V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

includes/target/etc/skel/.bashrc

@@ -25,34 +25,63 @@ export PATH
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk.sh"
-. "${HOME}/.ciss/shortcuts"
 . "${HOME}/.ciss/scan_libwrap"
+. "${HOME}/.ciss/shortcuts"
 
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
 
 ### History-Settings
 # -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
-# -'erasedups' Causes all previous lines matching the current line to be removed from the history list before that line is saved.
-export HISTCONTROL="erasedups"
-# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history is
-# not saved when a shell exits.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
 export HISTFILE=~/.bash_history
+
 # The maximum number of lines contained in the history file.
 export HISTFILESIZE="16384"
+
 # The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
 # Numeric values less than zero result in every command being saved on the history list (there is no limit).
 export HISTSIZE="16384"
+
 # If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
-export HISTTIMEFORMAT='%F %T '
+export HISTTIMEFORMAT='%F %T %z  '
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
+
+# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
+# "-a": Appends new entries from RAM to the file.
+# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
+# "-r": Loads the file back into RAM.
+__ciss_hist_pc__='history -a; history -n'
+if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
+  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
+fi
+unset __ciss_hist_pc__
+export PROMPT_COMMAND
 
 # Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
 shopt -s checkwinsize
+
 # Append to the history file, don't overwrite it.
 shopt -s histappend
+
 # If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
 shopt -s globstar
 
+# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
+shopt -s cmdhist
+
+# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
+shopt -s lithist
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
 ### Define colors for bash prompt.
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
@@ -91,12 +120,12 @@ printf "\n"
 printf "\n"
 
 #printf "\n"
-#printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
-#printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
-#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
-#printf "%s! Type%s " "${CGRE}" "${CRES}"
-#printf "%s'celp'%s " "${CMAG}" "${CRES}"
-#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
+#printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+#printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
+#printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+#printf "%b! Type%b " "${CGRE}" "${CRES}"
+#printf "%b'celp'%b " "${CMAG}" "${CRES}"
+#printf "%bfor shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 #printf "\n"
 #printf "\n"
 

includes/target/etc/skel/.zshrc

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-[[ $- != *i* ]] && return
+[[ -o interactive ]] || return
 
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
@@ -28,7 +28,7 @@ export PATH
 export ZSH="${HOME}/.oh-my-zsh"
 
 # Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
-# case, to know which specific one was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+# case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
 export ZSH_THEME="robbyrussell"
 
 # Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
@@ -119,7 +119,7 @@ source ${ZSH}/oh-my-zsh.sh
 # alias zshconfig="mate ~/.zshrc"
 # alias ohmyzsh="mate ~/.oh-my-zsh"
 
-### Added by CISS.debian.hardening ###
+### Added by CISS.debian.hardening-Installer ###
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/shortcuts"
@@ -148,10 +148,29 @@ alias rm='rm -iv'
 export EDITOR="nano"
 
 ### History
+# The name of the file in which command history is saved.
 export HISTFILE="${HOME}/.zsh_history"
-export HISTSIZE=4294967296
-export SAVEHIST=4294967296
+# The maximum number of lines contained in the history file.
+export HISTSIZE=16384
+# The number of commands to remember in the command history.
+export SAVEHIST=16384
+# Timestamp in the file: epoch:duration;command.
 setopt EXTENDED_HISTORY
+# Append, do not overwrite.
+setopt APPEND_HISTORY
+# Append lines immediately to the file.
+setopt INC_APPEND_HISTORY
+# Reload new lines from other sessions.
+setopt SHARE_HISTORY
+# Leading space do not log.
+setopt HIST_IGNORE_SPACE
+# When writing out the history file, older commands that duplicate newer ones are omitted.
+setopt HIST_SAVE_NO_DUPS
+# Remove superfluous blanks from each command line being added to the history list.
+setopt HIST_REDUCE_BLANKS
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
 
 ### Define Users
 if [ "${UID}" -eq 0 ]; then
@@ -166,12 +185,12 @@ RPROMPT='%h|[${USER_COLOR}%*%f]'
 
 ### Welcome message after login.
 printf "\n"
-printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
-printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
-printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
-printf "%s! Type%s " "${CGRE}" "${CRES}"
-printf "%s'celp'%s " "${CMAG}" "${CRES}"
-printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
+printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b " "${CGRE}" "${CRES}"
+printf "%b'celp'%b " "${CMAG}" "${CRES}"
+printf "%bfor shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 

includes/target/etc/ssh/sshd_config

@@ -24,8 +24,8 @@ Compression                  no
 LogLevel                     VERBOSE
 
 AddressFamily                any
-ListenAddress                0.0.0.0
-ListenAddress                ::
+ListenAddressIPV4            0.0.0.0
+ListenAddressIPV6            ::
 Port                         MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no

includes/target/root/.ciss/alias

@@ -43,6 +43,7 @@ alias aptac='apt autoclean'
 alias aptap='apt autopurge'
 alias aptar='apt autoremove'
 alias aptcheck='apt-get check'
+alias aptcp='apt-cache policy'
 alias aptdep='apt-cache depends'
 alias aptdl='apt-get install --download-only'
 alias aptfug='apt full-upgrade'

includes/target/root/.ciss/clean_logout.sh

@@ -9,6 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
+
 clear
 
 cat << 'EOF'

includes/target/root/.ciss/f2bchk.sh

@@ -48,7 +48,7 @@ f2bchk(){
       --log=*)    log="${arg#--log=}";;
       --output=*) output="${arg#--output=}";;
       *)
-        printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
+        printf "%b[ERROR]%b Unknown argument: '%s' %b" "${CRED}" "${CRES}" "${arg}" "${CRED}"
         return 1
         ;;
     esac
@@ -60,7 +60,7 @@ f2bchk(){
     matched) flag="--print-all-matched"; suffix="all.matched";;
     missed)  flag="--print-all-missed";  suffix="all.missed";;
     *)
-      printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
+      printf "%b[ERROR]%b Invalid mode: '%s' %b" "${CRED}" "${CRES}" "${mode}" "${NL}"
       return 1
       ;;
   esac
@@ -72,24 +72,24 @@ f2bchk(){
   fi
 
   if [[ ! -r "${log}" ]]; then
-    printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
+    printf "%b[ERROR]%b Log file '%s' not found or not readable. %b" "${CRED}" "${CRES}" "${log}" "${NL}"
     return 1
   fi
 
   if [[ ! -r "${filter}" ]]; then
-    printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
+    printf "%b[ERROR]%b Filter file '%s' not found or not readable. %b" "${CRED}" "${CRES}" "${filter}" "${NL}"
     return 1
   fi
 
-  printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
+  printf "%b[INFO]%b Running: fail2ban-regex '%s %s %s' %b" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
 
   if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
 
-    printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
-    printf "You can view it with: cat %s%s" "${output}" "${NL}"
+    printf "%b[SUCCESS]%b Saved log to: '%s' %b" "${CGRE}" "${CRES}" "${output}" "${NL}"
+    printf "You can view it with: cat %s%b" "${output}" "${NL}"
   else
 
-    printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
+    printf "%b[ERROR]%b fail2ban-regex execution failed. %b" "${CRED}" "${CRES}" "${NL}"
     return 1
 
   fi

includes/target/root/.ciss/scan_libwrap

@@ -20,7 +20,7 @@
 #   None
 #######################################
 scanlw() {
-  printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
+  printf "%b🔍 Scanning all running processes for 'libwrap' usage ... %b%b" "${CGRE}" "${CRES}" "${NL}"
   printf "\n"
 
   ### Collect binaries from all running PIDs.
@@ -37,12 +37,12 @@ scanlw() {
     if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
       comm=$(ps -p "${pid}" -o comm=)
       user=$(ps -p "${pid}" -o user=)
-      printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
+      printf "%b✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %b%b" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
     fi
   done
 
   printf "\n"
-  printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
+  printf "%b✅ Scan complete. %b%b" "${CGRE}" "${CRES}" "${NL}"
 
   exit 0
 }

includes/target/root/.ciss/shortcuts

@@ -10,11 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -ga shortcuts=(
+declare -ag shortcuts=(
   "aptac: apt autoclean"
   "aptap: apt autopurge"
   "aptar: apt autoremove"
   "aptcheck: apt-get check"
+  "aptcp: apt-cache policy"
   "aptdep: apt-cache depends"
   "aptdl: apti --download-only"
   "aptfug: apt full-upgrade"
@@ -98,11 +99,10 @@ declare -ga shortcuts=(
 #  None
 #######################################
 celp() {
-  declare arr=("${shortcuts[@]}")
-  declare cols=3
-  declare col_width=42
-  declare i=0
-  declare entry
+  declare -a arr=( "${shortcuts[@]}" )
+  declare -i cols=3 col_width=42 i=0
+  declare    entry=""
+
   for entry in "${arr[@]}"; do
     ### Print entry left-aligned in fixed width, colored.
     printf "${CMAG}%-${col_width}s${CRES}" "${entry}"