football

Author	SHA1	Message	Date
reachableceo	2b422cf62c	fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes. Changes: - run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07), add module.sig_enforce to Docker-embedded UKI (H-08) - usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05), restrict dmask/fmask, add input validation, add audit logging (M-08) - security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01), remove sshd_config generation (H-02), expand WiFi blacklist (M-12) - firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port range to 51820 only (M-05) - firewall-setup.sh (src): Add ct state established,related (H-03) - security-hardening.sh (src): Fix apply_security_hardening to call configure_ssh_client and configure_fim with separate output paths (M-01) - install-scripts.sh: Remove football from sudo group (M-02) - mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened even without existing fstab entries (M-07) - encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic LUKS device discovery (H-06), fix recovery key generation (M-04), fix crypttab sed pattern - qr-code-import.sh: Restrict temp file permissions (H-04) - Tests updated to match new security posture All 786+ tests pass. Zero shellcheck warnings. Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through H-08, M-01, M-02, M-05, M-07, M-08, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-08 12:08:54 -05:00
reachableceo	46dabde629	fix: resolve final PRD alignment issues, update docs PRD Alignment Fixes: - disable-package-management.sh: Keep dpkg-query executable for audit tools (was disabled despite comments claiming it was preserved) - run.sh: Replace silent FDE skip with explicit warning message (PRD FR-011 says mandatory but host has no LUKS) - run.sh: Fix checksum generation to use post-rename filename (was referencing live-image-amd64.hybrid.iso instead of knel-football-secure.iso) Documentation Updates: - STATUS.md: Add FR-012 to alignment matrix (was missing) - STATUS.md: Fix stale requiretty reference (was removed) - STATUS.md: Update PRD coverage to 12/12 - JOURNAL.md: Replace audit entry with comprehensive fix entry 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-07 09:13:29 -05:00
reachableceo	9459c84fbc	fix: resolve all audit findings in hooks, config, and package list Security/Functional Fixes: - firewall-setup.sh: Added WireGuard allow, established/related, DHCP (was blocking ALL outbound including VPN - system was non-functional) - disable-package-management.sh: Preserve /var/lib/dpkg/ for queries (was destroying dpkg database with rm -rf) - encryption-validation.sh: Fixed inverted motd conditional (was creating file only if it already existed - backwards) - kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only) Changed user.max_user_namespaces from 0 to 100 - sudo-hardening.sh: Removed Defaults requiretty (was breaking GUI-launched sudo via pkexec) - encryption-setup.sh: Fixed conflicting stdin in luksAddKey - install-scripts.sh: Fixed embedded firewall (same WireGuard bug) Replaced gutted security-hardening stub with real status checker - GRUB config: Fixed serial_console → serial (invalid terminal name) - Package list: Removed audispd-plugins (deprecated in Debian 13), removed duplicate wireguard/wireguard-tools entries Reference: Full audit findings from Session 7 JOURNAL.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-07 08:41:52 -05:00
reachableceo	0fb9abe43e	feat: add dual-mode ISO builds (production vs demo) with serial console Two build modes: - `./run.sh iso` — production ISO (prompts for credentials, quiet boot) - `./run.sh iso:demo` — demo/CI ISO (hardcoded test credentials, serial console output, verbose kernel) Changes: - run.sh: Accept iso:demo subcommand, pass KNEL_BUILD_MODE to Docker - run.sh: Demo mode uses verbose kernel cmdline with console=ttyS0 - config/bootloaders/grub-pc/config.cfg: GRUB serial console on ttyS0 at 115200 baud alongside VGA gfxterm (dual output) - config/includes.installer/demo.preseed.cfg: Fully automated preseed with hardcoded test credentials (NOT for production use) - config/hooks/binary/0199-serial-console.hook: Ensures serial console on Debian installer entries too - .gitignore: Fix binary/ pattern to /binary/ (was matching config/hooks/binary/) Demo credentials (TESTING ONLY): - User: football / Kn3l-F00tball-D3m0! - Root: Kn3l-R00t-D3m0! - LUKS: Kn3l-D3m0-LUKS! 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-01 11:35:43 -05:00
reachableceo	62d20604a6	fix: resolve critical build bugs and add missing PRD requirements Critical fixes: - Fix security-hardening.sh live hook: removed broken source from /build/src/ which doesn't exist during live-build; made hook self-contained by inlining all config generation - Fix firewall-setup.sh live hook: removed broken source from /build/src/; hook already had inline nftables config - Fix install-scripts.sh: replaced /workspace/src/ references with embedded inline scripts (installed system has no /workspace) - Fix UKI cmdline in standalone uki_build(): added lockdown=confidentiality and module.sig_enforce=1 to match the inline Secure Boot hook - Fix WiFi blacklist: expanded from 6 entries to 19, now covers all PRD FR-005 driver families (rtl, iwl, ath, brcm, mwifi, rt2) Missing PRD requirements added: - kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID dumpable disabled, hardlink/symlink protection, network hardening - service-hardening.sh (FR-007): disables and masks avahi-daemon, cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport - sudo-hardening.sh (FR-007): requiretty, logging (input/output), timestamp timeout, env_reset, restricted football user commands - mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp, nodev/nosuid on /home, /dev/shm hardening Test improvements: - Rewrote security-hardening_comprehensive_test.bats: tests now source scripts, call functions, and verify generated output files - Rewrote firewall-setup_comprehensive_test.bats: tests now create WireGuard configs, call parse_wg_endpoint, verify nftables output - Added new-hooks_test.bats: 42 tests for kernel hardening, service hardening, sudo hardening, mount hardening, self-containment verification, and WiFi blacklist completeness - Total: 788 tests passing, 0 failures, 0 shellcheck warnings Reference: docs/PRD.md FR-005, FR-007, security-model.md 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>	2026-05-01 09:50:15 -05:00
reachableceo	c03d3a793e	fix: restore lost functions and sections from rebase conflict resolution Three issues caused by the rebase onto origin/main: 1. encryption-setup.sh: restore aes_xts, xts, sha512 initramfs modules that were lost when resolving whitespace conflict 2. security-hardening.sh: add missing configure_ssh() function that creates hardened sshd_config as defense-in-depth (FR-006 client-only) 3. AGENTS.md: fix section headings to match test expectations (MANDATORY SECURITY REQUIREMENTS, DOCKER-ONLY WORKFLOW, AGENT WORKFLOW) All 830 tests now pass (was 815 pass / 15 fail). 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-04-27 13:22:00 -05:00
reachableceo	7545a164e5	fix: resolve all shellcheck warnings in source scripts and hooks This commit addresses every shellcheck warning (severity: warning and above) across the project's shell scripts. Only SC1091 info-level notices remain (sourced files not available during static analysis), which is expected and unavoidable in the Docker build workflow. Changes by file: src/build-iso.sh - Replace Unicode checkmark/cross characters (✓, ✗) with ASCII equivalents (PASS:, FAIL:) to eliminate commitBuffer encoding errors - Replace useless `cat \| cut` pipeline with direct file redirect (`cut -d' ' -f1 < file`), resolving SC2002 src/security-hardening.sh - Pass optional arguments through the function call chain in apply_security_hardening() to resolve SC2119/SC2120 (functions reference $1 but are called without arguments) src/firewall-setup.sh - Pass optional arguments through apply_firewall() in main() to resolve SC2119/SC2120 config/hooks/installed/encryption-setup.sh - Consolidate four individual `echo >> file` redirects into a single `{ cmd1; cmd2; } >> file` block, resolving SC2129 - Add shellcheck disable directive for intentional SC2016 in sed command (single quotes are required by sed, not a mistake) config/hooks/installed/encryption-validation.sh - Replace remaining Unicode checkmark characters with ASCII Verification: shellcheck --severity=warning src/.sh config/hooks//.sh => zero warnings, zero errors 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-04-27 13:09:39 -05:00
Charles N Wyble	5b01cfd71b	feat: add Argon2id KDF configuration for LUKS2 (FINDING-005) Debian partman-crypto does not support preseed configuration for KDF type, defaulting to PBKDF2. PRD requires Argon2id for its superior resistance to GPU-based attacks. Solution: Post-install hook that creates: - /usr/local/bin/convert-luks-kdf.sh: User-runnable script to convert PBKDF2 to Argon2id with proper parameters (memory=1GB, parallelism=4) - /etc/profile.d/knel-kdf-reminder.sh: Login reminder until conversion - Updated /var/backups/keys/README.txt with conversion instructions Tests added (3 new): - Argon2id KDF configuration hook or script exists - KDF conversion helper script is created - User receives notification about KDF optimization Reference: docs/PRD.md encryption requirements Audit: FINDING-005 (2026-02-20) 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-02-20 11:00:23 -05:00
Charles N Wyble	589c14833d	fix: standardize username to 'football' in all hooks (FINDING-008) The preseed.cfg creates user 'football' but hooks referenced 'kneluser'. This inconsistency would cause runtime failures during installation. Changes: - config/hooks/installed/encryption-validation.sh: s/kneluser/football/g - config/hooks/live/usb-automount.sh: s/kneluser/football/g - config/hooks/installed/install-scripts.sh: s/kneluser/football/g - tests/unit/encryption-validation_test.bats: Add 5 tests for username consistency Fixes: FINDING-008 (User account inconsistency) Reference: PRD.md user account requirements 💘 Generated with Crush Assisted-by: Claude via Crush <crush@charm.land>	2026-02-20 10:49:47 -05:00
Charles N Wyble	bed3b07b81	fix: correct security-hardening.sh hook function calls - Fix function name: configure_ssh → configure_ssh_client (matches src/) - Add missing configure_fim call for AIDE File Integrity Monitoring These functions exist in src/security-hardening.sh but the hook was calling the wrong name or missing the FIM call entirely. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-02-19 09:11:43 -05:00
Charles N Wyble	0b9ede5f84	fix: resolve all shellcheck warnings and security issues - fix(shellcheck): SC2016 in encryption-setup.sh - remove non-expanding $(blkid...) - fix(shellcheck): SC1091 in firewall-setup.sh and security-hardening.sh - add disable directives - security: SSH PasswordAuthentication yes -> no (PRD FR-006 violation) - fix: date expansion in encryption-validation.sh heredoc - docs: create SDLC.md with TDD workflow and security requirements - docs: update AGENTS.md to reference SDLC.md - chore: update STATUS.md with build completion - chore: minor build-iso.sh output formatting All 78 tests pass (63 run, 15 skip for libvirt). Zero shellcheck warnings. 💘 Generated with Crush Assisted-by: GLM-5 via Crush <crush@charm.land>	2026-02-17 11:34:11 -05:00
Charles N Wyble	d00f3c9f02	fix: resolve shellcheck warnings in shell scripts Improve code quality by addressing shellcheck warnings across security-critical scripts. src/security-hardening.sh: - Add shellcheck directive for SC2120/SC2119 - Function configure_password_policy() accepts optional args - Directive documents intentional usage pattern src/firewall-setup.sh: - Fix function argument passing in main() - Properly pass arguments to configure_firewall() config/hooks/installed/encryption-setup.sh: - Consolidate echo commands to fix SC2129 - Use single redirect for multiple writes Remaining warnings are non-critical: - SC1091: Source files exist at runtime in Docker container - SC2016: Intentional single quotes for sed pattern No functional changes - purely code quality improvements. 💘 Generated with Crush Assisted-by: GLM-5 via Crush <crush@charm.land>	2026-02-17 10:12:01 -05:00
ReachableCEO	2ab8040bdf	feat: add encryption validation and user notification hook Validate LUKS2 encryption configuration, create user-facing reminder files, MOTD messages, and first-boot check script to ensure encryption requirements are met and users are informed. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-29 10:00:05 -05:00
ReachableCEO	5cfa68be97	feat: add LUKS2 encryption setup hook Configure LUKS2 with AES-256-XTS encryption, cryptsetup-initramfs, initramfs modules, key management scripts, and encryption status systemd service for automated encryption setup during installation. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>	2026-01-29 09:59:58 -05:00
Charles N Wyble	6f038c3888	refactor: Update installed hooks and package lists - Update disable-package-management.sh with immutable permissions - Update install-scripts.sh with proper path handling - Add knel-football.list.chroot package list - Add desktop shortcuts for VPN configuration - Add USB automount support 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>	2026-01-21 15:40:27 -05:00
Charles N Wyble	1edf8665e9	refactor: Update live hooks for Docker compliance - Update firewall-setup.sh with proper volume path sourcing - Update security-hardening.sh with modular function calls - Update qr-code-import.sh with enhanced QR scanning - Update install-scripts.sh with desktop shortcuts - Add proper permission handling 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>	2026-01-21 15:40:21 -05:00
Charles N Wyble	70bdba52da	chore: Update .gitignore for KNEL-Football project - Update to ignore KNEL-Football specific build artifacts - Remove blanket config/ directory ignore - Add build directories and temporary files - Add ISO artifacts and checksum patterns - Add security exclusions for keys and secrets 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>	2026-01-21 15:40:08 -05:00
Charles N Wyble	6cd53bc7ba	feat: Add live-build hooks - Add security-hardening.sh for system hardening - Add firewall-setup.sh for nftables configuration - Add qr-code-import.sh for WireGuard QR scanning - Add disable-package-management.sh to secure package tools - Add install-scripts.sh to install source utilities These hooks implement core security and functionality requirements. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>	2026-01-21 10:25:16 -05:00

18 Commits