V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_1000_helper/1082_helper_modules.sh

@@ -120,17 +120,15 @@ insert_comments() {
 #######################################
 # Wrapper to insert the SPDX Header into the specified file.
 # Globals:
-#   None
+#   VAR_DATE
 # Arguments:
 #   1: /path/to/file
 # Returns:
 #   0: on success
 #######################################
 insert_header() {
-  # shellcheck disable=SC2155
-  declare var_date="$(date +%F)"
   cat << EOF >| "${1}"
-# SPDX-CreationInfo: ${var_date}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -45,7 +45,7 @@ yaml_reader() {
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
-              recipe_firmware_var="" recipe_nuke_var="" recipe_table_var="" recipe_recovery_var=""
+              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var=""
 
   ### Read "${var_if}" line by line.
   while IFS= read -r var_line; do
@@ -116,7 +116,7 @@ END { print max }
       var_device="${var_fields[3]}"    ### The fourth position includes the device (e.g., sda, vda, xvda)
       var_partition="${var_fields[4]}" ### The fifth position includes the partition (e.g., 13)
 
-      ### Check, if the partition is a number and higher than the current value
+      ### Check if the partition is a number and higher than the current value
       if [[ "${var_partition}" =~ ^[0-9]+$ ]]; then
         declare -i cur="${HMP_RECIPE_DEV_PARTITIONS[${var_device}]:-0}"
         if (( var_partition > cur )); then
@@ -160,6 +160,11 @@ END { print max }
   # shellcheck disable=SC2034
   VAR_NUKE="${!recipe_nuke_var,,}"
 
+  ### Extract the chosen Nuke SHA512 KDF rounds.
+  recipe_nuke_rounds_var="recipe_${VAR_RECIPE_STRING}_control_nuke_rounds"
+  # shellcheck disable=SC2034
+  VAR_NUKE_ROUNDS="${!recipe_nuke_rounds_var}"
+
   ### Extract chosen partition table.
   recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
   VAR_RECIPE_TABLE="${!recipe_table_var,,}"

func/cdi_4000_debootstrap/4035_setup_resolv.sh

@@ -47,7 +47,7 @@ setup_resolv() {
   ### Create '/etc/resolv.conf' IPv4 entries for static configuration.
     cat << EOF >> "${TARGET}/etc/resolv.conf"
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_4000_debootstrap/4050_setup_locales.sh

@@ -53,7 +53,7 @@ setup_locales() {
   cat << EOF >| "${TARGET}${var_locale_hook}"
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -118,7 +118,7 @@ EOF
   ### Set the keyboard layout for the system (for consoles).
   cat << EOF >| "${TARGET}/etc/default/keyboard"
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_4100_base/4100_generate_sources.sh

@@ -84,7 +84,7 @@ generate_sources() {
   # shellcheck disable=SC2153
   cat << EOF >> "${TARGET}/etc/apt/sources.list"
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

func/cdi_4100_base/4105_generate_sources_822.sh

@@ -0,0 +1,148 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generate target '/etc/apt/sources.list.d/' deb.822 entries.
+# Globals:
+#   TARGET
+#   apt_contrib
+#   apt_deb_sources
+#   apt_mirror_directory
+#   apt_mirror_hostname
+#   apt_mirror_protocol
+#   apt_non_free
+#   apt_non_free_firmware
+#   apt_sec
+#   apt_updates_backports
+#   apt_updates_release
+#   apt_updates_security
+#   architecture
+#   distribution
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_sources822() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a ary_components=() ary_types=()
+  declare    var_arch="" var_codename="" var_deb_src="" var_dir="" var_hostname="" var_hostsecure="" var_url="" var_surl=""
+
+  # shellcheck disable=SC2154 # "${architecture}"
+  var_arch="${architecture,,}"
+  # shellcheck disable=SC2154 # "${distribution}"
+  var_codename="${distribution,,}"
+  # shellcheck disable=SC2154 # "${apt_deb_sources}"
+  var_deb_src="${apt_deb_sources,,}"
+  # shellcheck disable=SC2154 # "${apt_mirror_directory}"
+  var_dir="${apt_mirror_directory,,}"
+  # shellcheck disable=SC2154 # "${apt_mirror_hostname}"
+  var_hostname="${apt_mirror_hostname,,}"
+  # shellcheck disable=SC2154 # "${apt_sec}"
+  var_hostsecure="${apt_sec,,}"
+
+  ary_components=( "main" )
+  [[ "${apt_contrib,,}" == "true" ]] && ary_components+=( "contrib" )
+  [[ "${apt_non_free,,}" == "true" ]] && ary_components+=( "non-free" )
+  [[ "${apt_non_free_firmware,,}" == "true" ]] && ary_components+=( "non-free-firmware" )
+
+  ary_types=( "deb" )
+  [[ "${apt_deb_sources,,}" == "true" ]] && ary_types+=( "deb-src" )
+
+  if [[ "${apt_mirror_protocol,,}" == "https" ]]; then
+
+    var_url="https://${var_hostname}${var_dir}"
+    var_surl="https://${var_hostsecure}/debian-security"
+
+  elif [[ "${apt_mirror_protocol,,}" == "http" ]]; then
+
+    var_url="http://${var_hostname}${var_dir}"
+    var_surl="http://${var_hostsecure}/debian-security"
+
+  else
+
+    var_url="https://${var_hostname}${var_dir}"
+    var_surl="https://${var_hostsecure}/debian-security"
+
+  fi
+
+
+  ### Main Repository
+  insert_header  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  inser_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+
+  ### Security Repository
+  if [[ "${apt_updates_security,,}" == "true" ]]; then
+    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+Types: ${ary_types[*]}
+URIs: ${var_surl}
+Suites: ${var_codename}-security
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  fi
+
+  ### Updates Repository
+  if [[ "${apt_updates_release,,}" == "true" ]]; then
+    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}-updates
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  fi
+
+
+  ### Backports Repository
+  if [[ "${apt_updates_backports,,}" == "true" ]]; then
+    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    inser_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+Types: ${ary_types[*]}
+URIs: ${var_url}
+Suites: ${var_codename}-backports
+Components: ${ary_components[*]}
+Enabled: yes
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4460_hardening_memory.sh

@@ -12,6 +12,29 @@
 
 guard_sourcing
 
+#######################################
+# NOTE:
+#   According to the manual pages of limits.conf(5) and pam_limits(8),
+#   entries in '/etc/security/limits.conf' or drop-ins under
+#   '/etc/security/limits.d/' are NOT applied automatically by the system.
+#   The actual enforcement of these ulimit(2) constraints — including
+#   '* soft core 0' and '* hard core 0' to disable kernel core dumps —
+#   requires that the PAM module 'pam_limits.so' is invoked in the
+#   'session' stack of the respective service (e.g., via
+#   '/etc/pam.d/common-session' and
+#   '/etc/pam.d/common-session-noninteractive').
+#
+#   Without 'pam_limits.so' present in these PAM configuration files,
+#   the configured limits remain ineffective for PAM-based logins
+#   (SSH, local TTY, sudo, su, cron, etc.).
+#   Services launched by systemd bypass PAM and must have 'LimitCORE=0'
+#   or 'DefaultLimitCORE=0' set in their unit or in system.conf.d(5).
+#
+# References:
+#   - man 5 limits.conf
+#   - man 8 pam_limits
+#######################################
+
 #######################################
 # Hardening memory dump via:
 #   '/etc/systemd/coredump.conf.d/disable.conf'
@@ -161,6 +184,6 @@ guard_pam_limits() {
 
   (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
 
-  return 0
+  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4500_installation_accounts.sh

@@ -28,10 +28,6 @@ guard_sourcing
 #   0: on success
 #######################################
 installation_accounts() {
-
-  #######################################
-  # Declare Variables
-  #######################################
   declare -i i
   declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
     tmp_restricted=""
@@ -159,6 +155,132 @@ installation_accounts() {
 
   done
 
+
+  unset VAR_TEMP_PLAIN_MFA_SEED
+
   guard_dir && return 0
 }
+
+#######################################
+# Writes '.google_authenticator'-file for the respective user.
+# Globals:
+#   RANDOM
+#   TARGET
+# Arguments:
+#   1: Username
+# Returns:
+#   0: on success
+#######################################
+write_google_authenticator_file() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_user="${1}" var_secret=""
+  case "${1}" in
+    root) declare var_base="${TARGET}/root"             ;;
+    *)    declare var_base="${TARGET}/home/${var_user}" ;;
+  esac
+  declare -i  i=0
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
+  var_secret="$(generate_totp_secret "${var_user}")"
+
+  umask 0077
+
+  {
+    printf '%s\n' "${var_secret}"
+    printf '"RATE_LIMIT 3 30"\n'
+    printf '"WINDOW 10"\n'
+    printf '"DISALLOW_REUSE"\n'
+    printf '"TOTP_AUTH"\n'
+    ### Emergency Codes:
+    for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
+  } >| "${var_base}/.google_authenticator"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
+
+  chmod 0600 "${var_base}/.google_authenticator"
+
+  umask 0022
+
+  return 0
+}
+
+#######################################
+# Generates a deterministic TOTP secret based on:
+# Username, FQDN, MFA salt, MFA master seed
+# Globals:
+#   VAR_FINAL_FQDN
+#   VAR_TEMP_PLAIN_MFA_SEED
+#   user_mfa_info
+#   user_mfa_salt
+# Arguments:
+#   1: Username
+# Returns:
+#   0: on success
+#######################################
+generate_totp_secret() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare  var_user="${1}"
+  declare  var_host_id="${VAR_FINAL_FQDN}"
+  declare  var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
+  declare  var_info="${user_mfa_info}"
+  declare  var_secret=""
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+
+  ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
+  # shellcheck disable=SC2312
+  var_secret="$(
+    printf '%s' "${VAR_TEMP_PLAIN_MFA_SEED}" | xxd -r -p | openssl kdf -keylen 20 -kdfopt digest:SHA256 \
+      -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
+  )"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  printf '%s\n' "${var_secret}"
+  return 0
+}
+
+#######################################
+# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
+# Globals:
+#   DIR_CNF
+#   VAR_TEMP_PLAIN_MFA_SEED
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_READ_SEED_FILE
+#######################################
+read_totp_seed(){
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
+  declare -g VAR_TEMP_PLAIN_MFA_SEED=""
+
+  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
+    return "${ERR_READ_SEED_FILE}"
+  fi
+
+  ### Validate: exactly 64 hex.
+  [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh