msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 52s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-03 17:10:34 +02:00
parent a022769093
commit 525e7db19f
38 changed files with 288 additions and 182 deletions
Download Patch File Download Diff File Expand all files Collapse all files

195
func/system/4040_generate_fstab.sh
View File

@@ -1,195 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper to write '/etc/fstab' entries.
# Globals:
# TARGET
# Arguments:
# 1: UUID or /dev/mapper
# 2: Mount Path
# 3: Filesystem
# 4: Mount Options
# 5: Pass value, while Dump value is hardcoded always "0".
# Returns:
# 0: on success
#######################################
write_fstab() {
declare write_maps="$1" write_path="$2" write_type="$3" write_opts="$4" write_pass="$5"
if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4040() fstab entry generated: [UUID=${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
elif [[ "${write_maps}" == /dev/mapper/* ]]; then
printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4040() fstab entry generated: [${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
fi
return 0
}
#######################################
# Generate target '/etc/fstab' entries.
# Globals:
# ARY_PATHS_SORTED
# HMP_EPHEMERAL_ENCLABEL
# HMP_FSTAB_MOUNT_FTYPE
# HMP_FSTAB_MOUNT_OPTS
# HMP_PATH_FSUUID
# TARGET
# VAR_VERSION
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_fstab() {
### Declare Arrays, HashMaps, and Variables.
declare var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass=""
### Generate '${TARGET}/etc/fstab' header.
: >| "${TARGET}/etc/fstab"
chmod 0600 "${TARGET}/etc/fstab"
cat << EOF >> "${TARGET}/etc/fstab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/fstab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information '/etc/fstab'.
#
# Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
# name devices that work even if disks are added and removed. See fstab(5).
#
# 'systemd' generates mount units based on this file. See systemd.mount(5). Please run 'systemctl daemon-reload' after making
# changes here.
#
# <file system UUID> <mount point> <type> <options> <dump> <pass>
EOF
### Generate dynamic '${TARGET}/etc/fstab' entries.
for var_path in "${ARY_PATHS_SORTED[@]}"; do
case "${var_path,,}" in
swap|SWAP) continue;;
/tmp)
var_dmapper="${HMP_EPHEMERAL_ENCLABEL["${var_path}"]}"
var_fs_uuid="/dev/mapper/${var_dmapper}"
var_fs_path="${var_path}"
var_fs_type="${HMP_FSTAB_MOUNT_FTYPE["${var_path}"]}"
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}"]}"
var_fs_pass="0"
;;
*)
var_fs_uuid="${HMP_PATH_FSUUID["${var_path}"]}"
var_fs_path="${var_path}"
var_fs_type="${HMP_FSTAB_MOUNT_FTYPE["${var_path}"]}"
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}"]}"
case "${var_path,,}" in
/) var_fs_pass="1" ;;
/boot/efi) var_fs_pass="0" ;;
*) var_fs_pass="2" ;;
esac
;;
esac
case "${var_fs_type,,}" in
btrfs)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
if [[ -v HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"] ]]; then
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"]}"
if [[ "${var_fs_path}" == "/" ]]; then
write_fstab "${var_fs_uuid}" "/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
else
write_fstab "${var_fs_uuid}" "${var_fs_path}/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
fi
fi
continue
;;
ext4)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
continue
;;
fat32)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "vfat" "${var_fs_opts}" "${var_fs_pass}"
continue
;;
esac
done
### Generate separate SWAP entry.
var_dmapper="${HMP_EPHEMERAL_ENCLABEL["SWAP"]}"
var_fs_uuid="/dev/mapper/${var_dmapper}"
var_fs_path="none"
var_fs_type="swap"
var_fs_opts="defaults"
var_fs_pass="0"
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
cat << 'EOF' >> "${TARGET}/etc/fstab"
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF
do_log "info" "file_only" "4040() fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
cat << 'EOF' >> "${TARGET}/etc/fstab"
### Secure tmpfs mounts for a hardened system
# Mount the 'proc' filesystem to provide process and kernel information.
# Mount 'sysfs' to expose kernel device information to user space.
# Mount the 'devpts' filesystem to enable pseudo-terminal support for user sessions.
# Restrict '/dev/shm' to shared memory, limit size, prevent code execution.
# System runtime directory in RAM. Do not set 'noexec' here for compatibility.
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
sysfs /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,size=1G 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid 0 0
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

150
func/system/4060_generate_crypttab.sh
View File

@@ -1,150 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# '/etc/crypttab' entry writer and logger.
# Globals:
# TARGET
# Arguments:
# 1: Encryption Label
# 2: LUKS Container UUID
# 3: Keyfile or none
# 4: LUKS Options
# Returns:
# 0: on success
#######################################
write_crypttab() {
declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
printf "%-43s%-46s%-40s%s \n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
do_log "info" "file_only" "4060() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
return 0
}
#######################################
# Generate target '/etc/crypttab' entries.
# Globals:
# HMP_EPHEMERAL_ENCLABEL
# HMP_PATH_ENCLABEL
# HMP_PATH_FSUUID
# HMP_PATH_LUKSUUID
# TARGET
# VAR_NUKE
# VAR_VERSION
# dropbear_boot
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_crypttab() {
### Declare Arrays, HashMaps, and Variables.
declare var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_uuid=""
### Generate '${TARGET}/etc/crypttab' header.
: >| "${TARGET}/etc/crypttab"
chmod 0600 "${TARGET}/etc/crypttab"
cat << EOF >> "${TARGET}/etc/crypttab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/crypttab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information: '/etc/crypttab'.
#
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
# 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
# the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
# whether and how the file system itself generates the discard operations and sends them down through the LUKS layer.
#
# RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical device. If ones do
# not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# ineffective.
#
# <name> <device> <password-file-or-none> <options>
EOF
### Generate '${TARGET}/etc/crypttab' entries.
for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
if [[ "${dropbear_boot,,}" == "true" ]]; then
if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then
# TODO: Check for cryptsetup installation errors while unlock_wrapper.sh is not yet installed.
#write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
continue
fi
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
else
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
fi
done
### Generate '${TARGET}/etc/crypttab' ephemeral entries.
for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}"
case "${var_key}" in
SWAP)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
;;
/tmp)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
;;
*)
do_log "error" "file_only" "4060() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
continue
;;
esac
done
cat << 'EOF' >> "${TARGET}/etc/crypttab"
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

45
func/system/4092_minimal_checks.sh
View File

@@ -1,45 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# TODO: Implement this function
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
minimal_checks() {
declare var_bin
: >| "${DIR_LOG}/fstab.verify.log"
chmod 0600 "${DIR_LOG}/fstab.verify.log"
do_in_target_script "${TARGET}" "systemd-analyze verify /etc/fstab >> ${DIR_LOG}/fstab.verify.log 2>&1"
rc="$?"
if (( rc == 0 )); then
do_log "info" "file_only" "4040() '/etc/fstab' verified successfully with systemd-analyze."
else
do_log "warning" "file_only" "4040() '/etc/fstab' verification returned errors, see '${DIR_LOG}/fstab.verify.log'."
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
func/system/4095_setup_skel.sh
View File

@@ -1,42 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Prepare '/etc/skel'-Directory.
# Globals:
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_skel() {
mkdir -p "${TARGET}/etc/skel/.ciss"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
chmod 0644 "${TARGET}/etc/skel/.vimrc"
do_log "info" "file_only" "4095() Installed: '/etc/skel'-Files."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
func/system/4100_finalzie_system.sh
View File

@@ -1,31 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Set locale, locale overrides and configure keyboard layout.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_locales() {
### Set the X11 keyboard layout (for graphical environments).
do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

276
func/system/4130_setup_network.sh
View File

@@ -1,276 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup network.
# Globals:
# DIR_BAK
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV4_GW
# VAR_FINAL_IPV4_SUBNET
# VAR_FINAL_IPV6
# VAR_FINAL_NIC
# VAR_LINK_IPV6
# network_autoconfig_enable
# network_choose_interface_auto
# network_choose_interface_static
# network_hostname
# network_static_ipv4address
# network_static_ipv4gateway
# network_static_ipv4nameserver_0
# network_static_ipv4nameserver_1
# network_static_ipv4nameserver_2
# network_static_ipv4nameserver_fallback_0
# network_static_ipv4nameserver_fallback_1
# network_static_ipv4netmask
# network_static_ipv6address
# network_static_ipv6gateway
# network_static_ipv6nameserver_0
# network_static_ipv6nameserver_1
# network_static_ipv6nameserver_2
# network_static_ipv6nameserver_fallback_0
# network_static_ipv6nameserver_fallback_1
# network_static_ipv6netmask
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_network() {
do_in_target "${TARGET}" apt-get install -y isc-dhcp-client ifupdown
mkdir -p "${TARGET}/etc/network/interfaces/interfaces.d"
declare var_auto_nic="" var_auto_ipv4_ccidr="" var_auto_ipv4_subnet="" var_auto_ipv4="" var_auto_ipv4_gw="" \
var_auto_ipv6_ccidr="" var_auto_ipv6="" var_auto_ipv6_gw="" var_link_ipv4="" var_link_ipv6="" var_auto_fqdn="" ns=""
declare -a ary_ipv4_ns=() ary_ipv6_ns=()
### Create network configuration file header.
if [[ -f "${TARGET}/etc/network/interfaces" ]]; then
mkdir -p "${DIR_BAK}/etc/network"
mv "${TARGET}/etc/network/interfaces" "${DIR_BAK}/etc/network/interfaces.bak"
do_log "info" "file_only" "4130() Existing '${TARGET}/etc/network/interfaces' moved."
fi
cat << EOF >| "${TARGET}/etc/network/interfaces"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 "${TARGET}/etc/network/interfaces"
do_log "info" "file_only" "4130() Header '${TARGET}/etc/network/interfaces' created."
### Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv4.
if [[ "${network_autoconfig_enable,,}" == "true" && "${network_choose_interface_auto,,}" == "true" ]]; then
### Reminder ###
# auto:
# For servers or systems with static interfaces that should always be available (e.g., eth0 on a server).
# For configurations where the interface should be active regardless of the cable status.
# allow-hotplug:
# For systems with dynamic or removable network devices (e.g., laptops or USB adapters).
# To avoid boot delays when interfaces are unavailable.
cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# The primary network interface IPv4
auto ${var_auto_nic}
iface ${var_auto_nic} inet dhcp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
do_log "info" "file_only" "4130() IPv4 on the primary NIC: '${var_auto_nic}' configured with DHCP."
elif [[ "${network_autoconfig_enable,,}" == "true" && "${network_choose_interface_auto,,}" == "false" ]]; then
cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# The primary network interface IPv4
auto ${network_choose_interface_static}
iface ${network_choose_interface_static} inet dhcp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
do_log "info" "file_only" "4130() IPv4 on the primary NIC: '${network_choose_interface_static}' configured with DHCP."
fi
if [[ "${network_autoconfig_enable,,}" == "false" ]]; then
cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-static"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# The primary network interface IPv4
auto ${network_choose_interface_static}
iface ${network_choose_interface_static} inet static
address ${network_static_ipv4address}
netmask ${network_static_ipv4netmask}
gateway ${network_static_ipv4gateway}
dns-nameservers ${ary_ipv4_ns[*]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-static"
do_log "info" "file_only" "4130() IPv4 on the primary NIC: '${network_choose_interface_static}' configured statically."
fi
### Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv6.
if [[ "${network_autoconfig_enable,,}" == "true" && "${var_link_ipv6,,}" == "true" ]]; then
cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-dhcp"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# The primary network interface IPv6
auto ${var_auto_nic}
iface ${var_auto_nic} inet6 dhcp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-dhcp"
do_log "info" "file_only" "4130() IPv6 on the primary NIC: '${var_auto_nic}' configured with DHCP."
fi
if [[ "${network_autoconfig_enable,,}" == "false" && -n "${network_static_ipv6address}" ]]; then
cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-static"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# The primary network interface IPv6
auto ${network_choose_interface_static}
iface ${network_choose_interface_static} inet6 static
address ${network_static_ipv6address}/${network_static_ipv6netmask}
gateway ${network_static_ipv6gateway}
dns-nameservers ${ary_ipv6_ns[*]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-static"
do_log "info" "file_only" "4130() IPv6 on the primary NIC: '${network_choose_interface_static}' configured statically."
fi
### Ensure Internet Systems Consortium DHCP Client is not overwriting the static nameserver settings.
if [[ -f "${TARGET}/etc/dhcp/dhclient.conf" ]]; then
mkdir -p "${DIR_BAK}/etc/dhcp"
cp "${TARGET}/etc/dhcp/dhclient.conf" "${DIR_BAK}/etc/dhcp/dhclient.conf.bak"
do_log "info" "file_only" "4130() Existing '${TARGET}/etc/dhcp/dhclient.conf' saved."
fi
if [[ "${network_autoconfig_enable,,}" == "true" && -n "${network_static_ipv4nameserver_0}" ]]; then
cat << EOF >> "${TARGET}/etc/dhcp/dhclient.conf"
# Custom dhclient config to override DHCP DNS
EOF
declare var_supersede; var_supersede=$(printf "%s, " "${ary_ipv4_ns[@]}")
var_supersede="${var_supersede%, }"
echo "supersede domain-name-servers ${var_supersede};" >> "${TARGET}/etc/dhcp/dhclient.conf"
do_log "info" "file_only" "4130() DHCP client configuration for IPv4: '${TARGET}/etc/dhcp/dhclient.conf' configured."
fi
if [[ "${network_autoconfig_enable,,}" == "false" && -n "${network_static_ipv6nameserver_0}" ]]; then
declare var_supersede_ipv6; var_supersede_ipv6=$(printf "%s, " "${ary_ipv6_ns[@]}")
var_supersede_ipv6="${var_supersede_ipv6%, }"
echo "supersede domain-name-servers ${var_supersede_ipv6};" >> "${TARGET}/etc/dhcp/dhclient.conf"
do_log "info" "file_only" "4130() DHCP client configuration for IPv6: '${TARGET}/etc/dhcp/dhclient.conf' configured."
fi
if [[ "${network_autoconfig_enable,,}" == "true" && -n "${network_static_ipv4nameserver_0}" ]]; then
cat << EOF >> "${TARGET}/etc/dhcp/dhclient.conf"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

