V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-31 23:04:30 +02:00
parent 930f47f827
commit 45ff672479
103 changed files with 1011 additions and 266 deletions
--- a/includes/target/root/.ciss/alias
+++ b/includes/target/root/.ciss/alias
@@ -0,0 +1,271 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+########################################################################################### Alpha
+alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
+
+########################################################################################### Bash
+alias clear="printf '\033c'"
+alias c='clear'
+alias q='exit'
+
+########################################################################################### Chrony
+alias cytr='echo "tracking -a -v" | chronyc'
+alias cysd='echo "selectdata -a -v" | chronyc'
+alias cyss='echo "sourcestats -a -v" | chronyc'
+
+########################################################################################### fail2ban & ufw
+alias f2ball='fail2ban-client status'
+alias f2bubn='fail2ban-client unban --all'
+alias f2bufw='fail2ban-client status ufw'
+alias usn='ufw status numbered'
+alias usv='ufw status verbose'
+
+########################################################################################### ls
+alias ls='eza --group-directories-first --icons=always --oneline --long --all --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
+alias lsf='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
+alias lss='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension --extended'
+alias la='ls'
+alias ll=ls
+alias l=ls
+
+########################################################################################### Package Management
+alias aptac='apt autoclean'
+alias aptap='apt autopurge'
+alias aptar='apt autoremove'
+alias aptcheck='apt-get check'
+alias aptdep='apt-cache depends'
+alias aptdl='apt-get install --download-only'
+alias aptfug='apt full-upgrade'
+alias aptupd='apt update'
+alias aptupg='apt upgrade'
+alias apti='apt install'
+alias aptp='apt purge'
+alias aptpp='dpkg --purge'
+alias aptr='apt remove'
+alias aptse='apt search'
+alias aptsh='apt show'
+alias aptimage='apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "dbg" | grep -v "meta-package" | grep -v "cloud" | grep -v "PREEMPT"'
+
+########################################################################################### Readability
+alias df='df -h'
+alias free='free -m'
+alias mkdir='mkdir -pv'
+
+########################################################################################### Service restart
+alias rsban='systemctl restart fail2ban'
+alias rsweb='systemctl restart nginx php8.4-fpm redis'
+
+########################################################################################### System maintaining
+alias boot='reboot -h now'
+alias cscan='clamscan -r --bell -i'
+alias chkhvg='haveged -n 0 | dieharder -g 200 -a'
+alias dev='lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH'
+alias i='echo "$(whoami) @ $(uname -a)"'
+alias ipunused='iptables -L -v -n'
+alias jboot='journalctl --boot=0'
+alias lsadt='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency'
+alias lsadtdoc='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency > /root/lynis-$(date +%F_%H-%M-%S).txt 2>&1'
+alias n='nano'
+alias nstat='netstat -tlpnvWa'
+alias s='sudo -i'
+alias sas='systemd-analyze security'
+alias shut='shutdown -h now'
+alias ssa='systemctl status'
+alias ssf='systemctl status --failed'
+alias sysdr='systemctl daemon-reload'
+alias syses='systemctl edit'
+alias sysrl='systemctl reload'
+alias sysrs='systemctl restart'
+alias syssp='systemctl stop'
+alias sysst='systemctl start'
+alias v='nvim'
+alias whatdelete='lsof | grep deleted'
+alias whatimage='dpkg --list | grep linux-image'
+alias whatpurge='dpkg --get-selections | grep deinstall'
+
+########################################################################################### Functions
+
+#######################################
+# Generates Secure (/dev/random) Passwords
+# Arguments:
+#    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
+#######################################
+# shellcheck disable=SC2317
+genpasswd() {
+  declare -i length=32
+  declare -i usebase64=0
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --base64)
+        usebase64=1
+        ;;
+      '' | *[!0-9]*) ;;
+      *)
+         length="$1"
+        ;;
+    esac
+    shift
+  done
+
+  declare passwd
+  # shellcheck disable=SC2312
+  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
+
+  if [[ ${usebase64} -eq 1 ]]; then
+    echo -n "${passwd}" | base64
+  else
+    echo "${passwd}"
+  fi
+}
+
+#######################################
+# Generates Secure (/dev/random) Passwords.
+# Arguments:
+#   none
+#######################################
+# shellcheck disable=SC2317
+genpasswdhash() {
+  declare salt
+  # shellcheck disable=SC2312
+  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
+  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
+}
+
+#######################################
+# Outputs a 16-character random printable string
+# Arguments:
+#   None
+#######################################
+genstring() {
+  # shellcheck disable=SC2312
+  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
+}
+
+#######################################
+# Wrapper for secure curl
+# Globals:
+#   CRED
+#   CRES
+#   NL
+# Arguments:
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
+scurl() {
+  if [[ $# -ne 2 ]]; then
+    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
+    return 1
+  fi
+  declare url="$1"
+  declare output_path="$2"
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
+            --doh-cert-status \
+            --tlsv1.3 \
+            -sSf \
+            -o "${output_path}" \
+            "${url}"
+  then
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
+    return 2
+  fi
+  return 0
+}
+
+#######################################
+# Wrapper for secure wget
+# Globals:
+#   CRED
+#   CRES
+#   NL
+# Arguments:
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
+swget() {
+  if [[ $# -ne 2 ]]; then
+    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
+    return 1
+  fi
+  declare url="$1"
+  declare output_path="$2"
+  mkdir -p "$(dirname "${output_path}")"
+  if ! wget --show-progress \
+            --no-clobber \
+            --https-only \
+            --secure-protocol=TLSv1_3 \
+            -qO "${output_path}" \
+            "${url}"
+  then
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
+    return 2
+  fi
+  return 0
+}
+
+#######################################
+# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Arguments:
+#   None
+#######################################
+sysp() {
+  sysctl -p /etc/sysctl.d/99_local.hardened
+  # sleep 1
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+}
+
+#######################################
+# Wrapper for tree
+# Arguments:
+#   1: Depth of Directory Listing
+#######################################
+trel() {
+  declare depth=${1:-3}
+  tree -C -h --dirsfirst -L "${depth}"
+}
+
+#######################################
+# Wrapper for package and path to bin.
+# Arguments:
+#   1: Program
+#######################################
+whichpackage() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
+    exit 1
+  fi
+  # shellcheck disable=SC2230,SC2312
+  dpkg -S "$(which "$1")"
+}
+
+#######################################
+# Wrapper for Diskspace used in Path.
+# Arguments:
+#   1: Path (defaults /var)
+#   2: Depth (defaults 1)
+#   3: Number of Entries (defaults 16)
+#######################################
+whichused() {
+  # shellcheck disable=SC2312
+  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh