KNEL/KNELServerBuild
2
0
Fork 0
Code Pull Requests Actions Packages Releases 1 Activity
Files
24c10b6f3590edd1a15f7d211c0b65f929fc35f5
KNELServerBuild/claude-todo.md
ReachableCEO 0c736c7295 Enforce HTTPS for all downloads to eliminate security vulnerabilities 
- Convert 16 HTTP URLs to HTTPS across 3 critical scripts
- Dell OMSA script: Ubuntu archive and Dell repository URLs now use HTTPS
- Proxmox legacy script: Download URLs converted to secure connections
- SSL stack script: Apache source URLs updated to official archive
- Update documentation to reflect resolved security issues
- Mark HTTPS enforcement as completed in todo lists

This addresses the second critical security concern from the security review,
eliminating man-in-the-middle attack vectors during package downloads.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-14 09:22:32 -05:00

162 lines
5.3 KiB
Markdown
Raw Blame History

# Claude TODO - TSYS FetchApply Automation Tasks
**Purpose:** Actionable items optimized for AI assistant implementation
**Priority:** Critical → High → Medium → Low
## 🚨 CRITICAL (Immediate Security Fixes)
### ✅ RESOLVED: Secure Deployment Method
**Previous Issue:** `curl | bash` deployment method
**Status:** Fixed in README.md - now uses `git clone` + local script execution
### ✅ RESOLVED: Replace HTTP URLs with HTTPS
**Files modified:**
- `ProjectCode/Dell/Server/omsa.sh` - Converted 11 HTTP URLs to HTTPS (Ubuntu archive, Dell repo)
- `ProjectCode/legacy/prox7.sh` - Converted 2 HTTP URLs to HTTPS (Proxmox downloads)
- `ProjectCode/Modules/RandD/sslStackFromSource.sh` - Converted 3 HTTP URLs to HTTPS (Apache sources)
**Status:** All HTTP URLs in active scripts converted to HTTPS. Only remaining HTTP references are in comments and LibreNMS agent files (external dependencies).
### TASK-002: Add Download Integrity Verification
**Create new function in:** `Framework-Includes/VerifyDownload.sh`
**Function to implement:**
```bash
function verify_download() {
local url="$1"
local expected_hash="$2"
local output_file="$3"
curl -fsSL "$url" -o "$output_file"
local actual_hash=$(sha256sum "$output_file" | cut -d' ' -f1)
if [ "$actual_hash" != "$expected_hash" ]; then
print_error "Hash verification failed for $output_file"
rm -f "$output_file"
return 1
fi
print_info "Download verified: $output_file"
}
```
### TASK-003: Create Secure Deployment Script
**Create:** `ProjectCode/SecureSetupNewSystem.sh`
**Features to implement:**
- GPG signature verification
- SHA256 checksum validation
- HTTPS-only downloads
- Rollback capability
## 🔶 HIGH (Security Enhancements)
### TASK-004: Remove Hardcoded SSH Keys
**Files to modify:**
- `ProjectCode/ConfigFiles/SSH/AuthorizedKeys/root-ssh-authorized-keys`
- `ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys`
- `ProjectCode/Modules/Security/secharden-ssh.sh:31,40,51`
**Implementation approach:**
1. Create environment variable support: `SSH_KEYS_URL` or `SSH_KEYS_VAULT_PATH`
2. Modify secharden-ssh.sh to fetch keys from secure source
3. Add key validation before deployment
### TASK-005: Add Secrets Management Framework
**Create:** `Framework-Includes/SecretsManager.sh`
**Functions to implement:**
```bash
function get_secret() { } # Retrieve secret from vault
function validate_secret() { } # Validate secret format
function rotate_secret() { } # Trigger secret rotation
```
### TASK-006: Enhanced Preflight Checks
**Modify:** `Framework-Includes/PreflightCheck.sh`
**Add checks for:**
- Network connectivity to required hosts
- Disk space requirements
- Existing conflicting software
- Required system capabilities
## 🔹 MEDIUM (Operational Improvements)
### TASK-007: Add Configuration Backup
**Create:** `Framework-Includes/ConfigBackup.sh`
**Functions:**
```bash
function backup_config() { } # Create timestamped backup
function restore_config() { } # Restore from backup
function list_backups() { } # Show available backups
```
### TASK-008: Implement State Tracking
**Create:** `Framework-Includes/StateManager.sh`
**Track:**
- Deployment progress
- Module completion status
- Rollback points
- System changes made
### TASK-009: Add Retry Logic
**Enhance existing scripts with:**
- Configurable retry attempts for network operations
- Exponential backoff for failed operations
- Circuit breaker for repeatedly failing services
## 🔸 LOW (Quality of Life)
### TASK-010: Enhanced Logging
**Modify:** `Framework-Includes/Logging.sh`
**Add:**
- Structured logging (JSON format option)
- Log levels (DEBUG, INFO, WARN, ERROR)
- Remote logging capability
- Log rotation management
### TASK-011: Progress Indicators
**Add to:** `Framework-Includes/PrettyPrint.sh`
```bash
function show_progress() { } # Display progress bar
function update_status() { } # Update current operation
```
### TASK-012: Dry Run Mode
**Add to:** `ProjectCode/SetupNewSystem.sh`
**Implementation:**
- `--dry-run` flag support
- Preview of changes without execution
- Dependency analysis output
## Implementation Order for Claude
**Updated Priority After Security Fix (July 14, 2025):**
1. **Start with TASK-001** (HTTPS enforcement - simple find/replace operations)
2. **Create framework functions** (TASK-002, TASK-005, TASK-007)
3. **Enhance existing modules** (TASK-004, TASK-006)
4. **Add operational features** (TASK-008, TASK-009)
5. **Improve user experience** (TASK-010, TASK-011, TASK-012)
**Note:** Major deployment security risk resolved - remaining tasks focus on hardening internal operations.
## File Location Patterns
- **Framework components:** `Framework-Includes/*.sh`
- **Security modules:** `ProjectCode/Modules/Security/*.sh`
- **Configuration files:** `ProjectCode/ConfigFiles/*/`
- **Main entry point:** `ProjectCode/SetupNewSystem.sh`
## Testing Strategy
For each task:
1. Create backup of original files
2. Implement changes incrementally
3. Test with `bash -n` for syntax validation
4. Verify functionality with controlled test runs
5. Document changes made
## Error Handling Requirements
All new functions must:
- Use `set -euo pipefail` compatibility
- Integrate with existing error handling framework
- Log errors to `$LOGFILENAME`
- Return appropriate exit codes
- Clean up temporary files on failure
View Git Blame Copy Permalink