msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m41s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-26 19:58:34 +01:00
parent e01e686ae0
commit 748007d0cb
27 changed files with 698 additions and 863 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.preseed/preseed.yaml
View File

@@ -725,8 +725,7 @@ software:
- iftop - iftop
- locate - locate
- man-db - man-db
- mdadm - mtr-tiny
- mtr
- ncat - ncat
- rsync - rsync
- sysstat - sysstat
@@ -766,6 +765,7 @@ software:
# apparmor-profiles # apparmor-profiles
# apparmor-profiles-extra # apparmor-profiles-extra
# apparmor-utils # apparmor-utils
# OR #
# selinux-basics # selinux-basics
# selinux-policy-default # selinux-policy-default
# selinux-utils # selinux-utils

114
ciss_debian_installer.sh
View File

@@ -197,176 +197,264 @@ arg_priority_check
info_echo "0105_arg_nuke_converter.sh" info_echo "0105_arg_nuke_converter.sh"
nuke_passphrase nuke_passphrase
### CDI_1200
### CDI_1250 ### CDI_1250
info_echo "1250_yaml_parser.sh" info_echo "1250_yaml_parser.sh"
yaml_parser yaml_parser
info_echo "1251_yaml_reader.sh" info_echo "1251_yaml_reader.sh"
yaml_reader yaml_reader
info_echo "1252_yaml_validator.sh" info_echo "1252_yaml_validator.sh"
yaml_validator yaml_validator
### CDI_3200 ### CDI_3200
info_echo "3200_partitioning.sh" info_echo "3200_partitioning.sh"
partitioning partitioning
info_echo "3210_benchmarking_encryption.sh" info_echo "3210_benchmarking_encryption.sh"
benchmarking_encryption benchmarking_encryption
info_echo "3220_partition_encryption.sh" info_echo "3220_partition_encryption.sh"
partition_encryption partition_encryption
info_echo "3240_partition_formatting.sh" info_echo "3240_partition_formatting.sh"
partition_formatting partition_formatting
info_echo "3280_mount_partition.sh" info_echo "3280_mount_partition.sh"
mount_partition mount_partition
info_echo "3290_uuid_logger.sh" info_echo "3290_uuid_logger.sh"
uuid_logger uuid_logger
### CDI_4000 ### CDI_4000
info_echo "4000_debootstrap.sh" info_echo "4000_debootstrap.sh"
func_debootstrap func_debootstrap
info_echo "4005_debootstrap_checks.sh" info_echo "4005_debootstrap_checks.sh"
check_debootstrap check_debootstrap
info_echo "4010_prepare_mounts.sh" info_echo "4010_prepare_mounts.sh"
prepare_mounts prepare_mounts
info_echo "4015_check_usr_merge.sh" info_echo "4015_check_usr_merge.sh"
check_usr_merge check_usr_merge
info_echo "4020_remove_x509.sh" info_echo "4020_remove_x509.sh"
remove_x509 remove_x509
info_echo "4030_setup_hostname.sh" info_echo "4030_setup_hostname.sh"
setup_hostname setup_hostname
info_echo "4035_setup_resolv.sh" info_echo "4035_setup_resolv.sh"
setup_resolv setup_resolv
info_echo "4040_setup_timezone.sh" info_echo "4040_setup_timezone.sh"
setup_timezone setup_timezone
info_echo "4050_setup_locales.sh" info_echo "4050_setup_locales.sh"
setup_locales setup_locales
### CDI_4100 ### CDI_4100
if [[ "${VAR_DEB822}" == "true" ]]; then if [[ "${VAR_DEB822}" == "true" ]]; then
info_echo "4105_generate_sources822.sh" info_echo "4105_generate_sources822.sh"
generate_sources822 generate_sources822
else else
info_echo "4100_generate_sources.sh" info_echo "4100_generate_sources.sh"
generate_sources generate_sources
fi fi
info_echo "4110_update_sources.sh" info_echo "4110_update_sources.sh"
update_sources update_sources
info_echo "4120_installation_kernel.sh" info_echo "4120_installation_kernel.sh"
installation_kernel installation_kernel
info_echo "4121_installation_initramfs.sh" info_echo "4121_installation_initramfs.sh"
installation_initramfs installation_initramfs
info_echo "4130_installation_toolset.sh" info_echo "4130_installation_toolset.sh"
installation_toolset installation_toolset
info_echo "4131_installation_systemd.sh" info_echo "4131_installation_systemd.sh"
installation_systemd installation_systemd
info_echo "4132_installation_machineid.sh" info_echo "4132_installation_machineid.sh"
installation_machineid installation_machineid
info_echo "4133_installation_masking.sh" info_echo "4133_installation_masking.sh"
installation_masking installation_masking
info_echo "4140_installation_microcode.sh" info_echo "4140_installation_microcode.sh"
installation_microcode installation_microcode
info_echo "4145_installation_firmware.sh" info_echo "4145_installation_firmware.sh"
installation_firmware installation_firmware
info_echo "4150_installation_chrony.sh" info_echo "4150_installation_chrony.sh"
installation_chrony installation_chrony
info_echo "4160_installation_eza.sh" info_echo "4160_installation_eza.sh"
installation_eza installation_eza
info_echo "4170_installation_lynis.sh" info_echo "4170_installation_lynis.sh"
installation_lynis installation_lynis
### CDI_4200 ### CDI_4200
info_echo "4200_generate_fstab.sh" info_echo "4200_generate_fstab.sh"
generate_fstab generate_fstab
info_echo "4205_check_fstab.sh" info_echo "4205_check_fstab.sh"
check_fstab check_fstab
info_echo "4210_generate_crypttab.sh" info_echo "4210_generate_crypttab.sh"
generate_crypttab generate_crypttab
info_echo "4215_check_crypttab.sh"
check_crypttab
info_echo "4220_installation_cryptsetup.sh" info_echo "4220_installation_cryptsetup.sh"
installation_cryptsetup installation_cryptsetup
info_echo "4230_installation_grub.sh" info_echo "4230_installation_grub.sh"
installation_grub installation_grub
if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
info_echo "4240_update_grub_password.sh" info_echo "4240_update_grub_password.sh"
update_grub_password update_grub_password
fi fi
info_echo "4250_update_grub_bootparameter.sh" info_echo "4250_update_grub_bootparameter.sh"
update_grub_bootparameter update_grub_bootparameter
### CDI_4300 ### CDI_4300
info_echo "4300_installation_network.sh" info_echo "4300_installation_network.sh"
installation_network installation_network
info_echo "4305_installation_netsec.sh" info_echo "4305_installation_netsec.sh"
installation_netsec installation_netsec
if [[ "${VAR_DROPBEAR}" == "true" ]]; then if [[ "${VAR_DROPBEAR}" == "true" ]]; then
info_echo "4310_dropbear_build.sh" info_echo "4310_dropbear_build.sh"
dropbear_build dropbear_build
info_echo "4311_dropbear_initramfs.sh" info_echo "4311_dropbear_initramfs.sh"
dropbear_initramfs dropbear_initramfs
info_echo "4312_dropbear_setup.sh" info_echo "4312_dropbear_setup.sh"
dropbear_setup dropbear_setup
fi fi
info_echo "4320_update_initramfs.sh" info_echo "4320_update_initramfs.sh"
update_initramfs update_initramfs
info_echo "4330_installation_ssh.sh" info_echo "4330_installation_ssh.sh"
installation_ssh installation_ssh
### CDI_4400 ### CDI_4400
info_echo "4400_kernel_modules.sh" info_echo "4400_kernel_modules.sh"
kernel_modules && kernel_modprobe kernel_modules && kernel_modprobe
info_echo "4410_kernel_sysctl.sh" info_echo "4410_kernel_sysctl.sh"
kernel_sysctl kernel_sysctl
info_echo "4420_hardening_fail2ban.sh" info_echo "4420_hardening_fail2ban.sh"
hardening_fail2ban hardening_fail2ban
info_echo "4430_hardening_files.sh" info_echo "4430_hardening_files.sh"
hardening_files hardening_files
info_echo "4440_hardening_haveged.sh" info_echo "4440_hardening_haveged.sh"
hardening_haveged hardening_haveged
info_echo "4450_hardening_memory.sh" info_echo "4450_hardening_memory.sh"
hardening_memory hardening_memory
info_echo "4460_hardening_openssl.sh" info_echo "4460_hardening_openssl.sh"
hardening_openssl hardening_openssl
info_echo "4470_hardening_ufw.sh" info_echo "4470_hardening_ufw.sh"
hardening_ufw hardening_ufw
info_echo "4480_hardening_usb.sh" info_echo "4480_hardening_usb.sh"
hardening_usb hardening_usb
info_echo "4490_hardening_virus.sh" info_echo "4490_hardening_virus.sh"
hardening_virus hardening_virus
info_echo "4445_hardening_logrotate.sh" info_echo "4445_hardening_logrotate.sh"
hardening_logrotate hardening_logrotate
### CDI_4500 ### CDI_4500
info_echo "4500_accounts_preparation.sh" info_echo "4500_accounts_preparation.sh"
accounts_preparation accounts_preparation
info_echo "4510_accounts_hardening.sh" info_echo "4510_accounts_hardening.sh"
accounts_hardening accounts_hardening
info_echo "4520_accounts_setup.sh" info_echo "4520_accounts_setup.sh"
accounts_setup accounts_setup
### CDI_4600 ### CDI_4600
info_echo "4600_installation_packages.sh" info_echo "4600_installation_packages.sh"
installation_packages installation_packages
info_echo "4610_installation_security.sh" info_echo "4610_installation_security.sh"
installation_security installation_security
info_echo "4620_installation_verification.sh" info_echo "4620_installation_verification.sh"
install_verification install_verification
#info_echo "4610_finalize_system.sh" info_echo "4630_auditing_packages.sh"
auditing_packages
#info_echo "4670_verify_system.sh" ### CDI_4900
info_echo "4999_exiting_chroot_system.sh"
#info_echo "4680_check_sshd_config_integrity.sh"
#info_echo "4690_check_grub_cmdline.sh"
### CDI_4700
info_echo "4799_exiting_chroot_system.sh"
exiting_chroot_system exiting_chroot_system
### CDI_5000 ### CDI_5000
if [[ "${VAR_RECOVERY}" == "true" ]]; then if [[ "${VAR_RECOVERY}" == "true" ]]; then
wrapper_recovery
info_echo "5000_debootstrap.sh"
func_debootstrap_reco
info_echo "5005_debootstrap_checks.sh"
check_debootstrap_reco
info_echo "5010_prepare_mounts.sh"
prepare_mounts_reco
info_echo "5015_check_usr_merge.sh"
check_usr_merge_reco
info_echo "5020_remove_x509.sh"
remove_x509_reco
info_echo "5030_setup_hostname.sh"
setup_hostname_reco
info_echo "5035_setup_resolv.sh"
setup_resolv_reco
info_echo "5040_setup_timezone.sh"
setup_timezone_reco
info_echo "5999_exiting_chroot_recovery.sh"
exiting_chroot_recovery
fi fi
### Dialog Output for Initialization END ### Dialog Output for Initialization END

1
func/cdi_4000_debootstrap/4020_remove_x509.sh
View File

@@ -27,7 +27,6 @@ remove_x509() {
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \ install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed." do_log "warn" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."

16
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -612,13 +612,20 @@ EOF
if [[ ! -f "${var_sudoers_winscp_global}" ]]; then if [[ ! -f "${var_sudoers_winscp_global}" ]]; then
install_header "${var_sudoers_winscp_global}"
install_comments "${var_sudoers_winscp_global}"
cat << EOF >| "${var_sudoers_winscp_global}" cat << EOF >| "${var_sudoers_winscp_global}"
### Added by CISS.debian.installer. WinSCP SFTP-as-root (least privilege). ### Added by CISS.debian.installer. WinSCP SFTP-as-root (least privilege).
### Allow exactly the sftp-server binary, optionally with -e (stderr logging). ### Allow exactly the sftp-server binary, optionally with -e (stderr logging).
Cmnd_Alias CISS_SFTPROOT = ${var_sftp_bin}, ${var_sftp_bin} -e Cmnd_Alias CISS_SFTPROOT = ${var_sftp_bin}, ${var_sftp_bin} -e
# Harden per-command defaults: noexec to block execve(), and forbid env changes. # Command-scoped hardening for the alias:
Defaults!CISS_SFTPROOT noexec, !setenv # - noexec : disallow further exec()
# - !setenv : forbid env manipulation
# - timestamp_timeout=0: require re-auth each time (no caching)
Defaults!CISS_SFTPROOT noexec, !setenv, timestamp_timeout=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
chmod 0440 "${var_sudoers_winscp_global}" chmod 0440 "${var_sudoers_winscp_global}"
@@ -641,7 +648,10 @@ EOF
else else
echo "${var_user} ALL=(root) NOPASSWD: CISS_SFTPROOT" >| "${var_sudoers_winscp_user}" install_header "${var_sudoers_winscp_user}"
install_comments "${var_sudoers_winscp_user}"
echo "${var_user} ALL=(root) PASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_sudoers_winscp_user}"
fi fi
chmod 0440 "${var_sudoers_winscp_user}" chmod 0440 "${var_sudoers_winscp_user}"

19
func/cdi_4600_packages/4600_installation_packages.sh
View File

@@ -28,20 +28,31 @@ installation_packages() {
chroot_logger "${TARGET}${var_logfile}" chroot_logger "${TARGET}${var_logfile}"
if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
chroot_script "${TARGET}" "
export INITRD=No
apt-get update 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
apt-get upgrade -y 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
chroot_script "${TARGET}" " chroot_script "${TARGET}" "
export INITRD=No export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile} apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile} echo ExitCode: \$? >> ${var_logfile}
" "
if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
chroot_script "${TARGET}" " chroot_script "${TARGET}" "
export INITRD=No export INITRD=No
apt-get update 2>&1 | tee -a ${var_logfile} apt-get autoclean -y 2>&1 | tee -a ${var_logfile}
apt-get upgrade -y 2>&1 | tee -a ${var_logfile} echo ExitCode: \$? >> ${var_logfile}
apt-get autopurge -y 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
apt-get autoremove -y 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile} echo ExitCode: \$? >> ${var_logfile}
" "
fi
guard_dir && return 0 guard_dir && return 0
} }

102
func/cdi_4600_packages/4630_auditing_packages.sh Normal file
View File

@@ -0,0 +1,102 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Final checks.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
auditing_packages() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4630_auditing_packages.log"
chroot_logger "${TARGET}${var_logfile}"
chroot_script "${TARGET}" "
if ! dpkg --audit 2>&1 | tee -a ${var_logfile}; then
echo \"[dpkg --audit] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[dpkg --audit] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
if ! apt-get check 2>&1 | tee -a ${var_logfile}; then
echo \"[apt-get check] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[apt-get check] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
### Only log anomalies from dpkg -V (no output == OK)
if ! dpkg -V 2>&1 | tee -a ${var_logfile}; then
echo \"[dpkg -V] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[dpkg -V] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
### Simulations (no changes)
if ! apt-get -s autoremove --purge 2>&1 | tee -a ${var_logfile}; then
echo \"[apt-get -s autoremove --purge] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[apt-get -s autoremove --purge] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
### Residual configs & holds
if ! apt-mark showhold 2>&1 | tee -a ${var_logfile}; then
echo \"[apt-mark showhold] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[apt-mark showhold] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
### Apt pinning
if ! grep -R . /etc/apt/preferences.d/ 2>&1 | tee -a ${var_logfile}; then
echo \"[grep -R . /etc/apt/preferences.d/] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[grep -R . /etc/apt/preferences.d/] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
### Diversions, statoverrides, alternatives
if ! dpkg-divert --list 2>&1 | tee -a ${var_logfile}; then
echo \"[dpkg-divert --list] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[dpkg-divert --list] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
if ! dpkg-statoverride --list 2>&1 | tee -a ${var_logfile}; then
echo \"[dpkg-statoverride --list] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[dpkg-statoverride --list] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
if ! update-alternatives --get-selections 2>&1 | tee -a ${var_logfile}; then
echo \"[update-alternatives --get-selections] failed with ExitCode: \$? \" >> ${var_logfile}
else
echo \"[update-alternatives --get-selections] ExitCode: \$? \" >> ${var_logfile}
fi
echo +++ >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

90
func/cdi_4700_verification/4670_verify_system.sh
View File

@@ -1,90 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
verify_system() {
### Declare Arrays, HashMaps, and Variables.
do_log "info" "file_only" "4100() Starting system integrity verification..."
###########################################
## Systemd & Identity Checks
###########################################
do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
chroot_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
chroot_script "${TARGET}" '[ -s /etc/machine-id ]' || \
do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."
###########################################
## crypttab & fstab Validation
###########################################
do_log "info" "file_only" "4100() Validating fstab and crypttab."
chroot_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
chroot_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."
###########################################
## Essential Services
###########################################
do_log "info" "file_only" "4100() Validating essential services."
chroot_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
###########################################
## Init & Bootloader
###########################################
do_log "info" "file_only" "4100() Checking init and GRUB presence."
chroot_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
chroot_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."
###########################################
## /etc Configuration Checks
###########################################
do_log "info" "file_only" "4100() Validating core /etc configurations."
chroot_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
chroot_script "${TARGET}" '[ -s /etc/hostname ]' || \
do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."
###########################################
## Permissions & Security
###########################################
do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
chroot_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
chroot_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
###########################################
## dpkg & apt status
###########################################
do_log "info" "file_only" "4100() Verifying package integrity."
chroot_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
chroot_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() apt-get check reported errors."
do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

74
func/cdi_4700_verification/4680_check_sshd_config_integrity.sh
View File

@@ -1,74 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: SSH-Hardening Integrity Check (Centurion SSH Audit Support)
set -Ceuo pipefail
IFS=$'\n\t'
declare -r REF_CONFIG="/path/to/includes/etc/ssh/sshd_config"
declare -r LIVE_CONFIG="/etc/ssh/sshd_config"
declare -r REF_SSHD_T="/path/to/includes/etc/ssh/sshd_config.sshdT"
hash_file() {
sha256sum "$1" | awk '{print $1}'
}
bold() { tput bold; echo "$1"; tput sgr0; }
red() { tput setaf 1; echo "$1"; tput sgr0; }
green() { tput setaf 2; echo "$1"; tput sgr0; }
echo
bold "Checking SSH Configuration Integrity..."
if [[ ! -f "${REF_CONFIG}" ]]; then
red "ERROR: Reference config '${REF_CONFIG}' not found."
exit 1
fi
if [[ ! -f "${LIVE_CONFIG}" ]]; then
red "ERROR: Live config '${LIVE_CONFIG}' not found."
exit 1
fi
declare -r HASH_REF=$(hash_file "${REF_CONFIG}")
declare -r HASH_LIVE=$(hash_file "${LIVE_CONFIG}")
if [[ "${HASH_REF}" == "${HASH_LIVE}" ]]; then
green "✓ sshd_config matches reference (SHA256: ${HASH_LIVE})"
else
red "✗ sshd_config has been modified!"
diff -u "${REF_CONFIG}" "${LIVE_CONFIG}" || true
fi
# Vergleich der sshd -T Ausgabe
echo
bold "🔍 Verifying sshd -T output..."
if [[ ! -f "${REF_SSHD_T}" ]]; then
red "ERROR: Reference sshd -T output not found: '${REF_SSHD_T}'"
exit 1
fi
TMP_SSHD_T=$(mktemp)
sshd -T > "${TMP_SSHD_T}"
if diff -q "${TMP_SSHD_T}" "${REF_SSHD_T}" >/dev/null; then
green "✓ sshd -T output matches expected configuration."
else
red "✗ sshd -T output has changed:"
diff -u "${REF_SSHD_T}" "${TMP_SSHD_T}" || true
fi
rm -f "${TMP_SSHD_T}"
echo
bold "✔ SSH config integrity check completed."
guard_dir && return 0

104
func/cdi_4700_verification/4690_check_grub_cmdline.sh
View File

@@ -1,104 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: GRUB Kernel Parameter Linter
set -Ceuo pipefail
#######################################
# Parse GRUB_CMDLINE string into array of unique options
# Arguments:
# 1: Grub file to parse
#######################################
parse_cmdline() {
declare var_input="${1}"
declare -a ary_input
### Remove outer quotes if present.
var_input="${var_input%\"}"
var_input="${var_input#\"}"
### Split into an array.
read -r -a ary_input <<< "${var_input}"
printf "%s\n" "${ary_input[@]}"
}
#######################################
# Key extractor: for 'console=tty0' -> 'console'
# Arguments:
# 1:
#######################################
extract_key() {
declare var_param="${1}"
if [[ "${var_param}" == *=* ]]; then
echo "${var_param%%=*}"
else
echo "${var_param}"
fi
}
#######################################
# Check Grub Command Lines for duplicate entries.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_grub_cmdline() {
### Variable and Array declaration.
declare var_grub_file="${TARGET}/etc/default/grub"
declare var_grub_linux_line="" var_grub_default_line="" dup="" key="" p="" source=""
declare -a ary_default_params=() ary_linux_params=()
### Combine for conflict analysis.
declare -A hmp_param_values=()
declare -A hmp_param_sources=()
declare -A hmp_duplicate_params=()
### Extract lines.
var_grub_linux_line=$(grep -E '^GRUB_CMDLINE_LINUX=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
var_grub_default_line=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
### Parse both lines.
mapfile -t ary_linux_params < <(parse_cmdline "${var_grub_linux_line}")
mapfile -t ary_default_params < <(parse_cmdline "${var_grub_default_line}")
### Loop over all parameters.
for source in "linux" "default"; do
declare -n params="ary_${source}_params"
for p in "${params[@]}"; do
key=$(extract_key "${p}")
if [[ -v hmp_param_values["${key}"] ]]; then
if [[ "${hmp_param_values[${key}]}" != "${p}" ]]; then
echo "Conflict: Parameter '${key}' has multiple values:"
echo "- ${hmp_param_values[${key}]} (from ${hmp_param_sources[${key}]})"
echo "- ${p} (from ${source})"
else
hmp_duplicate_params["${p}"]=1
fi
else
hmp_param_values["${key}"]="${p}"
hmp_param_sources["${key}"]="${source}"
fi
done
done
### Report duplicates.
if (( ${#hmp_duplicate_params[@]} > 0 )); then
echo "Duplicate parameters found:"
for dup in "${!hmp_duplicate_params[@]}"; do
echo "- ${dup}"
done
fi
echo "GRUB_CMDLINE check complete."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

0
func/cdi_4700_xtended/4799_exiting_chroot_system.sh → func/cdi_4900_xtended/4999_exiting_chroot_system.sh
View File

41
func/cdi_5000_recovery/3.8.9.functions_installation_wrapper_recovery.sh
View File

@@ -1,41 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Wrapper to check if recovery partition is selected and if so, proceed with setup of recovery OS.
# Globals:
# MAP_MOUNTPATH_DEV
# MODULE_ERR
# MODULE_TXT
# Arguments:
# None
###########################################################################################
wrapper_recovery() {
declare FOUND="false"
declare MOUNT_PATH=""
declare HASHMAP_VALUE=""
for MOUNT_PATH in "${!MAP_MOUNTPATH_DEV[@]}"; do
HASHMAP_VALUE="${MAP_MOUNTPATH_DEV[${MOUNT_PATH}]}"
if [[ ${HASHMAP_VALUE} == "/dev/mapper/crypt_rescue" ]]; then
FOUND="true"
break
fi
done
if [[ ${FOUND} == true ]]; then
3_9_0_functions_installation_setup_recovery
3_9_1_functions_installation_generate_files_recovery
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

