V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-16 23:25:32 +02:00
parent fe62d8cd0f
commit 81bcb407fd
31 changed files with 249 additions and 39 deletions
--- a/.archive/func/4195_installation_dropbear.sh
+++ b/.archive/func/4195_installation_dropbear.sh
@@ -0,0 +1,13 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)'
--- a/func/1030_check_nic.sh
+++ b/func/1030_check_nic.sh
@@ -19,7 +19,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 check_nic() {
  ip -o link show | awk -F': ' '{print $2}' | sed 's!lo!!' | sed '/^$/d' | awk '{$1=$1};1' >| "${DIR_TMP}nic.tmp"
--- a/func/1080_helper_chroot.sh
+++ b/func/1080_helper_chroot.sh
@@ -12,6 +12,13 @@
 guard_sourcing
 #######################################
 # Use do_in_target() for:
 #   simple commands (e.g., dpkg, ln, mkdir, apt, etc.)
 # Use do_in_target_script() for:
 #   all shell scripts, redirects, pipes, conditions, loops, or subshells
 #######################################
 #######################################
 # Wrapper for executing commands in the desired chroot environment.
 # Globals:
@@ -21,24 +28,84 @@ guard_sourcing
 #   1: Target of the chroot environment.
 #   2: Commands and options and parameters to be executed in chroot.
 # Returns:
-#   ERR_CHRT_COMMAND: Unsuccessfully executed commands.
+#   0: on success
-#   0: Successfully executed commands.
+#   ERR_CHRT_COMMAND: on failure
 #######################################
 do_in_target() {
  declare var_chroot_target="$1"
  shift
  declare -a ary_chroot_command=("$@")
  if (( ${#ary_chroot_command[@]} == 0 )); then
    do_log "emergency" "true" "Empty command passed to 'do_in_target()'."
    return "${ERR_CHRT_COMMAND}"
  fi
  if chroot "${var_chroot_target}" /usr/bin/env -i \
    HOME=/root \
    PATH=/usr/sbin:/usr/bin:/sbin:/bin \
    TERM="${TERM}" \
    "${ary_chroot_command[@]}"
  then
-    do_log "info" "true" "Success: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
+    do_log "info" "true" "Success: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
    return 0
  else
-    do_log "emergency" "true" "Failed: chroot ${var_chroot_target}: ${ary_chroot_command[*]}"
+    do_log "emergency" "true" "Failed: chroot '${var_chroot_target}': '${ary_chroot_command[*]}'."
    return "${ERR_CHRT_COMMAND}"
  fi
 }
 #######################################
 # Execute a full shell script line inside the chroot via bash -c.
 # Supports interactive debug shell on error.
 # Globals:
 #   ERR_CHRT_COMMAND
 #   TERM
 #   DEBUG_INTERACTIVE (optional boolean)
 # Arguments:
 #   1: Target of the chroot environment
 #   2: Command string to execute inside a shell (quoted)
 # Returns:
 #   0: on success
 #   ERR_CHRT_COMMAND: on failure
 #######################################
 do_in_target_script() {
  declare var_chroot_target="$1"
  shift
  declare var_chroot_script="$1"
  if [[ -z "${var_chroot_script}" ]]; then
    do_log "emergency" "true" "Empty command passed to 'do_in_target_script()'."
    return "${ERR_CHRT_COMMAND}"
  fi
  do_log "debug" "true" "Evaluating chroot script in '${var_chroot_target}': '${var_chroot_script}'."
  if chroot "${var_chroot_target}" /usr/bin/env -i \
    HOME=/root \
    PATH=/usr/sbin:/usr/bin:/sbin:/bin \
    TERM="${TERM}" \
    /bin/bash -c "${var_chroot_script}"
  then
    do_log "info" "true" "Success: chroot '${var_chroot_target}': '${var_chroot_script}'."
    return 0
  else
    declare -i var_chroot_rc="${?}"
    do_log "emergency" "true" "Failure: chroot '${var_chroot_target}': '${var_chroot_script}'."
    do_log "debug" "true" "Return code: '${var_chroot_rc}'."
    # TODO: Tests with Dialog Wrapper in interactive mode.
    #if [[ "${DEBUG_INTERACTIVE}" == "true" ]]; then
    #  do_log "warning" "true" "Launching interactive debug shell in chroot: '${var_chroot_target}'."
    #  chroot "${var_chroot_target}" /bin/bash -l
    #fi
    return "${ERR_CHRT_COMMAND}"
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/1082_helper_modules.sh
+++ b/func/1082_helper_modules.sh
@@ -17,7 +17,7 @@ guard_sourcing
 # Arguments:
 #   1: IPv4 in CCDIR Notation, e.g.,: 192.168.128.128/24
 # Returns:
-#   0: In every case a zero return value is delivered.
+#   0: on success
 #######################################
 generate_subnetmask() {
  declare var_arg="$1"
@@ -35,13 +35,13 @@ generate_subnetmask() {
 }
 #######################################
-# Helper module for full upgrade, autoremove and autoclean.
+# Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
 # Arguments:
 #   None
 #######################################
 update_upgrade() {
  apt-get update -y
-  apt-get upgrade -y
+  apt-get dist-upgrade -y
  apt-get autoclean -y
  apt-get autopurge -y
  apt-get autoremove -y
--- a/func/3200_partitioning.sh
+++ b/func/3200_partitioning.sh
@@ -27,7 +27,7 @@ guard_sourcing
 #   ERR_PART_READ
 #   ERR_TABLE_CREATE
 #   ERR_TABLE_DELETE
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 partitioning() {
  ### Declare Arrays and Variables.
--- a/func/3220_partition_encryption.sh
+++ b/func/3220_partition_encryption.sh
@@ -28,7 +28,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 partition_encryption() {
  ### Declare Arrays and Variables.
--- a/func/3240_partition_formatting.sh
+++ b/func/3240_partition_formatting.sh
@@ -22,7 +22,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 partition_formatting() {
  ### Declare Arrays and Variables.
--- a/func/3260_setup_filesystem.sh
+++ b/func/3260_setup_filesystem.sh
@@ -21,7 +21,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_filesystem() {
  ### Declare Arrays and Variables.
--- a/func/3280_mount_partition.sh
+++ b/func/3280_mount_partition.sh
@@ -101,7 +101,7 @@ validate_btrfs_compression() {
 #   ERR_BTRFS_SUBVOL
 #   ERR_MOUNTING_DEV
 #   ERR_MOUNTING_ROOT
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 mount_partition() {
  ### Mount "/"-filesystem
--- a/func/3290_uuid_logger.sh
+++ b/func/3290_uuid_logger.sh
@@ -22,7 +22,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 uuid_logger() {
  declare var_key var_mountpoint var_uuid
--- a/func/4000_debootstrap.sh
+++ b/func/4000_debootstrap.sh
@@ -22,7 +22,7 @@ guard_sourcing
 #   None
 # Returns:
 #   ERR_DEBOOTSTRAP
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 func_debootstrap() {
  # shellcheck disable=SC2154 # "${architecture}" "${distribution}"
--- a/func/4020_configure_system.sh
+++ b/func/4020_configure_system.sh
@@ -21,7 +21,7 @@ guard_sourcing
 #   None
 # Returns:
 #   ERR_CHRT_MOUNTS
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 configure_system() {
--- a/func/4040_generate_fstab.sh
+++ b/func/4040_generate_fstab.sh
@@ -23,7 +23,7 @@ guard_sourcing
 #   4: Mount Options
 #   5: Pass value, while Dump value is hardcoded always "0", e.g., "1"
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 write_fstab() {
  declare _uuid="$1" _path="$2" _fs="$3" _opts="$4" _pass="$5"
@@ -44,12 +44,12 @@ write_fstab() {
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 generate_fstab() {
  ### Generate '${TARGET}/etc/fstab' header.
  : >| "${TARGET}/etc/fstab"
-  chmod 0644 "${TARGET}/etc/fstab"
+  chmod 0600 "${TARGET}/etc/fstab"
  cat << 'EOF' >> "${TARGET}/etc/fstab"
 # /etc/fstab: static file system information.
--- a/func/4060_generate_crypttab.sh
+++ b/func/4060_generate_crypttab.sh
@@ -22,7 +22,7 @@ guard_sourcing
 #   3: Keyfile or none
 #   4: LUKS Options
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 write_crypttab() {
  declare _label="$1" _device="$2" _key_file="$3" _opts="$4"
@@ -43,14 +43,14 @@ write_crypttab() {
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 generate_crypttab() {
  declare var_key var_encryption_label var_luks_uuid
  ### Generate '${TARGET}/etc/crypttab' header.
  : >| "${TARGET}/etc/crypttab"
-  chmod 0644 "${TARGET}/etc/crypttab"
+  chmod 0600 "${TARGET}/etc/crypttab"
  cat << 'EOF' >> "${TARGET}/etc/crypttab"
 # /etc/crypttab: static file system information.
--- a/func/4080_generate_sources.sh
+++ b/func/4080_generate_sources.sh
@@ -33,7 +33,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 generate_sources() {
  declare -a ary_components
--- a/func/4090_minimal_toolset.sh
+++ b/func/4090_minimal_toolset.sh
@@ -0,0 +1,54 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Check and set up the minimum required tools for the next installation steps.
 # Globals:
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 minimal_toolset() {
  declare var_bin
  declare -A hmp_tool_pkg=(
    ["awk"]="gawk"
    ["busybox"]="busybox"
    ["cat"]="coreutils"
    ["chmod"]="coreutils"
    ["chown"]="coreutils"
    ["cp"]="coreutils"
    ["cryptsetup"]="cryptsetup-initramfs"
    ["echo"]="coreutils"
    ["grep"]="grep"
    ["ip"]="iproute2"
    ["ln"]="coreutils"
    ["mkdir"]="coreutils"
    ["ping"]="iputils-ping"
    ["sed"]="sed"
    ["update-initramfs"]="initramfs-tools"
  )
  for var_bin in "${!hmp_tool_pkg[@]}"; do
    if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null"; then
      do_in_target "${TARGET}" apt-get install -y "${hmp_tool_pkg[${var_bin}]}"
      do_log "debug" "true" "Tool '${var_bin}' missing – installing '${hmp_tool_pkg[${var_bin}]}'."
    fi
  done
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4100_setup_timezone.sh
+++ b/func/4100_setup_timezone.sh
@@ -20,12 +20,11 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_timezone() {
  # shellcheck disable=SC2154 # "${ntp_timezone}"
  do_in_target "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
-  do_in_target "${TARGET}" /bin/bash -c "echo ${ntp_timezone} | tee /etc/timezone"
+  do_in_target_script "${TARGET}" "echo ${ntp_timezone} | tee /etc/timezone"
  do_in_target "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
  return 0
 }
--- a/func/4110_setup_locales.sh
+++ b/func/4110_setup_locales.sh
@@ -24,7 +24,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_locales() {
  do_in_target "${TARGET}" apt-get install -y locales
--- a/func/4120_installation_kernel.sh
+++ b/func/4120_installation_kernel.sh
@@ -20,7 +20,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 installation_kernel() {
  # Installing the chosen Kernel Image according to preseed.yaml
--- a/func/4130_setup_network.sh
+++ b/func/4130_setup_network.sh
@@ -44,7 +44,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_network() {
  do_in_target "${TARGET}" apt-get install -y isc-dhcp-client ifupdown
--- a/func/4140_setup_hostname.sh
+++ b/func/4140_setup_hostname.sh
@@ -24,7 +24,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_hostname() {
  ### Create '${TARGET}/etc/hostname' file.
--- a/func/4150_setup_grub.sh
+++ b/func/4150_setup_grub.sh
@@ -33,7 +33,7 @@ guard_sourcing
 # Returns:
 #   ERR_GRUB_BACKGROUND
 #   ERR_GRUB_EFI_FORCE
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_grub() {
  declare var_update_grub_required="false"
--- a/func/4160_grub_bootparameter.sh
+++ b/func/4160_grub_bootparameter.sh
@@ -21,7 +21,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_grub_bootparameter() {
  ### Install Kernel Hardening-Presets
--- a/func/4170_installation_microcode.sh
+++ b/func/4170_installation_microcode.sh
@@ -19,7 +19,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 installation_microcode() {
  declare var_microcode_pkgs=""
--- a/func/4180_setup_ssh.sh
+++ b/func/4180_setup_ssh.sh
@@ -27,7 +27,7 @@ guard_sourcing
 # Arguments:
 #   None
 # Returns:
-#   0: Successfully executed commands.
+#   0: on success
 #######################################
 setup_ssh() {
  do_in_target "${TARGET}" apt-get install -y ssh
--- a/func/4190_build_dropbear.sh
+++ b/func/4190_build_dropbear.sh
@@ -0,0 +1,51 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Build Ultra Hardened dropbear-2025.88 from sources.
 # Globals:
 #   DIR_TMP
 #   ERR_PATH_NOT_VALID
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   ERR_PATH_NOT_VALID
 #   0: on success
 #######################################
 build_dropbear() {
  declare file
  mkdir -p "${DIR_TMP}/build"
  cp "${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-2025.88.tar.bz2" "${DIR_TMP}/build"
  tar xjf "${DIR_TMP}/build/dropbear-2025.88.tar.bz2"
  cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${DIR_TMP}/build/dropbear-2025.88"
  cd "${DIR_TMP}/build/dropbear-2025.88" || return "${ERR_PATH_NOT_VALID}"
  CC=musl-gcc \
    CFLAGS="-Os -Wno-undef" \
    LDFLAGS="-static -s -L/usr/local/lib" \
    ./configure \
      --enable-static \
      --enable-openpty \
      --disable-pam \
      --disable-zlib
  make -j"$(nproc)"
  do_log "info" "true" "Ultra Hardened dropbear-2025.88 build successfully from sources."
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4191_install_dropbear_initramfs.sh
+++ b/func/4191_install_dropbear_initramfs.sh
@@ -0,0 +1,28 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #   0: on success
 #######################################
 install_dropbear_initramfs() {
  declare var_file
  do_in_target "${TARGET}" apt-get install -y dropbear-initramfs
  for var_file in dbclient dropbear dropbearconvert dropbearkey; do
    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/sbin/"
  done
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4195_installation_dropbear.sh
+++ b/func/4195_installation_dropbear.sh
@@ -14,10 +14,7 @@ guard_sourcing
 # TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
 # TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
-###########################################################################################
+
 # 3.7.7. Functions - installation - kernel                                                #
 ###########################################################################################
 lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'bin/(reboot|sync|sleep|sh)'
 command="/usr/local/bin/coresecret.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp+6S+qM87lLWUtvTGBV/GFNvYyvZ992X4/AcuraKwm 2025_run.coresecret.dev_root
--- a/meta_loader_func.sh
+++ b/meta_loader_func.sh
@@ -43,6 +43,6 @@
 . ./func/4160_grub_bootparameter.sh
 . ./func/4170_installation_microcode.sh
 . ./func/4180_setup_ssh.sh
-. ./func/4190_installation_dropbear.sh
+. ./func/4195_installation_dropbear.sh
 . ./func/
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/upgrades/dropbear/dropbear-2025.88.tar.bz2
+++ b/upgrades/dropbear/dropbear-2025.88.tar.bz2
--- a/var/errors.var.sh
+++ b/var/errors.var.sh
@@ -42,6 +42,7 @@ declare -girx ERR_CHRT_MOUNTS=228       # Failure occurred while mounting system
 declare -girx ERR_CHRT_COMMAND=227      # Failure occurred while executing chroot environment command.
 declare -girx ERR_GRUB_EFI_FORCE=226    # Invalid combination of Partition Table and grub_force_efi.
 declare -girx ERR_GRUB_BACKGROUND=225   # Failure occurred on setting up the GRUB-background.
 declare -girx ERR_PATH_NOT_VALID=224    # Specific path is not existing.
 ### Definition of error trap vars