow ALL traffic on WireGuard interface
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
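The "Verify firewall rules" step under Security Considerations is easy to do by eye once and hard to keep doing. As an added example, not part of the Football build, the POSIX shell function below audits saved iptables-save output against the policy above: all three filter-table policies DROP, nothing accepted in FORWARD, and the only ACCEPT rules on eth0 being the UDP exchange with the configured endpoint and DHCP. The function name audit_ruleset and the report wording are assumptions; the rule lines in the usage note are constructed to match the rules documented above.

```shell
#!/bin/sh
# Added example, not part of the Football build. Audits `iptables-save`
# output against the documented policy and reports every deviation.

# audit_ruleset FILE ENDPOINT_IP ENDPOINT_PORT
# Prints one line per violation; returns 0 when the ruleset is clean.
audit_ruleset() {
    file=$1 ep=$2 port=$3
    bad=0 policies=0 in_filter=0
    while IFS= read -r line; do
        case $line in
            '*filter') in_filter=1; continue ;;
            '*'*)      in_filter=0; continue ;;   # nat, mangle, raw: not audited
            COMMIT|'#'*|'') continue ;;
        esac
        [ "$in_filter" -eq 1 ] || continue
        case $line in
            ':INPUT '*|':FORWARD '*|':OUTPUT '*)
                policies=$((policies + 1))
                case $line in
                    *' DROP '*) ;;
                    *) echo "policy not DROP: $line"; bad=1 ;;
                esac ;;
            '-A FORWARD '*'-j ACCEPT')
                echo "forwarding allowed: $line"; bad=1 ;;
            '-A OUTPUT '*'-j ACCEPT')
                # iptables-save prints -d before -o, and -m udp between -p and --dport
                case $line in
                    *' -o lo '*|*' -o wg0 '*) ;;
                    *" -d $ep/32 -o eth0 -p udp "*"--dport $port -j ACCEPT") ;;
                    *' -o eth0 -p udp '*'--dport 67 -j ACCEPT') ;;
                    *) echo "unexpected egress: $line"; bad=1 ;;
                esac ;;
            '-A INPUT '*'-j ACCEPT')
                case $line in
                    *' -i lo '*|*' -i wg0 '*) ;;
                    *" -s $ep/32 -i eth0 -p udp "*"--sport $port -j ACCEPT") ;;
                    *' -i eth0 -p udp '*'--sport 67 -j ACCEPT') ;;
                    *) echo "unexpected ingress: $line"; bad=1 ;;
                esac ;;
        esac
    done < "$file"
    [ "$policies" -eq 3 ] || { echo "filter table missing or incomplete"; bad=1; }
    return $bad
}

# Usage on a running football host, once per address family:
#   iptables-save  > /tmp/v4 && audit_ruleset /tmp/v4 "$WG_ENDPOINT_IP" "$WG_ENDPOINT_PORT"
#   ip6tables-save > /tmp/v6 && audit_ruleset /tmp/v6 "$WG_ENDPOINT_IP" "$WG_ENDPOINT_PORT"
```

Running it over ip6tables-save output with the IPv4 endpoint is intentional: on the IPv6 side the only acceptable ACCEPT rules are lo and wg0, so any IPv6 egress on eth0 shows up as "unexpected egress".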

Usage

Default User

  • Username: user
  • Password: changeme (CHANGE IMMEDIATELY!)

Automatic Startup

  1. Login triggers automatic IceWM start
  2. Remmina launches automatically
  3. WireGuard tunnel establishes automatically
  4. Use Remmina to connect to PAW

Remmina Configuration

Create Remmina profiles in:

  • Path: /home/user/.local/share/remmina/
  • Protocol: RDP or VNC (as needed)
  • Server: PAW internal IP via WireGuard
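An added example of a profile for that path (not a file from the project), saved as /home/user/.local/share/remmina/paw.remmina. The PAW address 10.100.0.1 is an assumption (the first host of the 10.100.0.0/24 tunnel network implied by the AllowedIPs used in key generation), as is the profile name; check the key names against the Remmina version in packages.list. Clipboard sharing off and no shared folder keep the football from becoming a data path out of the high side.

```ini
[remmina]
name=highside PAW
protocol=RDP
server=10.100.0.1
username=user
disableclipboard=1
sharefolder=
sound=off
```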

System Administration

Local console access only:

# Check WireGuard status
sudo wg show

# View firewall rules
sudo iptables -L -n -v

# Check logs
sudo journalctl -u wg-quick@wg0
sudo journalctl -u block-remote-access

Troubleshooting

WireGuard Connection Fails

  1. Verify endpoint IP and port
  2. Check firewall rules allow WireGuard
  3. Verify keys are correctly configured
  4. Check WireGuard server logs

Network Blocked

  1. Confirm WireGuard interface is up: ip link show wg0
  2. Check firewall: sudo iptables -L -n -v
  3. Verify WireGuard config: sudo wg show

Secure Boot Issues

  1. Ensure UEFI is enabled
  2. Verify Microsoft UEFI CA is installed
  3. Check Secure Boot status: mokutil --sb-state

System Won't Boot

  1. Verify UEFI boot mode (not legacy BIOS)
  2. Check GRUB installation
  3. Review kernel logs from boot

Advanced Configuration

Customizing the Build

  • Edit config/packages.list to add or remove packages
  • Modify chroot-overlay/ to customize system files

Changing Image Size

Edit build.sh:

DISK_SIZE_MB=8192  # Change to desired size in MB

Multiple Deployment Profiles

Create different build.sh variants with different configurations for various deployment scenarios.

Security Considerations

Before Deployment

  1. Generate unique WireGuard keys per deployment
  2. Change default password
  3. Verify Secure Boot configuration
  4. Test WireGuard connection
  5. Verify firewall rules
  6. Configure PAW connection in Remmina

During Operation

  1. Monitor WireGuard connection
  2. Review audit logs regularly
  3. Keep system updated (manual, controlled updates)
  4. Physical security of device

Incident Response

If compromise suspected:

  1. Isolate system physically
  2. Preserve logs and memory dump
  3. Contact security team
  4. Destroy/rebuild system from scratch

Compliance

This system is designed to support:

  • NIST SP 800-171 controls
  • NIST SP 800-53 Moderate
  • CIS Benchmarks for Debian 13 (Trixie)
  • CMMC Level 3 controls
  • FedRAMP Moderate controls
  • Zero Trust network architecture principles
  • Privileged Access Management (PAM) best practices

License

See LICENSE file.

Support

For issues or questions:

  • Contact: Infrastructure Security Team
  • Location: KNEL server room

WARNING: This is a security-focused build system. Unauthorized modifications or deployments may compromise infrastructure security.

Readme AGPL-3.0 176 KiB