KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
203 Commits 1 Branch 0 Tags
efb69887191b3f573f091ae86b34a660a99916f1
Commit Graph

6 Commits

Author SHA1 Message Date
reachableceo
efb6988719 fix: remove host FDE requirement, fix remaining audit partials 
Host FDE is no longer required — only guest (ISO) FDE matters per owner
direction. The build host's security posture is the owner's responsibility.
The Docker container already isolates the build process.

Changes:
- run.sh: Removed check_host_fde() function and its call in iso build path
- run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete)
- run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09)
- docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI
- docs/COMPLIANCE.md: Replaced fraudulent  summary with honest aspirational
- config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06)
- src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12)
- tests/: Updated 3 test files for guest encryption instead of host FDE
- AGENTS.md, README.md, audit docs: Removed host FDE references
- STATUS.md: Updated for current state
- JOURNAL.md: Added ADR-017 (host FDE not required)

782 tests pass, 0 fail, 0 shellcheck warnings.

Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
 2026-05-08 14:28:04 -05:00
reachableceo
9459c84fbc fix: resolve all audit findings in hooks, config, and package list 
Security/Functional Fixes:
- firewall-setup.sh: Added WireGuard allow, established/related, DHCP
  (was blocking ALL outbound including VPN - system was non-functional)
- disable-package-management.sh: Preserve /var/lib/dpkg/ for queries
  (was destroying dpkg database with rm -rf)
- encryption-validation.sh: Fixed inverted motd conditional
  (was creating file only if it already existed - backwards)
- kernel-hardening.sh: Removed kernel.exec-shield (Red Hat only)
  Changed user.max_user_namespaces from 0 to 100
- sudo-hardening.sh: Removed Defaults requiretty
  (was breaking GUI-launched sudo via pkexec)
- encryption-setup.sh: Fixed conflicting stdin in luksAddKey
- install-scripts.sh: Fixed embedded firewall (same WireGuard bug)
  Replaced gutted security-hardening stub with real status checker
- GRUB config: Fixed serial_console → serial (invalid terminal name)
- Package list: Removed audispd-plugins (deprecated in Debian 13),
  removed duplicate wireguard/wireguard-tools entries

Reference: Full audit findings from Session 7 JOURNAL.md

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
 2026-05-07 08:41:52 -05:00
reachableceo
7545a164e5 fix: resolve all shellcheck warnings in source scripts and hooks 
This commit addresses every shellcheck warning (severity: warning and
above) across the project's shell scripts. Only SC1091 info-level
notices remain (sourced files not available during static analysis),
which is expected and unavoidable in the Docker build workflow.

Changes by file:

src/build-iso.sh
- Replace Unicode checkmark/cross characters (✓, ✗) with ASCII
  equivalents (PASS:, FAIL:) to eliminate commitBuffer encoding errors
- Replace useless `cat | cut` pipeline with direct file redirect
  (`cut -d' ' -f1 < file`), resolving SC2002

src/security-hardening.sh
- Pass optional arguments through the function call chain in
  apply_security_hardening() to resolve SC2119/SC2120 (functions
  reference $1 but are called without arguments)

src/firewall-setup.sh
- Pass optional arguments through apply_firewall() in main() to
  resolve SC2119/SC2120

config/hooks/installed/encryption-setup.sh
- Consolidate four individual `echo >> file` redirects into a single
  `{ cmd1; cmd2; } >> file` block, resolving SC2129
- Add shellcheck disable directive for intentional SC2016 in sed
  command (single quotes are required by sed, not a mistake)

config/hooks/installed/encryption-validation.sh
- Replace remaining Unicode checkmark characters with ASCII

Verification:
  shellcheck --severity=warning src/*.sh config/hooks/**/*.sh
  => zero warnings, zero errors

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-04-27 13:09:39 -05:00
Charles N Wyble
589c14833d fix: standardize username to 'football' in all hooks (FINDING-008) 
The preseed.cfg creates user 'football' but hooks referenced 'kneluser'.
This inconsistency would cause runtime failures during installation.

Changes:
- config/hooks/installed/encryption-validation.sh: s/kneluser/football/g
- config/hooks/live/usb-automount.sh: s/kneluser/football/g
- config/hooks/installed/install-scripts.sh: s/kneluser/football/g
- tests/unit/encryption-validation_test.bats: Add 5 tests for username consistency

Fixes: FINDING-008 (User account inconsistency)
Reference: PRD.md user account requirements

💘 Generated with Crush

Assisted-by: Claude via Crush <crush@charm.land>
 2026-02-20 10:49:47 -05:00
Charles N Wyble
0b9ede5f84 fix: resolve all shellcheck warnings and security issues 
- fix(shellcheck): SC2016 in encryption-setup.sh - remove non-expanding $(blkid...)
- fix(shellcheck): SC1091 in firewall-setup.sh and security-hardening.sh - add disable directives
- security: SSH PasswordAuthentication yes -> no (PRD FR-006 violation)
- fix: date expansion in encryption-validation.sh heredoc
- docs: create SDLC.md with TDD workflow and security requirements
- docs: update AGENTS.md to reference SDLC.md
- chore: update STATUS.md with build completion
- chore: minor build-iso.sh output formatting

All 78 tests pass (63 run, 15 skip for libvirt).
Zero shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
 2026-02-17 11:34:11 -05:00
ReachableCEO
2ab8040bdf feat: add encryption validation and user notification hook 
Validate LUKS2 encryption configuration, create user-facing reminder files, MOTD messages, and first-boot check script to ensure encryption requirements are met and users are informed.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
 2026-01-29 10:00:05 -05:00