V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

includes/target/root/.ciss/alias

@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### Alpha
-alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
-
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -115,7 +112,7 @@ genpasswd() {
         ;;
       '' | *[!0-9]*) ;;
       *)
-         length="$1"
+        length="$1"
         ;;
     esac
     shift
@@ -177,11 +174,11 @@ scurl() {
   declare url="$1"
   declare output_path="$2"
   if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
-            --doh-cert-status \
-            --tlsv1.3 \
-            -sSf \
-            -o "${output_path}" \
-            "${url}"
+    --doh-cert-status \
+    --tlsv1.3 \
+    -sSf \
+    -o "${output_path}" \
+    "${url}"
   then
     printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
@@ -212,11 +209,11 @@ swget() {
   declare output_path="$2"
   mkdir -p "$(dirname "${output_path}")"
   if ! wget --show-progress \
-            --no-clobber \
-            --https-only \
-            --secure-protocol=TLSv1_3 \
-            -qO "${output_path}" \
-            "${url}"
+    --no-clobber \
+    --https-only \
+    --secure-protocol=TLSv1_3 \
+    -qO "${output_path}" \
+    "${url}"
   then
     printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
@@ -225,12 +222,12 @@ swget() {
 }
 
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/9999_ciss_debian_installer.hardened
   # sleep 1
   # shellcheck disable=SC2312
   sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log

includes/target/root/.ciss/check_chrony.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -Ceuo pipefail
+
+#######################################
+# Minimal leap-second probe for Debian/chrony systems.
+# - Prints kernel leap flags & TAI offset (delta AT).
+# - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
+# - Shows chrony tracking summary (incl. leap status).
+# - Demonstrates 23:59:60 rendering via TZ=right/UTC.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  ### 1) System TZ and tzdata source.
+  printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
+
+  if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
+
+    declare tz_leap_line tz_tai tz_ntp ts_human
+
+    tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
+    tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
+    tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
+    ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
+
+    printf "tzdata delta AT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
+
+  else
+
+    printf "tzdata leap-seconds.list not found.\n"
+
+  fi
+
+  ### 2) Kernel view (requires adjtimex).
+  if command -v adjtimex >/dev/null 2>&1; then
+
+    printf "Kernel time status (adjtimex -p):\n"
+    adjtimex -p | sed 's/^/  /'
+    declare k_tai
+    k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
+
+    if [[ -n "${k_tai:-}" ]]; then
+
+      printf "Kernel-exported delta AT [tai]: %s s\n" "${k_tai}"
+
+    fi
+
+  else
+
+    printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
+
+  fi
+
+  ### 3) Chrony summary.
+  if command -v chronyc >/dev/null 2>&1; then
+
+    printf "\n"
+    printf "chronyc tracking:\n"
+    chronyc -n tracking | sed 's/^/  /'
+
+  else
+
+    printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
+
+  fi
+
+  ### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
+  if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
+
+    printf "\n"
+    printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
+    TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+  else
+
+    printf "\n"
+    printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
+
+  fi
+
+  printf "\n"
+  printf "Hint:\n"
+
+  printf "  - delta AT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
+  printf "  - For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
+
+  return 0
+}
+
+### Build right/UTC from tzdata leap table if missing.
+if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  install -d -m 0755 /usr/share/zoneinfo/right
+
+  ### Minimal zic source for a fixed UTC zone.
+  declare -r tmp_src="/tmp/UTC.src"
+  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
+
+  ### Prefer the zic-format leapseconds file.
+  declare leap_zic="/usr/share/zoneinfo/leapseconds"
+
+  if [[ -s "${leap_zic}" ]]; then
+
+    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
+
+  else
+
+    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
+    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
+
+  fi
+
+  rm -f "${tmp_src}"
+
+fi
+
+if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
+  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+fi
+
+main "$@"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss/theme_eza_ciss.yml

@@ -0,0 +1,125 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+%YAML 1.2
+---
+
+colourful: true
+
+filekinds:
+  normal: {foreground: Default}
+  directory: {foreground: Purple, is_bold: true}
+  symlink: {foreground: Cyan}
+  pipe: {foreground: Yellow}
+  block_device: {foreground: Yellow, is_bold: true}
+  char_device: {foreground: Yellow, is_bold: true}
+  socket: {foreground: Red, is_bold: true}
+  special: {foreground: Yellow}
+  executable: {foreground: Green, is_bold: true}
+  mount_point: {foreground: Purple, is_bold: true, is_underlined: true}
+
+perms:
+  user_read: {foreground: Yellow, is_bold: true}
+  user_write: {foreground: Red, is_bold: true}
+  user_execute_file: {foreground: Green, is_bold: true, is_underlined: true}
+  user_execute_other: {foreground: Green, is_bold: true}
+  group_read: {foreground: Yellow}
+  group_write: {foreground: Red}
+  group_execute: {foreground: Green}
+  other_read: {foreground: Yellow}
+  other_write: {foreground: Red}
+  other_execute: {foreground: Green}
+  special_user_file: {foreground: Purple}
+  special_other: {foreground: Purple}
+  attribute: {foreground: Default}
+
+size:
+  major: {foreground: Green, is_bold: true}
+  minor: {foreground: Green}
+  number_byte: {foreground: Green, is_bold: true}
+  number_kilo: {foreground: Green, is_bold: true}
+  number_mega: {foreground: Green, is_bold: true}
+  number_giga: {foreground: Green, is_bold: true}
+  number_huge: {foreground: Green, is_bold: true}
+  unit_byte: {foreground: Green}
+  unit_kilo: {foreground: Green}
+  unit_mega: {foreground: Green}
+  unit_giga: {foreground: Green}
+  unit_huge: {foreground: Green}
+
+users:
+  user_you: {foreground: Yellow, is_bold: true}
+  user_root: {foreground: Default}
+  user_other: {foreground: Default}
+  group_yours: {foreground: Yellow, is_bold: true}
+  group_other: {foreground: Default}
+  group_root: {foreground: Default}
+
+links:
+  normal: {foreground: Red, is_bold: true}
+  multi_link_file: {foreground: Red, background: Yellow}
+
+git:
+  new: {foreground: Green}
+  modified: {foreground: Blue}
+  deleted: {foreground: Red}
+  renamed: {foreground: Yellow}
+  typechange: {foreground: Purple}
+  ignored: {foreground: Default, is_dimmed: true}
+  conflicted: {foreground: Red}
+
+git_repo:
+  branch_main: {foreground: Green}
+  branch_other: {foreground: Yellow}
+  git_clean: {foreground: Green}
+  git_dirty: {foreground: Yellow}
+
+security_context:
+  colon: {foreground: Default, is_dimmed: true}
+  user: {foreground: Blue}
+  role: {foreground: Green}
+  typ: {foreground: Yellow}
+  range: {foreground: Cyan}
+
+file_type:
+  image: {foreground: Purple}
+  video: {foreground: Purple, is_bold: true}
+  music: {foreground: Cyan}
+  lossless: {foreground: Cyan, is_bold: true}
+  crypto: {foreground: Green, is_bold: true}
+  document: {foreground: Green}
+  compressed: {foreground: Red}
+  temp: {foreground: White}
+  compiled: {foreground: Yellow}
+  build: {foreground: Yellow, is_bold: true, is_underlined: true}
+  source: {foreground: Yellow, is_bold: true}
+
+punctuation: {foreground: DarkGray, is_bold: true}
+date: {foreground: Cyan}
+inode: {foreground: Purple}
+blocks: {foreground: Cyan}
+header: {foreground: White, is_bold: true, is_underlined: true}
+octal: {foreground: Purple}
+flags: {foreground: Default}
+
+symlink_path: {foreground: Cyan}
+control_char: {foreground: Red}
+broken_symlink: {foreground: Red}
+broken_path_overlay: {foreground: Default, is_underlined: true}
+
+filenames:
+# Custom filename-based overrides
+# Cargo.toml: {icon: {glyph: 🦀}}
+
+extensions:
+# Custom extension-based overrides
+# rs: {filename: {foreground: Red}, icon: {glyph: 🦀}}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml