msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-23 13:37:10 +01:00
parent a0a04173ab
commit 947458d174
4 changed files with 149 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
.preseed/SECRETS.yaml Normal file
View File

@@ -0,0 +1,121 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
%YAML 1.2
---
### This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
### Master V8.00.000.2025.06.17
### YAML specification: 1.2
secrets:
created_at: "2025-10-23"
created_for: "host_domain_tld"
name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17"
description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
user:
root:
password:
hashed: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
description: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
scope: "auth"
type: "user-password"
note: "Used to unlock the root user."
sshpubkey:
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
description: "SSH public key for the root user."
scope: "auth"
type: "user-sshpubkey"
note: "Used to unlock the root user."
user0:
password:
hashed: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth"
type: "user-password"
note: "Used to unlock the specified user."
sshpubkey:
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
description: "SSH public key for the specified user."
scope: "auth"
type: "user-sshpubkey"
note: "Used to unlock the specified user."
user1:
password:
hashed: ""
description: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
scope: "auth"
type: "user-password"
note: "Used to unlock the specified user."
sshpubkey:
value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
description: "SSH public key for the specified user."
scope: "auth"
type: "user-sshpubkey"
note: "Used to unlock the specified user."
passwords:
grub:
plain: "PleASE_CHan3e_M!"
description: "Password used to unlock the GRUB bootloader before system initialization."
scope: "boot"
type: "grub-password"
notes: "Used to unlock the GRUB bootloader during early system initialization on encrypted systems."
boot:
plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
description: "LUKS passphrase used to decrypt the /boot partition during system boot."
scope: "boot"
type: "luks-passphrase"
notes: "Dedicated passphrase for the /boot partition; chosen for easy manual input via the VPS web console."
luks:
backup:
plain: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
description: "Credentials for the Nextcloud folder that stores encrypted LUKS header backups"
scope: "offsite-backup"
type: "nextcloud-share-credentials"
notes: "The value is '<share-identifier>:<password>' (colon-separated). Use the same dedicated destination and credentials across servers."
common:
plain: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
description: "Primary shared LUKS passphrase used by encrypted partitions during installation."
scope: "installer"
type: "luks-passphrase"
notes: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
nuke:
plain: "THIS_IS_THE_NUKE_PASSWORD!"
description: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
scope: "emergency"
type: "luks-passphrase-nuke"
notes: "Use only to irreversibly destroy all encrypted volumes."
seeds:
mfa:
info:
plain: "totp:v1"
description: "MFA version identifier (e.g., 'totp:v1') for seamless mfa secrets rollover."
scope: "auth"
type: "mfa"
notes: "Used to add version identifier to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
salt:
plain: "CISS:CDI:OTP"
description: "Combination of <plain> and (Server_FQDN/Username)"
scope: "auth"
type: "mfa"
notes: "Used to add salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
secret:
hex: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
description: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
scope: "auth"
type: "mfa"
notes: "Used solely for generating per-host one-time passwords (OTPs) utilized by MFA mechanisms for SSH, TTY, su, and sudo authentication"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

7
.preseed/preseed.yaml
View File

@@ -14,9 +14,12 @@
### Master V8.00.000.2025.06.17 ### Master V8.00.000.2025.06.17
### YAML specification: 1.2 ### YAML specification: 1.2
installer: preseed:
created_at: "2025-10-23"
created_for: "host_domain_tld"
name: "CISS.debian.installer" name: "CISS.debian.installer"
version: "V8.00.000.2025.06.17" version: "V8.00.000.2025.06.17"
description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
################################################################################################################################ ################################################################################################################################
# APT settings # APT settings
@@ -133,7 +136,7 @@ grub_parameter:
# undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot, # undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
# auditd records will be lost, and potential malicious activity could go undetected. # auditd records will be lost, and potential malicious activity could go undetected.
############################################################################################################################## ##############################################################################################################################
- "audit_backlog_limit=16384" - "audit_backlog_limit=262144"
- "audit=1" - "audit=1"
############################################################################################################################## ##############################################################################################################################

18
func/cdi_4600_packages/4620_installation_verification.sh
View File

@@ -53,8 +53,8 @@ install_verification() {
rm -f "${TARGET}/etc/audit/rules.d/audit.rules" rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
############################################################### /etc/audit/rules.d/10-base-config.rules ############################################################### /etc/audit/rules.d/00-base-config.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules" cat << EOF >| "${TARGET}/etc/audit/rules.d/00-base-config.rules"
## First rule - delete all ## First rule - delete all
-D -D
@@ -70,6 +70,20 @@ install_verification() {
## Set failure mode to syslog. ## Set failure mode to syslog.
-f 1 -f 1
EOF
############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/10-ciss-noise-floor.rules"
## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
-a never,exit -F auid=4294967295
## Make privileged exec tracing user-initiated only (no boot-time daemons).
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
## (Optional, same principle for suid/sgid transitions).
-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
EOF EOF
############################################################### /etc/audit/rules.d/11-loginuid.rules ############################################################### /etc/audit/rules.d/11-loginuid.rules

8
var/early.var.sh
View File

@@ -14,7 +14,13 @@ guard_sourcing
### Definition of MUST set early variables. ### Definition of MUST set early variables.
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')" declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4
if (NF >= 5) out = out " " $5
if (NF >= 6) out = out " " $6
print out
}')"
declare -grx VAR_CONTACT="security@coresecret.eu" declare -grx VAR_CONTACT="security@coresecret.eu"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -grx VAR_DS_VER="$(debootstrap --version)" declare -grx VAR_DS_VER="$(debootstrap --version)"