V9.14.002.2026.05.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-05-17 13:34:00 +01:00
parent 39aeea84a7
commit 6307bc2b7c
67 changed files with 315 additions and 176 deletions
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. DNSSEC Status

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Lynis Audit:

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. SSH Audit by ssh-audit.com

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. TLS Audit:
 ````text
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Hardened Kernel Boot Parameters

@@ -7,11 +7,20 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Changelog

+## V9.14.002.2026.05.13
+* **Added**: [9935_hardening_ssl.chroot](../config/hooks/live/9935_hardening_ssl.chroot)
+* **Added**: [dropbear-2026.91.tar.bz2](../upgrades/dropbear/dropbear-2026.91.tar.bz2)
+* **Added**: [dropbear-2026.91.tar.bz2.asc](../upgrades/dropbear/dropbear-2026.91.tar.bz2.asc)
+* **Added**: Dropbear Version Argument ``--dropbear-version=*`` and ``--dropbear-version <STRING>``
+* **Changed**: [SHA512SUM.asc](../upgrades/dropbear/SHA512SUM.asc)
+* **Changed**: ``dropbear 2025.88`` to ``dropbear 2026.91``
+* **Changed**: ``sops 3.11.0`` to ``sops 3.13.0``
+
 ## V8.13.768.2025.12.06
 * **Global**: Stable Release

@@ -119,13 +128,13 @@ include_toc: true
 * **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6

 ## V8.13.400.2025.11.08
-* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
-* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
-* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
-* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
-* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) - added verbosity output
-* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) - bugfixes
-* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) - moved ``update-initramfs`` to:
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) : GPG key handling
+* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) : Unified naming scheme
+* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) : Unified naming scheme
+* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) : Unified naming scheme, added verbosity output
+* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) : added verbosity output
+* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) : bugfixes
+* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) : moved ``update-initramfs`` to:
 * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)

 ## V8.13.392.2025.11.07
@@ -221,7 +230,7 @@ include_toc: true
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
 * **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
-* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - yq
+* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) : yq

 ## V8.13.280.2025.10.23
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules
@@ -244,8 +253,8 @@ include_toc: true
 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
 * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
-* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
-* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
+* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) added: rsyslog
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) removed: haveged, added: jitterentropy-rngd

 ## V8.13.192.2025.10.18
 * **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Coding Style

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Contributing / participating

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Credits

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -7,15 +7,15 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.768.2025.12.06
+Master V9.14.002.2026.05.13
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -64,6 +64,12 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
      - https://dns01.eddns.eu/
      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
+      
+  --dropbear-version <STRING>
+    Selects the bundled Dropbear source tarball version used for the hardened initramfs build.
+    The matching file MUST exist as:
+    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>
+    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>.

  --jump-host <IP | IP | ... >
    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6
@@ -146,7 +152,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V8.13.768.2025.12.06                        2025-11-06                         CDLB(1)
+                        V9.14.002.2026.05.13                        2025-11-06                         CDLB(1)
 ````

 # 3. Booting
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

@@ -220,7 +220,7 @@ cryptsetup luksFormat \
  * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`

-# 13. Diagram: CISS Live ISO Build, Boot and Run Time Trust Chain & Verification Paths
+# 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths
 ```mermaid
 flowchart TD

@@ -261,7 +261,7 @@ I -- FAIL --> X;

 # 14. Closing Remarks

-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot, and active attacks **both before and after decryption**. The dual-verification phases make the state transparent and deterministic.

 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. Resources

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. ``30-ciss-hardening.conf``

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. ``90-ciss-local.hardened``

@@ -7,8 +7,8 @@ include_toc: true

 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.768.2025.12.06<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.002.2026.05.13<br>

 # 2. ``ciss_live_builder.sh``