V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-12 18:58:03 +01:00
parent 5f36d27c62
commit 140f82829e
8 changed files with 67 additions and 24 deletions
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -115,7 +115,7 @@ dropbear:
  firewall: false              # Yet not implemented. MUST be "false".
                               # Additional ultra hardening of the dropbear initramfs environment via firewall.
                               # The "bastion_ipv4" MUST be provided.
-  port: 42137                  # SSH Port dropbear initramfs should listen.
+  port: 44137                  # SSH Port dropbear initramfs should listen.
  pub_key:  "/.preseed/unlock_wrapper_pubring.gpg"
                               # './path/to/unlock_wrapper_pubring.pgp' to check the signature of: 'unlock-wrapper.sh.sha512.sig'
  sha_file: "/.preseed/unlock_wrapper.sh.sha512"
@@ -133,7 +133,7 @@ grub_parameter:
  # undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
  # auditd records will be lost, and potential malicious activity could go undetected.
  ##############################################################################################################################
-  - "audit_backlog_limit=8192"
+  - "audit_backlog_limit=16384"
  - "audit=1"

  ##############################################################################################################################
@@ -268,7 +268,7 @@ grub_parameter:
  # 6 (KERN_INFO)           informational
  # 7 (KERN_DEBUG)          debug-level messages
  ##############################################################################################################################
-  - "loglevel=7"
+  - "loglevel=0"

  ##############################################################################################################################
  # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
@@ -432,7 +432,7 @@ grub_parameter:
 grub:
  background:                  # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
    enable: true               # If you want to add a GRUB background.
-    path: "/includes/target/etc/default/grub.d/club_1280_720.png"
+    path: "/includes/target/etc/default/grub.d/hexagon_1280_720.png"
  bootdev: "/dev/sda"          # Due notably to potential USB sticks, the location of the primary drive cannot be determined
                               # safely in general, so this needs to be specified.
  force_efi: true              # Force GRUB installation to the EFI removable media path?
@@ -681,7 +681,9 @@ software:
  ##############################################################################################################################
  ### Installed by 4310_dropbear_build.sh
  ##############################################################################################################################
+  # dropbear-bin
  # dropbear-initramfs
+  # gpgv
  #
  ##############################################################################################################################
  ### Installed by 4330_installation_ssh.sh
@@ -843,12 +845,12 @@ user:
    sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    authentication:
      access:
-        ssh: false             # Allow SSH access.
-        tty: false             # Allow TTY (local console) login.
-      password: false          # Allow password login. SSH password login is always disabled.
+        ssh: true              # Allow SSH access.
+        tty: true              # Allow TTY (local console) login.
+      password: true           # Allow password login. SSH password login is always disabled.
      2fa:
-        ssh: true              # Require 2FA for SSH access.
-        tty: true              # Require 2FA for TTY (local console) login.
+        ssh: false             # Require 2FA for SSH access.
+        tty: false             # Require 2FA for TTY (local console) login.
    privileges:
      description: "Root user with full system access and administrative privileges."
      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
@@ -876,8 +878,8 @@ user:
        tty: true              # Allow TTY (local console) login.
      password: true           # Allow password login. SSH password login is always disabled.
      2fa:
-        ssh: true              # Require 2FA for SSH access.
-        tty: true              # Require 2FA for TTY (local console) login.
+        ssh: false             # Require 2FA for SSH access.
+        tty: false             # Require 2FA for TTY (local console) login.
    privileges:
      description: "Primary admin user with full sudo access and interactive login."
      sudo: true               # Whether the user can escalate to root using sudo.