88
func/system/4155_setup_grub_password.sh
View File

@@ -1,88 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Append GRUB superuser block to '/etc/grub.d/40_custom'.
# Globals:
# DIR_CNF
# ERR_READ_GRUB_FILE
# TARGET
# VAR_DEBUG_TRACE
# Arguments:
# None
# Returns:
# 0: on success
# ERR_READ_GRUB_FILE
#######################################
setup_grub_password() {
declare var_username="superadmin"
declare var_password=""
declare var_password_file="${DIR_CNF}/password_grub.txt"
declare var_of="${TARGET}/etc/grub.d/40_custom"
declare var_grub_entry
### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if [[ ! -f "${var_password_file}" ]] || ! IFS= read -r var_password < "${var_password_file}"; then
return "${ERR_READ_GRUB_FILE}"
fi
### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
### Append if not already present
if ! grep -q "set superusers=" "${var_of}"; then
{
echo ""
echo "### Added by CISS.debian.installer ###"
echo "${var_grub_entry}"
echo "### End by CISS.debian.installer ###"
} >> "${var_of}"
fi
do_in_target "${TARGET}" update-grub
return 0
}
#######################################
# Generate PBKDF2 password hash for GRUB.
# Arguments:
# 1: Username (default to superadmin).
# 2: User password.
# Returns:
# 0: on success
#######################################
generate_grub_password_pbkdf2() {
declare var_user="${1:-superadmin}"
declare var_pass="${2:?error: password required}"
expect <<EOF
log_user 0
spawn grub-mkpasswd-pbkdf2 --iteration-count=131072 --salt=64 --buflen=64
expect "Enter password:"
send "${var_pass}\r"
expect "Reenter password:"
send "${var_pass}\r"
expect {
-re {PBKDF2 hash of your password is (\S+)} {
puts "set superusers=\"${var_user}\"\npassword_pbkdf2 ${var_user} \$expect_out(1,string)"
}
}
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

63
func/system/4160_grub_bootparameter.sh
View File

@@ -1,63 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Options in "GRUB_CMDLINE_LINUX" are always effective.
### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
guard_sourcing
#######################################
# Hardening Grub boot parameter.
# Globals:
# ARY_BOOTPARAM
# TARGET
# VAR_GRUB_CMDLINE_LINUX_DEFAULT
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_grub_bootparameter() {
declare var_nuke_string="" var_param=""
grub_extract_current_string
for var_param in "${ARY_BOOTPARAM[@]}"; do
if [[ -z "${var_param}" ]]; then
do_log "warn" "file_only" "Empty GRUB parameter detected and skipped."
continue
fi
if grep -q --word-regexp "${var_param%%=*}" <<< "${VAR_GRUB_CMDLINE_LINUX_DEFAULT}"; then
do_log "info" "file_only" "Skipping duplicate kernel parameter: '${var_param}'."
continue
fi
VAR_GRUB_CMDLINE_LINUX_DEFAULT+=" ${var_param}"
done
if [[ "${VAR_NUKE}" == "true" ]]; then
var_nuke_string="nuke=${VAR_NUKE_HASH}"
VAR_GRUB_CMDLINE_LINUX+=" ${var_nuke_string}"
fi
grub_finalize_string
do_in_target "${TARGET}" update-grub
do_log "info" "file_only" "Setting GRUB kernel parameters: ${VAR_GRUB_CMDLINE_LINUX_DEFAULT}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

61
func/system/4165_kernel_modules.sh
View File

@@ -1,61 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Entropy collection improvements '/usr/lib/modules-load.d/30_security-misc.conf'.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_kernel_modules() {
### Entropy collection improvements
mkdir -p "${TARGET}/usr/lib/modules-load.d"
cat << EOF >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
## features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
## standards-compliant, and universally applicable entropy source for hardened Linux environments.
## https://www.whonix.org/wiki/Dev/Entropy
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
## https://forums.whonix.org/t/jitterentropy-rngd/7204
jitterentropy_rng
EOF
chmod 0644 "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
do_log "info" "file_only" "Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
return 0
}
#######################################
# Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
# Globals:
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_modprobe() {
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/modprobe.d/0000_ciss_debian_installer.cnf" \
"${TARGET}/etc/modprobe.d/0000_ciss_debian_installer.conf"
do_log "info" "file_only" "Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
func/system/4166_kernel_sysctl.sh
View File

@@ -1,31 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install Kernel Hardening-Presets '/etc/sysctl.d/99_local.hardened'.
# Globals:
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_kernel_sysctl() {
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened.ini" \
"${TARGET}/etc/sysctl.d/99_local.hardened"
do_log "info" "file_only" "Installed: '/etc/sysctl.d/99_local.hardened'."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
func/system/4170_installation_microcode.sh
View File

@@ -1,59 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_microcode() {
declare var_microcode_pkgs=""
declare var_whereiam
# shellcheck disable=SC2312
var_whereiam=$(virt-what | head -n1)
[[ -z "${var_whereiam}" ]] && var_whereiam="baremetal"
declare var_cpu_vendor
# shellcheck disable=SC2312
var_cpu_vendor=$(lscpu | awk -F: '/Vendor ID/ {print $2}' | xargs)
case "${var_cpu_vendor}" in
*AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;;
*GenuineIntel*) var_microcode_pkgs="intel-microcode" ;;
""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "file_only" "ARM or unknown CPU detected, skipping microcode installation." ;;
esac
###########################################################################################
# Generally, it is best to let the hypervisor handle CPU microcode updates. #
###########################################################################################
if [[ "${var_whereiam}" != "kvm" && -n "${var_microcode_pkgs}" ]]; then
if ! do_in_target_script "${TARGET}" "dpkg -l ${var_microcode_pkgs} >/dev/null 2>&1"; then
do_in_target "${TARGET}" apt-get install -y "${var_microcode_pkgs}"
fi
else
do_log "info" "file_only" "Skipping microcode install (${var_whereiam}, ${var_microcode_pkgs:-none})"
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

