From f0ee12513f66af08021f0efa0dce20452e412784b1f7109ebcaa04029be4d6f8 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Mon, 17 Nov 2025 06:42:57 +0100 Subject: [PATCH] V8.13.416.2025.11.17 
Signed-off-by: Marc S. Weidner --- .archive/generate_PRIVATE_trixie_0.yaml | 2 +- .archive/generate_PRIVATE_trixie_1.yaml | 2 +- .archive/generate_PUBLIC_iso.yaml | 2 +- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/dockerfile | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_0.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 6 +- REPOSITORY.md | 4 +- ciss_live_builder.sh | 8 + .../hooks/live/0000_basic_chroot_setup.chroot | 3 +- .../hooks/live/0007_update_logrotate.chroot | 3 +- .../hooks/live/0010_install_apparmor.chroot | 3 +- config/hooks/live/0020_dropbear_build.chroot | 3 +- .../hooks/live/0021_dropbear_initramfs.chroot | 5 +- config/hooks/live/0022_dropbear_setup.chroot | 3 +- config/hooks/live/0080_keyboard_layout.chroot | 3 +- config/hooks/live/0090_jitterentropy.chroot | 3 +- config/hooks/live/0100_ciss_mem_wipe.chroot | 175 ++++++++++++++---- config/hooks/live/0400_eza_install.chroot | 3 +- config/hooks/live/0800_lynis_setup.chroot | 3 +- config/hooks/live/0810_chrony_setup.chroot | 3 +- .../live/0840_ufw_abuse_ipdb_reporter.chroot | 3 +- config/hooks/live/0860_sops.chroot | 3 +- config/hooks/live/0865_yq.chroot | 3 +- config/hooks/live/0870_bashdb.chroot | 3 +- .../hooks/live/9900_process_accounting.chroot | 3 +- config/hooks/live/9970_remove_exim.chroot | 3 +- config/hooks/live/9980_usb_guard.chroot | 3 +- config/hooks/live/9990_final_purge.chroot | 3 +- config/hooks/live/9993_aide.chroot | 3 +- config/hooks/live/9996_auditd.chroot | 3 +- config/hooks/live/9997_debsums.chroot | 3 +- .../live/9998_sources_list_trixie.chroot | 3 +- config/hooks/live/9999_yyyy_logrotate.chroot | 3 
+- .../includes.chroot/etc/ssh/ssh_known_hosts | 2 +- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/99_local.hardened | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/BOOTPARAMS.md | 2 +- docs/CHANGELOG.md | 6 +- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 6 +- docs/MAN_CISS_ISO_BOOT_CHAIN.md | 2 +- docs/MAN_SSH_Host_Key_Policy.md | 2 +- docs/REFERENCES.md | 2 +- lib/lib_usage.sh | 4 +- scripts/usr/local/sbin/9999_cdi_starter.sh | 4 +- var/bash.var.sh | 7 + var/early.var.sh | 2 +- 68 files changed, 251 insertions(+), 113 deletions(-) diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index 9f5d631..aa690d2 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index c7e7060..49c3eb0 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index 90a7aed..684082b 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index b5a5249..88abcc2 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.408.2025.11.13" + placeholder: "e.g., Master V8.13.416.2025.11.17" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index 6b9cf00..c50b240 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index afc48a9..578d721 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ” Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index b648e32..ad25d4c 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.408.2025.11.13 + version: V8.13.416.2025.11.17 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index 106bea9..4ed33f1 100644 
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 95bd361..9ee0bc0 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 5c7c089..207ca65 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index b57e702..a5fa9ab 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 990835f..af630ed 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ›ก๏ธ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 76c30d9..a8c5ecc 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 name: ๐Ÿ” Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index eace32a..87d9c1f 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.408.2025.11.13" +properties_version="V8.13.416.2025.11.17" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 5f7a2d3..3082bf9 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.408.2025.11.13 +PackageVersion: Master V8.13.416.2025.11.17 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder 
diff --git a/README.md b/README.md index 53d6b75..bc59537 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.408.2025.11.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.416.2025.11.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.408.2025.11.13` +Example: `V8.13.416.2025.11.17` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/REPOSITORY.md b/REPOSITORY.md index a358325..a885946 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2.1. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) โ€” Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **8.13**, Build **V8.13.408.2025.11.13** (as of 2025-10-11) +**Repository State:** Master Version **8.13**, Build **V8.13.416.2025.11.17** (as of 2025-10-11) ## 2.2. Top-Level Layout diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index 09c6d76..a251e95 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -20,6 +20,14 @@ # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2, # or Cygwin on Windows systems. +### RESOURCES +# https://github.com/koalaman/shellcheck +# https://github.com/mvdan/sh +# https://google.github.io/styleguide/shellguide.html +# https://mywiki.wooledge.org/BashGuide +# https://www.bashsupport.com/de/ +# https://www.gnu.org/software/bash/manual/ + ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES. # shellcheck disable=SC2155,SC2249 declare -agx ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array. diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index b330845..438288a 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot @@ -204,7 +204,8 @@ generate_ciss_xdg_sh generate_ciss_xdg_tmp_sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get update -qq apt-get install -y --no-install-suggests libpam-systemd diff --git a/config/hooks/live/0007_update_logrotate.chroot b/config/hooks/live/0007_update_logrotate.chroot index 68802c7..d0163f3 100644 --- a/config/hooks/live/0007_update_logrotate.chroot +++ b/config/hooks/live/0007_update_logrotate.chroot 
@@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" rm -f "/etc/logrotate.conf" cat << EOF >| "/etc/logrotate.conf" diff --git a/config/hooks/live/0010_install_apparmor.chroot b/config/hooks/live/0010_install_apparmor.chroot index 27e3702..9ce38d1 100644 --- a/config/hooks/live/0010_install_apparmor.chroot +++ b/config/hooks/live/0010_install_apparmor.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra install -d /etc/systemd/system/apparmor.service.d diff --git a/config/hooks/live/0020_dropbear_build.chroot b/config/hooks/live/0020_dropbear_build.chroot index 0c46646..a052496 100644 --- a/config/hooks/live/0020_dropbear_build.chroot +++ b/config/hooks/live/0020_dropbear_build.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" ### Declare Arrays, HashMaps, and Variables. declare var_dropbear_version="2025.88" diff --git a/config/hooks/live/0021_dropbear_initramfs.chroot b/config/hooks/live/0021_dropbear_initramfs.chroot index c381ac3..a3c3390 100644 --- a/config/hooks/live/0021_dropbear_initramfs.chroot +++ b/config/hooks/live/0021_dropbear_initramfs.chroot 
@@ -10,14 +10,15 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -set -x + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" ### Declare Arrays, HashMaps, and Variables. declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}" apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot index 60fdbcc..8aae560 100644 --- a/config/hooks/live/0022_dropbear_setup.chroot +++ b/config/hooks/live/0022_dropbear_setup.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" ####################################### # Set up the 'dropbear-initramfs' environment. diff --git a/config/hooks/live/0080_keyboard_layout.chroot b/config/hooks/live/0080_keyboard_layout.chroot index e708bdc..8d8b34a 100644 --- a/config/hooks/live/0080_keyboard_layout.chroot +++ b/config/hooks/live/0080_keyboard_layout.chroot @@ -22,7 +22,8 @@ BACKSPACE="guess" EOF [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" dpkg-reconfigure -f noninteractive keyboard-configuration printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" 
diff --git a/config/hooks/live/0090_jitterentropy.chroot b/config/hooks/live/0090_jitterentropy.chroot index 20f4950..def1794 100644 --- a/config/hooks/live/0090_jitterentropy.chroot +++ b/config/hooks/live/0090_jitterentropy.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y --no-install-recommends jitterentropy-rngd cd /root diff --git a/config/hooks/live/0100_ciss_mem_wipe.chroot b/config/hooks/live/0100_ciss_mem_wipe.chroot index e890499..ae442be 100644 --- a/config/hooks/live/0100_ciss_mem_wipe.chroot +++ b/config/hooks/live/0100_ciss_mem_wipe.chroot @@ -14,9 +14,10 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" -apt-get install -y --no-install-recommends kexec-tools busybox-static +apt-get install -y --no-install-recommends kexec-tools install -d -m 0755 /boot/ciss-memwipe install -d -m 0755 /usr/local/sbin 
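Review bot: Dropping `busybox-static` from the `apt-get install` line leaves the initramfs build without a guaranteed busybox: nothing in this diff installs `busybox` in its place, and the `command -v busybox || true` / `exit 42` check added in the next hunk only reports the absence at build time. If another hook installs the `busybox` package this is fine, but that is not visible here; otherwise add `busybox` to this line, or keep `busybox-static`, which also makes the shared-library copying that the next hunk introduces unnecessary and keeps the wipe image self-contained.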
@@ -25,32 +26,89 @@ install -d -m 0755 /etc/default ### Pick a kernel to kexec into: use the latest installed vmlinuz. ------------------------------------------------------------- # shellcheck disable=SC2012,SC2155 -declare _kernel="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)" -cp -f "/boot/vmlinuz-${_kernel}" /boot/ciss-memwipe/vmlinuz +declare _KERNEL="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)" +cp -f "/boot/vmlinuz-${_KERNEL}" /boot/ciss-memwipe/vmlinuz ### Build minimal initramfs with a busybox and a tiny '/init'. ----------------------------------------------------------------- -declare TMPDIR; TMPDIR="$(mktemp -d)" -trap 'rm -rf "${TMPDIR}"' EXIT +declare _TMP_DIR; _TMP_DIR="$(mktemp -d)" +trap 'rm -rf "${_TMP_DIR}"' EXIT -mkdir -p "${TMPDIR}"/{bin,dev,proc,sys,wipe} -cp -f /bin/busybox.static "${TMPDIR}/bin/busybox" +mkdir -p "${_TMP_DIR}"/{bin,dev,proc,sys,wipe} +### Locate the current busybox binary. ----------------------------------------------------------------------------------------- +declare _BUSYBOX_BIN; _BUSYBOX_BIN="$(command -v busybox || true)" +if [[ -z "${_BUSYBOX_BIN}" ]]; then + echo "ERROR: busybox not found after installation attempt." >&2 + exit 42 +fi + +cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox" + +### + +####################################### +# Copy required shared libs into the initramfs (if the busybox is dynamic). 
+# Globals: +# _TMP_DIR +# Arguments: +# 1: _BUSYBOX_BIN +# Returns: +# 0: on success +####################################### +copy_libs() { + declare bin="$1" + + if ldd "${bin}" 2>&1 | grep -q 'not a dynamic executable'; then + return 0 + fi + + ldd "${bin}" | awk ' + /=> \// {print $3} + # some libs are printed as absolute path without "=>" + /^\// {print $1} + ' | while read -r lib; do + [[ -n "${lib}" ]] || continue + dest="${_TMP_DIR}$(dirname "${lib}")" + install -d -m 0755 "${dest}" + cp -f "${lib}" "${dest}" + done +} + +copy_libs "${_BUSYBOX_BIN}" + +### Generate /init script cat << 'EOF' >| "${TMPDIR}/init" #!/bin/busybox sh -### Minimal init to wipe RAM, then power off. -### Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95 +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# Minimal init to wipe RAM, then power off. +# Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95 set -eu +####################################### +# Helper +# Globals: +# None +# Arguments: +# 1: key +# Returns: +# 0: on success +####################################### get_arg() { # $1=key ; echoes value or empty - for tok in $(cat /proc/cmdline); do - - case "${tok}" in + case "$tok" in $1=*) echo "${tok#*=}"; return 0;; esac - done - echo "" } 
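Review bot: The rename of `TMPDIR` to `_TMP_DIR` is incomplete: the unchanged `cat << 'EOF' >| "${TMPDIR}/init"` in this hunk, and `chmod +x "${TMPDIR}/init"` and `( cd "${TMPDIR}" && find . -print0 | cpio ... )` in the `@@ -101,31 +170,59 @@` hunk, still read `TMPDIR`, which is no longer declared; under `set -Ceuo pipefail` the hook aborts, and if the build environment happens to export `TMPDIR` the init file and the whole cpio archive are taken from that directory rather than the busybox tree. Change those three references to `${_TMP_DIR}`. Separately, `get_arg()` lost its loop: `for tok in $(cat /proc/cmdline); do`, the closing `done` and the trailing `echo ""` were removed while `case "$tok" in` was kept, so `$tok` is never assigned and no kernel parameter is parsed (with `set -eu` in the init script the first `get_arg` call most likely aborts it); restore those three lines. A minor point in `copy_libs()`: `dest` is assigned without `declare`, so it leaks into the hook's global scope.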
@@ -67,15 +125,24 @@ MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random" BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95 -echo 1 > /proc/sys/kernel/printk 2>/dev/null || true +echo 1 >| /proc/sys/kernel/printk 2>/dev/null || true MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)" SIZE_KB=$(( MEM_KB * PCT / 100 )) mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe +####################################### +# Wipe helper +# Globals: +# None +# Arguments: +# 1: pattern +# Returns: +# 0: on success +####################################### wipe_pass() { - pattern="$1" - if [ "${pattern}" = "zero" ]; then + pattern="$1" # zero or random + if [ "$pattern" = "zero" ]; then src="/dev/zero" else src="/dev/urandom" @@ -83,17 +150,19 @@ wipe_pass() { i=0 while :; do - busybox dd if="${src}" of="/wipe/block_${i}" bs="${BS}" status=none || break + # Use busybox dd explicitly to avoid surprises + busybox dd if="$src" of="/wipe/block_$i" bs="$BS" status=none || break i=$((i+1)) done sync echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true rm -f /wipe/block_* 2>/dev/null || true sync + return 0 } DO_ZERO=0; DO_RANDOM=0 -case "${MODE}" in +case "$MODE" in zero) DO_ZERO=1 ;; random) DO_RANDOM=1 ;; zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;; 
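Review bot: The new header comment on `wipe_pass()` states `Globals: None`, but the function reads `BS` and assigns `pattern`, `src` and `i` in the init script's global scope (see `busybox dd if="$src" of="/wipe/block_$i" bs="$BS"` in the following hunk), so the header is wrong on the one point it exists to document. Change it to `# Globals:` / `#   BS (read); pattern, src, i (set)`. The same header layout on `get_arg()` should likewise mention that it reads `/proc/cmdline`, since that is the function's only input besides `$1`.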
@@ -101,31 +170,59 @@ case "${MODE}" in esac p=1 -while [ ${p} -le "${PASSES}" ]; do - [ ${DO_ZERO} -eq 1 ] && wipe_pass zero - [ ${DO_RANDOM} -eq 1 ] && wipe_pass random +while [ $p -le "$PASSES" ]; do + [ $DO_ZERO -eq 1 ] && wipe_pass zero + [ $DO_RANDOM -eq 1 ] && wipe_pass random p=$((p+1)) done sync busybox poweroff -f || echo o >| /proc/sysrq-trigger + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF chmod +x "${TMPDIR}/init" +### Create the initramfs archive. ( cd "${TMPDIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img +### Default configuration. cat << 'EOF' >| /etc/default/ciss-memwipe -### CISS Memory Wipe defaults -CISS_WIPE_PASSES=2 # number of passes -CISS_WIPE_MODE="zero+random" # zero | random | zero+random -CISS_WIPE_DD_BS="64M" # dd block size -CISS_WIPE_TMPFS_PCT=95 # percentage of MemTotal to allocate +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# CISS Memory Wipe defaults: + +CISS_WIPE_PASSES=2 # number of passes +CISS_WIPE_MODE="zero+random" # zero | random | zero+random +CISS_WIPE_DD_BS="64M" # dd block size +CISS_WIPE_TMPFS_PCT=95 # percentage of MemTotal to allocate + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF +### Helper script cat << 'EOF' >| /usr/local/sbin/ciss-memwipe #!/bin/bash -# Prepare and execute kexec-based memory wipe. 
+# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu set -euo pipefail . /etc/default/ciss-memwipe || true @@ -136,22 +233,19 @@ INITRD="/boot/ciss-memwipe/initrd.img" append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}" prepare() { - # Try to allow kexec if not locked down if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then echo 0 > /proc/sys/kernel/kexec_load_disabled || true fi - # Load wipe kernel - if command -v kexec >/dev/null 2>&1 && [ -s "${KERNEL}" ] && [ -s "${INITRD}" ]; then - kexec -l "${KERNEL}" --initrd="${INITRD}" --append="${append_common}" || true + if command -v kexec >/dev/null 2>&1 && [ -s "$KERNEL" ] && [ -s "$INITRD" ]; then + kexec -l "$KERNEL" --initrd="$INITRD" --append="$append_common" || true fi } fallback_inplace() { - # Last-resort: wipe in-place via tmpfs and then power off mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe i=0 while :; do - dd if=/dev/zero of="/run/wipe/blk_${i}" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break + dd if=/dev/zero of="/run/wipe/blk_$i" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break i=$((i+1)) done sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true 
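Review bot: `/etc/default/ciss-memwipe` is written by the heredoc with whatever mode the build umask yields, yet the helper sources it as shell code (`. /etc/default/ciss-memwipe || true` at the end of this hunk) while running as root from the systemd unit, so anything that can write that file controls what runs at shutdown. Pin its ownership and mode explicitly right after the heredoc, e.g. `chmod 0644 /etc/default/ciss-memwipe`, the way the helper script itself gets `chmod 0755` later in this diff. The `_TMP_DIR`/`TMPDIR` mismatch in this hunk is covered by the note on the `@@ -25,32 +26,89 @@` hunk.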
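Review bot: The rewrite of the helper script drops every explanatory comment — `# Prepare and execute kexec-based memory wipe.`, `# Try to allow kexec if not locked down`, `# Load wipe kernel`, `# Last-resort: wipe in-place via tmpfs and then power off` — and replaces them only with the SPDX header, so the new file no longer says what it does or why `prepare()` writes `0` to `kexec_load_disabled` with a tolerated failure (the kernel documents that toggle as one-way, so the `|| true` is the expected outcome once it is set, not a rare error). Keep a one-line purpose comment below the header and restore the per-function intent comments. The same applies to the `execute()` hunk (`@@ -162,9 +256,7 @@`), which loses `# Prefer systemd's path if possible` and `# If kexec image was loaded, systemctl kexec will use it`, and to the unit-file hunks that lose `# Ensure we run late enough on shutdown, but early enough to take over` and `# ExecStop runs during shutdown: jump into wipe kernel`.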
@@ -162,9 +256,7 @@ fallback_inplace() { execute() { sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true - # Prefer systemd's path if possible if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then - # If kexec image was loaded, systemctl kexec will use it systemctl kexec || kexec -e || fallback_inplace else kexec -e || fallback_inplace @@ -176,15 +268,16 @@ case "${1:-}" in execute) execute ;; *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;; esac + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF chmod 0755 /usr/local/sbin/ciss-memwipe -### Systemd service: load at boot, execute on shutdown +### Systemd service: load at boot, execute on shutdown. cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service [Unit] Description=CISS: preload and execute kexec-based RAM wipe on shutdown DefaultDependencies=no -# Ensure we run late enough on shutdown, but early enough to take over Before=shutdown.target After=local-fs.target network.target multi-user.target @@ -192,7 +285,6 @@ After=local-fs.target network.target multi-user.target Type=oneshot RemainAfterExit=yes ExecStart=/usr/local/sbin/ciss-memwipe prepare -# ExecStop runs during shutdown: jump into wipe kernel ExecStop=/usr/local/sbin/ciss-memwipe execute TimeoutStartSec=20s TimeoutStopSec=infinity @@ -201,6 +293,9 @@ TimeoutStopSec=infinity WantedBy=multi-user.target EOF +install -d -m 0755 /etc/systemd/system/multi-user.target.wants +ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.target.wants/ciss-memwipe.service + systemctl enable ciss-memwipe.service printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" diff --git a/config/hooks/live/0400_eza_install.chroot b/config/hooks/live/0400_eza_install.chroot index efd4f96..5eb637a 100644 --- a/config/hooks/live/0400_eza_install.chroot +++ b/config/hooks/live/0400_eza_install.chroot 
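Review bot: In the `@@ -201,6 +293,9 @@` hunk the new `install -d ... multi-user.target.wants` plus `ln -sf` pair creates exactly the symlink that the following, unchanged `systemctl enable ciss-memwipe.service` derives from the unit's `[Install] WantedBy=multi-user.target`, so one of the two is redundant. If the manual symlink was added because `systemctl enable` is unreliable inside the chroot, the `systemctl enable` call still runs under `set -Ceuo pipefail` and aborts the hook whenever it fails, so the fallback never helps; either drop the manual symlink or guard the call with `systemctl enable ciss-memwipe.service || true` and state in a comment which of the two is authoritative.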
@@ -24,7 +24,8 @@ echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get update -qq apt-get install -y eza diff --git a/config/hooks/live/0800_lynis_setup.chroot b/config/hooks/live/0800_lynis_setup.chroot index f27119b..59b9d85 100644 --- a/config/hooks/live/0800_lynis_setup.chroot +++ b/config/hooks/live/0800_lynis_setup.chroot @@ -17,7 +17,8 @@ curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --d echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get update -qq apt-get install -y lynis lynis show version diff --git a/config/hooks/live/0810_chrony_setup.chroot b/config/hooks/live/0810_chrony_setup.chroot index bada646..15e318b 100644 --- a/config/hooks/live/0810_chrony_setup.chroot +++ b/config/hooks/live/0810_chrony_setup.chroot @@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " mkdir -p /var/log/chrony [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" export TZ="Etc/UTC" apt-get install -y adjtimex chrony tzdata diff --git a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot index 4f7888d..4686f33 100644 --- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot 
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \ apt-get install -y nodejs diff --git a/config/hooks/live/0860_sops.chroot b/config/hooks/live/0860_sops.chroot index dfd1757..7e55810 100644 --- a/config/hooks/live/0860_sops.chroot +++ b/config/hooks/live/0860_sops.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" SOPS_VER="v3.11.0" ARCH="$(dpkg --print-architecture)" diff --git a/config/hooks/live/0865_yq.chroot b/config/hooks/live/0865_yq.chroot index f397b8c..457dd70 100644 --- a/config/hooks/live/0865_yq.chroot +++ b/config/hooks/live/0865_yq.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq diff --git a/config/hooks/live/0870_bashdb.chroot b/config/hooks/live/0870_bashdb.chroot index 36c6c8b..9588790 100644 --- a/config/hooks/live/0870_bashdb.chroot +++ b/config/hooks/live/0870_bashdb.chroot 
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " umask 0077 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y texinfo diff --git a/config/hooks/live/9900_process_accounting.chroot b/config/hooks/live/9900_process_accounting.chroot index bfcd534..530ed5a 100644 --- a/config/hooks/live/9900_process_accounting.chroot +++ b/config/hooks/live/9900_process_accounting.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y acct if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then diff --git a/config/hooks/live/9970_remove_exim.chroot b/config/hooks/live/9970_remove_exim.chroot index 7c9bb50..3ee61be 100644 --- a/config/hooks/live/9970_remove_exim.chroot +++ b/config/hooks/live/9970_remove_exim.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" cd /etc diff --git a/config/hooks/live/9980_usb_guard.chroot b/config/hooks/live/9980_usb_guard.chroot index f3470ee..742d018 100644 --- a/config/hooks/live/9980_usb_guard.chroot +++ b/config/hooks/live/9980_usb_guard.chroot 
@@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y usbguard ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm diff --git a/config/hooks/live/9990_final_purge.chroot b/config/hooks/live/9990_final_purge.chroot index aae8415..789cc30 100644 --- a/config/hooks/live/9990_final_purge.chroot +++ b/config/hooks/live/9990_final_purge.chroot @@ -15,7 +15,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get update -qq diff --git a/config/hooks/live/9993_aide.chroot b/config/hooks/live/9993_aide.chroot index 108699a..3266c12 100644 --- a/config/hooks/live/9993_aide.chroot +++ b/config/hooks/live/9993_aide.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y aide > /dev/null 2>&1 cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot index 94f2af2..f10edbf 100644 --- a/config/hooks/live/9996_auditd.chroot +++ b/config/hooks/live/9996_auditd.chroot 
@@ -26,7 +26,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " cd /root [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y auditd cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak diff --git a/config/hooks/live/9997_debsums.chroot b/config/hooks/live/9997_debsums.chroot index f8c21d0..3a51dee 100644 --- a/config/hooks/live/9997_debsums.chroot +++ b/config/hooks/live/9997_debsums.chroot @@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " cd /root [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" apt-get install -y --no-install-recommends debsums cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak diff --git a/config/hooks/live/9998_sources_list_trixie.chroot b/config/hooks/live/9998_sources_list_trixie.chroot index 1e1d725..e1ea124 100644 --- a/config/hooks/live/9998_sources_list_trixie.chroot +++ b/config/hooks/live/9998_sources_list_trixie.chroot @@ -14,7 +14,8 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" # shellcheck disable=SC2155 declare -r VAR_DATE="$(date +%F)" diff --git a/config/hooks/live/9999_yyyy_logrotate.chroot b/config/hooks/live/9999_yyyy_logrotate.chroot index eb493fa..77b6b4d 100644 --- a/config/hooks/live/9999_yyyy_logrotate.chroot +++ b/config/hooks/live/9999_yyyy_logrotate.chroot 
@@ -34,7 +34,8 @@ declare -ar ary_logrotate=( declare var_file="" var_log="" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh -export DEBIAN_FRONTEND="noninteractive" INITRD="No" +export DEBIAN_FRONTEND="noninteractive" +export INITRD="No" for var_log in "${ary_logrotate[@]}"; do diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 4375467..a99c906 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 7aa7dd6..2179186 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index 39dbf97..7f8f080 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.408.2025.11.13 +# Version Master V8.13.416.2025.11.17 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index eafa00e..428276e 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.408.2025.11.13" +declare -gr VERSION="Master V8.13.416.2025.11.17" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 18fbadb..fa98f93 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg 
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.408.2025.11.13 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.416.2025.11.17 at: 10:18:37.9542 diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index 8c3d257..7d6805f 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index c984a8c..c44a4cc 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index d303a10..8cc8215 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 8f724be..200ad05 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index b355725..684482a 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 9b2996a..d1e3f1c 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 6113935..74b1e63 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Changelog +## V8.13.416.2025.11.17 +* **Global**: Explicit ``export INITRD="No"`` +* **Changed**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + ## V8.13.408.2025.11.13 * **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``. * **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping. diff --git a/docs/CNET.md b/docs/CNET.md index 6c435bf..f19e168 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index d2a670c..ab72608 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index c2d39b8..d075993 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 089c476..59a2c7d 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 264868b..46a52c0 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index a8db3b3..78bb6db 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V8.13.408.2025.11.13 +Master V8.13.416.2025.11.17 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. ๐Ÿ’ท Please consider donating to my work at: ๐ŸŒ https://coresecret.eu/spenden/ - V8.13.408.2025.11.13 2025-11-06 CDLB(1) + V8.13.416.2025.11.17 2025-11-06 CDLB(1) ```` # 3. Booting diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md index 7a3606d..7fc025e 100644 --- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md +++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. CISS.debian.live.builder โ€“ Boot & Trust Chain (Technical Documentation) diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md index 1b25d77..ce744c2 100644 --- a/docs/MAN_SSH_Host_Key_Policy.md +++ b/docs/MAN_SSH_Host_Key_Policy.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. SSH Host Key Policy โ€“ CISS.debian.live.builder / CISS.debian.installer diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index e65c48c..25631d0 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.408.2025.11.13
+**Build**: V8.13.416.2025.11.17
# 2. Resources diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index 0e40e34..0542582 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -39,13 +39,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V8.13.408.2025.11.13 2025-11-06 CDLB(1)" "${var_cols}") + declare var_footer=$(center "V8.13.416.2025.11.17 2025-11-06 CDLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V8.13.408.2025.11.13\e[0m" + echo -e "\e[92mMaster V8.13.416.2025.11.17\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh index 00d8ce4..f1bb696 100644 --- a/scripts/usr/local/sbin/9999_cdi_starter.sh +++ b/scripts/usr/local/sbin/9999_cdi_starter.sh @@ -127,7 +127,7 @@ main() { # shellcheck disable=SC2312 exec > >(tee -a "${var_log}") 2>&1 - printf "CISS.debian.installer Master V8.13.408.2025.11.13 is up! \n" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.416.2025.11.17 is up! \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -183,7 +183,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.installer Master V8.13.408.2025.11.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.416.2025.11.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } 
diff --git a/var/bash.var.sh b/var/bash.var.sh index dd7c2bf..0e85393 100644 --- a/var/bash.var.sh +++ b/var/bash.var.sh @@ -12,6 +12,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" +unset BASH_ENV CDPATH ENV GLOBIGNORE + ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e". set -o errtrace # Any traps on ERR are inherited in a subshell environment, the same as "set -E". @@ -32,8 +34,13 @@ shopt -u dotglob # If set, Bash includes filenames beginning with a '.' shopt -u extglob # If set, enable the extended pattern matching features. shopt -u nullglob # If set, filename expansion patterns that match no files expand to nothing and are removed. +### Deterministic environment +declare -gx LC_ALL=C.UTF-8 +declare -gx LANG=C.UTF-8 +declare -gx TZ=UTC declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" declare -gx IFS=$' \t\n' + umask 0022 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/var/early.var.sh b/var/early.var.sh index 713d342..e3ae270 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" declare -grx VAR_HOST="$(uname -n)" declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_SYSTEM="$(uname -mnosv)" -declare -grx VAR_VERSION="Master V8.13.408.2025.11.13" +declare -grx VAR_VERSION="Master V8.13.416.2025.11.17" declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{ # Print $4 and $5; include $6 only if it exists out = $4
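Review bot: `unset BASH_ENV CDPATH ENV GLOBIGNORE` in the first bash.var.sh hunk only protects processes started after this point; a non-interactive shell consults BASH_ENV at startup, before any of this file ran, so the line should state that it hardens child shells rather than the current one, e.g. `### Drop variables that alter startup/path behaviour of child shells; the current shell has already read them`. Without `-v`, `unset` falls back to removing a shell function of that name when no such variable exists, and if the invoking environment marked one of these read-only the unset fails with a non-zero status, which matters once errexit is in effect; `unset -v BASH_ENV CDPATH ENV GLOBIGNORE` is the precise form. guard_sourcing above suggests this file is sourced into a caller whose shell options are not visible here, so the errexit interaction is inferred.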
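Review bot: In the second bash.var.sh hunk `declare -gx LANG=C.UTF-8` is shadowed for every locale category by the `LC_ALL=C.UTF-8` line directly above it, so it only takes effect in children that themselves clear LC_ALL; keep it if that is intended, otherwise it is dead weight. The new values are also not protected: early.var.sh in this same commit uses `declare -grx` for its constants, and given the "Deterministic environment" comment, `declare -grx LC_ALL=C.UTF-8` and `declare -grx TZ=UTC` would stop a later sourced file from quietly changing them — confirm first that nothing downstream re-assigns them in this shell. If the build host lacks the C.UTF-8 locale, tools typically emit a setlocale warning and silently fall back to C rather than failing, so a short comment recording that assumption would help. The hunk ends at the vim modeline, so the whole change is visible.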