KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
199 Commits 1 Branch 0 Tags
ae1344c57ea26c9ab85806f082b0fb9b3c7a002e
Commit Graph

10 Commits

Author SHA1 Message Date
reachableceo
ae1344c57e fix: resolve remaining CRITICAL/HIGH/MEDIUM findings (batch 2) 
Addresses C-01, C-03, C-04, M-03, M-06, L-01, L-05, L-07.

Changes:
- luks-kdf-configure.sh: Auto-attempt Argon2id conversion during
  installation instead of just creating a manual helper (C-01)
- run.sh: Replace --privileged with fine-grained capabilities
  (SYS_ADMIN, MKNOD, NET_ADMIN, SYS_CHROOT, SETFCAP) (C-03)
- run.sh: Restrict SB key directory to mode 700 and key files
  to mode 600 (C-04)
- security-hardening.sh: Add PAM enforcement via common-password
  with enforce_for_root (M-03)
- security-hardening.sh: Initialize AIDE database and create daily
  cron job for integrity checks (M-06)
- sudo-hardening.sh: Use atomic install -m 600 instead of touch+chmod
  to avoid race condition (L-07)
- preseed.cfg: Disable direct root login (L-01)
- run.sh: Comment explaining KNEL_BUILD_MODE cannot be env-spoofed
  since it's set from command argument (L-05)

All tests pass. Zero shellcheck warnings.
STATUS.md updated with 22/28 findings resolved.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
 2026-05-08 12:19:04 -05:00
reachableceo
2b422cf62c fix: resolve 15 CRITICAL/HIGH/MEDIUM audit findings from DeepReport 
Addresses findings C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08,
M-01, M-02, M-05, M-07, M-08, M-12, plus encryption script fixes.

Changes:
- run.sh: Enforce host FDE check (C-02), make sbverify fatal (H-07),
  add module.sig_enforce to Docker-embedded UKI (H-08)
- usb-automount.sh: Add noexec,nosuid,nodev mount options (C-05),
  restrict dmask/fmask, add input validation, add audit logging (M-08)
- security-hardening.sh (live): Set StrictHostKeyChecking yes (H-01),
  remove sshd_config generation (H-02), expand WiFi blacklist (M-12)
- firewall-setup.sh (live): Remove inbound ICMP echo, narrow WG port
  range to 51820 only (M-05)
- firewall-setup.sh (src): Add ct state established,related (H-03)
- security-hardening.sh (src): Fix apply_security_hardening to call
  configure_ssh_client and configure_fim with separate output paths (M-01)
- install-scripts.sh: Remove football from sudo group (M-02)
- mount-hardening.sh: Ensure /tmp,/var/tmp,/dev/shm always hardened
  even without existing fstab entries (M-07)
- encryption-setup.sh: Fix cryptsetup stdin syntax (H-05), add dynamic
  LUKS device discovery (H-06), fix recovery key generation (M-04),
  fix crypttab sed pattern
- qr-code-import.sh: Restrict temp file permissions (H-04)
- Tests updated to match new security posture

All 786+ tests pass. Zero shellcheck warnings.

Reference: DeepReport-2026-05-08.md findings C-02, C-05, H-01 through
H-08, M-01, M-02, M-05, M-07, M-08, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
 2026-05-08 12:08:54 -05:00
reachableceo
9459c84fbc fix: resolve all audit findings in hooks, config, and package list 
Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
 2026-05-07 08:41:52 -05:00
reachableceo
62d20604a6 fix: resolve critical build bugs and add missing PRD requirements 
Critical fixes:
- Fix security-hardening.sh live hook: removed broken source from
  /build/src/ which doesn't exist during live-build; made hook
  self-contained by inlining all config generation
- Fix firewall-setup.sh live hook: removed broken source from
  /build/src/; hook already had inline nftables config
- Fix install-scripts.sh: replaced /workspace/src/ references with
  embedded inline scripts (installed system has no /workspace)
- Fix UKI cmdline in standalone uki_build(): added
  lockdown=confidentiality and module.sig_enforce=1 to match the
  inline Secure Boot hook
- Fix WiFi blacklist: expanded from 6 entries to 19, now covers all
  PRD FR-005 driver families (rtl*, iwl*, ath*, brcm*, mwifi*, rt2*)

Missing PRD requirements added:
- kernel-hardening.sh (FR-007): sysctl parameters for ASLR, ptrace
  restriction, kptr_restrict, dmesg_restrict, kexec disabled, SUID
  dumpable disabled, hardlink/symlink protection, network hardening
- service-hardening.sh (FR-007): disables and masks avahi-daemon,
  cups, bluetooth, NetworkManager, ModemManager, whoopsie, apport
- sudo-hardening.sh (FR-007): requiretty, logging (input/output),
  timestamp timeout, env_reset, restricted football user commands
- mount-hardening.sh (FR-007): nodev/nosuid/noexec on /tmp,
  nodev/nosuid on /home, /dev/shm hardening

Test improvements:
- Rewrote security-hardening_comprehensive_test.bats: tests now
  source scripts, call functions, and verify generated output files
- Rewrote firewall-setup_comprehensive_test.bats: tests now create
  WireGuard configs, call parse_wg_endpoint, verify nftables output
- Added new-hooks_test.bats: 42 tests for kernel hardening, service
  hardening, sudo hardening, mount hardening, self-containment
  verification, and WiFi blacklist completeness
- Total: 788 tests passing, 0 failures, 0 shellcheck warnings

Reference: docs/PRD.md FR-005, FR-007, security-model.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
 2026-05-01 09:50:15 -05:00
Charles N Wyble
589c14833d fix: standardize username to 'football' in all hooks (FINDING-008) 
The preseed.cfg creates user 'football' but hooks referenced 'kneluser'.
This inconsistency would cause runtime failures during installation.

Changes:
- config/hooks/installed/encryption-validation.sh: s/kneluser/football/g
- config/hooks/live/usb-automount.sh: s/kneluser/football/g
- config/hooks/installed/install-scripts.sh: s/kneluser/football/g
- tests/unit/encryption-validation_test.bats: Add 5 tests for username consistency

Fixes: FINDING-008 (User account inconsistency)
Reference: PRD.md user account requirements

💘 Generated with Crush

Assisted-by: Claude via Crush <crush@charm.land>
 2026-02-20 10:49:47 -05:00
Charles N Wyble
bed3b07b81 fix: correct security-hardening.sh hook function calls 
- Fix function name: configure_ssh → configure_ssh_client (matches src/)
- Add missing configure_fim call for AIDE File Integrity Monitoring

These functions exist in src/security-hardening.sh but the hook was
calling the wrong name or missing the FIM call entirely.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-02-19 09:11:43 -05:00
Charles N Wyble
0b9ede5f84 fix: resolve all shellcheck warnings and security issues 
- fix(shellcheck): SC2016 in encryption-setup.sh - remove non-expanding $(blkid...)
- fix(shellcheck): SC1091 in firewall-setup.sh and security-hardening.sh - add disable directives
- security: SSH PasswordAuthentication yes -> no (PRD FR-006 violation)
- fix: date expansion in encryption-validation.sh heredoc
- docs: create SDLC.md with TDD workflow and security requirements
- docs: update AGENTS.md to reference SDLC.md
- chore: update STATUS.md with build completion
- chore: minor build-iso.sh output formatting

All 78 tests pass (63 run, 15 skip for libvirt).
Zero shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
 2026-02-17 11:34:11 -05:00
Charles N Wyble
1edf8665e9 refactor: Update live hooks for Docker compliance 
- Update firewall-setup.sh with proper volume path sourcing
- Update security-hardening.sh with modular function calls
- Update qr-code-import.sh with enhanced QR scanning
- Update install-scripts.sh with desktop shortcuts
- Add proper permission handling

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 15:40:21 -05:00
Charles N Wyble
70bdba52da chore: Update .gitignore for KNEL-Football project 
- Update to ignore KNEL-Football specific build artifacts
- Remove blanket config/ directory ignore
- Add build directories and temporary files
- Add ISO artifacts and checksum patterns
- Add security exclusions for keys and secrets

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 15:40:08 -05:00
Charles N Wyble
6cd53bc7ba feat: Add live-build hooks 
- Add security-hardening.sh for system hardening
- Add firewall-setup.sh for nftables configuration
- Add qr-code-import.sh for WireGuard QR scanning
- Add disable-package-management.sh to secure package tools
- Add install-scripts.sh to install source utilities

These hooks implement core security and functionality requirements.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
 2026-01-21 10:25:16 -05:00