msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

Compare commits

base: msw:v8.13.008-stable
Branches Tags
msw:master
msw:v8.13.142-stable msw:v8.13.008-stable msw:v8.03.864-stable msw:v8.03.832-stable msw:v8.03.768-stable msw:v8.03.644-stable
...
compare: msw:7fab4a183cc4a0b37fd224ed593ce622a716b3765ee36848150249c7b3e36d13
Branches Tags
msw:master
msw:v8.13.142-stable msw:v8.13.008-stable msw:v8.03.864-stable msw:v8.03.832-stable msw:v8.03.768-stable msw:v8.03.644-stable

23 Commits
v8.13.008- ... 7fab4a183c

Author SHA256 Message Date
Marc S. Weidner BOT
7fab4a183c DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] 
X-CI-Metadata: master@c514634 at 2025-10-03T22:07:45Z on 0ef6f5664500

Generated at : 2025-10-03T22:07:45Z
Runner Host  : 0ef6f5664500
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : c514634 HEAD -> master
 2025-10-03 22:07:45 +00:00
Marc S. Weidner BOT
c514634dd4 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@32f1b05 at 2025-10-03T21:17:48Z on ef1f9ea14896

Generated at : 2025-10-03T21:17:48Z
Runner Host  : ef1f9ea14896
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 32f1b05 HEAD -> master
 2025-10-03 21:17:48 +00:00
Marc S. Weidner
32f1b05181 V8.13.032.2025.10.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m30s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 51m34s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-03 22:15:48 +01:00
Marc S. Weidner BOT
1a2d1a3ae1 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@5fcd2eb at 2025-10-03T18:43:20Z on 81c03bb1ea18

Generated at : 2025-10-03T18:43:20Z
Runner Host  : 81c03bb1ea18
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 5fcd2eb HEAD -> master
 2025-10-03 18:43:21 +00:00
Marc S. Weidner
5fcd2ebf42 V8.13.032.2025.10.03
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m25s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-03 19:41:39 +01:00
Marc S. Weidner BOT
7168374797 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@720eede at 2025-10-03T18:34:52Z on f95e1bf52e89

Generated at : 2025-10-03T18:34:52Z
Runner Host  : f95e1bf52e89
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 720eede HEAD -> master
 2025-10-03 18:34:52 +00:00
Marc S. Weidner
720eede478 V8.13.032.2025.10.03
Some checks failed
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m23s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-03 19:33:22 +01:00
Marc S. Weidner BOT
036fefdd3e DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@2bcbdf8 at 2025-10-03T18:14:04Z on a906e8c798d2

Generated at : 2025-10-03T18:14:04Z
Runner Host  : a906e8c798d2
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 2bcbdf8 HEAD -> master
 2025-10-03 18:14:05 +00:00
Marc S. Weidner
2bcbdf8716 V8.13.032.2025.10.03
Some checks failed
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 52s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m21s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-03 19:09:06 +01:00
Marc S. Weidner BOT
ffecfcdc50 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@a51e37b at 2025-10-03T17:42:11Z on 17b27bf14db1

Generated at : 2025-10-03T17:42:11Z
Runner Host  : 17b27bf14db1
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : a51e37b HEAD -> master
 2025-10-03 17:42:11 +00:00
Marc S. Weidner BOT
a51e37b648 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci] 
X-CI-Metadata: master@0f8b894 at 2025-10-03T17:41:34Z on 71aa4f460676

Generated at : 2025-10-03T17:41:34Z
Runner Host  : 71aa4f460676
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : 0f8b894 HEAD -> master
 2025-10-03 17:41:34 +00:00
Marc S. Weidner
0f8b894e40 V8.13.032.2025.10.03
Some checks failed
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m2s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m39s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Details
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-03 18:39:15 +01:00
Marc S. Weidner BOT
ec171888f7 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] 
X-CI-Metadata: master@d046770 at 2025-10-03T00:15:58Z on 09b46a8e3de7

