football

KNEL/football

Fork 0

Commit Graph

Author	SHA1	Message	Date
reachableceo	3d2ef3d5c2	fix: honest remediation batch 3 - fix broken claims and real Argon2id Previous commits marked findings as ✅ that were actually superficial or broken. This commit fixes the real problems honestly. Real fixes: - Argon2id KDF: Fixed via preseed partman/early_command that patches partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id. Previous luks-kdf-configure.sh "auto-conversion" was dead code (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it). Now the hook is an honest verifier, not a fake converter. - src/security-hardening.sh: Removed sshd_config generation entirely (was still generating it despite claiming client-only) - AIDE init: Removed \|\| true error swallowing, now reports failures - COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets with honest explanation of what's missing (3PAO, org controls) - VERIFICATION-REPORT.md: Added self-review warning about contradictions, fixed wrong preseed path (config/preseed.cfg → includes.installer/) - Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md - encryption-setup.sh: README now says "Argon2id (via early_command)" instead of bare "Argon2id" which was false - demo.preseed.cfg: Added same Argon2id early_command - Added .dockerignore (was missing) - Fixed .gitignore key pattern (too broad, matched keyboard.conf etc) Still remaining (honest assessment): - C-06: Git history scrub (needs git-filter-repo, destructive) - H-09: Build cache integrity (design work needed) - M-11: Docker base digest pinning - Phase 3: Test suite overhaul (85% grep-based, not behavioral) - Phase 4: Documentation cleanup (threat model, etc) - ISO NOT rebuilt since fixes 786 tests pass, 0 shellcheck warnings. 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-08 12:51:20 -05:00
reachableceo	0fb9abe43e	feat: add dual-mode ISO builds (production vs demo) with serial console Two build modes: - `./run.sh iso` — production ISO (prompts for credentials, quiet boot) - `./run.sh iso:demo` — demo/CI ISO (hardcoded test credentials, serial console output, verbose kernel) Changes: - run.sh: Accept iso:demo subcommand, pass KNEL_BUILD_MODE to Docker - run.sh: Demo mode uses verbose kernel cmdline with console=ttyS0 - config/bootloaders/grub-pc/config.cfg: GRUB serial console on ttyS0 at 115200 baud alongside VGA gfxterm (dual output) - config/includes.installer/demo.preseed.cfg: Fully automated preseed with hardcoded test credentials (NOT for production use) - config/hooks/binary/0199-serial-console.hook: Ensures serial console on Debian installer entries too - .gitignore: Fix binary/ pattern to /binary/ (was matching config/hooks/binary/) Demo credentials (TESTING ONLY): - User: football / Kn3l-F00tball-D3m0! - Root: Kn3l-R00t-D3m0! - LUKS: Kn3l-D3m0-LUKS! 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-01 11:35:43 -05:00

Author

SHA1

Message

Date

reachableceo

3d2ef3d5c2

fix: honest remediation batch 3 - fix broken claims and real Argon2id

Previous commits marked findings as ✅ that were actually superficial or
broken. This commit fixes the real problems honestly.

Real fixes:
- Argon2id KDF: Fixed via preseed partman/early_command that patches
  partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id.
  Previous luks-kdf-configure.sh "auto-conversion" was dead code
  (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it).
  Now the hook is an honest verifier, not a fake converter.
- src/security-hardening.sh: Removed sshd_config generation entirely
  (was still generating it despite claiming client-only)
- AIDE init: Removed || true error swallowing, now reports failures
- COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets
  with honest explanation of what's missing (3PAO, org controls)
- VERIFICATION-REPORT.md: Added self-review warning about contradictions,
  fixed wrong preseed path (config/preseed.cfg → includes.installer/)
- Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md
- encryption-setup.sh: README now says "Argon2id (via early_command)"
  instead of bare "Argon2id" which was false
- demo.preseed.cfg: Added same Argon2id early_command
- Added .dockerignore (was missing)
- Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc)

Still remaining (honest assessment):
- C-06: Git history scrub (needs git-filter-repo, destructive)
- H-09: Build cache integrity (design work needed)
- M-11: Docker base digest pinning
- Phase 3: Test suite overhaul (85% grep-based, not behavioral)
- Phase 4: Documentation cleanup (threat model, etc)
- ISO NOT rebuilt since fixes

786 tests pass, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

2026-05-08 12:51:20 -05:00

reachableceo

0fb9abe43e

feat: add dual-mode ISO builds (production vs demo) with serial console

Two build modes:
- `./run.sh iso` — production ISO (prompts for credentials, quiet boot)
- `./run.sh iso:demo` — demo/CI ISO (hardcoded test credentials, serial
  console output, verbose kernel)

Changes:
- run.sh: Accept iso:demo subcommand, pass KNEL_BUILD_MODE to Docker
- run.sh: Demo mode uses verbose kernel cmdline with console=ttyS0
- config/bootloaders/grub-pc/config.cfg: GRUB serial console on ttyS0
  at 115200 baud alongside VGA gfxterm (dual output)
- config/includes.installer/demo.preseed.cfg: Fully automated preseed
  with hardcoded test credentials (NOT for production use)
- config/hooks/binary/0199-serial-console.hook: Ensures serial console
  on Debian installer entries too
- .gitignore: Fix binary/ pattern to /binary/ (was matching config/hooks/binary/)

Demo credentials (TESTING ONLY):
- User: football / Kn3l-F00tball-D3m0!
- Root: Kn3l-R00t-D3m0!
- LUKS: Kn3l-D3m0-LUKS!

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

2026-05-01 11:35:43 -05:00

2 Commits