msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.064.2025.10.07
Some checks failed
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m21s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 3m56s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-07 17:01:01 +01:00
parent ad30f41516
commit 77c1753d02
30 changed files with 227 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
View File

@@ -10,6 +10,6 @@
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1023
counter: 1024
version: V8.13.064.2025.10.07
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

44
.gitea/workflows/generate_PRIVATE_trixie_0.yaml
View File

@@ -146,23 +146,27 @@ jobs:
shell: bash
working-directory: ${{ github.workspace }}
env:
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
run: |
set -Ceuo pipefail
umask 077
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
ID_OUT"${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
ID_OUT_PUB"${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
if [[ ! -f "$TPL" ]]; then
echo "Template not found: $TPL"
if [[ ! -f "${TPL}" ]]; then
echo "Template not found: ${TPL}"
echo "::group::Tree of config/hooks/live"
ls -la "$REPO_ROOT/config/hooks/live" || true
ls -la "${REPO_ROOT}/config/hooks/live" || true
echo "::endgroup::"
exit 2
fi
@@ -171,6 +175,22 @@ jobs:
export ED25519_PUB="${ED25519_PUB//$'\r'/}"
export RSA_PRIV="${RSA_PRIV//$'\r'/}"
export RSA_PUB="${RSA_PUB//$'\r'/}"
export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
(
cat << EOF >| "${ID_OUT}"
${CISS_PRIMORDIAL}
EOF
) && chmod 0600 "${ID_OUT}"
echo "Written: ${ID_OUT}"
(
cat << EOF >| "${ID_OUT_PUB}"
${CISS_PRIMORDIAL_PUB}
EOF
) && chmod 0600 "${ID_OUT_PUB}"
echo "Written: ${ID_OUT_PUB}"
perl -0777 -pe '
BEGIN{
@@ -181,10 +201,10 @@ jobs:
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
' "$TPL" > "$OUT"
' "${TPL}" > "${OUT}"
chmod 0755 "$OUT"
echo "Hook rendered: $OUT"
chmod 0755 "${OUT}"
echo "Hook rendered: ${OUT}"
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash

44
.gitea/workflows/generate_PRIVATE_trixie_1.yaml
View File

@@ -146,23 +146,27 @@ jobs:
shell: bash
working-directory: ${{ github.workspace }}
env:
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
run: |
set -Ceuo pipefail
umask 077
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
ID_OUT"${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
ID_OUT_PUB"${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
if [[ ! -f "$TPL" ]]; then
echo "Template not found: $TPL"
if [[ ! -f "${TPL}" ]]; then
echo "Template not found: ${TPL}"
echo "::group::Tree of config/hooks/live"
ls -la "$REPO_ROOT/config/hooks/live" || true
ls -la "${REPO_ROOT}/config/hooks/live" || true
echo "::endgroup::"
exit 2
fi
@@ -171,6 +175,22 @@ jobs:
export ED25519_PUB="${ED25519_PUB//$'\r'/}"
export RSA_PRIV="${RSA_PRIV//$'\r'/}"
export RSA_PUB="${RSA_PUB//$'\r'/}"
export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
(
cat << EOF >| "${ID_OUT}"
${CISS_PRIMORDIAL}
EOF
) && chmod 0600 "${ID_OUT}"
echo "Written: ${ID_OUT}"
(
cat << EOF >| "${ID_OUT_PUB}"
${CISS_PRIMORDIAL_PUB}
EOF
) && chmod 0600 "${ID_OUT_PUB}"
echo "Written: ${ID_OUT_PUB}"
perl -0777 -pe '
BEGIN{
@@ -181,10 +201,10 @@ jobs:
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
' "$TPL" > "$OUT"
' "${TPL}" > "${OUT}"
chmod 0755 "$OUT"
echo "Hook rendered: $OUT"
chmod 0755 "${OUT}"
echo "Hook rendered: ${OUT}"
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash

6
ciss_live_builder.sh
View File

@@ -210,6 +210,12 @@ arg_priority_check
check_stats
if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
if [[ ! "${VAR_SSHFP}" == "true" ]]; then
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
fi
check_hooks
hardening_ssh
lb_config_start

2
config/hooks/live/0001_initramfs_modules.chroot
View File

@@ -327,7 +327,7 @@ EOF
chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
### Regenerate the initramfs for the live system kernel
update-initramfs -u -k all
update-initramfs -u -k all -v
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

8
config/hooks/live/9900_process_accounting.chroot
View File

@@ -12,22 +12,26 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get install -y acct
if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
mkdir -p /etc/systemd/system/multi-user.target.wants
fi
if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/hooks/live/9910_motd.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /root/.ciss/dlb/backup/update-motd.d
cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
@@ -25,7 +24,6 @@ EOF
chmod 0755 /etc/update-motd.d/10-uname
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

67
config/hooks/live/9920_deleting_invalid_x509.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
declare backup_dir="/root/.ciss/dlb/backup/certificates"
@@ -27,17 +26,24 @@ declare -ax expired_certificates=()
# search_dirs
# dir
# Arguments:
# None
# None
#######################################
create_backup() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
mkdir -p "${backup_dir}"
declare dir=""
for dir in "${search_dirs[@]}"; do
if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
if [[ -d "${dir}" ]] && compgen -G "${dir}"/* > /dev/null; then
cp -r "${dir}"/* "${backup_dir}"
fi
done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
}
@@ -52,25 +58,32 @@ create_backup() {
# EXPIRED_CERTIFICATES
# SEARCH_DIRS
# Arguments:
# None
# None
#######################################
check_certificates() {
declare dir=""
declare cert=""
declare cert_date=""
declare cert_date_seconds=""
for dir in "${search_dirs[@]}"; do
# shellcheck disable=SC2312
while IFS= read -r -d '' cert; do
cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
cert_date_seconds=$(date -d "${cert_date}" +%s)
if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
declare -g expired_certificates+=("${cert}")
fi
done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
done
}
# done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
# done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
#######################################
# Find and clean all ca-certificates.crt files in SEARCH_DIRS.
@@ -80,13 +93,17 @@ check_certificates() {
# cert
# line
# Arguments:
# None
# None
#######################################
delete_expired_from_all_bundles() {
declare dir bundle
for dir in "${search_dirs[@]}"; do
bundle="${dir}/ca-certificates.crt"
if [[ -f ${bundle} ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
declare tmp_bundle="${bundle}.tmp"
declare -a block=()
@@ -97,33 +114,57 @@ delete_expired_from_all_bundles() {
declare line=""
while IFS= read -r line; do
block+=("${line}")
if [[ ${line} == "-----END CERTIFICATE-----" ]]; then
cert=$(printf "%s\n" "${block[@]}")
enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
if [[ -n ${enddate} ]]; then
declare cert_date_seconds=""
cert_date_seconds=$(date -d "${enddate}" +%s)
if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
expired=1
else
expired=0
fi
else
expired=0
fi
if [[ ${expired} -eq 0 ]]; then
printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
fi
block=()
fi
done < "${bundle}"
mv -f "${tmp_bundle}" "${bundle}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
fi
done
}
@@ -141,30 +182,38 @@ else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
for exp_cert in "${expired_certificates[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
done
for exp_cert in "${expired_certificates[@]}"; do
rm -f "${exp_cert}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
basename=$(basename "${exp_cert}")
mozilla_entry="mozilla/${basename%.pem}.crt"
mozilla_entry="${mozilla_entry%.crt}.crt"
declare ca_conf="/etc/ca-certificates.conf"
if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
fi
done
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
update-ca-certificates --fresh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
# sleep 1
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
config/hooks/live/9935_hardening_ssh.chroot.tmpl
View File

@@ -88,7 +88,6 @@ EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

12
config/hooks/live/9940_hardening_memory.dump.chroot
View File

@@ -12,15 +12,20 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
sed -i "/#* soft core 0/ i\* soft core 0" /etc/security/limits.conf
sed -i "/#root hard core 100000/ i\* hard core 0" /etc/security/limits.conf
grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
|| sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\* soft core 0' /etc/security/limits.conf
grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
|| sed -i -E '/^[[:space:]]*#?[[:space:]]*root[[:space:]]+hard[[:space:]]+core[[:space:]]+100000[[:space:]]*$/ i\* hard core 0' /etc/security/limits.conf
if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
mkdir -p /etc/systemd/coredump.conf.d
fi
touch /etc/systemd/coredump.conf.d/disable.conf
@@ -31,7 +36,6 @@ Storage=none
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/hooks/live/9950_fail2ban_hardening.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
@@ -142,7 +141,6 @@ touch /var/log/fail2ban/fail2ban.log
chmod 640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/hooks/live/9960_disable_services.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
###########################################################################################
# Remarks: Turn off Energy saving mode and ctrl-alt-del #
@@ -25,7 +24,6 @@ done
unset target
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

9
config/hooks/live/9970_remove_exim.chroot
View File

@@ -12,21 +12,17 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /etc
apt-get purge exim4 -y
apt-get purge exim4-base -y
apt-get purge exim4-config -y
apt-get purge exim4 exim4-base exim4-config -y
apt-get autoremove -y
apt-get autoclean -y
apt-get autopurge -y
apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
apt-get update -y
apt-get update
apt-get upgrade -y
if [[ -d /etc/exim4 ]]; then
@@ -34,7 +30,6 @@ if [[ -d /etc/exim4 ]]; then
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/hooks/live/9985_clamav.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /etc/systemd/system/clamav-daemon.service.d
cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -71,7 +70,6 @@ EOF
chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
config/hooks/live/9990_final_purge.chroot
View File

@@ -12,36 +12,40 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get update -y
apt-get update
apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
if [[ -s /tmp/deinstall.log ]]; then
printf "\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
sed -i 's!deinstall!!' /tmp/deinstall.log
while IFS= read -r line; do
declare trimmed_string
trimmed_string=$(echo "$line" | awk '{$1=$1};1')
trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
echo "y" | apt-get purge "${trimmed_string}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
# sleep 1
done < /tmp/deinstall.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
else
printf "\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
fi
apt-get update -y
apt-get update
apt-get upgrade -y
rm -f /tmp/deinstall.log
@@ -53,7 +57,6 @@ apt-get autopurge -y
updatedb
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

11
config/hooks/live/9991_file_permissions.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
chmod 0644 /etc/banner
chmod 0644 /etc/issue
@@ -99,8 +98,16 @@ for bin in as gcc g++ cc clang; do
done
unset bin target
### Directories: 0700
find /root -type d -exec chmod 0700 {} +
### Executable files: 0700 (any x-bit set)
find /root -type f -perm /111 -exec chmod 0700 {} +
### Non-executable files: 0600
find /root -type f ! -perm /111 -exec chmod 0600 {} +
### Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
find /root -xdev -exec chown -h root:root {} +
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

13
config/hooks/live/9992_password_expiration.chroot
View File

@@ -12,31 +12,35 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
if ! command -v chage &>/dev/null; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
fi
declare -i max_days=16384
# shellcheck disable=SC2312
mapfile -t users_to_update < <(
awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
)
if [[ ${#users_to_update[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
fi
declare user
for user in "${users_to_update[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
chage --maxdays "$max_days" "$user"
chage --maxdays "${max_days}" "${user}"
done
unset max_days user users_to_update
@@ -46,7 +50,6 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
config/hooks/live/9993_aide.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get install -y aide > /dev/null 2>&1
@@ -20,13 +19,16 @@ cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
if aideinit > /dev/null 2>&1; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

9
config/hooks/live/9994_password_policy.chroot
View File

@@ -16,14 +16,16 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
cat << 'EOF' >| /etc/security/pwquality.conf
cat << EOF >| /etc/security/pwquality.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -129,7 +131,6 @@ local_users_only
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/hooks/live/9995_sysstat.chroot
View File

@@ -12,12 +12,10 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
config/hooks/live/9996_auditd.chroot
View File

@@ -15,7 +15,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root

2
config/hooks/live/9997_debsums.chroot
View File

@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
@@ -30,7 +29,6 @@ else
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
config/hooks/live/9998_sources_list_bookworm.chroot
View File

@@ -12,7 +12,9 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cd /root
@@ -22,7 +24,7 @@ fi
cat << 'EOF' >| /etc/apt/sources.list
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>

13
config/hooks/live/9998_sources_list_trixie.chroot
View File

@@ -12,7 +12,9 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cd /root
@@ -29,7 +31,7 @@ EOF
if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie.sources
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -52,7 +54,7 @@ fi
if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -75,7 +77,7 @@ fi
if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -99,7 +101,7 @@ fi
if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -120,7 +122,6 @@ EOF
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

12
config/hooks/live/9999_interfaces_update.chroot
View File

@@ -12,14 +12,16 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
rm -f /etc/network/interfaces
cat << 'EOF' >| /etc/network/interfaces
cat << EOF >| /etc/network/interfaces
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -32,6 +34,9 @@ cat << 'EOF' >| /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
EOF
cat << 'EOF' >> /etc/network/interfaces
### The loopback network interface
auto lo
iface lo inet loopback
@@ -59,7 +64,6 @@ EOF
chmod 0644 /etc/network/interfaces
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
docs/CHANGELOG.md
View File

@@ -13,6 +13,7 @@ include_toc: true
# 2. Changelog
## V8.13.064.2025.10.07
* **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
* **Added**: Verbose status information screen on successful completion.
* **Added**: Verbose status information in 'CISS.debian.live.iso.'
* **Added**: Loop to desynchronize parallel workflows.
@@ -21,6 +22,9 @@ include_toc: true
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
* **Updated**: [9000-cdi-starter](../scripts/9000-cdi-starter)
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
* **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified Kernel bootparameter.
* **Updated**: [lib_run_analysis.sh](../lib/lib_run_analysis.sh)

13
lib/lib_lb_build_start.sh
View File

@@ -19,30 +19,37 @@ guard_sourcing
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# None
#######################################
lb_build_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# sleep 1
# shellcheck disable=SC2164
cd "${SCRIPT_BASEPATH}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2312
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -type f -name "*.iso" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
lib/lib_lb_config_start.sh
View File

@@ -17,29 +17,36 @@ guard_sourcing
# Globals:
# VAR_HANDLER_BUILD_DIR
# Arguments:
# $0: Script-name
# 0: Script-name
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
rm -f ./config/binary
rm -f ./config/bootstrap
@@ -52,6 +59,7 @@ lb_config_start() {
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
lib/lib_note_target.sh
View File

@@ -22,7 +22,7 @@
note_target() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/cdlb.txt"
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.txt"
################################################################################
This CISS.debian.live ISO was built by:

2
var/early.var.sh
View File

@@ -15,7 +15,7 @@
# shellcheck disable=SC2155
declare -grx VAR_CONTACT="security@coresecret.eu"
declare -grx VAR_VERSION="Master V8.13.064.2025.10.07"
declare -grx VAR_SYSTEM="$(uname -a)"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -gx VAR_EARLY_DEBUG="false"
declare -gx VAR_HANDLER_AUTOBUILD="false"