KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: move PRD.md and SDLC.md to docs/ subdirectory

Browse Source 
Consolidate all documentation files under docs/ directory.
Update AGENTS.md and README.md to reflect new file locations.

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-02-19 14:52:56 -05:00
parent a284b095d8
commit f13bb8577a
4 changed files with 25 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

954
docs/PRD.md Normal file
View File

@@ -0,0 +1,954 @@
# KNEL-Football Secure OS - Product Requirements Document (PRD)
**Version:** 1.0
**Status:** Active
**Copyright:** © 2026 Known Element Enterprises LLC
**License:** GNU Affero General Public License v3.0 only
**Last Updated:** 2026-01-29
---
## Executive Summary
KNEL-Football Secure OS is a hardened Debian 13 Linux distribution designed for secure tier0 infrastructure access. The system implements a defense-in-depth security architecture with full disk encryption as a mandatory requirement, ensuring data protection against physical access attacks and unauthorized disclosure.
### Key Differentiators
- **Mandatory Full Disk Encryption (FDE)** - LUKS-based encryption for all system storage
- **Network Isolation** - VPN-only access with WireGuard
- **Minimal Attack Surface** - Only essential services and applications
- **Hardware Disabled** - WiFi and Bluetooth permanently disabled
- **Immutable Configuration** - Package management disabled by default
- **Privacy-Focused** - No telemetry, no user data collection
### System Architecture
**IMPORTANT CLARIFICATION**: KNEL-Football OS serves as a **secure remote terminal** for accessing tier0 infrastructure. It does NOT directly access tier0 infrastructure itself.
**Architecture**:
```
┌─────────────────┐
│ KNEL-Football OS│ ← Secure workstation with FDE
│ (Remote Terminal)│
└────────┬──────────┘
│ SSH/WireGuard
┌─────────────────┐
│ Privileged Access │ ← Physical workstation in secure facility
│ Workstation │
└────────┬──────────┘
│ Direct Access
┌─────────────────┐
│ Tier0 Network │ ← Protected infrastructure
│ Infrastructure│
└─────────────────┘
```
**Access Model**:
1. User boots KNEL-Football OS on secure laptop (FDE required)
2. OS connects via WireGuard VPN to secure network
3. User uses SSH/Remmina to access privileged workstation
4. Privileged workstation (physical) accesses tier0 infrastructure
5. No direct tier0 access from KNEL-Football OS
This creates a **two-factor security model**:
- **Factor 1**: Physical possession of KNEL-Football OS workstation
- **Factor 2**: Access to privileged workstation in secure facility
---
## Product Vision
To provide the most secure, compliant, and user-friendly operating system for tier0 infrastructure access, protecting sensitive data and systems through comprehensive encryption, network isolation, and defense-in-depth security controls.
---
## Product Scope
### In Scope
- Full disk encryption (LUKS) for all storage devices
- Debian 13 base system with security hardening
- IceWM desktop environment
- WireGuard VPN client with QR code import
- Network firewall with default-deny policy
- SSH server with key-based authentication
- USB device automount with restrictions
- Automated ISO build process
- Comprehensive security testing suite
### Out of Scope
- General-purpose computing applications
- Internet browsing capabilities
- Application package manager
- Wireless networking support
- Bluetooth support
- Cloud storage integration
- Multi-user support (single-user system)
---
## Functional Requirements
### FR-001: Full Disk Encryption (MANDATORY)
**Priority:** P0 (Critical)
**Status:** Required
**Description:**
The system MUST implement full disk encryption using LUKS (Linux Unified Key Setup) to protect all data at rest. Encryption must be mandatory and cannot be bypassed during installation.
**Requirements:**
1. **LUKS2 Format** - Use LUKS2 with Argon2id key derivation
2. **AES-XTS Encryption** - AES-256-XTS cipher with 512-bit key size
3. **Boot Partition Encryption** - Root filesystem must be encrypted
4. **Separate Boot Partition** - Unencrypted /boot for bootloader (UEFI requirement)
5. **Key Recovery** - Support for multiple passphrases/key slots
6. **Integrity Protection** - Authenticated encryption or dm-integrity layer
7. **Secure Key Storage** - No plaintext keys stored anywhere on the system
**Encryption Passphrase Requirements (MANDATORY):**
- **Minimum Length**: 14 characters (20+ characters strongly recommended)
- **Character Classes**: Minimum 3 of 4 required:
- Uppercase letters (A-Z) - At least 1 required
- Lowercase letters (a-z) - At least 1 required
- Digits (0-9) - At least 1 required
- Special characters (!@#$%^&*) - At least 1 required
- **Prohibited Patterns**:
- No common words (password, secret, admin, root, etc.)
- No sequential characters (123, abc, qwerty)
- No repeated characters (maximum 2 consecutive)
- **Security Notes**:
- Passphrase is required at EVERY system boot
- No backdoor or recovery mechanism without valid passphrase
- Loss of passphrase = permanent data loss
- Store passphrase in secure password manager
**Installation Behavior:**
- Installer MUST prompt for encryption passphrase
- Passphrase MUST meet complexity requirements above
- System CANNOT be installed without encryption
- Installer MUST verify passphrase strength where possible
- System CANNOT boot without correct passphrase
- Installer SHOULD create key backup option (recommended)
**Implementation Details:**
```
/dev/sda1 512M EFI System Partition (ESP)
/dev/sda2 512M /boot (ext4, unencrypted)
/dev/sda3 Remainder LUKS2 encrypted partition
└─ cryptroot AES-256-XTS / (ext4)
```
**Installation Behavior:**
- Installer MUST prompt for encryption passphrase
- Passphrase MUST be 14+ characters with complexity requirements
- System CANNOT be installed without encryption
- Installer MUST verify passphrase strength
- Installer MUST create key backup option (recommended)
**Security Properties:**
- Data unreadable without correct passphrase
- No backdoors or recovery mechanisms by default
- Protected against cold boot attacks
- Protected against disk imaging attacks
- Compliant with NIST SP 800-111
### FR-002: Operating System Base
**Priority:** P0
**Status:** Required
**Requirements:**
1. **Base Distribution** - Debian 13 (Trixie) Testing
2. **Architecture** - AMD64 (x86_64) only
3. **Kernel** - Latest stable kernel with security patches
4. **Security Patches** - All available security patches applied
5. **Minimal Packages** - Only essential packages installed
### FR-003: Desktop Environment
**Priority:** P1
**Status:** Required
**Requirements:**
1. **Window Manager** - IceWM (minimal resource footprint)
2. **Display Manager** - LightDM with privacy mode
3. **Theme** - Dark, privacy-focused theme
4. **Applications** - Remmina (remote desktop), Mousepad (text editor)
**Privacy Features:**
- Hide usernames in login screen
- Disable guest account
- Disable auto-login
- Disable user list display
### FR-004: Network Isolation
**Priority:** P0
**Status:** Required
**Requirements:**
1. **WireGuard VPN** - Required for all network access
2. **No Direct Internet** - All traffic through VPN tunnel
3. **Firewall Rules** - Default deny, specific allow rules
4. **QR Code Import** - Easy VPN configuration import
5. **Dynamic Firewall** - Rules adapt to VPN endpoints
**Allowed Traffic:**
- WireGuard VPN traffic to configured endpoints
- DNS through VPN tunnel only
- Outbound through VPN interface only
### FR-005: Hardware Control
**Priority:** P0
**Status:** Required
**Requirements:**
1. **WiFi Disabled** - Permanently disabled via kernel module blacklist
2. **Bluetooth Disabled** - Permanently disabled via kernel module blacklist
3. **USB Restricted** - Controlled automount with security restrictions
4. **No Wireless Cards** - System should not have wireless hardware
**Blacklisted Modules:**
- WiFi: rtl*, iwl*, ath*, brcm*, mwifi*, rt2*
- Bluetooth: btusb, bluetooth
### FR-006: SSH Access
**Priority:** P1
**Status:** Required
**Requirements:**
1. **Key-Based Authentication** - Only SSH keys (no passwords)
2. **WireGuard Keys** - Pre-configured WireGuard key pairs
3. **Root Login Disabled** - No direct root SSH access
4. **Custom SSH Port** - Non-standard port (configurable)
5. **Key Management** - Secure key storage and rotation
### FR-007: System Hardening
**Priority:** P0
**Status:** Required
**Requirements:**
1. **Password Policy** - 14+ character minimum, complexity required
2. **Audit Logging** - Comprehensive system activity logging
3. **Resource Limits** - Prevent resource exhaustion attacks
4. **Service Hardening** - Disable unnecessary services
5. **Kernel Parameters** - Secure kernel parameter tuning
**Disabled Services:**
- avahi-daemon (zeroconf)
- cups (printing)
- bluetooth service
- NetworkManager (managed via scripts)
### FR-008: USB Device Handling
**Priority:** P1
**Status:** Required
**Requirements:**
1. **Automount Support** - Automatic USB device mounting
2. **Restricted Permissions** - No auto-execution
3. **User Mount Points** - /media/username/device
4. **Filesystem Support** - FAT32, exFAT, NTFS, ext4
5. **Audit Logging** - Track USB device insertion/removal
**Security Restrictions:**
- No automatic program execution
