From 38a6fe4a2c993da630af1b657f461a9ea5902a0ea82b984da18d5803adba6f51 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Thu, 9 Oct 2025 23:02:18 +0100 Subject: [PATCH] ## V8.13.096.2025.10.09 Signed-off-by: Marc S. Weidner --- config/hooks/live/9996_auditd.chroot | 13 +++++---- config/includes.chroot/etc/live/config.conf | 5 ++-- config/package-lists/live.list.common.chroot | 1 - lib/lib_cdi.sh | 2 +- lib/lib_hardening_root_pw.sh | 30 ++++++++------------ lib/lib_lb_config_write_trixie.sh | 2 +- 6 files changed, 25 insertions(+), 28 deletions(-) diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot index 6ef837c..62fec8f 100644 --- a/config/hooks/live/9996_auditd.chroot +++ b/config/hooks/live/9996_auditd.chroot @@ -338,22 +338,23 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules -e 2 EOF +chmod 0640 /etc/audit/rules.d/*.rules ### Sanity checks: reject empty or malformed rulesets early. if ! /sbin/augenrules --check >/dev/null 2>&1; then - log "ERROR: /sbin/augenrules --check failed. Please fix /etc/audit/rules.d/*.rules" + log "ERROR: [/sbin/augenrules --check] failed. Please fix /etc/audit/rules.d/*.rules" exit 1 fi -if /sbin/augenrules --load; then +if /sbin/augenrules; then - log "INFO: /sbin/augenrules --load, successful." + log "INFO: [/sbin/augenrules] successful." else - log "ERROR: /sbin/augenrules --load failed." + log "ERROR: [/sbin/augenrules] failed." fi @@ -362,7 +363,7 @@ fi if [[ -f /etc/audit/audit.rules ]]; then chown root:root /etc/audit/audit.rules - chmod 0600 /etc/audit/audit.rules + chmod 0640 /etc/audit/audit.rules else @@ -392,5 +393,7 @@ log "Done. /etc/audit/audit.rules is precompiled." printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" +sleep 16 + exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/live/config.conf b/config/includes.chroot/etc/live/config.conf index a600cc2..290559b 100644 
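Review bot: The merge-failure branch of the first hunk is still non-fatal: when `/sbin/augenrules` (now called without `--load`) fails, the hook only logs `ERROR: [/sbin/augenrules] failed.` and continues into the ownership/permission block and the final "applied successfully" banner, whereas the `--check` failure just above exits 1. Add `exit 1` to the else branch so a build whose /etc/audit/audit.rules was not merged cannot report success. Dropping `--load` looks right for a chroot hook, since augenrules then only merges rules.d into audit.rules instead of pushing rules into the build host's kernel; a one-line comment such as `# merge rules.d into audit.rules only; the live system loads them at boot` above the call would record that intent.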
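Review bot: The second hunk relaxes /etc/audit/audit.rules from 0600 to 0640 (and the first hunk applies 0640 to rules.d/*.rules) without saying why group-root read access is now wanted. If 0640 is meant to match the mode the audit package ships, say so next to the chmod, e.g. `# 0640 root:root: same mode auditd installs for its rule files`; otherwise 0600 was the stricter choice and the change should be justified in the commit.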
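Review bot: The `sleep 16` added before `exit 0` in the third hunk pauses every build for 16 seconds with no explanation, and a chroot hook has no interactive reader for the banner printed just above it. If the delay is intentional (waiting for something to settle, making the log readable), put the reason in a comment on the line, e.g. `sleep 16  # <reason>`; otherwise remove it.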
--- a/config/includes.chroot/etc/live/config.conf
+++ b/config/includes.chroot/etc/live/config.conf
@@ -8,6 +8,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-LIVE_CONFIGS="username"
-USERNAME=root
+
+# LIVE_CONFIG_CMDLINE=""
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/package-lists/live.list.common.chroot b/config/package-lists/live.list.common.chroot
index 3a25d77..95757f6 100644
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -107,7 +107,6 @@ nodejs
 openssl
 parted
 perl
-pollinate
 pwgen
 python3
 rkhunter
diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh
index 9eeefc7..a9a7fc5 100644
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
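Review bot: Removing `LIVE_CONFIGS="username"` and `USERNAME=root` leaves config.conf with nothing but the placeholder `# LIVE_CONFIG_CMDLINE=""`, so the file no longer says how the live session is configured. If LIVE_CONFIGS was restricting which live-config components run, dropping it lets the default component set run again; confirm that is intended for a root-only hardened image, and otherwise keep an explicit list. Suggest replacing the placeholder with a comment such as `# autologin is disabled via the noautologin/nottyautologin/nox11autologin boot parameters set in lib/lib_cdi.sh and lib/lib_lb_config_write_trixie.sh`, so the mechanism is discoverable from here.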
@@ -44,7 +44,7 @@ cdi() {
 tmp_entry="$(mktemp)"
 cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
- linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+ linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
 initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
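Review bot: The `linux` line gains `noautologin nottyautologin nox11autologin`, but the same ~60-token live boot string is maintained independently here and in `--bootappend-live` in lib/lib_lb_config_write_trixie.sh (last hunk of this patch); the two already differ in token order and this change had to be made twice. Keep the live boot parameters in one shared variable (e.g. `VAR_BOOTAPPEND_LIVE`, constructed name) that both this GRUB heredoc and the lb config call expand, so the lists cannot drift. Since lib/lib_hardening_root_pw.sh no longer writes the `10-disable-autologin.conf` drop-in, this command line is now the only place autologin is disabled; a comment above the heredoc stating that, e.g. `# autologin is disabled only by the no*autologin tokens below; keep them in sync with lib_lb_config_write_trixie.sh`, would help the next reader. cdi() starts before and continues after the hunk.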
diff --git a/lib/lib_hardening_root_pw.sh b/lib/lib_hardening_root_pw.sh index 2333e8e..2b5ed8a 100644 --- a/lib/lib_hardening_root_pw.sh +++ b/lib/lib_hardening_root_pw.sh @@ -25,33 +25,32 @@ guard_sourcing hardening_root_pw() { if [[ -z ${VAR_HASHED_PWD} ]]; then printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… No Root Password for Console set, skipping root password hook.\e[0m\n" - # sleep 1 + return 0 fi printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Setup Root Password for Console ... \e[0m\n" - # sleep 1 declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live" - declare cfg_file="${cfg_dir}/config.conf" +# declare cfg_file="${cfg_dir}/config.conf" declare dropin_dir="${cfg_dir}/config.conf.d" - declare dropin_file="${dropin_dir}/20-root-password.conf" +# declare dropin_file="${dropin_dir}/20-root-password.conf" mkdir -p "${dropin_dir}" - cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf -live-config.noautologin -EOF +# cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf +#noautologin +#EOF - if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then - sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}" - fi +# if ! grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then +# sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}" +# fi declare clean_hash="${VAR_HASHED_PWD//\"/}" - printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}" - chmod 0600 "${dropin_file}" - chown root:root "${dropin_file}" +# printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}" +# chmod 0600 "${dropin_file}" +# chown root:root "${dropin_file}" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root" printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" 
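Review bot: The drop-in logic is commented out rather than removed (`# declare cfg_file`, `# declare dropin_file`, the `# cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf` heredoc, the `# if ! grep -q 'LIVE_CONFIGS=...'` block and the `# printf 'live-config.root-password-hash=...'`/`# chmod 0600`/`# chown` lines), while `mkdir -p "${dropin_dir}"` still runs and now only creates an empty config.conf.d; delete the dead lines and the orphaned mkdir, git history keeps the old mechanism. The added `return 0` after the "skipping root password hook" message is a genuine fix: before it the function fell through and went on to write an empty `clean_hash` to `includes.chroot/root/.pwd`. With the drop-in gone that `.pwd` file is the only place the cleaned hash is written, and the 0600 root:root that the removed lines applied to the drop-in is not visible for it in this hunk; confirm it is applied further down. hardening_root_pw() continues past the hunk.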
@@ -70,10 +69,6 @@ EOF cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty tty1 tty2 -tty3 -tty4 -tty5 -tty6 EOF mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin @@ -98,6 +93,5 @@ EOF #chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Setup Root Password for Console done. \e[0m\n" - # sleep 1 } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh index 37888c4..f49c042 100644 --- a/lib/lib_lb_config_write_trixie.sh +++ b/lib/lib_lb_config_write_trixie.sh 
@@ -41,7 +41,7 @@ lb_config_write_trixie() { --binary-filesystem fat32 \ --binary-image iso-hybrid \ --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ - --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \ + --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence 
ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \ --bootloaders grub-efi \ --cache true \ --checksums sha512 sha256 md5 \