## V8.13.128.2025.10.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 23:22:55 +01:00
parent cae8d68ecc
commit db9dca9fa2
18 changed files with 205 additions and 30 deletions
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -354,6 +354,65 @@ EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
 #######################################
 # Simple error terminal logger.
 # Arguments:
 #   None
 #######################################
 log(){ printf '[kbd-fix] %s\n' "$*" >&2; }
 log "Ensuring required packages…"
 export DEBIAN_FRONTEND=noninteractive
 apt-get install -y --no-install-recommends keyboard-configuration console-setup xkb-data
 log "Writing /etc/default/keyboard"
 rm -f /etc/default/keyboard
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
 XKBLAYOUT="de"
 XKBVARIANT=""
 XKBOPTIONS=""
 BACKSPACE="guess"
 EOF
 log "Removing remap fragments (if any)"
 rm -f /etc/console-setup/remap.inc /etc/console-setup/*remap* 2>/dev/null || true
 log "Purging cached console keymaps"
 rm -f /etc/console-setup/cached*.kmap.gz 2>/dev/null || true
 log "Rebuilding cached console keymap"
 setupcon --save-only --force --keyboard-only
 log "Validating via ckbcomp"
 err="$(mktemp)"
 if ! ckbcomp -model pc105 -layout de -variant '' -option '' >/dev/null 2>"${err}"; then
  log "ERROR: ckbcomp failed:"
  sed -n '1,200p' "${err}" >&2
  exit 127
 fi
 if grep -q 'Unknown X keysym' "${err}"; then
  log "ERROR: Unknown X keysyms remain; check custom remaps or xkb-data version:"
  sed -n '1,200p' "${err}" >&2
  exit 128
 fi
 rm -f "${err}"
 install -d /etc/systemd/system/keyboard-setup.service.d
 rm -f /etc/systemd/system/keyboard-setup.service.d/10-after-localfs.conf
 cat << 'EOF' >| /etc/systemd/system/keyboard-setup.service.d/10-after-localfs.conf
 [Unit]
 After=local-fs.target
 EOF
 log "Done. Remaps & caches cleaned; cached.kmap.gz regenerated; validation passed."
 ### Regenerate the initramfs for the live system kernel
 update-initramfs -u -k all -v
--- a/config/hooks/live/0005_tmpfile_dublette.chroot
+++ b/config/hooks/live/0005_tmpfile_dublette.chroot
@@ -0,0 +1,72 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
 #######################################
 # Simple error terminal logger.
 # Arguments:
 #   None
 #######################################
 log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
 ### Locate vendor 'legacy.conf' (The path can vary).
 declare vendor=""
 for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
  if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
 done
 if [[ -z "${vendor}" ]]; then
  log "WARN: vendor legacy.conf not found; creating a minimal override"
  install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
 else
  install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
 fi
 ### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
 # shellcheck disable=SC2155
 declare tmpdir="$(mktemp -d)"
 declare out="${tmpdir}/legacy.conf"
 awk '
 BEGIN{seen=0}
 {
  # Preserve everything by default
  keep=1
  # Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
  if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
    if (seen==1) { keep=0 } else { seen=1 }
  }
  if (keep) print
 }' /etc/tmpfiles.d/legacy.conf >| "${out}"
 ### Install the sanitized file atomically.
 install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
 rm -rf -- "${tmpdir}"
 log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
 command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -12,7 +12,6 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
@@ -24,7 +23,8 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get update
 apt-get install -y eza
 git clone https://github.com/eza-community/eza-themes.git
@@ -145,10 +145,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd
 unset repo latest_release download_url
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -12,17 +12,16 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get update
 apt-get install -y lynis
 lynis show version
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -68,6 +68,8 @@ maxupdateskew 100.0
 rtcsync
 makestep 0.25 3
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 chmod 0644 /etc/chrony/chrony.conf
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -12,7 +12,6 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 declare target_script="/etc/cron.d/restart-ssh"
@@ -21,7 +20,7 @@ cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
 EOF
-chmod 644 "${target_script}"
+chmod 0644 "${target_script}"
 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
@@ -43,10 +42,8 @@ systemctl start ssh
 EOF
 chmod +x /usr/local/bin/restart-ssh.sh
 unset target_script
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -12,9 +12,8 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get install -y curl
+export DEBIAN_FRONTEND="noninteractive"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
@@ -22,7 +21,6 @@ cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -0,0 +1,48 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND=noninteractive
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
 case "${ARCH}" in
  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
 esac
 cd /tmp
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
 cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
  --certificate    "sops-${SOPS_VER}.checksums.pem" \
  --signature      "sops-${SOPS_VER}.checksums.sig" \
  --certificate-identity-regexp="https://github.com/getsops" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
 sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
 install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
 sops --version --check-for-updates
 age --version
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y usbguard
 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -26,7 +26,6 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y auditd
 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
@@ -390,9 +389,20 @@ cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #[Service]
 #ExecStart=
 #ExecStart=/sbin/auditctl -R /etc/audit/audit.rules >/dev/null 2>&1
 [Unit]
 After=auditd.service
 ConditionSecurity=audit
 [Service]
 Type=oneshot
 ExecStart=
 ExecStartPre=/bin/sh -c '/sbin/auditctl -D >/dev/null 2>&1 || true'
 ExecStart=/sbin/auditctl -R /etc/audit/audit.rules
 RemainAfterExit=yes
 EOF
--- a/config/includes.chroot/root/.ciss/check_chrony.sh
+++ b/config/includes.chroot/root/.ciss/check_chrony.sh
@@ -10,12 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Minimal leap-second probe for Debian/chrony systems
 # - Prints kernel leap flags & TAI offset (ΔAT)
 # - Reads tzdata's leap-seconds list (authoritative TAI-UTC)
 # - Shows chrony tracking summary (incl. leap status)
 # - Demonstrates 23:59:60 rendering via TZ=right/UTC
 set -Ceuo pipefail
 #######################################
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -9,6 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 adjtimex
 age
 apparmor
 apparmor-profiles-extra
 apparmor-utils
@@ -32,6 +33,7 @@ clamav
 clamav-daemon
 clang-18
 console-setup
 cosign
 cpuid
 cryptsetup
 cryptsetup-nuke-password
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -14,7 +14,10 @@ include_toc: true
 ## V8.13.128.2025.10.10
 * **Added**: Packages ``age``, ``cosign``
 * **Added**: Repository https://github.com/getsops/sops.git
 * **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot)
 * **Added**: [0860_sops.chroot](../config/hooks/live/0860_sops.chroot)
 * **Added**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
 * **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)