From 328c58335b912496ebfa3c2aa84c12f8948a2ada8889b2e3b73c336addf8c047 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Thu, 5 Jun 2025 20:18:30 +0200 Subject: [PATCH] V8.03.400.2025.06.05 Signed-off-by: Marc S. Weidner --- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../generate_PRIVATE_iso_flavour_0.yaml | 106 +++++++++++++++++- .../generate_PRIVATE_iso_flavour_1.yaml | 106 +++++++++++++++++- .gitea/workflows/generate_PUBLIC_iso.yaml | 106 +++++++++++++++++- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 4 +- ciss_live_builder.sh | 2 +- config/hooks/live/9994_password_policy.chroot | 4 +- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/99_local.hardened | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/CHANGELOG.md | 7 +- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 4 +- docs/REFERENCES.md | 2 +- lib/lib_check_provider.sh | 2 +- lib/lib_usage.sh | 2 +- scripts/9000-cdi-starter | 2 +- 33 files changed, 350 insertions(+), 39 deletions(-) diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index f38c0ba..aa26208 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -27,7 +27,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.03.384.2025.06.03" + placeholder: "e.g., Master V8.03.400.2025.06.05" validations: required: true 
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 0a55846..fba6e69 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 name: Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 001d661..28f5f21 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.03.384.2025.06.03 + version: V8.03.400.2025.06.05 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml index cab5b7f..25a84fb 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 name: Generating a Private Live ISO FLV 0. @@ -30,7 +30,7 @@ jobs: ### Run all steps inside Debian Bookworm container: - image: debian:trixie + image: debian:bookworm steps: - name: ๐Ÿ› ๏ธ Basic Image Setup and enable Bookworm Backports. 
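Review bot: The new `image: debian:bookworm` in the `@@ -30,7 +30,7 @@` hunk is a floating tag, so each run resolves to whatever the registry currently serves for bookworm and the build is not reproducible against the version string this commit pins everywhere else; pin the base image by digest, e.g. `image: debian:bookworm@sha256:<digest of the verified bookworm image>` (placeholder), and bump that digest deliberately. The same one-line change appears in generate_PRIVATE_iso_flavour_1.yaml and generate_PUBLIC_iso.yaml. The comment directly above already says "Bookworm container", so the tag change itself only resolves a comment/code mismatch.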
@@ -62,6 +62,108 @@ jobs: wget \ whois + - name: ๐Ÿ› ๏ธ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5. + shell: bash + run: | + urls=( + "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2" + "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2" + ) + + for url in "${urls[@]}"; do + archive_name="${url##*/}" + pkg_name="${archive_name%.tar.bz2}" + echo "๐Ÿ”„ Processing ${pkg_name}" + if [[ ! -f "${archive_name}" ]]; then + echo "๐Ÿ“ฅ Downloading: '${archive_name}'." + if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then + echo "โœ… Download successful: '${archive_name}'." + else + echo "โŒ Download NOT successful: '${archive_name}'." + exit 1 + fi + else + echo "โ„น๏ธ Skipping download, package already exists: '${archive_name}'." + fi + + if [[ ! -d "${pkg_name}" ]]; then + echo "๐Ÿ“‚ Extracting: '${archive_name}'." + if tar -xjf "${archive_name}"; then + echo "โœ… Extraction successful: '${archive_name}'." + else + echo "โŒ Extraction not successful: '${archive_name}'." + exit 1 + fi + else + echo "โ„น๏ธ Skipping directory, already exists: '${pkg_name}'." + fi + + echo "๐Ÿ—๏ธ Build and install the package: '${pkg_name}'." + cd "${pkg_name}" || { echo "โŒ Could not change to '${pkg_name}'."; exit 1; } + mkdir -p build + cd build || { echo "โŒ Could not change to '/build'."; exit 1; } + + sudo ../configure > /dev/null 2>&1 || { echo "โŒ '../configure' NOT successful for '${pkg_name}'."; exit 1; } + make > /dev/null 2>&1 || { echo "โŒ 'make' NOT successful for '${pkg_name}'."; exit 1; } + sudo make install > /dev/null 2>&1 || { echo "โŒ 'make install' NOT successful for '${pkg_name}'."; exit 1; } + + cd ../.. 
|| { echo "โŒ Could not change to '../..'."; exit 1; } + + rm -f "${archive_name}"; \ + echo "โœ… Removed archive: '${pkg_name}'." + rm -fr "${pkg_name}"; \ + echo "โœ… Removed build artifacts: '${pkg_name}'." + echo "โœ… Successful build and installation of '${pkg_name}'." + echo "-------------------------------------------------------------------------------------" + + done + + echo "โœ… All packages were built and installed successfully." + + mv_bin=( + "/usr/bin/gpg" + "/usr/bin/gpg-agent" + "/usr/bin/gpgconf" + "/usr/bin/gpg-connect-agent" + "/usr/bin/gpg-wks-client" + "/usr/bin/gpg-preset-passphrase" + ) + + for bin in "${mv_bin[@]}"; do + name="${bin##*/}" + if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then + if mv "${bin}" "${bin}.debian-backup"; then + echo "โœ… Moved successfully: '${bin}'." + else + echo "โŒ Moved NOT successfully: '${bin}'." + fi + else + echo "โ„น๏ธ Does not exist as build binary: '${bin}'." + fi + done + + for bin in "${mv_bin[@]}"; do + name="${bin##*/}" + if [[ -f "/usr/local/bin/${name}" ]]; then + if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then + echo "โœ… 'update-alternatives' successfully: '${bin}'." + else + echo "โŒ 'update-alternatives' NOT successfully: '${bin}'." + fi + else + echo "โ„น๏ธ Does not exist: '/usr/local/bin/${name}'." + fi + done + + sudo ldconfig + + gpgconf --kill all + /usr/local/bin/gpg-agent --daemon + - name: โš™๏ธ Check GnuPG Version. shell: bash run: | diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml index afa8683..670b157 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 name: Generating a Private Live ISO FLV 1. 
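Review bot: The six tarballs fetched in the `for url in "${urls[@]}"` loop are downloaded with `wget`, extracted, configured and installed as root without any integrity check, and the result then replaces the distribution's gpg through update-alternatives, so the trust of everything this pipeline later signs or verifies rests on whatever the mirror served at run time. GnuPG publishes a SHA-256 for every release; pin those digests next to the URLs and verify before `tar -xjf` (sketch below, digests left as labelled placeholders to be filled from the release announcements). Because the `if [[ ! -f "${archive_name}" ]]` branch silently reuses an archive that already exists, the check has to sit after that branch so a stale or tampered cached file is caught as well. The identical step is added to generate_PRIVATE_iso_flavour_1.yaml and generate_PUBLIC_iso.yaml and needs the same change; a shared script or composite action would avoid keeping three copies in sync.
```bash
# … unchanged: urls=( … ) …
# Pinned SHA-256 digests, same order as urls[]; placeholders to be
# filled from the GnuPG release announcements, not real values.
sha256s=(
  "<SHA256 of npth-1.8.tar.bz2>"
  "<SHA256 of libgpg-error-1.55.tar.bz2>"
  "<SHA256 of libgcrypt-1.11.1.tar.bz2>"
  "<SHA256 of libksba-1.6.7.tar.bz2>"
  "<SHA256 of libassuan-3.0.2.tar.bz2>"
  "<SHA256 of gnupg-2.4.8.tar.bz2>"
)

for i in "${!urls[@]}"; do
  url="${urls[$i]}"
  archive_name="${url##*/}"
  pkg_name="${archive_name%.tar.bz2}"
  # … unchanged: download-or-skip block …
  if ! printf '%s  %s\n' "${sha256s[$i]}" "${archive_name}" | sha256sum -c --status; then
    echo "Checksum mismatch, refusing to build: '${archive_name}'."
    rm -f "${archive_name}"
    exit 1
  fi
  # … unchanged: extract / configure / make / make install / cleanup …
done
```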
@@ -30,7 +30,7 @@ jobs: ### Run all steps inside Debian Bookworm container: - image: debian:trixie + image: debian:bookworm steps: - name: ๐Ÿ› ๏ธ Basic Image Setup and enable Bookworm Backports. 
@@ -62,6 +62,108 @@ jobs: wget \ whois + - name: ๐Ÿ› ๏ธ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5. + shell: bash + run: | + urls=( + "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2" + "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2" + ) + + for url in "${urls[@]}"; do + archive_name="${url##*/}" + pkg_name="${archive_name%.tar.bz2}" + echo "๐Ÿ”„ Processing ${pkg_name}" + if [[ ! -f "${archive_name}" ]]; then + echo "๐Ÿ“ฅ Downloading: '${archive_name}'." + if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then + echo "โœ… Download successful: '${archive_name}'." + else + echo "โŒ Download NOT successful: '${archive_name}'." + exit 1 + fi + else + echo "โ„น๏ธ Skipping download, package already exists: '${archive_name}'." + fi + + if [[ ! -d "${pkg_name}" ]]; then + echo "๐Ÿ“‚ Extracting: '${archive_name}'." + if tar -xjf "${archive_name}"; then + echo "โœ… Extraction successful: '${archive_name}'." + else + echo "โŒ Extraction not successful: '${archive_name}'." + exit 1 + fi + else + echo "โ„น๏ธ Skipping directory, already exists: '${pkg_name}'." + fi + + echo "๐Ÿ—๏ธ Build and install the package: '${pkg_name}'." + cd "${pkg_name}" || { echo "โŒ Could not change to '${pkg_name}'."; exit 1; } + mkdir -p build + cd build || { echo "โŒ Could not change to '/build'."; exit 1; } + + sudo ../configure > /dev/null 2>&1 || { echo "โŒ '../configure' NOT successful for '${pkg_name}'."; exit 1; } + make > /dev/null 2>&1 || { echo "โŒ 'make' NOT successful for '${pkg_name}'."; exit 1; } + sudo make install > /dev/null 2>&1 || { echo "โŒ 'make install' NOT successful for '${pkg_name}'."; exit 1; } + + cd ../.. 
|| { echo "โŒ Could not change to '../..'."; exit 1; } + + rm -f "${archive_name}"; \ + echo "โœ… Removed archive: '${pkg_name}'." + rm -fr "${pkg_name}"; \ + echo "โœ… Removed build artifacts: '${pkg_name}'." + echo "โœ… Successful build and installation of '${pkg_name}'." + echo "-------------------------------------------------------------------------------------" + + done + + echo "โœ… All packages were built and installed successfully." + + mv_bin=( + "/usr/bin/gpg" + "/usr/bin/gpg-agent" + "/usr/bin/gpgconf" + "/usr/bin/gpg-connect-agent" + "/usr/bin/gpg-wks-client" + "/usr/bin/gpg-preset-passphrase" + ) + + for bin in "${mv_bin[@]}"; do + name="${bin##*/}" + if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then + if mv "${bin}" "${bin}.debian-backup"; then + echo "โœ… Moved successfully: '${bin}'." + else + echo "โŒ Moved NOT successfully: '${bin}'." + fi + else + echo "โ„น๏ธ Does not exist as build binary: '${bin}'." + fi + done + + for bin in "${mv_bin[@]}"; do + name="${bin##*/}" + if [[ -f "/usr/local/bin/${name}" ]]; then + if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then + echo "โœ… 'update-alternatives' successfully: '${bin}'." + else + echo "โŒ 'update-alternatives' NOT successfully: '${bin}'." + fi + else + echo "โ„น๏ธ Does not exist: '/usr/local/bin/${name}'." + fi + done + + sudo ldconfig + + gpgconf --kill all + /usr/local/bin/gpg-agent --daemon + - name: โš™๏ธ Check GnuPG Version. shell: bash run: | diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 55604dd..eac62cd 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 name: Generating a PUBLIC Live ISO. 
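Review bot: `sudo ../configure` runs the configure step as root while the following `make` runs as the invoking user, so if the job user is not root the root-owned build tree makes `make` fail to write its objects, and if it is root the `sudo` is redundant; keep privilege on the install line only and change it to `../configure > /dev/null 2>&1 || { …; exit 1; }` with the `sudo` removed. Six packages are also built serially with a bare `make`; `make -j"$(nproc)" > /dev/null 2>&1 || { …; exit 1; }` is the usual choice here. This is the same step as in generate_PRIVATE_iso_flavour_0.yaml and generate_PUBLIC_iso.yaml.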
@@ -30,7 +30,7 @@ jobs: ### Run all steps inside Debian Bookworm container: - image: debian:trixie + image: debian:bookworm steps: - name: ๐Ÿ› ๏ธ Basic Image Setup and enable Bookworm Backports. 
@@ -62,6 +62,108 @@ jobs: wget \ whois + - name: ๐Ÿ› ๏ธ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5. + shell: bash + run: | + urls=( + "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2" + "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2" + "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2" + ) + + for url in "${urls[@]}"; do + archive_name="${url##*/}" + pkg_name="${archive_name%.tar.bz2}" + echo "๐Ÿ”„ Processing ${pkg_name}" + if [[ ! -f "${archive_name}" ]]; then + echo "๐Ÿ“ฅ Downloading: '${archive_name}'." + if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then + echo "โœ… Download successful: '${archive_name}'." + else + echo "โŒ Download NOT successful: '${archive_name}'." + exit 1 + fi + else + echo "โ„น๏ธ Skipping download, package already exists: '${archive_name}'." + fi + + if [[ ! -d "${pkg_name}" ]]; then + echo "๐Ÿ“‚ Extracting: '${archive_name}'." + if tar -xjf "${archive_name}"; then + echo "โœ… Extraction successful: '${archive_name}'." + else + echo "โŒ Extraction not successful: '${archive_name}'." + exit 1 + fi + else + echo "โ„น๏ธ Skipping directory, already exists: '${pkg_name}'." + fi + + echo "๐Ÿ—๏ธ Build and install the package: '${pkg_name}'." + cd "${pkg_name}" || { echo "โŒ Could not change to '${pkg_name}'."; exit 1; } + mkdir -p build + cd build || { echo "โŒ Could not change to '/build'."; exit 1; } + + sudo ../configure > /dev/null 2>&1 || { echo "โŒ '../configure' NOT successful for '${pkg_name}'."; exit 1; } + make > /dev/null 2>&1 || { echo "โŒ 'make' NOT successful for '${pkg_name}'."; exit 1; } + sudo make install > /dev/null 2>&1 || { echo "โŒ 'make install' NOT successful for '${pkg_name}'."; exit 1; } + + cd ../.. 
|| { echo "โŒ Could not change to '../..'."; exit 1; } + + rm -f "${archive_name}"; \ + echo "โœ… Removed archive: '${pkg_name}'." + rm -fr "${pkg_name}"; \ + echo "โœ… Removed build artifacts: '${pkg_name}'." + echo "โœ… Successful build and installation of '${pkg_name}'." + echo "-------------------------------------------------------------------------------------" + + done + + echo "โœ… All packages were built and installed successfully." + + mv_bin=( + "/usr/bin/gpg" + "/usr/bin/gpg-agent" + "/usr/bin/gpgconf" + "/usr/bin/gpg-connect-agent" + "/usr/bin/gpg-wks-client" + "/usr/bin/gpg-preset-passphrase" + ) + + for bin in "${mv_bin[@]}"; do + name="${bin##*/}" + if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then + if mv "${bin}" "${bin}.debian-backup"; then + echo "โœ… Moved successfully: '${bin}'." + else + echo "โŒ Moved NOT successfully: '${bin}'." + fi + else + echo "โ„น๏ธ Does not exist as build binary: '${bin}'." + fi + done + + for bin in "${mv_bin[@]}"; do + name="${bin##*/}" + if [[ -f "/usr/local/bin/${name}" ]]; then + if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then + echo "โœ… 'update-alternatives' successfully: '${bin}'." + else + echo "โŒ 'update-alternatives' NOT successfully: '${bin}'." + fi + else + echo "โ„น๏ธ Does not exist: '/usr/local/bin/${name}'." + fi + done + + sudo ldconfig + + gpgconf --kill all + /usr/local/bin/gpg-agent --daemon + - name: โš™๏ธ Check GnuPG Version. shell: bash run: | diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index a3b8c5a..a8267ad 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 name: Retrieve DNSSEC status of coresecret.dev. 
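Review bot: `rm -f "${archive_name}"; \` followed by `echo "… Removed archive …"` (and the same pair for `rm -fr "${pkg_name}"`) prints the success message whether or not the removal worked, because `;` does not test the exit status and the trailing backslash only joins the two lines; write `rm -f "${archive_name}" && echo "… Removed archive: '${pkg_name}'."` so the message reflects the result. Separately, `wget`, `../configure`, `make` and `make install` all send both stdout and stderr to /dev/null, so when one of them fails the job log contains only "NOT successful" and nothing to diagnose; redirecting each to `"${pkg_name}.log"` and printing that file in the failure branch keeps the output quiet on success and useful on failure. The same step exists in generate_PRIVATE_iso_flavour_0.yaml and generate_PRIVATE_iso_flavour_1.yaml.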
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index d3e681c..3b66604 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 name: Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index 07c51f4..24c6024 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.03.384.2025.06.03" +properties_version="V8.03.400.2025.06.05" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \ No newline at end of file diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 5dddb0e..9f2c3f1 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.03.384.2025.06.03 +PackageVersion: Master V8.03.400.2025.06.05 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 62b851d..4ba02d4 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.384.2025.06.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.400.2025.06.05-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index 5bc27da..38797de 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -40,7 +40,7 @@ declare -g VAR_HANDLER_AUTOBUILD="false" declare -gr VAR_CONTACT="security@coresecret.eu" -declare -gr VAR_VERSION="Master V8.03.384.2025.06.03" +declare -gr VAR_VERSION="Master V8.03.400.2025.06.05" ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING declare arg diff --git a/config/hooks/live/9994_password_policy.chroot b/config/hooks/live/9994_password_policy.chroot index 9b8fe3c..b6ecf3c 100644 --- a/config/hooks/live/9994_password_policy.chroot +++ b/config/hooks/live/9994_password_policy.chroot @@ -83,12 +83,12 @@ minlen = 20 ### The maximum number of allowed consecutive same characters in the new password. ### The check is disabled if the value is 0. -maxrepeat = 2 +maxrepeat = 3 ### The maximum number of allowed consecutive characters of the same class in the ### new password. ### The check is disabled if the value is 0. -maxclassrepeat = 4 +maxclassrepeat = 0 ### Whether to check for the words from the passwd entry GECOS string of the user. ### The check is enabled if the value is not 0. diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index add85f9..0f8947b 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config 
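Review bot: The `maxclassrepeat = 0` line in the 9994_password_policy.chroot hunk disables that pwquality check entirely (the comment two lines above it states that 0 turns it off) and `maxrepeat = 3` loosens the other one, which relaxes the password policy of a hardened image, yet the CHANGELOG entry in this same commit lists only the image change and the GnuPG build. If the relaxation is deliberate, record the reason next to the value, e.g. `### Disabled in V8.03.400: <reason>`, and add a CHANGELOG line, so the next audit does not read it as an accidental regression. The enclosing block of the hook script starts and ends outside the hunk.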
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index a5c4658..9192e7a 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.384.2025.06.03 +### Version Master V8.03.400.2025.06.05 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index a3dd9b9..0fad2da 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.03.384.2025.06.03" +declare -gr VERSION="Master V8.03.400.2025.06.05" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index e14fefa..ea588af 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg 
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.03.384.2025.06.03 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.03.400.2025.06.05 at: 10:18:37.9542 diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index c04ca2b..e25f8f1 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 4ce6343..b049363 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 2433c36..97eb350 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index f501599..714405d 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 86e187e..92544e6 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. TLS Audit: diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index ef9a2f0..91b97dc 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,15 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Changelog +## V8.03.400.2025.06.05 + +* The workflow image was changed to ``debian:bookworm``. +* Added a LIVE ISO workflow routine to build GnuPG from sources, since Bookworm GPG does not recognize key format 5. + --- **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** diff --git a/docs/CNET.md b/docs/CNET.md index 6d390c4..d828f18 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 573872d..c9edf35 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 3b10c77..3e1f189 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 684a71f..a05be69 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 19be779..0b6161b 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 11017b1..5609490 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,12 +8,12 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Usage ````text CISS.debian.live.builder -Master V8.03.384.2025.06.03 +Master V8.03.400.2025.06.05 (c) Marc S. Weidner, 2018 - 2025 (p) Centurion Press, 2024 - 2025 diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 176d7c1..2e0e03e 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.384.2025.06.03
+**Build**: V8.03.400.2025.06.05
# 2. Resources diff --git a/lib/lib_check_provider.sh b/lib/lib_check_provider.sh index 513a3c1..4262a7c 100644 --- a/lib/lib_check_provider.sh +++ b/lib/lib_check_provider.sh @@ -18,7 +18,7 @@ check_provider() { clear cat << 'EOF' >| "${VAR_NOTES}" -Build: Master V8.03.384.2025.06.03 +Build: Master V8.03.400.2025.06.05 Press 'EXIT' to continue with CISS.debian.live.builder. diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index e89da5b..d0488ee 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -22,7 +22,7 @@ usage() { cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.03.384.2025.06.03\e[0m") +$(echo -e "\e[92mMaster V8.03.400.2025.06.05\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m") diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter index c8e73b0..ecf1be5 100644 --- a/scripts/9000-cdi-starter +++ b/scripts/9000-cdi-starter @@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " # sleep 1 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log -printf "CISS.debian.installer Master V8.03.384.2025.06.03 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log +printf "CISS.debian.installer Master V8.03.400.2025.06.05 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh