148 Commits

Author SHA256 Message Date
c42a39b757 DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@131b29e at 2025-10-14T22:23:31Z on f4002627fb64

Generated at : 2025-10-14T22:23:31Z
Runner Host  : f4002627fb64
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 131b29e HEAD -> master
2025-10-14 22:23:31 +00:00
131b29e8b6 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@faaa4db at 2025-10-14T21:28:38Z on d18e1ac3c3c3

Generated at : 2025-10-14T21:28:38Z
Runner Host  : d18e1ac3c3c3
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : faaa4db HEAD -> master
2025-10-14 21:28:38 +00:00
faaa4db9f3 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@582a110 at 2025-10-14T20:32:31Z on bd9f5fe27835

Generated at : 2025-10-14T20:32:31Z
Runner Host  : bd9f5fe27835
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 582a110 HEAD -> master
2025-10-14 20:32:31 +00:00
582a110f04 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@f61b149 at 2025-10-14T19:37:06Z on d1071e4144b1

Generated at : 2025-10-14T19:37:06Z
Runner Host  : d1071e4144b1
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : f61b149 HEAD -> master
2025-10-14 19:37:06 +00:00
f61b149ab5 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@5155670 at 2025-10-14T19:36:51Z on a8b40b834c2b

Generated at : 2025-10-14T19:36:51Z
Runner Host  : a8b40b834c2b
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : 5155670 HEAD -> master
2025-10-14 19:36:51 +00:00
51556707e2 V8.13.142.2025.10.14
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m20s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m35s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 56m6s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 54m46s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-14 20:35:02 +01:00
d8458b7220 DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@d31654a at 2025-10-11T16:53:56Z on 473891862d16

Generated at : 2025-10-11T16:53:56Z
Runner Host  : 473891862d16
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : d31654a HEAD -> master
2025-10-11 16:53:56 +00:00
d31654a9ac DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@b7760d5 at 2025-10-11T15:59:05Z on 8f3f3c9b81b1

Generated at : 2025-10-11T15:59:05Z
Runner Host  : 8f3f3c9b81b1
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : b7760d5 HEAD -> master
2025-10-11 15:59:05 +00:00
b7760d5868 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@c68a163 at 2025-10-11T15:30:57Z on 6db3fcc467c1

Generated at : 2025-10-11T15:30:57Z
Runner Host  : 6db3fcc467c1
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : c68a163 HEAD -> master
2025-10-11 15:30:57 +00:00
c68a163982 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m30s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 16:29:19 +01:00
c7dd4c40cd DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@e319a04 at 2025-10-11T15:28:50Z on 0009d39a8a09

Generated at : 2025-10-11T15:28:50Z
Runner Host  : 0009d39a8a09
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : e319a04 HEAD -> master
2025-10-11 15:28:50 +00:00
e319a049de V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 16:26:50 +01:00
d1616934af DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@14f1b99 at 2025-10-11T15:07:13Z on e5e4b2d4ebd2

Generated at : 2025-10-11T15:07:13Z
Runner Host  : e5e4b2d4ebd2
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 14f1b99 HEAD -> master
2025-10-11 15:07:13 +00:00
14f1b99268 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m7s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 54m4s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 54m53s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 16:04:51 +01:00
147b54450f DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@a8a2798 at 2025-10-11T10:23:01Z on a0aa3b7b4a4e

Generated at : 2025-10-11T10:23:01Z
Runner Host  : a0aa3b7b4a4e
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : a8a2798 HEAD -> master
2025-10-11 10:23:01 +00:00
a8a27980eb DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@d52df34 at 2025-10-11T09:28:48Z on 6b5472c3cf3d

Generated at : 2025-10-11T09:28:48Z
Runner Host  : 6b5472c3cf3d
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : d52df34 HEAD -> master
2025-10-11 09:28:48 +00:00
d52df34b7b V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m32s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 55m56s
Signed-off-by: André H. Zimnol <git.cs@physnet.eu>
2025-10-11 11:27:14 +02:00
70f42be6ec DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@8ce7830 at 2025-10-11T09:16:55Z on 84a6e8b36df0

Generated at : 2025-10-11T09:16:55Z
Runner Host  : 84a6e8b36df0
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 8ce7830 HEAD -> master
2025-10-11 09:16:55 +00:00
8ce7830013 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@746792c at 2025-10-11T08:22:37Z on 10a922ad7ad5

Generated at : 2025-10-11T08:22:37Z
Runner Host  : 10a922ad7ad5
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 746792c HEAD -> master
2025-10-11 08:22:37 +00:00
746792cba2 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@675649c at 2025-10-11T07:27:24Z on 5a1e841cc9a1

Generated at : 2025-10-11T07:27:24Z
Runner Host  : 5a1e841cc9a1
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 675649c HEAD -> master
2025-10-11 07:27:24 +00:00
675649c646 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@6427501 at 2025-10-11T07:09:37Z on 87bcb42bc21d

Generated at : 2025-10-11T07:09:37Z
Runner Host  : 87bcb42bc21d
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 6427501 HEAD -> master
2025-10-11 07:09:37 +00:00
64275013c0 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m58s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 08:07:13 +01:00
54b153ba76 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@bf7d616 at 2025-10-11T06:29:30Z on 9ecef9d21c23

Generated at : 2025-10-11T06:29:30Z
Runner Host  : 9ecef9d21c23
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : bf7d616 HEAD -> master
2025-10-11 06:29:30 +00:00
bf7d616ea6 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 07:27:39 +01:00
9d235a427e DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@2ffb74a at 2025-10-11T06:21:42Z on 93ea4e320fc0

Generated at : 2025-10-11T06:21:42Z
Runner Host  : 93ea4e320fc0
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 2ffb74a HEAD -> master
2025-10-11 06:21:42 +00:00
2ffb74a408 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 55m9s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 54m12s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 07:20:03 +01:00
a4da5a6991 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@aeea58f at 2025-10-11T06:07:03Z on cb61900a5d66

Generated at : 2025-10-11T06:07:03Z
Runner Host  : cb61900a5d66
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : aeea58f HEAD -> master
2025-10-11 06:07:03 +00:00
aeea58ff84 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 07:04:51 +01:00
9a06c569f1 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@40ab6fb at 2025-10-11T05:16:24Z on aab10d17cef0

Generated at : 2025-10-11T05:16:24Z
Runner Host  : aab10d17cef0
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 40ab6fb HEAD -> master
2025-10-11 05:16:24 +00:00
40ab6fb578 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m29s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 06:14:50 +01:00
5b843d6e59 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@18c60ce at 2025-10-11T05:01:41Z on d907a509428d

Generated at : 2025-10-11T05:01:41Z
Runner Host  : d907a509428d
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 18c60ce HEAD -> master
2025-10-11 05:01:41 +00:00
18c60ce260 V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 06:00:02 +01:00
11952e0621 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@cb49063 at 2025-10-11T04:55:22Z on 943227b7d6c9

Generated at : 2025-10-11T04:55:22Z
Runner Host  : 943227b7d6c9
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : cb49063 HEAD -> master
2025-10-11 04:55:22 +00:00
cb490632c4 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@83fa76d at 2025-10-11T04:55:18Z on c1fef329d98e

Generated at : 2025-10-11T04:55:18Z
Runner Host  : c1fef329d98e
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : 83fa76d HEAD -> master
2025-10-11 04:55:18 +00:00
83fa76d4aa V8.13.132.2025.10.11
Some checks failed
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m23s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m27s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 05:53:47 +01:00
1813ae3774 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@c4fc603 at 2025-10-11T04:45:09Z on 71643455bf9b

Generated at : 2025-10-11T04:45:09Z
Runner Host  : 71643455bf9b
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : c4fc603 HEAD -> master
2025-10-11 04:45:09 +00:00
c4fc603d5b V8.13.132.2025.10.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m40s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-11 05:42:56 +01:00
a9182d59f6 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@db9dca9 at 2025-10-10T22:25:07Z on edeab28f3a63

Generated at : 2025-10-10T22:25:07Z
Runner Host  : edeab28f3a63
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : db9dca9 HEAD -> master
2025-10-10 22:25:07 +00:00
db9dca9fa2 ## V8.13.128.2025.10.10
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m50s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 23:22:55 +01:00
cae8d68ecc DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@9688142 at 2025-10-10T19:42:53Z on b064133f7e6d

Generated at : 2025-10-10T19:42:53Z
Runner Host  : b064133f7e6d
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 9688142 HEAD -> master
2025-10-10 19:42:53 +00:00
9688142245 ## V8.13.128.2025.10.10
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 20:40:50 +01:00
f36de4a5b4 DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@5d00daf at 2025-10-10T07:59:34Z on 2f63aebc2fa1

Generated at : 2025-10-10T07:59:34Z
Runner Host  : 2f63aebc2fa1
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 5d00daf HEAD -> master
2025-10-10 07:59:34 +00:00
5d00daf2ae DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@175af76 at 2025-10-10T07:01:21Z on 1d1d638e2d18

Generated at : 2025-10-10T07:01:21Z
Runner Host  : 1d1d638e2d18
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 175af76 HEAD -> master
2025-10-10 07:01:21 +00:00
175af760bc DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@c60e138 at 2025-10-10T06:08:59Z on cd53256b1fec

Generated at : 2025-10-10T06:08:59Z
Runner Host  : cd53256b1fec
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : c60e138 HEAD -> master
2025-10-10 06:08:59 +00:00
c60e138b27 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@2d76fca at 2025-10-10T05:23:00Z on df4f04c14c09

Generated at : 2025-10-10T05:23:00Z
Runner Host  : df4f04c14c09
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 2d76fca HEAD -> master
2025-10-10 05:23:00 +00:00
2d76fca675 ## V8.13.128.2025.10.10
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 6m16s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 52m19s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 58m12s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 06:16:21 +01:00
a44bd771d3 DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@1857d73 at 2025-10-10T02:30:45Z on b615bf5877e4

Generated at : 2025-10-10T02:30:45Z
Runner Host  : b615bf5877e4
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 1857d73 HEAD -> master
2025-10-10 02:30:45 +00:00
1857d730e2 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@b1243bd at 2025-10-10T01:36:18Z on 9c927fb54656

Generated at : 2025-10-10T01:36:18Z
Runner Host  : 9c927fb54656
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : b1243bd HEAD -> master
2025-10-10 01:36:18 +00:00
b1243bdf97 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@c805308 at 2025-10-10T00:42:29Z on 8466996eb449

Generated at : 2025-10-10T00:42:29Z
Runner Host  : 8466996eb449
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : c805308 HEAD -> master
2025-10-10 00:42:29 +00:00
c8053082fd DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@779c830 at 2025-10-09T23:43:56Z on 0bc491a6bd10

Generated at : 2025-10-09T23:43:56Z
Runner Host  : 0bc491a6bd10
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 779c830 HEAD -> master
2025-10-09 23:43:56 +00:00
779c830111 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@d6fdcac at 2025-10-09T23:42:51Z on f3a7e7266b5a

Generated at : 2025-10-09T23:42:51Z
Runner Host  : f3a7e7266b5a
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : d6fdcac HEAD -> master
2025-10-09 23:42:51 +00:00
d6fdcacc9c ## V8.13.128.2025.10.10
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m0s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m0s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 53m47s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 54m23s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 00:41:49 +01:00
3b89515b70 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@97af826 at 2025-10-09T23:27:36Z on 6baed9d6e796

Generated at : 2025-10-09T23:27:36Z
Runner Host  : 6baed9d6e796
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 97af826 HEAD -> master
2025-10-09 23:27:36 +00:00
97af826d5e ## V8.13.096.2025.10.09
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 00:25:37 +01:00
584077e1c0 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@c8791a9 at 2025-10-09T23:07:12Z on c1c0164d6115

Generated at : 2025-10-09T23:07:12Z
Runner Host  : c1c0164d6115
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : c8791a9 HEAD -> master
2025-10-09 23:07:12 +00:00
c8791a9221 ## V8.13.096.2025.10.09
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m50s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 00:05:04 +01:00
b577201cc3 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@eca769a at 2025-10-09T22:45:47Z on 7d242cab28fb

Generated at : 2025-10-09T22:45:47Z
Runner Host  : 7d242cab28fb
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : eca769a HEAD -> master
2025-10-09 22:45:47 +00:00
eca769a7df ## V8.13.096.2025.10.09
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m40s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-09 23:44:01 +01:00
b51049eb8e DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@474b34a at 2025-10-09T22:28:35Z on f60f3568f52e

Generated at : 2025-10-09T22:28:35Z
Runner Host  : f60f3568f52e
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 474b34a HEAD -> master
2025-10-09 22:28:35 +00:00
474b34afd3 ## V8.13.096.2025.10.09
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m36s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-09 23:26:55 +01:00
ca5cbbf323 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@38a6fe4 at 2025-10-09T22:04:16Z on b70676e52861

Generated at : 2025-10-09T22:04:16Z
Runner Host  : b70676e52861
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 38a6fe4 HEAD -> master
2025-10-09 22:04:16 +00:00
38a6fe4a2c ## V8.13.096.2025.10.09
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-09 23:02:18 +01:00
b140f0e03e DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@7060f94 at 2025-10-09T20:21:47Z on d32c3893a2d8

