From ec6e791b9d57b137247e0c329829cf23cb7341715ef1e94eb5c62908d286d33a Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Sun, 28 Sep 2025 16:29:27 +0100
Subject: [PATCH] V8.13.016.2025.09.28
Signed-off-by: Marc S. Weidner
---
 .archive/.0000_lib_usage.sh | 2 +-
 .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +-
 .gitea/TODO/dockerfile | 2 +-
 .gitea/TODO/render-md-to-html.yaml | 2 +-
 .../trigger/t_generate_PRIVATE_trixie_0.yaml | 2 +-
 .../trigger/t_generate_PRIVATE_trixie_1.yaml | 2 +-
 .gitea/trigger/t_generate_PUBLIC.yaml | 2 +-
 .gitea/trigger/t_generate_dns.yaml | 2 +-
 .../workflows/generate_PRIVATE_trixie_0.yaml | 4 +-
 .../workflows/generate_PRIVATE_trixie_1.yaml | 4 +-
 .gitea/workflows/generate_PUBLIC_iso.yaml | 172 +++--------------
 .gitea/workflows/linter_char_scripts.yaml | 2 +-
 .gitea/workflows/render-dnssec-status.yaml | 2 +-
 .gitea/workflows/render-dot-to-png.yaml | 2 +-
 .version.properties | 2 +-
 CISS.debian.live.builder.spdx | 2 +-
 README.md | 12 +-
 config/includes.chroot/etc/ssh/sshd_config | 2 +-
 .../etc/sysctl.d/99_local.hardened | 2 +-
 .../preseed/.iso/preseed_hash_generator.sh | 2 +-
 config/includes.chroot/preseed/preseed.cfg | 2 +-
 docs/AUDIT_DNSSEC.md | 2 +-
 docs/AUDIT_HAVEGED.md | 2 +-
 docs/AUDIT_LYNIS.md | 2 +-
 docs/AUDIT_SSH.md | 2 +-
 docs/AUDIT_TLS.md | 34 ++--
 docs/BOOTPARAMS.md | 2 +-
 docs/CHANGELOG.md | 5 +-
 docs/CNET.md | 2 +-
 docs/CODING_CONVENTION.md | 2 +-
 docs/CONTRIBUTING.md | 2 +-
 docs/CREDITS.md | 2 +-
 docs/DL_PUB_ISO.md | 2 +-
 docs/DOCUMENTATION.md | 6 +-
 docs/REFERENCES.md | 2 +-
 lib/lib_usage.sh | 4 +-
 scripts/9000-cdi-starter | 2 +-
 var/early.var.sh | 2 +-
 38 files changed, 90 insertions(+), 211 deletions(-)
diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh
index 51e3715..7b55375 100644
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() { clear cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m") +$(echo -e "\e[92mMaster V8.13.016.2025.09.28\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 0230b14..693b1b7 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.008.2025.08.22" + placeholder: "e.g., Master V8.13.016.2025.09.28" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index c5e4910..fd4b9f8 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 0a70f60..91d4d8c 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 name: ๐Ÿ” Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index e50b869..a48bae9 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml 
@@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.008.2025.08.22 + version: V8.13.016.2025.09.28 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index e50b869..a48bae9 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.008.2025.08.22 + version: V8.13.016.2025.09.28 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index b192b23..cb86b32 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.008.2025.08.22 + version: V8.13.016.2025.09.28 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index b192b23..cb86b32 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.008.2025.08.22 + version: V8.13.016.2025.09.28 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index bbed4d6..eba3171 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. 
@@ -144,7 +144,7 @@ jobs: timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'. ./ciss_live_builder.sh \ - --autobuild=6.12.41+deb13-amd64 \ + --autobuild=6.12.48+deb13-amd64 \ --architecture amd64 \ --build-directory /opt/livebuild \ --control "${timestamp}" \ diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index f6fee47..68dadff 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. @@ -144,7 +144,7 @@ jobs: timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'. ./ciss_live_builder.sh \ - --autobuild=6.12.41+deb13-amd64 \ + --autobuild=6.12.48+deb13-amd64 \ --architecture amd64 \ --build-directory /opt/livebuild \ --control "${timestamp}" \ diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 636817f..e0c65bf 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,10 +9,14 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. +defaults: + run: + shell: bash + permissions: contents: write 
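Review bot: The context comment directly above the changed line, `### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.`, still names the previous kernel while the flag below it now passes `6.12.48+deb13-amd64`, so the example a maintainer is told to copy is stale. The same mismatch is in the @@ -144 hunk of generate_PRIVATE_trixie_1.yaml and, with the even older `6.12.22+bpo-amd64` example, in the @@ -271 hunk of generate_PUBLIC_iso.yaml. Either refresh the comment to the current value, `### Change "--autobuild=" to the specific kernel version you need, e.g. '6.12.48+deb13-amd64'.`, or drop the concrete version from the comment so it cannot drift again on the next bump. The `run:` block of this step begins before the hunk.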
@@ -24,161 +28,31 @@ on: - '.gitea/trigger/t_generate_PUBLIC.yaml' jobs: - generate-private-ciss-debian-live-iso: + generate-public-cdlb-trixie: name: ๐Ÿ’™ Generating a PUBLIC Live ISO. - runs-on: ciss.debian.live.builder.iso.generator + runs-on: cdlb.trixie - ### Run all steps inside Debian Bookworm container: - image: debian:bookworm + image: debian:trixie steps: - - name: ๐Ÿ› ๏ธ Basic Image Setup and enable Bookworm Backports. - run: | - apt-get update -y - apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo - echo 'deb https://deb.debian.org/debian bookworm-backports main' \ - >| /etc/apt/sources.list.d/bookworm-backports.list - apt-get update -y - apt-get upgrade -y - - - name: ๐Ÿ› ๏ธ Installing Build Tools. + - name: ๐Ÿ› ๏ธ Basic Image Setup. shell: bash run: | - apt-get update -y - apt-get install -y \ - autoconf \ - automake \ - build-essential \ - cryptsetup \ + export DEBIAN_FRONTEND=noninteractive + apt-get update + apt-get upgrade -y + apt-get install -y --no-install-recommends \ + apt-utils \ + bash \ + ca-certificates \ curl \ - debootstrap \ - dosfstools \ - efibootmgr \ - gettext \ git \ gnupg \ - haveged \ - libbz2-dev \ - zlib1g-dev \ - liblzma-dev \ - libtool \ - live-build \ - parted \ - pkg-config \ - ssh \ - ssl-cert \ + openssh-client \ + openssl \ sudo \ - texinfo \ - wget \ - whois \ - - - name: ๐Ÿ› ๏ธ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5. 
- shell: bash - run: | - urls=( - "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2" - "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2" - "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2" - "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2" - "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2" - "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2" - ) - - wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1 - gpg --batch --import signature_key.asc - - for url in "${urls[@]}"; do - archive_name="${url##*/}" - pkg_name="${archive_name%.tar.bz2}" - echo "๐Ÿ”„ Processing ${pkg_name}" - if [[ ! -f "${archive_name}" ]]; then - echo "๐Ÿ“ฅ Downloading: '${archive_name}'." - if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then - echo "โœ… Download successful: '${archive_name}'." - else - echo "โŒ Download NOT successful: '${archive_name}'." - exit 1 - fi - else - echo "๐Ÿ’ก Skipping download, package already exists: '${archive_name}'." - fi - - if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "โŒ Bad Signature: '${archive_name}'.";exit 1; fi - - if [[ ! -d "${pkg_name}" ]]; then - echo "๐Ÿ“‚ Extracting: '${archive_name}'." - if tar -xjf "${archive_name}"; then - echo "โœ… Extraction successful: '${archive_name}'." - else - echo "โŒ Extraction not successful: '${archive_name}'." - exit 1 - fi - else - echo "๐Ÿ’ก Skipping directory, already exists: '${pkg_name}'." - fi - - echo "๐Ÿ—๏ธ Build and install the package: '${pkg_name}'." 
- cd "${pkg_name}" || { echo "โŒ Could not change to '${pkg_name}'."; exit 1; } - mkdir -p build - cd build || { echo "โŒ Could not change to '/build'."; exit 1; } - - sudo ../configure > /dev/null 2>&1 || { echo "โŒ '../configure' NOT successful for '${pkg_name}'."; exit 1; } - make > /dev/null 2>&1 || { echo "โŒ 'make' NOT successful for '${pkg_name}'."; exit 1; } - sudo make install > /dev/null 2>&1 || { echo "โŒ 'make install' NOT successful for '${pkg_name}'."; exit 1; } - - cd ../.. || { echo "โŒ Could not change to '../..'."; exit 1; } - - rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "โœ… Removed archive: '${pkg_name}'." - rm -fr "${pkg_name}" && echo "โœ… Removed build artifacts: '${pkg_name}'." - echo "โœ… Successful build and installation of '${pkg_name}'." - echo "-------------------------------------------------------------------------------------" - - done - - rm -f signature_key.asc - - echo "โœ… All packages were built and installed successfully." - - mv_bin=( - "/usr/bin/gpg" - "/usr/bin/gpg-agent" - "/usr/bin/gpgconf" - "/usr/bin/gpg-connect-agent" - "/usr/bin/gpg-wks-client" - "/usr/bin/gpg-preset-passphrase" - ) - - for bin in "${mv_bin[@]}"; do - name="${bin##*/}" - if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then - if mv "${bin}" "${bin}.debian-backup"; then - echo "โœ… Moved successfully: '${bin}'." - else - echo "โŒ Moved NOT successfully: '${bin}'." - fi - else - echo "๐Ÿ’ก Does not exist as build binary: '${bin}'." - fi - done - - for bin in "${mv_bin[@]}"; do - name="${bin##*/}" - if [[ -f "/usr/local/bin/${name}" ]]; then - if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then - echo "โœ… 'update-alternatives' successfully: '${bin}'." - else - echo "โŒ 'update-alternatives' NOT successfully: '${bin}'." - fi - else - echo "๐Ÿ’ก Does not exist: '/usr/local/bin/${name}'." 
- fi - done - - sudo ldconfig - - gpgconf --kill all - /usr/local/bin/gpg-agent --daemon + util-linux - name: โš™๏ธ Check GnuPG Version. shell: bash @@ -271,13 +145,14 @@ jobs: timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. ./ciss_live_builder.sh \ - --autobuild=6.1.0-37-amd64 \ + --autobuild=6.12.48+deb13-amd64 \ --architecture amd64 \ --build-directory /opt/livebuild \ --control "${timestamp}" \ --root-password-file /opt/config/password.txt \ --ssh-port 42137 \ - --ssh-pubkey /opt/config + --ssh-pubkey /opt/config \ + --trixie - name: ๐Ÿ“ฅ Checking Centurion Cloud for existing LIVE ISOs. shell: bash @@ -364,11 +239,12 @@ jobs: gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + VAR_DATE="$(date +%F)" PRIVATE_FILE="LIVE_ISO.public" touch "${PRIVATE_FILE}" cat << EOF >| "${PRIVATE_FILE}" # SPDX-Version: 3.0 - # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; + # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 94dbce8..20d7175 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 0de050c..967df7a 100644 --- a/.gitea/workflows/render-dnssec-status.yaml 
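Review bot: The rewritten 'Basic Image Setup' step installs only a client toolset (curl, git, gnupg, openssh-client, openssl, sudo, util-linux) and the removed 'Installing Build Tools' step gets no replacement, so live-build, debootstrap, cryptsetup, dosfstools, parted and haveged are no longer installed in the `debian:trixie` container even though the later `./ciss_live_builder.sh --autobuild=...` step in this file is kept. If the `cdlb.trixie` runner image now supplies that toolchain, a comment on the step such as `### Build toolchain (live-build, debootstrap, cryptsetup, ...) is provided by the cdlb.trixie runner image.` would make that dependency visible; otherwise the packages need to come back into the install list. Replacing the from-source GnuPG build with the distro `gnupg` package is a sound simplification, since the job no longer downloads, compiles and `sudo make install`s six upstream tarballs. The `shell: bash` key on this step is now redundant with the `defaults: run: shell: bash` added in this file's first hunk. The `steps:` list continues past the end of the hunk.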
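Review bot: `VAR_DATE="$(date +%F)"` uses the runner's local time zone while `timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")` two lines above it is UTC, so the `SPDX-CreationInfo` date written into LIVE_ISO.public can disagree with the UTC timestamp computed in the same step around midnight; `VAR_DATE="$(date -u +%F)"` keeps both values on the same clock. The step's `run:` block begins before the hunk and the here-document continues past it.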
+++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 name: ๐Ÿ›ก๏ธ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 0648340..8df62a7 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 name: ๐Ÿ” Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index ee037f8..f0967c5 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.008.2025.08.22" +properties_version="V8.13.016.2025.09.28" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index fbd3734..6d09c6e 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.008.2025.08.22 +PackageVersion: Master V8.13.016.2025.09.28 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder 
diff --git a/README.md b/README.md
index 658ffc1..cb8dd3f 100644
--- a/README.md
+++ b/README.md
@@ -2,17 +2,17 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.016.2025.09.28-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   -[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)   +[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)   [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/)   [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)   [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)   -[![Static 
Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)   -[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)   +[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)   +[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)   [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)   [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)   [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.008.2025.08.22` +Example: `V8.13.016.2025.09.28` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index a00fbc4..54758ed 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index 0bfbc7b..7014712 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.008.2025.08.22 +### Version Master V8.13.016.2025.09.28 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 3c08f0e..e68d762 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh 
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.008.2025.08.22" +declare -gr VERSION="Master V8.13.016.2025.09.28" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 5a223aa..848a2ce 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.008.2025.08.22 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.016.2025.09.28 at: 10:18:37.9542 diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index 6666039..14149e8 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index ab2b885..63afaed 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 9b88fcf..e725a32 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 7247c4c..cf498ff 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index a503e41..cadf7b7 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,14 +8,15 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. TLS Audit: - ````text +./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/ + ##################################################################### - testssl.sh version 3.2.1 from https://testssl.sh/ - (81471c3 2025-06-15 09:48:31) + testssl.sh version 3.2.2 from https://testssl.sh/ + (2e77f5e 2025-09-22 19:35:27) This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! @@ -26,7 +27,7 @@ include_toc: true Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers] on kali:./bin/openssl.Linux.x86_64 - Start 2025-06-23 17:58:48 -->> 152.53.110.40:443 (git.coresecret.dev) <<-- + Start 2025-09-28 16:12:17 -->> 152.53.110.40:443 (git.coresecret.dev) <<-- Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40 rDNS (152.53.110.40): git.coresecret.dev. 
@@ -188,18 +189,17 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe Server key size RSA 4096 bits (exponent is 65537) Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication - Serial 1230B34459C6F27FA9BCD2 (OK: length 11) - Fingerprints SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E - SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC + Serial 13292523EB168BD226CE46 (OK: length 11) + Fingerprints SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8 + SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B Common Name (CN) coresecret.dev subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev Trust (hostname) Ok via SAN (same w/o SNI) Chain of trust Ok EV cert (experimental) no - Certificate Validity (UTC) 153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59) + Certificate Validity (UTC) 178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59) ETS/"eTLS", visibility info not present - In pwnedkeys.com DB not in database - Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked + In pwnedkeys.com DB not in database Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked OCSP URI http://ocsp.buypass.com, not revoked OCSP stapling offered, not revoked OCSP must staple extension -- 
@@ -226,9 +226,9 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly Security headers X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff - Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self'; - frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev - https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev + Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self' + git.coresecret.dev; frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev + https://uml.coresecret.dev; manifest-src 'self' data:; media-src 'self' data: https://badges.coresecret.dev https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; Expect-CT: max-age=86400, enforce Permissions-Policy: interest-cohort=() @@ -258,7 +258,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services, see - https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC + https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) 
@@ -309,7 +309,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe Rating (experimental) - Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) + Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16) Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide Protocol Support (weighted) 100 (30) Key Exchange (weighted) 100 (30) @@ -317,7 +317,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe Final Score 100 Overall Grade A+ - Done 2025-06-23 18:00:16 [ 99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<-- + Done 2025-09-28 16:13:50 [ 95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<-- ```` --- diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 8fa2abb..9cb5102 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 5779faa..f044f94 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Changelog +## V8.13.016.2025.09.28 +* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64`` + ## V8.13.008.2025.08.22 * **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot) diff --git a/docs/CNET.md b/docs/CNET.md index c652248..e5610df 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 1d07ed1..06214a3 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Coding Style
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 110b0ec..52f0251 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index c34287d..fafbbed 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index e5046d9..f79b4d3 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index dec69be..d82cb31 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.008.2025.08.22
+Master V8.13.016.2025.09.28
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.008.2025.08.22
+Master V8.13.016.2025.09.28
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index f8a7bd3..d5b7ac9 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.008.2025.08.22
+**Build**: V8.13.016.2025.09.28
# 2. Resources
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index aa26f08..c509a61 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
 # shellcheck disable=SC2155
 declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
 # shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.008.2025.08.22 2025-08-11 CLB(1)" "${var_cols}")
+ declare var_footer=$(center "V8.13.016.2025.09.28 2025-08-11 CLB(1)" "${var_cols}")
 {
 echo -e "\e[1;97m${var_header}\e[0m"
 echo
 echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m"
+ echo -e "\e[92mMaster V8.13.016.2025.09.28\e[0m"
 echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
 echo
 echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter
index 7fb3d32..7c3b089 100644
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.13.008.2025.08.22 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.13.016.2025.09.28 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
 chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
diff --git a/var/early.var.sh b/var/early.var.sh
index 316236b..acae11a 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
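Review bot: The new footer line `declare var_footer=$(center "V8.13.016.2025.09.28 2025-08-11 CLB(1)" "${var_cols}")` bumps the version string but keeps the man-page style date `2025-08-11`, so the usage footer now shows a build dated 2025.09.28 beside a page date from August; the date should move with the version or be dropped from the literal. The same release literal is also hardcoded in the `echo -e "\e[92mMaster V8.13.016.2025.09.28\e[0m"` line of this hunk and again in the scripts/9000-cdi-starter hunk, while var/early.var.sh in this commit already exports `VAR_VERSION="Master V8.13.016.2025.09.28"`; if early.var.sh is sourced before usage() runs, `echo -e "\e[92m${VAR_VERSION}\e[0m"` would make future bumps a single-line change in the library (the installer starter runs on the live system, so its literal may legitimately stay). usage() continues outside the hunk.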
@@ -14,7 +14,7 @@
 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.008.2025.08.22"
+declare -grx VAR_VERSION="Master V8.13.016.2025.09.28"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx VAR_EARLY_DEBUG="false"
 declare -gx VAR_HANDLER_AUTOBUILD="false"