V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-05 17:21:59 +01:00 · 2025-10-05 17:21:48 +01:00
8 changed files with 26 additions and 1 deletions
--- a/func/cdi_3200_partitioning/3200_partitioning.sh
+++ b/func/cdi_3200_partitioning/3200_partitioning.sh
@@ -383,4 +383,7 @@ partitioning() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f partitioning
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -209,4 +209,7 @@ partition_encryption() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f partition_encryption
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
+++ b/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
@@ -116,4 +116,7 @@ prepare_mounts() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f prepare_mounts
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4100_base/4121_installation_initramfs.sh
+++ b/func/cdi_4100_base/4121_installation_initramfs.sh
@@ -104,4 +104,7 @@ EOF

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_initramfs
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -32,6 +32,9 @@ write_crypttab() {

  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_crypttab

 #######################################
 # Generate the '/etc/crypttab' target entries.
@@ -148,4 +151,7 @@ EOF

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_crypttab
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
+++ b/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
@@ -85,4 +85,7 @@ update_grub_bootparameter() {

  guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_grub_bootparameter
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/etc/sysctl.d/99_local.hardened
+++ b/includes/target/etc/sysctl.d/99_local.hardened
@@ -180,7 +180,7 @@ vm.mmap_rnd_compat_bits=16
 # settings.
 ###########################################################################################
 fs.suid_dumpable=0
-kernel.core_pattern=|/bin/false
+kernel.core_pattern='|/bin/false'

 ### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 #user.max_user_namespaces=0
--- a/var/bash.var.sh
+++ b/var/bash.var.sh
@@ -36,4 +36,8 @@ declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 declare -gx IFS=$' \t\n'
 umask 0022

+ulimit -c 0
+sysctl -w fs.suid_dumpable=0 >/dev/null 2>&1
+sysctl -w kernel.core_pattern='|/bin/false' >/dev/null 2>&1
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Author	SHA256	Message	Date
Marc S. Weidner	ebfba51df0	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m17s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-05 17:21:59 +01:00
Marc S. Weidner	51cb2f9f6a	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-05 17:21:48 +01:00