msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-08 17:54:25 +02:00
parent 166186a8f0
commit 06c093e0a1
26 changed files with 156 additions and 2050 deletions
Download Patch File Download Diff File Expand all files Collapse all files

503
.archive/0000_partitioning.yaml
View File

@@ -1,503 +0,0 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
recipe:
guben0afx256r: # g=GPT || m=MBR
# u=UEFI || b=BIOS
# b=btrfs || 4=ext4 only
# e=ephemeral "/tmp" and "SWAP" || n=non-ephemeral "/tmp" and "SWAP" (yet not supported)
# n0=non RAID || m6=mdadm RAID6 || m5=mdadm RAID5 || b1=btrfs RAID1 (yet not supported)
# a="/dev/sda" only setup || b="/dev/sdb" || c="/dev/sdc" and so forth
# f=fixed size || a=automatic size (yet not supported)
# x256=size of device in GiB
# r=rescue partition || n=no rescue partition
#######################################
# EFI System Partition | EF00 | UEFI Bootloader (ESP, FAT32) | filesystem.version: fat32
# BIOS Boot Partition | EF02 | BIOS Bootloader area (GRUB) | filesystem.version: BIOS
# Linux SWAP | 8200 | Linux Swap | filesystem.version: SWAP
# Linux ext4/btrfs | 8300 | Linux Filesystem (root, home)| filesystem.version: ext4 || btrfs
#######################################
active: true # Choose this recipe.
control:
description: "CISS 2025 - GPT - BTRFS - Ephemeral - non RAID - 256GiB - rescue"
firmware: "UEFI" # MUST be "UEFI" for "gpt" || "BIOS":
id: "guben0afx256r" # MUST be equal to the second part of the recipe-variables string.
name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
nuke: true # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
raid: # mdadm RAID settings only (not yet supported).
enable: false
disks:
member: 4
spare: 1
level: 6 # Only Level "1", "5", "6" and "10" are supported.
meta: 1.2 # Metadata Format. Default to '1.2'.
table: "gpt" # MUST be "gpt" for "UEFI" || "msdos":
syntax: true # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
### Version of the specific recipe.
version: "1.1.7"
dev:
sda:
1:
begin: "2MiB"
end: "1024MiB"
bootable: false
encryption:
enable: false # MUST be "false" for "/boot/efi"
ephemeral: false # MUST be "false" for "/boot/efi"
integrity: false # MUST be "false" for "/boot/efi"
cipher: ""
hash: ""
itertime: ""
key: ""
label: ""
metadatasize: ""
pbkdf: ""
rng: ""
filesystem:
btrfs:
checksum: ""
compress: ""
level: ""
mdup: ""
subvolume: ""
snapshot: ""
format: true
label: "ESP"
options: ""
version: "fat32"
label: ""
mount:
enable: true # MUST be "true" for "/boot/efi"
options: "umask=0077,uid=0,gid=0"
optsnap: ""
path: "/boot/efi"
primary: primary
2:
begin: "1024MiB"
end: "2GiB"
bootable: false
encryption:
enable: true
ephemeral: false # MUST be "false" for "/boot"
integrity: false # MUST be "false" for "/boot"
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_boot"
metadatasize: "4096k"
pbkdf: "pbkdf2" # MUST be "pbkdf2" for "/boot"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "0"
mdup: true
subvolume: "@boot"
snapshot: ""
format: true
version: "btrfs"
label: "btrfs_boot"
options: ""
label: "part_boot"
mount:
enable: true # MUST be "true" for "/boot"
options: "defaults,nodev,nosuid,noexec,noatime,compress=no,discard=async,subvol=@boot"
optsnap: ""
path: "/boot"
primary: primary
3:
begin: "2GiB"
end: "10GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_rescue"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: ""
compress: ""
level: ""
mdup: ""
subvolume: ""
snapshot: ""
format: true
label: "ext4_rescue"
options: ""
version: "ext4"
label: "part_recovery"
mount:
enable: true
options: "defaults,nodev"
optsnap: ""
path: "/recovery"
primary: primary
4:
begin: "10GiB"
end: "14GiB"
bootable: false
encryption:
enable: true # MUST be "true" for ephemeral "SWAP"
ephemeral: true # MUST be "true" for ephemeral "SWAP"
integrity: false # MUST be "false" for ephemeral "SWAP"
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_ephemeral_swap"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: ""
compress: ""
level: ""
mdup: ""
subvolume: ""
snapshot: ""
format: true
label: "host_swap" # MUST be "host_swap" for ephemeral "SWAP"
options: ""
version: "ext4" # MUST be "ext4" for ephemeral "SWAP"
label: "part_ephem_swap"
mount:
enable: true
options: "defaults,discard"
optsnap: ""
path: "SWAP"
primary: primary
5:
begin: "14GiB"
end: "18GiB"
bootable: false
encryption:
enable: true # MUST be "true" for ephemeral "/tmp"
ephemeral: true # MUST be "true" for ephemeral "/tmp"
integrity: false # MUST be "false" for ephemeral "/tmp"
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_ephemeral_tmp"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: ""
compress: ""
level: ""
mdup: ""
subvolume: ""
snapshot: ""
format: true
label: "host_tmp" # MUST be "host_tmp" for ephemeral "/tmp"
options: ""
version: "ext4" # MUST be "ext4" for ephemeral "/tmp"
label: "part_ephem_tmp"
mount:
enable: true
options: "defaults,rw,nodev,nosuid,noatime,discard,mode=1777"
optsnap: ""
path: "/tmp"
primary: primary
6:
begin: "18GiB"
end: "42GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_root"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@root"
snapshot: "@root_snap"
format: true
label: "btrfs_root"
options: ""
version: "btrfs"
label: "part_root"
mount:
enable: true
options: "defaults,errors=remount-ro,noatime,discard=async,autodefrag,subvol=@root"
optsnap: "ro,nodev,nosuid,noexec,nodatacow,subvol=@root_snap"
path: "/"
primary: primary
7:
begin: "42GiB"
end: "84GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_home"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@home"
snapshot: "@home_snap"
format: true
label: "btrfs_home"
options: ""
version: "btrfs"
label: "part_home"
mount:
enable: true
options: "defaults,nodev,nosuid,relatime,discard=async,autodefrag,subvol=@home"
optsnap: "ro,nodev,nosuid,noexec,nodatacow,subvol=@home_snap"
path: "/home"
primary: primary
8:
begin: "84GiB"
end: "126GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_usr"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@usr"
snapshot: ""
format: true
label: "btrfs_usr"
options: ""
version: "btrfs"
label: "part_usr"
mount:
enable: true
options: "defaults,nodev,relatime,discard=async,subvol=@usr"
optsnap: ""
path: "/usr"
primary: primary
9:
begin: "126GiB"
end: "190GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@var"
snapshot: "@var_snap"
format: true
label: "btrfs_var"
options: ""
version: "btrfs"
label: "part_var"
mount:
enable: true
options: "defaults,nodev,nosuid,relatime,discard=async,subvol=@var"
optsnap: "ro,nodev,nosuid,noexec,nodatacow,subvol=@var_snap"
path: "/var"
primary: primary
10:
begin: "190GiB"
end: "206GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var_log"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@var_log"
snapshot: ""
format: true
label: "btrfs_var_log"
options: ""
version: "btrfs"
label: "part_var_log"
mount:
enable: true
options: "defaults,nodev,nosuid,noexec,noatime,nodatacow,discard=async,subvol=@var_log"
optsnap: ""
path: "/var/log"
primary: primary
11:
begin: "206GiB"
end: "222GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var_log_audit"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@var_log_audit"
snapshot: ""
format: true
label: "btrfs_var_log_audit"
options: ""
version: "btrfs"
label: "part_var_log_audit"
mount:
enable: true
options: "defaults,nodev,nosuid,noexec,noatime,nodatacow,discard=async,subvol=@var_log_audit"
optsnap: ""
path: "/var/log/audit"
primary: primary
12:
begin: "222GiB"
end: "238GiB"
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_var_tmp"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@var_tmp"
snapshot: ""
format: true
label: "btrfs_var_tmp"
options: ""
version: "btrfs"
label: "part_var_tmp"
mount:
enable: true
options: "defaults,nodev,nosuid,noatime,nodatacow,discard=async,subvol=@var_tmp"
optsnap: ""
path: "/var/tmp"
primary: primary
13:
begin: "238GiB"
end: "max" # The last 16 MiB will be reserved for GPT metadata.
bootable: false
encryption:
enable: true
ephemeral: false
integrity: false
cipher: "aes-xts-plain64"
hash: "sha512"
itertime: "3000"
key: "512"
label: "crypt_opt"
metadatasize: "4096k"
pbkdf: "argon2id"
rng: "use-random"
filesystem:
btrfs:
checksum: "sha256"
compress: "zstd"
level: "7"
mdup: true
subvolume: "@opt"
snapshot: ""
format: true
label: "btrfs_opt"
options: ""
version: "btrfs"
label: "part_opt"
mount:
enable: true
options: "defaults,nodev,nosuid,relatime,discard=async,subvol=@opt"
optsnap: ""
path: "/opt"
primary: primary
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

