msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.02.512.2025.05.30

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-05-30 00:28:39 +02:00
parent 2680012395
commit b2282d3475
172 changed files with 14057 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
config/bootloaders/grub-efi/grub.cfg Normal file
View File

@@ -0,0 +1,46 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
source /boot/grub/config.cfg
GRUB_DEFAULT=0
GRUB_TIMEOUT=16
GRUB_DISTRIBUTOR="CISS.debian.live.builder"
# Live boot
@LINUX_LIVE@
### CISS.2025 BOB
#MUST_BE_REPLACED
### CISS.2025 EOB
submenu 'CISS CoreSecret Legacy DI ...' --hotkey=c {
source /boot/grub/theme.cfg
menuentry "CISS CoreSecret Legacy DI" --hotkey=s {
linux @KERNEL_GI@ @APPEND_GI@
initrd @INITRD_GI@
}
}
submenu 'Utilities ...' --hotkey=u {
source /boot/grub/theme.cfg
# Memtest (if any)
if @ENABLE_MEMTEST@; then
source /boot/grub/memtest.cfg
fi
# Firmware setup (UEFI)
if [ "${grub_platform}" = "efi" ]; then
menuentry "UEFI Firmware Settings" --hotkey=e {
fwsetup
}
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

BIN
config/bootloaders/grub-efi/splash.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 MiB

46
config/bootloaders/grub-pc/grub.cfg Normal file
View File

@@ -0,0 +1,46 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
source /boot/grub/config.cfg
GRUB_DEFAULT=0
GRUB_TIMEOUT=16
GRUB_DISTRIBUTOR="CISS.debian.live.builder"
# Live boot
@LINUX_LIVE@
### CISS.2025 BOB
#MUST_BE_REPLACED
### CISS.2025 EOB
submenu 'CISS CoreSecret Legacy DI ...' --hotkey=c {
source /boot/grub/theme.cfg
menuentry "CISS CoreSecret Legacy DI" --hotkey=s {
linux @KERNEL_GI@ @APPEND_GI@
initrd @INITRD_GI@
}
}
submenu 'Utilities ...' --hotkey=u {
source /boot/grub/theme.cfg
# Memtest (if any)
if @ENABLE_MEMTEST@; then
source /boot/grub/memtest.cfg
fi
# Firmware setup (UEFI)
if [ "${grub_platform}" = "efi" ]; then
menuentry "UEFI Firmware Settings" --hotkey=e {
fwsetup
}
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

BIN
config/bootloaders/grub-pc/splash.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 MiB

BIN
config/bootloaders/splash.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 MiB

27
config/hooks/live/0000_generate_backup_dir.chroot Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /root/.ciss/dlb/backup
chmod 0700 /root/.ciss/dlb/backup
mkdir -p /root/git
chmod 0700 /root/git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

294
config/hooks/live/0001_initramfs_modules.chroot Normal file
View File

@@ -0,0 +1,294 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
#######################################
# Get all NIC Driver of the current Host-machine
# Arguments:
# None
#######################################
grep_nic_driver_modules() {
declare _mods
# Gather all Driver and sort unique
readarray -t _mods < <(
lspci -k \
| grep -A2 -i ethernet \
| grep 'Kernel driver in use' \
| awk '{print $5}' \
| sort -u
)
declare nic_module
declare nic_modules
if [[ "${#_mods[@]}" -eq 1 ]]; then
nic_module="${_mods[0]}"
echo "${nic_module}"
else
nic_modules="${_mods[*]}"
echo "${nic_modules}"
fi
}
# shellcheck disable=SC2155
declare nic_driver="$(grep_nic_driver_modules)"
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
### QEMU Bochs-compatible virtual machine support
bochs
### Device-mapper core module (required for all dm_* features)
dm_mod
### Device-mapper integrity target (provides integrity checking)
dm-integrity
### Device-mapper crypt target (provides disk encryption)
dm-crypt
### Generic AES block cipher implementation (used by dm-crypt)
aes_generic
### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
sha256_generic
### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
crc32c_generic
### Main btrfs filesystem module
btrfs
### Zstandard compression support for btrfs
zstd_compress
### XOR parity implementation for RAID functionality
xor
### RAID6 parity generation module
raid6_pq
### Combined RAID4/5/6 support module
raid456
### Network Driver Host-machine
"${nic_driver}"
EOF
cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#
# The Configuration file for update-initramfs(8)
#
#
# update_initramfs [ yes | all | no ]
#
# Default is yes
# If set to all update-initramfs will update all initramfs
# If set to no disables any update to initramfs besides kernel upgrade
update_initramfs=yes
#
# backup_initramfs [ yes | no ]
#
# Default is no
# If set to no leaves no .bak backup files.
backup_initramfs=no
EOF
cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
#
# Note that configuration options from this file can be overridden
# by config files in the /etc/initramfs-tools/conf.d directory.
#
# MODULES: [ most | netboot | dep | list ]
#
# most - Add most filesystem and all hard-drive drivers.
#
# dep - Try and guess that module to load.
#
# netboot - Add the base modules, network modules, but skip block devices.
#
# list - Only include modules from the 'additional modules' list
#
MODULES=most
#
# BUSYBOX: [ y | n | auto ]
#
# Use busybox shell and utilities. If set to n, klibc utilities will be used.
# If set to auto (or unset), busybox will be used if installed and klibc will
# be used otherwise.
#
BUSYBOX=auto
#
# KEYMAP: [ y | n ]
#
# Load a keymap during the initramfs stage.
#
KEYMAP=n
#
# COMPRESS: [ gzip | bzip2 | lz4 | lzma | lzop | xz | zstd ]
#
COMPRESS=zstd
#
# COMPRESSLEVEL: ...
#
# Set a compression level for the compressor.
# Defaults vary by compressor.
#
# Valid values are:
# 19 for gzip|bzip2|lzma|lzop
# 09 for lz4|xz
# 019 for zstd
# COMPRESSLEVEL=3
#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#
DEVICE=
#
# NFSROOT: [ auto | HOST:MOUNT ]
#
NFSROOT=auto
#
# RUNSIZE: ...
#
# The size of the /run tmpfs mount point, like 256M or 10%
# Overridden by optional initramfs.runsize= bootarg
#
RUNSIZE=10%
#
# FSTYPE: ...
#
# The filesystem type(s) to support, or "auto" to use the current root
# filesystem type
#
FSTYPE=auto
EOF
cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
PREREQ=""
prereqs() { echo "$PREREQ"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
# Include Bash
copy_exec /usr/bin/bash /usr/bin
# Include lsblk (block device information tool)
copy_exec /usr/bin/lsblk /usr/bin
# Include udevadm (udev management tool)
copy_exec /usr/bin/udevadm /usr/bin
EOF
chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
### Regenerate the initramfs for the live system kernel
update-initramfs -u -k all
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

144
config/hooks/live/0002_verify_checksums.chroot Normal file
View File

@@ -0,0 +1,144 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
target="/usr/lib/live/boot/0030-verify-checksums"
src="$(mktemp)"
if [[ ! -d /usr/lib/live/boot ]]; then
mkdir -p /usr/lib/live/boot
fi
cat << 'EOF' >| "${src}"
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of the offered checksums, proceed with booting, else panic.
### Inside 0002_verify_checksums.chroot ###
#######################################
# Live build ISO with the modified checksum verification script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# LIVE_VERIFY_CHECKSUMS
# LIVE_VERIFY_CHECKSUMS_DIGESTS
# _CHECKSUM
# _CHECKSUMS
# _DIGEST
# _MOUNTPOINT
# _PARAMETER
# _RETURN
# _TTY
# Arguments:
# $1: ${_PARAMETER}
# Returns:
# 0 : Successful Verification
#######################################
Verify_checksums() {
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true) ;;
*)
return 0
;;
esac
_MOUNTPOINT="${1}"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
_TTY="/dev/tty8"
log_begin_msg "Verifying checksums"
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
echo "Found ${_CHECKSUM}..." > "${_TTY}"
if [ -e "/bin/${_DIGEST}sum" ]; then
echo "Checking ${_CHECKSUM}..." > "${_TTY}"
# Verify checksums
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN="${?}"
# Stop after the first verification
# break 2
else
echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
fi
fi
done
done
log_end_msg
case "${_RETURN}" in
0)
log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
sleep 10
return 0
;;
*)
panic "Verification failed, $(basename ${_TTY}) for more information."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
# Copy and make executable
install -Dm755 "${src}" "${target}"
rm -f "${src}"
unset target src
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

53
config/hooks/live/0050_activate_root.chroot Normal file
View File

@@ -0,0 +1,53 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
if [[ ! -f /root/.pwd ]]; then
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
# sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
# sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
exit 0
fi
cd /root
cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
declare hashed_pwd
declare safe_hashed_pwd
IFS= read -r hashed_pwd < /root/.pwd
safe_hashed_pwd=$(printf '%s' "${hashed_pwd}" | sed 's/[\/&]/\\&/g')
sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow
sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
unset hashed_pwd safe_hashed_pwd
cat /etc/shadow
# sleep 1
if shred -vfzu -n 5 /root/.pwd; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
config/hooks/live/0080_keyboard_layout.chroot Normal file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cat << 'EOF' >| /etc/default/keyboard
XKBMODEL="pc105"
XKBLAYOUT="de"
XKBVARIANT=""
XKBOPTIONS=""
BACKSPACE="guess"
EOF
dpkg-reconfigure -f noninteractive keyboard-configuration
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
config/hooks/live/0090_haveged.chroot Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get update -y
apt-get install --no-install-recommends haveged -y
cd /root
cat << 'EOF' >| /etc/default/haveged
# Configuration file for haveged
# Options to pass to haveged:
DAEMON_ARGS="-w 2048 -v 1"
EOF
#mkdir -p /etc/systemd/system/haveged.service.d
#cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
#[Service]
#NoNewPrivileges=yes
#ReadWritePaths=/dev/random /dev/urandom
#AmbientCapabilities=
#User=haveged
#Group=nogroup
#EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

34
config/hooks/live/0120_set_hostname.chroot Normal file
View File

@@ -0,0 +1,34 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
cat << 'EOF' >| /etc/hostname
live.local
EOF
cat << 'EOF' >| /etc/mailname
localhost.local
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

40
config/hooks/live/0130_machineid.chroot Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
if [[ -f /var/lib/dbus/machine-id ]]; then
rm /var/lib/dbus/machine-id
fi
cat << 'EOF' >| /var/lib/dbus/machine-id
b08dfa6083e7567a1921a715000001fb
EOF
chmod 644 /var/lib/dbus/machine-id
if [[ -f /etc/machine-id ]]; then
rm /etc/machine-id
fi
cat << 'EOF' >| /etc/machine-id
b08dfa6083e7567a1921a715000001fb
EOF
chmod 644 /etc/machine-id
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

162
config/hooks/live/0400_eza_install.chroot Normal file
View File

@@ -0,0 +1,162 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
repo="ryanoasis/nerd-fonts"
latest_release=$(curl -s "https://api.github.com/repos/${repo}/releases/latest" | jq -r .tag_name)
download_url="https://github.com/${repo}/releases/download/${latest_release}/Hack.zip"
wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg --dearmor -o /etc/apt/keyrings/gierens.gpg
echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
apt-get update -y
apt-get install -y eza
git clone https://github.com/eza-community/eza-themes.git
mkdir -p /root/.config/eza
cat << 'EOF' >| "/root/eza-themes/themes/centurion.yml"
colourful: true
filekinds:
normal: {foreground: Default}
directory: {foreground: Purple, is_bold: true}
symlink: {foreground: Cyan}
pipe: {foreground: Yellow}
block_device: {foreground: Yellow, is_bold: true}
char_device: {foreground: Yellow, is_bold: true}
socket: {foreground: Red, is_bold: true}
special: {foreground: Yellow}
executable: {foreground: Green, is_bold: true}
mount_point: {foreground: Purple, is_bold: true, is_underlined: true}
perms:
user_read: {foreground: Yellow, is_bold: true}
user_write: {foreground: Red, is_bold: true}
user_execute_file: {foreground: Green, is_bold: true, is_underlined: true}
user_execute_other: {foreground: Green, is_bold: true}
group_read: {foreground: Yellow}
group_write: {foreground: Red}
group_execute: {foreground: Green}
other_read: {foreground: Yellow}
other_write: {foreground: Red}
other_execute: {foreground: Green}
special_user_file: {foreground: Purple}
special_other: {foreground: Purple}
attribute: {foreground: Default}
size:
major: {foreground: Green, is_bold: true}
minor: {foreground: Green}
number_byte: {foreground: Green, is_bold: true}
number_kilo: {foreground: Green, is_bold: true}
number_mega: {foreground: Green, is_bold: true}
number_giga: {foreground: Green, is_bold: true}
number_huge: {foreground: Green, is_bold: true}
unit_byte: {foreground: Green}
unit_kilo: {foreground: Green}
unit_mega: {foreground: Green}
unit_giga: {foreground: Green}
unit_huge: {foreground: Green}
users:
user_you: {foreground: Yellow, is_bold: true}
user_root: {foreground: Default}
user_other: {foreground: Default}
group_yours: {foreground: Yellow, is_bold: true}
group_other: {foreground: Default}
group_root: {foreground: Default}
links:
normal: {foreground: Red, is_bold: true}
multi_link_file: {foreground: Red, background: Yellow}
git:
new: {foreground: Green}
modified: {foreground: Blue}
deleted: {foreground: Red}
renamed: {foreground: Yellow}
typechange: {foreground: Purple}
ignored: {foreground: Default, is_dimmed: true}
conflicted: {foreground: Red}
git_repo:
branch_main: {foreground: Green}
branch_other: {foreground: Yellow}
git_clean: {foreground: Green}
git_dirty: {foreground: Yellow}
security_context:
colon: {foreground: Default, is_dimmed: true}
user: {foreground: Blue}
role: {foreground: Green}
typ: {foreground: Yellow}
range: {foreground: Cyan}
file_type:
image: {foreground: Purple}
video: {foreground: Purple, is_bold: true}
music: {foreground: Cyan}
lossless: {foreground: Cyan, is_bold: true}
crypto: {foreground: Green, is_bold: true}
document: {foreground: Green}
compressed: {foreground: Red}
temp: {foreground: White}
compiled: {foreground: Yellow}
build: {foreground: Yellow, is_bold: true, is_underlined: true}
source: {foreground: Yellow, is_bold: true}
punctuation: {foreground: DarkGray, is_bold: true}
date: {foreground: Cyan}
inode: {foreground: Purple}
blocks: {foreground: Cyan}
header: {foreground: White, is_bold: true, is_underlined: true}
octal: {foreground: Purple}
flags: {foreground: Default}
symlink_path: {foreground: Cyan}
control_char: {foreground: Red}
broken_symlink: {foreground: Red}
broken_path_overlay: {foreground: Default, is_underlined: true}
filenames:
# Custom filename-based overrides
# Cargo.toml: {icon: {glyph: 🦀}}
extensions:
# Custom extension-based overrides
# rs: {filename: {foreground: Red}, icon: {glyph: 🦀}}
EOF
chmod 0644 "/root/eza-themes/themes/centurion.yml"
ln -sf "/root/eza-themes/themes/centurion.yml" /root/.config/eza/theme.yml
mkdir -p /tmp/nerd
mkdir -p /root/.local/share/fonts
wget --no-clobber --https-only --secure-protocol=TLSv1_3 -P /tmp/nerd "${download_url}"
unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
fc-cache -fv
rm -rf /tmp/nerd
unset repo latest_release download_url
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

