CISS.debian.live.builder

I’m excited to announce my latest project: CISS.debian.live.builder, a shell wrapper designed to automate the creation of a secure and reproducible Debian Bookworm live ISO image. This tool follows best practices for server and service security, providing an isolated and robust environment ideal for cloud deployments or unattended installations.

Immutable and Deterministic Source-of-Truth

One of the core principles of this ISO is its immutable, deterministic design. All system components, configurations, and installation routines are defined and embedded at build time, resulting in a fully static and self-verifying boot environment. This immutability guarantees a trustworthy Source-of-Truth system, which ensures consistent behavior every time the environment is booted.

Secure Provisioning Workflow

Upon booting, the ISO optionally triggers a fully scripted installer (the forthcoming CISS.debian.installer) that securely provisions the target system. Crucially, this installer pulls dependencies exclusively from verified Debian repositories without exposing the target system to external threats during the installation process. The installation process includes default checksum verifications, strict firewall configurations, and embedded security checks.

For even stricter security requirements, a headless, unattended variant can be generated. It has no active network interfaces and no shell access, relying entirely on installation artifacts embedded in the image. When the installation completes, it reboots into a fully encrypted system that only accepts SSH public-key authentication, served by a Dropbear SSH server embedded in the initramfs. It additionally supports an encrypted /boot partition via grub2 (version 2.12-1~bpo12+1), ensuring maximum protection.
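As an added example (not code from CISS.debian.live.builder), the following POSIX shell helper audits a built root tree for the two settings the unattended variant relies on: a password-less Dropbear in the initramfs and GRUB's LUKS support for an encrypted /boot. The dropbear-initramfs and grub file paths are assumed Debian bookworm defaults, and the sample trees it builds are constructed.

```shell
#!/bin/sh
# Audit helper: checks a target root tree for pubkey-only Dropbear in the
# initramfs and for GRUB cryptodisk support. Paths are assumed bookworm
# defaults of the dropbear-initramfs and grub2 packages.

# audit_root ROOT -> 0 when every check passes, 1 otherwise (failures printed).
audit_root() {
    root="$1"; rc=0
    conf="$root/etc/dropbear/initramfs/dropbear.conf"
    keys="$root/etc/dropbear/initramfs/authorized_keys"
    grub="$root/etc/default/grub"
    # Dropbear's -s option refuses password logins; require it in DROPBEAR_OPTIONS.
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"$/\1/p' "$conf" 2>/dev/null || true)
    case " $opts " in
        *" -s "*) ;;
        *) echo "FAIL: $conf lacks -s (password logins allowed)"; rc=1 ;;
    esac
    # Pubkey-only authentication is unusable without at least one authorized key.
    if ! grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) ' "$keys" 2>/dev/null; then
        echo "FAIL: $keys has no usable public key"; rc=1
    fi
    # GRUB must be able to unlock LUKS before /boot itself can live on an encrypted volume.
    if ! grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$grub" 2>/dev/null; then
        echo "FAIL: $grub lacks GRUB_ENABLE_CRYPTODISK=y"; rc=1
    fi
    return $rc
}

# make_sample_root DIR MODE -> constructed tree; MODE is "hardened" or "weak".
make_sample_root() {
    dir="$1"; mode="$2"
    mkdir -p "$dir/etc/dropbear/initramfs" "$dir/etc/default"
    if [ "$mode" = hardened ]; then
        echo 'DROPBEAR_OPTIONS="-s -j -k -I 60"' > "$dir/etc/dropbear/initramfs/dropbear.conf"
        # Constructed sample key, not a real one.
        echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal admin@example' \
            > "$dir/etc/dropbear/initramfs/authorized_keys"
        echo 'GRUB_ENABLE_CRYPTODISK=y' > "$dir/etc/default/grub"
    else
        echo 'DROPBEAR_OPTIONS="-I 60"' > "$dir/etc/dropbear/initramfs/dropbear.conf"
        : > "$dir/etc/dropbear/initramfs/authorized_keys"
        echo '# GRUB_ENABLE_CRYPTODISK=y' > "$dir/etc/default/grub"
    fi
}

# Demo on two constructed trees: the hardened one passes, the weak one is rejected.
tmp=$(mktemp -d)
make_sample_root "$tmp/hardened" hardened; audit_root "$tmp/hardened" && echo "hardened: OK"
make_sample_root "$tmp/weak" weak; audit_root "$tmp/weak" || echo "weak: rejected"
rm -rf "$tmp"
```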

Automated, Reproducible CI Workflows

Leveraging Gitea Actions, CISS.debian.live.builder integrates seamlessly into CI pipelines. Any significant change automatically triggers the creation of a new generic ISO, which is immediately available for public download. This process ensures transparency and reproducibility, with the latest generic ISO always accessible.

You can download the latest ISO here:

Audit-Friendly Design

After installation, the ISO environment provides several built-in auditing tools and commands, ensuring ongoing security validation:

  • Haveged Audit Report: Validate the entropy daemon and ensure effective random number seeding (chkhvg).
  • Lynis Audit Report: Perform detailed security assessments with recommended improvements and hardening baselines achieving scores above 91% (lsadt).
  • SSH Audit Report: Ensure compliance with latest cryptographic standards for SSH servers (ssh-audit <IP>:<PORT>).

Detailed examples of these audit reports are integrated into the ISO environment, providing immediate and actionable insights.

Get Started

Explore the source code, documentation, and automated build workflows at the following repository:

CISS.debian.live.builder Repository

Join the movement towards secure, immutable, and reproducible Debian environments with CISS.debian.live.builder.
