## V8.13.096.2025.10.09
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -21,7 +21,7 @@ usage() {
|
|||||||
clear
|
clear
|
||||||
cat << EOF
|
cat << EOF
|
||||||
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
|
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
|
||||||
$(echo -e "\e[92mMaster V8.13.064.2025.10.07\e[0m")
|
$(echo -e "\e[92mMaster V8.13.096.2025.10.09\e[0m")
|
||||||
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
|
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
|
||||||
|
|
||||||
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
|
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ body:
|
|||||||
attributes:
|
attributes:
|
||||||
label: "Version"
|
label: "Version"
|
||||||
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
|
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
|
||||||
placeholder: "e.g., Master V8.13.064.2025.10.07"
|
placeholder: "e.g., Master V8.13.096.2025.10.09"
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
FROM debian:bookworm
|
FROM debian:bookworm
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
name: 🔁 Render README.md to README.html.
|
name: 🔁 Render README.md to README.html.
|
||||||
|
|
||||||
|
|||||||
@@ -10,6 +10,6 @@
|
|||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
build:
|
build:
|
||||||
counter: 1024
|
counter: 1023
|
||||||
version: V8.13.064.2025.10.07
|
version: V8.13.096.2025.10.09
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||||
|
|||||||
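Review bot: `counter: 1024` is lowered to `counter: 1023` in this hunk and again in the later hunk that carries the same `@@ -10,6 +10,6 @@` header, while the two `@@ -11,5 +11,5 @@` files keep 1023 unchanged. If `build.counter` is meant to be a monotonic build number, a decrement alongside a version string that moves forward reads like a stale value copied from the other files rather than an intended reset. Worth confirming which value is current before this tag is relied on, and a one-line comment above the key stating what increments it would stop the question from recurring.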
@@ -11,5 +11,5 @@
|
|||||||
|
|
||||||
build:
|
build:
|
||||||
counter: 1023
|
counter: 1023
|
||||||
version: V8.13.064.2025.10.07
|
version: V8.13.096.2025.10.09
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||||
|
|||||||
@@ -10,6 +10,6 @@
|
|||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
build:
|
build:
|
||||||
counter: 1024
|
counter: 1023
|
||||||
version: V8.13.064.2025.10.07
|
version: V8.13.096.2025.10.09
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||||
|
|||||||
@@ -11,5 +11,5 @@
|
|||||||
|
|
||||||
build:
|
build:
|
||||||
counter: 1023
|
counter: 1023
|
||||||
version: V8.13.064.2025.10.07
|
version: V8.13.096.2025.10.09
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
name: 🔐 Generating a Private Live ISO TRIXIE.
|
name: 🔐 Generating a Private Live ISO TRIXIE.
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
name: 💙 Generating a PUBLIC Live ISO.
|
name: 💙 Generating a PUBLIC Live ISO.
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
# Gitea Workflow: Shell-Script Linting
|
# Gitea Workflow: Shell-Script Linting
|
||||||
#
|
#
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
|
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
|
||||||
|
|
||||||
|
|||||||
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
name: 🔁 Render Graphviz Diagrams.
|
name: 🔁 Render Graphviz Diagrams.
|
||||||
|
|
||||||
|
|||||||
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
|
|||||||
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
|
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
|
||||||
properties_SPDX-PackageName="CISS.debian.live.builder"
|
properties_SPDX-PackageName="CISS.debian.live.builder"
|
||||||
properties_SPDX-Security-Contact="security@coresecret.eu"
|
properties_SPDX-Security-Contact="security@coresecret.eu"
|
||||||
properties_version="V8.13.064.2025.10.07"
|
properties_version="V8.13.096.2025.10.09"
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
|
|||||||
Created: 2025-05-07T12:00:00Z
|
Created: 2025-05-07T12:00:00Z
|
||||||
Package: CISS.debian.live.builder
|
Package: CISS.debian.live.builder
|
||||||
PackageName: CISS.debian.live.builder
|
PackageName: CISS.debian.live.builder
|
||||||
PackageVersion: Master V8.13.064.2025.10.07
|
PackageVersion: Master V8.13.096.2025.10.09
|
||||||
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
|
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
|
||||||
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
|
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
|
||||||
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
|
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
|
||||||
|
|||||||
@@ -2,7 +2,7 @@
|
|||||||
gitea: none
|
gitea: none
|
||||||
include_toc: true
|
include_toc: true
|
||||||
---
|
---
|
||||||
[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
|
[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
|
||||||
|
|
||||||
[](https://eupl.eu/1.2/en/)
|
[](https://eupl.eu/1.2/en/)
|
||||||
[](https://opensource.org/license/eupl-1-2)
|
[](https://opensource.org/license/eupl-1-2)
|
||||||
@@ -26,7 +26,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
|
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
|
||||||
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
|
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
|
||||||
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
|
|||||||
|
|
||||||
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
|
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
|
||||||
|
|
||||||
Example: `V8.13.064.2025.10.07`
|
Example: `V8.13.096.2025.10.09`
|
||||||
|
|
||||||
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
|
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
|
||||||
|
|
||||||
|
|||||||
@@ -13,6 +13,9 @@ set -Ceuo pipefail
|
|||||||
|
|
||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
|
|
||||||
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
|
apt-get update -qq
|
||||||
|
|
||||||
mkdir -p /root/.ciss/dlb/backup
|
mkdir -p /root/.ciss/dlb/backup
|
||||||
chmod 0700 /root/.ciss/dlb/backup
|
chmod 0700 /root/.ciss/dlb/backup
|
||||||
|
|
||||||
@@ -14,9 +14,13 @@ set -Ceuo pipefail
|
|||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
# Get all NIC Driver of the current Host-machine
|
# Get all NIC drivers of the current Host machine.
|
||||||
|
# Globals:
|
||||||
|
# None
|
||||||
# Arguments:
|
# Arguments:
|
||||||
# None
|
# None
|
||||||
|
# Returns:
|
||||||
|
# 0: on success
|
||||||
#######################################
|
#######################################
|
||||||
grep_nic_driver_modules() {
|
grep_nic_driver_modules() {
|
||||||
declare _mods
|
declare _mods
|
||||||
@@ -33,15 +37,25 @@ grep_nic_driver_modules() {
|
|||||||
|
|
||||||
declare nic_module
|
declare nic_module
|
||||||
declare nic_modules
|
declare nic_modules
|
||||||
|
|
||||||
if [[ "${#_mods[@]}" -eq 1 ]]; then
|
if [[ "${#_mods[@]}" -eq 1 ]]; then
|
||||||
|
|
||||||
nic_module="${_mods[0]}"
|
nic_module="${_mods[0]}"
|
||||||
echo "${nic_module}"
|
echo "${nic_module}"
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
nic_modules="${_mods[*]}"
|
nic_modules="${_mods[*]}"
|
||||||
echo "${nic_modules}"
|
echo "${nic_modules}"
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
|
apt-get install -y intel-microcode amd64-microcode
|
||||||
|
|
||||||
# shellcheck disable=SC2155
|
# shellcheck disable=SC2155
|
||||||
declare nic_driver="$(grep_nic_driver_modules)"
|
declare nic_driver="$(grep_nic_driver_modules)"
|
||||||
cat << EOF >| /etc/initramfs-tools/modules
|
cat << EOF >| /etc/initramfs-tools/modules
|
||||||
@@ -68,7 +82,19 @@ cat << EOF >| /etc/initramfs-tools/modules
|
|||||||
# raid1
|
# raid1
|
||||||
# sd_mod
|
# sd_mod
|
||||||
|
|
||||||
### Main btrfs-Stack
|
### Load AppArmor early:
|
||||||
|
apparmor
|
||||||
|
|
||||||
|
### Entropy source for '/dev/random':
|
||||||
|
jitterentropy_rng
|
||||||
|
rng_core
|
||||||
|
|
||||||
|
### Live-ISO-Stack:
|
||||||
|
loop
|
||||||
|
squashfs
|
||||||
|
overlay
|
||||||
|
|
||||||
|
### Main btrfs-Stack:
|
||||||
btrfs
|
btrfs
|
||||||
lzo
|
lzo
|
||||||
xor
|
xor
|
||||||
@@ -76,12 +102,12 @@ xxhash
|
|||||||
zstd
|
zstd
|
||||||
zstd_compress
|
zstd_compress
|
||||||
|
|
||||||
### Main ext4-Stack
|
### Main ext4-Stack:
|
||||||
ext4
|
ext4
|
||||||
jbd2
|
jbd2
|
||||||
libcrc32c
|
libcrc32c
|
||||||
|
|
||||||
### Main VFAT/ESP/FAT/UEFI-Stack
|
### Main VFAT/ESP/FAT/UEFI-Stack:
|
||||||
exfat
|
exfat
|
||||||
fat
|
fat
|
||||||
nls_ascii
|
nls_ascii
|
||||||
@@ -91,30 +117,32 @@ nls_iso8859-15
|
|||||||
nls_utf8
|
nls_utf8
|
||||||
vfat
|
vfat
|
||||||
|
|
||||||
### Device mapper, encryption & integrity
|
### Device mapper, encryption & integrity:
|
||||||
dm_mod
|
dm_mod
|
||||||
dm_crypt
|
dm_crypt
|
||||||
dm_integrity
|
dm_integrity
|
||||||
dm_verity
|
dm_verity
|
||||||
|
|
||||||
### Main cryptography-Stack
|
### Main cryptography-Stack:
|
||||||
aes_generic
|
aes_generic
|
||||||
blake2b_generic
|
blake2b_generic
|
||||||
crc32c_generic
|
crc32c_generic
|
||||||
|
cryptd
|
||||||
libcrc32c
|
libcrc32c
|
||||||
sha256_generic
|
sha256_generic
|
||||||
sha512_generic
|
sha512_generic
|
||||||
|
xts
|
||||||
|
|
||||||
### QEMU Bochs-compatible virtual machine support
|
### QEMU Bochs-compatible virtual machine support:
|
||||||
bochs
|
bochs
|
||||||
|
|
||||||
### RAID6 parity generation module
|
### RAID6 parity generation module:
|
||||||
raid6_pq
|
raid6_pq
|
||||||
|
|
||||||
### Combined RAID4/5/6 support module
|
### Combined RAID4/5/6 support module:
|
||||||
raid456
|
raid456
|
||||||
|
|
||||||
### SCSI/SATA-Stack
|
### SCSI/SATA-Stack:
|
||||||
sd_mod
|
sd_mod
|
||||||
sr_mod
|
sr_mod
|
||||||
sg
|
sg
|
||||||
@@ -125,11 +153,11 @@ libata
|
|||||||
scsi_mod
|
scsi_mod
|
||||||
scsi_dh_alua
|
scsi_dh_alua
|
||||||
|
|
||||||
### NVMe-Stack
|
### NVMe-Stack:
|
||||||
nvme
|
nvme
|
||||||
nvme_core
|
nvme_core
|
||||||
|
|
||||||
### USB-Stack
|
### USB-Stack:
|
||||||
xhci_pci
|
xhci_pci
|
||||||
xhci_hcd
|
xhci_hcd
|
||||||
ehci_pci
|
ehci_pci
|
||||||
@@ -138,14 +166,14 @@ uhci_hcd
|
|||||||
usb_storage
|
usb_storage
|
||||||
uas
|
uas
|
||||||
|
|
||||||
### Virtual-Machines-Stack
|
### Virtual-Machines-Stack:
|
||||||
virtio_pci
|
virtio_pci
|
||||||
virtio_blk
|
virtio_blk
|
||||||
virtio_scsi
|
virtio_scsi
|
||||||
virtio_rng
|
virtio_rng
|
||||||
virtio_console
|
virtio_console
|
||||||
|
|
||||||
### Network Driver Host-machine
|
### Network Driver Host-machine:
|
||||||
"${nic_driver}"
|
"${nic_driver}"
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|||||||
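Review bot: The NIC entry in the modules heredoc, `"${nic_driver}"` in the last hunk, keeps its double quotes in the written file: an unquoted heredoc expands the parameter but performs no quote removal, so /etc/initramfs-tools/modules ends up with a line such as `"e1000e"` rather than `e1000e`, which I would not expect initramfs-tools to resolve to a module — write it as `${nic_driver}`. When more than one driver is found, `nic_modules="${_mods[*]}"` in the second hunk joins them on a single line, and a modules file takes one module per line, so `printf '%s\n' "${_mods[@]}"` would be the safer output for both branches of the `if`. The new `apt-get install -y intel-microcode amd64-microcode` runs without a preceding `apt-get update` in this hook and, on bookworm, both packages live in the non-free-firmware component; if the build's sources do not carry it the hook aborts under `set -e`, so that assumption deserves a comment above the install. grep_nic_driver_modules is split across the first two hunks and the modules heredoc continues outside the visible lines.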
34
config/hooks/live/0010_install_apparmor.chroot
Normal file
34
config/hooks/live/0010_install_apparmor.chroot
Normal file
@@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# SPDX-Version: 3.0
|
||||||
|
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||||
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||||
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||||
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||||
|
# SPDX-FileType: SOURCE
|
||||||
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||||
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||||
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
set -Ceuo pipefail
|
||||||
|
|
||||||
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
|
|
||||||
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
|
apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
|
||||||
|
|
||||||
|
install -d /etc/systemd/system/apparmor.service.d
|
||||||
|
cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf
|
||||||
|
[Unit]
|
||||||
|
### Drop any negative live conditions that would skip AppArmor on overlay.
|
||||||
|
ConditionPathExists=
|
||||||
|
|
||||||
|
### Ensure we only rely on the security=apparmor condition.
|
||||||
|
ConditionSecurity=apparmor
|
||||||
|
EOF
|
||||||
|
|
||||||
|
install -d -m 0755 /var/cache/apparmor
|
||||||
|
|
||||||
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||||
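Review bot: The drop-in heredoc `cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf` contains no shell expansions, so its delimiter should be quoted, `cat << 'EOF' >| /etc/systemd/system/apparmor.service.d/10-live-force.conf`, as the haveged hook in this same commit does; an unquoted delimiter lets a future `$` in the unit text expand silently. `apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra` runs with no `apt-get update` in this hook and so depends on package lists left by an earlier hook — a one-line comment stating that ordering assumption would help, given that the purge hook in this commit refreshes the lists explicitly. I read the empty `ConditionPathExists=` as resetting the unit's whole inherited condition list before `ConditionSecurity=apparmor` re-adds the single condition wanted, which matches the surrounding comments; saying so directly (`### An empty assignment clears every inherited Condition*= line.`) makes the intent explicit for the next reader.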
@@ -14,16 +14,19 @@ set -Ceuo pipefail
|
|||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
|
|
||||||
if [[ ! -f /root/.pwd ]]; then
|
if [[ ! -f /root/.pwd ]]; then
|
||||||
|
|
||||||
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
|
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cd /root
|
cd /root
|
||||||
|
|
||||||
|
# shellcheck disable=SC2312
|
||||||
cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
|
cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
|
||||||
chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
|
chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
|
||||||
|
|
||||||
declare hashed_pwd
|
declare hashed_pwd
|
||||||
declare safe_hashed_pwd
|
declare safe_hashed_pwd
|
||||||
@@ -37,9 +40,13 @@ unset hashed_pwd safe_hashed_pwd
|
|||||||
cat /etc/shadow
|
cat /etc/shadow
|
||||||
|
|
||||||
if shred -vfzu -n 5 /root/.pwd; then
|
if shred -vfzu -n 5 /root/.pwd; then
|
||||||
|
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
|
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
||||||
|
|||||||
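Review bot: `chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*` runs only after `cp` has already created the copy of /etc/shadow, and the glob re-touches every earlier backup as well; creating the file with its final mode in one step avoids both, `install -m 0600 -- /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"`, replacing the `cp` and `chmod` pair. The `cat /etc/shadow` at the top of the second hunk writes every account's password hash into the build output, which the workflow runs listed for this commit capture as CI logs; if it is a debugging aid, drop it or show the file without the hash field, e.g. `cut -d: -f1,3- /etc/shadow`. The surrounding script continues outside both hunks.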
@@ -12,10 +12,9 @@
|
|||||||
set -Ceuo pipefail
|
set -Ceuo pipefail
|
||||||
|
|
||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
# sleep 1
|
|
||||||
|
|
||||||
apt-get update -y
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
apt-get install --no-install-recommends haveged -y
|
apt-get install -y --no-install-recommends haveged
|
||||||
|
|
||||||
cd /root
|
cd /root
|
||||||
cat << 'EOF' >| /etc/default/haveged
|
cat << 'EOF' >| /etc/default/haveged
|
||||||
@@ -25,18 +24,8 @@ cat << 'EOF' >| /etc/default/haveged
|
|||||||
DAEMON_ARGS="-w 2048 -v 1"
|
DAEMON_ARGS="-w 2048 -v 1"
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
#mkdir -p /etc/systemd/system/haveged.service.d
|
|
||||||
#cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
|
|
||||||
#[Service]
|
|
||||||
#NoNewPrivileges=yes
|
|
||||||
#ReadWritePaths=/dev/random /dev/urandom
|
|
||||||
#AmbientCapabilities=
|
|
||||||
#User=haveged
|
|
||||||
#Group=nogroup
|
|
||||||
#EOF
|
|
||||||
|
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
||||||
# sleep 1
|
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||||
|
|||||||
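Review bot: Dropping `apt-get update -y` leaves `apt-get install -y --no-install-recommends haveged` relying on package lists fetched by an earlier hook; the purge hook in this same commit adds `apt-get update -qq`, so if hook ordering guarantees fresh lists here, a comment such as `# Package lists are refreshed by an earlier hook; no update needed here.` above the install would keep the next reader from re-adding it. Removing the commented-out haveged.service override is fine as dead code, but the hardening it sketched (NoNewPrivileges, an unprivileged User=) now disappears without a trace; if it was abandoned because it broke haveged's access to /dev/random, a one-line note in the hook preserves that finding for whoever tries it next.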
@@ -13,7 +13,9 @@ set -Ceuo pipefail
|
|||||||
|
|
||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
|
|
||||||
apt-get update
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
|
|
||||||
|
apt-get update -qq
|
||||||
|
|
||||||
apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
|
apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
|
||||||
|
|
||||||
@@ -45,7 +47,6 @@ else
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
apt-get update
|
|
||||||
apt-get upgrade -y
|
apt-get upgrade -y
|
||||||
|
|
||||||
rm -f /tmp/deinstall.log
|
rm -f /tmp/deinstall.log
|
||||||
|
|||||||
@@ -13,6 +13,7 @@ set -Ceuo pipefail
|
|||||||
|
|
||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
|
|
||||||
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
apt-get install -y aide > /dev/null 2>&1
|
apt-get install -y aide > /dev/null 2>&1
|
||||||
|
|
||||||
cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
|
cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
|
||||||
|
|||||||
@@ -14,11 +14,20 @@
|
|||||||
|
|
||||||
set -Ceuo pipefail
|
set -Ceuo pipefail
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
# Simple error terminal logger.
|
||||||
|
# Arguments:
|
||||||
|
# None
|
||||||
|
#######################################
|
||||||
|
log() { printf '[auditd-build] %s\n' "${*}" >&2; }
|
||||||
|
|
||||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
|
||||||
|
|
||||||
cd /root
|
cd /root
|
||||||
|
|
||||||
apt-get install auditd -y
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
|
|
||||||
|
apt-get install -y auditd
|
||||||
|
|
||||||
cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
|
cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
|
||||||
cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
|
cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
|
||||||
@@ -329,8 +338,53 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
|
|||||||
-e 2
|
-e 2
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|
||||||
|
### Sanity checks: reject empty or malformed rulesets early.
|
||||||
|
if ! augenrules --check >/dev/null 2>&1; then
|
||||||
|
|
||||||
|
log "ERROR: augenrules --check failed. Please fix /etc/audit/rules.d/*.rules"
|
||||||
|
exit 1
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
### This writes '/etc/audit/audit.rules'.
|
||||||
|
log "Compiling /etc/audit/audit.rules (no load)"
|
||||||
|
augenrules --no-load
|
||||||
|
|
||||||
|
### Permissions hardening (augenrules typically sets sane perms; enforce anyway).
|
||||||
|
### 0600 is conservative; 0640 root:root is also acceptable.
|
||||||
|
if [[ -f /etc/audit/audit.rules ]]; then
|
||||||
|
|
||||||
|
chown root:root /etc/audit/audit.rules
|
||||||
|
chmod 0600 /etc/audit/audit.rules
|
||||||
|
|
||||||
|
else
|
||||||
|
|
||||||
|
log "ERROR: Expected /etc/audit/audit.rules was not created"
|
||||||
|
exit 2
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
### Minimal enablement checks for the first boot.
|
||||||
|
### Ensure auditd will try to load rules at boot (systemd unit usually does this).
|
||||||
|
### No-op on systems where auditd is socket-activated or already preset.
|
||||||
|
if command -v systemctl >/dev/null 2>&1; then
|
||||||
|
|
||||||
|
### Do not 'enable' in live images unless desired; we only make sure the unit exists.
|
||||||
|
systemctl --no-reload --quiet cat auditd.service >/dev/null || log "WARN: auditd.service not found at build time"
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
### Quick validation that the merged file is non-trivial.
|
||||||
|
if ! grep -Eq '(^-a|^-w|^-e\s+1)' /etc/audit/audit.rules; then
|
||||||
|
|
||||||
|
log "WARN: /etc/audit/audit.rules contains no active rules (-a/-w/-e). Is this intended?"
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
log "Done. /etc/audit/audit.rules is precompiled."
|
||||||
|
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
||||||
# sleep 1
|
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||||
|
|||||||
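Review bot: The header on `log()` says `# Arguments:` / `# None`, but the function forwards `"${*}"` into its message, so it does take arguments; the block should read `# Arguments: $* - message text, joined by single spaces` and `# Outputs: writes the '[auditd-build]'-prefixed message to stderr`, and "Simple error terminal logger" undersells it since the hook also logs progress lines ("Compiling ...", "Done. ..."). The comment `### Sanity checks: reject empty or malformed rulesets early.` promises more than I believe `augenrules --check` delivers — as far as I know that flag compares the merged rules with the existing audit.rules rather than parsing them, so a malformed rule surfaces only when auditctl loads the file at boot, which `augenrules --no-load` deliberately skips here; either name what validates syntax or reword to `### Sanity check: fail early if augenrules cannot merge the ruleset.`. The closing grep looks for `-e\s+1` while 99-finalize.rules writes `-e 2`; `'(^-a|^-w|^-e\s+[12])'` covers both. `systemctl --no-reload --quiet cat auditd.service` runs inside a build chroot with no systemd instance up, and a plain `[[ -f /lib/systemd/system/auditd.service ]]` test makes the same point without depending on how systemctl behaves there. The hook continues outside the visible hunks.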
@@ -15,17 +15,22 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
|
|||||||
|
|
||||||
cd /root
|
cd /root
|
||||||
|
|
||||||
apt-get install --no-install-recommends debsums -y
|
export DEBIAN_FRONTEND="noninteractive"
|
||||||
|
apt-get install -y --no-install-recommends debsums
|
||||||
|
|
||||||
cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
|
cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
|
||||||
chmod 0644 /root/.ciss/dlb/backup/debsums.bak
|
chmod 0644 /root/.ciss/dlb/backup/debsums.bak
|
||||||
sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
|
sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
|
||||||
|
|
||||||
if debsums -g > /dev/null 2>&1; then
|
if debsums -g > /dev/null 2>&1; then
|
||||||
|
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
# Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
|
# Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
|
||||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1
|
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
|
||||||
|
|||||||
@@ -204,6 +204,6 @@ USERGROUPS_ENAB yes
|
|||||||
|
|
||||||
#
|
#
|
||||||
# Added by CISS.debian.live.builder for redundance
|
# Added by CISS.debian.live.builder for redundance
|
||||||
umask 077
|
UMASK 077
|
||||||
|
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
|
|||||||
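Review bot: `UMASK 077` is the correct keyword case for login.defs, but Debian's stock file already carries a `UMASK 022` entry further up, so this appended section now repeats the key; I believe the last definition wins, yet relying on that is fragile and the comment above says nothing about the earlier entry. Either edit the existing line in place or extend the comment to `# Overrides the distribution UMASK above; the last definition wins.`, and fix the typo `redundance` → `redundancy` while at it.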
17
config/includes.chroot/etc/ssh/ssh_known_hosts
Normal file
17
config/includes.chroot/etc/ssh/ssh_known_hosts
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
# SPDX-Version: 3.0
|
||||||
|
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||||
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||||
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||||
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||||
|
# SPDX-FileType: SOURCE
|
||||||
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||||
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||||
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
|
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
|
||||||
|
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
|
||||||
|
|
||||||
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
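Review bot: Pinning both host keys of `[git.coresecret.dev]:42842` here avoids trust-on-first-use, but nothing in the file records how the keys were obtained or their fingerprints, so a later maintainer cannot tell a legitimate rotation from a substitution; add a comment naming the out-of-band source, e.g. `### Keys verified against <placeholder: source, date>; re-verify before replacing.`. With `GlobalKnownHostsFile /etc/ssh/ssh_known_hosts` and `UserKnownHostsFile /dev/null` in the companion client config, this file is the client's only trust anchor for that host, so a stale entry makes every clone fail loudly — intended, but worth stating in the same comment.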
24
config/includes.chroot/etc/ssh/sshd_confid.d/10-sshfp.conf
Normal file
24
config/includes.chroot/etc/ssh/sshd_confid.d/10-sshfp.conf
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
# SPDX-Version: 3.0
|
||||||
|
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||||
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||||
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||||
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||||
|
# SPDX-FileType: SOURCE
|
||||||
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||||
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||||
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
|
Host git.coresecret.dev
|
||||||
|
Port 42842
|
||||||
|
VerifyHostKeyDNS yes
|
||||||
|
StrictHostKeyChecking yes
|
||||||
|
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
|
||||||
|
UserKnownHostsFile /dev/null
|
||||||
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
||||||
|
CanonicalizeHostname no
|
||||||
|
UpdateHostKeys no
|
||||||
|
|
||||||
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
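Review bot: Every keyword in this file (`Host`, `Port`, `VerifyHostKeyDNS`, `StrictHostKeyChecking`, `GlobalKnownHostsFile`, `UserKnownHostsFile`, `HostKeyAlgorithms`, `CanonicalizeHostname`, `UpdateHostKeys`) is ssh_config(5) client syntax, yet the file is placed under `etc/ssh/sshd_confid.d/`, which is neither the server's `sshd_config.d` nor the client's `ssh_config.d` directory; as committed nothing reads it, and if the directory name were only corrected to `sshd_config.d`, sshd would reject the client-only keywords and refuse to start. The file belongs at `config/includes.chroot/etc/ssh/ssh_config.d/10-sshfp.conf`. `VerifyHostKeyDNS yes` only trusts SSHFP records that arrive DNSSEC-validated, which needs a validating resolver on the live system; since the pinned known_hosts file already covers both keys, a comment stating that SSHFP is the secondary check and the pinned file the primary one would make the trust model explicit.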
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
### https://www.ssh-audit.com/
|
### https://www.ssh-audit.com/
|
||||||
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
|
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
|
||||||
@@ -65,12 +65,12 @@ GatewayPorts no
|
|||||||
### A+ Rating 100/100
|
### A+ Rating 100/100
|
||||||
RequiredRSASize 4096
|
RequiredRSASize 4096
|
||||||
Ciphers aes256-gcm@openssh.com
|
Ciphers aes256-gcm@openssh.com
|
||||||
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
|
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
|
||||||
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||||
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
|
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
|
||||||
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
|
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
|
||||||
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
||||||
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
|
||||||
|
|
||||||
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
|
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
|
||||||
|
|||||||
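Review bot: The new `KexAlgorithms` line leads with `mlkem768x25519-sha256`, which OpenSSH only knows from 9.9 onward; on a bookworm image (OpenSSH 9.2, and the usage text on this page still describes a Bookworm ISO) sshd would refuse to start with a "Bad SSH2 KexAlgorithms" error, so if this sshd_config is shared across releases it needs a guard, and either way a build-time `sshd -t` in a chroot hook (once host keys exist there) would catch a rejected algorithm list before first boot rather than at it. A comment such as `### mlkem768x25519-sha256 requires OpenSSH >= 9.9 (trixie); an older sshd rejects the whole list` above the line would document the floor. Separately, with `Ciphers aes256-gcm@openssh.com` as the only cipher the `MACs` line is never consulted (GCM is AEAD); harmless, but worth a note so nobody tightens it expecting an effect.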
@@ -9,7 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
### Version Master V8.13.064.2025.10.07
|
### Version Master V8.13.096.2025.10.09
|
||||||
|
|
||||||
### https://docs.kernel.org/
|
### https://docs.kernel.org/
|
||||||
### https://github.com/a13xp0p0v/kernel-hardening-checker/
|
### https://github.com/a13xp0p0v/kernel-hardening-checker/
|
||||||
|
|||||||
@@ -10,7 +10,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
declare -gr VERSION="Master V8.13.064.2025.10.07"
|
declare -gr VERSION="Master V8.13.096.2025.10.09"
|
||||||
|
|
||||||
### VERY EARLY CHECK FOR DEBUGGING
|
### VERY EARLY CHECK FOR DEBUGGING
|
||||||
if [[ $* == *" --debug "* ]]; then
|
if [[ $* == *" --debug "* ]]; then
|
||||||
|
|||||||
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
|
|||||||
|
|
||||||
# Please consider donating to my work at: https://coresecret.eu/spenden/
|
# Please consider donating to my work at: https://coresecret.eu/spenden/
|
||||||
###########################################################################################
|
###########################################################################################
|
||||||
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.064.2025.10.07 at: 10:18:37.9542
|
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.096.2025.10.09 at: 10:18:37.9542
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. DNSSEC Status
|
# 2. DNSSEC Status
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Haveged Audit on Netcup RS 2000 G11
|
# 2. Haveged Audit on Netcup RS 2000 G11
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Lynis Audit:
|
# 2. Lynis Audit:
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. SSH Audit by ssh-audit.com
|
# 2. SSH Audit by ssh-audit.com
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. TLS Audit:
|
# 2. TLS Audit:
|
||||||
````text
|
````text
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Hardened Kernel Boot Parameters
|
# 2. Hardened Kernel Boot Parameters
|
||||||
|
|
||||||
|
|||||||
@@ -8,10 +8,22 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Changelog
|
# 2. Changelog
|
||||||
|
|
||||||
|
## V8.13.096.2025.10.09
|
||||||
|
* **Added**: [0010_install_apparmor.chroot](../config/hooks/live/0010_install_apparmor.chroot)
|
||||||
|
* **Added**: [10-sshfp.conf](../config/includes.chroot/etc/ssh/sshd_confid.d/10-sshfp.conf)
|
||||||
|
* **Added**: [ssh_known_hosts](../config/includes.chroot/etc/ssh/ssh_known_hosts)
|
||||||
|
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot)
|
||||||
|
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
|
||||||
|
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
|
||||||
|
* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
|
||||||
|
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
|
||||||
|
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh)
|
||||||
|
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh)
|
||||||
|
|
||||||
## V8.13.064.2025.10.07
|
## V8.13.064.2025.10.07
|
||||||
* **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
|
* **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
|
||||||
* **Added**: Verbose status information screen on successful completion.
|
* **Added**: Verbose status information screen on successful completion.
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Centurion Net - Developer Branch Overview
|
# 2. Centurion Net - Developer Branch Overview
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Coding Style
|
# 2. Coding Style
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Contributing / participating
|
# 2. Contributing / participating
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Credits
|
# 2. Credits
|
||||||
|
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Download the latest PUBLIC CISS.debian.live.ISO
|
# 2. Download the latest PUBLIC CISS.debian.live.ISO
|
||||||
|
|
||||||
|
|||||||
@@ -8,12 +8,12 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2.1. Usage
|
# 2.1. Usage
|
||||||
````text
|
````text
|
||||||
CISS.debian.live.builder
|
CISS.debian.live.builder
|
||||||
Master V8.13.064.2025.10.07
|
Master V8.13.096.2025.10.09
|
||||||
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
|
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
|
||||||
|
|
||||||
(c) Marc S. Weidner, 2018 - 2025
|
(c) Marc S. Weidner, 2018 - 2025
|
||||||
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
|
|||||||
# 2.2. Contact
|
# 2.2. Contact
|
||||||
````text
|
````text
|
||||||
CISS.debian.live.builder
|
CISS.debian.live.builder
|
||||||
Master V8.13.064.2025.10.07
|
Master V8.13.096.2025.10.09
|
||||||
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
|
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
|
||||||
|
|
||||||
(c) Marc S. Weidner, 2018 - 2025
|
(c) Marc S. Weidner, 2018 - 2025
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ include_toc: true
|
|||||||
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
|
||||||
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
|
||||||
**Master Version**: 8.13<br>
|
**Master Version**: 8.13<br>
|
||||||
**Build**: V8.13.064.2025.10.07<br>
|
**Build**: V8.13.096.2025.10.09<br>
|
||||||
|
|
||||||
# 2. Resources
|
# 2. Resources
|
||||||
|
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ cdi() {
|
|||||||
tmp_entry="$(mktemp)"
|
tmp_entry="$(mktemp)"
|
||||||
cat << EOF >| "${tmp_entry}"
|
cat << EOF >| "${tmp_entry}"
|
||||||
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
|
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
|
||||||
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
|
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
|
||||||
initrd /live/initrd.img-${VAR_KERNEL}
|
initrd /live/initrd.img-${VAR_KERNEL}
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|||||||
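Review bot: `swap=true` on the rewritten `linux` line lets live-boot activate swap partitions it finds on the host's disks, so pages of the live session — including any key material — can be written to a disk that `toram`/`nopersistence` otherwise leave untouched; if the goal is a no-trace hardened session, drop `swap=true` (it is carried over from the previous line, but the line is rewritten here). The dropped `cfi=kcfi` and `randomize_va_space=2` appear to have been no-ops on this kernel (the `cfi=` parameter only applies to a Clang-built kernel with CONFIG_CFI_CLANG, and `randomize_va_space` is a sysctl, not a boot parameter), so a short comment above the `menuentry` recording why they are gone would stop someone re-adding them from a hardening checklist. `cdi()` starts before this hunk.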
@@ -40,8 +40,8 @@ lb_config_write_trixie() {
|
|||||||
--backports true \
|
--backports true \
|
||||||
--binary-filesystem fat32 \
|
--binary-filesystem fat32 \
|
||||||
--binary-image iso-hybrid \
|
--binary-image iso-hybrid \
|
||||||
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
|
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
|
||||||
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
|
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
|
||||||
--bootloaders grub-efi \
|
--bootloaders grub-efi \
|
||||||
--cache true \
|
--cache true \
|
||||||
--checksums sha512 sha256 md5 \
|
--checksums sha512 sha256 md5 \
|
||||||
|
|||||||
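Review bot: The `--bootappend-live` string is now a second hand-maintained copy of the hardening parameter list carried by the GRUB `menuentry` in lib_cdi.sh, and the two had already drifted (`live-config.components` vs `components`) before this commit; a single `declare -r` list in a shared lib, expanded into both places, would keep the next change from being applied to one copy and missed in the other. `lb_config_write_trixie()` starts before this hunk. Both live lines also keep `swap=true`, which lets live-boot use swap partitions on the host's disks and so writes live-session memory to a disk that the `toram`/`nopersistence` setup otherwise avoids — worth dropping or documenting. `--bootappend-install` keeps `panic=-1` while the live line has `panic=0`; a one-line comment on why the installer reboots on panic but the live system halts would help the next reader.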
@@ -35,13 +35,13 @@ usage() {
|
|||||||
# shellcheck disable=SC2155
|
# shellcheck disable=SC2155
|
||||||
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
|
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
|
||||||
# shellcheck disable=SC2155
|
# shellcheck disable=SC2155
|
||||||
declare var_footer=$(center "V8.13.064.2025.10.07 2025-10-07 CLB(1)" "${var_cols}")
|
declare var_footer=$(center "V8.13.096.2025.10.09 2025-10-07 CLB(1)" "${var_cols}")
|
||||||
|
|
||||||
{
|
{
|
||||||
echo -e "\e[1;97m${var_header}\e[0m"
|
echo -e "\e[1;97m${var_header}\e[0m"
|
||||||
echo
|
echo
|
||||||
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
|
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
|
||||||
echo -e "\e[92mMaster V8.13.064.2025.10.07\e[0m"
|
echo -e "\e[92mMaster V8.13.096.2025.10.09\e[0m"
|
||||||
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
|
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
|
||||||
echo
|
echo
|
||||||
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
|
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
|
||||||
|
|||||||
@@ -45,7 +45,7 @@ main() {
|
|||||||
# shellcheck disable=SC2312
|
# shellcheck disable=SC2312
|
||||||
exec > >(tee -a "${log}") 2>&1
|
exec > >(tee -a "${log}") 2>&1
|
||||||
|
|
||||||
printf "CISS.debian.installer Master V8.13.064.2025.10.07 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
|
printf "CISS.debian.installer Master V8.13.096.2025.10.09 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
|
||||||
|
|
||||||
net_wait
|
net_wait
|
||||||
|
|
||||||
@@ -66,7 +66,7 @@ main() {
|
|||||||
# --reionice-priority 1 0 \
|
# --reionice-priority 1 0 \
|
||||||
# --renice-priority "-19"
|
# --renice-priority "-19"
|
||||||
|
|
||||||
printf "CISS.debian.installer Master V8.13.064.2025.10.07 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
|
printf "CISS.debian.installer Master V8.13.096.2025.10.09 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
# shellcheck disable=SC2155
|
# shellcheck disable=SC2155
|
||||||
declare -grx VAR_CONTACT="security@coresecret.eu"
|
declare -grx VAR_CONTACT="security@coresecret.eu"
|
||||||
declare -grx VAR_VERSION="Master V8.13.064.2025.10.07"
|
declare -grx VAR_VERSION="Master V8.13.096.2025.10.09"
|
||||||
declare -grx VAR_SYSTEM="$(uname -mnosv)"
|
declare -grx VAR_SYSTEM="$(uname -mnosv)"
|
||||||
declare -gx VAR_EARLY_DEBUG="false"
|
declare -gx VAR_EARLY_DEBUG="false"
|
||||||
declare -gx VAR_HANDLER_AUTOBUILD="false"
|
declare -gx VAR_HANDLER_AUTOBUILD="false"
|
||||||
|
|||||||