football/STATUS.md

# KNEL-Football Project Status Report

> **Last Updated**: 2026-05-08 (Session 8 - Batch 4 - M-09/M-10/M-11/H-09)
> **Maintained By**: AI Agent (Crush)
> **Purpose**: Quick-glance status for project manager

---

## Current Status: 🔧 ALL TECHNICAL FIXES APPLIED — ISO REBUILD BLOCKED BY HOST FDE

### Executive Summary
All 28 non-deferred findings from DeepReport-2026-05-08.md have been addressed in code.
ISO cannot be rebuilt because the build host lacks LUKS encryption — the FDE check
(C-02 fix) correctly blocks builds on unencrypted hosts per PRD FR-011.

### What's Needed From You (Human Action Required)
1. **Enable host FDE** — Your build host at `/dev/nvme0n1p2` has no LUKS. Options:
   - Backup + reinstall with encrypted LVM
   - Use `encrypt-existing-debian` for in-place encryption
2. **Rebuild ISO** — After enabling host FDE: `./run.sh iso`
3. **Git history scrub** — `git filter-repo --path config/includes.installer/demo.preseed.cfg --invert-paths` then force-push
4. **Test on real hardware** — Install ISO, verify `cryptsetup luksDump` shows Argon2id

---

## Remediation Progress — All Technical Fixes Done

| # | Finding | Severity | Status | How Fixed |
|---|---------|----------|--------|-----------|
| C-01 | Argon2id KDF not enforced | CRITICAL | ✅ | preseed early_command patches partman-crypto |
| C-02 | Host FDE check never called | CRITICAL | ✅ | check_host_fde() now called, blocks build |
| C-03 | Docker --privileged | CRITICAL | ✅ | Fine-grained caps (SYS_ADMIN,MKNOD,etc) |
| C-04 | SB keys unencrypted | CRITICAL | ✅ | chmod 700 dir, chmod 600 keys |
| C-05 | USB noexec/nosuid/nodev | CRITICAL | ✅ | All mount options added + input validation |
| C-06 | Plaintext creds in git | CRITICAL | ⬜ HUMAN | Needs git-filter-repo (destructive) |
| H-01 | StrictHostKeyChecking ask | HIGH | ✅ | Changed to yes |
| H-02 | sshd_config written | HIGH | ✅ | Removed from both live hook AND src/ |
| H-03 | src/firewall missing ct state | HIGH | ✅ | Added established,related |
| H-04 | QR temp file insecure | HIGH | ✅ | chmod 600 |
| H-05 | cryptsetup broken syntax | HIGH | ✅ | printf pipe instead of echo+heredoc |
| H-06 | Hardcoded /dev/sda3 | HIGH | ✅ | find-luks-device.sh helper |
| H-07 | sbverify returns success on fail | HIGH | ✅ | Now returns 1 (fatal) |
| H-08 | Missing module.sig_enforce | HIGH | ✅ | Added to all 3 UKI build paths |
| H-09 | Build cache no integrity | HIGH | ✅ | Cache manifest + SHA256 verification |
| M-01 | apply_security_hardening missing calls | MEDIUM | ✅ | Now calls FIM + SSH client |
| M-02 | Sudo group conflict | MEDIUM | ✅ | Removed football from sudo group |
| M-03 | PAM not configured | MEDIUM | ✅ | enforce_for_root in common-password |
| M-04 | Recovery key generation | MEDIUM | ✅ | Fixed bs=32 count=1 |
| M-05 | Firewall allows any WG endpoint | MEDIUM | ✅ | Single port 51820 |
| M-06 | AIDE not initialized | MEDIUM | ✅ | aideinit + daily cron |
| M-07 | Mount hardening fstab only | MEDIUM | ✅ | Auto-adds missing entries |
| M-08 | USB no audit logging | MEDIUM | ✅ | logger -t usb-automount |
| M-09 | Build not reproducible | MEDIUM | ✅ | SOURCE_DATE_EPOCH + BUILD-INFO.txt |
| M-10 | No GPG signing | MEDIUM | ✅ | Ephemeral or persistent GPG signing |
| M-11 | Docker base not digest-pinned | MEDIUM | ✅ | sha256:1d3c8111... in Dockerfile |
| M-12 | WiFi blacklist incomplete | MEDIUM | ✅ | Added 8 more modern drivers |

**Legend**: ✅ Done | ⬜ Needs human action

---

## What Was Done This Session

### Batch 1 (commit 2b422cf)
C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12
+ 3 tests updated to match new security posture

### Batch 2 (commit ae1344c)
C-01 (first attempt - later fixed properly), C-03, C-04, M-03, M-06, L-01, L-05, L-07
+ JOURNAL.md updated with ADR-014/015/016

### Batch 3 (commit 3d2ef3d) — Honest fixes
C-01 done RIGHT (preseed early_command, not dead-code cryptsetup), H-02 for real
(src/ sshd_config removed), COMPLIANCE.md marked aspirational, VERIFICATION-REPORT
warning added, AIDE error reporting fixed, .dockerignore added, .gitignore fixed

### Batch 4 (this commit)
M-09: SOURCE_DATE_EPOCH + BUILD-INFO.txt for reproducibility
M-10: GPG signing of ISO and checksums (ephemeral or persistent key)
M-11: Docker base image digest-pinned
H-09: Build cache integrity via SHA256 manifest
Dockerfile: Added sbsigntool, shim-signed, systemd-boot-efi, gpg

---

## Build Verification

| Item | Status |
|------|--------|
| Docker image | ✅ Built successfully with new packages |
| Lint (shellcheck) | ✅ 0 warnings |
| Tests | ✅ 786 pass, 0 fail |
| ISO build | ❌ Blocked — host lacks FDE (correct behavior) |

---

## What You Need To Do

### Step 1: Enable Host FDE
Your build host `/dev/nvme0n1p2` has no LUKS. You must encrypt it before building.

### Step 2: Rebuild ISO
```bash
./run.sh iso        # Will work after host FDE enabled
```

### Step 3: Scrub Git History (C-06)
```bash
# Install git-filter-repo
pip install git-filter-repo

# Remove demo.preseed.cfg from all history
git filter-repo --path config/includes.installer/demo.preseed.cfg --invert-paths
git push --force origin main
```

### Step 4: Validate on Real Hardware
- Install the ISO
- Run `cryptsetup luksDump /dev/sda3` — verify KDF shows argon2id
- Try `ssh localhost` — should be refused (no server)
- Insert USB — verify mount has noexec,nosuid,nodev
- Check `grep StrictHostKeyChecking /etc/ssh/ssh_config` — should be "yes"

---

*This file is maintained by the AI agent. For AI memory and insights, see JOURNAL.md.*