msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]

Browse Source
This commit is contained in:
Marc S. Weidner
2025-06-02 07:32:11 +00:00
parent 8dc2bc97cd
commit a86bac8963
27 changed files with 5433 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

180
.html/AUDIT_DNSSEC.html Normal file
View File

@@ -0,0 +1,180 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/AUDIT_DNSSEC.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/AUDIT_DNSSEC.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-dnssec-status">2. DNSSEC Status</h1>
<p>This is an auto-generated overview of the DNSSEC status of <code>coresecret.dev</code> at the time of the last human-initiated push event.</p>
<p><img src="SECURITY/coresecret.dev.png" alt="DNSSEC Status" /></p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

309
.html/AUDIT_HAVEGED.html Normal file
View File

@@ -0,0 +1,309 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/AUDIT_HAVEGED.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/AUDIT_HAVEGED.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-haveged-audit-on-netcup-rs-2000-g11">2. Haveged Audit on Netcup RS 2000 G11</h1>
<pre class="text"><code>Mon May 19|root@live:~/&gt;&gt;0|~$ haveged -n 0 | dieharder -g 200 -a
haveged: command socket is listening at fd 3
Writing unlimited bytes to stdout
#=============================================================================#
# dieharder version 3.31.1 Copyright 2003 Robert G. Brown #
#=============================================================================#
rng_name |rands/second| Seed |
stdin_input_raw| 1.77e+07 |1806134257|
#=============================================================================#
test_name |ntup| tsamples |psamples| p-value |Assessment
#=============================================================================#
diehard_birthdays| 0| 100| 100|0.21358950| PASSED
diehard_operm5| 0| 1000000| 100|0.23365564| PASSED
diehard_rank_32x32| 0| 40000| 100|0.33364435| PASSED
diehard_rank_6x8| 0| 100000| 100|0.83680113| PASSED
diehard_bitstream| 0| 2097152| 100|0.89183344| PASSED
diehard_opso| 0| 2097152| 100|0.95817018| PASSED
diehard_oqso| 0| 2097152| 100|0.25923499| PASSED
diehard_dna| 0| 2097152| 100|0.28604687| PASSED
diehard_count_1s_str| 0| 256000| 100|0.25146863| PASSED
diehard_count_1s_byt| 0| 256000| 100|0.64817854| PASSED
diehard_parking_lot| 0| 12000| 100|0.68180941| PASSED
diehard_2dsphere| 2| 8000| 100|0.52576112| PASSED
diehard_3dsphere| 3| 4000| 100|0.02636962| PASSED
diehard_squeeze| 0| 100000| 100|0.81226498| PASSED
diehard_sums| 0| 100| 100|0.54642776| PASSED
diehard_runs| 0| 100000| 100|0.98440072| PASSED
diehard_runs| 0| 100000| 100|0.75118526| PASSED
diehard_craps| 0| 200000| 100|0.93104571| PASSED
diehard_craps| 0| 200000| 100|0.45994663| PASSED
marsaglia_tsang_gcd| 0| 10000000| 100|0.38263075| PASSED
marsaglia_tsang_gcd| 0| 10000000| 100|0.16784328| PASSED
sts_monobit| 1| 100000| 100|0.26368088| PASSED
sts_runs| 2| 100000| 100|0.10069666| PASSED
sts_serial| 1| 100000| 100|0.53426480| PASSED
sts_serial| 2| 100000| 100|0.95654933| PASSED
sts_serial| 3| 100000| 100|0.75042664| PASSED
sts_serial| 3| 100000| 100|0.27693306| PASSED
sts_serial| 4| 100000| 100|0.79225401| PASSED
sts_serial| 4| 100000| 100|0.49273684| PASSED
sts_serial| 5| 100000| 100|0.58017632| PASSED
sts_serial| 5| 100000| 100|0.39423250| PASSED
sts_serial| 6| 100000| 100|0.72811005| PASSED
sts_serial| 6| 100000| 100|0.94342669| PASSED
sts_serial| 7| 100000| 100|0.98343053| PASSED
sts_serial| 7| 100000| 100|0.74692814| PASSED
sts_serial| 8| 100000| 100|0.56538653| PASSED
sts_serial| 8| 100000| 100|0.91826111| PASSED
sts_serial| 9| 100000| 100|0.63502589| PASSED
sts_serial| 9| 100000| 100|0.28959825| PASSED
sts_serial| 10| 100000| 100|0.74650890| PASSED
sts_serial| 10| 100000| 100|0.95475310| PASSED
sts_serial| 11| 100000| 100|0.35838186| PASSED
sts_serial| 11| 100000| 100|0.80481197| PASSED
sts_serial| 12| 100000| 100|0.74700860| PASSED
sts_serial| 12| 100000| 100|0.49849890| PASSED
sts_serial| 13| 100000| 100|0.55828107| PASSED
sts_serial| 13| 100000| 100|0.23244603| PASSED
sts_serial| 14| 100000| 100|0.23080285| PASSED
sts_serial| 14| 100000| 100|0.83936220| PASSED
sts_serial| 15| 100000| 100|0.64411755| PASSED
sts_serial| 15| 100000| 100|0.99255934| PASSED
sts_serial| 16| 100000| 100|0.00563047| PASSED
sts_serial| 16| 100000| 100|0.31608374| PASSED
rgb_bitdist| 1| 100000| 100|0.64550890| PASSED
rgb_bitdist| 2| 100000| 100|0.87656240| PASSED
rgb_bitdist| 3| 100000| 100|0.67169827| PASSED
rgb_bitdist| 4| 100000| 100|0.44406906| PASSED
rgb_bitdist| 5| 100000| 100|0.67772729| PASSED
rgb_bitdist| 6| 100000| 100|0.73853919| PASSED
rgb_bitdist| 7| 100000| 100|0.86999808| PASSED
rgb_bitdist| 8| 100000| 100|0.01313259| PASSED
rgb_bitdist| 9| 100000| 100|0.55009611| PASSED
rgb_bitdist| 10| 100000| 100|0.70726109| PASSED
rgb_bitdist| 11| 100000| 100|0.03154815| PASSED
rgb_bitdist| 12| 100000| 100|0.84462282| PASSED
rgb_minimum_distance| 2| 10000| 1000|0.83132423| PASSED
rgb_minimum_distance| 3| 10000| 1000|0.68188237| PASSED
rgb_minimum_distance| 4| 10000| 1000|0.51409655| PASSED
rgb_minimum_distance| 5| 10000| 1000|0.42544360| PASSED
rgb_permutations| 2| 100000| 100|0.66313395| PASSED
rgb_permutations| 3| 100000| 100|0.95535890| PASSED
rgb_permutations| 4| 100000| 100|0.45758425| PASSED
rgb_permutations| 5| 100000| 100|0.98313853| PASSED
rgb_lagged_sum| 0| 1000000| 100|0.41578816| PASSED
rgb_lagged_sum| 1| 1000000| 100|0.76861829| PASSED
rgb_lagged_sum| 2| 1000000| 100|0.43447789| PASSED
rgb_lagged_sum| 3| 1000000| 100|0.49698037| PASSED
rgb_lagged_sum| 4| 1000000| 100|0.02212798| PASSED
rgb_lagged_sum| 5| 1000000| 100|0.04465057| PASSED
rgb_lagged_sum| 6| 1000000| 100|0.10526977| PASSED
rgb_lagged_sum| 7| 1000000| 100|0.79849751| PASSED
rgb_lagged_sum| 8| 1000000| 100|0.83675235| PASSED
rgb_lagged_sum| 9| 1000000| 100|0.37604856| PASSED
rgb_lagged_sum| 10| 1000000| 100|0.46712205| PASSED
rgb_lagged_sum| 11| 1000000| 100|0.16098525| PASSED
rgb_lagged_sum| 12| 1000000| 100|0.81557499| PASSED
rgb_lagged_sum| 13| 1000000| 100|0.11553821| PASSED
rgb_lagged_sum| 14| 1000000| 100|0.85637944| PASSED
rgb_lagged_sum| 15| 1000000| 100|0.91125298| PASSED
rgb_lagged_sum| 16| 1000000| 100|0.59747378| PASSED
rgb_lagged_sum| 17| 1000000| 100|0.70077562| PASSED
rgb_lagged_sum| 18| 1000000| 100|0.66815407| PASSED
rgb_lagged_sum| 19| 1000000| 100|0.04941226| PASSED
rgb_lagged_sum| 20| 1000000| 100|0.37939018| PASSED
rgb_lagged_sum| 21| 1000000| 100|0.42653722| PASSED
rgb_lagged_sum| 22| 1000000| 100|0.86316011| PASSED
rgb_lagged_sum| 23| 1000000| 100|0.43038293| PASSED
rgb_lagged_sum| 24| 1000000| 100|0.34472083| PASSED
rgb_lagged_sum| 25| 1000000| 100|0.73741194| PASSED
rgb_lagged_sum| 26| 1000000| 100|0.05584980| PASSED
rgb_lagged_sum| 27| 1000000| 100|0.80601600| PASSED
rgb_lagged_sum| 28| 1000000| 100|0.99361052| PASSED
rgb_lagged_sum| 29| 1000000| 100|0.27812997| PASSED
rgb_lagged_sum| 30| 1000000| 100|0.94547008| PASSED
rgb_lagged_sum| 31| 1000000| 100|0.02400797| PASSED
rgb_lagged_sum| 32| 1000000| 100|0.98890248| PASSED
rgb_kstest_test| 0| 10000| 1000|0.53680166| PASSED
dab_bytedistrib| 0| 51200000| 1|0.38634245| PASSED
dab_dct| 256| 50000| 1|0.02760776| PASSED
Preparing to run test 207. ntuple = 0
dab_filltree| 32| 15000000| 1|0.47264235| PASSED
dab_filltree| 32| 15000000| 1|0.49416126| PASSED
Preparing to run test 208. ntuple = 0
dab_filltree2| 0| 5000000| 1|0.12940766| PASSED
dab_filltree2| 1| 5000000| 1|0.40415388| PASSED
Preparing to run test 209. ntuple = 0
dab_monobit2| 12| 65000000| 1|0.51567978| PASSED
haveged: Cannot write data in file: Broken pipe
tot tests(BA8): A:1/1 B:1/1 last entropy estimate 8.00294
fills: 470064, generated: 229.5 G bytes</code></pre>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

783
.html/AUDIT_LYNIS.html Normal file
View File

@@ -0,0 +1,783 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/AUDIT_LYNIS.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/AUDIT_LYNIS.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-lynis-audit">2. Lynis Audit:</h1>
<pre class="text"><code>[ Lynis 3.1.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2024, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.1.4
Operating system: Linux
Operating system name: Debian
Operating system version: 12
Kernel version: 6.12.22+bpo
Hardware platform: x86_64
Hostname: live
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
Auditor: Centurion_Intelligence_Consulting_Agency
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
[+] System tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugins enabled [ NONE ]
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ ENABLED ]
- Checking Secure Boot [ DISABLED ]
- Boot loader [ NONE FOUND ]
- Check running services (systemctl) [ DONE ]
Result: found 17 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 24 enabled services
- Check startup files (permissions) [ OK ]
- Running &#39;systemd-analyze security&#39;
Unit name (exposure value) and predicate
--------------------------------
- auditd.service (value=8.7) [ EXPOSED ]
- chrony.service (value=3.5) [ PROTECTED ]
- clamav-daemon.service (value=3.5) [ PROTECTED ]
- cron.service (value=9.6) [ UNSAFE ]
- dbus.service (value=9.6) [ UNSAFE ]
- dm-event.service (value=9.5) [ UNSAFE ]
- emergency.service (value=9.5) [ UNSAFE ]
- fail2ban.service (value=6.5) [ MEDIUM ]
- getty@tty1.service (value=9.6) [ UNSAFE ]
- haveged.service (value=3.0) [ PROTECTED ]
- ifup@ens3.service (value=9.5) [ UNSAFE ]
- ifup@ens4.service (value=9.5) [ UNSAFE ]
- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
- polkit.service (value=9.6) [ UNSAFE ]
- rc-local.service (value=9.6) [ UNSAFE ]
- rescue.service (value=9.5) [ UNSAFE ]
- rsyslog.service (value=9.6) [ UNSAFE ]
- ssh.service (value=9.6) [ UNSAFE ]
- systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
- systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
- systemd-fsckd.service (value=9.5) [ UNSAFE ]
- systemd-initctl.service (value=9.4) [ UNSAFE ]
- systemd-journald.service (value=4.3) [ PROTECTED ]
- systemd-logind.service (value=2.8) [ PROTECTED ]
- systemd-networkd.service (value=2.6) [ PROTECTED ]
- systemd-udevd.service (value=7.1) [ MEDIUM ]
- unattended-upgrades.service (value=9.6) [ UNSAFE ]
- usbguard-dbus.service (value=9.6) [ UNSAFE ]
- usbguard.service (value=2.8) [ PROTECTED ]
- user@0.service (value=9.8) [ UNSAFE ]
- uuidd.service (value=5.8) [ MEDIUM ]
[+] Kernel
------------------------------------
- Checking default runlevel [ runlevel 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 84 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ NOT FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration
- configuration in systemd conf files [ DEFAULT ]
- configuration in /etc/profile [ DEFAULT ]
- &#39;hard&#39; configuration in /etc/security/limits.conf [ DISABLED ]
- &#39;soft&#39; configuration in /etc/security/limits.conf [ DISABLED ]
- Checking setuid core dumps configuration [ DISABLED ]
- Check if reboot is needed [ NO ]
[+] Memory and Processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ NOT FOUND ]
- Searching for IO waiting processes [ NOT FOUND ]
- Search prelink tooling [ NOT FOUND ]
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Password hashing methods [ OK ]
- Password hashing rounds (minimum) [ CONFIGURED ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- Sudoers file(s) [ FOUND ]
- Permissions for directory: /etc/sudoers.d [ OK ]
- Permissions for: /etc/sudoers [ OK ]
- Permissions for: /etc/sudoers.d/README [ OK ]
- Permissions for: /etc/sudoers.d/live [ OK ]
- PAM password strength tools [ OK ]
- PAM configuration files (pam.conf) [ FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Locked accounts [ OK ]
- User password aging (minimum) [ CONFIGURED ]
- User password aging (maximum) [ CONFIGURED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ OK ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ]
[+] Kerberos
------------------------------------
- Check for Kerberos KDC and principals [ NOT FOUND ]
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 12 shells (valid shells: 12).
- Session timeout settings/tools [ FOUND ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ OK ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Mount options of /dev [ PARTIALLY HARDENED ]
- Mount options of /dev/shm [ PARTIALLY HARDENED ]
- Mount options of /run [ HARDENED ]
- Mount options of /tmp [ PARTIALLY HARDENED ]
- Total without nodev:11 noexec:13 nosuid:9 ro or noexec (W^X): 9 of total 33
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems
- Module cramfs is blacklisted [ OK ]
- Module freevxfs is blacklisted [ OK ]
- Module hfs is blacklisted [ OK ]
- Module hfsplus is blacklisted [ OK ]
- Module jffs2 is blacklisted [ OK ]
- Module udf is blacklisted [ OK ]
[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking USBGuard [ FOUND ]
- Configuration [ FOUND ]
- Restore controller device state [ false ]
- Rule for controllers connected before daemon starts [ keep ]
- Rule for devices connected before daemon starts [ allow ]
- Rule for devices inserted after daemon starts [ apply-policy ]
- Rule for devices not in RuleFile [ block ]
- RuleFile [ FOUND ]
- Controllers &amp; Devices allow [ 2 ]
- Controllers &amp; Devices block [ 0 ]
- Controllers &amp; Devices reject [ 0 ]
[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ DISABLED ]
[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]
[+] Name services
------------------------------------
- Searching DNS domain name [ FOUND ]
Domain name: local
- Checking /etc/hosts
- Duplicate entries in hosts file [ NONE ]
- Presence of configured hostname in /etc/hosts [ FOUND ]
- Hostname mapped to localhost [ NOT FOUND ]
- Localhost mapping to IP address [ OK ]
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager
- Query unpurged packages [ NONE ]
- debsums utility [ FOUND ]
- Cron job for debsums [ FOUND ]
- Checking security repository in sources.list file [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages (apt-get only) [ DONE ]
- Checking upgradeable packages [ NONE ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get
- Toolkit for automatic upgrades (unattended-upgrade) [ FOUND ]
[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
Configuration method [ MANUAL ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 135.181.207.105 [ OK ]
Nameserver: 89.58.62.53 [ OK ]
- Minimal of 2 responsive nameservers [ OK ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ RUNNING ]
- Checking for ARP monitoring software [ NOT FOUND ]
- Uncommon network protocols [ NOT FOUND ]
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Chain INPUT (table: filter, target: DROP) [ DROP ]
- Chain INPUT (table: security, target: ACCEPT) [ ACCEPT ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- OpenSSH option: AllowTcpForwarding [ OK ]
- OpenSSH option: ClientAliveCountMax [ OK ]
- OpenSSH option: ClientAliveInterval [ OK ]
- OpenSSH option: FingerprintHash [ OK ]
- OpenSSH option: GatewayPorts [ OK ]
- OpenSSH option: IgnoreRhosts [ OK ]
- OpenSSH option: LoginGraceTime [ OK ]
- OpenSSH option: LogLevel [ OK ]
- OpenSSH option: MaxAuthTries [ OK ]
- OpenSSH option: MaxSessions [ OK ]
- OpenSSH option: PermitRootLogin [ OK ]
- OpenSSH option: PermitUserEnvironment [ OK ]
- OpenSSH option: PermitTunnel [ OK ]
- OpenSSH option: Port [ OK ]
- OpenSSH option: PrintLastLog [ OK ]
- OpenSSH option: StrictModes [ OK ]
- OpenSSH option: TCPKeepAlive [ OK ]
- OpenSSH option: UseDNS [ OK ]
- OpenSSH option: X11Forwarding [ OK ]
- OpenSSH option: AllowAgentForwarding [ OK ]
- OpenSSH option: AllowUsers [ FOUND ]
- OpenSSH option: AllowGroups [ NOT FOUND ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]
[+] Databases
------------------------------------
No database engines found
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]
[+] PHP
------------------------------------
- Checking PHP [ NOT FOUND ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking wazuh-agent daemon status [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking remote logging [ NOT ENABLED ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ DONE ]
[+] Insecure services
------------------------------------
- Installed inetd package [ NOT FOUND ]
- Installed xinetd package [ OK ]
- xinetd status [ NOT ACTIVE ]
- Installed rsh client package [ OK ]
- Installed rsh server package [ OK ]
- Installed telnet client package [ OK ]
- Installed telnet server package [ NOT FOUND ]
- Checking NIS client installation [ OK ]
- Checking NIS server installation [ OK ]
- Checking TFTP client installation [ OK ]
- Checking TFTP server installation [ OK ]
[+] Banners and identification
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ OK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ OK ]
[+] Scheduled tasks
------------------------------------
- Checking crontab and cronjob files [ DONE ]
[+] Accounting
------------------------------------
- Checking accounting information [ OK ]
- Checking sysstat accounting data [ ENABLED ]
- Checking auditd [ ENABLED ]
- Checking audit rules [ OK ]
- Checking audit configuration file [ OK ]
- Checking auditd log file [ FOUND ]
[+] Time and Synchronization
------------------------------------
- NTP daemon found: chronyd [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/139] [ NONE ]
[WARNING]: Test CRYP-7902 had a long execution: 20.445007 seconds
- Found 0 encrypted and 0 unencrypted swap devices in use. [ OK ]
- Kernel entropy is sufficient [ YES ]
- HW RNG &amp; rngd [ NO ]
- SW prng [ YES ]
- MOR variable not found [ WEAK ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ DISABLED ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- AIDE [ FOUND ]
- AIDE config file [ FOUND ]
- AIDE database [ FOUND ]
- dm-integrity (status) [ DISABLED ]
- dm-verity (status) [ DISABLED ]
- AIDE config (Checksum) [ OK ]
- Checking presence integrity tool [ FOUND ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Ansible artifact [ FOUND ]
- Automation tooling [ FOUND ]
- Checking presence of Fail2ban [ FOUND ]
- Checking Fail2ban jails [ ENABLED ]
- Checking for IDS/IPS tooling [ FOUND ]
[+] Software: Malware
------------------------------------
- Checking chkrootkit [ FOUND ]
- Checking Rootkit Hunter [ FOUND ]
- Checking ClamAV scanner [ FOUND ]
- Malware software components [ FOUND ]
- Active agent [ NOT FOUND ]
- Rootkit scanner [ FOUND ]
[+] File Permissions
------------------------------------
- Starting file permissions check
File: /etc/cron.allow [ OK ]
File: /etc/crontab [ OK ]
File: /etc/group [ OK ]
File: /etc/group- [ OK ]
File: /etc/hosts.allow [ OK ]
File: /etc/hosts.deny [ OK ]
File: /etc/issue [ OK ]
File: /etc/issue.net [ OK ]
File: /etc/motd [ OK ]
File: /etc/passwd [ OK ]
File: /etc/passwd- [ OK ]
File: /etc/ssh/sshd_config [ OK ]
Directory: /root/.ssh [ OK ]
Directory: /etc/cron.d [ OK ]
Directory: /etc/cron.daily [ OK ]
Directory: /etc/cron.hourly [ OK ]
Directory: /etc/cron.weekly [ OK ]
Directory: /etc/cron.monthly [ OK ]
[+] Home directories
------------------------------------
- Permissions of home directories [ OK ]
- Ownership of home directories [ OK ]
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- dev.tty.ldisc_autoload (exp: 0) [ OK ]
- fs.protected_fifos (exp: 2) [ OK ]
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_regular (exp: 2) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ OK ]
- kernel.kptr_restrict (exp: 2) [ OK ]
- kernel.modules_disabled (exp: 1) [ OK ]
- kernel.perf_event_paranoid (exp: 2 3 4) [ OK ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ OK ]
- kernel.unprivileged_bpf_disabled (exp: 1) [ OK ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
- net.core.bpf_jit_harden (exp: 2) [ OK ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ OK ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ OK ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ FOUND ]
- Non-native binary formats [ FOUND ]
[+] Custom tests
------------------------------------
- Running custom tests... [ NONE ]
[+] Plugins (phase 2)
------------------------------------
================================================================================
-[ Lynis 3.1.4 Results ]-
Great, no warnings
Suggestions (5):
----------------------------
* Consider hardening system services [BOOT-5264]
- Details : Run &#39;/usr/bin/systemd-analyze security SERVICE&#39; for each service
- Related resources
* Article: Systemd features to secure service files: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
* Website: https://cisofy.com/lynis/controls/BOOT-5264/
* To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
- Related resources
* Website: https://cisofy.com/lynis/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
- Related resources
* Website: https://cisofy.com/lynis/controls/FILE-6310/
* Check iptables rules to see which rules are currently not used [FIRE-4513]
- Related resources
* Website: https://cisofy.com/lynis/controls/FIRE-4513/
* Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
- Related resources
* Website: https://cisofy.com/lynis/controls/LOGG-2154/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 92 [################## ]
Tests performed : 261
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [V]
Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Lynis 3.1.4
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2024, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)</code></pre>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

212
.html/AUDIT_SSH.html Normal file
View File

@@ -0,0 +1,212 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/AUDIT_SSH.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/AUDIT_SSH.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-ssh-audit-by-ssh-auditcom">2. SSH Audit by ssh-audit.com</h1>
<p><img src="/docs/screenshots/CISS.debian.live.builder_ssh_audit.png" alt="CISS.2025.debian.live.builder" /></p>
<h1 id="3-ssh-audit-by-httpsgithubcomjtestassh-audit">3. SSH Audit by <a href="https://github.com/jtesta/ssh-audit">https://github.com/jtesta/ssh-audit</a></h1>
<pre class="text"><code># general
(gen) banner: SSH-2.0-OpenSSH_9.2p1
(gen) software: OpenSSH 9.2p1
(gen) compatibility: OpenSSH 9.9+, Dropbear SSH 2020.79+
(gen) compression: disabled
# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
`- [info] default key exchange from OpenSSH 9.0 to 9.8
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) sntrup761x25519-sha512 -- [info] available since OpenSSH 9.9
`- [info] default key exchange since OpenSSH 9.9
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) kex-strict-s-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
# host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79
# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
# algorithm recommendations (for OpenSSH 9.2)
(rec) +aes128-ctr -- enc algorithm to append
(rec) +aes128-gcm@openssh.com -- enc algorithm to append
(rec) +aes192-ctr -- enc algorithm to append</code></pre>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

223
.html/CCLA-1.0.html Normal file
View File

@@ -0,0 +1,223 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./config/includes.chroot/preseed/CCLA-1.0.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./config/includes.chroot/preseed/CCLA-1.0.md</h1>
</header>
<h1 id="centurion-commercial-license-agreement-10">Centurion Commercial License Agreement 1.0</h1>
<h2 id="1-general-terms"><strong>1. General Terms</strong></h2>
<p>1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").</p>
<p>1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.</p>
<p>1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.</p>
<p>1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.</p>
<h2 id="2-grant-of-license"><strong>2. Grant of License</strong></h2>
<p>2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a</p>
<ul>
<li>non-exclusive,</li>
<li>non-transferable,</li>
<li>time-limited,</li>
</ul>
<p>right to use the Software for commercial purposes.</p>
<p>2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.</p>
<h2 id="3-subscription-fees-and-payment"><strong>3. Subscription Fees and Payment</strong></h2>
<p>3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.</p>
<p>3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.</p>
<h2 id="4-restrictions"><strong>4. Restrictions</strong></h2>
<p>4.1. Licensee shall not:</p>
<ul>
<li>Distribute, sublicense, or resell the Software.</li>
<li>Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.</li>
</ul>
<p>4.2. The Software may not be used for illegal or unethical purposes.</p>
<h2 id="5-support-and-updates"><strong>5. Support and Updates</strong></h2>
<p>5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying support agreement.</p>
<p>5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.</p>
<h2 id="6-termination"><strong>6. Termination</strong></h2>
<p>6.1. This Agreement is valid for the subscription term unless terminated earlier:</p>
<ul>
<li>By Licensee, with a 30-day written notice.</li>
<li>By Licensor, in the event of Licensees breach of this Agreement.</li>
</ul>
<p>6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.</p>
<h2 id="7-liability-and-warranty"><strong>7. Liability and Warranty</strong></h2>
<p>7.1. The Software is provided "as is" without warranties of any kind, except as required by law.</p>
<p>7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.</p>
<h2 id="8-governing-law"><strong>8. Governing Law</strong></h2>
<p>8.1. This Agreement shall be governed by the laws of Portugal.</p>
<p>8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.</p>
<h2 id="9-miscellaneous"><strong>9. Miscellaneous</strong></h2>
<p>9.1. Any changes to this Agreement must be in writing and signed by both parties.</p>
<p>9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.</p>
<h2 id="10-contact-information">10. <strong>Contact Information</strong></h2>
<ul>
<li>Licensor : Centurion Intelligence Consulting Agency</li>
<li>Email : <a href="mailto:legal@coresecret.eu">legal@coresecret.eu</a></li>
</ul>
<hr />
<p>This Subscription License Agreement was last updated at 09.05.2025.</p>
</body>
</html>

178
.html/CHANGELOG.html Normal file
View File

@@ -0,0 +1,178 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/CHANGELOG.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/CHANGELOG.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="tba">TBA</h1>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

250
.html/CODING_CONVENTION.html Normal file
View File

@@ -0,0 +1,250 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/CODING_CONVENTION.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/CODING_CONVENTION.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-coding-style">2. Coding Style</h1>
<h2 id="21-pr">2.1. PR</h2>
<p>You'd make the life of the maintainers easier if you submit only <em>one</em> patch with <em>one</em> functional change per PR.</p>
<h2 id="22-documentation">2.2 Documentation</h2>
<p>Some people really read that ! New features would need to be documented in the appropriate section in <code>usage()</code> and in <code>~/docs/DOCUMENTATION.md</code>.</p>
<h2 id="23-coding">2.3. Coding</h2>
<h3 id="231-shell--bash">2.3.1. Shell / bash</h3>
<p>Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.</p>
<ul>
<li>Don't use backticks anymore, use <code>$(..)</code> instead</li>
<li>Use double square <code>[[]]</code> brackets (<em>conditional expressions)</em> instead of single square <code>[]</code> brackets</li>
<li>In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (<code>=~</code>) you shouldn't quote at all.</li>
<li>The <a href="http://mywiki.wooledge.org/BashPitfalls">BashPitfalls</a> is a good read!</li>
<li>Whenever possible try to avoid <code>tr</code> <code>sed</code> <code>awk</code> and use bash internal functions instead, see e.g., <a href="http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html">bash shell parameter substitution</a>. It is slower as it forks, fopens and pipes back the result.</li>
<li><code>read</code> often can replace <code>awk</code>: <code>IFS=, read -ra a b c &lt;&lt;&lt; "$line_with_comma"</code></li>
<li>Bash can also deal perfectly with regular expressions, see e.g., <a href="https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html">here</a> and <a href="https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com">here</a>. You can as well have a look @ <code>is_ipv4addr()</code> or <code>is_ipv6addr()</code>.</li>
<li>If you still need to use any of <code>tr</code>, <code>sed</code> and <code>awk</code>: try to avoid a mix of several external binaries e.g., if you can achieve the same with e.g. <code>awk</code>.</li>
<li>Be careful with very advanced bash features. Mac OS X is still using bash version 3 (<a href="http://tldp.org/LDP/abs/html/bashver4.html">differences</a>).</li>
<li>Always use a return value for a function/method. 0 means all is fine.</li>
<li>Make use of <a href="https://github.com/koalaman/shellcheck">shellcheck</a> if possible.</li>
<li>Follow the <a href="https://google.github.io/styleguide/shellguide.html">shellformat</a> Shell-Style Guide.</li>
</ul>
<h3 id="232-shell-specific">2.3.2. Shell specific</h3>
<ul>
<li>Security:
<ul>
<li>Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.</li>
<li>Unless you're really sure where the values come from, variables need to be put in quotes.</li>
</ul></li>
</ul>
<h3 id="233-variables">2.3.3. Variables</h3>
<ul>
<li>Use <strong>"speaking variables"</strong> but don't overdo it with the length.</li>
<li>No <em>camelCase</em>, please. We distinguish between lowercase and uppercase only.
<ul>
<li>Global variables:
<ul>
<li>use them only when really necessary,</li>
<li>in CAPS,</li>
<li>initialize them (<code>declare -g VAR_EXAMPLE=""</code>),</li>
<li>SHOULD start with:
<ul>
<li><code>ARY_</code> for Arrays,</li>
<li><code>C_</code> for Variables defining colored outputs,</li>
<li><code>ERR_</code> for Error Codes Variables,</li>
<li><code>HMP_</code> for HashMap Arrays,</li>
<li><code>LOG_</code> for Logfile Variables,</li>
<li><code>PID_</code> for PID Variables,</li>
<li><code>PIPE_</code> for PIPE Variables,</li>
<li><code>VAR_</code> for Variables</li>
</ul></li>
</ul></li>
<li>Local variables:
<ul>
<li>are lower case,</li>
<li>declare them before usage (<code>declare</code> eq <code>local</code>),</li>
<li>initialize them (<code>declare var_example=""</code>),</li>
<li>SHOULD start with:
<ul>
<li><code>ary_</code> for Arrays,</li>
<li><code>c_</code> for Variables defining colored outputs,</li>
<li><code>err_</code> for Error Codes Variables,</li>
<li><code>hmp_</code> for HashMap Arrays,</li>
<li><code>log_</code> for Logfile Variables,</li>
<li><code>var_</code> for Variables.</li>
</ul></li>
</ul></li>
</ul></li>
</ul>
<h1 id="3-misc">3. Misc</h1>
<ul>
<li>Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.</li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

184
.html/CONTRIBUTING.html Normal file
View File

@@ -0,0 +1,184 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/CONTRIBUTING.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/CONTRIBUTING.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-contributors">2. Contributors</h1>
<h2 id="x">X</h2>
<p>I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.</p>
<h2 id="ζ">Ζ</h2>
<ul>
<li>Zimnol, André H.; Private Contributor</li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

186
.html/CREDITS.html Normal file
View File

@@ -0,0 +1,186 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/CREDITS.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/CREDITS.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-credits">2. Credits</h1>
<h2 id="22-authors">2.2. Authors</h2>
<h2 id="23-contributors">2.3. Contributors</h2>
<h3 id="x">X</h3>
<p>I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.</p>
<h3 id="ζ">Ζ</h3>
<ul>
<li>Zimnol, André H.; Private Contributor</li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

300
.html/DOCUMENTATION.html Normal file
View File

@@ -0,0 +1,300 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/DOCUMENTATION.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/DOCUMENTATION.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-usage">2. Usage</h1>
<pre class="text"><code>CISS.debian.live.builder
Master V8.03.127.2025.06.02
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
https://coresecret.eu/
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
&quot;./ciss_live_builder.sh &lt;option&gt;&quot;, where &lt;option&gt; is one or more of:
--help, -h
What you&#39;re looking at.
--architecture &lt;STRING&gt; one of &lt;amd64 | arm64&gt;
A string reflecting the architecture of the Live System.
MUST be provided.
--build-directory &lt;/path/to/build_directory&gt;
Where the Debian Live Build Image should be generated.
MUST be provided.
--change-splash &lt;STRING&gt; one of &lt;club | hexagon&gt;
A string reflecting the GRub Boot Screen Splash you want to use.
If omitted defaults to &quot;./.archive/background/club.png&quot;.
--cdi (Experimental Feature)
This option generates a boot menu entry to start the forthcoming
&#39;CISS.debian.installer&#39;, which will be executed after
the system has successfully booted up.
--contact, -c
Displays contact information of the author.
--control &lt;INTEGER&gt;
An integer that reflects the version of your Live ISO Image.
MUST be provided.
--debug
Enables debug logging for the main program routine. Detailed logging
information are written to &quot;/tmp/ciss_live_builder_3764286.log&quot;
--dhcp-centurion
If a DHCP lease is provided, the provider&#39;s nameserver will be overridden,
and only the hardened, privacy-focused Centurion DNS servers will be used:
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
--jump-host &lt;IP | IP | ... &gt;
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
If provided, than it MUST be a &lt;SPACE&gt; separated list.
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
--log-statistics-only
Provides statistic only after successful building a
CISS.debian.live-ISO. While enabling &quot;--log-statistics-only&quot;
the argument &quot;--build-directory&quot; MUST be provided while
all further options MUST be omitted.
--provider-netcup-ipv6
Activates IPv6 support for Netcup Root Server. One unique
IPv6 address MUST be provided in this case.
--renice-priority &lt;PRIORITY&gt;
Reset the nice priority value of the script and all its children
to the desired PRIORITY. MUST be an integer (between &quot;-19&quot; and 19).
Negative (higher) values MUST be enclosed in double quotes &#39;&quot;&#39;.
--reionice-priority &lt;CLASS&gt; &lt;PRIORITY&gt;
Reset the ionice priority value of the script and all its children
to the desired CLASS. MUST be an integer:
1: realtime
2: best-effort
3: idle
defaults to &quot;2&quot;.
PRIORITY MUST be an integer:
between 0 (highest) and 7 (lowest) priority.
defaults to &quot;4&quot;.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
--root-password-file &lt;/path/to/password.txt&gt;
Password file for &#39;root&#39;, if given, MUST be a string of 20 to 64 characters,
and MUST NOT contain the special character &#39;&quot;&#39;.
If the argument is omitted, no further login authentication is required for
the local console. The root password is hashed with an 16 Byte &#39;/dev/random&#39;
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
after Hash generation all Variables containing plain password fragments are
deleted. Password file SHOULD be 0400 and root:root and is deleted without
further prompt after password hash has been successfully generated via:
shred -vfzu 5 -f.
No tracing of any plain text password fragment in any debug log.
--ssh-port &lt;INTEGER&gt;
The desired Port SSH should listen to.
If not provided defaults to Port 22.
--ssh-pubkey &lt;/path/to/.ssh/&gt;
Imports the SSH Public Key(s) from the FILE &#39;authorized_keys&#39; of the
specified PATH into the Live ISO. MUST be provided.
--version, -v
Displays version of ./ciss_live_builder.sh.
NOTES:
- You MUST be root to run this script.
Contact:
- https://coresecret.eu/
- security@coresecret.eu
- PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
- https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD</code></pre>
<h1 id="3-booting">3. Booting</h1>
<h2 id="31-grub-menu">3.1. Grub Menu</h2>
<p><img src="/docs/screenshots/20250517_boot_grub.jpg" alt="Boot Menu" /></p>
<h2 id="32-integrity-checks">3.2. Integrity checks</h2>
<p><img src="screenshots/20250517_boot_integrity_check.jpg" alt="Integrity Check" /></p>
<p><img src="screenshots/20250517_boot_integrity_success.jpg" alt="Integrity Success" /></p>
<h2 id="33-console-login">3.3. Console Login</h2>
<p><img src="screenshots/20250517_console_login.jpg" alt="Console Login" /></p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

577
.html/README.html Normal file
View File

@@ -0,0 +1,577 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./README.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./README.md</h1>
</header>
<p><a href="https://git.coresecret.dev/msw/CISS.debian.live.builder"><img src="https://badges.coresecret.dev/badge/Release-V8.03.127.2025.06.02-white?style=plastic&amp;logo=linux&amp;logoColor=white&amp;logoSize=auto&amp;label=Release&amp;color=%23FCC624" alt="Static Badge" /></a>   <a href="https://eupl.eu/1.2/en/"><img src="https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=Licence&amp;color=%23003399" alt="Static Badge" /></a>   <a href="https://opensource.org/license/eupl-1-2"><img src="https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&amp;logo=opensourceinitiative&amp;logoColor=white&amp;logoSize=auto&amp;label=OSI&amp;color=%233DA639" alt="Static Badge" /></a>   <a href="https://www.gnu.org/software/bash/"><img src="https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=Bash&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://shellcheck.net/"><img src="https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=shellcheck&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://github.com/mvdan/sh"><img src="https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=shellformat&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://google.github.io/styleguide/shellguide.html"><img src="https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=Shellstyle&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://docs.gitea.com/"><img src="https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&amp;logo=gitea&amp;logoColor=white&amp;logoSize=auto&amp;label=gitea&amp;color=%23609926" alt="Static Badge" /></a>   <a href="https://www.jetbrains.com/store/?section=personal&amp;billing=yearly"><img src="https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&amp;logo=intellijidea&amp;logoColor=white&amp;logoSize=auto&amp;label=IntelliJ&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://keepassxc.org/"><img src="https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&amp;logo=keepassxc&amp;logoColor=white&amp;logoSize=auto&amp;label=KeePassXC&amp;color=%236CAC4D" alt="Static Badge" /></a>   <a href="https://www.netcup.com/de"><img src="https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&amp;logo=netcup&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%23056473" alt="Static Badge" /></a>   <a href="https://coresecret.eu/"><img src="https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://x.com/coresecret_eu"><img src="https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&amp;logo=x&amp;logoColor=white&amp;logoSize=auto&amp;label=SocialMedia&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#sepa"><img src="https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&amp;logo=sepa&amp;logoColor=white&amp;logoSize=auto&amp;label=&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#bitcoin"><img src="https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&amp;logo=bitcoin&amp;logoColor=white&amp;logoSize=auto&amp;label=Donation&amp;color=%23F7931A" alt="Static Badge" /></a>   <a href="https://coresecret.eu/contact/#simplex"><img src="https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&amp;logo=simplex&amp;logoColor=white&amp;logoSize=auto&amp;label=Contact&amp;color=%23000000" alt="Static Badge" /></a>  </p>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<p>This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud deployment or unattended installations via the forthcoming <code>CISS.debian.installer</code>. Find here more information to download the latest ISO available. To download the latest public available <strong>CISS.debian.live.builder ISO</strong>, see: tba.</p>
<p>Check out more:</p>
<ul>
<li><a href="https://coresecret.eu/cnet/">CenturionNet Services</a></li>
<li><a href="https://dns.eddns.eu/">CenturionDNS Resolver</a></li>
<li><a href="https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt">CenturionDNS Blocklist</a></li>
<li><a href="https://uptime.coresecret.eu/">CenturionNet Status</a></li>
<li><a href="https://talk.e2ee.li/">CenturionMeet</a></li>
<li><a href="https://coresecret.eu/contact/">Contact the author</a></li>
</ul>
<h2 id="11-preliminary-remarks">1.1. Preliminary Remarks</h2>
<h3 id="111-hsm">1.1.1. HSM</h3>
<p>Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to move to a room-gapped environment. ^^</p>
<h3 id="112-hsts-and-dnssec">1.1.2. HSTS and DNSSEC</h3>
<p>Please note that <code>coresecret.dev</code> is included in the <a href="https://hstspreload.org/">(HSTS Preload List)</a> and always serves the headers:</p>
<pre class="nginx"><code>add_header Expect-CT &quot;max-age=86400, enforce&quot; always;
add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot; always;</code></pre>
<p>Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.html">DNSSEC Audit Report</a></p>
<h2 id="12-immutable-source-of-truth-system">1.2. Immutable Source-of-Truth System</h2>
<p>This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static source-code definitions. All configurations, system components, and installation routines are embedded during build time and locked for runtime immutability. This ensures that the live environment functions as a trusted <strong>Source of Truth</strong> — not only for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br></p>
<p>Once booted, the environment optionally launches a fully scripted installer, via the forthcoming <code>CISS.debian.installer</code>, yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully secured provisioning. Combined with checksum verification, <strong>activated by default</strong>, at boot and strict firewall defaults, this architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br></p>
<p>An even more secure deployment variant — an unattended and headless version — can be built without any active network interface or shell-access, also via the forthcoming <code>CISS.debian.installer</code>. Such a version performs all verification steps autonomously, provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports without cryptographic hardened access, while also the <code>/boot</code> partition could be encrypted via the built-in support of <code>grub2 (2.12-1~bpo12+1)</code>.<br></p>
<p>This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in source-defined infrastructure logic.<br></p>
<p>After build and configuration, the following audit reports can be generated:</p>
<ul>
<li><strong>Haveged Audit Report</strong>: Validates entropy daemon health and confirms '/dev/random' seeding performance. Type <code>chkhvg</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.html">Haveged Audit Report</a></li>
<li><strong>Lynis Audit Report</strong>: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. Type <code>lsadt</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.html">Lynis Audit Report</a></li>
<li><strong>SSH Audit Report</strong>: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. Type <code>ssh-audit &lt;IP&gt;:&lt;PORT&gt;</code>. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.html">SSH Audit Report</a></li>
</ul>
<h2 id="12-preview">1.2. Preview</h2>
<p><img src="/docs/screenshots/CISS.debian.live.builder_preview.jpeg" alt="CISS.debian.live.builder" /></p>
<h2 id="13-caution-significant-information-for-those-considering-using-d-i">1.3. Caution. Significant information for those considering using D-I.</h2>
<p><strong>The Debian Installer (d-i) will ALWAYS boot a new system.</strong><br></p>
<p>Regardless of whether you start it:</p>
<ul>
<li>via the boot menu of your Live ISO (grub, isolinux) like <strong>CISS.debian.live.builder</strong>,</li>
<li>via kexec in the running system,</li>
<li>via the debian-installer-launcher package,</li>
<li>or even via a graphical installer shortcut.</li>
</ul>
<p>The following happens in all cases:</p>
<ul>
<li>The installer kernel (/install/vmlinuz) + initrd.gz are started.</li>
<li>The existing live system is exited.</li>
<li>The memory is overwritten.</li>
<li>All running processes e.g., firewall, hardened SSH access, etc. pp. cease to exist.</li>
</ul>
<p>The Debian Installer loads:</p>
<ul>
<li>its own kernel,</li>
<li>its own initramfs,</li>
<li>its own minimal root filesystem (BusyBox + udeb packages),</li>
<li>no SSH access (unless explicitly enabled via preseed)</li>
<li>no firewall, AppArmor, logging, etc. pp.,</li>
<li>it disables all running network services, even if you were previously in the live system.</li>
</ul>
<p>This means function status of the <strong>CISS.2025.debian.live.builder</strong> ISO after d-i start:</p>
<ul>
<li>ufw, iptables, nftables ✘ disabled, not loaded,</li>
<li>sshd with hardening ✘ stopped (processes gone),</li>
<li>the running kernel ✘ replaced,</li>
<li>Logging (rsyslog, journald) ✘ not active,</li>
<li>preseed control over the network is possible (but without any protection).</li>
</ul>
<h1 id="2-features--rationale">2. Features &amp; Rationale</h1>
<p>Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.</p>
<h2 id="21-kernel-hardening">2.1. Kernel Hardening</h2>
<h3 id="211-boot-parameters">2.1.1. Boot Parameters</h3>
<ul>
<li><strong>Description</strong>: Customizes kernel command-line flags to disable unused features and enable mitigations.</li>
<li><strong>Key Parameters</strong>:
<ul>
<li><code>audit_backlog_limit=8192</code>: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.</li>
<li><code>audit=1</code>: Enables kernel auditing from boot to record system calls and security events.</li>
<li><code>cfi=kcfi</code>: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.</li>
<li><code>debugfs=off</code>: Disables debugfs to prevent non-privileged access to kernel internals.</li>
<li><code>efi=disable_early_pci_dma</code>: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.</li>
<li><code>efi_no_storage_paranoia</code>: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.</li>
<li><code>hardened_usercopy=1</code>: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.</li>
<li><code>ia32_emulation=0</code>: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.</li>
<li><code>init_on_alloc=1</code>: Zeroes memory on allocation to prevent leakage of previous data.</li>
<li><code>init_on_free=1</code>: Initializes memory on free to catch use-after-free bugs.</li>
<li><code>iommu=force</code>: Enforces IOMMU for all devices to isolate DMA-capable hardware.</li>
<li><code>kfence.sample_interval=100</code>: Configures the kernel fence memory safety tool to sample every 100 allocations.</li>
<li><code>kvm.nx_huge_pages=force</code>: Enforces non-executable huge pages in KVM to mitigate code injection.</li>
<li><code>l1d_flush=on</code>: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.</li>
<li><code>lockdown=confidentiality</code>: Puts the kernel in confidentiality lockdown to restrict direct hardware access.</li>
<li><code>loglevel=0</code>: Suppresses non-critical kernel messages to reduce information leakage.</li>
<li><code>mce=0</code>: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.</li>
<li><code>mitigations=auto,nosmt</code>: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.</li>
<li><code>mmio_stale_data=full,nosmt</code>: Ensures stale MMIO data is fully flushed and disables SMT for added protection.</li>
<li><code>oops=panic</code>: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.</li>
<li><code>page_alloc.shuffle=1</code>: Randomizes physical page allocation to hinder memory layout prediction attacks.</li>
<li><code>page_poison=1</code>: Fills freed pages with a poison pattern to detect use-after-free.</li>
<li><code>panic=-1</code>: Disables automatic reboot on panic to preserve the system state for forensic analysis.</li>
<li><code>pti=on</code>: Enables page table isolation to mitigate Meltdown attacks.</li>
<li><code>random.trust_bootloader=off</code>: Prevents trusting entropy provided by the bootloader.</li>
<li><code>random.trust_cpu=off</code>: Disables trusting CPU-provided randomness, enforcing external entropy sources.</li>
<li><code>randomize_kstack_offset=on</code>: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.</li>
<li><code>randomize_va_space=2</code>: Enables full address space layout randomization (ASLR) for user space.</li>
<li><code>retbleed=auto,nosmt</code>: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.</li>
<li><code>rodata=on</code>: Marks kernel read-only data sections to prevent runtime modification.</li>
<li><code>tsx=off</code>: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.</li>
<li><code>vdso32=0</code>: Disables 32-bit vDSO to prevent unintended cross-mode calls.</li>
<li><code>vsyscall=none</code>: Disables legacy vsyscall support to close a potential attack vector.</li>
</ul></li>
<li><strong>Rationale</strong>: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.</li>
</ul>
<h3 id="212-cpu-vulnerability-mitigations">2.1.2. CPU Vulnerability Mitigations</h3>
<ul>
<li><strong>Description</strong>: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).</li>
<li><strong>Rationale</strong>: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in multi-tenant cloud environments.</li>
</ul>
<h3 id="213-kernel-self-protection">2.1.3. Kernel Self-Protection</h3>
<ul>
<li><strong>Description</strong>: Activates <code>CONFIG_DEBUG_RODATA</code>, <code>CONFIG_STRICT_MODULE_RWX</code>, and other self-protections.</li>
<li><strong>Rationale</strong>: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.</li>
</ul>
<h3 id="214-local-kernel-hardening">2.1.4. Local Kernel Hardening</h3>
<ul>
<li><strong>Description</strong>: The wrapper <code>sysp()</code>provides a function to apply and audit local kernel hardening rules from <code>/etc/sysctl.d/99_local.hardened</code>:</li>
</ul>
<pre class="bash"><code>###########################################################################################
# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
# Arguments:
# none
###########################################################################################
# shellcheck disable=SC2317
sysp() {
sysctl -p /etc/sysctl.d/99_local.hardened
# sleep 1
sysctl -a | grep -E &#39;kernel|vm|net&#39; &gt; /var/log/sysctl_check&quot;$(date +&quot;%Y-%m-%d_%H:%M:%S&quot;)&quot;.log
}</code></pre>
<ul>
<li><strong>Key measures loaded by this file include:</strong>
<ul>
<li>Disabling module loading <code>kernel.modules_disabled=1</code></li>
<li>Restricting kernel pointers &amp; logs <code>kernel.kptr_restrict=2</code>, <code>kernel.dmesg_restrict=1</code>, <code>kernel.printk=3 3 3 3</code></li>
<li>Disabling unprivileged BPF and userfaultfd</li>
<li>Disabling kexec and unprivileged user namespaces</li>
<li>Locking down ptrace scope <code>kernel.yama.ptrace_scope=2</code></li>
<li>Protecting filesystem links and FIFOs <code>fs.protected_*</code></li>
</ul></li>
</ul>
<p><strong>Warning</strong> Once applied, some hardening settings cannot be undone via <code>sysctl</code> without a reboot, and dynamic module loading remains disabled until the next boot. Automatic enforcement at startup is therefore omitted by design—run <code>sysp()</code> manually and plan a reboot to apply or revert these controls.</p>
<h2 id="22-module-blacklisting">2.2. Module Blacklisting</h2>
<ul>
<li><strong>Description</strong>: Disables and blacklists non-essential or insecure kernel modules.</li>
<li><strong>Rationale</strong>: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.</li>
</ul>
<h2 id="23-network-hardening">2.3. Network Hardening</h2>
<ul>
<li><strong>Description</strong>: Applies <code>sysctl</code> settings (e.g., <code>net.ipv4.conf.all.rp_filter=1</code>, <code>arp_ignore</code>, <code>arp_announce</code>) to restrict inbound/outbound traffic behaviors.</li>
<li><strong>Rationale</strong>: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.</li>
</ul>
<h2 id="24-core-dump--kernel-hardening">2.4. Core Dump &amp; Kernel Hardening</h2>
<ul>
<li><strong>Description</strong>: Limits core dump generation paths, enforces <code>Yama</code> restrictions, and configures <code>kernel.kptr_restrict</code>.</li>
<li><strong>Rationale</strong>: Prevents leakage of sensitive memory contents and reduces information disclosure from unintentional crash dumps.</li>
</ul>
<h2 id="25-entropy-collection-improvements">2.5. Entropy Collection Improvements</h2>
<ul>
<li><strong>Description</strong>: Installs and configures <code>haveged</code>, seeds <code>/dev/random</code> early.</li>
<li><strong>Rationale</strong>: Cloud instances frequently suffer low entropy at the start; improving randomness ensures strong cryptographic key generation for SSH and other services.</li>
</ul>
<h2 id="26-permissions--authentication">2.6. Permissions &amp; Authentication</h2>
<ul>
<li><strong>Description</strong>: Sets strict directory and file permissions, integrates with PAM modules (e.g., <code>pam_faillock</code>).</li>
<li><strong>Rationale</strong>: Enforces the principle of least privilege at file-system level and strengthens authentication policies.</li>
</ul>
<h2 id="27-high-security-baseline-lynis-audit">2.7. High-Security Baseline (Lynis Audit)</h2>
<ul>
<li><strong>Description</strong>: Run a baseline audit via <a href="https://cisofy.com/lynis/">Lynis</a> after build completion. The generated live environment consistently achieves a 91%+ score in Lynis security audits.</li>
<li><strong>Rationale</strong>: Provides independent verification of security posture and flags any configuration drifts or missing hardening steps.</li>
</ul>
<h2 id="28-ssh-tunnel--access-security">2.8. SSH Tunnel &amp; Access Security</h2>
<ul>
<li><strong>Description</strong>: The SSH tunnel and access are secured through multiple layers of defense:
<ul>
<li><strong>Firewall Restriction</strong>: ufw allows connections only from defined jump host or VPN exit node IPs.</li>
<li><strong>TCP Wrappers</strong>: <code>/etc/hosts.allow</code> and <code>/etc/hosts.deny</code> enforce an <code>ALL: ALL</code> deny policy, permitting only specified hosts.</li>
<li><strong>One-Hit Ban</strong>: A custom Fail2Ban rule <code>/etc/fail2ban/jail.d/centurion-default.conf</code> immediately bans any host that touches closed ports.
<ul>
<li>Additionally, the <code>fail2ban</code> service is hardened as well according to: <a href="https://wiki.archlinux.org/title/fail2ban#Service_hardening">Arch Linux Wiki Fail2ban Hardening</a></li>
</ul></li>
<li><strong>SSH Ultra-Hardening</strong>: The <code>/etc/sshd_config</code> enforces strict cryptographic and connection controls with respect to <a href="https://www.ssh-audit.com/hardening_guides.html#debian_12">SSH Audit Guide Debian 12</a>:
<ul>
<li><code>RekeyLimit 1G 1h</code></li>
<li><code>HostKey /etc/ssh/ssh_host_ed25519_key</code></li>
<li><code>HostKey /etc/ssh/ssh_host_rsa_key (8192-bit RSA)</code></li>
<li><code>PubkeyAuthentication yes</code></li>
<li><code>PermitRootLogin prohibit-password</code></li>
<li><code>PasswordAuthentication no</code></li>
<li><code>PermitEmptyPasswords no</code></li>
<li><code>LoginGraceTime 2m</code></li>
<li><code>MaxAuthTries 3</code></li>
<li><code>MaxSessions 2</code></li>
<li><code>MaxStartups 08:64:16</code></li>
<li><code>PerSourceMaxStartups 4</code></li>
<li><code>RequiredRSASize 4096</code></li>
<li><code>Ciphers aes256-gcm@openssh.com</code></li>
<li><code>KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-</code></li>
<li><code>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</code></li>
</ul></li>
</ul></li>
<li><strong>Rationale</strong>: These measures ensure that only authorized hosts can establish SSH tunnels, with strict cryptographic and usage policies enforced. Minimizes brute force, passive sniffing, and reduces credentials' exposure by limiting protocol features to vetted algorithms.</li>
</ul>
<h2 id="29-ufw-hardening">2.9. UFW Hardening</h2>
<ul>
<li><strong>Description</strong>: Defaults to <code>deny incoming</code> and (optionally) <code>deny outgoing</code>; automatically opens only whitelisted ports.</li>
<li><strong>Rationale</strong>: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after deployment.</li>
</ul>
<h2 id="210-fail2ban-enhancements">2.10. Fail2Ban Enhancements</h2>
<ul>
<li><strong>Description</strong>:
<ul>
<li>Bans any connection to a closed port for 24 hours</li>
<li>Automatically ignores designated bastion/jump host subnets</li>
<li>Hardened via <code>systemd</code> policy override to limit privileges of the Fail2Ban service itself</li>
</ul></li>
<li><strong>Rationale</strong>: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a minimal-privilege context.</li>
</ul>
<h2 id="211-ntpsec--chrony">2.11. NTPsec &amp; Chrony</h2>
<ul>
<li><strong>Description</strong>: Installs <code>chrony</code>, selects PTB NTPsec servers by default.</li>
<li><strong>Rationale</strong>: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation, and forensic accuracy.</li>
</ul>
<h1 id="3-script-features--rationale">3. Script Features &amp; Rationale</h1>
<h2 id="31-input-validation--security">3.1. Input Validation &amp; Security</h2>
<ul>
<li><strong>Description</strong>: All script arguments are validated using a robust input sanitizer.</li>
<li><strong>Rationale</strong>: Prevents injection attacks and ensures only expected data types and values are processed.</li>
</ul>
<h2 id="32-debug-mode-with-detailed-logging">3.2. Debug Mode with Detailed Logging</h2>
<ul>
<li><p><strong>Description</strong>: A built-in debug mode outputs clear, timestamped logs including:</p>
<ul>
<li>Script Name and Path of called Function,</li>
<li>Line Number,</li>
<li>Function Name,</li>
<li>Exit Code of the previous Command,</li>
<li>Executed Command.</li>
</ul></li>
<li><p><strong>Rationale</strong>: Simplifies troubleshooting and provides precise error tracing.</p></li>
</ul>
<h2 id="33-secure-debug-logging">3.3. Secure Debug Logging</h2>
<ul>
<li><strong>Description</strong>: No hardcoded plaintext password fragments or sensitive artifacts appear in debug logs.</li>
<li><strong>Rationale</strong>: Prevents accidental exposure of credentials during troubleshooting.</li>
</ul>
<h2 id="34-secure-password-handling">3.4. Secure Password Handling</h2>
<ul>
<li><strong>Description</strong>: Password files, if provided, are shredded immediately after being hashed.</li>
<li><strong>Rationale</strong>: Prevents password recovery from temporary files.</li>
</ul>
<h2 id="35-variable-declaration--validation">3.5. Variable Declaration &amp; Validation</h2>
<ul>
<li><strong>Description</strong>: All variables are declared and validated before use.</li>
<li><strong>Rationale</strong>: Avoids unintended behavior from unset or improperly set variables.</li>
</ul>
<h2 id="36-pure-bash-implementation">3.6. Pure Bash Implementation</h2>
<ul>
<li><strong>Description</strong>: The entire wrapper and all its functions are written in pure Bash, without external dependencies.</li>
<li><strong>Rationale</strong>: Ensures maximum portability and compatibility with standard Debian environments.</li>
</ul>
<h2 id="37-bash-error-handling">3.7. Bash Error Handling</h2>
<ul>
<li><p><strong>Description</strong>: The implemented xtrace wrapper <code>set -x</code> enforces comprehensive Bash error handling to ensure</p>
<ul>
<li>robust,</li>
<li>predictable execution,</li>
<li>and early detection of failures.</li>
</ul>
<p>and delivers full information, which command failed to execute:</p>
<ul>
<li>Script Name and Path of called Function,</li>
<li>Line Number,</li>
<li>Function Name,</li>
<li>Exit Code of the previous Command,</li>
<li>Executed Command,</li>
<li>Environment Settings,</li>
<li>Argument Counter passed to Script,</li>
<li>Argument String passed to Script.</li>
</ul></li>
<li><p>The following <code>set</code> options are applied at the beginning of the script (see <a href="https://www.gnu.org/software/bash/manual/bash.html#The-Set-BuiltinGNU">Bash Manual, The Set Builtin</a>):</p></li>
</ul>
<pre class="bash"><code>set -o errexit # Exit script when a command exits with non-zero status (same as &quot;set -e&quot;).
set -o errtrace # Inherit ERR traps in subshells (same as &quot;set -E&quot;).
set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as &quot;set -T&quot;).
set -o nounset # Exit script on use of an undefined variable (same as &quot;set -u&quot;).
set -o pipefail # Return the exit status of the last failed command in a pipeline.
set -o noclobber # Prevent overwriting files via redirection (same as &quot;set -C&quot;).</code></pre>
<ul>
<li><strong>Rationale</strong>: These options enforce strict error checking and handling, reducing silent failures and ensuring predictable script behavior.</li>
</ul>
<h1 id="4-prerequisites">4. Prerequisites</h1>
<ul>
<li><strong>Host</strong>: Debian Bookworm or newer with <code>live-build</code> package installed.</li>
<li><strong>Privileges</strong>: Root or sudo access to execute <code>ciss_live_builder.sh</code> and related scripts.</li>
<li><strong>Network</strong>: Outbound access to Debian repositories and PTB NTPsec pool.</li>
</ul>
<h1 id="5-installation--usage">5. Installation &amp; Usage</h1>
<h1 id="51-interactive-cli--dialog-wrapper">5.1. Interactive CLI / Dialog Wrapper</h1>
<ol type="1">
<li><p>Clone the repository:</p>
<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder</code></pre></li>
<li><p>Preparation:</p>
<ol type="1">
<li>Ensure you are root.</li>
<li>Create the build directory <code>mkdir /opt/livebuild</code>.</li>
<li>Place your desired SSH public key in the <code>authorized_keys</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
<li>Place your desired Password in the <code>password.txt</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
<li>Make any other changes you need to.</li>
</ol></li>
<li><p>Run the config builder script <code>./ciss_live_builder.sh</code> and the integrated <code>lb build</code> command (example):</p>
<pre class="yaml"><code>chmod 0700 ./ciss_live_builder.sh
./ciss_live_builder.sh --architecture amd64 \
--build-directory /opt/livebuild \
--change-splash hexagon \
--control 384 \
--debug \
--dhcp-centurion \
--jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
--provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
--renice-priority &quot;-19&quot; \
--reionice-priority 1 2 \
--root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
--ssh-port 4242 \
--ssh-pubkey /opt/gitea/CISS.debian.live.builder</code></pre></li>
<li><p>Locate your ISO in the <code>--build-directory</code>.</p></li>
<li><p>Boot from the ISO and login to the live image via the console, or the multi-layer secured <strong>coresecret</strong> SSH tunnel.</p></li>
<li><p>Type <code>sysp</code> for the final kernel hardening features.</p></li>
<li><p>Check the boot log with <code>jboot</code> and via <code>ssf</code> that all services are up.</p></li>
<li><p>Finally, audit your environment with <code>lsadt</code> for a comprehensive Lynis audit.</p></li>
<li><p>Type <code>celp</code> for some shortcuts.</p></li>
</ol>
<h1 id="52-cicd-gitea-runner-workflow-example">5.2. CI/CD Gitea Runner Workflow Example</h1>
<ol type="1">
<li><p>Clone the repository:</p>
<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder</code></pre></li>
<li><p>Edit the <code>.gitea/workflows/generate-iso.yaml</code> file according to your requirements. Ensure that the trigger file <code>.gitea/trigger/t_generate.iso.yaml</code> and the counter are updated. Change all the necessary <code>{{ secrets.VAR }}</code>. Push your commits to trigger the workflow. Then download your final ISO from the specified Location.</p></li>
</ol>
<pre class="yaml"><code>#...
steps:
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
run: |
rm -rf ~/.ssh &amp;&amp; mkdir -m700 ~/.ssh
### Private Key
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
#...
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
run: |
git clone --branch &quot;${GITHUB_REF_NAME}&quot; ssh://git@CHANGE_ME .
#...
- name: Importing the &#39;CI PGP DEPLOY ONLY&#39; key.
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
mkdir -m700 &quot;${GNUPGHOME}&quot;
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ci-bot.sec.asc
#...
- name: Configuring Git for signed CI/DEPLOY commits.
run: |
export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
git config user.name &quot;CHANGE_ME&quot;
git config user.email &quot;CHANGE_ME&quot;
#...
- name: Preparing the build environment.
run: |
mkdir -p /opt/config
mkdir -p /opt/livebuild
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/password.txt
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/authorized_keys
#...
- name: Starting CISS.debian.live.builder. This may take a while ...
run: |
chmod 0700 ciss_live_builder.sh &amp;&amp; chown root:root ciss_live_builder.sh
timestamp=$(date -u +&quot;%Y_%m_%d_%H_%M_Z&quot;)
### Change &quot;--autobuild=&quot; to the specific kernel version you need: &#39;6.12.22+bpo-amd64&#39;.
./ciss_live_builder.sh \
--autobuild=CHANGE_ME \
--architecture CHANGE_ME \
--build-directory /opt/livebuild \
--control &quot;${timestamp}&quot; \
--jump-host &quot;${{ secrets.CHANGE_ME }}&quot; \
--root-password-file /opt/config/password.txt \
--ssh-port CHANGE_ME \
--ssh-pubkey /opt/config
#...
### SKIP OR CHANGE ALL REMAINING STEPS</code></pre>
<h1 id="6-licensing--compliance">6. Licensing &amp; Compliance</h1>
<p>This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX standard for license expressions and metadata.</p>
<h1 id="7-disclaimer">7. Disclaimer</h1>
<p>This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.</p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

