diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh index c6536b6..8558fdf 100644 --- a/.archive/.0000_lib_usage.sh +++ b/.archive/.0000_lib_usage.sh @@ -1,6 +1,6 @@ #!/bin/bash # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; @@ -21,7 +21,7 @@ usage() { clear cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m") +$(echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") @@ -46,7 +46,7 @@ $(echo -e "\e[97m --build-directory \e[0m") MUST be provided. $(echo -e "\e[97m --change-splash one of \e[0m") - A string reflecting the GRub Boot Screen Splash you want to use. + A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to "./.archive/background/club.png". $(echo -e "\e[97m --cdi (Experimental Feature)\e[0m") diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index 49cf2f6..ffa428d 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index e3a0059..95ee696 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index 4df6943..185d24c 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 390b7b5..e95d016 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.400.2025.11.08" + placeholder: "e.g., Master V8.13.404.2025.11.10" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index ed6a09f..d353f04 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 022bc1a..0a238e0 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ” Render README.md to README.html. 
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index 3c06eac..41179f0 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.400.2025.11.08 + version: V8.13.404.2025.11.10 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index 7862535..f95f772 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. @@ -106,10 +106,18 @@ jobs: ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev + BatchMode yes + ConnectTimeout 5 + ControlMaster auto + ControlPath ~/.ssh/cm-%r@%h:%p + ControlPersist 5m HostName git.coresecret.dev - Port 42842 IdentityFile ~/.ssh/id_ed25519 + Port 42842 + ServerAliveCountMax 3 + ServerAliveInterval 10 StrictHostKeyChecking yes + User git UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 0600 ~/.ssh/config diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 41d2a9b..171e648 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. 
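Review bot: `ControlPersist 5m` keeps an authenticated multiplexing master to git.coresecret.dev alive behind `~/.ssh/cm-git@git.coresecret.dev:42842` after the step that opened it has returned, so on a runner that is not torn down per job any later process running as the same user can reuse that session without ever touching `id_ed25519`. If multiplexing is only meant to speed up the several git calls inside one job, drop `ControlPersist` (the master then ends with the first session) or close it explicitly at the end of the job with `ssh -O exit git.coresecret.dev`. `StrictHostKeyChecking yes` is only as strong as the `known_hosts` entry written before this block, which lies outside the hunk; a one-line comment naming where that entry comes from (pinned in the repo, or fetched with `ssh-keyscan`, which would defeat the setting) would help a reader judge it. The same block is added verbatim to the other four workflow files in this commit.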
@@ -106,10 +106,18 @@ jobs: ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev + BatchMode yes + ConnectTimeout 5 + ControlMaster auto + ControlPath ~/.ssh/cm-%r@%h:%p + ControlPersist 5m HostName git.coresecret.dev - Port 42842 IdentityFile ~/.ssh/id_ed25519 + Port 42842 + ServerAliveCountMax 3 + ServerAliveInterval 10 StrictHostKeyChecking yes + User git UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 0600 ~/.ssh/config diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index ee8a9bb..c11624a 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. @@ -106,10 +106,18 @@ jobs: ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev + BatchMode yes + ConnectTimeout 5 + ControlMaster auto + ControlPath ~/.ssh/cm-%r@%h:%p + ControlPersist 5m HostName git.coresecret.dev - Port 42842 IdentityFile ~/.ssh/id_ed25519 + Port 42842 + ServerAliveCountMax 3 + ServerAliveInterval 10 StrictHostKeyChecking yes + User git UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 0600 ~/.ssh/config diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index 14b5460..eea5073 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index a8e5cc0..266fc13 100644 
--- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ›ก๏ธ Retrieve DNSSEC status of coresecret.dev. @@ -58,10 +58,18 @@ jobs: ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev + BatchMode yes + ConnectTimeout 5 + ControlMaster auto + ControlPath ~/.ssh/cm-%r@%h:%p + ControlPersist 5m HostName git.coresecret.dev - Port 42842 IdentityFile ~/.ssh/id_ed25519 + Port 42842 + ServerAliveCountMax 3 + ServerAliveInterval 10 StrictHostKeyChecking yes + User git UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 0600 ~/.ssh/config diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index ddebc29..90840c0 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 name: ๐Ÿ” Render Graphviz Diagrams. @@ -59,10 +59,18 @@ jobs: ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config Host git.coresecret.dev + BatchMode yes + ConnectTimeout 5 + ControlMaster auto + ControlPath ~/.ssh/cm-%r@%h:%p + ControlPersist 5m HostName git.coresecret.dev - Port 42842 IdentityFile ~/.ssh/id_ed25519 + Port 42842 + ServerAliveCountMax 3 + ServerAliveInterval 10 StrictHostKeyChecking yes + User git UserKnownHostsFile ~/.ssh/known_hosts EOF chmod 0600 ~/.ssh/config diff --git a/.shellcheckrc b/.shellcheckrc index 4a170c0..c4fdfc9 100644 --- a/.shellcheckrc +++ b/.shellcheckrc 
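Review bot: The identical hardened SSH client block is now maintained by hand in five workflow files, which is how `StrictHostKeyChecking`, `BatchMode` or `ControlPersist` drift apart the next time one of them is edited; a single checked-in file (for example `.gitea/ssh_config`) that each job installs with `install -m 0600 .gitea/ssh_config ~/.ssh/config` keeps one source of truth. `ControlPath` places the mux socket under `~/.ssh`, so the directory must already be `0700` for the socket to be private; the `mkdir`/`chmod` that should guarantee this is outside the hunk and worth a comment here. The step that contains this block starts before the hunk.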
@@ -1,14 +1,17 @@ # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.installer +# SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu +# https://github.com/koalaman/shellcheck/wiki/directive +# https://github.com/koalaman/shellcheck/wiki/Optional + encoding=utf-8 external-sources=true shell=bash @@ -16,6 +19,8 @@ source-path=~/lib source-path=~/scripts source-path=~/var +enable=add-default-case +enable=avoid-negated-conditions enable=avoid-nullary-conditions enable=check-extra-masked-returns enable=check-set-e-suppressed @@ -24,5 +29,6 @@ enable=deprecate-which enable=quote-safe-variables enable=require-double-brackets enable=require-variable-braces +enable=useless-use-of-cat # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/.version.properties b/.version.properties index b2aa29f..9aa19db 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.400.2025.11.08" +properties_version="V8.13.404.2025.11.10" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf 
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index f5b1d77..0c076f5 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.400.2025.11.08 +PackageVersion: Master V8.13.404.2025.11.10 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 4165503..67c42d1 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.400.2025.11.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.404.2025.11.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.400.2025.11.08` +Example: `V8.13.404.2025.11.10` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/REPOSITORY.md b/REPOSITORY.md index bb21733..4f6afab 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2.1. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) โ€” Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **8.13**, Build **V8.13.400.2025.11.08** (as of 2025-10-11) +**Repository State:** Master Version **8.13**, Build **V8.13.404.2025.11.10** (as of 2025-10-11) ## 2.2. Top-Level Layout diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot index 98e57df..165739f 100644 --- a/config/hooks/live/0001_initramfs_modules.chroot +++ b/config/hooks/live/0001_initramfs_modules.chroot @@ -1,6 +1,6 @@ #!/bin/bash # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; 
@@ -339,138 +339,10 @@ FSTYPE=auto EOF -cat << EOF >| /etc/initramfs-tools/hooks/ciss_debian_live_builder -#!/bin/sh -# SPDX-Version: 3.0 -# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -EOF - -cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder -set -e - -printf "\e[95mStarting: [ciss_debian_live_builder] \n\e[0m" - -PREREQ="" -prereqs() { echo "${PREREQ}"; } -# shellcheck disable=SC2249 -case "${1}" in - prereqs) prereqs; exit 0 ;; -esac - -. /usr/share/initramfs-tools/hook-functions - - -### Ensure directory structure in initramfs ------------------------------------------------------------------------------------ -install -d -m 0755 "${DESTDIR}/etc/ciss/keys" -install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d" -install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount" -install -d -m 0755 "${DESTDIR}/usr/bin" -install -d -m 0755 "${DESTDIR}/usr/local/bin" -install -d -m 0755 "${DESTDIR}/usr/sbin" - - -### Include 'bash' ------------------------------------------------------------------------------------------------------------- -copy_exec /usr/bin/bash /usr/bin/bash -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m" - - -### Include 'blkid' ------------------------------------------------------------------------------------------------------------ -copy_exec /usr/sbin/blkid /usr/sbin/blkid -printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m" - - -### Include 
'busybox' ---------------------------------------------------------------------------------------------------------- -copy_exec /usr/bin/busybox /usr/busybox -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m" - - -### Include GNU coreutils 'sort' (has -V) -------------------------------------------------------------------------------------- -copy_exec /usr/bin/sort /usr/bin/sort -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m" - - -### Include 'gpgv' ------------------------------------------------------------------------------------------------------------- -copy_exec /usr/bin/gpgv /usr/bin/gpgv -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m" - - -### Include 'lsblk' ------------------------------------------------------------------------------------------------------------ -copy_exec /usr/bin/lsblk /usr/bin/lsblk -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m" - - -### Include 'mkpasswd' --------------------------------------------------------------------------------------------------------- -copy_exec /usr/bin/mkpasswd /usr/mkpasswd -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m" -copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m" - - -### Include 'udevadm' (udev management tool) ----------------------------------------------------------------------------------- -copy_exec /usr/bin/udevadm /usr/bin/udevadm -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m" - - -### Include 'sha384sum' 'sha512sum' -------------------------------------------------------------------------------------------- -copy_exec /usr/bin/sha384sum /usr/bin/sha384sum -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m" 
-copy_exec /usr/bin/sha512sum /usr/bin/sha512sum -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m" - - -### Include 'tree' ------------------------------------------------------------------------------------------------------------- -copy_exec /usr/bin/tree /usr/bin/tree -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m" - - -### Include 'whois' ------------------------------------------------------------------------------------------------------------ -copy_exec /usr/bin/whois /usr/bin/whois -printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m" - - -### Link busybox applets for compatibility ------------------------------------------------------------------------------------- -for dir in bin usr/bin; do - ln -sf busybox "${DESTDIR}/${dir}/cat" - ln -sf busybox "${DESTDIR}/${dir}/sleep" -done - - -### Install GPG signing keys --------------------------------------------------------------------------------------------------- -src_dir="/etc/ciss/keys" -dst_dir="${DESTDIR}/etc/ciss/keys" -key="" - -if [ -d "${src_dir}" ]; then - - install -d -m 0755 "${dst_dir}" - - for key in "${src_dir}"/*.gpg; do - - [ -e "${key}" ] || continue - - install -m 0444 "${key}" "${dst_dir}/" - - printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}" - - done - -fi - -printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m" - -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh -EOF - -chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder +chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh +chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh +chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh +chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" 
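Review bot: The four `chmod 0755` targets are not created by this hook and do not appear anywhere else in the commit, so the hook now depends on them having been dropped into the chroot beforehand (presumably via `includes.chroot`), and under `set -e` a missing file aborts the build with nothing but a bare chmod error. A short loop with a guard such as `[[ -f "${f}" ]] || { printf 'missing initramfs script: %s\n' "${f}" >&2; exit 1; }` makes that failure self-explanatory. It is also worth confirming that initramfs-tools accepts the `.sh` suffix on hook and boot-script names, since its run-parts-style name filter decides whether `9999_ciss_debian_live_builder.sh` executes or may be skipped at `update-initramfs` time. The inline hook removed here copied `/etc/ciss/keys/*.gpg` and `gpgv` into the initramfs; if the new external file is meant to replace it, the same key and verifier copy must be present there, which cannot be checked from this diff. The script continues outside the hunk.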
diff --git a/config/hooks/live/0020_dropbear_build.chroot b/config/hooks/live/0020_dropbear_build.chroot index 5af4538..0c46646 100644 --- a/config/hooks/live/0020_dropbear_build.chroot +++ b/config/hooks/live/0020_dropbear_build.chroot @@ -36,13 +36,22 @@ cd "${var_build_dir}" # -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup) # shellcheck disable=SC2016,SC2312 -setsid bash -c ' +if ! setsid bash -c ' ### Sterile environment for the build-process. - export -n SHELLOPTS + + export -n SHELLOPTS || true + set +u + unset PATH_SEPARATOR PATH_SEPARATOR=":" PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + + if ! command -v musl-gcc >/dev/null 2>&1; then + echo "ERROR: musl-gcc not found. Install musl-tools in chroot." >&2 + exit 1 + fi + CC=musl-gcc \ CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \ LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \ @@ -55,6 +64,13 @@ setsid bash -c ' # shellcheck disable=2312 make -j"$(nproc)" ' >| "${var_logfile}" 2>&1 +then + + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2 + tail -n 42 "${var_logfile}" >&2 || true + exit 42 + +fi rm -rf /root/dropbear diff --git a/config/hooks/live/0021_dropbear_initramfs.chroot b/config/hooks/live/0021_dropbear_initramfs.chroot index d06ea54..39f1295 100644 --- a/config/hooks/live/0021_dropbear_initramfs.chroot +++ b/config/hooks/live/0021_dropbear_initramfs.chroot @@ -1,6 +1,6 @@ #!/bin/bash # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; 
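Review bot: The sterile child shell started by `setsid bash -c '…'` runs without `set -e`, so the new `if !` wrapper only sees the exit status of the final `make`; if `./configure` or any earlier step of the quoted script (which continues past this hunk) fails, `make` still runs and either masks the real cause or builds against a stale tree. Adding `set -eo pipefail` directly after the explicit `set +u` makes the first failing step the one that trips the new error branch. `tail -n 42 "${var_logfile}" >&2 || true` before `exit 42` is a good touch; a comment that the build tree is intentionally left in place on failure (the `rm -rf /root/dropbear` on the success path does not run) would document that for whoever debugs it. The `command -v musl-gcc` check is a welcome addition.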
@@ -13,60 +13,45 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" +### Declare Arrays, HashMaps, and Variables. +declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log" + [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" INITRD="No" -### Declare Arrays, HashMaps, and Variables. -declare var_file="" -declare -r var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log" -declare var_target="${TARGET}" +apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}" +apt-get purge -y dropbear dropbear-run 2>&1 | tee -a "${var_logfile}" +apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}" +apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}" -### Check for TARGET / RECOVERY. -[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}" - -chroot_logger "${var_target}${var_logfile}" - -chroot_script "${var_target}" " - export INITRD=No - [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh - apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile} - " - -chroot_script "${var_target}" " - export INITRD=No - [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh - apt-get purge -y dropbear dropbear-run || true - " - -chroot_script "${var_target}" " - export INITRD=No - [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh - apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile} - " - -chroot_script "${var_target}" " - export INITRD=No - [[ -r /root/ciss_xdg_tmp.sh ]] && . 
/root/ciss_xdg_tmp.sh - apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile} - " - -mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie" -install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/" -do_log "debug" "file_only" "4311() Installation [dropbear] successful." +mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie +install -m 0755 -o root -g root /root/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear +rm -f /root/dropbear +mv /usr/sbin/dropbear /usr/sbin/dropbear.trixie +install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/ for var_file in dbclient dropbearconvert dropbearkey; do - mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie" - install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/" - do_log "debug" "file_only" "4311() Installation [${var_file}] successful." + mv "/usr/bin/${var_file}" "/usr/bin/${var_file}.trixie" + install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/ done -mkdir -p "${var_target}/etc/initramfs-tools/scripts/init-bottom" +mkdir -p /etc/initramfs-tools/scripts/init-bottom -cat << 'EOF' >| "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill" +cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill #!/bin/sh +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. 
+# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu PREREQ="" prereqs() { echo "${PREREQ}"; } @@ -91,12 +76,22 @@ exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF -chmod 0755 "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill" +chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill + +cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu -insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear" -insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear" -cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear" # Never install the dropbear daemon package at all. + Package: dropbear Pin: release * Pin-Priority: -1 
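Review bot: `install … /root/dropbear` over `/usr/share/initramfs-tools/scripts/init-premount/dropbear` and the `/root/build/dropbear-2025.88/*` binaries over the packaged ones, followed by `apt-mark hold` and the pins, mean these files will never again be touched by apt and therefore receive no Debian security updates; nothing in this hunk shows where `/root/dropbear` comes from or that the 2025.88 sources were signature-checked, so a comment pointing at the fetch/verify step (presumably in 0020) and stating that a new upstream release requires a rebuild belongs next to the install lines. The `mv … .trixie` renames leave the packaged `dropbear`, `dbclient`, `dropbearkey` and `dropbearconvert` executable on the image; if they are kept only for rollback, `chmod 0000` or removing them avoids shipping two divergent SSH implementations in a hardened live system. The `apt-get … | tee -a "${var_logfile}"` pipelines rely on `/root/.ciss/cdlb/log/` existing (`tee -a` does not create directories) and under `set -o pipefail` a missing directory aborts the script; `mkdir -p "${var_logfile%/*}"` before the first `tee` removes that silent dependency on `ciss_xdg_tmp.sh`. The script body continues past this hunk.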
@@ -104,10 +99,20 @@ Pin-Priority: -1 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF -insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs" -insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs" -cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs" +cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + # Keep the currently installed initramfs integration; never upgrade it. + Package: dropbear-initramfs Pin: release * Pin-Priority: -1 @@ -115,8 +120,7 @@ Pin-Priority: -1 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF -chroot_script "${var_target}" "systemctl mask dropbear.service dropbear.socket" -do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]" +systemctl mask dropbear.service dropbear.socket printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot new file mode 100644 index 0000000..c2d246c --- /dev/null +++ b/config/hooks/live/0022_dropbear_setup.chroot 
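Review bot: `Pin-Priority: -1` on `dropbear-initramfs`, on top of the earlier `apt-mark hold`, does more than the header comment's "never upgrade it": a negative priority also prevents the package from being reinstalled, and it disables security updates for the initramfs integration entirely. The comment should say so explicitly, e.g. `# Security updates for dropbear-initramfs are intentionally disabled: the daemon and its init-premount hook are replaced by the locally built dropbear-2025.88 — rebuild from source to pick up upstream fixes.` Both preference heredocs now use an unquoted `EOF`; nothing in them expands today, but `<< 'EOF'` (as the removed version used) protects the pin stanzas should a `$` ever appear in a comment line.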
@@ -0,0 +1,149 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -Ceuo pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" + +[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh +export DEBIAN_FRONTEND="noninteractive" INITRD="No" + +####################################### +# Set up the 'dropbear-initramfs' environment. +# Globals: +# None +# Arguments: +# None +# Returns: +# 0: on success +####################################### +dropbear_setup() { + ### Declare Arrays, HashMaps, and Variables. + declare network_static_ipv4ntpserver_0="192.53.103.108" + # shellcheck disable=SC2155 + declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)" + declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ' + + ### Prepare strong dropbear host keys. 
+ rm -f /etc/dropbear/initramfs/dropbear*key* + + if [[ -d /root/ssh ]]; then + + dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key + dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key /etc/dropbear/initramfs/dropbear_rsa_host_key + dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub + dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/dropbear/initramfs/dropbear_rsa_host_key.pub + + else + + # shellcheck disable=SC2312 + /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)" + + # shellcheck disable=SC2312 + /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key -C "root@live-$(date -I)" + + fi + + ### Prepare dropbear authorized_keys. + printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys + chmod 0600 /etc/dropbear/initramfs/authorized_keys + install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner + + ### "IP=::::::none:::" + ### "IP=::::::dhcp" + printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip + + ### Generate dropbear configuration file. + write_dropbear_conf + + return 0 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f dropbear_setup + +####################################### +# Write '/etc/dropbear/initramfs/dropbear.conf'. 
+# Globals: +# None +# Arguments: +# None +# Returns: +# 0: on success +####################################### +write_dropbear_conf() { + # shellcheck disable=SC2155 + declare sshport="$(< /root/sshport)" + rm -f /root/sshport + + [[ -z "${sshport:-}" ]] && sshport="2222" + + cat << EOF >| /etc/dropbear/initramfs/dropbear.conf +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# Configuration options for the dropbear-initramfs boot scripts. +# Variable assignment follow shell semantics and escaping/quoting rules. +# You must run update-initramfs(8) to effect changes to this file (like +# for other files in the '/etc/dropbear/initramfs' directory). + +# Command line options to pass to dropbear(8). +# Dropbear options for 2025+: +# -b: Display the contents of bannerfile before user login +# -E: Log to stderr +# -I: Idle timeout in seconds +# -K: Keepalive interval in seconds +# -p: Specify port (and optionally address) +# -w: Disable root login (SHOULD NOT be implemented for initramfs) +DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}" + +# On local (non-NFS) mounts, interfaces matching this pattern are +# brought down before exiting the ramdisk to avoid dirty network +# configuration in the normal kernel. +# The special value 'none' keeps all interfaces up and preserves routing +# tables and addresses. +#IFDOWN="*" + +# On local (non-NFS) mounts, the network stack and dropbear are started +# asynchronously at init-premount stage. 
This value specifies the +# maximum number of seconds to wait (while the network/dropbear are +# being configured) at init-bottom stage before terminating dropbear and +# bringing the network down. +# If the timeout is too short, and if the boot process is not blocking +# on user input supplied via SSHd (ie no remote unlocking), then the +# initrd might pivot to init(1) too early, thereby causing a race +# condition between network configuration from initramfs vs from the +# normal system. +#DROPBEAR_SHUTDOWN_TIMEOUT=60 + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh +EOF + + return 0 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f write_dropbear_conf + +dropbear_setup + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh new file mode 100644 index 0000000..743b6f9 --- /dev/null +++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh 
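Review bot: `printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}"` in `dropbear_setup` prepends the `command=…,no-agent-forwarding,…` options to the whole content of `/root/.ssh/authorized_keys` as one string, i.e. only to its first line; if that file holds more than one key, every further key is written to the initramfs `authorized_keys` without the forced command and lands in an unrestricted pre-boot root shell. Each key line needs the prefix individually, which also makes the `user_root_sshpubkey` slurp unnecessary; a line already carrying its own options would have to be merged rather than prefixed, which the loop below does not attempt. `network_static_ipv4ntpserver_0` is declared and never read. Dropbear's own `-s` (disable password logins) in `DROPBEAR_OPTIONS` would complement the key-only setup, if that matches the intended policy.
```shell
  ### Prepare dropbear authorized_keys: every key line gets the forced command, not just the first.
  : >| /etc/dropbear/initramfs/authorized_keys
  while IFS= read -r key_line || [[ -n "${key_line}" ]]; do
    # Skip blank lines and comments; a line that already carries options would need merging, not prefixing.
    [[ -z "${key_line}" || "${key_line}" == \#* ]] && continue
    printf "%s\n" "${var_force_command_string}${key_line}" >> /etc/dropbear/initramfs/authorized_keys
  done < /root/.ssh/authorized_keys
  chmod 0600 /etc/dropbear/initramfs/authorized_keys
  # … unchanged: banner install, IP= configuration, write_dropbear_conf …
```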
@@ -0,0 +1,490 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.installer +# SPDX-Security-Contact: security@coresecret.eu +# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command. + +set -Ceu -o pipefail -o ignoreeof +shopt -s failglob +shopt -s lastpipe +shopt -u nullglob +umask 0077 +export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr" + +####################################### +# Variable declaration +####################################### +# shellcheck disable=SC2016 +declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$' +# shellcheck disable=SC2155 +declare -r CURRENTDATE=$(date +"%F %T") +declare -g ERRTRAP='false' +declare -r GRE='\e[0;92m' +declare -r MAG='\e[0;95m' +declare -r RED='\e[0;91m' +declare -r RES='\e[0m' +declare -r NL='\n' +declare -g NUKE_ENABLED='false' +declare -g NUKE_HASH='' +declare -g PASSPHRASE='' + +####################################### +# Read passphrase strictly from STDIN (SSH channel), not '/dev/console'. +# Arguments: +# 1: Prompt to print on terminal +# 2: Variable name to capture passphrase +####################################### +ask_via_stdin() { + declare -r prompt="$1" + declare -r varname="$2" + ### Prompt to STDERR so pipes don't capture it. + printf "%s" "${prompt}" >&2 + ### Silent, canonical read from FD 0 (SSH channel when forced-command). 
+ IFS= read -r -s "${varname?}" <&0 + printf "\n" >&2 + return 0 +} + +####################################### +# Printed text in color. +# Arguments: +# 1: Color code. +# *: Text to print. +####################################### +color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; } + +####################################### +# Die Helper: print and then exit hard. +# Globals: +# NC +# RED +# Arguments: +# 1: Message string to print. +####################################### +die() { printf "%bโœ˜ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; } + +####################################### +# Drop into the bash environment. +# Arguments: +# None +####################################### +drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; } + +####################################### +# Extract the 'nuke=' parameter from '/proc/cmdline'. +# Globals: +# GRE +# NUKE_ENABLED +# NUKE_HASH +# RED +# REGEX +# Arguments: +# None +# Returns: +# 0: on success +####################################### +extract_nuke_hash() { + declare ARG="" CMDLINE="" + + ### Read '/proc/cmdline' into a single line safely. + read -r CMDLINE < /proc/cmdline + + for ARG in ${CMDLINE}; do + + case "${ARG,,}" in + + nuke=*) + NUKE_HASH="${ARG#*=}" + if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then + + declare -g NUKE_ENABLED="true" + color_echo "${GRE}" "โœ… System self check: [ok]" + return 0 + + else + + ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash. + color_echo "${RED}" "โœ˜ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." + color_echo "${RED}" "โœ˜ Dropping to bash ...:" + drop_bash + + fi + ;; + + esac + + done + + color_echo "${GRE}" "โœ… No Nuke Hash found." + + return 0 +} + +####################################### +# Gather information of all LUKS Devices available on the system. 
+# Arguments: +# None +####################################### +gather_luks_devices() { + declare prev=() curr=() + declare -i tries=0 + + while ((tries < 10)); do + + # shellcheck disable=SC2312 + mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V) + + if [[ "${curr[*]}" == "${prev[*]}" ]]; then + break + fi + + prev=("${curr[@]}") + tries=$((tries + 1)) + sleep 1 + + done + + printf '%s\n' "${curr[@]}" + + return 0 +} + +####################################### +# Erase the LUKS headers on all LUKS devices, then shut down the system. +# Globals: +# DEVICES_LUKS +# RED +# Arguments: +# None +####################################### +nuke() { + declare dev="" + + for dev in "${DEVICES_LUKS[@]}"; do + + cryptsetup erase --batch-mode "${dev}" || true + color_echo "${RED}" "โœ˜ Error: LUKS Device Header malfunction: [${dev}]." + + done + + secure_unset_pass + + color_echo "${RED}" "โœ˜ Error: LUKS Device malfunction. System Power Off in 16 seconds." + + power_off 16 +} + +####################################### +# Unified power-off routine. +# Arguments: +# 1: Sleep time before power-off in seconds (Default to 0 seconds). +####################################### +power_off() { + declare -r wait="${1:-0}" + sleep "${wait}" + sync + echo 1 >| /proc/sys/kernel/sysrq + echo o >| /proc/sysrq-trigger + ### The System powers off immediately; no further code is executed. +} + +####################################### +# Print Error Message for Trap on 'ERR' on Terminal. +# Globals: +# NL +# RED +# Arguments: +# 1: ${?} +# 2: ${BASH_SOURCE[0]} +# 3: ${LINENO} +# 4: ${FUNCNAME[0]:-main} +# 5: ${BASH_COMMAND} +####################################### +print_scr_err() { + declare -r scr_err_errcode="$1" + declare -r scr_err_errscrt="$2" + declare -r scr_err_errline="$3" + declare -r scr_err_errfunc="$4" + declare -r scr_err_errcmmd="$5" + + printf "%b" "${NL}" >&2 + + color_echo "${RED}" "โœ˜ System caught an 'ERROR'. System Power Off in 16 seconds." 
>&2 + printf "%b" "${NL}" >&2 + color_echo "${RED}" "โœ˜ Error : [${scr_err_errcode}]" >&2 + color_echo "${RED}" "โœ˜ Line : [${scr_err_errline}]" >&2 + color_echo "${RED}" "โœ˜ Script : [${scr_err_errscrt}]" >&2 + color_echo "${RED}" "โœ˜ Function : [${scr_err_errfunc}]" >&2 + color_echo "${RED}" "โœ˜ Command : [${scr_err_errcmmd}]" >&2 + printf "%b" "${NL}" >&2 + + return 0 +} + +####################################### +# Print Error Message for '0'-Exit-Code on Terminal. +# Globals: +# GRE +# Arguments: +# None +####################################### +print_scr_scc() { color_echo "${GRE}" "โœ… Script exited successfully. Proceeding with booting."; sleep 3; } + +####################################### +# Generates an informative shell prompt. +# Globals: +# PS1 +# Arguments: +# None +####################################### +prompt_string() { + declare -gx PS1="\ +\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\ +\[\033[1;95m\]\h\[\033[0m\]:\ +\[\033[1;96m\]\w\[\033[0m\]/>>\ +\$(if [[ \$? -eq 0 ]]; then \ + # Show exit status in green if zero + echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \ +else \ + # Show exit status in red otherwise + echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \ +fi)\ +|~\$ " +} + +####################################### +# Read the passphrase interactively. +# Globals: +# NUKE_ENABLED +# NUKE_HASH +# PASSPHRASE +# Arguments: +# None +# Returns: +# 0: on success +####################################### +read_passphrase() { + declare -i ROUNDS=0 + declare CAND="" SALT="" + + ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'. + ask_via_stdin "Enter passphrase: " PASSPHRASE + + ### NUKE pre-check. + if [[ "${NUKE_ENABLED,,}" == "true" ]]; then + + ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")" + ROUNDS="${ROUNDS#rounds=}" + SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")" + CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}") + + ### NUKE final check. 
+ if [[ "${CAND}" == "${NUKE_HASH}" ]]; then + + nuke + + fi + + fi + + return 0 +} + +####################################### +# Securely unset the 'PASSPHRASE'-variable. +# Globals: +# PASSPHRASE +# Arguments: +# None +####################################### +secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; } + +####################################### +# Trap function to be called on 'ERR'. +# Arguments: +# 1: ${?} +# 2: ${BASH_SOURCE[0]} +# 3: ${LINENO} +# 4: ${FUNCNAME[0]:-main} +# 5: ${BASH_COMMAND} +####################################### +trap_on_err() { + declare -r errcode="$1" + declare -r errscrt="$2" + declare -r errline="$3" + declare -r errfunc="$4" + declare -r errcmmd="$5" + declare -g ERRTRAP='true' + + trap - ERR INT TERM + stty echo 2>/dev/null || true + print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}" + power_off 16 +} + +####################################### +# Security Trap on 'EXIT'. +# Globals: +# ERRTRAP +# Arguments: +# None +####################################### +trap_on_exit() { + trap - ERR EXIT INT TERM + [[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc +} + +####################################### +# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine. +# Globals: +# NL +# RED +# Arguments: +# None +####################################### +trap_on_term() { + trap - ERR INT TERM + stty echo 2>/dev/null || true + printf "%b" "${NL}" + color_echo "${RED}" "โœ˜ Received termination signal. System Power Off in 3 seconds." + power_off 3 +} + +####################################### +# Check the integrity and authenticity of this script itself. 
+# Globals: +# GRE +# MAG +# RED +# Arguments: +# 0: Script Name +####################################### +verify_script() { + declare dir + # shellcheck disable=SC2312 + dir="$(dirname "$(readlink -f "${0}")")" + declare script; script="$(basename "${0}")" + declare -a algo=( "sha512" ) + declare cmd="" computed="" expected="" hashfile="" item="" sigfile="" + + for item in "${algo[@]}"; do + + hashfile="${dir}/${script}.${item}" + sigfile="${hashfile}.sig" + cmd="${item}sum" + + color_echo "${MAG}" "๐Ÿ” Verifying signature of: [${hashfile}]" + + if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then + + color_echo "${RED}" "โœ˜ Signature verification failed for: [${hashfile}]" + color_echo "${RED}" "โœ˜ System Power Off in 3 seconds." + power_off 3 + + else + + color_echo "${GRE}" "๐Ÿ” Verifying signature of: [${hashfile}] successful." + + fi + + + color_echo "${MAG}" "๐Ÿ”ข Recomputing Hash: [${item}]" + + # shellcheck disable=SC2312 + read -r computed _ < <("${cmd}" "${dir}/${script}") + read -r expected < "${hashfile}" + + if [[ "${computed}" != "${expected}" ]]; then + + color_echo "${RED}" "โœ˜ Recomputed hash mismatch for : [${item}]" + color_echo "${RED}" "โœ˜ System Power Off in 3 seconds." + power_off 3 + + fi + + color_echo "${GRE}" "๐Ÿ”ข Recomputing Hash: [${item}] successful." + + done + + color_echo "${GRE}" "๐Ÿ” All signatures and hashes verified successfully. Proceeding." + return 0 +} + +####################################### +# Main Program Sequence. +# Globals: +# CURRENTDATE +# DEVICES_LUKS +# GRE +# MAG +# NL +# PASSPHRASE +# RED +# Arguments: +# None +####################################### +main() { + exec 1>&2 + + trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR + trap 'trap_on_exit' EXIT + trap 'trap_on_term' INT TERM + + uname -a + + printf "%b" "${NL}" + color_echo "${RED}" "Coresecret Connection established." 
+ color_echo "${RED}" "Starting Time: ${CURRENTDATE}" + + printf "%b" "${NL}" + color_echo "${MAG}" "Integrity self-check ..." + verify_script + + ### Read newline-separated output into an array. + printf "%b" "${NL}" + color_echo "${MAG}" "Scanning for LUKS devices ..." + # shellcheck disable=SC2312 + mapfile -t DEVICES_LUKS < <(gather_luks_devices) + + ### If there are no LUKS devices at all, drop to bash. + if (( ${#DEVICES_LUKS[@]} == 0 )); then + printf "%b" "${NL}" + color_echo "${RED}" "โœ˜ No LUKS Devices found. Dropping to bash ..." + drop_bash + fi + + ### Extract the 'nuke='-parameter from '/proc/cmdline'. + printf "%b" "${NL}" + extract_nuke_hash + + ### Read passphrase interactively. + read_passphrase + + if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then + + secure_unset_pass + exit 0 + + else + + secure_unset_pass + + printf "%b" "${NL}" + color_echo "${RED}" "โœ˜ Unsuccessful command 'cryptroot-unlock'." + color_echo "${GRE}" " No LUKS operations performed. Dropping to bash ..." + color_echo "${GRE}" " To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'." + + drop_bash + + fi +} + +main "${@}" +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 new file mode 100644 index 0000000..704aaa3 --- /dev/null +++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 @@ -0,0 +1 @@ +2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6 diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig new file mode 100644 index 0000000..2cf5fb8 Binary files /dev/null and b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig differ 
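Review bot: `read_passphrase` extracts the nuke parameters with `cut -d'$' -f3` and `-f4`, which assumes the `rounds=` field is present although `REGEX` declares it optional; for a `$6$salt$hash` value field 3 is the salt, the `declare -i ROUNDS` assignment evaluates it arithmetically and fails (or yields nonsense), and `SALT` becomes the hash, so a valid nuke hash without explicit rounds turns every passphrase entry into an ERR-trap power-off instead of a comparison. Re-matching `REGEX` and reading `BASH_REMATCH[2]` (rounds) and `BASH_REMATCH[3]` (salt) removes the positional assumption, and `--rounds` should only be passed when the hash carries it, since glibc emits `rounds=N$` whenever rounds were given explicitly. Passing `"${PASSPHRASE}"` as an argument to `mkpasswd` also exposes it in `/proc/<pid>/cmdline` for the duration of the call; mkpasswd's `--stdin` avoids that. A wrong passphrase ends in `drop_bash`, so the forced command restricts the key holder only up to the first failed `cryptroot-unlock`; if the wrapper is meant as least-privilege, consider re-prompting or `power_off` there instead. `die()` documents `NC` as a global but uses `RED`.
```shell
read_passphrase() {
  declare CAND="" ROUNDS="" SALT=""

  # … unchanged: ask_via_stdin "Enter passphrase: " PASSPHRASE …

  ### NUKE pre-check: take rounds/salt from the REGEX capture groups (2 = optional rounds, 3 = salt),
  ### not from '$'-separated field positions, and feed the passphrase via stdin rather than argv.
  if [[ "${NUKE_ENABLED,,}" == "true" && "${NUKE_HASH}" =~ ${REGEX} ]]; then
    ROUNDS="${BASH_REMATCH[2]}"
    SALT="${BASH_REMATCH[3]}"
    if [[ -n "${ROUNDS}" ]]; then
      CAND=$(printf '%s' "${PASSPHRASE}" | /usr/mkpasswd --stdin --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}")
    else
      CAND=$(printf '%s' "${PASSPHRASE}" | /usr/mkpasswd --stdin --method=sha-512 --salt="${SALT}")
    fi
    ### NUKE final check.
    if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
      nuke
    fi
  fi

  return 0
}
```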
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg new file mode 100644 index 0000000..c190cd1 Binary files /dev/null and b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg differ diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh new file mode 100644 index 0000000..6d9d4f7 --- /dev/null +++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh 
@@ -0,0 +1,78 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.installer +# SPDX-Security-Contact: security@coresecret.eu +# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh + +set -Ceuo pipefail + +### Paths +declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh" +declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc" +declare -r GNUPGHOME="/root/.ciss/gnupg" + +### Output Files +declare -r HASH384="${SCRIPT}.sha384" +declare -r HASH512="${SCRIPT}.sha512" +declare -r SIG384="${HASH384}.sig" +declare -r SIG512="${HASH512}.sig" + +### Ensure GNUPGHOME exists with secure permissions +mkdir -p "${GNUPGHOME}" +chmod 0700 "${GNUPGHOME}" + +### Import private key only if not already present +if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then + printf "\e[0;92mโœ… Importing private key ... \e[0m\n" + gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}" +else + printf "\e[0;92mโœ… Private key already present in keyring. \e[0m\n" +fi + +### Extract fingerprint of the first secret key +# shellcheck disable=SC2155 +declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }') + +if [[ -z "${FPR}" ]]; then + printf "\e[0;91mโœ˜ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2 + exit 1 +fi + +printf "\e[0;92mโœ… Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}" + +### Hashing (only the hash value, no filename) +printf "\e[0;95m๐Ÿ”ข Generating Hashes ... 
\e[0m\n" + +if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then + printf "\e[0;92mโœ… Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}" +fi + +if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then + printf "\e[0;92mโœ… Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}" +fi + +printf "\e[0;92m๐Ÿ”ข Generating Hashes done. \e[0m\n" + +### Signing Hashes +printf "\e[0;95m๐Ÿ”‘ Signing hashes ... \e[0m\n" + +if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then + printf "\e[0;92mโœ… Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}" +fi + +if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then + printf "\e[0;92mโœ… Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}" +fi + +printf "\e[0;92m๐Ÿ”‘ Signing hashes done. \e[0m\n" + +exit 0 + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh new file mode 100644 index 0000000..deea012 --- /dev/null +++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh 
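Review bot: `gpg … --list-secret-keys | grep -q "sec"` parses human-readable gpg output, which is locale- and version-dependent and also matches `sec` inside any user-ID text; the machine-readable form is `gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | grep -q '^sec:'`. `FPR` is then taken as the first secret key in the homedir rather than the key from `KEYFILE`, so a homedir that already holds another key signs silently with the wrong one and `verify_script` on the target rejects the result; deriving the fingerprint from the key file itself (e.g. `gpg --show-keys --with-colons "${KEYFILE}"`) pins the signer. The two `if sha384sum … >| "${HASH384}"; then` blocks and the two signing `if`s have no `else`, and an `if` condition is exempt from `set -e`, so a failed hash or signature leaves a stale or missing file while the script still exits 0; add `else … exit 1` branches. The hardcoded `KEYFILE` under `/root/.ciss/keys/` names a `dummy_…_SECRET.asc`, which reads like a placeholder that should come from the environment or an argument rather than be committed.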
@@ -0,0 +1,42 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +set -e + +printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m" + +PREREQ="" +prereqs() { echo "${PREREQ}"; } +# shellcheck disable=SC2249 +case "${1}" in + prereqs) prereqs; exit 0 ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +mkdir -p "${DESTDIR}/etc" + +cat >| "${DESTDIR}/etc/profile" << 'EOF' +export PS1='$( STATUS=$?; \ + if [ "${STATUS}" -eq 0 ]; then \ + printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;92m\002%d\001\e[0m\002|~#> " "${STATUS}"; \ + else \ + printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \ + fi; ) ' +EOF + +printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m" + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh new file mode 100644 index 0000000..504e24d --- /dev/null +++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh 
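Review bot: The `printf "\e[95m…"` and `"\e[92m…"` calls use `\e` in the format string under `#!/bin/sh`; `\e` is not a POSIX `printf` escape and dash, which Debian uses for `/bin/sh` in initramfs hooks, may print it literally, so use `\033[95m` as the PS1 here-doc body already does. The `PS1` written into `${DESTDIR}/etc/profile` relies on the initramfs shell expanding `\u`, `\H` and `\w` inside a `printf` argument as prompt escapes, which in busybox depends on the fancy-prompt feature being compiled in; also confirm that `/etc/profile` is read at all by the shell that `init` and dropbear's forced command spawn, otherwise the hook has no visible effect.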
@@ -0,0 +1,155 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +set -e + +printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m" + +PREREQ="" +prereqs() { echo "${PREREQ}"; } +# shellcheck disable=SC2249 +case "${1}" in + prereqs) prereqs; exit 0 ;; +esac + +. /usr/share/initramfs-tools/hook-functions + + +### Ensure directory structure in initramfs ------------------------------------------------------------------------------------ +install -d -m 0755 "${DESTDIR}/etc/ciss/keys" +install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d" +install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount" +install -d -m 0755 "${DESTDIR}/usr/bin" +install -d -m 0755 "${DESTDIR}/usr/local/bin" +install -d -m 0755 "${DESTDIR}/usr/sbin" + + +### Include 'bash' ------------------------------------------------------------------------------------------------------------- +copy_exec /usr/bin/bash /usr/bin/bash +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m" + + +### Include 'blkid' ------------------------------------------------------------------------------------------------------------ +copy_exec /usr/sbin/blkid /usr/sbin/blkid +printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m" + + +### Include 'busybox' 
---------------------------------------------------------------------------------------------------------- +copy_exec /usr/bin/busybox /usr/busybox +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m" + + +### Include GNU coreutils 'sort' (has -V) -------------------------------------------------------------------------------------- +copy_exec /usr/bin/sort /usr/bin/sort +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m" + + +### Include 'gpgv' ------------------------------------------------------------------------------------------------------------- +copy_exec /usr/bin/gpgv /usr/bin/gpgv +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m" + + +### Include 'lsblk' ------------------------------------------------------------------------------------------------------------ +copy_exec /usr/bin/lsblk /usr/bin/lsblk +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m" + + +### Include 'mkpasswd' --------------------------------------------------------------------------------------------------------- +copy_exec /usr/bin/mkpasswd /usr/mkpasswd +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m" +copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m" + + +### Include 'udevadm' (udev management tool) ----------------------------------------------------------------------------------- +copy_exec /usr/bin/udevadm /usr/bin/udevadm +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m" + + +### Include 'sha384sum' 'sha512sum' -------------------------------------------------------------------------------------------- +copy_exec /usr/bin/sha384sum /usr/bin/sha384sum +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m" +copy_exec 
/usr/bin/sha512sum /usr/bin/sha512sum +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m" + + +### Include 'tree' ------------------------------------------------------------------------------------------------------------- +copy_exec /usr/bin/tree /usr/bin/tree +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m" + + +### Include 'whois' ------------------------------------------------------------------------------------------------------------ +copy_exec /usr/bin/whois /usr/bin/whois +printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m" + + +### Link busybox applets for compatibility ------------------------------------------------------------------------------------- +for dir in bin usr/bin; do + ln -sf busybox "${DESTDIR}/${dir}/cat" + ln -sf busybox "${DESTDIR}/${dir}/sleep" +done + + +### Install GPG signing keys --------------------------------------------------------------------------------------------------- +src_dir="/etc/ciss/keys" +dst_dir="${DESTDIR}/etc/ciss/keys" +key="" + +if [ -d "${src_dir}" ]; then + + install -d -m 0755 "${dst_dir}" + + for key in "${src_dir}"/*.gpg; do + + [ -e "${key}" ] || continue + + install -m 0444 "${key}" "${dst_dir}/" + + printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}" + + done + +fi + +### Install Dropbear configuration --------------------------------------------------------------------------------------------- +install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf" +printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}" + +# TODO: Update the scripts to be usable for upcoming Live ISO encryption +# TODO: Integrate online signing +### Install Dropbear 'cryptroot-unlock'-Wrapper 
-------------------------------------------------------------------------------- +install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh" +printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}" + +install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512" +printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 %s/usr/local/bin/unlock_wrapper.sh.sha512] \n\e[0m" "${DESTDIR}" + +install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig" +printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}" + +# TODO: Refactor with online signing +### Install Dropbear GPG Signing Keys ------------------------------------------------------------------------------------------ +install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg" +printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg %s/etc/keys/unlock_wrapper_pubring.gpg] \n\e[0m" "${DESTDIR}" + +### Install Dropbear Banner ---------------------------------------------------------------------------------------------------- +install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner" +printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}" + +### EOS + +printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m" + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
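Review bot: `install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"` writes into `${DESTDIR}/etc/keys`, but the directory block at the top only creates `${DESTDIR}/etc/ciss/keys`; `install` without `-D` does not create parents, so unless another hook has made `/etc/keys` this line fails and, under `set -e`, aborts the whole hook and the initramfs build. Add `install -d -m 0755 "${DESTDIR}/etc/keys"` to the directory block (this is the path `verify_script` reads via `gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg`), and note that the `*.gpg` loop populates `/etc/ciss/keys`, which the wrapper never consults. The pubring source is `/root/.ciss/cdi/keys/…` while the commit ships `unlock_wrapper_pubring.gpg` next to the wrapper under `/etc/initramfs-tools/files/`; one of the two locations appears unused. `copy_exec /usr/bin/whois` and `tree` enlarge the pre-boot environment with tools the wrapper never calls — `mkpasswd` is the only binary from the whois package it needs. `busybox` is copied to `/usr/busybox` while the `ln -sf busybox …/cat` links resolve relative to `bin` and `usr/bin`, so they only work if a `busybox` already exists there (presumably from initramfs-tools' own busybox integration).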
diff --git a/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh b/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh new file mode 100644 index 0000000..b430fb1 --- /dev/null +++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh @@ -0,0 +1,33 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +set -e + +PREREQ="" +prereqs() { echo "${PREREQ}"; } +# shellcheck disable=SC2249 +case "${1}" in + prereqs) prereqs; exit 0 ;; +esac + +mkdir -p /run/ciss +printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log + +### Make sure /usr/local/bin is in front of 'PATH'. +export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr" + +printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_late.log + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh b/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh new file mode 100644 index 0000000..229794f --- /dev/null +++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh 
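Review bot: `export PATH="/usr/local/bin:…"` in this init-premount script only changes the environment of the script's own process: initramfs-tools' `run_scripts` executes the scripts in `init-top`/`init-premount` as child processes rather than sourcing them (as far as the standard `call_scripts` goes), so the PATH seen by later boot stages and by dropbear's forced command is untouched, and the two `/run/ciss/fixpath_*` logs only ever document the change inside this script. The init-top copy in the next hunk has the same issue. If the goal is `/usr/local/bin` first for `unlock_wrapper.sh`, the `export PATH` at the top of that wrapper is what actually takes effect; anything else needs the PATH set where the consuming process is started.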
@@ -0,0 +1,33 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +set -e + +PREREQ="" +prereqs() { echo "${PREREQ}"; } +# shellcheck disable=SC2249 +case "${1}" in + prereqs) prereqs; exit 0 ;; +esac + +mkdir -p /run/ciss +printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log + +### Make sure /usr/local/bin is in front of 'PATH'. +export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr" + +printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_late.log + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 32d3628..2fdad1b 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa 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 diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index d1b4245..bbfc098 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index 938c81e..50b98fd 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.400.2025.11.08 +# Version Master V8.13.404.2025.11.10 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 684628f..74bf2a7 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.400.2025.11.08" +declare -gr VERSION="Master V8.13.404.2025.11.10" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 3c88b58..55288fe 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg 
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.400.2025.11.08 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.404.2025.11.10 at: 10:18:37.9542 diff --git a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums index 9fbb28a..3dd7b9a 100644 --- a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums +++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums @@ -209,12 +209,12 @@ Verify_checksums() { if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then _RETURN_SHA="${?}" - printf "\e[92m[INFO] Found: [%s] successful done, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" + printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" else _RETURN_SHA="${?}" - printf "\e[91m[FATAL] Found: [%s] failed, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" + printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" fi diff --git a/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear b/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear new file mode 100644 index 0000000..50ff764 --- /dev/null +++ b/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear 
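Review bot: The two replacement messages read oddly — `successful verified` and `unsuccessful verified` — and the second one no longer says plainly that verification failed; `[INFO] Found: [%s] successfully verified: [%s]` and `[FATAL] Found: [%s] verification failed for: [%s]` carry the same information in plain English. The identical strings are introduced again in the scripts/usr/lib/live/boot/0030-verify-checksums hunk further down, so both copies should change together. Verify_checksums continues on both sides of this hunk.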
@@ -0,0 +1,65 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+PREREQ="udev"
+
+prereqs() {
+ echo "${PREREQ}"
+}
+
+# shellcheck disable=SC2249
+case "$1" in
+ prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+# shellcheck disable=SC2292
+[ -x /sbin/dropbear ] || exit 0
+
+
+run_dropbear() {
+ ### CISS.debian.live.builder
+ ### Remove old flags for dropbear version 2025.88-2.
+ ### Only accepts flags from '/etc/dropbear/dropbear.conf'.
+
+ #local flags="Fs"
+ # shellcheck disable=SC2034,SC2154,SC2292
+ [ "${debug}" != y ] || flags="E${flags}" # log to standard error
+
+ # Always run configure_networking() before dropbear(8); on NFS
+ # mounts this has been done already
+
+ # shellcheck disable=SC2292
+ [ "${BOOT}" = nfs ] || configure_networking
+
+ log_begin_msg "Starting dropbear"
+ # Using exec and keeping dropbear in the foreground enables the
+ # init-bottom script to kill the remaining ipconfig processes if
+ # someone unlocks the rootfs from the console while the network is
+ # being configured
+ # shellcheck disable=SC2086
+ exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
+}
+
+# shellcheck disable=SC2292
+if [ -e /etc/dropbear/dropbear.conf ]; then
+ . /etc/dropbear/dropbear.conf
+fi
+. /scripts/functions
+
+# On NFS mounts, wait until the network is configured. On local mounts,
+# configure the network in the background (in run_dropbear()) so someone
+# with console access can enter the passphrase immediately. (With the
+# default ip=dhcp, configure_networking hangs for 5mins or so when the
+# network is unavailable, for instance.)
+
+# shellcheck disable=SC2292
+[ "${BOOT}" != nfs ] || configure_networking
+
+run_dropbear &
+echo $! >/run/dropbear.pid
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 1839a4a..71a4dcf 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**
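Review bot: The debug branch in run_dropbear is a no-op: `flags` is set to `E` when `debug=y`, but `#local flags="Fs"` is commented out and `flags` never reaches the `exec /sbin/dropbear ${DROPBEAR_OPTIONS-}` line, so the only effect is the dead assignment the SC2034 pragma silences. Either drop the line or feed the intent into the options that are actually used, e.g. `[ "${debug}" != y ] || DROPBEAR_OPTIONS="-E ${DROPBEAR_OPTIONS-}"` (run_dropbear is called after the conf file has been sourced, so the value is already in scope). The `. /etc/dropbear/dropbear.conf` line also deserves a note, because the file is sourced as shell rather than parsed, e.g. `# sourced, not parsed: this file is executed as the initramfs init process`.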
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index b58801a..a2077a1 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 84186f0..0075fee 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index fd22f7b..90e6e80 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index f891840..b990b2f 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index ac98075..b91d234 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 2961708..d9ad38f 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,29 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Changelog +## V8.13.404.2025.11.10 +* **Added**: [0020_dropbear_build.chroot](../config/hooks/live/0020_dropbear_build.chroot) +* **Added**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) +* **Added**: [0022_dropbear_setup.chroot](../config/hooks/live/0022_dropbear_setup.chroot) +* **Added**: [9999_ciss_custom_prompt.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh) +* **Added**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh) +* **Added**: [1000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh) +* **Added**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh) +* **Added**: [dropbear](../config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear) +* **Bugfixes**: [generate_PRIVATE_trixie_0.yaml](../.gitea/workflows/generate_PRIVATE_trixie_0.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. +* **Bugfixes**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. +* **Bugfixes**: [generate_PUBLIC_iso.yaml](../.gitea/workflows/generate_PUBLIC_iso.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. +* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. +* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. +* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. 
+* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) +* **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h) +* **Changed**: [.shellcheckrc](../.shellcheckrc) + ## V8.13.400.2025.11.08 * **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling * **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme diff --git a/docs/CNET.md b/docs/CNET.md index 28281a7..d0570d7 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 95b3265..c91a7c5 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 277c9bf..4c80ca6 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index d79983e..78650fb 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 384dc70..eb0cabd 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 8ac0d9c..0c877b3 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V8.13.400.2025.11.08 +Master V8.13.404.2025.11.10 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -145,7 +145,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. ๐Ÿ’ท Please consider donating to my work at: ๐ŸŒ https://coresecret.eu/spenden/ - V8.13.400.2025.11.08 2025-11-06 CDLB(1) + V8.13.404.2025.11.10 2025-11-06 CDLB(1) ```` # 3. Booting diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 424016c..97d415a 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.400.2025.11.08
+**Build**: V8.13.404.2025.11.10
# 2. Resources
diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh
index f546cd4..c514442 100644
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -30,9 +30,15 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 # 0: on success
 #######################################
 clean_up() {
- declare clean_exit_code="$1" fs_type=""
+ declare clean_exit_code="$1" fs_type="" _old_nullglob="" _old_dotglob="" _old_failglob=""
+
+ ### Enable nullglob/dotglob, disable failglob for safe globbing.
+ _old_nullglob="$(shopt -p nullglob || true)"
+ _old_dotglob="$( shopt -p dotglob || true)"
+ _old_failglob="$(shopt -p failglob || true)"
 shopt -s nullglob dotglob
+ shopt -u failglob
 rm -f -- "${VAR_KERNEL_INF}"
 rm -f -- "${VAR_KERNEL_SRT}"
@@ -90,7 +96,21 @@ clean_up() {
 find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
 find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
- shopt -u nullglob dotglob
+ # TODO: Activate shred
+ ### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
+ #if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+
+ # shellcheck disable=SC2312
+ # find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+
+ ### Remove empty directories (bottom-up).
+ # find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
+
+ #fi
+
+ eval "${_old_nullglob}" 2>/dev/null || true
+ eval "${_old_dotglob}" 2>/dev/null || true
+ eval "${_old_failglob}" 2>/dev/null || true
 return 0
 }
diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh
index 878f378..26a95e4 100644
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
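Review bot: The shred of config/includes.chroot remains commented out (`# TODO: Activate shred`), so everything this same commit copies into includes.chroot — root/.ssh/authorized_keys and root/sshport from lib_hardening_ultra.sh, root/dropbear/* from lib_primordial.sh — survives clean_up in the build directory, while VAR_TMP_SECRET is shredded just above; if anything sensitive ever lands there, that gap is silent. A comment at the TODO naming what is currently left behind, e.g. `# NOTE: includes.chroot is not shredded yet; files copied there by hardening_ultra/primordial stay on disk after clean_up`, keeps that visible until the block is enabled. The three `eval "${_old_*}"` restore lines are the same block that normalize_ssh_keys_in_dir now repeats at every exit; one small file-level helper holding the three evals, called from each return (bash's dynamic scoping lets it read the caller's `_old_*` locals), would keep the two files in step. clean_up's body starts before this hunk.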
@@ -185,6 +185,7 @@ hardening_ultra() { install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/" declare -r sshport="${VAR_SSHPORT:-22}" + printf "%s" "${sshport}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/sshport" ### /config/includes.chroot/etc/ssh/sshd_config # shellcheck disable=SC2155 diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh index d9e6eb7..dd4dbba 100644 --- a/lib/lib_primordial.sh +++ b/lib/lib_primordial.sh @@ -38,6 +38,8 @@ init_primordial() { "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h" + install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \ + "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear" ### Check for SOPS AGE key integration --------------------------------------------------------------------------------------- if [[ "${VAR_AGE,,}" == "true" ]]; then @@ -115,7 +117,7 @@ normalize_ssh_key_file() { if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}" + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}" return "${ERR_SANITIZING}" fi 
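Review bot: `printf "%s" "${sshport}" >| .../root/sshport` creates the file with the caller's umask and without a trailing newline, unlike the `install -m 0600 -o root -g root` line just above that pins mode and owner explicitly; a consumer doing `read -r port < root/sshport` gets a non-zero status on the missing newline, which aborts under `set -e`. `printf '%s\n' "${sshport}" >| "${var_portfile}" && chmod 0444 "${var_portfile}"`, with `var_portfile` set to that path, writes a newline-terminated file with a deliberate mode. hardening_ultra continues outside the hunk.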
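Review bot: The new install in init_primordial names a directory as destination (`.../root/dropbear`) while the two lines above name the target file, so the script lands as root/dropbear/dropbear only because that directory already exists; spell it out as `"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear"` so a missing directory fails loudly instead of producing a file named dropbear. Mode 0444 is fine if a later hook re-installs it as an executable initramfs script, otherwise it will never run; a short comment naming the consuming hook would settle that. init_primordial continues outside the hunk.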
@@ -144,13 +146,21 @@ readonly -f normalize_ssh_key_file # ERR_SANITIZING: on failure ####################################### normalize_ssh_keys_in_dir() { - declare var_key_dir="" var_key_file="" + declare var_key_dir="" var_key_file="" _old_nullglob="" _old_dotglob="" _old_failglob="" var_key_dir="$1" + ### Enable nullglob/dotglob, disable failglob for safe globbing. + _old_nullglob="$(shopt -p nullglob || true)" + _old_dotglob="$( shopt -p dotglob || true)" + _old_failglob="$(shopt -p failglob || true)" + shopt -s nullglob dotglob + shopt -u failglob if [[ ! -d "${var_key_dir}" ]]; then - shopt -u nullglob dotglob + eval "${_old_nullglob}" 2>/dev/null || true + eval "${_old_dotglob}" 2>/dev/null || true + eval "${_old_failglob}" 2>/dev/null || true return 0 fi @@ -160,13 +170,17 @@ normalize_ssh_keys_in_dir() { [[ -e "${var_key_file}" ]] || continue if ! normalize_ssh_key_file "${var_key_file}"; then - shopt -u nullglob dotglob + eval "${_old_nullglob}" 2>/dev/null || true + eval "${_old_dotglob}" 2>/dev/null || true + eval "${_old_failglob}" 2>/dev/null || true return "${ERR_SANITIZING}" fi done - shopt -u nullglob dotglob + eval "${_old_nullglob}" 2>/dev/null || true + eval "${_old_dotglob}" 2>/dev/null || true + eval "${_old_failglob}" 2>/dev/null || true return 0 } diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index c8b9c56..c3c968e 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh 
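Review bot: The three-line `eval "${_old_*}"` restore block now appears at every exit of normalize_ssh_keys_in_dir (the `-d` guard, the loop failure path and the final return), which is easy to miss when a fourth exit is added; a single file-level helper holding the three evals, called from each return, avoids that and can be shared with clean_up, which carries the same block. The save lines also differ only by a stray space in `"$( shopt -p dotglob || true)"`, which shfmt would flag. A one-line comment on why `|| true` is needed would help, e.g. `# shopt -p exits 1 when the option is off but still prints the restore command`.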
@@ -39,13 +39,13 @@ usage() { # shellcheck disable=SC2155 declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}") # shellcheck disable=SC2155 - declare var_footer=$(center "V8.13.400.2025.11.08 2025-11-06 CDLB(1)" "${var_cols}") + declare var_footer=$(center "V8.13.404.2025.11.10 2025-11-06 CDLB(1)" "${var_cols}") { echo -e "\e[1;97m${var_header}\e[0m" echo echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m" - echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m" + echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m" echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m" echo echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m" diff --git a/scripts/usr/lib/live/boot/0030-verify-checksums b/scripts/usr/lib/live/boot/0030-verify-checksums index 4528a1d..3dd7b9a 100644 --- a/scripts/usr/lib/live/boot/0030-verify-checksums +++ b/scripts/usr/lib/live/boot/0030-verify-checksums @@ -28,14 +28,24 @@ # 0 : Successful verification ####################################### Verify_checksums() { + printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m" + + ### Declare variables -------------------------------------------------------------------------------------------------------- _MOUNTPOINT="${1}" + _PARAMETER="" + _TTY="/dev/tty8" LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" + _KEYFILE="" + + _MP="" + + ### Parse commandline arguments ---------------------------------------------------------------------------------------------- for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do case "${_PARAMETER}" in 
@@ -60,6 +70,20 @@ Verify_checksums() { done + ### Check GPG pubkey file correct path --------------------------------------------------------------------------------------- + for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do + + if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then + + _KEYFILE="${_MP}/0030-verify-checksums.gpg" + + break + + fi + + done + + ### Check if the function should be skipped ---------------------------------------------------------------------------------- case "${LIVE_VERIFY_CHECKSUMS}" in true) 
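Review bot: `_KEYFILE` stays empty when none of the four locations holds 0030-verify-checksums.gpg, and the later `gpgv --keyring "${_KEYFILE}"` calls then fail with a gpgv usage error rather than a clear message; at the top of the `LIVE_VERIFY_CHECKSUMS_SIGNATURES = true` branch add `[ -n "${_KEYFILE}" ] || panic "[FATAL] No keyring 0030-verify-checksums.gpg found on the medium or in the initramfs."`. The search order also deserves a comment: the medium paths are tried before `/`, so a keyring shipped on the medium wins over the copy embedded in the initramfs, and the signature check then verifies the medium against a key the same medium supplies; if the initramfs copy is the intended trust anchor, list `/` first and say so, e.g. `# prefer the initramfs copy: the medium may carry its own keyring`. Verify_checksums continues outside the hunk.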
@@ -78,54 +102,59 @@ Verify_checksums() { ### CDLB verification of script integrity itself ----------------------------------------------------------------------------- if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then - log_begin_msg "Verifying integrity of '0030-verify-checksums' ..." + log_begin_msg "Verifying integrity of: [0030-verify-checksums]" printf "\n" - CDLB_SCRIPT="$(basename "${0}")" + _CAND="" + CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE="" + + CDLB_CMD="/usr/bin/sha512sum" CDLB_SHA="sha512" - CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE="" - for CDLB_ITEM in ${CDLB_SHA}; do + for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do - CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}" - CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" - CDLB_CMD="${CDLB_ITEM}sum" - - printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}" - - if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then - - printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}" - sleep 8 - # TODO: Remove debug mode - # return 0 - - else - - printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}" - - fi - - printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}" - - CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; }) - read -r CDLB_EXPECTED < "${CDLB_HASHFILE}" - - if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then - - printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}" - sleep 8 - # TODO: Remove debug mode - # return 0 - - fi - - printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}" + [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; } done - printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding." 
+ CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}" + CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}" + CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}" + CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt" + CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" + + printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}" + + printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}" + + if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then + + printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}" + sleep 16 + panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed." + + else + + printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}" + + fi + + printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}" + + CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; }) + IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}" + + if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then + + printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}" + sleep 16 + panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed." + + fi + + printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}" + printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}" log_end_msg printf "\n" @@ -134,6 +163,7 @@ Verify_checksums() { ### Checksum and checksum signature verification ----------------------------------------------------------------------------- log_begin_msg "Verifying checksums" printf "\n" + printf "\e[95m[INFO] Verifying checksums ... \n\e[0m" # shellcheck disable=SC2001 for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do 
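Review bot: `CDLB_HASHFILE` and `CDLB_SIG_FILE` are bare file names, so gpgv and the `read` resolve them against the current working directory while `CDLB_SCRIPT_FULL` is absolute; if the hash file is meant to sit next to the script, build it as `CDLB_HASHFILE="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"`, and if it comes from the medium, anchor it on `_MP` — either way a comment should state where the file is expected. If neither candidate exists, `CDLB_SCRIPT_SELF` is empty and the derived names degrade to `/` and `.sha512sum.txt`, which only reaches panic through a confusing gpgv error; `[ -n "${CDLB_SCRIPT_SELF}" ] || panic "[FATAL] 0030-verify-checksums not found at a known path."` after the loop makes it explicit. A header comment on the block should also say what it can and cannot give: a script hashing itself detects accidental modification, while whoever can edit the script can edit the check, so whatever verifies the initramfs image itself is what makes this meaningful. Verify_checksums continues outside the hunk.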
@@ -145,16 +175,29 @@ Verify_checksums() { if [ -e "${_CHECKSUM}" ]; then - printf "Found [%s] ...\n" "${_CHECKSUM}" + printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}" - if [ -e "/bin/${_DIGEST}sum" ]; then + if [ -e "/usr/bin/${_DIGEST}sum" ]; then + + printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum" if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then - printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}" + printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}" + _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" - gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}" - _RETURN_PGP="${?}" + + if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then + + _RETURN_PGP="${?}" + printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}" + + else + + _RETURN_PGP="${?}" + printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}" + + fi else @@ -162,18 +205,26 @@ Verify_checksums() { fi - printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}" - # shellcheck disable=SC2312 - grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" - _RETURN_SHA="${?}" + if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then + + _RETURN_SHA="${?}" + printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" + + else + + _RETURN_SHA="${?}" + printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}" + + fi # Stop after the first verification. break 2 else - printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum" + _RETURN_SHA="255" + printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum" fi 
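Review bot: `_RETURN_PGP="${?}"` as the first statement of the `then` branch is always 0 and in the `else` branch is the gpgv status, which is correct but reads as if the value could be anything; `_RETURN_PGP=0` in the then branch makes the intent explicit and leaves `"${?}"` only where it carries information. A failed signature here prints `[FATAL]` yet execution continues into the hash check, so a comment is due, e.g. `# signature failure is only recorded; the case at the end of the function decides whether to panic`. The same pattern appears in the `_RETURN_SHA` block of the next hunk, where the pipeline status is that of `sum -c` alone since sh has no pipefail. Verify_checksums continues outside the hunk.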
@@ -184,26 +235,44 @@ Verify_checksums() { done log_end_msg + printf "\n" case "${_RETURN_PGP},${_RETURN_SHA}" in - 0,0) - log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds." + "0,0") + printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m" + printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" sleep 8 + log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds." return 0 ;; - na,0) - log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds." + "na,0") + printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m" + printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" sleep 8 + log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds." return 0 ;; - *,0) - panic "Verification of signature file failed while verification of checksum file successful." + "0,"*) + printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m" + printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" + sleep 8 + panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." ;; - na,*) + *",0") + printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m" + printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}" + sleep 8 + panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." + ;; + + "na,"*) + printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m" + printf "\e[91m[FATAL] CDLB modified: [%s] done. 
\n\e[0m" "${CDLB_SCRIPT_FULL}" + sleep 8 panic "Verification of checksum file failed." ;; diff --git a/scripts/usr/local/sbin/9999-cdi-starter b/scripts/usr/local/sbin/9999-cdi-starter index 127b31e..29b62ae 100644 --- a/scripts/usr/local/sbin/9999-cdi-starter +++ b/scripts/usr/local/sbin/9999-cdi-starter @@ -127,7 +127,7 @@ main() { # shellcheck disable=SC2312 exec > >(tee -a "${var_log}") 2>&1 - printf "CISS.debian.installer Master V8.13.400.2025.11.08 is up! \n" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.404.2025.11.10 is up! \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -182,7 +182,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.installer Master V8.13.400.2025.11.08: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.404.2025.11.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } diff --git a/upgrades/dropbear/localoptions.h b/upgrades/dropbear/localoptions.h index 6b6a9a0..9662a5b 100644 --- a/upgrades/dropbear/localoptions.h +++ b/upgrades/dropbear/localoptions.h 
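Review bot: The `"na,0"` and `"na,"*` arms print `CDLB_SCRIPT_FULL`, but it is only assigned inside the `LIVE_VERIFY_CHECKSUMS_SIGNATURES = true` branch — exactly the branch that did not run when `_RETURN_PGP` is `na` — so those messages show `[]`; initialise it with the other variables at the top of Verify_checksums, e.g. `CDLB_SCRIPT_FULL="/usr/lib/live/boot/0030-verify-checksums"`, or print a literal path there. The success arms also sleep for 8 seconds and only then emit "continuing booting in 8 seconds" via log_success_msg, so moving `log_success_msg` above the `sleep 8` keeps the message truthful. The case's default arm lies outside the hunk.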
@@ -1,12 +1,12 @@
 /* # SPDX-Version: 3.0 */
-/* # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; */
-/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git */
+/* # SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; */
+/* # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git */
 /* # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency */
 /* # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; */
 /* # SPDX-FileType: SOURCE */
 /* # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 */
 /* # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. */
-/* # SPDX-PackageName: CISS.debian.installer */
+/* # SPDX-PackageName: CISS.debian.live.builder */
 /* # SPDX-Security-Contact: security@coresecret.eu */
 #ifndef DROPBEAR_LOCALOPTIONS_H_
diff --git a/var/early.var.sh b/var/early.var.sh
index b446f25..7c25dce 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.400.2025.11.08"
+declare -grx VAR_VERSION="Master V8.13.404.2025.11.10"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
 # Print $4 and $5; include $6 only if it exists
 out = $4
diff --git a/var/global.var.sh b/var/global.var.sh
index 82f76b3..fa344b1 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -66,7 +66,7 @@ declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing
 declare -gir ERR_FLOCK_COLL=130 # The Script is already running
 declare -gir ERR_GUARD_SRCE=131 # Module tried to load twice.
 declare -gir ERR_GPG__AGENT=132 # GNUPG agent error.
-declare -gir ERR_SANITIZING=133 # Error occurred while sanitizing file.
+declare -gir ERR_SANITIZING=133 # The error occurred while sanitizing a file.
 declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon'
 declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535'
 declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'
