V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m42s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m42s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -45,7 +45,7 @@ minimal_toolset() {
|
||||
for var_bin in "${!hmp_tool_pkg[@]}"; do
|
||||
if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null"; then
|
||||
do_in_target "${TARGET}" apt-get install -y "${hmp_tool_pkg[${var_bin}]}"
|
||||
do_log "debug" "true" "Tool '${var_bin}' missing – installing '${hmp_tool_pkg[${var_bin}]}'."
|
||||
do_log "debug" "true" "Tool '${var_bin}' missing, installing '${hmp_tool_pkg[${var_bin}]}'."
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
@@ -22,7 +22,7 @@ guard_sourcing
|
||||
# TARGET
|
||||
# VAR_GRUB_CMDLINE_LINUX_DEFAULT
|
||||
# Arguments:
|
||||
# None
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
|
||||
@@ -28,7 +28,7 @@ setup_kernel_modules() {
|
||||
## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
|
||||
## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
|
||||
## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
|
||||
## features like TPMs or Intel's RDRAND—which may not be available or trusted—jitterentropy_rng works across all platforms,
|
||||
## features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
|
||||
## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
|
||||
## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
|
||||
## standards-compliant, and universally applicable entropy source for hardened Linux environments.
|
||||
|
||||
@@ -32,7 +32,7 @@ installation_microcode() {
|
||||
case "${var_cpu_vendor}" in
|
||||
*AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;;
|
||||
*GenuineIntel*) var_microcode_pkgs="intel-microcode" ;;
|
||||
""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "true" "ARM or unknown CPU detected – skipping microcode install" ;;
|
||||
""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "true" "ARM or unknown CPU detected, skipping microcode installation." ;;
|
||||
esac
|
||||
|
||||
###########################################################################################
|
||||
|
||||
@@ -1,82 +0,0 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: GRUB Kernel Parameter Linter
|
||||
|
||||
set -Ceuo pipefail
|
||||
|
||||
GRUB_FILE="${1:-/etc/default/grub}"
|
||||
|
||||
# Parse GRUB_CMDLINE string into array of unique options
|
||||
parse_cmdline() {
|
||||
local input="${1}"
|
||||
# Remove outer quotes if present
|
||||
input="${input%\"}"
|
||||
input="${input#\"}"
|
||||
# Split into array
|
||||
read -r -a ary <<< "${input}"
|
||||
printf "%s\n" "${ary[@]}"
|
||||
}
|
||||
|
||||
# Key extractor: for console=tty0 → console
|
||||
extract_key() {
|
||||
local param="${1}"
|
||||
if [[ "${param}" == *=* ]]; then
|
||||
echo "${param%%=*}"
|
||||
else
|
||||
echo "${param}"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
# Extract lines
|
||||
GRUB_LINUX_LINE=$(grep -E '^GRUB_CMDLINE_LINUX=' "${GRUB_FILE}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
|
||||
GRUB_DEFAULT_LINE=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${GRUB_FILE}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
|
||||
|
||||
# Parse both lines
|
||||
mapfile -t linux_params < <(parse_cmdline "${GRUB_LINUX_LINE}")
|
||||
mapfile -t default_params < <(parse_cmdline "${GRUB_DEFAULT_LINE}")
|
||||
|
||||
# Combine for conflict analysis
|
||||
declare -A param_values=()
|
||||
declare -A param_sources=()
|
||||
declare -A duplicate_params=()
|
||||
|
||||
# Loop over all parameter
|
||||
for source in "linux" "default"; do
|
||||
declare -n params="${source}_params"
|
||||
for p in "${params[@]}"; do
|
||||
key=$(extract_key "${p}")
|
||||
if [[ -v param_values["${key}"] ]]; then
|
||||
if [[ "${param_values[${key}]}" != "${p}" ]]; then
|
||||
echo "⚠️ Conflict: Parameter '${key}' has multiple values:"
|
||||
echo " - ${param_values[${key}]} (from ${param_sources[${key}]})"
|
||||
echo " - ${p} (from ${source})"
|
||||
else
|
||||
duplicate_params["${p}"]=1
|
||||
fi
|
||||
else
|
||||
param_values["${key}"]="${p}"
|
||||
param_sources["${key}"]="${source}"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Report duplicates
|
||||
if (( ${#duplicate_params[@]} > 0 )); then
|
||||
echo "ℹ️ Duplicate parameters found:"
|
||||
for dup in "${!duplicate_params[@]}"; do
|
||||
echo " - ${dup}"
|
||||
done
|
||||
fi
|
||||
|
||||
echo "✅ GRUB_CMDLINE check complete."
|
||||
eit 0
|
||||
@@ -27,7 +27,7 @@ red() { tput setaf 1; echo "$1"; tput sgr0; }
|
||||
green() { tput setaf 2; echo "$1"; tput sgr0; }
|
||||
|
||||
echo
|
||||
bold "🛡️ Checking SSH Configuration Integrity..."
|
||||
bold "Checking SSH Configuration Integrity..."
|
||||
|
||||
if [[ ! -f "${REF_CONFIG}" ]]; then
|
||||
red "ERROR: Reference config '${REF_CONFIG}' not found."
|
||||
|
||||
104
func/9999_check_grub_cmdline.sh
Normal file
104
func/9999_check_grub_cmdline.sh
Normal file
@@ -0,0 +1,104 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: GRUB Kernel Parameter Linter
|
||||
|
||||
set -Ceuo pipefail
|
||||
|
||||
#######################################
|
||||
# Parse GRUB_CMDLINE string into array of unique options
|
||||
# Arguments:
|
||||
# 1: Grub file to parse
|
||||
#######################################
|
||||
parse_cmdline() {
|
||||
declare var_input="${1}"
|
||||
declare -a ary_input
|
||||
### Remove outer quotes if present.
|
||||
var_input="${var_input%\"}"
|
||||
var_input="${var_input#\"}"
|
||||
### Split into an array.
|
||||
read -r -a ary_input <<< "${var_input}"
|
||||
printf "%s\n" "${ary_input[@]}"
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Key extractor: for 'console=tty0' -> 'console'
|
||||
# Arguments:
|
||||
# 1:
|
||||
#######################################
|
||||
extract_key() {
|
||||
declare var_param="${1}"
|
||||
if [[ "${var_param}" == *=* ]]; then
|
||||
echo "${var_param%%=*}"
|
||||
else
|
||||
echo "${var_param}"
|
||||
fi
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Check Grub Command Lines for duplicate entries.
|
||||
# Globals:
|
||||
# TARGET
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
check_grub_cmdline() {
|
||||
### Variable and Array declaration.
|
||||
declare var_grub_file="${TARGET}/etc/default/grub"
|
||||
declare var_grub_linux_line="" var_grub_default_line="" dup="" key="" p="" source=""
|
||||
declare -a ary_default_params=() ary_linux_params=()
|
||||
### Combine for conflict analysis.
|
||||
declare -A hmp_param_values=()
|
||||
declare -A hmp_param_sources=()
|
||||
declare -A hmp_duplicate_params=()
|
||||
|
||||
### Extract lines.
|
||||
var_grub_linux_line=$(grep -E '^GRUB_CMDLINE_LINUX=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
|
||||
var_grub_default_line=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
|
||||
|
||||
### Parse both lines.
|
||||
mapfile -t ary_linux_params < <(parse_cmdline "${var_grub_linux_line}")
|
||||
mapfile -t ary_default_params < <(parse_cmdline "${var_grub_default_line}")
|
||||
|
||||
### Loop over all parameters.
|
||||
for source in "linux" "default"; do
|
||||
declare -n params="ary_${source}_params"
|
||||
for p in "${params[@]}"; do
|
||||
key=$(extract_key "${p}")
|
||||
if [[ -v hmp_param_values["${key}"] ]]; then
|
||||
if [[ "${hmp_param_values[${key}]}" != "${p}" ]]; then
|
||||
echo "Conflict: Parameter '${key}' has multiple values:"
|
||||
echo "- ${hmp_param_values[${key}]} (from ${hmp_param_sources[${key}]})"
|
||||
echo "- ${p} (from ${source})"
|
||||
else
|
||||
hmp_duplicate_params["${p}"]=1
|
||||
fi
|
||||
else
|
||||
hmp_param_values["${key}"]="${p}"
|
||||
hmp_param_sources["${key}"]="${source}"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
### Report duplicates.
|
||||
if (( ${#hmp_duplicate_params[@]} > 0 )); then
|
||||
echo "Duplicate parameters found:"
|
||||
for dup in "${!hmp_duplicate_params[@]}"; do
|
||||
echo "- ${dup}"
|
||||
done
|
||||
fi
|
||||
|
||||
echo "GRUB_CMDLINE check complete."
|
||||
return 0
|
||||
}
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
Reference in New Issue
Block a user