Generated at : 2025-10-03T00:15:58Z
Runner Host  : 09b46a8e3de7
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : d046770 HEAD -> master
 2025-10-03 00:15:58 +00:00
Marc S. Weidner BOT
d046770aeb DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@6350278 at 2025-10-02T23:28:54Z on 471bb232066f

Generated at : 2025-10-02T23:28:54Z
Runner Host  : 471bb232066f
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 6350278 HEAD -> master
 2025-10-02 23:28:54 +00:00
Marc S. Weidner
63502787c0 V8.13.016.2025.09.28
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m19s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 49m31s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-03 00:26:03 +01:00
Marc S. Weidner BOT
a96af3ff06 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] 
X-CI-Metadata: master@3c2c899 at 2025-10-02T05:21:58Z on d622961e7303

Generated at : 2025-10-02T05:21:58Z
Runner Host  : d622961e7303
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 3c2c899 HEAD -> master
 2025-10-02 05:21:58 +00:00
Marc S. Weidner
3c2c899403 V8.13.016.2025.09.28
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Failing after 6s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 46m3s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-02 05:35:36 +01:00
Marc S. Weidner BOT
e966a899c7 DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci] 
X-CI-Metadata: master@9b28418 at 2025-09-28T18:07:16Z on 00826445cf18

Generated at : 2025-09-28T18:07:16Z
Runner Host  : 00826445cf18
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 9b28418 HEAD -> master
 2025-09-28 18:07:16 +00:00
Marc S. Weidner BOT
9b28418860 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] 
X-CI-Metadata: master@40d81b5 at 2025-09-28T17:19:40Z on 7742f0ad5cbe

Generated at : 2025-09-28T17:19:40Z
Runner Host  : 7742f0ad5cbe
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 40d81b5 HEAD -> master
 2025-09-28 17:19:40 +00:00
Marc S. Weidner BOT
40d81b51f9 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci] 
X-CI-Metadata: master@ac05607 at 2025-09-28T16:27:10Z on bd5e33dea725

Generated at : 2025-09-28T16:27:10Z
Runner Host  : bd5e33dea725
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : ac05607 HEAD -> master
 2025-09-28 16:27:10 +00:00
Marc S. Weidner BOT
ac0560714b DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] 
X-CI-Metadata: master@7f35d1a at 2025-09-28T15:30:51Z on a05d37bda04a

Generated at : 2025-09-28T15:30:51Z
Runner Host  : a05d37bda04a
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 7f35d1a HEAD -> master
 2025-09-28 15:30:51 +00:00
Marc S. Weidner BOT
7f35d1ab38 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci] 
X-CI-Metadata: master@ec6e791 at 2025-09-28T15:30:34Z on a7ef4e974f4a

Generated at : 2025-09-28T15:30:34Z
Runner Host  : a7ef4e974f4a
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : ec6e791 HEAD -> master
 2025-09-28 15:30:34 +00:00
Marc S. Weidner
ec6e791b9d V8.13.016.2025.09.28
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 45s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m1s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 47m22s
Details
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 47m36s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-09-28 16:29:27 +01:00
96 changed files with 423 additions and 294 deletions
Expand all files Collapse all files

2
.archive/.0000_lib_usage.sh
View File

@@ -21,7 +21,7 @@ usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m")
$(echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

2
.archive/0003_install_backports.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
View File

@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V8.13.008.2025.08.22"
placeholder: "e.g., Master V8.13.032.2025.10.03"
validations:
required: true

2
.gitea/TODO/dockerfile
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
FROM debian:bookworm

2
.gitea/TODO/render-md-to-html.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
name: 🔁 Render README.md to README.html.

