msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.02.512.2025.05.30

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-05-30 00:28:39 +02:00
parent 2680012395
commit b2282d3475
172 changed files with 14057 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
docs/AUDIT_HAVEGED.md Normal file
View File

@@ -0,0 +1,151 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. Haveged Audit on Netcup RS 2000 G11
````text
Mon May 19|root@live:~/>>0|~$ haveged -n 0 | dieharder -g 200 -a
haveged: command socket is listening at fd 3
Writing unlimited bytes to stdout
#=============================================================================#
# dieharder version 3.31.1 Copyright 2003 Robert G. Brown #
#=============================================================================#
rng_name |rands/second| Seed |
stdin_input_raw| 1.77e+07 |1806134257|
#=============================================================================#
test_name |ntup| tsamples |psamples| p-value |Assessment
#=============================================================================#
diehard_birthdays| 0| 100| 100|0.21358950| PASSED
diehard_operm5| 0| 1000000| 100|0.23365564| PASSED
diehard_rank_32x32| 0| 40000| 100|0.33364435| PASSED
diehard_rank_6x8| 0| 100000| 100|0.83680113| PASSED
diehard_bitstream| 0| 2097152| 100|0.89183344| PASSED
diehard_opso| 0| 2097152| 100|0.95817018| PASSED
diehard_oqso| 0| 2097152| 100|0.25923499| PASSED
diehard_dna| 0| 2097152| 100|0.28604687| PASSED
diehard_count_1s_str| 0| 256000| 100|0.25146863| PASSED
diehard_count_1s_byt| 0| 256000| 100|0.64817854| PASSED
diehard_parking_lot| 0| 12000| 100|0.68180941| PASSED
diehard_2dsphere| 2| 8000| 100|0.52576112| PASSED
diehard_3dsphere| 3| 4000| 100|0.02636962| PASSED
diehard_squeeze| 0| 100000| 100|0.81226498| PASSED
diehard_sums| 0| 100| 100|0.54642776| PASSED
diehard_runs| 0| 100000| 100|0.98440072| PASSED
diehard_runs| 0| 100000| 100|0.75118526| PASSED
diehard_craps| 0| 200000| 100|0.93104571| PASSED
diehard_craps| 0| 200000| 100|0.45994663| PASSED
marsaglia_tsang_gcd| 0| 10000000| 100|0.38263075| PASSED
marsaglia_tsang_gcd| 0| 10000000| 100|0.16784328| PASSED
sts_monobit| 1| 100000| 100|0.26368088| PASSED
sts_runs| 2| 100000| 100|0.10069666| PASSED
sts_serial| 1| 100000| 100|0.53426480| PASSED
sts_serial| 2| 100000| 100|0.95654933| PASSED
sts_serial| 3| 100000| 100|0.75042664| PASSED
sts_serial| 3| 100000| 100|0.27693306| PASSED
sts_serial| 4| 100000| 100|0.79225401| PASSED
sts_serial| 4| 100000| 100|0.49273684| PASSED
sts_serial| 5| 100000| 100|0.58017632| PASSED
sts_serial| 5| 100000| 100|0.39423250| PASSED
sts_serial| 6| 100000| 100|0.72811005| PASSED
sts_serial| 6| 100000| 100|0.94342669| PASSED
sts_serial| 7| 100000| 100|0.98343053| PASSED
sts_serial| 7| 100000| 100|0.74692814| PASSED
sts_serial| 8| 100000| 100|0.56538653| PASSED
sts_serial| 8| 100000| 100|0.91826111| PASSED
sts_serial| 9| 100000| 100|0.63502589| PASSED
sts_serial| 9| 100000| 100|0.28959825| PASSED
sts_serial| 10| 100000| 100|0.74650890| PASSED
sts_serial| 10| 100000| 100|0.95475310| PASSED
sts_serial| 11| 100000| 100|0.35838186| PASSED
sts_serial| 11| 100000| 100|0.80481197| PASSED
sts_serial| 12| 100000| 100|0.74700860| PASSED
sts_serial| 12| 100000| 100|0.49849890| PASSED
sts_serial| 13| 100000| 100|0.55828107| PASSED
sts_serial| 13| 100000| 100|0.23244603| PASSED
sts_serial| 14| 100000| 100|0.23080285| PASSED
sts_serial| 14| 100000| 100|0.83936220| PASSED
sts_serial| 15| 100000| 100|0.64411755| PASSED
sts_serial| 15| 100000| 100|0.99255934| PASSED
