V8.03.768.2025.06.23

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-23 18:46:10 +02:00
parent a5db5044f6
commit 87905d693c
35 changed files with 207 additions and 28 deletions
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Argument Parser
 # Globals:
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Check and setup Script Priorities
 # Globals:
--- a/lib/lib_boot_screen.sh
+++ b/lib/lib_boot_screen.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Set up a gauge Dialog Wrapper.
 # Globals:
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # CISS.2025.debian.installer GRUB and Autostart Generator
 # Globals:
--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Change Grub Boot Screen Splash
 # Globals:
--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Check if hardened Centurion DNS servers are desired.
 # Globals:
--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
 # Globals:
--- a/lib/lib_check_kernel.sh
+++ b/lib/lib_check_kernel.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Kernel Image Selector
 # Globals:
--- a/lib/lib_check_pkgs.sh
+++ b/lib/lib_check_pkgs.sh
@@ -10,13 +10,15 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Check for required Deb Packages to run the script.
 # Arguments:
 #  None
 #######################################
 check_pkgs() {
-  apt-get update -y
+  apt-get update -y > /dev/null 2>&1

  if [[ -z "$(command -v lsb_release || true)" ]]; then
    apt-get install -y --no-install-recommends lsb-release
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Notes Textbox
 # Arguments:
--- a/lib/lib_check_stats.sh
+++ b/lib/lib_check_stats.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Check if analysis run is desired only.
 # Globals:
--- a/lib/lib_check_var.sh
+++ b/lib/lib_check_var.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Unbound Variable Check and call Trap on ERR
 # Globals:
--- a/lib/lib_clean_screen.sh
+++ b/lib/lib_clean_screen.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Terminal cleaner before Trap on Error
 # Arguments:
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
 # Globals:
--- a/lib/lib_copy_integrity.sh
+++ b/lib/lib_copy_integrity.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Copy Initial ISO aide Database into Host System
 # Globals:
--- a/lib/lib_debug.sh
+++ b/lib/lib_debug.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Debugger Wrapper for xtrace to Debug Log
 # Globals:
@@ -34,7 +36,7 @@ debugger() {
      declare -p "${var}" 2>/dev/null
    done < <(compgen -v | grep -Ev '^(BASH|_).*')
  } | sort >| "${VAR_DUMP_VARS_INITIAL}"
-  declare -gx VAR_EARLY_DEBUG=true
+  declare -gx VAR_EARLY_DEBUG="true"
  ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
  declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
  # shellcheck disable=SC2155
--- a/lib/lib_debug_header.sh
+++ b/lib/lib_debug_header.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Generates Debug Log Header
 # Globals:
@@ -30,11 +32,9 @@
 debug_header() {
  declare -r arg_counter="$1"
  declare -r arg_string="$2"
-  # shellcheck disable=SC2155
-  declare git_head=$(git rev-parse HEAD)
  {
    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
-    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${git_head}"
+    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD_FULL}"
    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
@@ -45,6 +45,7 @@ debug_header() {
    printf "\e[97m+\e[0m\e[92m%s: UID                       : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
    printf "\e[97m+\e[0m\e[92m%s: EUID                      : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
    printf "\e[97m+\e[0m\e[92m%s: Hostname                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
+    printf "\e[97m+\e[0m\e[92m%s: Hostsystem                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_SYSTEM}"
    printf "\e[97m+\e[0m\e[92m%s: Script name               : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
    printf "\e[97m+\e[0m\e[92m%s: Argument Counter          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
    printf "\e[97m+\e[0m\e[92m%s: Argument String Original  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
@@ -53,6 +54,7 @@ debug_header() {
    printf "\e[97m+\e[0m\e[92m%s: Script work DIR           : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
    printf "\e[97m+\e[0m\e[92m%s: Shell Options             : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
    printf "\e[97m+\e[0m\e[92m%s: BASHOPTS                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
+    printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS                 : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
  } >&42
 }
--- a/lib/lib_debug_var_git.sh
+++ b/lib/lib_debug_var_git.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Define Git Repo related Variables.
+# Globals:
+#   VAR_GIT_HEAD
+#   VAR_GIT_REL
+#   VAR_GIT_REL_DATE
+#   VAR_GIT_REL_DATE_TIME
+#   VAR_GIT_REL_SHORT
+# Arguments:
+#   None
+#######################################
+check_git() {
+  # shellcheck disable=SC2155
+  if git rev-parse --is-inside-work-tree &>/dev/null; then
+    declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+    declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
+    declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
+    declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
+    declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_guard_sourcing.sh
+++ b/lib/lib_guard_sourcing.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the caller LIB-file from being sourced twice.
+# Derive a safe guard-variable name from the caller script filename.
+# Globals:
+#   BASH_SOURCE
+# Arguments:
+#   $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.
+# Returns:
+#   0: Returns '0' in both cases as they are intended to be successful.
+#######################################
+guard_sourcing() {
+  ### Determine the caller script (the library being sourced).
+  declare var_src="${1:-${BASH_SOURCE[1]}}"
+  ### Strip path, keep only filename
+  declare var_file_name="${var_src##*/}"
+  ### Sanitize to valid var name.
+  declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
+  ### Build guard-variable name.
+  declare var_guard_var="_${var_safe_name}_LOADED"
+
+  ### If already loaded, abort sourcing
+  if [[ -n "${!var_guard_var:-}" ]]; then
+    return 0
+  fi
+
+  ### Mark as loaded (readonly + exported)
+  declare -grx "${var_guard_var}"=1
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_hardening_root_pw.sh
+++ b/lib/lib_hardening_root_pw.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Updates the Live ISO to use root password authentication for local console access.
 # Globals:
--- a/lib/lib_hardening_ssh.sh
+++ b/lib/lib_hardening_ssh.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # SSH Hardening Ultra via TCP Wrapper
 # Globals:
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
 # Globals:
--- a/lib/lib_helper_ip.sh
+++ b/lib/lib_helper_ip.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # IP Notation cleaner for pure IP output only
 # Globals:
--- a/lib/lib_lb_build_start.sh
+++ b/lib/lib_lb_build_start.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
--- a/lib/lib_lb_config_start.sh
+++ b/lib/lib_lb_config_start.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
 # Globals:
--- a/lib/lib_lb_config_write.sh
+++ b/lib/lib_lb_config_write.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Notes Textbox
 # Arguments:
--- a/lib/lib_run_analysis.sh
+++ b/lib/lib_run_analysis.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Wrapper for statistic functions of the final build.
 # Globals:
--- a/lib/lib_sanitizer.sh
+++ b/lib/lib_sanitizer.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Argument Check Wrapper
 # Arguments:
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
@@ -35,7 +37,7 @@ print_file_err() {
  {
    printf "❌ CISS.debian.live.builder Script failed. \n"
    printf "❌ Version             : %s \n" "${VAR_VERSION}"
-    printf "❌ Environment         : %s \n" "${VAR_SYSTEM}"
+    printf "❌ Hostsystem          : %s \n" "${VAR_SYSTEM}"
    printf "❌ Error               : %s \n" "${ERRCODE}"
    printf "❌ Line                : %s \n" "${ERRLINE}"
    printf "❌ Script              : %s \n" "${ERRSCRT}"
@@ -78,7 +80,7 @@ print_file_err() {
 print_scr_err() {
  printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
  printf "\e[91m❌ Version             : %s \e[0m\n" "${VAR_VERSION}" >&2
-  printf "\e[91m❌ Environment         : %s \e[0m\n" "${VAR_SYSTEM}" >&2
+  printf "\e[91m❌ Hostsystem          : %s \e[0m\n" "${VAR_SYSTEM}" >&2
  printf "\e[91m❌ Error               : %s \e[0m\n" "${ERRCODE}" >&2
  printf "\e[91m❌ Line                : %s \e[0m\n" "${ERRLINE}" >&2
  printf "\e[91m❌ Script              : %s \e[0m\n" "${ERRSCRT}" >&2
--- a/lib/lib_trap_on_exit.sh
+++ b/lib/lib_trap_on_exit.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 #######################################
 # Trap function to be called on 'EXIT'.
 # Globals: