⚠️ Historical changelog: entries describe the state at the time of writing.
Based on Keep a Changelog.
- USB Volume Hardening (`include/security/usb_volume_hardening.h`, `src/security/usb_volume_hardening.cpp`) — Defence-in-depth against FAT filesystem manipulation on USB admin sticks:
  - `computeVolumeHash()` / `verifyVolumeHash()` — SHA-256 of the license file content; any FAT-level replacement or byte-level edit is detected before the license is parsed.
  - `isMountedReadOnly()` — verifies `/proc/mounts` (Linux) or `FILE_READ_ONLY_VOLUME` (Windows); read-only mount enforcement prevents live writes to the stick during authentication.
  - `getUSBDeviceSerial()` / `verifyUSBSerial()` — reads SCSI VPD serial via sysfs on Linux, volume serial on Windows; prevents `dd`-cloned sticks from being accepted.
  - All hash/serial comparisons use `CRYPTO_memcmp` (constant-time) to prevent timing attacks.
  - Three new `USBAdminConfig` fields: `require_readonly_mount`, `expected_volume_hash`, `expected_usb_serial` — all opt-in; existing deployments are unaffected.
  - Three new `Metrics` counters: `usb_denied_not_readonly`, `usb_denied_volume_hash_mismatch`, `usb_denied_serial_mismatch` — for monitoring and alerting.
  - All hardening rejections produce structured audit-log entries with event names `USB_DENIED_NOT_READONLY`, `USB_DENIED_VOLUME_HASH_MISMATCH`, `USB_DENIED_SERIAL_MISMATCH`.
  - 22 tests in `tests/test_usb_volume_hardening.cpp`; `USBVolumeHardeningFocusedTests` standalone target.
- Post-quantum cryptography support (Kyber KEM, Dilithium signatures)
- HSM-backed SigningService for hardware-protected key operations
- QueryMaskingPolicy for PII field masking in query results
- Secret manager with vault integration (Vault, AWS Secrets Manager)
- Security evidence collector for compliance reporting
- Certificate rotation automation
- AES-256-GCM field-level encryption
- PKI certificate management (X.509, GPG)
- RBAC policy enforcement
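
An added example for the USB Volume Hardening entry above (not the project's code): a fail-closed read-only check over `/proc/mounts`-format text and a constant-time digest comparison. The function names, the hand-written comparison standing in for `CRYPTO_memcmp`, and the sample mount table are assumptions constructed for illustration; mount points containing spaces (escaped as `\040` in `/proc/mounts`) are not handled.

```cpp
// Added illustration; all names here are hypothetical, not the project's API.
#include <cstddef>
#include <cstdio>
#include <sstream>
#include <string>

// True only if mountPoint appears in /proc/mounts-format text and its last
// (topmost) entry carries the exact option "ro". Unknown mount points fail closed.
bool mountIsReadOnly(const std::string& procMounts, const std::string& mountPoint) {
    std::istringstream lines(procMounts);
    std::string line;
    bool found = false, readOnly = false;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        std::string device, dir, fsType, options;
        if (!(fields >> device >> dir >> fsType >> options)) continue;  // malformed line
        if (dir != mountPoint) continue;
        found = true;
        readOnly = false;  // a later mount on the same path shadows earlier ones
        std::istringstream opts(options);
        std::string opt;
        while (std::getline(opts, opt, ','))
            if (opt == "ro") readOnly = true;  // "errors=remount-ro" must not match
    }
    return found && readOnly;
}

// Constant-time equality for fixed-length digests or serials (stand-in for CRYPTO_memcmp).
bool constantTimeEqual(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;  // length of a SHA-256 hex digest is not secret
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);  // no early exit on mismatch
    return diff == 0;
}

// Constructed sample in /proc/mounts format (device, dir, type, options, dump, pass).
const char* const kSampleMounts =
    "/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0\n"
    "/dev/sdb1 /media/admin vfat ro,nosuid,nodev,relatime 0 0\n"
    "/dev/sdc1 /media/other vfat rw,nosuid,nodev 0 0\n";

int main() {
    std::printf("/media/admin read-only: %d\n", mountIsReadOnly(kSampleMounts, "/media/admin"));
    std::printf("/media/other read-only: %d\n", mountIsReadOnly(kSampleMounts, "/media/other"));
    std::printf("digest match: %d\n", constantTimeEqual("ab12", "ab12"));
    return 0;
}
```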