V8.03.768.2025.06.09

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-09 22:38:15 +02:00
parent 64689d00b2
commit 68eb879c8a
40 changed files with 159 additions and 47 deletions
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.644.2025.06.07"
+      placeholder: "e.g., Master V8.03.768.2025.06.09"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 name: 🔐 Generating a Private Live ISO FLV 0.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.512.2025.06.06
+### Version Master V8.03.768.2025.06.09

 name: 🔐 Generating a Private Live ISO FLV 1.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.644.2025.06.07"
+properties_version="V8.03.768.2025.06.09"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.644.2025.06.07
+PackageVersion: Master V8.03.768.2025.06.09
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.644.2025.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.09-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -40,7 +40,7 @@

 declare -g VAR_HANDLER_AUTOBUILD="false"
 declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.644.2025.06.07"
+declare -gr VAR_VERSION="Master V8.03.768.2025.06.09"

 ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.09

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.03.644.2025.06.07"
+declare -gr VERSION="Master V8.03.768.2025.06.09"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.644.2025.06.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.768.2025.06.09 at: 10:18:37.9542
@@ -33,6 +33,7 @@

 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
 source /root/.ciss/alias
+source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap

@@ -158,14 +158,22 @@ genpasswdhash() {
 # shellcheck disable=SC2317
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
    return 1
  fi
-
-  if ! curl --proto '=https' --tlsv1.3 -sSf -o "${2}" "${1}"; then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  declare url="$1"
+  declare output_path="$2"
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
+            --doh-cert-status \
+            --tlsv1.3 \
+            -sSf \
+            -o "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
    return 2
  fi
+  return 0
 }

 ###########################################################################################
@@ -177,14 +185,23 @@ scurl() {
 # shellcheck disable=SC2317
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
    return 1
  fi
-
-  if ! wget --no-clobber --https-only --secure-protocol=TLSv1_3 -qO "${2}" "${1}"; then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  declare url="$1"
+  declare output_path="$2"
+  mkdir -p "$(dirname "${output_path}")"
+  if ! wget --show-progress \
+            --no-clobber \
+            --https-only \
+            --secure-protocol=TLSv1_3 \
+            -qO "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
    return 2
  fi
+  return 0
 }

 ###########################################################################################
@@ -0,0 +1,87 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Wrapper for fail2ban filter checks against logs.
+# Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
+#               --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
+#               --log=/var/log/ufw.log \
+#               --output=/tmp/f2bchk.log
+# Globals:
+#   DEFAULT_FILTER
+#   DEFAULT_LOG
+#   DEFAULT_MODE
+# Arguments:
+#  None
+# Returns:
+#   1 In case of any errors
+#######################################
+f2bchk(){
+  # Declare default values (readonly)
+  declare -r DEFAULT_MODE="matched"
+  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
+  declare -r DEFAULT_LOG="/var/log/ufw.log"
+
+  declare mode="${DEFAULT_MODE}"
+  declare filter="${DEFAULT_FILTER}"
+  declare log="${DEFAULT_LOG}"
+  declare output=""
+  declare arg=""
+
+  for arg in "$@"; do
+    case "${arg}" in
+      --mode=*)   mode="${arg#--mode=}";;
+      --filter=*) filter="${arg#--filter=}";;
+      --log=*)    log="${arg#--log=}";;
+      --output=*) output="${arg#--output=}";;
+      *)
+        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        return 1
+        ;;
+    esac
+  done
+
+  declare flag suffix
+  case "${mode}" in
+    ignored) flag="--print-all-ignored"; suffix="all.ignored";;
+    matched) flag="--print-all-matched"; suffix="all.matched";;
+    missed)  flag="--print-all-missed";  suffix="all.missed";;
+    *)
+      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      return 1
+      ;;
+  esac
+
+  if [[ -z "${output}" ]]; then
+    declare filter_name="${filter##*/}"
+    filter_name="${filter_name%.conf}"
+    output="/tmp/${filter_name}.${suffix}.log"
+  fi
+  if [[ ! -r "${log}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
+    return 1
+  fi
+  if [[ ! -r "${filter}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
+    return 1
+  fi
+
+  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
+  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
+    printf "You can view it with: cat %s\n" "$output"
+  else
+    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
+    return 1
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. DNSSEC Status

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Lynis Audit:

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. SSH Audit by ssh-audit.com

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. TLS Audit:

@@ -8,10 +8,17 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Changelog

+## V8.03.768.2025.06.09
+
+* Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+  * ``scurl()``
+  * ``swget()``
+
 ## V8.03.644.2025.06.07

 * Updated workflows ISO Generators Runners. 
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Coding Style

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Contributing / participating

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Credits

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.644.2025.06.07
+Master V8.03.768.2025.06.09

 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.09<br>

 # 2. Resources

@@ -18,7 +18,7 @@
 check_provider() {
  clear
  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.03.644.2025.06.07
+Build: Master V8.03.768.2025.06.09

 Press 'EXIT' to continue with CISS.debian.live.builder.

@@ -22,7 +22,7 @@ usage() {
  cat << EOF

 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.644.2025.06.07\e[0m")
+$(echo -e "\e[92mMaster V8.03.768.2025.06.09\e[0m")

 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1

 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.644.2025.06.07 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.768.2025.06.09 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log

 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh