V9.14.022.2026.06.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 17:57:31 +01:00
parent ae87d7ac54
commit 800cd175fc
55 changed files with 379 additions and 75 deletions
+18
@@ -38,6 +38,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# VAR_ISO8601
# VAR_LUKS
# VAR_LUKS_KEY
# VAR_PRIMORDIAL_SSH_PORT
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SIGNER
@@ -287,6 +288,23 @@ arg_parser() {
shift 1
;;
--primordial-ssh)
if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
# shellcheck disable=SC2034
declare -gix VAR_PRIMORDIAL_SSH_PORT="${2}"
shift 2
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --primordial-ssh MUST be an integer between '1' and '65535'.\e[0m\n" >&2
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR__SSH__PORT}"
fi
;;
--provider-netcup-ipv6)
if [[ -n "${2-}" && "${2}" != -* ]]; then
declare -i count=0
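Review bot: The error path of the new `--primordial-ssh` arm passes its prompt to `read` in the wrong position: `read -p -r $'…'` makes `-r` the prompt string and hands the escape-sequence prompt to `read` as the variable name, so the pause never shows the prompt, `read` fails with "not a valid identifier", and under `set -e` the script would leave with read's status instead of `exit "${ERR__SSH__PORT}"`. Swap the flags, `read -r -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'`; if the neighbouring arms outside this hunk use the same form they need the same swap. The range test also lets a leading `-` and leading zeros through the regex `^-?[0-9]+$`: `-5` is caught by `-ge 1`, but `010` should be evaluated as octal by `[[ -ge ]]` and by `declare -gix`, and `08` should be rejected with a base error rather than the intended message, so a tighter `^[1-9][0-9]{0,4}$` would match the "decimal integer" wording of the usage text. arg_parser() starts before this hunk and continues past it.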
+20 -5
@@ -13,13 +13,14 @@
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
# Module for following all 'CISS.debian.hardening' features into the Live ISO image.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# BASH_SOURCE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_PRIMORDIAL_SSH_PORT
# VAR_SSHFP
# VAR_SSHPORT
# VAR_SSHPUBKEY
@@ -196,12 +197,26 @@ hardening_ultra() {
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare ufw_file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${ufw_file}"
declare primordial_ssh_port="${VAR_PRIMORDIAL_SSH_PORT:-}"
if [[ -n "${primordial_ssh_port}" ]]; then
sed -i "s|^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$|declare -r PRIMORDIAL_SSH_PORT=\"${primordial_ssh_port}\"|" "${ufw_file}"
sed -i "s|^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$| ufw allow out \"\${PRIMORDIAL_SSH_PORT}\"/tcp comment 'Outgoing Primordial SSH'|" "${ufw_file}"
else
sed -i '/^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$/d' "${ufw_file}"
sed -i '/^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$/d' "${ufw_file}"
fi
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare file="${ufw_file}"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
@@ -251,7 +266,7 @@ hardening_ultra() {
### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
printf "\e[95m🧪 Updating fail2ban Jump-hosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
@@ -265,7 +280,7 @@ hardening_ultra() {
# Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
printf "\e[92m✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
printf "\e[92m✅ Updating fail2ban Jump-hosts IPs done. \e[0m\n"
else
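Review bot: The two substitutions under `if [[ -n "${primordial_ssh_port}" ]]` are silent no-ops when the hook template does not carry the `# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET` and `# PRIMORDIAL_SSH_RULE_MUST_BE_SET` placeholder lines, so a build can finish with the port validated and exported but no outgoing rule in 0900_ufw_setup.chroot, and the bootstrap SSH path is then blocked whenever the outgoing policy is deny. A post-check after the `sed` calls would make that visible, e.g. `grep -q '^declare -r PRIMORDIAL_SSH_PORT=' "${ufw_file}" || { printf "\e[91m❌ Error: PRIMORDIAL_SSH placeholders missing in 0900_ufw_setup.chroot.\e[0m\n" >&2; ...; }` followed by the module's usual error exit. The template's contents are not on this page, so whether the placeholders are present there is inferred. Smaller: `declare file="${ufw_file}"` only aliases the variable; the following `sed` could use `${ufw_file}` directly. hardening_ultra() starts before this hunk and continues past it.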
+1 -1
@@ -90,7 +90,7 @@ init_primordial() {
fi
### Check for SSH CISS and PhysNet primordial-workflow(tm) integration -------------------------------------------------------
### Check for SSH CISS and PhysNet Primordial-Workflow integration -------------------------------------------------------
if [[ "${VAR_SSHFP,,}" == "true" ]]; then
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
+8 -2
@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V9.14.020.2026.06.08 2026-06-08 CDLB(1)" "${var_cols}")
declare var_footer=$(center "V9.14.022.2026.06.10 2026-06-10 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V9.14.020.2026.06.08\e[0m"
echo -e "\e[92mMaster V9.14.022.2026.06.10\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -120,6 +120,12 @@ usage() {
echo " Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
echo " the argument '--build-directory' MUST be provided."
echo
echo -e "\e[97m --primordial-ssh <INTEGER> \e[0m"
echo " Adds one outgoing UFW TCP exception for a bootstrap SSH port."
echo " Outgoing only: no incoming firewall rule is added, and this option does not replace '--ssh-port'."
echo " Effective only when the Live System's UFW outgoing policy is 'deny'."
echo " Port MUST be a decimal integer between '1' and '65535'."
echo
echo -e "\e[97m --provider-netcup-ipv6 \e[0m"
echo " Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be"
echo " encapsulated with [], e.g., [1234::abcd]."