- Add architecture.md with system architecture details
- Add COMPLIANCE.md with compliance matrix
- Add security-model.md with security specifications
- Add prompts-cache.md for AI prompt history

💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush <crush@charm.land>
# KNEL-Football

## Overview
KNEL-Football is a highly secure, compliant Debian 13 (Trixie) installation ISO built using a strict Docker-based workflow with Test-Driven Development methodology. The resulting ISO provides a minimal, hardened system with restricted networking designed for tier0 infrastructure access.
## Features

### Security Hardening
- ✅ CMMC Level 3 compliant
- ✅ FedRAMP LI-SaaS ready
- ✅ DISA STIG and CIS Benchmark implementation
- ✅ WiFi and Bluetooth permanently disabled (kernel blacklist)
- ✅ Package management tools disabled with immutable permissions
- ✅ Secure Boot with measured boot (UEFI only)
### Network Restrictions
- ✅ WireGuard-only network access
- ✅ Dynamic firewall configuration (nftables)
- ✅ No general internet connectivity
- ✅ QR code import for configuration
### Minimal Desktop
- ✅ IceWM window manager (minimal)
- ✅ LightDM display manager (privacy mode)
- ✅ Required applications: Remmina, WireGuard, Mousepad, PCManFM
- ✅ USB automount support
## Quick Start

### Prerequisites
- Docker
- Git
- Libvirt (virt-install, virsh)
### Build

```bash
# Clone the repository
git clone https://git.knownelement.com/KNEL/football.git
cd football

# Build the ISO
./run.sh build
```

### Test

```bash
# Run all tests
./run.sh test

# Run linting checks
./run.sh lint
```

### Clean

```bash
# Clean build artifacts
./run.sh clean
```
## Project Structure

```text
knel-football/
├── README.md                 # This file
├── LICENSE                   # AGPLv3 license
├── AGENTS.md                 # AI agent documentation
├── football-spec.md          # Technical specification
├── run.sh                    # Host wrapper script
├── Dockerfile                # Build/test container
├── .gitignore                # Git ignore rules
├── config/                   # live-build configuration
│   ├── preseed.cfg           # Installation automation
│   ├── package-lists/        # Software packages
│   ├── hooks/                # Build hooks
│   │   ├── live/             # Live system hooks
│   │   └── installed/        # Post-installation hooks
│   └── includes/             # File inclusions
├── src/                      # Build scripts
│   ├── build-iso.sh          # Main ISO build
│   ├── security-hardening.sh # Security configurations
│   ├── firewall-setup.sh     # Dynamic firewall
│   └── compliance-check.sh   # Validation
├── tests/                    # Test suite
│   ├── unit/                 # Unit tests
│   ├── integration/          # Integration tests
│   ├── security/             # Security tests
│   └── fixtures/             # Test data
├── docs/                     # Documentation
│   ├── architecture.md       # System architecture
│   ├── security-model.md     # Security model
│   └── user-guide.md         # User documentation
└── output/                   # Generated ISO files
```
## Security Features

### Kernel Module Blacklisting
- WiFi modules: cfg80211, mac80211, brcmfmac, iwlwifi, ath9k, rt73usb
- Bluetooth modules: btusb, bluetooth, btrtl, btintel, btbcm
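Added example (not the project's `src/security-hardening.sh`) that generates the modprobe.d file for the module lists above and checks it. A plain `blacklist` line only stops alias-based autoloading; the `install <module> /bin/false` line additionally defeats an explicit `modprobe` and dependency loading. The output path and conf file name are assumptions.

```shell
#!/bin/sh
# Added example, not the project's security-hardening.sh: emit a modprobe.d
# file that both blacklists and neutralises each WiFi/Bluetooth module.
# The default output path below is an assumption.
set -eu
WIFI_MODULES="cfg80211 mac80211 brcmfmac iwlwifi ath9k rt73usb"
BT_MODULES="btusb bluetooth btrtl btintel btbcm"

# Print the modprobe.d directives for one group of modules.
blacklist_conf() {
  label="$1"; shift
  echo "# $label modules: permanently disabled"
  for m in "$@"; do
    echo "blacklist $m"            # no autoload via alias
    echo "install $m /bin/false"   # explicit/dependency load fails too
  done
}

# Write both groups to one conf file and print its path.
write_blacklist() {
  out="${1:-/etc/modprobe.d/knel-radio-blacklist.conf}"
  { blacklist_conf WiFi $WIFI_MODULES; blacklist_conf Bluetooth $BT_MODULES; } >"$out"
  printf '%s' "$out"
}

# Return 0 only if the conf carries both directives for the module.
covers_module() {
  grep -qx "blacklist $2" "$1" && grep -qx "install $2 /bin/false" "$1"
}

# Count blacklisted modules that are nevertheless loaded (reads /proc/modules).
loaded_blacklisted() {
  n=0
  for m in $WIFI_MODULES $BT_MODULES; do
    if [ -r /proc/modules ] && grep -q "^$m " /proc/modules; then n=$((n+1)); fi
  done
  echo "$n"
}
```

Modules loaded from the initramfs are only affected once the initramfs is rebuilt (`update-initramfs -u` on Debian), so `loaded_blacklisted` is the check to run after a reboot.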
### Firewall Configuration
- Default deny policy
- Dynamic WireGuard endpoint parsing
- UDP traffic only to WireGuard server
- nftables implementation
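Added example (not the project's `src/firewall-setup.sh`) of the dynamic part: the WireGuard endpoint is parsed from a wg-quick style config and turned into a default-deny nftables ruleset whose only untunnelled egress is UDP to that endpoint. The table name `knel`, interface `wg0` and the sample config are assumptions; hostname endpoints are refused because no DNS is reachable under default deny before the tunnel is up.

```shell
#!/bin/sh
# Added example, not the project's src/firewall-setup.sh: build a default-deny
# nftables ruleset from the Endpoint line of a wg-quick config so that the only
# untunnelled traffic is UDP to the WireGuard server. "knel"/"wg0" are assumed.
set -eu
# Constructed sample config with placeholder keys, not a real deployment.
SAMPLE_CFG="$(mktemp)"
cat >"$SAMPLE_CFG" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.66.0.2/32
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
EOF
# First "host:port" value on an Endpoint line of the given config file.
wg_endpoint() {
  sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}
# Split "host:port" or "[v6host]:port" into its parts.
endpoint_host() { h="${1%:*}"; h="${h#[}"; printf '%s' "${h%]}"; }
endpoint_port() { printf '%s' "${1##*:}"; }
# Hostnames are refused: with default deny there is no DNS before the tunnel.
is_ip_literal() { case "$1" in *:*) return 0 ;; *[!0-9.]*) return 1 ;; *) return 0 ;; esac; }
# Input: loopback and conntrack replies only. Output: loopback, replies,
# anything into the tunnel interface, and UDP to the endpoint. Rest dropped.
nft_ruleset() {
  host="$1"; port="$2"; wgif="${3:-wg0}"; fam=ip
  is_ip_literal "$host" || { echo "endpoint must be an IP literal: $host" >&2; return 1; }
  case "$host" in *:*) fam=ip6 ;; esac
  cat <<EOF
table inet knel {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    oifname "$wgif" accept
    $fam daddr $host udp dport $port accept
  }
}
EOF
}
```

Apply with `nft_ruleset "$(endpoint_host "$ep")" "$(endpoint_port "$ep")" | nft -f -` after `ep="$(wg_endpoint /etc/wireguard/wg0.conf)"`; re-run it whenever the config is re-imported so the rule follows the endpoint.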
### Package Management Security

- Execute permissions removed
- Immutable with `chattr +i`
- APT/DPKG metadata cleared
- No package updates possible
### Boot Security
- UEFI-only boot mode
- Secure Boot enabled
- Measured boot implementation
- Custom keys included
## Compliance
- CMMC Level 3 - Entry point to tier0 infrastructure
- FedRAMP LI-SaaS - Ready for federal government deployment
- DISA STIG - Adapted Debian 11 STIG for Debian 13
- CIS Benchmarks - Industry best practices for Debian Linux
## User Workflow

### Installation
- Boot from ISO
- Complete manual partitioning
- Set root password
- Create non-root user (auto-added to sudo)
### Configuration
- Mount USB drive with WireGuard config
- Use desktop shortcuts to import/apply configuration
- QR code scanning available for mobile configuration
### Remote Access
- Remmina for RDP connections
- WireGuard tunnel for all network traffic
- No direct internet access possible
## Development

### Test-Driven Development
- Tests written before implementation
- 100% code coverage mandatory
- BATS framework for testing
- Shellcheck for linting
### Build Environment
- Docker-based container
- No build tools on host
- All dependencies in container
- Proper file permissions
## Contributing
This project is developed under the GNU Affero General Public License v3.0. Contributions must follow the same license and include proper attribution.
## License
Copyright © 2026 Known Element Enterprises LLC
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.
## Contact
Known Element Enterprises LLC
- Website: https://knownelement.com
- Repository: https://git.knownelement.com/KNEL/football