msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.384.2025.11.06
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m37s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m9s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-06 19:59:22 +01:00
parent d436346343
commit ef87becefe
93 changed files with 2021 additions and 1229 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.archive/.0000_lib_usage.sh
View File

@@ -21,7 +21,7 @@ usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.13.296.2025.10.29\e[0m")
$(echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

248
.archive/0002_verify_checksums.chroot Normal file
View File

@@ -0,0 +1,248 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
target="/usr/lib/live/boot/0030-verify-checksums"
src="$(mktemp)"
if [[ ! -d /usr/lib/live/boot ]]; then
mkdir -p /usr/lib/live/boot
fi
cat << 'EOF' >| "${src}"
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
# Arguments:
# 1: _MOUNTPOINT
# Returns:
# 0 : Successful verification
#######################################
Verify_checksums() {
_MOUNTPOINT="${1}"
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
live-boot.verify-checksums-signatures | verify-checksums-signatures)
LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
printf "\n"
CDLB_SCRIPT="$(basename "${0}")"
CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
log_end_msg
printf "\n"
fi
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
_RETURN_PGP="${?}"
else
_RETURN_PGP="na"
fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN_SHA="${?}"
# Stop after the first verification.
break 2
else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
fi
fi
done
done
log_end_msg
case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0)
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
na,0)
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*,0)
panic "Verification of signature file failed while verification of checksum file successful."
;;
na,*)
panic "Verification of checksum file failed."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
# Copy and make executable
install -m 0755 "${src}" "${target}"
rm -f "${src}"
unset target src
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

0
config/hooks/live/9998_sources_list_bookworm.chroot → .archive/9998_sources_list_bookworm.chroot
View File

11
.gitea/workflows/generate_PRIVATE_trixie_0.yaml → .archive/generate_PRIVATE_trixie_0.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -72,11 +72,11 @@ jobs:
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -87,7 +87,7 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -242,6 +242,7 @@ jobs:
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "$OUT"
echo "Hook removed: $OUT"
shred -fzu -n 5 /opt/config/authorized_keys
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
@@ -418,7 +419,7 @@ jobs:
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]

136
.archive/generate_PRIVATE_trixie_1.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -35,10 +35,23 @@ jobs:
container:
image: debian:trixie
steps:
- name: 🛠️ Basic Image Setup.
defaults:
run:
shell: bash
working-directory: ${{ github.workspace }}
steps:
- name: ⏳ Waiting random time to desynchronize parallel workflows.
run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
- name: 🛠️ Basic Image Setup.
run: |
set -euo pipefail
umask 0077
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
apt-get upgrade -y
@@ -56,27 +69,23 @@ jobs:
util-linux
- name: ⚙️ Check GnuPG Version.
shell: bash
run: |
gpg --version
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
umask 0077
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -87,44 +96,40 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠 Cleaning the workspace.
shell: bash
- name: Init GNUPGHOME.
run: |
git reset --hard
git clean -fd
set -euo pipefail
umask 0077
GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
mkdir -p -m 700 "${GNUPGHOME}"
echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
gpgconf --reload gpg-agent || true
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
env:
PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
run: |
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
umask 0077
printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
@@ -132,15 +137,33 @@ jobs:
git config gpg.format openpgp
- name: ⚙️ Preparing the build environment.
shell: bash
run: |
set -euo pipefail
mkdir -p /opt/config
mkdir -p /opt/livebuild
touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
umask 0077
mkdir -p /opt/cdlb/secrets
mkdir -p /opt/cdlb/livebuild
install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/cdlb/secrets/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/cdlb/secrets/authorized_keys
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /opt/cdlb/secrets/ssh_host_rsa_key
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
echo "${{ secrets.CISS_PHYS_AGE }}" >| /opt/cdlb/secrets/keys.txt
echo "${{ secrets.CISS_PHYS_LUKS }}" >| /opt/cdlb/secrets/luks.txt
- name: 🔧 Render live hook with secrets.
shell: bash
@@ -153,6 +176,7 @@ jobs:
CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }}
MSW_GPG_DEPLOY_BOT: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
run: |
set -Ceuo pipefail
umask 077
@@ -164,6 +188,7 @@ jobs:
ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
if [[ ! -f "${TPL}" ]]; then
echo "Template not found: ${TPL}"
@@ -180,6 +205,7 @@ jobs:
export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
(
cat << EOF >| "${ID_OUT}"
@@ -216,13 +242,21 @@ jobs:
chmod 0755 "${OUT}"
#perl -0777 -i -pe '
# BEGIN {
# our $age = $ENV{CISS_PHYS_AGE} // q{};
# }
# s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
#' -- "${SOPS}"
#chmod 0755 "${SOPS}"
perl -0777 -i -pe '
BEGIN {
our $age = $ENV{CISS_PHYS_AGE} // q{};
}
s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
' -- "${SOPS}"
chmod 0755 "${SOPS}"
perl -0777 -i -pe '
BEGIN {
our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
}
s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
' -- "${BINARY_CHECKSUMS}"
chmod 0755 "${BINARY_CHECKSUMS}"
echo "Hook rendered: ${OUT}"
@@ -237,19 +271,21 @@ jobs:
./ciss_live_builder.sh \
--autobuild=6.16.3+deb13-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--build-directory /opt/cdlb/livebuild \
--cdi \
--control "${timestamp}" \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
--root-password-file /opt/config/password.txt \
--root-password-file /opt/cdlb/secrets/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /opt/config \
--ssh-pubkey /opt/cdlb/secrets \
--sshfp \
--trixie
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "$OUT"
echo "Hook removed: $OUT"
shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
@@ -297,11 +333,11 @@ jobs:
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
run: |
set -euo pipefail
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
@@ -318,11 +354,11 @@ jobs:
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
shell: bash
run: |
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi

12
.gitea/workflows/generate_PUBLIC_iso.yaml → .archive/generate_PUBLIC_iso.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 💙 Generating a PUBLIC Live ISO.
@@ -72,11 +72,11 @@ jobs:
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -87,7 +87,7 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -146,7 +146,7 @@ jobs:
shell: bash
run: |
set -euo pipefail
sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
@@ -337,7 +337,7 @@ jobs:
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]

8
.archive/icon.lib
View File

@@ -17,6 +17,10 @@
🔑
✍️
🖥️
⬆️
🔼
🆙
🔄
🔁
🌌
@@ -32,6 +36,7 @@
🧪
📩
📥
📤
📦
📑
📂
@@ -52,4 +57,7 @@
☢️
☣️
☁️
📡
🛡️
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

0
lib/lib_lb_config_write.sh → .archive/lib_lb_config_write.sh
View File

2
.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
View File

@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V8.13.296.2025.10.29"
placeholder: "e.g., Master V8.13.384.2025.11.06"
validations:
required: true

2
.gitea/TODO/dockerfile
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
FROM debian:bookworm

8
.gitea/TODO/render-md-to-html.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 🔁 Render README.md to README.html.
@@ -38,11 +38,11 @@ jobs:
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -53,7 +53,7 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.

4
.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
View File

@@ -10,6 +10,6 @@
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1024
version: V8.13.296.2025.10.29
counter: 1023
version: V8.13.384.2025.11.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

2
.gitea/trigger/t_generate_dns.yaml
View File

@@ -11,5 +11,5 @@
build:
counter: 1023
version: V8.13.296.2025.10.29
version: V8.13.384.2025.11.06
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

302
.gitea/workflows/generate_PRIVATE_trixie_1.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -35,11 +35,31 @@ jobs:
container:
image: debian:trixie
steps:
- name: 🛠️ Basic Image Setup.
defaults:
run:
shell: bash
working-directory: ${{ github.workspace }}
steps:
- name: 🕑 Waiting random time to desynchronize parallel workflows.
run: |
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
- name: 🔧 Basic Image Setup.
run: |
set -euo pipefail
umask 0022
echo "APT_LISTCHANGES_FRONTEND=none" >> "${GITHUB_ENV}"
echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
echo "VAR_CDLB_INSIDE_RUNNER=true" >> "${GITHUB_ENV}"
export APT_LISTCHANGES_FRONTEND=none
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq
apt-get upgrade -y
apt-get install -y --no-install-recommends \
@@ -56,27 +76,24 @@ jobs:
util-linux
- name: ⚙️ Check GnuPG Version.
shell: bash
run: |
gpg --version
- name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
shell: bash
run: |
set +x
set -euo pipefail
var_wait=$(( RANDOM % 33 ))
printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
sleep "${var_wait}"
umask 0077
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -87,173 +104,113 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
shell: bash
- name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
- name: 🛠 Cleaning the workspace.
shell: bash
- name: Init GNUPGHOME.
run: |
git reset --hard
git clean -fd
set +x
set -euo pipefail
umask 0077
GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
# shellcheck disable=SC2174
mkdir -p -m 0700 "${GNUPGHOME}"
echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
gpgconf --reload gpg-agent || true
- name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
shell: bash
env:
PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
run: |
set +x
set -euo pipefail
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m 700 "${GNUPGHOME}"
echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
gpg --batch --import centurion-root.PUB.asc
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
umask 0077
printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
- name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
shell: bash
run: |
set +x
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
git config --get user.signingkey
- name: ⚙️ Preparing the build environment.
shell: bash
run: |
set +x
set -euo pipefail
umask 0077
mkdir -p /dev/shm/cdlb_secrets
install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /dev/shm/cdlb_secrets/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /dev/shm/cdlb_secrets/authorized_keys
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
- name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
run: |
set -euo pipefail
mkdir -p /opt/config
mkdir -p /opt/livebuild
touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
- name: 🔧 Render live hook with secrets.
shell: bash
working-directory: ${{ github.workspace }}
env:
ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }}
run: |
set -Ceuo pipefail
umask 077
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
if [[ ! -f "${TPL}" ]]; then
echo "Template not found: ${TPL}"
echo "::group::Tree of config/hooks/live"
ls -la "${REPO_ROOT}/config/hooks/live" || true
echo "::endgroup::"
exit 2
fi
export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
export ED25519_PUB="${ED25519_PUB//$'\r'/}"
export RSA_PRIV="${RSA_PRIV//$'\r'/}"
export RSA_PUB="${RSA_PUB//$'\r'/}"
export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
(
cat << EOF >| "${ID_OUT}"
${CISS_PRIMORDIAL}
EOF
) && chmod 0600 "${ID_OUT}"
if [[ -f "${ID_OUT}" ]]; then
echo "Written: ${ID_OUT}"
else
echo "Error: ${ID_OUT} not written."
fi
(
cat << EOF >| "${ID_OUT_PUB}"
${CISS_PRIMORDIAL_PUB}
EOF
) && chmod 0600 "${ID_OUT_PUB}"
if [[ -f "${ID_OUT_PUB}" ]]; then
echo "Written: ${ID_OUT_PUB}"
else
echo "Error: ${ID_OUT_PUB} not written."
fi
perl -0777 -pe '
BEGIN{
$ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
$rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB};
}
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
' "${TPL}" > "${OUT}"
chmod 0755 "${OUT}"
perl -0777 -i -pe '
BEGIN {
our $age = $ENV{CISS_PHYS_AGE} // q{};
}
s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
' -- "${SOPS}"
chmod 0755 "${SOPS}"
echo "Hook rendered: ${OUT}"
- name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
shell: bash
working-directory: ${{ github.workspace }}
run: |
set -euo pipefail
chmod 0755 ciss_live_builder.sh
chmod 0700 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
./ciss_live_builder.sh \
--autobuild=6.16.3+deb13-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--build-directory /opt/cdlb \
--cdi \
--control "${timestamp}" \
--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
--root-password-file /opt/config/password.txt \
--root-password-file /dev/shm/cdlb_secrets/password.txt \
--signing_key=signing_key.asc \
--signing_key_fpr="${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }}" \
--signing_key_pass=signing_key_pass.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /opt/config \
--ssh-pubkey /dev/shm/cdlb_secrets \
--sshfp \
--trixie
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "$OUT"
echo "Hook removed: $OUT"
OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "${OUT}"
echo "Hook removed: ${OUT}"
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
shell: bash
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
@@ -263,83 +220,106 @@ jobs:
SHARE_SUBDIR=""
echo "📥 Get directory listing via PROPFIND ..."
curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X PROPFIND \
-H "Depth: 1" \
"${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-o propfind_public.xml
echo "📥 Filter .iso files from the PROPFIND response ..."
grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
echo "💡 Old ISO files found and deleted :"
while IFS= read -r href; do
FILE_URL="${NC_BASE}${href}"
echo " Delete: ${FILE_URL}"
if curl -s \
--user "${SHARE_TOKEN}:${SHARE_PASS}" \
-X DELETE "${FILE_URL}"; then
if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
echo " ✅ Successfully deleted: $(basename "${href}")"
else
echo " ❌ Error: $(basename "${href}") could not be deleted"
fi
done < public_iso_list.txt
else
echo "💡 No old ISO files found to delete."
fi
- name: 🛠 Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
shell: bash
- name: Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
env:
NC_BASE: "https://cloud.e2ee.li"
SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
run: |
set -euo pipefail
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
--upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
echo "✅ New ISO successfully uploaded."
else
echo "❌ Uploading the new ISO failed."
exit 1
fi
- name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
shell: bash
run: |
if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
echo "❌ There must be exactly one .iso file in the directory!"
exit 1
else
VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
fi
VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
touch "${VAR_ISO_FILE_SHA512}"
sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
touch "${SIGNATURE_FILE}"
export GNUPGHOME="$(pwd)/.gnupg"
gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
VAR_DATE="$(date +%F)"
PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
touch "${PRIVATE_FILE}"
cat << EOF >| "${PRIVATE_FILE}"
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -365,7 +345,6 @@ jobs:
EOF
- name: 🚧 Stash local changes (including untracked).
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -374,12 +353,10 @@ jobs:
git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
- name: 🔄 Sync with remote before commit using merge strategy.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
echo "🔄 Fetching origin/master ..."
git fetch origin master
@@ -391,8 +368,7 @@ jobs:
git status
git log --oneline -n 5
- name: 🛠️ Restore stashed changes.
shell: bash
- name: 🔧 Restore stashed changes.
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -401,7 +377,6 @@ jobs:
git stash pop || echo "✔️ Nothing to pop."
- name: 📦 Stage generated files.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
@@ -410,16 +385,17 @@ jobs:
git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
- name: 🔑 Commit and sign changes with CI metadata.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |
set -euo pipefail
export GNUPGHOME="$(pwd)/.gnupg"
if git diff --cached --quiet; then
echo "✔️ No staged changes to commit."
else
echo "📝 Committing changes with GPG signature ..."
### CI Metadata
@@ -427,7 +403,7 @@ jobs:
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
@@ -443,10 +419,10 @@ jobs:
echo "🔏 Commit message :"
echo "${COMMIT_MSG}"
git commit -S -m "${COMMIT_MSG}"
fi
- name: 🔁 Push back to repository.
shell: bash
env:
GIT_SSH_COMMAND: "ssh -p 42842"
run: |

10
.gitea/workflows/linter_char_scripts.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
# Gitea Workflow: Shell-Script Linting
#
@@ -49,11 +49,11 @@ jobs:
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -64,7 +64,7 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -316,7 +316,7 @@ jobs:
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

10
.gitea/workflows/render-dnssec-status.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -41,11 +41,11 @@ jobs:
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -56,7 +56,7 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -193,7 +193,7 @@ jobs:
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci]

10
.gitea/workflows/render-dot-to-png.yaml
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
name: 🔁 Render Graphviz Diagrams.
@@ -42,11 +42,11 @@ jobs:
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
chmod 0600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
@@ -57,7 +57,7 @@ jobs:
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
chmod 0600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
@@ -186,7 +186,7 @@ jobs:
HOSTNAME="$(hostname -f || hostname)"
GIT_SHA="$(git rev-parse --short HEAD)"
GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
COMMIT_MSG="DEPLOY BOT : 🔁 Auto-Generate PNG from *.dot. [skip ci]

21
.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc Normal file
View File

@@ -0,0 +1,21 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6
y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ
TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP
RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF
P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex
AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU
BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF
gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI
5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg
eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ
M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco
PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB
CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp
DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc
pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM
ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA=
=Q67G
-----END PGP PUBLIC KEY BLOCK-----

2
.version.properties
View File

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.13.296.2025.10.29"
properties_version="V8.13.384.2025.11.06"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

2
CISS.debian.live.builder.spdx
View File

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
PackageVersion: Master V8.13.296.2025.10.29
PackageVersion: Master V8.13.384.2025.11.06
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

8
README.md
View File

@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.296.2025.10.29-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.384.2025.11.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.13.296.2025.10.29`
Example: `V8.13.384.2025.11.06`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -533,7 +533,7 @@ preview it or run it.
### Private Key
echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/id_ed25519
#...
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.

4
REPOSITORY.md
View File

@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
**Repository State:** Master Version **8.13**, Build **V8.13.296.2025.10.29** (as of 2025-10-11)
**Repository State:** Master Version **8.13**, Build **V8.13.384.2025.11.06** (as of 2025-10-11)
## 2.2. Top-Level Layout

130
ciss_live_builder.sh
View File

@@ -22,23 +22,19 @@
### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
# shellcheck disable=SC2155
declare -agx ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array.
declare -girx VAR_START_TIME="${SECONDS}" # Start time of script execution.
declare -grx VAR_PARAM_COUNT="$#" # Arguments passed to script.
declare -grx VAR_PARAM_STRNG="$*" # Arguments passed to script as string.
declare -ag ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array.
declare -grx VAR_SETUP_FILE="${0##*/}" # 'ciss_debian_live_builder.sh'
declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/opt/git/CISS.debian.live.builder'
declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
# shellcheck disable=SC2155
declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
# shellcheck disable=SC2155
declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/root/git/CISS.debian.live.builder'
declare -grx VAR_TMP_SECRET="/dev/shm/cdlb_secrets" # Fixed tmpfs path to store securely build artifacts.
declare -grx VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")" # '/root/git/CISS.debian.live.builder'
### PRELIMINARY CHECKS.
### No ash, dash, ksh, sh.
# shellcheck disable=2292
# shellcheck disable=SC2292
[ -z "${BASH_VERSINFO[0]}" ] && {
. ./var/global.var.sh
printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
@@ -60,7 +56,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
}
### Check to be not called by sh.
# shellcheck disable=2312
# shellcheck disable=SC2312
[[ $(kill -l | grep -c SIG) -eq 0 ]] && {
. ./var/global.var.sh
printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
@@ -95,30 +91,29 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
exit 1
}
### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT().
. ./var/early.var.sh
. ./lib/lib_guard_sourcing.sh
. ./lib/lib_source_guard.sh
source_guard "./lib/lib_git_var.sh"
### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh ; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; version; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT
source_guard "./var/bash.var.sh"
check_git
for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
declare -gx VAR_SETUP="true"
### ALL CHECKS DONE. READY TO START THE SCRIPT.
find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/secret" -type f -exec chmod 0400 {} +
declare -grx VAR_SETUP="true"
### SOURCING VARIABLES
### SOURCING VARIABLES.
[[ "${VAR_SETUP}" == true ]] && {
source_guard "./var/bash.var.sh"
source_guard "./var/color.var.sh"
source_guard "./var/global.var.sh"
}
### SOURCING LIBRARIES
### SOURCING LIBRARIES.
[[ "${VAR_SETUP}" == true ]] && {
source_guard "./lib/lib_arg_parser.sh"
source_guard "./lib/lib_arg_priority_check.sh"
@@ -132,19 +127,21 @@ declare -gx VAR_SETUP="true"
source_guard "./lib/lib_check_provider.sh"
source_guard "./lib/lib_check_stats.sh"
source_guard "./lib/lib_check_var.sh"
source_guard "./lib/lib_ciss_upgrades.sh"
source_guard "./lib/lib_ciss_upgrades_boot.sh"
source_guard "./lib/lib_ciss_upgrades_build.sh"
source_guard "./lib/lib_clean_screen.sh"
source_guard "./lib/lib_clean_up.sh"
source_guard "./lib/lib_copy_integrity.sh"
source_guard "./lib/lib_gnupg.sh"
source_guard "./lib/lib_hardening_root_pw.sh"
source_guard "./lib/lib_hardening_ssh.sh"
source_guard "./lib/lib_hardening_ssh_tcp.sh"
source_guard "./lib/lib_hardening_ultra.sh"
source_guard "./lib/lib_helper_ip.sh"
source_guard "./lib/lib_lb_build_start.sh"
source_guard "./lib/lib_lb_config_start.sh"
source_guard "./lib/lib_lb_config_write.sh"
source_guard "./lib/lib_lb_config_write_trixie.sh"
source_guard "./lib/lib_note_target.sh"
source_guard "./lib/lib_primordial.sh"
source_guard "./lib/lib_provider_netcup.sh"
source_guard "./lib/lib_run_analysis.sh"
source_guard "./lib/lib_sanitizer.sh"
@@ -154,7 +151,7 @@ declare -gx VAR_SETUP="true"
source_guard "./lib/lib_usage.sh"
}
### ADVISORY LOCK
### ADVISORY LOCK.
exec 127>/var/lock/ciss_live_builder.lock || {
printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
exit "${ERR_FLOCK_WRTG}"
@@ -165,97 +162,92 @@ if ! flock -x -n 127; then
exit "${ERR_FLOCK_COLL}"
fi
### CHECK FOR AUTOBUILD MODE
### CHECK FOR AUTOBUILD MODE.
for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
### CHECKING REQUIRED PACKAGES
### CHECKING REQUIRED PACKAGES.
check_pkgs
### DIALOG OUTPUT FOR INITIALIZATION
### DIALOG OUTPUT FOR INITIALIZATION.
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
### Following the CISS Bash naming and ordering scheme:
trap 'trap_on_exit "$?"' EXIT
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
arg_check "$@"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
declare -ar ARY_ARG_SANITIZED=("$@")
declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
arg_parser "$@"
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip
### Updating Status of Dialog Gauge Bar
### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
### Turn off Dialog Wrapper
### Turn off the dialog wrapper.
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
### MAIN Program
### MAIN Program ---------------------------------------------------------------------------------------------------------------
arg_priority_check
check_stats
if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
if [[ ! "${VAR_SSHFP}" == "true" ]]; then
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
fi
ciss_upgrades_build
hardening_ssh_tcp
check_hooks
hardening_ssh
ciss_upgrades
### Preparing the build environment.
lb_config_start
if [[ "${VAR_SUITE}" == "bookworm" ]]; then
lb_config_write
rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
else
lb_config_write_trixie
rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
fi
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
hardening_ultra
hardening_root_pw
### Writing the build configuration.
lb_config_write_trixie
### Init GNUPGHOME.
init_gnupg
### Integrate primordial SSH identity files.
init_primordial
### CISS.debian.installer 'GRUB' and 'autostart' generator.
cdi
change_splash
check_dhcp
cdi
provider_netcup
ciss_upgrades_boot
hardening_root_pw
hardening_ultra
note_target
provider_netcup
update_microcode
x_hooks
### Start the build process
set +o errtrace
lb_build_start
set -o errtrace
run_analysis
copy_db
declare -g VAR_SCRIPT_SUCCESS=true
declare -grx VAR_SCRIPT_SUCCESS="true"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

29
config/hooks/live/0000_basic_chroot_setup.chroot
View File

@@ -13,6 +13,9 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155
declare -gx VAR_DATE="$(date +%F)"
#######################################
# Generates '/etc/default/ciss-xdg-profile'
# Globals:
@@ -23,9 +26,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
# 0: on success
#######################################
generate_ciss_xdg_profile() {
cat << 'EOF' >> /etc/default/ciss-xdg-profile
cat << EOF >> /etc/default/ciss-xdg-profile
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -63,10 +66,10 @@ readonly -f generate_ciss_xdg_profile
# 0: on success
#######################################
generate_ciss_xdg_sh() {
cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
cat << EOF >| /etc/profile.d/ciss-xdg.sh
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -76,6 +79,8 @@ generate_ciss_xdg_sh() {
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
EOF
cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
# shellcheck shell=sh
# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
@@ -141,21 +146,23 @@ readonly -f generate_ciss_xdg_sh
# 0: on success
#######################################
generate_ciss_xdg_tmp_sh() {
cat << 'EOF' >> /root/ciss_xdg_tmp.sh
cat << EOF >| /root/ciss_xdg_tmp.sh
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### XDG variables (do not override if already set).
EOF
cat << 'EOF' >> /root/ciss_xdg_tmp.sh
set -a
# shellcheck disable=SC2034
@@ -207,6 +214,12 @@ if [[ -f /root/.architecture ]]; then
fi
if [[ -f /root/.architecture ]]; then
:
fi
mkdir -p /root/.ciss/dlb/{backup,log,private_keys}
chmod 0700 /root/.ciss/dlb/{backup,log,private_keys}

26
config/hooks/live/0001_initramfs_modules.chroot
View File

@@ -58,10 +58,10 @@ export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y intel-microcode amd64-microcode
# shellcheck disable=SC2155
declare nic_driver="$(grep_nic_driver_modules)"
declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -201,9 +201,9 @@ virtio_scsi
EOF
cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -236,9 +236,9 @@ backup_initramfs=no
EOF
cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
cat << EOF >| /etc/initramfs-tools/initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -340,10 +340,10 @@ FSTYPE=auto
EOF
cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
cat << EOF >| /etc/initramfs-tools/hooks/ciss_debian_live_builder
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -353,9 +353,12 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
EOF
cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
set -e
printf "\e[95mStarting: [0001_initramfs_modules.chroot] \n\e[0m"
printf "\e[95mStarting: [ciss_debian_live_builder] \n\e[0m"
PREREQ=""
prereqs() { echo "${PREREQ}"; }
@@ -449,14 +452,15 @@ install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}"
printf "\e[92mSuccessfully executed: [0001_initramfs_modules.chroot] \n\e[0m"
printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
### Regenerate the initramfs for the live system kernel
# TODO: Move to 9999_zzzz.chroot
### Regenerate the initramfs for the live system kernel.
update-initramfs -u -k all -v
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

172
config/hooks/live/0002_verify_checksums.chroot
View File

@@ -1,172 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
target="/usr/lib/live/boot/0030-verify-checksums"
src="$(mktemp)"
if [[ ! -d /usr/lib/live/boot ]]; then
mkdir -p /usr/lib/live/boot
fi
cat << 'EOF' >| "${src}"
#!/bin/sh
# bashsupport disable=BP5007
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of one of the offered checksums, proceed with booting, else panic.
#######################################
# Modified checksum-verification script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# LIVE_VERIFY_CHECKSUMS
# LIVE_VERIFY_CHECKSUMS_DIGESTS
# _CHECKSUM
# _CHECKSUMS
# _DIGEST
# _MOUNTPOINT
# _PARAMETER
# _RETURN
# _TTY
# Arguments:
# 1: ${_PARAMETER}
# Returns:
# 0 : Successful Verification
#######################################
Verify_checksums() {
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
_MOUNTPOINT="${1}"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
_TTY="/dev/tty8"
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
# shellcheck disable=SC2292
if [ -e "${_CHECKSUM}" ]; then
#echo "Found ${_CHECKSUM}..." > "${_TTY}"
printf "Found %s...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
#echo "Checking ${_CHECKSUM}..." > "${_TTY}"
printf "Checking %s...\n" "${_CHECKSUM}"
# Verify checksums
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN="${?}"
# Stop after the first verification
# break 2
else
#echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
printf "Not found /bin/%ssum....\n" "${_DIGEST}"
fi
fi
done
done
log_end_msg
case "${_RETURN}" in
0)
log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*)
panic "Verification failed, $(basename "${_TTY}") for more information."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
# Copy and make executable
install -Dm755 "${src}" "${target}"
rm -f "${src}"
unset target src
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
config/hooks/live/0007_update_logrotate.chroot
View File

@@ -23,10 +23,10 @@ cat << EOF >| "/etc/logrotate.conf"
# Rotate log files daily
daily
# Keep 384 daily worth of backlogs.
# Keep 90 daily worth of backlogs.
rotate 90
# Hard cap: delete rotated logs older than 384 days.
# Hard cap: delete rotated logs older than 90 days.
maxage 90
# Do not rotate the log if it is empty (this overrides the ifempty option).

6
config/hooks/live/0050_activate_root.chroot
View File

@@ -39,13 +39,13 @@ unset hashed_pwd safe_hashed_pwd
cat /etc/shadow
if shred -vfzu -n 5 /root/.pwd; then
if shred -fzu -n 5 /root/.pwd; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
fi

36
config/hooks/live/0870_bashdb.chroot Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
umask 0077
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y texinfo
cd /root/git
git clone https://github.com/Trepan-Debuggers/bashdb.git
cd /root/git/bashdb
./autogen.sh
make
apt-get purge -y texinfo
apt-get autoremove --purge -y
apt-get autoclean -y
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

31
config/hooks/live/9930_hardening_ssh.chroot
View File

@@ -13,26 +13,35 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
}
cd /etc/ssh
rm -rf ssh_host_*key*
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
if [[ -d /root/ssh ]]; then
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli
mv /root/ssh/ssh_host_*key* /etc/ssh
rm -rf /root/ssh
else
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
# shellcheck disable=SC2312
ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
fi
chmod 0600 /etc/ssh/ssh_host_*_key
chown root:root /etc/ssh/ssh_host_*_key
chmod 0644 /etc/ssh/ssh_host_*_key.pub
chown root:root /etc/ssh/ssh_host_*_key.pub
chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli
chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
touch /root/sshfp
ssh-keygen -r @ >| /root/sshfp

93
config/hooks/live/9935_hardening_ssh.chroot.tmpl
View File

@@ -1,93 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
}
cat << 'EOF' >| ssh_host_ed25519_key
{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
EOF
cat << 'EOF' >| ssh_host_ed25519_key.pub
{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
EOF
cat << 'EOF' >| ssh_host_rsa_key
{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
EOF
cat << 'EOF' >| ssh_host_rsa_key.pub
{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
EOF
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli
chmod 0600 /etc/ssh/ssh_host_*_key
chown root:root /etc/ssh/ssh_host_*_key
chmod 0644 /etc/ssh/ssh_host_*_key.pub
chown root:root /etc/ssh/ssh_host_*_key.pub
chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
touch /root/sshfp
ssh-keygen -r @ >| /root/sshfp
###########################################################################################
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
case $- in
*i*)
TMOUT=14400
export TMOUT
readonly TMOUT
;;
esac
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod +x /etc/profile.d/idle-users.sh
mkdir -p /etc/systemd/system/ssh.service.d
cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
[Unit]
After=ufw.service
Requires=ufw.service
EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

3
config/hooks/live/9999_zzzz.chroot
View File

@@ -15,6 +15,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
### Regenerate the initramfs for the live system kernel.
update-initramfs -u -k all -v
### Determine the canonical systemd unit dir inside chroot.
if [[ -d /lib/systemd/system ]]; then

2
config/includes.chroot/etc/ssh/ssh_known_hosts
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

6
config/includes.chroot/etc/ssh/sshd_config
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -48,8 +48,8 @@ MaxAuthTries 3
MaxSessions 2
### Begin randomly dropping new unauthenticated connections after the 2nd attempt,
### with a 64% chance to drop each additional connection, up to a hard limit of 08.
MaxStartups 02:64:08
### Restrict each individual source IP to only 4 unauthenticated connection slot
MaxStartups 16:32:48
### Restrict each individual source IP to only 8 unauthenticated connection slot
### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
PerSourceMaxStartups 8
ClientAliveInterval 300

4
config/includes.chroot/etc/sysctl.d/99_local.hardened
View File

@@ -1,3 +1,5 @@
# bashsupport disable=BP5007
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -9,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.296.2025.10.29
# Version Master V8.13.384.2025.11.06
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/

2
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.296.2025.10.29"
declare -gr VERSION="Master V8.13.384.2025.11.06"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then

2
config/includes.chroot/preseed/preseed.cfg
View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.296.2025.10.29 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.384.2025.11.06 at: 10:18:37.9542

212
config/includes.chroot/usr/lib/live/boot/0030-verify-checksums Normal file
View File

@@ -0,0 +1,212 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
# Arguments:
# 1: _MOUNTPOINT
# Returns:
# 0 : Successful verification
#######################################
Verify_checksums() {
_MOUNTPOINT="${1}"
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
live-boot.verify-checksums-signatures | verify-checksums-signatures)
LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
printf "\n"
CDLB_SCRIPT="$(basename "${0}")"
CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
log_end_msg
printf "\n"
fi
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
_RETURN_PGP="${?}"
else
_RETURN_PGP="na"
fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN_SHA="${?}"
# Stop after the first verification.
break 2
else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
fi
fi
done
done
log_end_msg
case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0)
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
na,0)
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*,0)
panic "Verification of signature file failed while verification of checksum file successful."
;;
na,*)
panic "Verification of checksum file failed."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
config/package-lists/live.list.common.chroot
View File

@@ -129,6 +129,7 @@ sudo
sysstat
systemd-sysv
tar
tmux
tree
tshark
ufw

2
docs/AUDIT_DNSSEC.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. DNSSEC Status

2
docs/AUDIT_HAVEGED.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Haveged Audit on Netcup RS 2000 G11

2
docs/AUDIT_LYNIS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Lynis Audit:

2
docs/AUDIT_SSH.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. SSH Audit by ssh-audit.com

2
docs/AUDIT_TLS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. TLS Audit:
````text

2
docs/BOOTPARAMS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Hardened Kernel Boot Parameters

63
docs/CHANGELOG.md
View File

@@ -8,10 +8,66 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Changelog
## V8.13.384.2025.11.06
* **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
* **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
* **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
* **Added**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [0030-verify-checksums](../scripts/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
* **Changed**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) Rewritten for new secrets handling.
* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + VAR_DATE improvements.
* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + VAR_DATE improvements.
* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet primordial-workflow™.
* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + Final update-initramfs
* **Changed**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + Less strict MaxStartups settings.
* **Changed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux
* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet primordial-workflow™.
* **Changed**: [lib_arg_priority_check.sh](../lib/lib_arg_priority_check.sh) Unified UI.
* **Changed**: [lib_cdi.sh](../lib/lib_cdi.sh) + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures
* **Changed**: [lib_change_splash.sh](../lib/lib_change_splash.sh) Unified UI.
* **Changed**: [lib_check_dhcp.sh](../lib/lib_check_dhcp.sh) Unified UI.
* **Changed**: [lib_check_hooks.sh](../lib/lib_check_hooks.sh) Unified UI.
* **Changed**: [lib_check_kernel.sh](../lib/lib_check_kernel.sh) Minor declare unification.
* **Changed**: [lib_check_pkgs.sh](../lib/lib_check_pkgs.sh) Improved command checks. Unified UI.
* **Changed**: [lib_check_provider.sh](../lib/lib_check_provider.sh) Unified variables.
* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet primordial-workflow™ artifacts.
* **Changed**: [lib_debug.sh](../lib/lib_debug.sh) + Integrated EPOCH in PS4.
* **Changed**: [lib_debug_header.sh](../lib/lib_debug_header.sh) + Integrated SOURCE_DATE_EPOCH.
* **Changed**: [lib_hardening_root_pw.sh](../lib/lib_hardening_root_pw.sh) Unified UI.
* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet primordial-workflow™.
* **Changed**: [lib_hardening_ssh_tcp.sh](../lib/lib_hardening_ssh_tcp.sh) Unified UI.
* **Changed**: [lib_lb_build_start.sh](../lib/lib_lb_build_start.sh) Deterministic return code examination.
* **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Removed potential disown race condition.
* **Changed**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified config writing for deterministic workflow.
* **Changed**: [lib_note_target.sh](../lib/lib_note_target.sh) Unified UI.
* **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh) Added Centurion DNS Server 03.
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + PGP signature verification.
* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + mksquashfs-excludes.
* **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration.
* **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration.
* **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation.
* **Removed**: [0002_verify_checksums.chroot](../.archive/0002_verify_checksums.chroot) Unified handling via includes.chroot.
* **Removed**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) Debian bookworm support deprecated.
* **Removed**: [lib_lb_config_write.sh](../.archive/lib_lb_config_write.sh) Debian bookworm support deprecated.
* **Updated**: [icon.lib](../.archive/icon.lib) + Emojis
## V8.13.298.2025.10.30
* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot)
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux
## V8.13.296.2025.10.29
* **Changed**: ``lockdown=confidentiality`` -> ``lockdown=integrity``
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon
@@ -19,7 +75,7 @@ include_toc: true
## V8.13.294.2025.10.28
* **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes
* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades.sh) + modifies '/usr/lib/live/build/...' scripts
* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades_build.sh) + modifies '/usr/lib/live/build/...' scripts
* **Added**: [lib_update_microcode.sh](../lib/lib_update_microcode.sh)
* **Added**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + modifies binary_rootfs script
* **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp
@@ -125,7 +181,7 @@ include_toc: true
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
* **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
@@ -222,7 +278,6 @@ include_toc: true
* **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
* Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
* Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
* **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
* **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
to prevent the caller LIB-file from being sourced twice.

2
docs/CNET.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Centurion Net - Developer Branch Overview

2
docs/CODING_CONVENTION.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Coding Style

2
docs/CONTRIBUTING.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Contributing / participating

2
docs/CREDITS.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Credits

2
docs/DL_PUB_ISO.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Download the latest PUBLIC CISS.debian.live.ISO

6
docs/DOCUMENTATION.md
View File

@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2.1. Usage
````text
CISS.debian.live.builder
Master V8.13.296.2025.10.29
Master V8.13.384.2025.11.06
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact
````text
CISS.debian.live.builder
Master V8.13.296.2025.10.29
Master V8.13.384.2025.11.06
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025

2
docs/REFERENCES.md
View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.296.2025.10.29<br>
**Build**: V8.13.384.2025.11.06<br>
# 2. Resources

87
lib/lib_arg_parser.sh
View File

@@ -33,6 +33,10 @@ guard_sourcing
# VAR_ISO8601
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SIGNER
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
# VAR_SSHFP
# VAR_SSHPORT
# VAR_SSHPUBKEY
@@ -119,7 +123,7 @@ arg_parser() {
printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
exit "${ERR_NOTABSPATH}"
fi
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/cdlb_${VAR_ISO8601}_build.log"
shift 2
;;
@@ -294,20 +298,25 @@ arg_parser() {
--root-password-file)
declare pw_file="${2}"
if [[ -z "${pw_file}" ]]; then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file missing password file path argument.\e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_MISS_PWD_P}"
fi
if [[ ! -f "${pw_file}" ]]; then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_MISS_PWD_F}"
fi
declare owner
@@ -335,32 +344,42 @@ arg_parser() {
fi
declare plaintext_pw
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
### No tracing for security reasons ----------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
if ! IFS= read -r plaintext_pw < "${pw_file}"; then
:
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
### Turn on tracing again --------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
declare pw_length
pw_length=${#plaintext_pw}
if (( pw_length < 20 || pw_length > 64 )); then
if (( pw_length < 42 || pw_length > 64 )); then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
printf "\e[91m❌ Error: --root-password-file password MUST be between 42 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_PASS_LENGH}"
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
### No tracing for security reasons ----------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
if [[ "${plaintext_pw}" == *\"* ]]; then
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_PASS_PLICY}"
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
### Turn on tracing again --------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
declare salt
set +o pipefail
@@ -371,53 +390,81 @@ arg_parser() {
set -o pipefail
declare hash_temp
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
### No tracing for security reasons ----------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
### Turn on tracing again --------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
# shellcheck disable=SC2034
declare -g VAR_HASHED_PWD="${hash_temp}"
unset hash_temp plaintext_pw
sync
if shred -vfzu -n 5 "${pw_file}" > /dev/null 2>&1; then
printf "\e[92m✅ Password file '%s': shred -vfzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1
if shred -fzu -n 5 "${pw_file}" > /dev/null 2>&1; then
printf "\e[92m✅ Password file '%s': shred -fzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1
else
printf "\e[91m❌ Password file '%s': shred -vfzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1
printf "\e[91m❌ Password file '%s': shred -fzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1
fi
sync
shift 2
;;
--signing_key=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNER="true"
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY="${1#*=}"
shift 1
;;
--signing_key_fpr=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY_FPR="${1#*=}"
shift 1
;;
--signing_key_pass=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY_PASS="${1#*=}"
shift 1
;;
--ssh-port)
if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
# shellcheck disable=SC2034
declare -gi VAR_SSHPORT="${2}"
declare -gix VAR_SSHPORT="${2}"
shift 2
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR__SSH__PORT}"
fi
;;
--sshfp)
# shellcheck disable=SC2034
declare -g VAR_SSHFP="true"
# shellcheck disable=SC2034
declare -gx VAR_SSHFP="true"
shift 1
;;
--ssh-pubkey)
# shellcheck disable=SC2034
declare -g VAR_SSHPUBKEY="${2}"
# shellcheck disable=SC2034
declare -gx VAR_SSHPUBKEY="${2}"
shift 2
;;
--trixie)
# shellcheck disable=SC2034
declare -g VAR_SUITE="trixie"
# shellcheck disable=SC2034
declare -gx VAR_SUITE="trixie"
shift 1
;;

13
lib/lib_arg_priority_check.sh
View File

@@ -15,6 +15,7 @@ guard_sourcing
#######################################
# Check and setup Script Priorities
# Globals:
# BASH_SOURCE
# VAR_HANDLER_PRIORITY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
@@ -24,18 +25,18 @@ guard_sourcing
# 0: on success
#######################################
arg_priority_check() {
declare var
declare var=""
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Check if nice PRIORITY is set and adjust nice priority.
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
if command -v renice >/dev/null; then
renice "${VAR_HANDLER_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
# sleep 1
unset var
else
@@ -53,8 +54,6 @@ arg_priority_check() {
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
# sleep 1
unset var
else
@@ -64,6 +63,8 @@ arg_priority_check() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.

11
lib/lib_cdi.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# CISS.debian.installer 'GRUB' and 'Autostart' generator.
# CISS.debian.installer 'GRUB' and 'autostart' generator.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
@@ -30,24 +30,19 @@ cdi() {
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
touch "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin"
fi
cp "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
declare tmp_entry
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
linux /live/vmlinuz-${VAR_KERNEL} boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF

5
lib/lib_change_splash.sh
View File

@@ -15,6 +15,7 @@ guard_sourcing
#######################################
# Change Grub Boot Screen Splash
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_SPLASH
# VAR_WORKDIR
@@ -24,6 +25,8 @@ guard_sourcing
# 0: on success
#######################################
change_splash() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
@@ -42,6 +45,8 @@ change_splash() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.

5
lib/lib_check_dhcp.sh
View File

@@ -15,6 +15,7 @@ guard_sourcing
#######################################
# Check if hardened Centurion DNS servers are desired.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_DHCP
# VAR_WORKDIR
# Arguments:
@@ -23,10 +24,14 @@ guard_sourcing
# 0: on success
#######################################
check_dhcp() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.

18
lib/lib_check_hooks.sh
View File

@@ -13,8 +13,10 @@
guard_sourcing
#######################################
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Check and apply 0755 Permissions on every '"${VAR_HANDLER_BUILD_DIR}"/./config/hooks/live/*.chroot'-file.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_WORKDIR
# Arguments:
# None
@@ -22,11 +24,15 @@ guard_sourcing
# 0: on success
# ERR_UNCRITICAL: on failure
#######################################
check_hooks() {
x_hooks() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare ifs
ifs=$'\n\t'
shopt -s nullglob
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
declare -a files=("${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
@@ -43,9 +49,13 @@ check_hooks() {
done
shopt -u nullglob
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_hooks
readonly -f x_hooks
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

7
lib/lib_check_kernel.sh
View File

@@ -26,12 +26,9 @@ guard_sourcing
#######################################
check_kernel() {
clear
declare -i counter=1
declare first_string=""
declare line=""
declare -gx VAR_KERNEL=""
declare name=""
declare options=""
declare -i counter=1
declare first_string="" line="" name="" options=""
if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then

38
lib/lib_check_pkgs.sh
View File

@@ -14,27 +14,32 @@ guard_sourcing
#######################################
# Check for required Deb Packages to run the script.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_AUTOBUILD
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_pkgs() {
apt-get update > /dev/null 2>&1
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ -z "$(command -v batcat || true)" ]]; then
apt-get update -qq > /dev/null 2>&1
apt-get install -y --no-install-recommends bat
fi
if [[ -z "$(command -v lsb_release || true)" ]]; then
if ! command -v lsb_release >/dev/null 2>&1; then
apt-get install -y --no-install-recommends lsb-release
fi
if [[ -z "$(command -v debootstrap || true)" ]]; then
if ! command -v batcat >/dev/null 2>&1; then
apt-get install -y --no-install-recommends bat
fi
if ! command -v debootstrap >/dev/null 2>&1; then
if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
@@ -50,15 +55,21 @@ check_pkgs() {
fi
if ! command -v gpg >/dev/null 2>&1; then
apt-get install -y --no-install-recommends gnupg gpgv gpg-agent pinentry-curses gnupg-utils
fi
if [[ ! -f /usr/share/live/build/VERSION ]]; then
apt-get install -y live-build
fi
if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
if [[ "${VAR_HANDLER_AUTOBUILD}" == "false" ]]; then
if [[ -z "$(command -v dialog || true)" ]]; then
if ! command -v dialog >/dev/null 2>&1; then
apt-get install -y --no-install-recommends dialog
@@ -66,16 +77,13 @@ check_pkgs() {
fi
if [[ -z "$(command -v mkpasswd || true)" ]]; then
if ! command -v mkpasswd >/dev/null 2>&1; then
apt-get install -y --no-install-recommends whois
fi
# shellcheck disable=SC2034,SC2155
declare -gr VAR_LB_VER="$(lb -v)"
# shellcheck disable=SC2034,SC2155
declare -gr VAR_DS_VER="$(debootstrap --version)"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}

4
lib/lib_check_provider.sh
View File

@@ -14,6 +14,10 @@ guard_sourcing
#######################################
# Notes Textbox.
# Globals:
# VAR_GIT_REL
# VAR_NOTES
# VAR_VERSION
# Arguments:
# None
# Returns:

7
lib/lib_check_var.sh
View File

@@ -17,9 +17,10 @@ guard_sourcing
# Globals:
# ERR_UNBOUNDVAR
# Arguments:
# $1: VAR_NAME to check
# 1: VAR_NAME to check
# Returns:
# {ERR_UNBOUNDVAR: on failure
# 0: on success
# ERR_UNBOUNDVAR: on failure
#######################################
check_var() {
declare var_name_to_check="$1"
@@ -43,6 +44,8 @@ check_var() {
return "${ERR_UNBOUNDVAR}"
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034

50
lib/lib_ciss_upgrades_boot.sh Normal file
View File

@@ -0,0 +1,50 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Integrates primordial SSH identity- and / or ssh_host-files.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASSFILE
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_upgrades_boot() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Updates '/usr/lib/live/boot/0030-verify-checksums'.
install -D -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512"
declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512.sig"
declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
sha512sum "${var_fil}" >| "${var_sha}"
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
--detach-sign --output "${var_sig}" "${var_sha}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_upgrades_boot
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
lib/lib_ciss_upgrades.sh → lib/lib_ciss_upgrades_build.sh
View File

@@ -13,19 +13,30 @@
guard_sourcing
#######################################
# Wrapper to update '/usr/lib/live/build/...' scripts.
# Module to update '/usr/lib/live/build/...' scripts.
# Globals:
# SCRIPT_BASEPATH
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# BASH_SOURCE
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_upgrades() {
ciss_upgrades_build() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### CISS signing binary-checksums override.
if [[ ! -e /usr/lib/live/build/binary_checksums.original ]]; then
cp /usr/lib/live/build/binary_checksums /usr/lib/live/build/binary_checksums.original
chmod 0444 /usr/lib/live/build/binary_checksums.original
fi
rm -f /usr/lib/live/build/binary_checksums
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_checksums.sh" /usr/lib/live/build/binary_checksums
### https://wiki.debian.org/ReproducibleInstalls/LiveImages
### https://reproducible-builds.org/docs/system-images/
### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then
cp /usr/lib/live/build/binary_rootfs /usr/lib/live/build/binary_rootfs.original
chmod 0444 /usr/lib/live/build/binary_rootfs.original
@@ -40,5 +51,5 @@ ciss_upgrades() {
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_upgrades
readonly -f ciss_upgrades_build
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
lib/lib_clean_up.sh
View File

@@ -13,33 +13,88 @@
guard_sourcing
#######################################
# Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
# Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
# Globals:
# VAR_CDLB_INSIDE_RUNNER
# GNUPGHOME
# LOG_ERROR
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL_INF
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# VAR_NOTES
# VAR_WORKDIR
# Arguments:
# 1 : ${trap_on_exit_code} of trap_on_exit()
# Returns:
# 0: on success
#######################################
clean_up() {
declare clean_exit_code="$1"
declare clean_exit_code="$1" fs_type=""
shopt -s nullglob dotglob
rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}"
rm -f -- "${VAR_NOTES}"
# Release advisory lock on FD 127.
flock -u 127
# Close file descriptor 127.
exec 127>&-
# Remove the lockfile artifact.
rm -f /run/lock/ciss_live_builder.lock
# Removes the error log on clean exit.
if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
# Cleaning TCP wrapper artifacts.
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
rm -f "${VAR_WORKDIR}/hosts.allow"
fi
if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then
rm -f "${VAR_WORKDIR}/hosts.deny"
fi
# Kill gpg-agent and remove artifacts securely.
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" && "${GNUPGHOME}" == /dev/shm/cdlb_*_gnupg ]]; then
gpgconf --kill gpg-agent >/dev/null 2>&1 || true
fs_type="$(stat -f -c %T "${GNUPGHOME}" 2>/dev/null || echo "GNUPGHOME: unknown fs.")"
if [[ "${fs_type}" == "tmpfs" || "${fs_type}" == "ramfs" ]]; then
rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true
else
chmod -R u+rwX "${GNUPGHOME}" >/dev/null 2>&1 || true
find "${GNUPGHOME}" -type f -exec shred -fuz -n 2 -- {} + 2>/dev/null || true
find "${GNUPGHOME}" \( -type s -o -type p -o -type l \) -delete 2>/dev/null || true
rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true
fi
fi
fi
# Removes secrets securely.
# shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 -- no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
shopt -u nullglob dotglob
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f clean_up
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

11
lib/lib_contact.sh
View File

@@ -13,9 +13,11 @@
#######################################
# Contact Wrapper CISS.debian.live.builder
# Globals:
# none
# None
# Arguments:
# none
# None
# Returns:
# 0: on success
#######################################
contact() {
clear
@@ -38,5 +40,10 @@ $(echo -e "\e[95m 🌐 https://coresecret.eu/spenden/ \e[0m")
$(echo -e "\e[97m################################################################################ \e[0m")
EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f contact
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

15
lib/lib_copy_integrity.sh
View File

@@ -18,23 +18,28 @@ guard_sourcing
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# None
# Returns:
# 0 : Aide Init DB copying successful.
# 0 : on success
#######################################
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f copy_db
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

34
lib/lib_debug.sh
View File

@@ -13,47 +13,63 @@
guard_sourcing
#######################################
# Debugger Wrapper for xtrace to Debug Log
# Debugger module for xtrace to debug log.
# Globals:
# BASH_SOURCE
# BASH_XTRACEFD
# LOG_DEBUG
# LOG_VAR
# PS4
# SHELLOPTS
# VAR_DUMP_VARS_INITIAL
# VAR_EARLY_DEBUG
# var
# VAR_ISO8601
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
debugger() {
### Capture an initial snapshot of all variables (excluding '^(BASH|_).*')
# shellcheck disable=SC2155
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
# shellcheck disable=SC2312
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${VAR_DUMP_VARS_INITIAL}"
declare -gx VAR_EARLY_DEBUG="true"
### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
declare -grx LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
declare -grx PS4='\e[97m+\e[96m[${EPOCHREALTIME}]\e[97m:\e[94m[$$]\e[97m:\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[97m:\e[93m[${?}]\e[97m:\e[95m[${FUNCNAME[0]:-main}()]\e[97m>>\e[0m '
declare -grx LOG_DEBUG="/tmp/cdlb_${VAR_ISO8601}_debug.log"
declare -grx LOG_VAR="/tmp/cdlb_${VAR_ISO8601}_var.log"
### Generates empty LOG_DEBUG and LOG_VAR
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
### Open file descriptor 42 for writing to the debug log
exec 42>| "${LOG_DEBUG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_header "$#" "$*"
### Tell Bash to send xtrace output to FD 42
export BASH_XTRACEFD=42
### Enable inheritable shell options
export SHELLOPTS
### Turn on xtrace
set -x
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f debugger
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

17
lib/lib_debug_header.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# Generates Debug Log Header
# Generates the debug log header.
# Globals:
# BASHOPTS
# BASH_VERSINFO
@@ -22,21 +22,27 @@ guard_sourcing
# HOSTNAME
# PPID
# PWD
# SHELLOPTS
# SOURCE_DATE_EPOCH
# UID
# VAR_GIT_REL
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
# $2: Argument String $*
# 0: Script Name $0
# 1: Argument Counter $#
# 2: Argument String $*
#######################################
debug_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
# shellcheck disable=SC2312
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: Git Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_REL}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Source Date Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SOURCE_DATE_EPOCH}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
@@ -58,4 +64,7 @@ debug_header() {
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >&42
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f debug_header
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
lib/lib_git_var.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Define Git Repo related Variables.
# Globals:
# VAR_GIT_HEAD
# VAR_GIT_REL
# VAR_GIT_REL_DATE
# VAR_GIT_REL_DATE_TIME
# VAR_GIT_REL_SHORT
# Arguments:
# None
#######################################
check_git() {
# shellcheck disable=SC2155
if git rev-parse --is-inside-work-tree &>/dev/null; then
declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

87
lib/lib_gnupg.sh Normal file
View File

@@ -0,0 +1,87 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Init GNUPGHOME.
# Globals:
# BASH_SOURCE
# GNUPGHOME
# VAR_CDLB_INSIDE_RUNNER
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_ISO8601
# VAR_SIGNER
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
# VAR_SIGNING_KEY_PASSFILE
# VAR_TMP_SECRET
# VAR_VERIFY_KEYRING
# Arguments:
# None
# Returns:
# 0: on success
#######################################
init_gnupg() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_SIGNER}" == "true" ]]; then
__umask=$(umask)
umask 0077
### Avoid collision with Gitea runner workflows.
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
declare -grx GNUPGHOME="/dev/shm/cdlb_${VAR_ISO8601}_gnupg"
# shellcheck disable=SC2174
mkdir -p -m 0700 "${GNUPGHOME}"
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
gpgconf --reload gpg-agent || true
fi
gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx"
declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}"
### No tracing for security reasons ------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
declare __pw=""
__pw="$(<"${VAR_SIGNING_KEY_PASSFILE}")"; __pw="${__pw%$'\r'}"; printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}"
__pw="" && unset __pw
### Turn on tracing again ----------------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
umask "${__umask}"
__umask=""
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f init_gnupg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

8
lib/lib_guard_sourcing.sh
View File

@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Prevent the caller LIB-file from being sourced twice.
# Prevents the caller LIB-file from being sourced twice.
# Derive a safe guard-variable name from the caller script filename.
# Globals:
# BASH_SOURCE
# Arguments:
# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# 1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# Returns:
# 0: Returns '0' in both cases as they are intended to be successful.
#######################################
@@ -37,6 +37,10 @@ guard_sourcing() {
### Mark as loaded (readonly + exported)
declare -grx "${var_guard_var}"=1
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f guard_sourcing
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
lib/lib_hardening_root_pw.sh
View File

@@ -15,18 +15,22 @@ guard_sourcing
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# None
# Returns:
# 0: In case no root password is desired.
# 0: on success
#######################################
hardening_root_pw() {
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
return 0
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
@@ -79,5 +83,12 @@ EOF
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_root_pw
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

43
lib/lib_hardening_ssh.sh → lib/lib_hardening_ssh_tcp.sh
View File

@@ -13,17 +13,33 @@
guard_sourcing
#######################################
# SSH Hardening Ultra via TCP Wrapper
# SSH hardening via TCP wrapper.
# Globals:
# ARY_HANDLER_JUMPHOST
# BASH_SOURCE
# VAR_WORKDIR
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
hardening_ssh() {
hardening_ssh_tcp() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -37,9 +53,20 @@ hardening_ssh() {
EOF
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
printf 'sshd: %s\n\n# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -59,7 +86,15 @@ EOF
ALL: ALL
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_ssh_tcp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

162
lib/lib_hardening_ultra.sh
View File

@@ -13,24 +13,29 @@
guard_sourcing
#######################################
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# BASH_SOURCE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHFP
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_ultra() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
### ./config/bootloaders
### ./config/bootloaders -----------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
@@ -47,7 +52,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
### ./config/includes.binary
### ./config/includes.binary -------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
@@ -64,7 +69,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
### ./config/includes.chroot
### ./config/includes.chroot -------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
@@ -85,7 +90,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
### ./config/hooks/early
### ./config/hooks/early -----------------------------------------------------------------------------------------------------
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
@@ -106,7 +111,7 @@ hardening_ultra() {
fi
### ./config/hooks/live
### ./config/hooks/live ------------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
@@ -123,7 +128,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
### ./config/package-lists ---------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
@@ -167,150 +172,82 @@ hardening_ultra() {
}
print
}
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" >| temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
### Updating SSH Keys, Ports.
### Updating SSH Keys, Ports -------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
### Check for static SSHFP key material via Gitea Actions Runner Secrets injection.
if [[ "${VAR_SSHFP}" == "true" ]]; then
### ./config/includes.chroot/root/.ssh ---------------------------------------------------------------------------------------
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
declare -r sshport="${VAR_SSHPORT:-22}"
else
### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155
declare pad="$(printf '%-29s' 'Port')"
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
### /config/hooks/live/9950_hardening_fail2ban.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
fi
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
### /config/includes.chroot/root/.ssh
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155
declare pad="$(printf '%-29s' 'Port')"
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
declare line
### /config/hooks/live/9950_hardening_fail2ban.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
if [[ -z "${line}" ]]; then
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
else
declare host
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
declare -r sshport="${VAR_SSHPORT:-22}"
((line++))
### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155
declare pad="$(printf '%-29s' 'Port')"
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
### /config/hooks/live/9950_hardening_fail2ban.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done
fi
done
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
### /config/includes.chroot/etc/hosts.allow
### ./config/includes.chroot/etc/hosts. --------------------------------------------------------------------------------------
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
mv "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
mv "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
### /config/hooks/live/9950_hardening_fail2ban.chroot
### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
@@ -338,5 +275,12 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_ultra
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

16
lib/lib_helper_ip.sh
View File

@@ -13,26 +13,32 @@
guard_sourcing
#######################################
# IP Notation cleaner for pure IP output only
# IP notation cleaner for pure IP output only.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
clean_ip() {
declare host
declare stripped
declare host="" stripped=""
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
# Skip if it contains a slash (CIDR range)
if [[ ${stripped} == */* ]]; then
if [[ ${stripped} == */* ]]; then
continue
fi
# Directly append, no duplicate check
# shellcheck disable=SC2034
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f clean_ip
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

14
lib/lib_lb_build_start.sh
View File

@@ -15,7 +15,7 @@ guard_sourcing
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# SCRIPT_BASEPATH
# VAR_WORKDIR
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
@@ -25,23 +25,29 @@ guard_sourcing
# ERR_UNCRITICAL: on failure
#######################################
lb_build_start() {
declare -i var_build_rc=""
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# shellcheck disable=SC2164
cd "${SCRIPT_BASEPATH}"
cd "${VAR_WORKDIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2312
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"
var_build_rc=${PIPESTATUS[0]}
if [[ "${var_build_rc}" -eq 0 ]]; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
exit "${var_build_rc}"
fi

44
lib/lib_lb_config_start.sh
View File

@@ -15,12 +15,15 @@ guard_sourcing
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# 0: Script-name
# None
# Returns:
# 0: on success
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
@@ -36,30 +39,27 @@ lb_config_start() {
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
else
if [[ -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
rm -f ./config/binary
rm -f ./config/bootstrap
rm -f ./config/chroot
rm -f ./config/common
rm -f ./config/source
rm -f ./*.{contents,files,iso,bz2,packages}
# Start lb clean in a completely detached shell
bash -c "lb clean && lb clean --binary --cache" &
disown
sleep 1
lb clean --binary --cache --purge --source
if [[ "${PWD}" == "${VAR_HANDLER_BUILD_DIR}" && "${PWD}" != "/" && -n "${PWD}" ]]; then
rm -rf -- ./* ./.??*
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f lb_config_start
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

35
lib/lib_lb_config_write_trixie.sh
View File

@@ -15,18 +15,19 @@ guard_sourcing
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# BASH_SOURCE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_ISO_COUNTER
# VAR_KERNEL
# VAR_VERSION
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
lb_config_write_trixie() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
@@ -41,10 +42,10 @@ lb_config_write_trixie() {
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--checksums sha512 sha384 sha256 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
@@ -104,33 +105,10 @@ lb_config_write_trixie() {
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/' ./config/binary
### Update 0030-verify-checksums
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
### Installing PGP Public Keys for signature verification.
#mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
#install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
#install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
#### Installing PGP Private Deploy Key for signature creation
#mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys"
#cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys/"
#{{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
#EOF
#if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
# : >| /root/.config/sops/age/keys.txt
#fi
#chmod 0400 /root/.config/sops/age/keys.txt
### https://wiki.debian.org/ReproducibleInstalls/LiveImages
### https://reproducible-builds.org/docs/system-images/
@@ -156,6 +134,7 @@ EOF
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}

11
lib/lib_note_target.sh
View File

@@ -13,6 +13,15 @@
#######################################
# Version file generator for '/root/cdlb.txt' of Live ISO.
# Globals:
# BASH_SOURCE
# SOURCE_DATE_EPOCH
# VAR_BASH_VER
# VAR_DATE_INFO
# VAR_DS_VER
# VAR_GIT_REL
# VAR_HANDLER_BUILD_DIR
# VAR_HOST
# VAR_LB_VER
# VAR_VERSION
# Arguments:
# None
@@ -31,6 +40,7 @@ note_target() {
Version : ${VAR_VERSION}
Git : ${VAR_GIT_REL}
Epoch : ${SOURCE_DATE_EPOCH}
Date : ${VAR_DATE_INFO}
Host : ${VAR_HOST}
Bash : ${VAR_BASH_VER}
@@ -63,6 +73,7 @@ export CDLB_CR_HOST="${VAR_HOST}"
export CDLB_BASHVER="${VAR_BASH_VER}"
export CDLB_DS_VER="${VAR_DS_VER}"
export CDLB_LB_VER="${VAR_LB_VER}"
export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
EOF
chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"

63
lib/lib_primordial.sh Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Integrate primordial SSH identity files.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHFP
# VAR_TMP_SECRET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
init_primordial() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"*
fi
if compgen -G "${VAR_TMP_SECRET}/ssh_host_*" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"*
fi
else
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/id"*
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh"
install -m 0600 "${VAR_TMP_SECRET}/ssh_host_"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/ssh_host_"*
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f init_primordial
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
lib/lib_provider_netcup.sh
View File

@@ -13,12 +13,21 @@
guard_sourcing
#######################################
# Notes Textbox
# Module for Netcup static IPv6 address.
# Globals:
# ARY_HANDLER_NETCUP_IPV6
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_NETCUP_IPV6
# VAR_WORKDIR
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
provider_netcup() {
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
@@ -29,19 +38,25 @@ provider_netcup() {
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
### dns01.eddns.eu dns02.eddns.de
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53
### dns01.eddns.eu dns02.eddns.de dns03.eddns.eu
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53 2a01:4f8:c013:8011:138:199:237:109
gateway fe80::1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f provider_netcup
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
lib/lib_trap_on_err.sh
View File

@@ -138,7 +138,9 @@ readonly -f print_scr_err
# ERRFUNC
# ERRLINE
# ERRSCRT
# ERRTRAP
# VAR_EARLY_DEBUG
# VAR_HANDLER_AUTOBUILD
# Arguments:
# 1: $?
# 2: ${BASH_SOURCE[0]}

98
lib/lib_usage.sh
View File

@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V8.13.296.2025.10.29 2025-10-07 CLB(1)" "${var_cols}")
declare var_footer=$(center "V8.13.384.2025.11.06 2025-11-07 CLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V8.13.296.2025.10.29\e[0m"
echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -57,70 +57,64 @@ usage() {
echo " What you're looking at."
echo
echo -e "\e[97m --autobuild=*, -a=* \e[0m"
echo " Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
echo " selector dialog. Change '*' to your desired Linux kernel and trim the"
echo " 'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
echo " Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel selector dialog."
echo " Change '*' to your desired Linux kernel and trim the 'linux-image-' string to select a specific kernel,"
echo " e.g. '--autobuild=6.12.30+bpo-amd64'."
echo
echo -e "\e[97m --architecture <STRING> one of <amd64 | arm64> \e[0m"
echo " A string reflecting the architecture of the Live System."
echo " MUST be provided."
echo
echo -e "\e[97m --build-directory </path/to/build_directory> \e[0m"
echo " RECOMMENDED path: </opt/cdlb>"
echo " Where the Debian Live Build Image should be generated."
echo " MUST be provided."
echo
echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m"
echo " A string reflecting the Grub Boot Screen Splash you want to use."
echo " If omitted defaults to './.archive/background/club.png'."
echo " A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:"
echo " <./.archive/background/club.png>"
echo
echo -e "\e[97m --cdi (Experimental Feature)\e[0m"
echo " This option generates a boot menu entry to start the forthcoming"
echo " 'CISS.debian.installer', which will be executed after"
echo " the system has successfully booted up."
echo " This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
echo " once the system has successfully booted up."
echo
echo -e "\e[97m --contact, -c\ e[0m"
echo " Show author contact information."
echo
echo -e "\e[97m --control <INTEGER>\e[0m"
echo " An integer that reflects the version of your Live ISO Image."
echo -e "\e[97m --control <STRING>\e[0m"
echo " A string, that reflects the version of your Live ISO Image."
echo " MUST be provided."
echo
echo -e "\e[97m --debug, -d \e[0m"
echo " Enables debug logging for the main program routine. Detailed logging"
echo " information are written to '/tmp/ciss_live_builder_$$.log'."
echo " Enables debug logging for the main program routine. Detailed logging information are written to:"
echo " </tmp/ciss_live_builder_$$.log>"
echo
echo -e "\e[97m --dhcp-centurion \e[0m"
echo " If a DHCP lease is provided, the provider's nameserver will be overridden,"
echo " and only the hardened, privacy-focused Centurion DNS servers will be used:"
echo " If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused "
echo " Centurion DNS servers will be used instead:"
echo " - https://dns01.eddns.eu/"
echo " - https://dns02.eddns.de/"
echo " - https://dns03.eddns.eu/"
echo
echo -e "\e[97m --jump-host <IP | IP | ... > \e[0m"
echo " Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
echo " Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
echo " If provided, than it MUST be a <SPACE> separated list."
echo " Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
echo " addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
echo " IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
echo
echo -e "\e[97m --log-statistics-only\e[0m"
echo " Provides statistic only after successful building a"
echo " CISS.debian.live-ISO. While enabling '--log-statistics-only'"
echo " the argument '--build-directory' MUST be provided while"
echo " all further options MUST be omitted."
echo " Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
echo " the argument '--build-directory' MUST be provided."
echo
echo -e "\e[97m --provider-netcup-ipv6 \e[0m"
echo " Activates IPv6 support for Netcup Root Server. One unique"
echo " IPv6 address MUST be provided in this case and MUST be encapsulated"
echo " with [], e.g., [1234::abcd]."
echo " Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be"
echo " encapsulated with [], e.g., [1234::abcd]."
echo
echo -e "\e[97m --renice-priority <PRIORITY> \e[0m"
echo " Reset the nice priority value of the script and all its children"
echo " to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
echo " Negative (higher) values MUST be enclosed in double quotes '\"'."
echo " Reset the nice priority value of the script and all its children to the desired <PRIORITY>. MUST be an integer"
echo " between '-19' and 19. Negative (higher) values MUST be enclosed in double quotes '\"'."
echo
echo -e "\e[97m --reionice-priority <CLASS> <PRIORITY> \e[0m"
echo " Reset the ionice priority value of the script and all its children"
echo " to the desired <CLASS>. MUST be an integer:"
echo " Reset the ionice priority value of the script and all its children to the desired <CLASS>. MUST be an integer:"
echo " 1: realtime"
echo " 2: best-effort"
echo " 3: idle"
@@ -129,31 +123,39 @@ usage() {
echo " 0: highest priority and"
echo " 7: lowest priority."
echo " Defaults to '4'."
echo " A real-time I/O process can significantly slow down other processes"
echo " or even cause them to starve if it continuously requests I/O."
echo " A real-time I/O process can significantly slow down other processes or even cause them to starve if it"
echo " continuously requests I/O."
echo
echo -e "\e[97m --root-password-file </path/to/password.txt> \e[0m"
echo " Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
echo " and MUST NOT contain the special character '\"'."
echo " If the argument is omitted, no further login authentication is required for"
echo " the local console. The root password is hashed with an 16 Byte '/dev/random'"
echo " generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
echo " after Hash generation all Variables containing plain password fragments are"
echo " deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
echo " further prompt after password hash has been successfully generated via:"
echo " 'shred -vfzu 5 -f'."
echo " 'No tracing of any plain text password fragment in any debug log."
echo -e "\e[97m --root-password-file </dev/shm/cdlb_secrets/password.txt>> \e[0m"
echo " Password file for 'root', if given, MUST be a string of 42 to 64 characters."
echo " If the argument is omitted, no further login authentication is required for the local console."
echo " MUST be placed in:"
echo " </dev/shm/cdlb_secrets/password.txt>"
echo
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=* \e[0m"
echo " The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
echo " specified via '--signing_key=*'. If the keyring is passphrase protected provide the passphrase in its own file."
echo " Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
echo " Change '*' to your desired files / fingerprint. Files MUST be placed in:"
echo " </dev/shm/cdlb_secrets>"
echo
echo -e "\e[97m --sshfp \e[0m"
echo " Desired SSH id-files that should be incorporated in '/root/.ssh/id*'."
echo " Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'."
echo " The respective id-files and / or host-files MUST be placed in:"
echo " </dev/shm/cdlb_secrets/id*> / </dev/shm/cdlb_secrets/ssh_host_*>"
echo
echo -e "\e[97m --ssh-port <INTEGER> \e[0m"
echo " The desired Port SSH should listen to."
echo " If not provided defaults to Port '22'."
echo
echo -e "\e[97m --ssh-pubkey </path/to/.ssh/> \e[0m"
echo " Imports the SSH Public Key from the FILE 'authorized_keys' of the"
echo " specified PATH into the Live ISO. MUST be provided."
echo -e "\e[97m --ssh-pubkey </dev/shm/cdlb_secrets/> \e[0m"
echo " Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO."
echo " Key file MUST be placed in:"
echo " </dev/shm/cdlb_secrets/authorized_keys>"
echo
echo -e "\e[97m --trixie \e[0m"
echo " Create a Debian Trixie Live ISO."
echo " Creates a Debian Trixie Live ISO. If omitted defaults to 'Trixie'. No other Debian Version is supported."
echo
echo -e "\e[97m --version, -v \e[0m"
echo " Show version of ${0}."

26
lib/lib_version.sh
View File

@@ -11,26 +11,20 @@
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Version Wrapper CISS.debian.live.builder
# Version module 'CISS.debian.live.builder'.
# Globals:
# VAR_BASH_VER
# VAR_GIT_REL
# VAR_HOST
# VAR_VERSION
# VAR_VER_DS
# VAR_VER_LB
# Arguments:
# None
# Returns:
# 0: on success
#######################################
version() {
# shellcheck disable=SC2155
declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
# shellcheck disable=SC2155
declare -r var_lb_ver="$(lb -v)"
# shellcheck disable=SC2155
declare -r var_ds_ver="$(debootstrap --version)"
# shellcheck disable=SC2155
declare -r var_host="$(uname -n)"
# shellcheck disable=SC2155
declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
clear
cat << EOF
$(echo -e "\e[97m################################################################################ \e[0m")
@@ -38,7 +32,7 @@ $(echo -e "\e[92m CISS.debian.live.builder from https://git.coresecret.dev/msw
$(echo -e "\e[92m A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
Version : ${VAR_VERSION}
Git : ${var_repo_ver}
Git : ${VAR_GIT_REL}
$(echo -e "\e[97m This program is free software. Distribution and modification under \e[0m")
$(echo -e "\e[97m EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
@@ -47,9 +41,9 @@ $(echo -e "\e[97m EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OW
$(echo -e "\e[95m https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
$(echo -e "\e[97m################################################################################\e[0m")
Using : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
on : ${var_host}
Bash : ${var_bash_ver}
Using : lb (${VAR_VER_LB}) debootstrap (${VAR_VER_DS})
on : ${VAR_HOST}
Bash : ${VAR_BASH_VER}
EOF

136
scripts/live-boot/0030-verify-checksums
View File

@@ -1,136 +0,0 @@
#!/bin/sh
# bashsupport disable=BP5007
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of one of the offered checksums, proceed with booting, else panic.
#######################################
# Modified checksum-verification script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# LIVE_VERIFY_CHECKSUMS
# LIVE_VERIFY_CHECKSUMS_DIGESTS
# _CHECKSUM
# _CHECKSUMS
# _DIGEST
# _MOUNTPOINT
# _PARAMETER
# _RETURN
# _TTY
# Arguments:
# 1: ${_PARAMETER}
# Returns:
# 0 : Successful Verification
#######################################
Verify_checksums() {
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
_MOUNTPOINT="${1}"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
_TTY="/dev/tty8"
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
# shellcheck disable=SC2292
if [ -e "${_CHECKSUM}" ]; then
#echo "Found ${_CHECKSUM}..." > "${_TTY}"
printf "Found %s...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
#echo "Checking ${_CHECKSUM}..." > "${_TTY}"
printf "Checking %s...\n" "${_CHECKSUM}"
# Verify checksums
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN="${?}"
# Stop after the first verification
# break 2
else
#echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
printf "Not found /bin/%ssum....\n" "${_DIGEST}"
fi
fi
done
done
log_end_msg
case "${_RETURN}" in
0)
log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*)
panic "Verification failed, $(basename "${_TTY}") for more information."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

212
scripts/usr/lib/live/boot/0030-verify-checksums Normal file
View File

@@ -0,0 +1,212 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
# Arguments:
# 1: _MOUNTPOINT
# Returns:
# 0 : Successful verification
#######################################
Verify_checksums() {
_MOUNTPOINT="${1}"
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
live-boot.verify-checksums-signatures | verify-checksums-signatures)
LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
printf "\n"
CDLB_SCRIPT="$(basename "${0}")"
CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
log_end_msg
printf "\n"
fi
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
_RETURN_PGP="${?}"
else
_RETURN_PGP="na"
fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN_SHA="${?}"
# Stop after the first verification.
break 2
else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
fi
fi
done
done
log_end_msg
case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0)
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
na,0)
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*,0)
panic "Verification of signature file failed while verification of checksum file successful."
;;
na,*)
panic "Verification of checksum file failed."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
scripts/usr/lib/live/build/binary_checksums.sh
View File

@@ -1,11 +1,13 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -22,10 +24,9 @@
## This is free software, and you are welcome to redistribute it
## under certain conditions; see COPYING for details.
set -e
set -Ceu
### Including common functions.
# shellcheck disable=SC2292
if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
. "${LIVE_BUILD}/scripts/build.sh"
else
@@ -34,19 +35,17 @@ fi
### Setting static variables.
# shellcheck disable=SC2034
DESCRIPTION="Create binary checksums and PGP signature files."
DESCRIPTION="[CDLB] Create binary checksums and PGP signature files."
# shellcheck disable=SC2034
USAGE="${PROGRAM} [--force]"
### Processing arguments and configuration files.
Init_config_data "${@}"
# shellcheck disable=SC2292
if [ "${LB_CHECKSUMS}" = "none" ]; then
exit 0
fi
# shellcheck disable=SC2292
if [ "${LB_INITRAMFS}" = "dracut-live" ]; then
### The checksums will be generated by binary_iso.
exit 0
@@ -61,7 +60,7 @@ Check_stagefile
### Acquire a lock file.
Acquire_lockfile
declare CHECKSUM=""
CHECKSUM=""
for CHECKSUM in ${LB_CHECKSUMS}; do
@@ -69,7 +68,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
Echo_message "Begin creating binary ${CHECKSUMS} ..."
### Remove old checksums.
### Remove old checksums.
# shellcheck disable=SC2292
if [ -f "binary/${CHECKSUMS}" ]; then
@@ -91,18 +90,29 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
\! -path './*gpg' \
\! -path './*sig' \
-print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}"
Echo_message "Begin creating binary ${CHECKSUMS} done."
### sha256sum.txt
Echo_message "Begin creating GPG armor signature ${CHECKSUMS} ..."
gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --armor --detach-sign --output "${CHECKSUMS}.asc" "${CHECKSUMS}"
Echo_message "Begin verifying binary ${CHECKSUMS} ..."
"${CHECKSUM}sum" -c --strict --quiet "${CHECKSUMS}"
Echo_message "Begin verifying binary ${CHECKSUMS} done."
Echo_message "Begin creating GPG binary signature ${CHECKSUMS} ..."
gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}"
if [ "${VAR_SIGNER}" = "true" ]; then
Echo_message "Begin creating GPG binary signature ${CHECKSUMS} ..."
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
--detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}"
Echo_message "Begin creating GPG binary signature ${CHECKSUMS} done."
Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} ..."
gpgv --keyring "${VAR_VERIFY_KEYRING}" "${CHECKSUMS}.sig" "${CHECKSUMS}"
Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} done."
fi
Echo_message "Begin creating '${CHECKSUM}sum.README' ..."
cat << EOF >| "${CHECKSUM}sum.README"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -119,6 +129,7 @@ ${CHECKSUM}sum -c ${CHECKSUMS}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
EOF
Echo_message "Begin creating '${CHECKSUM}sum.README' done."
cd "${OLDPWD}"

26
scripts/usr/lib/live/build/binary_rootfs.sh
View File

@@ -1,11 +1,13 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -25,7 +27,6 @@
set -e
# Including common functions.
# shellcheck disable=SC2292
if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then
. "${LIVE_BUILD}/scripts/build.sh"
else
@@ -77,7 +78,6 @@ esac
# Creating directory
mkdir -p "binary/${INITFS}"
# shellcheck disable=SC2292
if In_list "rootfs" "${LB_CACHE_STAGES}" && [ -d cache/binary_rootfs ]
then
# Removing old chroot
@@ -104,7 +104,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
Install_packages
# Remove old image
# shellcheck disable=SC2292
if [ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ]
then
rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}"
@@ -140,7 +139,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
FAKE_MTAB=true
fi
BLOCK_SIZE=1024
# shellcheck disable=SC2292
if [ "${LB_DM_VERITY}" = "true" ]
then
# Module dm-verity needs a block size of at least 4k
@@ -168,7 +166,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
# Removing depends
Remove_packages
# shellcheck disable=SC2292
if [ -e chroot/chroot.cache ]
then
Remove_lockfile
@@ -215,13 +212,11 @@ case "${LB_CHROOT_FILESYSTEM}" in
Install_packages
# Remove old jffs2 image
# shellcheck disable=SC2292
if [ -f "binary/${INITFS}/filesystem.jffs2" ]
then
rm -f "binary/${INITFS}/filesystem.jffs2"
fi
# shellcheck disable=SC2292
if [ -n "${LB_JFFS2_ERASEBLOCK}" ]
then
JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}"
@@ -237,7 +232,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
# Removing depends
Remove_packages
# shellcheck disable=SC2292
if [ -e chroot/chroot.cache ]
then
Remove_lockfile
@@ -266,7 +260,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
;;
plain)
# shellcheck disable=SC2292
if [ -d "binary/${INITFS}/filesystem.dir" ]
then
rm -rf "binary/${INITFS}/filesystem.dir"
@@ -274,7 +267,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
case "${LB_BUILD_WITH_CHROOT}" in
true)
# shellcheck disable=SC2292
if [ -e chroot/chroot.cache ]
then
# Different from the other LB_CHROOT_FILESYSTEM values:
@@ -310,7 +302,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
Echo_message "This may take a while."
# Remove old squashfs image
# shellcheck disable=SC2292
if [ -f "binary/${INITFS}/filesystem.squashfs" ]
then
rm -f "binary/${INITFS}/filesystem.squashfs"
@@ -322,19 +313,16 @@ case "${LB_CHROOT_FILESYSTEM}" in
# Do not display the progress bar if:
# - Run with --quiet, or
# - stdin is not a terminal (e.g., in CI, cron, etc.)
# shellcheck disable=SC2292
if [ "${_QUIET}" = "true" ] || [ ! -t 0 ]
then
MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}"
fi
# shellcheck disable=SC2292
if [ "${_VERBOSE}" = "true" ]
then
MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}"
fi
# shellcheck disable=SC2292
if [ -f config/rootfs/squashfs.sort ]
then
MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}"
@@ -351,7 +339,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
fi
# Set squashfs compression type or default to xz
# shellcheck disable=SC2292
if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ]
then
MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}"
@@ -359,7 +346,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}"
fi
# shellcheck disable=SC2292
if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ]
then
MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}"
@@ -367,7 +353,9 @@ case "${LB_CHROOT_FILESYSTEM}" in
case "${LB_BUILD_WITH_CHROOT}" in
true)
# shellcheck disable=SC2292
### https://wiki.debian.org/ReproducibleInstalls/LiveImages
### https://reproducible-builds.org/docs/system-images/
### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
if [ -e config/rootfs/excludes ]
then
@@ -403,7 +391,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
# Removing depends
Remove_packages
# shellcheck disable=SC2292
if [ -e chroot/chroot.cache ]
then
Remove_lockfile
@@ -423,7 +410,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
;;
false)
# shellcheck disable=SC2292
if [ -e config/rootfs/excludes ]
then
MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}"
@@ -440,7 +426,6 @@ case "${LB_CHROOT_FILESYSTEM}" in
;;
none)
# shellcheck disable=SC2292
if [ -d binary ]
then
rm -rf binary
@@ -466,7 +451,6 @@ then
mkdir -p cache/binary_rootfs
# shellcheck disable=SC2292
if [ "${LB_CHROOT_FILESYSTEM}" != "none" ]
then
cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs

4
scripts/usr/local/sbin/9999-cdi-starter
View File

@@ -127,7 +127,7 @@ main() {
# shellcheck disable=SC2312
exec > >(tee -a "${var_log}") 2>&1
printf "CISS.debian.installer Master V8.13.296.2025.10.29 is up! \n" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.384.2025.11.06 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
@@ -182,7 +182,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
printf "CISS.debian.installer Master V8.13.296.2025.10.29: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.384.2025.11.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}

27
var/early.var.sh
View File

@@ -10,12 +10,35 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Definition of MUST set early Variables
### Definition of MUST set early variables.
# shellcheck disable=SC2155
declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4
if (NF >= 5) out = out " " $5
if (NF >= 6) out = out " " $6
print out
}')"
declare -grx VAR_CONTACT="security@coresecret.eu"
declare -grx VAR_VERSION="Master V8.13.296.2025.10.29"
declare -grx VAR_DATE="$(date +%F)"
declare -grx VAR_DATE_EPOCH="$(date -u +%s)"
declare -grx VAR_DATE_INFO="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%S %z')"
declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -grx VAR_VERSION="Master V8.13.384.2025.11.06"
declare -grx VAR_VER_DS="$(debootstrap --version)"
declare -grx VAR_VER_LB="$(lb -v)"
declare -gx APT_LISTCHANGES_FRONTEND="none"
declare -gx DEBIAN_FRONTEND="noninteractive"
declare -gx SOURCE_DATE_EPOCH="$(git log -1 --format=%ct)"
declare -gx VAR_EARLY_DEBUG="false"
declare -gx VAR_HANDLER_AUTOBUILD="false"

51
var/global.var.sh
View File

@@ -14,46 +14,41 @@
guard_sourcing
### Definition of MUST set global variables.
declare -gr VAR_BASH_VER="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4
if (NF >= 5) out = out " " $5
if (NF >= 6) out = out " " $6
print out
}')"
declare -gr VAR_HOST="$(uname -n)"
declare -gr VAR_DATE_EPOCH="$(date -u +%s)"
declare -gr VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -gr VAR_DATE_INFO="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%S %z')"
declare -gr VAR_KERNEL_INF="$(mktemp)"
declare -gr VAR_KERNEL_TMP="$(mktemp)"
declare -gr VAR_KERNEL_SRT="$(mktemp)"
declare -gr VAR_KERNEL_TMP="$(mktemp)"
declare -gr VAR_NOTES="$(mktemp)"
declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
declare -gr LOG_ERROR="/tmp/cdlb_${VAR_ISO8601}_error.log"
touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"
declare -g VAR_ARCHITECTURE=""
declare -g VAR_HANDLER_BUILD_DIR=""
declare -g VAR_HANDLER_CDI="false"
declare -g __umask=""
declare -g VAR_ARCHITECTURE=""
declare -g VAR_HANDLER_BUILD_DIR=""
declare -g VAR_HANDLER_CDI="false"
declare -g VAR_HANDLER_NETCUP_IPV6="false"
declare -g VAR_HANDLER_SPLASH=""
declare -g VAR_HASHED_PWD=""
declare -g VAR_SCRIPT_SUCCESS="false"
declare -g VAR_SSHFP="false"
declare -g VAR_SSHPORT=""
declare -g VAR_SSHPUBKEY=""
declare -g VAR_SUITE="trixie"
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
declare -ga ARY_HANDLER_JUMPHOST=()
declare -ga ARY_HANDLER_NETCUP_IPV6=()
declare -gi VAR_HANDLER_DHCP=0
declare -g VAR_HANDLER_SPLASH=""
declare -g VAR_SSHPORT=""
declare -g VAR_SSHPUBKEY=""
declare -g VAR_SCRIPT_SUCCESS="false"
declare -g VAR_SUITE="bookworm"
declare -g VAR_HANDLER_NETCUP_IPV6="false"
declare -g VAR_HASHED_PWD=""
declare -g VAR_SSHFP="false"
declare -gi VAR_HANDLER_STA=0
declare -gi VAR_HANDLER_PRIORITY=0
declare -gi VAR_HANDLER_STA=0
declare -gi VAR_REIONICE_CLASS=2
declare -gi VAR_REIONICE_PRIORITY=4
declare -gr VAR_CHROOT_DIR="chroot"
declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
declare -ga ARY_HANDLER_JUMPHOST=()
declare -ga ARY_HANDLER_NETCUP_IPV6=()
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
declare -gx VAR_SIGNER="false"
declare -gx VAR_SIGNING_KEY_FPR=""
declare -gx VAR_SIGNING_KEY_PASS=""
declare -gx VAR_SIGNING_KEY_PASSFILE=""
declare -gx VAR_SIGNING_KEY=""
### Definition of error codes
declare -gir ERR_UNCRITICAL=127