diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index 81ca51c..8b2a19d 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index acb4f23..4e37df6 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index d89cf3b..28fadf0 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 553da30..5934ffc 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V9.14.020.2026.06.08" + placeholder: "e.g., Master V9.14.022.2026.06.10" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index 77d84be..f8c8acc 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 5e8c4bb..353e1d9 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 🔁 Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index a458c93..b302771 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.020.2026.06.08 + version: V9.14.022.2026.06.10 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index 9e3d4bb..7129dc2 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.020.2026.06.08 + version: V9.14.022.2026.06.10 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 9e3d4bb..7129dc2 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.020.2026.06.08 + version: V9.14.022.2026.06.10 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index 17ae7d7..d979328 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index fe9d250..d0d9553 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 2c2edd7..16e233d 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 77079b3..007a9bb 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index e278613..66ea77e 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 🛡️ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index fff0f67..384c1e1 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 name: 🔁 Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index 0e151c3..7052b61 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 " properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V9.14.020.2026.06.08" +properties_version="V9.14.022.2026.06.10" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 87cd1ea..9785f65 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V9.14.020.2026.06.08 +PackageVersion: Master V9.14.022.2026.06.10 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder 
diff --git a/README.md b/README.md index 7c8a51b..6b87f79 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.020.2026.06.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.** @@ -175,7 +175,7 @@ installer toolchain. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V9.14.020.2026.06.08` +Example: `V9.14.022.2026.06.10` `x.y.z` represents major (x), minor (y), and patch (z) version increments. @@ -365,6 +365,10 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis ## 2.9. UFW Hardening * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports. +* **Primordial SSH exception**: `--primordial-ssh ` adds an outgoing-only UFW TCP exception for a bootstrap/recovery SSH + port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall rule and does not replace + `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current hook still emits the + requested labelled rule because this repository has no separate UFW rule deduplication layer. * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after deployment. @@ -520,6 +524,7 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e --signing_key_pass=signing_key_pass.txt \ --signing_key=signing_key.asc \ --ssh-port 4242 \ + --primordial-ssh 2222 \ --ssh-pubkey /dev/shm/cdlb_secrets \ --sshfp \ --trixie @@ -569,6 +574,7 @@ preview it or run it. SSH_PUBKEY=/dev/shm/cdlb_secrets # Optional + PRIMORDIAL_SSH_PORT=2222 PROVIDER_NETCUP_IPV6=2001:cdb::1 # comma-separated; IPv6 in [] is fine JUMP_HOSTS=[2001:db8::1],[2001:db8::2] diff --git a/REPOSITORY.md b/REPOSITORY.md index f5592fc..a964008 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **9.14**, Build **V9.14.020.2026.06.08** (as of 2025-10-11) +**Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11) ## 3.1. Top-Level Layout diff --git a/ciss.secureboot/private/README.md b/ciss.secureboot/private/README.md index b70dda7..0814a5b 100644 --- a/ciss.secureboot/private/README.md +++ b/ciss.secureboot/private/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. CISS Secure Boot Private Material diff --git a/ciss.secureboot/public/README.md b/ciss.secureboot/public/README.md index 76a3205..b8338b2 100644 --- a/ciss.secureboot/public/README.md +++ b/ciss.secureboot/public/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. CISS Secure Boot Public Material diff --git a/config.mk.sample b/config.mk.sample index 4f4ba66..3875af3 100644 --- a/config.mk.sample +++ b/config.mk.sample @@ -15,6 +15,8 @@ BUILD_DIR ?= DROPBEAR_VERSION ?= ### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh: SOPS_VERSION ?= +### Optional outgoing bootstrap/recovery SSH port; empty disables the extra UFW rule: +PRIMORDIAL_SSH_PORT ?= PROVIDER_NETCUP_IPV6 ?= ROOT_PASSWORD_FILE ?= ### Secure Boot profile; debian-shim or ciss-uki: diff --git a/config/hooks/live/0900_ufw_setup.chroot b/config/hooks/live/0900_ufw_setup.chroot index 3612928..71c1038 100644 --- a/config/hooks/live/0900_ufw_setup.chroot +++ b/config/hooks/live/0900_ufw_setup.chroot @@ -15,6 +15,7 @@ printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" declare -r UFW_OUT_POLICY="deny" declare -r SSHPORT="SSHPORT_MUST_BE_SET" +# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET ufw --force reset @@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny" ]]; then ufw allow out 853/tcp comment 'Outgoing DoT' ufw allow out 993/tcp comment 'Outgoing IMAPS' ufw allow out 4460/tcp comment 'Outgoing NTS' - ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)' + ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port' + # PRIMORDIAL_SSH_RULE_MUST_BE_SET ufw allow out 53/udp comment 'Outgoing DNS' ufw allow out 123/udp comment 'Outgoing NTP' ufw allow out 443/udp comment 'Outgoing QUIC' diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 7cc1b5f..1ac2fdf 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts 
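Review bot: The two marker lines `# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET` and `# PRIMORDIAL_SSH_RULE_MUST_BE_SET` in 0900_ufw_setup.chroot are plain comments, so if the build-time substitution that presumably fills them (the same way `SSHPORT_MUST_BE_SET` is filled) is skipped or mis-keyed, the hook still runs cleanly and the outgoing exception is silently absent, whereas a stale `SSHPORT_MUST_BE_SET` at least makes `ufw` fail loudly. Consider stating that contract next to each marker, e.g. `# Replaced at build time by the --primordial-ssh injection; stays a comment (no rule) when the option is unset.`, and having the injected rule guard against an empty or duplicate value, `[[ -n "${PRIMORDIAL_SSH_PORT:-}" && "${PRIMORDIAL_SSH_PORT}" != "${SSHPORT}" ]] && ufw allow out "${PRIMORDIAL_SSH_PORT}"/tcp comment 'Outgoing SSH Primordial-Port'`, since README.md in this same commit states the hook emits a second labelled rule rather than deduplicating against the existing outgoing SSH exception. The `if [[ ${UFW_OUT_POLICY,,} == "deny" ]]` block enclosing the second marker starts in the hunk header context and ends outside the hunk.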
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa 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 diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index ca01fca..d477fb3 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened index c73b2fd..9a61c99 100644 --- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened +++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened @@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.020.2026.06.08 +# Version Master V9.14.022.2026.06.10 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 13b3a89..5e92b87 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh 
@@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V9.14.020.2026.06.08" +declare -gr VERSION="Master V9.14.022.2026.06.10" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index fa891fc..ef85481 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V9.14.020.2026.06.08 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V9.14.022.2026.06.10 at: 10:18:37.9542 diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index 9a7df00..a8c843a 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 629c8bf..c3ba265 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 1f6682d..45cc361 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index fb6534a..3fa8b08 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 4e71cd8..b03f190 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 762a4f1..5348ccc 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index c691852..86c71d6 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,11 +8,16 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Changelog +## V9.14.022.2026.06.10 +* **Added**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Retrieve rdns for Primordial-Workflow™ +* **Added**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) SSH ufw out exception for Primordial-Workflow™ + ## V9.14.020.2026.06.08 +* **Added**: [bootscreen.txt](../bootscreen.txt) * **Changed**: ``sops 3.13.0`` to ``sops 3.13.1`` ## V9.14.018.2026.06.07 @@ -132,7 +137,7 @@ include_toc: true * **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling. * **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts. * **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys. -* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™. +* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet Primordial-Workflow™. * **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``. * **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'`` * **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity. 
@@ -186,10 +191,10 @@ include_toc: true * **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc) * **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git * **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot. -* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™. -* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™. -* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™. -* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™. +* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet Primordial-Workflow™. +* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet Primordial-Workflow™. +* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet Primordial-Workflow™. +* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet Primordial-Workflow™. * **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot. * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}" * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}" 
@@ -197,11 +202,11 @@ include_toc: true * **Changed**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) Rewritten for new secrets handling. * **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + VAR_DATE improvements. * **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + VAR_DATE improvements. -* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet primordial-workflow™. +* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet Primordial-Workflow™. * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + Final update-initramfs * **Changed**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + Less strict MaxStartups settings. * **Changed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux -* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet primordial-workflow™. +* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet Primordial-Workflow™. * **Changed**: [lib_arg_priority_check.sh](../lib/lib_arg_priority_check.sh) Unified UI. * **Changed**: [lib_cdi.sh](../lib/lib_cdi.sh) + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures * **Changed**: [lib_change_splash.sh](../lib/lib_change_splash.sh) Unified UI. 
@@ -210,11 +215,11 @@ include_toc: true * **Changed**: [lib_check_kernel.sh](../lib/lib_check_kernel.sh) Minor declare unification. * **Changed**: [lib_check_pkgs.sh](../lib/lib_check_pkgs.sh) Improved command checks. Unified UI. * **Changed**: [lib_check_provider.sh](../lib/lib_check_provider.sh) Unified variables. -* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet primordial-workflow™ artifacts. +* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet Primordial-Workflow™ artifacts. * **Changed**: [lib_debug.sh](../lib/lib_debug.sh) + Integrated EPOCH in PS4. * **Changed**: [lib_debug_header.sh](../lib/lib_debug_header.sh) + Integrated SOURCE_DATE_EPOCH. * **Changed**: [lib_hardening_root_pw.sh](../lib/lib_hardening_root_pw.sh) Unified UI. -* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet primordial-workflow™. +* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet Primordial-Workflow™. * **Changed**: [lib_hardening_ssh_tcp.sh](../lib/lib_hardening_ssh_tcp.sh) Unified UI. * **Changed**: [lib_lb_build_start.sh](../lib/lib_lb_build_start.sh) Deterministic return code examination. * **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Removed potential disown race condition. 
@@ -254,11 +259,11 @@ include_toc: true ## V8.13.290.2025.10.26 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) -* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet primordial-workflow™. +* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet Primordial-Workflow™. ## V8.13.288.2025.10.24 -* **Added**: Preparations for CISS and PhysNet primordial-workflow™. -* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot)Preparations for CISS and PhysNet primordial-workflow™. +* **Added**: Preparations for CISS and PhysNet Primordial-Workflow™. +* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot)Preparations for CISS and PhysNet Primordial-Workflow™. * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-* * **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection diff --git a/docs/CNET.md b/docs/CNET.md index cd672c7..5bd12f3 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 9a9c1ba..5965888 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Purpose diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index adf53e7..eff5266 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index c0f1ff2..e6b9d6c 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 7d9026e..69cb88b 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index fbcfe53..ba07909 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V9.14.020.2026.06.08 +Master V9.14.022.2026.06.10 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2026 @@ -98,6 +98,14 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only' the argument '--build-directory' MUST be provided. + --primordial-ssh + Adds one outgoing UFW TCP exception for a bootstrap/recovery SSH port. + Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'. + Effective only when the Live System's UFW outgoing policy is 'deny'. + Port MUST be a decimal integer between '1' and '65535'. + Example fragment: + ./ciss_live_builder.sh --ssh-port 42842 --primordial-ssh 2222 + --provider-netcup-ipv6 Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be encapsulated with [], e.g., [1234::abcd]. @@ -168,7 +176,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. 💷 Please consider donating to my work at: 🌐 https://coresecret.eu/spenden/ - V9.14.020.2026.06.08 2026-05-17 CDLB(1) + V9.14.022.2026.06.10 2026-05-17 CDLB(1) ```` # 3. Booting diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md index 8f04c48..31af2f2 100644 --- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md +++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation) diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md index c7c4811..5a1be57 100644 --- a/docs/MAN_SSH_Host_Key_Policy.md +++ b/docs/MAN_SSH_Host_Key_Policy.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index a917d03..dc112b6 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. Resources diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md index 0aa169f..225ecc2 100644 --- a/docs/documentation/30-ciss-hardening.conf.md +++ b/docs/documentation/30-ciss-hardening.conf.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. ``30-ciss-hardening.conf`` diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md index 0ac66cd..7f2dcf6 100644 --- a/docs/documentation/90-ciss-local.hardened.md +++ b/docs/documentation/90-ciss-local.hardened.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. ``90-ciss-local.hardened`` diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md index 15479ce..9aa0b46 100644 --- a/docs/documentation/ciss_live_builder.sh.md +++ b/docs/documentation/ciss_live_builder.sh.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.020.2026.06.08
+**Build**: V9.14.022.2026.06.10
# 2. ``ciss_live_builder.sh`` diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh index be6c5b7..bed97ff 100644 --- a/lib/lib_arg_parser.sh +++ b/lib/lib_arg_parser.sh @@ -38,6 +38,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" # VAR_ISO8601 # VAR_LUKS # VAR_LUKS_KEY +# VAR_PRIMORDIAL_SSH_PORT # VAR_REIONICE_CLASS # VAR_REIONICE_PRIORITY # VAR_SIGNER @@ -287,6 +288,23 @@ arg_parser() { shift 1 ;; + --primordial-ssh) + if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then + + # shellcheck disable=SC2034 + declare -gix VAR_PRIMORDIAL_SSH_PORT="${2}" + shift 2 + + else + + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + printf "\e[91m❌ Error: --primordial-ssh MUST be an integer between '1' and '65535'.\e[0m\n" >&2 + read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR__SSH__PORT}" + + fi + ;; + --provider-netcup-ipv6) if [[ -n "${2-}" && "${2}" != -* ]]; then declare -i count=0 diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh index a21de7b..6b89183 100644 --- a/lib/lib_hardening_ultra.sh +++ b/lib/lib_hardening_ultra.sh @@ -13,13 +13,14 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" ####################################### -# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image. +# Module for following all 'CISS.debian.hardening' features into the Live ISO image. # Globals: # ARY_HANDLER_JUMPHOST # ARY_HANDLER_JUMPHOST_UNIQUE # BASH_SOURCE # VAR_ARCHITECTURE # VAR_HANDLER_BUILD_DIR +# VAR_PRIMORDIAL_SSH_PORT # VAR_SSHFP # VAR_SSHPORT # VAR_SSHPUBKEY 
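Review bot: The `--primordial-ssh` validation accepts leading zeros and then stores the value with `declare -gix`, so a value such as `0777` is read as octal and becomes port 511 (and `08` trips an arithmetic error inside `[[ … -ge 1 ]]`), while the regex's optional `-` serves no purpose because negative values fail `-ge 1` anyway; the documentation promises a "decimal integer". Forcing base 10 closes both gaps: `if [[ -n "${2-}" && "${2}" =~ ^[0-9]+$ && 10#${2} -ge 1 && 10#${2} -le 65535 ]]; then` and `declare -gix VAR_PRIMORDIAL_SSH_PORT="$((10#${2}))"`. In the error branch, `read -p -r $'…'` as written hands `-r` to `-p` as the prompt string and the prompt text becomes the variable name, so the `read` presumably fails before the intended `exit "${ERR__SSH__PORT}"`; `read -r -p $'…'` looks like the intended form, and if neighbouring options (outside this hunk) share the pattern they should be fixed together. A short comment above the test, `# Base-10 only: a leading zero would otherwise be interpreted as octal by declare -i.`, would keep the next maintainer from removing the `10#` prefix.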
@@ -196,12 +197,26 @@ hardening_ultra() { sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot" ### /config/hooks/live/0900_ufw_setup.chroot - sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + declare ufw_file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${ufw_file}" + + declare primordial_ssh_port="${VAR_PRIMORDIAL_SSH_PORT:-}" + if [[ -n "${primordial_ssh_port}" ]]; then + + sed -i "s|^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$|declare -r PRIMORDIAL_SSH_PORT=\"${primordial_ssh_port}\"|" "${ufw_file}" + sed -i "s|^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$| ufw allow out \"\${PRIMORDIAL_SSH_PORT}\"/tcp comment 'Outgoing Primordial SSH'|" "${ufw_file}" + + else + + sed -i '/^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$/d' "${ufw_file}" + sed -i '/^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$/d' "${ufw_file}" + + fi ### /config/hooks/live/0900_ufw_setup.chroot if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then - declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + declare file="${ufw_file}" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" @@ -251,7 +266,7 @@ hardening_ultra() { ### ./config/hooks/live/9950_hardening_fail2ban.chroot ----------------------------------------------------------------------- if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then - printf "\e[95m🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n" + printf "\e[95m🧪 Updating fail2ban Jump-hosts IPs ... \e[0m\n" # Join array entries with spaces, preserving any newlines declare ips="${ARY_HANDLER_JUMPHOST[*]}" 
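Review bot: The two `sed -i` substitutions that inject the primordial port into `0900_ufw_setup.chroot` never check that the `PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET` / `PRIMORDIAL_SSH_RULE_MUST_BE_SET` markers were actually present, so a drifted or renamed template produces a build whose ISO silently lacks the outgoing exception while the builder reports success; a firewall rule that is supposed to exist but does not is exactly the kind of failure that should abort the build. A guard before the substitutions would make this loud: `grep -q '^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$' "${ufw_file}" || { printf "\e[91m❌ Error: PRIMORDIAL_SSH placeholder missing in %s.\e[0m\n" "${ufw_file}" >&2; exit "${ERR__SSH__PORT}"; }` (same for the rule marker), and the `else` branch's `/d` deletions could be left as they are. It is also worth a one-line comment that `${primordial_ssh_port}` is safe to interpolate into the sed replacement only because `arg_parser` restricts it to digits (see the `lib_arg_parser.sh` hunk in this commit), e.g. `# Value is digits-only (validated by --primordial-ssh), so no sed metacharacters can reach the replacement.`. `hardening_ultra()` starts and ends outside this hunk.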
@@ -265,7 +280,7 @@ hardening_ultra() { # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot" - printf "\e[92m✅ Updating fail2ban Jumphosts IPs done. \e[0m\n" + printf "\e[92m✅ Updating fail2ban Jump-hosts IPs done. \e[0m\n" else diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh index 5eda14f..105ef4e 100644 --- a/lib/lib_primordial.sh +++ b/lib/lib_primordial.sh @@ -90,7 +90,7 @@ init_primordial() { fi - ### Check for SSH CISS and PhysNet primordial-workflow(tm) integration ------------------------------------------------------- + ### Check for SSH CISS and PhysNet Primordial-Workflow™ integration ------------------------------------------------------- if [[ "${VAR_SSHFP,,}" == "true" ]]; then install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index 260a79d..3cdd26c 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -39,13 +39,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V9.14.020.2026.06.08 2026-06-08 CDLB(1)" "${var_cols}") + declare var_footer=$(center "V9.14.022.2026.06.10 2026-06-10 CDLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V9.14.020.2026.06.08\e[0m" + echo -e "\e[92mMaster V9.14.022.2026.06.10\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m" 
@@ -120,6 +120,12 @@ usage() { echo " Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'" echo " the argument '--build-directory' MUST be provided." echo + echo -e "\e[97m --primordial-ssh \e[0m" + echo " Adds one outgoing UFW TCP exception for a bootstrap SSH port." + echo " Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'." + echo " Effective only when the Live System's UFW outgoing policy is 'deny'." + echo " Port MUST be a decimal integer between '1' and '65535'." + echo echo -e "\e[97m --provider-netcup-ipv6 \e[0m" echo " Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be" echo " encapsulated with [], e.g., [1234::abcd]." diff --git a/makefile b/makefile index e8884ea..1ecda49 100644 --- a/makefile +++ b/makefile @@ -25,7 +25,7 @@ TIMESTAMP ?= $(shell date -u +%Y-%m-%dT%H-%M-%S) ### Core parameters (safe defaults; override in config.mk, rename config.mk.sample to config.mk and apply the remaining values): ARCH ?= amd64 -AUTOBUILD ?= 6.16.3+deb13-amd64 +AUTOBUILD ?= 7.0.10+deb13-amd64 CONTROL ?= $(TIMESTAMP) DROPBEAR_VERSION ?= 2026.91 SOPS_VERSION ?= 3.13.1 @@ -63,6 +63,7 @@ define COMPOSE_AND [[ -n '$(FLAG_DEBUG)' ]] && cmd+=( --debug ) [[ -n '$(FLAG_DHCP_CENTURION)' ]] && cmd+=( --dhcp-centurion ) [[ -n '$(FLAG_TRIXIE)' ]] && cmd+=( --trixie ) + [[ -n '$(PRIMORDIAL_SSH_PORT)' ]] && cmd+=( --primordial-ssh '$(PRIMORDIAL_SSH_PORT)' ) [[ -n '$(PROVIDER_NETCUP_IPV6)' ]] && cmd+=( --provider-netcup-ipv6 '$(PROVIDER_NETCUP_IPV6)' ) [[ -n '$(RENICE)' ]] && cmd+=( --renice-priority '$(RENICE)' ) if [[ -n '$(REIONICE_CLASS)' && -n '$(REIONICE_PRIO)' ]]; then diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh index 89dddb1..280f23f 100644 --- a/scripts/usr/local/sbin/9999_cdi_starter.sh +++ b/scripts/usr/local/sbin/9999_cdi_starter.sh 
@@ -13,6 +13,8 @@ set -Ceuo pipefail umask 0077 +declare -gx VAR_RDNS_DOMAIN="" # Forward-confirmed reverse DNS domain. +declare -gx VAR_RDNS_IPV4="" # IPv4 address used for RDNS verification. declare -grx VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear. declare -girx VAR_TIMEOUT=3600 # Semaphore timer in seconds. 
@@ -90,6 +92,238 @@ net_wait() { # shellcheck disable=SC2034 readonly -f net_wait +####################################### +# Validate an IPv4 address. +# Globals: +# None +# Arguments: +# $1: IPv4 address +# Returns: +# 0: valid IPv4 address +# 1: invalid IPv4 address +####################################### +is_ipv4() { + ### Declare Arrays, HashMaps, and Variables. + declare -r var_ip="${1:-}" + declare -a ary_octets=() + declare var_octet="" + + [[ "${var_ip}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1 + + IFS='.' read -r -a ary_octets <<< "${var_ip}" + + for var_octet in "${ary_octets[@]}"; do + + if ! ((10#${var_octet} <= 255)); then + + return 1 + + fi + + done + + return 0 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f is_ipv4 + +####################################### +# Validate a DNS domain name returned by RDNS. +# Globals: +# None +# Arguments: +# $1: domain name +# Returns: +# 0: valid domain name +# 1: invalid domain name +####################################### +is_dns_name() { + ### Declare Arrays, HashMaps, and Variables. + declare -r var_name="${1:-}" + + [[ "${#var_name}" -le 253 ]] || return 1 + [[ "${var_name}" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$ ]] \ + || return 1 + + return 0 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f is_dns_name + +####################################### +# Retrieve and forward-confirm reverse DNS for the active IPv4 route. +# Globals: +# VAR_RDNS_DOMAIN +# VAR_RDNS_IPV4 +# Arguments: +# $1: module log file +# Returns: +# 0: on confirmed RDNS +# 1: on missing or unconfirmed RDNS +####################################### +# retrieve_rdns() intentionally probes optional resolver tools and validation helpers inside conditionals. +# shellcheck disable=SC2310,SC2312 +retrieve_rdns() { + ### Declare Arrays, HashMaps, and Variables. 
+ declare -r var_log="${1:-}" + declare -a ary_a=() + declare -a ary_rdns=() + declare -a ary_targets=() + declare var_a="" var_ipv4="" var_rdns="" var_target="" + + VAR_RDNS_DOMAIN="" + VAR_RDNS_IPV4="" + + mapfile -t ary_targets < <( + getent ahostsv4 git.coresecret.dev 2>/dev/null \ + | awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]/ && !seen[$1]++ { print $1 }' + ) + ary_targets+=( "1.1.1.1" "9.9.9.9" "8.8.8.8" ) + + if command -v ip >/dev/null 2>&1; then + + for var_target in "${ary_targets[@]}"; do + + if var_ipv4="$( + ip -o -4 route get "${var_target}" 2>/dev/null \ + | awk '{ for (i = 1; i <= NF; i++) { if ($i == "src") { print $(i + 1); exit } } }' + )" && is_ipv4 "${var_ipv4}"; then + + break + + fi + + var_ipv4="" + + done + + if [[ -z "${var_ipv4}" ]]; then + + mapfile -t ary_targets < <( + ip -o -4 addr show scope global up 2>/dev/null \ + | awk '{ split($4, addr, "/"); if (!seen[addr[1]]++) { print addr[1] } }' + ) + + for var_target in "${ary_targets[@]}"; do + + if is_ipv4 "${var_target}"; then + + var_ipv4="${var_target}" + break + + fi + + done + + fi + + fi + + if [[ -z "${var_ipv4}" ]]; then + + logger -t cdi-watcher "retrieve_rdns(): no active IPv4 address found; continuing without RDNS." 
+ printf "Command: [retrieve_rdns] no active IPv4 address found; continuing without RDNS.\n" >> "${var_log}" + return 1 + + fi + + if command -v dig >/dev/null 2>&1; then + + mapfile -t ary_rdns < <( + dig +time=3 +tries=1 +short -x "${var_ipv4}" 2>/dev/null \ + | sed 's/[.]$//' \ + | awk 'NF && !seen[$0]++ { print $0 }' + ) + + fi + + if ((${#ary_rdns[@]} == 0)) && command -v host >/dev/null 2>&1; then + + mapfile -t ary_rdns < <( + host "${var_ipv4}" 2>/dev/null \ + | awk '/domain name pointer/ { sub(/[.]$/, "", $NF); if (!seen[$NF]++) { print $NF } }' + ) + + fi + + if ((${#ary_rdns[@]} == 0)); then + + mapfile -t ary_rdns < <( + getent hosts "${var_ipv4}" 2>/dev/null \ + | awk '{ for (i = 2; i <= NF; i++) { sub(/[.]$/, "", $i); if (!seen[$i]++) { print $i } } }' + ) + + fi + + for var_rdns in "${ary_rdns[@]}"; do + + var_rdns="${var_rdns%.}" + var_rdns="${var_rdns,,}" + + if ! is_dns_name "${var_rdns}"; then + + continue + + fi + + ary_a=() + + if command -v dig >/dev/null 2>&1; then + + mapfile -t ary_a < <( + dig +time=3 +tries=1 +short A "${var_rdns}" 2>/dev/null \ + | awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/ && !seen[$0]++ { print $0 }' + ) + + fi + + if ((${#ary_a[@]} == 0)) && command -v host >/dev/null 2>&1; then + + mapfile -t ary_a < <( + host -t A "${var_rdns}" 2>/dev/null \ + | awk '/ has address / && !seen[$NF]++ { print $NF }' + ) + + fi + + if ((${#ary_a[@]} == 0)); then + + mapfile -t ary_a < <( + getent ahostsv4 "${var_rdns}" 2>/dev/null \ + | awk '!seen[$1]++ { print $1 }' + ) + + fi + + for var_a in "${ary_a[@]}"; do + + if is_ipv4 "${var_a}" && [[ "${var_a}" == "${var_ipv4}" ]]; then + + VAR_RDNS_IPV4="${var_ipv4}" + VAR_RDNS_DOMAIN="${var_rdns}" + logger -t cdi-watcher "retrieve_rdns(): confirmed IPv4 ${VAR_RDNS_IPV4} RDNS ${VAR_RDNS_DOMAIN}." 
+ printf "Command: [retrieve_rdns] confirmed IPv4 [%s] RDNS [%s].\n" \ + "${VAR_RDNS_IPV4}" "${VAR_RDNS_DOMAIN}" >> "${var_log}" + return 0 + + fi + + done + + done + + logger -t cdi-watcher "retrieve_rdns(): no forward-confirmed RDNS for IPv4 ${var_ipv4}; continuing without RDNS." + printf "Command: [retrieve_rdns] no forward-confirmed RDNS for IPv4 [%s]; continuing without RDNS.\n" \ + "${var_ipv4}" >> "${var_log}" + + return 1 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f retrieve_rdns + ####################################### # Wrapper for loading CISS hardened Kernel Parameters. # Globals: @@ -130,7 +364,7 @@ main() { touch "${var_log}" - printf "CISS.debian.installer Master V9.14.020.2026.06.08 is up! \n" >> "${var_log}" + printf "CISS.debian.live.builder V9.14.022.2026.06.10 calling CISS.debian.installer ... \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -153,6 +387,12 @@ main() { fi printf "Command: [net_wait] executed.\n" >> "${var_log}" + ### Retrieve forward-confirmed reverse DNS. + printf "Command: [retrieve_rdns] to be executed ... \n" >> "${var_log}" + # shellcheck disable=SC2310 + retrieve_rdns "${var_log}" || true + printf "Command: [retrieve_rdns] executed.\n" >> "${var_log}" + ### apt update. if ! apt-get update >> "${var_log}"; then @@ -209,7 +449,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.installer Master V9.14.020.2026.06.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.live.builder V9.14.022.2026.06.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } diff --git a/var/early.var.sh b/var/early.var.sh index 89abad9..4cabdf6 100644 --- a/var/early.var.sh +++ b/var/early.var.sh 
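Review bot: `retrieve_rdns()` reports the name as "confirmed" once PTR and A agree, but nothing in the lookups authenticates the answer: `dig`/`host`/`getent` go through the stock resolver with no DNSSEC validation visible, and the reverse zone for the address is controlled by whoever owns the address block (or an on-path party answering for it), who can satisfy forward confirmation with any name they also control, so `VAR_RDNS_DOMAIN` must not be used for trust decisions downstream; the header comment should say so, e.g. `# "Confirmed" means PTR and A agree, not that the name is authenticated: no DNSSEC validation, and the PTR zone belongs to the address owner. Treat VAR_RDNS_DOMAIN as untrusted input.`. The `getent ahostsv4 git.coresecret.dev` probe issues a real DNS query at every boot merely to pick a source address for `ip route get`, which itself sends no packets and is already covered by the literal `1.1.1.1`/`9.9.9.9`/`8.8.8.8` targets, so unless a restricted route to that host is intended the lookup could be dropped (`ary_targets=( "1.1.1.1" "9.9.9.9" "8.8.8.8" )`) to avoid an avoidable boot-time beacon. The `dig` calls are bounded by `+time=3 +tries=1`, but the `host` and `getent` fallbacks have no equivalent, so a black-holed resolver can presumably stall the CDI start sequence for the resolver's default retry budget; wrapping them in `timeout 5` would keep the function's best-effort contract. The input validation itself looks sound: `is_dns_name` rejects a leading `-` and whitespace, so a hostile PTR cannot smuggle options into the follow-up `dig`/`host` invocations.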
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" declare -grx VAR_HOST="$(uname -n)" declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_SYSTEM="$(uname -mnosv)" -declare -grx VAR_VERSION="Master V9.14.020.2026.06.08" +declare -grx VAR_VERSION="Master V9.14.022.2026.06.10" declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{ # Print $4 and $5; include $6 only if it exists out = $4 diff --git a/var/global.var.sh b/var/global.var.sh index f2a36e2..56a5f86 100644 --- a/var/global.var.sh +++ b/var/global.var.sh @@ -34,6 +34,7 @@ declare -g VAR_HANDLER_CDI="false" declare -g VAR_HANDLER_NETCUP_IPV6="false" declare -g VAR_HANDLER_SPLASH="" declare -g VAR_HASHED_PWD="" +declare -g VAR_PRIMORDIAL_SSH_PORT="" declare -g VAR_SCRIPT_SUCCESS="false" declare -g VAR_SOPS_VERSION="3.13.1" declare -g VAR_SSHFP="false"