Generated at : 2025-10-09T20:21:47Z
Runner Host  : d32c3893a2d8
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 7060f94 HEAD -> master
2025-10-09 20:21:47 +00:00
7060f945c1 ## V8.13.096.2025.10.09
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m29s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-09 21:20:11 +01:00
3e07d26cc6 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@78f835f at 2025-10-09T19:59:24Z on 883209c73448

Generated at : 2025-10-09T19:59:24Z
Runner Host  : 883209c73448
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 78f835f HEAD -> master
2025-10-09 19:59:24 +00:00
78f835f96e DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@d3f9bec at 2025-10-09T19:58:33Z on 942c5e51f0da

Generated at : 2025-10-09T19:58:33Z
Runner Host  : 942c5e51f0da
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : d3f9bec HEAD -> master
2025-10-09 19:58:33 +00:00
d3f9bec31c ## V8.13.096.2025.10.09
Some checks failed
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m3s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m56s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-09 20:57:08 +01:00
e682b6ac17 DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@3b1ab56 at 2025-10-07T22:12:20Z on 5b3b53e1f6b5

Generated at : 2025-10-07T22:12:20Z
Runner Host  : 5b3b53e1f6b5
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 3b1ab56 HEAD -> master
2025-10-07 22:12:20 +00:00
3b1ab56d2c DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@195b9a9 at 2025-10-07T21:19:31Z on 3c94a67ced29

Generated at : 2025-10-07T21:19:31Z
Runner Host  : 3c94a67ced29
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 195b9a9 HEAD -> master
2025-10-07 21:19:31 +00:00
195b9a9c91 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@fc4aa8d at 2025-10-07T20:26:01Z on 7ae9d957e923

Generated at : 2025-10-07T20:26:01Z
Runner Host  : 7ae9d957e923
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : fc4aa8d HEAD -> master
2025-10-07 20:26:01 +00:00
fc4aa8d23f DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@1b88361 at 2025-10-07T19:38:24Z on 2b0434069983

Generated at : 2025-10-07T19:38:24Z
Runner Host  : 2b0434069983
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 1b88361 HEAD -> master
2025-10-07 19:38:24 +00:00
1b883619e7 V8.13.064.2025.10.07
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 4m41s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 53m30s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 52m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 20:33:33 +01:00
fc719ebfa9 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@353d4cf at 2025-10-07T18:41:45Z on a3976e114c41

Generated at : 2025-10-07T18:41:45Z
Runner Host  : a3976e114c41
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 353d4cf HEAD -> master
2025-10-07 18:41:45 +00:00
353d4cf7df DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@66a2dd4 at 2025-10-07T17:47:40Z on a9f7e769ba0c

Generated at : 2025-10-07T17:47:40Z
Runner Host  : a9f7e769ba0c
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 66a2dd4 HEAD -> master
2025-10-07 17:47:40 +00:00
66a2dd465e V8.13.064.2025.10.07
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 55m41s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 18:46:02 +01:00
ef486ce7e5 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@1cefc27 at 2025-10-07T17:43:02Z on bf27e58bc3ec

Generated at : 2025-10-07T17:43:02Z
Runner Host  : bf27e58bc3ec
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 1cefc27 HEAD -> master
2025-10-07 17:43:02 +00:00
1cefc27d54 V8.13.064.2025.10.07
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 18:41:01 +01:00
7c0a3238a7 Merge remote-tracking branch 'origin/master' 2025-10-07 18:32:52 +01:00
242f0a0159 V8.13.064.2025.10.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 18:32:33 +01:00
11d1e529a9 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@fd23579 at 2025-10-07T17:29:37Z on 83560933bd23

Generated at : 2025-10-07T17:29:37Z
Runner Host  : 83560933bd23
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : fd23579 HEAD -> master
2025-10-07 17:29:37 +00:00
fd2357998b DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@a5bcb4b at 2025-10-07T16:38:35Z on 44f748102f80

Generated at : 2025-10-07T16:38:35Z
Runner Host  : 44f748102f80
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : a5bcb4b HEAD -> master
2025-10-07 16:38:35 +00:00
a5bcb4bb17 V8.13.064.2025.10.07
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 52m58s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 17:36:43 +01:00
4a985e1c81 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@c60d4e1 at 2025-10-07T16:35:09Z on 129140d51a62

Generated at : 2025-10-07T16:35:09Z
Runner Host  : 129140d51a62
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : c60d4e1 HEAD -> master
2025-10-07 16:35:09 +00:00
c60d4e1742 V8.13.064.2025.10.07
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m39s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 17:32:54 +01:00
0c4060fe5d DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@f8d84b3 at 2025-10-07T16:12:24Z on 353bf6e6e1f7

Generated at : 2025-10-07T16:12:24Z
Runner Host  : 353bf6e6e1f7
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : f8d84b3 HEAD -> master
2025-10-07 16:12:24 +00:00
f8d84b3585 V8.13.064.2025.10.07
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m43s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 17:10:37 +01:00
306d08ff87 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@cd36d38 at 2025-10-07T16:08:13Z on 05fa9e4624b2

Generated at : 2025-10-07T16:08:13Z
Runner Host  : 05fa9e4624b2
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : cd36d38 HEAD -> master
2025-10-07 16:08:13 +00:00
cd36d382bb V8.13.064.2025.10.07
Some checks failed
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 57s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 17:06:23 +01:00
0aca2331de DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@77c1753 at 2025-10-07T16:05:30Z on f7681ed1d3b9

Generated at : 2025-10-07T16:05:30Z
Runner Host  : f7681ed1d3b9
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 77c1753 HEAD -> master
2025-10-07 16:05:30 +00:00
77c1753d02 V8.13.064.2025.10.07
Some checks failed
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m21s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 3m56s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 17:01:01 +01:00
ad30f41516 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@7cba3e3 at 2025-10-07T13:57:26Z on 64aa0db75e26

Generated at : 2025-10-07T13:57:26Z
Runner Host  : 64aa0db75e26
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 7cba3e3 HEAD -> master
2025-10-07 13:57:26 +00:00
7cba3e3531 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@44aa779 at 2025-10-07T13:05:14Z on c5162d222a72

Generated at : 2025-10-07T13:05:14Z
Runner Host  : c5162d222a72
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 44aa779 HEAD -> master
2025-10-07 13:05:14 +00:00
44aa77969f V8.13.064.2025.10.07
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 53m54s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 14:03:33 +01:00
117959234e V8.13.064.2025.10.07
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Failing after 4s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 42s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 14:00:34 +01:00
4bc332249c DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@a536c4d at 2025-10-07T12:29:04Z on 3c38522e10e9

Generated at : 2025-10-07T12:29:04Z
Runner Host  : 3c38522e10e9
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : a536c4d HEAD -> master
2025-10-07 12:29:04 +00:00
a536c4da96 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@95835f1 at 2025-10-07T11:52:24Z on 0e357a70c050

Generated at : 2025-10-07T11:52:24Z
Runner Host  : 0e357a70c050
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : 95835f1 HEAD -> master
2025-10-07 11:52:24 +00:00
95835f1e15 Merge remote-tracking branch 'origin/master'
Some checks failed
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 58s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m19s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
2025-10-07 12:51:23 +01:00
68c803550b V8.13.064.2025.10.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 12:51:05 +01:00
9466395273 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@181b73b at 2025-10-07T00:00:01Z on ff2a36e41830

Generated at : 2025-10-07T00:00:01Z
Runner Host  : ff2a36e41830
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 181b73b HEAD -> master
2025-10-07 00:00:01 +00:00
181b73b04c DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@7f678ba at 2025-10-06T23:10:29Z on 619cb2299d57

Generated at : 2025-10-06T23:10:29Z
Runner Host  : 619cb2299d57
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 7f678ba HEAD -> master
2025-10-06 23:10:29 +00:00
7f678baa64 V8.13.048.2025.10.06
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m24s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 51m2s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 00:08:40 +01:00
1d711ea816 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@9e66e27 at 2025-10-06T22:15:24Z on c1b91ac5451a

Generated at : 2025-10-06T22:15:24Z
Runner Host  : c1b91ac5451a
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 9e66e27 HEAD -> master
2025-10-06 22:15:24 +00:00
9e66e27eae DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@9a72da4 at 2025-10-06T21:22:17Z on 37066177cc01

Generated at : 2025-10-06T21:22:17Z
Runner Host  : 37066177cc01
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 9a72da4 HEAD -> master
2025-10-06 21:22:17 +00:00
9a72da4e97 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@fda63ad at 2025-10-06T21:18:56Z on 674283aee3da

Generated at : 2025-10-06T21:18:56Z
Runner Host  : 674283aee3da
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : fda63ad HEAD -> master
2025-10-06 21:18:56 +00:00
fda63adb9c V8.13.048.2025.10.06
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m29s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 53m8s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-06 22:17:05 +01:00
368d523f95 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@e00c6e8 at 2025-10-06T20:26:57Z on 4e285ac8f230

Generated at : 2025-10-06T20:26:57Z
Runner Host  : 4e285ac8f230
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : e00c6e8 HEAD -> master
2025-10-06 20:26:57 +00:00
e00c6e8900 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@02f56b7 at 2025-10-06T19:34:05Z on 8a0e7cf4ef0f

Generated at : 2025-10-06T19:34:05Z
Runner Host  : 8a0e7cf4ef0f
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 02f56b7 HEAD -> master
2025-10-06 19:34:05 +00:00
02f56b725f DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@a475cc4 at 2025-10-06T18:47:35Z on f05b16ce98ea

Generated at : 2025-10-06T18:47:35Z
Runner Host  : f05b16ce98ea
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : a475cc4 HEAD -> master
2025-10-06 18:47:35 +00:00
a475cc45a3 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@5d64de9 at 2025-10-06T18:33:38Z on b44f5c7a3a13

Generated at : 2025-10-06T18:33:38Z
Runner Host  : b44f5c7a3a13
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 5d64de9 HEAD -> master
2025-10-06 18:33:38 +00:00
5d64de95bc V8.13.048.2025.10.06
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m23s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-06 19:32:12 +01:00
d313ae0b51 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@edc59d3 at 2025-10-06T18:30:10Z on a29c133149a7

Generated at : 2025-10-06T18:30:10Z
Runner Host  : a29c133149a7
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : edc59d3 HEAD -> master
2025-10-06 18:30:10 +00:00
edc59d362f V8.13.048.2025.10.06
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 59s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m22s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 52m58s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 55m15s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-06 19:28:59 +01:00
eb90a815e8 Merge remote-tracking branch 'origin/master' 2025-10-06 19:01:34 +01:00
6f1793f2ac V8.13.048.2025.10.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-06 18:22:28 +01:00
2a4d5e5b2e DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@f7a7d1c at 2025-10-05T19:06:18Z on 0c18e997ea45

Generated at : 2025-10-05T19:06:18Z
Runner Host  : 0c18e997ea45
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : f7a7d1c HEAD -> master
2025-10-05 19:06:18 +00:00
f7a7d1cff0 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@40b3fb8 at 2025-10-05T18:13:11Z on 916e88ca368b

Generated at : 2025-10-05T18:13:11Z
Runner Host  : 916e88ca368b
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 40b3fb8 HEAD -> master
2025-10-05 18:13:11 +00:00
40b3fb8ff7 V8.13.032.2025.10.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m20s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 54m30s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-05 19:11:30 +01:00
636c34cee5 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@47ebdf7 at 2025-10-04T06:31:57Z on fee380419830

Generated at : 2025-10-04T06:31:57Z
Runner Host  : fee380419830
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 47ebdf7 HEAD -> master
2025-10-04 06:31:57 +00:00
47ebdf7ed0 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@61d9bf1 at 2025-10-04T05:41:56Z on db8360a9f9dc

Generated at : 2025-10-04T05:41:56Z
Runner Host  : db8360a9f9dc
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 61d9bf1 HEAD -> master
2025-10-04 05:41:56 +00:00
61d9bf1510 V8.13.032.2025.10.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m25s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 51m29s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-04 06:40:11 +01:00
bd77170cf9 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@49c6277 at 2025-10-04T04:45:17Z on bd7f276357da

Generated at : 2025-10-04T04:45:17Z
Runner Host  : bd7f276357da
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 49c6277 HEAD -> master
2025-10-04 04:45:17 +00:00
49c6277efa V8.13.032.2025.10.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m16s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-04 05:43:54 +01:00
d55f420c35 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@af84d52 at 2025-10-04T04:39:57Z on 11dafe664f2c

Generated at : 2025-10-04T04:39:57Z
Runner Host  : 11dafe664f2c
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : af84d52 HEAD -> master
2025-10-04 04:39:57 +00:00
af84d5292b V8.13.032.2025.10.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m23s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-04 05:38:09 +01:00
53642d6115 V8.13.032.2025.10.03
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-04 05:33:30 +01:00
7fab4a183c DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@c514634 at 2025-10-03T22:07:45Z on 0ef6f5664500

Generated at : 2025-10-03T22:07:45Z
Runner Host  : 0ef6f5664500
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : c514634 HEAD -> master
2025-10-03 22:07:45 +00:00
c514634dd4 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@32f1b05 at 2025-10-03T21:17:48Z on ef1f9ea14896

Generated at : 2025-10-03T21:17:48Z
Runner Host  : ef1f9ea14896
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 32f1b05 HEAD -> master
2025-10-03 21:17:48 +00:00
32f1b05181 V8.13.032.2025.10.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m30s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 51m34s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-03 22:15:48 +01:00
1a2d1a3ae1 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@5fcd2eb at 2025-10-03T18:43:20Z on 81c03bb1ea18

