diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index 0112836..55eee11 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index fe23070..1a08ed9 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index ff3e465..ed374a6 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 48d3c54..997c938 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V9.14.002.2026.05.13" + placeholder: "e.g., Master V9.14.004.2026.05.17" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index e41b1e2..c145c21 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index be815b0..7288cc9 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ” Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index 703ddc1..82a4fb2 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.002.2026.05.13 + version: V9.14.004.2026.05.17 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index f75d38a..0462a1c 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.002.2026.05.13 + version: V9.14.004.2026.05.17 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index f75d38a..0462a1c 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.002.2026.05.13 + version: V9.14.004.2026.05.17 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index f5b66d9..4bb58d5 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index e9e481e..88f31ff 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index c919486..c88e571 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index b7113dc..5d7ac90 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index c689359..3c3cb79 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ›‘οΈ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 7f24cd5..2517f64 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 name: πŸ” Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index a883fa9..8bfce75 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 " properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V9.14.002.2026.05.13" +properties_version="V9.14.004.2026.05.17" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/AGENTS.md b/AGENTS.md new file mode 100644 index 0000000..ee6ad7e --- /dev/null +++ b/AGENTS.md @@ -0,0 +1,86 @@ +# AGENTS.md + +## Repository purpose + +This repository builds and maintains Debian-based live/installer infrastructure. +Treat changes as security-sensitive and boot-chain-sensitive. +Follow `docs/CODING_CONVENTION.md` for coding style and `code_review.md` for reviews. + +## Non-negotiable constraints + +- Target distribution: Debian 13 Trixie unless explicitly stated otherwise. +- Do not introduce Ubuntu-specific assumptions. +- Do not invent live-build, initramfs, cryptsetup, systemd, GRUB, or Debian package behavior. Verify against existing files or + official documentation. +- Do not add phase-argument gates to live-boot/initramfs scripts. Script execution is controlled by Debian hook placement. +- Preserve encrypted-root / encrypted-SquashFS architecture unless the task explicitly changes it. +- Prefer simple, inspectable Bash over clever abstractions. + +## Repository workflow + +Before editing: +- Inspect the relevant scripts, hooks, config files, README files, and existing naming conventions. +- Identify the exact boot/build phase affected by the change. +- Explain the minimal intended change. + +Boot/build phases: +- host-side orchestration: `ciss_live_builder.sh`, `lib/*.sh`, `makefile` +- live-build hooks: `config/hooks/live/*.chroot` and `config/hooks/live/*.binary` +- initramfs hooks/scripts: `config/includes.chroot/etc/initramfs-tools/*` +- live-boot runtime scripts: `config/includes.chroot/usr/lib/live/boot/*` + +After editing: +- Run the most relevant available checks. +- At minimum, run syntax checks for changed shell scripts: + - `bash -n ` + - `shellcheck ` if available +- If POSIX shell scripts are changed, run `sh -n ` where Bash syntax is not expected. +- If the make wrapper or builder argument composition changes, run `make dry-run`. +- If Python files are introduced or changed: + - `ruff check` + - `mypy` + - `pytest` if tests exist +- If CLI options or user-facing behavior change, update `usage()` and the relevant README/docs. +- If live-build, initramfs, or ISO behavior changes, describe the required Debian Trixie live-build or ISO validation command. + +## Bash conventions + +- Use explicit error handling. +- Quote expansions. +- Prefer arrays where word splitting matters. +- Avoid `eval`. +- Avoid parsing `ls`. +- Keep functions small and readable. +- Use English comments. +- Explain security-sensitive fallbacks. +- Fail closed where possible. + +## Python conventions + +- Use Python 3.14-compatible code unless the project states otherwise. +- Use pathlib. +- Add type hints. +- Keep ruff and mypy compatibility. +- Avoid broad `except Exception` unless justified and logged. +- Prefer explicit models/config objects over unstructured dictionaries for durable interfaces. + +## Security review checklist + +Before finalizing a change, check whether it affects: +- boot trust +- initramfs behavior +- cryptsetup/LUKS handling +- key material +- remote unlock +- TLS/mTLS verification +- signature/hash verification +- network exposure +- file permissions +- persistence +- logging of sensitive values + +If affected, document the risk and mitigation in the final response. + +--- +**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** + diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 3ae2730..9fc2f3f 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V9.14.002.2026.05.13 +PackageVersion: Master V9.14.004.2026.05.17 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 2758db7..a623f98 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.002.2026.05.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
**CISS.debian.live.builder β€” First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.** @@ -175,7 +175,7 @@ installer toolchain. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V9.14.002.2026.05.13` +Example: `V9.14.004.2026.05.17` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/REPOSITORY.md b/REPOSITORY.md index f5b8298..5b8bbfb 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) β€” Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **9.14**, Build **V9.14.002.2026.05.13** (as of 2025-10-11) +**Repository State:** Master Version **9.14**, Build **V9.14.004.2026.05.17** (as of 2025-10-11) ## 3.1. Top-Level Layout diff --git a/code_review.md b/code_review.md new file mode 100644 index 0000000..ec63867 --- /dev/null +++ b/code_review.md @@ -0,0 +1,49 @@ +# code_review.md + +Review priorities, in order: + +1. Correctness +2. Security regressions +3. Boot/build reproducibility +4. Data loss risk +5. Error handling +6. Test coverage +7. Maintainability +8. Minimality of diff +9. Style consistency + +Finding classes: +- BLOCKER: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before + merge +- RISK: plausible issue or security concern that is not fully proven from the available context +- CLEANUP: maintainability, readability, or consistency improvement that is not required for correctness +- NOTE: observation only; no change requested + +Review output format: +- List findings first, ordered by severity. +- Cite file paths and line numbers where possible. +- For each finding, explain the concrete impact, and the smallest reasonable fix. +- Separate observations, inferences, and recommendations. +- After findings, list missing checks or residual risks. +- If there are no findings, say so explicitly and still mention relevant test gaps. + +Do not nitpick formatting if automated tooling exists. +Do not invent requirements not present in the task, repository, or documentation. + +Security-sensitive review checklist: +- boot trust +- initramfs behavior +- cryptsetup/LUKS handling +- encrypted SquashFS handling +- key material +- remotely unlock +- TLS/mTLS verification +- signature/hash verification +- network exposure +- file permissions +- persistence +- logging of sensitive values + +--- +**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** + diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 92870e6..302b81f 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 090fe35..b976300 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened index e7fa47f..4c1f394 100644 --- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened +++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened @@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.002.2026.05.13 +# Version Master V9.14.004.2026.05.17 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 7e87f44..150bc1e 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V9.14.002.2026.05.13" +declare -gr VERSION="Master V9.14.004.2026.05.17" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 4dd0a53..6c9aa3d 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V9.14.002.2026.05.13 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V9.14.004.2026.05.17 at: 10:18:37.9542 diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index cda8deb..c268a46 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index bb28751..f9c0a01 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index bc17bf3..31bd644 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index db49d9c..445c6b4 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 1e5f24d..06df12b 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 19c0464..b79b3e9 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 86e0c75..e328058 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,15 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Changelog +## V9.14.004.2026.05.17 +* **Added**: [AGENTS.md](../AGENTS.md) +* **Added**: [code_review.md](../code_review.md) +* **Changed**: [CODING_CONVENTION.md](CODING_CONVENTION.md) + ## V9.14.002.2026.05.13 * **Added**: [9935_hardening_ssl.chroot](../config/hooks/live/9935_hardening_ssl.chroot) * **Added**: [dropbear-2026.91.tar.bz2](../upgrades/dropbear/dropbear-2026.91.tar.bz2) diff --git a/docs/CNET.md b/docs/CNET.md index 692c24d..9267aa1 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index fc7bd8e..0fe2e51 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -6,86 +6,128 @@ include_toc: true # 1. CISS.debian.live.builder **Centurion Intelligence Consulting Agency Information Security Standard**
-*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer* -# 2. Coding Style +# 2. Purpose -## 2.1. PR +This document defines the coding and review conventions for this repository. -You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR. +The project builds Debian-based live and installer infrastructure. Treat every change as security-sensitive and +boot-chain-sensitive, especially changes that affect initramfs behavior, encrypted SquashFS handling, LUKS, Dropbear, GRUB, +checksums, signatures, package sources, hardening settings, or network exposure. -## 2.2 Documentation +# 3. Change discipline -Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in -`~/docs/DOCUMENTATION.md`. +* Keep changes small, local, and reviewable. +* Make one functional change per pull request or patch set. +* Preserve existing architecture, naming style, error handling, formatting, and security posture. +* Do not introduce Ubuntu-specific assumptions. The default target distribution is Debian 13 Trixie. +* Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, or Debian package behavior. Verify against existing + code or authoritative Debian/upstream documentation. +* Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum + verification, or input validation unless the task explicitly requires it and the risk is documented. +* Prefer simple, inspectable Bash over clever abstractions. -## 2.3. Coding +# 4. Boot and build phases -### 2.3.1. Shell / bash +Identify the affected phase before changing behavior: -Bash is actually quite powerfulβ€”not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of -neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there. +* `ciss_live_builder.sh` and `lib/*.sh`: host-side orchestration and argument handling. +* `makefile`: local wrapper for composing and executing builder invocations. +* `config/hooks/live/*.chroot`: live-build chroot hooks. +* `config/hooks/live/*.binary`: live-build binary-image hooks. +* `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks. +* `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts. +* `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts. +* `scripts/*`: source files copied into the generated image or used by build helpers. -* Don't use backticks anymore, use `$(..)` instead -* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets -* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't - quote at all. -* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read! -* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see - e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is - slower as it forks, fopens and pipes back the result. -* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"` -* Bash can also deal perfectly with regular expressions, see - e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html) - and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com). -* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can - achieve the same with e.g. `awk`. -* Be careful with very advanced bash features. Mac OS X is still using bash version - 3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)). -* Always use a return value for a function/method. 0 means all is fine. -* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible. -* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide. +Do not add ad-hoc phase arguments to live-boot or initramfs scripts. Execution phase must be controlled by the directory and +hook placement expected by Debian tooling. -### 2.3.2. Shell specific +# 5. Bash style -* Security: - * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted. - * Unless you're really sure where the values come from, variables need to be put in quotes. +* Use Bash for builder scripts and live-build hooks when the existing file uses Bash. +* Use POSIX `sh` only where Debian hook interfaces or neighboring files require it. Keep such files POSIX-compatible. +* Prefer `set -Ceuo pipefail` for Bash scripts where feasible. If a script cannot use strict mode safely, keep the exception + local and make the reason clear. +* Quote expansions unless word splitting or globbing is explicitly required. +* Prefer arrays where arguments or file names may contain whitespace. +* Use `[[ ... ]]` for Bash conditionals. For regular-expression matches with `=~`, do not quote the right-hand regex. +* Use `$(...)` command substitution, not backticks. +* Avoid `eval`. +* Avoid parsing `ls`. +* Prefer `command -v` over `which`. +* Check command results explicitly when failure needs custom handling. +* Use `case` for option dispatch and multi-branch string handling. +* Keep functions small and readable. +* Use English comments. Add comments for non-obvious security or boot-chain decisions, not for obvious assignments. -### 2.3.3. Variables +# 6. Variables and functions -* Use **"speaking variables"** but don't overdo it with the length. -* No _camelCase_, please. We distinguish between lowercase and uppercase only. - * Global variables: - * use them only when really necessary, - * in CAPS, - * initialize them (`declare -g VAR_EXAMPLE=""`), - * SHOULD start with: - * `ARY_` for Arrays, - * `C_` for Variables defining colored outputs, - * `ERR_` for Error Codes Variables, - * `HMP_` for HashMap Arrays, - * `LOG_` for Logfile Variables, - * `PID_` for PID Variables, - * `PIPE_` for PIPE Variables, - * `VAR_` for Variables - * Local variables: - * are lower case, - * declare them before usage (`declare` eq `local`), - * initialize them (`declare var_example=""`), - * SHOULD start with: - * `ary_` for Arrays, - * `c_` for Variables defining colored outputs, - * `err_` for Error Codes Variables, - * `hmp_` for HashMap Arrays, - * `log_` for Logfile Variables, - * `var_` for Variables. +Follow the existing repository naming style: -# 3. Misc +* Global variables are uppercase and initialized before use. +* Global arrays use the `ARY_` prefix where this convention already applies. +* Other established global prefixes include `C_`, `ERR_`, `HMP_`, `LOG_`, `PID_`, `PIPE_`, and `VAR_`. +* Local variables are lowercase and initialized before use. +* Local array and helper prefixes include `ary_`, `c_`, `err_`, `hmp_`, `log_`, and `var_`. +* Function names use lowercase words separated by underscores. +* Prefer `declare` or `local` consistently with the surrounding file. -* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected. +# 7. Input, secrets, and files + +* Treat CLI arguments, environment variables, generated file paths, network data, package metadata, and user-provided files as + untrusted until validated. +* Validate ports, IP addresses, kernel version strings, paths, package names, and feature flags before use. +* Fail closed when validation cannot prove that continuing is safe. +* Do not print secrets, private keys, passphrases, tokens, or sensitive environment values. +* Use restrictive permissions for generated secret material. +* Prefer `mktemp` for temporary files and clean them up with traps when appropriate. +* Do not create persistent state unless the behavior is intentional and documented. + +# 8. Dependencies and downloads + +* Do not add new runtime dependencies unless the task requires them. Prefer standard Debian tooling or existing project helpers. +* When a dependency is needed, document why an existing or standard-library alternative is insufficient. +* Do not add remote downloads, auto-update behavior, telemetry, or network callbacks without explicit justification. +* For required downloads, use HTTPS where applicable and preserve or add signature/checksum verification. +* Do not use `curl | sh`, `wget | sh`, or equivalent execution of unaudited remote content. + +# 9. Documentation + +Update documentation together with behavior: + +* New or changed CLI options must update `usage()` and relevant README or documentation sections. +* Boot parameter changes must update `docs/BOOTPARAMS.md` where applicable. +* Security-sensitive behavior changes must update the relevant audit, manual, or security documentation. +* Generated examples must stay valid for Debian 13 Trixie unless the task explicitly targets another release. +* Code comments, embedded prompts, commit messages, and repository documentation should normally be written in English. + +# 10. Formatting + +* Preserve SPDX headers and existing file headers where present. +* New source or configuration files should include the project SPDX header when comparable files already use one. +* Follow `.editorconfig`: LF line endings, UTF-8 where configured, two-space Markdown indentation, and tabs for `makefile` + recipes. +* Keep line lengths readable and consistent with neighboring files. +* Do not churn formatting unrelated to the task. + +# 11. Checks + +Run the narrowest checks that prove the change: + +* Shell files: `bash -n ` for Bash scripts, and `shellcheck ` when ShellCheck is available. +* POSIX shell files: `sh -n ` where Bash syntax is not expected. +* Make wrapper or argument-composition changes: `make dry-run`. +* Python files, if introduced or changed: `ruff check`, `mypy`, and `pytest` when tests exist. +* Live-build, initramfs, or ISO behavior changes: document the required Debian Trixie build validation command, normally + `make live` or the equivalent `./ciss_live_builder.sh ...` invocation. + +If a relevant check cannot be run in the current environment, state the exact reason and the command that should be run locally. + +# 12. Code review + +Reviews follow `code_review.md`. --- **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index bd80a75..94c6ed5 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index d5422e9..3970b82 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 3d132cd..20e9c8f 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 579e85c..48dadae 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V9.14.002.2026.05.13 +Master V9.14.004.2026.05.17 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -152,7 +152,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. πŸ’· Please consider donating to my work at: 🌐 https://coresecret.eu/spenden/ - V9.14.002.2026.05.13 2025-11-06 CDLB(1) + V9.14.004.2026.05.17 2025-11-06 CDLB(1) ```` # 3. Booting diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md index 97388d6..3bfad0c 100644 --- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md +++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation) diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md index 10c1034..dbb70af 100644 --- a/docs/MAN_SSH_Host_Key_Policy.md +++ b/docs/MAN_SSH_Host_Key_Policy.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index e718afe..0456407 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. Resources diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md index abfc699..fae4d1b 100644 --- a/docs/documentation/30-ciss-hardening.conf.md +++ b/docs/documentation/30-ciss-hardening.conf.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. ``30-ciss-hardening.conf`` diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md index 90745f3..08dfa75 100644 --- a/docs/documentation/90-ciss-local.hardened.md +++ b/docs/documentation/90-ciss-local.hardened.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. ``90-ciss-local.hardened`` diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md index 3dbf5d1..ba062ca 100644 --- a/docs/documentation/ciss_live_builder.sh.md +++ b/docs/documentation/ciss_live_builder.sh.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.002.2026.05.13
+**Build**: V9.14.004.2026.05.17
# 2. ``ciss_live_builder.sh`` diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index 823de3b..5f13032 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -39,13 +39,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V9.14.002.2026.05.13 2026-05-13 CDLB(1)" "${var_cols}") + declare var_footer=$(center "V9.14.004.2026.05.17 2026-05-13 CDLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V9.14.002.2026.05.13\e[0m" + echo -e "\e[92mMaster V9.14.004.2026.05.17\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m" diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh index 3266b93..f45d190 100644 --- a/scripts/usr/local/sbin/9999_cdi_starter.sh +++ b/scripts/usr/local/sbin/9999_cdi_starter.sh @@ -130,7 +130,7 @@ main() { touch "${var_log}" - printf "CISS.debian.installer Master V9.14.002.2026.05.13 is up! \n" >> "${var_log}" + printf "CISS.debian.installer Master V9.14.004.2026.05.17 is up! \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -209,7 +209,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.installer Master V9.14.002.2026.05.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.installer Master V9.14.004.2026.05.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } diff --git a/var/early.var.sh b/var/early.var.sh index b1679ab..2d4c830 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" declare -grx VAR_HOST="$(uname -n)" declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_SYSTEM="$(uname -mnosv)" -declare -grx VAR_VERSION="Master V9.14.002.2026.05.13" +declare -grx VAR_VERSION="Master V9.14.004.2026.05.17" declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{ # Print $4 and $5; include $6 only if it exists out = $4