ReachableCEO 3407fae643 docs: add build completion report with ISO verification
Document successful 72-minute ISO build process, ISO artifacts (450 MB), checksum verification, mandatory requirements implementation, compliance achieved, and usage instructions for testing and deployment.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 10:00:19 -05:00

KNEL-Football

License: AGPLv3 | Debian 13 | Build: Docker | Security: Strict

Overview

KNEL-Football is a highly secure, compliant Debian 13 (Trixie) installation ISO built using a strict Docker-based workflow with Test-Driven Development methodology. The resulting ISO provides a minimal, hardened system with restricted networking designed for tier0 infrastructure access.

Features

Security Hardening

  • CMMC Level 3 compliant
  • FedRAMP LI-SaaS ready
  • DISA STIG and CIS Benchmark implementation
  • WiFi and Bluetooth permanently disabled (kernel blacklist)
  • Package management tools disabled with immutable permissions
  • Secure Boot with measured boot (UEFI only)

Network Restrictions

  • WireGuard-only network access
  • Dynamic firewall configuration (nftables)
  • No general internet connectivity
  • QR code import for configuration

Minimal Desktop

  • IceWM window manager (minimal)
  • LightDM display manager (privacy mode)
  • Required applications: Remmina, WireGuard, Mousepad, PCManFM
  • USB automount support

Quick Start

Prerequisites

  • Docker
  • Git
  • Libvirt (virt-install, virsh)

Build

# Clone the repository
git clone https://git.knownelement.com/KNEL/football.git
cd football

# Build the ISO
./src/run.sh build

Test

# Run all tests
./src/run.sh test

# Run linting checks
./src/run.sh lint

Clean

# Clean build artifacts
./src/run.sh clean

Project Structure

knel-football/
├── README.md                   # This file
├── LICENSE                     # AGPLv3 license
├── AGENTS.md                   # AI agent documentation
├── football-spec.md            # Technical specification
├── run.sh                      # Host wrapper script
├── ./config/Dockerfile         # Build/test container
├── .gitignore                  # Git ignore rules
├── config/                     # live-build configuration
│   ├── preseed.cfg             # Installation automation
│   ├── package-lists/          # Software packages
│   ├── hooks/                  # Build hooks
│   │   ├── live/               # Live system hooks
│   │   └── installed/          # Post-installation hooks
│   └── includes/               # File inclusions
├── src/                        # Build scripts
│   ├── build-iso.sh            # Main ISO build
│   ├── security-hardening.sh   # Security configurations
│   ├── firewall-setup.sh       # Dynamic firewall
│   └── compliance-check.sh     # Validation
├── tests/                      # Test suite
│   ├── unit/                   # Unit tests
│   ├── integration/            # Integration tests
│   ├── security/               # Security tests
│   └── fixtures/               # Test data
├── docs/                       # Documentation
│   ├── architecture.md         # System architecture
│   ├── security-model.md       # Security model
│   └── user-guide.md           # User documentation
└── output/                     # Generated ISO files

Security Features

Kernel Module Blacklisting

  • WiFi modules: cfg80211, mac80211, brcmfmac, iwlwifi, ath9k, rt73usb
  • Bluetooth modules: btusb, bluetooth, btrtl, btintel, btbcm
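One way to realise the blacklist above as a modprobe.d fragment and check it, written as an added example rather than the project's own hook; the output directory, file name knel-no-radio.conf and the helper names are assumptions, the module lists are the ones listed here.

```shell
#!/bin/sh
# Added example (not the project's own build hook): write a modprobe blacklist
# for the WiFi and Bluetooth modules listed in the README and verify it.
# OUTDIR is a parameter so the same functions work against a staging root
# during the Docker build and against /etc/modprobe.d on the installed system.
set -eu

WIFI_MODULES="cfg80211 mac80211 brcmfmac iwlwifi ath9k rt73usb"
BT_MODULES="btusb bluetooth btrtl btintel btbcm"

# write_blacklist OUTDIR: 'blacklist' only stops autoloading by alias; the
# 'install <mod> /bin/false' line also defeats an explicit modprobe and a
# dependency pull by another module, so both lines are written per module.
write_blacklist() {
    outdir="$1"
    mkdir -p "$outdir"
    conf="$outdir/knel-no-radio.conf"
    {
        echo "# KNEL-Football: WiFi and Bluetooth permanently disabled"
        for m in $WIFI_MODULES $BT_MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$conf"
    echo "$conf"
}

# check_blacklist CONF MODULE: 0 only if MODULE has both lines in CONF.
check_blacklist() {
    grep -qx "blacklist $2" "$1" && grep -qx "install $2 /bin/false" "$1"
}

# loaded_radio_modules: print any listed module present in /proc/modules;
# empty output means the blacklist is effective on the running kernel.
loaded_radio_modules() {
    [ -r /proc/modules ] || return 0
    for m in $WIFI_MODULES $BT_MODULES; do
        grep -q "^$m " /proc/modules && echo "$m"
    done
    return 0
}
```

A compliance check should run check_blacklist for every module and treat any output from loaded_radio_modules as a finding, since a blacklist file that exists but is not honoured (for example after an initramfs rebuild) is the common failure mode.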

Firewall Configuration

  • Default deny policy
  • Dynamic WireGuard endpoint parsing
  • UDP traffic only to WireGuard server
  • nftables implementation
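The "dynamic endpoint parsing" and "UDP only to the WireGuard server" rules, shown as an added example that is not the project's firewall-setup.sh: it reads the Endpoint line of a WireGuard config and emits a default-deny nftables ruleset. The wg0 interface name, an IPv4 endpoint, and the constructed sample peer (203.0.113.10 is a documentation address) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's firewall-setup.sh: derive a default-deny
# nftables ruleset from a WireGuard config. wg0 and the sample are assumptions.
set -eu
# wg_endpoint CONF: print "host port" from the first "Endpoint = host:port"
# line; IPv6 endpoints written as [addr]:port have the brackets stripped.
wg_endpoint() {
    awk -F'=' '/^[[:space:]]*Endpoint[[:space:]]*=/ {
        v=$2; gsub(/[[:space:]]/, "", v)
        n=split(v, a, ":"); port=a[n]
        host=substr(v, 1, length(v)-length(port)-1); gsub(/[][]/, "", host)
        print host, port; exit }' "$1"
}
# sample_config PATH: write a constructed peer section (placeholder key).
sample_config() {
    cat > "$1" <<'EOF'
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
EOF
}
# nft_ruleset HOST PORT: every chain drops by default; on physical links the
# only egress is UDP to the server, all else rides wg0; no inbound new flows.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet knel_football {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        oifname "wg0" accept
        ip daddr $1 udp dport $2 accept
    }
}
EOF
}
# apply_from_config CONF: load with nft (root); with no Endpoint, set -u
# aborts before anything is loaded, so the host stays closed rather than open.
apply_from_config() {
    set -- $(wg_endpoint "$1")
    nft_ruleset "$1" "$2" | nft -f -
}
```

Because the endpoint is pinned as an address rather than resolved at runtime, DNS does not need to be allowed out of the physical interface; if the host obtains its LAN address by DHCP, that single UDP 68 to 67 exchange is the only further egress rule to add.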

Package Management Security

  • Execute permissions removed
  • Immutable with chattr +i
  • APT/DPKG metadata cleared
  • No package updates possible
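The lockdown of the package tools and the check a compliance script should run afterwards, as an added example that is not the project's security-hardening.sh or compliance-check.sh; the tool list, the ROOT parameter (a staging directory during the build, / on the installed system) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own scripts): strip execute bits from the
# package-management tools, set the immutable attribute where the filesystem
# allows it, and verify. ROOT lets the same functions run against a staging
# directory in the build container and against / on the installed system.
set -eu

PKG_TOOLS="usr/bin/apt usr/bin/apt-get usr/bin/apt-cache usr/bin/dpkg usr/bin/aptitude"

# lock_pkg_tools ROOT: chmod a-x each tool present under ROOT, then chattr +i.
# chattr needs root and an ext4/xfs-style filesystem; on a tmpfs staging root
# it fails, which is reported but not fatal so the chmod step can still be
# checked in the container. Note that root can always run chattr -i, so the
# immutable bit guards against drift and scripted re-enablement, not a root
# attacker; that is why verify_pkg_tools belongs in the compliance check.
lock_pkg_tools() {
    for t in $PKG_TOOLS; do
        f="$1/$t"
        [ -e "$f" ] || continue
        chmod a-x "$f"
        chattr +i "$f" 2>/dev/null || echo "warn: chattr +i not applied to $f" >&2
    done
}

# verify_pkg_tools ROOT: 0 if no tool under ROOT carries an execute bit,
# 1 otherwise, printing each offending path so the finding is actionable.
verify_pkg_tools() {
    rc=0
    for t in $PKG_TOOLS; do
        f="$1/$t"
        [ -e "$f" ] || continue
        if [ -x "$f" ]; then echo "executable: $f"; rc=1; fi
    done
    return $rc
}
```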

Boot Security

  • UEFI-only boot mode
  • Secure Boot enabled
  • Measured boot implementation
  • Custom keys included

Compliance

  • CMMC Level 3 - Entry point to tier0 infrastructure
  • FedRAMP LI-SaaS - Ready for federal government deployment
  • DISA STIG - Adapted Debian 11 STIG for Debian 13
  • CIS Benchmarks - Industry best practices for Debian Linux

User Workflow

Installation

  1. Boot from ISO
  2. Complete manual partitioning
  3. Set root password
  4. Create non-root user (auto-added to sudo)

Configuration

  1. Mount USB drive with WireGuard config
  2. Use desktop shortcuts to import/apply configuration
  3. QR code scanning available for mobile configuration

Remote Access

  1. Remmina for RDP connections
  2. WireGuard tunnel for all network traffic
  3. No direct internet access possible

Development

Test-Driven Development

  • Tests written before implementation
  • 100% code coverage mandatory
  • BATS framework for testing
  • Shellcheck for linting

Build Environment

  • Docker-based container
  • No build tools on host
  • All dependencies in container
  • Proper file permissions

Contributing

This project is developed under the GNU Affero General Public License v3.0. Contributions must follow the same license and include proper attribution.

License

Copyright © 2026 Known Element Enterprises LLC

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.

Contact

Known Element Enterprises LLC


Security through Compliance. Compliance through Process.
Description
Fully self-contained, very stripped-down and locked-down Debian image intended for deployment onto a physical-access-only system (a Dell laptop, called football-(x)), to be used for remote (RDP) access to another high-security physical system (highside), which is a privileged access workstation in the KNEL server room.