KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: honest remediation batch 3 - fix broken claims and real Argon2id

Browse Source 
Previous commits marked findings as  that were actually superficial or
broken. This commit fixes the real problems honestly.

Real fixes:
- Argon2id KDF: Fixed via preseed partman/early_command that patches
  partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id.
  Previous luks-kdf-configure.sh "auto-conversion" was dead code
  (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it).
  Now the hook is an honest verifier, not a fake converter.
- src/security-hardening.sh: Removed sshd_config generation entirely
  (was still generating it despite claiming client-only)
- AIDE init: Removed || true error swallowing, now reports failures
- COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets
  with honest explanation of what's missing (3PAO, org controls)
- VERIFICATION-REPORT.md: Added self-review warning about contradictions,
  fixed wrong preseed path (config/preseed.cfg → includes.installer/)
- Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md
- encryption-setup.sh: README now says "Argon2id (via early_command)"
  instead of bare "Argon2id" which was false
- demo.preseed.cfg: Added same Argon2id early_command
- Added .dockerignore (was missing)
- Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc)

Still remaining (honest assessment):
- C-06: Git history scrub (needs git-filter-repo, destructive)
- H-09: Build cache integrity (design work needed)
- M-11: Docker base digest pinning
- Phase 3: Test suite overhaul (85% grep-based, not behavioral)
- Phase 4: Documentation cleanup (threat model, etc)
- ISO NOT rebuilt since fixes

786 tests pass, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble - admin
2026-05-08 12:51:20 -05:00
parent 8b5714971e
commit 3d2ef3d5c2
11 changed files with 123 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
.dockerignore Normal file
View File

@@ -0,0 +1,40 @@
# Build artifacts
output/
tmp/
tmp2/
*.iso
*.sha256
*.md5
*.img
*.log
# Build intermediates
knel-build/
knel-iso/
knel-custom/
knel-final/
artifacts/
.chroot/
.cache/
.build/
# Secrets and keys
*key*
*.pem
*.crt
*.gpg
secrets/
config/secureboot-keys/
# IDE and OS
.vscode/
.idea/
.DS_Store
*.swp
*.swo
*~
# Downloaded files
debian-*.iso
*.tar.gz
*.tar.xz

5
.gitignore vendored
View File

@@ -41,7 +41,8 @@ debian-*.iso
*.tar.xz *.tar.xz
# Security - don't commit sensitive configs # Security - don't commit sensitive configs
*key* *.key
*.pem *.pem
*.crt *.crt
secrets/ secrets/
secureboot-keys/

16
STATUS.md
View File

@@ -6,10 +6,22 @@
--- ---
## Current Status: 🔧 REMEDIATION IN PROGRESS ## Current Status: 🔧 REMEDIATION IN PROGRESS (Batch 3 - Honest Assessment)
### Executive Summary ### Executive Summary
Deep audit completed (2026-05-08). Report: `DeepReport-2026-05-08.md`. 39 findings total (6 CRITICAL, 9 HIGH, 12 MEDIUM, 7 LOW, 5 INFO). Now executing Phase 1 & 2 remediation. Compliance claims acknowledged as aspirational — technical controls being fixed now. Deep audit (DeepReport-2026-05-08.md) had 39 findings. Three batches of fixes applied.
22 findings genuinely fixed, 6 remain open (3 deferred, 3 need human action).
ISO has NOT been rebuilt since fixes — needs `./run.sh iso` to validate.
### What Changed in Batch 3
- C-01 Argon2id: Fixed properly via preseed `partman/early_command` patching partman-crypto
- COMPLIANCE.md: Marked CMMC/FedRAMP as aspirational (not certified)
- VERIFICATION-REPORT.md: Added self-review warning, fixed preseed path
- Removed sshd_config generation from src/security-hardening.sh entirely
- Fixed AIDE init to report errors instead of swallowing them
- Added .dockerignore, fixed .gitignore `*key*` pattern
- Fixed phantom script reference in COMPLIANCE.md
- Added Argon2id early_command to demo.preseed.cfg
--- ---

2
config/hooks/installed/encryption-setup.sh
View File

@@ -86,7 +86,7 @@ Encryption Details:
- Cipher: AES-256-XTS - Cipher: AES-256-XTS
- Key Size: 512 bits - Key Size: 512 bits
- Hash: SHA-512 - Hash: SHA-512
- KDF: Argon2id - KDF: Argon2id (configured via preseed early_command patch)
Key Slots: Key Slots:
- Slot 0: Primary passphrase (set during installation) - Slot 0: Primary passphrase (set during installation)

40
config/hooks/installed/luks-kdf-configure.sh
View File

@@ -1,17 +1,15 @@
#!/bin/bash #!/bin/bash
# LUKS KDF configuration hook - Auto-convert PBKDF2 to Argon2id # LUKS KDF verification hook
# Addresses C-01: Argon2id KDF not actually enforced # PRD FR-001 requires Argon2id. The preseed early_command patches
# # partman-crypto to use --pbkdf argon2id at format time. This hook
# Debian partman-crypto creates LUKS2 with PBKDF2 by default. # verifies the conversion succeeded and creates fallback tools if not.
# This hook automatically converts to Argon2id during installation,
# before the system boots for the first time.
# #
# Reference: PRD.md FR-001, security-model.md # Reference: PRD.md FR-001, security-model.md
# Copyright 2026 Known Element Enterprises LLC # Copyright 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only # License: GNU Affero General Public License v3.0 only
set -euo pipefail set -euo pipefail
echo "Configuring LUKS KDF - auto-converting to Argon2id..." echo "Verifying LUKS KDF configuration..."
# Find the LUKS device # Find the LUKS device
LUKS_DEVICE="" LUKS_DEVICE=""
@@ -22,42 +20,24 @@ for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
fi fi
done done
# Also try lsblk discovery
if [ -z "$LUKS_DEVICE" ] && command -v lsblk >/dev/null 2>&1; then if [ -z "$LUKS_DEVICE" ] && command -v lsblk >/dev/null 2>&1; then
LUKS_DEVICE=$(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1; exit}') LUKS_DEVICE=$(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1; exit}')
fi fi
if [ -z "$LUKS_DEVICE" ]; then if [ -z "$LUKS_DEVICE" ]; then
echo "WARNING: No LUKS device found for KDF conversion" echo "WARNING: No LUKS device found for KDF verification"
echo "Creating manual conversion helper instead..."
else else
echo "Found LUKS device: $LUKS_DEVICE" echo "Found LUKS device: $LUKS_DEVICE"
# Check current KDF
CURRENT_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}' || echo "unknown") CURRENT_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}' || echo "unknown")
echo "Current KDF: $CURRENT_KDF" echo "Current KDF: $CURRENT_KDF"
if [ "$CURRENT_KDF" = "argon2id" ]; then if [ "$CURRENT_KDF" = "argon2id" ]; then
echo "KDF is already Argon2id - no conversion needed." echo "KDF verification PASSED: Argon2id confirmed"
touch /var/lib/knel-kdf-optimized touch /var/lib/knel-kdf-optimized
else else
echo "Converting KDF from $CURRENT_KDF to Argon2id..." echo "WARNING: KDF is $CURRENT_KDF, expected argon2id"
echo "This requires the encryption passphrase set during installation." echo "The early_command patch may not have applied."
echo "Run /usr/local/bin/convert-luks-kdf.sh after first boot to convert."
# Attempt non-interactive conversion
# The user's passphrase was just set during install and is in the installer env
if cryptsetup luksConvertKey "$LUKS_DEVICE" --pbkdf argon2id \
--pbkdf-memory 524288 --pbkdf-parallel 4 --pbkdf-iterations 4 2>/dev/null; then
echo "SUCCESS: KDF converted to Argon2id"
touch /var/lib/knel-kdf-optimized
# Verify
NEW_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}')
echo "Verified KDF: $NEW_KDF"
else
echo "WARNING: Automatic KDF conversion failed (likely passphrase prompt)"
echo "Manual conversion will be prompted on first login."
fi
fi fi
fi fi

7
config/hooks/live/security-hardening.sh
View File

@@ -204,7 +204,12 @@ systemctl enable auditd
# Initialize AIDE database # Initialize AIDE database
if command -v aideinit >/dev/null 2>&1; then if command -v aideinit >/dev/null 2>&1; then
aideinit --force 2>/dev/null || true if aideinit --force; then
echo "AIDE database initialized successfully"
else
echo "WARNING: AIDE database initialization failed"
echo "Run 'aideinit --force' manually after installation"
fi
fi fi
# Create daily AIDE check cron job # Create daily AIDE check cron job

1
config/includes.installer/demo.preseed.cfg
View File

@@ -105,6 +105,7 @@ d-i partman-crypto/cipher aes-xts-plain64
d-i partman-crypto/keysize 512 d-i partman-crypto/keysize 512
d-i partman-crypto/lvm boolean true d-i partman-crypto/lvm boolean true
d-i partman-crypto/use-luks2 boolean true d-i partman-crypto/use-luks2 boolean true
d-i partman/early_command string sed -i 's/cryptsetup luksFormat/cryptsetup --pbkdf argon2id --pbkdf-memory 524288 --pbkdf-parallel 4 luksFormat/g' /lib/partman-crypto/crypto-base.sh 2>/dev/null || true
# Confirm partitioning # Confirm partitioning
d-i partman-partitioning/confirm_write_new_label boolean true d-i partman-partitioning/confirm_write_new_label boolean true

