KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
157 Commits 1 Branch 0 Tags
48d635d8ccdd392b155f881f6353cd2bbd6a38be
Commit Graph

6 Commits

Author SHA1 Message Date
Charles N Wyble
169362ce3d feat: implement Secure Boot with UKI in run.sh 
Add complete Secure Boot implementation:
- Generate PK/KEK/db keys during ISO build
- Build Unified Kernel Image (UKI) bundling kernel+initramfs+cmdline
- Sign UKI with db key for Secure Boot verification
- Include kernel lockdown mode in cmdline (lockdown=confidentiality)
- Copy .auth files to ISO for UEFI key enrollment

All Secure Boot logic is embedded in run.sh as an inline binary hook
created during the Docker build process - no separate scripts.

Required packages added: efitools, sbsigntools, systemd-boot, binutils

VM template updated with TPM v2.0 for Secure Boot measurements.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-02-20 07:40:21 -05:00
Charles N Wyble
987c70b604 fix: remove obsolete icewm-themes package 
Package icewm-themes is no longer available in Debian testing.
icewm-common provides the necessary themes as a dependency.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-02-19 20:39:13 -05:00
Charles N Wyble
0807611efe feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC 
Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture

Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins

No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-02-17 12:24:30 -05:00
Charles N Wyble
6929ecfbc9 feat: add Secure Boot support packages 
Add UEFI Secure Boot packages to enable booting on systems
with Secure Boot enabled:

- shim-signed: Microsoft-signed shim bootloader
- grub-efi-amd64-signed: Signed GRUB EFI bootloader
- grub-efi-amd64-bin: GRUB EFI binaries
- efibootmgr: EFI boot manager utility

This is mandatory for modern UEFI systems that ship with
Secure Boot enabled by default.

Compliance: UEFI Secure Boot specification

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
 2026-02-17 10:11:19 -05:00
Charles N Wyble
6f038c3888 refactor: Update installed hooks and package lists 
- Update disable-package-management.sh with immutable permissions
- Update install-scripts.sh with proper path handling
- Add knel-football.list.chroot package list
- Add desktop shortcuts for VPN configuration
- Add USB automount support

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 15:40:27 -05:00
Charles N Wyble
3fc85b8130 feat: Phase 1 - Project structure and build environment 
- Add project directory structure with config, src, tests directories
- Implement run.sh host wrapper script for Docker-based workflow
- Create Dockerfile for build/test environment with live-build
- Add basic live-build configuration with preseed and package lists
- Add .gitignore and .dockerignore files

This establishes the foundation for building the secure Debian ISO.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 10:22:03 -05:00