V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-25 20:14:53 +01:00
parent 0b4ec1978e
commit 577827dc7a
17 changed files with 712 additions and 83 deletions
--- a/func/cdi_4700_verification/4610_finalize_system.sh
+++ b/func/cdi_4700_verification/4610_finalize_system.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Finalize the system.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+finalize_system() {
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4700_verification/4670_verify_system.sh
+++ b/func/cdi_4700_verification/4670_verify_system.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+verify_system() {
+  ### Declare Arrays, HashMaps, and Variables.
+do_log "info" "file_only" "4100() Starting system integrity verification..."
+
+  ###########################################
+  ## Systemd & Identity Checks
+  ###########################################
+  do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
+
+  chroot_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
+
+  chroot_script "${TARGET}" '[ -s /etc/machine-id ]' || \
+    do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."
+
+  ###########################################
+  ## crypttab & fstab Validation
+  ###########################################
+  do_log "info" "file_only" "4100() Validating fstab and crypttab."
+
+  chroot_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
+
+  chroot_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."
+
+  ###########################################
+  ## Essential Services
+  ###########################################
+  do_log "info" "file_only" "4100() Validating essential services."
+  chroot_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
+
+  ###########################################
+  ## Init & Bootloader
+  ###########################################
+  do_log "info" "file_only" "4100() Checking init and GRUB presence."
+
+  chroot_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
+
+  chroot_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
+    do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."
+
+  ###########################################
+  ## /etc Configuration Checks
+  ###########################################
+  do_log "info" "file_only" "4100() Validating core /etc configurations."
+
+  chroot_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
+
+  chroot_script "${TARGET}" '[ -s /etc/hostname ]' || \
+    do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."
+
+  ###########################################
+  ## Permissions & Security
+  ###########################################
+  do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
+
+  chroot_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
+  chroot_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
+
+  ###########################################
+  ## dpkg & apt status
+  ###########################################
+  do_log "info" "file_only" "4100() Verifying package integrity."
+
+  chroot_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
+  chroot_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() apt-get check reported errors."
+
+  do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4700_verification/4680_check_sshd_config_integrity.sh
+++ b/func/cdi_4700_verification/4680_check_sshd_config_integrity.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: SSH-Hardening Integrity Check (Centurion SSH Audit Support)
+
+set -Ceuo pipefail
+IFS=$'\n\t'
+
+declare -r REF_CONFIG="/path/to/includes/etc/ssh/sshd_config"
+declare -r LIVE_CONFIG="/etc/ssh/sshd_config"
+declare -r REF_SSHD_T="/path/to/includes/etc/ssh/sshd_config.sshdT"
+
+hash_file() {
+  sha256sum "$1" | awk '{print $1}'
+}
+
+bold()  { tput bold; echo "$1"; tput sgr0; }
+red()   { tput setaf 1; echo "$1"; tput sgr0; }
+green() { tput setaf 2; echo "$1"; tput sgr0; }
+
+echo
+bold "Checking SSH Configuration Integrity..."
+
+if [[ ! -f "${REF_CONFIG}" ]]; then
+  red "ERROR: Reference config '${REF_CONFIG}' not found."
+  exit 1
+fi
+
+if [[ ! -f "${LIVE_CONFIG}" ]]; then
+  red "ERROR: Live config '${LIVE_CONFIG}' not found."
+  exit 1
+fi
+
+declare -r HASH_REF=$(hash_file "${REF_CONFIG}")
+declare -r HASH_LIVE=$(hash_file "${LIVE_CONFIG}")
+
+if [[ "${HASH_REF}" == "${HASH_LIVE}" ]]; then
+  green "✓ sshd_config matches reference (SHA256: ${HASH_LIVE})"
+else
+  red "✗ sshd_config has been modified!"
+  diff -u "${REF_CONFIG}" "${LIVE_CONFIG}" || true
+fi
+
+# Vergleich der sshd -T Ausgabe
+echo
+bold "🔍 Verifying sshd -T output..."
+
+if [[ ! -f "${REF_SSHD_T}" ]]; then
+  red "ERROR: Reference sshd -T output not found: '${REF_SSHD_T}'"
+  exit 1
+fi
+
+TMP_SSHD_T=$(mktemp)
+sshd -T > "${TMP_SSHD_T}"
+
+if diff -q "${TMP_SSHD_T}" "${REF_SSHD_T}" >/dev/null; then
+  green "✓ sshd -T output matches expected configuration."
+else
+  red "✗ sshd -T output has changed:"
+  diff -u "${REF_SSHD_T}" "${TMP_SSHD_T}" || true
+fi
+
+rm -f "${TMP_SSHD_T}"
+echo
+bold "✔ SSH config integrity check completed."
+guard_dir && return 0
--- a/func/cdi_4700_verification/4690_check_grub_cmdline.sh
+++ b/func/cdi_4700_verification/4690_check_grub_cmdline.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: GRUB Kernel Parameter Linter
+
+set -Ceuo pipefail
+
+#######################################
+# Parse GRUB_CMDLINE string into array of unique options
+# Arguments:
+#   1: Grub file to parse
+#######################################
+parse_cmdline() {
+  declare var_input="${1}"
+  declare -a ary_input
+  ### Remove outer quotes if present.
+  var_input="${var_input%\"}"
+  var_input="${var_input#\"}"
+  ### Split into an array.
+  read -r -a ary_input <<< "${var_input}"
+  printf "%s\n" "${ary_input[@]}"
+}
+
+#######################################
+# Key extractor: for 'console=tty0' -> 'console'
+# Arguments:
+#   1:
+#######################################
+extract_key() {
+  declare var_param="${1}"
+  if [[ "${var_param}" == *=* ]]; then
+    echo "${var_param%%=*}"
+  else
+    echo "${var_param}"
+  fi
+}
+
+#######################################
+# Check Grub Command Lines for duplicate entries.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+check_grub_cmdline() {
+  ### Variable and Array declaration.
+  declare var_grub_file="${TARGET}/etc/default/grub"
+  declare var_grub_linux_line="" var_grub_default_line="" dup="" key="" p="" source=""
+  declare -a ary_default_params=() ary_linux_params=()
+  ### Combine for conflict analysis.
+  declare -A hmp_param_values=()
+  declare -A hmp_param_sources=()
+  declare -A hmp_duplicate_params=()
+
+  ### Extract lines.
+  var_grub_linux_line=$(grep -E '^GRUB_CMDLINE_LINUX=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
+  var_grub_default_line=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
+
+  ### Parse both lines.
+  mapfile -t ary_linux_params < <(parse_cmdline "${var_grub_linux_line}")
+  mapfile -t ary_default_params < <(parse_cmdline "${var_grub_default_line}")
+
+  ### Loop over all parameters.
+  for source in "linux" "default"; do
+    declare -n params="ary_${source}_params"
+    for p in "${params[@]}"; do
+      key=$(extract_key "${p}")
+      if [[ -v hmp_param_values["${key}"] ]]; then
+        if [[ "${hmp_param_values[${key}]}" != "${p}" ]]; then
+          echo "Conflict: Parameter '${key}' has multiple values:"
+          echo "- ${hmp_param_values[${key}]} (from ${hmp_param_sources[${key}]})"
+          echo "- ${p} (from ${source})"
+        else
+          hmp_duplicate_params["${p}"]=1
+        fi
+      else
+        hmp_param_values["${key}"]="${p}"
+        hmp_param_sources["${key}"]="${source}"
+      fi
+    done
+  done
+
+### Report duplicates.
+if (( ${#hmp_duplicate_params[@]} > 0 )); then
+  echo "Duplicate parameters found:"
+  for dup in "${!hmp_duplicate_params[@]}"; do
+    echo "- ${dup}"
+  done
+fi
+
+echo "GRUB_CMDLINE check complete."
+return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4700_verification/4699_check_usr_merge.sh
+++ b/func/cdi_4700_verification/4699_check_usr_merge.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Check if the target system is not 'tainted: unmerged-bin'.
+# Globals:
+#   TARGET
+#   architecture
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+check_final_usr_merge() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4699_check_usr_merge.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  # shellcheck disable=SC2312
+  chroot_script "${TARGET}" "
+    test -L /bin  && test $(readlink -f /bin)  = '/usr/bin'  || echo 'UNMERGED:/bin'  | tee -a ${var_logfile}
+    test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' || echo 'UNMERGED:/sbin' | tee -a ${var_logfile}
+    test -L /lib  && test $(readlink -f /lib)  = '/usr/lib'  || echo 'UNMERGED:/lib'  | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  if [[ "${architecture}" == "amd64" ]]; then
+    # shellcheck disable=SC2312
+    chroot_script "${TARGET}" "
+      test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' || echo 'UNMERGED:/lib64' | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh