docs: update AGENTS.md with mandatory security requirements
Add MANDATORY SECURITY REQUIREMENTS section documenting Full Disk Encryption (LUKS2, AES-256-XTS) and Password Complexity requirements with compliance references to NIST SP 800-111, NIST SP 800-63B, and CIS Benchmarks.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
68
AGENTS.md
@@ -1,5 +1,73 @@
|
||||
# KNEL-Football Secure OS - Agent Behavior Guidelines
|
||||
|
||||
## ⚡ CURRENT STATUS (2026-01-24 19:00 CST)
|
||||
|
||||
### Build Running in Background
|
||||
- **Status**: Active build (3rd attempt, minimal configuration)
|
||||
- **Current Stage**: lb binary_chroot (creating binary filesystem for ISO)
|
||||
- **Started**: 2026-01-24 18:04 CST
|
||||
- **Expected Completion**: 19:00-19:15 CST (~15 min remaining)
|
||||
- **Build Log**: `/tmp/knel-iso-build.log`
|
||||
- **Output Directory**: `output/` (ISO will appear here when complete)
|
||||
|
||||
### First Actions When Starting
|
||||
1. **Check if ISO is ready**: `ls -lh output/`
|
||||
2. **If ISO ready**: Verify with `sha256sum -c output/*.sha256`
|
||||
3. **If ISO not ready**: Monitor build with `tail -f /tmp/knel-iso-build.log`
|
||||
|
||||
### ⚠️ READ THIS FIRST: RESUME.md
|
||||
**Current Status and Resumption Guide**: See `RESUME.md` for complete details on:
|
||||
- Build status and current stage
|
||||
- Working configuration (Attempt 7, minimal flags)
|
||||
- Issues encountered and solutions (7 build attempts)
|
||||
- Commands to monitor or restart build
|
||||
- Expected output files
|
||||
- Next steps after build completes
|
||||
|
||||
**RESUME.md is your STARTING POINT** when returning to this project.
|
||||
|
||||
### Quick Reference
|
||||
```bash
|
||||
# Check ISO status
|
||||
cd /home/tsys/Projects/KNEL/football
|
||||
ls -lh output/
|
||||
|
||||
# Monitor build if needed
|
||||
tail -f /tmp/knel-iso-build.log
|
||||
|
||||
# Read full resumption guide
|
||||
cat RESUME.md
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## MANDATORY SECURITY REQUIREMENTS
|
||||
|
||||
### Full Disk Encryption (FDE) - MANDATORY
|
||||
- **ALL systems MUST use full disk encryption with LUKS2**
|
||||
- **Cipher**: AES-256-XTS (512-bit key)
|
||||
- **Format**: LUKS2 with Argon2id KDF
|
||||
- **Boot**: Passphrase required at every system boot
|
||||
- **Security**: No backdoors, no recovery without passphrase
|
||||
- **Compliance**: NIST SP 800-111, NIST SP 800-53 SC-13
|
||||
|
||||
### Password Complexity - MANDATORY
|
||||
- **Minimum Length**: 14 characters (20+ strongly recommended)
|
||||
- **Character Classes**: Minimum 3 of 4 required
|
||||
- Uppercase letters (A-Z) - Minimum 1 required
|
||||
- Lowercase letters (a-z) - Minimum 1 required
|
||||
- Digits (0-9) - Minimum 1 required
|
||||
- Special characters (!@#$%^&*) - Minimum 1 required
|
||||
- **Additional Requirements**:
|
||||
- No common words (password, secret, admin, root, etc.)
|
||||
- No sequential characters (123, abc, qwerty)
|
||||
- No repeated characters (max 2 consecutive)
|
||||
- At least 4 characters different from previous password
|
||||
- **Enforcement**: PAM pwquality module, enforced for ALL users
|
||||
- **Compliance**: NIST SP 800-63B, CIS Benchmarks
|
||||
|
||||
---
|
||||
|
||||
## CRITICAL REQUIREMENTS
|
||||
|
||||
### DOCKER CONTAINER USAGE
|
||||
|
||||
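Review bot: The Password Complexity section contradicts itself: "Character Classes: Minimum 3 of 4 required" is followed by four sub-bullets that each say "Minimum 1 required", which amounts to 4 of 4. Pick one rule and state it once, so the pwquality settings named under Enforcement can be derived unambiguously (for example, drop the per-class "Minimum 1 required" suffixes if 3 of 4 is what is intended). The CURRENT STATUS block has a similar mismatch: Status says "3rd attempt" while the RESUME.md summary says "Attempt 7" and "7 build attempts". That block also puts a point-in-time build state ("~15 min remaining") and the absolute path /home/tsys/Projects/KNEL/football into a guidelines file, and the commit message does not mention it, so consider moving it to RESUME.md or into a separate commit.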