msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

Compare commits

base: msw/CISS.debian.live.builder:b59bca727edfe0a0bd6875c3b6f271890c3b69e86369ef738eb40049e6759fa4
Branches Tags
msw/CISS.debian.live.builder:master msw/CISS.debian.live.builder:securityaudit/a10-a11-a12-secret-debug-cleanup msw/CISS.debian.live.builder:securityaudit/a01-a02-boot-attestation
msw/CISS.debian.live.builder:v8.13.142-stable msw/CISS.debian.live.builder:v8.13.008-stable msw/CISS.debian.live.builder:v8.03.864-stable msw/CISS.debian.live.builder:v8.03.832-stable msw/CISS.debian.live.builder:v8.03.768-stable msw/CISS.debian.live.builder:v8.03.644-stable
..
compare: msw/CISS.debian.live.builder:master
Branches Tags
msw/CISS.debian.live.builder:master msw/CISS.debian.live.builder:securityaudit/a10-a11-a12-secret-debug-cleanup msw/CISS.debian.live.builder:securityaudit/a01-a02-boot-attestation
msw/CISS.debian.live.builder:v8.13.142-stable msw/CISS.debian.live.builder:v8.13.008-stable msw/CISS.debian.live.builder:v8.03.864-stable msw/CISS.debian.live.builder:v8.03.832-stable msw/CISS.debian.live.builder:v8.03.768-stable msw/CISS.debian.live.builder:v8.03.644-stable

8 Commits
b59bca727e .. master

Author SHA256 Message Date
msw a8454eeadf V9.14.028.2026.06.18
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-18 10:49:41 +01:00
msw f31ac3503f V9.14.026.2026.06.17
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-18 06:46:41 +01:00
msw 0f28dad6c2 V9.14.026.2026.06.17
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-17 21:55:52 +01:00
msw 784c088c0e V9.14.026.2026.06.17
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-17 18:44:12 +01:00
msw 1d130a7027 V9.14.026.2026.06.17
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-17 17:14:45 +01:00
msw 7fb6ca2cd2 V9.14.026.2026.06.17
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-17 16:31:47 +01:00
msw 009f92aea1 V9.14.026.2026.06.17
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-17 15:49:17 +01:00
msw e11b6285ca V9.14.026.2026.06.12
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2026-06-12 06:26:46 +01:00
52 changed files with 426 additions and 171 deletions
Expand all files Collapse all files
.archive/generate_PRIVATE_trixie_0.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE.
.archive/generate_PRIVATE_trixie_1.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE.
.archive/generate_PUBLIC_iso.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 💙 Generating a PUBLIC Live ISO.
.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+1 -1
View File
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V9.14.026.2026.06.12"
placeholder: "e.g., Master V9.14.028.2026.06.18"
validations:
required: true
.gitea/TODO/dockerfile
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
FROM debian:bookworm
.gitea/TODO/render-md-to-html.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 🔁 Render README.md to README.html.
.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+1 -1
View File
@@ -11,5 +11,5 @@
build:
counter: 1023
version: V9.14.026.2026.06.12
version: V9.14.028.2026.06.18
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/trigger/t_generate_PUBLIC.yaml
+1 -1
View File
@@ -11,5 +11,5 @@
build:
counter: 1023
version: V9.14.026.2026.06.12
version: V9.14.028.2026.06.18
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/trigger/t_generate_dns.yaml
+1 -1
View File
@@ -11,5 +11,5 @@
build:
counter: 1023
version: V9.14.026.2026.06.12
version: V9.14.028.2026.06.18
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE.
.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 🔐 Generating a Private Live ISO TRIXIE.
.gitea/workflows/generate_PUBLIC_iso.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 💙 Generating a PUBLIC Live ISO.
.gitea/workflows/linter_char_scripts.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
# Gitea Workflow: Shell-Script Linting
#
.gitea/workflows/render-dnssec-status.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
.gitea/workflows/render-dot-to-png.yaml
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
name: 🔁 Render Graphviz Diagrams.
.version.properties
+1 -1
View File
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V9.14.026.2026.06.12"
properties_version="V9.14.028.2026.06.18"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
CISS.debian.live.builder.spdx
+1 -1
View File
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
PackageVersion: Master V9.14.026.2026.06.12
PackageVersion: Master V9.14.028.2026.06.18
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
README.md
+4 -4
View File
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.026.2026.06.12-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.028.2026.06.18-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
**CISS.debian.live.builder — First of its own.**<br>
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -137,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_
In compact form, my expectations for the system are:<br>
* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root.
* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. During boot, `0024-ciss-crypt-squash` copies `/live/filesystem.squashfs.sha512sum.txt[.sig]` from the real ISO medium to `/run/ciss-rootfs-attestation/`; `0042_ciss_post_decrypt_attest` then verifies that cached manifest/signature pair against `/etc/ciss/keys/<FPR>.gpg` and the exact bytes read from `/dev/mapper/crypt_liveiso`.
* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
@@ -181,7 +181,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V9.14.026.2026.06.12`
Example: `V9.14.028.2026.06.18`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
REPOSITORY.md
+2 -2
View File
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
**Repository State:** Master Version **9.14**, Build **V9.14.026.2026.06.12** (as of 2025-10-11)
**Repository State:** Master Version **9.14**, Build **V9.14.028.2026.06.18** (as of 2025-10-11)
## 3.1. Top-Level Layout
ciss.secureboot/private/README.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. CISS Secure Boot Private Material
ciss.secureboot/public/README.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. CISS Secure Boot Public Material
config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+64 -4
View File
@@ -65,6 +65,59 @@ preallocate() {
# shellcheck disable=SC2034
readonly -f preallocate
#######################################
# Validate that the rootfs attestation artifacts exist in the final ISO payload tree.
# Globals:
# None
# Arguments:
# 1: Rootfs attestation manifest path
# Returns:
# 0: on success
# 42: on failure
#######################################
require_rootfs_attestation_artifacts() {
declare manifest="${1}"
declare signature="${manifest}.sig"
declare artifact=""
for artifact in "${manifest}" "${signature}"; do
if [[ ! -e "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact missing: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ -L "${artifact}" || ! -f "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is not a regular file: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ ! -s "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is empty: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ ! -r "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is not readable: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f require_rootfs_attestation_artifacts
#######################################
# Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper.
# Globals:
@@ -142,9 +195,12 @@ EOF
# shellcheck disable=SC2034
readonly -f create_attestation
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
declare ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt"
declare LIVE_PAYLOAD_DIR="${VAR_HANDLER_BUILD_DIR}/binary/live"
declare ROOTFS_ATTESTATION_NAME="filesystem.squashfs.sha512sum.txt"
declare ROOTFS_ATTESTATION_REL="live/${ROOTFS_ATTESTATION_NAME}"
declare LUKSFS="${LIVE_PAYLOAD_DIR}/ciss_rootfs.crypt"
declare ROOTFS="${LIVE_PAYLOAD_DIR}/filesystem.squashfs"
declare ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/${ROOTFS_ATTESTATION_REL}"
declare DM_LAB="crypt_liveiso"
declare DEVMAP="/dev/mapper/${DM_LAB}"
declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
@@ -162,8 +218,10 @@ declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n"
create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"
require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
printf "\e[92m✅ Attestation of filesystem.squashfs successful. \e[0m\n"
printf "\e[92m✅ Attestation of filesystem.squashfs successful: ISO paths [/%s] and [/%s.sig]. \e[0m\n" \
"${ROOTFS_ATTESTATION_REL}" "${ROOTFS_ATTESTATION_REL}"
### Safety margin:
# - LUKS2-Header and Metadata
@@ -250,6 +308,8 @@ shred -fzu -n 5 -- "${LUKS_KEY_FILE}"
rm -f -- "${ROOTFS}"
require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
umask "${__umask}"
__umask=""
config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+1 -1
View File
@@ -39,7 +39,7 @@ install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include binaries -----------------------------------------------------------------------------------------------------------
for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
for bin in awk bash blkid busybox dd dmsetup gawk gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
path="$(command -v "${bin}" 2>/dev/null || true)"
config/includes.chroot/etc/ssh/ssh_known_hosts
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
config/includes.chroot/etc/ssh/sshd_config
+1 -1
View File
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
+1 -1
View File
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V9.14.026.2026.06.12
# Version Master V9.14.028.2026.06.18
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+1 -1
View File
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V9.14.026.2026.06.12"
declare -gr VERSION="Master V9.14.028.2026.06.18"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
config/includes.chroot/preseed/preseed.cfg
+1 -1
View File
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V9.14.026.2026.06.12 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V9.14.028.2026.06.18 at: 10:18:37.9542
config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+68
View File
@@ -295,6 +295,10 @@ export CDLB_MAPPER_NAME="crypt_liveiso"
export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
export CDLB_MNT_MEDIUM="/run/live/medium"
export CDLB_MNT_ROOTFS="/run/live/rootfs"
export CDLB_ROOTFS_ATTEST_NAME="filesystem.squashfs.sha512sum.txt"
export CDLB_ROOTFS_ATTEST_CACHE_DIR="/run/ciss-rootfs-attestation"
export CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
export CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_MANIFEST}.sig"
export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
_PARAMETER=""
_dev=""
@@ -377,6 +381,66 @@ fi
printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
### Preserve rootfs attestation evidence before live-boot may replace or unmount the medium view. -----------------------------
CDLB_ROOTFS_ATTEST_SOURCE="${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}"
CDLB_ROOTFS_ATTEST_SOURCE_SIG="${CDLB_ROOTFS_ATTEST_SOURCE}.sig"
if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" ]; then
printf "\e[91m[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [%s] [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}"
sleep 8
log "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
panic "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
fi
if ! mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
printf "\e[91m[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
if ! chmod 0755 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
printf "\e[91m[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
printf "\e[91m[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
if ! chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
printf "\e[91m[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
chmod 0555 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" 2>&- || true
printf "\e[92m[INFO] Rootfs attestation : Preserved [%s] and [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
@@ -587,6 +651,10 @@ export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
export CDLB_ROOTFS_ATTEST_NAME=${CDLB_ROOTFS_ATTEST_NAME}
export CDLB_ROOTFS_ATTEST_CACHE_DIR=${CDLB_ROOTFS_ATTEST_CACHE_DIR}
export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}
export CDLB_ROOTFS_ATTEST_SIGNATURE=${CDLB_ROOTFS_ATTEST_SIGNATURE}
export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
EOF
chmod 0444 /run/ciss-rootdev 2>&- || true
config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+78 -35
View File
@@ -14,8 +14,6 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# ToDo: Remove Debug
# Module summary:
# - Runs after the encrypted live root filesystem has been decrypted.
# - Requires the pinned public key, external rootfs attestation manifest, and detached signature to exist as readable,
@@ -26,40 +24,9 @@
# - Panics on missing, malformed, unauthentic, or mismatched evidence.
set -eu
PS4='+ 0042(): '
set -x
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
ciss_debug_countdown=8
while [ "${ciss_debug_countdown}" -gt 0 ]; do
printf "\e[93m[DEBUG] 0042() countdown : %s seconds \n\e[0m" "${ciss_debug_countdown}"
sleep 1
ciss_debug_countdown=$((ciss_debug_countdown - 1))
done
printf "\e[93m[DEBUG] 0042() reached : countdown finished, checking panic availability \n\e[0m"
### Check panic command availability -------------------------------------------------------------------------------------------
if ! command -v panic >/dev/null 2>&1; then
printf "\e[93m[DEBUG] 0042() panic : installing fallback panic() \n\e[0m"
panic() {
printf '\e[91m[FATAL] %s \n\e[0m' "${*}" >&2
exit 1
}
else
printf "\e[93m[DEBUG] 0042() panic : existing panic command available \n\e[0m"
fi
printf "\e[93m[DEBUG] 0042() reached : panic availability check finished \n\e[0m"
### Declare variables ----------------------------------------------------------------------------------------------------------
### Will be replaced at build time:
@@ -72,8 +39,10 @@ export CDLB_MAPPER_DEV="${CDLB_MAPPER_DEV:-/dev/mapper/${CDLB_MAPPER_NAME}}"
export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}"
### Locations of the attestation file of filesystem.squashfs on the verified live medium. --------------------------------------
CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/filesystem.squashfs.sha512sum.txt}"
CDLB_ROOTFS_ATTEST_NAME="${CDLB_ROOTFS_ATTEST_NAME:-filesystem.squashfs.sha512sum.txt}"
CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}}"
CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}"
CDLB_ROOTFS_ATTEST_CACHE_DIR="${CDLB_ROOTFS_ATTEST_CACHE_DIR:-/run/ciss-rootfs-attestation}"
CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}"
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
@@ -106,6 +75,17 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
#######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
### Provide a local fail-closed fallback when this file is executed as a subprocess outside the live-boot shell context. --------
if ! command -v panic >/dev/null 2>&1; then
panic() {
log_er "${*}"
printf '%s\n' "0042 FATAL: ${*}" >/dev/console 2>/dev/null || :
exit 1
}
fi
#######################################
# Validate a boot-time attestation input file.
# Globals:
@@ -158,6 +138,63 @@ require_attestation_file() {
return 0
}
#######################################
# Resolve rootfs attestation paths on known live medium mountpoints.
# Globals:
# CDLB_MNT_MEDIUM
# CDLB_ROOTFS_ATTEST_MANIFEST
# CDLB_ROOTFS_ATTEST_NAME
# CDLB_ROOTFS_ATTEST_SIGNATURE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
resolve_rootfs_attestation_artifacts() {
medium_path=""
manifest_path=""
signature_path=""
if [ -f "${CDLB_ROOTFS_ATTEST_MANIFEST}" ] && [ -f "${CDLB_ROOTFS_ATTEST_SIGNATURE}" ]; then
return 0
fi
manifest_path="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
signature_path="${manifest_path}.sig"
if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
return 0
fi
for medium_path in "${CDLB_MNT_MEDIUM}" /run/live/medium /lib/live/mount/medium /cdrom; do
[ -n "${medium_path}" ] || continue
manifest_path="${medium_path}/live/${CDLB_ROOTFS_ATTEST_NAME}"
signature_path="${manifest_path}.sig"
if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
return 0
fi
done
log_er "0042() : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
panic "0042() : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
return 1
}
#######################################
# Validate the decrypted rootfs payload device.
# Globals:
@@ -177,7 +214,11 @@ require_rootfs_payload_device() {
fi
if [ -L "${artifact_path}" ] || { [ ! -b "${artifact_path}" ] && [ ! -f "${artifact_path}" ]; }; then
if [ -b "${artifact_path}" ]; then
:
elif [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
log_er "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
panic "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
@@ -303,6 +344,8 @@ verify_rootfs_payload() {
return 0
}
resolve_rootfs_attestation_artifacts
HASH_FILE="${CDLB_ROOTFS_ATTEST_MANIFEST}"
SIGN_FILE="${CDLB_ROOTFS_ATTEST_SIGNATURE}"
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
-11
View File
@@ -498,17 +498,6 @@ setup_unionfs ()
### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
printf "\e[95m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
# ToDo: Remove debug.
ciss_debug_countdown=8
while [ "${ciss_debug_countdown}" -gt 0 ]; do
printf "\e[93m[DEBUG] 9990() countdown : %s seconds \n\e[0m" "${ciss_debug_countdown}"
sleep 1
ciss_debug_countdown=$((ciss_debug_countdown - 1))
done
chmod +x /usr/lib/live/boot/0042_ciss_post_decrypt_attest
if [ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ]; then
docs/AUDIT_DNSSEC.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. DNSSEC Status
docs/AUDIT_HAVEGED.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Haveged Audit on Netcup RS 2000 G11
docs/AUDIT_LYNIS.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Lynis Audit:
docs/AUDIT_SSH.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. SSH Audit by ssh-audit.com
docs/AUDIT_TLS.md
+51 -53
View File
@@ -8,15 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. TLS Audit:
````text
./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
#####################################################################
testssl.sh version 3.2.2 from https://testssl.sh/
(2e77f5e 2025-09-22 19:35:27)
testssl.sh version 3.2.3 from https://testssl.sh/
(0ff7a34 2026-06-01 09:45:44)
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -27,7 +26,7 @@ include_toc: true
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64
Start 2025-09-28 16:12:17 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Start 2026-06-17 14:44:50 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40
rDNS (152.53.110.40): git.coresecret.dev.
@@ -73,11 +72,11 @@ TLSv1
TLSv1.1
-
TLSv1.2 (server order)
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 448 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLSv1.3 (server order)
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
x1302 TLS_AES_256_GCM_SHA384 MLKEM1024 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 MLKEM1024 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
Has server cipher order? yes (OK) -- TLS 1.3 and below
@@ -88,21 +87,21 @@ TLSv1.3 (server order)
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302 TLS_AES_256_GCM_SHA384 ECDH 448 AESGCM 256 TLS_AES_256_GCM_SHA384 available
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 448 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available
x1302 TLS_AES_256_GCM_SHA384 MLKEM1024 AESGCM 256 TLS_AES_256_GCM_SHA384 available
x1303 TLS_CHACHA20_POLY1305_SHA256 MLKEM1024 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 available
xcc14 ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc13 ECDHE-RSA-CHACHA20-POLY1305-OLD ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xcc15 DHE-RSA-CHACHA20-POLY1305-OLD DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD not a/v
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 available
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 not a/v
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not a/v
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 available
xc028 ECDHE-RSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not a/v
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 not a/v
xc014 ECDHE-RSA-AES256-SHA ECDH AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not a/v
xc00a ECDHE-ECDSA-AES256-SHA ECDH AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA not a/v
xa3 DHE-DSS-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 not a/v
x9f DHE-RSA-AES256-GCM-SHA384 DH AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 not a/v
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 available
xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 448 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 available
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xccaa DHE-RSA-CHACHA20-POLY1305 DH ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not a/v
xc0af ECDHE-ECDSA-AES256-CCM8 ECDH AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 not a/v
xc0ad ECDHE-ECDSA-AES256-CCM ECDH AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM not a/v
@@ -170,9 +169,10 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
xc086 - ECDH CamelliaGCM 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
xc08a - ECDH CamelliaGCM 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 not a/v
KEMs offered MLKEM1024 X25519MLKEM768 SecP384r1MLKEM1024
Elliptic curves offered: secp384r1 secp521r1 X448
TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
TLS 1.2 sig_algs offered: ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224
TLS 1.3 sig_algs offered: ECDSA+SHA384
Testing server defaults (Server Hello)
@@ -185,33 +185,33 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
TLS clock skew Random values, no fingerprinting possible
Certificate Compression none
Client Authentication none
Signature Algorithm SHA256 with RSA
Server key size RSA 4096 bits (exponent is 65537)
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial 13292523EB168BD226CE46 (OK: length 11)
Fingerprints SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
Signature Algorithm ECDSA with SHA256
Server key size EC 384 bits (curve P-384)
Server key usage Digital Signature
Server extended key usage TLS Web Server Authentication
Serial 85135AE9A772A9778768548CDED9F483 (OK: length 16)
Fingerprints SHA1 7745E895B49A44DA786509D124F7BAEF5BCDE21A
SHA256 EBAC1DAD82CFAF97644D2F9A03082DE9ABC2B44AD4C86FE6FA202D3EF7243FE4
Common Name (CN) coresecret.dev
subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
