From 3ee781bc2b49a1ae65f474db65dd789c1e956bebecf7c33322b0458a78f73770 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Tue, 12 Aug 2025 09:32:11 +0200
Subject: [PATCH] V8.04.002.2025.08.11
Signed-off-by: Marc S. Weidner
---
 config/hooks/live/9996_auditd.chroot | 13 +++++++++----
 config/hooks/live/9998_sources_list_trixie.chroot | 2 +-
 config/templates/sources.list.binary | 15 +++++++++++++++
 config/templates/sources.list.chroot | 15 +++++++++++++++
 4 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 config/templates/sources.list.binary
 create mode 100644 config/templates/sources.list.chroot
diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot
index 0389da4..2b82d8b 100644
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -53,10 +53,15 @@ cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## is a first match wins system. Uncomment the rules you want.
 ## Cron jobs fill the logs with stuff we normally don't want
--a never,user -F subj_type=crond_t
+-a never,user
 ## This prevents chrony from overwhelming the logs
--a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
+-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
+
+## Human-attributable time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
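Review bot: `+-a never,user` carries no `-F` qualifier, so it discards every record on the user-message filter list (user-space-originated events such as USER_LOGIN, USER_AUTH and USER_CMD), far more than the cron noise the comment above it describes; the removed line was narrowed by `subj_type=crond_t`, and dropping that SELinux field without a substitute turns a targeted exclusion into a blanket one. Unless one of the fields valid on the user list (uid, auid, gid, pid, subj_*, msgtype) can isolate cron on this image, keep the rule disabled as the upstream sample does: `#-a never,user`. The two new `never,exit … -F exe=/usr/sbin/chronyd` lines also omit `-F auid=unset`, so adjtimex calls from an administrator running chronyd interactively are suppressed along with the daemon's; adding `-F auid=unset` there would line up with the uid-based rules in 22-ignore-chrony.rules later in this patch. The heredoc that writes this file (`cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules`) begins before the hunk.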
@@ -75,8 +80,8 @@ EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
--a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony -F subj_type=chronyd_t
--a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
diff --git a/config/hooks/live/9998_sources_list_trixie.chroot b/config/hooks/live/9998_sources_list_trixie.chroot
index 1b0a885..c8baf0f 100644
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.;
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
diff --git a/config/templates/sources.list.binary b/config/templates/sources.list.binary
new file mode 100644
index 0000000..7ce2fad
--- /dev/null
+++ b/config/templates/sources.list.binary
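Review bot: The two rewritten rules are shadowed by the `-F exe=/usr/sbin/chronyd` suppressions this same patch adds to 20-dont-audit.rules: the audit lists are first-match-wins and rules.d files load in name order, so a chronyd adjtimex call is already dropped before these uid-based rules are reached. Either keep a single predicate for chrony or state in the comment why both remain, e.g. `## Fallback for chronyd started from a path other than /usr/sbin/chronyd`. Note too that `-F uid=_chrony` is resolved to a numeric uid when augenrules/auditctl loads the file, so the rule is likely rejected on an image where the _chrony account does not exist; the `exe=` form has no such dependency. The `cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules` heredoc is wholly inside the hunk.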
@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# File: config/templates/sources.list.binary
+# Intentionally empty – disable classic sources.list in the ISO/live system.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/config/templates/sources.list.chroot b/config/templates/sources.list.chroot
new file mode 100644
index 0000000..968ecd4
--- /dev/null
+++ b/config/templates/sources.list.chroot
@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# File: config/templates/sources.list.chroot
+# Intentionally empty – disable classic sources.list generation (deb822 in use).
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf