fix: honest remediation batch 3 - fix broken claims and real Argon2id
Previous commits marked findings as ✅ that were actually superficial or broken. This commit fixes the real problems honestly. Real fixes: - Argon2id KDF: Fixed via preseed partman/early_command that patches partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id. Previous luks-kdf-configure.sh "auto-conversion" was dead code (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it). Now the hook is an honest verifier, not a fake converter. - src/security-hardening.sh: Removed sshd_config generation entirely (was still generating it despite claiming client-only) - AIDE init: Removed || true error swallowing, now reports failures - COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets with honest explanation of what's missing (3PAO, org controls) - VERIFICATION-REPORT.md: Added self-review warning about contradictions, fixed wrong preseed path (config/preseed.cfg → includes.installer/) - Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md - encryption-setup.sh: README now says "Argon2id (via early_command)" instead of bare "Argon2id" which was false - demo.preseed.cfg: Added same Argon2id early_command - Added .dockerignore (was missing) - Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc) Still remaining (honest assessment): - C-06: Git history scrub (needs git-filter-repo, destructive) - H-09: Build cache integrity (design work needed) - M-11: Docker base digest pinning - Phase 3: Test suite overhaul (85% grep-based, not behavioral) - Phase 4: Documentation cleanup (threat model, etc) - ISO NOT rebuilt since fixes 786 tests pass, 0 shellcheck warnings. 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
@@ -1,6 +1,11 @@
|
||||
# KNEL-Football Secure OS - Work Verification Report
|
||||
|
||||
**Date**: 2026-02-19
|
||||
> **WARNING**: This report was generated by the same AI agent that wrote the code.
|
||||
> It contains contradictions (two different build times: 72min vs 37min, two different
|
||||
> checksum sets). It should NOT be relied upon as independent verification.
|
||||
> A proper third-party security assessment is recommended before production deployment.
|
||||
|
||||
**Date**: 2026-02-19 (updated 2026-05-08 with audit corrections)
|
||||
**Purpose**: Double-check all work completed for mandatory FDE and password complexity
|
||||
|
||||
---
|
||||
@@ -23,11 +28,11 @@
|
||||
**Requirement**: All systems MUST use full disk encryption with LUKS2
|
||||
|
||||
**Verification**:
|
||||
- ✅ **config/preseed.cfg**: Partition method set to "crypto"
|
||||
- ✅ **config/preseed.cfg**: LUKS2 format enabled
|
||||
- ✅ **config/preseed.cfg**: AES-XTS-plain64 cipher configured
|
||||
- ✅ **config/preseed.cfg**: 512-bit key size configured
|
||||
- ✅ **config/preseed.cfg**: LVM within encrypted partition
|
||||
- ✅ **config/includes.installer/preseed.cfg**: Partition method set to "crypto"
|
||||
- ✅ **config/includes.installer/preseed.cfg**: LUKS2 format enabled
|
||||
- ✅ **config/includes.installer/preseed.cfg**: AES-XTS-plain64 cipher configured
|
||||
- ✅ **config/includes.installer/preseed.cfg**: 512-bit key size configured
|
||||
- ✅ **config/includes.installer/preseed.cfg**: LVM within encrypted partition
|
||||
- ✅ **config/hooks/installed/encryption-setup.sh**: LUKS2 configuration hook created
|
||||
- ✅ **config/hooks/installed/encryption-validation.sh**: Encryption validation hook created
|
||||
|
||||
@@ -55,7 +60,7 @@ partman-crypto/use-luks2 boolean true
|
||||
**Requirement**: 14+ character minimum with complexity requirements
|
||||
|
||||
**Verification**:
|
||||
- ✅ **config/preseed.cfg**: Default passphrase set to 24-char complex password
|
||||
- ✅ **config/includes.installer/preseed.cfg**: Default passphrase set to 24-char complex password
|
||||
- ✅ **config/hooks/installed/encryption-validation.sh**: Passphrase strength validation function
|
||||
- ✅ **PRD.md**: Detailed passphrase requirements documented
|
||||
- ✅ **AGENTS.md**: MANDATORY requirements section with passphrase requirements
|
||||
@@ -83,7 +88,7 @@ passwd/root-password-crypted string !
|
||||
|
||||
**Verification**:
|
||||
- ✅ **src/security-hardening.sh**: Enhanced password policy configured
|
||||
- ✅ **config/preseed.cfg**: libpam-pwquality package included
|
||||
- ✅ **config/includes.installer/preseed.cfg**: libpam-pwquality package included
|
||||
- ✅ **PRD.md**: Password complexity requirements documented
|
||||
- ✅ **AGENTS.md**: MANDATORY requirements section with password requirements
|
||||
|
||||
@@ -404,7 +409,7 @@ knel-football-secure.iso: OK ✅
|
||||
|
||||
| File | Size | Status |
|
||||
|------|------|--------|
|
||||
| config/preseed.cfg | 4.2 KB | ✅ Updated |
|
||||
| config/includes.installer/preseed.cfg | 4.2 KB | ✅ Updated |
|
||||
| src/security-hardening.sh | Updated | ✅ Updated |
|
||||
|
||||
### 6.3 Hook Scripts ✅
|
||||
|
||||
Reference in New Issue
Block a user