V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_1000_helper/1081_helper_grub.sh

@@ -19,28 +19,6 @@ guard_sourcing
 # Helper module to extract the current GRUB CMDLINE strings.
 # Globals:
 #   TARGET
-#   VAR_GRUB_CMDLINE_LINUX
-#   VAR_GRUB_CMDLINE_LINUX_DEFAULT
-#   VAR_ORIG_GRUB_CMDLINE_LINUX
-#   VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
-# Arguments:
-#   None
-#######################################
-old_grub_extract_current_string() {
-  # shellcheck disable=SC2155
-  declare -gx VAR_ORIG_GRUB_CMDLINE_LINUX=$(grep -E 'GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub")
-  # shellcheck disable=SC2155
-  declare -gx VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E 'GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub")
-  # shellcheck disable=SC2155
-  declare -gx VAR_GRUB_CMDLINE_LINUX=$(grep -E 'GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub" | sed 's/.$//')
-  # shellcheck disable=SC2155
-  declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E 'GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub" | sed 's/.$//')
-}
-
-#######################################
-# description
-# Globals:
-#   TARGET
 #   VAR_ORIG_GRUB_CMDLINE_LINUX
 #   VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
 #   VK_GRUB_CMDLINE_LINUX
@@ -49,6 +27,8 @@ old_grub_extract_current_string() {
 #   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 grub_extract_current_string() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -61,31 +41,19 @@ grub_extract_current_string() {
   VAR_ORIG_GRUB_CMDLINE_LINUX=$(grep -E '^GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub")
   VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub")
 
-  # TODO REMOVE DEBUG LOGGER
+  do_log "debug" "file_only" "1081() VAR_ORIG_GRUB_CMDLINE_LINUX: [${VAR_ORIG_GRUB_CMDLINE_LINUX}]."
-  do_log "debug" "file_only" "1081() Value of VAR_ORIG_GRUB_CMDLINE_LINUX: [${VAR_ORIG_GRUB_CMDLINE_LINUX}]."
+  do_log "debug" "file_only" "1081() VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT: [${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  do_log "debug" "file_only" "1081() Value of VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT: [${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
 
   ### Keys (fixed prefixes).
   VK_GRUB_CMDLINE_LINUX='GRUB_CMDLINE_LINUX='
   VK_GRUB_CMDLINE_LINUX_DEFAULT='GRUB_CMDLINE_LINUX_DEFAULT='
 
-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "1081() Value of VK_GRUB_CMDLINE_LINUX: [${VK_GRUB_CMDLINE_LINUX}]."
-  do_log "debug" "file_only" "1081() Value of VK_GRUB_CMDLINE_LINUX_DEFAULT: [${VK_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-
   ### Raw values (with quotes if necessary).
   # shellcheck disable=SC2295
   vv_raw_lin="${VAR_ORIG_GRUB_CMDLINE_LINUX#${VK_GRUB_CMDLINE_LINUX}}"
   # shellcheck disable=SC2295
   vv_raw_lin_def="${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT#${VK_GRUB_CMDLINE_LINUX_DEFAULT}}"
 
-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "1081() Value of vv_raw_lin: [${vv_raw_lin}]."
-  do_log "debug" "file_only" "1081() Value of vv_raw_lin_def: [${vv_raw_lin_def}]."
-  # TODO REMOVE DEBUG LOGGER
-
   ### Remove outer quotes symmetrically.
   if [[ -n ${vv_raw_lin} ]]; then
 
@@ -124,10 +92,15 @@ grub_extract_current_string() {
   VV_GRUB_CMDLINE_LINUX="${vv_raw_lin}"
   # shellcheck disable=SC2034
   VV_GRUB_CMDLINE_LINUX_DEFAULT="${vv_raw_lin_def}"
+
+  do_log "debug" "file_only" "1081() VV_GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
+  do_log "debug" "file_only" "1081() VV_GRUB_CMDLINE_LINUX_DEFAULT: [${VV_GRUB_CMDLINE_LINUX_DEFAULT}]."
+
+  return 0
 }
 
 #######################################
-# description
+# Helper module to finish the modified GRUB CMDLINE strings.
 # Globals:
 #   TARGET
 #   VAR_GRUB_CMDLINE_LINUX
@@ -137,91 +110,50 @@ grub_extract_current_string() {
 #   VV_GRUB_CMDLINE_LINUX
 #   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
-#  None
+#   None
+# Returns:
+#   0: on success
 #######################################
 grub_finalize_string() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -a  ary_out=()
+  declare     var_file="${TARGET}/etc/default/grub.d/99-ciss-cmdline.cfg"
-  declare     var_file="${TARGET}/etc/default/grub"
+  declare     var_linux="${VV_GRUB_CMDLINE_LINUX//\'/\'\"\'\"\'}"
-  declare     var_new_lin="${VK_GRUB_CMDLINE_LINUX}'${VV_GRUB_CMDLINE_LINUX}'"
+  declare     var_linux_default="${VV_GRUB_CMDLINE_LINUX_DEFAULT//\'/\'\"\'\"\'}"
-  declare     var_new_lin_def="${VK_GRUB_CMDLINE_LINUX_DEFAULT}'${VV_GRUB_CMDLINE_LINUX_DEFAULT}'"
+  declare -gx VAR_GRUB_CMDLINE_LINUX="${VK_GRUB_CMDLINE_LINUX}'${VV_GRUB_CMDLINE_LINUX}'"
-  declare -i  var_found_lin=0 var_found_lin_def=0 var_line=0
+  declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT="${VK_GRUB_CMDLINE_LINUX_DEFAULT}'${VV_GRUB_CMDLINE_LINUX_DEFAULT}'"
 
-  # TODO REMOVE DEBUG LOGGER
+  mkdir -p "${TARGET}/etc/default/grub.d"
-  do_log "debug" "file_only" "1081() var_new_lin [${var_new_lin}]."
-  do_log "debug" "file_only" "1081() var_new_lin [${var_new_lin_def}]."
-  do_log "debug" "file_only" "1081() Before [mapfile -t ary_lines < ${var_file}]."
-  # TODO REMOVE DEBUG LOGGER
 
-  ### Read file line by line; robust against missing a final newline.
+  cat << EOF >| "${var_file}"
-  while IFS= read -r var_line || [[ -n "${var_line}" ]]; do
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
 
-    case "${var_line}" in
+### Options in "GRUB_CMDLINE_LINUX" are always effective.
+### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 
-      "${VK_GRUB_CMDLINE_LINUX}"*)
+EOF
 
-        ary_out+=("${var_new_lin}")
+  insert_comments "${TARGET}/etc/default/grub.d/99-ciss-cmdline.cfg"
-        var_found_lin=1
-        ;;
 
-      "${VK_GRUB_CMDLINE_LINUX_DEFAULT}"*)
+  umask 0022
-
-        ary_out+=("${var_new_lin_def}")
-        var_found_lin_def=1
-        ;;
-
-      *)
-        ary_out+=("${var_line}")
-        ;;
-
-    esac
-
-  done < "${var_file}"
-
-  ### If Key is missing in the file, add it at the end (robust against minimal templates).
-  (( var_found_lin == 0 ))      && ary_out+=( "${var_new_lin}" )
-  (( var_found_lin_def == 0 ))  && ary_out+=( "${var_new_lin_def}" )
-
-  ### Write back (without sed/awk, only built-ins).
   {
-    for var_line in "${ary_out[@]}"; do
+    printf "GRUB_CMDLINE_LINUX='%s'\n" "${var_linux}"
-      printf '%s\n' "${var_line}"
+    printf "GRUB_CMDLINE_LINUX_DEFAULT='%s'\n" "${var_linux_default}"
-    done
+    printf "\n"
-  } >| "${var_file}"
+    printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh\n"
+  } >> "${var_file}"
 
-  ### For subsequent use, export the complete lines as well.
+  do_log "debug" "file_only" "1081() [${VAR_GRUB_CMDLINE_LINUX}]."
-  declare -gx VAR_GRUB_CMDLINE_LINUX="${var_new_lin}"
+  do_log "debug" "file_only" "1081() [${VAR_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT="${var_new_lin_def}"
 
-  # TODO REMOVE DEBUG LOGGER
+  return 0
-  do_log "debug" "file_only" "1081() VAR_GRUB_CMDLINE_LINUX [${VAR_GRUB_CMDLINE_LINUX}]."
-  do_log "debug" "file_only" "1081() VAR_GRUB_CMDLINE_LINUX_DEFAULT [${VAR_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-}
-
-
-#######################################
-# Helper module to finish the modified GRUB CMDLINE strings.
-# Globals:
-#   TARGET
-#   VAR_GRUB_CMDLINE_LINUX
-#   VAR_GRUB_CMDLINE_LINUX_DEFAULT
-#   VAR_H
-#   VAR_ORIG_GRUB_CMDLINE_LINUX
-#   VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
-# Arguments:
-#   None
-#######################################
-old_grub_finalize_string() {
-  declare var_grub_cmdline_linux="" var_grub_cmdline_linux_default=""
-
-  var_grub_cmdline_linux="${VAR_GRUB_CMDLINE_LINUX}${VAR_H}"
-  var_grub_cmdline_linux_default="${VAR_GRUB_CMDLINE_LINUX_DEFAULT}${VAR_H}"
-
-  VAR_GRUB_CMDLINE_LINUX=$(printf '%s' "${var_grub_cmdline_linux}" | sed -e 's/[\/&\$]/\\&/g' )
-  VAR_GRUB_CMDLINE_LINUX_DEFAULT=$(printf '%s' "${var_grub_cmdline_linux_default}" | sed -e 's/[\/&\$]/\\&/g' )
-
-  sed -i "s|${VAR_ORIG_GRUB_CMDLINE_LINUX}|${VAR_GRUB_CMDLINE_LINUX}|" "${TARGET}/etc/default/grub"
-  sed -i "s|${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT}|${VAR_GRUB_CMDLINE_LINUX_DEFAULT}|" "${TARGET}/etc/default/grub"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1000_helper/1082_helper_modules.sh

@@ -70,6 +70,29 @@ grep_nic_driver_modules() {
   return 0
 }
 
+#######################################
+# Wrapper to insert the metadata field into the specified file.
+# Globals:
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_VERSION
+# Arguments:
+#   1: /path/to/file
+# Returns:
+#   0: on success
+#######################################
+insert_comments() {
+  declare file="${1}"
+  sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
+\
+# Static file system information: '"${file}"'\
+# Generated by CISS.debian.installer '"${VAR_VERSION}"'\
+# Architecture: '"${VAR_ARCHITECTURE}"'\
+# Distribution: '"${VAR_CODENAME}"'
+' "${file}"
+  return 0
+}
+
 #######################################
 # Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
 # Arguments:

func/cdi_4000_debootstrap/4035_setup_resolv.sh

@@ -57,11 +57,10 @@ setup_resolv() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/resolv.conf                             : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/resolv.conf
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
-
+# Distribution: ${VAR_CODENAME}
-# Static file system information '/etc/resolv.conf '.
 
 ### Custom DNS IPv4 configuration
 EOF

func/cdi_4100_base/4100_generate_sources.sh

@@ -94,9 +94,10 @@ generate_sources() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/apt/sources.list                        : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/apt/sources.list
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #

func/cdi_4100_base/4121_installation_initramfs.sh

@@ -34,7 +34,7 @@ installation_initramfs() {
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/modules" \
     "${TARGET}/etc/initramfs-tools/"
 
-  insert_initramfs_comments "${TARGET}/etc/initramfs-tools/modules"
+  insert_comments "${TARGET}/etc/initramfs-tools/modules"
 
   var_modules=$(grep_nic_driver_modules)
 
@@ -62,12 +62,13 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/initramfs-tools/conf.d/driver-policy    : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/initramfs-tools/conf.d/driver-policy
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 # Driver inclusion policy selected during installation.
-# Note: this setting overrides the value set in the file '/etc/initramfs-tools/initramfs.conf'.
+# Note: This setting overrides the value set in the file '/etc/initramfs-tools/initramfs.conf'.
 
 MODULES=dep
 
@@ -76,26 +77,4 @@ EOF
 
   guard_dir && return 0
 }
-
-#######################################
-# Helper to insert the Metadata field into '/etc/initramfs-tools/modules'.
-# Globals:
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
-#   VAR_VERSION
-# Arguments:
-#   1: /etc/initramfs-tools/modules
-# Returns:
-#   0: on success
-#######################################
-insert_initramfs_comments() {
-  declare file="${1}"
-  sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
-\
-# /etc/initramfs-tools/modules                 : Generated by CISS.debian.installer '"${VAR_VERSION}"'\
-# Architecture                                 : '"${VAR_ARCHITECTURE}"'\
-# Distribution                                 : '"${VAR_CODENAME}"'
-' "${file}"
-  return 0
-}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4150_installation_chrony.sh

@@ -64,7 +64,7 @@ installation_chrony() {
 
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"
 
-  insert_chrony_comments "${TARGET}/etc/chrony/chrony.conf"
+  insert_comments "${TARGET}/etc/chrony/chrony.conf"
 
   cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
 
@@ -80,26 +80,4 @@ installation_chrony() {
 
   guard_dir && return 0
 }
-
-#######################################
-# Helper to insert the Metadata field into '/etc/chrony/chrony.conf'.
-# Globals:
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
-#   VAR_VERSION
-# Arguments:
-#   1: /etc/chrony/chrony.conf
-# Returns:
-#   0: on success
-#######################################
-insert_chrony_comments() {
-  declare file="${1}"
-  sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
-\
-# /etc/chrony/conf.d                           : Generated by CISS.debian.installer '"${VAR_VERSION}"'\
-# Architecture                                 : '"${VAR_ARCHITECTURE}"'\
-# Distribution                                 : '"${VAR_CODENAME}"'
-' "${file}"
-  return 0
-}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4200_boot/4200_generate_fstab.sh

@@ -78,12 +78,11 @@ generate_fstab() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/fstab                                   : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/fstab
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
-# Static file system information '/etc/fstab'.
-#
 # Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
 # name devices that work even if disks are added and removed. See fstab(5).
 #

func/cdi_4200_boot/4210_generate_crypttab.sh

@@ -71,12 +71,11 @@ generate_crypttab() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/crypttab                                : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/crypttab
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
-# Static file system information: '/etc/crypttab'.
-#
 # Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
 # 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
 # the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines

func/cdi_4200_boot/4250_update_grub_bootparameter.sh

@@ -35,13 +35,6 @@ update_grub_bootparameter() {
 
   grub_extract_current_string
 
-  # TODO REMOVE DEBUG LOGGER
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() Value of GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() Value of GRUB_CMDLINE_LINUX_DEFAULT: [${VV_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-
   # shellcheck disable=SC2034
   for var_param in "${ARY_BOOTPARAM[@]}"; do
 
@@ -59,43 +52,19 @@ update_grub_bootparameter() {
 
   done
 
-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "4250() Value of VV_GRUB_CMDLINE_LINUX_DEFAULT: [${VV_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-
 
   if [[ "${VAR_DROPBEAR}" == "true" ]]; then
     var_label="${HMP_PATH_ENCLABEL["/"]}"
     VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
-    # TODO REMOVE DEBUG LOGGER
-    do_log "debug" "file_only" "4250() Value of VV_GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
-    # TODO REMOVE DEBUG LOGGER
   fi
 
   if [[ "${VAR_NUKE}" == "true" ]]; then
     var_nuke_string="nuke=${VAR_NUKE_HASH}"
     # shellcheck disable=SC2034
     VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} ${var_nuke_string}"
-    # TODO REMOVE DEBUG LOGGER
-    do_log "debug" "file_only" "4250() Value of VV_GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
-    # TODO REMOVE DEBUG LOGGER
   fi
 
-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "4250() Calling [grub_finalize_string]."
-  # TODO REMOVE DEBUG LOGGER
   grub_finalize_string
-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "4250() Back from [grub_finalize_string]."
-  # TODO REMOVE DEBUG LOGGER
-
-  # TODO REMOVE DEBUG LOGGER
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() GRUB_CMDLINE_LINUX: [${VAR_GRUB_CMDLINE_LINUX}]."
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() GRUB_CMDLINE_LINUX_DEFAULT: [${VAR_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  sleep 5
-  # TODO REMOVE DEBUG LOGGER
 
   do_in_target "${TARGET}" update-grub
 

func/cdi_4300_network/4300_installation_network.sh

@@ -65,9 +65,10 @@ installation_network() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/network/interfaces                      : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/network/interfaces
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
@@ -106,9 +107,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/network/interfaces.d/10-ipv4-dhcp       : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/network/interfaces.d/10-ipv4-dhcp
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 # The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
@@ -133,9 +135,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/network/interfaces.d/10-ipv4-dhcp       : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/network/interfaces.d/10-ipv4-dhcp
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 # The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
@@ -163,9 +166,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/network/interfaces.d/10-ipv4-static     : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/network/interfaces.d/10-ipv4-static
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 # The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
@@ -197,9 +201,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/network/interfaces.d/10-ipv6-dhcp       : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/network/interfaces.d/10-ipv6-dhcp
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 # The primary network interface IPv6
 auto ${VAR_FINAL_NIC}
@@ -227,9 +232,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/network/interfaces.d/10-ipv6-static     : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/network/interfaces.d/10-ipv6-static
-# Architecture                                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
 
 # The primary network interface IPv6
 auto ${VAR_FINAL_NIC}

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -152,11 +152,10 @@ write_dropbear_conf() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-# /etc/dropbear/dropbear.conf  : Generated by CISS.debian.installer ${VAR_VERSION}
+# Static file system information: /etc/dropbear/dropbear.conf
-# Architecture                 : ${VAR_ARCHITECTURE}
+# Generated by CISS.debian.installer ${VAR_VERSION}
-# Distribution                 : ${VAR_CODENAME}
+# Architecture: ${VAR_ARCHITECTURE}
-
+# Distribution: ${VAR_CODENAME}
-# Static file system information: '/etc/dropbear/initramfs/dropbear.conf'.
 
 # Configuration options for the dropbear-initramfs boot scripts.
 # Variable assignment follow shell semantics and escaping/quoting rules.

func/cdi_4400_hardening/4400_kernel_modules.sh

@@ -25,20 +25,41 @@ kernel_modules() {
   ### Entropy collection improvements
   mkdir -p "${TARGET}/usr/lib/modules-load.d"
   cat << EOF >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
-## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
+# SPDX-Version: 3.0
-## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-## features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
+# SPDX-FileType: SOURCE
-## standards-compliant, and universally applicable entropy source for hardened Linux environments.
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-## https://www.whonix.org/wiki/Dev/Entropy
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
+# SPDX-PackageName: CISS.debian.installer
-## https://forums.whonix.org/t/jitterentropy-rngd/7204
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Static file system information: /usr/lib/modules-load.d/30_security-misc.conf
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
+
+# The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
+# minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
+# physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
+# features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
+# including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
+# entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
+# standards-compliant, and universally applicable entropy source for hardened Linux environments.
+# https://www.whonix.org/wiki/Dev/Entropy
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
+# https://forums.whonix.org/t/jitterentropy-rngd/7204
+
 jitterentropy_rng
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
   chmod 0644 "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
+
   do_log "info" "file_only" "4400() Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
+
   guard_dir && return 0
 }
 
@@ -55,7 +76,11 @@ EOF
 kernel_modprobe() {
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/modprobe.d/0000_ciss_debian_installer.cnf" \
     "${TARGET}/etc/modprobe.d/0000_ciss_debian_installer.conf"
+
+  insert_comments "${TARGET}/etc/modprobe.d/0000_ciss_debian_installer.conf"
+
   do_log "info" "file_only" "4400() Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
+
   guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4410_kernel_sysctl.sh

@@ -25,7 +25,11 @@ guard_sourcing
 kernel_sysctl() {
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
     "${TARGET}/etc/sysctl.d/99_local.hardened"
+
+  insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
+
   do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
+
   guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4420_installation_ssh.sh

@@ -34,13 +34,13 @@ installation_ssh() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -a ary_user=()
   declare -i i=0
-  declare    var_auth="" var_name=""
+  declare    var_auth="" var_name="" var_ca=""
 
   do_in_target "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
 
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
   install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
-  do_log "info" "file_only" "4420() Installed SSH banner and motd to '${TARGET}/etc/'."
+  do_log "info" "file_only" "4420() Installed SSH '/etc/banner' and '/etc/motd'."
 
   ### Only process those for which both *_name and *_authentication_access_ssh are set.
   for ((i = 0; i <= VAR_USER_MAX; i++)); do
@@ -59,39 +59,56 @@ installation_ssh() {
   #shellcheck disable=SC2312
   do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
 
-  mkdir -p "${DIR_BAK}/etc/ssh"
+  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
-  cp "${TARGET}/etc/ssh/sshd_config" "${DIR_BAK}/etc/ssh/sshd_config.bak"
+  cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
-  chmod 0644 "${DIR_BAK}/etc/ssh/sshd_config.bak"
+  cp "${TARGET}/etc/ssh/ssh_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"
-  cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
-  chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"
-
   rm -f "${TARGET}/etc/ssh/sshd_config"
 
   install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
   chmod 0600 "${TARGET}/etc/ssh/ssh_config"
 
+  insert_comments "${TARGET}/etc/ssh/sshd_config"
+
   # shellcheck disable=SC2153
-  sed -i -E "s|^\s*ListenAddress\s+.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
+  #sed -i -E "s|^\s*ListenAddress\s+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
+  sed -i -E "s|^[[:space:]]*ListenAddress[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
 
   if [[ -n "${VAR_FINAL_IPV6}" ]]; then
-    sed -i -E "s|^\s*ListenAddress\s+::.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
+    #sed -i -E "s|^\s*ListenAddress\s+::.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^[[:space:]]*ListenAddress[[:space:]]+::.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
   else
-    sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
+    #sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
+    sed -i "/^[[:space:]]*ListenAddress[[:space:]]*::/d" "${TARGET}/etc/ssh/sshd_config"
   fi
 
-  sed -i -E "s|^\s*Port\s+.*$|$(printf '%-30s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
+  #sed -i -E "s|^\s*Port\s+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
+  sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
 
   if (( ${#ary_user[@]} > 0 )); then
-    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-30s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
   fi
 
   if [[ -n "${ssh_root_ca}" ]]; then
+    var_ca="${ssh_root_ca##*/}"
     install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${ssh_root_ca}" "${TARGET}/etc/ssh/"
-     sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-30s%s' 'TrustedUserCAKeys' "/etc/ssh/${ssh_root_ca}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${TARGET}/etc/ssh/sshd_config"
   fi
 
-  do_in_target_script "${TARGET}" "sshd -T >| /root/.ciss/cdi/log/sshd_config.log"
+  ### Preparing the test environment in chroot.
-  do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/ssh.log"
+  do_in_target "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
+
+  ### Syntax test (hard).
+  if ! do_in_target_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
+    do_log "emergency" "file_only" "4420() [sshd -t -f /etc/ssh/sshd_config] failed."
+    return "${ERR_CONF_VALIDATION}"
+  fi
+
+  ### Effective configuration (soft, purely informative).
+  if ! do_in_target_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
+    do_log "warn" "file_only" "4420() [sshd -T -f /etc/ssh/sshd_config] failed. Likely env. Continuing."
+  fi
+
+  do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
 
   ###########################################################################################
   # The file /etc/profile.d/idle-users.sh is created to set two read-only                   #

includes/target/etc/modprobe.d/0000_ciss_debian_installer.cnf

@@ -9,8 +9,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.00.000.2025.06.17
-
 # The kernel allows unprivileged users to indirectly cause certain modules to be loaded via module auto-loading. This allows an
 # attacker to auto-load a vulnerable module which is then exploited. One such example is CVE-2017-6074, in which an attacker
 # could trigger the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a vulnerability in said

includes/target/etc/ssh/sshd_config

@@ -9,8 +9,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.864.2025.07.15
-
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
 

var/errors.var.sh

@@ -52,6 +52,7 @@ declare -girx ERR_READ_GRUB_FILE=221    # Error reading the Grub password file.
 declare -girx ERR_READ_PASS_FILE=220    # Error reading the password file.
 declare -girx ERR_GENERATE_SALT=219     # Error generating salt.
 declare -girx ERR_VAR_REGEX_CHK=218     # Error checking VAR against REGEX.
+declare -girx ERR_CONF_VALIDATION=217   # Error checking the respective configuration files.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE