V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -25,6 +25,7 @@ guard_sourcing
 #   VAR_DROPBEAR
 #   VAR_GRUB_PASSWORD
 #   VAR_LUKS_BACKUP
+#   VAR_LUKS_PGP
 #   VAR_LUKS_URL
 #   VAR_NEED_RUN_IN_TARGET
 #   VAR_NUKE
@@ -57,7 +58,7 @@ guard_sourcing
 #   None
 # Returns:
 #   0: on success
-#   ERR_NO_VALID_RECIPE
+#   ERR_NO_VALID_RECIPE: on failure
 #######################################
 yaml_reader() {
   ### Declare Arrays, HashMaps, and Variables.
@@ -67,12 +68,12 @@ yaml_reader() {
               VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
               VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
               VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
-              VAR_LUKS_URL=""
+              VAR_LUKS_URL="" VAR_LUKS_PGP=""
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
               recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
-              recipe_luks_var="" recipe_luks_url=""
+              recipe_luks_var="" recipe_luks_url="" recipe_luks_pgp=""
 
   ### Read "${var_if}" line by line.
   while IFS= read -r var_line; do
@@ -209,12 +210,17 @@ END { print max }
   VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
 
   ### Extract the chosen LUKS Backup strategy.
-  recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
-  # shellcheck disable=SC2034
-  VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
-  recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
-  # shellcheck disable=SC2034
-  VAR_LUKS_URL="${!recipe_luks_url,,}"
+    recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
+    # shellcheck disable=SC2034
+    VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
+
+    recipe_luks_pgp="recipe_${VAR_RECIPE_STRING}_control_luks_backup_pgp"
+    # shellcheck disable=SC2034
+    VAR_LUKS_PGP="${!recipe_luks_url,,}"
+
+    recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
+    # shellcheck disable=SC2034
+    VAR_LUKS_URL="${!recipe_luks_url,,}"
 
   ### Extract the chosen Nuke mechanism.
   recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"

func/cdi_3200_partitioning/3220_partition_encryption.sh

@@ -174,20 +174,50 @@ partition_encryption() {
 
     fi
 
+    ### Opening the encrypted container.
+    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
+      cryptsetup luksOpen "/dev/${var_dev}" \
+        --key-file="${DIR_CNF}/password_luks_boot.txt" \
+        "${var_encryption_label}"
+    else
+      cryptsetup luksOpen "/dev/${var_dev}" \
+        --key-file="${DIR_CNF}/password_luks_common.txt" \
+        "${var_encryption_label}"
+    fi
+    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
+
+    ### Create luksDump log entry.
+    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log"
+
+    ### Store UUID of the LUKS container.
+    var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
+
+    [[ "${var_encryption_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
+    [[ "${var_encryption_path}" == "/boot" ]] && declare -grx VAR_CRYPT_BOOT="${var_uuid}"
+    [[ "${var_encryption_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
+
+    HMP_PATH_LUKSUUID["${var_encryption_path}"]="${var_uuid}"
+    HMP_PATH_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
+
+    do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
+    do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
+
+    ### Backup the LUKS Header.
     if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
 
-      case "${user_root_specific}" in
-
-        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
-        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
-        *)       do_log "error" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
-
-      esac
-
       var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
       var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak.pgp"
       var_luks_backup_pgp="${DIR_BAK}/luks_header_${var_dev}.bak.pgp"
 
+      case "${VAR_LUKS_PGP}" in
+
+        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
+        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
+        none)    do_log "error" "file_only" "3220() No PGP public key for LUKS Header encryption provided."; continue ;;
+        *)       do_log "fatal" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
+
+      esac
+
       if cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"; then
 
         do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
@@ -207,11 +237,11 @@ partition_encryption() {
 
         if command -v shred >/dev/null 2>&1; then
 
-          shred -u -- "${var_luks_backup_file}" || rm -f -- "${var_luks_backup_file}"
+          shred -vfzu -n 5 "${var_luks_backup_file}" || rm -f "${var_luks_backup_file}"
 
         else
 
-          rm -f -- "${var_luks_backup_file}"
+          rm -f "${var_luks_backup_file}"
 
         fi
 
@@ -245,34 +275,6 @@ partition_encryption() {
 
     fi
 
-    ### Opening the encrypted container.
-    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
-      cryptsetup luksOpen "/dev/${var_dev}" \
-        --key-file="${DIR_CNF}/password_luks_boot.txt" \
-        "${var_encryption_label}"
-    else
-      cryptsetup luksOpen "/dev/${var_dev}" \
-        --key-file="${DIR_CNF}/password_luks_common.txt" \
-        "${var_encryption_label}"
-    fi
-    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
-
-    ### Create luksDump log entry.
-    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log"
-
-    ### Store UUID of the LUKS container.
-    var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
-
-    [[ "${var_encryption_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
-    [[ "${var_encryption_path}" == "/boot" ]] && declare -grx VAR_CRYPT_BOOT="${var_uuid}"
-    [[ "${var_encryption_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
-
-    HMP_PATH_LUKSUUID["${var_encryption_path}"]="${var_uuid}"
-    HMP_PATH_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
-
-    do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
-    do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
-
   done
 
   [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH

func/cdi_4400_hardening/4470_hardening_ufw.sh

@@ -82,11 +82,11 @@ hardening_ufw() {
   sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
   sed -i "/^# BEGIN custom MLD OUTPUT rules/,/^# END custom MLD OUTPUT rules/d" "${var_rules}"
 
-  ### Inbound MLD (INPUT chain) – insert before the existing echo-request rule.
+  ### Inbound MLD (INPUT chain), insert before the existing echo-request rule.
   ### Allows MLDv1 (130/131/132) and MLDv2 (143) to link-local multicast (ff02::/16)
   sed -i "/-A ufw6-before-input .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD rules\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 130 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 132 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD rules" "${var_rules}"
 
-  ### Outbound MLD (OUTPUT chain) – insert before echo-request.
+  ### Outbound MLD (OUTPUT chain), insert before echo-request.
   ### Useful if local daemons join multicast groups, and you want clean logs.
   sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
 

func/cdi_4500_user/4520_accounts_setup.sh

@@ -1308,7 +1308,7 @@ session    required    pam_env.so readenv=1 envfile=/etc/default/locale
 # If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
 auth  [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
 
-# Listed users: show a clear hint and then require GA. No 'nullok': missing secret → fail.
+# Listed users: show a clear hint and then require GA. No 'nullok': missing secret -> fail.
 auth  required                    pam_echo.so file=/etc/ciss/login_totp.prompt
 auth  required                    pam_google_authenticator.so