V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
121
.preseed/SECRETS.yaml
Normal file
121
.preseed/SECRETS.yaml
Normal file
@@ -0,0 +1,121 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
%YAML 1.2
|
||||
---
|
||||
### This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
|
||||
### Master V8.00.000.2025.06.17
|
||||
### YAML specification: 1.2
|
||||
|
||||
secrets:
|
||||
created_at: "2025-10-23"
|
||||
created_for: "host_domain_tld"
|
||||
name: "CISS.debian.installer"
|
||||
version: "V8.00.000.2025.06.17"
|
||||
description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
|
||||
|
||||
user:
|
||||
root:
|
||||
password:
|
||||
hashed: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
|
||||
description: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
|
||||
scope: "auth"
|
||||
type: "user-password"
|
||||
note: "Used to unlock the root user."
|
||||
sshpubkey:
|
||||
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||
description: "SSH public key for the root user."
|
||||
scope: "auth"
|
||||
type: "user-sshpubkey"
|
||||
note: "Used to unlock the root user."
|
||||
user0:
|
||||
password:
|
||||
hashed: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
|
||||
description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
|
||||
scope: "auth"
|
||||
type: "user-password"
|
||||
note: "Used to unlock the specified user."
|
||||
sshpubkey:
|
||||
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||
description: "SSH public key for the specified user."
|
||||
scope: "auth"
|
||||
type: "user-sshpubkey"
|
||||
note: "Used to unlock the specified user."
|
||||
user1:
|
||||
password:
|
||||
hashed: ""
|
||||
description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
|
||||
scope: "auth"
|
||||
type: "user-password"
|
||||
note: "Used to unlock the specified user."
|
||||
sshpubkey:
|
||||
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||
description: "SSH public key for the specified user."
|
||||
scope: "auth"
|
||||
type: "user-sshpubkey"
|
||||
note: "Used to unlock the specified user."
|
||||
|
||||
passwords:
|
||||
grub:
|
||||
plain: "PleASE_CHan3e_M!"
|
||||
description: "Password used to unlock the GRUB bootloader before system initialization."
|
||||
scope: "boot"
|
||||
type: "grub-password"
|
||||
notes: "Used to unlock the GRUB bootloader during early system initialization on encrypted systems."
|
||||
|
||||
boot:
|
||||
plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
|
||||
description: "LUKS passphrase used to decrypt the /boot partition during system boot."
|
||||
scope: "boot"
|
||||
type: "luks-passphrase"
|
||||
notes: "Dedicated passphrase for the /boot partition; chosen for easy manual input via the VPS web console."
|
||||
|
||||
luks:
|
||||
backup:
|
||||
plain: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
|
||||
description: "Credentials for the Nextcloud folder that stores encrypted LUKS header backups"
|
||||
scope: "offsite-backup"
|
||||
type: "nextcloud-share-credentials"
|
||||
notes: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers."
|
||||
common:
|
||||
plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
|
||||
description: "Primary shared LUKS passphrase used by encrypted partitions during installation."
|
||||
scope: "installer"
|
||||
type: "luks-passphrase"
|
||||
notes: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
|
||||
nuke:
|
||||
plain: "THIS_IS_THE_NUKE_PASSWORD!"
|
||||
description: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
|
||||
scope: "emergency"
|
||||
type: "luks-passphrase-nuke"
|
||||
notes: "Use only to irreversibly destroy all encrypted volumes."
|
||||
|
||||
seeds:
|
||||
mfa:
|
||||
info:
|
||||
plain: "totp:v1"
|
||||
description: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover."
|
||||
scope: "auth"
|
||||
type: "mfa"
|
||||
notes: "Used to add version identifier to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
|
||||
salt:
|
||||
plain: "CISS:CDI:OTP"
|
||||
description: "Combination of <plain> and (Server_FQDN/Username)"
|
||||
scope: "auth"
|
||||
type: "mfa"
|
||||
notes: "Used to add salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
|
||||
secret:
|
||||
hex: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
|
||||
description: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
|
||||
scope: "auth"
|
||||
type: "mfa"
|
||||
notes: "Used solely for generating per-host one-time passwords (OTPs) utilized by MFA mechanisms for SSH, TTY, su, and sudo authentication"
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
|
||||
@@ -14,9 +14,12 @@
|
||||
### Master V8.00.000.2025.06.17
|
||||
### YAML specification: 1.2
|
||||
|
||||
installer:
|
||||
preseed:
|
||||
created_at: "2025-10-23"
|
||||
created_for: "host_domain_tld"
|
||||
name: "CISS.debian.installer"
|
||||
version: "V8.00.000.2025.06.17"
|
||||
description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
|
||||
|
||||
################################################################################################################################
|
||||
# APT settings
|
||||
@@ -133,7 +136,7 @@ grub_parameter:
|
||||
# undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
|
||||
# auditd records will be lost, and potential malicious activity could go undetected.
|
||||
##############################################################################################################################
|
||||
- "audit_backlog_limit=16384"
|
||||
- "audit_backlog_limit=262144"
|
||||
- "audit=1"
|
||||
|
||||
##############################################################################################################################
|
||||
|
||||
@@ -53,8 +53,8 @@ install_verification() {
|
||||
|
||||
rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
|
||||
|
||||
############################################################### /etc/audit/rules.d/10-base-config.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules"
|
||||
############################################################### /etc/audit/rules.d/00-base-config.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/00-base-config.rules"
|
||||
## First rule - delete all
|
||||
-D
|
||||
|
||||
@@ -70,6 +70,20 @@ install_verification() {
|
||||
|
||||
## Set failure mode to syslog.
|
||||
-f 1
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
|
||||
cat << EOF >| "${TARGET}/etc/audit/rules.d/10-ciss-noise-floor.rules"
|
||||
## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
|
||||
-a never,exit -F auid=4294967295
|
||||
|
||||
## Make privileged exec tracing user-initiated only (no boot-time daemons).
|
||||
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
|
||||
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
|
||||
|
||||
## (Optional, same principle for suid/sgid transitions).
|
||||
-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
|
||||
-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
|
||||
EOF
|
||||
|
||||
############################################################### /etc/audit/rules.d/11-loginuid.rules
|
||||
|
||||
@@ -14,7 +14,13 @@ guard_sourcing
|
||||
|
||||
### Definition of MUST set early variables.
|
||||
# shellcheck disable=SC2155
|
||||
declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
|
||||
declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
|
||||
# Print $4 and $5; include $6 only if it exists
|
||||
out = $4
|
||||
if (NF >= 5) out = out " " $5
|
||||
if (NF >= 6) out = out " " $6
|
||||
print out
|
||||
}')"
|
||||
declare -grx VAR_CONTACT="security@coresecret.eu"
|
||||
# shellcheck disable=SC2155
|
||||
declare -grx VAR_DS_VER="$(debootstrap --version)"
|
||||
|
||||
Reference in New Issue
Block a user