V8.13.768.2025.12.06
Some checks failed
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m13s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 56s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 51m3s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Failing after 1m33s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2025-12-06 03:52:15 +01:00
parent 75cb1d8817
commit 2e50dd9535
47 changed files with 71 additions and 68 deletions

View File

@@ -8,15 +8,15 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.544.2025.12.05<br>
**Build**: V8.13.768.2025.12.06<br>
# 2.1. Repository Structure
# 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
**Repository State:** Master Version **8.13**, Build **V8.13.544.2025.12.05** (as of 2025-10-11)
**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
## 2.2. Top-Level Layout
## 3.1. Top-Level Layout
````text
CISS.debian.live.builder/
@@ -59,15 +59,15 @@ CISS.debian.live.builder/
> **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
## 2.3. Directory Semantics
## 3.2. Directory Semantics
### 2.3.1. `.gitea/` — CI/CD Orchestration
### 3.2.1. `.gitea/` — CI/CD Orchestration
- **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
- **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
- **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
- **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
### 2.3.2. `config/` — Live-Build Configuration
### 3.2.2. `config/` — Live-Build Configuration
- **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
- **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
@@ -77,40 +77,40 @@ CISS.debian.live.builder/
- `root/` (administrator dotfiles and keys).
- **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
### 2.3.3. `docs/` — Documentation Corpus
### 3.2.3. `docs/` — Documentation Corpus
Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
### 2.3.4. `lib/` — Shell Library Modules
### 3.2.4. `lib/` — Shell Library Modules
Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
### 2.3.5. `scripts/` — Operational Helpers
### 3.2.5. `scripts/` — Operational Helpers
Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
### 2.3.6. `var/` — Variables & Defaults
### 3.2.6. `var/` — Variables & Defaults
Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
## 2.4. Key Files
## 3.3. Key Files
- **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
- **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
- **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
- **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
## 2.5. Conventions & Build Logic
## 3.4. Conventions & Build Logic
- **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
- **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISOs bootloader stage; `includes.chroot/` become part of the runtime filesystem.
- **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
- **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
## 2.6. Cross-References (Documentation)
## 3.5. Cross-References (Documentation)
- **Boot Parameters**: see `docs/BOOTPARAMS.md`.
- **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
- **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
- **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
## 2.7. Licensing & Compliance
## 3.6. Licensing & Compliance
The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.