V8.02.768.2025.06.01
All checks were successful
Retrieve the DNSSEC status at the time of updating the repository. / Retrieve the DNSSEC status at the time of updating the repository. (push) Successful in 32s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-01 09:37:02 +02:00
parent b322a73154
commit 3c6a83fdb0
22 changed files with 116 additions and 46 deletions

README.md

@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.768.2025.06.01-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
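Review bot: the release string `V8.02.768.2025.06.01` is hard-coded inside the badge URL here and repeated in the `**Build**:` line of the next hunk, so every release bump needs two coordinated edits of the README. Consider deriving the badge from the same source as the `**Build**:` line (the git tag or a single variable substituted at build time) so the two cannot drift apart.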
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.644.2025.05.31<br>
**Build**: V8.02.768.2025.06.01<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -131,7 +131,7 @@ Below is a breakdown of each hardening component, with a summary of why each is
### 2.1.1. Boot Parameters
* **Description**: Customizes kernel commandline flags to disable unused features and enable mitigations.
* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
* **Key Parameters**:
* `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
* `audit=1`: Enables kernel auditing from boot to record system calls and security events.
@@ -171,12 +171,12 @@ Below is a breakdown of each hardening component, with a summary of why each is
### 2.1.2. CPU Vulnerability Mitigations
* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
* **Rationale**: Prevents sidechannel attacks that exploit speculative execution, which remain a highrisk vector in
multitenant cloud environments.
* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
multi-tenant cloud environments.
### 2.1.3. Kernel Self-Protection
* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other selfprotections.
* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
### 2.1.4. Local Kernel Hardening
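Review bot: the Kernel Self-Protection rationale still reads "against unauthorized writings"; since this hunk already touches that bullet's description for hyphenation, the rationale should be corrected to "against unauthorized writes" in the same change.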
@@ -210,14 +210,14 @@ apply or revert these controls.
## 2.2. Module Blacklisting
* **Description**: Disables and blacklists nonessential or insecure kernel modules.
* **Description**: Disables and blacklists non-essential or insecure kernel modules.
* **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
## 2.3. Network Hardening
* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
inbound/outbound traffic behaviors.
* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of maninthemiddle on internal networks.
* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
## 2.4. Core Dump & Kernel Hardening
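Review bot: in the Network Hardening description, `net.ipv4.conf.all.rp_filter=1` is given with its value but `arp_ignore` and `arp_announce` are listed as bare key names; state the values the script actually sets for those two keys so a reader can check the applied sysctl against the ARP-spoofing rationale below it.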
@@ -234,7 +234,7 @@ apply or revert these controls.
## 2.6. Permissions & Authentication
* **Description**: Sets strict directory and file permissions, integrates with PAM modules (e.g., `pam_faillock`).
* **Rationale**: Enforces the principle of least privilege at filesystem level and strengthens authentication policies.
* **Rationale**: Enforces the principle of least privilege at file-system level and strengthens authentication policies.
## 2.7. High-Security Baseline (Lynis Audit)
@@ -248,11 +248,11 @@ apply or revert these controls.
* **Description**: The SSH tunnel and access are secured through multiple layers of defense:
* **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
* **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
* **OneHit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host
* **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host
that touches closed ports.
* Additionally, the `fail2ban` service is hardened as well according to:
[Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening)
* **SSH UltraHardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to
* **SSH Ultra-Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to
[SSH Audit Guide Debian 12](https://www.ssh-audit.com/hardening_guides.html#debian_12):
* `RekeyLimit 1G 1h`
* `HostKey /etc/ssh/ssh_host_ed25519_key`
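Review bot: the SSH Ultra-Hardening bullet points to `/etc/sshd_config`, while the `HostKey /etc/ssh/ssh_host_ed25519_key` entry two lines below lives under `/etc/ssh/`; if the daemon configuration is likewise under `/etc/ssh/`, correct the path so that readers reproducing the hardening by hand edit the file sshd actually reads.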
@@ -277,7 +277,7 @@ apply or revert these controls.
## 2.9. UFW Hardening
* **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
* **Rationale**: Implements a defaultdeny firewall, reducing lateral movement and data exfiltration risks immediately after
* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
deployment.
## 2.10. Fail2Ban Enhancements
@@ -286,13 +286,13 @@ apply or revert these controls.
* Bans any connection to a closed port for 24 hours
* Automatically ignores designated bastion/jump host subnets
* Hardened via `systemd` policy override to limit privileges of the Fail2Ban service itself
* **Rationale**: Provides proactive defense against port scans and bruteforce attacks, while isolating the ban daemon in a
minimalprivilege context.
* **Rationale**: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a
minimal-privilege context.
## 2.11. NTPsec & Chrony
* **Description**: Installs `chrony`, selects PTB NTPsec servers by default.
* **Rationale**: Ensures tamperresistant time synchronization, which is essential for log integrity, certificate validation,
* **Rationale**: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation,
and forensic accuracy.
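Review bot: the heading "NTPsec & Chrony" together with "Installs `chrony`, selects PTB NTPsec servers by default" leaves it unclear whether an NTPsec daemon is installed next to chrony or whether "NTPsec" only names the upstream server pool; one sentence stating which client is shipped and what "PTB NTPsec servers" refers to would also make it clear where the tamper resistance claimed in the rationale comes from.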
# 3. Script Features & Rationale
@@ -379,9 +379,15 @@ predictable script behavior.
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder
```
2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements.
2. Preparation:
1. Ensure you are root.
2. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
3. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
4. Make any other changes you need to.
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
```yaml
chmod 0700 ./ciss_live_builder.sh
./ciss_live_builder.sh --architecture amd64 \
--build-directory /opt/livebuild \
--change-splash hexagon \
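Review bot: the fence around `chmod 0700 ./ciss_live_builder.sh` and the `./ciss_live_builder.sh --architecture amd64 \` invocation is tagged ```yaml although it is a shell snippet; tag it ```bash like the clone block above. Preparation step 3 also places the root password in `password.txt` without saying how the file should be protected; a note to restrict it to the root user (for example `chmod 600`) would match the "Ensure you are root" step that precedes it.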
@@ -396,16 +402,80 @@ predictable script behavior.
--ssh-port 4242 \
--ssh-pubkey /opt/gitea/CISS.debian.live.builder
```
3. Locate your ISO in the `--build-directory`.
4. Boot from the ISO and login to the live image via the console, or the multi-layer secured coresecret SSH tunnel.
5. Type `sysp` for the final kernel hardening features.
6. Check the boot log with `jboot` and via `ssf` that all services are up.
7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
8. Type `celp` for some shortcuts.
4. Locate your ISO in the `--build-directory`.
5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
6. Type `sysp` for the final kernel hardening features.
7. Check the boot log with `jboot` and via `ssf` that all services are up.
8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
9. Type `celp` for some shortcuts.
# 5.2. CI/CD Gitea Runner Workflow Example
1. tba
1. Clone the repository:
```bash
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder
```
2. Edit the `.gitea/workflows/generate-iso.yaml` file according to your requirements. Ensure that the trigger file
`.gitea/trigger/t_generate.iso.yaml` and the counter are updated. Change all the necessary `{{ secrets.VAR }}`.
Push your commits to trigger the workflow. Then download your final ISO from the specified Location.
```yaml
#...
steps:
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
#...
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@CHANGE_ME .
#...
- name: Importing the 'CI PGP DEPLOY ONLY' key.
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m700 "${GNUPGHOME}"
echo "${{ secrets.CHANGE_ME }}" >| ci-bot.sec.asc
#...
- name: Configuring Git for signed CI/DEPLOY commits.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "CHANGE_ME"
git config user.email "CHANGE_ME"
#...
- name: Preparing the build environment.
run: |
rm -rf opt/{config,livebuild}
mkdir -p opt/{config,livebuild}
echo "${{ secrets.CHANGE_ME }}" >| opt/config/password.txt
echo "${{ secrets.CHANGE_ME }}" >| opt/config/authorized_keys
#...
- name: Starting CISS.debian.live.builder. This may take a while ...
run: |
chmod 0700 ciss_live_builder.sh && chown root:root ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
### Change "--autobuild=" to the specific kernel version you need: '6.12.22+bpo-amd64'.
./ciss_live_builder.sh \
--autobuild=CHANGE_ME \
--architecture CHANGE_ME \
--build-directory opt/livebuild \
--control "${timestamp}" \
--jump-host "${{ secrets.CHANGE_ME }}" \
--renice-priority "-19" \
--reionice-priority 1 2 \
--root-password-file opt/config/password.txt \
--ssh-port CHANGE_ME \
--ssh-pubkey opt/config
#...
### SKIP OR ADAPT ALL REMAINING STEPS
```
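Review bot: the deploy-key step writes the secret with `echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519` and only afterwards runs `chmod 600 ~/.ssh/id_ed25519`, so the key briefly exists with the runner's default umask; set `umask 077` at the top of the `run:` block (or create the file with mode 600 before writing into it) and apply the same treatment to `ci-bot.sec.asc`, `opt/config/password.txt` and `opt/config/authorized_keys`, which receive no chmod at all. In the prose above the YAML, `{{ secrets.VAR }}` is missing the leading `$` that the workflow syntax uses (`${{ secrets.CHANGE_ME }}`), and "Location" should be lower-case.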
# 6. Licensing & Compliance
@@ -415,7 +485,7 @@ standard for license expressions and metadata.
# 7. Disclaimer
This README is provided "asis" without any warranty. Review your organization's policies before deploying to production.
This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**