V9.14.022.2026.06.11: document and test audit safeguards
+13
-2
@@ -37,6 +37,10 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
|
||||
|
||||
--build-directory </path/to/build_directory>
|
||||
Where the Debian Live Build Image should be generated. RECOMMENDED path: </opt/cdlb>
|
||||
The path MUST be canonical and dedicated to the builder; a new directory's canonical parent MUST already exist.
|
||||
New or empty directories receive the
|
||||
'.ciss-live-builder-owned' marker; populated unmarked directories are rejected. Cleanup is intentionally destructive
|
||||
only inside the exact validated marker-owned directory.
|
||||
MUST be provided.
|
||||
|
||||
--change-splash <STRING> one of <club | hexagon>
|
||||
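Review bot: In the new '--build-directory' text, the '.ciss-live-builder-owned' marker is the only thing that authorises the "intentionally destructive" cleanup, but the help does not say what is validated about the marker itself (regular file, owner, not a symlink). Please state that here, and also say whether a non-canonical path is rejected outright or resolved first, since "MUST be canonical" leaves the failure behaviour open. The case of a populated directory that already carries the marker is also not described; one sentence saying it is reused and cleaned would close the gap.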
@@ -57,6 +61,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
|
||||
--debug, -d
|
||||
Enables debug logging for the main program routine. Detailed logging information are written to:
|
||||
</tmp/ciss_live_builder_1801049.log>
|
||||
A final exact-value sanitisation pass is defence in depth and does not replace careful tracing discipline.
|
||||
|
||||
--dhcp-centurion
|
||||
If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused
|
||||
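Review bot: The sentence added under '--debug', "A final exact-value sanitisation pass is defence in depth and does not replace careful tracing discipline.", never says what is sanitised or where. A reader of this option cannot tell from it that the pass applies to the debug log named just above, or what kind of values it removes. Suggest naming the object explicitly (for example, that known secret values are redacted from the debug log) and adding that exact-value matching does not catch a secret that appears in a transformed or encoded form, which is the reason the log should still be treated as sensitive.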
@@ -86,11 +91,13 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
|
||||
|
||||
--key_age=*
|
||||
The SOPS AGE private keyring for decryption operations. Change '*' to your desired SOPS AGE key file.
|
||||
'*' MUST be a filename only without slashes, '.' or '..' traversal.
|
||||
File MUST be placed in:
|
||||
</dev/shm/cdlb_secrets>
|
||||
|
||||
--key_luks=*
|
||||
The LUKS encryption / decryption passphrase for '/'-fs-encryption. Change '*' to your desired passphrase file.
|
||||
'*' MUST be a filename only without slashes, '.' or '..' traversal.
|
||||
File MUST be placed in:
|
||||
</dev/shm/cdlb_secrets>
|
||||
|
||||
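Review bot: The wording added to both '--key_age=*' and '--key_luks=*', "MUST be a filename only without slashes, '.' or '..' traversal", can be read as forbidding any '.' in the name, which would rule out an ordinary name with an extension. If the intent is a bare filename, say so directly: no '/' characters, and the value must not be '.' or '..'. The same rule is phrased differently in the signing options hunk ("MUST NOT contain slashes or traversal"); using one sentence for all filename-only options would make the rule easier to audit.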
@@ -140,7 +147,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
|
||||
--root-password-file </dev/shm/cdlb_secrets/password.txt>>
|
||||
Password file for 'root', if given, MUST be a string of 42 to 64 characters.
|
||||
If the argument is omitted, no further login authentication is required for the local console.
|
||||
MUST be placed in:
|
||||
Safe absolute paths remain supported and are validated separately. RECOMMENDED path:
|
||||
</dev/shm/cdlb_secrets/password.txt>
|
||||
|
||||
--secure-boot-profile <STRING> one of <debian-shim | ciss-uki>
|
||||
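Review bot: In '--root-password-file', replacing "MUST be placed in:" with "Safe absolute paths remain supported and are validated separately. RECOMMENDED path:" relaxes a MUST to a recommendation without defining "safe" or saying what "validated separately" checks. The Notes hunk in this same commit sets concrete requirements for '/dev/shm/cdlb_secrets' (tmpfs-backed, root-owned, mode 0700, file modes 0400 or 0600); this option should state which of those apply to a password file at another absolute path, or point to where the criteria are documented. The option line also ends in a doubled '>' ("password.txt>>"), which is worth fixing while this block is being touched.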
@@ -156,7 +163,8 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
|
||||
specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
|
||||
Specify the fingerprint of the key to use via '--signing_key_fpr=*'.
|
||||
Optionally import an offline GPG CA signing public key via: '--signing_ca=*'.
|
||||
Change '*' to your desired files / fingerprint. Files MUST be placed in:
|
||||
Change '*' to your desired filename-only files / fingerprint. Filename-only values MUST NOT contain slashes or traversal.
|
||||
Files MUST be placed in:
|
||||
</dev/shm/cdlb_secrets>
|
||||
|
||||
--sshfp
|
||||
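Review bot: The replacement line "Change '*' to your desired filename-only files / fingerprint." mixes two kinds of value: '--signing_key=*' and '--signing_ca=*' take filenames, while '--signing_key_fpr=*' takes a fingerprint, so "filename-only" cannot apply to all three. Suggest splitting it into one sentence for the file options (bare filename, no slashes, not '.' or '..') and one for the fingerprint that states the accepted format. "Slashes or traversal" should match the wording used for '--key_age=*' and '--key_luks=*' so that the options document the same rule.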
@@ -182,6 +190,9 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
|
||||
|
||||
💡 Notes:
|
||||
🔵 You MUST be 'root' to run this script.
|
||||
🔵 Private operator control does not remove the requirement for strict local secret path validation.
|
||||
🔵 '/dev/shm/cdlb_secrets' MUST be tmpfs-backed, root-owned, mode 0700, and contain only single-link regular non-symlink files
|
||||
with mode 0400 or 0600. Secure deletion with shred is best-effort only on modern storage.
|
||||
|
||||
💷 Please consider donating to my work at:
|
||||
🌐 https://coresecret.eu/spenden/
|
||||
|
||||
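Review bot: The new note on '/dev/shm/cdlb_secrets' lists its preconditions (tmpfs-backed, root-owned, mode 0700, single-link regular non-symlink files with mode 0400 or 0600) but does not say whether the script checks them and aborts, or whether the operator is expected to guarantee them. Please state the enforcement behaviour, because a MUST that is silently unchecked reads the same as one that is verified. The closing sentence about shred being "best-effort only on modern storage" sits directly after the tmpfs requirement without saying which storage it refers to; it is also worth noting that tmpfs pages can be written to swap when swap is enabled, so "tmpfs-backed" alone does not guarantee the secrets never reach disk. The line "Private operator control does not remove the requirement for strict local secret path validation." gives the user no action to take and could be merged into the requirement that follows it.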