football/JOURNAL.md

# KNEL-Football Development Journal

> **IMPORTANT**: This file is APPEND-ONLY. Never delete or modify existing entries.
> Add new entries at the TOP (after this header) with date and context.
> This serves as long-term memory for AI agents and human developers.

---

## Entry 2026-02-17 (Session 3): Project Re-Orientation

### Context
New session start. User requested deep project review and orientation. Reviewed git logs,
STATUS.md, JOURNAL.md, and current system state.

### Current State Assessment

1. **ISO Status**: STALE
   - Built: 2026-02-17 10:50
   - 6 commits since build (FIM, audit, SSH client-only, shellcheck fixes)
   - Missing features: AIDE FIM, comprehensive auditd, SSH client-only
   - Rebuild required to include recent security features

2. **Test Suite**: HEALTHY
   - 111 tests total, 92 pass, 19 skip (VM-required)
   - Skip reasons: VM not running, requires manual verification
   - Categories: unit (12), integration (6), security (44), system (47)
   - Zero failures, zero shellcheck warnings

3. **Compliance**: IN PROGRESS
   - CIS 1.4 (FIM): Code ready, not in ISO
   - CIS 5.2 (SSH): Code ready, not in ISO
   - CIS 6.2 (Audit): Code ready, not in ISO
   - NIST/FedRAMP/CMMC: Same status - config ready, needs rebuild

4. **Blockers**:
   - User NOT in libvirt group (blocks VM testing)
   - ISO outdated (blocks runtime verification)

### Architecture Review

```
KNEL-Football OS (this project)
    │ WireGuard (outbound only)
    ▼
Privileged Access Workstation
    │ Direct access
    ▼
Tier0 Infrastructure
```

Key design principle: **No inbound services**. SSH client, RDP client, WireGuard client only.

### Security Features Implemented (Code)

| Feature | File | Status |
|---------|------|--------|
| Full Disk Encryption | config/hooks/installed/encryption-*.sh | ✅ Code ready |
| Password Policy | src/security-hardening.sh | ✅ Code ready |
| Firewall (nftables) | config/hooks/live/firewall-setup.sh | ✅ Code ready |
| FIM (AIDE) | config/hooks/live/aide-setup.sh | ✅ Code ready |
| Audit Logging | config/hooks/live/audit-logging.sh | ✅ Code ready |
| SSH Client-Only | config/hooks/live/ssh-client-only.sh | ✅ Code ready |
| WiFi/Bluetooth Block | config/hooks/live/security-hardening.sh | ✅ Code ready |

### Key Files to Understand

- `run.sh` - Main entry point for all operations
- `AGENTS.md` - Agent behavior guidelines (READ FIRST)
- `STATUS.md` - Manager status report
- `JOURNAL.md` - This file - AI memory
- `PRD.md` - Product requirements
- `config/preseed.cfg` - Debian installer configuration
- `config/hooks/live/` - Runtime configuration hooks
- `tests/` - BATS test suite

### Open Action Items (from STATUS.md)

1. Rebuild ISO with new security features
2. Logout/login for libvirt access (user action)
3. Run VM boot tests after ISO rebuild
4. Remove hardcoded passwords from preseed.cfg
5. Consider Secure Boot implementation

### Session Decision

**Next step**: Rebuild ISO to include FIM, audit logging, SSH client-only changes.
This is a 60-90 minute build. User should decide if they want to start it now.

### ADR-008: ISO Rebuild Priority
**Date**: 2026-02-17
**Status**: Proposed

**Context**: 6 commits with security features made since last ISO build. Need to decide
whether to rebuild now or continue development.

**Options**:
1. Rebuild now - validates features, enables runtime testing
2. Continue development - batch more changes, rebuild later

**Recommendation**: Rebuild now. Features are ready, compliance requires verification.

---

## Entry 2026-02-17 (Session 2): FIM, Audit, SSH Security Enhancements

### Context
Continued session focused on closing compliance gaps for CIS, FedRAMP, and CMMC.
Added File Integrity Monitoring (FIM), comprehensive audit logging, and SSH client-only
configuration. Resolved all shellcheck warnings and added git safety documentation.

### Changes Implemented

1. **File Integrity Monitoring (AIDE)**
   - Added `config/hooks/live/aide-setup.sh`
   - Configured to monitor /etc, /bin, /sbin, /usr/bin, /usr/sbin, /lib
   - Initializes database on first boot
   - Compliance: CIS 1.4, FedRAMP AU-7, CMMC AU.3.059

2. **Comprehensive Audit Logging**
   - Added `config/hooks/live/audit-logging.sh`
   - Monitors: auth, access, modification, privilege, session events
   - Log retention: 90 days
   - Compliance: CIS 6.2, FedRAMP AU-2, CMMC AU.2.042

3. **SSH Client-Only Configuration**
   - Modified `config/hooks/live/ssh-client-only.sh`
   - Disabled sshd service, removed server package
   - SSH client tools remain for outbound connections
   - Compliance: CIS 5.2, NIST 800-53 IA-5, CMMC IA.2.078

4. **Shellcheck Fixes**
   - Resolved all warnings in shell scripts
   - SC2120/SC2119: Functions called without arguments (correct behavior)
   - SC1091: Source files exist at runtime
   - SC2034: Variables used in templates
   - Result: ZERO shellcheck warnings

5. **Git Safety Rules**
   - Added to AGENTS.md:
     - Quote all path arguments (handles spaces)
     - Use non-interactive rebase (`git rebase --no-interactive` not available, use `-i` with care)
     - Destructive operations require user confirmation

### Test Coverage Update

```
Before Session: 31 tests
After Session:  111 tests (+80)

Unit Tests:        12 → 12 (unchanged)
Integration Tests:  6 →  6 (unchanged)
Security Tests:    13 → 44 (+31)
System Tests:       0 → 47 (+47, new category)
```

### Architectural Decision Records

#### ADR-005: File Integrity Monitoring via AIDE
**Date**: 2026-02-17
**Status**: Accepted

**Context**: Need file integrity monitoring for compliance (CIS 1.4, FedRAMP AU-7).

**Decision**: Use AIDE (Advanced Intrusion Detection Environment) with focused monitoring
of critical system directories.

**Rationale**:
- AIDE is mature, well-supported on Debian
- Lightweight compared to commercial alternatives
- Meets multiple compliance requirements
- Database can be rebuilt if needed

**Consequences**:
- Initial database creation on first boot (minor delay)
- Regular checks recommended via cron
- False positives if system packages updated legitimately

#### ADR-006: Comprehensive Audit via auditd
**Date**: 2026-02-17
**Status**: Accepted

**Context**: Need comprehensive audit logging for CIS 6.2, FedRAMP AU-2.

**Decision**: Use auditd with rules for all major event categories.

**Rationale**:
- auditd is the Linux standard for audit logging
- Kernel-level monitoring (cannot be bypassed by userspace)
- Structured logs for analysis
- Meets multiple compliance requirements

**Consequences**:
- Increased log volume (manageable with rotation)
- Performance impact minimal on workstation workloads
- Log retention policy required (90 days set)

#### ADR-007: SSH Client-Only Mode
**Date**: 2026-02-17
**Status**: Accepted

**Context**: KNEL-Football should have no inbound services.

**Decision**: Remove SSH server, keep only client tools.

**Rationale**:
- Reduces attack surface significantly
- Aligns with "outbound only" security model
- User can SSH out to other systems as needed
- No management via SSH (physical console only)

**Consequences**:
- No remote administration via SSH
- Must use physical console for management
- WireGuard outbound only, no inbound connections

### Lessons Learned

1. **Shellcheck Warnings Can Be Misleading**
   - SC2120/SC2119 warnings were false positives
   - Functions intentionally don't use arguments (generate static config)
   - Used `# shellcheck disable` sparingly, documented why

2. **Compliance Requirements Overlap**
   - CIS 1.4 (FIM) → FedRAMP AU-7 → CMMC AU.3.059
   - Single AIDE implementation satisfies all three
   - Document compliance mappings clearly

3. **Test Framework Scales Well**
   - Adding 80 new tests was straightforward
   - BATS + custom helpers pattern works
   - System tests for VM boot require special handling (libvirt)

### Action Items for Future Sessions

1. Rebuild ISO with new security features
2. Run VM boot tests after user logout/login for libvirt
3. Verify FDE runtime behavior in VM
4. Consider Secure Boot implementation
5. Update preseed.cfg to remove hardcoded passwords

---

## Entry 2026-02-17 (Session 1): Project Assessment and Test Coverage Analysis

### Context
Comprehensive project review after session handoff. User requested full orientation
and 100% test coverage including VM boot tests, Secure Boot, and FDE runtime tests.

### Insights

1. **Test Infrastructure Pattern**
   - BATS tests work well for static analysis but lack runtime verification
   - Current tests validate file existence and content, not actual behavior
   - Missing entire category: system/integration tests that boot the ISO

2. **Docker-Only Workflow is Correct**
   - All build/test commands run inside Docker containers
   - Prevents host system pollution
   - Makes builds reproducible across environments
   - Volumes: `/workspace` (read-only), `/build` (temp), `/output` (artifacts)

3. **Shellcheck Warnings Are Non-Critical**
   - SC2120/SC2119: Functions don't use arguments but called without `"$@"`
   - SC1091: Source files not available during shellcheck (exist at runtime)
   - Pattern: Functions generate config, don't need arguments

### Architectural Decision Records (ADRs)

#### ADR-001: Two-Tier Security Model
**Date**: 2026-01-28 (documented 2026-02-17)
**Status**: Accepted

**Context**: How should KNEL-Football OS access tier0 infrastructure?

**Decision**: KNEL-Football OS is a secure remote terminal, NOT direct tier0 access.
Flow: KNEL-Football OS → WireGuard VPN → Privileged Access Workstation → Tier0

**Rationale**:
- Defense in depth - multiple hops before tier0
- Compromise of laptop doesn't directly expose tier0
- WireGuard provides encrypted tunnel
- Physical workstation adds another security layer

**Consequences**:
- Network configuration focuses on WireGuard only
- WiFi/Bluetooth permanently disabled
- SSH configured for key-based auth only

#### ADR-002: Docker-Only Build Environment
**Date**: 2026-01-28 (documented 2026-02-17)
**Status**: Accepted

**Context**: How should ISO builds be executed?

**Decision**: ALL build operations run inside Docker containers. No host modifications.

**Rationale**:
- Reproducible builds across different host systems
- No pollution of host environment
- Easy cleanup (just remove containers/images)
- CI/CD friendly

**Consequences**:
- `run.sh` wraps all commands with `docker run`
- ISO build requires `--privileged` for loop devices
- Output artifacts copied via volume mounts

#### ADR-003: LUKS2 Over LUKS1
**Date**: 2026-01-28 (documented 2026-02-17)
**Status**: Accepted

**Context**: Which disk encryption format to use?

**Decision**: Use LUKS2 with Argon2id KDF, AES-256-XTS cipher, 512-bit key.

**Rationale**:
- LUKS2 is newer, more secure format
- Argon2id resists GPU/ASIC attacks better than PBKDF2
- AES-XTS is NIST-approved for disk encryption
- 512-bit key provides security margin

**Consequences**:
- Modern systems only (older grub may not support)
- Boot requires passphrase entry
- No recovery without passphrase

#### ADR-004: BATS Without External Libraries
**Date**: 2026-01-28 (documented 2026-02-17)
**Status**: Accepted

**Context**: BATS test framework libraries were failing to load.

**Decision**: Remove bats-support, bats-assert, bats-file dependencies.
Use custom assertion functions in `tests/test_helper/common.bash`.

**Rationale**:
- External library loading was unreliable
- Custom functions provide same functionality
- Fewer dependencies = fewer failure points
- Easier to debug when tests fail

**Consequences**:
- Custom assertions must be maintained
- Tests don't benefit from upstream library fixes
- But: simpler, more predictable behavior

### Patterns Observed

1. **Hook Organization**
   - `config/hooks/live/` - Runs during live session (before install)
   - `config/hooks/installed/` - Runs after installation
   - Pattern: Source shared functions, call main function

2. **Script Structure**
   ```bash
   #!/bin/bash
   set -euo pipefail
   # Functions that generate config
   main() { ... }
   # Call main if script executed directly
   ```

3. **Test Structure**
   ```bash
   #!/usr/bin/env bats
   @test "description" {
       # Setup
       # Exercise
       # Verify
   }
   ```

### Lessons Learned

1. **test:iso Command Was Broken**
   - `run.sh:172` references deleted `test-iso.sh`
   - Commit c1505a9 removed obsolete scripts including test-iso.sh
   - But run.sh was not updated to remove the command
   - Lesson: When removing files, search for all references

2. **Preseed.cfg Has Hardcoded Passwords**
   - Lines 28-31 contain default passwords
   - These are installer defaults, should be changed on first boot
   - Security risk if users don't change them
   - Lesson: Consider using installer prompts instead

3. **Test Coverage Claim vs Reality**
   - Documentation claimed 95% coverage
   - Reality: 100% static analysis, 0% runtime/VM testing
   - Lesson: Be precise about what "coverage" means

### Action Items for Future Sessions

1. Implement VM boot tests using libvirt
2. Add Secure Boot support (shim-signed, grub-efi-amd64-signed)
3. Create runtime FDE passphrase prompt tests
4. Remove hardcoded passwords from preseed.cfg
5. Fix shellcheck warnings (low priority, non-critical)

---

## Entry 2026-01-28: Initial Build Completion

### Context
First successful ISO build completed after 72 minutes.

### Insights

1. **Live-Build Stages**
   - bootstrap: Downloads base system (longest stage)
   - chroot: Installs packages, runs hooks
   - binary: Creates ISO filesystem
   - checksum: Generates SHA256/MD5

2. **Build Time Breakdown**
   - Total: ~72 minutes
   - bootstrap: ~40 minutes (network dependent)
   - chroot: ~20 minutes
   - binary: ~10 minutes

3. **ISO Size**
   - Final ISO: 450 MB
   - Includes: Debian base, IceWM, WireGuard, security tools
   - Reasonable size for secure workstation

### Patterns

1. **Docker Volume Strategy**
   - `/workspace` mounted read-only (source code)
   - `/build` for intermediate files
   - `/output` for final artifacts
   - Prevents accidental modification of source

2. **Checksum Generation**
   - Generate both SHA256 and MD5
   - Name checksum files after ISO
   - Copy to output directory with ISO

---

*End of Journal. Add new entries at the top.*