112
func/system/4180_setup_ssh.sh
View File

@@ -1,112 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup ssh server.
# Globals:
# BASH_REMATCH
# DIR_BAK
# DIR_LOG
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_SETUP_PATH
# ssh_port
# ssh_root_ca
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_ssh() {
do_in_target "${TARGET}" apt-get install -y ssh
#######################################
# Variable declaration
#######################################
declare -a ary_user=()
declare -i i
declare var_auth="" var_name=""
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/motd" "${TARGET}/etc/"
do_log "info" "file_only" "Installed SSH banner and motd to '${TARGET}/etc/'."
### Only process those for which both *_name and *_authentication_access_ssh are set.
for ((i = 0; i <= VAR_USER_MAX; i++)); do
var_auth="user_user${i}_authentication_access_ssh"
var_name="user_user${i}_name"
if [[ -v "${var_auth}" && -v "${var_name}" && "${!var_auth}" == "true" ]]; then
ary_user+=("${!var_name}")
fi
done
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
#shellcheck disable=SC2312
do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
#shellcheck disable=SC2312
do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
mkdir -p "${DIR_BAK}/etc/ssh"
cp "${TARGET}/etc/ssh/sshd_config" "${DIR_BAK}/etc/ssh/sshd_config.bak"
chmod 0644 "${DIR_BAK}/etc/ssh/sshd_config.bak"
cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"
rm -f "${TARGET}/etc/ssh/sshd_config"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
chmod 0600 "${TARGET}/etc/ssh/ssh_config"
# shellcheck disable=SC2153
sed -i -E "s|^\s*ListenAddress\s+.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${VAR_FINAL_IPV6}" ]]; then
sed -i -E "s|^\s*ListenAddress\s+::.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
else
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
fi
sed -i -E "s|^\s*Port\s+.*$|$(printf '%-30s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
if (( ${#ary_user[@]} > 0 )); then
sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-30s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
fi
if [[ -n "${ssh_root_ca}" ]]; then
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${ssh_root_ca}" "${TARGET}/etc/ssh/"
sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-30s%s' 'TrustedUserCAKeys' "/etc/ssh/${ssh_root_ca}")|" "${TARGET}/etc/ssh/sshd_config"
fi
do_in_target_script "${TARGET}" "sshd -T >| ${DIR_LOG}/sshd_config.log"
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| ${DIR_LOG}/ssh.log"
###########################################################################################
# The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
echo "readonly TMOUT=14400" >| "${TARGET}/etc/profile.d/idle-users.sh"
# TODO: Decide: set HISTFILE=/dev/null or leave unset (readonly var requires value!)
#echo "readonly HISTFILE" >> "${TARGET}/etc/profile.d/idle-users.sh"
chmod +x "${TARGET}/etc/profile.d/idle-users.sh"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

61
func/system/4190_build_dropbear.sh
View File

@@ -1,61 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Build Ultra Hardened dropbear-2025.88 from sources.
# Globals:
# DIR_TMP
# ERR_PATH_NOT_VALID
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# ERR_PATH_NOT_VALID
# 0: on success
#######################################
build_dropbear() {
declare var_dropbear_version="2025.88"
declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"
mkdir -p "${DIR_TMP}/build"
cp "${var_tar}" "${DIR_TMP}/build"
tar xjf "${DIR_TMP}/build/dropbear-${var_dropbear_version}.tar.bz2" -C "${DIR_TMP}/build" || return "${ERR_PATH_NOT_VALID}"
cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"
# Flag Purpose
# -fPIE: Generate position-independent executable code
# -pie: Link the executable as PIE (so that ASLR works)
# -static: Fully statically linked against musl
# -s: Strip unnecessary symbols directly during linking
# -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
CC=musl-gcc \
CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
./configure \
--enable-static \
--enable-openpty \
--disable-pam \
--disable-zlib
# shellcheck disable=2312
make -j"$(nproc)"
do_log "info" "file_only" "Ultra Hardened dropbear-2025.88 build successfully from sources."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

40
func/system/4191_install_dropbear_initramfs.sh
View File

@@ -1,40 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install Dropbear Initramfs and replace the binaries with the previous Ultra Hardened build.
# Globals:
# DIR_TMP
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
install_dropbear_initramfs() {
declare var_file
do_in_target "${TARGET}" apt-get install -y dropbear-initramfs
do_in_target "${TARGET}" apt-mark hold -y dropbear dropbear-initramfs
mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.2022.83"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
for var_file in dbclient dropbearconvert dropbearkey; do
mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.2022.83"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/bin/"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

252
func/system/4195_setup_dropbear.sh
View File

@@ -1,252 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup Dropbear Initramfs Environment.
# Globals:
# HMP_PATH_ENCLABEL
# TARGET
# VAR_CRYPT_ROOT
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV4_GW
# VAR_FINAL_IPV4_SUBNET
# VAR_FINAL_NIC
# VAR_GRUB_CMDLINE_LINUX
# VAR_SETUP_PATH
# dropbear_dhcp
# dropbear_firewall
# dropbear_port
# network_static_ipv4nameserver_0
# network_static_ipv4nameserver_1
# ssh_allow_ipv4_0
# user_root_ssh_pubkeys_0
# user_root_ssh_pubkeys_1
# user_root_ssh_pubkeys_2
# user_root_ssh_pubkeys_3
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_dropbear() {
### Prepare strong dropbear host keys
rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
do_in_target "${TARGET}" /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
### Prepare dropbear authorized_keys
touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
printf "%s\n" "${user_root_sshpubkey}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
if [[ "${dropbear_dhcp,,}" != "true" ]]; then
declare network_static_ipv4ntpserver_0="192.53.103.108"
### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
printf "IP=%s::%s:%s:%s:%s:none:%s:%s:%s\n" \
"${VAR_FINAL_IPV4}" \
"${VAR_FINAL_IPV4_GW}" \
"${VAR_FINAL_IPV4_SUBNET}" \
"${VAR_FINAL_FQDN}" \
"${VAR_FINAL_NIC}" \
"${network_static_ipv4nameserver_0:-135.181.207.105}" \
"${network_static_ipv4nameserver_1:-89.58.62.53}" \
"${network_static_ipv4ntpserver_0:-192.53.103.104}" \
>| "${TARGET}/etc/initramfs-tools/conf.d/ip"
else
### "IP=:::::<NIC>:dhcp"
printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
fi
### Generate dropbear configuration file
write_dropbear_conf
### Prepare Grub Bootparameter for LUKS decryption of '/root' and '/recovery'.
# Options in "GRUB_CMDLINE_LINUX" are always effective.
# Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
grub_extract_current_string
declare var_label="${HMP_PATH_ENCLABEL["LABEL_/"]}"
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
grub_finalize_string
### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/scripts/init-top/fixpath.sh" \
"${TARGET}/includes/initramfs-tools/scripts/init-top/"
### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-initramfs.sh" \
"${TARGET}/includes/initramfs-tools/hooks/"
### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-prompt.sh" \
"${TARGET}/includes/initramfs-tools/hooks/"
### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
"${TARGET}/includes/initramfs-tools/files/"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
"${TARGET}/usr/lib/cryptsetup/scripts/"
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
"${TARGET}/includes/initramfs-tools/files/"
### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/modules" \
"${TARGET}/includes/initramfs-tools/"
declare var_modules; var_modules=$(grep_nic_driver_modules)
cat << EOF >> "${TARGET}/includes/initramfs-tools/modules"
### Custom NIC driver
${var_modules}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
### Install the script to be called inside initramfs environment for preparing dropbear execution.
do_in_target "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${TARGET}/includes/usr/share/initramfs-tools/scripts/init-premount/"
### Install the variable file to be called inside initramfs environment for setting up dropbear firewall.
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.cnf" \
"${TARGET}/includes/initramfs-tools/files/dropbear_fw.conf"
### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.sh" \
"${TARGET}/includes/initramfs-tools/files/"
if [[ "${dropbear_firewall,,}" == "true" && -n "${ssh_allow_ipv4_0}" ]]; then
sed -i 's/^DROPBEAR_FIREWALL_ENABLED=0$/DROPBEAR_FIREWALL_ENABLED=1/' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
sed -i '/^# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh$/d' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
cat << EOF >> "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
DROPBEAR_PORT=${dropbear_port}
DROPBEAR_JUMP_SERVER_IP=${ssh_allow_ipv4_0}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
fi
### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
do_in_target "${TARGET}" update-grub
do_in_target "${TARGET}" update-initramfs -u -v -k all
return 0
}
#######################################
# Write '/etc/dropbear/initramfs/dropbear.conf'.
# Globals:
# TARGET
# ssh_port
# Arguments:
# None
# Returns:
# 0: on success
#######################################
write_dropbear_conf() {
[[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"
cat << EOF >| "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
#
# Configuration options for the dropbear-initramfs boot scripts.
# Variable assignment follow shell semantics and escaping/quoting rules.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files in the '/etc/dropbear/initramfs' directory).
#
# Command line options to pass to dropbear(8)
# Dropbear options for 2025+:
# -b: Display the contents of bannerfile before user login
# -E: Log to stderr
# -I: Idle timeout in seconds
# -K: Keepalive interval in seconds
# -p: Specify port (and optionally address)
# -w: Disable root login (SHOULD NOT be implemented for initramfs)
DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${dropbear_port}"
#
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#
#IFDOWN="*"
#
# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage. This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
#
#DROPBEAR_SHUTDOWN_TIMEOUT=60
EOF
do_log "info" "file_only" "Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
return 0
}
#######################################
# Collect NIC driver modules for initramfs installation.
# Arguments:
# None
# Returns:
# 0: on success
#######################################
grep_nic_driver_modules() {
### Collect all ethernet driver names and sort them uniquely.
declare -a _mods
declare var_nic_module var_nic_modules
# shellcheck disable=SC2312
readarray -t _mods < <(
lspci -k \
| grep -A2 -i ethernet \
| grep 'Kernel driver in use' \
| awk '{print $5}' \
| sort -u
)
### If only one entry remains, save it in 'var_nic_module', otherwise save all modules in 'var_nic_modules'.
if [[ "${#_mods[@]}" -eq 1 ]]; then
var_nic_module="${_mods[0]}"
else
var_nic_modules="${_mods[*]}"
fi
if [[ -n "${var_nic_module}" ]]; then
echo "${var_nic_module}"
else
echo "${var_nic_modules}"
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

164
func/system/4200_setup_accounts.sh
View File

@@ -1,164 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Updating user accounts.
# Globals:
# TARGET
# VAR_SETUP_PATH
# VAR_USER_MAX
# user_root_authentication_access_ssh
# user_root_password
# user_root_shell
# user_root_sshpubkey
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_accounts() {
#######################################
# Declare Variables
#######################################
declare -i i
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
tmp_restricted=""
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
var_restricted="" var_chpasswd="" var_sshdir=""
### Hardening '/etc/login.defs'
rm -f "${TARGET}/etc/login.defs"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/login.defs" "${TARGET}/etc/"
### Hardening '/etc/security/pwquality.conf'
rm -f "${TARGET}/etc/security/pwquality.conf"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/security/pwquality.cnf" "${TARGET}/etc/security/pwquality.conf"
### Preparing the root account
chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
chmod 0600 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
if [[ -x "${TARGET}${user_root_shell}" ]]; then
do_in_target "${TARGET}" chsh -s "${user_root_shell}" root
else
do_log "warn" "file_only" "Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
fi
var_chpasswd="root:${user_root_password}"
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
var_chpasswd=""
install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys"
grep -qxF "${user_root_sshpubkey}" "${TARGET}/root/.ssh/authorized_keys" || \
printf "%s\n" "${user_root_sshpubkey}" >> "${TARGET}/root/.ssh/authorized_keys"
if [[ "${user_root_authentication_access_ssh}" == "false" ]]; then
if grep -q '^\s*PermitRootLogin' "${TARGET}/etc/ssh/sshd_config"; then
sed -i 's/^\s*PermitRootLogin\s\+.*/PermitRootLogin no/' "${TARGET}/etc/ssh/sshd_config"
else
echo 'PermitRootLogin no' >> "${TARGET}/etc/ssh/sshd_config"
fi
fi
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.bashrc" "${TARGET}/root/"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.zshrc" "${TARGET}/root/"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/root/.ciss/"
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/root/.ciss/"
# To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
echo 'set clipboard=unnamed' >| "${TARGET}/root/.vimrc"
chmod 0600 "${TARGET}/root/.vimrc"
do_log "info" "file_only" "User: 'root' updated."
### Install all user accounts.
for ((i = 0; i <= VAR_USER_MAX; i++)); do
tmp_username="user_user${i}_name"
tmp_fullname="user_user${i}_fullname"
tmp_uid="user_user${i}_uid"
tmp_gid="user_user${i}_gid"
tmp_shell="user_user${i}_shell"
tmp_password="user_user${i}_password"
tmp_sshpubkey="user_user${i}_sshpubkey"
tmp_sudo="user_user${i}_privileges_sudo"
tmp_restricted="user_user${i}_privileges_restricted"
var_username="${!tmp_username}"
var_fullname="${!tmp_fullname}"
var_uid="${!tmp_uid}"
var_gid="${!tmp_gid}"
var_shell="${!tmp_shell}"
var_password="${!tmp_password}"
var_sshpubkey="${!tmp_sshpubkey}"
var_sudo="${!tmp_sudo}"
var_restricted="${!tmp_restricted}"
do_in_target "${TARGET}" getent group "${var_username}" >/dev/null || \
do_in_target "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
if [[ "${var_restricted}" == "false" ]]; then
do_in_target "${TARGET}" useradd \
--comment "${var_fullname}" \
--create-home \
--expiredate 2102-12-31 \
--gid "${var_gid}" \
--home-dir /home/"${var_username}" \
--inactive 0 \
--shell "${var_shell}" \
--uid "${var_uid}" \
"${var_username}"
else
do_in_target "${TARGET}" useradd \
--comment "${var_fullname}" \
--expiredate 2102-12-31 \
--gid "${var_gid}" \
--home-dir /home/"${var_username}" \
--inactive 0 \
--no-create-home \
--shell "${var_shell}" \
--uid "${var_uid}" \
"${var_username}"
fi
var_chpasswd="${var_username}:${var_password}"
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
var_chpasswd=""
if [[ "${var_sudo}" == "true" ]]; then
do_in_target "${TARGET}" usermod -aG sudo "${var_username}"
fi
if [[ -n "${var_sshpubkey}" ]]; then
var_sshdir="${TARGET}/home/${var_username}/.ssh"
install -d -m 0700 -o "${var_username}" -g "${var_username}" "${var_sshdir}"
install -m 0600 -o "${var_username}" -g "${var_username}" /dev/null "${var_sshdir}/authorized_keys"
grep -qxF "${var_sshpubkey}" "${var_sshdir}/authorized_keys" || \
printf "%s\n" "${var_sshpubkey}" >> "${var_sshdir}/authorized_keys"
fi
do_log "info" "file_only" "Created user: [${var_username}] UID: [${var_uid}], GID: [${var_gid}]"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
func/system/4210_setup_packages.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install Debian Packages as specified in 'preseed.yaml'.
# Globals:
# ARY_PACKAGES
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_packages() {
do_in_target_script "${TARGET}" "apt-get update -y > /dev/null"
declare var_install_candidate=""
for var_install_candidate in "${ARY_PACKAGES[@]}"; do
do_in_target "${TARGET}" apt-get install -y "${var_install_candidate}"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

58
func/system/4230_setup_chrony.sh
View File

@@ -1,58 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup chrony NTPSec client.
# Globals:
# ARY_NTPSRVR
# DIR_BAK
# NL
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_chrony() {
# shellcheck disable=SC2155
declare var_of=$(mktemp var_of.XXXXXXXX)
declare var_ntp_server
for var_ntp_server in "${ARY_NTPSRVR[@]}"; do
printf "server %s iburst nts minpoll 5 maxpoll 9 %s" "${var_ntp_server}" "${NL}" >> "${var_of}"
done
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh %s" "${NL}" >> "${var_of}"
mkdir -p "${TARGET}/var/log/chrony"
do_in_target "${TARGET}" apt-get install chrony -y
if [[ ! -e "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service" ]]; then
ln -s "${TARGET}/lib/systemd/system/chrony.service" "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service"
fi
mkdir -p "${DIR_BAK}/etc/chrony"
mv "${TARGET}/etc/chrony/chrony.conf" "${DIR_BAK}/etc/chrony/chrony.conf.bak"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"
cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
do_log "info" "file_only" "Chrony NTPsec client installed."
rm -f "${var_of}"
unset var_of
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

91
func/system/4900_verify_system.sh
View File

@@ -1,91 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# TODO: Implement this function.
verify_system() {
### Declare Arrays, HashMaps, and Variables.
do_log "info" "file_only" "4100() Starting system integrity verification..."
###########################################
## Systemd & Identity Checks
###########################################
do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
do_in_target_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
do_in_target_script "${TARGET}" '[ -s /etc/machine-id ]' || \
do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."
###########################################
## crypttab & fstab Validation
###########################################
do_log "info" "file_only" "4100() Validating fstab and crypttab."
do_in_target_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
do_in_target_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."
###########################################
## Essential Services
###########################################
do_log "info" "file_only" "4100() Validating essential services."
do_in_target_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
###########################################
## Init & Bootloader
###########################################
do_log "info" "file_only" "4100() Checking init and GRUB presence."
do_in_target_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
do_in_target_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."
###########################################
## /etc Configuration Checks
###########################################
do_log "info" "file_only" "4100() Validating core /etc configurations."
do_in_target_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
do_in_target_script "${TARGET}" '[ -s /etc/hostname ]' || \
do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."
###########################################
## Permissions & Security
###########################################
do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
do_in_target_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
do_in_target_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
###########################################
## dpkg & apt status
###########################################
do_log "info" "file_only" "4100() Verifying package integrity."
do_in_target_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
do_in_target_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() apt-get check reported errors."
do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

48
func/system/4999_exiting_chroot_system.sh
View File

@@ -1,48 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Exiting chroot of the target system.
# Globals:
# TARGET
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
exiting_chroot_system() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_umount=( "/sys/fs/cgroup" "/dev/hugepages" "/dev/mqueue" "/dev/shm" "/dev/pts" "/proc" "/sys" "/dev" )
declare var_path=""
for var_path in "${ary_umount[@]}"; do
umount -l "${TARGET}${var_path}" 2>/dev/null || true
do_log "info" "file_only" "4999() Command: [umount -l ${TARGET}${var_path} 2>/dev/null || true] issued."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
umount -l "${TARGET}/run" 2>/dev/null || true
do_log "info" "file_only" "4999() Command: [umount -l ${TARGET}/run 2>/dev/null || true] issued."
fi
declare -gx VAR_CHROOT_ACTIVATED="false"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

27
func/system/5000_hardening_files.sh
View File

@@ -1,27 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
###########################################################################################
# Hardening files and directories.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
###########################################################################################
hardening_files() {
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh