V8.13.536.2025.12.04
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m24s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-12-04 18:43:56 +01:00
parent b934126432
commit 2f621bed73
2 changed files with 34 additions and 13 deletions

View File

@@ -29,21 +29,40 @@ include_toc: true
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.536.2025.12.04<br> **Build**: V8.13.536.2025.12.04<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server **CISS.debian.live.builder — First of its own.**
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for **World-class CIA designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows
based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
changes and made publicly available for download. The latest generic ISO is available at: changes and made publicly available for download. The latest generic ISO is available at:
**[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)** **[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
Check out more: Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
* [CenturionNet Services](https://coresecret.eu/cnet/) in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to
an installed system.
**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
* [CenturionDNS Resolver](https://eddns.eu/) * [CenturionDNS Resolver](https://eddns.eu/)
* [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)
* [CenturionNet Status](https://uptime.coresecret.eu/)
* [CenturionMeet](https://talk.e2ee.li/) * [CenturionMeet](https://talk.e2ee.li/)
* [CenturionNet Services](https://coresecret.eu/cnet/)
* [CenturionNet Status](https://uptime.coresecret.eu/)
**Contact the author:**
* [Contact the author](https://coresecret.eu/contact/) * [Contact the author](https://coresecret.eu/contact/)
**Legal Disclaimer:**
* This project is not affiliated with, authorized, maintained, sponsored, or endorsed by [Debian Project](https://www.debian.org/)
* [Centurion Imprint](https://coresecret.eu/imprint/)
* [Centurion Privacy](https://coresecret.eu/privacy/)
## 1.1. Preliminary Remarks ## 1.1. Preliminary Remarks
### 1.1.1. HSM ### 1.1.1. HSM
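Review bot: the new paragraph claims `verify-checksums` provides "runtime attestation of the live root", but nothing in the README says where the reference digests live or what anchors them (a signature, a value sealed inside the LUKS2/dm-integrity container, or a plain file on the ISO), so a reader cannot tell whether this is stronger than an ordinary checksum comparison; the paragraph or the linked `MAN_CISS_ISO_BOOT_CHAIN.md` should name the trust root explicitly. The first sentence also changes the base release from Bookworm to Trixie, which affects every ISO the pipeline produces and is not reflected in the `Master Version`/`Build` lines or the commit message; if intentional, say so there. Minor: the added link uses the relative path `docs/MAN_CISS_ISO_BOOT_CHAIN.md` while the existing ISO link uses the absolute `/docs/DL_PUB_ISO.md`; use one form so both resolve the same way from sub-pages.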

View File

@@ -95,6 +95,9 @@ clean_up() {
fi fi
### No tracing for security reasons ------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
### Removes secrets securely. ### Removes secrets securely.
# shellcheck disable=SC2312 # shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
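Review bot: `[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x` only suppresses tracing that this script itself enabled through `VAR_EARLY_DEBUG`; if xtrace is on for any other reason (`bash -x`, an outer `set -x`, or `SHELLOPTS` inherited from the caller) the `find ... | xargs ... shred` line, and with it every secret file path under `${VAR_TMP_SECRET}`, is still echoed to stderr. Test the shell's actual state instead, mirroring the `_old_nullglob` save/restore this function already uses: `local _old_xtrace=""; [[ $- == *x* ]] && _old_xtrace="set -x"` followed by `set +x`, then restore with `eval "${_old_xtrace}"` where tracing is turned back on. That also stops the re-enable further down from depending on the variable rather than on what was actually in effect.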
@@ -111,17 +114,16 @@ clean_up() {
fi fi
### Securely shred all regular files below ./chroot, then remove empty dirs. ### Delete all files and directories below ./chroot.
if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
# shellcheck disable=SC2312 rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot"
find "${VAR_HANDLER_BUILD_DIR}/chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
### Remove empty directories (bottom-up).
find "${VAR_HANDLER_BUILD_DIR}/chroot" -depth -xdev -type d -empty -delete
fi fi
### Turn on tracing again ----------------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
eval "${_old_nullglob}" 2>/dev/null || true eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true eval "${_old_failglob}" 2>/dev/null || true
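Review bot: the replacement of `rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot"` by `find ... -type f -print0 | xargs -0 ... shred -fzu -n 5 --` plus `find ... -type d -empty -delete` is not equivalent to what it replaces: `-type f` skips symlinks, FIFOs, sockets and device nodes (a populated chroot normally has `/dev` entries), and `-xdev` skips anything still mounted inside the chroot (`/proc`, `/sys`, bind mounts), so any directory holding such entries is never empty and survives `-empty -delete`, leaving a partially cleaned `${VAR_HANDLER_BUILD_DIR}/chroot` behind where the old code removed it. Either finish with `rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot"` after the shred pass, or add `find "${VAR_HANDLER_BUILD_DIR}/chroot" -xdev ! -type d -delete` for the non-regular entries before the directory pass; keep `-xdev` in any case, since it is also what stops the shred from descending into a mount that was not unmounted. The comment "Securely shred all regular files" also deserves a caveat: on journaling, copy-on-write or flash-backed storage `shred` overwrites are not guaranteed to reach the old blocks (shred(1) documents this), so the dependable effect of this pass is the unlink, not the five overwrite passes.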