# Pre-Flight Discussion - Round 2 ## Follow-up Questions Based on Your Feedback: ### 1. Compliance Framework Clarification - **Your Feedback**: Entry point to tier0 infrastructure supporting ITAR/SECRET systems, CMMC Level 2/3 downstream, LI-SaaS for RackRental.net - **Questions**: - Should we target CMMC Level 3 for this system since it supports Level 2/3 downstream? - For STIG vs CIS: DISA STIGs are military requirements, CIS Benchmarks are industry best practices. Given your use case (tier0, ITAR/SECRET), I recommend DISA STIGs. Do you agree? - Should we implement the "Debian 13 STIG" or the more comprehensive "General Operating System STIG"? ### 2. QR Code Import Implementation - **Your Feedback**: Want QR code import capability using webcam - **Questions**: - Which QR code library should we use? (qrencode for generation, zbar for scanning) - Should we create a desktop shortcut for QR scanning, or integrate it into the WireGuard config management? - What QR code format should we support? (Standard WireGuard QR format?) ### 3. Testing Strategy Clarification - **Your Feedback**: Test suite runs on installed system, not in build environment - **Questions**: - Should we include the test suite in the ISO itself for post-install validation? - Or keep tests separate for QA/validation before deployment? - How should the tests be triggered on the installed system? (Desktop shortcut, command line?) ### 4. Package Management Strategy - **Your Feedback**: Very minimal packages, re-image quarterly rather than update - **Questions**: - Should we remove apt/apt-get entirely to prevent accidental updates? - Or keep it but disable network access? - What's your preference for package management tools on the final system? ### 5. Preseed Configuration Details - **Your Feedback**: Only install target, root password, non-root user/password are manual - **Questions**: - What timezone should we default to? - What keyboard layout should we default to? - Should we enforce password complexity in the preseed itself, or handle that post-install? ### 6. Secure Boot Implementation - **Your Feedback**: Must use secure boot, refuse to boot if altered - **Questions**: - Should we include Secure Boot keys in the ISO or use standard Microsoft keys? - Do you want UEFI-only boot, or support Legacy BIOS as well? - Should we implement measured boot or just standard Secure Boot? ### 7. Documentation Approach - **Your Feedback**: No user guides in ISO - **Questions**: - Should we create minimal inline help for the desktop shortcuts? - Or assume users are trained and don't need any documentation? - Where should we store technical documentation? (Project repo only?) ## Clarifications Received: ### ✅ Test Environment: Keep tests separate from build environment, use shellcheck/shellfmt only in build ### ✅ ISO Size: Not a concern, add to .gitignore ### ✅ Updates: Re-image quarterly, no internet updates ### ✅ Hardware: Standard Debian 13 kernel works on target hardware ### ✅ User Experience: No user guides needed ### ✅ Minimal Packages: Start minimal and iterate ## Remaining High Priority Items to Resolve: 1. **Compliance Framework**: CMMC level + STIG vs CIS decision 2. **QR Code Implementation**: Library choice and integration approach 3. **Testing Strategy**: In-ISO tests vs separate validation 4. **Package Management**: Remove or disable apt? 5. **Preseed Details**: Timezone, keyboard, password enforcement 6. **Secure Boot**: Key management and boot mode 7. **Documentation**: Minimal help vs none --- **Status**: Awaiting your responses to the above questions **Next Action**: Update specification based on your decisions **Ready for Implementation**: Getting closer - need to resolve these remaining items