subjectAltName (SAN) coresecret.dev badges.coresecret.dev cendev.eu git.coresecret.dev lab.coresecret.dev phpmyadmin.git.coresecret.dev
run.coresecret.dev uml.coresecret.dev www.coresecret.dev
Trust (hostname) Ok via SAN (same w/o SNI)
Chain of trust Ok
EV cert (experimental) no
Certificate Validity (UTC) 178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
Certificate Validity (UTC) 89 >= 60 days (2026-06-16 00:00 --> 2026-09-14 23:59)
ETS/"eTLS", visibility info not present
In pwnedkeys.com DB not in database Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
OCSP URI http://ocsp.buypass.com, not revoked
In pwnedkeys.com DB not in database
Certificate Revocation List --
OCSP URI http://ocsp.sectigo.com, not revoked
OCSP stapling offered, not revoked
OCSP must staple extension --
OCSP must staple extension supported
DNS CAA RR (experimental) available - please check for match with "Issuer" below
communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
contactemail=caa@coresecret.eu, iodef=mailto:caa@coresecret.eu, issue=;, issue=certum.pl, issue=letsencrypt.org;,
issue=quantumsign.eu;, issue=sectigo.com, issuemail=certum.pl, issuevmc=sectigo.com, issuewild=;
Certificate Transparency yes (certificate extension)
Certificates provided 2
Issuer Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
Intermediate cert validity #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
Issuer ZeroSSL ECC DV SSL CA 2 (ZeroSSL GmbH from AT)
Intermediate cert validity #1: ok > 40 days (2035-09-23 23:59). ZeroSSL ECC DV SSL CA 2 <-- Sectigo Public Server Authentication Root E46
Intermediate Bad OCSP (exp.) Ok
@@ -223,7 +223,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Public Key Pinning --
Server banner nginx
Application banner --
Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly
Cookie(s) 1 issued: 1/1 secure, 1/1 HttpOnly
Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
@@ -236,7 +236,6 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: unsafe-none
X-XSS-Protection: 1; mode=block
Permissions-Policy: interest-cohort=()
Referrer-Policy: no-referrer
Cache-Control: no-cache
Reverse Proxy banner --
@@ -257,8 +256,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
@@ -271,24 +269,24 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy
------------------------------------------------------------------------------------------------
Android 7.0 (native) No connection
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
IE 8 Win 7 No connection
IE 11 Win 7 No connection
IE 11 Win 8.1 No connection
IE 11 Win Phone 8.1 No connection
IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
IE 11 Win 7 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
IE 11 Win 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
IE 11 Win Phone 8.1 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
IE 11 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 15 Win 10 TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 384 bit ECDH (P-384)
Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 384 bit ECDH (P-384)
Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
@@ -299,11 +297,11 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 448 bit ECDH (X448)
Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768
Apple Mail (16.0) TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384 521 bit ECDH (P-521)
Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 521 bit ECDH (P-521)
@@ -317,7 +315,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Final Score 100
Overall Grade A+
Done 2025-09-28 16:13:50 [ 95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Done 2026-06-17 14:46:05 [ 78s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
````
---
docs/BOOTPARAMS.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Hardened Kernel Boot Parameters
docs/CHANGELOG.md
+12 -1
View File
@@ -8,10 +8,21 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Changelog
## V9.14.028.2026.06.18
* **Changed**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Explicitly permissions the runtime rootfs attestation cache and fails closed on cache creation or chmod errors.
* **Changed**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md) Documents the rootfs attestation artifact custody path from build-time `binary/live` creation through the `0024` runtime cache and `0042` verification.
* **Changed**: [README.md](../README.md) Documents the runtime rootfs attestation cache handoff.
## V9.14.026.2026.06.17
* **Updated**: git.coresecret.dev nginx Mainline 1.31.1 custom build with OpenSSL 4.0.1 to support PQC KEX algorithms:
* * ``MLKEM1024`` ``SecP384r1MLKEM1024`` ``X25519MLKEM768``
* * ECDH: ``X448`` ``secp521r1`` ``secp384r1``
* **Updated**: [AUDIT_TLS.md](AUDIT_TLS.md)
## V9.14.024.2026.06.11
* **Added**: [lib_build_dir_safety.sh](../lib/lib_build_dir_safety.sh) Integrated Security Audit Finding A12
* **Added**: [lib_debug_sanitize.sh](../lib/lib_debug_sanitize.sh) Integrated Security Audit Finding A11
docs/CNET.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Centurion Net - Developer Branch Overview
docs/CODING_CONVENTION.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Purpose
docs/CONTRIBUTING.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Contributing / participating
docs/CREDITS.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Credits
docs/DL_PUB_ISO.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Download the latest PUBLIC CISS.debian.live.ISO
docs/DOCUMENTATION.md
+3 -3
View File
@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
Master V9.14.026.2026.06.12
Master V9.14.028.2026.06.18
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2026
@@ -190,7 +190,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
V9.14.026.2026.06.12 2026-05-17 CDLB(1)
V9.14.028.2026.06.18 2026-05-17 CDLB(1)
````
# 3. Booting
docs/MAN_CISS_ISO_BOOT_CHAIN.md
+101 -15
View File
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. CISS.debian.live.builder Boot & Trust Chain (Technical Documentation)
**Status:** 2026-06-10<br>
**Status:** 2026-06-18<br>
**Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; `0024-ciss-crypt-squash` preserves the rootfs attestation artifacts from the real ISO medium into a stable initramfs runtime cache; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
# 3. Overview
@@ -22,7 +22,7 @@ include_toc: true
* **Integrity and authenticity verification:**
1. **Mounted live medium:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed `/run/live/medium`, verify `sha512sum.txt` using `gpgv`, FPR pinning, and checksum execution.
