KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: honest remediation batch 3 - fix broken claims and real Argon2id

Browse Source 
Previous commits marked findings as  that were actually superficial or
broken. This commit fixes the real problems honestly.

Real fixes:
- Argon2id KDF: Fixed via preseed partman/early_command that patches
  partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id.
  Previous luks-kdf-configure.sh "auto-conversion" was dead code
  (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it).
  Now the hook is an honest verifier, not a fake converter.
- src/security-hardening.sh: Removed sshd_config generation entirely
  (was still generating it despite claiming client-only)
- AIDE init: Removed || true error swallowing, now reports failures
- COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets
  with honest explanation of what's missing (3PAO, org controls)
- VERIFICATION-REPORT.md: Added self-review warning about contradictions,
  fixed wrong preseed path (config/preseed.cfg → includes.installer/)
- Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md
- encryption-setup.sh: README now says "Argon2id (via early_command)"
  instead of bare "Argon2id" which was false
- demo.preseed.cfg: Added same Argon2id early_command
- Added .dockerignore (was missing)
- Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc)

Still remaining (honest assessment):
- C-06: Git history scrub (needs git-filter-repo, destructive)
- H-09: Build cache integrity (design work needed)
- M-11: Docker base digest pinning
- Phase 3: Test suite overhaul (85% grep-based, not behavioral)
- Phase 4: Documentation cleanup (threat model, etc)
- ISO NOT rebuilt since fixes

786 tests pass, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble - admin
2026-05-08 12:51:20 -05:00
parent 8b5714971e
commit 3d2ef3d5c2
11 changed files with 123 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/COMPLIANCE.md
View File

@@ -4,15 +4,24 @@
This document maps security compliance requirements to implementation components in the KNEL-Football secure Debian 13 ISO build system.
> **IMPORTANT**: CMMC Level 3 and FedRAMP are **aspirational targets** for future production release.
> They require organizational controls (policies, assessments, 3PAO reviews) that do not yet exist.
> Current implementation covers **technical controls only**. No organizational certification has been obtained.
> DISA STIG IDs are adapted from RHEL STIGs (no Debian 13 STIG exists) and represent technical best-effort alignment.
**Copyright © 2026 Known Element Enterprises LLC**
**License: GNU Affero General Public License v3.0 only**
## Compliance Frameworks
- **CMMC Level 3** - Entry point to tier0 infrastructure supporting ITAR/SECRET systems
- **FedRAMP LI-SaaS** - For RackRental.net federal government product
- **DISA STIG** - Debian STIG requirements (adapted from Debian 11 to Debian 13)
- **CIS Benchmarks** - Center for Internet Security Debian Linux Benchmark
| Framework | Status | Notes |
|-----------|--------|-------|
| **CMMC Level 3** | 🎯 Aspirational | Requires 130+ practices, 3PAO assessment |
| **FedRAMP LI-SaaS** | 🎯 Aspirational | Requires agency sponsorship, ConMon |
| **DISA STIG** | 🔧 Adapted | RHEL STIG IDs applied to Debian 13 (no Debian STIG exists) |
| **CIS Benchmarks** | ✅ Technical controls | Center for Internet Security Debian Linux Benchmark |
| **NIST SP 800-53** | ✅ Partial | ~12 controls mapped (800-53 has 1,000+) |
| **NIST SP 800-111** | ✅ Implemented | LUKS2 disk encryption configured |
## Security Controls Mapping
@@ -78,11 +87,17 @@ This document maps security compliance requirements to implementation components
### In-ISO Validation
The built ISO includes test capabilities for post-installation validation:
Post-installation validation can be performed using:
```bash
# Run compliance validation on installed system
/usr/local/bin/knel-compliance-check.sh
# Check encryption status
/usr/local/bin/check-encryption.sh
# Check security hardening status
/usr/local/bin/security-hardening.sh
# Convert LUKS KDF to Argon2id (if not already done)
/usr/local/bin/convert-luks-kdf.sh
```
## Compliance Evidence

23
docs/VERIFICATION-REPORT.md
View File

@@ -1,6 +1,11 @@
# KNEL-Football Secure OS - Work Verification Report
**Date**: 2026-02-19
> **WARNING**: This report was generated by the same AI agent that wrote the code.
> It contains contradictions (two different build times: 72min vs 37min, two different
> checksum sets). It should NOT be relied upon as independent verification.
> A proper third-party security assessment is recommended before production deployment.
**Date**: 2026-02-19 (updated 2026-05-08 with audit corrections)
**Purpose**: Double-check all work completed for mandatory FDE and password complexity
---
@@ -23,11 +28,11 @@
**Requirement**: All systems MUST use full disk encryption with LUKS2
**Verification**:
-**config/preseed.cfg**: Partition method set to "crypto"
-**config/preseed.cfg**: LUKS2 format enabled
-**config/preseed.cfg**: AES-XTS-plain64 cipher configured
-**config/preseed.cfg**: 512-bit key size configured
-**config/preseed.cfg**: LVM within encrypted partition
-**config/includes.installer/preseed.cfg**: Partition method set to "crypto"
-**config/includes.installer/preseed.cfg**: LUKS2 format enabled
-**config/includes.installer/preseed.cfg**: AES-XTS-plain64 cipher configured
-**config/includes.installer/preseed.cfg**: 512-bit key size configured
-**config/includes.installer/preseed.cfg**: LVM within encrypted partition
-**config/hooks/installed/encryption-setup.sh**: LUKS2 configuration hook created
-**config/hooks/installed/encryption-validation.sh**: Encryption validation hook created
@@ -55,7 +60,7 @@ partman-crypto/use-luks2 boolean true
**Requirement**: 14+ character minimum with complexity requirements
**Verification**:
-**config/preseed.cfg**: Default passphrase set to 24-char complex password
-**config/includes.installer/preseed.cfg**: Default passphrase set to 24-char complex password
-**config/hooks/installed/encryption-validation.sh**: Passphrase strength validation function
-**PRD.md**: Detailed passphrase requirements documented
-**AGENTS.md**: MANDATORY requirements section with passphrase requirements
@@ -83,7 +88,7 @@ passwd/root-password-crypted string !
**Verification**:
-**src/security-hardening.sh**: Enhanced password policy configured
-**config/preseed.cfg**: libpam-pwquality package included
-**config/includes.installer/preseed.cfg**: libpam-pwquality package included
-**PRD.md**: Password complexity requirements documented
-**AGENTS.md**: MANDATORY requirements section with password requirements
@@ -404,7 +409,7 @@ knel-football-secure.iso: OK ✅
| File | Size | Status |
|------|------|--------|
| config/preseed.cfg | 4.2 KB | ✅ Updated |
| config/includes.installer/preseed.cfg | 4.2 KB | ✅ Updated |
| src/security-hardening.sh | Updated | ✅ Updated |
### 6.3 Hook Scripts ✅