V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -125,8 +125,16 @@ dropbear:
 
 ################################################################################################################################
 # Grub Bootparameter
+# https://docs.kernel.org/admin-guide/kernel-parameters.html
 ################################################################################################################################
 grub_parameter:
+  ##############################################################################################################################
+  # [ USB ] Default USB device authorization:
+  # default -1 = authorized (same as 1)
+  # 0 = not authorized, 1 = authorized, 2 = authorized if a device connected to an internal port.
+  ##############################################################################################################################
+  - usbcore.authorized_default=0
+
   ##############################################################################################################################
   # Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go
   # undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
@@ -644,6 +652,11 @@ software:
   # chrony
   #
   ##############################################################################################################################
+  ### Installed by 4160_installation_lynis.sh
+  ##############################################################################################################################
+  # lynis
+  #
+  ##############################################################################################################################
   ### Installed by 4220_installation_cryptsetup.sh
   ##############################################################################################################################
   # cryptsetup
@@ -848,7 +861,7 @@ user:
       access:
         ssh: true              # Allow SSH access.
         tty: true              # Allow TTY (local console) login.
-      password: false          # Allow password login. SSH password login is always disabled.
+      password: true           # Allow password login. SSH password login is always disabled.
       2fa:
         ssh: true              # Require 2FA for SSH access.
         tty: true              # Require 2FA for TTY (local console) login.
@@ -869,9 +882,9 @@ user:
     fullname: "ansible"        # The full name of the user account holder.
     uid: 137                   # Ensures that the same user has the same UID on all systems.
     gid: 137                   # Ensures that the same user has the same GID on all systems.
-    shell: /usr/sbin/nologin   # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
+    shell: /bin/bash           # Login shell (e.g., '/bin/bash', '/bin/zsh'); use '/usr/sbin/nologin' for non-interactive users.
-    password: ""               # No password set for ansible user
+    password: ""               # No password set for ansible user.
-    sshpubkey: ""
+    sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
     authentication:
       access:
         ssh: true              # Allow SSH access.
@@ -881,10 +894,10 @@ user:
         ssh: false             # Require 2FA for SSH access.
         tty: false             # Require 2FA for TTY (local console) login.
     privileges:
-      description: "Automation user without interactive shell and no sudo."
+      description: "Ansible automation user with sudo, key-only SSH, no TTY."
       sudo: true               # Whether the user can escalate to root using sudo.
       system: true             # Whether this is a low-UID system user (e.g., for automation).
       restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
-      shell: false             # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
+      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

ciss_debian_installer.sh

@@ -274,6 +274,8 @@ info_echo "4145_installation_firmware.sh"
 installation_firmware
 info_echo "4150_installation_chrony.sh"
 installation_chrony
+info_echo "4160_installation_lynis.sh"
+installation_lynis
 
 ### CDI_4200
 info_echo "4200_generate_fstab.sh"
@@ -330,6 +332,8 @@ info_echo "4460_hardening_openssl.sh"
 hardening_openssl
 info_echo "4470_hardening_ufw.sh"
 hardening_ufw
+info_echo "4480_hardening_usb.sh"
+hardening_usb
 
 ### CDI_4500
 info_echo "4500_accounts_preparation.sh"

func/cdi_4100_base/4160_installation_lynis.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Install Cisofy Lynis.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_lynis() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4160_installation_lynis.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  # shellcheck disable=SC2312
+  curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | \
+    gpg --dearmor -o  "${TARGET}/etc/apt/trusted.gpg.d/cisofy-software-public.gpg"
+
+  deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main
+
+  insert_header   "${TARGET}/etc/apt/sources.list.d/cisofy-lynis.sources"
+  insert_comments "${TARGET}/etc/apt/sources.list.d/cisofy-lynis.sources"
+  cat << 'EOF' >> "${TARGET}/etc/apt/sources.list.d/cisofy-lynis.sources"
+#------------------------------------------------------------------------------------------------------------------------------#
+#                                                     OFFICIAL CISOFY REPOS                                                    #
+#------------------------------------------------------------------------------------------------------------------------------#
+Types: deb
+URIs: https://packages.cisofy.com/community/lynis/deb/
+Suites: stable
+Components: main
+Enabled: yes
+Signed-By: /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get update
+    apt-get install -y --no-install-recommends --no-install-suggests lynis 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4480_hardening_usb.sh

@@ -16,8 +16,6 @@ guard_sourcing
 # Hardening 'usb-guard'.
 # Globals:
 #   TARGET
-#   VAR_SSH_PORT
-#   VAR_UFW_OUT
 # Arguments:
 #   None
 # Returns:
@@ -29,6 +27,30 @@ hardening_usb() {
 
   chroot_logger "${TARGET}${var_logfile}"
 
+  ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests usb-guard 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+
+    touch /tmp/rules.conf
+    usbguard generate-policy >| /tmp/rules.conf
+
+    if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
+      mkdir -p /root/.ciss/cdi/backup/etc/usbguard
+      mv /etc/usbguard/rules.conf /root/.ciss/cdi/backup/etc/usbguard/usbguard_rules.conf
+      mv /tmp/rules.conf /etc/usbguard/rules.conf
+      chmod 0600 /etc/usbguard/rules.conf
+    else
+      rm -f /etc/usbguard/rules.conf
+      mv /tmp/rules.conf /etc/usbguard/rules.conf
+      chmod 0600 /etc/usbguard/rules.conf
+    fi
+
+    cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdi/backup/etc/usbguard/usbguard-daemon.conf
+    sed -i 's/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/' /etc/usbguard/usbguard-daemon.conf
+  "
+
   guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -62,6 +62,7 @@ source_guard "./func/cdi_4100_base/4133_installation_masking.sh"
 source_guard "./func/cdi_4100_base/4140_installation_microcode.sh"
 source_guard "./func/cdi_4100_base/4145_installation_firmware.sh"
 source_guard "./func/cdi_4100_base/4150_installation_chrony.sh"
+source_guard "./func/cdi_4100_base/4160_installation_lynis.sh"
 
 ### cdi_4200_boot
 source_guard "./func/cdi_4200_boot/4200_generate_fstab.sh"
@@ -91,6 +92,7 @@ source_guard "./func/cdi_4400_hardening/4440_hardening_haveged.sh"
 source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
 source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"
 source_guard "./func/cdi_4400_hardening/4470_hardening_ufw.sh"
+source_guard "./func/cdi_4400_hardening/4480_hardening_usb.sh"
 
 ### cdi_4500_user
 source_guard "./func/cdi_4500_user/4500_accounts_preparation.sh"