msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-07 22:51:29 +02:00
parent 95a7f618e8
commit 3ddadce56b
46 changed files with 54 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ciss_debian_installer.sh
View File

@@ -12,6 +12,9 @@
### Contributions so far see ./docs/CREDITS.md
# TODO: Move this command later than 4131_installation_systemd.sh
### Set the X11 keyboard layout (for graphical environments).
#do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
# TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
# TODO: Update preseed.yaml for pgp signing key OR implementation of presigned unlock_wrapper.sh
@@ -290,7 +293,7 @@ update_initramfs
### CDI_4400
echo "MAIN PROGRAM SEQUENCE: 4400_kernel_modules.sh ..."
kernel_modules
kernel_modules && kernel_modprobe
echo "MAIN PROGRAM SEQUENCE: 4410_kernel_sysctl.sh ..."
kernel_sysctl
echo "MAIN PROGRAM SEQUENCE: 4420_installation_ssh.sh ..."

2
func/cdi_3200_partitioning/3200_partitioning.sh
View File

@@ -302,6 +302,6 @@ partitioning() {
printf "%s\n" "${ary_paths_unsorted[@]}" >| "${DIR_LOG}/mount_paths_unsorted.log"
printf "%s\n" "${ARY_PATHS_SORTED[@]}" >| "${DIR_LOG}/mount_paths_sorted.log"
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
View File

@@ -53,6 +53,6 @@ benchmarking_encryption() {
# shellcheck disable=SC2155
declare -girx VAR_KDF_MEMORY=$(awk -F'[ ,]+' '{print $4}' <<<"${var_result}")
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_3200_partitioning/3220_partition_encryption.sh
View File

@@ -202,6 +202,6 @@ partition_encryption() {
done
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_3200_partitioning/3240_partition_formatting.sh
View File

@@ -137,6 +137,6 @@ partition_formatting() {
done
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_3200_partitioning/3280_mount_partition.sh
View File

@@ -363,6 +363,6 @@ mount_partition() {
done
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_3200_partitioning/3290_uuid_logger.sh
View File

@@ -53,6 +53,6 @@ uuid_logger() {
printf '%-63sUUID=%s\n' "${var_mountpoint}" "${var_uuid}" >> "${LOG_UID}"
done
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4000_debootstrap/4000_debootstrap.sh
View File

@@ -52,7 +52,7 @@ func_debootstrap() {
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
return 0
guard_dir && return 0
else

2
func/cdi_4000_debootstrap/4010_prepare_mounts.sh
View File

@@ -112,6 +112,6 @@ prepare_mounts() {
declare -gx VAR_CHROOT_ACTIVATED="system"
do_log "info" "file_only" "4010() Command: [declare -gx VAR_CHROOT_ACTIVATED=system]"
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4000_debootstrap/4020_remove_x509.sh
View File

@@ -38,6 +38,6 @@ remove_x509() {
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4000_debootstrap/4030_setup_hostname.sh
View File

@@ -72,6 +72,6 @@ EOF
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4000_debootstrap/4035_setup_resolv.sh
View File

@@ -100,6 +100,6 @@ EOF
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_4000_debootstrap/4040_setup_timezone.sh
View File

@@ -34,8 +34,6 @@ EOF
do_in_target "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
do_log "info" "file_only" "4040() Timezone updated successfully."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4000_debootstrap/4050_setup_locales.sh
View File

@@ -150,6 +150,6 @@ EOF
### Set the X11 keyboard layout (for graphical environments).
#do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_4100_base/4100_generate_sources.sh
View File

@@ -178,8 +178,6 @@ EOF
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
do_log "info" "file_only" "4100() Sources lists: generated successfully."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4100_base/4110_update_sources.sh
View File

@@ -69,6 +69,6 @@ update_sources() {
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_4100_base/4120_installation_kernel.sh
View File

@@ -42,7 +42,7 @@ installation_kernel() {
do_log "info" "file_only" "4120() Kernel image: '${VAR_KERNEL}' installed successfully."
return 0
guard_dir && return 0
else
@@ -54,7 +54,7 @@ installation_kernel() {
do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
return 0
guard_dir && return 0
fi

2
func/cdi_4100_base/4130_installation_toolset.sh
View File

@@ -127,6 +127,6 @@ installation_toolset() {
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4100_base/4131_installation_systemd.sh
View File

@@ -49,6 +49,6 @@ installation_systemd() {
systemctl --version 2>&1 | tee -a ${var_logfile} | grep -qi 'systemd' || echo '[WARN]: systemd not verifiable' >> ${var_logfile}
"
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4100_base/4132_installation_machineid.sh
View File

@@ -33,6 +33,6 @@ installation_machineid() {
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4100_base/4133_installation_masking.sh
View File

@@ -28,6 +28,6 @@ installation_masking() {
do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4100_base/4140_installation_microcode.sh
View File

@@ -76,6 +76,6 @@ installation_microcode() {
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4100_base/4150_installation_chrony.sh
View File

@@ -78,7 +78,7 @@ installation_chrony() {
rm -f "${var_of}"
return 0
guard_dir && return 0
}
#######################################

4
func/cdi_4200_boot/4200_generate_fstab.sh
View File

@@ -199,8 +199,6 @@ tmpfs /run tmpfs
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
do_log "info" "file_only" "4200() fstab generated successfully."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
func/cdi_4200_boot/4210_generate_crypttab.sh
View File

@@ -104,12 +104,12 @@ EOF
mkdir -p "${TARGET}/usr/lib/cryptsetup/scripts"
### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock-wrapper.sh" \
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
"${TARGET}/etc/initramfs-tools/files/"
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock-wrapper.sh" \
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
"${TARGET}/lib/cryptsetup/scripts/"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock-wrapper.sh"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
else
@@ -155,8 +155,6 @@ EOF
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
do_log "info" "file_only" "4210() crypttab generated successfully."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4200_boot/4220_installation_cryptsetup.sh
View File

@@ -38,6 +38,6 @@ installation_cryptsetup() {
do_log "info" "file_only" "4220() Installation [cryptsetup cryptsetup-initramfs] successful."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4200_boot/4230_installation_grub.sh
View File

@@ -227,7 +227,7 @@ EOF
fi
chmod -R 0700 "${TARGET}/etc/grub.d"
return 0
guard_dir && return 0
}
#######################################

3
func/cdi_4200_boot/4240_update_grub_password.sh
View File

@@ -51,9 +51,8 @@ update_grub_password() {
fi
do_in_target "${TARGET}" update-grub
do_log "info" "file_only" "4240() GRUB Password installed successfully."
return 0
guard_dir && return 0
}
#######################################

2
func/cdi_4200_boot/4250_update_grub_bootparameter.sh
View File

@@ -72,6 +72,6 @@ update_grub_bootparameter() {
do_log "info" "file_only" "4250() Setting GRUB_CMDLINE_LINUX_DEFAULT: [${VAR_GRUB_CMDLINE_LINUX_DEFAULT}]."
do_log "info" "file_only" "4250() Setting GRUB_CMDLINE_LINUX: [${VAR_GRUB_CMDLINE_LINUX}]."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4300_network/4300_installation_network.sh
View File

@@ -280,6 +280,6 @@ EOF
EOF
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

5
func/cdi_4300_network/4310_dropbear_build.sh
View File

@@ -74,11 +74,6 @@ dropbear_build() {
' 2>&1 | tee -a "${TARGET}${var_logfile}"
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
# shellcheck disable=SC2164
#cd "${VAR_SETUP_PATH}"
#do_log "info" "file_only" "4310() Ultra Hardened [dropbear-${var_dropbear_version}] build successfully from sources."
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_4300_network/4311_dropbear_initramfs.sh
View File

@@ -51,8 +51,6 @@ dropbear_initramfs() {
do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
done
do_log "info" "file_only" "4311() Installation [dropbear-initramfs] successful."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4300_network/4312_dropbear_setup.sh
View File

@@ -137,7 +137,7 @@ EOF
fi
return 0
guard_dir && return 0
}
#######################################

2
func/cdi_4300_network/4320_update_initramfs.sh
View File

@@ -38,6 +38,6 @@ update_initramfs() {
echo ExitCode: \$? >> ${var_logfile}
"
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
func/cdi_4400_hardening/4400_kernel_modules.sh
View File

@@ -39,7 +39,7 @@ jitterentropy_rng
EOF
chmod 0644 "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
do_log "info" "file_only" "4400() Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
return 0
guard_dir && return 0
}
#######################################
@@ -52,10 +52,10 @@ EOF
# Returns:
# 0: on success
#######################################
setup_modprobe() {
kernel_modprobe() {
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/modprobe.d/0000_ciss_debian_installer.cnf" \
"${TARGET}/etc/modprobe.d/0000_ciss_debian_installer.conf"
do_log "info" "file_only" "4400() Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4400_hardening/4410_kernel_sysctl.sh
View File

@@ -26,6 +26,6 @@ kernel_sysctl() {
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
"${TARGET}/etc/sysctl.d/99_local.hardened"
do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_4400_hardening/4420_installation_ssh.sh
View File

@@ -105,8 +105,6 @@ installation_ssh() {
#echo "readonly HISTFILE" >> "${TARGET}/etc/profile.d/idle-users.sh"
chmod +x "${TARGET}/etc/profile.d/idle-users.sh"
do_log "info" "file_only" "4420() Installed: [ssh] successfully."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
func/cdi_4400_hardening/4430_installation_skel.sh
View File

@@ -35,8 +35,6 @@ installation_skel() {
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
chmod 0644 "${TARGET}/etc/skel/.vimrc"
do_log "info" "file_only" "4430() Installed: [/etc/skel]-Files successfully."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4400_hardening/4440_hardening_files.sh
View File

@@ -22,6 +22,6 @@ guard_sourcing
# 0: on success
###########################################################################################
hardening_files() {
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4500_user/4500_installation_accounts.sh
View File

@@ -159,6 +159,6 @@ installation_accounts() {
done
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4600_verification/4600_minimal_checks.sh
View File

@@ -40,6 +40,6 @@ minimal_checks() {
fi
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4600_verification/4610_finalize_system.sh
View File

@@ -26,6 +26,6 @@ setup_locales() {
### Set the X11 keyboard layout (for graphical environments).
do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4600_verification/4670_verify_system.sh
View File

@@ -86,6 +86,6 @@ do_log "info" "file_only" "4100() Starting system integrity verification..."
do_log "warning" "file_only" "4100() apt-get check reported errors."
do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4600_verification/4680_check_sshd_config_integrity.sh
View File

@@ -71,4 +71,4 @@ fi
rm -f "${TMP_SSHD_T}"
echo
bold "✔ SSH config integrity check completed."
exit 0
guard_dir && return 0

2
func/cdi_4700_xtended/4700_setup_packages.sh
View File

@@ -31,6 +31,6 @@ setup_packages() {
do_in_target "${TARGET}" apt-get install -y "${var_install_candidate}"
done
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4700_xtended/4799_exiting_chroot_system.sh
View File

@@ -43,6 +43,6 @@ exiting_chroot_system() {
declare -gx VAR_CHROOT_ACTIVATED="false"
return 0
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh