Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
Table of Contents
1. CISS.debian.live.builder
Centurion Intelligence Consulting Agency Information Security Standard
Debian Live Build Generator for hardened live environment and CISS Debian Installer
Master Version: 8.13
Build: V8.13.768.2025.12.06
2. 90-ciss-local.hardened
The configuration fragment 90-ciss-local.hardened defines the local kernel and network hardening baseline that CISS systems
apply through the Linux sysctl mechanism. It is written as a conventional sysctl.d drop-in and is meant to be consumed by early
userspace tooling such as systemd-sysctl, which writes the settings into /proc/sys during boot. Note that systemd-sysctl only
reads files whose names end in .conf, so the fragment has to be installed under such a name to take effect at all.
The file contains no executable shell logic. It consists exclusively of documented key=value assignments in the sysctl
namespace plus a number of commented-out candidates that serve as a catalogue of optional hardening toggles. The numeric
prefix 90- places it late in the sysctl.d processing order: files are applied in lexical order of their names regardless of
which directory they live in, and the lexicographically latest file wins for a given key, so its values override both
distribution defaults and any earlier CISS baseline fragments. Error handling and reporting are delegated to the sysctl
loader: a key the running kernel does not expose is logged as a warning and skipped (a leading - on the key demotes that to a
debug message), but the configuration itself implements no conditional fallback paths.
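As an added example (not part of the CISS project), the following Python script models how systemd-sysctl resolves several
sysctl.d drop-ins, lexical order with the latest name winning, and then diffs the result against the live /proc/sys tree. That
diff is the post-boot check that confirms the fragment was actually applied and that nothing later overrode it. The file
names, fragment contents and the /proc/sys snapshot below are constructed for illustration; with --live the script reads the
real /proc/sys instead.

```python
"""Resolve sysctl.d drop-ins as systemd-sysctl does and audit them against
/proc/sys.  Added example; the fragments below are constructed stand-ins."""
import glob
import re
import sys

def canonical(key):
    """Key -> path under /proc/sys, per sysctl.d(5): a first separator of '/'
    keeps dots literal; with '.', dots become '/' and slashes become '.'."""
    first = next((c for c in key if c in "./"), ".")
    return key if first == "/" else key.translate(str.maketrans("./", "/."))

def parse_fragment(text):
    """Yield (path, value, ignore_failure). '#'/';' lines are comments, a
    leading '-' on the key means 'tolerate failure'; no trailing comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        yield canonical(key.lstrip("-")), value, key.startswith("-")

def resolve(fragments):
    """fragments: {file_name: text}. Files apply in lexical order of name
    regardless of directory; the latest name wins for a given key."""
    effective = {}
    for name in sorted(fragments):
        for path, value, ignore in parse_fragment(fragments[name]):
            effective[path] = (value, name, ignore)
    return effective

def norm(value):
    """/proc/sys separates fields with tabs (kernel.printk -> '3\\t3\\t3\\t3')."""
    return " ".join(value.split())

def expand(pattern, live):
    """Expand a '*' glob over snapshot paths; '*' never crosses a '/'."""
    rx = re.compile("^" + re.escape(pattern).replace(r"\*", "[^/]*") + "$")
    return sorted(p for p in live if rx.match(p))

def audit(effective, live):
    """Diff resolved settings against a {path: value} snapshot of /proc/sys.
    Returns sorted (path, expected, actual, source); actual None = no knob."""
    findings = []
    for path, (want, src, ignore) in effective.items():
        targets = expand(path, live) if "*" in path else [path]
        if not targets and not ignore:
            findings.append((path, want, None, src))
        for target in targets:
            got = live.get(target)
            if got is None:
                if not ignore:          # '-' keys may legitimately be absent
                    findings.append((target, want, None, src))
            elif norm(got) != norm(want):
                findings.append((target, want, got, src))
    return sorted(findings)

def snapshot_live(effective):
    """Read the live value of every (possibly globbed) path in effective."""
    live = {}
    for path in effective:
        for full in glob.glob("/proc/sys/" + path):
            with open(full) as fh:
                live[full[len("/proc/sys/"):]] = fh.read().strip()
    return live

# Constructed sample inputs, not the project's real files.
SAMPLE_FRAGMENTS = {
    "50-default.conf": "kernel.kptr_restrict = 1\nnet.ipv4.tcp_timestamps = 1\n",
    "90-ciss-local.hardened.conf": """\
# excerpt in the style of the CISS fragment, for illustration only
kernel.kptr_restrict = 2
kernel.printk = 3 3 3 3
net.ipv4.conf.*.rp_filter = 1
net.ipv4.tcp_timestamps = 0
vm.unprivileged_userfaultfd = 0
# '-': kernels before 6.2 lack this knob; its absence must not count as failure
-dev.tty.legacy_tiocsti = 0
""",
}
SAMPLE_LIVE = {                            # constructed /proc/sys snapshot
    "kernel/kptr_restrict": "1",           # fragment never applied: drift
    "kernel/printk": "3\t3\t3\t3",         # tabs, exactly as /proc/sys returns
    "net/ipv4/conf/all/rp_filter": "1",
    "net/ipv4/conf/default/rp_filter": "1",
    "net/ipv4/conf/eth0/rp_filter": "2",   # changed after boot
    "net/ipv4/tcp_timestamps": "0",        # legacy_tiocsti, userfaultfd: absent
}

if __name__ == "__main__":
    effective = resolve(SAMPLE_FRAGMENTS)
    live = snapshot_live(effective) if "--live" in sys.argv else SAMPLE_LIVE
    findings = audit(effective, live)
    for path, want, got, src in findings:
        state = "missing on this kernel" if got is None else f"is {got!r}"
        print(f"{path}: expected {want!r} (from {src}), {state}")
    sys.exit(1 if findings else 0)
```

Two details are deliberate: values are compared after whitespace normalisation because /proc/sys returns multi-field values
tab-separated, and a key the fragment marks with - is not reported when the kernel lacks it, matching what the loader itself
tolerates. The interaction between an explicit key and a glob covering the same path is not modelled.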
The first block targets kernel level attack surface and introspection capabilities. Setting kernel.modules_disabled=1
irrevocably closes the in-kernel module loader once the sysctl is applied (the value cannot be reset to 0 until reboot), which
prevents any further insmod or modprobe operations and thereby cuts off an entire class of kernel code injection vectors. The
embedded warning comments point out that this implies a very rigid boot pipeline: any device drivers, filesystems, or network
stack components that are not built in or already loaded before this switch is flipped will simply never appear. That includes
modules the kernel would otherwise autoload on demand well after systemd-sysctl has run, such as the nf_tables and conntrack
modules a firewall service pulls in when it loads its first ruleset, or a filesystem module pulled in by a later mount, so the
practical failure mode is a dead network stack, a failed mount, and loss of remote access. Additional restrictions such as
kernel.unprivileged_bpf_disabled=1, net.core.bpf_jit_harden=2, dev.tty.ldisc_autoload=0, vm.unprivileged_userfaultfd=0,
kernel.kexec_load_disabled=1 and kernel.unprivileged_userns_clone=0 collectively neutralize typical exploitation primitives.
They disable unprivileged BPF program loading (with the value 1 this is also a one-way switch; 2 would disable it but leave it
resettable), force the BPF JIT into its hardened mode for all users, prevent automatic loading of TTY line discipline modules,
restrict userfaultfd to privileged callers, refuse any further kexec_load and kexec_file_load (again one-way), and forbid
unprivileged user namespace creation. The last knob is a Debian kernel patch rather than an upstream sysctl, so it is absent
on vanilla kernels and its absence should be tolerated rather than treated as a load failure. Taken together, these choices
assume a server or appliance workload that does not need container-style unprivileged namespaces, kexec reboots into a new
kernel, or dynamic TTY plumbing, and is willing to trade flexibility for a markedly smaller attack surface.
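Before flipping kernel.modules_disabled it pays to verify on the running system that nothing the workload needs is still
pending. The script below is an added example, not CISS project code. It reads /proc/modules and the kernel's modules.builtin
list, because a compiled-in module never appears in /proc/modules, and refuses to give the go-ahead while anything on an
assumed required-module list is not resident or while the switch is already latched. The sample file contents and the
required list are constructed; the real list is best taken from /proc/modules at the end of a representative boot.

```python
"""Preflight for kernel.modules_disabled=1.  Once latched, nothing loads any
more, so every module the workload needs must already be resident: loaded
(/proc/modules) or compiled in (modules.builtin, which /proc/modules omits).
Added example with constructed sample inputs; REQUIRED_MODULES is assumed."""
import os
import sys

def module_name(name):
    """modprobe treats '-' and '_' in module names alike; compare on '_'."""
    return name.replace("-", "_")

def loaded_modules(proc_modules_text):
    """Parse /proc/modules: 'name size refcount deps state address'.
    Only state 'Live' counts; 'Loading' and 'Unloading' are transient."""
    names = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4] == "Live":
            names.add(module_name(fields[0]))
    return names

def builtin_modules(modules_builtin_text):
    """Parse modules.builtin: one path per line, e.g. kernel/fs/ext4/ext4.ko."""
    names = set()
    for line in modules_builtin_text.splitlines():
        base = line.strip().rsplit("/", 1)[-1]
        if base:
            names.add(module_name(base[:-3] if base.endswith(".ko") else base))
    return names

def preflight(required, proc_modules_text, modules_builtin_text, modules_disabled):
    """modules_disabled is the current /proc/sys/kernel/modules_disabled text.
    Returns the modules still missing, whether the switch is already latched
    (then the missing ones are unrecoverable until reboot) and a go/no-go."""
    present = loaded_modules(proc_modules_text) | builtin_modules(modules_builtin_text)
    missing = sorted({module_name(r) for r in required} - present)
    latched = modules_disabled.strip() == "1"
    return {"missing": missing, "latched": latched,
            "safe_to_latch": not missing and not latched}

# Constructed sample inputs, in the real file formats.
SAMPLE_PROC_MODULES = """\
nft_ct 16384 4 - Live 0xffffffffc0a40000
nf_conntrack 180224 1 nft_ct, Live 0xffffffffc0a00000
nf_tables 299008 5 nft_ct, Live 0xffffffffc09a0000
e1000e 323584 0 - Live 0xffffffffc0900000
overlay 163840 0 - Loading 0xffffffffc0b00000
"""
SAMPLE_MODULES_BUILTIN = """\
kernel/fs/ext4/ext4.ko
kernel/net/netfilter/nf_defrag_ipv4.ko
kernel/drivers/net/dummy.ko
"""
# Assumed workload needs: NIC driver, root fs, firewall stack, overlay, xt match.
REQUIRED_MODULES = ["e1000e", "ext4", "nf_tables", "nf_conntrack", "nft_ct",
                    "nf-defrag-ipv4", "overlay", "xt_conntrack"]

def read(path):
    with open(path) as fh:
        return fh.read()

if __name__ == "__main__":
    if "--live" in sys.argv:
        release = os.uname().release
        result = preflight(REQUIRED_MODULES, read("/proc/modules"),
                           read(f"/lib/modules/{release}/modules.builtin"),
                           read("/proc/sys/kernel/modules_disabled"))
    else:
        result = preflight(REQUIRED_MODULES, SAMPLE_PROC_MODULES,
                           SAMPLE_MODULES_BUILTIN, "0")
    for name in result["missing"]:
        print("not resident:", name)
    if result["latched"]:
        print("kernel.modules_disabled is already 1; nothing more can load")
    sys.exit(0 if result["safe_to_latch"] else 1)
```

Run with --live on the target; a non-zero exit means the fragment would leave the system without something it needs. The
state check on /proc/modules matters because a module still in Loading state may yet fail and would then be gone for good.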
A second cluster tightens diagnostic visibility and process inspection. kernel.kptr_restrict=2 replaces kernel pointers
printed through %pK (for instance in /proc/kallsyms) with zeros for every caller, root included, and kernel.dmesg_restrict=1
limits the kernel log ring buffer to processes holding CAP_SYSLOG, while kernel.printk=3 3 3 3 sets the console log level so
that only messages more urgent than KERN_ERR (emergency, alert, critical) reach the console, which drastically reduces what is
emitted during and after boot. TTY injection via the historical TIOCSTI ioctl is disabled with dev.tty.legacy_tiocsti=0
(available since Linux 6.2), which the comments correctly note may break some screen readers but eliminates a convenient path
to smuggle keystrokes into another session. Process debugging is gated using the Yama LSM control kernel.yama.ptrace_scope=2,
which only permits ptrace from processes that hold CAP_SYS_PTRACE, whether by attaching to a running process or through a
child calling PTRACE_TRACEME; unprivileged users can therefore neither attach debuggers to sibling processes nor run strace or
gdb on programs they start themselves. This aligns the system strongly towards a production profile in which on-host
debugging is effectively a privileged maintenance activity rather than a normal user capability.
Crash handling and memory layout are hardened in a deliberate, multistep fashion. Classic process core dumps are effectively
disabled by fs.suid_dumpable=0 and kernel.core_pattern=|/bin/false: the pipe form hands every core to a helper instead of
writing a file, and /bin/false simply discards it, so even privileged processes do not leave crash images lying around on
persistent storage. Where systemd-coredump is installed, its own /usr/lib/sysctl.d/50-coredump.conf points core_pattern at
systemd-coredump, and the 90- prefix is what guarantees this fragment wins over it. kernel.core_uses_pid=1 is kept consistent
with this policy but has no practical effect once the core pattern is a pipe. The mapping base randomization knobs
kernel.randomize_va_space=2, vm.mmap_rnd_bits=32 and vm.mmap_rnd_compat_bits=16 raise address space layout randomization to
the maximum an x86_64 kernel allows for both native and compat processes, increasing the entropy available for exploit
mitigation. The comments explicitly point out that the chosen bit widths are tuned for x86 type architectures and that other
CPU families accept different ranges, so the configuration implicitly assumes a modern x86_64 kernel; a value outside the
architecture's range is rejected by the kernel and, since the keys carry no - prefix, logged as a failure. The pair
kernel.warn_limit=1 and kernel.oops_limit=1 (both added in Linux 6.2) introduces an extremely low tolerance for kernel
anomalies: each counter panics the kernel on its own once the limit is reached, independently of CONFIG_PANIC_ON_OOPS, which
the commentary references and which would panic on the first oops anyway. A single WARN or oops therefore ends in a panic
rather than letting the kernel limp along in a potentially corrupted state; whether that panic becomes a reboot rather than a
hang depends on kernel.panic (or the panic= command line parameter) holding a non-zero timeout.
Filesystem-related sysctls close off classes of symlink and hardlink based attacks against privileged processes.
fs.protected_symlinks=1 makes the kernel refuse to follow a symlink in a world-writable sticky directory unless the follower's
uid matches the link owner or the directory owner; fs.protected_hardlinks=1 lets a user create hardlinks only to files they own
or have both read and write access to; and fs.protected_fifos=2 and fs.protected_regular=2 forbid an O_CREAT open of an
existing FIFO or regular file owned by another user in a world- or group-writable sticky directory, unless the directory
belongs to the opener. Together these remove the classic tricks of planting a link or a pre-created file in shared
directories such as /tmp for a privileged process to follow, which historically has been exploitable through TOCTOU race
conditions on links.
The networking section establishes a host profile that behaves explicitly as an end system, not as a router, and that is hostile
to in-band reconfiguration from the network. Source routing is disabled for both IPv4 and IPv6 through
net.ipv4.conf.*.accept_source_route=0 and net.ipv6.conf.*.accept_source_route=0. Redirects are neither accepted nor sent,
using the cluster net.ipv4.conf.*.accept_redirects=0, net.ipv4.conf.*.secure_redirects=0, net.ipv6.conf.*.accept_redirects=0,
and net.ipv4.conf.*.send_redirects=0. Reverse path filtering is enabled in strict mode with net.ipv4.conf.all.rp_filter=1 and
net.ipv4.conf.default.rp_filter=1, so a packet is dropped unless the route back to its source address leaves through the
interface it arrived on; this offers a basic defense against address spoofing but breaks asymmetric routing on multihomed
hosts, where the loose mode (2) would be the alternative. Logging of martian packets is activated by
net.ipv4.conf.*.log_martians=1, so the system records traffic with impossible source addresses or failed reverse path checks
in the kernel log (rate limited, but noisy on untidy networks). IP forwarding is disabled via net.ipv4.conf.all.forwarding=0,
the same switch net.ipv4.ip_forward exposes, reinforcing the assumption that these machines are not supposed to forward
traffic between interfaces; net.ipv6.conf.all.forwarding is the corresponding knob to verify on dual-stack hosts.
On the IPv6 side, router advertisements are ignored by net.ipv6.conf.all.accept_ra=0 and net.ipv6.conf.default.accept_ra=0,
which disables SLAAC and RA-learned default routes, so global IPv6 addressing and routing information must be configured
statically or via a trusted configuration mechanism. ARP behavior is tightened by net.ipv4.conf.all.arp_ignore=1 and
net.ipv4.conf.default.arp_ignore=1, so the kernel only answers ARP requests whose target address is configured on the interface
the request arrived on; a multihomed host thus stops answering for all of its addresses on every segment (the classic ARP flux
behavior), which removes an enumeration aid and some spoofing opportunities, though it is no substitute for static ARP entries
or switch-side inspection. ICMP behavior is made highly conservative: net.ipv4.icmp_echo_ignore_all=1 suppresses IPv4 echo
replies entirely and net.ipv4.icmp_echo_ignore_broadcasts=1 ignores echo requests sent to broadcast and multicast addresses,
which hinders casual network scanning and mitigates smurf-style amplification at the cost of losing simple ping diagnostics.
These keys govern IPv4 only: ICMPv6 echo has its own switch, net.ipv6.icmp.echo_ignore_all, and ICMPv6 as a whole must not be
blanket-filtered because neighbor discovery depends on it.
Transport level settings are focused on resilience against SYN flood type denial of service and fingerprinting noise.
net.ipv4.tcp_syncookies=1 activates SYN cookies once a listener's SYN backlog overflows, net.ipv4.tcp_rfc1337=1 protects
against TIME-WAIT assassination by ignoring RST segments in that state, and net.ipv4.tcp_max_syn_backlog=4096 enlarges the
queue for half-open connections, so the system can sustain more parallel handshake attempts before cookies kick in.
net.ipv4.tcp_synack_retries=2 reduces the number of SYN-ACK retransmissions, which shortens the time wasted on unreachable
peers and malicious scanners but can marginally penalize very lossy networks. Finally, net.ipv4.tcp_timestamps=0 disables
TCP timestamps, which otherwise leak information about host uptime and clock behavior and can be abused for subtle
fingerprinting. The trade-off is real: without timestamps there is no PAWS protection against wrapped sequence numbers on
fast links, and the kernel has no timestamp field in which to encode window scaling and SACK for connections completed via
SYN cookies, so clients accepted during a flood fall back to a less efficient TCP.
Beyond the active values, the file also documents several tunables that are intentionally left commented out. These include sysctls for io_uring disablement, performance event restrictions, memory overcommit policy, dirty page ratios, and swap aggressiveness. Their presence turns the file into a compact reference of hardened defaults that the CISS ecosystem considers defensible, while still leaving room for operator-specific adjustments when hardware constraints or workload characteristics demand different trade-offs.
In terms of preconditions, the configuration assumes a Linux kernel new enough to understand the modern hardening knobs it
targets, and a deployment model where almost all required modules and capabilities are either built into the kernel or loaded
before sysctl application. It does not itself coordinate with the live boot or initramfs stages: instead, it defines the
steady-state behavior of a system that has already pivoted into its real root filesystem. Within the overall
CISS.debian.live.builder architecture, 90-ciss-local.hardened therefore functions as the final, host level enforcement layer
that aligns runtime behavior with the hardened kernel command line and build time options defined elsewhere in the project,
closing off residual dynamic features and network behaviors that would otherwise remain available after boot.