All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- ni-logos-xt outbound traffic is now permitted on the firewall's 'work' zone. (#66)
usbguardconfiguration is verified when installed - requires manual installation (#68)
Release corresponding to the LV 2025Q3 / NILRT 11.2 release.
- Syslog outbound traffic is now permitted on the firewall's 'work' zone. (#64)
- Fixed a bug in the auditd configuration where the service's initscript would not be registered with update-rc.d. (#63)
- Fixed a bug in the auditd configuration that would cause an internal python error when trying to verify a system where the
auditd.conffile does not exist. (#65)
Release corresponding to the LV 2025Q2 / NILRT 11.1 release.
- Install and configure
auditdin order to log system activites. - Install and configure
syslog-ngin order to log system activites. - Added service definitons for SNAC-supported NI services to the firewalld configuration. (#50)
- Added a
nilrt-snac verifytask forni-labview-realtime. (#53) - Auditd is now installed and configured by
nilrt-snac configure. (#57) - syslog-ng is now configured by
nilrt-snac configure. (#59)
- Restricted write access to system logs in
/var/logto System Maintainers (root) and Auditors via theadmgroup. - Restricted write access to
auditd.confto System Maintainers and Admins via thesudogroup. - NTP traffic is now permitted on the public network, by default. (#50)
- niroco traffic is now permitted on the work firewall zone. (#52)
- Corrected the
verifyoperation to ensure it accurately detects configuration changes. - Corrected the opkg config file permissions so that unprivileged users can perform read-only opkg operations. (#55)
- Fixed a bug in the
verifyoperation that could cause it to return a sucess, if config values have been changed to super-strings of their current value. (#61)
Release corresponding to the NILRT 11.0 (2025Q1) distribution release.
- Added a
verifyoperation to non-destructively check that the system is still SNAC-compliant. (#15) - Added a system test fixture that sets up a wireguard tunnel between a Windows host and a SNAC device (#41).
- The dedicated wireguard interface is now called
wglv0(#6). - Most of the project's logic has been reimplemented as a python module (#15).
- Many changes to the
nilrt-snac configureactions.- Disable WIFI interfaces. (#2, #13)
- Install a
nilrt-snac-conflictsmeta-package, so that the tool can forbid re-installation of non-compliant packages. (#5) - Install
wireguard-toolsconfiguration files forwglv0, so it can persist between reboots (#6). - Install
libpwqualityand enable password quality checks. (#11, #25, #30) - Configure
sudo. (#19) - Remove
packagegroup-ni-graphicalin addition topackagegroup-core-x11andpackagegroup-ni-xfce(#44). - Install
wireguard-toolsfrom the NI IPK feed (#36, #39). - Install and configure
tmuxas the shell, including adding a 15 minute inactivity lock (#17) - Install
firewalldwith explicit control over both inbound and outbound traffic. (#29, #50)firewalldis configured to permit selected NI service traffic over wireguard. (#50)
- Create a valid
opasswdfile. (#35) - Install the
ni-sysapi-clipackage, to enable sysapi communications (#43). - Disable the graphical UI and console output (#45).
Release corresponding to the SNAC v0.1 beta release.
- The
configureoperation now installs anilrt-snac-conflictsmeta-package, so that the tool can forbid re-installation of non-compliant packages. (#5)
- The dedicated wireguard interface is now called
wglv0(#6). - The
configureoperation now installswireguard-toolsconfiguration files forwglv0, so it can persist between reboots (#6).
Initial draft implementation.