From 925cdae81c813b951211aa310affc287ef76b6403ebbb2948cb7c9c22a6716ed Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Mon, 8 Jun 2026 15:21:48 +0100 Subject: [PATCH] V9.14.002.2026.06.08 Signed-off-by: Marc S. Weidner --- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .preseed/SECRETS.yaml | 4 ++-- .preseed/preseed.yaml | 12 +++++----- .version.properties | 2 +- CISS.debian.installer.spdx | 2 +- README.md | 4 ++-- docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/CHANGELOG.md | 4 ++-- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DOCUMENTATION.md | 13 +++++++---- docs/MANPAGES.md | 2 +- docs/REFERENCES.md | 2 +- docs/man/BOOTPARAMS.md | 2 +- docs/man/DEBUG_HANDLING.md | 2 +- docs/man/ERROR_HANDLING.md | 2 +- docs/man/LINTER_CHAR.md | 2 +- docs/man/TRAP_MECHANISM.md | 2 +- func/cdi_1000_helper/README/README_1080.md | 2 +- .../README/README_4000.md | 2 +- func/cdi_4300_network/4310_dropbear_build.sh | 12 ++++++---- .../4311_dropbear_initramfs.sh | 23 ++++++++++++++++--- lib/cdi_0000_preliminary/0002_usage.sh | 14 +++++++---- lib/cdi_0000_preliminary/README.md | 2 +- lib/cdi_0005_guard/README.md | 2 +- lib/cdi_0100_arg/0100_arg_mismatch.sh | 8 +++++-- lib/cdi_0100_arg/0102_arg_parser.sh | 19 +++++++++++++++ var/README/README_BASH_VAR.md | 2 +- var/early.var.sh | 2 +- var/errors.var.sh | 5 ++-- var/global.var.sh | 2 ++ 38 files changed, 114 insertions(+), 58 deletions(-) diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 7af5dbe..2dae5b8 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml 
@@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./setup.sh -v`." - placeholder: "e.g., Master V9.14.000.2026.06.07" + placeholder: "e.g., Master V9.14.002.2026.06.08" validations: required: true diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 18391f9..ede96fb 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.000.2026.06.07 + version: V9.14.002.2026.06.08 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index a198101..cdf76bf 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu -### Version Master V9.14.000.2026.06.07 +### Version Master V9.14.002.2026.06.08 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 183283c..26eb1c2 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu -### Version Master V9.14.000.2026.06.07 +### Version Master V9.14.002.2026.06.08 name: 🛡️ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 9d811b6..6b0019c 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu -### Version Master V9.14.000.2026.06.07 +### Version Master V9.14.002.2026.06.08 name: 🔁 Render Graphviz Diagrams. 
diff --git a/.preseed/SECRETS.yaml b/.preseed/SECRETS.yaml index d03820b..c2ee631 100644 --- a/.preseed/SECRETS.yaml +++ b/.preseed/SECRETS.yaml @@ -11,7 +11,7 @@ # # # This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer -# Master V9.14.000.2026.06.07 +# Master V9.14.002.2026.06.08 # YAML specification: 1.2 # secrets: @@ -19,7 +19,7 @@ secrets: created_at: "2025-10-23" created_for: "host_domain_tld" name: "CISS.debian.installer" - version: "V9.14.000.2026.06.07" + version: "V9.14.002.2026.06.08" x_files: "false" ################################################################################################################################ # Grub bootloader passphrase diff --git a/.preseed/preseed.yaml b/.preseed/preseed.yaml index 1b60acd..1eede7f 100644 --- a/.preseed/preseed.yaml +++ b/.preseed/preseed.yaml @@ -11,7 +11,7 @@ %YAML 1.2 --- # This file contains configurations for the CISS.debian.installer -# Master V9.14.000.2026.06.07 +# Master V9.14.002.2026.06.08 # YAML specification: 1.2 # preseed: @@ -19,7 +19,7 @@ preseed: created_at: "2025-10-23" created_for: "host_domain_tld" name: "CISS.debian.installer" - version: "V9.14.000.2026.06.07" + version: "V9.14.002.2026.06.08" # ################################################################################################################################ # APT settings 
@@ -28,7 +28,7 @@ apt: contrib: true # Optionally, install contrib software. deb_sources: true # Optionally includes deb-src entries for source repositories. default_list: false # By default, source repositories are listed in '/etc/apt/sources.list'. - default_deb822: true # Since Trixie, source repositories are listed in '/etc/apt/sources.list.d/' in deb.822 format. + default_deb822: true # Since Trixie, source repositories have been listed in '/etc/apt/sources.list.d/' in deb.822 format. full_upgrade: true # Whether to upgrade packages after debootstrap. install_recommends: true # Configure APT to not install recommended packages by default. non_free: true # Optionally, install non-free software. @@ -107,7 +107,7 @@ image: "linux-image-6.16.3+deb13-amd64" # "linux-image-6.16.3+deb13-amd64" needrun: false # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target. provider: "netcup" # MUST be one of "contabo", "hetzner", "netcup" or leave empty. -security_ext: "apparmor" # MUST be one of "apparmor" or "selinux". +security_ext: "apparmor" # MUST be one of "apparmor" or "selinux". ################################################################################################################################ # Dropbear settings @@ -156,7 +156,7 @@ grub_parameter: - "debugfs=off" ############################################################################################################################## - # Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU. + # Disable the bus master bit on all PCI bridges during very early boot to avoid holes in IOMMU. # https://mjg59.dreamwidth.org/54433.html # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 ############################################################################################################################## 
@@ -262,7 +262,7 @@ grub_parameter: ############################################################################################################################## # All Kernel Messages with a loglevel smaller than the console loglevel will be printed to the console. It can also be # changed with 'klogd' or other programs. The log levels are defined as follows: - # 0 (KERN_EMERG) system is unusable + # 0 (KERN_EMERG) the system is unusable # 1 (KERN_ALERT) action must be taken immediately # 2 (KERN_CRIT) critical conditions # 3 (KERN_ERR) error conditions diff --git a/.version.properties b/.version.properties index f3bbd79..eec3ab1 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.installer" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V9.14.000.2026.06.07" +properties_version="V9.14.002.2026.06.08" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.installer.spdx b/CISS.debian.installer.spdx index 5b6205b..c563fb1 100644 --- a/CISS.debian.installer.spdx +++ b/CISS.debian.installer.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-06-17T12:00:00Z Package: CISS.debian.installer PackageName: CISS.debian.installer -PackageVersion: Master V9.14.000.2026.06.07 +PackageVersion: Master V9.14.002.2026.06.08 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer diff --git a/README.md b/README.md index 3650b11..412f9cc 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.000.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.002.2026.06.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index c6a5b62..22fee56 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. DNSSEC Status diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index d08313a..dba21d2 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. TLS Audit: diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 83775ed..212ce9a 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,11 +8,11 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Changelog -## V9.14.000.2026.06.07 +## V9.14.002.2026.06.08 * Initial Release diff --git a/docs/CNET.md b/docs/CNET.md index 69e46ca..79fe1f4 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 33cddd7..285a175 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Purpose diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 2376bd4..dbd85ee 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index c4fd444..c2c1fcb 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Credits diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index d80b300..a131244 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,15 +8,15 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Usage ````text CISS.debian.installer -Master V9.14.000.2026.06.07 +Master V9.14.002.2026.06.08 -(c) Marc S. Weidner, 2018 - 2025 -(p) Centurion Press, 2024 - 2025 +(c) Marc S. Weidner, 2018 - 2026 +(p) Centurion Press, 2024 - 2026 https://coresecret.eu/ @@ -34,6 +34,11 @@ A powerful Debian installer for setting up a hardened Debian environment. Enables debug logging for the main program routine. Detailed logging information are written to "/tmp/ciss_live_builder_516151.log" + --dropbear-version . + Sets the Dropbear source version used for the hardened Dropbear build. + Also accepts "--dropbear-version=.". + Defaults to "2026.91". + --renice-priority Reset the nice priority value of the script and all its children to the desired PRIORITY. MUST be an integer (between "-19" and 19). diff --git a/docs/MANPAGES.md b/docs/MANPAGES.md index 7f89aa2..e558dba 100644 --- a/docs/MANPAGES.md +++ b/docs/MANPAGES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. ToC diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 52bce3c..7c0b50d 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Resources diff --git a/docs/man/BOOTPARAMS.md b/docs/man/BOOTPARAMS.md index a17357d..a7b0a9a 100644 --- a/docs/man/BOOTPARAMS.md +++ b/docs/man/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Hardened Kernel Boot Parameters diff --git a/docs/man/DEBUG_HANDLING.md b/docs/man/DEBUG_HANDLING.md index 17fecac..709b0ed 100644 --- a/docs/man/DEBUG_HANDLING.md +++ b/docs/man/DEBUG_HANDLING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Debugging and Tracing Infrastructure diff --git a/docs/man/ERROR_HANDLING.md b/docs/man/ERROR_HANDLING.md index 471b686..d5c46ca 100644 --- a/docs/man/ERROR_HANDLING.md +++ b/docs/man/ERROR_HANDLING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Global Environment and Error Handling in CISS.debian.installer diff --git a/docs/man/LINTER_CHAR.md b/docs/man/LINTER_CHAR.md index 3e330e8..5f6ed2c 100644 --- a/docs/man/LINTER_CHAR.md +++ b/docs/man/LINTER_CHAR.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Git Workflow Linter — Character Set Policy Enforcement diff --git a/docs/man/TRAP_MECHANISM.md b/docs/man/TRAP_MECHANISM.md index db6024a..540881a 100644 --- a/docs/man/TRAP_MECHANISM.md +++ b/docs/man/TRAP_MECHANISM.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Interplay Between Global Hardening Settings and TRAP Mechanisms diff --git a/func/cdi_1000_helper/README/README_1080.md b/func/cdi_1000_helper/README/README_1080.md index b733ea6..9b783d2 100644 --- a/func/cdi_1000_helper/README/README_1080.md +++ b/func/cdi_1000_helper/README/README_1080.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh) **Scope:** This note explains *what to use when* among diff --git a/func/cdi_4000_debootstrap/README/README_4000.md b/func/cdi_4000_debootstrap/README/README_4000.md index feef5df..a2c983b 100644 --- a/func/cdi_4000_debootstrap/README/README_4000.md +++ b/func/cdi_4000_debootstrap/README/README_4000.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. [4000_debootstrap.sh](../4000_debootstrap.sh) This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`. diff --git a/func/cdi_4300_network/4310_dropbear_build.sh b/func/cdi_4300_network/4310_dropbear_build.sh index d6cbff7..5279644 100644 --- a/func/cdi_4300_network/4310_dropbear_build.sh +++ b/func/cdi_4300_network/4310_dropbear_build.sh @@ -15,7 +15,10 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### # Build Ultra Hardened dropbear from sources. # Globals: +# PATH # TARGET +# VAR_DROPBEAR_BUILD_ROOT +# VAR_DROPBEAR_VERSION # VAR_SETUP_PATH # Arguments: # None @@ -27,10 +30,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### dropbear_build() { ### Declare Arrays, HashMaps, and Variables. - declare var_dropbear_version="2026.91" - declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" - declare var_build_root="/opt/.ciss/build" - declare var_build_dir="${var_build_root}/dropbear-${var_dropbear_version}" + declare -r var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${VAR_DROPBEAR_VERSION}.tar.bz2" + declare -r var_build_root="${VAR_DROPBEAR_BUILD_ROOT}" + declare -r var_build_dir="${var_build_root}/dropbear-${VAR_DROPBEAR_VERSION}" declare -r var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log" declare -r var_build_log="${TARGET}${var_logfile}" declare -r var_build_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" @@ -49,7 +51,7 @@ dropbear_build() { fi case "${var_build_dir}" in - /opt/.ciss/build/dropbear-*) ;; + "${VAR_DROPBEAR_BUILD_ROOT}"/dropbear-*) ;; *) do_log "error" "file_only" "4310() Refusing to clean unexpected Dropbear build directory: '${var_build_dir}'." return "${ERR_PATH_NOT_VALID}" diff --git a/func/cdi_4300_network/4311_dropbear_initramfs.sh b/func/cdi_4300_network/4311_dropbear_initramfs.sh index adcaa9d..0f48a0e 100644 
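Review bot: The `case` guard on the new side no longer rejects anything, because `var_build_dir` is now assembled from the very `VAR_DROPBEAR_BUILD_ROOT` it is compared against, and `*` in a case pattern also matches `/`, so whatever ends up in `VAR_DROPBEAR_VERSION` (or in the build-root variable, which global.var.sh declares writable with plain `-gx`) passes the check. Since the log text `Refusing to clean` suggests a recursive removal follows, the guard should validate the only free component of the path instead, before the paths are composed: `[[ "${VAR_DROPBEAR_VERSION}" =~ ^[0-9]{4}\.[0-9]+$ ]] || { do_log "error" "file_only" "4310() Invalid Dropbear version: '${VAR_DROPBEAR_VERSION}'."; return "${ERR_DROPBEAR_V}"; }`. That mirrors the pattern `arg_parser` enforces, so a version that reached this function through any other route is caught here too. The body of `dropbear_build` continues past this hunk, so the removal itself is not visible.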
--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh +++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh @@ -15,9 +15,10 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### # Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build. # Globals: -# DIR_TMP # RECOVERY # TARGET +# VAR_DROPBEAR_BUILD_ROOT +# VAR_DROPBEAR_VERSION # VAR_RUN_RECOVERY # Arguments: # None @@ -27,6 +28,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" dropbear_initramfs() { ### Declare Arrays, HashMaps, and Variables. declare var_file="" + declare -r var_build_dir="${VAR_DROPBEAR_BUILD_ROOT}/dropbear-${VAR_DROPBEAR_VERSION}" declare -r var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log" declare var_target="${TARGET}" @@ -35,6 +37,21 @@ dropbear_initramfs() { chroot_logger "${var_target}${var_logfile}" + case "${var_build_dir}" in + "${VAR_DROPBEAR_BUILD_ROOT}"/dropbear-*) ;; + *) + do_log "error" "file_only" "4311() Refusing unexpected Dropbear build directory: '${var_build_dir}'." + return "${ERR_PATH_NOT_VALID}" + ;; + esac + + for var_file in dropbear dbclient dropbearconvert dropbearkey; do + if [[ ! -x "${var_build_dir}/${var_file}" ]]; then + do_log "error" "file_only" "4311() Dropbear build artifact missing or not executable: '${var_build_dir}/${var_file}'." + return "${ERR_PATH_NOT_VALID}" + fi + done + chroot_script "${var_target}" " export INITRD=No [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh 
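Review bot: The new `-x` loop tests `${var_build_dir}/${var_file}` as a host-side path with no `${TARGET}` prefix, while 4310 writes its build log to `${TARGET}${var_logfile}`; if the hardened build runs inside the chroot, its artifacts would sit under `${TARGET}${VAR_DROPBEAR_BUILD_ROOT}` and this loop would either fail every time or, worse, pick up a stale host-side build from an earlier run. I cannot tell from the hunk on which side the build happens, so at minimum the `var_build_dir` declaration deserves a comment such as `# Host-side path: 4310 builds outside the chroot; the artifacts are copied into ${TARGET} below.`, and if that assumption is wrong the prefix must become `"${TARGET}${VAR_DROPBEAR_BUILD_ROOT}"`. The `case` guard just above the loop is tautological for the same reason as in 4310: `var_build_dir` is derived from `VAR_DROPBEAR_BUILD_ROOT`, the very prefix it is matched against, so only a format check on `VAR_DROPBEAR_VERSION` would actually reject a bad path. `dropbear_initramfs` continues beyond this hunk.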
@@ -60,14 +77,14 @@ dropbear_initramfs() { " mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie" - install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/" + install -D -m 0755 -o root -g root "${var_build_dir}/dropbear" "${var_target}/usr/sbin/" do_log "debug" "file_only" "4311() Installation [dropbear] successful." for var_file in dbclient dropbearconvert dropbearkey; do mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie" - install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/" + install -D -m 0755 -o root -g root "${var_build_dir}/${var_file}" "${var_target}/usr/bin/" do_log "debug" "file_only" "4311() Installation [${var_file}] successful." done diff --git a/lib/cdi_0000_preliminary/0002_usage.sh b/lib/cdi_0000_preliminary/0002_usage.sh index 6b3cbe6..e951b18 100644 --- a/lib/cdi_0000_preliminary/0002_usage.sh +++ b/lib/cdi_0000_preliminary/0002_usage.sh @@ -37,9 +37,9 @@ usage() { declare var_cols=$(tput cols 2> /dev/null || echo 80) # shellcheck disable=SC2155 - declare var_header=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}") + declare var_header=$(center "V9.14.002.2026.06.08 CISS.debian.installer" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}") + declare var_footer=$(center "V9.14.002.2026.06.08 CISS.debian.installer" "${var_cols}") { echo -e "\e[97m${var_header} \e[0m" 
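Review bot: Replacing `/usr/sbin/dropbear` and the three client binaries by `mv`-ing the package-owned files aside and `install`-ing the hardened build over them leaves dpkg unaware of the swap, so the next upgrade of the package that owns those paths (presumably dropbear-bin, installed by the preceding `chroot_script` which is not visible here) would silently reinstate the distro binaries and undo the hardening. Diverting inside the chroot before the copy keeps the hardened binary across upgrades and records the intent on the target: `chroot "${var_target}" dpkg-divert --add --rename --divert /usr/sbin/dropbear.trixie /usr/sbin/dropbear` in place of the bare `mv`, and the same per `/usr/bin/${var_file}` inside the loop. The `.trixie` suffix alone tells a later administrator nothing about why two copies exist. `dropbear_initramfs` continues beyond this hunk.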
@@ -48,8 +48,8 @@ usage() { echo -e "\e[92m${VAR_VERSION} \e[0m" echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment. \e[0m" echo - echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" - echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m" + echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m" + echo -e "\e[97m(p) Centurion Press, 2024 - 2026 \e[0m" echo echo -e "\e[91mUse only in trusted, non-production environments unless code audited! \e[0m" echo @@ -75,6 +75,12 @@ usage() { echo " - /tmp/.ciss/log/ciss_debian_installer_$$_trace.log" echo " - /tmp/.ciss/log/ciss_debian_installer_$$_var.log" echo + echo -e "\e[97m --dropbear-version . \e[0m" + echo " Set the Dropbear source version used for the hardened Dropbear build." + echo " Also accepts '--dropbear-version=.'." + echo " Example: --dropbear-version 2026.91" + echo " Defaults to '${VAR_DROPBEAR_VERSION:-2026.91}'." + echo echo -e "\e[97m --log, -l \e[0m" echo " This changes the default log level from 'info' to one of the following values:" echo " debug" diff --git a/lib/cdi_0000_preliminary/README.md b/lib/cdi_0000_preliminary/README.md index 24330d3..e0586ac 100644 --- a/lib/cdi_0000_preliminary/README.md +++ b/lib/cdi_0000_preliminary/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Preliminary Components – `cdi_0000_preliminary` diff --git a/lib/cdi_0005_guard/README.md b/lib/cdi_0005_guard/README.md index 6df8925..9c96928 100644 --- a/lib/cdi_0005_guard/README.md +++ b/lib/cdi_0005_guard/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Guarding and Safe Execution – `cdi_0005_guard` diff --git a/lib/cdi_0100_arg/0100_arg_mismatch.sh b/lib/cdi_0100_arg/0100_arg_mismatch.sh index 1384c20..0baeec4 100644 --- a/lib/cdi_0100_arg/0100_arg_mismatch.sh +++ b/lib/cdi_0100_arg/0100_arg_mismatch.sh @@ -23,17 +23,21 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" # VAR_IN_DIALOG_WR # Arguments: # 1: Message to be printed. +# 2: Optional exit code. ####################################### arg_mismatch() { + declare -i err_code="${2:-${ERR_ARG_MISMATCH}}" + ### Call cleaner if and only if not in auto-install mode. if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then ### Dynamically select the cleaner based on the dialog wrapper type. + # shellcheck disable=SC2249 case "${VAR_IN_DIALOG_WR}" in box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;; esac fi printf "%b❌ Error: '%s'. %b%b" "${RED}" "${1}" "${RES}" "${NL}" >&2 - read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' - exit "${ERR_ARG_MISMATCH}" + read -rp $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' + exit "${err_code}" } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/cdi_0100_arg/0102_arg_parser.sh b/lib/cdi_0100_arg/0102_arg_parser.sh index 4791a6c..3b2bce0 100644 --- a/lib/cdi_0100_arg/0102_arg_parser.sh +++ b/lib/cdi_0100_arg/0102_arg_parser.sh @@ -17,6 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}" # Globals: # VAR_DEFAULT_LOG_LEVEL # VAR_AUTO_INSTALL +# VAR_DROPBEAR_VERSION # VAR_IN_DIALOG_WR # VAR_PRIORITY # VAR_REIONICE_CLASS 
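Review bot: The `read -rp` prompt after the `printf` runs unconditionally, so when `VAR_AUTO_INSTALL` is `"true"` (the very mode in which the dialog cleaner is skipped) an unattended run blocks waiting for ENTER instead of exiting with the error status; guard it the same way: `if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then read -rp $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'; fi`. Separately, `declare -i err_code="${2:-${ERR_ARG_MISMATCH}}"` coerces a non-numeric second argument to 0, which would turn an error path into a success exit status for the caller; a `[[ "${2-}" =~ ^[0-9]+$ ]]` check before the assignment, falling back to `ERR_ARG_MISMATCH`, closes that. The new optional parameter should also say in the header comment that it must be an integer exit status. `arg_mismatch` is complete within this hunk.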
@@ -51,6 +52,24 @@ arg_parser() { shift 1 ;; + --dropbear-version) + if [[ -n "${2-}" && "${2}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then + declare -gx VAR_DROPBEAR_VERSION="${2}" + shift 2 + else + arg_mismatch "--dropbear-version MUST match .." "${ERR_DROPBEAR_V}" + fi + ;; + + --dropbear-version=*) + if [[ "${argument#*=}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then + declare -gx VAR_DROPBEAR_VERSION="${argument#*=}" + shift 1 + else + arg_mismatch "--dropbear-version MUST match .." "${ERR_DROPBEAR_V}" + fi + ;; + -l | --log) case "${2,,}" in debug|info|notice|warn|error|critical|fatal|emergency) declare -gx VAR_DEFAULT_LOG_LEVEL="$2"; shift 2 ;; diff --git a/var/README/README_BASH_VAR.md b/var/README/README_BASH_VAR.md index f83edac..198fa34 100644 --- a/var/README/README_BASH_VAR.md +++ b/var/README/README_BASH_VAR.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
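Review bot: Both `--dropbear-version` branches emit `--dropbear-version MUST match ..`, which as shown here names no format at all (if a placeholder in angle brackets was lost in rendering, it is still worth avoiding inside a shell string); make it self-explanatory, e.g. `arg_mismatch "--dropbear-version MUST match YYYY.NN, e.g. 2026.91" "${ERR_DROPBEAR_V}"`. The regex `^[0-9]{4}\.[0-9]+$` is also written twice; hoisting it into one local such as `declare -r var_dbv_re='^[0-9]{4}\.[0-9]+$'` at the top of `arg_parser` and using `=~ ${var_dbv_re}` in both branches keeps the two forms from drifting apart. The pattern only checks the shape of the value, not that `${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${VAR_DROPBEAR_VERSION}.tar.bz2` exists, which 4310 will presumably discover much later in the run; a `-r` test here would fail fast. `arg_parser` starts before this hunk.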
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. [bash.var.sh](../bash.var.sh) This module establishes the global execution profile for all modules of the `CISS.debian.installer`. It is sourced at the very diff --git a/var/early.var.sh b/var/early.var.sh index 6fe4a27..debe9e6 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -24,7 +24,7 @@ declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{ declare -grx VAR_CONTACT="security@coresecret.eu" # shellcheck disable=SC2155 declare -grx VAR_DS_VER="$(debootstrap --version)" -declare -grx VAR_VERSION="Master V9.14.000.2026.06.07" +declare -grx VAR_VERSION="Master V9.14.002.2026.06.08" # shellcheck disable=SC2155 declare -grx VAR_SYSTEM="$(uname -mnosv)" declare -gx VAR_ARG_SANITIZED="" diff --git a/var/errors.var.sh b/var/errors.var.sh index 7fc4052..e5c18e3 100644 --- a/var/errors.var.sh +++ b/var/errors.var.sh @@ -42,10 +42,10 @@ declare -girx ERR_MOUNTING_LUKS=231 # The LUKS Volume could not be mounted. declare -girx ERR_UNKNOWN_DEV=230 # Unknown Device Path. declare -girx ERR_DEBOOTSTRAP=229 # Failure occurred on the debootstrap. declare -girx ERR_CHRT_MOUNTS=228 # Failure occurred while mounting system devices. -declare -girx ERR_CHRT_COMMAND=227 # Failure occurred while executing chroot environment command. +declare -girx ERR_CHRT_COMMAND=227 # Failure occurred while executing the chroot environment command. declare -girx ERR_GRUB_INSTALL=226 # Error while installing Grub on the specified device. declare -girx ERR_GRUB_BACKGROUND=225 # Failure occurred on setting up the GRUB-background. -declare -girx ERR_GRUB_ARCHITECTURE=224 # Architecture is not supported by Grub. +declare -girx ERR_GRUB_ARCHITECTURE=224 # Grub does not support architecture. declare -girx ERR_PATH_NOT_VALID=223 # A specific path is not existing. declare -girx ERR_READ_NUKE_FILE=222 # Error reading the Luks Nuke password file. declare -girx ERR_READ_GRUB_FILE=221 # Error reading the Grub password file. 
@@ -60,6 +60,7 @@ declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'. declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file. declare -girx ERR_ACCOUNT_CREATE=211 # Error creating user accounts. declare -girx ERR_LUKS_HEADER_ENC=210 # Error encrypting LUKS Header backup. +declare -girx ERR_DROPBEAR_V=209 # Invalid Dropbear version argument. declare -girx ERR_DECRYPTION_SOPS=132 # An error occurred while decrypting SECRETS.yaml. declare -girx ERR_MISSING_AGE_BIN=130 # SOPS binary for decryption SECRETS.yaml missing. declare -girx ERR_MISSING_AGE_KEY=129 # AGE key for decryption SECRETS.yaml values missing. diff --git a/var/global.var.sh b/var/global.var.sh index 47fc59b..f9bdae6 100644 --- a/var/global.var.sh +++ b/var/global.var.sh @@ -87,6 +87,8 @@ declare -gx VAR_GRUB_PASSWORD="false" ### 4310_dropbear_build.sh declare -gx VAR_DROPBEAR="" +declare -gx VAR_DROPBEAR_VERSION="2026.91" +declare -gx VAR_DROPBEAR_BUILD_ROOT="/opt/.ciss/build" ### 4330_installation_ssh.sh declare -gx VAR_SSH_PORT=""
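Review bot: `VAR_DROPBEAR_BUILD_ROOT` is declared with `-gx` only, yet 4310 and 4311 use it as the trusted prefix that decides whether a directory may be cleaned and whether its binaries may be installed into the target; any module sourced later can repoint it and both guards follow, so it should be `declare -grx VAR_DROPBEAR_BUILD_ROOT="/opt/.ciss/build"`, matching the read-only constants in early.var.sh. `VAR_DROPBEAR_VERSION` has to stay writable because `arg_parser` reassigns it with `declare -gx`, but its line should carry the contract the parser enforces, e.g. `# Dropbear source release, format YYYY.NN; a matching dropbear-${VAR_DROPBEAR_VERSION}.tar.bz2 must exist under ${VAR_SETUP_PATH}/upgrades/dropbear/`. Both facts are only visible in the 0102 and 4310 hunks of this patch, not in this file, which is why a comment here helps the next maintainer.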