V8.02.768.2025.06.01

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-01 09:37:02 +02:00
parent b322a73154
commit 3c6a83fdb0
22 changed files with 116 additions and 46 deletions
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1024
-  version: V8.02.644.2025.05.31
+  version: V8.02.768.2025.06.01
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.02.644.2025.05.31"
+properties_version="V8.02.768.2025.06.01"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.02.644.2025.05.31
+PackageVersion: Master V8.02.768.2025.06.01
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.768.2025.06.01-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -131,7 +131,7 @@ Below is a breakdown of each hardening component, with a summary of why each is
 ### 2.1.1. Boot Parameters
-* **Description**: Customizes kernel command‑line flags to disable unused features and enable mitigations.
+* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
 * **Key Parameters**:
  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
@@ -171,12 +171,12 @@ Below is a breakdown of each hardening component, with a summary of why each is
 ### 2.1.2. CPU Vulnerability Mitigations
 * **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
-* **Rationale**: Prevents side‑channel attacks that exploit speculative execution, which remain a high‑risk vector in
+* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
-  multi‑tenant cloud environments.
+  multi-tenant cloud environments.
 ### 2.1.3. Kernel Self-Protection
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self‑protections.
+* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
 * **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
 ### 2.1.4. Local Kernel Hardening
@@ -210,14 +210,14 @@ apply or revert these controls.
 ## 2.2. Module Blacklisting
-* **Description**: Disables and blacklists non‑essential or insecure kernel modules.
+* **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 ## 2.3. Network Hardening
 * **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
  inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man‑in‑the‑middle on internal networks.
+* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
 ## 2.4. Core Dump & Kernel Hardening
@@ -234,7 +234,7 @@ apply or revert these controls.
 ## 2.6. Permissions & Authentication
 * **Description**: Sets strict directory and file permissions, integrates with PAM modules (e.g., `pam_faillock`).
-* **Rationale**: Enforces the principle of least privilege at file‑system level and strengthens authentication policies.
+* **Rationale**: Enforces the principle of least privilege at file-system level and strengthens authentication policies.
 ## 2.7. High-Security Baseline (Lynis Audit)
@@ -248,11 +248,11 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
  * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
  * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One‑Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
    that touches closed ports. 
    * Additionally, the `fail2ban` service is hardened as well according to:
    [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
-  * **SSH Ultra‑Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to 
+  * **SSH Ultra-Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to 
    [SSH Audit Guide Debian 12](https://www.ssh-audit.com/hardening_guides.html#debian_12):
    * `RekeyLimit 1G 1h`
    * `HostKey /etc/ssh/ssh_host_ed25519_key`
@@ -277,7 +277,7 @@ apply or revert these controls.
 ## 2.9. UFW Hardening
 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
-* **Rationale**: Implements a default‑deny firewall, reducing lateral movement and data exfiltration risks immediately after
+* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
  deployment.
 ## 2.10. Fail2Ban Enhancements
@@ -286,13 +286,13 @@ apply or revert these controls.
  * Bans any connection to a closed port for 24 hours
  * Automatically ignores designated bastion/jump host subnets
  * Hardened via `systemd` policy override to limit privileges of the Fail2Ban service itself
-* **Rationale**: Provides proactive defense against port scans and brute‑force attacks, while isolating the ban daemon in a
+* **Rationale**: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a
-  minimal‑privilege context.
+  minimal-privilege context.
 ## 2.11. NTPsec & Chrony
 * **Description**: Installs `chrony`, selects PTB NTPsec servers by default.
-* **Rationale**: Ensures tamper‑resistant time synchronization, which is essential for log integrity, certificate validation,
+* **Rationale**: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation,
  and forensic accuracy.
 # 3. Script Features & Rationale
@@ -379,9 +379,15 @@ predictable script behavior.
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
-2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements.
+2. Preparation:
   1. Ensure you are root.
   2. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   3. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   4. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
   ```yaml
   chmod 0700 ./ciss_live_builder.sh
   ./ciss_live_builder.sh --architecture amd64 \
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
@@ -396,16 +402,80 @@ predictable script behavior.
                          --ssh-port 4242 \
                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
   ```
-3. Locate your ISO in the `--build-directory`.
+4. Locate your ISO in the `--build-directory`.
-4. Boot from the ISO and login to the live image via the console, or the multi-layer secured coresecret SSH tunnel.
+5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
-5. Type `sysp` for the final kernel hardening features.
+6. Type `sysp` for the final kernel hardening features.
-6. Check the boot log with `jboot` and via `ssf` that all services are up.
+7. Check the boot log with `jboot` and via `ssf` that all services are up.
-7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
+8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
-8. Type `celp` for some shortcuts.
+9. Type `celp` for some shortcuts.
 # 5.2. CI/CD Gitea Runner Workflow Example
-1. tba
+1. Clone the repository:
   ```bash
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
 2. Edit the `.gitea/workflows/generate-iso.yaml` file according to your requirements. Ensure that the trigger file
   `.gitea/trigger/t_generate.iso.yaml` and the counter are updated. Change all the necessary `{{ secrets.VAR }}`.
   Push your commits to trigger the workflow. Then download your final ISO from the specified Location.
  ```yaml
  #...
      steps:
        - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
          run: |
            rm -rf ~/.ssh && mkdir -m700 ~/.ssh
            ### Private Key
            echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
            chmod 600 ~/.ssh/id_ed25519
  #...
        ### https://github.com/actions/checkout/issues/1843
        - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
          run: |
            git clone --branch "${GITHUB_REF_NAME}" ssh://git@CHANGE_ME .
  #...
        - name: Importing the 'CI PGP DEPLOY ONLY' key.
          run: |
            ### GPG-Home relative to the Runner Workspace to avoid changing global files.
            export GNUPGHOME="$(pwd)/.gnupg"
            mkdir -m700 "${GNUPGHOME}"
            echo "${{ secrets.CHANGE_ME }}" >| ci-bot.sec.asc
  #...
        - name: Configuring Git for signed CI/DEPLOY commits.
          run: |
            export GNUPGHOME="$(pwd)/.gnupg"
            git config user.name "CHANGE_ME"
            git config user.email "CHANGE_ME"
  #...
        - name: Preparing the build environment.
          run: |
            rm -rf opt/{config,livebuild}
            mkdir -p opt/{config,livebuild}
            echo "${{ secrets.CHANGE_ME }}" >| opt/config/password.txt
            echo "${{ secrets.CHANGE_ME }}" >| opt/config/authorized_keys
  #...
        - name: Starting CISS.debian.live.builder. This may take a while ...
          run: |
            chmod 0700 ciss_live_builder.sh && chown root:root ciss_live_builder.sh
            timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
            ### Change "--autobuild=" to the specific kernel version you need: '6.12.22+bpo-amd64'.
            ./ciss_live_builder.sh \
            --autobuild=CHANGE_ME \
            --architecture CHANGE_ME \
            --build-directory opt/livebuild \
            --control "${timestamp}" \
            --jump-host "${{ secrets.CHANGE_ME }}" \
            --renice-priority "-19" \
            --reionice-priority 1 2 \
            --root-password-file opt/config/password.txt \
            --ssh-port CHANGE_ME \
            --ssh-pubkey opt/config
  #...
        ### SKIP OR ADAPT ALL REMAINING STEPS
  ```
 # 6. Licensing & Compliance
@@ -415,7 +485,7 @@ standard for license expressions and metadata.
 # 7. Disclaimer
-This README is provided "as‑is" without any warranty. Review your organization's policies before deploying to production.
+This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -40,7 +40,7 @@
 declare -g VAR_HANDLER_AUTOBUILD="false"
 declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.02.644.2025.05.31"
+declare -gr VAR_VERSION="Master V8.02.768.2025.06.01"
 ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.02.644.2025.05.31
+### Version Master V8.02.768.2025.06.01
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.02.644.2025.05.31
+### Version Master V8.02.768.2025.06.01
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.02.644.2025.05.31"
+declare -gr VERSION="Master V8.02.768.2025.06.01"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.02.644.2025.05.31 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.02.768.2025.06.01 at: 10:18:37.9542
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # TBA
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. Contributors
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. Credits
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. Usage
 ````text
 CISS.debian.live.builder
-Master V8.02.644.2025.05.31
+Master V8.02.768.2025.06.01
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.644.2025.05.31<br>
+**Build**: V8.02.768.2025.06.01<br>
 # 2. Resources
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -18,7 +18,7 @@
 check_provider() {
  clear
  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.02.644.2025.05.31
+Build: Master V8.02.768.2025.06.01
 Press 'EXIT' to continue with CISS.debian.live.builder.
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -22,7 +22,7 @@ usage() {
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.02.644.2025.05.31\e[0m")
+$(echo -e "\e[92mMaster V8.02.768.2025.06.01\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.02.644.2025.05.31 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.02.768.2025.06.01 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh