V9.14.022.2026.06.10
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -365,10 +365,11 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
|
||||
## 2.9. UFW Hardening
|
||||
|
||||
* **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
|
||||
* **Primordial SSH exception**: `--primordial-ssh <port>` adds an outgoing-only UFW TCP exception for a bootstrap/recovery SSH
|
||||
port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall rule and does not replace
|
||||
`--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current hook still emits the
|
||||
requested labelled rule because this repository has no separate UFW rule deduplication layer.
|
||||
* **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
|
||||
`--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
|
||||
exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
|
||||
rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
|
||||
hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer.
|
||||
* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
|
||||
deployment.
|
||||
|
||||
@@ -524,7 +525,9 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
|
||||
--signing_key_pass=signing_key_pass.txt \
|
||||
--signing_key=signing_key.asc \
|
||||
--ssh-port 4242 \
|
||||
--primordial-ssh 2222 \
|
||||
--primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
|
||||
--primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
|
||||
--primordial-ssh 42842 \
|
||||
--ssh-pubkey /dev/shm/cdlb_secrets \
|
||||
--sshfp \
|
||||
--trixie
|
||||
@@ -574,7 +577,9 @@ preview it or run it.
|
||||
SSH_PUBKEY=/dev/shm/cdlb_secrets
|
||||
|
||||
# Optional
|
||||
PRIMORDIAL_SSH_PORT=2222
|
||||
PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git
|
||||
PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10
|
||||
PRIMORDIAL_SSH_PORT=42842
|
||||
PROVIDER_NETCUP_IPV6=2001:cdb::1
|
||||
# comma-separated; IPv6 in [] is fine
|
||||
JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
|
||||
|
||||
Reference in New Issue
Block a user