KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
149 Commits 1 Branch 0 Tags
ad2d4d3e61e0a88b96a191b9ba894247a6d433b6
Commit Graph

12 Commits

Author SHA1 Message Date
Charles N Wyble
7e8bbf7a8f fix: copy config files to correct live-build config directory 
Changed cp destination from ./ to ./config/ to ensure includes.installer
and other config files are placed in the correct location for live-build
to process them. This fixes preseed.cfg not being embedded in the installer
initrd.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-02-19 20:16:42 -05:00
Charles N Wyble
ab49d1f98b refactor: remove versioning from ISO filename 
ISO now always named knel-football-secure.iso (no v1.0.0 suffix).
Updated all references in code, docs, and tests.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-02-17 15:44:09 -05:00
Charles N Wyble
0807611efe feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC 
Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture

Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins

No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-02-17 12:24:30 -05:00
Charles N Wyble
0b9ede5f84 fix: resolve all shellcheck warnings and security issues 
- fix(shellcheck): SC2016 in encryption-setup.sh - remove non-expanding $(blkid...)
- fix(shellcheck): SC1091 in firewall-setup.sh and security-hardening.sh - add disable directives
- security: SSH PasswordAuthentication yes -> no (PRD FR-006 violation)
- fix: date expansion in encryption-validation.sh heredoc
- docs: create SDLC.md with TDD workflow and security requirements
- docs: update AGENTS.md to reference SDLC.md
- chore: update STATUS.md with build completion
- chore: minor build-iso.sh output formatting

All 78 tests pass (63 run, 15 skip for libvirt).
Zero shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
 2026-02-17 11:34:11 -05:00
Charles N Wyble
d00f3c9f02 fix: resolve shellcheck warnings in shell scripts 
Improve code quality by addressing shellcheck warnings
across security-critical scripts.

src/security-hardening.sh:
- Add shellcheck directive for SC2120/SC2119
- Function configure_password_policy() accepts optional args
- Directive documents intentional usage pattern

src/firewall-setup.sh:
- Fix function argument passing in main()
- Properly pass arguments to configure_firewall()

config/hooks/installed/encryption-setup.sh:
- Consolidate echo commands to fix SC2129
- Use single redirect for multiple writes

Remaining warnings are non-critical:
- SC1091: Source files exist at runtime in Docker container
- SC2016: Intentional single quotes for sed pattern

No functional changes - purely code quality improvements.

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
 2026-02-17 10:12:01 -05:00
ReachableCEO
c1505a9940 chore: remove obsolete scripts and clean project structure 
Remove obsolete script files that are no longer needed. Root run.sh has all functionality. Clean src/ directory to only contain necessary source scripts.

Deleted files:
- bin/cleanup.sh (functionality in run.sh)
- bin/docker-manage.sh (functionality in run.sh)
- lib/docker.sh (not used, deleted)
- src/build.sh (obsolete, not referenced)
- src/run.sh (obsolete, duplicate of root run.sh)
- src/run-new.sh (broken, references deleted lib/docker.sh)
- plan/PreFlightDiscussion-*.md (planning docs no longer needed)

Modified files:
- .gitignore - Added Docker build artifacts (bin/, lib/, plan/)
- tests/test_helper/common.bash - Fixed for standalone execution

Current src/ directory (essential scripts only):
- build-iso.sh - ISO build orchestration
- firewall-setup.sh - Firewall configuration
- security-hardening.sh - Security hardening functions

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-01-29 12:42:51 -05:00
ReachableCEO
54c88c401d feat: update ISO build command with encryption flags 
Add --privileged flag (required for encryption support), --user root flag (required by live-build), build in /tmp container directory (not mounted volume), and remove problematic flags for successful build with encryption support.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-01-29 10:00:57 -05:00
ReachableCEO
ad23d12eda feat: enhance password complexity requirements to NIST SP 800-63B 
Enforce 14+ character minimum, require all character classes (uppercase, lowercase, digit, special), prevent common patterns, check against dictionary and bad words, and apply to all users including root.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-01-29 10:00:07 -05:00
Charles N Wyble
fb75282b8e refactor: Update security scripts with modular functions 
- Refactor security-hardening.sh with modular functions
- Add create_wifi_blacklist function
- Add create_bluetooth_blacklist function
- Add configure_ssh, password_policy, system_limits, audit_rules
- Update firewall-setup.sh with proper WireGuard endpoint parsing
- Add dynamic nftables rule generation

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 15:39:55 -05:00
Charles N Wyble
4cafafba56 refactor: Update build-iso.sh for Docker compliance 
- Enhance build-iso.sh with strict Docker container usage
- Add proper volume mounts (/workspace:/build:/output)
- Ensure all operations inside container
- Add comprehensive error handling and reporting
- Only copy final artifacts (ISO, checksums, reports)

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 15:39:46 -05:00
Charles N Wyble
9b0cbc658d feat: Add enhanced build and run scripts 
- Add src/build.sh for Docker-based ISO building
- Add src/run-new.sh with enhanced container management
- Add src/run.sh as host wrapper for build process

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 15:39:40 -05:00
Charles N Wyble
ca08f9a259 feat: Add core build scripts 
- Add build-iso.sh with validation and build functions
- Add firewall-setup.sh with dynamic nftables configuration
- Add security-hardening.sh with comprehensive hardening functions
- All scripts follow strict mode and are executable

These provide the core functionality for the secure ISO build process.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 10:24:11 -05:00