V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -85,7 +85,7 @@ debootstrap:                   # Provide a mirror for downloading the Debian pac
   mirror: "https://deb.debian.org/debian"
                                # The following packages MUST be included in the debootstrap.
   includes: "busybox,ca-certificates,locales,openssl,tzdata,zstd"
-distribution: "bookworm"       # MUST be "bookworm".
+distribution: "trixie"         # MUST be "bookworm".
 debian_suite: "stable"         # MUST be "stable". Not supported yet: "testing", "experimental".
 exit:
   halt: false                  # This is how to make the installer shutdown when finished, but not reboot.
@@ -96,7 +96,8 @@ firmware:
   lookup: "missing"            # - "never"   Completely disables the firmware search.
                                # - "missing" Searches only when the firmware is needed. (default)
                                # - "always"  Always searches and asks for any firmware that could be useful for the hardware.
-image: "linux-image-amd64"     # Could be a meta-package or a specific image like:
+image: "linux-image-6.12.38+deb13-amd64"
+                               # Could be a meta-package or a specific image like:
                                # "linux-image-amd64" || "linux-image-arm64"
                                # "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
                                # "linux-image-rt-amd64" || "linux-image-rt-arm64"
@@ -629,7 +630,6 @@ software:
   - locate
   - rsyslog
   - screen
-  - software-properties-common
   - spectre-meltdown-checker
   - sysstat
   ##############################################################################################################################
@@ -691,7 +691,6 @@ software:
   #- debootstrap
   #- linux-source
   #- lld
-  #- makedev
   - shellcheck
   #- ssl-cert
   ##############################################################################################################################
@@ -700,7 +699,6 @@ software:
   - expect
   - figlet
   - htop
-  - neofetch
   - neovim
   - python3
   - virt-what

func/cdi_5000_recovery/3.8.9.functions_installation_wrapper_recovery.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.2025.hardened.installer
 # SPDX-Security-Contact: security@coresecret.eu
 

func/cdi_5000_recovery/3.9.0.functions_installation_setup_recovery.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.2025.hardened.installer
 # SPDX-Security-Contact: security@coresecret.eu
 

func/cdi_5000_recovery/3.9.1.functions_installation_generate_files_recovery.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.2025.hardened.installer
 # SPDX-Security-Contact: security@coresecret.eu
 

includes/target/etc/login.defs

@@ -8,6 +8,224 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
+
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		no
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format similar to "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions for terminals after login(1).
+# These settings are ignored for remote and other logins.
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+#TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+ERASECHAR	0177
+KILLCHAR	025
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+HOME_MODE	0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	99999
+PASS_MIN_DAYS	0
+PASS_WARN_AGE	7
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  101
+#SYS_UID_MAX		  999
+# Extra per user uids
+SUB_UID_MIN		   100000
+SUB_UID_MAX		600100000
+SUB_UID_COUNT		    65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  101
+#SYS_GID_MAX		  999
+# Extra per user group ids
+SUB_GID_MIN		   100000
+SUB_GID_MAX		600100000
+SUB_GID_COUNT		    65536
+
+#
+# Max number of login(1) retries if password is bad
+# This will most likely be overriden by PAM, since the default pam_unix module
+# has it's own built in of 3 retries. However, this is a safe fallback in case
+# you are using an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login(1)
+#
+LOGIN_TIMEOUT		180
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT		rwh
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME	yes
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist.  Some system accounts intentionally do
+# not have a home directory.  Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT	/nonexistent
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If set to yes, userdel(8) will remove the user's group if it contains no more
+# members, and useradd(8) will create by default a group with the name of the
+# user.
+#
+# Other former uses of this variable are not used in PAM environments, such as
+# Debian.
+#
+USERGROUPS_ENAB yes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 # /etc/login.defs - Configuration control definitions for the login package.
 #

includes/target/etc/skel/.bashrc

@@ -1,4 +1,3 @@
-#!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -22,12 +21,15 @@ else
 fi
 export PATH
 
-trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk.sh"
 . "${HOME}/.ciss/scan_libwrap"
 . "${HOME}/.ciss/shortcuts"
 
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
 
@@ -51,7 +53,7 @@ export HISTSIZE="16384"
 export HISTTIMEFORMAT='%F %T %z  '
 
 # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
-export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
 
 # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
 # "-a": Appends new entries from RAM to the file.
@@ -108,25 +110,25 @@ export PS1="\
 
 ### Overwrite Protection.
 set -o noclobber
-alias cp="cp -iv"
+alias cp='cp -iv'
 alias mv='mv -iv'
 alias rm='rm -iv'
 
 ### Welcome message after login.
-printf "\n"
+#printf "\n"
-printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
+#printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
-printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+#printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
-printf "\n"
+#printf "\n"
-printf "\n"
+#printf "\n"
 
-#printf "\n"
+printf "\n"
-#printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
-#printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
+printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
-#printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
-#printf "%b! Type%b " "${CGRE}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
-#printf "%b'celp'%b " "${CMAG}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
-#printf "%bfor shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
-#printf "\n"
+printf "\n"
-#printf "\n"
+printf "\n"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/skel/.zshrc

@@ -120,13 +120,16 @@ source ${ZSH}/oh-my-zsh.sh
 # alias ohmyzsh="mate ~/.oh-my-zsh"
 
 ### Added by CISS.debian.hardening-Installer ###
-trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/shortcuts"
 . "${HOME}/.ciss/scan_libwrap"
 . /usr/share/doc/fzf/examples/key-bindings.zsh
 . /usr/share/doc/fzf/examples/completion.zsh
 
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
 ### Define colors for bash prompt
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'

includes/target/root/.ciss/clean_logout.sh

@@ -37,6 +37,6 @@ echo -e "\e[92m          All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
 echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
 # shellcheck disable=SC2162
 read
+
 [[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
-exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss/f2bchk.sh

@@ -1,17 +1,15 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-set -Ceuo pipefail
-
 #######################################
 # Wrapper for fail2ban filter checks against logs.
 # Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \

lib/cdi_0060_traps/0090_clean_up.sh

@@ -36,9 +36,13 @@ clean_up() {
   rm -f -- "${VAR_NOTES}"
 
   if [[ "${VAR_CHROOT_ACTIVATED}" == "system" ]]; then
+
     exiting_chroot_system
+
   elif [[ "${VAR_CHROOT_ACTIVATED}" == "recovery" ]]; then
+
     exiting_chroot_recovery
+
   fi
 
   ### Release advisory lock on FD 127.

var/bash.var.sh

@@ -27,8 +27,7 @@ shopt -s inherit_errexit # If set, command substitution inherits the value of th
                          # subshell environment. This option is enabled when POSIX mode is enabled.
 shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
                          # the background in the current shell environment.
-shopt -u expand_aliases  # If set, aliases are expanded as described below under Aliases, Aliases. This option is enabled by
+shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
-                         # default for interactive shells.
 shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
 shopt -u extglob         # If set, enable the extended pattern matching features.
 shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.