msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.512.2025.11.27
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m26s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-27 23:44:42 +00:00
parent 7fc9692ce2
commit 26e22f47a5
21 changed files with 501 additions and 332 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
config/hooks/live/0100_ciss_mem_wipe.chroot
View File

@@ -44,8 +44,6 @@ fi
cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox"
###
#######################################
# Copy required shared libs into the initramfs (if the busybox is dynamic).
# Globals:
@@ -76,7 +74,7 @@ copy_libs() {
copy_libs "${_BUSYBOX_BIN}"
### Generate /init script
### Generate '/init' script ----------------------------------------------------------------------------------------------------
cat << 'EOF' >| "${_TMP_DIR}/init"
#!/bin/busybox sh
# SPDX-Version: 3.0
@@ -184,7 +182,7 @@ EOF
chmod +x "${_TMP_DIR}/init"
### Create the initramfs archive.
### Create the initramfs archive -----------------------------------------------------------------------------------------------
( cd "${_TMP_DIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
### Default configuration.
@@ -210,7 +208,7 @@ CISS_WIPE_TMPFS_PCT=95 # percentage of MemTotal to allocate
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
### Helper script
### Helper script --------------------------------------------------------------------------------------------------------------
cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
#!/bin/bash
# SPDX-Version: 3.0
@@ -273,7 +271,7 @@ esac
EOF
chmod 0755 /usr/local/sbin/ciss-memwipe
### Systemd service: load at boot, execute on shutdown.
### Systemd service: load at boot, execute on shutdown. ------------------------------------------------------------------------
cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
[Unit]
Description=CISS: preload and execute kexec-based RAM wipe on shutdown

69
config/hooks/live/9999_interfaces_update.chroot
View File

@@ -1,69 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
rm -f /etc/network/interfaces
cat << EOF >| /etc/network/interfaces
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
EOF
cat << 'EOF' >> /etc/network/interfaces
### The loopback network interface
auto lo
iface lo inet loopback
### Fully dynamic interface
auto dynamic
iface dynamic inet dhcp
pre-up \
IFACE=$(ip -o link show \
| awk -F': ' '{print $2}' \
| grep -m1 -v lo) && \
echo "Using interface $IFACE as dynamic" && \
ip link set dev "$IFACE" up && \
ip link set dev "$IFACE" name dynamic
post-down \
ip link set dev dynamic name "$IFACE" && \
echo "Restored interface name $IFACE"
source /etc/network/interfaces.d/*
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 /etc/network/interfaces
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

270
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -22,6 +22,8 @@ declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
### Will be replaced at build time:
declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
declare -gr CDLB_MAPPER_NAME="crypt_liveiso"
declare -gr CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
#######################################
# Variable declaration
@@ -36,8 +38,6 @@ declare -r MAG='\e[0;95m'
declare -r RED='\e[0;91m'
declare -r RES='\e[0m'
declare -r NL='\n'
declare -g NUKE_ENABLED='false'
declare -g NUKE_HASH=''
declare -g PASSPHRASE=''
#######################################
@@ -56,6 +56,9 @@ ask_via_stdin() {
printf "\n" >&2
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ask_via_stdin
#######################################
# Printed text in color.
@@ -64,6 +67,9 @@ ask_via_stdin() {
# *: Text to print.
#######################################
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f color_echo
#######################################
# Die Helper: print and then exit hard.
@@ -74,6 +80,9 @@ color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "
# 1: Message string to print.
#######################################
die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f die
#######################################
# Drop into the bash environment.
@@ -81,111 +90,9 @@ die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3;
# None
#######################################
drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
#######################################
# Extract the 'nuke=' parameter from '/proc/cmdline'.
# Globals:
# GRE
# NUKE_ENABLED
# NUKE_HASH
# RED
# REGEX
# Arguments:
# None
# Returns:
# 0: on success
#######################################
extract_nuke_hash() {
declare ARG="" CMDLINE=""
### Read '/proc/cmdline' into a single line safely.
read -r CMDLINE < /proc/cmdline
for ARG in ${CMDLINE}; do
# shellcheck disable=SC2249
case "${ARG,,}" in
nuke=*)
NUKE_HASH="${ARG#*=}"
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
declare -g NUKE_ENABLED="true"
color_echo "${GRE}" "✅ System self check: [ok]"
return 0
else
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
color_echo "${RED}" "✘ Dropping to bash ...:"
drop_bash
fi
;;
esac
done
color_echo "${GRE}" "✅ No Nuke Hash found."
return 0
}
#######################################
# Gather information of all LUKS Devices available on the system.
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=()
declare -i tries=0
while ((tries < 10)); do
# shellcheck disable=SC2312
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
if [[ "${curr[*]}" == "${prev[*]}" ]]; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
printf '%s\n' "${curr[@]}"
return 0
}
#######################################
# Erase the LUKS headers on all LUKS devices, then shut down the system.
# Globals:
# DEVICES_LUKS
# RED
# Arguments:
# None
#######################################
nuke() {
declare dev=""
for dev in "${DEVICES_LUKS[@]}"; do
cryptsetup erase --batch-mode "${dev}" || true
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
done
secure_unset_pass
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
power_off 16
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f drop_bash
#######################################
# Unified power-off routine.
@@ -200,6 +107,9 @@ power_off() {
echo o >| /proc/sysrq-trigger
### The System powers off immediately; no further code is executed.
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f power_off
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
@@ -233,6 +143,9 @@ print_scr_err() {
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f print_scr_err
#######################################
# Print Error Message for '0'-Exit-Code on Terminal.
@@ -242,6 +155,9 @@ print_scr_err() {
# None
#######################################
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f print_scr_scc
#######################################
# Generates an informative shell prompt.
@@ -264,12 +180,13 @@ else \
fi)\
|~\$ "
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f prompt_string
#######################################
# Read the passphrase interactively.
# Globals:
# NUKE_ENABLED
# NUKE_HASH
# PASSPHRASE
# Arguments:
# None
@@ -277,31 +194,13 @@ fi)\
# 0: on success
#######################################
read_passphrase() {
declare -i ROUNDS=0
declare CAND="" SALT=""
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
ask_via_stdin "Enter passphrase: " PASSPHRASE
### NUKE pre-check.
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
ROUNDS="${ROUNDS#rounds=}"
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
### NUKE final check.
if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
nuke
fi
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f read_passphrase
#######################################
# Securely unset the 'PASSPHRASE'-variable.
@@ -311,6 +210,9 @@ read_passphrase() {
# None
#######################################
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f secure_unset_pass
#######################################
# Trap function to be called on 'ERR'.
@@ -334,6 +236,9 @@ trap_on_err() {
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
power_off 16
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f trap_on_err
#######################################
# Security Trap on 'EXIT'.
@@ -346,6 +251,9 @@ trap_on_exit() {
trap - ERR EXIT INT TERM
[[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f trap_on_exit
#######################################
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
@@ -362,6 +270,9 @@ trap_on_term() {
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
power_off 3
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f trap_on_term
#######################################
# Check the integrity and authenticity of this script itself.
@@ -382,13 +293,13 @@ verify_script() {
for item in "${algo[@]}"; do
hashfile="${dir}/${script}.${item}sum.txt"
hashfile="${dir}/${script}.sha${item}sum.txt"
sigfile="${hashfile}.sig"
cmd="${item}sum"
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
if ! gpgv --keyring "/etc/ciss/keys/${CDLB_DB_EXP_FPR}.gpg" "${sigfile}" "${hashfile}"; then
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds."
@@ -423,6 +334,9 @@ verify_script() {
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f verify_script
#######################################
# Main Program Sequence.
@@ -438,6 +352,8 @@ verify_script() {
# None
#######################################
main() {
declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0
exec 1>&2
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
@@ -454,44 +370,62 @@ main() {
color_echo "${MAG}" "Integrity self-check ..."
verify_script
### Read newline-separated output into an array.
while :; do
if [[ -b "${CDLB_MAPPER_DEV}" ]]; then
secure_unset_pass
printf "%b" "${NL}"
color_echo "${GRE}" "CISS LUKS Container successfully opened. Closing dropbear connection in 3 seconds."
sleep 3
exit 0
fi
if [[ "${COUNTER}" -eq 3 ]]; then
secure_unset_pass
break
fi
if [[ "${PASS_SENT}" -eq 0 ]]; then
# shellcheck disable=SC2310
read_passphrase || continue
printf '%s\n' "${PASSPHRASE}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
PASS_SENT=1
WAIT_LOOP=0
else
WAIT_LOOP=$((WAIT_LOOP + 1))
COUNTER=$((COUNTER + 1))
if [[ "${WAIT_LOOP}" -ge 160 ]]; then
color_echo "${GRE}" "Please try again"
PASS_SENT=0
WAIT_LOOP=0
fi
fi
sleep 0.1
done
printf "%b" "${NL}"
color_echo "${MAG}" "Scanning for LUKS devices ..."
# shellcheck disable=SC2312
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### If there are no LUKS devices at all, drop to bash.
if (( ${#DEVICES_LUKS[@]} == 0 )); then
printf "%b" "${NL}"
color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
drop_bash
fi
### Extract the 'nuke='-parameter from '/proc/cmdline'.
printf "%b" "${NL}"
extract_nuke_hash
### Read passphrase interactively.
read_passphrase
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
secure_unset_pass
exit 0
else
secure_unset_pass
printf "%b" "${NL}"
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
color_echo "${GRE}" " No LUKS operations performed. Dropping to bash ..."
color_echo "${GRE}" " To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
drop_bash
fi
color_echo "${GRE}" "No LUKS operations successful. Dropping to bash ..."
drop_bash
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f main
main "${@}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
View File

@@ -1,3 +1,5 @@
# bashsupport disable=BP5007
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git

16
config/includes.chroot/etc/resolv.conf Normal file
View File

@@ -0,0 +1,16 @@
# bashsupport disable=BP5007
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
ln -s /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

19
config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
View File

@@ -9,9 +9,28 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Match]
Type=ether
[Network]
DHCP=yes
DNSOverTLS=opportunistic
DNSSEC=yes
IPv6AcceptRA=yes
LinkLocalAddressing=ipv6
[DHCPv4]
RoutesToDNS=no
UseDNS=yes
UseDomains=no
UseHostname=no
UseNTP=no
[DHCPv6]
RoutesToDNS=no
UseDNS=yes
UseDomains=no
UseHostname=no
UseNTP=no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

10
config/includes.chroot/usr/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/usr/lib/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/usr/lib/live/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/usr/lib/systemd/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

19
config/includes.chroot/usr/lib/systemd/system-preset/90-ciss-networkd.preset Normal file
View File

@@ -0,0 +1,19 @@
# bashsupport disable=BP5007
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
enable systemd-networkd.service
enable systemd-resolved.service
disable networking.service
disable NetworkManager.service
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

10
config/includes.chroot/usr/share/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/usr/share/initramfs-tools/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/usr/share/initramfs-tools/scripts/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu