V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-25 10:10:41 +02:00
parent 9c19212c00
commit e8d85a39ae
134 changed files with 13933 additions and 41 deletions


@@ -0,0 +1,286 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.5.1. Functions - installation - partition encryption #
###########################################################################################
###########################################################################################
# Function to encrypt the respective partition on each device according to the recipe string chosen.
# Globals:
# DIR_BAK
# DIR_CNF
# MAP_EPHEMERAL_DEV
# MAP_EPHEMERAL_ENCLABEL
# MAP_PATH_CRYPT
# MAP_UUID_CRYPT
# MODULE_ERR
# MODULE_TXT
# RECIPE_DEV_PARTITIONS
# RECIPE_STRING
# Arguments:
# None
###########################################################################################
3_5_1_functions_installation_partition_encryption() {
declare -g -x MODULE_ERR="3_5_1_functions_installation_partition_encryption"
declare -g -x MODULE_TXT="Encrypting each partition on each device"
do_show_header "${MODULE_TXT}"
### Reminder ###
# Array: "${!RECIPE_DEV_PARTITIONS[@]}"
# ${DEVICE}: "${RECIPE_DEV_PARTITIONS[${DEVICE}]}"
# Declare local variables
declare DEV
declare NUM_PARTITIONS
declare PARTITION
# Iterate through each device
for DEV in "${!RECIPE_DEV_PARTITIONS[@]}"; do
NUM_PARTITIONS=${RECIPE_DEV_PARTITIONS[${DEV}]}
# Iterate through each partition of the current device
for PARTITION in $(seq 1 "${NUM_PARTITIONS}"); do
# Generate vars for the current partition
declare ENCRYPTION_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_enable"
declare ENCRYPTION_EPHEMERAL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_ephemeral"
declare ENCRYPTION_INTEGRITY_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_integrity"
declare ENCRYPTION_NUKE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_nuke"
declare ENCRYPTION_CIPHER_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_cipher"
declare ENCRYPTION_HASH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_hash"
declare ENCRYPTION_ITERTIME_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_itertime"
declare ENCRYPTION_KEY_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_key"
declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_label"
declare ENCRYPTION_METADATASIZE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_metadatasize"
declare ENCRYPTION_PBKDF_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_pbkdf"
declare ENCRYPTION_RNG_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_rng"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_label"
declare MOUNT_PATH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_path"
# Initialize variables
declare ENCRYPTION_ENABLE=${!ENCRYPTION_ENABLE_VAR}
declare EPHEMERAL_ENABLE=${!ENCRYPTION_EPHEMERAL_VAR}
declare INTEGRITY_ENABLE=${!ENCRYPTION_INTEGRITY_VAR}
declare ENCRYPTION_CIPHER=${!ENCRYPTION_CIPHER_VAR}
declare ENCRYPTION_HASH=${!ENCRYPTION_HASH_VAR}
declare ENCRYPTION_ITERTIME=${!ENCRYPTION_ITERTIME_VAR}
declare ENCRYPTION_KEY=${!ENCRYPTION_KEY_VAR}
declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
declare ENCRYPTION_METADATASIZE=${!ENCRYPTION_METADATASIZE_VAR}
declare ENCRYPTION_PBKDF=${!ENCRYPTION_PBKDF_VAR}
declare ENCRYPTION_RNG=${!ENCRYPTION_RNG_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare MOUNT_PATH=${!MOUNT_PATH_VAR}
declare NUKE_ENABLE=${!ENCRYPTION_NUKE_VAR}
# Encrypting partition
if [[ ${ENCRYPTION_ENABLE,,} == "true" ]]; then
if [[ ${EPHEMERAL_ENABLE,,} == "true" ]]; then
if [[ ${MOUNT_PATH} == "SWAP" ]]; then
mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" 1M
do_log "info" "false" "Ephemeral SWAP prepared on: '/dev/${DEV}${PARTITION}'."
MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_DEV: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]}'"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_ENCLABEL: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}'"
elif [[ ${MOUNT_PATH} == "/tmp" ]]; then
mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" 1M
do_log "info" "false" "Ephemeral /tmp prepared on: '/dev/${DEV}${PARTITION}'."
MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_DEV: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]}'"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_ENCLABEL: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}'"
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'MOUNT_PATH': '${MOUNT_PATH}'."
fi
elif [[ ${EPHEMERAL_ENABLE,,} == "false" ]]; then
if [[ ${INTEGRITY_ENABLE,,} == "true" ]]; then
if [[ ${NUKE_ENABLE,,} == "true" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--integrity hmac-sha512 \
--batch-mode --verbose
cryptsetup luksAddKey /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--new-keyfile="${DIR_CNF}"password_nuke.txt \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' dm-integrity encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
elif [[ ${NUKE_ENABLE,,} == "false" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--integrity hmac-sha512 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' dm-integrity encrypted."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'NUKE_ENABLE': '${NUKE_ENABLE}'."
fi
elif [[ ${INTEGRITY_ENABLE,,} == "false" ]]; then
if [[ ${NUKE_ENABLE,,} == "true" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--batch-mode --verbose
cryptsetup luksAddKey /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--new-keyfile="${DIR_CNF}"password_nuke.txt \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
elif [[ ${NUKE_ENABLE,,} == "false" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' encrypted."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'NUKE_ENABLE': '${NUKE_ENABLE}'."
fi
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'INTEGRITY_ENABLE': '${INTEGRITY_ENABLE}'."
fi
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'EPHEMERAL_ENABLE': '${EPHEMERAL_ENABLE}'."
fi
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'ENCRYPTION_ENABLE': '${ENCRYPTION_ENABLE}'."
fi
# Opening encrypted partition
if [[ ${ENCRYPTION_ENABLE,,} == "true" && ${EPHEMERAL_ENABLE,,} == "false" ]]; then
cryptsetup luksOpen /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
"${ENCRYPTION_LABEL}"
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' opened as '/dev/mapper/${ENCRYPTION_LABEL}'."
# Save UUID of the encrypted partition
declare UUID
UUID=$(blkid -s UUID -o value /dev/mapper/"${ENCRYPTION_LABEL}")
if [[ "${MOUNT_PATH}" = "/" ]]; then
CRYPT_ROOT="$(blkid -s UUID -o value "/dev/mapper/${ENCRYPTION_LABEL}")"
declare -g -r CRYPT_ROOT
fi
MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
do_log "info" "false" "Saved in HashMap MAP_UUID_CRYPT: '${ENCRYPTION_LABEL}' -> '${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]}'"
do_log "info" "false" "Saved in HashMap MAP_PATH_CRYPT: '${MOUNT_PATH}' -> '${MAP_PATH_CRYPT["${MOUNT_PATH}"]}'"
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Opening encrypted partition - Invalid value for 'ENCRYPTION_ENABLE': '${ENCRYPTION_ENABLE}' and 'EPHEMERAL_ENABLE': '${EPHEMERAL_ENABLE}'."
fi
done
done
do_show_footer
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
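Review bot: None of the cryptsetup calls in the non-ephemeral encryption path (the four luksFormat invocations, the two luksAddKey calls, luksHeaderBackup and the final luksOpen) checks its exit status, so unless `set -e` is enabled somewhere outside this file a failed luksFormat is followed by a key add, a header backup of an unformatted partition, a luksOpen and a blkid whose empty output is stored in MAP_UUID_CRYPT. The four luksFormat blocks differ only in `--integrity hmac-sha512` and the two luksAddKey blocks are identical, so the integrity/nuke matrix collapses into one argument array, one conditional key add and one `|| do_log "error" "true" …` guard per command, as sketched below. Slot 31 is only a "nuke" slot on a cryptsetup build that carries the nuke patch; on stock cryptsetup `--new-key-slot 31` adds an ordinary unlock key, so the log text `'Nuke-Key' added` overstates what happened unless the build is checked first. If `ENCRYPTION_KEY` holds the same recipe value for both paths, the `--integrity hmac-sha512` variant presumably needs the HMAC key length added to `--key-size` — confirm against the recipe files. The root UUID is also read twice with blkid (once for `UUID`, again for `CRYPT_ROOT`); `CRYPT_ROOT="${UUID}"` is enough.
```shell
# … unchanged: recipe variable generation, ephemeral SWAP and /tmp handling …
elif [[ ${EPHEMERAL_ENABLE,,} == "false" ]]; then
  # Validate both flags once instead of nesting four near-identical branches.
  declare FLAG
  for FLAG in INTEGRITY_ENABLE NUKE_ENABLE; do
    [[ ${!FLAG,,} == "true" || ${!FLAG,,} == "false" ]] ||
      do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for '${FLAG}': '${!FLAG}'."
  done
  declare -a LUKS_ARGS=(
    --key-file="${DIR_CNF}"password.txt
    --type luks2
    --cipher "${ENCRYPTION_CIPHER}"
    --hash "${ENCRYPTION_HASH}"
    --iter-time "${ENCRYPTION_ITERTIME}"
    --key-size "${ENCRYPTION_KEY}"
    --label "${ENCRYPTION_LABEL}"
    --luks2-metadata-size "${ENCRYPTION_METADATASIZE}"
    --pbkdf "${ENCRYPTION_PBKDF}"
    --"${ENCRYPTION_RNG}"
    --batch-mode --verbose
  )
  [[ ${INTEGRITY_ENABLE,,} == "true" ]] && LUKS_ARGS+=(--integrity hmac-sha512)
  cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" "${LUKS_ARGS[@]}" ||
    do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' luksFormat failed."
  if [[ ${NUKE_ENABLE,,} == "true" ]]; then
    # Slot 31 is a nuke slot only on a patched cryptsetup; elsewhere it is a plain extra key.
    cryptsetup luksAddKey /dev/"${DEV}""${PARTITION}" \
      --key-file="${DIR_CNF}"password.txt \
      --new-keyfile="${DIR_CNF}"password_nuke.txt \
      --new-key-slot 31 --batch-mode --verbose ||
      do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' luksAddKey (slot 31) failed."
  fi
  do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' encrypted (integrity=${INTEGRITY_ENABLE,,}, nuke=${NUKE_ENABLE,,})."
  cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
    --header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak ||
    do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' LUKS header backup failed."
  do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
else
  # … unchanged: EPHEMERAL_ENABLE error, luksOpen and UUID bookkeeping (same "|| do_log" guard) …
```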


@@ -0,0 +1,173 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.5.2. Functions - installation - partition formatting #
###########################################################################################
###########################################################################################
# Function to format the respective partition on each device according to the recipe string chosen.
# Globals:
# DIR_LOG
# MODULE_ERR
# MODULE_TXT
# RECIPE_DEV_PARTITIONS
# RECIPE_STRING
# Arguments:
# None
###########################################################################################
3_5_2_functions_installation_partition_formating() {
declare -g -x MODULE_ERR="3_5_2_functions_installation_partition_formating"
declare -g -x MODULE_TXT="Formatting each partition on each device according to recipe"
do_show_header "${MODULE_TXT}"
### Reminder ###
# Array: "${!RECIPE_DEV_PARTITIONS[@]}"
# ${DEVICE}: ${RECIPE_DEV_PARTITIONS[$DEVICE]}"
# Declare local variables
declare DEV
declare NUM_PARTITIONS
declare PARTITION
# Iterate through each device
for DEV in "${!RECIPE_DEV_PARTITIONS[@]}"; do
NUM_PARTITIONS=${RECIPE_DEV_PARTITIONS[${DEV}]}
# Iterate through each partition of the current device
for PARTITION in $(seq 1 "${NUM_PARTITIONS}"); do
# Generate vars for current partition
declare ENCRYPTION_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_enable"
declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_label"
declare FILESYSTEM_BTRFS_CHECKSUM_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_btrfs_checksum"
declare FILESYSTEM_BTRFS_COMPRESS_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_btrfs_compress"
declare FILESYSTEM_BTRFS_DEDUP_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_btrfs_dedup"
declare FILESYSTEM_FORMAT_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_format"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_label"
declare FILESYSTEM_OPTIONS_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_options"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_version"
declare MOUNT_PATH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_path"
# Initialize variables
declare ENCRYPTION_ENABLE=${!ENCRYPTION_ENABLE_VAR}
declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
declare BTRFS_CHECKSUM=${!FILESYSTEM_BTRFS_CHECKSUM_VAR}
declare BTRFS_COMPRESS=${!FILESYSTEM_BTRFS_COMPRESS_VAR}
declare BTRFS_DEDUP=${!FILESYSTEM_BTRFS_DEDUP_VAR}
declare FILESYSTEM_FORMAT=${!FILESYSTEM_FORMAT_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_OPTIONS=${!FILESYSTEM_OPTIONS_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_PATH=${!MOUNT_PATH_VAR}
# Formatting partition
if [[ ${ENCRYPTION_ENABLE,,} == "true" && ${MOUNT_PATH} != "SWAP" && ${MOUNT_PATH} != "/tmp" ]]; then
if [[ ${FILESYSTEM_FORMAT,,} == "true" && ${FILESYSTEM_FORMAT} == "btrfs" ]]; then
if [[ ${BTRFS_DEDUP,,} == "true" ]]; then
mkfs.btrfs -L "${FILESYSTEM_LABEL}" /dev/mapper/"${ENCRYPTION_LABEL}" -f --csum "${BTRFS_CHECKSUM}" -m dup -O compress="${BTRFS_COMPRESS}"
do_log "info" "false" "Partition: '/dev/mapper/${ENCRYPTION_LABEL}' formatted: '${FILESYSTEM_VERSION}'."
# shellcheck disable=SC2129
echo "Partition: '/dev/mapper/${ENCRYPTION_LABEL}':" >> "${DIR_LOG}"btrfs.log
btrfs filesystem show /dev/mapper/"${ENCRYPTION_LABEL}" >> "${DIR_LOG}"btrfs.log
echo "" >> "${DIR_LOG}"btrfs.log
elif [[ ${BTRFS_DEDUP,,} == "false" ]]; then
mkfs.btrfs -L "${FILESYSTEM_LABEL}" /dev/mapper/"${ENCRYPTION_LABEL}" -f --csum "${BTRFS_CHECKSUM}" -O compress="${BTRFS_COMPRESS}"
do_log "info" "false" "Partition: '/dev/mapper/${ENCRYPTION_LABEL}' formatted: '${FILESYSTEM_VERSION}'."
# shellcheck disable=SC2129
echo "Partition: '/dev/mapper/${ENCRYPTION_LABEL}':" >> "${DIR_LOG}"btrfs.log
btrfs filesystem show /dev/mapper/"${ENCRYPTION_LABEL}" >> "${DIR_LOG}"btrfs.log
echo "" >> "${DIR_LOG}"btrfs.log
else
do_log "error" "false" "Partition: '/dev/mapper/${ENCRYPTION_LABEL}': Unsupported deduplication method: '${BTRFS_DEDUP}'."
fi
elif [[ ${FILESYSTEM_FORMAT,,} == "true" && ${FILESYSTEM_FORMAT} == "ext4" ]]; then
mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/mapper/"${ENCRYPTION_LABEL}" "${FILESYSTEM_OPTIONS:+ $FILESYSTEM_OPTIONS}"
do_log "info" "false" "Partition: '/dev/mapper/${ENCRYPTION_LABEL}' formatted: '${FILESYSTEM_VERSION}'."
# shellcheck disable=SC2129
echo "Partition: '/dev/mapper/${ENCRYPTION_LABEL}':" >> "${DIR_LOG}"ext4.log
tune2fs -l /dev/mapper/"${ENCRYPTION_LABEL}" >> "${DIR_LOG}"ext4.log
echo "" >> "${DIR_LOG}"ext4.log
else
do_log "error" "false" "Partition: '/dev/mapper/${ENCRYPTION_LABEL}': Unsupported filesystem format: '${FILESYSTEM_FORMAT}'."
fi
elif [[ ${ENCRYPTION_ENABLE,,} == "false" && ${MOUNT_PATH} != "SWAP" && ${MOUNT_PATH} != "/tmp" ]]; then
if [[ ${FILESYSTEM_FORMAT,,} == "true" && ${FILESYSTEM_FORMAT} == "btrfs" ]]; then
if [[ ${BTRFS_DEDUP,,} == "true" ]]; then
mkfs.btrfs -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" -f --csum "${BTRFS_CHECKSUM}" -m dup -O compress="${BTRFS_COMPRESS}"
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' formatted: '${FILESYSTEM_VERSION}'."
# shellcheck disable=SC2129
echo "Partition: '/dev/${DEV}${PARTITION}':" >> "${DIR_LOG}"btrfs.log
btrfs filesystem show /dev/"${DEV}""${PARTITION}" >> "${DIR_LOG}"btrfs.log
echo "" >> "${DIR_LOG}"btrfs.log
elif [[ ${BTRFS_DEDUP,,} == "false" ]]; then
mkfs.btrfs -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" -f --csum "${BTRFS_CHECKSUM}" -O compress="${BTRFS_COMPRESS}"
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' formatted: '${FILESYSTEM_VERSION}'."
# shellcheck disable=SC2129
echo "Partition: '/dev/${DEV}${PARTITION}':" >> "${DIR_LOG}"btrfs.log
btrfs filesystem show /dev/"${DEV}""${PARTITION}" >> "${DIR_LOG}"btrfs.log
echo "" >> "${DIR_LOG}"btrfs.log
else
do_log "error" "false" "Partition: '/dev/${DEV}${PARTITION}': Unsupported deduplication method: '${BTRFS_DEDUP}'."
fi
elif [[ ${FILESYSTEM_FORMAT,,} == "true" && ${FILESYSTEM_FORMAT} == "ext4" ]]; then
mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" "${FILESYSTEM_OPTIONS:+ $FILESYSTEM_OPTIONS}"
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' formatted: '${FILESYSTEM_VERSION}'."
# shellcheck disable=SC2129
echo "Partition: '/dev/${DEV}${PARTITION}':" >> "${DIR_LOG}"ext4.log
tune2fs -l /dev/"${DEV}""${PARTITION}" >> "${DIR_LOG}"ext4.log
echo "" >> "${DIR_LOG}"ext4.log
elif [[ ${FILESYSTEM_FORMAT,,} == "true" && ${FILESYSTEM_FORMAT} == "FAT32" ]]; then
mkfs.fat -F 32 /dev/"${DEV}""${PARTITION}"
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' formatted: '${FILESYSTEM_VERSION}'."
else
do_log "error" "false" "Partition: '/dev/${DEV}${PARTITION}': Unsupported filesystem format: '${FILESYSTEM_FORMAT}'."
fi
fi
done
done
do_show_footer
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
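Review bot: Every format branch tests `${FILESYSTEM_FORMAT,,} == "true" && ${FILESYSTEM_FORMAT} == "btrfs"` (and likewise for `ext4` and `FAT32`), which can never both hold for one variable, so all five mkfs branches are dead and each partition ends in the "Unsupported filesystem format" error; the second operand should be the type variable that the log lines and the mount module already use, e.g. `[[ ${FILESYSTEM_FORMAT,,} == "true" && ${FILESYSTEM_VERSION,,} == "btrfs" ]]`, with `"fat32"` compared case-folded like the others. The two ext4 calls pass `"${FILESYSTEM_OPTIONS:+ $FILESYSTEM_OPTIONS}"` as one quoted word, which hands mkfs.ext4 a single argument with a leading space when options are set and an empty-string argument when they are not; split it deliberately into an array (`declare -a OPTS=(); [[ -n ${FILESYSTEM_OPTIONS} ]] && read -r -a OPTS <<<"${FILESYSTEM_OPTIONS}"`) and expand `"${OPTS[@]}"`. As far as I know `-O compress=…` is not a mkfs.btrfs feature flag (compression is a mount option, and the mount module already passes `compress=`) and `-m dup` selects duplicated metadata rather than deduplication, so the `BTRFS_DEDUP` and `BTRFS_COMPRESS` handling should be re-checked against the mkfs.btrfs man page of the target release.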


@@ -0,0 +1,90 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.6.0. Functions - installation - setup filesystem #
###########################################################################################
###########################################################################################
# Function to prepare the filesystem to mount each partition on the respective path.
# Globals:
# MAP_MOUNTPATH_DEV
# MODULE_ERR
# MODULE_TXT
# RECIPE_DEV_PARTITIONS
# RECIPE_STRING
# Arguments:
# None
###########################################################################################
3_6_0_functions_installation_setup_filesystem() {
declare -g -x MODULE_ERR="3_6_0_functions_installation_setup_filesystem"
declare -g -x MODULE_TXT="Prepare filesystem to mount each partition on the respective path"
do_show_header "${MODULE_TXT}"
# Declare local variables
declare DEV
declare NUM_PARTITIONS
declare PARTITION
# Iterate through each device
for DEV in "${!RECIPE_DEV_PARTITIONS[@]}"; do
NUM_PARTITIONS=${RECIPE_DEV_PARTITIONS[${DEV}]}
# Iterate through each partition of the current device
for PARTITION in $(seq 1 "${NUM_PARTITIONS}"); do
# Generate vars for the current partition
declare MOUNT_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_enable"
declare MOUNT_PATH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_path"
declare ENCRYPTION_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_enable"
declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_label"
# Initialize variables
declare MOUNT_ENABLE=${!MOUNT_ENABLE_VAR}
declare MOUNT_PATH=${!MOUNT_PATH_VAR}
declare ENCRYPTION_ENABLE=${!ENCRYPTION_ENABLE_VAR}
declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
# Proceed if and only if "mount_enable" equals "true".
if [[ ${MOUNT_ENABLE,,} == "true" ]]; then
if [[ -n ${MOUNT_PATH} ]]; then
if [[ ${ENCRYPTION_ENABLE,,} == "true" && ${MOUNT_PATH} != "SWAP" && ${MOUNT_PATH} != "/tmp" ]]; then
# Encrypted partition
MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
do_log "info" "false" "Saved in HashMap MAP_MOUNTPATH_DEV: '${MOUNT_PATH}' -> '${MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]}'"
elif [[ ${ENCRYPTION_ENABLE,,} == "false" && ${MOUNT_PATH} != "SWAP" && ${MOUNT_PATH} != "/tmp" ]]; then
# Unencrypted partition
MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
do_log "info" "false" "Saved in HashMap MAP_MOUNTPATH_DEV: '${MOUNT_PATH}' -> '${MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]}'"
else
do_log "error" "false" "Invalid value for encryption_enable: '${ENCRYPTION_ENABLE}', should be either true or false."
fi
fi
fi
done
done
do_show_footer
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
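Review bot: The `else` branch reports `Invalid value for encryption_enable` but is also reached for every partition whose `mount_path` is `SWAP` or `/tmp` with a perfectly valid `encryption_enable`, because both preceding conditions exclude those two paths; the message should state the real reason, e.g. `do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' with mount_path '${MOUNT_PATH}' is handled by the ephemeral map, skipped."` for the two ephemeral paths, keeping the invalid-value error for anything else. A partition with `mount_enable` true and an empty `mount_path` is dropped without any log line at the `-n ${MOUNT_PATH}` check; a `do_log "warn"` there would make a broken recipe visible. The device path `/dev/${DEV}${PARTITION}` assumes the `sdXN` naming scheme and yields `/dev/nvme0n11` for an NVMe or MMC device, which equally affects the same expression in the encryption and formatting modules.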


@@ -0,0 +1,267 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.6.1. Functions - installation - mount partition #
###########################################################################################
###########################################################################################
# Function to generate btrfs-subvolumes.
# Globals:
# ERR_CREAT_SUB_VOL
# TARGET
# Arguments:
# 1: MOUNT_PATH
# 2: SUBVOLUME
###########################################################################################
create_btrfs_subvolume() {
declare MOUNT_PATH="$1"
declare SUBVOLUME="$2"
btrfs subvolume create "${TARGET}${MOUNT_PATH}/${SUBVOLUME}" || {
do_log "error" "false" "Error occurred at creation of subvolume: '${SUBVOLUME}' in: '${TARGET}${MOUNT_PATH}'."
exit "${ERR_CREAT_SUB_VOL}"
}
do_log "info" "false" "Created: '${SUBVOLUME}' at: '${TARGET}${MOUNT_PATH}'."
}
###########################################################################################
# Function to create the mount path and mount the respective device on it.
# Globals:
# ERR_MOUNTING_PATH
# TARGET
# Arguments:
# $1: MOUNT_PATH
# $2: MOUNT_DEVICE
# $3: MOUNT_OPTIONS
###########################################################################################
mount_with_dir() {
declare MOUNT_PATH="$1"
declare MOUNT_DEVICE="$2"
declare MOUNT_OPTIONS="$3"
if [[ ${MOUNT_PATH} == "/" ]]; then
MOUNT_PATH=""
fi
# Create directory
mkdir -p "${TARGET}${MOUNT_PATH}"
# Mount routine
mount "${MOUNT_OPTIONS:+-o $MOUNT_OPTIONS}" "${MOUNT_DEVICE}" "${TARGET}${MOUNT_PATH}" || {
do_log "error" "false" "Error occurred at mounting '${MOUNT_DEVICE}' on: '${TARGET}${MOUNT_PATH}'."
exit "${ERR_MOUNTING_PATH}"
}
do_log "info" "false" "Mounted: '${MOUNT_DEVICE}' on: '${TARGET}${MOUNT_PATH}' with: '${MOUNT_OPTIONS}'."
}
###########################################################################################
# Function for mounting all partitions for debootstrap incl. generating btrfs subvolumes.
# Globals:
# ERR_MOUNTING_ROOT
# ERR_NO_DEVIC_PATH
# ERR_NO_ENCR_LABEL
# MAP_EPHEMERAL_DEV
# MAP_MOUNTPATH_DEV
# MODULE_ERR
# MODULE_TXT
# RECIPE_STRING
# TARGET
# Arguments:
# None
###########################################################################################
3_6_1_functions_installation_mount_partition() {
declare -g -x MODULE_ERR="3_6_1_functions_installation_mount_partition"
declare -g -x MODULE_TXT="Mounting all partitions for debootstrap incl. generating btrfs subvolumes"
do_show_header "${MODULE_TXT}"
# Mount "/"-filesystem
declare -r MOUNT_PATH_ROOT="/"
if [[ -n ${MAP_MOUNTPATH_DEV[$MOUNT_PATH_ROOT]} ]]; then
mount_with_dir "${MOUNT_PATH_ROOT}" "${MAP_MOUNTPATH_DEV[$MOUNT_PATH_ROOT]}"
else
do_log "error" "false" "Root-filesystem '${MOUNT_PATH_ROOT}' not found in Hashmap."
exit "${ERR_MOUNTING_ROOT}"
fi
# Ensure order of "/boot" and "/boot/efi"
declare PATH
for PATH in "/boot" "/boot/efi"; do
if [[ -n ${MAP_MOUNTPATH_DEV[$PATH]} ]]; then
mount_with_dir "${PATH}" "${MAP_MOUNTPATH_DEV[$PATH]}"
else
do_log "info" "false" "Entry '${PATH}' not found in Hashmap."
fi
done
# Mounting all remaining keys of hashmap 'MAP_MOUNTPATH_DEV'.
declare KEY
declare TRANSFORMED_STRING
declare DEVICE_PATH
declare ENCRYPTION_LABEL
declare MATCHING_VAR
for KEY in "${!MAP_MOUNTPATH_DEV[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_([^_]+_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_encryption_label"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
# Skip already mounted paths ("/", "/boot", "/boot/efi")
if [[ ${KEY} == "/" || ${KEY} == "/boot" || ${KEY} == "/boot/efi" ]]; then
continue
fi
if [[ ${FILESYSTEM_VERSION,,} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
mount_with_dir "${KEY}" "${DEVICE_PATH}" "${BTRFS_OPTIONS}"
[[ -n ${MOUNT_SUBVOLUME} ]] && create_btrfs_subvolume "${KEY}" "${MOUNT_SUBVOLUME}"
elif [[ ${FILESYSTEM_VERSION,,} == "ext4" ]]; then
mount_with_dir "${KEY}" "${DEVICE_PATH}"
else
do_log "error" "false" "No valid filesystem: '${FILESYSTEM_VERSION}' found for ${KEY}."
fi
done
# Reminder: MAP_EPHEMERALLABEL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
# Mounting remaining entries of hashmap 'MAP_EPHEMERALLABEL_DEV'.
declare KEY
declare TRANSFORMED_STRING
declare DEVICE_PATH
for KEY in "${!MAP_EPHEMERAL_DEV[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_EPHEMERAL_DEV[${KEY}]}"
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_encryption_label"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
if [[ ${KEY} == "SWAP" ]]; then
cryptsetup open --type plain --key-file /dev/random \
--offset 2048 --cipher aes-xts-plain64 --key-size 512 \
--sector-size 4096 "/dev/disk/by-label/${FILESYSTEM_LABEL}" "${ENCRYPTION_LABEL}"
mkswap "/dev/mapper/${ENCRYPTION_LABEL}"
swapon "/dev/mapper/${ENCRYPTION_LABEL}"
do_log "info" "false" "Mounted: '${KEY}' on: '/dev/mapper/${ENCRYPTION_LABEL}'."
elif [[ ${KEY} == "/tmp" ]]; then
cryptsetup open --type plain --key-file /dev/random \
--offset 2048 --cipher aes-xts-plain64 --key-size 512 \
--sector-size 4096 "/dev/disk/by-label/${FILESYSTEM_LABEL}" "${ENCRYPTION_LABEL}"
mkdir -p "${TARGET}/tmp"
mount "${MOUNT_OPTIONS:+-o $MOUNT_OPTIONS}" "/dev/mapper/${ENCRYPTION_LABEL}" "${TARGET}/tmp"
do_log "info" "false" "Mounted: '${KEY}' on: '/dev/mapper/${ENCRYPTION_LABEL}'."
else
do_log "warn" "false" "Ephemeral configuration for ${KEY} is not valid or disabled."
fi
done
do_log "info" "false" "All devices of 'MAP_MOUNTPATH_DEV' and 'MAP_EPHEMERALLABEL_DEV' successfully mounted."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
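Review bot: `declare PATH` followed by `for PATH in "/boot" "/boot/efi"` makes `PATH` a function-local variable and leaves it set to `/boot/efi` for the remainder of `3_6_1_functions_installation_mount_partition`, so every external command run afterwards (`sed`, `grep`, `cryptsetup`, `mkswap`, `swapon`, `btrfs`, `mount`) is looked up in `/boot/efi` and only still resolves if bash happened to hash it earlier; rename the loop variable, e.g. `declare BOOT_PATH` / `for BOOT_PATH in "/boot" "/boot/efi"; do`. The label lookup `declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}"` cannot match because `declare -p` prints values quoted (`…_encryption_label="label"`), it treats the label as an unescaped, unanchored PCRE, and in the first loop the following `sed -E 's|recipe_([^_]+_[^_]+_[^_]+)_.*|\1|'` captures `<recipe>_dev_<DEV>` instead of the `dev_<DEV>_<PARTITION>` key that the second loop extracts and the `recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_…` names require (assuming `RECIPE_STRING` itself contains no underscore); a `compgen -v` loop comparing `${!name}` with the label avoids all three, see below. In `mount_with_dir`, `"${MOUNT_OPTIONS:+-o $MOUNT_OPTIONS}"` is one word, so the root and `/boot` mounts (called with two arguments) receive an empty-string argument and mounts with options receive `-o …` as a single argument; under `set -u` the unset `$3` would already abort the function. The `/tmp` ephemeral branch opens a plain dm-crypt mapping with a random key and mounts it without creating a filesystem on `/dev/mapper/${ENCRYPTION_LABEL}` first (the SWAP branch does run `mkswap`), so unless something outside this file formats it that mount fails. The `^/dev/[a-zA-Z]+[0-9]+$` pattern and the sed transform in both loops likewise only understand `sdXN`-style names.
```shell
# in mount_with_dir: build the option list as an array so an empty value adds no argument
# (empty-array expansion under set -u needs bash >= 4.4)
declare -a MOUNT_ARGS=()
[[ -n ${MOUNT_OPTIONS} ]] && MOUNT_ARGS=(-o "${MOUNT_OPTIONS}")
mount "${MOUNT_ARGS[@]}" "${MOUNT_DEVICE}" "${TARGET}${MOUNT_PATH}" || {
# … unchanged: error log and exit …

# in 3_6_1_functions_installation_mount_partition: do not shadow PATH
declare BOOT_PATH
for BOOT_PATH in "/boot" "/boot/efi"; do
# … unchanged: loop body, with ${PATH} replaced by ${BOOT_PATH} …

# resolve "/dev/mapper/<label>" back to its "dev_<DEV>_<PARTITION>" recipe key without
# grepping 'declare -p' output (values are quoted there) or treating the label as a regex
TRANSFORMED_STRING=""
for MATCHING_VAR in $(compgen -v "recipe_${RECIPE_STRING}_dev_"); do
  if [[ ${MATCHING_VAR} == *_encryption_label && ${!MATCHING_VAR} == "${ENCRYPTION_LABEL}" ]]; then
    TRANSFORMED_STRING=${MATCHING_VAR#recipe_${RECIPE_STRING}_}
    TRANSFORMED_STRING=${TRANSFORMED_STRING%_encryption_label}
    break
  fi
done
[[ -n ${TRANSFORMED_STRING} ]] || {
# … unchanged: "No matching variable found" error and exit …
```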


@@ -0,0 +1,41 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.0. Functions - installation - debootstrap #
###########################################################################################
###########################################################################################
# Install minimal Debian environment via debootstrap command.
# Globals:
# ERR_DE_BOOT_STRAP
# MODULE_ERR
# MODULE_TXT
# TARGET
# Arguments:
# None
###########################################################################################
3_7_0_functions_installation_debootstrap() {
declare -g -x MODULE_ERR="3_7_0_functions_installation_debootstrap"
declare -g -x MODULE_TXT="Executing debootstrap"
do_show_header "${MODULE_TXT}"
if debootstrap --arch amd64 bookworm "${TARGET}" https://deb.debian.org/debian; then
do_log "info" "false" "Executing 'debootstrap --arch amd64 bookworm '${TARGET}' https://deb.debian.org/debian' successful."
else
do_log "emergency" "false" "Executing 'debootstrap --arch amd64 bookworm '${TARGET}' https://deb.debian.org/debian' NOT successful."
exit "${ERR_DE_BOOT_STRAP}"
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
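Review bot: The debootstrap call at L687 hard-codes the architecture, suite and mirror (`amd64 bookworm https://deb.debian.org/debian`) even though the rest of the installer drives these from preseed variables (`apt_mirror_hostname`/`apt_mirror_protocol` are used for sources.list in 3.7.4, and the target suite there is derived differently), so the bootstrapped tree and the generated sources.list can disagree on mirror and release. Consider building the arguments from the same preseed values, e.g. `debootstrap --force-check-gpg --arch amd64 "${apt_release}" "${TARGET}" "${PROTOCOL}://${apt_mirror_hostname}${apt_mirror_directory}"` (variable names to be taken from the preseed schema). `--force-check-gpg` makes a missing or unusable archive keyring a hard failure instead of a silently unverified bootstrap, which matters for a hardened installer. The Globals block at L675 could also list the mirror/suite variables once they are used.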


@@ -0,0 +1,75 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.1. Functions - installation - configure system #
###########################################################################################
###########################################################################################
# Configure target system for chroot.
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# Arguments:
# None
###########################################################################################
3_7_1_functions_installation_configure_system() {
declare -g -x MODULE_ERR="3_7_1_functions_installation_configure_system"
declare -g -x MODULE_TXT="Configure and prepare system after debootstrap for setup"
do_show_header "${MODULE_TXT}"
### Reminder ###
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}"/proc).
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
if mount --make-rslave --rbind /proc "${TARGET}"/proc; then
do_log "info" "true" "'mount --make-rslave --rbind /proc ${TARGET}/proc'."
else
do_log "emergency" "false" "Failed: 'mount --make-rslave --rbind /proc ${TARGET}/proc'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /sys "${TARGET}"/sys; then
do_log "info" "true" "'mount --make-rslave --rbind /sys ${TARGET}/sys'."
else
do_log "emergency" "false" "Failed: 'mount --make-rslave --rbind /sys ${TARGET}/sys'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /dev "${TARGET}"/dev; then
do_log "info" "true" "'mount --make-rslave --rbind /dev ${TARGET}/dev'."
else
do_log "emergency" "false" "Failed: 'mount --make-rslave --rbind /dev ${TARGET}/dev'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /run "${TARGET}"/run; then
do_log "info" "true" "'mount --make-rslave --rbind /run ${TARGET}/run'."
else
do_log "emergency" "false" "Failed: 'mount --make-rslave --rbind /run ${TARGET}/run'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "info" "true" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${TARGET}'."
else
do_log "emergency" "false" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${TARGET}'."
exit "${ERR_CHROOT_MOUNTS}"
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
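Review bot: The Globals block at L716–L719 omits `ERR_CHROOT_MOUNTS`, which the function reads at L737, L743, L749, L755 and L761; add `# ERR_CHROOT_MOUNTS` to the list so the contract matches the other modules' headers. The mkdir failure at L761 also exits with `ERR_CHROOT_MOUNTS` although no mount is involved, which makes the exit code misleading for whoever reads the log; a dedicated code, or at least a comment such as `# reuses ERR_CHROOT_MOUNTS: no dedicated code for chroot preparation yet`, would help. Nothing in this file unmounts the four rbind mounts on an early exit; if that is handled by an EXIT trap elsewhere, a one-line pointer to it in the header would save the next reader a search.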


@@ -0,0 +1,325 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.2. Functions - installation - generate fstab #
###########################################################################################
###########################################################################################
# Generate target '/etc/fstab' entries.
# Globals:
# ERR_NO_DEVIC_PATH
# ERR_NO_ENCR_LABEL
# MAP_EPHEMERAL_ENCLABEL
# MAP_MOUNTPATH_DEV
# MODULE_ERR
# MODULE_TXT
# RECIPE_STRING
# TARGET
# Arguments:
# None
###########################################################################################
3_7_2_functions_installation_generate_fstab() {
declare -g -x MODULE_ERR="3_7_2_functions_installation_generate_fstab"
declare -g -x MODULE_TXT="Generating '${TARGET}/etc/fstab'"
do_show_header "${MODULE_TXT}"
# Generate '${TARGET}/etc/fstab' header
touch "${TARGET}"/etc/fstab
chmod 0644 "${TARGET}"/etc/fstab
# shellcheck disable=SC2129
cat << 'EOF' >> "${TARGET}"/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
EOF
### Reminder ###
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
# Generate '${TARGET}/etc/fstab' special entries '/' '/boot' '/boot/efi'.
# Define the order of the special keys.
declare -a KEY_ORDER
KEY_ORDER=("/" "/boot" "/boot/efi")
declare DEVICE_PATH
declare DEVICE_UUID
declare ENCRYPTION_LABEL
declare KEY
declare MATCHING_VAR
declare TRANSFORMED_STRING
for KEY in "${KEY_ORDER[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of a sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
if [[ ${KEY} == "/" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot/efi" ]]; then
if [[ ${FILESYSTEM_VERSION} == "fat32" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
else
do_log "error" "false" "fstab entry - no valid '${KEY}' for '/', '/boot', '/boot/efi' found."
fi
done
# Generate '${TARGET}/etc/fstab' remaining entries
for KEY in "${!MAP_MOUNTPATH_DEV[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of a sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
# Skip already mounted paths ("/", "/boot", "/boot/efi")
if [[ " ${KEY_ORDER[*]} " == *" ${KEY} "* ]]; then
continue
fi
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
done
# TODO: flexible entries for more than one CD-ROM drives.
# Add entry for CD-ROM device
# shellcheck disable=2129
echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
# Add entry for proc and tmpfs device
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0" >> "${TARGET}"/etc/fstab
echo "tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0'."
do_log "info" "false" "fstab entry generated: 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0'."
# TODO: flexible 'SWAP' entry, not only ephemeral SWAP.
# Add entry for SWAP device
declare MOUNT_PATH="SWAP"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0'."
# TODO: flexible '/tmp' entry, not only ephemeral SWAP.
# Add entry for '/tmp' device
declare MOUNT_PATH="/tmp"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0'."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
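Review bot: The ephemeral entries at L1000 and L1008 write the bare mapping name from `MAP_EPHEMERAL_ENCLABEL` as the fstab device column, but according to the reminder in 3.7.3 (`MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"`) that map holds only the crypttab name, so the lines should be `echo "/dev/mapper/${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0"` and the corresponding `/dev/mapper/` prefix for `/tmp`, matching how 3.5.x mounts them. The lookup at L843 and L933 interpolates `${ENCRYPTION_LABEL}` unescaped into a PCRE and, as far as I can tell from `declare -p` output (`name="value"`), the pattern `_encryption_label=${ENCRYPTION_LABEL}` never matches the quoted form, so every `/dev/mapper/` device would exit with `ERR_NO_ENCR_LABEL`; anchoring on `="${ENCRYPTION_LABEL}"$` with the label passed as a fixed string would make that robust — please confirm against a real run. The skip for `/`, `/boot`, `/boot/efi` at L958 sits after `blkid`, the label lookup (which can exit) and all the `declare`s; moving the `continue` to the top of the loop at L921 avoids doing that work and risking that exit for entries that are then discarded. The `/tmp` line at L1008 hard-codes `defaults,rw,nodev,nosuid,relatime` while the live mount in 3.5.x uses the recipe's mount options, so the two can diverge; `noexec` is also absent here although the neighbouring `/proc` and `/dev/shm` entries set it.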


@@ -0,0 +1,115 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.3. Functions - installation - generate crypttab #
###########################################################################################
###########################################################################################
# Generate "${TARGET}" /etc/crypttab entries.
# Globals:
# MAP_PATH_CRYPT
# MAP_UUID_CRYPT
# MODULE_ERR
# MODULE_TXT
# TARGET
# Arguments:
# None
###########################################################################################
3_7_3_functions_installation_generate_crypttab() {
declare -g -x MODULE_ERR="3_7_3_functions_installation_generate_crypttab"
declare -g -x MODULE_TXT="Generating '${TARGET}/etc/crypttab' entries"
do_show_header "${MODULE_TXT}"
# Generate '${TARGET}/etc/crypttab'.
touch "${TARGET}"/etc/crypttab
chmod 0644 "${TARGET}"/etc/crypttab
# Generate '${TARGET}/etc/crypttab' header.
# shellcheck disable=SC2129
cat << 'EOF' >> "${TARGET}"/etc/crypttab
# <name> <device> <password-file-or-none> <options>
EOF
### Reminder ###
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# do_log "info" "false" "Saved in HashMap MAP_UUID_CRYPT: '${ENCRYPTION_LABEL}' -> '${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]}'"
# do_log "info" "false" "Saved in HashMap MAP_PATH_CRYPT: '${MOUNT_PATH}' -> '${MAP_PATH_CRYPT["${MOUNT_PATH}"]}'"
# Generate '${TARGET}/etc/crypttab' entries.
declare KEY=""
declare ENCRYPTION_LABEL=""
for KEY in "${MAP_PATH_CRYPT[@]}"; do
ENCRYPTION_LABEL="${MAP_PATH_CRYPT["${KEY}"]}"
if [[ ${accounts_dropbear_unlock,,} == "true" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${TARGET}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,initramfs" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT[${ENCRYPTION_LABEL}]} none luks,discard,initramfs'."
elif [[ ${accounts_dropbear_unlock,,} == "false" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${TARGET}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT[${ENCRYPTION_LABEL}]} none luks,discard'."
fi
done
# TODO: Update loop to iterate thru dynamic number of ephemeral drives.
# Generate '${TARGET}/etc/crypttab' special ephemeral entries.
declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
declare KEY=""
# MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
# MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
for KEY in "${EPHEMERAL_MOUNT_PATH[@]}"; do
if [[ ${KEY} == "SWAP" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/crypttab
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
elif [[ ${KEY} == "/tmp" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/crypttab
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${TARGET}"/etc/crypttab
echo "" >> "${TARGET}"/etc/crypttab
do_log "info" "false" "'${TARGET}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
else
do_log "info" "true" "${TARGET}/etc/crypttab entries written."
fi
done
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
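Review bot: The loop at L1063 iterates over the values of `MAP_PATH_CRYPT` (`"${MAP_PATH_CRYPT[@]}"`) and then uses each value as a key at L1064 and L1067–L1068, so `ENCRYPTION_LABEL` and the name column come out empty and the UUID lookup at L1068 resolves nothing; it should be `for KEY in "${!MAP_PATH_CRYPT[@]}"; do` so that `KEY` is the mount path and `MAP_PATH_CRYPT["${KEY}"]` the label, as the reminder at L1057 describes. The log lines at L1070 and L1076 report `luks,discard,initramfs` / `luks,discard` while the written entries at L1068 and L1074 contain no `discard`, so the log does not reflect the file. When `accounts_dropbear_unlock` is neither `true` nor `false` no LUKS entry is written at all and no message is logged; an `else` with a `do_log "error"` and an exit would be consistent with the rest of the module.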


@@ -0,0 +1,176 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.4. Functions - installation - generate sources #
###########################################################################################
###########################################################################################
# Generate target ${TARGET}/etc/apt/sources.list entries
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# apt_contrib
# apt_mirror_directory
# apt_mirror_hostname
# apt_mirror_protocol
# apt_non_free
# apt_non_free_firmware
# apt_security_string
# apt_updates_backports
# apt_updates_policy
# apt_updates_release
# apt_updates_security
# Arguments:
# None
###########################################################################################
3_7_4_functions_installation_generate_sources() {
declare -g -x MODULE_ERR="3_7_4_functions_installation_generate_sources"
declare -g -x MODULE_TXT="Generating '${TARGET}/etc/apt/sources.list'"
do_show_header "${MODULE_TXT}"
declare CONTRIB=""
declare DIR=""
declare HOSTNAME=""
declare HOSTSECURE=""
declare NON_FREE=""
declare NON_FREE_FIRMWARE=""
declare PROTOCOL=""
DIR="${apt_mirror_directory}"
HOSTNAME="${apt_mirror_hostname}"
HOSTSECURE="${apt_security_string}"
if [[ ${apt_contrib,,} == "true" ]]; then
CONTRIB="contrib"
fi
if [[ ${apt_non_free,,} == "true" ]]; then
NON_FREE="non-free"
fi
if [[ ${apt_non_free_firmware,,} == "true" ]]; then
NON_FREE_FIRMWARE="non-free-firmware"
fi
if [[ ${apt_mirror_protocol,,} == "https" ]]; then
PROTOCOL="https"
elif [[ ${apt_mirror_protocol,,} == "http" ]]; then
PROTOCOL="http"
fi
declare CODENAME
# apt-get install -y lsb-release
CODENAME=$(lsb_release --codename --short)
touch "${TARGET}"/etc/apt/sources.list
chmod 0644 "${TARGET}"/etc/apt/sources.list
cat << EOF >> "${TARGET}"/etc/apt/sources.list
#-----------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS #
#-----------------------------------------------------------------------------------------#
deb ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME} main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
deb-src ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME} main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
EOF
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME} main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME} main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
if [[ ${apt_updates_security,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/apt/sources.list
deb ${PROTOCOL}://${HOSTSECURE}/debian-security ${CODENAME}-security main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
deb-src ${PROTOCOL}://${HOSTSECURE}/debian-security ${CODENAME}-security main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
EOF
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${PROTOCOL}://${HOSTSECURE}/debian-security ${CODENAME}-security main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${PROTOCOL}://${HOSTSECURE}/debian-security ${CODENAME}-security main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
fi
if [[ ${apt_updates_release,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/apt/sources.list
deb ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-updates main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
deb-src ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-updates main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
EOF
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-updates main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-updates main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
fi
if [[ ${apt_updates_backports,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/apt/sources.list
deb ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-backports main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
deb-src ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-backports main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}
EOF
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-backports main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
do_log "info" "false" "${TARGET}/etc/apt/sources.list entry generated: 'deb-src ${PROTOCOL}://${HOSTNAME}${DIR} ${CODENAME}-backports main ${CONTRIB} ${NON_FREE} ${NON_FREE_FIRMWARE}'."
fi
# Clean up 'source.list'
sed -i '/^#/!s/[[:space:]]\+/ /g' "${TARGET}"/etc/apt/sources.list
cat << EOF >> "${TARGET}"/etc/apt/sources.list
# Copyright 2018-2025; WEIDNER, Marc S., <cendev@coresecret.eu>
EOF
if do_in_target "${TARGET}" apt-get update -y; then
do_log "info" "true" "Command: 'apt-get update -y' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get update -y' executed in: '${TARGET}'."
fi
if [[ ${apt_updates_policy,,} == "unattended" ]]; then
if do_in_target "${TARGET}" apt-get install -y unattended-upgrades; then
do_log "info" "true" "Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
fi
do_log "info" "false" "The update policy was set at installation time to: '${apt_updates_policy}' executed in: '${TARGET}'."
elif [[ ${apt_updates_policy,,} == "security" ]]; then
if do_in_target "${TARGET}" apt-get install -y unattended-upgrades; then
do_log "info" "true" "Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
else
do_log "emergency" "true" "Failed: Command: 'apt-get install -y unattended-upgrades' executed in: '${TARGET}'."
fi
# shellcheck disable=SC2016
sed -i 's/^\s*"origin=Debian,codename=\${distro_codename},label=Debian";/\/\/ &/' "${TARGET}"/etc/apt/apt.conf.d/50unattended-upgrades
do_log "info" "false" "The update policy was set at installation time to '${apt_updates_policy}' executed in: '${TARGET}'."
elif [[ ${apt_updates_policy,,} == "none" ]]; then
do_log "info" "false" "The update policy was set at installation to: '${apt_updates_policy}'."
else
do_log "warning" "false" "Update policy '${apt_updates_policy}': is not supported. Using 'none' as default."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
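Review bot: `CODENAME` at L1175 comes from `lsb_release` on the host running the installer, whereas 3.7.0 bootstraps a fixed `bookworm` into `${TARGET}`; whenever the installer medium runs a different release than the one it installs, sources.list points at the wrong suite, so the suite should come from the same variable that drives debootstrap (or from `${TARGET}/etc/os-release`), not from the host. If `apt_mirror_protocol` is neither `http` nor `https` (L1168–L1172) `PROTOCOL` stays empty and the heredocs emit `://host` lines; an `else` that logs an error and exits, or defaults to `https`, would fail earlier and more clearly. The failed `apt-get update` at L1219 is logged as "emergency" but execution continues into `apt-get install` at L1222, unlike 3.7.0 which exits on a failed bootstrap; consider `exit` with a dedicated error code there. `declare HOSTNAME=""` at L1151 shadows bash's `HOSTNAME` for the duration of the function, which may surprise `do_log` if it prints the host name; `MIRROR_HOST` would avoid that.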


@@ -0,0 +1,43 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.5. Functions - installation - setup timezone #
###########################################################################################
###########################################################################################
# Configure timezone
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# ntp_timezone
# Arguments:
# None
###########################################################################################
3_7_5_functions_installation_setup_timezone() {
declare -g -x MODULE_ERR="3_7_5_functions_installation_setup_timezone"
declare -g -x MODULE_TXT="Setup timezone"
do_show_header "${MODULE_TXT}"
### Reminder ###
# ls /usr/share/zoneinfo
do_in_target "${TARGET}" ln -sf /usr/share/zoneinfo/"${ntp_timezone}" /etc/localtime
do_in_target "${TARGET}" /bin/bash -c "echo ${ntp_timezone} | tee /etc/timezone"
do_in_target "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
do_log "info" "false" "Timezone changed to '${ntp_timezone}' executed in: '${TARGET}'."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
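Review bot: `${ntp_timezone}` is spliced unquoted into a `bash -c` string at L1280, so a preseed value containing shell metacharacters is executed as commands inside the target, and at L1279 the same value becomes a path without any check that `/usr/share/zoneinfo/${ntp_timezone}` exists or is free of `..` components, which would leave `/etc/localtime` dangling or pointing outside the zoneinfo tree. Write the file from the host without a shell round-trip, `printf '%s\n' "${ntp_timezone}" > "${TARGET}"/etc/timezone`, and guard both steps with `[[ ${ntp_timezone} != *..* && -f "${TARGET}/usr/share/zoneinfo/${ntp_timezone}" ]]`, logging at `emergency` otherwise. The three `do_in_target` calls also return a status that is never checked, unlike the apt steps in the other sections; at least the `dpkg-reconfigure` at L1281 should get the same `if … then … else do_log "emergency"` treatment.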


@@ -0,0 +1,61 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.6. Functions - installation - setup locales #
###########################################################################################
###########################################################################################
# Set locale and configure keyboard layout
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# locale_keyboard_layout
# locale_keyboard_xkb_keymap
# locale_locale
# Arguments:
# None
###########################################################################################
3_7_6_functions_installation_setup_locales() {
declare -g -x MODULE_ERR="3_7_6_functions_installation_setup_locales"
declare -g -x MODULE_TXT="Setup locales and configure keyboard layout"
do_show_header "${MODULE_TXT}"
do_in_target "${TARGET}" apt-get install -y locales
do_log "info" "true" "Command: 'apt-get install -y locales' executed in: '${TARGET}'."
# TODO: Alternative elif statement to use separately configured variables '{$locale_country}' and '{$locale_language}'.
# Give priority to '${locale_locale}' over separately configured variables '{$locale_country}' and '{$locale_language}'.
if [[ -n ${locale_locale} ]]; then
# Generate the specified locale
do_in_target "${TARGET}" locale-gen "${locale_locale}"
do_log "info" "true" "Command: 'locale-gen ${locale_locale}' executed in: '${TARGET}'."
# Set the standard locale
do_in_target "${TARGET}" update-locale LANG="${locale_locale}" LC_ALL="${locale_locale}"
do_log "info" "true" "Command: 'update-locale LANG=${locale_locale} LC_ALL=${locale_locale}' executed in: '${TARGET}'."
# Set the keyboard layout for the system (for consoles)
sed -i "s/^KEYMAP=.*/KEYMAP=${locale_keyboard_layout}/" "${TARGET}"/etc/default/keyboard
do_log "info" "false" "Keyboard layout updated: 'KEYMAP=${locale_keyboard_layout}' -> '${TARGET}/etc/default/keyboard'."
# Set the X11 keyboard layout (for graphical environments)
do_in_target "${TARGET}" localectl set-x11-keymap "${locale_keyboard_xkb_keymap}"
do_log "info" "true" "Command: 'localectl set-x11-keymap ${locale_keyboard_xkb_keymap}' executed in: '${TARGET}'."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
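Review bot: `localectl set-x11-keymap` at L1335 talks to systemd-localed over D-Bus, which is not running inside the `do_in_target` chroot, so the X11 keymap step will fail, and L1336 logs it as success because the exit status is never checked. On Debian both the console and X11 layout are read from `/etc/default/keyboard` (keyboard-configuration), whose keys are `XKBLAYOUT=` and friends, so the `sed` at L1332 looking for `KEYMAP=` presumably matches nothing there either — verify against the target's file. Replace both steps with a single edit of that file after `keyboard-configuration` is installed, e.g. `sed -i "s/^XKBLAYOUT=.*/XKBLAYOUT=\"${locale_keyboard_xkb_keymap}\"/" "${TARGET}"/etc/default/keyboard`, and validate the value first with `[[ ${locale_keyboard_xkb_keymap} =~ ^[A-Za-z0-9_,-]+$ ]]` since it is interpolated into the `sed` expression. Setting `LC_ALL` in `/etc/default/locale` at L1329 also overrides every per-user locale choice; `LANG` alone is the usual system-wide default.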


@@ -0,0 +1,37 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.7. Functions - installation - kernel #
###########################################################################################
###########################################################################################
# Installation of the specified kernel incl. dropbear SSH, LUKS Nuke.
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# kernel
# Arguments:
# None
###########################################################################################
3_7_7_functions_installation_kernel() {
declare -g -x MODULE_ERR="3_7_7_functions_installation_kernel"
declare -g -x MODULE_TXT="Install kernel: '${kernel}'"
do_show_header "${MODULE_TXT}"
# Installing the chosen Kernel Image according to preseed.yaml
do_in_target "${TARGET}" apt-get install -y "${kernel}"
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
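Review bot: The `apt-get install -y "${kernel}"` at L1374 is the one step the installed system cannot boot without, yet its exit status is neither checked nor logged, while every apt call in the other sections gets an `if … then do_log "info" … else do_log "emergency"` pair. Wrap it the same way and reject an empty `${kernel}` up front, since `apt-get install -y ""` fails with an unhelpful message. The header comment at L1360 also promises dropbear SSH and LUKS Nuke, but the body installs only `${kernel}`; either drop those words or point to the step that handles them, e.g. `# Installs the kernel image named by 'kernel' in preseed.yaml (dropbear / LUKS nuke are configured in later steps).` if that is where they live.
```shell
  # The kernel is the one package the target cannot boot without: log and stop on failure.
  if [[ -z ${kernel} ]]; then
    do_log "emergency" "false" "No kernel package configured: 'kernel' is empty in preseed.yaml."
  elif do_in_target "${TARGET}" apt-get install -y "${kernel}"; then
    do_log "info" "true" "Command: 'apt-get install -y ${kernel}' executed in: '${TARGET}'."
  else
    do_log "emergency" "true" "Failed: Command: 'apt-get install -y ${kernel}' executed in: '${TARGET}'."
  fi
```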


@@ -0,0 +1,362 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.8. Functions - installation - setup network #
###########################################################################################
# TODO collect Gateway and convert CCDIR ot n.n.n.n
###########################################################################################
# Setup network
# Globals:
# FINAL_FQDN
# FINAL_IPV4_ADDRESS
# FINAL_IPV6
# FINAL_IPV6_ADDRESS
# LOG_NIC
# MODULE_ERR
# MODULE_TXT
# TARGET
# network_autoconfig_enable
# network_choose_interface_auto
# network_choose_interface_static
# network_ipv6
# network_static_hostname
# network_static_ipv4address
# network_static_ipv4gateway
# network_static_ipv4nameserver_0
# network_static_ipv4nameserver_1
# network_static_ipv4nameserver_fallback_0
# network_static_ipv4netmask
# network_static_ipv6address
# network_static_ipv6gateway
# network_static_ipv6nameserver_0
# network_static_ipv6nameserver_1
# network_static_ipv6nameserver_fallback_0
# network_static_ipv6netmask
# network_timeout_dhcp
# Arguments:
# None
###########################################################################################
3_7_8_functions_installation_setup_network() {
declare -g -x MODULE_ERR="3_7_8_functions_installation_setup_network"
declare -g -x MODULE_TXT="Setup network"
do_show_header "${MODULE_TXT}"
# Initialize variables
declare ADDR_GI=""
declare ADDR_SI=""
declare ADDR_YI=""
declare DHCP_SRV=""
declare FQDN=""
declare HAS_NIC=""
declare HAS_IPV4=""
declare HAS_IPV6=""
declare HAS_IPV4_CCIDR=""
declare HAS_IPV6_CCIDR=""
declare HAS_LINKIPV4=""
declare HAS_LINKIPV6=""
declare NIC=""
# Check current network connection and configure variables
HAS_NIC=$(ip -o link show | awk -F': ' '/state UP/ {print $2; exit}')
HAS_IPV4_CCIDR=$(ip -4 -o addr show "${HAS_NIC}" | awk '{print $4; exit}')
HAS_IPV4_SUBNET=$(do_generate_subnet "${HAS_IPV4_CCIDR}")
HAS_IPV4=$(echo "$HAS_IPV4_CCIDR" | awk -F'/' '{print $1}')
HAS_IPV4_GATEWAY=$(ip route show default dev "${HAS_NIC}" | awk '/^default/ {print $3; exit}')
HAS_IPV6_CCIDR=$(ip -6 -o addr show "${HAS_NIC}" | awk '/scope global/ {print $4; exit}')
if [[ -n ${HAS_IPV6_CCIDR} ]]; then
HAS_IPV6=$(echo "${HAS_IPV6_CCIDR}" | awk -F'/' '{print $1}')
fi
HAS_LINKIPV4=$(ping -q -c 1 -W 1 -4 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
HAS_LINKIPV6=$(ping -q -c 1 -W 1 -6 debian.org > /dev/null 2>&1 && echo "true" || echo "false")
do_log "info" "false" "Live environment DHCP information collection: timeout='${network_timeout_dhcp}' seconds."
dhclient -v -1 "${HAS_NIC}" 2>&1 | timeout "${network_timeout_dhcp}" dhcpdump -i "${HAS_NIC}" >> "${LOG_NIC}" || true
awk 'BEGIN {RS="---------------------------------------------------------------------------"; \
ORS="---------------------------------------------------------------------------"} \
NF {last=$0} END {print last}' "${LOG_NIC}" > "${LOG_NIC}".tmp && mv "${LOG_NIC}".tmp "${LOG_NIC}"
do_log "info" "false" "Live environment DHCP information collection: collection completed."
# Extract 'FQDN' from '${LOG_NIC}'
FQDN=$(awk -F 'Host name' '/Host name/ {print $2}' "${LOG_NIC}" | xargs)
# Extract 'YIADDR' (Your IP Address) from '${LOG_NIC}'
ADDR_YI=$(awk -F 'YIADDR:' '/YIADDR/ {print $2}' "${LOG_NIC}" | awk '{print $1}' | xargs)
# Extract 'SIADDR' (Server IP Address) from '${LOG_NIC}'
ADDR_SI=$(awk -F 'SIADDR:' '/SIADDR/ {print $2}' "${LOG_NIC}" | awk '{print $1}' | xargs)
# Extract 'Server Identifier' from '${LOG_NIC}'
DHCP_SRV=$(awk -F 'Server identifier' '/Server identifier/ {print $2}' "${LOG_NIC}" | xargs)
# Extract 'GIADDR' (Gateway IP Address) from '${LOG_NIC}'
ADDR_GI=$(awk -F 'GIADDR:' '/GIADDR/ {print $2}' "${LOG_NIC}" | awk '{print $1}' | xargs)
do_log "info" "false" "Live environment network check: HAS_NIC='${HAS_NIC}'."
do_log "info" "false" "Live environment network check: HAS_IPV4_CCIDR='${HAS_IPV4_CCIDR}'."
do_log "info" "false" "Live environment network check: HAS_IPV4_SUBNET='${HAS_IPV4_SUBNET}'."
do_log "info" "false" "Live environment network check: HAS_IPV4_GATEWAY='${HAS_IPV4_GATEWAY}'."
do_log "info" "false" "Live environment network check: HAS_IPV6_CCIDR='${HAS_IPV6_CCIDR}'."
do_log "info" "false" "Live environment network check: HAS_LINKIPV4='${HAS_LINKIPV4}'."
do_log "info" "false" "Live environment network check: HAS_LINKIPV6='${HAS_LINKIPV6}'."
do_log "info" "false" "Live environment network check: FQDN='${FQDN}'."
do_log "info" "false" "Live environment network check: ADDR_YI='${ADDR_YI}'."
do_log "info" "false" "Live environment network check: ADDR_SI='${ADDR_SI}'."
do_log "info" "false" "Live environment network check: DHCP_SRV='${DHCP_SRV}'."
do_log "info" "false" "Live environment network check: ADDR_GI='${ADDR_GI}'."
# Create network configuration file header.
if [[ -f "${TARGET}"/etc/network/interfaces ]]; then
rm "${TARGET}"/etc/network/interfaces
do_log "info" "false" "Existing '${TARGET}/etc/network/interfaces' removed."
fi
touch "${TARGET}"/etc/network/interfaces
chmod 0644 "${TARGET}"/etc/network/interfaces
cat << EOF >> "${TARGET}"/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
EOF
do_log "info" "false" "Header '${TARGET}/etc/network/interfaces' created."
# Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv4.
if [[ ${network_autoconfig_enable,,} == "true" && ${network_choose_interface_auto,,} == "true" ]]; then
declare IFACE
for IFACE in $(ls /sys/class/net || true); do
if [[ -d "/sys/class/net/${IFACE}/device" ]]; then
NIC="${IFACE}"
break
fi
done
if [[ -z ${NIC} ]]; then
NIC="${network_choose_interface_static}"
do_log "notice" "false" "No physical NIC detected automatically. Use the specified static NIC instead: '${network_choose_interface_static}'."
else
do_log "info" "false" "The first physical auto-detected NIC is: '${NIC}'."
fi
### Reminder ###
# auto:
# For servers or systems with static interfaces that should always be available (e.g., eth0 on a server).
# For configurations where the interface should be active regardless of the cable status.
# allow-hotplug:
# For systems with dynamic or removable network devices (e.g., laptops or USB adapters).
# To avoid boot delays when interfaces are unavailable.
cat << EOF >> "${TARGET}"/etc/network/interfaces
# The primary network interface IPv4
auto "${NIC}"
iface "${NIC}" inet dhcp
EOF
do_log "info" "false" "IPv4 on the primary NIC: '${NIC}' configured with DHCP."
elif [[ ${network_autoconfig_enable,,} == "true" && ${network_choose_interface_auto,,} == "false" ]]; then
NIC="${network_choose_interface_static}"
cat << EOF >> "${TARGET}"/etc/network/interfaces
# The primary network interface IPv4
auto "${NIC}"
iface "${NIC}" inet dhcp
EOF
do_log "info" "false" "IPv4 on the primary NIC: '${NIC}' configured with DHCP."
else
do_log "warning" "false" "No NIC specified. 'network_choose_interface_static' was: '${network_choose_interface_static}'."
fi
if [[ ${network_autoconfig_enable,,} == "false" ]]; then
cat << EOF >> "${TARGET}"/etc/network/interfaces
# The primary network interface IPv4
auto "${network_choose_interface_static}"
iface "${network_choose_interface_static}" inet static
address "${network_static_ipv4address}"
netmask "${network_static_ipv4netmask}"
gateway "${network_static_ipv4gateway}"
dns-nameservers "${network_static_ipv4nameserver_0}" "${network_static_ipv4nameserver_1}" "${network_static_ipv4nameserver_fallback_0}"
EOF
do_log "info" "false" "IPv4 on the primary NIC: '${network_choose_interface_static}' configured manually."
else
do_log "error" "false" "Network autoconfiguration 'network_autoconfig_enable' must be either 'true' or 'false'."
fi
# Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv6.
if [[ ${network_autoconfig_enable} == "true" && ${HAS_LINKIPV6} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/network/interfaces
# The primary network interface IPv6
iface "${HAS_NIC}" inet6 dhcp
EOF
do_log "info" "false" "IPv6 on the primary NIC: '${HAS_NIC}' configured with DHCP."
fi
if [[ ${network_autoconfig_enable,,} == "false" && ${network_ipv6,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/network/interfaces
# The primary network interface IPv6
iface "${HAS_NIC}" inet6 static
address "${network_static_ipv6address}"/"${network_static_ipv6netmask}"
gateway "${network_static_ipv6gateway}"
dns-nameservers "${network_static_ipv6nameserver_0}" "${network_static_ipv6nameserver_1}" "${network_static_ipv6nameserver_fallback_0}"
EOF
do_log "info" "false" "IPv6 on the primary NIC: '${HAS_NIC}' configured manually."
fi
# Until now, neither 'NetworkManager' nor 'systemd-resolved' are installed.
# Therefore, '/etc/resolv.conf' is updated, too.
# Create '/etc/resolv.conf' IPv4 entries.
if [[ -f "${TARGET}"/etc/resolv.conf ]]; then
rm "${TARGET}"/etc/resolv.conf
do_log "info" "false" "Existing '${TARGET}/etc/resolv.conf' removed."
fi
touch "${TARGET}"/etc/resolv.conf
chmod 0644 "${TARGET}"/etc/resolv.conf
cat << EOF >> "${TARGET}"/etc/resolv.conf
# Custom DNS IPv4 configuration for DHCP
nameserver ${network_static_ipv4nameserver_0}
nameserver ${network_static_ipv4nameserver_1}
nameserver ${network_static_ipv4nameserver_fallback_0}
EOF
do_log "info" "false" "IPv4 nameserver at: '${TARGET}/etc/resolv.conf' configured manually."
# Create '/etc/resolv.conf' IPv6 entries.
if [[ ${network_autoconfig_enable,,} == "true" && ${HAS_LINKIPV6,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/resolv.conf
# Custom DNS IPv6 configuration for DHCP
nameserver ${network_static_ipv6nameserver_0}
nameserver ${network_static_ipv6nameserver_1}
nameserver ${network_static_ipv6nameserver_fallback_0}
EOF
do_log "info" "false" "IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured manually."
elif [[ ${network_autoconfig_enable,,} == "false" && ${network_ipv6,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/resolv.conf
# Custom DNS IPv6 configuration for DHCP
nameserver ${network_static_ipv6nameserver_0}
nameserver ${network_static_ipv6nameserver_1}
nameserver ${network_static_ipv6nameserver_fallback_0}
EOF
do_log "info" "false" "IPv6 nameserver at: '${TARGET}/etc/resolv.conf' configured manually."
fi
# Ensure Internet Systems Consortium DHCP Client is not overwriting the static nameserver settings.
if [[ ${network_autoconfig_enable,,} == "true" && ${HAS_LINKIPV6,,} == "true" ]]; then
cat << EOF > "${TARGET}"/etc/dhcp/dhclient.conf
# Custom DNS IPv4 and IPv6 configuration for DHCP
supersede domain-name-servers \
${network_static_ipv4nameserver_0}, \
${network_static_ipv4nameserver_1}, \
${network_static_ipv4nameserver_fallback_0}, \
${network_static_ipv6nameserver_0}, \
${network_static_ipv6nameserver_1}, \
${network_static_ipv6nameserver_fallback_0};
EOF
do_log "info" "false" "DHCP client configuration for IPv4 and IPv6 at: '${TARGET}/etc/dhcp/dhclient.conf' configured."
elif [[ ${network_autoconfig_enable,,} == "false" && ${network_ipv6,,} == "true" ]]; then
cat << EOF > "${TARGET}"/etc/dhcp/dhclient.conf
# Custom DNS IPv4 and IPv6 configuration for DHCP
supersede domain-name-servers \
${network_static_ipv4nameserver_0}, \
${network_static_ipv4nameserver_1}, \
${network_static_ipv4nameserver_fallback_0}, \
${network_static_ipv6nameserver_0}, \
${network_static_ipv6nameserver_1}, \
${network_static_ipv6nameserver_fallback_0};
EOF
do_log "info" "false" "DHCP client configuration IPv4 and IPv6 at: '${TARGET}/etc/dhcp/dhclient.conf' configured."
else
cat << EOF > "${TARGET}"/etc/dhcp/dhclient.conf
# Custom DNS IPv4 only configuration for DHCP
supersede domain-name-servers \
${network_static_ipv4nameserver_0}, \
${network_static_ipv4nameserver_1}, \
${network_static_ipv4nameserver_fallback_0};
EOF
do_log "info" "false" "DHCP client configuration IPv4 only at: '${TARGET}/etc/dhcp/dhclient.conf' configured."
fi
# Export hostname and IPv4 and IPv6 addresses for further processing according to dynamic results and preseed.yaml settings.
if [[ ${network_autoconfig_enable,,} == "true" ]]; then
declare -g -r -x FINAL_FQDN="${FQDN}"
declare -g -r -x FINAL_IPV4_ADDRESS="${ADDR_YI}"
elif [[ ${network_autoconfig_enable,,} == "false" ]]; then
declare -g -r -x FINAL_FQDN="${network_static_hostname}"
declare -g -r -x FINAL_IPV4_ADDRESS="${network_static_ipv4address}"
fi
if [[ ${network_autoconfig_enable,,} == "true" && ${HAS_LINKIPV6,,} == "true" ]]; then
declare -g -r -x FINAL_IPV6_ADDRESS="${HAS_IPV6}"
declare -g -r -x FINAL_IPV6="${HAS_LINKIPV6}"
elif [[ ${network_autoconfig_enable,,} == "false" && ${network_ipv6,,} == "true" ]]; then
declare -g -r -x FINAL_IPV6_ADDRESS="${network_static_ipv6address}"
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
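Review bot: The here-documents at L1525–L1529, L1533–L1537, L1543–L1551, L1558–L1561 and L1565–L1571 are unquoted, so the double quotes around each expansion are written literally into `/etc/network/interfaces` (`auto "eth0"`, `address "10.0.0.5"/"64"`), and ifupdown does not strip quotes, so the primary interface will not come up on first boot; drop the quote characters inside the here-docs, e.g. `iface ${NIC} inet dhcp` and `address ${network_static_ipv6address}/${network_static_ipv6netmask}`. The `else` at L1553 also fires for the valid value `true`, because only `false` is tested at L1542, so every DHCP install logs the spurious error at L1554; test `elif [[ ${network_autoconfig_enable,,} != "true" ]]` instead. Separately, `FINAL_FQDN` and `FINAL_IPV4_ADDRESS` (L1645–L1646) are taken verbatim from whatever DHCP reply was captured at L1460–L1474 and later land in `/etc/hostname` and `/etc/hosts`, so any host on the install network that answers DHCP can choose the machine's name; validate `FQDN` against hostname syntax (`[[ ${FQDN} =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$ ]]`) and `ADDR_YI` as a dotted quad before exporting them, falling back to the static values otherwise.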


@@ -0,0 +1,102 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.9. Functions - installation - setup hostname #
###########################################################################################
###########################################################################################
# Generate files: '/etc/hostname' | '/etc/hosts' | '/etc/mailname'
# Globals:
# FINAL_FQDN
# FINAL_IPV4_ADDRESS
# FINAL_IPV6
# FINAL_IPV6_ADDRESS
# MODULE_ERR
# MODULE_TXT
# TARGET
# network_hostname
# network_ipv6
# Arguments:
# None
###########################################################################################
3_7_9_functions_installation_setup_hostname() {
declare -g -x MODULE_ERR="3_7_9_functions_installation_setup_hostname"
declare -g -x MODULE_TXT="Setup hostname '${network_hostname}'"
do_show_header "${MODULE_TXT}"
# Create '${TARGET}/etc/hostname' file.
if [[ -f "${TARGET}"/etc/hostname ]]; then
rm "${TARGET}"/etc/hostname
do_log "info" "false" "Existing '${TARGET}/etc/hostname' removed."
fi
touch "${TARGET}"/etc/hostname
chmod 0644 "${TARGET}"/etc/hostname
cat << EOF >> "${TARGET}"/etc/hostname
"${FINAL_FQDN}"
EOF
do_log "info" "false" "File generated: '${TARGET}/etc/hostname' | hostname '${network_hostname}'."
# Create '${TARGET}/etc/mailname' file.
if [[ -f "${TARGET}"/etc/mailname ]]; then
rm "${TARGET}"/etc/mailname
do_log "info" "false" "Existing '${TARGET}/etc/mailname' removed."
fi
touch "${TARGET}"/etc/mailname
chmod 0644 "${TARGET}"/etc/mailname
cat << EOF >> "${TARGET}"/etc/mailname
"${FINAL_FQDN}"
EOF
do_log "info" "false" "File generated: '${TARGET}/etc/mailname' | mailname '${network_hostname}'."
# Generate '${TARGET}/etc/hosts' basic IPv4 entries
if [[ -f "${TARGET}"/etc/hosts ]]; then
rm "${TARGET}"/etc/hosts
do_log "info" "false" "Existing '${TARGET}/etc/hosts' removed."
fi
touch "${TARGET}"/etc/hosts
chmod 0644 "${TARGET}"/etc/hosts
cat << EOF >> "${TARGET}"/etc/hosts
127.0.0.1 localhost
"${FINAL_IPV4_ADDRESS}" "${FINAL_FQDN}"
EOF
do_log "info" "false" "File generated: '${TARGET}/etc/hosts' with basic IPv4 entries."
# Generate '${TARGET}/etc/hosts' basic IPv6 entries
if [[ ${FINAL_IPV6,,} == "true" || ${network_ipv6,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/hosts
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
"${FINAL_IPV6_ADDRESS}" "${FINAL_FQDN}"
EOF
do_log "info" "false" "File updated: '${TARGET}/etc/hosts' with basic IPv6 entries."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
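Review bot: The unquoted here-documents at L1704–L1706, L1715–L1717, L1726–L1729 and L1733–L1742 write the surrounding double quotes into the files, so `/etc/hostname` becomes `"host.example.org"` and the address line of `/etc/hosts` becomes `"10.0.0.5" "host.example.org"`, neither of which is a valid hostname or hosts entry; remove the quote characters inside the here-docs. Debian also expects the short name in `/etc/hostname` and the FQDN followed by the short alias in `/etc/hosts`, so `${FINAL_FQDN%%.*}` at L1705 and `${FINAL_IPV4_ADDRESS} ${FINAL_FQDN} ${FINAL_FQDN%%.*}` at L1728 would follow that convention — the log lines at L1707 and L1718 already name `network_hostname` rather than the FQDN, so confirm which value is intended. Guard against an empty `FINAL_IPV4_ADDRESS` (possible when the DHCP parse in 3.7.8 yields nothing) before writing L1728, otherwise the line degenerates to a bare hostname with no address.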


@@ -0,0 +1,196 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.0. Functions - installation - setup grub #
###########################################################################################
###########################################################################################
# Installation and setup of the GRUB2 (backported) version.
# The backported version MUST be installed for LUKS2 '/boot' encryption.
# Globals:
# ERR_UNSUPPT_TABLE
# MODULE_ERR
# MODULE_TXT
# RECIPE_FIRMWARE
# RECIPE_TABLE
# TARGET
# grub_background_enable
# grub_background_path
# grub_bootdev
# grub_force
# grub_latest
# grub_prober
# grub_skip
# Arguments:
# None
###########################################################################################
3_8_0_functions_installation_setup_grub() {
declare -g -x MODULE_ERR="3_8_0_functions_installation_setup_grub"
declare -g -x MODULE_TXT="Setup GRUB"
do_show_header "${MODULE_TXT}"
if [[ ${grub_skip,,} == "false" ]]; then
# Install GRUB2 package
if [[ ${grub_latest,,} == "true" ]]; then
# Install the GRUB2 backported version from the Bookworm backports repository.
do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common
do_log "info" "true" "Command: 'apt-get install -y -t bookworm-backports grub2 grub2-common' executed in: '${TARGET}'."
else
# Install the GRUB2 stable version.
do_in_target "${TARGET}" apt-get install -y grub2 grub2-common
do_log "info" "true" "Command: 'apt-get install -y grub2 grub2-common' executed in: '${TARGET}'."
fi
# Install grub on the specific device.
if [[ ${grub_force-efi-extra-removable,,} == "false" ]]; then
if [[ ${RECIPE_TABLE,,} == "gpt" && ${RECIPE_FIRMWARE,,} == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt"
do_in_target "${TARGET}" update-grub
do_log "info" "false" "Partition table: '${RECIPE_TABLE,,}' | Firmware: '${RECIPE_FIRMWARE,,}'."
do_log "info" "false" "Command: 'grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules=\"btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt\"' executed in: '${TARGET}'."
elif [[ ${RECIPE_TABLE,,} == "gpt" && ${RECIPE_FIRMWARE,,} == "bios" ]]; then
do_in_target "${TARGET}" grub-install --target=i386-pc --boot-directory=/boot --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt" --recheck "${grub_bootdev}"
do_in_target "${TARGET}" update-grub
do_log "info" "false" "Partition table: '${RECIPE_TABLE,,}' | Firmware: '${RECIPE_FIRMWARE,,}'."
do_log "info" "false" "Command: 'grub-install --target=i386-pc --boot-directory=/boot --modules=\"btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt\" --recheck ${grub_bootdev}' executed in: '${TARGET}'."
elif [[ ${RECIPE_TABLE,,} == "msdos" && ${RECIPE_FIRMWARE,,} == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos"
do_in_target "${TARGET}" update-grub
do_log "info" "false" "Partition table: '${RECIPE_TABLE,,}' | Firmware: '${RECIPE_FIRMWARE,,}'."
do_log "info" "false" "Command: 'grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules=\"btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos\"' executed in: '${TARGET}'."
elif [[ ${RECIPE_TABLE,,} == "msdos" && ${RECIPE_FIRMWARE,,} == "bios" ]]; then
do_in_target "${TARGET}" grub-install --target=i386-pc --boot-directory=/boot --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos" --recheck "${grub_bootdev}"
do_in_target "${TARGET}" update-grub
do_log "info" "false" "Partition table: '${RECIPE_TABLE,,}' | Firmware: '${RECIPE_FIRMWARE,,}'."
do_log "info" "false" "Command: 'grub-install --target=i386-pc --boot-directory=/boot --modules=\"btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_msdos\" --recheck ${grub_bootdev}' executed in: '${TARGET}'."
else
do_log "emergency" "false" "Unsupported partition table: '${RECIPE_TABLE,,}' and / or firmware: '${RECIPE_FIRMWARE,,}'."
exit "${ERR_UNSUPPT_TABLE}"
fi
elif [[ ${grub_force-efi-extra-removable,,} == "true" ]]; then
if [[ ${RECIPE_TABLE,,} == "gpt" && ${RECIPE_FIRMWARE,,} == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt" --force-extra-removable
do_in_target "${TARGET}" update-grub
do_log "info" "false" "Partition table: '${RECIPE_TABLE,,}' | Firmware: '${RECIPE_FIRMWARE,,}'."
do_log "info" "false" "Command: 'grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules=\"btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt\" --force-extra-removable' executed in: '${TARGET}'."
else
do_log "emergency" "false" "Unsupported combination of partition table: '${RECIPE_TABLE,,}' and setting: grub_force-efi-extra-removable '${grub_force-efi-extra-removable,,}'."
exit "${ERR_UNSUPPT_TABLE}"
fi
fi
# Enable booting from LUKS encrypted devices by default.
cat << EOF >> "${TARGET}"/etc/default/grub
# Enable booting from LUKS encrypted devices by default.
GRUB_ENABLE_CRYPTODISK=y
EOF
do_in_target "${TARGET}" update-grub
do_log "info" "false" "Booting from LUKS encrypted devices by default enabled, executed in: '${TARGET}'."
# Install a boot menu background.
if [[ ${grub_background_enable,,} == "true" ]]; then
declare BACKGROUND
BACKGROUND=$(basename "${grub_background_path}")
cp "${grub_background_path}" "${TARGET}"/etc/default/grub.d/"${BACKGROUND}"
chmod 0640 "${TARGET}"/etc/default/grub.d/"${BACKGROUND}"
cat << EOF >> "${TARGET}"/etc/default/grub
# Enable boot menu background.
GRUB_BACKGROUND="/etc/default/grub.d/${BACKGROUND}"
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'vbeinfo'
GRUB_GFXMODE=1920x1080,1280x1024,800x600
GRUB_GFXPAYLOAD_LINUX=keep
EOF
do_in_target "${TARGET}" update-grub
do_log "info" "false" "Boot menu background enabled, executed in: '${TARGET}'."
fi
# Change GRUB OS detection configuration accordingly.
if [[ ${grub_prober,,} == "true" ]]; then
cat << EOF >> "${TARGET}"/etc/default/grub
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=false
EOF
do_in_target "${TARGET}" update-grub
do_log "info" "false" "GRUB OS detection configuration changed: 'GRUB_DISABLE_OS_PROBER=false' executed in: '${TARGET}'."
elif [[ ${grub_prober,,} == "false" ]]; then
cat << EOF >> "${TARGET}"/etc/default/grub
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=true
EOF
do_in_target "${TARGET}" update-grub
do_log "info" "false" "GRUB OS detection configuration changed: 'GRUB_DISABLE_OS_PROBER=true' executed in: '${TARGET}'."
fi
elif [[ ${grub_skip,,} == "true" ]]; then
do_log "info" "false" "GRUB2 setup skipped."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
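Review bot: `${grub_force-efi-extra-removable,,}` at L1802, L1827 and L1834 is not a lowercased expansion of a variable named `grub_force-efi-extra-removable` (hyphens cannot appear in a name); bash parses it as `${grub_force-WORD}`, i.e. `$grub_force` with the default text `efi-extra-removable,,` when `grub_force` is unset, so with that variable unset neither branch matches, no `grub-install` runs, and the function continues into the cryptodisk setup as if it had. Use the variable the header lists, `if [[ ${grub_force,,} == "false" ]]; then` and `elif [[ ${grub_force,,} == "true" ]]; then`, and add an `else` that logs at `emergency` and exits, as the unsupported-table branches at L1823–L1826 do. The `grub-install` calls themselves also never have their exit status checked, so a failed bootloader install is logged as a success at L1807, L1812, L1817, L1822 and L1832; wrap them like the apt steps in the earlier sections. The five separate `update-grub` runs could be collapsed into one after `/etc/default/grub` is final.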


@@ -0,0 +1,361 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.1. Functions - installation - setup grub hardening #
###########################################################################################
# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
###########################################################################################
# Hardening Grub boot parameter
# Globals:
# DIR_BAK
# DIR_LOG
# GRUB_CMDLINE_LINUX
# MODULE_ERR
# MODULE_TXT
# PATH_ABS
# TARGET
# arch
# Arguments:
# None
###########################################################################################
3_8_1_functions_installation_setup_grub_bootparameter() {
declare -g -x MODULE_ERR="3_8_1_functions_installation_setup_grub_bootparameter"
declare -g -x MODULE_TXT="Setup GRUB bootparameter"
do_show_header "${MODULE_TXT}"
###########################################################################################
# Remarks: Kernel Hardening Preparation #
###########################################################################################
declare WHEREIAM
WHEREIAM=$(virt-what)
declare TIMESTAMP
TIMESTAMP=$(do_get_timestamp)
# shellcheck disable=SC2129
echo "${TIMESTAMP}" >> "${DIR_LOG}"cpu.log
grep . /sys/devices/system/cpu/vulnerabilities/* >> "${DIR_LOG}"cpu.log
spectre-meltdown-checker --explain >> "${DIR_LOG}"cpu.log
###########################################################################################
# Remarks: Setup Kernel Default- and Hardening-Presets #
###########################################################################################
cp "${PATH_ABS}"/.assets/99_local.hardened "${TARGET}"/etc/sysctl.d/99_local.hardened
chmod 0644 "${TARGET}"/etc/sysctl.d/99_local.hardened
cp "${PATH_ABS}"/.assets/99_local.defaults "${TARGET}"/etc/sysctl.d/99_local.defaults
chmod 0644 "${TARGET}"/etc/sysctl.d/99_local.defaults
###########################################################################################
# Remarks: Entropy collection improvements #
###########################################################################################
if [[ ! -d "${TARGET}"/usr/lib/modules-load.d ]]; then
mkdir -p "${TARGET}"/usr/lib/modules-load.d
fi
touch "${TARGET}"/usr/lib/modules-load.d/30_security-misc.conf
chmod 0644 "${TARGET}"/usr/lib/modules-load.d/30_security-misc.conf
cat << EOF >> "${TARGET}"/usr/lib/modules-load.d/30_security-misc.conf
## https://www.whonix.org/wiki/Dev/Entropy
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
## https://forums.whonix.org/t/jitterentropy-rngd/7204
jitterentropy_rng
EOF
do_help_grub_extract_current_string
declare -g -x MODULE_ERR="3_8_1_functions_installation_setup_grub_bootparameter"
###########################################################################################
# Remarks: Audit events need to be captured on processes that start up prior to auditd , #
# so that potential malicious activity cannot go undetected. During boot if audit=1, then #
# the backlog will hold 64 records. If more than 64 records are created during boot, #
# auditd records will be lost and potential malicious activity could go undetected #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} audit=1 audit_backlog_limit=8192"
###########################################################################################
# Remarks: Distrusts CPU bootloader for initial entropy at boot #
# Distrusts the CPU for initial entropy at boot, as it is not possible to audit, #
# may contain weaknesses or a backdoor. #
###########################################################################################
# https://en.wikipedia.org/wiki/RDRAND#Reception
# https://twitter.com/pid_eins/status/1149649806056280069
# https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
# https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
# https://lkml.org/lkml/2022/6/5/271
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} random.trust_cpu=off"
###########################################################################################
# Distrusts the bootloader for initial entropy at boot. #
# https://lkml.org/lkml/2022/6/5/271 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} random.trust_bootloader=off"
###########################################################################################
# Remarks: Enables IOMMU to prevent DMA attacks. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} intel_iommu=on amd_iommu=force_isolation"
###########################################################################################
# Remarks: Disable the busmaster bit on all PCI bridges during very early boot to avoid #
# holes in IOMMU. #
# may contain weaknesses or a backdoor. #
###########################################################################################
# https://mjg59.dreamwidth.org/54433.html
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} efi=disable_early_pci_dma"
###########################################################################################
# Remarks: Enables strict enforcement of IOMMU TLB invalidation so devices will never be #
# able to access stale data contents. #
# https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 #
# Page 11 of https://lenovopress.lenovo.com/lp1467.pdf #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} iommu=force iommu.passthrough=0 iommu.strict=1"
###########################################################################################
# Remarks: Disables the merging of slabs of similar sizes. #
# Sometimes a slab can be used vulnerably, which an attacker can exploit. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} slab_nomerge"
###########################################################################################
# Remarks: Zero memory at allocation and free time. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} init_on_alloc=1 init_on_free=1"
###########################################################################################
# Remarks: This option randomizes page allocator freelists, improving security by making #
# page allocations less predictable. This also improves performance. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} page_alloc.shuffle=1"
###########################################################################################
# Remarks: Enables Kernel Page Table Isolation, which mitigates Meltdown, improves KASLR #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} pti=on"
###########################################################################################
# Remarks: vsyscall is obsolete, are at fixed addresses and are a target for ROP. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} vsyscall=none"
###########################################################################################
# Remarks: Enables randomization of the kernel stack offset on syscall entries #
# (introduced in kernel 5.13). https://lkml.org/lkml/2019/3/18/246 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} randomize_kstack_offset=on"
###########################################################################################
# Remarks: Restrict access to debugfs since it can contain a lot of sensitive information.#
# https://lkml.org/lkml/2020/7/16/122 #
# https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} debugfs=off"
###########################################################################################
# Remarks: Force the kernel to panic on "oopses" (which may be due to false positives). #
# Reboot devices immediately if kernel experiences an Oops. #
# https://kspp.github.io/Recommended_Settings #
# https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} oops=panic panic=-1"
###########################################################################################
# Remarks: Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} mitigations=auto,nosmt"
###########################################################################################
# Remarks: Enable mitigations for both Spectre Variant 2 (indirect branch speculation) #
# and Intel branch history injection (BHI) vulnerabilities. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} spectre_v2=on spectre_v2_user=on spectre_bhi=on"
###########################################################################################
# Remarks: Disable Speculative Store Bypass (Spectre Variant 4). #
# https://www.suse.com/support/kb/doc/?id=000019189 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} spec_store_bypass_disable=on nospec_store_bypass_disable=off"
###########################################################################################
# Remarks: Enable mitigations for the L1TF vulnerability through disabling SMT and L1D #
# flush runtime control. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} l1tf=full,force"
###########################################################################################
# Remarks: Enable mitigations for the MDS vulnerability through clearing buffer cache #
# and disabling SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} mds=full,nosmt"
###########################################################################################
# Remarks: Patches the TAA vulnerability by disabling TSX and enables mitigations using #
# TSX Async Abort along with disabling SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} tsx=off tsx_async_abort=full,nosmt"
###########################################################################################
# Remarks: Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} kvm.nx_huge_pages=force"
###########################################################################################
# Remarks: Force disable SMT as it has caused numerous CPU vulnerabilities. #
# The only full mitigation of cross-HT attacks is to disable SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html #
# https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} nosmt=force"
###########################################################################################
# Remarks: Enables the prctl interface to prevent leaks from L1D on context switches. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} l1d_flush=on"
###########################################################################################
# Remarks: Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} mmio_stale_data=full,nosmt"
###########################################################################################
# Remarks: Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with #
# Return Instructions) vulnerability and disable SMT. #
# https://www.suse.com/support/kb/doc/?id=000020693 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} retbleed=auto,nosmt"
###########################################################################################
# Remarks: Enables kernel lockdown mode with a focus on confidentiality. The kernel is #
# configured in such a way that even privileged users (such as root) have limited access #
# to kernel data and debug mechanisms. 'confidentiality': Maximum restriction to ensure #
# the security and integrity of the system. This prevents direct access to hardware and #
# debug interfaces, for example. Useful for highly secure environments as it reduces the #
# attack surface to kernel data. However, some applications that require debugging or #
# hardware access may have problems. #
# https://blog.cloudflare.com/de-de/linux-kernel-hardening/ #
# https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} lockdown=confidentiality"
###########################################################################################
# Remarks: Enables 'Read-Only Data Protection', which implements read-only memory areas #
# for kernel data structures. This protects the kernel from certain types of exploit #
# (e.g., buffer overflows). 'on': Forces the corresponding areas to remain read-only. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} rodata=on"
###########################################################################################
# Remarks: Meaning:Enables initialization or overwriting of released memory so-called #
# 'poisoning' with special values. This helps to detect errors caused by the use of #
# already released memory (Use-After-Free). '1': Enables the function. Good for debugging #
# and security checks, but can slightly affect performance. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} page_poison=1"
###########################################################################################
# Remarks: Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety #
# error detector. KFENCE detects heap out-of-bounds access, use-after-free, and #
# invalid-free errors. KFENCE is designed to be enabled in production kernels, and has #
# near zero performance overhead. Compared to KASAN, KFENCE trades performance for #
# precision. The main motivation behind KFENCEs design is that with enough total uptime #
# KFENCE will detect bugs in code paths not typically exercised by non-production test #
# workloads. One way to quickly achieve a large enough total uptime is when the tool is #
# deployed across a large fleet of machines. #
# https://docs.kernel.org/dev-tools/kfence.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} kfence.sample_interval=100"
###########################################################################################
# Remarks: CFI Ensures that only controlled, predefined transitions are possible in the #
# programs' control flow. kcfi (Kernel Control Flow Integrity): Specific implementation of#
# CFI for the Linux kernel that is particularly robust and provides accurate control flow #
# validation. kcfi relies on compiler-based technologies (e.g., LLVM) that insert special #
# checks and instrumentation into the kernel code. #
# https://kspp.github.io/Recommended_Settings#kernel-command-line-options #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} cfi=kcfi"
###########################################################################################
# Remarks: Remove additional (32-bit) attack surface, unless you really need them. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
# https://kspp.github.io/Recommended_Settings#kernel-command-line-options #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} ia32_emulation=0"
do_help_grub_finalize_string
MODULE_ERR="3_8_1_functions_installation_setup_grub_bootparameter"
###########################################################################################
# Remarks: Generally, it is best to let the hypervisor handle CPU microcode updates #
###########################################################################################
case "${arch,,}" in
amd64)
if [[ -f "${TARGET}"/etc/default/amd64-microcode && ${WHEREIAM} != kvm ]]; then
cp -u /etc/default/amd64-microcode "${DIR_BAK}"amd64-microcode.bak
chmod 644 "${DIR_BAK}"amd64-microcode.bak
sed -i "s/#AMD64UCODE_INITRAMFS=auto/AMD64UCODE_INITRAMFS=early/" "${TARGET}"/etc/default/amd64-microcode
fi
if [[ -f "${TARGET}"/etc/modprobe.d/amd64-microcode-blacklist.conf && ${WHEREIAM} != kvm ]]; then
cp -u "${TARGET}"/etc/modprobe.d/amd64-microcode-blacklist.conf "${DIR_BAK}"amd64-microcode-blacklist.conf.bak
chmod 0644 "${DIR_BAK}"amd64-microcode-blacklist.conf.bak
sed -i "s/blacklist microcode/# blacklist microcode/" "${TARGET}"/etc/modprobe.d/amd64-microcode-blacklist.conf
fi
;;
intel64)
if [[ -f "${TARGET}"/etc/default/intel-microcode && ${WHEREIAM} != kvm ]]; then
cp -u "${TARGET}"/etc/default/intel-microcode "${DIR_BAK}"intel-microcode.bak
chmod 0644 "${DIR_BAK}"intel-microcode.bak
sed -i "s/#IUCODE_TOOL_INITRAMFS=auto/IUCODE_TOOL_INITRAMFS=early/" "${TARGET}"/etc/default/intel-microcode
sed -i "s/#IUCODE_TOOL_SCANCPUS=yes/IUCODE_TOOL_SCANCPUS=yes/" "${TARGET}"/etc/default/intel-microcode
fi
if [[ -f "${TARGET}"/etc/modprobe.d/intel-microcode-blacklist.conf && ${WHEREIAM} != kvm ]]; then
cp -u "${TARGET}"/etc/modprobe.d/intel-microcode-blacklist.conf "${DIR_BAK}"intel-microcode-blacklist.conf.bak
chmod 0644 "${DIR_BAK}"intel-microcode-blacklist.conf.bak
sed -i "s/blacklist microcode/# blacklist microcode/" "${TARGET}"/etc/modprobe.d/intel-microcode-blacklist.conf
fi
;;
esac
do_in_target "${TARGET}" update-grub
do_log "info" "false" "GRUB hardening of bootparameters, executed in: '${TARGET}'."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
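Review bot: The sysctl presets copied by `cp "${PATH_ABS}"/.assets/99_local.hardened "${TARGET}"/etc/sysctl.d/99_local.hardened` and the `99_local.defaults` line below it are never loaded, because both `sysctl --system` and systemd-sysctl only read files in /etc/sysctl.d/ whose names end in `.conf`; the destinations (and the matching chmod targets) should be `99_local.hardened.conf` and `99_local.defaults.conf` so the hardening actually takes effect. In the amd64 branch, `cp -u /etc/default/amd64-microcode "${DIR_BAK}"amd64-microcode.bak` backs up the installer host's file although the existence check and the sed just below operate on `"${TARGET}"/etc/default/amd64-microcode`; unlike the intel64 branch, it should read `cp -u "${TARGET}"/etc/default/amd64-microcode "${DIR_BAK}"amd64-microcode.bak`. `nospec_store_bypass_disable` is documented as a bare flag, so `nospec_store_bypass_disable=off` is at best ignored and should be dropped from that line, leaving `spec_store_bypass_disable=on`. The two TODO comments under the section banner carry a concrete LUKS UUID and a public IP address; these are deployment-specific values and should refer to the preseed variables rather than be shipped in the library file.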


@@ -0,0 +1,100 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.2. Functions - installation - setup ssh #
###########################################################################################
###########################################################################################
# Setup ssh server
# Globals:
# DIR_BAK
# DIR_LOG
# FINAL_FQDN
# FINAL_IPV4_ADDRESS
# FINAL_IPV6_ADDRESS
# MODULE_ERR
# MODULE_TXT
# PATH_ABS
# TARGET
# accounts_ssh
# accounts_user_login
# accounts_user_name
# Arguments:
# None
###########################################################################################
3_8_2_functions_installation_setup_ssh() {
declare -g -x MODULE_ERR="3_8_2_functions_installation_setup_ssh"
declare -g -x MODULE_TXT="Setup ssh"
do_show_header "${MODULE_TXT}"
do_in_target "${TARGET}" apt-get install -y ssh
do_log "info" "false" "Command: 'apt-get install -y ssh' executed in: '${TARGET}'."
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
do_in_target "${TARGET}" ssh-keygen -o -a "${accounts_ssh-keyrounds}" -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${FINAL_FQDN}-$(date -I)"
do_log "info" "false" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
do_in_target "${TARGET}" ssh-keygen -o -a "${accounts_ssh-keyrounds}" -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${FINAL_FQDN}-$(date -I)"
do_log "info" "false" "Generated RSA4096 SSH Key, executed in chroot."
declare TIMESTAMP
TIMESTAMP=$(do_get_timestamp)
echo "${TIMESTAMP}" >> "${DIR_LOG}"sshd_config.log && sshd -T >> "${DIR_LOG}"sshd_config.log
echo "${TIMESTAMP}" >> "${DIR_LOG}"ssh.log && ssh-keygen -r @ >> "${DIR_LOG}"ssh.log
cp -u "${TARGET}"/etc/ssh/sshd_config "${DIR_BAK}"sshd_config.bak
chmod 0644 "${DIR_BAK}"sshd_config.bak
cp -u "${TARGET}"/etc/ssh/ssh_config "${DIR_BAK}"ssh_config.bak
chmod 0644 "${DIR_BAK}"ssh_config.bak
rm "${TARGET}"/etc/ssh/sshd_config
cp "${PATH_ABS}"/.assets/sshd_config "${TARGET}"/etc/ssh/sshd_config
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${FINAL_IPV4_ADDRESS}/" "${TARGET}"/etc/ssh/sshd_config
if [[ -n ${FINAL_IPV6_ADDRESS} ]]; then
sed -i "s/ListenAddress ::/ListenAddress ${FINAL_IPV6_ADDRESS}/" "${TARGET}"/etc/ssh/sshd_config
else
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}"/etc/ssh/sshd_config
fi
sed -i "s/Port 22/Port ${accounts_ssh-port}/" "${TARGET}"/etc/ssh/sshd_config
if [[ ${accounts_user_login,,} == "true" ]]; then
sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root ${accounts_user_name}/" "${TARGET}"/etc/ssh/sshd_config
else
sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root/" "${TARGET}"/etc/ssh/sshd_config
fi
chmod 0600 "${TARGET}"/etc/ssh/sshd_config "${TARGET}"/etc/ssh/ssh_config
TIMESTAMP=$(do_get_timestamp)
echo "${TIMESTAMP}" >> "${DIR_LOG}"ssh.log
do_in_target "${TARGET}" /bin/bash -c "sshd -T >> ${DIR_LOG}ssh.log"
###########################################################################################
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
echo "readonly TMOUT=14400" >> "${TARGET}"/etc/profile.d/idle-users.sh
echo "readonly HISTFILE" >> "${TARGET}"/etc/profile.d/idle-users.sh
chmod +x "${TARGET}"/etc/profile.d/idle-users.sh
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
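Review bot: `"${accounts_ssh-keyrounds}"` in the two ssh-keygen calls and `${accounts_ssh-port}` in the Port sed are not the variables the file intends: `${name-word}` is bash's default-value expansion, so they yield `$accounts_ssh` if it is set and otherwise the literal strings `keyrounds` and `port`, producing `ssh-keygen -a keyrounds` and `Port port` in sshd_config. The dropbear setup elsewhere in this commit reads `${accounts_ssh_port}`, so these should be `"${accounts_ssh_keyrounds}"` and `${accounts_ssh_port}`, and the Globals header, which lists `accounts_ssh`, should name the real variables. Separately, `sshd -T >> "${DIR_LOG}"sshd_config.log` runs on the installer host rather than in the chroot, so that log records the host's effective configuration, not the target's; the later `do_in_target "${TARGET}" /bin/bash -c "sshd -T ..."` form is the one that reflects the new config.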


@@ -0,0 +1,275 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.7.7. Functions - installation - kernel #
###########################################################################################
lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'bin/(reboot|sync|sleep|sh)'
command="/usr/local/bin/coresecret.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp+6S+qM87lLWUtvTGBV/GFNvYyvZ992X4/AcuraKwm 2025_run.coresecret.dev_root
***
run.coresecret.dev
/dev/sda5: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
echo "IP=65.21.249.232::172.31.1.1:255.255.255.255:run.coresecret.dev:enp1s0:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
***
/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
# Vorher (Standard)
ASKPASS=/lib/cryptsetup/askpass
# Danach
ASKPASS=/lib/cryptsetup/askpass.cryptsetup
apt-get cryptsetup-nuke-password
dpkg-reconfigure cryptsetup-nuke-password
debconf-set-selections << END
cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
END
sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password
apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
rm -f /etc/dropbear/initramfs/dropbear*key
dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
chmod 600 /etc/dropbear/initramfs/dropbear*key
chown root:root /etc/dropbear/initramfs/dropbear*key
cp -af ~/.ssh/authorized_keys /etc/dropbear/initramfs
echo "IP=152.53.110.40::152.53.108.1:255.255.252.0:git.coresecret.dev:ens3:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
sed -i 's|#DROPBEAR_OPTIONS=""|DROPBEAR_OPTIONS="-p 37768 -s -j -k -I 300 -c coresecret.sh"|g' /etc/dropbear/initramfs/dropbear.conf
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root"
update-initramfs -u -v -k all
NIC_MODULE=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
echo "$NIC_MODULE"
grep_nic_driver_modules() {
# Alle Treibernamen sammeln und unique sortieren
readarray -t _mods < <(
lspci -k \
| grep -A2 -i ethernet \
| grep 'Kernel driver in use' \
| awk '{print $5}' \
| sort -u
)
# Wenn nur ein Eintrag übrig bleibt, in NIC_MODULE speichern,
# sonst alternativ alle Module in NIC_MODULES
if [ "${#_mods[@]}" -eq 1 ]; then
NIC_MODULE="${_mods[0]}"
else
NIC_MODULES="${_mods[*]}"
fi
# Ausgabe zur Kontrolle
if [ -n "$NIC_MODULE" ]; then
echo "Einzelnes Modul: $NIC_MODULE"
else
echo "Mehrere Module: $NIC_MODULES"
fi
}
###########################################################################################
# Installation of the specified kernel incl. dropbear SSH, LUKS Nuke.
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# kernel
# Arguments:
# None
###########################################################################################
3_7_7_functions_installation_kernel() {
declare -g -x MODULE_ERR="3_7_7_functions_installation_kernel"
declare -g -x MODULE_TXT="Install kernel: '${kernel}'"
do_show_header "${MODULE_TXT}"
# Installing the chosen Kernel Image according to preseed.yaml
do_in_target "${TARGET}" apt-get install -y "${kernel}"
if [[ ${accounts_dropbear_ssh,,} == "true" ]]; then
do_in_target "${TARGET}" apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
echo "DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300\"" > "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
cat > "${TARGET}/etc/dropbear/initramfs/authorized_keys" << EOF
command="/bin/security-rescue-shell",no-port-forwarding,no-pty,no-X11-forwarding ${accounts_dropbear_pubkey}
EOF
chmod 0644 "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
chown root:root "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
chown root:root "${TARGET}/etc/dropbear/initramfs/authorized_keys"
do_log "info" "true" "Command: 'echo \"DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300 -K curve25519-sha256 -c aes256-gcm@openssh.com -m hmac-sha2-256,hmac-sha2-512\" > ${TARGET}/etc/dropbear/initramfs/dropbear.conf' executed in: '${TARGET}'."
do_log "info" "true" "Command: 'echo ${accounts_dropbear_pubkey} > ${TARGET}/etc/dropbear/initramfs/authorized_keys' executed in: '${TARGET}'."
# Network-Pre-Script for initramfs DHCP
cat > "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network" << 'EOF'
#!/bin/sh
# ^^ no bash in initramfs environment, only BusyBox
PREREQ=""
prereqs() { echo "${PREREQ}"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac
# NIC without ":" and VLAN-Suffix
iface=$(grep -E '^(eth|en)[^:.]*$' /sys/class/net | head -n1)
[ -n "${iface}" ] || exit 0
# Setup Link and dhclient or udhcpc
ip link set "${iface}" up
if command -v dhclient >/dev/null 2>&1; then
dhclient "${iface}"
else
udhcpc -i "${iface}"
fi
exit 0
EOF
chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network"
do_log "info" "true" "Generated: '${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network: '${TARGET}'."
cat > "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw" << EOF
#!/bin/sh
# ^^ no bash in initramfs environment, only BusyBox
if command -v iptables >/dev/null 2>&1; then
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv4}" -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
fi
if command -v ip6tables >/dev/null 2>&1; then
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv6}" -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
fi
EOF
chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw"
cat > "${TARGET}/bin/remote-nuke.sh" << EOF
#!/bin/sh
# ^^ no bash in initramfs environment, only BusyBox
# remote-nuke.sh to be executed at the end of Initramfs
PREREQ="local-bottom"
prereqs() { echo "${PREREQ}"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac
message() {
if [ ${#*} -lt 76 ]; then
echo "$*" 1>&2
else
# use busybox's fold(1) and sed(1) at initramfs stage
echo "$*" | fold -s | sed '1! s/^/ /' 1>&2
fi
return 0
}
. /scripts/functions # delivers log_* und ASKPASS
# Brief break, to ensure all devices are mapped
sleep 1
readonly MAX_RETRIES=5
for DEV in /dev/sd*[0-9]; do
[ -b "${DEV}" ] || continue
DEV_NAME=$(basename "${DEV}" | tr -cs 'a-zA-Z0-9' '_')
NUKE_MAP="nuke_${DEV_NAME}"
TRY_MAP="try_${DEV_NAME}"
ASKPASS=/usr/bin/ssh-askpass
password="$(${ASKPASS} "Enter LUKS passphrase: ")"
message "Checking ${DEV} ..."
if ! cryptsetup isLuks "${DEV}" 2>/dev/null; then
message "${DEV} is not a LUKS-Container skipped."
continue
fi
# Verify, if LUKS Key Slot #31 exists
if cryptsetup luksDump "${DEV}" 2>/dev/null | grep -q '^Key Slot 31: *ENABLED'; then
has_slot31="yes"
else
has_slot31="no"
fi
attempt=1
while [ ${attempt} -le ${MAX_RETRIES} ]; do
message "Attempt '${attempt}/${MAX_RETRIES}' for opening ${DEV} ..."
if [ "${has_slot31}" = yes ]; then
if echo "${password}" | cryptsetup open --test-passphrase --key-slot 31 "${DEV}" "${NUKE_MAP}" 2>/dev/null; then
echo YES | cryptsetup erase "${DEV}"
message "Slot 31 of ${DEV} exists. Cleaning OK successful."
break
fi
fi
if echo "$((password))" | cryptsetup open "${DEV}" "crypt_${NAME}" 2>/dev/null; then
decrypted_any=yes
break
fi
# 2) Normales Entschlüsseln (jeder Slot)
echo "$password" | cryptsetup open \
--test-passphrase \
"$DEV" nuke_tmp 2>/dev/null
if [ $? -eq 0 ]; then
log_success_msg "Normales Test-Passphrase erfolgreich"
cryptsetup erase "$DEV" && \
log_success_msg "LUKS-Header von $DEV gelöscht"
break
else
log_warning_msg "Normales Test-Passphrase fehlgeschlagen"
fi
attempt=$((attempt + 1))
if [ $attempt -le $MAX_RETRIES ]; then
log_begin_msg "Warte 1s vor erneutem Versuch für $DEV…"
sleep 1
else
log_error_msg "Maximale Versuche für $DEV erreicht überspringe"
fi
done
# Aufräumen: falls ein Mapper existiert, schließen
if [ -e /dev/mapper/nuke_tmp ]; then
cryptsetup close nuke_tmp
fi
done
log_end_msg 0
exit 0
EOF
chmod +x "${TARGET}/bin/security-rescue-shell"
# Regenerate Initramfs incl. Dropbear SSH, Scripts and Keys
do_in_target "${TARGET}" update-initramfs -u
fi
do_log "info" "true" "Dropbear SSH in initramfs des Targets installiert und konfiguriert (Port: ${accounts_ssh_port}, CA aktiviert, RateLimit & Nuke-Key)."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
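Review bot: The lines between the section banner and the `3_7_7_functions_installation_kernel` header (from `lsinitramfs ...` through `grep_nic_driver_modules`) are top-level statements, so they run on the installer host every time this library file is sourced: `rm -f /etc/dropbear/initramfs/dropbear*key`, `dropbearkey`, `apt-get install`, `debconf-set-selections` and `update-initramfs -u -v -k all` execute against the host, and `***` and the `/dev/sda5: UUID=...` line are not commands at all. That block also embeds an SSH public key, host names, public IP addresses, a LUKS UUID and a sample nuke password that do not belong in a shipped source file; it should be removed or moved to a notes file outside the sourced path. Inside the function, the remote-nuke script is written with an unquoted delimiter, `cat > "${TARGET}/bin/remote-nuke.sh" << EOF`, so `${PREREQ}`, `$1`, `$*`, `${DEV}`, `${password}` and the other script-internal variables are expanded by the installer at generation time (empty, or an error under `set -u`) instead of by BusyBox sh at boot; use `<< 'EOF'` as the dhcp-network heredoc above it does, since that script needs no installer-time substitutions. The file is created as `/bin/remote-nuke.sh` but the authorized_keys forced command and the `chmod +x` both name `/bin/security-rescue-shell`, so the chmod fails and the forced command points at a path that does not exist; pick one name, and presumably an initramfs-tools hook is still needed for the script to be present in the initramfs where dropbear would run it — confirm.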


@@ -0,0 +1,131 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.3. Functions - installation - setup accounts #
###########################################################################################
###########################################################################################
# Updating user accounts
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# accounts_root_login
# accounts_root_password_crypted
# accounts_root_ssh_pub_key
# accounts_user_login
# accounts_user_name
# accounts_user_password_crypted
# accounts_user_ssh_pub_key
# Arguments:
# None
###########################################################################################
3_8_3_functions_installation_setup_accounts() {
declare -g -x MODULE_ERR="3_8_3_functions_installation_setup_accounts"
declare -g -x MODULE_TXT="Setup user account"
do_show_header "${MODULE_TXT}"
if [[ ${accounts_root_login,,} == "true" ]]; then
do_in_target "${TARGET}" /bin/bash -c "echo 'root:${accounts_root_password_crypted}' | chpasswd -e"
do_log "info" "false" "Account 'root' password inserted."
if [[ ! -d ${TARGET}/root/.ssh ]]; then
mkdir "${TARGET}"/root/.ssh
chown root:root "${TARGET}"/root/.ssh
chmod 0700 "${TARGET}"/root/.ssh
else
chown root:root "${TARGET}"/root/.ssh
chmod 0700 "${TARGET}"/root/.ssh
fi
if [[ ! -f ${TARGET}/root/.ssh/authorized_keys ]]; then
touch "${TARGET}"/root/.ssh/authorized_keys
chown root:root "${TARGET}"/root/.ssh/authorized_keys
chmod 0600 "${TARGET}"/root/.ssh/authorized_keys
printf "%s\n" "$accounts_root_ssh_pub_key" >> "${TARGET}"/root/.ssh/authorized_keys
do_log "info" "false" "Account 'root' SSH public key '/root/.ssh/authorized_keys' inserted."
else
chown root:root "${TARGET}"/root/.ssh/authorized_keys
chmod 0600 "${TARGET}"/root/.ssh/authorized_keys
printf "%s\n" "$accounts_root_ssh_pub_key" >> "${TARGET}"/root/.ssh/authorized_keys
do_log "info" "false" "Account 'root' SSH public key '/root/.ssh/authorized_keys' inserted."
fi
elif [[ ${accounts_root_login,,} == "false" ]]; then
do_log "info" "false" "Skipped creation of 'root' password."
else
do_log "error" "true" "Invalid value for 'accounts_root_login': '${accounts_root_login}'. Expected value: 'true' or 'false'."
fi
if [[ ${accounts_user_login,,} == "true" ]]; then
echo "${accounts_user_name}:${accounts_user_password_crypted}" | chpasswd -e
do_log "info" "false" "Account '${accounts_user_name}' password inserted."
if [[ ! -d ${TARGET}/home/${accounts_user_name}/.ssh ]]; then
mkdir "${TARGET}"/home/"${accounts_user_name}"/.ssh
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh
chmod 0700 "${TARGET}"/home/"${accounts_user_name}"/.ssh
else
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh
chmod 0700 "${TARGET}"/home/"${accounts_user_name}"/.ssh
fi
if [[ ! -f ${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys ]]; then
touch "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
chmod 0600 "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
printf "%s\n" "$accounts_user_ssh_pub_key" >> "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
do_log "info" "false" "Account '${accounts_user_name}' SSH public key '${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys' inserted."
else
chown "${accounts_user_name}":"${accounts_user_name}" "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
chmod 0600 "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
printf "%s\n" "$accounts_user_ssh_pub_key" >> "${TARGET}"/home/"${accounts_user_name}"/.ssh/authorized_keys
do_log "info" "false" "Account '${accounts_user_name}' SSH public key '${TARGET}/home/${accounts_user_name}/.ssh/authorized_keys' inserted."
fi
elif [[ ${accounts_user_login,,} == "false" ]]; then
do_log "info" "false" "Skipped creation of account '${accounts_user_name}'."
else
do_log "error" "true" "Invalid value for 'accounts_user_login': '${accounts_user_login}'. Expected 'true' or 'false'."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
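Review bot: `chpasswd -e` on L2590 runs in the installer environment rather than in the chroot, so the user's password hash is written to the host's shadow file while the installed system keeps whatever password the account had before, and L2591 still logs success; the root branch on L2562 already does this correctly, and the user branch should mirror it: `do_in_target "${TARGET}" /bin/bash -c "echo '${accounts_user_name}:${accounts_user_password_crypted}' | chpasswd -e"`. The `chown "${accounts_user_name}":"${accounts_user_name}"` calls on L2594–L2607 resolve the name against the host's passwd database, not the target's; if the UID differs or the account does not exist on the host, the `.ssh` directory and `authorized_keys` end up with the wrong owner, so run those chowns through `do_in_target` as well (or use the numeric UID from `${TARGET}/etc/passwd`). The chown/chmod pairs are repeated identically in both branches of each `if` (L2565–L2570, L2573–L2580, L2593–L2598, L2601–L2608); an unconditional `mkdir -p` / `touch` followed by a single chown/chmod would halve the block without changing the result.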


@@ -0,0 +1,49 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.4. Functions - installation - setup packages #
###########################################################################################
###########################################################################################
# Installation of selected packages
# Globals:
# MODULE_ERR
# MODULE_TXT
# PACKAGES
# TARGET
# Arguments:
# None
###########################################################################################
3_8_4_functions_installation_setup_packages() {
declare -g -x MODULE_ERR="3_8_4_functions_installation_setup_packages"
declare -g -x MODULE_TXT="Installing packages"
do_show_header "${MODULE_TXT}"
do_in_target "${TARGET}" /bin/bash -c "apt-get update -y > /dev/null"
declare PACKAGE
for PACKAGE in "${PACKAGES[@]}"; do
do_log "info" "false" "Installing package: '${PACKAGE}' executing in: '${TARGET}'."
if do_in_target "${TARGET}" apt-get install -y "${PACKAGE}"; then
do_log "info" "false" "Command: 'apt-get install -y ${PACKAGE}' executed in: '${TARGET}'."
else
do_log "info" "false" "Failed: command: 'apt-get install -y ${PACKAGE}' executed in: '${TARGET}'."
fi
done
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
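Review bot: The failure branch on L2659 logs at `info` level, so a package that did not install (possibly one that later hardening steps depend on) is indistinguishable from success when scanning the log; use `do_log "error" "true" "Failed: command: 'apt-get install -y ${PACKAGE}' executed in: '${TARGET}'."` there and decide explicitly whether the loop should continue or the module abort. `apt-get update` on L2652 is likewise unchecked and its output is discarded, so a broken mirror or an expired archive signing key surfaces only as per-package install failures further down. Whether `DEBIAN_FRONTEND=noninteractive` is exported for the chroot is not visible here; if it is not, an `apt-get install` prompt would hang the unattended installer, so confirm against `do_in_target`.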


@@ -0,0 +1,39 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.5. Functions - installation - setup sudo #
###########################################################################################
###########################################################################################
# Setup sudo user account
# Globals:
# MODULE_ERR
# MODULE_TXT
# accounts_user_login
# accounts_user_name
# Arguments:
# None
###########################################################################################
3_8_5_functions_installation_setup_sudo() {
declare -g -x MODULE_ERR="3_8_5_functions_installation_setup_sudo"
declare -g -x MODULE_TXT="Updating sudo"
do_show_header "${MODULE_TXT}"
if [[ ${accounts_user_login,,} == "true" ]]; then
do_in_target "${TARGET}" /bin/bash -c "apt-get install -y sudo && usermod -aG sudo ${accounts_user_name}"
do_log "info" "false" "Command: 'apt-get install -y sudo && usermod -aG sudo ${accounts_user_name}' executed in: '${TARGET}'."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
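Review bot: L2698 builds the chroot command as a string with `${accounts_user_name}` interpolated unquoted into `bash -c`, so a user name containing whitespace or shell metacharacters is word-split or interpreted inside the target; the value comes from the sourced accounts configuration, so its trust level should be confirmed, but passing the commands as argv removes the issue regardless: `do_in_target "${TARGET}" apt-get install -y sudo && do_in_target "${TARGET}" usermod -aG sudo "${accounts_user_name}"`. The success message on L2699 is logged whatever the exit status of that compound command is. `TARGET` is read on L2698 but missing from the Globals block on L2685–L2689.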


@@ -0,0 +1,91 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.6. Functions - installation - setup chrony #
###########################################################################################
###########################################################################################
# Setup chrony NTPSec client
# Globals:
# DIR_BAK
# MODULE_ERR
# MODULE_TXT
# NTPSRVR
# TARGET
# Arguments:
# None
###########################################################################################
3_8_6_functions_installation_setup_crony() {
declare -g -x MODULE_ERR="3_8_6_functions_installation_setup_chrony"
declare -g -x MODULE_TXT="Installing 'chrony client'"
do_show_header "${MODULE_TXT}"
# Create NTPSec Server file from Array 'NTPSRVR'
# shellcheck disable=SC2155
declare OUTPUT_FILE=$(mktemp /tmp/ntp_servers.XXXXXX)
declare NTPSERVER
for NTPSERVER in "${NTPSRVR[@]}"; do
echo "server ${NTPSERVER} iburst nts minpoll 5 maxpoll 9" >> "${OUTPUT_FILE}"
done
# do_remove_service "systemd-timesyncd.service" "systemd-timesyncd"
mkdir -p "${TARGET}"/var/log/chrony
do_in_target "${TARGET}" apt-get install chrony -y
do_log "info" "true" "Command: 'apt-get install chrony -y' executed in: '${TARGET}'."
if [ ! -e "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service" ]; then
ln -s "${TARGET}"/lib/systemd/system/chrony.service "${TARGET}"/etc/systemd/system/multi-user.target.wants/chrony.service
fi
mv "${TARGET}"/etc/chrony/chrony.conf "${DIR_BAK}"chrony.conf.bak
chmod 644 "${DIR_BAK}"chrony.conf.bak
touch "${TARGET}"/etc/chrony/chrony.conf
cat << EOF >> "${TARGET}"/etc/chrony/chrony.conf
# Include configuration files found in /etc/chrony/conf.d.
confdir /etc/chrony/conf.d
driftfile /var/lib/chrony/chrony.drift
keyfile /etc/chrony/chrony.keys
logdir /var/log/chrony
ntsdumpdir /var/lib/chrony
sourcedir /run/chrony-dhcp
sourcedir /etc/chrony/sources.d
log tracking measurements statistics
authselectmode require
leapsectz right/UTC
leapsecmode system
maxupdateskew 100.0
rtcsync
makestep 1 3
EOF
cat "${OUTPUT_FILE}" >> "${TARGET}"/etc/chrony/chrony.conf
chmod 644 /etc/chrony/chrony.conf
do_log "info" "false" "Chrony NTPsec client installed."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
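Review bot: L2772 runs `chmod 644 /etc/chrony/chrony.conf` on the installer host instead of `"${TARGET}"/etc/chrony/chrony.conf`, so the generated file in the target keeps whatever mode `touch` on L2753 produced under the current umask, and the host's file is modified as a side effect. The symlink on L2749 points at `"${TARGET}"/lib/systemd/system/chrony.service`, a path that only exists while the installer is running; once the target boots the link in `multi-user.target.wants` is dangling and chrony is not enabled — the link target should be `/lib/systemd/system/chrony.service` (or use `do_in_target "${TARGET}" systemctl enable chrony`). The function is named `3_8_6_functions_installation_setup_crony` on L2733 while `MODULE_ERR` on L2734 says `setup_chrony`; one of the two is a typo and any caller dispatching by the documented name will miss it. The `mktemp` file created on L2739 is never removed.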


@@ -0,0 +1,64 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.7. Functions - installation - updating files #
###########################################################################################
###########################################################################################
# Updating alias and banner files.
# Globals:
# MODULE_ERR
# MODULE_TXT
# PATH_ABS
# TARGET
# accounts_user_login
# accounts_user_name
# Arguments:
# None
###########################################################################################
3_8_7_functions_installation_setup_files() {
declare -g -x MODULE_ERR="3_8_7_functions_installation_setup_files"
declare -g -x MODULE_TXT="Updating banner files"
do_show_header "${MODULE_TXT}"
cp "${PATH_ABS}"/.assets/.alias "${TARGET}"/root/.alias
chown root:root "${TARGET}"/root/.alias
chmod 0600 "${TARGET}"/root/.alias
do_log "info" "false" "'${TARGET}/root/.alias' installed."
cp "${PATH_ABS}"/.assets/banner "${TARGET}"/etc/banner
chown root:root "${TARGET}"/etc/banner
chmod 0644 "${TARGET}"/etc/banner
do_log "info" "false" "'${TARGET}/etc/banner' installed."
cp "${PATH_ABS}"/.assets/.clean_logout "${TARGET}"/root/.clean_logout
chown root:root "${TARGET}"/root/.clean_logout
chmod 0600 "${TARGET}"/root/.clean_logout
do_log "info" "false" "'${TARGET}/root/.clean_logout' installed."
cp "${PATH_ABS}"/.assets/motd "${TARGET}"/etc/motd
chown root:root "${TARGET}"/etc/motd
chmod 0644 "${TARGET}"/etc/motd
do_log "info" "false" "'${TARGET}/etc/motd' installed."
cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/root/.bashrc
do_log "info" "false" "'${TARGET}/root/.bashrc' updated."
if [[ ${accounts_user_login,,} == "true" ]]; then
cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/home/"${accounts_user_name}"/.bashrc
do_log "info" "false" "'${TARGET}/home/${accounts_user_name}/.bashrc' updated."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
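Review bot: The `cat … >> …/.bashrc` appends on L2827 and L2830 are not idempotent, so re-running the module after a retry duplicates the snippet each time; guard each with a marker test such as `grep -qF -- '<MARKER_LINE_FROM_.bashrc_cat>' "${TARGET}"/root/.bashrc || cat "${PATH_ABS}"/.assets/.bashrc_cat >> "${TARGET}"/root/.bashrc`, using a line that is present in the asset. For the unprivileged user on L2830, `>>` creates `.bashrc` owned by the installer's root if the skeleton did not provide one, leaving a root-owned file in the user's home that the user cannot edit; a chown matching the pattern used on L2594 of the accounts module after the append avoids that. None of the `cp` calls on L2811–L2823 check their status, so a missing asset under `${PATH_ABS}/.assets` is still logged as installed.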


@@ -0,0 +1,42 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.8. Functions - installation - exiting chroot #
###########################################################################################
###########################################################################################
# Exiting chroot.
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# Arguments:
# None
###########################################################################################
3_8_8_functions_installation_exiting_chroot() {
declare -g -x MODULE_ERR="3_8_8_functions_installation_exiting_chroot"
declare -g -x MODULE_TXT="exiting chroot"
do_show_header "${MODULE_TXT}"
umount -lf "${TARGET}/proc"
do_log "info" "true" "'umount -lf ${TARGET}/proc'."
umount -lf "${TARGET}/sys"
do_log "info" "true" "'umount -lf ${TARGET}/sys'."
umount -lf "${TARGET}/dev"
do_log "info" "true" "'umount -lf ${TARGET}/dev'."
umount -lf "${TARGET}/run"
do_log "info" "true" "'umount -lf ${TARGET}/run'."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
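Review bot: The four `umount -lf` calls on L2867–L2873 are unchecked, and each following `do_log` at `info` level reports the command as executed whether or not it succeeded; with `-l` a busy mount is only detached lazily and `-f` masks errors, so subsequent steps may operate on a still-mounted `${TARGET}` tree without any trace in the log. Capture the status for each, e.g. `umount -lf "${TARGET}/proc" || do_log "error" "true" "Failed: 'umount -lf ${TARGET}/proc'."`. Unmounting in reverse mount order (`/run`, `/dev`, `/sys`, `/proc`) would also mirror the sequence used in 3_9_0 and release nested binds first.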


@@ -0,0 +1,50 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.9. Functions - installation - wrapper recovery #
###########################################################################################
###########################################################################################
# Wrapper to check if recovery partition is selected and if so, proceed with setup of recovery OS.
# Globals:
# MAP_MOUNTPATH_DEV
# MODULE_ERR
# MODULE_TXT
# Arguments:
# None
###########################################################################################
3_8_9_functions_installation_wrapper_recovery() {
declare -g -x MODULE_ERR="3_8_9_functions_installation_wrapper_recovery"
declare -g -x MODULE_TXT="Wrapper recovery partition"
do_show_header "${MODULE_TXT}"
declare FOUND="false"
declare MOUNT_PATH=""
declare HASHMAP_VALUE=""
for MOUNT_PATH in "${!MAP_MOUNTPATH_DEV[@]}"; do
HASHMAP_VALUE="${MAP_MOUNTPATH_DEV[${MOUNT_PATH}]}"
if [[ ${HASHMAP_VALUE} == "/dev/mapper/crypt_rescue" ]]; then
FOUND="true"
break
fi
done
if [[ ${FOUND} == true ]]; then
3_9_0_functions_installation_setup_recovery
3_9_1_functions_installation_generate_files_recovery
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
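Review bot: The mapper name `/dev/mapper/crypt_rescue` is hard-coded on L2914, and the same label appears again as `crypt_rescue` in 3_9_1 (L3055) and as the mount source in 3_9_0 (L2962); if the recipe's `encryption_label` for the rescue partition is ever renamed, this wrapper silently skips recovery setup while the other two modules fail. A single `readonly` constant for the rescue label, or a lookup via `MAP_PATH_CRYPT` as 3_9_1 already does, would keep the three in step. Since `MOUNT_PATH` is only used as a loop key, the search on L2912–L2918 could iterate the values `"${MAP_MOUNTPATH_DEV[@]}"` directly and drop `HASHMAP_VALUE`.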


@@ -0,0 +1,90 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.9.0. Functions - installation - setup recovery #
###########################################################################################
###########################################################################################
# Mounting '/dev/mapper/crypt_rescue', debootstrap recovery partition, preparing chroot.
# Globals:
# ERR_CHROOT_MOUNTS
# ERR_DE_BOOT_STRAP
# MODULE_ERR
# MODULE_TXT
# RECOVERY
# TARGET
# Arguments:
# None
###########################################################################################
3_9_0_functions_installation_setup_recovery() {
declare -g -x MODULE_ERR="3_9_0_functions_installation_setup_recovery"
declare -g -x MODULE_TXT="Setup recovery partition"
do_show_header "${MODULE_TXT}"
# The '/dev/mapper/crypt_rescue' partition is not mounted by the installation script by default,
# as it is not required to be automatically mounted by the production system via '/etc/crypttab' and '/etc/fstab'.
mount /dev/mapper/crypt_rescue "${RECOVERY}"
# Debootstrap for a minimalistic Debian OS.
if debootstrap --arch amd64 bookworm "${RECOVERY}" https://deb.debian.org/debian; then
do_log "info" "false" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' successful."
else
do_log "emergency" "false" "Executing 'debootstrap --arch amd64 bookworm '${RECOVERY}' https://deb.debian.org/debian' NOT successful."
exit "${ERR_DE_BOOT_STRAP}"
fi
### Reminder ###
# --rbind: recursive binding.
# --make-rslave: In this case, the mount point is marked as 'slave'.
# This means changes to the source mount (e.g., /proc) are propagated to the target mount (e.g., "${TARGET}"/proc).
# Conversely, changes to the target mount are not propagated back to the source mount.
# This mode is necessary to avoid problems with double or erroneous propagation effects in chroot or container environments.
# Prepare the freshly installed Debian OS recovery system for further setup.
if mount --make-rslave --rbind /proc "${RECOVERY}"/proc; then
do_log "info" "true" "'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /proc ${RECOVERY}/proc'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /sys "${RECOVERY}"/sys; then
do_log "info" "true" "'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /sys ${RECOVERY}/sys'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /dev "${RECOVERY}"/dev; then
do_log "info" "true" "'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /dev ${RECOVERY}/dev'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if mount --make-rslave --rbind /run "${RECOVERY}"/run; then
do_log "info" "true" "'mount --make-rslave --rbind /run ${RECOVERY}/run'."
else
do_log "emergency" "true" "Failed: 'mount --make-rslave --rbind /run ${RECOVERY}/run'."
exit "${ERR_CHROOT_MOUNTS}"
fi
if do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "info" "true" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
else
do_log "emergency" "true" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
fi
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
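Review bot: L3001 runs `mkdir -p /etc/systemd/system/multi-user.target.wants` via `do_in_target "${TARGET}"`, but this module prepares the recovery chroot and the log on L3002 claims the command executed in `${RECOVERY}`; the directory is created in the production target, not the recovery system, so the call should read `do_in_target "${RECOVERY}" mkdir -p /etc/systemd/system/multi-user.target.wants`. The failure branch on L3004 logs `emergency` but, unlike the four mount branches above it, does not `exit`, so the function returns success after a failed step. The `mount /dev/mapper/crypt_rescue "${RECOVERY}"` on L2962 is unchecked; if it fails, `debootstrap` on L2964 installs into the directory on the parent filesystem instead of the encrypted rescue partition, and the success log on L2965 would not reveal it — guard it with `mount /dev/mapper/crypt_rescue "${RECOVERY}" || { do_log "emergency" "true" "Failed: 'mount /dev/mapper/crypt_rescue ${RECOVERY}'."; exit "${ERR_CHROOT_MOUNTS}"; }` (or a dedicated error code if one exists).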


@@ -0,0 +1,401 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.9.1. Functions - installation - generate files recovery #
###########################################################################################
###########################################################################################
# Generates '${RECOVERY}/etc/crypttab' and '${RECOVERY}/etc/fstab' files for recovery partition.
# Globals:
# tba
# Arguments:
# None
###########################################################################################
3_9_1_functions_installation_generate_files_recovery() {
declare -g -x MODULE_ERR="3_9_1_functions_installation_generate_files_recovery"
declare -g -x MODULE_TXT="Generate 'fstab' and 'crypttab' for recovery partition"
do_show_header "${MODULE_TXT}"
### BLOCK '${RECOVERY}/etc/crypttab'
# Generate '${RECOVERY}/etc/crypttab'
touch "${RECOVERY}"/etc/crypttab
chmod 0644 "${RECOVERY}"/etc/crypttab
# Generate '${RECOVERY}/etc/crypttab' header
# shellcheck disable=SC2129
cat << EOF >> "${RECOVERY}"/etc/crypttab
# <name> <device> <password-file-or-none> <options>
EOF
### Reminder ###
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# Extract the key from HashMap MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
declare KEY=""
declare VAR=""
for VAR in "${!MAP_PATH_CRYPT[@]}"; do
if [[ ${MAP_PATH_CRYPT[$VAR]} == "crypt_rescue" ]]; then
KEY="${VAR}"
break
fi
done
declare ENCRYPTION_LABEL
ENCRYPTION_LABEL="${MAP_PATH_CRYPT["${KEY}"]}"
# shellcheck disable=2129
echo "# ${KEY} was on /dev/mapper/${MAP_PATH_CRYPT["${KEY}"]} during installation" >> "${RECOVERY}"/etc/crypttab
echo "${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "false" "crypttab entry generated: '${MAP_PATH_CRYPT["${KEY}"]} UUID=${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]} none luks,discard'."
# TODO: Update loop to iterate thru dynamic number of ephemeral drives.
# Generate '${RECOVERY}/etc/crypttab' special ephemeral entries.
declare -a EPHEMERAL_MOUNT_PATH=("SWAP" "/tmp")
declare KEY=""
# MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
# MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
for KEY in "${EPHEMERAL_MOUNT_PATH[@]}"; do
if [[ ${KEY} == "SWAP" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "false" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=SWAP /dev/random swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096'."
elif [[ ${KEY} == "/tmp" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_EPHEMERAL_DEV[${KEY}]} during installation" >> "${RECOVERY}"/etc/crypttab
# TODO: Change static 'LABEL=' to dynamic extraction of partitioning.yaml 'recipe_..._filesystem_label' recipe string.
echo "${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4" >> "${RECOVERY}"/etc/crypttab
echo "" >> "${RECOVERY}"/etc/crypttab
do_log "info" "false" "'${RECOVERY}/etc/crypttab' entry generated: '${MAP_EPHEMERAL_ENCLABEL[${KEY}]} LABEL=ext4_tmp /dev/random offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4'."
else
do_log "info" "true" "${RECOVERY}/etc/crypttab (This message should never get printed.)"
fi
done
### BLOCK '${RECOVERY}/etc/fstab'
# Generate '${RECOVERY}/etc/fstab'
touch "${RECOVERY}"/etc/fstab
chmod 0644 "${RECOVERY}"/etc/fstab
# Generate '${RECOVERY}/etc/fstab' header
# shellcheck disable=SC2129
cat << EOF >> "${RECOVERY}"/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
EOF
### Reminder ###
# MAP_MOUNTPATH_DEV["${MOUNT_PATH}"]="/dev/mapper/${ENCRYPTION_LABEL}"
# MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
# MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
# TODO: BEGIN: BLOCK "${RECOVERY}"/etc/fstab
# TODO: complete this block
# Generate '${TARGET}/etc/fstab' special entries '/' '/boot' '/boot/efi'.
# Define the order of the special keys.
declare -a KEY_ORDER
KEY_ORDER=("/RECOVERY")
declare DEVICE_PATH
declare DEVICE_UUID
declare ENCRYPTION_LABEL
declare KEY
declare MATCHING_VAR
declare TRANSFORMED_STRING
for KEY in "${KEY_ORDER[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of the sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
if [[ ${KEY} == "/" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 1'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_MOUNTPATH_DEV[${KEY}]} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 1'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot" ]]; then
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
elif [[ ${KEY} == "/boot/efi" ]]; then
if [[ ${FILESYSTEM_VERSION} == "fat32" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} vfat umask=0077 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
else
do_log "error" "false" "fstab entry - no valid '${KEY}' for '/', '/boot', '/boot/efi' found."
fi
done
# Generate '${TARGET}/etc/fstab' remaining entries
for KEY in "${!MAP_MOUNTPATH_DEV[@]}"; do
# Initialize variables
DEVICE_PATH="${MAP_MOUNTPATH_DEV[${KEY}]}"
DEVICE_UUID=$(blkid -s UUID -o value "${DEVICE_PATH}")
# if KEY:VALUE equals "/dev/${DEV}${PARTITION}"
if [[ ${DEVICE_PATH} =~ ^/dev/[a-zA-Z]+[0-9]+$ ]]; then
TRANSFORMED_STRING=$(echo "${DEVICE_PATH}" | sed 's|/dev/|dev_|; s|\([a-zA-Z]\)\([0-9]\)|\1_\2|')
# if KEY:VALUE equals "/dev/mapper/${ENCRYPTION_LABEL}"
elif [[ ${DEVICE_PATH} =~ ^/dev/mapper/ ]]; then
# Extract ENCRYPTION_LABEL
ENCRYPTION_LABEL="${DEVICE_PATH#/dev/mapper/}"
# Search matching variable of the sourced "${PRESEED}" variable file
MATCHING_VAR=$(declare -p | grep -oP "recipe_[^ ]+_encryption_label=${ENCRYPTION_LABEL}")
if [[ -n ${MATCHING_VAR} ]]; then
# Extract third, fourth and fifth part of the respective variable
TRANSFORMED_STRING=$(echo "${MATCHING_VAR}" | sed -E 's|recipe_[^_]+_(dev_[^_]+_[^_]+)_.*|\1|')
else
do_log "error" "false" "No matching variable found for ENCRYPTION_LABEL='${ENCRYPTION_LABEL}'."
exit "${ERR_NO_ENCR_LABEL}"
fi
else
do_log "error" "false" "Unknown DEVICE_PATH-Format: '${DEVICE_PATH}'."
exit "${ERR_NO_DEVIC_PATH}"
fi
declare BTRFS_COMPR_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_compress"
declare BTRFS_LEVEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_btrfs_level"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_label"
declare FILESYSTEM_VERSION_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_filesystem_version"
declare MOUNT_OPTIONS_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_options"
declare MOUNT_SUBVOLUME_VAR="recipe_${RECIPE_STRING}_${TRANSFORMED_STRING}_mount_subvolume"
declare BTRFS_COMPR=${!BTRFS_COMPR_VAR}
declare BTRFS_LEVEL=${!BTRFS_LEVEL_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare FILESYSTEM_VERSION=${!FILESYSTEM_VERSION_VAR}
declare MOUNT_OPTIONS=${!MOUNT_OPTIONS_VAR}
declare MOUNT_SUBVOLUME=${!MOUNT_SUBVOLUME_VAR}
# Skip already mounted paths ("/", "/boot", "/boot/efi")
if [[ " ${KEY_ORDER[*]} " == *" ${KEY} "* ]]; then
continue
fi
if [[ ${FILESYSTEM_VERSION} == "btrfs" ]]; then
declare BTRFS_OPTIONS="compress=${BTRFS_COMPR}:${BTRFS_LEVEL}"
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS},${BTRFS_OPTIONS},subvol=${MOUNT_SUBVOLUME} 0 2'."
elif [[ ${FILESYSTEM_VERSION} == "ext4" ]]; then
# shellcheck disable=2129
echo "# ${KEY} was on ${MAP_MOUNTPATH_DEV[${KEY}]} during installation" >> "${TARGET}"/etc/fstab
echo "# ${KEY} was on ${DEVICE_UUID} during installation" >> "${TARGET}"/etc/fstab
echo "UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'UUID=${DEVICE_UUID} ${KEY} ${FILESYSTEM_VERSION} ${MOUNT_OPTIONS} 0 2'."
else
do_log "error" "false" "fstab entry - no valid filesystem: '${FILESYSTEM_VERSION}' found for '${KEY}'."
fi
done
# TODO: flexible entries for more than one CD-ROM drives.
# Add entry for CD-ROM device
# shellcheck disable=2129
echo "# /media/cdrom0 was on /dev/sr0 during installation" >> "${TARGET}"/etc/fstab
echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
# Add entry for proc and tmpfs device
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0" >> "${TARGET}"/etc/fstab
echo "tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: 'proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0'."
do_log "info" "false" "fstab entry generated: 'tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,relatime,size=1G 0 0'."
# TODO: flexible 'SWAP' entry, not only ephemeral SWAP.
# Add entry for SWAP device
declare MOUNT_PATH="SWAP"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} none swap defaults 0 0'."
# TODO: flexible '/tmp' entry, not only ephemeral SWAP.
# Add entry for '/tmp' device
declare MOUNT_PATH="/tmp"
# shellcheck disable=2129
echo "##### Added by CISS.2025.debian.installer" >> "${TARGET}"/etc/fstab
echo "${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0" >> "${TARGET}"/etc/fstab
echo "" >> "${TARGET}"/etc/fstab
do_log "info" "false" "fstab entry generated: '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]} /tmp ext4 defaults,rw,nodev,nosuid,relatime 0 0'."
# TODO: END: BLOCK "${RECOVERY}"/etc/fstab
# TODO: complete this block
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: