diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index 4abfe38..ed00f64 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -214,12 +214,17 @@ hardening_ssh lb_config_start if [[ "${VAR_SUITE}" == "bookworm" ]]; then + lb_config_write rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot" + rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs" + else + lb_config_write_trixie rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot" rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot" + fi # shellcheck disable=SC2164 diff --git a/config/includes.chroot/etc/login.defs b/config/includes.chroot/etc/login.defs new file mode 100644 index 0000000..e688e47 --- /dev/null +++ b/config/includes.chroot/etc/login.defs @@ -0,0 +1,209 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# +# /etc/login.defs - Configuration control definitions for the shadow package. +# + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS yes + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format similar to "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions for terminals after login(1). +# These settings are ignored for remote and other logins. +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +#TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +ERASECHAR 0177 +KILLCHAR 025 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +HOME_MODE 0700 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 16384 +PASS_MIN_DAYS 1 +PASS_WARN_AGE 128 + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 101 +#SYS_UID_MAX 999 +# Extra per user uids +SUB_UID_MIN 100000 +SUB_UID_MAX 600100000 +SUB_UID_COUNT 65536 + +# +# Min/max values for automatic gid selection in groupadd(8) +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 101 +#SYS_GID_MAX 999 +# Extra per user group ids +SUB_GID_MIN 100000 +SUB_GID_MAX 600100000 +SUB_GID_COUNT 65536 + +# +# Max number of login(1) retries if password is bad +# This will most likely be overriden by PAM, since the default pam_unix module +# has it's own built in of 3 retries. However, this is a safe fallback in case +# you are using an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login(1) +# +LOGIN_TIMEOUT 180 + +# +# Which fields may be changed by regular users using chfn(1) - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# If set to MD5, MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password +# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD YESCRYPT + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# The pwck(8) utility emits a warning for any system account with a home +# directory that does not exist. Some system accounts intentionally do +# not have a home directory. Such accounts may have this string as +# their home directory in /etc/passwd to avoid a spurious warning. +# +NONEXISTENT /nonexistent + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel(8) will remove the user's group if it contains no more +# members, and useradd(8) will create by default a group with the name of the +# user. +# +# Other former uses of this variable are not used in PAM environments, such as +# Debian. +# +USERGROUPS_ENAB yes + +# +# Added by CISS.debian.live.builder for redundance +umask 077 + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 5641adc..02916af 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -21,6 +21,7 @@ include_toc: true * **Added**: [trixie-updates.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources) * **Bugfixes**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) * **Updated**: [bash.var.sh](../var/bash.var.sh) +* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) * **Updated**: Support for Debian Trixie via Argument ``--trixie`` * **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.1.0-37-amd64`` diff --git a/scripts/0010_dhcp_supersede.sh b/scripts/0010_dhcp_supersede.sh index 52b9b47..8cb2a2a 100644 --- a/scripts/0010_dhcp_supersede.sh +++ b/scripts/0010_dhcp_supersede.sh @@ -12,22 +12,60 @@ set -C -e -u -o pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" -# sleep 1 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp + fi -cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf +cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf # Custom dhclient config to override DHCP DNS # dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu; supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109; +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf +EOF + + +cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf + +# Enforce static DNS and prevent dhcpcd from writing resolv.conf +nooption domain_name_servers +nohook resolv.conf + +# Static resolvers (IPv4). +static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109 + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf +EOF + + +cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +# static /etc/resolv.conf (CISS) + +nameserver 135.181.207.105 +nameserver 89.58.62.53 +nameserver 138.199.237.109 +options edns0 + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}" -# sleep 1 + exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh