CISS.debian.live.builder/docs/CHANGELOG.md

Table of Contents

• 1. CISS.debian.live.builder
• 2. Changelog
• V8.13.544.2025.12.05
• V8.13.536.2025.12.04
• V8.13.528.2025.12.03
• V8.13.520.2025.12.02
• V8.13.512.2025.11.28
• V8.13.512.2025.11.27
• V8.13.512.2025.11.26
• V8.13.440.2025.11.19
• V8.13.432.2025.11.18
• V8.13.416.2025.11.17
• V8.13.408.2025.11.13
• V8.13.404.2025.11.10
• V8.13.400.2025.11.08
• V8.13.392.2025.11.07
• V8.13.384.2025.11.06
• V8.13.298.2025.10.30
• V8.13.296.2025.10.29
• V8.13.294.2025.10.28
• V8.13.292.2025.10.27
• V8.13.290.2025.10.26
• V8.13.288.2025.10.24
• V8.13.280.2025.10.23
• V8.13.272.2025.10.22
• V8.13.256.2025.10.21
• V8.13.224.2025.10.19
• V8.13.192.2025.10.18
• V8.13.144.2025.10.16
• V8.13.142.2025.10.14
• V8.13.132.2025.10.11
• V8.13.128.2025.10.10
• V8.13.096.2025.10.09
• V8.13.064.2025.10.07
• V8.13.048.2025.10.06
• V8.13.032.2025.10.03
• V8.13.016.2025.09.28
• V8.13.008.2025.08.22
• V8.13.004.2025.08.21
• V8.13.002.2025.08.11
• V8.03.920.2025.08.07
• V8.03.912.2025.07.23
• V8.03.896.2025.07.22
• V8.03.880.2025.07.19
• V8.03.864.2025.07.15
• V8.03.832.2025.06.25
• V8.03.832.2025.06.24
• V8.03.768.2025.06.23
• V8.03.768.2025.06.19
• V8.03.768.2025.06.18
• V8.03.768.2025.06.17
• V8.03.768.2025.06.11
• V8.03.768.2025.06.09
• V8.03.644.2025.06.07
• V8.03.512.2025.06.06
• V8.03.400.2025.06.05

1. CISS.debian.live.builder

Centurion Intelligence Consulting Agency Information Security Standard
Debian Live Build Generator for hardened live environment and CISS Debian Installer
Master Version: 8.13
Build: V8.13.544.2025.12.05

2. Changelog

V8.13.544.2025.12.05

• Added: 30-ciss-hardening.conf.md
• Added: 90-ciss-local.hardened.md
• • Bugfixes: zzzz_ciss_crypt_squash.hook.binary + Adjusted OVERHEAD_PCT for Gitea Runner

V8.13.536.2025.12.04

• Added: ciss_live_builder.sh.md
• Bugfixes: Unified network management via systemd-networkd
• Bugfixes: 0822_ssh_restart_hook.chroot + ssh restart cron job replaced by systemd override
• Bugfixes: unlock_wrapper.sh + : > /var/log/wtmp
• Bugfixes: 1000_ciss_fixpath.sh + : > /var/log/wtmp
• Bugfixes: 0000_ciss_fixpath.sh + : > /var/log/wtmp
• Bugfixes: 30-ciss-hardening.conf + UAS blacklisting
• Bugfixes: 0024-ciss-crypt-squash + unified kill & wait handling for BROKER & PROMPT PIDs
• Removed 0100_ciss_mem_wipe.chroot

V8.13.528.2025.12.03

• Bugfixes: Unified network management via systemd-networkd

V8.13.520.2025.12.02

• Bugfixes: Unified network management via systemd-networkd

V8.13.512.2025.11.28

• Bugfixes: Unified network management via systemd-networkd

V8.13.512.2025.11.27

• Global: Unified network management via systemd-networkd
• Global: Transition of license agreements to:
  • CCLA-1.1.txt
  • CNCL-1.1.txt
• Added: 90-ciss-ethernet.network
• Added: 90-ciss-networkd.preset
• Changed: unlock_wrapper.sh
• Changed: lib_provider_netcup.sh
• Changed: 0010_dhcp_supersede.sh

