V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_1250_yaml/1256_secret_parser.sh

@@ -123,7 +123,8 @@ readonly -f ciss_secret_varname_from_path
 #######################################
 yaml_secret() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     secrets_encrypted="" secrets_privkey="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
+  declare -r  SOPS_AGE_KEY_FILE"/root/.config/sops/age/keys.txt"
+  declare     secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
               __path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname="" __yq_expr=""
 
   secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
@@ -133,15 +134,11 @@ yaml_secret() {
     if ! command -v sops >/dev/null 2>&1; then
 
       do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
-      return "${ERR_MISSING_AGE_KEY}"
+      return "${ERR_MISSING_AGE_BIN}"
 
     fi
 
-    secrets_privkey="$(yq -r '.secrets.x_files_key // ""' -- "${secrets_yaml}")" || secrets_privkey=""
-
-    [[ -z "${secrets_privkey}" ]] && return "${ERR_MISSING_AGE_KEY}"
-
-    secrets_privkey="${DIR_CNF}/${secrets_privkey}"
+    [[ -r "${SOPS_AGE_KEY_FILE}" ]] && return "${ERR_MISSING_AGE_KEY}"
 
   fi
 
@@ -167,7 +164,7 @@ yaml_secret() {
     ### Decrypt once, stream into yq; avoid storing full doc in memory.
     # shellcheck disable=SC1083,SC2312
     exec {__pipe_fd} < <(
-      SOPS_AGE_KEY_FILE="${secrets_privkey}" sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
+      sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
     )
 
   else

func/cdi_4300_network/4330_installation_ssh.sh

@@ -94,6 +94,12 @@ EOF
     fi
   done
 
+  chroot_script "${var_target}" "
+    awk '\$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+    rm -rf /etc/ssh/moduli
+    mv /etc/ssh/moduli.safe /etc/ssh/moduli
+  "
+
   rm -rf "${var_target}"/etc/ssh/ssh_host_*key*
 
   if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then

func/cdi_4400_hardening/4420_hardening_fail2ban.sh

@@ -99,7 +99,7 @@ usedns                = yes
 
 [recidive]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -133,27 +133,11 @@ maxretry              = 4
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
-# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
 #
 
-[icmp]
-enabled               = true
-banaction             = %(banaction_allports)s
-bantime               = 1h
-bantime.increment     = true
-bantime.factor        = 1
-bantime.maxtime       = 16d
-bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-bantime.overalljails  = true
-bantime.rndtime       = 877s
-filter                = ciss-icmp
-findtime              = 16m
-logpath               = /var/log/ufw.log
-maxretry              = 1
-
 [ufw]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -199,7 +183,7 @@ usedns                = yes
 
 [recidive]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -233,27 +217,11 @@ maxretry              = 4
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts.
-# There is no necessity to ping our servers excessively. Any client pinging us more than 3 times will be blocked.
 #
 
-[icmp]
-enabled               = true
-banaction             = %(banaction_allports)s
-bantime               = 1h
-bantime.increment     = true
-bantime.factor        = 1
-bantime.maxtime       = 16d
-bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-bantime.overalljails  = true
-bantime.rndtime       = 877s
-filter                = ciss-icmp
-findtime              = 16m
-logpath               = /var/log/ufw.log
-maxretry              = 3
-
 [ufw]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -278,17 +246,6 @@ EOF
 
   fi
 
-  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
-  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
-  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
-[Definition]
-# Generic ICMP/ICMPv6 blocks
-failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
-                        ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
   insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
   insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
   cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"