<h1 id="1-cissdebianlivebuilder">1. CISS.debian.live.builder</h1>
<p><strong>Centurion Intelligence Consulting Agency Information Security Standard</strong><br> <em>Debian Live Build Generator for hardened live environment and CISS Debian Installer</em><br> <strong>Master Version</strong>: 8.02<br> <strong>Build</strong>: V8.03.127.2025.06.02<br></p>
<h1 id="2-usage">2. Usage</h1>
<pre class="text"><code>CISS.debian.live.builder
Master V8.03.127.2025.06.02
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025
https://coresecret.eu/

A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

&quot;./ciss_live_builder.sh &lt;option&gt;&quot;, where &lt;option&gt; is one or more of:

  --help, -h
      What you&#39;re looking at.

  --architecture &lt;STRING&gt; one of &lt;amd64 | arm64&gt;
      A string reflecting the architecture of the Live System.
      MUST be provided.

  --build-directory &lt;/path/to/build_directory&gt;
      Where the Debian Live Build Image should be generated.
      MUST be provided.

  --change-splash &lt;STRING&gt; one of &lt;club | hexagon&gt;
      A string reflecting the GRUB Boot Screen Splash you want to use.
      If omitted defaults to &quot;./.archive/background/club.png&quot;.

  --cdi (Experimental Feature)
      This option generates a boot menu entry to start the forthcoming
      &#39;CISS.debian.installer&#39;, which will be executed after
      the system has successfully booted up.

  --contact, -c
      Displays contact information of the author.

  --control &lt;INTEGER&gt;
      An integer that reflects the version of your Live ISO Image.
      MUST be provided.

  --debug
      Enables debug logging for the main program routine. Detailed logging
      information is written to &quot;/tmp/ciss_live_builder_3764286.log&quot;.

  --dhcp-centurion
      If a DHCP lease is provided, the provider&#39;s nameserver will be overridden,
      and only the hardened, privacy-focused Centurion DNS servers will be used:
      - https://dns01.eddns.eu/
      - https://dns02.eddns.de/

  --jump-host &lt;IP | IP | ... &gt;
      Provide up to 10 IPs for /etc/hosts.allow whitelisting of SSH access.
      May be IPv4 and / or IPv6 addresses and / or CIDR notation.
      If provided, then it MUST be a &lt;SPACE&gt; separated list.
      IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].

  --log-statistics-only
      Provides statistics only after successfully building a
      CISS.debian.live-ISO. When enabling &quot;--log-statistics-only&quot;,
      the argument &quot;--build-directory&quot; MUST be provided and
      all further options MUST be omitted.

  --provider-netcup-ipv6
      Activates IPv6 support for Netcup Root Server. One unique
      IPv6 address MUST be provided in this case.

  --renice-priority &lt;PRIORITY&gt;
      Reset the nice priority value of the script and all its children
      to the desired PRIORITY. MUST be an integer (between &quot;-19&quot; and 19).
      Negative (higher) values MUST be enclosed in double quotes &#39;&quot;&#39;.

  --reionice-priority &lt;CLASS&gt; &lt;PRIORITY&gt;
      Reset the ionice priority value of the script and all its children
      to the desired CLASS. MUST be an integer:
        1: realtime
        2: best-effort
        3: idle
      defaults to &quot;2&quot;.
      PRIORITY MUST be an integer:
        between 0 (highest) and 7 (lowest) priority.
      defaults to &quot;4&quot;.
      A real-time I/O process can significantly slow down other processes
      or even cause them to starve if it continuously requests I/O.

  --root-password-file &lt;/path/to/password.txt&gt;
      Password file for &#39;root&#39;, if given, MUST be a string of 20 to 64 characters,
      and MUST NOT contain the special character &#39;&quot;&#39;.
      If the argument is omitted, no further login authentication is required for
      the local console. The root password is hashed with a 16 Byte &#39;/dev/random&#39;
      generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
      after Hash generation all Variables containing plain password fragments are
      deleted. Password file SHOULD be 0400 and root:root and is deleted without
      further prompt after password hash has been successfully generated via:
        shred -vfzu 5 -f.
      No tracing of any plain text password fragment in any debug log.

  --ssh-port &lt;INTEGER&gt;
      The desired Port SSH should listen on.
      If not provided defaults to Port 22.

  --ssh-pubkey &lt;/path/to/.ssh/&gt;
      Imports the SSH Public Key(s) from the FILE &#39;authorized_keys&#39; of the
      specified PATH into the Live ISO. MUST be provided.

  --version, -v
      Displays version of ./ciss_live_builder.sh.

NOTES:
  - You MUST be root to run this script.

Contact:
  - https://coresecret.eu/
  - security@coresecret.eu
  - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
  - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD</code></pre>
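<p>The constraints listed under <code>--root-password-file</code> can be checked before the builder is started. The following is an added example, not code from CISS.debian.live.builder: the function name <code>check_root_password_file</code> and its return codes are hypothetical, and it assumes GNU <code>stat</code> (as on Debian) and that the password is the first line of the file.</p>

```shell
#!/bin/sh
# Added example (not part of ciss_live_builder.sh): pre-flight check for the
# file handed to --root-password-file.
#   check_root_password_file <file> [uid:gid]   (owner defaults to 0:0 = root:root)
# Returns 0 if the file meets the documented constraints, otherwise:
#   2 not a regular file, 3 wrong mode, 4 wrong owner, 5 bad length, 6 contains '"'
check_root_password_file() {
    file=$1
    want_owner=${2:-0:0}

    # Refuse symlinks and non-regular files before touching the content.
    [ -f "$file" ] && [ ! -L "$file" ] || { echo "not a regular file: $file" >&2; return 2; }

    # GNU stat: octal permission bits and numeric owner/group.
    mode=$(stat -c '%a' "$file") || return 2
    owner=$(stat -c '%u:%g' "$file") || return 2
    [ "$mode" = "400" ] || { echo "mode is $mode, expected 400" >&2; return 3; }
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner" >&2; return 4; }

    # Assumption: the password is the first line; a missing trailing newline is fine.
    IFS= read -r pw < "$file" || [ -n "$pw" ] || { echo "password file is empty" >&2; return 5; }

    rc=0
    len=${#pw}
    if [ "$len" -lt 20 ] || [ "$len" -gt 64 ]; then
        # Report only the rule that failed, never any part of the password.
        echo "password length is outside 20..64 characters" >&2
        rc=5
    fi
    case $pw in
        *'"'*) echo 'password contains the forbidden character "' >&2; rc=6 ;;
    esac

    unset pw len        # do not keep the plain text in shell variables
    return "$rc"
}
```

<p>Run it as root immediately before invoking <code>./ciss_live_builder.sh</code>; a non-zero return code means the file should be corrected first.</p>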
<h1 id="3-booting">3. Booting</h1>
<h2 id="31-grub-menu">3.1. Grub Menu</h2>
<p><img src="/docs/screenshots/20250517_boot_grub.jpg" alt="Boot Menu" /></p>
<h2 id="32-integrity-checks">3.2. Integrity checks</h2>
<p><img src="screenshots/20250517_boot_integrity_check.jpg" alt="Integrity Check" /></p>
<p><img src="screenshots/20250517_boot_integrity_success.jpg" alt="Integrity Success" /></p>
<h2 id="33-console-login">3.3. Console Login</h2>
<p><img src="screenshots/20250517_console_login.jpg" alt="Console Login" /></p>
<hr />
<p><strong><a href="https://coresecret.eu/">no tracking | no logging | no advertising | no profiling | no bullshit</a></strong></p>