V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-25 10:10:41 +02:00
parent 9c19212c00
commit e8d85a39ae
134 changed files with 13933 additions and 41 deletions

95
lib/1000_usage.sh Normal file

@@ -0,0 +1,95 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Usage Wrapper 'CISS.debian.installer'.
# Arguments:
# $0: Script Name
#######################################
usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.installer\e[0m")
$(echo -e "\e[92mMaster V8.00.000.2025.06.17\e[0m")
$(echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
"${0} <option>", where <option> is one or more of:
--help, -h
What you're looking at.
--autoinstall, -a
No user interaction is required in autoinstall mode.
$(echo -e "\e[93m ⚡ All data on the disks specified in './.preseed/partitioning.yaml' will be destroyed! ⚡\e[0m")
--contact, -c
Displays contact information of the author.
--debug, -d <MODE>
Whereas <MODE> can be one or both of the following: 'TRAP' or 'XTRACE'.
• XTRACE uses the 'set -x' capability to trace every command executed.
• TRAP uses the bash 'trap DEBUG' capability.
$(echo -e "\e[93m Detailed debugging information is written to:\e[0m")
- /tmp/ciss_debian_installer_$$_debug.log
- /tmp/ciss_debian_installer_$$_trace.log
- /tmp/ciss_debian_installer_$$_var.log
$(echo -e "\e[93m Errors are always written to:\e[0m")
- /tmp/ciss_debian_installer_$$_error.log.
--log <LEVEL>
This changes the default log level from 'info' to one of the following values:
6: 'info'
5: 'notice'
4: 'warn'
3: 'error'
0: 'emergency'
$(echo -e "\e[93m The installation log is written to:\e[0m")
- /tmp/ciss_debian_installer_$$_install.log
--renice-priority <PRIORITY>
Reset the nice priority value of the script and all its children
to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
--reionice-priority <CLASS> <PRIORITY>
Reset the ionice priority value of the script and all its children
to the desired <CLASS>. MUST be an integer:
1: realtime
2: best-effort
3: idle
Defaults to '2'.
Whereas <PRIORITY> MUST be an integer as well between:
0: highest priority and
7: lowest priority.
Defaults to '4'.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
--version, -v
Displays version of ${0}.
$(echo -e "\e[93m💡 Notes:\e[0m")
🔵 You MUST be 'root' to run this script.
🔵 You MUST edit './.preseed/preseed.yaml' in advance.
🔵 You MUST edit './.preseed/partitioning.yaml' in advance.
🔵 You MUST edit './.preseed/password.txt' in advance.
🔵 You SHOULD use the provided YAML-Configuration-File Editor.
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m")
EOF
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
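Review bot: The advice under --renice-priority that negative values "MUST be enclosed in double quotes" is misleading: the shell strips the quotes before the script sees anything, so `"-19"` and `-19` arrive as the identical argument, and quoting cannot stop an option parser from treating a leading `-` as a new option (compare the `=~ ^-` check in pre_scan_debug). If the parser is what needs protecting, document the mechanism that actually works for it, such as `--renice-priority=-19` or an end-of-options `--`, whichever the parser (not in this commit) supports. Also, the Linux nice range is -20 to 19; unless the script deliberately rejects -20, replace `(between "-19" and 19)` with `(between -20 and 19)` and drop the quoting sentence.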

39
lib/1001_contact.sh Normal file

@@ -0,0 +1,39 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Contact Wrapper 'CISS.debian.installer'.
# Arguments:
# None
#######################################
contact() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.installer\e[0m")
$(echo -e "\e[92mMaster V8.00.000.2025.06.17\e[0m")
$(echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
$(echo -e "\e[95m💬 Contact:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/ \e[0m")
$(echo -e "\e[95m📧 security@coresecret.eu \e[0m")
$(echo -e "\e[95m🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
$(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m")
EOF
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
lib/1003_gen_dir_files.sh Normal file

@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Creates the DIRs, prepares the files and mounting paths for installation.
# Globals:
# DIR_LOG
# LOG_ERR
# LOG_INS
# LOG_NIC
# VAR_PRESEED
# Arguments:
# None
#######################################
gen_dir_files() {
### MAKE DIRS
mkdir -p /tmp/.ciss/{backup,log,tmp} && chmod -R 0700 /tmp/.ciss
mkdir -p /target
mkdir -p /recovery
### TOUCH FILES
touch "${LOG_ERR}" && chmod 0600 "${LOG_ERR}"
touch "${LOG_INS}" && chmod 0600 "${LOG_INS}"
touch "${LOG_NIC}" && chmod 0600 "${LOG_NIC}"
touch "${VAR_PRESEED}" && chmod 0600 "${VAR_PRESEED}"
touch "${DIR_LOG}/btrfs.log" && chmod 0600 "${DIR_LOG}/btrfs.log"
touch "${DIR_LOG}/cpu.log" && chmod 0600 "${DIR_LOG}/cpu.log"
touch "${DIR_LOG}/ext4.log" && chmod 0600 "${DIR_LOG}/ext4.log"
touch "${DIR_LOG}/sshd_config.log" && chmod 0600 "${DIR_LOG}/sshd_config.log"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
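Review bot: `mkdir -p /tmp/.ciss/{backup,log,tmp} && chmod -R 0700 /tmp/.ciss`, and the `touch`/`chmod` lines after it, run as root against a fixed, predictable path in world-writable /tmp: `mkdir -p` silently accepts a pre-existing /tmp/.ciss, including one that another local user created or symlinked elsewhere, and `chmod -R` and `touch` then follow it. On a single-user live or rescue system this is low risk, but on a shared host it is a classic symlink trap. Refuse anything that already exists before creating it, e.g. `[[ -e /tmp/.ciss || -L /tmp/.ciss ]] && { printf 'refusing to reuse existing /tmp/.ciss\n' >&2; return 1; }` followed by `mkdir -m 0700 /tmp/.ciss && mkdir -m 0700 /tmp/.ciss/{backup,log,tmp}`; if re-runs are expected to reuse the tree, at least verify it is a real directory owned by uid 0 first, or build it with `mktemp -d` and export that as DIR_LOG.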


@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Prevent the caller LIB-file from being sourced twice.
# Derive a safe guard-variable name from the caller script filename.
# Globals:
# BASH_SOURCE
# Arguments:
# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# Returns:
# 0: Returns '0' in both cases as they are intended to be successful.
#######################################
1007_guard_sourcing() {
### Determine the caller script (the library being sourced).
declare var_src="${1:-${BASH_SOURCE[1]}}"
### Strip path, keep only filename
declare var_file_name="${var_src##*/}"
### Sanitize to valid var name.
declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
### Build guard-variable name.
declare var_guard_var="_${var_safe_name}_LOADED"
### If already loaded, abort sourcing
if [[ -n "${!var_guard_var:-}" ]]; then
return 0
fi
### Mark as loaded (readonly + exported)
declare -grx "${var_guard_var}"=1
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
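Review bot: The guard cannot actually stop a library from being sourced twice: `return 0` at L221 only leaves this function, and the caller file keeps executing, so the top-level statements of a re-sourced library (e.g. the `declare -grx LOG_DEBUG` in lib/1025_debug_trap.sh) run again and hit exactly the readonly error the guard was meant to prevent. Make the already-loaded case return non-zero and have each library call it as `guard_sourcing || return 0`, updating the Returns section of the header accordingly: `if [[ -n "${!var_guard_var:-}" ]]; then return 1; fi`. Separately, every library in this commit calls `guard_sourcing`, while this file defines `1007_guard_sourcing`; unless an alias or wrapper exists outside this commit, those calls fail with "command not found" and the guard is never invoked at all.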

78
lib/1010_check_pkgs.sh Normal file

@@ -0,0 +1,78 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check for required Deb Packages to run the script.
# Globals:
# VAR_AUTO_INSTALL
# Arguments:
# None
#######################################
check_pkgs() {
apt-get update -y > /dev/null 2>&1
### Define HashMap: command -> package
declare -A hmp_command_packages=(
[apt-transport-https]=apt-transport-https
[bzip2]=bzip2
[ca-certificates]=ca-certificates
[curl]=curl
[expect]=expect
[fdisk]=fdisk
[gdisk]=gdisk
[git]=git
[gpg]=gnupg
[lsb_release]=lsb-release
[mkfs.btrfs]=btrfs-progs
[mkfs.ext4]=e2fsprogs
[mkfs.fat]=dosfstools
[mkswap]=util-linux
[mkfs.xfs]=xfsprogs
[parted]=parted
[pwgen]=pwgen
[tar]=tar
[wget]=wget
[whois]=whois
[xz]=xz-utils
[yq]=yq
)
### Iterate over HashMap
declare var_cmd var_pkg
for var_cmd in "${!hmp_command_packages[@]}"; do
var_pkg="${hmp_command_packages[${var_cmd}]}"
if ! command -v "${var_cmd}" &>/dev/null; then
do_log "info" "true" "Installing ${var_pkg} ..."
apt-get install -y --no-install-recommends "${var_pkg}"
do_log "info" "true" "Installing ${var_pkg} done."
else
do_log "info" "true" "${var_cmd} already installed."
fi
done
if [[ -z "$(command -v debootstrap || true)" ]]; then
if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
# shellcheck disable=SC2155
declare codename=$(lsb_release -sc)
apt-get install -y -t "${codename}-backports" debootstrap
else
apt-get install -y debootstrap
fi
fi
if [[ -z "$(command -v dialog || true)" ]]; then
if ! ${VAR_AUTO_INSTALL}; then apt-get install -y --no-install-recommends dialog; fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
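Review bot: `apt-get update -y > /dev/null 2>&1` discards both the output and the exit status, so a failed refresh (unreachable mirror, expired or unverifiable Release signature) goes unnoticed and the loop below installs from whatever stale index is on disk; the `apt-get install` calls likewise never check their status, so a missing tool only surfaces when it is first used. Keep stderr and fail early: `apt-get update >/dev/null 2>>"${LOG_ERR}" || { do_log "error" "true" "apt-get update failed."; return 1; }` and `apt-get install -y --no-install-recommends "${var_pkg}" || return 1`; whether `set -e` already covers this depends on the main script, which is not in this commit. The backports detection at L293 only recognises one-line `deb ...` entries; a deb822 `.sources` file with `Suites: bookworm-backports` is not matched, so debootstrap would come from the release pocket on such hosts — presumably acceptable, but worth a comment on that `grep`.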

36
lib/1011_check_git.sh Normal file

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Define Git Repo related Variables.
# Globals:
# VAR_GIT_HEAD
# VAR_GIT_REL
# VAR_GIT_REL_DATE
# VAR_GIT_REL_DATE_TIME
# VAR_GIT_REL_SHORT
# Arguments:
# None
#######################################
check_git() {
# shellcheck disable=SC2155
if git rev-parse --is-inside-work-tree &>/dev/null; then
declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
declare -grx VAR_GIT_HEAD="$(git rev-parse HEAD)"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
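Review bot: When `git rev-parse --is-inside-work-tree` fails (tarball install, or git refusing a clone owned by another user with its "dubious ownership" check when run as real root) none of the VAR_GIT_* variables is defined, yet `${VAR_GIT_HEAD}` is expanded unconditionally in the debug headers and error report — an unbound-variable error under `set -u`, an empty field otherwise. Give them a defined fallback in an `else` branch: `declare -grx VAR_GIT_REL="n/a" VAR_GIT_REL_SHORT="n/a" VAR_GIT_REL_DATE_TIME="n/a" VAR_GIT_REL_DATE="n/a" VAR_GIT_HEAD="n/a"`. The `# shellcheck disable=SC2155` placed above the `if` covers the whole compound command, so that part is fine.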


@@ -0,0 +1,66 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Check for DEBUG mode.
# Arguments:
# None
#######################################
pre_scan_debug() {
# shellcheck disable=SC2155
declare script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
. "${script_dir}/1040_arg_mismatch.sh"
declare args=("$@")
declare dbg_index=-1
declare dbg_count=0
declare i j
for i in "${!args[@]}"; do
if [[ "${args[i]}" == "-d" || "${args[i]}" == "--debug" ]]; then
dbg_index=$i
. "${script_dir}/1016_debug_var_dump.sh"
declare -grx LOG_VAR="/tmp/ciss_debian_installer_$$_var.log"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
dump_vars_initial
break
fi
done
if (( dbg_index >= 0 )); then
for (( j=dbg_index+1; j<${#args[@]} && dbg_count<2; j++ )); do
[[ "${args[j]}" =~ ^- ]] && break
case "${args[j],,}" in
xtrace)
declare -gx VAR_DEBUG_TRACE="true"
. "${script_dir}/1020_debug_trace.sh"
. "${script_dir}/1021_debug_trace_header.sh"
debug_trace "$@"
;;
trap)
declare -gx VAR_DEBUG_TRAP="true"
. "${script_dir}/1025_debug_trap.sh"
. "${script_dir}/1026_debug_trap_header.sh"
trap 'debug_trap' DEBUG
;;
*)
arg_mismatch "Invalid debug option: '${args[j]}'." ;;
esac
(( dbg_count++ ))
done
if (( dbg_count == 0 )); then arg_mismatch "--debug MUST NOT be empty."; fi
if (( dbg_count > 2 )); then arg_mismatch "--debug accepts at most two options (XTRACE, TRAP)."; fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
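Review bot: The `dbg_count > 2` check at L407 is unreachable: the loop at L386 stops as soon as `dbg_count` reaches 2, so `--debug xtrace trap foo` silently leaves `foo` for whatever parses the remaining arguments instead of producing the intended `arg_mismatch`. Drop the bound from the loop, `for (( j=dbg_index+1; j<${#args[@]}; j++ )); do`, and the existing check does its job; a duplicate such as `xtrace xtrace`, which currently sources the same files twice, could be rejected at the same place. The `${args[j],,}` normalisation also means the usage text's 'TRAP'/'XTRACE' are matched case-insensitively, which deserves a line in the header comment.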


@@ -0,0 +1,72 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Capture an initial snapshot of all variables (excluding '^(BASH|_).*').
# Globals:
# VAR_DUMP_VARS_INITIAL
# Arguments:
# None
#######################################
dump_vars_initial() {
# shellcheck disable=SC2155
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2> /dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${VAR_DUMP_VARS_INITIAL}"
}
#######################################
# Gather all user-defined variables (name and value)
# Globals:
# LOG_VAR
# VAR_DUMP_VARS_INITIAL
# VAR_VERSION
# Arguments:
# None
#######################################
dump_vars_exiting() {
### Capture the final snapshot of all variables (excluding '^(BASH|_).*')
# shellcheck disable=SC2155
declare var_dump_vars_final=$(mktemp)
set +x
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${var_dump_vars_final}"
set -x
{
printf "✅ CISS.debian.installer Config Variable Dump. \n"
printf "✅ Version : %s \n" "${VAR_VERSION}"
printf "\n"
printf "===== Initial VAR Environment ===== \n"
} >> "${LOG_VAR}"
comm -23 "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" >> "${LOG_VAR}" || true
{
printf "\n"
printf "===== Final VAR Environment ===== \n"
} >> "${LOG_VAR}"
comm -13 "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}" >> "${LOG_VAR}" || true
rm -f "${VAR_DUMP_VARS_INITIAL}" "${var_dump_vars_final}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
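Review bot: The variable dump has no masking at all: `declare -p` of every non-BASH/_ variable goes into LOG_VAR, so whatever variable ends up holding the contents of ./.preseed/password.txt (which the usage text requires) is written out in clear, and only the DEBUG trap applies MASK_PATTERNS. The 0600 mode limits exposure, but a debug log is presumably meant to be shared when reporting problems, so filter sensitive names in both snapshots, `done < <(compgen -v | grep -Ev '^(BASH|_).*' | grep -Eiv 'pass(wd|word)|secret|token|api_key|priv_key')`, or redact the value after the name with the same pattern list the trap uses. Separately, dump_vars_exiting ends with an unconditional `set -x` at L464, which switches xtrace on even when only TRAP mode was selected (no BASH_XTRACEFD, so the trace then lands on stderr); guard it with `[[ "${VAR_DEBUG_TRACE:-}" == true ]] && set -x`, or restore the state from a saved `$-`.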

43
lib/1020_debug_trace.sh Normal file

@@ -0,0 +1,43 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper for XTRACE Debug.
# Globals:
# BASH_XTRACEFD
# LOG_TRACE
# PS4
# SHELLOPTS
# Arguments:
# None
#######################################
debug_trace() {
### Set a verbose PS4 prompt including timestamp, source, line, exit status of previous command, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -grx LOG_TRACE="/tmp/ciss_debian_installer_$$_trace.log"
### Generates empty LOG_TRACE
touch "${LOG_TRACE}" && chmod 0600 "${LOG_TRACE}"
### Open file descriptor 42 for writing to the debug log
exec 42>| "${LOG_TRACE}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_header "$#" "$*"
### Tell Bash to send xtrace output to FD 42
export BASH_XTRACEFD=42
### Enable inheritable shell options
export SHELLOPTS
### Turn on xtrace
set -x
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
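Review bot: `debug_header "$#" "$*"` at L518 calls a function that does not exist in this commit — the header writer in lib/1021_debug_trace_header.sh is `debug_trace_header` — so enabling XTRACE mode fails with "command not found" unless something outside this commit defines the alias; change the call to `debug_trace_header "$#" "$*"`. Note also that `set -x` logs every command with its arguments fully expanded and nothing in this mode applies MASK_PATTERNS, so any secret that is ever placed on a command line (a password read from ./.preseed/password.txt, for example) ends up verbatim in LOG_TRACE; either redact in a consumer or state in the usage text that the trace log is sensitive. Finally, LOG_TRACE is a predictable name in /tmp that is `touch`ed and then opened with `>|`, both of which follow a pre-existing symlink planted by another local user; `mktemp`, as dump_vars_initial already uses, is the simpler fix, e.g. `declare -grx LOG_TRACE="$(mktemp "/tmp/ciss_debian_installer_$$_trace.XXXXXXXX")"` (the usage text would need to follow).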


@@ -0,0 +1,64 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Generates XTRACE Debug Log Header.
# Globals:
# BASHOPTS
# BASH_VERSINFO
# EPOCHREALTIME
# EUID
# HOSTNAME
# PPID
# PWD
# SHELLOPTS
# UID
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
# $2: Argument String $*
#######################################
debug_trace_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug XTRACE Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
printf "\e[97m+\e[0m\e[92m%s: Hostsystem : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_SYSTEM}"
printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
printf "\e[97m+\e[0m\e[92m%s: Argument Counter : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
printf "\e[97m+\e[0m\e[92m%s: Argument String Original : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >&42
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
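Review bot: This file and lib/1026_debug_trap_header.sh both define a function named `debug_trace_header` with different outputs (`>&42` here, `>| "${LOG_DEBUG}"` there); when both debug modes are active the second file sourced replaces the first, so one header is written to the wrong log, and with the sourcing order in pre_scan_debug the XTRACE variant also services the TRAP call whenever TRAP is requested second. Give each file its own name — keep `debug_trace_header` here, rename the TRAP one to `debug_trap_header` — and point the callers at the right one. The hard-coded `>&42` also silently depends on debug_trace() having opened that descriptor first; a note in the header comment, `# Requires: fd 42 opened for writing by debug_trace().`, makes the coupling visible.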

102
lib/1025_debug_trap.sh Normal file

@@ -0,0 +1,102 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
declare -g VAR_LAST_CMD=""
declare -g __preexec_invoke=""
# shellcheck disable=SC2155
declare -grx LOG_DEBUG="/tmp/ciss_debian_installer_$$_debug.log"
### Generates empty LOG_DEBUG
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_trace_header "$#" "$*"
### Define patterns and mask replacements
declare -Ag MASK_PATTERNS=(
["API_KEY"]="********"
["api_key"]="********"
["password"]="********"
["priv_key"]="********"
["secret"]="********"
["token"]="********"
)
#######################################
# Wrapper to write to DEBUG Logfile.
# Globals:
# BASH_LINENO
# BASH_SOURCE
# FUNCNAME
# LOG_DEBUG
# Arguments:
# None
#######################################
debug_trap_logger() {
declare var_rc="$1"; shift
declare var_msg="$*"
# shellcheck disable=SC2155
declare var_ts="$(date -u '+%Y-%m-%dT%H:%M:%S.%4N%z')"
declare -i i=0
for (( i=0; i<${#FUNCNAME[@]}; i++ )); do
if [[ ${FUNCNAME[i]} != "debug_trap_logger" && \
${FUNCNAME[i]} != "debug_trap" ]]; then
break
fi
done
declare var_func="${FUNCNAME[i]:-MAIN}"
declare var_line="${BASH_LINENO[i-1]:-?}"
declare var_script="${BASH_SOURCE[i]:-${BASH_SOURCE[0]}}"
declare var_script_rel="${var_script#"${PWD}"/}"
printf '%s [%s:%s] %s() |%s| RC:%s \n' "${var_ts}" "${var_script_rel}" "${var_line}" "${var_func}" "${var_msg}" "${var_rc}">> "${LOG_DEBUG}"
}
#######################################
# Trap function to be called on 'DEBUG'.
# Globals:
# BASH_COMMAND
# MASK_PATTERNS
# VAR_LAST_CMD
# __preexec_invoke
# Arguments:
# None
# Returns:
# 0: In all cases
#######################################
debug_trap() {
declare rc="$?" var_cmd="${BASH_COMMAND}"
### Skip any xtrace output or explicit set -x/+x calls
if [[ "${var_cmd}" == +* ]] || [[ "${var_cmd}" == "set -x" ]] || [[ "${var_cmd}" == "set +x" ]]; then
return 0
fi
### Mask sensitive substrings
declare key
for key in "${!MASK_PATTERNS[@]}"; do
#if [[ "${var_cmd}" =~ ${key} ]]; then
# var_cmd="${var_cmd//${key}/${MASK_PATTERNS[${key}]}}"
#fi
case "${var_cmd}" in
*"${key}"*) var_cmd="${var_cmd//${key}/${MASK_PATTERNS[${key}]}}" ;;
esac
done
if [[ -n "${__preexec_invoke:-}" ]]; then
debug_trap_logger "${rc}" "${VAR_LAST_CMD}"
declare -g __preexec_invoke=""
fi
declare -g __preexec_invoke=1
declare -g VAR_LAST_CMD="${var_cmd}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
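Review bot: `debug_trace_header "$#" "$*"` at L618 runs at source time, but pre_scan_debug sources this file before lib/1026_debug_trap_header.sh, so in TRAP-only mode the function is undefined at that moment ("command not found") unless a loader outside this commit has already sourced every lib/*.sh — and when XTRACE was enabled first, the call lands in the XTRACE variant and writes the TRAP header into the trace log via fd 42. Move the header call into a function that pre_scan_debug invokes after both files are sourced, or source 1026 before 1025. The masking loop has a second problem: `${var_cmd//${key}/********}` blanks the key *name* and leaves the value, so `password='hunter2'` is logged as `********='hunter2'`; BASH_COMMAND is unexpanded text, so only literals are affected, but those are exactly the ones worth hiding. Mask the value that follows the key instead (the `*` exclusion keeps an already-masked value from matching again):
```shell
### Mask sensitive values: blank what follows "<key>[_suffix] =" or ":", not the key itself.
declare key re
for key in "${!MASK_PATTERNS[@]}"; do
  re="(${key}[A-Za-z0-9_]*[[:space:]]*[=:][[:space:]]*[\"']?)([^[:space:]\"'*]+)"
  if [[ "${var_cmd}" =~ ${re} ]]; then
    var_cmd="${var_cmd/"${BASH_REMATCH[0]}"/${BASH_REMATCH[1]}${MASK_PATTERNS[${key}]}}"
  fi
done
# … unchanged: __preexec_invoke / VAR_LAST_CMD bookkeeping …
```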


@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Generates TRAP Debug Log Header.
# Globals:
# BASHOPTS
# BASH_VERSINFO
# EPOCHREALTIME
# EUID
# HOSTNAME
# LOG_DEBUG
# PPID
# PWD
# SHELLOPTS
# UID
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
# $2: Argument String $*
#######################################
debug_trace_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.installer Debug TRAP Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: GIT Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
printf "\e[97m+\e[0m\e[92m%s: Hostsystem : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_SYSTEM}"
printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
printf "\e[97m+\e[0m\e[92m%s: Argument Counter : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
printf "\e[97m+\e[0m\e[92m%s: Argument String Original : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >| "${LOG_DEBUG}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
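Review bot: Unlike every other library added here, this file does not call `guard_sourcing`, and its `debug_trace_header` shares its name with the XTRACE header in lib/1021_debug_trace_header.sh even though it writes to `${LOG_DEBUG}` rather than to fd 42; naming it `debug_trap_header` (and calling that from lib/1025_debug_trap.sh) removes the collision and makes the function name agree with the header comment "Generates TRAP Debug Log Header". Add `guard_sourcing` after the SPDX block for consistency with the rest of lib/.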

156
lib/1030_trap_err.sh Normal file

@@ -0,0 +1,156 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Print Error Message for Trap on 'ERR' in '${ERROR_LOG}'.
# Globals:
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_DEBUG
# LOG_ERROR
# LOG_TRACE
# LOG_VAR
# SECONDS
# VAR_ARG_SANITIZED
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_file_err() {
{
printf "❌ CISS.debian.installer Script failed. \n"
printf "❌ GIT Commit : %s \n" "${VAR_GIT_HEAD}"
printf "❌ Version : %s \n" "${VAR_VERSION}"
printf "❌ Hostsystem : %s \n" "${VAR_SYSTEM}"
printf "❌ Error : %s \n" "${ERRCODE}"
printf "❌ Line : %s \n" "${ERRLINE}"
printf "❌ Script : %s \n" "${ERRSCRT}"
printf "❌ Function : %s \n" "${ERRFUNC}"
printf "❌ Command : %s \n" "${ERRCMMD}"
printf "❌ Script PID : %s \n" "${$}"
printf "❌ Script Runtime : %s \n" "${SECONDS}"
printf "❌ Arguments Counter : %s \n" "${ARGUMENTS_COUNT}"
printf "❌ Arguments Original : %s \n" "${ARG_STR_ORG_INPUT}"
printf "❌ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}"
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
printf "❌ Vars Dump saved at : %s \n" "${LOG_VAR}"
fi
if "${VAR_DEBUG_TRAP}"; then
printf "❌ DEBUG Log saved at : %s \n" "${LOG_DEBUG}"
printf "❌ cat %s \n" "${LOG_DEBUG}"
fi
if "${VAR_DEBUG_TRACE}"; then
printf "❌ TRACE Log saved at : %s \n" "${LOG_TRACE}"
printf "❌ cat %s \n" "${LOG_TRACE}"
fi
printf "\n"
} >> "${LOG_ERROR}"
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_DEBUG
# LOG_ERROR
# LOG_TRACE
# LOG_VAR
# SECONDS
# VAR_ARG_SANITIZED
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_GIT_HEAD
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_scr_err() {
printf "\e[91m❌ CISS.debian.installer Script failed. \e[0m\n" >&2
printf "\e[91m❌ GIT Commit : %s \e[0m\n" "${VAR_GIT_HEAD}" >&2
printf "\e[91m❌ Version : %s \e[0m\n" "${VAR_VERSION}" >&2
printf "\e[91m❌ Hostsystem : %s \e[0m\n" "${VAR_SYSTEM}" >&2
printf "\e[91m❌ Error : %s \e[0m\n" "${ERRCODE}" >&2
printf "\e[91m❌ Line : %s \e[0m\n" "${ERRLINE}" >&2
printf "\e[91m❌ Script : %s \e[0m\n" "${ERRSCRT}" >&2
printf "\e[91m❌ Function : %s \e[0m\n" "${ERRFUNC}" >&2
printf "\e[91m❌ Command : %s \e[0m\n" "${ERRCMMD}" >&2
printf "\e[91m❌ Script PID : %s \e[0m\n" "${$}" >&2
printf "\e[91m❌ Script Runtime : %s \e[0m\n" "${SECONDS}" >&2
printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${LOG_ERROR}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_ERROR}" >&2
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}" >&2
fi
if "${VAR_DEBUG_TRAP}"; then
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${LOG_DEBUG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_DEBUG}" >&2
fi
if "${VAR_DEBUG_TRACE}"; then
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${LOG_TRACE}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_TRACE}" >&2
fi
printf "\n"
}
#######################################
# Trap function to be called on 'ERR'.
# Globals:
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_IN_DIALOG_WR
# Arguments:
# $1: "$?"
# $2: "${BASH_SOURCE[0]}"
# $3: "${LINENO}"
# $4: "${FUNCNAME[0]:-main}"
# $5: "${BASH_COMMAND}"
#######################################
trap_err() {
trap - DEBUG ERR INT
declare -g ERRCODE="$1"
declare -g ERRSCRT="$2"
declare -g ERRLINE="$3"
declare -g ERRFUNC="$4"
declare -g ERRCMMD="$5"
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then dump_vars_exiting; fi
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;
esac
print_file_err
print_scr_err
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
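Review bot: `if "${VAR_DEBUG_TRAP}"; then` (L819, L874, and the TRACE twins) executes the variable's content as a command, which only works while the value is exactly `true` or `false`; pre_scan_debug sets these only when the option is present, so unless the main script pre-initialises them to `false` the ERR handler itself fails with an empty command name (or an unbound-variable error under `set -u`) precisely while it is reporting another error. Compare a string and default it instead: `if [[ "${VAR_DEBUG_TRAP:-false}" == true ]]; then`, and `if [[ "${VAR_DEBUG_TRACE:-}" == true || "${VAR_DEBUG_TRAP:-}" == true ]]; then` for the combined checks, which as written only test non-emptiness. Note also that this file appends to `${LOG_ERROR}` while lib/1003_gen_dir_files.sh creates and chmods `${LOG_ERR}`; if those are not two names for the same path, `>>` creates the error log with umask permissions instead of the intended 0600.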

80
lib/1031_trap_exit.sh Normal file

@@ -0,0 +1,80 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Trap function to be called on 'EXIT'.
# Globals:
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# Arguments:
# $1: "$?"
#######################################
trap_exit() {
trap - DEBUG ERR EXIT INT
declare -r var_trap_on_exit_code="$1"
if [[ -n "${__preexec_invoke:-}" ]]; then
debug_trap_logger "${var_trap_on_exit_code}" "${VAR_LAST_CMD}"
unset __preexec_invoke
fi
if (( var_trap_on_exit_code == 0 )); then
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then dump_vars_exiting; fi
clean_up "${var_trap_on_exit_code}"
print_scr_exit "${var_trap_on_exit_code}"
exit "${var_trap_on_exit_code}"
else
clean_up "${var_trap_on_exit_code}"
exit "${var_trap_on_exit_code}"
fi
}
#######################################
# Print Success Message for Trap on 'EXIT' on 'stdout'.
# Globals:
# LOG_DEBUG
# LOG_TRACE
# LOG_VAR
# VAR_DEBUG_TRACE
# VAR_DEBUG_TRAP
# VAR_SCRIPT_SUCCESS
# Arguments:
# $1: ${var_trap_on_exit_code} of trap_exit()
#######################################
print_scr_exit() {
declare -r var_print_scr_exit_code="$1"
if (( var_print_scr_exit_code == 0 )); then
if [[ "${VAR_SCRIPT_SUCCESS}" == true ]]; then
printf "\n"
printf "\e[92m✅ CISS.debian.installer Script successful. \e[0m\n"
printf "\e[92m✅ Exited with Status : %s \e[0m\n" "${var_print_scr_exit_code}"
printf "\n"
if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
printf "\e[92m✅ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_VAR}"
fi
if "${VAR_DEBUG_TRAP}"; then
printf "\e[92m✅ DEBUG Log saved at : %s \e[0m\n" "${LOG_DEBUG}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DEBUG}"
fi
if "${VAR_DEBUG_TRACE}"; then
printf "\e[92m✅ TRACE Log saved at : %s \e[0m\n" "${LOG_TRACE}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_TRACE}"
fi
printf "\n"
printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"
printf "\e[95m🔗 https://coresecret.eu/spenden/ \e[0m\n"
printf "\n"
fi
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
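Review bot: `[[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]` before the `dump_vars_exiting` call in trap_exit, and again in print_scr_exit, is a non-empty test, so if these flags hold the literal strings true/false — as the `if "${VAR_DEBUG_TRAP}"` lines further down suggest — a value of false still triggers the var dump and the "Vars Dump saved at" line. `if "${VAR_DEBUG_TRAP}"` also executes the variable's content as a command name, which is fragile should the value ever be anything but true/false. Writing `[[ "${VAR_DEBUG_TRACE}" == true || "${VAR_DEBUG_TRAP}" == true ]]` and `if [[ "${VAR_DEBUG_TRAP}" == true ]]` fixes both; the same pattern appears in trap_err and print_scr_err in the preceding file. The Globals header of trap_exit should also list VAR_LAST_CMD and __preexec_invoke, which the function reads and unsets.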

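--- a/lib/1032_trap_int.sh
+++ b/lib/1032_trap_int.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Restart Dialog Wrapper in case of unintentional SIGINT.
+# Arguments:
+# $1: Dialog Wrapper in use.
+#######################################
+restart_dialog() {
+trap 'trap_int' INT
+trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+case "$1" in
+box ) dialog_box ;;
+gauge ) dialog_gauge ;;
+* ) ;;
+esac
+}
+#######################################
+# Trap function to be called on 'SIGINT'.
+# Globals:
+# ERR_TRAPPED_SIG_INT
+# VAR_IN_DIALOG_WR
+# Arguments:
+# None
+# Returns:
+# 0: In case of unintentional SIGINT.
+#######################################
+trap_int() {
+case "${VAR_IN_DIALOG_WR}" in
+box ) dialog_box_cleaner; declare var_helper_dialog=box ;;
+gauge ) dialog_gauge_cleaner; declare var_helper_dialog=gauge ;;
+* ) declare var_helper_dialog=false ;;
+esac
+trap '' ERR INT
+declare answer
+if ! read -r -t 16 -p $'\n\e[93mCISS.debian.installer caught an INT.\e[0m \e[92mDo you want to abort the Installer? (y/N) \e[0m' answer; then
+printf "\e[92mCISS.debian.installer caught an INT. No User confirmation after 16 seconds. Proceeding with Installer. \e[0m\n" >&2
+if [[ "${var_helper_dialog}" == box ]]; then
+restart_dialog "${var_helper_dialog}"
+return 0
+elif [[ "${var_helper_dialog}" == gauge ]]; then
+restart_dialog "${var_helper_dialog}"
+return 0
+else
+restart_dialog "${var_helper_dialog}"
+return 0
+fi
+fi
+case "${answer,,}" in
+y|yes)
+printf "\e[91mCISS.debian.installer caught an INT. SIGINT confirmed by User, exiting Installer. \e[0m\n" >&2
+exit "${ERR_TRAPPED_SIG_INT}"
+;;
+*)
+printf "\e[92mCISS.debian.installer caught an INT. SIGINT NOT confirmed by User, proceeding with Installer. \e[0m\n" >&2
+if [[ "${var_helper_dialog}" == box ]]; then
+restart_dialog "${var_helper_dialog}"
+return 0
+elif [[ "${var_helper_dialog}" == gauge ]]; then
+restart_dialog "${var_helper_dialog}"
+return 0
+else
+restart_dialog "${var_helper_dialog}"
+return 0
+fi
+;;
+esac
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh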
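Review bot: The three branches of `if [[ "${var_helper_dialog}" == box ]] … elif … gauge … else … fi` in trap_int do exactly the same thing, `restart_dialog "${var_helper_dialog}"; return 0`, both after the read timeout and in the `*)` arm, so each can collapse to those two lines and let restart_dialog's own `case` do the dispatch. On the abort path `exit "${ERR_TRAPPED_SIG_INT}"` runs with ERR and INT still ignored by `trap '' ERR INT` and presumably relies on the EXIT trap for cleanup; a comment such as `# cleanup is done by trap_exit via the EXIT trap` would make that dependency explicit. restart_dialog re-installs the ERR trap command verbatim, so that string now exists in at least two places and can drift; keeping it in one helper or variable avoids that.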

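--- a/lib/1035_clean_up.sh
+++ b/lib/1035_clean_up.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Clean Up Wrapper on Trap on 'EXIT'.
+# Globals:
+# LOG_ERROR
+# VAR_KERNEL_INF
+# VAR_KERNEL_SRT
+# VAR_KERNEL_TMP
+# VAR_WORKDIR
+# Arguments:
+# $1: ${var_trap_on_exit_code} of trap_exit()
+#######################################
+clean_up() {
+declare var_clean_exit_code="$1"
+rm -f -- "${VAR_KERNEL_INF}"
+rm -f -- "${VAR_KERNEL_SRT}"
+rm -f -- "${VAR_KERNEL_TMP}"
+rm -f -- "${VAR_NOTES}"
+# Release advisory lock on FD 127.
+flock -u 127
+# Close file descriptor 127.
+exec 127>&-
+# Remove the lockfile artifact.
+rm -f /run/lock/ciss_debian_installer.lock
+if (( var_clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh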
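Review bot: `rm -f /run/lock/ciss_debian_installer.lock` after `flock -u 127` opens a window in which a second instance may already hold the lock on that inode; once the file is unlinked, a third instance creates a fresh file and locks that instead, so two installers can run concurrently despite the lock. The usual pattern is to leave the lockfile in place and only release the lock; a comment like `# lockfile is intentionally left behind: unlinking a flock'd file breaks mutual exclusion` documents the choice. `flock -u 127` and `exec 127>&-` also fail when FD 127 was never opened (an exit before the lock is taken), which under set -e would abort clean_up before `rm -f -- "${LOG_ERROR}"` runs; `flock -u 127 2>/dev/null || true` keeps the cleanup best-effort. The Globals list names VAR_WORKDIR, which the function does not use, and omits VAR_NOTES, which it removes.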

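--- a/lib/1040_arg_mismatch.sh
+++ b/lib/1040_arg_mismatch.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Wrapper for mismatched Arguments.
+# Globals:
+# ERR_ARG_MISMATCH
+# VAR_AUTO_INSTALL
+# VAR_IN_DIALOG_WR
+# Arguments:
+# $1: Error message to be printed.
+#######################################
+arg_mismatch() {
+### Call cleaner if and only if not in auto-install mode.
+if [[ "${VAR_AUTO_INSTALL}" == false ]]; then
+### Dynamically select the cleaner based on the dialog wrapper type.
+case "${VAR_IN_DIALOG_WR}" in
+box|gauge)
+"dialog_${VAR_IN_DIALOG_WR}_cleaner"
+;;
+esac
+fi
+printf "\e[91m❌ Error: %s\e[0m\n" "${1}" >&2
+read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+exit "${ERR_ARG_MISMATCH}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh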
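Review bot: `read -pr $'…'` is parsed by bash as `-p r` with the prompt string taken as the variable name, so read fails with an invalid-identifier error instead of prompting; write it as `read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'` (sanitize_arg in 1041_arg_sanitizer.sh uses the `-p` form for the same prompt). The prompt also blocks until ENTER even when `VAR_AUTO_INSTALL` is not false, which the function otherwise treats as the unattended mode; skipping the read in that case, or adding `-t` with a timeout, keeps an argument error from hanging an unattended run.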

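--- a/lib/1041_arg_sanitizer.sh
+++ b/lib/1041_arg_sanitizer.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Argument Check Wrapper.
+# Arguments:
+# $1: "$@" of ./setup.sh
+#######################################
+arg_check() {
+declare a
+declare sanitized_args=()
+for a in "$@"; do
+sanitized_args+=("$( sanitize_arg "${a}")")
+done
+set -- "${sanitized_args[@]}"
+}
+#######################################
+# Function to sanitize a single argument
+# Globals:
+# ERR_UNSAFE_CHARACTER
+# LOG_ERROR
+# Arguments:
+# $1: Argument to check
+#######################################
+sanitize_arg() {
+declare input="${1}"
+declare disallowed_ctrl=""
+### Step 1: Check for control characters
+if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then
+disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
+| while read -r c; do printf "%02X " "'$c"; done)
+{
+printf "❌ Control character : '%s'. \n" "${disallowed_ctrl}"
+printf "❌ in argument : '%s'. \n" "${input}"
+printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+printf "\n"
+} >> "${LOG_ERROR}"
+case "${VAR_IN_DIALOG_WR}" in
+box ) dialog_box_cleaner ;;
+gauge ) dialog_gauge_cleaner ;;
+esac
+printf "\e[91m❌ Control character : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
+printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2
+printf "\e[91m❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+# shellcheck disable=SC2162
+read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+exit "${ERR_UNSAFE_CHARACTER}"
+fi
+### Step 2: Define allowed characters:
+### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
+declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
+declare disallowed
+disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")
+if [[ -n ${disallowed} ]]; then
+{
+printf "❌ Invalid character : '%s'. \n" "${disallowed//?/& }"
+printf "❌ in argument : '%s'. \n" "${input}"
+printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
+printf "\n"
+} >> "${LOG_ERROR}"
+case "${VAR_IN_DIALOG_WR}" in
+box ) dialog_box_cleaner ;;
+gauge ) dialog_gauge_cleaner ;;
+esac
+printf "\e[91m❌ Invalid character : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
+printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2
+printf "\e[91m❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+# shellcheck disable=SC2162
+read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+exit "${ERR_UNSAFE_CHARACTER}"
+else
+printf '%s' "${input}"
+fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh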
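Review bot: `exit "${ERR_UNSAFE_CHARACTER}"` inside sanitize_arg only terminates the subshell when the function is invoked through `$( sanitize_arg "${a}")` in arg_check, so an argument with a forbidden character prints the error in the subshell while the parent continues — the rejection then depends on set -e or the ERR trap acting on the assignment's exit status, and the dialog cleaner's `unset`/`declare -gx` changes are lost with the subshell. Since sanitize_arg never transforms its input (it either exits or echoes `${input}` unchanged), call it directly in the loop as `sanitize_arg "${a}"` and drop the capture; likewise `set -- "${sanitized_args[@]}"` only rewrites arg_check's own positional parameters, not the caller's, so that array is currently discarded. The header comment could state the contract plainly: `# Validates, never rewrites: exits with ERR_UNSAFE_CHARACTER on any character outside the allowlist.` The Globals list should also include VAR_IN_DIALOG_WR, which both branches read.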

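--- a/lib/1042_arg_parser.sh
+++ b/lib/1042_arg_parser.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Argument Parser
+# Globals:
+# VAR_AUTO_INSTALL
+# VAR_IN_DIALOG_WR
+# VAR_PRIORITY
+# VAR_REIONICE_CLASS
+# VAR_REIONICE_PRIORITY
+# Arguments:
+# None
+#######################################
+arg_parser() {
+while [[ $# -gt 0 ]]; do
+declare argument="${1}"
+case "${argument,,}" in
+-a | --autoinstall)
+if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--autoinstall MUST NOT be followed by an argument."; fi
+shift 1
+;;
+-c | --contact)
+if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--contact MUST NOT be followed by an argument."; fi
+shift 1
+;;
+-d | --debug)
+shift 1
+while [[ $# -gt 0 && ! "$1" =~ ^- ]]; do
+shift 1
+done
+;;
+-h | --help)
+if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--help MUST NOT be followed by an argument."; fi
+shift 1
+;;
+-l | --log)
+case "${2,,}" in
+info)
+declare -gx DEFAULT_LOG_LEVEL="$2"
+shift 2
+;;
+notice)
+declare -gx DEFAULT_LOG_LEVEL="$2"
+shift 2
+;;
+warn)
+declare -gx DEFAULT_LOG_LEVEL="$2"
+shift 2
+;;
+error)
+declare -gx DEFAULT_LOG_LEVEL="$2"
+shift 2
+;;
+emergency)
+declare -gx DEFAULT_LOG_LEVEL="$2"
+shift 2
+;;
+*)
+if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi
+usage
+;;
+esac
+;;
+-v | --version)
+if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--version MUST NOT be followed by an argument."; fi
+shift 1
+;;
+--renice-priority)
+if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+declare -gix VAR_PRIORITY="${2}"
+shift 2
+else
+arg_mismatch "--renice-priority MUST be an integer between '-19' and '19'."
+fi
+;;
+--reionice-priority)
+if [[ -z "${2}" ]]; then
+arg_mismatch "--reionice-priority no values provided."
+else
+if [[ "${2}" =~ ^[1-3]$ ]]; then
+declare -gix VAR_REIONICE_CLASS="${2}"
+if [[ -z "${3}" ]]; then
+:
+else
+if [[ "${3}" =~ ^[0-7]$ ]]; then
+declare -gix VAR_REIONICE_PRIORITY="${3}"
+else
+arg_mismatch "--reionice-priority PRIORITY MUST be an integer between '0' and '7'."
+fi
+fi
+else
+arg_mismatch "--reionice-priority CLASS MUST be an integer between '1' and '3'."
+fi
+fi
+if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then
+shift 3
+else
+shift 2
+fi
+;;
+*)
+if [[ "${VAR_AUTO_INSTALL}" == false && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_gauge_cleaner; fi
+usage
+;;
+esac
+done
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh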
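Review bot: `"${VAR_IN_DIALOG_WR}" == true` in the two `usage` fallbacks can never match, because 1050_dialog_helper.sh sets that variable to box, gauge or false, so no dialog is ever cleaned up before usage prints over it; dispatch on the wrapper name instead, as arg_mismatch does with `case "${VAR_IN_DIALOG_WR}" in box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;; esac`. In the `--reionice-priority` arm, `if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then shift 3` keys the shift count on a global that may already be set from an earlier occurrence or the environment rather than on whether `$3` was consumed here, so the wrong argument can be dropped; count the consumed words in a local instead. The five identical `--log` arms collapse to `info|notice|warn|error|emergency) declare -gx DEFAULT_LOG_LEVEL="$2"; shift 2 ;;`. If set -u is in effect, `"${2}"` and `"${3}"` also need `:-` defaults at the end of the argument list.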


@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check and setup Script Priorities
# Globals:
# VAR_PRIORITY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# Arguments:
# None
#######################################
arg_priority_check() {
declare var
### Check if nice PRIORITY is set and adjust nice priority.
if [[ -n ${VAR_PRIORITY} ]]; then
renice "${VAR_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m✅ New renice value: %s\e[0m\n" "${var}"
fi
# Check if ionice PRIORITY is set and adjust ionice priority.
if [[ -n ${VAR_REIONICE_CLASS} ]]; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m✅ New ionice value: %s\e[0m\n" "${var}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
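Review bot: The `> /dev/null 2>&1` on `var=$(ps -o ni= -p $$)` and `var=$(ionice -p $$)` applies to the assignment, not to the command inside the substitution, so it silences nothing; move the redirection inside the parentheses or drop it. `renice` and `ionice` are unchecked, and lowering the nice value or selecting class 1 typically needs elevated privileges, so under set -e a refusal aborts the installer at this line; `renice "${VAR_PRIORITY}" -p "$$" || printf '\e[93m⚠ renice failed, continuing\e[0m\n' >&2` keeps the adjustment best-effort. The file header for this section is not shown on the page, so I cannot tell which library file the hunk belongs to.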

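--- a/lib/1050_dialog_helper.sh
+++ b/lib/1050_dialog_helper.sh
@@ -0,0 +1,151 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Terminal cleaner for Dialog Wrappers.
+# Arguments:
+# None
+#######################################
+clean_screen() {
+tput cnorm > /dev/tty # Cursor visible
+tput sgr0 > /dev/tty # Attributes off
+stty sane < /dev/tty # Sane modes
+tput rmcup > /dev/tty # Back to the main buffer
+clear > /dev/tty # Clear residual
+#lines=$(tput lines)
+#tput cup $((lines-1)) 0 > /dev/tty
+#printf "\n" > /dev/tty
+}
+#######################################
+# Wrapper for Dialog Gauge Bar.
+# Globals:
+# PID_DIALOG_GAUGE
+# PIPE_DIALOG_GAUGE
+# VAR_IN_DIALOG_WR
+# Arguments:
+# None
+#######################################
+dialog_gauge() {
+clear
+declare -gx VAR_IN_DIALOG_WR="gauge"
+declare -gr PIPE_DIALOG_GAUGE="/tmp/dialog_gauge_$$.fifo"
+if [[ -e "${PIPE_DIALOG_GAUGE}" && ! -p "${PIPE_DIALOG_GAUGE}" ]]; then
+rm -f "${PIPE_DIALOG_GAUGE}"
+fi
+[[ -p "${PIPE_DIALOG_GAUGE}" ]] || mkfifo "${PIPE_DIALOG_GAUGE}"
+setsid dialog --no-collapse \
+--ascii-lines \
+--keep-tite \
+--title "CISS.debian.installer" \
+--gauge "Starting installation..." \
+10 70 0 \
+< "${PIPE_DIALOG_GAUGE}" &
+declare -gr PID_DIALOG_GAUGE="$!"
+exec {FD_GAUGE}> "${PIPE_DIALOG_GAUGE}"
+}
+#######################################
+# Wrapper for Dialog Program Box.
+# Globals:
+# COLS_USE
+# PID_DIALOG_BOX
+# PIPE_DIALOG_BOX
+# ROWS_USE
+# VAR_IN_DIALOG_WR
+# Arguments:
+# None
+#######################################
+dialog_box() {
+### Save original stdout
+exec {FD_SAVE_OUT}>&1
+clear
+declare -gx VAR_IN_DIALOG_WR="box"
+declare -gr PIPE_DIALOG_BOX="/tmp/dialog_box_$$.fifo"
+if [[ -e "${PIPE_DIALOG_BOX}" && ! -p "${PIPE_DIALOG_BOX}" ]]; then
+rm -f "${PIPE_DIALOG_BOX}"
+fi
+[[ -p "${PIPE_DIALOG_BOX}" ]] || mkfifo "${PIPE_DIALOG_BOX}"
+dialog --create-rc ~/.dialogrc
+sed -i 's/screen_color = (CYAN,BLUE,ON)/screen_color = (WHITE,RED,ON)/' ~/.dialogrc
+sed -i 's/title_color = (BLUE,WHITE,ON)/title_color = (BLACK,WHITE,ON,ON)/' ~/.dialogrc
+sed -i 's/use_scrollbar = OFF/use_scrollbar = ON/' ~/.dialogrc
+sed -i 's/dialog_color = (BLACK,WHITE,OFF)/dialog_color = (WHITE,BLACK,OFF)/' ~/.dialogrc
+sed -i 's/border2_color = dialog_color/border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
+sed -i 's/inputbox_border_color = dialog_color/inputbox_border_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
+sed -i 's/inputbox_border2_color = dialog_color/inputbox_border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
+sed -i 's/menubox_border_color = border_color/menubox_border_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
+sed -i 's/menubox_border2_color = dialog_color/menubox_border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
+sed -i 's/searchbox_border2_color = dialog_color/searchbox_border2_color = (BLACK,WHITE,OFF)/' ~/.dialogrc
+chmod 0440 ~/.dialogrc
+setsid dialog --colors \
+--ascii-lines \
+--title "Installation Progress" \
+--backtitle "CISS.2025.debian.installer" \
+--programbox "${ROWS_USE}" "${COLS_USE}" \
+< "${PIPE_DIALOG_BOX}" &
+declare -gr PID_DIALOG_BOX="$!"
+### Redirect both stdout and stderr into FIFO
+exec 1> "${PIPE_DIALOG_BOX}" 2>&1
+}
+#######################################
+# Dialog Program Box Cleaner.
+# Globals:
+# PID_DIALOG_BOX
+# PIPE_DIALOG_BOX
+# Arguments:
+# None
+#######################################
+dialog_box_cleaner() {
+[[ -n "${FD_SAVE_OUT-}" ]] && exec 1>&"${FD_SAVE_OUT}" 2>&"${FD_SAVE_OUT}"
+[[ -n "${FD_SAVE_OUT-}" ]] && exec {FD_SAVE_OUT}>&-
+[[ -n "${FD_SAVE_OUT-}" ]] && unset FD_SAVE_OUT
+kill -TERM -- -"${PID_DIALOG_BOX}" 2>/dev/null || true
+wait "${PID_DIALOG_BOX}" 2>/dev/null || true
+unset PID_DIALOG_BOX
+rm -f "${PIPE_DIALOG_BOX}"
+unset PIPE_DIALOG_BOX
+rm -f ~/.dialogrc
+declare -gx VAR_IN_DIALOG_WR="false"
+clean_screen
+sleep 1
+}
+#######################################
+# Dialog Gauge Bar Cleaner.
+# Globals:
+# PID_DIALOG_GAUGE
+# PIPE_DIALOG_GAUGE
+# Arguments:
+# None
+#######################################
+dialog_gauge_cleaner() {
+if [[ -n "${FD_GAUGE-}" ]]; then
+exec {FD_GAUGE}>&-
+unset FD_GAUGE
+fi
+kill -TERM -- -"${PID_DIALOG_GAUGE}" 2>/dev/null || true
+wait "${PID_DIALOG_GAUGE}" 2>/dev/null || true
+unset PID_DIALOG_GAUGE
+rm -f "${PIPE_DIALOG_GAUGE}"
+unset PIPE_DIALOG_GAUGE
+declare -gx VAR_IN_DIALOG_WR="false"
+clean_screen
+sleep 1
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh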
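Review bot: `declare -gr PIPE_DIALOG_GAUGE=…` and `declare -gr PID_DIALOG_GAUGE=…` in dialog_gauge (and the PIPE_DIALOG_BOX/PID_DIALOG_BOX pair in dialog_box) are readonly, yet the cleaners `unset` them and restart_dialog in 1032_trap_int.sh calls the wrapper again, which re-declares them; both operations fail on a readonly variable, so the first unconfirmed INT breaks the cleaner under set -e and the restarted dialog. Drop `-r` from those four declarations, since each call re-initialises them anyway. The FIFOs are created at the predictable paths `/tmp/dialog_gauge_$$.fifo` and `/tmp/dialog_box_$$.fifo` in a world-writable directory and an already-existing FIFO is reused, so another local user who pre-creates that FIFO receives the installer's stdout and stderr, which dialog_box redirects into it. Create them under a private directory instead, for example `declare -g DIALOG_DIR; DIALOG_DIR=$(mktemp -d) && mkfifo -m 0600 "${DIALOG_DIR}/box.fifo"`, and remove that directory in the cleaners. dialog_box also overwrites and later deletes the user's `~/.dialogrc`; writing the generated rc into that private directory and pointing `DIALOGRC` at it would avoid clobbering an existing config.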

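--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# CISS.2025.debian.installer GRUB and Autostart Generator
+# Globals:
+# BASH_SOURCE
+# VAR_HANDLER_BUILD_DIR
+# VAR_HANDLER_CDI
+# VAR_KERNEL
+# VAR_WORKDIR
+# Arguments:
+# None
+#######################################
+cdi() {
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
+if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
+mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
+fi
+cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
+chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
+chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
+declare tmp_entry
+tmp_entry="$(mktemp)"
+cat << EOF >| "${tmp_entry}"
+menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
+linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
+initrd /live/initrd.img-${VAR_KERNEL}
+}
+EOF
+sed -i "/#MUST_BE_REPLACED/{
+r ${tmp_entry}
+d
+}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
+sed -i "/#MUST_BE_REPLACED/{
+r ${tmp_entry}
+d
+}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
+rm -f "${tmp_entry}"
+else
+# shellcheck disable=SC1003
+sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
+fi
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh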
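Review bot: The `else` branch strips the `#MUST_BE_REPLACED` placeholder only from `grub-efi/grub.cfg`, while the `VAR_HANDLER_CDI == true` branch patches both `grub-efi/grub.cfg` and `grub-pc/grub.cfg`, so a BIOS build with the CDI entry disabled ships a grub.cfg that still contains the marker; add the matching `sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"` line. The heredoc relies on `${VAR_KERNEL}` expanding here while `findiso=\${iso_path}` survives for GRUB, which is correct but easy to break on a later edit; a comment such as `# unquoted EOF: VAR_KERNEL expands now, the escaped ${iso_path} is left for GRUB` above `cat << EOF` would protect it.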

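--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Change Grub Boot Screen Splash
+# Globals:
+# VAR_HANDLER_BUILD_DIR
+# VAR_HANDLER_SPLASH
+# VAR_WORKDIR
+# Arguments:
+# None
+#######################################
+change_splash() {
+if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
+cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
+cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
+cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
+elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
+cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
+cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
+cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
+fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh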
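Review bot: change_splash silently does nothing when `VAR_HANDLER_SPLASH` holds any value other than club or hexagon, so a typo in the configuration keeps whatever splash.png is already in the build tree without any message; an `else printf "\e[93m⚠ Unknown VAR_HANDLER_SPLASH '%s', keeping existing splash.\e[0m\n" "${VAR_HANDLER_SPLASH}" >&2` arm makes the fall-through visible. The two branches differ only in the file name, so a single `case` that sets a local `splash="${VAR_HANDLER_SPLASH}.png"` and runs the three `cp -af` lines once would remove the duplication.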

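--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Check if hardened Centurion DNS servers are desired.
+# Globals:
+# VAR_HANDLER_DHCP
+# VAR_WORKDIR
+# Arguments:
+# None
+#######################################
+check_dhcp() {
+if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
+chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
+fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh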
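Review bot: `chmod +x … && …/0010_dhcp_supersede.sh` means a failed chmod (read-only checkout, a filesystem without mode bits) silently skips the DHCP supersede step, because set -e does not act on the left-hand side of `&&`; running the script through the interpreter, `bash -- "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"`, needs no mode change on the working tree and lets a failure surface. The header comment talks about DNS servers while the function name and the script path speak of DHCP supersede; `# Run the DHCP supersede script when VAR_HANDLER_DHCP is 1.` would match what the code does.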

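--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
+# Globals:
+# ERR_UNCRITICAL
+# VAR_WORKDIR
+# Arguments:
+# None
+#######################################
+check_hooks() {
+declare ifs
+ifs=$'\n\t'
+shopt -s nullglob
+declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
+if (( ${#files[@]} == 0 )); then
+printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
+exit "${ERR_UNCRITICAL}"
+fi
+declare file
+for file in "${files[@]}"; do
+chmod 0755 "${file}"
+done
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh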
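Review bot: `shopt -s nullglob` is process-wide, not function-local, so after check_hooks returns every unmatched glob elsewhere in the installer expands to nothing instead of the literal pattern, silently changing the behaviour of later code; add `shopt -u nullglob` before the function returns (or save the prior state with `shopt -p nullglob` and restore it) so the option only covers the `*.chroot` expansion. `declare ifs; ifs=$'\n\t'` is assigned but never used — `IFS` itself is not changed — and can be removed.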

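--- a/lib/lib_check_kernel.sh
+++ b/lib/lib_check_kernel.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Kernel Image Selector
+# Globals:
+# VAR_ARCHITECTURE
+# VAR_KERNEL
+# VAR_KERNEL_SRT
+# VAR_KERNEL_TMP
+# Arguments:
+# None
+# Returns:
+# 42: Sorting Error.
+#######################################
+check_kernel() {
+clear
+declare -i counter=1
+declare first_string=""
+declare line=""
+declare -gx VAR_KERNEL=""
+declare name=""
+declare options=""
+if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
+apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
+else
+apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
+fi
+sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
+printf "❌ Error check_kernel() Line 40 sort failed\n" >&2
+# shellcheck disable=SC2162
+read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+return 42
+}
+while IFS= read -r line; do
+first_string=${line%% *}
+name=${first_string#linux-image-}
+options+=("${name}" "${counter}" off)
+((counter++))
+done < "${VAR_KERNEL_SRT}"
+# shellcheck disable=SC2155
+if declare -g VAR_KERNEL=$(dialog \
+--no-collapse \
+--ascii-lines \
+--clear \
+--backtitle "CISS.debian.live.builder" \
+--title "Select the Kernel for the CISS Hardened Debian Live Image ISO" \
+--radiolist "Kernel available \n *+bpo* : Debian Backported Kernel \n *cloud* : Special lightweight images for KVM \n *unsigned* : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-); then
+clear
+else
+clear
+if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
+declare -gr VAR_KERNEL="amd64"
+elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
+declare -gr VAR_KERNEL="arm64"
+fi
+fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh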
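Review bot: `declare options=""` creates a scalar, and the later `options+=("${name}" "${counter}" off)` turns it into an array whose element 0 is the empty string, so the radiolist receives an empty leading tag and every tag/item/status triplet is shifted by one (dialog sees `"${name}"` as the item and `"${counter}"` as the status); declare it as `declare -a options=()`. `>> "${VAR_KERNEL_TMP}"` appends, so if check_kernel runs more than once while that file exists every kernel is listed twice; use `>` or truncate the file first. The sort failure message hardcodes `Line 40`, which drifts with any edit; `${LINENO}` reports the real line.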

65
lib/lib_check_provider.sh Normal file

@@ -0,0 +1,65 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Notes Textbox
# Arguments:
# None
#######################################
check_provider() {
clear
cat << 'EOF' >| "${VAR_NOTES}"
Build: Master V8.03.768.2025.06.17
Press 'EXIT' to continue with CISS.debian.live.builder.
When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
you might believe you're booting a freshly uploaded image, but in fact, the system silently reattaches an
earlier one-leading to confusing failures and wasted troubleshooting time.
A separate but related issue emerges when booting certain Debian "cloud" kernel images-specifically those
matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64-on a Netcup G11 instance or on a Hetzner VM.
After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
one actually provided by the virtual hardware. Common workarounds, like editing the boot entry (e) and appending
- 'nomodeset', or
- 'vga=0x318',
do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
in modern cloud images.
To mitigate this, you can:
- Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
for cloud-init but presume a different console setup.
- Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
command line. This aligns the initramfs console driver with the actual firmware framebuffer.
- Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
graphical framebuffer entirely.
EOF
dialog --no-collapse \
--ascii-lines \
--clear \
--backtitle "CISS.debian.live.builder" \
--title "Important Notes" \
--scrollbar \
--textbox "${VAR_NOTES}" 32 128
clear
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

27
lib/lib_check_stats.sh Normal file

@@ -0,0 +1,27 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Check if analysis run is desired only.
# Globals:
# VAR_HANDLER_STA
# Arguments:
# None
#######################################
check_stats() {
if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
clear
run_analysis
exit 0
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

35
lib/lib_check_var.sh Normal file

@@ -0,0 +1,35 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Unbound Variable Check and call Trap on ERR
# Globals:
# ERR_UNBOUNDVAR
# Arguments:
# $1: VAR_NAME to check
# Returns:
# "${ERR_UNBOUNDVAR}"
#######################################
check_var() {
declare var_name_to_check="$1"
if [[ -n "${!var_name_to_check+exists}" ]]; then
if [[ -n "${!var_name_to_check}" ]]; then
printf "\e[92m✅ Variable: '%s' exists and is NOT empty: '%s' \e[0m\n" "${var_name_to_check}" "${!var_name_to_check}"
else
printf "\e[92m✅ Variable: '%s' exists but is empty. \e[0m\n" "${var_name_to_check}"
fi
else
printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
return "${ERR_UNBOUNDVAR}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
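Review bot: The first printf in the success branch writes the variable's full value to stdout, so checking a secret-bearing name (for instance the hashed root password that hardening_root_pw consumes) puts that value into the terminal and any captured build log; print only the name, or redact the value for names that match a sensitive pattern. The indirect expansion `${!var_name_to_check}` also evaluates array subscripts, so `$1` should be constrained to a plain identifier before it is dereferenced: `[[ ${var_name_to_check} =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return "${ERR_UNBOUNDVAR}"`. ERR_UNBOUNDVAR is read but not defined in this file; presumably it is sourced earlier, and the header should say so.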

38
lib/lib_copy_integrity.sh Normal file

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Copy Initial ISO aide Database into Host System
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
# 0 : Aide Init DB copying successful.
#######################################
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
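Review bot: The failure branch only prints and then falls off the end of the function, so copy_db returns printf's status (0) and a caller cannot tell that the aide database was not copied; add `return 1` (or the framework's error code) after the printf, send that message to stderr with `>&2`, and list the non-zero status under Returns in the header. The copied database files get `chmod 0400` but keep whatever owner `cp -p` preserved from the chroot; if the host-side copy is meant to be root-only, an explicit `chown root:root` as the other lib files do would make that intent visible.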


@@ -0,0 +1,101 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# Returns:
# 0: In case no root password is desired.
#######################################
hardening_root_pw() {
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
# sleep 1
return 0
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
# sleep 1
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_file="${cfg_dir}/config.conf"
declare dropin_dir="${cfg_dir}/config.conf.d"
declare dropin_file="${dropin_dir}/20-root-password.conf"
mkdir -p "${dropin_dir}"
cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf
live-config.noautologin
EOF
if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
fi
declare clean_hash="${VAR_HASHED_PWD//\"/}"
printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
chmod 0600 "${dropin_file}"
chown root:root "${dropin_file}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
[Service]
ExecStart=
#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
ExecStart=-agetty --noclear %I $TERM
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
tty1
tty2
tty3
tty4
tty5
tty6
EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
### Hotfix I
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#!/bin/sh
# bypass live-config-getty-generator
exit 0
EOF
chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
### Hotfix II
#mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
#touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
# sleep 1
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
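Review bot: The hashed root password is written a second time to `includes.chroot/root/.pwd`, and nothing in this hook reads it, so the secret is duplicated into the image filesystem with no visible consumer; drop the three `.pwd` lines unless a later hook depends on that file, in which case name it in a comment next to the write. The `grep -q ... "${cfg_file}"` / `sed -i` pair assumes `config.conf` already exists, but only `dropin_dir` is created here; if the file is absent, grep fails, the negated test is true and `sed -i` errors out, so guard it with `[[ -f ${cfg_file} ]]` or create the file first. The function is fully inside the hunk; the file header line for this section is not shown on this page.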

63
lib/lib_hardening_ssh.sh Normal file

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# SSH Hardening Ultra via TCP Wrapper
# Globals:
# ARY_HANDLER_JUMPHOST
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ssh() {
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
EOF
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked-up hostnames still leave understandable logs. In past
# versions of Debian, this has been the default.
# ALL: PARANOID
ALL: ALL
EOF
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
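Review bot: hosts.allow/hosts.deny only restrict sshd if the sshd binary inside the chroot is linked against libwrap; upstream OpenSSH removed tcp_wrappers support long ago and Debian's package has since dropped the patch that re-added it, so on a recent release these files are presumably inert for sshd and the effective perimeter is the ufw rule set written by hardening_ultra. A comment here stating which mechanism is relied on, or a build-time check in a chroot hook such as `ldd "$(command -v sshd)" | grep -q libwrap || echo "sshd has no libwrap" >&2`, would stop the deny-all file from being mistaken for an enforced control. `allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')` can be written without the subshell as `allowed=${ARY_HANDLER_JUMPHOST[*]//$'\n'/ }`.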

221
lib/lib_hardening_ultra.sh Normal file

@@ -0,0 +1,221 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ultra() {
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
fi
cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
case "${VAR_ARCHITECTURE}" in
amd64)
declare arch_list="./config/package-lists/live.list.amd64.chroot"
declare arch_comment="# amd64 specific packages"
;;
arm64)
declare arch_list="./config/package-lists/live.list.arm64.chroot"
declare arch_comment="# arm64 specific packages"
;;
*)
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
exit 1
;;
esac
declare pkgs
mapfile -t pkgs < <(
grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
)
awk -v comment="${arch_comment}" -v n_pkgs="${#pkgs[@]}" -v pkgs="$(printf '%s\n' "${pkgs[@]}")" '
BEGIN {
split(pkgs, pkg_arr, "\n")
inserted = 0
}
{
# Detect the vim-modeline (last line marker)
if ($0 ~ /^# vim:.*$/ && !inserted) {
print comment
for (i = 1; i <= length(pkg_arr); i++) {
print pkg_arr[i]
}
inserted = 1
}
print
}
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
else
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
fi
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets []
declare flat_ips
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
# flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"
# Perform an in-place replacement of MUST_BE_SET with the cleaned list
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i \
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
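Review bot: In the branch where `.ssh` does not exist, the generic `ufw allow in "${SSHPORT}"/tcp` rule is deleted whenever `ARY_HANDLER_JUMPHOST` is non-empty, but the replacement rules loop over `ARY_HANDLER_JUMPHOST_UNIQUE`, which clean_ip (lib_helper_ip.sh) fills only with non-CIDR entries; a configuration consisting solely of CIDR jump hosts (the fail2ban comment further down shows a /64) therefore ships an image with no SSH allow rule at all. Gate the deletion on the same array the loop uses, as the second branch already does, and prefer keeping CIDR entries since `ufw allow from <cidr>` is valid. The two branches from the `.ssh` check to the matching `fi` are otherwise identical apart from the `mkdir -p` and the error text; hoisting the `mkdir -p` and keeping one copy removes the drift that is already visible. `sshport` is interpolated into three sed scripts and the ufw rule without validation, so a check such as `[[ ${sshport} =~ ^[0-9]{1,5}$ ]] || exit 1` before its first use keeps a bad VAR_SSHPORT from producing a malformed sshd_config.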

36
lib/lib_helper_ip.sh Normal file

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# IP Notation cleaner for pure IP output only
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
#######################################
clean_ip() {
declare host
declare stripped
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
# Skip if it contains a slash (CIDR range)
if [[ ${stripped} == */* ]]; then
continue
fi
# Directly append, no duplicate check
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
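Review bot: The target array is named `_UNIQUE` and listed as a global in the header, yet the loop explicitly appends without a duplicate check and never resets the array, so a second call doubles every entry; initialise it once with `declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()` before the loop and test membership, or rename it to reflect that it is only bracket-stripped. `declare -ga ... +=(...)` inside the loop body works in bash but re-declares the variable on every iteration; a plain `ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")` after the one-time declaration reads more clearly. The silent CIDR skip should be stated in the header, since hardening_ultra derives firewall rules from this array.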

46
lib/lib_lb_build_start.sh Normal file

@@ -0,0 +1,46 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# ERR_UNCRITICAL
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
#######################################
lb_build_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# sleep 1
# shellcheck disable=SC2164
cd "${SCRIPT_BASEPATH}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -type f -name "*.iso" | sort | tail -n1)
if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
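Review bot: `if lb build --color 2>&1 | tee ...; then` tests tee's exit status, so without `pipefail` a failed `lb build` is reported as successful and only the ISO check below stands between that and a stale image from an earlier run being accepted; capture the first stage's status instead, `lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"` followed by `if (( PIPESTATUS[0] == 0 )); then`. `find ... | sort | tail -n1` picks the lexically last ISO rather than the newest, which is worth a comment if the naming scheme guarantees they coincide. `SCRIPT_BASEPATH` is read but missing from the Globals list in the header.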


@@ -0,0 +1,55 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# VAR_HANDLER_BUILD_DIR
# Arguments:
# $0: Script-name
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
rm -f ./config/binary
rm -f ./config/bootstrap
rm -f ./config/chroot
rm -f ./config/common
rm -f ./config/source
rm -f ./*.{contents,files,iso,bz2,packages}
# Start lb clean in a completely detached shell
bash -c "lb clean && lb clean --binary --cache" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
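Review bot: `bash -c "lb clean && lb clean --binary --cache" &` with `disown` and a one-second `sleep` leaves the cleanup running detached while the caller proceeds, so the config writing and copying that follow (lb_config_write, hardening_ultra) can race against a deletion still in flight, and a failure of either command is never observed; run them in the foreground and check the status, `lb clean && lb clean --binary --cache || exit "${ERR_UNCRITICAL}"`, and treat the detached `lb config` in the other branch the same way. `rm -f ./config/binary` and its siblings are silent no-ops if those paths are directories; if the intent is to remove stale generated files only, a comment saying so would help. The file header line for this section is not shown on this page.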

121
lib/lib_lb_config_write.sh Normal file

@@ -0,0 +1,121 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# VAR_HANDLER_ISO_COUNTER
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL
# VAR_WORKDIR
# VAR_VERSION
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# Arguments:
# None
#######################################
lb_config_write() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution bookworm \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution bookworm \
--distribution-binary bookworm \
--distribution-chroot bookworm \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb/debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution bookworm \
--parent-distribution bookworm \
--parent-distribution-binary bookworm \
--parent-distribution-chroot bookworm \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot auto \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
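Review bot: `--mirror-binary 'https://deb/debian.org/debian/'` has a slash where the dot belongs, so the apt source baked into the built image points at a host that does not exist while every other mirror option uses `deb.debian.org`; change it to `--mirror-binary 'https://deb.debian.org/debian/'`. The later `sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary` will not match a config written with `--checksums sha512 sha256 md5`, so it is presumably a no-op and the intended sha384 list never lands; either pass the final list through `--checksums` or match the value that `lb config` actually writes. The empty second header block (`# description` / `# Globals:`) directly above the function should be removed or merged into the real one.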


@@ -0,0 +1,45 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Notes Textbox
# Arguments:
# None
#######################################
provider_netcup() {
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
### dns01.eddns.eu dns02.eddns.de
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53
gateway fe80::1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
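Review bot: The `sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"` line edits the template in the source tree rather than the build copy, so after the first run the placeholder is gone and a rebuild with a different address silently ships the stale one; the configured value is also spliced unescaped into the sed expression, so a `|` or `&` in it would break or alter the substitution. Substitute while copying and leave the template untouched: `sed "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" > "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"`, which also makes the preceding `rm -f` unnecessary. The header block above `provider_netcup()` still reads `Notes Textbox`, apparently carried over from another file, and lists no globals although the function reads `VAR_HANDLER_NETCUP_IPV6`, `ARY_HANDLER_NETCUP_IPV6`, `VAR_HANDLER_BUILD_DIR` and `VAR_WORKDIR`. Whether the hook expects a single address or the space-joined list that `${ARY_HANDLER_NETCUP_IPV6[*]}` produces cannot be told from this hunk.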

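--- a/lib/lib_run_analysis.sh
+++ b/lib/lib_run_analysis.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-07; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: ZIMNOL, Andre H.; Private Contributor
+# SPDX-FileCopyrightText: 2025; ZIMNOL, Andre H.; <debian@zimnol.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#######################################
+# Wrapper for statistic functions of the final build.
+# Globals:
+# ERR_UNCRITICAL
+# VAR_BUILD_LOG
+# VAR_CHROOT_DIR
+# VAR_HANDLER_BUILD_DIR
+# VAR_PACKAGES_FILE
+# Arguments:
+# None
+#######################################
+run_analysis() {
+# shellcheck disable=SC2164
+cd "${VAR_HANDLER_BUILD_DIR}"
+# shellcheck disable=SC2155
+declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1)
+if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
+printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
+exit "${ERR_UNCRITICAL}"
+fi
+printf "\e[92m📊 Start analysis of : %s ... \e[0m\n" "${iso_file}"
+# shellcheck disable=SC2155
+declare iso_size_hr=$(du -h "${iso_file}" | awk '{print $1}')
+# shellcheck disable=SC2155
+declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}')
+# shellcheck disable=SC2155
+declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
+# shellcheck disable=SC2155
+declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
+# shellcheck disable=SC2155
+declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }')
+# shellcheck disable=SC2155
+declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
+# shellcheck disable=SC2155
+declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"
+if [[ -f "${VAR_BUILD_LOG}" ]]; then
+# shellcheck disable=SC2155
+declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true)
+# shellcheck disable=SC2155
+declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true)
+if [[ -n "${start_line}" && -n "${end_line}" ]]; then
+# shellcheck disable=SC2155
+declare start_epoch=$(echo "${start_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
+# shellcheck disable=SC2155
+declare end_epoch=$(echo "${end_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s)
+# shellcheck disable=SC2155
+declare duration_sec=$((end_epoch - start_epoch))
+# shellcheck disable=SC2155
+declare duration_min=$((duration_sec / 60))
+# shellcheck disable=SC2155
+declare duration_rest=$((duration_sec % 60))
+# shellcheck disable=SC2155
+declare build_duration=$(printf "%02dm:%02ds" "${duration_min}" "${duration_rest}")
+else
+declare build_duration="(Timestamp not found)"
+fi
+else
+declare build_duration="(No log file found)"
+fi
+# shellcheck disable=SC2155
+declare sha_sum=$(sha256sum "$iso_file" | tee "$iso_file.sha256" | awk '{print $1}')
+# shellcheck disable=SC2155
+declare time=$(date '+%Y-%m-%d %H:%M:%S')
+printf "\e[92m🧾 === Build summary === \e[0m\n"
+printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
+printf "\e[97m📦 ISO-File : %s \e[0m\n" "${iso_file}"
+printf "\e[97m📀 ISO-Size : %s \e[0m\n" "${iso_size_hr}"
+printf "\e[97m📂 Chroot-Size : %s \e[0m\n" "${chroot_size_hr}"
+printf "\e[97m📉 Compression-level : %s \e[0m\n" "${compression}"
+printf "\e[97m📦 Packages : %s \e[0m\n" "${package_count}"
+printf "\e[97m🕐 Build Time : %s \e[0m\n" "${build_duration}"
+printf "\e[97m🧠 CPUs for SquashFS : %s \e[0m\n" "${squash_cpu_used}"
+printf "\e[97m🔐 SHA256SUM : %s \e[0m\n" "${sha_sum}"
+printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n"
+printf "\e[97m📅 Analysis Time : %s \e[0m\n" "${time}"
+printf "\e[92m✅ Analysis completed.\e[0m\n"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh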
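Review bot: The compression ratio at `declare compression=$(awk -v iso=... -v chroot=...` divides by `chroot_size_bytes`, which is empty whenever `du -sb "${VAR_CHROOT_DIR}"` fails (its stderr is discarded), so awk aborts with a division-by-zero error and the summary is lost; guard inside the awk program instead: `'BEGIN { if (chroot > 0) printf "%.2f%%", 100 * iso / chroot; else printf "n/a" }'`. In the same spirit, `cd "${VAR_HANDLER_BUILD_DIR}"` should fail closed — `cd "${VAR_HANDLER_BUILD_DIR}" || exit "${ERR_UNCRITICAL}"` — rather than silence SC2164 and let `find .` pick an ISO from whatever the current directory happens to be; `grep ... "${VAR_BUILD_LOG}"` on the `squash_cpu_used` line likewise runs before the `-f "${VAR_BUILD_LOG}"` check that follows it. The `sha256sum ... | tee "$iso_file.sha256"` sidecar only detects transfer corruption: anyone able to replace the ISO can rewrite the digest next to it, so if this file is meant for release verification it needs a detached signature (GPG or signify) in a later step, and a comment should say which of the two it is. The `|| echo "nicht gefunden"` fallback for the package count is the one German string in otherwise English output and should read `"not found"`.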