diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml
index 38a2cd4..ce29a87 100644
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
index 03fcb86..c908fc6 100644
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml
index 7668c32..6f4b095 100644
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Generating a PUBLIC Live ISO.
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index cb89357..fb15898 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V8.13.536.2025.12.04"
+ placeholder: "e.g., Master V8.13.544.2025.12.05"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index b28b1f5..bd25feb 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index d551164..f22d26c 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index b933317..5ea17c4 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.536.2025.12.04
+ version: V8.13.544.2025.12.05
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
index 88b0369..5ea17c4 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -10,6 +10,6 @@
# SPDX-Security-Contact: security@coresecret.eu
build:
- counter: 1024
- version: V8.13.536.2025.12.04
+ counter: 1023
+ version: V8.13.544.2025.12.05
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index 66dbf14..bf87a2c 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.536.2025.12.04
+ version: V8.13.544.2025.12.05
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 66dbf14..bf87a2c 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.536.2025.12.04
+ version: V8.13.544.2025.12.05
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 6dc733f..fb50e29 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Generating a Private Live ISO TRIXIE.
@@ -65,6 +65,7 @@ jobs:
bash \
bat \
ca-certificates \
+ cryptsetup \
curl \
debootstrap \
git \
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index d45898f..a339d7e 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Generating a Private Live ISO TRIXIE.
@@ -65,6 +65,7 @@ jobs:
bash \
bat \
ca-certificates \
+ cryptsetup \
curl \
debootstrap \
git \
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index 8f6e995..f9b8667 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Generating a PUBLIC Live ISO.
@@ -65,6 +65,7 @@ jobs:
bash \
bat \
ca-certificates \
+ cryptsetup \
curl \
debootstrap \
git \
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 2c920d5..eddd0c4 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 0de1b81..02a4163 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π‘οΈ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index 75fd3c8..f74a420 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
name: π Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index 5218cd8..ef0839f 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.536.2025.12.04"
+properties_version="V8.13.544.2025.12.05"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index e135e41..ee6fd25 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.536.2025.12.04
+PackageVersion: Master V8.13.544.2025.12.05
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index 6f0d24c..ea69277 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
**CISS.debian.live.builder β First of its own.**
**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.536.2025.12.04`
+Example: `V8.13.544.2025.12.05`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -250,18 +250,17 @@ kernels it runs with are compiled according to this hardening profile. I treat d
### 2.1.4. Local Kernel Hardening
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
````bash
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS hardened Kernel Parameters.
# Arguments:
-# none
-###########################################################################################
-# shellcheck disable=SC2317
+# None
+#######################################
sysp() {
- sysctl -p /etc/sysctl.d/99_local.hardened
- # sleep 1
- sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+ sysctl -p /etc/sysctl.d/90-ciss-local.hardened
+ # shellcheck disable=SC2312
+ sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
}
````
* **Key measures loaded by this file include:**
@@ -277,6 +276,11 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
until the next boot. Automatic enforcement at startup is therefore omitted by designβrun `sysp()` manually and plan a reboot to
apply or revert these controls.
+In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
+[9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
+
## 2.2. Module Blacklisting
* **Description**: Disables and blacklists non-essential or insecure kernel modules.
@@ -284,9 +288,22 @@ apply or revert these controls.
## 2.3. Network Hardening
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
- inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``.
+The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up
+``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
+is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
+
+``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation
+while disabling ``LLMNR`` and ``MulticastDNS``.
+
+This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name
+resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
+infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive
+deployments, this stack is used as the default.
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
## 2.4. Core Dump & Kernel Hardening
diff --git a/REPOSITORY.md b/REPOSITORY.md
index 7ba4d01..a98ece4 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) β Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **8.13**, Build **V8.13.536.2025.12.04** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.544.2025.12.05** (as of 2025-10-11)
## 2.2. Top-Level Layout
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 4bc8af0..a12c848 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 4d1686d..4bffa38 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
similarity index 99%
rename from config/includes.chroot/etc/sysctl.d/99_local.hardened
rename to config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
index 43af3b1..5f429cc 100644
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index c59f958..688245a 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.536.2025.12.04"
+declare -gr VERSION="Master V8.13.544.2025.12.05"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index 1acaf21..0c36259 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.536.2025.12.04 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.544.2025.12.05 at: 10:18:37.9542
diff --git a/config/includes.chroot/root/.ciss/alias b/config/includes.chroot/root/.ciss/alias
index 3f42dc8..052a969 100644
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -228,7 +228,7 @@ swget() {
# None
#######################################
sysp() {
- sysctl -p /etc/sysctl.d/99_local.hardened
+ sysctl -p /etc/sysctl.d/90-ciss-local.hardened
# shellcheck disable=SC2312
sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
}
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 1a92462..b86af1f 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index f3e037c..6b99a03 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 467f2e5..4390cad 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index b63fefb..4c8622c 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index 45c4c7f..a1ca11d 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index 212cc85..1ea70d9 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index d36d2af..7fb5a51 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Changelog
+## V8.13.544.2025.12.05
+* **Added**: [90-ciss-local.hardened.md](documentation/90-ciss-local.hardened.md)
+
## V8.13.536.2025.12.04
* **Added**: [ciss_live_builder.sh.md](documentation/ciss_live_builder.sh.md)
* **Bugfixes**: Unified network management via ``systemd-networkd``
@@ -251,7 +254,7 @@ include_toc: true
* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) added HISTIGNORE and EDITOR
## V8.13.144.2025.10.16
-* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/99_local.hardened)
+* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened)
* **Updated**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
* **Changed**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
diff --git a/docs/CNET.md b/docs/CNET.md
index 0a481af..7fd7dd5 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index de1e2dd..0ef02c2 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Coding Style
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 9f9eddc..9fed0cc 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index a1573b1..d46a5a1 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index 77414dd..3221afa 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index 78e767c..c86ce0c 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.536.2025.12.04
+Master V8.13.544.2025.12.05
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
π· Please consider donating to my work at:
π https://coresecret.eu/spenden/
- V8.13.536.2025.12.04 2025-11-06 CDLB(1)
+ V8.13.544.2025.12.05 2025-11-06 CDLB(1)
````
# 3. Booting
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index 918f648..7dabfab 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. CISS.debian.live.builder β Boot & Trust Chain (Technical Documentation)
diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md
index 27b3eaf..8502966 100644
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. SSH Host Key Policy β CISS.debian.live.builder / CISS.debian.installer
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index 5192b46..bdfa555 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. Resources
diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md
new file mode 100644
index 0000000..d43f4e8
--- /dev/null
+++ b/docs/documentation/90-ciss-local.hardened.md
@@ -0,0 +1,109 @@
+---
+gitea: none
+include_toc: true
+-----------------
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.13
+**Build**: V8.13.544.2025.12.05
+
+# 2. 90-ciss-local.hardened
+
+The configuration fragment ``90-ciss-local.hardened`` defines the local kernel and network hardening baseline that CISS systems
+apply via the Linux ``sysctl`` mechanism. It is written as a conventional ``sysctl.d`` drop-in and is meant to be consumed by early
+userspace tooling such as ``systemd-sysctl``, which imports the settings into ``/proc/sys`` during boot.
+
+At a high level, the file does not contain executable shell logic. It consists exclusively of documented keyβvalue assignments
+in the sysctl namespace plus a number of commented candidates that serve as a catalogue of optional hardening toggles.
+The numeric prefix ``90-`` places it late in the ``sysctl.d`` processing order, so its values override both distribution defaults
+and any earlier CISS baseline fragments. Error handling and reporting are delegated to the standard sysctl loader: unknown or
+unsupported keys will be rejected and logged, but the configuration itself does not implement any conditional fallback paths.
+
+The first block targets kernel level attack surface and introspection capabilities. By setting ``kernel.modules_disabled=1``
+the configuration irrevocably closes the in-kernel module loader once the sysctl is applied, which prevents any further ``insmod``
+or ``modprobe`` operations and thereby cuts off an entire class of kernel code injection vectors. The embedded warning comments
+ point out that this implies a very rigid boot pipeline: any device drivers, filesystems, or network stack components that are
+not built in or preloaded before this switch is flipped will simply never appear, which would otherwise lead to a dead network
+stack and loss of remote access. Additional restrictions such as ``kernel.unprivileged_bpf_disabled=1``, ``net.core.bpf_jit_harden=2``,
+``dev.tty.ldisc_autoload=0``, ``vm.unprivileged_userfaultfd=0``, ``kernel.kexec_load_disabled=1`` and ``kernel.unprivileged_userns_clone=0``
+collectively neutralize typical exploitation primitives. They disable unprivileged BPF program loading, force the BPF JIT into
+its hardened mode, prevent automatic loading of TTY line discipline modules, restrict ``userfaultfd`` to privileged callers,
+shut off in-kernel kexec, and forbid unprivileged user namespace creation. Taken together, these choices assume a server or
+appliance workload that does not need container-style unprivileged namespaces, local kexec reseating, or dynamic TTY plumbing
+and is willing to trade flexibility for a markedly smaller attack surface.
+
+A second cluster tightens diagnostic visibility and process inspection. The settings ``kernel.kptr_restrict=2`` and
+``kernel.dmesg_restrict=1`` remove kernel pointer values and log contents from unprivileged users, while ``kernel.printk=3 3 3 3``
+drastically reduces what is emitted on the console during and after boot. TTY injection via the historical TIOCSTI ioctl is
+disabled with ``dev.tty.legacy_tiocsti=0``, which the comments correctly note may break some screen readers but eliminates a
+convenient path to smuggle keystrokes into another session. Process debugging is gated using the Yama LSM control
+``kernel.yama.ptrace_scope=2``, which only permits ``ptrace`` attach operations from processes that hold ``CAP_SYS_PTRACE``;
+unprivileged users can no longer freely attach debuggers to sibling processes. This aligns the system strongly towards a
+production profile in which on-host debugging is effectively a privileged maintenance activity rather than a normal user
+capability.
+
+Crash handling and memory layout are hardened in a deliberate, multistep fashion. Classic process core dumps are effectively
+disabled by ``fs.suid_dumpable=0`` and ``kernel.core_pattern=|/bin/false``, so even privileged processes do not leave crash images
+lying around on persistent storage. ``kernel.core_uses_pid=1`` is kept consistent with this policy but has no practical effect
+once the core pattern is redirected into ``false``. The mapping base randomization knobs ``kernel.randomize_va_space=2``,
+``vm.mmap_rnd_bits=32`` and ``vm.mmap_rnd_compat_bits=16`` increase address space layout randomization for both native and compat
+processes, raising the entropy available for exploit mitigation. The comments explicitly point out that the chosen bit widths
+are tuned for x86 type architectures, and that other CPU families may require different values, so the configuration implicitly
+assumes a modern x86_64 kernel that implements these sysctls. The pair ``kernel.warn_limit=1`` and ``kernel.oops_limit=1``
+introduces an extremely low tolerance for kernel anomalies: in combination with a build that enables ``CONFIG_PANIC_ON_OOPS``,
+which the commentary references, even a single WARN, BUG, or oops will trigger a reboot cycle rather than allow the kernel to
+limp along in a potentially corrupted state.
+
+Filesystem-related sysctls are used to close off classes of symlink and hardlink-based attacks against privileged processes. The
+combination of ``fs.protected_symlinks=1``, ``fs.protected_hardlinks=1``, ``fs.protected_fifos=2`` and ``fs.protected_regular=2``
+changes how the kernel resolves symbolic links, hardlinks, and special files in world-writable directories. Access is
+constrained so that following such references across user boundaries or into attacker-controlled locations is significantly more
+difficult. This is particularly relevant for services that operate within shared directories such as ``/tmp`` and that
+historically have been exploitable through TOCTOU race conditions on links.
+
+The networking section establishes a host profile that behaves explicitly as an end system, not as a router, and that is hostile
+to in-band reconfiguration from the network. Source routing is disabled for both IPv4 and IPv6 through
+``net.ipv4.conf.*.accept_source_route=0`` and ``net.ipv6.conf.*.accept_source_route=0``. Redirects are neither accepted nor sent,
+using the cluster ``net.ipv4.conf.*.accept_redirects=0``, ``net.ipv4.conf.*.secure_redirects=0``, ``net.ipv6.conf.*.accept_redirects=0``,
+and ``net.ipv4.conf.*.send_redirects=0``. Reverse path filtering is enabled with ``net.ipv4.conf.all.rp_filter=1`` and
+``net.ipv4.conf.default.rp_filter=1``, which offers a basic defense against address spoofing. Logging of martian packets is
+activated by ``net.ipv4.conf.*.log_martians=1``, so the system will record traffic with obviously bogus source addresses. IP
+forwarding is forcibly disabled via ``net.ipv4.conf.all.forwarding=0``, reinforcing the assumption that these machines are not
+supposed to forward traffic between interfaces.
+
+On the IPv6 side, router advertisements are turned off by ``net.ipv6.conf.all.accept_ra=0`` and ``net.ipv6.conf.default.accept_ra=0``,
+which means that global IPv6 addressing and routing information must be configured statically or via a trusted configuration
+mechanism. ARP resilience is improved by setting ``net.ipv4.conf.all.arp_ignore=1`` and ``net.ipv4.conf.default.arp_ignore=1``, so
+the kernel only replies to ARP requests that match the target IP address on the receiving interface; this shrinks the surface
+for ARP spoofing and gratuitous replies. ICMP behavior is made highly conservative: ``net.ipv4.icmp_echo_ignore_all=1`` and
+``net.ipv4.icmp_echo_ignore_broadcasts=1`` effectively suppress echo replies entirely and ignore directed broadcasts, which
+hinders network scanning and mitigates certain amplification attacks at the cost of losing simple ``ping`` diagnostics.
+
+Transport level settings are focused on resilience against SYN flood type denial of service and fingerprinting noise. The switch
+``net.ipv4.tcp_syncookies=1`` activates SYN cookies, ``net.ipv4.tcp_rfc1337=1`` instructs the kernel to protect against time-wait
+assassination, and ``net.ipv4.tcp_max_syn_backlog=4096`` enlarges the queue for half-open connections, so the system can sustain
+more parallel handshake attempts before dropping them. ``net.ipv4.tcp_synack_retries=2`` it reduces the number of retransmissions for
+SYN-ACK packets, which shortens the time wasted on unreachable peers and malicious scanners but can marginally penalize very
+lossy networks. Finally, ``net.ipv4.tcp_timestamps=0`` disables TCP timestamps, which otherwise leak information about host uptime
+and clock behavior and can be abused for subtle fingerprinting.
+
+Beyond the active values, the module also documents several tunables that are intentionally left commented out. These include
+sysctls for IO_uring disablement, performance event restrictions, memory overcommit policy, dirty page ratios, and swap
+aggressiveness. Their presence turns the file into a compact reference of hardened defaults that the CISS ecosystem considers
+defensible, while still leaving room for operator-specific adjustments when hardware constraints or workload characteristics
+demand different trade-offs.
+
+In terms of preconditions, the configuration assumes a Linux kernel new enough to understand the modern hardening knobs it
+targets, and a deployment model where almost all required modules and capabilities are either built into the kernel or loaded
+before sysctl application. It does not itself coordinate with the live boot or initramfs stages: instead, it defines the
+steady-state behavior of a system that has already pivoted into its real root filesystem. Within the overall
+**CISS.debian.live.builder** architecture, ``90-ciss-local.hardened`` therefore functions as the final, host level enforcement layer
+that aligns runtime behavior with the hardened kernel command line and build time options defined elsewhere in the project,
+closing off residual dynamic features and network behaviors that would otherwise remain available after boot.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md
index 3b20517..31504fe 100644
--- a/docs/documentation/ciss_live_builder.sh.md
+++ b/docs/documentation/ciss_live_builder.sh.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.536.2025.12.04
+**Build**: V8.13.544.2025.12.05
# 2. ciss_live_builder.sh
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index 756a37a..7cb91a7 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.536.2025.12.04 2025-11-06 CDLB(1)" "${var_cols}")
+ declare var_footer=$(center "V8.13.544.2025.12.05 2025-11-06 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.536.2025.12.04\e[0m"
+ echo -e "\e[92mMaster V8.13.544.2025.12.05\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh
index 1bdb096..688f44b 100644
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -130,7 +130,7 @@ main() {
touch "${var_log}"
- printf "CISS.debian.installer Master V8.13.536.2025.12.04 is up! \n" >> "${var_log}"
+ printf "CISS.debian.installer Master V8.13.544.2025.12.05 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
@@ -209,7 +209,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
- printf "CISS.debian.installer Master V8.13.536.2025.12.04: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+ printf "CISS.debian.installer Master V8.13.544.2025.12.05: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}
diff --git a/var/early.var.sh b/var/early.var.sh
index 8be6e0b..2f62f2d 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.536.2025.12.04"
+declare -grx VAR_VERSION="Master V8.13.544.2025.12.05"
declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4