28
config/hooks/live/0800_lynis_setup.chroot Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
apt-get update -y
apt-get install -y lynis
lynis show version
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

68
config/hooks/live/0810_chrony_setup.chroot Normal file
View File

@@ -0,0 +1,68 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /var/log/chrony
# See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.
apt-get install chrony -y
systemctl enable chrony.service
mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak
cat << 'EOF' >| /etc/chrony/chrony.conf
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
driftfile /var/lib/chrony/chrony.drift
keyfile /etc/chrony/chrony.keys
logdir /var/log/chrony
ntsdumpdir /var/lib/chrony
sourcedir /run/chrony-dhcp
sourcedir /etc/chrony/sources.d
log tracking measurements statistics
authselectmode require
server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
# server nts.netnod.se iburst nts minpoll 5 maxpoll 9
# server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
# server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
# server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
leapsectz right/UTC
leapsecmode system
maxupdateskew 100.0
rtcsync
makestep 1 3
EOF
chmod 644 /etc/chrony/chrony.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/hooks/live/0820_kernel_hardening_checker.chroot Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git
git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

52
config/hooks/live/0822_ssh_restart_hook.chroot Normal file
View File

@@ -0,0 +1,52 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
declare target_script="/etc/cron.d/restart-ssh"
cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
EOF
chmod 644 "${target_script}"
cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Script to restart SSH at boot
systemctl stop ssh
sleep 5
systemctl start ssh
EOF
chmod +x /usr/local/bin/restart-ssh.sh
unset target_script
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/hooks/live/0825_my_sqltuner_perl.chroot Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git
git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/hooks/live/0830_download_yq.chroot Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
chmod +x /usr/bin/yq
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/hooks/live/0835_testssl.sh.chroot Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git
git clone https://github.com/testssl/testssl.sh.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

28
config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get install -y curl
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
apt-get install -y nodejs
cd /root/git
git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/hooks/live/0845_harbian_audit.chroot Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git
git clone https://github.com/hardenedlinux/harbian-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/hooks/live/0850_ssh_audit.chroot Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git
git clone https://github.com/jtesta/ssh-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

67
config/hooks/live/0900_ufw_setup.chroot Normal file
View File

@@ -0,0 +1,67 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
declare -r UFW_OUT_POLICY="deny"
declare -r SSHPORT="MUST_BE_SET"
ufw --force reset
ufw logging medium
ufw default deny incoming
ufw default "${UFW_OUT_POLICY}" outgoing
ufw default deny forward
ufw allow in "${SSHPORT}"/tcp comment 'Incoming SSH (Custom-Port)'
ufw limit "${SSHPORT}"/tcp comment 'Rate-Limit for SSH (Custom-Port)'
if [[ ${UFW_OUT_POLICY,,} == "deny" ]]; then
ufw allow out 21/tcp comment 'Outgoing FTP'
ufw allow out 22/tcp comment 'Outgoing SSH'
ufw allow out 25/tcp comment 'Outgoing SMTP'
ufw allow out 53/tcp comment 'Outgoing DNS'
ufw allow out 80/tcp comment 'Outgoing HTTP'
ufw allow out 123/tcp comment 'Outgoing NTP'
ufw allow out 143/tcp comment 'Outgoing IMAP'
ufw allow out 443/tcp comment 'Outgoing HTTPS'
ufw allow out 465/tcp comment 'Outgoing SMTPS'
ufw allow out 587/tcp comment 'Outgoing SMTPS'
ufw allow out 993/tcp comment 'Outgoing IMAPS'
ufw allow out 4460/tcp comment 'Outgoing NTS'
ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
ufw allow out 53/udp comment 'Outgoing DNS'
ufw allow out 123/udp comment 'Outgoing NTP'
ufw allow out 443/udp comment 'Outgoing QUIC'
ufw allow out 853/udp comment 'Outgoing DoQ'
fi
sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" /etc/ufw/before.rules
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" /etc/ufw/before.rules
sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

25
config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# TODO: MUST be uncommented
cd /root/git
# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
config/hooks/live/9900_process_accounting.chroot Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get install -y acct
if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
mkdir -p /etc/systemd/system/multi-user.target.wants
fi
if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
config/hooks/live/9910_motd.chroot Normal file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /root/.ciss/dlb/backup/update-motd.d
cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
cat << 'EOF' >| /etc/update-motd.d/10-uname
#!/bin/sh
uname -snrm
EOF
chmod 0755 /etc/update-motd.d/10-uname
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

170
config/hooks/live/9920_deleting_invalid_x509.chroot Normal file
View File

@@ -0,0 +1,170 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
declare backup_dir="/root/.ciss/dlb/backup/certificates"
declare current_date
current_date=$(date +%s)
declare -ax expired_certificates=()
#######################################
# Backup Wrapper for all x509 Root CA Certs
# Globals:
# backup_dir
# search_dirs
# dir
# Arguments:
# None
#######################################
create_backup() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
mkdir -p "${backup_dir}"
declare dir=""
for dir in "${search_dirs[@]}"; do
if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
cp -r "${dir}"/* "${backup_dir}"
fi
done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
}
#######################################
# Check the validity of each certificate.
# Globals:
# CERT
# CERT_DATE
# CERT_DATE_SECONDS
# CURRENT_DATE
# DIR
# EXPIRED_CERTIFICATES
# SEARCH_DIRS
# Arguments:
# None
#######################################
check_certificates() {
declare dir=""
declare cert=""
declare cert_date=""
declare cert_date_seconds=""
for dir in "${search_dirs[@]}"; do
while IFS= read -r -d '' cert; do
cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
cert_date_seconds=$(date -d "${cert_date}" +%s)
if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
declare -g expired_certificates+=("${cert}")
fi
done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
done
}
# done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
# done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
#######################################
# Find and clean all ca-certificates.crt files in SEARCH_DIRS.
# Globals:
# CURRENT_DATE
# SEARCH_DIRS
# cert
# line
# Arguments:
# None
#######################################
delete_expired_from_all_bundles() {
declare dir bundle
for dir in "${search_dirs[@]}"; do
bundle="${dir}/ca-certificates.crt"
if [[ -f ${bundle} ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
declare tmp_bundle="${bundle}.tmp"
declare -a block=()
declare expired=0
declare enddate cert_date_seconds
: > "${tmp_bundle}"
declare line=""
while IFS= read -r line; do
block+=("${line}")
if [[ ${line} == "-----END CERTIFICATE-----" ]]; then
cert=$(printf "%s\n" "${block[@]}")
enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
if [[ -n ${enddate} ]]; then
declare cert_date_seconds=""
cert_date_seconds=$(date -d "${enddate}" +%s)
if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
expired=1
else
expired=0
fi
else
expired=0
fi
if [[ ${expired} -eq 0 ]]; then
printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
fi
block=()
fi
done < "${bundle}"
mv -f "${tmp_bundle}" "${bundle}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
fi
done
}
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
create_backup
delete_expired_from_all_bundles
check_certificates
if [[ ${#expired_certificates[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n"
else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
for exp_cert in "${expired_certificates[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
done
for exp_cert in "${expired_certificates[@]}"; do
rm -f "${exp_cert}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
basename=$(basename "${exp_cert}")
mozilla_entry="mozilla/${basename%.pem}.crt"
mozilla_entry="${mozilla_entry%.crt}.crt"
declare ca_conf="/etc/ca-certificates.conf"
if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
fi
done
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
update-ca-certificates --fresh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
# sleep 1
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

64
config/hooks/live/9930_hardening_ssh.chroot Normal file
View File

@@ -0,0 +1,64 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
}
rm -rf ssh_host_*key*
ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli
chmod 0600 /etc/ssh/ssh_host_*_key
chown root:root /etc/ssh/ssh_host_*_key
chmod 0644 /etc/ssh/ssh_host_*_key.pub
chown root:root /etc/ssh/ssh_host_*_key.pub
chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
touch /root/sshfp
ssh-keygen -r @ >| /root/sshfp
###########################################################################################
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh
declare -girx TMOUT=14400
EOF
chmod +x /etc/profile.d/idle-users.sh
mkdir -p /etc/systemd/system/ssh.service.d
cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
[Unit]
After=ufw.service
Requires=ufw.service
EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
config/hooks/live/9940_hardening_memory.dump.chroot Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
sed -i "/#* soft core 0/ i\* soft core 0" /etc/security/limits.conf
sed -i "/#root hard core 100000/ i\* hard core 0" /etc/security/limits.conf
if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
mkdir -p /etc/systemd/coredump.conf.d
fi
touch /etc/systemd/coredump.conf.d/disable.conf
chmod 0644 /etc/systemd/coredump.conf.d/disable.conf
cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf
[Coredump]
Storage=none
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

148
config/hooks/live/9950_fail2ban_hardening.chroot Normal file
View File

@@ -0,0 +1,148 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[DEFAULT]
usedns = yes
# local | vpn
ignoreip = 127.0.0.0/8 ::1 MUST_BE_SET
maxretry = 8
findtime = 24h
bantime = 24h
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
### Jump host mistyped 13 times: no ban, only after four attempts [sshd]
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = MUST_BE_SET
protocol = tcp
logpath = /var/log/auth.log
maxretry = 4
findtime = 24h
bantime = 24h
[sshd-refused]
enabled = true
filter = sshd-refused
port = MUST_BE_SET
protocol = tcp
logpath = /var/log/auth.log
maxretry = 1
findtime = 24h
bantime = 24h
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
[ufw]
enabled = true
filter = ufw.aggressive
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
findtime = 24h
bantime = 24h
protocol = tcp,udp
EOF
cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
EOF
cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
[Definition]
failregex = ^refused connect from \S+ \(<HOST>\)
EOF
###########################################################################################
# Remarks: hardening of fail2ban systemd #
###########################################################################################
# https://wiki.archlinux.org/title/fail2ban#Service_hardening #
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read #
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to #
# operate # on any firewall that has a command-line shell interface. By using #
# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths #
# allows Fail2ban to have write access on required paths. #
###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir /var/log/fail2ban
cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
### Added by CISS.debian.live.builder
ProtectClock=true
ProtectHostname=true
EOF
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
EOF
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
touch /var/log/fail2ban/fail2ban.log
chmod 640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
config/hooks/live/9960_disable_services.chroot Normal file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
###########################################################################################
# Remarks: Turn off Energy saving mode and ctrl-alt-del #
###########################################################################################
declare target=""
for target in sleep.target suspend.target hibernate.target hybrid-sleep.target ctrl-alt-del.target; do
ln -sf /dev/null "/etc/systemd/system/${target}"
done
unset target
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

40
config/hooks/live/9970_remove_exim.chroot Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /etc
apt-get purge exim4 -y
apt-get purge exim4-base -y
apt-get purge exim4-config -y
apt-get autoremove -y
apt-get autoclean -y
apt-get autopurge -y
apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
apt-get update -y
apt-get upgrade -y
if [[ -d /etc/exim4 ]]; then
rm -rf /etc/exim4
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

45
config/hooks/live/9980_usb_guard.chroot Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get install -y usbguard
# sleep 1
# Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
touch /tmp/rules.conf
usbguard generate-policy >> /tmp/rules.conf
if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
cp -a /tmp/rules.conf /etc/usbguard/rules.conf
chmod 0600 /etc/usbguard/rules.conf
else
rm -f /etc/usbguard/rules.conf
cp -a /tmp/rules.conf /etc/usbguard/rules.conf
chmod 0600 /etc/usbguard/rules.conf
fi
cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
# sleep 1
rm -f /tmp/rules.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

77
config/hooks/live/9985_clamav.chroot Normal file
View File

@@ -0,0 +1,77 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /etc/systemd/system/clamav-daemon.service.d
cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
[Service]
User=clamav
Group=clamav
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
NoNewPrivileges=yes
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /run/clamav
ExecStartPre=/bin/chown clamav:clamav /run/clamav
ExecStartPre=/bin/chmod 750 /run/clamav
ReadOnlyPaths=/
ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
MemoryDenyWriteExecute=yes
MemoryLimit=512M
CPUShares=512
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
EOF
chmod 0644 /etc/systemd/system/clamav-daemon.service.d/override.conf
mkdir -p /etc/systemd/system/clamav-freshclam.service.d
cat << 'EOF' >| /etc/systemd/system/clamav-freshclam.service.d/override.conf
[Service]
User=clamav
Group=clamav
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
NoNewPrivileges=yes
ReadOnlyPaths=/
ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
MemoryDenyWriteExecute=yes
MemoryLimit=512M
CPUShares=512
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
EOF
chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
config/hooks/live/9990_final_purge.chroot Normal file
View File

@@ -0,0 +1,59 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get update -y
apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
if [[ -s /tmp/deinstall.log ]]; then
printf "\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
sed -i 's!deinstall!!' /tmp/deinstall.log
while IFS= read -r line; do
declare trimmed_string
trimmed_string=$(echo "$line" | awk '{$1=$1};1')
echo "y" | apt-get purge "${trimmed_string}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
# sleep 1
done < /tmp/deinstall.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
else
printf "\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
fi
apt-get update -y
apt-get upgrade -y
rm -f /tmp/deinstall.log
rm -fr /opt/udebs
apt-get autoclean -y
apt-get autoremove -y
apt-get autopurge -y
updatedb
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

105
config/hooks/live/9991_file_permissions.chroot Normal file
View File

@@ -0,0 +1,105 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
chmod 0644 /etc/banner
chmod 0644 /etc/issue
chmod 0644 /etc/issue.net
if [[ -f /etc/motd ]]; then
cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
chmod 0644 /root/.ciss/dlb/backup/motd.bak
rm /etc/motd
fi
touch /etc/motd
cat << EOF >| /etc/motd
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2018 - 2025
Centurion Intelligence Consulting Agency (tm)
https://coresecret.eu/
Please consider making a donation:
https://coresecret.eu/spenden/
EOF
cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
sed -i 's/UMASK 022/UMASK 077/' /etc/login.defs
sed -i 's/PASS_MAX_DAYS 99999/PASS_MAX_DAYS 16384/' /etc/login.defs
sed -i 's/PASS_MIN_DAYS 0/PASS_MIN_DAYS 1/' /etc/login.defs
sed -i 's/PASS_WARN_AGE 7/PASS_WARN_AGE 128/' /etc/login.defs
sed -i 's/ENCRYPT_METHOD SHA512/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
sed -i 's/#SHA_CRYPT_MIN_ROUNDS 5000/SHA_CRYPT_MIN_ROUNDS 8388608/' /etc/login.defs
sed -i 's/#SHA_CRYPT_MAX_ROUNDS 5000/SHA_CRYPT_MAX_ROUNDS 8388608/' /etc/login.defs
sed -i 's/#YESCRYPT_COST_FACTOR 5/YESCRYPT_COST_FACTOR 8/' /etc/login.defs
if [[ -f /etc/cron.deny ]]; then
rm /etc/cron.deny
fi
if [[ -f /etc/cron.allow ]]; then
cp -u /etc/cron.allow /root/.backup/cron.allow.bak
chmod 644 /root/.backup/cron.allow.bak
chmod 600 /etc/cron.allow
cat << EOF >| /etc/cron.allow
root
EOF
else
touch /etc/cron.allow
chmod 0600 /etc/cron.allow
cat << EOF >| /etc/cron.allow
root
EOF
fi
chmod g-wx,o-rwx /etc/cron.allow
chown root:root /etc/cron.allow
chmod 0640 /etc/shadow
chown root:shadow /etc/shadow
chmod 0700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
chmod 0700 /etc/sudoers.d
chmod 0600 /etc/crontab
chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
chmod 0750 /home
if chmod 0750 /var/spool/apt-mirror; then :; fi
mkdir /root/.ansible
declare bin
declare target
for bin in as gcc g++ cc clang; do
target=$(readlink -f "/usr/bin/${bin}") || {
printf "\e[92m✅ Info: '%s' not found, skipping. \e[0m\n" "${bin}"
continue
}
chmod 700 "${target}" || {
printf "\e[92m❌ Error: chmod failed for '%s', skipping. \e[0m\n" "${bin}"
}
done
unset bin target
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

52
config/hooks/live/9992_password_expiration.chroot Normal file
View File

@@ -0,0 +1,52 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
if ! command -v chage &>/dev/null; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
fi
declare -i max_days=16384
mapfile -t users_to_update < <(
awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
)
if [[ ${#users_to_update[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
fi
declare user
for user in "${users_to_update[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
chage --maxdays "$max_days" "$user"
done
unset max_days user users_to_update
awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
config/hooks/live/9993_aide.chroot Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get install -y aide
cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
if aideinit; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

135
config/hooks/live/9994_password_policy.chroot Normal file
View File

@@ -0,0 +1,135 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### NIST recommends at least eight characters but advises longer passphrases (e.g., 1264) for increased security.
### NIST SP 80063B, https://pages.nist.gov/800-63-3/sp800-63b.html
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
cat << 'EOF' >| /etc/security/pwquality.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
### including NIST SP 80063B, https://pages.nist.gov/800-63-3/sp800-63b.html
### and weighing usability against security.
### Configuration for systemwide password quality limits
### Defaults:
### Number of characters in the new password that must not be present in the
### old password.
difok = 4
### Length over complexity: Studies show that longer passphrases are significantly more
### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
### but advises longer passphrases (e.g., 1264) for increased security. Twenty characters strike a
### good balance between security and user convenience.
### Minimum acceptable size for the new password (plus one if
### credits are not disabled, which is the default). (See pam_cracklib manual.)
### Cannot be set to a lower value than 6.
minlen = 20
### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
### NIST SP 80063B advises against rigid complexity rules (numbers, symbols, uppercase)
### because they can lead users to adopt predictable patterns (e.g., “Pa$$word!”).
### Length and dictionary checks are more effective.
### The maximum credit for having digits in the new password. If less than 0
### it is the minimum number of digits in the new password.
dcredit = 0
### The maximum credit for having uppercase characters in the new password.
### If less than 0, it is the minimum number of uppercase characters in the new
### password.
ucredit = 0
### The maximum credit for having lowercase characters in the new password.
### If less than 0, it is the minimum number of lowercase characters in the new
### password.
lcredit = 0
### The maximum credit for having other characters in the new password.
### If less than 0, it is the minimum number of other characters in the new
### password.
ocredit = 0
### The minimum number of required classes of characters for the new
### password (digits, uppercase, lowercase, others).
minclass = 0
### The maximum number of allowed consecutive same characters in the new password.
### The check is disabled if the value is 0.
maxrepeat = 2
### The maximum number of allowed consecutive characters of the same class in the
### new password.
### The check is disabled if the value is 0.
maxclassrepeat = 4
### Whether to check for the words from the passwd entry GECOS string of the user.
### The check is enabled if the value is not 0.
### gecoscheck = 0
### Whether to check for the words from the cracklib dictionary.
### The check is enabled if the value is not 0.
dictcheck = 1
### Whether to check if it contains the username in some form.
### The check is enabled if the value is not 0.
usercheck = 1
### Length of substrings from the username to check for in the password
### The check is enabled if the value is greater than 0, and the usercheck is enabled.
usersubstr = 3
### Whether the check is enforced by the PAM module and possibly other
### applications.
### The new password is rejected if it fails the check, and the value is not 0.
enforcing = 1
### Path to the cracklib dictionaries. The default is to use the cracklib default.
dictpath =
# Prompt user at most N times before returning with error. The default is 1.
retry = 3
# Enforces pwquality checks on the root user password.
# Enabled if the option is present.
enforce_for_root
# Skip testing the password quality for users that are not present in the
# /etc/passwd file.
# Enabled if the option is present.
local_users_only
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
config/hooks/live/9995_sysstat.chroot Normal file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

332
config/hooks/live/9996_auditd.chroot Normal file
View File

@@ -0,0 +1,332 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### https://github.com/linux-audit/audit-userspace/tree/master/rules
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
apt-get install auditd -y
cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
rm -rf /etc/audit/rules.d/audit.rules
############################################################### /etc/audit/rules.d/10-base-config.rules
cat << EOF >| /etc/audit/rules.d/10-base-config.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
EOF
############################################################### /etc/audit/rules.d/11-loginuid.rules
cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
--loginuid-immutable
EOF
############################################################### /etc/audit/rules.d/20-dont-audit.rules
cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
## This is for don't audit rules. We put these early because audit
### is a first match wins system. Uncomment the rules you want.
## Cron jobs fill the logs with stuff we normally don't want
-a never,user -F subj_type=crond_t
## This prevents chrony from overwhelming the logs
-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
### This is not very interesting and wastes a lot of space if
### the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
EOF
############################################################### /etc/audit/rules.d/21-no32bit.rules
cat << EOF >| /etc/audit/rules.d/21-no32bit.rules
## If you are on a 64 bit platform, everything _should_ be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit ABI.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
EOF
############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit-rules
## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
## User enable and disable. This is entirely handled by pam.
## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
## Software updates. This is entirely handled by rpm.
## System start and shutdown. This is entirely handled by systemd
## Kernel Module loading. This is handled in 43-module-load.rules
## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
EOF
############################################################### /etc/audit/rules.d/99-finalize.rules
cat << EOF >| /etc/audit/rules.d/99-finalize.rules
-e 2
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
config/hooks/live/9997_debsums.chroot Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
apt-get install --no-install-recommends debsums -y
cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
chmod 0644 /root/.ciss/dlb/backup/debsums.bak
sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
if debsums -g; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
else
# Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
config/hooks/live/9998_sources_list.chroot Normal file
View File

@@ -0,0 +1,59 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root
if [[ -f /etc/apt/sources.list ]]; then
mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
fi
cat << 'EOF' >| /etc/apt/sources.list
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#-----------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS
#-----------------------------------------------------------------------------------------#
### Debian Main Repos Bookworm
deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

65
config/hooks/live/9999_interfaces_update.chroot Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
rm -f /etc/network/interfaces
cat << 'EOF' >| /etc/network/interfaces
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
### The loopback network interface
auto lo
iface lo inet loopback
### Fully dynamic interface
auto dynamic
iface dynamic inet dhcp
pre-up \
IFACE=$(ip -o link show \
| awk -F': ' '{print $2}' \
| grep -m1 -v lo) && \
echo "Using interface $IFACE as dynamic" && \
ip link set dev "$IFACE" up && \
ip link set dev "$IFACE" name dynamic
post-down \
ip link set dev dynamic name "$IFACE" && \
echo "Restored interface name $IFACE"
source /etc/network/interfaces.d/*
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 /etc/network/interfaces
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

43
config/includes.binary/boot/grub/config.cfg Normal file
View File

@@ -0,0 +1,43 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set timeout=16
set default=0
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
font=$prefix/unicode.pf2
fi
# Copied from the netinst image
if loadfont $font ; then
set gfxmode=800x600
set gfxpayload=keep
insmod efi_gop
insmod efi_uga
insmod video_bochs
insmod video_cirrus
else
set gfxmode=auto
insmod all_video
fi
insmod gfxterm
insmod png
source /boot/grub/theme.cfg
terminal_output gfxterm
insmod play
play 960 440 1 0 4 440 1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

12
config/includes.chroot/etc/banner Normal file
View File

@@ -0,0 +1,12 @@
#######################################################################
# #
## ##
###### ######## ### ## ######## ### ## ####### ### ####### ### ##
### #### ## ### ### ## ## ### ## #### ##
### ####### ####### ### ### ## ###### ### ## ## #######
### ### ### ### ### ### ## ## ## ### ## ## ### ###
###### ####### ### ## ### ##### ## ## ### ##### ### ##
# #
#######################################################################

11
config/includes.chroot/etc/issue Normal file
View File

@@ -0,0 +1,11 @@
********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
********************************************************************

11
config/includes.chroot/etc/issue.net Normal file
View File

@@ -0,0 +1,11 @@
********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
********************************************************************

13
config/includes.chroot/etc/live/config.conf Normal file
View File

@@ -0,0 +1,13 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
LIVE_CONFIGS="username"
USERNAME=root
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

114
config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf Normal file
View File

@@ -0,0 +1,114 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# The kernel allows unprivileged users to indirectly cause certain modules to be loaded
# via module auto-loading. This allows an attacker to auto-load a vulnerable module which
# is then exploited. One such example is CVE-2017-6074, in which an attacker could trigger
# the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a
# vulnerability in said kernel module.
# Specific kernel modules can be blacklisted by inserting files into /etc/modprobe.d with
# instructions on which kernel modules to blacklist.
##### Disable Uncommon Network Protocols #####
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install p8022 /bin/true
install can /bin/true
install atm /bin/true
# DCCP Datagram Congestion Control Protocol
# SCTP Stream Control Transmission Protocol
# RDS Reliable Datagram Sockets
# TIPC Transparent Inter-process Communication
# HDLC High-Level Data Link Control
# AX25 Amateur X.25
# NetRom
# X25
# ROSE
# DECnet
# Econet
# af_802154 IEEE 802.15.4
# IPX Internetwork Packet Exchange
# AppleTalk
# PSNAP Subnetwork Access Protocol
# p8023 Novell raw IEEE 802.3
# p8022 IEEE 802.2
# CAN Controller Area Network
# ATM
##### Disable Uncommon Filesystems #####
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install udf /bin/true
blacklist cramfs
blacklist freevxfs
blacklist jffs2
blacklist hfs
blacklist hfsplus
blacklist udf
##### Disable Uncommon Network Filesystems #####
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
install gfs2 /bin/true
blacklist cifs
blacklist nfs
blacklist nfsv3
blacklist nfsv4
blacklist ksmbd
blacklist gfs2
# The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
install vivid /bin/true
##### Disable access to USB #####
install usb_storage /bin/true
blacklist usb-storage
##### Disable access to IEEE1394 #####
install firewire-core /bin/true
##### Blacklist automatic loading of miscellaneous modules #####
##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
# evbug is a debug tool that should be loaded explicitly
blacklist evbug
# these drivers are very simple
blacklist usbmouse
blacklist usbkbd
# causes no end of confusion by creating unexpected network interfaces
blacklist eth1394
# ugly and loud noise, getting on everyone's nerves
blacklist pcspkr
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
config/includes.chroot/etc/network/interfaces Normal file
View File

@@ -0,0 +1,36 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
### The loopback network interface
auto lo
iface lo inet loopback
### Fully dynamic interface
auto dynamic
iface dynamic inet dhcp
pre-up \
IFACE=$(ip -o link show \
| awk -F': ' '{print $2}' \
| grep -m1 -v lo) && \
echo "Using interface $IFACE as dynamic" && \
ip link set dev "$IFACE" up && \
ip link set dev "$IFACE" name dynamic
post-down \
ip link set dev dynamic name "$IFACE" && \
echo "Restored interface name $IFACE"
source /etc/network/interfaces.d/*
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

134
config/includes.chroot/etc/ssh/sshd_config Normal file
View File

@@ -0,0 +1,134 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.512.2025.05.30
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
Banner /etc/banner
DebianBanner no
VersionAddendum none
Compression no
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port MUST_BE_CHANGED
AllowUsers root
UseDNS no
### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
### whichever occurs first.
RekeyLimit 1G 1h
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2
### Begin randomly dropping new unauthenticated connections after the 8th attempt,
### with a 64% chance to drop each additional connection, up to a hard limit of 16.
MaxStartups 08:64:16
### Restrict each individual source IP to only 4 unauthenticated connection slot
### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
PerSourceMaxStartups 4
ClientAliveInterval 300
ClientAliveCountMax 2
AuthorizedKeysFile %h/.ssh/authorized_keys
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
### A+ Rating 100/100
RequiredRSASize 4096
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
KbdInteractiveAuthentication no
### Set this to 'yes' to enable PAM authentication, account processing,
### and session processing. If this is enabled, PAM authentication will
### be allowed through the ChallengeResponseAuthentication and
### PasswordAuthentication. Depending on your PAM configuration,
### PAM authentication via ChallengeResponseAuthentication may bypass
### the setting of "PermitRootLogin without-password".
### If you just want the PAM account and session checks to run without
### PAM authentication, then enable this but set PasswordAuthentication
### and ChallengeResponseAuthentication to 'no'.
UsePAM yes
### Allow client to pass locale environment variables
AcceptEnv LANG LC_*
### override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
PidFile /var/run/sshd.pid
PrintMotd no
PrintLastLog yes
TCPKeepAlive no
### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
HostbasedAuthentication no
### Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
# UsePrivilegeSeparation yes
### Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosGetAFSToken no
### GSSAPI options
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no
# AuthorizedPrincipalsFile none
# AuthorizedKeysCommand none
# AuthorizedKeysCommandUser nobody
# PermitTunnel no
# ChrootDirectory none
# X11DisplayOffset 10
# X11UseLocalhost yes
# PermitTTY yes
# PermitUserEnvironment no
# IgnoreUserKnownHosts no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

328
config/includes.chroot/etc/sysctl.d/99_local.hardened Normal file
View File

@@ -0,0 +1,328 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.512.2025.05.30
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
### https://kspp.github.io/
### https://linux-audit.com/tags/kernel/
###########################################################################################
# Warning
# Be careful not to lock yourself out of your system after a reboot due to incorrect
# settings. For example, 'kernel.modules_disabled=1' will generally prevent the network
# stack from being brought up after a reboot, which means NO SSH.
###########################################################################################
##### Linux Kernel #####
### Disable loading new modules. Be careful with using this option!
kernel.modules_disabled=1
### Restricting access to kernel pointers.
kernel.kptr_restrict=2
### Restricting access to kernel logs.
kernel.dmesg_restrict=1
###########################################################################################
# Despite the value of dmesg_restrict, the kernel log will still be displayed in the
# console during boot.
# This option prevents those information leaks.
###########################################################################################
kernel.printk=3 3 3 3
### Restricting eBPF to the CAP_BPF capability
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
### Restricting loading TTY line disciplines to the CAP_SYS_MODULE capability
dev.tty.ldisc_autoload=0
###########################################################################################
# The userfaultfd() syscall is often abused to exploit use-after-free flaws.
# This sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
###########################################################################################
vm.unprivileged_userfaultfd=0
###########################################################################################
# kexec is a system call that is used to boot another kernel during runtime.
# This functionality can be abused to load a malicious kernel and gain arbitrary code
# execution in kernel mode, so this sysctl disables it.
###########################################################################################
kernel.kexec_load_disabled=1
###########################################################################################
# Prevents unprivileged users from creating their own user namespaces, potentially
# enabling exploits. This is a good additional safeguard.
###########################################################################################
kernel.unprivileged_userns_clone=0
###########################################################################################
# The SysRq key exposes a lot of potentially dangerous debugging functionality to
# unprivileged users. You can set the value to 0 to disable SysRq completely.
###########################################################################################
kernel.sysrq=0
### Randomize memory space.
kernel.randomize_va_space=2
###########################################################################################
# These prevent creating files in potentially attacker-controlled environments, such as
# world-writable directories.
###########################################################################################
fs.protected_fifos=2
fs.protected_regular=2
###########################################################################################
# This only permits symlinks to be followed when outside a world-writable sticky directory,
# when the owner of the symlink and follower match or when the directory owner matches the
# symlink's owner.
###########################################################################################
fs.protected_symlinks=1
fs.protected_hardlinks=1
###########################################################################################
# ptrace is a system call that allows a program to alter and inspect another running
# process, which allows attackers to trivially modify the memory of other running programs.
# 0 - classic ptrace permissions:
# a process can PTRACE_ATTACH to any other process running under the same uid,
# as long as it is dumpable (i.e., did not transition uids,
# start privileged, or have called prctl(PR_SET_DUMPABLE...) already).
# Similarly, PTRACE_TRACEME is unchanged.
#
# 1 - restricted ptrace:
# a process must have a predefined relationship with the inferior it wants to call
# PTRACE_ATTACH on. By default, this relationship is that of only its descendants when the
# above classic criteria is also met. To change the relationship, an inferior can call
# prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call
# PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
#
# 2 - admin-only attach:
# only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or through
# children calling PTRACE_TRACEME.
#
# 3 - no attach:
# no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set, this
# sysctl value cannot be changed.
###########################################################################################
kernel.yama.ptrace_scope=2
### Use filename based on core_pattern value
kernel.core_uses_pid=1
###########################################################################################
# Performance events add considerable kernel attack surface and have caused abundant
# vulnerabilities. Be careful ! Performance might be affected ! Here turned off by default.
###########################################################################################
#kernel.perf_event_paranoid=2
###########################################################################################
# ASLR is a common exploit mitigation that randomizes the position of critical parts of a
# process in memory. This can make a wide variety of exploits harder to pull off, as they
# first require an information leak. The above settings increase the bits of entropy used
# for mmap ASLR, improving its effectiveness. The values of these sysctls must be set in
# relation to the CPU architecture. The above values are compatible with x86, but other
# architectures may differ.
###########################################################################################
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
###########################################################################################
# In addition to ASLR hardening, one could adjust the behavior for memory overbooking.
# Determines how the kernel provides the available memory for processes:
# - 0 (default): kernel decides heuristically whether memory allocations are allowed.
# - 1: Memory is always allocated, even if it is not physically available; can lead to
# out-of-memory errors.
# - 2: The kernel only allows memory allocations up to the available physical memory + swap
# (safe mode).
#vm.overcommit_memory=2
# Specifies how much of the available physical memory (plus swap) can be made available
# for memory allocations when vm.overcommit_memory=2 is active.
# The value is a percentage.
# 50: Up to 50% of the physical memory can be reserved for memory-intensive applications.
###########################################################################################
#vm.overcommit_ratio=50
###########################################################################################
# Reduces the likelihood of important data remaining unsecured in RAM for too long.
# Specifies the percentage of the total memory that can be filled with changed (dirty) data
# before it is written to the permanent memory (e.g., the hard disk).
# 15: If 15% of the RAM is occupied by dirty pages, a background flush process is triggered
# to write this data.
#vm.dirty_ratio=15
# Specifies the percentage of total memory at which the kernel starts writing dirty pages
# in the background before the dirty_ratio threshold is reached.
# 5: The kernel starts writing data in the background when 5% of RAM is occupied with
# dirty pages.
###########################################################################################
#vm.dirty_background_ratio=5
###########################################################################################
# Similar to core dumps, swapping or paging copies parts of memory to disk, which can
# contain sensitive information. The kernel should be configured to only swap if absolutely
# necessary.
###########################################################################################
#vm.swappiness=1
### This setting minimizes swapping, which is useful for servers.
### However, one could also consider vm.swappiness=0 if enough RAM is available.
# vm.swappiness=0
###########################################################################################
# Process that runs with elevated privileges may still dump their memory even after these
# settings.
###########################################################################################
fs.suid_dumpable=0
kernel.core_pattern= | /bin/false
### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
#user.max_user_namespaces=0
###########################################################################################
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# If you want to set oops_limit greater than one, you will need to disable
# CONFIG_PANIC_ON_OOPS.
###########################################################################################
kernel.warn_limit=1
kernel.oops_limit=1
###########################################################################################
# Disable TIOCSTI, which is used to inject keypresses.
# (This will, however, break screen readers.)
###########################################################################################
dev.tty.legacy_tiocsti=0
###########################################################################################
# IO_uring has yielded some security concerns and vulnerabilities,
# particularly for those sticking to older versions of the Linux kernel.
# There have also been IO_uring integration issues with the Linux security subsystem.
###########################################################################################
#kernel.io_uring_disabled=2
##### Network Stack #####
### Disable IP source routing, we are not a router:
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
###########################################################################################
# This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make
# the device more difficult to enumerate on the network and prevent clock fingerprinting
# through ICMP timestamps.
###########################################################################################
net.ipv4.icmp_echo_ignore_all=1
### Enable ignoring broadcast request.
net.ipv4.icmp_echo_ignore_broadcasts=1
### This helps protect against SYN flood attacks
net.ipv4.tcp_syncookies=1
###########################################################################################
# This protects against time-wait assassination by dropping RST packets for sockets in
# the time-wait state.
###########################################################################################
net.ipv4.tcp_rfc1337=1
###########################################################################################
# These enable source validation of packets received from all interfaces of the machine.
# This protects against IP spoofing, in which an attacker sends a packet with a fraudulent
# IP address.
###########################################################################################
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
###########################################################################################
# This disables ICMP redirect acceptance and sending to prevent man-in-the-middle attacks
# and minimize information disclosure.
###########################################################################################
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
###########################################################################################
# A martian packet is a packet with a source address, which is obviously wrong -
# nothing could possibly be routed back to that address.
###########################################################################################
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
###########################################################################################
# Deactivates IP forwarding. This means that the system discards packets that are not
# intended for its own IP addresses. It therefore does not act as a router and does not
# forward data packets between network interfaces.
###########################################################################################
net.ipv4.conf.all.forwarding=0
###########################################################################################
# Disabling RA prevents the system from receiving routing information from potentially
# insecure or compromised routers. This is particularly important for servers that use
# static network configurations and should not dynamically accept new IPv6 routes or
# prefixes. An attacker could otherwise use forged RA messages to change the network route
# and redirect traffic, for example.
###########################################################################################
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
###########################################################################################
# These parameters relate to secure ICMP redirects. ICMP redirects are messages that a
# router sends to a device to inform it that there is a better route for the data traffic.
# This setting prevents the system from responding to redirects that have been spoofed by
# potential attackers to redirect traffic (e.g., for man-in-the-middle attacks).
###########################################################################################
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1
###########################################################################################
# This setting prevents the disclosure of TCP timestamps that can be used for system
# fingerprinting:
###########################################################################################
net.ipv4.tcp_timestamps=0
###########################################################################################
# To make ARP spoofing attacks more difficult. Defines how the system responds to ARP
# requests.
# - 0 (default): Responds to every request, including IPs configured on other interfaces.
# - 1: Only responds to requests that are specifically intended for the IP of the
# respective interface. Increases security by preventing ARP spoofing attacks, as the
# system does not send unnecessary ARP responses.
###########################################################################################
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.default.arp_ignore=1
###########################################################################################
# To minimize attacks on half-open connections.
# Specifies the maximum number of connection requests (SYN packets)
# that can be held in the connection establishment state (SYN_RECV) in the queue.
# 4096: A generous queue to better intercept SYN flood attacks.
# Useful for systems with high network traffic, or if protection against DoS attacks
# needs to be improved:
###########################################################################################
net.ipv4.tcp_max_syn_backlog=4096
###########################################################################################
# Specifies the maximum number of SYN/ACK retries before the connection is aborted:
# 2: The kernel will only send a SYN/ACK twice before dropping the connection.
# Reduces the time and effort wasted on inactive connection requests.
# This improves performance and protects against SYN flood attacks, but could cause
# problems on poor networks.
###########################################################################################
net.ipv4.tcp_synack_retries=2
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

14
config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf Normal file
View File

@@ -0,0 +1,14 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin root --noclear %I $TERM
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh Normal file
View File

@@ -0,0 +1,31 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
echo '152.53.35.74 coresecret.eu' >> /etc/hosts
touch /tmp/late-command-script
chmod 0700 /tmp/late-command-script
. /.ciss/install/.ash/di_scripting_flexibility.sh
sh /.ciss/install/.ash/di_scripting_password.sh
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
. /.ciss/install/.ash/di_scripting_flexibility.sh
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

415
config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh Normal file
View File

@@ -0,0 +1,415 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
. /.ciss/install/.ash/di_scripting_flexibility.sh
readonly DISK_NAME="sda"
readonly DISK_PATH="/dev/${DISK_NAME}"
readonly SLEEPTIMER="2"
do_sleep() {
sleep "${SLEEPTIMER}"
}
modprobe btrfs || true
modprobe ext4 || true
blkdiscard "${DISK_PATH}"
parted "${DISK_PATH}" --script -- mklabel gpt
#/dev/sda1 -- ESP
do_dev_sda1() {
parted "${DISK_PATH}" --script -- mkpart ESP fat32 1MiB 512MiB set 1 esp on
do_sleep
FORMAT_LABEL="ESP"
PARTITION="${DISK_PATH}1"
format_partition() {
if mkfs.fat -F32 -n "${FORMAT_LABEL}" "${PARTITION}"; then
echo "Partition: ${PARTITION} successfully formatted with FAT32."
else
echo "Partition: ${PARTITION} NOT successfully formated with FAT32."
fi
if blkid "${PARTITION}" | grep -q 'TYPE="vfat"'; then
echo "Partition: ${PARTITION} correctly formatted with FAT32."
else
echo "Partition: ${PARTITION} NOT correctly formatted with FAT32."
fi
}
ATTEMPTS=0
MAX_ATTEMPTS=3
while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
ATTEMPTS=$((ATTEMPTS + 1))
done
if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
else
echo "Partition ${PARTITION} successfully formatted and checked."
fi
}
do_dev_sda1
#/dev/sda2 -- /boot
do_dev_sda2() {
parted "${DISK_PATH}" --script -- mkpart primary ext4 512MiB 4096MiB
do_sleep
FORMAT_LABEL="boot"
PARTITION="${DISK_PATH}2"
format_partition() {
if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
echo "Partition: ${PARTITION} successfully formatted with ext4."
else
echo "Partition: ${PARTITION} NOT successfully formated with ext4."
fi
if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
echo "Partition: ${PARTITION} correctly formatted with ext4."
else
echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
fi
}
ATTEMPTS=0
MAX_ATTEMPTS=3
while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
ATTEMPTS=$((ATTEMPTS + 1))
done
if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
else
echo "Partition ${PARTITION} successfully formatted and checked."
fi
}
do_dev_sda2
#/dev/sda3 -- preparing for crypt_ephemeral_swap
parted "${DISK_PATH}" --script -- mkpart primary 4096MiB 8192MiB
do_sleep
#/dev/sda4 -- preparing for crypt_ephemeral_tmp
parted "${DISK_PATH}" --script -- mkpart primary 8192MiB 12288MiB
do_sleep
#/dev/sda5 -- /home
parted "${DISK_PATH}" --script -- mkpart primary 12288MiB 45056MiB
do_sleep
#/dev/sda6 -- /
parted "${DISK_PATH}" --script -- mkpart primary 45056MiB 77824MiB
do_sleep
#/dev/sda7 -- /usr
parted "${DISK_PATH}" --script -- mkpart primary 77824MiB 143360MiB
do_sleep
#/dev/sda8 -- /var
parted "${DISK_PATH}" --script -- mkpart primary 143360MiB 208896MiB
do_sleep
#/dev/sda9 -- /var/log
parted "${DISK_PATH}" --script -- mkpart primary 208896MiB 225280MiB
do_sleep
#/dev/sda10 -- /var/log/audit
parted "${DISK_PATH}" --script -- mkpart primary 225280MiB 241664MiB
do_sleep
#/dev/sda11 -- /var/tmp
parted "${DISK_PATH}" --script -- mkpart primary 241664MiB 258048MiB
do_sleep
#/dev/sda12 -- temporary installation /tmp
do_dev_sda12() {
parted "${DISK_PATH}" --script -- mkpart primary 258048MiB 261120MiB
do_sleep
FORMAT_LABEL="installation_tmp"
PARTITION="${DISK_PATH}12"
format_partition() {
if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
echo "Partition: ${PARTITION} successfully formatted with ext4."
else
echo "Partition: ${PARTITION} NOT successfully formated with ext4."
fi
if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
echo "Partition: ${PARTITION} correctly formatted with ext4."
else
echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
fi
}
ATTEMPTS=0
MAX_ATTEMPTS=3
while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
ATTEMPTS=$((ATTEMPTS + 1))
done
if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
else
echo "Partition ${PARTITION} successfully formatted and checked."
fi
}
do_dev_sda12
# Encrypt and open /dev/sda5 to /dev/sda11
i=5
while [ "${i}" -lt 12 ]; do
PARTITION="/dev/${DISK_NAME}${i}"
MAPPER_NAME="crypt_${DISK_NAME}${i}"
if cryptsetup luksFormat "${PARTITION}" --key-file=/.ciss/install/.cfg/.password.cfg --batch-mode --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 --use-random --verbose; then
echo "Partition: ${PARTITION} successfully encrypted."
do_sleep
if cryptsetup open "${PARTITION}" "${MAPPER_NAME}" --key-file=/.ciss/install/.cfg/.password.cfg; then
echo "Partition: ${PARTITION} successfully opened as: ${MAPPER_NAME}."
if mkfs.btrfs -L "${MAPPER_NAME}" /dev/mapper/"${MAPPER_NAME}"; then
echo "Partition: ${PARTITION} successfully formatted."
else
echo "Partition: ${PARTITION} NOT successfully formatted."
fi
else
echo "Partition: ${PARTITION} NOT successfully opened as: ${MAPPER_NAME}."
fi
else
echo "Partition: ${PARTITION} NOT successfully encrypted."
fi
i=$((i + 1))
done
do_sleep
# Generate /target directories-
FILE_DIR="/.ciss/install/.cfg/.directories.cfg"
# Check that the file exists.
if [ ! -f "${FILE_DIR}" ]; then
echo "Error: File ${FILE_DIR} cannot be read." >&2
exit 1
fi
while read -r DIR; do
sleep 1
# Proceed only if the row is not empty.
if [ -n "${DIR}" ]; then
# Verify if the directory already exists.
if [ -d "${DIR}" ]; then
echo "Directory ${DIR} already exists."
else
# Try to create a directory.
until [ -d "${DIR}" ]; do
mkdir -p "${DIR}"
if [ ! -d "${DIR}" ]; then
echo "Error: Creating ${DIR} directory failed. Try again. " >&2
sleep 1
fi
done
echo "Directory ${DIR} created successfully".
fi
fi
done < "${FILE_DIR}"
do_sleep
mount /dev/mapper/crypt_sda6 /target
do_sleep
mkdir /target/boot
mount /dev/sda2 /target/boot
do_sleep
mkdir /target/boot/efi
mount /dev/sda1 /target/boot/efi
do_sleep
mkdir /target/home
mount /dev/mapper/crypt_sda5 /target/home
do_sleep
mkdir /target/usr
mount /dev/mapper/crypt_sda7 /target/usr
do_sleep
mkdir /target/var
mount /dev/mapper/crypt_sda8 /target/var
do_sleep
mkdir /target/var/log
mount /dev/mapper/crypt_sda9 /target/var/log
do_sleep
mkdir /target/var/log/audit
mount /dev/mapper/crypt_sda10 /target/var/log/audit
do_sleep
mkdir /target/var/tmp
mount /dev/mapper/crypt_sda11 /target/var/tmp
do_sleep
mkdir /target/tmp
mount /dev/sda12 /target/tmp
do_sleep
mkdir /target/dev
mount --bind /dev /target/dev
do_sleep
if [ -d "/target/dev/pts" ]; then
echo "Directory /target/dev/pts already exists."
else
mkdir /target/dev/pts
fi
mkdir /target/proc
mount --bind /proc /target/proc
do_sleep
mkdir /target/sys
mount --bind /sys /target/sys
do_sleep
mkdir /target/run
mount --bind /run /target/run
do_sleep
if [ -d "/target/run/lock" ]; then
echo "Directory /target/run/lock already exists."
else
mkdir /target/run/lock
fi
mkdir /target/etc
mkdir /target/etc/apt
mkdir /target/etc/network
touch /target/etc/fstab
chmod 0644 /target/etc/fstab
# shellcheck disable=SC2129
cat << EOF >> /target/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
EOF
echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) / btrfs defaults,errors=remount-ro 0 1" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /boot was on /dev/sda2 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/sda2) /boot ext4 defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /boot/efi was on /dev/sda1 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/sda1) /boot/efi vfat umask=0077 0 1" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) /home btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) /usr btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) /var btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) /var/log btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) /var/log/audit btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) /var/tmp btrfs defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /tmp was on /dev/sda12 during installation" >> /target/etc/fstab
echo "UUID=$(blkid -s UUID -o value /dev/sda12) /tmp ext4 defaults 0 2" >> /target/etc/fstab
echo "" >> /target/etc/fstab
echo "# /media/cdrom0 was on /dev/sr0 during installation" >> /target/etc/fstab
echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> /target/etc/fstab
echo "" >> /target/etc/fstab
touch /target/etc/crypttab
chmod 0644 /target/etc/crypttab
# shellcheck disable=SC2129
cat << EOF >> /target/etc/crypttab
# <name> <device> <password-file-or-none> <options>
EOF
echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/crypttab
echo "crypt_sda6 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/crypttab
echo "crypt_sda5 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/crypttab
echo "crypt_sda7 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/crypttab
echo "crypt_sda8 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/crypttab
echo "crypt_sda9 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/crypttab
echo "crypt_sda10 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/crypttab
echo "crypt_sda11 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) none luks,discard" >> /target/etc/crypttab
echo "" >> /target/etc/crypttab
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
. /.ciss/install/.ash/di_scripting_flexibility.sh
mkdir -m 0700 /target/root/.d-i-backup
if [ -f /tmp/late-command-script ]; then
sh /tmp/late-command-script
fi
sh /.ciss/install/.ash/di_scripting_ssh.sh
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

35
config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh Normal file
View File

@@ -0,0 +1,35 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
readonly RED="\033[91m"
export RED
readonly GREEN="\033[92m"
export GREEN
readonly YELLOW="\033[93m"
export YELLOW
readonly BLUE="\033[94m"
export BLUE
readonly MAGENTA="\033[95m"
export MAGENTA
readonly CYAN="\033[96m"
export CYAN
readonly WHITE="\033[97m"
export WHITE
readonly NORMAL="\033[0m"
export NORMAL
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

93
config/includes.chroot/preseed/.ash/di_scripting_password.sh Normal file
View File

@@ -0,0 +1,93 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
# Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
umask 0077
TMP_PASSPHRASE_FILE=$(mktemp)
readonly TMP_PASSPHRASE_FILE
grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"
# Create an include file for debian-installer with the passphrase as answers to the questions.
DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
readonly DEB_INSTALLER_CRYPT_INC_FILE
# Read the first line (the passphrase) POSIX-compliant
# IFS= prevents leading/trailing spaces from being truncated,
# -r ensures that backslashes are not interpreted.
IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
# A single printf call with exactly one redirect
# ShellCheck-compliant and valid in POSIX-sh
printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
# Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
# Without file:// will try and fetch from the webserver this preseed was served from.
echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}"
# Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation.
readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key
cat - >> /tmp/late-command-script << LATE_EOF
##### BEGIN ADDED BY preseed-crypto-key preseed/include_command
umask 0077
mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}")
cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}"
# Use /root as /tmp might be noexec
cat - >/target/root/configure-crypt-unlock <<EOF
#!/usr/bin/bash
# Standard bash safety features
set -eufo pipefail
if grep -q UMASK /etc/initramfs-tools/initramfs.conf
then
sed -i 's-^#\?UMASK.*\\\$-UMASK=0077-' /etc/initramfs-tools/initramfs.conf
else
echo -e "# Secure initramfs while it contains unlock keys for root filesystem\nUMASK=0077" >>/etc/initramfs-tools/initramfs.conf
fi
# Include keyfile in initramfs
sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook
# Configure crypt to use keyfile to unlock encrypted partition(s)
sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab
# Update initramfs with key file
update-initramfs -u
exit 0
EOF
sleep 1
chmod 500 /target/root/configure-crypt-unlock
in-target /root/configure-crypt-unlock
rm /target/root/configure-crypt-unlock
exit 0
##### END ADDED BY preseed-crypto-key preseed/include_command
LATE_EOF
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

50
config/includes.chroot/preseed/.ash/di_scripting_ssh.sh Normal file
View File

@@ -0,0 +1,50 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
if [ ! -d /target/root/.ssh ]; then
mkdir -m 0700 /target/root/.ssh
fi
if [ -f /target/etc/ssh/ssh_host_ed25519_key ]; then
rm -f /target/etc/ssh/ssh_host_ed25519_key
fi
if [ -f /target/etc/ssh/ssh_host_rsa_key ]; then
rm -f /target/etc/ssh/ssh_host_rsa_key
fi
in-target ssh-keygen -o -a 1024 -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root d-i $(date -I)"
in-target ssh-keygen -o -a 1024 -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root d-i $(date -I)"
cp -a /target/etc/ssh/sshd_config /target/root/.d-i-backup/sshd_config.bak
rm -f /target/etc/ssh/sshd_config
cp /cdrom/install/.lib/sshd_config.lib /target/etc/ssh/sshd_config
chmod 0600 /target/etc/ssh/sshd_config
sed -i "s/Port 22/Port 37768/" /target/etc/ssh/sshd_config
sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root/" /target/etc/ssh/sshd_config
cp /cdrom/install/.lib/banner.lib /target/etc/banner
chmod 0644 /target/etc/banner
umask 0077
wget --https-only --secure-protocol=TLSv1_3 -c -O /target/root/.ssh/authorized_keys https://coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

32
config/includes.chroot/preseed/.cfg/.directories.cfg Normal file
View File

@@ -0,0 +1,32 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
/target
/target/boot
/target/boot/efi
/target/etc
/target/etc/apt
/target/etc/network
/target/dev
/target/dev/pts
/target/home
/target/proc
/target/root
/target/run
/target/run/lock
/target/sys
/target/usr
/target/var
/target/var/log
/target/var/log/audit
/target/var/log/ciss
/target/var/tmp
/target/tmp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

78
config/includes.chroot/preseed/.cfg/apt.cfg Normal file
View File

@@ -0,0 +1,78 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# apt settings #
###########################################################################################
# Choose, if you want to scan additional installation media (default: false):
d-i apt-setup/cdrom/set-first boolean false
# By default source repositories are listed in /etc/apt/sources.list:
d-i apt-setup/enable-source-repositories boolean true
# A network mirror can be used to supplement the software that is not included on the
# installation media. This may also make newer versions of software available:
d-i apt-setup/use_mirror boolean true
# Uncomment the following line, if you don't want to have the sources.list entry for a
# DVD/BD installation image active in the installed system:
d-i apt-setup/disable-cdrom-entries boolean true
# You can choose to install non-free firmware:
d-i apt-setup/non-free-firmware boolean true
# You can choose to install non-free and contrib software:
d-i apt-setup/non-free boolean true
d-i apt-setup/contrib boolean true
# Debian has two services that provide updates to releases:
#
# security and release updates.
# .
# Security updates help to keep your system secured against attacks.
# Enabling this service is strongly recommended.
# .
# Release updates provide more current versions for software that changes relatively
# frequently and where not having the latest version could reduce the usability of the
# software. It also provides regression fixes. This service is only available for stable
# and oldstable releases.
# .
# Backported software are adapted from the development version to work with this release.
# Although this software has not gone through such complete testing as that contained in
# the release, it includes newer versions of some applications which may provide useful
# features. Enabling backports here does not cause any of them to be installed by default;
# it only allows you to manually select backports to use.
# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
d-i apt-setup/services-select multiselect security updates, release updates, backported software
# Different spelling:
# d-i apt-setup/services-select multiselect security, updates, backports
d-i apt-setup/security_host string security.debian.org
# Whether to upgrade packages after debootstrap. Allowed values: none, safe-upgrade, full-upgrade
d-i pkgsel/upgrade select full-upgrade
# Applying updates on a frequent basis is an important part of keeping the system secure.
#
# .
# By default, security updates are not automatically installed, as security advisories should be
# reviewed before manual installation of the updates using standard package management tools.
# .
# Alternatively the unattended-upgrades package can be installed, which will install security
# updates automatically. Note however that automatic installation of updates may occasionally
# cause unexpected downtime of services provided by this machine in the rare cases where the
# update is not fully backward-compatible, or where the security advisory requires the
# administrator to perform some other manual operation.
# .
# Possible choices: No automatic updates, Install security updates automatically
d-i pkgsel/update-policy select Install security updates automatically
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
config/includes.chroot/preseed/.cfg/base.cfg Normal file
View File

@@ -0,0 +1,24 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Base installer #
###########################################################################################
# Configure APT to not install recommended packages by default. Use of this option can
# result in an incomplete system and should only be used by very experienced users:
d-i base-installer/install-recommends boolean true
# The kernel image to be installed; "none" can be used if no kernel is to be installed:
d-i base-installer/kernel/image string linux-image-amd64
# Choose to not get the tasksel dialog displayed at all (and don't install any packages):
d-i pkgsel/run_tasksel boolean false
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

26
config/includes.chroot/preseed/.cfg/finished.cfg Normal file
View File

@@ -0,0 +1,26 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Finishing installation #
###########################################################################################
# Avoid that last message about the install being complete:
d-i finish-install/reboot_in_progress note
# This will prevent the installer from ejecting the CD during the reboot:
d-i cdrom-detect/eject boolean true
# This is how to make the installer shutdown when finished, but not reboot:
d-i debian-installer/exit/halt boolean false
# This will power off the machine instead of just halting it:
d-i debian-installer/exit/poweroff boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
config/includes.chroot/preseed/.cfg/firmware.cfg Normal file
View File

@@ -0,0 +1,19 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Firmware settings #
###########################################################################################
# never : Completely disables the firmware search.
# missing (default) : Searches only when the firmware is needed.
# always : Always searches and asks for any firmware that could be useful for the hardware.
d-i hw-detect/firmware-lookup string missing
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

62
config/includes.chroot/preseed/.cfg/grub.cfg Normal file
View File

@@ -0,0 +1,62 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# GRUB2 settings #
###########################################################################################
# Due notably to potential USB sticks, the location of the primary drive can not be
# determined safely in general, so this needs to be specified:
d-i grub-installer/bootdev string /dev/sda
# To install to the primary device (assuming it is not a USB stick):
# d-i grub-installer/bootdev string default
# Set this to false to install GRUB Legacy rather than GRUB 2, if possible:
d-i grub-installer/grub2_instead_of_grub_legacy boolean true
# This is fairly safe to set, it makes grub install automatically to the UEFI partition/boot
# record if no other operating system is detected on the machine:
d-i grub-installer/only_debian boolean true
# This one makes grub-installer install to the UEFI partition/boot record, if it also finds
# some other OS, which is less safe as it might not be able to boot that other OS:
d-i grub-installer/with_other_os boolean true
# OS-prober did not detect any other operating systems on your computer at this time, but you
# may still wish to enable it in case you install more in the future:
d-i grub-installer/enable_os_prober_otheros_no boolean true
# Skip installing grub:
d-i grub-installer/skip boolean false
# Force GRUB installation to the EFI removable media path?
# .
# It seems that this computer is configured to boot via EFI, but maybe that configuration will
# not work for booting from the hard drive. Some EFI firmware implementations do not meet the
# EFI specification (i.e. they are buggy!) and do not support proper configuration of boot
# options from system hard drives.
# .
# A workaround for this problem is to install an extra copy of the EFI version of the GRUB
# boot loader to a fallback location, the "removable media path". Almost all EFI systems, no
# matter how buggy, will boot GRUB that way.
# .
# Warning: If the installer failed to detect another operating system that is present on your
# computer that also depends on this fallback, installing GRUB there will make that operating
# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
d-i grub-installer/force-efi-extra-removable boolean false
# Description: Update NVRAM variables to automatically boot into Debian?
# .
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior.
d-i grub-installer/update-nvram boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

25
config/includes.chroot/preseed/.cfg/locale.cfg Normal file
View File

@@ -0,0 +1,25 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Locale settings #
###########################################################################################
# Preseeding only locale sets language, country and locale:
# d-i debian-installer/locale string en_US
# The values can also be preseeded individually for greater flexibility:
# d-i debian-installer/language string en
# d-i debian-installer/country string NL
# d-i debian-installer/locale string en_GB.UTF-8
d-i debian-installer/locale string en_US.UTF-8
d-i keyboard-configuration/layoutcode string de
d-i keyboard-configuration/xkb-keymap select German
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

15
config/includes.chroot/preseed/.cfg/md5sum.txt Normal file
View File

@@ -0,0 +1,15 @@
336de475a23be401db656485fe2134e5 apt.cfg
9b2768bf48aada9e1fc33cfe94571826 base.cfg
95c0feba9a9ed2a1f3d86cc2bf1910f8 finished.cfg
bccbc23588d19b3057e4b4915b03538b firmware.cfg
d80da843499d8d797703b8aef2bf28d5 grub.cfg
e876c113af0630f113811e5bade71b06 locale.cfg
2b85692b087100a0535fe8711cdbcb63 modules.cfg
1c0c74ed939c34d620bde9b8f1a91a1c network.cfg
da7738a8db3d4e2c220bf3f5b3e50dcb packages.cfg
5dff498042e3d095a792951ba1bd9d2f partitioning.cfg
7f71ea76c629c4e4f0ab2f9a6c8b28ea security.cfg
8e6b49c07d678060b661f7dd2fad6f39 software.cfg
f526221c741e4e2c5090f2ff60e53d62 ssh.cfg
1ffc41f4c70be83fd6524262494bdf11 time.cfg
67b9d1aa4bb4a4b8610ca42fa45521cf user.cfg

39
config/includes.chroot/preseed/.cfg/modules.cfg Normal file
View File

@@ -0,0 +1,39 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Modules #
###########################################################################################
# Install standard modules:
d-i anna/standard_modules boolean true
d-i anna/choose_modules string \
crypto-dm-modules \
crypto-dm-setup-udeb \
ethdetect \
fdisk-udeb \
grub-installer \
hw-detect \
lowmem \
lvm2 \
mbr \
netcfg \
network-console \
parted \
partman-auto \
partman-auto-crypto \
partman-basicfilesystems \
partman-btrfs \
partman-crypto \
partman-ext4 \
partman-lvm \
partman-md \
rescue-mode
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

56
config/includes.chroot/preseed/.cfg/network.cfg Normal file
View File

@@ -0,0 +1,56 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Network setting #
###########################################################################################
# netcfg will choose an interface that has link if possible. This makes it # skip
# displaying a list if there is more than one interface:
d-i netcfg/choose_interface select auto
# To pick a particular interface instead:
# d-i netcfg/choose_interface select eth1
# To set a different link detection timeout (default is 3 seconds).
d-i netcfg/link_wait_timeout string 10
# If dhcp server is slow and the installer times out waiting for it, this might be useful.
d-i netcfg/dhcp_timeout string 60
d-i netcfg/dhcpv6_timeout string 60
###########################################################################################
# Automatic network configuration is the default. If you prefer to configure the network #
# manually, uncomment this line and the static network configuration below. #
###########################################################################################
# d-i netcfg/disable_autoconfig boolean true
###########################################################################################
# If you want the preconfiguration file to work on systems both with and without a dhcp #
# server, uncomment these lines and the static network configuration below. #
###########################################################################################
d-i netcfg/dhcp_failed note
d-i netcfg/dhcp_options select Configure network manually
###########################################################################################
# Static network configuration. #
###########################################################################################
# d-i netcfg/get_nameservers string 192.168.128.254
# d-i netcfg/get_ipaddress string 192.168.128.128
# d-i netcfg/get_netmask string 255.255.255.0
# d-i netcfg/get_gateway string 192.168.128.254
# d-i netcfg/confirm_static boolean true
###########################################################################################
# If non-free firmware is needed for the network or other hardware, you can configure the #
# installer to always try to load it, without prompting. Or change to false to disable #
# asking. #
###########################################################################################
d-i hw-detect/load_firmware boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

44
config/includes.chroot/preseed/.cfg/packages.cfg Normal file
View File

@@ -0,0 +1,44 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Deb packages settings #
###########################################################################################
# Please select the protocol to be used for downloading files. If unsure, select "http":
d-i mirror/protocol string https
# Country code or "manual":
d-i mirror/country string US
# Suite to install:
d-i mirror/suite string stable
# Suite to use for loading installer components (optional):
d-i mirror/udeb/suite string stable
# Debian archive mirror hostname. Please enter the hostname of the mirror from which
# Debian will be downloaded. An alternate port can be specified using the standard
# [hostname]:[port] format:
d-i mirror/http/hostname string deb.debian.org
# Debian archive mirror directory. Please enter the directory in which the mirror of
# the Debian archive is located:
d-i mirror/http/directory string /debian/
# HTTP proxy information (blank for none). If you need to use a HTTP proxy to access the
# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
d-i mirror/http/proxy string
# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
# is close to you on the network -- be aware that nearby countries, or even your own, may
# not be the best choice.
d-i mirror/https/countries select US
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

360
config/includes.chroot/preseed/.cfg/partitioning.cfg Normal file
View File

@@ -0,0 +1,360 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Partitioning CISS.partitioning #
###########################################################################################
# If the system has free space you can choose to only partition that space. This is only
# honoured if partman-auto/method is NOT set. Alternatively, choose 'use_entire_disk':
# d-i partman-auto/init_automatically_partition select biggest_free
# Alternatively, you may specify a disk to partition.
###d-i partman-auto/disk string /dev/sda
# In addition, you'll need to specify the method to use. Presently available methods are:
# - regular : use the usual partition types for your architecture
# - lvm : use LVM to partition the disk
# - crypto : use LVM within an encrypted partition
###d-i partman-auto/method string crypto
# When disk encryption is enabled, skip wiping the partitions beforehand:
###d-i partman-auto-crypto/erase_disks boolean false
# You can define the amount of space that will be used for the LVM volume group. It can
# either be a size with its unit (eg. 20 GB), a percentage of free space or 'max' keyword:
###d-i partman-auto-lvm/guided_size string max
# Name of the volume group for the new system:
###d-i partman-auto-lvm/new_vg_name string vg_ciss
# Force UEFI booting ('BIOS compatibility' will be lost). Default: false:
###d-i partman-efi/non_efi_system boolean false
# If one of the disks that are going to be automatically partitioned contains an old LVM
# configuration, the user will normally receive a warning. This can be preseeded away:
###d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
###d-i partman-md/device_remove_md boolean true
# And the same goes for the confirmation to write the lvm partitions:
###d-i partman-lvm/confirm boolean true
###d-i partman-lvm/confirm_nooverwrite boolean true
###########################################################################################
# This makes partman automatically partition without confirmation, provided that it was #
# told what to do using one of the methods specified. #
###########################################################################################
# The following debconfvariables are often important for the basic configuration and for #
# mounting after manual partitioning. These ensure that the installer does not attempt to #
# make changes or overwrite already mounted partitions. They help to 'switch off' the #
# installer when it tries to apply partitioning automatically. #
###########################################################################################
# Confirm whether you actually want to create a new partition table and write it to disk:
###d-i partman-partitioning/confirm_write_new_label boolean true
###d-i partman/choose_partition select finish
###d-i partman/confirm boolean true
###d-i partman/confirm_nooverwrite boolean true
# Ensure the partition table is GPT - this is required for EFI:
###d-i partman-partitioning/choose_label select gpt
###d-i partman-partitioning/default_label string gpt
# This setting ensures that partitions without a mount point do not trigger a warning dialogue.
###d-i partman-basicfilesystems/no_mount_point boolean true
# This setting tells the Debian installer not to issue a warning if no swap partition is set up.
###d-i partman-basicfilesystems/no_swap boolean true
# Encryption settings
# d-i partman-crypto/passphrase password < set by ./preseed/.ash/0_di_preseed_include_command.sh >
# d-i partman-crypto/passphrase-again password < set by ./preseed/.ash/0_di_preseed_include_command.sh >
###d-i partman-crypto/passphrase password DEFAULT
###d-i partman-crypto/passphrase-again password DEFAULT
###d-i partman-crypto/weak_passphrase boolean true
# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
###d-i partman-crypto/entropy entropy 256
# debconf-set-selections -c ./preseed/.cfg/partitioning.cfg: "warning: Unknown type entropy, skipping line" therefore as string:
###d-i partman-crypto/entropy string 256
# Are you sure you want to use a random key?
###d-i partman-crypto/use_random_for_nonswap boolean false
###########################################################################################
# This command is run immediately before the partitioner starts. It may be useful to #
# apply dynamic partitioner preseeding that depends on the state of the disks (which may #
# not be visible when preseed/early_command runs). #
###########################################################################################
# d-i partman/early_command string /sh /.ciss/install/.ash/2_di_partman_early_command.sh
###d-i partman-auto/expert_recipe string \
\
511MiB 511MiB 511MiB EFS \
label{ ESP } \
$defaultignore{ } \
$primary{ } \
$bootable{ } \
method{ efi } \
format{ } \
use_filesystem{ } \
filesystem{ EFS } \
device{ /dev/sda } \
mountpoint{ /boot } \
. \
rescue :: \
3584MiB 3584MiB 3584MiB ext4 \
label{ rescue } \
$defaultignore{ } \
$primary{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
device{ /dev/sda } \
mountpoint{ /mnt/rescue } \
. \
crypt_boot :: \
4096MiB 4096MiB 4096MiB ext4 \
label{ boot } \
$defaultignore{ } \
$primary{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
device{ /dev/sda } \
mountpoint{ /boot } \
. \
crypt_ephemeral_swap :: \
4096MiB 4096MiB 4096MiB none \
label{ crypt_swap } \
$defaultignore{ } \
$primary{ } \
method{ keep } \
device{ /dev/sda } \
. \
crypt_ephemeral_tmp :: \
4096MiB 4096MiB 4096MiB none \
label{ crypt_tmp } \
$defaultignore{ } \
$primary{ } \
method{ keep } \
device{ /dev/sda } \
. \
crypt_home :: \
32768MiB 32768MiB 32768MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_home } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /home } \
. \
crypt_root :: \
32768MiB 32768MiB 32768MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_root } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ / } \
. \
crypt_usr :: \
40960MiB 40960MiB 40960MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_usr } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /usr } \
. \
crypt_var :: \
40960MiB 40960MiB 40960MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var } \
. \
crypt_var_log :: \
16384MiB 16384MiB 16384MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var_log } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var/log } \
. \
crypt_var_log_audit :: \
16384MiB 16384MiB 16384MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var_log_audit } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var/log/audit } \
. \
crypt_var_tmp :: \
16384MiB 16384MiB 16384MiB crypto \
$primary{ } \
method{ crypto } \
format{ } \
use_filesystem{ } \
filesystem{ btrfs } \
label{ btrfs_var_tmp } \
options/subvol{ @snapshots } \
device{ /dev/sda } \
mountpoint{ /var/tmp } \
. \
installer_tmp :: \
1024MiB 16384MiB -1 ext4 \
$defaultignore{ } \
$primary{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /tmp } \
device{ /dev/sda } \
label{ installer_tmp } \
.
###########################################################################################
#d-i partman-auto/choose_recipe select ciss-2025-btrfs-ultra
#d-i partman-auto/expert_recipe string \
ciss-2025-btrfs-ultra :: \
ESP : \
511 511 511 free \
$defaultignore{ } \
$primary{ } \
$bootable{ } \
method{ efi } format{ } \
label{ ESP } \
. \
boot : \
3584 3584 3584 ext4 \
$defaultignore{ } \
$primary{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /boot } \
label{ boot } \
. \
crypt_ephemeral_swap : \
4096 4096 4096 none \
$defaultignore{ } \
$primary{ } \
method{ keep } \
label{ crypt_sda3 } \
. \
crypt_ephemeral_tmp : \
4096 4096 4096 none \
$defaultignore{ } \
$primary{ } \
method{ keep } \
label{ crypt_sda4 } \
. \
lv_home : \
32768 32768 32768 btrfs \
$lvmok{ } \
lv_name{ lv_home } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_home } \
options/subvol{ @snapshots } \
mountpoint{ /home } \
. \
lv_root : \
32768 32768 32768 btrfs \
$lvmok{ } \
lv_name{ lv_root } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_root } \
options/subvol{ @snapshots } \
mountpoint{ / } \
. \
lv_usr : \
65536 65536 65536 btrfs \
$lvmok{ } } \
lv_name{ lv_usr } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_usr } \
options/subvol{ @snapshots } \
mountpoint{ /usr } \
. \
lv_var : \
65536 65536 65536 btrfs \
$lvmok{ } \
lv_name{ lv_var } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var } \
options/subvol{ @snapshots } \
mountpoint{ /var } \
. \
lv_var_log : \
16384 16384 16384 btrfs \
$lvmok{ } \
lv_name{ lv_var_log } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var_log } \
options/subvol{ @snapshots } \
mountpoint{ /var/log } \
. \
lv_var_log_audit : \
16384 16384 16384 \
$lvmok{ } \
lv_name{ lv_var_log_audit } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var_log_audit } \
options/subvol{ @snapshots } \
mountpoint{ /var/log/audit } \
. \
lv_var_tmp : \
1 16384 -1 \
$lvmok{ } \
lv_name{ lv_var_tmp } \
method{ format } format{ } \
use_filesystem{ } filesystem{ btrfs } \
label{ btrfs_var_tmp } \
options/subvol{ @snapshots } \
mountpoint{ /var/tmp } \
. \
rescue : \
1024 8192 -1 \
$defaultignore{ } \
$primary{ } \
method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } \
mountpoint{ /tmp } \
label{ rescue } \
.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

21
config/includes.chroot/preseed/.cfg/security.cfg Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Security settings #
###########################################################################################
# The installer will ensure that any packages are signed and authenticated.
d-i debian-installer/allow_unauthenticated boolean false
# This ensures that the connection between the installer and the server from which files
# are downloaded is encrypted and signed by a trusted certificate authority.
d-i debian-installer/allow_unauthenticated_ssl boolean false
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
config/includes.chroot/preseed/.cfg/software.cfg Normal file
View File

@@ -0,0 +1,59 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Software installation #
###########################################################################################
d-i pkgsel/include string \
apt-show-versions \
apt-transport-https \
apt-utils \
bat \
bc \
ca-certificates \
curl \
debconf \
debconf-utils \
dialog \
expect \
figlet \
fzf \
gawk \
git \
gnupg2 \
haveged \
htop \
iftop \
iputils-ping \
jq \
keychain \
libpam-google-authenticator \
libpam-pwquality \
locate \
lsb-release \
lvm2 \
makepasswd \
man \
mtr \
nano \
ncat \
neofetch \
net-tools \
parted \
pollinate \
pwgen \
openssh-server \
unzip \
virt-what \
whois \
wget \
zip
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

22
config/includes.chroot/preseed/.cfg/ssh.cfg Normal file
View File

@@ -0,0 +1,22 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# SSH settings #
###########################################################################################
# Use the following settings if you wish to make use of the network-console component for #
# remote installation over SSH. This only makes sense if you intend to perform the #
# remainder of the installation manually. #
###########################################################################################
d-i network-console/authorized_keys_url string https : //coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
# d-i network-console/password password < never ever use plain hardcoded credentials >
# d-i network-console/password-again password < never ever use plain hardcoded credentials >
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
config/includes.chroot/preseed/.cfg/time.cfg Normal file
View File

@@ -0,0 +1,33 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Time settings #
###########################################################################################
# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
# Portugal : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
# Portugal : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
# USA : https://tf.nist.gov/tf-cgi/servers.cgi
# USA : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
d-i clock-setup/ntp-server string ntp.ripe.net ptbtime3.ptb.de ptbtime2.ptb.de ntp12.metas.ch ntp2.tecnico.ulisboa.pt time-c-b.nist.gov
# Controls whether or not the hardware clock is set to UTC:
d-i clock-setup/utc boolean true
# Any valid setting for $TZ; see the contents of /usr/share/zoneinfo/ for valid values:
d-i time/zone string Europe/Lisbon
# Controls whether to use NTP to set the clock during the install:
d-i clock-setup/ntp boolean true
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

30
config/includes.chroot/preseed/.cfg/user.cfg Normal file
View File

@@ -0,0 +1,30 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# User settings #
###########################################################################################
# Skip creation of a root account (normal user account will be able to use sudo):
d-i passwd/root-login boolean true
d-i passwd/root-password-crypted password $6$rounds = 4194304$4QhOp0Tdthmfky4f$1fRa/D45can2j0ttQDRoK9x8ovBFCftxn0hvyyU3.BlRRafsgs48wpikr1XODyhmgUySZHqXF3zeQeBZNYTul0
# Alternatively, to skip creation of a normal user account:
d-i passwd/make-user boolean false
# To create a normal user account:
d-i passwd/user-fullname string Debian User
d-i passwd/username string debian
d-i passwd/user-password-crypted password $6$rounds=8388608$bwnJ5ZlnOmYxFE21$LDJ4QBBmoob3pAu5JL4e4RkCt5qFnS2ZFIOm9bOEuADCcsLfOagGmkmh7Lj8OtqdgGSLg8TMXDbizLaZx.hiS1
###########################################################################################
# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16) #
# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608 # which seems p4ranoid #
###########################################################################################
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

