boma/docs/decisions
sjat 19dd89b875 Re-challenge accepted risks; adopt CIS hardening + IDS
Walked the seeded accepted-risk register (R1-R4) and turned inherited gaps into
deliberate decisions:

- Supply chain (R1): tightened to required baseline hygiene (digest pinning,
  official/verified images); active scanning deferred — stays an accepted risk
- CIS (R2): adopted as a positive decision — CIS Debian L1+L2 (base role) + CIS
  Docker (docker_host + service checklist); app layer via the checklist
- SELinux/AppArmor (R3): AppArmor becomes a baseline control (CIS-enforced);
  register keeps a clean "no SELinux" accept
- IDS (R4): adopt AIDE (baseline via CIS) + Suricata on OPNsense + active alerting

Register shrinks from 4 inherited gaps to 2 deliberate accepts. ADR-002 gains a
Hardening standard section; STATUS + TODO 15 track the (unbuilt) implementation,
including the CIS L2 partition impact on VM provisioning (ADR-006).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 15:15:39 +02:00
001-architecture.md Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16) 2026-05-30 19:32:37 +02:00
002-security.md Re-challenge accepted risks; adopt CIS hardening + IDS 2026-06-04 15:15:39 +02:00
003-toolchain.md Reconcile CI to trunk-based; mark base/docker_host not-built (R6-R8,R15-R16) 2026-05-30 19:32:37 +02:00
004-docker-model.md Add architecture decision records and runbooks 2026-05-30 14:10:01 +02:00
005-bootstrapping.md Purge residual .vault_pass references (review R1-R5) 2026-05-30 19:17:25 +02:00
006-terraform.md Use local Terraform state; drop unworkable Forgejo HTTP backend (R10b) 2026-05-30 21:34:05 +02:00
007-network.md Correct Forgejo host to forgejo.nyumbani.baobab.band 2026-05-30 18:16:38 +02:00
008-testing.md Fix Forgejo registry path to owner/image format (review R10a) 2026-05-30 21:34:02 +02:00
009-provisioning-handoff.md Correct Forgejo host to forgejo.nyumbani.baobab.band 2026-05-30 18:16:38 +02:00
010-forgejo-ci.md Record the Vaultwarden item name for the Forgejo token in ADR-010 2026-05-30 21:35:24 +02:00
012-hardware-capacity.md Note latest.md report mirror in ADR-012 2026-06-01 10:40:16 +02:00