---
gitea: none
include_toc: true
---

# 1. CISS.debian.live.builder

**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.016.2025.09.28<br>

# 2. Hardened Kernel Boot Parameters

Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented 
with a short rationale.

* ``audit=1``: Enable kernel auditing subsystem.
* ``audit_backlog_limit=8192``: Set audit event buffer depth.
* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
* ``iommu=force``: Enforce use of IOMMU.
* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
* ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
* ``panic=-1``: Prevent automatic reboot after panic.
* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
* ``rodata=on``: Enforce read-only sections for .rodata.
* ``slab_nomerge``: Disable merging of similar slab caches.
* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
* ``vsyscall=none``: Disable vsyscall legacy mapping.

---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->