V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-16 23:25:32 +02:00
parent fe62d8cd0f
commit 81bcb407fd
31 changed files with 249 additions and 39 deletions
--- a/func/1030_check_nic.sh
+++ b/func/1030_check_nic.sh
@@ -19,7 +19,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 check_nic() {
  ip -o link show | awk -F': ' '{print $2}' | sed 's!lo!!' | sed '/^$/d' | awk '{$1=$1};1' >| "${DIR_TMP}nic.tmp"
--- a/func/1080_helper_chroot.sh
+++ b/func/1080_helper_chroot.sh
@@ -12,6 +12,13 @@

 guard_sourcing

+#######################################
+# Use do_in_target() for:
+#   simple commands (e.g., dpkg, ln, mkdir, apt, etc.)
+# Use do_in_target_script() for:
+#   all shell scripts, redirects, pipes, conditions, loops, or subshells
+#######################################
+
 #######################################
 # Wrapper for executing commands in the desired chroot environment.
 # Globals:
@@ -21,24 +28,84 @@ guard_sourcing
 #   1: Target of the chroot environment.
 #   2: Commands and options and parameters to be executed in chroot.
 # Returns:
-#   ERR_CHRT_COMMAND: Unsuccessfully executed commands.
-#   0: Successfully executed commands.
+#   0: on success
+#   ERR_CHRT_COMMAND: on failure
 #######################################
 do_in_target() {
  declare var_chroot_target="$1"
  shift
  declare -a ary_chroot_command=("$@")
+
+  if (( ${#ary_chroot_command[@]} == 0 )); then
+    do_log "emergency" "true" "Empty command passed to 'do_in_target()'."
+    return "${ERR_CHRT_COMMAND}"
+  fi
+
  if chroot "${var_chroot_target}" /usr/bin/env -i \
    HOME=/root \
    PATH=/usr/sbin:/usr/bin:/sbin:/bin \
    TERM="${TERM}" \
    "${ary_chroot_command[@]}"
  then
-    do_log "info" "true" "Success: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
+    do_log "info" "true" "Success: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
    return 0
  else
-    do_log "emergency" "true" "Failed: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
+    do_log "emergency" "true" "Failed: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
    return "${ERR_CHRT_COMMAND}"
  fi
 }
+
+#######################################
+# Execute a full shell script line inside the chroot via bash -c.
+# Supports interactive debug shell on error.
+# Globals:
+#   ERR_CHRT_COMMAND
+#   TERM
+#   DEBUG_INTERACTIVE (optional boolean)
+# Arguments:
+#   1: Target of the chroot environment
+#   2: Command string to execute inside a shell (quoted)
+# Returns:
+#   0: on success
+#   ERR_CHRT_COMMAND: on failure
+#######################################
+do_in_target_script() {
+  declare var_chroot_target="$1"
+  shift
+  declare var_chroot_script="$1"
+
+  if [[ -z "${var_chroot_script}" ]]; then
+    do_log "emergency" "true" "Empty command passed to 'do_in_target_script()'."
+    return "${ERR_CHRT_COMMAND}"
+  fi
+
+  do_log "debug" "true" "Evaluating chroot script in '${var_chroot_target}': '${var_chroot_script}'."
+
+  if chroot "${var_chroot_target}" /usr/bin/env -i \
+    HOME=/root \
+    PATH=/usr/sbin:/usr/bin:/sbin:/bin \
+    TERM="${TERM}" \
+    /bin/bash -c "${var_chroot_script}"
+
+  then
+
+    do_log "info" "true" "Success: chroot '${var_chroot_target}': '${var_chroot_script}'."
+    return 0
+
+  else
+
+    declare -i var_chroot_rc="${?}"
+    do_log "emergency" "true" "Failure: chroot '${var_chroot_target}': '${var_chroot_script}'."
+    do_log "debug" "true" "Return code: '${var_chroot_rc}'."
+
+    # TODO: Tests with Dialog Wrapper in interactive mode.
+    #if [[ "${DEBUG_INTERACTIVE}" == "true" ]]; then
+    #  do_log "warning" "true" "Launching interactive debug shell in chroot: '${var_chroot_target}'."
+    #  chroot "${var_chroot_target}" /bin/bash -l
+    #fi
+
+    return "${ERR_CHRT_COMMAND}"
+
+  fi
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/1082_helper_modules.sh
+++ b/func/1082_helper_modules.sh
@@ -17,7 +17,7 @@ guard_sourcing
 # Arguments:
 #   1: IPv4 in CCDIR Notation, e.g.,: 192.168.128.128/24
 # Returns:
-#   0: In every case a zero return value is delivered.
+#   0: on success
 #######################################
 generate_subnetmask() {
  declare var_arg="$1"
@@ -35,13 +35,13 @@ generate_subnetmask() {
 }

 #######################################
-# Helper module for full upgrade, autoremove and autoclean.
+# Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
 # Arguments:
 #   None
 #######################################
 update_upgrade() {
  apt-get update -y
-  apt-get upgrade -y
+  apt-get dist-upgrade -y
  apt-get autoclean -y
  apt-get autopurge -y
  apt-get autoremove -y
--- a/func/3200_partitioning.sh
+++ b/func/3200_partitioning.sh
@@ -27,7 +27,7 @@ guard_sourcing
 #   ERR_PART_READ
 #   ERR_TABLE_CREATE
 #   ERR_TABLE_DELETE
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 partitioning() {
  ### Declare Arrays and Variables.
--- a/func/3220_partition_encryption.sh
+++ b/func/3220_partition_encryption.sh
@@ -28,7 +28,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 partition_encryption() {
  ### Declare Arrays and Variables.
--- a/func/3240_partition_formatting.sh
+++ b/func/3240_partition_formatting.sh
@@ -22,7 +22,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 partition_formatting() {
  ### Declare Arrays and Variables.
--- a/func/3260_setup_filesystem.sh
+++ b/func/3260_setup_filesystem.sh
@@ -21,7 +21,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_filesystem() {
  ### Declare Arrays and Variables.
--- a/func/3280_mount_partition.sh
+++ b/func/3280_mount_partition.sh
@@ -101,7 +101,7 @@ validate_btrfs_compression() {
 #   ERR_BTRFS_SUBVOL
 #   ERR_MOUNTING_DEV
 #   ERR_MOUNTING_ROOT
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 mount_partition() {
  ### Mount "/"-filesystem
--- a/func/3290_uuid_logger.sh
+++ b/func/3290_uuid_logger.sh
@@ -22,7 +22,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 uuid_logger() {
  declare var_key var_mountpoint var_uuid
--- a/func/4000_debootstrap.sh
+++ b/func/4000_debootstrap.sh
@@ -22,7 +22,7 @@ guard_sourcing
 #   None
 # Returns:
 #   ERR_DEBOOTSTRAP
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 func_debootstrap() {
  # shellcheck disable=SC2154 # "${architecture}" "${distribution}"
--- a/func/4020_configure_system.sh
+++ b/func/4020_configure_system.sh
@@ -21,7 +21,7 @@ guard_sourcing
 #   None
 # Returns:
 #   ERR_CHRT_MOUNTS
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 configure_system() {

--- a/func/4040_generate_fstab.sh
+++ b/func/4040_generate_fstab.sh
@@ -23,7 +23,7 @@ guard_sourcing
 #   4: Mount Options
 #   5: Pass value, while Dump value is hardcoded always "0", e.g., "1"
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 write_fstab() {
  declare _uuid="$1" _path="$2" _fs="$3" _opts="$4" _pass="$5"
@@ -44,12 +44,12 @@ write_fstab() {
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 generate_fstab() {
  ### Generate '${TARGET}/etc/fstab' header.
  : >| "${TARGET}/etc/fstab"
-  chmod 0644 "${TARGET}/etc/fstab"
+  chmod 0600 "${TARGET}/etc/fstab"

  cat << 'EOF' >> "${TARGET}/etc/fstab"
 # /etc/fstab: static file system information.
--- a/func/4060_generate_crypttab.sh
+++ b/func/4060_generate_crypttab.sh
@@ -22,7 +22,7 @@ guard_sourcing
 #   3: Keyfile or none
 #   4: LUKS Options
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 write_crypttab() {
  declare _label="$1" _device="$2" _key_file="$3" _opts="$4"
@@ -43,14 +43,14 @@ write_crypttab() {
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 generate_crypttab() {
  declare var_key var_encryption_label var_luks_uuid

  ### Generate '${TARGET}/etc/crypttab' header.
  : >| "${TARGET}/etc/crypttab"
-  chmod 0644 "${TARGET}/etc/crypttab"
+  chmod 0600 "${TARGET}/etc/crypttab"

  cat << 'EOF' >> "${TARGET}/etc/crypttab"
 # /etc/crypttab: static file system information.
--- a/func/4080_generate_sources.sh
+++ b/func/4080_generate_sources.sh
@@ -33,7 +33,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 generate_sources() {
  declare -a ary_components
--- a/func/4090_minimal_toolset.sh
+++ b/func/4090_minimal_toolset.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Check and set up the minimum required tools for the next installation steps.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+minimal_toolset() {
+  declare var_bin
+
+  declare -A hmp_tool_pkg=(
+    ["awk"]="gawk"
+    ["busybox"]="busybox"
+    ["cat"]="coreutils"
+    ["chmod"]="coreutils"
+    ["chown"]="coreutils"
+    ["cp"]="coreutils"
+    ["cryptsetup"]="cryptsetup-initramfs"
+    ["echo"]="coreutils"
+    ["grep"]="grep"
+    ["ip"]="iproute2"
+    ["ln"]="coreutils"
+    ["mkdir"]="coreutils"
+    ["ping"]="iputils-ping"
+    ["sed"]="sed"
+    ["update-initramfs"]="initramfs-tools"
+  )
+
+  for var_bin in "${!hmp_tool_pkg[@]}"; do
+    if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null"; then
+      do_in_target "${TARGET}" apt-get install -y "${hmp_tool_pkg[${var_bin}]}"
+      do_log "debug" "true" "Tool '${var_bin}' missing – installing '${hmp_tool_pkg[${var_bin}]}'."
+    fi
+  done
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4100_setup_timezone.sh
+++ b/func/4100_setup_timezone.sh
@@ -20,12 +20,11 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_timezone() {
-  # shellcheck disable=SC2154 # "${ntp_timezone}"
  do_in_target "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
-  do_in_target "${TARGET}" /bin/bash -c "echo ${ntp_timezone} | tee /etc/timezone"
+  do_in_target_script "${TARGET}" "echo ${ntp_timezone} | tee /etc/timezone"
  do_in_target "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
  return 0
 }
--- a/func/4110_setup_locales.sh
+++ b/func/4110_setup_locales.sh
@@ -24,7 +24,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_locales() {
  do_in_target "${TARGET}" apt-get install -y locales
--- a/func/4120_installation_kernel.sh
+++ b/func/4120_installation_kernel.sh
@@ -20,7 +20,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 installation_kernel() {
  # Installing the chosen Kernel Image according to preseed.yaml
--- a/func/4130_setup_network.sh
+++ b/func/4130_setup_network.sh
@@ -44,7 +44,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_network() {
  do_in_target "${TARGET}" apt-get install -y isc-dhcp-client ifupdown
--- a/func/4140_setup_hostname.sh
+++ b/func/4140_setup_hostname.sh
@@ -24,7 +24,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_hostname() {
  ### Create '${TARGET}/etc/hostname' file.
--- a/func/4150_setup_grub.sh
+++ b/func/4150_setup_grub.sh
@@ -33,7 +33,7 @@ guard_sourcing
 # Returns:
 #   ERR_GRUB_BACKGROUND
 #   ERR_GRUB_EFI_FORCE
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_grub() {
  declare var_update_grub_required="false"
--- a/func/4160_grub_bootparameter.sh
+++ b/func/4160_grub_bootparameter.sh
@@ -21,7 +21,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_grub_bootparameter() {
  ### Install Kernel Hardening-Presets
--- a/func/4170_installation_microcode.sh
+++ b/func/4170_installation_microcode.sh
@@ -19,7 +19,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 installation_microcode() {
  declare var_microcode_pkgs=""
--- a/func/4180_setup_ssh.sh
+++ b/func/4180_setup_ssh.sh
@@ -27,7 +27,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_ssh() {
  do_in_target "${TARGET}" apt-get install -y ssh
--- a/func/4190_build_dropbear.sh
+++ b/func/4190_build_dropbear.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Build Ultra Hardened dropbear-2025.88 from sources.
+# Globals:
+#   DIR_TMP
+#   ERR_PATH_NOT_VALID
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   ERR_PATH_NOT_VALID
+#   0: on success
+#######################################
+build_dropbear() {
+  declare file
+  mkdir -p "${DIR_TMP}/build"
+
+  cp "${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-2025.88.tar.bz2" "${DIR_TMP}/build"
+  tar xjf "${DIR_TMP}/build/dropbear-2025.88.tar.bz2"
+  cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${DIR_TMP}/build/dropbear-2025.88"
+  cd "${DIR_TMP}/build/dropbear-2025.88" || return "${ERR_PATH_NOT_VALID}"
+
+  CC=musl-gcc \
+    CFLAGS="-Os -Wno-undef" \
+    LDFLAGS="-static -s -L/usr/local/lib" \
+    ./configure \
+      --enable-static \
+      --enable-openpty \
+      --disable-pam \
+      --disable-zlib
+
+  make -j"$(nproc)"
+
+  do_log "info" "true" "Ultra Hardened dropbear-2025.88 build successfully from sources."
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4191_install_dropbear_initramfs.sh
+++ b/func/4191_install_dropbear_initramfs.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+
+#   0: on success
+#######################################
+install_dropbear_initramfs() {
+  declare var_file
+  do_in_target "${TARGET}" apt-get install -y dropbear-initramfs
+
+  for var_file in dbclient dropbear dropbearconvert dropbearkey; do
+    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/sbin/"
+  done
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4195_installation_dropbear.sh
+++ b/func/4195_installation_dropbear.sh
@@ -14,10 +14,7 @@ guard_sourcing

 # TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
 # TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
-###########################################################################################
-# 3.7.7. Functions - installation - kernel                                                #
-###########################################################################################
-lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'bin/(reboot|sync|sleep|sh)'
+

 command="/usr/local/bin/coresecret.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp+6S+qM87lLWUtvTGBV/GFNvYyvZ992X4/AcuraKwm 2025_run.coresecret.dev_root