CISS.debian.live.builder/docs/DOCUMENTATION.md
2025-10-29 09:15:46 +01:00

1. CISS.debian.live.builder

Centurion Intelligence Consulting Agency Information Security Standard
Debian Live Build Generator for hardened live environment and CISS Debian Installer
Master Version: 8.13
Build: V8.13.296.2025.10.29

2.1. Usage

CISS.debian.live.builder
Master V8.13.296.2025.10.29
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025

"./ciss_live_builder.sh <option>", where <option> is one or more of:

  --help, -h
    What you're looking at.

  --autobuild=*, -a=*
    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
    selector dialog. Change '*' to your desired Linux kernel and trim the
    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.

  --architecture <STRING> one of <amd64 | arm64>
    A string reflecting the architecture of the Live System.
    MUST be provided.

  --build-directory </path/to/build_directory>
    Where the Debian Live Build Image should be generated.
    MUST be provided.

  --change-splash <STRING> one of <club | hexagon>
    A string reflecting the GRUB boot screen splash you want to use.
    If omitted, defaults to "./.archive/background/club.png".

  --cdi (Experimental Feature)
    This option generates a boot menu entry to start the forthcoming
    'CISS.debian.installer', which will be executed after
    the system has successfully booted up.

  --contact, -c
    Displays contact information of the author.

  --control <INTEGER>
    An integer that reflects the version of your Live ISO Image.
    MUST be provided.

  --debug
    Enables debug logging for the main program routine. Detailed logging
    information is written to "/tmp/ciss_live_builder_1136873.log".

  --dhcp-centurion
    If a DHCP lease is provided, the provider's nameserver will be overridden,
    and only the hardened, privacy-focused Centurion DNS servers will be used:
      - https://dns01.eddns.eu/
      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/

  --jump-host <IP | IP | ... >
    Provide up to 10 IPs for /etc/hosts.allow whitelisting of SSH access.
    Can be IPv4 and / or IPv6 addresses and / or CIDR notation.
    If provided, then it MUST be a <SPACE> separated list.
    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.

  --log-statistics-only
    Provides statistics only, after successfully building a
    CISS.debian.live-ISO. When enabling "--log-statistics-only",
    the argument "--build-directory" MUST be provided while
    all further options MUST be omitted.

  --provider-netcup-ipv6
    Activates IPv6 support for Netcup Root Server. One unique
    IPv6 address MUST be provided in this case and MUST be encapsulated
    with [], e.g., [1234::abcd].

  --renice-priority <PRIORITY>
    Reset the nice priority value of the script and all its children
    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
    Negative (higher) values MUST be enclosed in double quotes '"'.

  --reionice-priority <CLASS> <PRIORITY>
    Reset the ionice priority value of the script and all its children
    to the desired <CLASS>. MUST be an integer:
      1: realtime
      2: best-effort
      3: idle
    Defaults to '2'.
    Whereas <PRIORITY> MUST be an integer as well between:
      0: highest priority and
      7: lowest priority.
    Defaults to '4'.
    A real-time I/O process can significantly slow down other processes
    or even cause them to starve if it continuously requests I/O.

  --root-password-file </path/to/password.txt>
    Password file for 'root'. If given, the password MUST be a string of 20 to 64
    characters and MUST NOT contain the special character '"'.
    If the argument is omitted, no further login authentication is required for
    the local console. The root password is hashed with a 16-byte SALT generated
    from '/dev/random', the SHA512 hashing function and 8,388,608 rounds. Immediately
    after hash generation, all variables containing plain password fragments are
    deleted. The password file SHOULD be '0400' and 'root:root'. It is deleted via
    'shred -vfzu 5 -f', without further prompt, after the password hash has been
    successfully generated.
    No plain text password fragment is traced in any debug log.

  --ssh-port <INTEGER>
    The port SSH should listen on.
    If not provided defaults to Port 22.

  --ssh-pubkey </path/to/.ssh/>
    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
    specified PATH into the Live ISO. MUST be provided.

  --trixie
    Create a Debian Trixie Live ISO.

  --version, -v
    Displays version of ./ciss_live_builder.sh.

💡 Notes:
🔵 You MUST be 'root' to run this script.

💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
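
A pre-flight check for the file passed to `--root-password-file`, following the rules in the option text above. This is an added example, not part of `ciss_live_builder.sh`; the function name `check_password_file` is hypothetical, and it assumes the password is the first line of the file.

```shell
#!/bin/sh
# Added example: pre-flight check for a --root-password-file candidate.
# MUST rules from the option text: 20 to 64 characters, no '"'.
# SHOULD rules from the option text: mode 0400, owner root:root.
# Assumption: the password is the first line of the file.

check_password_file() (
  # Subshell body: the plaintext variable dies with it, and xtrace is
  # switched off so the password never reaches a debug log.
  set +x
  f=$1
  rc=0

  if [ ! -f "$f" ] || [ ! -r "$f" ]; then
    echo "FAIL: '$f' is not a readable regular file"
    exit 1
  fi

  # SHOULD rules: report, but do not reject. 'stat -c' is GNU coreutils (Debian).
  meta=$(stat -c '%a %U:%G' "$f" 2>/dev/null) || meta=unknown
  [ "$meta" = "400 root:root" ] ||
    echo "WARN: mode/owner is '$meta', expected '400 root:root'"

  # MUST rules. Only the length is ever printed, never the password itself.
  pw=
  IFS= read -r pw < "$f" || :   # a missing trailing newline is fine
  len=${#pw}
  if [ "$len" -lt 20 ] || [ "$len" -gt 64 ]; then
    echo "FAIL: password length $len is outside 20..64"
    rc=1
  fi
  case $pw in
    *'"'*) echo "FAIL: password contains a double quote"; rc=1 ;;
  esac

  exit "$rc"
)
```

The function returns 0 when both MUST rules hold and 1 otherwise; SHOULD violations only produce a `WARN:` line.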

2.2. Contact

💬 Contact:
🌐 https://coresecret.eu/
📧 security@coresecret.eu
🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD

3. Booting

3.1. Grub Menu

[Screenshot: Boot Menu]

3.2. Integrity checks

[Screenshot: Integrity Check]

[Screenshot: Integrity Success]

3.3. Console Login

[Screenshot: Console Login]
