V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -343,10 +343,22 @@ grub_parameter:
   # 'confidentiality': Maximum restriction to ensure the security and integrity of the system. This prevents direct access to
   # hardware and debug interfaces, for example. Useful for highly secure environments as it reduces the attack surface to kernel
   # data. However, some applications that require debugging or hardware access may have problems.
+  # Note: Lockdown=confidentiality prevents the kernel reads required for the systemd eBPF program
+  # (e.g., bpf_probe_read_kernel()), the verifier aborts, Invalid argument, and bpf-restrict-fs cannot load. Functionally, this
+  # is "only" the failure of the systemd hardening module RestrictFileSystems= (and related BPF filters); the rest boots.
+  # Therefore, countermeasures without BPF/BTF:
+  # Strict least-privilege: CapabilityBoundingSet= (remove CAP_SYS_ADMIN), 'NoNewPrivileges=yes', 'SystemCallFilter=~mount',
+  # 'PrivateMounts=yes', 'ProtectKernelModules=yes'. On the network side: instead of BPF egress, nftables policies at host level
+  # per unit: BindToDevice=lo or disconnect network NS. File systems: 'ProtectSystem=strict', 'ReadOnlyPaths=',
+  # 'InaccessiblePaths=', 'ProtectHome=tmpfs|read-only'.
+  # Otherwise, countermeasures with 'lockdown=integrity':
+  # 'kernel.unprivileged_bpf_disabled=1', 'net.core.bpf_jit_harden=2', 'kernel.perf_event_paranoid=3', 'kernel.kptr_restrict=2',
+  # 'kernel.dmesg_restrict=1'. Optional: 'kernel.kexec_load_disabled=1'. One gets BPF hardening (Restrict-FS, Egress filter),
+  # but minimizes BPF abuse by unprivileged users & JIT hardening.
   # https://blog.cloudflare.com/de-de/linux-kernel-hardening/
   # https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode
   ##############################################################################################################################
-  - "lockdown=confidentiality"
+  - "lockdown=integrity"
 
   ##############################################################################################################################
   # Enables 'Read-Only Data Protection', which implements read-only memory areas for kernel data structures. This protects the

ciss_debian_installer.sh

@@ -230,6 +230,8 @@ uuid_logger
 ### CDI_4000
 info_echo "4000_debootstrap.sh"
 func_debootstrap
+info_echo "4005_check_usr_merge.sh"
+check_usr_merge
 info_echo "4010_prepare_mounts.sh"
 prepare_mounts
 info_echo "4020_remove_x509.sh"
@@ -321,6 +323,8 @@ info_echo "4460_hardening_memory.sh"
 hardening_memory
 
 ### CDI_4500
+info_echo "4500_check_usr_merge.sh"
+check_final_usr_merge
 info_echo "4500_installation_accounts.sh"
 installation_accounts # TODO: Checks ongoing
 

func/cdi_4000_debootstrap/4005_check_usr_merge.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Check if the target system is not 'tainted: unmerged-bin'.
+# Globals:
+#   TARGET
+#   architecture
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+check_usr_merge() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4005_check_usr_merge.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  # shellcheck disable=SC2312
+  chroot_script "${TARGET}" "
+    test -L /bin  && test $(readlink -f /bin)  = '/usr/bin'  || echo 'UNMERGED:/bin'  | tee -a ${var_logfile}
+    test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' || echo 'UNMERGED:/sbin' | tee -a ${var_logfile}
+    test -L /lib  && test $(readlink -f /lib)  = '/usr/lib'  || echo 'UNMERGED:/lib'  | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  if [[ "${architecture}" == "amd64" ]]; then
+    # shellcheck disable=SC2312
+    chroot_script "${TARGET}" "
+      test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' || echo 'UNMERGED:/lib64' | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4500_check_usr_merge.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Check if the target system is not 'tainted: unmerged-bin'.
+# Globals:
+#   TARGET
+#   architecture
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+check_final_usr_merge() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4500_check_usr_merge.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  # shellcheck disable=SC2312
+  chroot_script "${TARGET}" "
+    test -L /bin  && test $(readlink -f /bin)  = '/usr/bin'  || echo 'UNMERGED:/bin'  | tee -a ${var_logfile}
+    test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' || echo 'UNMERGED:/sbin' | tee -a ${var_logfile}
+    test -L /lib  && test $(readlink -f /lib)  = '/usr/lib'  || echo 'UNMERGED:/lib'  | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  if [[ "${architecture}" == "amd64" ]]; then
+    # shellcheck disable=SC2312
+    chroot_script "${TARGET}" "
+      test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' || echo 'UNMERGED:/lib64' | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -40,6 +40,7 @@ source_guard "./func/cdi_3200_partitioning/3295_get_label.sh"
 
 ### cdi_4000_debootstrap
 source_guard "./func/cdi_4000_debootstrap/4000_debootstrap.sh"
+source_guard "./func/cdi_4000_debootstrap/4005_check_usr_merge.sh"
 source_guard "./func/cdi_4000_debootstrap/4010_prepare_mounts.sh"
 source_guard "./func/cdi_4000_debootstrap/4020_remove_x509.sh"
 source_guard "./func/cdi_4000_debootstrap/4030_setup_hostname.sh"
@@ -89,6 +90,7 @@ source_guard "./func/cdi_4400_hardening/4450_hardening_haveged.sh"
 source_guard "./func/cdi_4400_hardening/4460_hardening_memory.sh"
 
 ### cdi_4500_user
+source_guard "./func/cdi_4500_user/4500_check_usr_merge.sh"
 source_guard "./func/cdi_4500_user/4500_installation_accounts.sh"
 
 ### cdi_4600_verification