CISS.debian.live.builder/docs/DOCUMENTATION.md

1. CISS.debian.live.builder

Centurion Intelligence Consulting Agency Information Security Standard
Debian Live Build Generator for hardened live environment and CISS Debian Installer
Master Version: 9.14
Build: V9.14.022.2026.06.10

2.1. Usage

                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

CISS.debian.live.builder from https://git.coresecret.dev/msw
Master V9.14.022.2026.06.10
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

(c) Marc S. Weidner, 2018 - 2026
(p) Centurion Press, 2024 - 2026

./ciss_live_builder.sh <option>, where <option> is one or more of:

  --help, -h
    What you're looking at.

  --autobuild=*, -a=*
    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel selector dialog.
    Change '*' to your desired Linux kernel and trim the 'linux-image-' string to select a specific kernel,
    e.g. '--autobuild=6.12.30+bpo-amd64'.

  --architecture <STRING> one of <amd64 | arm64>
    A string reflecting the architecture of the Live System.
    MUST be provided.

  --build-directory </path/to/build_directory>
    Where the Debian Live Build Image should be generated. RECOMMENDED path: </opt/cdlb>
    The path MUST be canonical and dedicated to the builder; a new directory's canonical parent MUST already exist.
    New or empty directories receive the '.ciss-live-builder-owned' marker; populated unmarked directories are
    rejected. Cleanup is intentionally destructive only inside the exact validated marker-owned directory.
    MUST be provided.
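
The acceptance and cleanup rule for '--build-directory' described above, as an added example; this is not the project's own code. The marker name is taken from this page, the function names are the example's own, and the canonical-path test (absolute, normalised, no symlink components, existing parent) is this example's reading of the text.

```sh
#!/bin/sh
# Added example, not the project's own code: the '--build-directory' acceptance
# rule from the option text. A path is accepted only if it is absolute and
# canonical (no '.', '..', '//', no symlink components), its canonical parent
# exists, and it is new/empty (it then receives the marker) or already marked.
# Populated, unmarked directories are rejected, and cleanup only ever deletes
# inside a re-validated, marker-owned directory. The marker name is from the
# page; the function names are this example's own.

MARKER='.ciss-live-builder-owned'

# Return 0 if $1 is an absolute, canonical path whose parent directory exists.
is_canonical_build_path() {
    p=$1
    case "$p" in
        /) return 1 ;;                                   # never the root
        /*) ;;                                           # must be absolute
        *) return 1 ;;
    esac
    case "$p" in
        */|*/./*|*/../*|*//*|*/.|*/..) return 1 ;;       # not normalised
    esac
    parent=$(dirname "$p")
    [ -d "$parent" ] || return 1                         # parent must exist
    [ "$(readlink -f "$parent")" = "$parent" ] || return 1   # no symlinks above
    [ ! -L "$p" ]                                        # nor the path itself
}

# Validate and claim a build directory: create it with the marker, accept an
# already marked or empty directory, reject a populated unmarked one.
claim_build_dir() {
    d=$1
    is_canonical_build_path "$d" || { echo "not a canonical path: $d" >&2; return 1; }
    if [ ! -e "$d" ]; then
        mkdir -m 0700 "$d" && : > "$d/$MARKER"
        return
    fi
    [ -d "$d" ] || { echo "not a directory: $d" >&2; return 1; }
    [ ! -e "$d/$MARKER" ] || return 0                    # already ours
    if [ -z "$(ls -A "$d")" ]; then                      # empty, dotfiles included
        : > "$d/$MARKER"
        return 0
    fi
    echo "refusing populated, unmarked directory: $d" >&2
    return 1
}

# Destructive cleanup, confined to a directory that still passes validation and
# still carries a regular-file marker; the marker itself is removed last.
cleanup_build_dir() {
    d=$1
    is_canonical_build_path "$d" || return 1
    [ -d "$d" ] && [ -f "$d/$MARKER" ] && [ ! -L "$d/$MARKER" ] || return 1
    find "$d" -mindepth 1 -maxdepth 1 ! -name "$MARKER" -exec rm -rf {} +
    rm -f "$d/$MARKER"
    rmdir "$d"
}

# Demo on constructed temporary paths; run this file with '--demo' to see it.
if [ "${1:-}" = "--demo" ]; then
    base=$(readlink -f "$(mktemp -d)")
    claim_build_dir "$base/cdlb" && echo "claimed $base/cdlb"
    mkdir "$base/populated" && : > "$base/populated/data"
    claim_build_dir "$base/populated" || echo "rejected as expected"
    cleanup_build_dir "$base/cdlb" && echo "cleaned $base/cdlb"
    rm -rf "$base"
fi
```

The point of re-running the full validation inside cleanup_build_dir is that the destructive step never trusts a path it validated earlier: if the directory was replaced by a symlink or lost its marker in between, nothing is deleted.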

  --change-splash <STRING> one of <club | hexagon>
    A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:
    <./.archive/background/club.png>

  --cdi
    This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed
    once the system has successfully booted up.

  --contact, -c
    Show author contact information.

  --control <STRING>
    A string that reflects the version of your Live ISO Image.
    MUST be provided.

  --debug, -d
    Enables debug logging for the main program routine. Detailed logging information is written to:
    </tmp/ciss_live_builder_1801049.log>
    A final exact-value sanitisation pass is defence in depth and does not replace careful tracing discipline.

  --dhcp-centurion
    If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused
    Centurion DNS servers will be used instead:
      - https://dns01.eddns.eu/
      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
      
  --dropbear-version <STRING>
    Selects the bundled Dropbear source tarball version used for the hardened initramfs build.
    The matching file MUST exist as:
    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>
    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>.

  --sops-version <STRING>
    Selects the upstream SOPS release version used for the SOPS binary installed into the Live System.
    The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized.
    The expected amd64 upstream asset is:
    <https://github.com/getsops/sops/releases/download/v<STRING>/sops-v<STRING>.linux.amd64>
    SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode.
    If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>.
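
The '--sops-version' handling described above, as an added example; this is not the project's own code. It normalises the version (leading 'v' accepted, strict X.Y.Z required), derives the amd64 asset URL from the pattern on this page, and checks a downloaded binary against its line in the release checksum list. The checksum list file name and its sha256sum line format are this example's assumption, and the Cosign verification the page mentions is not reproduced here.

```sh
#!/bin/sh
# Added example, not the project's own code: handle a '--sops-version' value the
# way the option text describes. The version is normalised (a leading 'v' is
# accepted, the result must be X.Y.Z), the amd64 asset URL is derived from the
# pattern on the page, and a downloaded binary is checked against its entry in
# the release checksum list. The checksum list name and its 'sha256sum' line
# format are this example's assumption; the Cosign signature verification the
# page mentions is not reproduced here.

# Print the bare version (without 'v') or return 1 if it is not strict X.Y.Z.
normalise_sops_version() {
    v=${1#v}
    printf '%s\n' "$v" | grep -Eq '^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*)){2}$' || return 1
    printf '%s\n' "$v"
}

# Print the upstream amd64 asset URL for a bare version (pattern from the page).
sops_asset_url() {
    printf 'https://github.com/getsops/sops/releases/download/v%s/sops-v%s.linux.amd64\n' "$1" "$1"
}

# Verify file $1 against the sha256 recorded for its basename in checksum list
# $2 ('<hex>  <name>' or '<hex> *<name>' lines). Fails closed when the entry is
# missing, so a truncated list cannot be passed off as a match.
verify_sha256_from_list() {
    file=$1; list=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$list")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Demo with a constructed release layout (no download); run with '--demo'.
if [ "${1:-}" = "--demo" ]; then
    ver=$(normalise_sops_version "${2:-v3.13.1}") || { echo "bad version" >&2; exit 1; }
    echo "would fetch: $(sops_asset_url "$ver")"
    tmp=$(mktemp -d)
    printf 'constructed binary payload\n' > "$tmp/sops-v$ver.linux.amd64"
    (cd "$tmp" && sha256sum "sops-v$ver.linux.amd64" > "sops-v$ver.checksums.txt")
    verify_sha256_from_list "$tmp/sops-v$ver.linux.amd64" "$tmp/sops-v$ver.checksums.txt" && echo "checksum ok"
    rm -rf "$tmp"
fi
```

The strict version pattern matters because the value is spliced into a URL and into file names: anything that is not digits and dots is rejected before it reaches a download or a shell command.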

  --jump-host <IP | IP | ... >
    Provide up to 10 IPs for '/etc/hosts.allow' whitelisting of SSH access. Entries may be IPv4 and / or IPv6
    addresses, with or without CIDR notation. If provided, it MUST be a <SPACE>-separated list.
    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
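
A validator for the '--jump-host' value described above, as an added example; this is not the project's own code. It enforces the limit of 10 entries, the bracket form for IPv6 and the optional CIDR suffix; the exact patterns accepted and the 'sshd' daemon name in the generated hosts.allow line are this example's assumptions.

```sh
#!/bin/sh
# Added example, not the project's own code: validate a '--jump-host' list as
# the option text describes. The value is a SPACE-separated list of at most 10
# entries; each entry is an IPv4 address or a bracketed IPv6 address, either
# with an optional CIDR prefix (e.g. 198.51.100.0/24 or [1234::abcd]/64).
# The exact patterns accepted here are this example's assumption.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_entry() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet(/([0-9]|[12][0-9]|3[0-2]))?\$"
}

# Return 0 if $1 is '[<ipv6>]' with an optional /0-128 prefix. The page requires
# the bracket form so that a prefix length cannot be confused with the address.
is_ipv6_entry() {
    case "$1" in
        \[*\]*) ;;
        *) return 1 ;;
    esac
    addr=${1#\[}; addr=${addr%%\]*}
    suffix=${1#*\]}
    printf '%s\n' "$addr" | grep -Eq '^[0-9A-Fa-f:]{2,39}$' || return 1
    case "$addr" in
        *:::*|:[!:]*|*[!:]:) return 1 ;;                 # bad colon placement
    esac
    # Every group is 1 to 4 hex digits.
    ! printf '%s\n' "$addr" | tr ':' '\n' | grep -Eq '^[0-9A-Fa-f]{5,}$' || return 1
    doubles=$(printf '%s' "$addr" | grep -o '::' | wc -l | tr -d ' ')
    groups=$(printf '%s\n' "$addr" | tr ':' '\n' | awk 'NF { n++ } END { print n + 0 }')
    [ "$doubles" -le 1 ] && [ "$groups" -le 8 ] || return 1
    [ "$doubles" -eq 1 ] || [ "$groups" -eq 8 ] || return 1   # no '::' means all 8 groups
    case "$suffix" in
        '') return 0 ;;
        /*) printf '%s\n' "${suffix#/}" | grep -Eq '^([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' ;;
        *) return 1 ;;
    esac
}

# Validate the whole '--jump-host' value: 1 to 10 entries, each IPv4 or
# bracketed IPv6. Reports the first offending entry on stderr.
validate_jump_hosts() {
    set -f                                # no glob expansion of '[...]' entries
    count=0
    for entry in $1; do                   # SPACE separation is the contract
        count=$((count + 1))
        if [ "$count" -gt 10 ]; then
            echo "too many jump hosts (max 10)" >&2; set +f; return 1
        fi
        if ! is_ipv4_entry "$entry" && ! is_ipv6_entry "$entry"; then
            echo "invalid jump host entry: $entry" >&2; set +f; return 1
        fi
    done
    set +f
    [ "$count" -ge 1 ] || { echo "empty jump host list" >&2; return 1; }
}

# Print the hosts.allow line for a validated list ('sshd' is an assumed daemon name).
format_hosts_allow_line() {
    validate_jump_hosts "$1" || return 1
    printf 'sshd: %s\n' "$1"
}

# Demo with constructed documentation addresses; run this file with '--demo'.
if [ "${1:-}" = "--demo" ]; then
    format_hosts_allow_line "192.0.2.10 [2001:db8::1]/64 198.51.100.0/24"
    format_hosts_allow_line "2001:db8::1" || echo "unbracketed IPv6 rejected as expected"
fi
```

Validation runs before anything is written, and the list is never word-split with globbing enabled, so a bracketed IPv6 entry cannot be expanded against file names in the working directory.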

  --key_age=*
    The SOPS AGE private keyring for decryption operations. Change '*' to your desired SOPS AGE key file.
    '*' MUST be a filename only without slashes, '.' or '..' traversal.
    File MUST be placed in:
    </dev/shm/cdlb_secrets>

  --key_luks=*
    The LUKS encryption / decryption passphrase for '/'-fs-encryption. Change '*' to your desired passphrase file.
    '*' MUST be a filename only without slashes, '.' or '..' traversal.
    File MUST be placed in:
    </dev/shm/cdlb_secrets>

  --log-statistics-only
    Provides statistics only, after successfully building a CISS.debian.live ISO. While '--log-statistics-only'
    is enabled, the argument '--build-directory' MUST be provided.

  --primordial-key <ssh-identity-filename>
    SSH identity filename for the Primordial overlay clone. This MUST be a filename only; the runtime path is derived as
    '/root/.ssh/<ssh-identity-filename>'.
    Example fragment:
      ./ciss_live_builder.sh --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
        --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
        --primordial-ssh 42842
        
  --primordial-ssh <INTEGER>
    Adds one outgoing UFW TCP exception for a bootstrap/recovery SSH port.
    Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'.
    Effective only when the Live System's UFW outgoing policy is 'deny'.
    Port MUST be a decimal integer between '1' and '65535'.

  --primordial-url <https-git-url>
    HTTPS Git repository URL for the Primordial CDI overlay. MUST start with 'https://', include a host and path, and end in
    '.git'. The CDI starter converts this URL to an SSH clone URL at runtime.

  --provider-netcup-ipv6
    Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be
    encapsulated with [], e.g., [1234::abcd].

  --renice-priority <PRIORITY>
    Reset the nice priority value of the script and all its children to the desired <PRIORITY>. MUST be an integer
    between '-19' and '19'. Negative (higher) values MUST be enclosed in double quotes '"'.

  --reionice-priority <CLASS> <PRIORITY>
    Reset the ionice priority value of the script and all its children to the desired <CLASS>. MUST be an integer:
      1: realtime
      2: best-effort
      3: idle
    Defaults to '2'.
    Whereas <PRIORITY> MUST be an integer as well between:
      0: highest priority and
      7: lowest priority.
    Defaults to '4'.
    A real-time I/O process can significantly slow down other processes or even cause them to starve if it
    continuously requests I/O.

  --root-password-file </dev/shm/cdlb_secrets/password.txt>
    Password file for 'root', if given, MUST be a string of 42 to 64 characters.
    If the argument is omitted, no further login authentication is required for the local console.
    Safe absolute paths remain supported and are validated separately. RECOMMENDED path:
    </dev/shm/cdlb_secrets/password.txt>

  --secure-boot-profile <STRING> one of <debian-shim | ciss-uki>
    Selects the UEFI Secure Boot profile. Defaults to 'debian-shim'.
    'debian-shim' keeps the Microsoft-signed Debian shim and signed GRUB path.
    'ciss-uki' builds a CISS-signed UKI and installs it as 'EFI/BOOT/BOOTX64.EFI'.
    The 'ciss-uki' profile requires:
      <./ciss.secureboot/private/ciss-efi-image.key>
      <./ciss.secureboot/public/ciss-efi-image.crt>

  --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=*
    The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is
    specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
    Specify the fingerprint of the key to use via '--signing_key_fpr=*'.
    Optionally import an offline GPG CA signing public key via: '--signing_ca=*'.
    Change '*' to your desired filename-only files / fingerprint. Filename-only values MUST NOT contain slashes or traversal.
    Files MUST be placed in:
    </dev/shm/cdlb_secrets>

  --sshfp
    Desired SSH id-files that should be incorporated in '/root/.ssh/id*'.
    Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'.
    The respective id-files and / or host-files MUST be placed in:
    </dev/shm/cdlb_secrets/id*> / </dev/shm/cdlb_secrets/ssh_host_*>

  --ssh-port <INTEGER>
    The desired Port SSH should listen to.
    If not provided defaults to Port '22'.

  --ssh-pubkey </dev/shm/cdlb_secrets/>
    Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO.
    Key file MUST be placed in:
    </dev/shm/cdlb_secrets/authorized_keys>

  --trixie
    Creates a Debian Trixie Live ISO. If omitted defaults to 'Trixie'. No other Debian Version is supported.

  --version, -v
    Show version of ./ciss_live_builder.sh.

💡 Notes:
🔵 You MUST be 'root' to run this script.
🔵 Private operator control does not remove the requirement for strict local secret path validation.
🔵 '/dev/shm/cdlb_secrets' MUST be tmpfs-backed, root-owned, mode 0700, and contain only single-link regular non-symlink files
   with mode 0400 or 0600. Secure deletion with shred is best-effort only on modern storage.
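
The filename-only rule for '--key_age', '--key_luks', the '--signing_key*' options and '--primordial-key', together with the secrets-directory requirements in the notes above, as one added example; this is not the project's own code. The expected owner uid and the tmpfs check are parameters so the logic can be exercised in a scratch directory without root; the real requirement is root and /dev/shm/cdlb_secrets as stated above. Helper names, and the extra rule that files carry the same owner as the directory, are this example's own.

```sh
#!/bin/sh
# Added example, not the project's own code. Two rules from the page:
#  1. A filename-only value ('--key_age=*', '--key_luks=*', '--signing_key=*',
#     '--primordial-key') is a single path component: not empty, not '.' or
#     '..', no slashes. Only then is it joined to the secrets directory.
#  2. The secrets directory must be tmpfs-backed, owned by root, mode 0700, and
#     hold only single-link regular non-symlink files of mode 0400 or 0600.
# The expected owner uid and the tmpfs check are parameters here so the logic
# can be exercised in a scratch directory; the real tool requires root and
# /dev/shm/cdlb_secrets as stated on the page. Requiring the files to have the
# same owner as the directory is this example's added strictness.

SECRETS_DIR='/dev/shm/cdlb_secrets'

# Return 0 if $1 is an acceptable filename-only value.
is_filename_only() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
    esac
    # Also refuse control characters, so the name is safe in later shell use.
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ]
}

# Print '<secrets dir>/<name>' or fail if the name is not filename-only.
# An optional $2 overrides the secrets directory (used for scratch testing).
resolve_secret_path() {
    is_filename_only "$1" || { echo "not a filename-only value: $1" >&2; return 1; }
    printf '%s/%s\n' "${2:-$SECRETS_DIR}" "$1"
}

# Check a secrets directory: $1 path, $2 expected owner uid (default 0 = root),
# $3 '0' to skip the tmpfs check. The first violation is reported on stderr.
check_secrets_dir() {
    dir=$1; want_uid=${2:-0}; need_tmpfs=${3:-1}
    [ -d "$dir" ] && [ ! -L "$dir" ] || { echo "$dir: not a real directory" >&2; return 1; }
    if [ "$need_tmpfs" = 1 ]; then
        [ "$(stat -f -c %T "$dir")" = "tmpfs" ] || { echo "$dir: not tmpfs-backed" >&2; return 1; }
    fi
    owner_mode=$(stat -c '%u %a' "$dir")
    [ "$owner_mode" = "$want_uid 700" ] || { echo "$dir: want uid $want_uid mode 700, got $owner_mode" >&2; return 1; }
    # Visit every entry including dotfiles; unmatched globs stay literal and are skipped.
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        [ ! -L "$f" ] || { echo "$f: symlinks are not allowed" >&2; return 1; }
        [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
        info=$(stat -c '%u %a %h' "$f")
        case "$info" in
            "$want_uid 400 1"|"$want_uid 600 1") ;;
            *) echo "$f: want uid $want_uid, mode 0400/0600, one link; got $info" >&2; return 1 ;;
        esac
    done
    return 0
}

# Demo in a constructed scratch directory (no root needed); run with '--demo'.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); chmod 0700 "$d"
    : > "$d/age.key"; chmod 0600 "$d/age.key"
    resolve_secret_path age.key "$d"
    resolve_secret_path ../age.key "$d" || echo "rejected as expected"
    check_secrets_dir "$d" "$(id -u)" 0 && echo "scratch directory passes"
    rm -rf "$d"
fi
```

The symlink and link-count checks are what make the directory requirement meaningful: a symlink or a second hard link would let a secret be read through, or survive deletion at, a path the tool never validated.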

💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/

                        V9.14.022.2026.06.10                        2026-05-17                         CDLB(1)

3. Booting

3.1. Grub Menu

Boot Menu

3.2. Integrity checks

Integrity Check

Integrity Success

3.3. Console Login

Console Login
