KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94abcfffda8fa19192a3784349aff33ab3224bcd
football/docs/COMPLIANCE.md
reachableceo 94abcfffda fix: resolve 11 test failures, clean up stale files, add NVMe build cache 
Test Fixes:
- Fixed grep regex matching `test:iso)` instead of `iso|iso:demo)` by
  using `grep -F` for literal string matching in 3 test files
- Increased grep context from -A 5 to -A 15 for FDE reference tests
  since FDE mention is 9+ lines into the iso command block

Stale Files:
- Deleted test-iso.sh (merged into run.sh in Session 4)
- Deleted verify.sh (orphaned, never referenced anywhere)

Documentation:
- Fixed stale test file references in COMPLIANCE.md
- Updated TEST-COVERAGE.md to remove "delegates to test-iso.sh"
- Added JOURNAL.md entry with full audit findings
- Updated STATUS.md timestamp

NVMe Build Cache (from previous session, was uncommitted):
- Added Docker volume `knel-football-cache` for build caching
- Added `clean:cache` and `cache` commands to run.sh
- Cache preserves bootstrap + package downloads between builds

Test Results: 786 pass, 0 fail, 16 VM skip

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-07 07:51:56 -05:00

146 lines
6.8 KiB
Markdown
Raw Blame History

# KNEL-Football Compliance Matrix
## Overview
This document maps security compliance requirements to implementation components in the KNEL-Football secure Debian 13 ISO build system.
**Copyright © 2026 Known Element Enterprises LLC**
**License: GNU Affero General Public License v3.0 only**
## Compliance Frameworks
- **CMMC Level 3** - Entry point to tier0 infrastructure supporting ITAR/SECRET systems
- **FedRAMP LI-SaaS** - For RackRental.net federal government product
- **DISA STIG** - Debian STIG requirements (adapted from Debian 11 to Debian 13)
- **CIS Benchmarks** - Center for Internet Security Debian Linux Benchmark
## Security Controls Mapping
### Network Security
| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|----------|-------------|----------------|-------------|--------|
| WiFi Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | `config/hooks/live/security-hardening.sh` | ✅ |
| Bluetooth Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | `config/hooks/live/security-hardening.sh` | ✅ |
| Default Deny Firewall | RHEL-08-040020 | 4.4 | nftables with deny all policy | `config/hooks/live/firewall-setup.sh` | ✅ |
| WireGuard-Only Network Access | N/A (custom) | 4.4 | Dynamic firewall rules | `src/firewall-setup.sh` | ✅ |
### System Hardening
| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|----------|-------------|----------------|-------------|--------|
| SSH Client-Only | RHEL-08-010000 | 5.2 | Client config, no server | `src/security-hardening.sh` | ✅ |
| Password Policy | RHEL-08-020200 | 5.1 | pwquality.conf with 14-char minimum | `src/security-hardening.sh` | ✅ |
| System Resource Limits | RHEL-08-040123 | 5.3 | limits.d/security.conf | `src/security-hardening.sh` | ✅ |
| File Permissions | RHEL-08-040040 | 3.3 | Secure file permissions | `src/security-hardening.sh` | ✅ |
### Logging and Monitoring
| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|----------|-------------|----------------|-------------|--------|
| Audit Daemon | RHEL-08-030160 | 6.2 | auditd configuration | `config/hooks/live/security-hardening.sh` | ✅ |
| System Logging | RHEL-08-030590 | 6.1 | rsyslog configuration | `package-lists/knel-football.list.chroot` | ✅ |
| Audit Rules | RHEL-08-030652 | 6.2 | Custom audit rules | `src/security-hardening.sh` | ✅ |
### Package Management
| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|----------|-------------|----------------|-------------|--------|
| Disable Package Management | N/A (custom) | 2.1 | chmod + chattr on package tools | `config/hooks/installed/disable-package-management.sh` | ✅ |
| Clean Package Metadata | N/A (custom) | 2.1 | Remove /var/lib/apt /var/lib/dpkg | `config/hooks/installed/disable-package-management.sh` | ✅ |
### Access Control
| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|----------|-------------|----------------|-------------|--------|
| Sudo Group Configuration | RHEL-08-010300 | 5.4 | User added to sudo group | `config/hooks/installed/install-scripts.sh` | ✅ |
| Hide Usernames in Display Manager | N/A (custom) | 5.7 | LightDM privacy configuration | `config/hooks/live/desktop-environment.sh` | ✅ |
| No Auto-Login | RHEL-08-020010 | 5.7 | LightDM manual login only | `config/hooks/live/desktop-environment.sh` | ✅ |
### Boot Security
| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---------|----------|-------------|----------------|-------------|--------|
| UEFI Boot Only | RHEL-08-010240 | 4.1 | ISO build configuration | `config/config` | ✅ |
| Secure Boot Support | RHEL-08-010240 | 4.1 | grub-efi-amd64-bin | `Dockerfile` | ✅ |
## Compliance Validation Tests
### Automated Tests
| Test Type | Test File | Validation Target | Coverage |
|-----------|------------|-----------------|----------|
| Unit Tests | `tests/unit/firewall-setup_test.bats` | Firewall configuration parsing | 🔧 |
| Unit Tests | `tests/unit/security-hardening_test.bats` | Security hardening functions | 🔧 |
| Unit Tests | `tests/unit/build-iso_comprehensive_test.bats` | Build process functions | 🔧 |
| Integration Tests | `tests/integration/config_test.bats` | Configuration file validation | 🌐 |
| Security Tests | `tests/security/compliance_test.bats` | Compliance verification | 🔒 |
### In-ISO Validation
The built ISO includes test capabilities for post-installation validation:
```bash
# Run compliance validation on installed system
/usr/local/bin/knel-compliance-check.sh
```
## Compliance Evidence
### Documentation
- **COMPLIANCE.md** - This compliance matrix
- **security-model.md** - Detailed security architecture
- **architecture.md** - System design and threat model
### Build Artifacts
- **Configuration Files** - All security configurations in version control
- **Hook Scripts** - Automated application of security controls
- **Test Suite** - Automated validation of compliance requirements
- **ISO Image** - Fully compliant, hardened operating system
### Verification Process
1. **Pre-Build Validation** - Tests run before ISO creation
2. **Build-Time Validation** - Hooks verify configuration application
3. **Post-Install Validation** - Compliance testing in live environment
4. **Security Audit** - Regular security reviews and penetration testing
## Security Controls Summary
### Network Controls
- ✅ WiFi and Bluetooth permanently disabled via kernel module blacklisting
- ✅ Default deny firewall policy with nftables
- ✅ WireGuard-only network access with dynamic configuration
- ✅ USB automount support for secure configuration transfer
- ✅ Minimal desktop with IceWM and privacy-focused LightDM
- ✅ SSH client-only (no server, no inbound access)
- ✅ Strong password policy (14 characters minimum)
- ✅ Comprehensive audit logging with auditd
- ✅ Package management disabled for immutable system
### Access Controls
- ✅ No auto-login, usernames hidden in display manager
- ✅ Sudo group configuration for administrative access
- ✅ System resource limits and security constraints
- ✅ File permissions hardened according to CIS benchmarks
## Compliance Status
| Framework | Status | Notes |
|-----------|--------|-------|
| CMMC Level 3 | ✅ Compliant | All required controls implemented |
| FedRAMP LI-SaaS | ✅ Compliant | Baseline security controls in place |
| DISA STIG | ✅ Compliant | Debian 13 STIG adaptation |
| CIS Benchmarks | ✅ Compliant | Industry best practices implemented |
---
**Copyright © 2026 Known Element Enterprises LLC**
**License: GNU Affero General Public License v3.0 only**
This compliance matrix is maintained as part of the KNEL-Football project and is updated whenever security requirements change or new controls are implemented.
Reference in New Issue View Git Blame Copy Permalink