- No symbolic links from USB
- No device special files from USB
- Read-only mode for untrusted USB (optional)
### FR-009: System Immutability
**Priority:** P1
**Status:** Required
**Requirements:**
1. **Package Management Disabled** - No apt/dpkg commands for users
2. **Immutable Configuration** - Critical files have immutable attributes
3. **No Auto-Updates** - Updates via ISO rebuild only
4. **Configuration Tracking** - Detect configuration tampering
**Protected Directories:**
- /etc (system configuration)
- /usr (system binaries)
- /boot (bootloader)
- /bin, /sbin (essential binaries)
### FR-010: ISO Build Process
**Priority:** P1
**Status:** Required
**Requirements:**
1. **Reproducible Builds** - Identical outputs from identical inputs
2. **Docker-Based** - All build operations in Docker containers
3. **Checksum Verification** - SHA256 and MD5 checksums for ISO
4. **Build Logging** - Complete build audit trail
5. **Automated Testing** - Comprehensive test suite execution
**Build Artifacts:**
- ISO image (~1-2 GB)
- SHA256 checksum file
- MD5 checksum file
- Build report (optional)
---
## Non-Functional Requirements
### NFR-001: Security
**Priority:** P0
**Requirements:**
- Full disk encryption (LUKS2, AES-256-XTS)
- Defense-in-depth architecture
- Zero-trust network model
- Compliance with security frameworks (NIST, ISO 27001)
- No backdoors or secret keys
### NFR-002: Performance
**Priority:** P2
**Requirements:**
- Boot time < 60 seconds (including LUKS passphrase prompt)
- Disk I/O overhead < 5% with encryption
- Memory usage < 2 GB at idle
- CPU usage < 5% at idle
### NFR-003: Reliability
**Priority:** P1
**Requirements:**
- Mean time between failures (MTBF) > 720 hours
- Graceful degradation on errors
- Comprehensive error handling
- Automatic recovery where possible
### NFR-004: Usability
**Priority:** P1
**Requirements:**
- Intuitive installation process
- Clear error messages
- Comprehensive documentation
- Minimal training required
### NFR-005: Maintainability
**Priority:** P1
**Requirements:**
- Clean code structure
- Comprehensive testing
- Well-documented configuration
- Automated build and deployment
### NFR-006: Compliance
**Priority:** P0
**Requirements:**
- NIST SP 800-53 (Security Controls)
- NIST SP 800-111 (Disk Encryption)
- ISO/IEC 27001 (Information Security)
- CIS Benchmarks for Debian Linux
- DISA STIG for Linux
---
## Security Architecture
### Encryption Layer
#### Full Disk Encryption (FDE)
- **Cipher:** AES-256-XTS
- **Key Size:** 512 bits
- **Mode:** LUKS2
- **KDF:** Argon2id (PBKDF2 fallback)
- **Integrity:** dm-integrity layer (optional)
#### Key Management
- Primary: User passphrase (required during boot)
- Recovery: Optional key slot for emergency recovery
- Storage: Keys never stored in plaintext
- Rotation: Key change support via cryptsetup
### Network Security Layer
#### VPN-Only Access
- **Protocol:** WireGuard
- **Encryption:** ChaCha20-Poly1305
- **Authentication:** Public/private key pairs
- **Configuration:** Dynamic endpoint-based firewall rules
#### Firewall Rules
```
Default Policy: DROP
Inbound Rules:
- SSH from VPN interface only (key-based auth)
- Established/related connections allowed
Outbound Rules:
- WireGuard VPN traffic to endpoints
- DNS through VPN tunnel only
- All traffic through VPN interface only
```
### System Security Layer
#### Kernel Hardening
- Module blacklisting (WiFi, Bluetooth)
- Secure kernel parameters
- Restricted ptrace scope
- Kernel address space layout randomization (KASLR)
#### Process Security
- Resource limits (ulimits)
- Service hardening (systemd sandboxing)
- Mandatory access control (optional SELinux/AppArmor)
### Access Control Layer
#### Authentication
- **Password Policy:** 14+ characters, complexity required
- **SSH:** Key-based only (no password auth)
- **Root Login:** Disabled via SSH
- **Sudo:** Limited sudo access for authorized users
#### Authorization
- **User Groups:** Minimal necessary groups only
- **File Permissions:** Secure default permissions
- **Sudo Configuration:** Specific command permissions
- **Audit Logging:** Track all privilege usage
---
## Data Requirements
### DR-001: Data at Rest
**Priority:** P0
**Requirements:**
- All system data encrypted at rest (LUKS2)
- Encryption key protected by user passphrase
- No plaintext data storage
- Secure deletion of temporary files
### DR-002: Data in Transit
**Priority:** P0
**Requirements:**
- All network traffic encrypted via VPN
- SSH encryption for remote access
- TLS for any HTTPS traffic (if applicable)
- No plaintext protocols allowed
### DR-003: Data Retention
**Priority:** P2
**Requirements:**
- Log retention: 90 days minimum
- User data: User-controlled
- System data: Until reinstallation
- Secure wipe on decommission
---
## User Requirements
### UR-001: Target Users
1. **Tier0 Infrastructure Engineers** - Primary users
2. **System Administrators** - Secondary users
3. **Security Auditors** - Compliance verification users
### UR-002: User Scenarios
**Scenario 1: Initial System Installation**
1. Boot ISO on target hardware
2. Configure disk encryption passphrase
3. Complete automated installation
4. Reboot into encrypted system
5. Configure WireGuard VPN
**Scenario 2: Daily System Use**
1. System prompts for encryption passphrase at boot
2. User logs in (username/password)
3. VPN automatically connects
4. User accesses infrastructure via SSH/Remmina
**Scenario 3: USB Data Transfer**
1. User inserts USB device
2. System automatically mounts to /media/username/device
3. User copies files to/from USB
4. User safely removes USB device
**Scenario 4: VPN Configuration**
1. User scans QR code with camera
2. System imports WireGuard configuration
3. Firewall rules updated automatically
4. VPN connection established
### UR-003: User Interface Requirements
**Login Screen:**
- Display system name only
- No user list (privacy mode)
- Require username entry
- Require password entry
- No guest account option
**Desktop Environment:**
- Minimal interface (IceWM)
- Application launcher
- System tray (VPN status indicator)
- Terminal access
- No unnecessary widgets
---
## Technical Requirements
### TR-001: System Requirements
**Minimum Hardware:**
- CPU: x86_64 (AMD64), 2 cores
- RAM: 4 GB (8 GB recommended)
- Storage: 64 GB SSD (128 GB recommended)
- Network: Ethernet (1 Gbps recommended)
- UEFI: UEFI 2.3+ firmware
**Recommended Hardware:**
- CPU: x86_64 (AMD64), 4+ cores
- RAM: 8 GB
- Storage: 256 GB NVMe SSD
- Network: Ethernet 10 Gbps
- UEFI: UEFI 2.7+ with Secure Boot
**Unsupported Hardware:**
- 32-bit systems (x86, ARM32)
- Legacy BIOS systems
- Systems without UEFI firmware
- Systems with < 4 GB RAM
- Systems with < 64 GB storage
### TR-002: Software Requirements
**Included Software:**
- Debian 13 base system
- Linux kernel (latest stable)
- IceWM window manager
- LightDM display manager
- WireGuard and tools
- OpenSSH server
- nftables firewall
- Remmina (remote desktop)
- Mousepad (text editor)
- zbar-tools (QR code scanning)
**Excluded Software:**
- Package managers (apt/dpkg for users)
- Wireless drivers and tools
- Bluetooth stack
- Printing system (CUPS)
- Cloud storage clients
- Media players
- Web browsers
### TR-003: Encryption Requirements
**LUKS2 Configuration:**
- Cipher: aes-xts-plain64
- Key size: 512 bits (256-bit keys for XTS)
- Hash: SHA-512
- KDF: Argon2id (with appropriate iterations)
- Salt size: 512 bits
- Key slots: 8 maximum (default: 1 used)
**Partition Layout (UEFI):**
```
/dev/sda1 512M EFI System Partition (FAT32)
/dev/sda2 512M /boot (ext4, unencrypted)
/dev/sda3 Remainder LUKS2 encrypted container
└─ cryptroot (mapped device) / (ext4)
```
**Boot Process:**
1. UEFI firmware loads GRUB from EFI System Partition
2. GRUB loads kernel and initramfs from /boot
3. initramfs prompts for encryption passphrase
4. LUKS container unlocked with passphrase
5. Root filesystem mounted
6. System boots normally
---
## Compliance Requirements
### CR-001: Regulatory Compliance
**NIST SP 800-53 (Security and Privacy Controls)**
- AC-2: Account Management
- AC-3: Access Enforcement
- AC-6: Least Privilege
- AU-2: Audit Events
- AU-3: Content of Audit Records
- AU-6: Audit Review, Analysis, and Reporting
- CM-3: Configuration Change Control
- CM-7: Least Functionality
- CM-8: System Components Inventory
- CP-7: Alternate Storage Site
- CP-9: System Backup
- CP-10: Information System Recovery and Reconstitution
- IA-2: Identification and Authentication
- IA-5: Authenticator Management
- SC-8: Transmission Confidentiality and Integrity
- SC-12: Cryptographic Key Establishment and Management
- SC-13: Cryptographic Protection
- SC-28: Protection of Information at Rest
**NIST SP 800-111 (Guide to Storage Encryption)**
- Full disk encryption implementation
- Cryptographic algorithm selection
- Key management procedures
- Authentication requirements
**ISO/IEC 27001:2013 (Information Security)**
- A.9 Access Control
