## V8.13.128.2025.10.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-10 23:22:55 +01:00
parent cae8d68ecc
commit db9dca9fa2
18 changed files with 205 additions and 30 deletions
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -354,6 +354,65 @@ EOF

 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder

+#######################################
+# Simple error terminal logger.
+# Arguments:
+#   None
+#######################################
+log(){ printf '[kbd-fix] %s\n' "$*" >&2; }
+
+log "Ensuring required packages…"
+export DEBIAN_FRONTEND=noninteractive
+apt-get install -y --no-install-recommends keyboard-configuration console-setup xkb-data
+
+log "Writing /etc/default/keyboard"
+rm -f /etc/default/keyboard
+cat << 'EOF' >| /etc/default/keyboard
+XKBMODEL="pc105"
+XKBLAYOUT="de"
+XKBVARIANT=""
+XKBOPTIONS=""
+BACKSPACE="guess"
+EOF
+
+log "Removing remap fragments (if any)"
+rm -f /etc/console-setup/remap.inc /etc/console-setup/*remap* 2>/dev/null || true
+
+log "Purging cached console keymaps"
+rm -f /etc/console-setup/cached*.kmap.gz 2>/dev/null || true
+
+log "Rebuilding cached console keymap"
+setupcon --save-only --force --keyboard-only
+
+log "Validating via ckbcomp"
+err="$(mktemp)"
+if ! ckbcomp -model pc105 -layout de -variant '' -option '' >/dev/null 2>"${err}"; then
+
+  log "ERROR: ckbcomp failed:"
+  sed -n '1,200p' "${err}" >&2
+  exit 127
+
+fi
+
+if grep -q 'Unknown X keysym' "${err}"; then
+
+  log "ERROR: Unknown X keysyms remain; check custom remaps or xkb-data version:"
+  sed -n '1,200p' "${err}" >&2
+  exit 128
+
+fi
+
+rm -f "${err}"
+
+install -d /etc/systemd/system/keyboard-setup.service.d
+rm -f /etc/systemd/system/keyboard-setup.service.d/10-after-localfs.conf
+cat << 'EOF' >| /etc/systemd/system/keyboard-setup.service.d/10-after-localfs.conf
+[Unit]
+After=local-fs.target
+EOF
+
+log "Done. Remaps & caches cleaned; cached.kmap.gz regenerated; validation passed."
+
 ### Regenerate the initramfs for the live system kernel
 update-initramfs -u -k all -v

--- a/config/hooks/live/0005_tmpfile_dublette.chroot
+++ b/config/hooks/live/0005_tmpfile_dublette.chroot
@@ -0,0 +1,72 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+# Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
+
+#######################################
+# Simple error terminal logger.
+# Arguments:
+#   None
+#######################################
+log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
+
+### Locate vendor 'legacy.conf' (The path can vary).
+declare vendor=""
+
+for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
+
+  if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
+
+done
+
+if [[ -z "${vendor}" ]]; then
+  log "WARN: vendor legacy.conf not found; creating a minimal override"
+  install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
+
+else
+
+  install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
+
+fi
+
+### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
+# shellcheck disable=SC2155
+declare tmpdir="$(mktemp -d)"
+declare out="${tmpdir}/legacy.conf"
+
+awk '
+BEGIN{seen=0}
+{
+  # Preserve everything by default
+  keep=1
+  # Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
+  if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
+    if (seen==1) { keep=0 } else { seen=1 }
+  }
+  if (keep) print
+}' /etc/tmpfiles.d/legacy.conf >| "${out}"
+
+### Install the sanitized file atomically.
+install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
+rm -rf -- "${tmpdir}"
+
+log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
+
+command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -12,7 +12,6 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root

@@ -24,7 +23,8 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list

-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
+apt-get update
 apt-get install -y eza

 git clone https://github.com/eza-community/eza-themes.git
@@ -145,10 +145,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd

-unset repo latest_release download_url
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -12,17 +12,16 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list

-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
+apt-get update
 apt-get install -y lynis
 lynis show version

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -68,6 +68,8 @@ maxupdateskew 100.0
 rtcsync

 makestep 0.25 3
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

 chmod 0644 /etc/chrony/chrony.conf
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -12,7 +12,6 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root
 declare target_script="/etc/cron.d/restart-ssh"
@@ -21,7 +20,7 @@ cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
 EOF

-chmod 644 "${target_script}"
+chmod 0644 "${target_script}"

 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
@@ -43,10 +42,8 @@ systemctl start ssh
 EOF

 chmod +x /usr/local/bin/restart-ssh.sh
-unset target_script

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -12,9 +12,8 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

-apt-get install -y curl
+export DEBIAN_FRONTEND="noninteractive"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs

@@ -22,7 +21,6 @@ cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -0,0 +1,48 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+export DEBIAN_FRONTEND=noninteractive
+
+SOPS_VER="v3.11.0"
+ARCH="$(dpkg --print-architecture)"
+case "${ARCH}" in
+  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
+  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
+  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
+esac
+
+cd /tmp
+
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
+curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
+
+cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
+  --certificate    "sops-${SOPS_VER}.checksums.pem" \
+  --signature      "sops-${SOPS_VER}.checksums.sig" \
+  --certificate-identity-regexp="https://github.com/getsops" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+
+sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
+
+install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
+sops --version --check-for-updates
+age --version
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

+export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y acct

 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

+export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y usbguard

 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -26,7 +26,6 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root

 export DEBIAN_FRONTEND="noninteractive"
-
 apt-get install -y auditd

 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
@@ -390,9 +389,20 @@ cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+#[Service]
+#ExecStart=
+#ExecStart=/sbin/auditctl -R /etc/audit/audit.rules >/dev/null 2>&1
+
+[Unit]
+After=auditd.service
+ConditionSecurity=audit
+
 [Service]
+Type=oneshot
 ExecStart=
+ExecStartPre=/bin/sh -c '/sbin/auditctl -D >/dev/null 2>&1 || true'
 ExecStart=/sbin/auditctl -R /etc/audit/audit.rules
+RemainAfterExit=yes

 EOF

--- a/config/includes.chroot/root/.ciss/check_chrony.sh
+++ b/config/includes.chroot/root/.ciss/check_chrony.sh
@@ -10,12 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Minimal leap-second probe for Debian/chrony systems
-# - Prints kernel leap flags & TAI offset (ΔAT)
-# - Reads tzdata's leap-seconds list (authoritative TAI-UTC)
-# - Shows chrony tracking summary (incl. leap status)
-# - Demonstrates 23:59:60 rendering via TZ=right/UTC
-
 set -Ceuo pipefail

 #######################################
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -9,6 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 adjtimex
+age
 apparmor
 apparmor-profiles-extra
 apparmor-utils
@@ -32,6 +33,7 @@ clamav
 clamav-daemon
 clang-18
 console-setup
+cosign
 cpuid
 cryptsetup
 cryptsetup-nuke-password
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -14,7 +14,10 @@ include_toc: true

 ## V8.13.128.2025.10.10

+* **Added**: Packages ``age``, ``cosign``
+* **Added**: Repository https://github.com/getsops/sops.git
 * **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot)
+* **Added**: [0860_sops.chroot](../config/hooks/live/0860_sops.chroot)
 * **Added**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
 * **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)