From 97596fbcba2822d7cff843ca00736145347df0bf7419f2741228d1a72d67590e Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Thu, 11 Jun 2026 17:11:22 +0100 Subject: [PATCH] V9.14.024.2026.06.11 
Signed-off-by: Marc S. Weidner --- .../0030-ciss-verify-checksums | 81 +++++++- .archive/generate_PRIVATE_trixie_0.yaml | 2 +- .archive/generate_PRIVATE_trixie_1.yaml | 2 +- .archive/generate_PUBLIC_iso.yaml | 2 +- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/dockerfile | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .../trigger/t_generate_PRIVATE_trixie_0.yaml | 2 +- .gitea/trigger/t_generate_PUBLIC.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_0.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 64 +++--- REPOSITORY.md | 4 +- ciss.secureboot/private/README.md | 2 +- ciss.secureboot/public/README.md | 2 +- ciss_live_builder.sh | 53 +++-- .../live/zzzz_ciss_crypt_squash.hook.binary | 141 +++++++++++-- .../includes.chroot/etc/ssh/ssh_known_hosts | 2 +- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/90-ciss-local.hardened | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- .../lib/live/boot/0030-ciss-verify-checksums | 94 ++++++++- .../live/boot/0042_ciss_post_decrypt_attest | 193 ++++++++++++++++-- docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/BOOTPARAMS.md | 2 +- docs/CHANGELOG.md | 16 +- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 18 +- docs/MAN_CISS_ISO_BOOT_CHAIN.md | 32 +-- docs/MAN_SSH_Host_Key_Policy.md | 2 +- docs/REFERENCES.md | 2 +- docs/documentation/30-ciss-hardening.conf.md | 2 +- docs/documentation/90-ciss-local.hardened.md | 2 +- 
docs/documentation/ciss_live_builder.sh.md | 2 +- lib/lib_arg_parser.sh | 74 +++++-- lib/lib_check_secrets.sh | 8 +- lib/lib_ciss_upgrades_boot.sh | 4 +- lib/lib_clean_up.sh | 45 ++-- lib/lib_gnupg.sh | 8 +- lib/lib_hardening_ultra.sh | 1 + lib/lib_lb_config_start.sh | 8 +- lib/lib_primordial.sh | 14 ++ lib/lib_trap_on_exit.sh | 4 + lib/lib_usage.sh | 16 +- scripts/usr/local/sbin/9999_cdi_starter.sh | 4 +- var/early.var.sh | 2 +- var/global.var.sh | 3 + 63 files changed, 767 insertions(+), 200 deletions(-) rename {scripts/usr/lib/live/boot => .archive}/0030-ciss-verify-checksums (79%) diff --git a/scripts/usr/lib/live/boot/0030-ciss-verify-checksums b/.archive/0030-ciss-verify-checksums similarity index 79% rename from scripts/usr/lib/live/boot/0030-ciss-verify-checksums rename to .archive/0030-ciss-verify-checksums index 8bc8a80..9eb7723 100644 --- a/scripts/usr/lib/live/boot/0030-ciss-verify-checksums +++ b/.archive/0030-ciss-verify-checksums @@ -46,11 +46,26 @@ Verify_checksums() { LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" + _CHECKSUM_LOG_DIR="${LIVE_VERIFY_CHECKSUMS_LOG_DIR:-/run}" + _KEYFILE="" _MP="" + _MANIFEST_FOUND="false" + + _TOOL_FOUND="false" + + _VERIFICATION_EXECUTED="false" + + _VERIFICATION_SUCCEEDED="false" + + _RETURN_PGP="" + + _RETURN_SHA="" + ### Parse commandline arguments ---------------------------------------------------------------------------------------------- + # shellcheck disable=SC2154 for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do case "${_PARAMETER}" in @@ -107,6 +122,14 @@ Verify_checksums() { done + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ] && [ -z "${_KEYFILE}" ]; then + + printf "\e[91m[FATAL] No pinned GPG key file found while checksum signature verification is enabled. \n\e[0m" + sleep 8 + panic "No pinned GPG key file found while checksum signature verification is enabled." + + fi + # shellcheck disable=SC2164 cd "${_MOUNTPOINT}" 
@@ -203,10 +226,14 @@ Verify_checksums() { if [ -e "${_CHECKSUM}" ]; then + _MANIFEST_FOUND="true" + printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}" if [ -e "/usr/bin/${_DIGEST}sum" ]; then + _TOOL_FOUND="true" + printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum" if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then @@ -234,18 +261,34 @@ Verify_checksums() { fi # shellcheck disable=SC2312 - if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then + _VERIFICATION_EXECUTED="true" + _CHECKSUM_LOG="${_CHECKSUM_LOG_DIR}/ciss-${_DIGEST}sum-check.log" + if ! grep -v '^#' "${_CHECKSUM}" | grep -q '[^[:space:]]'; then + + _RETURN_SHA="254" + : > "${_CHECKSUM_LOG}" + printf "\e[91m[FATAL] Checksum manifest has no checksum entries: [%s] \n\e[0m" "${_CHECKSUM}" + + elif grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then _RETURN_SHA="${?}" + cat "${_CHECKSUM_LOG}" > "${_TTY}" printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" else _RETURN_SHA="${?}" + cat "${_CHECKSUM_LOG}" > "${_TTY}" printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" fi + if { [ "${_RETURN_PGP}" = "0" ] || [ "${_RETURN_PGP}" = "na" ]; } && [ "${_RETURN_SHA}" = "0" ]; then + + _VERIFICATION_SUCCEEDED="true" + + fi + # Stop after the first verification. break 2 
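Review bot: The new empty-manifest guard ahead of the `elif` only proves that some non-comment, non-blank line exists; `${_DIGEST}sum -c` without `--strict` still skips improperly formatted lines and exits 0 as long as at least one well-formed entry verifies, so a manifest with a single valid line and otherwise mangled entries passes the fail-closed check. If the binary copied into the initramfs is coreutils, `elif grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c --strict > "${_CHECKSUM_LOG}" 2>&1; then` makes malformed lines a failure as well. `_RETURN_SHA="${?}"` in that branch is always 0 (the status of the condition that just succeeded), which is harmless but deserves a comment so it is not mistaken for the checksum tool's own status. Verify_checksums continues outside the hunk, and since this copy is being moved to `.archive/`, the same check matters most for the live copy the diffstat lists under `.../lib/live/boot/0030-ciss-verify-checksums`, which is outside this chunk.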
@@ -265,6 +308,36 @@ Verify_checksums() { log_end_msg printf "\n" + if [ "${_MANIFEST_FOUND}" != "true" ]; then + + printf "\e[91m[FATAL] No supported checksum manifest found. Checksum verification is fail-closed. \n\e[0m" + sleep 8 + panic "No supported checksum manifest found. Checksum verification is fail-closed." + + fi + + if [ "${_TOOL_FOUND}" != "true" ]; then + + printf "\e[91m[FATAL] Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed. \n\e[0m" + sleep 8 + panic "Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed." + + fi + + if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then + + printf "\e[91m[FATAL] Checksum verification was not executed. Checksum verification is fail-closed. \n\e[0m" + sleep 8 + panic "Checksum verification was not executed. Checksum verification is fail-closed." + + fi + + if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then + + printf "\e[91m[FATAL] Checksum verification did not complete successfully. Evaluating fail-closed failure state. \n\e[0m" + + fi + case "${_RETURN_PGP},${_RETURN_SHA}" in "0,0") @@ -304,6 +377,12 @@ Verify_checksums() { panic "Verification of checksum file failed." ;; + *) + printf "\e[91m[FATAL] Unknown checksum verification state: [%s,%s]. \n\e[0m" "${_RETURN_PGP:-unset}" "${_RETURN_SHA:-unset}" + sleep 8 + panic "Unknown checksum verification state. Checksum verification is fail-closed." + ;; + esac } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index 8b2a19d..c36d39e 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 🔐 Generating a Private Live ISO TRIXIE. 
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index 4e37df6..802f275 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index 28fadf0..d043e1a 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 5934ffc..e0327f1 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V9.14.022.2026.06.10" + placeholder: "e.g., Master V9.14.024.2026.06.11" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index f8c8acc..1c22469 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 353e1d9..1a78c30 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 🔁 Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index b302771..173056e 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.022.2026.06.10 + version: V9.14.024.2026.06.11 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index 7129dc2..04cc452 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.022.2026.06.10 + version: V9.14.024.2026.06.11 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 7129dc2..04cc452 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.022.2026.06.10 + version: V9.14.024.2026.06.11 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index d979328..d8cfe9b 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index d0d9553..29bab23 100644 
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 16e233d..a4e13a6 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 007a9bb..8d3ece7 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 66ea77e..dab64c8 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 🛡️ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 384c1e1..8357900 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 name: 🔁 Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index 7052b61..3cf04bd 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 " properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V9.14.022.2026.06.10" +properties_version="V9.14.024.2026.06.11" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 9785f65..979d646 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V9.14.022.2026.06.10 +PackageVersion: Master V9.14.024.2026.06.11 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 02cf7a7..674bf92 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.024.2026.06.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.** @@ -46,9 +46,10 @@ Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fu in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a -customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components -are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to -an installed system. For an overview of the entire build process, see: +customised `verify-checksums` path providing fail-closed ISO-edge verification and runtime attestation of the exact final +SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer` +baseline, ensuring a unified cryptographic and security posture from first boot to an installed system. For an overview of the +entire build process, see: **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)** When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
@@ -60,12 +61,17 @@ and spoofing surfaces. Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command -line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure -that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and -transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are -wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the -encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via -named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings. +line. The secret root must be an existing `root:root` tmpfs or ramfs directory with `0700` permissions and no symlinks or +special files below it. Filename-only secret arguments are rejected when they contain path separators, traversal names, shell +metacharacters, or unsafe leading dashes. Critical code paths temporarily disable Bash xtrace so that credentials never leak +into debug logs; the final exact-value sanitization pass runs only after xtrace has been stopped and its debug file descriptor +has been closed, then redacts still-known secret values from debug, variable, and error logs as defense in depth. Transient +secret files are shredded (`shred -fzu`) as soon as they are no longer needed; this is best-effort on SSD/NVMe media, so the +architecture relies primarily on tmpfs for secret staging. 
GNUPG homes used for signing are wiped, +unencrypted chroot artifacts and includes are removed after `lb build`, and cleanup is intentionally destructive only inside +the exact build directory carrying the `.ciss-live-builder-owned` marker. At runtime, LUKS passphrases in the live ISO and +installer are transported via named pipes inside the initramfs instead of process arguments, further minimizing exposure in +process listings. Check out more leading world-class services powered by Centurion Intelligence Consulting Agency: * [CenturionDNS Resolver](https://eddns.eu/) @@ -123,7 +129,7 @@ lockstep avoids those mismatches and gives me predictable artifacts across build The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical - immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container +immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
@@ -131,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_ In compact form, my expectations for the system are:
* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM. -* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root. +* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. * Verification steps are not advisory. Any anomaly causes a hard abort during boot. * After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed. * For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition. @@ -175,7 +181,7 @@ installer toolchain. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V9.14.022.2026.06.10` +Example: `V9.14.024.2026.06.11` `x.y.z` represents major (x), minor (y), and patch (z) version increments. 
@@ -369,7 +375,7 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis `--primordial-ssh ` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current - hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer. + hook still emits the requested labeled rule because this repository has no separate UFW rule deduplication layer. * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after deployment. @@ -493,10 +499,13 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e 2. Preparation: 1. Ensure you are root. - 2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`. + 2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory + `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`. 3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory. 4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory. - 5. Make any other changes you need to. + 5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them + to `0400` before use. + 6. Make any other changes you need to. 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example): 
@@ -505,7 +514,7 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z) ./ciss_live_builder.sh \ --architecture amd64 \ - --autobuild=6.16.3+deb13-amd64 \ + --autobuild=7.0.10+deb13-amd64 \ --build-directory /opt/cdlb \ --cdi \ --change-splash hexagon \ @@ -525,9 +534,9 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e --signing_key_pass=signing_key_pass.txt \ --signing_key=signing_key.asc \ --ssh-port 4242 \ - --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \ - --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \ - --primordial-ssh 42842 \ + --primordial-key SSH-key-filename-for-Primordial-overlay-clone \ + --primordial-ssh SSH-port-for-Primordial-overlay-clone \ + --primordial-url URL-to-Primordial-overlay-clone \ --ssh-pubkey /dev/shm/cdlb_secrets \ --sshfp \ --trixie @@ -559,10 +568,13 @@ preview it or run it. 2. Preparation: 1. Ensure you are root. - 2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`. + 2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory + `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`. 3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory. 4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory. - 5. Copy and edit the sample and set your options (no spaces around commas in lists): + 5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them + to `0400` before use. + 6. Copy and edit the sample and set your options (no spaces around commas in lists): ````bash cp config.mk.sample config.mk 
@@ -577,9 +589,9 @@ preview it or run it. SSH_PUBKEY=/dev/shm/cdlb_secrets # Optional - PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git - PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 - PRIMORDIAL_SSH_PORT=42842 + PRIMORDIAL_KEY=SSH-key-filename-for-Primordial-overlay-clone + PRIMORDIAL_SSH_PORT=SSH-port-for-Primordial-overlay-clone + PRIMORDIAL_URL=URL-to-Primordial-overlay-clone PROVIDER_NETCUP_IPV6=2001:cdb::1 # comma-separated; IPv6 in [] is fine JUMP_HOSTS=[2001:db8::1],[2001:db8::2] diff --git a/REPOSITORY.md b/REPOSITORY.md index a964008..23414ac 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11) +**Repository State:** Master Version **9.14**, Build **V9.14.024.2026.06.11** (as of 2025-10-11) ## 3.1. Top-Level Layout diff --git a/ciss.secureboot/private/README.md b/ciss.secureboot/private/README.md index 0814a5b..edf845a 100644 --- a/ciss.secureboot/private/README.md +++ b/ciss.secureboot/private/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. CISS Secure Boot Private Material diff --git a/ciss.secureboot/public/README.md b/ciss.secureboot/public/README.md index b8338b2..5a5cfb0 100644 --- a/ciss.secureboot/public/README.md +++ b/ciss.secureboot/public/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. CISS Secure Boot Public Material diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index 49a5fea..8e1cb6e 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -41,6 +41,8 @@ declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/roo declare -grx VAR_TMP_SECRET="/dev/shm/cdlb_secrets" # Fixed tmpfs path to store securely build artifacts. declare -grx VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")" # '/root/git/CISS.debian.live.builder' +clear + ### PRELIMINARY CHECKS. ### No ash, dash, ksh, sh. # shellcheck disable=SC2292 @@ -116,7 +118,6 @@ for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done ### ALL CHECKS DONE. READY TO START THE SCRIPT. -clear printf '\033[95m' cat bootscreen.txt printf '\033[0m\n' @@ -143,6 +144,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} + [[ "${VAR_SETUP}" == true ]] && { source_guard "./lib/lib_arg_parser.sh" source_guard "./lib/lib_arg_priority_check.sh" + source_guard "./lib/lib_build_dir_safety.sh" source_guard "./lib/lib_boot_screen.sh" source_guard "./lib/lib_cdi.sh" source_guard "./lib/lib_change_splash.sh" @@ -160,6 +162,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} + source_guard "./lib/lib_clean_screen.sh" source_guard "./lib/lib_clean_up.sh" source_guard "./lib/lib_copy_integrity.sh" + source_guard "./lib/lib_debug_sanitize.sh" source_guard "./lib/lib_gnupg.sh" source_guard "./lib/lib_hardening_root_pw.sh" source_guard "./lib/lib_hardening_ssh_tcp.sh" @@ -173,6 +176,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} + source_guard "./lib/lib_provider_netcup.sh" source_guard "./lib/lib_run_analysis.sh" source_guard "./lib/lib_sanitizer.sh" + source_guard "./lib/lib_secret_validation.sh" source_guard "./lib/lib_secureboot_profile.sh" source_guard "./lib/lib_trap_on_err.sh" source_guard "./lib/lib_trap_on_exit.sh" 
@@ -180,22 +184,6 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} + source_guard "./lib/lib_usage.sh" } -### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS. -### Formal validation still happens in arg_parser(). -for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do - case "${ARY_PARAM_ARRAY[idx],,}" in - --secure-boot-profile=*) - declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}" - ;; - --secure-boot-profile) - if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then - declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}" - fi - ;; - esac -done -unset idx - ### CHECKING REQUIRED PACKAGES. check_pkgs 
@@ -221,9 +209,30 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi ### Updating Status of Dialog Gauge Bar. -if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi +if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nValidating secrets artifacts ... \nXXX\n20\n" >&3; fi +validate_secret_root "${VAR_TMP_SECRET}" +harden_secret_root_files "${VAR_TMP_SECRET}" -### Following the CISS Bash naming and ordering scheme: +### Updating Status of Dialog Gauge Bar. +if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nPre-Scan Secure-Boot ... \nXXX\n30\n" >&3; fi +### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS. +### Formal validation still happens in arg_parser(). +for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do + case "${ARY_PARAM_ARRAY[idx],,}" in + --secure-boot-profile=*) + declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}" + ;; + --secure-boot-profile) + if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then + declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}" + fi + ;; + esac +done +unset idx + +### Updating Status of Dialog Gauge Bar. +if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nTraps active ... \nXXX\n50\n" >&3; fi trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR 
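Review bot: `validate_secret_root` and `harden_secret_root_files` now run at the 20% step, but the `EXIT` and `ERR` traps are only installed after the relocated secure-boot pre-scan at the 50% step, so a validation failure that exits (or an error caught by `set -e`, if it is enabled earlier in the file) bypasses `trap_on_exit`/`trap_on_err` and whatever cleanup or logging they perform. If those traps are what scrubs partial state, move the two `trap '...' EXIT` / `trap '...' ERR` lines up so they precede `validate_secret_root "${VAR_TMP_SECRET}"`, or add a comment on the validation call stating that it intentionally runs before the traps and must therefore not leave anything behind on failure. The pre-scan loop itself is unchanged from the block deleted above and needs no further review. The main script continues outside the hunk.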
@@ -234,9 +243,13 @@ declare -ar ARY_ARG_SANITIZED=("$@") declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}" ### Updating Status of Dialog Gauge Bar. -if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi +if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n80\n" >&3; fi arg_parser "$@" +### Updating Status of Dialog Gauge Bar. +if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nValidate secret Arguments ... \nXXX\n95\n" >&3; fi +validate_selected_secret_inputs + ### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi clean_ip diff --git a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary index be5a0da..f3a9e80 100644 --- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary +++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary @@ -1,4 +1,5 @@ #!/bin/bash +# shellcheck disable=SC2154 # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git 
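Review bot: The new "Validate secret Arguments" gauge update reports `95`, the same value as the "Final checks" update two lines below, while the parsing step was lowered from 90 to 80, so the gauge now jumps 80→95→95. Using `90` for the secret-validation step, `printf "XXX\nValidate secret Arguments ... \nXXX\n90\n" >&3`, keeps the progress values distinct and monotonic.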
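Review bot: `# shellcheck disable=SC2154` on the second line of the hook is file-wide and silences every "referenced but not assigned" finding for the whole script, including the secret-handling variables this commit introduces (`VAR_SIGNING_KEY_PASSFILE`, `VAR_SIGNING_KEY_FPR`, `VAR_VERIFY_KEYRING`, `VAR_LUKS_KEY`). A typo in one of those names would then only surface at build time through `set -u`. Scoping the directive to the individual lines that read build-environment variables, or adding explicit guards such as `: "${VAR_SIGNING_KEY_PASSFILE:?}"` near the top, keeps the linter useful for the rest of the file.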
@@ -11,9 +12,10 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -# Final live-build binary hook for encrypted root filesystem packaging. Preallocate a LUKS2 container, formats it with the -# generated build secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container, -# shreds the temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload. +# Final live-build binary hook for encrypted root filesystem packaging. It creates and signs a deterministic attestation +# manifest for the final filesystem.squashfs byte stream, preallocates a LUKS2 container, formats it with the generated build +# secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container, shreds the +# temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload. printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" 
@@ -63,12 +65,120 @@ preallocate() { # shellcheck disable=SC2034 readonly -f preallocate -declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs" -declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt" -declare KEYFD="" +####################################### +# Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper. +# Globals: +# VAR_SIGNING_KEY_FPR +# VAR_SIGNING_KEY_PASSFILE +# VAR_VERIFY_KEYRING +# Arguments: +# 1: Final SquashFS payload file +# 2: Manifest path below binary/live +# Returns: +# 0: on success +# 42: on failure +####################################### +create_attestation() { + declare rootfs_file="$1" + declare rootfs_attestation="$2" + declare rootfs_hash="" + declare rootfs_size="" + + rootfs_size="$(stat -c%s -- "${rootfs_file}")" + rootfs_hash="$(sha512sum "${rootfs_file}")" + rootfs_hash="${rootfs_hash%% *}" + + # The attested boundary is the final SquashFS byte stream before LUKS wrapping. The boot verifier reads exactly this many + # bytes from the decrypted mapper and intentionally excludes the LUKS allocation slack after the SquashFS payload. + cat << EOF >| "${rootfs_attestation}" +# CISS rootfs attestation manifest v1 +# boundary: final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso +# rootfs-size-bytes: ${rootfs_size} +${rootfs_hash} ciss-rootfs.squashfs +EOF + chmod 0444 "${rootfs_attestation}" + + gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ + --detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}" + chmod 0444 "${rootfs_attestation}.sig" + + gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}" + + printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}" + + return 0 +} +### Prevents accidental 'unset -f'. 
+# shellcheck disable=SC2034 +readonly -f create_attestation + +declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt" +declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs" +declare ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt" +declare DM_LAB="crypt_liveiso" +declare DEVMAP="/dev/mapper/${DM_LAB}" +declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}" +declare KEYFD="" # shellcheck disable=SC2155 -declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}") +declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")" +# shellcheck disable=SC2155 +declare VAR_ROOTFS_HASH="$(LC_ALL=C sha512sum "${ROOTFS}")" +declare VAR_ROOTFS_HASH="${VAR_ROOTFS_HASH%% *}" + +### Attestation Boundary +# - The attested boundary is the final SquashFS byte stream before LUKS wrapping. +# - The boot verifier reads exactly this many bytes from the decrypted mapper and intentionally excludes the LUKS allocation +# slack after the SquashFS payload. +printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n" + +cat << EOF >| "${ROOTFS_ATTESTATION}" +# CISS.debian.live.builder Master ${VAR_VERSION} +# Attestation file for filesystem.squashfs Version 1.0.0 +# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso +# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE} +${VAR_ROOTFS_HASH} filesystem.squashfs +EOF + +chmod 0444 "${ROOTFS_ATTESTATION}" + +if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ + --detach-sign --output "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then + + printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}" + +else + + printf "\e[91m❌ [gpg of %s] NOT successful. 
\e[0m\n" "${ROOTFS_ATTESTATION}" + return 42 + +fi + +chmod 0444 "${ROOTFS_ATTESTATION}.sig" + +if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then + + printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig" + +else + + printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig" + return 42 + +fi + +if LC_ALL=C sha512sum -c --strict --quiet "${ROOTFS_ATTESTATION}"; then + + printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}" + +else + + printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}" + return 42 + +fi + +printf "\e[92m✅ Attestation of filesystem.squashfs successful. \e[0m\n" ### Safety margin: # - LUKS2-Header and Metadata @@ -82,7 +192,7 @@ declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}" -exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt" +exec {KEYFD}<"${LUKS_KEY_FILE}" if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then @@ -93,7 +203,7 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then --iter-time 1000 \ --key-file "/proc/$$/fd/${KEYFD}" \ --key-size 512 \ - --label crypt_liveiso \ + --label "${DM_LAB}" \ --luks2-keyslots-size 16777216 \ --luks2-metadata-size 4194304 \ --pbkdf argon2id \ @@ -108,10 +218,11 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then cryptsetup luksFormat \ --batch-mode \ --cipher aes-xts-plain64 \ + --integrity hmac-sha512 \ --iter-time 1000 \ --key-file "/proc/$$/fd/${KEYFD}" \ --key-size 512 \ - --label crypt_liveiso \ + --label "${DM_LAB}" \ --luks2-keyslots-size 16777216 \ --luks2-metadata-size 4194304 \ --pbkdf argon2id \ 
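Review bot: The manifest written by the inline heredoc carries the size as `# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE}`, while `verify_rootfs_payload` in the `0042_ciss_post_decrypt_attest` hunk of this commit extracts it with `awk -F': ' '/^# rootfs-size-bytes: /{print $2; exit}'`, so on an ISO built by this hook the boot verifier gets an empty size and panics with "invalid payload size" on every boot. The unused `create_attestation()` defined just above writes exactly the `# rootfs-size-bytes:` form the verifier expects; unless it is called somewhere outside the hunks shown, either call it (`create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"`) and drop the inline copy, or add `# rootfs-size-bytes: ${VAR_ROOTFS_SIZE}` to the inline heredoc, so that only one manifest format exists. The three `return 42` statements sit at top level of a `#!/bin/bash` script; if the hook is executed rather than sourced, bash reports an error for `return` outside a function, so these should be `exit 42`. `sha512sum -c --strict` resolves `filesystem.squashfs` relative to the current working directory, not to the manifest's directory, so the self-check only passes when the hook runs with `binary/live` as cwd; an explicit `(cd "$(dirname -- "${ROOTFS_ATTESTATION}")" && LC_ALL=C sha512sum -c --strict --quiet "${ROOTFS_ATTESTATION}")` removes that assumption.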
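Review bot: `--integrity hmac-sha512` is added only to the `VAR_CDLB_INSIDE_RUNNER == "true"` luksFormat branch, so an ISO built locally and one built in the runner get different on-disk protection with no comment explaining why; both branches should carry the option or the difference should be documented next to it. With HMAC-based integrity cryptsetup expects `--key-size` to cover both the cipher key and the HMAC key (its documentation uses `--key-size 768` for aes-xts-plain64 with hmac-sha256), so `--key-size 512` combined with hmac-sha512 looks inconsistent and should be confirmed with a test format. dm-integrity also consumes space for tags and its journal, which the `VAR_LUKSFS_SIZE` margin computed above these hunks may not account for; the `LUKS_FREE >= SQUASH_FS` check after `cryptsetup open` would catch a shortfall, but only after the container has been allocated and formatted.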
@@ -123,10 +234,10 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then fi -cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso +cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" "${DM_LAB}" # shellcheck disable=SC2155 -declare -i LUKS_FREE=$(blockdev --getsize64 /dev/mapper/crypt_liveiso) +declare -i LUKS_FREE=$(blockdev --getsize64 "${DEVMAP}") declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}" if (( LUKS_FREE >= SQUASH_FS )); then @@ -140,13 +251,13 @@ else fi -dd if="${ROOTFS}" of=/dev/mapper/crypt_liveiso bs=8M status=progress conv=fsync +dd if="${ROOTFS}" of="${DEVMAP}" bs=8M status=progress conv=fsync sync -cryptsetup close crypt_liveiso +cryptsetup close "${DM_LAB}" exec {KEYFD}<&- -shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt" +shred -fzu -n 5 -- "${LUKS_KEY_FILE}" rm -f -- "${ROOTFS}" diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 1ac2fdf..a340fb9 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa 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 diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index d477fb3..1d72703 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened index 9a61c99..c1980c6 100644 --- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened +++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened @@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.022.2026.06.10 +# Version Master V9.14.024.2026.06.11 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 5e92b87..3961cb1 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V9.14.022.2026.06.10" +declare -gr VERSION="Master V9.14.024.2026.06.11" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index ef85481..ecfa40e 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg 
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V9.14.022.2026.06.10 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V9.14.024.2026.06.11 at: 10:18:37.9542 diff --git a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums index 63d9d29..8eee9ff 100644 --- a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums +++ b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums 
@@ -15,12 +15,14 @@ # SPDX-Security-Contact: security@coresecret.eu # Module summary: -# This live-boot component implements the verify-checksums mode for the mounted live medium. -# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept. -# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash, -# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It -# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or -# authenticity verification fails. +# This live-boot component implements verify-checksums mode for the mounted live medium. +# It reads the live-boot command line to decide whether checksum verification is enabled, which digests to accept, and +# whether checksum signature verification is required. When signature verification is enabled, it requires to be pinned CISS GPG +# key material from the live medium, verifies this script's signed SHA-512 hash, and verifies the selected checksum manifest +# signature before accepting checksum results. It checks the first supported checksum manifest with an available matching digest +# tool and writes detailed checksum command output to the verification TTY when checksum execution runs. It fails closed by +# panicking on missing manifests, missing digest tools, empty manifests, failed signatures, failed checksums, or unknown +# verification states. ### Modified Version of the original file: ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums' 
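Review bot: The rewritten module summary has a garbled clause: `it requires to be pinned CISS GPG key material from the live medium` should read `it requires pinned CISS GPG key material from the live medium`. The rest of the paragraph matches the fail-closed checks added further down in this file.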
@@ -87,11 +89,26 @@ Verify_checksums() { _CHECKSUM_LOG="" + _CHECKSUM_LOG_DIR="${LIVE_VERIFY_CHECKSUMS_LOG_DIR:-/run}" + _KEYFILE="" + _MANIFEST_FOUND="false" + _MP="" + _RETURN_PGP="" + + _RETURN_SHA="" + + _TOOL_FOUND="false" + + _VERIFICATION_EXECUTED="false" + + _VERIFICATION_SUCCEEDED="false" + ### Parse commandline arguments ---------------------------------------------------------------------------------------------- + # shellcheck disable=SC2154 for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do case "${_PARAMETER}" in @@ -148,6 +165,14 @@ Verify_checksums() { done + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ] && [ -z "${_KEYFILE}" ]; then + + log_er "No pinned GPG key file found while checksum signature verification is enabled." + sleep 8 + panic "[FATAL] No pinned GPG key file found while checksum signature verification is enabled." + + fi + # shellcheck disable=SC2164 cd "${_MOUNTPOINT}" @@ -244,10 +269,14 @@ Verify_checksums() { if [ -e "${_CHECKSUM}" ]; then + _MANIFEST_FOUND="true" + log_in "Found: [${_CHECKSUM}] ..." if [ -e "/usr/bin/${_DIGEST}sum" ]; then + _TOOL_FOUND="true" + log_in "Found: [/usr/bin/${_DIGEST}sum] ..." if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then @@ -275,8 +304,15 @@ Verify_checksums() { fi # shellcheck disable=SC2312 - _CHECKSUM_LOG="/run/ciss-${_DIGEST}sum-check.log" - if grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then + _CHECKSUM_LOG="${_CHECKSUM_LOG_DIR}/ciss-${_DIGEST}sum-check.log" + _VERIFICATION_EXECUTED="true" + if ! grep -v '^#' "${_CHECKSUM}" | grep -q '[^[:space:]]'; then + + _RETURN_SHA="254" + : > "${_CHECKSUM_LOG}" + log_er "Checksum manifest has no checksum entries: [${_CHECKSUM}]" + + elif grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then _RETURN_SHA="${?}" cat "${_CHECKSUM_LOG}" > "${_TTY}" 
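Review bot: The new empty-manifest branch sets `_RETURN_SHA="254"`, but unless a `,254` label exists in the part of the `case "${_RETURN_PGP},${_RETURN_SHA}"` statement not shown, that value falls through to the new `*)` arm and is reported as an "Unknown checksum verification state", although the state is known and was already logged. A dedicated arm, e.g. `"0,254"|"na,254") sleep 8; panic "[FATAL] Checksum manifest has no checksum entries." ;;`, keeps the final panic message accurate. `_CHECKSUM_LOG_DIR` is also used without checking that it is an existing, writable directory; if it is not, the `: > "${_CHECKSUM_LOG}"` redirection in that branch and the `-c > "${_CHECKSUM_LOG}"` redirection below fail and the result is reported as a checksum failure rather than a log-setup failure, so a `[ -d "${_CHECKSUM_LOG_DIR}" ] || panic …` guard near its assignment would make the failure mode explicit.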
@@ -294,6 +330,12 @@ Verify_checksums() { fi + if { [ "${_RETURN_PGP}" = "0" ] || [ "${_RETURN_PGP}" = "na" ]; } && [ "${_RETURN_SHA}" = "0" ]; then + + _VERIFICATION_SUCCEEDED="true" + + fi + # Stop after the first verification. break 2 @@ -313,6 +355,36 @@ Verify_checksums() { log_end_msg printf "\n" + if [ "${_MANIFEST_FOUND}" != "true" ]; then + + log_er "No supported checksum manifest found. Checksum verification is fail-closed." + sleep 8 + panic "[FATAL] No supported checksum manifest found. Checksum verification is fail-closed." + + fi + + if [ "${_TOOL_FOUND}" != "true" ]; then + + log_er "Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed." + sleep 8 + panic "[FATAL] Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed." + + fi + + if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then + + log_er "Checksum verification was not executed. Checksum verification is fail-closed." + sleep 8 + panic "[FATAL] Checksum verification was not executed. Checksum verification is fail-closed." + + fi + + if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then + + log_er "[FATAL] Checksum verification did not complete successfully. Evaluating fail-closed failure state." + + fi + case "${_RETURN_PGP},${_RETURN_SHA}" in "0,0") @@ -345,6 +417,12 @@ Verify_checksums() { panic "Verification of [sha checksum] file failed." ;; + *) + log_er "Unknown checksum verification state: [${_RETURN_PGP:-unset},${_RETURN_SHA:-unset}]." + sleep 8 + panic "[FATAL] Unknown checksum verification state. Checksum verification is fail-closed." + ;; + esac } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest index 878f1a7..e0575d1 100644 --- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest 
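Review bot: `_VERIFICATION_SUCCEEDED` is computed from `_RETURN_PGP`/`_RETURN_SHA` but then only used to emit a log line; the `case "${_RETURN_PGP},${_RETURN_SHA}"` statement below remains the sole authority that decides between continuing and panicking, so the two success definitions can drift apart when a label is added or changed. Making the flag the final gate closes that gap: after `esac`, `[ "${_VERIFICATION_SUCCEEDED}" = "true" ] || panic "[FATAL] Checksum verification did not succeed. Checksum verification is fail-closed."`, with the `case` arms keeping their specific diagnostics. The `_TOOL_FOUND` panic text states that a manifest was found, which only holds because the `_MANIFEST_FOUND` check precedes it; that ordering deserves a one-line comment so the checks are not reordered later.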
+++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest @@ -16,18 +16,27 @@ # Module summary: # - Runs after the encrypted live root filesystem has been decrypted. -# - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files -# inside the decrypted rootfs. -# - Verifies the attestation signature with gpgv against the pinned key material. -# - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed, -# or mismatched evidence. - -_SAVED_SET_OPTS="$(set +o)" +# - Requires the pinned public key, external rootfs attestation manifest, and detached signature to exist as readable, +# non-empty regular files. +# - Verifies the attestation signature with gpgv against the pinned key material and expected signer fingerprint. +# - Verifies the exact final SquashFS byte stream copied into the decrypted LUKS mapper. The signed manifest provides both the +# SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope. +# - Panics on missing, malformed, unauthentic, or mismatched evidence. set -eu printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m" +### Check panic command availability ------------------------------------------------------------------------------------------- +if ! command -v panic >/dev/null 2>&1; then + + panic() { + printf '\e[91m[FATAL] %s \n\e[0m' "${*}" >&2 + exit 1 + } + +fi + ### Declare variables ---------------------------------------------------------------------------------------------------------- ### Will be replaced at build time: 
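Review bot: With `_SAVED_SET_OPTS="$(set +o)"` removed here and `eval "${_SAVED_SET_OPTS}"` replaced by the `verify_rootfs_payload` call in the last hunk of this file, `set -eu` is left enabled when this component finishes. If live-boot sources the files under `/usr/lib/live/boot` into one shell, as the earlier save/restore suggests it does, every later component and the remaining boot logic then run with errexit and nounset they were not written for, which can abort the boot on an unrelated unset variable. Restoring the saved options at the end, or wrapping the component body in a function or subshell, keeps the hardening local to this script. The fallback `panic()` defined in this hunk calls `exit 1`, which in a sourced context terminates the sourcing shell rather than reaching live-boot's own panic handling; acceptable as a last resort, but worth a comment on the function.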
@@ -36,10 +45,13 @@ export CDLB_EXP_CA_FPR="@EXP_CA_FPR@" ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ---------------------- export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}" +export CDLB_MAPPER_DEV="${CDLB_MAPPER_DEV:-/dev/mapper/${CDLB_MAPPER_NAME}}" +export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}" -### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------ -CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}" -CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt.sig}" +### Locations of the attestation file of filesystem.squashfs on the verified live medium. -------------------------------------- +CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/filesystem.squashfs.sha512sum.txt}" +CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}" +CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}" CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}" ### Declare functions ---------------------------------------------------------------------------------------------------------- 
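Review bot: `CDLB_MAPPER_DEV`, `CDLB_MNT_MEDIUM`, `CDLB_ROOTFS_ATTEST_MANIFEST`, `CDLB_ROOTFS_ATTEST_SIGNATURE` and `CDLB_ROOTFS_ATTEST_CHECK` all prefer a pre-set environment value over their default, and `require_rootfs_payload_device` in the next hunk accepts a regular file for `CDLB_MAPPER_DEV` as a "test fixture". The device that gets hashed is exactly what this attestation is meant to pin, so in the boot path it should not be a value the environment can redirect; consider deriving it unconditionally from `CDLB_MAPPER_NAME` and limiting the regular-file path to an explicit, build-time test switch. Whether the initramfs environment can be influenced from outside depends on how live-boot starts this component, so the comments should at least state which of these variables are legitimately caller-settable.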
@@ -123,15 +135,162 @@ require_attestation_file() { return 0 } -HASH_FILE="${CDLB_ATTEST_FPR_SHA}" -SIGN_FILE="${CDLB_ATTEST_FPR_SIG}" +####################################### +# Validate the decrypted rootfs payload device. +# Globals: +# None +# Arguments: +# 1: Absolute payload device path +# Returns: +# 0: on success +####################################### +require_rootfs_payload_device() { + artifact_path="${1}" + + if [ ! -e "${artifact_path}" ]; then + + log_er "0042() : Rootfs payload device missing: [${artifact_path}]" + panic "0042() : Rootfs payload device missing: [${artifact_path}]" + + fi + + if [ -L "${artifact_path}" ] || { [ ! -b "${artifact_path}" ] && [ ! -f "${artifact_path}" ]; }; then + + log_er "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]" + panic "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]" + + fi + + if [ ! -r "${artifact_path}" ]; then + + log_er "0042() : Rootfs payload is not readable: [${artifact_path}]" + panic "0042() : Rootfs payload is not readable: [${artifact_path}]" + + fi + + return 0 +} + +####################################### +# Stream exactly the attested SquashFS payload bytes from the decrypted mapper. 
+# Globals: +# None +# Arguments: +# 1: Payload device or regular test fixture +# 2: Exact payload byte count +# Returns: +# 0: on success +####################################### +stream_rootfs_payload() { + payload_device="${1}" + payload_size="${2}" + block_size=1048576 + full_blocks=$((payload_size / block_size)) + remainder=$((payload_size % block_size)) + remainder_offset=$((full_blocks * block_size)) + + if [ "${full_blocks}" -gt 0 ]; then + + dd if="${payload_device}" bs="${block_size}" count="${full_blocks}" 2>/dev/null || return 1 + + fi + + if [ "${remainder}" -gt 0 ]; then + + dd if="${payload_device}" bs=1 skip="${remainder_offset}" count="${remainder}" 2>/dev/null || return 1 + + fi + + return 0 +} + +####################################### +# Verify the attested SquashFS payload hash against the decrypted mapper bytes. +# Globals: +# CDLB_ROOTFS_ATTEST_CHECK +# Arguments: +# 1: Manifest path +# 2: Payload device path +# Returns: +# 0: on success +####################################### +verify_rootfs_payload() { + manifest_path="${1}" + payload_device="${2}" + payload_size="" + payload_hash="" + + payload_size="$(awk -F': ' '/^# rootfs-size-bytes: /{print $2; exit}' "${manifest_path}")" + payload_hash="$(awk '($0 !~ /^#/ && NF >= 2){print $1; exit}' "${manifest_path}")" + + case "${payload_size}" in + + ""|*[!0-9]*) + log_er "0042() : Rootfs attestation manifest has invalid payload size." + panic "0042() : Rootfs attestation manifest has invalid payload size." + ;; + + esac + + if [ "${payload_size}" -le 0 ]; then + + log_er "0042() : Rootfs attestation manifest has empty payload size." + panic "0042() : Rootfs attestation manifest has empty payload size." + + fi + + case "${payload_hash}" in + + ""|*[!0123456789abcdefABCDEF]*) + log_er "0042() : Rootfs attestation manifest has invalid SHA-512 payload hash." + panic "0042() : Rootfs attestation manifest has invalid SHA-512 payload hash." 
+ ;; + + esac + + if [ "${#payload_hash}" -ne 128 ]; then + + log_er "0042() : Rootfs attestation manifest SHA-512 payload hash has invalid length." + panic "0042() : Rootfs attestation manifest SHA-512 payload hash has invalid length." + + fi + + if ! printf '%s -\n' "${payload_hash}" > "${CDLB_ROOTFS_ATTEST_CHECK}"; then + + log_er "0042() : Failed to prepare transient rootfs payload checksum file." + panic "0042() : Failed to prepare transient rootfs payload checksum file." + + fi + + chmod 0600 "${CDLB_ROOTFS_ATTEST_CHECK}" 2>/dev/null || : + + log_in "0042() : Verifying exact SquashFS payload bytes from: [${payload_device}]" + + # stream_rootfs_payload may be evaluated in a pipeline here; sha512sum -c is the fail-closed authority for truncated or + # tampered payload bytes. + # shellcheck disable=SC2310 + if ! stream_rootfs_payload "${payload_device}" "${payload_size}" | /usr/bin/sha512sum -c "${CDLB_ROOTFS_ATTEST_CHECK}"; then + + log_er "0042() : Rootfs payload SHA-512 verification failed." + panic "0042() : Rootfs payload SHA-512 verification failed." + + fi + + log_ok "0042() : Rootfs payload SHA-512 verification successful." + + return 0 +} + +HASH_FILE="${CDLB_ROOTFS_ATTEST_MANIFEST}" +SIGN_FILE="${CDLB_ROOTFS_ATTEST_SIGNATURE}" KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg" -require_attestation_file "Public key" "${KEYFILE}" -require_attestation_file "Attestation data" "${HASH_FILE}" -require_attestation_file "Attestation signature" "${SIGN_FILE}" +require_attestation_file "Public key" "${KEYFILE}" +require_attestation_file "Rootfs attestation manifest" "${HASH_FILE}" +require_attestation_file "Rootfs attestation signature" "${SIGN_FILE}" +require_rootfs_payload_device "${CDLB_MAPPER_DEV}" -log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR." +log_in "0042() : Verifying rootfs attestation manifest with 'gpgv' and pinned GPG FPR." if ! 
_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then @@ -163,7 +322,7 @@ else fi -eval "${_SAVED_SET_OPTS}" +verify_rootfs_payload "${HASH_FILE}" "${CDLB_MAPPER_DEV}" printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m" diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index a8c843a..7ae3b16 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
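Review bot: `require_rootfs_payload_device` rejects any symlink with `[ -L "${artifact_path}" ]`, but in an initramfs where udev manages device-mapper nodes `/dev/mapper/<name>` is commonly a symlink to `/dev/dm-N`, in which case the legitimate mapper would be refused and every boot would panic; testing `-b` on the resolved path (`readlink -f`) and rejecting only non-block targets avoids that, if the symlink case applies to this initramfs. In `stream_rootfs_payload`, `dd … count="${full_blocks}"` counts reads rather than bytes, so without `iflag=fullblock` a short read would truncate the stream and surface as a spurious hash mismatch; since the goal is "exactly N bytes from the start of the device", `head -c "${payload_size}" "${payload_device}"` is byte-exact and replaces both `dd` invocations, provided the initramfs `head` supports `-c`. The `# shellcheck disable=SC2310` comment explains the pipeline trade-off well; the same explanation belongs in the header of `stream_rootfs_payload`, whose `Returns:` section currently lists only `0` although the function returns 1 on a failed read.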
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index c3ba265..10d6cae 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 45cc361..9cdf706 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 3fa8b08..66a1414 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index b03f190..5893160 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 5348ccc..a9028b3 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 8b1970f..c882e26 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,22 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Changelog +## V9.14.024.2026.06.11 +* **Added**: [lib_build_dir_safety.sh](../lib/lib_build_dir_safety.sh) Integrated Security Audit Finding A12 +* **Added**: [lib_debug_sanitize.sh](../lib/lib_debug_sanitize.sh) Integrated Security Audit Finding A11 +* **Added**: [lib_secret_validation.sh](../lib/lib_secret_validation.sh) Integrated Security Audit Finding A10 +* **Changed**: [zzzz_ciss_crypt_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) Integrated Security Audit Finding A01 + A10 +* **Changed**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Integrated Security Audit Finding A02 +* **Changed**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Integrated Security Audit Finding A01 +* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Integrated Security Audit Finding A01 +* **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Integrated Security Audit Finding A12 +* **Changed**: [README.md](../README.md) Integrated Security Audit Finding A01 + A02 +* **Changed**: [lib_usage.sh](../lib/lib_usage.sh) Integrated Security Audit Finding A10 + ## V9.14.022.2026.06.10 * **Added**: [lib_logo.sh](../lib/lib_logo.sh) * **Added**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Retrieve rdns for Primordial-Workflow™ 
@@ -196,7 +208,7 @@ include_toc: true * **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet Primordial-Workflow™. * **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet Primordial-Workflow™. * **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet Primordial-Workflow™. -* **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot. +* **Added**: [0030-ciss-verify-checksums](../.archive/0030-ciss-verify-checksums) Unified handling via includes.chroot. * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}" * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}" * **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}" diff --git a/docs/CNET.md b/docs/CNET.md index 5bd12f3..015588f 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 5965888..308afae 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Purpose diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index eff5266..4f3798a 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index e6b9d6c..5a1a32c 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 69cb88b..5f15778 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 05e1146..e414f77 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V9.14.022.2026.06.10 +Master V9.14.024.2026.06.11 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2026 @@ -37,6 +37,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. --build-directory Where the Debian Live Build Image should be generated. RECOMMENDED path: + Cleanup is destructive inside the exact builder-owned path and requires '.ciss-live-builder-owned'. MUST be provided. --change-splash one of @@ -57,6 +58,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. --debug, -d Enables debug logging for the main program routine. Detailed logging information are written to: + After xtrace is stopped and its debug FD is closed, a final exact-value redaction pass sanitizes logs. --dhcp-centurion If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused @@ -86,12 +88,12 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. --key_age=* The SOPS AGE private keyring for decryption operations. Change '*' to your desired SOPS AGE key file. - File MUST be placed in: + This MUST be a filename only and MUST be placed in the root-owned tmpfs secret root: --key_luks=* The LUKS encryption / decryption passphrase for '/'-fs-encryption. Change '*' to your desired passphrase file. - File MUST be placed in: + This MUST be a filename only and MUST be placed in the root-owned tmpfs secret root: --log-statistics-only 
@@ -140,7 +142,8 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. --root-password-file > Password file for 'root', if given, MUST be a string of 42 to 64 characters. If the argument is omitted, no further login authentication is required for the local console. - MUST be placed in: + The path MUST be absolute, regular, non-symlink, root-owned, and mode 0400 after normalization. + RECOMMENDED path: --secure-boot-profile one of @@ -156,7 +159,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file. Specify the fingerprint of the key to use via '--signing_key_fpr=*'. Optionally import an offline GPG CA signing public key via: '--signing_ca=*'. - Change '*' to your desired files / fingerprint. Files MUST be placed in: + Change '*' to your desired filename-only files / fingerprint. Files MUST be placed in: --sshfp @@ -171,6 +174,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. --ssh-pubkey Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO. + Directory MUST be absolute, regular, non-symlink, root-owned, and not group/world-writable. Key file MUST be placed in: @@ -186,7 +190,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. 💷 Please consider donating to my work at: 🌐 https://coresecret.eu/spenden/ - V9.14.022.2026.06.10 2026-05-17 CDLB(1) + V9.14.024.2026.06.11 2026-05-17 CDLB(1) ```` # 3. Booting diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md index 31af2f2..b238906 100644 --- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md +++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation) -**Status:** 2025-11-12
+**Status:** 2026-06-10
**Audience:** CICA CISO, CISS staff, technically proficient administrators
-**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock that verifies the exact final SquashFS payload bytes copied into the decrypted LUKS mapper, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.
# 3. Overview @@ -22,7 +22,7 @@ include_toc: true * **Integrity & authenticity verification:** 1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin. - 2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin. + 2. **Late:** Verify the external rootfs attestation manifest using `gpgv` and FPR pin, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`. * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB). * **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding. @@ -97,7 +97,7 @@ flowchart TD LUKS e14@--> ROOT["Assemble RootFS OverlayFS"]; ROOT e15@--> 0126["Executing 0026-ciss: Hardening early sysctls"]; 0126 e16@--> 0130["Executing 0030-ciss: Verification of authenticity and integrity via embedded and pinned GPG of ISO edge"]; - 0130 e17@--> |SUCCESSFUL| 0142["Executing 0042-ciss: Attestation of RootFS"]; + 0130 e17@--> |SUCCESSFUL| 0142["Executing 0042-ciss: Attestation of RootFS SquashFS payload"]; 0142 e18@--> 0145["init-bottom: stop CISS.hardened dropbear, tear down initramfs net"]; 0145 e19@--> 9050["Switching root (run-init / pivot_root)"]; 9050 e20@--> 9010["Starting /sbin/init -> systemd"]; 
@@ -185,30 +185,34 @@ cryptsetup luksFormat \ **Core call (initramfs):** ```sh -/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify sha512sum.txt.sig sha512sum.txt +/usr/bin/gpgv --keyring "$KEYFILE" --status-fd 1 sha512sum.txt.sig sha512sum.txt # parse [GNUPG:] VALIDSIG ... ... ``` # 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh) -**Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology. +**Goal:** After LUKS unlocked, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology. -* **Attestation files:** `/root/.ciss/attestation/.sha512sum.txt[.sig]` +* **Attested boundary:** the final `binary/live/filesystem.squashfs` byte stream, immediately before it is copied into `/dev/mapper/crypt_liveiso` by `zzzz_ciss_crypt_squash.hook.binary`. +* **Runtime verification boundary:** the first `rootfs-size-bytes` bytes read from the decrypted mapper. Any LUKS allocation slack after the SquashFS payload is intentionally excluded. +* **Attestation files:** `/run/live/medium/live/ciss_rootfs.sha512sum.txt[.sig]` * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin) **Core calls (initramfs):** ```sh # 1) Signature and FPR pin (no agent) -/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify "$SIG" "$DATA" +/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIG}" "${DATA}" -# 2) Optional: Content hash verification -( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" ) +# 2) Mandatory content hash verification +dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestation.sha512sum ``` # 10. Failure Policy (fail-closed, deterministic) -* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key / signature. 
+* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch. +* A signed rootfs manifest alone is not sufficient. Boot continues only after the manifest signature/FPR, and the decrypted SquashFS payload bytes both verify successfully. +* `dm-integrity` protects the opened LUKS mapping against sector corruption or tampering under the LUKS key, but it is not treated as origin authenticity. Origin authenticity is provided by the signed rootfs attestation manifest and pinned signer fingerprint. # 11. CISS hardened and built dropbear @@ -261,8 +265,8 @@ flowchart TD E e04@--> F["Mounting RootFS"]; F e05@--> G["0030 verification of authenticity and integrity via embedded and pinned GPG of ISO edge"]; G e06@-->|SUCCESSFUL| H["ISO edge verified"]; - H e07@--> I["0042 post-decrypt-attestation of RootFS"]; - I e08@-->|SUCCESSFUL| J["RootFS attestation successful"]; + H e07@--> I["0042 post-decrypt-attestation of RootFS SquashFS payload"]; + I e08@-->|SUCCESSFUL| J["RootFS SquashFS payload attestation successful"]; e02@{ animation: fast } e03@{ animation: fast } e04@{ animation: fast } diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md index 5a1be57..fb53e16 100644 --- a/docs/MAN_SSH_Host_Key_Policy.md +++ b/docs/MAN_SSH_Host_Key_Policy.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index dc112b6..26cf3fc 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. Resources diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md index 225ecc2..3c6e751 100644 --- a/docs/documentation/30-ciss-hardening.conf.md +++ b/docs/documentation/30-ciss-hardening.conf.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. ``30-ciss-hardening.conf`` diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md index 7f2dcf6..bb90633 100644 --- a/docs/documentation/90-ciss-local.hardened.md +++ b/docs/documentation/90-ciss-local.hardened.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. ``90-ciss-local.hardened`` diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md index 9aa0b46..f0c6894 100644 --- a/docs/documentation/ciss_live_builder.sh.md +++ b/docs/documentation/ciss_live_builder.sh.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.022.2026.06.10
+**Build**: V9.14.024.2026.06.11
# 2. ``ciss_live_builder.sh`` diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh index 680957c..26b5187 100644 --- a/lib/lib_arg_parser.sh +++ b/lib/lib_arg_parser.sh @@ -76,7 +76,6 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" # ERR__SSH__PORT: on failure ####################################### arg_parser() { - declare primordial_key_regex='^[A-Za-z0-9._@%+=:,~-]+$' declare primordial_url_regex='^https://[A-Za-z0-9.-]+/[A-Za-z0-9._~/%+=:@,-]+\.git$' while [[ $# -gt 0 ]]; do @@ -109,6 +108,16 @@ arg_parser() { shift 1 ;; + -l | --logo) + if [[ -n "${2-}" && "${2}" != -* ]]; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + printf "\e[91m❌ Error: --logo MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + shift 1 + ;; + -v | --version) if [[ -n "${2-}" && "${2}" != -* ]]; then if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi @@ -134,10 +143,9 @@ arg_parser() { ;; --build-directory) - declare -gx VAR_HANDLER_BUILD_DIR="${2}" - if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then + declare -gx VAR_HANDLER_BUILD_DIR="${2-}" + if ! validate_build_dir_argument "${VAR_HANDLER_BUILD_DIR}"; then if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi - printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2 exit "${ERR_NOTABSPATH}" fi declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/cdlb_${VAR_ISO8601}_build.log" 
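Review bot: The pause in the new `-l | --logo` branch is broken: in `read -p -r $'...'` the `-p` option consumes `-r` as its prompt text, so the ANSI string becomes the variable name and bash fails the read immediately with "not a valid identifier" instead of waiting for ENTER. The option order must be `read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'`, matching the other branches of this function, which use `read -p` (with a `# shellcheck disable=SC2162`). arg_parser starts before this hunk and continues after it.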
@@ -266,18 +274,28 @@ arg_parser() { ;; --key_age=*) + declare key_age="${1#*=}" + if ! validate_secret_filename "--key_age" "${key_age}"; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + exit "${ERR_ARG_MSMTCH}" + fi # shellcheck disable=SC2034 declare -gx VAR_AGE="true" # shellcheck disable=SC2034 - declare -gx VAR_AGE_KEY="${1#*=}" + declare -gx VAR_AGE_KEY="${key_age}" shift 1 ;; --key_luks=*) + declare key_luks="${1#*=}" + if ! validate_secret_filename "--key_luks" "${key_luks}"; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + exit "${ERR_ARG_MSMTCH}" + fi # shellcheck disable=SC2034 declare -gx VAR_LUKS="true" # shellcheck disable=SC2034 - declare -gx VAR_LUKS_KEY="${1#*=}" + declare -gx VAR_LUKS_KEY="${key_luks}" shift 1 ;; @@ -296,7 +314,7 @@ arg_parser() { --primordial-key) declare primordial_key="${2-}" - if [[ -n "${primordial_key}" && "${primordial_key}" != -* && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then + if validate_secret_filename "--primordial-key" "${primordial_key}"; then # shellcheck disable=SC2034 declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}" @@ -315,7 +333,7 @@ arg_parser() { --primordial-key=*) declare primordial_key="${1#*=}" - if [[ -n "${primordial_key}" && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then + if validate_secret_filename "--primordial-key" "${primordial_key}"; then # shellcheck disable=SC2034 declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}" @@ -461,7 +479,7 @@ arg_parser() { ;; --root-password-file) - declare pw_file="${2}" + declare pw_file="${2-}" if [[ -z "${pw_file}" ]]; then 
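Review bot: The new failure paths in `--key_age=*` and `--key_luks=*` run `validate_secret_filename` first and `boot_screen_cleaner` afterwards; if the validator prints its own diagnostic (the inline `printf` errors were dropped, so it presumably does), the interactive screen clear wipes that message before `exit`, and the operator sees no reason for the abort. The previous pattern in this file was clear-then-print, and the same inverted order appears in the `--build-directory`, `--signing_*` and `--ssh-pubkey` branches of this patch. One fix that keeps the helper is to capture and replay the diagnostic: `if ! err_msg="$(validate_secret_filename "--key_age" "${key_age}" 2>&1)"; then`, then `if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi`, then `printf '%s\n' "${err_msg}" >&2; exit "${ERR_ARG_MSMTCH}"`. That `boot_screen_cleaner` clears the terminal is inferred from its name and the old call order; confirm against the helper, which is not in this patch. arg_parser continues outside the hunk.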
@@ -473,10 +491,9 @@ arg_parser() { fi - if [[ ! -f "${pw_file}" ]]; then + if ! validate_secret_absolute_file_basics "--root-password-file" "${pw_file}"; then if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi - printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2 # shellcheck disable=SC2162 read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_MISS_PWD_F}" @@ -507,6 +524,13 @@ arg_parser() { } fi + validate_secret_file_path "--root-password-file" "${pw_file}" || { + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + # shellcheck disable=SC2162 + read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_RGHT_PWD_F}" + } + declare plaintext_pw ### No tracing for security reasons ---------------------------------------------------------------------------------- [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x @@ -606,16 +630,26 @@ arg_parser() { ;; --signing_ca=*) + declare signing_ca="${1#*=}" + if ! validate_secret_filename "--signing_ca" "${signing_ca}"; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + exit "${ERR_ARG_MSMTCH}" + fi # shellcheck disable=SC2034 - declare -gx VAR_SIGNING_CA="${1#*=}" + declare -gx VAR_SIGNING_CA="${signing_ca}" shift 1 ;; --signing_key=*) + declare signing_key="${1#*=}" + if ! validate_secret_filename "--signing_key" "${signing_key}"; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + exit "${ERR_ARG_MSMTCH}" + fi # shellcheck disable=SC2034 declare -gx VAR_SIGNER="true" # shellcheck disable=SC2034 - declare -gx VAR_SIGNING_KEY="${1#*=}" + declare -gx VAR_SIGNING_KEY="${signing_key}" shift 1 ;; 
@@ -626,8 +660,13 @@ arg_parser() { ;; --signing_key_pass=*) + declare signing_key_pass="${1#*=}" + if ! validate_secret_filename "--signing_key_pass" "${signing_key_pass}"; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + exit "${ERR_ARG_MSMTCH}" + fi # shellcheck disable=SC2034 - declare -gx VAR_SIGNING_KEY_PASS="${1#*=}" + declare -gx VAR_SIGNING_KEY_PASS="${signing_key_pass}" shift 1 ;; @@ -694,8 +733,13 @@ arg_parser() { ;; --ssh-pubkey) + declare ssh_pubkey="${2-}" + if ! validate_ssh_pubkey_directory "${ssh_pubkey}"; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + exit "${ERR_ARG_MSMTCH}" + fi # shellcheck disable=SC2034 - declare -gx VAR_SSHPUBKEY="${2}" + declare -gx VAR_SSHPUBKEY="${ssh_pubkey}" shift 2 ;; diff --git a/lib/lib_check_secrets.sh b/lib/lib_check_secrets.sh index e82448d..cc15ad4 100644 --- a/lib/lib_check_secrets.sh +++ b/lib/lib_check_secrets.sh @@ -33,12 +33,16 @@ x_remove() { shopt -s nullglob dotglob + ### Collect exact currently available secret values before removing their source files. + ### Log rewriting is intentionally deferred to the final trap after xtrace has been stopped. + collect_debug_secret_values || true + if [[ "${VAR_SIGNER}" == "true" ]]; then # shellcheck disable=SC2312 find "${VAR_TMP_SECRET}" -xdev -type f \ - ! -path "${VAR_TMP_SECRET}/signing_key_pass.txt" \ - ! -path "${VAR_TMP_SECRET}/luks.txt" \ + ! -path "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS:-signing_key_pass.txt}" \ + ! -path "${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}" \ -print0 \ | xargs -0 --no-run-if-empty shred -fzu -n 5 -- diff --git a/lib/lib_ciss_upgrades_boot.sh b/lib/lib_ciss_upgrades_boot.sh index d60442e..04c4ed8 100644 --- a/lib/lib_ciss_upgrades_boot.sh +++ b/lib/lib_ciss_upgrades_boot.sh @@ -1,4 +1,5 @@ #!/bin/bash +# shellcheck disable=SC2154 # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git 
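Review bot: The added `# shellcheck disable=SC2154` on line 2 of lib_ciss_upgrades_boot.sh silences the "referenced but not assigned" warning for the whole file, which also hides genuine typos in any `VAR_*` name introduced later. Prefer a scoped directive on the lines that read sourced globals, e.g. `# shellcheck disable=SC2154  # VAR_* are exported by the sourcing builder` directly above the first such use. The rest of that file is outside this hunk.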
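Review bot: In `x_remove()` the new exclusions `! -path "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS:-signing_key_pass.txt}"` and its `luks.txt` twin are glob patterns, so a filename containing `*`, `?` or `[` would be matched as a pattern rather than literally and could exclude extra secrets from the shred or fail to exclude the intended one. This is only safe because these names are supposed to have passed `validate_secret_filename`; state that dependency next to the `find`, e.g. `### -path is a glob: filenames are restricted by validate_secret_filename, so no metacharacters arrive here.` Likewise `collect_debug_secret_values` now keeps exact secret values in shell variables until the exit trap; a one-line comment that they must stay unexported (so they never reach child processes or /proc/<pid>/environ) would make that trade-off explicit. x_remove continues outside the hunk.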
@@ -14,9 +15,10 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" ####################################### # Integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts: -# - /root/.ciss/attestation/VAR_SIGNING_KEY_FPR.* +# - /root/.ciss/attestation/VAR_SIGNING_KEY_FPR.* legacy-signed public-key copy, not rootfs content attestation # - /etc/initramfs-tools/files/unlock_wrapper.sh # - /usr/lib/live/boot/0030-ciss-verify-checksums +# Rootfs content attestation for the final SquashFS payload is generated by zzzz_ciss_crypt_squash.hook.binary. # Globals: # BASH_SOURCE # VAR_HANDLER_BUILD_DIR diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh index 3075257..e5efe10 100644 --- a/lib/lib_clean_up.sh +++ b/lib/lib_clean_up.sh @@ -33,6 +33,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" ####################################### clean_up() { declare clean_exit_code="$1" fs_type="" _old_nullglob="" _old_dotglob="" _old_failglob="" + declare build_dir_valid="false" includes_chroot="" ### Enable nullglob/dotglob, disable failglob for safe globbing. _old_nullglob="$(shopt -p nullglob || true)" @@ -52,10 +53,10 @@ clean_up() { rm -f -- "${VAR_NOTES}" ### Release advisory lock on FD 127. - flock -u 127 + flock -u 127 2>/dev/null || true ### Close file descriptor 127. - exec 127>&- + exec 127>&- 2>/dev/null || true ### Remove the lockfile artifact. rm -f /run/lock/ciss_live_builder.lock 
@@ -100,32 +101,46 @@ clean_up() { ### No tracing for security reasons ------------------------------------------------------------------------------------------ [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x - ### Removes secrets securely. - # shellcheck disable=SC2312 - find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- - find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete + ### Stop xtrace before destructive cleanup and collect still-available exact secret values. + ### The final log rewrite runs later from the trap after no further debug/error log writes are expected. + finalize_debug_xtrace_logging || true + collect_debug_secret_values || true - ### Securely shred all regular files below ./includes.chroot, then remove empty dirs. - if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then + ### Removes secrets securely. + if [[ -n "${VAR_TMP_SECRET:-}" && -d "${VAR_TMP_SECRET}" && ! -L "${VAR_TMP_SECRET}" ]]; then # shellcheck disable=SC2312 - find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- + find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- || true + find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete || true + + fi + + if [[ -n "${VAR_HANDLER_BUILD_DIR:-}" && -d "${VAR_HANDLER_BUILD_DIR}" ]]; then + if require_builder_owned_build_dir "${VAR_HANDLER_BUILD_DIR}"; then + build_dir_valid="true" + fi + fi + + ### Securely shred all regular files below ./includes.chroot, then remove empty dirs. 
+ includes_chroot="${VAR_HANDLER_BUILD_DIR:-}/config/includes.chroot" + if [[ "${build_dir_valid}" == "true" && -d "${includes_chroot}" ]] \ + && require_builder_owned_subpath "${VAR_HANDLER_BUILD_DIR}" "${includes_chroot}"; then + + # shellcheck disable=SC2312 + find "${includes_chroot}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 -- || true ### Remove empty directories (bottom-up). - find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete + find "${includes_chroot}" -depth -xdev -type d -empty -delete || true fi ### Delete all files and directories below ./chroot. - if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then + if [[ "${build_dir_valid}" == "true" && -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then - rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot" + safe_remove_builder_subpath "${VAR_HANDLER_BUILD_DIR}" "${VAR_HANDLER_BUILD_DIR}/chroot" || true fi - ### Turn on tracing again ---------------------------------------------------------------------------------------------------- - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x - eval "${_old_nullglob}" 2>/dev/null || true eval "${_old_dotglob}" 2>/dev/null || true eval "${_old_failglob}" 2>/dev/null || true diff --git a/lib/lib_gnupg.sh b/lib/lib_gnupg.sh index 1737789..0dffd49 100644 --- a/lib/lib_gnupg.sh +++ b/lib/lib_gnupg.sh 
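Review bot: When `require_builder_owned_build_dir` fails, the new guard silently skips the shred of `config/includes.chroot`, yet that tree is exactly where this patch copies secret material (`root/.config/sops/age/keys.txt` in lib_primordial, `root/.ssh/authorized_keys` and SSH identities in lib_hardening_ultra and lib_primordial); an operator whose build directory lacks the `.ciss-live-builder-owned` marker ends up with unshredded secret copies on disk and no indication of it. Refusing to delete an unowned directory is the right fail-safe, but the skip must be visible: add `elif [[ -d "${includes_chroot}" ]]; then` followed by `printf "\e[93m⚠️  Not cleaning '%s': build directory is not builder-owned; secret copies may remain.\e[0m\n" "${includes_chroot}" >&2` before the closing `fi`. The same silent skip applies to the `chroot` removal just below. clean_up starts before this hunk.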
@@ -72,9 +72,15 @@ EOF fi - ### Use pubring as verification keyring reference. + ### Use pubring as a verification keyring reference. declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx" + validate_secret_file_in_root "--signing_key" "${VAR_SIGNING_KEY}" || return "${?}" + validate_secret_file_in_root "--signing_key_pass" "${VAR_SIGNING_KEY_PASS}" || return "${?}" + if [[ -n "${VAR_SIGNING_CA}" ]]; then + validate_secret_file_in_root "--signing_ca" "${VAR_SIGNING_CA}" || return "${?}" + fi + declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}" ### No tracing for security reasons ------------------------------------------------------------------------------------------ diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh index 6b89183..95d69f8 100644 --- a/lib/lib_hardening_ultra.sh +++ b/lib/lib_hardening_ultra.sh @@ -182,6 +182,7 @@ hardening_ultra() { printf "\e[95m🧪 Updating SSH Keys, Ports ... \e[0m\n" ### ./config/includes.chroot/root/.ssh --------------------------------------------------------------------------------------- + validate_ssh_pubkey_directory "${VAR_SSHPUBKEY}" || return "${?}" install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/" diff --git a/lib/lib_lb_config_start.sh b/lib/lib_lb_config_start.sh index d07f48e..3c25956 100644 --- a/lib/lib_lb_config_start.sh +++ b/lib/lib_lb_config_start.sh @@ -30,12 +30,14 @@ lb_config_start() { mkdir -p "${VAR_HANDLER_BUILD_DIR}" # shellcheck disable=SC2164 cd "${VAR_HANDLER_BUILD_DIR}" + ensure_builder_owned_build_dir "${VAR_HANDLER_BUILD_DIR}" printf "\e[92m✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}" else # shellcheck disable=SC2164 cd "${VAR_HANDLER_BUILD_DIR}" + ensure_builder_owned_build_dir "${VAR_HANDLER_BUILD_DIR}" fi 
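Review bot: In lb_config_start the `else` branch (directory already exists) calls `ensure_builder_owned_build_dir` unconditionally after `cd`; if that helper creates the `.ciss-live-builder-owned` marker rather than only verifying it, the A12 control is defeated, because a pre-existing arbitrary directory passed via `--build-directory` gets stamped as builder-owned by the very run that then calls `safe_clean_build_dir_contents` on it. The marker only protects against destructive cleanup if it is created solely in the `mkdir -p` branch and merely required in the existing-directory branch, e.g. `require_builder_owned_build_dir "${VAR_HANDLER_BUILD_DIR}" || return "${?}"` there. `ensure_builder_owned_build_dir` is not in this patch, so this is a request to confirm its semantics and to document the create-vs-require distinction in a comment above each call. lb_config_start continues outside the hunk.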
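Review bot: In lib_gnupg.sh `validate_secret_file_in_root "--signing_key_pass" "${VAR_SIGNING_KEY_PASS}"` is unconditional while the `--signing_ca` check is guarded by `-n`; the usage text in this same patch says the passphrase file is needed only "if the keyring is protected", so an unprotected signing key with an empty `VAR_SIGNING_KEY_PASS` would presumably now fail here instead of proceeding. If an unprotected key is not a supported configuration, say so in a comment; otherwise guard it the same way: `if [[ -n "${VAR_SIGNING_KEY_PASS}" ]]; then validate_secret_file_in_root "--signing_key_pass" "${VAR_SIGNING_KEY_PASS}" || return "${?}"; fi`. The `signing_key_pass.txt` default in lib_check_secrets suggests the variable may always be set, so treat this as a question to confirm rather than a certain defect. The enclosing function starts before this hunk.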
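Review bot: In hardening_ultra the new `validate_ssh_pubkey_directory` checks the directory, but the file actually consumed on the next line, `"${VAR_SSHPUBKEY}/authorized_keys"`, is not checked; `install` follows symlinks on its source, so a symlink there would be copied into the image as root's authorized_keys from wherever it points. A root-owned, non-group/world-writable directory limits who can plant such a link, but the file check is cheap: `[[ -f "${VAR_SSHPUBKEY}/authorized_keys" && ! -L "${VAR_SSHPUBKEY}/authorized_keys" ]] || return "${ERR_INVLD_CHAR}"`, reusing the code lib_primordial uses for the analogous host-key check in this patch. hardening_ultra continues outside the hunk.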
@@ -48,11 +50,7 @@ lb_config_start() { lb clean --binary --cache --purge --source - if [[ "${PWD}" == "${VAR_HANDLER_BUILD_DIR}" && "${PWD}" != "/" && -n "${PWD}" ]]; then - - rm -rf -- ./* ./.??* - - fi + safe_clean_build_dir_contents "${VAR_HANDLER_BUILD_DIR}" printf "\e[92m✅ Deleting former config, binary and cache done.\e[0m\n" diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh index 105ef4e..82b7b1c 100644 --- a/lib/lib_primordial.sh +++ b/lib/lib_primordial.sh @@ -84,6 +84,8 @@ init_primordial() { ### Check for SOPS AGE key integration --------------------------------------------------------------------------------------- if [[ "${VAR_AGE,,}" == "true" ]]; then + validate_secret_file_in_root "--key_age" "${VAR_AGE_KEY}" || return "$?" + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age" install -m 0400 "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.config/sops/age/keys.txt" shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 2>/dev/null || rm -f "${VAR_TMP_SECRET}/${VAR_AGE_KEY}" 
@@ -93,6 +95,18 @@ init_primordial() { ### Check for SSH CISS and PhysNet Primordial-Workflow™ integration ------------------------------------------------------- if [[ "${VAR_SSHFP,,}" == "true" ]]; then + # shellcheck disable=SC2312 + if find "${VAR_TMP_SECRET}" -xdev \( -name 'id*' -o -name 'ssh_host_*' \) -type l -print -quit | grep -q .; then + printf "\e[91m❌ ERROR: SSH identity and host key inputs MUST NOT be symlinks. \e[0m\n" >&2 + return "${ERR_INVLD_CHAR}" + fi + + # shellcheck disable=SC2312 + if find "${VAR_TMP_SECRET}" -xdev \( -name 'id*' -o -name 'ssh_host_*' \) ! -type f -print -quit | grep -q .; then + printf "\e[91m❌ ERROR: SSH identity and host key inputs MUST be regular files. \e[0m\n" >&2 + return "${ERR_INVLD_CHAR}" + fi + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/" normalize_ssh_keys_in_dir "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" diff --git a/lib/lib_trap_on_exit.sh b/lib/lib_trap_on_exit.sh index 14a6bce..aaaddd8 100644 --- a/lib/lib_trap_on_exit.sh +++ b/lib/lib_trap_on_exit.sh @@ -49,6 +49,8 @@ trap_on_exit() { print_scr_exit "${errcode}" + sanitize_debug_logs || true + exit "${errcode}" else @@ -61,6 +63,8 @@ trap_on_exit() { print_scr_exit_non_zero "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}" + sanitize_debug_logs || true + fi exit "${errcode}" diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index bef358a..107c990 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh 
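Review bot: The two new `find` pre-checks in init_primordial recurse the whole `VAR_TMP_SECRET` tree, while the `install "${VAR_TMP_SECRET}/id"*` that follows only copies top-level files, so a stray `id_*` entry in a subdirectory aborts the build although it would never be installed; add `-maxdepth 1` to both. The first check is also subsumed by the second: without `-L`, `! -type f` already matches symlinks, so the symlink-specific message is reachable only because it runs first. Either collapse to a single `find "${VAR_TMP_SECRET}" -maxdepth 1 -xdev \( -name 'id*' -o -name 'ssh_host_*' \) ! -type f -print -quit` with one message, or add a comment that the split exists purely for the more specific diagnostic. init_primordial continues outside the hunk.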
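Review bot: The usage footer now takes the version from `VAR_VERSION` but still hard-codes the date `2026-06-11`, so the next bump will drift again (DOCUMENTATION.md in this same patch already shows a stale `2026-05-17` footer). Since the version string embeds the date (`V9.14.024.2026.06.11`), derive it: `declare var_date="${VAR_VERSION#*.*.*.}"` and `var_footer=$(center "${VAR_VERSION} ${var_date//./-} CDLB(1)" "${var_cols}")`. usage starts before this hunk.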
@@ -39,13 +39,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V9.14.022.2026.06.10 2026-06-10 CDLB(1)" "${var_cols}") + declare var_footer=$(center "${VAR_VERSION} 2026-06-11 CDLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V9.14.022.2026.06.10\e[0m" + echo -e "\e[92mMaster ${VAR_VERSION}\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m" @@ -67,6 +67,7 @@ usage() { echo echo -e "\e[97m --build-directory \e[0m" echo " Where the Debian Live Build Image should be generated. RECOMMENDED path: " + echo " Cleanup is destructive inside the exact builder-owned path and requires '.ciss-live-builder-owned'." echo " MUST be provided." echo echo -e "\e[97m --change-splash one of \e[0m" @@ -87,6 +88,7 @@ usage() { echo -e "\e[97m --debug, -d \e[0m" echo " Enables debug logging for the main program routine. Detailed logging information are written to:" echo " " + echo " After xtrace is stopped and its debug FD is closed, a final exact-value redaction pass sanitizes logs." echo echo -e "\e[97m --dhcp-centurion \e[0m" echo " If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused " 
@@ -108,12 +110,12 @@ usage() {
 echo
 echo -e "\e[97m --key_age=* \e[0m"
 echo " The SOPS AGE private keyring for decryption operations. Change '*' to your desired SOPS AGE key file."
- echo " File MUST be placed in:"
+ echo " This MUST be a filename only and MUST be placed in the root-owned tmpfs secret root:"
 echo " "
 echo
 echo -e "\e[97m --key_luks=* \e[0m"
 echo " The LUKS encryption / decryption passphrase for '/'-fs-encryption. Change '*' to your desired passphrase file."
- echo " File MUST be placed in:"
+ echo " This MUST be a filename only and MUST be placed in the root-owned tmpfs secret root:"
 echo " "
 echo
 echo -e "\e[97m --log-statistics-only \e[0m"
@@ -162,7 +164,8 @@ usage() {
 echo -e "\e[97m --root-password-file > \e[0m"
 echo " Password file for 'root', if given, MUST be a string of 42 to 64 characters."
 echo " If the argument is omitted, no further login authentication is required for the local console."
- echo " MUST be placed in:"
+ echo " The path MUST be absolute, regular, non-symlink, root-owned, and mode 0400 after normalization."
+ echo " RECOMMENDED path:"
 echo " "
 echo
 echo -e "\e[97m --secure-boot-profile one of \e[0m"
@@ -178,7 +181,7 @@ usage() {
 echo " specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file."
 echo " Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
 echo " Optionally import an offline GPG CA signing public key via: '--signing_ca=*'."
- echo " Change '*' to your desired files / fingerprint. Files MUST be placed in:"
+ echo " Change '*' to your desired filename-only files / fingerprint. Files MUST be placed in:"
 echo " "
 echo
 echo -e "\e[97m --sops-version \e[0m"
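Review bot: `mode 0400 after normalization` in the new `--root-password-file` text (hunk `@@ -162,7 +164,8 @@`) leaves open whether the operator must supply a 0400 file or the builder chmods it, and the two readings lead to different operator behaviour and different failure modes. State which it is, e.g. `echo " The path MUST be absolute, regular, non-symlink and root-owned; the builder normalizes the file to mode 0400."` if the builder does the chmod, or `MUST already be mode 0400` if anything else is rejected. usage() starts and ends outside the hunk.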
@@ -201,6 +204,7 @@ usage() {
 echo
 echo -e "\e[97m --ssh-pubkey \e[0m"
 echo " Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO."
+ echo " Directory MUST be absolute, regular, non-symlink, root-owned, and not group/world-writable."
 echo " Key file MUST be placed in:"
 echo " "
 echo
diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh
index 9f2dbcb..9201ded 100644
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -601,7 +601,7 @@ main() {
 var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
 touch "${var_log}"
- printf "CISS.debian.live.builder V9.14.022.2026.06.10 calling CISS.debian.installer ... \n" >> "${var_log}"
+ printf "CISS.debian.live.builder V9.14.024.2026.06.11 calling CISS.debian.installer ... \n" >> "${var_log}"
 ### Sleep a moment to settle boot artifacts.
 sleep 8
@@ -696,7 +696,7 @@ main() {
 ### Timeout reached without acceptable semaphore.
 logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
- printf "CISS.debian.live.builder V9.14.022.2026.06.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+ printf "CISS.debian.live.builder V9.14.024.2026.06.11: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 exit 0
 }
diff --git a/var/early.var.sh b/var/early.var.sh
index 4cabdf6..fab7f26 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
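Review bot: `Directory MUST be absolute, regular, non-symlink, ...` applies the word `regular` to a directory, while elsewhere in this help text (`--root-password-file`) `regular` means a regular file, so the sentence reads as self-contradictory and does not tell the operator what the check actually enforces. Suggest `echo " The directory MUST be given as an absolute path to a real (non-symlink) directory that is root-owned and not group/world-writable."`. usage() starts and ends outside the hunk.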
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.022.2026.06.10"
+declare -grx VAR_VERSION="Master V9.14.024.2026.06.11"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
 # Print $4 and $5; include $6 only if it exists
 out = $4
diff --git a/var/global.var.sh b/var/global.var.sh
index 0cd3eb0..91c5a29 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -43,6 +43,7 @@ declare -g VAR_SSHFP="false"
 declare -g VAR_SSHPORT=""
 declare -g VAR_SSHPUBKEY=""
 declare -g VAR_SUITE="trixie"
+declare -ga ARY_DEBUG_SECRET_VALUES=()
 declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
 declare -ga ARY_HANDLER_JUMPHOST=()
 declare -ga ARY_HANDLER_NETCUP_IPV6=()
@@ -51,10 +52,12 @@ declare -gi VAR_HANDLER_PRIORITY=0
 declare -gi VAR_HANDLER_STA=0
 declare -gi VAR_REIONICE_CLASS=2
 declare -gi VAR_REIONICE_PRIORITY=4
+declare -gr CISS_BUILD_DIR_MARKER=".ciss_debian_live_builder_owned"
 declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
 declare -gx VAR_AGE_KEY=""
 declare -gx VAR_AGE="false"
+declare -gx VAR_ARG_SANITIZED=""
 declare -gx VAR_CDLB_INSIDE_RUNNER="${VAR_CDLB_INSIDE_RUNNER:-false}"
 declare -gx VAR_CISS_SECUREBOOT_PROFILE="debian-shim"
 declare -gx VAR_LUKS_KEY=""
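Review bot: `ARY_DEBUG_SECRET_VALUES` is a plain global array that, by its name and the exit-time redaction this patch adds, holds exact plaintext secrets for the whole process lifetime, yet it carries no comment explaining that contract. `-ga` without `-x` is the right choice (the values must not reach child processes); a comment at the declaration protects that choice and warns against the other way the array can leak: `# Exact secret values registered for exit-time debug-log redaction. Never export, never expand under xtrace.`. This is an inference from the name and the trap_on_exit changes; if the array holds something else, the comment should say what.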
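Review bot: `CISS_BUILD_DIR_MARKER` is the only identifier in this hunk that does not follow the file's `VAR_*`/`ARY_*` prefix convention; if its other uses are confined to this patch, renaming it to `VAR_CISS_BUILD_DIR_MARKER` keeps the file greppable by prefix. `VAR_ARG_SANITIZED` is declared `-gx`, so its value is exported into the environment of every child the builder spawns; if it is meant to hold a sanitized copy of a secret-bearing argument rather than a flag, `-g` without `-x` is the safer default, and if it is a flag a short comment stating what "sanitized" means here would help.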