From e72ef95b86986cb46b4917213715b4731f0680f38c9eb75500041547ffc29050 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Mon, 11 Aug 2025 18:52:29 +0200
Subject: [PATCH] V8.04.002.2025.08.11

Signed-off-by: Marc S. Weidner
---
 ciss_live_builder.sh | 95 +++++++++++++++++++++------------------
 lib/lib_guard_sourcing.sh | 2 +-
 lib/lib_source_guard.sh | 28 ++++++++++++
 lib/lib_trap_on_err.sh | 16 +++---
 var/bash.var.sh | 31 ++++++++++---
 var/color.var.sh | 4 ++
 var/early.var.sh | 5 +--
 var/global.var.sh | 7 +++
 8 files changed, 126 insertions(+), 62 deletions(-)
 create mode 100644 lib/lib_source_guard.sh

diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index 239d93c..a1c2731 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -20,6 +20,22 @@
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
 
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
+# shellcheck disable=SC2155
+declare -girx VAR_START_TIME="${SECONDS}" # Start time of script execution.
+declare -grx VAR_PARAM_COUNT="$#" # Arguments passed to script.
+declare -grx VAR_PARAM_STRNG="$*" # Arguments passed to script as string.
+declare -ag ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array.
+declare -grx VAR_SETUP_FILE="${0##*/}" # 'ciss_debian_live_builder.sh'
+declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/opt/git/CISS.debian.live.builder'
+declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+# shellcheck disable=SC2155
+declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+# shellcheck disable=SC2155
+declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
+# shellcheck disable=SC2155
+declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
 # shellcheck disable=2292
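Review bot: `declare -grx VAR_PARAM_STRNG="$*"` keeps the old spelling, while the lib/lib_trap_on_err.sh hunks in this same patch print `${VAR_PARAM_STRING}`; with nounset enabled by var/bash.var.sh that expansion is an unbound-variable error inside the ERR handler, so the error report is cut off at that line. Either declare `VAR_PARAM_STRING` here (and check for remaining users of the STRNG spelling) or keep the handler on the declared name. SCRIPT_BASEPATH and VAR_WORKDIR are computed by the identical `dirname` call, so `declare -grx VAR_WORKDIR="${SCRIPT_BASEPATH}"` would state that they are the same path. VAR_SETUP_PATH and VAR_SETUP_FULL use `cd … && pwd` inside a substitution, which yields an empty string when the cd fails; unless an earlier part of the file already enables errexit, that failure is silent at this point because var/bash.var.sh is sourced much later.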
@@ -82,7 +98,8 @@
 ### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
-. ./lib/lib_git_var.sh
+. ./lib/lib_source_guard.sh
+source_guard "./lib/lib_git_var.sh"
 
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
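Review bot: `source_guard "./lib/lib_git_var.sh"` and the two unguarded `.` lines above it still resolve relative to the caller's working directory, even though the new block at the top of this file now computes an absolute `VAR_WORKDIR` before this point. Unless a `cd` outside this hunk already moves to the repository root, starting the script from another directory fails at the first source with bash's generic "No such file" message; `source_guard "${VAR_WORKDIR}/lib/lib_git_var.sh"` (and the same prefix for early.var.sh and lib_guard_sourcing.sh) would make the entry point independent of the cwd. The `cd "${VAR_WORKDIR}"` in the later hunk of this file runs only after all sourcing is finished.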
@@ -96,41 +113,42 @@ declare -gx VAR_SETUP="true"
 
 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
- . ./var/bash.var.sh
- . ./var/color.var.sh
- . ./var/global.var.sh
+ source_guard "./var/bash.var.sh"
+ source_guard "./var/color.var.sh"
+ source_guard "./var/global.var.sh"
 }
 
 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
- . ./lib/lib_arg_parser.sh
- . ./lib/lib_arg_priority_check.sh
- . ./lib/lib_boot_screen.sh
- . ./lib/lib_cdi.sh
- . ./lib/lib_change_splash.sh
- . ./lib/lib_check_dhcp.sh
- . ./lib/lib_check_hooks.sh
- . ./lib/lib_check_kernel.sh
- . ./lib/lib_check_pkgs.sh
- . ./lib/lib_check_provider.sh
- . ./lib/lib_check_stats.sh
- . ./lib/lib_check_var.sh
- . ./lib/lib_clean_screen.sh
- . ./lib/lib_clean_up.sh
- . ./lib/lib_copy_integrity.sh
- . ./lib/lib_hardening_root_pw.sh
- . ./lib/lib_hardening_ssh.sh
- . ./lib/lib_hardening_ultra.sh
- . ./lib/lib_helper_ip.sh
- . ./lib/lib_lb_build_start.sh
- . ./lib/lib_lb_config_start.sh
- . ./lib/lib_lb_config_write.sh
- . ./lib/lib_provider_netcup.sh
- . ./lib/lib_run_analysis.sh
- . ./lib/lib_sanitizer.sh
- . ./lib/lib_trap_on_err.sh
- . ./lib/lib_trap_on_exit.sh
- .
./lib/lib_usage.sh
+ source_guard "./lib/lib_arg_parser.sh"
+ source_guard "./lib/lib_arg_priority_check.sh"
+ source_guard "./lib/lib_boot_screen.sh"
+ source_guard "./lib/lib_cdi.sh"
+ source_guard "./lib/lib_change_splash.sh"
+ source_guard "./lib/lib_check_dhcp.sh"
+ source_guard "./lib/lib_check_hooks.sh"
+ source_guard "./lib/lib_check_kernel.sh"
+ source_guard "./lib/lib_check_pkgs.sh"
+ source_guard "./lib/lib_check_provider.sh"
+ source_guard "./lib/lib_check_stats.sh"
+ source_guard "./lib/lib_check_var.sh"
+ source_guard "./lib/lib_clean_screen.sh"
+ source_guard "./lib/lib_clean_up.sh"
+ source_guard "./lib/lib_copy_integrity.sh"
+ source_guard "./lib/lib_hardening_root_pw.sh"
+ source_guard "./lib/lib_hardening_ssh.sh"
+ source_guard "./lib/lib_hardening_ultra.sh"
+ source_guard "./lib/lib_helper_ip.sh"
+ source_guard "./lib/lib_lb_build_start.sh"
+ source_guard "./lib/lib_lb_config_start.sh"
+ source_guard "./lib/lib_lb_config_write.sh"
+ source_guard "./lib/lib_lb_config_write_trixie.sh"
+ source_guard "./lib/lib_provider_netcup.sh"
+ source_guard "./lib/lib_run_analysis.sh"
+ source_guard "./lib/lib_sanitizer.sh"
+ source_guard "./lib/lib_trap_on_err.sh"
+ source_guard "./lib/lib_trap_on_exit.sh"
+ source_guard "./lib/lib_usage.sh"
 }
 
 ### ADVISORY LOCK
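Review bot: `source_guard "./lib/lib_lb_config_write_trixie.sh"` is new in this list, but lib/lib_lb_config_write_trixie.sh is not among the eight files in the diffstat, so unless it already exists in the tree the `.` inside source_guard fails on the first run with bash's generic message rather than a named one. If it is a not-yet-committed library, either add it in this patch or have source_guard report the missing file explicitly (a `[[ -r "${var_file}" ]]` check before sourcing) so the cause is visible in the error log. The enclosing `[[ "${VAR_SETUP}" == true ]] && { … }` group starts on the previous line of this hunk and closes here, so the guard applies to the whole list.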
@@ -160,17 +178,6 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n
 ### Updating Status of Dialog Gauge Bar
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 
-### Initialization
-declare -gr ARGUMENTS_COUNT="$#"
-declare -gr ARG_STR_ORG_INPUT="$*"
-#declare -ar ARG_ARY_ORG_INPUT=("$@")
-# shellcheck disable=SC2155
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
-# shellcheck disable=SC2155
-declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
-# shellcheck disable=SC2155
-declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
-
 ### Updating Status of Dialog Gauge Bar
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
@@ -213,7 +220,9 @@ else
 rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
 fi
 
+# shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
+
 hardening_ultra
 hardening_root_pw
 change_splash
diff --git a/lib/lib_guard_sourcing.sh b/lib/lib_guard_sourcing.sh
index ce48c83..05654b1 100644
--- a/lib/lib_guard_sourcing.sh
+++ b/lib/lib_guard_sourcing.sh
@@ -23,7 +23,7 @@ guard_sourcing() {
 ### Determine the caller script (the library being sourced).
 declare var_src="${1:-${BASH_SOURCE[1]}}"
- ### Strip path, keep only filename
+ ### Strip path, keep only the filename
 declare var_file_name="${var_src##*/}"
 ### Sanitize to valid var name.
 declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
diff --git a/lib/lib_source_guard.sh b/lib/lib_source_guard.sh
new file mode 100644
index 0000000..d7a655d
--- /dev/null
+++ b/lib/lib_source_guard.sh
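Review bot: `# shellcheck disable=SC2164` in the `@@ -213,7 +220,9 @@` hunk silences the warning about an unchecked `cd "${VAR_WORKDIR}"` instead of handling the failure; errexit comes from var/bash.var.sh, which is only sourced while VAR_SETUP is true, so if that flag is ever false a failed cd would let hardening_ultra, hardening_root_pw and change_splash run in whatever directory the script was started from. `cd -- "${VAR_WORKDIR}" || exit 1` states the intent, needs no directive, and behaves the same under errexit. The `@@ -160,17 +178,6 @@` hunk is a pure removal and the lib_guard_sourcing.sh hunk is a comment-only change, so neither needs a change.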
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the file to be sourced twice.
+# Arguments:
+# 1: File to source.
+#######################################
+source_guard() {
+ declare var_file="${1}"
+ declare var_name="${var_file##*/}"
+ declare var_guard="_${var_name//[^a-zA-Z0-9_]/_}_LOADED"
+
+ if ! declare -p "${var_guard}" &>/dev/null; then
+ # shellcheck disable=SC1090
+ . "${var_file}"
+ fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_trap_on_err.sh b/lib/lib_trap_on_err.sh
index d109cba..becaa37 100644
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -15,8 +15,8 @@ guard_sourcing
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
-# ARGUMENTS_COUNT
-# ARG_STR_ORG_INPUT
+# VAR_PARAM_COUNT
+# VAR_PARAM_STRING
 # VAR_ARG_SANITIZED
 # LOG_DEBUG
 # ERRCMMD
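Review bot: source_guard skips a file only when `_<name>_LOADED` is already declared, but nothing in the function sets that variable after sourcing — it depends on every sourced library calling guard_sourcing, and guard_sourcing's final variable name is not visible in this diff (its hunk shows `var_safe_name` without the `_`/`_LOADED` affixes used here), so confirm the two schemes produce the same name or the guard never fires. A file that does not call guard_sourcing (lib_git_var.sh is loaded through this path) is re-sourced on every call. Setting the guard here after a successful source, without clobbering one the library may already have declared read-only, and failing with a named message when the file is unreadable would make the function self-sufficient; `${1}` under nounset already aborts on a missing argument, so `${1:?…}` mainly improves the message.
```shell
source_guard() {
  declare var_file="${1:?source_guard: file to source required}"
  declare var_name="${var_file##*/}"
  declare var_guard="_${var_name//[^a-zA-Z0-9_]/_}_LOADED"

  if [[ ! -r "${var_file}" ]]; then
    printf 'source_guard: cannot read %s\n' "${var_file}" >&2
    return 1
  fi
  if ! declare -p "${var_guard}" &>/dev/null; then
    # shellcheck disable=SC1090
    . "${var_file}" || return
    # Only set the guard if the sourced file did not already declare it itself.
    declare -p "${var_guard}" &>/dev/null || declare -g "${var_guard}=true"
  fi
}
```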
@@ -45,8 +45,8 @@ print_file_err() {
 printf "❌ Function : %s \n" "${ERRFUNC}"
 printf "❌ Command : %s \n" "${ERRCMMD}"
 printf "❌ Script Runtime : %s \n" "${SECONDS}"
- printf "❌ Arguments Counter : %s \n" "${ARGUMENTS_COUNT}"
- printf "❌ Arguments Original : %s \n" "${ARG_STR_ORG_INPUT}"
+ printf "❌ Arguments Counter : %s \n" "${VAR_PARAM_COUNT}"
+ printf "❌ Arguments Original : %s \n" "${VAR_PARAM_STRING}"
 printf "❌ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}"
 if "${VAR_EARLY_DEBUG}"; then
 printf "❌ Vars Dump saved at : %s \n" "${LOG_VAR}"
@@ -60,8 +60,8 @@ print_file_err() {
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal
 # Globals:
-# ARGUMENTS_COUNT
-# ARG_STR_ORG_INPUT
+# VAR_PARAM_COUNT
+# VAR_PARAM_STRING
 # VAR_ARG_SANITIZED
 # LOG_DEBUG
 # ERRCMMD
@@ -89,8 +89,8 @@ print_scr_err() {
 printf "\e[91m❌ Function : %s \e[0m\n" "${ERRFUNC}" >&2
 printf "\e[91m❌ Command : %s \e[0m\n" "${ERRCMMD}" >&2
 printf "\e[91m❌ Script Runtime : %s \e[0m\n" "${SECONDS}" >&2
- printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
- printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+ printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${VAR_PARAM_COUNT}" >&2
+ printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${VAR_PARAM_STRING}" >&2
 printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
 printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${LOG_ERROR}" >&2
 printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
diff --git a/var/bash.var.sh b/var/bash.var.sh
index 3f99bb0..70e91db 100644
--- a/var/bash.var.sh
+++ b/var/bash.var.sh
@@ -10,12 +10,31 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
+set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e".
+set -o errtrace # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
+set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
+set -o ignoreeof # An interactive shell will not exit upon reading EOF.
+set -o noclobber # Prevent overwriting, the same as "set -C".
+set -o nounset # Exit script on use of an undefined variable, the same as "set -u".
+set -o pipefail # Makes pipelines return the exit status of the last command in the pipe that failed.
+
+### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin
+shopt -s failglob # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
+shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
+ # subshell environment. This option is enabled when POSIX mode is enabled.
+shopt -s lastpipe # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
+ # the background in the current shell environment.
+shopt -u expand_aliases # If set, aliases are expanded as described below under Aliases, Aliases. This option is enabled by
+ # default for interactive shells.
+shopt -u dotglob # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
+shopt -u extglob # If set, enable the extended pattern matching features.
+shopt -u nullglob # If set, filename expansion patterns that match no files expand to nothing and are removed.
+
+declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+declare -gx IFS=$' \t\n'
+umask 0022
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/var/color.var.sh b/var/color.var.sh
index 143b98f..797ce9f 100644
--- a/var/color.var.sh
+++ b/var/color.var.sh
@@ -10,6 +10,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
+### Definition of color variables.
+
 declare -grx BLA='\e[90m' # Beautiful black For the techno fans.
 declare -grx RED='\e[91m' # Bright red.
 declare -grx GRE='\e[92m' # Vibrant green.
diff --git a/var/early.var.sh b/var/early.var.sh
index e424b0a..04ceb0e 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -13,13 +13,10 @@
 
 ### Definition of MUST set early Variables
 # shellcheck disable=SC2155
-declare -agx ARY_PARAM_ARRAY=("$@")
-declare -grx VAR_PARAM_COUNT="$#"
-declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
 declare -grx VAR_VERSION="Master V8.04.002.2025.08.11"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx VAR_EARLY_DEBUG="false"
 declare -gx VAR_HANDLER_AUTOBUILD="false"
-umask 0022
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/var/global.var.sh b/var/global.var.sh
index 3836f93..114744d 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
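Review bot: the `declare -gx PATH=…` reset and `umask 0022` now live in var/bash.var.sh, which the builder sources only after early.var.sh, lib_guard_sourcing.sh, lib_source_guard.sh and lib_git_var.sh have already run (hunks 2 and 3 of ciss_live_builder.sh), and the early.var.sh hunk on this line removes the umask that previously applied from the start. Until this file is sourced, `uname -a` in early.var.sh, `readlink`/`dirname` in the new top-of-file block and whatever lib_git_var.sh executes resolve through the inherited PATH, and any file created in that window gets the caller's umask; moving the PATH/IFS/umask lines into early.var.sh (or above the first `.` in the builder) closes that gap. `set -o ignoreeof` only affects interactive shells and is a no-op in a script, so either drop it or comment that it is intentional. Please also confirm that none of the guarded libraries rely on extglob patterns, since `shopt -u extglob` now turns them off for everything sourced afterwards.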
@@ -10,11 +10,18 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
+### Definition of MUST set global variables.
 # shellcheck disable=SC2155
 declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_INF="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_NOTES="$(mktemp)"
 declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"