msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.536.2025.12.04
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m11s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-12-04 22:17:40 +01:00
parent 1b5fc26993
commit aedd03513e
8 changed files with 150 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
config/hooks/live/0822_ssh_restart_hook.chroot
View File

@@ -13,36 +13,17 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root
declare target_script="/etc/cron.d/restart-ssh"
mkdir -p /etc/systemd/system/ssh.service.d
cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
cat << EOF >| /etc/systemd/system/ssh.service.d/10-ciss-network.conf
[Unit]
After=network-online.target ufw.service fail2ban.service
Wants=network-online.target
[Service]
ExecStartPre=/bin/sleep 5
EOF
chmod 0444 "${target_script}"
cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Script to restart SSH at boot
systemctl stop ssh
sleep 5
systemctl start ssh
EOF
chmod +x /usr/local/bin/restart-ssh.sh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0

3
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -354,6 +354,9 @@ readonly -f verify_script
main() {
declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0
mkdir -p /var/log
: >| /var/log/wtmp
exec 1>&2
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

3
config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
View File

@@ -22,6 +22,9 @@ case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
mkdir -p /var/log
: >| /var/log/wtmp
mkdir -p /run/ciss
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log

3
config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
View File

@@ -22,6 +22,9 @@ case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
mkdir -p /var/log
: >| /var/log/wtmp
mkdir -p /run/ciss
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log

6
config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf → config/includes.chroot/etc/modprobe.d/30-ciss-hardening.conf
View File

@@ -94,9 +94,11 @@ blacklist gfs2
# The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
install vivid /bin/true
##### Disable access to USB #####
install usb_storage /bin/true
##### Disable access to USB and UAS #####
install usb-storage /bin/true
install uas /bin/true
blacklist usb-storage
blacklist uas
##### Disable access to IEEE1394 #####
install firewire-core /bin/true

9
config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
View File

@@ -364,17 +364,26 @@ done
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
kill "${PID_PROMPT}" 2>/dev/null || true
kill "${PID_BROKER}" 2>/dev/null || true
wait "${PID_PROMPT}" 2>/dev/null || true
wait "${PID_BROKER}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
sleep 60
log "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
panic "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
fi
kill "${PID_PROMPT}" 2>/dev/null || true
kill "${PID_BROKER}" 2>/dev/null || true
wait "${PID_PROMPT}" 2>/dev/null || true
wait "${PID_BROKER}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"