V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_1000_helper/1080_helper_chroot.sh

@@ -77,10 +77,13 @@ chroot_exec() {
 
 #######################################
 # Execute a full shell script line inside the chroot via bash -c.
-# TODO: Supports interactive debug shell on error.
 # Globals:
 #   BASH_SOURCE
 #   TERM
+#   VAR_CHROOT_DEBUG
+#   VAR_DEBUG_TRACE
+#   VAR_DEBUG_TRAP
+#   VAR_IN_DIALOG_WR
 # Arguments:
 #   1: Target of the chroot environment
 #   2: Command string to execute inside a shell (quoted)
@@ -117,14 +120,26 @@ chroot_script() {
   then
 
     do_log "${var_log_level_on_error}" "file_only" "1080() Command of ${var_mod} [chroot ${var_chroot_target} /usr/bin/env -i HOME=/root PATH=${var_default_path} TERM=${TERM} LANG=C.UTF-8 LC_ALL=C.UTF-8 DEBIAN_FRONTEND=noninteractive APT_LISTCHANGES_FRONTEND=none /bin/bash -c ${var_chroot_script}] failed."
-    return "${ERR_CHRT_COMMAND}"
 
-    # TODO: Test with Dialog Wrapper in interactive mode.
-    # TODO: Call clean screen first to terminate dialog wrapper !
-    #if [[ "${DEBUG_INTERACTIVE}" == "true" ]]; then
-    #  do_log "warning" "true" "Launching interactive debug shell in chroot: '${var_chroot_target}'."
-    #  chroot "${var_chroot_target}" /bin/bash -l
-    #fi
+    if [[ "${VAR_CHROOT_DEBUG}" == "true" ]]; then
+
+      if [[ "${VAR_DEBUG_TRACE}" == "true" || "${VAR_DEBUG_TRAP}" == "true" ]]; then dump_vars_exiting; fi
+
+      case "${VAR_IN_DIALOG_WR}" in
+        box   ) dialog_box_cleaner   ;;
+        gauge ) dialog_gauge_cleaner ;;
+        text  ) dialog_text_cleaner  ;;
+      esac
+
+      do_log "emergency" "tty" "1080() Launching interactive debug shell in chroot: '${var_chroot_target}'."
+
+      chroot "${var_chroot_target}" /bin/bash -l
+
+    else
+
+      return "${ERR_CHRT_COMMAND}"
+
+    fi
 
   else
 

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -42,7 +42,8 @@ yaml_reader() {
   declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
   declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
               VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
-              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny"
+              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
+              VAR_CHROOT_DEBUG="false"
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
@@ -146,6 +147,10 @@ END { print max }
   # shellcheck disable=SC2034
   VAR_ARCHITECTURE="${architecture,,}"
 
+  ### Extract chroot debug policy.
+  # shellcheck disable=SC2034
+  VAR_CHROOT_DEBUG="${chroot_debug,,}"
+
   ### Extract distribution.
   # shellcheck disable=SC2034
   VAR_CODENAME="${distribution,,}"

func/cdi_4200_boot/4230_installation_grub.sh

@@ -12,6 +12,7 @@
 
 guard_sourcing
 
+#######################################
 # --- UEFI GRUB Installation Strategy ---
 #
 # We explicitly install GRUB using '--no-nvram' to avoid modifying NVRAM entries inside the chroot environment, which is
@@ -22,6 +23,7 @@ guard_sourcing
 # - GRUB is available under 'EFI/debian/grubx64.efi' (for manual boot entries).
 # - GRUB is also available as 'EFI/BOOT/BOOTX64.EFI' (UEFI fallback path, no NVRAM needed).
 # This setup ensures compatibility with systems that do not retain NVRAM entries (e.g., removable drives, VM firmware).
+#######################################
 
 #######################################
 # Installation and setup of the GRUB2 (backported) version.

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -111,9 +111,8 @@ dropbear_setup() {
 
   ### Install the script to be called inside the initramfs environment for preparing dropbear execution.
   mkdir -p "${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount"
-  chroot_exec "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear \
-    /root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
-  chmod 0644 "${TARGET}/root/.ciss/cdi/backup/dropbear.trixie"
+  mv "${TARGET}/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
+    "${TARGET}/root/.ciss/cdi/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie"
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
     "${TARGET}/usr/share/initramfs-tools/scripts/init-premount/"
 

func/cdi_4400_hardening/4430_hardening_files.sh

@@ -31,6 +31,8 @@ hardening_files() {
   install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
   install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
 
+  install -d -m 0700 -o root -g root "${TARGET}/root/.ansible"
+
   guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4500_accounts_preparation.sh

@@ -25,13 +25,13 @@ guard_sourcing
 accounts_preparation() {
   mkdir -p "${TARGET}/etc/skel/.ciss"
 
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
 
   insert_comments "${TARGET}/etc/skel/.bashrc"
   insert_comments "${TARGET}/etc/skel/.zshrc"
@@ -43,7 +43,7 @@ accounts_preparation() {
 
   ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
   echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
-  chmod 0644 "${TARGET}/etc/skel/.vimrc"
+  chmod 0600 "${TARGET}/etc/skel/.vimrc"
 
   guard_dir && return 0
 }

func/cdi_4500_user/4510_accounts_hardening.sh

@@ -13,15 +13,62 @@
 guard_sourcing
 
 #######################################
-#
+# Hardening accounts: Google TOTP, Wordlists, masking ttys, expiration of accounts.
 # Globals:
 #   TARGET
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 accounts_hardening() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -a  ary_security_pkgs=()
+  declare -r  var_logfile="/root/.ciss/cdi/log/4510_accounts_hardening.log"
+  declare     t=""
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  ### Installing Google TOTP, Wordlists.
+  ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  ### Keep 'tty1' active, disable the rest (VTs).
+  chroot_script "${TARGET}" "
+    systemctl unmask getty@tty1.service
+    systemctl enable getty@tty1.service
+    for t in tty2 tty3 tty4 tty5 tty6; do
+      systemctl mask getty@${t}.service
+    done
+    "
+
+  ### Hardening '/etc/login.defs'.
+  mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
+  insert_header   "${TARGET}/etc/login.defs"
+  insert_comments "${TARGET}/etc/login.defs"
+  cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
+
+  ### Hardening '/etc/security/pwquality.conf'.
+  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/security"
+  mv "${TARGET}/etc/security/pwquality.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/pwquality.conf.bak"
+  insert_header   "${TARGET}/etc/security/pwquality.conf"
+  insert_comments "${TARGET}/etc/security/pwquality.conf"
+  cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
+
+  ### Hardening password expiration; defaults to 16,384 days.
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4510_password_expiration.hooks.sh" \
+    "${TARGET}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"
+
+  if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh" "emergency"; then
+    do_log "warn" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] failed."
+  else
+    do_log "debug" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] successful."
+  fi
 
   guard_dir && return 0
 }

func/cdi_4500_user/4520_accounts_setup.sh

@@ -29,23 +29,13 @@ guard_sourcing
 #######################################
 accounts_setup() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -i i
-  declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
-    tmp_restricted=""
-  declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
-    var_restricted="" var_chpasswd="" var_sshdir=""
+  declare -i  i=0
+  declare     tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
+              tmp_restricted=""
+  declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
+              var_restricted="" var_chpasswd="" var_sshdir=""
 
-  ### Hardening '/etc/login.defs'
-  rm -f "${TARGET}/etc/login.defs"
-  insert_header "${TARGET}/etc/login.defs"
-  insert_comments "${TARGET}/etc/login.defs"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
 
-  ### Hardening '/etc/security/pwquality.conf'
-  rm -f "${TARGET}/etc/security/pwquality.conf"
-  insert_header "${TARGET}/etc/security/pwquality.conf"
-  insert_comments "${TARGET}/etc/security/pwquality.conf"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
 
   ### Preparing the root account
   chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
@@ -55,6 +45,7 @@ accounts_setup() {
   if [[ -x "${TARGET}${user_root_shell}" ]]; then
     chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
   else
+    chroot_exec "${TARGET}" chsh -s /bin/bash root
     do_log "warn" "file_only" "4500() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
   fi
 
@@ -185,8 +176,7 @@ write_google_authenticator_file() {
   esac
   declare -i  i=0
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   var_secret="$(generate_totp_secret "${var_user}")"
 
@@ -202,8 +192,7 @@ write_google_authenticator_file() {
     for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
   } >| "${var_base}/.google_authenticator"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
 
@@ -235,8 +224,7 @@ generate_totp_secret() {
   declare  var_info="${user_mfa_info}"
   declare  var_secret=""
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
   # shellcheck disable=SC2312
@@ -245,8 +233,7 @@ generate_totp_secret() {
       -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
   )"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   printf '%s\n' "${var_secret}"
   return 0
@@ -268,8 +255,7 @@ read_totp_seed(){
   declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
   declare -g VAR_TEMP_PLAIN_MFA_SEED=""
 
-  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  #guard_trace on
+  guard_trace on
 
   if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
 
@@ -280,8 +266,7 @@ read_totp_seed(){
   ### Validate: exactly 64 hex.
   [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
 
-  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
-  #guard_trace off
+  guard_trace off
 
   return 0
 }

func/cdi_4600_verification/4670_verify_system.sh

@@ -13,7 +13,6 @@
 guard_sourcing
 
 #######################################
-# TODO: Implement this function.
 verify_system() {
   ### Declare Arrays, HashMaps, and Variables.
 do_log "info" "file_only" "4100() Starting system integrity verification..."

func/cdi_5000_recovery/3.9.1.functions_installation_generate_files_recovery.sh

@@ -57,7 +57,7 @@ EOF
   echo "" >> "${RECOVERY}"/etc/crypttab
   do_log "info" "file_only" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
 
-  # TODO: Update loop to iterate thru dynamic number of ephemeral drives.
+
   # Generate '${RECOVERY}/etc/crypttab' special ephemeral entries.
   declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
   declare KEY=""
@@ -70,7 +70,6 @@ EOF
 
       # shellcheck disable=2129
       echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
-      # TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
       echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=SWAP  /dev/random  swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${RECOVERY}"/etc/crypttab
       echo "" >> "${RECOVERY}"/etc/crypttab
       do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=SWAP  /dev/random  swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
@@ -79,7 +78,6 @@ EOF
 
       # shellcheck disable=2129
       echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
-      # TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
       echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=ext4_tmp  /dev/random  offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${RECOVERY}"/etc/crypttab
       echo "" >> "${RECOVERY}"/etc/crypttab
       do_log "info" "file_only" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]}  LABEL=ext4_tmp  /dev/random  offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
@@ -119,9 +117,6 @@ EOF
   # MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
   # MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
 
-  # TODO: BEGIN: BLOCK "${RECOVERY}"/etc/fstab
-  # TODO: complete this block
-
   # Generate '${TARGET}/etc/fstab' special entries '/' '/boot' '/boot/efi'.
   # Define the order of the special keys.
   declare -a KEY_ORDER
@@ -351,7 +346,6 @@ EOF
 
   done
 
-  # TODO: flexible entries for more than one CD-ROM drives.
   # Add entry for CD-ROM device
   # shellcheck disable=2129
   echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
@@ -368,7 +362,7 @@ EOF
   do_log "info" "file_only" "fstab entry generated: 'proc  /proc  proc  nodev,nosuid,noexec,hidepid=2  0  0'."
   do_log "info" "file_only" "fstab entry generated: 'tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,relatime,size=1G  0  0'."
 
-  # TODO: flexible 'SWAP' entry, not only ephemeral SWAP.
+
   # Add entry for SWAP device
   declare MOUNT_PATH="SWAP"
   # shellcheck disable=2129
@@ -377,7 +371,7 @@ EOF
   echo "" >> "${TARGET}"/etc/fstab
   do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  none  swap  defaults  0  0'."
 
-  # TODO: flexible '/tmp' entry, not only ephemeral SWAP.
+
   # Add entry for '/tmp' device
   declare MOUNT_PATH="/tmp"
   # shellcheck disable=2129
@@ -386,9 +380,8 @@ EOF
   echo "" >> "${TARGET}"/etc/fstab
   do_log "info" "file_only" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}  /tmp  ext4  defaults,rw,nodev,nosuid,relatime  0  0'."
 
-  # TODO: END: BLOCK "${RECOVERY}"/etc/fstab
-  # TODO: complete this block
 
-  do_show_footer "${MODULE_TXT}"
+
+
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: