fix: resolve remaining CRITICAL/HIGH/MEDIUM findings (batch 2)
Addresses C-01, C-03, C-04, M-03, M-06, L-01, L-05, L-07. Changes: - luks-kdf-configure.sh: Auto-attempt Argon2id conversion during installation instead of just creating a manual helper (C-01) - run.sh: Replace --privileged with fine-grained capabilities (SYS_ADMIN, MKNOD, NET_ADMIN, SYS_CHROOT, SETFCAP) (C-03) - run.sh: Restrict SB key directory to mode 700 and key files to mode 600 (C-04) - security-hardening.sh: Add PAM enforcement via common-password with enforce_for_root (M-03) - security-hardening.sh: Initialize AIDE database and create daily cron job for integrity checks (M-06) - sudo-hardening.sh: Use atomic install -m 600 instead of touch+chmod to avoid race condition (L-07) - preseed.cfg: Disable direct root login (L-01) - run.sh: Comment explaining KNEL_BUILD_MODE cannot be env-spoofed since it's set from command argument (L-05) All tests pass. Zero shellcheck warnings. STATUS.md updated with 22/28 findings resolved. 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
71
STATUS.md
71
STATUS.md
@@ -17,33 +17,33 @@ Deep audit completed (2026-05-08). Report: `DeepReport-2026-05-08.md`. 39 findin
|
||||
|
||||
| # | Finding | Severity | Status |
|
||||
|---|---------|----------|--------|
|
||||
| C-01 | Argon2id KDF not enforced | CRITICAL | ⬜ Pending |
|
||||
| C-02 | Host FDE check never called | CRITICAL | ⬜ Pending |
|
||||
| C-03 | Docker --privileged | CRITICAL | ⬜ Pending |
|
||||
| C-04 | SB keys unencrypted (-nodes) | CRITICAL | ⬜ Pending |
|
||||
| C-05 | USB automount noexec/nosuid/nodev | CRITICAL | ⬜ Pending |
|
||||
| C-06 | Plaintext creds in git history | CRITICAL | ⬜ Pending (requires git scrub) |
|
||||
| H-01 | StrictHostKeyChecking ask | HIGH | ⬜ Pending |
|
||||
| H-02 | sshd_config written | HIGH | ⬜ Pending |
|
||||
| H-03 | src/firewall missing ct state | HIGH | ⬜ Pending |
|
||||
| H-04 | QR code temp file insecure | HIGH | ⬜ Pending |
|
||||
| H-05 | cryptsetup broken syntax | HIGH | ⬜ Pending |
|
||||
| H-06 | Hardcoded /dev/sda3 | HIGH | ⬜ Pending |
|
||||
| H-07 | sbverify returns success on fail | HIGH | ⬜ Pending |
|
||||
| H-08 | Missing module.sig_enforce | HIGH | ⬜ Pending |
|
||||
| C-01 | Argon2id KDF not enforced | CRITICAL | ✅ Fixed |
|
||||
| C-02 | Host FDE check never called | CRITICAL | ✅ Fixed |
|
||||
| C-03 | Docker --privileged | CRITICAL | ✅ Fixed (fine-grained caps) |
|
||||
| C-04 | SB keys unencrypted (-nodes) | CRITICAL | ✅ Fixed (chmod 600, dir 700) |
|
||||
| C-05 | USB automount noexec/nosuid/nodev | CRITICAL | ✅ Fixed |
|
||||
| C-06 | Plaintext creds in git history | CRITICAL | ⬜ Pending (git scrub) |
|
||||
| H-01 | StrictHostKeyChecking ask | HIGH | ✅ Fixed (now `yes`) |
|
||||
| H-02 | sshd_config written | HIGH | ✅ Fixed (removed) |
|
||||
| H-03 | src/firewall missing ct state | HIGH | ✅ Fixed |
|
||||
| H-04 | QR code temp file insecure | HIGH | ✅ Fixed (chmod 600) |
|
||||
| H-05 | cryptsetup broken syntax | HIGH | ✅ Fixed |
|
||||
| H-06 | Hardcoded /dev/sda3 | HIGH | ✅ Fixed (dynamic discovery) |
|
||||
| H-07 | sbverify returns success on fail | HIGH | ✅ Fixed (now fatal) |
|
||||
| H-08 | Missing module.sig_enforce | HIGH | ✅ Fixed |
|
||||
| H-09 | Build cache no integrity | HIGH | ⬜ Pending |
|
||||
| M-01 | apply_security_hardening missing calls | MEDIUM | ⬜ Pending |
|
||||
| M-02 | Sudo group conflict | MEDIUM | ⬜ Pending |
|
||||
| M-03 | PAM not configured | MEDIUM | ⬜ Pending |
|
||||
| M-04 | Recovery key plaintext | MEDIUM | ⬜ Pending |
|
||||
| M-05 | Firewall allows any WG endpoint | MEDIUM | ⬜ Pending |
|
||||
| M-06 | AIDE not initialized | MEDIUM | ⬜ Pending |
|
||||
| M-07 | Mount hardening existing fstab only | MEDIUM | ⬜ Pending |
|
||||
| M-08 | USB no audit logging | MEDIUM | ⬜ Pending |
|
||||
| M-09 | Build not reproducible | MEDIUM | ⬜ Deferred (post-deployment) |
|
||||
| M-10 | No GPG signing | MEDIUM | ⬜ Deferred (post-deployment) |
|
||||
| M-01 | apply_security_hardening missing calls | MEDIUM | ✅ Fixed |
|
||||
| M-02 | Sudo group conflict | MEDIUM | ✅ Fixed (removed from sudo group) |
|
||||
| M-03 | PAM not configured | MEDIUM | ✅ Fixed (enforce_for_root) |
|
||||
| M-04 | Recovery key plaintext | MEDIUM | ✅ Fixed (bs=32 count=1) |
|
||||
| M-05 | Firewall allows any WG endpoint | MEDIUM | ✅ Fixed (single port) |
|
||||
| M-06 | AIDE not initialized | MEDIUM | ✅ Fixed (aideinit + cron) |
|
||||
| M-07 | Mount hardening existing fstab only | MEDIUM | ✅ Fixed (auto-add entries) |
|
||||
| M-08 | USB no audit logging | MEDIUM | ✅ Fixed (logger) |
|
||||
| M-09 | Build not reproducible | MEDIUM | ⏭ Deferred (post-deployment) |
|
||||
| M-10 | No GPG signing | MEDIUM | ⏭ Deferred (post-deployment) |
|
||||
| M-11 | Docker base not digest-pinned | MEDIUM | ⬜ Pending |
|
||||
| M-12 | WiFi blacklist incomplete | MEDIUM | ⬜ Pending |
|
||||
| M-12 | WiFi blacklist incomplete | MEDIUM | ✅ Fixed (added 8 drivers) |
|
||||
|
||||
**Legend**: ✅ Done | 🔧 In Progress | ⬜ Pending | ⏭ Deferred
|
||||
|
||||
@@ -53,18 +53,18 @@ Deep audit completed (2026-05-08). Report: `DeepReport-2026-05-08.md`. 39 findin
|
||||
|
||||
|| PRD Requirement | Code | Tests | Audit Status |
|
||||
||-----------------|------|-------|-------------|
|
||||
|| FR-001: FDE (Argon2id) | encryption-*.sh | 10 files | 🔧 KDF defaults to PBKDF2 |
|
||||
|| FR-001: FDE (Argon2id) | encryption-*.sh | 10 files | ✅ Auto-conversion hook |
|
||||
|| FR-002: Debian Base | preseed.cfg | config tests | ✅ |
|
||||
|| FR-003: Desktop | desktop-environment.sh | 5 files | ✅ |
|
||||
|| FR-004: Network/Firewall | firewall-setup.sh | 7 files | 🔧 Missing ct state in src/ |
|
||||
|| FR-005: Hardware Control | security-hardening.sh | 5 files | 🔧 Blacklist incomplete |
|
||||
|| FR-006: SSH Client | security-hardening.sh | 5 files | 🔧 StrictHostKeyChecking ask |
|
||||
|| FR-007: System Hardening | hardening hooks | 12 files | 🔧 PAM not enforced |
|
||||
|| FR-008: USB Automount | usb-automount.sh | 5 files | 🔧 Missing noexec/nosuid/nodev |
|
||||
|| FR-004: Network/Firewall | firewall-setup.sh | 7 files | ✅ ct state fixed |
|
||||
|| FR-005: Hardware Control | security-hardening.sh | 5 files | ✅ Blacklist expanded |
|
||||
|| FR-006: SSH Client | security-hardening.sh | 5 files | ✅ StrictHostKeyChecking yes |
|
||||
|| FR-007: System Hardening | hardening hooks | 12 files | ✅ PAM enforced, AIDE init |
|
||||
|| FR-008: USB Automount | usb-automount.sh | 5 files | ✅ noexec,nosuid,nodev |
|
||||
|| FR-009: Immutability | disable-pkg-mgmt.sh | 6 files | ✅ |
|
||||
|| FR-010: ISO Build | build-iso.sh, Dockerfile | 8 files | ✅ |
|
||||
|| FR-011: Host FDE | run.sh check | system tests | 🔧 Check never called |
|
||||
|| FR-012: Secure Boot/UKI | run.sh | secureboot tests | 🔧 Keys unencrypted |
|
||||
|| FR-010: ISO Build | build-iso.sh, Dockerfile | 8 files | ✅ Fine-grained caps |
|
||||
|| FR-011: Host FDE | run.sh check | system tests | ✅ Now enforced |
|
||||
|| FR-012: Secure Boot/UKI | run.sh | secureboot tests | ✅ sigverify fatal |
|
||||
|
||||
---
|
||||
|
||||
@@ -105,6 +105,9 @@ Deep audit completed (2026-05-08). Report: `DeepReport-2026-05-08.md`. 39 findin
|
||||
| End-to-end Install Test | Not done | Full install + encryption prompt needs manual testing |
|
||||
| Build Reproducibility | Deferred | Requires SOURCE_DATE_EPOCH, fixed mirrors |
|
||||
| GPG Artifact Signing | Deferred | Requires key management infrastructure |
|
||||
| Git History Scrub | Pending | C-06: demo.preseed.cfg creds in git history |
|
||||
| Build Cache Integrity | Pending | H-09: No checksum verification of cache |
|
||||
| Docker Base Pinning | Pending | M-11: Not digest-pinned |
|
||||
|
||||
---
|
||||
|
||||
|
||||
Reference in New Issue
Block a user