From 5af5b079c8ba3371e309196b84354d424bd95318c44d3ecb37c3a3f33fd3edf6 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Mon, 11 Aug 2025 20:41:55 +0200 Subject: [PATCH] V8.04.002.2025.08.11 Signed-off-by: Marc S. Weidner --- .../t_generate_PRIVATE_iso_flavour_0.yaml | 2 +- .../generate_PRIVATE_iso_flavour_0.yaml | 2 +- .../generate_PRIVATE_iso_flavour_1.yaml | 2 +- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- .../hooks/live/9950_fail2ban_hardening.chroot | 4 +- .../live/9998_sources_list_bookworm.chroot | 6 +- .../live/9998_sources_list_trixie.chroot | 84 +++++++++++++++---- .../preseed/.lib/sshd_config.lib | 6 +- docs/CHANGELOG.md | 82 +++++++++--------- 9 files changed, 121 insertions(+), 69 deletions(-) diff --git a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml index 4420084..ddda575 100644 --- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1023 + counter: 1024 version: V8.04.002.2025.08.11 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml index b57166d..22d4e34 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml @@ -270,7 +270,7 @@ jobs: timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. ./ciss_live_builder.sh \ - --autobuild=6.12.38+deb12-amd64 \ + --autobuild=6.1.0-37-amd64 \ --architecture amd64 \ --build-directory /opt/livebuild \ --control "${timestamp}" \ diff --git a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml index 44ce1d8..85aeb55 100644 --- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml 
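Review bot: The `--autobuild=` argument pins the kernel to the exact ABI string `6.1.0-37-amd64`, so once the Debian security team publishes a newer bookworm kernel ABI this workflow will silently keep building ISOs with the superseded kernel (or break, if the old `linux-image` package is later removed from the mirror) until someone edits this line; a pre-flight step that resolves the ABI currently shipped by the metapackage and fails the job when it differs from the pinned value, e.g. `test "$(apt-cache depends linux-image-amd64 | awk '/Depends: linux-image-/{print $2}')" = linux-image-6.1.0-37-amd64`, would make the staleness visible instead of letting it pass. The comment immediately above the call still reads `6.12.22+bpo-amd64`, which matched neither the removed value nor the new one; update it to the pinned version or make it generic. Moving from the 6.12 backports kernel back to the 6.1 stable series changes the mitigation set and driver surface of the image, which neither the commit message nor the CHANGELOG entry explains — a one-line rationale there would help reviewers of later builds. The identical change is made in generate_PRIVATE_iso_flavour_1.yaml and generate_PUBLIC_iso.yaml, and the enclosing `jobs:` step begins before the hunk.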
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml @@ -270,7 +270,7 @@ jobs: timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. ./ciss_live_builder.sh \ - --autobuild=6.12.38+deb12-amd64 \ + --autobuild=6.1.0-37-amd64 \ --architecture amd64 \ --build-directory /opt/livebuild \ --control "${timestamp}" \ diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index c9146c0..29dacd4 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -271,7 +271,7 @@ jobs: timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. ./ciss_live_builder.sh \ - --autobuild=6.12.38+deb12-amd64 \ + --autobuild=6.1.0-37-amd64 \ --architecture amd64 \ --build-directory /opt/livebuild \ --control "${timestamp}" \ diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot index b3f143b..4b402ac 100644 --- a/config/hooks/live/9950_fail2ban_hardening.chroot +++ b/config/hooks/live/9950_fail2ban_hardening.chroot @@ -33,8 +33,8 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework. -# SPDX-PackageName: CISS.2025.debian.live.builder +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu [DEFAULT] diff --git a/config/hooks/live/9998_sources_list_bookworm.chroot b/config/hooks/live/9998_sources_list_bookworm.chroot index e025078..f1b0995 100644 --- a/config/hooks/live/9998_sources_list_bookworm.chroot 
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot @@ -28,8 +28,8 @@ cat << 'EOF' >| /etc/apt/sources.list # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework. -# SPDX-PackageName: CISS.2025.debian.live.builder +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu #-----------------------------------------------------------------------------------------# # OFFICIAL DEBIAN REPOS @@ -56,4 +56,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e # sleep 1 exit 0 -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9998_sources_list_trixie.chroot b/config/hooks/live/9998_sources_list_trixie.chroot index faf6d2c..9e828de 100644 --- a/config/hooks/live/9998_sources_list_trixie.chroot +++ b/config/hooks/live/9998_sources_list_trixie.chroot 
@@ -20,34 +20,86 @@ if [[ -f /etc/apt/sources.list ]]; then mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak fi -cat << 'EOF' >| /etc/apt/sources.list +cat << EOF >| /etc/apt/sources.list.d/trixie.sources # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework. -# SPDX-PackageName: CISS.2025.debian.live.builder +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -#-----------------------------------------------------------------------------------------# -# OFFICIAL DEBIAN REPOS -#-----------------------------------------------------------------------------------------# -### Debian Main Repos Bookworm +Types: deb deb-src +URIs: https://deb.debian.org/debian/ +Suites: trixie +Components: main contrib non-free non-free-firmware +Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg -deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware -deb-src https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh +EOF -deb http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware -deb-src http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware +cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT 
https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu -deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware -deb-src https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware +Types: deb deb-src +URIs: https://security.debian.org/debian-security/ +Suites: trixie-security +Components: main contrib non-free non-free-firmware +Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg -deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware -deb-src https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh +EOF + +cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. 
+# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +Types: deb deb-src +URIs: https://deb.debian.org/debian/ +Suites: trixie-updates +Components: main contrib non-free non-free-firmware +Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh +EOF + +cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +Types: deb deb-src +URIs: https://deb.debian.org/debian/ +Suites: trixie-backports +Components: main contrib non-free non-free-firmware +Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF diff --git a/config/includes.chroot/preseed/.lib/sshd_config.lib b/config/includes.chroot/preseed/.lib/sshd_config.lib index 7f1d7a5..9193fef 100644 --- a/config/includes.chroot/preseed/.lib/sshd_config.lib +++ b/config/includes.chroot/preseed/.lib/sshd_config.lib 
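Review bot: All four new heredocs use an unquoted delimiter (`cat << EOF`), whereas the `sources.list` heredoc they replace — and the bookworm hook touched in this same commit — use `cat << 'EOF'`; unquoted, any `$var`, `$(...)` or backtick that later ends up in these headers or URIs is expanded by the shell inside the chroot before being written to the apt configuration, so the quoting should be restored on each of the four lines, e.g. `cat << 'EOF' >| /etc/apt/sources.list.d/trixie.sources`. The hook backs up a pre-existing `/etc/apt/sources.list` but does not look in `/etc/apt/sources.list.d/` at all; if the bootstrap has already placed a `debian.sources` there the same suites end up configured twice and apt warns about duplicate targets — I cannot tell from the hunk whether that happens, so a guard such as `rm -f /etc/apt/sources.list.d/debian.sources` (or an explicit existence check) before the writes is worth confirming. The trailing `# vim: ... ft=sh` modeline is copied into deb822 files that are not shell; apt ignores comment lines, but `ft=sh` misleads editors, so drop it or use a neutral comment. The `Signed-By:` pin to the archive keyring is a welcome addition; the script's surrounding lines lie outside the hunk.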
@@ -5,8 +5,8 @@ # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework. -# SPDX-PackageName: CISS.2025.debian.live.builder +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu Include /etc/ssh/sshd_config.d/*.conf @@ -115,4 +115,4 @@ HostbasedAuthentication no # PermitUserEnvironment no # IgnoreUserKnownHosts no -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index dea3494..b0872e9 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
@@ -13,102 +13,102 @@ include_toc: true # 2. Changelog ## V8.04.002.2025.08.11 -* Added: [lib_source_guard.sh](../lib/lib_source_guard.sh) -* Updated: [bash.var.sh](../var/bash.var.sh) -* Updated: Support for Debian Trixie via Argument ``--trixie`` -* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.38+deb12-amd64`` +* **Added**: [lib_source_guard.sh](../lib/lib_source_guard.sh) +* **Updated**: [bash.var.sh](../var/bash.var.sh) +* **Updated**: Support for Debian Trixie via Argument ``--trixie`` +* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.1.0-37-amd64`` ## V8.03.920.2025.08.07 -* Updated: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) -* Updated: [ciss_live_builder.sh](../ciss_live_builder.sh) -* Updated: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) +* **Updated**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) +* **Updated**: [ciss_live_builder.sh](../ciss_live_builder.sh) +* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) ## V8.03.912.2025.07.23 -* Updated: [alias](../config/includes.chroot/root/.ciss/alias) -* Updated: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh) -* Updated: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh) -* Updated: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap) -* Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) -* Updated: [.bashrc](../config/includes.chroot/root/.bashrc) +* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) +* **Updated**: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh) +* **Updated**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh) +* **Updated**: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap) +* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) +* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) ## V8.03.896.2025.07.22 -* Added: 
[.shellcheckrc](../.shellcheckrc) -* Bugfixes: [ciss_live_builder.sh](../ciss_live_builder.sh) -* Updated: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot) +* **Added**: [.shellcheckrc](../.shellcheckrc) +* **Bugfixes**: [ciss_live_builder.sh](../ciss_live_builder.sh) +* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot) ## V8.03.880.2025.07.19 -* Updated: [alias](../config/includes.chroot/root/.ciss/alias) -* Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) -* Added: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) -* Added: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) +* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) +* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) +* **Added**: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) +* **Added**: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) ## V8.03.864.2025.07.15 -* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh) -* Added: [BOOTPARAMS.md](BOOTPARAMS.md) -* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) +* **Updated**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh) +* **Added**: [BOOTPARAMS.md](BOOTPARAMS.md) +* **Added**: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) ## V8.03.832.2025.06.25 -* Added: [lib_version.sh](../lib/lib_version.sh) -* Updated: +* **Added**: [lib_version.sh](../lib/lib_version.sh) +* **Updated**: * [lib_contact.sh](../lib/lib_contact.sh) * [lib_usage.sh](../lib/lib_usage.sh) -* Packages added: +* **Packages added**: * https://packages.debian.org/bookworm/fio * https://packages.debian.org/bookworm/stress -* Timezone changed to ``Etc/UTC`` +* **Updated**: Timezone 
changed to ``Etc/UTC`` ## V8.03.832.2025.06.24 -* Updated: +* **Updated**: * [lib_check_provider.sh](../lib/lib_check_provider.sh) * [lib_debug_header.sh](../lib/lib_debug_header.sh) * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) -* The Debian package ``bat`` will be installed to enable smooth log reading. +* **Added**: The Debian package ``bat`` will be installed to enable smooth log reading. ## V8.03.768.2025.06.23 -* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts. +* **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts. * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh) * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh) -* Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh) -* Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh) - * to prevent the caller LIB-file from being sourced twice. +* **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh) +* **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh) + to prevent the caller LIB-file from being sourced twice. ## V8.03.768.2025.06.19 * Minor main script improvements. -* Updated [lib_usage.sh](../lib/lib_usage.sh) output. +* **Updated**: [lib_usage.sh](../lib/lib_usage.sh) output. ## V8.03.768.2025.06.18 * Minor main script improvements. -* Updated contact section. +* **Updated**: Contact section. * Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver. 
## V8.03.768.2025.06.17 -* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64`` +* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64`` ## V8.03.768.2025.06.11 -* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64`` +* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64`` ## V8.03.768.2025.06.09 -* Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh) -* Updated: [alias](../config/includes.chroot/root/.ciss/alias) +* **Added**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh) +* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) * ``scurl()`` * ``swget()`` ## V8.03.644.2025.06.07 -* Updated workflows ISO Generators Runners. +* **Updated**: Workflows ISO Generators Runners. * Installing ``bookworm-backports`` Versions of: * ``btrfs-progs`` * ``curl`` @@ -129,7 +129,7 @@ include_toc: true ## V8.03.512.2025.06.06 -* Updated workflows: +* **Updated**: Workflows: 1. ``git stash push`` 2. ``git fetch origin master`` 3. ``git merge --no-edit origin/master``