fix: honest remediation batch 3 - fix broken claims and real Argon2id
Previous commits marked findings as ✅ that were actually superficial or broken. This commit fixes the real problems honestly. Real fixes: - Argon2id KDF: Fixed via preseed partman/early_command that patches partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id. Previous luks-kdf-configure.sh "auto-conversion" was dead code (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it). Now the hook is an honest verifier, not a fake converter. - src/security-hardening.sh: Removed sshd_config generation entirely (was still generating it despite claiming client-only) - AIDE init: Removed || true error swallowing, now reports failures - COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets with honest explanation of what's missing (3PAO, org controls) - VERIFICATION-REPORT.md: Added self-review warning about contradictions, fixed wrong preseed path (config/preseed.cfg → includes.installer/) - Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md - encryption-setup.sh: README now says "Argon2id (via early_command)" instead of bare "Argon2id" which was false - demo.preseed.cfg: Added same Argon2id early_command - Added .dockerignore (was missing) - Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc) Still remaining (honest assessment): - C-06: Git history scrub (needs git-filter-repo, destructive) - H-09: Build cache integrity (design work needed) - M-11: Docker base digest pinning - Phase 3: Test suite overhaul (85% grep-based, not behavioral) - Phase 4: Documentation cleanup (threat model, etc) - ISO NOT rebuilt since fixes 786 tests pass, 0 shellcheck warnings. 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
@@ -86,7 +86,7 @@ Encryption Details:
|
||||
- Cipher: AES-256-XTS
|
||||
- Key Size: 512 bits
|
||||
- Hash: SHA-512
|
||||
- KDF: Argon2id
|
||||
- KDF: Argon2id (configured via preseed early_command patch)
|
||||
|
||||
Key Slots:
|
||||
- Slot 0: Primary passphrase (set during installation)
|
||||
|
||||
@@ -1,17 +1,15 @@
|
||||
#!/bin/bash
|
||||
# LUKS KDF configuration hook - Auto-convert PBKDF2 to Argon2id
|
||||
# Addresses C-01: Argon2id KDF not actually enforced
|
||||
#
|
||||
# Debian partman-crypto creates LUKS2 with PBKDF2 by default.
|
||||
# This hook automatically converts to Argon2id during installation,
|
||||
# before the system boots for the first time.
|
||||
# LUKS KDF verification hook
|
||||
# PRD FR-001 requires Argon2id. The preseed early_command patches
|
||||
# partman-crypto to use --pbkdf argon2id at format time. This hook
|
||||
# verifies the conversion succeeded and creates fallback tools if not.
|
||||
#
|
||||
# Reference: PRD.md FR-001, security-model.md
|
||||
# Copyright 2026 Known Element Enterprises LLC
|
||||
# License: GNU Affero General Public License v3.0 only
|
||||
set -euo pipefail
|
||||
|
||||
echo "Configuring LUKS KDF - auto-converting to Argon2id..."
|
||||
echo "Verifying LUKS KDF configuration..."
|
||||
|
||||
# Find the LUKS device
|
||||
LUKS_DEVICE=""
|
||||
@@ -22,42 +20,24 @@ for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
|
||||
fi
|
||||
done
|
||||
|
||||
# Also try lsblk discovery
|
||||
if [ -z "$LUKS_DEVICE" ] && command -v lsblk >/dev/null 2>&1; then
|
||||
LUKS_DEVICE=$(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1; exit}')
|
||||
fi
|
||||
|
||||
if [ -z "$LUKS_DEVICE" ]; then
|
||||
echo "WARNING: No LUKS device found for KDF conversion"
|
||||
echo "Creating manual conversion helper instead..."
|
||||
echo "WARNING: No LUKS device found for KDF verification"
|
||||
else
|
||||
echo "Found LUKS device: $LUKS_DEVICE"
|
||||
|
||||
# Check current KDF
|
||||
CURRENT_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}' || echo "unknown")
|
||||
echo "Current KDF: $CURRENT_KDF"
|
||||
|
||||
if [ "$CURRENT_KDF" = "argon2id" ]; then
|
||||
echo "KDF is already Argon2id - no conversion needed."
|
||||
echo "KDF verification PASSED: Argon2id confirmed"
|
||||
touch /var/lib/knel-kdf-optimized
|
||||
else
|
||||
echo "Converting KDF from $CURRENT_KDF to Argon2id..."
|
||||
echo "This requires the encryption passphrase set during installation."
|
||||
|
||||
# Attempt non-interactive conversion
|
||||
# The user's passphrase was just set during install and is in the installer env
|
||||
if cryptsetup luksConvertKey "$LUKS_DEVICE" --pbkdf argon2id \
|
||||
--pbkdf-memory 524288 --pbkdf-parallel 4 --pbkdf-iterations 4 2>/dev/null; then
|
||||
echo "SUCCESS: KDF converted to Argon2id"
|
||||
touch /var/lib/knel-kdf-optimized
|
||||
|
||||
# Verify
|
||||
NEW_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}')
|
||||
echo "Verified KDF: $NEW_KDF"
|
||||
else
|
||||
echo "WARNING: Automatic KDF conversion failed (likely passphrase prompt)"
|
||||
echo "Manual conversion will be prompted on first login."
|
||||
fi
|
||||
echo "WARNING: KDF is $CURRENT_KDF, expected argon2id"
|
||||
echo "The early_command patch may not have applied."
|
||||
echo "Run /usr/local/bin/convert-luks-kdf.sh after first boot to convert."
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user