V9.14.022.2026.06.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/lib_hardening_ultra.sh

@@ -13,13 +13,14 @@
 guard_sourcing || return "${ERR_GUARD_SRCE}"
 
 #######################################
-# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
+# Module for following all 'CISS.debian.hardening' features into the Live ISO image.
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_JUMPHOST_UNIQUE
 #   BASH_SOURCE
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
+#   VAR_PRIMORDIAL_SSH_PORT
 #   VAR_SSHFP
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
@@ -196,12 +197,26 @@ hardening_ultra() {
   sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
 
   ### /config/hooks/live/0900_ufw_setup.chroot
-  sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+  declare ufw_file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+  sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${ufw_file}"
+
+  declare primordial_ssh_port="${VAR_PRIMORDIAL_SSH_PORT:-}"
+  if [[ -n "${primordial_ssh_port}" ]]; then
+
+    sed -i "s|^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$|declare -r PRIMORDIAL_SSH_PORT=\"${primordial_ssh_port}\"|" "${ufw_file}"
+    sed -i "s|^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$|  ufw allow out \"\${PRIMORDIAL_SSH_PORT}\"/tcp comment 'Outgoing Primordial SSH'|" "${ufw_file}"
+
+  else
+
+    sed -i '/^# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET$/d' "${ufw_file}"
+    sed -i '/^[[:space:]]*# PRIMORDIAL_SSH_RULE_MUST_BE_SET$/d' "${ufw_file}"
+
+  fi
 
   ### /config/hooks/live/0900_ufw_setup.chroot
   if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
 
-    declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+    declare file="${ufw_file}"
 
     sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
 
@@ -251,7 +266,7 @@ hardening_ultra() {
   ### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
   if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
 
-    printf "\e[95m🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
+    printf "\e[95m🧪 Updating fail2ban Jump-hosts IPs ... \e[0m\n"
 
     # Join array entries with spaces, preserving any newlines
     declare ips="${ARY_HANDLER_JUMPHOST[*]}"
@@ -265,7 +280,7 @@ hardening_ultra() {
     # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
     sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
 
-    printf "\e[92m✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
+    printf "\e[92m✅ Updating fail2ban Jump-hosts IPs done. \e[0m\n"
 
   else