msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m43s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-02 13:10:24 +02:00
parent 0d39f3b5e1
commit 41eeb3a621
6 changed files with 33 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.preseed/preseed.yaml
View File

@@ -25,7 +25,7 @@ installer:
apt:
contrib: true # Optionally, install contrib software.
deb_sources: true # Optionally includes deb-src entries for source repositories.
default_list: false # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
default_list: false # By default, source repositories are listed in '/etc/apt/sources.list'.
default_deb822: true # Since Trixie, source repositories are listed in '/etc/apt/sources.list.d/' in deb.822 format.
full_upgrade: true # Whether to upgrade packages after debootstrap.
install_recommends: true # Configure APT to not install recommended packages by default.
@@ -114,7 +114,11 @@ dropbear:
firewall: false # Yet not implemented. MUST be "false".
# Additional ultra hardening of the dropbear initramfs environment via firewall.
# The "bastion_ipv4" MUST be provided.
pgp_key: "/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc"
# './path/to/pgp_public_key.asc' to check the signature of: 'unlock-wrapper.sh'
port: 42137 # SSH Port dropbear initramfs should listen.
sig_file: "/.preseed/unlock-wrapper.sh.sha512.sig"
# './path/to/unlock-wrapper.sh.sha512.sig' to verify the integrity of: 'unlock-wrapper.sh'
################################################################################################################################
# Grub Bootparameter

1
ciss_debian_installer.sh
View File

@@ -12,6 +12,7 @@
### Contributions so far see ./docs/CREDITS.md
# TODO: SSHFP Dropbear Keys Generate
# TODO: Install zsh Tools, eza
# TODO: Implement this function 4215_check_crypttab.sh
# TODO: Implement this function 4435_hardening_fail2ban.sh

10
func/cdi_4200_boot/4210_generate_crypttab.sh
View File

@@ -97,15 +97,15 @@ EOF
"${TARGET}/lib/cryptsetup/scripts/"
#write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=decrypt_keyctl,tries=1"
elif [[ "${var_key}" == "/usr" ]]; then
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=decrypt_keyctl,tries=1"
else
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=decrypt_keyctl,tries=1"
fi
@@ -128,12 +128,12 @@ EOF
swap)
#write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_host_fs_label}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,plain"
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_partuuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,plain"
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_partuuid}" "/dev/urandom" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,plain"
;;
/tmp)
#write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_host_fs_label}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,tmp=ext4"
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_partuuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,plain"
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_partuuid}" "/dev/urandom" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,plain"
chroot_script "${TARGET}" "systemctl mask tmp.mount"
do_log "info" "file_only" "4210() Masked: [tmp.mount]"
;;

2
func/cdi_4200_boot/4230_installation_grub.sh
View File

@@ -128,7 +128,7 @@ GRUB_BACKGROUND="/etc/default/grub.d/${var_background}"
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'vbeinfo'
# GRUB_GFXMODE=1920x1080,1280x1024,1024x768,800x600
GRUB_GFXMODE=1280x1024
GRUB_GFXMODE=auto
GRUB_GFXPAYLOAD_LINUX=keep
EOF

22
func/cdi_4400_hardening/4420_installation_ssh.sh
View File

@@ -111,25 +111,9 @@ installation_ssh() {
# environment variables: TMOUT #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
###########################################################################################
cat << EOF >| "${TARGET}/etc/profile.d/idle-users.sh"
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Static file system information: /etc/profile.d/idle-users.sh
# Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture: ${VAR_ARCHITECTURE}
# Distribution: ${VAR_CODENAME}
EOF
cat << 'EOF' >> "${TARGET}/etc/profile.d/idle-users.sh"
insert_header "${TARGET}/etc/profile.d/idle-users.sh"
insert_comments "${TARGET}/etc/profile.d/idle-users.sh"
cat << EOF >> "${TARGET}/etc/profile.d/idle-users.sh"
case $- in
*i*)
TMOUT=14400

25
includes/target/etc/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -74,7 +74,7 @@ extract_nuke_hash() {
for ARG in ${CMDLINE}; do
case "${ARG}" in
case "${ARG,,}" in
nuke=*)
NUKE_HASH="${ARG#nuke=}"
@@ -150,7 +150,9 @@ nuke() {
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
power_off 16
# TODO: DEBUGGER
drop_bash
#power_off 16
}
#######################################
@@ -299,7 +301,9 @@ trap_on_err() {
trap - ERR INT TERM
stty echo
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
power_off 16
# TODO: DEBUGGER
drop_bash
#power_off 16
}
#######################################
@@ -315,7 +319,9 @@ trap_on_term() {
stty echo
printf "%s" "${NL}"
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." >&2
power_off 3
# TODO: DEBUGGER
drop_bash
#power_off 3
}
#######################################
@@ -346,7 +352,8 @@ verify_script() {
gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
power_off 3
# TODO: DEBUGGER
#power_off 3
}
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
@@ -358,7 +365,8 @@ verify_script() {
if [[ "${computed}" != "${expected}" ]]; then
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
power_off 3
# TODO: DEBUGGER
#power_off 3
fi
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
@@ -412,7 +420,10 @@ main() {
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
secure_unset_pass
exit 0
# TODO: DEBUGGER
echo "Inside if printf %s '${PASSPHRASE}' | cryptroot-unlock; then"
drop_bash
#exit 0
else