msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🔁 Render Graphviz Diagrams. / 🔁 Render Graphviz Diagrams. (push) Successful in 32s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 47s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-24 18:28:35 +02:00
parent e9681e87c5
commit 0a2d983c7d
64 changed files with 525 additions and 1423 deletions
Download Patch File Download Diff File Expand all files Collapse all files

188
ciss_debian_installer.sh
View File

@@ -13,20 +13,15 @@
### Contributions so far see ./docs/CREDITS.md
### WHY BASH?
# Ease of installation.
# No compiling or installing gems, CPAN modules, pip packages, etc.
# Simple to use and read. Clear syntax and straightforward output interpretation.
# Built-in power.
# Pattern matching, line processing, and regular expression support are available natively,
# no external binaries required.
# Cross-platform consistency.
# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
# macOS compatibility.
# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
# Windows support.
# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
# or Cygwin on Windows systems.
### PRELIMINARY CHECKS
# shellcheck disable=2292
[ -z "${BASH_VERSINFO[0]}" ] && {
. ./meta_loader_early.sh
printf "%s❌ Please make sure you are using 'bash'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
@@ -39,6 +34,7 @@
exit "${ERR_USER_IS_NOT_ROOT}"
}
# shellcheck disable=2312
[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
. ./meta_loader_early.sh
printf "%s❌ Please make sure you are calling the script without leading 'sh'! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
@@ -60,17 +56,25 @@
[[ ${#} -eq 0 ]] && {
. ./lib/0000_usage.sh; usage >&2; exit 1; }
### SOURCING MUST SET EARLY VARIABLES
### SOURCING MUST SET EARLY VARIABLES. SOURCING GUARD_SOURCING()
. ./var/early.var.sh
. ./lib/0010_guard_sourcing.sh
### CHECK FOR CONTACT, HELP, AND VERSION STRING
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/0001_contact.sh; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/0000_usage.sh; usage; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/0002_version.sh; version; exit 0;; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT. SOURCING GUARD_SOURCING()
### PRE SCAN FOR DEBUG MODE
. ./lib/0050_debug_pre_scan.sh
pre_scan_debug "$@"
### SOURCING BASH OPTIONS
. ./var/bash.var.sh
umask 0022
### ALL CHECKS DONE. READY TO START THE SCRIPT.
declare -grx VAR_SETUP="true"
. ./lib/0010_guard_sourcing.sh
### CHECK FOR AUTO INSTALL MODE
for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_INSTALL="true";; esac; done; unset arg
@@ -81,32 +85,28 @@ for arg in "$@"; do case "${arg,,}" in -a|--autoinstall) declare -gx VAR_AUTO_IN
check_pkgs
check_git
### PRE SCAN FOR DEBUG MODE
. ./lib/0050_debug_pre_scan.sh
pre_scan_debug "$@"
### ADVISORY LOCK
exec 127>/var/lock/ciss_debian_installer.lock || {
. ./meta_loader_early.sh
printf "%s❌ Cannot open lockfile for writing! Bye... %s%s" "${RED}" "${RES}" "${NL}" >&2
exit "${ERR_FLOCK_PROTECTED}"
}
if ! flock -x -n 127; then
. ./meta_loader_early.sh
printf "%s❌ Another instance is running! Bye...%s%s" "${RED}" "${RES}" "${NL}" >&2
exit "${ERR_FLOCK_COLLISION}"
fi
### SOURCING
[[ "${VAR_SETUP}" == "true" ]] && {
### SOURCING BASH OPTIONS
. ./var/bash.var.sh
### SOURCING FUNCTIONS, LIBRARIES, VARIABLES
if [[ "${VAR_SETUP}" == "true" ]]; then
### SOURCING FUNCTIONS
. ./meta_loader_func.sh
### SOURCING LIBRARIES
. ./meta_loader_lib.sh
### SOURCING VARIABLES
. ./meta_loader_var.sh
}
fi
### ACTIVATING TRAPS
trap 'trap_exit "$?"' EXIT
@@ -116,82 +116,90 @@ trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BA
### PREPARING DIRECTORIES AND FILES
gen_dir_files
### INTERACTIVE MODE NOTES AND KERNEL SELECTION
# TODO: Update 0110_check_kernel.sh & sourcing
# TODO: Update 0120_check_provider.sh & sourcing
#if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
#if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi
# TODO: Implement Debian Style Gauge Bar as Alternative Dialog Wrapper
### Dialog Output for Initialization START
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box; fi
### Dialog Output for Initialization
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_gauge; fi
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
### Initialization
declare -gr ARGUMENTS_COUNT="$#"
declare -gr ARG_STR_ORG_INPUT="$*"
#declare -ar ARG_ARY_ORG_INPUT=("$@")
# shellcheck disable=SC2155
declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
# shellcheck disable=SC2155
declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
# TODO Update temp File Cleaner on trap on ERR / EXIT
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
### Following the CISS Bash naming and ordering scheme
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
arg_parser "$@"
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip
### Updating Status of Dialog Gauge Bar
if ! $VAR_AUTO_INSTALL; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
if ! $VAR_AUTO_INSTALL; then dialog_gauge_cleaner; fi
### MAIN Program
### MAIN PROGRAM SEQUENCE
arg_priority_check
check_stats
if ! $VAR_AUTO_INSTALL; then check_provider; fi
if ! $VAR_AUTO_INSTALL; then check_kernel; fi
check_hooks
hardening_ssh
lb_config_start
lb_config_write
cd "${VAR_WORKDIR}"
hardening_ultra
hardening_root_pw
change_splash
check_dhcp
cdi
provider_netcup
yaml_parser
yaml_reader
### Start the build process
set +o errtrace
lb_build_start
# TODO: Implement / Activate IP, Port validation
# 1222_validation_preseed.sh 1221_validation_ip.sh
# validation_preseed
### PARTITIONING
partitioning
partition_encryption
partition_formatting
setup_filesystem
mount_partition
uuid_logger
### DEBOOTSTRAP
func_debootstrap
configure_system
generate_fstab
generate_crypttab
generate_sources
minimal_toolset
setup_skel
setup_timezone
setup_locales
# TODO: Implement Clang Build Chain and MOK Signing Workflow
installation_kernel
setup_network
setup_hostname
setup_machineid
# TODO: Implement Clang Build Chain and MOK Signing Workflow and integrate GRUB, if needed
setup_grub
setup_grub_password
setup_grub_bootparameter
setup_kernel_modules
setup_kernel_sysctl
installation_microcode
setup_ssh
build_dropbear
install_dropbear_initramfs
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
setup_dropbear
# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml
setup_accounts
# TODO: Check Packages for installation
setup_packages
# TODO: What do we need for CISS environment?
setup_sudo
# TODO: Any changes to the NTPSec Servers?
setup_chrony
exiting_chroot
# TODO: Hardening Scripts Integration
# TODO: SSH 2fa integration
# TODO: Recovery Partition Integration
# TODO: Grub Boot Menu Update for Recovery Integration
# TODO: update-grub Post Hook
# TODO: Copying Log Files to final System
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall
### Dialog Output for Initialization END
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box_cleaner; fi
declare -gx VAR_SCRIPT_SUCCESS="true"
set -o errtrace
run_analysis
copy_db
declare -g VAR_SCRIPT_SUCCESS=true
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

30
docs/graphviz/ciss.debian.installer.secure.boot.dot Normal file
View File

@@ -0,0 +1,30 @@
digraph boot_chain {
rankdir=LR;
node [shape=box style=filled fillcolor="#e3f2fd"];
UEFI [label="UEFI Firmware\n(SECURE BOOT)", fillcolor="#90caf9"];
GRUB [label="grubx64.efi\n(Secure Boot-signed)", fillcolor="#64b5f6"];
DecryptBoot [label="GRUB decrypts\n/boot (LUKS2)", fillcolor="#4fc3f7"];
GRUBCFG [label="Load grub.cfg\n(from decrypted /boot)"];
Kernel [label="Load Kernel:\n/boot/vmlinuz-<ver>"];
Initrd [label="Load Initrd:\n/boot/initrd.img-<ver>"];
Initramfs [label="initramfs:\nUnlock Root (/)", fillcolor="#81d4fa"];
PivotRoot [label="pivot_root/switch_root", fillcolor="#80cbc4"];
Systemd [label="systemd (PID 1)", fillcolor="#a5d6a7"];
MountRest [label="Decrypt + Mount:\n/home, /usr, /var, etc."];
Ephemeral [label="Create ephemeral\nswap & /tmp", fillcolor="#ffe082"];
Login [label="User login"];
UEFI -> GRUB [label="Launch EFI bootloader"];
GRUB -> DecryptBoot [label="Prompt for /boot passphrase"];
DecryptBoot -> GRUBCFG [label="Parse GRUB config"];
GRUBCFG -> Kernel;
GRUBCFG -> Initrd;
Kernel -> Initramfs [label="initrd is unpacked\nand executed"];
Initramfs -> PivotRoot [label="Root unlocked\n(mount /)"];
PivotRoot -> Systemd;
Systemd -> MountRest;
Systemd -> Ephemeral;
MountRest -> Login;
Ephemeral -> Login;
}

64
func/3.8.7.functions_installation_setup_files.sh
View File

@@ -1,64 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.7. Functions - installation - updating files #
###########################################################################################
###########################################################################################
# Updating alias and banner files.
# Globals:
# MODULE_ERR
# MODULE_TXT
# PATH_ABS
# TARGET
# accounts_user_login
# accounts_user_name
# Arguments:
# None
###########################################################################################
3_8_7_functions_installation_setup_files() {
declare -g -x MODULE_ERR="3_8_7_functions_installation_setup_files"
declare -g -x MODULE_TXT="Updating banner files"
do_show_header "${MODULE_TXT}"
cp "${PATH_ABS}"/.assets/.alias "${TARGET}"/root/.alias
chown root:root "${TARGET}"/root/.alias
chmod 0600 "${TARGET}"/root/.alias
do_log "info" "false" "'${TARGET}/root/.alias' installed."
cp "${PATH_ABS}"/.assets/banner "${TARGET}"/etc/banner
chown root:root "${TARGET}"/etc/banner
chmod 0644 "${TARGET}"/etc/banner
do_log "info" "false" "'${TARGET}/etc/banner' installed."
cp "${PATH_ABS}"/.assets/.clean_logout "${TARGET}"/root/.clean_logout
chown root:root "${TARGET}"/root/.clean_logout
chmod 0600 "${TARGET}"/root/.clean_logout
do_log "info" "false" "'${TARGET}/root/.clean_logout' installed."
cp "${PATH_ABS}"/.assets/motd "${TARGET}"/etc/motd
chown root:root "${TARGET}"/etc/motd
chmod 0644 "${TARGET}"/etc/motd
do_log "info" "false" "'${TARGET}/etc/motd' installed."
cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/root/.bashrc
do_log "info" "false" "'${TARGET}/root/.bashrc' updated."
if [[ ${accounts_user_login,,} == "true" ]]; then
cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/home/"${accounts_user_name}"/.bashrc
do_log "info" "false" "'${TARGET}/home/${accounts_user_name}/.bashrc' updated."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

42
func/3.8.8.functions_installation_exiting_chroot.sh
View File

@@ -1,42 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.8. Functions - installation - exiting chroot #
###########################################################################################
###########################################################################################
# Exiting chroot.
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# Arguments:
# None
###########################################################################################
3_8_8_functions_installation_exiting_chroot() {
declare -g -x MODULE_ERR="3_8_8_functions_installation_exiting_chroot"
declare -g -x MODULE_TXT="exiting chroot"
do_show_header "${MODULE_TXT}"
umount -lf "${TARGET}/proc"
do_log "info" "true" "'umount -lf ${TARGET}/proc'."
umount -lf "${TARGET}/sys"
do_log "info" "true" "'umount -lf ${TARGET}/sys'."
umount -lf "${TARGET}/dev"
do_log "info" "true" "'umount -lf ${TARGET}/dev'."
umount -lf "${TARGET}/run"
do_log "info" "true" "'umount -lf ${TARGET}/run'."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

4
func/helper/1080_helper_chroot.sh
View File

@@ -45,6 +45,8 @@ do_in_target() {
HOME=/root \
PATH=/usr/sbin:/usr/bin:/sbin:/bin \
TERM="${TERM}" \
LANG=C.UTF-8 \
LC_ALL=C.UTF-8 \
"${ary_chroot_command[@]}"
then
do_log "info" "true" "Success: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
@@ -85,6 +87,8 @@ do_in_target_script() {
HOME=/root \
PATH=/usr/sbin:/usr/bin:/sbin:/bin \
TERM="${TERM}" \
LANG=C.UTF-8 \
LC_ALL=C.UTF-8 \
/bin/bash -c "${var_chroot_script}"
then

3
func/helper/1081_helper_grub.sh
View File

@@ -15,6 +15,9 @@
guard_sourcing
### Variable to finish GRUB CMDLINE strings.
declare -grx VAR_H='"'
#######################################
# Helper module to extract the current GRUB CMDLINE strings.
# Globals:

6
func/helper/1120_logging_modules.sh
View File

@@ -33,7 +33,7 @@ log_level_value() {
#######################################
# Filter and compare log levels.
# Globals:
# DEFAULT_LOG_LEVEL
# VAR_DEFAULT_LOG_LEVEL
# Arguments:
# 1: "${LOG_LEVEL}" one of: "debug" | "info" | "notice" | "warn" | "error" | "critical" | "fatal" | "emergency"
#######################################
@@ -41,9 +41,9 @@ do_should_log() {
# shellcheck disable=SC2155
declare -i var_desired_log_value=$(log_level_value "$1") # Desired log level
# shellcheck disable=SC2155
declare -i var_default_log_value=$(log_level_value "${DEFAULT_LOG_LEVEL}") # Current threshold
declare -i var_default_log_value=$(log_level_value "${VAR_DEFAULT_LOG_LEVEL}") # Current threshold
### Return true if a message should be logged.
[[ $var_desired_log_value -le $var_default_log_value ]]
[[ ${var_desired_log_value} -le ${var_default_log_value} ]]
}
#######################################

25
func/helper/1251_yaml_reader.sh
View File

@@ -58,6 +58,7 @@ yaml_reader() {
declare var_highest_dev
### Search "${var_if}" for matching recipe_${VAR_RECIPE_STRING}_dev_* entries and find the highest dev letter
# shellcheck disable=SC2312
var_highest_dev=$(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}" | awk -F'_' '
{
if (NF >= 4) {
@@ -78,7 +79,7 @@ END { print max }
### Save the result in VAR_RECIPE_DEV_COUNTER
declare -gx VAR_RECIPE_DEV_COUNTER="${var_highest_dev}"
if [[ -n ${VAR_RECIPE_DEV_COUNTER} ]]; then
if [[ -n "${VAR_RECIPE_DEV_COUNTER}" ]]; then
do_log "info" "true" "Found highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'."
else
do_log "fatal" "true" "Found NO highest recipe device: '${VAR_RECIPE_DEV_COUNTER}'." >&2
@@ -86,9 +87,10 @@ END { print max }
fi
declare var_device="" var_fields="" var_line="" var_partition=""
declare -Agx HMP_RECIPE_DEV_PARTITIONS=()
declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
### Read var_if and iterate through all matching entries without executing in a subshell
# shellcheck disable=SC2312
while read -r var_line; do
### Extract fields of line
IFS='_' read -ra var_fields <<< "${var_line}"
@@ -115,6 +117,13 @@ END { print max }
do_log "info" "false" "Highest number of partitions for ${var_device}: ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}"
done
### Extract architecture
declare -gx VAR_ARCHITECTURE="${architecture}"
### Extract chosen firmware
declare recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
declare -gx VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
### Extract the chosen Nuke mechanism
declare recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
declare -gx VAR_NUKE="${!recipe_nuke_var}"
@@ -123,25 +132,21 @@ END { print max }
declare recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
declare -gx VAR_RECIPE_TABLE="${!recipe_table_var}"
### Extract chosen firmware
declare recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
declare -gx VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary."
do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary."
do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'."
do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."
do_log "info" "true" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."
fi

2
func/partitioning/3200_partitioning.sh
View File

@@ -36,6 +36,7 @@ partitioning() {
declare -a ary_devs ary_parts
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
@@ -64,6 +65,7 @@ partitioning() {
esac
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do

4
func/partitioning/3220_partition_encryption.sh
View File

@@ -32,7 +32,7 @@ guard_sourcing
#######################################
partition_encryption() {
### Declare Arrays and Variables.
declare -Agx HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL
declare -Ag HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL
declare var_dev var_part \
var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_cipher \
var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
@@ -40,10 +40,12 @@ partition_encryption() {
declare -a ary_devs=() ary_parts=() ary_luks_opts=()
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do

2
func/partitioning/3240_partition_formatting.sh
View File

@@ -33,10 +33,12 @@ partition_formatting() {
declare -a ary_devs ary_parts ary_opts ary_fmt_opts
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do

2
func/partitioning/3260_setup_filesystem.sh
View File

@@ -30,10 +30,12 @@ setup_filesystem() {
declare -a ary_devs ary_parts
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do

8
func/partitioning/3280_mount_partition.sh
View File

@@ -23,7 +23,7 @@ guard_sourcing
skip_path() {
declare -a ary_skip=( "/" "/boot" "/boot/efi" "/recovery" )
declare p
for p in "${ary_skip[@]}"; do [[ "$1" == "$p" ]] && return 0; done
for p in "${ary_skip[@]}"; do [[ "$1" == "${p}" ]] && return 0; done
return 1
}
@@ -107,9 +107,9 @@ mount_partition() {
### Mount "/"-filesystem
declare -r var_mount_path_root="/"
if [[ -n ${HMP_MOUNTPATH_DEV[$var_mount_path_root]} ]]; then
if [[ -n ${HMP_MOUNTPATH_DEV[${var_mount_path_root}]} ]]; then
mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[$var_mount_path_root]}" || return "${ERR_MOUNTING_DEV}"
mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[${var_mount_path_root}]}" || return "${ERR_MOUNTING_DEV}"
else
@@ -142,10 +142,12 @@ mount_partition() {
declare -a ary_devs ary_parts
### Iterate over all devices in the recipe.
# shellcheck disable=SC2312
readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
for var_dev in "${ary_devs[@]}"; do
### Iterate over all partitions for this device.
# shellcheck disable=SC2312
readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
for var_part in "${ary_parts[@]}"; do

10
func/partitioning/3290_uuid_logger.sh
View File

@@ -28,10 +28,10 @@ uuid_logger() {
declare var_key var_mountpoint var_uuid
printf 'UUID Partition:\n' >> "${LOG_UID}"
for var_key in "${!HMP_PATH_PARTUUID[@]}"; do
# Remove Prefix "UUID_"
### Remove Prefix "UUID_"
var_mountpoint="${var_key#UUID_}"
var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
# Left-aligned field width 63; "UUID=" starts directly after column 64.
### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
done
@@ -40,17 +40,17 @@ uuid_logger() {
for var_key in "${!HMP_PATH_ENCLABEL[@]}"; do
var_mountpoint="${HMP_PATH_ENCLABEL[${var_key}]}"
var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
# Left-aligned field width 63; "UUID=" starts directly after column 64.
### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
done
printf '\n' >> "${LOG_UID}"
printf 'UUID Filesystem:\n' >> "${LOG_UID}"
for var_key in "${!HMP_PATH_FSUUID[@]}"; do
# Remove Prefix "UUID_"
### Remove Prefix "UUID_"
var_mountpoint="${var_key#UUID_}"
var_uuid="${HMP_PATH_FSUUID[${var_key}]}"
# Left-aligned field width 63; "UUID=" starts directly after column 64.
### Left-aligned field width 63; "UUID=" starts directly after column 64.
printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
done

2
func/system/4000_debootstrap.sh
View File

@@ -25,7 +25,7 @@ guard_sourcing
# 0: on success
#######################################
func_debootstrap() {
# shellcheck disable=SC2154 # "${architecture}" "${distribution}"
# shellcheck disable=SC2312
if debootstrap --arch="${architecture}" "${distribution}" "${TARGET}" https://deb.debian.org/debian | tee "${LOG_DBS}"; then
do_log "info" "false" "Executing 'debootstrap --arch=${architecture} ${distribution} '${TARGET}' https://deb.debian.org/debian' successful."
return 0

11
func/system/4130_setup_network.sh
View File

@@ -70,19 +70,30 @@ setup_network() {
[[ -v network_static_ipv6nameserver_fallback_1 ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
### Check current network connection and configure variables
# shellcheck disable=SC2312
var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')
# shellcheck disable=SC2312
var_auto_ipv4_ccidr=$(ip -4 -o addr show "${var_auto_nic}" | awk '{print $4; exit}')
# shellcheck disable=SC2312
var_auto_ipv4_subnet=$(generate_subnetmask "${var_auto_ipv4_ccidr}")
# shellcheck disable=SC2312
var_auto_ipv4=$(echo "${var_auto_ipv4_ccidr}" | awk -F'/' '{print $1}')
# shellcheck disable=SC2312
var_auto_ipv4_gw=$(ip route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
# shellcheck disable=SC2312
var_auto_ipv6_ccidr=$(ip -6 -o addr show "${var_auto_nic}" | awk '/scope global/ {print $4; exit}')
if [[ -n "${var_auto_ipv6_ccidr}" ]]; then
# shellcheck disable=SC2312
var_auto_ipv6=$(echo "${var_auto_ipv6_ccidr}" | awk -F'/' '{print $1}')
# shellcheck disable=SC2312
var_auto_ipv6_gw=$(ip -6 route show default dev "${var_auto_nic}" | awk '/^default/ {print $3; exit}')
fi
# shellcheck disable=SC2312
var_link_ipv4=$(ping -q -c 1 -W 1 -4 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
# shellcheck disable=SC2312
var_link_ipv6=$(ping -q -c 1 -W 1 -6 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
if [[ -f "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" ]]; then
# shellcheck disable=SC2312
var_auto_fqdn=$(grep -m1 'option host-name' "/var/lib/dhcp/dhclient.${var_auto_nic}.leases" | sed -E 's/.*"([^"]+)".*/\1/')
else
var_auto_fqdn=""

173
func/system/4150_setup_grub.sh
View File

@@ -36,7 +36,9 @@ guard_sourcing
# 0: on success
#######################################
setup_grub() {
declare var_update_grub_required="false"
declare -gx var_update_grub_required="false"
get_all_boot_devs
if [[ "${grub_skip,,}" != "true" ]]; then
@@ -44,37 +46,51 @@ setup_grub() {
if [[ "${grub_latest,,}" == "true" ]]; then
### Install the GRUB2 backported version from the Bookworm backports repository.
do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "true" "Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-pc
fi
else
### Install the GRUB2 stable version.
do_in_target "${TARGET}" apt-get install -y grub2 grub2-common
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "true" "Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-pc
fi
fi
### Install grub on the specific device.
if [[ "${grub_force_efi,,}" == "false" ]]; then
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt"
var_update_grub_required="true"
install_grub_uefi_all
elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
elif [[ "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_in_target "${TARGET}" grub-install --target=i386-pc --boot-directory=/boot --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt" --recheck "${grub_bootdev}"
var_update_grub_required="true"
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos"
var_update_grub_required="true"
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
do_in_target "${TARGET}" grub-install --target=i386-pc --boot-directory=/boot --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos" --recheck "${grub_bootdev}"
var_update_grub_required="true"
install_grub_bios_all
fi
@@ -173,4 +189,123 @@ EOF
return 0
}
#######################################
# Detects and collects all boot devices for GRUB installation.
# Supports /dev/sdX, /dev/vdX, /dev/hdX, /dev/nvmeXn1, /dev/mmcblkX.
# Globals:
# VAR_RECIPE_DEV_COUNTER
# ary_bootdev_all
# grub_bootdev
# Arguments:
# None
# Returns:
# 0: on success
#######################################
get_all_boot_devs() {
declare -ag ary_bootdev_all=()
declare dev="" dev_prefix="" dev_path="" letter=""
declare -i ascii ascii_end ascii_start
### Determine prefix from grub_bootdev (e.g., "sd", "vd", "nvme", "mmcblk")
dev_prefix=$(basename "${grub_bootdev}" | sed -E 's/^([a-z]+)[a-z0-9]*$/\1/')
case "${dev_prefix}" in
sd|vd|hd)
ascii_start=$(printf '%d' "'a")
ascii_end=$(printf '%d' "'${VAR_RECIPE_DEV_COUNTER}")
for ((ascii = ascii_start; ascii <= ascii_end; ascii++)); do
letter=$(printf "%b" "\\$(printf '%03o' "${ascii}")")
dev_path="/dev/${dev_prefix}${letter}"
[[ -b "${dev_path}" ]] && ary_bootdev_all+=("${dev_path}")
done
;;
nvme)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^nvme[0-9]+n1$')
;;
mmcblk)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^mmcblk[0-9]+$')
;;
*)
do_log "warning" "true" "Unrecognized boot device prefix: ${dev_prefix}"
;;
esac
return 0
}
#######################################
# Installs GRUB in BIOS mode on all block devices.
# Globals:
# TARGET
# VAR_RECIPE_TABLE
# ary_bootdev_all
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_PARTITIONTBL on failure
#######################################
install_grub_bios_all() {
declare dev="" partmod=""
case "${VAR_RECIPE_TABLE,,}" in
gpt) partmod="part_gpt" ;;
msdos|mbr) partmod="part_msdos" ;;
*) do_log "emergency" "true" "Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
esac
declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
declare -a args=(--target=i386-pc --boot-directory=/boot "--modules=${var_modules}")
args+=(--recheck)
for dev in "${ary_bootdev_all[@]}"; do
do_in_target "${TARGET}" grub-install "${args[@]}" "${dev}"
do_log "info" "true" "Installed: GRUB on Device: '${dev}' (BIOS)."
var_update_grub_required="true"
done
return 0
}
#######################################
# Installs GRUB to all ESPs in UEFI mode.
# Globals:
# TARGET
# VAR_RECIPE_TABLE
# ary_bootdev_all
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_PARTITIONTBL on failure
#######################################
install_grub_uefi_all() {
declare dev="" partmod=""
case "${VAR_RECIPE_TABLE,,}" in
gpt) partmod="part_gpt" ;;
msdos|mbr) partmod="part_msdos" ;;
*) do_log "emergency" "true" "Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
esac
declare var_modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
declare -a args=(--target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian "--modules=${var_modules}")
for dev in "${ary_bootdev_all[@]}"; do
do_in_target "${TARGET}" grub-install "${args[@]}"
do_log "info" "true" "Installed: GRUB on Device: '${dev}' (UEFI)."
var_update_grub_required="true"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
func/system/4155_setup_grub_password.sh
View File

