V8.02.512.2025.05.30
All checks were successful
Retrieve the DNSSEC status at the time of updating the repository. / build-diagrams (push) Successful in 29s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
20
README.md
@@ -40,8 +40,16 @@ Check out more:
|
||||
* [CenturionMeet](https://talk.e2ee.li/)
|
||||
* [Contact the author](https://coresecret.eu/contact/)
|
||||
|
||||
> Please note: All my signing keys are contained in an HSM and the signing environment is air gapped. Next step: move to
|
||||
> a room-gapped environment ^^
|
||||
> Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped.
|
||||
> The next step is to move to a room-gapped environment.
|
||||
|
||||
Please note that `coresecret.dev` is included in the HSTS Preload list and always serves the headers:
|
||||
````nginx configuration pro
|
||||
add_header Expect-CT "max-age=86400, enforce" always;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
||||
````
|
||||
Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
|
||||
|
||||
|
||||
## 1.1. Immutable Source-of-Truth System
|
||||
|
||||
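Review bot: the added nginx snippet advertises `Expect-CT "max-age=86400, enforce"`, a header that is deprecated and no longer processed by current browsers, so presenting it next to HSTS preload overstates what it protects. I would drop that line from the README and keep only the `Strict-Transport-Security` line. Two smaller points in the same block: the fence info string `nginx configuration pro` should be plain `nginx` so highlighters pick it up, and the DNSSEC sentence is missing its final period and does not say which algorithms "dual-signed" refers to.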
@@ -70,11 +78,11 @@ source-defined infrastructure logic.<br>
|
||||
After build and configuration, the following audit reports can be generated:
|
||||
|
||||
* **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance.
|
||||
Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
|
||||
Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
|
||||
* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
|
||||
Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
|
||||
Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
|
||||
* **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
|
||||
Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
|
||||
Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
|
||||
|
||||
## 1.2. Preview
|
||||
|
||||
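Review bot: the three replaced report links are still absolute URLs with the host and repository name hard-coded, which is exactly what forced this edit when `cendev.eu/marc.weidner/CISS.2025.debian.live.builder` became `git.coresecret.dev/msw/CISS.debian.live.builder`. Relative links such as `docs/AUDIT_HAVEGED.md` would survive the next move or rename. The links also point at `branch/master`, so an "example report" can change under the reader; linking a tag or commit would keep the cited evidence stable. In the Haveged bullet, '/dev/random' is in plain quotes while the commands use backticks.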
@@ -85,7 +93,7 @@ After build and configuration, the following audit reports can be generated:
|
||||
**The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
|
||||
|
||||
Regardless of whether you start it:
|
||||
* via the boot menu of your Live ISO (grub, isolinux) like **CISS.2025.debian.live.builder**,
|
||||
* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
|
||||
* via kexec in the running system,
|
||||
* via the debian-installer-launcher package,
|
||||
* or even via a graphical installer shortcut.
|
||||
|
||||
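Review bot: the rename from `CISS.2025.debian.live.builder` to `CISS.debian.live.builder` in the first bullet is not mentioned in the commit message, which carries only a version string and the sign-off. Stating the rename there, and checking the rest of the README for remaining uses of the old name, would make the change easier to trace later.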