# KNEL-Football Secure OS - Agent Behavior Guidelines

## ⚡ CURRENT STATUS (2026-01-24 19:00 CST)

### Build Running in Background

- **Status**: Active build (3rd attempt, minimal configuration)
- **Current Stage**: lb binary_chroot (creating binary filesystem for ISO)
- **Started**: 2026-01-24 18:04 CST
- **Expected Completion**: 19:00-19:15 CST (~15 min remaining)
- **Build Log**: `/tmp/knel-iso-build.log`
- **Output Directory**: `output/` (ISO will appear here when complete)

### First Actions When Starting

1. **Check if ISO is ready**: `ls -lh output/`
2. **If ISO ready**: Verify with `sha256sum -c output/*.sha256`
3. **If ISO not ready**: Monitor build with `tail -f /tmp/knel-iso-build.log`

### ⚠️ READ THIS FIRST: RESUME.md

**Current Status and Resumption Guide**: See `RESUME.md` for complete details on:

- Build status and current stage
- Working configuration (Attempt 7, minimal flags)
- Issues encountered and solutions (7 build attempts)
- Commands to monitor or restart build
- Expected output files
- Next steps after build completes

**RESUME.md is your STARTING POINT** when returning to this project.

### Quick Reference

```bash
# Check ISO status
cd /home/tsys/Projects/KNEL/football
ls -lh output/

# Monitor build if needed
tail -f /tmp/knel-iso-build.log

# Read full resumption guide
cat RESUME.md
```

---

## MANDATORY SECURITY REQUIREMENTS

### Full Disk Encryption (FDE) - MANDATORY

- **ALL systems MUST use full disk encryption with LUKS2**
- **Cipher**: AES-256-XTS (512-bit key)
- **Format**: LUKS2 with Argon2id KDF
- **Boot**: Passphrase required at every system boot
- **Security**: No backdoors, no recovery without passphrase
- **Compliance**: NIST SP 800-111, NIST SP 800-53 SC-13

### Password Complexity - MANDATORY

- **Minimum Length**: 14 characters (20+ strongly recommended)
- **Character Classes**: Minimum 3 of 4 required
  - Uppercase letters (A-Z) - Minimum 1 required
  - Lowercase letters (a-z) - Minimum 1 required
  - Digits (0-9) - Minimum 1 required
  - Special characters (!@#$%^&*) - Minimum 1 required
- **Additional Requirements**:
  - No common words (password, secret, admin, root, etc.)
  - No sequential characters (123, abc, qwerty)
  - No repeated characters (max 2 consecutive)
  - At least 4 characters different from previous password
- **Enforcement**: PAM pwquality module, enforced for ALL users
- **Compliance**: NIST SP 800-63B, CIS Benchmarks

---

## CRITICAL REQUIREMENTS

### DOCKER CONTAINER USAGE

- ALL operations MUST be performed inside Docker containers
- ONLY use Docker volumes for file operations
- NEVER create directories in user home directory (/home)
- NEVER modify host system files directly
- ONLY final artifacts may be copied to host system

### WORKSPACE MANAGEMENT

- Use /workspace (Docker volume) for all build operations
- Use /tmp for temporary files
- Use /build for intermediate build files
- ONLY final ISO and checksum files may be copied out of container

### PROHIBITED ACTIONS

- ❌ Creating directories in /home
- ❌ Modifying host system files
- ❌ Installing packages on host system
- ❌ Writing files outside Docker volumes
- ❌ Modifying user home directory structure

### REQUIRED WORKFLOW

1. Start Docker container with volumes
2. Perform ALL work inside container
3. Use only mounted volumes for file I/O
4. Copy ONLY final artifacts to host system
5. Clean up container after completion

### DOCKER VOLUME STRUCTURE

```
/workspace/          # All build operations
/build/              # Intermediate files
/tmp/                # Temporary files
/output/             # Final artifacts only
```

### EXCEPTIONS

Only these files may be copied to host system:

- `*.iso` (final ISO files)
- `*.sha256` (checksum files)
- `*.md5` (checksum files)
- `BUILD-REPORT.txt` (build documentation)

## VIOLATIONS

Any violation of these requirements is CRITICAL and must be immediately corrected.
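
One way to audit a volume against the Full Disk Encryption requirements above (LUKS2, AES-XTS, 512-bit key, Argon2id), as an added example rather than one of the project's own scripts. The function names and the sample dump are constructed for illustration, and the field layout assumes the text output of `cryptsetup luksDump` for a LUKS2 header.

```bash
#!/usr/bin/env bash
# Added example: audit `cryptsetup luksDump` text (stdin) against the FDE
# requirements above. Prints one line per failed check; returns the count.
# Usage on a real device (needs root): cryptsetup luksDump /dev/sdX | check_luks_dump
check_luks_dump() {
    _dump="$(cat)"; _fail=0
    _has() { printf '%s\n' "$_dump" | grep -Eq "$1"; }

    # Header must be LUKS2.
    _has '^Version:[[:space:]]+2[[:space:]]*$' \
        || { echo "FAIL: header is not LUKS2"; _fail=$((_fail + 1)); }

    # Data segment must be AES in XTS mode.
    _has '^[[:space:]]+cipher:[[:space:]]+aes-xts-' \
        || { echo "FAIL: data cipher is not aes-xts"; _fail=$((_fail + 1)); }

    # Keyslots must exist and every one must protect a 512-bit volume key.
    if ! _has '^[[:space:]]+Key:' || printf '%s\n' "$_dump" \
        | grep -E '^[[:space:]]+Key:' | grep -Evq '[[:space:]]512 bits[[:space:]]*$'; then
        echo "FAIL: keyslot key is not 512 bits"; _fail=$((_fail + 1))
    fi

    # Every keyslot must use Argon2id: a single pbkdf2 or argon2i slot is
    # enough to weaken passphrase-guessing resistance for the whole volume.
    if ! _has '^[[:space:]]+PBKDF:' || printf '%s\n' "$_dump" \
        | grep -E '^[[:space:]]+PBKDF:' | grep -Evq '[[:space:]]argon2id[[:space:]]*$'; then
        echo "FAIL: a keyslot does not use argon2id"; _fail=$((_fail + 1))
    fi
    return "$_fail"
}

# Constructed luksDump excerpt (not from a real device); $1 = keyslot PBKDF.
sample_dump() {
    cat <<EOF
LUKS header information
Version:        2
Data segments:
  0: crypt
        cipher: aes-xts-plain64
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      $1
Digests:
  0: pbkdf2
EOF
}
```

The `pbkdf2` entry under `Digests:` is the volume-key digest and is not a keyslot KDF, which is why the check matches only the `PBKDF:` field inside keyslots.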