@@ -54,9 +54,9 @@ setup_grub_password() {
{
echo ""
echo "### Added by CISS.debian.installer ###"
echo "$var_grub_entry"
echo "${var_grub_entry}"
echo "### End by CISS.debian.installer ###"
} >> "$var_of"
} >> "${var_of}"
fi
do_in_target "${TARGET}" update-grub
@@ -80,12 +80,12 @@ generate_grub_password_pbkdf2() {
log_user 0
spawn grub-mkpasswd-pbkdf2 --iteration-count=131072 --salt=64 --buflen=64
expect "Enter password:"
send "$var_pass\r"
send "${var_pass}\r"
expect "Reenter password:"
send "$var_pass\r"
send "${var_pass}\r"
expect {
-re {PBKDF2 hash of your password is (\S+)} {
puts "set superusers=\"$var_user\"\npassword_pbkdf2 $var_user \$expect_out(1,string)"
puts "set superusers=\"${var_user}\"\npassword_pbkdf2 ${var_user} \$expect_out(1,string)"
}
}
EOF

8
func/system/4170_installation_microcode.sh
View File

@@ -24,10 +24,14 @@ guard_sourcing
installation_microcode() {
declare var_microcode_pkgs=""
declare var_whereiam; var_whereiam=$(virt-what | head -n1)
declare var_whereiam
# shellcheck disable=SC2312
var_whereiam=$(virt-what | head -n1)
[[ -z "${var_whereiam}" ]] && var_whereiam="baremetal"
declare var_cpu_vendor; var_cpu_vendor=$(lscpu | awk -F: '/Vendor ID/ {print $2}' | xargs)
declare var_cpu_vendor
# shellcheck disable=SC2312
var_cpu_vendor=$(lscpu | awk -F: '/Vendor ID/ {print $2}' | xargs)
case "${var_cpu_vendor}" in
*AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;;

1
func/system/4190_build_dropbear.sh
View File

@@ -51,6 +51,7 @@ build_dropbear() {
--disable-pam \
--disable-zlib
# shellcheck disable=2312
make -j"$(nproc)"
do_log "info" "true" "Ultra Hardened dropbear-2025.88 build successfully from sources."

4
func/system/4195_setup_dropbear.sh
View File

@@ -103,6 +103,7 @@ setup_dropbear() {
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
"${TARGET}/usr/lib/cryptsetup/scripts/"
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
"${TARGET}/includes/initramfs-tools/files/"
@@ -224,6 +225,7 @@ grep_nic_driver_modules() {
### Collect all ethernet driver names and sort them uniquely.
declare -a _mods
declare var_nic_module var_nic_modules
# shellcheck disable=SC2312
readarray -t _mods < <(
lspci -k \
| grep -A2 -i ethernet \
@@ -239,7 +241,7 @@ grep_nic_driver_modules() {
var_nic_modules="${_mods[*]}"
fi
if [[ -n "$var_nic_module" ]]; then
if [[ -n "${var_nic_module}" ]]; then
echo "${var_nic_module}"
else
echo "${var_nic_modules}"

32
lib/lib_check_dhcp.sh → func/system/4999_exiting_chroot_system.sh
View File

@@ -1,26 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check if hardened Centurion DNS servers are desired.
# Exiting chroot.
# Globals:
# VAR_HANDLER_DHCP
# VAR_WORKDIR
# TARGET
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
check_dhcp() {
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
fi
exiting_chroot() {
umount -lf "${TARGET}/proc"
do_log "info" "true" "'umount -lf ${TARGET}/proc'."
umount -lf "${TARGET}/sys"
do_log "info" "true" "'umount -lf ${TARGET}/sys'."
umount -lf "${TARGET}/dev"
do_log "info" "true" "'umount -lf ${TARGET}/dev'."
umount -lf "${TARGET}/run"
do_log "info" "true" "'umount -lf ${TARGET}/run'."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

28
lib/lib_check_stats.sh → func/system/5000_hardening_files.sh
View File

@@ -1,27 +1,27 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check if analysis run is desired only.
guard_sourcing
###########################################################################################
# Hardening files and directories.
# Globals:
# VAR_HANDLER_STA
# None
# Arguments:
# None
#######################################
check_stats() {
if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
clear
run_analysis
exit 0
fi
# None
# Returns:
# 0: on success
###########################################################################################
hardening_files() {
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

7
includes/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -101,7 +101,7 @@ gather_luks_devices() {
declare -i tries=0
while ((tries < 10)); do
# shellcheck disable=SC2312
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
@@ -299,7 +299,9 @@ trap_on_term() {
# 0: Script Name
#######################################
verify_script() {
declare dir; dir="$(dirname "$(readlink -f "${0}")")"
declare dir
# shellcheck disable=SC2312
dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")"
declare -a algo=("sha512" "sha384")
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
@@ -359,6 +361,7 @@ main() {
### Read newline-separated output into an array.
color_echo "${MAG}" "Scanning for LUKS devices ..."
printf "%s" "${NL}"
# shellcheck disable=SC2312
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### If there are no LUKS devices at all, drop to bash.

2
includes/initramfs-tools/files/unlock_wrapper_signer.sh
View File

@@ -38,7 +38,7 @@ fi
### Extract fingerprint of the first secret key
# shellcheck disable=SC2155
declare -r FPR=$(gpg --homedir "$GNUPGHOME" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
if [[ -z "${FPR}" ]]; then
printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2

2
lib/0010_guard_sourcing.sh
View File

@@ -16,7 +16,7 @@
# Globals:
# BASH_SOURCE
# Arguments:
# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# 1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# Returns:
# 0: Returns '0' in both cases as they are intended to be successful.
#######################################

3
lib/0030_check_pkgs.sh
View File

@@ -23,6 +23,7 @@ check_pkgs() {
apt-get update -y > /dev/null 2>&1
### Define HashMap: command -> package
# shellcheck disable=SC2154
declare -A hmp_command_packages=(
[apt-transport-https]=apt-transport-https
[bzip2]=bzip2
@@ -72,7 +73,7 @@ check_pkgs() {
fi
if [[ -z "$(command -v dialog || true)" ]]; then
if ! ${VAR_AUTO_INSTALL}; then apt-get install -y --no-install-recommends dialog; fi
if ! "${VAR_AUTO_INSTALL}"; then apt-get install -y --no-install-recommends dialog; fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

20
lib/lib_check_var.sh → lib/0040_check_var.sh
View File

@@ -1,23 +1,25 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Unbound Variable Check and call Trap on ERR
# Unbound Variable Check and call Trap on ERR.
# Globals:
# ERR_UNBOUNDVAR
# ERR_UNBOUND_VARIABLE
# Arguments:
# $1: VAR_NAME to check
# 1: VAR_NAME to check
# Returns:
# "${ERR_UNBOUNDVAR}"
# ERR_UNBOUND_VARIABLE
#######################################
check_var() {
declare var_name_to_check="$1"
@@ -29,7 +31,7 @@ check_var() {
fi
else
printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
return "${ERR_UNBOUNDVAR}"
return "${ERR_UNBOUND_VARIABLE}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
lib/0050_debug_pre_scan.sh
View File

@@ -28,7 +28,7 @@ pre_scan_debug() {
for i in "${!args[@]}"; do
if [[ "${args[i]}" == "-d" || "${args[i]}" == "--debug" ]]; then
dbg_index=$i
dbg_index=${i}
. "${script_dir}/0051_debug_var_dump.sh"
declare -grx LOG_VAR="/tmp/ciss_debian_installer_$$_var.log"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"

4
lib/0051_debug_var_dump.sh
View File

@@ -22,6 +22,7 @@ guard_sourcing
dump_vars_initial() {
# shellcheck disable=SC2155
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
# shellcheck disable=SC2312
{
declare var
while IFS= read -r var; do
@@ -44,13 +45,13 @@ dump_vars_exiting() {
# shellcheck disable=SC2155
declare var_dump_vars_final=$(mktemp)
set +x
# shellcheck disable=SC2312
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${var_dump_vars_final}"
set -x
{
printf "✅ CISS.debian.installer Config Variable Dump. \n"
@@ -67,6 +68,7 @@ dump_vars_exiting() {
} >> "${LOG_VAR}"
comm -13 "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" >> "${LOG_VAR}" || true
set -x
rm -f "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
lib/0052_debug_trace.sh
View File

@@ -16,7 +16,7 @@ guard_sourcing
# Wrapper for XTRACE Debug.
# Globals:
# BASH_XTRACEFD
# LOG_TRACE
# LOG_TRC
# PS4
# SHELLOPTS
# Arguments:
@@ -26,11 +26,11 @@ debug_trace() {
### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -grx LOG_TRACE="/tmp/ciss_debian_installer_$$_trace.log"
### Generates empty LOG_TRACE
touch "${LOG_TRACE}" && chmod 0600 "${LOG_TRACE}"
declare -grx LOG_TRC="${DIR_LOG}/ciss_debian_installer_$$_trace.log"
### Generates empty LOG_TRC
touch "${LOG_TRC}" && chmod 0600 "${LOG_TRC}"
### Open file descriptor 42 for writing to the debug log
exec 42>| "${LOG_TRACE}"
exec 42>| "${LOG_TRC}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_header "$#" "$*"
### Tell Bash to send xtrace output to FD 42

1
lib/0053_debug_trace_header.sh
View File

@@ -35,6 +35,7 @@ guard_sourcing
debug_trace_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
#shellcheck disable=SC2312
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug XTRACE Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"

10
lib/0054_debug_trap.sh
View File

@@ -15,9 +15,9 @@ guard_sourcing
declare -g VAR_LAST_CMD=""
declare -g __preexec_invoke=""
# shellcheck disable=SC2155
declare -grx LOG_DEBUG="/tmp/ciss_debian_installer_$$_debug.log"
### Generates empty LOG_DEBUG
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
declare -grx LOG_DBG="${DIR_LOG}/ciss_debian_installer_$$_debug.log"
### Generates empty LOG_DBG
touch "${LOG_DBG}" && chmod 0600 "${LOG_DBG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_trace_header "$#" "$*"
### Define patterns and mask replacements
@@ -36,7 +36,7 @@ declare -Ag MASK_PATTERNS=(
# BASH_LINENO
# BASH_SOURCE
# FUNCNAME
# LOG_DEBUG
# LOG_DBG
# Arguments:
# None
#######################################
@@ -56,7 +56,7 @@ debug_trap_logger() {
declare var_line="${BASH_LINENO[i-1]:-?}"
declare var_script="${BASH_SOURCE[i]:-${BASH_SOURCE[0]}}"
declare var_script_rel="${var_script#"${PWD}"/}"
printf '%s [%s:%s] %s() |%s| RC:%s \n' "${var_ts}" "${var_script_rel}" "${var_line}" "${var_func}" "${var_msg}" "${var_rc}">> "${LOG_DEBUG}"
printf '%s [%s:%s] %s() |%s| RC:%s \n' "${var_ts}" "${var_script_rel}" "${var_line}" "${var_func}" "${var_msg}" "${var_rc}">> "${LOG_DBG}"
}
#######################################

5
lib/0055_debug_trap_header.sh
View File

@@ -18,7 +18,7 @@
# EPOCHREALTIME
# EUID
# HOSTNAME
# LOG_DEBUG
# LOG_DBG
# PPID
# PWD
# SHELLOPTS
@@ -34,6 +34,7 @@
debug_trace_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
# shellcheck disable=SC2312
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug TRAP Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"
@@ -58,6 +59,6 @@ debug_trace_header() {
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >| "${LOG_DEBUG}"
} >| "${LOG_DBG}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
lib/0060_trap_err.sh
View File

@@ -15,16 +15,16 @@ guard_sourcing
#######################################
# Print Error Message for Trap on 'ERR' in '${ERROR_LOG}'.
# Globals:
# ARGUMENTS_COUNT
# VAR_PARAM_COUNT
# ARG_STR_ORG_INPUT
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_DEBUG
# LOG_ERROR
# LOG_TRACE
# LOG_DBG
# LOG_ERR
# LOG_TRC
# LOG_VAR
# NL
# SECONDS
@@ -50,28 +50,28 @@ print_file_err() {
printf "❌ Command : %s %s" "${ERRCMMD}" "${NL}"
printf "❌ Script PID : %s %s" "${$}" "${NL}"
printf "❌ Script Runtime : %s %s" "${SECONDS}" "${NL}"
printf "❌ Arguments Counter : %s %s" "${ARGUMENTS_COUNT}" "${NL}"
printf "❌ Arguments Counter : %s %s" "${VAR_PARAM_COUNT}" "${NL}"
printf "❌ Arguments Original : %s %s" "${ARG_STR_ORG_INPUT}" "${NL}"
printf "❌ Arguments Sanitized : %s %s" "${VAR_ARG_SANITIZED}" "${NL}"
if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then
printf "❌ Vars Dump saved at : %s %s" "${LOG_VAR}" "${NL}"
fi
if "${VAR_DEBUG_TRAP}"; then
printf "❌ DEBUG Log saved at : %s %s" "${LOG_DEBUG}" "${NL}"
printf "❌ cat %s %s" "${LOG_DEBUG}" "${NL}"
printf "❌ DEBUG Log saved at : %s %s" "${LOG_DBG}" "${NL}"
printf "❌ cat %s %s" "${LOG_DBG}" "${NL}"
fi
if "${VAR_DEBUG_TRACE}"; then
printf "❌ TRACE Log saved at : %s %s" "${LOG_TRACE}" "${NL}"
printf "❌ cat %s %s" "${LOG_TRACE}" "${NL}"
printf "❌ TRACE Log saved at : %s %s" "${LOG_TRC}" "${NL}"
printf "❌ cat %s %s" "${LOG_TRC}" "${NL}"
fi
printf "%s" "${NL}"
} >> "${LOG_ERROR}"
} >> "${LOG_ERR}"
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# ARGUMENTS_COUNT
# VAR_PARAM_COUNT
# ARG_STR_ORG_INPUT
# RED
# RES
@@ -80,9 +80,9 @@ print_file_err() {
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_DEBUG
# LOG_ERROR
# LOG_TRACE
# LOG_DBG
# LOG_ERR
# LOG_TRC
# LOG_VAR
# NL
# SECONDS
@@ -107,21 +107,21 @@ print_scr_err() {
printf "%s❌ Command : %s %s%s" "${RED}" "${ERRCMMD}" "${RES}" "${NL}" >&2
printf "%s❌ Script PID : %s %s%s" "${RED}" "${$}" "${RES}" "${NL}" >&2
printf "%s❌ Script Runtime : %s %s%s" "${RED}" "${SECONDS}" "${RES}" "${NL}" >&2
printf "%s❌ Arguments Counter : %s %s%s" "${RED}" "${ARGUMENTS_COUNT}" "${RES}" "${NL}" >&2
printf "%s❌ Arguments Counter : %s %s%s" "${RED}" "${VAR_PARAM_COUNT}" "${RES}" "${NL}" >&2
printf "%s❌ Arguments Original : %s %s%s" "${RED}" "${ARG_STR_ORG_INPUT}" "${RES}" "${NL}" >&2
printf "%s❌ Arguments Sanitized : %s %s%s" "${RED}" "${VAR_ARG_SANITIZED}" "${RES}" "${NL}" >&2
printf "%s❌ Error Log saved at : %s %s%s" "${RED}" "${LOG_ERROR}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_ERROR}" "${RES}" "${NL}" >&2
printf "%s❌ Error Log saved at : %s %s%s" "${RED}" "${LOG_ERR}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_ERR}" "${RES}" "${NL}" >&2
if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then
printf "%s❌ Vars Dump saved at : %s %s%s" "${RED}" "${LOG_VAR}" "${RES}" "${NL}" >&2
fi
if "${VAR_DEBUG_TRAP}"; then
printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_DEBUG}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_DEBUG}" "${RES}" "${NL}" >&2
printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_DBG}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_DBG}" "${RES}" "${NL}" >&2
fi
if "${VAR_DEBUG_TRACE}"; then
printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_TRACE}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_TRACE}" "${RES}" "${NL}" >&2
printf "%s❌ Debug Log saved at : %s %s%s" "${RED}" "${LOG_TRC}" "${RES}" "${NL}" >&2
printf "%s❌ cat %s %s%s" "${RED}" "${LOG_TRC}" "${RES}" "${NL}" >&2
fi
printf "%s" "${NL}"
}

15
lib/0070_trap_exit.sh
View File

@@ -34,6 +34,7 @@ trap_exit() {
exit "${var_trap_on_exit_code}"
else
clean_up "${var_trap_on_exit_code}"
print_scr_exit "${var_trap_on_exit_code}"
exit "${var_trap_on_exit_code}"
fi
}
@@ -41,8 +42,8 @@ trap_exit() {
#######################################
# Print Success Message for Trap on 'EXIT' on 'stdout'.
# Globals:
# LOG_DEBUG
# LOG_TRACE
# LOG_DBG
# LOG_TRC
# LOG_VAR
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
@@ -53,7 +54,7 @@ trap_exit() {
print_scr_exit() {
declare -r var_print_scr_exit_code="$1"
if (( var_print_scr_exit_code == 0 )); then
if [[ "${VAR_SCRIPT_SUCCESS}" == true ]]; then
if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
printf "\n"
printf "\e[92m✅ CISS.debian.installer Script successful. \e[0m\n"
printf "\e[92m✅ Exited with Status : %s \e[0m\n" "${var_print_scr_exit_code}"
@@ -63,12 +64,12 @@ print_scr_exit() {
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_VAR}"
fi
if "${VAR_DEBUG_TRAP}"; then
printf "\e[92m✅ DEBUG Log saved at : %s \e[0m\n" "${LOG_DEBUG}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DEBUG}"
printf "\e[92m✅ DEBUG Log saved at : %s \e[0m\n" "${LOG_DBG}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DBG}"
fi
if "${VAR_DEBUG_TRACE}"; then
printf "\e[92m✅ TRACE Log saved at : %s \e[0m\n" "${LOG_TRACE}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_TRACE}"
printf "\e[92m✅ TRACE Log saved at : %s \e[0m\n" "${LOG_TRC}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_TRC}"
fi
printf "\n"
printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"

4
lib/0090_clean_up.sh
View File

@@ -13,7 +13,7 @@
#######################################
# Clean Up Wrapper on Trap on 'EXIT'.
# Globals:
# LOG_ERROR
# LOG_ERR
# VAR_KERNEL_INF
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
@@ -33,6 +33,6 @@ clean_up() {
exec 127>&-
# Remove the lockfile artifact.
rm -f /run/lock/ciss_debian_installer.lock
if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERR}"; fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
lib/0100_arg_mismatch.sh
View File

@@ -26,12 +26,10 @@ guard_sourcing
#######################################
arg_mismatch() {
### Call cleaner if and only if not in auto-install mode.
if [[ "${VAR_AUTO_INSTALL}" == false ]]; then
if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then
### Dynamically select the cleaner based on the dialog wrapper type.
case "${VAR_IN_DIALOG_WR}" in
box|gauge)
"dialog_${VAR_IN_DIALOG_WR}_cleaner"
;;
box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;;
esac
fi
printf "%s❌ Error: '%s'. %s%s" "${RED}" "${1}" "${RES}" "${NL}" >&2

9
lib/0101_arg_sanitizer.sh
View File

@@ -32,7 +32,7 @@ arg_check() {
# RED
# RES
# ERR_UNSAFE_CHARACTER
# LOG_ERROR
# LOG_ERR
# NL
# VAR_IN_DIALOG_WR
# Arguments:
@@ -43,14 +43,15 @@ sanitize_arg() {
declare disallowed_ctrl=""
### Step 1: Check for control characters
if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then
# shellcheck disable=SC2312
disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
| while read -r c; do printf "%02X " "'$c"; done)
| while read -r c; do printf "%02X " "'${c}"; done)
{
printf "❌ Control character : '%s'. %s" "${disallowed_ctrl}" "${NL}"
printf "❌ in argument : '%s'. %s" "${input}" "${NL}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
printf "%s" "${NL}"
} >> "${LOG_ERROR}"
} >> "${LOG_ERR}"
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;
@@ -74,7 +75,7 @@ sanitize_arg() {
printf "❌ in argument : '%s'. %s" "${input}" "${NL}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
printf "%s" "${NL}"
} >> "${LOG_ERROR}"
} >> "${LOG_ERR}"
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;

31
lib/0102_arg_parser.sh
View File

@@ -15,7 +15,7 @@ guard_sourcing
#######################################
# Argument Parser
# Globals:
# DEFAULT_LOG_LEVEL
# VAR_DEFAULT_LOG_LEVEL
# VAR_AUTO_INSTALL
# VAR_IN_DIALOG_WR
# VAR_PRIORITY
@@ -53,28 +53,9 @@ arg_parser() {
-l | --log)
case "${2,,}" in
info)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
notice)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
warn)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
error)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
emergency)
declare -gx DEFAULT_LOG_LEVEL="$2"
shift 2
;;
info|notice|warn|error|emergency) declare -gx VAR_DEFAULT_LOG_LEVEL="$2"; shift 2 ;;
*)
if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi
if [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_box_cleaner; fi
usage
;;
esac
@@ -121,7 +102,11 @@ arg_parser() {
;;
*)
if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi
if [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == "box" ]]; then
dialog_box_cleaner
elif [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == "gauge" ]]; then
dialog_gauge_cleaner
fi
usage
;;
esac

6
lib/0103_arg_priority_check.sh
View File

@@ -30,14 +30,14 @@ arg_priority_check() {
if [[ -n ${VAR_PRIORITY} ]]; then
renice "${VAR_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "%s✅ New renice value: '%s'. %s%s" "${GRE}" "${var}" "${RES}" "${NL}"
do_log "info" "true" "New renice value: '${var}'."
fi
# Check if ionice PRIORITY is set and adjust ionice priority.
### Check if ionice PRIORITY is set and adjust ionice priority.
if [[ -n ${VAR_REIONICE_CLASS} ]]; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "%s✅ New ionice value: '%s'. %s%s" "${GRE}" "${var}" "${RES}" "${NL}"
do_log "info" "true" "New ionice value: '${var}'."
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

8
lib/lib_check_kernel.sh → lib/0110_check_kernel.sh
View File

@@ -1,15 +1,17 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Kernel Image Selector
# Globals:

8
lib/lib_check_provider.sh → lib/0120_check_provider.sh
View File

@@ -1,15 +1,17 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Notes Textbox
# Arguments:

62
lib/lib_cdi.sh
View File

@@ -1,62 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# CISS.2025.debian.installer GRUB and Autostart Generator
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
# VAR_KERNEL
# VAR_WORKDIR
# Arguments:
# None
#######################################
cdi() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
fi
cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
declare tmp_entry
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
rm -f "${tmp_entry}"
else
# shellcheck disable=SC1003
sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
lib/lib_change_splash.sh
View File

@@ -1,37 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Change Grub Boot Screen Splash
# Globals:
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_SPLASH
# VAR_WORKDIR
# Arguments:
# None
#######################################
change_splash() {
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
lib/lib_check_hooks.sh
View File

@@ -1,37 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Globals:
# ERR_UNCRITICAL
# VAR_WORKDIR
# Arguments:
# None
#######################################
check_hooks() {
declare ifs
ifs=$'\n\t'
shopt -s nullglob
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
exit "${ERR_UNCRITICAL}"
fi
declare file
for file in "${files[@]}"; do
chmod 0755 "${file}"
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

38
lib/lib_copy_integrity.sh
View File

@@ -1,38 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Copy Initial ISO aide Database into Host System
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
# 0 : Aide Init DB copying successful.
#######################################
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

101
lib/lib_hardening_root_pw.sh
View File

@@ -1,101 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# Returns:
# 0: In case no root password is desired.
#######################################
hardening_root_pw() {
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
# sleep 1
return 0
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
# sleep 1
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_file="${cfg_dir}/config.conf"
declare dropin_dir="${cfg_dir}/config.conf.d"
declare dropin_file="${dropin_dir}/20-root-password.conf"
mkdir -p "${dropin_dir}"
cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf
live-config.noautologin
EOF
if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
fi
declare clean_hash="${VAR_HASHED_PWD//\"/}"
printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
chmod 0600 "${dropin_file}"
chown root:root "${dropin_file}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
[Service]
ExecStart=
#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
ExecStart=-agetty --noclear %I $TERM
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
tty1
tty2
tty3
tty4
tty5
tty6
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
### Hotfix I
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#!/bin/sh
# bypass live-config-getty-generator
exit 0
EOF
chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
### Hotfix II
#mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
#touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
# sleep 1
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

63
lib/lib_hardening_ssh.sh
View File

@@ -1,63 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# SSH Hardening Ultra via TCP Wrapper
# Globals:
# ARY_HANDLER_JUMPHOST
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ssh() {
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
EOF
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked-up hostnames still leave understandable logs. In past
# versions of Debian, this has been the default.
# ALL: PARANOID
ALL: ALL
EOF
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

221
lib/lib_hardening_ultra.sh
View File

@@ -1,221 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ultra() {
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
fi
cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
case "${VAR_ARCHITECTURE}" in
amd64)
declare arch_list="./config/package-lists/live.list.amd64.chroot"
declare arch_comment="# amd64 specific packages"
;;
arm64)
declare arch_list="./config/package-lists/live.list.arm64.chroot"
declare arch_comment="# arm64 specific packages"
;;
*)
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
exit 1
;;
esac
declare pkgs
mapfile -t pkgs < <(
grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
)
awk -v comment="${arch_comment}" -v n_pkgs="${#pkgs[@]}" -v pkgs="$(printf '%s\n' "${pkgs[@]}")" '
BEGIN {
split(pkgs, pkg_arr, "\n")
inserted = 0
}
{
# Detect the vim-modeline (last line marker)
if ($0 ~ /^# vim:.*$/ && !inserted) {
print comment
for (i = 1; i <= length(pkg_arr); i++) {
print pkg_arr[i]
}
inserted = 1
}
print
}
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
else
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets []
declare flat_ips
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
# flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"
# Perform an in-place replacement of MUST_BE_SET with the cleaned list
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i \
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
lib/lib_helper_ip.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# IP Notation cleaner for pure IP output only
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
#######################################
clean_ip() {
declare host
declare stripped
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
# Skip if it contains a slash (CIDR range)
if [[ ${stripped} == */* ]]; then
continue
fi
# Directly append, no duplicate check
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

46
lib/lib_lb_build_start.sh
View File

@@ -1,46 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# ERR_UNCRITICAL
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
#######################################
lb_build_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# sleep 1
# shellcheck disable=SC2164
cd "${SCRIPT_BASEPATH}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -type f -name "*.iso" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

55
lib/lib_lb_config_start.sh
View File

@@ -1,55 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# VAR_HANDLER_BUILD_DIR
# Arguments:
# $0: Script-name
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
rm -f ./config/binary
rm -f ./config/bootstrap
rm -f ./config/chroot
rm -f ./config/common
rm -f ./config/source
rm -f ./*.{contents,files,iso,bz2,packages}
# Start lb clean in a completely detached shell
bash -c "lb clean && lb clean --binary --cache" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

121
lib/lib_lb_config_write.sh
View File

@@ -1,121 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# VAR_HANDLER_ISO_COUNTER
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL
# VAR_WORKDIR
# VAR_VERSION
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# Arguments:
# None
#######################################
lb_config_write() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution bookworm \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution bookworm \
--distribution-binary bookworm \
--distribution-chroot bookworm \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb/debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution bookworm \
--parent-distribution bookworm \
--parent-distribution-binary bookworm \
--parent-distribution-chroot bookworm \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot auto \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

45
lib/lib_provider_netcup.sh
View File

@@ -1,45 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Notes Textbox
# Arguments:
# None
#######################################
provider_netcup() {
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
### dns01.eddns.eu dns02.eddns.de
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53
gateway fe80::1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

96
lib/lib_run_analysis.sh
View File

@@ -1,96 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-07; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: ZIMNOL, Andre H.; Private Contributor
# SPDX-FileCopyrightText: 2025; ZIMNOL, Andre H.; <debian@zimnol.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for statistic functions of the final build.
# Globals:
# ERR_UNCRITICAL
# VAR_BUILD_LOG
# VAR_CHROOT_DIR
# VAR_HANDLER_BUILD_DIR
# VAR_PACKAGES_FILE
# Arguments:
# None
#######################################
run_analysis() {
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
printf "\e[92m📊 Start analysis of : %s ... \e[0m\n" "${iso_file}"
# shellcheck disable=SC2155
declare iso_size_hr=$(du -h "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }')
# shellcheck disable=SC2155
declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
# shellcheck disable=SC2155
declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"
if [[ -f "${VAR_BUILD_LOG}" ]]; then
# shellcheck disable=SC2155
declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true)
# shellcheck disable=SC2155
declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true)
if [[ -n "${start_line}" && -n "${end_line}" ]]; then
# shellcheck disable=SC2155
declare start_epoch=$(echo "${start_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
# shellcheck disable=SC2155
declare end_epoch=$(echo "${end_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
# shellcheck disable=SC2155
declare duration_sec=$((end_epoch - start_epoch))
# shellcheck disable=SC2155
declare duration_min=$((duration_sec / 60))
# shellcheck disable=SC2155
declare duration_rest=$((duration_sec % 60))
# shellcheck disable=SC2155
declare build_duration=$(printf "%02dm:%02ds" "${duration_min}" "${duration_rest}")
else
declare build_duration="(Timestamp not found)"
fi
else
declare build_duration="(No log file found)"
fi
# shellcheck disable=SC2155
declare sha_sum=$(sha256sum "$iso_file" | tee "$iso_file.sha256" | awk '{print $1}')
# shellcheck disable=SC2155
declare time=$(date '+%Y-%m-%d %H:%M:%S')
printf "\e[92m🧾 === Build summary === \e[0m\n"
printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
printf "\e[97m📦 ISO-File : %s \e[0m\n" "${iso_file}"
printf "\e[97m📀 ISO-Size : %s \e[0m\n" "${iso_size_hr}"
printf "\e[97m📂 Chroot-Size : %s \e[0m\n" "${chroot_size_hr}"
printf "\e[97m📉 Compression-level : %s \e[0m\n" "${compression}"
printf "\e[97m📦 Packages : %s \e[0m\n" "${package_count}"
printf "\e[97m🕐 Build Time : %s \e[0m\n" "${build_duration}"
printf "\e[97m🧠 CPUs for SquashFS : %s \e[0m\n" "${squash_cpu_used}"
printf "\e[97m🔐 SHA256SUM : %s \e[0m\n" "${sha_sum}"
printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
printf "\e[97m📅 Analysis Time : %s \e[0m\n" "${time}"
printf "\e[92m✅ Analysis completed.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
meta_loader_early.sh
View File

@@ -9,6 +9,8 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
. ./var/colors.var.sh
. ./var/errors.var.sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

25
meta_loader_func.sh
View File

@@ -9,6 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
. ./func/helper/1030_check_nic.sh
. ./func/helper/1080_helper_chroot.sh
. ./func/helper/1081_helper_grub.sh
@@ -23,26 +24,48 @@
. ./func/helper/1222_validation_preseed.sh
. ./func/helper/1250_yaml_parser.sh
. ./func/helper/1251_yaml_reader.sh
. ./func/partitioning/3200_partitioning.sh
. ./func/partitioning/3220_partition_encryption.sh
. ./func/partitioning/3240_partition_formatting.sh
. ./func/partitioning/3260_setup_filesystem.sh
. ./func/partitioning/3280_mount_partition.sh
. ./func/partitioning/3290_uuid_logger.sh
. ./func/system/4000_debootstrap.sh
. ./func/system/4020_configure_system.sh
. ./func/system/4040_generate_fstab.sh
. ./func/system/4060_generate_crypttab.sh
. ./func/system/4080_generate_sources.sh
. ./func/system/4090_minimal_toolset.sh
. ./func/system/4095_setup_skel.sh
. ./func/system/4100_setup_timezone.sh
. ./func/system/4110_setup_locales.sh
. ./func/system/4120_installation_kernel.sh
. ./func/system/4130_setup_network.sh
. ./func/system/4140_setup_hostname.sh
. ./func/system/4150_setup_grub.sh
. ./func/system/4155_setup_grub_password.sh
. ./func/system/4160_grub_bootparameter.sh
. ./func/system/4165_kernel_modules.sh
. ./func/system/4166_kernel_sysctl.sh
. ./func/system/4170_installation_microcode.sh
. ./func/system/4180_setup_ssh.sh
. ./func/system/4190_build_dropbear.sh
. ./func/system/4191_install_dropbear_initramfs.sh
. ./func/system/4195_setup_dropbear.sh
. ./func/
. ./func/system/4200_setup_accounts.sh
. ./func/system/4210_setup_packages.sh
. ./func/system/4220_setup_sudo.sh
. ./func/system/4230_setup_chrony.sh
. ./func/system/4999_exiting_chroot_system.sh
. ./func/system/5000_hardening_files.sh
#. ./func/recovery/3.8.9.functions_installation_wrapper_recovery.sh
#. ./func/recovery/3.9.0.functions_installation_setup_recovery.sh
#. ./func/recovery/3.9.1.functions_installation_generate_files_recovery.sh
#. ./func/9998_check_sshd_config_integrity.sh
#. ./func/9999_check_grub_cmdline.sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

8
meta_loader_lib.sh
View File

@@ -9,10 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
. ./lib/0000_usage.sh
. ./lib/0001_contact.sh
. ./lib/0002_version.sh
. ./lib/0010_guard_sourcing.sh
. ./lib/0011_guard_safe_exec.sh
. ./lib/0020_gen_dir_files.sh
. ./lib/0030_check_pkgs.sh
@@ -31,6 +28,7 @@
. ./lib/0101_arg_sanitizer.sh
. ./lib/0102_arg_parser.sh
. ./lib/0103_arg_priority_check.sh
. ./lib/0104_arg_nuke_converter.sh
. ./lib/0200_dialog_helper.sh
. ./lib/
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
meta_loader_var.sh
View File

@@ -9,8 +9,10 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
. ./var/colors.var.sh
. ./var/errors.var.sh
. ./var/global.var.sh
. ./var/terminal.var.sh
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
var/early.var.sh
View File

@@ -13,7 +13,7 @@
### Definition of MUST set early Variables
# shellcheck disable=SC2155
declare -agx ARY_PARAM_ARRAY=("$@")
declare -ag ARY_PARAM_ARRAY=("$@")
declare -grx VAR_PARAM_COUNT="$#"
declare -grx VAR_PARAM_STRNG="$*"
declare -grx VAR_CONTACT="security@coresecret.eu"
@@ -24,5 +24,5 @@ declare -gx VAR_AUTO_INSTALL="false"
declare -gx VAR_DEBUG_TRACE="false"
declare -gx VAR_DEBUG_TRAP="false"
declare -gx VAR_IN_DIALOG_WR="false"
umask 0022
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

9
var/errors.var.sh
View File

@@ -34,7 +34,7 @@ declare -girx ERR_BTRFS_INITPH=236 # The btrfs subvolume could not be initi
declare -girx ERR_BTRFS_SUBVOL=235 # The btrfs subvolume could not be created.
declare -girx ERR_BTRFS_OPTION=234 # Compression options algo:level not valid btrfs pairs.
declare -girx ERR_MOUNTING_DEV=233 # The Device could not be mounted.
declare -girx ERR_MOUNTING_ROOT=232 # The / Volume could not be mounted.
declare -girx ERR_MOUNTING_ROOT=232 # The '/' Volume could not be mounted.
declare -girx ERR_MOUNTING_LUKS=231 # The LUKS Volume could not be mounted.
declare -girx ERR_UNKNOWN_DEV=230 # Unknown Device Path.
declare -girx ERR_DEBOOTSTRAP=229 # Failure occurred on debootstrap.
@@ -42,9 +42,10 @@ declare -girx ERR_CHRT_MOUNTS=228 # Failure occurred while mounting system
declare -girx ERR_CHRT_COMMAND=227 # Failure occurred while executing chroot environment command.
declare -girx ERR_GRUB_EFI_FORCE=226 # Invalid combination of Partition Table and grub_force_efi.
declare -girx ERR_GRUB_BACKGROUND=225 # Failure occurred on setting up the GRUB-background.
declare -girx ERR_PATH_NOT_VALID=224 # Specific path is not existing.
declare -girx ERR_READ_NUKE_FILE=223 # Error reading Luks Nuke password file.
declare -girx ERR_READ_GRUB_FILE=222 # Error reading Grub password file.
declare -girx ERR_GRUB_ARCHITECTURE=224 # Architecture is not supported by Grub.
declare -girx ERR_PATH_NOT_VALID=223 # Specific path is not existing.
declare -girx ERR_READ_NUKE_FILE=222 # Error reading Luks Nuke password file.
declare -girx ERR_READ_GRUB_FILE=221 # Error reading Grub password file.
### Definition of error trap vars
declare -gx ERRCODE="" # = $? = $1 = ERRCODE

84
var/global.var.sh
View File

@@ -17,7 +17,6 @@ declare -grx VAR_KERNEL_INF="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_inf.X
declare -grx VAR_KERNEL_TMP="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_tmp.XXXXXXXX)"
declare -grx VAR_KERNEL_SRT="$(mktemp --tmpdir --mode=0600 /tmp/var_kernel_srt.XXXXXXXX)"
declare -grx VAR_NOTES="$(mktemp --tmpdir --mode=0600 /tmp/var_notes.XXXXXXXX)"
declare -grx LOG_ERROR="/tmp/ciss_debian_installer_$$_error.log"
declare -grx VAR_SETUP_CONF="preseed.yaml"
declare -grx VAR_SETUP_PART="partitioning.yaml"
declare -grx VAR_SETUP_FILE="${0##*/}" # 'setup.sh'
@@ -47,87 +46,6 @@ declare -grx RECOVERY="/recovery"
declare -grx VAR_SAFE_MNT_BASE="/run/ciss/bootstrap"
### Default log level.
declare -gx DEFAULT_LOG_LEVEL="info"
declare -gx VAR_DEFAULT_LOG_LEVEL="info"
### 1081_helper_grub.sh:
### Variable to finish GRUB CMDLINE strings.
declare -grx VAR_H='"'
### 1250_yaml_parser.sh:
### Indexed Arrays for 'Debian Packages' to install and 'NTPSec Server' to use.
#declare -ag ARY_BOOTPARAM=()
#declare -ag ARY_PACKAGES=()
#declare -ag ARY_NTPSRVR=()
### 1251_yaml_reader.sh:
### Variable for highest device count e.g., /dev/sdf = "f"
declare -gx VAR_RECIPE_DEV_COUNTER=""
### Variable for firmware ("UEFI" || "BIOS")
declare -gx VAR_RECIPE_FIRMWARE=""
### Variable for active recipe (e.g., "gben0afx256")
declare -gx VAR_RECIPE_STRING=""
### Variable partition table ("gpt" || "mbr")
declare -gx VAR_RECIPE_TABLE=""
### Assoziative Array (HashMap) for devices and accompanying partitions
declare -Ag HMP_RECIPE_DEV_PARTITIONS
### 3200_partitioning.sh
### Assoziative Array (HashMap) to store UUIDs for each partition
### HMP_UUID_PARTITION["UUID_${var_dev}${var_part}"]="${var_uuid}"
declare -Ag HMP_UUID_PARTITION
### 3220_partition_encryption.sh
### Assoziative Array (HashMap) to store Ephemeral Device for each Mount Path
### HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
declare -Ag HMP_EPHEMERAL_DEV
### Assoziative Array (HashMap) to store Ephemeral Device Encryption Label for each Mount Path
### HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
declare -Ag HMP_EPHEMERAL_ENCLABEL
### Assoziative Array (HashMap) to store UUID for each Encryption Label
### HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
declare -Ag HMP_ENCRYPTIONLABEL_UUID
### Assoziative Array (HashMap) to store Encryption Label for each Mount Path
### HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
declare -Ag HMP_MOUNTPATH_ENCRYPTIONLABEL
### 3260_setup_filesystem.sh
### Assoziative Array (HashMap) to store Crypt Mapper OR Device for each Mount Path
### HMP_MOUNTPATH_DEV["${var_mount_path}"]="/dev/mapper/${var_encryption_label}"
### HMP_MOUNTPATH_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
declare -Ag HMP_MOUNTPATH_DEV
### TODO
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store the device path for each ephemeral partition
# MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
declare -g -A MAP_EPHEMERAL_DEV=()
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store the encryption label for each ephemeral partition
# MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
declare -g -A MAP_EPHEMERAL_ENCLABEL=()
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store UUIDs for each encrypted partition
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
declare -g -A MAP_UUID_CRYPT=()
# [3_5_1_functions_installation_partition_encryption()] Create a hashmap to store the device path for each encrypted partition
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
declare -g -A MAP_PATH_CRYPT=()
# [3_6_0_functions_installation_setup_filesystem()] Create a hashmap to store the mount paths of each partition
declare -g -A MAP_MOUNTPATH_DEV=()
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
var/terminal.var.sh
View File

@@ -16,4 +16,4 @@ declare -gix COLS=$(tput cols)
declare -gix ROWS_USE=$(($(tput lines) - 8))
declare -gix COLS_USE=$(($(tput cols) - 8))
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh