# KNEL-Football Compliance Matrix

## Overview

This document maps security compliance requirements to implementation components in the KNEL-Football secure Debian 13 ISO build system.

**Copyright © 2026 Known Element Enterprises LLC**

**License: GNU Affero General Public License v3.0 only**

## Compliance Frameworks

- **CMMC Level 3** - Entry point to tier0 infrastructure supporting ITAR/SECRET systems
- **FedRAMP LI-SaaS** - For RackRental.net federal government product
- **DISA STIG** - Debian STIG requirements (adapted from Debian 11 to Debian 13)
- **CIS Benchmarks** - Center for Internet Security Debian Linux Benchmark

## Security Controls Mapping

### Network Security

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|---------|-------------|----------------|-------------|--------|
| WiFi Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | `config/hooks/live/security-hardening.sh` | ✅ |
| Bluetooth Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | `config/hooks/live/security-hardening.sh` | ✅ |
| Default Deny Firewall | RHEL-08-040020 | 4.4 | nftables with deny all policy | `config/hooks/live/firewall-setup.sh` | ✅ |
| WireGuard-Only Network Access | N/A (custom) | 4.4 | Dynamic firewall rules | `src/firewall-setup.sh` | ✅ |

### System Hardening

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|---------|-------------|----------------|-------------|--------|
| SSH Client-Only | RHEL-08-010000 | 5.2 | Client config, no server | `src/security-hardening.sh` | ✅ |
| Password Policy | RHEL-08-020200 | 5.1 | pwquality.conf with 14-char minimum | `src/security-hardening.sh` | ✅ |
| System Resource Limits | RHEL-08-040123 | 5.3 | limits.d/security.conf | `src/security-hardening.sh` | ✅ |
| File Permissions | RHEL-08-040040 | 3.3 | Secure file permissions | `src/security-hardening.sh` | ✅ |

### Logging and Monitoring

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|---------|-------------|----------------|-------------|--------|
| Audit Daemon | RHEL-08-030160 | 6.2 | auditd configuration | `config/hooks/live/security-hardening.sh` | ✅ |
| System Logging | RHEL-08-030590 | 6.1 | rsyslog configuration | `package-lists/knel-football.list.chroot` | ✅ |
| Audit Rules | RHEL-08-030652 | 6.2 | Custom audit rules | `src/security-hardening.sh` | ✅ |

### Package Management

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|---------|-------------|----------------|-------------|--------|
| Disable Package Management | N/A (custom) | 2.1 | chmod + chattr on package tools | `config/hooks/installed/disable-package-management.sh` | ✅ |
| Clean Package Metadata | N/A (custom) | 2.1 | Remove /var/lib/apt /var/lib/dpkg | `config/hooks/installed/disable-package-management.sh` | ✅ |

### Access Control

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|---------|-------------|----------------|-------------|--------|
| Sudo Group Configuration | RHEL-08-010300 | 5.4 | User added to sudo group | `config/hooks/installed/install-scripts.sh` | ✅ |
| Hide Usernames in Display Manager | N/A (custom) | 5.7 | LightDM privacy configuration | `config/hooks/live/desktop-environment.sh` | ✅ |
| No Auto-Login | RHEL-08-020010 | 5.7 | LightDM manual login only | `config/hooks/live/desktop-environment.sh` | ✅ |

### Boot Security

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|---------|-------------|----------------|-------------|--------|
| UEFI Boot Only | RHEL-08-010240 | 4.1 | ISO build configuration | `config/config` | ✅ |
| Secure Boot Support | RHEL-08-010240 | 4.1 | grub-efi-amd64-bin | `Dockerfile` | ✅ |

## Compliance Validation Tests

### Automated Tests

| Test Type | Test File | Validation Target | Coverage |
|-----------|-----------|-------------------|----------|
| Unit Tests | `tests/unit/firewall_test.bats` | Firewall configuration parsing | 🔧 |
| Unit Tests | `tests/unit/security_test.bats` | Security hardening functions | 🔧 |
| Unit Tests | `tests/unit/build_test.bats` | Build process functions | 🔧 |
| Integration Tests | `tests/integration/config_test.bats` | Configuration file validation | 🌐 |
| Security Tests | `tests/security/compliance_test.bats` | Compliance verification | 🔒 |

### In-ISO Validation

The built ISO includes test capabilities for post-installation validation:

```bash
# Run compliance validation on installed system
/usr/local/bin/knel-compliance-check.sh
```

## Compliance Evidence

### Documentation

- **COMPLIANCE.md** - This compliance matrix
- **security-model.md** - Detailed security architecture
- **architecture.md** - System design and threat model

### Build Artifacts

- **Configuration Files** - All security configurations in version control
- **Hook Scripts** - Automated application of security controls
- **Test Suite** - Automated validation of compliance requirements
- **ISO Image** - Fully compliant, hardened operating system

### Verification Process

1. **Pre-Build Validation** - Tests run before ISO creation
2. **Build-Time Validation** - Hooks verify configuration application
3. **Post-Install Validation** - Compliance testing in live environment
4. **Security Audit** - Regular security reviews and penetration testing

## Security Controls Summary

### Network Controls

- ✅ WiFi and Bluetooth permanently disabled via kernel module blacklisting
- ✅ Default deny firewall policy with nftables
- ✅ WireGuard-only network access with dynamic configuration
- ✅ USB automount support for secure configuration transfer
- ✅ Minimal desktop with IceWM and privacy-focused LightDM
- ✅ SSH client-only (no server, no inbound access)
- ✅ Strong password policy (14 characters minimum)
- ✅ Comprehensive audit logging with auditd
- ✅ Package management disabled for immutable system

### Access Controls

- ✅ No auto-login, usernames hidden in display manager
- ✅ Sudo group configuration for administrative access
- ✅ System resource limits and security constraints
- ✅ File permissions hardened according to CIS benchmarks

## Compliance Status

| Framework | Status | Notes |
|-----------|--------|-------|
| CMMC Level 3 | ✅ Compliant | All required controls implemented |
| FedRAMP LI-SaaS | ✅ Compliant | Baseline security controls in place |
| DISA STIG | ✅ Compliant | Debian 13 STIG adaptation |
| CIS Benchmarks | ✅ Compliant | Industry best practices implemented |

---

**Copyright © 2026 Known Element Enterprises LLC**

**License: GNU Affero General Public License v3.0 only**

This compliance matrix is maintained as part of the KNEL-Football project and is updated whenever security requirements change or new controls are implemented.
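## Appendix: Example Post-Install Compliance Checks

The In-ISO Validation section above refers to `/usr/local/bin/knel-compliance-check.sh` without showing what such a check looks like. The script below is an added example, not the project's own checker: it verifies four of the controls in the matrix (kernel module blacklisting, nftables default-deny chains, the 14-character pwquality minimum, and SSH client-only) from files passed as arguments, so the same functions can run against the live system (`/etc/modprobe.d/*.conf`, a saved `nft list ruleset` dump, `/etc/security/pwquality.conf`, sysroot `/`) or against the constructed sample files it writes for itself. The file names, sample contents and check names are assumptions. Note that the module check is deliberately stricter than a plain `blacklist` line: it also requires an `install <module> /bin/false` override, because a blacklist entry only stops alias-based autoloading.

```shell
#!/bin/sh
# Added example (not the KNEL-Football project's knel-compliance-check.sh):
# file-driven checks for four controls in the compliance matrix. Every check
# takes a path argument so it can read the live system or the constructed
# sample files below. File names and sample contents are assumptions.

# Constructed sample inputs so the script runs offline; removed on exit.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/blacklist.conf" <<'EOF'
# sample modprobe drop-in: wireless and bluetooth stacks disabled
blacklist cfg80211
install cfg80211 /bin/false
blacklist bluetooth
install bluetooth /bin/false
EOF
cat > "$SAMPLE_DIR/ruleset.nft" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "wg0" accept
    }
}
EOF
cat > "$SAMPLE_DIR/pwquality.conf" <<'EOF'
# sample pwquality.conf
minlen = 14
dcredit = -1
EOF

# Pass only when the module is blacklisted AND has an "install <mod> /bin/false"
# (or /bin/true) override: a bare blacklist line only stops alias autoloading,
# an explicit modprobe would still load the module.
check_module_disabled() {
    conf="$1"; module="$2"
    grep -Eq "^[[:space:]]*blacklist[[:space:]]+$module([[:space:]]|\$)" "$conf" || return 1
    grep -Eq "^[[:space:]]*install[[:space:]]+$module[[:space:]]+/bin/(false|true)" "$conf"
}

# Pass when the named chain in an `nft list ruleset` dump declares "policy drop".
check_chain_policy_drop() {
    ruleset="$1"; chain="$2"
    awk -v want="$chain" '
        $1 == "chain" && $2 == want { inchain = 1; next }
        inchain && /^[[:space:]]*}/   { inchain = 0 }
        inchain && /policy drop;/     { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$ruleset"
}

# Pass when the last minlen setting in pwquality.conf meets the required length.
check_minlen() {
    conf="$1"; required="$2"
    minlen="$(sed -n 's/^[[:space:]]*minlen[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)"
    [ -n "$minlen" ] && [ "$minlen" -ge "$required" ]
}

# Pass when neither the sshd binary nor its systemd unit exists under the sysroot.
check_no_sshd() {
    sysroot="$1"
    [ ! -e "$sysroot/usr/sbin/sshd" ] && [ ! -e "$sysroot/lib/systemd/system/ssh.service" ]
}

# report <label> <check> <args...>: print PASS/FAIL and count failures.
report() {
    label="$1"; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# run_checks <blacklist.conf> <ruleset dump> <pwquality.conf> <sysroot>
# Returns the number of failed checks (0 = all listed controls verified).
run_checks() {
    blk="$1"; nft="$2"; pwq="$3"; root="$4"; fails=0
    for m in cfg80211 bluetooth; do report "kernel module $m disabled" check_module_disabled "$blk" "$m"; done
    for c in input forward output; do report "nftables chain $c policy drop" check_chain_policy_drop "$nft" "$c"; done
    report "password minlen >= 14" check_minlen "$pwq" 14
    report "no SSH server installed" check_no_sshd "$root"
    return "$fails"
}

run_checks "$SAMPLE_DIR/blacklist.conf" "$SAMPLE_DIR/ruleset.nft" "$SAMPLE_DIR/pwquality.conf" "$SAMPLE_DIR"
echo "failed checks: $?"
```

On a real installation, capture the live ruleset first (`nft list ruleset > /tmp/ruleset.nft`) and call `run_checks` with the actual drop-in under `/etc/modprobe.d/`, that dump, `/etc/security/pwquality.conf` and `/` as the sysroot; the non-zero return value on failure makes the script usable as a gate in the post-install validation step.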