msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m3s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-24 20:40:00 +01:00
parent 559a5a3b88
commit 1453f64a72
7 changed files with 73 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.preseed/SECRETS.yaml
View File

@@ -21,7 +21,6 @@ secrets:
name: "CISS.debian.installer" name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17" version: "V8.00.000.2025.06.17"
x_files: "false" x_files: "false"
x_files_key: "marc_s_weidner_msw@coresecret.dev_AGE_PRIVKEY"
################################################################################################################################ ################################################################################################################################
# Grub bootloader passphrase # Grub bootloader passphrase
################################################################################################################################ ################################################################################################################################
@@ -90,6 +89,7 @@ secrets:
type: "sshpubkey" type: "sshpubkey"
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY" value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
user0: user0:
name: "user"
password: password:
note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication." note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth" scope: "auth"
@@ -101,6 +101,7 @@ secrets:
type: "sshpubkey" type: "sshpubkey"
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY" value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
user1: user1:
name: "ansible"
password: password:
note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication." note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth" scope: "auth"

4
.sops.yaml
View File

@@ -8,10 +8,8 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
creation_rules: creation_rules:
- path_regex: '(^|.*/)\.preseed/SECRETS\.ya?ml$' - path_regex: '(^|.*/)\.preseed/SECRETS\.yaml$'
encrypted_regex: '^value$' encrypted_regex: '^value$'
stores: stores:
yaml: yaml:

13
func/cdi_1250_yaml/1256_secret_parser.sh
View File

@@ -123,7 +123,8 @@ readonly -f ciss_secret_varname_from_path
####################################### #######################################
yaml_secret() { yaml_secret() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare secrets_encrypted="" secrets_privkey="" secrets_yaml="${CISS_SECRETS_SOURCE}" \ declare -r SOPS_AGE_KEY_FILE"/root/.config/sops/age/keys.txt"
declare secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
__path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname="" __yq_expr="" __path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname="" __yq_expr=""
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false" secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
@@ -133,15 +134,11 @@ yaml_secret() {
if ! command -v sops >/dev/null 2>&1; then if ! command -v sops >/dev/null 2>&1; then
do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed." do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
return "${ERR_MISSING_AGE_KEY}" return "${ERR_MISSING_AGE_BIN}"
fi fi
secrets_privkey="$(yq -r '.secrets.x_files_key // ""' -- "${secrets_yaml}")" || secrets_privkey="" [[ -r "${SOPS_AGE_KEY_FILE}" ]] && return "${ERR_MISSING_AGE_KEY}"
[[ -z "${secrets_privkey}" ]] && return "${ERR_MISSING_AGE_KEY}"
secrets_privkey="${DIR_CNF}/${secrets_privkey}"
fi fi
@@ -167,7 +164,7 @@ yaml_secret() {
### Decrypt once, stream into yq; avoid storing full doc in memory. ### Decrypt once, stream into yq; avoid storing full doc in memory.
# shellcheck disable=SC1083,SC2312 # shellcheck disable=SC1083,SC2312
exec {__pipe_fd} < <( exec {__pipe_fd} < <(
SOPS_AGE_KEY_FILE="${secrets_privkey}" sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" - sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
) )
else else

6
func/cdi_4300_network/4330_installation_ssh.sh
View File

@@ -94,6 +94,12 @@ EOF
fi fi
done done
chroot_script "${var_target}" "
awk '\$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli
"
rm -rf "${var_target}"/etc/ssh/ssh_host_*key* rm -rf "${var_target}"/etc/ssh/ssh_host_*key*
if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then

51
func/cdi_4400_hardening/4420_hardening_fail2ban.sh
View File

@@ -99,7 +99,7 @@ usedns = yes
[recidive] [recidive]
enabled = true enabled = true
banaction = %(banaction_allports)s banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 8d bantime = 8d
bantime.increment = true bantime.increment = true
bantime.factor = 1 bantime.factor = 1
@@ -133,27 +133,11 @@ maxretry = 4
# CISS aggressive approach: # CISS aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...). # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt. # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
# #
[icmp]
enabled = true
banaction = %(banaction_allports)s
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-icmp
findtime = 16m
logpath = /var/log/ufw.log
maxretry = 1
[ufw] [ufw]
enabled = true enabled = true
banaction = %(banaction_allports)s banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 1h bantime = 1h
bantime.increment = true bantime.increment = true
bantime.factor = 1 bantime.factor = 1
@@ -199,7 +183,7 @@ usedns = yes
[recidive] [recidive]
enabled = true enabled = true
banaction = %(banaction_allports)s banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 8d bantime = 8d
bantime.increment = true bantime.increment = true
bantime.factor = 1 bantime.factor = 1
@@ -233,27 +217,11 @@ maxretry = 4
# CISS aggressive approach: # CISS aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...). # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts. # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts.
# There is no necessity to ping our servers excessively. Any client pinging us more than 3 times will be blocked.
# #
[icmp]
enabled = true
banaction = %(banaction_allports)s
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
bantime.overalljails = true
bantime.rndtime = 877s
filter = ciss-icmp
findtime = 16m
logpath = /var/log/ufw.log
maxretry = 3
[ufw] [ufw]
enabled = true enabled = true
banaction = %(banaction_allports)s banaction = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
bantime = 1h bantime = 1h
bantime.increment = true bantime.increment = true
bantime.factor = 1 bantime.factor = 1
@@ -278,17 +246,6 @@ EOF
fi fi
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
[Definition]
# Generic ICMP/ICMPv6 blocks
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf" insert_header "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf" insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf" cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"

98
includes/target/etc/initramfs-tools/modules
View File

@@ -21,57 +21,67 @@
# raid1 # raid1
# sd_mod # sd_mod
### Entropy source for '/dev/random': ### btrfs ----------------------------------------------------------------------------------------------------------------------
jitterentropy_rng btrfs
lzo
xor
xxhash
zstd
zstd_compress
### Device-mapper core module (required for all dm_* features): ### cryptography ---------------------------------------------------------------------------------------------------------------
dm_mod aes_generic
aesni_intel
### Device-mapper integrity target (provides integrity checking): blake2b_generic
dm_integrity crc32c_generic
cryptd
### Device-mapper crypt target (provides disk encryption):
dm_crypt
### Crypto primitives for LUKS2 / AES-XTS:
gf128mul gf128mul
libcrc32c
serpent_generic serpent_generic
sha256_generic
sha384_generic
sha512_generic
twofish_generic twofish_generic
xts xts
### Generic AES block cipher implementation (used by dm-crypt): ### cryptsetup -----------------------------------------------------------------------------------------------------------------
aes_generic dm_mod
aesni_intel dm_crypt
dm_integrity
dm_verity
### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets): ### Entropy --------------------------------------------------------------------------------------------------------------------
sha256_generic jitterentropy_rng
rng_core
### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets): ### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
sha384_generic
### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets):
sha512_generic
### Generic CRC32C checksum implementation (used by btrfs and other filesystems):
crc32c_generic
### Main btrfs filesystem module:
btrfs
### Ensure Btrfs root on LUKS works with zstd-compressed extents:
zstd
zstd_compress
xxhash
### XOR parity implementation for RAID functionality:
xor
### RAID6 parity generation module:
raid6_pq
### Combined RAID4/5/6 support module:
raid456
### Ensure ESP support:
fat fat
vfat vfat
#### nftables ------------------------------------------------------------------------------------------------------------------
#nf_log_common # built-in
#nft_counter # built-in
#nft_icmp # built-in
#nft_icmpv6 # built-in
#nft_meta # built-in
#nft_set_hash # built-in
#nft_set_rbtree # built-in
#nft_tcp # built-in
#nft_udp # built-in
nf_conntrack
nf_nat
nf_reject_ipv4
nf_reject_ipv6
nf_tables
nft_ct
nft_limit
nft_log
nft_masq
nft_nat
nft_reject_inet
nfnetlink
nfnetlink_log
### RAID -----------------------------------------------------------------------------------------------------------------------
raid456
raid6_pq

1
var/errors.var.sh
View File

@@ -60,6 +60,7 @@ declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'.
declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file. declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file.
declare -girx ERR_ACCOUNT_CREATE=211 # Error creating user accounts. declare -girx ERR_ACCOUNT_CREATE=211 # Error creating user accounts.
declare -girx ERR_LUKS_HEADER_ENC=210 # Error encrypting LUKS Header backup. declare -girx ERR_LUKS_HEADER_ENC=210 # Error encrypting LUKS Header backup.
declare -girx ERR_MISSING_AGE_BIN=130 # SOPS binary for decryption SECRETS.yaml missing.
declare -girx ERR_MISSING_AGE_KEY=129 # AGE key for decryption SECRETS.yaml values missing. declare -girx ERR_MISSING_AGE_KEY=129 # AGE key for decryption SECRETS.yaml values missing.
declare -girx ERR_GUARD_SOURCE=128 # Module tried to load twice. declare -girx ERR_GUARD_SOURCE=128 # Module tried to load twice.