KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: honest remediation batch 3 - fix broken claims and real Argon2id

Browse Source 
Previous commits marked findings as  that were actually superficial or
broken. This commit fixes the real problems honestly.

Real fixes:
- Argon2id KDF: Fixed via preseed partman/early_command that patches
  partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id.
  Previous luks-kdf-configure.sh "auto-conversion" was dead code
  (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it).
  Now the hook is an honest verifier, not a fake converter.
- src/security-hardening.sh: Removed sshd_config generation entirely
  (was still generating it despite claiming client-only)
- AIDE init: Removed || true error swallowing, now reports failures
- COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets
  with honest explanation of what's missing (3PAO, org controls)
- VERIFICATION-REPORT.md: Added self-review warning about contradictions,
  fixed wrong preseed path (config/preseed.cfg → includes.installer/)
- Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md
- encryption-setup.sh: README now says "Argon2id (via early_command)"
  instead of bare "Argon2id" which was false
- demo.preseed.cfg: Added same Argon2id early_command
- Added .dockerignore (was missing)
- Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc)

Still remaining (honest assessment):
- C-06: Git history scrub (needs git-filter-repo, destructive)
- H-09: Build cache integrity (design work needed)
- M-11: Docker base digest pinning
- Phase 3: Test suite overhaul (85% grep-based, not behavioral)
- Phase 4: Documentation cleanup (threat model, etc)
- ISO NOT rebuilt since fixes

786 tests pass, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble - admin
2026-05-08 12:51:20 -05:00
parent 8b5714971e
commit 3d2ef3d5c2
11 changed files with 123 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
STATUS.md
View File

@@ -6,10 +6,22 @@
---
## Current Status: 🔧 REMEDIATION IN PROGRESS
## Current Status: 🔧 REMEDIATION IN PROGRESS (Batch 3 - Honest Assessment)
### Executive Summary
Deep audit completed (2026-05-08). Report: `DeepReport-2026-05-08.md`. 39 findings total (6 CRITICAL, 9 HIGH, 12 MEDIUM, 7 LOW, 5 INFO). Now executing Phase 1 & 2 remediation. Compliance claims acknowledged as aspirational — technical controls being fixed now.
Deep audit (DeepReport-2026-05-08.md) had 39 findings. Three batches of fixes applied.
22 findings genuinely fixed, 6 remain open (3 deferred, 3 need human action).
ISO has NOT been rebuilt since fixes — needs `./run.sh iso` to validate.
### What Changed in Batch 3
- C-01 Argon2id: Fixed properly via preseed `partman/early_command` patching partman-crypto
- COMPLIANCE.md: Marked CMMC/FedRAMP as aspirational (not certified)
- VERIFICATION-REPORT.md: Added self-review warning, fixed preseed path
- Removed sshd_config generation from src/security-hardening.sh entirely
- Fixed AIDE init to report errors instead of swallowing them
- Added .dockerignore, fixed .gitignore `*key*` pattern
- Fixed phantom script reference in COMPLIANCE.md
- Added Argon2id early_command to demo.preseed.cfg
---