V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

ciss_debian_installer.sh

@@ -128,7 +128,6 @@ clear
 declare -grx VAR_DIALOG=$(mktemp var_dialog.XXXXXXXX)
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: ALL CHECKS DONE. READY TO START THE SCRIPT ..."
 declare -grx VAR_SETUP="true"
-umask 0022
 
 ### SOURCING FUNCTIONS, LIBRARIES, VARIABLES.
 if [[ "${VAR_SETUP}" == "true" ]]; then

func/cdi_4400_hardening/4450_hardening_haveged.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+###########################################################################################
+# Hardening haveged.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+###########################################################################################
+hardening_haveged() {
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/sysctl.d/99_local.hardened

@@ -9,8 +9,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.864.2025.07.15
-
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
 ### https://kspp.github.io/

var/bash.var.sh

@@ -17,8 +17,23 @@ set -o errexit   # Exit script when a command exits with non-zero status, the sa
 set -o errtrace          # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
 set -o functrace         # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
 set -o ignoreeof         # An interactive shell will not exit upon reading EOF.
+set -o noclobber         # Prevent overwriting, the same as "set -C".
 set -o nounset           # Exit script on use of an undefined variable, the same as "set -u".
 set -o pipefail          # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
+
+shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
+shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option, instead of unsetting it in the
+                         # subshell environment. This option is enabled when POSIX mode is enabled.
+shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
+                         # the background in the current shell environment.
+shopt -u expand_aliases  # If set, aliases are expanded as described below under Aliases, Aliases. This option is enabled by
+                         # default for interactive shells.
+shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
+shopt -u extglob         # If set, enable the extended pattern matching features.
+shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
+
+declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+declare -gx IFS=$' \t\n'
+umask 0022
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh