# KNEL-Football

License: AGPLv3 | Debian 13 | Build: Docker | Security: Strict

## Overview

KNEL-Football is a highly secure, compliance-oriented Debian 13 (Trixie) installation ISO built with a strict Docker-based workflow and a Test-Driven Development methodology. The resulting ISO provides a minimal, hardened system with restricted networking, designed for tier0 infrastructure access.

## Features

### Security Hardening

- ✅ CMMC Level 3 compliant
- ✅ FedRAMP LI-SaaS ready
- ✅ DISA STIG and CIS Benchmark implementation
- ✅ WiFi and Bluetooth permanently disabled (kernel module blacklist)
- ✅ Package management tools disabled with immutable permissions
- ✅ Secure Boot with measured boot (UEFI only)

### Network Restrictions

- ✅ WireGuard-only network access
- ✅ Dynamic firewall configuration (nftables)
- ✅ No general internet connectivity
- ✅ QR code import for configuration

### Minimal Desktop

- ✅ IceWM window manager (minimal)
- ✅ LightDM display manager (privacy mode)
- ✅ Required applications: Remmina, WireGuard, Mousepad, PCManFM
- ✅ USB automount support

## Quick Start

### Prerequisites

- Docker
- Git
- Libvirt (virt-install, virsh)

### Build

```bash
# Clone the repository
git clone https://git.knownelement.com/KNEL/football.git
cd football

# Build the ISO
./src/run.sh build
```

### Test

```bash
# Run all tests
./src/run.sh test

# Run linting checks
./src/run.sh lint
```

### Clean

```bash
# Clean build artifacts
./src/run.sh clean
```

## Project Structure

```
knel-football/
├── README.md                 # This file
├── LICENSE                   # AGPLv3 license
├── AGENTS.md                 # AI agent documentation
├── football-spec.md          # Technical specification
├── run.sh                    # Host wrapper script
├── ./config/Dockerfile       # Build/test container
├── .gitignore                # Git ignore rules
├── config/                   # live-build configuration
│   ├── preseed.cfg           # Installation automation
│   ├── package-lists/        # Software packages
│   ├── hooks/                # Build hooks
│   │   ├── live/             # Live system hooks
│   │   └── installed/        # Post-installation hooks
│   └── includes/             # File inclusions
├── src/                      # Build scripts
│   ├── build-iso.sh          # Main ISO build
│   ├── security-hardening.sh # Security configurations
│   ├── firewall-setup.sh     # Dynamic firewall
│   └── compliance-check.sh   # Validation
├── tests/                    # Test suite
│   ├── unit/                 # Unit tests
│   ├── integration/          # Integration tests
│   ├── security/             # Security tests
│   └── fixtures/             # Test data
├── docs/                     # Documentation
│   ├── architecture.md       # System architecture
│   ├── security-model.md     # Security model
│   └── user-guide.md         # User documentation
└── output/                   # Generated ISO files
```

## Security Features

### Kernel Module Blacklisting

- WiFi modules: cfg80211, mac80211, brcmfmac, iwlwifi, ath9k, rt73usb
- Bluetooth modules: btusb, bluetooth, btrtl, btintel, btbcm

### Firewall Configuration

- Default deny policy
- Dynamic WireGuard endpoint parsing
- UDP traffic only to the WireGuard server
- nftables implementation

### Package Management Security

- Execute permissions removed
- Immutable with `chattr +i`
- APT/DPKG metadata cleared
- No package updates possible

### Boot Security

- UEFI-only boot mode
- Secure Boot enabled
- Measured boot implementation
- Custom keys included

## Compliance

- **CMMC Level 3** - Entry point to tier0 infrastructure
- **FedRAMP LI-SaaS** - Ready for federal government deployment
- **DISA STIG** - Adapted Debian 11 STIG for Debian 13
- **CIS Benchmarks** - Industry best practices for Debian Linux

## User Workflow

### Installation

1. Boot from the ISO
2. Complete manual partitioning
3. Set the root password
4. Create a non-root user (auto-added to sudo)

### Configuration

1. Mount a USB drive containing the WireGuard config
2. Use the desktop shortcuts to import/apply the configuration
3. QR code scanning is available for mobile configuration

### Remote Access

1. Remmina for RDP connections
2. WireGuard tunnel for all network traffic
3. No direct internet access possible

## Development

### Test-Driven Development

- Tests written before implementation
- 100% code coverage mandatory
- BATS framework for testing
- Shellcheck for linting

### Build Environment

- Docker-based container
- No build tools on the host
- All dependencies in the container
- Proper file permissions

## Contributing

This project is developed under the GNU Affero General Public License v3.0. Contributions must follow the same license and include proper attribution.

## License

Copyright © 2026 Known Element Enterprises LLC

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.

## Contact

**Known Element Enterprises LLC**

- Website: https://knownelement.com
- Repository: https://git.knownelement.com/KNEL/football

---
Security through Compliance. Compliance through Process.
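The following POSIX shell sketch is an added example, not the project's own `firewall-setup.sh`: it shows the approach the Firewall Configuration section describes, parsing the `Endpoint` of a WireGuard client config and emitting a default-deny nftables ruleset that permits only UDP to that endpoint plus traffic through the tunnel interface. The sample config, the table name `football` and the interface name `wg0` are assumptions.

```shell
#!/bin/sh
# Added example, not the project's firewall-setup.sh: turn the Endpoint of a
# WireGuard client config into a default-deny nftables ruleset.
# Constructed sample config; the interface name wg0 is an assumption.
WG_SAMPLE='[Peer]
PublicKey = REDACTED
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0'

# wg_endpoint CONFIG_TEXT -> prints "host port" from the first Endpoint line,
# accepting IPv6 literals written as [addr]:port.
wg_endpoint() {
    ep=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$ep" ] || return 1
    port=${ep##*:}
    host=${ep%:*}
    host=${host#\[}; host=${host%\]}
    case $port in ''|*[!0-9]*) return 1 ;; esac   # port must be numeric
    printf '%s %s\n' "$host" "$port"
}

# generate_ruleset HOST PORT [IFACE] -> nftables text: drop by default on
# input and output, allow loopback, replies, the tunnel, and one UDP hole.
generate_ruleset() {
    host=$1; port=$2; iface=${3:-wg0}
    case $host in
        *:*) fam=ip6 ;;
        *[!0-9.]*) echo "Endpoint must be an IP literal, not a hostname" >&2; return 1 ;;
        *) fam=ip ;;
    esac
    cat <<EOF
table inet football {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        oifname "$iface" accept
        $fam daddr $host udp dport $port accept
    }
}
EOF
}
```

The generator deliberately rejects hostnames: resolving the endpoint would itself need an outbound DNS hole, so resolve it before generating and review the output before loading it with `nft -f`.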