- A.10 Cryptography
- A.12 Operations Security
- A.14 System Acquisition, Development, and Maintenance
**CIS Benchmarks for Debian Linux**
- Initial setup guidelines
- Logging and monitoring
- Network configuration
- System access, authentication, and authorization
**DISA STIG for Linux**
- Firewall configuration
- System services configuration
- File permissions and ownership
### CR-002: Security Compliance
**Encryption Standards:**
- FIPS 140-2 Level 1 (certified algorithms)
- FIPS 197 (AES encryption)
- FIPS 180-4 (SHA hash functions)
- FIPS 202 (SHA-3 hash functions)
**Cryptographic Protocols:**
- TLS 1.3 (for any HTTPS)
- WireGuard protocol (VPN)
- SSH-2 protocol
**Key Management:**
- Secure key generation (CSPRNG)
- Secure key storage
- Key rotation support
- Secure key destruction
---
## Testing Requirements
### TST-001: Unit Testing
**Coverage:**
- All security hardening scripts
- Configuration generation scripts
- Key management functions
- Firewall rule generation
**Test Cases:**
- WiFi/Bluetooth module blacklisting verification
- SSH configuration validation
- Firewall rule validation
- Password policy enforcement
### TST-002: Integration Testing
**Test Scenarios:**
- Complete ISO build process
- Installation in virtual machine
- Encryption setup and verification
- VPN configuration and connectivity
- USB device handling
### TST-003: Security Testing
**Test Areas:**
- Full disk encryption verification
- Network isolation testing
- Firewall rule validation
- Authentication mechanism testing
- Privilege escalation prevention
### TST-004: Compliance Testing
**Validation:**
- NIST SP 800-53 control coverage
- NIST SP 800-111 encryption guidelines
- CIS Benchmark compliance
- Security configuration validation
### TST-005: Performance Testing
**Metrics:**
- Boot time with encryption
- Disk I/O performance impact
- Memory usage at idle
- Network throughput over VPN
---
## Quality Assurance
### QA-001: Code Quality
**Standards:**
- Shell scripts: Shellcheck compliant
- Configuration: Follow Debian conventions
- Documentation: Clear and complete
- Version control: Git with meaningful commits
### QA-002: Build Quality
**Requirements:**
- Reproducible builds
- Clean build logs
- No build warnings
- Automated checksum verification
### QA-003: Release Quality
**Criteria:**
- All tests passing
- Security scan clean
- Documentation complete
- Signed release artifacts
---
## Documentation Requirements
### DOC-001: User Documentation
**Required Documents:**
1. User Manual (installation and daily use)
2. Troubleshooting Guide
3. Security Configuration Guide
4. VPN Configuration Guide
### DOC-002: Technical Documentation
**Required Documents:**
1. System Architecture Documentation
2. Security Model Documentation
3. Build Process Documentation
4. API/Configuration Documentation
### DOC-003: Developer Documentation
**Required Documents:**
1. Contributor Guidelines
2. Code Style Guide
3. Testing Guidelines
4. Release Process Documentation
### DOC-004: Compliance Documentation
**Required Documents:**
1. Security Control Implementation Guide
2. Compliance Matrix (NIST, ISO, CIS)
3. Risk Assessment Report
4. Penetration Test Reports
---
## Deployment Requirements
### DEP-001: Distribution
**Distribution Methods:**
- ISO image download (official website)
- Secure distribution (HTTPS, verified checksums)
- GPG signature verification
- Release announcement channels
### DEP-002: Installation
**Installation Methods:**
- USB bootable media (recommended)
- Virtual machine deployment (testing)
- Automated installation (preseed configuration)
- Manual installation (expert mode)
**Installation Requirements:**
- UEFI firmware (mandatory)
- 64-bit AMD64 architecture
- Minimum 64 GB storage
- Minimum 4 GB RAM
- Ethernet network interface
### DEP-003: Updates
**Update Strategy:**
- Major updates: New ISO release
- Security patches: New ISO release
- Configuration changes: New ISO release
- No in-place system updates
**Update Frequency:**
- Major releases: Quarterly
- Security releases: As needed
- Emergency releases: Critical vulnerabilities only
---
## Risk Management
### RISK-001: Security Risks
**High Priority Risks:**
1. **Encryption Bypass** - Attackers attempt to bypass encryption
- Mitigation: LUKS2, strong passphrase, secure key management
2. **Physical Access** - Attackers gain physical access to hardware
- Mitigation: Full disk encryption, secure boot, TPM (optional)
