diff --git a/.archive/background/club.png b/.archive/background/club.png new file mode 100644 index 0000000..1135dfc Binary files /dev/null and b/.archive/background/club.png differ diff --git a/.archive/background/hexagon.png b/.archive/background/hexagon.png new file mode 100644 index 0000000..deab51e Binary files /dev/null and b/.archive/background/hexagon.png differ diff --git a/.archive/icon.lib b/.archive/icon.lib new file mode 100644 index 0000000..fd686bb --- /dev/null +++ b/.archive/icon.lib @@ -0,0 +1,42 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +βœ… +πŸ”§ +πŸ”‘ +πŸ–₯️ +πŸ› οΈ +πŸ“₯ +πŸ“¦ +πŸ“‘ +πŸ“‚ +πŸ”’ +πŸ” +βš™οΈ +❌ +🌌 +πŸŽ‰ +πŸ–₯️ +πŸ”‘ +πŸ“‚ +πŸ“© +πŸ”΅ +😺 +πŸ§ͺ +πŸ“Š +🧾 +πŸ“€ +πŸ“‰ +⏱ +🧠 +πŸ“… +πŸ’™ +🚫 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..d484480 --- /dev/null +++ b/.editorconfig 
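Review bot: The `SPDX-LicenseComment` in `.archive/icon.lib` names the "CISS.hardened.installer framework", while the identical header block in `.editorconfig` and both templates of this commit says "CISS.debian.installer.secure framework"; the rest of the ten SPDX lines matches byte for byte, so this looks like a stale copy rather than a deliberate distinction. The trailing modeline declares `ft=sh` for a file that contains one glyph per line and no shell at all, and the hunk ends with "No newline at end of file". I would pick one framework name and mirror it into all four headers, and either drop `ft=sh` from the modeline or add the final newline so the file matches the conventions this same commit introduces in `.editorconfig`.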
@@ -0,0 +1,53 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# EditorConfig is awesome: https://editorconfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+tab_width = 2
+max_line_length = 128
+
+[*.conf]
+end_of_line = lf
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+end_of_line = lf
+# Markdown benefits from a final newline for POSIX tools
+insert_final_newline = true
+# Do not trim trailing whitespace: two spaces at end-of-line signal a hard line break in Markdown
+trim_trailing_whitespace = false
+
+#[*.toml]
+#end_of_line = lf
+#insert_final_newline = true
+## TOML values can include strings where trailing spaces may matter; better not trim
+#trim_trailing_whitespace = false
+#charset = utf-8
+
+[*.{yaml,yml}]
+end_of_line = lf
+insert_final_newline = true
+# Trim trailing whitespace (safe, since YAML does not rely on trailing spaces)
+trim_trailing_whitespace = true
+
+[*.{sh,bash,zsh}]
+end_of_line = lf
+charset = utf-8
+insert_final_newline = true
+trim_trailing_whitespace = true
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
new file mode 100644
index 0000000..620b548
--- /dev/null
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
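Review bot: `charset`, `end_of_line` and `insert_final_newline` are only set in the per-extension sections, so the `.json` schemas, the `.lib` file, `.editorconfig` itself and any extensionless script added elsewhere in this commit receive no encoding or line-ending rule at all, while `[*]` only fixes indentation and line length. Hoisting `end_of_line = lf`, `charset = utf-8` and `insert_final_newline = true` into `[*]` covers every file uniformly; the `[*.conf]` and `[*.{sh,bash,zsh}]` sections then carry nothing the default does not already say and can be dropped or reduced to `trim_trailing_whitespace = true`. The `[*.md]` section keeps its `trim_trailing_whitespace = false`, which still overrides the default as intended.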
@@ -0,0 +1,94 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +--- +name: "Bug Report" +about: "Create a report to help us improve" +title: "[BUG | possible BUG]: " +labels: "bug:to be reproduced,bug:needs triage/confirmation" +assignees: "" +--- +body: + # Instructions for the reporter + - type: markdown + attributes: + value: | + _Please provide concise information to reproduce the bug; issues lacking detail may be closed._ + # Version information + - type: input + id: version + attributes: + label: "Version" + description: "Which version are you running? Use `./ciss_live_builder.sh -v`." + placeholder: "e.g., Master V8.02.080.2025.05.19" + validations: + required: true + + # Known issues check + - type: textarea + id: known_issue + attributes: + label: "Search for known issues" + description: "Is this a known problem? Link to related issues or state 'none found'." + placeholder: "e.g., #1234 or none found" + validations: + required: true + + # Reproduction steps + - type: textarea + id: reproduction + attributes: + label: "Command line" + description: | + Which command did you run, and against which target? + If you prefer not to disclose publicly, use `security@coresecret.eu`. + placeholder: "e.g., ./ciss_live_builder.sh --debug" + validations: + required: true + + # Expected behavior + - type: textarea + id: expected + attributes: + label: "Expected behavior" + description: "Describe clearly what you expected to happen." 
+ placeholder: "e.g., Build completes without errors" + validations: + required: true + + # System information + - type: input + id: os + attributes: + label: "Operating System" + description: "Retrieve via `awk -F\" '/PRETTY_NAME/ { print $2 }' /etc/os-release`." + placeholder: "e.g., Debian GNU/Linux 12 (bookworm)" + validations: + required: true + + - type: input + id: platform + attributes: + label: "Platform" + description: "Retrieve via `uname -srm`." + placeholder: "e.g., Linux 6.12.22+bpo-amd64 x86_64" + validations: + required: true + + # Additional context + - type: textarea + id: additional_context + attributes: + label: "Additional context" + description: "Any other information about the problem." + placeholder: "e.g., Logs, screenshots, configuration snippets" + validations: + required: false +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml new file mode 100644 index 0000000..bb143b7 --- /dev/null +++ b/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml 
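Review bot: The second `---` that follows `assignees: ""` opens a new YAML document, so `body:` lands in a document of its own and a loader that reads only the first document (which, as far as I recall, is how Gitea parses YAML issue forms) sees a template with `name`, `about`, `title`, `labels` and `assignees` but no `body`, and either rejects it or renders an empty form. The `---` … `---` framing is Markdown-template frontmatter; a YAML form is a single document, so remove the second `---` (the leading one is harmless) and keep `body:` at the same level as the other keys. Separately, the `additional_context` placeholder invites logs and configuration snippets, and a builder log can carry mirror URLs, hostnames or key identifiers, so I would extend that field's description to `Any other information about the problem. Please redact credentials, tokens and internal hostnames from logs and snippets.`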
@@ -0,0 +1,55 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +--- +name: "Standard-PR" +about: "Please answer the following questions before submitting the PR." +title: "[PR]: " +ref: "master" +body: + - type: markdown + attributes: + value: | + Thank you for your PR. + # Section for free-form description + - type: textarea + id: description + attributes: + label: "Describe your changes" + description: "Please refer to an issue here or describe the change thoroughly in your PR." + placeholder: "e.g., Fix typo in README" + validations: + required: true + # Section for categorizing the PR + - type: checkboxes + id: pr-type + attributes: + label: "What is your pull request about?" 
+ options: + - label: "Bug fix" + - label: "Improvement" + - label: "New feature (adds functionality)" + - label: "Breaking change (existing functionality may not work)" + - label: "Typo fix" + - label: "Documentation update" + - label: "Update of other files" + # Section for code-quality checklist + - type: checkboxes + id: code-checklist + attributes: + label: "If this is a code change, please check all that apply:" + options: + - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace" + - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md" + - label: "I have tested this fix or improvement on β‰₯2 VMs without issues" + - label: "I have tested this new feature on β‰₯2 VMs with and without it to avoid side effects" + - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature" + - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md" +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/properties/json/gitea-issue-config.json b/.gitea/properties/json/gitea-issue-config.json new file mode 100644 index 0000000..70e4525 --- /dev/null +++ b/.gitea/properties/json/gitea-issue-config.json 
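Review bot: The PR form is placed under `.gitea/ISSUE_TEMPLATE/`, a directory Gitea scans for issue templates, so "Standard-PR" will most likely be offered in the issue chooser and never attached to a pull request; the PR template locations are the repository root and `.gitea/` (for example `.gitea/PULL_REQUEST_TEMPLATE.yaml`), not the issue-template directory — worth verifying against the Gitea version in use. The `ref: "master"` key is an issue-template setting and has no effect on a PR form, which reinforces that the two template kinds were mixed up here. For a hardened-installer builder I would also add one item to the `code-checklist` options, `- label: "My change adds no credentials, signing keys or other secrets to the repository"`, so the checklist covers the one class of mistake that cannot be undone by a follow-up commit.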
@@ -0,0 +1,45 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://json.schemastore.org/gitea-issue-config.json", + "$comment": "https://docs.gitea.com/usage/issue-pull-request-templates#syntax-for-issue-config", + "properties": { + "blank_issues_enabled": { + "description": "Specify whether forms have to be used or blank issue are allowed\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options", + "type": "boolean" + }, + "contact_links": { + "title": "contact links", + "description": "Contact links\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options", + "type": "array", + "minItems": 1, + "items": { + "type": "object", + "required": ["name", "url", "about"], + "properties": { + "name": { + "description": "The name of your link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link", + "type": "string", + "minLength": 1, + "examples": ["Sample name"] + }, + "url": { + "description": "The URL of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link", + "type": "string", + "pattern": "^https?://", + "examples": ["https://sample/url"] + }, + "about": { + "description": "A short description of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link", + "type": "string", + "minLength": 1, + "examples": ["Sample description"] + } + }, + "additionalProperties": false + } + } + }, + "additionalProperties": false, + "title": "Gitea issue template chooser config file schema", + "type": "object" +} diff --git a/.gitea/properties/json/gitea-workflow-config.json b/.gitea/properties/json/gitea-workflow-config.json new file mode 100644 index 0000000..0e1c5a6 --- /dev/null +++ b/.gitea/properties/json/gitea-workflow-config.json 
@@ -0,0 +1,12 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "allOf": [ + { "$ref": "https://json.schemastore.org/github-workflow.json" }, + { + "properties": { + "kind": { "type": "string", "enum": ["pipeline"] }, + "type": { "type": "string", "enum": ["docker"] } + } + } + ] +} diff --git a/.gitea/properties/json/github-workflow.json b/.gitea/properties/json/github-workflow.json new file mode 100644 index 0000000..169c087 --- /dev/null +++ b/.gitea/properties/json/github-workflow.json 
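Review bot: The `allOf` entry resolves `$ref` against `https://json.schemastore.org/github-workflow.json` over the network even though the same commit vendors that schema next to this file as `github-workflow.json`, so validation depends on whatever schemastore serves at validation time and the checked-in copy is never consulted unless the editor happens to map the URL locally. Pointing at the local copy, `{ "$ref": "./github-workflow.json" }`, makes the vendored schema the one that actually validates the workflows and keeps validation working offline. The added `kind` and `type` properties are also not listed under `required`, so a workflow that omits them still validates; if they are mandatory for the pipeline, add `"required": ["kind", "type"]` to that second object.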
@@ -0,0 +1,1715 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "https://json.schemastore.org/github-workflow.json", + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions", + "additionalProperties": false, + "definitions": { + "architecture": { + "type": "string", + "enum": ["ARM32", "x64", "x86"] + }, + "branch": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestbranchestags", + "$ref": "#/definitions/globs", + "description": "When using the push and pull_request events, you can configure a workflow to run on specific branches or tags. If you only define only tags or only branches, the workflow won't run for events affecting the undefined Git ref.\nThe branches, branches-ignore, tags, and tags-ignore keywords accept glob patterns that use the * and ** wildcard characters to match more than one branch or tag name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nThe patterns defined in branches and tags are evaluated against the Git ref's name. For example, defining the pattern mona/octocat in branches will match the refs/heads/mona/octocat Git ref. The pattern releases/** will match the refs/heads/releases/10 Git ref.\nYou can use two types of filters to prevent a workflow from running on pushes and pull requests to tags and branches:\n- branches or branches-ignore - You cannot use both the branches and branches-ignore filters for the same event in a workflow. Use the branches filter when you need to filter branches for positive matches and exclude branches. Use the branches-ignore filter when you only need to exclude branch names.\n- tags or tags-ignore - You cannot use both the tags and tags-ignore filters for the same event in a workflow. 
Use the tags filter when you need to filter tags for positive matches and exclude tags. Use the tags-ignore filter when you only need to exclude tag names.\nYou can exclude tags and branches using the ! character. The order that you define patterns matters.\n- A matching negative pattern (prefixed with !) after a positive match will exclude the Git ref.\n- A matching positive pattern after a negative match will include the Git ref again." + }, + "concurrency": { + "type": "object", + "properties": { + "group": { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run-1", + "description": "When a concurrent job or workflow is queued, if another job or workflow using the same concurrency group in the repository is in progress, the queued job or workflow will be pending. Any previously pending job or workflow in the concurrency group will be canceled.", + "type": "string" + }, + "cancel-in-progress": { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run-1", + "description": "To cancel any currently running job or workflow in the same concurrency group, specify cancel-in-progress: true.", + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ] + } + }, + "required": ["group"], + "additionalProperties": false + }, + "configuration": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + }, + { + "type": "boolean" + }, + { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/configuration" + } + }, + { + "type": "array", + "items": { + "$ref": "#/definitions/configuration" + } + } + ] + }, + "container": { + "type": "object", + "properties": { + "image": { + "$comment": 
"https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerimage", + "description": "The Docker image to use as the container to run the action. The value can be the Docker Hub image name or a registry name.", + "type": "string" + }, + "credentials": { + "$comment": "https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontainercredentials", + "description": "If the image's container registry requires authentication to pull the image, you can use credentials to set a map of the username and password. The credentials are the same values that you would provide to the `docker login` command.", + "type": "object", + "properties": { + "username": { + "type": "string" + }, + "password": { + "type": "string" + } + } + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerenv", + "$ref": "#/definitions/env", + "description": "Sets an array of environment variables in the container." + }, + "ports": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainerports", + "description": "Sets an array of ports to expose on the container.", + "type": "array", + "items": { + "oneOf": [ + { + "type": "number" + }, + { + "type": "string" + } + ] + }, + "minItems": 1 + }, + "volumes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainervolumes", + "description": "Sets an array of volumes for the container to use. You can use volumes to share data between services or other steps in a job. 
You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.\nTo specify a volume, you specify the source and destination path: :\nThe is a volume name or an absolute path on the host machine, and is an absolute path in the container.", + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "options": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontaineroptions", + "description": "Additional Docker container resource options. For a list of options, see https://docs.docker.com/engine/reference/commandline/create/#options.", + "type": "string" + } + }, + "required": ["image"], + "additionalProperties": false + }, + "defaults": { + "type": "object", + "properties": { + "run": { + "type": "object", + "properties": { + "shell": { + "$ref": "#/definitions/shell" + }, + "working-directory": { + "$ref": "#/definitions/working-directory" + } + }, + "minProperties": 1, + "additionalProperties": false + } + }, + "minProperties": 1, + "additionalProperties": false + }, + "permissions": { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions", + "description": "You can modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access.", + "oneOf": [ + { + "type": "string", + "enum": ["read-all", "write-all"] + }, + { + "$ref": "#/definitions/permissions-event" + } + ] + }, + "permissions-event": { + "type": "object", + "additionalProperties": false, + "properties": { + "actions": { + "$ref": "#/definitions/permissions-level" + }, + "attestations": { + "$ref": "#/definitions/permissions-level" + }, + "checks": { + "$ref": "#/definitions/permissions-level" + }, + "contents": { + "$ref": "#/definitions/permissions-level" + }, + "deployments": { + "$ref": "#/definitions/permissions-level" + }, + 
"discussions": { + "$ref": "#/definitions/permissions-level" + }, + "id-token": { + "$ref": "#/definitions/permissions-level" + }, + "issues": { + "$ref": "#/definitions/permissions-level" + }, + "models": { + "type": "string", + "enum": ["read", "none"] + }, + "packages": { + "$ref": "#/definitions/permissions-level" + }, + "pages": { + "$ref": "#/definitions/permissions-level" + }, + "pull-requests": { + "$ref": "#/definitions/permissions-level" + }, + "repository-projects": { + "$ref": "#/definitions/permissions-level" + }, + "security-events": { + "$ref": "#/definitions/permissions-level" + }, + "statuses": { + "$ref": "#/definitions/permissions-level" + } + } + }, + "permissions-level": { + "type": "string", + "enum": ["read", "write", "none"] + }, + "env": { + "$comment": "https://docs.github.com/en/actions/learn-github-actions/environment-variables", + "description": "To set custom environment variables, you need to specify the variables in the workflow file. You can define environment variables for a step, job, or entire workflow using the jobs..steps[*].env, jobs..env, and env keywords. 
For more information, see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv", + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "number" + }, + { + "type": "boolean" + } + ] + } + }, + { + "$ref": "#/definitions/stringContainingExpressionSyntax" + } + ] + }, + "environment": { + "$comment": "https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment", + "description": "The environment that the job references", + "type": "object", + "properties": { + "name": { + "$comment": "https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-a-single-environment-name", + "description": "The name of the environment configured in the repo.", + "type": "string" + }, + "url": { + "$comment": "https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-environment-name-and-url", + "description": "A deployment URL", + "type": "string" + } + }, + "required": ["name"], + "additionalProperties": false + }, + "event": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows", + "type": "string", + "enum": [ + "branch_protection_rule", + "check_run", + "check_suite", + "create", + "delete", + "deployment", + "deployment_status", + "discussion", + "discussion_comment", + "fork", + "gollum", + "issue_comment", + "issues", + "label", + "merge_group", + "milestone", + "page_build", + "project", + "project_card", + "project_column", + "public", + "pull_request", + "pull_request_review", + "pull_request_review_comment", + "pull_request_target", + "push", + "registry_package", + "release", + "status", + "watch", + "workflow_call", + "workflow_dispatch", + "workflow_run", + "repository_dispatch" + ] + }, + "eventObject": { + 
"oneOf": [ + { + "type": "object" + }, + { + "type": "null" + } + ], + "additionalProperties": true + }, + "expressionSyntax": { + "$comment": "escape `{` and `}` in pattern to be unicode compatible (#1360)", + "type": "string", + "pattern": "^\\$\\{\\{(.|[\r\n])*\\}\\}$" + }, + "stringContainingExpressionSyntax": { + "$comment": "escape `{` and `}` in pattern to be unicode compatible (#1360)", + "type": "string", + "pattern": "^.*\\$\\{\\{(.|[\r\n])*\\}\\}.*$" + }, + "globs": { + "type": "array", + "items": { + "type": "string", + "minLength": 1 + }, + "minItems": 1 + }, + "machine": { + "type": "string", + "enum": ["linux", "macos", "windows"] + }, + "name": { + "type": "string", + "pattern": "^[_a-zA-Z][a-zA-Z0-9_-]*$" + }, + "path": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths", + "$ref": "#/definitions/globs", + "description": "When using the push and pull_request events, you can configure a workflow to run when at least one file does not match paths-ignore or at least one modified file matches the configured paths. Path filters are not evaluated for pushes to tags.\nThe paths-ignore and paths keywords accept glob patterns that use the * and ** wildcard characters to match more than one path name. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.\nYou can exclude paths using two types of filters. You cannot use both of these filters for the same event in a workflow.\n- paths-ignore - Use the paths-ignore filter when you only need to exclude path names.\n- paths - Use the paths filter when you need to filter paths for positive matches and exclude paths." 
+ }, + "ref": { + "properties": { + "branches": { + "$ref": "#/definitions/branch" + }, + "branches-ignore": { + "$ref": "#/definitions/branch" + }, + "tags": { + "$ref": "#/definitions/branch" + }, + "tags-ignore": { + "$ref": "#/definitions/branch" + }, + "paths": { + "$ref": "#/definitions/path" + }, + "paths-ignore": { + "$ref": "#/definitions/path" + } + }, + "oneOf": [ + { + "type": "object", + "allOf": [ + { + "not": { + "required": ["branches", "branches-ignore"] + } + }, + { + "not": { + "required": ["tags", "tags-ignore"] + } + }, + { + "not": { + "required": ["paths", "paths-ignore"] + } + } + ] + }, + { + "type": "null" + } + ] + }, + "shell": { + "$comment": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell", + "description": "You can override the default shell settings in the runner's operating system using the shell keyword. You can use built-in shell keywords, or you can define a custom set of shell options.", + "anyOf": [ + { + "type": "string" + }, + { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#custom-shell", + "type": "string", + "enum": ["bash", "pwsh", "python", "sh", "cmd", "powershell"] + } + ] + }, + "step": { + "type": "object", + "additionalProperties": false, + "dependencies": { + "working-directory": ["run"], + "shell": ["run"] + }, + "oneOf": [ + { + "required": ["uses"] + }, + { + "required": ["run"] + } + ], + "properties": { + "id": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsid", + "description": "A unique identifier for the step. You can use the id to reference the step in contexts. 
For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": "string" + }, + "if": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsif", + "description": "You can use the if conditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": ["boolean", "number", "string"] + }, + "name": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsname", + "description": "A name for your step to display on GitHub.", + "type": "string" + }, + "uses": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsuses", + "description": "Selects an action to run as part of a step in your job. An action is a reusable unit of code. You can use an action defined in the same repository as the workflow, a public repository, or in a published Docker container image (https://hub.docker.com/).\nWe strongly recommend that you include the version of the action you are using by specifying a Git ref, SHA, or Docker tag number. If you don't specify a version, it could break your workflows or cause unexpected behavior when the action owner publishes an update.\n- Using the commit SHA of a released action version is the safest for stability and security.\n- Using the specific major action version allows you to receive critical fixes and security patches while still maintaining compatibility. 
It also assures that your workflow should still work.\n- Using the master branch of an action may be convenient, but if someone releases a new major version with a breaking change, your workflow could break.\nSome actions require inputs that you must set using the with keyword. Review the action's README file to determine the inputs required.\nActions are either JavaScript files or Docker containers. If the action you're using is a Docker container you must run the job in a Linux virtual environment. For more details, see https://help.github.com/en/articles/virtual-environments-for-github-actions.", + "type": "string" + }, + "run": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsrun", + "description": "Runs command-line programs using the operating system's shell. If you do not provide a name, the step name will default to the text specified in the run command.\nCommands run using non-login shells by default. You can choose a different shell and customize the shell used to run commands. For more information, see https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#using-a-specific-shell.\nEach run keyword represents a new process and shell in the virtual environment. When you provide multi-line commands, each line runs in the same shell.", + "type": "string" + }, + "working-directory": { + "$ref": "#/definitions/working-directory" + }, + "shell": { + "$ref": "#/definitions/shell" + }, + "with": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswith", + "$ref": "#/definitions/env", + "description": "A map of the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. 
The variable is prefixed with INPUT_ and converted to upper case.", + "properties": { + "args": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithargs", + "type": "string" + }, + "entrypoint": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepswithentrypoint", + "type": "string" + } + } + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepsenv", + "$ref": "#/definitions/env", + "description": "Sets environment variables for steps to use in the virtual environment. You can also set environment variables for the entire workflow or a job." + }, + "continue-on-error": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error", + "description": "Prevents a job from failing when a step fails. Set to true to allow a job to pass when this step fails.", + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ], + "default": false + }, + "timeout-minutes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes", + "description": "The maximum number of minutes to run the step before killing the process.", + "oneOf": [ + { + "type": "number" + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ] + } + } + }, + "types": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#onevent_nametypes", + "description": "Selects the types of activity that will trigger a workflow run. Most GitHub events are triggered by more than one type of activity. 
For example, the event for the release resource is triggered when a release is published, unpublished, created, edited, deleted, or prereleased. The types keyword enables you to narrow down activity that causes the workflow to run. When only one activity type triggers a webhook event, the types keyword is unnecessary.\nYou can use an array of event types. For more information about each event and their activity types, see https://help.github.com/en/articles/events-that-trigger-workflows#webhook-events.", + "oneOf": [ + { + "type": "array", + "minItems": 1 + }, + { + "type": "string" + } + ] + }, + "working-directory": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun", + "description": "Using the working-directory keyword, you can specify the working directory of where to run the command.", + "type": "string" + }, + "jobNeeds": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idneeds", + "description": "Identifies any jobs that must complete successfully before this job will run. It can be a string or array of strings. If a job fails, all jobs that need it are skipped unless the jobs use a conditional statement that causes the job to continue.", + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/name" + }, + "minItems": 1 + }, + { + "$ref": "#/definitions/name" + } + ] + }, + "matrix": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix", + "description": "A build matrix is a set of different configurations of the virtual environment. For example you might run a job against more than one supported version of a language, operating system, or tool. 
Each configuration is a copy of the job that runs and reports a status.\nYou can specify a matrix by supplying an array for the configuration options. For example, if the GitHub virtual environment supports Node.js versions 6, 8, and 10 you could specify an array of those versions in the matrix.\nWhen you define a matrix of operating systems, you must set the required runs-on keyword to the operating system of the current job, rather than hard-coding the operating system name. To access the operating system name, you can use the matrix.os context parameter to set runs-on. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "oneOf": [ + { + "type": "object", + "patternProperties": { + "^(in|ex)clude$": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#example-including-configurations-in-a-matrix-build", + "oneOf": [ + { + "$ref": "#/definitions/expressionSyntax" + }, + { + "type": "array", + "items": { + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/configuration" + } + }, + "minItems": 1 + } + ] + } + }, + "additionalProperties": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/configuration" + }, + "minItems": 1 + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ] + }, + "minProperties": 1 + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ] + }, + "reusableWorkflowCallJob": { + "$comment": "https://docs.github.com/en/actions/learn-github-actions/reusing-workflows#calling-a-reusable-workflow", + "description": "Each job must have an id to associate with the job. The key job_id is a string and its value is a map of the job's configuration data. You must replace with a string that is unique to the jobs object. 
The must start with a letter or _ and contain only alphanumeric characters, -, or _.", + "type": "object", + "properties": { + "name": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idname", + "description": "The name of the job displayed on GitHub.", + "type": "string" + }, + "needs": { + "$ref": "#/definitions/jobNeeds" + }, + "permissions": { + "$ref": "#/definitions/permissions" + }, + "if": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idif", + "description": "You can use the if conditional to prevent a job from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": ["boolean", "number", "string"] + }, + "uses": { + "$comment": "https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_iduses", + "description": "The location and version of a reusable workflow file to run as a job, of the form './{path/to}/{localfile}.yml' or '{owner}/{repo}/{path}/(unknown)@{ref}'. {ref} can be a SHA, a release tag, or a branch name. Using the commit SHA is the safest for stability and security.", + "type": "string", + "pattern": "^(.+\\/)+(.+)\\.(ya?ml)(@.+)?$" + }, + "with": { + "$comment": "https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idwith", + "$ref": "#/definitions/env", + "description": "A map of inputs that are passed to the called workflow. Any inputs that you pass must match the input specifications defined in the called workflow. 
Unlike 'jobs..steps[*].with', the inputs you pass with 'jobs..with' are not be available as environment variables in the called workflow. Instead, you can reference the inputs by using the inputs context." + }, + "secrets": { + "$comment": "https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#jobsjob_idsecrets", + "description": "When a job is used to call a reusable workflow, you can use 'secrets' to provide a map of secrets that are passed to the called workflow. Any secrets that you pass must match the names defined in the called workflow.", + "oneOf": [ + { + "$ref": "#/definitions/env" + }, + { + "type": "string", + "enum": ["inherit"] + } + ] + }, + "strategy": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy", + "description": "A strategy creates a build matrix for your jobs. You can define different variations of an environment to run each job in.", + "type": "object", + "properties": { + "matrix": { + "$ref": "#/definitions/matrix" + }, + "fail-fast": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast", + "description": "When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true", + "type": ["boolean", "string"], + "default": true + }, + "max-parallel": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel", + "description": "The maximum number of jobs that can run simultaneously when using a matrix job strategy. 
By default, GitHub will maximize the number of jobs run in parallel depending on the available runners on GitHub-hosted virtual machines.", + "type": ["number", "string"] + } + }, + "required": ["matrix"], + "additionalProperties": false + }, + "concurrency": { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idconcurrency", + "description": "Concurrency ensures that only a single job or workflow using the same concurrency group will run at a time. A concurrency group can be any string or expression. The expression can use any context except for the secrets context. \nYou can also specify concurrency at the workflow level. \nWhen a concurrent job or workflow is queued, if another job or workflow using the same concurrency group in the repository is in progress, the queued job or workflow will be pending. Any previously pending job or workflow in the concurrency group will be canceled. To also cancel any currently running job or workflow in the same concurrency group, specify cancel-in-progress: true.", + "oneOf": [ + { + "type": "string" + }, + { + "$ref": "#/definitions/concurrency" + } + ] + } + }, + "required": ["uses"], + "additionalProperties": false + }, + "normalJob": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_id", + "description": "Each job must have an id to associate with the job. The key job_id is a string and its value is a map of the job's configuration data. You must replace with a string that is unique to the jobs object. 
The must start with a letter or _ and contain only alphanumeric characters, -, or _.", + "type": "object", + "properties": { + "name": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idname", + "description": "The name of the job displayed on GitHub.", + "type": "string" + }, + "needs": { + "$ref": "#/definitions/jobNeeds" + }, + "permissions": { + "$ref": "#/definitions/permissions" + }, + "runs-on": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idruns-on", + "description": "The type of machine to run the job on. The machine can be either a GitHub-hosted runner, or a self-hosted runner.", + "anyOf": [ + { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#github-hosted-runners", + "type": "string" + }, + { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#self-hosted-runners", + "type": "array", + "anyOf": [ + { + "items": [ + { + "type": "string" + } + ], + "minItems": 1, + "additionalItems": { + "type": "string" + } + } + ] + }, + { + "$comment": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#choosing-runners-in-a-group", + "type": "object", + "properties": { + "group": { + "type": "string" + }, + "labels": { + "oneOf": [ + { + "type": "string" + }, + { + "type": "array", + "items": { + "type": "string" + } + } + ] + } + } + }, + { + "$ref": "#/definitions/stringContainingExpressionSyntax" + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ] + }, + "environment": { + "$comment": "https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment", + "description": "The environment that the job references.", + "oneOf": [ + { 
+ "type": "string" + }, + { + "$ref": "#/definitions/environment" + } + ] + }, + "outputs": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idoutputs", + "description": "A map of outputs for a job. Job outputs are available to all downstream jobs that depend on this job.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "env": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idenv", + "$ref": "#/definitions/env", + "description": "A map of environment variables that are available to all steps in the job." + }, + "defaults": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_iddefaults", + "$ref": "#/definitions/defaults", + "description": "A map of default settings that will apply to all steps in the job." + }, + "if": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idif", + "description": "You can use the if conditional to prevent a job from running unless a condition is met. You can use any supported context and expression to create a conditional.\nExpressions in an if conditional do not require the ${{ }} syntax. For more information, see https://help.github.com/en/articles/contexts-and-expression-syntax-for-github-actions.", + "type": ["boolean", "number", "string"] + }, + "steps": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idsteps", + "description": "A job contains a sequence of tasks called steps. Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. 
Each step runs in its own process in the virtual environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. GitHub provides built-in steps to set up and complete a job.\nMust contain either `uses` or `run`\n", + "type": "array", + "items": { + "$ref": "#/definitions/step" + }, + "minItems": 1 + }, + "timeout-minutes": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes", + "description": "The maximum number of minutes to let a workflow run before GitHub automatically cancels it. Default: 360", + "oneOf": [ + { + "type": "number" + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ], + "default": 360 + }, + "strategy": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategy", + "description": "A strategy creates a build matrix for your jobs. You can define different variations of an environment to run each job in.", + "type": "object", + "properties": { + "matrix": { + "$ref": "#/definitions/matrix" + }, + "fail-fast": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast", + "description": "When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true", + "type": ["boolean", "string"], + "default": true + }, + "max-parallel": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idstrategymax-parallel", + "description": "The maximum number of jobs that can run simultaneously when using a matrix job strategy. 
By default, GitHub will maximize the number of jobs run in parallel depending on the available runners on GitHub-hosted virtual machines.", + "type": ["number", "string"] + } + }, + "required": ["matrix"], + "additionalProperties": false + }, + "continue-on-error": { + "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error", + "description": "Prevents a workflow run from failing when a job fails. Set to true to allow a workflow run to pass when this job fails.", + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "#/definitions/expressionSyntax" + } + ] + }, + "container": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idcontainer", + "description": "A container to run any steps in a job that don't already specify a container. If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.\nIf you do not set a container, all steps will run directly on the host specified by runs-on unless a step refers to an action configured to run in a container.", + "oneOf": [ + { + "type": "string" + }, + { + "$ref": "#/definitions/container" + } + ] + }, + "services": { + "$comment": "https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobsjob_idservices", + "description": "Additional containers to host services for a job in a workflow. These are useful for creating databases or cache services like redis. The runner on the virtual machine will automatically create a network and manage the life cycle of the service containers.\nWhen you use a service container for a job or your step uses container actions, you don't need to set port information to access the service. 
Docker automatically exposes all ports between containers on the same network.\nWhen both the job and the action run in a container, you can directly reference the container by its hostname. The hostname is automatically mapped to the service name.\nWhen a step does not use a container action, you must access the service using localhost and bind the ports.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/container" + } + }, + "concurrency": { + "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idconcurrency", + "description": "Concurrency ensures that only a single job or workflow using the same concurrency group will run at a time. A concurrency group can be any string or expression. The expression can use any context except for the secrets context. \nYou can also specify concurrency at the workflow level. \nWhen a concurrent job or workflow is queued, if another job or workflow using the same concurrency group in the repository is in progress, the queued job or workflow will be pending. Any previously pending job or workflow in the concurrency group will be canceled. To also cancel any currently running job or workflow in the same concurrency group, specify cancel-in-progress: true.", + "oneOf": [ + { + "type": "string" + }, + { + "$ref": "#/definitions/concurrency" + } + ] + } + }, + "required": ["runs-on"], + "additionalProperties": false + }, + "workflowDispatchInput": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_id", + "description": "A string identifier to associate with the input. The value of is a map of the input's metadata. The must be a unique identifier within the inputs object. 
The must start with a letter or _ and contain only alphanumeric characters, -, or _.", + "type": "object", + "properties": { + "description": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddescription", + "description": "A string description of the input parameter.", + "type": "string" + }, + "deprecationMessage": { + "description": "A string shown to users using the deprecated input.", + "type": "string" + }, + "required": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_idrequired", + "description": "A boolean to indicate whether the action requires the input parameter. Set to true when the parameter is required.", + "type": "boolean" + }, + "default": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddefault", + "description": "A string representing the default value. The default value is used when an input parameter isn't specified in a workflow file." 
+ }, + "type": { + "$comment": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatchinputsinput_idtype", + "description": "A string representing the type of the input.", + "type": "string", + "enum": ["string", "choice", "boolean", "number", "environment"] + }, + "options": { + "$comment": "https://github.blog/changelog/2021-11-10-github-actions-input-types-for-manual-workflows", + "description": "The options of the dropdown list, if the type is a choice.", + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + } + }, + "allOf": [ + { + "if": { + "properties": { + "type": { + "const": "string" + } + }, + "required": ["type"] + }, + "then": { + "properties": { + "default": { + "type": "string" + } + } + } + }, + { + "if": { + "properties": { + "type": { + "const": "boolean" + } + }, + "required": ["type"] + }, + "then": { + "properties": { + "default": { + "type": "boolean" + } + } + } + }, + { + "if": { + "properties": { + "type": { + "const": "number" + } + }, + "required": ["type"] + }, + "then": { + "properties": { + "default": { + "type": "number" + } + } + } + }, + { + "if": { + "properties": { + "type": { + "const": "environment" + } + }, + "required": ["type"] + }, + "then": { + "properties": { + "default": { + "type": "string" + } + } + } + }, + { + "if": { + "properties": { + "type": { + "const": "choice" + } + }, + "required": ["type"] + }, + "then": { + "required": ["options"] + } + } + ], + "required": ["description"], + "additionalProperties": false + } + }, + "properties": { + "name": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#name", + "description": "The name of your workflow. GitHub displays the names of your workflows on your repository's actions page. 
If you omit this field, GitHub sets the name to the workflow's filename.", + "type": "string" + }, + "on": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#on", + "description": "The name of the GitHub event that triggers the workflow. You can provide a single event string, array of events, array of event types, or an event configuration map that schedules a workflow or restricts the execution of a workflow to specific files, tags, or branch changes. For a list of available events, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows.", + "oneOf": [ + { + "$ref": "#/definitions/event" + }, + { + "type": "array", + "items": { + "$ref": "#/definitions/event" + }, + "minItems": 1 + }, + { + "type": "object", + "properties": { + "branch_protection_rule": { + "$comment": "https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#branch_protection_rule", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the branch_protection_rule event occurs. More than one activity type triggers this event.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "check_run": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-run-event-check_run", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the check_run event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/checks/runs.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "created", + "rerequested", + "completed", + "requested_action" + ] + }, + "default": [ + "created", + "rerequested", + "completed", + "requested_action" + ] + } + } + }, + "check_suite": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#check-suite-event-check_suite", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the check_suite event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/checks/suites/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["completed", "requested", "rerequested"] + }, + "default": ["completed", "requested", "rerequested"] + } + } + }, + "create": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#create-event-create", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone creates a branch or tag, which triggers the create event. For information about the REST API, see https://developer.github.com/v3/git/refs/#create-a-reference." + }, + "delete": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#delete-event-delete", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone deletes a branch or tag, which triggers the delete event. For information about the REST API, see https://developer.github.com/v3/git/refs/#delete-a-reference." 
+ }, + "deployment": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#deployment-event-deployment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone creates a deployment, which triggers the deployment event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/." + }, + "deployment_status": { + "$comment": "https://docs.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime a third party provides a deployment status, which triggers the deployment_status event. Deployments created with a commit SHA may not have a Git ref. For information about the REST API, see https://developer.github.com/v3/repos/deployments/#create-a-deployment-status." + }, + "discussion": { + "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#discussion", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the discussion event occurs. More than one activity type triggers this event. 
For information about the GraphQL API, see https://docs.github.com/en/graphql/guides/using-the-graphql-api-for-discussions", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "created", + "edited", + "deleted", + "transferred", + "pinned", + "unpinned", + "labeled", + "unlabeled", + "locked", + "unlocked", + "category_changed", + "answered", + "unanswered" + ] + }, + "default": [ + "created", + "edited", + "deleted", + "transferred", + "pinned", + "unpinned", + "labeled", + "unlabeled", + "locked", + "unlocked", + "category_changed", + "answered", + "unanswered" + ] + } + } + }, + "discussion_comment": { + "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#discussion_comment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the discussion_comment event occurs. More than one activity type triggers this event. For information about the GraphQL API, see https://docs.github.com/en/graphql/guides/using-the-graphql-api-for-discussions", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "fork": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#fork-event-fork", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime when someone forks a repository, which triggers the fork event. For information about the REST API, see https://developer.github.com/v3/repos/forks/#create-a-fork." 
+ }, + "gollum": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#gollum-event-gollum", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow when someone creates or updates a Wiki page, which triggers the gollum event." + }, + "issue_comment": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issue-comment-event-issue_comment", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the issue_comment event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/comments/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "issues": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#issues-event-issues", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the issues event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/issues.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "opened", + "edited", + "deleted", + "transferred", + "pinned", + "unpinned", + "closed", + "reopened", + "assigned", + "unassigned", + "labeled", + "unlabeled", + "locked", + "unlocked", + "milestoned", + "demilestoned" + ] + }, + "default": [ + "opened", + "edited", + "deleted", + "transferred", + "pinned", + "unpinned", + "closed", + "reopened", + "assigned", + "unassigned", + "labeled", + "unlabeled", + "locked", + "unlocked", + "milestoned", + "demilestoned" + ] + } + } + }, + "label": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#label-event-label", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the label event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/labels/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "edited", "deleted"] + }, + "default": ["created", "edited", "deleted"] + } + } + }, + "merge_group": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#merge_group", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow when a pull request is added to a merge queue, which adds the pull request to a merge group. 
For information about the merge queue, see https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request-with-a-merge-queue .", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["checks_requested"] + }, + "default": ["checks_requested"] + } + } + }, + "milestone": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#milestone-event-milestone", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the milestone event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/issues/milestones/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": ["created", "closed", "opened", "edited", "deleted"] + }, + "default": [ + "created", + "closed", + "opened", + "edited", + "deleted" + ] + } + } + }, + "page_build": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#page-build-event-page_build", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime someone pushes to a GitHub Pages-enabled branch, which triggers the page_build event. For information about the REST API, see https://developer.github.com/v3/repos/pages/." + }, + "project": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-event-project", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "created", + "updated", + "closed", + "reopened", + "edited", + "deleted" + ] + }, + "default": [ + "created", + "updated", + "closed", + "reopened", + "edited", + "deleted" + ] + } + } + }, + "project_card": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-card-event-project_card", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project_card event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/projects/cards.", + "properties": { + "types": { + "$ref": "#/definitions/types", + "items": { + "type": "string", + "enum": [ + "created", + "moved", + "converted", + "edited", + "deleted" + ] + }, + "default": [ + "created", + "moved", + "converted", + "edited", + "deleted" + ] + } + } + }, + "project_column": { + "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#project-column-event-project_column", + "$ref": "#/definitions/eventObject", + "description": "Runs your workflow anytime the project_column event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/projects/columns.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": ["created", "updated", "moved", "deleted"]
+ },
+ "default": ["created", "updated", "moved", "deleted"]
+ }
+ }
+ },
+ "public": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#public-event-public",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime someone makes a private repository public, which triggers the public event. For information about the REST API, see https://developer.github.com/v3/repos/#edit."
+ },
+ "pull_request": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-event-pull_request",
+ "$ref": "#/definitions/ref",
+ "description": "Runs your workflow anytime the pull_request event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": [
+ "assigned",
+ "unassigned",
+ "labeled",
+ "unlabeled",
+ "opened",
+ "edited",
+ "closed",
+ "reopened",
+ "synchronize",
+ "converted_to_draft",
+ "ready_for_review",
+ "locked",
+ "unlocked",
+ "milestoned",
+ "demilestoned",
+ "review_requested",
+ "review_request_removed",
+ "auto_merge_enabled",
+ "auto_merge_disabled",
+ "enqueued",
+ "dequeued"
+ ]
+ },
+ "default": ["opened", "synchronize", "reopened"]
+ }
+ },
+ "patternProperties": {
+ "^(branche|tag|path)s(-ignore)?$": {
+ "type": "array"
+ }
+ },
+ "additionalProperties": false
+ },
+ "pull_request_review": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-event-pull_request_review",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime the pull_request_review event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/reviews.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": ["submitted", "edited", "dismissed"]
+ },
+ "default": ["submitted", "edited", "dismissed"]
+ }
+ }
+ },
+ "pull_request_review_comment": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#pull-request-review-comment-event-pull_request_review_comment",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime a comment on a pull request's unified diff is modified, which triggers the pull_request_review_comment event. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/pulls/comments.\nNote: Workflows do not run on private base repositories when you open a pull request from a forked repository.\nWhen you create a pull request from a forked repository to the base repository, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository.\nWorkflows don't run on forked repositories by default. You must enable GitHub Actions in the Actions tab of the forked repository.\nThe permissions for the GITHUB_TOKEN in forked repositories is read-only. 
For more information about the GITHUB_TOKEN, see https://help.github.com/en/articles/virtual-environments-for-github-actions.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": ["created", "edited", "deleted"]
+ },
+ "default": ["created", "edited", "deleted"]
+ }
+ }
+ },
+ "pull_request_target": {
+ "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target",
+ "$ref": "#/definitions/ref",
+ "description": "This event is similar to pull_request, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run. For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": [
+ "assigned",
+ "unassigned",
+ "labeled",
+ "unlabeled",
+ "opened",
+ "edited",
+ "closed",
+ "reopened",
+ "synchronize",
+ "converted_to_draft",
+ "ready_for_review",
+ "locked",
+ "unlocked",
+ "review_requested",
+ "review_request_removed",
+ "auto_merge_enabled",
+ "auto_merge_disabled"
+ ]
+ },
+ "default": ["opened", "synchronize", "reopened"]
+ }
+ },
+ "patternProperties": {
+ "^(branche|tag|path)s(-ignore)?$": {}
+ },
+ "additionalProperties": false
+ },
+ "push": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#push-event-push",
+ "$ref": "#/definitions/ref",
+ "description": "Runs your workflow when someone pushes to a repository branch, which triggers the push event.\nNote: The webhook payload available to GitHub Actions does not include the added, removed, and modified attributes in 
the commit object. You can retrieve the full commit object using the REST API. For more information, see https://developer.github.com/v3/repos/commits/#get-a-single-commit.",
+ "patternProperties": {
+ "^(branche|tag|path)s(-ignore)?$": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "additionalProperties": false
+ },
+ "registry_package": {
+ "$comment": "https://help.github.com/en/actions/reference/events-that-trigger-workflows#registry-package-event-registry_package",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime a package is published or updated. For more information, see https://help.github.com/en/github/managing-packages-with-github-packages.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": ["published", "updated"]
+ },
+ "default": ["published", "updated"]
+ }
+ }
+ },
+ "release": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#release-event-release",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime the release event occurs. More than one activity type triggers this event. 
For information about the REST API, see https://developer.github.com/v3/repos/releases/ in the GitHub Developer documentation.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": [
+ "published",
+ "unpublished",
+ "created",
+ "edited",
+ "deleted",
+ "prereleased",
+ "released"
+ ]
+ },
+ "default": [
+ "published",
+ "unpublished",
+ "created",
+ "edited",
+ "deleted",
+ "prereleased",
+ "released"
+ ]
+ }
+ }
+ },
+ "status": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#status-event-status",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime the status of a Git commit changes, which triggers the status event. For information about the REST API, see https://developer.github.com/v3/repos/statuses/."
+ },
+ "watch": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#watch-event-watch",
+ "$ref": "#/definitions/eventObject",
+ "description": "Runs your workflow anytime the watch event occurs. More than one activity type triggers this event. For information about the REST API, see https://developer.github.com/v3/activity/starring/."
+ },
+ "workflow_call": {
+ "$comment": "https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#workflow_call",
+ "description": "Allows workflows to be reused by other workflows.",
+ "properties": {
+ "inputs": {
+ "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onworkflow_callinputs",
+ "description": "When using the workflow_call keyword, you can optionally specify inputs that are passed to the called workflow from the caller workflow.",
+ "type": "object",
+ "patternProperties": {
+ "^[_a-zA-Z][a-zA-Z0-9_-]*$": {
+ "$comment": "https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputsinput_id",
+ "description": "A string identifier to associate with the input. The value of is a map of the input's metadata. The must be a unique identifier within the inputs object. The must start with a letter or _ and contain only alphanumeric characters, -, or _.",
+ "type": "object",
+ "properties": {
+ "description": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddescription",
+ "description": "A string description of the input parameter.",
+ "type": "string"
+ },
+ "required": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_idrequired",
+ "description": "A boolean to indicate whether the action requires the input parameter. Set to true when the parameter is required.",
+ "type": "boolean"
+ },
+ "type": {
+ "$comment": "https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callinput_idtype",
+ "description": "Required if input is defined for the on.workflow_call keyword. The value of this parameter is a string specifying the data type of the input. 
This must be one of: boolean, number, or string.",
+ "type": "string",
+ "enum": ["boolean", "number", "string"]
+ },
+ "default": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputsinput_iddefault",
+ "description": "The default value is used when an input parameter isn't specified in a workflow file.",
+ "type": ["boolean", "number", "string"]
+ }
+ },
+ "required": ["type"],
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ },
+ "secrets": {
+ "$comment": "https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecrets",
+ "description": "A map of the secrets that can be used in the called workflow. Within the called workflow, you can use the secrets context to refer to a secret.",
+ "patternProperties": {
+ "^[_a-zA-Z][a-zA-Z0-9_-]*$": {
+ "$comment": "https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecretssecret_id",
+ "description": "A string identifier to associate with the secret.",
+ "properties": {
+ "description": {
+ "description": "A string description of the secret parameter.",
+ "type": "string"
+ },
+ "required": {
+ "$comment": "https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onworkflow_callsecretssecret_idrequired",
+ "description": "A boolean specifying whether the secret must be supplied.",
+ "type": "boolean"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ }
+ }
+ },
+ "workflow_dispatch": {
+ "$comment": "https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/",
+ "description": "You can now create workflows that are manually triggered with the new workflow_dispatch event. 
You will then see a 'Run workflow' button on the Actions tab, enabling you to easily trigger a run.",
+ "properties": {
+ "inputs": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/metadata-syntax-for-github-actions#inputs",
+ "description": "Input parameters allow you to specify data that the action expects to use during runtime. GitHub stores input parameters as environment variables. Input ids with uppercase letters are converted to lowercase during runtime. We recommended using lowercase input ids.",
+ "type": "object",
+ "patternProperties": {
+ "^[_a-zA-Z][a-zA-Z0-9_-]*$": {
+ "$ref": "#/definitions/workflowDispatchInput"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "additionalProperties": false
+ },
+ "workflow_run": {
+ "$comment": "https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run",
+ "$ref": "#/definitions/eventObject",
+ "description": "This event occurs when a workflow run is requested or completed, and allows you to execute a workflow based on the finished result of another workflow. 
For example, if your pull_request workflow generates build artifacts, you can create a new workflow that uses workflow_run to analyze the results and add a comment to the original pull request.",
+ "properties": {
+ "types": {
+ "$ref": "#/definitions/types",
+ "items": {
+ "type": "string",
+ "enum": ["requested", "completed", "in_progress"]
+ },
+ "default": ["requested", "completed"]
+ },
+ "workflows": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "minItems": 1
+ }
+ },
+ "patternProperties": {
+ "^branches(-ignore)?$": {}
+ }
+ },
+ "repository_dispatch": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#external-events-repository_dispatch",
+ "$ref": "#/definitions/eventObject",
+ "description": "You can use the GitHub API to trigger a webhook event called repository_dispatch when you want to trigger a workflow for activity that happens outside of GitHub. For more information, see https://developer.github.com/v3/repos/#create-a-repository-dispatch-event.\nTo trigger the custom repository_dispatch webhook event, you must send a POST request to a GitHub API endpoint and provide an event_type name to describe the activity type. To trigger a workflow run, you must also configure your workflow to use the repository_dispatch event."
+ },
+ "schedule": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows#scheduled-events-schedule",
+ "description": "You can schedule a workflow to run at specific UTC times using POSIX cron syntax (https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). Scheduled workflows run on the latest commit on the default or base branch. 
The shortest interval you can run scheduled workflows is once every 5 minutes.\nNote: GitHub Actions does not support the non-standard syntax @yearly, @monthly, @weekly, @daily, @hourly, and @reboot.\nYou can use crontab guru (https://crontab.guru/). to help generate your cron syntax and confirm what time it will run. To help you get started, there is also a list of crontab guru examples (https://crontab.guru/examples.html).",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "cron": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ ]
+ },
+ "env": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#env",
+ "$ref": "#/definitions/env",
+ "description": "A map of environment variables that are available to all jobs and steps in the workflow."
+ },
+ "defaults": {
+ "$comment": "https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#defaults",
+ "$ref": "#/definitions/defaults",
+ "description": "A map of default settings that will apply to all jobs in the workflow."
+ },
+ "concurrency": {
+ "$comment": "https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency",
+ "description": "Concurrency ensures that only a single job or workflow using the same concurrency group will run at a time. A concurrency group can be any string or expression. The expression can use any context except for the secrets context. \nYou can also specify concurrency at the workflow level. \nWhen a concurrent job or workflow is queued, if another job or workflow using the same concurrency group in the repository is in progress, the queued job or workflow will be pending. Any previously pending job or workflow in the concurrency group will be canceled. 
To also cancel any currently running job or workflow in the same concurrency group, specify cancel-in-progress: true.",
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/definitions/concurrency"
+ }
+ ]
+ },
+ "jobs": {
+ "$comment": "https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#jobs",
+ "description": "A workflow run is made up of one or more jobs. Jobs run in parallel by default. To run jobs sequentially, you can define dependencies on other jobs using the jobs..needs keyword.\nEach job runs in a fresh instance of the virtual environment specified by runs-on.\nYou can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see https://help.github.com/en/github/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions#usage-limits.",
+ "type": "object",
+ "patternProperties": {
+ "^[_a-zA-Z][a-zA-Z0-9_-]*$": {
+ "oneOf": [
+ {
+ "$ref": "#/definitions/normalJob"
+ },
+ {
+ "$ref": "#/definitions/reusableWorkflowCallJob"
+ }
+ ]
+ }
+ },
+ "minProperties": 1,
+ "additionalProperties": false
+ },
+ "run-name": {
+ "$comment": "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#run-name",
+ "description": "The name for workflow runs generated from the workflow. GitHub displays the workflow run name in the list of workflow runs on your repository's 'Actions' tab.",
+ "type": "string"
+ },
+ "permissions": {
+ "$ref": "#/definitions/permissions"
+ }
+ },
+ "required": ["on", "jobs"],
+ "type": "object"
+}
diff --git a/.gitea/properties/lua/linkfix.lua b/.gitea/properties/lua/linkfix.lua
new file mode 100644
index 0000000..b192cce
--- /dev/null
+++ b/.gitea/properties/lua/linkfix.lua
@@ -0,0 +1,8 @@
+-- Linkfix.lua
+function Link (el)
+ -- wenn Linkziel auf .md endet, Γ€ndere es zu .html
+ if el.target:match('%.md$') then
+ el.target = el.target:gsub('%.md$', '.html')
+ end
+ return el
+end
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0baf6ec
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,20 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+.checklist/
+.idea/
+build/
+out/
+target/
+*.DS_Store
+*.log
+*.ps1
+Thumbs.db
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/.pubkey/centurion_intelligence_consulting_agency_2025_root_x448_Master_Signing_Key_Offline_0x4EADE462_public.asc b/.pubkey/centurion_intelligence_consulting_agency_2025_root_x448_Master_Signing_Key_Offline_0x4EADE462_public.asc
new file mode 100644
index 0000000..aee5ddf
--- /dev/null
+++ b/.pubkey/centurion_intelligence_consulting_agency_2025_root_x448_Master_Signing_Key_Offline_0x4EADE462_public.asc
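Review bot: `el.target:match('%.md$')` only rewrites targets that end exactly in `.md`, so a cross-document link with a fragment such as `guide.md#section` keeps its Markdown extension and is broken after conversion; splitting the fragment off first handles both forms, e.g. `local path, frag = el.target:match('^([^#]*)(.*)$')` and then `if path:match('%.md$') then el.target = path:gsub('%.md$', '.html') .. frag end`. The same pattern also rewrites absolute URLs whose path happens to end in `.md` (a link to a README on another host), which may be unintended; if so, guard on the absence of a `://` scheme. The inline comment is in German and arrived mojibake-encoded (`Γ€ndere`); an English comment such as `-- rewrite links to local .md files so they point at the rendered .html` would also document the filter's purpose.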
@@ -0,0 +1,12 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mEkFaDXW/RYAAAA/AytlcQHI0wBCQVlX/T1P1op2zxMcvSXsIO6Ry5dVxzJyWFkB
+SB0utYV5PVOcoparGuxuVV5h5q538FMowsAAtFZDZW50dXJpb24gSW50ZWxsaWdl
+bmNlIENvbnN1bHRpbmcgQWdlbmN5IDIwMjUgUm9vdCB4NDQ4IChNYXN0ZXIgU2ln
+bmluZyBLZXkgW09mZmxpbmVdKYjNBRMWCABNAhsBBQsJCAcCAiICBhUKCQgLAgQW
+AgMBAh4HAheAIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmg1
+4c0FCRezg7YAAJycAcdFA+KOZ0U3+AhnNJWm4SXCgzwfJ2Rg10uUt/iiKNtiagDG
+xifwXGd5fh2Om/oFdYkgf48GAVVDE4ABx1x6OmN6dt6GWHCKgienVOgKhu+Cl/04
+c3Sth4dGCosfFJNUaNmfja5GQ/wQKLVQ0C4TjuJXHCkEAA==
+=bk/i
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.asc b/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.asc
new file mode 100644
index 0000000..b422300
--- /dev/null
+++ b/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
+MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
+ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
+fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
+Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
+pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
+3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
+dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
+SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
+w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
+BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
+BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
+POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
+OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
+=QwhF
+-----END PGP PUBLIC KEY BLOCK-----
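Review bot: The `.pubkey/` filenames identify keys by 32-bit short IDs (`0x4EADE462` here, `0x8733B021`, `0xE62E84F8` and `0x9A3D8CF6` in the following hunks) while the last file uses a 64-bit ID (`0x8A659CC7B4D63AE6`); short IDs are cheap to collide, so the files should be named, and referenced elsewhere, by full fingerprint and in one consistent format. Nothing visible in this diff records which key signs what (git tags, commits, release images) or where the fingerprints are published outside this repository, so a consumer who fetches these keys from the same repository they are meant to verify gains no independent trust. A short `README` in `.pubkey/` (or a `SECURITY.md` entry) listing fingerprint, purpose and an out-of-band publication point for each key would close that gap; for this file in particular, whether the "offline master" key certifies the other keys or signs artifacts directly should be stated, since the filename alone does not say.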
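Review bot: The path `.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.asc` spells the domain `coreseret.dev`, missing the `c` of `coresecret.dev` used everywhere else in this commit; the armored packet appears to carry a user ID of `msw+bot@coresecret.dev`, so the file (and anything that references it by path) should be renamed to match. The path is the only human-readable hint about which key this is, so a typo there is more than cosmetic.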
diff --git a/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc b/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc
new file mode 100644
index 0000000..7af609f
--- /dev/null
+++ b/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
+AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
+CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
+IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
+VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
+1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
+kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
+AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
+S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
+=C3ox
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/.pubkey/marc_s_weidner_rfc.editor@coresecret.eu_0x9A3D8CF6_public.asc b/.pubkey/marc_s_weidner_rfc.editor@coresecret.eu_0x9A3D8CF6_public.asc
new file mode 100644
index 0000000..961c317
--- /dev/null
+++ b/.pubkey/marc_s_weidner_rfc.editor@coresecret.eu_0x9A3D8CF6_public.asc
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGgKhAABEADKXAZwxkr4Wlo0KKjvvxUNycajqFLSEf8CNSkZCzE6/Ya5SlCy
+p/yO8bqMUiL6zFO3A7bt0HYZo3jjU7nyOap0nq2qKgSvLJPeiJF6wk3XQDvJbpCh
+NBi6vlKicWMyJqVtbqQZeX7q4MFrJPQX5JurSOsauAsJ8xz8vOnhesVwh44m7jTf
+Yvuelz0zh/LQkypTaeMA1CXhCtLhoS8V359azO0VHdVaFmxIjsiiU4wKUCNiUgC5
+Z/QhG3v1TlIS5R8tnPrke39TkjRVBXAnW5mVTxE7+hauDhefGlpIDkIr8ACCpgLf
+ZN0sEXH1+DNTvCwDsP9eoEuf5+2l+w0pQ5c0Rsi2RIbrE/Ct9PL9+cXDYOkNk4fa
+5pws7LzldacBB3XTHhSgTAkF+knk+RNxyrlJ42FAo6HiP+pM3ym/ElFGF0cS/qnU
+h6JR3SDUybI/89t3lPDHEj24+GLxHd/6d0WY0xYMwNElm7DK+BOgKpEQO/ZBqtRP
+crpx81IDInJYjck5z8BAYwnW+CPsAi1cSSFtGBGvem7iKvz7e1nvQcxn9i9HUbiM
+FjrfrFztkSE2ZINoTPUPYNEtLyAm/TQKBCS08uyYjSPaivN1yQ75dm6pIS1OJmGe
+i7SwhU6j4Y8CXdpo3OioemrUuccPbxu18Iw+PovLUvmkAhqFIY6EvYw9ZwARAQAB
+tCpNYXJjIFMuIFdlaWRuZXIgPHJmYy5lZGl0b3JAY29yZXNlY3JldC5ldT6JAlcE
+EwEIAEEWIQR6g0Hl8VcDGdgPRBihHohRmj2M9gUCaAqEAAIbAwUJCrMisAULCQgH
+AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRChHohRmj2M9o5aD/0ceZqsJC98RyvN
+HM9+Ke+1yhwRGXJ3AdFPMdhhzajBdRpOx/N/xY9sqeWpm4S1/UsLBZsaGxASJvXq
+HXOzOXY+RPlOocBcm3yAzlrz+UU/NhvSnpMOU63mR3pvf6qwwfgqGbtxozNgbb2Y
+g+tV4sG+DhCWO4G0Pb2+qlitBY4vbY9W7TdA805bAWwf7E9Pb2x5kLj7uQUKi3dy
+2YCqgHYqQ9yS7UztiA39zmHh2IRl72ZUKGcBMWFfSpO0Mfgr+mCe+5sTymPfIRqk
+IrTmugCXgCV/xs3nE4lv8C/4eSJsLEmMaFELL7dBjn6dhl+0hEblKQYUgURZaG20
+hh/uaR0X1iwA4D9ipHXCr4CM9/fq5ny2uCihPxI/6xeNU9/rOCDZ+LMpJoe/cwTM
+9aY+toC4tyv4f8lm46XPWm+SujJOaVEI7NNKX/kJR9UZZBii8YYGQ1gSs4HX9PxZ
+G1Nf7qG5cfFBV77M9uQsrKnsXRMZjRtyxnclU9r8NKg4jfNvzqpqAVoynhG+YjKM
+krQreCr1LU9uT3O0ABf1s457C0oNr+YMva9PL5LdXEGHwAL93YgyerzEs1TIik80
+YLEVDeTunMWtb1v/h516q+fk1p2bdNflQUMD3X1Cmj6qRMe1f4ku1I3zcjK0kikI
+MGgOoag7efnNBDDsyhKUP/ZtNzOB9LkCDQRoCoQAARAAnoqlViizlICxSBmWkq3D
+dSBfyK98uY6uA8H/lUhsG/ZTUG0y3kqEZ6JoU2G+QwTMm0/8VutwFoc38142FhqQ
+Gs2imUN+sQRlKdyk8wtoq2Kv4G7XhXBGFsEfScHKQb8VTz8eoHAgtqAzJcLXDO0u
+gHHk5OoOqc93TsT9rimHNNNyKqU20rRe+AJ2Yjn92dIuSQ7B7R7O9U5OflZKrVMO
+e6KSXbbMx+Z/tOOoAC2EWpPE8Vcogs8CFlAUaCKaKcSTwYUZMKJg67voeIZHLKAE
+k4hth+1oGcawfuA7duJBVFlK2u6Vu14c26y7tgZQWge6e7DuXlp0qGyu349M10qF
+p+d0v1oN8h6cfYjDPPvTAdO20iB/c3KaDMNqcGBDUWd366YcLBAzHZO4YDjE4CF1
+7TnZQNMuelg83jl4OIcyDqzATDEY+amOgzvkxsgHw+tihSulGBeliph1n5pfpD3w
+wjrtMskCo4PaFWk8YofO3ZzpMCdIDXg0hR1PvThkXQQR6fccOYd8t5QEOdS9NS53
+fL3ayRvMt5fgwYeo9yfzl5ByTSXeT4BSpz596SG/BdcHxHky7lM8++LuRNrOiy9Q
+xLohwgPonceF4bjL944Ec13lneZunJN8nel8yrjd0cX0ZikWMWoRFk9GejNN6HLo
+/FrIKxSjf8h5UK5Gtn2OgtMAEQEAAYkCPAQYAQgAJhYhBHqDQeXxVwMZ2A9EGKEe
+iFGaPYz2BQJoCoQAAhsMBQkKsyKwAAoJEKEeiFGaPYz2SkMQALjeSyg8HzMLXwN4
+Trt7aW5ef/38J89cav0ouvlY1OggZDiHSXjck7wI0uc0oiB9uVjBj8VfJC4op3bJ
+FNlXANE2j9wDR2idQF6hFWVibznMiYOLdmAv3UPGEwm5mJw3h3oGTMqMxKllOKYk
+sjRD4PwMOz9x43385PO1q0UQO69kQfnLcRm1gR5w8UHM6j1Mp6HcBapnOluf4PZj
+o+5etx3MZBQtDEN5Q80ou3sS2FY23ydmpbn1AGQverr7wUH0ofAgC/xAQ/QJaxWE
+ISVm+6F6gC67UU/DMtw2iq9G/CsBKOglC6anU75UEAQnhkiCaFXlghCX0LGWyVbM
+OQzjlfBgswTQ4lvYV2I8FHbvgKCYuRvEeAqrIgnpK4BfoBZOXhrsanbtXth4Cl82
+euveI/dbSnEa0iXucP39VbvDrzfNmpUlE9HTpiad10YmrYWIR0yEv4TGPnvtWzgj
+ldqhMToXTbuz4bcIEfLLNBEVOXOpEehhpwiXPBmWjCbiSTdt9wcmMXTzjzGyVWoF
+N37P3BcodQWrsIJD5rlBN+mlga2JBfaJndOoYDLTuCNp63O3QO+/B+37hOYHphyu
+Z1UsyA0biHQ2exoMtUn8VrfrVaVjqeKzD5E2C2w8jKh2bNFYjbNoEhmw/ld+wTC4
+h9Da4wsNzL2ADzBfxBgFgm0uI6+7
+=5Jh4
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc b/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc
new file mode 100644
index 0000000..b35458d
--- /dev/null
+++ b/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc
@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEaDcAphYJKwYBBAHaRw8BAQdA/9UGPKzDSRCGirPMrePXMMynIida/McCOYe6
+PVcCPpG0MVpJTU5PTCwgQW5kcsOpIEguIFtkZXZlbG9wZXJdIDxnaXQuY3NAcGh5
+c25ldC5ldT6IkQQTFgoAORYhBBmJL29uc6075RFbVoplnMe01jrmBQJoNwCmAhsB
+BQkIpLt+AwsJCAQVCgkIAxYCAwIeBQIXgAAKCRCKZZzHtNY65jKyAQDrk2x/laEP
+YIaRmS7STGBnZjWVwv/eJ5ILFqRhV3sSGQEAwfT2wgporMER+EHz2mRPAaE5TtPB
+SMm4DHug4Yka2A24MwRoNwDmFgkrBgEEAdpHDwEBB0Bx3cbRd0Q/Dn73IcbEvKx5
++KcP7unYv3rNeirZTGtTfoj1BBgWCgAmFiEEGYkvb25zrTvlEVtWimWcx7TWOuYF
+Amg3AOYCGwIFCQL/zz4AgQkQimWcx7TWOuZ2IAQZFgoAHRYhBEVoBW4odEqUQpSB
+D1za7swLMHUzBQJoNwDmAAoJEFza7swLMHUzYw0A/05Y5GoEsbHH5+LqVf9EI8WN
+ud1kp3M4WRto2KQ2abicAP0W71sTY2Po1XbBDVbFi2fvXkjuCUVeSlotaQgh1YrP
+BtIXAQDabJERY+nNU9T/8pAlFhC3ImAJAXWSpxlIZWU3q12DpQEA3zCIMXBTc7w1
+eREXUft3CupIIT70bCjcTbH5dIYX1w24OARoNwEMEgorBgEEAZdVAQUBAQdAmvb9
+1f/tWoR4ADQytUwrXlXfp/U5Jt7KvWS5URWCjRMDAQgHiH4EGBYKACYWIQQZiS9v
+bnOtO+URW1aKZZzHtNY65gUCaDcBDAIbDAUJAv/PGAAKCRCKZZzHtNY65n/UAQCR
+0W40F4QaD2SnXZS8fmDBK341LTbyhy8JACmKKKB3PAD/Tq/0SfDC0i905OdWcbJ0
+AQfwlnC0kTOkPh2bO1vyfwg=
+=YZAU
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/.version.properties b/.version.properties
new file mode 100644
index 0000000..6419347
--- /dev/null
+++ b/.version.properties
@@ -0,0 +1,19 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+properties_SPDX-Version="3.0"
+properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
+properties_SPDX-FileCopyrightText="2024–2025; WEIDNER, Marc S.; "
+properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
+properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
+properties_SPDX-PackageName="CISS.debian.live.builder"
+properties_SPDX-Security-Contact="security@coresecret.eu"
+properties_version="V8.02.512.2025.05.30"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
\ No newline at end of file
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
new file mode 100644
index 0000000..902a10c
--- /dev/null
+++ b/CISS.debian.live.builder.spdx
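Review bot: `properties_SPDX-LicenseComment` states that the file belongs to the `CISS.hardened.installer framework`, while the `# SPDX-LicenseComment:` header eight lines above in the same file says `CISS.debian.installer.secure framework`; one of the two names is stale and the value should be made to agree with the header (the `.gitignore` header in this commit also uses `CISS.debian.installer.secure`). The `properties_` prefix and double-quoted values suggest this file is meant to be sourced by a shell, in which case names containing `-` such as `properties_SPDX-Version` are not valid identifiers and sourcing would fail; a `_` separator (`properties_SPDX_Version`) avoids that — hedged, since the consumer of the file is not visible here. `properties_SPDX-FileCopyrightText` also ends with a stray space inside the quotes, which any exact-match comparison against the header value will miss.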
@@ -0,0 +1,23 @@
+SPDXVersion: SPDX-3.0
+DataLicense: CC0-1.0
+SPDX-DocumentName: CISS.debian.live.builder.SPDX
+SPDX-DocumentNamespace: https://git.coresecret.dev/msw/CISS.debian.live.builder
+Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
+Created: 2025-05-07T12:00:00Z
+Package: CISS.debian.live.builder
+PackageName: CISS.debian.live.builder
+PackageVersion: Master V8.02.512.2025.05.30
+PackageSupplier: Organization: Centurion Intelligence Consulting Agency
+PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
+PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
+PackageLicenseDeclared: EUPL-1.2 OR LicenseRef-CCLA-1.0
+PackageLicenseConcluded: EUPL-1.2
+License: EUPL-1.2
+LicenseID: EUPL-1.2
+LicenseName: European Union Public License 1.2
+LicenseCrossReference: https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+License: LicenseRef-CCLA-1.0
+LicenseID: LicenseRef-CCLA-1.0
+LicenseName: Centurion Commercial License Agreement 1.0
+LicenseCrossReference: https://coresecret.eu/imprint/licenses/
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
index 385cb4e..2dd5cb8 100644
--- a/LICENSE
+++ b/LICENSE
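Review bot: `SPDXVersion: SPDX-3.0` is combined with the SPDX 2.x tag-value vocabulary (`DataLicense`, `PackageName`, `PackageLicenseDeclared`, `LicenseID`), but SPDX 3.0 has no tag-value serialization, and the 2.x format expects `SPDXVersion: SPDX-2.3`, `DocumentName`, `DocumentNamespace` and an `SPDXID: SPDXRef-DOCUMENT` rather than the `SPDX-DocumentName`, `SPDX-DocumentNamespace` and `Package:` keys used here, so standard validators will most likely reject the document as written. The package section carries no `PackageChecksum` or `PackageVerificationCode` and no file list, so nothing ties this SBOM to a specific artifact of `V8.02.512.2025.05.30`; for a hardened-installer builder that is the property consumers will want most. In the 2.x format `LicenseID` is only valid for `LicenseRef-` identifiers and each entry needs an `ExtractedText`, so the `LicenseRef-CCLA-1.0` block should gain one and the `EUPL-1.2` block (an SPDX-listed identifier) can be dropped.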
@@ -1,89 +1,121 @@ +# SPDX-License-Identifier: EUPL-1.2 + +EUPL-1.2 + EUROPEAN UNION PUBLIC LICENCE v. 1.2 EUPL Β© the European Union 2007, 2016 -This European Union Public Licence (the β€˜EUPL’) applies to the Work (as defined below) which is provided under the +This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such -use is covered by a right of the copyright holder of the Work). +a use is covered by a right of the copyright holder of the Work). + The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following notice immediately following the copyright notice for the Work: + Licensed under the EUPL + or has expressed by any other means his willingness to license under the EUPL. 1.Definitions + In this Licence, the following terms have the following meaning: -β€” β€˜The Licence’:this Licence. -β€” β€˜The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available + +β€” 'The Licence':this Licence. + +β€” 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available as Source Code and also as Executable Code as the case may be. -β€” β€˜Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or + +β€” 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in the country mentioned in Article 15. -β€” β€˜The Work’:the Original Work or its Derivative Works. 
-β€” β€˜The Source Code’:the human-readable form of the Work which is the most convenient for people to study and + +β€” 'The Work':the Original Work or its Derivative Works. + +β€” 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and modify. -β€” β€˜The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by + +β€” 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by a computer as a program. -β€” β€˜The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence. -β€” β€˜Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to + +β€” 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence. + +β€” 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to the creation of a Derivative Work. -β€” β€˜The Licensee’ or β€˜You’:any natural or legal person who makes any usage of the Work under the terms of the + +β€” 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the Licence. -β€” β€˜Distribution’ or β€˜Communication’:any act of selling, giving, lending, renting, distributing, communicating, -transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential + +β€” 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating, +transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential functionalities at the disposal of any other natural or legal person. 
2.Scope of the rights granted by the Licence + The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for the duration of copyright vested in the Original Work: -β€” use the Work in any circumstance and for all usage, + +β€” use the Work in any circumstances and for all usage, + β€” reproduce the Work, -β€” modify the Work, and make Derivative Works based upon the Work, + +β€” modify the Work and make Derivative Works based upon the Work, + β€” communicate to the public, including the right to make available or display the Work or copies thereof to the public and perform publicly, as the case may be, the Work, + β€” distribute the Work or copies thereof, + β€” lend and rent the Work or copies thereof, + β€” sublicense rights in the Work or copies thereof. -Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the + +Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the applicable law permits so. + In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed by law in order to make effective the licence of the economic rights here above listed. + The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the extent necessary to make use of the rights granted on the Work under this Licence. 3.Communication of the Source Code -The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as + +The Licensor may provide the Work either in its Source Code form or as Executable Code. 
If the Work is provided as Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to distribute or communicate the Work. 4.Limitations on copyright + Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the -exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations +exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations thereto. 5.Obligations of the Licensee + The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those obligations are the following: Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to -the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the +the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work to carry prominent notices stating that the Work has been modified and the date of modification. Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless -the Original Work is expressly distributed only under this version of the Licence β€” for example by communicating -β€˜EUPL v. 1.2 only’. 
The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the +the Original Work is expressly distributed only under this version of the Licence β€” for example, by communicating +'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the Work or Derivative Work that alter or restrict the terms of the Licence. Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done -under the terms of this Compatible Licence. For the sake of this clause, β€˜Compatible Licence’ refers to the licences listed +under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail. -Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide +The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available for as long as the Licensee continues to distribute or communicate the Work. Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names 
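Review bot: The added lines change the wording of the EUPL v1.2 text, not just its layout — `such a use is covered`, `any code, which has generally been compiled and, which`, `online, or offline`, `use the Work in any circumstances`, `The provision of Source Code:` — and swap the typographic quotes for ASCII ones. A licence body that diverges from the canonical text is a compliance problem: the `# SPDX-License-Identifier: EUPL-1.2` line added at the top asserts the canonical licence while the text below no longer is, licence scanners that match EUPL-1.2 by normalised text will stop identifying this file, and Article 13 further down reserves new versions of the licence to the European Commission. Restore the verbatim text from the joinup source cited in the `.spdx` file and limit this change to blank-line insertions; if a house-style copy is wanted, keep it outside `LICENSE`.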
@@ -91,100 +123,134 @@ of the Licensor, except as required for reasonable and customary use in describi reproducing the content of the copyright notice. 6.Chain of Authorship + The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence. -Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or + +Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence. + Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions to the Work, under the terms of this Licence. 7.Disclaimer of Warranty -The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work -and may therefore contain defects or β€˜bugs’ inherent to this type of development. -For the above reason, the Work is provided under the Licence on an β€˜as is’ basis and without warranties of any kind + +The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work +and may therefore contain defects or 'bugs' inherent to this type of development. + +For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this Licence. + This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work. 
8.Disclaimer of Liability + Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss -of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, -the Licensor will be liable under statutory product liability laws as far such laws apply to the Work. +of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, +the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work. 9.Additional agreements + While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify, -defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by +defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by the fact You have accepted any warranty or additional liability. 10.Acceptance of the Licence -The provisions of this Licence can be accepted by clicking on an icon β€˜I agree’ placed under the bottom of a window + +The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of applicable law. 
Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms and conditions. + Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution or Communication by You of the Work or copies thereof. 11.Information to the public + In case of any Distribution or Communication of the Work by means of electronic communication by You (for example, by offering to download the Work from a remote location) the distribution channel or media (for example, a website) -must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence -and the way it may be accessible, concluded, stored and reproduced by the Licensee. +must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence, +and the way it may be accessible, concluded, stored, and reproduced by the Licensee. 12.Termination of the Licence + The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms of the Licence. + Such a termination will not terminate the licences of any person who has received the Work from the Licensee under the Licence, provided such persons remain in full compliance with the Licence. 13.Miscellaneous + Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the Work. + If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid and enforceable. 
+ The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence. New versions of the Licence will be published with a unique version number. + All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take advantage of the linguistic version of their choice. 14.Jurisdiction + Without prejudice to specific agreement between parties, + β€” any litigation resulting from the interpretation of this License, arising between the European Union institutions, -bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice +bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union, -β€” any litigation arising between other parties and resulting from the interpretation of this License, will be subject to + +β€” any litigation arising between other parties and resulting from the interpretation of this License will be subject to the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business. 15.Applicable Law + Without prejudice to specific agreement between parties, + β€” this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat, -resides or has his registered office, -β€” this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside +resides, or has his registered office + +β€” this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside a European Union Member State. 
Appendix -β€˜Compatible Licences’ according to Article 5 EUPL are: +'Compatible Licences' according to Article 5 EUPL are: + β€” GNU General Public License (GPL) v. 2, v. 3 + β€” GNU Affero General Public License (AGPL) v. 3 + β€” Open Software License (OSL) v. 2.1, v. 3.0 + β€” Eclipse Public License (EPL) v. 1.0 + β€” CeCILL v. 2.0, v. 2.1 + β€” Mozilla Public Licence (MPL) v. 2 + β€” GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3 + β€” Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software + β€” European Union Public Licence (EUPL) v. 1.1, v. 1.2 + β€” QuΓ©bec Free and Open-Source Licence β€” Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+). The European Commission may update this Appendix to later versions of the above licences without producing a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the covered Source Code from exclusive appropriation. -All other changes or additions to this Appendix require the production of a new EUPL version. + +All other changes or additions to this Appendix require the production of a new EUPL version. \ No newline at end of file diff --git a/README.md b/README.md index 0449ad4..85d8e09 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,404 @@ -# CISS.debian.live.builder +--- +gitea: none +include_toc: true +--- +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.512.2025.05.30-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer) +  +[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   +[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   +[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)   +[![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/)   +[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)   +[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) +  +[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)   +[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)   
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)   +[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)   +[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)   +[![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu)   +[![Static Badge](https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&logo=sepa&logoColor=white&logoSize=auto&label=&color=%230F243E)](https://coresecret.eu/spenden/)   +[![Static Badge](https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&logo=bitcoin&logoColor=white&logoSize=auto&label=Donation&color=%23F7931A)](https://coresecret.eu/spenden/)   +[![Static Badge](https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&logo=simplex&logoColor=white&logoSize=auto&label=Contact&color=%23000000)](https://simplex.chat/)   -Debian Live Build Generator for hardened live environment and CISS Debian Installer \ No newline at end of file +# 1. CISS.debian.live.builder + +**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+ +This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server +and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for +cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. + +Check out more: +* [CenturionNet Services](https://coresecret.eu/cnet/) +* [CenturionDNS Resolver](https://dns.eddns.eu/) +* [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) +* [CenturionNet Status](https://uptime.coresecret.eu/) +* [CenturionMeet](https://talk.e2ee.li/) +* [Contact the author](https://coresecret.eu/contact/) + +> Please note: All my signing keys are contained in an HSM and the signing environment is air gapped. Next step: move to +> a room-gapped environment ^^ + +## 1.1. Immutable Source-of-Truth System + +This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static +source-code definitions. All configurations, system components, and installation routines are embedded during build time and +locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** β€” not only +for boot-time operations, but for deploying entire systems in a secure and reproducible way.
+ +Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`, +yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external +dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not +secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully +secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this +architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.
+ +An even more secure deployment variant β€” an unattended and headless version β€” can be built without any active network interface +or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, +provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then +awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports +without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of +`grub2 (2.12-1~bpo12+1)`.
+ +This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in +source-defined infrastructure logic.
+ +After build and configuration, the following audit reports can be generated: + +* **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance. + Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md) +* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline. + Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md) +* **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations. + Type `ssh-audit :`. See example report: [SSH Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md) + +## 1.2. Preview + +![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg) + +## 1.3. Caution. Significant information for those considering using D-I. + +**The Debian Installer (d-i) will ALWAYS boot a new system.**
+ +Regardless of whether you start it: +* via the boot menu of your Live ISO (grub, isolinux) like **CISS.2025.debian.live.builder**, +* via kexec in the running system, +* via the debian-installer-launcher package, +* or even via a graphical installer shortcut. + +The following happens in all cases: +* The installer kernel (/install/vmlinuz) + initrd.gz are started. +* The existing live system is exited. +* The memory is overwritten. +* All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist. + +The Debian Installer loads: +* its own kernel, +* its own initramfs, +* its own minimal root filesystem (BusyBox + udeb packages), +* no SSH access (unless explicitly enabled via preseed) +* no firewall, AppArmor, logging, etc. pp., +* it disables all running network services, even if you were previously in the live system. + +This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start: +* ufw, iptables, nftables ✘ disabled, not loaded, +* sshd with hardening ✘ stopped (processes gone), +* the running kernel ✘ replaced, +* Logging (rsyslog, journald) ✘ not active, +* preseed control over the network is possible (but without any protection). + +# 2. Features & Rationale + +Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture. + +## 2.1. Kernel Hardening + +### 2.1.1. Boot Parameters + +* **Description**: Customizes kernel command‑line flags to disable unused features and enable mitigations. +* **Key Parameters**: + * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads. + * `audit=1`: Enables kernel auditing from boot to record system calls and security events. + * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking. + * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals. 
+ * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot. + * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity. + * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows. + * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts. + * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data. + * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs. + * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware. + * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations. + * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection. + * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities. + * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access. + * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage. + * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting. + * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks. + * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection. + * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state. + * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks. + * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free. + * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis. 
+ * `pti=on`: Enables page table isolation to mitigate Meltdown attacks. + * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader. + * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources. + * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing. + * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space. + * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance. + * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification. + * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities. + * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls. + * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector. +* **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots. + +### 2.1.2. CPU Vulnerability Mitigations + +* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.). +* **Rationale**: Prevents side‑channel attacks that exploit speculative execution, which remain a high‑risk vector in + multi‑tenant cloud environments. + +### 2.1.3. Kernel Self-Protection + +* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self‑protections. +* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies. + +### 2.1.4. 
Local Kernel Hardening + +* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`: +````bash +########################################################################################### +# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters +# Arguments: +# none +########################################################################################### +# shellcheck disable=SC2317 +sysp() { + sysctl -p /etc/sysctl.d/99_local.hardened + # sleep 1 + sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log +} +```` +* **Key measures loaded by this file include:** + * Disabling module loading `kernel.modules_disabled=1` + * Restricting kernel pointers & logs `kernel.kptr_restrict=2`, `kernel.dmesg_restrict=1`, `kernel.printk=3 3 3 3` + * Disabling unprivileged BPF and userfaultfd + * Disabling kexec and unprivileged user namespaces + * Locking down ptrace scope `kernel.yama.ptrace_scope=2` + * Protecting filesystem links and FIFOs `fs.protected_*` + +**Warning** +Once applied, some hardening settings cannot be undone via `sysctl` without a reboot, and dynamic module loading remains disabled +until the next boot. Automatic enforcement at startup is therefore omitted by designβ€”run `sysp()` manually and plan a reboot to +apply or revert these controls. + +## 2.2. Module Blacklisting + +* **Description**: Disables and blacklists non‑essential or insecure kernel modules. +* **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment. + +## 2.3. Network Hardening + +* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict + inbound/outbound traffic behaviors. +* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man‑in‑the‑middle on internal networks. + +## 2.4. 
Core Dump & Kernel Hardening + +* **Description**: Limits core dump generation paths, enforces `Yama` restrictions, and configures `kernel.kptr_restrict`. +* **Rationale**: Prevents leakage of sensitive memory contents and reduces information disclosure from unintentional crash + dumps. + +## 2.5. Entropy Collection Improvements + +* **Description**: Installs and configures `haveged`, seeds `/dev/random` early. +* **Rationale**: Cloud instances frequently suffer low entropy at the start; improving randomness ensures strong cryptographic key + generation for SSH and other services. + +## 2.6. Permissions & Authentication + +* **Description**: Sets strict directory and file permissions, integrates with PAM modules (e.g., `pam_faillock`). +* **Rationale**: Enforces the principle of least privilege at file‑system level and strengthens authentication policies. + +## 2.7. High-Security Baseline (Lynis Audit) + +* **Description**: Run a baseline audit via [Lynis](https://cisofy.com/lynis/) after build completion. + The generated live environment consistently achieves a 91%+ score in Lynis security audits. +* **Rationale**: Provides independent verification of security posture and flags any configuration drifts or missing + hardening steps. + +## 2.8. SSH Tunnel & Access Security + +* **Description**: The SSH tunnel and access are secured through multiple layers of defense: + * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs. + * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts. + * **One‑Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host + that touches closed ports. 
+ * Additionally, the `fail2ban` service is hardened as well according to: + [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) + * **SSH Ultra‑Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to + [SSH Audit Guide Debian 12](https://www.ssh-audit.com/hardening_guides.html#debian_12): + * `RekeyLimit 1G 1h` + * `HostKey /etc/ssh/ssh_host_ed25519_key` + * `HostKey /etc/ssh/ssh_host_rsa_key (8192-bit RSA)` + * `PubkeyAuthentication yes` + * `PermitRootLogin prohibit-password` + * `PasswordAuthentication no` + * `PermitEmptyPasswords no` + * `LoginGraceTime 2m` + * `MaxAuthTries 3` + * `MaxSessions 2` + * `MaxStartups 08:64:16` + * `PerSourceMaxStartups 4` + * `RequiredRSASize 4096` + * `Ciphers aes256-gcm@openssh.com` + * `KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-` + * `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com` +* **Rationale**: These measures ensure that only authorized hosts can establish SSH tunnels, with strict cryptographic and usage + policies enforced. Minimizes brute force, passive sniffing, and reduces credentials' exposure by limiting protocol features to + vetted algorithms. + +## 2.9. UFW Hardening + +* **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports. +* **Rationale**: Implements a default‑deny firewall, reducing lateral movement and data exfiltration risks immediately after + deployment. + +## 2.10. Fail2Ban Enhancements + +* **Description**: + * Bans any connection to a closed port for 24 hours + * Automatically ignores designated bastion/jump host subnets + * Hardened via `systemd` policy override to limit privileges of the Fail2Ban service itself +* **Rationale**: Provides proactive defense against port scans and brute‑force attacks, while isolating the ban daemon in a + minimal‑privilege context. 
+ +## 2.11. NTPsec & Chrony + +* **Description**: Installs `chrony`, selects PTB NTPsec servers by default. +* **Rationale**: Ensures tamper‑resistant time synchronization, which is essential for log integrity, certificate validation, + and forensic accuracy. + +# 3. Script Features & Rationale + +## 3.1. Input Validation & Security + +* **Description**: All script arguments are validated using a robust input sanitizer. +* **Rationale**: Prevents injection attacks and ensures only expected data types and values are processed. + +## 3.2. Debug Mode with Detailed Logging + +* **Description**: A built-in debug mode outputs clear, timestamped logs including: + + * Script Name and Path of called Function, + * Line Number, + * Function Name, + * Exit Code of the previous Command, + * Executed Command. +* **Rationale**: Simplifies troubleshooting and provides precise error tracing. + +## 3.3. Secure Debug Logging + +* **Description**: No hardcoded plaintext password fragments or sensitive artifacts appear in debug logs. +* **Rationale**: Prevents accidental exposure of credentials during troubleshooting. + +## 3.4. Secure Password Handling + +* **Description**: Password files, if provided, are shredded immediately after being hashed. +* **Rationale**: Prevents password recovery from temporary files. + +## 3.5. Variable Declaration & Validation + +* **Description**: All variables are declared and validated before use. +* **Rationale**: Avoids unintended behavior from unset or improperly set variables. + +## 3.6. Pure Bash Implementation + +* **Description**: The entire wrapper and all its functions are written in pure Bash, without external dependencies. +* **Rationale**: Ensures maximum portability and compatibility with standard Debian environments. + +## 3.7. Bash Error Handling + +* **Description**: The implemented xtrace wrapper `set -x` enforces comprehensive Bash error handling to ensure + * robust, + * predictable execution, + * and early detection of failures. 
+ + and delivers full information, which command failed to execute: + * Script Name and Path of called Function, + * Line Number, + * Function Name, + * Exit Code of the previous Command, + * Executed Command, + * Environment Settings, + * Argument Counter passed to Script, + * Argument String passed to Script. + +* The following `set` options are applied at the beginning of the script (see + [Bash Manual, The Set Builtin](https://www.gnu.org/software/bash/manual/bash.html#The-Set-BuiltinGNU)): +```bash +set -o errexit # Exit script when a command exits with non-zero status (same as "set -e"). +set -o errtrace # Inherit ERR traps in subshells (same as "set -E"). +set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as "set -T"). +set -o nounset # Exit script on use of an undefined variable (same as "set -u"). +set -o pipefail # Return the exit status of the last failed command in a pipeline. +set -o noclobber # Prevent overwriting files via redirection (same as "set -C"). +``` +* **Rationale**: These options enforce strict error checking and handling, reducing silent failures and ensuring +predictable script behavior. + +# 4. Prerequisites + +* **Host**: Debian Bookworm or newer with `live-build` package installed. +* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts. +* **Network**: Outbound access to Debian repositories and PTB NTPsec pool. + +# 5. Installation & Usage + +1. Clone the repository: + + ```bash + git clone https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git + cd CISS.2025.debian.live.builder + ``` +2. 
Run the config builder and the integrated `lb build` command (example): + + ```bash + ./ciss_live_builder.sh --architecture amd64 \ + --build-directory /opt/livebuild \ + --change-splash hexagon \ + --control 384 \ + --debug \ + --dhcp-centurion \ + --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \ + --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \ + --renice-priority "-19" \ + --reionice-priority 1 2 \ + --root-password-file /opt/gitea/CISS.2025.debian.live.builder/password.txt \ + --ssh-port 4242 \ + --ssh-pubkey /opt/gitea/CISS.2025.debian.live.builder + ``` +3. Locate your ISO in the `--build-directory`. +4. Boot from the ISO and login to the live image via the console, or the multi-layer secured coresecret SSH tunnel. +5. Type `sysp` for the final kernel hardening features. +6. Check the boot log with `jboot` and via `ssf` that all services are up. +7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit. +8. Type `celp` for some shortcuts. + +# 6. Licensing & Compliance + +This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure +clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX +standard for license expressions and metadata. + +# 7. Disclaimer + +This README is provided "as‑is" without any warranty. Review your organization's policies before deploying to production. + +--- +**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..add77fe --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,23 @@
+# Security Policy
+
+## Reporting vulnerabilities
+
+Please send your vulnerability reports to `security@coresecret.eu`
+
+To make sure that your report reaches me, please:
+
+Include the words `CISS.debian.live.builder` and `vulnerability` to the subject line as well as a short description of the vulnerability.
+
+Make sure that the message body contains a clear description of the vulnerability.
+
+If you have not received a reply to your email within seven days, please make sure to follow up with me again at `security@coresecret.eu`
+
+Once again, make sure that the word `vulnerability` is in the subject line.
+
+My security policy is available at:
+
+[https://coresecret.eu/security-policy/](https://coresecret.eu/security-policy/)
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
new file mode 100644
index 0000000..cf11d0d
--- /dev/null
+++ b/ciss_live_builder.sh
@@ -0,0 +1,188 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Contributions so far see ./docs/CREDITS.md
+
+### WHY BASH?
+# Ease of installation.
+# No compiling or installing gems, CPAN modules, pip packages, etc.
+# Simple to use and read. Clear syntax and straightforward output interpretation.
+# Built-in power.
+# Pattern matching, line processing, and regular expression support are available natively,
+# no external binaries required.
+# Cross-platform consistency.
+# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
+# macOS compatibility.
+# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
+# Windows support.
+# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
+
+### Preliminary checks
+[ -z "${BASH_VERSINFO[0]}" ] && {
+ . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+[[ ${EUID} -ne 0 ]] && {
+ . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
+[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
+ . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+[[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
+ . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
+ . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+
+declare -gr VERSION="Master V8.02.512.2025.05.30"
+declare -gr CONTACT="security@coresecret.eu"
+
+### VERY EARLY CHECK FOR CONTACT, USAGE, AND VERSION STRING
+declare arg
+if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
+for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${CONTACT}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VERSION}"; exit 0;; esac; done
+unset arg
+
+### VERY EARLY CHECK FOR XTRACE DEBUGGING
+if [[ $* == *" --debug "* ]]; then
+ . ./lib/lib_debug.sh
+ debugger "${@}"
+else
+ declare -grx EARLY_DEBUG=false
+fi
+
+### Advisory Lock
+exec 127>/var/lock/ciss_live_builder.lock || {
+ . ./var/global.var.sh
+ printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
+ exit "${ERR_FLOCK_WRTG}"
+}
+
+if ! flock -x -n 127; then
+ . ./var/global.var.sh
+ printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
+ exit "${ERR_FLOCK_COLL}"
+fi
+
+### Checking required packages
+. ./lib/lib_check_pkgs.sh
+check_pkgs
+
+### Dialog Output for Initialization
+. ./lib/lib_boot_screen.sh && boot_screen
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3
+. ./var/global.var.sh
+. ./var/colors.var.sh
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3
+### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
+set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e".
+set -o errtrace # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
+set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
+set -o nounset # Exit script on use of an undefined variable, the same as "set -u".
+set -o pipefail # Makes pipelines return the exit status of the last command in the pipe that failed.
+set -o noclobber # Prevent overwriting, the same as "set -C".
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3
+### Initialization
+declare -gr ARGUMENTS_COUNT="$#"
+declare -gr ARG_STR_ORG_INPUT="$*"
+declare -ar ARG_ARY_ORG_INPUT=("$@")
+# shellcheck disable=SC2155
+declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+# shellcheck disable=SC2155
+declare -grx WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3
+. ./lib/lib_arg_parser.sh
+. ./lib/lib_arg_priority_check.sh
+. ./lib/lib_cdi.sh
+. ./lib/lib_change_splash.sh
+. ./lib/lib_check_dhcp.sh
+. ./lib/lib_check_hooks.sh
+. ./lib/lib_check_kernel.sh
+. ./lib/lib_check_provider.sh
+. ./lib/lib_check_stats.sh
+. ./lib/lib_check_var.sh
+. ./lib/lib_clean_screen.sh
+. ./lib/lib_clean_up.sh
+. ./lib/lib_copy_integrity.sh
+. ./lib/lib_hardening_root_pw.sh
+. ./lib/lib_hardening_ssh.sh
+. ./lib/lib_hardening_ultra.sh
+. ./lib/lib_helper_ip.sh
+. ./lib/lib_lb_build_start.sh
+. ./lib/lib_lb_config_start.sh
+. ./lib/lib_lb_config_write.sh
+. ./lib/lib_provider_netcup.sh
+. ./lib/lib_run_analysis.sh
+. ./lib/lib_sanitizer.sh
+. ./lib/lib_trap_on_err.sh
+. ./lib/lib_trap_on_exit.sh
+. ./lib/lib_usage.sh
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nActivate traps ... \nXXX\n55\n" >&3
+### Following the CISS Bash naming and ordering scheme
+trap 'trap_on_exit "$?"' EXIT
+trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3
+arg_check "$@"
+declare -ar ARG_ARY_SANITIZED=("$@")
+declare -gr ARG_STR_SANITIZED="${ARG_ARY_SANITIZED[*]}"
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3
+arg_parser "$@"
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nFinal checks ... \nXXX\n95\n" >&3
+clean_ip
+
+### Updating Status of Dialog Gauge Bar
+printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3
+sleep 1
+
+boot_screen_cleaner
+
+### MAIN Program
+arg_priority_check
+check_stats
+check_provider
+check_kernel
+check_hooks
+hardening_ssh
+lb_config_start
+lb_config_write
+
+cd "${WORKDIR}"
+hardening_ultra
+hardening_root_pw
+change_splash
+check_dhcp
+cdi
+provider_netcup
+
+### Start the build process
+set +o errtrace
+lb_build_start
+
+set -o errtrace
+run_analysis
+copy_db
+declare -g handler_success=true
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/bootloaders/grub-efi/grub.cfg b/config/bootloaders/grub-efi/grub.cfg
new file mode 100644
index 0000000..50b273b
--- /dev/null
+++ b/config/bootloaders/grub-efi/grub.cfg
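Review bot: The early xtrace switch `if [[ $* == *" --debug "* ]]` only matches when `--debug` has another argument on both sides, so `--debug` passed as the first or the last argument never enables the debugger; pad the joined string instead: `if [[ " $* " == *" --debug "* ]]; then`. The version gate `[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]]` also rejects bash 5.1 itself while the message it prints says 5.1 is the minimum — `-lt 1` matches the message, or keep `-le 1` and state 5.2 in the text. Further down, `arg_check "$@"` is a function call and `declare -ar ARG_ARY_SANITIZED=("$@")` then captures the caller's positional parameters, which a function cannot rewrite; unless arg_check only aborts on bad input rather than normalising it (its definition is presumably in lib/lib_sanitizer.sh, which is not in this diff), the "sanitized" array is byte-identical to ARG_ARY_ORG_INPUT and `arg_parser "$@"` still receives the original values, so either have arg_check print the cleaned arguments and `set -- $(...)` them here, or rename the variables so they do not promise sanitisation that did not happen.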
@@ -0,0 +1,46 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+source /boot/grub/config.cfg
+
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=16
+GRUB_DISTRIBUTOR="CISS.debian.live.builder"
+
+# Live boot
+@LINUX_LIVE@
+
+### CISS.2025 BOB
+#MUST_BE_REPLACED
+### CISS.2025 EOB
+
+submenu 'CISS CoreSecret Legacy DI ...' --hotkey=c {
+ source /boot/grub/theme.cfg
+ menuentry "CISS CoreSecret Legacy DI" --hotkey=s {
+ linux @KERNEL_GI@ @APPEND_GI@
+ initrd @INITRD_GI@
+ }
+ }
+
+submenu 'Utilities ...' --hotkey=u {
+ source /boot/grub/theme.cfg
+ # Memtest (if any)
+ if @ENABLE_MEMTEST@; then
+ source /boot/grub/memtest.cfg
+ fi
+ # Firmware setup (UEFI)
+ if [ "${grub_platform}" = "efi" ]; then
+ menuentry "UEFI Firmware Settings" --hotkey=e {
+ fwsetup
+ }
+ fi
+ }
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/bootloaders/grub-efi/splash.png b/config/bootloaders/grub-efi/splash.png
new file mode 100644
index 0000000..1135dfc
Binary files /dev/null and b/config/bootloaders/grub-efi/splash.png differ
diff --git a/config/bootloaders/grub-pc/grub.cfg b/config/bootloaders/grub-pc/grub.cfg
new file mode 100644
index 0000000..c3770ce
--- /dev/null
+++ b/config/bootloaders/grub-pc/grub.cfg
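Review bot: `GRUB_DEFAULT=0`, `GRUB_TIMEOUT=16` and `GRUB_DISTRIBUTOR=...` are the names grub-mkconfig reads from /etc/default/grub; inside a grub.cfg script they only assign three GRUB environment variables that the menu code does not consult (the menu honours `default` and `timeout`), so the 16-second timeout and default entry are, as far as this file goes, not in force — the sourced /boot/grub/config.cfg is presumably where the effective `set default=` / `set timeout=` live, and it is not part of this diff. If these values are meant to apply here, write `set default=0` and `set timeout=16`; otherwise drop the three lines so the file does not advertise a timeout it does not set. The identical lines appear in config/bootloaders/grub-pc/grub.cfg in the next hunk.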
@@ -0,0 +1,46 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+source /boot/grub/config.cfg
+
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=16
+GRUB_DISTRIBUTOR="CISS.debian.live.builder"
+
+# Live boot
+@LINUX_LIVE@
+
+### CISS.2025 BOB
+#MUST_BE_REPLACED
+### CISS.2025 EOB
+
+submenu 'CISS CoreSecret Legacy DI ...' --hotkey=c {
+ source /boot/grub/theme.cfg
+ menuentry "CISS CoreSecret Legacy DI" --hotkey=s {
+ linux @KERNEL_GI@ @APPEND_GI@
+ initrd @INITRD_GI@
+ }
+ }
+
+submenu 'Utilities ...' --hotkey=u {
+ source /boot/grub/theme.cfg
+ # Memtest (if any)
+ if @ENABLE_MEMTEST@; then
+ source /boot/grub/memtest.cfg
+ fi
+ # Firmware setup (UEFI)
+ if [ "${grub_platform}" = "efi" ]; then
+ menuentry "UEFI Firmware Settings" --hotkey=e {
+ fwsetup
+ }
+ fi
+ }
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/bootloaders/grub-pc/splash.png b/config/bootloaders/grub-pc/splash.png
new file mode 100644
index 0000000..1135dfc
Binary files /dev/null and b/config/bootloaders/grub-pc/splash.png differ
diff --git a/config/bootloaders/splash.png b/config/bootloaders/splash.png
new file mode 100644
index 0000000..1135dfc
Binary files /dev/null and b/config/bootloaders/splash.png differ
diff --git a/config/hooks/live/0000_generate_backup_dir.chroot b/config/hooks/live/0000_generate_backup_dir.chroot
new file mode 100644
index 0000000..82c2873
--- /dev/null
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -0,0 +1,27 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+mkdir -p /root/.ciss/dlb/backup
+chmod 0700 /root/.ciss/dlb/backup
+
+mkdir -p /root/git
+chmod 0700 /root/git
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
new file mode 100644
index 0000000..78ca7c3
--- /dev/null
+++ b/config/hooks/live/0001_initramfs_modules.chroot
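Review bot: `mkdir -p /root/.ciss/dlb/backup` followed by `chmod 0700` leaves the intermediate `/root/.ciss` and `/root/.ciss/dlb` at whatever the umask yields and creates the leaf with the default mode before tightening it; `install -d -m 0700 /root/.ciss /root/.ciss/dlb /root/.ciss/dlb/backup /root/git` creates every level with the intended mode in one step and replaces the two mkdir/chmod pairs. On a stock Debian image /root is itself 0700, so the practical exposure is small, but the hook then relies on that rather than on the modes it sets itself.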
@@ -0,0 +1,294 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+#######################################
+# Get all NIC Driver of the current Host-machine
+# Arguments:
+# None
+#######################################
+grep_nic_driver_modules() {
+ declare _mods
+ # Gather all Driver and sort unique
+ readarray -t _mods < <(
+ lspci -k \
+ | grep -A2 -i ethernet \
+ | grep 'Kernel driver in use' \
+ | awk '{print $5}' \
+ | sort -u
+ )
+
+ declare nic_module
+ declare nic_modules
+ if [[ "${#_mods[@]}" -eq 1 ]]; then
+ nic_module="${_mods[0]}"
+ echo "${nic_module}"
+ else
+ nic_modules="${_mods[*]}"
+ echo "${nic_modules}"
+ fi
+}
+
+# shellcheck disable=SC2155
+declare nic_driver="$(grep_nic_driver_modules)"
+cat << EOF >| /etc/initramfs-tools/modules
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# List of modules that you want to include in your initramfs.
+# They will be loaded at boot time in the order below.
+#
+# Syntax: module_name [args ...]
+#
+# You must run update-initramfs(8) to effect this change.
+#
+# Examples:
+#
+# raid1
+# sd_mod
+
+### QEMU Bochs-compatible virtual machine support
+bochs
+
+### Device-mapper core module (required for all dm_* features)
+dm_mod
+
+### Device-mapper integrity target (provides integrity checking)
+dm-integrity
+
+### Device-mapper crypt target (provides disk encryption)
+dm-crypt
+
+### Generic AES block cipher implementation (used by dm-crypt)
+aes_generic
+
+### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
+sha256_generic
+
+### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
+crc32c_generic
+
+### Main btrfs filesystem module
+btrfs
+
+### Zstandard compression support for btrfs
+zstd_compress
+
+### XOR parity implementation for RAID functionality
+xor
+
+### RAID6 parity generation module
+raid6_pq
+
+### Combined RAID4/5/6 support module
+raid456
+
+### Network Driver Host-machine
+"${nic_driver}"
+
+EOF
+
+cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#
+# The Configuration file for update-initramfs(8)
+#
+
+#
+# update_initramfs [ yes | all | no ]
+#
+# Default is yes
+# If set to all update-initramfs will update all initramfs
+# If set to no disables any update to initramfs besides kernel upgrade
+
+update_initramfs=yes
+
+#
+# backup_initramfs [ yes | no ]
+#
+# Default is no
+# If set to no leaves no .bak backup files.
+
+backup_initramfs=no
+
+EOF
+
+cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#
+# initramfs.conf
+# Configuration file for mkinitramfs(8). See initramfs.conf(5).
+#
+# Note that configuration options from this file can be overridden
+# by config files in the /etc/initramfs-tools/conf.d directory.
+
+#
+# MODULES: [ most | netboot | dep | list ]
+#
+# most - Add most filesystem and all hard-drive drivers.
+#
+# dep - Try and guess that module to load.
+#
+# netboot - Add the base modules, network modules, but skip block devices.
+#
+# list - Only include modules from the 'additional modules' list
+#
+
+MODULES=most
+
+#
+# BUSYBOX: [ y | n | auto ]
+#
+# Use busybox shell and utilities. If set to n, klibc utilities will be used.
+# If set to auto (or unset), busybox will be used if installed and klibc will
+# be used otherwise.
+#
+
+BUSYBOX=auto
+
+#
+# KEYMAP: [ y | n ]
+#
+# Load a keymap during the initramfs stage.
+#
+
+KEYMAP=n
+
+#
+# COMPRESS: [ gzip | bzip2 | lz4 | lzma | lzop | xz | zstd ]
+#
+
+COMPRESS=zstd
+
+#
+# COMPRESSLEVEL: ...
+#
+# Set a compression level for the compressor.
+# Defaults vary by compressor.
+#
+# Valid values are:
+# 1–9 for gzip|bzip2|lzma|lzop
+# 0–9 for lz4|xz
+# 0–19 for zstd
+# COMPRESSLEVEL=3
+
+#
+# DEVICE: ...
+#
+# Specify a specific network interface, like eth0
+# Overridden by optional ip= or BOOTIF= bootarg
+#
+
+DEVICE=
+
+#
+# NFSROOT: [ auto | HOST:MOUNT ]
+#
+
+NFSROOT=auto
+
+#
+# RUNSIZE: ...
+#
+# The size of the /run tmpfs mount point, like 256M or 10%
+# Overridden by optional initramfs.runsize= bootarg
+#
+
+RUNSIZE=10%
+
+#
+# FSTYPE: ...
+#
+# The filesystem type(s) to support, or "auto" to use the current root
+# filesystem type
+#
+
+FSTYPE=auto
+
+EOF
+
+cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+PREREQ=""
+prereqs() { echo "$PREREQ"; }
+case $1 in
+ prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
+
+# Include Bash
+copy_exec /usr/bin/bash /usr/bin
+
+# Include lsblk (block device information tool)
+copy_exec /usr/bin/lsblk /usr/bin
+
+# Include udevadm (udev management tool)
+copy_exec /usr/bin/udevadm /usr/bin
+EOF
+
+chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
+
+### Regenerate the initramfs for the live system kernel
+update-initramfs -u -k all
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0002_verify_checksums.chroot b/config/hooks/live/0002_verify_checksums.chroot
new file mode 100644
index 0000000..c54bbdf
--- /dev/null
+++ b/config/hooks/live/0002_verify_checksums.chroot
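Review bot: The unquoted heredoc writes `"${nic_driver}"` into /etc/initramfs-tools/modules with the double quotes kept, so the resulting line reads e.g. `"e1000e"` — not a module name initramfs-tools can load — and becomes `""` when the `lspci -k` pipeline yields no `Kernel driver in use` line (no PCI NIC on the build host, or pciutils absent from the chroot; the failure is silent because a process substitution's exit status is not checked by `set -e`). When grep_nic_driver_modules returns several drivers they land on one line, which the file's own `module_name [args ...]` syntax parses as the first module plus arguments. Drop that line from the heredoc and append one module per line after `EOF`: `for _nic in ${nic_driver}; do printf '%s\n' "${_nic}" >> /etc/initramfs-tools/modules; done` — an empty result then adds nothing. Note also that the lookup runs inside the build chroot and so records the build host's NIC driver, as the `### Network Driver Host-machine` comment says, which only helps when the image boots on the same hardware; a comment stating that assumption next to the function would save the next reader from expecting target-side detection.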
@@ -0,0 +1,144 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +target="/usr/lib/live/boot/0030-verify-checksums" +src="$(mktemp)" + +if [[ ! -d /usr/lib/live/boot ]]; then + mkdir -p /usr/lib/live/boot +fi + +cat << 'EOF' >| "${src}" +#!/bin/sh +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' +### In case of successful verification of the offered checksums, proceed with booting, else panic. + +### Inside 0002_verify_checksums.chroot ### + +####################################### +# Live build ISO with the modified checksum verification script for continuing the boot process. 
+# Globals: +# LIVE_BOOT_CMDLINE +# LIVE_VERIFY_CHECKSUMS +# LIVE_VERIFY_CHECKSUMS_DIGESTS +# _CHECKSUM +# _CHECKSUMS +# _DIGEST +# _MOUNTPOINT +# _PARAMETER +# _RETURN +# _TTY +# Arguments: +# $1: ${_PARAMETER} +# Returns: +# 0 : Successful Verification +####################################### +Verify_checksums() { + for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do + case "${_PARAMETER}" in + live-boot.verify-checksums=* | verify-checksums=*) + LIVE_VERIFY_CHECKSUMS="true" + LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" + ;; + + live-boot.verify-checksums | verify-checksums) + LIVE_VERIFY_CHECKSUMS="true" + ;; + esac + done + + case "${LIVE_VERIFY_CHECKSUMS}" in + true) ;; + + *) + return 0 + ;; + esac + + _MOUNTPOINT="${1}" + + LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" + _TTY="/dev/tty8" + + log_begin_msg "Verifying checksums" + + # shellcheck disable=SC2164 + cd "${_MOUNTPOINT}" + + for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do + # shellcheck disable=SC2060 + _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" + + for _CHECKSUM in ${_CHECKSUMS}; do + if [ -e "${_CHECKSUM}" ]; then + echo "Found ${_CHECKSUM}..." > "${_TTY}" + + if [ -e "/bin/${_DIGEST}sum" ]; then + echo "Checking ${_CHECKSUM}..." > "${_TTY}" + + # Verify checksums + grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" + _RETURN="${?}" + + # Stop after the first verification + # break 2 + else + echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}" + fi + fi + done + done + + log_end_msg + + case "${_RETURN}" in + 0) + log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds." + sleep 10 + return 0 + ;; + + *) + panic "Verification failed, $(basename ${_TTY}) for more information." 
+ ;; + esac +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh +EOF + +# Copy and make executable +install -Dm755 "${src}" "${target}" + +rm -f "${src}" + +unset target src + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0050_activate_root.chroot b/config/hooks/live/0050_activate_root.chroot new file mode 100644 index 0000000..de68861 --- /dev/null +++ b/config/hooks/live/0050_activate_root.chroot 
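Review bot: `_RETURN="${?}"` inside the digest loop is overwritten on every checksum file that is found, so when more than one of SHA512SUMS/SHA384SUMS/SHA256SUMS (or the `*sum.txt` variants) exists, a failure in an earlier file is masked by a later file that passes and only the last one checked decides whether the system boots. Either re-enable the `# break 2` after the first verification or make the loop remember any failure, as in the rewrite below; the empty-`_RETURN` case (no checksum file found at all) already falls into the `*)` branch and panics, which is the right fail-closed default but deserves a message that says no checksum file was found rather than "Verification failed". The success message also hardcodes `sha512 sha384 sha256`; use `"Verification ${LIVE_VERIFY_CHECKSUMS_DIGESTS} successful, continuing booting in 10 seconds."` so it reflects the digests actually configured. Note for the header comment: the checksum files travel on the same medium as the payload, so this check detects corruption but not a tampered medium unless the sums themselves are signed.
```shell
          if [ -e "/bin/${_DIGEST}sum" ]; then
            echo "Checking ${_CHECKSUM}..." > "${_TTY}"

            # Verify checksums; keep an earlier failure instead of letting the
            # last file checked overwrite the overall result.
            if grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"; then
              _RETURN="${_RETURN:-0}"
            else
              _RETURN=1
            fi
          # … unchanged: "Not found" branch, loop ends, log_end_msg, result case …
```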
@@ -0,0 +1,53 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +if [[ ! -f /root/.pwd ]]; then + printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n" + # sleep 1 + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n" + # sleep 1 + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' done. Nothing changed. \e[0m\n" "${0}" + exit 0 +fi + +cd /root + +cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)" +chmod 600 /root/.ciss/dlb/backup/shadow.bak.* + +declare hashed_pwd +declare safe_hashed_pwd +IFS= read -r hashed_pwd < /root/.pwd + +safe_hashed_pwd=$(printf '%s' "${hashed_pwd}" | sed 's/[\/&]/\\&/g') +sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow +sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow +unset hashed_pwd safe_hashed_pwd + +cat /etc/shadow +# sleep 1 + +if shred -vfzu -n 5 /root/.pwd; then + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n" +else + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2 +fi + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
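Review bot: `cat /etc/shadow` prints every account's password hash into the build output, which typically ends up in CI logs and build artifacts; drop the line, or confirm the update without exposing the hashes, e.g. `passwd -S root` and `passwd -S user`. The backup `cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak.…` keeps the pre-change hashes inside the image tree, so unless a later hook (not visible here) removes the backup directory it ships in the final squashfs with mode 0600 as its only protection — worth a comment stating that this is intended, or a cleanup step. The `safe_hashed_pwd` escaping covers `/` and `&` while the `sed` commands use `|` as delimiter, so `/` needs no escaping and `|` would not be escaped; the crypt(3) hash alphabet does not include `|`, but a one-line comment saying so would stop the next reader from "fixing" it. `shred` on `/root/.pwd` is best effort on copy-on-write or journaled storage; since the file holds only a hash this is acceptable, but the comment should not imply the plaintext was ever there.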
diff --git a/config/hooks/live/0080_keyboard_layout.chroot b/config/hooks/live/0080_keyboard_layout.chroot new file mode 100644 index 0000000..e6bc1a2 --- /dev/null +++ b/config/hooks/live/0080_keyboard_layout.chroot @@ -0,0 +1,31 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cat << 'EOF' >| /etc/default/keyboard +XKBMODEL="pc105" +XKBLAYOUT="de" +XKBVARIANT="" +XKBOPTIONS="" +BACKSPACE="guess" +EOF + +dpkg-reconfigure -f noninteractive keyboard-configuration + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0090_haveged.chroot b/config/hooks/live/0090_haveged.chroot new file mode 100644 index 0000000..ba14808 --- /dev/null +++ b/config/hooks/live/0090_haveged.chroot 
@@ -0,0 +1,42 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +apt-get update -y +apt-get install --no-install-recommends haveged -y + +cd /root +cat << 'EOF' >| /etc/default/haveged +# Configuration file for haveged + +# Options to pass to haveged: +DAEMON_ARGS="-w 2048 -v 1" +EOF + +#mkdir -p /etc/systemd/system/haveged.service.d +#cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf +#[Service] +#NoNewPrivileges=yes +#ReadWritePaths=/dev/random /dev/urandom +#AmbientCapabilities= +#User=haveged +#Group=nogroup +#EOF + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0120_set_hostname.chroot b/config/hooks/live/0120_set_hostname.chroot new file mode 100644 index 0000000..fc8c94b --- /dev/null +++ b/config/hooks/live/0120_set_hostname.chroot 
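Review bot: the commented-out `haveged.service.d/override.conf` block is left in the hook with no explanation of why it is disabled, so the next reader cannot tell whether it was abandoned or is meant to be enabled later. As written it would most likely break the daemon: feeding the kernel pool through the RNDADDENTROPY ioctl requires CAP_SYS_ADMIN, which `User=haveged` together with an empty `AmbientCapabilities=` takes away — confirm against the haveged version shipped. Either delete the block or keep it with a comment such as `# Disabled: dropping to User=haveged removes CAP_SYS_ADMIN, which haveged needs to write to /dev/random; revisit with CapabilityBoundingSet=CAP_SYS_ADMIN instead`. The `cd /root` before the heredoc has no effect on anything in this hook and can go.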
@@ -0,0 +1,34 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak +mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak + +cat << 'EOF' >| /etc/hostname +live.local + +EOF + +cat << 'EOF' >| /etc/mailname +localhost.local + +EOF + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0130_machineid.chroot b/config/hooks/live/0130_machineid.chroot new file mode 100644 index 0000000..bf63f57 --- /dev/null +++ b/config/hooks/live/0130_machineid.chroot 
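Review bot: `mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak` aborts the whole hook under `set -e` when `/etc/mailname` does not exist (it is created by mail packages, not by the base system), and the backup directory is assumed to have been created by an earlier hook that is not visible here. Guard it, e.g. `[[ -f /etc/mailname ]] && mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak`, or `mv -f … || true` if a missing file is acceptable. Both heredocs also write a trailing empty line into `/etc/hostname` and `/etc/mailname`; these files are conventionally a single line, so drop the blank line before each `EOF`.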
@@ -0,0 +1,40 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root +if [[ -f /var/lib/dbus/machine-id ]]; then + rm /var/lib/dbus/machine-id +fi + +cat << 'EOF' >| /var/lib/dbus/machine-id +b08dfa6083e7567a1921a715000001fb +EOF +chmod 644 /var/lib/dbus/machine-id + +if [[ -f /etc/machine-id ]]; then + rm /etc/machine-id +fi + +cat << 'EOF' >| /etc/machine-id +b08dfa6083e7567a1921a715000001fb +EOF +chmod 644 /etc/machine-id + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0400_eza_install.chroot b/config/hooks/live/0400_eza_install.chroot new file mode 100644 index 0000000..72f754a --- /dev/null +++ b/config/hooks/live/0400_eza_install.chroot 
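Review bot: both `/etc/machine-id` and `/var/lib/dbus/machine-id` are set to the fixed value `b08dfa6083e7567a1921a715000001fb`, so every system booted from this image shares one machine-id, and the hook does not say whether that is the intent. If the goal is to avoid per-host fingerprinting (a shared id that several live distributions use on purpose), state it in a comment, e.g. `# Fixed machine-id shared by all instances of this image on purpose: prevents per-host fingerprinting`; if the goal is a normal first boot, write `uninitialized` to `/etc/machine-id` so systemd generates a fresh id at boot instead. Either way `/var/lib/dbus/machine-id` should be a symlink to `/etc/machine-id` (`ln -sf /etc/machine-id /var/lib/dbus/machine-id`) rather than a second copy that can drift, and the `rm` before each `>|` redirection is redundant since `>|` already overrides noclobber.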
@@ -0,0 +1,162 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root + +repo="ryanoasis/nerd-fonts" +latest_release=$(curl -s "https://api.github.com/repos/${repo}/releases/latest" | jq -r .tag_name) +download_url="https://github.com/${repo}/releases/download/${latest_release}/Hack.zip" + +wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg --dearmor -o /etc/apt/keyrings/gierens.gpg +echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list +chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list + +apt-get update -y +apt-get install -y eza + +git clone https://github.com/eza-community/eza-themes.git +mkdir -p /root/.config/eza + +cat << 'EOF' >| "/root/eza-themes/themes/centurion.yml" +colourful: true + +filekinds: + normal: {foreground: Default} + directory: {foreground: Purple, is_bold: true} + symlink: {foreground: Cyan} + pipe: {foreground: Yellow} + block_device: {foreground: Yellow, is_bold: true} + char_device: {foreground: Yellow, is_bold: true} + socket: {foreground: Red, is_bold: true} + special: {foreground: Yellow} + executable: {foreground: Green, is_bold: true} + mount_point: {foreground: Purple, is_bold: true, is_underlined: true} + +perms: + user_read: {foreground: Yellow, 
is_bold: true} + user_write: {foreground: Red, is_bold: true} + user_execute_file: {foreground: Green, is_bold: true, is_underlined: true} + user_execute_other: {foreground: Green, is_bold: true} + group_read: {foreground: Yellow} + group_write: {foreground: Red} + group_execute: {foreground: Green} + other_read: {foreground: Yellow} + other_write: {foreground: Red} + other_execute: {foreground: Green} + special_user_file: {foreground: Purple} + special_other: {foreground: Purple} + attribute: {foreground: Default} + +size: + major: {foreground: Green, is_bold: true} + minor: {foreground: Green} + number_byte: {foreground: Green, is_bold: true} + number_kilo: {foreground: Green, is_bold: true} + number_mega: {foreground: Green, is_bold: true} + number_giga: {foreground: Green, is_bold: true} + number_huge: {foreground: Green, is_bold: true} + unit_byte: {foreground: Green} + unit_kilo: {foreground: Green} + unit_mega: {foreground: Green} + unit_giga: {foreground: Green} + unit_huge: {foreground: Green} + +users: + user_you: {foreground: Yellow, is_bold: true} + user_root: {foreground: Default} + user_other: {foreground: Default} + group_yours: {foreground: Yellow, is_bold: true} + group_other: {foreground: Default} + group_root: {foreground: Default} + +links: + normal: {foreground: Red, is_bold: true} + multi_link_file: {foreground: Red, background: Yellow} + +git: + new: {foreground: Green} + modified: {foreground: Blue} + deleted: {foreground: Red} + renamed: {foreground: Yellow} + typechange: {foreground: Purple} + ignored: {foreground: Default, is_dimmed: true} + conflicted: {foreground: Red} + +git_repo: + branch_main: {foreground: Green} + branch_other: {foreground: Yellow} + git_clean: {foreground: Green} + git_dirty: {foreground: Yellow} + +security_context: + colon: {foreground: Default, is_dimmed: true} + user: {foreground: Blue} + role: {foreground: Green} + typ: {foreground: Yellow} + range: {foreground: Cyan} + +file_type: + image: {foreground: 
Purple} + video: {foreground: Purple, is_bold: true} + music: {foreground: Cyan} + lossless: {foreground: Cyan, is_bold: true} + crypto: {foreground: Green, is_bold: true} + document: {foreground: Green} + compressed: {foreground: Red} + temp: {foreground: White} + compiled: {foreground: Yellow} + build: {foreground: Yellow, is_bold: true, is_underlined: true} + source: {foreground: Yellow, is_bold: true} + +punctuation: {foreground: DarkGray, is_bold: true} +date: {foreground: Cyan} +inode: {foreground: Purple} +blocks: {foreground: Cyan} +header: {foreground: White, is_bold: true, is_underlined: true} +octal: {foreground: Purple} +flags: {foreground: Default} + +symlink_path: {foreground: Cyan} +control_char: {foreground: Red} +broken_symlink: {foreground: Red} +broken_path_overlay: {foreground: Default, is_underlined: true} + +filenames: + # Custom filename-based overrides + # Cargo.toml: {icon: {glyph: 🦀}} + +extensions: + # Custom extension-based overrides + # rs: {filename: {foreground: Red}, icon: {glyph: 🦀}} +EOF + +chmod 0644 "/root/eza-themes/themes/centurion.yml" +ln -sf "/root/eza-themes/themes/centurion.yml" /root/.config/eza/theme.yml + +mkdir -p /tmp/nerd +mkdir -p /root/.local/share/fonts +wget --no-clobber --https-only --secure-protocol=TLSv1_3 -P /tmp/nerd "${download_url}" +unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts +fc-cache -fv +rm -rf /tmp/nerd + +unset repo latest_release download_url + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0800_lynis_setup.chroot b/config/hooks/live/0800_lynis_setup.chroot new file mode 100644 index 0000000..0df42da --- /dev/null +++ b/config/hooks/live/0800_lynis_setup.chroot 
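Review bot: the apt signing key is fetched from the `main` branch of a GitHub raw URL and imported with no fingerprint check, so whoever can change that file (or the transport) controls what apt will trust for `deb.gierens.de`; the same unpinned import appears in the lynis hook (`0800_lynis_setup.chroot`). Compare the imported key's fingerprint with one recorded at review time before writing the sources entry, as in the snippet below; `/etc/apt/keyrings` also has to exist before `gpg -o` writes into it. The font download has the same shape: `latest_release` comes from an unauthenticated `curl -s` (no `-f`, so a rate-limited API answer yields `null`) and `Hack.zip` is extracted with no checksum, so pin the release tag and verify the archive against a recorded SHA-256 before `unzip`. `git clone …/eza-themes.git` is likewise unpinned; only a theme file is used from it, but a `--depth 1 --branch <tag>` clone keeps the build reproducible.
```shell
mkdir -p /etc/apt/keyrings
wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg --dearmor -o /etc/apt/keyrings/gierens.gpg
# Pin the repository key: the fingerprint below is recorded at review time, not fetched.
expected_fpr="<EXPECTED_GIERENS_KEY_FINGERPRINT>"
actual_fpr="$(gpg --show-keys --with-colons /etc/apt/keyrings/gierens.gpg | awk -F: '$1 == "fpr" { print $10; exit }')"
if [[ "${actual_fpr}" != "${expected_fpr}" ]]; then
  printf 'eza repository key fingerprint mismatch: got %s\n' "${actual_fpr}" >&2
  exit 1
fi
# … unchanged: sources.list.d entry, chmod, apt-get, theme setup …
```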
@@ -0,0 +1,28 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg +echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list + +apt-get update -y +apt-get install -y lynis +lynis show version + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0810_chrony_setup.chroot b/config/hooks/live/0810_chrony_setup.chroot new file mode 100644 index 0000000..b558a5a --- /dev/null +++ b/config/hooks/live/0810_chrony_setup.chroot 
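Review bot: the cisofy key is written to `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured repository, so the `signed-by=` option in the sources line adds no scoping at all. Put it under `/etc/apt/keyrings/` instead: `curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/keyrings/cisofy-software-public.gpg` and `echo "deb [arch=amd64,arm64 signed-by=/etc/apt/keyrings/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list`, after `mkdir -p /etc/apt/keyrings`. The key should also be checked against a recorded fingerprint before use, and the new keyring and list file given `chmod 644` the way the eza hook does.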
@@ -0,0 +1,68 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +mkdir -p /var/log/chrony +# See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages. +apt-get install chrony -y +systemctl enable chrony.service + +mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak +chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak + +cat << 'EOF' >| /etc/chrony/chrony.conf +# Include configuration files found in /etc/chrony/conf.d. 
+confdir /etc/chrony/conf.d +driftfile /var/lib/chrony/chrony.drift +keyfile /etc/chrony/chrony.keys +logdir /var/log/chrony +ntsdumpdir /var/lib/chrony +sourcedir /run/chrony-dhcp +sourcedir /etc/chrony/sources.d + +log tracking measurements statistics + +authselectmode require + +server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9 +server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9 +server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9 +server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9 +# server nts.netnod.se iburst nts minpoll 5 maxpoll 9 + +# server ntp.ripe.net iburst nts minpoll 5 maxpoll 9 +# server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9 +# server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9 +# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9 +server ntp0.fau.de iburst nts minpoll 5 maxpoll 9 + +leapsectz right/UTC + +leapsecmode system + +maxupdateskew 100.0 + +rtcsync + +makestep 1 3 +EOF + +chmod 644 /etc/chrony/chrony.conf + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0820_kernel_hardening_checker.chroot b/config/hooks/live/0820_kernel_hardening_checker.chroot new file mode 100644 index 0000000..5ec566d --- /dev/null +++ b/config/hooks/live/0820_kernel_hardening_checker.chroot 
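Review bot: `leapsectz right/UTC` needs `/usr/share/zoneinfo/right/UTC` in the image; on recent Debian releases the `right/` zones were split out of `tzdata` into a separate legacy package, and if the file is missing chrony only logs a warning and, as far as I recall, the leap-second source does nothing — confirm the zone file is present in the package list used by this build or drop the directive. The NTS setup itself is sound: `authselectmode require` with `nts` on every server means the unauthenticated servers that `sourcedir /run/chrony-dhcp` may bring in can never be selected. A one-line comment above `sourcedir /run/chrony-dhcp`, e.g. `# DHCP-provided servers are unauthenticated and therefore never selected under authselectmode require`, would save the next reader from wondering why they are still included.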
@@ -0,0 +1,24 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root/git +git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0822_ssh_restart_hook.chroot b/config/hooks/live/0822_ssh_restart_hook.chroot new file mode 100644 index 0000000..46c5e8e --- /dev/null +++ b/config/hooks/live/0822_ssh_restart_hook.chroot 
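Review bot: `git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git` pulls whatever the default branch holds at build time, with no tag, commit or signature check, so the audit tooling that later runs as root on the hardened system is exactly as trustworthy as the upstream account at that moment, and two builds of the same revision can ship different code. The same unpinned clone is made in `0825_my_sqltuner_perl.chroot`, `0835_testssl.sh.chroot`, `0840_ufw_abuse_ipdb_reporter.chroot`, `0845_harbian_audit.chroot` and `0850_ssh_audit.chroot`. Pin each checkout to a reviewed tag and verify the resulting commit, e.g. `git clone --depth 1 --branch "<PINNED_TAG>" https://github.com/a13xp0p0v/kernel-hardening-checker.git` followed by `[[ "$(git -C kernel-hardening-checker rev-parse HEAD)" == "<PINNED_COMMIT>" ]]`, which under `set -e` aborts the build on a mismatch. `cd /root/git` also assumes the directory was created by an earlier hook that is not visible here; `mkdir -p /root/git` before it is cheap insurance.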
@@ -0,0 +1,52 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root +declare target_script="/etc/cron.d/restart-ssh" + +cat << 'EOF' >| "${target_script}" +@reboot root /usr/local/bin/restart-ssh.sh +EOF + +chmod 644 "${target_script}" + +cat << 'EOF' >| /usr/local/bin/restart-ssh.sh +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# Script to restart SSH at boot +systemctl stop ssh +sleep 5 +systemctl start ssh +EOF + +chmod +x /usr/local/bin/restart-ssh.sh +unset target_script + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
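Review bot: `/usr/local/bin/restart-ssh.sh` stops sshd, sleeps five seconds and starts it again from a cron `@reboot` job, with no comment on what this works around, so a maintainer cannot tell whether it is still needed or what breaks if it is removed — add a header comment stating the reason (for example, which key material or network state must exist first). If the intent is only a late restart, `systemctl restart ssh.service` is a single step that avoids the window in which a failed `stop` leaves the script continuing to `start`; if the intent is ordering, a systemd drop-in with `After=` on the dependency is the idiomatic fix rather than cron. The generated script also lacks `set -e`, and `chmod +x` is subject to the umask; prefer `chmod 0755 /usr/local/bin/restart-ssh.sh`.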
diff --git a/config/hooks/live/0825_my_sqltuner_perl.chroot b/config/hooks/live/0825_my_sqltuner_perl.chroot new file mode 100644 index 0000000..7d3e9ef --- /dev/null +++ b/config/hooks/live/0825_my_sqltuner_perl.chroot @@ -0,0 +1,24 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root/git +git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0830_download_yq.chroot b/config/hooks/live/0830_download_yq.chroot new file mode 100644 index 0000000..58210c8 --- /dev/null +++ b/config/hooks/live/0830_download_yq.chroot 
@@ -0,0 +1,24 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
+chmod +x /usr/bin/yq
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0835_testssl.sh.chroot b/config/hooks/live/0835_testssl.sh.chroot new file mode 100644
index 0000000..220f572
--- /dev/null
+++ b/config/hooks/live/0835_testssl.sh.chroot
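Review bot: `wget …/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq` installs an unpinned, unverified binary into a dpkg-managed path; neither the version nor a checksum is checked, and `/usr/bin` is where a later apt upgrade or a package named `yq` would collide with it. Pin the release and compare against a recorded SHA-256 before making the file executable, and install under `/usr/local/bin`, as in the snippet below. The architecture is also hardcoded to `amd64` while the lynis hook adds `arm64` to its apt source; if the image is ever built for arm64 this hook needs a matching `yq_linux_arm64` case.
```shell
yq_version="<PINNED_YQ_RELEASE_TAG>"
yq_sha256="<RECORDED_SHA256_OF_yq_linux_amd64>"
wget --https-only -O /usr/local/bin/yq \
  "https://github.com/mikefarah/yq/releases/download/${yq_version}/yq_linux_amd64"
# Abort the build (set -e) if the downloaded binary does not match the recorded hash.
printf '%s  /usr/local/bin/yq\n' "${yq_sha256}" | sha256sum -c -
chmod 0755 /usr/local/bin/yq
unset yq_version yq_sha256
```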
@@ -0,0 +1,24 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root/git +git clone https://github.com/testssl/testssl.sh.git + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot new file mode 100644 index 0000000..50a8fd5 --- /dev/null +++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot 
@@ -0,0 +1,28 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +apt-get install -y curl +curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \ +apt-get install -y nodejs + +cd /root/git +git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0845_harbian_audit.chroot b/config/hooks/live/0845_harbian_audit.chroot new file mode 100644 index 0000000..139d827 --- /dev/null +++ b/config/hooks/live/0845_harbian_audit.chroot 
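Review bot: `curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -` executes a remote script as root with no integrity check, and `sudo` is not needed (the hook already runs as root) and may not even be installed in the chroot, in which case `set -e` aborts the build. Replace the pipe-to-shell with the repository that script configures anyway — key into `/etc/apt/keyrings/`, fingerprint compared against a recorded value, `signed-by=` sources entry — as in the snippet below; the packages then arrive through apt's own signature verification. The `&& \` continuation between the two commands is redundant under `set -e`. The unpinned `git clone` is the same issue raised on `0820_kernel_hardening_checker.chroot`.
```shell
mkdir -p /etc/apt/keyrings
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
expected_fpr="<EXPECTED_NODESOURCE_KEY_FINGERPRINT>"
actual_fpr="$(gpg --show-keys --with-colons /etc/apt/keyrings/nodesource.gpg | awk -F: '$1 == "fpr" { print $10; exit }')"
[[ "${actual_fpr}" == "${expected_fpr}" ]] || { printf 'nodesource key fingerprint mismatch\n' >&2; exit 1; }
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list
chmod 644 /etc/apt/keyrings/nodesource.gpg /etc/apt/sources.list.d/nodesource.list
apt-get update -y
apt-get install -y nodejs
# … unchanged: cd /root/git and clone …
```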
@@ -0,0 +1,24 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root/git +git clone https://github.com/hardenedlinux/harbian-audit.git + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0850_ssh_audit.chroot b/config/hooks/live/0850_ssh_audit.chroot new file mode 100644 index 0000000..1377e34 --- /dev/null +++ b/config/hooks/live/0850_ssh_audit.chroot 
@@ -0,0 +1,24 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root/git +git clone https://github.com/jtesta/ssh-audit.git + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0900_ufw_setup.chroot b/config/hooks/live/0900_ufw_setup.chroot new file mode 100644 index 0000000..8a78394 --- /dev/null +++ b/config/hooks/live/0900_ufw_setup.chroot 
@@ -0,0 +1,67 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +declare -r UFW_OUT_POLICY="deny" +declare -r SSHPORT="MUST_BE_SET" + +ufw --force reset + +ufw logging medium + +ufw default deny incoming + +ufw default "${UFW_OUT_POLICY}" outgoing + +ufw default deny forward + +ufw allow in "${SSHPORT}"/tcp comment 'Incoming SSH (Custom-Port)' + +ufw limit "${SSHPORT}"/tcp comment 'Rate-Limit for SSH (Custom-Port)' + +if [[ ${UFW_OUT_POLICY,,} == "deny" ]]; then + ufw allow out 21/tcp comment 'Outgoing FTP' + ufw allow out 22/tcp comment 'Outgoing SSH' + ufw allow out 25/tcp comment 'Outgoing SMTP' + ufw allow out 53/tcp comment 'Outgoing DNS' + ufw allow out 80/tcp comment 'Outgoing HTTP' + ufw allow out 123/tcp comment 'Outgoing NTP' + ufw allow out 143/tcp comment 'Outgoing IMAP' + ufw allow out 443/tcp comment 'Outgoing HTTPS' + ufw allow out 465/tcp comment 'Outgoing SMTPS' + ufw allow out 587/tcp comment 'Outgoing SMTPS' + ufw allow out 993/tcp comment 'Outgoing IMAPS' + ufw allow out 4460/tcp comment 'Outgoing NTS' + ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)' + ufw allow out 53/udp comment 'Outgoing DNS' + ufw allow out 123/udp comment 'Outgoing NTP' + ufw allow out 443/udp comment 'Outgoing QUIC' + ufw allow out 853/udp comment 'Outgoing DoQ' +fi + +sed -i "/# ok icmp code for 
FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules +sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules +sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules +sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" /etc/ufw/before.rules +sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" /etc/ufw/before.rules + +sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf +ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot new file mode 100644 index 0000000..40174a8 --- /dev/null +++ b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot 
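Review bot: The `ufw allow in "${SSHPORT}"/tcp` rule is added before `ufw limit "${SSHPORT}"/tcp`, and ufw evaluates user rules in insertion order, so the allow rule matches every SSH connection first and the rate-limit rule never fires; drop the `allow in` line and keep only `ufw limit "${SSHPORT}"/tcp comment 'Rate-Limit for SSH (Custom-Port)'`, since `limit` already accepts traffic below the threshold. `SSHPORT="MUST_BE_SET"` is a build-time placeholder with no check; add `[[ ${SSHPORT} =~ ^[0-9]+$ ]] || { printf '%s: SSHPORT not set\n' "${0}" >&2; exit 1; }` before the first `ufw` call so a forgotten edit fails the build with a clear message rather than with an ufw parse error after the reset has already run. Minor: NTP uses UDP and the NTS-KE rule is the separate `4460/tcp` line, so the `123/tcp` outgoing allow does nothing useful and can go.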
@@ -0,0 +1,25 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+# TODO: MUST be uncommented
+cd /root/git
+# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9900_process_accounting.chroot b/config/hooks/live/9900_process_accounting.chroot
new file mode 100644
index 0000000..03eb93f
--- /dev/null
+++ b/config/hooks/live/9900_process_accounting.chroot
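Review bot: With the clone commented out, this hook does nothing but `cd /root/git` and still prints `'%s' applied successfully`, so an image build passes silently without the installer it is supposed to carry. Until the TODO is resolved, make the gap visible: replace the success banner with `printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s' skipped: installer clone not configured (TODO) \e[0m\n" "${0}" >&2` followed by `exit 1` if the installer is mandatory, or keep the hook out of `config/hooks/live/` until it is ready. When the clone is re-enabled, pin it to a tag or commit and verify the revision, as the other git clones in this series should.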
@@ -0,0 +1,33 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +apt-get install -y acct + +if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then + mkdir -p /etc/systemd/system/multi-user.target.wants +fi + +if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… 'Process Accounting' enabled successful. \e[0m\n" +else + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2 +fi + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9910_motd.chroot b/config/hooks/live/9910_motd.chroot new file mode 100644 index 0000000..431f066 --- /dev/null +++ b/config/hooks/live/9910_motd.chroot 
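Review bot: The symlink is created without checking that `/lib/systemd/system/acct.service` exists; `ln -s` creates a dangling link without complaint, so if the `acct` package ever ships its unit elsewhere the hook still reports 'enabled' and nothing runs at boot. The failure branch is also misleading: it logs `❌ 'Process Accounting' already enabled` to stderr, but `ln -s` fails for any reason (EEXIST, permissions, read-only tree), not only because the link is already there. Prefer `systemctl enable acct.service`, which works offline in the chroot and resolves the unit from its `[Install]` section, or at least put `[[ -f /lib/systemd/system/acct.service ]] || exit 1` before the `ln -s` and test `-L` on the link in the else branch before claiming it is already enabled.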
@@ -0,0 +1,31 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +mkdir -p /root/.ciss/dlb/backup/update-motd.d +cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d + +cat << 'EOF' >| /etc/update-motd.d/10-uname +#!/bin/sh +uname -snrm +EOF + +chmod 0755 /etc/update-motd.d/10-uname + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' successful applied. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9920_deleting_invalid_x509.chroot b/config/hooks/live/9920_deleting_invalid_x509.chroot new file mode 100644 index 0000000..e12e8c2 --- /dev/null +++ b/config/hooks/live/9920_deleting_invalid_x509.chroot 
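Review bot: `cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d` runs under `set -e` without `nullglob`, so if `/etc/update-motd.d` is empty or absent the unexpanded `*` makes `cp` fail and the hook aborts before the new `10-uname` is written. Guard it with the same idiom the x509 hook in this commit uses: `if compgen -G "/etc/update-motd.d/*" > /dev/null; then cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d; fi`. The new `10-uname` prints kernel release and architecture to every user after login; that is post-authentication and not a disclosure concern, but a one-line comment saying `# shown after login only; uname is available to any shell user anyway` would pre-empt the question in a hardening review.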
@@ -0,0 +1,170 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt") +declare backup_dir="/root/.ciss/dlb/backup/certificates" +declare current_date +current_date=$(date +%s) +declare -ax expired_certificates=() + +####################################### +# Backup Wrapper for all x509 Root CA Certs +# Globals: +# backup_dir +# search_dirs +# dir +# Arguments: +# None +####################################### +create_backup() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}" + mkdir -p "${backup_dir}" + declare dir="" + for dir in "${search_dirs[@]}"; do + if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then + cp -r "${dir}"/* "${backup_dir}" + fi + done + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}" +} + +####################################### +# Check the validity of each certificate. 
+# Globals: +# CERT +# CERT_DATE +# CERT_DATE_SECONDS +# CURRENT_DATE +# DIR +# EXPIRED_CERTIFICATES +# SEARCH_DIRS +# Arguments: +# None +####################################### +check_certificates() { + declare dir="" + declare cert="" + declare cert_date="" + declare cert_date_seconds="" + for dir in "${search_dirs[@]}"; do + while IFS= read -r -d '' cert; do + cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//') + cert_date_seconds=$(date -d "${cert_date}" +%s) + if [[ ${cert_date_seconds} -lt ${current_date} ]]; then + declare -g expired_certificates+=("${cert}") + fi + done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0) + done +} +# done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0) +# done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0) + +####################################### +# Find and clean all ca-certificates.crt files in SEARCH_DIRS. +# Globals: +# CURRENT_DATE +# SEARCH_DIRS +# cert +# line +# Arguments: +# None +####################################### +delete_expired_from_all_bundles() { + declare dir bundle + for dir in "${search_dirs[@]}"; do + bundle="${dir}/ca-certificates.crt" + if [[ -f ${bundle} ]]; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}" + declare tmp_bundle="${bundle}.tmp" + declare -a block=() + declare expired=0 + declare enddate cert_date_seconds + + : > "${tmp_bundle}" + + declare line="" + while IFS= read -r line; do + block+=("${line}") + if [[ ${line} == "-----END CERTIFICATE-----" ]]; then + cert=$(printf "%s\n" "${block[@]}") + enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//') + if [[ -n ${enddate} ]]; then + declare cert_date_seconds="" + cert_date_seconds=$(date -d "${enddate}" +%s) + if [[ ${cert_date_seconds} -lt ${current_date} ]]; then + expired=1 + else + expired=0 + fi + else + expired=0 + fi + if [[ ${expired} -eq 0 
]]; then + printf "%s\n" "${block[@]}" >> "${tmp_bundle}" + else + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}" + fi + block=() + fi + done < "${bundle}" + + mv -f "${tmp_bundle}" "${bundle}" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}" + fi + done +} + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}" +create_backup +delete_expired_from_all_bundles +check_certificates + +if [[ ${#expired_certificates[@]} -eq 0 ]]; then + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… No expired certificates found.\e[0m\n" + +else + + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Expired certificates found:\e[0m\n" + + for exp_cert in "${expired_certificates[@]}"; do + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}" + done + + for exp_cert in "${expired_certificates[@]}"; do + rm -f "${exp_cert}" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Certificate deleted: '%s'.\e[0m\n" "${exp_cert}" + basename=$(basename "${exp_cert}") + mozilla_entry="mozilla/${basename%.pem}.crt" + mozilla_entry="${mozilla_entry%.crt}.crt" + declare ca_conf="/etc/ca-certificates.conf" + if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then + sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}" + fi + done + + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Updating the certificate cache ... \e[0m\n" + update-ca-certificates --fresh + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Updating the certificate cache done.\e[0m\n" + # sleep 1 +fi + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
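Review bot: The deselection written to `/etc/ca-certificates.conf` uses a `#` prefix, which `update-ca-certificates` treats as a comment rather than a deselection; as far as I can tell the `ca-certificates` postinst regenerates that file on upgrade and only keeps `!`-prefixed entries as deselected, so the expired CA returns at the next package update, and the `rm -f` under `/usr/share/ca-certificates` is undone by the same upgrade. Change the sed to `sed -i "s|^${mozilla_entry}$|!${mozilla_entry}|" "${ca_conf}"` so the `!` entry is the part that sticks. Separately, `check_certificates` runs `openssl x509 -in "${cert}"` on every `*.pem` under `/etc/letsencrypt`, which includes private keys and other non-certificate files; under `set -e -o pipefail` the first such file makes the command substitution fail and aborts the hook after the bundles were already rewritten. Skip non-certificate files explicitly instead of letting `openssl` decide the fate of the build:
```shell
# … unchanged: loop over ${search_dirs[@]} and find -print0 …
if ! cert_date=$(openssl x509 -in "${cert}" -noout -enddate 2> /dev/null); then
  continue # not an X.509 certificate (e.g. privkey*.pem under /etc/letsencrypt)
fi
cert_date="${cert_date#notAfter=}"
cert_date_seconds=$(date -d "${cert_date}" +%s)
# … unchanged: expiry comparison and expired_certificates+=() …
```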
diff --git a/config/hooks/live/9930_hardening_ssh.chroot b/config/hooks/live/9930_hardening_ssh.chroot new file mode 100644 index 0000000..7b92f57 --- /dev/null +++ b/config/hooks/live/9930_hardening_ssh.chroot 
@@ -0,0 +1,64 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /etc/ssh || { + printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n" +} +rm -rf ssh_host_*key* + +ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)" +ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)" + +awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe +rm -rf /etc/ssh/moduli +mv /etc/ssh/moduli.safe /etc/ssh/moduli + +chmod 0600 /etc/ssh/ssh_host_*_key +chown root:root /etc/ssh/ssh_host_*_key +chmod 0644 /etc/ssh/ssh_host_*_key.pub +chown root:root /etc/ssh/ssh_host_*_key.pub + +chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config + +touch /root/sshfp +ssh-keygen -r @ >| /root/sshfp + +########################################################################################### +# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only # +# environment variables: TMOUT and HISTFILE. # +# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.# +# readonly HISTFILE ensures that the command history cannot be changed. # +# The chmod +x command ensures that the file is executed in every shell session. 
# +########################################################################################### +cat << 'EOF' >| /etc/profile.d/idle-users.sh +declare -girx TMOUT=14400 +EOF + +chmod +x /etc/profile.d/idle-users.sh + +mkdir -p /etc/systemd/system/ssh.service.d +cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf +[Unit] +After=ufw.service +Requires=ufw.service +EOF +chmod 0644 /etc/systemd/system/ssh.service.d/override.conf + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9940_hardening_memory.dump.chroot b/config/hooks/live/9940_hardening_memory.dump.chroot new file mode 100644 index 0000000..e12be78 --- /dev/null +++ b/config/hooks/live/9940_hardening_memory.dump.chroot 
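Review bot: The host keys generated by the two `ssh-keygen` calls are baked into the image, so every machine booted from this live build presents the same `ssh_host_ed25519_key` and `ssh_host_rsa_key` (and `/root/sshfp` advertises exactly those); anyone with a copy of the image can impersonate any of those hosts, and host-key pinning across the fleet becomes meaningless. Generate per-host keys on first boot instead: remove the keys in the chroot and add a oneshot unit ordered `Before=ssh.service` that runs the same `ssh-keygen` commands only when the key files are absent. Two smaller things: the `cd /etc/ssh || { printf ... }` block prints (with a stray `m` from `\e[91mm`) but does not `exit 1`, so `rm -rf ssh_host_*key*` runs in whatever the current directory is; and the header comment promises a read-only `HISTFILE` that the heredoc never sets, while `chmod +x` on a sourced `profile.d` file has no effect. `Requires=ufw.service` on `ssh.service` is fail-closed and looks deliberate, but say so in a comment next to the override.
```shell
# … unchanged: moduli filtering and sshd_config permissions …
rm -f /etc/ssh/ssh_host_*key* # host keys are generated per host on first boot, never in the image
cat << 'EOF' >| /etc/systemd/system/ssh-host-keys.service
[Unit]
Description=Generate SSH host keys on first boot
Before=ssh.service
ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
ExecStart=/usr/bin/ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key

[Install]
WantedBy=multi-user.target
EOF
ln -sf /etc/systemd/system/ssh-host-keys.service /etc/systemd/system/multi-user.target.wants/ssh-host-keys.service
```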
@@ -0,0 +1,37 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak +chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak +sed -i "/#* soft core 0/ i\* soft core 0" /etc/security/limits.conf +sed -i "/#root hard core 100000/ i\* hard core 0" /etc/security/limits.conf + +if [[ ! -d /etc/systemd/coredump.conf.d ]]; then + mkdir -p /etc/systemd/coredump.conf.d +fi + +touch /etc/systemd/coredump.conf.d/disable.conf +chmod 0644 /etc/systemd/coredump.conf.d/disable.conf +cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf +[Coredump] +Storage=none +EOF + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot new file mode 100644 index 0000000..2b98801 --- /dev/null +++ b/config/hooks/live/9950_fail2ban_hardening.chroot 
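Review bot: `Storage=none` only stops systemd-coredump from writing the dump to disk; the helper still receives the full core over the pipe and logs process metadata, and `fs.suid_dumpable` is left untouched, so add `ProcessSizeMax=0` to the `[Coredump]` drop-in (the man page documents the pair as disabling core handling) and a sysctl drop-in with `fs.suid_dumpable = 0`. The two `sed -i ... i\...` lines are silent no-ops when the template lines `#* soft core 0` and `#root hard core 100000` are not present in the installed `limits.conf`, and they duplicate the entries on every re-run; a drop-in `/etc/security/limits.d/10-ciss-core.conf` containing `* soft core 0` and `* hard core 0` is deterministic and idempotent. `cp -u` writes into `/root/.ciss/dlb/backup/`, which this hook does not create; it relies on an earlier hook having done so, which is worth a comment.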
@@ -0,0 +1,148 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root + +cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak +chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak + +### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305 +sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf + +mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak +chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak + +cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework. 
+# SPDX-PackageName: CISS.2025.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +[DEFAULT] +usedns = yes +# local | vpn +ignoreip = 127.0.0.0/8 ::1 MUST_BE_SET +maxretry = 8 +findtime = 24h +bantime = 24h + +### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused] +### Jump host mistyped 1–3 times: no ban, only after four attempts [sshd] + +[sshd] +enabled = true +backend = systemd +filter = sshd +mode = normal +port = MUST_BE_SET +protocol = tcp +logpath = /var/log/auth.log +maxretry = 4 +findtime = 24h +bantime = 24h + +[sshd-refused] +enabled = true +filter = sshd-refused +port = MUST_BE_SET +protocol = tcp +logpath = /var/log/auth.log +maxretry = 1 +findtime = 24h +bantime = 24h + +# ufw aggressive approach: +# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...). +# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt. + +[ufw] +enabled = true +filter = ufw.aggressive +action = iptables-allports +logpath = /var/log/ufw.log +maxretry = 1 +findtime = 24h +bantime = 24h +protocol = tcp,udp + +EOF + +cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf +[Definition] +failregex = ^.*UFW BLOCK.* SRC= .*DPT=\d+ .* +EOF + +cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf +[Definition] +failregex = ^refused connect from \S+ \(\) +EOF + +########################################################################################### +# Remarks: hardening of fail2ban systemd # +########################################################################################### +# https://wiki.archlinux.org/title/fail2ban#Service_hardening # +# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read # +# access to every directory and file. 
CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to # +# operate # on any firewall that has a command-line shell interface. By using # +# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths # +# allows Fail2ban to have write access on required paths. # +########################################################################################### +mkdir -p /etc/systemd/system/fail2ban.service.d +mkdir /var/log/fail2ban + +cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf +[Service] +PrivateDevices=yes +PrivateTmp=yes +ProtectHome=read-only +ProtectSystem=strict +ReadWritePaths=-/var/run/fail2ban +ReadWritePaths=-/var/lib/fail2ban +ReadWritePaths=-/var/log/fail2ban +ReadWritePaths=-/var/spool/postfix/maildrop +ReadWritePaths=-/run/xtables.lock +CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW + +### Added by CISS.debian.live.builder +ProtectClock=true +ProtectHostname=true + +EOF + +cat << 'EOF' >> /etc/fail2ban/fail2ban.local +[Definition] +logtarget = /var/log/fail2ban/fail2ban.log +EOF + +########################################################################################### +# Remarks: Logrotate must be updated either # +########################################################################################### +cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak +sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban +touch /var/log/fail2ban/fail2ban.log +chmod 640 /var/log/fail2ban/fail2ban.log + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9960_disable_services.chroot b/config/hooks/live/9960_disable_services.chroot new file mode 100644 index 0000000..a970eb4 --- /dev/null +++ b/config/hooks/live/9960_disable_services.chroot 
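Review bot: Both custom filters lack a `<HOST>` capture, which fail2ban requires in every `failregex` to know which address to ban; as written the `[ufw]` and `[sshd-refused]` jails are rejected with a 'No host group' error at load time and ban nothing. Change them to `failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*` and `failregex = ^refused connect from \S+ \(<HOST>\)` (the original `\(\)` would also only ever match an empty pair of parentheses). The `MUST_BE_SET` placeholders in `port =` and `ignoreip =` are not checked either; a trailing `grep -q MUST_BE_SET /etc/fail2ban/jail.d/centurion-default.conf && exit 1`, or `fail2ban-client -t` in the chroot if the packaged version supports it, turns a forgotten edit into a build failure instead of a fail2ban that refuses to start on the target. Note also that `[sshd]` sets `backend = systemd` while `[sshd-refused]` and `[ufw]` depend on `/var/log/auth.log` and `/var/log/ufw.log`, which only exist when a syslog daemon is installed in the image, and `mkdir /var/log/fail2ban` without `-p` aborts the hook under `set -e` if the directory already exists.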
@@ -0,0 +1,31 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+###########################################################################################
+# Remarks: Turn off Energy saving mode and ctrl-alt-del #
+###########################################################################################
+declare target=""
+for target in sleep.target suspend.target hibernate.target hybrid-sleep.target ctrl-alt-del.target; do
+ ln -sf /dev/null "/etc/systemd/system/${target}"
+done
+
+unset target
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9970_remove_exim.chroot b/config/hooks/live/9970_remove_exim.chroot
new file mode 100644
index 0000000..4756426
--- /dev/null
+++ b/config/hooks/live/9970_remove_exim.chroot
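Review bot: `ln -sf /dev/null "/etc/systemd/system/${target}"` is a hand-rolled `systemctl mask`; `systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target ctrl-alt-del.target` does the same offline in the chroot and records the intent where `systemctl status` shows it. The header comment says 'Energy saving mode', but what is masked is suspend/hibernate plus the Ctrl-Alt-Del reboot trigger; say that, e.g. `# Mask suspend/hibernate targets and the ctrl-alt-del reboot trigger (equivalent to systemctl mask)`.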
@@ -0,0 +1,40 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /etc + +apt-get purge exim4 -y +apt-get purge exim4-base -y +apt-get purge exim4-config -y + +apt-get autoremove -y +apt-get autoclean -y +apt-get autopurge -y + +apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config + +apt-get update -y +apt-get upgrade -y + +if [[ -d /etc/exim4 ]]; then + rm -rf /etc/exim4 +fi + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9980_usb_guard.chroot b/config/hooks/live/9980_usb_guard.chroot new file mode 100644 index 0000000..0a1d35c --- /dev/null +++ b/config/hooks/live/9980_usb_guard.chroot 
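Review bot: `apt-mark hold` on packages that were just purged is a weak way to keep them out of the image, and the same set is purged and held again in `9990_final_purge.chroot`, so this hook is largely redundant with that one. The mechanism apt documents for preventing installation is a negative pin: a file in `/etc/apt/preferences.d/` with `Package: exim4*` / `Pin: release *` / `Pin-Priority: -1`. The `apt-get update -y` plus `apt-get upgrade -y` in the middle of this hook fetches whatever the mirror serves at build time and is repeated in 9990; if reproducible builds matter, do the upgrade once in a dedicated hook (ideally against a snapshot mirror) rather than twice. `cd /etc` has no effect on anything that follows and can go.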
@@ -0,0 +1,45 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +apt-get install -y usbguard + +# sleep 1 + +# Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm +touch /tmp/rules.conf +usbguard generate-policy >> /tmp/rules.conf + +if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then + mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak + cp -a /tmp/rules.conf /etc/usbguard/rules.conf + chmod 0600 /etc/usbguard/rules.conf +else + rm -f /etc/usbguard/rules.conf + cp -a /tmp/rules.conf /etc/usbguard/rules.conf + chmod 0600 /etc/usbguard/rules.conf +fi + +cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak +sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf +# sleep 1 + +rm -f /tmp/rules.conf + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9985_clamav.chroot b/config/hooks/live/9985_clamav.chroot new file mode 100644 index 0000000..61513c6 --- /dev/null +++ b/config/hooks/live/9985_clamav.chroot 
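Review bot: `usbguard generate-policy` runs inside the build chroot, so the allow rules written to `/etc/usbguard/rules.conf` describe the USB devices attached to the build host (with their serials and hashes), not the target machine; the image therefore ships an unrelated whitelist and leaks the builder's device inventory into every copy. Combined with `PresentDevicePolicy=allow`, the effective behaviour on the target is 'everything present at boot is allowed, anything hot-plugged later is blocked unless it happens to match a build-host device', which is probably not the intended policy. Either ship an empty or explicitly authored `rules.conf` and document that only boot-time devices are trusted, or generate the policy on first boot with a oneshot unit conditioned on the file being absent. The two branches of the `if` perform the same `cp`/`chmod`; only the backup `mv` needs to be conditional.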
@@ -0,0 +1,77 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +mkdir -p /etc/systemd/system/clamav-daemon.service.d +cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf +[Service] +User=clamav +Group=clamav +ProtectSystem=full +ProtectHome=read-only +PrivateTmp=yes +NoNewPrivileges=yes +PermissionsStartOnly=true +ExecStartPre=/bin/mkdir -p /run/clamav +ExecStartPre=/bin/chown clamav:clamav /run/clamav +ExecStartPre=/bin/chmod 750 /run/clamav + +ReadOnlyPaths=/ +ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav + +MemoryDenyWriteExecute=yes +MemoryLimit=512M +CPUShares=512 + +RestrictAddressFamilies=AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +SystemCallFilter=@system-service +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE + +EOF +chmod 0644 /etc/systemd/system/clamav-daemon.service.d/override.conf + +mkdir -p /etc/systemd/system/clamav-freshclam.service.d +cat << 'EOF' >| /etc/systemd/system/clamav-freshclam.service.d/override.conf +[Service] +User=clamav +Group=clamav +ProtectSystem=full +ProtectHome=read-only +PrivateTmp=yes +NoNewPrivileges=yes + +ReadOnlyPaths=/ +ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav + +MemoryDenyWriteExecute=yes +MemoryLimit=512M +CPUShares=512 + +RestrictAddressFamilies=AF_INET AF_INET6 
+RestrictNamespaces=yes +RestrictRealtime=yes +SystemCallFilter=@system-service +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE + +EOF +chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9990_final_purge.chroot b/config/hooks/live/9990_final_purge.chroot new file mode 100644 index 0000000..7623a1d --- /dev/null +++ b/config/hooks/live/9990_final_purge.chroot 
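Review bot: `RestrictAddressFamilies=AF_INET AF_INET6` omits `AF_UNIX`, yet Debian's default `clamd.conf` has clamd listen on `LocalSocket /var/run/clamav/clamd.ctl` and both daemons log to syslog/journald over a Unix socket; with this drop-in clamd cannot create its control socket and fails at start, so add `AF_UNIX` to both overrides. `MemoryLimit=` and `CPUShares=` are the deprecated cgroup-v1 names (use `MemoryMax=` and `CPUWeight=`), and 512M is below what clamd typically needs with the current signature databases loaded, so the unit would be OOM-killed rather than throttled; measure on the target and set `MemoryMax=` above the observed RSS, or drop it. `PermissionsStartOnly=true` is likewise deprecated in favour of `ExecStartPre=+/bin/mkdir -p /run/clamav` on each pre-start line. `MemoryDenyWriteExecute=yes` will break the ClamAV bytecode JIT if the packaged build enables it; confirm with `clamconf` before shipping.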
@@ -0,0 +1,59 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +apt-get update -y + +apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \ +qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc + +apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \ +qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc + +dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true + +if [[ -s /tmp/deinstall.log ]]; then + printf "\n" + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Packages to purge ... \e[0m\n" + sed -i 's!deinstall!!' /tmp/deinstall.log + while IFS= read -r line; do + declare trimmed_string + trimmed_string=$(echo "$line" | awk '{$1=$1};1') + echo "y" | apt-get purge "${trimmed_string}" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Package '%s' purged. \e[0m\n" "${trimmed_string}" + # sleep 1 + done < /tmp/deinstall.log + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Packages to purge done. \e[0m\n" +else + printf "\n" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… No Packages to purge, proceeding with clean up. 
\e[0m\n" +fi + +apt-get update -y +apt-get upgrade -y + +rm -f /tmp/deinstall.log +rm -fr /opt/udebs +apt-get autoclean -y +apt-get autoremove -y +apt-get autopurge -y + +updatedb + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' successful applied. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9991_file_permissions.chroot b/config/hooks/live/9991_file_permissions.chroot new file mode 100644 index 0000000..6f034b4 --- /dev/null +++ b/config/hooks/live/9991_file_permissions.chroot 
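Review bot: `echo "y" | apt-get purge "${trimmed_string}"` in the purge loop answers apt's prompt through a pipe, which is fragile (apt may ask more than one question, or none) and inconsistent with the `-y` the hook uses on every other apt-get call; `apt-get purge -y "${trimmed_string}"` is the consistent form. The `dpkg --get-selections | grep deinstall` line plus the `sed`/`awk` trimming can be collapsed into `dpkg --get-selections | awk '$2 == "deinstall" { print $1 }' >| /tmp/deinstall.log`, which matches the state column exactly rather than any package name containing the word and starts from a fresh file instead of appending to whatever an earlier run left behind (`>>` is not covered by `set -C`). Because the loop runs under `set -e`, a single failing purge aborts the hook before the upgrade/autoremove steps; if best-effort removal is intended, the `|| true` pattern already used on the grep line belongs on the purge as well.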
@@ -0,0 +1,105 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +chmod 0644 /etc/banner +chmod 0644 /etc/issue +chmod 0644 /etc/issue.net + +if [[ -f /etc/motd ]]; then + cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak + chmod 0644 /root/.ciss/dlb/backup/motd.bak + rm /etc/motd +fi + +touch /etc/motd +cat << EOF >| /etc/motd + + (c) Marc S. 
Weidner, 2018 - 2025 + (p) Centurion Press, 2018 - 2025 + Centurion Intelligence Consulting Agency (tm) + https://coresecret.eu/ + Please consider making a donation: + https://coresecret.eu/spenden/ + + +EOF + +cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak + +sed -i 's/UMASK 022/UMASK 077/' /etc/login.defs +sed -i 's/PASS_MAX_DAYS 99999/PASS_MAX_DAYS 16384/' /etc/login.defs +sed -i 's/PASS_MIN_DAYS 0/PASS_MIN_DAYS 1/' /etc/login.defs +sed -i 's/PASS_WARN_AGE 7/PASS_WARN_AGE 128/' /etc/login.defs +sed -i 's/ENCRYPT_METHOD SHA512/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs +sed -i 's/#SHA_CRYPT_MIN_ROUNDS 5000/SHA_CRYPT_MIN_ROUNDS 8388608/' /etc/login.defs +sed -i 's/#SHA_CRYPT_MAX_ROUNDS 5000/SHA_CRYPT_MAX_ROUNDS 8388608/' /etc/login.defs +sed -i 's/#YESCRYPT_COST_FACTOR 5/YESCRYPT_COST_FACTOR 8/' /etc/login.defs + +if [[ -f /etc/cron.deny ]]; then + rm /etc/cron.deny +fi + +if [[ -f /etc/cron.allow ]]; then + cp -u /etc/cron.allow /root/.backup/cron.allow.bak + chmod 644 /root/.backup/cron.allow.bak + chmod 600 /etc/cron.allow + cat << EOF >| /etc/cron.allow +root +EOF + +else + touch /etc/cron.allow + chmod 0600 /etc/cron.allow + cat << EOF >| /etc/cron.allow +root +EOF +fi + +chmod g-wx,o-rwx /etc/cron.allow +chown root:root /etc/cron.allow +chmod 0640 /etc/shadow +chown root:shadow /etc/shadow + +chmod 0700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly +chmod 0700 /etc/sudoers.d +chmod 0600 /etc/crontab + +chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config + +chmod 0750 /home + +if chmod 0750 /var/spool/apt-mirror; then :; fi + +mkdir /root/.ansible + +declare bin +declare target +for bin in as gcc g++ cc clang; do + target=$(readlink -f "/usr/bin/${bin}") || { + printf "\e[92mβœ… Info: '%s' not found, skipping. \e[0m\n" "${bin}" + continue + } + chmod 700 "${target}" || { + printf "\e[92m❌ Error: chmod failed for '%s', skipping. 
\e[0m\n" "${bin}" + } +done +unset bin target + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' successful applied. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9992_password_expiration.chroot b/config/hooks/live/9992_password_expiration.chroot new file mode 100644 index 0000000..6b236ad --- /dev/null +++ b/config/hooks/live/9992_password_expiration.chroot 
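Review bot: The `sed -i 's/UMASK 022/UMASK 077/'` line and the PASS_*/ENCRYPT_METHOD/SHA_CRYPT/YESCRYPT lines after it match a single literal space between keyword and value, while the login.defs shipped by Debian's shadow package separates at least some of these with tabs, so several substitutions may silently not apply — `sed -i` exits 0 whether or not a pattern matched and `set -e` cannot notice. Anchoring on the keyword with flexible whitespace, e.g. `sed -i -E 's/^(UMASK)[[:space:]]+.*/\1\t077/' /etc/login.defs`, and following the block with `grep -E '^(UMASK|PASS_MAX_DAYS|ENCRYPT_METHOD)[[:space:]]' /etc/login.defs` would make the hardening verifiable; the same silent-no-match concern applies to the `sed -i` lines in 9993_aide.chroot and 9995_sysstat.chroot. Separately, the cron.allow backup goes to `/root/.backup/` while every other backup in this hook uses `/root/.ciss/dlb/backup/`; if that directory is not pre-created the `cp -u` fails and, under `set -e`, aborts the hook before the /etc/shadow and cron permission lines run. In the compiler loop, GNU `readlink -f` resolves a missing `/usr/bin/${bin}` to itself with exit 0 as long as /usr/bin exists, so the "not found, skipping" branch is effectively unreachable and absent compilers surface as the chmod error instead — `[[ -e /usr/bin/${bin} ]]` or `command -v "${bin}"` is the test that was intended.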
@@ -0,0 +1,52 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +if ! command -v chage &>/dev/null; then + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Info: 'chage' NOT found. Exiting hook ... \e[0m\n" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" + # sleep 1 + exit 0 +fi + +declare -i max_days=16384 +mapfile -t users_to_update < <( + awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow +) + +if [[ ${#users_to_update[@]} -eq 0 ]]; then + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" + # sleep 1 + exit 0 +fi + +declare user +for user in "${users_to_update[@]}"; do + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}" + chage --maxdays "$max_days" "$user" +done + +unset max_days user users_to_update + +awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… All applicable accounts have been updated. \e[0m\n" + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. 
\e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9993_aide.chroot b/config/hooks/live/9993_aide.chroot new file mode 100644 index 0000000..dea2987 --- /dev/null +++ b/config/hooks/live/9993_aide.chroot @@ -0,0 +1,32 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +apt-get install -y aide + +cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak +sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf + +if aideinit; then + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… 'aideinit' successful. \e[0m\n" +else + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2 +fi + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9994_password_policy.chroot b/config/hooks/live/9994_password_policy.chroot new file mode 100644 index 0000000..9b8fe3c --- /dev/null +++ b/config/hooks/live/9994_password_policy.chroot 
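Review bot: The final `awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow` prints the second field — the password hash — of any account with a legacy 13-character DES hash to stdout, and hook output is captured in the live-build log, so hash material from /etc/shadow would be copied into the build output. Print only the account name, `{ print $1 }`, and say what the finding means, e.g. `### legacy DES hashes cannot be rehashed in place; list the accounts so their passwords get reset`. The `/^\$[0-9]/` prefix test does not describe the yescrypt hashes this image configures (`$y$` starts with a letter), but the `length($2)==13` test already carries the detection, so the prefix test can be dropped. Note also that the selection `$2 !~ /^[!*]/` includes accounts with an empty password field; `chage --maxdays` on those is harmless, but if the intent is "accounts with a password set", `length($2) > 1` would express it.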
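Review bot: When `aideinit` fails the else branch prints an error to stderr but the hook still prints `'%s' applied successfully` and exits 0, so a build whose AIDE baseline was never created passes as hardened; either `exit 1` in the else branch or change the final message so the log distinguishes the two outcomes. The `sed -i "s/Checksums = H/Checksums = sha512/"` replaces AIDE's `H` group (all compiled-in hashes) with sha512 alone — fewer algorithms per file, not more — and, like any `sed -i`, succeeds silently if the shipped aide.conf does not contain that exact text. A comment stating the intent, e.g. `### single strong hash keeps database builds fast; H would compute every algorithm`, and a `grep -q '^Checksums = sha512' /etc/aide/aide.conf` after the edit would make both the choice and its effect explicit.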
@@ -0,0 +1,135 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### NIST recommends at least eight characters but advises longer passphrases (e.g., 12–64) for increased security. +### NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html + +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak +chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak + +cat << 'EOF' >| /etc/security/pwquality.conf +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Current recommendations for '/etc/security/pwquality.conf' based on common best practices, +### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html +### and weighing usability against security. 
+ +### Configuration for systemwide password quality limits +### Defaults: + +### Number of characters in the new password that must not be present in the +### old password. +difok = 4 + +### Length over complexity: Studies show that longer passphrases are significantly more +### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters +### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a +### good balance between security and user convenience. +### Minimum acceptable size for the new password (plus one if +### credits are not disabled, which is the default). (See pam_cracklib manual.) +### Cannot be set to a lower value than 6. +minlen = 20 + +### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0 +### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase) +### because they can lead users to adopt predictable patterns (e.g., β€œPa$$word!”). +### Length and dictionary checks are more effective. + + ### The maximum credit for having digits in the new password. If less than 0 + ### it is the minimum number of digits in the new password. + dcredit = 0 + + ### The maximum credit for having uppercase characters in the new password. + ### If less than 0, it is the minimum number of uppercase characters in the new + ### password. + ucredit = 0 + + ### The maximum credit for having lowercase characters in the new password. + ### If less than 0, it is the minimum number of lowercase characters in the new + ### password. + lcredit = 0 + + ### The maximum credit for having other characters in the new password. + ### If less than 0, it is the minimum number of other characters in the new + ### password. + ocredit = 0 + + ### The minimum number of required classes of characters for the new + ### password (digits, uppercase, lowercase, others). + minclass = 0 + +### The maximum number of allowed consecutive same characters in the new password. 
+### The check is disabled if the value is 0. +maxrepeat = 2 + +### The maximum number of allowed consecutive characters of the same class in the +### new password. +### The check is disabled if the value is 0. +maxclassrepeat = 4 + +### Whether to check for the words from the passwd entry GECOS string of the user. +### The check is enabled if the value is not 0. +### gecoscheck = 0 + +### Whether to check for the words from the cracklib dictionary. +### The check is enabled if the value is not 0. +dictcheck = 1 + +### Whether to check if it contains the username in some form. +### The check is enabled if the value is not 0. +usercheck = 1 + +### Length of substrings from the username to check for in the password +### The check is enabled if the value is greater than 0, and the usercheck is enabled. +usersubstr = 3 + +### Whether the check is enforced by the PAM module and possibly other +### applications. +### The new password is rejected if it fails the check, and the value is not 0. +enforcing = 1 + +### Path to the cracklib dictionaries. The default is to use the cracklib default. +dictpath = + +# Prompt user at most N times before returning with error. The default is 1. +retry = 3 + +# Enforces pwquality checks on the root user password. +# Enabled if the option is present. +enforce_for_root + +# Skip testing the password quality for users that are not present in the +# /etc/passwd file. +# Enabled if the option is present. +local_users_only + +EOF + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9995_sysstat.chroot b/config/hooks/live/9995_sysstat.chroot new file mode 100644 index 0000000..25d26e2 --- /dev/null +++ b/config/hooks/live/9995_sysstat.chroot 
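Review bot: The hook opens with `cp -a /etc/security/pwquality.conf ...`, which under `set -e` aborts if libpam-pwquality (the package that ships that file and the PAM module that reads it) is not yet in the image; 9993_aide.chroot installs its own package first, and an `apt-get install -y libpam-pwquality` before the copy would make this hook self-contained and ensure the policy is enforced by pam_pwquality rather than merely written to disk. In the generated file, `dictpath =` is left active with an empty value where Debian ships it commented out; unless it has been confirmed that libpwquality treats the empty value as "use the default", keep it as `# dictpath =`. The indented `dcredit`/`ucredit`/`lcredit`/`ocredit`/`minclass` entries should probably be flush-left like the rest of the file — the parser tolerates leading whitespace as far as I know, but the mixed indentation reads as if those lines were meant to be commented out.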
@@ -0,0 +1,23 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}" +# sleep 1 + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot new file mode 100644 index 0000000..13fc4fe --- /dev/null +++ b/config/hooks/live/9996_auditd.chroot 
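Review bot: `sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat` fails under `set -e` if the sysstat package is not in the image (the file is shipped by it), and succeeds silently if the file exists but has no `ENABLED=` line, so neither outcome tells the build whether collection was actually enabled. Either install the package here as 9993_aide.chroot does (`apt-get install -y sysstat`) or guard with `[[ -f /etc/default/sysstat ]]`, and follow the edit with `grep -q '^ENABLED="true"' /etc/default/sysstat` so a no-op substitution fails the hook.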
@@ -0,0 +1,332 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### https://github.com/linux-audit/audit-userspace/tree/master/rules + +set -C -e -u -o pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" +# sleep 1 + +cd /root + +apt-get install auditd -y + +cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak +cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak +cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak +rm -rf /etc/audit/rules.d/audit.rules + +############################################################### /etc/audit/rules.d/10-base-config.rules +cat << EOF >| /etc/audit/rules.d/10-base-config.rules +## First rule - delete all +-D + +## Increase the buffers to survive stress events. +## Make this bigger for busy systems +-b 8192 + +## This determine how long to wait in burst of events +--backlog_wait_time 60000 + +## Set failure mode to syslog +-f 1 +EOF + +############################################################### /etc/audit/rules.d/11-loginuid.rules +cat << EOF >| /etc/audit/rules.d/11-loginuid.rules +--loginuid-immutable +EOF + +############################################################### /etc/audit/rules.d/20-dont-audit.rules +cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules +## This is for don't audit rules. We put these early because audit +### is a first match wins system. Uncomment the rules you want. 
+ +## Cron jobs fill the logs with stuff we normally don't want +-a never,user -F subj_type=crond_t + +## This prevents chrony from overwhelming the logs +-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t + +### This is not very interesting and wastes a lot of space if +### the server is public facing +-a always,exclude -F msgtype=CRYPTO_KEY_USER +EOF + +############################################################### /etc/audit/rules.d/21-no32bit.rules +cat << EOF >| /etc/audit/rules.d/21-no32bit.rules +## If you are on a 64 bit platform, everything _should_ be running +## in 64 bit mode. This rule will detect any use of the 32 bit syscalls +## because this might be a sign of someone exploiting a hole in the 32 +## bit ABI. +-a always,exit -F arch=b32 -S all -F key=32bit-abi +EOF + +############################################################### /etc/audit/rules.d/22-ignore-chrony.rules +cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules +## This rule suppresses the time-change event when chrony does time updates +-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t +-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules +## Unsuccessful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules +## Successful file creation (open with O_CREAT) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create +EOF + +############################################################### 
/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules +## Unsuccessful file modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules +## Successful file 
modifications (open for write or truncate) +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules +## Unsuccessful file access (any other opens) This has to go last. +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules +## Successful file access (any other opens) This has to go last. 
+## These next two are likely to result in a whole lot of events +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules +## Unsuccessful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules +## Successful file delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules +## Unsuccessful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules +## Successful permission change +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules +## Unsuccessful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F 
key=unsuccessful-owner-change +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules +## Successful ownership change +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change +EOF + +############################################################### /etc/audit/rules.d/30-ospp-v42.rules +cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules +## The purpose of these rules is to meet the requirements for Operating +## System Protection Profile (OSPP)v4.2. These rules depends on having +## the following rule files copied to /etc/audit/rules.d: +## +## 10-base-config.rules, 11-loginuid.rules, +## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules, +## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules, +## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules, +## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules, +## 30-ospp-v42-5-perm-change-failed.rules, +## 30-ospp-v42-5-perm-change-success.rules, +## 30-ospp-v42-6-owner-change-failed.rules, +## 30-ospp-v42-6-owner-change-success.rules +## +## original copies may be found in /usr/share/audit-rules + + +## User add delete modify. This is covered by pam. 
However, someone could +## open a file and directly create or modify a user, so we'll watch passwd and +## shadow for writes +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + +## User enable and disable. This is entirely handled by pam. + +## Group add delete modify. This is covered by pam. 
However, someone could
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+
+
+## Use of special rights for config changes. This would be use of setuid
+## programs that relate to user accts. This is not all setuid apps because
+## requirements are only for ones that affect system configuration.
+-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit
-F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+
+## Privilege escalation via su or sudo. This is entirely handled by pam.
+## Special case for systemd-run. It is not audit aware, specifically watch it
+-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
+## Special case for pkexec.
It is not audit aware, specifically watch it
+-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
+-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
+
+
+## Watch for configuration changes to privilege escalation.
+-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
+
+## Audit log access
+-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+## Attempts to Alter Process and Session Initiation Information
+-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+
+## Attempts to modify MAC controls
+-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+
+## Software updates. This is entirely handled by rpm.
+
+## System start and shutdown.
This is entirely handled by systemd
+
+## Kernel Module loading. This is handled in 43-module-load.rules
+
+## Application invocation. The requirements list an optional requirement
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+## state results from that policy. This would be handled entirely by
+## that daemon.
+EOF
+
+############################################################### /etc/audit/rules.d/99-finalize.rules
+cat << EOF >| /etc/audit/rules.d/99-finalize.rules
+-e 2
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9997_debsums.chroot b/config/hooks/live/9997_debsums.chroot
new file mode 100644
index 0000000..7bedd45
--- /dev/null
+++ b/config/hooks/live/9997_debsums.chroot
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+cd /root
+
+apt-get install --no-install-recommends debsums -y
+
+cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
+chmod 0644 /root/.ciss/dlb/backup/debsums.bak
+sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
+
+if debsums -g; then
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… 'debsums -g' successful. \e[0m\n"
+else
+ # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/hooks/live/9998_sources_list.chroot b/config/hooks/live/9998_sources_list.chroot
new file mode 100644
index 0000000..3e4fc44
--- /dev/null
+++ b/config/hooks/live/9998_sources_list.chroot
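Review bot: The failure branch of `if debsums -g` redirects its only diagnostic to `/dev/null 2>&1`, so a build in which debsums reports packages without checksums leaves no trace in the build log at all; the comment says the output is a false negative at startup, but discarding the message also hides a real failure later. Keep the branch non-fatal but send the message to stderr, i.e. replace `> /dev/null 2>&1` with `>&2`, and reword the comment to `# Non-fatal: debsums -g is known to report packages without md5sums on a fresh chroot`. The `sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/"` line silently does nothing if the default file no longer contains that exact value; a follow-up `grep -q '^CRON_CHECK=monthly' /etc/default/debsums` under the existing `set -e` would make that visible.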
@@ -0,0 +1,59 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+cd /root
+
+if [[ -f /etc/apt/sources.list ]]; then
+ mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
+fi
+
+cat << 'EOF' >| /etc/apt/sources.list
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#-----------------------------------------------------------------------------------------#
+# OFFICIAL DEBIAN REPOS
+#-----------------------------------------------------------------------------------------#
+
+### Debian Main Repos Bookworm
+
+deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
+
+deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/hooks/live/9999_interfaces_update.chroot b/config/hooks/live/9999_interfaces_update.chroot
new file mode 100644
index 0000000..533a28d
--- /dev/null
+++ b/config/hooks/live/9999_interfaces_update.chroot
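Review bot: The two `bookworm-security` entries fetch over `http://security.debian.org/debian-security` while every other entry in the same heredoc uses `https://deb.debian.org`; APT's signature verification protects integrity either way, but the plaintext transport still reveals to the network which security updates a host is pulling, and the mix is inconsistent. security.debian.org serves HTTPS, so change both lines to `deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware` and the matching `deb-src` line. Separately, `deb-src` is enabled for all four suites; if source packages are not needed on the live image, each of those lines costs an extra index download on every `apt-get update` and could be commented out with a note saying why.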
@@ -0,0 +1,65 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
+rm -f /etc/network/interfaces
+
+cat << 'EOF' >| /etc/network/interfaces
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+### The loopback network interface
+auto lo
+iface lo inet loopback
+
+### Fully dynamic interface
+auto dynamic
+iface dynamic inet dhcp
+ pre-up \
+ IFACE=$(ip -o link show \
+ | awk -F': ' '{print $2}' \
+ | grep -m1 -v lo) && \
+ echo "Using interface $IFACE as dynamic" && \
+ ip link set dev "$IFACE" up && \
+ ip link set dev "$IFACE" name dynamic
+
+ post-down \
+ ip link set dev dynamic name "$IFACE" && \
+ echo "Restored interface name $IFACE"
+
+source /etc/network/interfaces.d/*
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod 0644 /etc/network/interfaces
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/includes.binary/boot/grub/config.cfg b/config/includes.binary/boot/grub/config.cfg
new file mode 100644
index 0000000..fa353ad
--- /dev/null
+++ b/config/includes.binary/boot/grub/config.cfg
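Review bot: The `post-down` restore cannot see the `IFACE` the `pre-up` command computed: ifupdown runs each command in its own shell and exports its own `IFACE` (the interface being processed, here `dynamic`), so as far as I can tell `post-down` executes `ip link set dev dynamic name dynamic` and the original kernel name is never restored. Persist the name in `pre-up` (for example `echo "$IFACE" > /run/dynamic.orig` — path is a placeholder) and read it back in `post-down` with `ORIG=$(cat /run/dynamic.orig) && ip link set dev dynamic name "$ORIG"`. `grep -m1 -v lo` is a substring filter, so any interface whose name contains `lo` (e.g. an onboard `wlo1`) is skipped as well; `grep -m1 -vx lo` matches only the loopback line. The same stanza is shipped verbatim in config/includes.chroot/etc/network/interfaces (L180), so both copies have this defect, and this hook rewriting a file that includes.chroot already provides is worth a comment stating why both exist; the `rm -f` after the `mv` is redundant, and the unguarded `mv` aborts under `set -e` if the file is absent, unlike the `[[ -f … ]]` guard used in 9998_sources_list.chroot.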
@@ -0,0 +1,43 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set timeout=16
+set default=0
+
+if [ x$feature_default_font_path = xy ] ; then
+ font=unicode
+else
+ font=$prefix/unicode.pf2
+fi
+
+# Copied from the netinst image
+if loadfont $font ; then
+ set gfxmode=800x600
+ set gfxpayload=keep
+ insmod efi_gop
+ insmod efi_uga
+ insmod video_bochs
+ insmod video_cirrus
+else
+ set gfxmode=auto
+ insmod all_video
+fi
+
+insmod gfxterm
+insmod png
+
+source /boot/grub/theme.cfg
+
+terminal_output gfxterm
+
+insmod play
+play 960 440 1 0 4 440 1
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/etc/banner b/config/includes.chroot/etc/banner
new file mode 100644
index 0000000..8b522c3
--- /dev/null
+++ b/config/includes.chroot/etc/banner
@@ -0,0 +1,12 @@
+
+#######################################################################
+ # #
+ ## ##
+ ###### ######## ### ## ######## ### ## ####### ### ####### ### ##
+### #### ## ### ### ## ## ### ## #### ##
+### ####### ####### ### ### ## ###### ### ## ## #######
+### ### ### ### ### ### ## ## ## ### ## ## ### ###
+ ###### ####### ### ## ### ##### ## ## ### ##### ### ##
+ # #
+#######################################################################
+
diff --git a/config/includes.chroot/etc/issue b/config/includes.chroot/etc/issue
new file mode 100644
index 0000000..5d7db26
--- /dev/null
+++ b/config/includes.chroot/etc/issue
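Review bot: config.cfg sets `set timeout=16` and `set default=0` but defines no `superusers`/`password_pbkdf2`, so anyone at the console can press `e` and change the kernel command line (including any hardening parameters) before the image boots. On a live medium this may be a deliberate trade-off, since the user already holds the ISO, but the file does not say so; add `# No GRUB password: menu editing is intentionally unrestricted on the live medium` next to the timeout, or set a superuser and password if editing is meant to be locked. The `# Copied from the netinst image` comment would also be more useful if it named which block ends where, since the `insmod gfxterm` … `play` lines below it are not part of the copied block as far as I can tell.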
@@ -0,0 +1,11 @@
+********************************************************************
+* *
+* This system is for the use of authorized users only. Usage of *
+* this system may be monitored and recorded by system personnel. *
+* *
+* Anyone using this system expressly consents to such monitoring *
+* and is advised that if such monitoring reveals possible *
+* evidence of criminal activity, system personnel may provide the *
+* evidence from such monitoring to law enforcement officials. *
+* *
+********************************************************************
diff --git a/config/includes.chroot/etc/issue.net b/config/includes.chroot/etc/issue.net
new file mode 100644
index 0000000..5d7db26
--- /dev/null
+++ b/config/includes.chroot/etc/issue.net
@@ -0,0 +1,11 @@
+********************************************************************
+* *
+* This system is for the use of authorized users only. Usage of *
+* this system may be monitored and recorded by system personnel. *
+* *
+* Anyone using this system expressly consents to such monitoring *
+* and is advised that if such monitoring reveals possible *
+* evidence of criminal activity, system personnel may provide the *
+* evidence from such monitoring to law enforcement officials. *
+* *
+********************************************************************
diff --git a/config/includes.chroot/etc/live/config.conf b/config/includes.chroot/etc/live/config.conf
new file mode 100644
index 0000000..3b838ef
--- /dev/null
+++ b/config/includes.chroot/etc/live/config.conf
@@ -0,0 +1,13 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+LIVE_CONFIGS="username"
+USERNAME=root
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf b/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
new file mode 100644
index 0000000..376ec04
--- /dev/null
+++ b/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
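Review bot: `USERNAME=root` together with `LIVE_CONFIGS="username"` is undocumented, and read next to the sshd_config in this commit (`AllowUsers root`, `PermitRootLogin prohibit-password`) it makes root the only interactive and the only SSH-reachable account on the live system. State that in the file so the next maintainer does not "fix" it, e.g. `# The live session deliberately runs as root; SSH access is key-only, see /etc/ssh/sshd_config`, and say where root's authorized_keys are expected to come from. I am inferring live-config's handling of a root username from the variable names alone; please confirm that the `username` component accepts `root` rather than creating a second account of that name.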
@@ -0,0 +1,114 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# The kernel allows unprivileged users to indirectly cause certain modules to be loaded
+# via module auto-loading. This allows an attacker to auto-load a vulnerable module which
+# is then exploited. One such example is CVE-2017-6074, in which an attacker could trigger
+# the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a
+# vulnerability in said kernel module.
+# Specific kernel modules can be blacklisted by inserting files into /etc/modprobe.d with
+# instructions on which kernel modules to blacklist.
+
+##### Disable Uncommon Network Protocols #####
+
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
+install n-hdlc /bin/true
+install ax25 /bin/true
+install netrom /bin/true
+install x25 /bin/true
+install rose /bin/true
+install decnet /bin/true
+install econet /bin/true
+install af_802154 /bin/true
+install ipx /bin/true
+install appletalk /bin/true
+install psnap /bin/true
+install p8023 /bin/true
+install p8022 /bin/true
+install can /bin/true
+install atm /bin/true
+
+# DCCP Datagram Congestion Control Protocol
+# SCTP Stream Control Transmission Protocol
+# RDS Reliable Datagram Sockets
+# TIPC Transparent Inter-process Communication
+# HDLC High-Level Data Link Control
+# AX25 Amateur X.25
+# NetRom
+# X25
+# ROSE
+# DECnet
+# Econet
+# af_802154 IEEE 802.15.4
+# IPX Internetwork Packet Exchange
+# AppleTalk
+# PSNAP Subnetwork Access Protocol
+# p8023 Novell raw IEEE 802.3
+# p8022 IEEE 802.2
+# CAN Controller Area Network
+# ATM
+
+##### Disable Uncommon Filesystems #####
+install cramfs /bin/true
+install freevxfs /bin/true
+install jffs2 /bin/true
+install hfs /bin/true
+install hfsplus /bin/true
+install udf /bin/true
+
+blacklist cramfs
+blacklist freevxfs
+blacklist jffs2
+blacklist hfs
+blacklist hfsplus
+blacklist udf
+
+##### Disable Uncommon Network Filesystems #####
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install ksmbd /bin/true
+install gfs2 /bin/true
+
+blacklist cifs
+blacklist nfs
+blacklist nfsv3
+blacklist nfsv4
+blacklist ksmbd
+blacklist gfs2
+
+# The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
+install vivid /bin/true
+
+##### Disable access to USB #####
+install usb_storage /bin/true
+blacklist usb-storage
+
+##### Disable access to IEEE1394 #####
+install firewire-core /bin/true
+
+##### Blacklist automatic loading of miscellaneous modules #####
+##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
+# evbug is a debug tool that should be loaded explicitly
+blacklist evbug
+# these drivers are very simple
+blacklist usbmouse
+blacklist usbkbd
+# causes no end of confusion by creating unexpected network interfaces
+blacklist eth1394
+# ugly and loud noise, getting on everyone's nerves
+blacklist pcspkr
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/etc/network/interfaces b/config/includes.chroot/etc/network/interfaces
new file mode 100644
index 0000000..ebd5a9a
--- /dev/null
+++ b/config/includes.chroot/etc/network/interfaces
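Review bot: Every `install <module> /bin/true` line makes an explicit `modprobe <module>` exit 0 without loading anything, so a compliance check or an installer step that relies on the exit status cannot distinguish "blocked" from "loaded"; `/bin/false` blocks the module just as effectively but returns a visible non-zero status, which is what current CIS guidance recommends. Consider switching the whole file, starting with `install dccp /bin/false`; the `blacklist` lines are unaffected. The `# DCCP … # ATM` legend sits twenty lines away from the `install` lines it explains and will drift as modules are added or removed — put each description on a comment line directly above its `install` entry instead. The file also mixes `usb_storage` (install) and `usb-storage` (blacklist); modprobe treats `-` and `_` as equivalent, but one spelling would avoid the question.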
@@ -0,0 +1,36 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+### The loopback network interface
+auto lo
+iface lo inet loopback
+
+### Fully dynamic interface
+auto dynamic
+iface dynamic inet dhcp
+ pre-up \
+ IFACE=$(ip -o link show \
+ | awk -F': ' '{print $2}' \
+ | grep -m1 -v lo) && \
+ echo "Using interface $IFACE as dynamic" && \
+ ip link set dev "$IFACE" up && \
+ ip link set dev "$IFACE" name dynamic
+
+ post-down \
+ ip link set dev dynamic name "$IFACE" && \
+ echo "Restored interface name $IFACE"
+
+source /etc/network/interfaces.d/*
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
new file mode 100644
index 0000000..6032c2b
--- /dev/null
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -0,0 +1,134 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.02.512.2025.05.30
+
+### https://www.ssh-audit.com/
+### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Protocol 2
+
+Banner /etc/banner
+DebianBanner no
+VersionAddendum none
+
+Compression no
+LogLevel VERBOSE
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Port MUST_BE_CHANGED
+AllowUsers root
+UseDNS no
+### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
+### whichever occurs first.
+RekeyLimit 1G 1h
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+PubkeyAuthentication yes
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+PermitEmptyPasswords no
+StrictModes yes
+LoginGraceTime 2m
+MaxAuthTries 3
+MaxSessions 2
+### Begin randomly dropping new unauthenticated connections after the 8th attempt,
+### with a 64% chance to drop each additional connection, up to a hard limit of 16.
+MaxStartups 08:64:16
+### Restrict each individual source IP to only 4 unauthenticated connection slot
+### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
+PerSourceMaxStartups 4
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+AuthorizedKeysFile %h/.ssh/authorized_keys
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+GatewayPorts no
+
+### A+ Rating 100/100
+RequiredRSASize 4096
+Ciphers aes256-gcm@openssh.com
+KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
+HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+
+### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+### Set this to 'yes' to enable PAM authentication, account processing,
+### and session processing. If this is enabled, PAM authentication will
+### be allowed through the ChallengeResponseAuthentication and
+### PasswordAuthentication. Depending on your PAM configuration,
+### PAM authentication via ChallengeResponseAuthentication may bypass
+### the setting of "PermitRootLogin without-password".
+### If you just want the PAM account and session checks to run without
+### PAM authentication, then enable this but set PasswordAuthentication
+### and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+### Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+### override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+PidFile /var/run/sshd.pid
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+
+### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
+### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
+HostbasedAuthentication no
+
+### Don't read the user's ~/.rhosts and ~/.shosts files
+# IgnoreRhosts yes
+
+# UsePrivilegeSeparation yes
+
+### Kerberos options
+# KerberosAuthentication no
+# KerberosOrLocalPasswd yes
+# KerberosTicketCleanup yes
+# KerberosGetAFSToken no
+
+### GSSAPI options
+# GSSAPIAuthentication no
+# GSSAPICleanupCredentials yes
+# GSSAPIStrictAcceptorCheck yes
+# GSSAPIKeyExchange no
+
+# AuthorizedPrincipalsFile none
+# AuthorizedKeysCommand none
+# AuthorizedKeysCommandUser nobody
+
+# PermitTunnel no
+# ChrootDirectory none
+# X11DisplayOffset 10
+# X11UseLocalhost yes
+# PermitTTY yes
+# PermitUserEnvironment no
+# IgnoreUserKnownHosts no
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened
new file mode 100644
index 0000000..d11c1f9
--- /dev/null
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
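Review bot: `Port MUST_BE_CHANGED` is not a valid port value, so sshd rejects the whole file (`sshd -t` fails on that line) and the service cannot start until someone edits the image; if the intent is to force a conscious choice, say so in a comment and ship a real default such as `Port 22`, or keep the placeholder out of sshd_config and have the deployment step write the port into a drop-in. Related to that, `Include /etc/ssh/sshd_config.d/*.conf` comes first and sshd keeps the first value it sees for each keyword, so any drop-in in that directory (for instance one written by a package with `PasswordAuthentication yes`) silently overrides every hardening line below it — either move the Include to the end of the file or document that the directory must stay empty on this image. `Banner /etc/banner` points at the ASCII-art file added in this commit, while the monitoring-consent notice exists only in /etc/issue.net; if that notice is meant to be shown before authentication, `Banner /etc/issue.net` is the line to change. Minor: the comment above `PerSourceMaxStartups 4` should read "4 unauthenticated connection slots".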
@@ -0,0 +1,328 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.02.512.2025.05.30
+
+### https://docs.kernel.org/
+### https://github.com/a13xp0p0v/kernel-hardening-checker/
+### https://kspp.github.io/
+### https://linux-audit.com/tags/kernel/
+
+###########################################################################################
+# Warning
+# Be careful not to lock yourself out of your system after a reboot due to incorrect
+# settings. For example, 'kernel.modules_disabled=1' will generally prevent the network
+# stack from being brought up after a reboot, which means NO SSH.
+###########################################################################################
+
+##### Linux Kernel #####
+
+### Disable loading new modules. Be careful with using this option!
+kernel.modules_disabled=1
+
+### Restricting access to kernel pointers.
+kernel.kptr_restrict=2
+
+### Restricting access to kernel logs.
+kernel.dmesg_restrict=1
+
+###########################################################################################
+# Despite the value of dmesg_restrict, the kernel log will still be displayed in the
+# console during boot.
+# This option prevents those information leaks.
+###########################################################################################
+kernel.printk=3 3 3 3
+
+### Restricting eBPF to the CAP_BPF capability
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+
+### Restricting loading TTY line disciplines to the CAP_SYS_MODULE capability
+dev.tty.ldisc_autoload=0
+
+###########################################################################################
+# The userfaultfd() syscall is often abused to exploit use-after-free flaws.
+# This sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
+###########################################################################################
+vm.unprivileged_userfaultfd=0
+
+###########################################################################################
+# kexec is a system call that is used to boot another kernel during runtime.
+# This functionality can be abused to load a malicious kernel and gain arbitrary code
+# execution in kernel mode, so this sysctl disables it.
+###########################################################################################
+kernel.kexec_load_disabled=1
+
+###########################################################################################
+# Prevents unprivileged users from creating their own user namespaces, potentially
+# enabling exploits. This is a good additional safeguard.
+###########################################################################################
+kernel.unprivileged_userns_clone=0
+
+###########################################################################################
+# The SysRq key exposes a lot of potentially dangerous debugging functionality to
+# unprivileged users. You can set the value to 0 to disable SysRq completely.
+###########################################################################################
+kernel.sysrq=0
+
+### Randomize memory space.
+kernel.randomize_va_space=2
+
+###########################################################################################
+# These prevent creating files in potentially attacker-controlled environments, such as
+# world-writable directories.
+###########################################################################################
+fs.protected_fifos=2
+fs.protected_regular=2
+
+###########################################################################################
+# This only permits symlinks to be followed when outside a world-writable sticky directory,
+# when the owner of the symlink and follower match or when the directory owner matches the
+# symlink's owner.
+###########################################################################################
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
+
+###########################################################################################
+# ptrace is a system call that allows a program to alter and inspect another running
+# process, which allows attackers to trivially modify the memory of other running programs.
+# 0 - classic ptrace permissions:
+# a process can PTRACE_ATTACH to any other process running under the same uid,
+# as long as it is dumpable (i.e., did not transition uids,
+# start privileged, or have called prctl(PR_SET_DUMPABLE...) already).
+# Similarly, PTRACE_TRACEME is unchanged.
+#
+# 1 - restricted ptrace:
+# a process must have a predefined relationship with the inferior it wants to call
+# PTRACE_ATTACH on. By default, this relationship is that of only its descendants when the
+# above classic criteria is also met. To change the relationship, an inferior can call
+# prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call
+# PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
+#
+# 2 - admin-only attach:
+# only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or through
+# children calling PTRACE_TRACEME.
+#
+# 3 - no attach:
+# no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set, this
+# sysctl value cannot be changed.
+###########################################################################################
+kernel.yama.ptrace_scope=2
+
+### Use filename based on core_pattern value
+kernel.core_uses_pid=1
+
+###########################################################################################
+# Performance events add considerable kernel attack surface and have caused abundant
+# vulnerabilities. Be careful ! Performance might be affected ! Here turned off by default.
+###########################################################################################
+#kernel.perf_event_paranoid=2
+
+###########################################################################################
+# ASLR is a common exploit mitigation that randomizes the position of critical parts of a
+# process in memory. This can make a wide variety of exploits harder to pull off, as they
+# first require an information leak. The above settings increase the bits of entropy used
+# for mmap ASLR, improving its effectiveness. The values of these sysctls must be set in
+# relation to the CPU architecture. The above values are compatible with x86, but other
+# architectures may differ.
+###########################################################################################
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+###########################################################################################
+# In addition to ASLR hardening, one could adjust the behavior for memory overbooking.
+# Determines how the kernel provides the available memory for processes:
+# - 0 (default): kernel decides heuristically whether memory allocations are allowed.
+# - 1: Memory is always allocated, even if it is not physically available; can lead to
+# out-of-memory errors.
+# - 2: The kernel only allows memory allocations up to the available physical memory + swap
+# (safe mode).
+#vm.overcommit_memory=2
+# Specifies how much of the available physical memory (plus swap) can be made available
+# for memory allocations when vm.overcommit_memory=2 is active.
+# The value is a percentage.
+# 50: Up to 50% of the physical memory can be reserved for memory-intensive applications.
+###########################################################################################
+#vm.overcommit_ratio=50
+
+###########################################################################################
+# Reduces the likelihood of important data remaining unsecured in RAM for too long.
+# Specifies the percentage of the total memory that can be filled with changed (dirty) data
+# before it is written to the permanent memory (e.g., the hard disk).
+# 15: If 15% of the RAM is occupied by dirty pages, a background flush process is triggered
+# to write this data.
+#vm.dirty_ratio=15
+# Specifies the percentage of total memory at which the kernel starts writing dirty pages
+# in the background before the dirty_ratio threshold is reached.
+# 5: The kernel starts writing data in the background when 5% of RAM is occupied with
+# dirty pages.
+###########################################################################################
+#vm.dirty_background_ratio=5
+
+###########################################################################################
+# Similar to core dumps, swapping or paging copies parts of memory to disk, which can
+# contain sensitive information. The kernel should be configured to only swap if absolutely
+# necessary.
+###########################################################################################
+#vm.swappiness=1
+ ### This setting minimizes swapping, which is useful for servers.
+ ### However, one could also consider vm.swappiness=0 if enough RAM is available.
+ # vm.swappiness=0
+
+###########################################################################################
+# Process that runs with elevated privileges may still dump their memory even after these
+# settings.
+###########################################################################################
+fs.suid_dumpable=0
+kernel.core_pattern= | /bin/false
+
+### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
+#user.max_user_namespaces=0
+
+###########################################################################################
+# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
+# If you want to set oops_limit greater than one, you will need to disable
+# CONFIG_PANIC_ON_OOPS.
+###########################################################################################
+kernel.warn_limit=1
+kernel.oops_limit=1
+
+###########################################################################################
+# Disable TIOCSTI, which is used to inject keypresses.
+# (This will, however, break screen readers.)
+###########################################################################################
+dev.tty.legacy_tiocsti=0
+
+###########################################################################################
+# IO_uring has yielded some security concerns and vulnerabilities,
+# particularly for those sticking to older versions of the Linux kernel.
+# There have also been IO_uring integration issues with the Linux security subsystem.
+###########################################################################################
+#kernel.io_uring_disabled=2
+
+##### Network Stack #####
+
+### Disable IP source routing, we are not a router:
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
+
+###########################################################################################
+# This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make
+# the device more difficult to enumerate on the network and prevent clock fingerprinting
+# through ICMP timestamps.
+###########################################################################################
+net.ipv4.icmp_echo_ignore_all=1
+
+### Enable ignoring broadcast request.
+net.ipv4.icmp_echo_ignore_broadcasts=1
+
+### This helps protect against SYN flood attacks
+net.ipv4.tcp_syncookies=1
+
+###########################################################################################
+# This protects against time-wait assassination by dropping RST packets for sockets in
+# the time-wait state.
+###########################################################################################
+net.ipv4.tcp_rfc1337=1
+
+###########################################################################################
+# These enable source validation of packets received from all interfaces of the machine.
+# This protects against IP spoofing, in which an attacker sends a packet with a fraudulent
+# IP address.
+###########################################################################################
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+
+###########################################################################################
+# This disables ICMP redirect acceptance and sending to prevent man-in-the-middle attacks
+# and minimize information disclosure.
+###########################################################################################
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+###########################################################################################
+# A martian packet is a packet with a source address, which is obviously wrong -
+# nothing could possibly be routed back to that address.
+###########################################################################################
+net.ipv4.conf.all.log_martians=1
+net.ipv4.conf.default.log_martians=1
+
+###########################################################################################
+# Deactivates IP forwarding. This means that the system discards packets that are not
+# intended for its own IP addresses. It therefore does not act as a router and does not
+# forward data packets between network interfaces.
+###########################################################################################
+net.ipv4.conf.all.forwarding=0
+
+###########################################################################################
+# Disabling RA prevents the system from receiving routing information from potentially
+# insecure or compromised routers. This is particularly important for servers that use
+# static network configurations and should not dynamically accept new IPv6 routes or
+# prefixes. An attacker could otherwise use forged RA messages to change the network route
+# and redirect traffic, for example.
+###########################################################################################
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
+
+###########################################################################################
+# These parameters relate to secure ICMP redirects. ICMP redirects are messages that a
+# router sends to a device to inform it that there is a better route for the data traffic.
+# This setting prevents the system from responding to redirects that have been spoofed by
+# potential attackers to redirect traffic (e.g., for man-in-the-middle attacks).
+###########################################################################################
+net.ipv4.conf.all.secure_redirects=1
+net.ipv4.conf.default.secure_redirects=1
+
+###########################################################################################
+# This setting prevents the disclosure of TCP timestamps that can be used for system
+# fingerprinting:
+###########################################################################################
+net.ipv4.tcp_timestamps=0
+
+###########################################################################################
+# To make ARP spoofing attacks more difficult. Defines how the system responds to ARP
+# requests.
+# - 0 (default): Responds to every request, including IPs configured on other interfaces.
+# - 1: Only responds to requests that are specifically intended for the IP of the
+# respective interface. Increases security by preventing ARP spoofing attacks, as the
+# system does not send unnecessary ARP responses.
+###########################################################################################
+net.ipv4.conf.all.arp_ignore=1
+net.ipv4.conf.default.arp_ignore=1
+
+###########################################################################################
+# To minimize attacks on half-open connections.
+# Specifies the maximum number of connection requests (SYN packets)
+# that can be held in the connection establishment state (SYN_RECV) in the queue.
+# 4096: A generous queue to better intercept SYN flood attacks.
+# Useful for systems with high network traffic, or if protection against DoS attacks
+# needs to be improved:
+###########################################################################################
+net.ipv4.tcp_max_syn_backlog=4096
+
+###########################################################################################
+# Specifies the maximum number of SYN/ACK retries before the connection is aborted:
+# 2: The kernel will only send a SYN/ACK twice before dropping the connection.
+# Reduces the time and effort wasted on inactive connection requests.
+# This improves performance and protects against SYN flood attacks, but could cause
+# problems on poor networks.
+###########################################################################################
+net.ipv4.tcp_synack_retries=2
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf b/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
new file mode 100644
index 0000000..2428164
--- /dev/null
+++ b/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
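Review bot: `net.ipv4.conf.all.secure_redirects` and `net.ipv4.conf.default.secure_redirects` are set twice with conflicting values in this file: `0` in the ICMP-redirect block and `1` in the later "secure ICMP redirects" block, and since the file is applied top to bottom the later `1` is what ends up in effect, contradicting the earlier comment. With `accept_redirects=0` already set the secure_redirects value has no effect either way, so the second pair and its paragraph should be dropped (or both occurrences set to `0`) to keep the file self-consistent. The forwarding block only covers IPv4; if the "we are not a router" intent applies to both families, `net.ipv6.conf.all.forwarding=0` is the matching line. The modeline says `ft=sh` for a sysctl file; `ft=conf`, as used in the sibling config files, is the accurate filetype.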
@@ -0,0 +1,14 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root --noclear %I $TERM
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh b/config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh
new file mode 100644
index 0000000..9f181d4
--- /dev/null
+++ b/config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh
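Review bot: The drop-in grants an unauthenticated root shell on tty1 (`--autologin root`) and nothing in the unit says this is intended only for the live/installer session, so anyone with console or hypervisor-console access to a booted image gets root without a prompt. If that is the intent, state it above `[Service]`, e.g. `# Live/installer session only: unauthenticated root console on tty1 — must not be carried into /target.`, and make sure the build does not copy this drop-in into the installed system (I cannot see from this hunk whether it does). The modeline uses `ft=sh` for a systemd unit; `ft=systemd` is the matching filetype.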
@@ -0,0 +1,31 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
+
+echo '152.53.35.74 coresecret.eu' >> /etc/hosts
+
+touch /tmp/late-command-script
+chmod 0700 /tmp/late-command-script
+
+. /.ciss/install/.ash/di_scripting_flexibility.sh
+
+sh /.ciss/install/.ash/di_scripting_password.sh
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh b/config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh
new file mode 100644
index 0000000..3dfeffa
--- /dev/null
+++ b/config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh
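Review bot: `echo '152.53.35.74 coresecret.eu' >> /etc/hosts` pins a public hostname to a hard-coded address with no comment explaining why (no resolver in the installer, or a deliberate DNS bypass?), and the entry will go stale silently when the address changes. Whatever later scripts fetch from that host should be authenticated by TLS or a signature rather than by trusting this hosts entry; a one-line comment stating the reason, e.g. `# d-i has no working resolver at this point; pin coresecret.eu for the download scripts that follow.` (or whatever the real reason is), would let a reader judge the risk. `touch` followed by `chmod 0700` on the fixed path `/tmp/late-command-script` is acceptable in the single-user d-i environment, but a comment naming which script fills the file and where it is executed would tie the two halves together.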
@@ -0,0 +1,24 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
+
+. /.ciss/install/.ash/di_scripting_flexibility.sh
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh b/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh
new file mode 100644
index 0000000..9f33aae
--- /dev/null
+++ b/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh
@@ -0,0 +1,415 @@ +#!/bin/sh +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# No bash in the installer environment, only BusyBox. + +set -o errexit +set -o nounset +set -o noclobber + +export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash" +. /.ciss/install/.ash/di_scripting_flexibility.sh + +readonly DISK_NAME="sda" +readonly DISK_PATH="/dev/${DISK_NAME}" +readonly SLEEPTIMER="2" + +do_sleep() { + sleep "${SLEEPTIMER}" +} + +modprobe btrfs || true +modprobe ext4 || true + +blkdiscard "${DISK_PATH}" +parted "${DISK_PATH}" --script -- mklabel gpt + +#/dev/sda1 -- ESP +do_dev_sda1() { + parted "${DISK_PATH}" --script -- mkpart ESP fat32 1MiB 512MiB set 1 esp on + do_sleep + + FORMAT_LABEL="ESP" + PARTITION="${DISK_PATH}1" + + format_partition() { + if mkfs.fat -F32 -n "${FORMAT_LABEL}" "${PARTITION}"; then + echo "Partition: ${PARTITION} successfully formatted with FAT32." + else + echo "Partition: ${PARTITION} NOT successfully formated with FAT32." + fi + + if blkid "${PARTITION}" | grep -q 'TYPE="vfat"'; then + echo "Partition: ${PARTITION} correctly formatted with FAT32." + else + echo "Partition: ${PARTITION} NOT correctly formatted with FAT32." + fi + } + + ATTEMPTS=0 + MAX_ATTEMPTS=3 + while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do + echo "Repeat formatting... 
attempt $((ATTEMPTS + 1))" + ATTEMPTS=$((ATTEMPTS + 1)) + done + + if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then + echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts." + else + echo "Partition ${PARTITION} successfully formatted and checked." + fi +} +do_dev_sda1 + +#/dev/sda2 -- /boot +do_dev_sda2() { + parted "${DISK_PATH}" --script -- mkpart primary ext4 512MiB 4096MiB + do_sleep + + FORMAT_LABEL="boot" + PARTITION="${DISK_PATH}2" + + format_partition() { + if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then + echo "Partition: ${PARTITION} successfully formatted with ext4." + else + echo "Partition: ${PARTITION} NOT successfully formated with ext4." + fi + + if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then + echo "Partition: ${PARTITION} correctly formatted with ext4." + else + echo "Partition: ${PARTITION} NOT correctly formatted with ext4." + fi + } + + ATTEMPTS=0 + MAX_ATTEMPTS=3 + while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do + echo "Repeat formatting... attempt $((ATTEMPTS + 1))" + ATTEMPTS=$((ATTEMPTS + 1)) + done + + if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then + echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts." + else + echo "Partition ${PARTITION} successfully formatted and checked." 
+ fi +} +do_dev_sda2 + +#/dev/sda3 -- preparing for crypt_ephemeral_swap +parted "${DISK_PATH}" --script -- mkpart primary 4096MiB 8192MiB +do_sleep + +#/dev/sda4 -- preparing for crypt_ephemeral_tmp +parted "${DISK_PATH}" --script -- mkpart primary 8192MiB 12288MiB +do_sleep + +#/dev/sda5 -- /home +parted "${DISK_PATH}" --script -- mkpart primary 12288MiB 45056MiB +do_sleep + +#/dev/sda6 -- / +parted "${DISK_PATH}" --script -- mkpart primary 45056MiB 77824MiB +do_sleep + +#/dev/sda7 -- /usr +parted "${DISK_PATH}" --script -- mkpart primary 77824MiB 143360MiB +do_sleep + +#/dev/sda8 -- /var +parted "${DISK_PATH}" --script -- mkpart primary 143360MiB 208896MiB +do_sleep + +#/dev/sda9 -- /var/log +parted "${DISK_PATH}" --script -- mkpart primary 208896MiB 225280MiB +do_sleep + +#/dev/sda10 -- /var/log/audit +parted "${DISK_PATH}" --script -- mkpart primary 225280MiB 241664MiB +do_sleep + +#/dev/sda11 -- /var/tmp +parted "${DISK_PATH}" --script -- mkpart primary 241664MiB 258048MiB +do_sleep + +#/dev/sda12 -- temporary installation /tmp +do_dev_sda12() { + parted "${DISK_PATH}" --script -- mkpart primary 258048MiB 261120MiB + do_sleep + + FORMAT_LABEL="installation_tmp" + PARTITION="${DISK_PATH}12" + + format_partition() { + if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then + echo "Partition: ${PARTITION} successfully formatted with ext4." + else + echo "Partition: ${PARTITION} NOT successfully formated with ext4." + fi + + if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then + echo "Partition: ${PARTITION} correctly formatted with ext4." + else + echo "Partition: ${PARTITION} NOT correctly formatted with ext4." + fi + } + + ATTEMPTS=0 + MAX_ATTEMPTS=3 + while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do + echo "Repeat formatting... attempt $((ATTEMPTS + 1))" + ATTEMPTS=$((ATTEMPTS + 1)) + done + + if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then + echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts." 
+ else + echo "Partition ${PARTITION} successfully formatted and checked." + fi +} +do_dev_sda12 + +# Encrypt and open /dev/sda5 to /dev/sda11 +i=5 +while [ "${i}" -lt 12 ]; do + PARTITION="/dev/${DISK_NAME}${i}" + MAPPER_NAME="crypt_${DISK_NAME}${i}" + + if cryptsetup luksFormat "${PARTITION}" --key-file=/.ciss/install/.cfg/.password.cfg --batch-mode --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 --use-random --verbose; then + echo "Partition: ${PARTITION} successfully encrypted." + do_sleep + + if cryptsetup open "${PARTITION}" "${MAPPER_NAME}" --key-file=/.ciss/install/.cfg/.password.cfg; then + echo "Partition: ${PARTITION} successfully opened as: ${MAPPER_NAME}." + + if mkfs.btrfs -L "${MAPPER_NAME}" /dev/mapper/"${MAPPER_NAME}"; then + echo "Partition: ${PARTITION} successfully formatted." + else + echo "Partition: ${PARTITION} NOT successfully formatted." + fi + + else + echo "Partition: ${PARTITION} NOT successfully opened as: ${MAPPER_NAME}." + fi + + else + echo "Partition: ${PARTITION} NOT successfully encrypted." + fi + + i=$((i + 1)) +done + +do_sleep + +# Generate /target directories- +FILE_DIR="/.ciss/install/.cfg/.directories.cfg" + +# Check that the file exists. +if [ ! -f "${FILE_DIR}" ]; then + echo "Error: File ${FILE_DIR} cannot be read." >&2 + exit 1 +fi + +while read -r DIR; do + sleep 1 + # Proceed only if the row is not empty. + if [ -n "${DIR}" ]; then + # Verify if the directory already exists. + if [ -d "${DIR}" ]; then + echo "Directory ${DIR} already exists." + else + # Try to create a directory. + until [ -d "${DIR}" ]; do + mkdir -p "${DIR}" + if [ ! -d "${DIR}" ]; then + echo "Error: Creating ${DIR} directory failed. Try again. " >&2 + sleep 1 + fi + done + echo "Directory ${DIR} created successfully". 
+ fi
+ fi
+done < "${FILE_DIR}"
+
+do_sleep
+
+mount /dev/mapper/crypt_sda6 /target
+do_sleep
+
+mkdir /target/boot
+mount /dev/sda2 /target/boot
+do_sleep
+
+mkdir /target/boot/efi
+mount /dev/sda1 /target/boot/efi
+do_sleep
+
+mkdir /target/home
+mount /dev/mapper/crypt_sda5 /target/home
+do_sleep
+
+mkdir /target/usr
+mount /dev/mapper/crypt_sda7 /target/usr
+do_sleep
+
+mkdir /target/var
+mount /dev/mapper/crypt_sda8 /target/var
+do_sleep
+
+mkdir /target/var/log
+mount /dev/mapper/crypt_sda9 /target/var/log
+do_sleep
+
+mkdir /target/var/log/audit
+mount /dev/mapper/crypt_sda10 /target/var/log/audit
+do_sleep
+
+mkdir /target/var/tmp
+mount /dev/mapper/crypt_sda11 /target/var/tmp
+do_sleep
+
+mkdir /target/tmp
+mount /dev/sda12 /target/tmp
+do_sleep
+
+mkdir /target/dev
+mount --bind /dev /target/dev
+do_sleep
+if [ -d "/target/dev/pts" ]; then
+ echo "Directory /target/dev/pts already exists."
+else
+ mkdir /target/dev/pts
+fi
+
+mkdir /target/proc
+mount --bind /proc /target/proc
+do_sleep
+
+mkdir /target/sys
+mount --bind /sys /target/sys
+do_sleep
+
+mkdir /target/run
+mount --bind /run /target/run
+do_sleep
+if [ -d "/target/run/lock" ]; then
+ echo "Directory /target/run/lock already exists."
+else
+ mkdir /target/run/lock
+fi
+
+mkdir /target/etc
+mkdir /target/etc/apt
+mkdir /target/etc/network
+touch /target/etc/fstab
+chmod 0644 /target/etc/fstab
+
+# shellcheck disable=SC2129
+cat << EOF >> /target/etc/fstab
+# /etc/fstab: static file system information.
+#
+# Use 'blkid' to print the universally unique identifier for a
+# device; this may be used with UUID= as a more robust way to name devices
+# that works even if disks are added and removed. See fstab(5).
+#
+# systemd generates mount units based on this file, see systemd.mount(5).
+# Please run 'systemctl daemon-reload' after making changes here.
+#
+#
+
+EOF
+
+echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) / btrfs defaults,errors=remount-ro 0 1" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /boot was on /dev/sda2 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/sda2) /boot ext4 defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /boot/efi was on /dev/sda1 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/sda1) /boot/efi vfat umask=0077 0 1" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) /home btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) /usr btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) /var btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) /var/log btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) /var/log/audit btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) /var/tmp btrfs defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /tmp was on /dev/sda12 during installation" >> /target/etc/fstab
+echo "UUID=$(blkid -s UUID -o value /dev/sda12) /tmp ext4 defaults 0 2" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+echo "# /media/cdrom0 was on /dev/sr0 during installation" >> /target/etc/fstab
+echo "/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0" >> /target/etc/fstab
+echo "" >> /target/etc/fstab
+
+touch /target/etc/crypttab
+chmod 0644 /target/etc/crypttab
+
+# shellcheck disable=SC2129
+cat << EOF >> /target/etc/crypttab
+#
+
+EOF
+
+echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/crypttab
+echo "crypt_sda6 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/crypttab
+echo "crypt_sda5 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/crypttab
+echo "crypt_sda7 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/crypttab
+echo "crypt_sda8 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/crypttab
+echo "crypt_sda9 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/crypttab
+echo "crypt_sda10 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/crypttab
+echo "crypt_sda11 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) none luks,discard" >> /target/etc/crypttab
+echo "" >> /target/etc/crypttab
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh b/config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh
new file mode 100644
index 0000000..14d9615
--- /dev/null
+++ b/config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
+
+. /.ciss/install/.ash/di_scripting_flexibility.sh
+
+mkdir -m 0700 /target/root/.d-i-backup
+
+if [ -f /tmp/late-command-script ]; then
+ sh /tmp/late-command-script
+fi
+
+sh /.ciss/install/.ash/di_scripting_ssh.sh
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh b/config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh
new file mode 100644
index 0000000..a88d0f9
--- /dev/null
+++ b/config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh
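Review bot: `mkdir -m 0700 /target/root/.d-i-backup` aborts the whole late command under `set -o errexit` if the directory already exists (for example on a re-run of the preseed), and nothing in the hunk guards it; `mkdir -p -m 0700 /target/root/.d-i-backup`, or the `if [ ! -d ... ]` pattern di_scripting_ssh.sh already uses, keeps the step idempotent. The `sh /tmp/late-command-script` step executes whatever that file contains as root, so it deserves a one-line comment naming its expected producer so a reader can verify the trust path, e.g. `# Written by di_scripting_password.sh (preseed/include_command) under umask 0077; owner-only.` The sourced di_scripting_flexibility.sh re-applies `set -o errexit/nounset/noclobber` in this shell, which is harmless here only because the same options are already set above.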
@@ -0,0 +1,35 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+readonly RED="\033[91m"
+ export RED
+readonly GREEN="\033[92m"
+ export GREEN
+readonly YELLOW="\033[93m"
+ export YELLOW
+readonly BLUE="\033[94m"
+ export BLUE
+readonly MAGENTA="\033[95m"
+ export MAGENTA
+readonly CYAN="\033[96m"
+ export CYAN
+readonly WHITE="\033[97m"
+ export WHITE
+readonly NORMAL="\033[0m"
+ export NORMAL
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/preseed/.ash/di_scripting_password.sh b/config/includes.chroot/preseed/.ash/di_scripting_password.sh
new file mode 100644
index 0000000..ad46f5e
--- /dev/null
+++ b/config/includes.chroot/preseed/.ash/di_scripting_password.sh
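Review bot: A library that is meant to be sourced should not change the caller's shell options, but this file runs `set -o errexit`, `set -o nounset` and `set -o noclobber` at the top, so every script that dots it (3_di_preseed_late_command.sh does) inherits those settings whether it wanted them or not; either drop the three `set` lines or add a header comment such as `# NOTE: sourcing this file turns on errexit, nounset and noclobber in the caller.` The `readonly` assignments also make a second sourcing in the same shell fail (a readonly variable cannot be reassigned, and with errexit active the caller exits), so either guard against double-sourcing or document that the file must be sourced exactly once. The colour values are stored as literal `\033` sequences; whether they render depends on the consumer using `printf '%b'` (BusyBox `echo` typically does not interpret them without `-e`), which is worth stating in a comment since no consumer is visible in this change.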
@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+# Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
+umask 0077
+TMP_PASSPHRASE_FILE=$(mktemp)
+readonly TMP_PASSPHRASE_FILE
+grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"
+
+# Create an include file for debian-installer with the passphrase as answers to the questions.
+DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
+readonly DEB_INSTALLER_CRYPT_INC_FILE
+
+# Read the first line (the passphrase) – POSIX-compliant
+# IFS= prevents leading/trailing spaces from being truncated,
+# -r ensures that backslashes are not interpreted.
+IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
+
+# A single printf call with exactly one redirect
+# – ShellCheck-compliant and valid in POSIX-sh
+printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
+
+printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
+
+# Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
+# Without file:// will try and fetch from the webserver this preseed was served from.
+echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}" + +# Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation. +readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key + +cat - >> /tmp/late-command-script << LATE_EOF +##### BEGIN ADDED BY preseed-crypto-key preseed/include_command + +umask 0077 + +mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}") + +cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}" + +# Use /root as /tmp might be noexec + +cat - >/target/root/configure-crypt-unlock <>/etc/initramfs-tools/initramfs.conf +fi + +# Include keyfile in initramfs +sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook + +# Configure crypt to use keyfile to unlock encrypted partition(s) +sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab + +# Update initramfs with key file +update-initramfs -u +exit 0 +EOF + +sleep 1 + +chmod 500 /target/root/configure-crypt-unlock +in-target /root/configure-crypt-unlock +rm /target/root/configure-crypt-unlock + +exit 0 +##### END ADDED BY preseed-crypto-key preseed/include_command +LATE_EOF + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/preseed/.ash/di_scripting_ssh.sh b/config/includes.chroot/preseed/.ash/di_scripting_ssh.sh new file mode 100644 index 0000000..44b23fa --- /dev/null +++ b/config/includes.chroot/preseed/.ash/di_scripting_ssh.sh 
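Review bot: The late-command block copies the LUKS passphrase file to `/target/etc/keys/luks-lvm.key`, points `KEYFILE_PATTERN` in `/etc/cryptsetup-initramfs/conf-hook` at it and rewrites `/etc/crypttab` to use it, which embeds the key in the initramfs; per the earlier hunk in this change `/boot` is the unencrypted `/dev/sda2`, so anyone holding the disk can read the key from `/boot` and the encryption of `/`, `/home`, `/usr` and `/var` then protects nothing at rest. If this is intentional (unattended unlock on a machine whose `/boot` is protected by measured or secure boot), the script needs a header comment saying so and naming that compensating control; otherwise the passphrase should be prompted for, or the key sealed to hardware, instead of shipped in the initramfs. Two smaller points: the generator comment says `/dev/random` while the command reads `/dev/urandom` (make the comment match the code), and because the passphrase is preseeded through `partman-crypto/passphrase` it may also persist in the debconf database that d-i copies into the installed system under `/var/log/installer`, which the late command should clean or at least verify is root-only. The heredoc that writes `/target/root/configure-crypt-unlock` appears truncated in this view, so its inner `if`/`fi` block could not be reviewed.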
@@ -0,0 +1,50 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+if [ ! -d /target/root/.ssh ]; then
+ mkdir -m 0700 /target/root/.ssh
+fi
+
+if [ -f /target/etc/ssh/ssh_host_ed25519_key ]; then
+ rm -f /target/etc/ssh/ssh_host_ed25519_key
+fi
+
+if [ -f /target/etc/ssh/ssh_host_rsa_key ]; then
+ rm -f /target/etc/ssh/ssh_host_rsa_key
+fi
+
+in-target ssh-keygen -o -a 1024 -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root d-i $(date -I)"
+in-target ssh-keygen -o -a 1024 -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root d-i $(date -I)"
+
+cp -a /target/etc/ssh/sshd_config /target/root/.d-i-backup/sshd_config.bak
+rm -f /target/etc/ssh/sshd_config
+
+cp /cdrom/install/.lib/sshd_config.lib /target/etc/ssh/sshd_config
+chmod 0600 /target/etc/ssh/sshd_config
+
+sed -i "s/Port 22/Port 37768/" /target/etc/ssh/sshd_config
+sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root/" /target/etc/ssh/sshd_config
+
+cp /cdrom/install/.lib/banner.lib /target/etc/banner
+chmod 0644 /target/etc/banner
+
+umask 0077
+wget --https-only --secure-protocol=TLSv1_3 -c -O /target/root/.ssh/authorized_keys https://coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
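Review bot: The `wget ... -O /target/root/.ssh/authorized_keys https://coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key` line installs root's SSH trust anchor from a network download with no integrity check beyond TLS, and since the header says the installer environment is BusyBox-only, its `wget` applet most likely does not accept `--https-only`/`--secure-protocol` and, depending on the build, does not validate server certificates — so the step either aborts under `set -o errexit` or trusts whatever the network returns. `sshd_config.lib` and `banner.lib` are already taken from `/cdrom/install/.lib`, so shipping the public key on the medium the same way (`cp /cdrom/install/.lib/<root-pubkey-file> /target/root/.ssh/authorized_keys`) removes the network dependency; if the download must stay, compare it against a digest or signature embedded in the image before installing it. Smaller points: `-c` (continue) is meaningless for a freshly created target, and `-a 1024` has no effect with `-N ""` because the KDF rounds only apply when the private key is passphrase-protected, so both flags can be dropped. The script regenerates only the ed25519 and RSA host keys and leaves any pre-existing `ssh_host_ecdsa_key` in place — confirm the shipped sshd_config restricts `HostKey` accordingly.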
diff --git a/config/includes.chroot/preseed/.cfg/.directories.cfg b/config/includes.chroot/preseed/.cfg/.directories.cfg
new file mode 100644
index 0000000..f8741dc
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/.directories.cfg
@@ -0,0 +1,32 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+/target
+/target/boot
+/target/boot/efi
+/target/etc
+/target/etc/apt
+/target/etc/network
+/target/dev
+/target/dev/pts
+/target/home
+/target/proc
+/target/root
+/target/run
+/target/run/lock
+/target/sys
+/target/usr
+/target/var
+/target/var/log
+/target/var/log/audit
+/target/var/log/ciss
+/target/var/tmp
+/target/tmp
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/includes.chroot/preseed/.cfg/apt.cfg b/config/includes.chroot/preseed/.cfg/apt.cfg
new file mode 100644
index 0000000..2cdb925
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/apt.cfg
@@ -0,0 +1,78 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# apt settings # +########################################################################################### +# Choose, if you want to scan additional installation media (default: false): +d-i apt-setup/cdrom/set-first boolean false + +# By default source repositories are listed in /etc/apt/sources.list: +d-i apt-setup/enable-source-repositories boolean true + +# A network mirror can be used to supplement the software that is not included on the +# installation media. This may also make newer versions of software available: +d-i apt-setup/use_mirror boolean true + +# Uncomment the following line, if you don't want to have the sources.list entry for a +# DVD/BD installation image active in the installed system: +d-i apt-setup/disable-cdrom-entries boolean true + +# You can choose to install non-free firmware: +d-i apt-setup/non-free-firmware boolean true + +# You can choose to install non-free and contrib software: +d-i apt-setup/non-free boolean true +d-i apt-setup/contrib boolean true + +# Debian has two services that provide updates to releases: +# +# security and release updates. +# . +# Security updates help to keep your system secured against attacks. +# Enabling this service is strongly recommended. +# . 
+# Release updates provide more current versions for software that changes relatively +# frequently and where not having the latest version could reduce the usability of the +# software. It also provides regression fixes. This service is only available for stable +# and oldstable releases. +# . +# Backported software are adapted from the development version to work with this release. +# Although this software has not gone through such complete testing as that contained in +# the release, it includes newer versions of some applications which may provide useful +# features. Enabling backports here does not cause any of them to be installed by default; +# it only allows you to manually select backports to use. +# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt +d-i apt-setup/services-select multiselect security updates, release updates, backported software +# Different spelling: +# d-i apt-setup/services-select multiselect security, updates, backports + +d-i apt-setup/security_host string security.debian.org + +# Whether to upgrade packages after debootstrap. Allowed values: none, safe-upgrade, full-upgrade +d-i pkgsel/upgrade select full-upgrade + +# Applying updates on a frequent basis is an important part of keeping the system secure. +# +# . +# By default, security updates are not automatically installed, as security advisories should be +# reviewed before manual installation of the updates using standard package management tools. +# . +# Alternatively the unattended-upgrades package can be installed, which will install security +# updates automatically. Note however that automatic installation of updates may occasionally +# cause unexpected downtime of services provided by this machine in the rare cases where the +# update is not fully backward-compatible, or where the security advisory requires the +# administrator to perform some other manual operation. +# . 
+# Possible choices: No automatic updates, Install security updates automatically + +d-i pkgsel/update-policy select Install security updates automatically +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/base.cfg b/config/includes.chroot/preseed/.cfg/base.cfg new file mode 100644 index 0000000..6fbcfdb --- /dev/null +++ b/config/includes.chroot/preseed/.cfg/base.cfg @@ -0,0 +1,24 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# Base installer # +########################################################################################### +# Configure APT to not install recommended packages by default. Use of this option can +# result in an incomplete system and should only be used by very experienced users: +d-i base-installer/install-recommends boolean true + +# The kernel image to be installed; "none" can be used if no kernel is to be installed: +d-i base-installer/kernel/image string linux-image-amd64 + +# Choose to not get the tasksel dialog displayed at all (and don't install any packages): +d-i pkgsel/run_tasksel boolean false +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/finished.cfg b/config/includes.chroot/preseed/.cfg/finished.cfg new file mode 100644 index 0000000..390d8c4 --- /dev/null 
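Review bot: Several comments in apt.cfg were carried over from the Debian example preseed and now contradict the active value beneath them: `# Uncomment the following line, if you don't want to have the sources.list entry ... active` sits above an already uncommented `d-i apt-setup/disable-cdrom-entries boolean true`, and base.cfg (`# Configure APT to not install recommended packages ...` above `install-recommends boolean true`) and finished.cfg (`# This will prevent the installer from ejecting the CD` above `cdrom-detect/eject boolean true`, `# ... shutdown when finished, but not reboot` above `exit/halt boolean false`) have the same problem. Rewrite each comment to describe the value actually chosen, e.g. for apt.cfg `# Drop the installation-medium entry from sources.list in the installed system:`, so a reader does not take the comment for the policy. For a security-focused build also reconsider `install-recommends boolean true` and `enable-source-repositories boolean true`: both widen what apt pulls in, and the surrounding comments suggest the opposite was intended.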
+++ b/config/includes.chroot/preseed/.cfg/finished.cfg @@ -0,0 +1,26 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# Finishing installation # +########################################################################################### +# Avoid that last message about the install being complete: +d-i finish-install/reboot_in_progress note + +# This will prevent the installer from ejecting the CD during the reboot: +d-i cdrom-detect/eject boolean true + +# This is how to make the installer shutdown when finished, but not reboot: +d-i debian-installer/exit/halt boolean false + +# This will power off the machine instead of just halting it: +d-i debian-installer/exit/poweroff boolean true +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/firmware.cfg b/config/includes.chroot/preseed/.cfg/firmware.cfg new file mode 100644 index 0000000..92479a1 --- /dev/null +++ b/config/includes.chroot/preseed/.cfg/firmware.cfg 
@@ -0,0 +1,19 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# Firmware settings # +########################################################################################### +# never : Completely disables the firmware search. +# missing (default) : Searches only when the firmware is needed. +# always : Always searches and asks for any firmware that could be useful for the hardware. +d-i hw-detect/firmware-lookup string missing +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/grub.cfg b/config/includes.chroot/preseed/.cfg/grub.cfg new file mode 100644 index 0000000..5129e6f --- /dev/null +++ b/config/includes.chroot/preseed/.cfg/grub.cfg 
@@ -0,0 +1,62 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# GRUB2 settings # +########################################################################################### +# Due notably to potential USB sticks, the location of the primary drive can not be +# determined safely in general, so this needs to be specified: +d-i grub-installer/bootdev string /dev/sda +# To install to the primary device (assuming it is not a USB stick): +# d-i grub-installer/bootdev string default + +# Set this to false to install GRUB Legacy rather than GRUB 2, if possible: +d-i grub-installer/grub2_instead_of_grub_legacy boolean true + +# This is fairly safe to set, it makes grub install automatically to the UEFI partition/boot +# record if no other operating system is detected on the machine: +d-i grub-installer/only_debian boolean true + +# This one makes grub-installer install to the UEFI partition/boot record, if it also finds +# some other OS, which is less safe as it might not be able to boot that other OS: +d-i grub-installer/with_other_os boolean true + +# OS-prober did not detect any other operating systems on your computer at this time, but you +# may still wish to enable it in case you install more in the future: +d-i grub-installer/enable_os_prober_otheros_no boolean true + +# Skip installing grub: +d-i grub-installer/skip boolean false + +# Force GRUB installation 
to the EFI removable media path? +# . +# It seems that this computer is configured to boot via EFI, but maybe that configuration will +# not work for booting from the hard drive. Some EFI firmware implementations do not meet the +# EFI specification (i.e. they are buggy!) and do not support proper configuration of boot +# options from system hard drives. +# . +# A workaround for this problem is to install an extra copy of the EFI version of the GRUB +# boot loader to a fallback location, the "removable media path". Almost all EFI systems, no +# matter how buggy, will boot GRUB that way. +# . +# Warning: If the installer failed to detect another operating system that is present on your +# computer that also depends on this fallback, installing GRUB there will make that operating +# system temporarily unbootable. GRUB can be manually configured later to boot it if necessary. +d-i grub-installer/force-efi-extra-removable boolean false + +# Description: Update NVRAM variables to automatically boot into Debian? +# . +# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically +# when powered on. However, you may prefer to disable this behavior and avoid changes to your +# boot configuration. For example, if your NVRAM variables have been set up such that your +# system contacts a PXE server on every boot, this would preserve that behavior. +d-i grub-installer/update-nvram boolean true +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/locale.cfg b/config/includes.chroot/preseed/.cfg/locale.cfg new file mode 100644 index 0000000..5c6d8be --- /dev/null +++ b/config/includes.chroot/preseed/.cfg/locale.cfg 
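Review bot: `d-i grub-installer/with_other_os boolean true` together with `enable_os_prober_otheros_no boolean true` asks os-prober to scan and chain-load foreign filesystems, which the comment itself calls less safe; for a single-OS install set both to `false` or document why another operating system is expected on the disk. The hunk sets no boot-loader password, so the GRUB menu and its editor remain open to anyone at the console even though the data partitions are encrypted; if `grub-installer/password-crypted` is available to this installer it belongs here, otherwise add a comment pointing to where the GRUB password is applied post-install. `bootdev string /dev/sda` hard-codes the disk name exactly as the partitioning script does; a comment noting that coupling would help whoever adapts this to NVMe naming.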
@@ -0,0 +1,25 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# Locale settings # +########################################################################################### +# Preseeding only locale sets language, country and locale: +# d-i debian-installer/locale string en_US +# The values can also be preseeded individually for greater flexibility: +# d-i debian-installer/language string en +# d-i debian-installer/country string NL +# d-i debian-installer/locale string en_GB.UTF-8 +d-i debian-installer/locale string en_US.UTF-8 + +d-i keyboard-configuration/layoutcode string de +d-i keyboard-configuration/xkb-keymap select German +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/md5sum.txt b/config/includes.chroot/preseed/.cfg/md5sum.txt new file mode 100644 index 0000000..e1fe408 --- /dev/null +++ b/config/includes.chroot/preseed/.cfg/md5sum.txt 
@@ -0,0 +1,15 @@
+336de475a23be401db656485fe2134e5 apt.cfg
+9b2768bf48aada9e1fc33cfe94571826 base.cfg
+95c0feba9a9ed2a1f3d86cc2bf1910f8 finished.cfg
+bccbc23588d19b3057e4b4915b03538b firmware.cfg
+d80da843499d8d797703b8aef2bf28d5 grub.cfg
+e876c113af0630f113811e5bade71b06 locale.cfg
+2b85692b087100a0535fe8711cdbcb63 modules.cfg
+1c0c74ed939c34d620bde9b8f1a91a1c network.cfg
+da7738a8db3d4e2c220bf3f5b3e50dcb packages.cfg
+5dff498042e3d095a792951ba1bd9d2f partitioning.cfg
+7f71ea76c629c4e4f0ab2f9a6c8b28ea security.cfg
+8e6b49c07d678060b661f7dd2fad6f39 software.cfg
+f526221c741e4e2c5090f2ff60e53d62 ssh.cfg
+1ffc41f4c70be83fd6524262494bdf11 time.cfg
+67b9d1aa4bb4a4b8610ca42fa45521cf user.cfg
diff --git a/config/includes.chroot/preseed/.cfg/modules.cfg b/config/includes.chroot/preseed/.cfg/modules.cfg
new file mode 100644
index 0000000..1e92378
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/modules.cfg
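Review bot: md5sum.txt ships MD5 digests of the preseed fragments alongside the fragments themselves, so whatever consumes it (not visible in this change) can only catch accidental corruption: MD5 is not collision-resistant and the manifest is as editable as the files it covers. If it is meant to detect tampering, switch to `sha256sum`-format digests and verify them against a copy that is signed or embedded outside the writable medium; if it is only a build aid, say so in a leading comment so nobody treats it as an integrity control. The list also covers 15 fragments while `.directories.cfg` in the same directory is absent — confirm the file is regenerated by the build rather than maintained by hand.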
@@ -0,0 +1,39 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# Modules # +########################################################################################### +# Install standard modules: +d-i anna/standard_modules boolean true +d-i anna/choose_modules string \ +crypto-dm-modules \ +crypto-dm-setup-udeb \ +ethdetect \ +fdisk-udeb \ +grub-installer \ +hw-detect \ +lowmem \ +lvm2 \ +mbr \ +netcfg \ +network-console \ +parted \ +partman-auto \ +partman-auto-crypto \ +partman-basicfilesystems \ +partman-btrfs \ +partman-crypto \ +partman-ext4 \ +partman-lvm \ +partman-md \ +rescue-mode +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/network.cfg b/config/includes.chroot/preseed/.cfg/network.cfg new file mode 100644 index 0000000..bb68f67 --- /dev/null +++ b/config/includes.chroot/preseed/.cfg/network.cfg 
@@ -0,0 +1,56 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# Network setting # +########################################################################################### +# netcfg will choose an interface that has link if possible. This makes it # skip +# displaying a list if there is more than one interface: +d-i netcfg/choose_interface select auto +# To pick a particular interface instead: +# d-i netcfg/choose_interface select eth1 + +# To set a different link detection timeout (default is 3 seconds). +d-i netcfg/link_wait_timeout string 10 + +# If dhcp server is slow and the installer times out waiting for it, this might be useful. +d-i netcfg/dhcp_timeout string 60 +d-i netcfg/dhcpv6_timeout string 60 + +########################################################################################### +# Automatic network configuration is the default. If you prefer to configure the network # +# manually, uncomment this line and the static network configuration below. 
# +########################################################################################### +# d-i netcfg/disable_autoconfig boolean true + +########################################################################################### +# If you want the preconfiguration file to work on systems both with and without a dhcp # +# server, uncomment these lines and the static network configuration below. # +########################################################################################### +d-i netcfg/dhcp_failed note +d-i netcfg/dhcp_options select Configure network manually + +########################################################################################### +# Static network configuration. # +########################################################################################### +# d-i netcfg/get_nameservers string 192.168.128.254 +# d-i netcfg/get_ipaddress string 192.168.128.128 +# d-i netcfg/get_netmask string 255.255.255.0 +# d-i netcfg/get_gateway string 192.168.128.254 +# d-i netcfg/confirm_static boolean true + +########################################################################################### +# If non-free firmware is needed for the network or other hardware, you can configure the # +# installer to always try to load it, without prompting. Or change to false to disable # +# asking. # +########################################################################################### +d-i hw-detect/load_firmware boolean true +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file diff --git a/config/includes.chroot/preseed/.cfg/packages.cfg b/config/includes.chroot/preseed/.cfg/packages.cfg new file mode 100644 index 0000000..4e294cd --- /dev/null +++ b/config/includes.chroot/preseed/.cfg/packages.cfg 
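Review bot: The comment `# netcfg will choose an interface that has link if possible. This makes it # skip` has a stray `#` mid-sentence, a wrap artefact from the example preseed; make it `# netcfg will choose an interface that has link if possible. This makes it skip` with the rest of the sentence continuing on the next comment line. `d-i hw-detect/load_firmware boolean true` loads non-free firmware without prompting, which is a supply-chain decision that deserves a one-line justification next to the value, especially since firmware.cfg limits lookup to `missing`.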
@@ -0,0 +1,44 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# Deb packages settings #
+###########################################################################################
+# Please select the protocol to be used for downloading files. If unsure, select "http":
+d-i mirror/protocol string https
+
+# Country code or "manual":
+d-i mirror/country string US
+
+# Suite to install:
+d-i mirror/suite string stable
+# Suite to use for loading installer components (optional):
+d-i mirror/udeb/suite string stable
+
+# Debian archive mirror hostname. Please enter the hostname of the mirror from which
+# Debian will be downloaded. An alternate port can be specified using the standard
+# [hostname]:[port] format:
+d-i mirror/http/hostname string deb.debian.org
+
+# Debian archive mirror directory. Please enter the directory in which the mirror of
+# the Debian archive is located:
+d-i mirror/http/directory string /debian/
+
+# HTTP proxy information (blank for none). If you need to use a HTTP proxy to access the
+# outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
+# information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
+d-i mirror/http/proxy string
+
+# Debian archive mirror country. The goal is to find a mirror of the Debian archive that
+# is close to you on the network -- be aware that nearby countries, or even your own, may
+# not be the best choice.
+d-i mirror/https/countries select US
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/includes.chroot/preseed/.cfg/partitioning.cfg b/config/includes.chroot/preseed/.cfg/partitioning.cfg
new file mode 100644
index 0000000..34f2045
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/partitioning.cfg
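Review bot: With `d-i mirror/protocol string https` the mirror host, directory and proxy are still preseeded under `mirror/http/hostname`, `mirror/http/directory` and `mirror/http/proxy`, while the country selection in the same file already uses the `mirror/https/countries` key. If choose-mirror keys its https questions the same way it keys the countries one, the `mirror/http/*` values will not be consulted and the installer will fall back to prompting; consider `d-i mirror/https/hostname string deb.debian.org`, `d-i mirror/https/directory string /debian/` and `d-i mirror/https/proxy string`, or add a comment confirming that the http keys are honoured for https.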
@@ -0,0 +1,360 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +########################################################################################### +# Partitioning CISS.partitioning # +########################################################################################### +# If the system has free space you can choose to only partition that space. This is only +# honoured if partman-auto/method is NOT set. Alternatively, choose 'use_entire_disk': +# d-i partman-auto/init_automatically_partition select biggest_free +# Alternatively, you may specify a disk to partition. +###d-i partman-auto/disk string /dev/sda + +# In addition, you'll need to specify the method to use. Presently available methods are: +# - regular : use the usual partition types for your architecture +# - lvm : use LVM to partition the disk +# - crypto : use LVM within an encrypted partition +###d-i partman-auto/method string crypto + +# When disk encryption is enabled, skip wiping the partitions beforehand: +###d-i partman-auto-crypto/erase_disks boolean false + +# You can define the amount of space that will be used for the LVM volume group. It can +# either be a size with its unit (eg. 20 GB), a percentage of free space or 'max' keyword: +###d-i partman-auto-lvm/guided_size string max + +# Name of the volume group for the new system: +###d-i partman-auto-lvm/new_vg_name string vg_ciss + +# Force UEFI booting ('BIOS compatibility' will be lost). 
Default: false: +###d-i partman-efi/non_efi_system boolean false + +# If one of the disks that are going to be automatically partitioned contains an old LVM +# configuration, the user will normally receive a warning. This can be preseeded away: +###d-i partman-lvm/device_remove_lvm boolean true +# The same applies to pre-existing software RAID array: +###d-i partman-md/device_remove_md boolean true +# And the same goes for the confirmation to write the lvm partitions: +###d-i partman-lvm/confirm boolean true +###d-i partman-lvm/confirm_nooverwrite boolean true + +########################################################################################### +# This makes partman automatically partition without confirmation, provided that it was # +# told what to do using one of the methods specified. # +########################################################################################### +# The following debconfvariables are often important for the basic configuration and for # +# mounting after manual partitioning. These ensure that the installer does not attempt to # +# make changes or overwrite already mounted partitions. They help to 'switch off' the # +# installer when it tries to apply partitioning automatically. # +########################################################################################### +# Confirm whether you actually want to create a new partition table and write it to disk: +###d-i partman-partitioning/confirm_write_new_label boolean true +###d-i partman/choose_partition select finish +###d-i partman/confirm boolean true +###d-i partman/confirm_nooverwrite boolean true + +# Ensure the partition table is GPT - this is required for EFI: +###d-i partman-partitioning/choose_label select gpt +###d-i partman-partitioning/default_label string gpt + +# This setting ensures that partitions without a mount point do not trigger a warning dialogue. 
+###d-i partman-basicfilesystems/no_mount_point boolean true + +# This setting tells the Debian installer not to issue a warning if no swap partition is set up. +###d-i partman-basicfilesystems/no_swap boolean true + +# Encryption settings +# d-i partman-crypto/passphrase password < set by ./preseed/.ash/0_di_preseed_include_command.sh > +# d-i partman-crypto/passphrase-again password < set by ./preseed/.ash/0_di_preseed_include_command.sh > +###d-i partman-crypto/passphrase password DEFAULT +###d-i partman-crypto/passphrase-again password DEFAULT +###d-i partman-crypto/weak_passphrase boolean true + +# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt +###d-i partman-crypto/entropy entropy 256 +# debconf-set-selections -c ./preseed/.cfg/partitioning.cfg: "warning: Unknown type entropy, skipping line" therefore as string: +###d-i partman-crypto/entropy string 256 + +# Are you sure you want to use a random key? +###d-i partman-crypto/use_random_for_nonswap boolean false + +########################################################################################### +# This command is run immediately before the partitioner starts. It may be useful to # +# apply dynamic partitioner preseeding that depends on the state of the disks (which may # +# not be visible when preseed/early_command runs). # +########################################################################################### +# d-i partman/early_command string /sh /.ciss/install/.ash/2_di_partman_early_command.sh + +###d-i partman-auto/expert_recipe string \ +\ +511MiB 511MiB 511MiB EFS \ +label{ ESP } \ +$defaultignore{ } \ +$primary{ } \ +$bootable{ } \ +method{ efi } \ +format{ } \ +use_filesystem{ } \ +filesystem{ EFS } \ +device{ /dev/sda } \ +mountpoint{ /boot } \ +. 
\ +rescue :: \ +3584MiB 3584MiB 3584MiB ext4 \ +label{ rescue } \ +$defaultignore{ } \ +$primary{ } \ +method{ format } \ +format{ } \ +use_filesystem{ } \ +filesystem{ ext4 } \ +device{ /dev/sda } \ +mountpoint{ /mnt/rescue } \ +. \ +crypt_boot :: \ +4096MiB 4096MiB 4096MiB ext4 \ +label{ boot } \ +$defaultignore{ } \ +$primary{ } \ +method{ format } \ +format{ } \ +use_filesystem{ } \ +filesystem{ ext4 } \ +device{ /dev/sda } \ +mountpoint{ /boot } \ +. \ +crypt_ephemeral_swap :: \ +4096MiB 4096MiB 4096MiB none \ +label{ crypt_swap } \ +$defaultignore{ } \ +$primary{ } \ +method{ keep } \ +device{ /dev/sda } \ +. \ +crypt_ephemeral_tmp :: \ +4096MiB 4096MiB 4096MiB none \ +label{ crypt_tmp } \ +$defaultignore{ } \ +$primary{ } \ +method{ keep } \ +device{ /dev/sda } \ +. \ +crypt_home :: \ +32768MiB 32768MiB 32768MiB crypto \ +$primary{ } \ +method{ crypto } \ +format{ } \ +use_filesystem{ } \ +filesystem{ btrfs } \ +label{ btrfs_home } \ +options/subvol{ @snapshots } \ +device{ /dev/sda } \ +mountpoint{ /home } \ +. \ +crypt_root :: \ +32768MiB 32768MiB 32768MiB crypto \ +$primary{ } \ +method{ crypto } \ +format{ } \ +use_filesystem{ } \ +filesystem{ btrfs } \ +label{ btrfs_root } \ +options/subvol{ @snapshots } \ +device{ /dev/sda } \ +mountpoint{ / } \ +. \ +crypt_usr :: \ +40960MiB 40960MiB 40960MiB crypto \ +$primary{ } \ +method{ crypto } \ +format{ } \ +use_filesystem{ } \ +filesystem{ btrfs } \ +label{ btrfs_usr } \ +options/subvol{ @snapshots } \ +device{ /dev/sda } \ +mountpoint{ /usr } \ +. \ +crypt_var :: \ +40960MiB 40960MiB 40960MiB crypto \ +$primary{ } \ +method{ crypto } \ +format{ } \ +use_filesystem{ } \ +filesystem{ btrfs } \ +label{ btrfs_var } \ +options/subvol{ @snapshots } \ +device{ /dev/sda } \ +mountpoint{ /var } \ +. 
\ +crypt_var_log :: \ +16384MiB 16384MiB 16384MiB crypto \ +$primary{ } \ +method{ crypto } \ +format{ } \ +use_filesystem{ } \ +filesystem{ btrfs } \ +label{ btrfs_var_log } \ +options/subvol{ @snapshots } \ +device{ /dev/sda } \ +mountpoint{ /var/log } \ +. \ +crypt_var_log_audit :: \ +16384MiB 16384MiB 16384MiB crypto \ +$primary{ } \ +method{ crypto } \ +format{ } \ +use_filesystem{ } \ +filesystem{ btrfs } \ +label{ btrfs_var_log_audit } \ +options/subvol{ @snapshots } \ +device{ /dev/sda } \ +mountpoint{ /var/log/audit } \ +. \ +crypt_var_tmp :: \ +16384MiB 16384MiB 16384MiB crypto \ +$primary{ } \ +method{ crypto } \ +format{ } \ +use_filesystem{ } \ +filesystem{ btrfs } \ +label{ btrfs_var_tmp } \ +options/subvol{ @snapshots } \ +device{ /dev/sda } \ +mountpoint{ /var/tmp } \ +. \ +installer_tmp :: \ +1024MiB 16384MiB -1 ext4 \ +$defaultignore{ } \ +$primary{ } \ +method{ format } \ +format{ } \ +use_filesystem{ } \ +filesystem{ ext4 } \ +mountpoint{ /tmp } \ +device{ /dev/sda } \ +label{ installer_tmp } \ +. +########################################################################################### +#d-i partman-auto/choose_recipe select ciss-2025-btrfs-ultra +#d-i partman-auto/expert_recipe string \ +ciss-2025-btrfs-ultra :: \ +ESP : \ +511 511 511 free \ +$defaultignore{ } \ +$primary{ } \ +$bootable{ } \ +method{ efi } format{ } \ +label{ ESP } \ +. \ +boot : \ +3584 3584 3584 ext4 \ +$defaultignore{ } \ +$primary{ } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ ext4 } \ +mountpoint{ /boot } \ +label{ boot } \ +. \ +crypt_ephemeral_swap : \ +4096 4096 4096 none \ +$defaultignore{ } \ +$primary{ } \ +method{ keep } \ +label{ crypt_sda3 } \ +. \ +crypt_ephemeral_tmp : \ +4096 4096 4096 none \ +$defaultignore{ } \ +$primary{ } \ +method{ keep } \ +label{ crypt_sda4 } \ +. 
\ +lv_home : \ +32768 32768 32768 btrfs \ +$lvmok{ } \ +lv_name{ lv_home } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ btrfs } \ +label{ btrfs_home } \ +options/subvol{ @snapshots } \ +mountpoint{ /home } \ +. \ +lv_root : \ +32768 32768 32768 btrfs \ +$lvmok{ } \ +lv_name{ lv_root } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ btrfs } \ +label{ btrfs_root } \ +options/subvol{ @snapshots } \ +mountpoint{ / } \ +. \ +lv_usr : \ +65536 65536 65536 btrfs \ +$lvmok{ } } \ +lv_name{ lv_usr } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ btrfs } \ +label{ btrfs_usr } \ +options/subvol{ @snapshots } \ +mountpoint{ /usr } \ +. \ +lv_var : \ +65536 65536 65536 btrfs \ +$lvmok{ } \ +lv_name{ lv_var } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ btrfs } \ +label{ btrfs_var } \ +options/subvol{ @snapshots } \ +mountpoint{ /var } \ +. \ +lv_var_log : \ +16384 16384 16384 btrfs \ +$lvmok{ } \ +lv_name{ lv_var_log } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ btrfs } \ +label{ btrfs_var_log } \ +options/subvol{ @snapshots } \ +mountpoint{ /var/log } \ +. \ +lv_var_log_audit : \ +16384 16384 16384 \ +$lvmok{ } \ +lv_name{ lv_var_log_audit } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ btrfs } \ +label{ btrfs_var_log_audit } \ +options/subvol{ @snapshots } \ +mountpoint{ /var/log/audit } \ +. \ +lv_var_tmp : \ +1 16384 -1 \ +$lvmok{ } \ +lv_name{ lv_var_tmp } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ btrfs } \ +label{ btrfs_var_tmp } \ +options/subvol{ @snapshots } \ +mountpoint{ /var/tmp } \ +. \ +rescue : \ +1024 8192 -1 \ +$defaultignore{ } \ +$primary{ } \ +method{ format } format{ } \ +use_filesystem{ } filesystem{ ext4 } \ +mountpoint{ /tmp } \ +label{ rescue } \ +. +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh \ No newline at end of file 
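Review bot: The `ciss-2025-btrfs-ultra` recipe has a stray closing brace in `$lvmok{ } }` under `lv_usr`, and the `lv_var_log_audit` (`16384 16384 16384 \`) and `lv_var_tmp` (`1 16384 -1 \`) entries omit the filesystem-type field that every other entry carries, so the recipe would not parse as written if it is ever reactivated. In the earlier `###`-commented recipe the ESP entry and `crypt_boot` both declare `mountpoint{ /boot }`, and the last entry of the second recipe is labelled `rescue` but mounted at `/tmp`; these look like copy-paste leftovers worth fixing or documenting before either recipe is uncommented. Note that only the `#d-i partman-auto/expert_recipe string \` line of the second recipe is commented while its continuation lines are bare, so whether they are skipped depends on how the preseed parser treats a comment line ending in a backslash.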
diff --git a/config/includes.chroot/preseed/.cfg/security.cfg b/config/includes.chroot/preseed/.cfg/security.cfg
new file mode 100644
index 0000000..95731fe
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/security.cfg
@@ -0,0 +1,21 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# Security settings #
+###########################################################################################
+# The installer will ensure that any packages are signed and authenticated.
+d-i debian-installer/allow_unauthenticated boolean false
+
+# This ensures that the connection between the installer and the server from which files
+# are downloaded is encrypted and signed by a trusted certificate authority.
+d-i debian-installer/allow_unauthenticated_ssl boolean false
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/includes.chroot/preseed/.cfg/software.cfg b/config/includes.chroot/preseed/.cfg/software.cfg
new file mode 100644
index 0000000..0b4900b
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/software.cfg
@@ -0,0 +1,59 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# Software installation #
+###########################################################################################
+d-i pkgsel/include string \
+apt-show-versions \
+apt-transport-https \
+apt-utils \
+bat \
+bc \
+ca-certificates \
+curl \
+debconf \
+debconf-utils \
+dialog \
+expect \
+figlet \
+fzf \
+gawk \
+git \
+gnupg2 \
+haveged \
+htop \
+iftop \
+iputils-ping \
+jq \
+keychain \
+libpam-google-authenticator \
+libpam-pwquality \
+locate \
+lsb-release \
+lvm2 \
+makepasswd \
+man \
+mtr \
+nano \
+ncat \
+neofetch \
+net-tools \
+parted \
+pollinate \
+pwgen \
+openssh-server \
+unzip \
+virt-what \
+whois \
+wget \
+zip
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/includes.chroot/preseed/.cfg/ssh.cfg b/config/includes.chroot/preseed/.cfg/ssh.cfg
new file mode 100644
index 0000000..14f6b56
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/ssh.cfg
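Review bot: The `pkgsel/include` list is alphabetical except for `openssh-server` (placed after `pwgen`) and `wget` (after `whois`), which makes duplicates and omissions harder to spot in review. `apt-transport-https` is a transitional dummy package on current Debian releases, since https support lives in apt itself, so it can be dropped. `pollinate` is primarily an Ubuntu package; verify it exists in the target suite, because an unknown name in `pkgsel/include` fails or prompts during package selection. A short comment justifying `ncat` and `expect` on a hardened image would also help, as both widen the toolset available on the installed host and the rest of the list reads as an administrative baseline.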
@@ -0,0 +1,22 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# SSH settings #
+###########################################################################################
+# Use the following settings if you wish to make use of the network-console component for #
+# remote installation over SSH. This only makes sense if you intend to perform the #
+# remainder of the installation manually. #
+###########################################################################################
+d-i network-console/authorized_keys_url string https : //coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
+# d-i network-console/password password < never ever use plain hardcoded credentials >
+# d-i network-console/password-again password < never ever use plain hardcoded credentials >
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/includes.chroot/preseed/.cfg/time.cfg b/config/includes.chroot/preseed/.cfg/time.cfg
new file mode 100644
index 0000000..bb923f0
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/time.cfg
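Review bot: The `network-console/authorized_keys_url` value reads `https : //coresecret.eu/...` with spaces inside the scheme, so the installer cannot fetch the key as written; it should be `d-i network-console/authorized_keys_url string https://coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key`. Because this key grants root on every installer that boots the preseed, a comment stating who controls the URL and what protects the download would help reviewers, e.g. `# Root key for the install-time network console; fetched over TLS, so the certificate check is the only integrity protection of this key.` Whether `allow_unauthenticated_ssl` from security.cfg governs this particular fetch is not visible here and is worth confirming.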
@@ -0,0 +1,33 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# Time settings #
+###########################################################################################
+# Germany : https://www.ptb.de/cms/ptb/fachabteilungen/abtq/gruppe-q4/ref-q42/zeitsynchronisation-von-rechnern-mit-hilfe-des-network-time-protocol-ntp.html
+# Germany : ptbtime1.ptb.de ptbtime2.ptb.de ptbtime3.ptb.de
+# Portugal : https://si.tecnico.ulisboa.pt/en/servicos/servidores-e-dados/ntp/
+# Portugal : ntp1.tecnico.ulisboa.pt ntp2.tecnico.ulisboa.pt
+# Switzerland : https://www.metas.ch/metas/de/home/fabe/zeit-und-frequenz/time-dissemination.html
+# Switzerland : ntp11.metas.ch ntp12.metas.ch ntp13.metas.ch
+# USA : https://tf.nist.gov/tf-cgi/servers.cgi
+# USA : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
+d-i clock-setup/ntp-server string ntp.ripe.net ptbtime3.ptb.de ptbtime2.ptb.de ntp12.metas.ch ntp2.tecnico.ulisboa.pt time-c-b.nist.gov
+
+# Controls whether or not the hardware clock is set to UTC:
+d-i clock-setup/utc boolean true
+
+# Any valid setting for $TZ; see the contents of /usr/share/zoneinfo/ for valid values:
+d-i time/zone string Europe/Lisbon
+
+# Controls whether to use NTP to set the clock during the install:
+d-i clock-setup/ntp boolean true
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
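Review bot: `ntp.ripe.net` is the first entry in `clock-setup/ntp-server` but the only one not covered by the provenance comments above it; add a line such as `# RIPE NCC : ntp.ripe.net` with its reference URL so every server is documented the same way. The space-separated list assumes clock-setup hands the whole string to its time client; if it treats the value as a single hostname only the first entry is ever used, which is worth confirming since the installer's TLS checks depend on this clock being set.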
diff --git a/config/includes.chroot/preseed/.cfg/user.cfg b/config/includes.chroot/preseed/.cfg/user.cfg
new file mode 100644
index 0000000..797f0be
--- /dev/null
+++ b/config/includes.chroot/preseed/.cfg/user.cfg
@@ -0,0 +1,30 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+###########################################################################################
+# User settings #
+###########################################################################################
+# Skip creation of a root account (normal user account will be able to use sudo):
+d-i passwd/root-login boolean true
+d-i passwd/root-password-crypted password $6$rounds = 4194304$4QhOp0Tdthmfky4f$1fRa/D45can2j0ttQDRoK9x8ovBFCftxn0hvyyU3.BlRRafsgs48wpikr1XODyhmgUySZHqXF3zeQeBZNYTul0
+
+# Alternatively, to skip creation of a normal user account:
+d-i passwd/make-user boolean false
+# To create a normal user account:
+d-i passwd/user-fullname string Debian User
+d-i passwd/username string debian
+d-i passwd/user-password-crypted password $6$rounds=8388608$bwnJ5ZlnOmYxFE21$LDJ4QBBmoob3pAu5JL4e4RkCt5qFnS2ZFIOm9bOEuADCcsLfOagGmkmh7Lj8OtqdgGSLg8TMXDbizLaZx.hiS1
+
+###########################################################################################
+# SALT=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16) #
+# mkpasswd --method=sha-512 --salt="${SALT}" --rounds=8388608 # which seems p4ranoid #
+###########################################################################################
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
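Review bot: The root hash `$6$rounds = 4194304$...` contains spaces around `=`, which is not a valid crypt(3) SHA-512 string (compare the user hash `$6$rounds=8388608$...`), so `passwd/root-password-crypted` will most likely set an unusable password instead of the intended one; the line should begin `d-i passwd/root-password-crypted password $6$rounds=4194304$4QhOp0Tdthmfky4f$` with the rest unchanged. The comment `# Skip creation of a root account (normal user account will be able to use sudo)` contradicts `passwd/root-login boolean true` directly below it, and `passwd/make-user boolean false` turns the three user-account lines after it into dead configuration; the comments should state which of the two is intended. Committing password hashes to the repository exposes them to offline guessing by anyone with read access; the partitioning file already defers `partman-crypto/passphrase` to a build-time include script, and the same pattern would fit these two values.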
diff --git a/config/includes.chroot/preseed/.iso/iso.sh b/config/includes.chroot/preseed/.iso/iso.sh
new file mode 100644
index 0000000..a5d30df
--- /dev/null
+++ b/config/includes.chroot/preseed/.iso/iso.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+# The example names get mapped to their roles here
+declare timestamp
+timestamp=$(date +"%Y%m%d%H%M")
+declare -r LABEL="${timestamp:0:4}_${timestamp:4:2}_${timestamp:6:2}-${timestamp:8:2}_${timestamp:10:2}"
+declare -r SEQNO="${timestamp:0:4}.${timestamp:4:2}.${timestamp:6:2}-${timestamp:8:2}:${timestamp:10:2}"
+declare -r ISO_ORIGINAL="/opt/netinstaller/debian-12.8.0-amd64-netinst.iso"
+declare -r IMGCENTURION="/mnt/debian-original"
+declare -r ISO_MODIFIED="/root/${LABEL}-CISS-12.8.0-amd64-netinst.iso"
+declare -r MBR_TEMPLATE="isohdpfx.bin"
+declare size
+size=$(xorriso -as mkisofs -print-size "${IMGCENTURION}" | tail -n 1 | awk '{print $1}')
+clear
+
+echo "Sequence No. : ${SEQNO}"
+echo "Estimated Size : ${size}"
+
+# Extract MBR template file to disk
+dd if="${ISO_ORIGINAL}" bs=1 count=432 of="${MBR_TEMPLATE}"
+
+# Create the new ISO image
+xorriso -as mkisofs \
+ -r \
+ -volid 'CISS Debian 12.8.0 x86_64' \
+ -appid 'Centurion Debian Installer' \
+ -volset 'CISS.hardened.bookworm' \
+ -volset-seqno "${SEQNO}" \
+ -volset-size "${size}" \
+ -publisher 'Centurion Intelligence Consulting Agency' \
+ -sysid 'GNU/Linux amd64' \
+ -copyright 'COPYRIGHT' \
+ -o "${ISO_MODIFIED}" \
+ -J -J -joliet-long -cache-inodes \
+ -isohybrid-mbr "${MBR_TEMPLATE}" \
+ -b isolinux/isolinux.bin \
+ -c isolinux/boot.cat \
+ -boot-load-size 4 -boot-info-table -no-emul-boot \
+ -eltorito-alt-boot \
+ -e boot/grub/efi.img \
+ -no-emul-boot -isohybrid-gpt-basdat -isohybrid-apm-hfsplus \
+ "${IMGCENTURION}"
+
+# Check output of new ISO image
+echo ""
+file "${ISO_MODIFIED}"
+echo ""
+isoinfo -d -i "${ISO_MODIFIED}"
+echo ""
+file "${ISO_MODIFIED}"
+echo ""
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
new file mode 100644
index 0000000..32310b1
--- /dev/null
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
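Review bot: `-volset-size "${size}"` is fed the sector count from `xorriso -as mkisofs -print-size`, but under mkisofs semantics `-volset-size` is the number of volumes in the volume set, so the value is a misuse and `size` is otherwise only printed; drop the option or pass `1`. In the same invocation `-J` is given twice, and in the check block `file "${ISO_MODIFIED}"` runs twice. The script trusts `/opt/netinstaller/debian-12.8.0-amd64-netinst.iso` without verifying it against Debian's signed SHA256SUMS before the `dd` extracts the MBR template from it, and writes `isohdpfx.bin` into the current directory rather than a temporary file; a `sha256sum -c` against the signed checksum file ahead of the `dd`, and a `mktemp` path for the template, would close that gap. A comment stating what "The example names get mapped to their roles here" refers to would also help, since the declarations below it are constants rather than a mapping.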
@@ -0,0 +1,238 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +declare -gr VERSION="Master V8.02.512.2025.05.30" + +### VERY EARLY CHECK FOR DEBUGGING +if [[ $* == *" --debug "* ]]; then + declare -gr EARLY_DEBUG=true + # Set a verbose PS4 prompt including timestamp, source, line, exit status and function name + declare -gr PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m$?\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m ' + # shellcheck disable=SC2155 + declare -gr DEBUG_LOG="/tmp/ciss_live_builder_$$.log" + # Generates empty DEBUG_LOG + touch "${DEBUG_LOG}" && chmod 0600 "${DEBUG_LOG}" + # Open file descriptor 42 for writing to the debug log + exec 42>| "${DEBUG_LOG}" + # Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables + { + printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)" + printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VERSION}" + printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}" + printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}" + printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}" + printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[2]}" + printf 
"\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[3]}" + printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[4]}" + printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date +%T.%4N)" "${UID}" + printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date +%T.%4N)" "${EUID}" + printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date +%T.%4N)" "${HOSTNAME}" + printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date +%T.%4N)" "$0" + printf "\e[97m+\e[0m\e[92m%s: Argument counter : %s \e[0m\n" "$(date +%T.%4N)" "$#" + printf "\e[97m+\e[0m\e[92m%s: Argument string : %s \e[0m\n" "$(date +%T.%4N)" "$*" + printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date +%T.%4N)" "$$" + printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date +%T.%4N)" "${PPID}" + printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date +%T.%4N)" "${PWD}" + printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date +%T.%4N)" "$-" + printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date +%T.%4N)" "${BASHOPTS}" + printf "\e[97m+\e[0m\e[92m%s: === Debug Log === : \e[0m\n" "$(date +%T.%4N)" + } >&42 + # Tell Bash to send xtrace output to FD 42 + export BASH_XTRACEFD=42 + # Enable inheritable shell options + export SHELLOPTS + # Turn on xtrace + set -x +else + declare -gr EARLY_DEBUG=false +fi + +### Definition of error codes +declare -gir ERR_NOT_USER_0=128 +declare -gir ERR_UNSPPTBASH=255 + +### Definition of error trap vars +# declare -g errcode="" # = $? 
= $1 = ERRCODE +# declare -g errscrt="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT +# declare -g errline="" # = ${LINENO} = $3 = ERRLINE +# declare -g errfunc="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC +# declare -g errcmmd="" # = ${$BASH_COMMAND} = $5 = ERRCMMD + +### Preliminary vars declaration +declare -gr argument_count="$#" +declare -gr argument_string="$*" + +### Preliminary checks +[[ ${EUID} -ne 0 ]] \ + && printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2 && exit "${ERR_NOT_USER_0}" +[[ -z ${BASH_VERSINFO[0]} ]] \ + && printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2 && exit "${ERR_UNSPPTBASH}" +[[ $(kill -l | grep -c SIG) -eq 0 ]] \ + && printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2 && exit "${ERR_UNSPPTBASH}" +[[ ${BASH_VERSINFO[0]} -lt 5 ]] \ + && printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2 && exit "${ERR_UNSPPTBASH}" +[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] \ + && printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2 && exit "${ERR_UNSPPTBASH}" + +### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin +set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e". +set -o nounset # Exit script on use of an undefined variable, the same as "set -u". +set -o pipefail # Makes pipelines return the exit status of the last command in the pipe that failed. +set -o noclobber # Prevent overwriting, the same as "set -C". + +####################################### +# Trap function to be called on 'ERR'. +# Globals: +# DEBUG_LOG +# EARLY_DEBUG +# VERSION +# argument_count +# argument_string +# Arguments: +# $1: $? 
+# $2: ${BASH_SOURCE[0]} +# $3: ${LINENO} +# $4: ${FUNCNAME[0]:-main} +# $5: ${BASH_COMMAND} +####################################### +# shellcheck disable=SC2317 +trap_on_err() { + declare -r errcode="$1" + declare -r errscrt="$2" + declare -r errline="$3" + declare -r errfunc="$4" + declare -r errcmmd="$5" + trap - ERR + if [[ "${errcode}" -ne 127 ]]; then + printf "\e[91m❌ Hash Generation Process failed.\e[0m\n" >&2 + printf "\e[91m❌ Version : '%s' \e[0m\n" "${VERSION}" >&2 + printf "\e[91m❌ Error : '%s' \e[0m\n" "${errcode}" >&2 + printf "\e[91m❌ Line : '%s' \e[0m\n" "${errline}" >&2 + printf "\e[91m❌ Script : '%s' \e[0m\n" "${errscrt}" >&2 + printf "\e[91m❌ Function : '%s' \e[0m\n" "${errfunc}" >&2 + printf "\e[91m❌ Command : '%s' \e[0m\n" "${errcmmd}" >&2 + printf "\e[91m❌ Arguments # : '%s' \e[0m\n" "${argument_count}" >&2 + printf "\e[91m❌ Arguments : '%s' \e[0m\n" "${argument_string}" >&2 + if "${EARLY_DEBUG}"; then + printf "\e[91m❌ Debug Log : '%s' \e[0m\n" "${DEBUG_LOG}" >&2 + printf "\e[91m❌ cat %s \e[0m\n" "${DEBUG_LOG}" >&2 + fi + printf "\n" + fi +} + +trap 'trap_on_err "$?" 
"${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR + +### Initialization +# shellcheck disable=SC2155 +declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")" +# shellcheck disable=SC2155 +declare -gr WORK_DIR="$(dirname "${SCRIPT_FULLPATH}")" +declare -gr BASE_DIR="${WORK_DIR%/.iso}" +declare -gr CFG_DIR="${BASE_DIR}/.cfg" +declare -gr PRES_FILE="${BASE_DIR}/preseed.cfg" +declare -gr HASH_FILE="${CFG_DIR}/md5sum.txt" +declare -ga hashes=() + +# shellcheck disable=SC2188 +>| "${HASH_FILE}" + +####################################### +# Generator for md5 Hashes +# Globals: +# CFG_DIR +# HASH_FILE +# hash +# hashes +# Arguments: +# None +####################################### +gen_hash() { + # Enable nullglob so that non-matching patterns expand to nothing + shopt -s nullglob + declare file + declare filename + # Loop over all *.cfg files in CFG_DIR + for file in "${CFG_DIR}"/*.cfg; do + # Only process if it's a regular file + if [[ -f "${file}" ]]; then + # Calculate md5 hash (only the hash value) + hash=$(md5sum "${file}" | awk '{ print $1 }') + # Extract the filename without a path + filename=${file##*/} + # Append "hash filename" to HASH_FILE + echo "${hash} $(unknown)" >> "${HASH_FILE}" + # Add hash to array + hashes+=("${hash}") + fi + done +} + +gen_hash + +{ + declare in_hash_block=false + declare outer_line + declare hash + while IFS= read -r outer_line; do + # Check if a line contains "#BOH" and start the hash insertion block + if [[ ${outer_line} == "#BOH" ]]; then + echo "${outer_line}" + # shellcheck disable=SC1003 + echo 'd-i preseed/include/checksum string \' + + # Add all new hashes from the array "hashes" except the last one + for ((i = 0; i < ${#hashes[@]} - 1; i++)); do + hash="${hashes[i]}" + echo "${hash} \\" + done + + # Output the last hash without the trailing backslash. + echo "${hashes[@]: -1}" + + # Set the flag for the hash block to "true". 
+ in_hash_block=true + continue + fi + + # Check if the line "#EOH" has been reached to end the hash block. + if [[ ${outer_line} == "#EOH" && ${in_hash_block} == true ]]; then + echo "${outer_line}" + in_hash_block=false + continue + fi + + # Skip lines within the hash block (old hashes and d-i line). + if [[ ${in_hash_block} == true ]]; then + # Skip the line "d-i preseed/include/checksum string". + if [[ ${outer_line} =~ ^d-i\ preseed/include/checksum\ string ]]; then + continue + fi + # Skip lines with old hashes. + if [[ ${outer_line} =~ [a-f0-9]{32} ]]; then + continue + fi + fi + + # Leave all other rows unchanged. + echo "${outer_line}" + + done < "${PRES_FILE}" +} >| "${PRES_FILE}.tmp" + +mv -f "${PRES_FILE}.tmp" "${PRES_FILE}" +sed -i ':a;N;/\n#EOH/!ba;s/\(\n\)\+\(#EOH\)/\n#EOH/' "${PRES_FILE}" +sed -i '$d' "$PRES_FILE" +echo "# Written by: $0 Version: ${VERSION} at: $(date +%T.%4N)" >> "${PRES_FILE}" +printf "\e[92mβœ… '%s' Process successful.\e[0m\n" "${0}" +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/preseed/.lib/banner.lib b/config/includes.chroot/preseed/.lib/banner.lib new file mode 100644 index 0000000..8b522c3 --- /dev/null +++ b/config/includes.chroot/preseed/.lib/banner.lib @@ -0,0 +1,12 @@ + +####################################################################### + # # + ## ## + ###### ######## ### ## ######## ### ## ####### ### ####### ### ## +### #### ## ### ### ## ## ### ## #### ## +### ####### ####### ### ### ## ###### ### ## ## ####### +### ### ### ### ### ### ## ## ## ### ## ## ### ### + ###### ####### ### ## ### ##### ## ## ### ##### ### ## + # # +####################################################################### + diff --git a/config/includes.chroot/preseed/.lib/sshd_config.lib b/config/includes.chroot/preseed/.lib/sshd_config.lib new file mode 100644 index 0000000..285895a --- /dev/null +++ b/config/includes.chroot/preseed/.lib/sshd_config.lib 
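Review bot: In `gen_hash` the line `echo "${hash} $(unknown)" >> "${HASH_FILE}"` as shown runs a non-existent command and writes each hash with an empty filename, so md5sum.txt cannot be matched back to its .cfg file; presumably `echo "${hash} ${filename}" >> "${HASH_FILE}"` was intended, and `hash` should be declared inside the function instead of leaking as a global that is only declared later in the script. The version check `[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]]` rejects bash 5.1 itself although the message names 5.1 as the minimum; the minor comparison should be `-lt 1`. `DEBUG_LOG="/tmp/ciss_live_builder_$$.log"` is a predictable path that root touches, chmods and then truncates with `exec 42>|` before `noclobber` is even set, so a pre-existing symlink at that path would be followed; `DEBUG_LOG="$(mktemp /tmp/ciss_live_builder.XXXXXX)"` avoids that. `sed -i '$d' "$PRES_FILE"` deletes the last line of preseed.cfg unconditionally, which is only correct when the previous run's `# Written by:` footer is there; match it explicitly with `sed -i '/^# Written by: /d' "${PRES_FILE}"` so a first run or a hand-edited file is not truncated.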
@@ -0,0 +1,118 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Protocol 2
+
+Banner /etc/banner
+DebianBanner no
+VersionAddendum none
+
+Compression no
+LogLevel VERBOSE
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Port MUST_BE_CHANGED
+AllowUsers root
+UseDNS no
+RekeyLimit 1G 1h
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+PubkeyAuthentication yes
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+PermitEmptyPasswords no
+StrictModes yes
+LoginGraceTime 2m
+MaxAuthTries 3
+MaxSessions 2
+MaxStartups 10:30:60
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+AuthorizedKeysFile %h/.ssh/authorized_keys
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+GatewayPorts no
+
+# ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
+Ciphers aes256-gcm@openssh.com
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-ed25519
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp384,ssh-ed25519,sk-ssh-ed25519@openssh.com
+
+# Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+PidFile /var/run/sshd.pid
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive no
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
+# Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
+HostbasedAuthentication no
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+# IgnoreRhosts yes
+
+# UsePrivilegeSeparation yes
+
+# Kerberos options
+# KerberosAuthentication no
+# KerberosOrLocalPasswd yes
+# KerberosTicketCleanup yes
+# KerberosGetAFSToken no
+
+# GSSAPI options
+# GSSAPIAuthentication no
+# GSSAPICleanupCredentials yes
+# GSSAPIStrictAcceptorCheck yes
+# GSSAPIKeyExchange no
+
+# AuthorizedPrincipalsFile none
+# AuthorizedKeysCommand none
+# AuthorizedKeysCommandUser nobody
+
+# PermitTunnel no
+# ChrootDirectory none
+# X11DisplayOffset 10
+# X11UseLocalhost yes
+# PermitTTY yes
+# PermitUserEnvironment no
+# IgnoreUserKnownHosts no
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
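Review bot: `Include /etc/ssh/sshd_config.d/*.conf` on the first line lets any drop-in override every hardening directive that follows it, because sshd keeps the first value it reads for each keyword; a package or cloud-image hook that drops `PasswordAuthentication yes` or `PermitRootLogin yes` into `sshd_config.d/` would silently win over this file. Either move the `Include` to the end of the file, so this file's values take precedence and drop-ins can only supply keywords left unset here, or add a comment stating that drop-in override is intended. `Port MUST_BE_CHANGED` is a placeholder that sshd rejects at parse time (the port must be numeric), so whatever renders this `.lib` into `/etc/ssh/sshd_config` needs to verify the substitution happened before the service is enabled — an `sshd -t` check is the usual guard, and a comment such as `# Port: placeholder, substituted by the installer; sshd -t must pass before enabling` next to the line would document the contract. `Protocol 2` is a deprecated keyword in current OpenSSH releases (protocol 1 support is gone) and only produces a warning, so it can be dropped.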
diff --git a/config/includes.chroot/preseed/CCLA-1.0.md b/config/includes.chroot/preseed/CCLA-1.0.md new file mode 100644 index 0000000..3cbe742 --- /dev/null +++ b/config/includes.chroot/preseed/CCLA-1.0.md 
@@ -0,0 +1,81 @@ +# Centurion Commercial License Agreement 1.0 + +## **1. General Terms** + +1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software"). + +1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license. + +1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below. + +1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only. + +## **2. Grant of License** + +2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a + +- non-exclusive, +- non-transferable, +- time-limited, + +right to use the Software for commercial purposes. + +2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement. + +## **3. Subscription Fees and Payment** + +3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable. + +3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice. + +## **4. Restrictions** + +4.1. Licensee shall not: + +- Distribute, sublicense, or resell the Software. +- Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law. + +4.2. The Software may not be used for illegal or unethical purposes. + +## **5. Support and Updates** + +5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying +support agreement. + +5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees. + +## **6. Termination** + +6.1. This Agreement is valid for the subscription term unless terminated earlier: + +- By Licensee, with a 30-day written notice. +- By Licensor, in the event of Licensees breach of this Agreement. + +6.2. 
Upon termination, Licensee must cease all uses of the Software and delete all copies. + +## **7. Liability and Warranty** + +7.1. The Software is provided "as is" without warranties of any kind, except as required by law. + +7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months. + +## **8. Governing Law** + +8.1. This Agreement shall be governed by the laws of Portugal. + +8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal. + +## **9. Miscellaneous** + +9.1. Any changes to this Agreement must be in writing and signed by both parties. + +9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable. + +## 10. **Contact Information** + +* Licensor : Centurion Intelligence Consulting Agency +* Email : legal@coresecret.eu + +--- + +This Subscription License Agreement was last updated at 09.05.2025. diff --git a/config/includes.chroot/preseed/LICENSE b/config/includes.chroot/preseed/LICENSE new file mode 100644 index 0000000..2dd5cb8 --- /dev/null +++ b/config/includes.chroot/preseed/LICENSE 
@@ -0,0 +1,256 @@ +# SPDX-License-Identifier: EUPL-1.2 + +EUPL-1.2 + +EUROPEAN UNION PUBLIC LICENCE v. 1.2 +EUPL Β© the European Union 2007, 2016 + +This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the +terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such +a use is covered by a right of the copyright holder of the Work). + +The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following +notice immediately following the copyright notice for the Work: + + Licensed under the EUPL + +or has expressed by any other means his willingness to license under the EUPL. + +1.Definitions + +In this Licence, the following terms have the following meaning: + +β€” 'The Licence':this Licence. + +β€” 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available +as Source Code and also as Executable Code as the case may be. + +β€” 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or +modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work +required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in +the country mentioned in Article 15. + +β€” 'The Work':the Original Work or its Derivative Works. + +β€” 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and +modify. + +β€” 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by +a computer as a program. + +β€” 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence. 
+ +β€” 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to +the creation of a Derivative Work. + +β€” 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the +Licence. + +β€” 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating, +transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential +functionalities at the disposal of any other natural or legal person. + +2.Scope of the rights granted by the Licence + +The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for +the duration of copyright vested in the Original Work: + +β€” use the Work in any circumstances and for all usage, + +β€” reproduce the Work, + +β€” modify the Work and make Derivative Works based upon the Work, + +β€” communicate to the public, including the right to make available or display the Work or copies thereof to the public +and perform publicly, as the case may be, the Work, + +β€” distribute the Work or copies thereof, + +β€” lend and rent the Work or copies thereof, + +β€” sublicense rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the +applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed +by law in order to make effective the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the +extent necessary to make use of the rights granted on the Work under this Licence. 
+ +3.Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as +Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with +each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to +the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to +distribute or communicate the Work. + +4.Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the +exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations +thereto. + +5.Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those +obligations are the following: + +Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to +the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the +Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work +to carry prominent notices stating that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this +Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless +the Original Work is expressly distributed only under this version of the Licence β€” for example, by communicating +'EUPL v. 1.2 only'. 
The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the +Work or Derivative Work that alter or restrict the terms of the Licence. + +Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both +the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done +under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed +in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with +his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail. + +The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide +a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available +for as long as the Licensee continues to distribute or communicate the Work. +Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names +of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + +6.Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or +licensed to him/her and that he/she has the power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or +licensed to him/her and that he/she has the power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions +to the Work, under the terms of this Licence. 
+ +7.Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work +and may therefore contain defects or 'bugs' inherent to this type of development. + +For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind +concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or +errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this +Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work. + +8.Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be +liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the +Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss +of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, +the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work. + +9.Additional agreements + +While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services +consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole +responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify, +defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by +the fact You have accepted any warranty or additional liability. 
+ +10.Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window +displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of +applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms +and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You +by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution +or Communication by You of the Work or copies thereof. + +11.Information to the public + +In case of any Distribution or Communication of the Work by means of electronic communication by You (for example, +by offering to download the Work from a remote location) the distribution channel or media (for example, a website) +must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence, +and the way it may be accessible, concluded, stored, and reproduced by the Licensee. + +12.Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms +of the Licence. + +Such a termination will not terminate the licences of any person who has received the Work from the Licensee under +the Licence, provided such persons remain in full compliance with the Licence. + +13.Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the +Work. + +If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or +enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid +and enforceable. 
+ +The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of +the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence. +New versions of the Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take +advantage of the linguistic version of their choice. + +14.Jurisdiction + +Without prejudice to specific agreement between parties, + +β€” any litigation resulting from the interpretation of this License, arising between the European Union institutions, +bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice +of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union, + +β€” any litigation arising between other parties and resulting from the interpretation of this License will be subject to +the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business. + +15.Applicable Law + +Without prejudice to specific agreement between parties, + +β€” this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat, +resides, or has his registered office + +β€” this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside +a European Union Member State. + + + Appendix + +'Compatible Licences' according to Article 5 EUPL are: + +β€” GNU General Public License (GPL) v. 2, v. 3 + +β€” GNU Affero General Public License (AGPL) v. 3 + +β€” Open Software License (OSL) v. 2.1, v. 3.0 + +β€” Eclipse Public License (EPL) v. 1.0 + +β€” CeCILL v. 2.0, v. 2.1 + +β€” Mozilla Public Licence (MPL) v. 2 + +β€” GNU Lesser General Public Licence (LGPL) v. 2.1, v. 
3 + +β€” Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software + +β€” European Union Public Licence (EUPL) v. 1.1, v. 1.2 + +β€” QuΓ©bec Free and Open-Source Licence β€” Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+). + +The European Commission may update this Appendix to later versions of the above licences without producing +a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the +covered Source Code from exclusive appropriation. + +All other changes or additions to this Appendix require the production of a new EUPL version. \ No newline at end of file diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg new file mode 100644 index 0000000..54ac294 --- /dev/null +++ b/config/includes.chroot/preseed/preseed.cfg 
@@ -0,0 +1,115 @@
+#_preseed_V1
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024Γ’β‚¬β€œ2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# https://d-i.debian.org/doc/internals/
+# https://d-i.debian.org/doc/internals/ch02.html
+# https://preseed.debian.net/debian-preseed/
+# https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
+# https://wiki.debian.org/DebianInstaller/Preseed
+# https://wiki.debian.org/RepackBootableISO
+# https://www.debian.org/releases/stable/amd64/apb.en.html
+# file:///lib/partman/recipes-amd64-efi/
+
+###########################################################################################
+# debconf-set-selections -c preseed.cfg # checked #
+###########################################################################################
+# Preseeded encrypted partitions need to use LVM: #
+# https://www.linuxjournal.com/content/preseeding-full-disk-encryption #
+###########################################################################################
+# d-i preseeding is inherently not secure. Nothing in the installer checks for attempts #
+# at buffer overflows or other exploits of the values of a # preconfiguration file like #
+# this one. Only use preconfiguration files from # trusted locations! To drive that home, #
+# and because it's generally useful, here's a way to run any shell command you'd like #
+# inside the installer, automatically. #
+###########################################################################################
+# Sequence of execution: #
+###########################################################################################
+# d-i preseed/include_command #
+# This command is executed first and dynamically loads additional preseeding settings #
+# before further configuration steps start. This makes it possible for all settings #
+# downloaded or generated by this command to be available early and influence other #
+# preseeding commands or partitioning steps. #
+###########################################################################################
+# d-i preseed/early_command #
+# After running include_command, preseed/early_command is executed. This command is often #
+# used to apply custom tweaks or settings just before partitioning. #
+###########################################################################################
+# d-i partman/early_command #
+# This is run immediately before the partitioning process (Partman) is started and is #
+# used to perform system- or volume-specific settings or checks. #
+###########################################################################################
+# Remaining configuration and installation #
+# After these early commands, all further installation and configuration steps specified #
+# in the preseed file follow. #
+###########################################################################################
+d-i preseed/include string \
+/preseed/.cfg/apt.cfg \
+/preseed/.cfg/base.cfg \
+/preseed/.cfg/finished.cfg \
+/preseed/.cfg/firmware.cfg \
+/preseed/.cfg/grub.cfg \
+/preseed/.cfg/locale.cfg \
+/preseed/.cfg/modules.cfg \
+/preseed/.cfg/network.cfg \
+/preseed/.cfg/packages.cfg \
+/preseed/.cfg/partitioning.cfg \
+/preseed/.cfg/security.cfg \
+/preseed/.cfg/software.cfg \
+/preseed/.cfg/ssh.cfg \
+/preseed/.cfg/time.cfg \
+/preseed/.cfg/user.cfg
+
+#BOH
+d-i preseed/include/checksum string \
+336de475a23be401db656485fe2134e5 \
+9b2768bf48aada9e1fc33cfe94571826 \
+95c0feba9a9ed2a1f3d86cc2bf1910f8 \
+bccbc23588d19b3057e4b4915b03538b \
+d80da843499d8d797703b8aef2bf28d5 \
+e876c113af0630f113811e5bade71b06 \
+2b85692b087100a0535fe8711cdbcb63 \
+1c0c74ed939c34d620bde9b8f1a91a1c \
+da7738a8db3d4e2c220bf3f5b3e50dcb \
+5dff498042e3d095a792951ba1bd9d2f \
+7f71ea76c629c4e4f0ab2f9a6c8b28ea \
+8e6b49c07d678060b661f7dd2fad6f39 \
+f526221c741e4e2c5090f2ff60e53d62 \
+1ffc41f4c70be83fd6524262494bdf11 \
+67b9d1aa4bb4a4b8610ca42fa45521cf
+#EOH
+
+d-i debconf/priority string critical
+popularity-contest popularity-contest/participate boolean false
+
+###########################################################################################
+# This command is executed first and dynamically loads additional preseeding settings #
+# before further configuration steps start. #
+###########################################################################################
+d-i preseed/include_command string sh /preseed/.ash/0_di_preseed_include_command.sh
+
+###########################################################################################
+# This first command is run as early as possible, just after preseeding is read. #
+###########################################################################################
+d-i preseed/early_command string sh /preseed/.ash/1_di_preseed_early_command.sh
+
+###########################################################################################
+# This command is run just before the install finishes, but when there is still a usable #
+# /target directory. You can chroot to /target and use it directly or use the apt-install #
+# and in-target commands to easily install packages and run commands in the target system.#
+###########################################################################################
+d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
+
+
+# Please consider donating to my work at: https://coresecret.eu/spenden/
+###########################################################################################
+# Written by: ./preseed_hash_generator.sh Version: Master V8.02.512.2025.05.30 at: 10:18:37.9542
diff --git a/config/includes.chroot/root/.bashrc b/config/includes.chroot/root/.bashrc
new file mode 100644
index 0000000..2020dc0
--- /dev/null
+++ b/config/includes.chroot/root/.bashrc
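Review bot: The `d-i preseed/include/checksum` list is paired with the `d-i preseed/include` list purely by position (15 entries each here), and nothing in the file records that invariant; the generator that rewrites the `#BOH`/`#EOH` block earlier in this diff appears to emit hashes in glob order of `*.cfg`, while the include list is hand-maintained, so adding or renaming one `.cfg` without updating the other list would silently shift every following checksum onto the wrong file. A comment above `#BOH` such as `# Checksums are matched to the preseed/include entries by position; keep both lists in the same (glob-sorted) order` would make that coupling visible. Since the hashes ship on the same medium as the files they cover, and md5 is the only digest the d-i documentation describes for this directive, these values detect accidental mismatch rather than tampering, which is worth stating in the same comment. The `SPDX-FileCopyrightText` line is also double-encoded (the en dash appears as mojibake), unlike the same header in the other files of this commit.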
@@ -0,0 +1,92 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# ~/.bashrc: executed by bash(1) for non-login shells.
+
+# Note: PS1 and umask are already set in /etc/profile. You should not
+# need this unless you want different defaults for root.
+# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
+# umask 022
+
+# You may uncomment the following lines if you want `ls' to be colorized:
+# export LS_OPTIONS='--color=auto'
+# eval "$(dircolors)"
+# alias ls='ls $LS_OPTIONS'
+# alias ll='ls $LS_OPTIONS -l'
+# alias l='ls $LS_OPTIONS -lA'
+#
+# Some more alias to avoid making mistakes:
+# alias rm='rm -i'
+# alias cp='cp -i'
+# alias mv='mv -i'
+
+[[ $- != *i* ]] && return
+
+trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
+source /root/.ciss/alias
+source /root/.ciss/shortcuts
+source /root/.ciss/scan_libwrap
+
+### History
+touch /tmp/.bash_history
+chmod 0660 /tmp/.bash_history
+chown root:root /tmp/.bash_history
+export HISTFILE=/tmp/.bash_history
+export HISTSIZE=2048
+export HISTFILESIZE=2048
+shopt -s histappend
+
+### Define colors for bash prompt
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+
+#if [[ "${UID}" -eq 0 ]]; then
+# export user_color="${CRED}"
+#else
+# export user_color="${CGRE}"
+#fi
+
+### Define bash colorful prompt
+# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
+PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+ # Show exit status in green if zero
+ echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+ else \
+ # Show exit status in red otherwise
+ echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+ fi)\
+|~\$ "
+
+### Overwrite Protection
+set -o noclobber
+alias cp="cp -iv"
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+# Welcome message after login
+printf "\n"
+printf "\e[91mπŸ” Coresecret Channel Established. \e[0m\n"
+printf "\e[92mβœ… Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/root/.ciss/alias b/config/includes.chroot/root/.ciss/alias
new file mode 100644
index 0000000..02a2523
--- /dev/null
+++ b/config/includes.chroot/root/.ciss/alias
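Review bot: The exit-status shown in `PS1` is never the real one: by the time `echo -e ... \$? ...` runs inside the `$(...)`, `$?` holds the result of the `[[ \$? -eq 0 ]]` test itself, so the prompt always prints `0` in the green branch and `1` in the red branch. Capture it first — `\$(rc=\$?; if [[ \$rc -eq 0 ]]; then \` — and print `\$rc` in both `echo -e` lines; the commented-out `PS1` above has the same flaw. Separately, the `### History` block does `touch`/`chmod 0660`/`chown root:root` on the fixed path `/tmp/.bash_history` from a root shell in a world-writable directory: a pre-existing file placed there by another local user is adopted as root's history (symlink following is mitigated only where `fs.protected_symlinks` is on), and the 0660 mode is wider than the usual 0600 for a history file. A root-owned location, or `HISTFILE="$(mktemp /tmp/.bash_history.XXXXXX)"` which creates a fresh 0600 file, avoids both; if `clean_logout.sh` relies on the fixed path (not visible here), it would need the same change.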
@@ -0,0 +1,212 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+########################################################################################### β„΅
+#######################################
+# Outputs a 16-character random printable string
+# Arguments:
+# None
+#######################################
+genstring() {
+ (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
+}
+
+# Generates 1,048,576 random bytes into a timestamped file
+alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
+
+########################################################################################### Bash
+alias clear="printf '\033c'"
+alias c='clear'
+alias q='exit'
+
+########################################################################################### Chrony
+alias cytr='echo "tracking -a -v" | chronyc'
+alias cysd='echo "selectdata -a -v" | chronyc'
+alias cyss='echo "sourcestats -a -v" | chronyc'
+
+########################################################################################### fail2ban & ufw
+alias f2ball='fail2ban-client status'
+alias f2bubn='fail2ban-client unban --all'
+alias f2bufw='fail2ban-client status ufw'
+alias usn='ufw status numbered'
+alias usv='ufw status verbose'
+
+########################################################################################### ls
+alias ls='eza --group-directories-first --icons=always --oneline --long --all --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
+alias lsf='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
+alias lss='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension --extended'
+alias la='ls'
+alias ll=ls
+alias l=ls
+
+########################################################################################### Package Management
+alias aptac='apt autoclean'
+alias aptap='apt autopurge'
+alias aptar='apt autoremove'
+alias aptcheck='apt-get check'
+alias aptdep='apt-cache depends'
+alias aptdl='apt-get install --download-only'
+alias aptfug='apt full-upgrade'
+alias aptupd='apt update'
+alias aptupg='apt upgrade'
+alias apti='apt install'
+alias aptp='apt purge'
+alias aptr='apt remove'
+alias aptse='apt search'
+alias aptsh='apt show'
+alias aptimage='apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "dbg" | grep -v "meta-package" | grep -v "cloud" | grep -v "PREEMPT"'
+
+########################################################################################### Readability
+alias df='df -h'
+alias free='free -m'
+alias mkdir='mkdir -pv'
+
+########################################################################################### Service restart
+alias rsban='systemctl restart fail2ban'
+alias rsweb='systemctl restart nginx php8.4-fpm redis'
+
+########################################################################################### System maintaining
+alias boot='reboot -h now'
+alias cscan='clamscan -r --bell -i'
+alias chkhvg='haveged -n 0 | dieharder -g 200 -a'
+alias dev='lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH'
+alias i='echo "$(whoami) @ $(uname -a)"'
+alias ipunused='iptables -L -v -n'
+alias jboot='journalctl --boot=0'
+alias lsadt='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency'
+alias lsadtdoc='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency > /root/lynis-$(date +%F_%H-%M-%S).txt 2>&1'
+alias n='nano'
+alias nstat='netstat -tlpnvWa'
+alias s='sudo -i'
+alias sas='systemd-analyze security'
+alias shut='shutdown -h now'
+alias ssa='systemctl status'
+alias ssf='systemctl status --failed'
+alias sysdr='systemctl daemon-reload'
+alias syses='systemctl edit'
+alias sysrl='systemctl reload'
+alias sysrs='systemctl restart'
+alias syssp='systemctl stop'
+alias sysst='systemctl start'
+alias v='nvim'
+alias whatdelete='lsof | grep deleted'
+alias whatimage='dpkg --list | grep linux-image'
+alias whatpurge='dpkg --get-selections | grep deinstall'
+
+########################################################################################### Functions
+
+###########################################################################################
+# Generates Secure (/dev/random) Passwords
+# Arguments:
+# Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
+###########################################################################################
+# shellcheck disable=SC2317
+genpasswd() {
+ declare -i length=32
+ declare -i usebase64=0
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --base64)
+ usebase64=1
+ ;;
+ '' | *[!0-9]*) ;;
+ *)
+ length="$1"
+ ;;
+ esac
+ shift
+ done
+
+ declare passwd
+ passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
+
+ if [[ ${usebase64} -eq 1 ]]; then
+ echo -n "${passwd}" | base64
+ else
+ echo "${passwd}"
+ fi
+}
+
+###########################################################################################
+# Generates Secure (/dev/random) Passwords
+# Arguments:
+# none
+###########################################################################################
+# shellcheck disable=SC2317
+genpasswdhash() {
+ declare salt
+ salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
+ mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
+}
+
+###########################################################################################
+# Globals: Wrapper for secure curl
+# Arguments:
+# $1: URL from which to download a specific file
+# $2: /path/to/file to be saved to
+###########################################################################################
+# shellcheck disable=SC2317
+scurl() {
+ if [[ $# -ne 2 ]]; then
+ printf "\e[91m❌ Error: Usage: scurl . \e[0m\n" >&2
+ return 1
+ fi
+
+ if ! curl --proto '=https' --tlsv1.3 -sSf -o "${2}" "${1}"; then
+ printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+ return 2
+ fi
+}
+
+###########################################################################################
+# Globals: Wrapper for secure wget
+# Arguments:
+# $1: URL from which to download a specific file
+# $2: /path/to/file to be saved to
+###########################################################################################
+# shellcheck disable=SC2317
+swget() {
+ if [[ $# -ne 2 ]]; then
+ printf "\e[91m❌ Error: Usage: swget . \e[0m\n" >&2
+ return 1
+ fi
+
+ if ! wget --no-clobber --https-only --secure-protocol=TLSv1_3 -qO "${2}" "${1}"; then
+ printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+ return 2
+ fi
+}
+
+###########################################################################################
+# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Arguments:
+# none
+###########################################################################################
+# shellcheck disable=SC2317
+sysp() {
+ sysctl -p /etc/sysctl.d/99_local.hardened
+ # sleep 1
+ sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+}
+
+###########################################################################################
+# Globals: Wrapper for tree
+# Arguments:
+# $1: Depth of Directory Listing
+###########################################################################################
+# shellcheck disable=SC2317
+trel() {
+ declare depth=${1:-3}
+ tree -C -h --dirsfirst -L "${depth}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/root/.ciss/clean_logout.sh b/config/includes.chroot/root/.ciss/clean_logout.sh
new file mode 100644
index 0000000..77a9cd9
--- /dev/null
+++ b/config/includes.chroot/root/.ciss/clean_logout.sh
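Review bot: `alias ls='eza …'` (with `la`/`ll`/`l` layered on it) rebinds `ls` to a binary that is not in `config/package-lists/live.list.common.chroot` in this commit, and the same goes for `lynis`, `chronyc` and `lsof` behind `lsadt`, `cy*` and `whatdelete`; unless another package list pulls them in, `ls` will fail outright in the image, so either add the packages or guard the alias with `command -v eza >/dev/null 2>&1 && alias ls='eza …'`. `genstring` is documented as outputting one 16-character string, but its final `head` has no count and prints up to ten lines of the `fold -w 16` output; use `head -n 1` or fix the header. The header above `genpasswdhash` is copied from `genpasswd` ("Generates Secure (/dev/random) Passwords") although the function emits a `sha-512` crypt hash of an interactively entered password, and `--rounds=8388608` makes every later password verification cost on the order of seconds of CPU — presumably deliberate, but worth a line saying so. The usage strings in `scurl` and `swget` read `Usage: scurl . ` with no argument names; if angle-bracketed placeholders were stripped somewhere, spell them out as plain words (`Usage: scurl URL DEST`).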
@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+clear
+
+cat << 'EOF'
+#######################################################################
+ # #
+ ## ##
+ ###### ######## ### ## ######## ### ## ####### ### ####### ### ##
+### #### ## ### ### ## ## ### ## #### ##
+### ####### ####### ### ### ## ###### ### ## ## #######
+### ### ### ### ### ### ## ## ## ### ## ## ### ###
+ ###### ####### ### ## ### ##### ## ## ### ##### ### ##
+ # #
+#######################################################################
+EOF
+
+echo ""
+echo -e "\e[97m (c) Marc S. Weidner, 2018 - 2025 \e[0m"
+echo -e "\e[97m (p) Centurion Press, 2018 - 2025 \e[0m"
+echo -e "\e[97m Centurion Intelligence Consulting Agency (tm) \e[0m"
+echo -e "\e[97m https://coresecret.eu/ \e[0m"
+echo -e "\e[95m Please consider making a donation: \e[0m"
+echo -e "\e[95m https://coresecret.eu/spenden/ \e[0m"
+echo ""
+echo -e "\e[92m All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
+echo -e "\e[92m Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
+# shellcheck disable=SC2162
+read
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/root/.ciss/scan_libwrap b/config/includes.chroot/root/.ciss/scan_libwrap
new file mode 100644
index 0000000..9b78123
--- /dev/null
+++ b/config/includes.chroot/root/.ciss/scan_libwrap
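Review bot: The script has no header saying when it runs or what it does, and the name `clean_logout.sh` promises a cleanup that never happens — the body prints a banner and then blocks on a bare `read` until ENTER. A comment such as `# Run by the EXIT trap in /root/.bashrc: prints the sign-off banner and waits for ENTER before the shell closes.` would stop the next reader from assuming session state is scrubbed here. If scrubbing is the intent (e.g. the `/tmp/.bash_history` that `.bashrc` sets up), note that this runs in a child `bash`, which cannot clear the parent's in-memory history, and bash saves `HISTFILE` after running the EXIT trap as far as I recall, so a file deleted here would be rewritten; `history -c` would need to live in the trap string itself. The `read` also has no timeout, so every interactive root shell — including nested ones from `s` (`sudo -i`) — waits for a keypress before it can exit.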
@@ -0,0 +1,41 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Scanner for 'libwrap' usage.
+# Arguments:
+# None
+#######################################
+scanlw() {
+ printf "\e[92mπŸ” Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+ printf "\n"
+
+ # Collect binaries from all running PIDs
+ declare pid exe_path comm user
+
+ for pid in $(ps -e -o pid=); do
+ exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
+
+ # Skip if not a regular executable
+ [[ -x "${exe_path}" ]] || continue
+
+ # Check if the binary is linked with libwrap
+ if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
+ comm=$(ps -p "$pid" -o comm=)
+ user=$(ps -p "$pid" -o user=)
+ printf "\e[92mβœ… PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+ fi
+ done
+ printf "\n"
+ printf "\e[92mβœ… Scan complete. \e[0m\n"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/root/.ciss/shortcuts b/config/includes.chroot/root/.ciss/shortcuts
new file mode 100644
index 0000000..549b1f3
--- /dev/null
+++ b/config/includes.chroot/root/.ciss/shortcuts
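Review bot: `ldd "$exe_path"` is run as root against the executable of every process on the system, and `ldd` may execute the target's ELF interpreter to obtain its dependency list — the ldd(1) manual explicitly says never to use it on untrusted executables — so a crafted binary started by an unprivileged user can run code as root the moment `scanlw` is invoked. The question "is libwrap loaded in this process" is answered without executing anything by the process's own mapping table, which also covers `dlopen`ed libraries and deleted-on-disk binaries: drop the `readlink`/`-x`/`ldd` steps and test `if grep -qs 'libwrap' "/proc/${pid}/maps"; then` (`-s` silences PIDs that exit mid-scan). If inspecting the file itself is wanted instead, `readelf -d "${exe_path}" | grep -q 'NEEDED.*libwrap'` parses the ELF statically. The mixed `"$exe_path"`/`"$pid"` versus `"${pid}"` quoting in the loop could also be unified.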
@@ -0,0 +1,116 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+declare -ga shortcuts=(
+ "aptac: apt autoclean"
+ "aptap: apt autopurge"
+ "aptar: apt autoremove"
+ "aptcheck: apt-get check"
+ "aptdep: apt-cache depends"
+ "aptdl: apti --download-only"
+ "aptfug: apt full-upgrade"
+ "apti: apt install"
+ "aptimage: get Kernel Img"
+ "aptp: apt purge"
+ "aptr: apt remove"
+ "aptse: apt search"
+ "aptsh: apt show"
+ "aptupd: apt update"
+ "aptupg: apt upgrade"
+ "boot: reboot -h now"
+ "c: clear"
+ "clear: printf \033c"
+ "cscan: clamscan -r --bell -i"
+ "chkhvg: hvg -n 0 | dieharder -g 200 -a"
+ "cysd: chrony selectdata"
+ "cyss: chrony sourcestats"
+ "cytr: chrony tracking"
+ "dev: lsblk -o ..."
+ "df: df -h"
+ "f2ball: f2b status all"
+ "f2bubn: f2b unban --all"
+ "f2bufw: f2b status ufw"
+ "free: free -m"
+ "genkeyfile: 1MiBi"
+ "genpasswd: PWD"
+ "genpasswdhash: PWD Hash"
+ "genstring: Random String"
+ "i: who you are"
+ "ipunused: iptables -L -v -n"
+ "jboot: journalctl --boot=0"
+ "l: ls"
+ "la: ls"
+ "ll: ls"
+ "ls: eza"
+ "lsadt: lynis audit system"
+ "lsadtdoc: lynis audit system"
+ "lsf: eza --absolute"
+ "lss: eza --extended"
+ "mkdir: mkdir -pv"
+ "n: nano"
+ "nstat: netstat -tlpnvWa"
+ "q: exit"
+ "rsban: restart fail2ban"
+ "rsweb: restart nginx php8.4-fpm redis"
+ "s: sudo -i"
+ "sas: systemd-analyze security"
+ "scanlw: scan libwrap"
+ "scurl: TLS1.3 curl"
+ "shut: shutdown -h now"
+ "ssa: systemctl status"
+ "ssf: systemctl status --failed"
+ "swget: TLS1.3 wget"
+ "sysdr: systemctl daemon-reload"
+ "syses: systemctl edit"
+ "sysp: load 99_local.hardened"
+ "sysrl: systemctl reload"
+ "sysrs: systemctl restart'"
+ "syssp: systemctl stop"
+ "sysst: systemctl start"
+ "trel: tree"
+ "usn: ufw status numbered"
+ "usv: ufw status verbose"
+ "v: nvim"
+ "whatdelete: lsof | grep deleted"
+ "whatimage: dpkg --list | grep linux"
+ "whatpurge: dpkg --get-selections"
+)
+
+#######################################
+# Show available Aliases
+# Globals:
+# CMAG
+# CRES
+# shortcuts
+# Arguments:
+# None
+#######################################
+celp() {
+ declare arr=("${shortcuts[@]}")
+ declare cols=3
+ declare col_width=42
+ declare i=0
+ declare entry
+ for entry in "${arr[@]}"; do
+ # Print entry left-aligned in fixed width, colored
+ printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
+ ((i++))
+ if ((i % cols == 0)); then
+ printf "\n"
+ fi
+ done
+ # If last line not full, add a newline
+ if ((i % cols != 0)); then
+ printf "\n"
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/root/.ssh/authorized_keys b/config/includes.chroot/root/.ssh/authorized_keys
new file mode 100644
index 0000000..473a0f4
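Review bot: `"sysrs: systemctl restart'"` carries a stray trailing `'` that `celp` will print verbatim; it should read `"sysrs: systemctl restart"`. `celp` is missing from its own table, and `lsadtdoc` repeats `lsadt`'s description although that alias writes the report to `/root/lynis-*.txt`, e.g. `"lsadtdoc: lynis audit -> /root/lynis-*.txt"`. In `celp`, `printf "${CMAG}%-${col_width}s${CRES}"` places variables in the format string (shellcheck SC2059); `CMAG`/`CRES` are fixed escape sequences so this is harmless today, but `printf "%b%-${col_width}s%b" "${CMAG}" "${entry}" "${CRES}"` keeps them as arguments. Separately, the `config/includes.chroot/root/.ssh/authorized_keys` header that follows this hunk has no `---`/`+++`/`@@` lines, so whatever key material it ships cannot be reviewed from this diff; a key baked into the image authorizes root SSH logins on every system built from it and deserves an explicit look.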
diff --git a/config/package-lists/live.list.amd64.chroot b/config/package-lists/live.list.amd64.chroot
new file mode 100644
index 0000000..428103e
--- /dev/null
+++ b/config/package-lists/live.list.amd64.chroot
@@ -0,0 +1,12 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+grub-efi-amd64-signed
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/package-lists/live.list.arm64.chroot b/config/package-lists/live.list.arm64.chroot
new file mode 100644
index 0000000..3d4136f
--- /dev/null
+++ b/config/package-lists/live.list.arm64.chroot
@@ -0,0 +1,12 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+grub-efi-arm64-signed
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
diff --git a/config/package-lists/live.list.common.chroot b/config/package-lists/live.list.common.chroot
new file mode 100644
index 0000000..f3167d5
--- /dev/null
+++ b/config/package-lists/live.list.common.chroot
@@ -0,0 +1,127 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+apparmor
+apparmor-profiles-extra
+apparmor-utils
+apt-file
+apt-mirror
+apt-show-versions
+apt-transport-https
+bash-completion
+bat
+bc
+bind9-dnsutils
+bsdmainutils
+btrfs-progs
+ca-certificates
+chkrootkit
+clamav
+clamav-daemon
+console-setup
+cryptsetup
+cryptsetup-nuke-password
+curl
+debconf
+debconf-utils
+debian-installer
+debian-installer-launcher
+debian-kernel-handbook
+debootstrap
+dhcpdump
+dhcping
+dialog
+dieharder
+dirmngr
+dmsetup
+dosfstools
+efibootmgr
+expect
+fail2ban
+figlet
+fzf
+gawk
+gdisk
+git
+gnupg2
+haveged
+htop
+iftop
+iproute2
+iputils-ping
+jq
+keyboard-configuration
+keychain
+knot-dnssecutils
+knot-dnsutils
+libpam-google-authenticator
+libpam-pwquality
+libpwquality-tools
+linux-doc-6.12
+linux-source
+live-boot
+live-config
+live-config-systemd
+locate
+logrotate
+lsb-release
+lvm2
+makedev
+makepasswd
+man
+man-db
+manpages
+manpages-dev
+mtr
+nano
+ncat
+neofetch
+neovim
+net-tools
+netselect-apt
+nmap
+nodejs
+openssl
+parted
+perl
+pollinate
+pwgen
+python3
+rkhunter
+rng-tools
+rsnapshot
+rsync
+rsyslog
+screen
+shellcheck
+software-properties-common
+spectre-meltdown-checker
+speedtest-cli
+squashfs-tools
+ssh
+ssl-cert
+sudo
+sysstat
+systemd-sysv
+tree
+tshark
+ufw
+unattended-upgrades
+unzip
+virt-what
+wamerican
+wbritish
+wfrench
+wget
+whois
+wngerman
+zip
+zsh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
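Review bot: `apt-transport-https` and `bsdmainutils` are transitional dummy packages on current Debian releases — HTTPS support is built into `apt` itself and `bsdmainutils` only depends on `bsdextrautils` and `ncal` — so they add a dependency edge without providing anything; drop them or list the real packages. A one-line comment on why `nmap`, `tshark`, `ncat`, `speedtest-cli` and `nodejs` belong in a hardened live image would also help reviewers weigh the extra attack surface against the intended use of the environment.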
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md new file mode 100644 index 0000000..ddb4e3b --- /dev/null +++ b/docs/AUDIT_HAVEGED.md @@ -0,0 +1,151 @@ +--- +gitea: none +include_toc: true +--- + +# 1. CISS.debian.live.builder + +**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+ +# 2. Haveged Audit on Netcup RS 2000 G11 + +````text +Mon May 19|root@live:~/>>0|~$ haveged -n 0 | dieharder -g 200 -a +haveged: command socket is listening at fd 3 +Writing unlimited bytes to stdout +#=============================================================================# +# dieharder version 3.31.1 Copyright 2003 Robert G. Brown # +#=============================================================================# + rng_name |rands/second| Seed | +stdin_input_raw| 1.77e+07 |1806134257| +#=============================================================================# + test_name |ntup| tsamples |psamples| p-value |Assessment +#=============================================================================# + diehard_birthdays| 0| 100| 100|0.21358950| PASSED + diehard_operm5| 0| 1000000| 100|0.23365564| PASSED + diehard_rank_32x32| 0| 40000| 100|0.33364435| PASSED + diehard_rank_6x8| 0| 100000| 100|0.83680113| PASSED + diehard_bitstream| 0| 2097152| 100|0.89183344| PASSED + diehard_opso| 0| 2097152| 100|0.95817018| PASSED + diehard_oqso| 0| 2097152| 100|0.25923499| PASSED + diehard_dna| 0| 2097152| 100|0.28604687| PASSED +diehard_count_1s_str| 0| 256000| 100|0.25146863| PASSED +diehard_count_1s_byt| 0| 256000| 100|0.64817854| PASSED + diehard_parking_lot| 0| 12000| 100|0.68180941| PASSED + diehard_2dsphere| 2| 8000| 100|0.52576112| PASSED + diehard_3dsphere| 3| 4000| 100|0.02636962| PASSED + diehard_squeeze| 0| 100000| 100|0.81226498| PASSED + diehard_sums| 0| 100| 100|0.54642776| PASSED + diehard_runs| 0| 100000| 100|0.98440072| PASSED + diehard_runs| 0| 100000| 100|0.75118526| PASSED + diehard_craps| 0| 200000| 100|0.93104571| PASSED + diehard_craps| 0| 200000| 100|0.45994663| PASSED + marsaglia_tsang_gcd| 0| 10000000| 100|0.38263075| PASSED + marsaglia_tsang_gcd| 0| 10000000| 100|0.16784328| PASSED + sts_monobit| 1| 100000| 100|0.26368088| PASSED + sts_runs| 2| 100000| 100|0.10069666| PASSED + sts_serial| 1| 100000| 100|0.53426480| PASSED + sts_serial| 2| 
100000| 100|0.95654933| PASSED + sts_serial| 3| 100000| 100|0.75042664| PASSED + sts_serial| 3| 100000| 100|0.27693306| PASSED + sts_serial| 4| 100000| 100|0.79225401| PASSED + sts_serial| 4| 100000| 100|0.49273684| PASSED + sts_serial| 5| 100000| 100|0.58017632| PASSED + sts_serial| 5| 100000| 100|0.39423250| PASSED + sts_serial| 6| 100000| 100|0.72811005| PASSED + sts_serial| 6| 100000| 100|0.94342669| PASSED + sts_serial| 7| 100000| 100|0.98343053| PASSED + sts_serial| 7| 100000| 100|0.74692814| PASSED + sts_serial| 8| 100000| 100|0.56538653| PASSED + sts_serial| 8| 100000| 100|0.91826111| PASSED + sts_serial| 9| 100000| 100|0.63502589| PASSED + sts_serial| 9| 100000| 100|0.28959825| PASSED + sts_serial| 10| 100000| 100|0.74650890| PASSED + sts_serial| 10| 100000| 100|0.95475310| PASSED + sts_serial| 11| 100000| 100|0.35838186| PASSED + sts_serial| 11| 100000| 100|0.80481197| PASSED + sts_serial| 12| 100000| 100|0.74700860| PASSED + sts_serial| 12| 100000| 100|0.49849890| PASSED + sts_serial| 13| 100000| 100|0.55828107| PASSED + sts_serial| 13| 100000| 100|0.23244603| PASSED + sts_serial| 14| 100000| 100|0.23080285| PASSED + sts_serial| 14| 100000| 100|0.83936220| PASSED + sts_serial| 15| 100000| 100|0.64411755| PASSED + sts_serial| 15| 100000| 100|0.99255934| PASSED + sts_serial| 16| 100000| 100|0.00563047| PASSED + sts_serial| 16| 100000| 100|0.31608374| PASSED + rgb_bitdist| 1| 100000| 100|0.64550890| PASSED + rgb_bitdist| 2| 100000| 100|0.87656240| PASSED + rgb_bitdist| 3| 100000| 100|0.67169827| PASSED + rgb_bitdist| 4| 100000| 100|0.44406906| PASSED + rgb_bitdist| 5| 100000| 100|0.67772729| PASSED + rgb_bitdist| 6| 100000| 100|0.73853919| PASSED + rgb_bitdist| 7| 100000| 100|0.86999808| PASSED + rgb_bitdist| 8| 100000| 100|0.01313259| PASSED + rgb_bitdist| 9| 100000| 100|0.55009611| PASSED + rgb_bitdist| 10| 100000| 100|0.70726109| PASSED + rgb_bitdist| 11| 100000| 100|0.03154815| PASSED + rgb_bitdist| 12| 100000| 100|0.84462282| PASSED 
+rgb_minimum_distance| 2| 10000| 1000|0.83132423| PASSED +rgb_minimum_distance| 3| 10000| 1000|0.68188237| PASSED +rgb_minimum_distance| 4| 10000| 1000|0.51409655| PASSED +rgb_minimum_distance| 5| 10000| 1000|0.42544360| PASSED + rgb_permutations| 2| 100000| 100|0.66313395| PASSED + rgb_permutations| 3| 100000| 100|0.95535890| PASSED + rgb_permutations| 4| 100000| 100|0.45758425| PASSED + rgb_permutations| 5| 100000| 100|0.98313853| PASSED + rgb_lagged_sum| 0| 1000000| 100|0.41578816| PASSED + rgb_lagged_sum| 1| 1000000| 100|0.76861829| PASSED + rgb_lagged_sum| 2| 1000000| 100|0.43447789| PASSED + rgb_lagged_sum| 3| 1000000| 100|0.49698037| PASSED + rgb_lagged_sum| 4| 1000000| 100|0.02212798| PASSED + rgb_lagged_sum| 5| 1000000| 100|0.04465057| PASSED + rgb_lagged_sum| 6| 1000000| 100|0.10526977| PASSED + rgb_lagged_sum| 7| 1000000| 100|0.79849751| PASSED + rgb_lagged_sum| 8| 1000000| 100|0.83675235| PASSED + rgb_lagged_sum| 9| 1000000| 100|0.37604856| PASSED + rgb_lagged_sum| 10| 1000000| 100|0.46712205| PASSED + rgb_lagged_sum| 11| 1000000| 100|0.16098525| PASSED + rgb_lagged_sum| 12| 1000000| 100|0.81557499| PASSED + rgb_lagged_sum| 13| 1000000| 100|0.11553821| PASSED + rgb_lagged_sum| 14| 1000000| 100|0.85637944| PASSED + rgb_lagged_sum| 15| 1000000| 100|0.91125298| PASSED + rgb_lagged_sum| 16| 1000000| 100|0.59747378| PASSED + rgb_lagged_sum| 17| 1000000| 100|0.70077562| PASSED + rgb_lagged_sum| 18| 1000000| 100|0.66815407| PASSED + rgb_lagged_sum| 19| 1000000| 100|0.04941226| PASSED + rgb_lagged_sum| 20| 1000000| 100|0.37939018| PASSED + rgb_lagged_sum| 21| 1000000| 100|0.42653722| PASSED + rgb_lagged_sum| 22| 1000000| 100|0.86316011| PASSED + rgb_lagged_sum| 23| 1000000| 100|0.43038293| PASSED + rgb_lagged_sum| 24| 1000000| 100|0.34472083| PASSED + rgb_lagged_sum| 25| 1000000| 100|0.73741194| PASSED + rgb_lagged_sum| 26| 1000000| 100|0.05584980| PASSED + rgb_lagged_sum| 27| 1000000| 100|0.80601600| PASSED + rgb_lagged_sum| 28| 1000000| 100|0.99361052| PASSED 
+ rgb_lagged_sum| 29| 1000000| 100|0.27812997| PASSED + rgb_lagged_sum| 30| 1000000| 100|0.94547008| PASSED + rgb_lagged_sum| 31| 1000000| 100|0.02400797| PASSED + rgb_lagged_sum| 32| 1000000| 100|0.98890248| PASSED + rgb_kstest_test| 0| 10000| 1000|0.53680166| PASSED + dab_bytedistrib| 0| 51200000| 1|0.38634245| PASSED + dab_dct| 256| 50000| 1|0.02760776| PASSED +Preparing to run test 207. ntuple = 0 + dab_filltree| 32| 15000000| 1|0.47264235| PASSED + dab_filltree| 32| 15000000| 1|0.49416126| PASSED +Preparing to run test 208. ntuple = 0 + dab_filltree2| 0| 5000000| 1|0.12940766| PASSED + dab_filltree2| 1| 5000000| 1|0.40415388| PASSED +Preparing to run test 209. ntuple = 0 + dab_monobit2| 12| 65000000| 1|0.51567978| PASSED +haveged: Cannot write data in file: Broken pipe +tot tests(BA8): A:1/1 B:1/1 last entropy estimate 8.00294 +fills: 470064, generated: 229.5 G bytes +```` + +--- +**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** + diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md new file mode 100644 index 0000000..18ac32a --- /dev/null +++ b/docs/AUDIT_LYNIS.md @@ -0,0 +1,625 @@ +--- +gitea: none +include_toc: true +--- + +# 1. CISS.debian.live.builder + +**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+ +# 2. Lynis Audit: + +````text +[ Lynis 3.1.4 ] + +################################################################################ + Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are + welcome to redistribute it under the terms of the GNU General Public License. + See the LICENSE file for details about using this software. + + 2007-2024, CISOfy - https://cisofy.com/lynis/ + Enterprise support available (compliance, plugins, interface and tools) +################################################################################ + + +[+] Initializing program +------------------------------------ + - Detecting OS... [ DONE ] + - Checking profiles... [ DONE ] + + --------------------------------------------------- + Program version: 3.1.4 + Operating system: Linux + Operating system name: Debian + Operating system version: 12 + Kernel version: 6.12.22+bpo + Hardware platform: x86_64 + Hostname: live + --------------------------------------------------- + Profiles: /etc/lynis/default.prf + Log file: /var/log/lynis.log + Report file: /var/log/lynis-report.dat + Report version: 1.0 + Plugin directory: /usr/share/lynis/plugins + --------------------------------------------------- + Auditor: Centurion_Intelligence_Consulting_Agency + Language: en + Test category: all + Test group: all + --------------------------------------------------- + - Program update status... [ NO UPDATE ] + +[+] System tools +------------------------------------ + - Scanning available tools... + - Checking system binaries... 
+
+[+] Plugins (phase 1)
+------------------------------------
+ Note: plugins have more extensive tests and may take several minutes to complete
+
+ - Plugins enabled [ NONE ]
+
+[+] Boot and services
+------------------------------------
+ - Service Manager [ systemd ]
+ - Checking UEFI boot [ ENABLED ]
+ - Checking Secure Boot [ DISABLED ]
+ - Boot loader [ NONE FOUND ]
+ - Check running services (systemctl) [ DONE ]
+ Result: found 17 running services
+ - Check enabled services at boot (systemctl) [ DONE ]
+ Result: found 24 enabled services
+ - Check startup files (permissions) [ OK ]
+ - Running 'systemd-analyze security'
+ Unit name (exposure value) and predicate
+ --------------------------------
+ - auditd.service (value=8.7) [ EXPOSED ]
+ - chrony.service (value=3.5) [ PROTECTED ]
+ - clamav-daemon.service (value=3.5) [ PROTECTED ]
+ - cron.service (value=9.6) [ UNSAFE ]
+ - dbus.service (value=9.6) [ UNSAFE ]
+ - dm-event.service (value=9.5) [ UNSAFE ]
+ - emergency.service (value=9.5) [ UNSAFE ]
+ - fail2ban.service (value=6.5) [ MEDIUM ]
+ - getty@tty1.service (value=9.6) [ UNSAFE ]
+ - haveged.service (value=3.0) [ PROTECTED ]
+ - ifup@ens3.service (value=9.5) [ UNSAFE ]
+ - ifup@ens4.service (value=9.5) [ UNSAFE ]
+ - lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
+ - polkit.service (value=9.6) [ UNSAFE ]
+ - rc-local.service (value=9.6) [ UNSAFE ]
+ - rescue.service (value=9.5) [ UNSAFE ]
+ - rsyslog.service (value=9.6) [ UNSAFE ]
+ - ssh.service (value=9.6) [ UNSAFE ]
+ - systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
+ - systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
+ - systemd-fsckd.service (value=9.5) [ UNSAFE ]
+ - systemd-initctl.service (value=9.4) [ UNSAFE ]
+ - systemd-journald.service (value=4.3) [ PROTECTED ]
+ - systemd-logind.service (value=2.8) [ PROTECTED ]
+ - systemd-networkd.service (value=2.6) [ PROTECTED ]
+ - systemd-udevd.service (value=7.1) [ MEDIUM ]
+ - unattended-upgrades.service (value=9.6) [ UNSAFE ]
+ - usbguard-dbus.service (value=9.6) [ UNSAFE ]
+ - usbguard.service (value=2.8) [ PROTECTED ]
+ - user@0.service (value=9.8) [ UNSAFE ]
+ - uuidd.service (value=5.8) [ MEDIUM ]
+
+[+] Kernel
+------------------------------------
+ - Checking default runlevel [ runlevel 5 ]
+ - Checking CPU support (NX/PAE)
+ CPU support: PAE and/or NoeXecute supported [ FOUND ]
+ - Checking kernel version and release [ DONE ]
+ - Checking kernel type [ DONE ]
+ - Checking loaded kernel modules [ DONE ]
+ Found 84 active modules
+ - Checking Linux kernel configuration file [ FOUND ]
+ - Checking default I/O kernel scheduler [ NOT FOUND ]
+ - Checking for available kernel update [ OK ]
+ - Checking core dumps configuration
+ - configuration in systemd conf files [ DEFAULT ]
+ - configuration in /etc/profile [ DEFAULT ]
+ - 'hard' configuration in /etc/security/limits.conf [ DISABLED ]
+ - 'soft' configuration in /etc/security/limits.conf [ DISABLED ]
+ - Checking setuid core dumps configuration [ DISABLED ]
+ - Check if reboot is needed [ NO ]
+
+[+] Memory and Processes
+------------------------------------
+ - Checking /proc/meminfo [ FOUND ]
+ - Searching for dead/zombie processes [ NOT FOUND ]
+ - Searching for IO waiting processes [ NOT FOUND ]
+ - Search prelink tooling [ NOT FOUND ]
+
+[+] Users, Groups and Authentication
+------------------------------------
+ - Administrator accounts [ OK ]
+ - Unique UIDs [ OK ]
+ - Consistency of group files (grpck) [ OK ]
+ - Unique group IDs [ OK ]
+ - Unique group names [ OK ]
+ - Password file consistency [ OK ]
+ - Password hashing methods [ OK ]
+ - Password hashing rounds (minimum) [ CONFIGURED ]
+ - Query system users (non daemons) [ DONE ]
+ - NIS+ authentication support [ NOT ENABLED ]
+ - NIS authentication support [ NOT ENABLED ]
+ - Sudoers file(s) [ FOUND ]
+ - Permissions for directory: /etc/sudoers.d [ OK ]
+ - Permissions for: /etc/sudoers [ OK ]
+ - Permissions for: /etc/sudoers.d/README [ OK ]
+ - Permissions for: /etc/sudoers.d/live [ OK ]
+ - PAM password strength tools [ OK ]
+ - PAM configuration files (pam.conf) [ FOUND ]
+ - PAM configuration files (pam.d) [ FOUND ]
+ - PAM modules [ FOUND ]
+ - LDAP module in PAM [ NOT FOUND ]
+ - Accounts without expire date [ OK ]
+ - Accounts without password [ OK ]
+ - Locked accounts [ OK ]
+ - User password aging (minimum) [ CONFIGURED ]
+ - User password aging (maximum) [ CONFIGURED ]
+ - Checking expired passwords [ OK ]
+ - Checking Linux single user mode authentication [ OK ]
+ - Determining default umask
+ - umask (/etc/profile) [ NOT FOUND ]
+ - umask (/etc/login.defs) [ OK ]
+ - LDAP authentication support [ NOT ENABLED ]
+ - Logging failed login attempts [ ENABLED ]
+
+[+] Kerberos
+------------------------------------
+ - Check for Kerberos KDC and principals [ NOT FOUND ]
+
+[+] Shells
+------------------------------------
+ - Checking shells from /etc/shells
+ Result: found 12 shells (valid shells: 12).
+ - Session timeout settings/tools [ FOUND ]
+ - Checking default umask values
+ - Checking default umask in /etc/bash.bashrc [ NONE ]
+ - Checking default umask in /etc/profile [ NONE ]
+
+[+] File systems
+------------------------------------
+ - Checking mount points
+ - Checking /home mount point [ SUGGESTION ]
+ - Checking /tmp mount point [ OK ]
+ - Checking /var mount point [ SUGGESTION ]
+ - Query swap partitions (fstab) [ NONE ]
+ - Testing swap partitions [ OK ]
+ - Testing /proc mount (hidepid) [ SUGGESTION ]
+ - Checking for old files in /tmp [ OK ]
+ - Checking /tmp sticky bit [ OK ]
+ - Checking /var/tmp sticky bit [ OK ]
+ - ACL support root file system [ ENABLED ]
+ - Mount options of / [ NON DEFAULT ]
+ - Mount options of /dev [ PARTIALLY HARDENED ]
+ - Mount options of /dev/shm [ PARTIALLY HARDENED ]
+ - Mount options of /run [ HARDENED ]
+ - Mount options of /tmp [ PARTIALLY HARDENED ]
+ - Total without nodev:11 noexec:13 nosuid:9 ro or noexec (W^X): 9 of total 33
+ - Checking Locate database [ FOUND ]
+ - Disable kernel support of some filesystems
+ - Module cramfs is blacklisted [ OK ]
+ - Module freevxfs is blacklisted [ OK ]
+ - Module hfs is blacklisted [ OK ]
+ - Module hfsplus is blacklisted [ OK ]
+ - Module jffs2 is blacklisted [ OK ]
+ - Module udf is blacklisted [ OK ]
+
+[+] USB Devices
+------------------------------------
+ - Checking usb-storage driver (modprobe config) [ DISABLED ]
+ - Checking USB devices authorization [ ENABLED ]
+ - Checking USBGuard [ FOUND ]
+ - Configuration [ FOUND ]
+ - Restore controller device state [ false ]
+ - Rule for controllers connected before daemon starts [ keep ]
+ - Rule for devices connected before daemon starts [ allow ]
+ - Rule for devices inserted after daemon starts [ apply-policy ]
+ - Rule for devices not in RuleFile [ block ]
+ - RuleFile [ FOUND ]
+ - Controllers & Devices allow [ 2 ]
+ - Controllers & Devices block [ 0 ]
+ - Controllers & Devices reject [ 0 ]
+
+[+] Storage
+------------------------------------
+ - Checking firewire ohci driver (modprobe config) [ DISABLED ]
+
+[+] NFS
+------------------------------------
+ - Check running NFS daemon [ NOT FOUND ]
+
+[+] Name services
+------------------------------------
+ - Searching DNS domain name [ FOUND ]
+ Domain name: local
+ - Checking /etc/hosts
+ - Duplicate entries in hosts file [ NONE ]
+ - Presence of configured hostname in /etc/hosts [ FOUND ]
+ - Hostname mapped to localhost [ NOT FOUND ]
+ - Localhost mapping to IP address [ OK ]
+
+[+] Ports and packages
+------------------------------------
+ - Searching package managers
+ - Searching dpkg package manager [ FOUND ]
+ - Querying package manager
+ - Query unpurged packages [ NONE ]
+ - debsums utility [ FOUND ]
+ - Cron job for debsums [ FOUND ]
+ - Checking security repository in sources.list file [ OK ]
+ - Checking APT package database [ OK ]
+ - Checking vulnerable packages (apt-get only) [ DONE ]
+ - Checking upgradeable packages [ NONE ]
+ - Checking package audit tool [ INSTALLED ]
+ Found: apt-get
+ - Toolkit for automatic upgrades (unattended-upgrade) [ FOUND ]
+
+[+] Networking
+------------------------------------
+ - Checking IPv6 configuration [ ENABLED ]
+ Configuration method [ MANUAL ]
+ IPv6 only [ NO ]
+ - Checking configured nameservers
+ - Testing nameservers
+ Nameserver: 135.181.207.105 [ OK ]
+ Nameserver: 89.58.62.53 [ OK ]
+ - Minimal of 2 responsive nameservers [ OK ]
+ - Checking default gateway [ DONE ]
+ - Getting listening ports (TCP/UDP) [ DONE ]
+ - Checking promiscuous interfaces [ OK ]
+ - Checking waiting connections [ OK ]
+ - Checking status DHCP client [ RUNNING ]
+ - Checking for ARP monitoring software [ NOT FOUND ]
+ - Uncommon network protocols [ NOT FOUND ]
+
+[+] Printers and Spools
+------------------------------------
+ - Checking cups daemon [ NOT FOUND ]
+ - Checking lp daemon [ NOT RUNNING ]
+
+[+] Software: e-mail and messaging
+------------------------------------
+
+[+] Software: firewalls
+------------------------------------
+ - Checking iptables kernel module [ FOUND ]
+ - Checking iptables policies of chains [ FOUND ]
+ - Chain INPUT (table: filter, target: DROP) [ DROP ]
+ - Chain INPUT (table: security, target: ACCEPT) [ ACCEPT ]
+ - Checking for empty ruleset [ OK ]
+ - Checking for unused rules [ FOUND ]
+ - Checking host based firewall [ ACTIVE ]
+
+[+] Software: webserver
+------------------------------------
+ - Checking Apache [ NOT FOUND ]
+ - Checking nginx [ NOT FOUND ]
+
+[+] SSH Support
+------------------------------------
+ - Checking running SSH daemon [ FOUND ]
+ - Searching SSH configuration [ FOUND ]
+ - OpenSSH option: AllowTcpForwarding [ OK ]
+ - OpenSSH option: ClientAliveCountMax [ OK ]
+ - OpenSSH option: ClientAliveInterval [ OK ]
+ - OpenSSH option: FingerprintHash [ OK ]
+ - OpenSSH option: GatewayPorts [ OK ]
+ - OpenSSH option: IgnoreRhosts [ OK ]
+ - OpenSSH option: LoginGraceTime [ OK ]
+ - OpenSSH option: LogLevel [ OK ]
+ - OpenSSH option: MaxAuthTries [ OK ]
+ - OpenSSH option: MaxSessions [ OK ]
+ - OpenSSH option: PermitRootLogin [ OK ]
+ - OpenSSH option: PermitUserEnvironment [ OK ]
+ - OpenSSH option: PermitTunnel [ OK ]
+ - OpenSSH option: Port [ OK ]
+ - OpenSSH option: PrintLastLog [ OK ]
+ - OpenSSH option: StrictModes [ OK ]
+ - OpenSSH option: TCPKeepAlive [ OK ]
+ - OpenSSH option: UseDNS [ OK ]
+ - OpenSSH option: X11Forwarding [ OK ]
+ - OpenSSH option: AllowAgentForwarding [ OK ]
+ - OpenSSH option: AllowUsers [ FOUND ]
+ - OpenSSH option: AllowGroups [ NOT FOUND ]
+
+[+] SNMP Support
+------------------------------------
+ - Checking running SNMP daemon [ NOT FOUND ]
+
+[+] Databases
+------------------------------------
+ No database engines found
+
+[+] LDAP Services
+------------------------------------
+ - Checking OpenLDAP instance [ NOT FOUND ]
+
+[+] PHP
+------------------------------------
+ - Checking PHP [ NOT FOUND ]
+
+[+] Squid Support
+------------------------------------
+ - Checking running Squid daemon [ NOT FOUND ]
+
+[+] Logging and files
+------------------------------------
+ - Checking for a running log daemon [ OK ]
+ - Checking Syslog-NG status [ NOT FOUND ]
+ - Checking systemd journal status [ FOUND ]
+ - Checking Metalog status [ NOT FOUND ]
+ - Checking RSyslog status [ FOUND ]
+ - Checking RFC 3195 daemon status [ NOT FOUND ]
+ - Checking minilogd instances [ NOT FOUND ]
+ - Checking wazuh-agent daemon status [ NOT FOUND ]
+ - Checking logrotate presence [ OK ]
+ - Checking remote logging [ NOT ENABLED ]
+ - Checking log directories (static list) [ DONE ]
+ - Checking open log files [ DONE ]
+ - Checking deleted files in use [ DONE ]
+
+[+] Insecure services
+------------------------------------
+ - Installed inetd package [ NOT FOUND ]
+ - Installed xinetd package [ OK ]
+ - xinetd status [ NOT ACTIVE ]
+ - Installed rsh client package [ OK ]
+ - Installed rsh server package [ OK ]
+ - Installed telnet client package [ OK ]
+ - Installed telnet server package [ NOT FOUND ]
+ - Checking NIS client installation [ OK ]
+ - Checking NIS server installation [ OK ]
+ - Checking TFTP client installation [ OK ]
+ - Checking TFTP server installation [ OK ]
+
+[+] Banners and identification
+------------------------------------
+ - /etc/issue [ FOUND ]
+ - /etc/issue contents [ OK ]
+ - /etc/issue.net [ FOUND ]
+ - /etc/issue.net contents [ OK ]
+
+[+] Scheduled tasks
+------------------------------------
+ - Checking crontab and cronjob files [ DONE ]
+
+[+] Accounting
+------------------------------------
+ - Checking accounting information [ OK ]
+ - Checking sysstat accounting data [ ENABLED ]
+ - Checking auditd [ ENABLED ]
+ - Checking audit rules [ OK ]
+ - Checking audit configuration file [ OK ]
+ - Checking auditd log file [ FOUND ]
+
+[+] Time and Synchronization
+------------------------------------
+ - NTP daemon found: chronyd [ FOUND ]
+ - Checking for a running NTP daemon or client [ OK ]
+
+[+] Cryptography
+------------------------------------
+ - Checking for expired SSL certificates [0/139] [ NONE ]
+
+ [WARNING]: Test CRYP-7902 had a long execution: 20.445007 seconds
+
+ - Found 0 encrypted and 0 unencrypted swap devices in use. [ OK ]
+ - Kernel entropy is sufficient [ YES ]
+ - HW RNG & rngd [ NO ]
+ - SW prng [ YES ]
+ - MOR variable not found [ WEAK ]
+
+[+] Virtualization
+------------------------------------
+
+[+] Containers
+------------------------------------
+
+[+] Security frameworks
+------------------------------------
+ - Checking presence AppArmor [ FOUND ]
+ - Checking AppArmor status [ DISABLED ]
+ - Checking presence SELinux [ NOT FOUND ]
+ - Checking presence TOMOYO Linux [ NOT FOUND ]
+ - Checking presence grsecurity [ NOT FOUND ]
+ - Checking for implemented MAC framework [ NONE ]
+
+[+] Software: file integrity
+------------------------------------
+ - Checking file integrity tools
+ - AIDE [ FOUND ]
+ - AIDE config file [ FOUND ]
+ - AIDE database [ FOUND ]
+ - dm-integrity (status) [ DISABLED ]
+ - dm-verity (status) [ DISABLED ]
+ - AIDE config (Checksum) [ OK ]
+ - Checking presence integrity tool [ FOUND ]
+
+[+] Software: System tooling
+------------------------------------
+ - Checking automation tooling
+ - Ansible artifact [ FOUND ]
+ - Automation tooling [ FOUND ]
+ - Checking presence of Fail2ban [ FOUND ]
+ - Checking Fail2ban jails [ ENABLED ]
+ - Checking for IDS/IPS tooling [ FOUND ]
+
+[+] Software: Malware
+------------------------------------
+ - Checking chkrootkit [ FOUND ]
+ - Checking Rootkit Hunter [ FOUND ]
+ - Checking ClamAV scanner [ FOUND ]
+ - Malware software components [ FOUND ]
+ - Active agent [ NOT FOUND ]
+ - Rootkit scanner [ FOUND ]
+
+[+] File Permissions
+------------------------------------
+ - Starting file permissions check
+ File: /etc/cron.allow [ OK ]
+ File: /etc/crontab [ OK ]
+ File: /etc/group [ OK ]
+ File: /etc/group- [ OK ]
+ File: /etc/hosts.allow [ OK ]
+ File: /etc/hosts.deny [ OK ]
+ File: /etc/issue [ OK ]
+ File: /etc/issue.net [ OK ]
+ File: /etc/motd [ OK ]
+ File: /etc/passwd [ OK ]
+ File: /etc/passwd- [ OK ]
+ File: /etc/ssh/sshd_config [ OK ]
+ Directory: /root/.ssh [ OK ]
+ Directory: /etc/cron.d [ OK ]
+ Directory: /etc/cron.daily [ OK ]
+ Directory: /etc/cron.hourly [ OK ]
+ Directory: /etc/cron.weekly [ OK ]
+ Directory: /etc/cron.monthly [ OK ]
+
+[+] Home directories
+------------------------------------
+ - Permissions of home directories [ OK ]
+ - Ownership of home directories [ OK ]
+ - Checking shell history files [ OK ]
+
+[+] Kernel Hardening
+------------------------------------
+ - Comparing sysctl key pairs with scan profile
+ - dev.tty.ldisc_autoload (exp: 0) [ OK ]
+ - fs.protected_fifos (exp: 2) [ OK ]
+ - fs.protected_hardlinks (exp: 1) [ OK ]
+ - fs.protected_regular (exp: 2) [ OK ]
+ - fs.protected_symlinks (exp: 1) [ OK ]
+ - fs.suid_dumpable (exp: 0) [ OK ]
+ - kernel.core_uses_pid (exp: 1) [ OK ]
+ - kernel.ctrl-alt-del (exp: 0) [ OK ]
+ - kernel.dmesg_restrict (exp: 1) [ OK ]
+ - kernel.kptr_restrict (exp: 2) [ OK ]
+ - kernel.modules_disabled (exp: 1) [ OK ]
+ - kernel.perf_event_paranoid (exp: 2 3 4) [ OK ]
+ - kernel.randomize_va_space (exp: 2) [ OK ]
+ - kernel.sysrq (exp: 0) [ OK ]
+ - kernel.unprivileged_bpf_disabled (exp: 1) [ OK ]
+ - kernel.yama.ptrace_scope (exp: 1 2 3) [ OK ]
+ - net.core.bpf_jit_harden (exp: 2) [ OK ]
+ - net.ipv4.conf.all.accept_redirects (exp: 0) [ OK ]
+ - net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
+ - net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
+ - net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
+ - net.ipv4.conf.all.log_martians (exp: 1) [ OK ]
+ - net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
+ - net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
+ - net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
+ - net.ipv4.conf.all.send_redirects (exp: 0) [ OK ]
+ - net.ipv4.conf.default.accept_redirects (exp: 0) [ OK ]
+ - net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
+ - net.ipv4.conf.default.log_martians (exp: 1) [ OK ]
+ - net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
+ - net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
+ - net.ipv4.tcp_syncookies (exp: 1) [ OK ]
+ - net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
+ - net.ipv6.conf.all.accept_redirects (exp: 0) [ OK ]
+ - net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
+ - net.ipv6.conf.default.accept_redirects (exp: 0) [ OK ]
+ - net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]
+
+[+] Hardening
+------------------------------------
+ - Installed compiler(s) [ FOUND ]
+ - Installed malware scanner [ FOUND ]
+ - Non-native binary formats [ FOUND ]
+
+[+] Custom tests
+------------------------------------
+ - Running custom tests... [ NONE ]
+
+[+] Plugins (phase 2)
+------------------------------------
+
+================================================================================
+
+ -[ Lynis 3.1.4 Results ]-
+
+ Great, no warnings
+
+ Suggestions (5):
+ ----------------------------
+ * Consider hardening system services [BOOT-5264]
+ - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service
+ - Related resources
+ * Article: Systemd features to secure service files: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+ * Website: https://cisofy.com/lynis/controls/BOOT-5264/
+
+ * To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
+ - Related resources
+ * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+ * To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
+ - Related resources
+ * Website: https://cisofy.com/lynis/controls/FILE-6310/
+
+ * Check iptables rules to see which rules are currently not used [FIRE-4513]
+ - Related resources
+ * Website: https://cisofy.com/lynis/controls/FIRE-4513/
+
+ * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
+ - Related resources
+ * Website: https://cisofy.com/lynis/controls/LOGG-2154/
+
+ Follow-up:
+ ----------------------------
+ - Show details of a test (lynis show details TEST-ID)
+ - Check the logfile for all details (less /var/log/lynis.log)
+ - Read security controls texts (https://cisofy.com)
+ - Use --upload to upload data to central system (Lynis Enterprise users)
+
+================================================================================
+
+ Lynis security scan details:
+
+ Hardening index : 92 [################## ]
+ Tests performed : 261
+ Plugins enabled : 0
+
+ Components:
+ - Firewall [V]
+ - Malware scanner [V]
+
+ Scan mode:
+ Normal [V] Forensics [ ] Integration [ ] Pentest [ ]
+
+ Lynis modules:
+ - Compliance status [?]
+ - Security audit [V]
+ - Vulnerability scan [V]
+
+ Files:
+ - Test and debug information : /var/log/lynis.log
+ - Report data : /var/log/lynis-report.dat
+
+================================================================================
+
+ Lynis 3.1.4
+
+ Auditing, system hardening, and compliance for UNIX-based systems
+ (Linux, macOS, BSD, and others)
+
+ 2007-2024, CISOfy - https://cisofy.com/lynis/
+ Enterprise support available (compliance, plugins, interface and tools)
+
+================================================================================
+
+ [TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)
+````
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
new file mode 100644
index 0000000..6320e59
--- /dev/null
+++ b/docs/AUDIT_SSH.md
@@ -0,0 +1,56 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+
+# 2. SSH Audit by ssh-audit.com
+
+![CISS.2025.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_ssh_audit.png)
+
+# 3. SSH Audit by https://github.com/jtesta/ssh-audit
+
+````text
+# general
+(gen) banner: SSH-2.0-OpenSSH_9.2p1
+(gen) software: OpenSSH 9.2p1
+(gen) compatibility: OpenSSH 9.9+, Dropbear SSH 2020.79+
+(gen) compression: disabled
+
+# key exchange algorithms
+(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
+ `- [info] default key exchange from OpenSSH 9.0 to 9.8
+ `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
+(kex) sntrup761x25519-sha512 -- [info] available since OpenSSH 9.9
+ `- [info] default key exchange since OpenSSH 9.9
+ `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
+(kex) kex-strict-s-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
+
+# host-key algorithms
+(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
+(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
+(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79
+
+# encryption algorithms (ciphers)
+(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
+(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
+
+# message authentication code algorithms
+(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
+(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
+
+# algorithm recommendations (for OpenSSH 9.2)
+(rec) +aes128-ctr -- enc algorithm to append
+(rec) +aes128-gcm@openssh.com -- enc algorithm to append
+(rec) +aes192-ctr -- enc algorithm to append
+````
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
new file mode 100644
index 0000000..3f8f829
--- /dev/null
+++ b/docs/CHANGELOG.md
@@ -0,0 +1,17 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+
+# TBA
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
new file mode 100644
index 0000000..a3505bf
--- /dev/null
+++ b/docs/CODING_CONVENTION.md
@@ -0,0 +1,80 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+
+# 2. Coding Style
+
+## 2.1. PR
+
+You'd make the life of the maintainers easier if you submit only _one_ patch with _one_ functional change per PR.
+
+## 2.2 Documentation
+
+Some people really read that ! New features would need to be documented in the appropriate section in `usage()` and in
+`~/docs/DOCUMENTATION.md`.
+
+## 2.3. Coding
+
+### 2.3.1. Shell / bash
+
+Bash is actually quite powerfulβ€”not only with respect to sockets. It's not as mighty as perl or python, but there are a lot of
+neat features. Here's how you make use of them. Besides those short hints here, there's a wealth of information there.
+
+* Don't use backticks anymore, use `$(..)` instead
+* Use double square `[[]]` brackets (_conditional expressions)_ instead of single square `[]` brackets
+* In double square brackets, avoid quoting at the right-hand side if not necessary. For regex matching (`=~`) you shouldn't
+ quote at all.
+* The [BashPitfalls](http://mywiki.wooledge.org/BashPitfalls) is a good read!
+* Whenever possible try to avoid `tr` `sed` `awk` and use bash internal functions instead, see
+ e.g., [bash shell parameter substitution](http://www.cyberciti.biz/tips/bash-shell-parameter-substitution-2.html). It is
+ slower as it forks, fopens and pipes back the result.
+* `read` often can replace `awk`: `IFS=, read -ra a b c <<< "$line_with_comma"`
+* Bash can also deal perfectly with regular expressions, see
+ e.g., [here](https://www.networkworld.com/article/2693361/unix-tip-using-bash-s-regular-expressions.html)
+ and [here](https://unix.stackexchange.com/questions/421460/bash-regex-and-https-regex101-com). You can as well have a look @
+ `is_ipv4addr()` or `is_ipv6addr()`.
+* If you still need to use any of `tr`, `sed` and `awk`: try to avoid a mix of several external binaries e.g., if you can
+ achieve the same with e.g. `awk`.
+* Be careful with very advanced bash features. Mac OS X is still using bash version
+ 3 ([differences](http://tldp.org/LDP/abs/html/bashver4.html)).
+* Always use a return value for a function/method. 0 means all is fine.
+* Make use of [shellcheck](https://github.com/koalaman/shellcheck) if possible.
+* Follow the [shellformat](https://google.github.io/styleguide/shellguide.html) Shell-Style Guide.
+
+### 2.3.2. Shell specific
+
+* Security:
+ * Watch out for any input especially (but not only) supplied from the server. Input should never be trusted.
+ * Unless you're really sure where the values come from, variables need to be put in quotes.
+
+### 2.3.3. Variables
+
+* Use **"speaking variables"** but don't overdo it with the length.
+* No _camelCase_, please. We distinguish between lowercase and uppercase only.
+ * Global variables:
+ * use them only when really necessary,
+ * in CAPS,
+ * initialize them (`declare -g VAR=""`),
+ * use `declare -g` and use typing (variable types) if possible.
+ * Local variables:
+ * are lower case,
+ * declare them before usage (`declare`),
+ * initialize them (`declare VAR=""`).
+ * Preferred declaration and initialization:
+ * VAR: `declare -g VAR=""` and `declare -a ARRAY=()`.
+
+# 3. Misc
+
+* Test before doing a PR! Best if you check with two bad and two good examples, which should then work as expected.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
new file mode 100644
index 0000000..20f3cbd
--- /dev/null
+++ b/docs/CONTRIBUTING.md
@@ -0,0 +1,25 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+
+# 2. Contributors
+
+## X
+
+I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.
+
+## Ξ–
+
+* Zimnol, AndrΓ© H.; Private Contributor
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
new file mode 100644
index 0000000..faf24e6
--- /dev/null
+++ b/docs/CREDITS.md
@@ -0,0 +1,29 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+
+# 2. Credits
+
+## 2.2. Authors
+
+## 2.3. Contributors
+
+### X
+
+I would like to express my sincere gratitude to Mr., Who-wants-to-live-forever, for his gracious support and insightful and profound criticism.
+
+### Ξ–
+
+* Zimnol, AndrΓ© H.; Private Contributor
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
new file mode 100644
index 0000000..b48fbfa
--- /dev/null
+++ b/docs/DOCUMENTATION.md
@@ -0,0 +1,146 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+
+# 2. Usage
+````text
+CISS.debian.live.builder
+Master V8.02.512.2025.05.30
+
+(c) Marc S. Weidner, 2018 - 2025
+(p) Centurion Press, 2024 - 2025
+
+https://coresecret.eu/
+
+A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
+
+"./ciss_live_builder.sh
+ Where the Debian Live Build Image should be generated.
+ MUST be provided.
+
+ --change-splash one of
+ A string reflecting the GRub Boot Screen Splash you want to use.
+ If omitted defaults to "./.archive/background/club.png".
+
+ --cdi (Experimental Feature)
+ This option generates a boot menu entry to start the forthcoming
+ 'CISS.debian.installer', which will be executed after
+ the system has successfully booted up.
+
+ --contact, -c
+ Displays contact information of the author.
+
+ --control
+ An integer that reflects the version of your Live ISO Image.
+ MUST be provided.
+
+ --debug
+ Enables debug logging for the main program routine. Detailed logging
+ information are written to "/tmp/ciss_live_builder_3764286.log"
+
+ --dhcp-centurion
+ If a DHCP lease is provided, the provider's nameserver will be overridden,
+ and only the hardened, privacy-focused Centurion DNS servers will be used:
+ - https://dns01.eddns.eu/
+ - https://dns02.eddns.de/
+
+ --jump-host
+ Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
+ Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
+ If provided, than it MUST be a separated list.
+ IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
+
+ --log-statistics-only
+ Provides statistic only after successful building a
+ CISS.debian.live-ISO. While enabling "--log-statistics-only"
+ the argument "--build-directory" MUST be provided while
+ all further options MUST be omitted.
+
+ --provider-netcup-ipv6
+ Activates IPv6 support for Netcup Root Server. One unique
+ IPv6 address MUST be provided in this case.
+
+ --renice-priority
+ Reset the nice priority value of the script and all its children
+ to the desired PRIORITY. MUST be an integer (between "-19" and 19).
+ Negative (higher) values MUST be enclosed in double quotes '"'.
+
+ --reionice-priority
+ Reset the ionice priority value of the script and all its children
+ to the desired CLASS. MUST be an integer:
+ 1: realtime
+ 2: best-effort
+ 3: idle
+ defaults to "2".
+ PRIORITY MUST be an integer:
+ between 0 (highest) and 7 (lowest) priority.
+ defaults to "4".
+ A real-time I/O process can significantly slow down other processes
+ or even cause them to starve if it continuously requests I/O.
+
+ --root-password-file
+ Password file for 'root', if given, MUST be a string of 20 to 64 characters,
+ and MUST NOT contain the special character '"'.
+ If the argument is omitted, no further login authentication is required for
+ the local console. The root password is hashed with an 16 Byte '/dev/random'
+ generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
+ after Hash generation all Variables containing plain password fragments are
+ deleted. Password file SHOULD be 0400 and root:root and is deleted without
+ further prompt after password hash has been successfully generated via:
+ shred -vfzu 5 -f.
+ No tracing of any plain text password fragment in any debug log.
+
+ --ssh-port
+ The desired Port SSH should listen to.
+ If not provided defaults to Port 22.
+
+ --ssh-pubkey
+ Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
+ specified PATH into the Live ISO. MUST be provided.
+
+ --version, -v
+ Displays version of ./ciss_live_builder.sh.
+
+NOTES:
+ - You MUST be root to run this script.
+
+Contact:
+ - https://coresecret.eu/
+ - security@coresecret.eu
+ - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
+ - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+````
+
+# 3. Booting
+
+## 3.1. Grub Menu
+![Boot Menu](/docs/screenshots/20250517_boot_grub.jpg)
+
+## 3.2. Integrity checks
+![Integrity Check](screenshots/20250517_boot_integrity_check.jpg)
+
+![Integrity Success](screenshots/20250517_boot_integrity_success.jpg)
+
+## 3.3. Console Login
+![Console Login](screenshots/20250517_console_login.jpg)
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+
diff --git a/docs/LICENSES/CC-BY-NC-ND-4.0.txt b/docs/LICENSES/CC-BY-NC-ND-4.0.txt
new file mode 100644
index 0000000..d12951d
--- /dev/null
+++ b/docs/LICENSES/CC-BY-NC-ND-4.0.txt
@@ -0,0 +1,155 @@ +Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International + + Creative Commons Corporation (β€œCreative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an β€œas-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses. + +Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors. + +Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. 
If the licensors' permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright - then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public. + +Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License + +By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. + +Section 1 – Definitions. + + a. Adapted Material means material subject to Copyright and Similar Rights that are derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synced in timed relation with a moving image. + + b. 
Copyright and Similar Rights mean copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. + + c. Effective Technological Measures mean those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. + + d. Exceptions and Limitations mean fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. + + e. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License. + + f. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material, and that the Licensor has authority to license. + + g. Licensor means the individual(s) or entity(ies) granting rights under this Public License. + + h. NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subjects to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange. + + i. 
Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. + + j. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. + + k. You mean the individual or entity exercising the Licensed Rights under this Public License. 'Your' has a corresponding meaning. + +Section 2 – Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: + + A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and + + B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only. + + 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. + + 3. Term. The term of this Public License is specified in Section 6(a). + + 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. 
The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. + + 5. Downstream recipients. + A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. + + B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. + + 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. + + 2. Patent and trademark rights are not licensed under this Public License. + + 3. 
To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases, the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes. + +Section 3 – License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material, You must: + + A. retain the following if it is supplied by the Licensor with the Licensed Material: + + i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of warranties; + + v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; + + B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and + + C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. + + For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material. + + 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. + + 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 
+ +Section 4 – Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all, or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material; + + b. if You include all, or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and + + c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. +For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. + +Section 5 – Disclaimer of Warranties and Limitation of Liability. + + a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You. + + b. 
To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You. + + c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. + +Section 6 – Term and Termination. + + a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. + + c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. + + d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. + +Section 7 – Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. + + b. 
Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. + +Section 8 – Interpretation. + + a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. + + c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. + + d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. + +Creative Commons is not a party to its public licenses. 
Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the β€œLicensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark β€œCreative Commons” or any other trademark or logo of Creative Commons without its prior written consent, including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. + +Creative Commons may be contacted at creativecommons.org. \ No newline at end of file diff --git a/docs/LICENSES/CCLA-1.0.md b/docs/LICENSES/CCLA-1.0.md new file mode 100644 index 0000000..a8ac9df --- /dev/null +++ b/docs/LICENSES/CCLA-1.0.md 
@@ -0,0 +1,84 @@
+# SPDX-License-Identifier: LicenseRef-CCLA-1.0
+
+# Centurion Commercial License Agreement 1.0
+
+## **1. General Terms**
+
+1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").
+
+1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.
+
+1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.
+
+1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.
+
+## **2. Grant of License**
+
+2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a
+
+- non-exclusive,
+- non-transferable,
+- time-limited,
+
+right to use the Software for commercial purposes.
+
+2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.
+
+## **3. Subscription Fees and Payment**
+
+3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.
+
+3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.
+
+## **4. Restrictions**
+
+4.1. Licensee shall not:
+
+- Distribute, sublicense, or resell the Software.
+- Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.
+
+4.2. The Software may not be used for illegal or unethical purposes.
+
+## **5. Support and Updates**
+
+5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying
+support agreement.
+
+5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.
+
+## **6. Termination**
+
+6.1. This Agreement is valid for the subscription term unless terminated earlier:
+
+- By Licensee, with a 30-day written notice.
+- By Licensor, in the event of Licensees breach of this Agreement.
+
+6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.
+
+## **7. Liability and Warranty**
+
+7.1. The Software is provided "as is" without warranties of any kind, except as required by law.
+
+7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.
+
+## **8. Governing Law**
+
+8.1. This Agreement shall be governed by the laws of Portugal.
+
+8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.
+
+## **9. Miscellaneous**
+
+9.1. Any changes to this Agreement must be in writing and signed by both parties.
+
+9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.
+
+## 10. **Contact Information**
+
+* Licensor : Centurion Intelligence Consulting Agency
+* Email : legal@coresecret.eu
+
+---
+
+This Subscription License Agreement was last updated at 09.05.2025.
+
diff --git a/docs/LICENSES/CCLA-1.0.spdx b/docs/LICENSES/CCLA-1.0.spdx
new file mode 100644
index 0000000..fb9c723
--- /dev/null
+++ b/docs/LICENSES/CCLA-1.0.spdx
@@ -0,0 +1,5 @@
+SPDX-License-Identifier: LicenseRef-CCLA-1.0
+SPDX-FileCopyrightText: 2024-2025 Centurion Intelligence Consulting Agency
+
+LicenseRef-CCLA-1.0 is a custom Commercial License Agreement used for projects maintained by Centurion Intelligence Consulting Agency.
+The full license text can be found at: https://coresecret.eu/imprint/licenses/ or in the same directory: CCLA-1.0.md
diff --git a/docs/LICENSES/EUPL-1.2.txt b/docs/LICENSES/EUPL-1.2.txt
new file mode 100644
index 0000000..2dd5cb8
--- /dev/null
+++ b/docs/LICENSES/EUPL-1.2.txt
@@ -0,0 +1,256 @@ +# SPDX-License-Identifier: EUPL-1.2 + +EUPL-1.2 + +EUROPEAN UNION PUBLIC LICENCE v. 1.2 +EUPL Β© the European Union 2007, 2016 + +This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the +terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such +a use is covered by a right of the copyright holder of the Work). + +The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following +notice immediately following the copyright notice for the Work: + + Licensed under the EUPL + +or has expressed by any other means his willingness to license under the EUPL. + +1.Definitions + +In this Licence, the following terms have the following meaning: + +β€” 'The Licence':this Licence. + +β€” 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available +as Source Code and also as Executable Code as the case may be. + +β€” 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or +modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work +required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in +the country mentioned in Article 15. + +β€” 'The Work':the Original Work or its Derivative Works. + +β€” 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and +modify. + +β€” 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by +a computer as a program. + +β€” 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence. 
+ +β€” 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to +the creation of a Derivative Work. + +β€” 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the +Licence. + +β€” 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating, +transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential +functionalities at the disposal of any other natural or legal person. + +2.Scope of the rights granted by the Licence + +The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for +the duration of copyright vested in the Original Work: + +β€” use the Work in any circumstances and for all usage, + +β€” reproduce the Work, + +β€” modify the Work and make Derivative Works based upon the Work, + +β€” communicate to the public, including the right to make available or display the Work or copies thereof to the public +and perform publicly, as the case may be, the Work, + +β€” distribute the Work or copies thereof, + +β€” lend and rent the Work or copies thereof, + +β€” sublicense rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the +applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed +by law in order to make effective the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the +extent necessary to make use of the rights granted on the Work under this Licence. 
+ +3.Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as +Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with +each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to +the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to +distribute or communicate the Work. + +4.Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the +exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations +thereto. + +5.Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those +obligations are the following: + +Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to +the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the +Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work +to carry prominent notices stating that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this +Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless +the Original Work is expressly distributed only under this version of the Licence β€” for example, by communicating +'EUPL v. 1.2 only'. 
The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the +Work or Derivative Work that alter or restrict the terms of the Licence. + +Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both +the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done +under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed +in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with +his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail. + +The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide +a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available +for as long as the Licensee continues to distribute or communicate the Work. +Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names +of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + +6.Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or +licensed to him/her and that he/she has the power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or +licensed to him/her and that he/she has the power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions +to the Work, under the terms of this Licence. 
+ +7.Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work +and may therefore contain defects or 'bugs' inherent to this type of development. + +For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind +concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or +errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this +Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work. + +8.Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be +liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the +Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss +of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, +the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work. + +9.Additional agreements + +While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services +consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole +responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify, +defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by +the fact You have accepted any warranty or additional liability. 
+ +10.Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window +displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of +applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms +and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You +by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution +or Communication by You of the Work or copies thereof. + +11.Information to the public + +In case of any Distribution or Communication of the Work by means of electronic communication by You (for example, +by offering to download the Work from a remote location) the distribution channel or media (for example, a website) +must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence, +and the way it may be accessible, concluded, stored, and reproduced by the Licensee. + +12.Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms +of the Licence. + +Such a termination will not terminate the licences of any person who has received the Work from the Licensee under +the Licence, provided such persons remain in full compliance with the Licence. + +13.Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the +Work. + +If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or +enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid +and enforceable. 
+ +The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of +the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence. +New versions of the Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take +advantage of the linguistic version of their choice. + +14.Jurisdiction + +Without prejudice to specific agreement between parties, + +β€” any litigation resulting from the interpretation of this License, arising between the European Union institutions, +bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice +of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union, + +β€” any litigation arising between other parties and resulting from the interpretation of this License will be subject to +the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business. + +15.Applicable Law + +Without prejudice to specific agreement between parties, + +β€” this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat, +resides, or has his registered office + +β€” this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside +a European Union Member State. + + + Appendix + +'Compatible Licences' according to Article 5 EUPL are: + +β€” GNU General Public License (GPL) v. 2, v. 3 + +β€” GNU Affero General Public License (AGPL) v. 3 + +β€” Open Software License (OSL) v. 2.1, v. 3.0 + +β€” Eclipse Public License (EPL) v. 1.0 + +β€” CeCILL v. 2.0, v. 2.1 + +β€” Mozilla Public Licence (MPL) v. 2 + +β€” GNU Lesser General Public Licence (LGPL) v. 2.1, v. 
3 + +β€” Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software + +β€” European Union Public Licence (EUPL) v. 1.1, v. 1.2 + +β€” QuΓ©bec Free and Open-Source Licence β€” Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+). + +The European Commission may update this Appendix to later versions of the above licences without producing +a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the +covered Source Code from exclusive appropriation. + +All other changes or additions to this Appendix require the production of a new EUPL version. \ No newline at end of file diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md new file mode 100644 index 0000000..a988338 --- /dev/null +++ b/docs/REFERENCES.md @@ -0,0 +1,80 @@ +--- +gitea: none +include_toc: true +--- + +# 1. CISS.debian.live.builder + +**Centurion Intelligence Consulting Agency Information Security Standard**
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
+**Master Version**: 8.02
+**Build**: V8.02.512.2025.05.30
+ +# 2. Resources + +## 2.1. Debian Live related + +- [Debian live-boot](https://salsa.debian.org/live-team/live-boot) +- [Debian Live Manual](https://live-team.pages.debian.net/live-manual/html/live-manual/index.en.html) +- [Debian Live Boot Doc](https://manpages.debian.org/bookworm/live-boot-doc/live-boot.7.en.html) +- [Debian Live Build](https://manpages.debian.org/bookworm/live-build/index.html) +- [Debian Live Config](https://manpages.debian.org/bookworm/live-config-doc/index.html) +- [Debian Live Tools](https://manpages.debian.org/bookworm/live-tools/index.html) + +## 2.2. Disk Encryption related + +- [https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system) +- [https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)) +- [https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode) +- [https://wiki.archlinux.org/title/GRUB#Encrypted_/boot](https://wiki.archlinux.org/title/GRUB#Encrypted_/boot) +- [https://wiki.archlinux.org/title/GRUB#LUKS2](https://wiki.archlinux.org/title/GRUB#LUKS2) +- [https://wiki.archlinux.org/title/Advanced_Format](https://wiki.archlinux.org/title/Advanced_Format) +- [https://packages.debian.org/bookworm-backports/grub-common](https://packages.debian.org/bookworm-backports/grub-common) +- [https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html](https://www.kernel.org/doc/html/v5.5/admin-guide/device-mapper/dm-integrity.html) +- [https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) +- 
[https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#2-setup) + +## 2.3. Kernel related + +- [https://wiki.archlinux.org/title/Kernel](https://wiki.archlinux.org/title/Kernel) +- [https://wiki.archlinux.org/title/Kernel_parameters](https://wiki.archlinux.org/title/Kernel_parameters) +- [https://www.kernel.org/](https://www.kernel.org/) +- [https://github.com/anthraxx/linux-hardened](https://github.com/anthraxx/linux-hardened) + +## 2.4. Policy related + +- [https://www.debian.org/doc/manuals/securing-debian-manual/](https://www.debian.org/doc/manuals/securing-debian-manual/) +- [https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server](https://www.tenable.com/audits/CIS_Debian_Linux_12_v1.0.1_L1_Server) +- [https://www.cisecurity.org/cis-benchmarks](https://www.cisecurity.org/cis-benchmarks) +- [https://github.com/CISOfy/lynis](https://github.com/CISOfy/lynis) +- [https://github.com/lateralblast/lunar](https://github.com/lateralblast/lunar) +- [https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html](https://complianceascode.github.io/content-pages/guides/ssg-debian12-guide-standard.html) + +## 2.5. 
Security related + +- [https://wiki.archlinux.org/title/General_recommendations](https://wiki.archlinux.org/title/General_recommendations) +- [https://wiki.archlinux.org/title/Security](https://wiki.archlinux.org/title/Security) +- [https://wiki.archlinux.org/title/Identity_management](https://wiki.archlinux.org/title/Identity_management) +- [https://wiki.archlinux.org/title/Capabilities](https://wiki.archlinux.org/title/Capabilities) +- [https://privsec.dev/posts/linux/desktop-linux-hardening/](https://privsec.dev/posts/linux/desktop-linux-hardening/) +- [https://wiki.archlinux.org/title/fail2ban#Service_hardenin](https://wiki.archlinux.org/title/fail2ban#Service_hardenin) +- [https://theprivacyguide1.github.io/linux_hardening_guide](https://theprivacyguide1.github.io/linux_hardening_guide) +- [https://github.com/zabbly/linux](https://github.com/zabbly/linux) + +## 2.6. Bash related + +- [https://www.gnu.org/software/bash/manual/](https://www.gnu.org/software/bash/manual/) +- [https://www.shellcheck.net/](https://www.shellcheck.net/) +- [https://explainshell.com/](https://explainshell.com/) +- [https://google.github.io/styleguide/shellguide.html](https://google.github.io/styleguide/shellguide.html) +- [https://github.com/mvdan/sh](https://github.com/mvdan/sh) +- [https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab](https://gist.github.com/Potherca/4f4ce1c8d4bcf4cd4aab) + +### 2.6.1. Error handling + +- [Use set -e - Writing Robust Bash Shell Scripts - David Pashley](https://www.davidpashley.com/articles/writing-robust-shell-scripts/#id2596016) +- [Why doesn't set -e (or set -o errexit, or trap ERR) do what I expected? - BashFAQ/105 - Greg's Wiki](https://mywiki.wooledge.org/BashFAQ/105) + +--- +**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** + 
diff --git a/docs/screenshots/20250517_boot_grub.jpg b/docs/screenshots/20250517_boot_grub.jpg new file mode 100644 index 0000000..b7d6c77 Binary files /dev/null and b/docs/screenshots/20250517_boot_grub.jpg differ diff --git a/docs/screenshots/20250517_boot_integrity_check.jpg b/docs/screenshots/20250517_boot_integrity_check.jpg new file mode 100644 index 0000000..b8f11f9 Binary files /dev/null and b/docs/screenshots/20250517_boot_integrity_check.jpg differ diff --git a/docs/screenshots/20250517_boot_integrity_success.jpg b/docs/screenshots/20250517_boot_integrity_success.jpg new file mode 100644 index 0000000..eb8a579 Binary files /dev/null and b/docs/screenshots/20250517_boot_integrity_success.jpg differ diff --git a/docs/screenshots/20250517_console_login.jpg b/docs/screenshots/20250517_console_login.jpg new file mode 100644 index 0000000..1396a93 Binary files /dev/null and b/docs/screenshots/20250517_console_login.jpg differ diff --git a/docs/screenshots/CISS.debian.live.builder_preview.jpeg b/docs/screenshots/CISS.debian.live.builder_preview.jpeg new file mode 100644 index 0000000..24abf98 Binary files /dev/null and b/docs/screenshots/CISS.debian.live.builder_preview.jpeg differ diff --git a/docs/screenshots/CISS.debian.live.builder_ssh_audit.png b/docs/screenshots/CISS.debian.live.builder_ssh_audit.png new file mode 100644 index 0000000..778562f Binary files /dev/null and b/docs/screenshots/CISS.debian.live.builder_ssh_audit.png differ diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh new file mode 100644 index 0000000..e0144f8 --- /dev/null +++ b/lib/lib_arg_parser.sh 
@@ -0,0 +1,386 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Argument Parser +# Globals: +# BUILD_LOG +# DEBUG +# EARLY_DEBUG +# ERR_CONTROL_CT +# ERR_MISS_PWD_F +# ERR_MISS_PWD_P +# ERR_OWNS_PWD_F +# ERR_PASS_LENGH +# ERR_PASS_PLICY +# ERR_REIONICE_P +# ERR_REIO_C_VAL +# ERR_REIO_P_VAL +# ERR_RENICE_PRI +# ERR_RGHT_PWD_F +# ERR_SPLASH_PNG +# ERR_UNCRITICAL +# ERR__SSH__PORT +# HANDLER_ARCHITECTURE +# HANDLER_BUILD_DIR +# HANDLER_CDI +# HANDLER_DHCP +# HANDLER_ISO_COUNTER +# HANDLER_PRIORITY +# HANDLER_SPLASH +# HANDLER_SSHPORT +# HANDLER_SSHPUBKEY +# HANDLER_STA +# HASHED_PWD +# ISO8601 +# REIONICE_CLASS +# REIONICE_PRIORITY +# VERSION +# handler_jumphost +# Arguments: +# None +####################################### +arg_parser() { + while [[ $# -gt 0 ]]; do + declare argument="${1}" + case "${argument,,}" in + + -c | --contact) + if [[ -n "${2}" && "${2}" != -* ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --contact MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + shift 1 + ;; + + -h | --help) + if [[ -n "${2}" && "${2}" != -* ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --help MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... 
\e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + shift 1 + ;; + + -v | --version) + if [[ -n "${2}" && "${2}" != -* ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --version MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + shift 1 + ;; + + --architecture) + if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then + declare -gx HANDLER_ARCHITECTURE="$2" + shift 2 + else + boot_screen_cleaner + printf "\e[91m❌ Error: --architecture MUST be 'amd64' or 'arm64'.\e[0m\n" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_UNCRITICAL}" + fi + ;; + + --build-directory) + declare -gx HANDLER_BUILD_DIR="${2}" + declare -gx BUILD_LOG="${HANDLER_BUILD_DIR}/${ISO8601}_build.log" + shift 2 + ;; + + --cdi) + if [[ -n "${2}" && "${2}" != -* ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --cdi MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + declare -g HANDLER_CDI=true + shift 1 + ;; + + --change-splash ) + if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then + declare -g HANDLER_SPLASH="${2}" + shift 2 + else + boot_screen_cleaner + printf "\e[91m❌ Error: --change-splash MUST be 'club' or 'hexagon'.\e[0m\n" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_SPLASH_PNG}" + fi + ;; + + --control) + if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65536 ]]; then + declare -gi HANDLER_ISO_COUNTER="$2" + shift 2 + else + boot_screen_cleaner + printf "\e[91m❌ Error: --control MUST be an integer between '1' and '65535'.\e[0m\n" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... 
\e[0m' + exit "${ERR_CONTROL_CT}" + fi + ;; + + --debug) + if [[ -n "${2}" && "${2}" != -* ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --debug MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + shift 1 + ;; + + --dhcp-centurion) + if [[ -n "${2}" && "${2}" != -* ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --dhcp-centurion MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + declare -gi HANDLER_DHCP=1 + shift 1 + ;; + + --jump-host) + if [[ -n "${2}" && "${2}" != -* ]]; then + declare -i count=0 + shift + while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do + declare -g handler_jumphost+=("$1") + count=$((count + 1)) + shift + done + while [[ "${#}" -gt 0 && "${1}" != -* ]]; do + shift + done + else + boot_screen_cleaner + printf "\e[91m❌ Error: --jump-host MUST contain one or up to ten IPs.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + ;; + + --log-statistics-only) + if [[ -n "${2}" && "${2}" != -* ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --log-statistics-only MUST NOT be followed by an argument.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... 
\e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + declare -gi HANDLER_STA=1 + shift 1 + ;; + + --provider-netcup-ipv6) + if [[ -n "${2}" && "${2}" != -* ]]; then + declare -i count=0 + declare -g handler_netcup_ipv6=true + shift + while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do + declare cleaned="${1//[\[\]]/}" + declare -g handler_netcup_ipv6_array+=("${cleaned}") + count=$((count + 1)) + shift + done + while [[ "${#}" -gt 0 && "${1}" != -* ]]; do + shift + done + else + boot_screen_cleaner + printf "\e[91m❌ Error: --provider-netcup-ipv6 MUST provide one IPv6.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_ARG_MSMTCH}" + fi + ;; + + --renice-priority) + if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then + declare -gi HANDLER_PRIORITY="$2" + shift 2 + else + boot_screen_cleaner + printf "\e[91m❌ Error: --renice-priority MUST an integer between '-19' and '19'.\e[0m\n" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_RENICE_PRI}" + fi + ;; + + --reionice-priority) + if [[ -z "${2}" ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --reionice-priority no values provided.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_REIONICE_P}" + else + if [[ "${2}" =~ ^[1-3]$ ]]; then + declare -gi REIONICE_CLASS="${2}" + if [[ -z "${3}" ]]; then + : + else + if [[ "${3}" =~ ^[0-7]$ ]]; then + declare -gi REIONICE_PRIORITY="${3}" + else + boot_screen_cleaner + printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_REIO_P_VAL}" + fi + fi + else + boot_screen_cleaner + printf "\e[91m❌ Error: --reionice-priority CLASS MUST be an integer between '1' and '3'.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... 
\e[0m' + exit "${ERR_REIO_C_VAL}" + fi + fi + if [[ -n ${REIONICE_PRIORITY} ]]; then + shift 3 + else + shift 2 + fi + ;; + + --root-password-file) + declare pw_file="${2}" + if [[ -z "${pw_file}" ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --root-password-file missing password file path argument.\e[0m\n" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_MISS_PWD_P}" + fi + + if [[ ! -f "${pw_file}" ]]; then + boot_screen_cleaner + printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_MISS_PWD_F}" + fi + + declare owner + owner=$(stat -c '%U:%G' "${pw_file}") + if [[ "${owner}" != "root:root" ]]; then + chown root:root "${pw_file}" || { + boot_screen_cleaner + printf "\e[91m❌ Error: --root-password-file failed to set owner root:root on '%s'.\e[0m\n" "${pw_file}" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_OWNS_PWD_F}" + } + fi + + declare perms + perms=$(stat -c '%a' "${pw_file}") + if [[ "${perms}" -ne 400 ]]; then + chmod 400 "${pw_file}" || { + boot_screen_cleaner + printf "\e[91m❌ Error: --root-password-file failed to set permissions 0400 on '%s'.\e[0m\n" "${pw_file}" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_RGHT_PWD_F}" + } + fi + + declare plaintext_pw + [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + if ! 
IFS= read -r plaintext_pw < "${pw_file}"; then + : + fi + [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + + declare pw_length + pw_length=${#plaintext_pw} + if (( pw_length < 20 || pw_length > 64 )); then + boot_screen_cleaner + printf "\e[91m❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_PASS_LENGH}" + fi + + [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + if [[ "${plaintext_pw}" == *\"* ]]; then + [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + boot_screen_cleaner + printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_PASS_PLICY}" + fi + [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + + declare salt + set +o pipefail + while :; do + salt=$(tr -dc 'A-Za-z0-9' /dev/null 2>&1; then + printf "\e[92mβœ… Password file '%s': shred -vfzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1 + else + printf "\e[91m❌ Password file '%s': shred -vfzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1 + fi + sync + + shift 2 + ;; + + --ssh-port) + if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then + declare -gi HANDLER_SSHPORT="${2}" + shift 2 + else + boot_screen_cleaner + printf "\e[91m❌ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2 + read -p -r $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR__SSH__PORT}" + fi + ;; + + --ssh-pubkey) + declare -g HANDLER_SSHPUBKEY="${2}" + shift 2 + ;; + + *) + boot_screen_cleaner + usage + ;; + esac + done +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
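Review bot: The error paths of --contact, --help, --version, --cdi, --debug, --dhcp-centurion, --jump-host, --log-statistics-only, --provider-netcup-ipv6, --reionice-priority and --ssh-port prompt with `read -p -r $'…'`, which hands the literal `-r` to `-p` as the prompt text and passes the `$'\e[92m…'` string as the variable name, so bash rejects it as an invalid identifier (the "Press ENTER" pause never happens and, if the script runs under `set -e`, the intended `exit "${ERR_ARG_MSMTCH}"` is never reached); the other branches already use the working form `read -p $'…'` with `# shellcheck disable=SC2162`, or write `read -r -p $'…'`. In --control the test accepts `"${2}" -le 65536` while the message promises '1' and '65535'; change it to `"${2}" -le 65535`. --build-directory and --ssh-pubkey store `${2}` without the `[[ -n "${2}" && "${2}" != -* ]]` guard every other option uses, so `--ssh-pubkey --debug` silently records "--debug" as the key path. The salt/hash section after `declare salt` is corrupted in this view (the command between `tr -dc 'A-Za-z0-9'` and `/dev/null` is missing), so the hashing and the subsequent `shred` of `${pw_file}` could not be reviewed; note also that --root-password-file chowns and chmods the caller's file before reading it, which the option's help text should state, and that `ERR_ARG_MSMTCH` is used throughout but missing from the Globals header.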
diff --git a/lib/lib_arg_priority_check.sh b/lib/lib_arg_priority_check.sh
new file mode 100644
index 0000000..93417f5
--- /dev/null
+++ b/lib/lib_arg_priority_check.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Check and setup Script Priorities
+# Globals:
+# HANDLER_PRIORITY
+# REIONICE_CLASS
+# REIONICE_PRIORITY
+# Arguments:
+# None
+#######################################
+arg_priority_check() {
+ declare var
+ # Check if nice PRIORITY is set and adjust nice priority.
+ if [[ -n ${HANDLER_PRIORITY} ]]; then
+ renice "${HANDLER_PRIORITY}" -p "$$"
+ var=$(ps -o ni= -p $$) > /dev/null 2>&1
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… New renice value: %s\e[0m\n" "${var}"
+ # sleep 1
+ unset var
+ fi
+
+ # Check if ionice PRIORITY is set and adjust ionice priority.
+ if [[ -n ${REIONICE_CLASS} ]]; then
+ ionice -c"${REIONICE_CLASS:-2}" -n"${REIONICE_PRIORITY:-4}" -p "$$"
+ var=$(ionice -p $$) > /dev/null 2>&1
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… New ionice value: %s\e[0m\n" "${var}"
+ # sleep 1
+ unset var
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_boot_screen.sh b/lib/lib_boot_screen.sh
new file mode 100644
index 0000000..2ba4bc4
--- /dev/null
+++ b/lib/lib_boot_screen.sh
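Review bot: The trailing `> /dev/null 2>&1` on `var=$(ps -o ni= -p $$) > /dev/null 2>&1` redirects the output-less assignment, not ps, so ps's stderr still reaches the terminal and the redirect does nothing; the `var=$(ionice -p $$) > /dev/null 2>&1` line has the same shape. Write `var=$(ps -o ni= -p "$$" 2>/dev/null)` and `var=$(ionice -p "$$" 2>/dev/null)`. The `renice` and `ionice` calls that actually change the priority are unchecked, so a refused change (a negative nice value without the needed privilege, for instance) is still followed by the green "New renice value" line; guard each with `|| printf "… renice failed\n" >&2`.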
@@ -0,0 +1,53 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Change Grub Boot Screen Splash
+# Globals:
+# boot_screen_pid
+# boot_screen_pipe
+# Arguments:
+# None
+#######################################
+boot_screen() {
+ clear
+ declare -gr boot_screen_pipe="/tmp/progress.fifo"
+ [[ -p "${boot_screen_pipe}" ]] || mkfifo "${boot_screen_pipe}"
+
+ setsid dialog --no-collapse \
+ --ascii-lines \
+ --keep-tite \
+ --title "CISS.debian.live.builder" \
+ --gauge "Starting initialization..." \
+ 10 70 0 \
+ < "${boot_screen_pipe}" &
+ declare -gr boot_screen_pid="$!"
+ exec 3> "${boot_screen_pipe}"
+}
+
+#######################################
+# Boot Screen Terminal Cleaner
+# Globals:
+# boot_screen_pid
+# boot_screen_pipe
+# Arguments:
+# None
+#######################################
+boot_screen_cleaner() {
+ exec 3>&-
+ kill -TERM -- -"${boot_screen_pid}" 2>/dev/null || true
+ wait "${boot_screen_pid}" 2>/dev/null || true
+ rm -f "${boot_screen_pipe}"
+ clean_screen
+ sleep 1
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh
new file mode 100644
index 0000000..a841279
--- /dev/null
+++ b/lib/lib_cdi.sh
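Review bot: `boot_screen_pipe="/tmp/progress.fifo"` is a fixed name in a world-writable directory, and `[[ -p … ]] || mkfifo` adopts whatever FIFO is already there, so another local user who pre-creates that path ends up on the other side of the gauge stream, while a pre-existing non-FIFO file makes `mkfifo` fail and the following `exec 3>` open a plain file. Create the FIFO in a private directory instead: `declare -gr boot_screen_dir="$(mktemp -d)"`, then `declare -gr boot_screen_pipe="${boot_screen_dir}/progress.fifo"` and `mkfifo -m 0600 "${boot_screen_pipe}"`, with `boot_screen_cleaner` removing the directory. `boot_screen_cleaner` is also reached from option-parsing errors before `boot_screen` has run, where `boot_screen_pid` is unset; the `2>/dev/null || true` hides that, which is acceptable, but `clean_screen` is not defined in this file and a comment on the header naming where it comes from would help the reader.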
@@ -0,0 +1,62 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# CISS.2025.debian.installer GRUB and Autostart Generator +# Globals: +# BASH_SOURCE +# HANDLER_BUILD_DIR +# HANDLER_CDI +# WORKDIR +# kernel +# Arguments: +# None +####################################### +cdi() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + + if [[ "${HANDLER_CDI}" == "true" ]]; then + + if [[ ! 
-d "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then + mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" + fi + + cp "${WORKDIR}/scripts/9000-cdi-starter" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" + chmod 0750 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" + chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" + + declare tmp_entry + tmp_entry="$(mktemp)" + cat << EOF >| "${tmp_entry}" +menuentry "CISS Hardened DI (${kernel})" --hotkey=i { + linux /live/vmlinuz-${kernel} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path} + initrd /live/initrd.img-${kernel} +} +EOF + sed -i "/#MUST_BE_REPLACED/{ + r ${tmp_entry} + d +}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg" + + sed -i "/#MUST_BE_REPLACED/{ + r ${tmp_entry} + d +}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg" + + rm -f "${tmp_entry}" + else + # shellcheck disable=SC1003 + sed -i '/#MUST_BE_REPLACED/c\\' "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg" + fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… %s successful applied. 
\e[0m\n" "${BASH_SOURCE[0]}" +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_change_splash.sh b/lib/lib_change_splash.sh new file mode 100644 index 0000000..37fd476 --- /dev/null +++ b/lib/lib_change_splash.sh 
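Review bot: The `else` branch removes the `#MUST_BE_REPLACED` placeholder only from `grub-efi/grub.cfg`, whereas the CDI branch patches both `grub-efi/grub.cfg` and `grub-pc/grub.cfg`, so a build without --cdi ships a BIOS grub.cfg that still contains the literal placeholder line; apply the same `sed -i '/#MUST_BE_REPLACED/c\\'` to `"${HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"` as well. `${tmp_entry}` is deleted only on the success path, so a failing `cp`, `chmod` or `sed` leaves the generated menu entry behind; a `trap 'rm -f "${tmp_entry}"' RETURN` immediately after `mktemp` covers every exit from the function. The `[[ ! -d … ]]` test before `mkdir -p` is redundant, since `mkdir -p` is already a no-op on an existing directory.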
@@ -0,0 +1,37 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Change Grub Boot Screen Splash +# Globals: +# HANDLER_BUILD_DIR +# HANDLER_SPLASH +# WORKDIR +# Arguments: +# None +####################################### +change_splash() { + if [[ ${HANDLER_SPLASH} == "club" ]]; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Grub Splash 'club.png' selected ...\e[0m\n" + cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png + cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png + cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Grub Splash 'club.png' selected done. \e[0m\n" + elif [[ ${HANDLER_SPLASH} == "hexagon" ]]; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Grub Splash 'hexagon.png' selected ...\e[0m\n" + cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png + cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png + cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Grub Splash 'hexagon.png' selected done. 
\e[0m\n"
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_check_dhcp.sh b/lib/lib_check_dhcp.sh
new file mode 100644
index 0000000..d3857b3
--- /dev/null
+++ b/lib/lib_check_dhcp.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Check if hardened Centurion DNS servers are desired.
+# Globals:
+# HANDLER_DHCP
+# WORKDIR
+# Arguments:
+# None
+#######################################
+check_dhcp() {
+ if [[ ${HANDLER_DHCP} -eq 1 ]]; then
+ chmod +x "${WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${WORKDIR}"/scripts/0010_dhcp_supersede.sh
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_check_hooks.sh b/lib/lib_check_hooks.sh
new file mode 100644
index 0000000..34c158c
--- /dev/null
+++ b/lib/lib_check_hooks.sh
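Review bot: The two branches of `change_splash` are identical apart from the image name, so the three destination paths are maintained twice and a fourth bootloader directory would have to be added in two places. Deriving the source once from `${HANDLER_SPLASH}` and looping over the destinations keeps a single copy of the path list; the `case` guard below preserves today's behaviour of doing nothing for any other value, which arg_parser already enforces. The function continues outside this hunk only by its closing lines.
```shell
change_splash() {
  case "${HANDLER_SPLASH}" in
    club | hexagon) ;;
    *) return 0 ;;
  esac
  declare src="${WORKDIR}/.archive/background/${HANDLER_SPLASH}.png"
  declare dest
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash '%s.png' selected ...\e[0m\n" "${HANDLER_SPLASH}"
  for dest in "${HANDLER_BUILD_DIR}"/config/bootloaders/{,grub-efi/,grub-pc/}splash.png; do
    cp -af "${src}" "${dest}"
  done
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash '%s.png' selected done. \e[0m\n" "${HANDLER_SPLASH}"
}
```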
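Review bot: `chmod +x … && …/0010_dhcp_supersede.sh` silently skips the DHCP step when the chmod fails, and `+x` grants execute to group and others on a helper that is then executed with the builder's privileges (presumably root, given the `chown root:root` calls elsewhere in this commit). Run it through the interpreter instead, `bash "${WORKDIR}/scripts/0010_dhcp_supersede.sh"`, which needs no mode change, or use an explicit `chmod 0750` and report failure with `|| { printf "… dhcp supersede failed\n" >&2; exit "${ERR_UNCRITICAL}"; }` so the omission is visible in the build log.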
@@ -0,0 +1,37 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
+# Globals:
+# ERR_UNCRITICAL
+# WORKDIR
+# Arguments:
+# None
+#######################################
+check_hooks() {
+ declare ifs
+ ifs=$'\n\t'
+ shopt -s nullglob
+ declare -a files=("${WORKDIR}"/config/hooks/live/*.chroot)
+
+ if (( ${#files[@]} == 0 )); then
+ printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${WORKDIR}" >&2
+ exit "${ERR_UNCRITICAL}"
+ fi
+
+ declare file
+ for file in "${files[@]}"; do
+ chmod 0755 "${file}"
+ done
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_check_kernel.sh b/lib/lib_check_kernel.sh
new file mode 100644
index 0000000..4ae6cbf
--- /dev/null
+++ b/lib/lib_check_kernel.sh
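Review bot: `shopt -s nullglob` is enabled inside `check_hooks` and never restored, so every unmatched glob in the caller after this point silently expands to nothing instead of staying literal; add `shopt -u nullglob` right after the `files` array is filled (the rest of this commit appears to assume the option is off — confirm). The lowercase `ifs=$'\n\t'` assigns a variable nothing reads — the glob-into-array form does not depend on IFS — so drop `declare ifs` and the assignment (if the intent was `IFS`, that would leak to the caller in the same way). The header says `./config/hooks/live/*.chroot` while the code globs `${WORKDIR}/config/hooks/live/*.chroot`; the two agree only when the script runs from WORKDIR, so name the variable in the comment.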
@@ -0,0 +1,72 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Kernel Image Selector
+# Globals:
+# HANDLER_ARCHITECTURE
+# KERNEL_SRT
+# KERNEL_TMP
+# kernel
+# Arguments:
+# None
+# Returns:
+# 42: Sorting Error.
+#######################################
+check_kernel() {
+ clear
+ declare -i counter=1
+ declare first_string=""
+ declare line=""
+ declare -gx kernel=""
+ declare name=""
+ declare options=""
+
+ if [[ ${HANDLER_ARCHITECTURE} != arm64 ]]; then
+ apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
+ else
+ apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
+ fi
+
+ sort --output="${KERNEL_SRT}" "${KERNEL_TMP}" || {
+ printf "❌ Error check_kernel() Line 40 sort failed\n" >&2
+ # shellcheck disable=SC2162
+ read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... 
\e[0m'
+ return 42
+ }
+
+ while IFS= read -r line; do
+ first_string=${line%% *}
+ name=${first_string#linux-image-}
+ options+=("${name}" "${counter}" off)
+ ((counter++))
+ done < "${KERNEL_SRT}"
+
+ # shellcheck disable=SC2155
+ if declare -g kernel=$(dialog \
+ --no-collapse \
+ --ascii-lines \
+ --clear \
+ --backtitle "CISS.debian.live.builder" \
+ --title "Select the Kernel for the CISS Hardened Debian Live Image ISO" \
+ --radiolist "Kernel available \n *+bpo* : Debian Backported Kernel \n *cloud* : Special lightweight images for KVM \n *unsigned* : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-); then
+ clear
+ else
+ clear
+ if [[ "${HANDLER_ARCHITECTURE}" == "amd64" ]]; then
+ declare -gr kernel="amd64"
+ elif [[ "${HANDLER_ARCHITECTURE}" == "arm64" ]]; then
+ declare -gr kernel="arm64"
+ fi
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_check_pkgs.sh b/lib/lib_check_pkgs.sh
new file mode 100644
index 0000000..b504e24
--- /dev/null
+++ b/lib/lib_check_pkgs.sh
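Review bot: `if declare -g kernel=$(dialog ...); then` tests the exit status of `declare`, not of `dialog`, so Cancel/ESC never reaches the `else` branch and `kernel` is left empty instead of falling back to the architecture name; assign first and test the result, e.g. `kernel=$(dialog ...)` followed by `if [[ -n "${kernel}" ]]; then` — the `# shellcheck disable=SC2155` comment silences exactly this warning. `--radiolist` expects `text height width list-height` before the tag/item/status triples and no list-height is passed here; as far as I can tell it works only because `declare options=""` makes the first `options+=(...)` turn the scalar into an array whose element 0 is the empty string, which then fills the list-height slot. Declare it as `declare -a options=()` and pass `0 0 0` explicitly so the layout does not depend on that conversion. The `>> "${KERNEL_TMP}"` appends, so a pre-existing temp file would duplicate entries in the menu; `>` looks like the intended write.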
@@ -0,0 +1,32 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Check for required Deb Packages to run the script.
+# Arguments:
+# None
+#######################################
+check_pkgs() {
+ if [[ ! -f /usr/share/live/build/VERSION ]]; then
+ apt-get update -y
+ apt-get install live-build -y
+ fi
+
+ if [[ -z "$(command -v dialog || true)" ]]; then
+ apt-get install --no-install-recommends dialog -y
+ fi
+
+ if [[ -z "$(command -v mkpasswd || true)" ]]; then
+ apt-get install --no-install-recommends whois -y
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_check_provider.sh b/lib/lib_check_provider.sh
new file mode 100644
index 0000000..bc7d8d4
--- /dev/null
+++ b/lib/lib_check_provider.sh
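Review bot: None of the `apt-get` invocations have their exit status checked, so a failed update or install leaves `check_pkgs` returning 0 and the later `dialog`/`mkpasswd` calls fail far from the cause; append `|| return 1` to each, e.g. `apt-get install --no-install-recommends dialog -y || return 1`. The `-y` installs also presuppose root, which the header does not state; mention it in the description or test `EUID` first. As a style point, `[[ -z "$(command -v dialog || true)" ]]` is the long form of `if ! command -v dialog > /dev/null 2>&1; then`.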
@@ -0,0 +1,65 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Notes Textbox
+# Arguments:
+# None
+#######################################
+check_provider() {
+ clear
+ cat << 'EOF' >| "${notes}"
+Build: Master V8.02.512.2025.05.30
+
+Press 'EXIT' to continue with CISS.debian.live.builder.
+
+When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
+for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
+backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
+you might believe you're booting a freshly uploaded image, but in fact the system silently reattaches an
+earlier oneβ€”leading to confusing failures and wasted troubleshooting time.
+
+A separate but related issue emerges when booting certain Debian "cloud" kernel imagesβ€”specifically those
+matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64β€”on a Netcup G11 instance or on a Hetzner VM.
+After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
+due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
+one actually provided by the virtual hardware. 
Common workarounds, like editing the boot entry (e) and appending
+
+β€” 'nomodeset', or
+β€” 'vga=0x318',
+
+do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
+in modern cloud images.
+
+To mitigate this, you can:
+
+β€” Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
+ for cloud-init but presume a different console setup.
+
+β€” Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
+ command line. This aligns the initramfs console driver with the actual firmware framebuffer.
+
+β€” Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
+ example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
+ graphical framebuffer entirely.
+EOF
+
+ dialog --no-collapse \
+ --ascii-lines \
+ --clear \
+ --backtitle "CISS.debian.live.builder" \
+ --title "Important Notes" \
+ --scrollbar \
+ --textbox "${notes}" 32 128
+ clear
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_check_stats.sh b/lib/lib_check_stats.sh
new file mode 100644
index 0000000..56f9505
--- /dev/null
+++ b/lib/lib_check_stats.sh
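Review bot: `check_provider` writes the notes to `${notes}`, a global that is neither declared in this hunk nor listed in the header, so add `# notes` under a `# Globals:` section; if it is unset, `>| "${notes}"` fails with an unhelpful redirection error, so a `: "${notes:?notes path not set}"` guard at the top of the function would make that explicit. The build identifier `Master V8.02.512.2025.05.30` is hard-coded inside a quoted heredoc while `debug_header` in this same commit prints `${VERSION}`; if both are meant to agree, say in a comment which one is authoritative so they do not drift apart.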
@@ -0,0 +1,27 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Check if analysis run is desired only.
+# Globals:
+# HANDLER_STA
+# Arguments:
+# None
+#######################################
+check_stats() {
+ if [[ ${HANDLER_STA} -eq 1 ]]; then
+ clear
+ run_analysis
+ exit 0
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_check_var.sh b/lib/lib_check_var.sh
new file mode 100644
index 0000000..adfb3c4
--- /dev/null
+++ b/lib/lib_check_var.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Unbound Variable Check and call Trap on ERR
+# Globals:
+# ERR_UNBOUNDVAR
+# Arguments:
+# $1: VAR_NAME to check
+# Returns:
+# "${ERR_UNBOUNDVAR}"
+#######################################
+check_var() {
+ declare var_name_to_check="$1"
+ if [[ -n "${!var_name_to_check+exists}" ]]; then
+ if [[ -n "${!var_name_to_check}" ]]; then
+ printf "\e[92mβœ… Variable: '%s' exists and is NOT empty: Β»%sΒ« \e[0m\n" "${var_name_to_check}" "${!var_name_to_check}"
+ else
+ printf "\e[92mβœ… Variable: '%s' exists but is empty. \e[0m\n" "${var_name_to_check}"
+ fi
+ else
+ printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
+ return "${ERR_UNBOUNDVAR}"
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_clean_screen.sh b/lib/lib_clean_screen.sh
new file mode 100644
index 0000000..2c4fc7a
--- /dev/null
+++ b/lib/lib_clean_screen.sh
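Review bot: The non-empty branch prints the checked variable's full value to stdout (`Β»%sΒ«`), so if a caller passes a secret-bearing name — `HASHED_PWD` is consumed by `hardening_root_pw` in this same commit — the value lands on the console and, once `debugger` has enabled `set -x`, in the debug log as well. Consider reporting only that the variable is set, or redacting known-sensitive names before printing, e.g. `[[ ${var_name_to_check} == *PWD* ]] && value='[redacted]'`. The header says the function calls the ERR trap, but the body only `return`s `ERR_UNBOUNDVAR`; rephrase the first header line to `# Report whether a variable is declared; returns ERR_UNBOUNDVAR if it is not.`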
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Terminal cleaner before Trap on Error
+# Arguments:
+# None
+#######################################
+clean_screen() {
+ tput cnorm > /dev/tty # Cursor visible
+ tput sgr0 > /dev/tty # Attributes off
+ stty sane < /dev/tty # Sane modes
+ tput rmcup > /dev/tty # Back to the main buffer
+ clear > /dev/tty # Clear residual
+ #lines=$(tput lines)
+ #tput cup $((lines-1)) 0 > /dev/tty
+ #printf "\n" > /dev/tty
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh
new file mode 100644
index 0000000..36ae7e2
--- /dev/null
+++ b/lib/lib_clean_up.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
+# Globals:
+# ERROR_LOG
+# KERNEL_INF
+# KERNEL_SRT
+# KERNEL_TMP
+# WORKDIR
+# Arguments:
+# 1 : ${trap_on_exit_code} of trap_on_exit()
+#######################################
+clean_up() {
+ declare clean_exit_code="$1"
+ rm -f -- "${KERNEL_INF}"
+ rm -f -- "${KERNEL_SRT}"
+ rm -f -- "${KERNEL_TMP}"
+ rm -f /run/lock/ciss_live_builder.lock
+ if (( clean_exit_code == 0 )); then rm -f -- "${ERROR_LOG}"; fi
+ if [[ -f "${WORKDIR}/hosts.allow" ]]; then
+ rm -f "${WORKDIR}/hosts.allow"
+ fi
+ if [[ -f "${WORKDIR}/hosts.deny" ]]; then
+ rm -f "${WORKDIR}/hosts.deny"
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_copy_integrity.sh b/lib/lib_copy_integrity.sh
new file mode 100644
index 0000000..74caff7
--- /dev/null
+++ b/lib/lib_copy_integrity.sh
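Review bot: `rm -f /run/lock/ciss_live_builder.lock` runs unconditionally; if this cleanup is also wired to the EXIT trap of an invocation that never obtained the lock (a second run aborting because the lock was held), it removes the lock of the instance that is still building. Lock acquisition is not in this hunk, so this is inferred from the trap description in the header; a flag set where the lock is taken, e.g. `[[ ${lock_held:-0} -eq 1 ]] && rm -f /run/lock/ciss_live_builder.lock`, would scope the removal to the owner. The `DEBUG_LOG` and `dump_vars_initial` files created by `debugger` in this same commit are not handled here; since the xtrace log captures expanded commands, state in the header whether they are deliberately retained for post-mortem.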
@@ -0,0 +1,38 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Copy Initial ISO aide Database into Host System
+# Globals:
+# BASH_SOURCE
+# HANDLER_BUILD_DIR
+# Arguments:
+# None
+# Returns:
+# 0 : Aide Init DB copying successful.
+#######################################
+copy_db() {
+ # printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+
+ if [[ ! -d "${HANDLER_BUILD_DIR}/.integrity" ]]; then
+ mkdir -p "${HANDLER_BUILD_DIR}/.integrity"
+ fi
+
+ if cp -p "${HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${HANDLER_BUILD_DIR}/.integrity/"; then
+ chmod 0400 "${HANDLER_BUILD_DIR}/.integrity/"*
+ # printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ return 0
+ else
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_debug.sh b/lib/lib_debug.sh
new file mode 100644
index 0000000..5e5aac9
--- /dev/null
+++ b/lib/lib_debug.sh
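Review bot: The `else` branch prints a failure message but falls through, so the function's status becomes that of `printf` (0) and callers cannot tell a failed aide database copy from a successful one, contrary to the `# Returns: 0 : ... successful` header; add `return 1` after the `printf`. The `"${HANDLER_BUILD_DIR}/chroot/var/lib/aide/"*` glob is passed literally when that directory is empty, in which case `cp` fails with a misleading "No such file" message; a `compgen -G` check first would produce a clear one. The function is named `copy_db` while the file is `lib_copy_integrity.sh`; aligning the two helps when grepping for the caller.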
@@ -0,0 +1,60 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Debugger Wrapper for xtrace to Debug Log
+# Globals:
+# BASH_XTRACEFD
+# DEBUG_LOG
+# EARLY_DEBUG
+# PS4
+# SHELLOPTS
+# dump_vars_initial
+# var
+# Arguments:
+# None
+#######################################
+debugger() {
+ ### Capture an initial snapshot of all variables (excluding '^(BASH|_).*')
+ # shellcheck disable=SC2155
+ declare -grx dump_vars_initial=$(mktemp)
+ {
+ declare var
+ while IFS= read -r var; do
+ declare -p "${var}" 2>/dev/null
+ done < <(compgen -v | grep -Ev '^(BASH|_).*')
+ } | sort >| "${dump_vars_initial}"
+ declare -grx EARLY_DEBUG=true
+ ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
+ declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
+ # shellcheck disable=SC2155
+ declare -grx DEBUG_LOG="/tmp/ciss_live_builder_$$_debug.log"
+ ### Generates empty DEBUG_LOG
+ touch "${DEBUG_LOG}" && chmod 0600 "${DEBUG_LOG}"
+ ### Open file descriptor 42 for writing to the debug log
+ exec 42>| "${DEBUG_LOG}"
+ ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
+ ### Determine the directory of this script, even if sourced.
+ # shellcheck disable=SC2155
+ declare script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ ### Source the header from the same directory. This ensures we always load lib/lib_debug_header.sh correctly.
+ . "${script_dir}/lib_debug_header.sh"
+ # shellcheck disable=SC2119
+ debug_header "$#" "$*"
+ ### Tell Bash to send xtrace output to FD 42
+ export BASH_XTRACEFD=42
+ ### Enable inheritable shell options
+ export SHELLOPTS
+ ### Turn on xtrace
+ set -x
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_debug_header.sh b/lib/lib_debug_header.sh
new file mode 100644
index 0000000..76c9245
--- /dev/null
+++ b/lib/lib_debug_header.sh
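Review bot: `DEBUG_LOG` is created with `touch` followed by `chmod 0600` at the predictable path `/tmp/ciss_live_builder_$$_debug.log`; between the two calls the file carries the umask default, and a pre-existing file or symlink at that name is followed by the later `exec 42>|`. Use `mktemp` as `dump_vars_initial` already does, e.g. `declare -grx DEBUG_LOG; DEBUG_LOG=$(mktemp) || return 1`, which creates the file 0600 atomically. The xtrace stream enabled at the end records every expanded command, so values such as the root password hash handled by `hardening_root_pw` in this commit end up in that log, and the `declare -p` snapshot captures the same variables; document both files as sensitive in the header and say where they are disposed of. `declare -grx dump_vars_initial=$(mktemp)` additionally hides a failing `mktemp` behind `declare`'s own exit status, which is the SC2155 the comment silences.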
@@ -0,0 +1,56 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Generates Debug Log Header
+# Globals:
+# BASHOPTS
+# BASH_VERSINFO
+# EPOCHREALTIME
+# EUID
+# HOSTNAME
+# PPID
+# PWD
+# UID
+# VERSION
+# Arguments:
+# $0: Script Name $0
+# $1: Argument Counter $#
+# $2: Argument String $*
+#######################################
+debug_header() {
+ declare -r arg_counter="$1"
+ declare -r arg_string="$2"
+ {
+ printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
+ printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VERSION}"
+ printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
+ printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
+ printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"
+ printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[2]}"
+ printf "\e[97m+\e[0m\e[92m%s: Bash Build Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[3]}"
+ printf "\e[97m+\e[0m\e[92m%s: Bash Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[4]}"
+ printf "\e[97m+\e[0m\e[92m%s: UID : %s \e[0m\n" "$(date +%T.%4N)" "${UID}"
+ printf "\e[97m+\e[0m\e[92m%s: EUID : %s \e[0m\n" "$(date +%T.%4N)" "${EUID}"
+ printf "\e[97m+\e[0m\e[92m%s: Hostname : %s \e[0m\n" "$(date +%T.%4N)" 
"${HOSTNAME}"
+ printf "\e[97m+\e[0m\e[92m%s: Script name : %s \e[0m\n" "$(date +%T.%4N)" "$0"
+ printf "\e[97m+\e[0m\e[92m%s: Argument Counter : %s \e[0m\n" "$(date +%T.%4N)" "${arg_counter}"
+ printf "\e[97m+\e[0m\e[92m%s: Argument String Original : %s \e[0m\n" "$(date +%T.%4N)" "${arg_string}"
+ printf "\e[97m+\e[0m\e[92m%s: Script PID : %s \e[0m\n" "$(date +%T.%4N)" "$$"
+ printf "\e[97m+\e[0m\e[92m%s: Script Parent PID : %s \e[0m\n" "$(date +%T.%4N)" "${PPID}"
+ printf "\e[97m+\e[0m\e[92m%s: Script work DIR : %s \e[0m\n" "$(date +%T.%4N)" "${PWD}"
+ printf "\e[97m+\e[0m\e[92m%s: Shell Options : %s \e[0m\n" "$(date +%T.%4N)" "$-"
+ printf "\e[97m+\e[0m\e[92m%s: BASHOPTS : %s \e[0m\n" "$(date +%T.%4N)" "${BASHOPTS}"
+ printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date +%T.%4N)"
+ } >&42
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_hardening_root_pw.sh b/lib/lib_hardening_root_pw.sh
new file mode 100644
index 0000000..c1d6298
--- /dev/null
+++ b/lib/lib_hardening_root_pw.sh
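Review bot: The header lists `$0: Script Name $0` under `# Arguments:`, but `$0` is not passed by the caller — `debugger` invokes `debug_header "$#" "$*"` — it is read from the environment like the other globals, so move it to `# Globals:`. The function writes to a hard-coded `>&42` opened by `debugger`; state that coupling, e.g. `# Requires: FD 42 opened for writing by debugger() before this is called.` Twenty `$(date +%T.%4N)` subshells for one header block is a style point; a single `declare ts; ts=$(date +%T.%4N)` before the group would give one consistent timestamp.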
@@ -0,0 +1,101 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Updates the Live ISO to use root password authentication for local console access.
+# Globals:
+# HANDLER_BUILD_DIR
+# HASHED_PWD
+# Arguments:
+# None
+# Returns:
+# 0: In case no root password is desired.
+#######################################
+hardening_root_pw() {
+ if [[ -z ${HASHED_PWD} ]]; then
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… No Root Password for Console set, skipping root password hook.\e[0m\n"
+ # sleep 1
+ return 0
+ fi
+
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Setup Root Password for Console ... \e[0m\n"
+ # sleep 1
+
+ declare cfg_dir="${HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
+ declare cfg_file="${cfg_dir}/config.conf"
+ declare dropin_dir="${cfg_dir}/config.conf.d"
+ declare dropin_file="${dropin_dir}/20-root-password.conf"
+
+ mkdir -p "${dropin_dir}"
+
+ cat << 'EOF' >| "${dropin_dir}"/10-disable-autologin.conf
+live-config.noautologin
+EOF
+
+ if ! 
grep -q 'LIVE_CONFIGS=.*root-password' "${cfg_file}"; then
+ sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
+ fi
+
+ declare clean_hash="${HASHED_PWD//\"/}"
+
+ printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
+ chmod 0600 "${dropin_file}"
+ chown root:root "${dropin_file}"
+
+ mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root"
+ printf '%s\n' "${clean_hash}" >| "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
+ chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
+ chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
+
+ mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
+ cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
+[Service]
+ExecStart=
+#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
+ExecStart=-agetty --noclear %I $TERM
+EOF
+
+ mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc
+ cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
+tty1
+tty2
+tty3
+tty4
+tty5
+tty6
+EOF
+
+ mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
+ mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
+ mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
+ cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
+ cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
+ cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
+
+ ### Hotfix I
+ mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
+ cat << 'EOF' >| "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
+#!/bin/sh
+# bypass live-config-getty-generator
+exit 0
+EOF
+ chmod +x 
"${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
+
+ ### Hotfix II
+ #mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
+ #touch "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
+ #chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
+
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Setup Root Password for Console done. \e[0m\n"
+ # sleep 1
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_hardening_ssh.sh b/lib/lib_hardening_ssh.sh
new file mode 100644
index 0000000..b56eed7
--- /dev/null
+++ b/lib/lib_hardening_ssh.sh
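Review bot: The cleaned root password hash is written a second time to `config/includes.chroot/root/.pwd` inside the image, and nothing visible in this commit reads that file; an extra copy of the credential hash in the live system's `/root` widens exposure for no stated purpose, so drop it unless a hook consumes it, and if one does, name it in a comment next to the `printf`. `sed -i ... "${cfg_file}"` runs whenever `grep -q` fails, including when `config.conf` does not exist yet (grep returns 2), and then fails with `sed: can't read`; guard it with `[[ -f "${cfg_file}" ]] &&` or create the file first. `cp -af /usr/sbin/agetty` copies the build host's binary into three image paths; since the override already uses `ExecStart=-agetty` (PATH lookup), a host/image library mismatch would break the console login this function sets up — I would expect symlinks inside the image, or no copy at all, to be the intended fix, so please confirm. The header describes password authentication but not that `10-disable-autologin.conf` turns off live-config's autologin, which is the security-relevant effect; add a header line for it.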
@@ -0,0 +1,63 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# SSH Hardening Ultra via TCP Wrapper
+# Globals:
+# WORKDIR
+# handler_jumphost
+# Arguments:
+# None
+#######################################
+hardening_ssh() {
+ if ((${#handler_jumphost[@]} > 0)); then
+ declare allowed=""
+ cat << 'EOF' >| "${WORKDIR}/hosts.allow"
+# /etc/hosts.allow: list of hosts that are allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: LOCAL @some_netgroup
+# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+#
+# If you're going to protect the portmapper use the name "rpcbind" for the
+# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
+#
+
+EOF
+
+ allowed=$(echo "${handler_jumphost[*]}" | tr '\n' ' ')
+ printf 'sshd: %s\n' "${allowed}" >> "${WORKDIR}/hosts.allow"
+
+ cat << 'EOF' >| "${WORKDIR}/hosts.deny"
+# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
+# See the manual pages hosts_access(5) and hosts_options(5).
+#
+# Example: ALL: some.host.name, .some.domain
+# ALL EXCEPT in.fingerd: other.host.name, .other.domain
+#
+# If you're going to protect the portmapper use the name "rpcbind" for the
+# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
+#
+# The PARANOID wildcard matches any host whose name does not match its
+# address.
+#
+# You may wish to enable this to ensure any programs that don't
+# validate looked-up hostnames still leave understandable logs. In past
+# versions of Debian this has been the default.
+# ALL: PARANOID
+
+ALL: ALL
+
+EOF
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh
new file mode 100644
index 0000000..d33cdd9
--- /dev/null
+++ b/lib/lib_hardening_ultra.sh
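Review bot: The `sshd:` allow-list in `hosts.allow` only takes effect if the image's sshd is linked against libwrap; recent Debian openssh-server builds have dropped tcp_wrappers support, so on such a base this pair of files is inert and the effective control is the ufw rules written by `hardening_ultra` — confirm against the target release and, if inert, drop it or document it as defence in depth only. `ALL: ALL` in `hosts.deny` applies to every libwrap-aware service on the image, not just sshd, which the header line `SSH Hardening Ultra via TCP Wrapper` does not say. The `handler_jumphost` entries are written verbatim; if `lib_helper_ip.sh` (added later in this diff) validates them before this point, state that dependency in the header, since a malformed entry here silently produces an allow rule that matches nothing.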
@@ -0,0 +1,210 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Wrapper for accompanying all CISS.2025 hardening features into the Live ISO image.
+# Globals:
+# HANDLER_ARCHITECTURE
+# HANDLER_BUILD_DIR
+# HANDLER_SSHPORT
+# HANDLER_SSHPUBKEY
+# WORKDIR
+# handler_jumphost
+# handler_jumphost_unique
+# Arguments:
+# None
+#######################################
+hardening_ultra() {
+ # shellcheck disable=SC2164
+ cd "${WORKDIR}"
+
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Copying ./config/bootloaders ... \e[0m\n"
+ if [[ ! -d "${HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
+ mkdir -p "${HANDLER_BUILD_DIR}/config/bootloaders"
+ cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
+ else
+ cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
+ fi
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Copying ./config/bootloaders done.\e[0m\n"
+
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Copying ./config/includes.binary ... \e[0m\n"
+ if [[ ! 
-d "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
+ mkdir -p "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
+ cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
+ else
+ cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
+ fi
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Copying ./config/includes.binary done.\e[0m\n"
+
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Copying ./config/hooks/live ... \e[0m\n"
+ if [[ ! -d "${HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
+ mkdir -p "${HANDLER_BUILD_DIR}/config/hooks/live"
+ cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
+ else
+ cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
+ fi
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Copying ./config/hooks/live done.\e[0m\n"
+
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Copying ./config/includes.chroot ... \e[0m\n"
+ if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+ mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot"
+ cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
+ else
+ cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
+ fi
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Copying ./config/includes.chroot done.\e[0m\n"
+
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Copying ./config/package-lists ... \e[0m\n"
+ if [[ ! 
-d "${HANDLER_BUILD_DIR}/config/package-lists" ]]; then
+ mkdir -p "${HANDLER_BUILD_DIR}/config/package-lists"
+ fi
+ cp -af ./config/package-lists/live.list.common.chroot "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
+
+ case "${HANDLER_ARCHITECTURE}" in
+ amd64)
+ declare arch_list="./config/package-lists/live.list.amd64.chroot"
+ declare arch_comment="# amd64 specific packages"
+ ;;
+ arm64)
+ declare arch_list="./config/package-lists/live.list.arm64.chroot"
+ declare arch_comment="# arm64 specific packages"
+ ;;
+ *)
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${HANDLER_ARCHITECTURE}"
+ exit 1
+ ;;
+ esac
+
+ declare pkgs
+ mapfile -t pkgs < <(
+ grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
+ )
+
+ awk -v comment="${arch_comment}" -v n_pkgs="${#pkgs[@]}" -v pkgs="$(printf '%s\n' "${pkgs[@]}")" '
+ BEGIN {
+ split(pkgs, pkg_arr, "\n")
+ inserted = 0
+ }
+ {
+ # Detect the vim-modeline (last line marker)
+ if ($0 ~ /^# vim:.*$/ && !inserted) {
+ print comment
+ for (i = 1; i <= length(pkg_arr); i++) {
+ print pkg_arr[i]
+ }
+ inserted = 1
+ }
+ print
+ }
+ ' "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Copying ./config/package-lists done.\e[0m\n"
+
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Updating SSH Keys, Ports ... \e[0m\n"
+ if [[ ! 
-d "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
+
+ mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
+ cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
+ chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+ chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+
+ declare -r sshport="${HANDLER_SSHPORT:-22}"
+
+ sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
+ sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+ sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
+
+ if [[ ${#handler_jumphost[@]} -gt 0 ]]; then
+
+ declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+ sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
+ declare line
+ line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
+
+ if [[ -z "${line}" ]]; then
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
+ exit 1
+ fi
+
+ declare host
+ for host in "${handler_jumphost_unique[@]}"; do
+ ((line++))
+ sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
+ done
+ fi
+
+ else
+
+ cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
+ chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+ chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+
+ declare -r sshport="${HANDLER_SSHPORT:-22}"
+
+ sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" 
"${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + + if [[ ${#handler_jumphost_unique[@]} -gt 0 ]]; then + + declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" + declare line + line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) + + if [[ -z "${line}" ]]; then + printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2 + exit 1 + fi + + declare host + for host in "${handler_jumphost_unique[@]}"; do + ((line++)) + sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file" + done + fi + fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Updating SSH Keys, Ports done. \e[0m\n" + + if [[ -f "${WORKDIR}/hosts.allow" ]]; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ SSH Hardening Ultra ... \e[0m\n" + cp -af "${WORKDIR}/hosts.allow" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc" + cp -af "${WORKDIR}/hosts.deny" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc" + chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow" + chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny" + rm -f "${WORKDIR}/hosts.allow" + rm -f "${WORKDIR}/hosts.deny" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… SSH Hardening Ultra done.\e[0m\n" + fi + + if ((${#handler_jumphost[@]} > 0)); then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Updating fail2ban Jumphosts IPs ... 
\e[0m\n" + # Join array entries with spaces, preserving any newlines + declare ips="${handler_jumphost[*]}" + # Flatten to a single line and strip literal brackets [] + declare flat_ips + flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]') + # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64" + + # Perform an in-place replacement of MUST_BE_SET with the cleaned list + sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \ + "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Updating fail2ban Jumphosts IPs done. \e[0m\n" + else + printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ No jump hosts configured, removing placeholder ... \e[0m\n" + sed -i \ + -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \ + -e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \ + "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Placeholder removed. \e[0m\n" + fi +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_helper_ip.sh b/lib/lib_helper_ip.sh new file mode 100644 index 0000000..1cbcd50 --- /dev/null +++ b/lib/lib_helper_ip.sh 
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# IP Notation cleaner for pure IP output only
+# Globals:
+# handler_jumphost
+# handler_jumphost_unique
+# Arguments:
+# None
+#######################################
+clean_ip() {
+ declare host
+ declare stripped
+ for host in "${handler_jumphost[@]}"; do
+ # Remove leading '[' and trailing ']'
+ stripped="${host#\[}"
+ stripped="${stripped%\]}"
+ # Skip if it contains a slash (CIDR range)
+ if [[ ${stripped} == */* ]]; then
+ continue
+ fi
+ # Directly append, no duplicate check
+ declare -ga handler_jumphost_unique+=("${stripped}")
+ done
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_lb_build_start.sh b/lib/lib_lb_build_start.sh
new file mode 100644
index 0000000..8c840f4
--- /dev/null
+++ b/lib/lib_lb_build_start.sh
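Review bot: clean_ip silently drops every jump host written in CIDR notation (the `*/*` test) and, despite the `_unique` name, does no de-duplication, so a range-only jump-host list leaves `handler_jumphost_unique` empty while the caller earlier in this commit deletes the generic `ufw allow in "${SSHPORT}"/tcp` rule as soon as `handler_jumphost` is non-empty — that combination ships an image with no SSH allow rule at all. ufw accepts CIDR in `from`, so ranges can simply be passed through; if the skip is intentional, the header comment should state why. A seen-set gives the array the uniqueness its name promises and avoids duplicate ufw rules, and resetting the array at the top makes the function safe to call twice.
```shell
clean_ip() {
  declare host stripped
  declare -A seen=()
  declare -ga handler_jumphost_unique=()
  for host in "${handler_jumphost[@]}"; do
    # Remove leading '[' and trailing ']'
    stripped="${host#\[}"
    stripped="${stripped%\]}"
    # ufw accepts CIDR in 'from': keep ranges, drop exact duplicates only
    if [[ -n "${seen[${stripped}]:-}" ]]; then
      continue
    fi
    seen["${stripped}"]=1
    handler_jumphost_unique+=("${stripped}")
  done
}
```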
@@ -0,0 +1,44 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Wrapper to write a new 'lb config' environment.
+# Globals:
+# BUILD_LOG
+# ERR_UNCRITICAL
+# HANDLER_BUILD_DIR
+# Arguments:
+# None
+#######################################
+lb_build_start() {
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ”¨ Start Build... Log file: %s \e[0m\n" "${BUILD_LOG}"
+ # sleep 1
+
+ # shellcheck disable=SC2164
+ cd "${HANDLER_BUILD_DIR}"
+
+ if lb build --color 2>&1 | tee "${BUILD_LOG}"; then
+ printf "\e[92mβœ… Build successfully completed.\e[0m\n"
+ else
+ printf "\e[91m❌ Build failed!\e[0m\n" >&2
+ exit "${ERR_UNCRITICAL}"
+ fi
+
+ # shellcheck disable=SC2155
+ declare iso_file=$(find . -maxdepth 1 -type f -name "*.iso" | sort | tail -n1)
+
+ if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then
+ printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2
+ exit "${ERR_UNCRITICAL}"
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_lb_config_start.sh b/lib/lib_lb_config_start.sh
new file mode 100644
index 0000000..f663941
--- /dev/null
+++ b/lib/lib_lb_config_start.sh
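Review bot: The test `if lb build --color 2>&1 | tee "${BUILD_LOG}"; then` reports the exit status of `tee`, not of `lb build`, unless `set -o pipefail` is active in the entry script (not visible in this hunk), so a failed build prints "Build successfully completed." and the function carries on to look for an ISO. Run the pipeline as a statement and test the producer's status instead: `lb build --color 2>&1 | tee "${BUILD_LOG}"` followed by `if (( PIPESTATUS[0] == 0 )); then`. The `cd "${HANDLER_BUILD_DIR}"` with SC2164 suppressed has the same flavour — if it fails and errexit is not set, `lb build` runs in whatever directory the caller was in; `cd ... || exit "${ERR_UNCRITICAL}"` is the usual one-line guard. The header comment "Wrapper to write a new 'lb config' environment." is copied from lb_config_write and should describe this function: it runs `lb build`, tees the log and checks that an ISO was produced.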
@@ -0,0 +1,55 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts. +# Globals: +# HANDLER_BUILD_DIR +# Arguments: +# $0: Script-name +####################################### +lb_config_start() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ '%s' starting ... \e[0m\n" "${0}" + + if [[ ! -d ${HANDLER_BUILD_DIR} ]]; then + mkdir -p "${HANDLER_BUILD_DIR}" + # shellcheck disable=SC2164 + cd "${HANDLER_BUILD_DIR}" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… '%s' created. \e[0m\n" "${HANDLER_BUILD_DIR}" + else + # shellcheck disable=SC2164 + cd "${HANDLER_BUILD_DIR}" + fi + + if [[ ! -d "${HANDLER_BUILD_DIR}/.build" ]]; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Preparing environment ... \e[0m\n" + # Start lb config in a completely detached shell + bash -c "lb config" & + disown + sleep 1 + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Preparing environment done.\e[0m\n" + else + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Deleting former config, binary and cache ... 
\e[0m\n" + rm -f ./config/binary + rm -f ./config/bootstrap + rm -f ./config/chroot + rm -f ./config/common + rm -f ./config/source + rm -f ./*.{contents,files,iso,bz2,packages} + # Start lb clean in a completely detached shell + bash -c "lb clean && lb clean --binary --cache" & + disown + sleep 1 + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Deleting former config, binary and cache done.\e[0m\n" + fi +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_config_write.sh b/lib/lib_lb_config_write.sh new file mode 100644 index 0000000..0b1b679 --- /dev/null +++ b/lib/lib_lb_config_write.sh 
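Review bot: `lb config` and `lb clean && lb clean --binary --cache` are started as detached background jobs (`bash -c ... &` plus `disown`) and the function returns after a one-second `sleep`, so everything that follows — the config written by lb_config_write, the hooks, `sshd_config` and `authorized_keys` copied into `config/includes.chroot` in this same commit — races a clean that may still be deleting, and the exit status of both commands is lost. For a builder whose product is a hardened image that is an integrity problem: a hook removed by the late clean yields an image without the hardening it claims, and nothing reports it. Run both in the foreground, `lb config` and `lb clean && lb clean --binary --cache`, and drop the `bash -c`, `disown` and `sleep 1`; if detaching was a workaround for a hang, the reason belongs in a comment next to it.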
@@ -0,0 +1,113 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Wrapper to write a new 'lb config' environment. +# Globals: +# HANDLER_ARCHITECTURE +# HANDLER_BUILD_DIR +# HANDLER_ISO_COUNTER +# VERSION +# WORKDIR +# kernel +# Arguments: +# None +####################################### +lb_config_write() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ Writing new config ... \e[0m\n" + + lb config \ + --apt apt \ + --apt-indices true \ + --apt-recommends true \ + --apt-secure true \ + --apt-source-archives true \ + --architecture "${HANDLER_ARCHITECTURE}" \ + --archive-areas main contrib non-free non-free-firmware \ + --backports true \ + --binary-filesystem fat32 \ + --binary-image iso-hybrid \ + --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic 
page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ + --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ + --bootloaders grub-efi \ + --cache true \ + --checksums sha512 sha256 md5 \ + --chroot-filesystem squashfs \ + --chroot-squashfs-compression-level 22 \ + --chroot-squashfs-compression-type zstd \ + --color \ + --compression bzip2 \ + --debconf-frontend noninteractive \ + --debconf-priority critical \ + --debian-installer cdrom \ + --debian-installer-distribution bookworm \ + --debian-installer-gui true \ + --debian-installer-preseedfile "preseed.cfg" \ + --debug \ + --distribution bookworm \ + --distribution-binary bookworm \ + --distribution-chroot bookworm \ + --firmware-binary true \ + --firmware-chroot true \ + --hdd-label "CENTURIONLIVE" \ + --image-name "ciss-debian-live-${HANDLER_ISO_COUNTER}" \ + --initramfs "live-boot" \ + --initramfs-compression gzip \ + --initsystem systemd \ + --iso-application "CISS.debian.live.builder: ${VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \ + --iso-preparer '(C) 2018-2025, 
Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \ + --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \ + --iso-volume 'CISS.debian.live' \ + --linux-flavours "${kernel}" \ + --linux-packages linux-image \ + --loadlin true \ + --memtest memtest86+ \ + --mirror-binary 'https://deb/debian.org/debian/' \ + --mirror-binary-security 'https://security.debian.org/' \ + --mirror-bootstrap 'https://deb.debian.org/debian/' \ + --mirror-chroot 'https://deb.debian.org/debian/' \ + --mirror-chroot-security 'https://security.debian.org/' \ + --mirror-debian-installer 'https://deb.debian.org/debian/' \ + --mode debian \ + --parent-archive-areas main contrib non-free non-free-firmware \ + --parent-debian-installer-distribution bookworm \ + --parent-distribution bookworm \ + --parent-distribution-binary bookworm \ + --parent-distribution-chroot bookworm \ + --parent-mirror-binary 'https://deb.debian.org/debian/' \ + --parent-mirror-binary-security 'https://security.debian.org/' \ + --parent-mirror-bootstrap 'https://deb.debian.org/debian/' \ + --parent-mirror-chroot 'https://deb.debian.org/debian/' \ + --parent-mirror-chroot-security 'https://security.debian.org/' \ + --parent-mirror-debian-installer 'https://deb.debian.org/debian/' \ + --security true \ + --system live \ + --source false \ + --source-images tar \ + --uefi-secure-boot auto \ + --updates true \ + --utc-time true \ + --verbose + + sleep 1 + + sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary + sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary + + mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot + cp -a "${WORKDIR}/scripts/live-boot/0030-verify-checksums" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + chmod 0755 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + chown root:root 
"${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… Writing new config done.\e[0m\n" +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_provider_netcup.sh b/lib/lib_provider_netcup.sh new file mode 100644 index 0000000..5895cda --- /dev/null +++ b/lib/lib_provider_netcup.sh 
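Review bot: `--mirror-binary 'https://deb/debian.org/debian/'` has a `/` where a `.` belongs — every other `--mirror-*` option in this call uses `deb.debian.org` — so the mirror baked into the image's apt sources for the binary stage points at a host that does not exist; it should read `--mirror-binary 'https://deb.debian.org/debian/'`. The follow-up `sed` on `./config/binary` also looks fragile: it rewrites the literal `LB_CHECKSUMS="sha512 md5"`, but `--checksums sha512 sha256 md5` a few lines earlier presumably makes lb write that value instead, in which case the substitution never matches and md5 stays in the checksum list — worth confirming against the generated file, and simpler to request the intended set directly (`--checksums sha512 sha384 sha256`) than to patch it afterwards.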
@@ -0,0 +1,45 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Notes Textbox +# Arguments: +# None +####################################### +provider_netcup() { + if "${handler_netcup_ipv6}"; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ πŸ§ͺ %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + + declare handler_netcup_ipv6_string="${handler_netcup_ipv6_array[*]}" + + mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d + + cat << EOF >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static +### Static IPv6 Address for Netcup Root Server +iface ens3 inet6 static + address ${handler_netcup_ipv6_string}/128 + ### dns01.eddns.eu dns02.eddns.de + dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53 + gateway fe80::1 + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh +EOF + + sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" + rm -f "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + cp "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + chmod 0755 "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ βœ… %s successful applied. 
\e[0m\n" "${BASH_SOURCE[0]}" + fi +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_run_analysis.sh b/lib/lib_run_analysis.sh new file mode 100644 index 0000000..77d5986 --- /dev/null +++ b/lib/lib_run_analysis.sh 
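Review bot: The `sed -i` rewrites the template `9999_interfaces_update_netcup.chroot` under `${WORKDIR}/scripts` in place, so the `MUST_BE_REPLACED` placeholder is consumed on the first run and a later build with a different address silently reuses the old one (and leaves the working tree modified). Render into the build directory and leave the source untouched: `sed "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" > "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"`, which also makes the `rm -f`/`cp` pair unnecessary. The address is interpolated unescaped into both the sed replacement and the heredoc; that is only safe if it went through the argument sanitizer (whose allowed set excludes `|`, `&` and newline), which this function does not show, so a local `[[ ${handler_netcup_ipv6_string} =~ ^[0-9a-fA-F:]+$ ]] || exit 1` would make it self-contained. Note also that `address ${handler_netcup_ipv6_string}/128` joins all array entries with spaces, so more than one entry produces an invalid interfaces stanza.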
@@ -0,0 +1,96 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-07; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: ZIMNOL, AndrΓ© H.; Private Contributor +# SPDX-FileCopyrightText: 2025; ZIMNOL, AndrΓ© H.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Wrapper for statistic functions of the final build. +# Globals: +# BUILD_LOG +# CHROOT_DIR +# ERR_UNCRITICAL +# HANDLER_BUILD_DIR +# PACKAGES_FILE +# Arguments: +# None +####################################### +run_analysis() { + # shellcheck disable=SC2164 + cd "${HANDLER_BUILD_DIR}" + # shellcheck disable=SC2155 + declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1) + + if [[ -z ${iso_file} || ! -f ${iso_file} ]]; then + printf "\e[91m❌ No ISO Image found.\e[0m\n" >&2 + exit "${ERR_UNCRITICAL}" + fi + + printf "\e[92mπŸ“Š Start analysis of : %s ... 
\e[0m\n" "${iso_file}" + # shellcheck disable=SC2155 + declare iso_size_hr=$(du -h "${iso_file}" | awk '{print $1}') + # shellcheck disable=SC2155 + declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}') + # shellcheck disable=SC2155 + declare chroot_size_hr=$(du -sh "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}') + # shellcheck disable=SC2155 + declare chroot_size_bytes=$(du -sb "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}') + # shellcheck disable=SC2155 + declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }') + # shellcheck disable=SC2155 + declare package_count=$(wc -l < "${PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden") + # shellcheck disable=SC2155 + declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${BUILD_LOG}")" + + if [[ -f "${BUILD_LOG}" ]]; then + # shellcheck disable=SC2155 + declare start_line=$(grep 'lb build' "${BUILD_LOG}" | head -n1 || true) + # shellcheck disable=SC2155 + declare end_line=$(grep 'lb source' "${BUILD_LOG}" | tail -n1 || true) + + if [[ -n "${start_line}" && -n "${end_line}" ]]; then + # shellcheck disable=SC2155 + declare start_epoch=$(echo "${start_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s) + # shellcheck disable=SC2155 + declare end_epoch=$(echo "${end_line}" | sed -E 's/^\[([0-9:-]+ [0-9:]+)\].*/\1/' | xargs -I{} date -d "{}" +%s) + # shellcheck disable=SC2155 + declare duration_sec=$((end_epoch - start_epoch)) + # shellcheck disable=SC2155 + declare duration_min=$((duration_sec / 60)) + # shellcheck disable=SC2155 + declare duration_rest=$((duration_sec % 60)) + # shellcheck disable=SC2155 + declare build_duration=$(printf "%02dm:%02ds" "${duration_min}" "${duration_rest}") + else + declare build_duration="(Timestamp not found)" + fi + else + declare build_duration="(No log file found)" + fi + + # shellcheck disable=SC2155 + declare sha_sum=$(sha256sum "$iso_file" | tee 
"$iso_file.sha256" | awk '{print $1}') + # shellcheck disable=SC2155 + declare time=$(date '+%Y-%m-%d %H:%M:%S') + + printf "\e[92m🧾 === Build summary === \e[0m\n" + printf "\e[92m────────────────────────────────────────────────────────────────────────────────────────\e[0m\n" + printf "\e[97mπŸ“¦ ISO-File : %s \e[0m\n" "${iso_file}" + printf "\e[97mπŸ“€ ISO-Size : %s \e[0m\n" "${iso_size_hr}" + printf "\e[97mπŸ“‚ Chroot-Size : %s \e[0m\n" "${chroot_size_hr}" + printf "\e[97mπŸ“‰ Compression-level : %s \e[0m\n" "${compression}" + printf "\e[97mπŸ“¦ Packages : %s \e[0m\n" "${package_count}" + printf "\e[97m⏱ Build Time : %s \e[0m\n" "${build_duration}" + printf "\e[97m🧠 CPUs for SquashFS : %s \e[0m\n" "${squash_cpu_used}" + printf "\e[97mπŸ” SHA256SUM : %s \e[0m\n" "${sha_sum}" + printf "\e[92m────────────────────────────────────────────────────────────────────────────────────────\e[0m\n" + printf "\e[97mπŸ“… Analysis Time : %s \e[0m\n" "${time}" + printf "\e[92mβœ… Analysis completed.\e[0m\n" +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_sanitizer.sh b/lib/lib_sanitizer.sh new file mode 100644 index 0000000..a212d78 --- /dev/null +++ b/lib/lib_sanitizer.sh 
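Review bot: The compression ratio `awk ... 100 * iso / chroot` divides by `chroot_size_bytes`, which is empty whenever `du -sb "${CHROOT_DIR}"` fails (its stderr is discarded), so a missing chroot turns into an awk division-by-zero error in the middle of the summary; guard it with `'BEGIN { if (chroot > 0) printf "%.2f%%", 100 * iso / chroot; else print "n/a" }'`. The `package_count` fallback `"nicht gefunden"` is the only German string in an otherwise English UI and should be `"not found"`. Since this summary is what a consumer checks the ISO against, the `sha256sum ... | tee "$iso_file.sha256"` line deserves a comment saying the sidecar covers only this run's image and is unsigned, so nobody mistakes it for a release signature.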
@@ -0,0 +1,85 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Argument Check Wrapper +# Arguments: +# $1: "$@" of ./ciss_live_builder.sh +####################################### +arg_check() { + declare a + declare sanitized_args=() + for a in "$@"; do + sanitized_args+=( "$(sanitize_arg "${a}")" ) + done + set -- "${sanitized_args[@]}" +} + +####################################### +# Function to sanitize a single argument +# Globals: +# ERROR_LOG +# ERR_INVLD_CHAR +# Arguments: +# $1: Argument to check +####################################### +sanitize_arg() { + declare input="$1" + # Define allowed characters: + # letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space. + declare allowed='a-zA-Z0-9._/=\[\]:"\- ' + declare disallowed + disallowed=$(printf '%s' "${input}" | tr -d "${allowed}") + + if [[ -n ${disallowed} ]]; then + { + printf "❌ Invalid character : '%s'. \n" "${disallowed//?/& }" + printf "❌ in argument : '%s'. \n" "${input}" + printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - ' \n" + printf "\n" + } >> "${ERROR_LOG}" + boot_screen_cleaner + printf "\e[91m❌ Invalid character : '%s'. \e[0m\n" "${disallowed//?/& }" >&2 + printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2 + printf "\e[91m❌ Allowed Characters : 'a-z A-Z 0-9 . 
_ / = [ ] : \" - ' \e[0m\n" >&2 + # shellcheck disable=SC2162 + read -p $'\e[92mβœ… Press \'ENTER\' to exit the script ... \e[0m' + exit "${ERR_INVLD_CHAR}" + else + printf '%s' "${input}" + fi +} + +####################################### +# Function to remove any character not in the allowed set +# Arguments: +# $1: String to Sanitize +####################################### +sanitize_string() { + declare input="$1" + # Define allowed characters: + # letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space. + declare allowed='a-zA-Z0-9._/=\[\]:"\- ' + printf '%s' "${input}" | tr -cd "${allowed}" +} + +####################################### +# Function to escape all shell metacharacters +# Arguments: +# $1: String to Sanitize +####################################### +sanitize_shell_literal() { + declare input="$1" + # %q quotes the string so that the shell re-reads it as the original literal + printf '%q' "${input}" +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_trap_on_err.sh b/lib/lib_trap_on_err.sh new file mode 100644 index 0000000..794f316 --- /dev/null +++ b/lib/lib_trap_on_err.sh 
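Review bot: `arg_check` ends with `set -- "${sanitized_args[@]}"`, which rebinds only the function's own positional parameters; the caller's `$@` is unchanged and `sanitized_args` is discarded. Nothing is actually lost, because `sanitize_arg` either prints its input verbatim or exits, so the pair is a fail-closed validator rather than a sanitizer — the right behaviour for a builder that interpolates these values into `sed` scripts — but the name and the `ARG_STR_SANITIZED` bookkeeping elsewhere in this commit suggest otherwise. Either have `arg_check` emit the validated list (`printf '%s\n' "${sanitized_args[@]}"`) for the caller to `mapfile`, or drop the dead `set --` and state in the header comment that an invalid character terminates the script. The `\[`/`\]` escapes inside the `tr` set rely on GNU tr's handling of unknown backslash escapes; POSIX tr does not define them, so the bracket literals should be checked on the target tr (an unescaped `[]` inside the set works on both).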
@@ -0,0 +1,162 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Print Error Message for Trap on 'ERR' in ${ERROR_LOG} +# Globals: +# ARGUMENTS_COUNT +# ARG_STR_ORG_INPUT +# ARG_STR_SANITIZED +# DEBUG_LOG +# EARLY_DEBUG +# ERROR_LOG +# VAR_LOG +# VERSION +# errcmmd +# errcode +# errfunc +# errline +# errscrt +# Arguments: +# None +####################################### +print_file_err() { + { + printf "❌ CISS.debian.live.builder Script failed. 
\n" + printf "❌ Version : %s \n" "${VERSION}" + printf "❌ Environment : %s \n" "${SYSTEM_VAR}" + printf "❌ Error : %s \n" "${errcode}" + printf "❌ Line : %s \n" "${errline}" + printf "❌ Script : %s \n" "${errscrt}" + printf "❌ Function : %s \n" "${errfunc}" + printf "❌ Command : %s \n" "${errcmmd}" + printf "❌ Script Runtime : %s \n" "${SECONDS}" + printf "❌ Arguments Counter : %s \n" "${ARGUMENTS_COUNT}" + printf "❌ Arguments Original : %s \n" "${ARG_STR_ORG_INPUT}" + printf "❌ Arguments Sanitized : %s \n" "${ARG_STR_SANITIZED}" + if "${EARLY_DEBUG}"; then + printf "❌ Vars Dump saved at : %s \n" "${VAR_LOG}" + printf "❌ Debug Log saved at : %s \n" "${DEBUG_LOG}" + printf "❌ cat %s \n" "${DEBUG_LOG}" + fi + printf "\n" + } >> "${ERROR_LOG}" +} + +####################################### +# Print Error Message for Trap on 'ERR' on Terminal +# Globals: +# ARGUMENTS_COUNT +# ARG_STR_ORG_INPUT +# ARG_STR_SANITIZED +# DEBUG_LOG +# EARLY_DEBUG +# ERROR_LOG +# VAR_LOG +# VERSION +# errcmmd +# errcode +# errfunc +# errline +# errscrt +# Arguments: +# None +####################################### +print_scr_err() { + printf "\e[91m❌ CISS.debian.live.builder Script failed. 
\e[0m\n" >&2 + printf "\e[91m❌ Version : %s \e[0m\n" "${VERSION}" >&2 + printf "\e[91m❌ Environment : %s \e[0m\n" "${SYSTEM_VAR}" >&2 + printf "\e[91m❌ Error : %s \e[0m\n" "${errcode}" >&2 + printf "\e[91m❌ Line : %s \e[0m\n" "${errline}" >&2 + printf "\e[91m❌ Script : %s \e[0m\n" "${errscrt}" >&2 + printf "\e[91m❌ Function : %s \e[0m\n" "${errfunc}" >&2 + printf "\e[91m❌ Command : %s \e[0m\n" "${errcmmd}" >&2 + printf "\e[91m❌ Script Runtime : %s \e[0m\n" "${SECONDS}" >&2 + printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2 + printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2 + printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${ARG_STR_SANITIZED}" >&2 + printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${ERROR_LOG}" >&2 + printf "\e[91m❌ cat %s \e[0m\n" "${ERROR_LOG}" >&2 + if "${EARLY_DEBUG}"; then + printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${VAR_LOG}" >&2 + printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${DEBUG_LOG}" >&2 + printf "\e[91m❌ cat %s \e[0m\n" "${DEBUG_LOG}" >&2 + fi + printf "\n" +} + +####################################### +# Trap function to be called on 'ERR'. +# Globals: +# EARLY_DEBUG +# Arguments: +# $1: $? 
+# $2: ${BASH_SOURCE[0]} +# $3: ${LINENO} +# $4: ${FUNCNAME[0]:-main} +# $5: ${BASH_COMMAND} +####################################### +trap_on_err() { + declare -g errcode="$1" + declare -g errscrt="$2" + declare -g errline="$3" + declare -g errfunc="$4" + declare -g errcmmd="$5" + trap - ERR + if "${EARLY_DEBUG}"; then dump_user_vars; fi + clean_up "${errcode}" + clean_screen + print_file_err + print_scr_err +} + +####################################### +# Gather all user-defined variables (name and value) +# Globals: +# VAR_LOG +# VERSION +# dump_vars_initial +# var +# Arguments: +# None +####################################### +dump_user_vars() { + ### Capture the final snapshot of all variables (excluding '^(BASH|_).*') + # shellcheck disable=SC2155 + declare dump_vars_final=$(mktemp) + set +x + { + declare var + while IFS= read -r var; do + declare -p "${var}" 2>/dev/null + done < <(compgen -v | grep -Ev '^(BASH|_).*') + } | sort >| "${dump_vars_final}" + set -x + + { + printf "βœ… CISS.debian.live.builder Config Variable Dump. \n" + printf "βœ… Version : %s \n" "${VERSION}" + printf "\n" + printf "===== Initial VAR Environment ===== \n" + } >> "${VAR_LOG}" + + comm -23 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true + + { + printf "\n" + printf "===== Final VAR Environment ===== \n" + } >> "${VAR_LOG}" + + comm -13 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true + rm "${dump_vars_initial}" "${dump_vars_final}" +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_trap_on_exit.sh b/lib/lib_trap_on_exit.sh new file mode 100644 index 0000000..2ff8b82 --- /dev/null +++ b/lib/lib_trap_on_exit.sh 
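Review bot: `dump_user_vars` writes `declare -p` for every variable not matching `^(BASH|_)` into `${VAR_LOG}` — including environment inherited from the caller — with no redaction and no permission tightening, so if the builder is ever run with a credential in its environment (not visible here) that value lands in clear in a log file. Tighten it with `chmod 0600 "${VAR_LOG}"` after the writes and filter obviously sensitive names, e.g. `grep -Ev '^(BASH|_).*' | grep -Eiv 'pass|secret|token'`, accepting that a few benign names are skipped. Unrelated but in the same function: `set -x` is re-enabled unconditionally after the snapshot, which turns tracing on even when it was off; save and restore with `[[ $- == *x* ]] && was_x=1` before `set +x` and `(( was_x )) && set -x` afterwards.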
@@ -0,0 +1,66 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Trap function to be called on 'EXIT'. +# Globals: +# EARLY_DEBUG +# Arguments: +# $1: $? +####################################### +trap_on_exit() { + declare -r trap_on_exit_code="$1" + trap - EXIT + if (( trap_on_exit_code == 0 )); then + if "${EARLY_DEBUG}"; then dump_user_vars; fi + clean_up "${trap_on_exit_code}" + print_scr_exit "${trap_on_exit_code}" + exit 0 + else + exit "${trap_on_exit_code}" + fi +} + +####################################### +# Print Success Message for Trap on 'EXIT' on 'stdout' +# Globals: +# DEBUG +# DEBUG_LOG +# HANDLER_BUILD_DIR +# VAR_LOG +# handler_success +# Arguments: +# $1: ${trap_on_exit_code} of trap_on_exit() +####################################### +print_scr_exit() { + declare -r print_scr_exit_code="$1" + if (( print_scr_exit_code == 0 )); then + if [[ "${handler_success}" == "true" ]]; then + printf "\n" + printf "\e[92mβœ… CISS.debian.live.builder Script successful. 
\e[0m\n" + printf "\e[92mβœ… Aide Initial DB at: %s \e[0m\n" "${HANDLER_BUILD_DIR}/.integrity/" + printf "\e[92mβœ… Exited with Status: %s \e[0m\n" "${print_scr_exit_code}" + printf "\n" + if [[ "${EARLY_DEBUG}" == "true" ]]; then + printf "\e[92mβœ… Script Runtime : %s \e[0m\n" "${SECONDS}" + printf "\e[92mβœ… Vars Dump saved at: %s \e[0m\n" "${VAR_LOG}" + printf "\e[92mβœ… Debug Log saved at: %s \e[0m\n" "${DEBUG_LOG}" + printf "\e[92mβœ… cat %s \e[0m\n" "${DEBUG_LOG}" + printf "\n" + fi + printf "\e[95mπŸ’· Please consider donating to my work at: \e[0m\n" + printf "\e[95mπŸ”— https://coresecret.eu/spenden/ \e[0m\n" + printf "\n" + fi + fi +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh new file mode 100644 index 0000000..7107275 --- /dev/null +++ b/lib/lib_usage.sh 
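Review bot: `trap_on_exit` calls `clean_up` only on the zero-status path; a non-zero status that did not pass through the ERR trap — every explicit `exit "${ERR_UNCRITICAL}"` in this commit sits in an `if`/`else` whose failing condition does not fire ERR — reaches the `else` branch and re-exits with no cleanup at all. Whatever `clean_up` does (it is defined outside this hunk), its work is then skipped on exactly the failure runs where leftover build state matters most. Call it on both paths, `else clean_up "${trap_on_exit_code}"; exit "${trap_on_exit_code}"; fi`, unless it is guaranteed to have run already, in which case a comment saying so would prevent the next reader from asking the same question. Minor: `print_scr_exit` announces `Aide Initial DB at: ${HANDLER_BUILD_DIR}/.integrity/` without checking that the directory exists.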
@@ -0,0 +1,141 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +####################################### +# Usage Wrapper CISS.debian.live.builder +# Globals: +# ERR_UNCRITICAL +# Arguments: +# $0: Script name +####################################### +usage() { + clear + cat << EOF + +$(echo -e "\e[92mCISS.debian.live.builder\e[0m") +$(echo -e "\e[92mMaster V8.02.512.2025.05.30\e[0m") + +$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") +$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m") + +$(echo -e "\e[95mhttps://coresecret.eu/\e[0m") + +$(echo -e "\e[97mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m") + +"${0}