Generated at : 2025-10-03T18:43:20Z
Runner Host  : 81c03bb1ea18
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 5fcd2eb HEAD -> master
2025-10-03 18:43:21 +00:00
5fcd2ebf42 V8.13.032.2025.10.03
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m25s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-03 19:41:39 +01:00
7168374797 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@720eede at 2025-10-03T18:34:52Z on f95e1bf52e89

Generated at : 2025-10-03T18:34:52Z
Runner Host  : f95e1bf52e89
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 720eede HEAD -> master
2025-10-03 18:34:52 +00:00
720eede478 V8.13.032.2025.10.03
Some checks failed
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m23s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-03 19:33:22 +01:00
036fefdd3e DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@2bcbdf8 at 2025-10-03T18:14:04Z on a906e8c798d2

Generated at : 2025-10-03T18:14:04Z
Runner Host  : a906e8c798d2
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 2bcbdf8 HEAD -> master
2025-10-03 18:14:05 +00:00
2bcbdf8716 V8.13.032.2025.10.03
Some checks failed
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 52s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m21s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-03 19:09:06 +01:00
ffecfcdc50 DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@a51e37b at 2025-10-03T17:42:11Z on 17b27bf14db1

Generated at : 2025-10-03T17:42:11Z
Runner Host  : 17b27bf14db1
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : a51e37b HEAD -> master
2025-10-03 17:42:11 +00:00
a51e37b648 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@0f8b894 at 2025-10-03T17:41:34Z on 71aa4f460676

Generated at : 2025-10-03T17:41:34Z
Runner Host  : 71aa4f460676
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : 0f8b894 HEAD -> master
2025-10-03 17:41:34 +00:00
0f8b894e40 V8.13.032.2025.10.03
Some checks failed
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m2s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m39s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-03 18:39:15 +01:00
ec171888f7 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@d046770 at 2025-10-03T00:15:58Z on 09b46a8e3de7

Generated at : 2025-10-03T00:15:58Z
Runner Host  : 09b46a8e3de7
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : d046770 HEAD -> master
2025-10-03 00:15:58 +00:00
d046770aeb DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@6350278 at 2025-10-02T23:28:54Z on 471bb232066f

Generated at : 2025-10-02T23:28:54Z
Runner Host  : 471bb232066f
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 6350278 HEAD -> master
2025-10-02 23:28:54 +00:00
63502787c0 V8.13.016.2025.09.28
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m19s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 49m31s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-03 00:26:03 +01:00
a96af3ff06 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@3c2c899 at 2025-10-02T05:21:58Z on d622961e7303

Generated at : 2025-10-02T05:21:58Z
Runner Host  : d622961e7303
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 3c2c899 HEAD -> master
2025-10-02 05:21:58 +00:00
3c2c899403 V8.13.016.2025.09.28
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Failing after 6s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 46m3s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-02 05:35:36 +01:00
e966a899c7 DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
X-CI-Metadata: master@9b28418 at 2025-09-28T18:07:16Z on 00826445cf18

Generated at : 2025-09-28T18:07:16Z
Runner Host  : 00826445cf18
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 9b28418 HEAD -> master
2025-09-28 18:07:16 +00:00
9b28418860 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
X-CI-Metadata: master@40d81b5 at 2025-09-28T17:19:40Z on 7742f0ad5cbe

Generated at : 2025-09-28T17:19:40Z
Runner Host  : 7742f0ad5cbe
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 40d81b5 HEAD -> master
2025-09-28 17:19:40 +00:00
40d81b51f9 DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
X-CI-Metadata: master@ac05607 at 2025-09-28T16:27:10Z on bd5e33dea725

Generated at : 2025-09-28T16:27:10Z
Runner Host  : bd5e33dea725
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : ac05607 HEAD -> master
2025-09-28 16:27:10 +00:00
ac0560714b DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
X-CI-Metadata: master@7f35d1a at 2025-09-28T15:30:51Z on a05d37bda04a

Generated at : 2025-09-28T15:30:51Z
Runner Host  : a05d37bda04a
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 7f35d1a HEAD -> master
2025-09-28 15:30:51 +00:00
7f35d1ab38 DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]
X-CI-Metadata: master@ec6e791 at 2025-09-28T15:30:34Z on a7ef4e974f4a

Generated at : 2025-09-28T15:30:34Z
Runner Host  : a7ef4e974f4a
Workflow ID  : 🛡️ Retrieve DNSSEC status of coresecret.dev.
Git Commit   : ec6e791 HEAD -> master
2025-09-28 15:30:34 +00:00
ec6e791b9d V8.13.016.2025.09.28
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 45s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m1s
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Successful in 47m22s
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 47m36s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-28 16:29:27 +01:00
130 changed files with 2014 additions and 693 deletions

View File

@@ -21,7 +21,7 @@ usage() {
clear clear
cat << EOF cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m") $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m") $(echo -e "\e[92mMaster V8.13.142.2025.10.14\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

View File

@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
DEBIAN_FRONTEND=noninteractive \ DEBIAN_FRONTEND=noninteractive \
apt-get update && \ apt-get update && \
@@ -33,7 +32,6 @@ DEBIAN_FRONTEND=noninteractive \
whois whois
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -0,0 +1,72 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
#######################################
# Simple error terminal logger.
# Arguments:
# None
#######################################
log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
### Locate vendor 'legacy.conf' (The path can vary).
declare vendor=""
for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
done
if [[ -z "${vendor}" ]]; then
log "WARN: vendor legacy.conf not found; creating a minimal override"
install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
else
install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
fi
### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
# shellcheck disable=SC2155
declare tmpdir="$(mktemp -d)"
declare out="${tmpdir}/legacy.conf"
awk '
BEGIN{seen=0}
{
# Preserve everything by default
keep=1
# Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
if (seen==1) { keep=0 } else { seen=1 }
}
if (keep) print
}' /etc/tmpfiles.d/legacy.conf >| "${out}"
### Install the sanitized file atomically.
install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
rm -rf -- "${tmpdir}"
log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -25,7 +25,7 @@ body:
attributes: attributes:
label: "Version" label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`." description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V8.13.008.2025.08.22" placeholder: "e.g., Master V8.13.142.2025.10.14"
validations: validations:
required: true required: true

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
FROM debian:bookworm FROM debian:bookworm

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
name: 🔁 Render README.md to README.html. name: 🔁 Render README.md to README.html.

View File

@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.008.2025.08.22 version: V8.13.142.2025.10.14
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

View File

@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.008.2025.08.22 version: V8.13.142.2025.10.14
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

View File

@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.008.2025.08.22 version: V8.13.142.2025.10.14
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

View File

@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.008.2025.08.22 version: V8.13.142.2025.10.14
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -51,6 +51,7 @@ jobs:
gnupg \ gnupg \
openssh-client \ openssh-client \
openssl \ openssl \
perl \
sudo \ sudo \
util-linux util-linux
@@ -62,6 +63,11 @@ jobs:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash shell: bash
run: | run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
rm -rf ~/.ssh && mkdir -m700 ~/.ssh rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key ### Private Key
@@ -136,17 +142,91 @@ jobs:
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
- name: 🔧 Render live hook with secrets.
shell: bash
working-directory: ${{ github.workspace }}
env:
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
run: |
set -Ceuo pipefail
umask 077
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
if [[ ! -f "${TPL}" ]]; then
echo "Template not found: ${TPL}"
echo "::group::Tree of config/hooks/live"
ls -la "${REPO_ROOT}/config/hooks/live" || true
echo "::endgroup::"
exit 2
fi
export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
export ED25519_PUB="${ED25519_PUB//$'\r'/}"
export RSA_PRIV="${RSA_PRIV//$'\r'/}"
export RSA_PUB="${RSA_PUB//$'\r'/}"
export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
(
cat << EOF >| "${ID_OUT}"
${CISS_PRIMORDIAL}
EOF
) && chmod 0600 "${ID_OUT}"
if [[ -f "${ID_OUT}" ]]; then
echo "Written: ${ID_OUT}"
else
echo "Error: ${ID_OUT} not written."
fi
(
cat << EOF >| "${ID_OUT_PUB}"
${CISS_PRIMORDIAL_PUB}
EOF
) && chmod 0600 "${ID_OUT_PUB}"
if [[ -f "${ID_OUT_PUB}" ]]; then
echo "Written: ${ID_OUT_PUB}"
else
echo "Error: ${ID_OUT_PUB} not written."
fi
perl -0777 -pe '
BEGIN{
$ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
$rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB};
}
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
' "${TPL}" > "${OUT}"
chmod 0755 "${OUT}"
echo "Hook rendered: ${OUT}"
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ... - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash shell: bash
working-directory: ${{ github.workspace }}
run: | run: |
set -euo pipefail set -euo pipefail
chmod 0755 ciss_live_builder.sh chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'. ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
./ciss_live_builder.sh \ ./ciss_live_builder.sh \
--autobuild=6.12.41+deb13-amd64 \ --autobuild=6.16.3+deb13-amd64 \
--architecture amd64 \ --architecture amd64 \
--build-directory /opt/livebuild \ --build-directory /opt/livebuild \
--cdi \
--control "${timestamp}" \ --control "${timestamp}" \
--debug \ --debug \
--dhcp-centurion \ --dhcp-centurion \
@@ -155,8 +235,14 @@ jobs:
--root-password-file /opt/config/password.txt \ --root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
--ssh-pubkey /opt/config \ --ssh-pubkey /opt/config \
--sshfp \
--trixie --trixie
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "$OUT"
echo "Hook removed: $OUT"
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs. - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash shell: bash
env: env:

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -51,6 +51,7 @@ jobs:
gnupg \ gnupg \
openssh-client \ openssh-client \
openssl \ openssl \
perl \
sudo \ sudo \
util-linux util-linux
@@ -62,6 +63,11 @@ jobs:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash shell: bash
run: | run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
rm -rf ~/.ssh && mkdir -m700 ~/.ssh rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key ### Private Key
@@ -136,24 +142,104 @@ jobs:
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
- name: 🔧 Render live hook with secrets.
shell: bash
working-directory: ${{ github.workspace }}
env:
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
run: |
set -Ceuo pipefail
umask 077
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
if [[ ! -f "${TPL}" ]]; then
echo "Template not found: ${TPL}"
echo "::group::Tree of config/hooks/live"
ls -la "${REPO_ROOT}/config/hooks/live" || true
echo "::endgroup::"
exit 2
fi
export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
export ED25519_PUB="${ED25519_PUB//$'\r'/}"
export RSA_PRIV="${RSA_PRIV//$'\r'/}"
export RSA_PUB="${RSA_PUB//$'\r'/}"
export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
(
cat << EOF >| "${ID_OUT}"
${CISS_PRIMORDIAL}
EOF
) && chmod 0600 "${ID_OUT}"
if [[ -f "${ID_OUT}" ]]; then
echo "Written: ${ID_OUT}"
else
echo "Error: ${ID_OUT} not written."
fi
(
cat << EOF >| "${ID_OUT_PUB}"
${CISS_PRIMORDIAL_PUB}
EOF
) && chmod 0600 "${ID_OUT_PUB}"
if [[ -f "${ID_OUT_PUB}" ]]; then
echo "Written: ${ID_OUT_PUB}"
else
echo "Error: ${ID_OUT_PUB} not written."
fi
perl -0777 -pe '
BEGIN{
$ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
$rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB};
}
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
' "${TPL}" > "${OUT}"
chmod 0755 "${OUT}"
echo "Hook rendered: ${OUT}"
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ... - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash shell: bash
working-directory: ${{ github.workspace }}
run: | run: |
set -euo pipefail set -euo pipefail
chmod 0755 ciss_live_builder.sh chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'. ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
./ciss_live_builder.sh \ ./ciss_live_builder.sh \
--autobuild=6.12.41+deb13-amd64 \ --autobuild=6.16.3+deb13-amd64 \
--architecture amd64 \ --architecture amd64 \
--build-directory /opt/livebuild \ --build-directory /opt/livebuild \
--cdi \
--control "${timestamp}" \ --control "${timestamp}" \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \ --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
--root-password-file /opt/config/password.txt \ --root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /opt/config \ --ssh-pubkey /opt/config \
--sshfp \
--trixie --trixie
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "$OUT"
echo "Hook removed: $OUT"
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs. - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash shell: bash
env: env:

