From 68c803550b88db4de1ad1103c7c00a5dd3c75339b339559c52a6bb597767a241 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Tue, 7 Oct 2025 12:51:05 +0100 Subject: [PATCH] V8.13.064.2025.10.07 
Signed-off-by: Marc S. Weidner --- .archive/.0000_lib_usage.sh | 2 +- .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/dockerfile | 2 +- .gitea/TODO/render-md-to-html.yaml | 2 +- .../trigger/t_generate_PRIVATE_trixie_0.yaml | 2 +- .../trigger/t_generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/trigger/t_generate_PUBLIC.yaml | 2 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_0.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_1.yaml | 2 +- .gitea/workflows/generate_PUBLIC_iso.yaml | 2 +- .gitea/workflows/linter_char_scripts.yaml | 2 +- .gitea/workflows/render-dnssec-status.yaml | 2 +- .gitea/workflows/render-dot-to-png.yaml | 2 +- .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 6 +- ciss_live_builder.sh | 2 + config/hooks/live/9980_usb_guard.chroot | 13 ++-- config/includes.chroot/etc/ssh/sshd_config | 2 +- .../etc/sysctl.d/99_local.hardened | 2 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- config/includes.chroot/root/.bashrc | 33 +++------ docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/BOOTPARAMS.md | 2 +- docs/CHANGELOG.md | 10 ++- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 6 +- docs/REFERENCES.md | 2 +- lib/lib_arg_parser.sh | 2 +- lib/lib_cdi.sh | 2 +- lib/lib_check_pkgs.sh | 5 ++ lib/lib_lb_config_write_trixie.sh | 11 ++- lib/lib_note_target.sh | 61 ++++++++++++++++ lib/lib_run_analysis.sh | 22 +++++- lib/lib_trap_on_err.sh | 71 ++++++++++++++----- lib/lib_trap_on_exit.sh | 42 ++++++++++- lib/lib_usage.sh | 10 +-- scripts/9000-cdi-starter | 8 +-- var/early.var.sh | 2 +- var/global.var.sh | 13 ++-- 50 files changed, 273 insertions(+), 110 deletions(-) create mode 100644 lib/lib_note_target.sh 
diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh index 56a6afa..13a5ca8 100644 --- a/.archive/.0000_lib_usage.sh +++ b/.archive/.0000_lib_usage.sh @@ -21,7 +21,7 @@ usage() { clear cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.13.048.2025.10.06\e[0m") +$(echo -e "\e[92mMaster V8.13.064.2025.10.07\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 67c3bc8..b540b46 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.048.2025.10.06" + placeholder: "e.g., Master V8.13.064.2025.10.07" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index bf5fa01..cf705d0 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index d00bbbc..868d67d 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 name: ๐Ÿ” Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index 4888026..8f50145 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml 
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.048.2025.10.06 + version: V8.13.064.2025.10.07 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index 4888026..8f50145 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.048.2025.10.06 + version: V8.13.064.2025.10.07 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index f5d522a..7d4e9dd 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.048.2025.10.06 + version: V8.13.064.2025.10.07 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index f5d522a..7d4e9dd 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.048.2025.10.06 + version: V8.13.064.2025.10.07 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index 15025e2..10c13db 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 5f47862..386d38d 100644 
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 005c69c..69665c4 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 48a4ae7..ae182bf 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index d9ea57a..b12c4ab 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 name: ๐Ÿ›ก๏ธ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 6c2befe..681e306 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 name: ๐Ÿ” Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index 6a92690..ddcd2d1 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.048.2025.10.06" +properties_version="V8.13.064.2025.10.07" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 5d6019a..fda5780 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.048.2025.10.06 +PackageVersion: Master V8.13.064.2025.10.07 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 25a787a..a8a195d 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.048.2025.10.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.064.2025.10.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.048.2025.10.06` +Example: `V8.13.064.2025.10.07` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index b6e604d..a2c236b 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -143,6 +143,7 @@ declare -gx VAR_SETUP="true" source_guard "./lib/lib_lb_config_start.sh" source_guard "./lib/lib_lb_config_write.sh" source_guard "./lib/lib_lb_config_write_trixie.sh" + source_guard "./lib/lib_note_target.sh" source_guard "./lib/lib_provider_netcup.sh" source_guard "./lib/lib_run_analysis.sh" source_guard "./lib/lib_sanitizer.sh" @@ -236,6 +237,7 @@ change_splash check_dhcp cdi provider_netcup +note_target ### Start the build process set +o errtrace diff --git a/config/hooks/live/9980_usb_guard.chroot b/config/hooks/live/9980_usb_guard.chroot index a4ce582..8f24f79 100644 --- a/config/hooks/live/9980_usb_guard.chroot +++ b/config/hooks/live/9980_usb_guard.chroot 
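Review bot: note_target is called right before the build starts, yet the fields it writes into cdlb.txt (VAR_LB_VER, VAR_DS_VER) are only set by check_pkgs in this same patch, and neither hunk shows where check_pkgs runs relative to this call; if it can be skipped or ordered later, the file is generated with empty version fields and nothing reports it. Make the dependency explicit at the call site with `### Requires check_pkgs (sets VAR_LB_VER, VAR_DS_VER) to have run.` or, better, have note_target refuse to write when either variable is empty. The surrounding main script continues outside both hunks.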
@@ -12,34 +12,33 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" -# sleep 1 apt-get install -y usbguard -# sleep 1 - -# Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm +### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm touch /tmp/rules.conf usbguard generate-policy >> /tmp/rules.conf if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then + mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak cp -a /tmp/rules.conf /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf + else + rm -f /etc/usbguard/rules.conf cp -a /tmp/rules.conf /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf + fi cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak -sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf -# sleep 1 +#sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf rm -f /tmp/rules.conf printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" -# sleep 1 exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index ac7ff39..2586ced 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index fdfc185..119b5ac 100644 
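Review bot: Commenting out the sed that switched PresentDevicePolicy to allow means usbguard-daemon now applies rules.conf to devices already attached when it starts, and that rules.conf comes from `usbguard generate-policy` run inside the build chroot, so it presumably reflects the build host's devices rather than those of the machine booting the ISO; a keyboard or console adapter present at boot on the target can then be blocked and the operator locked out. If the stricter behaviour is deliberate, record it where the sed was, e.g. `### PresentDevicePolicy stays apply-policy on purpose: devices absent from rules.conf are blocked at boot.`, otherwise restore the sed. The two branches of the if differ only in the backup mv, so `[[ -s /etc/usbguard/rules.conf ]] && mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak` followed by one cp/chmod pair would remove the duplication. The mv and the later cp -a both assume /root/.ciss/dlb/backup already exists in the chroot; this hook does not create it.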
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.13.048.2025.10.06 +### Version Master V8.13.064.2025.10.07 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 79360b0..a2b87e2 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.048.2025.10.06" +declare -gr VERSION="Master V8.13.064.2025.10.07" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 601453b..3d566c0 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.048.2025.10.06 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.064.2025.10.07 at: 10:18:37.9542 diff --git a/config/includes.chroot/root/.bashrc b/config/includes.chroot/root/.bashrc index 81dfe82..478e9b0 100644 --- a/config/includes.chroot/root/.bashrc +++ b/config/includes.chroot/root/.bashrc 
@@ -11,8 +11,8 @@ [[ $- != *i* ]] && return -### Never use errexit/pipefail in interactive shells -set +o errexit +o pipefail +### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells. +set +o errexit +o nounset +o pipefail trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT source /root/.ciss/alias @@ -20,9 +20,6 @@ source /root/.ciss/f2bchk.sh source /root/.ciss/shortcuts source /root/.ciss/scan_libwrap -### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells. -set +o errexit +o nounset +o pipefail - ### History touch /tmp/.bash_history chmod 0660 /tmp/.bash_history @@ -62,23 +59,15 @@ alias cp="cp -iv" alias mv='mv -iv' alias rm='rm -iv' -### Welcome message after login -printf "\n" -printf "\e[91m๐Ÿ” Coresecret Channel Established. \e[0m\n" -printf "\e[92mโœ… Welcome back\e[0m" -printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n" -printf "\n" -printf "\n" - ### Welcome message after login. -#printf "\n" -#printf "%s๐Ÿ” Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}" -#printf "%sโœ… Welcome back %s " "${CGRE}" "${CRES}" -#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}" -#printf "%s! Type%s " "${CGRE}" "${CRES}" -#printf "%s'celp'%s " "${CMAG}" "${CRES}" -#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}" -#printf "\n" -#printf "\n" +printf "%b" "${NL}" +printf "%b๐Ÿ” Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}" +printf "%bโœ… Welcome back %b " "${CGRE}" "${CRES}" +printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}" +printf "%b! Type%b" "${CGRE}" "${CRES}" +printf "%b 'celp'%b" "${CMAG}" "${CRES}" +printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}" +printf "%b" "${NL}" +printf "%b" "${NL}" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index 42c862c..44278b3 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md 
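Review bot: The welcome block now depends on CRED, CGRE, CMAG, CRES and NL, none of which is defined in this file as far as the hunks show, and because nounset is switched off a few lines earlier an undefined one expands to nothing and the message silently loses its colour or newlines. Name the provider next to the block, `### CRED/CGRE/CMAG/CRES/NL come from <sourced file — fill in>.`, or give them defaults before use so the fallback is visible. Using `%b` for the colour variables and `%s` for `${USER}` is the right split, since a user name must not be interpreted as escape sequences.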
@@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index afd4883..172105f 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index ab14352..bef165e 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index b2a1828..538cb3f 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 04dd600..b552b88 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 362c9c3..66d1328 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index eabbb13..c72f016 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,18 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Changelog +## V8.13.064.2025.10.07 +* **Added**: Verbose status information screen on successful completion. +* **Added**: Verbose status information in 'CISS.debian.live.iso.' +* **Updated**: [9000-cdi-starter](../scripts/9000-cdi-starter) +* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot) +* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter. +* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified Kernel bootparameter. + ## V8.13.048.2025.10.06 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64`` * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi`` diff --git a/docs/CNET.md b/docs/CNET.md index 0625883..214c3cc 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 971c588..8f61bf1 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index e0f0667..dbe4e8c 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 7368338..5c880dc 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index bd40ffe..4647516 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 9bed0ef..2b91b95 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,12 +8,12 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2.1. Usage ````text CISS.debian.live.builder -Master V8.13.048.2025.10.06 +Master V8.13.064.2025.10.07 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima # 2.2. Contact ````text CISS.debian.live.builder -Master V8.13.048.2025.10.06 +Master V8.13.064.2025.10.07 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 0a6b55a..d209111 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.048.2025.10.06
+**Build**: V8.13.064.2025.10.07
# 2. Resources diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh index ebf9fa7..47e0119 100644 --- a/lib/lib_arg_parser.sh +++ b/lib/lib_arg_parser.sh @@ -13,7 +13,7 @@ guard_sourcing ####################################### -# Argument Parser +# Argument Parser. # Globals: # ARY_HANDLER_JUMPHOST # ARY_HANDLER_NETCUP_IPV6 diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh index 8a88a3b..ceaea0b 100644 --- a/lib/lib_cdi.sh +++ b/lib/lib_cdi.sh 
@@ -44,7 +44,7 @@ cdi() { tmp_entry="$(mktemp)" cat << EOF >| "${tmp_entry}" menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i { - linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path} + linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path} initrd /live/initrd.img-${VAR_KERNEL} } EOF diff --git a/lib/lib_check_pkgs.sh b/lib/lib_check_pkgs.sh index 068026b..a340997 100644 
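Review bot: `mmio_stale_data=full,force` does not appear among the values the kernel documents for that parameter (off, full, full,nosmt, as far as I recall), and the parser compares the whole string, so the option is silently ignored and the mitigation falls back to the default rather than the explicit full setting the old `full,nosmt` requested; the same string is in the `--bootappend-live` line of lib_lb_config_write_trixie.sh in this patch. Changing `panic=-1` to `panic=0` turns every oops (given `oops=panic`) into an indefinite hang instead of an immediate reboot, which on a remotely hosted live system means a manual console reset; if that is intended, a comment above the heredoc saying so would stop the next reader from "fixing" it. cdi() begins outside this hunk.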
--- a/lib/lib_check_pkgs.sh +++ b/lib/lib_check_pkgs.sh @@ -72,6 +72,11 @@ check_pkgs() { fi + # shellcheck disable=SC2034,SC2155 + declare -gr VAR_LB_VER="$(lb -v)" + # shellcheck disable=SC2034,SC2155 + declare -gr VAR_DS_VER="$(debootstrap --version)" + return 0 } ### Prevents accidental 'unset -f'. diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh index 036b384..5b26144 100644 --- a/lib/lib_lb_config_write_trixie.sh +++ b/lib/lib_lb_config_write_trixie.sh @@ -22,7 +22,9 @@ guard_sourcing # VAR_VERSION # VAR_WORKDIR # Arguments: -# None +# None +# Returns: +# 0: on success ####################################### lb_config_write_trixie() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Writing new config ... \e[0m\n" 
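Review bot: `declare -gr VAR_LB_VER="$(lb -v)"` reports declare's status, not the command's, so a missing or failing `lb` (likewise `debootstrap --version`) is not caught even when errexit is active, and the readonly variable is then frozen with an empty or error string that later ends up in the ISO's cdlb.txt. Split the assignment so the failure is visible: `declare -g VAR_LB_VER` then `VAR_LB_VER="$(lb -v)"` then `readonly VAR_LB_VER`, and the same for VAR_DS_VER; that also removes the need for the SC2155 suppression. check_pkgs begins outside this hunk.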
@@ -39,7 +41,7 @@ lb_config_write_trixie() { --binary-filesystem fat32 \ --binary-image iso-hybrid \ --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ - --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \ + --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence 
ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \ --bootloaders grub-efi \ --cache true \ --checksums sha512 sha256 md5 \ @@ -111,5 +113,10 @@ lb_config_write_trixie() { chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Writing new config done.\e[0m\n" + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f lb_config_write_trixie # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_note_target.sh b/lib/lib_note_target.sh new file mode 100644 index 0000000..a4228d1 --- /dev/null +++ b/lib/lib_note_target.sh 
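Review bot: The `--bootappend-live` string is updated (iommu.strict=1, nosmt=force, slab_nomerge, panic=0, no mce=0/tsx=off/efi_no_storage_paranoia) but the `--bootappend-install` string immediately above it still carries the previous set, including `panic=-1`, `mce=0`, `tsx=off` and `efi_no_storage_paranoia`, so the installed system and the live session now boot with different hardening, although the changelog entry for this file says "Unified Kernel bootparameter". Either bring the install line to the same set or add a comment above the two options stating why they intentionally differ. lb_config_write_trixie() begins and ends outside this hunk.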
@@ -0,0 +1,61 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-07; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Version file generator for '/root/cdlb.txt' of Live ISO. +# Globals: +# VAR_VERSION +# Arguments: +# None +# Returns: +# 0: on success +####################################### +note_target() { + + cat << EOF >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/cdlb.txt" +################################################################################ + This CISS.debian.live ISO was built by: + + CISS.debian.live.builder from https://git.coresecret.dev/msw + A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. + + Version : ${VAR_VERSION} + Git : ${VAR_GIT_REL} + Date : ${VAR_DATE_INFO} + Host : ${VAR_HOST} + Bash : ${VAR_BASH_VER} + Debootstrap : ${VAR_DS_VER} + Live-Build : ${VAR_LB_VER} + + This program is free software. Distribution and modification under + EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! 
+ + Please file bugs @ + https://git.coresecret.dev/msw/CISS.debian.live.builder/issues + + Contact + https://coresecret.eu/ + security@coresecret.eu + PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD + https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD + + Please consider donating to my work at: + https://coresecret.eu/spenden/ +################################################################################ +EOF + + return 0 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f note_target +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_run_analysis.sh b/lib/lib_run_analysis.sh index a9959d6..d286a0b 100644 --- a/lib/lib_run_analysis.sh +++ b/lib/lib_run_analysis.sh @@ -15,15 +15,18 @@ guard_sourcing ####################################### # Wrapper for statistic functions of the final build. # Globals: -# ERR_UNCRITICAL # VAR_BUILD_LOG # VAR_CHROOT_DIR # VAR_HANDLER_BUILD_DIR # VAR_PACKAGES_FILE # Arguments: -# None +# None +# Returns: +# 0: on success +# ERR_UNCRITICAL: on failure ####################################### run_analysis() { + clear # shellcheck disable=SC2164 cd "${VAR_HANDLER_BUILD_DIR}" # shellcheck disable=SC2155 @@ -51,12 +54,14 @@ run_analysis() { declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")" if [[ -f "${VAR_BUILD_LOG}" ]]; then + # shellcheck disable=SC2155 declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true) # shellcheck disable=SC2155 declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true) if [[ -n "${start_line}" && -n "${end_line}" ]]; then + # shellcheck disable=SC2155 declare start_epoch=$(echo "${start_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s) # shellcheck disable=SC2155 
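Review bot: The header lists only `VAR_VERSION` under Globals, but the heredoc also expands `VAR_HANDLER_BUILD_DIR`, `VAR_GIT_REL`, `VAR_DATE_INFO`, `VAR_HOST`, `VAR_BASH_VER`, `VAR_DS_VER` and `VAR_LB_VER`; the other library headers in this commit enumerate every global read, so this one should too. `Host : ${VAR_HOST}` additionally writes the build machine's hostname (`uname -n` per var/global.var.sh in this commit) into a file shipped on the ISO, which for a public image publishes build-infrastructure naming; either drop that line or state the disclosure in the header, e.g. `# NOTE: VAR_HOST (builder hostname) is embedded in the shipped ISO.` It is not visible here whether `config/includes.chroot/root/` is guaranteed to exist before the redirect, and `cat >|` will fail if it does not.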
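Review bot: The new `clear` at the top of run_analysis runs unconditionally, whereas trap_on_err in this same commit guards its screen reset with `if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi`; with no terminal attached (the autobuild path, or a run whose output is redirected into a log) `clear` either fails or dumps escape sequences into the log. Apply the same guard here, `if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi`. The header now promises `ERR_UNCRITICAL: on failure`, but `ERR_UNCRITICAL` was just removed from Globals and the function's tail in the `@@ -94,5 +105,10 @@` hunk ends in an unconditional `return 0`; either a failure path returning it exists beyond the visible lines or the Returns entry is stale. run_analysis continues outside this hunk.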
@@ -69,15 +74,21 @@ run_analysis() { declare duration_rest=$((duration_sec % 60)) # shellcheck disable=SC2155 declare build_duration=$(printf "%02dm:%02ds" "${duration_min}" "${duration_rest}") + else + declare build_duration="(Timestamp not found)" + fi + else + declare build_duration="(No log file found)" + fi # shellcheck disable=SC2155 - declare sha_sum=$(sha256sum "$iso_file" | tee "$iso_file.sha256" | awk '{print $1}') + declare sha_sum=$(sha256sum "${iso_file}" | tee "${iso_file}.sha256" | awk '{print $1}') # shellcheck disable=SC2155 declare time=$(date '+%Y-%m-%d %H:%M:%S') @@ -94,5 +105,10 @@ run_analysis() { printf "\e[92m----------------------------------------------------------------------------------------\e[0m\n" printf "\e[97m๐Ÿ“… Analysis Time : %s \e[0m\n" "${time}" printf "\e[92mโœ… Analysis completed.\e[0m\n" + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f run_analysis # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_trap_on_err.sh b/lib/lib_trap_on_err.sh index 5f94ad2..b5343e0 100644 --- a/lib/lib_trap_on_err.sh +++ b/lib/lib_trap_on_err.sh @@ -15,23 +15,27 @@ guard_sourcing ####################################### # Print Error Message for Trap on 'ERR' in ${ERROR_LOG} # Globals: -# VAR_PARAM_COUNT -# VAR_PARAM_STRNG -# VAR_ARG_SANITIZED -# LOG_DEBUG # ERRCMMD # ERRCODE # ERRFUNC # ERRLINE # ERRSCRT +# LOG_DEBUG # LOG_ERROR # LOG_VAR # SECONDS +# VAR_ARG_SANITIZED +# VAR_BASH_VER +# VAR_DS_VER # VAR_EARLY_DEBUG +# VAR_GIT_REL +# VAR_LB_VER +# VAR_PARAM_COUNT +# VAR_PARAM_STRNG # VAR_SYSTEM # VAR_VERSION # Arguments: -# None +# None ####################################### print_file_err() { { 
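Review bot: `sha256sum "${iso_file}" | tee "${iso_file}.sha256" | awk '{print $1}'` takes its exit status from `awk`, so unless `pipefail` is set elsewhere a missing ISO still yields an empty `.sha256` file and an empty `sha_sum`, and the run goes on to print `Analysis completed`; that checksum file is what downstream consumers verify against, so it must not be produced from a failed hash. Check the artifact before hashing, `[[ -f "${iso_file}" ]] || return "${ERR_UNCRITICAL}"`, which also gives the `ERR_UNCRITICAL: on failure` entry in the header a real path, assuming the caller handles that return as the header implies. The function's start and end lie outside this hunk.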
@@ -39,6 +43,9 @@ print_file_err() { printf "โŒ Git Commit : %s \n" "${VAR_GIT_REL}" printf "โŒ Version : %s \n" "${VAR_VERSION}" printf "โŒ Hostsystem : %s \n" "${VAR_SYSTEM}" + printf "โŒ Bash : %s \n" "${VAR_BASH_VER}" + printf "โŒ Live-Build : %s \n" "${VAR_LB_VER}" + printf "โŒ Debootstrap : %s \n" "${VAR_DS_VER}" printf "โŒ Error : %s \n" "${ERRCODE}" printf "โŒ Line : %s \n" "${ERRLINE}" printf "โŒ Script : %s \n" "${ERRSCRT}" 
@@ -48,41 +55,55 @@ print_file_err() { printf "โŒ Arguments Counter : %s \n" "${VAR_PARAM_COUNT}" printf "โŒ Arguments Original : %s \n" "${VAR_PARAM_STRNG}" printf "โŒ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}" + if "${VAR_EARLY_DEBUG}"; then + printf "โŒ Vars Dump saved at : %s \n" "${LOG_VAR}" printf "โŒ Debug Log saved at : %s \n" "${LOG_DEBUG}" printf "โŒ batcat --pager='less -r' %s \n" "${LOG_DEBUG}" + fi + printf "\n" } >> "${LOG_ERROR}" } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f print_file_err ####################################### # Print Error Message for Trap on 'ERR' on Terminal # Globals: -# VAR_PARAM_COUNT -# VAR_PARAM_STRNG -# VAR_ARG_SANITIZED -# LOG_DEBUG # ERRCMMD # ERRCODE # ERRFUNC # ERRLINE # ERRSCRT +# LOG_DEBUG # LOG_ERROR # LOG_VAR # SECONDS +# VAR_ARG_SANITIZED +# VAR_BASH_VER +# VAR_DS_VER # VAR_EARLY_DEBUG +# VAR_GIT_REL +# VAR_LB_VER +# VAR_PARAM_COUNT +# VAR_PARAM_STRNG # VAR_SYSTEM # VAR_VERSION # Arguments: -# None +# None ####################################### print_scr_err() { printf "\e[91mโŒ CISS.debian.live.builder Script failed. \e[0m\n" >&2 printf "\e[91mโŒ Git Commit : %s \e[0m\n" "${VAR_GIT_REL}" >&2 printf "\e[91mโŒ Version : %s \e[0m\n" "${VAR_VERSION}" >&2 printf "\e[91mโŒ Hostsystem : %s \e[0m\n" "${VAR_SYSTEM}" >&2 + printf "\e[91mโŒ Bash : %s \e[0m\n" "${VAR_BASH_VER}" >&2 + printf "\e[91mโŒ Live-Build : %s \e[0m\n" "${VAR_LB_VER}" >&2 + printf "\e[91mโŒ Debootstrap : %s \e[0m\n" "${VAR_DS_VER}" >&2 printf "\e[91mโŒ Error : %s \e[0m\n" "${ERRCODE}" >&2 printf "\e[91mโŒ Line : %s \e[0m\n" "${ERRLINE}" >&2 printf "\e[91mโŒ Script : %s \e[0m\n" "${ERRSCRT}" >&2 
@@ -94,13 +115,20 @@ print_scr_err() { printf "\e[91mโŒ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2 printf "\e[91mโŒ Error Log saved at : %s \e[0m\n" "${LOG_ERROR}" >&2 printf "\e[91mโŒ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2 + if "${VAR_EARLY_DEBUG}"; then + printf "\e[91mโŒ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}" >&2 printf "\e[91mโŒ Debug Log saved at : %s \e[0m\n" "${LOG_DEBUG}" >&2 printf "\e[91mโŒ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}" >&2 + fi + printf "\n" } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f print_scr_err ####################################### # Trap function to be called on 'ERR'. @@ -112,14 +140,15 @@ print_scr_err() { # ERRSCRT # VAR_EARLY_DEBUG # Arguments: -# $1: $? -# $2: ${BASH_SOURCE[0]} -# $3: ${LINENO} -# $4: ${FUNCNAME[0]:-main} -# $5: ${BASH_COMMAND} +# 1: $? +# 2: ${BASH_SOURCE[0]} +# 3: ${LINENO} +# 4: ${FUNCNAME[0]:-main} +# 5: ${BASH_COMMAND} ####################################### trap_on_err() { trap - DEBUG ERR INT TERM + declare -g ERRCODE="$1" declare -g ERRSCRT="$2" declare -g ERRLINE="$3" @@ -129,11 +158,18 @@ trap_on_err() { declare -g ERRTRAP="true" if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi + clean_up "${ERRCODE}" + if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi + print_file_err + print_scr_err } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f trap_on_err ####################################### # Gather all user-defined variables (name and value) @@ -142,7 +178,7 @@ trap_on_err() { # VAR_DUMP_VARS_INITIAL # VAR_VERSION # Arguments: -# None +# None ####################################### dump_user_vars() { ### Capture the final snapshot of all variables (excluding '^(BASH|_).*') 
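Review bot: `if "${VAR_EARLY_DEBUG}"; then` executes the flag's value as a command name, so an empty or mistyped value aborts the error handler with a command-not-found at a point where the ERR trap has already been removed; print_scr_exit in lib_trap_on_exit.sh tests the same flag with `[[ "${VAR_EARLY_DEBUG}" == "true" ]]`, and that form should be used here as well. The same construct appears in the print_scr_err hunk below, in the `@@ -17,20 +17,32 @@` trap_on_exit hunk (`if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi`), and in trap_on_err's new `if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi`. `VAR_EARLY_DEBUG` is declared `-gx` but not `-r` in var/early.var.sh, so its value can change after initialisation. print_file_err starts in the preceding hunk.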
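Review bot: In trap_on_err the new `clean_up "${ERRCODE}"` runs before `print_file_err` writes the report to `${LOG_ERROR}`; if clean_up fails while errexit is active (the ERR trap was dropped at the top of the function, so nothing else catches it), or if it removes the error log or the variables dump, the failure is recorded nowhere. Write the file report first and make cleanup non-fatal: `print_file_err` moved above `clean_up`, and `clean_up "${ERRCODE}" || true`. What clean_up does is not visible in this diff, so the second concern is an assumption to confirm. The function's declarations continue in the preceding hunk.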
@@ -175,4 +211,7 @@ dump_user_vars() { comm -13 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true rm "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f dump_user_vars # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_trap_on_exit.sh b/lib/lib_trap_on_exit.sh index 21dcec6..be7a367 100644 --- a/lib/lib_trap_on_exit.sh +++ b/lib/lib_trap_on_exit.sh @@ -17,20 +17,32 @@ guard_sourcing # Globals: # VAR_EARLY_DEBUG # Arguments: -# $1: $? +# 1: $? ####################################### trap_on_exit() { trap - DEBUG ERR EXIT INT TERM + declare -r var_trap_on_exit_code="$1" + if (( var_trap_on_exit_code == 0 )); then + if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi + clean_up "${var_trap_on_exit_code}" + print_scr_exit "${var_trap_on_exit_code}" + exit "${var_trap_on_exit_code}" + else + exit "${var_trap_on_exit_code}" + fi } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f trap_on_exit ####################################### # Print Success Message for Trap on 'EXIT' on 'stdout'. 
@@ -38,32 +50,56 @@ trap_on_exit() { # LOG_DEBUG # LOG_VAR # SECONDS +# VAR_BASH_VER +# VAR_DS_VER # VAR_EARLY_DEBUG +# VAR_GIT_REL # VAR_HANDLER_BUILD_DIR +# VAR_LB_VER # VAR_SCRIPT_SUCCESS +# VAR_SYSTEM +# VAR_VERSION # Arguments: -# $1: ${var_trap_on_exit_code} of trap_on_exit() +# 1: ${var_trap_on_exit_code} of trap_on_exit() ####################################### print_scr_exit() { declare -r var_print_scr_exit_code="$1" + if (( var_print_scr_exit_code == 0 )); then + if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then + printf "\n" - printf "\e[92mโœ… CISS.debian.live.builder Script successful. \e[0m\n" + printf "\e[92mโœ… CISS.debian.live.builder Script successfully completed. \e[0m\n" + printf "\e[92mโœ… Git Commit : %s \e[0m\n" "${VAR_GIT_REL}" + printf "\e[92mโœ… Version : %s \e[0m\n" "${VAR_VERSION}" + printf "\e[92mโœ… Hostsystem : %s \e[0m\n" "${VAR_SYSTEM}" + printf "\e[92mโœ… Bash : %s \e[0m\n" "${VAR_BASH_VER}" + printf "\e[92mโœ… Live-Build : %s \e[0m\n" "${VAR_LB_VER}" + printf "\e[92mโœ… Debootstrap : %s \e[0m\n" "${VAR_DS_VER}" printf "\e[92mโœ… Aide Initial DB at : %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/" printf "\e[92mโœ… Exited with Status : %s \e[0m\n" "${var_print_scr_exit_code}" printf "\n" + if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then + printf "\e[92mโœ… Script Runtime : %s \e[0m\n" "${SECONDS}" printf "\e[92mโœ… Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}" printf "\e[92mโœ… Debug Log saved at : %s \e[0m\n" "${LOG_DEBUG}" printf "\e[92mโœ… batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}" printf "\n" + fi + printf "\e[95m๐Ÿ’ท Please consider donating to my work at: \e[0m\n" printf "\e[95m๐Ÿ”— https://coresecret.eu/spenden/ \e[0m\n" printf "\n" + fi + fi } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f print_scr_exit # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index dbf2e02..27b3548 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh 
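Review bot: The non-zero branch of trap_on_exit only re-issues `exit`, so any failure that does not pass through trap_on_err — an explicit `exit 1`, or an error after `trap - ... ERR` has run — skips `clean_up` and leaves the `mktemp` files from var/global.var.sh and `/tmp/ciss_live_builder_$$_error.log` behind. Unless clean_up is unsafe to call on that path, the else branch should run `clean_up "${var_trap_on_exit_code}" || true` before its `exit`, or the header should state that non-zero exits rely on trap_on_err having already cleaned up. The `(( var_trap_on_exit_code == 0 ))` test is safe here only because `$1` is `$?`; the header's `1: $?` line is the sole record of that contract.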
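Review bot: In print_scr_exit an exit status of 0 with `VAR_SCRIPT_SUCCESS` not equal to `true` now prints nothing at all, so a zero exit that never reached the success flag looks identical to a completed build on the operator's terminal. A one-line `else` on the inner `if`, e.g. `printf "\e[93m⚠ Script exited 0 without completing the build. \e[0m\n"`, keeps the two cases distinguishable. The outer `(( var_print_scr_exit_code == 0 ))` duplicates the check trap_on_exit already made before calling this function; harmless, but worth a comment saying it is defensive.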
@@ -13,7 +13,7 @@ ####################################### # Usage Wrapper CISS.debian.live.builder # Arguments: -# $0: Script name +# 0: Script name ####################################### usage() { # shellcheck disable=SC2155 @@ -22,8 +22,8 @@ usage() { ####################################### # Header, Footer wrapper for dynamical output. # Arguments: - # $1: Text. - # $2: Width of Terminal. + # 1: Text. + # 2: Width of Terminal. ####################################### center() { declare var_text="$1" @@ -35,13 +35,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V8.13.048.2025.10.06 2025-08-11 CLB(1)" "${var_cols}") + declare var_footer=$(center "V8.13.064.2025.10.07 2025-10-07 CLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V8.13.048.2025.10.06\e[0m" + echo -e "\e[92mMaster V8.13.064.2025.10.07\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter index 2480c9f..2b76b99 100644 --- a/scripts/9000-cdi-starter +++ b/scripts/9000-cdi-starter 
@@ -39,13 +39,13 @@ main() { declare -r repo_url="https://git.coresecret.dev/msw/CISS.debian.installer.git" declare -r repo_dir="/root/git/CISS.debian.installer" - install -d -m 0700 /root/.cdi/log + install -d -m 0700 /root/.ciss/cdi/log # shellcheck disable=SC2155 - declare -r log="/root/.cdi/log/9000-cdi-starter_$(date +'%F_%H-%M-%S').log" + declare -r log="/root/.ciss/cdi/log/9000-cdi-starter_$(date +'%F_%H-%M-%S').log" # shellcheck disable=SC2312 exec > >(tee -a "${log}") 2>&1 - printf "CISS.debian.installer Master V8.13.048.2025.10.06 is up! \n" >| /root/.cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log + printf "CISS.debian.installer Master V8.13.064.2025.10.07 is up! \n" >| /root/.cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log net_wait @@ -66,7 +66,7 @@ main() { # --reionice-priority 1 0 \ # --renice-priority "-19" - printf "CISS.debian.installer Master V8.13.048.2025.10.06 successfully executed! \n" >| /root/.cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log + printf "CISS.debian.installer Master V8.13.064.2025.10.07 successfully executed! \n" >| /root/.cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log exit 0 } diff --git a/var/early.var.sh b/var/early.var.sh index 15d4b82..717214c 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -14,7 +14,7 @@ # shellcheck disable=SC2155 declare -grx VAR_CONTACT="security@coresecret.eu" -declare -grx VAR_VERSION="Master V8.13.048.2025.10.06" +declare -grx VAR_VERSION="Master V8.13.064.2025.10.07" declare -grx VAR_SYSTEM="$(uname -a)" declare -gx VAR_EARLY_DEBUG="false" declare -gx VAR_HANDLER_AUTOBUILD="false" diff --git a/var/global.var.sh b/var/global.var.sh index 9f6c133..fa71a81 100644 --- a/var/global.var.sh +++ b/var/global.var.sh 
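Review bot: `install -d` and `log` were moved to `/root/.ciss/cdi/log`, but the `auto_start_begin_` redirect on the last changed line still targets `/root/.cdi/log/`, which this script no longer creates; on a fresh system that `>|` fails with a missing-directory error before `net_wait` runs. The `auto_start_finished_` line in the `@@ -66,7 +66,7 @@` hunk has the same stale path. Point both at the new directory, e.g. `>| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log`, or derive it from `${log%/*}` so the three paths cannot drift apart again. main continues outside both hunks.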
@@ -9,19 +9,19 @@ # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu +# shellcheck disable=SC2155,SC2034 guard_sourcing ### Definition of MUST set global variables. -# shellcheck disable=SC2155 -declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)" -# shellcheck disable=SC2155 +declare -gr VAR_BASH_VER="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')" +declare -gr VAR_HOST="$(uname -n)" +declare -gr VAR_DATE_EPOCH="$(date -u +%s)" +declare -gr VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" +declare -gr VAR_DATE_INFO="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%S %z')" declare -gr VAR_KERNEL_INF="$(mktemp)" -# shellcheck disable=SC2155 declare -gr VAR_KERNEL_TMP="$(mktemp)" -# shellcheck disable=SC2155 declare -gr VAR_KERNEL_SRT="$(mktemp)" -# shellcheck disable=SC2155 declare -gr VAR_NOTES="$(mktemp)" declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log" @@ -79,4 +79,5 @@ declare -g ERRSCRT="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT declare -g ERRLINE="" # = ${LINENO} = $3 = ERRLINE declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC declare -g ERRCMMD="" # = ${$BASH_COMMAND} = $5 = ERRCMMD + # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
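Review bot: `VAR_BASH_VER` is obtained by spawning whichever `bash` is first on `PATH` and slicing its banner with `awk '{print $4" "$5" "$6}'`, which can report a different binary than the interpreter actually running the build and, on the standard `GNU bash, version X (triplet)` banner, leaves `$6` empty; the running shell's own `${BASH_VERSION}` is authoritative and needs no subprocess, e.g. `declare -gr VAR_BASH_VER="${BASH_VERSION} (${MACHTYPE})"`. The new `# shellcheck disable=SC2155,SC2034` is file-wide only if `guard_sourcing` is the file's first command, which the hunk suggests but does not show. While this file now creates its scratch files with `mktemp`, the context line `LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"` still uses a predictable name in a shared directory that the error handler later appends to as root; placing it under a `mktemp -d` directory or another private `0700` directory closes the pre-creation window.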