msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.02.768.2025.06.01
All checks were successful
Retrieve the DNSSEC status at the time of updating the repository. / Retrieve the DNSSEC status at the time of updating the repository. (push) Successful in 32s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-01 09:37:02 +02:00
parent b322a73154
commit 3c6a83fdb0
22 changed files with 116 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitea/trigger/t_generate_dns.yaml
View File

@@ -11,5 +11,5 @@
build:
counter: 1024
version: V8.02.644.2025.05.31
version: V8.02.768.2025.06.01
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.version.properties
View File

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.02.644.2025.05.31"
properties_version="V8.02.768.2025.06.01"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

2
CISS.debian.live.builder.spdx
View File

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
PackageVersion: Master V8.02.644.2025.05.31
PackageVersion: Master V8.02.768.2025.06.01
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

118
README.md
View File

@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.768.2025.06.01-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -131,7 +131,7 @@ Below is a breakdown of each hardening component, with a summary of why each is
### 2.1.1. Boot Parameters
* **Description**: Customizes kernel commandline flags to disable unused features and enable mitigations.
* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
* **Key Parameters**:
* `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
* `audit=1`: Enables kernel auditing from boot to record system calls and security events.
@@ -171,12 +171,12 @@ Below is a breakdown of each hardening component, with a summary of why each is
### 2.1.2. CPU Vulnerability Mitigations
* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
* **Rationale**: Prevents sidechannel attacks that exploit speculative execution, which remain a highrisk vector in
multitenant cloud environments.
* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
multi-tenant cloud environments.
### 2.1.3. Kernel Self-Protection
* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other selfprotections.
* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
### 2.1.4. Local Kernel Hardening
@@ -210,14 +210,14 @@ apply or revert these controls.
## 2.2. Module Blacklisting
* **Description**: Disables and blacklists nonessential or insecure kernel modules.
* **Description**: Disables and blacklists non-essential or insecure kernel modules.
* **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
## 2.3. Network Hardening
* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
inbound/outbound traffic behaviors.
* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of maninthemiddle on internal networks.
* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
## 2.4. Core Dump & Kernel Hardening
@@ -234,7 +234,7 @@ apply or revert these controls.
## 2.6. Permissions & Authentication
* **Description**: Sets strict directory and file permissions, integrates with PAM modules (e.g., `pam_faillock`).
* **Rationale**: Enforces the principle of least privilege at filesystem level and strengthens authentication policies.
* **Rationale**: Enforces the principle of least privilege at file-system level and strengthens authentication policies.
## 2.7. High-Security Baseline (Lynis Audit)
@@ -248,11 +248,11 @@ apply or revert these controls.
* **Description**: The SSH tunnel and access are secured through multiple layers of defense:
* **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
* **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
* **OneHit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host
* **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host
that touches closed ports.
* Additionally, the `fail2ban` service is hardened as well according to:
[Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening)
* **SSH UltraHardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to
* **SSH Ultra-Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to
[SSH Audit Guide Debian 12](https://www.ssh-audit.com/hardening_guides.html#debian_12):
* `RekeyLimit 1G 1h`
* `HostKey /etc/ssh/ssh_host_ed25519_key`
@@ -277,7 +277,7 @@ apply or revert these controls.
## 2.9. UFW Hardening
* **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
* **Rationale**: Implements a defaultdeny firewall, reducing lateral movement and data exfiltration risks immediately after
* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
deployment.
## 2.10. Fail2Ban Enhancements
@@ -286,13 +286,13 @@ apply or revert these controls.
* Bans any connection to a closed port for 24 hours
* Automatically ignores designated bastion/jump host subnets
* Hardened via `systemd` policy override to limit privileges of the Fail2Ban service itself
* **Rationale**: Provides proactive defense against port scans and bruteforce attacks, while isolating the ban daemon in a
minimalprivilege context.
* **Rationale**: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a
minimal-privilege context.
## 2.11. NTPsec & Chrony
* **Description**: Installs `chrony`, selects PTB NTPsec servers by default.
* **Rationale**: Ensures tamperresistant time synchronization, which is essential for log integrity, certificate validation,
* **Rationale**: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation,
and forensic accuracy.
# 3. Script Features & Rationale
@@ -379,9 +379,15 @@ predictable script behavior.
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder
```
2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements.
2. Preparation:
1. Ensure you are root.
2. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
3. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
4. Make any other changes you need to.
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
```yaml
chmod 0700 ./ciss_live_builder.sh
./ciss_live_builder.sh --architecture amd64 \
--build-directory /opt/livebuild \
--change-splash hexagon \
@@ -396,16 +402,80 @@ predictable script behavior.
--ssh-port 4242 \
--ssh-pubkey /opt/gitea/CISS.debian.live.builder
```
3. Locate your ISO in the `--build-directory`.
4. Boot from the ISO and login to the live image via the console, or the multi-layer secured coresecret SSH tunnel.
5. Type `sysp` for the final kernel hardening features.
6. Check the boot log with `jboot` and via `ssf` that all services are up.
7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
8. Type `celp` for some shortcuts.
4. Locate your ISO in the `--build-directory`.
5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
6. Type `sysp` for the final kernel hardening features.
7. Check the boot log with `jboot` and via `ssf` that all services are up.
8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
9. Type `celp` for some shortcuts.
# 5.2. CI/CD Gitea Runner Workflow Example
1. tba
1. Clone the repository:
```bash
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder
```
2. Edit the `.gitea/workflows/generate-iso.yaml` file according to your requirements. Ensure that the trigger file
`.gitea/trigger/t_generate.iso.yaml` and the counter are updated. Change all the necessary `{{ secrets.VAR }}`.
Push your commits to trigger the workflow. Then download your final ISO from the specified Location.
```yaml
#...
steps:
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
#...
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@CHANGE_ME .
#...
- name: Importing the 'CI PGP DEPLOY ONLY' key.
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m700 "${GNUPGHOME}"
echo "${{ secrets.CHANGE_ME }}" >| ci-bot.sec.asc
#...
- name: Configuring Git for signed CI/DEPLOY commits.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "CHANGE_ME"
git config user.email "CHANGE_ME"
#...
- name: Preparing the build environment.
run: |
rm -rf opt/{config,livebuild}
mkdir -p opt/{config,livebuild}
echo "${{ secrets.CHANGE_ME }}" >| opt/config/password.txt
echo "${{ secrets.CHANGE_ME }}" >| opt/config/authorized_keys
#...
- name: Starting CISS.debian.live.builder. This may take a while ...
run: |
chmod 0700 ciss_live_builder.sh && chown root:root ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
### Change "--autobuild=" to the specific kernel version you need: '6.12.22+bpo-amd64'.
./ciss_live_builder.sh \
--autobuild=CHANGE_ME \
--architecture CHANGE_ME \
--build-directory opt/livebuild \
--control "${timestamp}" \
--jump-host "${{ secrets.CHANGE_ME }}" \
--renice-priority "-19" \
--reionice-priority 1 2 \
--root-password-file opt/config/password.txt \
--ssh-port CHANGE_ME \
--ssh-pubkey opt/config
#...
### SKIP OR ADAPT ALL REMAINING STEPS
```
# 6. Licensing & Compliance
@@ -415,7 +485,7 @@ standard for license expressions and metadata.
# 7. Disclaimer
This README is provided "asis" without any warranty. Review your organization's policies before deploying to production.
This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

2
ciss_live_builder.sh
View File

@@ -40,7 +40,7 @@
declare -g VAR_HANDLER_AUTOBUILD="false"
declare -gr VAR_CONTACT="security@coresecret.eu"
declare -gr VAR_VERSION="Master V8.02.644.2025.05.31"
declare -gr VAR_VERSION="Master V8.02.768.2025.06.01"
### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
declare arg

2
config/includes.chroot/etc/ssh/sshd_config
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.644.2025.05.31
### Version Master V8.02.768.2025.06.01
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

2
config/includes.chroot/etc/sysctl.d/99_local.hardened
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.644.2025.05.31
### Version Master V8.02.768.2025.06.01
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/

2
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.02.644.2025.05.31"
declare -gr VERSION="Master V8.02.768.2025.06.01"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then

2
config/includes.chroot/preseed/preseed.cfg
View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.02.644.2025.05.31 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V8.02.768.2025.06.01 at: 10:18:37.9542

2
docs/AUDIT_DNSSEC.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. DNSSEC Status

2
docs/AUDIT_HAVEGED.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. Haveged Audit on Netcup RS 2000 G11

2
docs/AUDIT_LYNIS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. Lynis Audit:

2
docs/AUDIT_SSH.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. SSH Audit by ssh-audit.com

2
docs/CHANGELOG.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# TBA

2
docs/CODING_CONVENTION.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. Coding Style

2
docs/CONTRIBUTING.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. Contributors

2
docs/CREDITS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. Credits

4
docs/DOCUMENTATION.md
View File

@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. Usage
````text
CISS.debian.live.builder
Master V8.02.644.2025.05.31
Master V8.02.768.2025.06.01
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025

2
docs/REFERENCES.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
# 2. Resources

2
lib/lib_check_provider.sh
View File

@@ -18,7 +18,7 @@
check_provider() {
clear
cat << 'EOF' >| "${VAR_NOTES}"
Build: Master V8.02.644.2025.05.31
Build: Master V8.02.768.2025.06.01
Press 'EXIT' to continue with CISS.debian.live.builder.

2
lib/lib_usage.sh
View File

@@ -22,7 +22,7 @@ usage() {
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.02.644.2025.05.31\e[0m")
$(echo -e "\e[92mMaster V8.02.768.2025.06.01\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")

2
scripts/9000-cdi-starter
View File

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
# sleep 1
[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
printf "CISS.debian.installer Master V8.02.644.2025.05.31 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
printf "CISS.debian.installer Master V8.02.768.2025.06.01 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh