msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.03.768.2025.06.23
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 35s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m23s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-23 08:03:24 +02:00
parent 4bae828016
commit e9b21a2b5b
41 changed files with 443 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
View File

@@ -25,7 +25,7 @@ body:
attributes: attributes:
label: "Version" label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`." description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V8.03.768.2025.06.19" placeholder: "e.g., Master V8.03.768.2025.06.23"
validations: validations:
required: true required: true

2
.gitea/TODO/dockerfile
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.23
FROM debian:bookworm FROM debian:bookworm

2
.gitea/TODO/render-md-to-html.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.23
name: 🔁 Render README.md to README.html. name: 🔁 Render README.md to README.html.

2
.gitea/trigger/t_generate_dns.yaml
View File

@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.03.768.2025.06.19 version: V8.03.768.2025.06.23
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.22
name: 🔐 Generating a Private Live ISO FLV 0. name: 🔐 Generating a Private Live ISO FLV 0.

2
.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.22
name: 🔐 Generating a Private Live ISO FLV 1. name: 🔐 Generating a Private Live ISO FLV 1.

2
.gitea/workflows/generate_PUBLIC_iso.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.22
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.

2
.gitea/workflows/linter_char_scripts.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.23
# Gitea Workflow: Shell-Script Linting # Gitea Workflow: Shell-Script Linting
# #

2
.gitea/workflows/render-dnssec-status.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.23
name: 🛡️ Retrieve DNSSEC status of coresecret.dev. name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

2
.gitea/workflows/render-dot-to-png.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.23
name: 🔁 Render Graphviz Diagrams. name: 🔁 Render Graphviz Diagrams.

2
.version.properties
View File

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu" properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.03.768.2025.06.19" properties_version="V8.03.768.2025.06.23"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

2
CISS.debian.live.builder.spdx
View File

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder PackageName: CISS.debian.live.builder
PackageVersion: Master V8.03.768.2025.06.19 PackageVersion: Master V8.03.768.2025.06.23
PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

6
README.md
View File

@@ -2,7 +2,7 @@
gitea: none gitea: none
include_toc: true include_toc: true
--- ---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.19-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) [![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.23-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -142,7 +142,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.03.768.2025.06.19` Example: `V8.03.768.2025.06.23`
`x.y.z` represents major (x), minor (y), and patch (z) version increments. `x.y.z` represents major (x), minor (y), and patch (z) version increments.

2
ciss_live_builder.sh
View File

@@ -41,7 +41,7 @@
. ./lib/lib_usage.sh; usage; exit 1; } . ./lib/lib_usage.sh; usage; exit 1; }
declare -gx VAR_CONTACT="security@coresecret.eu" declare -gx VAR_CONTACT="security@coresecret.eu"
declare -gx VAR_VERSION="Master V8.03.768.2025.06.19" declare -gx VAR_VERSION="Master V8.03.768.2025.06.23"
### CHECK FOR CONTACT, HELP, AND VERSION STRING ### CHECK FOR CONTACT, HELP, AND VERSION STRING
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done

2
config/includes.chroot/etc/ssh/sshd_config
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.23
### https://www.ssh-audit.com/ ### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

2
config/includes.chroot/etc/sysctl.d/99_local.hardened
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.768.2025.06.19 ### Version Master V8.03.768.2025.06.23
### https://docs.kernel.org/ ### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/

2
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.03.768.2025.06.19" declare -gr VERSION="Master V8.03.768.2025.06.23"
### VERY EARLY CHECK FOR DEBUGGING ### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then if [[ $* == *" --debug "* ]]; then

2
config/includes.chroot/preseed/preseed.cfg
View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/ # Please consider donating to my work at: https://coresecret.eu/spenden/
########################################################################################### ###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.03.768.2025.06.19 at: 10:18:37.9542 # Written by: ./preseed_hash_generator.sh Version: Master V8.03.768.2025.06.23 at: 10:18:37.9542

38
config/includes.chroot/root/.ciss/alias
View File

@@ -149,13 +149,16 @@ genpasswdhash() {
mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
} }
########################################################################################### #######################################
# Globals: Wrapper for secure curl # Wrapper for secure curl
# Arguments: # Arguments:
# $1: URL from which to download a specific file # $1: URL from which to download a specific file
# $2: /path/to/file to be saved to # $2: /path/to/file to be saved to
########################################################################################### # Returns:
# shellcheck disable=SC2317 # 0: Download successful
# 1: Usage error
# 2: Download failure
#######################################
scurl() { scurl() {
if [[ $# -ne 2 ]]; then if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2 printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
@@ -176,13 +179,16 @@ scurl() {
return 0 return 0
} }
########################################################################################### #######################################
# Globals: Wrapper for secure wget # Wrapper for secure wget
# Arguments: # Arguments:
# $1: URL from which to download a specific file # $1: URL from which to download a specific file
# $2: /path/to/file to be saved to # $2: /path/to/file to be saved to
########################################################################################### # Returns:
# shellcheck disable=SC2317 # 0: Download successful
# 1: Usage error
# 2: Download failure
#######################################
swget() { swget() {
if [[ $# -ne 2 ]]; then if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2 printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
@@ -204,24 +210,22 @@ swget() {
return 0 return 0
} }
########################################################################################### #######################################
# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters # Wrapper for loading CISS.2025 hardened Kernel Parameters
# Arguments: # Arguments:
# none # None
########################################################################################### #######################################
# shellcheck disable=SC2317
sysp() { sysp() {
sysctl -p /etc/sysctl.d/99_local.hardened sysctl -p /etc/sysctl.d/99_local.hardened
# sleep 1 # sleep 1
sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
} }
########################################################################################### #######################################
# Globals: Wrapper for tree # Wrapper for tree
# Arguments: # Arguments:
# $1: Depth of Directory Listing # $1: Depth of Directory Listing
########################################################################################### #######################################
# shellcheck disable=SC2317
trel() { trel() {
declare depth=${1:-3} declare depth=${1:-3}
tree -C -h --dirsfirst -L "${depth}" tree -C -h --dirsfirst -L "${depth}"

9
config/package-lists/live.list.common.chroot
View File

@@ -21,6 +21,7 @@ bc
bind9-dnsutils bind9-dnsutils
bsdmainutils bsdmainutils
btrfs-progs btrfs-progs
bzip2
ca-certificates ca-certificates
clamav clamav
clamav-daemon clamav-daemon
@@ -42,9 +43,11 @@ dirmngr
dmsetup dmsetup
dnsviz dnsviz
dosfstools dosfstools
e2fsprogs
efibootmgr efibootmgr
expect expect
fail2ban fail2ban
fdisk
figlet figlet
fzf fzf
gawk gawk
@@ -79,6 +82,7 @@ man
man-db man-db
manpages manpages
manpages-dev manpages-dev
mdadm
mtr mtr
nano nano
ncat ncat
@@ -110,11 +114,13 @@ ssl-cert
sudo sudo
sysstat sysstat
systemd-sysv systemd-sysv
tar
tree tree
tshark tshark
ufw ufw
unattended-upgrades unattended-upgrades
unzip unzip
util-linux
virt-what virt-what
wamerican wamerican
wbritish wbritish
@@ -122,6 +128,9 @@ wfrench
wget wget
whois whois
wngerman wngerman
xfsprogs
xz-utils
yq
zip zip
zsh zsh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
docs/AUDIT_DNSSEC.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. DNSSEC Status # 2. DNSSEC Status

2
docs/AUDIT_HAVEGED.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Haveged Audit on Netcup RS 2000 G11 # 2. Haveged Audit on Netcup RS 2000 G11

2
docs/AUDIT_LYNIS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Lynis Audit: # 2. Lynis Audit:

2
docs/AUDIT_SSH.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. SSH Audit by ssh-audit.com # 2. SSH Audit by ssh-audit.com

343
docs/AUDIT_TLS.md
View File

@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. TLS Audit: # 2. TLS Audit:
````text ````text
##################################################################### #####################################################################
testssl.sh version 3.2rc4 from https://testssl.sh/dev/ testssl.sh version 3.2.1 from https://testssl.sh/
(6746fa5 2025-04-18 13:17:50) (81471c3 2025-06-15 09:48:31)
This program is free software. Distribution and modification under This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +26,313 @@ include_toc: true
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers] Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64 on kali:./bin/openssl.Linux.x86_64
Start 2025-06-02 18:04:19 -->> 152.53.110.40:443 (coresecret.dev) <<-- Start 2025-06-23 06:37:04 -->> 135.181.207.105:443 (dns01.eddns.eu) <<--
Further IP addresses: 2a01:4f9:c012:a813:135:181:207:105
rDNS (135.181.207.105): dns01.eddns.eu.
Service detected: HTTP
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 h2, http/1.1 (offered)
Testing for server implementation bugs
No bugs found.
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
Triple DES Ciphers / IDEA not offered
Obsoleted CBC ciphers (AES, ARIA etc.) not offered
Strong encryption (AEAD ciphers) with no FS not offered
Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
Testing server's cipher preferences
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2
-
SSLv3
-
TLSv1
-
TLSv1.1
-
TLSv1.2 (server order)
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLSv1.3 (server order)
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
Has server cipher order? yes (OK) -- TLS 1.3 and below
Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
FS is offered (OK) , ciphers follow (client/browser support is important here)
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 available
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v
xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not a/v
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v
xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not a/v
xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v
xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 not a/v
x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 not a/v
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available
xccaa DHE-RSA-CHACHA20-POLY1305 DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 not a/v
xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM not a/v
xc0a3 DHE-RSA-AES256-CCM8 DH AESCCM8 256 TLS_DHE_RSA_WITH_AES_256_CCM_8 not a/v
xc09f DHE-RSA-AES256-CCM DH AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM not a/v
x6b DHE-RSA-AES256-SHA256 DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 not a/v
x6a DHE-DSS-AES256-SHA256 DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 not a/v
x39 DHE-RSA-AES256-SHA DH AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA not a/v
x38 DHE-DSS-AES256-SHA DH AES 256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA not a/v
xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v
xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 not a/v
xc4 DHE-RSA-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not a/v
xc3 DHE-DSS-CAMELLIA256-SHA256 DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 not a/v
x88 DHE-RSA-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA not a/v
x87 DHE-DSS-CAMELLIA256-SHA DH Camellia 256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA not a/v
xc043 DHE-DSS-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 not a/v
xc045 DHE-RSA-ARIA256-CBC-SHA384 DH ARIA 256 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v
xc049 ECDHE-ECDSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 not a/v
xc04d ECDHE-RSA-ARIA256-CBC-SHA384 ECDH ARIA 256 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 not a/v
xc053 DHE-RSA-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v
xc057 DHE-DSS-ARIA256-GCM-SHA384 DH ARIAGCM 256 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 not a/v
xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 not a/v
xc061 ECDHE-ARIA256-GCM-SHA384 ECDH ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 not a/v
xc07d - DH CamelliaGCM 256 TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
xc081 - DH CamelliaGCM 256 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 not a/v
xc087 - ECDH CamelliaGCM 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
xc08b - ECDH CamelliaGCM 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 not a/v
x1301 TLS_AES_128_GCM_SHA256 any AESGCM 128 TLS_AES_128_GCM_SHA256 not a/v
x1304 TLS_AES_128_CCM_SHA256 any AESCCM 128 TLS_AES_128_CCM_SHA256 not a/v
x1305 TLS_AES_128_CCM_8_SHA256 any AESCCM8 128 TLS_AES_128_CCM_8_SHA256 not a/v
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not a/v
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 not a/v
xc027 ECDHE-RSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not a/v
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 not a/v
xc013 ECDHE-RSA-AES128-SHA ECDH AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not a/v
xc009 ECDHE-ECDSA-AES128-SHA ECDH AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not a/v
xa2 DHE-DSS-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 not a/v
x9e DHE-RSA-AES128-GCM-SHA256 DH AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 not a/v
xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 not a/v
xc0ac ECDHE-ECDSA-AES128-CCM ECDH AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM not a/v
xc0a2 DHE-RSA-AES128-CCM8 DH AESCCM8 128 TLS_DHE_RSA_WITH_AES_128_CCM_8 not a/v
xc09e DHE-RSA-AES128-CCM DH AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM not a/v
x67 DHE-RSA-AES128-SHA256 DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 not a/v
x40 DHE-DSS-AES128-SHA256 DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 not a/v
x33 DHE-RSA-AES128-SHA DH AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA not a/v
x32 DHE-DSS-AES128-SHA DH AES 128 TLS_DHE_DSS_WITH_AES_128_CBC_SHA not a/v
xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
xbe DHE-RSA-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not a/v
xbd DHE-DSS-CAMELLIA128-SHA256 DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 not a/v
x9a DHE-RSA-SEED-SHA DH SEED 128 TLS_DHE_RSA_WITH_SEED_CBC_SHA not a/v
x99 DHE-DSS-SEED-SHA DH SEED 128 TLS_DHE_DSS_WITH_SEED_CBC_SHA not a/v
x45 DHE-RSA-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA not a/v
x44 DHE-DSS-CAMELLIA128-SHA DH Camellia 128 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA not a/v
xc042 DHE-DSS-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 not a/v
xc044 DHE-RSA-ARIA128-CBC-SHA256 DH ARIA 128 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v
xc048 ECDHE-ECDSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 not a/v
xc04c ECDHE-RSA-ARIA128-CBC-SHA256 ECDH ARIA 128 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 not a/v
xc052 DHE-RSA-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v
xc056 DHE-DSS-ARIA128-GCM-SHA256 DH ARIAGCM 128 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 not a/v
xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 not a/v
xc060 ECDHE-ARIA128-GCM-SHA256 ECDH ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 not a/v
xc07c - DH CamelliaGCM 128 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc080 - DH CamelliaGCM 128 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc086 - ECDH CamelliaGCM 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc08a - ECDH CamelliaGCM 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
Elliptic curves offered: secp384r1 secp521r1 X448
TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
Testing server defaults (Server Hello)
TLS extensions (standard) "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11"
"application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51"
"renegotiation info/#65281"
Session Ticket RFC 5077 hint no -- no lifetime advertised
SSL Session ID support yes
Session Resumption Tickets no, ID: yes
TLS clock skew Random values, no fingerprinting possible
Certificate Compression none
Client Authentication none
Signature Algorithm SHA384 with RSA
Server key size RSA 4096 bits (exponent is 262147)
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial A39CFE0064280D467269C012636F9EE8 (OK: length 16)
Fingerprints SHA1 9E19BE00A07E50CC5DB94A51419D431E845F810A
SHA256 92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356
Common Name (CN) eddns.eu
subjectAltName (SAN) eddns.eu dns01.eddns.eu dns02.eddns.de dns03.eddns.eu eddns.de
Trust (hostname) Ok via SAN (same w/o SNI)
Chain of trust Ok
EV cert (experimental) no
Certificate Validity (UTC) 358 >= 60 days (2025-06-16 00:00 --> 2026-06-16 23:59)
ETS/"eTLS", visibility info not present
In pwnedkeys.com DB not in database
Certificate Revocation List --
OCSP URI http://zerossl.ocsp.sectigo.com, not revoked
OCSP stapling offered, not revoked
OCSP must staple extension supported
DNS CAA RR (experimental) available - please check for match with "Issuer" below
communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
Certificate Transparency yes (certificate extension)
Certificates provided 2
Issuer ZeroSSL RSA Domain Secure Site CA (ZeroSSL from AT)
Intermediate cert validity #1: ok > 40 days (2030-01-29 23:59). ZeroSSL RSA Domain Secure Site CA <-- USERTrust RSA Certification Authority
Intermediate Bad OCSP (exp.) Ok
Testing HTTP header response @ "/"
HTTP Status Code 200 OK
HTTP clock skew 0 sec from localtime
Strict Transport Security 730 days=63072000 s, includeSubDomains, preload
Public Key Pinning --
Server banner nginx
Application banner --
Cookie(s) (none issued at "/")
Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Expect-CT: max-age=86400, enforce
Permissions-Policy: interest-cohort=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: credentialless
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: https://dns01.eddns.eu
Permissions-Policy: interest-cohort=()
Referrer-Policy: same-origin
Cache-Control: no-cache
Reverse Proxy banner --
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK), no session ticket extension
ROBOT Server does not support any cipher suites that use RSA key transport
Secure Renegotiation (RFC 5746) supported (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK) - only supplied "/" tested
POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
Winshock (CVE-2014-6321), experimental not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Running client simulations (HTTP) via sockets
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy
------------------------------------------------------------------------------------------------
Android 7.0 (native) No connection
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
IE 8 Win 7 No connection
IE 11 Win 7 No connection
IE 11 Win 8.1 No connection
IE 11 Win Phone 8.1 No connection
IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Java 7u25 No connection
Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Rating (experimental)
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 100 (30)
Key Exchange (weighted) 100 (30)
Cipher Strength (weighted) 100 (40)
Final Score 100
Overall Grade A+
Done 2025-06-23 06:38:43 [ 102s] -->> 135.181.207.105:443 (dns01.eddns.eu) <<--
25-06-23|root@kali.ed448.eu:/root/gitea/testssl.sh/>>1|~#> ./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
#####################################################################
testssl.sh version 3.2.1 from https://testssl.sh/
(81471c3 2025-06-15 09:48:31)
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
#####################################################################
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64
Start 2025-06-23 06:55:40 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40 Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40
rDNS (152.53.110.40): git.coresecret.dev. rDNS (152.53.110.40): git.coresecret.dev.
@@ -193,17 +499,21 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
Common Name (CN) coresecret.dev Common Name (CN) coresecret.dev
subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
Trust (hostname) Ok via SAN and CN (same w/o SNI) Trust (hostname) Ok via SAN (same w/o SNI)
Chain of trust Ok Chain of trust Ok
EV cert (experimental) no EV cert (experimental) no
Certificate Validity (UTC) 174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59) Certificate Validity (UTC) 153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
ETS/"eTLS", visibility info not present ETS/"eTLS", visibility info not present
In pwnedkeys.com DB not in database In pwnedkeys.com DB not in database
Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
OCSP URI http://ocsp.buypass.com, not revoked OCSP URI http://ocsp.buypass.com, not revoked
OCSP stapling offered, not revoked OCSP stapling offered, not revoked
OCSP must staple extension -- OCSP must staple extension --
DNS CAA RR (experimental) not offered DNS CAA RR (experimental) available - please check for match with "Issuer" below
iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl, issue=letsencrypt.org;,
issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
Certificate Transparency yes (certificate extension) Certificate Transparency yes (certificate extension)
Certificates provided 2 Certificates provided 2
Issuer Buypass Class 2 CA 5 (Buypass AS-983163327 from NO) Issuer Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
@@ -213,23 +523,27 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Testing HTTP header response @ "/" Testing HTTP header response @ "/"
HTTP Status Code 301 Moved Permanently, redirecting to "https://git.coresecret.dev" HTTP Status Code 200 OK
HTTP clock skew 0 sec from localtime HTTP clock skew 0 sec from localtime
Strict Transport Security 730 days=63072000 s, includeSubDomains, preload Strict Transport Security 730 days=63072000 s, includeSubDomains, preload
Public Key Pinning -- Public Key Pinning --
Server banner nginx Server banner nginx
Application banner -- Application banner --
Cookie(s) (none issued at "/") -- maybe better try target URL of 30x Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly
Security headers X-Frame-Options: SAMEORIGIN Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
Expect-CT: max-age=86400, enforce Expect-CT: max-age=86400, enforce
Permissions-Policy: interest-cohort=() Permissions-Policy: interest-cohort=()
Cross-Origin-Opener-Policy: same-origin Cross-Origin-Opener-Policy: cross-origin
Cross-Origin-Resource-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Embedder-Policy: unsafe-none
X-XSS-Protection: 1; mode=block X-XSS-Protection: 1; mode=block
Permissions-Policy: interest-cohort=() Permissions-Policy: interest-cohort=()
Referrer-Policy: same-origin Referrer-Policy: no-referrer
Cache-Control: no-cache Cache-Control: no-cache
Reverse Proxy banner -- Reverse Proxy banner --
@@ -268,6 +582,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384) Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521) Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
@@ -308,7 +623,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Final Score 100 Final Score 100
Overall Grade A+ Overall Grade A+
Done 2025-06-02 18:05:51 [ 95s] -->> 152.53.110.40:443 (coresecret.dev) <<-- Done 2025-06-23 06:57:01 [ 86s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
```` ````
--- ---

6
docs/CHANGELOG.md
View File

@@ -8,10 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Changelog # 2. Changelog
## V8.03.768.2025.06.22
* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Lock FD and Artifacts.
## V8.03.768.2025.06.19 ## V8.03.768.2025.06.19
* Minor main script improvements. * Minor main script improvements.

2
docs/CNET.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Centurion Net - Developer Branch Overview # 2. Centurion Net - Developer Branch Overview

2
docs/CODING_CONVENTION.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Coding Style # 2. Coding Style

2
docs/CONTRIBUTING.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Contributing / participating # 2. Contributing / participating

2
docs/CREDITS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Credits # 2. Credits

2
docs/DL_PUB_ISO.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Download the latest PUBLIC CISS.debian.live.ISO # 2. Download the latest PUBLIC CISS.debian.live.ISO

6
docs/DOCUMENTATION.md
View File

@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2.1. Usage # 2.1. Usage
````text ````text
CISS.debian.live.builder CISS.debian.live.builder
Master V8.03.768.2025.06.19 Master V8.03.768.2025.06.23
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2025
@@ -133,7 +133,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact # 2.2. Contact
````text ````text
CISS.debian.live.builder CISS.debian.live.builder
Master V8.03.768.2025.06.19 Master V8.03.768.2025.06.23
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2025

2
docs/REFERENCES.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.03<br> **Master Version**: 8.03<br>
**Build**: V8.03.768.2025.06.19<br> **Build**: V8.03.768.2025.06.23<br>
# 2. Resources # 2. Resources

2
lib/lib_check_provider.sh
View File

@@ -18,7 +18,7 @@
check_provider() { check_provider() {
clear clear
cat << 'EOF' >| "${VAR_NOTES}" cat << 'EOF' >| "${VAR_NOTES}"
Build: Master V8.03.768.2025.06.19 Build: Master V8.03.768.2025.06.23
Press 'EXIT' to continue with CISS.debian.live.builder. Press 'EXIT' to continue with CISS.debian.live.builder.

5
lib/lib_clean_up.sh
View File

@@ -26,6 +26,11 @@ clean_up() {
rm -f -- "${VAR_KERNEL_INF}" rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}" rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}" rm -f -- "${VAR_KERNEL_TMP}"
# Release advisory lock on FD 127.
flock -u 127
# Close file descriptor 127.
exec 127>&-
# Remove the lockfile artifact.
rm -f /run/lock/ciss_live_builder.lock rm -f /run/lock/ciss_live_builder.lock
if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then

2
lib/lib_contact.sh
View File

@@ -21,7 +21,7 @@ contact() {
clear clear
cat << EOF cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m") $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.03.768.2025.06.19\e[0m") $(echo -e "\e[92mMaster V8.03.768.2025.06.23\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

2
lib/lib_debug.sh
View File

@@ -36,7 +36,7 @@ debugger() {
} | sort >| "${VAR_DUMP_VARS_INITIAL}" } | sort >| "${VAR_DUMP_VARS_INITIAL}"
declare -gx VAR_EARLY_DEBUG=true declare -gx VAR_EARLY_DEBUG=true
### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%Y-%m-%dT%H:%M:%S.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m ' declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log" declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
### Generates empty LOG_DEBUG ### Generates empty LOG_DEBUG

43
lib/lib_debug_header.sh
View File

@@ -30,27 +30,30 @@
debug_header() { debug_header() {
declare -r arg_counter="$1" declare -r arg_counter="$1"
declare -r arg_string="$2" declare -r arg_string="$2"
# shellcheck disable=SC2155
declare git_head=$(git rev-parse HEAD)
{ {
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${VAR_VERSION}" printf "\e[97m+\e[0m\e[92m%s: Git Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${git_head}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${EPOCHREALTIME}" printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${BASH_VERSINFO[0]}" printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${BASH_VERSINFO[1]}" printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${BASH_VERSINFO[2]}" printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${BASH_VERSINFO[3]}" printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${BASH_VERSINFO[4]}" printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${UID}" printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${EUID}" printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${HOSTNAME}" printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "$0" printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
printf "\e[97m+\e[0m\e[92m%s: Argument Counter : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${arg_counter}" printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
printf "\e[97m+\e[0m\e[92m%s: Argument String Original : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${arg_string}" printf "\e[97m+\e[0m\e[92m%s: Argument Counter : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "$$" printf "\e[97m+\e[0m\e[92m%s: Argument String Original : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${PPID}" printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${PWD}" printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "$-" printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" "${BASHOPTS}" printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date +%Y-%m-%dT%H:%M:%S.%4N)" printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >&42 } >&42
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

22
lib/lib_trap_on_exit.sh
View File

@@ -18,20 +18,20 @@
# $1: $? # $1: $?
####################################### #######################################
trap_on_exit() { trap_on_exit() {
declare -r trap_on_exit_code="$1" declare -r var_trap_on_exit_code="$1"
trap - EXIT trap - EXIT
if (( trap_on_exit_code == 0 )); then if (( var_trap_on_exit_code == 0 )); then
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${trap_on_exit_code}" clean_up "${var_trap_on_exit_code}"
print_scr_exit "${trap_on_exit_code}" print_scr_exit "${var_trap_on_exit_code}"
exit 0 exit "${var_trap_on_exit_code}"
else else
exit "${trap_on_exit_code}" exit "${var_trap_on_exit_code}"
fi fi
} }
####################################### #######################################
# Print Success Message for Trap on 'EXIT' on 'stdout' # Print Success Message for Trap on 'EXIT' on 'stdout'.
# Globals: # Globals:
# LOG_DEBUG # LOG_DEBUG
# LOG_VAR # LOG_VAR
@@ -40,16 +40,16 @@ trap_on_exit() {
# VAR_HANDLER_BUILD_DIR # VAR_HANDLER_BUILD_DIR
# VAR_SCRIPT_SUCCESS # VAR_SCRIPT_SUCCESS
# Arguments: # Arguments:
# $1: ${trap_on_exit_code} of trap_on_exit() # $1: ${var_trap_on_exit_code} of trap_on_exit()
####################################### #######################################
print_scr_exit() { print_scr_exit() {
declare -r print_scr_exit_code="$1" declare -r var_print_scr_exit_code="$1"
if (( print_scr_exit_code == 0 )); then if (( var_print_scr_exit_code == 0 )); then
if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
printf "\n" printf "\n"
printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n" printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n"
printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/" printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}" printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${var_print_scr_exit_code}"
printf "\n" printf "\n"
if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then
printf "\e[92m✅ Script Runtime : %s \e[0m\n" "${SECONDS}" printf "\e[92m✅ Script Runtime : %s \e[0m\n" "${SECONDS}"

2
lib/lib_usage.sh
View File

@@ -21,7 +21,7 @@ usage() {
clear clear
cat << EOF cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m") $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.03.768.2025.06.19\e[0m") $(echo -e "\e[92mMaster V8.03.768.2025.06.23\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

2
scripts/9000-cdi-starter
View File

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
# sleep 1 # sleep 1
[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
printf "CISS.debian.installer Master V8.03.768.2025.06.19 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log printf "CISS.debian.installer Master V8.03.768.2025.06.23 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh