V9.14.022.2026.06.11: document and test audit safeguards
@@ -60,12 +60,15 @@ and spoofing surfaces.
Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
line, is guarded by a `0700 root:root` secret root and single-link regular `0400` or `0600` root-owned files, and any symlink
inside the secret path is treated as a hard failure that aborts the run. Filename-only secret arguments reject slashes and
traversal.
Critical code paths temporarily disable Bash xtrace, and a final exact-value debug-log sanitisation pass provides additional
defence in depth. Transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed, but this is only a
best-effort cleanup on SSD, NVMe, copy-on-write, journaled, and virtualised storage. Use tmpfs for secrets and encrypted storage
for build workspaces. Destructive build cleanup is restricted to the exact canonical directory carrying the
`.ciss-live-builder-owned` marker. This private operator workflow still requires strict local path validation; it does not
define public ISO release policy.
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
* [CenturionDNS Resolver](https://eddns.eu/)
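Review bot: the rewritten paragraph drops three statements the old text made (GNUPG signing homes are wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and LUKS passphrases in the live ISO and installer travel through named pipes in the initramfs) without saying whether those behaviours changed or the sentences simply moved. If they still hold, keep them here or point to where they are now documented, because a reader of this section will otherwise assume they were removed. Also, "a final exact-value debug-log sanitisation pass" only catches verbatim occurrences of a secret; saying that encoded, truncated or split forms are outside its scope would match the candour of the `shred -fzu` caveat in the same paragraph.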
@@ -493,10 +496,14 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
2. Preparation:
1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
5. Make any other changes you need to.
2. Create the empty build directory with `install -d -m 0700 -o root -g root /opt/cdlb`.
3. Create the tmpfs secret root with `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
4. Place required secret files in the secret root as single-link regular, non-symlink, root-owned files with mode `0400`
or `0600`.
5. Place your desired SSH public key in `/dev/shm/cdlb_secrets/authorized_keys`.
6. Place your desired root password in `/dev/shm/cdlb_secrets/password.txt`.
7. Use filename-only values without slashes, `.` or `..` for `--key_age`, `--key_luks`, and signing-file arguments.
8. Make any other changes you need to.
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
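Review bot: step 4 states the attributes a secret file must have (single-link regular, non-symlink, root-owned, mode `0400` or `0600`), but steps 5 and 6 then only say "place" the files, so an operator who copies them in with `cp` ends up with whatever mode the umask gives and the file falls outside what the builder accepts. Consider giving the command that produces the right attributes in one go, for example `install -m 0400 -o root -g root ./authorized_keys /dev/shm/cdlb_secrets/authorized_keys`, and folding step 4 into steps 5 and 6. Also, steps 2 and 3 here are two separate `install -d` commands while the later Preparation section in this same patch collapses them into one line; pick one form for both places.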
@@ -538,6 +545,10 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
both the newer Sigstore bundle asset, and the legacy-split certificate/signature assets before checking the downloaded
SOPS binary with `sha256sum -c --ignore-missing`.
On the first run, the builder creates `.ciss-live-builder-owned` in a new or empty build directory whose canonical parent
already exists. A populated directory without that marker is rejected and is never adopted automatically. Cleanup remains
intentionally destructive inside the exact validated marker-owned directory.
4. Locate your ISO in the `--build-directory`.
5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
6. Type `sysp` for the final kernel hardening features.
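Review bot: the new marker paragraph says a populated directory without `.ciss-live-builder-owned` "is rejected and is never adopted automatically", but it does not tell the operator what to do in that case (empty the directory by hand, or point the builder at a fresh one) or whether creating the marker manually is a supported way of opting a directory in. Without that, the obvious workaround is to `touch` the marker into an arbitrary directory, which defeats the safeguard; state explicitly that the marker is written only by the builder and must not be created by hand. It would also help to say whether `--build-directory` may itself be a symlink, given that only the "canonical parent" is mentioned as being checked.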
@@ -559,7 +570,8 @@ preview it or run it.
2. Preparation:
1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
2. Create the empty build directory and tmpfs secret root with restrictive ownership and permissions:
`install -d -m 0700 -o root -g root /opt/cdlb /dev/shm/cdlb_secrets`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
5. Copy and edit the sample and set your options (no spaces around commas in lists):
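Review bot: steps 3 and 4 here still read "for example, in the `/dev/shm/cdlb_secrets` directory" and say nothing about ownership, mode or the no-symlink rule, while the first Preparation section in this same commit now requires exact paths and `0400`/`0600` root-owned regular files, so the two sections now disagree on what the builder accepts. Either mirror the updated wording here or replace the duplicated steps with a reference to the first section. Minor: "Password" in step 4 should be lower-case.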
@@ -656,10 +668,10 @@ The private directory is ignored by Git. The hooks fail if the CISS EFI image si
#...
- name: Preparing the build environment.
run: |
mkdir -p /opt/config
mkdir -p /opt/livebuild
echo "${{ secrets.CHANGE_ME }}" >| /opt/config/password.txt
echo "${{ secrets.CHANGE_ME }}" >| /opt/config/authorized_keys
install -d -m 0700 -o root -g root /opt/livebuild /dev/shm/cdlb_secrets
umask 0077
printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/password.txt
printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/authorized_keys
#...
- name: Starting CISS.debian.live.builder. This may take a while ...
run: |
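Review bot: the two new `printf '%s\n' "${{ secrets.CHANGE_ME }}" >| ...` lines still expand the secret into the script text before bash runs it, so a value containing a double quote, `$(`, or a newline is interpreted by the shell rather than written literally, and the raw secret is embedded in the generated run script. The usual fix is to map the secret through an `env:` block on the step (`ROOT_PASSWORD: ${{ secrets.CHANGE_ME }}`) and then write `printf '%s\n' "$ROOT_PASSWORD" >| /dev/shm/cdlb_secrets/password.txt`, which keeps the value out of the script body. Separately, `install -d -m 0700 -o root -g root ...` together with `umask 0077` assumes this step runs as root; that matches the README's "Ensure you are root" but is not the default on a hosted runner, so say so next to the step.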
@@ -672,9 +684,9 @@ The private directory is ignored by Git. The hooks fail if the CISS EFI image si
--build-directory /opt/livebuild \
--control "${timestamp}" \
--jump-host "${{ secrets.CHANGE_ME }}" \
--root-password-file /opt/config/password.txt \
--root-password-file /dev/shm/cdlb_secrets/password.txt \
--ssh-port CHANGE_ME \
--ssh-pubkey /opt/config
--ssh-pubkey /dev/shm/cdlb_secrets
#...
### SKIP OR CHANGE ALL REMAINING STEPS
```
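Review bot: `--root-password-file` now takes the file `/dev/shm/cdlb_secrets/password.txt` while `--ssh-pubkey` takes the directory `/dev/shm/cdlb_secrets`, and the Preparation steps name the key file `authorized_keys` inside that directory; the option description should state that `--ssh-pubkey` expects the directory holding `authorized_keys` (and whether that filename is fixed), otherwise a reader of the new text will pass the file path by analogy with the password option. On the unchanged `--jump-host "${{ secrets.CHANGE_ME }}"` line: the value is passed as a command-line argument, so it is visible in process listings regardless of the secret-file pipeline described earlier in the README; if it genuinely needs to stay secret, pass it through `env:` like the password, otherwise document it as a non-secret identifier.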