msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.002.2026.05.13

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2026-05-17 13:34:00 +01:00
parent 39aeea84a7
commit 6307bc2b7c
67 changed files with 315 additions and 176 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+10 -10
View File
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.002.2026.05.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,10 +11,10 @@ include_toc: true
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.3-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.11-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -26,11 +26,11 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.768.2025.12.06<br>
**Master Version**: 9.14<br>
**Build**: V9.14.002.2026.05.13<br>
**CISS.debian.live.builder — First of its own.**<br>
**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed
to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -175,7 +175,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.13.768.2025.12.06`
Example: `V9.14.002.2026.05.13`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -221,7 +221,7 @@ The parameters fall into several categories.
* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.