docs(audit): update FINDING-002 to informational (by design)

Firewall OUTPUT DROP policy confirmed as intentional for immutable
system security model:
- Zero traffic leakage (no DNS poisoning, NTP spoofing, C2 exfil)
- Immutable system with no in-place updates
- WireGuard endpoint loaded via USB disk
- Time synchronized from host/hypervisor

Updated risk summary: 1 HIGH (Secure Boot), 4 MEDIUM, 3 LOW, 2 INFO

Remaining findings (001, 005, 006, 007, 008) to be addressed by
software team per audit recommendations.

💘 Generated with Crush

Assisted-by: GLM-4 via Crush <crush@charm.land>

docs/audit/2026-02-20/findings.md

@@ -33,9 +33,10 @@
 ### Areas Requiring Attention
 
 1. **Secure Boot Key Management**: Keys generated at build time without HSM or secure storage
-2. **Firewall Output Policy**: Default DROP on output chain may break DNS/updates
-3. **USB Automount**: Security risk for a secure workstation
-4. **Supply Chain**: No SLSA/SBOM, unpinned Docker packages
+2. **USB Automount**: Security risk for a secure workstation
+3. **Supply Chain**: No SLSA/SBOM, unpinned Docker packages
+
+**Note**: The strict firewall OUTPUT policy (FINDING-002) was confirmed as **intentional design** for an immutable system with zero traffic leakage.
 
 ---
 
@@ -83,11 +84,11 @@ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
 
 ---
 
-### FINDING-002: Firewall Output Chain Default DROP (HIGH)
+### FINDING-002: Firewall Output Chain Default DROP (INFORMATIONAL - BY DESIGN)
 
 **Category**: Network Security
-**Severity**: HIGH
-**Status**: Open
+**Severity**: INFORMATIONAL
+**Status**: By Design - No Action Required
 
 **Description**:
 The nftables firewall configuration sets a default DROP policy on the OUTPUT chain, only allowing loopback, WireGuard traffic, and ICMP ping.
@@ -106,27 +107,26 @@ chain output {
 }
 ```
 
-**Issues**:
-1. No DNS (UDP/TCP 53) allowed - system cannot resolve hostnames
-2. No NTP (UDP 123) allowed - time synchronization will fail
-3. No HTTP/HTTPS allowed - system cannot fetch updates or time
-4. WireGuard endpoint IP must be known at configuration time
-5. No outbound rules for apt repositories
+**Clarification from Project Team**:
+This is an **intentional design choice** for an immutable system security model:
 
-**Risk**: System may be unable to:
-- Synchronize time (breaks Kerberos, certificate validation)
-- Resolve DNS names
-- Receive security updates
-- Access WireGuard endpoint if IP changes
+1. **Zero Traffic Leakage**: No DNS, no NTP, no HTTP/HTTPS - eliminates DNS poisoning, NTP spoofing, and C2 exfiltration vectors
+2. **Immutable System**: Package management disabled, no in-place updates - CVEs handled by regenerating ISO and recreating VM
+3. **WireGuard via USB**: Endpoint IP loaded from `wg0.conf` on USB disk at provisioning time
+4. **Time from Host**: VM receives time from hypervisor/host system, no network time sync needed
+5. **Known Endpoints**: WireGuard peer IP is static and pre-configured
+
+**Assessment**:
+This is a **defensible security posture** for an air-gapped, immutable access terminal. The strict OUTPUT DROP policy prevents:
+- Data exfiltration via DNS tunneling
+- C2 beacon traffic
+- Supply chain attacks via compromised update servers
+- NTP-based attacks
 
 **Recommendation**:
-1. Add explicit DNS rules (TCP/UDP 53 to known DNS servers)
-2. Add NTP rules (UDP 123 to time servers)
-3. Consider allowing HTTPS to specific update repositories
-4. Document the firewall policy and required endpoints
-5. Add validation that WireGuard endpoint is reachable
+Document this design decision in the security model documentation for future auditors.
 
-**Compliance Impact**: NIST SP 800-41, CIS Benchmark 3.x
+**Compliance Impact**: NIST SP 800-41, CIS Benchmark 3.x - Compensating controls in place (immutable system, no package management)
 
 ---