msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

## V8.13.096.2025.10.09
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m34s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-09 23:02:18 +01:00
parent b140f0e03e
commit 38a6fe4a2c
6 changed files with 25 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
config/hooks/live/9996_auditd.chroot
View File

@@ -338,22 +338,23 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
-e 2 -e 2
EOF EOF
chmod 0640 /etc/audit/rules.d/*.rules
### Sanity checks: reject empty or malformed rulesets early. ### Sanity checks: reject empty or malformed rulesets early.
if ! /sbin/augenrules --check >/dev/null 2>&1; then if ! /sbin/augenrules --check >/dev/null 2>&1; then
log "ERROR: /sbin/augenrules --check failed. Please fix /etc/audit/rules.d/*.rules" log "ERROR: [/sbin/augenrules --check] failed. Please fix /etc/audit/rules.d/*.rules"
exit 1 exit 1
fi fi
if /sbin/augenrules --load; then if /sbin/augenrules; then
log "INFO: /sbin/augenrules --load, successful." log "INFO: [/sbin/augenrules] successful."
else else
log "ERROR: /sbin/augenrules --load failed." log "ERROR: [/sbin/augenrules] failed."
fi fi
@@ -362,7 +363,7 @@ fi
if [[ -f /etc/audit/audit.rules ]]; then if [[ -f /etc/audit/audit.rules ]]; then
chown root:root /etc/audit/audit.rules chown root:root /etc/audit/audit.rules
chmod 0600 /etc/audit/audit.rules chmod 0640 /etc/audit/audit.rules
else else
@@ -392,5 +393,7 @@ log "Done. /etc/audit/audit.rules is precompiled."
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
sleep 16
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

5
config/includes.chroot/etc/live/config.conf
View File

@@ -8,6 +8,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
LIVE_CONFIGS="username"
USERNAME=root # LIVE_CONFIG_CMDLINE=""
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
config/package-lists/live.list.common.chroot
View File

@@ -107,7 +107,6 @@ nodejs
openssl openssl
parted parted
perl perl
pollinate
pwgen pwgen
python3 python3
rkhunter rkhunter

2
lib/lib_cdi.sh
View File

@@ -44,7 +44,7 @@ cdi() {
tmp_entry="$(mktemp)" tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}" cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i { menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path} linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL} initrd /live/initrd.img-${VAR_KERNEL}
} }
EOF EOF

30
lib/lib_hardening_root_pw.sh
View File

@@ -25,33 +25,32 @@ guard_sourcing
hardening_root_pw() { hardening_root_pw() {
if [[ -z ${VAR_HASHED_PWD} ]]; then if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
# sleep 1
return 0 return 0
fi fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
# sleep 1
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live" declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_file="${cfg_dir}/config.conf" # declare cfg_file="${cfg_dir}/config.conf"
declare dropin_dir="${cfg_dir}/config.conf.d" declare dropin_dir="${cfg_dir}/config.conf.d"
declare dropin_file="${dropin_dir}/20-root-password.conf" # declare dropin_file="${dropin_dir}/20-root-password.conf"
mkdir -p "${dropin_dir}" mkdir -p "${dropin_dir}"
cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf # cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf
live-config.noautologin #noautologin
EOF #EOF
if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then # if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}" # sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
fi # fi
declare clean_hash="${VAR_HASHED_PWD//\"/}" declare clean_hash="${VAR_HASHED_PWD//\"/}"
printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}" # printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
chmod 0600 "${dropin_file}" # chmod 0600 "${dropin_file}"
chown root:root "${dropin_file}" # chown root:root "${dropin_file}"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
@@ -70,10 +69,6 @@ EOF
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
tty1 tty1
tty2 tty2
tty3
tty4
tty5
tty6
EOF EOF
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
@@ -98,6 +93,5 @@ EOF
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator" #chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
# sleep 1
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
lib/lib_lb_config_write_trixie.sh
View File

@@ -41,7 +41,7 @@ lb_config_write_trixie() {
--binary-filesystem fat32 \ --binary-filesystem fat32 \
--binary-image iso-hybrid \ --binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \ --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \ --bootloaders grub-efi \
--cache true \ --cache true \
--checksums sha512 sha256 md5 \ --checksums sha512 sha256 md5 \