V8.13.384.2025.11.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -48,8 +48,8 @@ MaxAuthTries                 3
 MaxSessions                  2
 ### Begin randomly dropping new unauthenticated connections after the 2nd attempt,
 ### with a 64% chance to drop each additional connection, up to a hard limit of 08.
-MaxStartups                  02:64:08
-### Restrict each individual source IP to only 4 unauthenticated connection slot
+MaxStartups                  16:32:48
+### Restrict each individual source IP to only 8 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
 PerSourceMaxStartups         8
 ClientAliveInterval          300

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -1,3 +1,5 @@
+# bashsupport disable=BP5007
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -9,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.296.2025.10.29
+# Version Master V8.13.384.2025.11.06
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.296.2025.10.29"
+declare -gr VERSION="Master V8.13.384.2025.11.06"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.296.2025.10.29 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.384.2025.11.06 at: 10:18:37.9542

config/includes.chroot/usr/lib/live/boot/0030-verify-checksums

@@ -0,0 +1,212 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
+### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
+
+#######################################
+# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
+# Globals:
+#   LIVE_BOOT_CMDLINE
+#   _TTY
+# Arguments:
+#   1: _MOUNTPOINT
+# Returns:
+#   0 : Successful verification
+#######################################
+Verify_checksums() {
+  _MOUNTPOINT="${1}"
+
+  _TTY="/dev/tty8"
+
+  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
+
+  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
+
+  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
+
+    case "${_PARAMETER}" in
+
+      live-boot.verify-checksums=* | verify-checksums=*)
+
+        LIVE_VERIFY_CHECKSUMS="true"
+        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
+        ;;
+
+      live-boot.verify-checksums | verify-checksums)
+
+        LIVE_VERIFY_CHECKSUMS="true"
+        ;;
+
+      live-boot.verify-checksums-signatures | verify-checksums-signatures)
+
+        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
+        ;;
+
+    esac
+
+  done
+
+  case "${LIVE_VERIFY_CHECKSUMS}" in
+
+    true)
+      :
+      ;;
+
+    *)
+      return 0
+      ;;
+
+  esac
+
+  # shellcheck disable=SC2164
+  cd "${_MOUNTPOINT}"
+
+  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
+  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
+
+    log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
+    printf "\n"
+
+    CDLB_SCRIPT="$(basename "${0}")"
+    CDLB_SHA="sha512"
+    CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
+
+    for CDLB_ITEM in ${CDLB_SHA}; do
+
+      CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
+      CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
+      CDLB_CMD="${CDLB_ITEM}sum"
+
+      printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
+
+      if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+
+        printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
+        sleep 8
+        # TODO: Remove debug mode
+        # return 0
+
+      else
+
+        printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
+
+      fi
+
+      printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
+
+      CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
+      read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
+
+      if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
+
+        printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
+        sleep 8
+        # TODO: Remove debug mode
+        # return 0
+
+      fi
+
+      printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
+
+    done
+
+    printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
+
+    log_end_msg
+    printf "\n"
+
+  fi
+
+  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
+  log_begin_msg "Verifying checksums"
+  printf "\n"
+
+  # shellcheck disable=SC2001
+  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
+
+    # shellcheck disable=SC2060
+    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
+
+    for _CHECKSUM in ${_CHECKSUMS}; do
+
+      if [ -e "${_CHECKSUM}" ]; then
+
+        printf "Found [%s] ...\n" "${_CHECKSUM}"
+
+        if [ -e "/bin/${_DIGEST}sum" ]; then
+
+          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
+
+            printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
+            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
+            gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
+            _RETURN_PGP="${?}"
+
+          else
+
+            _RETURN_PGP="na"
+
+          fi
+
+          printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
+
+          # shellcheck disable=SC2312
+          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
+          _RETURN_SHA="${?}"
+
+          # Stop after the first verification.
+          break 2
+
+        else
+
+          printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
+
+        fi
+
+      fi
+
+    done
+
+  done
+
+  log_end_msg
+
+  case "${_RETURN_PGP},${_RETURN_SHA}" in
+
+    0,0)
+      log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
+      sleep 8
+      return 0
+      ;;
+
+    na,0)
+      log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
+      sleep 8
+      return 0
+      ;;
+
+    *,0)
+      panic "Verification of signature file failed while verification of checksum file successful."
+      ;;
+
+    na,*)
+      panic "Verification of checksum file failed."
+      ;;
+
+  esac
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh