football

KNEL/football

Fork 0

Commit Graph

Author	SHA1	Message	Date
reachableceo	2b422cf62c	fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-08 12:08:54 -05:00
reachableceo	62d20604a6	fix: resolve critical build bugs and add missing PRD requirements Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl, iwl, ath, brcm, mwifi, rt2) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-01 09:50:15 -05:00
reachableceo	821622d12b	test: add comprehensive test suites for all source scripts Add new BATS test files covering firewall-setup, security-hardening, build-iso execution, and configuration hooks. These complement the existing test files and bring total test count to 235. New test files: tests/unit/firewall-setup_comprehensive_test.bats (42 tests) - parse_wg_endpoint: config parsing, missing file, malformed config - generate_nftables_rules: rule generation, port/ip extraction - apply_firewall: WireGuard present/absent/default deny fallback - main: execution flow, argument passthrough tests/unit/security-hardening_comprehensive_test.bats (90 tests) - create_wifi_blacklist: module coverage, output path, file creation - create_bluetooth_blacklist: module coverage, output path - configure_ssh: Protocol 2, root login disabled, MaxAuthTries, etc. - configure_password_policy: minlen=14, character class requirements, dictionary check, username check, bad words, enforcing mode - configure_system_limits: core dump disabled, nproc limits - configure_audit_rules: passwd/shadow/sshd/wireguard/audit monitoring - apply_security_hardening: calls all sub-functions, progress output - main: execution flow, start/completion messages tests/unit/execution_comprehensive_test.bats (28 tests) - Script execution guards (set -euo pipefail, shebang) - Sourceability without execution - Function existence checks tests/unit/build-iso_comprehensive_test.bats (expanded to 39 tests) - Docker volume mounts, environment variables, build timeouts - live-build configuration parameters - Error handling and cleanup tests/integration/hooks_comprehensive_test.bats (36 tests) - All hooks have proper shebangs and error handling - Hooks reference correct source files - Configuration files exist and are well-formed - Encryption hooks present and executable All 235 tests pass: ./run.sh test 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-04-27 13:10:07 -05:00

Author

SHA1

Message

Date

reachableceo

2b422cf62c

fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport

Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

2026-05-08 12:08:54 -05:00

reachableceo

62d20604a6

fix: resolve critical build bugs and add missing PRD requirements

Critical fixes:
- Fix security-hardening.sh live hook: removed broken source from
  /build/src/ which doesn't exist during live-build; made hook
  self-contained by inlining all config generation
- Fix firewall-setup.sh live hook: removed broken source from
  /build/src/; hook already had inline nftables config
- Fix install-scripts.sh: replaced /workspace/src/ references with
  embedded inline scripts (installed system has no /workspace)
- Fix UKI cmdline in standalone uki_build(): added
  lockdown=confidentiality and module.sig_enforce=1 to match the
  inline Secure Boot hook
- Fix WiFi blacklist: expanded from 6 entries to 19, now covers all
  PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*)

Missing PRD requirements added:
- kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace
  restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID
  dumpable disabled, hardlink/symlink protection, network hardening
- service-hardening.sh (FR-007): disables and masks avahi-daemon,
  cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport
- sudo-hardening.sh (FR-007): requiretty, logging (input/output),
  timestamp timeout, env_reset, restricted football user commands
- mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp,
  nodev/nosuid on /home, /dev/shm hardening

Test improvements:
- Rewrote security-hardening_comprehensive_test.bats: tests now
  source scripts, call functions, and verify generated output files
- Rewrote firewall-setup_comprehensive_test.bats: tests now create
  WireGuard configs, call parse_wg_endpoint, verify nftables output
- Added new-hooks_test.bats: 42 tests for kernel hardening, service
  hardening, sudo hardening, mount hardening, self-containment
  verification, and WiFi blacklist completeness
- Total: 788 tests passing, 0 failures, 0 shellcheck warnings

Reference: docs/PRD.md FR-005, FR-007, security-model.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

2026-05-01 09:50:15 -05:00

reachableceo

821622d12b

test: add comprehensive test suites for all source scripts

Add new BATS test files covering firewall-setup, security-hardening,
build-iso execution, and configuration hooks. These complement the
existing test files and bring total test count to 235.

New test files:

tests/unit/firewall-setup_comprehensive_test.bats (42 tests)
- parse_wg_endpoint: config parsing, missing file, malformed config
- generate_nftables_rules: rule generation, port/ip extraction
- apply_firewall: WireGuard present/absent/default deny fallback
- main: execution flow, argument passthrough

tests/unit/security-hardening_comprehensive_test.bats (90 tests)
- create_wifi_blacklist: module coverage, output path, file creation
- create_bluetooth_blacklist: module coverage, output path
- configure_ssh: Protocol 2, root login disabled, MaxAuthTries, etc.
- configure_password_policy: minlen=14, character class requirements,
  dictionary check, username check, bad words, enforcing mode
- configure_system_limits: core dump disabled, nproc limits
- configure_audit_rules: passwd/shadow/sshd/wireguard/audit monitoring
- apply_security_hardening: calls all sub-functions, progress output
- main: execution flow, start/completion messages

tests/unit/execution_comprehensive_test.bats (28 tests)
- Script execution guards (set -euo pipefail, shebang)
- Sourceability without execution
- Function existence checks

tests/unit/build-iso_comprehensive_test.bats (expanded to 39 tests)
- Docker volume mounts, environment variables, build timeouts
- live-build configuration parameters
- Error handling and cleanup

tests/integration/hooks_comprehensive_test.bats (36 tests)
- All hooks have proper shebangs and error handling
- Hooks reference correct source files
- Configuration files exist and are well-formed
- Encryption hooks present and executable

All 235 tests pass: ./run.sh test

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

2026-04-27 13:10:07 -05:00

3 Commits