V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m0s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-31 23:04:30 +02:00
parent 930f47f827
commit 45ff672479
103 changed files with 1011 additions and 266 deletions


@@ -0,0 +1,12 @@
#######################################################################
# #
## ##
###### ######## ### ## ######## ### ## ####### ### ####### ### ##
### #### ## ### ### ## ## ### ## #### ##
### ####### ####### ### ### ## ###### ### ## ## #######
### ### ### ### ### ### ## ## ## ### ## ## ### ###
###### ####### ### ## ### ##### ## ## ### ##### ### ##
# #
#######################################################################


@@ -0,0 +1,33 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
driftfile /var/lib/chrony/chrony.drift
keyfile /etc/chrony/chrony.keys
logdir /var/log/chrony
ntsdumpdir /var/lib/chrony
sourcedir /run/chrony-dhcp
sourcedir /etc/chrony/sources.d
log tracking measurements statistics
authselectmode require
leapsectz right/UTC
leapsecmode system
maxupdateskew 100.0
rtcsync
makestep 1 3
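Review bot: `authselectmode require` is set next to `sourcedir /run/chrony-dhcp`, but this file defines no authenticated (NTS or keyed) source of its own. As chrony documents this mode, unauthenticated sources are treated as not selectable, so DHCP-supplied servers would never be used and the clock stays unsynchronised unless `conf.d` or `sources.d` supplies an authenticated source. Either drop the DHCP `sourcedir` line or document the dependency above it, e.g. `# authselectmode require: only NTS/keyed sources from sources.d are selectable; DHCP sources are ignored`.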


@@ -0,0 +1,14 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
DROPBEAR_FIREWALL_ENABLED=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -0,0 +1,66 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck shell=sh
# Firewall script for Dropbear SSH inside initramfs.
# This script runs at the "init-bottom" stage of the early boot process.
#
# It configures basic iptables rules to restrict SSH access to Dropbear
# while the system is in the pre-boot phase (before root is decrypted).
#
# IPv6 is not supported in initramfs at this stage due to complexity.
# Only trusted IPv4 addresses are allowed.
PREREQ="dropbear"
prereqs() { echo "${PREREQ}"; }
case "$1" in
prereqs) prereqs; exit 0 ;;
esac
### Check if the firewall is enabled via the config file.
DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
if [ -f "${DROPBEAR_FW_CONF}" ]; then
# shellcheck disable=SC1090
. "${DROPBEAR_FW_CONF}"
else
DROPBEAR_FIREWALL_ENABLED=0
fi
### Abort if the firewall flag is not set or disabled.
if [ "${DROPBEAR_FIREWALL_ENABLED}" != "1" ]; then
echo "Dropbear firewall disabled by 'dropbear_fw.cnf'."
exit 0
fi
### Ensure iptables is available.
if command -v iptables >/dev/null 2>&1; then
### Reset any existing rules.
iptables -F
iptables -X
### Default policy: block everything unless explicitly allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
### Allow local loopback.
iptables -A INPUT -i lo -j ACCEPT
### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
fi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
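Review bot: The final ACCEPT rule uses `${DROPBEAR_PORT}` and `${DROPBEAR_JUMP_SERVER_IP}`, but neither is assigned in this script, and the `dropbear_fw.cnf` added in this commit sets only `DROPBEAR_FIREWALL_ENABLED`. With the flag at 1 and the variables empty, that rule fails after `iptables -P INPUT DROP` has already been applied, so the host can no longer be reached for unlocking; validate before flushing with `: "${DROPBEAR_PORT:?}" "${DROPBEAR_JUMP_SERVER_IP:?}"`. The `command -v iptables` test has no `else` branch, so an enabled firewall is skipped silently when the binary is absent, and the initramfs hook shown further down this page does not copy `iptables`; print an error and exit non-zero in that case. With INPUT at DROP, consider also adding `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, otherwise replies to outbound traffic are dropped.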


@@ -0,0 +1,396 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
set -Ceuo pipefail
#######################################
# Variable declaration
#######################################
declare -r ASKPASS='/lib/cryptsetup/askpass'
declare -r REGEX='^\$[a-z0-9]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$'
# shellcheck disable=SC2155
declare -r CURRENTDATE=$(date +"%F %T")
declare -r GRE='\e[0;92m'
declare -r MAG='\e[0;95m'
declare -r RED='\e[0;91m'
declare -r RES='\e[0m'
declare -r NL='\n'
declare -g NUKE_ENABLED='false'
declare -g NUKE_HASH=''
declare -g PASSPHRASE=''
#######################################
# Print-colored text.
# Arguments:
# 1: Color code.
# *: Text to print.
#######################################
color_echo() { declare c="$1"; shift; declare msg="${*}"; printf "%s%s %s%s" "${c}" "${msg}" "${RES}" "${NL}"; }
#######################################
# Die helper: print and exit hard.
# Globals:
# NC
# RED
# Arguments:
# 1: Message string to print.
#######################################
die() { printf "%s✘ %s %s%s" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
#######################################
# Drop to bash environment.
# Arguments:
# None
#######################################
drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
#######################################
# Extract the 'nuke='-parameter from '/proc/cmdline'.
# Globals:
# NUKE_ENABLED
# NUKE_HASH
# RED
# Arguments:
# None
# Returns:
# 0: if 'nuke=' was found and extracted.
# 1: if not found.
#######################################
extract_nuke_hash() {
declare ARG="" CMDLINE=""
### Read '/proc/cmdline' into a single line safely.
read -r CMDLINE < /proc/cmdline
for ARG in ${CMDLINE}; do
case "${ARG}" in
nuke=*)
NUKE_HASH="${ARG#nuke=}"
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
NUKE_ENABLED="true"
return 0
else
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." >&2
color_echo "${RED}" "✘ Dropping to bash ...:" >&2
drop_bash
fi
;;
esac
done
### No 'nuke=HASH' entry found.
return 1
}
#######################################
# Gather information of all LUKS Devices available on the system.
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=()
declare -i tries=0
while ((tries < 10)); do
# shellcheck disable=SC2312
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
printf '%s\n' "${curr[@]}"
}
#######################################
# Erase LUKS headers on all LUKS devices and shutdown system.
# Globals:
# DEVICES_LUKS
# RED
# Arguments:
# None
#######################################
nuke() {
declare dev=""
for dev in "${DEVICES_LUKS[@]}"; do
cryptsetup erase --batch-mode "${dev}" || true
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
done
secure_unset_pass
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
power_off 16
}
#######################################
# Unified power-off routine.
# Arguments:
# 1: Sleep time before power-off in seconds (Default to 0 seconds).
#######################################
power_off() {
declare -r wait="${1:-0}"
sleep "${wait}"
sync
echo 1 >| /proc/sys/kernel/sysrq
echo o >| /proc/sysrq-trigger
### The System powers off immediately; no further code is executed.
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# NL
# RED
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
print_scr_err() {
declare -r scr_err_errcode="$1"
declare -r scr_err_errscrt="$2"
declare -r scr_err_errline="$3"
declare -r scr_err_errfunc="$4"
declare -r scr_err_errcmmd="$5"
printf "%s" "${NL}"
color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
printf "%s" "${NL}"
color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2
color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2
color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2
color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2
color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2
printf "%s" "${NL}"
}
#######################################
# Print Error Message for '0'-Exit-Code on Terminal.
# Globals:
# GRE
# Arguments:
# None
#######################################
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
#######################################
# Generates informative shell prompt.
# Globals:
# PS1
# Arguments:
# None
#######################################
prompt_string() {
declare -gx PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
# Show exit status in green if zero
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
# Show exit status in red otherwise
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
|~\$ "
}
#######################################
# Read Passphrase interactively.
# Globals:
# ASKPASS
# NUKE_ENABLED
# NUKE_HASH
# PASSPHRASE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
read_passphrase() {
declare -a METHODS=("sha512crypt" "yescrypt" "scrypt" "bcrypt")
declare METHOD="" SALT=""
PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")"
if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then
### Validate NUKE_HASH format (e.g., $id$salt$hash)
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
for METHOD in "${METHODS[@]}"; do
if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
nuke
fi
done
fi
fi
return 0
}
#######################################
# Securely unset the passphrase variable.
# Globals:
# PASSPHRASE
# Arguments:
# None
#######################################
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; }
#######################################
# Trap function to be called on 'ERR'.
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -r errcode="$1"
declare -r errscrt="$2"
declare -r errline="$3"
declare -r errfunc="$4"
declare -r errcmmd="$5"
trap - ERR INT TERM
stty echo
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
power_off 16
}
#######################################
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
# Globals:
# NL
# RED
# Arguments:
# None
#######################################
trap_on_term() {
trap - ERR INT TERM
stty echo
printf "%s" "${NL}"
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." >&2
power_off 3
}
#######################################
# Check the integrity and authenticity of this script itself.
# Globals:
# GRE
# MAG
# RED
# Arguments:
# 0: Script Name
#######################################
verify_script() {
declare dir
# shellcheck disable=SC2312
dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")"
declare -a algo=("sha512" "sha384")
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
for item in "${algo[@]}"; do
hashfile="${dir}/${script}.${item}"
sigfile="${hashfile}.sig"
cmd="${item}sum"
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
power_off 3
}
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
expected=$(cat "${hashfile}")
if [[ "${computed}" != "${expected}" ]]; then
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
power_off 3
fi
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
done
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
}
#######################################
# Main Program Sequence
# Globals:
# CURRENTDATE
# DEVICES_LUKS
# GRE
# MAG
# NL
# PASSPHRASE
# RED
# Arguments:
# None
#######################################
main() {
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_on_term' INT TERM
color_echo "${RED}" "Coresecret Connection established."
color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
color_echo "${MAG}" "Integrity self-check ..."
printf "%s" "${NL}"
verify_script
### Read newline-separated output into an array.
color_echo "${MAG}" "Scanning for LUKS devices ..."
printf "%s" "${NL}"
# shellcheck disable=SC2312
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### If there are no LUKS devices at all, drop to bash.
if (( ${#DEVICES_LUKS[@]} == 0 )); then
color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
drop_bash
fi
### Extract the 'nuke='-parameter from '/proc/cmdline'.
extract_nuke_hash
### Read passphrase interactively.
read_passphrase
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
secure_unset_pass
exit 0
else
printf "%s" "${NL}"
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'."
drop_bash
fi
}
main "${@}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
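Review bot: `extract_nuke_hash` is called bare in `main` and returns 1 whenever no `nuke=` parameter is on the kernel command line; under `set -e` that status aborts `main`, and as far as the ERR trap applies it powers the machine off, so a system without the parameter cannot unlock. Call it as `extract_nuke_hash || true`, since the function already records its result in `NUKE_ENABLED`. Separately, `main` falls back to `drop_bash` when `cryptroot-unlock` fails, which hands out an interactive shell where `cryptroot-unlock` can be run without the comparison in `read_passphrase`; re-prompting through the wrapper or calling `power_off` would keep that check on every attempt. `read_passphrase` also passes the passphrase to `mkpasswd` as an argument, where it is visible in the process list; `mkpasswd --stdin` avoids that. The colour constants and `NL` are single-quoted and printed with `%s`, so `\e[0;91m` and `\n` are emitted literally; use `%b` in `color_echo` or `$'...'` quoting in the declarations.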


@@ -0,0 +1,78 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
set -Ceuo pipefail
### Paths
declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
declare -r GNUPGHOME="/root/.ciss/gnupg"
### Output Files
declare -r HASH384="${SCRIPT}.sha384"
declare -r HASH512="${SCRIPT}.sha512"
declare -r SIG384="${HASH384}.sig"
declare -r SIG512="${HASH512}.sig"
### Ensure GNUPGHOME exists with secure permissions
mkdir -p "${GNUPGHOME}"
chmod 0700 "${GNUPGHOME}"
### Import private key only if not already present
if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
printf "\e[0;92m✅ Importing private key ... \e[0m\n"
gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
else
printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
fi
### Extract fingerprint of the first secret key
# shellcheck disable=SC2155
declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
if [[ -z "${FPR}" ]]; then
printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
exit 1
fi
printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
### Hashing (only the hash value, no filename)
printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
fi
if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
fi
printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
### Signing Hashes
printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
fi
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
fi
printf "\e[0;92m🔑 Signing hashes done. \e[0m\n"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
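Review bot: Every hashing and signing step sits in an `if ...; then printf ...; fi` with no `else`, so `set -e` does not apply to it: a failed `sha384sum`, `sha512sum` or `gpg --detach-sign` is skipped silently, and the script still prints its "done" lines and reaches `exit 0`. Add `else exit 1` to each of the four conditionals (or run the commands bare) so a missing hash or signature stops the build. `SCRIPT` points at `unlock_wrapper.sh`, while the initramfs hook on this page installs `unlock-wrapper.sh` with its `.sha384`, `.sha512` and `.sig` files, so the names written here do not match the ones the hook copies; confirm which spelling is intended. `FPR` takes the first secret key in the keyring, which is the intended signing key only while the keyring holds exactly one.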


@@ -0,0 +1,87 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: Hook script (initramfs) for setting up the CISS.debian.installer hardened dropbear environment, incl. Luks Nuke.
set -e
PREREQ=""
prereqs() { echo "$PREREQ"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
if [ ! -e /etc/initramfs-tools/files/unlock-wrapper.sh ]; then
echo "Missing unlock-wrapper.sh in /etc/initramfs-tools/files/"
exit 1
fi
### Ensure directory structure in initramfs
mkdir -p "${DESTDIR}/etc/dropbear"
mkdir -p "${DESTDIR}/etc/keys"
mkdir -p "${DESTDIR}/usr/local/bin"
mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
### Include Bash
copy_exec /usr/bin/bash /usr/bin
### Include Busybox
copy_exec /usr/bin/busybox /usr/bin
copy_exec /usr/bin/busybox /bin
### Include lsblk (block device info tool)
copy_exec /usr/bin/lsblk /usr/bin
### Include mkpasswd
copy_exec /usr/bin/mkpasswd /usr/bin
### Include udevadm (udev management tool)
copy_exec /usr/bin/udevadm /usr/bin
### Include sha512sum e.g.
copy_exec /usr/bin/sha512sum /usr/bin
copy_exec /usr/bin/sha384sum /usr/bin
### Include Signature-Verifier
copy_exec /usr/bin/gpgv /usr/bin
### Include Whois
copy_exec /usr/bin/whois /usr/bin
### Link busybox applets for compatibility
for dir in bin usr/bin; do
ln -sf busybox "${DESTDIR}/${dir}/cat"
ln -sf busybox "${DESTDIR}/${dir}/sleep"
done
### Install Dropbear firewall configuration
install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
### Install Dropbear configuration
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
### Install Dropbear Cryptroot Unlock Wrapper
install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384.sig"
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512.sig"
### Install PGP Signing Keys
install -m 0444 /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/pubring.gpg"
### Install Dropbear Banner
install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
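Review bot: `pubring.gpg` is installed into the same image as `unlock-wrapper.sh` and its hash and signature files, so the wrapper's self-check takes its trust anchor from the place it is verifying; it detects corruption of the script, not replacement of the image contents. Say so at the keyring install line, e.g. `# NOTE: keyring ships in the same initramfs as the script it verifies; image integrity must come from the boot chain`. `copy_exec /usr/bin/whois /usr/bin` adds a network client that nothing in the wrapper shown on this page calls (only `mkpasswd` is used), so drop it unless another script needs it.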


@@ -0,0 +1,34 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
set -e
PREREQ=""
prereqs() { echo "$PREREQ"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
mkdir -p "${DESTDIR}/etc"
cat >| "${DESTDIR}/etc/profile" << 'EOF'
export PS1='$( STATUS=$?; \
if [ "${STATUS}" -eq 0 ]; then \
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;92m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
else \
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
fi; ) '
EOF
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -0,0 +1,64 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
### QEMU Bochs-compatible virtual machine support
bochs
### Device-mapper core module (required for all dm_* features)
dm_mod
### Device-mapper integrity target (provides integrity checking)
dm-integrity
### Device-mapper crypt target (provides disk encryption)
dm-crypt
### Generic AES block cipher implementation (used by dm-crypt)
aes_generic
### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
sha256_generic
### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
sha384_generic
### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
sha512_generic
### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
crc32c_generic
### Main btrfs filesystem module
btrfs
### Zstandard compression support for btrfs
zstd_compress
### XOR parity implementation for RAID functionality
xor
### RAID6 parity generation module
raid6_pq
### Combined RAID4/5/6 support module
raid456


@@ -0,0 +1,18 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
set -e
### Make sure /usr/local/bin is in front of 'PATH'.
export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

11
includes/target/etc/issue Normal file

@@ -0,0 +1,11 @@
********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
********************************************************************


@@ -0,0 +1,11 @@
********************************************************************
* *
* This system is for the use of authorized users only. Usage of *
* this system may be monitored and recorded by system personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence from such monitoring to law enforcement officials. *
* *
********************************************************************


@@ -0,0 +1,411 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/login.defs - Configuration control definitions for the login package.
#
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed. All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#
# Modified for Linux. --marekm
# REQUIRED for useradd/userdel/usermod
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
# MAIL_DIR takes precedence.
#
# Essentially:
# - MAIL_DIR defines the location of users mail spool files
# (for mbox use) by appending the username to MAIL_DIR as defined
# below.
# - MAIL_FILE defines the location of the users mail spool files as the
# fully-qualified filename obtained by prepending the user home
# directory before $MAIL_FILE
#
# NOTE: This is no more used for setting up users MAIL environment variable
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
# job of the pam_mail PAM modules
# See default PAM configuration files provided for
# login, su, etc.
#
# This is a temporary situation: setting these variables will soon
# move to /etc/default/useradd and the variables will then be
# no more supported
MAIL_DIR /var/mail
#MAIL_FILE .mail
#
# Enable logging and display of /var/log/faillog login failure info.
# This option conflicts with the pam_tally PAM module.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login failures are recorded.
#
# WARNING: Unknown usernames may become world readable.
# See #290803 and #298773 for details about how this could become a security
# concern
LOG_UNKFAIL_ENAB no
#
# Enable logging of successful logins
#
LOG_OK_LOGINS no
#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
# If defined, login failures will be logged here in a utmp format
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
# However, the default and recommended value for TTYPERM is still 0600
# to not allow anyone to write to anyone else console or terminal
# Users can still allow other people to write them by issuing
# the "mesg y" command.
TTYGROUP tty
TTYPERM 0600
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
#
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
UMASK 077
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE 0700
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 16384
PASS_MIN_DAYS 1
PASS_WARN_AGE 128
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
#SYS_GID_MIN 100
#SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
#
# Max number of login retries if password is bad. This will most likely be
# overriden by PAM, since the default pam_unix module has it's own built
# in of 3 retries. However, this is a safe fallback in case you are using
# an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5
#
# Max time in seconds for login
#
LOGIN_TIMEOUT 180
#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT rwh
#
# Should login be allowed if we can't cd to the home directory?
# Default is no.
#
DEFAULT_HOME yes
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
# Other former uses of this variable such as setting the umask when
# user==primary group are not used in PAM environments, such as Debian
#
USERGROUPS_ENAB yes
#
# Instead of the real user shell, the program specified by this parameter
# will be launched, although its visible name (argv[0]) will be the shell's.
# The program may do whatever it wants (logging, additional authentification,
# banner, ...) before running the actual shell.
#
# FAKE_SHELL /bin/fakeshell
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# upon these devices.
#
# This variable is used by login and su.
#
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
# This variable is used by login and su.
#
#CONSOLE_GROUPS floppy:audio:cdrom
#
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD YESCRYPT
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, the libc will choose the default number of rounds (5000),
# which is orders of magnitude too low for modern hardware.
# The values must be within the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
SHA_CRYPT_MIN_ROUNDS 8388608
SHA_CRYPT_MAX_ROUNDS 8388608
#
# Only works if ENCRYPT_METHOD is set to YESCRYPT.
#
# Define the YESCRYPT cost factor.
# With a higher cost factor, it is more difficult to brute-force the password.
# However, more CPU time and more memory will be needed to authenticate users
# if this value is increased.
#
# If not specified, a cost factor of 5 will be used.
# The value must be within the 1-11 range.
#
YESCRYPT_COST_FACTOR 8
#
# The pwck(8) utility emits a warning for any system account with a home
# directory that does not exist. Some system accounts intentionally do
# not have a home directory. Such accounts may have this string as
# their home directory in /etc/passwd to avoid a spurious warning.
#
NONEXISTENT /nonexistent
#
# Allow newuidmap and newgidmap when running under an alternative
# primary group.
#
#GRANT_AUX_GROUP_SUBIDS yes
#
# Prevents an empty password field to be interpreted as "no authentication
# required".
# Set to "yes" to prevent for all accounts
# Set to "superuser" to prevent for UID 0 / root (default)
# Set to "no" to not prevent for any account (dangerous, historical default)
PREVENT_NO_AUTH superuser
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
#
# Note: It is recommended to check hmac(3) to see the possible algorithms
# that are available in your system.
#
#HMAC_CRYPTO_ALGO SHA512
################# OBSOLETED BY PAM ##############
# #
# These options are now handled by PAM. Please #
# edit the appropriate file in /etc/pam.d/ to #
# enable the equivelants of them. #
# #
#################################################
#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
#MAIL_CHECK_ENAB
#OBSCURE_CHECKS_ENAB
#PORTTIME_CHECKS_ENAB
#SU_WHEEL_ONLY
#CRACKLIB_DICTPATH
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#ENVIRON_FILE
#NOLOGINS_FILE
#ISSUE_FILE
#PASS_MIN_LEN
#PASS_MAX_LEN
#ULIMIT
#ENV_HZ
#CHFN_AUTH
#CHSH_AUTH
#FAIL_DELAY
################# OBSOLETED #######################
# #
# These options are no more handled by shadow. #
# #
# Shadow utilities will display a warning if they #
# still appear. #
# #
###################################################
# CLOSE_SESSIONS
# LOGIN_STRING
# NO_PASSWORD_CONSOLE
# QMAIL_DIR
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf


@@ -0,0 +1 @@
b08dfa6083e7567a1921a715000001fb


@@ -0,0 +1,124 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.864.2025.07.15
# The kernel allows unprivileged users to indirectly cause certain modules to be loaded via module auto-loading. This allows an
# attacker to auto-load a vulnerable module which is then exploited. One such example is CVE-2017-6074, in which an attacker
# could trigger the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a vulnerability in said
# kernel module. Specific kernel modules can be blacklisted by inserting files into '/etc/modprobe.d' with instructions on which
# kernel modules to blacklist.
##### Disable Uncommon Network Protocols #####
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
install netrom /bin/true
install x25 /bin/true
install rose /bin/true
install decnet /bin/true
install econet /bin/true
install af_802154 /bin/true
install ipx /bin/true
install appletalk /bin/true
install psnap /bin/true
install p8023 /bin/true
install p8022 /bin/true
install can /bin/true
install atm /bin/true
# DCCP Datagram Congestion Control Protocol
# SCTP Stream Control Transmission Protocol
# RDS Reliable Datagram Sockets
# TIPC Transparent Inter-process Communication
# HDLC High-Level Data Link Control
# AX25 Amateur X.25
# NetRom
# X25
# ROSE
# DECnet
# Econet
# af_802154 IEEE 802.15.4
# IPX Internetwork Packet Exchange
# AppleTalk
# PSNAP Subnetwork Access Protocol
# p8023 Novell raw IEEE 802.3
# p8022 IEEE 802.2
# CAN Controller Area Network
# ATM
##### Disable Uncommon Filesystems #####
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
blacklist cramfs
blacklist freevxfs
blacklist jffs2
blacklist hfs
blacklist hfsplus
blacklist squashfs
blacklist udf
##### Disable Uncommon Network Filesystems #####
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install ksmbd /bin/true
install gfs2 /bin/true
blacklist cifs
blacklist nfs
blacklist nfsv3
blacklist nfsv4
blacklist ksmbd
blacklist gfs2
# The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
install vivid /bin/true
##### Disable access to USB #####
install usb_storage /bin/true
blacklist usb-storage
##### Disable access to IEEE1394 #####
install firewire-core /bin/true
##### Blacklist automatic loading of miscellaneous modules #####
##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
# evbug is a debug tool that should be loaded explicitly
blacklist evbug
# these drivers are very simple
blacklist usbmouse
blacklist usbkbd
# causes no end of confusion by creating unexpected network interfaces
blacklist eth1394
# ugly and loud noise, getting on everyone's nerves
blacklist pcspkr
# Descriptions partly Copyright (c) 2022 madaidan, https://madaidans-insecurities.github.io/index.html
# Descriptions partly Copyright https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
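Review bot: Every `install <module> /bin/true` line makes a blocked load report success, so a refused request is indistinguishable from a successful one to whoever ran modprobe. Pointing the install command at `/bin/false` instead, e.g. `install dccp /bin/false`, makes modprobe exit non-zero, which gives administrators and monitoring something to notice. The protocol block, `vivid` and `firewire-core` also have no matching `blacklist` line while both filesystem blocks do; the two styles should be made consistent. Disabling `squashfs` breaks anything on the target that mounts squashfs images, so a one-line comment naming that trade-off would help the next maintainer.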

7
includes/target/etc/motd Normal file

@@ -0,0 +1,7 @@
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2018 - 2025
Centurion Intelligence Consulting Agency (tm)
https://coresecret.eu/
Please consider making a donation:
https://coresecret.eu/spenden/


@@ -0,0 +1,86 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Current recommendations for '/etc/security/pwquality.conf' based on common best practices, including NIST SP 800-63B,
### https://pages.nist.gov/800-63-3/sp800-63b.html and weighing usability against security.
### Configuration for systemwide password quality limits
### Defaults:
### Number of characters in the new password that must not be present in the old password.
difok = 4
### Length over complexity: Studies show that longer passphrases are significantly more resistant to brute-force and dictionary
### attacks. NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
### Twenty characters strike a good balance between security and user convenience. Minimum acceptable size for the new password
### (plus one if credits are not disabled, which is the default). Cannot be set to a lower value than 6.
minlen = 42
### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase) because they can lead users to adopt
### predictable patterns (e.g., "Pa$$word!"). Length and dictionary checks are more effective.
### The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new
### password.
dcredit = 0
### The maximum credit for having uppercase characters in the new password. If less than 0, it is the minimum number of
### uppercase characters in the new password.
ucredit = 0
### The maximum credit for having lowercase characters in the new password. If less than 0, it is the minimum number of
### lowercase characters in the new password.
lcredit = 0
### The maximum credit for having other characters in the new password. If less than 0, it is the minimum number of other
### characters in the new password.
ocredit = 0
### The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).
minclass = 0
### The maximum number of allowed consecutive same characters in the new password. The check is disabled if the value is 0.
maxrepeat = 4
### The maximum number of allowed consecutive characters of the same class in the new password. The check is disabled if the
### value is 0.
maxclassrepeat = 0
### Whether to check for the words from the passwd entry GECOS string of the user. The check is enabled if the value is not 0.
### gecoscheck = 0
### Whether to check for the words from the cracklib dictionary. The check is enabled if the value is not 0.
dictcheck = 1
### Whether to check if it contains the username in some form. The check is enabled if the value is not 0.
usercheck = 1
### Length of substrings from the username to check for in the password. The check is enabled if the value is greater than 0,
### and the usercheck is enabled.
usersubstr = 3
### Whether the check is enforced by the PAM module and possibly other applications. The new password is rejected if it fails
### the check, and the value is not 0.
enforcing = 1
### Path to the cracklib dictionaries. The default is to use the cracklib default.
dictpath =
### Prompt user at most N times before returning with error. The default is 1.
retry = 3
#### Enforces pwquality checks on the root user password. Enabled if the option is present.
enforce_for_root
### Skip testing the password quality for users that are not present in the '/etc/passwd' file. Enabled if the option is present.
local_users_only
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
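Review bot: The comment above `minlen` argues that twenty characters strike a good balance, but the value set is `minlen = 42`, so the file documents one policy and enforces another. One of the two should change; if 42 is intended, the comment could say so directly, e.g. `### Minimum length is deliberately set to 42 for this framework.` The "(plus one if credits are not disabled)" remark also does not apply to this file, because all four credit settings are 0 and `minlen` is therefore the exact minimum.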


@@ -0,0 +1,103 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
[[ $- != *i* ]] && return
# shellcheck disable=SC2312
if [[ "$(id -u)" -eq 0 ]]; then
umask 0022
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
else
umask 0077
PATH="/usr/local/bin:/usr/bin:/bin"
fi
export PATH
trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
. "${HOME}/.ciss/alias"
. "${HOME}/.ciss/f2bchk.sh"
. "${HOME}/.ciss/shortcuts"
. "${HOME}/.ciss/scan_libwrap"
### Preferred editor for local and remote sessions.
export EDITOR="nano"
### History-Settings
# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
# -'erasedups' Causes all previous lines matching the current line to be removed from the history list before that line is saved.
export HISTCONTROL="erasedups"
# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history is
# not saved when a shell exits.
export HISTFILE=~/.bash_history
# The maximum number of lines contained in the history file.
export HISTFILESIZE="16384"
# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
# Numeric values less than zero result in every command being saved on the history list (there is no limit).
export HISTSIZE="16384"
# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
export HISTTIMEFORMAT='%F %T '
# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
shopt -s checkwinsize
# Append to the history file, don't overwrite it.
shopt -s histappend
# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
shopt -s globstar
### Define colors for bash prompt.
export CRED='\033[1;91m'
export CGRE='\033[1;92m'
export CYEL='\033[1;93m'
export CBLU='\033[1;94m'
export CMAG='\033[1;95m'
export CCYA='\033[1;96m'
export CWHI='\033[1;97m'
export CRES='\033[0m'
export NL='\n'
### Define color prompt incl. 'Exit Code' feedback.
export PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\
\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
### Overwrite Protection.
set -o noclobber
alias cp="cp -iv"
alias mv='mv -iv'
alias rm='rm -iv'
### Welcome message after login.
printf "\n"
printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
printf "\n"
printf "\n"
#printf "\n"
#printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
#printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
#printf "%s! Type%s " "${CGRE}" "${CRES}"
#printf "%s'celp'%s " "${CMAG}" "${CRES}"
#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
#printf "\n"
#printf "\n"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
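Review bot: In the `PS1` definition the else branch prints `\$?` after the `[[ \$? -eq 0 ]]` test has already run, so every failing command is shown as exit code 1 instead of its real status. Save the status before testing it, `\$(rc=\$?; if [[ \$rc -eq 0 ]]; then …`, and echo `\$rc` in both branches. Separately, root gets `umask 0022`, the looser of the two values, while the login.defs in this commit sets `UMASK 077`; if that is deliberate, a one-line comment stating why would stop it from reading as an oversight. The four `. "${HOME}/.ciss/…"` lines also source their files without checking that they exist.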


@@ -0,0 +1,178 @@
#!/bin/zsh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
[[ $- != *i* ]] && return
# shellcheck disable=SC2312
if [[ "$(id -u)" -eq 0 ]]; then
umask 0022
# If you come from bash, you might have to change your $PATH.
PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
else
umask 0077
# If you come from bash, you might have to change your $PATH.
PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
fi
export PATH
### Path to your Oh My Zsh installation.
export ZSH="${HOME}/.oh-my-zsh"
# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
# case, to know which specific one was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
export ZSH_THEME="robbyrussell"
# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
# Uncomment the following line to use case-sensitive completion.
# CASE_SENSITIVE="true"
# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
# interchangeable.
# HYPHEN_INSENSITIVE="true"
# Uncomment one of the following lines to change the auto-update behavior
# zstyle ':omz:update' mode disabled # disable automatic updates
# zstyle ':omz:update' mode auto # update automatically without asking
# zstyle ':omz:update' mode reminder # just remind me to update when it's time
# Uncomment the following line to change how often to auto-update (in days).
# zstyle ':omz:update' frequency 13
# Uncomment the following line if pasting URLs and other text is messed up.
# DISABLE_MAGIC_FUNCTIONS="true"
# Uncomment the following line to disable colors in ls.
# DISABLE_LS_COLORS="true"
# Uncomment the following line to disable auto-setting terminal title.
# DISABLE_AUTO_TITLE="true"
# Uncomment the following line to enable command autocorrection.
# ENABLE_CORRECTION="true"
# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
# that is shown instead of the default red dots.
# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
# COMPLETION_WAITING_DOTS="true"
# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
# check for large repositories much, much faster.
# DISABLE_UNTRACKED_FILES_DIRTY="true"
# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
# You can set one of the optional three formats:
# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
export HIST_STAMPS="yyyy-mm-dd"
# Would you like to use another custom folder than $ZSH/custom?
# ZSH_CUSTOM=/path/to/new-custom-folder
# Which plugins would you like to load?
# Standard plugins can be found in $ZSH/plugins/
# Custom plugins may be added to $ZSH_CUSTOM/plugins/
# Example format: plugins=(rails git textmate ruby lighthouse)
# Add wisely, as too many plugins slow down shell startup.
export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
source ${ZSH}/oh-my-zsh.sh
# User configuration
# export MANPATH="/usr/local/man:{$MANPATH}"
# You may need to manually set your language environment
# export LANG=en_US.UTF-8
# Preferred editor for local and remote sessions
# if [[ -n $SSH_CONNECTION ]]; then
# export EDITOR='vim'
# else
# export EDITOR='nvim'
# fi
# Compilation flags
# export ARCHFLAGS="-arch $(uname -m)"
# Set personal aliases, overriding those provided by Oh My Zsh libs,
# plugins, and themes. Aliases can be placed here, though Oh My Zsh
# users are encouraged to define aliases within a top-level file in
# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
# - $ZSH_CUSTOM/aliases.zsh
# - $ZSH_CUSTOM/macos.zsh
# For a full list of active aliases, run `alias`.
#
# Example aliases
# alias zshconfig="mate ~/.zshrc"
# alias ohmyzsh="mate ~/.oh-my-zsh"
### Added by CISS.debian.hardening ###
trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
. "${HOME}/.ciss/alias"
. "${HOME}/.ciss/shortcuts"
. "${HOME}/.ciss/scan_libwrap"
. /usr/share/doc/fzf/examples/key-bindings.zsh
. /usr/share/doc/fzf/examples/completion.zsh
### Define colors for bash prompt
export CRED='\033[1;91m'
export CGRE='\033[1;92m'
export CYEL='\033[1;93m'
export CBLU='\033[1;94m'
export CMAG='\033[1;95m'
export CCYA='\033[1;96m'
export CWHI='\033[1;97m'
export CRES='\033[0m'
export NL='\n'
### Overwrite Protection
set -o noclobber
alias cp="cp -iv"
alias mv='mv -iv'
alias rm='rm -iv'
### Preferred editor for local and remote sessions
export EDITOR="nano"
### History
export HISTFILE="${HOME}/.zsh_history"
export HISTSIZE=4294967296
export SAVEHIST=4294967296
setopt EXTENDED_HISTORY
### Define Users
if [ "${UID}" -eq 0 ]; then
export USER_COLOR="%F{001}"
else
export USER_COLOR="%F{002}"
fi
### CISS.debian.hardening Prompt
PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
RPROMPT='%h|[${USER_COLOR}%*%f]'
### Welcome message after login.
printf "\n"
printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
printf "%s! Type%s " "${CGRE}" "${CRES}"
printf "%s'celp'%s " "${CMAG}" "${CRES}"
printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
printf "\n"
printf "\n"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
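Review bot: `source ${ZSH}/oh-my-zsh.sh` loads the framework and three plugins into every interactive shell, root included, while all `zstyle ':omz:update'` lines stay commented out, so the framework's default update behaviour remains in effect. For a hardened target I would pin that explicitly by uncommenting `zstyle ':omz:update' mode disabled` and refreshing the checkout through the installer instead. The root branch of `PATH` also puts `${HOME}/bin` and `${HOME}/.local/bin` ahead of the system directories, unlike the bash profile in this commit; dropping them for UID 0 keeps a stray file there from shadowing a system binary. The welcome block passes `${CRED}`, `${CRES}` and `${NL}` through `%s`, which prints the backslash sequences literally; `%b` would interpret them.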


@@ -0,0 +1,135 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.864.2025.07.15
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
Banner /etc/banner
DebianBanner no
VersionAddendum none
Compression no
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port MUST_BE_CHANGED
AllowUsers root
UseDNS no
### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
### whichever occurs first.
RekeyLimit 1G 1h
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
TrustedUserCAKeys none
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2
### Begin randomly dropping new unauthenticated connections after the 8th attempt,
### with a 64% chance to drop each additional connection, up to a hard limit of 16.
MaxStartups 08:64:16
### Restrict each individual source IP to only 4 unauthenticated connection slot
### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
PerSourceMaxStartups 8
ClientAliveInterval 300
ClientAliveCountMax 2
AuthorizedKeysFile %h/.ssh/authorized_keys
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
### A+ Rating 100/100
RequiredRSASize 4096
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
KbdInteractiveAuthentication no
### Set this to 'yes' to enable PAM authentication, account processing,
### and session processing. If this is enabled, PAM authentication will
### be allowed through the ChallengeResponseAuthentication and
### PasswordAuthentication. Depending on your PAM configuration,
### PAM authentication via ChallengeResponseAuthentication may bypass
### the setting of "PermitRootLogin without-password".
### If you just want the PAM account and session checks to run without
### PAM authentication, then enable this but set PasswordAuthentication
### and ChallengeResponseAuthentication to 'no'.
UsePAM yes
### Allow client to pass locale environment variables
AcceptEnv LANG LC_*
### override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
PidFile /var/run/sshd.pid
PrintMotd no
PrintLastLog yes
TCPKeepAlive no
### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
HostbasedAuthentication no
### Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
# UsePrivilegeSeparation yes
### Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosGetAFSToken no
### GSSAPI options
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no
# AuthorizedPrincipalsFile none
# AuthorizedKeysCommand none
# AuthorizedKeysCommandUser nobody
# PermitTunnel no
# ChrootDirectory none
# X11DisplayOffset 10
# X11UseLocalhost yes
# PermitTTY yes
# PermitUserEnvironment no
# IgnoreUserKnownHosts no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
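Review bot: `Include /etc/ssh/sshd_config.d/*.conf` sits at the top of the file, and sshd keeps the first value it reads for most keywords, so any drop-in in that directory silently overrides the settings below it (`PasswordAuthentication no`, the cipher and KEX lists, and so on). Either move the Include to the end of the file, or have the installer guarantee the directory's contents and check the effective result with `sshd -T`. The comment on `PerSourceMaxStartups` says 4 slots but the value is `8`; one of them should be corrected. `sntrup761x25519-sha512` without the `@openssh.com` suffix is, as far as I know, only recognised by newer OpenSSH releases, and an unknown name in `KexAlgorithms` prevents sshd from starting, so it should be confirmed against the target's `ssh -Q kex` output.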


@@ -0,0 +1,328 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.864.2025.07.15
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
### https://kspp.github.io/
### https://linux-audit.com/tags/kernel/
###########################################################################################
# Warning
# Be careful not to lock yourself out of your system after a reboot due to incorrect
# settings. For example, 'kernel.modules_disabled=1' will generally prevent the network
# stack from being brought up after a reboot, which means NO SSH.
###########################################################################################
##### Linux Kernel #####
### Disable loading new modules. Be careful with using this option!
kernel.modules_disabled=1
### Restricting access to kernel pointers.
kernel.kptr_restrict=2
### Restricting access to kernel logs.
kernel.dmesg_restrict=1
###########################################################################################
# Despite the value of dmesg_restrict, the kernel log will still be displayed in the
# console during boot.
# This option prevents those information leaks.
###########################################################################################
kernel.printk=3 3 3 3
### Restricting eBPF to the CAP_BPF capability
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
### Restricting loading TTY line disciplines to the CAP_SYS_MODULE capability
dev.tty.ldisc_autoload=0
###########################################################################################
# The userfaultfd() syscall is often abused to exploit use-after-free flaws.
# This sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
###########################################################################################
vm.unprivileged_userfaultfd=0
###########################################################################################
# kexec is a system call that is used to boot another kernel during runtime.
# This functionality can be abused to load a malicious kernel and gain arbitrary code
# execution in kernel mode, so this sysctl disables it.
###########################################################################################
kernel.kexec_load_disabled=1
###########################################################################################
# Prevents unprivileged users from creating their own user namespaces, potentially
# enabling exploits. This is a good additional safeguard.
###########################################################################################
kernel.unprivileged_userns_clone=0
###########################################################################################
# The SysRq key exposes a lot of potentially dangerous debugging functionality to
# unprivileged users. You can set the value to 0 to disable SysRq completely.
###########################################################################################
kernel.sysrq=0
### Randomize memory space.
kernel.randomize_va_space=2
###########################################################################################
# These prevent creating files in potentially attacker-controlled environments, such as
# world-writable directories.
###########################################################################################
fs.protected_fifos=2
fs.protected_regular=2
###########################################################################################
# This only permits symlinks to be followed when outside a world-writable sticky directory,
# when the owner of the symlink and follower match or when the directory owner matches the
# symlink's owner.
###########################################################################################
fs.protected_symlinks=1
fs.protected_hardlinks=1
###########################################################################################
# ptrace is a system call that allows a program to alter and inspect another running
# process, which allows attackers to trivially modify the memory of other running programs.
# 0 - classic ptrace permissions:
# a process can PTRACE_ATTACH to any other process running under the same uid,
# as long as it is dumpable (i.e., did not transition uids,
# start privileged, or have called prctl(PR_SET_DUMPABLE...) already).
# Similarly, PTRACE_TRACEME is unchanged.
#
# 1 - restricted ptrace:
# a process must have a predefined relationship with the inferior it wants to call
# PTRACE_ATTACH on. By default, this relationship is that of only its descendants when the
# above classic criteria is also met. To change the relationship, an inferior can call
# prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call
# PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
#
# 2 - admin-only attach:
# only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or through
# children calling PTRACE_TRACEME.
#
# 3 - no attach:
# no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set, this
# sysctl value cannot be changed.
###########################################################################################
kernel.yama.ptrace_scope=2
### Use filename based on core_pattern value
kernel.core_uses_pid=1
###########################################################################################
# Performance events add considerable kernel attack surface and have caused abundant
# vulnerabilities. Be careful ! Performance might be affected ! Here turned off by default.
###########################################################################################
#kernel.perf_event_paranoid=2
###########################################################################################
# ASLR is a common exploit mitigation that randomizes the position of critical parts of a
# process in memory. This can make a wide variety of exploits harder to pull off, as they
# first require an information leak. The above settings increase the bits of entropy used
# for mmap ASLR, improving its effectiveness. The values of these sysctls must be set in
# relation to the CPU architecture. The above values are compatible with x86, but other
# architectures may differ.
###########################################################################################
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
###########################################################################################
# In addition to ASLR hardening, one could adjust the behavior for memory overbooking.
# Determines how the kernel provides the available memory for processes:
# - 0 (default): kernel decides heuristically whether memory allocations are allowed.
# - 1: Memory is always allocated, even if it is not physically available; can lead to
# out-of-memory errors.
# - 2: The kernel only allows memory allocations up to the available physical memory + swap
# (safe mode).
#vm.overcommit_memory=2
# Specifies how much of the available physical memory (plus swap) can be made available
# for memory allocations when vm.overcommit_memory=2 is active.
# The value is a percentage.
# 50: Up to 50% of the physical memory can be reserved for memory-intensive applications.
###########################################################################################
#vm.overcommit_ratio=50
###########################################################################################
# Reduces the likelihood of important data remaining unsecured in RAM for too long.
# Specifies the percentage of the total memory that can be filled with changed (dirty) data
# before it is written to the permanent memory (e.g., the hard disk).
# 15: If 15% of the RAM is occupied by dirty pages, a background flush process is triggered
# to write this data.
#vm.dirty_ratio=15
# Specifies the percentage of total memory at which the kernel starts writing dirty pages
# in the background before the dirty_ratio threshold is reached.
# 5: The kernel starts writing data in the background when 5% of RAM is occupied with
# dirty pages.
###########################################################################################
#vm.dirty_background_ratio=5
###########################################################################################
# Similar to core dumps, swapping or paging copies parts of memory to disk, which can
# contain sensitive information. The kernel should be configured to only swap if absolutely
# necessary.
###########################################################################################
#vm.swappiness=1
### This setting minimizes swapping, which is useful for servers.
### However, one could also consider vm.swappiness=0 if enough RAM is available.
# vm.swappiness=0
###########################################################################################
# Process that runs with elevated privileges may still dump their memory even after these
# settings.
###########################################################################################
fs.suid_dumpable=0
kernel.core_pattern= | /bin/false
### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
#user.max_user_namespaces=0
###########################################################################################
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# If you want to set oops_limit greater than one, you will need to disable
# CONFIG_PANIC_ON_OOPS.
###########################################################################################
kernel.warn_limit=1
kernel.oops_limit=1
###########################################################################################
# Disable TIOCSTI, which is used to inject keypresses.
# (This will, however, break screen readers.)
###########################################################################################
dev.tty.legacy_tiocsti=0
###########################################################################################
# IO_uring has yielded some security concerns and vulnerabilities,
# particularly for those sticking to older versions of the Linux kernel.
# There have also been IO_uring integration issues with the Linux security subsystem.
###########################################################################################
#kernel.io_uring_disabled=2
##### Network Stack #####
### Disable IP source routing, we are not a router:
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
###########################################################################################
# This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make
# the device more difficult to enumerate on the network and prevent clock fingerprinting
# through ICMP timestamps.
###########################################################################################
net.ipv4.icmp_echo_ignore_all=1
### Enable ignoring broadcast request.
net.ipv4.icmp_echo_ignore_broadcasts=1
### This helps protect against SYN flood attacks
net.ipv4.tcp_syncookies=1
###########################################################################################
# This protects against time-wait assassination by dropping RST packets for sockets in
# the time-wait state.
###########################################################################################
net.ipv4.tcp_rfc1337=1
###########################################################################################
# These enable source validation of packets received from all interfaces of the machine.
# This protects against IP spoofing, in which an attacker sends a packet with a fraudulent
# IP address.
###########################################################################################
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
###########################################################################################
# This disables ICMP redirect acceptance and sending to prevent man-in-the-middle attacks
# and minimize information disclosure.
###########################################################################################
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
###########################################################################################
# A martian packet is a packet with a source address, which is obviously wrong -
# nothing could possibly be routed back to that address.
###########################################################################################
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
###########################################################################################
# Deactivates IP forwarding. This means that the system discards packets that are not
# intended for its own IP addresses. It therefore does not act as a router and does not
# forward data packets between network interfaces.
###########################################################################################
net.ipv4.conf.all.forwarding=0
###########################################################################################
# Disabling RA prevents the system from receiving routing information from potentially
# insecure or compromised routers. This is particularly important for servers that use
# static network configurations and should not dynamically accept new IPv6 routes or
# prefixes. An attacker could otherwise use forged RA messages to change the network route
# and redirect traffic, for example.
###########################################################################################
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
###########################################################################################
# These parameters relate to secure ICMP redirects. ICMP redirects are messages that a
# router sends to a device to inform it that there is a better route for the data traffic.
# This setting prevents the system from responding to redirects that have been spoofed by
# potential attackers to redirect traffic (e.g., for man-in-the-middle attacks).
###########################################################################################
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1
###########################################################################################
# This setting prevents the disclosure of TCP timestamps that can be used for system
# fingerprinting:
###########################################################################################
net.ipv4.tcp_timestamps=0
###########################################################################################
# To make ARP spoofing attacks more difficult. Defines how the system responds to ARP
# requests.
# - 0 (default): Responds to every request, including IPs configured on other interfaces.
# - 1: Only responds to requests that are specifically intended for the IP of the
# respective interface. Increases security by preventing ARP spoofing attacks, as the
# system does not send unnecessary ARP responses.
###########################################################################################
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.default.arp_ignore=1
###########################################################################################
# To minimize attacks on half-open connections.
# Specifies the maximum number of connection requests (SYN packets)
# that can be held in the connection establishment state (SYN_RECV) in the queue.
# 4096: A generous queue to better intercept SYN flood attacks.
# Useful for systems with high network traffic, or if protection against DoS attacks
# needs to be improved:
###########################################################################################
net.ipv4.tcp_max_syn_backlog=4096
###########################################################################################
# Specifies the maximum number of SYN/ACK retries before the connection is aborted:
# 2: The kernel will only send a SYN/ACK twice before dropping the connection.
# Reduces the time and effort wasted on inactive connection requests.
# This improves performance and protects against SYN flood attacks, but could cause
# problems on poor networks.
###########################################################################################
net.ipv4.tcp_synack_retries=2
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
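Review bot: `net.ipv4.conf.all.secure_redirects` and `net.ipv4.conf.default.secure_redirects` are assigned twice with opposite values: `0` in the ICMP-redirect block and `1` in the later "secure ICMP redirects" block. Since settings in a sysctl file are normally applied in order, the later pair presumably wins and silently undoes the earlier hardening. The comment on the second block also says the setting stops the system responding to spoofed redirects, whereas `=1` still accepts redirects from gateways in the interface's gateway list. I would drop the second pair, keeping `net.ipv4.conf.all.secure_redirects=0` and `net.ipv4.conf.default.secure_redirects=0`, and move the explanation to the first block. Separately, `kernel.modules_disabled=1` is shipped active even though the file's own warning says it generally leaves the network stack down after a reboot (no SSH); consider shipping it commented out, or applying it from a late boot step once the required modules are loaded.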