From 2a866d7520ec8fc952f801f8f0019085e62ca4c8318368443f00cb1c922a55b6 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Tue, 21 Oct 2025 20:52:39 +0100 Subject: [PATCH] V8.13.256.2025.10.21 Signed-off-by: Marc S. Weidner --- .archive/.0000_lib_usage.sh | 2 +- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/dockerfile | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_0.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 6 +- REPOSITORY.md | 4 +- .../hooks/live/0007_update_logrotate.chroot | 36 +++- .../hooks/live/9950_fail2ban_hardening.chroot | 176 ++++++++++++------ .../includes.chroot/etc/ssh/ssh_known_hosts | 2 +- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/99_local.hardened | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- config/includes.chroot/root/.zshenv | 11 +- docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/BOOTPARAMS.md | 2 +- docs/CHANGELOG.md | 7 +- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 6 +- docs/REFERENCES.md | 2 +- lib/lib_usage.sh | 4 +- scripts/9999-cdi-starter | 4 +- var/early.var.sh | 2 +- 40 files changed, 200 insertions(+), 116 deletions(-) diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh index 3296776..fb9ebe8 100644 --- a/.archive/.0000_lib_usage.sh +++ b/.archive/.0000_lib_usage.sh @@ -21,7 +21,7 @@ usage() { clear cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.13.224.2025.10.19\e[0m") +$(echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index b769ebb..c3d5754 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.224.2025.10.19" + placeholder: "e.g., Master V8.13.256.2025.10.21" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index 62ca94f..d3f35ee 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index bb27a04..3930765 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 name: 🔁 Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 2c744e8..67bc211 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.224.2025.10.19 + version: V8.13.256.2025.10.21 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index bb4808b..8eb81a2 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 3c2b73f..72e611d 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 0fec040..c533d61 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 2240651..267cb05 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index fe0de79..ed64c42 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 name: 🛡️ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index d8490ee..13b2098 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 name: 🔁 Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index 663c9b0..b728254 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.224.2025.10.19" +properties_version="V8.13.256.2025.10.21" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 82d1c84..07cca3a 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.224.2025.10.19 +PackageVersion: Master V8.13.256.2025.10.21 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 2325b46..e090db7 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.224.2025.10.19-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.256.2025.10.21-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.224.2025.10.19` +Example: `V8.13.256.2025.10.21` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/REPOSITORY.md b/REPOSITORY.md index bc3b41c..f2cf957 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2.1. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **8.13**, Build **V8.13.224.2025.10.19** (as of 2025-10-11) +**Repository State:** Master Version **8.13**, Build **V8.13.256.2025.10.21** (as of 2025-10-11) ## 2.2. Top-Level Layout diff --git a/config/hooks/live/0007_update_logrotate.chroot b/config/hooks/live/0007_update_logrotate.chroot index 298b963..4e86d79 100644 --- a/config/hooks/live/0007_update_logrotate.chroot +++ b/config/hooks/live/0007_update_logrotate.chroot @@ -20,27 +20,49 @@ rm -f "/etc/logrotate.conf" cat << EOF >| "/etc/logrotate.conf" # See "man logrotate" for details. Global options do not affect preceding include directives. -# rotate log files daily +# Rotate log files daily daily -# keep 384 daily worth of backlogs +# Keep 384 daily worth of backlogs. rotate 384 -# hard cap: delete rotated logs older than 384 days +# Hard cap: delete rotated logs older than 384 days. maxage 384 -# create new (empty) log files after rotating old ones +# Do not rotate the log if it is empty (this overrides the ifempty option). +notifempty + +# Create new (empty) log files after rotating old ones. create -# use date as a suffix of the rotated file +# Use date as a suffix of the rotated file. dateext -# gzip older rotations +# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name +# that is the same as the timestamps within it. +dateyesterday + +# Enable compression compress -# keep the most recent rotation uncompressed for one cycle +# Use zstd instead of gzip. +compresscmd /usr/bin/zstd + +# File extension for compressed logs. +compressext .zst + +# Set zstd level 3 (default). +compressoptions -20 + +# How to decompress for 'logrotate -d' or similar. +uncompresscmd /usr/bin/unzstd + +# Keep the most recent rotation uncompressed for one cycle. delaycompress +# Delete log files using shred -u instead of unlink(). +shred + # packages drop log rotation information into this directory include /etc/logrotate.d diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot index a6e531d..ef6ca59 100644 --- a/config/hooks/live/9950_fail2ban_hardening.chroot +++ b/config/hooks/live/9950_fail2ban_hardening.chroot @@ -24,7 +24,7 @@ sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak -cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf +cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git @@ -37,69 +37,106 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf # SPDX-Security-Contact: security@coresecret.eu [DEFAULT] -usedns = yes -# 127.0.0.1/8 – IPv4 loopback range (local host) -# ::1/128 – IPv6 loopback -# fe80::/10 – IPv6 link-local (on-link only; NDP/RA/DAD) -# fc00::/7 – IPv6 ULA (private LAN addresses) -# ff00::/8 – IPv6 multicast (not an unicast host) -# ::/128 – IPv6 unspecified (all zeros; never a real peer) -ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 MUST_BE_SET -maxretry = 8 -findtime = 24h -bantime = 24h +dbpurgeage = 384d +# 127.0.0.1/8 - IPv4 loopback range (local host) +# ::1/128 - IPv6 loopback +# fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD) +# ff00::/8 - IPv6 multicast (not an unicast host) +# ::/128 - IPv6 unspecified (all zeros; never a real peer) +ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET [recidive] -enabled = true -filter = recidive -logpath = /var/log/fail2ban/fail2ban.log* -banaction = iptables-allports -bantime = 32d -findtime = 384d -maxretry = 4 +enabled = true +banaction = ufw[blocktype=deny] +bantime = 8d +bantime.increment = true +bantime.factor = 1 +bantime.maxtime = 128d +bantime.multipliers = 1 2 4 8 16 +bantime.overalljails = true +bantime.rndtime = 877s +filter = recidive +findtime = 16d +logpath = /var/log/fail2ban/fail2ban.log* +maxretry = 3 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused] ### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd] [sshd] -enabled = true -backend = systemd -filter = sshd -mode = normal -port = MUST_BE_SET -protocol = tcp -logpath = /var/log/auth.log -maxretry = 4 -findtime = 24h -bantime = 24h +enabled = true +backend = systemd +bantime = 1h +bantime.increment = true +bantime.factor = 1 +bantime.maxtime = 16d +bantime.multipliers = 1 2 4 8 16 32 64 128 256 384 +bantime.overalljails = true +bantime.rndtime = 877s +filter = sshd +findtime = 16m +maxretry = 4 +mode = aggressive +port = MUST_BE_SET +protocol = tcp [sshd-refused] -enabled = true -filter = ciss-sshd-refused -port = MUST_BE_SET -protocol = tcp -logpath = /var/log/auth.log -maxretry = 1 -findtime = 24h -bantime = 24h +enabled = true +bantime = 1h +bantime.increment = true +bantime.factor = 1 +bantime.maxtime = 16d +bantime.multipliers = 1 2 4 8 16 32 64 128 256 384 +bantime.overalljails = true +bantime.rndtime = 877s +filter = ciss-sshd-refused +findtime = 16m +logpath = /var/log/auth.log +maxretry = 1 +port = MUST_BE_SET +protocol = tcp -# ufw aggressive approach: -# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...). -# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt. +# +# CISS aggressive approach: +# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...). +# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt. +# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked. +# + +[icmp] +enabled = true +banaction = ufw[blocktype=deny] +bantime = 1h +bantime.increment = true +bantime.factor = 1 +bantime.maxtime = 16d +bantime.multipliers = 1 2 4 8 16 32 64 128 256 384 +bantime.overalljails = true +bantime.rndtime = 877s +filter = ciss-icmp +findtime = 16m +logpath = /var/log/ufw.log +maxretry = 1 [ufw] -enabled = true -filter = ciss-ufw -action = iptables-allports -logpath = /var/log/ufw.log -maxretry = 1 -bantime = 24h -findtime = 24h +enabled = true +banaction = ufw[blocktype=deny] +bantime = 1h +bantime.increment = true +bantime.factor = 1 +bantime.maxtime = 16d +bantime.multipliers = 1 2 4 8 16 32 64 128 256 384 +bantime.overalljails = true +bantime.rndtime = 877s +filter = ciss-ufw +findtime = 16m +logpath = /var/log/ufw.log +maxretry = 1 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF -cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf +cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-icmp.conf # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git @@ -112,7 +149,29 @@ cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf # SPDX-Security-Contact: security@coresecret.eu [Definition] -failregex = \[UFW BLOCK\].+SRC= DST +# Generic ICMP/ICMPv6 blocks +failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?\bPROTO=ICMP\b.*$ + ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?\bPROTO=ICMPv6\b.*$ + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf +EOF + +cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +[Definition] +# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing. +failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$ +ignoreregex = # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF @@ -169,33 +228,36 @@ EOF cat << 'EOF' >> /etc/fail2ban/fail2ban.local [Definition] -logtarget = /var/log/fail2ban/fail2ban.log +logtarget = /var/log/fail2ban/fail2ban.log [Database] # Keep entries for at least 384 days to cover recidive findtime. -dbpurgeage = 384d +dbpurgeage = 384d EOF ########################################################################################### # Remarks: Logrotate must be updated either # ########################################################################################### cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak -#sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban cat << EOF >| /etc/logrotate.d/fail2ban /var/log/fail2ban/fail2ban.log { - daily rotate 384 - compress - # Do not rotate if empty + maxage 384 notifempty - + dateext + dateyesterday + compress + compresscmd /usr/bin/zstd + compressext .zst + compressoptions -20 + uncompresscmd /usr/bin/unzstd delaycompress + shred missingok postrotate fail2ban-client flushlogs 1>/dev/null endscript - # If fail2ban runs as non-root it still needs to have write access # to logfiles. # create 640 fail2ban adm diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 710ab18..b88454c 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 76c0310..3aab4e0 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index c3980ab..8aa4f1d 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.224.2025.10.19 +# Version Master V8.13.256.2025.10.21 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index c3cdb21..2afb85b 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.224.2025.10.19" +declare -gr VERSION="Master V8.13.256.2025.10.21" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 0b3a539..600f4c9 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.224.2025.10.19 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.256.2025.10.21 at: 10:18:37.9542 diff --git a/config/includes.chroot/root/.zshenv b/config/includes.chroot/root/.zshenv index afd1d52..56553d5 100644 --- a/config/includes.chroot/root/.zshenv +++ b/config/includes.chroot/root/.zshenv @@ -13,15 +13,10 @@ : "${XDG_CACHE_HOME:=${HOME}/.cache}" : "${XDG_DATA_HOME:=${HOME}/.local/share}" : "${XDG_STATE_HOME:=${HOME}/.local/state}" -if [ -z "${XDG_RUNTIME_DIR:-}" ]; then - if [ -d "/run/user/$(id -u)" ]; then - XDG_RUNTIME_DIR="/run/user/$(id -u)" - else - XDG_RUNTIME_DIR="/tmp/xdg-runtime-$(id -u)" - fi -fi -export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME XDG_RUNTIME_DIR +# Do NOT set XDG_RUNTIME_DIR here. + +export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME ### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile) if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index b7419a1..501a6b0 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 7fea557..4436db2 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 2199571..1c357df 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 3d7eb2f..e302cfb 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index adebaf7..244f308 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 8b92c35..3c0477f 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 9589e57..45713c7 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,15 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Changelog +## V8.13.256.2025.10.21 +* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) +* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) +* **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv) + ## V8.13.224.2025.10.19 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv) * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) diff --git a/docs/CNET.md b/docs/CNET.md index 249ecd6..90e8154 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 6cb39d7..896aa4d 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index e2d2c3b..1d6f50a 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index f736784..3827036 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index d863db1..3a6b0ed 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 4478969..e980381 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,12 +8,12 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2.1. Usage ````text CISS.debian.live.builder -Master V8.13.224.2025.10.19 +Master V8.13.256.2025.10.21 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima # 2.2. Contact ````text CISS.debian.live.builder -Master V8.13.224.2025.10.19 +Master V8.13.256.2025.10.21 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 8239391..a26d8fe 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Resources diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index 9455cf0..02da999 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -35,13 +35,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V8.13.224.2025.10.19 2025-10-07 CLB(1)" "${var_cols}") + declare var_footer=$(center "V8.13.256.2025.10.21 2025-10-07 CLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V8.13.224.2025.10.19\e[0m" + echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" diff --git a/scripts/9999-cdi-starter b/scripts/9999-cdi-starter index f9f7547..3395d12 100644 --- a/scripts/9999-cdi-starter +++ b/scripts/9999-cdi-starter @@ -66,7 +66,7 @@ main() { # shellcheck disable=SC2312 exec > >(tee -a "${log}") 2>&1 - printf "CISS.debian.installer Master V8.13.224.2025.10.19 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log + printf "CISS.debian.installer Master V8.13.256.2025.10.21 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log net_wait @@ -87,7 +87,7 @@ main() { # --reionice-priority 1 0 \ # --renice-priority "-19" - printf "CISS.debian.installer Master V8.13.224.2025.10.19 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log + printf "CISS.debian.installer Master V8.13.256.2025.10.21 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log exit 0 } diff --git a/var/early.var.sh b/var/early.var.sh index 4922538..e834143 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -14,7 +14,7 @@ # shellcheck disable=SC2155 declare -grx VAR_CONTACT="security@coresecret.eu" -declare -grx VAR_VERSION="Master V8.13.224.2025.10.19" +declare -grx VAR_VERSION="Master V8.13.256.2025.10.21" declare -grx VAR_SYSTEM="$(uname -mnosv)" declare -gx VAR_EARLY_DEBUG="false" declare -gx VAR_HANDLER_AUTOBUILD="false"