46dabde629
fix: resolve final PRD alignment issues, update docs
PRD Alignment Fixes:
- disable-package-management.sh: Keep dpkg-query executable for audit
  tools (was disabled despite comments claiming it was preserved)
- run.sh: Replace silent FDE skip with explicit warning message
  (PRD FR-011 says mandatory but host has no LUKS)
- run.sh: Fix checksum generation to use post-rename filename
  (was referencing live-image-amd64.hybrid.iso instead of
  knel-football-secure.iso)
Documentation Updates:
- STATUS.md: Add FR-012 to alignment matrix (was missing)
- STATUS.md: Fix stale requiretty reference (was removed)
- STATUS.md: Update PRD coverage to 12/12
- JOURNAL.md: Replace audit entry with comprehensive fix entry
💘 Generated with Crush
Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 09:13:29 -05:00
reachableceo
9459c84fbc
fix: resolve all audit findings in hooks, config, and package list
Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries
Reference: Full audit findings from Session 7 JOURNAL.md
💘 Generated with Crush
Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 08:41:52 -05:00
6f038c3888
refactor: Update installed hooks and package lists
- Update disable-package-management.sh with immutable permissions
- Update install-scripts.sh with proper path handling
- Add knel-football.list.chroot package list
- Add desktop shortcuts for VPN configuration
- Add USB automount support
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 15:40:27 -05:00
6cd53bc7ba
feat: Add live-build hooks
- Add security-hardening.sh for system hardening
- Add firewall-setup.sh for nftables configuration
- Add qr-code-import.sh for WireGuard QR scanning
- Add disable-package-management.sh to secure package tools
- Add install-scripts.sh to install source utilities
These hooks implement core security and functionality requirements.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 10:25:16 -05:00