V9.14.022.2026.06.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 17:57:31 +01:00
parent ae87d7ac54
commit 800cd175fc
55 changed files with 379 additions and 75 deletions
+9 -3
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.020.2026.06.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.020.2026.06.08<br>
**Build**: V9.14.022.2026.06.10<br>
**CISS.debian.live.builder — First of its own.**<br>
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V9.14.020.2026.06.08`
Example: `V9.14.022.2026.06.10`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -365,6 +365,10 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
## 2.9. UFW Hardening
* **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
* **Primordial SSH exception**: `--primordial-ssh <port>` adds an outgoing-only UFW TCP exception for a bootstrap/recovery SSH
port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall rule and does not replace
`--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current hook still emits the
requested labelled rule because this repository has no separate UFW rule deduplication layer.
* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
deployment.
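Review bot: the new primordial SSH bullet says the hook re-emits the labelled rule when the port already matches an existing outgoing SSH exception, but it does not say what the operator will actually observe; add that `ufw status` will then list two identical outgoing allow rules for that port, that this is harmless but not idempotent, or have the hook check for the existing rule before adding. It would also help to state under Rationale that `--primordial-ssh` is a deliberate single-port, outgoing-only exception to the `deny outgoing` default, so readers do not take it as a weakening of the default-deny posture.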
@@ -520,6 +524,7 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
--signing_key_pass=signing_key_pass.txt \
--signing_key=signing_key.asc \
--ssh-port 4242 \
--primordial-ssh 2222 \
--ssh-pubkey /dev/shm/cdlb_secrets \
--sshfp \
--trixie
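Review bot: the example now passes both `--ssh-port 4242` and `--primordial-ssh 2222` with nothing explaining why two different ports appear; since section 2.9 states the primordial port is outgoing-only and does not replace `--ssh-port`, a short comment beside `--primordial-ssh 2222 \` (for example `# outgoing-only bootstrap/recovery SSH exception`) would stop readers assuming it opens a second listening port.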
@@ -569,6 +574,7 @@ preview it or run it.
SSH_PUBKEY=/dev/shm/cdlb_secrets
# Optional
PRIMORDIAL_SSH_PORT=2222
PROVIDER_NETCUP_IPV6=2001:cdb::1
# comma-separated; IPv6 in [] is fine
JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
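Review bot: `PRIMORDIAL_SSH_PORT=2222` is added under `# Optional` without a comment, while the neighbouring entries carry one; state that it maps to `--primordial-ssh` and only has effect when the UFW outgoing policy is `deny`, so the env-file path matches the CLI documentation. On the adjacent context line, the sample `PROVIDER_NETCUP_IPV6=2001:cdb::1` is not in the `2001:db8::/32` documentation prefix used by the `JUMP_HOSTS` examples; worth aligning while this block is being touched.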