From 0f8b894e40a7b71b98dce5e39e905360e83f3d63625d748cb41ce8d0b38f5b41 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Fri, 3 Oct 2025 18:39:15 +0100 Subject: [PATCH] V8.13.032.2025.10.03 
Signed-off-by: Marc S. Weidner --- .archive/.0000_lib_usage.sh | 2 +- .archive/0003_install_backports.chroot | 2 +- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/dockerfile | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .../trigger/t_generate_PRIVATE_trixie_0.yaml | 2 +- .../trigger/t_generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/trigger/t_generate_PUBLIC.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_0.yaml | 40 +++++++- .../workflows/generate_PRIVATE_trixie_1.yaml | 39 +++++++- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 8 +- .../live/0000_generate_backup_dir.chroot | 2 +- .../hooks/live/0001_initramfs_modules.chroot | 2 +- .../hooks/live/0002_verify_checksums.chroot | 2 +- config/hooks/live/0050_activate_root.chroot | 2 +- config/hooks/live/0080_keyboard_layout.chroot | 2 +- config/hooks/live/0090_haveged.chroot | 2 +- config/hooks/live/0120_set_hostname.chroot | 2 +- config/hooks/live/0130_machineid.chroot | 2 +- config/hooks/live/0400_eza_install.chroot | 2 +- config/hooks/live/0800_lynis_setup.chroot | 2 +- config/hooks/live/0810_chrony_setup.chroot | 2 +- .../live/0820_kernel_hardening_checker.chroot | 2 +- .../hooks/live/0822_ssh_restart_hook.chroot | 2 +- .../hooks/live/0825_my_sqltuner_perl.chroot | 2 +- config/hooks/live/0830_download_yq.chroot | 2 +- config/hooks/live/0835_testssl.sh.chroot | 2 +- .../live/0840_ufw_abuse_ipdb_reporter.chroot | 2 +- config/hooks/live/0845_harbian_audit.chroot | 2 +- config/hooks/live/0850_ssh_audit.chroot | 2 +- config/hooks/live/0855_dnsviz.chroot | 2 +- config/hooks/live/0900_ufw_setup.chroot | 2 +- ...it_clone_ciss_2025_debian_installer.chroot | 2 +- .../hooks/live/9900_process_accounting.chroot | 2 +- 
config/hooks/live/9910_motd.chroot | 2 +- .../live/9920_deleting_invalid_x509.chroot | 2 +- config/hooks/live/9930_hardening_ssh.chroot | 27 +++++- .../hooks/live/9935_hardening_ssh.chroot.tmpl | 94 +++++++++++++++++++ .../live/9940_hardening_memory.dump.chroot | 2 +- .../hooks/live/9950_fail2ban_hardening.chroot | 2 +- .../hooks/live/9960_disable_services.chroot | 2 +- config/hooks/live/9970_remove_exim.chroot | 2 +- config/hooks/live/9980_usb_guard.chroot | 2 +- config/hooks/live/9985_clamav.chroot | 2 +- config/hooks/live/9990_final_purge.chroot | 2 +- .../hooks/live/9991_file_permissions.chroot | 2 +- .../live/9992_password_expiration.chroot | 2 +- config/hooks/live/9993_aide.chroot | 2 +- config/hooks/live/9994_password_policy.chroot | 2 +- config/hooks/live/9995_sysstat.chroot | 2 +- config/hooks/live/9996_auditd.chroot | 2 +- config/hooks/live/9997_debsums.chroot | 4 +- .../live/9998_sources_list_bookworm.chroot | 2 +- .../live/9998_sources_list_trixie.chroot | 2 +- .../hooks/live/9999_interfaces_update.chroot | 4 +- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/99_local.hardened | 2 +- config/includes.chroot/preseed/.iso/iso.sh | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- config/package-lists/live.list.common.chroot | 5 + docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/BOOTPARAMS.md | 2 +- docs/CHANGELOG.md | 5 +- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 6 +- docs/REFERENCES.md | 2 +- lib/lib_arg_parser.sh | 25 ++++- lib/lib_hardening_ultra.sh | 16 ++++ lib/lib_usage.sh | 4 +- scripts/0010_dhcp_supersede.sh | 2 +- scripts/0100_centurion_dns.sh | 2 +- scripts/9000-cdi-starter | 4 +- .../9999_interfaces_update_netcup.chroot | 2 +- var/early.var.sh | 2 +- var/global.var.sh | 1 + 
91 files changed, 333 insertions(+), 101 deletions(-) create mode 100644 config/hooks/live/9935_hardening_ssh.chroot.tmpl diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh index 7b55375..3af51ca 100644 --- a/.archive/.0000_lib_usage.sh +++ b/.archive/.0000_lib_usage.sh @@ -21,7 +21,7 @@ usage() { clear cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.13.016.2025.09.28\e[0m") +$(echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") diff --git a/.archive/0003_install_backports.chroot b/.archive/0003_install_backports.chroot index 109a484..7b47175 100644 --- a/.archive/0003_install_backports.chroot +++ b/.archive/0003_install_backports.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 693b1b7..ebe1680 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.016.2025.09.28" + placeholder: "e.g., Master V8.13.032.2025.10.03" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index fd4b9f8..fb5fa48 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 91d4d8c..b79c3d2 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 name: 🔁 Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index a48bae9..ce18224 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.016.2025.09.28 + version: V8.13.032.2025.10.03 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index a48bae9..ce18224 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.016.2025.09.28 + version: V8.13.032.2025.10.03 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index cb86b32..da1ee5d 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.016.2025.09.28 + version: V8.13.032.2025.10.03 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index cb86b32..da1ee5d 100644 --- a/.gitea/trigger/t_generate_dns.yaml 
+++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.016.2025.09.28 + version: V8.13.032.2025.10.03 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index eba3171..6969938 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 name: 🔐 Generating a Private Live ISO TRIXIE. @@ -51,6 +51,7 @@ jobs: gnupg \ openssh-client \ openssl \ + perl \ sudo \ util-linux 
@@ -93,6 +94,40 @@ jobs: git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." + - name: 🔧 Render live hook with secrets. + shell: bash + env: + ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} + ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} + RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} + RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} + run: | + set -Ceuo pipefail + umask 077 + + tmpl="config/hooks/live/9935_hardening_ssh.chroot.tmpl" + out="config/hooks/live/9935_hardening_ssh.chroot" + + test -f "${tmpl}" + + perl -0777 -pe ' + BEGIN { + $ed = $ENV{ED25519_PRIV}; + $edpub = $ENV{ED25519_PUB}; + $rsa = $ENV{RSA_PRIV}; + $rsapub = $ENV{RSA_PUB}; + } + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; + ' "$tmpl" >| "$out" + + grep -q "ssh_host_ed25519_key" "${out}" + grep -q "ssh_host_rsa_key" "${out}" + + chmod 0755 "${out}" + - name: 🛠️ Cleaning the workspace. shell: bash run: | @@ -142,7 +177,7 @@ jobs: set -euo pipefail chmod 0755 ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") - ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'. + ### Change "--autobuild=" to the specific kernel version you need: '6.12.48+deb13-amd64'. ./ciss_live_builder.sh \ --autobuild=6.12.48+deb13-amd64 \ --architecture amd64 \ @@ -155,6 +190,7 @@ jobs: --root-password-file /opt/config/password.txt \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \ --ssh-pubkey /opt/config \ + --sshfp \ --trixie - name: 📥 Checking Centurion Cloud for existing LIVE ISOs. 
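Review bot: `chmod 0755 "${out}"` at the end of the new render step makes the rendered hook — which now embeds both private host keys in plaintext — world-readable on the runner, undoing the `umask 077` set two lines into the step; `chmod 0700 "${out}"` keeps the executable bit without widening read access. The two `grep -q` checks before it are also vacuous, because the template's own `cat << 'EOF' >| ssh_host_ed25519_key` and `ssh_host_rsa_key` lines match whether or not the placeholders were replaced, so an unset secret yields an empty key file and the step still passes; `! grep -q '{{ *secrets\.' "${out}"` detects a leftover placeholder, and `grep -q -- '-----BEGIN' "${out}"` would catch an empty secret, assuming the stored keys are in the usual `-----BEGIN ... PRIVATE KEY-----` form. Since `${out}` is written into the git working tree, it is worth confirming that it is ignored by git and excluded from any uploaded artifact — neither is visible in this diff. The same step is added in generate_PRIVATE_trixie_1.yaml.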
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 68dadff..e2f7a81 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 name: 🔐 Generating a Private Live ISO TRIXIE. @@ -51,6 +51,7 @@ jobs: gnupg \ openssh-client \ openssl \ + perl \ sudo \ util-linux @@ -93,6 +94,41 @@ jobs: git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." + + - name: 🔧 Render live hook with secrets. + shell: bash + env: + ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} + ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} + RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} + RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} + run: | + set -Ceuo pipefail + umask 077 + + tmpl="config/hooks/live/9935_hardening_ssh.chroot.tmpl" + out="config/hooks/live/9935_hardening_ssh.chroot" + + test -f "${tmpl}" + + perl -0777 -pe ' + BEGIN { + $ed = $ENV{ED25519_PRIV}; + $edpub = $ENV{ED25519_PUB}; + $rsa = $ENV{RSA_PRIV}; + $rsapub = $ENV{RSA_PUB}; + } + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; + s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; + ' "$tmpl" >| "$out" + + grep -q "ssh_host_ed25519_key" "${out}" + grep -q "ssh_host_rsa_key" "${out}" + + chmod 0755 "${out}" + - name: 🛠️ Cleaning the workspace. shell: bash run: | 
@@ -152,6 +188,7 @@ jobs: --root-password-file /opt/config/password.txt \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \ --ssh-pubkey /opt/config \ + --sshfp \ --trixie - name: 📥 Checking Centurion Cloud for existing LIVE ISOs. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index e0c65bf..31dad13 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 20d7175..a52678f 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 967df7a..43401dc 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 name: 🛡️ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 8df62a7..d0476f4 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 name: 🔁 Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index f0967c5..38e772c 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.016.2025.09.28" +properties_version="V8.13.032.2025.10.03" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 6d09c6e..c047af5 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.016.2025.09.28 +PackageVersion: Master V8.13.032.2025.10.03 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index cb8dd3f..cc90ee5 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.016.2025.09.28-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.032.2025.10.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   
@@ -12,7 +12,7 @@ include_toc: true [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)   [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)   -[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)   +[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)   [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)   [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)   [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.016.2025.09.28` +Example: `V8.13.032.2025.10.03` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/config/hooks/live/0000_generate_backup_dir.chroot b/config/hooks/live/0000_generate_backup_dir.chroot index 4831c26..993f2ef 100644 --- a/config/hooks/live/0000_generate_backup_dir.chroot +++ b/config/hooks/live/0000_generate_backup_dir.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot index 6ec84ae..e2d561a 100644 --- a/config/hooks/live/0001_initramfs_modules.chroot +++ b/config/hooks/live/0001_initramfs_modules.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0002_verify_checksums.chroot b/config/hooks/live/0002_verify_checksums.chroot index b3eefc1..85c57c6 100644 --- a/config/hooks/live/0002_verify_checksums.chroot 
+++ b/config/hooks/live/0002_verify_checksums.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0050_activate_root.chroot b/config/hooks/live/0050_activate_root.chroot index 7e4a95e..0942fdc 100644 --- a/config/hooks/live/0050_activate_root.chroot +++ b/config/hooks/live/0050_activate_root.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0080_keyboard_layout.chroot b/config/hooks/live/0080_keyboard_layout.chroot index fc2d7b7..05af1e5 100644 --- a/config/hooks/live/0080_keyboard_layout.chroot +++ b/config/hooks/live/0080_keyboard_layout.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0090_haveged.chroot b/config/hooks/live/0090_haveged.chroot index 022815b..692ffaf 100644 --- a/config/hooks/live/0090_haveged.chroot +++ b/config/hooks/live/0090_haveged.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0120_set_hostname.chroot b/config/hooks/live/0120_set_hostname.chroot index f25af27..8fe2bd2 100644 --- a/config/hooks/live/0120_set_hostname.chroot +++ b/config/hooks/live/0120_set_hostname.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0130_machineid.chroot b/config/hooks/live/0130_machineid.chroot index 4de2ecc..f88ad36 100644 --- a/config/hooks/live/0130_machineid.chroot +++ b/config/hooks/live/0130_machineid.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0400_eza_install.chroot b/config/hooks/live/0400_eza_install.chroot index 7e7ee0b..d60c503 100644 --- a/config/hooks/live/0400_eza_install.chroot +++ b/config/hooks/live/0400_eza_install.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0800_lynis_setup.chroot b/config/hooks/live/0800_lynis_setup.chroot index c6f465f..43c78d9 100644 --- a/config/hooks/live/0800_lynis_setup.chroot +++ b/config/hooks/live/0800_lynis_setup.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0810_chrony_setup.chroot b/config/hooks/live/0810_chrony_setup.chroot index 9275a2a..593655d 100644 --- a/config/hooks/live/0810_chrony_setup.chroot +++ b/config/hooks/live/0810_chrony_setup.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0820_kernel_hardening_checker.chroot b/config/hooks/live/0820_kernel_hardening_checker.chroot index eeccd34..447a710 100644 --- a/config/hooks/live/0820_kernel_hardening_checker.chroot +++ b/config/hooks/live/0820_kernel_hardening_checker.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0822_ssh_restart_hook.chroot b/config/hooks/live/0822_ssh_restart_hook.chroot index 096005b..0073f65 100644 --- a/config/hooks/live/0822_ssh_restart_hook.chroot +++ b/config/hooks/live/0822_ssh_restart_hook.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0825_my_sqltuner_perl.chroot b/config/hooks/live/0825_my_sqltuner_perl.chroot index 8ad3849..7ddfd3f 100644 --- a/config/hooks/live/0825_my_sqltuner_perl.chroot +++ b/config/hooks/live/0825_my_sqltuner_perl.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0830_download_yq.chroot b/config/hooks/live/0830_download_yq.chroot index a919417..aa00cce 100644 --- a/config/hooks/live/0830_download_yq.chroot +++ b/config/hooks/live/0830_download_yq.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0835_testssl.sh.chroot b/config/hooks/live/0835_testssl.sh.chroot index 61181a5..c80bf98 100644 --- a/config/hooks/live/0835_testssl.sh.chroot +++ b/config/hooks/live/0835_testssl.sh.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot index 703cc15..8320d4a 100644 --- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot +++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0845_harbian_audit.chroot b/config/hooks/live/0845_harbian_audit.chroot index 4188f20..5c243c7 100644 --- a/config/hooks/live/0845_harbian_audit.chroot +++ b/config/hooks/live/0845_harbian_audit.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0850_ssh_audit.chroot b/config/hooks/live/0850_ssh_audit.chroot index 689fad4..6b3c94d 100644 --- a/config/hooks/live/0850_ssh_audit.chroot +++ b/config/hooks/live/0850_ssh_audit.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0855_dnsviz.chroot b/config/hooks/live/0855_dnsviz.chroot index 8642137..f7ccf0e 100644 --- a/config/hooks/live/0855_dnsviz.chroot +++ b/config/hooks/live/0855_dnsviz.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/0900_ufw_setup.chroot b/config/hooks/live/0900_ufw_setup.chroot index 26ecc92..ec0cea8 100644 --- a/config/hooks/live/0900_ufw_setup.chroot +++ b/config/hooks/live/0900_ufw_setup.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 
diff --git a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot index 3ec8974..9206eec 100644 --- a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot +++ b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9900_process_accounting.chroot b/config/hooks/live/9900_process_accounting.chroot index 0f3b861..c8a7ed1 100644 --- a/config/hooks/live/9900_process_accounting.chroot +++ b/config/hooks/live/9900_process_accounting.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9910_motd.chroot b/config/hooks/live/9910_motd.chroot index 25762d7..e357573 100644 --- a/config/hooks/live/9910_motd.chroot +++ b/config/hooks/live/9910_motd.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9920_deleting_invalid_x509.chroot b/config/hooks/live/9920_deleting_invalid_x509.chroot index b124220..3030dea 100644 --- a/config/hooks/live/9920_deleting_invalid_x509.chroot 
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9930_hardening_ssh.chroot b/config/hooks/live/9930_hardening_ssh.chroot index 260d656..b7f4a1a 100644 --- a/config/hooks/live/9930_hardening_ssh.chroot +++ b/config/hooks/live/9930_hardening_ssh.chroot @@ -9,17 +9,18 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" -# sleep 1 cd /etc/ssh || { printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n" } rm -rf ssh_host_*key* +# shellcheck disable=SC2312 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)" +# shellcheck disable=SC2312 ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)" awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe 
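Review bot: The `cd /etc/ssh || { printf ... }` fallback in this hunk only prints and never exits, so under the new `set -Ceuo pipefail` line the script keeps running and the following `rm -rf ssh_host_*key*` is executed relative to whatever working directory the hook happened to start in; the block should end with an exit, e.g. `cd /etc/ssh || { printf "…" >&2; exit 1; }`. Those lines are pre-existing context here, but the commit copies the same block verbatim into the new config/hooks/live/9935_hardening_ssh.chroot.tmpl, so both copies should be fixed together. The rest of this file's body continues outside the hunk.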
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp # The chmod +x command ensures that the file is executed in every shell session. # ########################################################################################### cat << 'EOF' >| /etc/profile.d/idle-users.sh -declare -girx TMOUT=14400 +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +case $- in + *i*) + TMOUT=14400 + export TMOUT + readonly TMOUT + ;; +esac + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF chmod +x /etc/profile.d/idle-users.sh @@ -58,7 +78,6 @@ EOF chmod 0644 /etc/systemd/system/ssh.service.d/override.conf printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" -# sleep 1 exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9935_hardening_ssh.chroot.tmpl b/config/hooks/live/9935_hardening_ssh.chroot.tmpl new file mode 100644 index 0000000..56baa4c --- /dev/null +++ b/config/hooks/live/9935_hardening_ssh.chroot.tmpl 
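Review bot: The remark kept above the heredoc, `# The chmod +x command ensures that the file is executed in every shell session.`, does not describe what happens: /etc/profile.d/*.sh is sourced by /etc/profile in login shells, the execute bit plays no part, and the new `case $- in *i*)` guard additionally skips non-interactive login shells. Suggest rewording it to `# Sourced by /etc/profile in login shells; the $- check skips non-interactive sessions.` and either dropping `chmod +x` or noting that it is cosmetic. The rewrite also replaces `declare -girx TMOUT=14400` with `TMOUT=14400; export TMOUT; readonly TMOUT`, losing the integer attribute; harmless for a literal value but worth a word in the commit message since this is a hardening setting. The heredoc and the surrounding script continue outside the hunk.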
@@ -0,0 +1,94 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /etc/ssh || {
+ printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
+}
+
+cat << 'EOF' >| ssh_host_ed25519_key
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_ed25519_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+EOF
+
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+rm -rf /etc/ssh/moduli
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+chmod 0600 /etc/ssh/ssh_host_*_key
+chown root:root /etc/ssh/ssh_host_*_key
+chmod 0644 /etc/ssh/ssh_host_*_key.pub
+chown root:root /etc/ssh/ssh_host_*_key.pub
+
+chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+
+touch /root/sshfp
+ssh-keygen -r @ >| /root/sshfp
+
+###########################################################################################
+# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
+# environment variables: TMOUT and HISTFILE. #
+# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
+# readonly HISTFILE ensures that the command history cannot be changed. #
+# The chmod +x command ensures that the file is executed in every shell session. #
+###########################################################################################
+cat << 'EOF' >| /etc/profile.d/idle-users.sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+ *i*)
+ TMOUT=14400
+ export TMOUT
+ readonly TMOUT
+ ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod +x /etc/profile.d/idle-users.sh
+
+mkdir -p /etc/systemd/system/ssh.service.d
+cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
+[Unit]
+After=ufw.service
+Requires=ufw.service
+EOF
+chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9940_hardening_memory.dump.chroot b/config/hooks/live/9940_hardening_memory.dump.chroot
index c7294b0..e151ee4 100644
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
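Review bot: The four `cat << 'EOF' >| ssh_host_*` heredocs create the private-key files with the process umask and only the later `chmod 0600 /etc/ssh/ssh_host_*_key` tightens them, so between the two the keys can be group/world-readable inside the chroot; run `umask 077` before the first heredoc (or pre-create each file with `install -m 0600 /dev/null ssh_host_ed25519_key` and so on). Unlike 9930_hardening_ssh.chroot this hook never removes pre-existing `ssh_host_*key*` files, so any host keys the openssh-server package generated at install time would remain alongside the injected ones unless sshd_config pins `HostKey`; confirm that or add the same `rm -rf ssh_host_*key*` before the heredocs. The remark block above the idle-users.sh heredoc still describes a read-only HISTFILE that the script does not set; trim it to TMOUT. Once the `{{ secrets.* }}` placeholders are rendered this hook file itself holds private keys, so whatever renders it should create the result with mode 0600, and the rendered file must never be committed.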
diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot index 82b7a13..42521fc 100644 --- a/config/hooks/live/9950_fail2ban_hardening.chroot +++ b/config/hooks/live/9950_fail2ban_hardening.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9960_disable_services.chroot b/config/hooks/live/9960_disable_services.chroot index e6a7857..dbaacf3 100644 --- a/config/hooks/live/9960_disable_services.chroot +++ b/config/hooks/live/9960_disable_services.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9970_remove_exim.chroot b/config/hooks/live/9970_remove_exim.chroot index e1692df..8212e5b 100644 --- a/config/hooks/live/9970_remove_exim.chroot +++ b/config/hooks/live/9970_remove_exim.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9980_usb_guard.chroot b/config/hooks/live/9980_usb_guard.chroot index d6cce7b..a4ce582 100644 --- a/config/hooks/live/9980_usb_guard.chroot +++ b/config/hooks/live/9980_usb_guard.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9985_clamav.chroot b/config/hooks/live/9985_clamav.chroot index 083a220..dd06215 100644 --- a/config/hooks/live/9985_clamav.chroot +++ b/config/hooks/live/9985_clamav.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9990_final_purge.chroot b/config/hooks/live/9990_final_purge.chroot index 7ed8340..cb93e74 100644 --- a/config/hooks/live/9990_final_purge.chroot +++ b/config/hooks/live/9990_final_purge.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9991_file_permissions.chroot b/config/hooks/live/9991_file_permissions.chroot index cfdf0b2..18925d4 100644 --- a/config/hooks/live/9991_file_permissions.chroot +++ b/config/hooks/live/9991_file_permissions.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9992_password_expiration.chroot b/config/hooks/live/9992_password_expiration.chroot index c3e3b16..565cc73 100644 --- a/config/hooks/live/9992_password_expiration.chroot +++ b/config/hooks/live/9992_password_expiration.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9993_aide.chroot b/config/hooks/live/9993_aide.chroot index 124b0e9..17c63aa 100644 --- a/config/hooks/live/9993_aide.chroot +++ b/config/hooks/live/9993_aide.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9994_password_policy.chroot b/config/hooks/live/9994_password_policy.chroot index d8f73a4..4dd0b9c 100644 --- a/config/hooks/live/9994_password_policy.chroot +++ b/config/hooks/live/9994_password_policy.chroot 
@@ -13,7 +13,7 @@ ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security. ### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9995_sysstat.chroot b/config/hooks/live/9995_sysstat.chroot index 11823a8..727c1eb 100644 --- a/config/hooks/live/9995_sysstat.chroot +++ b/config/hooks/live/9995_sysstat.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot index 2b82d8b..252280b 100644 --- a/config/hooks/live/9996_auditd.chroot +++ b/config/hooks/live/9996_auditd.chroot @@ -12,7 +12,7 @@ ### https://github.com/linux-audit/audit-userspace/tree/master/rules -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9997_debsums.chroot b/config/hooks/live/9997_debsums.chroot index 59b1175..e57918f 100644 --- a/config/hooks/live/9997_debsums.chroot +++ b/config/hooks/live/9997_debsums.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 
@@ -33,4 +33,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e # sleep 1 exit 0 -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9998_sources_list_bookworm.chroot b/config/hooks/live/9998_sources_list_bookworm.chroot index 906655a..498e81b 100644 --- a/config/hooks/live/9998_sources_list_bookworm.chroot +++ b/config/hooks/live/9998_sources_list_bookworm.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9998_sources_list_trixie.chroot b/config/hooks/live/9998_sources_list_trixie.chroot index f9437e0..51fc98c 100644 --- a/config/hooks/live/9998_sources_list_trixie.chroot +++ b/config/hooks/live/9998_sources_list_trixie.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/config/hooks/live/9999_interfaces_update.chroot b/config/hooks/live/9999_interfaces_update.chroot index 154c2cf..aca191d 100644 --- a/config/hooks/live/9999_interfaces_update.chroot +++ b/config/hooks/live/9999_interfaces_update.chroot 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 @@ -62,4 +62,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e # sleep 1 exit 0 -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 54758ed..8d82c8b 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index 7014712..db7d67f 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.016.2025.09.28 +### Version Master V8.13.032.2025.10.03 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/iso.sh b/config/includes.chroot/preseed/.iso/iso.sh index 3d6c8c6..ec01f06 100644 --- a/config/includes.chroot/preseed/.iso/iso.sh +++ b/config/includes.chroot/preseed/.iso/iso.sh 
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail # The example names get mapped to their roles here declare timestamp diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index e68d762..fe21f0d 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.016.2025.09.28" +declare -gr VERSION="Master V8.13.032.2025.10.03" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 848a2ce..839c873 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.016.2025.09.28 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.032.2025.10.03 at: 10:18:37.9542 diff --git a/config/package-lists/live.list.common.chroot b/config/package-lists/live.list.common.chroot index a6cefef..51ea5ce 100644 --- a/config/package-lists/live.list.common.chroot +++ b/config/package-lists/live.list.common.chroot @@ -21,6 +21,7 @@ bash-completion bat bc bind9-dnsutils +bison bsdmainutils btrfs-progs build-essential 
@@ -28,6 +29,7 @@ bzip2 ca-certificates clamav clamav-daemon +clang-18 console-setup cpuid cryptsetup @@ -47,6 +49,7 @@ dirmngr dmsetup dnsviz dosfstools +dpkg-dev e2fsprogs efibootmgr expect @@ -54,6 +57,7 @@ fail2ban fdisk figlet fio +flex fzf gawk gdisk @@ -80,6 +84,7 @@ linux-source live-boot live-config live-config-systemd +lld-18 locate logrotate lsb-release diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index 14149e8..4436ea9 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
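Review bot: `bison`, `clang-18`, `dpkg-dev`, `flex` and `lld-18` add a second complete C toolchain to the hardened live image (`build-essential` in the context lines already supplies gcc), which enlarges what anyone with a shell on the box can compile locally and is one of the items Lynis' hardening section reports on; the CHANGELOG entry for this build mentions only the SSHFP switch. If these are build dependencies for the `linux-source` entry shown as this section's context, say so with a `# kernel build deps for linux-source` comment next to the entries, and consider purging them in a late hook such as 9990_final_purge.chroot when the image is not meant to build kernels. Pinning to `-18` also ties the list to one LLVM release, so a note on why that version is required would help the next bump.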
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 63afaed..4aa91bd 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index e725a32..896fd0e 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index cf498ff..f2580a4 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index cadf7b7..d6ee107 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 9cb5102..515d7dd 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index f044f94..2412e20 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Changelog +## V8.13.032.2025.10.03 +* **Added**: Internal Gitea Action Runner switch for static SSHFP records. + ## V8.13.016.2025.09.28 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64`` diff --git a/docs/CNET.md b/docs/CNET.md index e5610df..79b886e 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 06214a3..2360693 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 52f0251..88e6bf4 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index fafbbed..2eadfa3 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index f79b4d3..e854f68 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index d82cb31..c48494d 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,12 +8,12 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2.1. Usage ````text CISS.debian.live.builder -Master V8.13.016.2025.09.28 +Master V8.13.032.2025.10.03 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima # 2.2. Contact ````text CISS.debian.live.builder -Master V8.13.016.2025.09.28 +Master V8.13.032.2025.10.03 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index d5b7ac9..86d2015 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Resources diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh index 9633012..5fe99b8 100644 --- a/lib/lib_arg_parser.sh +++ b/lib/lib_arg_parser.sh @@ -95,6 +95,7 @@ arg_parser() { --architecture) if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then + # shellcheck disable=SC2034 declare -gx VAR_ARCHITECTURE="${2}" shift 2 else @@ -124,12 +125,14 @@ arg_parser() { read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_ARG_MSMTCH}" fi - declare -g VAR_HANDLER_CDI=true + # shellcheck disable=SC2034 + declare -g VAR_HANDLER_CDI="true" shift 1 ;; --change-splash ) if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then + # shellcheck disable=SC2034 declare -g VAR_HANDLER_SPLASH="${2}" shift 2 else @@ -143,6 +146,7 @@ arg_parser() { --control) if [[ -n "${2-}" ]]; then + # shellcheck disable=SC2034 declare -g VAR_HANDLER_ISO_COUNTER="${2}" shift 2 else @@ -171,6 +175,7 @@ arg_parser() { read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_ARG_MSMTCH}" fi + # shellcheck disable=SC2034 declare -gi VAR_HANDLER_DHCP=1 shift 1 ;; @@ -180,6 +185,7 @@ arg_parser() { declare -i count=0 shift while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do + # shellcheck disable=SC2034 declare -g ARY_HANDLER_JUMPHOST+=("$1") count=$((count + 1)) shift @@ -202,6 +208,7 @@ arg_parser() { read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_ARG_MSMTCH}" fi + # shellcheck disable=SC2034 declare -gi VAR_HANDLER_STA=1 shift 1 ;; @@ -209,10 +216,12 @@ arg_parser() { --provider-netcup-ipv6) if [[ -n "${2-}" && "${2}" != -* ]]; then declare -i count=0 - declare -g VAR_HANDLER_NETCUP_IPV6=true + # shellcheck disable=SC2034 + declare -g VAR_HANDLER_NETCUP_IPV6="true" shift while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do declare cleaned="${1//[\[\]]/}" + # shellcheck disable=SC2034 declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}") count=$((count + 1)) shift 
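Review bot: `hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")` passes the clear-text password as a command-line argument, so it is readable in `/proc/<pid>/cmdline` by any other user on the build host for the duration of the hashing; the `set -x # Turn on tracing again` on the next line suggests tracing was disabled just above, which hides it from the trace only. mkpasswd can read the password from standard input: `hash_temp=$(printf '%s' "${plaintext_pw}" | mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 --stdin)` keeps it out of the process list. This is pre-existing context in the `@@ -359,6 +370,7 @@` hunk; only the shellcheck directive is new. The enclosing `arg_parser` case continues outside the hunk.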
@@ -230,6 +239,7 @@ arg_parser() { --renice-priority) if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then + # shellcheck disable=SC2034 VAR_HANDLER_PRIORITY="$2" shift 2 else @@ -249,6 +259,7 @@ arg_parser() { exit "${ERR_REIONICE_P}" else if [[ "${2}" =~ ^[1-3]$ ]]; then + # shellcheck disable=SC2034 VAR_REIONICE_CLASS="${2}" if [[ -z "${3-}" ]]; then : @@ -359,6 +370,7 @@ arg_parser() { hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}") [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + # shellcheck disable=SC2034 declare -g VAR_HASHED_PWD="${hash_temp}" unset hash_temp plaintext_pw @@ -375,6 +387,7 @@ arg_parser() { --ssh-port) if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then + # shellcheck disable=SC2034 declare -gi VAR_SSHPORT="${2}" shift 2 else @@ -385,12 +398,20 @@ arg_parser() { fi ;; + --sshfp) + # shellcheck disable=SC2034 + declare -g VAR_SSHFP="true" + shift 1 + ;; + --ssh-pubkey) + # shellcheck disable=SC2034 declare -g VAR_SSHPUBKEY="${2}" shift 2 ;; --trixie) + # shellcheck disable=SC2034 declare -g VAR_SUITE="trixie" shift 1 ;; diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh index b448d82..fdafe6f 100644 --- a/lib/lib_hardening_ultra.sh +++ b/lib/lib_hardening_ultra.sh 
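Review bot: `--ssh-pubkey) declare -g VAR_SSHPUBKEY="${2}"` in the `@@ -385,12 +398,20 @@` hunk still reads `${2}` without the `-n "${2-}"` guard that `--control` and `--ssh-port` use, so `--ssh-pubkey` given as the last argument dies with bash's unbound-variable error under `set -u` or falls into a failing `shift 2`, instead of the usage message the sibling options print. Mirror them: `if [[ -n "${2-}" && "${2}" != -* ]]; then declare -g VAR_SSHPUBKEY="${2}"; shift 2; else <usage + exit>; fi`. The new `--sshfp` branch is consistent with the `VAR_SSHFP="false"` default added in var/global.var.sh, but a one-line comment such as `# requires the CISS_DLB_SSH_HOST_* secrets to be present when 9935_hardening_ssh.chroot.tmpl is rendered` would spare the next user a broken image. The `arg_parser` case statement extends beyond the hunk.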
@@ -166,7 +166,23 @@ hardening_ultra() { ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n" + + + ### Updating SSH Keys, Ports. printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n" + + ### Check for static SSHFP key material via Gitea Actions Runner Secrets injection. + if [[ "${VAR_SSHFP}" == "true" ]]; then + + rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot" + + else + + rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" + + fi + + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index c509a61..75a9da6 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -35,13 +35,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V8.13.016.2025.09.28 2025-08-11 CLB(1)" "${var_cols}") + declare var_footer=$(center "V8.13.032.2025.10.03 2025-08-11 CLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V8.13.016.2025.09.28\e[0m" + echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" diff --git a/scripts/0010_dhcp_supersede.sh b/scripts/0010_dhcp_supersede.sh index dd33979..c36f85e 100644 --- a/scripts/0010_dhcp_supersede.sh +++ b/scripts/0010_dhcp_supersede.sh 
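Review bot: The new `VAR_SSHFP` branch deletes one of the two SSH hooks but never verifies that the one it keeps is usable: with the switch on, `9935_hardening_ssh.chroot.tmpl` is left in place and something outside this hunk must render its `{{ secrets.* }}` placeholders into a file live-build will actually execute (presumably a `*.chroot` name); if that step is missing or a secret is empty, the image is built with no host-key hook at all (9930 is gone) or with literal placeholder text in the key files. Add a guard after the `rm -f`, along the lines of `[[ -s "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/<rendered hook name>" ]] || { printf 'rendered SSH hook missing\n'; exit 1; }` plus `! grep -q '{{ secrets\.' "<rendered hook>"`, and `chmod 0600` the rendered hook since it embeds private keys. A comment above the `if` naming where the rendering happens would also help. `hardening_ultra` continues outside the hunk.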
@@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" diff --git a/scripts/0100_centurion_dns.sh b/scripts/0100_centurion_dns.sh index 1c4d6bf..52787e5 100644 --- a/scripts/0100_centurion_dns.sh +++ b/scripts/0100_centurion_dns.sh @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter index 7c3b089..2c1f630 100644 --- a/scripts/9000-cdi-starter +++ b/scripts/9000-cdi-starter @@ -9,13 +9,13 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log -printf "CISS.debian.installer Master V8.13.016.2025.09.28 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log +printf "CISS.debian.installer Master V8.13.032.2025.10.03 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh diff --git a/scripts/etc/network/9999_interfaces_update_netcup.chroot b/scripts/etc/network/9999_interfaces_update_netcup.chroot index ad1b0ea..6c316e8 100644 
--- a/scripts/etc/network/9999_interfaces_update_netcup.chroot +++ b/scripts/etc/network/9999_interfaces_update_netcup.chroot @@ -9,7 +9,7 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -set -C -e -u -o pipefail +set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # sleep 1 diff --git a/var/early.var.sh b/var/early.var.sh index acae11a..2580aca 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -14,7 +14,7 @@ # shellcheck disable=SC2155 declare -grx VAR_CONTACT="security@coresecret.eu" -declare -grx VAR_VERSION="Master V8.13.016.2025.09.28" +declare -grx VAR_VERSION="Master V8.13.032.2025.10.03" declare -grx VAR_SYSTEM="$(uname -a)" declare -gx VAR_EARLY_DEBUG="false" declare -gx VAR_HANDLER_AUTOBUILD="false" diff --git a/var/global.var.sh b/var/global.var.sh index 2314a76..9f6c133 100644 --- a/var/global.var.sh +++ b/var/global.var.sh @@ -38,6 +38,7 @@ declare -g VAR_SCRIPT_SUCCESS="false" declare -g VAR_SUITE="bookworm" declare -g VAR_HANDLER_NETCUP_IPV6="false" declare -g VAR_HASHED_PWD="" +declare -g VAR_SSHFP="false" declare -gi VAR_HANDLER_STA=0 declare -gi VAR_HANDLER_PRIORITY=0 declare -gi VAR_REIONICE_CLASS=2
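Review bot: `declare -g VAR_SSHFP="false"` in the var/global.var.sh hunk is the only place the new flag's default is defined, and nothing on the line says what "true" changes; a trailing comment would make the file self-describing, e.g. `declare -g VAR_SSHFP="false"   # set by --sshfp: keep the secrets-templated SSH hook (9935 .tmpl) instead of 9930; read in lib_hardening_ultra.sh`. Keeping the string "false"/"true" convention of the neighbouring booleans is consistent with the `== "true"` comparison its consumer performs. The early.var.sh and 9999_interfaces_update_netcup.chroot hunks on this line are version-only changes and need nothing.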