V8.13.512.2025.11.26

• Global: Final adjustments for LUKS dm-integrity integration

V8.13.440.2025.11.19

• Added: 9990-overlay.sh
• Bugfixes: 0022-ciss-overlay-tmpfs
• Bugfixes: 0024-ciss-crypt-squash
• Bugfixes: 0026-ciss-early-sysctl
• Bugfixes: 0030-ciss-verify-checksums
• Bugfixes: 0042_ciss_post_decrypt_attest

V8.13.432.2025.11.18

• Bugfixes: 0003_cdi_autostart.chroot
• Bugfixes: 9999_cdi_starter.sh

V8.13.416.2025.11.17

• Global: Explicit export INITRD="No"
• Changed: 0100_ciss_mem_wipe.chroot

V8.13.408.2025.11.13

• Added: 0002_hardening_overlay_tmpfs.chroot + Remount overlay root with nosuid,nodev.
• Added: 0100_ciss_mem_wipe.chroot + adding Tails-like memory wiping.
• Added: 0022-ciss-overlay-tmpfs.sh + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
• Added: 0024-ciss-crypt-squash + Open /live/ciss_rootfs.crypt (LUKS) and present its SquashFS as /run/live/rootfs.
• Added: 0026-ciss-early-sysctl.sh + Enforce early sysctls before services start.
• Added: 0042_ciss_post_decrypt_attest + Late rootfs attestation and dmsetup health checking.
• Added: MAN_CISS_ISO_BOOT_CHAIN.md
• Added: lib_ciss_signatures.sh + integrated dynamic GPG FPR injection.
• Bugfixes: 0021_dropbear_initramfs.chroot + mv original files to a safe backup location.
• Changed: 9999_zzzz.chroot + securing /.ciss, removing .keep.
• Changed: unlock_wrapper.sh + integrated dynamic GPG FPR injection.
• Changed: 9999_ciss_debian_live_builder.sh + dmsetup.
• Changed: 0030-ciss-verify-checksums + integrated dynamic GPG FPR injection.
• Changed: lib_arg_parser.sh + --signing_ca=*.
• Changed: lib_check_secrets.sh + updated shopt handling.
• Changed: lib_ciss_upgrades_boot.sh + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
• Changed: lib_gnupg.sh + integration of optional import of offline GPG CA public keys.
• Changed: lib_primordial.sh + Updates for CISS and PhysNet primordial-workflow™.
• Changed: lib_usage.sh + --signing_ca=*.
• Changed: binary_checksums.sh + ! -path './live/filesystem.squashfs'
• Changed: 9999_cdi_starter.sh + increased verbosity.

V8.13.404.2025.11.10

• Added: 0020_dropbear_build.chroot
• Added: 0021_dropbear_initramfs.chroot
• Added: 0022_dropbear_setup.chroot
• Added: 9999_ciss_custom_prompt.sh
• Added: 9999_ciss_debian_live_builder.sh
• Added: 1000_ciss_fixpath.sh
• Added: 0000_ciss_fixpath.sh
• Added: dropbear
• Added: MAN_SSH_Host_Key_Policy.md
• Added: zzzz_luks_squash.hook.binary + Preparing squashfs LUKS encryption
• Bugfixes: generate_PRIVATE_trixie_0.yaml + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
• Bugfixes: generate_PRIVATE_trixie_1.yaml + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
• Bugfixes: generate_PUBLIC_iso.yaml + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
• Bugfixes: linter_char_scripts.yaml + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
• Bugfixes: render-dnssec-status.yaml + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
• Bugfixes: render-dot-to-png.yaml + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
• Bugfixes: 0030-ciss-verify-checksums
• Changed: localoptions.h
• Changed: .shellcheckrc
• Changed: 9940_hardening_memory.dump.chroot + added: 9999-ciss-coredump-disable.conf
• Changed: 9992_password_expiration.chroot + added: update_shadow()
• Changed: lib_clean_up.sh + added: Securely shred all regular files below ./includes.chroot, then remove empty dirs.
• Updated: AUDIT_LYNIS.md + updated: Lynis Version 3.1.6

V8.13.400.2025.11.08

• Bugfixes: 0030-ciss-verify-checksums - GPG key handling
• Changed: lib_ciss_upgrades_boot.sh - Unified naming scheme
• Changed: lib_gnupg.sh - Unified naming scheme
• Changed: binary_checksums.sh - Unified naming scheme, added verbosity output
• Changed: binary_rootfs.sh - added verbosity output
• Changed: 0000_basic_chroot_setup.chroot - bugfixes
• Changed: 0001_initramfs_modules.chroot - moved update-initramfs to:
• Changed: 9999_zzzz.chroot

V8.13.392.2025.11.07

• Global: Changed guard_sourcing to guard_sourcing || return "${ERR_GUARD_SRCE}"
• Added: lib_check_secrets.sh + Final secrets wiper before starting lb build.
• Added: lib_trap_on_err.sh + print_stacktrace()
• Added: lib_trap_on_exit.sh + Trap on EXIT handler for 'non-0' exit-code.
• Bugfixes: lib_gnupg.sh + modified passphrase handling

V8.13.384.2025.11.06

• Global: Debian bookworm support deprecated.
• Global: Changed shred -vfzu -n 5 to shred -fzu -n 5.
• Global: Live-hooks: apt-get commands safeguarded by export DEBIAN_FRONTEND="noninteractive" INITRD="No".
• Added: marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
• Added: 0870_bashdb.chroot bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
• Added: 0030-ciss-verify-checksums Unified handling via includes.chroot.
• Added: lib_ciss_upgrades_boot.sh Updates for CISS and PhysNet primordial-workflow™.
• Added: lib_ciss_upgrades_build.sh Updates for CISS and PhysNet primordial-workflow™.
• Added: lib_gnupg.sh Updates for CISS and PhysNet primordial-workflow™.
• Added: lib_primordial.sh Updates for CISS and PhysNet primordial-workflow™.
• Added: 0030-ciss-verify-checksums Unified handling via includes.chroot.
• Bugfixes: linter_char_scripts.yaml - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
• Bugfixes: render-dnssec-status.yaml - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
• Bugfixes: render-dot-to-png.yaml - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
• Changed: generate_PRIVATE_trixie_1.yaml Rewritten for new secrets handling.
• Changed: 0000_basic_chroot_setup.chroot + VAR_DATE improvements.
• Changed: 0001_initramfs_modules.chroot + VAR_DATE improvements.
• Changed: 9930_hardening_ssh.chroot Rewritten for CISS and PhysNet primordial-workflow™.
• Changed: 9999_zzzz.chroot + Final update-initramfs
• Changed: sshd_config + Less strict MaxStartups settings.
• Changed: live.list.common.chroot + tmux
• Changed: lib_arg_parser.sh Rewritten for CISS and PhysNet primordial-workflow™.
• Changed: lib_arg_priority_check.sh Unified UI.
• Changed: lib_cdi.sh + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures
• Changed: lib_change_splash.sh Unified UI.
• Changed: lib_check_dhcp.sh Unified UI.
• Changed: lib_check_hooks.sh Unified UI.
• Changed: lib_check_kernel.sh Minor declare unification.
• Changed: lib_check_pkgs.sh Improved command checks. Unified UI.
• Changed: lib_check_provider.sh Unified variables.
• Changed: lib_clean_up.sh Secure deletion of CISS and PhysNet primordial-workflow™ artifacts.
• Changed: lib_debug.sh + Integrated EPOCH in PS4.
• Changed: lib_debug_header.sh + Integrated SOURCE_DATE_EPOCH.
• Changed: lib_hardening_root_pw.sh Unified UI.
• Changed: lib_hardening_ultra.sh Rewritten for CISS and PhysNet primordial-workflow™.
• Changed: lib_hardening_ssh_tcp.sh Unified UI.
• Changed: lib_lb_build_start.sh Deterministic return code examination.
• Changed: lib_lb_config_start.sh Removed potential disown race condition.
• Changed: lib_lb_config_write_trixie.sh Unified config writing for deterministic workflow.
• Changed: lib_note_target.sh Unified UI.
• Changed: lib_provider_netcup.sh Added Centurion DNS Server 03.
• Changed: binary_checksums.sh + PGP signature verification.
• Changed: binary_rootfs.sh + mksquashfs-excludes.
• Changed: early.var.sh Unified variable declaration.
• Changed: global.var.sh Unified variable declaration.
• Changed: ciss_live_builder.sh Updated program workflow for deterministic environment creation.
• Updated: icon.lib + Emojis

