V8.13.408.2025.11.13
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -8,10 +8,33 @@ include_toc: true
|
||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||
**Master Version**: 8.13<br>
|
||||
**Build**: V8.13.404.2025.11.10<br>
|
||||
**Build**: V8.13.408.2025.11.13<br>
|
||||
|
||||
# 2. Changelog
|
||||
|
||||
## V8.13.408.2025.11.13
|
||||
* **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
|
||||
* **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
|
||||
* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
|
||||
* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
|
||||
* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh) + Enforce early sysctls before services start.
|
||||
* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
|
||||
* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
|
||||
* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
|
||||
* **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.
|
||||
* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + securing ``/.ciss``, removing ``.keep``.
|
||||
* **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh) + integrated dynamic GPG FPR injection.
|
||||
* **Changed**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh) + ``dmsetup``.
|
||||
* **Changed**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) + integrated dynamic GPG FPR injection.
|
||||
* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) + ``--signing_ca=*``.
|
||||
* **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling.
|
||||
* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
|
||||
* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys.
|
||||
* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™.
|
||||
* **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``.
|
||||
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'``
|
||||
* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity.
|
||||
|
||||
## V8.13.404.2025.11.10
|
||||
* **Added**: [0020_dropbear_build.chroot](../config/hooks/live/0020_dropbear_build.chroot)
|
||||
* **Added**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot)
|
||||
@@ -22,14 +45,14 @@ include_toc: true
|
||||
* **Added**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh)
|
||||
* **Added**: [dropbear](../config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear)
|
||||
* **Added**: [MAN_SSH_Host_Key_Policy.md](MAN_SSH_Host_Key_Policy.md)
|
||||
* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_luks_squash.hook.binary) + Preparing squashfs LUKS encryption
|
||||
* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Preparing squashfs LUKS encryption
|
||||
* **Bugfixes**: [generate_PRIVATE_trixie_0.yaml](../.gitea/workflows/generate_PRIVATE_trixie_0.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
* **Bugfixes**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
* **Bugfixes**: [generate_PUBLIC_iso.yaml](../.gitea/workflows/generate_PUBLIC_iso.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
|
||||
* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums)
|
||||
* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
|
||||
* **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h)
|
||||
* **Changed**: [.shellcheckrc](../.shellcheckrc)
|
||||
* **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf
|
||||
@@ -38,7 +61,7 @@ include_toc: true
|
||||
* **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6
|
||||
|
||||
## V8.13.400.2025.11.08
|
||||
* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
|
||||
* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
|
||||
* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
|
||||
* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
|
||||
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
|
||||
@@ -55,16 +78,17 @@ include_toc: true
|
||||
* **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling
|
||||
|
||||
## V8.13.384.2025.11.06
|
||||
* **Global**: Debian bookworm support deprecated.
|
||||
* **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
|
||||
* **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
|
||||
* **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
|
||||
* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
|
||||
* **Added**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
|
||||
* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
|
||||
* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
|
||||
* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
|
||||
* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
|
||||
* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
|
||||
* **Added**: [0030-verify-checksums](../scripts/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
|
||||
* **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
|
||||
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
|
||||
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
|
||||
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
|
||||
@@ -100,9 +124,6 @@ include_toc: true
|
||||
* **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration.
|
||||
* **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration.
|
||||
* **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation.
|
||||
* **Removed**: [0002_verify_checksums.chroot](../.archive/0002_verify_checksums.chroot) Unified handling via includes.chroot.
|
||||
* **Removed**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) Debian bookworm support deprecated.
|
||||
* **Removed**: [lib_lb_config_write.sh](../.archive/lib_lb_config_write.sh) Debian bookworm support deprecated.
|
||||
* **Updated**: [icon.lib](../.archive/icon.lib) + Emojis
|
||||
|
||||
## V8.13.298.2025.10.30
|
||||
@@ -222,7 +243,6 @@ include_toc: true
|
||||
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
|
||||
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
|
||||
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
|
||||
* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot)
|
||||
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
|
||||
* **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
|
||||
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
|
||||
@@ -241,7 +261,7 @@ include_toc: true
|
||||
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
|
||||
|
||||
## V8.13.008.2025.08.22
|
||||
* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
|
||||
* **Removed**: [0003_install_backports.chroot]
|
||||
|
||||
## V8.13.004.2025.08.21
|
||||
* **Added**: [makefile](../makefile)
|
||||
|
||||
Reference in New Issue
Block a user