From 834ea8798e40536de5479706d9b61298f0c9b4badea6775a48d800747303210d Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Tue, 3 Jun 2025 00:24:36 +0200 Subject: [PATCH] V8.03.384.2025.06.03 Signed-off-by: Marc S. Weidner --- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .../t_generate_PRIVATE_iso_flavour_0.yaml | 2 +- .../t_generate_PRIVATE_iso_flavour_1.yaml | 2 +- .gitea/trigger/t_generate_PUBLIC.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 4 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 193 ++++++++++++++++++ .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 6 +- ciss_live_builder.sh | 2 +- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/99_local.hardened | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/CHANGELOG.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 4 +- docs/REFERENCES.md | 2 +- docs/graphiz/ciss.debian.live.builder.dot | 159 +++++++++++++++ lib/lib_check_provider.sh | 2 +- lib/lib_usage.sh | 2 +- scripts/9000-cdi-starter | 2 +- 32 files changed, 386 insertions(+), 34 deletions(-) create mode 100644 .gitea/workflows/render-dot-to-png.yaml create mode 100644 docs/graphiz/ciss.debian.live.builder.dot diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 09bc71f..f38c0ba 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml 
@@ -27,7 +27,7 @@ body:
 attributes:
 label: "Version"
 description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V8.03.256.2025.06.02"
+ placeholder: "e.g., Master V8.03.384.2025.06.03"
 validations:
 required: true
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 1011a59..0a55846 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.256.2025.06.02
+### Version Master V8.03.384.2025.06.03
 name: Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
index 08b363c..001d661 100644
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -11,5 +11,5 @@
 build:
 counter: 1023
- version: V8.03.256.2025.06.02
+ version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
index 08b363c..001d661 100644
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@
 build:
 counter: 1023
- version: V8.03.256.2025.06.02
+ version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index 08b363c..001d661 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
 counter: 1023
- version: V8.03.256.2025.06.02
+ version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 927c755..001d661 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
- counter: 1024
- version: V8.03.256.2025.06.02
+ counter: 1023
+ version: V8.03.384.2025.06.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 53b79f2..1ff67ea 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.256.2025.06.02
+### Version Master V8.03.384.2025.06.03
 name: Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
new file mode 100644
index 0000000..3eaaa6e
--- /dev/null
+++ b/.gitea/workflows/render-dot-to-png.yaml
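Review bot: The `counter` value in this hunk goes down from 1024 to 1023, which runs against the direction a build counter would normally move. The index line shows the file ending up as blob `001d661`, the same blob the three ISO trigger files end up with, so this looks like the DNS trigger being overwritten with the common template rather than a deliberate decrement. If `build.counter` is what tells the DNS trigger apart downstream, the added line should presumably keep `counter: 1024` (or advance it) and only the `version` line should change; worth confirming against whatever consumes these trigger files.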
@@ -0,0 +1,193 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024โ€“2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Version Master V8.03.384.2025.06.03 + +name: Render Graphviz Diagrams. + +permissions: + contents: write + +on: + push: + branches: + - master + paths: + - "**/*.gv" + - "**/*.dot" + +jobs: + build-graphiz-diagrams: + name: Render Graphviz Diagrams. + runs-on: ubuntu-latest + + steps: + - name: โš™๏ธ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. + shell: bash + run: | + set -euo pipefail + rm -rf ~/.ssh && mkdir -m700 ~/.ssh + + ### Private Key + echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + + ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts + ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts + chmod 600 ~/.ssh/known_hosts + + ### Generate SSH Config for git.coresecret.dev Custom-Port + cat <| ~/.ssh/config + Host git.coresecret.dev + HostName git.coresecret.dev + Port 42842 + IdentityFile ~/.ssh/id_ed25519 + StrictHostKeyChecking yes + UserKnownHostsFile ~/.ssh/known_hosts + EOF + chmod 600 ~/.ssh/config + + ### https://github.com/actions/checkout/issues/1843 + - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. + shell: bash + env: + ### GITHUB_REF_NAME contains the branch name from the push event. 
+ GITHUB_REF_NAME: ${{ github.ref_name }} + run: | + set -euo pipefail + git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . + git fetch --unshallow || echo "Nothing to fetch - already full clone." + + - name: ๐Ÿ› ๏ธ Cleaning the workspace. + shell: bash + run: | + set -euo pipefail + git reset --hard + git clean -fd + + - name: โš™๏ธ Importing the 'CI PGP DEPLOY ONLY' key. + shell: bash + run: | + set -euo pipefail + ### GPG-Home relative to the Runner Workspace to avoid changing global files. + export GNUPGHOME="$(pwd)/.gnupg" + mkdir -m 700 "${GNUPGHOME}" + echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc + gpg --batch --import ci-bot.sec.asc + ### Trust the key automatically + KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') + echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" + + - name: โš™๏ธ Configuring Git for signed CI/DEPLOY commits. + shell: bash + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + git config user.name "Marc S. Weidner BOT" + git config user.email "msw+bot@coresecret.dev" + git config commit.gpgsign true + git config gpg.program gpg + git config gpg.format openpgp + + - name: โš™๏ธ Convert APT sources to HTTPS. + shell: bash + run: | + set -euo pipefail + sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list + sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true + + - name: ๐Ÿ› ๏ธ Install Graphviz. + shell: bash + run: | + set -euo pipefail + sudo apt-get update + sudo apt-get install -y graphviz + + - name: ๐Ÿ› ๏ธ Render all .dot / .gv to PNG. + shell: bash + run: | + set -euo pipefail + find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do + out="${file%.*}.png" + dot -Tpng "${file}" -o "${out}" + done + + - name: ๐Ÿ”„ Sync with remote before commit using merge strategy. 
+ shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + + echo "๐Ÿ”„ Fetching origin/master ..." + git fetch origin master + + echo "๐Ÿ” Merging origin/master into current branch ..." + git merge --no-edit origin/master || echo "โœ”๏ธ Already up to date or fast-forward." + + echo "๐Ÿ“‹ Post-merge status :" + git status + git log --oneline -n 5 + + - name: ๐Ÿ“ฆ Stage generated files. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + git add *.png || echo "โœ”๏ธ Nothing to add." + + - name: ๐Ÿ”‘ Commit and sign changes with CI metadata. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + export GNUPGHOME="$(pwd)/.gnupg" + + if git diff --cached --quiet; then + echo "โœ”๏ธ No staged changes to commit." + else + echo "๐Ÿ“ Committing changes with GPG signature ..." + + ### CI Metadata + TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" + HOSTNAME="$(hostname -f || hostname)" + GIT_SHA="$(git rev-parse --short HEAD)" + GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" + WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" + + COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci] + + ${CI_HEADER} + + Generated at: ${TIMESTAMP_UTC} + Runner Host : ${HOSTNAME} + Workflow ID : ${WORKFLOW_ID} + Git Commit : ${GIT_SHA} HEAD โ†’ ${GIT_REF} + " + + echo "๐Ÿ” Commit message :" + echo "${COMMIT_MSG}" + git commit -S -m "${COMMIT_MSG}" + fi + + - name: ๐Ÿ” Push back to repository. + shell: bash + env: + GIT_SSH_COMMAND: "ssh -p 42842" + run: | + set -euo pipefail + echo "๐Ÿ“ค Pushing changes to ${GITHUB_REF_NAME} ..." + git push origin HEAD:${GITHUB_REF_NAME} + # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.version.properties b/.version.properties index e357775..07c51f4 100644 --- a/.version.properties 
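Review bot: `StrictHostKeyChecking yes` in the generated `~/.ssh/config` enforces nothing in this workflow, because the `~/.ssh/known_hosts` it is checked against is written by `ssh-keyscan -p 42842 git.coresecret.dev` in the same step, so whichever host answers at run time is trusted and the deploy key is then used against it. Pin the server's host key instead, for example from a repository variable, with `echo "[git.coresecret.dev]:42842 <KEY_TYPE> <PINNED_HOST_KEY>" >| ~/.ssh/known_hosts` (both values are placeholders to fill from the real server) in place of the scan, keeping `ssh-keyscan` at most as a logged comparison. In the PGP step the secret stays on disk in `ci-bot.sec.asc` inside the checked-out tree for the rest of the job and `KEY_ID` is assigned but never read; piping the secret straight into `gpg --batch --import` and dropping the unused variable removes both. In the commit step `WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"` falls back to the name of the other workflow and the subject line repeats `DEPLOY BOT: DEPLOY BOT:`, both presumably carried over from render-md-to-html.yaml. `git add *.png` at the repository root only reaches `docs/graphiz/*.png` when the shell glob matches nothing and git receives the literal pattern, so spell it `git add -- '*.png'`, and the render loop should read paths with `while IFS= read -r file` so a backslash or leading blank in a path is not mangled.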
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.256.2025.06.02"
+properties_version="V8.03.384.2025.06.03"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
\ No newline at end of file
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index cdc3fee..5dddb0e 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.256.2025.06.02
+PackageVersion: Master V8.03.384.2025.06.03
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index 9705751..a4600e7 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.256.2025.06.02-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.384.2025.06.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -141,7 +141,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `8.03.256.2025.06.02` +Example: `8.03.384.2025.06.03` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index 6806b39..5bc27da 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -40,7 +40,7 @@ declare -g VAR_HANDLER_AUTOBUILD="false" declare -gr VAR_CONTACT="security@coresecret.eu" -declare -gr VAR_VERSION="Master V8.03.256.2025.06.02" +declare -gr VAR_VERSION="Master V8.03.384.2025.06.03" ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING declare arg diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index df088a8..add85f9 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.03.256.2025.06.02 +### Version Master V8.03.384.2025.06.03 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index f8e3b55..a5c4658 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened 
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.256.2025.06.02
+### Version Master V8.03.384.2025.06.03
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index cc77e93..a3dd9b9 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.03.256.2025.06.02"
+declare -gr VERSION="Master V8.03.384.2025.06.03"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index cc4be8d..e14fefa 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.256.2025.06.02 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.384.2025.06.03 at: 10:18:37.9542
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 15ef787..c04ca2b 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index cb1174c..4ce6343 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 7ebde3d..2433c36 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index ff1f30b..f501599 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 77f44a5..86e187e 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. TLS Audit: diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index e1bb360..ef9a2f0 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Changelog diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 6a650bc..573872d 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 0b14743..893f542 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Contributors diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 734ffb4..684a71f 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 4b37bc9..187e659 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 2229b31..11017b1 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,12 +8,12 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Usage ````text CISS.debian.live.builder -Master V8.03.256.2025.06.02 +Master V8.03.384.2025.06.03 (c) Marc S. Weidner, 2018 - 2025 (p) Centurion Press, 2024 - 2025 diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index f5f1c07..176d7c1 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.03
-**Build**: V8.03.256.2025.06.02
+**Build**: V8.03.384.2025.06.03
# 2. Resources diff --git a/docs/graphiz/ciss.debian.live.builder.dot b/docs/graphiz/ciss.debian.live.builder.dot new file mode 100644 index 0000000..aea4997 --- /dev/null +++ b/docs/graphiz/ciss.debian.live.builder.dot 
@@ -0,0 +1,159 @@ +digraph CISS_debian_live_builder { + // ----------------------------- + // General settings + // ----------------------------- + graph [ + fontsize=10, + splines=ortho, + rankdir=LR, + nodesep=0.6, + ranksep=0.8 + ]; + + node [fontname="Helvetica"]; + + // ----------------------------- + // KNOTS: All hosts and auxiliary anchors + // ----------------------------- + + // Internet (links) + InternetLeft [shape=oval, style=filled, fillcolor=lightblue, label="Internet"]; + + // Jump Host + Jump_Host [shape=diamond, style=filled, fillcolor=green, label="Jump Host"]; + + // Hidden-Master + Hidden_Master [shape=cylinder, style=filled, fillcolor=lavender, label="Hidden-Master"]; + + // Nameserver (Basis-Datenbankzylinder, hellgelb) + ns00 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns00.eddns.eu"]; + ns01 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns01.eddns.eu"]; + ns02 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns02.eddns.de"]; + ns03 [shape=cylinder, style=filled, fillcolor=lightyellow, label="ns03.eddns.de"]; + + // Hilfsanker fรผr cluster_ns (unsichtbar, damit Kanten sauber aus dem Rechteck herausgefรผhrt werden) + ns_anchor [shape=point, style=invis, width=0]; + + // B server (light red) + git [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="git.coresecret.dev"]; + lab [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="lab.coresecret.dev"]; + run [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="run.coresecret.dev"]; + + // Auxiliary anchor for cluster_B_small (invisible) + b_small_anchor [shape=point, style=invis, width=0]; + // Auxiliary anchor for cluster_B_big (invisible) + b_big_anchor [shape=point, style=invis, width=0]; + + // Database โ€œcloud.e2ee.liโ€ (light red) + cloud [shape=cylinder, style=filled, fillcolor="#FFCCCC", label="cloud.e2ee.li"]; + // Auxiliary anchor for cluster_cloud (invisible) + cloud_anchor [shape=point, style=invis, width=0]; + + // 
Internet (right, for TLS/HTTPS) + InternetTLS [shape=oval, style=filled, fillcolor=lightblue, label="TLS/HTTPS"]; + // Auxiliary anchor for cluster_tls_group (invisible) + tls_anchor [shape=point, style=invis, width=0]; + + + // ----------------------------- + // CLUSTER: Entire system (everything except the two Internet clouds) + // ----------------------------- + subgraph cluster_overall { + label="SSH-Pub-Key, 2FA, No-Root-Login, aes256-gcm@openssh.com, (No ChaCha), only"; + style=solid; + color=red; + + // ----- Cluster: Name server group ----- + subgraph cluster_ns { + label=""; + style=dashed; + color=red; + ns00; + ns01; + ns02; + ns03; + ns_anchor; + } + + // ----- Cluster: Hidden-Master ----- + subgraph cluster_hm { + label=""; + style=dashed; + color=red; + Hidden_Master; + } + + // ----- Cluster: TLS/HTTPS group (contains B-Server, cloud, and the TLS cloud) ----- + subgraph cluster_tls_group { + // The red dotted rectangle around B-Cluster, cloud, and the TLS cloud + label="ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256\n\ + ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256\n\ + TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256\n\ + TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256"; + style=dashed; + color=red; + + // ----- Cluster: Outer rectangle around all B nodes (lab + small rectangle) ----- + subgraph cluster_B_big { + label=""; + style=dashed; + color=red; + + // Direct node lab + lab; + // Invisible anchor pointed to by DNSSEC arrows + b_big_anchor; + + // ---- Cluster: B a) and c) (small rectangle around git and run) ---- + subgraph cluster_B_small { + label=""; + style=dashed; + color=red; + git; + run; + b_small_anchor; + } + } + + // ----- Cluster: "cloud.e2ee.li" ----- + subgraph cluster_cloud { + label="HA: LVM on RAID6 on dm-crypt incl. 
dm-integrity"; + style=dashed; + color=red; + cloud; + cloud_anchor; + } + + // ----- Node: TLS-Internet-Cloud ----- + InternetTLS; + tls_anchor; + } + } + + + // ----------------------------- + // EDGES + // ----------------------------- + + // Internet (left) โ†’ Jump Host + InternetLeft -> Jump_Host [color=green]; + + // Jump Host โ†’ Hidden-Master + Jump_Host -> Hidden_Master [color=green]; + + // Hidden master โ†’ Name server (green with label โ€œHMAC SHA512โ€) + Hidden_Master -> ns00 [color=green, label="HMAC SHA512"]; + Hidden_Master -> ns01 [color=green, label="HMAC SHA512"]; + Hidden_Master -> ns02 [color=green, label="HMAC SHA512"]; + Hidden_Master -> ns03 [color=green, label="HMAC SHA512"]; + + // Red arrow โ€œDNSSECโ€: from cluster nameserver (ns_anchor) โ†’ B cluster (b_big_anchor) + ns_anchor -> b_big_anchor [color=red, label="DNSSEC"]; + + // Red arrow โ€œDNSSECโ€: from cluster nameserver (ns_anchor) โ†’ cloud cluster (cloud_anchor) + ns_anchor -> cloud_anchor [color=red, label="DNSSEC"]; + + // Red arrows from TLS Internet โ†’ B-Cluster and cloud + InternetTLS -> b_big_anchor [color=red]; + InternetTLS -> cloud_anchor [color=red]; +} diff --git a/lib/lib_check_provider.sh b/lib/lib_check_provider.sh index 1a97071..513a3c1 100644 --- a/lib/lib_check_provider.sh +++ b/lib/lib_check_provider.sh @@ -18,7 +18,7 @@ check_provider() { clear cat << 'EOF' >| "${VAR_NOTES}" -Build: Master V8.03.256.2025.06.02 +Build: Master V8.03.384.2025.06.03 Press 'EXIT' to continue with CISS.debian.live.builder. diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index 880e2a8..e89da5b 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -22,7 +22,7 @@ usage() { cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.03.256.2025.06.02\e[0m") +$(echo -e "\e[92mMaster V8.03.384.2025.06.03\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m") 
diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter index 6c8f485..c8e73b0 100644 --- a/scripts/9000-cdi-starter +++ b/scripts/9000-cdi-starter @@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " # sleep 1 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log -printf "CISS.debian.installer Master V8.03.256.2025.06.02 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log +printf "CISS.debian.installer Master V8.03.384.2025.06.03 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh