Merge remote-tracking branch 'origin/master'

V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-15 07:09:48 +01:00 · 2025-10-15 07:08:52 +01:00
6 changed files with 69 additions and 55 deletions
--- a/.preseed/partitioning.yaml
+++ b/.preseed/partitioning.yaml
@@ -34,9 +34,12 @@ recipe:
        time: 256              # The number of milliseconds to spend with PBKDF passphrase processing.
      luks_backup: true        # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
                               # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
-                               # Also provide the cloud access token and access passwords via ./.preseed/password_luks_backup.txt
-                               # Yet Nextcloud only is supported.
+                               # Also provide the cloud access token and access passwords via
+                               # ./.preseed/password_luks_backup.txt. Yet Nextcloud only is supported.
      luks_backup_url: "https://cloud.e2ee.li/"
+      luks_backup_pgp: "ciss"  # Specify the trigger for use of the LUKS Header backup encryption key.
+                               # Allowed values are: 'ciss', and 'physnet'. MUST be provided.
+                               # Otherwise, the backup is NOT created.
      name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
      nuke: true               # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
      nuke_rounds: 16384       # SHA512 KDF Rounds for Nuke Passphrase. If omitted, the default value is '8,388,608'.
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -863,7 +863,8 @@ user:
      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
      sudo: false              # Whether the user can escalate to root using sudo.
      system: true             # Whether this is a low-UID system user (e.g., for automation).
-    specific: "ciss"           # Also used for LUKS Header encryption.
+    specific: "ciss"           # Adjust the settings for the user account as required. Allowed values are 'none', 'ciss', and
+                               # 'physnet'.

  ##############################################################################################################################
  # Primary administrative user with full sudo access
@@ -892,7 +893,8 @@ user:
      system: false            # Whether this is a low-UID system user (e.g., for automation).
      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
-    specific: "ciss"
+    specific: "ciss"           # Adjust the settings for the user account as required. Allowed values are 'none', 'ciss', and
+                               # 'physnet'.

  ##############################################################################################################################
  # ansible – System user for automation, no interactive shell
@@ -921,6 +923,7 @@ user:
      system: true             # Whether this is a low-UID system user (e.g., for automation).
      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
-    specific: "none"
+    specific: "none"           # Adjust the settings for the user account as required. Allowed values are 'none', 'ciss', and
+                               # 'physnet'.

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/func/cdi_1250_yaml/1251_yaml_reader.sh
+++ b/func/cdi_1250_yaml/1251_yaml_reader.sh
@@ -25,6 +25,7 @@ guard_sourcing
 #   VAR_DROPBEAR
 #   VAR_GRUB_PASSWORD
 #   VAR_LUKS_BACKUP
+#   VAR_LUKS_PGP
 #   VAR_LUKS_URL
 #   VAR_NEED_RUN_IN_TARGET
 #   VAR_NUKE
@@ -57,7 +58,7 @@ guard_sourcing
 #   None
 # Returns:
 #   0: on success
-#   ERR_NO_VALID_RECIPE
+#   ERR_NO_VALID_RECIPE: on failure
 #######################################
 yaml_reader() {
  ### Declare Arrays, HashMaps, and Variables.
@@ -67,12 +68,12 @@ yaml_reader() {
              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
-              VAR_LUKS_URL=""
+              VAR_LUKS_URL="" VAR_LUKS_PGP=""
  ### Declare and substitute input files.
  declare -r  var_if="${VAR_PRESEED}"
  declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
-              recipe_luks_var="" recipe_luks_url=""
+              recipe_luks_var="" recipe_luks_url="" recipe_luks_pgp=""

  ### Read "${var_if}" line by line.
  while IFS= read -r var_line; do
@@ -209,12 +210,17 @@ END { print max }
  VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"

  ### Extract the chosen LUKS Backup strategy.
-  recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
-  # shellcheck disable=SC2034
-  VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
-  recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
-  # shellcheck disable=SC2034
-  VAR_LUKS_URL="${!recipe_luks_url,,}"
+    recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
+    # shellcheck disable=SC2034
+    VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
+
+    recipe_luks_pgp="recipe_${VAR_RECIPE_STRING}_control_luks_backup_pgp"
+    # shellcheck disable=SC2034
+    VAR_LUKS_PGP="${!recipe_luks_url,,}"
+
+    recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
+    # shellcheck disable=SC2034
+    VAR_LUKS_URL="${!recipe_luks_url,,}"

  ### Extract the chosen Nuke mechanism.
  recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -174,20 +174,50 @@ partition_encryption() {

    fi

+    ### Opening the encrypted container.
+    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
+      cryptsetup luksOpen "/dev/${var_dev}" \
+        --key-file="${DIR_CNF}/password_luks_boot.txt" \
+        "${var_encryption_label}"
+    else
+      cryptsetup luksOpen "/dev/${var_dev}" \
+        --key-file="${DIR_CNF}/password_luks_common.txt" \
+        "${var_encryption_label}"
+    fi
+    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
+
+    ### Create luksDump log entry.
+    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log"
+
+    ### Store UUID of the LUKS container.
+    var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
+
+    [[ "${var_encryption_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
+    [[ "${var_encryption_path}" == "/boot" ]] && declare -grx VAR_CRYPT_BOOT="${var_uuid}"
+    [[ "${var_encryption_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
+
+    HMP_PATH_LUKSUUID["${var_encryption_path}"]="${var_uuid}"
+    HMP_PATH_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
+
+    do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
+    do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
+
+    ### Backup the LUKS Header.
    if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then

-      case "${user_root_specific}" in
-
-        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
-        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
-        *)       do_log "error" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
-
-      esac
-
      var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak.pgp"
      var_luks_backup_pgp="${DIR_BAK}/luks_header_${var_dev}.bak.pgp"

+      case "${VAR_LUKS_PGP}" in
+
+        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
+        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
+        none)    do_log "error" "file_only" "3220() No PGP public key for LUKS Header encryption provided."; continue ;;
+        *)       do_log "fatal" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
+
+      esac
+
      if cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"; then

        do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
@@ -207,11 +237,11 @@ partition_encryption() {

        if command -v shred >/dev/null 2>&1; then

-          shred -u -- "${var_luks_backup_file}" || rm -f -- "${var_luks_backup_file}"
+          shred -vfzu -n 5 "${var_luks_backup_file}" || rm -f "${var_luks_backup_file}"

        else

-          rm -f -- "${var_luks_backup_file}"
+          rm -f "${var_luks_backup_file}"

        fi

@@ -245,34 +275,6 @@ partition_encryption() {

    fi

-    ### Opening the encrypted container.
-    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
-      cryptsetup luksOpen "/dev/${var_dev}" \
-        --key-file="${DIR_CNF}/password_luks_boot.txt" \
-        "${var_encryption_label}"
-    else
-      cryptsetup luksOpen "/dev/${var_dev}" \
-        --key-file="${DIR_CNF}/password_luks_common.txt" \
-        "${var_encryption_label}"
-    fi
-    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
-
-    ### Create luksDump log entry.
-    cryptsetup luksDump "/dev/${var_dev}" >> "${DIR_LOG}/3220_cryptsetup_luksdump_${var_dev}.log"
-
-    ### Store UUID of the LUKS container.
-    var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
-
-    [[ "${var_encryption_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
-    [[ "${var_encryption_path}" == "/boot" ]] && declare -grx VAR_CRYPT_BOOT="${var_uuid}"
-    [[ "${var_encryption_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
-
-    HMP_PATH_LUKSUUID["${var_encryption_path}"]="${var_uuid}"
-    HMP_PATH_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
-
-    do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
-    do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
-
  done

  [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
--- a/func/cdi_4400_hardening/4470_hardening_ufw.sh
+++ b/func/cdi_4400_hardening/4470_hardening_ufw.sh
@@ -82,11 +82,11 @@ hardening_ufw() {
  sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
  sed -i "/^# BEGIN custom MLD OUTPUT rules/,/^# END custom MLD OUTPUT rules/d" "${var_rules}"

-  ### Inbound MLD (INPUT chain) – insert before the existing echo-request rule.
+  ### Inbound MLD (INPUT chain), insert before the existing echo-request rule.
  ### Allows MLDv1 (130/131/132) and MLDv2 (143) to link-local multicast (ff02::/16)
  sed -i "/-A ufw6-before-input .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD rules\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 130 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 132 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD rules" "${var_rules}"

-  ### Outbound MLD (OUTPUT chain) – insert before echo-request.
+  ### Outbound MLD (OUTPUT chain), insert before echo-request.
  ### Useful if local daemons join multicast groups, and you want clean logs.
  sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"

--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -1308,7 +1308,7 @@ session    required    pam_env.so readenv=1 envfile=/etc/default/locale
 # If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
 auth  [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore

-# Listed users: show a clear hint and then require GA. No 'nullok': missing secret → fail.
+# Listed users: show a clear hint and then require GA. No 'nullok': missing secret -> fail.
 auth  required                    pam_echo.so file=/etc/ciss/login_totp.prompt
 auth  required                    pam_google_authenticator.so
Author	SHA256	Message	Date
Marc S. Weidner	3a50fc5050	Merge remote-tracking branch 'origin/master' All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m38s Details	2025-10-15 07:09:48 +01:00
Marc S. Weidner	f0bbc6094d	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-15 07:08:52 +01:00