KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(audit): update FINDING-002 to informational (by design)

Browse Source 
Firewall OUTPUT DROP policy confirmed as intentional for immutable
system security model:
- Zero traffic leakage (no DNS poisoning, NTP spoofing, C2 exfil)
- Immutable system with no in-place updates
- WireGuard endpoint loaded via USB disk
- Time synchronized from host/hypervisor

Updated risk summary: 1 HIGH (Secure Boot), 4 MEDIUM, 3 LOW, 2 INFO

Remaining findings (001, 005, 006, 007, 008) to be addressed by
software team per audit recommendations.

💘 Generated with Crush

Assisted-by: GLM-4 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-02-20 10:35:42 -05:00
parent c8b004cf3e
commit 09b4f12026
2 changed files with 41 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/audit/2026-02-20/SUMMARY.md
View File

@@ -30,10 +30,10 @@ KNEL-Football is a hardened Debian 13 Linux distribution designed as a **secure
| Severity | Count | Key Areas |
|----------|-------|-----------|
| Critical | 0 | - |
| High | 2 | Secure Boot keys, Firewall output |
| High | 1 | Secure Boot keys |
| Medium | 4 | Docker privileged, USB automount, KDF config, Supply chain |
| Low | 3 | Test gaps, Documentation, Input validation |
| Info | 1 | Package management |
| Info | 2 | Firewall (by design), Package management |
---
@@ -45,14 +45,19 @@ Keys generated at build time without HSM or secure storage. An attacker with bui
**Impact**: Complete chain of trust compromise
**Effort**: Medium (requires key management infrastructure)
### 2. Firewall Output Chain Blocks Essential Services (HIGH)
Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization, and system updates.
**Impact**: System cannot function properly (DNS, time sync, updates)
**Effort**: Low (add explicit allow rules)
---
## Design Decisions Confirmed
### Firewall Output Policy (By Design)
The strict OUTPUT DROP policy was confirmed as **intentional** for an immutable system:
- Zero traffic leakage (no DNS poisoning, NTP spoofing, C2 exfiltration vectors)
- Immutable system with no in-place updates (CVEs handled by ISO regeneration)
- WireGuard endpoint loaded via USB disk (wg0.conf)
- Time synchronized from host/hypervisor
**Assessment**: Defensible security posture for an air-gapped access terminal.
## Positive Security Observations
1. **Strong SDLC Enforcement** - Pre-commit hooks enforce TDD, linting, and coverage
@@ -67,9 +72,8 @@ Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization
## Recommendations Priority
### Must Fix Before Release
1. Fix firewall OUTPUT chain to allow DNS/NTP/updates
2. Disable USB automount (conflicts with security model)
3. Verify Argon2id KDF is actually used in LUKS
1. Disable USB automount (conflicts with security model)
2. Verify Argon2id KDF is actually used in LUKS
### Short-term (30 days)
1. Implement Secure Boot key management with HSM or air-gapped storage
@@ -92,7 +96,7 @@ Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization
| NIST SP 800-53 AC-19 | ⚠️ Issue | USB automount |
| NIST SP 800-111 | ✅ Pass | LUKS2 encryption |
| CIS Benchmark 6.x | ✅ Pass | Comprehensive audit logging |
| FedRAMP SC-7 | ⚠️ Issue | Firewall output policy |
| FedRAMP SC-7 | ✅ Pass | Strict output policy (by design) |
---
@@ -105,9 +109,9 @@ Default DROP policy on OUTPUT chain prevents DNS resolution, NTP synchronization
## Conclusion
KNEL-Football demonstrates **mature security architecture** with strong foundations. The project is **suitable for production with remediation** of the two HIGH findings. The SDLC practices are exemplary and should be maintained.
KNEL-Football demonstrates **mature security architecture** with strong foundations. The project is **suitable for production with remediation** of the HIGH finding. The SDLC practices are exemplary and should be maintained.
**Recommendation**: Address firewall and Secure Boot key issues before release. The remaining findings can be addressed post-release with documented timelines.
**Recommendation**: Address Secure Boot key management before release. The firewall output policy is confirmed as intentional design for an immutable system.
---

46
docs/audit/2026-02-20/findings.md
View File

@@ -33,9 +33,10 @@
### Areas Requiring Attention
1. **Secure Boot Key Management**: Keys generated at build time without HSM or secure storage
2. **Firewall Output Policy**: Default DROP on output chain may break DNS/updates
3. **USB Automount**: Security risk for a secure workstation
4. **Supply Chain**: No SLSA/SBOM, unpinned Docker packages
2. **USB Automount**: Security risk for a secure workstation
3. **Supply Chain**: No SLSA/SBOM, unpinned Docker packages
**Note**: The strict firewall OUTPUT policy (FINDING-002) was confirmed as **intentional design** for an immutable system with zero traffic leakage.
---
@@ -83,11 +84,11 @@ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
---
### FINDING-002: Firewall Output Chain Default DROP (HIGH)
### FINDING-002: Firewall Output Chain Default DROP (INFORMATIONAL - BY DESIGN)
**Category**: Network Security
**Severity**: HIGH
**Status**: Open
**Severity**: INFORMATIONAL
**Status**: By Design - No Action Required
**Description**:
The nftables firewall configuration sets a default DROP policy on the OUTPUT chain, only allowing loopback, WireGuard traffic, and ICMP ping.
@@ -106,27 +107,26 @@ chain output {
}
```
**Issues**:
1. No DNS (UDP/TCP 53) allowed - system cannot resolve hostnames
2. No NTP (UDP 123) allowed - time synchronization will fail
3. No HTTP/HTTPS allowed - system cannot fetch updates or time
4. WireGuard endpoint IP must be known at configuration time
5. No outbound rules for apt repositories
**Clarification from Project Team**:
This is an **intentional design choice** for an immutable system security model:
**Risk**: System may be unable to:
- Synchronize time (breaks Kerberos, certificate validation)
- Resolve DNS names
- Receive security updates
- Access WireGuard endpoint if IP changes
1. **Zero Traffic Leakage**: No DNS, no NTP, no HTTP/HTTPS - eliminates DNS poisoning, NTP spoofing, and C2 exfiltration vectors
2. **Immutable System**: Package management disabled, no in-place updates - CVEs handled by regenerating ISO and recreating VM
3. **WireGuard via USB**: Endpoint IP loaded from `wg0.conf` on USB disk at provisioning time
4. **Time from Host**: VM receives time from hypervisor/host system, no network time sync needed
5. **Known Endpoints**: WireGuard peer IP is static and pre-configured
**Assessment**:
This is a **defensible security posture** for an air-gapped, immutable access terminal. The strict OUTPUT DROP policy prevents:
- Data exfiltration via DNS tunneling
- C2 beacon traffic
- Supply chain attacks via compromised update servers
- NTP-based attacks
**Recommendation**:
1. Add explicit DNS rules (TCP/UDP 53 to known DNS servers)
2. Add NTP rules (UDP 123 to time servers)
3. Consider allowing HTTPS to specific update repositories
4. Document the firewall policy and required endpoints
5. Add validation that WireGuard endpoint is reachable
Document this design decision in the security model documentation for future auditors.
**Compliance Impact**: NIST SP 800-41, CIS Benchmark 3.x
**Compliance Impact**: NIST SP 800-41, CIS Benchmark 3.x - Compensating controls in place (immutable system, no package management)
---