From 9cdcc0a9ec922a30bbe338c0e3daf930a54699cf8633d9d31c055d2a81562587 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Sun, 7 Jun 2026 07:24:22 +0100 Subject: [PATCH] V9.14.018.2026.06.07 Signed-off-by: Marc S. Weidner --- .archive/generate_PRIVATE_trixie_0.yaml | 2 +- .archive/generate_PRIVATE_trixie_1.yaml | 2 +- .archive/generate_PUBLIC_iso.yaml | 2 +- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/dockerfile | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .../trigger/t_generate_PRIVATE_trixie_0.yaml | 2 +- .gitea/trigger/t_generate_PUBLIC.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_0.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 6 +- REPOSITORY.md | 4 +- ciss.secureboot/private/README.md | 2 +- ciss.secureboot/public/README.md | 2 +- config/hooks/live/0022_dropbear_setup.chroot | 2 +- .../includes.chroot/etc/ssh/ssh_known_hosts | 2 +- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/90-ciss-local.hardened | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- .../usr/lib/live/boot/0022-ciss-overlay-tmpfs | 6 +- .../usr/lib/live/boot/0024-ciss-crypt-squash | 8 +- .../usr/lib/live/boot/0026-ciss-early-sysctl | 7 +- .../lib/live/boot/0030-ciss-verify-checksums | 8 ++ .../live/boot/0042_ciss_post_decrypt_attest | 103 ++++++++++++++---- .../usr/lib/live/boot/9990-main.sh | 15 ++- .../usr/lib/live/boot/9990-networking.sh | 13 ++- .../usr/lib/live/boot/9990-overlay.sh | 17 ++- docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/BOOTPARAMS.md | 2 +- docs/CHANGELOG.md | 14 ++- docs/CNET.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 6 +- docs/MAN_CISS_ISO_BOOT_CHAIN.md | 2 +- docs/MAN_SSH_Host_Key_Policy.md | 2 +- docs/REFERENCES.md | 2 +- docs/documentation/30-ciss-hardening.conf.md | 2 +- docs/documentation/90-ciss-local.hardened.md | 2 +- docs/documentation/ciss_live_builder.sh.md | 2 +- lib/lib_usage.sh | 4 +- scripts/usr/local/sbin/9999_cdi_starter.sh | 6 +- var/early.var.sh | 2 +- 56 files changed, 204 insertions(+), 97 deletions(-) diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index a62defc..d1b8b97 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index 1f8b576..a45d616 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index 015f4ae..c276005 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index be862a5..1e36c9b 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V9.14.016.2026.06.06" + placeholder: "e.g., Master V9.14.018.2026.06.07" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index 9119f08..e7ca750 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index f079943..4916125 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 🔁 Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index 9e0d583..eaad4ac 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.016.2026.06.06 + version: V9.14.018.2026.06.07 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index 61bd308..632361f 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.016.2026.06.06 + version: V9.14.018.2026.06.07 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 61bd308..632361f 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.016.2026.06.06 + version: V9.14.018.2026.06.07 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index 355f380..d4d70ee 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index cacf3f5..aaa8b85 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 3b65c1b..9551ef3 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 9da7aca..4a1feaa 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 1d2e423..cdaddf5 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 🛡️ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 83eae0e..db56c74 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 name: 🔁 Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index 8b8a3cc..5fa44e7 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 " properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V9.14.016.2026.06.06" +properties_version="V9.14.018.2026.06.07" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index ce28d63..f326da8 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V9.14.016.2026.06.06 +PackageVersion: Master V9.14.018.2026.06.07 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index dfcffab..c1e2a09 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.016.2026.06.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.018.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.** @@ -175,7 +175,7 @@ installer toolchain. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V9.14.016.2026.06.06` +Example: `V9.14.018.2026.06.07` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/REPOSITORY.md b/REPOSITORY.md index 39f37e7..59a2550 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **9.14**, Build **V9.14.016.2026.06.06** (as of 2025-10-11) +**Repository State:** Master Version **9.14**, Build **V9.14.018.2026.06.07** (as of 2025-10-11) ## 3.1. Top-Level Layout diff --git a/ciss.secureboot/private/README.md b/ciss.secureboot/private/README.md index d004fb7..746dde0 100644 --- a/ciss.secureboot/private/README.md +++ b/ciss.secureboot/private/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. CISS Secure Boot Private Material diff --git a/ciss.secureboot/public/README.md b/ciss.secureboot/public/README.md index 278bfe2..e973880 100644 --- a/ciss.secureboot/public/README.md +++ b/ciss.secureboot/public/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. CISS Secure Boot Public Material diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot index bcfddc9..d63f6b4 100644 --- a/config/hooks/live/0022_dropbear_setup.chroot +++ b/config/hooks/live/0022_dropbear_setup.chroot @@ -95,7 +95,7 @@ write_dropbear_conf() { [[ -z "${sshport:-}" ]] && sshport="2222" ### CISS internal - [[ "${sshport}" == "42137" ]] && sshport="44137" + [[ "${sshport}" == "42137" ]] && sshport="64137" cat << EOF >| /etc/dropbear/initramfs/dropbear.conf # SPDX-Version: 3.0 diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 4790590..3711073 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 669b9ab..36bc365 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened index bec0065..217fe58 100644 --- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened +++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened @@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.016.2026.06.06 +# Version Master V9.14.018.2026.06.07 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 27c2dcf..443f4a5 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V9.14.016.2026.06.06" +declare -gr VERSION="Master V9.14.018.2026.06.07" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index a4dcf76..5a61297 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V9.14.016.2026.06.06 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V9.14.018.2026.06.07 at: 10:18:37.9542 diff --git a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs index 1da7893..3d8742c 100644 --- a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs +++ b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs @@ -14,8 +14,10 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay. -# Phase : premount (executed by live-boot inside the initramfs). +# Module summary: +# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit. +# - Mount it with restrictive flags and permissions before OverlayFS uses it. +# - Prepare the upper and work directories required by the later live-boot overlay setup. _SAVED_SET_OPTS="$(set +o)" diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash index 894fe38..81bf303 100644 --- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash +++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash @@ -14,8 +14,12 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh' -# Phase : premount (executed by live-boot inside the initramfs) +# Module summary: +# - Read CISS boot parameters for the encrypted root path and live ISO label. +# - Mount the live medium read-only and locate the encrypted SquashFS container. +# - Attach the encrypted container through a read-only loop device. +# - Accept a LUKS passphrase from the local console or remotely unlock FIFO. +# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing. _SAVED_SET_OPTS="$(set +o)" diff --git a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl index 46059d5..8b94ecd 100644 --- a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl +++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl @@ -14,8 +14,11 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Purpose: Enforce early sysctls before services start. -# Phase : premount (executed by live-boot inside the initramfs). +# Module summary: +# - Runs during live-boot premount while the system is still inside the initramfs. +# - Applies early kernel hardening before the real root and regular services are active. +# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer +# exposure where supported. _SAVED_SET_OPTS="$(set +o)" diff --git a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums index 17c3b18..63d9d29 100644 --- a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums +++ b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums @@ -14,6 +14,14 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu +# Module summary: +# This live-boot component implements the verify-checksums mode for the mounted live medium. +# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept. +# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash, +# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It +# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or +# authenticity verification fails. + ### Modified Version of the original file: ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums' ### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic. diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest index 9f878e3..878f1a7 100644 --- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest +++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest @@ -14,8 +14,13 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Purpose: Late rootfs attestation and dmsetup health checking. -# Phase : executed by live-boot inside the 9990-main.sh. +# Module summary: +# - Runs after the encrypted live root filesystem has been decrypted. +# - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files +# inside the decrypted rootfs. +# - Verifies the attestation signature with gpgv against the pinned key material. +# - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed, +# or mismatched evidence. _SAVED_SET_OPTS="$(set +o)" @@ -30,7 +35,7 @@ export CDLB_EXP_FPR="@EXP_FPR@" export CDLB_EXP_CA_FPR="@EXP_CA_FPR@" ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ---------------------- -CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}" +export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}" ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------ CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}" @@ -66,33 +71,83 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; } ####################################### log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; } +####################################### +# Validate a boot-time attestation input file. +# Globals: +# None +# Arguments: +# 1: Human-readable artifact label +# 2: Absolute artifact path +# Returns: +# 0: on success +####################################### +require_attestation_file() { + artifact_label="${1}" + artifact_path="${2}" + + if [ ! -e "${artifact_path}" ]; then + + if [ -L "${artifact_path}" ]; then + + log_er "0042() : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]" + panic "0042() : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]" + + fi + + log_er "0042() : ${artifact_label} missing: [${artifact_path}]" + panic "0042() : ${artifact_label} missing: [${artifact_path}]" + + fi + + if [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then + + log_er "0042() : ${artifact_label} is not a regular file: [${artifact_path}]" + panic "0042() : ${artifact_label} is not a regular file: [${artifact_path}]" + + fi + + if [ ! -s "${artifact_path}" ]; then + + log_er "0042() : ${artifact_label} is empty: [${artifact_path}]" + panic "0042() : ${artifact_label} is empty: [${artifact_path}]" + + fi + + if [ ! -r "${artifact_path}" ]; then + + log_er "0042() : ${artifact_label} is not readable: [${artifact_path}]" + panic "0042() : ${artifact_label} is not readable: [${artifact_path}]" + + fi + + return 0 +} + HASH_FILE="${CDLB_ATTEST_FPR_SHA}" SIGN_FILE="${CDLB_ATTEST_FPR_SIG}" KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg" -if [ -s "${KEYFILE}" ]; then - - log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]" - panic "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]" - -fi - -if [ -s "${HASH_FILE}" ]; then - - log_er "0042() : Attestation data missing: [${HASH_FILE}]" - panic "0042() : Attestation data missing: [${HASH_FILE}]" - -fi - -if [ -s "${SIGN_FILE}" ]; then - - log_er "0042() : Attestation signature missing: [${SIGN_FILE}]" - panic "0042() : Attestation signature missing: [${SIGN_FILE}]" - -fi +require_attestation_file "Public key" "${KEYFILE}" +require_attestation_file "Attestation data" "${HASH_FILE}" +require_attestation_file "Attestation signature" "${SIGN_FILE}" log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR." -_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")" + +if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then + + log_er "0042() : gpgv verification failed for signature: [${SIGN_FILE}]" + + if [ -n "${_STATUS}" ]; then + + printf '%s\n' "${_STATUS}" >&2 + + fi + + sleep 8 + panic "0042() : gpgv verification failed for signature: [${SIGN_FILE}]" + +fi + _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')" ### Compare against pinned and expected fingerprint. --------------------------------------------------------------------------- diff --git a/config/includes.chroot/usr/lib/live/boot/9990-main.sh b/config/includes.chroot/usr/lib/live/boot/9990-main.sh index 50f7e8d..dfa8e67 100644 --- a/config/includes.chroot/usr/lib/live/boot/9990-main.sh +++ b/config/includes.chroot/usr/lib/live/boot/9990-main.sh @@ -14,9 +14,18 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh' -### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened. +# Modified Version of the original file: +# https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh' +# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened. + +# Module summary: +# - Run early cryptroot handling before live filesystem discovery. +# - Parse live-boot parameters, apply debug/read-only/network setup, and load initramfs configuration. +# - Locate or reuse the live filesystem from network, iSCSI, plain root, memdisk, LVM-backed media, or the +# CISS encrypted SquashFS preseed. +# - Verify checksums, optionally copy live media to RAM or disk, and mount the final live root via unionfs or image stacking. +# - Transfer selected runtime configuration into the target root, validate the mounted root, configure fstab/netbase/swap, and +# preserve boot logs. # set -e diff --git a/config/includes.chroot/usr/lib/live/boot/9990-networking.sh b/config/includes.chroot/usr/lib/live/boot/9990-networking.sh index 4f18ab1..97a9fb9 100644 --- a/config/includes.chroot/usr/lib/live/boot/9990-networking.sh +++ b/config/includes.chroot/usr/lib/live/boot/9990-networking.sh @@ -14,9 +14,16 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh' -### Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten. +# Modified Version of the original file: +# https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh' +# Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten. + +# Module summary: +# - Resolve the boot interface from Syslinux/PXELINUX BOOTIF metadata when available. +# - Bring up live-boot networking for local, netboot, fetch, HTTPFS, and FTPFS paths. +# - Probe configured or discovered interfaces with ipconfig and export the selected device. +# - Populate hostname, hosts, DNS, and HWADDR data only where needed by later boot stages. +# - Preserve an existing /etc/resolv.conf so systemd-networkd ownership is not overwritten. # set -e diff --git a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh index 7d9293a..ce406dc 100644 --- a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh +++ b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh @@ -14,9 +14,16 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh' -### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened. +# Modified Version of the original file: +# https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh' +# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened. + +# Module summary: +# This live-boot overlay module prepares the root filesystem view during boot. It accepts the CISS decrypted root +# device override from /run/ciss-rootdev, mounts the read-only root image set or plain-mapped root, applies dm-verity +# options where available, prepares the writable overlay backing store from tmpfs, persistence, or NFS_COW, creates the +# final union mounts, activates custom persistence mounts, normalizes key permissions, and invokes the CISS post-decrypt +# attestation hook after the overlay is in place. #set -e @@ -152,7 +159,7 @@ setup_unionfs () rootfslist="${mpoint} ${rootfslist}" mount_options="" - # Setup dm-verity support if a device has it supported + # Set up dm-verity support if a device has it supported hash_device="${image}.verity" # shellcheck disable=SC2086 if [ -f ${hash_device} ] @@ -434,7 +441,7 @@ setup_unionfs () fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}" done - # Remove persistence depending on boot parameter + # Remove persistence depending on the boot parameter Remove_persistence # Correct the permissions of /: diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index 36233f0..eb3a7bd 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 7245a79..8e04efa 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 290b72e..4fbbe31 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 7ae707b..5acbda9 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 5a3f164..7d55a39 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 761221d..fff91f2 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 50e9355..8391c20 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,22 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Changelog +## V9.14.018.2026.06.07 +* **Added**: [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) Module summary +* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Module summary +* **Added**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) Module summary +* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Module summary +* **Added**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Module summary +* **Added**: [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh) Module summary +* **Added**: [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh) Module summary +* **Added**: [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh) Module summary +* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Fixed: ``sysctl -p /etc/sysctl.d/90-ciss-local.hardened`` +* **Changed**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Fixed: Signature checksum verification. + ## V9.14.016.2026.06.06 * **Changed**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary) * **Changed**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary) diff --git a/docs/CNET.md b/docs/CNET.md index 04b146a..e5f2682 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 18c05fb..416ea6f 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index a8a29a4..0de29aa 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 5fab688..7114707 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 912f403..4b534e8 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V9.14.016.2026.06.06 +Master V9.14.018.2026.06.07 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2026 @@ -168,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. 💷 Please consider donating to my work at: 🌐 https://coresecret.eu/spenden/ - V9.14.016.2026.06.06 2026-05-17 CDLB(1) + V9.14.018.2026.06.07 2026-05-17 CDLB(1) ```` # 3. Booting diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md index 7073289..5b83815 100644 --- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md +++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation) diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md index 6daf3d4..098fe91 100644 --- a/docs/MAN_SSH_Host_Key_Policy.md +++ b/docs/MAN_SSH_Host_Key_Policy.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index bc7b1f8..e755440 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Resources diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md index 5fbb3cd..338257b 100644 --- a/docs/documentation/30-ciss-hardening.conf.md +++ b/docs/documentation/30-ciss-hardening.conf.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. ``30-ciss-hardening.conf`` diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md index b4fd766..50a1915 100644 --- a/docs/documentation/90-ciss-local.hardened.md +++ b/docs/documentation/90-ciss-local.hardened.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. ``90-ciss-local.hardened`` diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md index a3f8967..e4bd378 100644 --- a/docs/documentation/ciss_live_builder.sh.md +++ b/docs/documentation/ciss_live_builder.sh.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. ``ciss_live_builder.sh`` diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index 0d3fe6d..3f9e786 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -39,13 +39,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V9.14.016.2026.06.06 2026-06-04 CDLB(1)" "${var_cols}") + declare var_footer=$(center "V9.14.018.2026.06.07 2026-06-04 CDLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V9.14.016.2026.06.06\e[0m" + echo -e "\e[92mMaster V9.14.018.2026.06.07\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m" diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh index 73002df..2d5da28 100644 --- a/scripts/usr/local/sbin/9999_cdi_starter.sh +++ b/scripts/usr/local/sbin/9999_cdi_starter.sh @@ -100,7 +100,7 @@ readonly -f net_wait # 0: on success ####################################### sysp() { - sysctl -p /etc/sysctl.d/99_local.hardened + sysctl -p /etc/sysctl.d/90-ciss-local.hardened # shellcheck disable=SC2312 sysctl -a | grep -E '^(kernel|vm|net)\.' >| "/var/log/sysctl_check_$(date +'%Y-%m-%d_%H-%M-%S').log" @@ -130,7 +130,7 @@ main() { touch "${var_log}" - printf "CISS.debian.installer Master V9.14.016.2026.06.06 is up! \n" >> "${var_log}" + printf "CISS.debian.installer Master V9.14.018.2026.06.07 is up! \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -209,7 +209,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.installer Master V9.14.016.2026.06.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.installer Master V9.14.018.2026.06.07: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } diff --git a/var/early.var.sh b/var/early.var.sh index 907d181..799d490 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" declare -grx VAR_HOST="$(uname -n)" declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_SYSTEM="$(uname -mnosv)" -declare -grx VAR_VERSION="Master V9.14.016.2026.06.06" +declare -grx VAR_VERSION="Master V9.14.018.2026.06.07" declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{ # Print $4 and $5; include $6 only if it exists out = $4