diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh index cdfa5c0..c6536b6 100644 --- a/.archive/.0000_lib_usage.sh +++ b/.archive/.0000_lib_usage.sh @@ -21,7 +21,7 @@ usage() { clear cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.13.392.2025.11.07\e[0m") +$(echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index 8eda287..49cf2f6 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index 19f2d75..e3a0059 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index b0079aa..4df6943 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 70f64dd..390b7b5 100644 
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.392.2025.11.07" + placeholder: "e.g., Master V8.13.400.2025.11.08" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index 9111d88..ed6a09f 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 5b606b7..022bc1a 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ” Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index dbfc567..4dac30c 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -11,5 +11,5 @@ build: counter: 1024 - version: V8.13.392.2025.11.07 + version: V8.13.400.2025.11.08 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index a7cef01..3c06eac 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.392.2025.11.07 + version: V8.13.400.2025.11.08 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml 
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index 16431ba..a1de38c 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index d0165a0..41d2a9b 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 6cbfde3..ee8a9bb 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index ba279c1..a6a2ae8 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 # Gitea Workflow: Shell-Script Linting # 
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 5dcac36..a8e5cc0 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ›ก๏ธ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index ac0fff9..ddebc29 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 name: ๐Ÿ” Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index b83a73b..b2aa29f 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.392.2025.11.07" +properties_version="V8.13.400.2025.11.08" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 57fbef0..f5b1d77 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx 
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.392.2025.11.07 +PackageVersion: Master V8.13.400.2025.11.08 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 4f74572..4165503 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.392.2025.11.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.400.2025.11.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.392.2025.11.07` +Example: `V8.13.400.2025.11.08` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/REPOSITORY.md b/REPOSITORY.md index 03aa416..bb21733 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2.1. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) โ€” Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **8.13**, Build **V8.13.392.2025.11.07** (as of 2025-10-11) +**Repository State:** Master Version **8.13**, Build **V8.13.400.2025.11.08** (as of 2025-10-11) ## 2.2. Top-Level Layout diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index 8c46c99..b330845 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot @@ -198,6 +198,7 @@ EOF # shellcheck disable=SC2034 readonly -f generate_ciss_xdg_tmp_sh +### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ -------------------------------------------- generate_ciss_xdg_profile generate_ciss_xdg_sh generate_ciss_xdg_tmp_sh @@ -207,6 +208,8 @@ export DEBIAN_FRONTEND="noninteractive" INITRD="No" apt-get update -qq apt-get install -y --no-install-suggests libpam-systemd + +### Installing microcode updates ----------------------------------------------------------------------------------------------- if [[ -f /root/.architecture ]]; then apt-get install -y --no-install-suggests amd64-microcode intel-microcode @@ -214,12 +217,7 @@ if [[ -f /root/.architecture ]]; then fi - -if [[ -f /root/.architecture ]]; then - : -fi - - +### Prepare environment -------------------------------------------------------------------------------------------------------- mkdir -p /root/.ciss/cdlb/{backup,log,private_keys} chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys} 
@@ -229,7 +227,7 @@ chmod 0700 /root/git
 mkdir -p /etc/ciss/keys
 chmod 0755 /etc/ciss/keys
-### Mask apt show version unit and timer.
+### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
 ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
 rm -f /etc/cron.daily/apt-show-versions || true
diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
index 05643c2..98e57df 100644
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -52,10 +52,9 @@ grep_nic_driver_modules() {
 return 0
 }
-
-[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
-apt-get install -y intel-microcode amd64-microcode
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules
 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)"
 VAR_DATE="$(date +%F)"
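Review bot: Dropping `export DEBIAN_FRONTEND="noninteractive" INITRD="No"` from this hook leaves any apt-get call that remains further down the file (the rest of 0001_initramfs_modules.chroot is outside the hunk) without the non-interactive frontend, so a package prompt would hang the chroot build; if such calls remain, keep the export next to the new `readonly -f` line, or source the same environment that 0000_basic_chroot_setup.chroot prepares. The removed `. /root/ciss_xdg_tmp.sh` had the same role for the XDG variables, so any later use of them in this hook now depends on the caller's environment. The context line `declare nic_driver="$(grep_nic_driver_modules)"` still masks the function's exit status (the SC2155 directive acknowledges it); `declare nic_driver; nic_driver="$(grep_nic_driver_modules)"` keeps a failed driver lookup visible under `set -e`.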
@@ -370,87 +369,101 @@ esac
 . /usr/share/initramfs-tools/hook-functions
-### Ensure directory structure in initramfs
-mkdir -p "${DESTDIR}/etc/ciss/keys"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
-mkdir -p "${DESTDIR}/usr/bin"
-mkdir -p "${DESTDIR}/usr/local/bin"
-mkdir -p "${DESTDIR}/usr/sbin"
+### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
+install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
+install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
+install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+install -d -m 0755 "${DESTDIR}/usr/bin"
+install -d -m 0755 "${DESTDIR}/usr/local/bin"
+install -d -m 0755 "${DESTDIR}/usr/sbin"
-### Include bash
+### Include 'bash' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/bash /usr/bin/bash
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
-### Include blkid
+### Include 'blkid' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/sbin/blkid /usr/sbin/blkid
 printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
-### Include busybox
+### Include 'busybox' ----------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/busybox /usr/busybox
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
-### Include GNU coreutils 'sort' (has -V)
+### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
 copy_exec /usr/bin/sort /usr/bin/sort
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
-### Include gpgv
+### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/gpgv /usr/bin/gpgv
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
-### Include lsblk
+### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/lsblk /usr/bin/lsblk
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
-### Include mkpasswd
+### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/mkpasswd /usr/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
 copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
-### Include udevadm (udev management tool)
+### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
 copy_exec /usr/bin/udevadm /usr/bin/udevadm
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
-### Include sha384sum, sha512sum
+### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
 copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
 copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
-### Include tree
+### Include 'tree' -------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/tree /usr/bin/tree
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
-### Include whois
+### Include 'whois' ------------------------------------------------------------------------------------------------------------
 copy_exec /usr/bin/whois /usr/bin/whois
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
-### Link busybox applets for compatibility
+### Link busybox applets for compatibility -------------------------------------------------------------------------------------
 for dir in bin usr/bin; do
 ln -sf busybox "${DESTDIR}/${dir}/cat"
 ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done
-### Install PGP Signing Keys
-install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg "${DESTDIR}/etc/ciss/keys/0x8733B021_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0x8733B021_public.gpg %s/etc/ciss/keys/0x8733B021_public.gpg] \n\e[0m" "${DESTDIR}"
-install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0xE62E84F8_public.gpg"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
+### Install GPG signing keys ---------------------------------------------------------------------------------------------------
+src_dir="/etc/ciss/keys"
+dst_dir="${DESTDIR}/etc/ciss/keys"
+key=""
+if [ -d "${src_dir}" ]; then
+
+ install -d -m 0755 "${dst_dir}"
+
+ for key in "${src_dir}"/*.gpg; do
+
+ [ -e "${key}" ] || continue
+
+ install -m 0444 "${key}" "${dst_dir}/"
+
+ printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
+
+ done
+
+fi
 printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"
@@ -459,10 +472,6 @@ EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
-# TODO: Move to 9999_zzzz.chroot
-### Regenerate the initramfs for the live system kernel.
-update-initramfs -u -k all -v
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
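Review bot: The new key-install loop succeeds silently when `/etc/ciss/keys` is missing or contains no `*.gpg` file, whereas the removed `install` lines failed when a named key was absent; the trust anchor that 0030-verify-checksums later relies on can therefore be missing from the initramfs without the build noticing. Add `key_count=0` before the `if`, `key_count=$((key_count + 1))` after the `install -m 0444` line, and after `fi` the check `[ "${key_count}" -gt 0 ] || { printf '\e[91mNo signing key found in %s\n\e[0m' "${src_dir}" >&2; exit 1; }` so that mkinitramfs aborts instead. The glob also widens the copied set from two named public keys to every `.gpg` file in the directory, so the directory itself is now the allowlist; a comment stating that only public keys may be placed there would make that invariant explicit. The generated hook body this hunk edits (it appears to be written through a here-document closed by the `EOF` in the second hunk) starts outside the hunk.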
diff --git a/config/hooks/live/9999_zzzz.chroot b/config/hooks/live/9999_zzzz.chroot
index 2f965a7..eb446b4 100644
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -15,10 +15,16 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "
 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
-### Regenerate the initramfs for the live system kernel.
+### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
+rm -f /root/ciss_xdg_tmp.sh
+
+### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
+find /etc/ciss/keys -type f -exec chmod 0444 {} +
+
+### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
 update-initramfs -u -k all -v
-### Determine the canonical systemd unit dir inside chroot.
+### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
 if [[ -d /lib/systemd/system ]]; then
 var_unit_dir=/lib/systemd/system
@@ -76,8 +82,6 @@ for var_dm in "${ary_dm_units[@]}"; do
 done
-rm -f /root/ciss_xdg_tmp.sh
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 1493dcd..32d3628 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
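Review bot: `find /etc/ciss/keys -type f -exec chmod 0444 {} +` makes every file under that directory world-readable regardless of what it is, and the initramfs hook generated by 0001_initramfs_modules.chroot copies `/etc/ciss/keys/*.gpg` into the initramfs, so the directory is a public trust store by construction; that is only safe while nothing but public key material is ever placed there. Restrict the match to what is meant, e.g. `find /etc/ciss/keys -type f -name '*_public.gpg' -exec chmod 0444 {} +`, or state the invariant in the section comment. Moving `rm -f /root/ciss_xdg_tmp.sh` ahead of `update-initramfs` also means the generated initramfs hook now runs without that file; if the hook body (in another file) still sources it, the deletion should stay after the regeneration as it was before.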
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 7f56666..d1b4245 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index 59a32a2..938c81e 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened 
@@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.392.2025.11.07 +# Version Master V8.13.400.2025.11.08 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 7bf8b96..684628f 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.392.2025.11.07" +declare -gr VERSION="Master V8.13.400.2025.11.08" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index c773cd7..3c88b58 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.392.2025.11.07 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.400.2025.11.08 at: 10:18:37.9542 diff --git a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums index f33023e..f0ab2e3 100644 --- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums +++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums 
@@ -28,14 +28,24 @@
 # 0 : Successful verification
 #######################################
 Verify_checksums() {
+ printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
+
+ ### Declare variables --------------------------------------------------------------------------------------------------------
 _MOUNTPOINT="${1}"
+ _PARAMETER=""
+ _TTY="/dev/tty8"
 LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
 LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
+ _KEYFILE=""
+
+ _MP=""
+
+ ### Parse commandline arguments ----------------------------------------------------------------------------------------------
 for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
 case "${_PARAMETER}" in
@@ -60,6 +70,20 @@ Verify_checksums() {
 done
+ ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
+ for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
+
+ if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
+
+ _KEYFILE="${_MP}/0030-verify-checksums.gpg"
+
+ break
+
+ fi
+
+ done
+
+ ### Check if the function should be skipped ----------------------------------------------------------------------------------
 case "${LIVE_VERIFY_CHECKSUMS}" in
 true)
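Review bot: The `_MP` loop leaves `_KEYFILE` empty when `0030-verify-checksums.gpg` is found under none of the candidate paths, and the gpgv calls later in this function then receive `--keyring ""`, turning a missing trust anchor into an obscure gpgv error instead of a clear stop; add `[ -n "${_KEYFILE}" ] || panic "0030-verify-checksums.gpg not found"` after the loop. More fundamentally, three of the four candidates are the mounted boot medium itself, so the keyring is read from the same image whose checksum files it is meant to authenticate; an image that has been altered together with its key and signatures passes this check, and the signature step then adds nothing over the plain hash. The initramfs hook generated in 0001_initramfs_modules.chroot already installs `/etc/ciss/keys/*.gpg` into the initramfs, so checking that location first (and only falling back to the medium if at all) gives an anchor fixed at build time. Verify_checksums continues outside the hunk.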
@@ -78,48 +102,58 @@ Verify_checksums() {
 ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
 if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
- log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
+ log_begin_msg "Verifying integrity of: [0030-verify-checksums] "
 printf "\n"
+ printf "\e[95m[INFO] Verifying integrity of: [0030-verify-checksums] ... \n\e[0m"
- CDLB_SCRIPT="0030-verify-checksums"
+ _CAND=""
+ CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
+
+ for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
+
+ [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
+
+ done
+ [ -n "${CDLB_SCRIPT_SELF}" ] || { echo "cannot locate 0030-verify-checksums"; exit 1; }
+
+ CDLB_CMD="/usr/bin/sha512sum"
 CDLB_SHA="sha512"
- CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
- CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_SHA}"
+ CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
+ CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
+ CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
+ CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
 CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
- CDLB_CMD="/bin/sha512sum"
- printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
+ printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
- if ! /bin/gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+ if ! /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
- printf "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]\n"
+ printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
 sleep 16
- # TODO panic "[PANIC] Signature verification failed for: [0030-verify-checksums.sha512]"
+ # TODO panic "[FATAL] Verifying signature of: [0030-verify-checksums.sha512sum.txt.sig] failed. "
 else
- printf "Signature verification successful for: [0030-verify-checksums.sha512]\n"
+ printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"
 fi
- printf "Recomputing hash for: [sha512]\n"
+ printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"
- CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
+ CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
 IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
 if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
- printf "[PANIC] Recomputing hash for: [sha512] failed.\n"
+ printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
 sleep 16
- # TODO panic "[PANIC] Recomputing hash for: [sha512] failed."
+ # TODO panic "[FATAL] Recomputing hash for: [sha512] failed."
 fi
- printf "Hash verification successful for: [sha512]\n"
-
- printf "Verification of authenticity and integrity of '0030-verify-checksums' successfully completed. Proceeding."
-
+ printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
+ printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SHA}"
 log_end_msg
 printf "\n"
@@ -128,6 +162,7 @@ Verify_checksums() {
 ### Checksum and checksum signature verification -----------------------------------------------------------------------------
 log_begin_msg "Verifying checksums"
 printf "\n"
+ printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"
 # shellcheck disable=SC2001
 for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
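Review bot: Both failure paths of the self-verification block still fall through: after the `[FATAL]` printf the code only does `sleep 16`, keeps the `# TODO panic` line commented out, and proceeds to the hash step and then to the boot, so a bad signature or a mismatching sha512 of this script delays the boot by 16 seconds but does not stop it. The later branches of this function already use `panic`, so replace each `sleep 16` plus TODO pair with `panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."` and `panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."`, which also makes the `exit 1` in the locate-failure branch consistent with the rest. `CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"` is a bare filename while the script itself is now addressed by the absolute `CDLB_SCRIPT_FULL`, so the hash and signature files are resolved against whatever the current directory happens to be; prefixing it with `${CDLB_SCRIPT_PATH}/` ties them to the script's location. `CDLB_SCRIPT_FULL` merely reassembles `CDLB_SCRIPT_SELF` (the `%/` strip is a no-op after `%/*`), so the three derivation lines can collapse to `CDLB_SCRIPT_FULL="${CDLB_SCRIPT_SELF}"`.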
@@ -139,24 +174,30 @@ Verify_checksums() {
 if [ -e "${_CHECKSUM}" ]; then
- printf "Found [%s] ...\n" "${_CHECKSUM}"
+ printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "${_CHECKSUM}"
- if [ -e "/bin/${_DIGEST}sum" ]; then
+ if [ -e "/usr/bin/${_DIGEST}sum" ]; then
+
+ printf "\e[95m[INFO] Found [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
 if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
- printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
+ printf "\e[95m[INFO] Checking signature of [%s] ... \n\e[0m" "${_CHECKSUM}"
+
 _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
- gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
+
+ /usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
 _RETURN_PGP="${?}"
+ printf "\e[92m[INFO] Checking signature of [%s] successful. \n\e[0m" "${_CHECKSUM}"
+
 else
 _RETURN_PGP="na"
 fi
- printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
+ printf "\e[92m[INFO] Found [%s] done. \n\e[0m" "/usr/bin/${_DIGEST}sum"
 # shellcheck disable=SC2312
 grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
@@ -167,7 +208,7 @@ Verify_checksums() {
 else
- printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
+ printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
 fi
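Review bot: The `[INFO] Checking signature of [%s] successful.` line is printed unconditionally right after `_RETURN_PGP="${?}"`, so a failed gpgv run logs a success message and the real outcome only surfaces in the `case` at the end of the function; guard it with `[ "${_RETURN_PGP}" = "0" ] && printf "\e[92m[INFO] Checking signature of [%s] successful. \n\e[0m" "${_CHECKSUM}"` or print the status value. The existence test now looks at `/usr/bin/${_DIGEST}sum` while the context line below still runs `/bin/"${_DIGEST}"sum -c`; on a merged-/usr system both resolve, but the two paths should agree so the check guards the binary that is actually executed. The replaced `Checking Hashes of [%s]` message was the only line naming the checksum file about to be hashed; the new `Found [%s] done.` text names the tool instead, which makes the console log harder to read when several digests are configured.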
@@ -178,26 +219,44 @@ Verify_checksums() { done log_end_msg + printf "\n" case "${_RETURN_PGP},${_RETURN_SHA}" in "0,0") - log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds." + printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m" + printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" sleep 8 + log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds." return 0 ;; "na,0") - log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds." + printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m" + printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" sleep 8 + log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds." return 0 ;; + "0,"*) + printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m" + printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" + sleep 8 + panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." + ;; + *",0") - panic "Verification of signature file failed while verification of checksum file successful." + printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m" + printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" + sleep 8 + panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." ;; "na,"*) + printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m" + printf "\e[91m[FATAL] CDLB modified: [%s] done. 
\n\e[0m" "${CDLB_SCRIPT_FULL}" + sleep 8 panic "Verification of checksum file failed." ;; diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index d28859b..1839a4a 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
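Review bot: In the `"0,0"` and `"na,0"` arms, `log_success_msg "... continuing booting in 8 seconds."` now runs after `sleep 8`, so the countdown text is shown once the wait is already over; keep the message before the sleep as the original did, or remove the timing from the wording. The fatal arms print `[FATAL] CDLB modified: [%s] done.` on the failure path, where "done" reads like success; something like `[FATAL] CDLB modified: [%s] aborted.` keeps the outcome unambiguous in the boot log. Whether the case statement has a `*)` default is not visible here because the hunk ends at the `"na,"*` arm; if there is none, a combination such as `na,na` would fall through and Verify_checksums would return without panicking, so confirm that path fails closed.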
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 0a6d42a..b58801a 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index a310d47..84186f0 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 0be9d8a..fd22f7b 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index be53e19..f891840 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 6a36f4b..ac98075 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 5ff9a9d..2961708 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,20 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Changelog +## V8.13.400.2025.11.08 +* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling +* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme +* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme +* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output +* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) - added verbosity output +* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) - bugfixes +* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) - moved ``update-initramfs`` to: +* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + ## V8.13.392.2025.11.07 * **Global**: Changed ``guard_sourcing`` to ``guard_sourcing || return "${ERR_GUARD_SRCE}"`` * **Added**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + Final secrets wiper before starting ``lb build``. diff --git a/docs/CNET.md b/docs/CNET.md index 7a55ff6..28281a7 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 8a53478..95b3265 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 7bb00d7..277c9bf 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 1beca17..d79983e 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index b3fc099..384dc70 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 5f688d6..8ac0d9c 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V8.13.392.2025.11.07 +Master V8.13.400.2025.11.08 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -145,7 +145,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. ๐Ÿ’ท Please consider donating to my work at: ๐ŸŒ https://coresecret.eu/spenden/ - V8.13.392.2025.11.07 2025-11-06 CDLB(1) + V8.13.400.2025.11.08 2025-11-06 CDLB(1) ```` # 3. Booting diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 357f83a..424016c 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.392.2025.11.07
+**Build**: V8.13.400.2025.11.08
# 2. Resources diff --git a/lib/lib_ciss_upgrades_boot.sh b/lib/lib_ciss_upgrades_boot.sh index 1d19010..1ab1c48 100644 --- a/lib/lib_ciss_upgrades_boot.sh +++ b/lib/lib_ciss_upgrades_boot.sh @@ -37,8 +37,8 @@ ciss_upgrades_boot() { fi - declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512" - declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512.sig" + declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt" + declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt.sig" declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" diff --git a/lib/lib_gnupg.sh b/lib/lib_gnupg.sh index 2bed6ca..03e2ebf 100644 --- a/lib/lib_gnupg.sh +++ b/lib/lib_gnupg.sh @@ -45,7 +45,7 @@ init_gnupg() { ### Avoid collision with Gitea runner workflows. if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then - printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}" + printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿ” VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}" declare -grx GNUPGHOME="${VAR_WORKDIR}/cdlb_$$_gnupg" @@ -59,14 +59,14 @@ EOF if ! gpgconf --launch gpg-agent 2>&1; then - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to launch gpg-agent. \e[0m\n" + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Failed to launch gpg-agent. \e[0m\n" return "${ERR_GPG__AGENT}" fi else - printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}" + printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿ” VAR_CDLB_INSIDE_RUNNER: [%s] leaving GNUPGHOME untouched.\e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}" fi 
@@ -87,7 +87,7 @@ EOF if ! gpg --batch --yes --pinentry-mode=loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"; then - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to import signing key. \e[0m\n" + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Failed to import signing key. \e[0m\n" return "${ERR_GPG__AGENT}" fi @@ -97,8 +97,8 @@ EOF ### Export public key for verification inside ISO / chroot. install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys" install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary" - gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg" - gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg" + gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg" + gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg" umask "${__umask}" __umask="" diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index d4733e3..c8b9c56 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh 
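Review bot: The two `gpg --batch --yes --export` lines write the public key into the chroot and binary includes without checking the outcome, and nothing confirms the files are non-empty; if `${VAR_SIGNING_KEY_FPR}` matches no imported key, gpg only warns that nothing was exported, and an empty `0030-verify-checksums.gpg` would make every boot-time gpgv verification fail closed with a misleading error. Add a size check after the exports, e.g. `[ -s "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg" ] || return "${ERR_GPG__AGENT}"`, preferably with a dedicated error code if the project defines one for key export. The file was renamed from `0030-verify-checksums_public.gpg`; its consumer in 0030-verify-checksums now reads `${_KEYFILE}`, whose definition is not part of this diff, so verify it points at the new name.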
@@ -39,13 +39,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V8.13.392.2025.11.07 2025-11-06 CDLB(1)" "${var_cols}") + declare var_footer=$(center "V8.13.400.2025.11.08 2025-11-06 CDLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V8.13.392.2025.11.07\e[0m" + echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" diff --git a/scripts/usr/lib/live/build/binary_checksums.sh b/scripts/usr/lib/live/build/binary_checksums.sh index 95b55fc..f4b4c0d 100644 --- a/scripts/usr/lib/live/build/binary_checksums.sh +++ b/scripts/usr/lib/live/build/binary_checksums.sh @@ -26,6 +26,8 @@ set -e +printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/build/binary_checksums] ... \n\e[0m" + ### Including common functions. if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" @@ -66,7 +68,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do CHECKSUMS="${CHECKSUM}sum.txt" - Echo_message "Begin creating binary ${CHECKSUMS} ..." + Echo_message "Creating binary ${CHECKSUMS} ..." ### Remove old checksums. # shellcheck disable=SC2292 
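Review bot: The footer `V8.13.400.2025.11.08 2025-11-06 CDLB(1)` advances the build string to 2025.11.08 but leaves the man-page date at 2025-11-06, so the two dates on one line disagree; the same stale date is carried into the docs/DOCUMENTATION.md hunk. Either bump the date together with the build, or derive both from a single source such as `${VAR_VERSION}` from var/early.var.sh if lib_usage.sh can read it, so the two cannot drift apart on the next bump.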
@@ -90,26 +92,26 @@ for CHECKSUM in ${LB_CHECKSUMS}; do \! -path './*gpg' \ \! -path './*sig' \ -print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}" - Echo_message "Begin creating binary ${CHECKSUMS} done." + Echo_message "Creating binary ${CHECKSUMS} done." - Echo_message "Begin verifying binary ${CHECKSUMS} ..." + Echo_message "Verifying binary ${CHECKSUMS} ..." "${CHECKSUM}sum" -c --strict --quiet "${CHECKSUMS}" - Echo_message "Begin verifying binary ${CHECKSUMS} done." + Echo_message "Verifying binary ${CHECKSUMS} done." if [ "${VAR_SIGNER}" = "true" ]; then - Echo_message "Begin creating GPG binary signature ${CHECKSUMS} ..." + Echo_message "Creating GPG binary signature of ${CHECKSUMS} ..." gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}" - Echo_message "Begin creating GPG binary signature ${CHECKSUMS} done." + Echo_message "Creating GPG binary signature of ${CHECKSUMS} done." - Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} ..." + Echo_message "Verifying GPG binary signature of ${CHECKSUMS} ..." gpgv --keyring "${VAR_VERIFY_KEYRING}" "${CHECKSUMS}.sig" "${CHECKSUMS}" - Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} done." + Echo_message "Verifying GPG binary signature of ${CHECKSUMS} done." fi - Echo_message "Begin creating '${CHECKSUM}sum.README' ..." + Echo_message "Creating '${CHECKSUM}sum.README' ..." cat << EOF >| "${CHECKSUM}sum.README" # SPDX-Version: 3.0 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; @@ -129,7 +131,7 @@ ${CHECKSUM}sum -c ${CHECKSUMS} # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF - Echo_message "Begin creating '${CHECKSUM}sum.README' done." + Echo_message "Creating '${CHECKSUM}sum.README' done." cd "${OLDPWD}" 
@@ -144,4 +146,6 @@ cd "${OLDPWD}" ### Creating a stage file. Create_stagefile +printf "\e[92m[INFO] CDLB modified: [/usr/lib/live/build/binary_checksums] done. \n\e[0m" + # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/scripts/usr/lib/live/build/binary_rootfs.sh b/scripts/usr/lib/live/build/binary_rootfs.sh index 4515c85..a132dd6 100644 --- a/scripts/usr/lib/live/build/binary_rootfs.sh +++ b/scripts/usr/lib/live/build/binary_rootfs.sh @@ -26,6 +26,8 @@ set -e +printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/build/binary_rootfs] ... \n\e[0m" + # Including common functions. if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" @@ -460,4 +462,6 @@ fi # Creating a stage file Create_stagefile +printf "\e[92m[INFO] CDLB modified: [/usr/lib/live/build/binary_rootfs] done. \n\e[0m" + # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/scripts/usr/local/sbin/9999-cdi-starter b/scripts/usr/local/sbin/9999-cdi-starter index 9a61486..127b31e 100644 --- a/scripts/usr/local/sbin/9999-cdi-starter +++ b/scripts/usr/local/sbin/9999-cdi-starter @@ -127,7 +127,7 @@ main() { # shellcheck disable=SC2312 exec > >(tee -a "${var_log}") 2>&1 - printf "CISS.debian.installer Master V8.13.392.2025.11.07 is up! \n" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.400.2025.11.08 is up! \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -182,7 +182,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.installer Master V8.13.392.2025.11.07: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.400.2025.11.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } 
diff --git a/var/early.var.sh b/var/early.var.sh index 1d196f1..b446f25 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" declare -grx VAR_HOST="$(uname -n)" declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_SYSTEM="$(uname -mnosv)" -declare -grx VAR_VERSION="Master V8.13.392.2025.11.07" +declare -grx VAR_VERSION="Master V8.13.400.2025.11.08" declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{ # Print $4 and $5; include $6 only if it exists out = $4