V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -17,7 +17,6 @@
 installer:
   name: "CISS.debian.installer"
   version: "V8.00.000.2025.06.17"
-  log: "info"
 
 ################################################################################################################################
 # APT settings
@@ -79,6 +78,7 @@ apt:
 # Basic settings
 ################################################################################################################################
 architecture: "amd64"          # MUST be one of "amd64" or "arm64".
+chroot_debug: "true"           # Enable debug mode in the chroot environment in case of errors.
 debootstrap:                   # Provide a mirror for downloading the Debian packages for debootstrap.
                                # Specify the packages to be included in the debootstrapping process. Include a comma-separated
                                # list of official Debian packages.
@@ -651,7 +651,6 @@ software:
   # Installed by 4510_accounts_hardening.sh
   ##############################################################################################################################
   # libpam-google-authenticator
-  # keychain
   # wamerican
   # wbritish
   # wfrench
@@ -729,6 +728,7 @@ software:
   - expect
   - figlet
   - htop
+  - keychain
   - python3
   - virt-what
 
@@ -787,7 +787,7 @@ user:
     ensure: present            # Must always be 'present'.
     protected: true            # Prevent unintentional edits or deletions.
     shell: /bin/zsh            # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
-    password: ""
+    password: "47110815"
     sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
     authentication:
       access:

ciss_debian_installer.sh

@@ -17,7 +17,6 @@
 # TODO: Update .dot files.
 # TODO: Update README.md for each lib and func dir.
 # TODO: Update MANPAGE.md for each func.
-# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
 # TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
 # TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
 # TODO: What do we need for CISS environment?
@@ -29,7 +28,6 @@
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
-# TODO: 0105_arg_nuke_converter.sh - implement HashRounds as argument
 # TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200
 
@@ -147,8 +145,8 @@ color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: PREPARING DIRECTORIES AN
 gen_dir_files
 
 ### CHECKING REQUIRED PACKAGES.
-#color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES"
-#check_pkgs
+color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES"
+check_pkgs
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING GIT VARIABLES"
 check_git
 

func/cdi_1000_helper/1080_helper_chroot.sh

@@ -77,10 +77,13 @@ chroot_exec() {
 
 #######################################
 # Execute a full shell script line inside the chroot via bash -c.
-# TODO: Supports interactive debug shell on error.
 # Globals:
 #   BASH_SOURCE
 #   TERM
+#   VAR_CHROOT_DEBUG
+#   VAR_DEBUG_TRACE
+#   VAR_DEBUG_TRAP
+#   VAR_IN_DIALOG_WR
 # Arguments:
 #   1: Target of the chroot environment
 #   2: Command string to execute inside a shell (quoted)
@@ -117,14 +120,26 @@ chroot_script() {
   then
 
     do_log "${var_log_level_on_error}" "file_only" "1080() Command of ${var_mod} [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none /bin/bash -c ${var_chroot_script}] failed."
-    return "${ERR_CHRT_COMMAND}"
 
-    # TODO: Test with Dialog Wrapper in interactive mode.
-    # TODO: Call clean screen first to terminate dialog wrapper !
-    #if [[ "${DEBUG_INTERACTIVE}" == "true" ]]; then
-    #  do_log "warning" "true" "Launching interactive debug shell in chroot: '${var_chroot_target}'."
-    #  chroot "${var_chroot_target}" /bin/bash -l
-    #fi
+    if [[ "${VAR_CHROOT_DEBUG}" == "true" ]]; then
+
+      if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi
+
+      case "${VAR_IN_DIALOG_WR}" in
+        box   ) dialog_box_cleaner   ;;
+        gauge ) dialog_gauge_cleaner ;;
+        text  ) dialog_text_cleaner  ;;
+      esac
+
+      do_log "emergency" "tty" "1080() Launching interactive debug shell in chroot: '${var_chroot_target}'."
+
+      chroot "${var_chroot_target}" /bin/bash -l
+
+    else
+
+      return "${ERR_CHRT_COMMAND}"
+
+    fi
 
   else
 

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -42,7 +42,8 @@ yaml_reader() {
   declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
   declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
               VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
-              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny"
+              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
+              VAR_CHROOT_DEBUG="false"
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
@@ -146,6 +147,10 @@ END { print max }
   # shellcheck disable=SC2034
   VAR_ARCHITECTURE="${architecture,,}"
 
+  ### Extract chroot debug policy.
+  # shellcheck disable=SC2034
+  VAR_CHROOT_DEBUG="${chroot_debug,,}"
+
   ### Extract distribution.
   # shellcheck disable=SC2034
   VAR_CODENAME="${distribution,,}"

func/cdi_4200_boot/4230_installation_grub.sh

@@ -12,6 +12,7 @@
 
 guard_sourcing
 
+#######################################
 # --- UEFI GRUB Installation Strategy ---
 #
 # We explicitly install GRUB using '--no-nvram' to avoid modifying NVRAM entries inside the chroot environment, which is
@@ -22,6 +23,7 @@ guard_sourcing
 # - GRUB is available under 'EFI/debian/grubx64.efi' (for manual boot entries).
 # - GRUB is also available as 'EFI/BOOT/BOOTX64.EFI' (UEFI fallback path, no NVRAM needed).
 # This setup ensures compatibility with systems that do not retain NVRAM entries (e.g., removable drives, VM firmware).
+#######################################
 
 #######################################
 # Installation and setup of the GRUB2 (backported) version.

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -111,9 +111,8 @@ dropbear_setup() {
 
   ### Install the script to be called inside the initramfs environment for preparing dropbear execution.
   mkdir -p "${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount"
-  chroot_exec "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear \
-    /root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
-  chmod 0644 "${TARGET}/root/.ciss/cdi/backup/dropbear.trixie"
+  mv "${TARGET}/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
+    "${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie"
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
     "${TARGET}/usr/share/initramfs-tools/scripts/init-premount/"
 

func/cdi_4400_hardening/4430_hardening_files.sh

@@ -31,6 +31,8 @@ hardening_files() {
   install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
   install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
 
+  install -d -m 0700 -o root -g root "${TARGET}/root/.ansible"
+
   guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4500_accounts_preparation.sh

@@ -25,13 +25,13 @@ guard_sourcing
 accounts_preparation() {
   mkdir -p "${TARGET}/etc/skel/.ciss"
 
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
 
   insert_comments "${TARGET}/etc/skel/.bashrc"
   insert_comments "${TARGET}/etc/skel/.zshrc"
@@ -43,7 +43,7 @@ accounts_preparation() {
 
   ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
   echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
-  chmod 0644 "${TARGET}/etc/skel/.vimrc"
+  chmod 0600 "${TARGET}/etc/skel/.vimrc"
 
   guard_dir && return 0
 }

func/cdi_4500_user/4510_accounts_hardening.sh

@@ -13,15 +13,62 @@
 guard_sourcing
 
 #######################################
-#
+# Hardening accounts: Google TOTP, Wordlists, masking ttys, expiration of accounts.
 # Globals:
 #   TARGET
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 accounts_hardening() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a  ary_security_pkgs=()
+  declare -r  var_logfile="/root/.ciss/cdi/log/4510_accounts_hardening.log"
+  declare     t=""
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  ### Installing Google TOTP, Wordlists.
+  ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  ### Keep 'tty1' active, disable the rest (VTs).
+  chroot_script "${TARGET}" "
+    systemctl unmask getty@tty1.service
+    systemctl enable getty@tty1.service
+    for t in tty2 tty3 tty4 tty5 tty6; do
+      systemctl mask getty@${t}.service
+    done
+    "
+
+  ### Hardening '/etc/login.defs'.
+  mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
+  insert_header   "${TARGET}/etc/login.defs"
+  insert_comments "${TARGET}/etc/login.defs"
+  cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
+
+  ### Hardening '/etc/security/pwquality.conf'.
+  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/security"
+  mv "${TARGET}/etc/security/pwquality.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/pwquality.conf.bak"
+  insert_header   "${TARGET}/etc/security/pwquality.conf"
+  insert_comments "${TARGET}/etc/security/pwquality.conf"
+  cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
+
+  ### Hardening password expiration; defaults to 16,384 days.
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4510_password_expiration.hooks.sh" \
+    "${TARGET}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"
+
+  if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh" "emergency"; then
+    do_log "warn" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] failed."
+  else
+    do_log "debug" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] successful."
+  fi
 
   guard_dir && return 0
 }

func/cdi_4500_user/4520_accounts_setup.sh

@@ -29,23 +29,13 @@ guard_sourcing
 #######################################
 accounts_setup() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -i i
-  declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
-    tmp_restricted=""
-  declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
-    var_restricted="" var_chpasswd="" var_sshdir=""
+  declare -i  i=0
+  declare     tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
+              tmp_restricted=""
+  declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
+              var_restricted="" var_chpasswd="" var_sshdir=""
 
-  ### Hardening '/etc/login.defs'
-  rm -f "${TARGET}/etc/login.defs"
-  insert_header "${TARGET}/etc/login.defs"
-  insert_comments "${TARGET}/etc/login.defs"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
 
-  ### Hardening '/etc/security/pwquality.conf'
-  rm -f "${TARGET}/etc/security/pwquality.conf"
-  insert_header "${TARGET}/etc/security/pwquality.conf"
-  insert_comments "${TARGET}/etc/security/pwquality.conf"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
 
   ### Preparing the root account
   chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
@@ -55,6 +45,7 @@ accounts_setup() {
   if [[ -x "${TARGET}${user_root_shell}" ]]; then
     chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
   else
+    chroot_exec "${TARGET}" chsh -s /bin/bash root
     do_log "warn" "file_only" "4500() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
   fi
 
@@ -185,8 +176,7 @@ write_google_authenticator_file() {
   esac
   declare -i  i=0
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   var_secret="$(generate_totp_secret "${var_user}")"
 
@@ -202,8 +192,7 @@ write_google_authenticator_file() {
     for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
   } >| "${var_base}/.google_authenticator"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
 
@@ -235,8 +224,7 @@ generate_totp_secret() {
   declare  var_info="${user_mfa_info}"
   declare  var_secret=""
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
   # shellcheck disable=SC2312
@@ -245,8 +233,7 @@ generate_totp_secret() {
       -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
   )"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   printf '%s\n' "${var_secret}"
   return 0
@@ -268,8 +255,7 @@ read_totp_seed(){
   declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
   declare -g VAR_TEMP_PLAIN_MFA_SEED=""
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
 
@@ -280,8 +266,7 @@ read_totp_seed(){
   ### Validate: exactly 64 hex.
   [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   return 0
 }

func/cdi_4600_verification/4670_verify_system.sh

@@ -13,7 +13,6 @@
 guard_sourcing
 
 #######################################
-# TODO: Implement this function.
 verify_system() {
   ### Declare Arrays, HashMaps, and Variables.
 do_log "info" "file_only" "4100() Starting system integrity verification..."

func/cdi_5000_recovery/3.9.1.functions_installation_generate_files_recovery.sh

@@ -57,7 +57,7 @@ EOF
   echo "" >> "${RECOVERY}"/etc/crypttab
   do_log "info" "file_only" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
 
-  # TODO: Update loop to iterate thru dynamic number of ephemeral drives.
+
   # Generate '${RECOVERY}/etc/crypttab' special ephemeral entries.
   declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
   declare KEY=""
@@ -70,7 +70,6 @@ EOF
 
       # shellcheck disable=2129
       echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
-      # TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
       echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=SWAP  /dev/random  swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${RECOVERY}"/etc/crypttab
       echo "" >> "${RECOVERY}"/etc/crypttab
       do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=SWAP  /dev/random  swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
@@ -79,7 +78,6 @@ EOF
 
       # shellcheck disable=2129
       echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
-      # TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
       echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=ext4_tmp  /dev/random  offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${RECOVERY}"/etc/crypttab
       echo "" >> "${RECOVERY}"/etc/crypttab
       do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=ext4_tmp  /dev/random  offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
@@ -119,9 +117,6 @@ EOF
   # MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
   # MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
 
-  # TODO: BEGIN: BLOCK "${RECOVERY}"/etc/fstab
-  # TODO: complete this block
-
   # Generate '${TARGET}/etc/fstab' special entries '/' '/boot' '/boot/efi'.
   # Define the order of the special keys.
   declare -a KEY_ORDER
@@ -351,7 +346,6 @@ EOF
 
   done
 
-  # TODO: flexible entries for more than one CD-ROM drives.
   # Add entry for CD-ROM device
   # shellcheck disable=2129
   echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
@@ -368,7 +362,7 @@ EOF
   do_log "info" "file_only" "fstab entry generated: 'proc  /proc  proc  nodev,nosuid,noexec,hidepid=2  0  0'."
   do_log "info" "file_only" "fstab entry generated: 'tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,relatime,size=1G  0  0'."
 
-  # TODO: flexible 'SWAP' entry, not only ephemeral SWAP.
+
   # Add entry for SWAP device
   declare MOUNT_PATH="SWAP"
   # shellcheck disable=2129
@@ -377,7 +371,7 @@ EOF
   echo "" >> "${TARGET}"/etc/fstab
   do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  none  swap  defaults  0  0'."
 
-  # TODO: flexible '/tmp' entry, not only ephemeral SWAP.
+
   # Add entry for '/tmp' device
   declare MOUNT_PATH="/tmp"
   # shellcheck disable=2129
@@ -386,9 +380,8 @@ EOF
   echo "" >> "${TARGET}"/etc/fstab
   do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  /tmp  ext4  defaults,rw,nodev,nosuid,relatime  0  0'."
 
-  # TODO: END: BLOCK "${RECOVERY}"/etc/fstab
-  # TODO: complete this block
 
-  do_show_footer "${MODULE_TXT}"
+
+
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

includes/chroot/hooks/4510_password_expiration.hooks.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+#######################################
+# Password expiration hook to run inside chroot.
+# Globals:
+#   ary_users_to_update
+#   var_max_days
+#   var_user
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a  ary_users_to_update=()
+  declare -i  var_max_days=16384
+  declare     var_user=""
+
+  printf "Chroot hook: [%s] starting ... \n" "${0}"
+
+  # shellcheck disable=SC2312
+  mapfile -t ary_users_to_update < <( awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow )
+
+  if [[ ${#ary_users_to_update[@]} -eq 0 ]]; then
+    printf "No enabled-login accounts found in [/etc/shadow]. Exiting hook ... \n"
+    printf "Chroot hook: [%s] applied successfully. \n" "${0}"
+    exit 0
+  fi
+
+  for var_user in "${ary_users_to_update[@]}"; do
+    printf "Setting max password age for user: [%s] to: [%s] days. \n" "${var_user}" "${var_max_days}"
+    chage --maxdays "${var_max_days}" "${var_user}"
+  done
+
+  unset var_max_days var_user ary_users_to_update
+
+  awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
+
+  printf "All applicable accounts have been updated. \n"
+  printf "Chroot hook: [%s] applied successfully. \n" "${0}"
+
+  exit 0
+}
+
+main "$@"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/security/pwquality.cnf

@@ -72,4 +72,4 @@ enforce_for_root
 ### Skip testing the password quality for users that are not present in the '/etc/passwd' file. Enabled if the option is present.
 local_users_only
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

includes/target/etc/skel/.zshrc

@@ -119,7 +119,7 @@ source ${ZSH}/oh-my-zsh.sh
 # alias zshconfig="mate ~/.zshrc"
 # alias ohmyzsh="mate ~/.oh-my-zsh"
 
-### Added by CISS.debian.hardening-Installer ###
+### Added by CISS.debian.installer ###
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/shortcuts"
@@ -182,7 +182,7 @@ else
   export USER_COLOR="%F{002}"
 fi
 
-### CISS.debian.hardening Prompt
+### CISS.debian.installer Prompt
 PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
 RPROMPT='%h|[${USER_COLOR}%*%f]'
 
@@ -191,9 +191,9 @@ printf "\n"
 printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
 printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
 printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
-printf "%b! Type%b " "${CGRE}" "${CRES}"
-printf "%b'celp'%b " "${CMAG}" "${CRES}"
-printf "%bfor shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 

lib/cdi_0030_checks/0030_check_pkgs.sh

@@ -13,54 +13,64 @@
 guard_sourcing
 
 #######################################
-# Check for required Deb Packages to run the script.
+# Check for required deb packages to run the script.
 # Globals:
 #   VAR_AUTO_INSTALL
 # Arguments:
 #   None
 #######################################
 check_pkgs() {
-  apt-get update -y > /dev/null 2>&1
-
-  # TODO: Only activate in case CISS.debian.live.builder does not include the following packages as per default.
-  ### Define HashMap: command -> package
+  ### Declare Arrays, HashMaps, and Variables.
   # shellcheck disable=SC2154
-  #declare -A hmp_command_packages=(
-  #  [apt-transport-https]=apt-transport-https
-  #  [bzip2]=bzip2
-  #  [ca-certificates]=ca-certificates
-  #  [curl]=curl
-  #  [expect]=expect
-  #  [fdisk]=fdisk
-  #  [gdisk]=gdisk
-  #  [git]=git
-  #  [gpg]=gnupg
-  #  [lsb_release]=lsb-release
-  #  [mkfs.btrfs]=btrfs-progs
-  #  [mkfs.ext4]=e2fsprogs
-  #  [mkfs.fat]=dosfstools
-  #  [mkswap]=util-linux
-  #  [mkfs.xfs]=xfsprogs
-  #  [parted]=parted
-  #  [pwgen]=pwgen
-  #  [tar]=tar
-  #  [wget]=wget
-  #  [whois]=whois
-  #  [xz]=xz-utils
-  #  [yq]=yq
-  #)
+  declare -A  hmp_command_packages=(
+    [apt-transport-https]=apt-transport-https
+    [bzip2]=bzip2
+    [ca-certificates]=ca-certificates
+    [curl]=curl
+    [expect]=expect
+    [fdisk]=fdisk
+    [gdisk]=gdisk
+    [git]=git
+    [gpg]=gnupg
+    [lsb_release]=lsb-release
+    [mkfs.btrfs]=btrfs-progs
+    [mkfs.ext4]=e2fsprogs
+    [mkfs.fat]=dosfstools
+    [mkswap]=util-linux
+    [mkfs.xfs]=xfsprogs
+    [parted]=parted
+    [pwgen]=pwgen
+    [tar]=tar
+    [wget]=wget
+    [whois]=whois
+    [xz]=xz-utils
+    [yq]=yq
+  )
+  declare -a  ary_missing_pkgs=() ary_unique_pkgs=()
+  declare     var_cmd=""
 
-  ### Iterate over HashMap
-  #declare var_cmd var_pkg
-  #for var_cmd in "${!hmp_command_packages[@]}"; do
-  #  var_pkg="${hmp_command_packages[${var_cmd}]}"
-  #  if ! command -v "${var_cmd}" &>/dev/null; then
-  #    apt-get install -y --no-install-recommends "${var_pkg}"
-  #    do_log "info" "file_only" "Installing ${var_pkg} done."
-  #  else
-  #    do_log "info" "file_only" "${var_cmd} already installed."
-  #  fi
-  #done
+  ### Collecting missing binaries.
+  for var_cmd in "${!hmp_command_packages[@]}"; do
+
+    if ! command -v "${var_cmd}" &>/dev/null; then
+
+      ary_missing_pkgs+=("${hmp_command_packages[${var_cmd}]}")
+
+    fi
+
+  done
+  do_log "debug" "file_only" "0030() [ary_missing_pkgs]='${ary_missing_pkgs[*]}'."
+
+  ### Installing unique list of packages.
+  apt-get update > /dev/null 2>&1
+  if ((${#ary_missing_pkgs[@]})); then
+
+    # shellcheck disable=SC2312
+    mapfile -t ary_unique_pkgs < <(printf '%s\n' "${ary_missing_pkgs[@]}" | sort -u)
+    do_log "debug" "file_only" "0030() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
+    apt-get install -y --no-install-recommends --no-install-suggests "${ary_unique_pkgs[*]}" 2>&1
+
+  fi
 
   if [[ -z "$(command -v debootstrap || true)" ]]; then
     if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
@@ -76,6 +86,6 @@ check_pkgs() {
     if ! "${VAR_AUTO_INSTALL}"; then apt-get install -y --no-install-recommends dialog; fi
   fi
 
-  return 0
+  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0060_traps/0060_trap_err.sh

@@ -228,7 +228,7 @@ trap_err() {
   case "${VAR_IN_DIALOG_WR}" in
     box   ) dialog_box_cleaner   ;;
     gauge ) dialog_gauge_cleaner ;;
-    text )  dialog_text_cleaner  ;;
+    text  ) dialog_text_cleaner  ;;
   esac
 
   calculate_runtime

lib/cdi_0100_arg/0104_arg_passphrase_modules.sh

@@ -54,9 +54,8 @@ generate_salt() {
 read_password_file() {
   declare -r var_input_file="${1}"
   declare -n var_output_file="${2}"
-  declare -a lines=()
+  declare -a ary_lines=()
 
-  ### TODO: PASSWORD REMINDER START
   guard_trace on
 
   if [[ ! -f "${var_input_file}" ]]; then
@@ -66,16 +65,16 @@ read_password_file() {
 
   fi
 
-  mapfile -t lines < "${var_input_file}"
+  mapfile -t ary_lines < "${var_input_file}"
 
-  if (( ${#lines[@]} != 1 )); then
+  if (( ${#ary_lines[@]} != 1 )); then
 
     do_log "fatal" "file_only" "0104() Password file '${var_input_file}' MUST contain exactly one line."
     return "${ERR_READ_PASS_FILE}"
 
   fi
 
-  var_output_file="${lines[0]}"
+  var_output_file="${ary_lines[0]}"
   ### Trim leading and trailing whitespace.
   var_output_file="${var_output_file#"${var_output_file%%[![:space:]]*}"}" ### leading
   var_output_file="${var_output_file%"${var_output_file##*[![:space:]]}"}" ### trailing
@@ -87,7 +86,6 @@ read_password_file() {
 
   fi
 
-  ### TODO: PASSWORD REMINDER STOP
   guard_trace off
 
   sync
@@ -104,7 +102,7 @@ read_password_file() {
 
   sync
 
-  unset lines
+  unset ary_lines
 
   return 0
 }

var/global.var.sh

@@ -53,6 +53,9 @@ declare -grx RECOVERY="/recovery"
 declare -grx VAR_SAFE_MNT_BASE="/run/ciss/bootstrap"
 declare -gx  VAR_NEED_RUN_IN_TARGET="false"
 
+### Default chroot debug policy.
+declare -gx VAR_CHROOT_DEBUG="false"
+
 ### Default log level.
 declare -gx VAR_DEFAULT_LOG_LEVEL="info"