V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-22 22:39:10 +01:00
parent c501b8de5a
commit bd614c17c9
4 changed files with 24 additions and 15 deletions
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -266,7 +266,6 @@ readonly -f install_grub_bios
 # Globals:
 #   TARGET
 #   VAR_MODINFO_PATH
-#   grub_bootdev
 #   grub_update_nvram
 #   var_update_grub_required
 # Arguments:
@@ -300,8 +299,8 @@ install_grub_uefi() {

  [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )

-  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
-  do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
+  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" || return "${ERR_GRUB_INSTALL}"
+  do_log "info" "file_only" "4230() Installed: GRUB on [ESP]."
  var_update_grub_required="true"

  return 0
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -95,9 +95,19 @@ accounts_setup() {
      ;;

    true)
-      ### SSH Public Key per default, only.
-      sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
-      do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
+      if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
+
+        ### SSH Public Key per default, only.
+        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'yes')|" "${var_target}/etc/ssh/sshd_config"
+        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin yes]"
+
+      else
+
+        ### SSH Public Key per default, only.
+        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
+        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
+
+      fi
      ;;

    *)
@@ -895,12 +905,12 @@ write_google_authenticator_file() {

    printf '%s\n' "${var_secret}"
    printf '" RATE_LIMIT 3 30\n'
-    printf '" WINDOW_SIZE 10\n'
+    printf '" WINDOW_SIZE 04\n'
    printf '" DISALLOW_REUSE\n'
    printf '" TOTP_AUTH\n'

-    ### Emergency Codes (8x unbiased 8-digit, CSPRNG via OpenSSL).
-    for i in {1..8}; do
+    ### Emergency Codes (10x unbiased 8-digit, CSPRNG via OpenSSL).
+    for i in {1..10}; do

      ### Draw 32 bits; rejection sampling to avoid modulo bias.
      while :; do
--- a/func/cdi_4600_packages/4600_installation_packages.sh
+++ b/func/cdi_4600_packages/4600_installation_packages.sh
@@ -32,8 +32,8 @@ installation_packages() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-      apt-get update  -qq 2>&1 | tee -a ${var_logfile}
-      apt-get upgrade -y  2>&1 | tee -a ${var_logfile}
+      apt-get update -qq      2>&1 | tee -a ${var_logfile}
+      apt-get -y dist-upgrade 2>&1 | tee -a ${var_logfile}       # (= apt full-upgrade) allow installs/replacements/removals.
    "
  fi

@@ -46,9 +46,9 @@ installation_packages() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    apt-get autoclean  -y 2>&1 | tee -a ${var_logfile}
-    apt-get autopurge  -y 2>&1 | tee -a ${var_logfile}
-    apt-get autoremove -y 2>&1 | tee -a ${var_logfile}
+    apt-get autoremove --purge  -y 2>&1 | tee -a ${var_logfile}  # 'autopurge' == 'autoremove --purge'; don't run both.
+    apt-get clean               -y 2>&1 | tee -a ${var_logfile}  # Stronger than autoclean: removes the entire '.deb'-cache.
+    rm -rf /var/lib/apt/lists/* -y 2>&1 | tee -a ${var_logfile}  # Will be repopulate on next 'apt update'.
  "

  guard_dir && return 0
--- a/func/cdi_4600_packages/4620_installation_verification.sh
+++ b/func/cdi_4600_packages/4620_installation_verification.sh
@@ -15,7 +15,7 @@ guard_sourcing
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules

 #######################################
-# Installs 'aide', 'audit', and 'debsums' audit and logging packages.
+# Installs 'acct', 'aide', 'audit', and 'debsums' audit and logging packages.
 # Finalizes 'rkhunter' baseline.
 # Globals:
 #   TARGET