DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]

X-CI-Metadata: master@291cbe2 at 2025-06-02T15:01:40Z on 9c5c5e3592be

  Generated at: 2025-06-02T15:01:40Z
  Runner Host : 9c5c5e3592be
  Workflow ID : Render README.md to README.html.
  Git Commit  : 291cbe2 HEAD → master
2025-06-02 15:01:40 +00:00
parent 291cbe267b
commit 7fadba9cc2


@@ -1,7 +1,7 @@
<p><a href="https://git.coresecret.dev/msw/CISS.debian.live.builder"><img src="https://badges.coresecret.dev/badge/Release-V8.03.256.2025.06.02-white?style=plastic&amp;logo=linux&amp;logoColor=white&amp;logoSize=auto&amp;label=Release&amp;color=%23FCC624" alt="Static Badge" /></a>   <a href="https://eupl.eu/1.2/en/"><img src="https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=Licence&amp;color=%23003399" alt="Static Badge" /></a>   <a href="https://opensource.org/license/eupl-1-2"><img src="https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&amp;logo=opensourceinitiative&amp;logoColor=white&amp;logoSize=auto&amp;label=OSI&amp;color=%233DA639" alt="Static Badge" /></a>   <a href="https://www.gnu.org/software/bash/"><img src="https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=Bash&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://shellcheck.net/"><img src="https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=shellcheck&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://github.com/mvdan/sh"><img src="https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=shellformat&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://google.github.io/styleguide/shellguide.html"><img src="https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=Shellstyle&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://docs.gitea.com/"><img 
src="https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&amp;logo=gitea&amp;logoColor=white&amp;logoSize=auto&amp;label=gitea&amp;color=%23609926" alt="Static Badge" /></a>   <a href="https://www.jetbrains.com/store/?section=personal&amp;billing=yearly"><img src="https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&amp;logo=intellijidea&amp;logoColor=white&amp;logoSize=auto&amp;label=IntelliJ&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://keepassxc.org/"><img src="https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&amp;logo=keepassxc&amp;logoColor=white&amp;logoSize=auto&amp;label=KeePassXC&amp;color=%236CAC4D" alt="Static Badge" /></a>   <a href="https://www.netcup.com/de"><img src="https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&amp;logo=netcup&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%23056473" alt="Static Badge" /></a>   <a href="https://coresecret.eu/"><img src="https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://x.com/coresecret_eu"><img src="https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&amp;logo=x&amp;logoColor=white&amp;logoSize=auto&amp;label=SocialMedia&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#sepa"><img src="https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&amp;logo=sepa&amp;logoColor=white&amp;logoSize=auto&amp;label=&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#bitcoin"><img src="https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&amp;logo=bitcoin&amp;logoColor=white&amp;logoSize=auto&amp;label=Donation&amp;color=%23F7931A" alt="Static Badge" /></a>   <a 
href="https://coresecret.eu/contact/#simplex"><img src="https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&amp;logo=simplex&amp;logoColor=white&amp;logoSize=auto&amp;label=Contact&amp;color=%23000000" alt="Static Badge" /></a>  </p>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.256.2025.06.02<br></p>
<p>This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud deployment or unattended installations via the forthcoming <code>CISS.debian.installer</code>. The latest generic ISO is available at: <a href="/docs/DL_PUB_ISO.html">CISS.debian.live.ISO_PUBLIC</a></p>
<p>This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud deployment or unattended installations via the forthcoming <code>CISS.debian.installer</code>. The latest generic ISO is available at: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/DL_PUB_ISO.html">CISS.debian.live.ISO_PUBLIC</a></p>
<p>Check out more:</p>
<ul>
<li><a href="https://coresecret.eu/cnet/">CenturionNet Services</a></li>
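Review bot: The new ISO download link targets `/src/branch/master/docs/DL_PUB_ISO.html`, a moving branch ref, while the paragraph just above ties this page to Build V8.03.256.2025.06.02, so a reader of an older rendered README lands on whatever master holds at that moment. Consider linking to a tag or commit for the release, and define the repository base URL once in the Markdown-to-HTML step instead of repeating it in every link. Separately, the context lines show "Master Version: 8.02" beside a V8.03 build string and release badge, which looks like a stale value to correct in README.md.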
@@ -18,7 +18,7 @@
<p>Please note that <code>coresecret.dev</code> is included in the <a href="https://hstspreload.org/">(HSTS Preload List)</a> and always serves the headers:</p>
<pre class="nginx"><code>add_header Expect-CT &quot;max-age=86400, enforce&quot; always;
add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot; always;</code></pre>
<p>Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at <a href="/docs/AUDIT_DNSSEC.html">DNSSEC Audit Report</a></p>
<p>Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.html">DNSSEC Audit Report</a></p>
<h2 id="12-immutable-source-of-truth-system">1.2. Immutable Source-of-Truth System</h2>
<p>This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static source-code definitions. All configurations, system components, and installation routines are embedded during build time and locked for runtime immutability. This ensures that the live environment functions as a trusted <strong>Source of Truth</strong> — not only for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br></p>
<p>Once booted, the environment optionally launches a fully scripted installer, via the forthcoming <code>CISS.debian.installer</code>, yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully secured provisioning. Combined with checksum verification, <strong>activated by default</strong>, at boot and strict firewall defaults, this architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br></p>
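Review bot: The DNSSEC audit link now resolves to the head of master, so the "current DNSSEC status" the sentence promises is whichever report was committed last, with no date or commit visible to the reader; link a tagged or dated report, or put the report date in the link text. While this paragraph is being touched, the `Expect-CT` header shown in the context lines is deprecated and ignored by current browsers, so listing it next to HSTS adds nothing and it could be dropped from the text.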
@@ -26,12 +26,12 @@ add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains;
<p>This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in source-defined infrastructure logic.<br></p>
<p>After build and configuration, the following audit reports can be generated:</p>
<ul>
<li><strong>Haveged Audit Report</strong>: Validates entropy daemon health and confirms '/dev/random' seeding performance. Type <code>chkhvg</code> at the prompt. See example report: <a href="/docs/AUDIT_HAVEGED.html">Haveged Audit Report</a></li>
<li><strong>Lynis Audit Report</strong>: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. Type <code>lsadt</code> at the prompt. See example report: <a href="/docs/AUDIT_LYNIS.html">Lynis Audit Report</a></li>
<li><strong>SSH Audit Report</strong>: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. Type <code>ssh-audit &lt;IP&gt;:&lt;PORT&gt;</code>. See example report: <a href="/docs/AUDIT_SSH.html">SSH Audit Report</a></li>
<li><strong>Haveged Audit Report</strong>: Validates entropy daemon health and confirms '/dev/random' seeding performance. Type <code>chkhvg</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.html">Haveged Audit Report</a></li>
<li><strong>Lynis Audit Report</strong>: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. Type <code>lsadt</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.html">Lynis Audit Report</a></li>
<li><strong>SSH Audit Report</strong>: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. Type <code>ssh-audit &lt;IP&gt;:&lt;PORT&gt;</code>. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.html">SSH Audit Report</a></li>
</ul>
<h2 id="12-preview">1.2. Preview</h2>
<p><img src="/docs/screenshots/CISS.debian.live.builder_preview.jpeg" alt="CISS.debian.live.builder" /></p>
<p><img src="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/screenshots/CISS.debian.live.builder_preview.jpeg" alt="CISS.debian.live.builder" /></p>
<h2 id="13-caution-significant-information-for-those-considering-using-d-i">1.3. Caution. Significant information for those considering using D-I.</h2>
<p><strong>The Debian Installer (d-i) will ALWAYS boot a new system.</strong><br></p>
<p>Regardless of whether you start it:</p>
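Review bot: The `<img src>` under the Preview heading now points at `/src/branch/master/docs/screenshots/CISS.debian.live.builder_preview.jpeg`, which on Gitea is the HTML file-view page rather than the image bytes, so the preview will likely not render; use the `/raw/branch/master/` form for the image. The three audit report links use the same `/src/` form and will open the file viewer instead of the rendered report, which is worth confirming as intended. Also, "1.2. Preview" reuses the number of "1.2. Immutable Source-of-Truth System" while the next heading is 1.3, so the section numbering needs a pass in README.md.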