Marc S. Weidner BOT
aa94c53d65
X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa
Generated at : 2025-10-26T18:19:48Z
Runner Host : 6f8f9a786bfa
Workflow ID : 🛡️ Shell Script Linting
Git Commit : aef00ec HEAD -> master
Table of Contents
1. CISS.debian.installer
Centurion Intelligence Consulting Agency Information Security Standard
The CISS Debian Installer provides a fully automated and hardened installation process.
Master Version: 8.00
Build: V8.00.000.2025.06.17
This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on
the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much
greater flexibility in terms of custom partitioning schemes and is more reliable than the Calamares suite.
Check out more:
- CenturionNet Services
- CenturionDNS Resolver
- CenturionDNS Blocklist
- CenturionNet Status
- CenturionMeet
- Contact the author
1.1. Preliminary Remarks
1.1.1. HSM
Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to move to a room-gapped environment. ^^
1.1.2. DNSSEC, HSTS, TLS
Please note that coresecret.dev is included in the (HSTS Preload List) and always serves the headers:
add_header Expect-CT "max-age=86400, enforce" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
- Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at: DNSSEC Audit Report
- A comprehensive TLS audit of the
git.coresecret.devGitea server is also available. See: TLS Audit Report - The infrastructure of the
CISS.debian.installerbuilding system is visualized here. See: Centurion Net
1.1.3. Gitea Action Runner Hardening
The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely
dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using
non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own
separate directory tree, employs DynamicUser features, and adheres to strict systemd hardening policies
(achieving a systemd-analyze securityrating of 2.6). Docker containers used by runners do not run in privileged
mode. Security is further enhanced through the use of both UFW software firewalls and dedicated hardware firewall appliances.
1.2. Keywords
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [BCP 14], [RFC2119], [RFC8174] when, and only when, they appear in all capitals, as shown here.
6. Licensing & Compliance
This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX standard for license expressions and metadata.
7. Disclaimer
This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
no tracking | no logging | no advertising | no profiling | no bullshit