V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2025-11-10 11:57:27 +01:00
parent fc263c95e3
commit 6c00891cd4
62 changed files with 1419 additions and 312 deletions


@@ -30,9 +30,15 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
#######################################
clean_up() {
declare clean_exit_code="$1" fs_type=""
declare clean_exit_code="$1" fs_type="" _old_nullglob="" _old_dotglob="" _old_failglob=""
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
_old_failglob="$(shopt -p failglob || true)"
shopt -s nullglob dotglob
shopt -u failglob
rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}"
@@ -90,7 +96,21 @@ clean_up() {
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
shopt -u nullglob dotglob
# TODO: Activate shred
### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
#if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
# shellcheck disable=SC2312
# find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
### Remove empty directories (bottom-up).
# find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
#fi
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return 0
}
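Review bot: The three `shopt -p` captures at the top of `clean_up` and the three `eval … || true` restore lines before `return 0` can be collapsed to one variable and one restore, because `shopt -p` accepts several option names and prints one reusable `shopt -s`/`shopt -u` line per option: `_old_globopts="$(shopt -p nullglob dotglob failglob || true)"` and, at the end, `eval "${_old_globopts}"`. The `|| true` stays necessary since `shopt -p` returns non-zero when any named option is unset while still printing the lines, and the eval input is produced by the shell itself rather than read from the environment, so the pattern is sound, only repeated. The same three-variable sequence appears three more times in `normalize_ssh_keys_in_dir` in the later section and would shrink the same way. Separately, when the commented-out shred block under the TODO is activated, writing the path as `"${VAR_HANDLER_BUILD_DIR:?}/config/includes.chroot"` keeps an unset build directory from turning the shred into one of `/config/includes.chroot`. The middle of `clean_up`'s body, between the two hunks, is not shown.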


@@ -185,6 +185,7 @@ hardening_ultra() {
install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
declare -r sshport="${VAR_SSHPORT:-22}"
printf "%s" "${sshport}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/sshport"
### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155
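Review bot: `sshport` is taken from `VAR_SSHPORT` with a default of 22 but is never checked to be a port number before it is written to `root/sshport`, so a non-numeric or out-of-range value would be carried into the image; a guard before the `printf`, `[[ "${sshport}" =~ ^[0-9]+$ ]] && (( sshport >= 1 && sshport <= 65535 )) || return 1` (or the project's sanitizing error code), would catch it. The rendering drops the +/- markers, so it is not certain whether the `declare -r sshport` line or the `printf … >|` line is the one this commit adds. Unlike the `install -m 0600` line above it, the `>|` redirection creates `root/sshport` with umask-derived permissions; an explicit `chmod` afterwards would make the intended mode visible. `hardening_ultra` begins and ends outside the hunk.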


@@ -38,6 +38,8 @@ init_primordial() {
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"
install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
if [[ "${VAR_AGE,,}" == "true" ]]; then
@@ -115,7 +117,7 @@ normalize_ssh_key_file() {
if ! ssh-keygen -yf "${var_key_file}" >/dev/null; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -lf: [%s] \e[0m\n" "${var_key_file}"
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed check ssh-keygen -yf: [%s] \e[0m\n" "${var_key_file}"
return "${ERR_SANITIZING}"
fi
@@ -144,13 +146,21 @@ readonly -f normalize_ssh_key_file
# ERR_SANITIZING: on failure
#######################################
normalize_ssh_keys_in_dir() {
declare var_key_dir="" var_key_file=""
declare var_key_dir="" var_key_file="" _old_nullglob="" _old_dotglob="" _old_failglob=""
var_key_dir="$1"
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
_old_failglob="$(shopt -p failglob || true)"
shopt -s nullglob dotglob
shopt -u failglob
if [[ ! -d "${var_key_dir}" ]]; then
shopt -u nullglob dotglob
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return 0
fi
@@ -160,13 +170,17 @@ normalize_ssh_keys_in_dir() {
[[ -e "${var_key_file}" ]] || continue
if ! normalize_ssh_key_file "${var_key_file}"; then
shopt -u nullglob dotglob
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return "${ERR_SANITIZING}"
fi
done
shopt -u nullglob dotglob
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
return 0
}
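Review bot: In `normalize_ssh_keys_in_dir` the `[[ ! -d "${var_key_dir}" ]]` check runs after the glob options have already been changed, which is why the early-return path needs its own three-line restore; moving that check above the `shopt -p` captures, as `[[ -d "${var_key_dir}" ]] || return 0`, lets the function bail out before any shell state is touched and removes one of the three restore copies. The `shopt -u nullglob dotglob` lines appear to be the removed side here and are superseded by the eval restore, which is correct since the captured `shopt -s`/`shopt -u` lines already return each option to its prior state. The dotglob capture is written `$( shopt -p dotglob || true)` with a stray space after `$(` that the other two captures lack; `$(shopt -p dotglob || true)` keeps the three lines uniform. The loop header of `normalize_ssh_keys_in_dir` falls between the two hunks and is not shown.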


@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V8.13.400.2025.11.08 2025-11-06 CDLB(1)" "${var_cols}")
declare var_footer=$(center "V8.13.404.2025.11.10 2025-11-06 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V8.13.400.2025.11.08\e[0m"
echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"