V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-24 20:40:00 +01:00
parent 559a5a3b88
commit 1453f64a72
7 changed files with 73 additions and 103 deletions
--- a/.preseed/SECRETS.yaml
+++ b/.preseed/SECRETS.yaml
@@ -21,7 +21,6 @@ secrets:
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  x_files: "false"
-  x_files_key: "marc_s_weidner_msw@coresecret.dev_AGE_PRIVKEY"
  ################################################################################################################################
  # Grub bootloader passphrase
  ################################################################################################################################
@@ -90,6 +89,7 @@ secrets:
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user0:
+      name: "user"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
@@ -101,6 +101,7 @@ secrets:
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user1:
+      name: "ansible"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,10 +8,8 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-%YAML 1.2
---
 creation_rules:
-  - path_regex: '(^|.*/)\.preseed/SECRETS\.ya?ml$'
+  - path_regex: '(^|.*/)\.preseed/SECRETS\.yaml$'
    encrypted_regex: '^value$'
 stores:
  yaml:
--- a/func/cdi_1250_yaml/1256_secret_parser.sh
+++ b/func/cdi_1250_yaml/1256_secret_parser.sh
@@ -123,7 +123,8 @@ readonly -f ciss_secret_varname_from_path
 #######################################
 yaml_secret() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     secrets_encrypted="" secrets_privkey="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
+  declare -r  SOPS_AGE_KEY_FILE"/root/.config/sops/age/keys.txt"
+  declare     secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
              __path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname="" __yq_expr=""

  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
@@ -133,15 +134,11 @@ yaml_secret() {
    if ! command -v sops >/dev/null 2>&1; then

      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
-      return "${ERR_MISSING_AGE_KEY}"
+      return "${ERR_MISSING_AGE_BIN}"

    fi

-    secrets_privkey="$(yq -r '.secrets.x_files_key // ""' -- "${secrets_yaml}")" || secrets_privkey=""
-
-    [[ -z "${secrets_privkey}" ]] && return "${ERR_MISSING_AGE_KEY}"
-
-    secrets_privkey="${DIR_CNF}/${secrets_privkey}"
+    [[ -r "${SOPS_AGE_KEY_FILE}" ]] && return "${ERR_MISSING_AGE_KEY}"

  fi

@@ -167,7 +164,7 @@ yaml_secret() {
    ### Decrypt once, stream into yq; avoid storing full doc in memory.
    # shellcheck disable=SC1083,SC2312
    exec {__pipe_fd} < <(
-      SOPS_AGE_KEY_FILE="${secrets_privkey}" sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
+      sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
    )

  else
--- a/func/cdi_4300_network/4330_installation_ssh.sh
+++ b/func/cdi_4300_network/4330_installation_ssh.sh
@@ -94,6 +94,12 @@ EOF
    fi
  done

+  chroot_script "${var_target}" "
+    awk '\$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+    rm -rf /etc/ssh/moduli
+    mv /etc/ssh/moduli.safe /etc/ssh/moduli
+  "
+
  rm -rf "${var_target}"/etc/ssh/ssh_host_*key*

  if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
--- a/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
+++ b/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
@@ -99,7 +99,7 @@ usedns                = yes

 [recidive]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -133,27 +133,11 @@ maxretry              = 4
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
-# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
 #

-[icmp]
-enabled               = true
-banaction             = %(banaction_allports)s
-bantime               = 1h
-bantime.increment     = true
-bantime.factor        = 1
-bantime.maxtime       = 16d
-bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-bantime.overalljails  = true
-bantime.rndtime       = 877s
-filter                = ciss-icmp
-findtime              = 16m
-logpath               = /var/log/ufw.log
-maxretry              = 1
-
 [ufw]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -199,7 +183,7 @@ usedns                = yes

 [recidive]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -233,27 +217,11 @@ maxretry              = 4
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts.
-# There is no necessity to ping our servers excessively. Any client pinging us more than 3 times will be blocked.
 #

-[icmp]
-enabled               = true
-banaction             = %(banaction_allports)s
-bantime               = 1h
-bantime.increment     = true
-bantime.factor        = 1
-bantime.maxtime       = 16d
-bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-bantime.overalljails  = true
-bantime.rndtime       = 877s
-filter                = ciss-icmp
-findtime              = 16m
-logpath               = /var/log/ufw.log
-maxretry              = 3
-
 [ufw]
 enabled               = true
-banaction             = %(banaction_allports)s
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -278,17 +246,6 @@ EOF

  fi

-  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
-  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
-  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
-[Definition]
-# Generic ICMP/ICMPv6 blocks
-failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
-                        ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
--- a/includes/target/etc/initramfs-tools/modules
+++ b/includes/target/etc/initramfs-tools/modules
@@ -21,57 +21,67 @@
 # raid1
 # sd_mod

-### Entropy source for '/dev/random':
-jitterentropy_rng
+### btrfs ----------------------------------------------------------------------------------------------------------------------
+btrfs
+lzo
+xor
+xxhash
+zstd
+zstd_compress

-### Device-mapper core module (required for all dm_* features):
-dm_mod
-
-### Device-mapper integrity target (provides integrity checking):
-dm_integrity
-
-### Device-mapper crypt target (provides disk encryption):
-dm_crypt
-
-### Crypto primitives for LUKS2 / AES-XTS:
+### cryptography ---------------------------------------------------------------------------------------------------------------
+aes_generic
+aesni_intel
+blake2b_generic
+crc32c_generic
+cryptd
 gf128mul
+libcrc32c
 serpent_generic
+sha256_generic
+sha384_generic
+sha512_generic
 twofish_generic
 xts

-### Generic AES block cipher implementation (used by dm-crypt):
-aes_generic
-aesni_intel
+### cryptsetup -----------------------------------------------------------------------------------------------------------------
+dm_mod
+dm_crypt
+dm_integrity
+dm_verity

-### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets):
-sha256_generic
+### Entropy --------------------------------------------------------------------------------------------------------------------
+jitterentropy_rng
+rng_core

-### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets):
-sha384_generic
-
-### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets):
-sha512_generic
-
-### Generic CRC32C checksum implementation (used by btrfs and other filesystems):
-crc32c_generic
-
-### Main btrfs filesystem module:
-btrfs
-
-### Ensure Btrfs root on LUKS works with zstd-compressed extents:
-zstd
-zstd_compress
-xxhash
-
-### XOR parity implementation for RAID functionality:
-xor
-
-### RAID6 parity generation module:
-raid6_pq
-
-### Combined RAID4/5/6 support module:
-raid456
-
-### Ensure ESP support:
+### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
 fat
 vfat
+
+#### nftables ------------------------------------------------------------------------------------------------------------------
+#nf_log_common  # built-in
+#nft_counter    # built-in
+#nft_icmp       # built-in
+#nft_icmpv6     # built-in
+#nft_meta       # built-in
+#nft_set_hash   # built-in
+#nft_set_rbtree # built-in
+#nft_tcp        # built-in
+#nft_udp        # built-in
+nf_conntrack
+nf_nat
+nf_reject_ipv4
+nf_reject_ipv6
+nf_tables
+nft_ct
+nft_limit
+nft_log
+nft_masq
+nft_nat
+nft_reject_inet
+nfnetlink
+nfnetlink_log
+
+### RAID -----------------------------------------------------------------------------------------------------------------------
+raid456
+raid6_pq
--- a/var/errors.var.sh
+++ b/var/errors.var.sh
@@ -60,6 +60,7 @@ declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
 declare -girx ERR_READ_AUTH_FILE=212    # Error reading the Luks Backup auth token file.
 declare -girx ERR_ACCOUNT_CREATE=211    # Error creating user accounts.
 declare -girx ERR_LUKS_HEADER_ENC=210   # Error encrypting LUKS Header backup.
+declare -girx ERR_MISSING_AGE_BIN=130   # SOPS binary for decryption SECRETS.yaml missing.
 declare -girx ERR_MISSING_AGE_KEY=129   # AGE key for decryption SECRETS.yaml values missing.
 declare -girx ERR_GUARD_SOURCE=128      # Module tried to load twice.