Merge remote-tracking branch 'origin/master'

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -96,15 +96,15 @@ firmware:
   lookup: "missing"            # - "never"   Completely disables the firmware search.
                                # - "missing" Searches only when the firmware is needed. (default)
                                # - "always"  Always searches and asks for any firmware that could be useful for the hardware.
-image: "linux-image-6.12.41+deb13-amd64"
+image: "linux-image-6.16.3+deb13-amd64"
                                # Could be a meta-package or a specific image like:
                                # "linux-image-amd64" || "linux-image-arm64"
                                # "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
                                # "linux-image-rt-amd64" || "linux-image-rt-arm64"
-                               # "linux-image-6.12.30+bpo-amd64"
-                               # "linux-image-6.12.38+deb13-amd64"
+                               # "linux-image-6.16.3+deb13-amd64"
 needrun: false                 # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target.
 provider: "netcup"             # MUST be one of "contabo", "hetzner", "netcup" or leave empty.
+security_ext: "selinux"        # MUST be one of "apparmor" or "selinux".
 
 ################################################################################################################################
 # Dropbear settings
@@ -133,7 +133,7 @@ grub_parameter:
   # default -1 = authorized (same as 1)
   # 0 = not authorized, 1 = authorized, 2 = authorized if a device connected to an internal port.
   ##############################################################################################################################
-  - usbcore.authorized_default=0
+  - "usbcore.authorized_default=0"
 
   ##############################################################################################################################
   # Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go
@@ -691,11 +691,13 @@ software:
   # ssh
   #
   ##############################################################################################################################
+  ### Installed by 4480_hardening_usb.sh
+  ##############################################################################################################################
+  # usbguard
+  #
+  ##############################################################################################################################
   ### Installed by 4490_hardening_virus.sh
   ##############################################################################################################################
-  # chkrootkit
-  # clamav
-  # clamav-daemon
   # rkhunter
   #
   ##############################################################################################################################
@@ -714,69 +716,74 @@ software:
   # wngerman
   #
   ##############################################################################################################################
-  # core software
+  # Installed by 4600_installation_packages.sh
   ##############################################################################################################################
-  - apt-utils
   - bat
-  - debconf
-  - debconf-utils
-  - dialog
-  - knot-dnssecutils
-  - knot-dnsutils
-  - locate
-  - rsyslog
-  - screen
-  - spectre-meltdown-checker
-  - sysstat
-  ##############################################################################################################################
-  # documentation
-  ##############################################################################################################################
-  - debian-kernel-handbook
-  - linux-doc-6.12
-  - man-db
-  ##############################################################################################################################
-  # encryption
-  ##############################################################################################################################
-  - pollinate
-  ##############################################################################################################################
-  # files
-  ##############################################################################################################################
-  - rsnapshot
-  - rsync
-  - zip
-  ##############################################################################################################################
-  # network
-  ##############################################################################################################################
+  - borgbackup
+  - borgbackup-doc
   - dhcpdump
   - dhcping
+  - dialog
+  - expect
+  - htop
   - iftop
+  - locate
+  - man-db
+  - manpages
+  - manpages-dev
+  - mdadm
   - mtr
   - ncat
-  - net-tools
-  - nmap
-  - tshark
+  - rsnapshot
+  - rsync
+  - sysstat
+  - unzip
+  - zip
   ##############################################################################################################################
-  # partitioning
+  # diagnostics
   ##############################################################################################################################
-  - mdadm
+  #- knot-dnssecutils
+  #- knot-dnsutils
+  #- nmap
+  #- spectre-meltdown-checker
+  #- tshark
   ##############################################################################################################################
   # sw dev
   ##############################################################################################################################
+  #- apt-utils
   #- build-essential
   #- clang
+  #- debconf
+  #- debconf-utils
   #- debootstrap
   #- linux-source
   #- lld
   #- shellcheck
   #- ssl-cert
   ##############################################################################################################################
-  # tools
+  # Installed by 4610_installation_security.sh
   ##############################################################################################################################
-  - expect
-  - figlet
-  - htop
-  - keychain
-  - virt-what
+  # apparmor
+  # apparmor-profiles
+  # apparmor-profiles-extra
+  # apparmor-utils
+  # selinux-basics
+  # selinux-policy-default
+  # selinux-utils
+  # setools
+  # semodule-utils
+  # sepol-utils
+  # policycoreutils
+  # policycoreutils-python-utils
+  # checkpolicy
+  # python3-setools
+  ##############################################################################################################################
+  # Installed by 4620_installation_verification.sh
+  ##############################################################################################################################
+  # aide
+  # aide-common
+  # audit
+  # debsums
 
 ################################################################################################################################
 # Time settings

ciss_debian_installer.sh

@@ -12,12 +12,10 @@
 
 ### Contributions so far see ./docs/CREDITS.md
 
-# TODO: Implement this function 4215_check_crypttab.sh
 # TODO: Update .dot files.
 # TODO: Update README.md for each lib and func dir.
 # TODO: Update MANPAGE.md for each func.
 # TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
-# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
 # TODO: Hardening Scripts Integration
 # TODO: Recovery Partition Integration
 # TODO: Grub Boot Menu Update for Recovery Integration
@@ -333,6 +331,8 @@ info_echo "4470_hardening_ufw.sh"
 hardening_ufw
 info_echo "4480_hardening_usb.sh"
 hardening_usb
+info_echo "4490_hardening_virus.sh"
+hardening_virus
 
 ### CDI_4500
 info_echo "4500_accounts_preparation.sh"
@@ -343,7 +343,12 @@ info_echo "4520_accounts_setup.sh"
 accounts_setup
 
 ### CDI_4600
-#info_echo "4205_check_fstab.sh"
+info_echo "4600_installation_packages.sh"
+installation_packages
+info_echo "4610_installation_security.sh"
+installation_security
+info_echo "4620_installation_verification.sh"
+install_verification
 
 #info_echo "4610_finalize_system.sh"
 

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -43,7 +43,7 @@ yaml_reader() {
   declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
               VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
               VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
-              VAR_CHROOT_DEBUG="false"
+              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true"
   ### Declare and substitute input files.
   declare -r  var_if="${VAR_PRESEED}"
   declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
@@ -143,6 +143,10 @@ END { print max }
   # shellcheck disable=SC2034
   VAR_DEB822="${apt_default_deb822,,}"
 
+  ### Extract Upgrade Policy.
+  # shellcheck disable=SC2034
+  VAR_APT_FULL_UPGRADE="${apt_full_upgrade,,}"
+
   ### Extract architecture.
   # shellcheck disable=SC2034
   VAR_ARCHITECTURE="${architecture,,}"
@@ -220,6 +224,10 @@ END { print max }
   # shellcheck disable=SC2034
   VAR_RECOVERY="${!recipe_recovery_var,,}"
 
+  ### Extract security extensions.
+  # shellcheck disable=SC2034
+  VAR_SEC_FW="${security_ext,,}"
+
   ### Extract ufw outgoing policy.
   # shellcheck disable=SC2034
   VAR_UFW_OUT="${security_ufw_out,,}"

func/cdi_4100_base/4105_generate_sources_822.sh

@@ -79,9 +79,9 @@ generate_sources822() {
 
 
   ### Main Repository
-  insert_header  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  insert_header   "${TARGET}/etc/apt/sources.list.d/trixie.sources"
   insert_comments "${TARGET}/etc/apt/sources.list.d/trixie.sources"
-  cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie.sources"
+  cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -98,9 +98,9 @@ EOF
 
   ### Security Repository
   if [[ "${apt_updates_security,,}" == "true" ]]; then
-    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    insert_header   "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
     insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
-    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
+    cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie-security.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -117,9 +117,9 @@ EOF
 
   ### Updates Repository
   if [[ "${apt_updates_release,,}" == "true" ]]; then
-    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    insert_header   "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
     insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
-    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
+    cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie-updates.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#
@@ -137,9 +137,9 @@ EOF
 
   ### Backports Repository
   if [[ "${apt_updates_backports,,}" == "true" ]]; then
-    insert_header  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    insert_header   "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
     insert_comments "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
-    cat << EOF >>  "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
+    cat << EOF >>   "${TARGET}/etc/apt/sources.list.d/trixie-backports.sources"
 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
 #------------------------------------------------------------------------------------------------------------------------------#

func/cdi_4100_base/4121_installation_initramfs.sh

@@ -28,7 +28,14 @@ guard_sourcing
 #######################################
 installation_initramfs() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_modules=""
+  declare     var_modules="" var_whereiam=""
+
+  # shellcheck disable=SC2312
+  if [[ -x "$(command -v virt-what)" ]]; then
+    var_whereiam=$(virt-what | head -n1)
+  else
+    var_whereiam=$(grep -iE 'kvm|vmware|qemu' /sys/class/dmi/id/product_name 2>/dev/null || echo "baremetal")
+  fi
 
   mkdir -p "${TARGET}/etc/initramfs-tools/files"
 
@@ -41,13 +48,29 @@ installation_initramfs() {
   var_modules=$(grep_nic_driver_modules)
 
   cat << EOF >> "${TARGET}/etc/initramfs-tools/modules"
-
-### Custom NIC driver
+### Custom NIC driver:
 ${var_modules}
 
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
+  if [[ "${var_whereiam}" =~ ^(kvm|vmware|qemu)$ ]]; then
+
+    cat << EOF >> "${TARGET}/etc/initramfs-tools/modules"
+### QEMU Bochs-compatible virtual machine support:
+bochs
+
+### Virtio support:
+virtio_pci
+virtio_blk
+virtio_scsi
+virtio_console
+virtio_rng
+
+EOF
+  fi
+
+  printf "%s\n" '# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf' >> "${TARGET}/etc/initramfs-tools/modules"
+
   ### MODULES: [ most | netboot | dep | list ]
   ## 'most' - Add most filesystem and all hard-drive drivers.
   ## 'dep'  - Try and guess the modules to load.

func/cdi_4200_boot/4250_update_grub_bootparameter.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Options in "GRUB_CMDLINE_LINUX" are always effective.
+### Options in "GRUB_CMDLINE_LINUX" are always effective, (incl. recovery).
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 
 guard_sourcing
@@ -25,6 +25,7 @@ guard_sourcing
 #   VAR_DROPBEAR
 #   VAR_NUKE
 #   VAR_NUKE_HASH
+#   VAR_SEC_FW
 #   VV_GRUB_CMDLINE_LINUX
 #   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
@@ -55,6 +56,16 @@ update_grub_bootparameter() {
 
   done
 
+  if [[ "${VAR_SEC_FW}" == "apparmor" ]]; then
+
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"
+
+  elif [[ "${VAR_SEC_FW}" == "selinux" ]]; then
+
+    ### We start in permissive mode first, so we don't pass 'enforcing=1' through the command line.
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} selinux=1 security=selinux"
+
+  fi
 
   if [[ "${VAR_DROPBEAR}" == "true" ]]; then
     var_label="${HMP_PATH_ENCLABEL["/"]}"

func/cdi_4400_hardening/4490_hardening_virus.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Installing anti-rootkit and antivirus packages.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_virus() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4490_hardening_virus.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4600_packages/4600_installation_packages.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Installs the desired packages.
+# Globals:
+#   ARY_PACKAGES
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_packages() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4600_installation_packages.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
+    chroot_script "${TARGET}" "
+      export INITRD=No
+      apt-get update     2>&1 | tee -a ${var_logfile}
+      apt-get upgrade -y 2>&1 | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    "
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4600_packages/4610_installation_security.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Installs the desired security extension framework.
+# Globals:
+#   TARGET
+#   VAR_SEC_FW
+#   VAR_SSH_PORT
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+installation_security() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4610_installation_security.log"
+  declare -ar ary_apparmor=( "apparmor" "apparmor-profiles" "apparmor-profiles-extra" "apparmor-utils" )
+  declare -ar ary_selinux=( "selinux-basics" "selinux-policy-default" "selinux-utils" "setools" "semodule-utils" "sepol-utils" \
+    "policycoreutils" "policycoreutils-python-utils" "checkpolicy" "python3-setools" )
+  declare -a  ary_fw=("${ary_selinux[@]}")
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  [[ "${VAR_SEC_FW}" == "apparmor" ]] && ary_fw=("${ary_apparmor[@]}")
+  [[ "${VAR_SEC_FW}" == "selinux"  ]] && ary_fw=("${ary_selinux[@]}")
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+
+    if [[ ${VAR_SEC_FW} == apparmor ]]; then
+      systemctl enable apparmor 2>&1 | tee -a ${var_logfile} || true
+    fi
+  "
+
+  if [[ "${VAR_SEC_FW}" == "selinux" ]]; then
+
+    mkdir -p "${TARGET}/etc/selinux" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"
+
+    [[ -f "${TARGET}/etc/selinux/config" ]] && mv "${TARGET}/etc/selinux/config" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"
+
+    insert_header   "${TARGET}/etc/selinux/config"
+    insert_comments "${TARGET}/etc/selinux/config"
+    cat << 'EOF' >> "${TARGET}/etc/selinux/config"
+# This file controls the state of SELinux on the system.
+
+# SELINUX= can take one of these three values:
+#   enforcing : SELinux security policy is enforced.
+#   permissive: SELinux prints warnings instead of enforcing.
+#   disabled  : SELinux policy is not loaded.
+SELINUX=permissive
+
+# SELINUXTYPE= can take one of these two values:
+#   default: equivalent to the old strict and targeted policies.
+#   mls    : Multi-Level Security (for military and educational use).
+#   src    : Custom policy built from source.
+SELINUXTYPE=default
+
+# SETLOCALDEFS= Check local definition changes
+SETLOCALDEFS=0
+
+EOF
+
+    ### Trigger a full relabeling on the first boot of the target.
+    touch "${TARGET}/.autorelabel"
+
+    chroot_script "${TARGET}" "
+      semanage port -a -t ssh_port_t -p tcp ${VAR_SSH_PORT}
+    "
+
+    ### Enable PAM SELinux modules in common-session configs
+    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session"
+    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session-noninteractive"
+
+    cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session"
+session    required     pam_selinux.so close
+session    required     pam_selinux.so open
+EOF
+
+    cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session-noninteractive"
+session    required     pam_selinux.so close
+session    required     pam_selinux.so open
+EOF
+
+  fi
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4600_packages/4620_installation_verification.sh

@@ -0,0 +1,376 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+### https://github.com/linux-audit/audit-userspace/tree/master/rules
+
+#######################################
+# Installs 'aide', 'audit', and 'debsums' audit and logging packages.
+# Globals:
+#   TARGET
+#   VAR_SEC_FW
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+install_verification() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_logfile="/root/.ciss/cdi/log/4620_installation_verification.log"
+
+  chroot_logger "${TARGET}${var_logfile}"
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
+
+  ############################################################### /etc/audit/rules.d/10-base-config.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules"
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 60000
+
+## Set failure mode to syslog
+-f 1
+EOF
+
+  ############################################################### /etc/audit/rules.d/11-loginuid.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/11-loginuid.rules"
+--loginuid-immutable
+EOF
+
+  ############################################################### /etc/audit/rules.d/20-dont-audit.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/20-dont-audit.rules"
+## This is for don't audit rules. We put these early because audit
+## is a first match wins system. Uncomment the rules you want.
+
+## Cron jobs fill the logs with stuff we normally don't want
+-a never,user
+
+## This prevents chrony from overwhelming the logs
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
+-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
+
+## Human-attributable time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+
+### This is not very interesting and wastes a lot of space if
+### the server is public facing
+-a always,exclude -F msgtype=CRYPTO_KEY_USER
+EOF
+
+  ############################################################### /etc/audit/rules.d/21-no32bit.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/21-no32bit.rules"
+## If you are on a 64 bit platform, everything _should_ be running
+## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+## because this might be a sign of someone exploiting a hole in the 32
+## bit ABI.
+-a always,exit -F arch=b32 -S all -F key=32bit-abi
+EOF
+
+  ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/22-ignore-chrony.rules"
+## This rule suppresses the time-change event when chrony does time updates
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules"
+## Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-success.rules"
+## Successful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules"
+## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules"
+## Successful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules"
+## Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-success.rules"
+## Successful file access (any other opens) This has to go last.
+## These next two are likely to result in a whole lot of events
+-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules"
+## Unsuccessful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules"
+## Successful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules"
+## Unsuccessful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules"
+## Successful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules"
+## Unsuccessful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules"
+## Successful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
+EOF
+
+  ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42.rules"
+## The purpose of these rules is to meet the requirements for Operating
+## System Protection Profile (OSPP)v4.2. These rules depends on having
+## the following rule files copied to /etc/audit/rules.d:
+##
+## 10-base-config.rules, 11-loginuid.rules,
+## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
+## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
+## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
+## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
+## 30-ospp-v42-5-perm-change-failed.rules,
+## 30-ospp-v42-5-perm-change-success.rules,
+## 30-ospp-v42-6-owner-change-failed.rules,
+## 30-ospp-v42-6-owner-change-success.rules
+##
+## original copies may be found in /usr/share/audit-rules
+
+## User add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch passwd and
+## shadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
+## User enable and disable. This is entirely handled by pam.
+
+## Group add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+
+
+## Use of special rights for config changes. This would be use of setuid
+## programs that relate to user accts. This is not all setuid apps because
+## requirements are only for ones that affect system configuration.
+-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+
+## Privilege escalation via su or sudo. This is entirely handled by pam.
+## Special case for systemd-run. It is not audit aware, specifically watch it
+-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
+
+## Special case for pkexec. It is not audit aware, specifically watch it
+-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
+
+## Watch for configuration changes to privilege escalation.
+-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+
+## Audit log access
+-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+
+## Attempts to Alter Process and Session Initiation Information
+-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+
+## Attempts to modify MAC controls
+-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+
+## Application invocation. The requirements list an optional requirement
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+## state results from that policy. This would be handled entirely by
+## that daemon.
+EOF
+
+  ############################################################### /etc/audit/rules.d/99-finalize.rules
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/99-finalize.rules"
+-e 2
+EOF
+
+  chroot_script "${TARGET}" "
+    systemctl enable auditd.service 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
+  ### Validate and build audit rules now; fail early if syntax is wrong.
+  chroot_script "${TARGET}" "
+    if command -v augenrules >/dev/null 2>&1; then
+      augenrules --load 2>&1 | tee -a ${var_logfile}
+      echo ExitCode: \$? >> ${var_logfile}
+    else
+      ### Fallback: build consolidated rules file without loading into the kernel.
+      if command -v bash >/dev/null 2>&1; then
+        bash -lc 'cat /etc/audit/rules.d/*.rules > /etc/audit/audit.rules'
+      fi
+    fi
+  "
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+    sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
+    aideinit > /dev/null 2>> ${var_logfile}
+  "
+
+  chroot_script "${TARGET}" "
+    export INITRD=No
+    apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+    if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
+      printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
+    fi
+  "
+  guard_dir && return 0
+}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/modules

@@ -21,51 +21,57 @@
 # raid1
 # sd_mod
 
-### QEMU Bochs-compatible virtual machine support
-bochs
+### Entropy source for '/dev/random':
+jitterentropy_rng
 
-### Device-mapper core module (required for all dm_* features)
+### Device-mapper core module (required for all dm_* features):
 dm_mod
 
-### Device-mapper integrity target (provides integrity checking)
+### Device-mapper integrity target (provides integrity checking):
 dm_integrity
 
-### Device-mapper crypt target (provides disk encryption)
+### Device-mapper crypt target (provides disk encryption):
 dm_crypt
 
-### Generic AES block cipher implementation (used by dm-crypt)
+### Crypto primitives for LUKS2 / AES-XTS:
+aes_x86_64
+xts
+serpent_generic
+twofish_generic
+
+### Generic AES block cipher implementation (used by dm-crypt):
 aes_generic
 
-### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
+### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets):
 sha256_generic
 
-### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
+### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets):
 sha384_generic
 
-### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
+### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets):
 sha512_generic
 
-### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
+### Generic CRC32C checksum implementation (used by btrfs and other filesystems):
 crc32c_generic
 crc32c_intel
 
-### Main btrfs filesystem module
+### Main btrfs filesystem module:
 btrfs
 
-### Ensure Btrfs root on LUKS works with zstd-compressed extents
+### Ensure Btrfs root on LUKS works with zstd-compressed extents:
 zstd
 zstd_compress
 xxhash
 
-### XOR parity implementation for RAID functionality
+### XOR parity implementation for RAID functionality:
 xor
 
-### RAID6 parity generation module
+### RAID6 parity generation module:
 raid6_pq
 
-### Combined RAID4/5/6 support module
+### Combined RAID4/5/6 support module:
 raid456
 
-### Ensure ESP support
+### Ensure ESP support:
 fat
 vfat

meta_loader_func.sh

@@ -94,13 +94,18 @@ source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
 source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"
 source_guard "./func/cdi_4400_hardening/4470_hardening_ufw.sh"
 source_guard "./func/cdi_4400_hardening/4480_hardening_usb.sh"
+source_guard "./func/cdi_4400_hardening/4490_hardening_virus.sh"
 
 ### cdi_4500_user
 source_guard "./func/cdi_4500_user/4500_accounts_preparation.sh"
 source_guard "./func/cdi_4500_user/4510_accounts_hardening.sh"
 source_guard "./func/cdi_4500_user/4520_accounts_setup.sh"
 
-### cdi_4600_verification
+### cdi_4600_packages
+source_guard "./func/cdi_4600_packages/4600_installation_packages.sh"
+source_guard "./func/cdi_4600_packages/4610_installation_security.sh"
+source_guard "./func/cdi_4600_packages/4620_installation_verification.sh"
+
 #source_guard "./func/cdi_4600_verification/4610_finalize_system.sh"
 #source_guard "./func/cdi_4600_verification/4670_verify_system.sh"
 #source_guard "./func/cdi_4600_verification/4680_check_sshd_config_integrity.sh"