V8.04.002.2025.08.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

ciss_live_builder.sh

@@ -20,6 +20,22 @@
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
 
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
+# shellcheck disable=SC2155
+declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
+declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
+declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
+declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
+declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+# shellcheck disable=SC2155
+declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+# shellcheck disable=SC2155
+declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
+# shellcheck disable=SC2155
+declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
 # shellcheck disable=2292
@@ -82,7 +98,8 @@
 ### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
-. ./lib/lib_git_var.sh
+. ./lib/lib_source_guard.sh
+source_guard "./lib/lib_git_var.sh"
 
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
@@ -96,41 +113,42 @@ declare -gx VAR_SETUP="true"
 
 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./var/bash.var.sh
-  . ./var/color.var.sh
-  . ./var/global.var.sh
+  source_guard "./var/bash.var.sh"
+  source_guard "./var/color.var.sh"
+  source_guard "./var/global.var.sh"
 }
 
 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./lib/lib_arg_parser.sh
-  . ./lib/lib_arg_priority_check.sh
-  . ./lib/lib_boot_screen.sh
-  . ./lib/lib_cdi.sh
-  . ./lib/lib_change_splash.sh
-  . ./lib/lib_check_dhcp.sh
-  . ./lib/lib_check_hooks.sh
-  . ./lib/lib_check_kernel.sh
-  . ./lib/lib_check_pkgs.sh
-  . ./lib/lib_check_provider.sh
-  . ./lib/lib_check_stats.sh
-  . ./lib/lib_check_var.sh
-  . ./lib/lib_clean_screen.sh
-  . ./lib/lib_clean_up.sh
-  . ./lib/lib_copy_integrity.sh
-  . ./lib/lib_hardening_root_pw.sh
-  . ./lib/lib_hardening_ssh.sh
-  . ./lib/lib_hardening_ultra.sh
-  . ./lib/lib_helper_ip.sh
-  . ./lib/lib_lb_build_start.sh
-  . ./lib/lib_lb_config_start.sh
-  . ./lib/lib_lb_config_write.sh
-  . ./lib/lib_provider_netcup.sh
-  . ./lib/lib_run_analysis.sh
-  . ./lib/lib_sanitizer.sh
-  . ./lib/lib_trap_on_err.sh
-  . ./lib/lib_trap_on_exit.sh
-  . ./lib/lib_usage.sh
+  source_guard "./lib/lib_arg_parser.sh"
+  source_guard "./lib/lib_arg_priority_check.sh"
+  source_guard "./lib/lib_boot_screen.sh"
+  source_guard "./lib/lib_cdi.sh"
+  source_guard "./lib/lib_change_splash.sh"
+  source_guard "./lib/lib_check_dhcp.sh"
+  source_guard "./lib/lib_check_hooks.sh"
+  source_guard "./lib/lib_check_kernel.sh"
+  source_guard "./lib/lib_check_pkgs.sh"
+  source_guard "./lib/lib_check_provider.sh"
+  source_guard "./lib/lib_check_stats.sh"
+  source_guard "./lib/lib_check_var.sh"
+  source_guard "./lib/lib_clean_screen.sh"
+  source_guard "./lib/lib_clean_up.sh"
+  source_guard "./lib/lib_copy_integrity.sh"
+  source_guard "./lib/lib_hardening_root_pw.sh"
+  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ultra.sh"
+  source_guard "./lib/lib_helper_ip.sh"
+  source_guard "./lib/lib_lb_build_start.sh"
+  source_guard "./lib/lib_lb_config_start.sh"
+  source_guard "./lib/lib_lb_config_write.sh"
+  source_guard "./lib/lib_lb_config_write_trixie.sh"
+  source_guard "./lib/lib_provider_netcup.sh"
+  source_guard "./lib/lib_run_analysis.sh"
+  source_guard "./lib/lib_sanitizer.sh"
+  source_guard "./lib/lib_trap_on_err.sh"
+  source_guard "./lib/lib_trap_on_exit.sh"
+  source_guard "./lib/lib_usage.sh"
 }
 
 ### ADVISORY LOCK
@@ -160,17 +178,6 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n
 ### Updating Status of Dialog Gauge Bar
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 
-### Initialization
-declare -gr ARGUMENTS_COUNT="$#"
-declare -gr ARG_STR_ORG_INPUT="$*"
-#declare -ar ARG_ARY_ORG_INPUT=("$@")
-# shellcheck disable=SC2155
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
-# shellcheck disable=SC2155
-declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
-# shellcheck disable=SC2155
-declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
-
 ### Updating Status of Dialog Gauge Bar
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
@@ -213,7 +220,9 @@ else
   rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
 fi
 
+# shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
+
 hardening_ultra
 hardening_root_pw
 change_splash

lib/lib_guard_sourcing.sh

@@ -23,7 +23,7 @@
 guard_sourcing() {
   ### Determine the caller script (the library being sourced).
   declare var_src="${1:-${BASH_SOURCE[1]}}"
-  ### Strip path, keep only filename
+  ### Strip path, keep only the filename
   declare var_file_name="${var_src##*/}"
   ### Sanitize to valid var name.
   declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"

lib/lib_source_guard.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the file to be sourced twice.
+# Arguments:
+#   1: File to source.
+#######################################
+source_guard() {
+  declare var_file="${1}"
+  declare var_name="${var_file##*/}"
+  declare var_guard="_${var_name//[^a-zA-Z0-9_]/_}_LOADED"
+
+  if ! declare -p "${var_guard}" &>/dev/null; then
+    # shellcheck disable=SC1090
+    . "${var_file}"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_trap_on_err.sh

@@ -15,8 +15,8 @@ guard_sourcing
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
-#   ARGUMENTS_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_COUNT
+#   VAR_PARAM_STRING
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -45,8 +45,8 @@ print_file_err() {
     printf "❌ Function               : %s \n" "${ERRFUNC}"
     printf "❌ Command                : %s \n" "${ERRCMMD}"
     printf "❌ Script Runtime         : %s \n" "${SECONDS}"
-    printf "❌ Arguments Counter      : %s \n" "${ARGUMENTS_COUNT}"
-    printf "❌ Arguments Original     : %s \n" "${ARG_STR_ORG_INPUT}"
+    printf "❌ Arguments Counter      : %s \n" "${VAR_PARAM_COUNT}"
+    printf "❌ Arguments Original     : %s \n" "${VAR_PARAM_STRING}"
     printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
     if "${VAR_EARLY_DEBUG}"; then
       printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
@@ -60,8 +60,8 @@ print_file_err() {
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal
 # Globals:
-#   ARGUMENTS_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_COUNT
+#   VAR_PARAM_STRING
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -89,8 +89,8 @@ print_scr_err() {
   printf "\e[91m❌ Function               : %s \e[0m\n" "${ERRFUNC}" >&2
   printf "\e[91m❌ Command                : %s \e[0m\n" "${ERRCMMD}" >&2
   printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" >&2
-  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
-  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${VAR_PARAM_COUNT}" >&2
+  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRING}" >&2
   printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
   printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
   printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2

var/bash.var.sh

@@ -10,12 +10,31 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
+set -o errexit           # Exit script when a command exits with non-zero status, the same as "set -e".
+set -o errtrace          # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
+set -o functrace         # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
+set -o ignoreeof         # An interactive shell will not exit upon reading EOF.
+set -o noclobber         # Prevent overwriting, the same as "set -C".
+set -o nounset           # Exit script on use of an undefined variable, the same as "set -u".
+set -o pipefail          # Makes pipelines return the exit status of the last command in the pipe that failed.
+
+### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin
+shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
+shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
+                         # subshell environment. This option is enabled when POSIX mode is enabled.
+shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
+                         # the background in the current shell environment.
+shopt -u expand_aliases  # If set, aliases are expanded as described below under Aliases, Aliases. This option is enabled by
+                         # default for interactive shells.
+shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
+shopt -u extglob         # If set, enable the extended pattern matching features.
+shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
+
+declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+declare -gx IFS=$' \t\n'
+umask 0022
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/color.var.sh

@@ -10,6 +10,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
+### Definition of color variables.
+
 declare -grx BLA='\e[90m' # Beautiful black For the techno fans.
 declare -grx RED='\e[91m' # Bright red.
 declare -grx GRE='\e[92m' # Vibrant green.

var/early.var.sh

@@ -13,13 +13,10 @@
 ### Definition of MUST set early Variables
 
 # shellcheck disable=SC2155
-declare -agx ARY_PARAM_ARRAY=("$@")
-declare -grx VAR_PARAM_COUNT="$#"
-declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
 declare -grx VAR_VERSION="Master V8.04.002.2025.08.11"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"
-umask 0022
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/global.var.sh

@@ -10,11 +10,18 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
+### Definition of MUST set global variables.
 # shellcheck disable=SC2155
 declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_INF="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_NOTES="$(mktemp)"
 
 declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"