241
.html/REFERENCES.html Normal file
View File

@@ -0,0 +1,241 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./docs/REFERENCES.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./docs/REFERENCES.md</h1>
</header>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-resources">2. Resources</h1>
<h2 id="21-debian-live-related">2.1. Debian Live related</h2>
<ul>
<li><a href="https://salsa.debian.org/live-team/live-boot">Debian live-boot</a></li>
<li><a href="https://live-team.pages.debian.net/live-manual/html/live-manual/index.en.html">Debian Live Manual</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-boot-doc/live-boot.7.en.html">Debian Live Boot Doc</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-build/index.html">Debian Live Build</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-config-doc/index.html">Debian Live Config</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-tools/index.html">Debian Live Tools</a></li>
</ul>
<h2 id="22-disk-encryption-related">2.2. Disk Encryption related</h2>
<ul>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system"><span>https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)"><span>https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode"><span>https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode</span></a></li>
<li><a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot"><span>https://wiki.archlinux.org/title/GRUB#Encrypted_/boot</span></a></li>
<li><a href="https://wiki.archlinux.org/title/GRUB#LUKS2"><span>https://wiki.archlinux.org/title/GRUB#LUKS2</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Advanced_Format"><span>https://wiki.archlinux.org/title/Advanced_Format</span></a></li>
<li><a href="https://packages.debian.org/bookworm-backports/grub-common"><span>https://packages.debian.org/bookworm-backports/grub-common</span></a></li>
<li><a href="https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html"><span>https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption"><span>https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption</span></a></li>
<li><a href="https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup"><span>https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup</span></a></li>
</ul>
<h2 id="23-kernel-related">2.3. Kernel related</h2>
<ul>
<li><a href="https://wiki.archlinux.org/title/Kernel"><span>https://wiki.archlinux.org/title/Kernel</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Kernel_parameters"><span>https://wiki.archlinux.org/title/Kernel_parameters</span></a></li>
<li><a href="https://www.kernel.org/"><span>https://www.kernel.org/</span></a></li>
<li><a href="https://github.com/anthraxx/linux-hardened"><span>https://github.com/anthraxx/linux-hardened</span></a></li>
</ul>
<h2 id="24-policy-related">2.4. Policy related</h2>
<ul>
<li><a href="https://www.debian.org/doc/manuals/securing-debian-manual/"><span>https://www.debian.org/doc/manuals/securing-debian-manual/</span></a></li>
<li><a href="https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server"><span>https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server</span></a></li>
<li><a href="https://www.cisecurity.org/cis-benchmarks"><span>https://www.cisecurity.org/cis-benchmarks</span></a></li>
<li><a href="https://github.com/CISOfy/lynis"><span>https://github.com/CISOfy/lynis</span></a></li>
<li><a href="https://github.com/lateralblast/lunar"><span>https://github.com/lateralblast/lunar</span></a></li>
<li><a href="https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html"><span>https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html</span></a></li>
</ul>
<h2 id="25-security-related">2.5. Security related</h2>
<ul>
<li><a href="https://wiki.archlinux.org/title/General_recommendations"><span>https://wiki.archlinux.org/title/General_recommendations</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Security"><span>https://wiki.archlinux.org/title/Security</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Identity_management"><span>https://wiki.archlinux.org/title/Identity_management</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Capabilities"><span>https://wiki.archlinux.org/title/Capabilities</span></a></li>
<li><a href="https://privsec.dev/posts/linux/desktop-linux-hardening/"><span>https://privsec.dev/posts/linux/desktop-linux-hardening/</span></a></li>
<li><a href="https://wiki.archlinux.org/title/fail2ban#Service_hardenin"><span>https://wiki.archlinux.org/title/fail2ban#Service_hardenin</span></a></li>
<li><a href="https://theprivacyguide1.github.io/linux_hardening_guide"><span>https://theprivacyguide1.github.io/linux_hardening_guide</span></a></li>
<li><a href="https://github.com/zabbly/linux"><span>https://github.com/zabbly/linux</span></a></li>
</ul>
<h2 id="26-bash-related">2.6. Bash related</h2>
<ul>
<li><a href="https://www.gnu.org/software/bash/manual/"><span>https://www.gnu.org/software/bash/manual/</span></a></li>
<li><a href="https://www.shellcheck.net/"><span>https://www.shellcheck.net/</span></a></li>
<li><a href="https://explainshell.com/"><span>https://explainshell.com/</span></a></li>
<li><a href="https://google.github.io/styleguide/shellguide.html"><span>https://google.github.io/styleguide/shellguide.html</span></a></li>
<li><a href="https://github.com/mvdan/sh"><span>https://github.com/mvdan/sh</span></a></li>
<li><a href="https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab"><span>https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab</span></a></li>
</ul>
<h3 id="261-error-handling">2.6.1. Error handling</h3>
<ul>
<li><a href="https://www.davidpashley.com/articles/writing-robust-shell-scripts/#id2596016">Use set -e - Writing Robust Bash Shell Scripts - David Pashley</a></li>
<li><a href="https://mywiki.wooledge.org/BashFAQ/105">Why doesn't set -e (or set -o errexit, or trap ERR) do what I expected? - BashFAQ/105 - Greg's Wiki</a></li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

185
.html/SECURITY.html Normal file
View File

@@ -0,0 +1,185 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>./SECURITY.md</title>
<style>
html {
color: #1a1a1a;
background-color: #fdfdfd;
}
body {
margin: 0 auto;
max-width: 36em;
padding-left: 50px;
padding-right: 50px;
padding-top: 50px;
padding-bottom: 50px;
hyphens: auto;
overflow-wrap: break-word;
text-rendering: optimizeLegibility;
font-kerning: normal;
}
@media (max-width: 600px) {
body {
font-size: 0.9em;
padding: 12px;
}
h1 {
font-size: 1.8em;
}
}
@media print {
html {
background-color: white;
}
body {
background-color: transparent;
color: black;
font-size: 12pt;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3, h4 {
page-break-after: avoid;
}
}
p {
margin: 1em 0;
}
a {
color: #1a1a1a;
}
a:visited {
color: #1a1a1a;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
margin-top: 1.4em;
}
h5, h6 {
font-size: 1em;
font-style: italic;
}
h6 {
font-weight: normal;
}
ol, ul {
padding-left: 1.7em;
margin-top: 1em;
}
li > ol, li > ul {
margin-top: 0;
}
blockquote {
margin: 1em 0 1em 1.7em;
padding-left: 1em;
border-left: 2px solid #e6e6e6;
color: #606060;
}
code {
font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
font-size: 85%;
margin: 0;
hyphens: manual;
}
pre {
margin: 1em 0;
overflow: auto;
}
pre code {
padding: 0;
overflow: visible;
overflow-wrap: normal;
}
.sourceCode {
background-color: transparent;
overflow: visible;
}
hr {
background-color: #1a1a1a;
border: none;
height: 1px;
margin: 1em 0;
}
table {
margin: 1em 0;
border-collapse: collapse;
width: 100%;
overflow-x: auto;
display: block;
font-variant-numeric: lining-nums tabular-nums;
}
table caption {
margin-bottom: 0.75em;
}
tbody {
margin-top: 0.5em;
border-top: 1px solid #1a1a1a;
border-bottom: 1px solid #1a1a1a;
}
th {
border-top: 1px solid #1a1a1a;
padding: 0.25em 0.5em 0.25em 0.5em;
}
td {
padding: 0.125em 0.5em 0.25em 0.5em;
}
header {
margin-bottom: 4em;
text-align: center;
}
#TOC li {
list-style: none;
}
#TOC ul {
padding-left: 1.3em;
}
#TOC > ul {
padding-left: 0;
}
#TOC a:not(:hover) {
text-decoration: none;
}
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">./SECURITY.md</h1>
</header>
<h1 id="security-policy">Security Policy</h1>
<h2 id="reporting-vulnerabilities">Reporting vulnerabilities</h2>
<p>Please send your vulnerability reports to <code>security@coresecret.eu</code></p>
<p>To make sure that your report reaches me, please:</p>
<p>Include the words <code>CISS.debian.live.builder</code> and <code>vulnerability</code> to the subject line as well as a short description of the vulnerability.</p>
<p>Make sure that the message body contains a clear description of the vulnerability.</p>
<p>If you have not received a reply to your email within seven days, please make sure to follow up with me again at <code>security@coresecret.eu</code></p>
<p>Once again, make sure that the word <code>vulnerability</code> is in the subject line.</p>
<p>My security policy is available at:</p>
<p><a href="https://coresecret.eu/security-policy/"><span>https://coresecret.eu/security-policy/</span></a></p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>
</body>
</html>

405
README.html Normal file
View File

@@ -0,0 +1,405 @@
<p><a href="https://git.coresecret.dev/msw/CISS.debian.live.builder"><img src="https://badges.coresecret.dev/badge/Release-V8.03.127.2025.06.02-white?style=plastic&amp;logo=linux&amp;logoColor=white&amp;logoSize=auto&amp;label=Release&amp;color=%23FCC624" alt="Static Badge" /></a>   <a href="https://eupl.eu/1.2/en/"><img src="https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=Licence&amp;color=%23003399" alt="Static Badge" /></a>   <a href="https://opensource.org/license/eupl-1-2"><img src="https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&amp;logo=opensourceinitiative&amp;logoColor=white&amp;logoSize=auto&amp;label=OSI&amp;color=%233DA639" alt="Static Badge" /></a>   <a href="https://www.gnu.org/software/bash/"><img src="https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=Bash&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://shellcheck.net/"><img src="https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&amp;logo=gnubash&amp;logoColor=white&amp;logoSize=auto&amp;label=shellcheck&amp;color=%234EAA25" alt="Static Badge" /></a>   <a href="https://github.com/mvdan/sh"><img src="https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=shellformat&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://google.github.io/styleguide/shellguide.html"><img src="https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&amp;logo=google&amp;logoColor=white&amp;logoSize=auto&amp;label=Shellstyle&amp;color=%234285F4" alt="Static Badge" /></a>   <a href="https://docs.gitea.com/"><img src="https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&amp;logo=gitea&amp;logoColor=white&amp;logoSize=auto&amp;label=gitea&amp;color=%23609926" alt="Static Badge" /></a>   <a href="https://www.jetbrains.com/store/?section=personal&amp;billing=yearly"><img src="https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&amp;logo=intellijidea&amp;logoColor=white&amp;logoSize=auto&amp;label=IntelliJ&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://keepassxc.org/"><img src="https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&amp;logo=keepassxc&amp;logoColor=white&amp;logoSize=auto&amp;label=KeePassXC&amp;color=%236CAC4D" alt="Static Badge" /></a>   <a href="https://www.netcup.com/de"><img src="https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&amp;logo=netcup&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%23056473" alt="Static Badge" /></a>   <a href="https://coresecret.eu/"><img src="https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&amp;logo=europeanunion&amp;logoColor=white&amp;logoSize=auto&amp;label=powered&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://x.com/coresecret_eu"><img src="https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&amp;logo=x&amp;logoColor=white&amp;logoSize=auto&amp;label=SocialMedia&amp;color=%23000000" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#sepa"><img src="https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&amp;logo=sepa&amp;logoColor=white&amp;logoSize=auto&amp;label=&amp;color=%230F243E" alt="Static Badge" /></a>   <a href="https://coresecret.eu/spenden/#bitcoin"><img src="https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&amp;logo=bitcoin&amp;logoColor=white&amp;logoSize=auto&amp;label=Donation&amp;color=%23F7931A" alt="Static Badge" /></a>   <a href="https://coresecret.eu/contact/#simplex"><img src="https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&amp;logo=simplex&amp;logoColor=white&amp;logoSize=auto&amp;label=Contact&amp;color=%23000000" alt="Static Badge" /></a>  </p>
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<p>This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud deployment or unattended installations via the forthcoming <code>CISS.debian.installer</code>. Find here more information to download the latest ISO available. To download the latest public available <strong>CISS.debian.live.builder ISO</strong>, see: tba.</p>
<p>Check out more:</p>
<ul>
<li><a href="https://coresecret.eu/cnet/">CenturionNet Services</a></li>
<li><a href="https://dns.eddns.eu/">CenturionDNS Resolver</a></li>
<li><a href="https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt">CenturionDNS Blocklist</a></li>
<li><a href="https://uptime.coresecret.eu/">CenturionNet Status</a></li>
<li><a href="https://talk.e2ee.li/">CenturionMeet</a></li>
<li><a href="https://coresecret.eu/contact/">Contact the author</a></li>
</ul>
<h2 id="11-preliminary-remarks">1.1. Preliminary Remarks</h2>
<h3 id="111-hsm">1.1.1. HSM</h3>
<p>Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to move to a room-gapped environment. ^^</p>
<h3 id="112-hsts-and-dnssec">1.1.2. HSTS and DNSSEC</h3>
<p>Please note that <code>coresecret.dev</code> is included in the <a href="https://hstspreload.org/">(HSTS Preload List)</a> and always serves the headers:</p>
<pre class="nginx"><code>add_header Expect-CT &quot;max-age=86400, enforce&quot; always;
add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains; preload&quot; always;</code></pre>
<p>Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.html">DNSSEC Audit Report</a></p>
<h2 id="12-immutable-source-of-truth-system">1.2. Immutable Source-of-Truth System</h2>
<p>This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static source-code definitions. All configurations, system components, and installation routines are embedded during build time and locked for runtime immutability. This ensures that the live environment functions as a trusted <strong>Source of Truth</strong> — not only for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br></p>
<p>Once booted, the environment optionally launches a fully scripted installer, via the forthcoming <code>CISS.debian.installer</code>, yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully secured provisioning. Combined with checksum verification, <strong>activated by default</strong>, at boot and strict firewall defaults, this architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br></p>
<p>An even more secure deployment variant — an unattended and headless version — can be built without any active network interface or shell-access, also via the forthcoming <code>CISS.debian.installer</code>. Such a version performs all verification steps autonomously, provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports without cryptographic hardened access, while also the <code>/boot</code> partition could be encrypted via the built-in support of <code>grub2 (2.12-1~bpo12+1)</code>.<br></p>
<p>This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in source-defined infrastructure logic.<br></p>
<p>After build and configuration, the following audit reports can be generated:</p>
<ul>
<li><strong>Haveged Audit Report</strong>: Validates entropy daemon health and confirms '/dev/random' seeding performance. Type <code>chkhvg</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.html">Haveged Audit Report</a></li>
<li><strong>Lynis Audit Report</strong>: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. Type <code>lsadt</code> at the prompt. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.html">Lynis Audit Report</a></li>
<li><strong>SSH Audit Report</strong>: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. Type <code>ssh-audit &lt;IP&gt;:&lt;PORT&gt;</code>. See example report: <a href="https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_SSH.html">SSH Audit Report</a></li>
</ul>
<h2 id="12-preview">1.2. Preview</h2>
<p><img src="/docs/screenshots/CISS.debian.live.builder_preview.jpeg" alt="CISS.debian.live.builder" /></p>
<h2 id="13-caution-significant-information-for-those-considering-using-d-i">1.3. Caution. Significant information for those considering using D-I.</h2>
<p><strong>The Debian Installer (d-i) will ALWAYS boot a new system.</strong><br></p>
<p>Regardless of whether you start it:</p>
<ul>
<li>via the boot menu of your Live ISO (grub, isolinux) like <strong>CISS.debian.live.builder</strong>,</li>
<li>via kexec in the running system,</li>
<li>via the debian-installer-launcher package,</li>
<li>or even via a graphical installer shortcut.</li>
</ul>
<p>The following happens in all cases:</p>
<ul>
<li>The installer kernel (/install/vmlinuz) + initrd.gz are started.</li>
<li>The existing live system is exited.</li>
<li>The memory is overwritten.</li>
<li>All running processes e.g., firewall, hardened SSH access, etc. pp. cease to exist.</li>
</ul>
<p>The Debian Installer loads:</p>
<ul>
<li>its own kernel,</li>
<li>its own initramfs,</li>
<li>its own minimal root filesystem (BusyBox + udeb packages),</li>
<li>no SSH access (unless explicitly enabled via preseed)</li>
<li>no firewall, AppArmor, logging, etc. pp.,</li>
<li>it disables all running network services, even if you were previously in the live system.</li>
</ul>
<p>This means function status of the <strong>CISS.2025.debian.live.builder</strong> ISO after d-i start:</p>
<ul>
<li>ufw, iptables, nftables ✘ disabled, not loaded,</li>
<li>sshd with hardening ✘ stopped (processes gone),</li>
<li>the running kernel ✘ replaced,</li>
<li>Logging (rsyslog, journald) ✘ not active,</li>
<li>preseed control over the network is possible (but without any protection).</li>
</ul>
<h1 id="2-features--rationale">2. Features &amp; Rationale</h1>
<p>Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.</p>
<h2 id="21-kernel-hardening">2.1. Kernel Hardening</h2>
<h3 id="211-boot-parameters">2.1.1. Boot Parameters</h3>
<ul>
<li><strong>Description</strong>: Customizes kernel command-line flags to disable unused features and enable mitigations.</li>
<li><strong>Key Parameters</strong>:
<ul>
<li><code>audit_backlog_limit=8192</code>: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.</li>
<li><code>audit=1</code>: Enables kernel auditing from boot to record system calls and security events.</li>
<li><code>cfi=kcfi</code>: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.</li>
<li><code>debugfs=off</code>: Disables debugfs to prevent non-privileged access to kernel internals.</li>
<li><code>efi=disable_early_pci_dma</code>: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.</li>
<li><code>efi_no_storage_paranoia</code>: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.</li>
<li><code>hardened_usercopy=1</code>: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.</li>
<li><code>ia32_emulation=0</code>: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.</li>
<li><code>init_on_alloc=1</code>: Zeroes memory on allocation to prevent leakage of previous data.</li>
<li><code>init_on_free=1</code>: Initializes memory on free to catch use-after-free bugs.</li>
<li><code>iommu=force</code>: Enforces IOMMU for all devices to isolate DMA-capable hardware.</li>
<li><code>kfence.sample_interval=100</code>: Configures the kernel fence memory safety tool to sample every 100 allocations.</li>
<li><code>kvm.nx_huge_pages=force</code>: Enforces non-executable huge pages in KVM to mitigate code injection.</li>
<li><code>l1d_flush=on</code>: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.</li>
<li><code>lockdown=confidentiality</code>: Puts the kernel in confidentiality lockdown to restrict direct hardware access.</li>
<li><code>loglevel=0</code>: Suppresses non-critical kernel messages to reduce information leakage.</li>
<li><code>mce=0</code>: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.</li>
<li><code>mitigations=auto,nosmt</code>: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.</li>
<li><code>mmio_stale_data=full,nosmt</code>: Ensures stale MMIO data is fully flushed and disables SMT for added protection.</li>
<li><code>oops=panic</code>: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.</li>
<li><code>page_alloc.shuffle=1</code>: Randomizes physical page allocation to hinder memory layout prediction attacks.</li>
<li><code>page_poison=1</code>: Fills freed pages with a poison pattern to detect use-after-free.</li>
<li><code>panic=-1</code>: Disables automatic reboot on panic to preserve the system state for forensic analysis.</li>
<li><code>pti=on</code>: Enables page table isolation to mitigate Meltdown attacks.</li>
<li><code>random.trust_bootloader=off</code>: Prevents trusting entropy provided by the bootloader.</li>
<li><code>random.trust_cpu=off</code>: Disables trusting CPU-provided randomness, enforcing external entropy sources.</li>
<li><code>randomize_kstack_offset=on</code>: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.</li>
<li><code>randomize_va_space=2</code>: Enables full address space layout randomization (ASLR) for user space.</li>
<li><code>retbleed=auto,nosmt</code>: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.</li>
<li><code>rodata=on</code>: Marks kernel read-only data sections to prevent runtime modification.</li>
<li><code>tsx=off</code>: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.</li>
<li><code>vdso32=0</code>: Disables 32-bit vDSO to prevent unintended cross-mode calls.</li>
<li><code>vsyscall=none</code>: Disables legacy vsyscall support to close a potential attack vector.</li>
</ul></li>
<li><strong>Rationale</strong>: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.</li>
</ul>
<h3 id="212-cpu-vulnerability-mitigations">2.1.2. CPU Vulnerability Mitigations</h3>
<ul>
<li><strong>Description</strong>: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).</li>
<li><strong>Rationale</strong>: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in multi-tenant cloud environments.</li>
</ul>
<h3 id="213-kernel-self-protection">2.1.3. Kernel Self-Protection</h3>
<ul>
<li><strong>Description</strong>: Activates <code>CONFIG_DEBUG_RODATA</code>, <code>CONFIG_STRICT_MODULE_RWX</code>, and other self-protections.</li>
<li><strong>Rationale</strong>: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.</li>
</ul>
<h3 id="214-local-kernel-hardening">2.1.4. Local Kernel Hardening</h3>
<ul>
<li><strong>Description</strong>: The wrapper <code>sysp()</code>provides a function to apply and audit local kernel hardening rules from <code>/etc/sysctl.d/99_local.hardened</code>:</li>
</ul>
<pre class="bash"><code>###########################################################################################
# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
# Arguments:
# none
###########################################################################################
# shellcheck disable=SC2317
sysp() {
sysctl -p /etc/sysctl.d/99_local.hardened
# sleep 1
sysctl -a | grep -E &#39;kernel|vm|net&#39; &gt; /var/log/sysctl_check&quot;$(date +&quot;%Y-%m-%d_%H:%M:%S&quot;)&quot;.log
}</code></pre>
<ul>
<li><strong>Key measures loaded by this file include:</strong>
<ul>
<li>Disabling module loading <code>kernel.modules_disabled=1</code></li>
<li>Restricting kernel pointers &amp; logs <code>kernel.kptr_restrict=2</code>, <code>kernel.dmesg_restrict=1</code>, <code>kernel.printk=3 3 3 3</code></li>
<li>Disabling unprivileged BPF and userfaultfd</li>
<li>Disabling kexec and unprivileged user namespaces</li>
<li>Locking down ptrace scope <code>kernel.yama.ptrace_scope=2</code></li>
<li>Protecting filesystem links and FIFOs <code>fs.protected_*</code></li>
</ul></li>
</ul>
<p><strong>Warning</strong> Once applied, some hardening settings cannot be undone via <code>sysctl</code> without a reboot, and dynamic module loading remains disabled until the next boot. Automatic enforcement at startup is therefore omitted by design—run <code>sysp()</code> manually and plan a reboot to apply or revert these controls.</p>
<h2 id="22-module-blacklisting">2.2. Module Blacklisting</h2>
<ul>
<li><strong>Description</strong>: Disables and blacklists non-essential or insecure kernel modules.</li>
<li><strong>Rationale</strong>: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.</li>
</ul>
<h2 id="23-network-hardening">2.3. Network Hardening</h2>
<ul>
<li><strong>Description</strong>: Applies <code>sysctl</code> settings (e.g., <code>net.ipv4.conf.all.rp_filter=1</code>, <code>arp_ignore</code>, <code>arp_announce</code>) to restrict inbound/outbound traffic behaviors.</li>
<li><strong>Rationale</strong>: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.</li>
</ul>
<h2 id="24-core-dump--kernel-hardening">2.4. Core Dump &amp; Kernel Hardening</h2>
<ul>
<li><strong>Description</strong>: Limits core dump generation paths, enforces <code>Yama</code> restrictions, and configures <code>kernel.kptr_restrict</code>.</li>
<li><strong>Rationale</strong>: Prevents leakage of sensitive memory contents and reduces information disclosure from unintentional crash dumps.</li>
</ul>
<h2 id="25-entropy-collection-improvements">2.5. Entropy Collection Improvements</h2>
<ul>
<li><strong>Description</strong>: Installs and configures <code>haveged</code>, seeds <code>/dev/random</code> early.</li>
<li><strong>Rationale</strong>: Cloud instances frequently suffer low entropy at the start; improving randomness ensures strong cryptographic key generation for SSH and other services.</li>
</ul>
<h2 id="26-permissions--authentication">2.6. Permissions &amp; Authentication</h2>
<ul>
<li><strong>Description</strong>: Sets strict directory and file permissions, integrates with PAM modules (e.g., <code>pam_faillock</code>).</li>
<li><strong>Rationale</strong>: Enforces the principle of least privilege at file-system level and strengthens authentication policies.</li>
</ul>
<h2 id="27-high-security-baseline-lynis-audit">2.7. High-Security Baseline (Lynis Audit)</h2>
<ul>
<li><strong>Description</strong>: Run a baseline audit via <a href="https://cisofy.com/lynis/">Lynis</a> after build completion. The generated live environment consistently achieves a 91%+ score in Lynis security audits.</li>
<li><strong>Rationale</strong>: Provides independent verification of security posture and flags any configuration drifts or missing hardening steps.</li>
</ul>
<h2 id="28-ssh-tunnel--access-security">2.8. SSH Tunnel &amp; Access Security</h2>
<ul>
<li><strong>Description</strong>: The SSH tunnel and access are secured through multiple layers of defense:
<ul>
<li><strong>Firewall Restriction</strong>: ufw allows connections only from defined jump host or VPN exit node IPs.</li>
<li><strong>TCP Wrappers</strong>: <code>/etc/hosts.allow</code> and <code>/etc/hosts.deny</code> enforce an <code>ALL: ALL</code> deny policy, permitting only specified hosts.</li>
<li><strong>One-Hit Ban</strong>: A custom Fail2Ban rule <code>/etc/fail2ban/jail.d/centurion-default.conf</code> immediately bans any host that touches closed ports.
<ul>
<li>Additionally, the <code>fail2ban</code> service is hardened as well according to: <a href="https://wiki.archlinux.org/title/fail2ban#Service_hardening">Arch Linux Wiki Fail2ban Hardening</a></li>
</ul></li>
<li><strong>SSH Ultra-Hardening</strong>: The <code>/etc/sshd_config</code> enforces strict cryptographic and connection controls with respect to <a href="https://www.ssh-audit.com/hardening_guides.html#debian_12">SSH Audit Guide Debian 12</a>:
<ul>
<li><code>RekeyLimit 1G 1h</code></li>
<li><code>HostKey /etc/ssh/ssh_host_ed25519_key</code></li>
<li><code>HostKey /etc/ssh/ssh_host_rsa_key (8192-bit RSA)</code></li>
<li><code>PubkeyAuthentication yes</code></li>
<li><code>PermitRootLogin prohibit-password</code></li>
<li><code>PasswordAuthentication no</code></li>
<li><code>PermitEmptyPasswords no</code></li>
<li><code>LoginGraceTime 2m</code></li>
<li><code>MaxAuthTries 3</code></li>
<li><code>MaxSessions 2</code></li>
<li><code>MaxStartups 08:64:16</code></li>
<li><code>PerSourceMaxStartups 4</code></li>
<li><code>RequiredRSASize 4096</code></li>
<li><code>Ciphers aes256-gcm@openssh.com</code></li>
<li><code>KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-</code></li>
<li><code>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com</code></li>
</ul></li>
</ul></li>
<li><strong>Rationale</strong>: These measures ensure that only authorized hosts can establish SSH tunnels, with strict cryptographic and usage policies enforced. Minimizes brute force, passive sniffing, and reduces credentials' exposure by limiting protocol features to vetted algorithms.</li>
</ul>
<h2 id="29-ufw-hardening">2.9. UFW Hardening</h2>
<ul>
<li><strong>Description</strong>: Defaults to <code>deny incoming</code> and (optionally) <code>deny outgoing</code>; automatically opens only whitelisted ports.</li>
<li><strong>Rationale</strong>: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after deployment.</li>
</ul>
<h2 id="210-fail2ban-enhancements">2.10. Fail2Ban Enhancements</h2>
<ul>
<li><strong>Description</strong>:
<ul>
<li>Bans any connection to a closed port for 24 hours</li>
<li>Automatically ignores designated bastion/jump host subnets</li>
<li>Hardened via <code>systemd</code> policy override to limit privileges of the Fail2Ban service itself</li>
</ul></li>
<li><strong>Rationale</strong>: Provides proactive defense against port scans and brute-force attacks, while isolating the ban daemon in a minimal-privilege context.</li>
</ul>
<h2 id="211-ntpsec--chrony">2.11. NTPsec &amp; Chrony</h2>
<ul>
<li><strong>Description</strong>: Installs <code>chrony</code>, selects PTB NTPsec servers by default.</li>
<li><strong>Rationale</strong>: Ensures tamper-resistant time synchronization, which is essential for log integrity, certificate validation, and forensic accuracy.</li>
</ul>
<h1 id="3-script-features--rationale">3. Script Features &amp; Rationale</h1>
<h2 id="31-input-validation--security">3.1. Input Validation &amp; Security</h2>
<ul>
<li><strong>Description</strong>: All script arguments are validated using a robust input sanitizer.</li>
<li><strong>Rationale</strong>: Prevents injection attacks and ensures only expected data types and values are processed.</li>
</ul>
<h2 id="32-debug-mode-with-detailed-logging">3.2. Debug Mode with Detailed Logging</h2>
<ul>
<li><p><strong>Description</strong>: A built-in debug mode outputs clear, timestamped logs including:</p>
<ul>
<li>Script Name and Path of called Function,</li>
<li>Line Number,</li>
<li>Function Name,</li>
<li>Exit Code of the previous Command,</li>
<li>Executed Command.</li>
</ul></li>
<li><p><strong>Rationale</strong>: Simplifies troubleshooting and provides precise error tracing.</p></li>
</ul>
<h2 id="33-secure-debug-logging">3.3. Secure Debug Logging</h2>
<ul>
<li><strong>Description</strong>: No hardcoded plaintext password fragments or sensitive artifacts appear in debug logs.</li>
<li><strong>Rationale</strong>: Prevents accidental exposure of credentials during troubleshooting.</li>
</ul>
<h2 id="34-secure-password-handling">3.4. Secure Password Handling</h2>
<ul>
<li><strong>Description</strong>: Password files, if provided, are shredded immediately after being hashed.</li>
<li><strong>Rationale</strong>: Prevents password recovery from temporary files.</li>
</ul>
<h2 id="35-variable-declaration--validation">3.5. Variable Declaration &amp; Validation</h2>
<ul>
<li><strong>Description</strong>: All variables are declared and validated before use.</li>
<li><strong>Rationale</strong>: Avoids unintended behavior from unset or improperly set variables.</li>
</ul>
<h2 id="36-pure-bash-implementation">3.6. Pure Bash Implementation</h2>
<ul>
<li><strong>Description</strong>: The entire wrapper and all its functions are written in pure Bash, without external dependencies.</li>
<li><strong>Rationale</strong>: Ensures maximum portability and compatibility with standard Debian environments.</li>
</ul>
<h2 id="37-bash-error-handling">3.7. Bash Error Handling</h2>
<ul>
<li><p><strong>Description</strong>: The implemented xtrace wrapper <code>set -x</code> enforces comprehensive Bash error handling to ensure</p>
<ul>
<li>robust,</li>
<li>predictable execution,</li>
<li>and early detection of failures.</li>
</ul>
<p>and delivers full information, which command failed to execute:</p>
<ul>
<li>Script Name and Path of called Function,</li>
<li>Line Number,</li>
<li>Function Name,</li>
<li>Exit Code of the previous Command,</li>
<li>Executed Command,</li>
<li>Environment Settings,</li>
<li>Argument Counter passed to Script,</li>
<li>Argument String passed to Script.</li>
</ul></li>
<li><p>The following <code>set</code> options are applied at the beginning of the script (see <a href="https://www.gnu.org/software/bash/manual/bash.html#The-Set-BuiltinGNU">Bash Manual, The Set Builtin</a>):</p></li>
</ul>
<pre class="bash"><code>set -o errexit # Exit script when a command exits with non-zero status (same as &quot;set -e&quot;).
set -o errtrace # Inherit ERR traps in subshells (same as &quot;set -E&quot;).
set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as &quot;set -T&quot;).
set -o nounset # Exit script on use of an undefined variable (same as &quot;set -u&quot;).
set -o pipefail # Return the exit status of the last failed command in a pipeline.
set -o noclobber # Prevent overwriting files via redirection (same as &quot;set -C&quot;).</code></pre>
<ul>
<li><strong>Rationale</strong>: These options enforce strict error checking and handling, reducing silent failures and ensuring predictable script behavior.</li>
</ul>
<h1 id="4-prerequisites">4. Prerequisites</h1>
<ul>
<li><strong>Host</strong>: Debian Bookworm or newer with <code>live-build</code> package installed.</li>
<li><strong>Privileges</strong>: Root or sudo access to execute <code>ciss_live_builder.sh</code> and related scripts.</li>
<li><strong>Network</strong>: Outbound access to Debian repositories and PTB NTPsec pool.</li>
</ul>
<h1 id="5-installation--usage">5. Installation &amp; Usage</h1>
<h1 id="51-interactive-cli--dialog-wrapper">5.1. Interactive CLI / Dialog Wrapper</h1>
<ol type="1">
<li><p>Clone the repository:</p>
<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder</code></pre></li>
<li><p>Preparation:</p>
<ol type="1">
<li>Ensure you are root.</li>
<li>Create the build directory <code>mkdir /opt/livebuild</code>.</li>
<li>Place your desired SSH public key in the <code>authorized_keys</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
<li>Place your desired Password in the <code>password.txt</code> file, for example, in the <code>/opt/gitea/CISS.debian.live.builder</code> directory.</li>
<li>Make any other changes you need to.</li>
</ol></li>
<li><p>Run the config builder script <code>./ciss_live_builder.sh</code> and the integrated <code>lb build</code> command (example):</p>
<pre class="yaml"><code>chmod 0700 ./ciss_live_builder.sh
./ciss_live_builder.sh --architecture amd64 \
--build-directory /opt/livebuild \
--change-splash hexagon \
--control 384 \
--debug \
--dhcp-centurion \
--jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
--provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
--renice-priority &quot;-19&quot; \
--reionice-priority 1 2 \
--root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
--ssh-port 4242 \
--ssh-pubkey /opt/gitea/CISS.debian.live.builder</code></pre></li>
<li><p>Locate your ISO in the <code>--build-directory</code>.</p></li>
<li><p>Boot from the ISO and login to the live image via the console, or the multi-layer secured <strong>coresecret</strong> SSH tunnel.</p></li>
<li><p>Type <code>sysp</code> for the final kernel hardening features.</p></li>
<li><p>Check the boot log with <code>jboot</code> and via <code>ssf</code> that all services are up.</p></li>
<li><p>Finally, audit your environment with <code>lsadt</code> for a comprehensive Lynis audit.</p></li>
<li><p>Type <code>celp</code> for some shortcuts.</p></li>
</ol>
<h1 id="52-cicd-gitea-runner-workflow-example">5.2. CI/CD Gitea Runner Workflow Example</h1>
<ol type="1">
<li><p>Clone the repository:</p>
<pre class="bash"><code>git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder</code></pre></li>
<li><p>Edit the <code>.gitea/workflows/generate-iso.yaml</code> file according to your requirements. Ensure that the trigger file <code>.gitea/trigger/t_generate.iso.yaml</code> and the counter are updated. Change all the necessary <code>{{ secrets.VAR }}</code>. Push your commits to trigger the workflow. Then download your final ISO from the specified Location.</p></li>
</ol>
<pre class="yaml"><code>#...
steps:
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
run: |
rm -rf ~/.ssh &amp;&amp; mkdir -m700 ~/.ssh
### Private Key
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
#...
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
run: |
git clone --branch &quot;${GITHUB_REF_NAME}&quot; ssh://git@CHANGE_ME .
#...
- name: Importing the &#39;CI PGP DEPLOY ONLY&#39; key.
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
mkdir -m700 &quot;${GNUPGHOME}&quot;
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| ci-bot.sec.asc
#...
- name: Configuring Git for signed CI/DEPLOY commits.
run: |
export GNUPGHOME=&quot;$(pwd)/.gnupg&quot;
git config user.name &quot;CHANGE_ME&quot;
git config user.email &quot;CHANGE_ME&quot;
#...
- name: Preparing the build environment.
run: |
mkdir -p /opt/config
mkdir -p /opt/livebuild
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/password.txt
echo &quot;${{ secrets.CHANGE_ME }}&quot; &gt;| /opt/config/authorized_keys
#...
- name: Starting CISS.debian.live.builder. This may take a while ...
run: |
chmod 0700 ciss_live_builder.sh &amp;&amp; chown root:root ciss_live_builder.sh
timestamp=$(date -u +&quot;%Y_%m_%d_%H_%M_Z&quot;)
### Change &quot;--autobuild=&quot; to the specific kernel version you need: &#39;6.12.22+bpo-amd64&#39;.
./ciss_live_builder.sh \
--autobuild=CHANGE_ME \
--architecture CHANGE_ME \
--build-directory /opt/livebuild \
--control &quot;${timestamp}&quot; \
--jump-host &quot;${{ secrets.CHANGE_ME }}&quot; \
--root-password-file /opt/config/password.txt \
--ssh-port CHANGE_ME \
--ssh-pubkey /opt/config
#...
### SKIP OR CHANGE ALL REMAINING STEPS</code></pre>
<h1 id="6-licensing--compliance">6. Licensing &amp; Compliance</h1>
<p>This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX standard for license expressions and metadata.</p>
<h1 id="7-disclaimer">7. Disclaimer</h1>
<p>This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.</p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

13
SECURITY.html Normal file
View File

@@ -0,0 +1,13 @@
<h1 id="security-policy">Security Policy</h1>
<h2 id="reporting-vulnerabilities">Reporting vulnerabilities</h2>
<p>Please send your vulnerability reports to <code>security@coresecret.eu</code></p>
<p>To make sure that your report reaches me, please:</p>
<p>Include the words <code>CISS.debian.live.builder</code> and <code>vulnerability</code> to the subject line as well as a short description of the vulnerability.</p>
<p>Make sure that the message body contains a clear description of the vulnerability.</p>
<p>If you have not received a reply to your email within seven days, please make sure to follow up with me again at <code>security@coresecret.eu</code></p>
<p>Once again, make sure that the word <code>vulnerability</code> is in the subject line.</p>
<p>My security policy is available at:</p>
<p><a href="https://coresecret.eu/security-policy/"><span>https://coresecret.eu/security-policy/</span></a></p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

51
config/includes.chroot/preseed/CCLA-1.0.html Normal file
View File

@@ -0,0 +1,51 @@
<h1 id="centurion-commercial-license-agreement-10">Centurion Commercial License Agreement 1.0</h1>
<h2 id="1-general-terms"><strong>1. General Terms</strong></h2>
<p>1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").</p>
<p>1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.</p>
<p>1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.</p>
<p>1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.</p>
<h2 id="2-grant-of-license"><strong>2. Grant of License</strong></h2>
<p>2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a</p>
<ul>
<li>non-exclusive,</li>
<li>non-transferable,</li>
<li>time-limited,</li>
</ul>
<p>right to use the Software for commercial purposes.</p>
<p>2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.</p>
<h2 id="3-subscription-fees-and-payment"><strong>3. Subscription Fees and Payment</strong></h2>
<p>3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.</p>
<p>3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.</p>
<h2 id="4-restrictions"><strong>4. Restrictions</strong></h2>
<p>4.1. Licensee shall not:</p>
<ul>
<li>Distribute, sublicense, or resell the Software.</li>
<li>Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.</li>
</ul>
<p>4.2. The Software may not be used for illegal or unethical purposes.</p>
<h2 id="5-support-and-updates"><strong>5. Support and Updates</strong></h2>
<p>5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying support agreement.</p>
<p>5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.</p>
<h2 id="6-termination"><strong>6. Termination</strong></h2>
<p>6.1. This Agreement is valid for the subscription term unless terminated earlier:</p>
<ul>
<li>By Licensee, with a 30-day written notice.</li>
<li>By Licensor, in the event of Licensees breach of this Agreement.</li>
</ul>
<p>6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.</p>
<h2 id="7-liability-and-warranty"><strong>7. Liability and Warranty</strong></h2>
<p>7.1. The Software is provided "as is" without warranties of any kind, except as required by law.</p>
<p>7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.</p>
<h2 id="8-governing-law"><strong>8. Governing Law</strong></h2>
<p>8.1. This Agreement shall be governed by the laws of Portugal.</p>
<p>8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.</p>
<h2 id="9-miscellaneous"><strong>9. Miscellaneous</strong></h2>
<p>9.1. Any changes to this Agreement must be in writing and signed by both parties.</p>
<p>9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.</p>
<h2 id="10-contact-information">10. <strong>Contact Information</strong></h2>
<ul>
<li>Licensor : Centurion Intelligence Consulting Agency</li>
<li>Email : <a href="mailto:legal@coresecret.eu">legal@coresecret.eu</a></li>
</ul>
<hr />
<p>This Subscription License Agreement was last updated at 09.05.2025.</p>

8
docs/AUDIT_DNSSEC.html Normal file
View File

@@ -0,0 +1,8 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-dnssec-status">2. DNSSEC Status</h1>
<p>This is an auto-generated overview of the DNSSEC status of <code>coresecret.dev</code> at the time of the last human-initiated push event.</p>
<p><img src="SECURITY/coresecret.dev.png" alt="DNSSEC Status" /></p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

137
docs/AUDIT_HAVEGED.html Normal file
View File

@@ -0,0 +1,137 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-haveged-audit-on-netcup-rs-2000-g11">2. Haveged Audit on Netcup RS 2000 G11</h1>
<pre class="text"><code>Mon May 19|root@live:~/&gt;&gt;0|~$ haveged -n 0 | dieharder -g 200 -a
haveged: command socket is listening at fd 3
Writing unlimited bytes to stdout
#=============================================================================#
# dieharder version 3.31.1 Copyright 2003 Robert G. Brown #
#=============================================================================#
rng_name |rands/second| Seed |
stdin_input_raw| 1.77e+07 |1806134257|
#=============================================================================#
test_name |ntup| tsamples |psamples| p-value |Assessment
#=============================================================================#
diehard_birthdays| 0| 100| 100|0.21358950| PASSED
diehard_operm5| 0| 1000000| 100|0.23365564| PASSED
diehard_rank_32x32| 0| 40000| 100|0.33364435| PASSED
diehard_rank_6x8| 0| 100000| 100|0.83680113| PASSED
diehard_bitstream| 0| 2097152| 100|0.89183344| PASSED
diehard_opso| 0| 2097152| 100|0.95817018| PASSED
diehard_oqso| 0| 2097152| 100|0.25923499| PASSED
diehard_dna| 0| 2097152| 100|0.28604687| PASSED
diehard_count_1s_str| 0| 256000| 100|0.25146863| PASSED
diehard_count_1s_byt| 0| 256000| 100|0.64817854| PASSED
diehard_parking_lot| 0| 12000| 100|0.68180941| PASSED
diehard_2dsphere| 2| 8000| 100|0.52576112| PASSED
diehard_3dsphere| 3| 4000| 100|0.02636962| PASSED
diehard_squeeze| 0| 100000| 100|0.81226498| PASSED
diehard_sums| 0| 100| 100|0.54642776| PASSED
diehard_runs| 0| 100000| 100|0.98440072| PASSED
diehard_runs| 0| 100000| 100|0.75118526| PASSED
diehard_craps| 0| 200000| 100|0.93104571| PASSED
diehard_craps| 0| 200000| 100|0.45994663| PASSED
marsaglia_tsang_gcd| 0| 10000000| 100|0.38263075| PASSED
marsaglia_tsang_gcd| 0| 10000000| 100|0.16784328| PASSED
sts_monobit| 1| 100000| 100|0.26368088| PASSED
sts_runs| 2| 100000| 100|0.10069666| PASSED
sts_serial| 1| 100000| 100|0.53426480| PASSED
sts_serial| 2| 100000| 100|0.95654933| PASSED
sts_serial| 3| 100000| 100|0.75042664| PASSED
sts_serial| 3| 100000| 100|0.27693306| PASSED
sts_serial| 4| 100000| 100|0.79225401| PASSED
sts_serial| 4| 100000| 100|0.49273684| PASSED
sts_serial| 5| 100000| 100|0.58017632| PASSED
sts_serial| 5| 100000| 100|0.39423250| PASSED
sts_serial| 6| 100000| 100|0.72811005| PASSED
sts_serial| 6| 100000| 100|0.94342669| PASSED
sts_serial| 7| 100000| 100|0.98343053| PASSED
sts_serial| 7| 100000| 100|0.74692814| PASSED
sts_serial| 8| 100000| 100|0.56538653| PASSED
sts_serial| 8| 100000| 100|0.91826111| PASSED
sts_serial| 9| 100000| 100|0.63502589| PASSED
sts_serial| 9| 100000| 100|0.28959825| PASSED
sts_serial| 10| 100000| 100|0.74650890| PASSED
sts_serial| 10| 100000| 100|0.95475310| PASSED
sts_serial| 11| 100000| 100|0.35838186| PASSED
sts_serial| 11| 100000| 100|0.80481197| PASSED
sts_serial| 12| 100000| 100|0.74700860| PASSED
sts_serial| 12| 100000| 100|0.49849890| PASSED
sts_serial| 13| 100000| 100|0.55828107| PASSED
sts_serial| 13| 100000| 100|0.23244603| PASSED
sts_serial| 14| 100000| 100|0.23080285| PASSED
sts_serial| 14| 100000| 100|0.83936220| PASSED
sts_serial| 15| 100000| 100|0.64411755| PASSED
sts_serial| 15| 100000| 100|0.99255934| PASSED
sts_serial| 16| 100000| 100|0.00563047| PASSED
sts_serial| 16| 100000| 100|0.31608374| PASSED
rgb_bitdist| 1| 100000| 100|0.64550890| PASSED
rgb_bitdist| 2| 100000| 100|0.87656240| PASSED
rgb_bitdist| 3| 100000| 100|0.67169827| PASSED
rgb_bitdist| 4| 100000| 100|0.44406906| PASSED
rgb_bitdist| 5| 100000| 100|0.67772729| PASSED
rgb_bitdist| 6| 100000| 100|0.73853919| PASSED
rgb_bitdist| 7| 100000| 100|0.86999808| PASSED
rgb_bitdist| 8| 100000| 100|0.01313259| PASSED
rgb_bitdist| 9| 100000| 100|0.55009611| PASSED
rgb_bitdist| 10| 100000| 100|0.70726109| PASSED
rgb_bitdist| 11| 100000| 100|0.03154815| PASSED
rgb_bitdist| 12| 100000| 100|0.84462282| PASSED
rgb_minimum_distance| 2| 10000| 1000|0.83132423| PASSED
rgb_minimum_distance| 3| 10000| 1000|0.68188237| PASSED
rgb_minimum_distance| 4| 10000| 1000|0.51409655| PASSED
rgb_minimum_distance| 5| 10000| 1000|0.42544360| PASSED
rgb_permutations| 2| 100000| 100|0.66313395| PASSED
rgb_permutations| 3| 100000| 100|0.95535890| PASSED
rgb_permutations| 4| 100000| 100|0.45758425| PASSED
rgb_permutations| 5| 100000| 100|0.98313853| PASSED
rgb_lagged_sum| 0| 1000000| 100|0.41578816| PASSED
rgb_lagged_sum| 1| 1000000| 100|0.76861829| PASSED
rgb_lagged_sum| 2| 1000000| 100|0.43447789| PASSED
rgb_lagged_sum| 3| 1000000| 100|0.49698037| PASSED
rgb_lagged_sum| 4| 1000000| 100|0.02212798| PASSED
rgb_lagged_sum| 5| 1000000| 100|0.04465057| PASSED
rgb_lagged_sum| 6| 1000000| 100|0.10526977| PASSED
rgb_lagged_sum| 7| 1000000| 100|0.79849751| PASSED
rgb_lagged_sum| 8| 1000000| 100|0.83675235| PASSED
rgb_lagged_sum| 9| 1000000| 100|0.37604856| PASSED
rgb_lagged_sum| 10| 1000000| 100|0.46712205| PASSED
rgb_lagged_sum| 11| 1000000| 100|0.16098525| PASSED
rgb_lagged_sum| 12| 1000000| 100|0.81557499| PASSED
rgb_lagged_sum| 13| 1000000| 100|0.11553821| PASSED
rgb_lagged_sum| 14| 1000000| 100|0.85637944| PASSED
rgb_lagged_sum| 15| 1000000| 100|0.91125298| PASSED
rgb_lagged_sum| 16| 1000000| 100|0.59747378| PASSED
rgb_lagged_sum| 17| 1000000| 100|0.70077562| PASSED
rgb_lagged_sum| 18| 1000000| 100|0.66815407| PASSED
rgb_lagged_sum| 19| 1000000| 100|0.04941226| PASSED
rgb_lagged_sum| 20| 1000000| 100|0.37939018| PASSED
rgb_lagged_sum| 21| 1000000| 100|0.42653722| PASSED
rgb_lagged_sum| 22| 1000000| 100|0.86316011| PASSED
rgb_lagged_sum| 23| 1000000| 100|0.43038293| PASSED
rgb_lagged_sum| 24| 1000000| 100|0.34472083| PASSED
rgb_lagged_sum| 25| 1000000| 100|0.73741194| PASSED
rgb_lagged_sum| 26| 1000000| 100|0.05584980| PASSED
rgb_lagged_sum| 27| 1000000| 100|0.80601600| PASSED
rgb_lagged_sum| 28| 1000000| 100|0.99361052| PASSED
rgb_lagged_sum| 29| 1000000| 100|0.27812997| PASSED
rgb_lagged_sum| 30| 1000000| 100|0.94547008| PASSED
rgb_lagged_sum| 31| 1000000| 100|0.02400797| PASSED
rgb_lagged_sum| 32| 1000000| 100|0.98890248| PASSED
rgb_kstest_test| 0| 10000| 1000|0.53680166| PASSED
dab_bytedistrib| 0| 51200000| 1|0.38634245| PASSED
dab_dct| 256| 50000| 1|0.02760776| PASSED
Preparing to run test 207. ntuple = 0
dab_filltree| 32| 15000000| 1|0.47264235| PASSED
dab_filltree| 32| 15000000| 1|0.49416126| PASSED
Preparing to run test 208. ntuple = 0
dab_filltree2| 0| 5000000| 1|0.12940766| PASSED
dab_filltree2| 1| 5000000| 1|0.40415388| PASSED
Preparing to run test 209. ntuple = 0
dab_monobit2| 12| 65000000| 1|0.51567978| PASSED
haveged: Cannot write data in file: Broken pipe
tot tests(BA8): A:1/1 B:1/1 last entropy estimate 8.00294
fills: 470064, generated: 229.5 G bytes</code></pre>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

611
docs/AUDIT_LYNIS.html Normal file
View File

@@ -0,0 +1,611 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-lynis-audit">2. Lynis Audit:</h1>
<pre class="text"><code>[ Lynis 3.1.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2024, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.1.4
Operating system: Linux
Operating system name: Debian
Operating system version: 12
Kernel version: 6.12.22+bpo
Hardware platform: x86_64
Hostname: live
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
Auditor: Centurion_Intelligence_Consulting_Agency
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
[+] System tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugins enabled [ NONE ]
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ ENABLED ]
- Checking Secure Boot [ DISABLED ]
- Boot loader [ NONE FOUND ]
- Check running services (systemctl) [ DONE ]
Result: found 17 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 24 enabled services
- Check startup files (permissions) [ OK ]
- Running &#39;systemd-analyze security&#39;
Unit name (exposure value) and predicate
--------------------------------
- auditd.service (value=8.7) [ EXPOSED ]
- chrony.service (value=3.5) [ PROTECTED ]
- clamav-daemon.service (value=3.5) [ PROTECTED ]
- cron.service (value=9.6) [ UNSAFE ]
- dbus.service (value=9.6) [ UNSAFE ]
- dm-event.service (value=9.5) [ UNSAFE ]
- emergency.service (value=9.5) [ UNSAFE ]
- fail2ban.service (value=6.5) [ MEDIUM ]
- getty@tty1.service (value=9.6) [ UNSAFE ]
- haveged.service (value=3.0) [ PROTECTED ]
- ifup@ens3.service (value=9.5) [ UNSAFE ]
- ifup@ens4.service (value=9.5) [ UNSAFE ]
- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
- polkit.service (value=9.6) [ UNSAFE ]
- rc-local.service (value=9.6) [ UNSAFE ]
- rescue.service (value=9.5) [ UNSAFE ]
- rsyslog.service (value=9.6) [ UNSAFE ]
- ssh.service (value=9.6) [ UNSAFE ]
- systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
- systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
- systemd-fsckd.service (value=9.5) [ UNSAFE ]
- systemd-initctl.service (value=9.4) [ UNSAFE ]
- systemd-journald.service (value=4.3) [ PROTECTED ]
- systemd-logind.service (value=2.8) [ PROTECTED ]
- systemd-networkd.service (value=2.6) [ PROTECTED ]
- systemd-udevd.service (value=7.1) [ MEDIUM ]
- unattended-upgrades.service (value=9.6) [ UNSAFE ]
- usbguard-dbus.service (value=9.6) [ UNSAFE ]
- usbguard.service (value=2.8) [ PROTECTED ]
- user@0.service (value=9.8) [ UNSAFE ]
- uuidd.service (value=5.8) [ MEDIUM ]
[+] Kernel
------------------------------------
- Checking default runlevel [ runlevel 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 84 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ NOT FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration
- configuration in systemd conf files [ DEFAULT ]
- configuration in /etc/profile [ DEFAULT ]
- &#39;hard&#39; configuration in /etc/security/limits.conf [ DISABLED ]
- &#39;soft&#39; configuration in /etc/security/limits.conf [ DISABLED ]
- Checking setuid core dumps configuration [ DISABLED ]
- Check if reboot is needed [ NO ]
[+] Memory and Processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ NOT FOUND ]
- Searching for IO waiting processes [ NOT FOUND ]
- Search prelink tooling [ NOT FOUND ]
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Password hashing methods [ OK ]
- Password hashing rounds (minimum) [ CONFIGURED ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- Sudoers file(s) [ FOUND ]
- Permissions for directory: /etc/sudoers.d [ OK ]
- Permissions for: /etc/sudoers [ OK ]
- Permissions for: /etc/sudoers.d/README [ OK ]
- Permissions for: /etc/sudoers.d/live [ OK ]
- PAM password strength tools [ OK ]
- PAM configuration files (pam.conf) [ FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Locked accounts [ OK ]
- User password aging (minimum) [ CONFIGURED ]
- User password aging (maximum) [ CONFIGURED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ OK ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ]
[+] Kerberos
------------------------------------
- Check for Kerberos KDC and principals [ NOT FOUND ]
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 12 shells (valid shells: 12).
- Session timeout settings/tools [ FOUND ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ OK ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Mount options of /dev [ PARTIALLY HARDENED ]
- Mount options of /dev/shm [ PARTIALLY HARDENED ]
- Mount options of /run [ HARDENED ]
- Mount options of /tmp [ PARTIALLY HARDENED ]
- Total without nodev:11 noexec:13 nosuid:9 ro or noexec (W^X): 9 of total 33
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems
- Module cramfs is blacklisted [ OK ]
- Module freevxfs is blacklisted [ OK ]
- Module hfs is blacklisted [ OK ]
- Module hfsplus is blacklisted [ OK ]
- Module jffs2 is blacklisted [ OK ]
- Module udf is blacklisted [ OK ]
[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking USBGuard [ FOUND ]
- Configuration [ FOUND ]
- Restore controller device state [ false ]
- Rule for controllers connected before daemon starts [ keep ]
- Rule for devices connected before daemon starts [ allow ]
- Rule for devices inserted after daemon starts [ apply-policy ]
- Rule for devices not in RuleFile [ block ]
- RuleFile [ FOUND ]
- Controllers &amp; Devices allow [ 2 ]
- Controllers &amp; Devices block [ 0 ]
- Controllers &amp; Devices reject [ 0 ]
[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ DISABLED ]
[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]
[+] Name services
------------------------------------
- Searching DNS domain name [ FOUND ]
Domain name: local
- Checking /etc/hosts
- Duplicate entries in hosts file [ NONE ]
- Presence of configured hostname in /etc/hosts [ FOUND ]
- Hostname mapped to localhost [ NOT FOUND ]
- Localhost mapping to IP address [ OK ]
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager
- Query unpurged packages [ NONE ]
- debsums utility [ FOUND ]
- Cron job for debsums [ FOUND ]
- Checking security repository in sources.list file [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages (apt-get only) [ DONE ]
- Checking upgradeable packages [ NONE ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get
- Toolkit for automatic upgrades (unattended-upgrade) [ FOUND ]
[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
Configuration method [ MANUAL ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 135.181.207.105 [ OK ]
Nameserver: 89.58.62.53 [ OK ]
- Minimal of 2 responsive nameservers [ OK ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ RUNNING ]
- Checking for ARP monitoring software [ NOT FOUND ]
- Uncommon network protocols [ NOT FOUND ]
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Chain INPUT (table: filter, target: DROP) [ DROP ]
- Chain INPUT (table: security, target: ACCEPT) [ ACCEPT ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- OpenSSH option: AllowTcpForwarding [ OK ]
- OpenSSH option: ClientAliveCountMax [ OK ]
- OpenSSH option: ClientAliveInterval [ OK ]
- OpenSSH option: FingerprintHash [ OK ]
- OpenSSH option: GatewayPorts [ OK ]
- OpenSSH option: IgnoreRhosts [ OK ]
- OpenSSH option: LoginGraceTime [ OK ]
- OpenSSH option: LogLevel [ OK ]
- OpenSSH option: MaxAuthTries [ OK ]
- OpenSSH option: MaxSessions [ OK ]
- OpenSSH option: PermitRootLogin [ OK ]
- OpenSSH option: PermitUserEnvironment [ OK ]
- OpenSSH option: PermitTunnel [ OK ]
- OpenSSH option: Port [ OK ]
- OpenSSH option: PrintLastLog [ OK ]
- OpenSSH option: StrictModes [ OK ]
- OpenSSH option: TCPKeepAlive [ OK ]
- OpenSSH option: UseDNS [ OK ]
- OpenSSH option: X11Forwarding [ OK ]
- OpenSSH option: AllowAgentForwarding [ OK ]
- OpenSSH option: AllowUsers [ FOUND ]
- OpenSSH option: AllowGroups [ NOT FOUND ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]
[+] Databases
------------------------------------
No database engines found
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]
[+] PHP
------------------------------------
- Checking PHP [ NOT FOUND ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking wazuh-agent daemon status [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking remote logging [ NOT ENABLED ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ DONE ]
[+] Insecure services
------------------------------------
- Installed inetd package [ NOT FOUND ]
- Installed xinetd package [ OK ]
- xinetd status [ NOT ACTIVE ]
- Installed rsh client package [ OK ]
- Installed rsh server package [ OK ]
- Installed telnet client package [ OK ]
- Installed telnet server package [ NOT FOUND ]
- Checking NIS client installation [ OK ]
- Checking NIS server installation [ OK ]
- Checking TFTP client installation [ OK ]
- Checking TFTP server installation [ OK ]
[+] Banners and identification
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ OK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ OK ]
[+] Scheduled tasks
------------------------------------
- Checking crontab and cronjob files [ DONE ]
[+] Accounting
------------------------------------
- Checking accounting information [ OK ]
- Checking sysstat accounting data [ ENABLED ]
- Checking auditd [ ENABLED ]
- Checking audit rules [ OK ]
- Checking audit configuration file [ OK ]
- Checking auditd log file [ FOUND ]
[+] Time and Synchronization
------------------------------------
- NTP daemon found: chronyd [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/139] [ NONE ]
[WARNING]: Test CRYP-7902 had a long execution: 20.445007 seconds
- Found 0 encrypted and 0 unencrypted swap devices in use. [ OK ]
- Kernel entropy is sufficient [ YES ]
- HW RNG &amp; rngd [ NO ]
- SW prng [ YES ]
- MOR variable not found [ WEAK ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ DISABLED ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- AIDE [ FOUND ]
- AIDE config file [ FOUND ]
- AIDE database [ FOUND ]
- dm-integrity (status) [ DISABLED ]
- dm-verity (status) [ DISABLED ]
- AIDE config (Checksum) [ OK ]
- Checking presence integrity tool [ FOUND ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Ansible artifact [ FOUND ]
- Automation tooling [ FOUND ]
- Checking presence of Fail2ban [ FOUND ]
- Checking Fail2ban jails [ ENABLED ]
- Checking for IDS/IPS tooling [ FOUND ]
[+] Software: Malware
------------------------------------
- Checking chkrootkit [ FOUND ]
- Checking Rootkit Hunter [ FOUND ]
- Checking ClamAV scanner [ FOUND ]
- Malware software components [ FOUND ]
- Active agent [ NOT FOUND ]
- Rootkit scanner [ FOUND ]
[+] File Permissions
------------------------------------
- Starting file permissions check
File: /etc/cron.allow [ OK ]
File: /etc/crontab [ OK ]
File: /etc/group [ OK ]
File: /etc/group- [ OK ]
File: /etc/hosts.allow [ OK ]
File: /etc/hosts.deny [ OK ]
File: /etc/issue [ OK ]
File: /etc/issue.net [ OK ]
File: /etc/motd [ OK ]
File: /etc/passwd [ OK ]
File: /etc/passwd- [ OK ]
File: /etc/ssh/sshd_config [ OK ]
Directory: /root/.ssh [ OK ]
Directory: /etc/cron.d [ OK ]
Directory: /etc/cron.daily [ OK ]
Directory: /etc/cron.hourly [ OK ]
Directory: /etc/cron.weekly [ OK ]
Directory: /etc/cron.monthly [ OK ]
[+] Home directories
------------------------------------
- Permissions of home directories [ OK ]
- Ownership of home directories [ OK ]
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- dev.tty.ldisc_autoload (exp: 0) [ OK ]
- fs.protected_fifos (exp: 2) [ OK ]
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_regular (exp: 2) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ OK ]
- kernel.kptr_restrict (exp: 2) [ OK ]
- kernel.modules_disabled (exp: 1) [ OK ]
- kernel.perf_event_paranoid (exp: 2 3 4) [ OK ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ OK ]
- kernel.unprivileged_bpf_disabled (exp: 1) [ OK ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
- net.core.bpf_jit_harden (exp: 2) [ OK ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ OK ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ OK ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ FOUND ]
- Non-native binary formats [ FOUND ]
[+] Custom tests
------------------------------------
- Running custom tests... [ NONE ]
[+] Plugins (phase 2)
------------------------------------
================================================================================
-[ Lynis 3.1.4 Results ]-
Great, no warnings
Suggestions (5):
----------------------------
* Consider hardening system services [BOOT-5264]
- Details : Run &#39;/usr/bin/systemd-analyze security SERVICE&#39; for each service
- Related resources
* Article: Systemd features to secure service files: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
* Website: https://cisofy.com/lynis/controls/BOOT-5264/
* To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
- Related resources
* Website: https://cisofy.com/lynis/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
- Related resources
* Website: https://cisofy.com/lynis/controls/FILE-6310/
* Check iptables rules to see which rules are currently not used [FIRE-4513]
- Related resources
* Website: https://cisofy.com/lynis/controls/FIRE-4513/
* Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
- Related resources
* Website: https://cisofy.com/lynis/controls/LOGG-2154/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 92 [################## ]
Tests performed : 261
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [V]
Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Lynis 3.1.4
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2024, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)</code></pre>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

40
docs/AUDIT_SSH.html Normal file
View File

@@ -0,0 +1,40 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-ssh-audit-by-ssh-auditcom">2. SSH Audit by ssh-audit.com</h1>
<p><img src="/docs/screenshots/CISS.debian.live.builder_ssh_audit.png" alt="CISS.2025.debian.live.builder" /></p>
<h1 id="3-ssh-audit-by-httpsgithubcomjtestassh-audit">3. SSH Audit by <a href="https://github.com/jtesta/ssh-audit">https://github.com/jtesta/ssh-audit</a></h1>
<pre class="text"><code># general
(gen) banner: SSH-2.0-OpenSSH_9.2p1
(gen) software: OpenSSH 9.2p1
(gen) compatibility: OpenSSH 9.9+, Dropbear SSH 2020.79+
(gen) compression: disabled
# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
`- [info] default key exchange from OpenSSH 9.0 to 9.8
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) sntrup761x25519-sha512 -- [info] available since OpenSSH 9.9
`- [info] default key exchange since OpenSSH 9.9
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) kex-strict-s-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
# host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79
# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
# algorithm recommendations (for OpenSSH 9.2)
(rec) +aes128-ctr -- enc algorithm to append
(rec) +aes128-gcm@openssh.com -- enc algorithm to append
(rec) +aes192-ctr -- enc algorithm to append</code></pre>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

6
docs/CHANGELOG.html Normal file
View File

@@ -0,0 +1,6 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="tba">TBA</h1>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

78
docs/CODING_CONVENTION.html Normal file
View File

@@ -0,0 +1,78 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-coding-style">2. Coding Style</h1>
<h2 id="21-pr">2.1. PR</h2>
<p>You'd make the life of the maintainers easier if you submit only <em>one</em> patch with <em>one</em> functional change per PR.</p>
<h2 id="22-documentation">2.2 Documentation</h2>
<p>Some people really read that ! New features would need to be documented in the appropriate section in <code>usage()</code> and in <code>~/docs/DOCUMENTATION.md</code>.</p>
<h2 id="23-coding">2.3. Coding</h2>
<h3 id="231-shell--bash">2.3.1. Shell / bash</h3>
<p>Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.</p>
<ul>
<li>Don't use backticks anymore, use <code>$(..)</code> instead</li>
<li>Use double square <code>[[]]</code> brackets (<em>conditional expressions)</em> instead of single square <code>[]</code> brackets</li>
<li>In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (<code>=~</code>) you shouldn't quote at all.</li>
<li>The <a href="http://mywiki.wooledge.org/BashPitfalls">BashPitfalls</a> is a good read!</li>
<li>Whenever possible try to avoid <code>tr</code> <code>sed</code> <code>awk</code> and use bash internal functions instead, see e.g., <a href="http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html">bash shell parameter substitution</a>. It is slower as it forks, fopens and pipes back the result.</li>
<li><code>read</code> often can replace <code>awk</code>: <code>IFS=, read -ra a b c &lt;&lt;&lt; "$line_with_comma"</code></li>
<li>Bash can also deal perfectly with regular expressions, see e.g., <a href="https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html">here</a> and <a href="https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com">here</a>. You can as well have a look @ <code>is_ipv4addr()</code> or <code>is_ipv6addr()</code>.</li>
<li>If you still need to use any of <code>tr</code>, <code>sed</code> and <code>awk</code>: try to avoid a mix of several external binaries e.g., if you can achieve the same with e.g. <code>awk</code>.</li>
<li>Be careful with very advanced bash features. Mac OS X is still using bash version 3 (<a href="http://tldp.org/LDP/abs/html/bashver4.html">differences</a>).</li>
<li>Always use a return value for a function/method. 0 means all is fine.</li>
<li>Make use of <a href="https://github.com/koalaman/shellcheck">shellcheck</a> if possible.</li>
<li>Follow the <a href="https://google.github.io/styleguide/shellguide.html">shellformat</a> Shell-Style Guide.</li>
</ul>
<h3 id="232-shell-specific">2.3.2. Shell specific</h3>
<ul>
<li>Security:
<ul>
<li>Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.</li>
<li>Unless you're really sure where the values come from, variables need to be put in quotes.</li>
</ul></li>
</ul>
<h3 id="233-variables">2.3.3. Variables</h3>
<ul>
<li>Use <strong>"speaking variables"</strong> but don't overdo it with the length.</li>
<li>No <em>camelCase</em>, please. We distinguish between lowercase and uppercase only.
<ul>
<li>Global variables:
<ul>
<li>use them only when really necessary,</li>
<li>in CAPS,</li>
<li>initialize them (<code>declare -g VAR_EXAMPLE=""</code>),</li>
<li>SHOULD start with:
<ul>
<li><code>ARY_</code> for Arrays,</li>
<li><code>C_</code> for Variables defining colored outputs,</li>
<li><code>ERR_</code> for Error Codes Variables,</li>
<li><code>HMP_</code> for HashMap Arrays,</li>
<li><code>LOG_</code> for Logfile Variables,</li>
<li><code>PID_</code> for PID Variables,</li>
<li><code>PIPE_</code> for PIPE Variables,</li>
<li><code>VAR_</code> for Variables</li>
</ul></li>
</ul></li>
<li>Local variables:
<ul>
<li>are lower case,</li>
<li>declare them before usage (<code>declare</code> eq <code>local</code>),</li>
<li>initialize them (<code>declare var_example=""</code>),</li>
<li>SHOULD start with:
<ul>
<li><code>ary_</code> for Arrays,</li>
<li><code>c_</code> for Variables defining colored outputs,</li>
<li><code>err_</code> for Error Codes Variables,</li>
<li><code>hmp_</code> for HashMap Arrays,</li>
<li><code>log_</code> for Logfile Variables,</li>
<li><code>var_</code> for Variables.</li>
</ul></li>
</ul></li>
</ul></li>
</ul>
<h1 id="3-misc">3. Misc</h1>
<ul>
<li>Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.</li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

12
docs/CONTRIBUTING.html Normal file
View File

@@ -0,0 +1,12 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-contributors">2. Contributors</h1>
<h2 id="x">X</h2>
<p>I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.</p>
<h2 id="ζ">Ζ</h2>
<ul>
<li>Zimnol, André H.; Private Contributor</li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

14
docs/CREDITS.html Normal file
View File

@@ -0,0 +1,14 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-credits">2. Credits</h1>
<h2 id="22-authors">2.2. Authors</h2>
<h2 id="23-contributors">2.3. Contributors</h2>
<h3 id="x">X</h3>
<p>I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.</p>
<h3 id="ζ">Ζ</h3>
<ul>
<li>Zimnol, André H.; Private Contributor</li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

128
docs/DOCUMENTATION.html Normal file
View File

@@ -0,0 +1,128 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-usage">2. Usage</h1>
<pre class="text"><code>CISS.debian.live.builder
Master V8.03.127.2025.06.02
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
https://coresecret.eu/
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
&quot;./ciss_live_builder.sh &lt;option&gt;&quot;, where &lt;option&gt; is one or more of:
--help, -h
What you&#39;re looking at.
--architecture &lt;STRING&gt; one of &lt;amd64 | arm64&gt;
A string reflecting the architecture of the Live System.
MUST be provided.
--build-directory &lt;/path/to/build_directory&gt;
Where the Debian Live Build Image should be generated.
MUST be provided.
--change-splash &lt;STRING&gt; one of &lt;club | hexagon&gt;
A string reflecting the GRub Boot Screen Splash you want to use.
If omitted defaults to &quot;./.archive/background/club.png&quot;.
--cdi (Experimental Feature)
This option generates a boot menu entry to start the forthcoming
&#39;CISS.debian.installer&#39;, which will be executed after
the system has successfully booted up.
--contact, -c
Displays contact information of the author.
--control &lt;INTEGER&gt;
An integer that reflects the version of your Live ISO Image.
MUST be provided.
--debug
Enables debug logging for the main program routine. Detailed logging
information are written to &quot;/tmp/ciss_live_builder_3764286.log&quot;
--dhcp-centurion
If a DHCP lease is provided, the provider&#39;s nameserver will be overridden,
and only the hardened, privacy-focused Centurion DNS servers will be used:
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
--jump-host &lt;IP | IP | ... &gt;
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
If provided, than it MUST be a &lt;SPACE&gt; separated list.
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
--log-statistics-only
Provides statistic only after successful building a
CISS.debian.live-ISO. While enabling &quot;--log-statistics-only&quot;
the argument &quot;--build-directory&quot; MUST be provided while
all further options MUST be omitted.
--provider-netcup-ipv6
Activates IPv6 support for Netcup Root Server. One unique
IPv6 address MUST be provided in this case.
--renice-priority &lt;PRIORITY&gt;
Reset the nice priority value of the script and all its children
to the desired PRIORITY. MUST be an integer (between &quot;-19&quot; and 19).
Negative (higher) values MUST be enclosed in double quotes &#39;&quot;&#39;.
--reionice-priority &lt;CLASS&gt; &lt;PRIORITY&gt;
Reset the ionice priority value of the script and all its children
to the desired CLASS. MUST be an integer:
1: realtime
2: best-effort
3: idle
defaults to &quot;2&quot;.
PRIORITY MUST be an integer:
between 0 (highest) and 7 (lowest) priority.
defaults to &quot;4&quot;.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
--root-password-file &lt;/path/to/password.txt&gt;
Password file for &#39;root&#39;, if given, MUST be a string of 20 to 64 characters,
and MUST NOT contain the special character &#39;&quot;&#39;.
If the argument is omitted, no further login authentication is required for
the local console. The root password is hashed with an 16 Byte &#39;/dev/random&#39;
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
after Hash generation all Variables containing plain password fragments are
deleted. Password file SHOULD be 0400 and root:root and is deleted without
further prompt after password hash has been successfully generated via:
shred -vfzu 5 -f.
No tracing of any plain text password fragment in any debug log.
--ssh-port &lt;INTEGER&gt;
The desired Port SSH should listen to.
If not provided defaults to Port 22.
--ssh-pubkey &lt;/path/to/.ssh/&gt;
Imports the SSH Public Key(s) from the FILE &#39;authorized_keys&#39; of the
specified PATH into the Live ISO. MUST be provided.
--version, -v
Displays version of ./ciss_live_builder.sh.
NOTES:
- You MUST be root to run this script.
Contact:
- https://coresecret.eu/
- security@coresecret.eu
- PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
- https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD</code></pre>
<h1 id="3-booting">3. Booting</h1>
<h2 id="31-grub-menu">3.1. Grub Menu</h2>
<p><img src="/docs/screenshots/20250517_boot_grub.jpg" alt="Boot Menu" /></p>
<h2 id="32-integrity-checks">3.2. Integrity checks</h2>
<p><img src="screenshots/20250517_boot_integrity_check.jpg" alt="Integrity Check" /></p>
<p><img src="screenshots/20250517_boot_integrity_success.jpg" alt="Integrity Success" /></p>
<h2 id="33-console-login">3.3. Console Login</h2>
<p><img src="screenshots/20250517_console_login.jpg" alt="Console Login" /></p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>

53
docs/LICENSES/CCLA-1.0.html Normal file
View File

@@ -0,0 +1,53 @@
<h1 id="spdx-license-identifier-licenseref-ccla-10">SPDX-License-Identifier: LicenseRef-CCLA-1.0</h1>
<h1 id="centurion-commercial-license-agreement-10">Centurion Commercial License Agreement 1.0</h1>
<h2 id="1-general-terms"><strong>1. General Terms</strong></h2>
<p>1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").</p>
<p>1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.</p>
<p>1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.</p>
<p>1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.</p>
<h2 id="2-grant-of-license"><strong>2. Grant of License</strong></h2>
<p>2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a</p>
<ul>
<li>non-exclusive,</li>
<li>non-transferable,</li>
<li>time-limited,</li>
</ul>
<p>right to use the Software for commercial purposes.</p>
<p>2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.</p>
<h2 id="3-subscription-fees-and-payment"><strong>3. Subscription Fees and Payment</strong></h2>
<p>3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.</p>
<p>3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.</p>
<h2 id="4-restrictions"><strong>4. Restrictions</strong></h2>
<p>4.1. Licensee shall not:</p>
<ul>
<li>Distribute, sublicense, or resell the Software.</li>
<li>Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.</li>
</ul>
<p>4.2. The Software may not be used for illegal or unethical purposes.</p>
<h2 id="5-support-and-updates"><strong>5. Support and Updates</strong></h2>
<p>5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying support agreement.</p>
<p>5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.</p>
<h2 id="6-termination"><strong>6. Termination</strong></h2>
<p>6.1. This Agreement is valid for the subscription term unless terminated earlier:</p>
<ul>
<li>By Licensee, with a 30-day written notice.</li>
<li>By Licensor, in the event of Licensees breach of this Agreement.</li>
</ul>
<p>6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.</p>
<h2 id="7-liability-and-warranty"><strong>7. Liability and Warranty</strong></h2>
<p>7.1. The Software is provided "as is" without warranties of any kind, except as required by law.</p>
<p>7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.</p>
<h2 id="8-governing-law"><strong>8. Governing Law</strong></h2>
<p>8.1. This Agreement shall be governed by the laws of Portugal.</p>
<p>8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.</p>
<h2 id="9-miscellaneous"><strong>9. Miscellaneous</strong></h2>
<p>9.1. Any changes to this Agreement must be in writing and signed by both parties.</p>
<p>9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.</p>
<h2 id="10-contact-information">10. <strong>Contact Information</strong></h2>
<ul>
<li>Licensor : Centurion Intelligence Consulting Agency</li>
<li>Email : <a href="mailto:legal@coresecret.eu">legal@coresecret.eu</a></li>
</ul>
<hr />
<p>This Subscription License Agreement was last updated at 09.05.2025.</p>

69
docs/REFERENCES.html Normal file
View File

@@ -0,0 +1,69 @@
<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-resources">2. Resources</h1>
<h2 id="21-debian-live-related">2.1. Debian Live related</h2>
<ul>
<li><a href="https://salsa.debian.org/live-team/live-boot">Debian live-boot</a></li>
<li><a href="https://live-team.pages.debian.net/live-manual/html/live-manual/index.en.html">Debian Live Manual</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-boot-doc/live-boot.7.en.html">Debian Live Boot Doc</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-build/index.html">Debian Live Build</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-config-doc/index.html">Debian Live Config</a></li>
<li><a href="https://manpages.debian.org/bookworm/live-tools/index.html">Debian Live Tools</a></li>
</ul>
<h2 id="22-disk-encryption-related">2.2. Disk Encryption related</h2>
<ul>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system"><span>https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)"><span>https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode"><span>https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode</span></a></li>
<li><a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot"><span>https://wiki.archlinux.org/title/GRUB#Encrypted_/boot</span></a></li>
<li><a href="https://wiki.archlinux.org/title/GRUB#LUKS2"><span>https://wiki.archlinux.org/title/GRUB#LUKS2</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Advanced_Format"><span>https://wiki.archlinux.org/title/Advanced_Format</span></a></li>
<li><a href="https://packages.debian.org/bookworm-backports/grub-common"><span>https://packages.debian.org/bookworm-backports/grub-common</span></a></li>
<li><a href="https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html"><span>https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption"><span>https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption</span></a></li>
<li><a href="https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup"><span>https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup</span></a></li>
</ul>
<h2 id="23-kernel-related">2.3. Kernel related</h2>
<ul>
<li><a href="https://wiki.archlinux.org/title/Kernel"><span>https://wiki.archlinux.org/title/Kernel</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Kernel_parameters"><span>https://wiki.archlinux.org/title/Kernel_parameters</span></a></li>
<li><a href="https://www.kernel.org/"><span>https://www.kernel.org/</span></a></li>
<li><a href="https://github.com/anthraxx/linux-hardened"><span>https://github.com/anthraxx/linux-hardened</span></a></li>
</ul>
<h2 id="24-policy-related">2.4. Policy related</h2>
<ul>
<li><a href="https://www.debian.org/doc/manuals/securing-debian-manual/"><span>https://www.debian.org/doc/manuals/securing-debian-manual/</span></a></li>
<li><a href="https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server"><span>https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server</span></a></li>
<li><a href="https://www.cisecurity.org/cis-benchmarks"><span>https://www.cisecurity.org/cis-benchmarks</span></a></li>
<li><a href="https://github.com/CISOfy/lynis"><span>https://github.com/CISOfy/lynis</span></a></li>
<li><a href="https://github.com/lateralblast/lunar"><span>https://github.com/lateralblast/lunar</span></a></li>
<li><a href="https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html"><span>https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html</span></a></li>
</ul>
<h2 id="25-security-related">2.5. Security related</h2>
<ul>
<li><a href="https://wiki.archlinux.org/title/General_recommendations"><span>https://wiki.archlinux.org/title/General_recommendations</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Security"><span>https://wiki.archlinux.org/title/Security</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Identity_management"><span>https://wiki.archlinux.org/title/Identity_management</span></a></li>
<li><a href="https://wiki.archlinux.org/title/Capabilities"><span>https://wiki.archlinux.org/title/Capabilities</span></a></li>
<li><a href="https://privsec.dev/posts/linux/desktop-linux-hardening/"><span>https://privsec.dev/posts/linux/desktop-linux-hardening/</span></a></li>
<li><a href="https://wiki.archlinux.org/title/fail2ban#Service_hardenin"><span>https://wiki.archlinux.org/title/fail2ban#Service_hardenin</span></a></li>
<li><a href="https://theprivacyguide1.github.io/linux_hardening_guide"><span>https://theprivacyguide1.github.io/linux_hardening_guide</span></a></li>
<li><a href="https://github.com/zabbly/linux"><span>https://github.com/zabbly/linux</span></a></li>
</ul>
<h2 id="26-bash-related">2.6. Bash related</h2>
<ul>
<li><a href="https://www.gnu.org/software/bash/manual/"><span>https://www.gnu.org/software/bash/manual/</span></a></li>
<li><a href="https://www.shellcheck.net/"><span>https://www.shellcheck.net/</span></a></li>
<li><a href="https://explainshell.com/"><span>https://explainshell.com/</span></a></li>
<li><a href="https://google.github.io/styleguide/shellguide.html"><span>https://google.github.io/styleguide/shellguide.html</span></a></li>
<li><a href="https://github.com/mvdan/sh"><span>https://github.com/mvdan/sh</span></a></li>
<li><a href="https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab"><span>https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab</span></a></li>
</ul>
<h3 id="261-error-handling">2.6.1. Error handling</h3>
<ul>
<li><a href="https://www.davidpashley.com/articles/writing-robust-shell-scripts/#id2596016">Use set -e - Writing Robust Bash Shell Scripts - David Pashley</a></li>
<li><a href="https://mywiki.wooledge.org/BashFAQ/105">Why doesn't set -e (or set -o errexit, or trap ERR) do what I expected? - BashFAQ/105 - Greg's Wiki</a></li>
</ul>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>