V8.13.192.2025.10.18

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0007_update_logrotate.chroot

@@ -20,7 +20,7 @@ declare     var_file="" var_log=""
 export DEBIAN_FRONTEND="noninteractive"
 
 rm -f         "/etc/logrotate.conf"
-cat << EOF >> "/etc/logrotate.conf"
+cat << EOF >| "/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
 
 # rotate log files daily
@@ -52,16 +52,6 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-for var_log in "${ary_logrotate[@]}"; do
-  var_file="$/etc/logrotate.d/${var_log}"
-  [[ -e "${var_file}" ]] || continue
-  ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
-  sed -E -i \
-    -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-    -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 384\3\4/' \
-    "${var_file}"
-done
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0810_chrony_setup.chroot

@@ -111,6 +111,8 @@ if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
 
 fi
 
+chronyd -Q -f /etc/chrony/chrony.conf 2>&1
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -44,6 +44,15 @@ maxretry  = 8
 findtime  = 24h
 bantime   = 24h
 
+[recidive]
+enabled   = true
+filter    = recidive
+logpath   = /var/log/fail2ban/fail2ban.log*
+banaction = iptables-allports
+bantime   = 32d
+findtime  = 384d
+maxretry  = 4
+
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 
@@ -82,25 +91,43 @@ maxretry  = 1
 bantime   = 24h
 findtime  = 24h
 
-[recidive]
-enabled   = true
-filter    = recidive
-logpath   = /var/log/fail2ban/fail2ban.log*
-banaction = iptables-allports
-bantime   = 32d
-findtime  = 384d
-maxretry  = 4
-
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
 cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
 [Definition]
 failregex = \[UFW BLOCK\].+SRC=<HOST> DST
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
 cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
 [Definition]
 failregex = ^refused connect from \S+ \(<HOST>\)
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
 ###########################################################################################
@@ -114,7 +141,7 @@ EOF
 # allows Fail2ban to have write access on required paths.                                 #
 ###########################################################################################
 mkdir -p /etc/systemd/system/fail2ban.service.d
-mkdir /var/log/fail2ban
+mkdir -p /var/log/fail2ban
 
 cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
 [Service]

config/hooks/live/9999_yyyy_logrotate.chroot

@@ -0,0 +1,45 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
+declare     var_file="" var_log=""
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
+for var_log in "${ary_logrotate[@]}"; do
+  var_file="$/etc/logrotate.d/${var_log}"
+  [[ -e "${var_file}" ]] || continue
+  ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
+  sed -E -i \
+    -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
+    -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 384\3\4/' \
+    "${var_file}"
+done
+
+if ! logrotate -d /etc/logrotate.conf; then
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+
+else
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

docs/CHANGELOG.md

@@ -14,6 +14,7 @@ include_toc: true
 
 ## V8.13.192.2025.10.18
 * **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
+* **Added**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot)
 * **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
 * **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
 * **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)