msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
47eaa39e3dbe0488f155443b84ea1ccaf802a4fed7a316babdd77eeea7b6c27f
CISS.debian.live.builder/docs/CHANGELOG.md
Marc S. Weidner 47eaa39e3d
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Details
V8.13.294.2025.10.28 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-28 14:16:22 +01:00

303 lines
15 KiB
Markdown
Raw Blame History

---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.294.2025.10.28<br>
# 2. Changelog
## V8.13.294.2025.10.28
* **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes
* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades.sh) + modifies '/usr/lib/live/build/...' scripts
* **Added**: [lib_update_microcode.sh](../lib/lib_update_microcode.sh)
* **Added**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + modifies binary_rootfs script
* **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10
* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90
* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90
* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) = unified logging
## V8.13.292.2025.10.27
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel()
## V8.13.290.2025.10.26
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™.
## V8.13.288.2025.10.24
* **Added**: Preparations for CISS and PhysNet primordial-workflow™.
* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot)Preparations for CISS and PhysNet primordial-workflow™.
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
* **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
* **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - yq
## V8.13.280.2025.10.23
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) changed: audit_backlog_limit=262144
## V8.13.272.2025.10.22
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + amd64-microcode intel-microcode
* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) removed --sp800-90b
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y
* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
## V8.13.256.2025.10.21
* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
* **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv)
## V8.13.224.2025.10.19
* **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
## V8.13.192.2025.10.18
* **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
* **Added**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot)
* **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) hardened MaxStartups
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) removed haveged alias
* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) removed haveged entry
* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) added HISTIGNORE and EDITOR
## V8.13.144.2025.10.16
* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/99_local.hardened)
* **Updated**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
* **Changed**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
## V8.13.142.2025.10.14
* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
## V8.13.132.2025.10.11
* **Added**: [REPOSITORY.md](../REPOSITORY.md)
## V8.13.128.2025.10.10
* **Added**: Packages ``age``, ``cosign``
* **Added**: Repository https://github.com/getsops/sops.git
* **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot)
* **Added**: [0860_sops.chroot](../config/hooks/live/0860_sops.chroot)
* **Added**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
## V8.13.096.2025.10.09
* **Added**: [0010_install_apparmor.chroot](../config/hooks/live/0010_install_apparmor.chroot)
* **Added**: [ssh_known_hosts](../config/includes.chroot/etc/ssh/ssh_known_hosts)
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot)
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh)
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh)
## V8.13.064.2025.10.07
* **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
* **Added**: Verbose status information screen on successful completion.
* **Added**: Verbose status information in 'CISS.debian.live.iso.'
* **Added**: Loop to desynchronize parallel workflows.
* **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
* **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
* **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified Kernel bootparameter.
* **Updated**: [lib_run_analysis.sh](../lib/lib_run_analysis.sh)
## V8.13.048.2025.10.06
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
* **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
* **Updated**: [9000-cdi-starter](../scripts/9999-cdi-starter)
## V8.13.032.2025.10.03
* **Added**: Internal Gitea Action Runner switch for static SSHFP records.
## V8.13.016.2025.09.28
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
## V8.13.008.2025.08.22
* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
## V8.13.004.2025.08.21
* **Added**: [makefile](../makefile)
## V8.13.002.2025.08.11
* **Added**: [lib_source_guard.sh](../lib/lib_source_guard.sh)
* **Added**: [sources.list](../config/includes.chroot/etc/apt/sources.list)
* **Added**: [trixie.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie.sources)
* **Added**: [trixie-backports.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources)
* **Added**: [trixie-security.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources)
* **Added**: [trixie-updates.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources)
* **Added**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Bugfixes**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
* **Bugfixes**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [bash.var.sh](../var/bash.var.sh)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: Support for Debian Trixie via Argument ``--trixie``
* **Updated**: Debian 12 LIVE ISO workflows to use Kernel: ``linux-image-6.1.0-37-amd64``
## V8.03.920.2025.08.07
* **Updated**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
* **Updated**: [ciss_live_builder.sh](../ciss_live_builder.sh)
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
## V8.03.912.2025.07.23
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
* **Updated**: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
* **Updated**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
* **Updated**: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc)
## V8.03.896.2025.07.22
* **Added**: [.shellcheckrc](../.shellcheckrc)
* **Bugfixes**: [ciss_live_builder.sh](../ciss_live_builder.sh)
* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
## V8.03.880.2025.07.19
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
* **Added**: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
* **Added**: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
## V8.03.864.2025.07.15
* **Updated**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
* **Added**: [BOOTPARAMS.md](BOOTPARAMS.md)
* **Added**: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
## V8.03.832.2025.06.25
* **Added**: [lib_version.sh](../lib/lib_version.sh)
* **Updated**:
* [lib_contact.sh](../lib/lib_contact.sh)
* [lib_usage.sh](../lib/lib_usage.sh)
* **Packages added**:
* https://packages.debian.org/bookworm/fio
* https://packages.debian.org/bookworm/stress
* **Updated**: Timezone changed to ``Etc/UTC``
## V8.03.832.2025.06.24
* **Updated**:
* [lib_check_provider.sh](../lib/lib_check_provider.sh)
* [lib_debug_header.sh](../lib/lib_debug_header.sh)
* [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
* **Added**: The Debian package ``bat`` will be installed to enable smooth log reading.
## V8.03.768.2025.06.23
* **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
* Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
* Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
* **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
* **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
to prevent the caller LIB-file from being sourced twice.
## V8.03.768.2025.06.19
* Minor main script improvements.
* **Updated**: [lib_usage.sh](../lib/lib_usage.sh) output.
## V8.03.768.2025.06.18
* Minor main script improvements.
* **Updated**: Contact section.
* Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.
## V8.03.768.2025.06.17
* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
## V8.03.768.2025.06.11
* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
## V8.03.768.2025.06.09
* **Added**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
* ``scurl()``
* ``swget()``
## V8.03.644.2025.06.07
* **Updated**: Workflows ISO Generators Runners.
* Installing ``bookworm-backports`` Versions of:
* ``btrfs-progs``
* ``curl``
* ``debootstrap``
* ``iproute2``
* ``ncat``
* ``nmap``
* ``ssh``
* ``systemd``
* ``systemd-sysv``
* ``whois``
* Changed default: ``/etc/login.defs`` ``LOGIN_TIMEOUT 60`` to: ``LOGIN_TIMEOUT 180``
* LIVE ISO generated by workflow tested against:
* Netcup Root Server
* Proxmox
* LIVE ISO generated by the script tested against:
* Netcup Root Server
## V8.03.512.2025.06.06
* **Updated**: Workflows:
1. ``git stash push``
2. ``git fetch origin master``
3. ``git merge --no-edit origin/master``
4. ``git stash pop``
* Changed workflows ISO Generators routines ``🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.``
* added ``wget --https-only`` flag
* added verification step
## V8.03.400.2025.06.05
* The workflow ISO Generators image was changed to ``debian:bookworm``.
* Added a LIVE ISO workflow routine to build GnuPG from sources, since Bookworm GPG does not recognize key format 5.
* Changed verbosity of:
* [9993_aide.chroot](../config/hooks/live/9993_aide.chroot)
* [9997_debsums.chroot](../config/hooks/live/9997_debsums.chroot)
* Added basic linter checks for:
* **``*.sh``**,
* **``*.zsh``**,
* **``*.chroot``**,
* all files with Shebang **``#``**! for:
* Windows CRLF line endings
* unauthorized control characters (C0 control characters except \t, \n)
* non-ASCII (ambiguous UTF) characters
* [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
Reference in New Issue View Git Blame Copy Permalink