This project has been created as part of the 42 curriculum by csekakul.

Born2beRoot: Secure System Administration & Virtualization Hardening 🌐

Welcome to Born2beRoot, a system administration project focused on building, hardening and deploying a headless server under strict virtualization security policies.

🚀 Project Overview

The objective of this project is to set up a stable, secure and strictly minimal environment in VirtualBox. The machine runs without any graphical interface, hosts isolated services, and applies encrypted storage, tight access controls and recurring resource monitoring.

🎯 Key Engineering Milestones

  • Encrypted LVM: the storage layer is built on 2 distinct encrypted logical volumes.
  • Network Isolation: the SSH daemon listens only on port 4242 and root login over SSH is disabled.
  • Policy Enforcement: custom PAM password-expiration rules and detailed logging of every sudo command.
  • Monitoring Daemon: a background script that samples core resource usage and broadcasts the metrics to all logged-in terminals with wall.

🛠️ Architecture Decisions & Comparisons

🖥️ Operating System: Debian vs. Rocky Linux

  • Selected System: Debian (Latest Stable Release).
  • Rationale: Debian provides a stable, lightweight base system with predictable upstream updates, and its native packaging allows minimal configurations without enterprise subscription dependencies. Rocky Linux, by contrast, carries the larger enterprise footprint of the Red Hat ecosystem, which is powerful but unnecessary for an isolated single-purpose server.

🛡️ Kernel-Level Security: AppArmor vs. SELinux

  • AppArmor (Debian default): path-based Mandatory Access Control (MAC) using per-application profiles. It is comparatively easy to configure, debug and manage for single-purpose services.
  • SELinux (Rocky Linux default): label-based MAC in which security contexts are attached to every filesystem object and process. It offers finer-grained control but has a steep learning curve and frequently adds complexity and hard-to-diagnose errors on a minimal server.

🧱 Network Firewall: UFW vs. firewalld

  • UFW (Uncomplicated Firewall): a lightweight front end over the native iptables/netfilter rule sets. Its syntax is direct, predictable and easy to review when auditing open ports.
  • firewalld: a dynamic zone-based firewall daemon that applies rule changes at runtime. It is useful on complex corporate networks with changing interfaces, but its size adds unnecessary overhead on a standalone static server.

🎛️ Hypervisor Infrastructure: VirtualBox vs. UTM

  • VirtualBox: a mature, cross-platform hypervisor for x86 that offers robust virtual disk handling, network bridging and a command-line management interface.
  • UTM: a virtualization and emulation front end built specifically for Apple Silicon on top of the native macOS hypervisor framework.

πŸ” Security Hardening Profile

🔑 Strict Password Policy (/etc/login.defs & libpam-pwquality)

To enforce robust system protection, local accounts are subject to the following rules:

  • Password Expiration: passwords expire every 30 days.
  • Modification Gaps: at least 2 days must pass between consecutive password changes.
  • Expiration Warnings: users are warned 7 days before their password expires.
  • Complexity Requirements: passwords must be at least 10 characters long and contain at least one uppercase letter, one lowercase letter and one digit.
  • Sequence Protection: passwords may not contain more than 3 consecutive identical characters, nor the user's account name.

⚙️ Privilege Escalation Controls (sudo configuration)

Administrative access through sudo is governed by the following settings:

  • Authentication Boundaries: at most 3 consecutive invalid password attempts are allowed.
  • Custom Security Feedback: a custom error message is displayed when a password attempt fails.
  • Comprehensive Auditing: every sudo command is logged, with full input and output archived under /var/log/sudo/.
  • Environment Constraints: sudo requires a TTY and restricts the command search path to:
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
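As an added example (not part of this repository), the following POSIX shell audit checks that /etc/login.defs, /etc/security/pwquality.conf and a sudoers drop-in actually carry the password-policy and sudo settings described in the two sections above. The sudoers option names (passwd_tries, badpass_message, requiretty, log_input, log_output, iolog_dir, secure_path) are the standard sudoers(5) names assumed to implement those bullets, and the demo files are constructed.

```shell
#!/bin/sh
# Added audit helper (not part of the Born2beroot repository): checks that login.defs,
# pwquality.conf and a sudoers drop-in carry the values listed in the README above.

# want FILE KEY EXPECTED -> prints the result; returns 1 if KEY is unset or differs.
# Accepts both "KEY value" (login.defs) and "KEY = value" (pwquality.conf) syntax.
want() {
    actual=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=\{0,1\}[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    if [ "$actual" = "$3" ]; then echo "ok   $2=$actual"; return 0; fi
    echo "FAIL $2=${actual:-<unset>} (expected $3)"; return 1
}

# has_default FILE REGEX -> returns 1 unless some "Defaults ..." line matches REGEX.
has_default() {
    if grep -Eq "^[[:space:]]*Defaults[[:space:]].*$2" "$1"; then echo "ok   Defaults $2"; return 0; fi
    echo "FAIL Defaults $2 not set"; return 1
}

# audit LOGIN_DEFS PWQUALITY_CONF SUDOERS -> exit status is the number of failed checks.
audit() {
    fails=0
    for spec in "PASS_MAX_DAYS 30" "PASS_MIN_DAYS 2" "PASS_WARN_AGE 7"; do
        want "$1" $spec || fails=$((fails + 1))
    done
    for spec in "minlen 10" "ucredit -1" "lcredit -1" "dcredit -1" "maxrepeat 3" "usercheck 1"; do
        want "$2" $spec || fails=$((fails + 1))
    done
    for pat in 'passwd_tries=3' 'badpass_message=' 'requiretty' 'log_input' 'log_output' \
               'iolog_dir="/var/log/sudo"' \
               'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'; do
        has_default "$3" "$pat" || fails=$((fails + 1))
    done
    return $fails
}

# demo: constructed sample files. login.defs keeps Debian's default PASS_MAX_DAYS of
# 99999 and the sudoers drop-in lacks requiretty, so audit reports exactly 2 failures.
demo() {
    d=$(mktemp -d); rc=0
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t2\nPASS_WARN_AGE\t7\n' > "$d/login.defs"
    printf 'minlen = 10\nucredit = -1\nlcredit = -1\ndcredit = -1\nmaxrepeat = 3\nusercheck = 1\n' > "$d/pwquality.conf"
    printf 'Defaults\tpasswd_tries=3\nDefaults\tbadpass_message="Wrong password."\nDefaults\tlog_input,log_output\n' > "$d/sudoers"
    printf 'Defaults\tiolog_dir="/var/log/sudo"\nDefaults\tsecure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"\n' >> "$d/sudoers"
    audit "$d/login.defs" "$d/pwquality.conf" "$d/sudoers" || rc=$?
    rm -rf "$d"; return $rc
}

# Run against real files: sh audit.sh /etc/login.defs /etc/security/pwquality.conf /etc/sudoers.d/<file>
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run it as root on the VM with the three real paths; a non-zero exit status tells you how many of the README's settings are missing.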

📊 System Monitoring Subsystem (monitoring.sh)

The script is scheduled at boot to run every 10 minutes and broadcasts its metrics to every logged-in terminal with wall:

#!/bin/bash
# monitoring.sh: scheduled from root's crontab, e.g. "*/10 * * * * /path/to/monitoring.sh"

# Architecture and CPU topology
arch=$(uname -a)
pcpu=$(grep "physical id" /proc/cpuinfo | sort -u | wc -l)
vcpu=$(grep -c "^processor" /proc/cpuinfo)
# Memory in MB and percentage in use
mem_used=$(free -m | awk '/Mem:/ {print $3}')
mem_total=$(free -m | awk '/Mem:/ {print $2}')
mem_pct=$(free | awk '/Mem:/ {printf("%.2f", $3/$2*100)}')
# Disk totals over all mounted filesystems (used in MB, total human-readable)
disk_used=$(df -m --total | awk '/total/ {print $3}')
disk_total=$(df -h --total | awk '/total/ {print $2}')
disk_pct=$(df -m --total | awk '/total/ {print $5}')
# CPU load: user + system time from a single top snapshot
cpu_load=$(top -bn1 | awk '/^%Cpu/ {printf("%.1f%%", $2 + $4)}')
last_boot=$(who -b | awk '{print $3" "$4}')
lvm_use=$(if [ "$(lsblk | grep -c "lvm")" -gt 0 ]; then echo yes; else echo no; fi)
tcp_conn=$(ss -ta | grep -c ESTAB)
user_log=$(users | wc -w)
ip_addr=$(hostname -I | awk '{print $1}')
mac_addr=$(ip link show | awk '/ether/ {print $2}')
# Number of commands executed through sudo, counted from the journal
sudo_cmd=$(journalctl _COMM=sudo | grep -c "COMMAND=")

wall "  #Architecture: $arch
        #Physical CPU: $pcpu
        #vCPU: $vcpu
        #Memory Usage: $mem_used/${mem_total}MB ($mem_pct%)
        #Disk Usage: $disk_used/${disk_total} ($disk_pct)
        #CPU load: $cpu_load
        #Last boot: $last_boot
        #LVM use: $lvm_use
        #TCP Connections: $tcp_conn ESTABLISHED
        #User log: $user_log
        #Network: IP $ip_addr ($mac_addr)
        #Sudo: $sudo_cmd cmd"

💻 Instructions & System Verification

🔐 Generating the Disk Signature File

The signature.txt file is the verifiable integrity baseline of the virtual disk. To compute or verify its SHA-1 checksum while the VM is powered off:

# Windows Environment
certUtil -hashfile "C:\Users\YourUser\VirtualBox VMs\csekakul42\csekakul42.vdi" sha1

# Linux Environment
sha1sum ~/VirtualBox\ VMs/csekakul42/csekakul42.vdi

# macOS / Apple Silicon UTM Environment
shasum ~/Library/Containers/com.utmapp.UTM/Data/Documents/csekakul42.utm/Images/disk-0.qcow2

About

🌐 A hardened, headless Linux enterprise server infrastructure deployed via VirtualBox featuring dual-encrypted LVM partitioning, SSH hardening, dynamic UFW firewall matrices, strict PAM security profiles, and a background bash system monitoring daemon.