From 08a0291f16014ff6f06e016f8ce7028b88376fe3947a45c98bf51b57ef8ea5fd Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Thu, 4 Dec 2025 09:36:33 +0100
Subject: [PATCH] V8.13.536.2025.12.04
Signed-off-by: Marc S. Weidner
---
 config/hooks/live/0000_basic_chroot_setup.chroot | 7 -------
 .../etc/initramfs-tools/files/unlock_wrapper.sh | 4 +++-
 lib/lib_clean_up.sh | 11 +++++++++++
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot
index 1e3d851..e95b60f 100644
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -245,7 +245,6 @@ find /usr/lib/live/boot -type f -exec chmod 0755 {} + && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 ### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
-mkdir -p /etc/systemd/networkd.conf.d
 mkdir -p /etc/systemd/resolved.conf.d
 mkdir -p /etc/systemd/system
 mkdir -p /etc/systemd/system/multi-user.target.wants
@@ -285,12 +284,6 @@ LLMNR=no
 MulticastDNS=no
 EOF
-cat << EOF >| /etc/systemd/networkd.conf.d/10-ciss-hardening.conf
-[Network]
-LLMNR=no
-MulticastDNS=no
-EOF
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
index 0e25510..4a56078 100644
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -382,7 +382,7 @@ main() {
 fi
- if [[ "${COUNTER}" -eq 3 ]]; then
+ if [[ "${COUNTER}" -ge 3 && "${PASS_SENT}" -eq 0 ]]; then
 secure_unset_pass
 break
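Review bot: The new limit in `if [[ "${COUNTER}" -ge 3 && "${PASS_SENT}" -eq 0 ]]; then` is a bare magic number, and together with the increment added in the next hunk (`@@ -391`), which runs before `read_passphrase || continue`, a failed read also consumes one of the three attempts; neither fact is stated in the code. A named constant such as `MAX_PASS_ATTEMPTS=3` (name constructed) declared with the script's other globals, `if [[ "${COUNTER}" -ge "${MAX_PASS_ATTEMPTS}" && "${PASS_SENT}" -eq 0 ]]; then`, and a comment `# a failed read still counts as an attempt` above the increment would make the lockout policy explicit. Whether COUNTER is initialised to 0 before the loop is outside both hunks; bash treats an empty string as 0 in `-ge`, so an uninitialised counter would silently pass rather than fail loudly. `main()` starts before and continues after both hunks.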
@@ -391,6 +391,8 @@ main() {
 if [[ "${PASS_SENT}" -eq 0 ]]; then
+ COUNTER=$((COUNTER + 1))
+ # shellcheck disable=SC2310
 read_passphrase || continue
diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh
index 9be1f14..2cccdcd 100644
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -111,6 +111,17 @@ clean_up() {
 fi
+ ### Securely shred all regular files below ./chroot, then remove empty dirs.
+ if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
+
+ # shellcheck disable=SC2312
+ find "${VAR_HANDLER_BUILD_DIR}/chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+
+ ### Remove empty directories (bottom-up).
+ find "${VAR_HANDLER_BUILD_DIR}/chroot" -depth -xdev -type d -empty -delete
+
+ fi
+
 eval "${_old_nullglob}" 2>/dev/null || true
 eval "${_old_dotglob}" 2>/dev/null || true
 eval "${_old_failglob}" 2>/dev/null || true
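Review bot: The guard `if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then` does not protect against an unset or empty `VAR_HANDLER_BUILD_DIR`, in which case the test collapses to `-d /chroot` and the `find … | xargs shred -fzu` pipeline would destroy a same-named directory on the host; since clean_up looks like it may run from a trap where aborting is unwelcome, `if [[ -n "${VAR_HANDLER_BUILD_DIR:-}" && -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then` is the safer form. The pipeline's status is also discarded, so a file that shred cannot overwrite (xargs then exits 123) is silently left behind; appending `|| printf 'warn: shred incomplete below %s\n' "${VAR_HANDLER_BUILD_DIR}/chroot" >&2` keeps that failure visible. The comment `### Securely shred …` overstates what shred can promise on copy-on-write, journaling or snapshotting filesystems and on flash media, as shred(1) itself documents; a comment such as `# NOTE: overwrite is best-effort; CoW/journaled filesystems and SSDs may retain old blocks` would set expectations. After this step only regular files are gone, so symlinks, FIFOs or device nodes and their parent directories survive unless a later removal handles them, which is not visible here. clean_up starts before this hunk and continues after it.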