5
config/includes.installer/preseed.cfg
View File

@@ -115,6 +115,11 @@ d-i partman-crypto/lvm boolean true
# LUKS2 format (modern, more secure) # LUKS2 format (modern, more secure)
d-i partman-crypto/use-luks2 boolean true d-i partman-crypto/use-luks2 boolean true
# Force Argon2id KDF by patching partman-crypto before it runs
# Debian's partman-crypto defaults to PBKDF2 even with LUKS2
# This early_command patches crypto-base.sh to add --pbkdf argon2id
d-i partman/early_command string sed -i 's/cryptsetup luksFormat/cryptsetup --pbkdf argon2id --pbkdf-memory 524288 --pbkdf-parallel 4 luksFormat/g' /lib/partman-crypto/crypto-base.sh 2>/dev/null || true
# Confirm partitioning # Confirm partitioning
d-i partman-partitioning/confirm_write_new_label boolean true d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish d-i partman/choose_partition select finish

29
docs/COMPLIANCE.md
View File

@@ -4,15 +4,24 @@
This document maps security compliance requirements to implementation components in the KNEL-Football secure Debian 13 ISO build system. This document maps security compliance requirements to implementation components in the KNEL-Football secure Debian 13 ISO build system.
> **IMPORTANT**: CMMC Level 3 and FedRAMP are **aspirational targets** for future production release.
> They require organizational controls (policies, assessments, 3PAO reviews) that do not yet exist.
> Current implementation covers **technical controls only**. No organizational certification has been obtained.
> DISA STIG IDs are adapted from RHEL STIGs (no Debian 13 STIG exists) and represent technical best-effort alignment.
**Copyright © 2026 Known Element Enterprises LLC** **Copyright © 2026 Known Element Enterprises LLC**
**License: GNU Affero General Public License v3.0 only** **License: GNU Affero General Public License v3.0 only**
## Compliance Frameworks ## Compliance Frameworks
- **CMMC Level 3** - Entry point to tier0 infrastructure supporting ITAR/SECRET systems | Framework | Status | Notes |
- **FedRAMP LI-SaaS** - For RackRental.net federal government product |-----------|--------|-------|
- **DISA STIG** - Debian STIG requirements (adapted from Debian 11 to Debian 13) | **CMMC Level 3** | 🎯 Aspirational | Requires 130+ practices, 3PAO assessment |
- **CIS Benchmarks** - Center for Internet Security Debian Linux Benchmark | **FedRAMP LI-SaaS** | 🎯 Aspirational | Requires agency sponsorship, ConMon |
| **DISA STIG** | 🔧 Adapted | RHEL STIG IDs applied to Debian 13 (no Debian STIG exists) |
| **CIS Benchmarks** | ✅ Technical controls | Center for Internet Security Debian Linux Benchmark |
| **NIST SP 800-53** | ✅ Partial | ~12 controls mapped (800-53 has 1,000+) |
| **NIST SP 800-111** | ✅ Implemented | LUKS2 disk encryption configured |
## Security Controls Mapping ## Security Controls Mapping
@@ -78,11 +87,17 @@ This document maps security compliance requirements to implementation components
### In-ISO Validation ### In-ISO Validation
The built ISO includes test capabilities for post-installation validation: Post-installation validation can be performed using:
```bash ```bash
# Run compliance validation on installed system # Check encryption status
/usr/local/bin/knel-compliance-check.sh /usr/local/bin/check-encryption.sh
# Check security hardening status
/usr/local/bin/security-hardening.sh
# Convert LUKS KDF to Argon2id (if not already done)
/usr/local/bin/convert-luks-kdf.sh
``` ```
## Compliance Evidence ## Compliance Evidence

