feat: update project name and licensing to KNEL-Football

- Update all project references from 'Secure Debian' to 'KNEL-Football'
- Add AGPLv3 license with copyright to Known Element Enterprises LLC
- Create comprehensive README.md with project overview and features
- Update copyright notices in all files
- Add project badges and documentation structure
- Maintain AGPLv3 only licensing throughout
2026-01-21 10:10:57 -05:00
parent 5fc85ec72c
commit 9f0bbc6dc8
6 changed files with 972 additions and 19 deletions


@@ -1,4 +1,4 @@
# Pre-Flight Discussion - Questions, Comments, and Concerns
# KNEL-Football Pre-Flight Discussion - Questions, Comments, and Concerns
## Questions:
@@ -20,6 +20,15 @@
- FedRAMP Moderate or High?
- Specific DISA STIG for Debian 13?
My general feedback: This will be the entrypoint into my tier0 infrastructure. The system will be used to RDP to privileged access workstations which will have the ability to access all my tier0
infrastructure. The tier0 systems will be supporting systems which handle ITAR data. Also SECRET systems (supporting a couple of SCIFs we are building out).
Thoser tier0 systems will be supporting downstream systems that are CMMC Level 2 and 3.
Re FedRAMP, lets go with LI-SaaS. We have a product called RackRental.net that we want to sell to federal government. It wont process any sensitive data.
Re DISA STIG , I am not sure. I believe we need to implement CIS as the controls? I am not fully certain on STIG/CIS and how it all fits together. Can you help?
### 4. WireGuard Configuration Management
- **Question**: Should we assume WireGuard config will be provided via USB, or include a default template?
- **Concern**: Without a config, the system will have no network connectivity at all
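Review bot: The added feedback paragraph under the FedRAMP/STIG bullets ends on an open question ("I am not fully certain on STIG/CIS and how it all fits together. Can you help?"), so the hardening baseline is still undecided after this change. Record the chosen benchmark for Debian 13 once it is settled, so the build can be checked against it. The same paragraph names what this system fronts (tier0, ITAR, SECRET/SCIF support); consider whether that detail belongs in a repository that this commit also gives a license, README and badges. These answers are requirements content, while the commit message describes a rename and licensing update, so a separate commit would keep the history easier to search.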
@@ -28,6 +37,9 @@
- Include QR code import capability
- Assume user provides complete config via USB
Ah yes! I very much want to support QR code import capability! I forgot about that functionality. The laptop will have a web cam, so will be able to scan the QR code.
The user may also provide the config via USB.
## Technical Concerns:
### 5. Docker Build Context and Package Availability
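Review bot: The added QR import answer does not say how a scanned config is validated before it is applied. A WireGuard config carries the interface private key, so the QR code is key material; state how the imported config is checked and where it is stored afterwards. Webcam and QR decoding support also add packages, which needs reconciling with the "bare minimum of packages" requirement added further down.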
@@ -40,11 +52,15 @@
- **Issue**: Container environment may not support all required test scenarios
- **Need**: Determine how to test privileged operations in containers
Well the test suite will need to run on the installed system. It makes no sense to run it in the build environment. Unless I am missing something? The build environment testing should be limited to shellcheck/shellfmt .
### 7. ISO Size Management
- **Concern**: Including all security tools, applications, and utilities may create a large ISO
- **Issue**: Large ISO may be impractical for distribution or booting on older hardware
- **Need**: Define acceptable ISO size limits and optimization strategies
THe ISO size is not a concern. It will not be provided for download or tracked in the git repo (please ensure it is added to .gitignore)
## Missing Details:
### 8. Complete Package List
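Review bot: In the added answer under the container testing item, "shellcheck/shellfmt" likely means shfmt, the usual shell formatter; name the exact tools so the build-time lint step is unambiguous. The request in the ISO size answer ("please ensure it is added to .gitignore") is an action item buried in discussion text; it should land as a change to .gitignore, which is not visible in this file's diff.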
@@ -52,6 +68,8 @@
- **Need**: Define all packages to include in the ISO (not just applications like Remmina, etc.)
- **Examples**: Which kernel packages? Which security tools? Which system utilities?
The system must be VERY minimal. The bare minimum of packages to meet the functional needs. Start minimal and I can tweak as we go.
### 9. Live-build Configuration Details
- **Missing**: Specific live-build configuration parameters
- **Need**: Kernel parameters, boot options, system settings
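Review bot: The added line "The system must be VERY minimal" gives no criterion a build can be checked against. Suggest replacing "Start minimal and I can tweak as we go" with an explicit package allowlist, or a pointer to the file that holds it, so later additions show up as reviewable diffs.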
@@ -62,11 +80,15 @@
- **Need**: How to handle build failures, configuration errors, system boot issues
- **Examples**: Build failures, corrupted configs, boot problems
I leave the above two items to your best judgement. I dont have any specific feedback.
### 11. Boot Security
- **Missing**: Boot loader security requirements
- **Need**: Secure boot configuration, bootloader password, boot parameters
- **Examples**: GRUB security, kernel lockdown, initramfs security
The system must utilize secure boot. It must refuse to boot if anything has been altered. The system will never have apt-get update/upgrade run on it. It will be re-deployed from an updated ISO every quarter or so and the wireguard configuration/remmina profiles re-imported.
## Additional Considerations:
### 12. User Experience and Documentation
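Review bot: The added Boot Security answer requires that the system "refuse to boot if anything has been altered", but Secure Boot by itself verifies the signed boot chain (bootloader and kernel), not the installed root filesystem. State which components must be verified and by what mechanism, otherwise the requirement cannot be tested. The same paragraph rules out apt-get update/upgrade with a redeploy "every quarter or so"; say how an urgent fix is handled between re-images.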
@@ -74,6 +96,8 @@
- **Need**: Clear documentation for secure workflows
- **Question**: Should we include user guides in the ISO?
No.
### 13. System Updates and Maintenance
- **Question**: How will the system receive security updates without general internet access?
- **Options**:
@@ -81,16 +105,30 @@
- USB-based update distribution
- No updates after initial deployment
No updates after initial deployment (via the internet). The system will be re-imaged from ISO.
### 14. Hardware Compatibility
- **Concern**: Minimal desktop may have hardware compatibility issues
- **Need**: Define supported hardware scope
- **Question**: Should we include additional drivers or keep it minimal?
The standard Debian 13 kernel/stock system install has been confirmed to fully work on the target hardware. Display, network etc all worked.
### 15. Testing Strategy for Air-Gapped Environment
- **Challenge**: How to test an ISO designed for air-gapped use
- **Need**: Testing methodology that doesn't require internet
- **Question**: Should we simulate air-gapped environment during testing?
The ISO will be installed into a VM that you define/boot. Initially I will do some manual testing. Later on , we can have a test suite that gets baked into the ISO/install.
Oh the install needs to be mostly automated with a preseed file. The only things the user must answer:
- Install target
- root password
- non root username/password
Password complexity needs to be enforced during the install.
---
## Priority Assessment:
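Review bot: The added line "Password complexity needs to be enforced during the install" names no policy and no enforcement point. Specify the minimum length and character rules and confirm they apply to both the root and the non-root password, since the preseed leaves exactly those prompts to the user.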
@@ -115,4 +153,7 @@
**Status**: Awaiting your feedback on the above questions and concerns
**Next Action**: Review your inline edits and address any additional points
**Ready for Implementation**: NO - Need to resolve high priority items first
**Ready for Implementation**: NO - Need to resolve high priority items first
**Copyright © 2026 Known Element Enterprises LLC**
**License: GNU Affero General Public License v3.0 only**
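Review bot: The Status and Next Action lines at the end are left unchanged ("Awaiting your feedback on the above questions and concerns") although this commit adds that feedback inline. Update them, and revisit "Ready for Implementation: NO" if the high priority items are now answered, so the document's stated state matches its content.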