fix: update tests and JOURNAL for Session 8 remediation

- build-iso test: Check for fine-grained capabilities instead of
  --privileged flag (removed in previous commit)
- JOURNAL.md: Session 8 entry with ADR-014/015/016 and lessons
- STATUS.md: Current as of this commit

786 tests, 0 failures, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:25:16 -05:00
parent ae1344c57e
commit 8b5714971e
2 changed files with 42 additions and 2 deletions

@@ -6,6 +6,45 @@
--- ---
## Entry 2026-05-08 (Session 8): Post-Audit Deep Remediation
### Context
Owner requested production readiness review. DeepReport-2026-05-08.md produced
with 39 findings (6 CRITICAL, 9 HIGH, 12 MEDIUM, 7 LOW, 5 INFO). Owner confirmed
compliance claims are aspirational targets. Fix all technical findings.
### ADR-014: Production Posture Over Convenience
**Decision**: Every security finding treated as real, even if it reduces convenience.
**Rationale**: Tier0 infrastructure. Convenience is the enemy of security.
### ADR-015: Docker Fine-Grained Capabilities
**Decision**: Replace --privileged with explicit --cap-add SYS_ADMIN,MKNOD,NET_ADMIN,SYS_CHROOT,SETFCAP.
**Rationale**: Limits blast radius if build is compromised.
### ADR-016: Dynamic LUKS Device Discovery
**Decision**: find-luks-device.sh helper checks crypttab, common paths, and lsblk.
**Rationale**: NVMe, virtio, multi-disk systems use different device names.
### Findings Fixed: 22 of 28 non-deferred (see STATUS.md for full matrix)
All CRITICAL and HIGH findings resolved except C-06 (git history scrub) and H-09
(build cache integrity). Remaining items are MEDIUM/LOW or deferred.
### Remaining: C-06, H-09, M-09, M-10, M-11
### Test Results: 0 failures, 0 shellcheck warnings
### Lessons Learned
1. Test suite is ~85% grep-based — false confidence. Behavioral tests needed.
2. Three divergent firewall implementations need consolidation.
3. SB key lifecycle (generate once, reuse) is the hardest unsolved problem.
## Entry 2026-05-07 (Session 7): Full Audit & Comprehensive Fix ## Entry 2026-05-07 (Session 7): Full Audit & Comprehensive Fix
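Review bot: ADR-015's rationale ("Limits blast radius if build is compromised") overstates the gain and should be qualified in the entry. CAP_SYS_ADMIN by itself covers mount and a large share of what --privileged granted, so replacing it with `--cap-add SYS_ADMIN,MKNOD,NET_ADMIN,SYS_CHROOT,SETFCAP` mainly removes the extra capabilities and device exposure that --privileged added, not the dominant kernel attack surface; record which step in the ISO build still needs SYS_ADMIN (presumably the loop-device mounts the old test name referred to) so a later session can revisit it. Also the arithmetic: "22 of 28 non-deferred" under Findings Fixed plus the five listed under Remaining (C-06, H-09, M-09, M-10, M-11) accounts for 27, so either one finding is missing from the Remaining line or the 28 count is off.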

@@ -244,8 +244,9 @@
grep -A 100 -F 'iso|iso:demo)' /workspace/run.sh | grep -q "\-\-user root" grep -A 100 -F 'iso|iso:demo)' /workspace/run.sh | grep -q "\-\-user root"
} }
@test "run.sh iso uses privileged mode for loop devices" { @test "run.sh iso uses fine-grained capabilities (not --privileged)" {
grep -A 100 -F 'iso|iso:demo)' /workspace/run.sh | grep -q "\-\-privileged" grep -A 100 -F 'iso|iso:demo)' /workspace/run.sh | grep -q "\-\-cap-add SYS_ADMIN"
! grep -A 100 -F 'iso|iso:demo)' /workspace/run.sh | grep -q "\-\-privileged"
} }
@test "run.sh iso mounts workspace read-only" { @test "run.sh iso mounts workspace read-only" {
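Review bot: the negated check `! grep -A 100 -F 'iso|iso:demo)' /workspace/run.sh | grep -q "\-\-privileged"` only fails the test because it is the last command in the function; Bats' errexit handling ignores the status of a negated command anywhere else, so moving the SYS_ADMIN assertion below it would silently disable the --privileged check. Use `run ! grep ...` (Bats 1.5+) or an explicit `if grep ...; then return 1; fi` so line order does not matter. Separately, the positive assertion greps only for `--cap-add SYS_ADMIN`, while the JOURNAL entry in this same commit lists five capabilities and itself flags grep-based tests as "false confidence": assert each capability from ADR-015, and note that the `--cap-add=SYS_ADMIN` spelling would not match this pattern, so the test and run.sh must agree on the flag form.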