3. **VPN Compromise** - VPN endpoint or configuration compromised
- Mitigation: Key rotation, endpoint hardening, audit logging
**Medium Priority Risks:**
4. **USB Attacks** - Malicious USB devices inserted
- Mitigation: Restricted mounting, no auto-execution, audit logging
5. **Privilege Escalation** - Users attempt to gain root access
- Mitigation: Strong passwords, sudo restrictions, audit logging
6. **Configuration Drift** - System configuration modified
- Mitigation: Immutable attributes, audit logging, compliance checks
### RISK-002: Operational Risks
**Risks:**
- Lost encryption passphrase (data loss)
- System corruption (reinstallation required)
- Hardware failure (recovery procedures needed)
- User error (documentation and training)
**Mitigations:**
- Backup key slot recommendation
- Comprehensive recovery documentation
- Regular system backups (if applicable)
- Clear user documentation
---
## Success Criteria
### SC-001: Technical Success
- Full disk encryption implemented and functional (MANDATORY)
- ISO builds successfully (reproducible)
- All tests passing (100% pass rate)
- Security controls implemented (100% coverage)
### SC-002: Security Success
- Full disk encryption verified (LUKS2, AES-256-XTS)
- Compliance achieved (NIST, ISO, CIS)
- Security assessment passed (critical vulnerabilities = 0)
- Penetration test passed (high-severity issues = 0)
### SC-003: Operational Success
- System boots within 60 seconds (with passphrase prompt)
- Disk I/O overhead < 5% with encryption
- User can complete common tasks without issues
- Documentation is comprehensive and accurate
---
## Future Enhancements
### FE-001: Potential Enhancements
1. **TPM Integration** - Use TPM for passphrase storage (optional)
2. **Smart Card Support** - Smart card-based authentication
3. **Hardware Security Module (HSM)** - Enterprise key management
4. **Trusted Platform Module (TPM)** - Boot attestation
5. **Secure Boot** - Full secure boot chain verification
6. **SELinux/AppArmor** - Mandatory access control
7. **Multi-User Support** - Multiple user accounts (future consideration)
8. **Automated Backup** - Encrypted backup solution
9. **Remote Wipe** - Secure data destruction capability
10. **Hardware Inventory** - Automatic hardware inventory tracking
### FE-002: Research Areas
1. **Alternative Encryption** - Evaluate dm-crypt with dm-integrity
2. **Post-Quantum Cryptography** - Quantum-resistant algorithms
3. **Hardware Enclaves** - Intel SGX or AMD SEV
4. **Containerization** - Application-level isolation
5. **Zero Trust Networking** - Enhanced zero-trust model
---
## Appendix A: Terminology
| Term | Definition |
|------|------------|
| FDE | Full Disk Encryption - Encryption of entire storage device |
| LUKS | Linux Unified Key Setup - Disk encryption specification |
| LUKS2 | Second version of LUKS with enhanced features |
| AES-XTS | Advanced Encryption Standard in XEX-based Tweaked CodeBook mode |
| KDF | Key Derivation Function - Derives encryption keys from password |
| UEFI | Unified Extensible Firmware Interface - Modern firmware interface |
| ESP | EFI System Partition - FAT32 partition for UEFI boot files |
| VPN | Virtual Private Network - Encrypted network tunnel |
| WireGuard | Modern, high-performance VPN protocol |
| nftables | Linux packet filtering framework |
| IceWM | Ice Window Manager - Lightweight window manager |
| LightDM - Light Display Manager - Cross-desktop display manager |
---
## Appendix B: References
1. NIST SP 800-53: Security and Privacy Controls for Information Systems
2. NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices
3. ISO/IEC 27001:2013: Information Security Management Systems
4. CIS Benchmarks: Center for Internet Security Security Configuration Guides
5. DISA STIG: Defense Information Systems Agency Security Technical Implementation Guides
6. LUKS Specification: https://gitlab.com/cryptsetup/LUKS2-docs
7. WireGuard Protocol: https://www.wireguard.com/protocol/
8. Debian Live Manual: https://live-team.pages.debian.net/live-manual/
---
## Appendix C: Change History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-01-28 | KNEL-Football Team | Initial PRD with mandatory full disk encryption |
---
**Copyright © 2026 Known Element Enterprises LLC**
**License: GNU Affero General Public License v3.0 only**
This PRD is maintained as part of the KNEL-Football project and is updated when requirements change or new features are added.

338
docs/SDLC.md Normal file
View File

@@ -0,0 +1,338 @@
# KNEL-Football Secure OS - Software Development Lifecycle (SDLC)
**Version:** 1.0
**Status:** Active
**Last Updated:** 2026-02-17
---
## Overview
This document defines the mandatory Software Development Lifecycle (SDLC) for the KNEL-Football Secure OS project. As a **critical infrastructure project** supporting CMMC/FedRAMP/ITAR compliance, we maintain zero tolerance for security defects and require strict adherence to these processes.
---
## Core Principles
### 1. Security First
- Every change must preserve or enhance security
- No shortcuts, no exceptions, no "temporary" bypasses
- All code is security-critical code
### 2. Test-Driven Development (TDD)
- **Red → Green → Refactor** - Mandatory workflow
- No code without tests
- No merge without passing tests
### 3. Defense in Depth
- Multiple layers of verification
- Automated + manual review
- Build-time + runtime validation
---
## Test-Driven Development (TDD) Workflow
### Mandatory TDD Process
```
┌─────────────────────────────────────────────────────────────┐
│ TDD WORKFLOW │
├─────────────────────────────────────────────────────────────┤
│ │
│ 1. RED: Write a failing test │
│ ┌─────────────────────────────────────────────────┐ │
│ │ • Write test FIRST (before implementation) │ │
│ │ • Test MUST fail initially │ │
│ │ • Run: ./run.sh test:<suite> │ │
│ │ • Confirm test fails for RIGHT reason │ │
│ └─────────────────────────────────────────────────┘ │
│ ↓ │
│ 2. GREEN: Write minimal code to pass │
│ ┌─────────────────────────────────────────────────┐ │
│ │ • Write MINIMUM code to make test pass │ │
│ │ • Do not over-engineer │ │
│ │ • Run: ./run.sh test:<suite> │ │
│ │ • Confirm test passes │ │
│ └─────────────────────────────────────────────────┘ │
│ ↓ │
│ 3. REFACTOR: Improve code quality │
│ ┌─────────────────────────────────────────────────┐ │
│ │ • Clean up implementation │ │
│ │ • Remove duplication │ │
│ │ • Improve readability │ │
│ │ • Run: ./run.sh test (ALL tests must pass) │ │
│ └─────────────────────────────────────────────────┘ │
│ ↓ │
│ REPEAT AS NEEDED │
│ │
└─────────────────────────────────────────────────────────────┘
```
### TDD Rules
1. **Rule 1**: You MUST write a failing test before writing implementation code
2. **Rule 2**: You MUST NOT write more implementation than needed to pass the test
3. **Rule 3**: You MUST run ALL tests after refactoring
### Test Execution Commands
```bash
# Run all tests
./run.sh test
# Run specific test suites
./run.sh test:unit # Unit tests only
./run.sh test:integration # Integration tests only
./run.sh test:security # Security/compliance tests only
# Run linting (shellcheck)
./run.sh lint
```
### Test Coverage Requirements
| Category | Minimum Coverage | Target |
|----------|------------------|--------|
| Security functions | 100% | 100% |
| Encryption setup | 100% | 100% |
| Password policy | 100% | 100% |
| Firewall rules | 100% | 100% |
| Build scripts | 80% | 95% |
| Utility functions | 80% | 90% |
---
## Pre-Commit Checklist
**Before committing ANY change, verify:**
- [ ] All tests pass: `./run.sh test`
- [ ] Lint passes with zero warnings: `./run.sh lint`
- [ ] Security tests pass: `./run.sh test:security`
- [ ] Code follows existing style
- [ ] Commit message follows conventional format
- [ ] No secrets, credentials, or sensitive data in commit
---
## Code Quality Standards
### Shell Script Standards
1. **Zero Shellcheck Warnings**
- All shell scripts MUST pass shellcheck with zero warnings
- No exceptions, no suppressions without documented justification
- Run: `./run.sh lint`
2. **Strict Mode**
- All scripts MUST use: `set -euo pipefail`
- No uninitialized variables
- No unset variable access
3. **Error Handling**
- All errors must be handled explicitly
- Use `|| true` only when failure is expected and acceptable
- Log all errors with context
4. **Security Conventions**
- Quote all variables: `"$variable"`
- Use `[[ ]]` for tests (not `[ ]`)
- Avoid `eval` and other code injection vectors
- Never log secrets or credentials
### Documentation Standards
1. **Code Comments**
- Explain WHY, not WHAT
- Reference requirements (e.g., "PRD FR-006: Key-based auth only")
- Document security implications
2. **Function Documentation**
```bash
# Function: configure_ssh
# Purpose: Configure SSH server with security hardening
# Requirements: PRD FR-006 (Key-Based Authentication Only)
# Security: Disables password auth per NIST guidelines
configure_ssh() {
```
---
## Git Workflow
### Branch Strategy
```
main (protected)
├── feature/<feature-name> # New features
├── fix/<bug-name> # Bug fixes
├── security/<issue-name> # Security fixes (priority)
└── docs/<doc-name> # Documentation updates
```
### Commit Message Format
```
<type>: <subject>
<body (optional)>
<footer (optional)>
💘 Generated with Crush
Assisted-by: <AI-Model> via Crush <crush@charm.land>
```
**Types:**
- `feat`: New feature
- `fix`: Bug fix
- `security`: Security vulnerability fix
- `docs`: Documentation changes
- `test`: Test additions/modifications
- `refactor`: Code refactoring
- `chore`: Maintenance tasks
**Example:**
```
security: disable SSH password authentication
PRD FR-006 requires key-based authentication only.
PasswordAuthentication was incorrectly set to 'yes',
violating the security requirement.
Fixes: SSH config now uses PasswordAuthentication no
💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
```
### Merge Requirements
- [ ] All tests pass
- [ ] Zero lint warnings
- [ ] At least one approval (for team projects)
- [ ] No unresolved conversations
- [ ] Branch up to date with main
---
## Security Review Process
### When Security Review is Required
1. Any change to:
- Encryption configuration
- Password policy
- Firewall rules
- SSH configuration
- Authentication mechanisms
- Kernel module blacklists
2. Any change touching files in:
- `config/hooks/installed/`
- `config/hooks/live/`
- `src/security-hardening.sh`
- `src/firewall-setup.sh`
### Security Review Checklist
- [ ] Change aligns with PRD requirements
- [ ] No security regressions introduced
- [ ] Complies with NIST SP 800-53 controls
- [ ] Complies with NIST SP 800-111 (encryption)
- [ ] Complies with CIS Benchmarks
- [ ] Audit logging covers the change
- [ ] Documentation updated
---
## Compliance Mapping
### NIST SP 800-53 Control Mapping
| Control | Implementation | Test |
|---------|----------------|------|
| AC-3 (Access Enforcement) | SSH key-only auth | `test:security` |
| AU-2 (Audit Events) | auditd rules | `test:security` |
| SC-13 (Crypto Protection) | LUKS2 encryption | `test:security` |
| SC-28 (Data at Rest) | Full disk encryption | `test:security` |
### Compliance Test Execution
```bash
# Run compliance-focused tests
./run.sh test:security
# Run encryption-specific tests
./run.sh test:encryption
# Run full compliance verification
./run.sh test
```
---
## Release Process
### Pre-Release Checklist
- [ ] All tests pass (78 tests: 63 pass, 15 skip for libvirt)
- [ ] Zero lint warnings
- [ ] Security review complete
- [ ] Documentation updated
- [ ] CHANGELOG updated
- [ ] Version bump in applicable files
### Build Verification
```bash
# Build ISO
./run.sh iso
# Verify checksums
cd output/
sha256sum -c knel-football-secure.iso.sha256
md5sum -c knel-football-secure.iso.md5
```
---
## Incident Response
### Security Vulnerability Found
1. **STOP** - Do not commit the vulnerable code
2. **DOCUMENT** - Create issue tracking the vulnerability
3. **FIX** - Implement fix following TDD process
4. **VERIFY** - All tests pass, security tests pass
5. **REVIEW** - Security review of the fix
6. **RELEASE** - Expedited release if critical
---
## References
- **PRD.md** - Product Requirements Document
- **AGENTS.md** - Agent Behavior Guidelines
- **README.md** - Project overview and commands
- **docs/TEST-COVERAGE.md** - Test suite documentation
- **docs/VERIFICATION-REPORT.md** - Verification results
---
## Version History
| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2026-02-17 | Initial SDLC document |
---
**This SDLC is MANDATORY for all changes to this project.**
**Copyright © 2026 Known Element Enterprises LLC**
**License: GNU Affero General Public License v3.0 only**