V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 52s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 52s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -12,9 +12,9 @@
|
||||
|
||||
### Contributions so far see ./docs/CREDITS.md
|
||||
|
||||
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
|
||||
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
|
||||
# TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
|
||||
# TODO: Update preseed.yaml for pgp signing key OR implementation of presigned unlock-wrapper.sh
|
||||
# TODO: Update preseed.yaml for pgp signing key OR implementation of presigned unlock_wrapper.sh
|
||||
# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml Refactor 4500_installation_accounts.sh
|
||||
# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
|
||||
# TODO: What do we need for CISS environment?
|
||||
|
||||
@@ -104,12 +104,12 @@ EOF
|
||||
mkdir -p "${TARGET}/usr/lib/cryptsetup/scripts"
|
||||
|
||||
### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
|
||||
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
|
||||
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock-wrapper.sh" \
|
||||
"${TARGET}/etc/initramfs-tools/files/"
|
||||
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
|
||||
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock-wrapper.sh" \
|
||||
"${TARGET}/lib/cryptsetup/scripts/"
|
||||
|
||||
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
|
||||
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock-wrapper.sh"
|
||||
|
||||
else
|
||||
|
||||
|
||||
@@ -90,7 +90,7 @@ dropbear_setup() {
|
||||
"${TARGET}/etc/initramfs-tools/hooks/"
|
||||
|
||||
### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
|
||||
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock-wrapper.sh" \
|
||||
"${TARGET}/etc/initramfs-tools/files/"
|
||||
|
||||
### Install the script to be called inside the Host environment for signing 'unlock_wrapper.sh'-script.
|
||||
|
||||
@@ -90,8 +90,8 @@ installation_ssh() {
|
||||
sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-30s%s' 'TrustedUserCAKeys' "/etc/ssh/${ssh_root_ca}")|" "${TARGET}/etc/ssh/sshd_config"
|
||||
fi
|
||||
|
||||
do_in_target_script "${TARGET}" "sshd -T >| ${DIR_LOG}/sshd_config.log"
|
||||
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| ${DIR_LOG}/ssh.log"
|
||||
do_in_target_script "${TARGET}" "sshd -T >| /root/.ciss/cdi/log/sshd_config.log"
|
||||
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/ssh.log"
|
||||
|
||||
###########################################################################################
|
||||
# The file /etc/profile.d/idle-users.sh is created to set two read-only #
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: Hook script (initramfs) for setting up the CISS.debian.installer hardened dropbear environment, incl. Luks Nuke.
|
||||
|
||||
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
|
||||
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
|
||||
|
||||
set -e
|
||||
|
||||
@@ -69,17 +69,17 @@ for dir in bin usr/bin; do
|
||||
done
|
||||
|
||||
### Install Dropbear firewall configuration
|
||||
install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
|
||||
install -m 0444 /etc/initramfs-tools/files/dropbear_fw.conf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.conf"
|
||||
|
||||
### Install Dropbear configuration
|
||||
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
|
||||
|
||||
### Install Dropbear Cryptroot Unlock Wrapper
|
||||
install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384.sig"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512.sig"
|
||||
install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha384"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha384.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha384.sig"
|
||||
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
|
||||
|
||||
### Install PGP Signing Keys
|
||||
#install -m 0444 /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/pubring.gpg"
|
||||
|
||||
@@ -18,7 +18,7 @@ guard_sourcing
|
||||
# None
|
||||
#######################################
|
||||
guard_dir() {
|
||||
declare mod="${BASH_SOURCE[0]##*/}"; mod="${mod%%_*}()"
|
||||
declare mod="${BASH_SOURCE[1]##*/}"; mod="${mod%%_*}()"
|
||||
# shellcheck disable=SC2164
|
||||
cd "${VAR_SETUP_PATH}"
|
||||
do_log "info" "file_only" "${mod} Finished successfully."
|
||||
|
||||
Reference in New Issue
Block a user