V8.13.298.2025.10.30

• Added: 0870_bashdb.chroot
• Updated: live.list.common.chroot + tmux

V8.13.296.2025.10.29

• Changed: lockdown=confidentiality -> lockdown=integrity
• Updated: live.list.common.chroot - clamav, clamav-daemon
• Removed: 9985_clamav.chroot

V8.13.294.2025.10.28

• Added: lib_lb_config_write_trixie.sh + mksquashfs-excludes
• Added: lib_ciss_upgrades.sh + modifies '/usr/lib/live/build/...' scripts
• Added: lib_update_microcode.sh
• Added: binary_rootfs.sh + modifies binary_rootfs script
• Updated: generate_PRIVATE_trixie_1.yaml + --sshfp
• Updated: 0001_initramfs_modules.chroot + update_initramfs=all COMPRESSLEVEL=10
• Updated: 0007_update_logrotate.chroot = rotate 90; maxage 90
• Updated: 9999_yyyy_logrotate.chroot = rotate 90
• Updated: 9999-cdi-starter = unified logging

V8.13.292.2025.10.27

• Updated: alias = modified trel()

V8.13.290.2025.10.26

• Updated: 0001_initramfs_modules.chroot + ESP/FAT/UEFI mods
• Updated: 9950_hardening_fail2ban.chroot
• Updated: 9999-cdi-starter Preparations for CISS and PhysNet primordial-workflow™.

V8.13.288.2025.10.24

• Added: Preparations for CISS and PhysNet primordial-workflow™.
• Added: 0865_yq.chrootPreparations for CISS and PhysNet primordial-workflow™.
• Updated: 0001_initramfs_modules.chroot + nftables mods
• Updated: 9950_hardening_fail2ban.chroot + banaction = nftables-*
• Updated: 0900_ufw_setup.chroot changed var injection
• Updated: 9950_hardening_fail2ban.chroot changed var injection
• Updated: sshd_config changed var injection
• Updated: lib_hardening_ultra.sh changed var injection
• Removed: live.list.common.chroot - yq

V8.13.280.2025.10.23

• Updated: 9996_auditd.chroot + 10-ciss-noise-floor.rules
• Updated: lib_lb_config_write_trixie.sh changed: audit_backlog_limit=262144

V8.13.272.2025.10.22

• Updated: 0000_basic_chroot_setup.chroot + amd64-microcode intel-microcode
• Updated: 0090_jitterentropy.chroot removed --sp800-90b
• Updated: 9996_auditd.chroot unified auditd configuration, removed success rules
• Updated: 9998_sources_list_trixie.chroot + apt-get dist-upgrade -y
• Updated: login.defs
• Updated: 9999-cdi-starter

V8.13.256.2025.10.21

• Updated: 0007_update_logrotate.chroot
• Updated: 9950_hardening_fail2ban.chroot
• Updated: .zshenv

V8.13.224.2025.10.19

• Added: .zshenv
• Updated: 0090_jitterentropy.chroot
• Updated: 9950_hardening_fail2ban.chroot updated ignoreip
• Updated: 9999_yyyy_logrotate.chroot + rsyslog
• Updated: live.list.common.chroot - haveged, + jitterentropy-rngd

V8.13.192.2025.10.18

• Added: 0007_update_logrotate.chroot
• Added: 9999_yyyy_logrotate.chroot
• Added: 9999_zzzz.chroot
• Updated: 0000_basic_chroot_setup.chroot XDG Base Directory Support
• Updated: 9950_hardening_fail2ban.chroot
• Updated: sshd_config hardened MaxStartups
• Updated: alias removed haveged alias
• Updated: shortcuts removed haveged entry
• Updated: .bashrc added HISTIGNORE and EDITOR

V8.13.144.2025.10.16

• Bugfixes: 99_local.hardened
• Updated: check_chrony.sh
• Changed: 0090_jitterentropy.chroot

V8.13.142.2025.10.14

• Updated: 9999-cdi-starter

V8.13.132.2025.10.11

• Added: REPOSITORY.md

V8.13.128.2025.10.10

• Added: Packages age, cosign
• Added: Repository https://github.com/getsops/sops.git
• Added: 0040_ssh_config_setup.chroot
• Added: 0860_sops.chroot
• Added: check_chrony.sh
• Updated: 0810_chrony_setup.chroot
• Updated: 9996_auditd.chroot
• Updated: sshd_config
• Updated: live.list.common.chroot

V8.13.096.2025.10.09

• Added: 0010_install_apparmor.chroot
• Added: ssh_known_hosts
• Updated: 0000_basic_chroot_setup.chroot
• Updated: 0001_initramfs_modules.chroot
• Updated: 9996_auditd.chroot
• Updated: login.defs
• Updated: sshd_config
• Updated: lib_cdi.sh
• Updated: lib_lb_config_write_trixie.sh

V8.13.064.2025.10.07

• Added: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
• Added: Verbose status information screen on successful completion.
• Added: Verbose status information in 'CISS.debian.live.iso.'
• Added: Loop to desynchronize parallel workflows.
• Added: lib_note_target.sh
• Updated: lib_trap_on_err.sh
• Updated: lib_trap_on_exit.sh
• Updated: 9999-cdi-starter
• Updated: 9980_usb_guard.chroot
• Updated: 9998_sources_list_trixie.chroot
• Updated: 9999_interfaces_update.chroot
• Updated: lib_cdi.sh Unified Kernel bootparameter.
• Updated: lib_lb_config_write_trixie.sh Unified Kernel bootparameter.
• Updated: lib_run_analysis.sh

V8.13.048.2025.10.06

• Updated: Debian 13 LIVE ISO workflows to use Kernel: 6.16.3+deb13-amd64
• Updated: Debian 13 LIVE ISO workflows to use argument: --cdi
• Updated: 9000-cdi-starter

V8.13.032.2025.10.03

• Added: Internal Gitea Action Runner switch for static SSHFP records.

V8.13.016.2025.09.28

• Updated: Debian 13 LIVE ISO workflows to use Kernel: 6.12.48+deb13-amd64

V8.13.008.2025.08.22

• Removed: [0003_install_backports.chroot]

V8.13.004.2025.08.21

• Added: makefile

V8.13.002.2025.08.11

• Added: lib_source_guard.sh
• Added: sources.list
• Added: trixie.sources
• Added: trixie-backports.sources
• Added: trixie-security.sources
• Added: trixie-updates.sources
• Added: login.defs
• Bugfixes: 0001_initramfs_modules.chroot
• Bugfixes: 9996_auditd.chroot
• Updated: bash.var.sh
• Updated: 9998_sources_list_trixie.chroot
• Updated: Support for Debian Trixie via Argument --trixie
• Updated: Debian 12 LIVE ISO workflows to use Kernel: linux-image-6.1.0-37-amd64

V8.03.920.2025.08.07

• Updated: lib_arg_parser.sh
• Updated: ciss_live_builder.sh
• Updated: live.list.common.chroot

V8.03.912.2025.07.23

• Updated: alias
• Updated: clean_logout.sh
• Updated: f2bchk.sh
• Updated: scan_libwrap
• Updated: shortcuts
• Updated: .bashrc

V8.03.896.2025.07.22

• Added: .shellcheckrc
• Bugfixes: ciss_live_builder.sh
• Updated: 0810_chrony_setup.chroot

V8.03.880.2025.07.19

• Updated: alias
• Updated: shortcuts
• Added: Package ncdu: live.list.common.chroot
• Added: TrustedUserCAKeys none: sshd_config

V8.03.864.2025.07.15

• Updated: 0010_dhcp_supersede.sh
• Added: BOOTPARAMS.md
• Added: Package cpuid: live.list.common.chroot

V8.03.832.2025.06.25

• Added: lib_version.sh
• Updated:
  • lib_contact.sh
  • lib_usage.sh
• Packages added:
  • https://packages.debian.org/bookworm/fio
  • https://packages.debian.org/bookworm/stress
• Updated: Timezone changed to Etc/UTC

V8.03.832.2025.06.24

• Updated:
  • lib_check_provider.sh
  • lib_debug_header.sh
  • lib_trap_on_err.sh
• Added: The Debian package bat will be installed to enable smooth log reading.

V8.03.768.2025.06.23

• Updated: lib_clean_up.sh: Removal of Lock FD and Artifacts.
• Rearranged VARs sourcing: early.var.sh
• Rearranged DEBUG XTRACE sourcing: meta_sources_debug.sh
• Added: guard_sourcing(): lib_guard_sourcing.sh to prevent the caller LIB-file from being sourced twice.

V8.03.768.2025.06.19

• Minor main script improvements.
• Updated: lib_usage.sh output.

V8.03.768.2025.06.18

• Minor main script improvements.
• Updated: Contact section.
• Integrated third dns03.eddns.eu Centurion DNS Resolver.

V8.03.768.2025.06.17

• Updated: LIVE ISO workflows to use Kernel: linux-image-6.12.30+bpo-amd64

V8.03.768.2025.06.11

• Updated: LIVE ISO workflows to use Kernel: linux-image-6.12.27+bpo-amd64

V8.03.768.2025.06.09

• Added: f2bchk.sh
• Updated: alias
  • scurl()
  • swget()

V8.03.644.2025.06.07

• Updated: Workflows ISO Generators Runners.
• Installing bookworm-backports Versions of:
  • btrfs-progs
  • curl
  • debootstrap
  • iproute2
  • ncat
  • nmap
  • ssh
  • systemd
  • systemd-sysv
  • whois
• Changed default: /etc/login.defs LOGIN_TIMEOUT 60 to: LOGIN_TIMEOUT 180
• LIVE ISO generated by workflow tested against:
  • Netcup Root Server
  • Proxmox
• LIVE ISO generated by the script tested against:
  • Netcup Root Server

V8.03.512.2025.06.06

• Updated: Workflows:

  1. git stash push
  2. git fetch origin master
  3. git merge --no-edit origin/master
  4. git stash pop

• Changed workflows ISO Generators routines 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.

  • added wget --https-only flag
  • added verification step

V8.03.400.2025.06.05

• The workflow ISO Generators image was changed to debian:bookworm.
• Added a LIVE ISO workflow routine to build GnuPG from sources, since Bookworm GPG does not recognize key format 5.
• Changed verbosity of:
  • 9993_aide.chroot
  • 9997_debsums.chroot
• Added basic linter checks for:
  • *.sh,
  • *.zsh,
  • *.chroot,
  • all files with Shebang #! for:
    • Windows CRLF line endings
    • unauthorized control characters (C0 control characters except \t, \n)
    • non-ASCII (ambiguous UTF) characters
  • linter_char_scripts.yaml

---

no tracking | no logging | no advertising | no profiling | no bullshit