2
.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
View File

@@ -11,5 +11,5 @@
build:
counter: 1023
version: V8.13.008.2025.08.22
version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
View File

@@ -11,5 +11,5 @@
build:
counter: 1023
version: V8.13.008.2025.08.22
version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.gitea/trigger/t_generate_PUBLIC.yaml
View File

@@ -11,5 +11,5 @@
build:
counter: 1023
version: V8.13.008.2025.08.22
version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.gitea/trigger/t_generate_dns.yaml
View File

@@ -11,5 +11,5 @@
build:
counter: 1023
version: V8.13.008.2025.08.22
version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

42
.gitea/workflows/generate_PRIVATE_trixie_0.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -51,6 +51,7 @@ jobs:
gnupg \
openssh-client \
openssl \
perl \
sudo \
util-linux
@@ -93,6 +94,40 @@ jobs:
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🔧 Render live hook with secrets.
shell: bash
env:
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
run: |
set -Ceuo pipefail
umask 077
tmpl="CISS.debian.live.builder/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
out="CISS.debian.live.builder/config/hooks/live/9935_hardening_ssh.chroot"
test -f "${tmpl}"
perl -0777 -pe '
BEGIN {
$ed = $ENV{ED25519_PRIV};
$edpub = $ENV{ED25519_PUB};
$rsa = $ENV{RSA_PRIV};
$rsapub = $ENV{RSA_PUB};
}
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
' "$tmpl" >| "$out"
grep -q "ssh_host_ed25519_key" "${out}"
grep -q "ssh_host_rsa_key" "${out}"
chmod 0755 "${out}"
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
@@ -142,9 +177,9 @@ jobs:
set -euo pipefail
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
### Change "--autobuild=" to the specific kernel version you need: '6.12.48+deb13-amd64'.
./ciss_live_builder.sh \
--autobuild=6.12.41+deb13-amd64 \
--autobuild=6.12.48+deb13-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--control "${timestamp}" \
@@ -155,6 +190,7 @@ jobs:
--root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
--ssh-pubkey /opt/config \
--sshfp \
--trixie
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.

57
.gitea/workflows/generate_PRIVATE_trixie_1.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -51,6 +51,7 @@ jobs:
gnupg \
openssh-client \
openssl \
perl \
sudo \
util-linux
@@ -93,6 +94,7 @@ jobs:
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
@@ -136,15 +138,60 @@ jobs:
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
- name: 🔧 Render live hook with secrets.
shell: bash
working-directory: ${{ github.workspace }}
env:
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
run: |
set -Ceuo pipefail
umask 077
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
if [[ ! -f "$TPL" ]]; then
echo "Template not found: $TPL"
echo "::group::Tree of config/hooks/live"
ls -la "$REPO_ROOT/config/hooks/live" || true
echo "::endgroup::"
exit 2
fi
export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
export ED25519_PUB="${ED25519_PUB//$'\r'/}"
export RSA_PRIV="${RSA_PRIV//$'\r'/}"
export RSA_PUB="${RSA_PUB//$'\r'/}"
perl -0777 -pe '
BEGIN{
$ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
$rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB};
}
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
' "$TPL" > "$OUT"
chmod 0755 "$OUT"
echo "Hook rendered: $OUT"
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash
working-directory: ${{ github.workspace }}
run: |
set -euo pipefail
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
./ciss_live_builder.sh \
--autobuild=6.12.41+deb13-amd64 \
--autobuild=6.12.48+deb13-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--control "${timestamp}" \
@@ -152,8 +199,14 @@ jobs:
--root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /opt/config \
--sshfp \
--trixie
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "$OUT"
echo "Hook removed: $OUT"
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
env:

172
.gitea/workflows/generate_PUBLIC_iso.yaml
View File

@@ -9,10 +9,14 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
name: 💙 Generating a PUBLIC Live ISO.
defaults:
run:
shell: bash
permissions:
contents: write
@@ -24,161 +28,31 @@ on:
- '.gitea/trigger/t_generate_PUBLIC.yaml'
jobs:
generate-private-ciss-debian-live-iso:
generate-public-cdlb-trixie:
name: 💙 Generating a PUBLIC Live ISO.
runs-on: ciss.debian.live.builder.iso.generator
runs-on: cdlb.trixie
### Run all steps inside Debian Bookworm
container:
image: debian:bookworm
image: debian:trixie
steps:
- name: 🛠️ Basic Image Setup and enable Bookworm Backports.
run: |
apt-get update -y
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update -y
apt-get upgrade -y
- name: 🛠️ Installing Build Tools.
- name: 🛠️ Basic Image Setup.
shell: bash
run: |
apt-get update -y
apt-get install -y \
autoconf \
automake \
build-essential \
cryptsetup \
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y
apt-get install -y --no-install-recommends \
apt-utils \
bash \
ca-certificates \
curl \
debootstrap \
dosfstools \
efibootmgr \
gettext \
git \
gnupg \
haveged \
libbz2-dev \
zlib1g-dev \
liblzma-dev \
libtool \
live-build \
parted \
pkg-config \
ssh \
ssl-cert \
openssh-client \
openssl \
sudo \
texinfo \
wget \
whois \
- name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
shell: bash
run: |
urls=(
"https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
"https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
)
wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
gpg --batch --import signature_key.asc
for url in "${urls[@]}"; do
archive_name="${url##*/}"
pkg_name="${archive_name%.tar.bz2}"
echo "🔄 Processing ${pkg_name}"
if [[ ! -f "${archive_name}" ]]; then
echo "📥 Downloading: '${archive_name}'."
if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
echo "✅ Download successful: '${archive_name}'."
else
echo "❌ Download NOT successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping download, package already exists: '${archive_name}'."
fi
if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
if [[ ! -d "${pkg_name}" ]]; then
echo "📂 Extracting: '${archive_name}'."
if tar -xjf "${archive_name}"; then
echo "✅ Extraction successful: '${archive_name}'."
else
echo "❌ Extraction not successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping directory, already exists: '${pkg_name}'."
fi
echo "🏗️ Build and install the package: '${pkg_name}'."
cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
mkdir -p build
cd build || { echo "❌ Could not change to '/build'."; exit 1; }
sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
echo "✅ Successful build and installation of '${pkg_name}'."
echo "-------------------------------------------------------------------------------------"
done
rm -f signature_key.asc
echo "✅ All packages were built and installed successfully."
mv_bin=(
"/usr/bin/gpg"
"/usr/bin/gpg-agent"
"/usr/bin/gpgconf"
"/usr/bin/gpg-connect-agent"
"/usr/bin/gpg-wks-client"
"/usr/bin/gpg-preset-passphrase"
)
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
if mv "${bin}" "${bin}.debian-backup"; then
echo "✅ Moved successfully: '${bin}'."
else
echo "❌ Moved NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist as build binary: '${bin}'."
fi
done
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "/usr/local/bin/${name}" ]]; then
if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
echo "✅ 'update-alternatives' successfully: '${bin}'."
else
echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist: '/usr/local/bin/${name}'."
fi
done
sudo ldconfig
gpgconf --kill all
/usr/local/bin/gpg-agent --daemon
util-linux
- name: ⚙️ Check GnuPG Version.
shell: bash
@@ -271,13 +145,14 @@ jobs:
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
./ciss_live_builder.sh \
--autobuild=6.1.0-37-amd64 \
--autobuild=6.12.48+deb13-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--control "${timestamp}" \
--root-password-file /opt/config/password.txt \
--ssh-port 42137 \
--ssh-pubkey /opt/config
--ssh-pubkey /opt/config \
--trixie
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
@@ -364,11 +239,12 @@ jobs:
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
VAR_DATE="$(date +%F)"
PRIVATE_FILE="LIVE_ISO.public"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

2
.gitea/workflows/linter_char_scripts.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
# Gitea Workflow: Shell-Script Linting
#

2
.gitea/workflows/render-dnssec-status.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

2
.gitea/workflows/render-dot-to-png.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
name: 🔁 Render Graphviz Diagrams.

2
.version.properties
View File

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.13.008.2025.08.22"
properties_version="V8.13.032.2025.10.03"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

2
CISS.debian.live.builder.spdx
View File

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
PackageVersion: Master V8.13.008.2025.08.22
PackageVersion: Master V8.13.032.2025.10.03
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

4
LINTER_RESULTS.txt
View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-10-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
This file was automatically generated by the DEPLOY BOT on: "2025-10-03T21:17:45Z"
✅ The last linter check was successful. ✅

16
LIVE_ISO.public
View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-09-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-11T22:40:21Z".
This file was automatically generated by the DEPLOY BOT on: "2025-09-28T18:07:13Z"
CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_11T21_49_56Z-amd64.hybrid.iso"
"ciss-debian-live-2025_09_28T17_20_38Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 :
4aa02673b9a8d5b974014eca4371d1ed69b05eaea9e92203cf7c092880833e18812bf31ab053399eda98b7a3da0b76b8dcdaaba892e9f52f836ea9d2b0e09e38
49ea0ecfbcbe086786887a4d77727a582436d1b0172af34a4d85cf008541a6215d33b7326f7ff5445adfd0a687cbe67850b6d176b4c58be52e3858129ab369fc
CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpxVQAKCRA85KY4hzOw
IZWOAQDJriUoDvDNSQiHbFfW4KVV1E1wqe12eS7GyfVFr9bISwEAoDKhQ85+RiGr
pCdWqvU8wcfzEIlKIpAgAZVrhX/xRw8=
=wNVV
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaNl5UQAKCRA85KY4hzOw
IW0DAQCOeexEEvs4TmIQGQKmGv4EJee4M5uCK8EGAYR5MkqgDAD/QB5/DglUkK3z
4KvoqoWSL5j0aB8JKVB+GU9pSc+emwA=
=WSB7
-----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

16
LIVE_ISO_TRIXIE_0.private
View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-09-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"
This file was automatically generated by the DEPLOY BOT on: "2025-09-28T16:27:07Z"
CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
"ciss-debian-live-2025_09_28T15_39_28Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 :
35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
df9eb4fb9ee0598bef7665dd07c0c5935622dca2d8f42747cd4a187a9750ecb6381bd3a42bbc44ccf7bf70900c0ae99b9163d9e82acbf1dbedcd801a9d3c7bc2
CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
=4Oh3
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaNlh2wAKCRA85KY4hzOw
IfNnAQCMk83R452cTjogw59Ak8ohaHCHX8LFP7poMPFWtpGPygEAtTOEysHAXBPF
j2/p3TcTYyssUYQXcaeCvyHiFr1BHwM=
=8sNE
-----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

16
LIVE_ISO_TRIXIE_1.private
View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-10-03; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
This file was automatically generated by the DEPLOY BOT on: "2025-10-03T22:07:42Z"
CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
"ciss-debian-live-2025_10_03T21_17_21Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 :
4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
df265db7b6f2ef72d43d3430ca9854d09cb26c70e76560172193916c061fb05f4467a5208b4990f3374175826555e8f453d185181fd3c9c54fd35ee8fa5e7b31
CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
=boDM
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaOBJLgAKCRA85KY4hzOw
IeCeAQCgQIF7HeJII4ChUxSbZfr5b4Q0Z/bQ51G8j1WpZ6pF6QD/XsOJ0l74BDjg
A03OMLkQBM/WgPnWM9UvtPdfkkX+Kwo=
=R/Dp
-----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

12
README.md
View File

@@ -2,17 +2,17 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.032.2025.10.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.13.008.2025.08.22`
Example: `V8.13.032.2025.10.03`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.

2
config/hooks/live/0000_generate_backup_dir.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0001_initramfs_modules.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0002_verify_checksums.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0050_activate_root.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0080_keyboard_layout.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0090_haveged.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0120_set_hostname.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0130_machineid.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0400_eza_install.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0800_lynis_setup.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0810_chrony_setup.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0820_kernel_hardening_checker.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0822_ssh_restart_hook.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0825_my_sqltuner_perl.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0830_download_yq.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0835_testssl.sh.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0845_harbian_audit.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0850_ssh_audit.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0855_dnsviz.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/0900_ufw_setup.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9900_process_accounting.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9910_motd.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9920_deleting_invalid_x509.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

27
config/hooks/live/9930_hardening_ssh.chroot
View File

@@ -9,17 +9,18 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
}
rm -rf ssh_host_*key*
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh
declare -girx TMOUT=14400
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
case $- in
*i*)
TMOUT=14400
export TMOUT
readonly TMOUT
;;
esac
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod +x /etc/profile.d/idle-users.sh
@@ -58,7 +78,6 @@ EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

94
config/hooks/live/9935_hardening_ssh.chroot.tmpl Normal file
View File

@@ -0,0 +1,94 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
}
cat << 'EOF' >| ssh_host_ed25519_key
{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
EOF
cat << 'EOF' >| ssh_host_ed25519_key.pub
{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
EOF
cat << 'EOF' >| ssh_host_rsa_key
{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
EOF
cat << 'EOF' >| ssh_host_rsa_key.pub
{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
EOF
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli
chmod 0600 /etc/ssh/ssh_host_*_key
chown root:root /etc/ssh/ssh_host_*_key
chmod 0644 /etc/ssh/ssh_host_*_key.pub
chown root:root /etc/ssh/ssh_host_*_key.pub
chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
touch /root/sshfp
ssh-keygen -r @ >| /root/sshfp
###########################################################################################
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
case $- in
*i*)
TMOUT=14400
export TMOUT
readonly TMOUT
;;
esac
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod +x /etc/profile.d/idle-users.sh
mkdir -p /etc/systemd/system/ssh.service.d
cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
[Unit]
After=ufw.service
Requires=ufw.service
EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/hooks/live/9940_hardening_memory.dump.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9950_fail2ban_hardening.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9960_disable_services.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9970_remove_exim.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9980_usb_guard.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9985_clamav.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9990_final_purge.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9991_file_permissions.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9992_password_expiration.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9993_aide.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9994_password_policy.chroot
View File

@@ -13,7 +13,7 @@
### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9995_sysstat.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9996_auditd.chroot
View File

@@ -12,7 +12,7 @@
### https://github.com/linux-audit/audit-userspace/tree/master/rules
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

4
config/hooks/live/9997_debsums.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
@@ -33,4 +33,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/hooks/live/9998_sources_list_bookworm.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
config/hooks/live/9998_sources_list_trixie.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

4
config/hooks/live/9999_interfaces_update.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
@@ -62,4 +62,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e
# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/includes.chroot/etc/ssh/sshd_config
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

2
config/includes.chroot/etc/sysctl.d/99_local.hardened
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22
### Version Master V8.13.032.2025.10.03
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/

2
config/includes.chroot/preseed/.iso/iso.sh
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
# The example names get mapped to their roles here
declare timestamp

2
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.008.2025.08.22"
declare -gr VERSION="Master V8.13.032.2025.10.03"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then

2
config/includes.chroot/preseed/preseed.cfg
View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.008.2025.08.22 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.032.2025.10.03 at: 10:18:37.9542

5
config/package-lists/live.list.common.chroot
View File

@@ -21,6 +21,7 @@ bash-completion
bat
bc
bind9-dnsutils
bison
bsdmainutils
btrfs-progs
build-essential
@@ -28,6 +29,7 @@ bzip2
ca-certificates
clamav
clamav-daemon
clang-18
console-setup
cpuid
cryptsetup
@@ -47,6 +49,7 @@ dirmngr
dmsetup
dnsviz
dosfstools
dpkg-dev
e2fsprogs
efibootmgr
expect
@@ -54,6 +57,7 @@ fail2ban
fdisk
figlet
fio
flex
fzf
gawk
gdisk
@@ -80,6 +84,7 @@ linux-source
live-boot
live-config
live-config-systemd
lld-18
locate
logrotate
lsb-release

2
docs/AUDIT_DNSSEC.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. DNSSEC Status

2
docs/AUDIT_HAVEGED.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Haveged Audit on Netcup RS 2000 G11

2
docs/AUDIT_LYNIS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Lynis Audit:

2
docs/AUDIT_SSH.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. SSH Audit by ssh-audit.com

34
docs/AUDIT_TLS.md
View File

@@ -8,14 +8,15 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. TLS Audit:
````text
./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
#####################################################################
testssl.sh version 3.2.1 from https://testssl.sh/
(81471c3 2025-06-15 09:48:31)
testssl.sh version 3.2.2 from https://testssl.sh/
(2e77f5e 2025-09-22 19:35:27)
This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +27,7 @@ include_toc: true
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64
Start 2025-06-23 17:58:48 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Start 2025-09-28 16:12:17 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40
rDNS (152.53.110.40): git.coresecret.dev.
@@ -188,18 +189,17 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Server key size RSA 4096 bits (exponent is 65537)
Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial 1230B34459C6F27FA9BCD2 (OK: length 11)
Fingerprints SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E
SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
Serial 13292523EB168BD226CE46 (OK: length 11)
Fingerprints SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
Common Name (CN) coresecret.dev
subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
Trust (hostname) Ok via SAN (same w/o SNI)
Chain of trust Ok
EV cert (experimental) no
Certificate Validity (UTC) 153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
Certificate Validity (UTC) 178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
ETS/"eTLS", visibility info not present
In pwnedkeys.com DB not in database
Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
In pwnedkeys.com DB not in database Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
OCSP URI http://ocsp.buypass.com, not revoked
OCSP stapling offered, not revoked
OCSP must staple extension --
@@ -226,9 +226,9 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly
Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
git.coresecret.dev; frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
https://uml.coresecret.dev; manifest-src 'self' data:; media-src 'self' data: https://badges.coresecret.dev
https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
Expect-CT: max-age=86400, enforce
Permissions-Policy: interest-cohort=()
@@ -258,7 +258,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
@@ -309,7 +309,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Rating (experimental)
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 100 (30)
Key Exchange (weighted) 100 (30)
@@ -317,7 +317,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Final Score 100
Overall Grade A+
Done 2025-06-23 18:00:16 [ 99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Done 2025-09-28 16:13:50 [ 95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
````
---

2
docs/BOOTPARAMS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Hardened Kernel Boot Parameters

8
docs/CHANGELOG.md
View File

@@ -8,10 +8,16 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Changelog
## V8.13.032.2025.10.03
* **Added**: Internal Gitea Action Runner switch for static SSHFP records.
## V8.13.016.2025.09.28
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
## V8.13.008.2025.08.22
* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)

2
docs/CNET.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Centurion Net - Developer Branch Overview

2
docs/CODING_CONVENTION.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Coding Style

2
docs/CONTRIBUTING.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Contributing / participating

2
docs/CREDITS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Credits

2
docs/DL_PUB_ISO.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Download the latest PUBLIC CISS.debian.live.ISO

6
docs/DOCUMENTATION.md
View File

@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2.1. Usage
````text
CISS.debian.live.builder
Master V8.13.008.2025.08.22
Master V8.13.032.2025.10.03
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact
````text
CISS.debian.live.builder
Master V8.13.008.2025.08.22
Master V8.13.032.2025.10.03
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025

2
docs/REFERENCES.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br>
**Build**: V8.13.032.2025.10.03<br>
# 2. Resources

BIN
docs/SECURITY/coresecret.dev.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 204 KiB

After

Width:  |  Height:  |  Size: 186 KiB

25
lib/lib_arg_parser.sh
View File

@@ -95,6 +95,7 @@ arg_parser() {
--architecture)
if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
# shellcheck disable=SC2034
declare -gx VAR_ARCHITECTURE="${2}"
shift 2
else
@@ -124,12 +125,14 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
declare -g VAR_HANDLER_CDI=true
# shellcheck disable=SC2034
declare -g VAR_HANDLER_CDI="true"
shift 1
;;
--change-splash )
if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
# shellcheck disable=SC2034
declare -g VAR_HANDLER_SPLASH="${2}"
shift 2
else
@@ -143,6 +146,7 @@ arg_parser() {
--control)
if [[ -n "${2-}" ]]; then
# shellcheck disable=SC2034
declare -g VAR_HANDLER_ISO_COUNTER="${2}"
shift 2
else
@@ -171,6 +175,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
# shellcheck disable=SC2034
declare -gi VAR_HANDLER_DHCP=1
shift 1
;;
@@ -180,6 +185,7 @@ arg_parser() {
declare -i count=0
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
# shellcheck disable=SC2034
declare -g ARY_HANDLER_JUMPHOST+=("$1")
count=$((count + 1))
shift
@@ -202,6 +208,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
# shellcheck disable=SC2034
declare -gi VAR_HANDLER_STA=1
shift 1
;;
@@ -209,10 +216,12 @@ arg_parser() {
--provider-netcup-ipv6)
if [[ -n "${2-}" && "${2}" != -* ]]; then
declare -i count=0
declare -g VAR_HANDLER_NETCUP_IPV6=true
# shellcheck disable=SC2034
declare -g VAR_HANDLER_NETCUP_IPV6="true"
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
declare cleaned="${1//[\[\]]/}"
# shellcheck disable=SC2034
declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
count=$((count + 1))
shift
@@ -230,6 +239,7 @@ arg_parser() {
--renice-priority)
if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
# shellcheck disable=SC2034
VAR_HANDLER_PRIORITY="$2"
shift 2
else
@@ -249,6 +259,7 @@ arg_parser() {
exit "${ERR_REIONICE_P}"
else
if [[ "${2}" =~ ^[1-3]$ ]]; then
# shellcheck disable=SC2034
VAR_REIONICE_CLASS="${2}"
if [[ -z "${3-}" ]]; then
:
@@ -359,6 +370,7 @@ arg_parser() {
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
# shellcheck disable=SC2034
declare -g VAR_HASHED_PWD="${hash_temp}"
unset hash_temp plaintext_pw
@@ -375,6 +387,7 @@ arg_parser() {
--ssh-port)
if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
# shellcheck disable=SC2034
declare -gi VAR_SSHPORT="${2}"
shift 2
else
@@ -385,12 +398,20 @@ arg_parser() {
fi
;;
--sshfp)
# shellcheck disable=SC2034
declare -g VAR_SSHFP="true"
shift 1
;;
--ssh-pubkey)
# shellcheck disable=SC2034
declare -g VAR_SSHPUBKEY="${2}"
shift 2
;;
--trixie)
# shellcheck disable=SC2034
declare -g VAR_SUITE="trixie"
shift 1
;;

18
lib/lib_hardening_ultra.sh
View File

@@ -166,7 +166,25 @@ hardening_ultra() {
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
### Updating SSH Keys, Ports.
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
### Check for static SSHFP key material via Gitea Actions Runner Secrets injection.
if [[ "${VAR_SSHFP}" == "true" ]]; then
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
else
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"

4
lib/lib_usage.sh
View File

@@ -35,13 +35,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V8.13.008.2025.08.22 2025-08-11 CLB(1)" "${var_cols}")
declare var_footer=$(center "V8.13.032.2025.10.03 2025-08-11 CLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m"
echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"

2
scripts/0010_dhcp_supersede.sh
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

2
scripts/0100_centurion_dns.sh
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

4
scripts/9000-cdi-starter
View File

@@ -9,13 +9,13 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
printf "CISS.debian.installer Master V8.13.008.2025.08.22 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
printf "CISS.debian.installer Master V8.13.032.2025.10.03 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh

2
scripts/etc/network/9999_interfaces_update_netcup.chroot
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1

2
var/early.var.sh
View File

@@ -14,7 +14,7 @@
# shellcheck disable=SC2155
declare -grx VAR_CONTACT="security@coresecret.eu"
declare -grx VAR_VERSION="Master V8.13.008.2025.08.22"
declare -grx VAR_VERSION="Master V8.13.032.2025.10.03"
declare -grx VAR_SYSTEM="$(uname -a)"
declare -gx VAR_EARLY_DEBUG="false"
declare -gx VAR_HANDLER_AUTOBUILD="false"

1
var/global.var.sh
View File

@@ -38,6 +38,7 @@ declare -g VAR_SCRIPT_SUCCESS="false"
declare -g VAR_SUITE="bookworm"
declare -g VAR_HANDLER_NETCUP_IPV6="false"
declare -g VAR_HASHED_PWD=""
declare -g VAR_SSHFP="false"
declare -gi VAR_HANDLER_STA=0
declare -gi VAR_HANDLER_PRIORITY=0
declare -gi VAR_REIONICE_CLASS=2