Projects | Florian Stosse

docker-admxlint

Sun, 26 May 2024 00:00:00 +0000

docker-admxlint packages the C++ admx-lint validator tool into a lightweight, CI/CD-ready Docker image. This container allows system administrators and policy engineers to validate custom Administrative Templates (.admx) and language resource files (.adml) against official Microsoft XML Schema Definitions (XSD) without having to manually build or run dependencies locally.

It is particularly useful for pipeline automation when building custom GPO baselines.

Key Use Cases & Features

Schema Compliance: Verifies namespace structures, element definitions, and category mappings against official Group Policy schemas.
Pipeline Integration: Easily integrate ADMX lint checks into GitHub Actions, GitLab CI, or custom DevSecOps pipelines.
Zero Local Setup: Eliminates the need to configure build environments or C++ compilers on local development workstations.

Quick Usage

Run the linter on your ADMX files by mounting your templates folder into the container:

docker run --rm -v $(pwd)/policies:/workspace harvester57/docker-admxlint:latest /workspace

chainguard-images

Sat, 25 May 2024 00:00:00 +0000

chainguard-images is a curated collection of secure, minimal, and production-ready container images built on top of Chainguard’s distroless base images (Wolfi/Apko). By stripping out unnecessary tools, shells, package managers, and libraries, these images achieve an extremely small footprint and approach a Zero-CVE status by design.

This collection packages various applications and language runtimes, ensuring secure-by-default execution in modern container orchestration stacks.

Security Benefits of Distroless

Minimizing Attack Surface: Removing standard shell binaries (/bin/sh, /bin/bash) and diagnostic tools prevents attackers from executing arbitrary commands upon compromise.
Vulnerability reduction: Eliminating unused packages results in container images that trigger fewer CVE alerts in security scanners.
Secure Ingestion: Optimized for high-assurance and air-gapped container registries that require signed, low-overhead artifacts.
Reproducible Builds: Compiled using secure and verifiable declarative build files.

freematics-traccar-encrypted

Fri, 24 May 2024 00:00:00 +0000

freematics-traccar-encrypted (forked from the original project, now deleted from GitHub) is a custom firmware extension and intermediary proxy designed to secure telematics transmission between Freematics hardware trackers (such as Freematics ONE+) and a Traccar GPS server.

By default, Freematics devices stream vehicle telemetry and GPS data over unencrypted UDP channels because resource-constrained microcontrollers cannot handle the overhead of full TLS handshakes. This project resolves that gap by introducing a lightweight cryptography layer directly onto the device firmware and terminating it via a custom decryption proxy.

Architecture & Mechanics

Firmware Encryption: Extends the Freematics telelogger sketch with a fast, hardware-friendly symmetric encryption algorithm (ChaCha stream cipher) to secure UDP payloads before transmission.
Decryption Proxy: A lightweight intermediary service, written in Go, that listens for encrypted telematics packets from the tracker, validates payload integrity, decrypts the contents, and forwards standard unencrypted telematics records to the Traccar backend.
Tamper Prevention: Protects location coordinates, speed, and OBD-II vehicle diagnostic data against passive eavesdropping and man-in-the-middle spoofing vectors.

openstreetmap-tile-server

Thu, 23 May 2024 00:00:00 +0000

openstreetmap-tile-server is a deployment configuration and guide for hosting a local, offline OpenStreetMap (OSM) tile server. Designed specifically for high-security, air-gapped, or isolated network environments, it enables applications to render mapping data without requesting external web resources.

This stack leverages Docker to simplify deployment, package ingestion, and render pipeline orchestration.

Stack Components

Database: PostgreSQL with PostGIS extensions to manage geographical data.
Ingestion: Osm2pgsql for importing and styling .osm.pbf map files.
Renderer: Mapnik and renderd for rendering vector map data into raster tiles.
Tile Server: Apache with mod_tile to serve pre-rendered or on-the-fly map tiles.
Front-End Integration: Simple Leaflet-based templates for verifying local tile rendering.

Usage Outline

Pre-render tiles or import specific geographical datasets (e.g., country extracts from Geofabrik) to serve them locally within your network. Useful for command-and-control centers, localized flight-tracking platforms, and telemetry dashboards operating in secure perimeters.

exploit-protection-policy

Wed, 22 May 2024 00:00:00 +0000

Exploit-Protection-policy provides a production-hardened Exploit Protection (EP) policy tailored for Windows 10 and Windows 11 systems. It combines multiple industry-standard security baselines with advanced restrictions to maximize security without breaking compatibility with everyday applications.

This policy has been tested in air-gapped systems to protect endpoints from advanced threat vectors while maintaining productivity.

Merged Security Baselines

DISA STIG Exploit Protection v3.
Microsoft Security Baseline Exploit Protection policy (specifically aligned for enterprise systems).
milgradesec’s custom Exploit Protection rule configurations.

Key Protections Enforced

System-Wide Mitigations: Enforces fundamental protections such as Control Flow Guard (CFG), Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Heap Protection by default.
Advanced Payload Controls: Restricts execution vectors using Export Address Filtering (EAF/EAF+), Import Address Filtering (IAF), and Return-Oriented Programming (ROP) mitigations.
Image & Code Integrity Restrictions: Blocks loading of low-integrity or remote images, preventing malicious library injection.
Application-Specific Tuning: Includes pre-configured exceptions and application rules to balance high-security containment with software compatibility.

sudo-check

Tue, 21 May 2024 00:00:00 +0000

sudo-check is a lightweight security auditing utility designed to analyze Linux /etc/sudoers files and /etc/sudoers.d/ directories. It helps security engineers and system administrators quickly identify misconfigurations, overly permissive rules, and potential privilege escalation pathways.

By scanning for common policy weaknesses, this tool provides actionable insights to tighten system access controls.

Key Auditing Features

Rule Analysis: Identifies NOPASSWD directives and wildcard user specifications that could allow unauthorized root access.
Directive Validation: Verifies the presence of key security directives such as env_reset, secure_path, and use_pty.
Permission Checks: Validates the file permissions and ownership of critical configuration files to prevent unauthorized editing.
Alias Resolution: Parsers user, run-as, and command aliases to audit complex, nested rule structures.

ad-hardening

Mon, 20 May 2024 00:00:00 +0000

ad-hardening is a comprehensive guidebook and reference repository dedicated to securing and hardening Active Directory (AD) environments in air-gapped, isolated networks. While physical isolation eliminates many remote threats, it places a heavier security premium on internal access control, endpoint hygiene, and physical media management.

This project outlines step-by-step guidance, configurations, and templates to establish a resilient security posture inside sensitive, non-internet-connected directory environments.

Core Hardening Pillars

Tiered Administrative Model: Isolating Tier 0 (Domain Controllers/Admins) credentials from Tier 1 (Servers) and Tier 2 (Workstations) to eliminate lateral escalation risks.
Offline Authentication & MFA: Strategies for deploying local, offline-capable multi-factor authentication without internet-based validation services.
Service Account Securing: transitioning legacy service accounts to Group Managed Service Accounts (gMSAs) to enforce automatic password rotation.
Audit & Event Analysis: Configuration templates for offline Windows Event Forwarding (WEF) and local security log auditing.
Removable Media Control: Hardening USB and other removable hardware access policies via Group Policy Objects (GPOs) to combat sneakernet malware propagation vectors.

Security-ADMX

Sun, 19 May 2024 00:00:00 +0000

Security-ADMX is a collection of custom Administrative Templates (.admx and .adml) specifically designed for hardening Windows 10 and Windows 11 workstations. It allows system administrators and security engineers to configure advanced security settings via local or domain Group Policy (GPO) that are otherwise difficult or tedious to manage.

Developed out of the need to streamline security compliance across embedded and workstation deployments, this project packages several security controls into easily manageable policies.