V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-30 20:57:43 +02:00
parent 36d0ad7039
commit e1a9490a4d
6 changed files with 175 additions and 27 deletions
--- a/func/system/4040_generate_fstab.sh
+++ b/func/system/4040_generate_fstab.sh
@@ -67,7 +67,7 @@ generate_fstab() {
  : >| "${TARGET}/etc/fstab"
  chmod 0600 "${TARGET}/etc/fstab"

-  cat << "EOF" >> "${TARGET}/etc/fstab"
+  cat << EOF >> "${TARGET}/etc/fstab"
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -190,22 +190,6 @@ tmpfs                                      /run                        tmpfs   m
 # vim: number et ts=2 sw=2 sts=2 ai tw=192 ft=sh
 EOF

-  : >| "${DIR_LOG}/fstab.verify.log"
-  chmod 0600 "${DIR_LOG}/fstab.verify.log"
-
-  do_in_target_script "${TARGET}" "systemd-analyze verify /etc/fstab >> ${DIR_LOG}/fstab.verify.log" 2>&1
-  rc="$?"
-
-  if (( rc == 0 )); then
-
-    do_log "info" "file_only" "4040() '/etc/fstab' verified successfully with systemd-analyze."
-
-  else
-
-    do_log "warning" "file_only" "4040() '/etc/fstab' verification returned errors — see '${DIR_LOG}/fstab.verify.log'."
-
-  fi
-
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/system/4090_minimal_toolset.sh
+++ b/func/system/4090_minimal_toolset.sh
@@ -22,11 +22,9 @@ guard_sourcing
 #   0: on success
 #######################################
 minimal_toolset() {
-  declare var_bin
-
-  ### Define HashMap: command -> package
+  ### Declare Arrays, HashMaps, and Variables.
  # shellcheck disable=SC2154
-  declare -A hmp_tool_pkg=(
+  declare -A  hmp_tool_pkg=(
    [awk]="gawk"
    [busybox]="busybox"
    [cat]="coreutils"
@@ -48,12 +46,42 @@ minimal_toolset() {
    [zsh]="zsh"
  )

+  declare     var_bin=""
+
  for var_bin in "${!hmp_tool_pkg[@]}"; do
+
    if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null"; then
+
      do_in_target "${TARGET}" apt-get install -y "${hmp_tool_pkg[${var_bin}]}"
+
    fi
+
  done

+  ### Ensure systemd and machine-id are in place
+  if ! do_in_target_script "${TARGET}" "command -v systemctl >/dev/null"; then
+
+    do_log "info" "file_only" "4090() 'systemctl' not found — installing 'systemd' and dependencies."
+    do_in_target "${TARGET}" apt-get install -y systemd systemd-sysv dbus
+
+  else
+
+    do_log "info" "file_only" "4090() 'systemctl' found — skipping installation of systemd."
+
+  fi
+
+  ### Generate machine-id if missing
+  if ! do_in_target_script "${TARGET}" "[[ -s /etc/machine-id ]]"; then
+
+    do_log "info" "file_only" "4090() Generating /etc/machine-id via systemd-machine-id-setup."
+    do_in_target "${TARGET}" systemd-machine-id-setup
+
+  else
+
+    do_log "info" "file_only" "4090() Existing machine-id found — no action needed."
+
+  fi
+
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/system/4092_minimal_checks.sh
+++ b/func/system/4092_minimal_checks.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# TODO: Implement this function
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+minimal_checks() {
+  declare var_bin
+
+  : >| "${DIR_LOG}/fstab.verify.log"
+  chmod 0600 "${DIR_LOG}/fstab.verify.log"
+
+  do_in_target_script "${TARGET}" "systemd-analyze verify /etc/fstab >> ${DIR_LOG}/fstab.verify.log 2>&1"
+  rc="$?"
+
+  if (( rc == 0 )); then
+
+    do_log "info" "file_only" "4040() '/etc/fstab' verified successfully with systemd-analyze."
+
+  else
+
+    do_log "warning" "file_only" "4040() '/etc/fstab' verification returned errors — see '${DIR_LOG}/fstab.verify.log'."
+
+  fi
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/system/4900_verify_system.sh
+++ b/func/system/4900_verify_system.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# TODO: Implement this function.
+verify_system() {
+  ### Declare Arrays, HashMaps, and Variables.
+do_log "info" "file_only" "4100() Starting system integrity verification..."
+
+  ###########################################
+  ## Systemd & Identity Checks
+  ###########################################
+  do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
+
+  do_in_target_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
+
+  do_in_target_script "${TARGET}" '[ -s /etc/machine-id ]' || \
+    do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."
+
+  ###########################################
+  ## crypttab & fstab Validation
+  ###########################################
+  do_log "info" "file_only" "4100() Validating fstab and crypttab."
+
+  do_in_target_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
+
+  do_in_target_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."
+
+  ###########################################
+  ## Essential Services
+  ###########################################
+  do_log "info" "file_only" "4100() Validating essential services."
+  do_in_target_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
+
+  ###########################################
+  ## Init & Bootloader
+  ###########################################
+  do_log "info" "file_only" "4100() Checking init and GRUB presence."
+
+  do_in_target_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
+
+  do_in_target_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
+    do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."
+
+  ###########################################
+  ## /etc Configuration Checks
+  ###########################################
+  do_log "info" "file_only" "4100() Validating core /etc configurations."
+
+  do_in_target_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
+
+  do_in_target_script "${TARGET}" '[ -s /etc/hostname ]' || \
+    do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."
+
+  ###########################################
+  ## Permissions & Security
+  ###########################################
+  do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
+
+  do_in_target_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
+  do_in_target_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
+
+  ###########################################
+  ## dpkg & apt status
+  ###########################################
+  do_log "info" "file_only" "4100() Verifying package integrity."
+
+  do_in_target_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
+  do_in_target_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() apt-get check reported errors."
+
+  do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh