V8.13.536.2025.12.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-12-04 07:43:43 +01:00
parent 52f12b3915
commit 9813656088
2 changed files with 7 additions and 8 deletions
--- a/config/hooks/live/9935_hardening_ssl.chroot
+++ b/config/hooks/live/9935_hardening_ssl.chroot
@@ -440,9 +440,9 @@ Groups = X448:P-521:P-384
 SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
 # Operational flags:
-# -SessionTicket   ⇒ disable TLS session tickets (TLS 1.2 + 1.3)
+# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
-# ServerPreference ⇒ honor server cipher order (TLS 1.2)
+# ServerPreference: honor server cipher order (TLS 1.2)
-# NoRenegotiation  ⇒ disallow TLS 1.2 renegotiation
+# NoRenegotiation : disallow TLS 1.2 renegotiation
 Options = -SessionTicket,ServerPreference,NoRenegotiation
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -100,17 +100,16 @@ clean_up() {
  find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
  find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
  # TODO: activate
  ### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
-  #if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+  if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
    # shellcheck disable=SC2312
-  #  find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
    ### Remove empty directories (bottom-up).
-  #  find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
+    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
-  #fi
+  fi
  eval "${_old_nullglob}" 2>/dev/null || true
  eval "${_old_dotglob}"  2>/dev/null || true