View File

@@ -9,10 +9,14 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.
defaults:
run:
shell: bash
permissions: permissions:
contents: write contents: write
@@ -24,161 +28,32 @@ on:
- '.gitea/trigger/t_generate_PUBLIC.yaml' - '.gitea/trigger/t_generate_PUBLIC.yaml'
jobs: jobs:
generate-private-ciss-debian-live-iso: generate-public-cdlb-trixie:
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.
runs-on: ciss.debian.live.builder.iso.generator runs-on: cdlb.trixie
### Run all steps inside Debian Bookworm
container: container:
image: debian:bookworm image: debian:trixie
steps: steps:
- name: 🛠️ Basic Image Setup and enable Bookworm Backports. - name: 🛠️ Basic Image Setup.
run: |
apt-get update -y
apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
echo 'deb https://deb.debian.org/debian bookworm-backports main' \
>| /etc/apt/sources.list.d/bookworm-backports.list
apt-get update -y
apt-get upgrade -y
- name: 🛠️ Installing Build Tools.
shell: bash shell: bash
run: | run: |
apt-get update -y export DEBIAN_FRONTEND=noninteractive
apt-get install -y \ apt-get update
autoconf \ apt-get upgrade -y
automake \ apt-get install -y --no-install-recommends \
build-essential \ apt-utils \
cryptsetup \ bash \
ca-certificates \
curl \ curl \
debootstrap \
dosfstools \
efibootmgr \
gettext \
git \ git \
gnupg \ gnupg \
haveged \ openssh-client \
libbz2-dev \ openssl \
zlib1g-dev \ perl \
liblzma-dev \
libtool \
live-build \
parted \
pkg-config \
ssh \
ssl-cert \
sudo \ sudo \
texinfo \ util-linux
wget \
whois \
- name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
shell: bash
run: |
urls=(
"https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
"https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
"https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
)
wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
gpg --batch --import signature_key.asc
for url in "${urls[@]}"; do
archive_name="${url##*/}"
pkg_name="${archive_name%.tar.bz2}"
echo "🔄 Processing ${pkg_name}"
if [[ ! -f "${archive_name}" ]]; then
echo "📥 Downloading: '${archive_name}'."
if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
echo "✅ Download successful: '${archive_name}'."
else
echo "❌ Download NOT successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping download, package already exists: '${archive_name}'."
fi
if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
if [[ ! -d "${pkg_name}" ]]; then
echo "📂 Extracting: '${archive_name}'."
if tar -xjf "${archive_name}"; then
echo "✅ Extraction successful: '${archive_name}'."
else
echo "❌ Extraction not successful: '${archive_name}'."
exit 1
fi
else
echo "💡 Skipping directory, already exists: '${pkg_name}'."
fi
echo "🏗️ Build and install the package: '${pkg_name}'."
cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
mkdir -p build
cd build || { echo "❌ Could not change to '/build'."; exit 1; }
sudo ../configure > /dev/null 2>&1 || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
echo "✅ Successful build and installation of '${pkg_name}'."
echo "-------------------------------------------------------------------------------------"
done
rm -f signature_key.asc
echo "✅ All packages were built and installed successfully."
mv_bin=(
"/usr/bin/gpg"
"/usr/bin/gpg-agent"
"/usr/bin/gpgconf"
"/usr/bin/gpg-connect-agent"
"/usr/bin/gpg-wks-client"
"/usr/bin/gpg-preset-passphrase"
)
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
if mv "${bin}" "${bin}.debian-backup"; then
echo "✅ Moved successfully: '${bin}'."
else
echo "❌ Moved NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist as build binary: '${bin}'."
fi
done
for bin in "${mv_bin[@]}"; do
name="${bin##*/}"
if [[ -f "/usr/local/bin/${name}" ]]; then
if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
echo "✅ 'update-alternatives' successfully: '${bin}'."
else
echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
fi
else
echo "💡 Does not exist: '/usr/local/bin/${name}'."
fi
done
sudo ldconfig
gpgconf --kill all
/usr/local/bin/gpg-agent --daemon
- name: ⚙️ Check GnuPG Version. - name: ⚙️ Check GnuPG Version.
shell: bash shell: bash
@@ -188,6 +63,11 @@ jobs:
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash shell: bash
run: | run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
rm -rf ~/.ssh && mkdir -m700 ~/.ssh rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key ### Private Key
@@ -269,15 +149,18 @@ jobs:
sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
chmod 0755 ciss_live_builder.sh chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64. ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
./ciss_live_builder.sh \ ./ciss_live_builder.sh \
--autobuild=6.1.0-37-amd64 \ --autobuild=6.16.3+deb13-amd64 \
--architecture amd64 \ --architecture amd64 \
--build-directory /opt/livebuild \ --build-directory /opt/livebuild \
--cdi \
--control "${timestamp}" \ --control "${timestamp}" \
--debug \
--root-password-file /opt/config/password.txt \ --root-password-file /opt/config/password.txt \
--ssh-port 42137 \ --ssh-port 42137 \
--ssh-pubkey /opt/config --ssh-pubkey /opt/config \
--trixie
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs. - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash shell: bash
@@ -364,11 +247,12 @@ jobs:
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
VAR_DATE="$(date +%F)"
PRIVATE_FILE="LIVE_ISO.public" PRIVATE_FILE="LIVE_ISO.public"
touch "${PRIVATE_FILE}" touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}" cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
# Gitea Workflow: Shell-Script Linting # Gitea Workflow: Shell-Script Linting
# #
@@ -41,6 +41,10 @@ jobs:
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
rm -rf ~/.ssh && mkdir -m700 ~/.ssh rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key ### Private Key

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
name: 🛡️ Retrieve DNSSEC status of coresecret.dev. name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -33,6 +33,10 @@ jobs:
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
rm -rf ~/.ssh && mkdir -m700 ~/.ssh rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key ### Private Key

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
name: 🔁 Render Graphviz Diagrams. name: 🔁 Render Graphviz Diagrams.
@@ -34,6 +34,10 @@ jobs:
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
rm -rf ~/.ssh && mkdir -m700 ~/.ssh rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key ### Private Key

View File

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu" properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.13.008.2025.08.22" properties_version="V8.13.142.2025.10.14"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

View File

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder PackageName: CISS.debian.live.builder
PackageVersion: Master V8.13.008.2025.08.22 PackageVersion: Master V8.13.142.2025.10.14
PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,8 +9,8 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z" This file was automatically generated by the DEPLOY BOT on: "2025-10-14T19:37:03Z"
The last linter check was successful. ⚠️ The last linter check was NOT successful. ⚠️
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-11T22:40:21Z". This file was automatically generated by the DEPLOY BOT on: "2025-10-14T22:23:27Z"
CISS.debian.live.builder ISO : CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_11T21_49_56Z-amd64.hybrid.iso" "ciss-debian-live-2025_10_14T21_30_07Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 : CISS.debian.live.builder ISO sha512 :
4aa02673b9a8d5b974014eca4371d1ed69b05eaea9e92203cf7c092880833e18812bf31ab053399eda98b7a3da0b76b8dcdaaba892e9f52f836ea9d2b0e09e38 442037d11eb48f4adbd1a3da17cf36062ec6be816627c38fe814458840020f212c551b96d5e785c4372fa09fc11fd9529f34166530b1e1f5ce9335abadb5f771
CISS.debian.live.builder ISO sha512 sign : CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpxVQAKCRA85KY4hzOw iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7NXwAKCRA85KY4hzOw
IZWOAQDJriUoDvDNSQiHbFfW4KVV1E1wqe12eS7GyfVFr9bISwEAoDKhQ85+RiGr IT3LAP4uP8glLMDEpUntKJQTiPqSYjGUyIFoKmsgALGPJcnnoQD/fcz4Mq12mF32
pCdWqvU8wcfzEIlKIpAgAZVrhX/xRw8= jf4ETKQBqlxuQyLTPvPFhLsrBbDD0AI=
=wNVV =/UNR
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z" This file was automatically generated by the DEPLOY BOT on: "2025-10-14T20:32:28Z"
CISS.debian.live.builder ISO : CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso" "ciss-debian-live-2025_10_14T19_36_59Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 : CISS.debian.live.builder ISO sha512 :
35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37 57559f9b9c5e50dad6a5b2023d992c26b8f4d25dd0d45ffa5cfd479ee623287e2c2eead70016267b848c5910db5ba5c4e2dfeeb12cca6f59fe455dad886c51d9
CISS.debian.live.builder ISO sha512 sign : CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO6zXAAKCRA85KY4hzOw
IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7 Idq2AQDRmgHRGnX1bn+cNV5JirecSke0IAwlAjEXOl4tFoQlewEA0s2R1A3OQjIq
RlXsvZxNgVDaEVSdjmt99dMrZK7DRws= fAhdl2wltVNT5+jUg6EUj3FE3kVPaQo=
=4Oh3 =fmxg
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z" This file was automatically generated by the DEPLOY BOT on: "2025-10-14T21:28:34Z"
CISS.debian.live.builder ISO : CISS.debian.live.builder ISO :
"ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso" "ciss-debian-live-2025_10_14T20_33_51Z-amd64.hybrid.iso"
CISS.debian.live.builder ISO sha512 : CISS.debian.live.builder ISO sha512 :
4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3 4a47a1ed0986b67774047b2bfc6fdd53753fa8f301f8376b23ccde1f5187aeffbca7fce3194a3d7b61278630291a1d2d954a289da712c064326eb6b7020c228c
CISS.debian.live.builder ISO sha512 sign : CISS.debian.live.builder ISO sha512 sign :
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7AggAKCRA85KY4hzOw
IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8 IWpdAP4xCxUP4V0lOBE1u7+wEOoEmXiRC10Va4Hf2UXjH1BSVwEAsz/cMaGt+rJT
IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ= q0i+5EftPavvIst48aXQsp7QKjyNewM=
=boDM =x3/T
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

View File

@@ -2,17 +2,17 @@
gitea: none gitea: none
include_toc: true include_toc: true
--- ---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) [![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.142.2025.10.14-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.13.008.2025.08.22` Example: `V8.13.142.2025.10.14`
`x.y.z` represents major (x), minor (y), and patch (z) version increments. `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -453,6 +453,7 @@ predictable script behavior.
--build-directory /opt/livebuild \ --build-directory /opt/livebuild \
--change-splash hexagon \ --change-splash hexagon \
--control "${timestamp}" \ --control "${timestamp}" \
--cdi \
--debug \ --debug \
--dhcp-centurion \ --dhcp-centurion \
--jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \ --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \

119
REPOSITORY.md Normal file
View File

@@ -0,0 +1,119 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.142.2025.10.14<br>
# 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
**Repository State:** Master Version **8.13**, Build **V8.13.142.2025.10.14** (as of 2025-10-11)
## 2.2. Top-Level Layout
````text
CISS.debian.live.builder/
├─ .archive/ # Archived artefacts or historical assets
├─ .gitea/ # Gitea CI/CD metadata (workflows, triggers, templates)
│ ├─ ISSUE_TEMPLATE/
│ ├─ properties/{json, lua}
│ ├─ TO DO/{dockerfile, render-md-to-html.yaml}
│ ├─ trigger/{t_generate_.yaml}
│ └─ workflows/{generate_.yaml, linter_char_scripts.yaml, render-.yaml}
├─ .pubkey/ # Public keys (e.g., for CI or verification)
├─ config/ # Live-build configuration (boot, hooks, includes, package lists)
│ ├─ bootloaders/{grub-efi, grub-pc, splash.png}
│ ├─ hooks/live/.chroot # Ordered chroot hooks (0000_* … 99xx_)
│ ├─ includes.binary/boot/grub/config.cfg
│ ├─ includes.chroot/{etc, preseed, root}
│ └─ package-lists/{live.list.amd64.chroot, live.list.arm64.chroot, live.list.common.chroot}
├─ docs/ # Project documentation (audits, change log, policies)
│ ├─ AUDIT_.md, BOOTPARAMS.md, CHANGELOG.md, CODING_CONVENTION.md, ...
│ ├─ SECURITY/, LICENSES/, graphviz/, screenshots/
├─ lib/ # Shell library modules used by the builder
├─ scripts/ # Helper/orchestration scripts (e.g., network, live-boot)
├─ var/ # Variable sets and early/global defaults (*.var.sh)
├─ .editorconfig
├─ .gitignore
├─ .shellcheckrc
├─ .version.properties
├─ CISS.debian.live.builder.spdx # SPDX bill of materials / license manifest
├─ LICENSE
├─ SECURITY.md
├─ README.md
├─ config.mk.sample
├─ ciss_live_builder.sh # Main entrypoint / wrapper
├─ makefile
├─ meta_sources_debug.sh
├─ LIVE_ISO_TRIXIE_0.private # CI artefact markers
├─ LIVE_ISO_TRIXIE_1.private # CI artefact markers
└─ LIVE_ISO.public # CI artefact markers
````
> **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
## 2.3. Directory Semantics
### 2.3.1. `.gitea/` — CI/CD Orchestration
- **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
- **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
- **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
- **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
### 2.3.2. `config/` — Live-Build Configuration
- **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_fail2ban_hardening.chroot`).
- **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
- **`includes.chroot/`**: Files copied into the live systems root:
- `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),
- `preseed/` (installer preseeding and supporting artifacts),
- `root/` (administrator dotfiles and keys).
- **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
### 2.3.3. `docs/` — Documentation Corpus
Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
### 2.3.4. `lib/` — Shell Library Modules
Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
### 2.3.5. `scripts/` — Operational Helpers
Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
### 2.3.6. `var/` — Variables & Defaults
Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
## 2.4. Key Files
- **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
- **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
- **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
- **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
## 2.5. Conventions & Build Logic
- **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
- **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISOs bootloader stage; `includes.chroot/` become part of the runtime filesystem.
- **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
- **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
## 2.6. Cross-References (Documentation)
- **Boot Parameters**: see `docs/BOOTPARAMS.md`.
- **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
- **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
- **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
## 2.7. Licensing & Compliance
The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

