msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m42s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-20 21:51:17 +02:00
parent 0d942298ee
commit 7f474e5fa9
13 changed files with 658 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
func/4090_minimal_toolset.sh
View File

@@ -45,7 +45,7 @@ minimal_toolset() {
for var_bin in "${!hmp_tool_pkg[@]}"; do for var_bin in "${!hmp_tool_pkg[@]}"; do
if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null"; then if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null"; then
do_in_target "${TARGET}" apt-get install -y "${hmp_tool_pkg[${var_bin}]}" do_in_target "${TARGET}" apt-get install -y "${hmp_tool_pkg[${var_bin}]}"
do_log "debug" "true" "Tool '${var_bin}' missing installing '${hmp_tool_pkg[${var_bin}]}'." do_log "debug" "true" "Tool '${var_bin}' missing, installing '${hmp_tool_pkg[${var_bin}]}'."
fi fi
done done

2
func/4160_grub_bootparameter.sh
View File

@@ -22,7 +22,7 @@ guard_sourcing
# TARGET # TARGET
# VAR_GRUB_CMDLINE_LINUX_DEFAULT # VAR_GRUB_CMDLINE_LINUX_DEFAULT
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################

2
func/4165_kernel_modules.sh
View File

@@ -28,7 +28,7 @@ setup_kernel_modules() {
## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring ## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in ## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware ## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
## features like TPMs or Intel's RDRANDwhich may not be available or trustedjitterentropy_rng works across all platforms, ## features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure ## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure, ## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
## standards-compliant, and universally applicable entropy source for hardened Linux environments. ## standards-compliant, and universally applicable entropy source for hardened Linux environments.

2
func/4170_installation_microcode.sh
View File

@@ -32,7 +32,7 @@ installation_microcode() {
case "${var_cpu_vendor}" in case "${var_cpu_vendor}" in
*AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;; *AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;;
*GenuineIntel*) var_microcode_pkgs="intel-microcode" ;; *GenuineIntel*) var_microcode_pkgs="intel-microcode" ;;
""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "true" "ARM or unknown CPU detected skipping microcode install" ;; ""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "true" "ARM or unknown CPU detected, skipping microcode installation." ;;
esac esac
########################################################################################### ###########################################################################################

82
func/9997_check_grub_cmdline.sh
View File

@@ -1,82 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: GRUB Kernel Parameter Linter
set -Ceuo pipefail
GRUB_FILE="${1:-/etc/default/grub}"
# Parse GRUB_CMDLINE string into array of unique options
parse_cmdline() {
local input="${1}"
# Remove outer quotes if present
input="${input%\"}"
input="${input#\"}"
# Split into array
read -r -a ary <<< "${input}"
printf "%s\n" "${ary[@]}"
}
# Key extractor: for console=tty0 → console
extract_key() {
local param="${1}"
if [[ "${param}" == *=* ]]; then
echo "${param%%=*}"
else
echo "${param}"
fi
}
# Extract lines
GRUB_LINUX_LINE=$(grep -E '^GRUB_CMDLINE_LINUX=' "${GRUB_FILE}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
GRUB_DEFAULT_LINE=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${GRUB_FILE}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
# Parse both lines
mapfile -t linux_params < <(parse_cmdline "${GRUB_LINUX_LINE}")
mapfile -t default_params < <(parse_cmdline "${GRUB_DEFAULT_LINE}")
# Combine for conflict analysis
declare -A param_values=()
declare -A param_sources=()
declare -A duplicate_params=()
# Loop over all parameter
for source in "linux" "default"; do
declare -n params="${source}_params"
for p in "${params[@]}"; do
key=$(extract_key "${p}")
if [[ -v param_values["${key}"] ]]; then
if [[ "${param_values[${key}]}" != "${p}" ]]; then
echo "⚠️ Conflict: Parameter '${key}' has multiple values:"
echo " - ${param_values[${key}]} (from ${param_sources[${key}]})"
echo " - ${p} (from ${source})"
else
duplicate_params["${p}"]=1
fi
else
param_values["${key}"]="${p}"
param_sources["${key}"]="${source}"
fi
done
done
# Report duplicates
if (( ${#duplicate_params[@]} > 0 )); then
echo " Duplicate parameters found:"
for dup in "${!duplicate_params[@]}"; do
echo " - ${dup}"
done
fi
echo "✅ GRUB_CMDLINE check complete."
eit 0

2
func/9998_check_sshd_config_integrity.sh
View File

@@ -27,7 +27,7 @@ red() { tput setaf 1; echo "$1"; tput sgr0; }
green() { tput setaf 2; echo "$1"; tput sgr0; } green() { tput setaf 2; echo "$1"; tput sgr0; }
echo echo
bold "🛡️ Checking SSH Configuration Integrity..." bold "Checking SSH Configuration Integrity..."
if [[ ! -f "${REF_CONFIG}" ]]; then if [[ ! -f "${REF_CONFIG}" ]]; then
red "ERROR: Reference config '${REF_CONFIG}' not found." red "ERROR: Reference config '${REF_CONFIG}' not found."

104
func/9999_check_grub_cmdline.sh Normal file
View File

@@ -0,0 +1,104 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: GRUB Kernel Parameter Linter
set -Ceuo pipefail
#######################################
# Parse GRUB_CMDLINE string into array of unique options
# Arguments:
# 1: Grub file to parse
#######################################
parse_cmdline() {
declare var_input="${1}"
declare -a ary_input
### Remove outer quotes if present.
var_input="${var_input%\"}"
var_input="${var_input#\"}"
### Split into an array.
read -r -a ary_input <<< "${var_input}"
printf "%s\n" "${ary_input[@]}"
}
#######################################
# Key extractor: for 'console=tty0' -> 'console'
# Arguments:
# 1:
#######################################
extract_key() {
declare var_param="${1}"
if [[ "${var_param}" == *=* ]]; then
echo "${var_param%%=*}"
else
echo "${var_param}"
fi
}
#######################################
# Check Grub Command Lines for duplicate entries.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_grub_cmdline() {
### Variable and Array declaration.
declare var_grub_file="${TARGET}/etc/default/grub"
declare var_grub_linux_line="" var_grub_default_line="" dup="" key="" p="" source=""
declare -a ary_default_params=() ary_linux_params=()
### Combine for conflict analysis.
declare -A hmp_param_values=()
declare -A hmp_param_sources=()
declare -A hmp_duplicate_params=()
### Extract lines.
var_grub_linux_line=$(grep -E '^GRUB_CMDLINE_LINUX=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
var_grub_default_line=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
### Parse both lines.
mapfile -t ary_linux_params < <(parse_cmdline "${var_grub_linux_line}")
mapfile -t ary_default_params < <(parse_cmdline "${var_grub_default_line}")
### Loop over all parameters.
for source in "linux" "default"; do
declare -n params="ary_${source}_params"
for p in "${params[@]}"; do
key=$(extract_key "${p}")
if [[ -v hmp_param_values["${key}"] ]]; then
if [[ "${hmp_param_values[${key}]}" != "${p}" ]]; then
echo "Conflict: Parameter '${key}' has multiple values:"
echo "- ${hmp_param_values[${key}]} (from ${hmp_param_sources[${key}]})"
echo "- ${p} (from ${source})"
else
hmp_duplicate_params["${p}"]=1
fi
else
hmp_param_values["${key}"]="${p}"
hmp_param_sources["${key}"]="${source}"
fi
done
done
### Report duplicates.
if (( ${#hmp_duplicate_params[@]} > 0 )); then
echo "Duplicate parameters found:"
for dup in "${!hmp_duplicate_params[@]}"; do
echo "- ${dup}"
done
fi
echo "GRUB_CMDLINE check complete."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
includes/initramfs-tools/files/unlock_wrapper_signer.sh
View File

@@ -61,7 +61,7 @@ fi
printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n" printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
### Signing Hashes ### Signing Hashes
printf "\e[0;95m✍️ Signing hashes ... \e[0m\n" printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}" printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
@@ -71,7 +71,7 @@ if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}" printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
fi fi
printf "\e[0;92m✍️ Signing hashes done. \e[0m\n" printf "\e[0;92m🔑 Signing hashes done. \e[0m\n"
exit 0 exit 0