65
config/includes.chroot/preseed/.iso/iso.sh Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
# The example names get mapped to their roles here
declare timestamp
timestamp=$(date +"%Y%m%d%H%M")
declare -r LABEL="${timestamp:0:4}_${timestamp:4:2}_${timestamp:6:2}-${timestamp:8:2}_${timestamp:10:2}"
declare -r SEQNO="${timestamp:0:4}.${timestamp:4:2}.${timestamp:6:2}-${timestamp:8:2}:${timestamp:10:2}"
declare -r ISO_ORIGINAL="/opt/netinstaller/debian-12.8.0-amd64-netinst.iso"
declare -r IMGCENTURION="/mnt/debian-original"
declare -r ISO_MODIFIED="/root/${LABEL}-CISS-12.8.0-amd64-netinst.iso"
declare -r MBR_TEMPLATE="isohdpfx.bin"
declare size
size=$(xorriso -as mkisofs -print-size "${IMGCENTURION}" | tail -n 1 | awk '{print $1}')
clear
echo "Sequence No. : ${SEQNO}"
echo "Estimated Size : ${size}"
# Extract MBR template file to disk
dd if="${ISO_ORIGINAL}" bs=1 count=432 of="${MBR_TEMPLATE}"
# Create the new ISO image
xorriso -as mkisofs \
-r \
-volid 'CISS Debian 12.8.0 x86_64' \
-appid 'Centurion Debian Installer' \
-volset 'CISS.hardened.bookworm' \
-volset-seqno "${SEQNO}" \
-volset-size "${size}" \
-publisher 'Centurion Intelligence Consulting Agency' \
-sysid 'GNU/Linux amd64' \
-copyright 'COPYRIGHT' \
-o "${ISO_MODIFIED}" \
-J -J -joliet-long -cache-inodes \
-isohybrid-mbr "${MBR_TEMPLATE}" \
-b isolinux/isolinux.bin \
-c isolinux/boot.cat \
-boot-load-size 4 -boot-info-table -no-emul-boot \
-eltorito-alt-boot \
-e boot/grub/efi.img \
-no-emul-boot -isohybrid-gpt-basdat -isohybrid-apm-hfsplus \
"${IMGCENTURION}"
# Check output of new ISO image
echo ""
file "${ISO_MODIFIED}"
echo ""
isoinfo -d -i "${ISO_MODIFIED}"
echo ""
file "${ISO_MODIFIED}"
echo ""
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

238
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh Normal file
View File

@@ -0,0 +1,238 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.02.512.2025.05.30"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
declare -gr EARLY_DEBUG=true
# Set a verbose PS4 prompt including timestamp, source, line, exit status and function name
declare -gr PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m$?\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -gr DEBUG_LOG="/tmp/ciss_live_builder_$$.log"
# Generates empty DEBUG_LOG
touch "${DEBUG_LOG}" && chmod 0600 "${DEBUG_LOG}"
# Open file descriptor 42 for writing to the debug log
exec 42>| "${DEBUG_LOG}"
# Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[2]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[3]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[4]}"
printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date +%T.%4N)" "${UID}"
printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date +%T.%4N)" "${EUID}"
printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date +%T.%4N)" "${HOSTNAME}"
printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date +%T.%4N)" "$0"
printf "\e[97m+\e[0m\e[92m%s: Argument counter : %s \e[0m\n" "$(date +%T.%4N)" "$#"
printf "\e[97m+\e[0m\e[92m%s: Argument string : %s \e[0m\n" "$(date +%T.%4N)" "$*"
printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date +%T.%4N)" "$$"
printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date +%T.%4N)" "${PPID}"
printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date +%T.%4N)" "${PWD}"
printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date +%T.%4N)" "$-"
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date +%T.%4N)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: === Debug Log === : \e[0m\n" "$(date +%T.%4N)"
} >&42
# Tell Bash to send xtrace output to FD 42
export BASH_XTRACEFD=42
# Enable inheritable shell options
export SHELLOPTS
# Turn on xtrace
set -x
else
declare -gr EARLY_DEBUG=false
fi
### Definition of error codes
declare -gir ERR_NOT_USER_0=128
declare -gir ERR_UNSPPTBASH=255
### Definition of error trap vars
# declare -g errcode="" # = $? = $1 = ERRCODE
# declare -g errscrt="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT
# declare -g errline="" # = ${LINENO} = $3 = ERRLINE
# declare -g errfunc="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
# declare -g errcmmd="" # = ${$BASH_COMMAND} = $5 = ERRCMMD
### Preliminary vars declaration
declare -gr argument_count="$#"
declare -gr argument_string="$*"
### Preliminary checks
[[ ${EUID} -ne 0 ]] \
&& printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2 && exit "${ERR_NOT_USER_0}"
[[ -z ${BASH_VERSINFO[0]} ]] \
&& printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2 && exit "${ERR_UNSPPTBASH}"
[[ $(kill -l | grep -c SIG) -eq 0 ]] \
&& printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2 && exit "${ERR_UNSPPTBASH}"
[[ ${BASH_VERSINFO[0]} -lt 5 ]] \
&& printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2 && exit "${ERR_UNSPPTBASH}"
[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] \
&& printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2 && exit "${ERR_UNSPPTBASH}"
### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e".
set -o nounset # Exit script on use of an undefined variable, the same as "set -u".
set -o pipefail # Makes pipelines return the exit status of the last command in the pipe that failed.
set -o noclobber # Prevent overwriting, the same as "set -C".
#######################################
# Trap function to be called on 'ERR'.
# Globals:
# DEBUG_LOG
# EARLY_DEBUG
# VERSION
# argument_count
# argument_string
# Arguments:
# $1: $?
# $2: ${BASH_SOURCE[0]}
# $3: ${LINENO}
# $4: ${FUNCNAME[0]:-main}
# $5: ${BASH_COMMAND}
#######################################
# shellcheck disable=SC2317
trap_on_err() {
declare -r errcode="$1"
declare -r errscrt="$2"
declare -r errline="$3"
declare -r errfunc="$4"
declare -r errcmmd="$5"
trap - ERR
if [[ "${errcode}" -ne 127 ]]; then
printf "\e[91m❌ Hash Generation Process failed.\e[0m\n" >&2
printf "\e[91m❌ Version : '%s' \e[0m\n" "${VERSION}" >&2
printf "\e[91m❌ Error : '%s' \e[0m\n" "${errcode}" >&2
printf "\e[91m❌ Line : '%s' \e[0m\n" "${errline}" >&2
printf "\e[91m❌ Script : '%s' \e[0m\n" "${errscrt}" >&2
printf "\e[91m❌ Function : '%s' \e[0m\n" "${errfunc}" >&2
printf "\e[91m❌ Command : '%s' \e[0m\n" "${errcmmd}" >&2
printf "\e[91m❌ Arguments # : '%s' \e[0m\n" "${argument_count}" >&2
printf "\e[91m❌ Arguments : '%s' \e[0m\n" "${argument_string}" >&2
if "${EARLY_DEBUG}"; then
printf "\e[91m❌ Debug Log : '%s' \e[0m\n" "${DEBUG_LOG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${DEBUG_LOG}" >&2
fi
printf "\n"
fi
}
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
### Initialization
# shellcheck disable=SC2155
declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -gr WORK_DIR="$(dirname "${SCRIPT_FULLPATH}")"
declare -gr BASE_DIR="${WORK_DIR%/.iso}"
declare -gr CFG_DIR="${BASE_DIR}/.cfg"
declare -gr PRES_FILE="${BASE_DIR}/preseed.cfg"
declare -gr HASH_FILE="${CFG_DIR}/md5sum.txt"
declare -ga hashes=()
# shellcheck disable=SC2188
>| "${HASH_FILE}"
#######################################
# Generator for md5 Hashes
# Globals:
# CFG_DIR
# HASH_FILE
# hash
# hashes
# Arguments:
# None
#######################################
gen_hash() {
# Enable nullglob so that non-matching patterns expand to nothing
shopt -s nullglob
declare file
declare filename
# Loop over all *.cfg files in CFG_DIR
for file in "${CFG_DIR}"/*.cfg; do
# Only process if it's a regular file
if [[ -f "${file}" ]]; then
# Calculate md5 hash (only the hash value)
hash=$(md5sum "${file}" | awk '{ print $1 }')
# Extract the filename without a path
filename=${file##*/}
# Append "hash filename" to HASH_FILE
echo "${hash} ${filename}" >> "${HASH_FILE}"
# Add hash to array
hashes+=("${hash}")
fi
done
}
gen_hash
{
declare in_hash_block=false
declare outer_line
declare hash
while IFS= read -r outer_line; do
# Check if a line contains "#BOH" and start the hash insertion block
if [[ ${outer_line} == "#BOH" ]]; then
echo "${outer_line}"
# shellcheck disable=SC1003
echo 'd-i preseed/include/checksum string \'
# Add all new hashes from the array "hashes" except the last one
for ((i = 0; i < ${#hashes[@]} - 1; i++)); do
hash="${hashes[i]}"
echo "${hash} \\"
done
# Output the last hash without the trailing backslash.
echo "${hashes[@]: -1}"
# Set the flag for the hash block to "true".
in_hash_block=true
continue
fi
# Check if the line "#EOH" has been reached to end the hash block.
if [[ ${outer_line} == "#EOH" && ${in_hash_block} == true ]]; then
echo "${outer_line}"
in_hash_block=false
continue
fi
# Skip lines within the hash block (old hashes and d-i line).
if [[ ${in_hash_block} == true ]]; then
# Skip the line "d-i preseed/include/checksum string".
if [[ ${outer_line} =~ ^d-i\ preseed/include/checksum\ string ]]; then
continue
fi
# Skip lines with old hashes.
if [[ ${outer_line} =~ [a-f0-9]{32} ]]; then
continue
fi
fi
# Leave all other rows unchanged.
echo "${outer_line}"
done < "${PRES_FILE}"
} >| "${PRES_FILE}.tmp"
mv -f "${PRES_FILE}.tmp" "${PRES_FILE}"
sed -i ':a;N;/\n#EOH/!ba;s/\(\n\)\+\(#EOH\)/\n#EOH/' "${PRES_FILE}"
sed -i '$d' "$PRES_FILE"
echo "# Written by: $0 Version: ${VERSION} at: $(date +%T.%4N)" >> "${PRES_FILE}"
printf "\e[92m✅ '%s' Process successful.\e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

12
config/includes.chroot/preseed/.lib/banner.lib Normal file
View File

@@ -0,0 +1,12 @@
#######################################################################
# #
## ##
###### ######## ### ## ######## ### ## ####### ### ####### ### ##
### #### ## ### ### ## ## ### ## #### ##
### ####### ####### ### ### ## ###### ### ## ## #######
### ### ### ### ### ### ## ## ## ### ## ## ### ###
###### ####### ### ## ### ##### ## ## ### ##### ### ##
# #
#######################################################################

118
config/includes.chroot/preseed/.lib/sshd_config.lib Normal file
View File

@@ -0,0 +1,118 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
Banner /etc/banner
DebianBanner no
VersionAddendum none
Compression no
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port MUST_BE_CHANGED
AllowUsers root
UseDNS no
RekeyLimit 1G 1h
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2
MaxStartups 10:30:60
ClientAliveInterval 300
ClientAliveCountMax 2
AuthorizedKeysFile %h/.ssh/authorized_keys
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
# ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp384,ssh-ed25519,sk-ssh-ed25519@openssh.com
# Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
KbdInteractiveAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
PidFile /var/run/sshd.pid
PrintMotd no
PrintLastLog yes
TCPKeepAlive no
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
# Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
HostbasedAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
# UsePrivilegeSeparation yes
# Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosGetAFSToken no
# GSSAPI options
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no
# AuthorizedPrincipalsFile none
# AuthorizedKeysCommand none
# AuthorizedKeysCommandUser nobody
# PermitTunnel no
# ChrootDirectory none
# X11DisplayOffset 10
# X11UseLocalhost yes
# PermitTTY yes
# PermitUserEnvironment no
# IgnoreUserKnownHosts no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

81
config/includes.chroot/preseed/CCLA-1.0.md Normal file
View File

@@ -0,0 +1,81 @@
# Centurion Commercial License Agreement 1.0
## **1. General Terms**
1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").
1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.
1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.
1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.
## **2. Grant of License**
2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a
- non-exclusive,
- non-transferable,
- time-limited,
right to use the Software for commercial purposes.
2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.
## **3. Subscription Fees and Payment**
3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.
3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.
## **4. Restrictions**
4.1. Licensee shall not:
- Distribute, sublicense, or resell the Software.
- Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.
4.2. The Software may not be used for illegal or unethical purposes.
## **5. Support and Updates**
5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying
support agreement.
5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.
## **6. Termination**
6.1. This Agreement is valid for the subscription term unless terminated earlier:
- By Licensee, with a 30-day written notice.
- By Licensor, in the event of Licensees breach of this Agreement.
6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.
## **7. Liability and Warranty**
7.1. The Software is provided "as is" without warranties of any kind, except as required by law.
7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.
## **8. Governing Law**
8.1. This Agreement shall be governed by the laws of Portugal.
8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.
## **9. Miscellaneous**
9.1. Any changes to this Agreement must be in writing and signed by both parties.
9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.
## 10. **Contact Information**
* Licensor : Centurion Intelligence Consulting Agency
* Email : legal@coresecret.eu
---
This Subscription License Agreement was last updated at 09.05.2025.

256
config/includes.chroot/preseed/LICENSE Normal file
View File

@@ -0,0 +1,256 @@
# SPDX-License-Identifier: EUPL-1.2
EUPL-1.2
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
a use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
— 'The Licence':this Licence.
— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
— 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
— 'The Work':the Original Work or its Derivative Works.
— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
modify.
— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
a computer as a program.
— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
Licence.
— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstances and for all usage,
— reproduce the Work,
— modify the Work and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
and may therefore contain defects or 'bugs' inherent to this type of development.
For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides, or has his registered office
— this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
a European Union Member State.
Appendix
'Compatible Licences' according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.