View File

@@ -143,6 +143,7 @@ declare -gx VAR_SETUP="true"
source_guard "./lib/lib_lb_config_start.sh" source_guard "./lib/lib_lb_config_start.sh"
source_guard "./lib/lib_lb_config_write.sh" source_guard "./lib/lib_lb_config_write.sh"
source_guard "./lib/lib_lb_config_write_trixie.sh" source_guard "./lib/lib_lb_config_write_trixie.sh"
source_guard "./lib/lib_note_target.sh"
source_guard "./lib/lib_provider_netcup.sh" source_guard "./lib/lib_provider_netcup.sh"
source_guard "./lib/lib_run_analysis.sh" source_guard "./lib/lib_run_analysis.sh"
source_guard "./lib/lib_sanitizer.sh" source_guard "./lib/lib_sanitizer.sh"
@@ -209,6 +210,12 @@ arg_priority_check
check_stats check_stats
if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
if [[ ! "${VAR_SSHFP}" == "true" ]]; then
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
fi
check_hooks check_hooks
hardening_ssh hardening_ssh
lb_config_start lb_config_start
@@ -236,6 +243,7 @@ change_splash
check_dhcp check_dhcp
cdi cdi
provider_netcup provider_netcup
note_target
### Start the build process ### Start the build process
set +o errtrace set +o errtrace

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,20 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /root/.ciss/dlb/backup export DEBIAN_FRONTEND="noninteractive"
chmod 0700 /root/.ciss/dlb/backup apt-get update -qq
mkdir -p /root/.ciss/dlb/{backup,log}
chmod 0700 /root/.ciss/dlb/{backup,log}
mkdir -p /root/git mkdir -p /root/git
chmod 0700 /root/git chmod 0700 /root/git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,15 +9,18 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
####################################### #######################################
# Get all NIC Driver of the current Host-machine # Get all NIC drivers of the current Host machine.
# Globals:
# None
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
####################################### #######################################
grep_nic_driver_modules() { grep_nic_driver_modules() {
declare _mods declare _mods
@@ -34,20 +37,30 @@ grep_nic_driver_modules() {
declare nic_module declare nic_module
declare nic_modules declare nic_modules
if [[ "${#_mods[@]}" -eq 1 ]]; then if [[ "${#_mods[@]}" -eq 1 ]]; then
nic_module="${_mods[0]}" nic_module="${_mods[0]}"
echo "${nic_module}" echo "${nic_module}"
else else
nic_modules="${_mods[*]}" nic_modules="${_mods[*]}"
echo "${nic_modules}" echo "${nic_modules}"
fi fi
return 0
} }
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y intel-microcode amd64-microcode
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare nic_driver="$(grep_nic_driver_modules)" declare nic_driver="$(grep_nic_driver_modules)"
cat << EOF >| /etc/initramfs-tools/modules cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -69,7 +82,19 @@ cat << EOF >| /etc/initramfs-tools/modules
# raid1 # raid1
# sd_mod # sd_mod
### Main btrfs-Stack ### Load AppArmor early:
apparmor
### Entropy source for '/dev/random':
jitterentropy_rng
rng_core
### Live-ISO-Stack:
loop
squashfs
overlay
### Main btrfs-Stack:
btrfs btrfs
lzo lzo
xor xor
@@ -77,12 +102,12 @@ xxhash
zstd zstd
zstd_compress zstd_compress
### Main ext4-Stack ### Main ext4-Stack:
ext4 ext4
jbd2 jbd2
libcrc32c libcrc32c
### Main VFAT/ESP/FAT/UEFI-Stack ### Main VFAT/ESP/FAT/UEFI-Stack:
exfat exfat
fat fat
nls_ascii nls_ascii
@@ -92,30 +117,32 @@ nls_iso8859-15
nls_utf8 nls_utf8
vfat vfat
### Device mapper, encryption & integrity ### Device mapper, encryption & integrity:
dm_mod dm_mod
dm_crypt dm_crypt
dm_integrity dm_integrity
dm_verity dm_verity
### Main cryptography-Stack ### Main cryptography-Stack:
aes_generic aes_generic
blake2b_generic blake2b_generic
crc32c_generic crc32c_generic
cryptd
libcrc32c libcrc32c
sha256_generic sha256_generic
sha512_generic sha512_generic
xts
### QEMU Bochs-compatible virtual machine support ### QEMU Bochs-compatible virtual machine support:
bochs bochs
### RAID6 parity generation module ### RAID6 parity generation module:
raid6_pq raid6_pq
### Combined RAID4/5/6 support module ### Combined RAID4/5/6 support module:
raid456 raid456
### SCSI/SATA-Stack ### SCSI/SATA-Stack:
sd_mod sd_mod
sr_mod sr_mod
sg sg
@@ -126,11 +153,11 @@ libata
scsi_mod scsi_mod
scsi_dh_alua scsi_dh_alua
### NVMe-Stack ### NVMe-Stack:
nvme nvme
nvme_core nvme_core
### USB-Stack ### USB-Stack:
xhci_pci xhci_pci
xhci_hcd xhci_hcd
ehci_pci ehci_pci
@@ -139,21 +166,21 @@ uhci_hcd
usb_storage usb_storage
uas uas
### Virtual-Machines-Stack ### Virtual-Machines-Stack:
virtio_pci virtio_pci
virtio_blk virtio_blk
virtio_scsi virtio_scsi
virtio_rng virtio_rng
virtio_console virtio_console
### Network Driver Host-machine ### Network Driver Host-machine:
"${nic_driver}" "${nic_driver}"
EOF EOF
cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -188,7 +215,7 @@ EOF
cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -293,7 +320,7 @@ EOF
cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
#!/bin/sh #!/bin/sh
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -328,10 +355,9 @@ EOF
chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
### Regenerate the initramfs for the live system kernel ### Regenerate the initramfs for the live system kernel
update-initramfs -u -k all update-initramfs -u -k all -v
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
target="/usr/lib/live/boot/0030-verify-checksums" target="/usr/lib/live/boot/0030-verify-checksums"
src="$(mktemp)" src="$(mktemp)"
@@ -24,7 +23,7 @@ fi
cat << 'EOF' >| "${src}" cat << 'EOF' >| "${src}"
#!/bin/sh #!/bin/sh
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -138,7 +137,6 @@ rm -f "${src}"
unset target src unset target src
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,17 +9,26 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# TODO: MUST be uncommented export DEBIAN_FRONTEND="noninteractive"
cd /root/git apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
install -d /etc/systemd/system/apparmor.service.d
cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf
[Unit]
### Drop any negative live conditions that would skip AppArmor on overlay.
ConditionPathExists=
### Ensure we only rely on the security=apparmor condition.
ConditionSecurity=apparmor
EOF
install -d -m 0755 /var/cache/apparmor
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -0,0 +1,44 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
Host git.coresecret.dev
Port 42842
VerifyHostKeyDNS yes
StrictHostKeyChecking yes
GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
UserKnownHostsFile /dev/null
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
CanonicalizeHostname no
UpdateHostKeys no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,24 +9,24 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
if [[ ! -f /root/.pwd ]]; then if [[ ! -f /root/.pwd ]]; then
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n" printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
# sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
# sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
exit 0 exit 0
fi fi
cd /root cd /root
# shellcheck disable=SC2312
cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)" cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
chmod 600 /root/.ciss/dlb/backup/shadow.bak.* chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
declare hashed_pwd declare hashed_pwd
declare safe_hashed_pwd declare safe_hashed_pwd
@@ -38,16 +38,18 @@ sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
unset hashed_pwd safe_hashed_pwd unset hashed_pwd safe_hashed_pwd
cat /etc/shadow cat /etc/shadow
# sleep 1
if shred -vfzu -n 5 /root/.pwd; then if shred -vfzu -n 5 /root/.pwd; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2 printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cat << 'EOF' >| /etc/default/keyboard cat << 'EOF' >| /etc/default/keyboard
XKBMODEL="pc105" XKBMODEL="pc105"
@@ -25,7 +24,6 @@ EOF
dpkg-reconfigure -f noninteractive keyboard-configuration dpkg-reconfigure -f noninteractive keyboard-configuration
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,13 +9,12 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get update -y export DEBIAN_FRONTEND="noninteractive"
apt-get install --no-install-recommends haveged -y apt-get install -y --no-install-recommends haveged
cd /root cd /root
cat << 'EOF' >| /etc/default/haveged cat << 'EOF' >| /etc/default/haveged
@@ -25,18 +24,8 @@ cat << 'EOF' >| /etc/default/haveged
DAEMON_ARGS="-w 2048 -v 1" DAEMON_ARGS="-w 2048 -v 1"
EOF EOF
#mkdir -p /etc/systemd/system/haveged.service.d
#cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
#[Service]
#NoNewPrivileges=yes
#ReadWritePaths=/dev/random /dev/urandom
#AmbientCapabilities=
#User=haveged
#Group=nogroup
#EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1 # sleep 1

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1 # sleep 1

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root cd /root
@@ -24,7 +23,8 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
apt-get update -y export DEBIAN_FRONTEND="noninteractive"
apt-get update
apt-get install -y eza apt-get install -y eza
git clone https://github.com/eza-community/eza-themes.git git clone https://github.com/eza-community/eza-themes.git
@@ -145,10 +145,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
fc-cache -fv fc-cache -fv
rm -rf /tmp/nerd rm -rf /tmp/nerd
unset repo latest_release download_url
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,20 +9,19 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
apt-get update -y export DEBIAN_FRONTEND="noninteractive"
apt-get update
apt-get install -y lynis apt-get install -y lynis
lynis show version lynis show version
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,20 +9,34 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /var/log/chrony mkdir -p /var/log/chrony
# See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.
apt-get install chrony -y export DEBIAN_FRONTEND="noninteractive"
export TZ="Etc/UTC"
apt-get install -y adjtimex chrony tzdata
systemctl enable chrony.service systemctl enable chrony.service
mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
cat << EOF >| /etc/chrony/chrony.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
cat << 'EOF' >| /etc/chrony/chrony.conf
# Include configuration files found in /etc/chrony/conf.d. # Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d confdir /etc/chrony/conf.d
driftfile /var/lib/chrony/chrony.drift driftfile /var/lib/chrony/chrony.drift
@@ -36,16 +50,14 @@ log tracking measurements statistics
authselectmode require authselectmode require
server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9 server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9 server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9 server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
server ptbtime4.ptb.de iburst nts minpoll 5 maxpoll 9 server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
server sth1.ntp.se iburst nts minpoll 5 maxpoll 9 server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
server ntp0.fau.de iburst nts minpoll 5 maxpoll 9 server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9 server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
# server ntp.ripe.net iburst nts minpoll 5 maxpoll 9 server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
# server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
leapsectz right/UTC leapsectz right/UTC
@@ -55,13 +67,50 @@ maxupdateskew 100.0
rtcsync rtcsync
makestep 1 3 makestep 0.25 3
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
chmod 644 /etc/chrony/chrony.conf chmod 0644 /etc/chrony/chrony.conf
[[ -f /root/.ciss/check_chrony.sh ]] && chmod 0700 /root/.ciss/check_chrony.sh
### Build right/UTC from tzdata leap table if missing.
if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
install -d -m 0755 /usr/share/zoneinfo/right
### Minimal zic source for a fixed UTC zone.
declare -r tmp_src="/tmp/UTC.src"
printf 'Zone UTC 0 - UTC\n' > "${tmp_src}"
### Prefer the zic-format leapseconds file.
declare leap_zic="/usr/share/zoneinfo/leapseconds"
if [[ -s "${leap_zic}" ]]; then
zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
else
echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
fi
rm -f "${tmp_src}"
fi
if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git cd /root/git
git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root cd /root
declare target_script="/etc/cron.d/restart-ssh" declare target_script="/etc/cron.d/restart-ssh"
@@ -21,12 +20,12 @@ cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh @reboot root /usr/local/bin/restart-ssh.sh
EOF EOF
chmod 644 "${target_script}" chmod 0644 "${target_script}"
cat << 'EOF' >| /usr/local/bin/restart-ssh.sh cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -43,10 +42,8 @@ systemctl start ssh
EOF EOF
chmod +x /usr/local/bin/restart-ssh.sh chmod +x /usr/local/bin/restart-ssh.sh
unset target_script
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git cd /root/git
git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
chmod +x /usr/bin/yq chmod +x /usr/bin/yq
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root/git cd /root/git
git clone https://github.com/testssl/testssl.sh.git git clone https://github.com/testssl/testssl.sh.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,12 +9,11 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get install -y curl export DEBIAN_FRONTEND="noninteractive"
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \ curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
apt-get install -y nodejs apt-get install -y nodejs
@@ -22,7 +21,6 @@ cd /root/git
git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1 # sleep 1

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1 # sleep 1

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1 # sleep 1

View File

@@ -0,0 +1,53 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
export DEBIAN_FRONTEND=noninteractive
SOPS_VER="v3.11.0"
ARCH="$(dpkg --print-architecture)"
case "${ARCH}" in
amd64) SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
arm64) SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
*) echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
esac
cd /tmp
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
--certificate "sops-${SOPS_VER}.checksums.pem" \
--signature "sops-${SOPS_VER}.checksums.sig" \
--certificate-identity-regexp="https://github.com/getsops" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
sops --version --check-for-updates
age --version
rm -f "/tmp/${SOPS_FILE}"
rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1 # sleep 1

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,25 +9,30 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y acct apt-get install -y acct
if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
mkdir -p /etc/systemd/system/multi-user.target.wants mkdir -p /etc/systemd/system/multi-user.target.wants
fi fi
if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2 printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /root/.ciss/dlb/backup/update-motd.d mkdir -p /root/.ciss/dlb/backup/update-motd.d
cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
@@ -24,8 +23,7 @@ EOF
chmod 0755 /etc/update-motd.d/10-uname chmod 0755 /etc/update-motd.d/10-uname
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt") declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
declare backup_dir="/root/.ciss/dlb/backup/certificates" declare backup_dir="/root/.ciss/dlb/backup/certificates"
@@ -27,17 +26,24 @@ declare -ax expired_certificates=()
# search_dirs # search_dirs
# dir # dir
# Arguments: # Arguments:
# None # None
####################################### #######################################
create_backup() { create_backup() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
mkdir -p "${backup_dir}" mkdir -p "${backup_dir}"
declare dir="" declare dir=""
for dir in "${search_dirs[@]}"; do for dir in "${search_dirs[@]}"; do
if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
if [[ -d "${dir}" ]] && compgen -G "${dir}"/* > /dev/null; then
cp -r "${dir}"/* "${backup_dir}" cp -r "${dir}"/* "${backup_dir}"
fi fi
done done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
} }
@@ -52,25 +58,32 @@ create_backup() {
# EXPIRED_CERTIFICATES # EXPIRED_CERTIFICATES
# SEARCH_DIRS # SEARCH_DIRS
# Arguments: # Arguments:
# None # None
####################################### #######################################
check_certificates() { check_certificates() {
declare dir="" declare dir=""
declare cert="" declare cert=""
declare cert_date="" declare cert_date=""
declare cert_date_seconds="" declare cert_date_seconds=""
for dir in "${search_dirs[@]}"; do for dir in "${search_dirs[@]}"; do
# shellcheck disable=SC2312
while IFS= read -r -d '' cert; do while IFS= read -r -d '' cert; do
cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//') cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
cert_date_seconds=$(date -d "${cert_date}" +%s) cert_date_seconds=$(date -d "${cert_date}" +%s)
if [[ ${cert_date_seconds} -lt ${current_date} ]]; then if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
declare -g expired_certificates+=("${cert}") declare -g expired_certificates+=("${cert}")
fi fi
done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0) done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
done done
} }
# done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
# done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
####################################### #######################################
# Find and clean all ca-certificates.crt files in SEARCH_DIRS. # Find and clean all ca-certificates.crt files in SEARCH_DIRS.
@@ -80,13 +93,17 @@ check_certificates() {
# cert # cert
# line # line
# Arguments: # Arguments:
# None # None
####################################### #######################################
delete_expired_from_all_bundles() { delete_expired_from_all_bundles() {
declare dir bundle declare dir bundle
for dir in "${search_dirs[@]}"; do for dir in "${search_dirs[@]}"; do
bundle="${dir}/ca-certificates.crt" bundle="${dir}/ca-certificates.crt"
if [[ -f ${bundle} ]]; then if [[ -f ${bundle} ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
declare tmp_bundle="${bundle}.tmp" declare tmp_bundle="${bundle}.tmp"
declare -a block=() declare -a block=()
@@ -97,33 +114,57 @@ delete_expired_from_all_bundles() {
declare line="" declare line=""
while IFS= read -r line; do while IFS= read -r line; do
block+=("${line}") block+=("${line}")
if [[ ${line} == "-----END CERTIFICATE-----" ]]; then if [[ ${line} == "-----END CERTIFICATE-----" ]]; then
cert=$(printf "%s\n" "${block[@]}") cert=$(printf "%s\n" "${block[@]}")
enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//') enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
if [[ -n ${enddate} ]]; then if [[ -n ${enddate} ]]; then
declare cert_date_seconds="" declare cert_date_seconds=""
cert_date_seconds=$(date -d "${enddate}" +%s) cert_date_seconds=$(date -d "${enddate}" +%s)
if [[ ${cert_date_seconds} -lt ${current_date} ]]; then if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
expired=1 expired=1
else else
expired=0 expired=0
fi fi
else else
expired=0 expired=0
fi fi
if [[ ${expired} -eq 0 ]]; then if [[ ${expired} -eq 0 ]]; then
printf "%s\n" "${block[@]}" >> "${tmp_bundle}" printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
else else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
fi fi
block=() block=()
fi fi
done < "${bundle}" done < "${bundle}"
mv -f "${tmp_bundle}" "${bundle}" mv -f "${tmp_bundle}" "${bundle}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
fi fi
done done
} }
@@ -141,30 +182,38 @@ else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
for exp_cert in "${expired_certificates[@]}"; do for exp_cert in "${expired_certificates[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
done done
for exp_cert in "${expired_certificates[@]}"; do for exp_cert in "${expired_certificates[@]}"; do
rm -f "${exp_cert}" rm -f "${exp_cert}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
basename=$(basename "${exp_cert}") basename=$(basename "${exp_cert}")
mozilla_entry="mozilla/${basename%.pem}.crt" mozilla_entry="mozilla/${basename%.pem}.crt"
mozilla_entry="${mozilla_entry%.crt}.crt" mozilla_entry="${mozilla_entry%.crt}.crt"
declare ca_conf="/etc/ca-certificates.conf" declare ca_conf="/etc/ca-certificates.conf"
if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}" sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
fi fi
done done
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
update-ca-certificates --fresh update-ca-certificates --fresh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
# sleep 1
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,17 +9,18 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /etc/ssh || { cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n" printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
} }
rm -rf ssh_host_*key* rm -rf ssh_host_*key*
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)" ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp
# The chmod +x command ensures that the file is executed in every shell session. # # The chmod +x command ensures that the file is executed in every shell session. #
########################################################################################### ###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh cat << 'EOF' >| /etc/profile.d/idle-users.sh
declare -girx TMOUT=14400 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
case $- in
*i*)
TMOUT=14400
export TMOUT
readonly TMOUT
;;
esac
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF EOF
chmod +x /etc/profile.d/idle-users.sh chmod +x /etc/profile.d/idle-users.sh
@@ -58,7 +78,6 @@ EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -0,0 +1,93 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
}
cat << 'EOF' >| ssh_host_ed25519_key
{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
EOF
cat << 'EOF' >| ssh_host_ed25519_key.pub
{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
EOF
cat << 'EOF' >| ssh_host_rsa_key
{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
EOF
cat << 'EOF' >| ssh_host_rsa_key.pub
{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
EOF
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli
chmod 0600 /etc/ssh/ssh_host_*_key
chown root:root /etc/ssh/ssh_host_*_key
chmod 0644 /etc/ssh/ssh_host_*_key.pub
chown root:root /etc/ssh/ssh_host_*_key.pub
chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
touch /root/sshfp
ssh-keygen -r @ >| /root/sshfp
###########################################################################################
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
case $- in
*i*)
TMOUT=14400
export TMOUT
readonly TMOUT
;;
esac
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod +x /etc/profile.d/idle-users.sh
mkdir -p /etc/systemd/system/ssh.service.d
cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
[Unit]
After=ufw.service
Requires=ufw.service
EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,18 +9,23 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
sed -i "/#* soft core 0/ i\* soft core 0" /etc/security/limits.conf
sed -i "/#root hard core 100000/ i\* hard core 0" /etc/security/limits.conf grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
|| sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\* soft core 0' /etc/security/limits.conf
grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
|| sed -i -E '/^[[:space:]]*#?[[:space:]]*root[[:space:]]+hard[[:space:]]+core[[:space:]]+100000[[:space:]]*$/ i\* hard core 0' /etc/security/limits.conf
if [[ ! -d /etc/systemd/coredump.conf.d ]]; then if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
mkdir -p /etc/systemd/coredump.conf.d mkdir -p /etc/systemd/coredump.conf.d
fi fi
touch /etc/systemd/coredump.conf.d/disable.conf touch /etc/systemd/coredump.conf.d/disable.conf
@@ -31,7 +36,6 @@ Storage=none
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root cd /root
@@ -142,7 +141,6 @@ touch /var/log/fail2ban/fail2ban.log
chmod 640 /var/log/fail2ban/fail2ban.log chmod 640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
########################################################################################### ###########################################################################################
# Remarks: Turn off Energy saving mode and ctrl-alt-del # # Remarks: Turn off Energy saving mode and ctrl-alt-del #
@@ -25,7 +24,6 @@ done
unset target unset target
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,24 +9,20 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /etc cd /etc
apt-get purge exim4 -y apt-get purge exim4 exim4-base exim4-config -y
apt-get purge exim4-base -y
apt-get purge exim4-config -y
apt-get autoremove -y apt-get autoremove -y
apt-get autoclean -y apt-get autoclean -y
apt-get autopurge -y apt-get autopurge -y
apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
apt-get update -y apt-get update
apt-get upgrade -y apt-get upgrade -y
if [[ -d /etc/exim4 ]]; then if [[ -d /etc/exim4 ]]; then
@@ -34,7 +30,6 @@ if [[ -d /etc/exim4 ]]; then
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,37 +9,37 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y usbguard apt-get install -y usbguard
# sleep 1 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
# Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
touch /tmp/rules.conf touch /tmp/rules.conf
usbguard generate-policy >> /tmp/rules.conf usbguard generate-policy >> /tmp/rules.conf
if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
cp -a /tmp/rules.conf /etc/usbguard/rules.conf cp -a /tmp/rules.conf /etc/usbguard/rules.conf
chmod 0600 /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf
else else
rm -f /etc/usbguard/rules.conf rm -f /etc/usbguard/rules.conf
cp -a /tmp/rules.conf /etc/usbguard/rules.conf cp -a /tmp/rules.conf /etc/usbguard/rules.conf
chmod 0600 /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf
fi fi
cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf #sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
# sleep 1
rm -f /tmp/rules.conf rm -f /tmp/rules.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
mkdir -p /etc/systemd/system/clamav-daemon.service.d mkdir -p /etc/systemd/system/clamav-daemon.service.d
cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -71,7 +70,6 @@ EOF
chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,39 +9,44 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
apt-get update -y export DEBIAN_FRONTEND="noninteractive"
apt-get update -qq
apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
if [[ -s /tmp/deinstall.log ]]; then if [[ -s /tmp/deinstall.log ]]; then
printf "\n" printf "\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
sed -i 's!deinstall!!' /tmp/deinstall.log sed -i 's!deinstall!!' /tmp/deinstall.log
while IFS= read -r line; do while IFS= read -r line; do
declare trimmed_string declare trimmed_string
trimmed_string=$(echo "$line" | awk '{$1=$1};1') trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
echo "y" | apt-get purge "${trimmed_string}" echo "y" | apt-get purge "${trimmed_string}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
# sleep 1
done < /tmp/deinstall.log done < /tmp/deinstall.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
else else
printf "\n" printf "\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
fi fi
apt-get update -y
apt-get upgrade -y apt-get upgrade -y
rm -f /tmp/deinstall.log rm -f /tmp/deinstall.log
@@ -52,8 +57,7 @@ apt-get autopurge -y
updatedb updatedb
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
chmod 0644 /etc/banner chmod 0644 /etc/banner
chmod 0644 /etc/issue chmod 0644 /etc/issue
@@ -55,8 +54,8 @@ fi
if [[ -f /etc/cron.allow ]]; then if [[ -f /etc/cron.allow ]]; then
cp -u /etc/cron.allow /root/.backup/cron.allow.bak cp -u /etc/cron.allow /root/.backup/cron.allow.bak
chmod 644 /root/.backup/cron.allow.bak chmod 0644 /root/.backup/cron.allow.bak
chmod 600 /etc/cron.allow chmod 0600 /etc/cron.allow
cat << EOF >| /etc/cron.allow cat << EOF >| /etc/cron.allow
root root
EOF EOF
@@ -99,8 +98,18 @@ for bin in as gcc g++ cc clang; do
done done
unset bin target unset bin target
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}" ### Directories: 0700
# sleep 1 find /root -type d -exec chmod 0700 {} +
### Executable files: 0700 (any x-bit set)
find /root -type f -perm /111 -exec chmod 0700 {} +
### Non-executable files: 0600
find /root -type f ! -perm /111 -exec chmod 0600 {} +
### Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
find /root -xdev -exec chown -h root:root {} +
rm -f /etc/tmpfiles.d/legacy.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,34 +9,38 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
if ! command -v chage &>/dev/null; then if ! command -v chage &>/dev/null; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
fi fi
declare -i max_days=16384 declare -i max_days=16384
# shellcheck disable=SC2312
mapfile -t users_to_update < <( mapfile -t users_to_update < <(
awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
) )
if [[ ${#users_to_update[@]} -eq 0 ]]; then if [[ ${#users_to_update[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
fi fi
declare user declare user
for user in "${users_to_update[@]}"; do for user in "${users_to_update[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
chage --maxdays "$max_days" "$user" chage --maxdays "${max_days}" "${user}"
done done
unset max_days user users_to_update unset max_days user users_to_update
@@ -46,7 +50,6 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,24 +9,27 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y aide > /dev/null 2>&1 apt-get install -y aide > /dev/null 2>&1
cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
if aideinit > /dev/null 2>&1; then if aideinit > /dev/null 2>&1; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2 printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,17 +13,19 @@
### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security. ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html ### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
cat << 'EOF' >| /etc/security/pwquality.conf cat << EOF >| /etc/security/pwquality.conf
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -129,7 +131,6 @@ local_users_only
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,15 +9,13 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -12,14 +12,21 @@
### https://github.com/linux-audit/audit-userspace/tree/master/rules ### https://github.com/linux-audit/audit-userspace/tree/master/rules
set -C -e -u -o pipefail set -Ceuo pipefail
#######################################
# Simple error terminal logger.
# Arguments:
# None
#######################################
log() { printf '[auditd-build] %s\n' "${*}" >&2; }
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root cd /root
apt-get install auditd -y export DEBIAN_FRONTEND="noninteractive"
apt-get install -y auditd
cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
@@ -330,8 +337,65 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
-e 2 -e 2
EOF EOF
shopt -s nullglob
rules=(/etc/audit/rules.d/*.rules)
if (( ${#rules[@]} == 0 )); then
log "ERROR: /etc/audit/rules.d is empty. Seed rules before this hook."
exit 127
fi
if ! /sbin/augenrules --check >/dev/null 2>&1; then
log "ERROR: augenrules --check failed. Fix the /etc/audit/rules.d/*.rules first."
exit 128
fi
# shellcheck disable=2155
declare tmp="$(mktemp)"
printf '%s\0' "${rules[@]}" \
| xargs -0 -I{} basename "{}" \
| sort -V \
| while read -r fname; do
f="/etc/audit/rules.d/${fname}"
### Normalize CRLF and strip UTF-8 BOM.
sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' "${f}" >> "${tmp}"
printf '\n' >> "${tmp}"
done
# shellcheck disable=2155
declare tmp_stripped="$(mktemp)"
sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "${tmp}" >| "${tmp_stripped}"
sed -E 's/[[:space:]]+#.*$//' -i "${tmp_stripped}"
install -m 0600 -o root -g root "${tmp_stripped}" /etc/audit/audit.rules
rm -f "${tmp}" "${tmp_stripped}"
if ! grep -Eq '(^-a|^-w|^-e[[:space:]]+1|^-e[[:space:]]+2)' /etc/audit/audit.rules; then
log "WARN: /etc/audit/audit.rules contains no -a/-w rules or '-e 1/2'; is this intended?"
fi
log "Done. /etc/audit/audit.rules generated at build-time (no kernel load)."
mkdir -p /etc/systemd/system/audit-rules.service.d
cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Service]
ExecStart=
ExecStart=/usr/sbin/augenrules --load
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,28 +9,31 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
cd /root cd /root
apt-get install --no-install-recommends debsums -y export DEBIAN_FRONTEND="noninteractive"
apt-get install -y --no-install-recommends debsums
cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
chmod 0644 /root/.ciss/dlb/backup/debsums.bak chmod 0644 /root/.ciss/dlb/backup/debsums.bak
sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
if debsums -g > /dev/null 2>&1; then if debsums -g > /dev/null 2>&1; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
else else
# Omit false negative error output to stdout and stderr, as no problematic errors occur on startup. # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1 printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,12 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cd /root cd /root
@@ -22,7 +24,7 @@ fi
cat << 'EOF' >| /etc/apt/sources.list cat << 'EOF' >| /etc/apt/sources.list
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>

View File

@@ -9,10 +9,12 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cd /root cd /root
@@ -29,7 +31,7 @@ EOF
if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie.sources cat << EOF >| /etc/apt/sources.list.d/trixie.sources
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -52,7 +54,7 @@ fi
if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -75,7 +77,7 @@ fi
if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -99,7 +101,7 @@ fi
if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
@@ -120,7 +122,6 @@ EOF
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,17 +9,19 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
rm -f /etc/network/interfaces rm -f /etc/network/interfaces
cat << 'EOF' >| /etc/network/interfaces cat << EOF >| /etc/network/interfaces
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -32,6 +34,9 @@ cat << 'EOF' >| /etc/network/interfaces
# This file describes the network interfaces available on your system # This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5). # and how to activate them. For more information, see interfaces(5).
EOF
cat << 'EOF' >> /etc/network/interfaces
### The loopback network interface ### The loopback network interface
auto lo auto lo
iface lo inet loopback iface lo inet loopback
@@ -59,7 +64,6 @@ EOF
chmod 0644 /etc/network/interfaces chmod 0644 /etc/network/interfaces
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
# sleep 1
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -8,6 +8,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
LIVE_CONFIGS="username"
USERNAME=root # LIVE_CONFIG_CMDLINE="${LIVE_CONFIG_CMDLINE} ADD PARAMETER HERE"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -204,6 +204,6 @@ USERGROUPS_ENAB yes
# #
# Added by CISS.debian.live.builder for redundance # Added by CISS.debian.live.builder for redundance
umask 077 UMASK 077
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

View File

@@ -0,0 +1,17 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.142.2025.10.14
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

View File

@@ -1,5 +1,5 @@
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
### https://www.ssh-audit.com/ ### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -65,12 +65,12 @@ GatewayPorts no
### A+ Rating 100/100 ### A+ Rating 100/100
RequiredRSASize 4096 RequiredRSASize 4096
Ciphers aes256-gcm@openssh.com Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256- KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512- GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads) ### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.13.008.2025.08.22 # Version Master V8.13.142.2025.10.14
### https://docs.kernel.org/ ### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/

View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -C -e -u -o pipefail set -Ceuo pipefail
# The example names get mapped to their roles here # The example names get mapped to their roles here
declare timestamp declare timestamp

View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.008.2025.08.22" declare -gr VERSION="Master V8.13.142.2025.10.14"
### VERY EARLY CHECK FOR DEBUGGING ### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then if [[ $* == *" --debug "* ]]; then

View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/ # Please consider donating to my work at: https://coresecret.eu/spenden/
########################################################################################### ###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.008.2025.08.22 at: 10:18:37.9542 # Written by: ./preseed_hash_generator.sh Version: Master V8.13.142.2025.10.14 at: 10:18:37.9542

View File

@@ -11,8 +11,8 @@
[[ $- != *i* ]] && return [[ $- != *i* ]] && return
### Never use errexit/pipefail in interactive shells ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
set +o errexit +o pipefail set +o errexit +o nounset +o pipefail
trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
source /root/.ciss/alias source /root/.ciss/alias
@@ -20,9 +20,6 @@ source /root/.ciss/f2bchk.sh
source /root/.ciss/shortcuts source /root/.ciss/shortcuts
source /root/.ciss/scan_libwrap source /root/.ciss/scan_libwrap
### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
set +o errexit +o nounset +o pipefail
### History ### History
touch /tmp/.bash_history touch /tmp/.bash_history
chmod 0660 /tmp/.bash_history chmod 0660 /tmp/.bash_history
@@ -62,23 +59,15 @@ alias cp="cp -iv"
alias mv='mv -iv' alias mv='mv -iv'
alias rm='rm -iv' alias rm='rm -iv'
### Welcome message after login
printf "\n"
printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
printf "\e[92m✅ Welcome back\e[0m"
printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
printf "\n"
printf "\n"
### Welcome message after login. ### Welcome message after login.
#printf "\n" printf "%b" "${NL}"
#printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}" printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
#printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}" printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}" printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
#printf "%s! Type%s " "${CGRE}" "${CRES}" printf "%b! Type%b" "${CGRE}" "${CRES}"
#printf "%s'celp'%s " "${CMAG}" "${CRES}" printf "%b 'celp'%b" "${CMAG}" "${CRES}"
#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}" printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
#printf "\n" printf "%b" "${NL}"
#printf "\n" printf "%b" "${NL}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -222,13 +222,12 @@ swget() {
} }
####################################### #######################################
# Wrapper for loading CISS.2025 hardened Kernel Parameters. # Wrapper for loading CISS hardened Kernel Parameters.
# Arguments: # Arguments:
# None # None
####################################### #######################################
sysp() { sysp() {
sysctl -p /etc/sysctl.d/99_local.hardened sysctl -p /etc/sysctl.d/99_local.hardened
# sleep 1
# shellcheck disable=SC2312 # shellcheck disable=SC2312
sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
} }

View File

@@ -0,0 +1,142 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
#######################################
# Minimal leap-second probe for Debian/chrony systems.
# - Prints kernel leap flags & TAI offset (ΔAT).
# - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
# - Shows chrony tracking summary (incl. leap status).
# - Demonstrates 23:59:60 rendering via TZ=right/UTC.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
main() {
### 1) System TZ and tzdata source.
printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
declare tz_leap_line tz_tai tz_ntp ts_human
tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
printf "tzdata ΔAT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
else
printf "tzdata leap-seconds.list not found.\n"
fi
### 2) Kernel view (requires adjtimex).
if command -v adjtimex >/dev/null 2>&1; then
printf "Kernel time status (adjtimex -p):\n"
adjtimex -p | sed 's/^/ /'
declare k_tai
k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
if [[ -n "${k_tai:-}" ]]; then
printf "Kernel-exported ΔAT [tai]: %s s\n" "${k_tai}"
fi
else
printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
fi
### 3) Chrony summary.
if command -v chronyc >/dev/null 2>&1; then
printf "\n"
printf "chronyc tracking:\n"
chronyc -n tracking | sed 's/^/ /'
else
printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
fi
### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
printf "\n"
printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
else
printf "\n"
printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
fi
printf "\n"
printf "Hint:\n"
printf " • ΔAT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
printf " • For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
return 0
}
### Build right/UTC from tzdata leap table if missing.
if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
install -d -m 0755 /usr/share/zoneinfo/right
### Minimal zic source for a fixed UTC zone.
declare -r tmp_src="/tmp/UTC.src"
printf 'Zone UTC 0 - UTC\n' > "${tmp_src}"
### Prefer the zic-format leapseconds file.
declare leap_zic="/usr/share/zoneinfo/leapseconds"
if [[ -s "${leap_zic}" ]]; then
zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
else
echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
fi
rm -f "${tmp_src}"
fi
if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
fi
main "$@"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -8,6 +8,9 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
adjtimex
age
apparmor apparmor
apparmor-profiles-extra apparmor-profiles-extra
apparmor-utils apparmor-utils
@@ -21,6 +24,7 @@ bash-completion
bat bat
bc bc
bind9-dnsutils bind9-dnsutils
bison
bsdmainutils bsdmainutils
btrfs-progs btrfs-progs
build-essential build-essential
@@ -28,7 +32,9 @@ bzip2
ca-certificates ca-certificates
clamav clamav
clamav-daemon clamav-daemon
clang-18
console-setup console-setup
cosign
cpuid cpuid
cryptsetup cryptsetup
cryptsetup-nuke-password cryptsetup-nuke-password
@@ -47,6 +53,7 @@ dirmngr
dmsetup dmsetup
dnsviz dnsviz
dosfstools dosfstools
dpkg-dev
e2fsprogs e2fsprogs
efibootmgr efibootmgr
expect expect
@@ -54,6 +61,7 @@ fail2ban
fdisk fdisk
figlet figlet
fio fio
flex
fzf fzf
gawk gawk
gdisk gdisk
@@ -80,6 +88,7 @@ linux-source
live-boot live-boot
live-config live-config
live-config-systemd live-config-systemd
lld-18
locate locate
logrotate logrotate
lsb-release lsb-release
@@ -89,7 +98,6 @@ man
man-db man-db
manpages manpages
manpages-dev manpages-dev
mdadm
mtr mtr
musl-tools musl-tools
nano nano
@@ -102,8 +110,8 @@ nmap
nodejs nodejs
openssl openssl
parted parted
pciutils
perl perl
pollinate
pwgen pwgen
python3 python3
rkhunter rkhunter
@@ -141,4 +149,5 @@ xz-utils
yq yq
zip zip
zsh zsh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. DNSSEC Status # 2. DNSSEC Status

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Haveged Audit on Netcup RS 2000 G11 # 2. Haveged Audit on Netcup RS 2000 G11

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Lynis Audit: # 2. Lynis Audit:

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. SSH Audit by ssh-audit.com # 2. SSH Audit by ssh-audit.com

View File

@@ -8,14 +8,15 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. TLS Audit: # 2. TLS Audit:
````text ````text
./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
##################################################################### #####################################################################
testssl.sh version 3.2.1 from https://testssl.sh/ testssl.sh version 3.2.2 from https://testssl.sh/
(81471c3 2025-06-15 09:48:31) (2e77f5e 2025-09-22 19:35:27)
This program is free software. Distribution and modification under This program is free software. Distribution and modification under
GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +27,7 @@ include_toc: true
Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers] Using OpenSSL 1.0.2-bad (Mar 28 2025) [~179 ciphers]
on kali:./bin/openssl.Linux.x86_64 on kali:./bin/openssl.Linux.x86_64
Start 2025-06-23 17:58:48 -->> 152.53.110.40:443 (git.coresecret.dev) <<-- Start 2025-09-28 16:12:17 -->> 152.53.110.40:443 (git.coresecret.dev) <<--
Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40 Further IP addresses: 2a0a:4cc0:80:330f:152:53:110:40
rDNS (152.53.110.40): git.coresecret.dev. rDNS (152.53.110.40): git.coresecret.dev.
@@ -188,18 +189,17 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Server key size RSA 4096 bits (exponent is 65537) Server key size RSA 4096 bits (exponent is 65537)
Server key usage Digital Signature, Key Encipherment Server key usage Digital Signature, Key Encipherment
Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication
Serial 1230B34459C6F27FA9BCD2 (OK: length 11) Serial 13292523EB168BD226CE46 (OK: length 11)
Fingerprints SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E Fingerprints SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
Common Name (CN) coresecret.dev Common Name (CN) coresecret.dev
subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev subjectAltName (SAN) coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
Trust (hostname) Ok via SAN (same w/o SNI) Trust (hostname) Ok via SAN (same w/o SNI)
Chain of trust Ok Chain of trust Ok
EV cert (experimental) no EV cert (experimental) no
Certificate Validity (UTC) 153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59) Certificate Validity (UTC) 178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
ETS/"eTLS", visibility info not present ETS/"eTLS", visibility info not present
In pwnedkeys.com DB not in database In pwnedkeys.com DB not in database Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
Certificate Revocation List http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
OCSP URI http://ocsp.buypass.com, not revoked OCSP URI http://ocsp.buypass.com, not revoked
OCSP stapling offered, not revoked OCSP stapling offered, not revoked
OCSP must staple extension -- OCSP must staple extension --
@@ -226,9 +226,9 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly Cookie(s) 2 issued: 2/2 secure, 2/2 HttpOnly
Security headers X-Frame-Options: SAMEORIGIN Security headers X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self'; Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev git.coresecret.dev; frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev https://uml.coresecret.dev; manifest-src 'self' data:; media-src 'self' data: https://badges.coresecret.dev
https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none'; https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
Expect-CT: max-age=86400, enforce Expect-CT: max-age=86400, enforce
Permissions-Policy: interest-cohort=() Permissions-Policy: interest-cohort=()
@@ -258,7 +258,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
FREAK (CVE-2015-0204) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services, see make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK)
@@ -309,7 +309,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Rating (experimental) Rating (experimental)
Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30) Rating specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
Protocol Support (weighted) 100 (30) Protocol Support (weighted) 100 (30)
Key Exchange (weighted) 100 (30) Key Exchange (weighted) 100 (30)
@@ -317,7 +317,7 @@ Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Ciphe
Final Score 100 Final Score 100
Overall Grade A+ Overall Grade A+
Done 2025-06-23 18:00:16 [ 99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<-- Done 2025-09-28 16:13:50 [ 95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
```` ````
--- ---

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Hardened Kernel Boot Parameters # 2. Hardened Kernel Boot Parameters

View File

@@ -8,10 +8,67 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Changelog # 2. Changelog
## V8.13.142.2025.10.14
* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
## V8.13.132.2025.10.11
* **Added**: [REPOSITORY.md](../REPOSITORY.md)
## V8.13.128.2025.10.10
* **Added**: Packages ``age``, ``cosign``
* **Added**: Repository https://github.com/getsops/sops.git
* **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot)
* **Added**: [0860_sops.chroot](../config/hooks/live/0860_sops.chroot)
* **Added**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
## V8.13.096.2025.10.09
* **Added**: [0010_install_apparmor.chroot](../config/hooks/live/0010_install_apparmor.chroot)
* **Added**: [ssh_known_hosts](../config/includes.chroot/etc/ssh/ssh_known_hosts)
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot)
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh)
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh)
## V8.13.064.2025.10.07
* **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
* **Added**: Verbose status information screen on successful completion.
* **Added**: Verbose status information in 'CISS.debian.live.iso.'
* **Added**: Loop to desynchronize parallel workflows.
* **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
* **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
* **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified Kernel bootparameter.
* **Updated**: [lib_run_analysis.sh](../lib/lib_run_analysis.sh)
## V8.13.048.2025.10.06
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
* **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
* **Updated**: [9000-cdi-starter](../scripts/9999-cdi-starter)
## V8.13.032.2025.10.03
* **Added**: Internal Gitea Action Runner switch for static SSHFP records.
## V8.13.016.2025.09.28
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
## V8.13.008.2025.08.22 ## V8.13.008.2025.08.22
* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot) * **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Centurion Net - Developer Branch Overview # 2. Centurion Net - Developer Branch Overview

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Coding Style # 2. Coding Style

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Contributing / participating # 2. Contributing / participating

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Credits # 2. Credits

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Download the latest PUBLIC CISS.debian.live.ISO # 2. Download the latest PUBLIC CISS.debian.live.ISO

View File

@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2.1. Usage # 2.1. Usage
````text ````text
CISS.debian.live.builder CISS.debian.live.builder
Master V8.13.008.2025.08.22 Master V8.13.142.2025.10.14
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact # 2.2. Contact
````text ````text
CISS.debian.live.builder CISS.debian.live.builder
Master V8.13.008.2025.08.22 Master V8.13.142.2025.10.14
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2025

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 8.13<br>
**Build**: V8.13.008.2025.08.22<br> **Build**: V8.13.142.2025.10.14<br>
# 2. Resources # 2. Resources

Binary file not shown.

Before

Width:  |  Height:  |  Size: 204 KiB

After

Width:  |  Height:  |  Size: 180 KiB

View File

@@ -13,26 +13,10 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Argument Parser # Argument Parser.
# Globals: # Globals:
# ARY_HANDLER_JUMPHOST # ARY_HANDLER_JUMPHOST
# ARY_HANDLER_NETCUP_IPV6 # ARY_HANDLER_NETCUP_IPV6
# ERR_ARG_MSMTCH
# ERR_CONTROL_CT
# ERR_MISS_PWD_F
# ERR_MISS_PWD_P
# ERR_NOTABSPATH
# ERR_OWNS_PWD_F
# ERR_PASS_LENGH
# ERR_PASS_PLICY
# ERR_REIONICE_P
# ERR_REIO_C_VAL
# ERR_REIO_P_VAL
# ERR_RENICE_PRI
# ERR_RGHT_PWD_F
# ERR_SPLASH_PNG
# ERR_UNCRITICAL
# ERR__SSH__PORT
# VAR_ARCHITECTURE # VAR_ARCHITECTURE
# VAR_BUILD_LOG # VAR_BUILD_LOG
# VAR_EARLY_DEBUG # VAR_EARLY_DEBUG
@@ -49,14 +33,35 @@ guard_sourcing
# VAR_ISO8601 # VAR_ISO8601
# VAR_REIONICE_CLASS # VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY # VAR_REIONICE_PRIORITY
# VAR_SSHFP
# VAR_SSHPORT # VAR_SSHPORT
# VAR_SSHPUBKEY # VAR_SSHPUBKEY
# VAR_SUITE
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
# ERR_ARG_MSMTCH: on failure
# ERR_CONTROL_CT: on failure
# ERR_MISS_PWD_F: on failure
# ERR_MISS_PWD_P: on failure
# ERR_NOTABSPATH: on failure
# ERR_OWNS_PWD_F: on failure
# ERR_PASS_LENGH: on failure
# ERR_PASS_PLICY: on failure
# ERR_REIONICE_P: on failure
# ERR_REIO_C_VAL: on failure
# ERR_REIO_P_VAL: on failure
# ERR_RENICE_PRI: on failure
# ERR_RGHT_PWD_F: on failure
# ERR_SPLASH_PNG: on failure
# ERR__SSH__PORT: on failure
####################################### #######################################
arg_parser() { arg_parser() {
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
declare argument="${1}" declare argument="${1}"
case "${argument,,}" in case "${argument,,}" in
-a=* | --autobuild=*) -a=* | --autobuild=*)
@@ -95,6 +100,7 @@ arg_parser() {
--architecture) --architecture)
if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
# shellcheck disable=SC2034
declare -gx VAR_ARCHITECTURE="${2}" declare -gx VAR_ARCHITECTURE="${2}"
shift 2 shift 2
else else
@@ -124,12 +130,14 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}" exit "${ERR_ARG_MSMTCH}"
fi fi
declare -g VAR_HANDLER_CDI=true # shellcheck disable=SC2034
declare -g VAR_HANDLER_CDI="true"
shift 1 shift 1
;; ;;
--change-splash ) --change-splash )
if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
# shellcheck disable=SC2034
declare -g VAR_HANDLER_SPLASH="${2}" declare -g VAR_HANDLER_SPLASH="${2}"
shift 2 shift 2
else else
@@ -143,6 +151,7 @@ arg_parser() {
--control) --control)
if [[ -n "${2-}" ]]; then if [[ -n "${2-}" ]]; then
# shellcheck disable=SC2034
declare -g VAR_HANDLER_ISO_COUNTER="${2}" declare -g VAR_HANDLER_ISO_COUNTER="${2}"
shift 2 shift 2
else else
@@ -171,6 +180,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}" exit "${ERR_ARG_MSMTCH}"
fi fi
# shellcheck disable=SC2034
declare -gi VAR_HANDLER_DHCP=1 declare -gi VAR_HANDLER_DHCP=1
shift 1 shift 1
;; ;;
@@ -180,6 +190,7 @@ arg_parser() {
declare -i count=0 declare -i count=0
shift shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
# shellcheck disable=SC2034
declare -g ARY_HANDLER_JUMPHOST+=("$1") declare -g ARY_HANDLER_JUMPHOST+=("$1")
count=$((count + 1)) count=$((count + 1))
shift shift
@@ -202,6 +213,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}" exit "${ERR_ARG_MSMTCH}"
fi fi
# shellcheck disable=SC2034
declare -gi VAR_HANDLER_STA=1 declare -gi VAR_HANDLER_STA=1
shift 1 shift 1
;; ;;
@@ -209,10 +221,12 @@ arg_parser() {
--provider-netcup-ipv6) --provider-netcup-ipv6)
if [[ -n "${2-}" && "${2}" != -* ]]; then if [[ -n "${2-}" && "${2}" != -* ]]; then
declare -i count=0 declare -i count=0
declare -g VAR_HANDLER_NETCUP_IPV6=true # shellcheck disable=SC2034
declare -g VAR_HANDLER_NETCUP_IPV6="true"
shift shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
declare cleaned="${1//[\[\]]/}" declare cleaned="${1//[\[\]]/}"
# shellcheck disable=SC2034
declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}") declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
count=$((count + 1)) count=$((count + 1))
shift shift
@@ -230,6 +244,7 @@ arg_parser() {
--renice-priority) --renice-priority)
if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
# shellcheck disable=SC2034
VAR_HANDLER_PRIORITY="$2" VAR_HANDLER_PRIORITY="$2"
shift 2 shift 2
else else
@@ -249,6 +264,7 @@ arg_parser() {
exit "${ERR_REIONICE_P}" exit "${ERR_REIONICE_P}"
else else
if [[ "${2}" =~ ^[1-3]$ ]]; then if [[ "${2}" =~ ^[1-3]$ ]]; then
# shellcheck disable=SC2034
VAR_REIONICE_CLASS="${2}" VAR_REIONICE_CLASS="${2}"
if [[ -z "${3-}" ]]; then if [[ -z "${3-}" ]]; then
: :
@@ -359,6 +375,7 @@ arg_parser() {
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}") hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
# shellcheck disable=SC2034
declare -g VAR_HASHED_PWD="${hash_temp}" declare -g VAR_HASHED_PWD="${hash_temp}"
unset hash_temp plaintext_pw unset hash_temp plaintext_pw
@@ -375,6 +392,7 @@ arg_parser() {
--ssh-port) --ssh-port)
if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
# shellcheck disable=SC2034
declare -gi VAR_SSHPORT="${2}" declare -gi VAR_SSHPORT="${2}"
shift 2 shift 2
else else
@@ -385,12 +403,20 @@ arg_parser() {
fi fi
;; ;;
--sshfp)
# shellcheck disable=SC2034
declare -g VAR_SSHFP="true"
shift 1
;;
--ssh-pubkey) --ssh-pubkey)
# shellcheck disable=SC2034
declare -g VAR_SSHPUBKEY="${2}" declare -g VAR_SSHPUBKEY="${2}"
shift 2 shift 2
;; ;;
--trixie) --trixie)
# shellcheck disable=SC2034
declare -g VAR_SUITE="trixie" declare -g VAR_SUITE="trixie"
shift 1 shift 1
;; ;;
@@ -400,6 +426,12 @@ arg_parser() {
usage usage
;; ;;
esac esac
done done
return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f arg_parser
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

View File

@@ -19,34 +19,54 @@ guard_sourcing
# VAR_REIONICE_CLASS # VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY # VAR_REIONICE_PRIORITY
# Arguments: # Arguments:
# None # None
# Returns:
# 0: on success
####################################### #######################################
arg_priority_check() { arg_priority_check() {
declare var declare var
### Check if nice PRIORITY is set and adjust nice priority. ### Check if nice PRIORITY is set and adjust nice priority.
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
if command -v renice >/dev/null; then if command -v renice >/dev/null; then
renice "${VAR_HANDLER_PRIORITY}" -p "$$" renice "${VAR_HANDLER_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1 var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
# sleep 1 # sleep 1
unset var unset var
else else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n" printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
fi fi
fi fi
### Check if ionice PRIORITY is set and adjust ionice priority. ### Check if ionice PRIORITY is set and adjust ionice priority.
if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
if command -v ionice >/dev/null; then if command -v ionice >/dev/null; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$" ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1 var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
# sleep 1 # sleep 1
unset var unset var
else else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n" printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
fi fi
fi fi
return 0
} }
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f arg_priority_check
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

Some files were not shown because too many files have changed in this diff Show More