2. **Decrypted rootfs payload:** Verify the external rootfs attestation manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
2. **Decrypted rootfs payload:** Preserve the external rootfs attestation manifest and detached signature before live-boot may replace or unmount the medium view, verify the cached manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
* **Storage-level confidentiality and keyed sector integrity:** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
* **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
@@ -55,7 +55,7 @@ private Secure Boot key names are detected in those paths before live-build chec
| dm-integrity | `hmac-sha512` (keyed), journal | Keyed per-sector integrity for the opened mapping; not origin authenticity |
| PBKDF | `argon2id`, `--iter-time 1000` ms, `--pbkdf-memory 262144`, `--pbkdf-parallel 1` | Bounded key derivation cost for initramfs unlock |
| Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs |
| Verification | `gpgv --keyring <pinned-keyring>` | Explicit keyring selection and no agent dependency in initramfs |
| Hash lists | `sha512sum` format | Deterministic content verification |
| Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock |
@@ -92,8 +92,10 @@ flowchart TD
0090 e09@--> 0100["Starting CISS.hardened dropbear"];
0100 e10@--> 0110["Executing live-boot, mounting ISO FS"];
0110 e11@--> 0122["Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work"];
0122 e12@--> 0124["Executing 0024-ciss: LUKS open (dm-crypt & integrity)"];
0124 e13@--> |SUCCESSFUL| LUKS["Decrypted mapper exposed; livefs_root=/run/live/medium set"];
0122 e12@--> 0124["Executing 0024-ciss: Mount ISO medium and locate /live/ciss_rootfs.crypt"];
0124 e13@--> CACHE["0024-ciss: Preserve rootfs attestation artifacts in /run/ciss-rootfs-attestation"];
CACHE e13b@--> LUKSOPEN["0024-ciss: LUKS open (dm-crypt & integrity)"];
LUKSOPEN e13c@--> |SUCCESSFUL| LUKS["Decrypted mapper exposed; livefs_root=/run/live/medium set"];
LUKS e14@--> 0126["Executing 0026-ciss: Hardening early sysctls"];
0126 e15@--> 0130["Executing 0030-ciss: Mounted live-medium checksum and signature verification"];
0130 e16@--> |SUCCESSFUL| ROOT["9990-overlay: Mount SquashFS / OverlayFS"];
@@ -111,6 +113,8 @@ flowchart TD
e11@{ animation: fast }
e12@{ animation: fast }
e13@{ animation: fast }
e13b@{ animation: fast }
e13c@{ animation: fast }
e14@{ animation: fast }
e15@{ animation: fast }
e16@{ animation: fast }
@@ -130,6 +134,8 @@ flowchart TD
0030 -- FAIL --> X;
0040 -- FAIL --> X;
0124 -- FAIL --> X;
CACHE -- FAIL --> X;
LUKSOPEN -- FAIL --> X;
0130 -- FAIL --> X;
0142 -- FAIL --> X;
```
@@ -145,6 +151,19 @@ ISO medium
└── OverlayFS / running root filesystem
```
Rootfs attestation evidence follows a separate side path:
```text
ISO medium
├── /live/filesystem.squashfs.sha512sum.txt
└── /live/filesystem.squashfs.sha512sum.txt.sig
└── copied by 0024-ciss-crypt-squash to:
├── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt
└── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig
```
The `/run/ciss-rootfs-attestation/` cache is only a stable initramfs runtime location. It is not a trust anchor. `0042_ciss_post_decrypt_attest` still requires the cached manifest to verify against the detached signature, the pinned GPG fingerprint, and the actual decrypted mapper bytes.
```mermaid
---
config:
@@ -186,6 +205,38 @@ cryptsetup luksFormat \
**Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
## 7.1. Rootfs Attestation Artifacts Created at Build Time
`config/hooks/live/zzzz_ciss_crypt_squash.hook.binary` runs in the live-build binary phase after `binary/live/filesystem.squashfs` exists and before the final ISO image is emitted.
The hook expects:
| Artifact | Build-time path | Purpose |
|-----------------------------|------------------------------------------------------------|-----------------------------------------------------------------------------------------|
| Final plaintext SquashFS | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs` | Source byte stream that will be attested and copied into the encrypted mapper. |
| Signing key passphrase file | `${VAR_SIGNING_KEY_PASSFILE}` | Unlocks the configured signing key without exposing the passphrase on the command line. |
| Verification keyring | `${VAR_VERIFY_KEYRING}` | Build-time self-check for the detached signature before the ISO is accepted. |
The hook creates:
| Artifact | Build-time path | ISO path |
|---------------------------------------|------------------------------------------------------------------------------|-----------------------------------------------|
| Encrypted live root container | `${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt` | `/live/ciss_rootfs.crypt` |
| Rootfs attestation manifest | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt` | `/live/filesystem.squashfs.sha512sum.txt` |
| Rootfs attestation detached signature | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt.sig` | `/live/filesystem.squashfs.sha512sum.txt.sig` |
The manifest format is intentionally small and deterministic:
```text
# CISS.debian.live.builder Master <version>
# Attestation file for filesystem.squashfs Version 1.0.0
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
# Bytes : Final filesystem.squashfs <exact-byte-count>
<sha512-of-final-filesystem.squashfs> filesystem.squashfs
```
The signed boundary is the final SquashFS byte stream before LUKS wrapping. The hook writes that byte stream into `/dev/mapper/crypt_liveiso`, closes the mapper, shreds the transient LUKS key file, removes `binary/live/filesystem.squashfs`, and keeps only `/live/ciss_rootfs.crypt` plus the manifest/signature pair in the final ISO payload tree.
# 8. Mounted Live-Medium Checksum Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
**Goal:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed the live medium context, but before the final live root is accepted, verify:
@@ -203,17 +254,39 @@ cryptsetup luksFormat \
# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
**Goal:** After LUKS unlocked, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
**Goal:** After LUKS unlocked, and the live root has been mounted by `9990-overlay.sh`, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
* **Attested boundary:** the final `binary/live/filesystem.squashfs` byte stream, immediately before it is copied into `/dev/mapper/crypt_liveiso` by `zzzz_ciss_crypt_squash.hook.binary`.
* **Runtime verification boundary:** the first byte count declared by `# Bytes : Final filesystem.squashfs <bytes>` in the signed manifest, read from the decrypted mapper. Any LUKS allocation slack after the SquashFS payload is intentionally excluded.
* **Attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]`
* **ISO attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]` while the original ISO medium is mounted by `0024-ciss-crypt-squash`.
* **Runtime attestation cache:** `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt[.sig]`, copied by `0024-ciss-crypt-squash` before live-boot may replace or unmount the medium view during `toram` handling.
* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
## 9.1. Runtime Artifact Custody and Expectations
| Step | Actor | Requires | Copies / writes | Later consumer |
|------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|
| 1 | `0024-ciss-crypt-squash` | Mounted ISO medium at `/run/live/medium`; `/run/live/medium/live/ciss_rootfs.crypt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt.sig` | Copies the manifest to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt` and the detached signature to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; sets the cache directory to `0755` before copy, cached files to `0444`, and best-effort final directory mode to `0555` | `0042_ciss_post_decrypt_attest` |
| 2 | `0024-ciss-crypt-squash` | `/run/live/medium/live/ciss_rootfs.crypt`; unlock passphrase from console or Dropbear path | Opens the encrypted container as `/dev/mapper/crypt_liveiso`; writes `/run/ciss-rootdev` with mapper, medium, and attestation-cache paths | `9990-overlay.sh` |
| 3 | `9990-main.sh` | `/conf/param.conf` with `PLAIN_ROOT=1` and `livefs_root=/run/live/medium`; optional `toram` boot parameter | May copy live media to RAM and may leave `/run/live/medium` busy, replaced, or otherwise unsuitable as the only attestation source | `9990-overlay.sh` and `0042_ciss_post_decrypt_attest` |
| 4 | `9990-overlay.sh` | `/run/ciss-rootdev`; `/dev/mapper/crypt_liveiso` | Sources `/run/ciss-rootdev`, overrides the image directory to `/dev/mapper/crypt_liveiso`, mounts the decrypted SquashFS read-only, and invokes `/usr/lib/live/boot/0042_ciss_post_decrypt_attest` | `0042_ciss_post_decrypt_attest` |
| 5 | `0042_ciss_post_decrypt_attest` | `/etc/ciss/keys/<pinned-FPR>.gpg`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; `/dev/mapper/crypt_liveiso` | Creates transient `/run/ciss-rootfs-attestation.sha512sum` for `sha512sum -c`; does not create trusted evidence | Boot continues only after signature, FPR, and exact payload bytes all verify |
`0042_ciss_post_decrypt_attest` resolves artifacts in this order:
1. The explicit manifest/signature paths exported through `/run/ciss-rootdev`.
2. The default runtime cache under `/run/ciss-rootfs-attestation/`.
3. Compatibility fallback mountpoints: `${CDLB_MNT_MEDIUM}`, `/run/live/medium`, `/lib/live/mount/medium`, and `/cdrom`.
The fallback mountpoints are diagnostic and compatibility paths. The intended normal path for current CISS ISOs is the runtime cache copied by `0024-ciss-crypt-squash`.
**Core calls (initramfs):**
```sh
# 1) Signature and FPR pin (no agent)
DATA="/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt"
SIG="${DATA}.sig"
KEYFILE="/etc/ciss/keys/<pinned-FPR>.gpg"
/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIG}" "${DATA}"
# 2) Mandatory content hash verification
@@ -222,7 +295,7 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat
# 10. Failure Policy (fail-closed, deterministic)
* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch.
* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing rootfs attestation artifacts on the real ISO medium during `0024`, failed preservation of the runtime attestation cache, missing cached rootfs manifest/signature during `0042`, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch.
* A signed rootfs manifest alone is not sufficient. Boot continues only after the manifest signature/FPR, and the decrypted SquashFS payload bytes both verify successfully.
* `dm-integrity` protects the opened LUKS mapping against sector corruption or tampering under the LUKS key, but it is not treated as origin authenticity. Origin authenticity is provided by the signed rootfs attestation manifest and pinned signer fingerprint.
@@ -260,7 +333,12 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat
* **Key files:**
* Mounted live medium (for 0030): embedded public key blob (project-specific FPR)
* Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
* **Rootfs attestation artifacts:**
* ISO payload paths: `/live/filesystem.squashfs.sha512sum.txt`, `/live/filesystem.squashfs.sha512sum.txt.sig`
* Runtime cache paths: `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`, `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`
* Transient checksum file for exact mapper-byte verification: `/run/ciss-rootfs-attestation.sha512sum`
* **Runtime handoff state:** `/run/ciss-rootdev`
* **Mounts (typical):** `/run/live/medium`, `/run/live/rootfs`, `/run/live/overlay`
# 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths
```mermaid
@@ -268,21 +346,27 @@ flowchart TD
subgraph ISO Build Time
A["Embed and pin GPG FPR (into ISO & RootFS as needed)"] e00@--> B["Generate mounted-medium sha512sum.txt and .sig"];
B e01@--> C["Build filesystem.squashfs and wrap it into ciss_rootfs.crypt"];
B e01@--> C["Build filesystem.squashfs"];
C e01b@--> C2["Generate rootfs attestation manifest and detached signature in binary/live"];
C2 e01c@--> C3["Copy filesystem.squashfs into ciss_rootfs.crypt and remove plaintext filesystem.squashfs"];
e00@{ animation: fast }
e01@{ animation: fast }
e01b@{ animation: fast }
e01c@{ animation: fast }
end
subgraph ISO Boot Time
C e02@--> D["0024 opens ciss_rootfs.crypt with LUKS2 and dm-integrity"];
D e03@-->|SUCCESSFUL| E["Decrypted mapper exposed and livefs_root=/run/live/medium set"];
C3 e02@--> D["0024 mounts real ISO medium and expects ciss_rootfs.crypt plus rootfs attestation files under /live"];
D e02b@--> DCACHE["0024 copies rootfs attestation files to /run/ciss-rootfs-attestation"];
DCACHE e03@--> E["0024 opens ciss_rootfs.crypt with LUKS2/dm-integrity and exposes /dev/mapper/crypt_liveiso"];
E e04@--> F["0030 verifies mounted live-medium manifest, signature, FPR, and checksums"];
F e05@-->|SUCCESSFUL| G["Mounted live medium verified"];
G e06@--> H["9990-overlay mounts SquashFS / OverlayFS"];
H e07@--> I["0042 verifies signed rootfs attestation manifest and FPR"];
H e07@--> I["0042 verifies cached rootfs attestation manifest and FPR"];
I e08@--> J["0042 verifies exact SquashFS bytes from /dev/mapper/crypt_liveiso"];
J e09@-->|SUCCESSFUL| K["RootFS SquashFS payload attestation successful"];
e02@{ animation: fast }
e02b@{ animation: fast }
e03@{ animation: fast }
e04@{ animation: fast }
e05@{ animation: fast }
@@ -299,6 +383,8 @@ flowchart TD
end
D -- FAIL --> X;
DCACHE -- FAIL --> X;
E -- FAIL --> X;
F -- FAIL --> X;
I -- FAIL --> X;
J -- FAIL --> X;
docs/MAN_SSH_Host_Key_Policy.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. SSH Host Key Policy CISS.debian.live.builder / CISS.debian.installer
docs/REFERENCES.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Resources
docs/documentation/30-ciss-hardening.conf.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. ``30-ciss-hardening.conf``
docs/documentation/90-ciss-local.hardened.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. ``90-ciss-local.hardened``
docs/documentation/ciss_live_builder.sh.md
+1 -1
View File
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.12<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. ``ciss_live_builder.sh``
scripts/usr/local/sbin/9999_cdi_starter.sh
+2 -2
View File
@@ -601,7 +601,7 @@ main() {
var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
touch "${var_log}"
printf "CISS.debian.live.builder V9.14.026.2026.06.12 calling CISS.debian.installer ... \n" >> "${var_log}"
printf "CISS.debian.live.builder V9.14.028.2026.06.18 calling CISS.debian.installer ... \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
@@ -696,7 +696,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
printf "CISS.debian.live.builder V9.14.026.2026.06.12: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
printf "CISS.debian.live.builder V9.14.028.2026.06.18: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}
var/early.var.sh
+1 -1
View File
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -grx VAR_VERSION="Master V9.14.026.2026.06.12"
declare -grx VAR_VERSION="Master V9.14.028.2026.06.18"
declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4