V8.13.536.2025.12.04
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m24s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m24s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
33
README.md
33
README.md
@@ -29,21 +29,40 @@ include_toc: true
|
||||
**Master Version**: 8.13<br>
|
||||
**Build**: V8.13.536.2025.12.04<br>
|
||||
|
||||
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
|
||||
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
|
||||
cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows
|
||||
based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
|
||||
**CISS.debian.live.builder — First of its own.**
|
||||
**World-class CIA designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
|
||||
|
||||
This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
|
||||
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
|
||||
deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
|
||||
on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
|
||||
changes and made publicly available for download. The latest generic ISO is available at:
|
||||
**[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
|
||||
|
||||
Check out more:
|
||||
* [CenturionNet Services](https://coresecret.eu/cnet/)
|
||||
Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
|
||||
in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
|
||||
with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
|
||||
with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
|
||||
customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
|
||||
are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to
|
||||
an installed system.
|
||||
**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
|
||||
|
||||
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
|
||||
* [CenturionDNS Resolver](https://eddns.eu/)
|
||||
* [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)
|
||||
* [CenturionNet Status](https://uptime.coresecret.eu/)
|
||||
* [CenturionMeet](https://talk.e2ee.li/)
|
||||
* [CenturionNet Services](https://coresecret.eu/cnet/)
|
||||
* [CenturionNet Status](https://uptime.coresecret.eu/)
|
||||
|
||||
**Contact the author:**
|
||||
* [Contact the author](https://coresecret.eu/contact/)
|
||||
|
||||
**Legal Disclaimer:**
|
||||
* This project is not affiliated with, authorized, maintained, sponsored, or endorsed by [Debian Project](https://www.debian.org/)
|
||||
* [Centurion Imprint](https://coresecret.eu/imprint/)
|
||||
* [Centurion Privacy](https://coresecret.eu/privacy/)
|
||||
|
||||
## 1.1. Preliminary Remarks
|
||||
|
||||
### 1.1.1. HSM
|
||||
|
||||
@@ -95,6 +95,9 @@ clean_up() {
|
||||
|
||||
fi
|
||||
|
||||
### No tracing for security reasons ------------------------------------------------------------------------------------------
|
||||
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
|
||||
|
||||
### Removes secrets securely.
|
||||
# shellcheck disable=SC2312
|
||||
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
|
||||
@@ -111,17 +114,16 @@ clean_up() {
|
||||
|
||||
fi
|
||||
|
||||
### Securely shred all regular files below ./chroot, then remove empty dirs.
|
||||
### Delete all files and directories below ./chroot.
|
||||
if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
find "${VAR_HANDLER_BUILD_DIR}/chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
|
||||
|
||||
### Remove empty directories (bottom-up).
|
||||
find "${VAR_HANDLER_BUILD_DIR}/chroot" -depth -xdev -type d -empty -delete
|
||||
rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot"
|
||||
|
||||
fi
|
||||
|
||||
### Turn on tracing again ----------------------------------------------------------------------------------------------------
|
||||
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
|
||||
|
||||
eval "${_old_nullglob}" 2>/dev/null || true
|
||||
eval "${_old_dotglob}" 2>/dev/null || true
|
||||
eval "${_old_failglob}" 2>/dev/null || true
|
||||
|
||||
Reference in New Issue
Block a user