sts_serial| 16| 100000| 100|0.00563047| PASSED
sts_serial| 16| 100000| 100|0.31608374| PASSED
rgb_bitdist| 1| 100000| 100|0.64550890| PASSED
rgb_bitdist| 2| 100000| 100|0.87656240| PASSED
rgb_bitdist| 3| 100000| 100|0.67169827| PASSED
rgb_bitdist| 4| 100000| 100|0.44406906| PASSED
rgb_bitdist| 5| 100000| 100|0.67772729| PASSED
rgb_bitdist| 6| 100000| 100|0.73853919| PASSED
rgb_bitdist| 7| 100000| 100|0.86999808| PASSED
rgb_bitdist| 8| 100000| 100|0.01313259| PASSED
rgb_bitdist| 9| 100000| 100|0.55009611| PASSED
rgb_bitdist| 10| 100000| 100|0.70726109| PASSED
rgb_bitdist| 11| 100000| 100|0.03154815| PASSED
rgb_bitdist| 12| 100000| 100|0.84462282| PASSED
rgb_minimum_distance| 2| 10000| 1000|0.83132423| PASSED
rgb_minimum_distance| 3| 10000| 1000|0.68188237| PASSED
rgb_minimum_distance| 4| 10000| 1000|0.51409655| PASSED
rgb_minimum_distance| 5| 10000| 1000|0.42544360| PASSED
rgb_permutations| 2| 100000| 100|0.66313395| PASSED
rgb_permutations| 3| 100000| 100|0.95535890| PASSED
rgb_permutations| 4| 100000| 100|0.45758425| PASSED
rgb_permutations| 5| 100000| 100|0.98313853| PASSED
rgb_lagged_sum| 0| 1000000| 100|0.41578816| PASSED
rgb_lagged_sum| 1| 1000000| 100|0.76861829| PASSED
rgb_lagged_sum| 2| 1000000| 100|0.43447789| PASSED
rgb_lagged_sum| 3| 1000000| 100|0.49698037| PASSED
rgb_lagged_sum| 4| 1000000| 100|0.02212798| PASSED
rgb_lagged_sum| 5| 1000000| 100|0.04465057| PASSED
rgb_lagged_sum| 6| 1000000| 100|0.10526977| PASSED
rgb_lagged_sum| 7| 1000000| 100|0.79849751| PASSED
rgb_lagged_sum| 8| 1000000| 100|0.83675235| PASSED
rgb_lagged_sum| 9| 1000000| 100|0.37604856| PASSED
rgb_lagged_sum| 10| 1000000| 100|0.46712205| PASSED
rgb_lagged_sum| 11| 1000000| 100|0.16098525| PASSED
rgb_lagged_sum| 12| 1000000| 100|0.81557499| PASSED
rgb_lagged_sum| 13| 1000000| 100|0.11553821| PASSED
rgb_lagged_sum| 14| 1000000| 100|0.85637944| PASSED
rgb_lagged_sum| 15| 1000000| 100|0.91125298| PASSED
rgb_lagged_sum| 16| 1000000| 100|0.59747378| PASSED
rgb_lagged_sum| 17| 1000000| 100|0.70077562| PASSED
rgb_lagged_sum| 18| 1000000| 100|0.66815407| PASSED
rgb_lagged_sum| 19| 1000000| 100|0.04941226| PASSED
rgb_lagged_sum| 20| 1000000| 100|0.37939018| PASSED
rgb_lagged_sum| 21| 1000000| 100|0.42653722| PASSED
rgb_lagged_sum| 22| 1000000| 100|0.86316011| PASSED
rgb_lagged_sum| 23| 1000000| 100|0.43038293| PASSED
rgb_lagged_sum| 24| 1000000| 100|0.34472083| PASSED
rgb_lagged_sum| 25| 1000000| 100|0.73741194| PASSED
rgb_lagged_sum| 26| 1000000| 100|0.05584980| PASSED
rgb_lagged_sum| 27| 1000000| 100|0.80601600| PASSED
rgb_lagged_sum| 28| 1000000| 100|0.99361052| PASSED
rgb_lagged_sum| 29| 1000000| 100|0.27812997| PASSED
rgb_lagged_sum| 30| 1000000| 100|0.94547008| PASSED
rgb_lagged_sum| 31| 1000000| 100|0.02400797| PASSED
rgb_lagged_sum| 32| 1000000| 100|0.98890248| PASSED
rgb_kstest_test| 0| 10000| 1000|0.53680166| PASSED
dab_bytedistrib| 0| 51200000| 1|0.38634245| PASSED
dab_dct| 256| 50000| 1|0.02760776| PASSED
Preparing to run test 207. ntuple = 0
dab_filltree| 32| 15000000| 1|0.47264235| PASSED
dab_filltree| 32| 15000000| 1|0.49416126| PASSED
Preparing to run test 208. ntuple = 0
dab_filltree2| 0| 5000000| 1|0.12940766| PASSED
dab_filltree2| 1| 5000000| 1|0.40415388| PASSED
Preparing to run test 209. ntuple = 0
dab_monobit2| 12| 65000000| 1|0.51567978| PASSED
haveged: Cannot write data in file: Broken pipe
tot tests(BA8): A:1/1 B:1/1 last entropy estimate 8.00294
fills: 470064, generated: 229.5 G bytes
````
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

625
docs/AUDIT_LYNIS.md Normal file
View File

@@ -0,0 +1,625 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. Lynis Audit:
````text
[ Lynis 3.1.4 ]
################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.
2007-2024, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
---------------------------------------------------
Program version: 3.1.4
Operating system: Linux
Operating system name: Debian
Operating system version: 12
Kernel version: 6.12.22+bpo
Hardware platform: x86_64
Hostname: live
---------------------------------------------------
Profiles: /etc/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/share/lynis/plugins
---------------------------------------------------
Auditor: Centurion_Intelligence_Consulting_Agency
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]
[+] System tools
------------------------------------
- Scanning available tools...
- Checking system binaries...
[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete
- Plugins enabled [ NONE ]
[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ ENABLED ]
- Checking Secure Boot [ DISABLED ]
- Boot loader [ NONE FOUND ]
- Check running services (systemctl) [ DONE ]
Result: found 17 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 24 enabled services
- Check startup files (permissions) [ OK ]
- Running 'systemd-analyze security'
Unit name (exposure value) and predicate
--------------------------------
- auditd.service (value=8.7) [ EXPOSED ]
- chrony.service (value=3.5) [ PROTECTED ]
- clamav-daemon.service (value=3.5) [ PROTECTED ]
- cron.service (value=9.6) [ UNSAFE ]
- dbus.service (value=9.6) [ UNSAFE ]
- dm-event.service (value=9.5) [ UNSAFE ]
- emergency.service (value=9.5) [ UNSAFE ]
- fail2ban.service (value=6.5) [ MEDIUM ]
- getty@tty1.service (value=9.6) [ UNSAFE ]
- haveged.service (value=3.0) [ PROTECTED ]
- ifup@ens3.service (value=9.5) [ UNSAFE ]
- ifup@ens4.service (value=9.5) [ UNSAFE ]
- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
- polkit.service (value=9.6) [ UNSAFE ]
- rc-local.service (value=9.6) [ UNSAFE ]
- rescue.service (value=9.5) [ UNSAFE ]
- rsyslog.service (value=9.6) [ UNSAFE ]
- ssh.service (value=9.6) [ UNSAFE ]
- systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
- systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
- systemd-fsckd.service (value=9.5) [ UNSAFE ]
- systemd-initctl.service (value=9.4) [ UNSAFE ]
- systemd-journald.service (value=4.3) [ PROTECTED ]
- systemd-logind.service (value=2.8) [ PROTECTED ]
- systemd-networkd.service (value=2.6) [ PROTECTED ]
- systemd-udevd.service (value=7.1) [ MEDIUM ]
- unattended-upgrades.service (value=9.6) [ UNSAFE ]
- usbguard-dbus.service (value=9.6) [ UNSAFE ]
- usbguard.service (value=2.8) [ PROTECTED ]
- user@0.service (value=9.8) [ UNSAFE ]
- uuidd.service (value=5.8) [ MEDIUM ]
[+] Kernel
------------------------------------
- Checking default runlevel [ runlevel 5 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 84 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ NOT FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration
- configuration in systemd conf files [ DEFAULT ]
- configuration in /etc/profile [ DEFAULT ]
- 'hard' configuration in /etc/security/limits.conf [ DISABLED ]
- 'soft' configuration in /etc/security/limits.conf [ DISABLED ]
- Checking setuid core dumps configuration [ DISABLED ]
- Check if reboot is needed [ NO ]
[+] Memory and Processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ NOT FOUND ]
- Searching for IO waiting processes [ NOT FOUND ]
- Search prelink tooling [ NOT FOUND ]
[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ OK ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ OK ]
- Password hashing methods [ OK ]
- Password hashing rounds (minimum) [ CONFIGURED ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- Sudoers file(s) [ FOUND ]
- Permissions for directory: /etc/sudoers.d [ OK ]
- Permissions for: /etc/sudoers [ OK ]
- Permissions for: /etc/sudoers.d/README [ OK ]
- Permissions for: /etc/sudoers.d/live [ OK ]
- PAM password strength tools [ OK ]
- PAM configuration files (pam.conf) [ FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Locked accounts [ OK ]
- User password aging (minimum) [ CONFIGURED ]
- User password aging (maximum) [ CONFIGURED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ OK ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ]
[+] Kerberos
------------------------------------
- Check for Kerberos KDC and principals [ NOT FOUND ]
[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 12 shells (valid shells: 12).
- Session timeout settings/tools [ FOUND ]
- Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ]
- Checking default umask in /etc/profile [ NONE ]
[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ OK ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Mount options of /dev [ PARTIALLY HARDENED ]
- Mount options of /dev/shm [ PARTIALLY HARDENED ]
- Mount options of /run [ HARDENED ]
- Mount options of /tmp [ PARTIALLY HARDENED ]
- Total without nodev:11 noexec:13 nosuid:9 ro or noexec (W^X): 9 of total 33
- Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems
- Module cramfs is blacklisted [ OK ]
- Module freevxfs is blacklisted [ OK ]
- Module hfs is blacklisted [ OK ]
- Module hfsplus is blacklisted [ OK ]
- Module jffs2 is blacklisted [ OK ]
- Module udf is blacklisted [ OK ]
[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking USBGuard [ FOUND ]
- Configuration [ FOUND ]
- Restore controller device state [ false ]
- Rule for controllers connected before daemon starts [ keep ]
- Rule for devices connected before daemon starts [ allow ]
- Rule for devices inserted after daemon starts [ apply-policy ]
- Rule for devices not in RuleFile [ block ]
- RuleFile [ FOUND ]
- Controllers & Devices allow [ 2 ]
- Controllers & Devices block [ 0 ]
- Controllers & Devices reject [ 0 ]
[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ DISABLED ]
[+] NFS
------------------------------------
- Check running NFS daemon [ NOT FOUND ]
[+] Name services
------------------------------------
- Searching DNS domain name [ FOUND ]
Domain name: local
- Checking /etc/hosts
- Duplicate entries in hosts file [ NONE ]
- Presence of configured hostname in /etc/hosts [ FOUND ]
- Hostname mapped to localhost [ NOT FOUND ]
- Localhost mapping to IP address [ OK ]
[+] Ports and packages
------------------------------------
- Searching package managers
- Searching dpkg package manager [ FOUND ]
- Querying package manager
- Query unpurged packages [ NONE ]
- debsums utility [ FOUND ]
- Cron job for debsums [ FOUND ]
- Checking security repository in sources.list file [ OK ]
- Checking APT package database [ OK ]
- Checking vulnerable packages (apt-get only) [ DONE ]
- Checking upgradeable packages [ NONE ]
- Checking package audit tool [ INSTALLED ]
Found: apt-get
- Toolkit for automatic upgrades (unattended-upgrade) [ FOUND ]
[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
Configuration method [ MANUAL ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 135.181.207.105 [ OK ]
Nameserver: 89.58.62.53 [ OK ]
- Minimal of 2 responsive nameservers [ OK ]
- Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ]
- Checking promiscuous interfaces [ OK ]
- Checking waiting connections [ OK ]
- Checking status DHCP client [ RUNNING ]
- Checking for ARP monitoring software [ NOT FOUND ]
- Uncommon network protocols [ NOT FOUND ]
[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]
[+] Software: e-mail and messaging
------------------------------------
[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Chain INPUT (table: filter, target: DROP) [ DROP ]
- Chain INPUT (table: security, target: ACCEPT) [ ACCEPT ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]
[+] Software: webserver
------------------------------------
- Checking Apache [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]
[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- OpenSSH option: AllowTcpForwarding [ OK ]
- OpenSSH option: ClientAliveCountMax [ OK ]
- OpenSSH option: ClientAliveInterval [ OK ]
- OpenSSH option: FingerprintHash [ OK ]
- OpenSSH option: GatewayPorts [ OK ]
- OpenSSH option: IgnoreRhosts [ OK ]
- OpenSSH option: LoginGraceTime [ OK ]
- OpenSSH option: LogLevel [ OK ]
- OpenSSH option: MaxAuthTries [ OK ]
- OpenSSH option: MaxSessions [ OK ]
- OpenSSH option: PermitRootLogin [ OK ]
- OpenSSH option: PermitUserEnvironment [ OK ]
- OpenSSH option: PermitTunnel [ OK ]
- OpenSSH option: Port [ OK ]
- OpenSSH option: PrintLastLog [ OK ]
- OpenSSH option: StrictModes [ OK ]
- OpenSSH option: TCPKeepAlive [ OK ]
- OpenSSH option: UseDNS [ OK ]
- OpenSSH option: X11Forwarding [ OK ]
- OpenSSH option: AllowAgentForwarding [ OK ]
- OpenSSH option: AllowUsers [ FOUND ]
- OpenSSH option: AllowGroups [ NOT FOUND ]
[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]
[+] Databases
------------------------------------
No database engines found
[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]
[+] PHP
------------------------------------
- Checking PHP [ NOT FOUND ]
[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]
[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking wazuh-agent daemon status [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking remote logging [ NOT ENABLED ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ DONE ]
[+] Insecure services
------------------------------------
- Installed inetd package [ NOT FOUND ]
- Installed xinetd package [ OK ]
- xinetd status [ NOT ACTIVE ]
- Installed rsh client package [ OK ]
- Installed rsh server package [ OK ]
- Installed telnet client package [ OK ]
- Installed telnet server package [ NOT FOUND ]
- Checking NIS client installation [ OK ]
- Checking NIS server installation [ OK ]
- Checking TFTP client installation [ OK ]
- Checking TFTP server installation [ OK ]
[+] Banners and identification
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ OK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ OK ]
[+] Scheduled tasks
------------------------------------
- Checking crontab and cronjob files [ DONE ]
[+] Accounting
------------------------------------
- Checking accounting information [ OK ]
- Checking sysstat accounting data [ ENABLED ]
- Checking auditd [ ENABLED ]
- Checking audit rules [ OK ]
- Checking audit configuration file [ OK ]
- Checking auditd log file [ FOUND ]
[+] Time and Synchronization
------------------------------------
- NTP daemon found: chronyd [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]
[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/139] [ NONE ]
[WARNING]: Test CRYP-7902 had a long execution: 20.445007 seconds
- Found 0 encrypted and 0 unencrypted swap devices in use. [ OK ]
- Kernel entropy is sufficient [ YES ]
- HW RNG & rngd [ NO ]
- SW prng [ YES ]
- MOR variable not found [ WEAK ]
[+] Virtualization
------------------------------------
[+] Containers
------------------------------------
[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ DISABLED ]
- Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ]
[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- AIDE [ FOUND ]
- AIDE config file [ FOUND ]
- AIDE database [ FOUND ]
- dm-integrity (status) [ DISABLED ]
- dm-verity (status) [ DISABLED ]
- AIDE config (Checksum) [ OK ]
- Checking presence integrity tool [ FOUND ]
[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Ansible artifact [ FOUND ]
- Automation tooling [ FOUND ]
- Checking presence of Fail2ban [ FOUND ]
- Checking Fail2ban jails [ ENABLED ]
- Checking for IDS/IPS tooling [ FOUND ]
[+] Software: Malware
------------------------------------
- Checking chkrootkit [ FOUND ]
- Checking Rootkit Hunter [ FOUND ]
- Checking ClamAV scanner [ FOUND ]
- Malware software components [ FOUND ]
- Active agent [ NOT FOUND ]
- Rootkit scanner [ FOUND ]
[+] File Permissions
------------------------------------
- Starting file permissions check
File: /etc/cron.allow [ OK ]
File: /etc/crontab [ OK ]
File: /etc/group [ OK ]
File: /etc/group- [ OK ]
File: /etc/hosts.allow [ OK ]
File: /etc/hosts.deny [ OK ]
File: /etc/issue [ OK ]
File: /etc/issue.net [ OK ]
File: /etc/motd [ OK ]
File: /etc/passwd [ OK ]
File: /etc/passwd- [ OK ]
File: /etc/ssh/sshd_config [ OK ]
Directory: /root/.ssh [ OK ]
Directory: /etc/cron.d [ OK ]
Directory: /etc/cron.daily [ OK ]
Directory: /etc/cron.hourly [ OK ]
Directory: /etc/cron.weekly [ OK ]
Directory: /etc/cron.monthly [ OK ]
[+] Home directories
------------------------------------
- Permissions of home directories [ OK ]
- Ownership of home directories [ OK ]
- Checking shell history files [ OK ]
[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- dev.tty.ldisc_autoload (exp: 0) [ OK ]
- fs.protected_fifos (exp: 2) [ OK ]
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_regular (exp: 2) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ OK ]
- kernel.kptr_restrict (exp: 2) [ OK ]
- kernel.modules_disabled (exp: 1) [ OK ]
- kernel.perf_event_paranoid (exp: 2 3 4) [ OK ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ OK ]
- kernel.unprivileged_bpf_disabled (exp: 1) [ OK ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
- net.core.bpf_jit_harden (exp: 2) [ OK ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ OK ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ OK ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ FOUND ]
- Non-native binary formats [ FOUND ]
[+] Custom tests
------------------------------------
- Running custom tests... [ NONE ]
[+] Plugins (phase 2)
------------------------------------
================================================================================
-[ Lynis 3.1.4 Results ]-
Great, no warnings
Suggestions (5):
----------------------------
* Consider hardening system services [BOOT-5264]
- Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service
- Related resources
* Article: Systemd features to secure service files: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
* Website: https://cisofy.com/lynis/controls/BOOT-5264/
* To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
- Related resources
* Website: https://cisofy.com/lynis/controls/FILE-6310/
* To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
- Related resources
* Website: https://cisofy.com/lynis/controls/FILE-6310/
* Check iptables rules to see which rules are currently not used [FIRE-4513]
- Related resources
* Website: https://cisofy.com/lynis/controls/FIRE-4513/
* Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
- Related resources
* Website: https://cisofy.com/lynis/controls/LOGG-2154/
Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 92 [################## ]
Tests performed : 261
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [V]
Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Lynis 3.1.4
Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)
2007-2024, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
================================================================================
[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
````
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

56
docs/AUDIT_SSH.md Normal file
View File

@@ -0,0 +1,56 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. SSH Audit by ssh-audit.com
![CISS.2025.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_ssh_audit.png)
# 3. SSH Audit by https://github.com/jtesta/ssh-audit
````text
# general
(gen) banner: SSH-2.0-OpenSSH_9.2p1
(gen) software: OpenSSH 9.2p1
(gen) compatibility: OpenSSH 9.9+, Dropbear SSH 2020.79+
(gen) compression: disabled
# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
`- [info] default key exchange from OpenSSH 9.0 to 9.8
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) sntrup761x25519-sha512 -- [info] available since OpenSSH 9.9
`- [info] default key exchange since OpenSSH 9.9
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) kex-strict-s-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
# host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79
# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
# algorithm recommendations (for OpenSSH 9.2)
(rec) +aes128-ctr -- enc algorithm to append
(rec) +aes128-gcm@openssh.com -- enc algorithm to append
(rec) +aes192-ctr -- enc algorithm to append
````
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

17
docs/CHANGELOG.md Normal file
View File

@@ -0,0 +1,17 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# TBA
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

80
docs/CODING_CONVENTION.md Normal file
View File

@@ -0,0 +1,80 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. Coding Style
## 2.1. PR
You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
## 2.2 Documentation
Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
`~/docs/DOCUMENTATION.md`.
## 2.3. Coding
### 2.3.1. Shell / bash
Bash is actually quite powerful—not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of
neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
* Don't use backticks anymore, use `$(..)` instead
* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
quote at all.
* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
slower as it forks, fopens and pipes back the result.
* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
* Bash can also deal perfectly with regular expressions, see
e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com). You can as well have a look @
`is_ipv4addr()` or `is_ipv6addr()`.
* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
achieve the same with e.g. `awk`.
* Be careful with very advanced bash features. Mac OS X is still using bash version
3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
* Always use a return value for a function/method. 0 means all is fine.
* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
### 2.3.2. Shell specific
* Security:
* Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
* Unless you're really sure where the values come from, variables need to be put in quotes.
### 2.3.3. Variables
* Use **"speaking variables"** but don't overdo it with the length.
* No _camelCase_, please. We distinguish between lowercase and uppercase only.
* Global variables:
* use them only when really necessary,
* in CAPS,
* initialize them (`declare -g VAR=""`),
* use `declare -g` and use typing (variable types) if possible.
* Local variables:
* are lower case,
* declare them before usage (`declare`),
* initialize them (`declare VAR=""`).
* Preferred declaration and initialization:
* VAR: `declare -g VAR=""` and `declare -a ARRAY=()`.
# 3. Misc
* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

25
docs/CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,25 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. Contributors
## X
I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.
## Ζ
* Zimnol, André H.; Private Contributor
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

29
docs/CREDITS.md Normal file
View File

@@ -0,0 +1,29 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. Credits
## 2.2. Authors
## 2.3. Contributors
### X
I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.
### Ζ
* Zimnol, André H.; Private Contributor
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

146
docs/DOCUMENTATION.md Normal file
View File

@@ -0,0 +1,146 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. Usage
````text
CISS.debian.live.builder
Master V8.02.512.2025.05.30
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
https://coresecret.eu/
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
"./ciss_live_builder.sh <option>", where <option> is one or more of:
--help, -h
What you're looking at.
--architecture <STRING> one of <amd64 | arm64>
A string reflecting the architecture of the Live System.
MUST be provided.
--build-directory </path/to/build_directory>
Where the Debian Live Build Image should be generated.
MUST be provided.
--change-splash <STRING> one of <club | hexagon>
A string reflecting the GRub Boot Screen Splash you want to use.
If omitted defaults to "./.archive/background/club.png".
--cdi (Experimental Feature)
This option generates a boot menu entry to start the forthcoming
'CISS.debian.installer', which will be executed after
the system has successfully booted up.
--contact, -c
Displays contact information of the author.
--control <INTEGER>
An integer that reflects the version of your Live ISO Image.
MUST be provided.
--debug
Enables debug logging for the main program routine. Detailed logging
information are written to "/tmp/ciss_live_builder_3764286.log"
--dhcp-centurion
If a DHCP lease is provided, the provider's nameserver will be overridden,
and only the hardened, privacy-focused Centurion DNS servers will be used:
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
--jump-host <IP | IP | ... >
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
If provided, than it MUST be a <SPACE> separated list.
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
--log-statistics-only
Provides statistic only after successful building a
CISS.debian.live-ISO. While enabling "--log-statistics-only"
the argument "--build-directory" MUST be provided while
all further options MUST be omitted.
--provider-netcup-ipv6
Activates IPv6 support for Netcup Root Server. One unique
IPv6 address MUST be provided in this case.
--renice-priority <PRIORITY>
Reset the nice priority value of the script and all its children
to the desired PRIORITY. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
--reionice-priority <CLASS> <PRIORITY>
Reset the ionice priority value of the script and all its children
to the desired CLASS. MUST be an integer:
1: realtime
2: best-effort
3: idle
defaults to "2".
PRIORITY MUST be an integer:
between 0 (highest) and 7 (lowest) priority.
defaults to "4".
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
--root-password-file </path/to/password.txt>
Password file for 'root', if given, MUST be a string of 20 to 64 characters,
and MUST NOT contain the special character '"'.
If the argument is omitted, no further login authentication is required for
the local console. The root password is hashed with an 16 Byte '/dev/random'
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
after Hash generation all Variables containing plain password fragments are
deleted. Password file SHOULD be 0400 and root:root and is deleted without
further prompt after password hash has been successfully generated via:
shred -vfzu 5 -f.
No tracing of any plain text password fragment in any debug log.
--ssh-port <INTEGER>
The desired Port SSH should listen to.
If not provided defaults to Port 22.
--ssh-pubkey </path/to/.ssh/>
Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
specified PATH into the Live ISO. MUST be provided.
--version, -v
Displays version of ./ciss_live_builder.sh.
NOTES:
- You MUST be root to run this script.
Contact:
- https://coresecret.eu/
- security@coresecret.eu
- PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
- https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
````
# 3. Booting
## 3.1. Grub Menu
![Boot Menu](/docs/screenshots/20250517_boot_grub.jpg)
## 3.2. Integrity checks
![Integrity Check](screenshots/20250517_boot_integrity_check.jpg)
![Integrity Success](screenshots/20250517_boot_integrity_success.jpg)
## 3.3. Console Login
![Console Login](screenshots/20250517_console_login.jpg)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

155
docs/LICENSES/CC-BY-NC-ND-4.0.txt Normal file
View File

@@ -0,0 +1,155 @@
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.
Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensors' permission is not necessary for any reasonfor example, because of any applicable exception or limitation to copyright - then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
Section 1 Definitions.
a. Adapted Material means material subject to Copyright and Similar Rights that are derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synced in timed relation with a moving image.
b. Copyright and Similar Rights mean copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
c. Effective Technological Measures mean those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
d. Exceptions and Limitations mean fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material, and that the Licensor has authority to license.
g. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
h. NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subjects to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
i. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
k. You mean the individual or entity exercising the Licensed Rights under this Public License. 'Your' has a corresponding meaning.
Section 2 Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only.
2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
3. Term. The term of this Public License is specified in Section 6(a).
4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
5. Downstream recipients.
A. Offer from the Licensor Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this Public License.
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases, the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
Section 3 License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
a. Attribution.
1. If You Share the Licensed Material, You must:
A. retain the following if it is supplied by the Licensor with the Licensed Material:
i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of warranties;
v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
Section 4 Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all, or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material;
b. if You include all, or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
Section 5 Disclaimer of Warranties and Limitation of Liability.
a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
Section 6 Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
Section 7 Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
Section 8 Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent, including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
Creative Commons may be contacted at creativecommons.org.

84
docs/LICENSES/CCLA-1.0.md Normal file
View File

@@ -0,0 +1,84 @@
# SPDX-License-Identifier: LicenseRef-CCLA-1.0
# Centurion Commercial License Agreement 1.0
## **1. General Terms**
1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").
1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.
1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.
1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.
## **2. Grant of License**
2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a
- non-exclusive,
- non-transferable,
- time-limited,
right to use the Software for commercial purposes.
2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.
## **3. Subscription Fees and Payment**
3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.
3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.
## **4. Restrictions**
4.1. Licensee shall not:
- Distribute, sublicense, or resell the Software.
- Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.
4.2. The Software may not be used for illegal or unethical purposes.
## **5. Support and Updates**
5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying
support agreement.
5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.
## **6. Termination**
6.1. This Agreement is valid for the subscription term unless terminated earlier:
- By Licensee, with a 30-day written notice.
- By Licensor, in the event of Licensees breach of this Agreement.
6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.
## **7. Liability and Warranty**
7.1. The Software is provided "as is" without warranties of any kind, except as required by law.
7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.
## **8. Governing Law**
8.1. This Agreement shall be governed by the laws of Portugal.
8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.
## **9. Miscellaneous**
9.1. Any changes to this Agreement must be in writing and signed by both parties.
9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.
## 10. **Contact Information**
* Licensor : Centurion Intelligence Consulting Agency
* Email : legal@coresecret.eu
---
This Subscription License Agreement was last updated at 09.05.2025.
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

5
docs/LICENSES/CCLA-1.0.spdx Normal file
View File

@@ -0,0 +1,5 @@
SPDX-License-Identifier: LicenseRef-CCLA-1.0
SPDX-FileCopyrightText: 2024-2025 Centurion Intelligence Consulting Agency
LicenseRef-CCLA-1.0 is a custom Commercial License Agreement used for projects maintained by Centurion Intelligence Consulting Agency.
The full license text can be found at: https://coresecret.eu/imprint/licenses/ or in the same directory: CCLA-1.0.md

256
docs/LICENSES/EUPL-1.2.txt Normal file
View File

@@ -0,0 +1,256 @@
# SPDX-License-Identifier: EUPL-1.2
EUPL-1.2
EUROPEAN UNION PUBLIC LICENCE v. 1.2
EUPL © the European Union 2007, 2016
This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
a use is covered by a right of the copyright holder of the Work).
The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
notice immediately following the copyright notice for the Work:
Licensed under the EUPL
or has expressed by any other means his willingness to license under the EUPL.
1.Definitions
In this Licence, the following terms have the following meaning:
— 'The Licence':this Licence.
— 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
as Source Code and also as Executable Code as the case may be.
— 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
the country mentioned in Article 15.
— 'The Work':the Original Work or its Derivative Works.
— 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
modify.
— 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
a computer as a program.
— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
— 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
the creation of a Derivative Work.
— 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
Licence.
— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
functionalities at the disposal of any other natural or legal person.
2.Scope of the rights granted by the Licence
The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
the duration of copyright vested in the Original Work:
— use the Work in any circumstances and for all usage,
— reproduce the Work,
— modify the Work and make Derivative Works based upon the Work,
— communicate to the public, including the right to make available or display the Work or copies thereof to the public
and perform publicly, as the case may be, the Work,
— distribute the Work or copies thereof,
— lend and rent the Work or copies thereof,
— sublicense rights in the Work or copies thereof.
Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
applicable law permits so.
In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
by law in order to make effective the licence of the economic rights here above listed.
The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
extent necessary to make use of the rights granted on the Work under this Licence.
3.Communication of the Source Code
The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
distribute or communicate the Work.
4.Limitations on copyright
Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
thereto.
5.Obligations of the Licensee
The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
obligations are the following:
Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
to carry prominent notices stating that the Work has been modified and the date of modification.
Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
Work or Derivative Work that alter or restrict the terms of the Licence.
Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
for as long as the Licensee continues to distribute or communicate the Work.
Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the copyright notice.
6.Chain of Authorship
The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
licensed to him/her and that he/she has the power and authority to grant the Licence.
Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
to the Work, under the terms of this Licence.
7.Disclaimer of Warranty
The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
and may therefore contain defects or 'bugs' inherent to this type of development.
For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
Licence.
This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
8.Disclaimer of Liability
Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
9.Additional agreements
While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
the fact You have accepted any warranty or additional liability.
10.Acceptance of the Licence
The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
and conditions.
Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
or Communication by You of the Work or copies thereof.
11.Information to the public
In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
12.Termination of the Licence
The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
of the Licence.
Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
the Licence, provided such persons remain in full compliance with the Licence.
13.Miscellaneous
Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
Work.
If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
and enforceable.
The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
New versions of the Licence will be published with a unique version number.
All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
advantage of the linguistic version of their choice.
14.Jurisdiction
Without prejudice to specific agreement between parties,
— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
— any litigation arising between other parties and resulting from the interpretation of this License will be subject to
the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
15.Applicable Law
Without prejudice to specific agreement between parties,
— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
resides, or has his registered office
— this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
a European Union Member State.
Appendix
'Compatible Licences' according to Article 5 EUPL are:
— GNU General Public License (GPL) v. 2, v. 3
— GNU Affero General Public License (AGPL) v. 3
— Open Software License (OSL) v. 2.1, v. 3.0
— Eclipse Public License (EPL) v. 1.0
— CeCILL v. 2.0, v. 2.1
— Mozilla Public Licence (MPL) v. 2
— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
— European Union Public Licence (EUPL) v. 1.1, v. 1.2
— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
The European Commission may update this Appendix to later versions of the above licences without producing
a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
covered Source Code from exclusive appropriation.
All other changes or additions to this Appendix require the production of a new EUPL version.

80
docs/REFERENCES.md Normal file
View File

@@ -0,0 +1,80 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
# 2. Resources
## 2.1. Debian Live related
- [Debian live-boot](https://salsa.debian.org/live-team/live-boot)
- [Debian Live Manual](https://live-team.pages.debian.net/live-manual/html/live-manual/index.en.html)
- [Debian Live Boot Doc](https://manpages.debian.org/bookworm/live-boot-doc/live-boot.7.en.html)
- [Debian Live Build](https://manpages.debian.org/bookworm/live-build/index.html)
- [Debian Live Config](https://manpages.debian.org/bookworm/live-config-doc/index.html)
- [Debian Live Tools](https://manpages.debian.org/bookworm/live-tools/index.html)
## 2.2. Disk Encryption related
- [https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system)
- [https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB))
- [https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode)
- [https://wiki.archlinux.org/title/GRUB#Encrypted_/boot](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot)
- [https://wiki.archlinux.org/title/GRUB#LUKS2](https://wiki.archlinux.org/title/GRUB#LUKS2)
- [https://wiki.archlinux.org/title/Advanced_Format](https://wiki.archlinux.org/title/Advanced_Format)
- [https://packages.debian.org/bookworm-backports/grub-common](https://packages.debian.org/bookworm-backports/grub-common)
- [https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html](https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html)
- [https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption)
- [https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup)
## 2.3. Kernel related
- [https://wiki.archlinux.org/title/Kernel](https://wiki.archlinux.org/title/Kernel)
- [https://wiki.archlinux.org/title/Kernel_parameters](https://wiki.archlinux.org/title/Kernel_parameters)
- [https://www.kernel.org/](https://www.kernel.org/)
- [https://github.com/anthraxx/linux-hardened](https://github.com/anthraxx/linux-hardened)
## 2.4. Policy related
- [https://www.debian.org/doc/manuals/securing-debian-manual/](https://www.debian.org/doc/manuals/securing-debian-manual/)
- [https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server](https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server)
- [https://www.cisecurity.org/cis-benchmarks](https://www.cisecurity.org/cis-benchmarks)
- [https://github.com/CISOfy/lynis](https://github.com/CISOfy/lynis)
- [https://github.com/lateralblast/lunar](https://github.com/lateralblast/lunar)
- [https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html](https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html)
## 2.5. Security related
- [https://wiki.archlinux.org/title/General_recommendations](https://wiki.archlinux.org/title/General_recommendations)
- [https://wiki.archlinux.org/title/Security](https://wiki.archlinux.org/title/Security)
- [https://wiki.archlinux.org/title/Identity_management](https://wiki.archlinux.org/title/Identity_management)
- [https://wiki.archlinux.org/title/Capabilities](https://wiki.archlinux.org/title/Capabilities)
- [https://privsec.dev/posts/linux/desktop-linux-hardening/](https://privsec.dev/posts/linux/desktop-linux-hardening/)
- [https://wiki.archlinux.org/title/fail2ban#Service_hardenin](https://wiki.archlinux.org/title/fail2ban#Service_hardenin)
- [https://theprivacyguide1.github.io/linux_hardening_guide](https://theprivacyguide1.github.io/linux_hardening_guide)
- [https://github.com/zabbly/linux](https://github.com/zabbly/linux)
## 2.6. Bash related
- [https://www.gnu.org/software/bash/manual/](https://www.gnu.org/software/bash/manual/)
- [https://www.shellcheck.net/](https://www.shellcheck.net/)
- [https://explainshell.com/](https://explainshell.com/)
- [https://google.github.io/styleguide/shellguide.html](https://google.github.io/styleguide/shellguide.html)
- [https://github.com/mvdan/sh](https://github.com/mvdan/sh)
- [https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab](https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab)
### 2.6.1. Error handling
- [Use set -e - Writing Robust Bash Shell Scripts - David Pashley](https://www.davidpashley.com/articles/writing-robust-shell-scripts/#id2596016)
- [Why doesn't set -e (or set -o errexit, or trap ERR) do what I expected? - BashFAQ/105 - Greg's Wiki](https://mywiki.wooledge.org/BashFAQ/105)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

BIN
docs/screenshots/20250517_boot_grub.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 324 KiB

BIN
docs/screenshots/20250517_boot_integrity_check.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

BIN
docs/screenshots/20250517_boot_integrity_success.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

BIN
docs/screenshots/20250517_console_login.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
docs/screenshots/CISS.debian.live.builder_preview.jpeg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 128 KiB

BIN
docs/screenshots/CISS.debian.live.builder_ssh_audit.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 199 KiB