81
.archive/func/0000_performing_branch_confirmation.sh
View File

@@ -1,81 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Performing Branch Selection
# Globals:
# BASH_COMMAND
# BRANCH_URL
# HANDLER_BRA
# LINENO
# LOG_ERR
# MODULE_ERR
# PPID
# PWD
# Arguments:
# None
#######################################
0000_performing_branch_confirmation() {
clear
declare BRANCH_SELECTION=""
exec 2>&1
if [[ ${HANDLER_BRA,,} = 1 ]]; then
dialog --create-rc ~/.dialogrc
sed -i 's/screen_color = (CYAN,BLUE,ON)/screen_color = (WHITE,RED,ON)/' ~/.dialogrc
sed -i 's/title_color = (BLUE,WHITE,ON)/title_color = (RED,WHITE,ON)/' ~/.dialogrc
if BRANCH_SELECTION=$(dialog --ascii-lines \
--colors \
--title "! WARNING !" \
--backtitle "CISS.2025.hardened.debian.installer" \
--yes-label "yes" \
--no-label "No" \
--yesno "You are on:\nBranch 'Testing'.\nPlease confirm to proceed.\nHit 'Yes' to stay on Branch 'Testing'.\nHit 'No' to exit." 9 60 3>&1 1>&2 2>&3 3>&-); then
declare -g -r -x BRANCH_URL="https://cendev.eu/marc.weidner/CISS.2025.debian.installer/raw/branch/testing/"
else
clear
rm -f ~/.dialogrc
do_clean_exit "0" "${LINENO}" "${BASH_COMMAND}" "${MODULE_ERR}" "$$" "${PPID}" "${PWD}" "$-"
fi
else
declare -g -r -x BRANCH_URL="https://cendev.eu/marc.weidner/CISS.2025.debian.installer/raw/branch/master/"
fi
exec 2>> "${LOG_ERR}"
clear
if [[ ${HANDLER_BRA} = 1 ]]; then
do_log "info" "file_only" "Branch 'testing' confirmed: '${BRANCH_SELECTION}'."
fi
if [[ -f ~/.dialogrc ]]; then
rm -f ~/.dialogrc
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

164
.archive/func/1251_yaml_reader_highest_device.sh
View File

@@ -1,164 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Reading and extracting variables from "${PRESEED}".
# Globals:
# HMP_RECIPE_DEV_PARTITIONS
# VAR_ARCHITECTURE
# VAR_NUKE
# VAR_PRESEED
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_HIGHEST_DEVICE
# VAR_RECIPE_STRING
# VAR_RECIPE_TABLE
# architecture
# Arguments:
# None
# Returns:
# 0: on success
# ERR_NO_VALID_RECIPE
#######################################
yaml_reader() {
### Declare Arrays, HashMaps, and Variables.
declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
VAR_RECIPE_TABLE=""
### Declare and substitute input files
declare -r var_if="${VAR_PRESEED}"
### Search pattern for variables (recipe_<string>_active='true')
declare -r var_search_pattern="^recipe_.*_active='true'"
declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
recipe_firmware_var="" recipe_nuke_var="" recipe_table_var=""
### Read "${var_if}" line by line
while IFS= read -r var_line; do
### Check, if line matches the search pattern
if [[ "${var_line}" =~ ^recipe_([^_]+)_active=\'true\' ]]; then
var_middle_part="${BASH_REMATCH[1]}"
VAR_RECIPE_STRING="${var_middle_part}"
break
fi
#if [[ "${var_line}" =~ ${var_search_pattern} ]]; then
# ### Extract the middle part or second position
# var_middle_part=$(echo "${var_line}" | sed -E "s/^recipe_([^_]+)_active='true'/\1/")
# VAR_RECIPE_STRING="${var_middle_part}"
# ### Exit after first occurrence
# break
#fi
done < "${var_if}"
if [[ -n "${VAR_RECIPE_STRING}" ]]; then
do_log "info" "file_only" "1251() Found active recipe string: '${VAR_RECIPE_STRING}'."
else
do_log "fatal" "file_only" "1251() Found NO active recipe string: '${VAR_RECIPE_STRING}'."
exit "${ERR_NO_VALID_RECIPE}"
fi
### Search "${var_if}" for matching recipe_${VAR_RECIPE_STRING}_dev_* entries and find the highest dev letter.
# shellcheck disable=SC2312
var_highest_dev=$(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}" | awk -F'_' '
{
if (NF >= 4) {
### Extract 4th position (e.g., "recipe_${VAR_RECIPE_STRING}_dev_sda" or "recipe_${VAR_RECIPE_STRING}_dev_vda")
device_field = $4
### Check, if field is at least 3 char wide and last char contains a letter
if (length(device_field) >= 3) {
last_char = substr(device_field, length(device_field), 1) ### Extract last letter of respective field
if (last_char ~ /^[a-z]$/ && last_char > max) {
max = last_char
}
}
}
}
END { print max }
')
### Save the result in VAR_RECIPE_HIGHEST_DEVICE.
VAR_RECIPE_HIGHEST_DEVICE="${var_highest_dev}"
if [[ -n "${VAR_RECIPE_HIGHEST_DEVICE}" ]]; then
do_log "info" "file_only" "1251() Found highest recipe device: '${VAR_RECIPE_HIGHEST_DEVICE}'."
else
do_log "fatal" "file_only" "1251() Found NO highest recipe device: '${VAR_RECIPE_HIGHEST_DEVICE}'."
exit "${ERR_NO_VALID_RECIPE}"
fi
### Read var_if and iterate through all matching entries without executing in a subshell
# shellcheck disable=SC2312
while read -r var_line; do
### Extract fields of line
IFS='_' read -ra var_fields <<< "${var_line}"
### Check that enough fields are available
if [[ "${#var_fields[@]}" -ge 5 ]]; then
var_device="${var_fields[3]}" ### The fourth position includes the device (e.g., sda, vda, xvda)
var_partition="${var_fields[4]}" ### The fifth position includes the partition (e.g., 13)
### Check, if the partition is a number and higher than the current value
if [[ "${var_partition}" =~ ^[0-9]+$ ]]; then
declare -i cur="${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0}"
if (( var_partition > cur )); then
#if [[ -z "${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-}" || "${var_partition}" -gt ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0} ]]; then
# shellcheck disable=SC2004
HMP_RECIPE_DEV_PARTITIONS[${var_device}]="${var_partition}"
fi
fi
fi
done < <(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}")
for var_device in "${!HMP_RECIPE_DEV_PARTITIONS[@]}"; do
do_log "info" "file_only" "1251() Highest number of partitions: [${var_device}:${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}]."
done
### Extract architecture.
VAR_ARCHITECTURE="${architecture}"
### Extract chosen firmware.
recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
### Extract the chosen Nuke mechanism.
recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
VAR_NUKE="${!recipe_nuke_var}"
### Extract chosen partition table.
recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
VAR_RECIPE_TABLE="${!recipe_table_var}"
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

200
.archive/func/3220_partition_encryption_double_loop.sh
View File

@@ -1,200 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Function to encrypt the respective partition on each device according to the chosen recipe string.
# Globals:
# DIR_BAK
# DIR_CNF
# DIR_LOG
# HMP_EPHEMERAL_ENCLABEL
# HMP_EPHEMERAL_FS_LABEL
# HMP_PATH_ENCLABEL
# HMP_PATH_LUKSUUID
# VAR_CRYPT_RECOVERY
# VAR_CRYPT_ROOT
# VAR_ITER_TIME
# VAR_KDF_ITERATIONS
# VAR_KDF_MEMORY
# VAR_KDF_THREADS
# VAR_RECIPE_STRING
# VAR_SETUP_PART
# Arguments:
# None
# Returns:
# 0: on success
#######################################
partition_encryption() {
### Declare Arrays, HashMaps, and Variables.
declare -Ag HMP_PATH_LUKSUUID # Used in: 3290() - [Mount Path:LUKS UUID].
# Used in: 4060() - [Mount Path:LUKS UUID].
declare -Ag HMP_EPHEMERAL_ENCLABEL
declare -Ag HMP_EPHEMERAL_FS_LABEL
declare -Ag HMP_PATH_ENCLABEL
declare -gx VAR_CRYPT_ROOT="" # LUKS UUID of '/'.
declare -gx VAR_CRYPT_RECOVERY="" # LUKS UUID of '/recovery'.
declare var_dev="" var_part="" \
var_encryption_enable="" var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" \
var_encryption_hash="" var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs=""
declare -a ary_devs=() ary_parts=() ary_luks_opts=()
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
touch "${DIR_LOG}/${var_dev}_cryptsetup_luksdump.log"
chmod 0600 "${DIR_LOG}/${var_dev}_cryptsetup_luksdump.log"
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do
### Extract parameters from YAML.
var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
var_encryption_ephemeral=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.ephemeral" "${VAR_SETUP_PART}")
var_encryption_integrity=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.integrity" "${VAR_SETUP_PART}")
var_encryption_cipher=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.cipher" "${VAR_SETUP_PART}")
var_encryption_hash=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.hash" "${VAR_SETUP_PART}")
var_encryption_key=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.key" "${VAR_SETUP_PART}")
var_encryption_slot=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.keyslotssize" "${VAR_SETUP_PART}")
var_encryption_meta=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.metadatasize" "${VAR_SETUP_PART}")
var_encryption_pbkdf=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.pbkdf" "${VAR_SETUP_PART}")
var_encryption_rng=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.rng" "${VAR_SETUP_PART}")
var_fs=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version" "${VAR_SETUP_PART}")
var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
if [[ "${var_encryption_enable,,}" != "true" ]]; then
continue
fi
var_encryption_label=$(get_label "${var_mount_path}" "${var_fs}" "luks")
if [[ "${var_mount_path,,}" == "/boot" ]]; then
ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_boot.txt" )
ary_luks_opts+=(
--iter-time "${VAR_ITER_TIME:-3000}"
)
else
ary_luks_opts=( --key-file "${DIR_CNF}/password_luks_common.txt" )
ary_luks_opts+=(
--pbkdf-parallel "${VAR_KDF_THREADS:-1}"
--pbkdf-memory "${VAR_KDF_MEMORY:-4}"
--pbkdf-force-iterations "${VAR_KDF_ITERATIONS:-4}"
)
fi
ary_luks_opts+=(
--type luks2
--cipher "${var_encryption_cipher:-aes-xts-plain64}"
--hash "${var_encryption_hash:-sha512}"
--key-size "${var_encryption_key:-512}"
--label "${var_encryption_label}"
--luks2-keyslots-size "${var_encryption_slot:-16777216}"
--luks2-metadata-size "${var_encryption_meta:-4194304}"
--pbkdf "${var_encryption_pbkdf:-argon2id}"
"--${var_encryption_rng}"
--batch-mode
--verbose
)
[[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=( --integrity hmac-sha512 )
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
case "${var_mount_path,,}" in
swap|/tmp)
var_filesystem_label=$(get_label "${var_mount_path}" "${var_fs}" "file")
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "file_only" "3220() Ephemeral: '${var_mount_path}' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
HMP_EPHEMERAL_FS_LABEL["${var_mount_path}"]="${var_filesystem_label}"
do_log "debug" "file_only" "3220() Stored in HashMap [HMP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
do_log "debug" "file_only" "3220() Stored in HashMap [HMP_EPHEMERAL_FS_LABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_FS_LABEL["${var_mount_path}"]}'"
continue
;;
*)
do_log "error" "file_only" "3220() Invalid mount path: '${var_mount_path}' for partition: '/dev/${var_dev}${var_part}'."
continue
;;
esac
fi
cryptsetup luksFormat "${ary_luks_opts[@]}" "/dev/${var_dev}${var_part}"
if [[ "${var_encryption_integrity,,}" == "true" ]]; then
do_log "debug" "file_only" "3220() [cryptsetup luksFormat ${ary_luks_opts[*]} /dev/${var_dev}${var_part}]."
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
else
do_log "debug" "file_only" "3220() [cryptsetup luksFormat ${ary_luks_opts[*]} /dev/${var_dev}${var_part}]."
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}${var_part}' encrypted."
fi
cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
### Opening encrypted container.
if [[ "${var_mount_path,,}" == "/boot" ]]; then
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password_luks_boot.txt" \
"${var_encryption_label}"
else
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password_luks_common.txt" \
"${var_encryption_label}"
fi
do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
### Create luksDump log entry.
printf "#------------------------------------------------------------------#\n" >> "${DIR_LOG}/${var_dev}_cryptsetup_luksdump.log"
cryptsetup luksDump "/dev/${var_dev}${var_part}" >> "${DIR_LOG}/${var_dev}_cryptsetup_luksdump.log"
### Store UUID of the LUKS container.
var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}${var_part}")
[[ "${var_mount_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
[[ "${var_mount_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
HMP_PATH_LUKSUUID["${var_mount_path}"]="${var_uuid}"
HMP_PATH_ENCLABEL["LABEL_${var_mount_path}"]="${var_encryption_label}"
do_log "debug" "file_only" "3220() Stored in HashMap [HMP_PATH_LUKSUUID] : '${var_mount_path}' -> '${HMP_PATH_LUKSUUID["${var_mount_path}"]}'"
do_log "debug" "file_only" "3220() Stored in HashMap [HMP_PATH_ENCLABEL] : '${var_mount_path}' -> '${HMP_PATH_ENCLABEL["LABEL_${var_mount_path}"]}'"
done
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

138
.archive/func/3240_partition_formatting_double_loop.sh
View File

@@ -1,138 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Function to format the respective partition on each device according to the recipe string chosen.
# Globals:
# DIR_LOG
# HMP_PATH_FSUUID
# VAR_RECIPE_STRING
# VAR_SETUP_PART
# Arguments:
# None
# Returns:
# 0: on success
#######################################
partition_formatting() {
### Declare Arrays, HashMaps, and Variables.
declare -Ag HMP_PATH_FSUUID # Used in: 3290() - [Mount Path:Filesystem UUID].
# Used in: 4060() - [Mount Path:Filesystem UUID].
declare var_dev="" var_part="" \
var_encryption_enable="" var_encryption_label="" var_fs_btrfs_checksum="" var_fs_btrfs_compress="" var_fs_btrfs_mdup="" \
var_fs_format="" var_fs_label="" var_fs_options="" var_fs_version="" var_mount_path="" var_node="" var_fs_uuid=""
declare -a ary_devs=() ary_parts=() ary_opts=() ary_fmt_opts=()
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do
### Extract parameters from YAML.
var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
var_fs_btrfs_checksum=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.checksum" "${VAR_SETUP_PART}")
var_fs_btrfs_compress=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.compress" "${VAR_SETUP_PART}")
var_fs_btrfs_mdup=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.mdup" "${VAR_SETUP_PART}")
var_fs_format=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.format" "${VAR_SETUP_PART}")
var_fs_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.options" "${VAR_SETUP_PART}")
var_fs_version=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version" "${VAR_SETUP_PART}")
var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
[[ "${var_fs_format,,}" != "true" ]] && continue
### Preparation of Ephemeral 'SWAP' and '/tmp' as per https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#UUID_and_LABEL
case "${var_mount_path,,}" in
swap|/tmp)
do_log "info" "file_only" "3240() Partition: '/dev/${var_dev}${var_part}' ephemeral encryption already prepared in 3220(): '${var_mount_path}'."
continue
;;
esac
if [[ "${var_encryption_enable,,}" == "true" ]]; then
var_encryption_label=$(get_label "${var_mount_path}" "${var_fs_version}" "luks")
var_node="/dev/mapper/${var_encryption_label}"
else
var_node="/dev/${var_dev}${var_part}"
fi
var_fs_label=$(get_label "${var_mount_path}" "${var_fs_version}" "file")
case "${var_fs_version,,}" in
btrfs)
ary_opts=( -L "${var_fs_label}" -f --csum "${var_fs_btrfs_checksum}" )
[[ "${var_fs_btrfs_mdup,,}" == "true" ]] && ary_opts+=( -m dup )
mkfs.btrfs "${ary_opts[@]}" "${var_node}"
do_log "debug" "file_only" "3240() [mkfs.btrfs ${ary_opts[*]} ${var_node}]."
do_log "info" "file_only" "3240() Partition: '${var_node}' formatted: 'btrfs' options: '${ary_opts[*]}'."
echo "Partition: '${var_node}':" >> "${DIR_LOG}/btrfs.log"
btrfs filesystem show "${var_node}" >> "${DIR_LOG}/btrfs.log"
var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
### Gathering information for '/etc/fstab'-generation in 4040().
HMP_PATH_FSUUID["${var_mount_path}"]="${var_fs_uuid}"
;;
ext4)
read -r -a ary_fmt_opts <<< "${var_fs_options}"
mkfs.ext4 -L "${var_fs_label}" "${ary_fmt_opts[@]}" "${var_node}"
do_log "debug" "file_only" "3240() [mkfs.ext4 -L ${var_fs_label} ${ary_fmt_opts[*]} ${var_node}]."
do_log "info" "file_only" "3240() Partition: '${var_node}' formatted: 'ext4' options: '${ary_fmt_opts[*]}'."
echo "Partition: '${var_node}':" >> "${DIR_LOG}/ext4.log"
tune2fs -l "${var_node}" >> "${DIR_LOG}/ext4.log"
var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
### Gathering information for '/etc/fstab'-generation in 4040().
HMP_PATH_FSUUID["${var_mount_path}"]="${var_fs_uuid}"
;;
fat32)
mkfs.fat -F 32 -n "${var_fs_label}" "${var_node}"
do_log "debug" "file_only" "3240() [mkfs.fat -F 32 -n ${var_fs_label} ${var_node}]."
do_log "info" "file_only" "3240() Partition: '${var_node}' formatted: 'FAT32'."
var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
### Gathering information for '/etc/fstab'-generation in 4040().
HMP_PATH_FSUUID["${var_mount_path}"]="${var_fs_uuid}"
;;
*)
do_log "error" "file_only" "3240() Unsupported filesystem format: '${var_fs_version}'."
;;
esac
done
lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH "/dev/${var_dev}" >| "${DIR_LOG}/${var_dev}_overview.log"
printf "%b" "${NL}" >> "${DIR_LOG}/${var_dev}_overview.log"
lsblk "/dev/${var_dev}" >> "${DIR_LOG}/${var_dev}_overview.log"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

82
.archive/func/3260_setup_filesystem.sh
View File

@@ -1,82 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Function to prepare the filesystem to mount each partition on the respective path.
# Globals:
# HMP_MOUNTPATH_DEV
# VAR_RECIPE_STRING
# VAR_SETUP_PART
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_filesystem() {
### Declare Arrays, HashMaps, and Variables.
declare -Ag HMP_MOUNTPATH_DEV # HMP_MOUNTPATH_DEV["${var_mount_path}"]="${var_node}"
declare var_dev="" var_part="" \
var_encryption_enable="" var_encryption_label="" var_fs_version="" var_mount_enable="" var_mount_path="" var_node=""
declare -a ary_devs ary_parts
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do
### Extract parameters from YAML.
var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
var_fs_version=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version" "${VAR_SETUP_PART}")
var_mount_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.enable" "${VAR_SETUP_PART}")
var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
[[ -z "${var_mount_path}" ]] && continue
[[ "${var_mount_enable,,}" != "true" ]] && continue
[[ "${var_mount_path,,}" == "swap" || "${var_mount_path,,}" == "/tmp" ]] && continue
if [[ "${var_encryption_enable}" == "true" ]]; then
var_encryption_label=$(get_label "${var_mount_path}" "${var_fs_version}" "luks")
var_node="/dev/mapper/${var_encryption_label}"
elif [[ "${var_encryption_enable}" == "false" ]]; then
var_node="/dev/${var_dev}${var_part}"
else
do_log "error" "file_only" "3260() Invalid value for encryption_enable: '${var_encryption_enable}', should be true or false."
continue
fi
HMP_MOUNTPATH_DEV["${var_mount_path}"]="${var_node}"
do_log "info" "file_only" "3260() Saved in HashMap HMP_MOUNTPATH_DEV: '${var_mount_path}' -> '${HMP_MOUNTPATH_DEV["${var_mount_path}"]}'"
done
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

323
.archive/func/3280_mount_partition_double_loop.sh
View File

@@ -1,323 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Validates var_mount_path to be processed.
# Arguments:
# 1 var_mount_path
# Returns:
# 0: Skip mounting
# 1: Process mount
#######################################
skip_path() {
declare -a ary_skip=( "/" "/boot" "/boot/efi" "/recovery" )
declare p=""
for p in "${ary_skip[@]}"; do [[ "$1" == "${p}" ]] && return 0; done
return 1
}
#######################################
# Function to create the mount command, incl. mount path and options, and mount the respective device.
# Globals:
# ERR_MOUNTING_DEV
# TARGET
# Arguments:
# 1: MOUNT_PATH
# 2: MOUNT_DEVICE
# 3: MOUNT_OPTIONS
# Returns:
# 0: on success
#######################################
mount_with_dir() {
declare var_mount_path="$1" var_mount_device="$2" var_mount_options="${3:-}"
declare -a ary_cmd=(mount)
if [[ "${var_mount_device}" =~ ^[0-9a-fA-F-]{8,}$ ]]; then
if [[ -e "/dev/disk/by-uuid/${var_mount_device}" ]]; then
var_mount_device="/dev/disk/by-uuid/${var_mount_device}"
else
do_log "error" "file_only" "3280() FS-UUID for mount path: '${var_mount_device}' not found by '/dev/disk/by-uuid/${var_mount_device}'."
return "${ERR_MOUNTING_DEV}"
fi
fi
[[ "${var_mount_path}" != "/" ]] && mkdir -p "${TARGET}${var_mount_path}"
### Build the command in an array to keep word boundaries intact.
[[ -n "${var_mount_options}" ]] && ary_cmd+=("-o" "${var_mount_options}")
ary_cmd+=("${var_mount_device}" "${TARGET}${var_mount_path}")
safe_exec "${ary_cmd[@]}" "${ERR_MOUNTING_DEV}" || return
do_log "debug" "file_only" "3280() [safe_exec ${ary_cmd[*]} ${ERR_MOUNTING_DEV}]."
do_log "info" "file_only" "3280() Mounted: '${var_mount_device}' on: '${TARGET}${var_mount_path}' (Options='${var_mount_options}')."
return 0
}
#######################################
# Device Path Resolver.
# Outputs '/dev/mapper/<encryption_label>'
# Outputs '/dev/<dev><partition>'
# Arguments:
# 1: Device
# 2: Partition
# 3: Boolean Encryption
# 4: Encryption Label
#######################################
resolve_device() {
declare local_var_dev="$1" local_var_partition="$2" local_var_enc_boolean="$3" local_var_enc_label="$4"
if [[ "${local_var_enc_boolean,,}" == "true" ]]; then
printf '/dev/mapper/%s' "${local_var_enc_label}"
else
printf '/dev/%s%s' "${local_var_dev}" "${local_var_partition}"
fi
}
#######################################
# Validates btrfs compression algo and level.
# Arguments:
# 1 var_fs_btrfs_compress
# 2 var_fs_btrfs_level
# Returns:
# 0: Valid combination.
# 1: Invalid combination.
#######################################
validate_btrfs_compression() {
declare var_algo="$1" var_level="$2"
case "${var_algo}:${var_level}" in
zstd:|zstd:[0-9]|zstd:1[0-9]|zstd:2[0-2]|lzo:) return 0 ;;
*) do_log "error" "file_only" "3280() Invalid btrfs compression: '${var_algo}:${var_level}'"; return "${ERR_BTRFS_OPTION}" ;;
esac
}
#######################################
# Function for mounting all partitions for debootstrap, including the generation of btrfs subvolumes.
# Globals:
# HMP_MOUNTPATH_DEV
# TARGET
# VAR_RECIPE_STRING
# VAR_SAFE_MNT_BASE
# VAR_SETUP_PART
# Arguments:
# None
# Returns:
# 0: on success
# ERR_BTRFS_INITPH
# ERR_BTRFS_OPTION
# ERR_BTRFS_SUBVOL
# ERR_MOUNTING_DEV
# ERR_MOUNTING_ROOT
#######################################
mount_partition() {
### Declare Arrays, HashMaps, and Variables.
declare -Ag HMP_FSTAB_MOUNT_OPTS # Used in: 4040() - [Mount Path:Mount Options].
declare -r var_mount_path_root="/"
declare var_path="" var_dev="" var_part="" \
var_fs_btrfs_compress="" var_fs_btrfs_level="" var_fs_btrfs_subvolume="" var_fs_btrfs_snapshot="" \
var_encryption_enable="" var_encryption_label="" var_fs_options="" var_fs_version="" var_mount_path="" \
var_mount_options="" var_snapshot="" var_mount_optsnap="" var_fs_uuid=""
declare -a ary_devs=() ary_parts=()
### Mount "/"-filesystem
if [[ -n "${HMP_PATH_FSUUID["${var_mount_path_root}"]}" ]]; then
mount_with_dir "${var_mount_path_root}" "${HMP_PATH_FSUUID["${var_mount_path_root}"]}" || return "${ERR_MOUNTING_DEV}"
else
do_log "error" "file_only" "3280() Root-filesystem '${var_mount_path_root}' not found in Hashmap: 'HMP_PATH_FSUUID'."
return "${ERR_MOUNTING_ROOT}"
fi
#if [[ -n "${HMP_MOUNTPATH_DEV[${var_mount_path_root}]}" ]]; then
# mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[${var_mount_path_root}]}" || return "${ERR_MOUNTING_DEV}"
#else
# do_log "error" "file_only" "3280() Root-filesystem '${var_mount_path_root}' not found in Hashmap: 'HMP_MOUNTPATH_DEV'."
# return "${ERR_MOUNTING_ROOT}"
#fi
### Ensure order of "/boot" and "/boot/efi"
for var_path in "/boot" "/boot/efi"; do
if [[ -n "${HMP_PATH_FSUUID["${var_path}"]}" ]]; then
mount_with_dir "${var_path}" "${HMP_PATH_FSUUID["${var_path}"]}" || return "${ERR_MOUNTING_DEV}"
else
do_log "info" "file_only" "3280() Entry '${var_path}' not found in Hashmap: 'HMP_PATH_FSUUID'."
fi
done
#for var_path in "/boot" "/boot/efi"; do
# if [[ -n "${HMP_MOUNTPATH_DEV[${var_path}]}" ]]; then
# mount_with_dir "${var_path}" "${HMP_MOUNTPATH_DEV[${var_path}]}" || return "${ERR_MOUNTING_DEV}"
# else
# do_log "info" "file_only" "3280() Entry '${var_path}' not found in Hashmap: 'HMP_MOUNTPATH_DEV'."
# fi
#done
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do
### Extract parameters from YAML.
var_fs_btrfs_compress=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.compress" "${VAR_SETUP_PART}")
var_fs_btrfs_level=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.level" "${VAR_SETUP_PART}")
var_fs_btrfs_snapshot=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.snapshot" "${VAR_SETUP_PART}")
var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
var_fs_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.options" "${VAR_SETUP_PART}")
var_fs_version=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version" "${VAR_SETUP_PART}")
var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
var_mount_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.options" "${VAR_SETUP_PART}")
var_mount_optsnap=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.optsnap" "${VAR_SETUP_PART}")
### Skip already mounted paths ("/", "/boot", "/boot/efi") and skip ("/recovery")
skip_path "${var_mount_path}" && continue
var_encryption_label=$(get_label "${var_mount_path}" "${var_fs_version}" "luks")
var_fs_uuid="${HMP_PATH_FSUUID["${var_path}"]}"
if [[ "${var_mount_path,,}" == "swap" ]]; then
#var_fs_label=$(get_label "${var_mount_path}" "${var_fs_version}" "file")
cryptsetup open --type plain --key-file /dev/random \
--offset 2048 --cipher aes-xts-plain64 --key-size 512 \
--sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
#--sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
mkswap "/dev/mapper/${var_encryption_label}"
do_log "debug" "file_only" "3280() [mkswap /dev/mapper/${var_encryption_label}]."
swapon "/dev/mapper/${var_encryption_label}"
do_log "debug" "file_only" "3280() [swapon /dev/mapper/${var_encryption_label}]."
do_log "info" "file_only" "3280() Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
continue
elif [[ "${var_mount_path,,}" == "/tmp" ]]; then
cryptsetup open --type plain --key-file /dev/random \
--offset 2048 --cipher aes-xts-plain64 --key-size 512 \
--sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
mkdir -p "${TARGET}/tmp"
echo "safe_exec mkfs.ext4 -E nodiscard,lazy_itable_init=1,lazy_journal_init=1 /dev/mapper/${var_encryption_label} ${ERR_MOUNTING_DEV}"
safe_exec mkfs.ext4 -E nodiscard,lazy_itable_init=1,lazy_journal_init=1 "/dev/mapper/${var_encryption_label}" "${ERR_MOUNTING_DEV}" || return "${ERR_MOUNTING_DEV}"
### Build the command in an array to keep word boundaries intact
declare -a ary_cmd2=(mount)
ary_cmd2+=("/dev/mapper/${var_encryption_label}" "${TARGET}${var_mount_path}")
safe_exec "${ary_cmd2[@]}" "${ERR_MOUNTING_DEV}" || return "${ERR_MOUNTING_DEV}"
do_log "info" "file_only" "3280() Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
continue
fi
#var_resolved_dev=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
if [[ "${var_fs_version,,}" == "btrfs" ]]; then
var_fs_btrfs_subvolume=$(get_label "${var_mount_path}" "${var_fs_version}" "sub")
### Mount toplevel (subvolid=0) without extra options.
declare -a ary_cmd_mount=(mount -o "subvolid=0" "${var_fs_uuid}" "${VAR_SAFE_MNT_BASE}")
safe_exec "${ary_cmd_mount[@]}" "${ERR_BTRFS_INITPH}" || return "${ERR_BTRFS_INITPH}"
btrfs subvolume create "${VAR_SAFE_MNT_BASE}/${var_fs_btrfs_subvolume}"
do_log "debug" "file_only" "3280() [btrfs subvolume create ${VAR_SAFE_MNT_BASE}/${var_fs_btrfs_subvolume}]."
do_log "info" "file_only" "3280() btrfs subvolid=0 created: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
if [[ "${var_fs_btrfs_snapshot}" == "true" ]]; then
var_snapshot=$(get_label "${var_mount_path}" "${var_fs_version}" "snap")
btrfs subvolume create "${VAR_SAFE_MNT_BASE}/${var_snapshot}" || return "${ERR_BTRFS_SUBVOL}"
do_log "debug" "file_only" "3280() [btrfs subvolume create ${VAR_SAFE_MNT_BASE}/${var_snapshot}]."
do_log "info" "file_only" "3280() btrfs subvolid=${var_snapshot} created: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
fi
umount "${VAR_SAFE_MNT_BASE}"
do_log "info" "file_only" "3280() btrfs subvolume umount: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
fi
case "${var_fs_version,,}:${var_encryption_enable,,}" in
btrfs:*)
validate_btrfs_compression "${var_fs_btrfs_compress}" "${var_fs_btrfs_level}" || return "${ERR_BTRFS_OPTION}"
declare var_btrfs_compression_options="compress=${var_fs_btrfs_compress}:${var_fs_btrfs_level}"
[[ -n "${var_mount_options}" ]] && var_btrfs_compression_options+=",${var_mount_options},subvol=${var_fs_btrfs_subvolume}"
### Gathering information for '/etc/fstab'-generation in 4040().
HMP_FSTAB_MOUNT_OPTS["${var_mount_path}"]="${var_btrfs_compression_options[*]}"
do_log "debug" "file_only" "3280() Stored in HashMap [HMP_FSTAB_MOUNT_OPTS] : '${var_mount_path}' -> '${HMP_FSTAB_MOUNT_OPTS["${var_mount_path}"]}'."
mount_with_dir "${var_mount_path}" "${var_fs_uuid}" "${var_btrfs_compression_options}" || return "${ERR_MOUNTING_DEV}"
if [[ "${var_fs_btrfs_snapshot}" == "true" ]]; then
### Preparing "/.snapshot"-directory
mkdir -p "${TARGET}${var_mount_path}/.snapshots"
do_log "info" "file_only" "3280() Created: '${TARGET}${var_mount_path}/.snapshots'."
var_mount_optsnap="${var_mount_optsnap},subvol=${var_snapshot}"
### Gathering information for '/etc/fstab'-generation in 4040().
HMP_FSTAB_MOUNT_OPTS["${var_mount_path}/.snapshots"]="${var_mount_optsnap[*]}"
do_log "debug" "file_only" "3280() Stored in HashMap [HMP_FSTAB_MOUNT_OPTS] : '${var_mount_path}/.snapshots' -> '${HMP_FSTAB_MOUNT_OPTS["${var_mount_path}/.snapshots"]}'."
mount_with_dir "${var_mount_path}/.snapshots" "${var_fs_uuid}" "${var_mount_optsnap}"
do_log "info" "file_only" "3280() Mounted: '${var_fs_uuid}' on: '${TARGET}${var_mount_path}/.snapshots' (Options='${var_mount_optsnap}')."
fi
;;
ext4:*)
mount_with_dir "${var_mount_path}" "${var_fs_uuid}" "${var_mount_options}" || return "${ERR_MOUNTING_DEV}"
;;
*) do_log "error" "file_only" "3280() Unsupported fs/encryption combination."
return "${ERR_MOUNTING_DEV}" ;;
esac
done
lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH "/dev/${var_dev}" >| "${DIR_LOG}/${var_dev}_overview_full.log"
printf "%b" "${NL}" >> "${DIR_LOG}/${var_dev}_overview_full.log"
lsblk "/dev/${var_dev}" >> "${DIR_LOG}/${var_dev}_overview_full.log"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

24
.archive/func/4130_setup_network.sh
View File

@@ -1,24 +0,0 @@
#!/bin/bash
do_log "info" "file_only" "Live environment DHCP information collection: timeout='${network_timeout_dhcp}' seconds. Please wait."
dhclient -v -1 "${var_auto_nic}" 2>&1 | timeout "${network_timeout_dhcp}" dhcpdump -i "${var_auto_nic}" >> "${LOG_NIC}" || true
awk 'BEGIN {RS="---------------------------------------------------------------------------"; \
ORS="---------------------------------------------------------------------------"} \
NF {last=$0} END {print last}' "${LOG_NIC}" > "${LOG_NIC}".tmp && mv "${LOG_NIC}".tmp "${LOG_NIC}"
do_log "info" "file_only" "Live environment DHCP information collection: collection completed."
### Extract 'FQDN' from '${LOG_NIC}'
var_auto_fqdn=$(awk -F 'Host name' '/Host name/ {print $2}' "${LOG_NIC}" | xargs)
### Extract 'YIADDR' (Your IP Address) from '${LOG_NIC}'
var_dhcp_yiaddr=$(awk -F 'YIADDR:' '/YIADDR/ {print $2}' "${LOG_NIC}" | awk '{print $1}' | xargs)
### Extract 'SIADDR' (Server IP Address) from '${LOG_NIC}'
var_dhcp_siaddr=$(awk -F 'SIADDR:' '/SIADDR/ {print $2}' "${LOG_NIC}" | awk '{print $1}' | xargs)
### Extract 'Server Identifier' from '${LOG_NIC}'
var_dhcp_srv=$(awk -F 'Server identifier' '/Server identifier/ {print $2}' "${LOG_NIC}" | xargs)
### Extract 'GIADDR' (Gateway IP Address) from '${LOG_NIC}'
var_dhcp_giaddr=$(awk -F 'GIADDR:' '/GIADDR/ {print $2}' "${LOG_NIC}" | awk '{print $1}' | xargs)

37
.archive/func/4195_setup_dropbear.sh
View File

@@ -1,37 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Remarks
# lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)'
# readelf -h /bin/busybox | grep Type
# command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 ...
# /usr/share/initramfs-tools/scripts/init-premount
# /dev/sdaN: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
# GRUB_CMDLINE_LINUX="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
# declare var_nic_module; var_nic_module=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
# echo "${var_nic_module}"
### Nuke Hints
# /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
# Before (Default)
# ASKPASS=/lib/cryptsetup/askpass
# After
# ASKPASS=/lib/cryptsetup/askpass.cryptsetup
# apt-get cryptsetup-nuke-password
# dpkg-reconfigure cryptsetup-nuke-password
#debconf-set-selections << END
#cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
#cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
#END
#sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password

56
.archive/func/4230_update_grub.sh
View File

@@ -1,56 +0,0 @@
#!/bin/bash
#######################################
# Detects and collects all boot devices for GRUB installation.
# Supports /dev/sdX, /dev/vdX, /dev/hdX, /dev/nvmeXn1, /dev/mmcblkX.
# Globals:
# VAR_RECIPE_HIGHEST_DEVICE
# ary_bootdev_all
# grub_bootdev
# Arguments:
# None
# Returns:
# 0: on success
#######################################
get_all_boot_devs() {
### Declare Arrays, HashMaps, and Variables.
declare -ag ary_bootdev_all=()
declare dev="" dev_prefix="" dev_path="" letter=""
declare -i ascii=0 ascii_end=0 ascii_start=0
### Determine prefix from grub_bootdev (e.g., "sd", "vd", "nvme", "mmcblk")
dev_prefix=$(basename "${grub_bootdev}" | sed -E 's/^([a-z]+)[a-z0-9]*$/\1/')
case "${dev_prefix}" in
sd|vd|hd)
ascii_start=$(printf '%d' "'a")
ascii_end=$(printf '%d' "'${VAR_RECIPE_HIGHEST_DEVICE}")
for ((ascii = ascii_start; ascii <= ascii_end; ascii++)); do
letter=$(printf "%b" "\\$(printf '%03o' "${ascii}")")
dev_path="/dev/${dev_prefix}${letter}"
[[ -b "${dev_path}" ]] && ary_bootdev_all+=("${dev_path}")
done
;;
nvme)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^nvme[0-9]+n1$')
;;
mmcblk)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^mmcblk[0-9]+$')
;;
*)
do_log "warning" "file_only" "4230() Unrecognized boot device prefix: ${dev_prefix}"
;;
esac
return 0
}

376
.archive/func/unlock_wrapper.sh
View File

@@ -1,376 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
set -Ceuo pipefail
IFS=$(printf ' \n\t')
# shellcheck disable=SC2155
declare -gr CURRENTDATE=$(date +"%F %T")
declare -gir MAX_RETRIES=2
#######################################
# Generates informative shell prompt.
# Globals:
# PS1
# Arguments:
# None
#######################################
prompt_string() {
declare -gx PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
# Show exit status in green if zero
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
# Show exit status in red otherwise
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
|~\$ "
}
#######################################
# Trap function to be called on 'ERR'.
# Arguments:
# $1: ${?}
# $2: ${BASH_SOURCE[0]}
# $3: ${LINENO}
# $4: ${FUNCNAME[0]:-main}
# $5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -r errcode="$1"
declare -r errscrt="$2"
declare -r errline="$3"
declare -r errfunc="$4"
declare -r errcmmd="$5"
trap - ERR
stty echo
if [[ ${errcode} -eq 0 ]]; then
print_scr_scc
prompt_string
exit 0
else
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
sleep 15
sync
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
fi
}
#######################################
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the Nuke Routine
# Globals:
# DEVICES_LUKS
# DEVICES_NUKE
# Arguments:
# None
#######################################
trap_on_term() {
trap - INT
stty echo
printf "\n"
printf "\e[0;91m✘ System caught a 'SIGINT'. System Power Off in 3 seconds. \e[0m\n" >&2
sync
sleep 3
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
}
#######################################
# Print Error Message for 'non-0' Trap on 'EXIT' on Terminal.
# Arguments:
# $1: ${?}
# $2: ${BASH_SOURCE[0]}
# $3: ${LINENO}
# $4: ${FUNCNAME[0]:-main}
# $5: ${BASH_COMMAND}
#######################################
print_scr_err() {
declare -r scr_err_errcode="$1"
declare -r scr_err_errscrt="$2"
declare -r scr_err_errline="$3"
declare -r scr_err_errfunc="$4"
declare -r scr_err_errcmmd="$5"
printf "\n"
printf "\e[0;91m✘ System caught an 'ERROR'. System Power Off in 15 seconds. \e[0m\n" >&2
printf "\n"
printf "\e[0;91m✘ Error : %s \e[0m\n" "${scr_err_errcode}" >&2
printf "\e[0;91m✘ Line : %s \e[0m\n" "${scr_err_errline}" >&2
printf "\e[0;91m✘ Script : %s \e[0m\n" "${scr_err_errscrt}" >&2
printf "\e[0;91m✘ Function : %s \e[0m\n" "${scr_err_errfunc}" >&2
printf "\e[0;91m✘ Command : %s \e[0m\n" "${scr_err_errcmmd}" >&2
printf "\n"
}
#######################################
# Print Error Message for '0' Trap on 'ERR' on Terminal.
# Arguments:
# none
#######################################
print_scr_scc() {
printf "\e[0;92m✅ Script exited successfully. Proceeding with booting. \e[0m\n"
printf "\n"
}
#######################################
# Gather information of all LUKS Devices available on the system
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=() dev="" tries=0
while ((tries < 10)); do
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device)
if [[ ${curr[*]} == "${prev[*]}" ]]; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
### Print one device per line for mapfile compatibility
for dev in "${curr[@]}"; do
printf '%s\n' "${dev}"
done
}
#######################################
# Gather information of all NUKE Devices available on the system
# Globals:
# DEVICES_LUKS
# Arguments:
# None
#######################################
gather_nuke_devices() {
### 'DEVICES_LUKS' must already be a bash array of device paths
declare dev=""
declare result=()
for dev in "${DEVICES_LUKS[@]}"; do
### Check slot 31 for 'luks2'
if cryptsetup luksDump "${dev}" 2> /dev/null | grep -qE '^[[:space:]]*31: luks2'; then
result+=("${dev}")
fi
done
### Print one device per line for mapfile compatibility
for dev in "${result[@]}"; do
printf '%s\n' "${dev}"
done
}
#######################################
# Read passphrase interactively.
# Arguments:
# None
#######################################
passphrase_ask() {
declare -g PASSPHRASE=""
printf "\n"
stty -echo
printf "\e[0;95m🔐 Enter passphrase for decryption: \e[0m\n"
read -r PASSPHRASE
stty echo
printf "\n"
}
#######################################
# Test the entered passphrase against the dedicated Nuke Keyslot #31.
# Arguments:
# $1: DEVICE
# $2: PASSWD
#######################################
passphrase_test() {
declare -r DEVICE="$1"
declare -r PASPHR="$2"
printf '%s' "${PASPHR}" | cryptsetup open --batch-mode --test-passphrase --key-slot 31 "${DEVICE}" > /dev/null 2>&1
}
#######################################
# Check the integrity and authenticity of this script itself.
# Arguments:
# $0: Script Name
#######################################
verify_coresecret() {
### Directory of this script
# shellcheck disable=SC2155
declare dir="$(dirname "$(readlink -f "${0}")")"
# shellcheck disable=SC2155
declare script="$(basename "${0}")"
declare algo
for algo in sha512 sha384; do
# shellcheck disable=SC2155
declare hashfile="${dir}/${script}.${algo}"
# shellcheck disable=SC2155
declare sigfile="${hashfile}.sig"
# shellcheck disable=SC2155
declare cmd="${algo}sum"
printf "\e[0;95m🔏 Verifying signature of: [%s] \e[0m\n" "${hashfile}"
gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
printf "\e[0;91m✘ Signature verification failed for: [%s] \e[0m\n" "${hashfile}" >&2
printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
sync
sleep 3
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
}
printf "\e[0;92m🔏 Verifying signature of: [%s] successful. \e[0m\n" "${hashfile}"
printf "\e[0;95m🔢 Recomputing Hash: [%s] \e[0m\n" "${algo}"
# shellcheck disable=SC2155
declare computed=$($cmd "${dir}/${script}" | awk '{print $1}')
# shellcheck disable=SC2155
declare expected=$(cat "${hashfile}")
if [[ ${computed} != "${expected}" ]]; then
printf "\e[0;91m✘ Hash mismatch for: [%s] \e[0m\n" "${algo}" >&2
printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
sync
sleep 3
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
fi
printf "\e[0;92m🔢 Recomputing Hash: [%s] successful. \e[0m\n" "${algo}"
done
printf "\e[0;92m🔏 All signatures and hashes verified successfully. Proceeding. \e[0m\n"
}
### Main Programm
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_on_term' INT TERM
printf "\e[0;91mCoresecret Connection established.\e[0m\n"
printf "\e[0;91mStarting Time: %s\e[0m\n" "${CURRENTDATE}"
printf "\n"
verify_coresecret
### Read newline-separated output into an array
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
mapfile -t DEVICES_NUKE < <(gather_nuke_devices)
### Debug output: list each element with its index
#for idx in "${!DEVICES_LUKS[@]}"; do
# printf 'Luks[%d]: %s\n' "${idx}" "${DEVICES_LUKS[${idx}]}"
#done
### Debug output: list each element with its index
#for idx in "${!DEVICES_NUKE[@]}"; do
# printf 'Nuke[%d]: %s\n' "${idx}" "${DEVICES_NUKE[${idx}]}"
#done
### # If there are no LUKS devices at all, drop to bash
[[ -n ${DEVICES_LUKS[*]} ]] || {
printf "\e[0;92m✘ No LUKS Devices found. Dropping to bash ... \e[0m\n"
prompt_string
exec /bin/bash -i
}
### If there are LUKS devices but no Nuke devices, try unlocking flow
if [[ -n ${DEVICES_LUKS[*]} ]] && [[ -z ${DEVICES_NUKE[*]} ]]; then
### Attempt interactive unlock with cryptroot-unlock
if cryptroot-unlock; then
exit 0
else
printf "\n"
printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
prompt_string
exec /bin/bash -i
fi
elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then
declare -i attempt=1
declare NUKED=false
declare TEST_DEV="${DEVICES_NUKE[0]}"
while ((attempt <= MAX_RETRIES)); do
printf "\e[0;95m🔐Attempt %s/%s: \e[0m\n" "${attempt}" "${MAX_RETRIES}"
passphrase_ask
declare -g PASSWD="${PASSPHRASE}"
if passphrase_test "${TEST_DEV}" "${PASSWD}"; then
for dev in "${DEVICES_NUKE[@]}"; do
cryptsetup erase --batch-mode "${dev}" > /dev/null 2>&1
printf "%s:\e[0;95m✘ LUKS Device Header malfunction. \e[0m\n" "${dev}"
done
declare -r NUKED=true
unset PASSWD
break
else
declare code="$?"
case "${code}" in
1) printf "\e[0;91m✘ No usable key slot is available. \e[0m\n" ;;
2) printf "\e[0;91m✘ No key available with this passphrase. \e[0m\n" ;;
3) printf "\e[0;93m✘ Out of memory. \e[0m\n" ;;
*) printf "\e[0;91m✘ Unexpected Return Code. \e[0m\n" ;;
esac
fi
attempt=$((attempt + 1))
done
if [[ ${NUKED} == true ]]; then
stty echo
sleep 3
sync
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
fi
if cryptroot-unlock; then
exit 0
else
printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
prompt_string
exec /bin/bash -i
fi
fi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

7
ciss_debian_installer.sh
View File

@@ -12,6 +12,7 @@
### Contributions so far see ./docs/CREDITS.md ### Contributions so far see ./docs/CREDITS.md
# TODO: Update .dot files.
# TODO: Move this command later than 4131_installation_systemd.sh # TODO: Move this command later than 4131_installation_systemd.sh
### Set the X11 keyboard layout (for graphical environments). ### Set the X11 keyboard layout (for graphical environments).
#do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}" #do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
@@ -270,8 +271,8 @@ installation_chrony
### CDI_4200 ### CDI_4200
echo "MAIN PROGRAM SEQUENCE: 4200_generate_fstab.sh ..." echo "MAIN PROGRAM SEQUENCE: 4200_generate_fstab.sh ..."
generate_fstab generate_fstab
#echo "MAIN PROGRAM SEQUENCE: 4205_check_fstab.sh ..." echo "MAIN PROGRAM SEQUENCE: 4205_check_fstab.sh ..."
#check_fstab check_fstab
echo "MAIN PROGRAM SEQUENCE: 4210_generate_crypttab.sh ..." echo "MAIN PROGRAM SEQUENCE: 4210_generate_crypttab.sh ..."
generate_crypttab generate_crypttab
echo "MAIN PROGRAM SEQUENCE: 4220_installation_cryptsetup.sh ..." echo "MAIN PROGRAM SEQUENCE: 4220_installation_cryptsetup.sh ..."
@@ -309,7 +310,7 @@ hardening_files
### CDI_4500 ### CDI_4500
echo "MAIN PROGRAM SEQUENCE: 4500_installation_accounts.sh ..." echo "MAIN PROGRAM SEQUENCE: 4500_installation_accounts.sh ..."
installation_accounts installation_accounts # TODO: Checks ongoing
### CDI_4600 ### CDI_4600
#echo "MAIN PROGRAM SEQUENCE: 4205_check_fstab.sh ..." #echo "MAIN PROGRAM SEQUENCE: 4205_check_fstab.sh ..."

1
func/cdi_1000_helper/1081_helper_grub.sh
View File

@@ -146,6 +146,7 @@ EOF
umask 0022 umask 0022
{ {
printf "GRUB_CMDLINE_LINUX='%s'\n" "${var_linux}" printf "GRUB_CMDLINE_LINUX='%s'\n" "${var_linux}"
printf "\n"
printf "GRUB_CMDLINE_LINUX_DEFAULT='%s'\n" "${var_linux_default}" printf "GRUB_CMDLINE_LINUX_DEFAULT='%s'\n" "${var_linux_default}"
printf "\n" printf "\n"
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh\n" printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh\n"

13
func/cdi_1000_helper/1082_helper_modules.sh
View File

@@ -82,14 +82,21 @@ grep_nic_driver_modules() {
# 0: on success # 0: on success
####################################### #######################################
insert_comments() { insert_comments() {
declare file="${1}" declare of_file="${1}" var_name=""
case "${of_file}" in
/target/*) var_name="${of_file#/target}" ;;
/recovery/*) var_name="${of_file#/recovery}" ;;
*) var_name="${of_file}" ;;
esac
sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\ sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
\ \
# Static file system information: '"${file}"'\ # Static file system information: '"${var_name}"'\
# Generated by CISS.debian.installer '"${VAR_VERSION}"'\ # Generated by CISS.debian.installer '"${VAR_VERSION}"'\
# Architecture: '"${VAR_ARCHITECTURE}"'\ # Architecture: '"${VAR_ARCHITECTURE}"'\
# Distribution: '"${VAR_CODENAME}"' # Distribution: '"${VAR_CODENAME}"'
' "${file}" ' "${of_file}"
return 0 return 0
} }

2
func/cdi_4300_network/4310_dropbear_build.sh
View File

@@ -71,7 +71,7 @@ dropbear_build() {
# shellcheck disable=2312 # shellcheck disable=2312
make -j"$(nproc)" make -j"$(nproc)"
' 2>&1 | tee -a "${TARGET}${var_logfile}" ' >> "${TARGET}${var_logfile}" 2>&1
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
guard_dir && return 0 guard_dir && return 0

4
func/cdi_4300_network/4312_dropbear_setup.sh
View File

@@ -22,9 +22,9 @@ guard_sourcing
# VAR_FINAL_IPV4_SUBNET # VAR_FINAL_IPV4_SUBNET
# VAR_FINAL_NIC # VAR_FINAL_NIC
# VAR_SETUP_PATH # VAR_SETUP_PATH
# dropbear_dhcp
# dropbear_firewall # dropbear_firewall
# dropbear_port # dropbear_port
# network_autoconfig_enable
# network_static_ipv4nameserver_0 # network_static_ipv4nameserver_0
# network_static_ipv4nameserver_1 # network_static_ipv4nameserver_1
# ssh_allow_ipv4_0 # ssh_allow_ipv4_0
@@ -36,7 +36,7 @@ guard_sourcing
####################################### #######################################
dropbear_setup() { dropbear_setup() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare network_static_ipv4ntpserver_0="192.53.103.108" var_modules="" declare network_static_ipv4ntpserver_0="192.53.103.108"
### Prepare strong dropbear host keys ### Prepare strong dropbear host keys
rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key

51
func/cdi_4400_hardening/4420_installation_ssh.sh
View File

@@ -70,18 +70,14 @@ installation_ssh() {
insert_comments "${TARGET}/etc/ssh/sshd_config" insert_comments "${TARGET}/etc/ssh/sshd_config"
# shellcheck disable=SC2153 # shellcheck disable=SC2153
#sed -i -E "s|^\s*ListenAddress\s+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config" sed -i -E "s|^[[:space:]]*ListenAddressIPV4[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^[[:space:]]*ListenAddress[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${VAR_FINAL_IPV6}" ]]; then if [[ -n "${VAR_FINAL_IPV6}" ]]; then
#sed -i -E "s|^\s*ListenAddress\s+::.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config" sed -i -E "s|^[[:space:]]*ListenAddressIPV6[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^[[:space:]]*ListenAddress[[:space:]]+::.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
else else
#sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config" sed -i "/^[[:space:]]*ListenAddressIPV6[[:space:]]*/d" "${TARGET}/etc/ssh/sshd_config"
sed -i "/^[[:space:]]*ListenAddress[[:space:]]*::/d" "${TARGET}/etc/ssh/sshd_config"
fi fi
#sed -i -E "s|^\s*Port\s+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config" sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
if (( ${#ary_user[@]} > 0 )); then if (( ${#ary_user[@]} > 0 )); then
@@ -111,16 +107,41 @@ installation_ssh() {
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log" do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
########################################################################################### ###########################################################################################
# The file /etc/profile.d/idle-users.sh is created to set two read-only # # The file /etc/profile.d/idle-users.sh is created to set the read-only #
# environment variables: TMOUT and HISTFILE. # # environment variables: TMOUT #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.# # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
########################################################################################### ###########################################################################################
echo "readonly TMOUT=14400" >| "${TARGET}/etc/profile.d/idle-users.sh" cat << EOF >| "${TARGET}/etc/profile.d/idle-users.sh"
# TODO: Decide: set HISTFILE=/dev/null or leave unset (readonly var requires value!) # SPDX-Version: 3.0
#echo "readonly HISTFILE" >> "${TARGET}/etc/profile.d/idle-users.sh" # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
chmod +x "${TARGET}/etc/profile.d/idle-users.sh" # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Static file system information: /etc/profile.d/idle-users.sh
# Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture: ${VAR_ARCHITECTURE}
# Distribution: ${VAR_CODENAME}
EOF
cat << 'EOF' >> "${TARGET}/etc/profile.d/idle-users.sh"
case $- in
*i*)
TMOUT=14400
export TMOUT
readonly TMOUT
;;
esac
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 "${TARGET}/etc/profile.d/idle-users.sh"
insert_comments "${TARGET}/etc/profile.d/idle-users.sh"
guard_dir && return 0 guard_dir && return 0
} }

10
func/cdi_4400_hardening/4430_installation_skel.sh
View File

@@ -29,8 +29,18 @@ installation_skel() {
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc" install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias" install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh" install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts" install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
insert_comments "${TARGET}/etc/skel/.bashrc"
insert_comments "${TARGET}/etc/skel/.zshrc"
insert_comments "${TARGET}/etc/skel/.ciss/alias"
insert_comments "${TARGET}/etc/skel/.ciss/clean_logout.sh"
insert_comments "${TARGET}/etc/skel/.ciss/f2bchk.sh"
insert_comments "${TARGET}/etc/skel/.ciss/scan_libwrap"
insert_comments "${TARGET}/etc/skel/.ciss/shortcuts"
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content: ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc" echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
chmod 0644 "${TARGET}/etc/skel/.vimrc" chmod 0644 "${TARGET}/etc/skel/.vimrc"

53
includes/target/etc/skel/.bashrc
View File

@@ -25,34 +25,63 @@ export PATH
trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
. "${HOME}/.ciss/alias" . "${HOME}/.ciss/alias"
. "${HOME}/.ciss/f2bchk.sh" . "${HOME}/.ciss/f2bchk.sh"
. "${HOME}/.ciss/shortcuts"
. "${HOME}/.ciss/scan_libwrap" . "${HOME}/.ciss/scan_libwrap"
. "${HOME}/.ciss/shortcuts"
### Preferred editor for local and remote sessions. ### Preferred editor for local and remote sessions.
export EDITOR="nano" export EDITOR="nano"
### History-Settings ### History-Settings
# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history. # -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
# -'erasedups' Causes all previous lines matching the current line to be removed from the history list before that line is saved. # -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
export HISTCONTROL="erasedups" export HISTCONTROL='ignoreboth:erasedups'
# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history is
# not saved when a shell exits. # The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
# is not saved when a shell exits.
export HISTFILE=~/.bash_history export HISTFILE=~/.bash_history
# The maximum number of lines contained in the history file. # The maximum number of lines contained in the history file.
export HISTFILESIZE="16384" export HISTFILESIZE="16384"
# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list. # The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
# Numeric values less than zero result in every command being saved on the history list (there is no limit). # Numeric values less than zero result in every command being saved on the history list (there is no limit).
export HISTSIZE="16384" export HISTSIZE="16384"
# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions. # If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
export HISTTIMEFORMAT='%F %T ' export HISTTIMEFORMAT='%F %T %z '
# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
# "-a": Appends new entries from RAM to the file.
# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
# "-r": Loads the file back into RAM.
__ciss_hist_pc__='history -a; history -n'
if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
fi
unset __ciss_hist_pc__
export PROMPT_COMMAND
# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS". # Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
shopt -s checkwinsize shopt -s checkwinsize
# Append to the history file, don't overwrite it. # Append to the history file, don't overwrite it.
shopt -s histappend shopt -s histappend
# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories. # If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
shopt -s globstar shopt -s globstar
# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
shopt -s cmdhist
# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
shopt -s lithist
# Check History permissions.
[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
### Define colors for bash prompt. ### Define colors for bash prompt.
export CRED='\033[1;91m' export CRED='\033[1;91m'
export CGRE='\033[1;92m' export CGRE='\033[1;92m'
@@ -91,12 +120,12 @@ printf "\n"
printf "\n" printf "\n"
#printf "\n" #printf "\n"
#printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}" #printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
#printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}" #printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}" #printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
#printf "%s! Type%s " "${CGRE}" "${CRES}" #printf "%b! Type%b " "${CGRE}" "${CRES}"
#printf "%s'celp'%s " "${CMAG}" "${CRES}" #printf "%b'celp'%b " "${CMAG}" "${CRES}"
#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}" #printf "%bfor shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
#printf "\n" #printf "\n"
#printf "\n" #printf "\n"

41
includes/target/etc/skel/.zshrc
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
[[ $- != *i* ]] && return [[ -o interactive ]] || return
# shellcheck disable=SC2312 # shellcheck disable=SC2312
if [[ "$(id -u)" -eq 0 ]]; then if [[ "$(id -u)" -eq 0 ]]; then
@@ -28,7 +28,7 @@ export PATH
export ZSH="${HOME}/.oh-my-zsh" export ZSH="${HOME}/.oh-my-zsh"
# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which # Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
# case, to know which specific one was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes # case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
export ZSH_THEME="robbyrussell" export ZSH_THEME="robbyrussell"
# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load # Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
@@ -119,7 +119,7 @@ source ${ZSH}/oh-my-zsh.sh
# alias zshconfig="mate ~/.zshrc" # alias zshconfig="mate ~/.zshrc"
# alias ohmyzsh="mate ~/.oh-my-zsh" # alias ohmyzsh="mate ~/.oh-my-zsh"
### Added by CISS.debian.hardening ### ### Added by CISS.debian.hardening-Installer ###
trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
. "${HOME}/.ciss/alias" . "${HOME}/.ciss/alias"
. "${HOME}/.ciss/shortcuts" . "${HOME}/.ciss/shortcuts"
@@ -148,10 +148,29 @@ alias rm='rm -iv'
export EDITOR="nano" export EDITOR="nano"
### History ### History
# The name of the file in which command history is saved.
export HISTFILE="${HOME}/.zsh_history" export HISTFILE="${HOME}/.zsh_history"
export HISTSIZE=4294967296 # The maximum number of lines contained in the history file.
export SAVEHIST=4294967296 export HISTSIZE=16384
# The number of commands to remember in the command history.
export SAVEHIST=16384
# Timestamp in the file: epoch:duration;command.
setopt EXTENDED_HISTORY setopt EXTENDED_HISTORY
# Append, do not overwrite.
setopt APPEND_HISTORY
# Append lines immediately to the file.
setopt INC_APPEND_HISTORY
# Reload new lines from other sessions.
setopt SHARE_HISTORY
# Leading space do not log.
setopt HIST_IGNORE_SPACE
# When writing out the history file, older commands that duplicate newer ones are omitted.
setopt HIST_SAVE_NO_DUPS
# Remove superfluous blanks from each command line being added to the history list.
setopt HIST_REDUCE_BLANKS
# Check History permissions.
[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
### Define Users ### Define Users
if [ "${UID}" -eq 0 ]; then if [ "${UID}" -eq 0 ]; then
@@ -166,12 +185,12 @@ RPROMPT='%h|[${USER_COLOR}%*%f]'
### Welcome message after login. ### Welcome message after login.
printf "\n" printf "\n"
printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}" printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}" printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}" printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
printf "%s! Type%s " "${CGRE}" "${CRES}" printf "%b! Type%b " "${CGRE}" "${CRES}"
printf "%s'celp'%s " "${CMAG}" "${CRES}" printf "%b'celp'%b " "${CMAG}" "${CRES}"
printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}" printf "%bfor shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
printf "\n" printf "\n"
printf "\n" printf "\n"

4
includes/target/etc/ssh/sshd_config
View File

@@ -24,8 +24,8 @@ Compression no
LogLevel VERBOSE LogLevel VERBOSE
AddressFamily any AddressFamily any
ListenAddress 0.0.0.0 ListenAddressIPV4 0.0.0.0
ListenAddress :: ListenAddressIPV6 ::
Port MUST_BE_CHANGED Port MUST_BE_CHANGED
AllowUsers root AllowUsers root
UseDNS no UseDNS no

1
includes/target/root/.ciss/alias
View File

@@ -43,6 +43,7 @@ alias aptac='apt autoclean'
alias aptap='apt autopurge' alias aptap='apt autopurge'
alias aptar='apt autoremove' alias aptar='apt autoremove'
alias aptcheck='apt-get check' alias aptcheck='apt-get check'
alias aptcp='apt-cache policy'
alias aptdep='apt-cache depends' alias aptdep='apt-cache depends'
alias aptdl='apt-get install --download-only' alias aptdl='apt-get install --download-only'
alias aptfug='apt full-upgrade' alias aptfug='apt full-upgrade'

1
includes/target/root/.ciss/clean_logout.sh
View File

@@ -9,6 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
clear clear
cat << 'EOF' cat << 'EOF'

16
includes/target/root/.ciss/f2bchk.sh
View File

@@ -48,7 +48,7 @@ f2bchk(){
--log=*) log="${arg#--log=}";; --log=*) log="${arg#--log=}";;
--output=*) output="${arg#--output=}";; --output=*) output="${arg#--output=}";;
*) *)
printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}" printf "%b[ERROR]%b Unknown argument: '%s' %b" "${CRED}" "${CRES}" "${arg}" "${CRED}"
return 1 return 1
;; ;;
esac esac
@@ -60,7 +60,7 @@ f2bchk(){
matched) flag="--print-all-matched"; suffix="all.matched";; matched) flag="--print-all-matched"; suffix="all.matched";;
missed) flag="--print-all-missed"; suffix="all.missed";; missed) flag="--print-all-missed"; suffix="all.missed";;
*) *)
printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}" printf "%b[ERROR]%b Invalid mode: '%s' %b" "${CRED}" "${CRES}" "${mode}" "${NL}"
return 1 return 1
;; ;;
esac esac
@@ -72,24 +72,24 @@ f2bchk(){
fi fi
if [[ ! -r "${log}" ]]; then if [[ ! -r "${log}" ]]; then
printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}" printf "%b[ERROR]%b Log file '%s' not found or not readable. %b" "${CRED}" "${CRES}" "${log}" "${NL}"
return 1 return 1
fi fi
if [[ ! -r "${filter}" ]]; then if [[ ! -r "${filter}" ]]; then
printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}" printf "%b[ERROR]%b Filter file '%s' not found or not readable. %b" "${CRED}" "${CRES}" "${filter}" "${NL}"
return 1 return 1
fi fi
printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}" printf "%b[INFO]%b Running: fail2ban-regex '%s %s %s' %b" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}" printf "%b[SUCCESS]%b Saved log to: '%s' %b" "${CGRE}" "${CRES}" "${output}" "${NL}"
printf "You can view it with: cat %s%s" "${output}" "${NL}" printf "You can view it with: cat %s%b" "${output}" "${NL}"
else else
printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}" printf "%b[ERROR]%b fail2ban-regex execution failed. %b" "${CRED}" "${CRES}" "${NL}"
return 1 return 1
fi fi

6
includes/target/root/.ciss/scan_libwrap
View File

@@ -20,7 +20,7 @@
# None # None
####################################### #######################################
scanlw() { scanlw() {
printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}" printf "%b🔍 Scanning all running processes for 'libwrap' usage ... %b%b" "${CGRE}" "${CRES}" "${NL}"
printf "\n" printf "\n"
### Collect binaries from all running PIDs. ### Collect binaries from all running PIDs.
@@ -37,12 +37,12 @@ scanlw() {
if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
comm=$(ps -p "${pid}" -o comm=) comm=$(ps -p "${pid}" -o comm=)
user=$(ps -p "${pid}" -o user=) user=$(ps -p "${pid}" -o user=)
printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}" printf "%b✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %b%b" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
fi fi
done done
printf "\n" printf "\n"
printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}" printf "%b✅ Scan complete. %b%b" "${CGRE}" "${CRES}" "${NL}"
exit 0 exit 0
} }

12
includes/target/root/.ciss/shortcuts
View File

@@ -10,11 +10,12 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
declare -ga shortcuts=( declare -ag shortcuts=(
"aptac: apt autoclean" "aptac: apt autoclean"
"aptap: apt autopurge" "aptap: apt autopurge"
"aptar: apt autoremove" "aptar: apt autoremove"
"aptcheck: apt-get check" "aptcheck: apt-get check"
"aptcp: apt-cache policy"
"aptdep: apt-cache depends" "aptdep: apt-cache depends"
"aptdl: apti --download-only" "aptdl: apti --download-only"
"aptfug: apt full-upgrade" "aptfug: apt full-upgrade"
@@ -98,11 +99,10 @@ declare -ga shortcuts=(
# None # None
####################################### #######################################
celp() { celp() {
declare arr=("${shortcuts[@]}") declare -a arr=( "${shortcuts[@]}" )
declare cols=3 declare -i cols=3 col_width=42 i=0
declare col_width=42 declare entry=""
declare i=0
declare entry
for entry in "${arr[@]}"; do for entry in "${arr[@]}"; do
### Print entry left-aligned in fixed width, colored. ### Print entry left-aligned in fixed width, colored.
printf "${CMAG}%-${col_width}s${CRES}" "${entry}" printf "${CMAG}%-${col_width}s${CRES}" "${entry}"