V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-10 19:40:04 +01:00
parent 826d8607cb
commit e1928caf4a
5 changed files with 94 additions and 61 deletions


@@ -0,0 +1,19 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
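Review bot: The second `printf` reports that the hook was "applied successfully" although no command runs between the start message and the success message, so the build log records a completed step for a hook that changes nothing. If this file is a placeholder, state that in the file and in its output, for example with a header comment `# Placeholder hook: no changes are applied yet.` and a neutral message such as `'%s' is a placeholder, nothing to apply.` in place of the success line. The file name is not shown on this page, so the intended purpose of the hook is inferred from its content only.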


@@ -13,14 +13,14 @@ include_toc: true
# 2. Lynis Audit: # 2. Lynis Audit:
````text ````text
[ Lynis 3.1.4 ] [ Lynis 3.1.6 ]
################################################################################ ################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License. welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software. See the LICENSE file for details about using this software.
2007-2024, CISOfy - https://cisofy.com/lynis/ 2007-2025, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools) Enterprise support available (compliance, plugins, interface and tools)
################################################################################ ################################################################################
@@ -31,11 +31,12 @@ include_toc: true
- Checking profiles... [ DONE ] - Checking profiles... [ DONE ]
--------------------------------------------------- ---------------------------------------------------
Program version: 3.1.4 Program version: 3.1.6
Operating system: Linux Operating system: Linux
Operating system name: Debian Operating system name: Debian
Operating system version: 12 Operating system version: 13
Kernel version: 6.12.22+bpo End-of-life: UNKNOWN
Kernel version: 6.16.3+deb13
Hardware platform: x86_64 Hardware platform: x86_64
Hostname: live Hostname: live
--------------------------------------------------- ---------------------------------------------------
@@ -70,38 +71,40 @@ include_toc: true
- Checking Secure Boot [ DISABLED ] - Checking Secure Boot [ DISABLED ]
- Boot loader [ NONE FOUND ] - Boot loader [ NONE FOUND ]
- Check running services (systemctl) [ DONE ] - Check running services (systemctl) [ DONE ]
Result: found 17 running services Result: found 16 running services
- Check enabled services at boot (systemctl) [ DONE ] - Check enabled services at boot (systemctl) [ DONE ]
Result: found 24 enabled services Result: found 30 enabled services
- Check startup files (permissions) [ OK ] - Check startup files (permissions) [ OK ]
- Running 'systemd-analyze security' - Running 'systemd-analyze security'
Unit name (exposure value) and predicate Unit name (exposure value) and predicate
-------------------------------- --------------------------------
- auditd.service (value=8.7) [ EXPOSED ] - auditd.service (value=8.9) [ EXPOSED ]
- chrony.service (value=3.5) [ PROTECTED ] - chrony.service (value=3.5) [ PROTECTED ]
- clamav-daemon.service (value=3.5) [ PROTECTED ]
- cron.service (value=9.6) [ UNSAFE ] - cron.service (value=9.6) [ UNSAFE ]
- dbus.service (value=9.6) [ UNSAFE ] - dbus.service (value=9.3) [ UNSAFE ]
- dm-event.service (value=9.5) [ UNSAFE ] - dm-event.service (value=9.5) [ UNSAFE ]
- emergency.service (value=9.5) [ UNSAFE ] - emergency.service (value=9.5) [ UNSAFE ]
- fail2ban.service (value=6.5) [ MEDIUM ] - fail2ban.service (value=6.5) [ MEDIUM ]
- getty@tty1.service (value=9.6) [ UNSAFE ] - getty@tty1.service (value=9.6) [ UNSAFE ]
- haveged.service (value=3.0) [ PROTECTED ]
- ifup@ens3.service (value=9.5) [ UNSAFE ] - ifup@ens3.service (value=9.5) [ UNSAFE ]
- ifup@ens4.service (value=9.5) [ UNSAFE ] - ifup@ens4.service (value=9.5) [ UNSAFE ]
- jitterentropy.service (value=2.5) [ PROTECTED ]
- lvm2-lvmpolld.service (value=9.5) [ UNSAFE ] - lvm2-lvmpolld.service (value=9.5) [ UNSAFE ]
- polkit.service (value=9.6) [ UNSAFE ]
- rc-local.service (value=9.6) [ UNSAFE ] - rc-local.service (value=9.6) [ UNSAFE ]
- rescue.service (value=9.5) [ UNSAFE ] - rescue.service (value=9.5) [ UNSAFE ]
- rsyslog.service (value=9.6) [ UNSAFE ] - rng-tools-debian.service (value=9.1) [ UNSAFE ]
- rsyslog.service (value=4.5) [ PROTECTED ]
- ssh.service (value=9.6) [ UNSAFE ] - ssh.service (value=9.6) [ UNSAFE ]
- sshd@sshd-keygen.service (value=9.6) [ UNSAFE ]
- systemd-ask-password-console.service (value=9.4) [ UNSAFE ] - systemd-ask-password-console.service (value=9.4) [ UNSAFE ]
- systemd-ask-password-wall.service (value=9.4) [ UNSAFE ] - systemd-ask-password-wall.service (value=9.4) [ UNSAFE ]
- systemd-fsckd.service (value=9.5) [ UNSAFE ] - systemd-bsod.service (value=9.5) [ UNSAFE ]
- systemd-hostnamed.service (value=1.7) [ PROTECTED ]
- systemd-initctl.service (value=9.4) [ UNSAFE ] - systemd-initctl.service (value=9.4) [ UNSAFE ]
- systemd-journald.service (value=4.3) [ PROTECTED ] - systemd-journald.service (value=4.9) [ PROTECTED ]
- systemd-logind.service (value=2.8) [ PROTECTED ] - systemd-logind.service (value=2.8) [ PROTECTED ]
- systemd-networkd.service (value=2.6) [ PROTECTED ] - systemd-networkd.service (value=2.9) [ PROTECTED ]
- systemd-rfkill.service (value=9.4) [ UNSAFE ]
- systemd-udevd.service (value=7.1) [ MEDIUM ] - systemd-udevd.service (value=7.1) [ MEDIUM ]
- unattended-upgrades.service (value=9.6) [ UNSAFE ] - unattended-upgrades.service (value=9.6) [ UNSAFE ]
- usbguard-dbus.service (value=9.6) [ UNSAFE ] - usbguard-dbus.service (value=9.6) [ UNSAFE ]
@@ -111,23 +114,21 @@ include_toc: true
[+] Kernel [+] Kernel
------------------------------------ ------------------------------------
- Checking default runlevel [ runlevel 5 ] - Checking default runlevel [ runlevel 3 ]
- Checking CPU support (NX/PAE) - Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ] CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ] - Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ] - Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ] - Checking loaded kernel modules [ DONE ]
Found 84 active modules Found 139 active modules
- Checking Linux kernel configuration file [ FOUND ] - Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ NOT FOUND ] - Checking default I/O kernel scheduler [ NOT FOUND ]
- Checking for available kernel update [ OK ]
- Checking core dumps configuration - Checking core dumps configuration
- configuration in systemd conf files [ DEFAULT ] - configuration in systemd conf files [ DISABLED ]
- configuration in /etc/profile [ DEFAULT ] - configuration in /etc/profile [ DEFAULT ]
- 'hard' configuration in /etc/security/limits.conf [ DISABLED ] - 'hard' configuration in /etc/security/limits.conf [ DISABLED ]
- 'soft' configuration in /etc/security/limits.conf [ DISABLED ] - 'soft' configuration in /etc/security/limits.conf [ DISABLED ]
- Checking setuid core dumps configuration [ DISABLED ] - Checking setuid core dumps configuration [ DISABLED ]
- Check if reboot is needed [ NO ]
[+] Memory and Processes [+] Memory and Processes
------------------------------------ ------------------------------------
@@ -144,7 +145,6 @@ include_toc: true
- Unique group IDs [ OK ] - Unique group IDs [ OK ]
- Unique group names [ OK ] - Unique group names [ OK ]
- Password file consistency [ OK ] - Password file consistency [ OK ]
- Password hashing methods [ OK ]
- Password hashing rounds (minimum) [ CONFIGURED ] - Password hashing rounds (minimum) [ CONFIGURED ]
- Query system users (non daemons) [ DONE ] - Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ] - NIS+ authentication support [ NOT ENABLED ]
@@ -167,10 +167,9 @@ include_toc: true
- Checking expired passwords [ OK ] - Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ] - Checking Linux single user mode authentication [ OK ]
- Determining default umask - Determining default umask
- umask (/etc/profile) [ NOT FOUND ]
- umask (/etc/login.defs) [ OK ] - umask (/etc/login.defs) [ OK ]
- LDAP authentication support [ NOT ENABLED ] - LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ ENABLED ] - Logging failed login attempts [ DISABLED ]
[+] Kerberos [+] Kerberos
------------------------------------ ------------------------------------
@@ -179,7 +178,7 @@ include_toc: true
[+] Shells [+] Shells
------------------------------------ ------------------------------------
- Checking shells from /etc/shells - Checking shells from /etc/shells
Result: found 12 shells (valid shells: 12). Result: found 11 shells (valid shells: 11).
- Session timeout settings/tools [ FOUND ] - Session timeout settings/tools [ FOUND ]
- Checking default umask values - Checking default umask values
- Checking default umask in /etc/bash.bashrc [ NONE ] - Checking default umask in /etc/bash.bashrc [ NONE ]
@@ -203,15 +202,9 @@ include_toc: true
- Mount options of /dev/shm [ PARTIALLY HARDENED ] - Mount options of /dev/shm [ PARTIALLY HARDENED ]
- Mount options of /run [ HARDENED ] - Mount options of /run [ HARDENED ]
- Mount options of /tmp [ PARTIALLY HARDENED ] - Mount options of /tmp [ PARTIALLY HARDENED ]
- Total without nodev:11 noexec:13 nosuid:9 ro or noexec (W^X): 9 of total 33 - Total without nodev:8 noexec:11 nosuid:6 ro or noexec (W^X): 8 of total 28
- Checking Locate database [ FOUND ] - Checking Locate database [ FOUND ]
- Disable kernel support of some filesystems - Disable kernel support of some filesystems
- Module cramfs is blacklisted [ OK ]
- Module freevxfs is blacklisted [ OK ]
- Module hfs is blacklisted [ OK ]
- Module hfsplus is blacklisted [ OK ]
- Module jffs2 is blacklisted [ OK ]
- Module udf is blacklisted [ OK ]
[+] USB Devices [+] USB Devices
------------------------------------ ------------------------------------
@@ -221,7 +214,7 @@ include_toc: true
- Configuration [ FOUND ] - Configuration [ FOUND ]
- Restore controller device state [ false ] - Restore controller device state [ false ]
- Rule for controllers connected before daemon starts [ keep ] - Rule for controllers connected before daemon starts [ keep ]
- Rule for devices connected before daemon starts [ allow ] - Rule for devices connected before daemon starts [ apply-policy ]
- Rule for devices inserted after daemon starts [ apply-policy ] - Rule for devices inserted after daemon starts [ apply-policy ]
- Rule for devices not in RuleFile [ block ] - Rule for devices not in RuleFile [ block ]
- RuleFile [ FOUND ] - RuleFile [ FOUND ]
@@ -239,6 +232,7 @@ include_toc: true
[+] Name services [+] Name services
------------------------------------ ------------------------------------
- Checking /etc/resolv.conf options [ FOUND ]
- Searching DNS domain name [ FOUND ] - Searching DNS domain name [ FOUND ]
Domain name: local Domain name: local
- Checking /etc/hosts - Checking /etc/hosts
@@ -256,8 +250,13 @@ include_toc: true
- debsums utility [ FOUND ] - debsums utility [ FOUND ]
- Cron job for debsums [ FOUND ] - Cron job for debsums [ FOUND ]
- Checking security repository in sources.list file [ OK ] - Checking security repository in sources.list file [ OK ]
- Checking security repository in sources.list.d directory [ OK ]
- Checking APT package database [ OK ] - Checking APT package database [ OK ]
W: https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease: Policy will reject signature within a year, see --audit for details
- Checking vulnerable packages (apt-get only) [ DONE ] - Checking vulnerable packages (apt-get only) [ DONE ]
[WARNING]: Test PKGS-7392 had a long execution: 21.028694 seconds
- Checking upgradeable packages [ NONE ] - Checking upgradeable packages [ NONE ]
- Checking package audit tool [ INSTALLED ] - Checking package audit tool [ INSTALLED ]
Found: apt-get Found: apt-get
@@ -272,6 +271,7 @@ include_toc: true
- Testing nameservers - Testing nameservers
Nameserver: 135.181.207.105 [ OK ] Nameserver: 135.181.207.105 [ OK ]
Nameserver: 89.58.62.53 [ OK ] Nameserver: 89.58.62.53 [ OK ]
Nameserver: 138.199.237.109 [ OK ]
- Minimal of 2 responsive nameservers [ OK ] - Minimal of 2 responsive nameservers [ OK ]
- Checking default gateway [ DONE ] - Checking default gateway [ DONE ]
- Getting listening ports (TCP/UDP) [ DONE ] - Getting listening ports (TCP/UDP) [ DONE ]
@@ -408,10 +408,11 @@ include_toc: true
[+] Cryptography [+] Cryptography
------------------------------------ ------------------------------------
- Checking for expired SSL certificates [0/139] [ NONE ] - Checking for expired SSL certificates [0/151] [ NONE ]
[WARNING]: Test CRYP-7902 had a long execution: 20.445007 seconds [WARNING]: Test CRYP-7902 had a long execution: 31.463606 seconds
- Found 10 LUKS encrypted block devices. [ OK ]
- Found 0 encrypted and 0 unencrypted swap devices in use. [ OK ] - Found 0 encrypted and 0 unencrypted swap devices in use. [ OK ]
- Kernel entropy is sufficient [ YES ] - Kernel entropy is sufficient [ YES ]
- HW RNG & rngd [ NO ] - HW RNG & rngd [ NO ]
@@ -427,11 +428,12 @@ include_toc: true
[+] Security frameworks [+] Security frameworks
------------------------------------ ------------------------------------
- Checking presence AppArmor [ FOUND ] - Checking presence AppArmor [ FOUND ]
- Checking AppArmor status [ DISABLED ] - Checking AppArmor status [ ENABLED ]
Found 43 unconfined processes
- Checking presence SELinux [ NOT FOUND ] - Checking presence SELinux [ NOT FOUND ]
- Checking presence TOMOYO Linux [ NOT FOUND ] - Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ] - Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ NONE ] - Checking for implemented MAC framework [ OK ]
[+] Software: file integrity [+] Software: file integrity
------------------------------------ ------------------------------------
@@ -455,9 +457,7 @@ include_toc: true
[+] Software: Malware [+] Software: Malware
------------------------------------ ------------------------------------
- Checking chkrootkit [ FOUND ]
- Checking Rootkit Hunter [ FOUND ] - Checking Rootkit Hunter [ FOUND ]
- Checking ClamAV scanner [ FOUND ]
- Malware software components [ FOUND ] - Malware software components [ FOUND ]
- Active agent [ NOT FOUND ] - Active agent [ NOT FOUND ]
- Rootkit scanner [ FOUND ] - Rootkit scanner [ FOUND ]
@@ -546,12 +546,16 @@ include_toc: true
================================================================================ ================================================================================
-[ Lynis 3.1.4 Results ]- -[ Lynis 3.1.6 Results ]-
Great, no warnings Great, no warnings
Suggestions (5): Suggestions (6):
---------------------------- ----------------------------
* Determine runlevel and services at startup [BOOT-5180]
- Related resources
* Website: https://cisofy.com/lynis/controls/BOOT-5180/
* Consider hardening system services [BOOT-5264] * Consider hardening system services [BOOT-5264]
- Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service - Details : Run '/usr/bin/systemd-analyze security SERVICE' for each service
- Related resources - Related resources
@@ -585,34 +589,44 @@ include_toc: true
Lynis security scan details: Lynis security scan details:
Hardening index : 92 [################## ]
Tests performed : 261
Plugins enabled : 0
Components:
- Firewall [V]
- Malware scanner [V]
Scan mode: Scan mode:
Normal [V] Forensics [ ] Integration [ ] Pentest [ ] Normal [] Forensics [ ] Integration [ ] Pentest [ ]
Lynis modules: Lynis modules:
- Compliance status [?] - Compliance status [?]
- Security audit [V] - Security audit [V]
- Vulnerability scan [V] - Vulnerability scan [V]
Details:
Hardening index : 93 [################## ]
Tests performed : 258
Plugins enabled : 0
Software components:
- Firewall [V]
- Intrusion software [V]
- Malware scanner [V]
Files: Files:
- Test and debug information : /var/log/lynis.log - Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat - Report data : /var/log/lynis-report.dat
================================================================================ ================================================================================
Lynis 3.1.4 Notice: No OS entry was found in the end-of-life database
What to do:
Please submit a pull request on GitHub to include your OS version and the end date of this OS version is being supported
URL: https://github.com/CISOfy/lynis
================================================================================
Lynis 3.1.6
Auditing, system hardening, and compliance for UNIX-based systems Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others) (Linux, macOS, BSD, and others)
2007-2024, CISOfy - https://cisofy.com/lynis/ 2007-2025, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools) Enterprise support available (compliance, plugins, interface and tools)
================================================================================ ================================================================================


@@ -34,6 +34,7 @@ include_toc: true
* **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf * **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf
* **Changed**: [9992_password_expiration.chroot](../config/hooks/live/9992_password_expiration.chroot) + added: ``update_shadow()`` * **Changed**: [9992_password_expiration.chroot](../config/hooks/live/9992_password_expiration.chroot) + added: ``update_shadow()``
* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) + added: Securely shred all regular files below ./includes.chroot, then remove empty dirs. * **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) + added: Securely shred all regular files below ./includes.chroot, then remove empty dirs.
* **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6
## V8.13.400.2025.11.08 ## V8.13.400.2025.11.08
* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling * **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
@@ -121,7 +122,7 @@ include_toc: true
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10
* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90
* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) = unified logging * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) = unified logging
## V8.13.292.2025.10.27 ## V8.13.292.2025.10.27
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel() * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel()
@@ -129,7 +130,7 @@ include_toc: true
## V8.13.290.2025.10.26 ## V8.13.290.2025.10.26
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™. * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet primordial-workflow™.
## V8.13.288.2025.10.24 ## V8.13.288.2025.10.24
* **Added**: Preparations for CISS and PhysNet primordial-workflow™. * **Added**: Preparations for CISS and PhysNet primordial-workflow™.
@@ -152,7 +153,7 @@ include_toc: true
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y
* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs) * **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
## V8.13.256.2025.10.21 ## V8.13.256.2025.10.21
* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
@@ -183,7 +184,7 @@ include_toc: true
* **Changed**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) * **Changed**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
## V8.13.142.2025.10.14 ## V8.13.142.2025.10.14
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
## V8.13.132.2025.10.11 ## V8.13.132.2025.10.11
* **Added**: [REPOSITORY.md](../REPOSITORY.md) * **Added**: [REPOSITORY.md](../REPOSITORY.md)
@@ -218,7 +219,7 @@ include_toc: true
* **Added**: [lib_note_target.sh](../lib/lib_note_target.sh) * **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
* **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) * **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot) * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) * **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
@@ -230,7 +231,7 @@ include_toc: true
## V8.13.048.2025.10.06 ## V8.13.048.2025.10.06
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64`` * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
* **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi`` * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
* **Updated**: [9000-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) * **Updated**: [9000-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
## V8.13.032.2025.10.03 ## V8.13.032.2025.10.03
* **Added**: Internal Gitea Action Runner switch for static SSHFP records. * **Added**: Internal Gitea Action Runner switch for static SSHFP records.


@@ -30,7 +30,7 @@ cdi() {
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
install -m 0400 -o root -g root /dev/null /root/.cdi install -m 0400 -o root -g root /dev/null "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then
@@ -38,7 +38,7 @@ cdi() {
fi fi
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999_cdi_starter.sh" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999_cdi_starter.sh"
declare tmp_entry declare tmp_entry
tmp_entry="$(mktemp)" tmp_entry="$(mktemp)"
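Review bot: In the first hunk the marker file is now written to `"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"` with a plain `install`, and unlike the `usr/local/sbin` target directly below there is no visible check that the parent directory exists, so the call fails if `includes.chroot/root` has not been created at that point. Consider creating it explicitly with a restrictive mode first, `install -d -m 0700 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"`, rather than adding `-D`, which would create the directory with default permissions. The second hunk renames the installed script to `9999_cdi_starter.sh`; whatever is written through `tmp_entry` after the hunk presumably has to reference the new name, which is not visible here. `cdi()` starts and ends outside the visible hunks, so the directory may already be guaranteed by earlier code.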


@@ -1,5 +1,4 @@
#!/bin/bash #!/bin/bash
# bashsupport disable=BP5004
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git