115
config/includes.chroot/preseed/preseed.cfg Normal file
View File

@@ -0,0 +1,115 @@
#_preseed_V1
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# https://d-i.debian.org/doc/internals/
# https://d-i.debian.org/doc/internals/ch02.html
# https://preseed.debian.net/debian-preseed/
# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
# https://wiki.debian.org/DebianInstaller/Preseed
# https://wiki.debian.org/RepackBootableISO
# https://www.debian.org/releases/stable/amd64/apb.en.html
# file:///lib/partman/recipes-amd64-efi/
###########################################################################################
# debconf-set-selections -c preseed.cfg # checked #
###########################################################################################
# Preseeded encrypted partitions need to use LVM: #
# https://www.linuxjournal.com/content/preseeding-full-disk-encryption #
###########################################################################################
# d-i preseeding is inherently not secure. Nothing in the installer checks for attempts #
# at buffer overflows or other exploits of the values of a # preconfiguration file like #
# this one. Only use preconfiguration files from # trusted locations! To drive that home, #
# and because it's generally useful, here's a way to run any shell command you'd like #
# inside the installer, automatically. #
###########################################################################################
# Sequence of execution: #
###########################################################################################
# d-i preseed/include_command #
# This command is executed first and dynamically loads additional preseeding settings #
# before further configuration steps start. This makes it possible for all settings #
# downloaded or generated by this command to be available early and influence other #
# preseeding commands or partitioning steps. #
###########################################################################################
# d-i preseed/early_command #
# After running include_command, preseed/early_command is executed. This command is often #
# used to apply custom tweaks or settings just before partitioning. #
###########################################################################################
# d-i partman/early_command #
# This is run immediately before the partitioning process (Partman) is started and is #
# used to perform system- or volume-specific settings or checks. #
###########################################################################################
# Remaining configuration and installation #
# After these early commands, all further installation and configuration steps specified #
# in the preseed file follow. #
###########################################################################################
d-i preseed/include string \
/preseed/.cfg/apt.cfg \
/preseed/.cfg/base.cfg \
/preseed/.cfg/finished.cfg \
/preseed/.cfg/firmware.cfg \
/preseed/.cfg/grub.cfg \
/preseed/.cfg/locale.cfg \
/preseed/.cfg/modules.cfg \
/preseed/.cfg/network.cfg \
/preseed/.cfg/packages.cfg \
/preseed/.cfg/partitioning.cfg \
/preseed/.cfg/security.cfg \
/preseed/.cfg/software.cfg \
/preseed/.cfg/ssh.cfg \
/preseed/.cfg/time.cfg \
/preseed/.cfg/user.cfg
#BOH
d-i preseed/include/checksum string \
336de475a23be401db656485fe2134e5 \
9b2768bf48aada9e1fc33cfe94571826 \
95c0feba9a9ed2a1f3d86cc2bf1910f8 \
bccbc23588d19b3057e4b4915b03538b \
d80da843499d8d797703b8aef2bf28d5 \
e876c113af0630f113811e5bade71b06 \
2b85692b087100a0535fe8711cdbcb63 \
1c0c74ed939c34d620bde9b8f1a91a1c \
da7738a8db3d4e2c220bf3f5b3e50dcb \
5dff498042e3d095a792951ba1bd9d2f \
7f71ea76c629c4e4f0ab2f9a6c8b28ea \
8e6b49c07d678060b661f7dd2fad6f39 \
f526221c741e4e2c5090f2ff60e53d62 \
1ffc41f4c70be83fd6524262494bdf11 \
67b9d1aa4bb4a4b8610ca42fa45521cf
#EOH
d-i debconf/priority string critical
popularity-contest popularity-contest/participate boolean false
###########################################################################################
# This command is executed first and dynamically loads additional preseeding settings #
# before further configuration steps start. #
###########################################################################################
d-i preseed/include_command string sh /preseed/.ash/0_di_preseed_include_command.sh
###########################################################################################
# This first command is run as early as possible, just after preseeding is read. #
###########################################################################################
d-i preseed/early_command string sh /preseed/.ash/1_di_preseed_early_command.sh
###########################################################################################
# This command is run just before the install finishes, but when there is still a usable #
# /target directory. You can chroot to /target and use it directly or use the apt-install #
# and in-target commands to easily install packages and run commands in the target system.#
###########################################################################################
d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.02.512.2025.05.30 at: 10:18:37.9542

92
config/includes.chroot/root/.bashrc Normal file
View File

@@ -0,0 +1,92 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# ~/.bashrc: executed by bash(1) for non-login shells.
# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022
# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "$(dircolors)"
# alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
[[ $- != *i* ]] && return
trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
source /root/.ciss/alias
source /root/.ciss/shortcuts
source /root/.ciss/scan_libwrap
### History
touch /tmp/.bash_history
chmod 0660 /tmp/.bash_history
chown root:root /tmp/.bash_history
export HISTFILE=/tmp/.bash_history
export HISTSIZE=2048
export HISTFILESIZE=2048
shopt -s histappend
### Define colors for bash prompt
export CRED='\033[1;91m'
export CGRE='\033[1;92m'
export CYEL='\033[1;93m'
export CBLU='\033[1;94m'
export CMAG='\033[1;95m'
export CCYA='\033[1;96m'
export CWHI='\033[1;97m'
export CRES='\033[0m'
#if [[ "${UID}" -eq 0 ]]; then
# export user_color="${CRED}"
#else
# export user_color="${CGRE}"
#fi
### Define bash colorful prompt
# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
# Show exit status in green if zero
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
# Show exit status in red otherwise
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
|~\$ "
### Overwrite Protection
set -o noclobber
alias cp="cp -iv"
alias mv='mv -iv'
alias rm='rm -iv'
# Welcome message after login
printf "\n"
printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
printf "\n"
printf "\n"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

212
config/includes.chroot/root/.ciss/alias Normal file
View File

@@ -0,0 +1,212 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
########################################################################################### ℵ
#######################################
# Outputs a 16-character random printable string
# Arguments:
# None
#######################################
genstring() {
(haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
}
# Generates 1,048,576 random bytes into a timestamped file
alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
########################################################################################### Bash
alias clear="printf '\033c'"
alias c='clear'
alias q='exit'
########################################################################################### Chrony
alias cytr='echo "tracking -a -v" | chronyc'
alias cysd='echo "selectdata -a -v" | chronyc'
alias cyss='echo "sourcestats -a -v" | chronyc'
########################################################################################### fail2ban & ufw
alias f2ball='fail2ban-client status'
alias f2bubn='fail2ban-client unban --all'
alias f2bufw='fail2ban-client status ufw'
alias usn='ufw status numbered'
alias usv='ufw status verbose'
########################################################################################### ls
alias ls='eza --group-directories-first --icons=always --oneline --long --all --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
alias lsf='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
alias lss='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension --extended'
alias la='ls'
alias ll=ls
alias l=ls
########################################################################################### Package Management
alias aptac='apt autoclean'
alias aptap='apt autopurge'
alias aptar='apt autoremove'
alias aptcheck='apt-get check'
alias aptdep='apt-cache depends'
alias aptdl='apt-get install --download-only'
alias aptfug='apt full-upgrade'
alias aptupd='apt update'
alias aptupg='apt upgrade'
alias apti='apt install'
alias aptp='apt purge'
alias aptr='apt remove'
alias aptse='apt search'
alias aptsh='apt show'
alias aptimage='apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "dbg" | grep -v "meta-package" | grep -v "cloud" | grep -v "PREEMPT"'
########################################################################################### Readability
alias df='df -h'
alias free='free -m'
alias mkdir='mkdir -pv'
########################################################################################### Service restart
alias rsban='systemctl restart fail2ban'
alias rsweb='systemctl restart nginx php8.4-fpm redis'
########################################################################################### System maintaining
alias boot='reboot -h now'
alias cscan='clamscan -r --bell -i'
alias chkhvg='haveged -n 0 | dieharder -g 200 -a'
alias dev='lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH'
alias i='echo "$(whoami) @ $(uname -a)"'
alias ipunused='iptables -L -v -n'
alias jboot='journalctl --boot=0'
alias lsadt='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency'
alias lsadtdoc='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency > /root/lynis-$(date +%F_%H-%M-%S).txt 2>&1'
alias n='nano'
alias nstat='netstat -tlpnvWa'
alias s='sudo -i'
alias sas='systemd-analyze security'
alias shut='shutdown -h now'
alias ssa='systemctl status'
alias ssf='systemctl status --failed'
alias sysdr='systemctl daemon-reload'
alias syses='systemctl edit'
alias sysrl='systemctl reload'
alias sysrs='systemctl restart'
alias syssp='systemctl stop'
alias sysst='systemctl start'
alias v='nvim'
alias whatdelete='lsof | grep deleted'
alias whatimage='dpkg --list | grep linux-image'
alias whatpurge='dpkg --get-selections | grep deinstall'
########################################################################################### Functions
###########################################################################################
# Generates Secure (/dev/random) Passwords
# Arguments:
# Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
###########################################################################################
# shellcheck disable=SC2317
genpasswd() {
declare -i length=32
declare -i usebase64=0
while [[ $# -gt 0 ]]; do
case "$1" in
--base64)
usebase64=1
;;
'' | *[!0-9]*) ;;
*)
length="$1"
;;
esac
shift
done
declare passwd
passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
if [[ ${usebase64} -eq 1 ]]; then
echo -n "${passwd}" | base64
else
echo "${passwd}"
fi
}
###########################################################################################
# Generates Secure (/dev/random) Passwords
# Arguments:
# none
###########################################################################################
# shellcheck disable=SC2317
genpasswdhash() {
declare salt
salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
}
###########################################################################################
# Globals: Wrapper for secure curl
# Arguments:
# $1: URL from which to download a specific file
# $2: /path/to/file to be saved to
###########################################################################################
# shellcheck disable=SC2317
scurl() {
if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>. \e[0m\n" >&2
return 1
fi
if ! curl --proto '=https' --tlsv1.3 -sSf -o "${2}" "${1}"; then
printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
return 2
fi
}
###########################################################################################
# Globals: Wrapper for secure wget
# Arguments:
# $1: URL from which to download a specific file
# $2: /path/to/file to be saved to
###########################################################################################
# shellcheck disable=SC2317
swget() {
if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>. \e[0m\n" >&2
return 1
fi
if ! wget --no-clobber --https-only --secure-protocol=TLSv1_3 -qO "${2}" "${1}"; then
printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
return 2
fi
}
###########################################################################################
# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
# Arguments:
# none
###########################################################################################
# shellcheck disable=SC2317
sysp() {
sysctl -p /etc/sysctl.d/99_local.hardened
# sleep 1
sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
}
###########################################################################################
# Globals: Wrapper for tree
# Arguments:
# $1: Depth of Directory Listing
###########################################################################################
# shellcheck disable=SC2317
trel() {
declare depth=${1:-3}
tree -C -h --dirsfirst -L "${depth}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
config/includes.chroot/root/.ciss/clean_logout.sh Normal file
View File

@@ -0,0 +1,39 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
clear
cat << 'EOF'
#######################################################################
# #
## ##
###### ######## ### ## ######## ### ## ####### ### ####### ### ##
### #### ## ### ### ## ## ### ## #### ##
### ####### ####### ### ### ## ###### ### ## ## #######
### ### ### ### ### ### ## ## ## ### ## ## ### ###
###### ####### ### ## ### ##### ## ## ### ##### ### ##
# #
#######################################################################
EOF
echo ""
echo -e "\e[97m (c) Marc S. Weidner, 2018 - 2025 \e[0m"
echo -e "\e[97m (p) Centurion Press, 2018 - 2025 \e[0m"
echo -e "\e[97m Centurion Intelligence Consulting Agency (tm) \e[0m"
echo -e "\e[97m https://coresecret.eu/ \e[0m"
echo -e "\e[95m Please consider making a donation: \e[0m"
echo -e "\e[95m https://coresecret.eu/spenden/ \e[0m"
echo ""
echo -e "\e[92m All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
echo -e "\e[92m Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
# shellcheck disable=SC2162
read
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

41
config/includes.chroot/root/.ciss/scan_libwrap Normal file
View File

@@ -0,0 +1,41 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Scanner for 'libwrap' usage.
# Arguments:
# None
#######################################
scanlw() {
printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
printf "\n"
# Collect binaries from all running PIDs
declare pid exe_path comm user
for pid in $(ps -e -o pid=); do
exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
# Skip if not a regular executable
[[ -x "${exe_path}" ]] || continue
# Check if the binary is linked with libwrap
if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
comm=$(ps -p "$pid" -o comm=)
user=$(ps -p "$pid" -o user=)
printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
fi
done
printf "\n"
printf "\e[92m✅ Scan complete. \e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

116
config/includes.chroot/root/.ciss/shortcuts Normal file
View File

@@ -0,0 +1,116 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -ga shortcuts=(
"aptac: apt autoclean"
"aptap: apt autopurge"
"aptar: apt autoremove"
"aptcheck: apt-get check"
"aptdep: apt-cache depends"
"aptdl: apti --download-only"
"aptfug: apt full-upgrade"
"apti: apt install"
"aptimage: get Kernel Img"
"aptp: apt purge"
"aptr: apt remove"
"aptse: apt search"
"aptsh: apt show"
"aptupd: apt update"
"aptupg: apt upgrade"
"boot: reboot -h now"
"c: clear"
"clear: printf \033c"
"cscan: clamscan -r --bell -i"
"chkhvg: hvg -n 0 | dieharder -g 200 -a"
"cysd: chrony selectdata"
"cyss: chrony sourcestats"
"cytr: chrony tracking"
"dev: lsblk -o ..."
"df: df -h"
"f2ball: f2b status all"
"f2bubn: f2b unban --all"
"f2bufw: f2b status ufw"
"free: free -m"
"genkeyfile: 1MiBi"
"genpasswd: PWD"
"genpasswdhash: PWD Hash"
"genstring: Random String"
"i: who you are"
"ipunused: iptables -L -v -n"
"jboot: journalctl --boot=0"
"l: ls"
"la: ls"
"ll: ls"
"ls: eza"
"lsadt: lynis audit system"
"lsadtdoc: lynis audit system"
"lsf: eza --absolute"
"lss: eza --extended"
"mkdir: mkdir -pv"
"n: nano"
"nstat: netstat -tlpnvWa"
"q: exit"
"rsban: restart fail2ban"
"rsweb: restart nginx php8.4-fpm redis"
"s: sudo -i"
"sas: systemd-analyze security"
"scanlw: scan libwrap"
"scurl: TLS1.3 curl"
"shut: shutdown -h now"
"ssa: systemctl status"
"ssf: systemctl status --failed"
"swget: TLS1.3 wget"
"sysdr: systemctl daemon-reload"
"syses: systemctl edit"
"sysp: load 99_local.hardened"
"sysrl: systemctl reload"
"sysrs: systemctl restart'"
"syssp: systemctl stop"
"sysst: systemctl start"
"trel: tree"
"usn: ufw status numbered"
"usv: ufw status verbose"
"v: nvim"
"whatdelete: lsof | grep deleted"
"whatimage: dpkg --list | grep linux"
"whatpurge: dpkg --get-selections"
)
#######################################
# Show available Aliases
# Globals:
# CMAG
# CRES
# shortcuts
# Arguments:
# None
#######################################
celp() {
declare arr=("${shortcuts[@]}")
declare cols=3
declare col_width=42
declare i=0
declare entry
for entry in "${arr[@]}"; do
# Print entry left-aligned in fixed width, colored
printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
((i++))
if ((i % cols == 0)); then
printf "\n"
fi
done
# If last line not full, add a newline
if ((i % cols != 0)); then
printf "\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

0
config/includes.chroot/root/.ssh/authorized_keys Normal file
View File

12
config/package-lists/live.list.amd64.chroot Normal file
View File

@@ -0,0 +1,12 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
grub-efi-amd64-signed
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

12
config/package-lists/live.list.arm64.chroot Normal file
View File

@@ -0,0 +1,12 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
grub-efi-arm64-signed
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

127
config/package-lists/live.list.common.chroot Normal file
View File

@@ -0,0 +1,127 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
apparmor
apparmor-profiles-extra
apparmor-utils
apt-file
apt-mirror
apt-show-versions
apt-transport-https
bash-completion
bat
bc
bind9-dnsutils
bsdmainutils
btrfs-progs
ca-certificates
chkrootkit
clamav
clamav-daemon
console-setup
cryptsetup
cryptsetup-nuke-password
curl
debconf
debconf-utils
debian-installer
debian-installer-launcher
debian-kernel-handbook
debootstrap
dhcpdump
dhcping
dialog
dieharder
dirmngr
dmsetup
dosfstools
efibootmgr
expect
fail2ban
figlet
fzf
gawk
gdisk
git
gnupg2
haveged
htop
iftop
iproute2
iputils-ping
jq
keyboard-configuration
keychain
knot-dnssecutils
knot-dnsutils
libpam-google-authenticator
libpam-pwquality
libpwquality-tools
linux-doc-6.12
linux-source
live-boot
live-config
live-config-systemd
locate
logrotate
lsb-release
lvm2
makedev
makepasswd
man
man-db
manpages
manpages-dev
mtr
nano
ncat
neofetch
neovim
net-tools
netselect-apt
nmap
nodejs
openssl
parted
perl
pollinate
pwgen
python3
rkhunter
rng-tools
rsnapshot
rsync
rsyslog
screen
shellcheck
software-properties-common
spectre-meltdown-checker
speedtest-cli
squashfs-tools
ssh
ssl-cert
sudo
sysstat
systemd-sysv
tree
tshark
ufw
unattended-upgrades
unzip
virt-what
wamerican
wbritish
wfrench
wget
whois
wngerman
zip
zsh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh