# KNEL-Football Pre-Flight Discussion - Round 2

## Follow-up Questions Based on Your Feedback:

### 1. Compliance Framework Clarification

- **Your Feedback**: Entry point to tier0 infrastructure supporting ITAR/SECRET systems, CMMC Level 2/3 downstream, LI-SaaS for RackRental.net
- **Questions**:
  - Should we target CMMC Level 3 for this system since it supports Level 2/3 downstream? Yes
  - For STIG vs CIS: DISA STIGs are military requirements, CIS Benchmarks are industry best practices. Given your use case (tier0, ITAR/SECRET), I recommend DISA STIGs. Do you agree?
  - Should we implement the "Debian 13 STIG" or the more comprehensive "General Operating System STIG"? How about we do both? Start with the CIS Benchmark for Debian Linux. Then layer on the Debian STIG. It appears the last STIG was for Debian 11.

### 2. QR Code Import Implementation

- **Your Feedback**: Want QR code import capability using webcam
- **Questions**:
  - Which QR code library should we use? (qrencode for generation, zbar for scanning) Well, we don't need to generate any QR codes, do we? The system will only be a WireGuard client. It won't have any systems connecting to it.
  - Should we create a desktop shortcut for QR scanning, or integrate it into the WireGuard config management? How about a shell script to kick off the scan and update the config file?
  - What QR code format should we support? (Standard WireGuard QR format?) I believe the standard WireGuard QR format should be fine. I will test and we can tweak if it doesn't work.

### 3. Testing Strategy Clarification

- **Your Feedback**: Test suite runs on installed system, not in build environment
- **Questions**:
  - Should we include the test suite in the ISO itself for post-install validation? Include in the ISO
  - Or keep tests separate for QA/validation before deployment?
  - How should the tests be triggered on the installed system? (Desktop shortcut, command line?) Command line.

### 4. Package Management Strategy

- **Your Feedback**: Very minimal packages, re-image quarterly rather than update
- **Questions**:
  - Should we remove apt/apt-get entirely to prevent accidental updates? Yes
  - Or keep it but disable network access?
  - What's your preference for package management tools on the final system? No package management tools on the final system allowed. At the very least they should have execute permission removed and be `chattr +i`. I don't know if Debian will let you remove things like apt and dpkg as they are pretty core to the system.

### 5. Preseed Configuration Details

- **Your Feedback**: Only install target, root password, non-root user/password are manual
- **Questions**:
  - What timezone should we default to? US/Chicago
  - What keyboard layout should we default to? Standard US English keyboard.
  - Should we enforce password complexity in the preseed itself, or handle that post-install? In the preseed itself

### 6. Secure Boot Implementation

- **Your Feedback**: Must use secure boot, refuse to boot if altered
- **Questions**:
  - Should we include Secure Boot keys in the ISO or use standard Microsoft keys? Include secure boot keys in the ISO
  - Do you want UEFI-only boot, or support Legacy BIOS as well? UEFI only
  - Should we implement measured boot or just standard Secure Boot? Measured boot

### 7. Documentation Approach

- **Your Feedback**: No user guides in ISO
- **Questions**:
  - Should we create minimal inline help for the desktop shortcuts? No
  - Or assume users are trained and don't need any documentation? They are trained and don't need documentation
  - Where should we store technical documentation? (Project repo only?) Repo only

## Clarifications Received:

### ✅ Test Environment: Keep tests separate from build environment, use shellcheck/shellfmt only in build

### ✅ ISO Size: Not a concern, add to .gitignore

### ✅ Updates: Re-image quarterly, no internet updates

### ✅ Hardware: Standard Debian 13 kernel works on target hardware

### ✅ User Experience: No user guides needed

### ✅ Minimal Packages: Start minimal and iterate

## Remaining High Priority Items to Resolve:

1. **Compliance Framework**: CMMC level + STIG vs CIS decision
2. **QR Code Implementation**: Library choice and integration approach
3. **Testing Strategy**: In-ISO tests vs separate validation
4. **Package Management**: Remove or disable apt?
5. **Preseed Details**: Timezone, keyboard, password enforcement
6. **Secure Boot**: Key management and boot mode
7. **Documentation**: Minimal help vs none

---

**Status**: Awaiting your responses to the above questions

**Next Action**: Update specification based on your decisions

**Ready for Implementation**: Getting closer - need to resolve these remaining items
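
The shell-script approach raised under QR Code Import (scan, then update the config file), sketched as an added example that is not part of the original discussion or the project's code. It assumes `zbarcam` from zbar-tools; the function names, the `--scan` argument and the default path `/etc/wireguard/wg0.conf` are illustrative, and rejecting wg-quick hook directives is a hardening choice added here, not a decision recorded above.

```shell
#!/bin/sh
# Added example (not project code). Assumes zbar-tools (zbarcam) is installed.

# has_key FILE REGEX: true if FILE has a "Key = ..." line whose key matches REGEX.
has_key() { grep -Eiq "^[[:space:]]*($2)[[:space:]]*=" "$1"; }

# validate_wg_config FILE: 0 = acceptable client config, 1 = malformed,
# 2 = contains wg-quick hook directives, which run shell commands as root.
validate_wg_config() {
    grep -Eiq '^[[:space:]]*\[Interface\][[:space:]]*$' "$1" || return 1
    grep -Eiq '^[[:space:]]*\[Peer\][[:space:]]*$' "$1" || return 1
    has_key "$1" 'PrivateKey' || return 1
    has_key "$1" 'PublicKey' || return 1
    has_key "$1" 'Endpoint' || return 1
    if has_key "$1" '(Pre|Post)(Up|Down)'; then return 2; fi
    return 0
}

# import_wg_config SRC DEST: validate SRC, then replace DEST atomically
# with a root-only (0600) copy. DEST is left untouched on any failure.
import_wg_config() {
    validate_wg_config "$1" || return $?
    tmp=$(umask 077; mktemp "$2.XXXXXX") || return 3
    if cat "$1" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$2"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}

# scan_and_import DEST: read one QR code from the webcam and import it.
scan_and_import() {
    scan=$(umask 077; mktemp) || return 3
    # --raw prints only the decoded data; -1 exits after the first code
    # (assumption: the installed zbar is 0.23 or newer).
    zbarcam --raw -1 > "$scan"
    import_wg_config "$scan" "$1"; rc=$?
    rm -f "$scan"   # the scan holds the private key; do not leave it behind
    return $rc
}

# Usage: sh qr-import.sh --scan [DEST]   (script name and default are assumptions)
if [ "${1:-}" = "--scan" ]; then
    scan_and_import "${2:-/etc/wireguard/wg0.conf}"
fi
```

Because the existing config is only replaced after validation succeeds, a misread or unexpected QR payload leaves the current tunnel configuration in place.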