V8.13.544.2025.12.05
Some checks failed
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m24s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m36s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 44m39s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
109
docs/documentation/90-ciss-local.hardened.md
Normal file
@@ -0,0 +1,109 @@
---
gitea: none
include_toc: true
-----------------
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.544.2025.12.05<br>
# 2. 90-ciss-local.hardened
The configuration fragment ``90-ciss-local.hardened`` defines the local kernel and network hardening baseline that CISS systems
apply via the Linux ``sysctl`` mechanism. It is written as a conventional ``sysctl.d`` drop-in and is meant to be consumed by early
userspace tooling such as ``systemd-sysctl``, which imports the settings into ``/proc/sys`` during boot.
At a high level, the file does not contain executable shell logic. It consists exclusively of documented key–value assignments
in the sysctl namespace plus a number of commented candidates that serve as a catalogue of optional hardening toggles.
The numeric prefix ``90-`` places it late in the ``sysctl.d`` processing order, so its values override both distribution defaults
and any earlier CISS baseline fragments. Error handling and reporting are delegated to the standard sysctl loader: unknown or
unsupported keys will be rejected and logged, but the configuration itself does not implement any conditional fallback paths.
The first block targets kernel level attack surface and introspection capabilities. By setting ``kernel.modules_disabled=1``
the configuration irrevocably closes the in-kernel module loader once the sysctl is applied, which prevents any further ``insmod``
or ``modprobe`` operations and thereby cuts off an entire class of kernel code injection vectors. The embedded warning comments
point out that this implies a very rigid boot pipeline: any device drivers, filesystems, or network stack components that are
not built in or preloaded before this switch is flipped will simply never appear, which would otherwise lead to a dead network
stack and loss of remote access. Additional restrictions such as ``kernel.unprivileged_bpf_disabled=1``, ``net.core.bpf_jit_harden=2``,
``dev.tty.ldisc_autoload=0``, ``vm.unprivileged_userfaultfd=0``, ``kernel.kexec_load_disabled=1`` and ``kernel.unprivileged_userns_clone=0``
collectively neutralize typical exploitation primitives. They disable unprivileged BPF program loading, force the BPF JIT into
its hardened mode, prevent automatic loading of TTY line discipline modules, restrict ``userfaultfd`` to privileged callers,
shut off in-kernel kexec, and forbid unprivileged user namespace creation. Taken together, these choices assume a server or
appliance workload that does not need container-style unprivileged namespaces, local kexec reseating, or dynamic TTY plumbing
and is willing to trade flexibility for a markedly smaller attack surface.
A second cluster tightens diagnostic visibility and process inspection. The settings ``kernel.kptr_restrict=2`` and
``kernel.dmesg_restrict=1`` remove kernel pointer values and log contents from unprivileged users, while ``kernel.printk=3 3 3 3``
drastically reduces what is emitted on the console during and after boot. TTY injection via the historical TIOCSTI ioctl is
disabled with ``dev.tty.legacy_tiocsti=0``, which the comments correctly note may break some screen readers but eliminates a
convenient path to smuggle keystrokes into another session. Process debugging is gated using the Yama LSM control
``kernel.yama.ptrace_scope=2``, which only permits ``ptrace`` attach operations from processes that hold ``CAP_SYS_PTRACE``;
unprivileged users can no longer freely attach debuggers to sibling processes. This aligns the system strongly towards a
production profile in which on-host debugging is effectively a privileged maintenance activity rather than a normal user
capability.
Crash handling and memory layout are hardened in a deliberate, multistep fashion. Classic process core dumps are effectively
disabled by ``fs.suid_dumpable=0`` and ``kernel.core_pattern=|/bin/false``, so even privileged processes do not leave crash images
lying around on persistent storage. ``kernel.core_uses_pid=1`` is kept consistent with this policy but has no practical effect
once the core pattern is redirected into ``false``. The mapping base randomization knobs ``kernel.randomize_va_space=2``,
``vm.mmap_rnd_bits=32`` and ``vm.mmap_rnd_compat_bits=16`` increase address space layout randomization for both native and compat
processes, raising the entropy available for exploit mitigation. The comments explicitly point out that the chosen bit widths
are tuned for x86 type architectures, and that other CPU families may require different values, so the configuration implicitly
assumes a modern x86_64 kernel that implements these sysctls. The pair ``kernel.warn_limit=1`` and ``kernel.oops_limit=1``
introduces an extremely low tolerance for kernel anomalies: in combination with a build that enables ``CONFIG_PANIC_ON_OOPS``,
which the commentary references, even a single WARN, BUG, or oops will trigger a reboot cycle rather than allow the kernel to
limp along in a potentially corrupted state.
Filesystem-related sysctls are used to close off classes of symlink and hardlink-based attacks against privileged processes. The
combination of ``fs.protected_symlinks=1``, ``fs.protected_hardlinks=1``, ``fs.protected_fifos=2`` and ``fs.protected_regular=2``
changes how the kernel resolves symbolic links, hardlinks, and special files in world-writable directories. Access is
constrained so that following such references across user boundaries or into attacker-controlled locations is significantly more
difficult. This is particularly relevant for services that operate within shared directories such as ``/tmp`` and that
historically have been exploitable through TOCTOU race conditions on links.
The networking section establishes a host profile that behaves explicitly as an end system, not as a router, and that is hostile
to in-band reconfiguration from the network. Source routing is disabled for both IPv4 and IPv6 through
``net.ipv4.conf.*.accept_source_route=0`` and ``net.ipv6.conf.*.accept_source_route=0``. Redirects are neither accepted nor sent,
using the cluster ``net.ipv4.conf.*.accept_redirects=0``, ``net.ipv4.conf.*.secure_redirects=0``, ``net.ipv6.conf.*.accept_redirects=0``,
and ``net.ipv4.conf.*.send_redirects=0``. Reverse path filtering is enabled with ``net.ipv4.conf.all.rp_filter=1`` and
``net.ipv4.conf.default.rp_filter=1``, which offers a basic defense against address spoofing. Logging of martian packets is
activated by ``net.ipv4.conf.*.log_martians=1``, so the system will record traffic with obviously bogus source addresses. IP
forwarding is forcibly disabled via ``net.ipv4.conf.all.forwarding=0``, reinforcing the assumption that these machines are not
supposed to forward traffic between interfaces.
On the IPv6 side, router advertisements are turned off by ``net.ipv6.conf.all.accept_ra=0`` and ``net.ipv6.conf.default.accept_ra=0``,
which means that global IPv6 addressing and routing information must be configured statically or via a trusted configuration
mechanism. ARP resilience is improved by setting ``net.ipv4.conf.all.arp_ignore=1`` and ``net.ipv4.conf.default.arp_ignore=1``, so
the kernel only replies to ARP requests that match the target IP address on the receiving interface; this shrinks the surface
for ARP spoofing and gratuitous replies. ICMP behavior is made highly conservative: ``net.ipv4.icmp_echo_ignore_all=1`` and
``net.ipv4.icmp_echo_ignore_broadcasts=1`` effectively suppress echo replies entirely and ignore directed broadcasts, which
hinders network scanning and mitigates certain amplification attacks at the cost of losing simple ``ping`` diagnostics.
Transport level settings are focused on resilience against SYN flood type denial of service and fingerprinting noise. The switch
``net.ipv4.tcp_syncookies=1`` activates SYN cookies, ``net.ipv4.tcp_rfc1337=1`` instructs the kernel to protect against time-wait
assassination, and ``net.ipv4.tcp_max_syn_backlog=4096`` enlarges the queue for half-open connections, so the system can sustain
more parallel handshake attempts before dropping them. ``net.ipv4.tcp_synack_retries=2`` it reduces the number of retransmissions for
SYN-ACK packets, which shortens the time wasted on unreachable peers and malicious scanners but can marginally penalize very
lossy networks. Finally, ``net.ipv4.tcp_timestamps=0`` disables TCP timestamps, which otherwise leak information about host uptime
and clock behavior and can be abused for subtle fingerprinting.
Beyond the active values, the module also documents several tunables that are intentionally left commented out. These include
sysctls for IO_uring disablement, performance event restrictions, memory overcommit policy, dirty page ratios, and swap
aggressiveness. Their presence turns the file into a compact reference of hardened defaults that the CISS ecosystem considers
defensible, while still leaving room for operator-specific adjustments when hardware constraints or workload characteristics
demand different trade-offs.
In terms of preconditions, the configuration assumes a Linux kernel new enough to understand the modern hardening knobs it
targets, and a deployment model where almost all required modules and capabilities are either built into the kernel or loaded
before sysctl application. It does not itself coordinate with the live boot or initramfs stages: instead, it defines the
steady-state behavior of a system that has already pivoted into its real root filesystem. Within the overall
**CISS.debian.live.builder** architecture, ``90-ciss-local.hardened`` therefore functions as the final, host level enforcement layer
that aligns runtime behavior with the hardened kernel command line and build time options defined elsewhere in the project,
closing off residual dynamic features and network behaviors that would otherwise remain available after boot.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
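Review bot: the paragraph on ``kernel.warn_limit=1`` and ``kernel.oops_limit=1`` claims that a single WARN, BUG or oops "will trigger a reboot cycle", but a kernel panic only reboots the machine when ``kernel.panic`` is set to a non-zero timeout; with the default ``kernel.panic=0`` the host hangs at the panic until someone power-cycles it. Either document the ``kernel.panic`` value the fragment relies on next to these two limits, or soften the claim to "will panic the kernel". Minor wording in the transport paragraph: "``net.ipv4.tcp_synack_retries=2`` it reduces the number of retransmissions" has a stray "it".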
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.536.2025.12.04<br>
**Build**: V8.13.544.2025.12.05<br>
# 2. ciss_live_builder.sh
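Review bot: the build string is hand-edited here (``V8.13.536.2025.12.04`` to ``V8.13.544.2025.12.05``) and the same literal is repeated in the header of the new ``90-ciss-local.hardened.md`` page in this commit, so every build bump touches each documentation page separately and the pages drift as soon as one is missed. Consider emitting the ``**Build**`` line from a single version source at documentation build time rather than committing it into each page.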