V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4400_kernel_modules.sh

@@ -49,6 +49,9 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_modules
 
 #######################################
 # Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
@@ -70,4 +73,7 @@ kernel_modprobe() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_modprobe
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4410_kernel_sysctl.sh

@@ -13,7 +13,7 @@
 guard_sourcing
 
 #######################################
-# Install Kernel Hardening-Presets '/etc/sysctl.d/99_local.hardened'.
+# Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
 # Globals:
 #   TARGET
 #   VAR_SETUP_PATH
@@ -23,13 +23,16 @@ guard_sourcing
 #   0: on success
 #######################################
 kernel_sysctl() {
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
-    "${TARGET}/etc/sysctl.d/99_local.hardened"
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened" \
+    "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
 
-  insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
+  insert_comments "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
 
-  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
+  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/9999_ciss_debian_installer.hardened'."
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_sysctl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4440_hardening_haveged.sh

@@ -38,4 +38,7 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_haveged
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4442_hardening_jitterentropy.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Hardening hardening_jitterentropy.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_jitterentropy() {
+  declare    var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  mkdir -p "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d"
+
+  cat << EOF >> "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/jitterentropy-rngd --sp800-90b --osr=7
+EOF
+
+  guard_dir && return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_jitterentropy
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4445_hardening_logrotate.sh

@@ -73,4 +73,7 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_logrotate
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4450_hardening_memory.sh

@@ -102,6 +102,9 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_memory
 
 #######################################
 # Ensure 'pam_limits.so' is activated in:
@@ -158,4 +161,7 @@ guard_pam_limits() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f guard_pam_limits
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4460_hardening_openssl.sh

@@ -32,4 +32,7 @@ hardening_openssl() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_openssl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4470_hardening_ufw.sh

@@ -97,4 +97,7 @@ hardening_ufw() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_ufw
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4480_hardening_usb.sh

@@ -30,6 +30,7 @@ hardening_usb() {
   ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests usbguard 2>&1 | tee -a ${var_logfile}
 
     touch /tmp/rules.conf

func/cdi_4400_hardening/4490_hardening_virus.sh

@@ -29,6 +29,7 @@ hardening_virus() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
   "