football/docs/COMPLIANCE.md
reachableceo efb6988719 fix: remove host FDE requirement, fix remaining audit partials
Host FDE is no longer required — only guest (ISO) FDE matters per owner
direction. The build host's security posture is the owner's responsibility.
The Docker container already isolates the build process.

Changes:
- run.sh: Removed check_host_fde() function and its call in iso build path
- run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete)
- run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09)
- docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI
- docs/COMPLIANCE.md: Replaced fraudulent summary with honest aspirational
- config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06)
- src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12)
- tests/: Updated 3 test files for guest encryption instead of host FDE
- AGENTS.md, README.md, audit docs: Removed host FDE references
- STATUS.md: Updated for current state
- JOURNAL.md: Added ADR-017 (host FDE not required)

782 tests pass, 0 fail, 0 shellcheck warnings.

Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 14:28:04 -05:00


KNEL-Football Compliance Matrix

Overview

This document maps security compliance requirements to implementation components in the KNEL-Football secure Debian 13 ISO build system.

Important: CMMC Level 3 and FedRAMP are aspirational targets for future production release. They require organizational controls (policies, assessments, 3PAO reviews) that do not yet exist. Current implementation covers technical controls only. No organizational certification has been obtained. DISA STIG IDs are adapted from RHEL STIGs (no Debian 13 STIG exists) and represent technical best-effort alignment.

Copyright © 2026 Known Element Enterprises LLC License: GNU Affero General Public License v3.0 only

Compliance Frameworks

| Framework | Status | Notes |
|---|---|---|
| CMMC Level 3 | 🎯 Aspirational | Requires 130+ practices, 3PAO assessment |
| FedRAMP LI-SaaS | 🎯 Aspirational | Requires agency sponsorship, ConMon |
| DISA STIG | 🔧 Adapted | RHEL STIG IDs applied to Debian 13 (no Debian STIG exists) |
| CIS Benchmarks | Technical controls | Center for Internet Security Debian Linux Benchmark |
| NIST SP 800-53 | Partial | ~12 controls mapped (800-53 has 1,000+) |
| NIST SP 800-111 | Implemented | LUKS2 disk encryption configured |

Security Controls Mapping

Network Security

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| WiFi Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | config/hooks/live/security-hardening.sh | |
| Bluetooth Module Blacklisting | N/A (custom) | 4.8 | Kernel module blacklisting | config/hooks/live/security-hardening.sh | |
| Default Deny Firewall | RHEL-08-040020 | 4.4 | nftables with deny all policy | config/hooks/live/firewall-setup.sh | |
| WireGuard-Only Network Access | N/A (custom) | 4.4 | Dynamic firewall rules | src/firewall-setup.sh | |

System Hardening

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| SSH Client-Only | RHEL-08-010000 | 5.2 | Client config, no server | src/security-hardening.sh | |
| Password Policy | RHEL-08-020200 | 5.1 | pwquality.conf with 14-char minimum | src/security-hardening.sh | |
| System Resource Limits | RHEL-08-040123 | 5.3 | limits.d/security.conf | src/security-hardening.sh | |
| File Permissions | RHEL-08-040040 | 3.3 | Secure file permissions | src/security-hardening.sh | |

Logging and Monitoring

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| Audit Daemon | RHEL-08-030160 | 6.2 | auditd configuration | config/hooks/live/security-hardening.sh | |
| System Logging | RHEL-08-030590 | 6.1 | rsyslog configuration | package-lists/knel-football.list.chroot | |
| Audit Rules | RHEL-08-030652 | 6.2 | Custom audit rules | src/security-hardening.sh | |

Package Management

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| Disable Package Management | N/A (custom) | 2.1 | chmod + chattr on package tools | config/hooks/installed/disable-package-management.sh | |
| Clean Package Metadata | N/A (custom) | 2.1 | Remove /var/lib/apt /var/lib/dpkg | config/hooks/installed/disable-package-management.sh | |

Access Control

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| Sudo Group Configuration | RHEL-08-010300 | 5.4 | User added to sudo group | config/hooks/installed/install-scripts.sh | |
| Hide Usernames in Display Manager | N/A (custom) | 5.7 | LightDM privacy configuration | config/hooks/live/desktop-environment.sh | |
| No Auto-Login | RHEL-08-020010 | 5.7 | LightDM manual login only | config/hooks/live/desktop-environment.sh | |

Boot Security

| Control | STIG ID | CIS Control | Implementation | Hook/Script | Status |
|---|---|---|---|---|---|
| UEFI Boot Only | RHEL-08-010240 | 4.1 | ISO build configuration | config/config | |
| Secure Boot Support | RHEL-08-010240 | 4.1 | grub-efi-amd64-bin | Dockerfile | |

Compliance Validation Tests

Automated Tests

| Test Type | Test File | Validation Target | Coverage |
|---|---|---|---|
| Unit Tests | tests/unit/firewall-setup_test.bats | Firewall configuration parsing | 🔧 |
| Unit Tests | tests/unit/security-hardening_test.bats | Security hardening functions | 🔧 |
| Unit Tests | tests/unit/build-iso_comprehensive_test.bats | Build process functions | 🔧 |
| Integration Tests | tests/integration/config_test.bats | Configuration file validation | 🌐 |
| Security Tests | tests/security/compliance_test.bats | Compliance verification | 🔒 |

In-ISO Validation

Post-installation validation can be performed using:

```bash
# Check encryption status
/usr/local/bin/check-encryption.sh

# Check security hardening status
/usr/local/bin/security-hardening.sh

# Convert LUKS KDF to Argon2id (if not already done)
/usr/local/bin/convert-luks-kdf.sh
```
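As an added example (not the project's check-encryption.sh or security-hardening.sh), the script below turns several technical controls from the matrix into functions over captured system text, so the same checks run offline against constructed input and live inside the installed ISO; the WiFi/Bluetooth module names in WIFI_BT_MODULES are an assumption, since the page does not list them.

```bash
#!/usr/bin/env bash
# Added example, not one of the project's own check scripts. Each function
# takes captured text (config file, command output) and returns 0 on pass,
# so it can be unit-tested offline and reused in --live mode in the ISO.
# WIFI_BT_MODULES is an assumption; the page does not name the modules.
WIFI_BT_MODULES="iwlwifi bluetooth"

# CIS 4.8: module must be blacklisted AND made unloadable via an install rule.
module_blacklisted() {  # $1 = module name, $2 = contents of /etc/modprobe.d/*.conf
  grep -Eq "^[[:space:]]*blacklist[[:space:]]+$1([[:space:]]|$)" <<<"$2" &&
  grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|$)" <<<"$2"
}

# RHEL-08-020200: the last effective minlen must be at least 14.
pwquality_minlen_ok() {  # $1 = contents of /etc/security/pwquality.conf
  local minlen
  minlen=$(sed -nE 's/^[[:space:]]*minlen[[:space:]]*=[[:space:]]*([0-9]+).*/\1/p' <<<"$1" | tail -n1)
  [ -n "$minlen" ] && [ "$minlen" -ge 14 ]
}

# RHEL-08-040020: every input/forward base chain must carry "policy drop";
# having no such chain at all (no firewall loaded) is also a failure.
nft_default_deny() {  # $1 = output of 'nft list ruleset'
  local hooks
  hooks=$(grep -E 'hook (input|forward)' <<<"$1")
  [ -n "$hooks" ] && ! grep -q 'policy accept' <<<"$hooks"
}

# NIST SP 800-111: every LUKS2 keyslot must use argon2id; a pbkdf2 keyslot is
# the case convert-luks-kdf.sh from the matrix is meant to remediate.
luks_kdf_argon2id() {  # $1 = output of 'cryptsetup luksDump <device>'
  awk '/^[[:space:]]*PBKDF:/ { n++; if ($2 != "argon2id") bad = 1 }
       END { code = (n == 0 || bad) ? 1 : 0; exit code }' <<<"$1"
}

# Live mode (run as root in the installed system): feed real state to the same
# functions and report every failing control instead of stopping at the first.
live_check() {
  local rc=0 m dev
  for m in $WIFI_BT_MODULES; do
    module_blacklisted "$m" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" || { echo "FAIL: $m loadable"; rc=1; }
  done
  pwquality_minlen_ok "$(cat /etc/security/pwquality.conf 2>/dev/null)" || { echo "FAIL: minlen < 14"; rc=1; }
  nft_default_deny "$(nft list ruleset 2>/dev/null)" || { echo "FAIL: firewall not default deny"; rc=1; }
  for dev in $(lsblk -rno PATH,FSTYPE | awk '$2 == "crypto_LUKS" { print $1 }'); do
    luks_kdf_argon2id "$(cryptsetup luksDump "$dev" 2>/dev/null)" || { echo "FAIL: $dev not argon2id"; rc=1; }
  done
  return $rc
}
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Invoke with `--live` as root inside the installed system; without arguments the script only defines the functions so they can be sourced by a test file.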

Compliance Evidence

Documentation

  • COMPLIANCE.md - This compliance matrix
  • security-model.md - Detailed security architecture
  • architecture.md - System design and threat model

Build Artifacts

  • Configuration Files - All security configurations in version control
  • Hook Scripts - Automated application of security controls
  • Test Suite - Automated validation of compliance requirements
  • ISO Image - Fully compliant, hardened operating system

Verification Process

  1. Pre-Build Validation - Tests run before ISO creation
  2. Build-Time Validation - Hooks verify configuration application
  3. Post-Install Validation - Compliance testing in live environment
  4. Security Audit - Regular security reviews and penetration testing

Security Controls Summary

Network Controls

  • WiFi and Bluetooth permanently disabled via kernel module blacklisting
  • Default deny firewall policy with nftables
  • WireGuard-only network access with dynamic configuration
  • USB automount support for secure configuration transfer
  • Minimal desktop with IceWM and privacy-focused LightDM
  • SSH client-only (no server, no inbound access)
  • Strong password policy (14 characters minimum)
  • Comprehensive audit logging with auditd
  • Package management disabled for immutable system

Access Controls

  • No auto-login, usernames hidden in display manager
  • Sudo group configuration for administrative access
  • System resource limits and security constraints
  • File permissions hardened according to CIS benchmarks

Compliance Status

| Framework | Status | Notes |
|---|---|---|
| CMMC Level 3 | 🎯 Aspirational Target | Requires organizational controls not yet in place |
| FedRAMP LI-SaaS | 🎯 Aspirational Target | Requires organizational controls not yet in place |
| DISA STIG | 🔄 Adapted | Debian 13 STIG adaptation, not formally validated |
| CIS Benchmarks | 🔄 Partial | Industry best practices applied where applicable |


This compliance matrix is maintained as part of the KNEL-Football project and is updated whenever security requirements change or new controls are implemented.