83
func/cdi_5000_recovery/3.9.0.functions_installation_setup_recovery.sh
View File

@@ -1,83 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Mounting '/dev/mapper/crypt_rescue', debootstrap recovery partition, preparing chroot.
# Globals:
# ERR_CHROOT_MOUNTS
# ERR_DE_BOOT_STRAP
# MODULE_ERR
# MODULE_TXT
# RECOVERY
# TARGET
# Arguments:
# None
###########################################################################################
setup_recovery() {
# The '/dev/mapper/crypt_rescue' partition is not mounted by the installation script by default,
# as it is not required to be automatically mounted by the production system via '/etc/crypttab' and '/etc/fstab'.
mount /dev/mapper/crypt_rescue "${RECOVERY}"
# Debootstrap for a minimalistic Debian OS.
if debootstrap --arch amd64 bookworm "${RECOVERY}" https://deb.debian.org/debian; then
do_log "info" "file_only" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' successful."
else
do_log "emergency" "file_only" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' NOT successful."
exit "${ERR_DE_BOOT_STRAP}"
fi
### Reminder ###
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}"/proc).
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
# Prepare the freshly installed Debian OS recovery system for further setup.
if mount --make-rslave --rbind /proc "${RECOVERY}"/proc; then
do_log "info" "file_only" "'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /sys "${RECOVERY}"/sys; then
do_log "info" "file_only" "'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /dev "${RECOVERY}"/dev; then
do_log "info" "file_only" "'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /run "${RECOVERY}"/run; then
do_log "info" "file_only" "'mount --make-rslave --rbind /run ${RECOVERY}/run'."
else
do_log "emergency" "file_only" "Failed: 'mount --make-rslave --rbind /run ${RECOVERY}/run'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "info" "file_only" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
else
do_log "emergency" "file_only" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

387
func/cdi_5000_recovery/3.9.1.functions_installation_generate_files_recovery.sh
View File

@@ -1,387 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Generates '${RECOVERY}/etc/crypttab' and '${RECOVERY}/etc/fstab' files for recovery partition.
# Globals:
# tba
# Arguments:
# None
###########################################################################################
generate_files_recovery() {
### BLOCK '${RECOVERY}/etc/crypttab'
# Generate '${RECOVERY}/etc/crypttab'
touch "${RECOVERY}"/etc/crypttab
chmod 0644 "${RECOVERY}"/etc/crypttab
# Generate '${RECOVERY}/etc/crypttab' header
# shellcheck disable=SC2129
cat << EOF >> "${RECOVERY}"/etc/crypttab
# <name> <device> <password-file-or-none> <options>
EOF
### Reminder ###
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# Extract the key from HashMap MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
declare KEY=""
declare VAR=""
for VAR in "${!MAP_PATH_CRYPT[@]}"; do
if [[ ${MAP_PATH_CRYPT[$VAR]} == "crypt_rescue" ]]; then
KEY="${VAR}"
break
fi
done
declare ENCRYPTION_LABEL
ENCRYPTION_LABEL="${MAP_PATH_CRYPT["${KEY}"]}"
# shellcheck disable=2129
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "file_only" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
# Generate '${RECOVERY}/etc/crypttab' special ephemeral entries.
declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
declare KEY=""
# MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
# MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
for KEY in "${EPHEMERAL_MOUNT_PATH[@]}"; do
if [[ ${KEY} == "SWAP" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
elif [[ ${KEY} == "/tmp" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
else
do_log "info" "file_only" "${RECOVERY}/etc/crypttab (This message should never get printed.)"
fi
done
### BLOCK '${RECOVERY}/etc/fstab'
# Generate '${RECOVERY}/etc/fstab'
touch "${RECOVERY}"/etc/fstab
chmod 0644 "${RECOVERY}"/etc/fstab
# Generate '${RECOVERY}/etc/fstab' header
# shellcheck disable=SC2129
cat << EOF >> "${RECOVERY}"/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
EOF
### Reminder ###
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# Generate '${TARGET}/etc/fstab' special entries '/' '/boot' '/boot/efi'.
# Define the order of the special keys.
declare -a KEY_ORDER
KEY_ORDER=("/RECOVERY")
declare DEVICE_PATH
declare DEVICE_UUID
declare ENCRYPTION_LABEL
declare KEY
declare MATCHING_VAR
declare TRANSFORMED_STRING
for KEY in "${KEY_ORDER[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of the sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
if [[ ${KEY} == "/" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot/efi" ]]; then
if [[ ${FILESYSTEM_VERSION} == "fat32" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
else
do_log "error" "false" "fstab entry - no valid '${KEY}' for '/', '/boot', '/boot/efi' found."
fi
done
# Generate '${TARGET}/etc/fstab' remaining entries
for KEY in "${!MAP_MOUNTPATH_DEV[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of the sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
# Skip already mounted paths ("/", "/boot", "/boot/efi")
if [[ " ${KEY_ORDER[*]} " == *" ${KEY} "* ]]; then
continue
fi
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
done
# Add entry for CD-ROM device
# shellcheck disable=2129
echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
# Add entry for proc and tmpfs device
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0" >> "${TARGET}"/etc/fstab
echo "tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: 'proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0'."
do_log "info" "file_only" "fstab entry generated: 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0'."
# Add entry for SWAP device
declare MOUNT_PATH="SWAP"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0'."
# Add entry for '/tmp' device
declare MOUNT_PATH="/tmp"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0'."
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

73
func/cdi_5000_recovery/5000_debootstrap.sh Normal file
View File

@@ -0,0 +1,73 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install a minimal Debian environment using the 'debootstrap' command.
# Globals:
# LOG_REC
# RECOVERY
# VAR_ARCHITECTURE
# VAR_CODENAME
# debootstrap_includes
# debootstrap_mirror
# Arguments:
# None
# Returns:
# 0: on success
# ERR_DEBOOTSTRAP
#######################################
func_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_arch="${VAR_ARCHITECTURE}"
declare -r var_dist="${VAR_CODENAME}"
declare -r var_target="${RECOVERY}"
declare -r var_mirror="${debootstrap_mirror}"
declare -r var_includes="${debootstrap_includes}"
declare -a ary_cmd=()
ary_cmd+=( "debootstrap" "--arch=${var_arch}" "--keep-debootstrap-dir" "--log-extra-deps" "--merged-usr" )
if [[ -n "${var_includes}" ]]; then ary_cmd+=( "--include=${var_includes}" ); fi
ary_cmd+=( "${var_dist}" "${var_target}" "${var_mirror}" )
do_log "debug" "file_only" "5000() Executing: [${ary_cmd[*]}]"
# shellcheck disable=SC2312
if "${ary_cmd[@]}" | tee "${LOG_REC}"; then
do_log "info" "file_only" "5000() [${ary_cmd[*]}] successful."
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/debootstrap"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
chmod 0700 "${var_target}/root/.ciss"
chmod 0700 "${var_target}/root/.ciss/cdi"
chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
guard_dir && return 0
else
do_log "emergency" "file_only" "5000() [${ary_cmd[*]}] failed."
return "${ERR_DEBOOTSTRAP}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

83
func/cdi_5000_recovery/5005_debootstrap_checks.sh Normal file
View File

@@ -0,0 +1,83 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Preliminary post debootstrap checks.
# Globals:
# RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_debootstrap_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5005_debootstrap_checks.log"
chroot_logger "${RECOVERY}${var_logfile}"
chroot_script "${RECOVERY}" "
{
### Header
echo '==[debootstrap checks]=='
date -Is 2>/dev/null || true
### dpkg audit (non-fatal)
echo '### dpkg --audit'
dpkg --audit || true
### essential subset (status & version)
echo '### dpkg-query essential subset'
dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
### init presence (log explicit)
echo '### init presence'
if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
echo 'init_present=yes'
else
echo 'init_present=no'
fi
### awk path and alternative link (if any)
echo '### awk'
awk_path=\$(command -v awk || true)
printf 'awk_path=%s\n' \"\$awk_path\"
if [[ -L /usr/bin/awk ]]; then
printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
fi
### usr-merge / tainted check
echo '### usr-merge / taint'
usr_merge_ok=yes
for p in /bin /sbin /lib /lib64; do
[[ -e \"\$p\" ]] || continue
if [[ -L \"\$p\" ]]; then
tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
printf '%s -> %s\n' \"\$p\" \"\$tgt\"
else
usr_merge_ok=no
printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
fi
done
printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
### architecture
echo '### architecture'
dpkg --print-architecture 2>/dev/null || true
} >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

119
func/cdi_5000_recovery/5010_prepare_mounts.sh Normal file
View File

@@ -0,0 +1,119 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Configure the recovery system for chroot.
# Globals:
# ERR_CHRT_MOUNTS
# RECOVERY
# VAR_CHROOT_ACTIVATED
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# ERR_CHRT_MOUNTS
# 0: on success
#######################################
prepare_mounts_reco() {
### Notes
# This file mounts all necessary pseudo filesystems into the target root environment to enable chroot operations.
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${RECOVERY}/proc").
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
#
# Some subdirectories (such as /dev/pts, /dev/shm, /sys/fs/cgroup) are remounted with more restrictive options
# like 'noexec', 'nosuid', and 'nodev' to enhance security. This ensures they override the inherited bind-mounts and
# enforce proper runtime behavior in the chroot.
### Declare Arrays, HashMaps, and Variables.
declare -A HMP_SPECIAL_MOUNTS=(
["/dev"]="devtmpfs devtmpfs mode=0755,nosuid" # Base device node FS
["/dev/pts"]="devpts devpts noexec,nosuid" # Pseudoterminals
["/dev/shm"]="tmpfs tmpfs rw,nosuid,nodev" # Shared memory
["/dev/mqueue"]="mqueue mqueue rw,nosuid,nodev,noexec" # POSIX message queues
["/dev/hugepages"]="hugetlbfs hugetlbfs rw,nosuid,nodev" # Huge pages
["/proc"]="proc proc nosuid,noexec,nodev" # procfs
["/sys"]="sysfs sysfs nosuid,noexec,nodev" # sysfs
["/sys/fs/cgroup"]="cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime" # Unified cgroup2
)
declare var_path="" var_fs="" var_src="" var_opts=""
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
mkdir -p "${RECOVERY}${var_path}"
done
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
if mountpoint -q "${RECOVERY}${var_path}"; then
do_log "info" "file_only" "5010() Skipped: '${RECOVERY}${var_path}' is already a mountpoint."
continue
fi
if ! mount -t "${var_fs}" "${var_src}" "${RECOVERY}${var_path}" -o "${var_opts}"; then
do_log "emergency" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount -t ${var_fs} ${var_src} ${RECOVERY}${var_path} -o ${var_opts}] successful."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${RECOVERY}/run"
if ! mount --make-rslave --rbind /run "${RECOVERY}/run"; then
do_log "emergency" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [mount --make-rslave --rbind /run ${RECOVERY}/run] successful."
fi
if ! chroot_exec "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "5010() Command: [chroot_exec ${RECOVERY} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${RECOVERY}/media/cdrom0"
# shellcheck disable=SC2034
declare -gx VAR_CHROOT_ACTIVATED="recovery"
do_log "info" "file_only" "5010() Command: [declare -gx VAR_CHROOT_ACTIVATED=recovery]"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

49
func/cdi_5000_recovery/5015_check_usr_merge.sh Normal file
View File

@@ -0,0 +1,49 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check if the recovery system is not 'tainted: unmerged-usr'.
# Globals:
# RECOVERY
# architecture
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_usr_merge_reco() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/5015_check_usr_merge.log"
chroot_logger "${RECOVERY}${var_logfile}"
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /bin && test $(readlink -f /bin) = '/usr/bin' && echo 'MERGED:/bin' >> ${var_logfile} || echo 'UNMERGED:/bin' >> ${var_logfile}
test -L /sbin && test $(readlink -f /sbin) = '/usr/sbin' && echo 'MERGED:/sbin' >> ${var_logfile} || echo 'UNMERGED:/sbin' >> ${var_logfile}
test -L /lib && test $(readlink -f /lib) = '/usr/lib' && echo 'MERGED:/lib' >> ${var_logfile} || echo 'UNMERGED:/lib' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ "${architecture}" == "amd64" ]]; then
# shellcheck disable=SC2312
chroot_script "${RECOVERY}" "
test -L /lib64 && test $(readlink -f /lib64) = '/usr/lib64' && echo 'MERGED:/lib64' >> ${var_logfile} || echo 'UNMERGED:/lib64' >> ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
func/cdi_5000_recovery/5020_remove_x509.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Chroot hook for deleting all expired X.509 certificates in the recovery system.
# Globals:
# RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
remove_x509_reco() {
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4020_remove_x509.hooks.sh" \
"${RECOVERY}/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh"
if ! chroot_script "${RECOVERY}" "/root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "5020() Command: [chroot_script ${RECOVERY} /root/.ciss/cdi/hooks/5020_remove_x509.hooks.sh emergency] successful."
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

12
func/cdi_4200_boot/4215_check_crypttab.sh → func/cdi_5000_recovery/5030_setup_hostname.sh
View File

@@ -13,19 +13,19 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Basic '/etc/crypttab' checks inside chroot. # Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
# Globals: # Globals:
# RECOVERY
# TARGET # TARGET
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
check_crypttab() { setup_hostname_reco() {
### Declare Arrays, HashMaps, and Variables. cp -a "${TARGET}/etc/hosts" "${RECOVERY}/etc/hosts"
#declare -r var_logfile="/root/.ciss/cdi/log/4215_check_crypttab.log" cp -a "${TARGET}/etc/hostname" "${RECOVERY}/etc/hostname"
cp -a "${TARGET}/etc/mailname" "${RECOVERY}/etc/mailname"
#chroot_logger "${TARGET}${var_logfile}"
guard_dir && return 0 guard_dir && return 0
} }

13
func/cdi_4700_verification/4610_finalize_system.sh → func/cdi_5000_recovery/5035_setup_resolv.sh
View File

@@ -13,15 +13,24 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Finalize the system. # Configure the '/etc/resolv.conf' file.
# Globals: # Globals:
# RECOVERY
# TARGET # TARGET
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
finalize_system() { setup_resolv_reco() {
if [[ -f "${RECOVERY}/etc/resolv.conf" ]]; then
mkdir -p "${RECOVERY}/root/.ciss/cdi/backup/etc"
mv "${RECOVERY}/etc/resolv.conf" "${RECOVERY}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
do_log "info" "file_only" "5035() Existing '${RECOVERY}/etc/resolv.conf' moved."
fi
cp -a "${TARGET}/etc/resolv.conf" "${RECOVERY}/etc/resolv.conf"
guard_dir && return 0 guard_dir && return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

27
func/system/4145_setup_machineid.sh → func/cdi_5000_recovery/5040_setup_timezone.sh
View File

@@ -13,28 +13,27 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Updating 'machine-id' to 'whonix id'. # Configure the '/etc/timezone' | '/etc/localtime' files.
# Globals: # Globals:
# TARGET # RECOVERY
# VAR_SETUP_PATH # ntp_timezone
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
setup_machineid() { setup_timezone_reco() {
if [[ -f "${TARGET}/var/lib/dbus/machine-id" ]]; then ### Create '${RECOVERY}/etc/timezone' file.
rm -f "${TARGET}/var/lib/dbus/machine-id" cat << EOF >| "${RECOVERY}/etc/timezone"
fi ${ntp_timezone:-UTC}
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/machine-id" "${TARGET}/var/lib/dbus/machine-id" EOF
chmod 0644 "${RECOVERY}/etc/timezone"
do_log "info" "file_only" "5040() File generated: '${RECOVERY}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
if [[ -f "${TARGET}/etc/machine-id" ]]; then chroot_exec "${RECOVERY}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
rm -f "${TARGET}/etc/machine-id"
fi
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/machine-id" "${TARGET}/etc/machine-id"
do_log "info" "file_only" "Machine ID updated: 'machine-id' to 'whonix id'." chroot_exec "${RECOVERY}" dpkg-reconfigure -f noninteractive tzdata
return 0 guard_dir && return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

48
func/cdi_5000_recovery/5999_exiting_chroot_recovery.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Exiting chroot of the target system.
# Globals:
# RECOVERY
# VAR_NEED_RUN_IN_TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
exiting_chroot_recovery() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_umount=( "/sys/fs/cgroup" "/dev/hugepages" "/dev/mqueue" "/dev/shm" "/dev/pts" "/proc" "/sys" "/dev" )
declare var_path=""
for var_path in "${ary_umount[@]}"; do
umount -l "${RECOVERY}${var_path}" 2>/dev/null || true
do_log "info" "file_only" "5999() Command: [umount -l ${RECOVERY}${var_path} 2>/dev/null || true] issued."
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
umount -l "${RECOVERY}/run" 2>/dev/null || true
do_log "info" "file_only" "5999() Command: [umount -l ${RECOVERY}/run 2>/dev/null || true] issued."
fi
declare -gx VAR_CHROOT_ACTIVATED="false"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
func/system/4220_setup_sudo.sh
View File

@@ -1,23 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup sudo.
# Arguments:
# None
#######################################
setup_sudo() {
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
lib/cdi_0010_basic/0011_gen_dir_files.sh
View File

@@ -49,6 +49,7 @@ gen_dir_files() {
touch "${LOG_NIC}" && chmod 0600 "${LOG_NIC}" touch "${LOG_NIC}" && chmod 0600 "${LOG_NIC}"
touch "${LOG_UID}" && chmod 0600 "${LOG_UID}" touch "${LOG_UID}" && chmod 0600 "${LOG_UID}"
touch "${LOG_DBS}" && chmod 0600 "${LOG_DBS}" touch "${LOG_DBS}" && chmod 0600 "${LOG_DBS}"
touch "${LOG_REC}" && chmod 0600 "${LOG_REC}"
touch "${VAR_PRESEED}" && chmod 0600 "${VAR_PRESEED}" touch "${VAR_PRESEED}" && chmod 0600 "${VAR_PRESEED}"
return 0 return 0

1
lib/cdi_0060_traps/0090_clean_up.sh
View File

@@ -29,6 +29,7 @@ guard_sourcing
clean_up() { clean_up() {
declare var_clean_exit_code="$1" declare var_clean_exit_code="$1"
[[ "${VAR_RECOVERY}" == "false" ]] && rm -f -- "${LOG_REC}"
rm -f -- "${VAR_KERNEL_INF}" rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}" rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}" rm -f -- "${VAR_KERNEL_TMP}"

24
meta_loader_func.sh
View File

@@ -69,7 +69,6 @@ source_guard "./func/cdi_4100_base/4170_installation_lynis.sh"
source_guard "./func/cdi_4200_boot/4200_generate_fstab.sh" source_guard "./func/cdi_4200_boot/4200_generate_fstab.sh"
source_guard "./func/cdi_4200_boot/4205_check_fstab.sh" source_guard "./func/cdi_4200_boot/4205_check_fstab.sh"
source_guard "./func/cdi_4200_boot/4210_generate_crypttab.sh" source_guard "./func/cdi_4200_boot/4210_generate_crypttab.sh"
source_guard "./func/cdi_4200_boot/4215_check_crypttab.sh"
source_guard "./func/cdi_4200_boot/4220_installation_cryptsetup.sh" source_guard "./func/cdi_4200_boot/4220_installation_cryptsetup.sh"
source_guard "./func/cdi_4200_boot/4230_installation_grub.sh" source_guard "./func/cdi_4200_boot/4230_installation_grub.sh"
source_guard "./func/cdi_4200_boot/4240_update_grub_password.sh" source_guard "./func/cdi_4200_boot/4240_update_grub_password.sh"
@@ -106,18 +105,21 @@ source_guard "./func/cdi_4500_user/4520_accounts_setup.sh"
source_guard "./func/cdi_4600_packages/4600_installation_packages.sh" source_guard "./func/cdi_4600_packages/4600_installation_packages.sh"
source_guard "./func/cdi_4600_packages/4610_installation_security.sh" source_guard "./func/cdi_4600_packages/4610_installation_security.sh"
source_guard "./func/cdi_4600_packages/4620_installation_verification.sh" source_guard "./func/cdi_4600_packages/4620_installation_verification.sh"
source_guard "./func/cdi_4600_packages/4630_auditing_packages.sh"
#source_guard "./func/cdi_4600_verification/4610_finalize_system.sh" ### cdi_4900_xtended
#source_guard "./func/cdi_4600_verification/4670_verify_system.sh" source_guard "./func/cdi_4900_xtended/4999_exiting_chroot_system.sh"
#source_guard "./func/cdi_4600_verification/4680_check_sshd_config_integrity.sh"
#source_guard "./func/cdi_4600_verification/4690_check_grub_cmdline.sh"
### cdi_4700_xtended
source_guard "./func/cdi_4700_xtended/4799_exiting_chroot_system.sh"
### cdi_5000_recovery ### cdi_5000_recovery
#source_guard "./func/cdi_5000_recovery/3.8.9.functions_installation_wrapper_recovery.sh" source_guard "./func/cdi_5000_recovery/5000_debootstrap.sh"
#source_guard "./func/cdi_5000_recovery/3.9.0.functions_installation_setup_recovery.sh" source_guard "./func/cdi_5000_recovery/5005_debootstrap_checks.sh"
#source_guard "./func/cdi_5000_recovery/3.9.1.functions_installation_generate_files_recovery.sh" source_guard "./func/cdi_5000_recovery/5010_prepare_mounts.sh"
source_guard "./func/cdi_5000_recovery/5015_check_usr_merge.sh"
source_guard "./func/cdi_5000_recovery/5020_remove_x509.sh"
source_guard "./func/cdi_5000_recovery/5030_setup_hostname.sh"
source_guard "./func/cdi_5000_recovery/5035_setup_resolv.sh"
source_guard "./func/cdi_5000_recovery/5040_setup_timezone.sh"
source_guard "./func/cdi_5000_recovery/5999_exiting_chroot_recovery.sh"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
var/global.var.sh
View File

@@ -41,6 +41,7 @@ declare -grx LOG_INS="${DIR_LOG}/ciss_debian_installer_$$_install.log"
declare -grx LOG_NIC="${DIR_LOG}/ciss_debian_installer_$$_nic.log" declare -grx LOG_NIC="${DIR_LOG}/ciss_debian_installer_$$_nic.log"
declare -grx LOG_UID="${DIR_LOG}/ciss_debian_installer_$$_uuid.log" declare -grx LOG_UID="${DIR_LOG}/ciss_debian_installer_$$_uuid.log"
declare -grx LOG_DBS="${DIR_LOG}/ciss_debian_installer_$$_debootstrap.log" declare -grx LOG_DBS="${DIR_LOG}/ciss_debian_installer_$$_debootstrap.log"
declare -grx LOG_REC="${DIR_LOG}/ciss_debian_installer_$$_recovery.log"
### Initialize the variable of imported and cleaned 'YAML' -> 'BASH-variable'-file. ### Initialize the variable of imported and cleaned 'YAML' -> 'BASH-variable'-file.
declare -grx VAR_PRESEED="${DIR_TMP}/combined.var" declare -grx VAR_PRESEED="${DIR_TMP}/combined.var"