# KNEL-Football Project Status Report

> **Last Updated**: 2026-05-08 (Session 8 - Batch 4 - M-09/M-10/M-11/H-09)
> **Maintained By**: AI Agent (Crush)
> **Purpose**: Quick-glance status for project manager

---

## Current Status: 🔧 ALL TECHNICAL FIXES APPLIED — ISO REBUILD BLOCKED BY HOST FDE

### Executive Summary

All 28 non-deferred findings from DeepReport-2026-05-08.md have been addressed in code. The ISO cannot be rebuilt because the build host lacks LUKS encryption: the host FDE check (the C-02 fix) now correctly refuses to build on an unencrypted host, as required by PRD FR-011.

### What's Needed From You (Human Action Required)

1. **Enable host FDE** — Your build host partition `/dev/nvme0n1p2` has no LUKS. Options:
   - Backup + reinstall with encrypted LVM
   - Use `encrypt-existing-debian` for in-place encryption
2. **Rebuild ISO** — After enabling host FDE: `./run.sh iso`
3. **Git history scrub** — `git filter-repo --path config/includes.installer/demo.preseed.cfg --invert-paths`, then force-push
4. **Test on real hardware** — Install the ISO, verify `cryptsetup luksDump` shows Argon2id

---

## Remediation Progress — All Technical Fixes Done

| # | Finding | Severity | Status | How Fixed |
|---|---------|----------|--------|-----------|
| C-01 | Argon2id KDF not enforced | CRITICAL | ✅ | preseed early_command patches partman-crypto |
| C-02 | Host FDE check never called | CRITICAL | ✅ | check_host_fde() now called, blocks build |
| C-03 | Docker --privileged | CRITICAL | ✅ | Fine-grained caps (SYS_ADMIN, MKNOD, etc.) |
| C-04 | SB keys unencrypted | CRITICAL | ✅ | chmod 700 dir, chmod 600 keys |
| C-05 | USB noexec/nosuid/nodev | CRITICAL | ✅ | All mount options added + input validation |
| C-06 | Plaintext creds in git | CRITICAL | ⬜ HUMAN | Needs git-filter-repo (destructive) |
| H-01 | StrictHostKeyChecking ask | HIGH | ✅ | Changed to yes |
| H-02 | sshd_config written | HIGH | ✅ | Removed from both live hook AND src/ |
| H-03 | src/firewall missing ct state | HIGH | ✅ | Added established,related |
| H-04 | QR temp file insecure | HIGH | ✅ | chmod 600 |
| H-05 | cryptsetup broken syntax | HIGH | ✅ | printf pipe instead of echo+heredoc |
| H-06 | Hardcoded /dev/sda3 | HIGH | ✅ | find-luks-device.sh helper |
| H-07 | sbverify returns success on fail | HIGH | ✅ | Now returns 1 (fatal) |
| H-08 | Missing module.sig_enforce | HIGH | ✅ | Added to all 3 UKI build paths |
| H-09 | Build cache no integrity | HIGH | ✅ | Cache manifest + SHA256 verification |
| M-01 | apply_security_hardening missing calls | MEDIUM | ✅ | Now calls FIM + SSH client |
| M-02 | Sudo group conflict | MEDIUM | ✅ | Removed football from sudo group |
| M-03 | PAM not configured | MEDIUM | ✅ | enforce_for_root in common-password |
| M-04 | Recovery key generation | MEDIUM | ✅ | Fixed bs=32 count=1 |
| M-05 | Firewall allows any WG endpoint | MEDIUM | ✅ | Single port 51820 |
| M-06 | AIDE not initialized | MEDIUM | ✅ | aideinit + daily cron |
| M-07 | Mount hardening fstab only | MEDIUM | ✅ | Auto-adds missing entries |
| M-08 | USB no audit logging | MEDIUM | ✅ | logger -t usb-automount |
| M-09 | Build not reproducible | MEDIUM | ✅ | SOURCE_DATE_EPOCH + BUILD-INFO.txt |
| M-10 | No GPG signing | MEDIUM | ✅ | Ephemeral or persistent GPG signing |
| M-11 | Docker base not digest-pinned | MEDIUM | ✅ | sha256:1d3c8111... in Dockerfile |
| M-12 | WiFi blacklist incomplete | MEDIUM | ✅ | Added 8 more modern drivers |

**Legend**: ✅ Done | ⬜ Needs human action

---

## What Was Done This Session

### Batch 1 (commit 2b422cf)

C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12, plus 3 tests updated to match the new security posture.

### Batch 2 (commit ae1344c)

C-01 (first attempt, later fixed properly), C-03, C-04, M-03, M-06, L-01, L-05, L-07, plus JOURNAL.md updated with ADR-014/015/016.

### Batch 3 (commit 3d2ef3d) — Honest fixes

C-01 done RIGHT (preseed early_command, not dead-code cryptsetup), H-02 for real (src/ sshd_config removed), COMPLIANCE.md marked aspirational, VERIFICATION-REPORT warning added, AIDE error reporting fixed, .dockerignore added, .gitignore fixed.

### Batch 4 (this commit)

- M-09: SOURCE_DATE_EPOCH + BUILD-INFO.txt for reproducibility
- M-10: GPG signing of ISO and checksums (ephemeral or persistent key)
- M-11: Docker base image digest-pinned
- H-09: Build cache integrity via SHA256 manifest
- Dockerfile: Added sbsigntool, shim-signed, systemd-boot-efi, gpg

---

## Build Verification

| Item | Status |
|------|--------|
| Docker image | ✅ Built successfully with new packages |
| Lint (shellcheck) | ✅ 0 warnings |
| Tests | ✅ 786 pass, 0 fail |
| ISO build | ❌ Blocked — host lacks FDE (correct behavior) |

---

## What You Need To Do

### Step 1: Enable Host FDE

Your build host partition `/dev/nvme0n1p2` has no LUKS. You must encrypt it before building.
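The C-02 fix described above makes the build refuse to run on an unencrypted host. The project's own `check_host_fde()` is not reproduced here; what follows is an added example, not the project's code, of how such a check can be structured so that the decision logic is testable against constructed `lsblk` output while the live wrapper queries the real host. The function names `has_crypt_ancestor`, `check_host_fde` and `require_host_fde`, and the use of `findmnt --target` plus `lsblk -s -l` to walk the device stack, are this example's own choices.

```shell
#!/bin/sh
# Added example (not the project's check_host_fde): refuse to build unless the
# filesystem backing the build tree sits on a LUKS device.
# Strategy: resolve the block device behind a path with findmnt, list that
# device's ancestors with `lsblk -s` (inverse tree), and accept only if one of
# them has TYPE "crypt" (a dm-crypt/LUKS mapping). This covers both LUKS
# directly under the filesystem and LVM-on-LUKS.

# $1: text in "NAME TYPE" lines, as printed by `lsblk -s -l -n -o NAME,TYPE DEV`.
# Returns 0 if any device in the stack is a dm-crypt mapping, 1 otherwise.
has_crypt_ancestor() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Live check against the running host (hypothetical helper name).
# Returns 0 if $1 (default: current directory) is on an encrypted device,
# 1 if it is not, 2 if the backing device could not be resolved.
check_host_fde() {
    target=${1:-.}
    dev=$(findmnt -n -o SOURCE --target "$target") || return 2
    stack=$(lsblk -s -l -n -o NAME,TYPE "$dev") || return 2
    has_crypt_ancestor "$stack"
}

# Build-script entry point: abort with a clear message, which is the
# "blocked by host FDE" state this report describes.
require_host_fde() {
    if check_host_fde "$1"; then
        echo "host FDE: OK (build tree is on a LUKS-backed device)"
        return 0
    fi
    echo "host FDE: MISSING. Refusing to build (PRD FR-011): encrypt the host first." >&2
    return 1
}

# Constructed sample stacks (not captured from a real host) so the decision
# logic can be exercised without lsblk/findmnt present.
SAMPLE_LUKS_LVM='root lvm
cryptlvm crypt
nvme0n1p2 part
nvme0n1 disk'
SAMPLE_PLAIN='nvme0n1p2 part
nvme0n1 disk'

if has_crypt_ancestor "$SAMPLE_LUKS_LVM"; then
    echo "sample LVM-on-LUKS stack: encrypted"
fi
if ! has_crypt_ancestor "$SAMPLE_PLAIN"; then
    echo "sample plain stack: not encrypted, build would be refused"
fi
```

On a real host, `require_host_fde "$PWD"` at the top of the build script produces the same refusal the Build Verification table shows; the check only inspects the device stack and never touches key material.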
### Step 2: Rebuild ISO

```bash
./run.sh iso   # Will work once host FDE is enabled
```

### Step 3: Scrub Git History (C-06)

```bash
# Install git-filter-repo
pip install git-filter-repo

# Remove demo.preseed.cfg from all history
git filter-repo --path config/includes.installer/demo.preseed.cfg --invert-paths
git push --force origin main
```

Rewriting history invalidates every existing clone (collaborators must re-clone), and it does not un-expose credentials that were already pushed; rotate them as well.

### Step 4: Validate on Real Hardware

- Install the ISO
- Run `cryptsetup luksDump /dev/sda3` — verify the KDF shows argon2id
- Try `ssh localhost` — should be refused (no server)
- Insert a USB stick — verify the mount has noexec,nosuid,nodev
- Check `grep StrictHostKeyChecking /etc/ssh/ssh_config` — should be "yes"

---

*This file is maintained by the AI agent. For AI memory and insights, see JOURNAL.md.*
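The four Step 4 checks can be scripted so the hardware validation is repeatable and its results are recorded. The following is an added example and not part of the project: each check is a parser over the relevant command's output, so it can be exercised here on constructed samples and then pointed at live output on the installed machine. Function names, the `SAMPLE_*` inputs and the `validate_installed_host` runner are this example's own assumptions; the live commands it calls (`cryptsetup luksDump`, `findmnt`, `ss`, `ssh -G`) are standard tools assumed to be present on the installed system.

```shell
#!/bin/sh
# Added example (not project code): Step 4 post-install checks as testable
# parsers over command output.

# 1. KDF check: every LUKS2 keyslot in `cryptsetup luksDump DEV` output must
#    use argon2id. Fails if no keyslot is found or any keyslot uses another PBKDF.
luks_kdf_all_argon2id() {
    printf '%s\n' "$1" | awk '
        $1 == "PBKDF:" { total++; if ($2 != "argon2id") bad++ }
        END { if (total > 0 && bad == 0) exit 0; exit 1 }'
}

# 2. Mount hardening: $1 is the OPTIONS field from `findmnt -n -o OPTIONS MNT`;
#    all of noexec, nosuid and nodev must be present.
mount_opts_hardened() {
    opts=",$1,"
    for need in noexec nosuid nodev; do
        case $opts in
            *,"$need",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 3. No SSH server: $1 is `ss -H -l -t -n` output, $2 a port; returns 0 if any
#    local address ends in ":$2". The expected result for port 22 is 1.
tcp_port_listening() {
    printf '%s\n' "$1" | awk -v p=":$2" '
        { n = length($4); m = length(p); if (n >= m && substr($4, n - m + 1) == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# 4. SSH client: the first uncommented StrictHostKeyChecking line in ssh_config
#    text must say "yes" (ssh takes the first value it sees for an option).
ssh_strict_hostkey_is_yes() {
    value=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "stricthostkeychecking" { print tolower($2); exit }')
    [ "$value" = "yes" ]
}

# Live runner for the installed machine.
# $1: LUKS device (e.g. /dev/sda3 as in Step 4, or whatever find-luks-device.sh reports)
# $2: mountpoint of the inserted USB stick
validate_installed_host() {
    rc=0
    if luks_kdf_all_argon2id "$(cryptsetup luksDump "$1")"; then echo "KDF: argon2id OK"; else echo "KDF: FAIL"; rc=1; fi
    if mount_opts_hardened "$(findmnt -n -o OPTIONS "$2")"; then echo "USB mount: OK"; else echo "USB mount: FAIL"; rc=1; fi
    if tcp_port_listening "$(ss -H -l -t -n)" 22; then echo "sshd: LISTENING (FAIL)"; rc=1; else echo "sshd: none OK"; fi
    if ssh_strict_hostkey_is_yes "$(ssh -G localhost)"; then echo "StrictHostKeyChecking: yes OK"; else echo "StrictHostKeyChecking: FAIL"; rc=1; fi
    return $rc
}

# Constructed samples (not captured from a real machine) for offline runs.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        PBKDF:      argon2id'
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 [::1]:631 [::]:*'
SAMPLE_SSH_CONFIG='# /etc/ssh/ssh_config (constructed)
Host *
    StrictHostKeyChecking yes
    HashKnownHosts yes'

luks_kdf_all_argon2id "$SAMPLE_DUMP" && echo "sample dump: all keyslots argon2id"
mount_opts_hardened "rw,nosuid,nodev,noexec,relatime" && echo "sample mount: hardened"
tcp_port_listening "$SAMPLE_SS" 22 || echo "sample ss: nothing on :22"
ssh_strict_hostkey_is_yes "$SAMPLE_SSH_CONFIG" && echo "sample ssh_config: strict yes"
```

`ssh -G localhost` prints the effective client configuration in the same `key value` form as ssh_config, so the same parser serves both the file and the resolved settings. Checking every keyslot rather than the first matters: a recovery keyslot added later with a weaker PBKDF would otherwise pass unnoticed.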