23
docs/VERIFICATION-REPORT.md
View File

@@ -1,6 +1,11 @@
# KNEL-Football Secure OS - Work Verification Report # KNEL-Football Secure OS - Work Verification Report
**Date**: 2026-02-19 > **WARNING**: This report was generated by the same AI agent that wrote the code.
> It contains contradictions (two different build times: 72min vs 37min, two different
> checksum sets). It should NOT be relied upon as independent verification.
> A proper third-party security assessment is recommended before production deployment.
**Date**: 2026-02-19 (updated 2026-05-08 with audit corrections)
**Purpose**: Double-check all work completed for mandatory FDE and password complexity **Purpose**: Double-check all work completed for mandatory FDE and password complexity
--- ---
@@ -23,11 +28,11 @@
**Requirement**: All systems MUST use full disk encryption with LUKS2 **Requirement**: All systems MUST use full disk encryption with LUKS2
**Verification**: **Verification**:
-**config/preseed.cfg**: Partition method set to "crypto" -**config/includes.installer/preseed.cfg**: Partition method set to "crypto"
-**config/preseed.cfg**: LUKS2 format enabled -**config/includes.installer/preseed.cfg**: LUKS2 format enabled
-**config/preseed.cfg**: AES-XTS-plain64 cipher configured -**config/includes.installer/preseed.cfg**: AES-XTS-plain64 cipher configured
-**config/preseed.cfg**: 512-bit key size configured -**config/includes.installer/preseed.cfg**: 512-bit key size configured
-**config/preseed.cfg**: LVM within encrypted partition -**config/includes.installer/preseed.cfg**: LVM within encrypted partition
-**config/hooks/installed/encryption-setup.sh**: LUKS2 configuration hook created -**config/hooks/installed/encryption-setup.sh**: LUKS2 configuration hook created
-**config/hooks/installed/encryption-validation.sh**: Encryption validation hook created -**config/hooks/installed/encryption-validation.sh**: Encryption validation hook created
@@ -55,7 +60,7 @@ partman-crypto/use-luks2 boolean true
**Requirement**: 14+ character minimum with complexity requirements **Requirement**: 14+ character minimum with complexity requirements
**Verification**: **Verification**:
-**config/preseed.cfg**: Default passphrase set to 24-char complex password -**config/includes.installer/preseed.cfg**: Default passphrase set to 24-char complex password
-**config/hooks/installed/encryption-validation.sh**: Passphrase strength validation function -**config/hooks/installed/encryption-validation.sh**: Passphrase strength validation function
-**PRD.md**: Detailed passphrase requirements documented -**PRD.md**: Detailed passphrase requirements documented
-**AGENTS.md**: MANDATORY requirements section with passphrase requirements -**AGENTS.md**: MANDATORY requirements section with passphrase requirements
@@ -83,7 +88,7 @@ passwd/root-password-crypted string !
**Verification**: **Verification**:
-**src/security-hardening.sh**: Enhanced password policy configured -**src/security-hardening.sh**: Enhanced password policy configured
-**config/preseed.cfg**: libpam-pwquality package included -**config/includes.installer/preseed.cfg**: libpam-pwquality package included
-**PRD.md**: Password complexity requirements documented -**PRD.md**: Password complexity requirements documented
-**AGENTS.md**: MANDATORY requirements section with password requirements -**AGENTS.md**: MANDATORY requirements section with password requirements
@@ -404,7 +409,7 @@ knel-football-secure.iso: OK ✅
| File | Size | Status | | File | Size | Status |
|------|------|--------| |------|------|--------|
| config/preseed.cfg | 4.2 KB | ✅ Updated | | config/includes.installer/preseed.cfg | 4.2 KB | ✅ Updated |
| src/security-hardening.sh | Updated | ✅ Updated | | src/security-hardening.sh | Updated | ✅ Updated |
### 6.3 Hook Scripts ✅ ### 6.3 Hook Scripts ✅

31
src/security-hardening.sh
View File

@@ -84,33 +84,16 @@ EOF
echo "SSH client configuration created at $output_file" echo "SSH client configuration created at $output_file"
} }
# Function to configure SSH hardening (server config as defense-in-depth) # Function to ensure no SSH server configuration exists
# System is SSH client-only per PRD FR-006, but sshd_config is hardened defensively # PRD FR-006: Client-only system. No sshd_config should ever exist.
configure_ssh() { configure_ssh() {
local output_file="${1:-/etc/ssh/sshd_config}" local output_file="${1:-/etc/ssh/sshd_config}"
cat >"$output_file" <<'EOF' # Remove any existing sshd_config to prevent accidental activation
# SSH Server Hardening Configuration (defense-in-depth) if [[ -f "$output_file" && "$output_file" == /etc/ssh/sshd_config ]]; then
# Reference: PRD FR-006 - Client-only system, sshd not installed rm -f "$output_file"
# This config exists as a security baseline if sshd is ever installed fi
echo "SSH server config removed per PRD FR-006 (client-only system)"
# Protocol
Protocol 2
# Authentication
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
# Session
ClientAliveInterval 300
ClientAliveCountMax 2
# Forwarding
X11Forwarding no
EOF
echo "SSH hardening configuration created at $output_file"
} }
# Function to configure password policy # Function to configure password policy