V8.03.127.2025.06.02

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1024
-  version: V8.02.768.2025.06.01
+  version: V8.03.127.2025.06.02
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate-iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.02.768.2025.06.01
+### Version Master V8.03.127.2025.06.02
 
 name: Generating a private Live ISO.
 
@@ -132,12 +132,12 @@ jobs:
       - name: Preparing the build environment.
         shell: bash
         run: |
-          mkdir -p opt/config
+          mkdir -p /opt/config
-          mkdir -p opt/livebuild
+          mkdir -p /opt/livebuild
-          touch opt/config/password.txt && chmod 0600 opt/config/password.txt
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch opt/config/authorized_keys && chmod 0600 opt/config/authorized_keys
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
 
       - name: Starting CISS.debian.live.builder. This may take a while ...
         shell: bash
@@ -154,17 +154,18 @@ jobs:
             --dhcp-centurion \
             --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
             --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
-            --root-password-file opt/config/password.txt \
+            --root-password-file /opt/config/password.txt \
             --ssh-port 42842 \
-            --ssh-pubkey opt/config
+            --ssh-pubkey /opt/config
 
       - name: Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
         run: |
           set -euo pipefail
-          NC_BASE="https://cloud.e2ee.li"
-          SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
           SHARE_SUBDIR=""
 
           echo "Get directory listing via PROPFIND ..."
@@ -198,10 +199,11 @@ jobs:
 
       - name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
         shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
         run: |
-          SHARE_TOKEN="${{ secrets.CENTURION_CLOUD_UL_USER }}"
-          SHARE_PASS="${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
-
           if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
@@ -211,8 +213,8 @@ jobs:
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
           fi
 
-          if curl --progress-bar --retry 2 https://cloud.e2ee.li/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
-          --upload-file "${VAR_ISO_FILE_PATH}" -u '${SHARE_TOKEN}:${SHARE_PASS}' | cat; then
+          --upload-file "${VAR_ISO_FILE_PATH}" -u '${SHARE_TOKEN}:${SHARE_PASS}'; then
             echo "✅ New ISO successfully uploaded."
           else
             echo "❌ Uploading the new ISO failed."
@@ -236,6 +238,7 @@ jobs:
           sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
           SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
           touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
           gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.02.768.2025.06.01
+### Version Master V8.03.127.2025.06.02
 
 name: Retrieve the DNSSEC status at the time of updating the repository.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.02.768.2025.06.01"
+properties_version="V8.03.127.2025.06.02"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.02.768.2025.06.01
+PackageVersion: Master V8.03.127.2025.06.02
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.768.2025.06.01-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.127.2025.06.02-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -26,11 +26,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`.
+cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Find here more information to download
+the latest ISO available.
 
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
@@ -40,7 +41,7 @@ Check out more:
 * [CenturionMeet](https://talk.e2ee.li/) 
 * [Contact the author](https://coresecret.eu/contact/)
 
-## 1.1. Notes
+## 1.1. Preliminary Remarks
 
 ### 1.1.1. HSM
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
@@ -453,10 +454,10 @@ predictable script behavior.
   #...
         - name: Preparing the build environment.
           run: |
-            rm -rf opt/{config,livebuild}
+            mkdir -p /opt/config
-            mkdir -p opt/{config,livebuild}
+            mkdir -p /opt/livebuild
-            echo "${{ secrets.CHANGE_ME }}" >| opt/config/password.txt
+            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/password.txt
-            echo "${{ secrets.CHANGE_ME }}" >| opt/config/authorized_keys
+            echo "${{ secrets.CHANGE_ME }}" >| /opt/config/authorized_keys
   #...
         - name: Starting CISS.debian.live.builder. This may take a while ...
           run: |
@@ -464,18 +465,16 @@ predictable script behavior.
             timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
             ### Change "--autobuild=" to the specific kernel version you need: '6.12.22+bpo-amd64'.
             ./ciss_live_builder.sh \
-            --autobuild=CHANGE_ME \
+              --autobuild=CHANGE_ME \
-            --architecture CHANGE_ME \
+              --architecture CHANGE_ME \
-            --build-directory opt/livebuild \
+              --build-directory /opt/livebuild \
-            --control "${timestamp}" \
+              --control "${timestamp}" \
-            --jump-host "${{ secrets.CHANGE_ME }}" \
+              --jump-host "${{ secrets.CHANGE_ME }}" \
-            --renice-priority "-19" \
+              --root-password-file /opt/config/password.txt \
-            --reionice-priority 1 2 \
+              --ssh-port CHANGE_ME \
-            --root-password-file opt/config/password.txt \
+              --ssh-pubkey /opt/config
-            --ssh-port CHANGE_ME \
-            --ssh-pubkey opt/config
   #...
-        ### SKIP OR ADAPT ALL REMAINING STEPS
+        ### SKIP OR CHANGE ALL REMAINING STEPS
   ```
 
 # 6. Licensing & Compliance

ciss_live_builder.sh

@@ -40,7 +40,7 @@
 
 declare -g VAR_HANDLER_AUTOBUILD="false"
 declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.02.768.2025.06.01"
+declare -gr VAR_VERSION="Master V8.03.127.2025.06.02"
 
 ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.02.768.2025.06.01
+### Version Master V8.03.127.2025.06.02
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.02.768.2025.06.01
+### Version Master V8.03.127.2025.06.02
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.02.768.2025.06.01"
+declare -gr VERSION="Master V8.03.127.2025.06.02"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.02.768.2025.06.01 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.127.2025.06.02 at: 10:18:37.9542

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/CHANGELOG.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # TBA
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. Contributors
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. Credits
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. Usage
 ````text
 CISS.debian.live.builder
-Master V8.02.768.2025.06.01
+Master V8.03.127.2025.06.02
 
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.768.2025.06.01<br>
+**Build**: V8.03.127.2025.06.02<br>
 
 # 2. Resources
 

lib/lib_check_provider.sh

@@ -18,7 +18,7 @@
 check_provider() {
   clear
   cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.02.768.2025.06.01
+Build: Master V8.03.127.2025.06.02
 
 Press 'EXIT' to continue with CISS.debian.live.builder.
 

lib/lib_usage.sh

@@ -22,7 +22,7 @@ usage() {
   cat << EOF
 
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.02.768.2025.06.01\e[0m")
+$(echo -e "\e[92mMaster V8.03.127.2025.06.02\e[0m")
 
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")

scripts/9000-cdi-starter

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.02.768.2025.06.01 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.127.2025.06.02 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
   chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh