diff --git a/.archive/0010_dhcp_supersede.sh b/.archive/0010_dhcp_supersede.sh
index 6f68612..5cd0c4f 100644
--- a/.archive/0010_dhcp_supersede.sh
+++ b/.archive/0010_dhcp_supersede.sh
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
diff --git a/.archive/0100_ciss_mem_wipe.chroot b/.archive/0100_ciss_mem_wipe.chroot
index 0127abf..4893d09 100644
--- a/.archive/0100_ciss_mem_wipe.chroot
+++ b/.archive/0100_ciss_mem_wipe.chroot
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
@@ -296,7 +296,7 @@ ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.t
systemctl enable ciss-memwipe.service
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/9985_clamav.chroot b/.archive/9985_clamav.chroot
index b91c2ae..7849f6a 100644
--- a/.archive/9985_clamav.chroot
+++ b/.archive/9985_clamav.chroot
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /etc/systemd/system/clamav-daemon.service.d
cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -69,7 +69,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
EOF
chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/9999_interfaces_update.chroot b/.archive/9999_interfaces_update.chroot
index 6538865..772a17b 100644
--- a/.archive/9999_interfaces_update.chroot
+++ b/.archive/9999_interfaces_update.chroot
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
@@ -63,7 +63,7 @@ EOF
chmod 0644 /etc/network/interfaces
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml
index 55eee11..2d29921 100644
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
index 1a08ed9..bec406e 100644
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml
index ed374a6..d795d8f 100644
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 997c938..74fb50e 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V9.14.004.2026.05.17"
+ placeholder: "e.g., Master V9.14.008.2026.06.04"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index c145c21..268946b 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 7288cc9..fa5dbfb 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 🔁 Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index 82a4fb2..1d01549 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@ build:
counter: 1023
- version: V9.14.004.2026.05.17
+ version: V9.14.008.2026.06.04
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index 0462a1c..8a6c0e5 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@ build:
counter: 1023
- version: V9.14.004.2026.05.17
+ version: V9.14.008.2026.06.04
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 0462a1c..8a6c0e5 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@ build:
counter: 1023
- version: V9.14.004.2026.05.17
+ version: V9.14.008.2026.06.04
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 4bb58d5..4877a98 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 88f31ff..a8c1532 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index c88e571..2bff21e 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 5d7ac90..fd469e3 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
# Gitea Workflow: Shell-Script Linting #
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 3c3cb79..22f262a 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index 2517f64..cebd19c 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.008.2026.06.04
name: 🔁 Render Graphviz Diagrams.
diff --git a/.gitignore b/.gitignore
index 52a232d..bfae2a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,5 +16,11 @@ target/
*.log
*.ps1
config.mk
+ciss.secureboot/private/*
+!ciss.secureboot/private/README.md
+ciss.secureboot/manifests/*
+!ciss.secureboot/manifests/.gitkeep
+ciss.secureboot/uki/*
+!ciss.secureboot/uki/.gitkeep
Thumbs.db
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/.version.properties b/.version.properties
index 8bfce75..a8bb1a2 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.004.2026.05.17"
+properties_version="V9.14.008.2026.06.04"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/AGENTS.md b/AGENTS.md
index ee6ad7e..731b0ac 100644
--- a/AGENTS.md
+++ b/AGENTS.md
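Review bot: The new `ciss.secureboot/private/*` rule only works together with `!ciss.secureboot/private/README.md` because it uses the file-glob form; if a later edit tightens it to the directory form `ciss.secureboot/private/`, Git cannot re-include a file below an excluded directory and the negation silently stops tracking README.md (the same holds for the `manifests` and `uki` `.gitkeep` pairs), which nothing in the hunk explains. A one-line comment above the block would protect that intent, e.g. `# Keep the '/*' form: Git cannot re-include a path under an excluded directory, and README.md/.gitkeep must stay tracked.` Ignore rules only stop an accidental `git add`; the key-placement checks that README attributes to the hooks remain the actual safeguard for the `ciss-uki` signing key, so it may be worth stating here that the private key must never be force-added.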
@@ -1,85 +1,124 @@ # AGENTS.md -## Repository purpose +## Purpose -This repository builds and maintains Debian-based live/installer infrastructure. -Treat changes as security-sensitive and boot-chain-sensitive. -Follow `docs/CODING_CONVENTION.md` for coding style and `code_review.md` for reviews. +This repository builds and maintains the CISS Debian Live Builder for Debian 13 Trixie. +Treat every change as security-sensitive and boot-chain-sensitive. + +Persistent coding details live in `docs/CODING_CONVENTION.md`. +Review-only instructions live in `code_review.md`. + +## Instruction precedence for this repository + +Use this order when instructions differ: + +1. The current user task prompt defines the immediate objective and task-specific acceptance criteria. +2. This `AGENTS.md` defines repository-wide constraints and routing guidance. +3. `docs/CODING_CONVENTION.md` defines detailed coding conventions. +4. `code_review.md` applies when performing a review or final self-review. +5. Personal/global Codex instructions apply only where they do not conflict with repository rules. + +When in doubt, choose the safer, smaller, more easily reviewable change and explain the uncertainty. ## Non-negotiable constraints -- Target distribution: Debian 13 Trixie unless explicitly stated otherwise. +- Target Debian 13 Trixie unless the task explicitly states otherwise. - Do not introduce Ubuntu-specific assumptions. -- Do not invent live-build, initramfs, cryptsetup, systemd, GRUB, or Debian package behavior. Verify against existing files or - official documentation. -- Do not add phase-argument gates to live-boot/initramfs scripts. Script execution is controlled by Debian hook placement. -- Preserve encrypted-root / encrypted-SquashFS architecture unless the task explicitly changes it. -- Prefer simple, inspectable Bash over clever abstractions. +- Do not invent live-build, live-boot, initramfs, cryptsetup, systemd, GRUB, Debian package, or upstream tool behavior. 
+- Verify uncertain behavior against existing repository code or authoritative upstream documentation. +- Do not add phase-argument gates to live-boot or initramfs scripts. Execution phase is controlled by Debian hook placement. +- Preserve encrypted-root and encrypted-SquashFS architecture unless the task explicitly changes it. +- Prefer simple, explicit, inspectable Bash over clever abstraction. +- Do not use `eval`. +- Do not print secrets, private keys, passphrases, tokens, or sensitive environment values. -## Repository workflow +## Repository map + +Common areas: + +- `ciss_live_builder.sh`, `lib/*.sh`: host-side orchestration and argument handling. +- `makefile`: local wrapper for composing and executing builder invocations. +- `config/hooks/live/*.chroot`: live-build chroot hooks. +- `config/hooks/live/*.binary`: live-build binary-image hooks. +- `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks. +- `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts. +- `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts. +- `scripts/*`: helper scripts or files copied into the generated image. +- `docs/*`: project documentation and conventions. + +## Working method Before editing: -- Inspect the relevant scripts, hooks, config files, README files, and existing naming conventions. -- Identify the exact boot/build phase affected by the change. -- Explain the minimal intended change. -Boot/build phases: -- host-side orchestration: `ciss_live_builder.sh`, `lib/*.sh`, `makefile` -- live-build hooks: `config/hooks/live/*.chroot` and `config/hooks/live/*.binary` -- initramfs hooks/scripts: `config/includes.chroot/etc/initramfs-tools/*` -- live-boot runtime scripts: `config/includes.chroot/usr/lib/live/boot/*` +1. Inspect the relevant scripts, hooks, configuration files, documentation, tests, and naming conventions. +2. Identify the affected build or boot phase. +3. 
Give a concise implementation plan and list the likely files to touch, unless the change is trivial. + +While editing: + +- Keep changes minimal and local to the task. +- Preserve existing architecture, naming style, error handling, formatting, and security posture. +- Do not perform unrelated cleanup or formatting churn. +- Reuse existing helper functions for logging, fatal errors, validation, downloads, temporary files, and tool checks where available. +- Do not introduce new runtime dependencies unless technically necessary and justified. After editing: -- Run the most relevant available checks. -- At minimum, run syntax checks for changed shell scripts: - - `bash -n ` - - `shellcheck ` if available -- If POSIX shell scripts are changed, run `sh -n ` where Bash syntax is not expected. -- If the make wrapper or builder argument composition changes, run `make dry-run`. -- If Python files are introduced or changed: - - `ruff check` - - `mypy` - - `pytest` if tests exist -- If CLI options or user-facing behavior change, update `usage()` and the relevant README/docs. -- If live-build, initramfs, or ISO behavior changes, describe the required Debian Trixie live-build or ISO validation command. -## Bash conventions +- Run only the narrowest checks that prove the change. +- Changed Bash files: run `bash -n ` and `shellcheck ` if ShellCheck is available. +- Changed POSIX shell files, if any exist and must remain POSIX: run `sh -n `. +- Make wrapper or builder argument-composition changes: run the relevant dry-run or help/parser check, usually `make dry-run` if available. +- Changed Python files: run the repository's relevant Python checks if present. +- CLI or user-facing behavior changes: update `usage()` and relevant documentation. +- Live-build, initramfs, or ISO behavior changes: state the required Debian Trixie validation command. Do not run a full live build unless requested or necessary. -- Use explicit error handling. -- Quote expansions. 
-- Prefer arrays where word splitting matters. -- Avoid `eval`. +## Bash conventions summary + +See `docs/CODING_CONVENTION.md` for detail. + +- Use Bash for new and modified project scripts unless an existing Debian interface file explicitly requires POSIX shell. +- Prefer `set -Ceuo pipefail` where feasible. +- Use `declare` for variables inside functions. +- Quote expansions unless word splitting or globbing is explicitly required. +- Prefer arrays where argument boundaries matter. +- Use `[[ ... ]]` for Bash conditionals. +- Use `case` for option dispatch and multi-branch string handling. - Avoid parsing `ls`. +- Prefer `command -v` over `which`. - Keep functions small and readable. -- Use English comments. -- Explain security-sensitive fallbacks. -- Fail closed where possible. +- End functions explicitly with `return 0` where consistent with surrounding code. +- Code comments must be in English. -## Python conventions - -- Use Python 3.14-compatible code unless the project states otherwise. -- Use pathlib. -- Add type hints. -- Keep ruff and mypy compatibility. -- Avoid broad `except Exception` unless justified and logged. -- Prefer explicit models/config objects over unstructured dictionaries for durable interfaces. - -## Security review checklist +## Security-sensitive areas Before finalizing a change, check whether it affects: + - boot trust - initramfs behavior +- live-boot runtime behavior - cryptsetup/LUKS handling +- encrypted SquashFS handling - key material - remote unlock -- TLS/mTLS verification -- signature/hash verification +- TLS, mTLS, signature, checksum, or provenance verification +- package sources or remote downloads - network exposure - file permissions - persistence - logging of sensitive values -If affected, document the risk and mitigation in the final response. +If affected, document the concrete risk and mitigation in the final response. 
+ +## Final response + +Return a concise implementation report: + +- changed files +- what changed +- checks run and result +- real remaining risks or follow-up steps + +Do not claim success for checks that were not run. --- **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 9fc2f3f..74fc15b 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V9.14.004.2026.05.17 +PackageVersion: Master V9.14.008.2026.06.04 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index a623f98..31c40fa 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.008.2026.06.04-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.** @@ -175,7 +175,7 @@ installer toolchain. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V9.14.004.2026.05.17` +Example: `V9.14.008.2026.06.04` `x.y.z` represents major (x), minor (y), and patch (z) version increments. @@ -237,7 +237,7 @@ deliberate design decision. ### 2.1.2. CPU Vulnerability Mitigations -I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. +I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the context I am targeting; stale mitigations can be revisited, but missing mitigations will not be. @@ -514,6 +514,8 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e --reionice-priority 1 2 \ --renice-priority "-19" \ --root-password-file /dev/shm/cdlb_secrets/password.txt \ + --secure-boot-profile debian-shim \ + --sops-version 3.13.0 \ --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \ --signing_key_pass=signing_key_pass.txt \ --signing_key=signing_key.asc \ 
@@ -523,6 +525,11 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e --trixie ```` + `--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses + `VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports + both the newer Sigstore bundle asset and the legacy split certificate/signature assets before checking the downloaded + SOPS binary with `sha256sum -c --ignore-missing`. + 4. Locate your ISO in the `--build-directory`. 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel. 6. Type `sysp` for the final kernel hardening features. @@ -556,6 +563,8 @@ preview it or run it. ````bash BUILD_DIR=/opt/cdlb ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt + SECURE_BOOT_PROFILE=debian-shim + SOPS_VERSION=3.13.0 SSH_PORT=4242 SSH_PUBKEY=/dev/shm/cdlb_secrets 
@@ -569,7 +578,31 @@ preview it or run it. 4. Execute the build: ````make live```` -## 5.3. CI/CD Gitea Runner Workflow Example +## 5.3. Secure Boot Profiles + +The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an +``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's +standard Microsoft-signed Debian shim plus Debian-signed GRUB path. + +The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure +Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook +builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with +``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds +``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when +live-build created one. + +Required files for ``ciss-uki``: + +````text +ciss.secureboot/private/ciss-efi-image.key +ciss.secureboot/public/ciss-efi-image.crt +```` + +The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below +``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in +``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``. + +## 5.4. CI/CD Gitea Runner Workflow Example 1. Clone the repository: diff --git a/REPOSITORY.md b/REPOSITORY.md index 5b8bbfb..e0dac96 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Branch:** `master`
-**Repository State:** Master Version **9.14**, Build **V9.14.004.2026.05.17** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.008.2026.06.04** (as of 2025-10-11)
## 3.1. Top-Level Layout
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index abe4af8..0f2ec73 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -167,12 +167,29 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
source_guard "./lib/lib_provider_netcup.sh"
source_guard "./lib/lib_run_analysis.sh"
source_guard "./lib/lib_sanitizer.sh"
+ source_guard "./lib/lib_secureboot_profile.sh"
source_guard "./lib/lib_trap_on_err.sh"
source_guard "./lib/lib_trap_on_exit.sh"
source_guard "./lib/lib_update_microcode.sh"
source_guard "./lib/lib_usage.sh"
}
+### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
+### Formal validation still happens in arg_parser().
+for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
+ case "${ARY_PARAM_ARRAY[idx],,}" in
+ --secure-boot-profile=*)
+ declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
+ ;;
+ --secure-boot-profile)
+ if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
+ declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
+ fi
+ ;;
+ esac
+done
+unset idx
### CHECKING REQUIRED PACKAGES.
check_pkgs
@@ -248,6 +265,7 @@ init_primordial
### Integrate the CISS.debian.live.builder repository into the build directory.
### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
hardening_ultra
+secureboot_profile_apply
### CISS.debian.installer 'GRUB' and 'autostart' generator.
cdi
diff --git a/code_review.md b/code_review.md
index ec63867..f84069d 100644
--- a/code_review.md
+++ b/code_review.md
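Review bot: The pre-scan exports whatever token follows `--secure-boot-profile` as `VAR_CISS_SECUREBOOT_PROFILE` before `check_pkgs` runs, while the comment defers validation to `arg_parser()`; the `-n` test only rejects an empty next argument, so a mistyped value or a following option (`--secure-boot-profile --trixie` would export `--trixie`) reaches the package check first, which presumably selects host-package requirements from that unchecked string. Since the documented profiles are only `debian-shim` and `ciss-uki`, the pre-scan can restrict itself to those and leave everything else to the parser, e.g. after `unset idx`: `case "${VAR_CISS_SECUREBOOT_PROFILE:-}" in debian-shim|ciss-uki) ;; *) unset VAR_CISS_SECUREBOOT_PROFILE ;; esac`. Note that the `,,` lower-casing is applied only to the option name being matched, not to the stored value, so a comment such as `### Option name matched case-insensitively; value is kept verbatim for arg_parser().` would make that explicit. The `source_guard` list belongs to a function whose opening line is outside the hunk.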
@@ -1,49 +1,78 @@ # code_review.md -Review priorities, in order: +Use this file for explicit review tasks and final self-review after implementation. +Do not treat it as a mandate for an unlimited audit unless the user asks for one. + +## Review priorities + +Review findings in this order: 1. Correctness 2. Security regressions 3. Boot/build reproducibility 4. Data loss risk 5. Error handling -6. Test coverage +6. Test or validation coverage 7. Maintainability 8. Minimality of diff 9. Style consistency -Finding classes: -- BLOCKER: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before - merge -- RISK: plausible issue or security concern that is not fully proven from the available context -- CLEANUP: maintainability, readability, or consistency improvement that is not required for correctness -- NOTE: observation only; no change requested +## Finding classes -Review output format: -- List findings first, ordered by severity. -- Cite file paths and line numbers where possible. -- For each finding, explain the concrete impact, and the smallest reasonable fix. -- Separate observations, inferences, and recommendations. -- After findings, list missing checks or residual risks. -- If there are no findings, say so explicitly and still mention relevant test gaps. +- `BLOCKER`: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before merge. +- `RISK`: plausible issue or security concern that is not fully proven from the available context. +- `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness. +- `NOTE`: observation only; no change requested. -Do not nitpick formatting if automated tooling exists. -Do not invent requirements not present in the task, repository, or documentation. +## Review output format + +List findings first, ordered by severity. 
+ +For each finding include: + +- class +- file path and line number where possible +- observation +- concrete impact +- smallest reasonable fix + +Then include: + +- missing checks or validation gaps +- residual risks +- concise final recommendation + +If there are no findings, say so explicitly and still mention relevant validation gaps. + +## Scope control + +- Do not nitpick formatting when automated tooling exists. +- Do not invent requirements not present in the task, repository, or documentation. +- Do not expand a small implementation task into a broad quality-management audit. +- Do not request a full live build unless the changed code path affects image generation in a way that cannot be checked narrowly. +- Prefer a small actionable finding over a broad speculative warning. + +## Security-sensitive checklist + +Check whether the change affects: -Security-sensitive review checklist: - boot trust - initramfs behavior +- live-boot runtime behavior - cryptsetup/LUKS handling - encrypted SquashFS handling - key material -- remotely unlock -- TLS/mTLS verification -- signature/hash verification +- remote unlock +- TLS or mTLS verification +- signature, checksum, or provenance verification +- package sources or remote downloads - network exposure - file permissions - persistence - logging of sensitive values +For affected areas, separate observation, inference, and recommendation. + --- **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** diff --git a/config.mk.sample b/config.mk.sample index e45a21d..4f4ba66 100644 --- a/config.mk.sample +++ b/config.mk.sample 
@@ -13,8 +13,12 @@ BUILD_DIR ?=
### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
DROPBEAR_VERSION ?=
+### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
+SOPS_VERSION ?=
PROVIDER_NETCUP_IPV6 ?=
ROOT_PASSWORD_FILE ?=
+### Secure Boot profile; debian-shim or ciss-uki:
+SECURE_BOOT_PROFILE ?= debian-shim
SSH_PORT ?=
SSH_PUBKEY ?=
diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot
index e95b60f..64cae78 100644
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155
declare -gx VAR_DATE="$(date +%F)"
@@ -284,7 +284,7 @@ LLMNR=no
MulticastDNS=no
EOF
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
index 1a41a36..49cba67 100644
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
#######################################
# Get all NIC drivers of the current Host machine.
@@ -345,7 +345,7 @@ chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0002_hardening_overlay_tmpfs.chroot b/config/hooks/live/0002_hardening_overlay_tmpfs.chroot index 4423876..676ad44 100644 --- a/config/hooks/live/0002_hardening_overlay_tmpfs.chroot +++ b/config/hooks/live/0002_hardening_overlay_tmpfs.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" VAR_DATE="$(date +%F)" @@ -57,7 +57,7 @@ EOF systemctl enable ciss-remount-root.service -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0003_cdi_autostart.chroot b/config/hooks/live/0003_cdi_autostart.chroot index f424bea..5fdcfde 100644 --- a/config/hooks/live/0003_cdi_autostart.chroot +++ b/config/hooks/live/0003_cdi_autostart.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" if [[ -f /root/.cdi ]]; then @@ -48,7 +48,7 @@ EOF fi -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
diff --git a/config/hooks/live/0007_update_logrotate.chroot b/config/hooks/live/0007_update_logrotate.chroot index 2823e15..8c326bb 100644 --- a/config/hooks/live/0007_update_logrotate.chroot +++ b/config/hooks/live/0007_update_logrotate.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -72,7 +72,7 @@ include /etc/logrotate.d # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0010_install_apparmor.chroot b/config/hooks/live/0010_install_apparmor.chroot index d8e3543..7547480 100644 --- a/config/hooks/live/0010_install_apparmor.chroot +++ b/config/hooks/live/0010_install_apparmor.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -30,7 +30,7 @@ EOF install -d -m 0755 /var/cache/apparmor -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0020_dropbear_build.chroot b/config/hooks/live/0020_dropbear_build.chroot index aaf810a..ce0e6e6 100644 --- a/config/hooks/live/0020_dropbear_build.chroot +++ b/config/hooks/live/0020_dropbear_build.chroot 
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -20,7 +20,7 @@ export INITRD="No" ### Declare Arrays, HashMaps, and Variables. declare var_dropbear_env="/root/dropbear.env" [[ -r "${var_dropbear_env}" ]] || { - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2 + printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2 exit 43 } @@ -28,7 +28,7 @@ declare var_dropbear_env="/root/dropbear.env" . "${var_dropbear_env}" declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}" [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || { - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2 + printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2 exit 43 } @@ -39,7 +39,7 @@ declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log" mkdir -p "/root/build" [[ -r "${var_tar}" ]] || { - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2 + printf "\e[91m❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2 exit 43 } @@ -86,7 +86,7 @@ if ! setsid bash -c ' ' >| "${var_logfile}" 2>&1 then - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2 + printf "\e[91m❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2 tail -n 42 "${var_logfile}" >&2 || true exit 42 
@@ -94,7 +94,7 @@ fi rm -rf /root/dropbear -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0021_dropbear_initramfs.chroot b/config/hooks/live/0021_dropbear_initramfs.chroot index cf25484..639d262 100644 --- a/config/hooks/live/0021_dropbear_initramfs.chroot +++ b/config/hooks/live/0021_dropbear_initramfs.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -20,7 +20,7 @@ export INITRD="No" ### Declare Arrays, HashMaps, and Variables. declare var_dropbear_env="/root/dropbear.env" [[ -r "${var_dropbear_env}" ]] || { - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2 + printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2 exit 43 } @@ -28,7 +28,7 @@ declare var_dropbear_env="/root/dropbear.env" . "${var_dropbear_env}" declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}" [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || { - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2 + printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2 exit 43 } @@ -143,7 +143,7 @@ EOF systemctl mask dropbear.service dropbear.socket -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot index 25b9ef8..bcfddc9 100644 --- a/config/hooks/live/0022_dropbear_setup.chroot +++ b/config/hooks/live/0022_dropbear_setup.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -154,7 +154,7 @@ readonly -f write_dropbear_conf dropbear_setup -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0040_ssh_config_setup.chroot b/config/hooks/live/0040_ssh_config_setup.chroot index 5a19dc8..25c5dd7 100644 --- a/config/hooks/live/0040_ssh_config_setup.chroot +++ b/config/hooks/live/0040_ssh_config_setup.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf # SPDX-Version: 3.0 @@ -38,7 +38,7 @@ Host git.coresecret.dev # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0050_activate_root.chroot b/config/hooks/live/0050_activate_root.chroot index f9f7036..7e478cc 100644 --- a/config/hooks/live/0050_activate_root.chroot +++ b/config/hooks/live/0050_activate_root.chroot 
@@ -11,13 +11,13 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" if [[ ! -f /root/.pwd ]]; then - printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}" + printf "\e[92m❌ /root/.pwd NOT found. \e[0m\n" + printf "\e[92m❌ Exiting Hook ... \e[0m\n" + printf "\e[92m✅ '%s' done. Nothing changed. \e[0m\n" "${0}" exit 0 fi @@ -39,15 +39,15 @@ unset hashed_pwd safe_hashed_pwd if shred -fzu -n 5 /root/.pwd; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n" + printf "\e[92m✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n" else - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2 + printf "\e[91m❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2 fi -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0080_keyboard_layout.chroot b/config/hooks/live/0080_keyboard_layout.chroot index fc39774..daf97a0 100644 --- a/config/hooks/live/0080_keyboard_layout.chroot +++ b/config/hooks/live/0080_keyboard_layout.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cat << 'EOF' >| /etc/default/keyboard XKBMODEL="pc105" 
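Review bot: The first message in the `/root/.pwd` branch changed colour from `\e[93m` to `\e[92m` while the rest of the commit only strips the `++++` banner prefix, so a ❌ line now renders green like the ✅ lines that follow it. If that is unintended, keep `printf "\e[93m❌ /root/.pwd NOT found. \e[0m\n"`; either way the two ❌ lines could go to stderr like the shred-failure message in the second hunk.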
@@ -26,7 +26,7 @@ export DEBIAN_FRONTEND="noninteractive" export INITRD="No" dpkg-reconfigure -f noninteractive keyboard-configuration -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0090_jitterentropy.chroot b/config/hooks/live/0090_jitterentropy.chroot index 9edc6e8..300c55d 100644 --- a/config/hooks/live/0090_jitterentropy.chroot +++ b/config/hooks/live/0090_jitterentropy.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -28,7 +28,7 @@ ExecStart= ExecStart=/usr/sbin/jitterentropy-rngd --osr=2 EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0120_set_hostname.chroot b/config/hooks/live/0120_set_hostname.chroot index 7d68447..f919c14 100644 --- a/config/hooks/live/0120_set_hostname.chroot +++ b/config/hooks/live/0120_set_hostname.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak @@ -26,7 +26,7 @@ localhost.local EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
diff --git a/config/hooks/live/0130_machineid.chroot b/config/hooks/live/0130_machineid.chroot index f20afec..f9be0f9 100644 --- a/config/hooks/live/0130_machineid.chroot +++ b/config/hooks/live/0130_machineid.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root if [[ -f /var/lib/dbus/machine-id ]]; then @@ -32,7 +32,7 @@ b08dfa6083e7567a1921a715000001fb EOF chmod 644 /etc/machine-id -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0400_eza_install.chroot b/config/hooks/live/0400_eza_install.chroot index ca41f59..6dd84cf 100644 --- a/config/hooks/live/0400_eza_install.chroot +++ b/config/hooks/live/0400_eza_install.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root @@ -147,7 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts fc-cache -fv rm -rf /tmp/nerd -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0800_lynis_setup.chroot b/config/hooks/live/0800_lynis_setup.chroot index afe8f75..d94eef0 100644 --- a/config/hooks/live/0800_lynis_setup.chroot +++ b/config/hooks/live/0800_lynis_setup.chroot 
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list @@ -463,7 +463,7 @@ upload-options= #EOF EOF_LYNIS -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0810_chrony_setup.chroot b/config/hooks/live/0810_chrony_setup.chroot index b19ff04..702b0ad 100644 --- a/config/hooks/live/0810_chrony_setup.chroot +++ b/config/hooks/live/0810_chrony_setup.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" mkdir -p /var/log/chrony @@ -114,7 +114,7 @@ fi chronyd -Q -f /etc/chrony/chrony.conf 2>&1 -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0820_kernel_hardening_checker.chroot b/config/hooks/live/0820_kernel_hardening_checker.chroot index a0a50f4..74d617f 100644 --- a/config/hooks/live/0820_kernel_hardening_checker.chroot +++ b/config/hooks/live/0820_kernel_hardening_checker.chroot 
@@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root/git git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0822_ssh_restart_hook.chroot b/config/hooks/live/0822_ssh_restart_hook.chroot index eda735f..66cfffe 100644 --- a/config/hooks/live/0822_ssh_restart_hook.chroot +++ b/config/hooks/live/0822_ssh_restart_hook.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" mkdir -p /etc/systemd/system/ssh.service.d @@ -24,7 +24,7 @@ Wants=network-online.target ExecStartPre=/bin/sleep 5 EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0825_my_sqltuner_perl.chroot b/config/hooks/live/0825_my_sqltuner_perl.chroot index 57a92d3..7310607 100644 --- a/config/hooks/live/0825_my_sqltuner_perl.chroot +++ b/config/hooks/live/0825_my_sqltuner_perl.chroot 
@@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root/git git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0830_download_yq.chroot b/config/hooks/live/0830_download_yq.chroot index cc7d55c..906609a 100644 --- a/config/hooks/live/0830_download_yq.chroot +++ b/config/hooks/live/0830_download_yq.chroot @@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq chmod +x /usr/bin/yq -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0835_testssl.sh.chroot b/config/hooks/live/0835_testssl.sh.chroot index 770c853..b3618d2 100644 --- a/config/hooks/live/0835_testssl.sh.chroot +++ b/config/hooks/live/0835_testssl.sh.chroot 
@@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root/git git clone https://github.com/testssl/testssl.sh.git -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot index ec15332..12c1d72 100644 --- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot +++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -22,7 +22,7 @@ apt-get install -y nodejs cd /root/git git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0845_harbian_audit.chroot b/config/hooks/live/0845_harbian_audit.chroot index dd4613f..d48857a 100644 --- a/config/hooks/live/0845_harbian_audit.chroot +++ b/config/hooks/live/0845_harbian_audit.chroot 
@@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root/git git clone https://github.com/hardenedlinux/harbian-audit.git -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0850_ssh_audit.chroot b/config/hooks/live/0850_ssh_audit.chroot index 1ae09bf..bade971 100644 --- a/config/hooks/live/0850_ssh_audit.chroot +++ b/config/hooks/live/0850_ssh_audit.chroot @@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root/git git clone https://github.com/jtesta/ssh-audit.git -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0855_dnsviz.chroot b/config/hooks/live/0855_dnsviz.chroot index 2b5c896..f866bad 100644 --- a/config/hooks/live/0855_dnsviz.chroot +++ b/config/hooks/live/0855_dnsviz.chroot @@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root/git git clone https://github.com/dnsviz/dnsviz.git -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
diff --git a/config/hooks/live/0860_sops.chroot b/config/hooks/live/0860_sops.chroot
index b1f5e48..586af4b 100644
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -11,47 +11,307 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
-SOPS_VER="v3.13.0"
-ARCH="$(dpkg --print-architecture)"
-case "${ARCH}" in
- amd64) SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
- arm64) SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
- *) echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
-esac
+declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"
+declare SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"
-cd /tmp
+#######################################
+# Print a fatal error and abort the hook.
+# Globals:
+# None
+# Arguments:
+# 1: Message string
+# Returns:
+# None
+#######################################
+die() {
+ declare message="$1"
+ printf "\e[91m❌ ERROR: %s \e[0m\n" "${message}" >&2
+ exit 43
+}
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
+#######################################
+# Require an executable tool.
+# Globals:
+# None
+# Arguments:
+# 1: Tool name
+# Returns:
+# 0: on success
+#######################################
+require_tool() {
+ declare tool_name="$1"
-cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
- --certificate "sops-${SOPS_VER}.checksums.pem" \
- --signature "sops-${SOPS_VER}.checksums.sig" \
- --certificate-identity-regexp="https://github.com/getsops" \
- --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+ command -v "${tool_name}" >/dev/null 2>&1 || die "Required tool not found: ${tool_name}"
-sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
+ return 0
+}
-install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
-age --version >| /root/.ciss/cdlb/log/age.log
+#######################################
+# Validate and normalize a SOPS semantic version.
+# Globals:
+# None
+# Arguments:
+# 1: SOPS version string
+# Outputs:
+# Normalized bare semantic version
+# Returns:
+# 0: on success
+#######################################
+normalize_sops_version() {
+ declare sops_version="${1#v}"
-rm -f "/tmp/${SOPS_FILE}"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
+ [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || \
+ die "Invalid SOPS version '${1}'. Expected '..' without prerelease metadata."
-chmod 0400 /root/.config/sops/age/keys.txt
+ printf '%s' "${sops_version}"
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+ return 0
+}
+
+#######################################
+# Download a mandatory release asset.
+# Globals:
+# None
+# Arguments:
+# 1: Asset URL
+# 2: Target filename
+# Returns:
+# 0: on success
+#######################################
+download_required_asset() {
+ declare asset_url="$1"
+ declare target_file="$2"
+
+ if ! curl -fsSLo "${target_file}" "${asset_url}"; then
+ die "Failed to download required SOPS asset '${target_file}' from '${asset_url}'."
+ fi
+
+ [[ -s "${target_file}" ]] || die "Downloaded SOPS asset is empty: ${target_file}"
+
+ return 0
+}
+
+#######################################
+# Download an optional release asset and distinguish absence from download errors.
+# Globals:
+# None
+# Arguments:
+# 1: Asset URL
+# 2: Target filename
+# Returns:
+# 0: asset was downloaded
+# 1: asset is absent upstream
+#######################################
+download_optional_asset() {
+ declare asset_url="$1"
+ declare target_file="$2"
+ declare http_code=""
+
+ if ! http_code=$(curl -sSLo "${target_file}" -w '%{http_code}' "${asset_url}"); then
+ rm -f -- "${target_file}"
+ die "Failed to query optional SOPS asset '${target_file}' from '${asset_url}'."
+ fi
+
+ case "${http_code}" in
+ 200)
+ [[ -s "${target_file}" ]] || die "Optional SOPS asset is empty after HTTP 200: ${target_file}"
+ return 0
+ ;;
+ 404)
+ rm -f -- "${target_file}"
+ return 1
+ ;;
+ *)
+ rm -f -- "${target_file}"
+ die "Unexpected HTTP status ${http_code} for optional SOPS asset '${target_file}' from '${asset_url}'."
+ ;;
+ esac
+}
+
+#######################################
+# Verify the SOPS checksums file with Cosign.
+# Globals:
+# SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP
+# SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER
+# Arguments:
+# 1: Checksums filename
+# 2: Bundle filename
+# 3: Certificate filename
+# 4: Signature filename
+# Returns:
+# 0: on success
+#######################################
+verify_sops_checksums_signature() {
+ declare checksums_file="$1"
+ declare bundle_file="$2"
+ declare certificate_file="$3"
+ declare signature_file="$4"
+
+ if [[ -f "${bundle_file}" ]]; then
+ printf "\e[95m[INFO] Verifying SOPS checksums with Cosign bundle: %s \e[0m\n" "${bundle_file}"
+ cosign verify-blob "${checksums_file}" \
+ --bundle "${bundle_file}" \
+ --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+ --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+ die "SOPS checksum signature verification failed in bundle mode for '${checksums_file}' using '${bundle_file}'."
+ return 0
+ fi
+
+ if [[ -f "${certificate_file}" && -f "${signature_file}" ]]; then
+ printf "\e[95m[INFO] Verifying SOPS checksums with Cosign split certificate/signature: %s %s \e[0m\n" "${certificate_file}" "${signature_file}"
+ cosign verify-blob "${checksums_file}" \
+ --certificate "${certificate_file}" \
+ --signature "${signature_file}" \
+ --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+ --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+ die "SOPS checksum signature verification failed in legacy split mode for '${checksums_file}' using '${certificate_file}' and '${signature_file}'."
+ return 0
+ fi
+
+ if [[ -f "${certificate_file}" || -f "${signature_file}" ]]; then
+ die "Incomplete legacy SOPS signature layout for '${checksums_file}'. Expected both '${certificate_file}' and '${signature_file}'."
+ fi
+
+ die "No supported SOPS checksum signature layout found for '${checksums_file}'. Expected bundle or split certificate/signature assets."
+}
+
+#######################################
+# Verify the SOPS artifact checksum and ensure the expected artifact was covered.
+# Globals:
+# None
+# Arguments:
+# 1: Checksums filename
+# 2: Artifact filename
+# Returns:
+# 0: on success
+#######################################
+verify_sops_artifact_checksum() {
+ declare checksums_file="$1"
+ declare artifact_file="$2"
+ declare checksum_output=""
+
+ if ! checksum_output=$(sha256sum -c "${checksums_file}" --ignore-missing 2>&1); then
+ printf '%s\n' "${checksum_output}" >&2
+ die "SOPS artifact checksum verification failed for '${artifact_file}' using '${checksums_file}'."
+ fi
+
+ printf '%s\n' "${checksum_output}"
+
+ if ! grep -Fxq "${artifact_file}: OK" <<< "${checksum_output}" && \
+ ! grep -Fxq "./${artifact_file}: OK" <<< "${checksum_output}"; then
+ die "SOPS checksum verification did not cover expected artifact '${artifact_file}' from '${checksums_file}'."
+ fi
+
+ return 0
+}
+
+#######################################
+# Install SOPS from an upstream GitHub release after signature and checksum verification.
+# Globals:
+# CISS_SOPS_VERSION
+# Arguments:
+# None
+# Returns:
+# 0: on success
+#######################################
+main() {
+ require_tool curl
+ require_tool cosign
+ require_tool sha256sum
+
+ declare sops_env="/root/sops.env"
+ [[ -r "${sops_env}" ]] || die "Missing SOPS environment file: ${sops_env}"
+
+ # shellcheck disable=SC1090
+ . "${sops_env}"
+
+ declare ciss_sops_version
+ ciss_sops_version=$(normalize_sops_version "${CISS_SOPS_VERSION:?CISS_SOPS_VERSION is not set}")
+
+ declare architecture
+ architecture="$(dpkg --print-architecture)"
+
+ declare sops_tag="v${ciss_sops_version}"
+ declare sops_file=""
+ case "${architecture}" in
+ amd64)
+ sops_file="sops-${sops_tag}.linux.amd64"
+ ;;
+ arm64)
+ sops_file="sops-${sops_tag}.linux.arm64"
+ ;;
+ *)
+ die "Unsupported architecture '${architecture}' for SOPS version '${ciss_sops_version}'. Expected amd64 or arm64."
+ ;;
+ esac
+
+ declare release_base_url="https://github.com/getsops/sops/releases/download/${sops_tag}"
+ declare checksums_file="sops-${sops_tag}.checksums.txt"
+ declare bundle_file="sops-${sops_tag}.checksums.sigstore.json"
+ declare certificate_file="sops-${sops_tag}.checksums.pem"
+ declare signature_file="sops-${sops_tag}.checksums.sig"
+ declare bundle_available="false"
+ declare certificate_available="false"
+ declare signature_available="false"
+
+ cd /tmp
+
+ printf "\e[95m[INFO] Downloading SOPS %s asset: %s \e[0m\n" "${ciss_sops_version}" "${sops_file}"
+ download_required_asset "${release_base_url}/${sops_file}" "${sops_file}"
+ download_required_asset "${release_base_url}/${checksums_file}" "${checksums_file}"
+
+ # shellcheck disable=SC2310
+ if download_optional_asset "${release_base_url}/${bundle_file}" "${bundle_file}"; then
+ bundle_available="true"
+ fi
+
+ if [[ "${bundle_available}" == "false" ]]; then
+ # shellcheck disable=SC2310
+ if download_optional_asset "${release_base_url}/${certificate_file}" "${certificate_file}"; then
+ certificate_available="true"
+ fi
+
+ # shellcheck disable=SC2310
+ if download_optional_asset "${release_base_url}/${signature_file}" "${signature_file}"; then
+ signature_available="true"
+ fi
+
+ if [[ "${certificate_available}" != "${signature_available}" ]]; then
+ die "Incomplete legacy SOPS signature assets for version '${ciss_sops_version}'. Expected both '${certificate_file}' and '${signature_file}'."
+ fi
+ fi
+
+ verify_sops_checksums_signature "${checksums_file}" "${bundle_file}" "${certificate_file}" "${signature_file}"
+ verify_sops_artifact_checksum "${checksums_file}" "${sops_file}"
+
+ install -m 0755 "${sops_file}" /usr/local/bin/sops
+ sops --version >| /root/.ciss/cdlb/log/sops.log
+ age --version >| /root/.ciss/cdlb/log/age.log
+
+ rm -f -- "/tmp/${sops_file}"
+ rm -f -- "/tmp/${checksums_file}"
+ rm -f -- "/tmp/${bundle_file}"
+ rm -f -- "/tmp/${certificate_file}"
+ rm -f -- "/tmp/${signature_file}"
+
+ if [[ -f /root/.config/sops/age/keys.txt ]]; then
+ chmod 0400 /root/.config/sops/age/keys.txt
+ fi
+
+ printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+ return 0
+}
+
+if [[ "${CISS_SOPS_TEST_MODE:-false}" != "true" ]]; then
+ main "$@"
+ exit 0
+fi
-exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0865_yq.chroot b/config/hooks/live/0865_yq.chroot
index d23b6fd..409efe3 100644
--- a/config/hooks/live/0865_yq.chroot
+++ b/config/hooks/live/0865_yq.chroot
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,7 @@ wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O
 yq --version
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0870_bashdb.chroot b/config/hooks/live/0870_bashdb.chroot
index c1d8512..dafc31c 100644
--- a/config/hooks/live/0870_bashdb.chroot
+++ b/config/hooks/live/0870_bashdb.chroot
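Review bot: The Cosign identity regexp declared near the top of the hook, `SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"`, is unanchored, so both the bundle path and the split certificate/signature path in `verify_sops_checksums_signature` accept any GitHub Actions certificate whose identity merely contains that substring (a GitHub account whose name starts with `getsops` would qualify); anchor it to the releasing repository, e.g. `declare -r SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="^https://github\.com/getsops/sops/"`. `main` still works in `/tmp` under predictable asset names and only removes them on the success path, so a `die` from `download_required_asset` or from either verify step leaves unverified downloads behind, and `curl -o` overwrites a pre-existing file of the same name regardless of the script's `set -C`; a `mktemp -d` working directory with an `EXIT` trap would cover both. `age --version` is also run without a `require_tool age` check, unlike curl, cosign and sha256sum.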
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" umask 0077 @@ -31,7 +31,7 @@ apt-get purge -y texinfo apt-get autoremove --purge -y apt-get autoclean -y -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0900_ufw_setup.chroot b/config/hooks/live/0900_ufw_setup.chroot index 45aea05..3612928 100644 --- a/config/hooks/live/0900_ufw_setup.chroot +++ b/config/hooks/live/0900_ufw_setup.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" declare -r UFW_OUT_POLICY="deny" declare -r SSHPORT="SSHPORT_MUST_BE_SET" @@ -61,7 +61,7 @@ sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9900_process_accounting.chroot b/config/hooks/live/9900_process_accounting.chroot index 97d8d38..dac9fbd 100644 --- a/config/hooks/live/9900_process_accounting.chroot +++ b/config/hooks/live/9900_process_accounting.chroot 
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -26,15 +26,15 @@ fi if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n" + printf "\e[92m✅ 'Process Accounting' enabled successful. \e[0m\n" else - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2 + printf "\e[91m❌ 'Process Accounting' already enabled. \e[0m\n" >&2 fi -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9910_motd.chroot b/config/hooks/live/9910_motd.chroot index 745eb9c..15d4216 100644 --- a/config/hooks/live/9910_motd.chroot +++ b/config/hooks/live/9910_motd.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" mkdir -p /root/.ciss/cdlb/backup/update-motd.d cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d @@ -23,7 +23,7 @@ EOF chmod 0755 /etc/update-motd.d/10-uname -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9920_deleting_invalid_x509.chroot b/config/hooks/live/9920_deleting_invalid_x509.chroot index 6f24442..5fe9344 100644 
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot +++ b/config/hooks/live/9920_deleting_invalid_x509.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt") declare backup_dir="/root/.ciss/cdlb/backup/certificates" @@ -29,7 +29,7 @@ declare -ax expired_certificates=() # None ####################################### create_backup() { - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}" + printf "\e[95m🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}" mkdir -p "${backup_dir}" declare dir="" @@ -44,7 +44,7 @@ create_backup() { done - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}" + printf "\e[92m✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}" } ####################################### @@ -104,7 +104,7 @@ delete_expired_from_all_bundles() { if [[ -f ${bundle} ]]; then - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}" + printf "\e[95m🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}" declare tmp_bundle="${bundle}.tmp" declare -a block=() declare expired=0 @@ -149,7 +149,7 @@ delete_expired_from_all_bundles() { else - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}" + printf "\e[92m✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}" fi 
@@ -161,29 +161,29 @@ delete_expired_from_all_bundles() { mv -f "${tmp_bundle}" "${bundle}" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}" + printf "\e[92m✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}" fi done } -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}" +printf "\e[95m🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}" create_backup delete_expired_from_all_bundles check_certificates if [[ ${#expired_certificates[@]} -eq 0 ]]; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n" + printf "\e[92m✅ No expired certificates found.\e[0m\n" else - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n" + printf "\e[95m🧪 Expired certificates found:\e[0m\n" for exp_cert in "${expired_certificates[@]}"; do - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}" + printf "\e[92m'%s'. \e[0m\n" "${exp_cert}" done @@ -191,7 +191,7 @@ else rm -f "${exp_cert}" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}" + printf "\e[92m✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}" basename=$(basename "${exp_cert}") mozilla_entry="mozilla/${basename%.pem}.crt" mozilla_entry="${mozilla_entry%.crt}.crt" 
@@ -200,19 +200,19 @@ else if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}" + printf "\e[92m✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}" fi done - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n" + printf "\e[95m✅ Updating the certificate cache ... \e[0m\n" update-ca-certificates --fresh - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n" + printf "\e[92m✅ Updating the certificate cache done.\e[0m\n" fi -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 diff --git a/config/hooks/live/9930_hardening_ssh.chroot b/config/hooks/live/9930_hardening_ssh.chroot index 1cc7cda..b90f5a9 100644 --- a/config/hooks/live/9930_hardening_ssh.chroot +++ b/config/hooks/live/9930_hardening_ssh.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" declare _key="" cd /etc/ssh @@ -115,7 +115,7 @@ fi /usr/sbin/sshd -t || exit 42 -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9935_hardening_ssl.chroot b/config/hooks/live/9935_hardening_ssl.chroot index 1ff3b34..20b8ce1 100644 --- a/config/hooks/live/9935_hardening_ssl.chroot +++ b/config/hooks/live/9935_hardening_ssl.chroot 
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" mkdir -p /root/.ciss/cdlb/backup/etc/ssl @@ -439,7 +439,7 @@ SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_ps # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9940_hardening_memory.dump.chroot b/config/hooks/live/9940_hardening_memory.dump.chroot index 8da7e6d..32f00de 100644 --- a/config/hooks/live/9940_hardening_memory.dump.chroot +++ b/config/hooks/live/9940_hardening_memory.dump.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak @@ -82,7 +82,7 @@ KeepFree=0 EOF chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9950_hardening_fail2ban.chroot b/config/hooks/live/9950_hardening_fail2ban.chroot index 6d4c93d..90125c8 100644 --- a/config/hooks/live/9950_hardening_fail2ban.chroot +++ b/config/hooks/live/9950_hardening_fail2ban.chroot 
@@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root @@ -235,7 +235,7 @@ EOF touch /var/log/fail2ban/fail2ban.log chmod 0640 /var/log/fail2ban/fail2ban.log -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9960_disable_services.chroot b/config/hooks/live/9960_disable_services.chroot index 12294c9..10bea13 100644 --- a/config/hooks/live/9960_disable_services.chroot +++ b/config/hooks/live/9960_disable_services.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" ########################################################################################### # Remarks: Turn off Energy saving mode and ctrl-alt-del # @@ -23,7 +23,7 @@ done unset target -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9970_remove_exim.chroot b/config/hooks/live/9970_remove_exim.chroot index 7217cd6..f0315ae 100644 --- a/config/hooks/live/9970_remove_exim.chroot +++ b/config/hooks/live/9970_remove_exim.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" 
@@ -33,7 +33,7 @@ if [[ -d /etc/exim4 ]]; then rm -rf /etc/exim4 fi -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9980_usb_guard.chroot b/config/hooks/live/9980_usb_guard.chroot index 369c1b7..dc2da15 100644 --- a/config/hooks/live/9980_usb_guard.chroot +++ b/config/hooks/live/9980_usb_guard.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" @@ -41,7 +41,7 @@ cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon rm -f /tmp/rules.conf -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9990_final_purge.chroot b/config/hooks/live/9990_final_purge.chroot index c2d561f..0d8eefa 100644 --- a/config/hooks/live/9990_final_purge.chroot +++ b/config/hooks/live/9990_final_purge.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh @@ -29,7 +29,7 @@ dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true if [[ -s /tmp/deinstall.log ]]; then printf "\n" - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n" + printf "\e[95m🧪 Packages to purge ... \e[0m\n" sed -i 's!deinstall!!' /tmp/deinstall.log while IFS= read -r line; do 
@@ -37,16 +37,16 @@ if [[ -s /tmp/deinstall.log ]]; then declare trimmed_string trimmed_string=$(echo "${line}" | awk '{$1=$1};1') echo "y" | apt-get purge "${trimmed_string}" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}" + printf "\e[92m✅ Package '%s' purged. \e[0m\n" "${trimmed_string}" done < /tmp/deinstall.log - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n" + printf "\e[92m✅ Packages to purge done. \e[0m\n" else printf "\n" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n" + printf "\e[92m✅ No Packages to purge, proceeding with clean up. \e[0m\n" fi @@ -60,7 +60,7 @@ apt-get autopurge -y updatedb -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9991_file_permissions.chroot b/config/hooks/live/9991_file_permissions.chroot index 9973674..cdc0d95 100644 --- a/config/hooks/live/9991_file_permissions.chroot +++ b/config/hooks/live/9991_file_permissions.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" chmod 0644 /etc/banner chmod 0644 /etc/issue @@ -109,7 +109,7 @@ find /root -xdev -exec chown -h root:root {} + rm -f /etc/tmpfiles.d/legacy.conf -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9992_password_expiration.chroot b/config/hooks/live/9992_password_expiration.chroot index c7a622d..5b86661 100644 --- a/config/hooks/live/9992_password_expiration.chroot 
+++ b/config/hooks/live/9992_password_expiration.chroot @@ -10,6 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail + ####################################### # Iterates all '/etc/shadow' entries and sets: # 4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102 @@ -92,12 +93,12 @@ update_shadow() { # shellcheck disable=SC2034 readonly -f update_shadow -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" if ! command -v chage &>/dev/null; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" + printf "\e[92m✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n" + printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 @@ -111,8 +112,8 @@ mapfile -t users_to_update < <( if [[ ${#users_to_update[@]} -eq 0 ]]; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" + printf "\e[92m✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n" + printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 @@ -120,7 +121,7 @@ fi declare user for user in "${users_to_update[@]}"; do - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}" + printf "\e[92m✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}" chage --maxdays "${max_days}" "${user}" done 
@@ -128,11 +129,11 @@ unset max_days user users_to_update
 awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
+printf "\e[92m✅ All applicable accounts have been updated. \e[0m\n"
 update_shadow
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9993_aide.chroot b/config/hooks/live/9993_aide.chroot
index 687568f..691d3a9 100644
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -23,15 +23,15 @@ sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 if aideinit > /dev/null 2>&1; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
+ printf "\e[92m✅ 'aideinit' successful. \e[0m\n"
 else
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
+ printf "\e[91m❌ 'aideinit' NOT successful. \e[0m\n" >&2
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9994_password_policy.chroot b/config/hooks/live/9994_password_policy.chroot
index d4b5e59..46ab6af 100644
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
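Review bot: The context line at the top of the password_expiration hunk, `awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow`, prints field 2 — the password hash — for every legacy 13-character entry, so those hashes end up in the build output and in any captured hook log. Printing only the account name, `{ print $1 }`, gives the operator the same signal (which accounts still carry a legacy hash) without copying secret material into logs. The line also has no comment saying why it runs unconditionally and what the reader is expected to do with the output; a one-line `# Report accounts still using legacy 13-char crypt(3) hashes` would help. The changed lines in this hunk only shorten the printf banners.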
@@ -15,7 +15,7 @@ set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" # shellcheck disable=SC2155 declare -r VAR_DATE="$(date +%F)" @@ -130,7 +130,7 @@ local_users_only EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9995_sysstat.chroot b/config/hooks/live/9995_sysstat.chroot index 94b952a..fe9299a 100644 --- a/config/hooks/live/9995_sysstat.chroot +++ b/config/hooks/live/9995_sysstat.chroot @@ -11,11 +11,11 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot index bfff85f..42572f4 100644 --- a/config/hooks/live/9996_auditd.chroot +++ b/config/hooks/live/9996_auditd.chroot @@ -21,7 +21,7 @@ set -Ceuo pipefail ####################################### log() { printf '[auditd-build] %s\n' "${*}" >&2; } -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root @@ -374,7 +374,7 @@ ExecStart=/usr/sbin/augenrules --load EOF -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
diff --git a/config/hooks/live/9997_debsums.chroot b/config/hooks/live/9997_debsums.chroot index 212107d..2ca2e2c 100644 --- a/config/hooks/live/9997_debsums.chroot +++ b/config/hooks/live/9997_debsums.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" cd /root @@ -26,16 +26,16 @@ sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums if debsums -g > /dev/null 2>&1; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n" + printf "\e[92m✅ 'debsums -g' successful. \e[0m\n" else # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup. - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1 + printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1 fi -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9998_sources_list_trixie.chroot b/config/hooks/live/9998_sources_list_trixie.chroot index 0839fb6..f68498b 100644 --- a/config/hooks/live/9998_sources_list_trixie.chroot +++ b/config/hooks/live/9998_sources_list_trixie.chroot @@ -11,7 +11,7 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh export DEBIAN_FRONTEND="noninteractive" 
@@ -130,7 +130,7 @@ apt-get dist-upgrade -y # (= apt full-upgrade) allow installs/replacement
 apt-get autoremove --purge -y # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y # Stronger than autoclean: removes the entire '.deb'-cache.
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9999_yyyy_logrotate.chroot b/config/hooks/live/9999_yyyy_logrotate.chroot
index 94431b0..b01ab4e 100644
--- a/config/hooks/live/9999_yyyy_logrotate.chroot
+++ b/config/hooks/live/9999_yyyy_logrotate.chroot
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 ### Declare Arrays, HashMaps, and Variables.
 declare -ar ary_logrotate=(
@@ -53,15 +53,15 @@ done
 if ! logrotate -d /etc/logrotate.conf; then
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+ printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
 else
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+ printf "\e[92m✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
 fi
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9999_zzzz.chroot b/config/hooks/live/9999_zzzz.chroot
index 3c2df02..645c20a 100644
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
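Review bot: In the logrotate hunk the failure branch keeps a ✅ marker and writes to stdout, `printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"`, while the failure branches rewritten elsewhere in this commit (9993_aide, 9900_process_accounting) use ❌ and `>&2`; since the banner is being rewritten anyway, `printf "\e[91m❌ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n" >&2` would make it consistent and visible to log filters keyed on stderr. The hook then still prints "applied successfully" and exits 0 after a failed configuration dry run; whether a broken logrotate.conf should stop the build is a policy choice, but the deliberate continue deserves a one-line comment so it is not mistaken for an oversight.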
@@ -11,7 +11,11 @@ # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" +# Final live-build chroot cleanup hook. Removes transient build artifacts, tightens permissions on CISS root/key material, +# regenerates initramfs images, prepares systemd-resolved DNS configuration, and forces the live system to boot into +# multi-user.target by masking common display managers. + +printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}" declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target" @@ -92,7 +96,7 @@ for var_dm in "${ary_dm_units[@]}"; do done -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9999_zzzz_secure_boot.chroot b/config/hooks/live/9999_zzzz_secure_boot.chroot deleted file mode 100644 index a9e5bd3..0000000 --- a/config/hooks/live/9999_zzzz_secure_boot.chroot +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2026-05-16; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu -set -Ceuo pipefail - -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" - -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" - -exit 0 -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
diff --git a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
index 7ccc8f2..be5a0da 100644
--- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -11,9 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode.
+# Final live-build binary hook for encrypted root filesystem packaging. Preallocate a LUKS2 container, formats it with the
+# generated build secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container,
+# shreds the temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload.
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 __umask=$(umask)
 umask 0077
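Review bot: The new header comment of the crypt_squash hook mixes verb forms: `Preallocate a LUKS2 container, formats it with the` should read `Preallocates a LUKS2 container, formats it with the` to match "copies", "closes" and "shreds" in the same sentence. The same hunk removes `# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode.` without a visible replacement; if that unification has not been done in this commit, the open item should stay in the file (or the comment should say where it is now tracked) so it is not silently lost. The rest of the hunk only shortens the start banner.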
@@ -36,23 +38,23 @@ preallocate() {
 if fallocate -l "${size}" -- "${file}" 2>/dev/null; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
+ printf "\e[92m✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
 return 0
 else
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
+ printf "\e[91m❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
 fi
 if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+ printf "\e[92m✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
 return 0
 else
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+ printf "\e[91m❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
 return 42
 fi
@@ -129,11 +131,11 @@ declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
 if (( LUKS_FREE >= SQUASH_FS )); then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+ printf "\e[92m✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
 else
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+ printf "\e[91m❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
 exit 42
 fi
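Review bot: The rewritten error line in the size-check hunk still reports `LUKS_FREE '%s' <= SQUASH_FS '%s'`, but that branch is reached only when `(( LUKS_FREE >= SQUASH_FS ))` is false, i.e. when LUKS_FREE is strictly smaller, so the message misdescribes the failing condition to whoever reads the build log; `printf "\e[91m❌ LUKS_FREE '%s' < SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2` states what was actually checked. The message text is touched by the commit, so fixing the operator here costs nothing. In the preallocate() hunk above, the function's signature and the `size`/`file`/`blocksize`/`blockcounter` assignments lie outside the hunk.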
@@ -151,7 +153,7 @@ rm -f -- "${ROOTFS}" umask "${__umask}" __umask="" -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" +printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index 302b81f..5984e35 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.004.2026.05.17 +# Version Master V9.14.008.2026.06.04 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa 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 diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index b976300..525caa9 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.004.2026.05.17 +# Version Master V9.14.008.2026.06.04 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened index 4c1f394..9ec38f8 100644 --- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened +++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened 
@@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.004.2026.05.17 +# Version Master V9.14.008.2026.06.04 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 150bc1e..4efa887 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V9.14.004.2026.05.17" +declare -gr VERSION="Master V9.14.008.2026.06.04" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 6c9aa3d..c259736 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V9.14.004.2026.05.17 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V9.14.008.2026.06.04 at: 10:18:37.9542 diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index c268a46..3a25566 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index f9c0a01..a26c71c 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 31bd644..4eb6ffb 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 445c6b4..546c81e 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 06df12b..b6fe5b1 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index b79b3e9..df0aff9 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index e328058..b0fd7af 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Changelog +## V9.14.008.2026.06.04 +tba + ## V9.14.004.2026.05.17 * **Added**: [AGENTS.md](../AGENTS.md) * **Added**: [code_review.md](../code_review.md) diff --git a/docs/CNET.md b/docs/CNET.md index 9267aa1..3d72506 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 0fe2e51..a866414 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md 
@@ -10,23 +10,27 @@ include_toc: true # 2. Purpose -This document defines the coding and review conventions for this repository. +This document defines the coding and review conventions for this repository. This file is the detailed engineering convention. The project builds Debian-based live and installer infrastructure. Treat every change as security-sensitive and boot-chain-sensitive, especially changes that affect initramfs behavior, encrypted SquashFS handling, LUKS, Dropbear, GRUB, checksums, signatures, package sources, hardening settings, or network exposure. +`AGENTS.md` is the short operational guide for Codex. +`code_review.md` is used for review tasks and final self-review. + # 3. Change discipline -* Keep changes small, local, and reviewable. -* Make one functional change per pull request or patch set. -* Preserve existing architecture, naming style, error handling, formatting, and security posture. -* Do not introduce Ubuntu-specific assumptions. The default target distribution is Debian 13 Trixie. -* Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, or Debian package behavior. Verify against existing - code or authoritative Debian/upstream documentation. -* Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum - verification, or input validation unless the task explicitly requires it and the risk is documented. -* Prefer simple, inspectable Bash over clever abstractions. +* Keep changes small, local, and reviewable. +* Make one functional change per patch set. +* Preserve existing architecture, naming style, error handling, formatting, and security posture. +* Do not introduce Ubuntu-specific assumptions. +* Target Debian 13 Trixie unless explicitly instructed otherwise. +* Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, Debian package, or upstream tool behavior. 
+* Verify uncertain behavior against repository code or authoritative upstream documentation. +* Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum verification, provenance verification, or input validation unless explicitly requested and documented. +* Prefer simple, inspectable Bash over clever abstractions. +* Do not perform unrelated cleanup or formatting churn. # 4. Boot and build phases @@ -123,7 +127,7 @@ Run the narrowest checks that prove the change: * Live-build, initramfs, or ISO behavior changes: document the required Debian Trixie build validation command, normally `make live` or the equivalent `./ciss_live_builder.sh ...` invocation. -If a relevant check cannot be run in the current environment, state the exact reason and the command that should be run locally. +If a relevant check cannot be run in the current environment, state the exact reason, and the command that should be run locally. # 12. Code review diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 94c6ed5..40909dd 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 3970b82..892d360 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 20e9c8f..3b6a4d5 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 48dadae..fa48cc5 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,18 +8,18 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.004.2026.05.17
+**Build**: V9.14.008.2026.06.04
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V9.14.004.2026.05.17 +Master V9.14.008.2026.06.04 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. -(c) Marc S. Weidner, 2018 - 2025 -(p) Centurion Press, 2024 - 2025 +(c) Marc S. Weidner, 2018 - 2026 +(p) Centurion Press, 2024 - 2026 ./ciss_live_builder.sh