257
includes/root/.ciss/alias Normal file
View File

@@ -0,0 +1,257 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
########################################################################################### Alpha
alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
########################################################################################### Bash
alias clear="printf '\033c'"
alias c='clear'
alias q='exit'
########################################################################################### Chrony
alias cytr='echo "tracking -a -v" | chronyc'
alias cysd='echo "selectdata -a -v" | chronyc'
alias cyss='echo "sourcestats -a -v" | chronyc'
########################################################################################### fail2ban & ufw
alias f2ball='fail2ban-client status'
alias f2bubn='fail2ban-client unban --all'
alias f2bufw='fail2ban-client status ufw'
alias usn='ufw status numbered'
alias usv='ufw status verbose'
########################################################################################### ls
alias ls='eza --group-directories-first --icons=always --oneline --long --all --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
alias lsf='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
alias lss='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension --extended'
alias la='ls'
alias ll=ls
alias l=ls
########################################################################################### Package Management
alias aptac='apt autoclean'
alias aptap='apt autopurge'
alias aptar='apt autoremove'
alias aptcheck='apt-get check'
alias aptdep='apt-cache depends'
alias aptdl='apt-get install --download-only'
alias aptfug='apt full-upgrade'
alias aptupd='apt update'
alias aptupg='apt upgrade'
alias apti='apt install'
alias aptp='apt purge'
alias aptpp='dpkg --purge'
alias aptr='apt remove'
alias aptse='apt search'
alias aptsh='apt show'
alias aptimage='apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "dbg" | grep -v "meta-package" | grep -v "cloud" | grep -v "PREEMPT"'
########################################################################################### Readability
alias df='df -h'
alias free='free -m'
alias mkdir='mkdir -pv'
########################################################################################### Service restart
alias rsban='systemctl restart fail2ban'
alias rsweb='systemctl restart nginx php8.4-fpm redis'
########################################################################################### System maintaining
alias boot='reboot -h now'
alias cscan='clamscan -r --bell -i'
alias chkhvg='haveged -n 0 | dieharder -g 200 -a'
alias dev='lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH'
alias i='echo "$(whoami) @ $(uname -a)"'
alias ipunused='iptables -L -v -n'
alias jboot='journalctl --boot=0'
alias lsadt='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency'
alias lsadtdoc='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency > /root/lynis-$(date +%F_%H-%M-%S).txt 2>&1'
alias n='nano'
alias nstat='netstat -tlpnvWa'
alias s='sudo -i'
alias sas='systemd-analyze security'
alias shut='shutdown -h now'
alias ssa='systemctl status'
alias ssf='systemctl status --failed'
alias sysdr='systemctl daemon-reload'
alias syses='systemctl edit'
alias sysrl='systemctl reload'
alias sysrs='systemctl restart'
alias syssp='systemctl stop'
alias sysst='systemctl start'
alias v='nvim'
alias whatdelete='lsof | grep deleted'
alias whatimage='dpkg --list | grep linux-image'
alias whatpurge='dpkg --get-selections | grep deinstall'
########################################################################################### Functions
#######################################
# Generates Secure (/dev/random) Passwords
# Arguments:
# Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
#######################################
# shellcheck disable=SC2317
genpasswd() {
declare -i length=32
declare -i usebase64=0
while [[ $# -gt 0 ]]; do
case "$1" in
--base64)
usebase64=1
;;
'' | *[!0-9]*) ;;
*)
length="$1"
;;
esac
shift
done
declare passwd
passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
if [[ ${usebase64} -eq 1 ]]; then
echo -n "${passwd}" | base64
else
echo "${passwd}"
fi
}
#######################################
# Generates Secure (/dev/random) Passwords.
# Arguments:
# none
#######################################
# shellcheck disable=SC2317
genpasswdhash() {
declare salt
salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
}
#######################################
# Outputs a 16-character random printable string
# Arguments:
# None
#######################################
genstring() {
(haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
}
#######################################
# Wrapper for secure curl
# Arguments:
# 1: URL from which to download a specific file
# 2: /path/to/file to be saved to
# Returns:
# 0: Download successful
# 1: Usage error
# 2: Download failure
#######################################
scurl() {
if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
return 1
fi
declare url="$1"
declare output_path="$2"
if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
--doh-cert-status \
--tlsv1.3 \
-sSf \
-o "${output_path}" \
"${url}"
then
printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
return 2
fi
return 0
}
#######################################
# Wrapper for secure wget
# Arguments:
# 1: URL from which to download a specific file
# 2: /path/to/file to be saved to
# Returns:
# 0: Download successful
# 1: Usage error
# 2: Download failure
#######################################
swget() {
if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
return 1
fi
declare url="$1"
declare output_path="$2"
mkdir -p "$(dirname "${output_path}")"
if ! wget --show-progress \
--no-clobber \
--https-only \
--secure-protocol=TLSv1_3 \
-qO "${output_path}" \
"${url}"
then
printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
return 2
fi
return 0
}
#######################################
# Wrapper for loading CISS.2025 hardened Kernel Parameters
# Arguments:
# None
#######################################
sysp() {
sysctl -p /etc/sysctl.d/99_local.hardened
# sleep 1
sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
}
#######################################
# Wrapper for tree
# Arguments:
# 1: Depth of Directory Listing
#######################################
trel() {
declare depth=${1:-3}
tree -C -h --dirsfirst -L "${depth}"
}
#######################################
# Wrapper for package and path to bin.
# Arguments:
# 1: Program
#######################################
whichpackage() {
if ! command -v "$1" >/dev/null 2>&1; then
printf 'Error: Program '%s' not found.\n' "$1" >&2
exit 1
fi
dpkg -S "$(which "$1")"
}
#######################################
# Wrapper for Diskspace used in Path.
# Arguments:
# 1: Path (defaults /var)
# 2: Depth (defaults 1)
# 3: Number of Entries (defaults 16)
#######################################
whichused() {
du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
includes/root/.ciss/clean_logout.sh Normal file
View File

@@ -0,0 +1,39 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
clear
cat << 'EOF'
#######################################################################
# #
## ##
###### ######## ### ## ######## ### ## ####### ### ####### ### ##
### #### ## ### ### ## ## ### ## #### ##
### ####### ####### ### ### ## ###### ### ## ## #######
### ### ### ### ### ### ## ## ## ### ## ## ### ###
###### ####### ### ## ### ##### ## ## ### ##### ### ##
# #
#######################################################################
EOF
echo ""
echo -e "\e[97m (c) Marc S. Weidner, 2018 - 2025 \e[0m"
echo -e "\e[97m (p) Centurion Press, 2018 - 2025 \e[0m"
echo -e "\e[97m Centurion Intelligence Consulting Agency (tm) \e[0m"
echo -e "\e[97m https://coresecret.eu/ \e[0m"
echo -e "\e[95m Please consider making a donation: \e[0m"
echo -e "\e[95m https://coresecret.eu/spenden/ \e[0m"
echo ""
echo -e "\e[92m All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
echo -e "\e[92m Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
# shellcheck disable=SC2162
read
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

90
includes/root/.ciss/f2bchk.sh Normal file
View File

@@ -0,0 +1,90 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
#######################################
# Wrapper for fail2ban filter checks against logs.
# Usage: f2bchk --mode=ignored || --mode=matched || --mode=missed \
# --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
# --log=/var/log/ufw.log \
# --output=/tmp/f2bchk.log
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
# 1: In case of any errors
#######################################
f2bchk(){
# Declare default values (readonly)
declare -r DEFAULT_MODE="matched"
declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
declare -r DEFAULT_LOG="/var/log/ufw.log"
declare mode="${DEFAULT_MODE}"
declare filter="${DEFAULT_FILTER}"
declare log="${DEFAULT_LOG}"
declare output=""
declare arg=""
for arg in "$@"; do
case "${arg}" in
--mode=*) mode="${arg#--mode=}";;
--filter=*) filter="${arg#--filter=}";;
--log=*) log="${arg#--log=}";;
--output=*) output="${arg#--output=}";;
*)
printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
return 1
;;
esac
done
declare flag suffix
case "${mode}" in
ignored) flag="--print-all-ignored"; suffix="all.ignored";;
matched) flag="--print-all-matched"; suffix="all.matched";;
missed) flag="--print-all-missed"; suffix="all.missed";;
*)
printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
return 1
;;
esac
if [[ -z "${output}" ]]; then
declare filter_name="${filter##*/}"
filter_name="${filter_name%.conf}"
output="/tmp/${filter_name}.${suffix}.log"
fi
if [[ ! -r "${log}" ]]; then
printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
return 1
fi
if [[ ! -r "${filter}" ]]; then
printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
return 1
fi
printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
printf "You can view it with: cat %s\n" "$output"
else
printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
return 1
fi
exit 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
includes/root/.ciss/scan_libwrap Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Scanner for 'libwrap' usage.
# Arguments:
# None
#######################################
scanlw() {
printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
printf "\n"
# Collect binaries from all running PIDs
declare pid exe_path comm user
for pid in $(ps -e -o pid=); do
exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
# Skip if not a regular executable
[[ -x "${exe_path}" ]] || continue
# Check if the binary is linked with libwrap
if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
comm=$(ps -p "$pid" -o comm=)
user=$(ps -p "$pid" -o user=)
printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
fi
done
printf "\n"
printf "\e[92m✅ Scan complete. \e[0m\n"
exit 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

119
includes/root/.ciss/shortcuts Normal file
View File

@@ -0,0 +1,119 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
declare -ga shortcuts=(
"aptac: apt autoclean"
"aptap: apt autopurge"
"aptar: apt autoremove"
"aptcheck: apt-get check"
"aptdep: apt-cache depends"
"aptdl: apti --download-only"
"aptfug: apt full-upgrade"
"apti: apt install"
"aptimage: get Kernel Img"
"aptp: apt purge"
"aptpp: dpkg --purge"
"aptr: apt remove"
"aptse: apt search"
"aptsh: apt show"
"aptupd: apt update"
"aptupg: apt upgrade"
"boot: reboot -h now"
"c: clear"
"clear: printf \033c"
"cscan: clamscan -r --bell -i"
"chkhvg: hvg -n 0 | dieharder -g 200 -a"
"cysd: chrony selectdata"
"cyss: chrony sourcestats"
"cytr: chrony tracking"
"dev: lsblk -o ..."
"df: df -h"
"f2ball: f2b status all"
"f2bubn: f2b unban --all"
"f2bufw: f2b status ufw"
"free: free -m"
"genkeyfile: 1MiBi"
"genpasswd: PWD"
"genpasswdhash: PWD Hash"
"genstring: Random String"
"i: who you are"
"ipunused: iptables -L -v -n"
"jboot: journalctl --boot=0"
"l: ls"
"la: ls"
"ll: ls"
"ls: eza"
"lsadt: lynis audit system"
"lsadtdoc: lynis audit system"
"lsf: eza --absolute"
"lss: eza --extended"
"mkdir: mkdir -pv"
"n: nano"
"nstat: netstat -tlpnvWa"
"q: exit"
"rsban: restart fail2ban"
"rsweb: restart nginx php8.4-fpm redis"
"s: sudo -i"
"sas: systemd-analyze security"
"scanlw: scan libwrap"
"scurl: TLS1.3 curl"
"shut: shutdown -h now"
"ssa: systemctl status"
"ssf: systemctl status --failed"
"swget: TLS1.3 wget"
"sysdr: systemctl daemon-reload"
"syses: systemctl edit"
"sysp: load 99_local.hardened"
"sysrl: systemctl reload"
"sysrs: systemctl restart'"
"syssp: systemctl stop"
"sysst: systemctl start"
"trel: tree"
"usn: ufw status numbered"
"usv: ufw status verbose"
"v: nvim"
"whatdelete: lsof | grep deleted"
"whatimage: dpkg --list | grep linux"
"whatpurge: dpkg --get-selections"
"whichpackage <PROGRAM>"
"whichused <PATH> <DEPTH> <ENTRIES>"
)
#######################################
# Show available Aliases
# Globals:
# CMAG
# CRES
# shortcuts
# Arguments:
# None
#######################################
celp() {
declare arr=("${shortcuts[@]}")
declare cols=3
declare col_width=42
declare i=0
declare entry
for entry in "${arr[@]}"; do
# Print entry left-aligned in fixed width, colored
printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
((i++))
if ((i % cols == 0)); then
printf "\n"
fi
done
# If last line not full, add a newline
if ((i % cols != 0)); then
printf "\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh