V8.13.544.2025.12.05
Some checks failed
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m24s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m36s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 44m39s
Some checks failed
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m24s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m36s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 44m39s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
47
README.md
47
README.md
@@ -2,7 +2,7 @@
|
||||
gitea: none
|
||||
include_toc: true
|
||||
---
|
||||
[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
|
||||
[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
|
||||
|
||||
[](https://eupl.eu/1.2/en/)
|
||||
[](https://opensource.org/license/eupl-1-2)
|
||||
@@ -27,7 +27,7 @@ include_toc: true
|
||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||
**Master Version**: 8.13<br>
|
||||
**Build**: V8.13.536.2025.12.04<br>
|
||||
**Build**: V8.13.544.2025.12.05<br>
|
||||
|
||||
**CISS.debian.live.builder — First of its own.**<br>
|
||||
**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
|
||||
@@ -175,7 +175,7 @@ installer toolchain.
|
||||
|
||||
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
|
||||
|
||||
Example: `V8.13.536.2025.12.04`
|
||||
Example: `V8.13.544.2025.12.05`
|
||||
|
||||
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
|
||||
|
||||
@@ -250,18 +250,17 @@ kernels it runs with are compiled according to this hardening profile. I treat d
|
||||
|
||||
### 2.1.4. Local Kernel Hardening
|
||||
|
||||
* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
|
||||
The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
|
||||
````bash
|
||||
###########################################################################################
|
||||
# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
|
||||
#######################################
|
||||
# Wrapper for loading CISS hardened Kernel Parameters.
|
||||
# Arguments:
|
||||
# none
|
||||
###########################################################################################
|
||||
# shellcheck disable=SC2317
|
||||
# None
|
||||
#######################################
|
||||
sysp() {
|
||||
sysctl -p /etc/sysctl.d/99_local.hardened
|
||||
# sleep 1
|
||||
sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
|
||||
sysctl -p /etc/sysctl.d/90-ciss-local.hardened
|
||||
# shellcheck disable=SC2312
|
||||
sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
|
||||
}
|
||||
````
|
||||
* **Key measures loaded by this file include:**
|
||||
@@ -277,6 +276,11 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
|
||||
until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to
|
||||
apply or revert these controls.
|
||||
|
||||
In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
|
||||
[9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
|
||||
|
||||
For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
|
||||
|
||||
## 2.2. Module Blacklisting
|
||||
|
||||
* **Description**: Disables and blacklists non-essential or insecure kernel modules.
|
||||
@@ -284,9 +288,22 @@ apply or revert these controls.
|
||||
|
||||
## 2.3. Network Hardening
|
||||
|
||||
* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
|
||||
inbound/outbound traffic behaviors.
|
||||
* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
|
||||
At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path
|
||||
filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6
|
||||
receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``.
|
||||
The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up
|
||||
``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
|
||||
is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
|
||||
|
||||
``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation
|
||||
while disabling ``LLMNR`` and ``MulticastDNS``.
|
||||
|
||||
This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name
|
||||
resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
|
||||
infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive
|
||||
deployments, this stack is used as the default.
|
||||
|
||||
For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
|
||||
|
||||
## 2.4. Core Dump & Kernel Hardening
|
||||
|
||||
|
||||
Reference in New Issue
Block a user