V8.13.536.2025.12.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -245,7 +245,6 @@ find /usr/lib/live/boot -type f -exec chmod 0755 {} +
   && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
 ### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
-mkdir -p /etc/systemd/networkd.conf.d
 mkdir -p /etc/systemd/resolved.conf.d
 mkdir -p /etc/systemd/system
 mkdir -p /etc/systemd/system/multi-user.target.wants
@@ -285,12 +284,6 @@ LLMNR=no
 MulticastDNS=no
 EOF
 
-cat << EOF >| /etc/systemd/networkd.conf.d/10-ciss-hardening.conf
-[Network]
-LLMNR=no
-MulticastDNS=no
-EOF
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -382,7 +382,7 @@ main() {
 
     fi
 
-    if [[ "${COUNTER}" -eq 3 ]]; then
+    if [[ "${COUNTER}" -ge 3 && "${PASS_SENT}" -eq 0 ]]; then
 
       secure_unset_pass
       break
@@ -391,6 +391,8 @@ main() {
 
     if [[ "${PASS_SENT}" -eq 0 ]]; then
 
+      COUNTER=$((COUNTER + 1))
+
       # shellcheck disable=SC2310
       read_passphrase || continue
 

lib/lib_clean_up.sh

@@ -111,6 +111,17 @@ clean_up() {
 
   fi
 
+  ### Securely shred all regular files below ./chroot, then remove empty dirs.
+  if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
+
+    # shellcheck disable=SC2312
+    find "${VAR_HANDLER_BUILD_DIR}/chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+
+    ### Remove empty directories (bottom-up).
+    find "${VAR_HANDLER_BUILD_DIR}/chroot" -depth -xdev -type d -empty -delete
+
+  fi
+
   eval "${_old_nullglob}" 2>/dev/null || true
   eval "${_old_dotglob}"  2>/dev/null || true
   eval "${_old_failglob}" 2>/dev/null || true