diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 48b1622..7af5dbe 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
 attributes:
 label: "Version"
 description: "Which version are you running? Use `./setup.sh -v`."
- placeholder: "e.g., Master V8.00.000.2025.06.17"
+ placeholder: "e.g., Master V9.14.000.2026.06.07"
 validations:
 required: true
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index c076edf..18391f9 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@ build:
 counter: 1023
- version: V8.00.000.2025.06.17
+ version: V9.14.000.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 9691df1..a198101 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.00.000.2025.06.17
+### Version Master V9.14.000.2026.06.07
 # Gitea Workflow: Shell-Script Linting
 #
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 979902d..183283c 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.00.000.2025.06.17
+### Version Master V9.14.000.2026.06.07
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index a28292a..9d811b6 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.00.000.2025.06.17
+### Version Master V9.14.000.2026.06.07
 name: 🔁 Render Graphviz Diagrams.
diff --git a/.preseed/SECRETS.yaml b/.preseed/SECRETS.yaml
index 7b446fe..d03820b 100644
--- a/.preseed/SECRETS.yaml
+++ b/.preseed/SECRETS.yaml
@@ -11,7 +11,7 @@
 #
 #
 # This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
-# Master V8.00.000.2025.06.17
+# Master V9.14.000.2026.06.07
 # YAML specification: 1.2
 #
 secrets:
@@ -19,7 +19,7 @@ secrets:
 created_at: "2025-10-23"
 created_for: "host_domain_tld"
 name: "CISS.debian.installer"
- version: "V8.00.000.2025.06.17"
+ version: "V9.14.000.2026.06.07"
 x_files: "false"
 ################################################################################################################################
 # Grub bootloader passphrase
diff --git a/.preseed/preseed.yaml b/.preseed/preseed.yaml
index 34a4ccb..1b60acd 100644
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -11,7 +11,7 @@
 %YAML 1.2
 ---
 # This file contains configurations for the CISS.debian.installer
-# Master V8.00.000.2025.06.17
+# Master V9.14.000.2026.06.07
 # YAML specification: 1.2
 #
 preseed:
@@ -19,7 +19,7 @@ preseed:
 created_at: "2025-10-23"
 created_for: "host_domain_tld"
 name: "CISS.debian.installer"
- version: "V8.00.000.2025.06.17"
+ version: "V9.14.000.2026.06.07"
 #
 ################################################################################################################################
 # APT settings
diff --git a/.version.properties b/.version.properties
index 7e7629c..f3bbd79 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.installer"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.00.000.2025.06.17"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
\ No newline at end of file
+properties_version="V9.14.000.2026.06.07"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..7c85836
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,153 @@
+# AGENTS.md
+
+## Purpose
+
+This repository builds and maintains CISS.debian.installer, a script-driven Debian installer for hardened and reproducible
+system installation workflows.
+
+Treat every change as security-sensitive, disk-destruction-sensitive, and boot-chain-sensitive. Persistent coding details live
+in `docs/CODING_CONVENTION.md`. Review-only instructions live in `code_review.md`.
+
+## Instruction precedence for this repository
+
+Use this order when instructions differ:
+
+1. The current task prompt defines the immediate objective and task-specific acceptance criteria.
+2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
+3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
+4. `code_review.md` applies when performing a review or final self-review.
+5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
+
+When instructions conflict, prefer the safer, smaller, more easily reviewable change and explain the conflict.
+
+## Non-negotiable constraints
+
+- Target Debian 13 Trixie unless the task or repository explicitly states otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent Debian Installer, debootstrap, initramfs-tools, cryptsetup, GRUB, systemd, Btrfs, Debian package, or upstream
+ tool behavior.
+- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
+- Preserve encrypted-root and boot-chain security assumptions unless the task explicitly changes them.
+- Preserve existing module source guards, especially `guard_sourcing`, `source_guard`, and `readonly -f` conventions.
+- Do not overwrite existing `ERR`, `EXIT`, `INT`, or `TERM` traps from modules or runtime scripts.
+- Prefer simple, explicit, inspectable Bash over clever abstraction.
+- Do not use `eval`.
+- Do not print secrets, passphrases, private keys, tokens, or sensitive environment values.
+- Do not perform destructive disk operations in validation unless explicitly requested and safely isolated.
+
+## Repository map
+
+Common areas:
+
+- `ciss_debian_installer.sh`: primary installer entrypoint and phase orchestration.
+- `meta_loader_*.sh`: ordered module, library, and variable sourcing.
+- `.preseed/preseed.yaml`, `.preseed/partitioning.yaml`, `.preseed/SECRETS.yaml`: installer configuration, partition recipes,
+ and secret input material.
+- `var/*.sh`: global variables, colors, terminal settings, and error codes.
+- `lib/cdi_0000_preliminary/*`: contact, usage, and version helpers.
+- `lib/cdi_0005_guard/*`: sourcing, source-guard, safe-execution, directory, and variable guards.
+- `lib/cdi_0010_basic/*`, `lib/cdi_0025_logging/*`, `lib/cdi_0030_checks/*`, `lib/cdi_0050_debug/*`,
+ `lib/cdi_0060_traps/*`: basic helpers, logging, package/git checks, debug support, and traps.
+- `lib/cdi_0100_arg/*`, `lib/cdi_0110_interactive/*`, `lib/cdi_0200_dialog/*`: argument handling and interactive dialogs.
+- `func/cdi_1000_helper/*`: chroot helpers, GRUB helpers, module helpers, sanitizers, secure downloads, and YAML helpers.
+- `func/cdi_1200_validation/*`, `func/cdi_1250_yaml/*`: validation and preseed/YAML processing.
+- `func/cdi_3200_partitioning/*`: destructive partitioning, LUKS setup, formatting, mounting, and UUID logging.
+- `func/cdi_4000_debootstrap/*`: debootstrap, target mount preparation, and base target setup.
+- `func/cdi_4100_base/*`: APT sources, kernel, initramfs, systemd, firmware, and base package setup.
+- `func/cdi_4200_boot/*`: fstab, crypttab, cryptsetup, GRUB, GRUB password, and boot parameter handling.
+- `func/cdi_4300_network/*`: network setup, Dropbear initramfs remote unlock, initramfs updates, and SSH setup.
+- `func/cdi_4400_hardening/*`, `func/cdi_4500_user/*`, `func/cdi_4600_packages/*`: hardening, account setup, package
+ installation, security verification, and auditing packages.
+- `func/cdi_4900_xtended/*`, `func/cdi_5000_recovery/*`: final commands, logrotate, chroot exit, and recovery target handling.
+- `includes/target/*`: files installed into the target system, including initramfs-tools hooks, scripts, Dropbear unlock
+ files, GRUB assets, SSH, OpenSSL, sysctl, modprobe, PAM, and profile configuration.
+- `includes/chroot/hooks/*`: hook payloads copied into or executed inside the target environment.
+- `upgrades/*`: vendored or upgrade-related materials for Dropbear, Linux image options, and Secure Boot work.
+- `py/*`: Python-based configurator support.
+- `docs/*`, `.gitea/workflows/*`: project documentation and repository automation.
+
+## Working method
+
+Before editing:
+
+1. Inspect the relevant scripts, configuration files, documentation, workflows, and naming conventions.
+2. Identify the affected installer phase: host orchestration, YAML/preseed handling, destructive disk setup, target chroot,
+ initramfs, bootloader, network/Dropbear, hardening, user setup, package installation, finalization, or recovery.
+3. Check existing source guards, trap behavior, logging, secret handling, and helper APIs before changing code.
+4. Give a concise implementation plan and list likely files to touch unless the change is trivial.
+
+While editing:
+
+- Keep changes minimal and local to the task.
+- Preserve existing architecture, naming style, error handling, formatting, and security posture.
+- Do not perform unrelated cleanup or formatting churn.
+- Reuse existing helpers for logging, fatal errors, validation, source guards, chroot execution, secure downloads, temporary
+ files, and secret cleanup where available.
+- Prefer arrays for command argument composition.
+- Do not introduce new runtime dependencies unless technically necessary and justified.
+
+After editing:
+
+- Run only the narrowest checks that prove the change.
+- Changed Bash files: run `bash -n ` and `shellcheck ` if ShellCheck is available.
+- Changed POSIX shell files: run `sh -n `.
+- Changed CLI behavior: update `usage()` and relevant documentation, then run the safest available parser/help check if the
+ environment permits it.
+- Changed Python files: run the relevant checks configured under `py/` when applicable.
+- Changed installer, disk, initramfs, cryptsetup, GRUB, or Dropbear behavior: state the required Debian 13 Trixie validation
+ command or isolated test, but do not run destructive or full installer validation unless explicitly requested.
+- For documentation-only changes, confirm the target files exist and review the final diff.
+
+## Bash conventions summary
+
+See `docs/CODING_CONVENTION.md` for details.
+
+- Use Bash for installer logic unless an existing Debian interface file must remain POSIX shell.
+- Preserve module source guards and `readonly -f` usage where surrounding files use them.
+- Prefer strict Bash mode where feasible and consistent with the file's execution context.
+- Use `declare` for variables inside functions.
+- Quote expansions unless word splitting or globbing is explicitly required.
+- Prefer arrays where argument boundaries matter.
+- Use `[[ ... ]]`, `case`, and `$(...)`.
+- Avoid parsing `ls`; prefer structured tool output or existing helpers.
+- Prefer `command -v` over `which`.
+- Code comments must be in English.
+
+## Security-sensitive areas
+
+Before finalizing a change, check whether it affects:
+
+- disk wiping, partition table creation, partition type codes, or filesystem formatting
+- cryptsetup/LUKS2 parameters, passphrases, key files, key slots, LUKS header backups, or nuke behavior
+- Btrfs subvolumes, mount ordering, mount options, snapshots, or labels
+- `/etc/fstab`, `/etc/crypttab`, UUIDs, PARTUUIDs, or mapper names
+- initramfs-tools hooks, scripts, included binaries, or early boot behavior
+- Dropbear initramfs remote unlock, forced commands, firewalling, host keys, unlock wrapper signatures, or hashes
+- GRUB installation, GRUB modules, encrypted `/boot`, UEFI/BIOS paths, NVRAM handling, or Secure Boot material
+- chroot command execution, mount propagation, target/root separation, or environment sanitization
+- APT sources, package authentication, TLS, signatures, checksums, or remote downloads
+- account setup, SSH policy, PAM, sudo, permissions, hardening files, or network exposure
+- logging, debug tracing, traps, cleanup paths, or exposure of sensitive values
+
+If affected, document the concrete risk and mitigation in the final response.
+
+## Validation policy
+
+Use the narrowest validation that proves the requested change. Do not run full installer builds, debootstrap runs, live disk
+tests, destructive partitioning, broad repository audits, or network-heavy validation unless the task explicitly asks for them
+or the change cannot be validated responsibly without them.
+
+## Final response
+
+Return a concise implementation report:
+
+- changed files
+- what changed
+- checks run and result
+- real remaining risks or follow-up steps
+
+Do not claim success for checks that were not run.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/CISS.debian.installer.spdx b/CISS.debian.installer.spdx
index 7a3cbe9..5b6205b 100644
--- a/CISS.debian.installer.spdx
+++ b/CISS.debian.installer.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-06-17T12:00:00Z
 Package: CISS.debian.installer
 PackageName: CISS.debian.installer
-PackageVersion: Master V8.00.000.2025.06.17
+PackageVersion: Master V9.14.000.2026.06.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer
@@ -20,4 +20,4 @@ License: LicenseRef-CCLA-1.0
 LicenseID: LicenseRef-CCLA-1.0
 LicenseName: Centurion Commercial License Agreement 1.0
 LicenseCrossReference: https://coresecret.eu/imprint/licenses/
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
\ No newline at end of file
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/README.md b/README.md
index 0d1307d..3650b11 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.00.000.2025.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.000.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   
@@ -11,9 +11,10 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static 
Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu)  
@@ -25,8 +26,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index bc83019..c6a5b62 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. DNSSEC Status
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index 1af87e2..d08313a 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. TLS Audit:
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index e31f996..83775ed 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -7,12 +7,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Changelog
-## V8.00.000.2025.06.17
+## V9.14.000.2026.06.07
 * Initial Release
diff --git a/docs/CNET.md b/docs/CNET.md
index 7158d74..69e46ca 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index b919b8d..33cddd7 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -7,84 +7,200 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
-# 2. Coding Style
+# 2. Purpose
-## 2.1. PR
+This document defines detailed coding conventions for CISS.debian.installer. `AGENTS.md` is the short operational guide for
+Codex. `code_review.md` is used for review tasks and final self-review.
-You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
+The repository implements a Bash-first Debian installer for hardened, reproducible system installation workflows. Treat every
+change as security-sensitive, disk-destruction-sensitive, and boot-chain-sensitive, especially changes affecting partitioning,
+LUKS, Btrfs, initramfs, Dropbear remote unlock, GRUB, package sources, signatures, checksums, hardening settings, or logs.
-## 2.2 Documentation
+# 3. Change discipline
-Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
-`~/docs/DOCUMENTATION.md`.
+- Keep changes small, local, and reviewable.
+- Make one functional change per patch set.
+- Preserve existing architecture, naming style, error handling, formatting, and security posture.
+- Target Debian 13 Trixie unless the task or repository explicitly states otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent Debian Installer, debootstrap, initramfs-tools, cryptsetup, GRUB, systemd, Btrfs, Debian package, or upstream
+ tool behavior.
+- Verify uncertain behavior against repository code or authoritative upstream documentation.
+- Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification,
+ checksum verification, provenance verification, or input validation unless explicitly requested and documented.
+- Do not perform unrelated cleanup or formatting churn.
-## 2.3. Coding
+# 4. Installer phase awareness
-### 2.3.1. Shell / bash
+Identify the affected phase before changing behavior:
-Bash is actually quite powerful—not only with respect to sockets. 
It's not as mighty as perl or python, but there are a lot of
-neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
+- `ciss_debian_installer.sh`: host-side entrypoint, root/Bash checks, lock handling, trap activation, and phase order.
+- `meta_loader_*.sh`: ordered sourcing of variables, functions, and libraries via `source_guard`.
+- `.preseed/preseed.yaml`, `.preseed/partitioning.yaml`, `.preseed/SECRETS.yaml`: installer settings, partition recipes, and
+ secret material.
+- `lib/cdi_0100_arg/*`: CLI argument sanitation, parsing, priority handling, and passphrase-module argument support.
+- `func/cdi_1200_validation/*` and `func/cdi_1250_yaml/*`: element, IP, preseed, YAML, and secret validation.
+- `func/cdi_3200_partitioning/*`: destructive disk wiping, partition creation, LUKS setup, formatting, mount ordering, and UUID
+ logging.
+- `func/cdi_4000_debootstrap/*`: debootstrap, target mount preparation, base target setup, hostname, resolver, timezone, and
+ locale setup.
+- `func/cdi_4100_base/*`: APT source generation, updates, kernel/initramfs installation, toolset, systemd, machine-id,
+ firmware, microcode, Chrony, and base packages.
+- `func/cdi_4200_boot/*`: fstab, crypttab, cryptsetup-initramfs, GRUB installation, GRUB password, and boot parameters.
+- `func/cdi_4300_network/*`: target networking, network security, Dropbear build/initramfs/setup, initramfs update, and SSH.
+- `func/cdi_4400_hardening/*`: kernel modules, sysctl, fail2ban, filesystem permissions, entropy, memory, OpenSSL, UFW, USB,
+ and malware-auditing hardening.
+- `func/cdi_4500_user/*`: account preparation, password policy, user setup, SSH keys, privileges, and timing fields.
+- `func/cdi_4600_packages/*`: package installation, security profile installation, verification, and auditing packages.
+- `func/cdi_4900_xtended/*`: final commands, logrotate setup, and target chroot exit.
+- `func/cdi_5000_recovery/*`: recovery target debootstrap and finalization when recovery is enabled.
+- `includes/target/*`: files installed into the target system, including initramfs-tools hooks/scripts/files and service
+ configuration.
+- `includes/chroot/hooks/*`: chroot hook payloads.
+- `upgrades/*`: vendored upgrade/build material for Dropbear, Linux image options, and Secure Boot work.
+- `py/*`: Python configurator support.
-* Don't use backticks anymore, use `$(..)` instead
-* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
-* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
- quote at all.
-* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
-* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
- e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
- slower as it forks, fopens and pipes back the result.
-* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
-* Bash can also deal perfectly with regular expressions, see
- e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
- and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com).
-* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
- achieve the same with e.g. `awk`.
-* Be careful with very advanced bash features. Mac OS X is still using bash version 3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
-* Always use a return value for a function/method. 0 means all is fine.
-* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
-* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
+Keep host-side behavior, target chroot behavior, initramfs behavior, and bootloader behavior separate.
-### 2.3.2. Shell specific
+# 5. Bash baseline
-* Security:
- * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
- * Unless you're really sure where the values come from, variables need to be put in quotes.
+- Use Bash for installer logic and orchestration.
+- Use POSIX shell only where an existing Debian interface file requires it, such as an initramfs hook or script that already
+ declares `#!/bin/sh`.
+- The main installer requires Bash 5.1 or newer; do not add compatibility code for older Bash versions unless explicitly
+ requested.
+- Prefer `set -Ceuo pipefail` for executable Bash scripts where feasible. In sourced modules, preserve the caller's shell
+ option and trap model unless the surrounding code already changes it intentionally.
+- Preserve `guard_sourcing || return "${ERR_GUARD_SOURCE}"` in sourced modules that use it.
+- Preserve `source_guard`-based module loading.
+- Preserve `readonly -f` on functions where surrounding files use it.
+- Do not overwrite existing `ERR`, `EXIT`, `INT`, or `TERM` traps. Coordinate any trap change with `lib/cdi_0060_traps/*` and
+ initramfs runtime scripts.
-### 2.3.3. Variables
+# 6. Bash style
-* Use **"speaking variables"** but don't overdo it with the length.
-* No _camelCase_, please. We distinguish between lowercase and uppercase only.
- * Global variables:
- * use them only when really necessary,
- * in CAPS,
- * initialize them (`declare -g VAR_EXAMPLE=""`),
- * SHOULD start with:
- * `ARY_` for Arrays,
- * `C_` for Variables defining colored outputs,
- * `ERR_` for Error Codes Variables,
- * `HMP_` for HashMap Arrays,
- * `LOG_` for Logfile Variables,
- * `PID_` for PID Variables,
- * `PIPE_` for PIPE Variables,
- * `VAR_` for Variables
- * Local variables:
- * are lower case,
- * declare them before usage (`declare` eq `local`),
- * initialize them (`declare var_example=""`),
- * SHOULD start with:
- * `ary_` for Arrays,
- * `c_` for Variables defining colored outputs,
- * `err_` for Error Codes Variables,
- * `hmp_` for HashMap Arrays,
- * `log_` for Logfile Variables,
- * `var_` for Variables.
+- Quote expansions unless word splitting or globbing is explicitly required.
+- Prefer arrays for commands and options.
+- Use `[[ ... ]]` for Bash conditionals.
+- Use `case` for option dispatch and multi-branch string handling.
+- Use `$(...)` command substitution, not backticks.
+- Do not use `eval`.
+- Avoid parsing `ls`.
+- Prefer `command -v` over `which`.
+- Check command results explicitly when failure needs custom logging or cleanup.
+- Keep functions small enough to review.
+- End functions explicitly with `return 0` where consistent with surrounding code.
+- Use English comments. Comment non-obvious security, disk, cryptographic, initramfs, or boot-chain decisions.
-# 3. Misc
+# 7. Variables and naming
-* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
+Follow the existing repository naming style:
+
+- Global variables are uppercased and initialized before use.
+- Global arrays and maps use established prefixes such as `ARY_`, `HMP_`, `C_`, `ERR_`, `LOG_`, `PID_`, `PIPE_`, and `VAR_`.
+- Local variables are lowercase and initialized before use.
+- Local arrays and helper variables use established prefixes such as `ary_`, `hmp_`, `c_`, `err_`, `log_`, and `var_`.
+- Use `declare` consistently with surrounding files.
+- Function names use lowercase words separated by underscores.
+- Avoid new global variables when an argument, local variable, or existing helper is sufficient.
+- Keep Boolean-like values normalized where existing code expects lowercase strings.
+
+# 8. Input validation, secrets, and files
+
+- Treat CLI arguments, YAML values, environment variables, generated paths, network data, package metadata, and user-provided
+ files as untrusted until validated.
+- Validate disk names, partition numbers, mount paths, filesystem names, Debian suites, architecture names, ports, IP
+ addresses, package names, URLs, feature flags, and file paths before use.
+- Fail closed when validation cannot prove that continuing is safe.
+- Do not print secrets, passphrases, private keys, tokens, decrypted SOPS values, or sensitive environment values.
+- Keep debug tracing disabled around secret handling unless the local guard explicitly protects sensitive values.
+- Use restrictive permissions for generated key material, passphrase files, LUKS header backups, SSH material, and root-only
+ configuration.
+- Prefer `mktemp` for temporary files and clean them up with existing cleanup or trap helpers.
+- Preserve existing secure deletion helpers where used for passphrase or key material.
+- Do not add a persistent state unless the behavior is intentional, scoped, and documented.
+
+# 9. Disk, partitioning, and cryptsetup safety
+
+- Treat changes under `func/cdi_3200_partitioning/*` as destructive by default.
+- Never run partitioning, formatting, LUKS, `blkdiscard`, `sgdisk --zap-all`, or `dd` validation on a real device unless the
+ task explicitly requests it, and the target is safely isolated.
+- Preserve explicit device scoping from `.preseed/partitioning.yaml`.
+- Preserve udev settling and UUID/PARTUUID collection where disk identity is needed by later phases. +- Preserve LUKS2 defaults and stronger cryptographic settings unless the task explicitly changes them. +- Do not weaken PBKDF, cipher, hash, key size, integrity, discard, or keyslot behavior without documenting the risk. +- Preserve the special handling for encrypted `/boot`, root, recovery, ephemeral `SWAP`, and ephemeral `/tmp`. +- Keep LUKS header backups encrypted when backup behavior is enabled and remove plaintext backup material after encryption. +- Keep `/etc/fstab` and `/etc/crypttab` generation consistent with mapper names, UUIDs, PARTUUIDs, filesystem types, and mount + options. +- Preserve Btrfs subvolume and snapshot semantics when changing Btrfs mount or formatting logic. + +# 10. Chroot, target, and boot-chain safety + +- Use `chroot_exec` for simple command execution in the target. +- Use `chroot_script` or `chroot_stdin` for shell constructs, redirection, pipelines, loops, or larger payloads. +- Preserve the sanitized `env -i` target environment unless a task explicitly requires a new variable. +- Do not leak host paths or host environment assumptions into the target system. +- Preserve target mount setup and teardown behavior. +- Keep initramfs-tools hooks and scripts in their expected directories; do not add ad-hoc phase arguments. +- Preserve Dropbear initramfs forced-command, unlock-wrapper integrity checks, signature verification, and nuke behavior. +- Preserve GRUB support for encrypted boot paths, and the repository's UEFI/BIOS handling unless explicitly changed. +- Do not change UEFI NVRAM behavior or fallback boot paths without documenting the boot-chain impact. + +# 11. Dependencies and downloads + +- Do not add new runtime dependencies unless the task requires them. +- Prefer standard Debian tooling or existing project helpers. 
+- When a dependency is needed, document why the existing toolchain, or a standard alternative is insufficient. +- Do not add remote downloads, auto-update behavior, telemetry, or network callbacks without explicit justification. +- For required downloads, use HTTPS where applicable and preserve or add signature, checksum, or provenance verification. +- Do not use `curl | sh`, `wget | sh`, or equivalent execution of unaudited remote content. +- Preserve package authentication and APT source integrity checks. + +# 12. Documentation rules + +- Update documentation together with behavior changes. +- New or changed CLI options must update `usage()` and relevant documentation. +- New or changed YAML/preseed keys must update the relevant `.preseed` example or project documentation. +- Boot parameter changes must update `docs/man/BOOTPARAMS.md` when applicable. +- Security-sensitive behavior changes must update the relevant manual, audit, or security documentation when applicable. +- Generated examples must stay valid for Debian 13 Trixie unless the task explicitly targets another release. +- Code comments, embedded prompts, commit messages, and repository documentation should normally be written in English. + +# 13. Formatting + +- Preserve SPDX headers and existing file headers where present. +- New source or configuration files should include the project SPDX header when comparable files already use one. +- Follow `.editorconfig`: LF line endings, UTF-8, two-space indentation for most repository files, four-space indentation for + Python, and readable line lengths. +- Preserve the local Vim modeline style in source/config files where neighboring files use it. +- Keep Markdown concise and structured. Avoid decorative text that does not define repository behavior. +- Do not churn formatting unrelated to the task. + +# 14. 
Narrow validation policy + +Run only the narrowest checks that prove the change: + +- Bash files: `bash -n ` and `shellcheck ` when ShellCheck is available. +- POSIX shell files: `sh -n `. +- CLI or parser changes: the safest available help/parser check, if the environment permits it without performing installer + actions. +- YAML/preseed changes: parse or validate the changed file with repository tooling if a cheap parser or validator is present. +- Python files: run the relevant checks configured under `py/`, such as Ruff, mypy, or pytest, when applicable. +- Documentation-only changes: confirm the target files exist, check the final diff, and run Markdown linting only when the + repository has a cheap configured Markdown lint command. + +Do not run full installer builds, debootstrap, destructive disk tests, broad repository audits, or network-heavy validation +unless explicitly requested or technically required to validate the change. + +If a relevant check cannot be run, state the exact reason, and the command that should be run locally. + +# 15. Code review + +Reviews follow `code_review.md`. --- **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 42a4c3e..2376bd4 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index e92b618..c4fd444 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Credits diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 4281dff..d80b300 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -7,13 +7,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Usage ````text CISS.debian.installer -Master V8.00.000.2025.06.17 +Master V9.14.000.2026.06.07 (c) Marc S. Weidner, 2018 - 2025 (p) Centurion Press, 2024 - 2025 diff --git a/docs/MANPAGES.md b/docs/MANPAGES.md index 6498b9c..7f89aa2 100644 --- a/docs/MANPAGES.md +++ b/docs/MANPAGES.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. ToC diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 1956c3e..52bce3c 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Resources diff --git a/docs/man/BOOTPARAMS.md b/docs/man/BOOTPARAMS.md index a7678a8..a17357d 100644 --- a/docs/man/BOOTPARAMS.md +++ b/docs/man/BOOTPARAMS.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Hardened Kernel Boot Parameters diff --git a/docs/man/DEBUG_HANDLING.md b/docs/man/DEBUG_HANDLING.md index 6b4a1c8..17fecac 100644 --- a/docs/man/DEBUG_HANDLING.md +++ b/docs/man/DEBUG_HANDLING.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Debugging and Tracing Infrastructure diff --git a/docs/man/ERROR_HANDLING.md b/docs/man/ERROR_HANDLING.md index 028ae9d..471b686 100644 --- a/docs/man/ERROR_HANDLING.md +++ b/docs/man/ERROR_HANDLING.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Global Environment and Error Handling in CISS.debian.installer diff --git a/docs/man/LINTER_CHAR.md b/docs/man/LINTER_CHAR.md index 82a6d26..3e330e8 100644 --- a/docs/man/LINTER_CHAR.md +++ b/docs/man/LINTER_CHAR.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Git Workflow Linter — Character Set Policy Enforcement diff --git a/docs/man/TRAP_MECHANISM.md b/docs/man/TRAP_MECHANISM.md index 022a3ef..db6024a 100644 --- a/docs/man/TRAP_MECHANISM.md +++ b/docs/man/TRAP_MECHANISM.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Interplay Between Global Hardening Settings and TRAP Mechanisms diff --git a/func/cdi_1000_helper/README/README_1080.md b/func/cdi_1000_helper/README/README_1080.md index 84b9351..b733ea6 100644 --- a/func/cdi_1000_helper/README/README_1080.md +++ b/func/cdi_1000_helper/README/README_1080.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh) **Scope:** This note explains *what to use when* among diff --git a/func/cdi_4000_debootstrap/README/README_4000.md b/func/cdi_4000_debootstrap/README/README_4000.md index 2221751..feef5df 100644 --- a/func/cdi_4000_debootstrap/README/README_4000.md +++ b/func/cdi_4000_debootstrap/README/README_4000.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. [4000_debootstrap.sh](../4000_debootstrap.sh) This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`. diff --git a/func/cdi_4100_base/4150_installation_chrony.sh b/func/cdi_4100_base/4150_installation_chrony.sh index 546cb79..16956bc 100644 --- a/func/cdi_4100_base/4150_installation_chrony.sh +++ b/func/cdi_4100_base/4150_installation_chrony.sh @@ -13,7 +13,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### -# Setup chrony NTPSec client. +# Set up chrony NTPSec client. # Every 'apt-get install' command is invoked by adding 'export INITRD=No' # to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage: # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html diff --git a/func/cdi_4300_network/4310_dropbear_build.sh b/func/cdi_4300_network/4310_dropbear_build.sh index 85bc4f6..7cba5db 100644 --- a/func/cdi_4300_network/4310_dropbear_build.sh +++ b/func/cdi_4300_network/4310_dropbear_build.sh @@ -26,7 +26,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### dropbear_build() { ### Declare Arrays, HashMaps, and Variables. - declare var_dropbear_version="2025.88" + declare var_dropbear_version="2026.91" declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}" declare -r var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log" diff --git a/func/cdi_4300_network/4311_dropbear_initramfs.sh b/func/cdi_4300_network/4311_dropbear_initramfs.sh index a97852d..adcaa9d 100644 --- a/func/cdi_4300_network/4311_dropbear_initramfs.sh +++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh 
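Review bot: The bump of `var_dropbear_version` to `2026.91` makes `dropbear_build` depend on three artefacts that change together elsewhere in this commit: the new tarball, its detached `.asc`, and the entries in `upgrades/dropbear/SHA512SUM.asc`; the digests in that file are 64 hex characters (SHA-256 length) even though the file name says SHA512, so whatever check the function performs further down must pair the list with `sha256sum`, not `sha512sum`, or verification fails for reasons unrelated to the upgrade. A comment next to the version, e.g. `### Bump together with upgrades/dropbear/: tarball, detached .asc and the signed digest list (SHA-256 digests despite the file name).`, would keep the four in step. The rest of `dropbear_build` is outside this hunk, so how the signature and digest are actually verified could not be confirmed here.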
@@ -44,7 +44,7 @@ dropbear_initramfs() { chroot_script "${var_target}" " export INITRD=No [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh - apt-get purge -y dropbear dropbear-run || true + apt-get purge -y dropbear || true " chroot_script "${var_target}" " diff --git a/func/cdi_4300_network/4312_dropbear_setup.sh b/func/cdi_4300_network/4312_dropbear_setup.sh index 1e9be5a..d1bf949 100644 --- a/func/cdi_4300_network/4312_dropbear_setup.sh +++ b/func/cdi_4300_network/4312_dropbear_setup.sh 
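Review bot: `apt-get purge -y dropbear || true` swallows every purge failure, not only the "package not installed" case; a dpkg lock, a broken dependency state or a failing maintainer script leaves the distribution `dropbear` binaries in the target next to the locally built ones and the function continues as if the purge had succeeded. If the intent is only to tolerate an absent package, guard on presence instead, e.g. `dpkg-query -W dropbear > /dev/null 2>&1 && apt-get purge -y dropbear`, so a genuine failure still aborts under the caller's error handling. Dropping `dropbear-run` from the list also leaves that package behind wherever it was previously installed; if that is deliberate, a one-line comment stating why would help the next reader. `dropbear_initramfs` continues outside this hunk.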
@@ -84,17 +84,17 @@ dropbear_setup() { write_dropbear_conf ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs. - install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh" \ - "${TARGET}/etc/initramfs-tools/scripts/init-premount/1000-fixpath" - install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \ - "${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath" + install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh" \ + "${TARGET}/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh" + install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh" \ + "${TARGET}/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh" ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs. - install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh" \ + install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh" \ "${TARGET}/etc/initramfs-tools/hooks/" ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment. - install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh" \ + install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/hooks/9999_ciss_prompt.sh" \ "${TARGET}/etc/initramfs-tools/hooks/" ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices. 
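Review bot: The init-premount and init-top destinations now keep the `.sh` suffix (`1000_ciss_fixpath.sh`, `0000_ciss_fixpath.sh`) that the previous install lines deliberately stripped, while the source files always had it; since the hooks under `hooks/` already used a `.sh` suffix this is presumably harmless, but initramfs-tools orders and runs `scripts/<stage>/` entries through its own prereq scan, so it is worth confirming on a freshly built image (`lsinitramfs` plus the boot-time trace) that the renamed scripts still appear in the generated `ORDER` files and execute, otherwise the PATH fix silently drops out of the boot chain. Recording the result of that check in a short comment above the first `install` line would document why the suffix is now kept. `dropbear_setup` continues outside this hunk.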
diff --git a/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh b/includes/target/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh similarity index 97% rename from includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh rename to includes/target/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh index d1e2e02..e21c4b8 100644 --- a/includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh +++ b/includes/target/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh @@ -1,4 +1,7 @@ #!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git @@ -13,7 +16,7 @@ set -e -printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m" +printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m" PREREQ="" prereqs() { echo "${PREREQ}"; } @@ -137,6 +140,6 @@ install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner" printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}" -printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m" +printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh b/includes/target/etc/initramfs-tools/hooks/9999_ciss_prompt.sh similarity index 87% rename from includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh rename to includes/target/etc/initramfs-tools/hooks/9999_ciss_prompt.sh index 2d9cfd5..30a5188 100644 --- a/includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh +++ b/includes/target/etc/initramfs-tools/hooks/9999_ciss_prompt.sh 
@@ -1,4 +1,7 @@ #!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git @@ -13,10 +16,11 @@ set -e -printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m" +printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m" PREREQ="" prereqs() { echo "${PREREQ}"; } +# shellcheck disable=SC2249 case "${1}" in prereqs) prereqs; exit 0 ;; esac @@ -34,6 +38,6 @@ export PS1='$( STATUS=$?; \ fi; ) ' EOF -printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m" +printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh b/includes/target/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh similarity index 92% rename from includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh rename to includes/target/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh index e7e5d95..a3479c4 100644 --- a/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh +++ b/includes/target/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh @@ -1,4 +1,7 @@ #!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git @@ -14,6 +17,7 @@ set -e PREREQ="" prereqs() { echo "${PREREQ}"; } +# shellcheck disable=SC2249 case "${1}" in prereqs) prereqs; exit 0 ;; esac 
diff --git a/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh b/includes/target/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh similarity index 92% rename from includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh rename to includes/target/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh index 3c4afa2..58188bc 100644 --- a/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh +++ b/includes/target/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh @@ -1,4 +1,7 @@ #!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git @@ -14,6 +17,7 @@ set -e PREREQ="" prereqs() { echo "${PREREQ}"; } +# shellcheck disable=SC2249 case "${1}" in prereqs) prereqs; exit 0 ;; esac diff --git a/includes/target/etc/ssl/openssl.cnf b/includes/target/etc/ssl/openssl.cnf index d1379d6..25f9a94 100644 --- a/includes/target/etc/ssl/openssl.cnf +++ b/includes/target/etc/ssl/openssl.cnf @@ -415,8 +415,12 @@ CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA2 # TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only: Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 +# ToDo: Update PQC Groups to include P-521 and P-384. + # Prefer strong, widely-supported ECDHE groups (first = most preferred): -Groups = X448:X25519:P-521:P-384 +Groups = X448:P-521:P-384 + +SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256 # Operational flags: # -SessionTicket => disable TLS session tickets (TLS 1.2 + 1.3) diff --git a/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear b/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear index 9e1b807..cc16704 100644 --- a/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear 
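Review bot: `SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256` restricts handshake signatures to RSA-PSS only, so a peer whose certificate key is ECDSA or EdDSA cannot complete a handshake even though `Groups` still prefers P-521 and P-384 for key exchange; if that exclusion is intended for the whole system it should be stated in a comment, otherwise append `:ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448`. The new `# ToDo: Update PQC Groups to include P-521 and P-384.` reads as a leftover, because the `Groups` line below it already lists both curves and contains no post-quantum or hybrid group at all. Removing `X25519` from `Groups` also drops the most widely deployed group, so peers that only offer X25519/P-256 will fail to negotiate; since this is the system-wide `openssl.cnf`, the compatibility impact deserves a sentence in the comment above the line.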
+++ b/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear @@ -1,15 +1,18 @@ #!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh PREREQ="udev" prereqs() { - echo "${PREREQ}" + echo "${PREREQ}" } +# shellcheck disable=SC2249 case "$1" in - prereqs) - prereqs - exit 0 + prereqs) + prereqs + exit 0 ;; esac 
@@ -18,31 +21,32 @@ esac run_dropbear() { - ### CISS.debian.installer - ### Remove old flags for dropbear version 2025.88-2. - ### Only accepts flags from '/etc/dropbear/dropbear.conf'. + ### CISS.debian.installer + ### Remove old flags for dropbear version 2025.88-2. + ### Only accepts flags from '/etc/dropbear/dropbear.conf'. - #local flags="Fs" - # shellcheck disable=SC2292 - [ "${debug}" != y ] || flags="E${flags}" # log to standard error + #local flags="Fs" + # shellcheck disable=SC2034,SC2154,SC2292 + [ "${debug}" != y ] || flags="E${flags}" # log to standard error - # Always run configure_networking() before dropbear(8); on NFS - # mounts this has been done already + # Always run configure_networking() before dropbear(8); on NFS + # mounts this has been done already - # shellcheck disable=SC2292 - [ "${BOOT}" = nfs ] || configure_networking + # shellcheck disable=SC2292 + [ "${BOOT}" = nfs ] || configure_networking - log_begin_msg "Starting dropbear" - # Using exec and keeping dropbear in the foreground enables the - # init-bottom script to kill the remaining ipconfig processes if - # someone unlocks the rootfs from the console while the network is - # being configured - exec /sbin/dropbear ${DROPBEAR_OPTIONS-} + log_begin_msg "Starting dropbear" + # Using exec and keeping dropbear in the foreground enables the + # init-bottom script to kill the remaining ipconfig processes if + # someone unlocks the rootfs from the console while the network is + # being configured + # shellcheck disable=SC2086 + exec /sbin/dropbear ${DROPBEAR_OPTIONS-} } # shellcheck disable=SC2292 if [ -e /etc/dropbear/dropbear.conf ]; then - . /etc/dropbear/dropbear.conf + . /etc/dropbear/dropbear.conf fi . /scripts/functions @@ -57,3 +61,5 @@ fi run_dropbear & echo $! >/run/dropbear.pid + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/cdi_0000_preliminary/0002_usage.sh b/lib/cdi_0000_preliminary/0002_usage.sh index 5a40304..6b3cbe6 100644 
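Review bot: `# shellcheck disable=SC2034,SC2154,SC2292` above `[ "${debug}" != y ] || flags="E${flags}"` silences a real finding rather than a false positive: with `#local flags="Fs"` commented out and the exec line using only `${DROPBEAR_OPTIONS-}`, the `E` flag is computed and never passed, so `debug=y` has no effect on dropbear's logging — the SC2034 being suppressed is exactly the warning that says so. Either drop the two dead lines or route the flag through the variable that is actually used, e.g. `[ "${debug}" != y ] || DROPBEAR_OPTIONS="${DROPBEAR_OPTIONS-} -E"`. The re-indented comment `### Remove old flags for dropbear version 2025.88-2.` is also stale now that this commit moves the build to 2026.91. `run_dropbear` is shown in full, but the lines between this hunk and the next are not.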
--- a/lib/cdi_0000_preliminary/0002_usage.sh +++ b/lib/cdi_0000_preliminary/0002_usage.sh @@ -37,9 +37,9 @@ usage() { declare var_cols=$(tput cols 2> /dev/null || echo 80) # shellcheck disable=SC2155 - declare var_header=$(center "V8.00.000.2025.06.17 CISS.debian.installer" "${var_cols}") + declare var_header=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V8.00.000.2025.06.17 CISS.debian.installer" "${var_cols}") + declare var_footer=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}") { echo -e "\e[97m${var_header} \e[0m" diff --git a/lib/cdi_0000_preliminary/README.md b/lib/cdi_0000_preliminary/README.md index 99493ff..24330d3 100644 --- a/lib/cdi_0000_preliminary/README.md +++ b/lib/cdi_0000_preliminary/README.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Preliminary Components – `cdi_0000_preliminary` diff --git a/lib/cdi_0005_guard/README.md b/lib/cdi_0005_guard/README.md index a4fe3e3..6df8925 100644 --- a/lib/cdi_0005_guard/README.md +++ b/lib/cdi_0005_guard/README.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. Guarding and Safe Execution – `cdi_0005_guard` diff --git a/lib/cdi_0050_debug/0052_debug_trace.sh b/lib/cdi_0050_debug/0052_debug_trace.sh index f24e6d5..6eb2f22 100644 --- a/lib/cdi_0050_debug/0052_debug_trace.sh +++ b/lib/cdi_0050_debug/0052_debug_trace.sh @@ -25,7 +25,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### debug_trace() { ### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name - declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m ' + declare -grx PS4='\e[97m+\e[96m[${EPOCHREALTIME}]\e[97m:\e[94m[$$]\e[97m:\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[97m:\e[93m[${?}]\e[97m:\e[95m[${FUNCNAME[0]:-main}()]\e[97m>>\e[0m ' # shellcheck disable=SC2155 declare -grx LOG_TRC="${DIR_LOG}/ciss_debian_installer_$$_trace.log" ### Generates empty LOG_TRC diff --git a/upgrades/dropbear/SHA512SUM.asc b/upgrades/dropbear/SHA512SUM.asc index 17ccf8a..69ac355 100644 --- a/upgrades/dropbear/SHA512SUM.asc +++ b/upgrades/dropbear/SHA512SUM.asc 
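Review bot: The new `PS4` replaces the per-command `date -u ...` subshell with `${EPOCHREALTIME}`, which removes a fork from every traced command but changes the log format: the value is raw seconds and microseconds since the epoch, it requires bash 5.0 or newer, and its decimal separator follows the locale (`LC_NUMERIC`) in current bash, so the trace log is no longer ISO-8601 and becomes locale dependent. That deserves a line in the comment above the declaration, e.g. `### EPOCHREALTIME: seconds.microseconds since the epoch (bash >= 5.0); decimal separator follows LC_NUMERIC, pin the locale if trace logs are parsed.` `debug_trace` continues outside this hunk.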
@@ -1,24 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -eb16a13aa44732cab4db009bd55903e45f8756598683377bfe55185fbf0e3265 CHANGES -738b7f358547f0c64c3e1a56bbc5ef98d34d9ec6adf9ccdf01dc0bf2caa2bc8d dropbear-2025.87.tar.bz2 -af24198895f604c2e114abe29a2f0c3fe30831e6db26e0f93fd5f78e734b61be dropbear-2025.87.tar.bz2.asc -783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4 dropbear-2025.88.tar.bz2 -fe40fd8f40a7c5498025cc2058eaecbcd9e649a833d6cdecdab35f1156f4d411 dropbear-2025.88.tar.bz2.asc +16be820347723271b0fea6049ffeed6d6680d7429c65406d8af37776393a0250 dropbear-2026.90.tar.bz2 +594ac6bd51f361890f6bd829bfe1ce92d241e5f8662d595c13a789e31563f5f7 dropbear-2026.90.tar.bz2.asc +defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34 dropbear-2026.91.tar.bz2 +26888fbc9cca8ae8026ea754d711edeb5fdbde0a31f897164695bf59035693fb dropbear-2026.91.tar.bz2.asc -----BEGIN PGP SIGNATURE----- -iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbUOIACgkQRJMUlPKc -Z3OS6w//bPQkIfs5ErkEBNRJDkYCDGekydYur0e2KtA2FX+vgPYI289FM4tXaD5f -hlBBT5oBQ740ekTLWMMnKcJV3Ut0QYnaXwiH2dHKtT4OEgRQIYqFlbAimpNPMZOL -IiBv+v9g71XJ3MrFyJSUo00mryIIIeuVQEWl8zxzsG8sf5usOUDwiJNWPul3fOJL -Ur+vTmCr7XYuq9kFG4YdJNLPLwDZ68e2u1fEpxpsnBmYFx5VS/WvD+qyuUfkR81h -HmcDgQJUJgx6Taq0OQJa4KnE4+HWjMd6V6JsDTsfYp4CjASO6HP2bON4zJWyphqL -cyrHAxiADtfU3RO59+XQ6AhTzhtGpZRgHLqetv40DjGN2lOGOdRk3TbE3/dbDl4W -f9zaPFGXyTA49iiVMMz2GVWlydpjs9HKsIKwwO7vU/EIi4S/USNJRI9wKUji3qKH -HO09YNoO0XuWzIpeGwfqbeaQ+SCPRPAMQMM0a2Mt10VzympY6w2kHAVbMV48kJ2i -AMtkgsxLUFdptDSdGKc/KHkbWRR22YCSSUXr1lxCA3fuCUWkS/2pAGzfbd+sd9BS -QkAiGVCWeFQML61aaoNxMT2+MbS80zrOWm8fjXblg3wCU6F3+TTmmDUNKI3NFi8z -4TVeAM0oGqeI+PX4hP7pyBy06dGiWiYEAGMiyno6vRXWJrwTVzI= -=/DnI +iQIzBAEBCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZXsACgkQRJMUlPKc +Z3NxYA//TmgdzpN6Jh8zNCL3cjK9J3IgJWIxgtPnoPDb0GxMt5rSME9uAQLggVut +310OAJ9CCfVYyCECm9ZpgbaeXPHP02Xx6sccpU7bU3nMa1W+Pu0dea3ToFWGFv5i +52INS0UGP+R58JJzGlxlwm1oRNXoG3tfJHR7FHof5G0a60jdcxqjW2JfkN4x28kR 
+RLXCqCWfJOjVMIVVQLsVmjZQlBkXLuykg2rbocqBu2dNH4nOuekDWFUpLXoGm2Zd +OhdFmWGIJfLFybPersLBGSO6LJFhzi5KoloeesaCQ26X2ld8R+cu6rKae2f0zDQi +O63yQIg7Oxr4XUnthziZdYA4karVrUdx97I39xTP9ioYxnEWHSdWk2iwKWsLhrPd +X9TEcsmTMia0RSNqarNlsnXiloWFIRKuxlEBO1SMHG45Fr5mXsPxFLc81acQlGtl +Kvwl3O5vxaa8Qd46EtLJXsNQW09tW0j1yM3JyAoLZs69/N8iB5lk74nYT+jZhI0b +9/+tfHLRoa+ccJdNfCdfWzCTZpFxG0D6ah6SJY8CgMMvITBT5OfYTR4tvSbt1Sa4 +y65YOPB4QabxuaUC6p0JQ57STUX6D8NtvJwpoZUDb6XDovpXsVb3T0di9eKKYQSv +/TsSRvf57OiCL9u/C5bIV2g0N5pkN9Bsddye0wUqfEdYH/NwXBs= +=OTzQ -----END PGP SIGNATURE----- diff --git a/upgrades/dropbear/dropbear-2025.88.tar.bz2 b/upgrades/dropbear/dropbear-2025.88.tar.bz2 deleted file mode 100644 index 2668ea1..0000000 Binary files a/upgrades/dropbear/dropbear-2025.88.tar.bz2 and /dev/null differ diff --git a/upgrades/dropbear/dropbear-2025.88.tar.bz2.asc b/upgrades/dropbear/dropbear-2025.88.tar.bz2.asc deleted file mode 100644 index f6709a3..0000000 --- a/upgrades/dropbear/dropbear-2025.88.tar.bz2.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmgbTlUACgkQRJMUlPKc -Z3PY2xAAkSmMipofQkVDE8owIY1VrXGICpFFby7oIzog1oiWrTWlqjGPBwxrLEAa -W5qXPez0mu9CMs0eGgqHnpUCOR2OJKXzlllSwWcO2Q9Ioi+fSYB//A/+FRK5Jyvf -P3H6Iq4N4vCbOGS0zHwmlAhTMh1ezKuqnjCrP9z6gvOj6hiiI0DtX2YtYfXml4o8 -Xgvv+w3uReC/Pf7Z7Zia18tWlLIC1DoVC18CmLmnnyqE032Cn8HsE/scboTehgJd -SKfpztf8/9IjAJpkoeuh3VEXeq5gUjdaW13cBvaPBg798+GsnY7ot7g2PLgnpc7w -Y1Npg2QZebKE2KHSEGhvIfHeGC6uSEekQnNbck6/ge8ytRzvfzxtTFCMWlGVdgd4 -dFLNajFRt1VOYXMgm7w725cndXYjpvi7zNgGI/kuOQG92hGR8ZaQYYHUTI+B9sr1 -Fit8VmaOsLN7ES8UcNlWeRPHAlvkhdfjltcCSVBziJWGW5rYsuT03X/gbjSiflA5 -kwB/5A2Bf5DHtORbdtx9kfd5yqsnWaLczEKRjyikJqDUXW6CcclbEiucWIgR75cS -Ee9cf8ILKn/Dr6z+h60y0VQ+1gUcVDnK9yxoqywS5/QoUFXltzu032ZmhyDdgfex -93NbacgaVtges8t0S0s7PgfzpUSLgNte6aHOYwl5mDAh0zLGpoo= -=uS3y ------END PGP SIGNATURE----- 
diff --git a/upgrades/dropbear/dropbear-2026.90.tar.bz2 b/upgrades/dropbear/dropbear-2026.90.tar.bz2 new file mode 100644 index 0000000..787137d Binary files /dev/null and b/upgrades/dropbear/dropbear-2026.90.tar.bz2 differ diff --git a/upgrades/dropbear/dropbear-2026.90.tar.bz2.asc b/upgrades/dropbear/dropbear-2026.90.tar.bz2.asc new file mode 100644 index 0000000..cbd990a --- /dev/null +++ b/upgrades/dropbear/dropbear-2026.90.tar.bz2.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmn22d8ACgkQRJMUlPKc +Z3Ndlg//Vj21j/hlAIPD0AOAgYYLvudvR2bA1gJBHrlAQB4FQSWWgW+C0xdHks7X +YUkKFhLMMP8twemA2EApfMtEp+YayfN/djiwCTfhrCI2ObTZJZU6FwyKiENviKGo +hH7rFeh1HdSJuU+HExF9bCq+1oGFjhpOKh982R0hasLzKgN2PmF1v/jEqNpibyIc +o7/7xXFGne39xTrwIuvhjl44iCrIKrcqpObt2cHKRx3D5E1b5nz1JriceCQr4zPa +tRBXyvl7Ub/N0xZ0K81LA5cDuP2h5H1W1X0BEVTMi+4vIJhaFfOCZhFp9vjlKuuW +vLhPJWakaLOM2o0PawHW3pVQfq9vOPOGUYcQoSCjgplEsvySbIHS33/nHrPq9ncb +S6kYQnXtNmWOuWoZfUmGNSBItzd9aOWJ/CukhtovJHRCvM9W68GhR4kqNhZpfvhY +NL35NC3IydxvzZUZzW6OvaBzGnAVshILyVnlrGkI9ikc8BJUY6GllcMopD5+vCbt +YYKZhThckaHmtZL4bkyA1v8KN7uVprCKQSgC56lbXD+fr7qM/sjNLmp+UVCnjTuU +XDFnS7dELDZCXweTmxIowwPetaDtnfBPuYWmGtSezG63Zbsv32/UMAy3YCT7vg/V +9dzK0h2/EG6GCZ9UfYj/uYCuvb8HhbVji0fMYbzo1eT4NAJwPpY= +=/+S8 +-----END PGP SIGNATURE----- diff --git a/upgrades/dropbear/dropbear-2026.91.tar.bz2 b/upgrades/dropbear/dropbear-2026.91.tar.bz2 new file mode 100644 index 0000000..9fce37e Binary files /dev/null and b/upgrades/dropbear/dropbear-2026.91.tar.bz2 differ diff --git a/upgrades/dropbear/dropbear-2026.91.tar.bz2.asc b/upgrades/dropbear/dropbear-2026.91.tar.bz2.asc new file mode 100644 index 0000000..33357db --- /dev/null +++ b/upgrades/dropbear/dropbear-2026.91.tar.bz2.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAmoAZREACgkQRJMUlPKc +Z3P87g//ZamgpADh+1CziP9UJ8iiQSi+6lGDcNmkLwNfw1dXA7zAJ2L10uz1We5V +ercshPNSurf/rYCQJIvav1JE2x4oHXAgnzO1pnrIDriBmCa17EJD2udDHImE1A4K +KP6JxeaaZTkPYCQftIh3bj7kyJnjpRIptN41GHLeyfQ9bD/ikpGm7uVVqOv1y08O +Z1pBlZ4IeKrdN7ghHclTTS7+w9nDcYuP62B+KOg7U2oE6+hTfO6PZnHxumUqFlck +iDEOpdjWixp62ju5ad2o+qWsV4QDg5y/smb51ZDIiFkQh3BJKs6qS83ZNBseGdCX +vtfKLBSpH/k28WlIwzNq3xiwD7xLR1niX4IrNFUF71eFZhFt6FAMk7oBhSse86qs +TUUDsssQBAGgNbyRAGSkjBKQ9hdrGXuqV7r8PnDGo+n+EF7pRBJTObM29jshgnjm +CZ8zMu8LB5cCzWJCXUhNX9HqcW4LIDPGI6v24ychxGqLS5ekKHbv7Pr/xguHyVJq +U7HXsUtA43HAXnk1RaVYV3I9CzLinJ9Cs3sNBRpcIEKQfpYXTDL58lEg/mJRloqC +EIBgb9pB8EvFbIz3mbOayvrLnMzmyL1ujsc1CYUcEti1MV6IrgOjGxi/kUrcrZaQ +1kPA/eRcG1iRpyYk19/cD1JyI477HRnRQDeqMPRO9VTeCMOXO2s= +=PPW+ +-----END PGP SIGNATURE----- diff --git a/upgrades/dropbear/localoptions.h b/upgrades/dropbear/localoptions.h index 6b6a9a0..3b49b8b 100644 --- a/upgrades/dropbear/localoptions.h +++ b/upgrades/dropbear/localoptions.h @@ -1,12 +1,12 @@ /* # SPDX-Version: 3.0 */ -/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; */ -/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */ +/* # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; */ +/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git */ /* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */ /* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; */ /* # SPDX-FileType: SOURCE */ -/* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */ +/* # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 */ /* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */ -/* # SPDX-PackageName: CISS.debian.installer */ +/* # SPDX-PackageName: CISS.debian.live.builder */ /* # SPDX-Security-Contact: security@coresecret.eu */ #ifndef DROPBEAR_LOCALOPTIONS_H_ 
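Review bot: The new `/* # SPDX-PackageName: CISS.debian.live.builder */` and `/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git */` lines in the localoptions.h hunk name a different project than the rest of this repository: the context lines of the following hunks in linux_image_clang_options.sh and ciss-sb-pki.cnf still read `# SPDX-PackageName: CISS.debian.installer`, and the unchanged `SPDX-LicenseComment` line in this same hunk still states the file is part of the CISS.debian.installer.secure framework. This looks like a header block copied over from a sibling repository; either the two lines should keep the installer name, or the LicenseComment should be changed to match, but the three should not disagree. The license identifier also moves from `EUPL-1.2 OR LicenseRef-CCLA-1.0` to `LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1`, and every `LicenseRef-` identifier needs a corresponding license text in the repository to be resolvable by SPDX tooling, which this diff does not show. The header comment is complete within the hunk; the rest of the file continues outside it.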
diff --git a/upgrades/linux-image/linux_image_clang_options.sh b/upgrades/linux-image/linux_image_clang_options.sh index 5b62c87..b93f8db 100644 --- a/upgrades/linux-image/linux_image_clang_options.sh +++ b/upgrades/linux-image/linux_image_clang_options.sh @@ -10,6 +10,8 @@ # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu +# ToDo: Update to the latest Kernel Version. + ### https://kspp.github.io/ set -o errexit diff --git a/upgrades/secure-boot/ciss-sb-pki.cnf b/upgrades/secure-boot/ciss-sb-pki.cnf index 83869cf..1276180 100644 --- a/upgrades/secure-boot/ciss-sb-pki.cnf +++ b/upgrades/secure-boot/ciss-sb-pki.cnf @@ -9,6 +9,8 @@ # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu +# ToDo: Update to the latest version of the CISS PKI. + # Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in a vault. # # The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the @@ -87,7 +89,7 @@ clearance_max = 64 serialNumber = QSCD Serial Number serialNumber_max = 64 ############################### = 1234567890123456789012345678901234567890123456789012345678901234 -commonName_default = CISS Secure Boot Root CA 2025 RSA 4096 +commonName_default = CISS Secure Boot Root CA 2026 RSA 4096 organizationName_default = Centurion Intelligence Consulting Agency organizationalUnitName_default = CISO organizationIdentifier_default = VATPT-307086887 @@ -104,7 +106,7 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer authorityInfoAccess = @ciss_sb_pki certificatePolicies = 2.5.29.32.0, @ciss_sb_policy -nsComment = "CISS Secure Boot Root CA 2025 RSA 4096" +nsComment = "CISS Secure Boot Root CA 2026 RSA 4096" [ v3_pk ] basicConstraints = critical, CA:true, pathlen:0 
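Review bot: The string `CISS Secure Boot Root CA 2026 RSA 4096` is now maintained in two places in ciss-sb-pki.cnf, `commonName_default` in the `@@ -87` hunk and `nsComment` in the `@@ -104` hunk, and this commit had to edit both; OpenSSL config files expand `$name` variables, so defining it once in the default section (constructed example: `sb_root_ca_name = CISS Secure Boot Root CA 2026 RSA 4096`) and writing `commonName_default = $sb_root_ca_name` and `nsComment = "$sb_root_ca_name"` keeps the two from drifting on the next rollover. `nsComment` is the legacy Netscape comment extension and carries no trust semantics, so if it is kept at all it should be derived rather than hand-copied. Changing the Root CA default subject to 2026 implies a new root, yet the `# ToDo: Update to the latest version of the CISS PKI.` added in this file's first hunk suggests the key material and the PK/KEK/db enrollment that chain to it are not updated here; the ToDo would be more useful if it listed which artifacts must be regenerated together with this subject change. The `[ v3_pk ]` section continues outside the hunk.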
@@ -147,6 +149,4 @@ CPS.0 = "https://policy.quantumsign.eu/" fullname = URI:https://crl.quantumign.eu/ reasons = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise - - # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/var/README/README_BASH_VAR.md b/var/README/README_BASH_VAR.md index 31edac8..f83edac 100644 --- a/var/README/README_BASH_VAR.md +++ b/var/README/README_BASH_VAR.md @@ -7,8 +7,8 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
-**Master Version**: 8.00
-**Build**: V8.00.000.2025.06.17
+**Master Version**: 9.00
+**Build**: V9.14.000.2026.06.07
# 2. [bash.var.sh](../bash.var.sh) This module establishes the global execution profile for all modules of the `CISS.debian.installer`. It is sourced at the very diff --git a/var/early.var.sh b/var/early.var.sh index 42c8979..6fe4a27 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -24,7 +24,7 @@ declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{ declare -grx VAR_CONTACT="security@coresecret.eu" # shellcheck disable=SC2155 declare -grx VAR_DS_VER="$(debootstrap --version)" -declare -grx VAR_VERSION="Master V8.00.000.2025.06.17" +declare -grx VAR_VERSION="Master V9.14.000.2026.06.07" # shellcheck disable=SC2155 declare -grx VAR_SYSTEM="$(uname -mnosv)" declare -gx VAR_ARG_SANITIZED=""