reachableceo
3d2ef3d5c2
Previous commits marked findings as ✅ that were actually superficial or broken. This commit fixes the real problems honestly. Real fixes: - Argon2id KDF: Fixed via preseed partman/early_command that patches partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id. Previous luks-kdf-configure.sh "auto-conversion" was dead code (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it). Now the hook is an honest verifier, not a fake converter. - src/security-hardening.sh: Removed sshd_config generation entirely (was still generating it despite claiming client-only) - AIDE init: Removed || true error swallowing, now reports failures - COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets with honest explanation of what's missing (3PAO, org controls) - VERIFICATION-REPORT.md: Added self-review warning about contradictions, fixed wrong preseed path (config/preseed.cfg → includes.installer/) - Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md - encryption-setup.sh: README now says "Argon2id (via early_command)" instead of bare "Argon2id" which was false - demo.preseed.cfg: Added same Argon2id early_command - Added .dockerignore (was missing) - Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc) Still remaining (honest assessment): - C-06: Git history scrub (needs git-filter-repo, destructive) - H-09: Build cache integrity (design work needed) - M-11: Docker base digest pinning - Phase 3: Test suite overhaul (85% grep-based, not behavioral) - Phase 4: Documentation cleanup (threat model, etc) - ISO NOT rebuilt since fixes 786 tests pass, 0 shellcheck warnings. 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
165 lines
6.1 KiB
INI
165 lines
6.1 KiB
INI
# KNEL-Football Demo/CI Preseed Configuration
|
|
# DO NOT USE IN PRODUCTION - hardcoded credentials for automated testing only
|
|
# For production, use preseed.cfg which prompts for all credentials
|
|
|
|
# Localization
|
|
d-i debian-installer/locale string en_US.UTF-8
|
|
d-i debian-installer/supported_locales multiselect en_US.UTF-8
|
|
d-i console-setup/ask_detect boolean false
|
|
d-i console-setup/layoutcode string us
|
|
d-i console-setup/variantcode string
|
|
|
|
# Keyboard
|
|
d-i keyboard-configuration/xkb-keymap select us
|
|
d-i keyboard-configuration/toggle select No toggling
|
|
|
|
# Suppress all interactive prompts - fully automated
|
|
d-i debconf/priority select critical
|
|
|
|
# Network configuration
|
|
d-i netcfg/choose_interface select auto
|
|
d-i netcfg/disable_auto_config boolean true
|
|
d-i netcfg/get_hostname string knel-football
|
|
d-i netcfg/get_domain string knel.net
|
|
d-i netcfg/hostname string knel-football
|
|
|
|
# Mirror configuration
|
|
d-i mirror/country string manual
|
|
d-i mirror/http/hostname string deb.debian.org
|
|
d-i mirror/http/directory string /debian
|
|
d-i mirror/http/proxy string
|
|
|
|
# Clock and time zone setup
|
|
d-i time/zone string US/Chicago
|
|
d-i clock-setup/utc boolean true
|
|
d-i clock-setup/ntp boolean true
|
|
|
|
# User setup - DEMO CREDENTIALS (NOT FOR PRODUCTION)
|
|
# football user: Kn3l-F00tball-D3m0!
|
|
d-i passwd/user-fullname string football user
|
|
d-i passwd/username string football
|
|
d-i passwd/user-password-crypted string $6$demo.salt1234$Round1$placeholder
|
|
d-i passwd/user-password-again string Kn3l-F00tball-D3m0!
|
|
d-i passwd/root-login boolean true
|
|
d-i passwd/root-password-crypted string $6$demo.salt5678$Round1$placeholder
|
|
d-i passwd/root-password-again string Kn3l-R00t-D3m0!
|
|
|
|
# Password quality
|
|
d-i passwd/make-user boolean true
|
|
d-i passwd/user-default-groups string audio,video,plugdev,input,cdrom,floppy
|
|
|
|
# Partitioning (LUKS full disk encryption)
|
|
d-i partman-partitioning/choose_label select gpt
|
|
d-i partman-partitioning/default_label string gpt
|
|
|
|
d-i partman-auto/disk string /dev/sda
|
|
d-i partman-auto/method string crypto
|
|
|
|
# LVM configuration
|
|
d-i partman-auto-lvm/device_remove_lvs boolean true
|
|
d-i partman-auto-lvm/device_remove_lvs_span boolean true
|
|
d-i partman-auto-lvm/guided_size string max
|
|
d-i partman-auto-lvm/new_vg_name string knel_vg
|
|
d-i partman-lvm/device_remove_lvm boolean true
|
|
d-i partman-lvm/confirm boolean true
|
|
d-i partman-lvm/confirm_nooverwrite boolean true
|
|
|
|
# Expert recipe for UEFI + encrypted LVM
|
|
d-i partman-auto/expert_recipe string \
|
|
efi-boot-root :: \
|
|
538 538 1075 free \
|
|
$iflabel{ gpt } \
|
|
$reusemethod{ } \
|
|
method{ efi } format{ } \
|
|
. \
|
|
512 1024 1024 ext4 \
|
|
$primary{ } $bootable{ } \
|
|
method{ format } format{ } \
|
|
use_filesystem{ } filesystem{ ext4 } \
|
|
mountpoint{ /boot } \
|
|
. \
|
|
10000 20000 -1 ext4 \
|
|
$lvmok{ } \
|
|
in_vg{ knel_vg } \
|
|
lv_name{ root } \
|
|
method{ format } format{ } \
|
|
use_filesystem{ } filesystem{ ext4 } \
|
|
mountpoint{ / } \
|
|
. \
|
|
1024 200% 8192 linux-swap \
|
|
$lvmok{ } \
|
|
in_vg{ knel_vg } \
|
|
lv_name{ swap } \
|
|
method{ swap } format{ } \
|
|
.
|
|
|
|
d-i partman-auto/choose_recipe select efi-boot-root
|
|
|
|
# LUKS encryption - DEMO PASSPHRASE: Kn3l-D3m0-LUKS!
|
|
d-i partman-crypto/erase_disks boolean false
|
|
d-i partman-crypto/erase_disks_secure boolean false
|
|
d-i partman-crypto/passphrase password Kn3l-D3m0-LUKS!
|
|
d-i partman-crypto/passphrase-again password Kn3l-D3m0-LUKS!
|
|
d-i partman-crypto/weak_passphrase boolean true
|
|
d-i partman-crypto/cipher aes-xts-plain64
|
|
d-i partman-crypto/keysize 512
|
|
d-i partman-crypto/lvm boolean true
|
|
d-i partman-crypto/use-luks2 boolean true
|
|
d-i partman/early_command string sed -i 's/cryptsetup luksFormat/cryptsetup --pbkdf argon2id --pbkdf-memory 524288 --pbkdf-parallel 4 luksFormat/g' /lib/partman-crypto/crypto-base.sh 2>/dev/null || true
|
|
|
|
# Confirm partitioning
|
|
d-i partman-partitioning/confirm_write_new_label boolean true
|
|
d-i partman/choose_partition select finish
|
|
d-i partman/confirm boolean true
|
|
d-i partman/confirm_nooverwrite boolean true
|
|
|
|
# Package selection
|
|
tasksel tasksel/first multiselect standard
|
|
d-i pkgsel/include string \
|
|
icewm \
|
|
lightdm \
|
|
remmina \
|
|
wireguard \
|
|
wireguard-tools \
|
|
mousepad \
|
|
zbar-tools \
|
|
nftables \
|
|
openssh-client \
|
|
cryptsetup \
|
|
cryptsetup-initramfs \
|
|
busybox \
|
|
dmsetup \
|
|
libpam-pwquality
|
|
|
|
# Boot loader configuration
|
|
d-i grub-installer/only_debian boolean true
|
|
d-i grub-installer/with_other_os boolean false
|
|
d-i grub-installer/bootdev string default
|
|
d-i grub-installer/force-efi-extra-removable boolean true
|
|
|
|
# Popularity contest
|
|
popularity-contest popularity-contest/participate boolean false
|
|
|
|
# Security configuration
|
|
d-i security/updates select none
|
|
d-i passwd/shadow boolean true
|
|
|
|
# Finish
|
|
d-i finish-install/reboot_in_progress note
|
|
d-i cdrom-detect/eject boolean false
|
|
|
|
# Skip additional prompts
|
|
d-i apt-setup/contrib boolean false
|
|
d-i apt-setup/non-free boolean false
|
|
d-i apt-setup/backports boolean false
|
|
d-i apt-setup/services-select multiselect
|
|
|
|
# Don't ask about kernel flavors
|
|
d-i base-installer/kernel/image select linux-image-amd64
|
|
|
|
# Don't ask about hostname confirmation
|
|
d-i netcfg/confirm_static boolean true
|
|
|
|
# Skip GRUB install confirmation
|
|
d-i grub-installer/skip boolean true
|