From ef87becefe3c049f46a9ae68c0d48bbd5c0c832e3cc84b582a71bbdcdb33aed2 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Thu, 6 Nov 2025 19:59:22 +0100 Subject: [PATCH] V8.13.384.2025.11.06 
Signed-off-by: Marc S. Weidner --- .archive/.0000_lib_usage.sh | 2 +- .archive/0002_verify_checksums.chroot | 248 ++++++++++++++ .../9998_sources_list_bookworm.chroot | 0 .../generate_PRIVATE_trixie_0.yaml | 11 +- .archive/generate_PRIVATE_trixie_1.yaml | 136 +++++--- .../generate_PUBLIC_iso.yaml | 12 +- .archive/icon.lib | 8 + {lib => .archive}/lib_lb_config_write.sh | 0 .gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml | 2 +- .gitea/TODO/dockerfile | 2 +- .gitea/TODO/render-md-to-html.yaml | 8 +- .../trigger/t_generate_PRIVATE_trixie_1.yaml | 4 +- .gitea/trigger/t_generate_dns.yaml | 2 +- .../workflows/generate_PRIVATE_trixie_1.yaml | 302 ++++++++---------- .gitea/workflows/linter_char_scripts.yaml | 10 +- .gitea/workflows/render-dnssec-status.yaml | 10 +- .gitea/workflows/render-dot-to-png.yaml | 10 +- ...deploy@coresecet.dev_0x2CCF4601_public.asc | 21 ++ .version.properties | 2 +- CISS.debian.live.builder.spdx | 2 +- README.md | 8 +- REPOSITORY.md | 4 +- ciss_live_builder.sh | 130 ++++---- .../hooks/live/0000_basic_chroot_setup.chroot | 29 +- .../hooks/live/0001_initramfs_modules.chroot | 26 +- .../hooks/live/0002_verify_checksums.chroot | 172 ---------- .../hooks/live/0007_update_logrotate.chroot | 4 +- config/hooks/live/0050_activate_root.chroot | 6 +- config/hooks/live/0870_bashdb.chroot | 36 +++ config/hooks/live/9930_hardening_ssh.chroot | 31 +- .../hooks/live/9935_hardening_ssh.chroot.tmpl | 93 ------ config/hooks/live/9999_zzzz.chroot | 3 + .../includes.chroot/etc/ssh/ssh_known_hosts | 2 +- config/includes.chroot/etc/ssh/sshd_config | 6 +- .../etc/sysctl.d/99_local.hardened | 4 +- .../preseed/.iso/preseed_hash_generator.sh | 2 +- config/includes.chroot/preseed/preseed.cfg | 2 +- .../usr/lib/live/boot/0030-verify-checksums | 212 ++++++++++++ config/package-lists/live.list.common.chroot | 1 + docs/AUDIT_DNSSEC.md | 2 +- docs/AUDIT_HAVEGED.md | 2 +- docs/AUDIT_LYNIS.md | 2 +- docs/AUDIT_SSH.md | 2 +- docs/AUDIT_TLS.md | 2 +- docs/BOOTPARAMS.md | 2 +- 
docs/CHANGELOG.md | 63 +++- docs/CNET.md | 2 +- docs/CODING_CONVENTION.md | 2 +- docs/CONTRIBUTING.md | 2 +- docs/CREDITS.md | 2 +- docs/DL_PUB_ISO.md | 2 +- docs/DOCUMENTATION.md | 6 +- docs/REFERENCES.md | 2 +- lib/lib_arg_parser.sh | 87 +++-- lib/lib_arg_priority_check.sh | 13 +- lib/lib_cdi.sh | 11 +- lib/lib_change_splash.sh | 5 + lib/lib_check_dhcp.sh | 5 + lib/lib_check_hooks.sh | 18 +- lib/lib_check_kernel.sh | 7 +- lib/lib_check_pkgs.sh | 38 ++- lib/lib_check_provider.sh | 4 + lib/lib_check_var.sh | 7 +- lib/lib_ciss_upgrades_boot.sh | 50 +++ ...upgrades.sh => lib_ciss_upgrades_build.sh} | 23 +- lib/lib_clean_up.sh | 59 +++- lib/lib_contact.sh | 11 +- lib/lib_copy_integrity.sh | 15 +- lib/lib_debug.sh | 34 +- lib/lib_debug_header.sh | 17 +- lib/lib_git_var.sh | 36 --- lib/lib_gnupg.sh | 87 +++++ lib/lib_guard_sourcing.sh | 8 +- lib/lib_hardening_root_pw.sh | 19 +- ...dening_ssh.sh => lib_hardening_ssh_tcp.sh} | 43 ++- lib/lib_hardening_ultra.sh | 162 +++------- lib/lib_helper_ip.sh | 16 +- lib/lib_lb_build_start.sh | 14 +- lib/lib_lb_config_start.sh | 44 +-- lib/lib_lb_config_write_trixie.sh | 35 +- lib/lib_note_target.sh | 11 + lib/lib_primordial.sh | 63 ++++ lib/lib_provider_netcup.sh | 33 +- lib/lib_trap_on_err.sh | 2 + lib/lib_usage.sh | 98 +++--- lib/lib_version.sh | 26 +- scripts/live-boot/0030-verify-checksums | 136 -------- .../usr/lib/live/boot/0030-verify-checksums | 212 ++++++++++++ .../usr/lib/live/build/binary_checksums.sh | 37 ++- scripts/usr/lib/live/build/binary_rootfs.sh | 26 +- scripts/usr/local/sbin/9999-cdi-starter | 4 +- var/early.var.sh | 27 +- var/global.var.sh | 51 ++- 93 files changed, 2021 insertions(+), 1229 deletions(-) create mode 100644 .archive/0002_verify_checksums.chroot rename {config/hooks/live => .archive}/9998_sources_list_bookworm.chroot (100%) rename {.gitea/workflows => .archive}/generate_PRIVATE_trixie_0.yaml (98%) rename {.gitea/workflows => .archive}/generate_PUBLIC_iso.yaml (97%) rename {lib => 
.archive}/lib_lb_config_write.sh (100%) create mode 100644 .pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc delete mode 100644 config/hooks/live/0002_verify_checksums.chroot create mode 100644 config/hooks/live/0870_bashdb.chroot delete mode 100644 config/hooks/live/9935_hardening_ssh.chroot.tmpl create mode 100644 config/includes.chroot/usr/lib/live/boot/0030-verify-checksums create mode 100644 lib/lib_ciss_upgrades_boot.sh rename lib/{lib_ciss_upgrades.sh => lib_ciss_upgrades_build.sh} (63%) delete mode 100644 lib/lib_git_var.sh create mode 100644 lib/lib_gnupg.sh rename lib/{lib_hardening_ssh.sh => lib_hardening_ssh_tcp.sh} (55%) create mode 100644 lib/lib_primordial.sh delete mode 100644 scripts/live-boot/0030-verify-checksums create mode 100644 scripts/usr/lib/live/boot/0030-verify-checksums diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh index 2d92bcc..1493c54 100644 --- a/.archive/.0000_lib_usage.sh +++ b/.archive/.0000_lib_usage.sh @@ -21,7 +21,7 @@ usage() { clear cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.13.296.2025.10.29\e[0m") +$(echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m") $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") diff --git a/.archive/0002_verify_checksums.chroot b/.archive/0002_verify_checksums.chroot new file mode 100644 index 0000000..82369a7 --- /dev/null +++ b/.archive/0002_verify_checksums.chroot 
@@ -0,0 +1,248 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -Ceuo pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" + +target="/usr/lib/live/boot/0030-verify-checksums" +src="$(mktemp)" + +if [[ ! -d /usr/lib/live/boot ]]; then + mkdir -p /usr/lib/live/boot +fi + +cat << 'EOF' >| "${src}" +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Modified Version of the original file: +### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' +### In case of successful verification of the offered checksum, proceed with booting; otherwise panic. + +####################################### +# Modified checksum-integrity and authenticity-verification-script for continuing the boot process. 
+# Globals: +# LIVE_BOOT_CMDLINE +# _TTY +# Arguments: +# 1: _MOUNTPOINT +# Returns: +# 0 : Successful verification +####################################### +Verify_checksums() { + _MOUNTPOINT="${1}" + + _TTY="/dev/tty8" + + LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" + + for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do + + case "${_PARAMETER}" in + + live-boot.verify-checksums=* | verify-checksums=*) + + LIVE_VERIFY_CHECKSUMS="true" + LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" + ;; + + live-boot.verify-checksums | verify-checksums) + + LIVE_VERIFY_CHECKSUMS="true" + ;; + + live-boot.verify-checksums-signatures | verify-checksums-signatures) + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="true" + ;; + + esac + + done + + case "${LIVE_VERIFY_CHECKSUMS}" in + + true) + : + ;; + + *) + return 0 + ;; + + esac + + # shellcheck disable=SC2164 + cd "${_MOUNTPOINT}" + + ### CDLB verification of script integrity itself ----------------------------------------------------------------------------- + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + log_begin_msg "Verifying integrity of '0030-verify-checksums' ..." + printf "\n" + + CDLB_SCRIPT="$(basename "${0}")" + CDLB_SHA="sha512" + CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE="" + + for CDLB_ITEM in ${CDLB_SHA}; do + + CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}" + CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" + CDLB_CMD="${CDLB_ITEM}sum" + + printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}" + + if ! 
gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then + + printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}" + sleep 8 + # TODO: Remove debug mode + # return 0 + + else + + printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}" + + fi + + printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}" + + CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; }) + read -r CDLB_EXPECTED < "${CDLB_HASHFILE}" + + if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then + + printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}" + sleep 8 + # TODO: Remove debug mode + # return 0 + + fi + + printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}" + + done + + printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding." + + log_end_msg + printf "\n" + + fi + + ### Checksum and checksum signature verification ----------------------------------------------------------------------------- + log_begin_msg "Verifying checksums" + printf "\n" + + # shellcheck disable=SC2001 + for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do + + # shellcheck disable=SC2060 + _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" + + for _CHECKSUM in ${_CHECKSUMS}; do + + if [ -e "${_CHECKSUM}" ]; then + + printf "Found [%s] ...\n" "${_CHECKSUM}" + + if [ -e "/bin/${_DIGEST}sum" ]; then + + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}" + _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" + gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}" + _RETURN_PGP="${?}" + + else + + _RETURN_PGP="na" + + fi + + printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}" + + # shellcheck disable=SC2312 + grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" + _RETURN_SHA="${?}" + + # Stop after the 
first verification. + break 2 + + else + + printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum" + + fi + + fi + + done + + done + + log_end_msg + + case "${_RETURN_PGP},${_RETURN_SHA}" in + + 0,0) + log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + na,0) + log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + *,0) + panic "Verification of signature file failed while verification of checksum file successful." + ;; + + na,*) + panic "Verification of checksum file failed." + ;; + + esac +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh +EOF + +# Copy and make executable +install -m 0755 "${src}" "${target}" + +rm -f "${src}" + +unset target src + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9998_sources_list_bookworm.chroot b/.archive/9998_sources_list_bookworm.chroot similarity index 100% rename from config/hooks/live/9998_sources_list_bookworm.chroot rename to .archive/9998_sources_list_bookworm.chroot diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml similarity index 98% rename from .gitea/workflows/generate_PRIVATE_trixie_0.yaml rename to .archive/generate_PRIVATE_trixie_0.yaml index a05ebd2..a3249c7 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. 
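Review bot: A failed signature or hash check inside Verify_checksums never stops the boot: the `gpgv` failure branch only prints and `sleep 8` (its `return 0` is commented out under "TODO: Remove debug mode"), the recomputed-hash mismatch branch does the same and then still prints "Hash verification successful", and the final `case "${_RETURN_PGP},${_RETURN_SHA}"` has no arm for a valid signature with a failing checksum (`0,1`), so that combination falls through and the function returns 0. Both debug branches should `panic` (or at least `return 1`), and the case needs a catch-all `*) panic "Verification of checksum or signature failed." ;;`. Separately, `gpgv --keyring 0030-verify-checksums_public.gpg` is resolved relative to `${_MOUNTPOINT}` after the `cd`, i.e. the public key is read from the same medium whose checksums it is supposed to authenticate; unless a copy is also pinned inside the initramfs, an attacker who rewrites key, `.sig` and SUMS together passes the check. This file lives under `.archive/`; the diffstat lists an active copy at `config/includes.chroot/usr/lib/live/boot/0030-verify-checksums` that is not in this chunk, so the same fixes should be confirmed there.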
@@ -72,11 +72,11 @@ jobs: ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config @@ -87,7 +87,7 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. @@ -242,6 +242,7 @@ jobs: OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" rm -f "$OUT" echo "Hook removed: $OUT" + shred -fzu -n 5 /opt/config/authorized_keys - name: ๐Ÿ“ฅ Checking Centurion Cloud for existing LIVE ISOs. shell: bash @@ -418,7 +419,7 @@ jobs: HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : ๐Ÿ” Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci] diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index 8ec6e26..c4018f6 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. 
@@ -35,10 +35,23 @@ jobs: container: image: debian:trixie - steps: - - name: ๐Ÿ› ๏ธ Basic Image Setup. + defaults: + run: shell: bash + working-directory: ${{ github.workspace }} + + steps: + - name: โณ Waiting random time to desynchronize parallel workflows. run: | + set -euo pipefail + var_wait=$(( RANDOM % 33 )) + printf "โณ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" + sleep "${var_wait}" + + - name: ๐Ÿ› ๏ธ Basic Image Setup. + run: | + set -euo pipefail + umask 0077 export DEBIAN_FRONTEND=noninteractive apt-get update -qq apt-get upgrade -y @@ -56,27 +69,23 @@ jobs: util-linux - name: โš™๏ธ Check GnuPG Version. - shell: bash run: | gpg --version - name: โš™๏ธ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. - shell: bash run: | set -euo pipefail - var_wait=$(( RANDOM % 33 )) - printf "โณ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" - sleep "${var_wait}" + umask 0077 rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config 
@@ -87,44 +96,40 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. - shell: bash env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} run: | + set -euo pipefail git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - - name: ๐Ÿ› ๏ธ Cleaning the workspace. - shell: bash + - name: โš™๏ธ Init GNUPGHOME. run: | - git reset --hard - git clean -fd + set -euo pipefail + umask 0077 + GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}" + mkdir -p -m 700 "${GNUPGHOME}" + echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}" + echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf" + gpgconf --reload gpg-agent || true - name: โš™๏ธ Importing the 'CI PGP DEPLOY ONLY' key. - shell: bash + env: + PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }} run: | set -euo pipefail - ### GPG-Home relative to the Runner Workspace to avoid changing global files. - export GNUPGHOME="$(pwd)/.gnupg" - mkdir -m 700 "${GNUPGHOME}" - echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc - gpg --batch --import centurion-root.PUB.asc - echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc - gpg --batch --import ci-bot.sec.asc - ### Trust the key automatically - KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') - echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" + umask 0077 + printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import + unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV - name: โš™๏ธ Configuring Git for signed CI/DEPLOY commits. 
- shell: bash run: | set -euo pipefail - export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" git config commit.gpgsign true 
@@ -132,15 +137,33 @@ jobs: git config gpg.format openpgp - name: โš™๏ธ Preparing the build environment. - shell: bash run: | set -euo pipefail - mkdir -p /opt/config - mkdir -p /opt/livebuild - touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt - touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys - echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt - echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys + umask 0077 + mkdir -p /opt/cdlb/secrets + mkdir -p /opt/cdlb/livebuild + install -m 0600 /dev/null /opt/cdlb/secrets/password.txt + install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys + install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key + install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub + install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key + install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub + install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial + install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub + install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt + install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt + + echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/cdlb/secrets/password.txt + echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/cdlb/secrets/authorized_keys + echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key + echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub + echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /opt/cdlb/secrets/ssh_host_rsa_key + echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_rsa_key.pub + echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial + echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub + echo "${{ 
secrets.CISS_PHYS_AGE }}" >| /opt/cdlb/secrets/keys.txt + echo "${{ secrets.CISS_PHYS_LUKS }}" >| /opt/cdlb/secrets/luks.txt + - name: ๐Ÿ”ง Render live hook with secrets. shell: bash @@ -153,6 +176,7 @@ jobs: CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }} CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }} CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }} + MSW_GPG_DEPLOY_BOT: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }} run: | set -Ceuo pipefail umask 077 @@ -164,6 +188,7 @@ jobs: ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial" ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub" SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot" + BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh" if [[ ! -f "${TPL}" ]]; then echo "Template not found: ${TPL}" @@ -180,6 +205,7 @@ jobs: export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}" export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}" export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}" + export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}" ( cat << EOF >| "${ID_OUT}" @@ -216,13 +242,21 @@ jobs: chmod 0755 "${OUT}" - #perl -0777 -i -pe ' - # BEGIN { - # our $age = $ENV{CISS_PHYS_AGE} // q{}; - # } - # s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g; - #' -- "${SOPS}" - #chmod 0755 "${SOPS}" + perl -0777 -i -pe ' + BEGIN { + our $age = $ENV{CISS_PHYS_AGE} // q{}; + } + s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g; + ' -- "${SOPS}" + chmod 0755 "${SOPS}" + + perl -0777 -i -pe ' + BEGIN { + our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{}; + } + s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g; + ' -- "${BINARY_CHECKSUMS}" + chmod 0755 "${BINARY_CHECKSUMS}" echo "Hook rendered: ${OUT}" 
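Review bot: The ten `echo "${{ secrets.… }}" >| /opt/cdlb/secrets/…` lines in the "Preparing the build environment" step paste each secret into the shell script text before bash runs, so a value containing `"`, `$(` or a backtick becomes shell code, and `echo` may rewrite backslash sequences in key material. The "Importing the 'CI PGP DEPLOY ONLY' key" step earlier in this file already uses the safe pattern — declare the secrets under `env:` and write them with `printf '%s\n' "${CISS_DLB_SSH_HOST_ED25519_KEY}" >| /opt/cdlb/secrets/ssh_host_ed25519_key` — and the same shape fits here. This is the archived copy of the workflow; if the active `.gitea/workflows/generate_PRIVATE_trixie_1.yaml` carries the same step, it needs the same change.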
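Review bot: The new `perl … s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g` renders `MSW_GPG_DEPLOY_BOT` — the same `secrets.PGP_MSW_DEPLOY_CORESECRET_DEV` that is imported as the commit-signing key earlier in this file, and therefore has to contain secret key material — into `scripts/usr/lib/live/build/binary_checksums.sh` inside the git checkout, and the following `chmod 0755` leaves that file world-readable on the runner. None of the hunks visible here revert or shred `${BINARY_CHECKSUMS}` (or the `${SOPS}` hook, which receives `CISS_PHYS_AGE` the same way) before the later signed-commit and upload steps, so the key can end up in the pushed tree or in the ISO build input; a cleanup may exist outside this chunk. Preferably sign the checksums with the key already present in `$GNUPGHOME` (`gpg --batch --detach-sign --local-user <fpr>`) instead of templating it into a script; at minimum use `chmod 0700` and add `git checkout -- "${BINARY_CHECKSUMS}" "${SOPS}"` next to the existing `rm -f "$OUT"` cleanup.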
@@ -237,19 +271,21 @@ jobs: ./ciss_live_builder.sh \ --autobuild=6.16.3+deb13-amd64 \ --architecture amd64 \ - --build-directory /opt/livebuild \ + --build-directory /opt/cdlb/livebuild \ --cdi \ --control "${timestamp}" \ --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \ - --root-password-file /opt/config/password.txt \ + --root-password-file /opt/cdlb/secrets/password.txt \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \ - --ssh-pubkey /opt/config \ + --ssh-pubkey /opt/cdlb/secrets \ + --sshfp \ --trixie REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" rm -f "$OUT" echo "Hook removed: $OUT" + shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys - name: ๐Ÿ“ฅ Checking Centurion Cloud for existing LIVE ISOs. shell: bash @@ -297,11 +333,11 @@ jobs: SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}" run: | set -euo pipefail - if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "โŒ There must be exactly one .iso file in the directory!" exit 1 else - VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "โœ… ISO file found: ${VAR_ISO_FILE_NAME}" fi @@ -318,11 +354,11 @@ jobs: - name: ๐Ÿ”‘ Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. shell: bash run: | - if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then echo "โŒ There must be exactly one .iso file in the directory!" exit 1 else - VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "โœ… ISO file found: ${VAR_ISO_FILE_NAME}" fi 
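Review bot: The cleanup added at the end of the build step, `shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys`, destroys the one file in that directory that holds a public key, while `password.txt`, `ssh_host_ed25519_key`, `ssh_host_rsa_key`, `id_2025_ed25519_ciss_primordial`, `keys.txt` and `luks.txt` written by the preceding step stay on the runner. Shred the whole directory instead, `find /opt/cdlb/secrets -type f -exec shred -fzu -n 5 {} +`, and note in a comment that on an overlay or tmpfs container filesystem shred's overwrite is best-effort, so the directory should also be removed afterwards. The `--jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }}` and `--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }}` arguments remain unquoted inline expansions in the script text; passing them through `env:` keeps them out of the rendered script (quote them if each is a single value). This is the archived copy of the workflow, so the same check applies to the active one.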
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml similarity index 97% rename from .gitea/workflows/generate_PUBLIC_iso.yaml rename to .archive/generate_PUBLIC_iso.yaml index 724ea97..be0b505 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 name: ๐Ÿ’™ Generating a PUBLIC Live ISO. @@ -72,11 +72,11 @@ jobs: ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config @@ -87,7 +87,7 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. @@ -146,7 +146,7 @@ jobs: shell: bash run: | set -euo pipefail - sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh + sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh chmod 0755 ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'. 
@@ -337,7 +337,7 @@ jobs: HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : ๐Ÿ’™ Auto-Generate PUBLIC LIVE ISO [skip ci] diff --git a/.archive/icon.lib b/.archive/icon.lib index 0165772..a0616c4 100644 --- a/.archive/icon.lib +++ b/.archive/icon.lib @@ -17,6 +17,10 @@ ๐Ÿ”‘ โœ๏ธ ๐Ÿ–ฅ๏ธ +โฌ†๏ธ +โซ +๐Ÿ”ผ +๐Ÿ†™ ๐Ÿ”„ ๐Ÿ” ๐ŸŒŒ @@ -32,6 +36,7 @@ ๐Ÿงช ๐Ÿ“ฉ ๐Ÿ“ฅ +๐Ÿ“ค ๐Ÿ“ฆ ๐Ÿ“‘ ๐Ÿ“‚ @@ -52,4 +57,7 @@ โ˜ข๏ธ โ˜ฃ๏ธ โ€ข +โ˜๏ธ +๐Ÿ“ก +๐Ÿ›ก๏ธ # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_config_write.sh b/.archive/lib_lb_config_write.sh similarity index 100% rename from lib/lib_lb_config_write.sh rename to .archive/lib_lb_config_write.sh diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index f1c0ebf..0380994 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V8.13.296.2025.10.29" + placeholder: "e.g., Master V8.13.384.2025.11.06" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index 6621adc..5e682b6 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index 9b5664a..1e804b8 100644 --- a/.gitea/TODO/render-md-to-html.yaml 
+++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 name: ๐Ÿ” Render README.md to README.html. @@ -38,11 +38,11 @@ jobs: ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config @@ -53,7 +53,7 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index 31db890..abba2b4 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1024 - version: V8.13.296.2025.10.29 + counter: 1023 + version: V8.13.384.2025.11.06 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index dc81ba4..627d42f 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V8.13.296.2025.10.29 + version: V8.13.384.2025.11.06 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index f556364..fb287a6 100644 
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 name: ๐Ÿ” Generating a Private Live ISO TRIXIE. @@ -35,11 +35,31 @@ jobs: container: image: debian:trixie - steps: - - name: ๐Ÿ› ๏ธ Basic Image Setup. + defaults: + run: shell: bash + working-directory: ${{ github.workspace }} + + steps: + - name: ๐Ÿ•‘ Waiting random time to desynchronize parallel workflows. run: | + set -euo pipefail + var_wait=$(( RANDOM % 33 )) + printf "๐Ÿ•‘ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" + sleep "${var_wait}" + + - name: ๐Ÿ”ง Basic Image Setup. + run: | + set -euo pipefail + umask 0022 + + echo "APT_LISTCHANGES_FRONTEND=none" >> "${GITHUB_ENV}" + echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}" + echo "VAR_CDLB_INSIDE_RUNNER=true" >> "${GITHUB_ENV}" + + export APT_LISTCHANGES_FRONTEND=none export DEBIAN_FRONTEND=noninteractive + apt-get update -qq apt-get upgrade -y apt-get install -y --no-install-recommends \ 
@@ -56,27 +76,24 @@ jobs: util-linux - name: โš™๏ธ Check GnuPG Version. - shell: bash run: | gpg --version - name: โš™๏ธ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config. - shell: bash run: | + set +x set -euo pipefail - var_wait=$(( RANDOM % 33 )) - printf "โณ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}" - sleep "${var_wait}" + umask 0077 rm -rf ~/.ssh && mkdir -m700 ~/.ssh ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config 
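Review bot: `ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts` rebuilds known_hosts from the network on every run, so the `StrictHostKeyChecking yes` written into `~/.ssh/config` right after it only checks the server against whatever answered the scan and gives no protection against a MITM at scan time. Pin the host key instead: keep the expected `[git.coresecret.dev]:42842 ssh-ed25519 …` line in the repository or a variable and write it with `printf '%s\n' "${GIT_HOST_KEY}" >| ~/.ssh/known_hosts`, or at least compare the scanned key's `ssh-keygen -lf` fingerprint against a pinned value before using it. The added `set +x` does not protect `echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519`, because the runner substitutes the secret into the script before bash parses it; the "Importing the 'CI PGP DEPLOY ONLY' key" step below in this file already passes its secret via `env:` and `printf '%s'`, and the deploy key should be written the same way.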
@@ -87,173 +104,113 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. - shell: bash + - name: ๐Ÿ”ง Using manual clone via SSH to circumvent Gitea SHA-256 object issues. env: ### GITHUB_REF_NAME contains the branch name from the push event. GITHUB_REF_NAME: ${{ github.ref_name }} run: | + set -euo pipefail git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git . git fetch --unshallow || echo "Nothing to fetch - already full clone." - - name: ๐Ÿ› ๏ธ Cleaning the workspace. - shell: bash + - name: โš™๏ธ Init GNUPGHOME. run: | - git reset --hard - git clean -fd + set +x + set -euo pipefail + umask 0077 + GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}" + # shellcheck disable=SC2174 + mkdir -p -m 0700 "${GNUPGHOME}" + echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}" + echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf" + gpgconf --reload gpg-agent || true - name: โš™๏ธ Importing the 'CI PGP DEPLOY ONLY' key. - shell: bash + env: + PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }} run: | + set +x set -euo pipefail - ### GPG-Home relative to the Runner Workspace to avoid changing global files. 
- export GNUPGHOME="$(pwd)/.gnupg" - mkdir -m 700 "${GNUPGHOME}" - echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc - gpg --batch --import centurion-root.PUB.asc - echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc - gpg --batch --import ci-bot.sec.asc - ### Trust the key automatically - KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}') - echo "trust-model always" >| "${GNUPGHOME}/gpg.conf" + umask 0077 + printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import + unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV - name: โš™๏ธ Configuring Git for signed CI/DEPLOY commits. - shell: bash run: | + set +x set -euo pipefail - export GNUPGHOME="$(pwd)/.gnupg" git config user.name "Marc S. Weidner BOT" git config user.email "msw+bot@coresecret.dev" + git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} git config commit.gpgsign true git config gpg.program gpg git config gpg.format openpgp + git config --get user.signingkey - name: โš™๏ธ Preparing the build environment. 
- shell: bash + run: | + set +x + set -euo pipefail + umask 0077 + mkdir -p /dev/shm/cdlb_secrets + + install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt + install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys + install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key + install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub + install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key + install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub + install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial + install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub + install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt + install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt + install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc + install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt + + echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /dev/shm/cdlb_secrets/password.txt + echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /dev/shm/cdlb_secrets/authorized_keys + echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key + echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub + echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key + echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub + echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial + echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub + echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt + echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt + echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc + echo "${{ 
secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt + + - name: ๐Ÿ”ง Starting CISS.debian.live.builder. This may take about an hour ... run: | set -euo pipefail - mkdir -p /opt/config - mkdir -p /opt/livebuild - touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt - touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys - echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt - echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys - - - name: ๐Ÿ”ง Render live hook with secrets. - shell: bash - working-directory: ${{ github.workspace }} - env: - ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} - ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} - RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} - RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} - CISS_PRIMORDIAL: ${{ secrets.CISS_PRIMORDIAL_PRIVATE }} - CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }} - CISS_PHYS_AGE: ${{ secrets.CISS_PHYS_AGE }} - run: | - set -Ceuo pipefail - umask 077 - - REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" - - TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" - OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot" - ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial" - ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub" - SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot" - - if [[ ! 
-f "${TPL}" ]]; then - echo "Template not found: ${TPL}" - echo "::group::Tree of config/hooks/live" - ls -la "${REPO_ROOT}/config/hooks/live" || true - echo "::endgroup::" - exit 2 - fi - - export ED25519_PRIV="${ED25519_PRIV//$'\r'/}" - export ED25519_PUB="${ED25519_PUB//$'\r'/}" - export RSA_PRIV="${RSA_PRIV//$'\r'/}" - export RSA_PUB="${RSA_PUB//$'\r'/}" - export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}" - export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}" - export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}" - - ( - cat << EOF >| "${ID_OUT}" - ${CISS_PRIMORDIAL} - EOF - ) && chmod 0600 "${ID_OUT}" - if [[ -f "${ID_OUT}" ]]; then - echo "Written: ${ID_OUT}" - else - echo "Error: ${ID_OUT} not written." - fi - - ( - cat << EOF >| "${ID_OUT_PUB}" - ${CISS_PRIMORDIAL_PUB} - EOF - ) && chmod 0600 "${ID_OUT_PUB}" - if [[ -f "${ID_OUT_PUB}" ]]; then - echo "Written: ${ID_OUT_PUB}" - else - echo "Error: ${ID_OUT_PUB} not written." - fi - - perl -0777 -pe ' - BEGIN{ - $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB}; - $rsa=$ENV{RSA_PRIV}; $rsapub=$ENV{RSA_PUB}; - } - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g; - s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g; - ' "${TPL}" > "${OUT}" - - chmod 0755 "${OUT}" - - perl -0777 -i -pe ' - BEGIN { - our $age = $ENV{CISS_PHYS_AGE} // q{}; - } - s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g; - ' -- "${SOPS}" - chmod 0755 "${SOPS}" - - echo "Hook rendered: ${OUT}" - - - name: ๐Ÿ› ๏ธ Starting CISS.debian.live.builder. This may take a while ... - shell: bash - working-directory: ${{ github.workspace }} - run: | - set -euo pipefail - chmod 0755 ciss_live_builder.sh + chmod 0700 ciss_live_builder.sh timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ") ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'. 
./ciss_live_builder.sh \ --autobuild=6.16.3+deb13-amd64 \ --architecture amd64 \ - --build-directory /opt/livebuild \ + --build-directory /opt/cdlb \ --cdi \ --control "${timestamp}" \ --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \ - --root-password-file /opt/config/password.txt \ + --root-password-file /dev/shm/cdlb_secrets/password.txt \ + --signing_key=signing_key.asc \ + --signing_key_fpr="${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }}" \ + --signing_key_pass=signing_key_pass.txt \ --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \ - --ssh-pubkey /opt/config \ + --ssh-pubkey /dev/shm/cdlb_secrets \ --sshfp \ --trixie REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)" - OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot" - rm -f "$OUT" - echo "Hook removed: $OUT" + OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot" + rm -f "${OUT}" + echo "Hook removed: ${OUT}" - name: ๐Ÿ“ฅ Checking Centurion Cloud for existing LIVE ISOs. - shell: bash env: NC_BASE: "https://cloud.e2ee.li" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}" 
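Review bot: The "Preparing the build environment" step writes twelve secrets with `echo "${{ secrets.X }}" >| /dev/shm/cdlb_secrets/...`, so every private key and passphrase is expanded into the step's shell script text by the workflow template, whereas the PGP import step in the same hunk deliberately moved to an `env:` variable plus `printf '%s'`. Apply that pattern here too: map each secret through `env:` and write it with `printf '%s\n'`, which keeps the material out of the rendered script and avoids echo's interpretation of a value beginning with `-`; the `install -m 0600 /dev/null ...` pre-creation already fixes the modes, so only the twelve write lines change. Also, `git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}` is unquoted; `git config user.signingkey "${SIGNING_KEY_FPR}"` with the fingerprint supplied via `env:` would be consistent with the rest of that step.
```yaml
      # … unchanged: step name …
        env:
          CISS_DLB_ROOT_PWD_1: ${{ secrets.CISS_DLB_ROOT_PWD_1 }}
          CISS_DLB_ROOT_SSH_PUBKEY_1: ${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}
          # … one env entry per remaining secret written below, same name as the secret …
        run: |
          set +x
          set -euo pipefail
          umask 0077
          mkdir -p /dev/shm/cdlb_secrets
          # … unchanged: install -m 0600 /dev/null … lines …
          printf '%s\n' "${CISS_DLB_ROOT_PWD_1}" >| /dev/shm/cdlb_secrets/password.txt
          printf '%s\n' "${CISS_DLB_ROOT_SSH_PUBKEY_1}" >| /dev/shm/cdlb_secrets/authorized_keys
          # … same printf form for the remaining ten files …
```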
@@ -263,83 +220,106 @@ jobs: SHARE_SUBDIR="" echo "๐Ÿ“ฅ Get directory listing via PROPFIND ..." - curl -s \ - --user "${SHARE_TOKEN}:${SHARE_PASS}" \ - -X PROPFIND \ - -H "Depth: 1" \ - "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ + + curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \ -o propfind_public.xml echo "๐Ÿ“ฅ Filter .iso files from the PROPFIND response ..." + grep -oP '(?<=)[^<]+\.iso(?=)' propfind_public.xml >| public_iso_list.txt || true if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then + echo "๐Ÿ’ก Old ISO files found and deleted :" + while IFS= read -r href; do + FILE_URL="${NC_BASE}${href}" echo " Delete: ${FILE_URL}" - if curl -s \ - --user "${SHARE_TOKEN}:${SHARE_PASS}" \ - -X DELETE "${FILE_URL}"; then + + if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then + echo " โœ… Successfully deleted: $(basename "${href}")" + else + echo " โŒ Error: $(basename "${href}") could not be deleted" + fi + done < public_iso_list.txt + else + echo "๐Ÿ’ก No old ISO files found to delete." + fi - - name: ๐Ÿ› ๏ธ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. - shell: bash + - name: โฌ†๏ธ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV. env: NC_BASE: "https://cloud.e2ee.li" SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}" SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}" run: | set -euo pipefail - if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + + if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + echo "โŒ There must be exactly one .iso file in the directory!" 
exit 1 + else - VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + + VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "โœ… ISO file found: ${VAR_ISO_FILE_NAME}" + fi AUTH="${SHARE_TOKEN}:${SHARE_PASS}" - if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \ + + if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then + echo "โœ… New ISO successfully uploaded." + else + echo "โŒ Uploading the new ISO failed." exit 1 + fi - name: ๐Ÿ”‘ Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file. - shell: bash run: | - if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then + echo "โŒ There must be exactly one .iso file in the directory!" exit 1 + else - VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso) + + VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso) VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}") echo "โœ… ISO file found: ${VAR_ISO_FILE_NAME}" + fi VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512" touch "${VAR_ISO_FILE_SHA512}" + sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}" + SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign" touch "${SIGNATURE_FILE}" - export GNUPGHOME="$(pwd)/.gnupg" - gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" + + gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}" timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") VAR_DATE="$(date +%F)" PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private" touch "${PRIVATE_FILE}" + cat << EOF >| "${PRIVATE_FILE}" # SPDX-Version: 3.0 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; 
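Review bot: The upload success message in the WebDAV upload step depends only on curl's exit status, and without `--fail` curl returns 0 for an HTTP 4xx/5xx response, so a rejected PUT still prints "New ISO successfully uploaded" and the job proceeds to the signing and commit steps. Add `--fail` (or `--fail-with-body`) to that invocation, `if curl --fail --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then`, and the same to the DELETE call in the listing step, whose per-file success/failure lines have the same blind spot. The sha512/signing step's `run:` block also starts without `set -euo pipefail`, unlike the other steps in this hunk, so a failing `gpg --detach-sign` would not stop the step. The `grep -oP '(?<=)[^<]+\.iso(?=)'` pattern has an empty lookbehind and lookahead; if the `<d:href>` tags were lost in rendering this is a display artifact, otherwise the filter matches far more than intended and should be checked.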
@@ -365,7 +345,6 @@ jobs: EOF - name: ๐Ÿšง Stash local changes (including untracked). - shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | @@ -374,12 +353,10 @@ jobs: git stash push --include-untracked -m "ci-temp" || echo "โœ”๏ธ Nothing to stash." - name: ๐Ÿ”„ Sync with remote before commit using merge strategy. - shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail - export GNUPGHOME="$(pwd)/.gnupg" echo "๐Ÿ”„ Fetching origin/master ..." git fetch origin master @@ -391,8 +368,7 @@ jobs: git status git log --oneline -n 5 - - name: ๐Ÿ› ๏ธ Restore stashed changes. - shell: bash + - name: ๐Ÿ”ง Restore stashed changes. env: GIT_SSH_COMMAND: "ssh -p 42842" run: | @@ -401,7 +377,6 @@ jobs: git stash pop || echo "โœ”๏ธ Nothing to pop." - name: ๐Ÿ“ฆ Stage generated files. - shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | @@ -410,16 +385,17 @@ jobs: git add "${PRIVATE_FILE}" || echo "โœ”๏ธ Nothing to add." - name: ๐Ÿ”‘ Commit and sign changes with CI metadata. - shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | set -euo pipefail - export GNUPGHOME="$(pwd)/.gnupg" if git diff --cached --quiet; then + echo "โœ”๏ธ No staged changes to commit." + else + echo "๐Ÿ“ Committing changes with GPG signature ..." ### CI Metadata @@ -427,7 +403,7 @@ jobs: HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : ๐Ÿ” Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci] @@ -443,10 +419,10 @@ jobs: echo "๐Ÿ” Commit message :" echo "${COMMIT_MSG}" git commit -S -m "${COMMIT_MSG}" + fi - name: ๐Ÿ” Push back to repository. - shell: bash env: GIT_SSH_COMMAND: "ssh -p 42842" run: | 
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index e192c8c..18c5d1a 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 # Gitea Workflow: Shell-Script Linting # @@ -49,11 +49,11 @@ jobs: ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config @@ -64,7 +64,7 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. @@ -316,7 +316,7 @@ jobs: HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : ๐Ÿ›ก๏ธ Shell Script Linting [skip ci] diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 16e978c..f2395e0 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml 
@@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 name: ๐Ÿ›ก๏ธ Retrieve DNSSEC status of coresecret.dev. @@ -41,11 +41,11 @@ jobs: ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config @@ -56,7 +56,7 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. @@ -193,7 +193,7 @@ jobs: HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : ๐Ÿ›ก๏ธ Auto-Generate DNSSEC Status [skip ci] diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index 7b167d6..5652bf1 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 name: ๐Ÿ” Render Graphviz Diagrams. 
@@ -42,11 +42,11 @@ jobs: ### Private Key echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts - chmod 600 ~/.ssh/known_hosts + chmod 0600 ~/.ssh/known_hosts ### Generate SSH Config for git.coresecret.dev Custom-Port cat <| ~/.ssh/config @@ -57,7 +57,7 @@ jobs: StrictHostKeyChecking yes UserKnownHostsFile ~/.ssh/known_hosts EOF - chmod 600 ~/.ssh/config + chmod 0600 ~/.ssh/config ### https://github.com/actions/checkout/issues/1843 - name: ๐Ÿ› ๏ธ Using manual clone via SSH to circumvent Gitea SHA-256 object issues. @@ -186,7 +186,7 @@ jobs: HOSTNAME="$(hostname -f || hostname)" GIT_SHA="$(git rev-parse --short HEAD)" GIT_REF="$(git symbolic-ref --short HEAD || echo detached)" - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}" + WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}" CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}" COMMIT_MSG="DEPLOY BOT : ๐Ÿ” Auto-Generate PNG from *.dot. [skip ci] diff --git a/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc b/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc new file mode 100644 index 0000000..be866dc --- /dev/null +++ b/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc 
@@ -0,0 +1,21 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6 +y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ +TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP +RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC +IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF +P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex +AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU +BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF +gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI +5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg +eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ +M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco +PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB +CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp +DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc +pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM +ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA= +=Q67G +-----END PGP PUBLIC KEY BLOCK----- diff --git a/.version.properties b/.version.properties index 81d27d2..cd1b90c 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.13.296.2025.10.29" +properties_version="V8.13.384.2025.11.06" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index d5b8147..3fb4fb9 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx 
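Review bot: The new file's name spells the domain `coresecet.dev`, while the user ID embedded in the key block reads `Marc S. Weidner DEPLOY <msw+deploy@coresecret.dev>` (visible after base64-decoding the second packet), and the diffstat carries the same misspelling; renaming it to `.pubkey/marc_s_weidner_msw+deploy@coresecret.dev_0x2CCF4601_public.asc` makes the file findable by the address it certifies. If this is the key the workflow signs commits with, note that the workflow sets `git config user.email "msw+bot@coresecret.dev"`, which does not match the key's UID, and forges that verify signatures may flag the mismatch, so either the committer email or the UID should agree. A short README line next to the key stating its fingerprint and purpose would let reviewers verify it without importing it.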
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.13.296.2025.10.29 +PackageVersion: Master V8.13.384.2025.11.06 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 6ef0fb4..3db01b7 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.296.2025.10.29-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.384.2025.11.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d- This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V8.13.296.2025.10.29` +Example: `V8.13.384.2025.11.06` `x.y.z` represents major (x), minor (y), and patch (z) version increments. @@ -533,7 +533,7 @@ preview it or run it. ### Private Key echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 + chmod 0600 ~/.ssh/id_ed25519 #... ### https://github.com/actions/checkout/issues/1843 - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues. diff --git a/REPOSITORY.md b/REPOSITORY.md index a1282ca..ae0902f 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2.1. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) โ€” Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **8.13**, Build **V8.13.296.2025.10.29** (as of 2025-10-11) +**Repository State:** Master Version **8.13**, Build **V8.13.384.2025.11.06** (as of 2025-10-11) ## 2.2. Top-Level Layout diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index 7ae7786..c23b5c6 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh 
@@ -22,23 +22,19 @@ ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES. # shellcheck disable=SC2155 +declare -agx ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array. declare -girx VAR_START_TIME="${SECONDS}" # Start time of script execution. declare -grx VAR_PARAM_COUNT="$#" # Arguments passed to script. declare -grx VAR_PARAM_STRNG="$*" # Arguments passed to script as string. -declare -ag ARY_PARAM_ARRAY=("$@") # Arguments passed to script as an array. declare -grx VAR_SETUP_FILE="${0##*/}" # 'ciss_debian_live_builder.sh' -declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/opt/git/CISS.debian.live.builder' -declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh' -# shellcheck disable=SC2155 -declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")" -# shellcheck disable=SC2155 -declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")" -# shellcheck disable=SC2155 -declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")" +declare -grx VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh' +declare -grx VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)" # '/root/git/CISS.debian.live.builder' +declare -grx VAR_TMP_SECRET="/dev/shm/cdlb_secrets" # Fixed tmpfs path to store securely build artifacts. +declare -grx VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")" # '/root/git/CISS.debian.live.builder' ### PRELIMINARY CHECKS. ### No ash, dash, ksh, sh. -# shellcheck disable=2292 +# shellcheck disable=SC2292 [ -z "${BASH_VERSINFO[0]}" ] && { . ./var/global.var.sh printf "\e[91mโŒ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2 
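Review bot: `VAR_WORKDIR` is now derived from `VAR_SETUP_FULL`, which is built from `$(dirname "${0}")`, whereas the removed `SCRIPT_FULLPATH` used `readlink -f "${BASH_SOURCE[0]:-$0}"`; when the script is invoked through a symlink the new value is the symlink's directory rather than the checkout, and the later `cd "${VAR_WORKDIR}"` (outside this hunk) lands in the wrong tree. Keeping the resolution in the definition, `declare -grx VAR_WORKDIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]:-$0}")")"`, preserves the old behaviour. `declare -agx ARY_PARAM_ARRAY` asks bash to export an array, which it does not pass to child processes, so the `-x` is a no-op that misleads readers into expecting the array in subprocesses. `VAR_TMP_SECRET` is a fixed, predictable path in world-writable `/dev/shm`; wherever it is created (not in this hunk) the code should refuse a pre-existing entry that is a symlink or not owned by the current user, e.g. `[[ ! -L "${VAR_TMP_SECRET}" && -O "${VAR_TMP_SECRET}" ]]` before anything is written there.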
@@ -60,7 +56,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")" } ### Check to be not called by sh. -# shellcheck disable=2312 +# shellcheck disable=SC2312 [[ $(kill -l | grep -c SIG) -eq 0 ]] && { . ./var/global.var.sh printf "\e[91mโŒ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2 
@@ -95,30 +91,29 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")" exit 1 } -### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT() +### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT(). . ./var/early.var.sh . ./lib/lib_guard_sourcing.sh . ./lib/lib_source_guard.sh -source_guard "./lib/lib_git_var.sh" -### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG -for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done -for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done -for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done +### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG. +for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh ; contact; exit 0;; esac; done +for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done +for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; version; exit 0;; esac; done +for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done -### ALL CHECKS DONE. READY TO START THE SCRIPT -source_guard "./var/bash.var.sh" -check_git -for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done -declare -gx VAR_SETUP="true" +### ALL CHECKS DONE. READY TO START THE SCRIPT. +find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/secret" -type f -exec chmod 0400 {} + +declare -grx VAR_SETUP="true" -### SOURCING VARIABLES +### SOURCING VARIABLES. [[ "${VAR_SETUP}" == true ]] && { + source_guard "./var/bash.var.sh" source_guard "./var/color.var.sh" source_guard "./var/global.var.sh" } -### SOURCING LIBRARIES +### SOURCING LIBRARIES. [[ "${VAR_SETUP}" == true ]] && { source_guard "./lib/lib_arg_parser.sh" source_guard "./lib/lib_arg_priority_check.sh" 
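Review bot: The new `find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/secret" -type f -exec chmod 0400 {} +` runs before `var/bash.var.sh` is sourced and before argument handling, and nothing in this hunk sets `VAR_HANDLER_BUILD_DIR`; if it is empty at that point the expression collapses to `/config/includes.chroot/root/secret` and find's error goes unchecked, since the `set -e`/trap setup is further down, outside this hunk. Guard it with `: "${VAR_HANDLER_BUILD_DIR:?must be set before tightening secret modes}"` and a `[[ -d ... ]]` test before the find, or move the chmod into the library that populates that directory. The directory itself is left untouched; a `chmod 0700` on the `secret` directory would complete the tightening unless its mode is already fixed elsewhere.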
@@ -132,19 +127,21 @@ declare -gx VAR_SETUP="true" source_guard "./lib/lib_check_provider.sh" source_guard "./lib/lib_check_stats.sh" source_guard "./lib/lib_check_var.sh" - source_guard "./lib/lib_ciss_upgrades.sh" + source_guard "./lib/lib_ciss_upgrades_boot.sh" + source_guard "./lib/lib_ciss_upgrades_build.sh" source_guard "./lib/lib_clean_screen.sh" source_guard "./lib/lib_clean_up.sh" source_guard "./lib/lib_copy_integrity.sh" + source_guard "./lib/lib_gnupg.sh" source_guard "./lib/lib_hardening_root_pw.sh" - source_guard "./lib/lib_hardening_ssh.sh" + source_guard "./lib/lib_hardening_ssh_tcp.sh" source_guard "./lib/lib_hardening_ultra.sh" source_guard "./lib/lib_helper_ip.sh" source_guard "./lib/lib_lb_build_start.sh" source_guard "./lib/lib_lb_config_start.sh" - source_guard "./lib/lib_lb_config_write.sh" source_guard "./lib/lib_lb_config_write_trixie.sh" source_guard "./lib/lib_note_target.sh" + source_guard "./lib/lib_primordial.sh" source_guard "./lib/lib_provider_netcup.sh" source_guard "./lib/lib_run_analysis.sh" source_guard "./lib/lib_sanitizer.sh" @@ -154,7 +151,7 @@ declare -gx VAR_SETUP="true" source_guard "./lib/lib_usage.sh" } -### ADVISORY LOCK +### ADVISORY LOCK. exec 127>/var/lock/ciss_live_builder.lock || { printf "\e[91mโŒ Cannot open lockfile for writing! Bye... \e[0m\n" >&2 exit "${ERR_FLOCK_WRTG}" 
@@ -165,97 +162,92 @@ if ! flock -x -n 127; then exit "${ERR_FLOCK_COLL}" fi -### CHECK FOR AUTOBUILD MODE +### CHECK FOR AUTOBUILD MODE. for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir -### CHECKING REQUIRED PACKAGES +### CHECKING REQUIRED PACKAGES. check_pkgs -### DIALOG OUTPUT FOR INITIALIZATION +### DIALOG OUTPUT FOR INITIALIZATION. if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi -### Updating Status of Dialog Gauge Bar +### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi -### Updating Status of Dialog Gauge Bar +### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi -### Updating Status of Dialog Gauge Bar +### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi ### Following the CISS Bash naming and ordering scheme: trap 'trap_on_exit "$?"' EXIT trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR -### Updating Status of Dialog Gauge Bar +### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi arg_check "$@" -declare -ar ARY_ARG_SANITIZED=("$@") -declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}" +declare -ar ARY_ARG_SANITIZED=("$@") +declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}" -### Updating Status of Dialog Gauge Bar +### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... 
\nXXX\n90\n" >&3; fi arg_parser "$@" -### Updating Status of Dialog Gauge Bar +### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi clean_ip -### Updating Status of Dialog Gauge Bar +### Updating Status of Dialog Gauge Bar. if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi -### Turn off Dialog Wrapper +### Turn off the dialog wrapper. if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi -### MAIN Program +### MAIN Program --------------------------------------------------------------------------------------------------------------- arg_priority_check check_stats + if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi -if [[ ! "${VAR_SSHFP}" == "true" ]]; then - rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial" - rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub" -fi +ciss_upgrades_build +hardening_ssh_tcp -check_hooks -hardening_ssh -ciss_upgrades +### Preparing the build environment. lb_config_start -if [[ "${VAR_SUITE}" == "bookworm" ]]; then - - lb_config_write - rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot" - rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs" - -else - - lb_config_write_trixie - rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot" - rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot" - -fi - # shellcheck disable=SC2164 cd "${VAR_WORKDIR}" -hardening_ultra -hardening_root_pw +### Writing the build configuration. +lb_config_write_trixie + +### Init GNUPGHOME. +init_gnupg + +### Integrate primordial SSH identity files. +init_primordial + +### CISS.debian.installer 'GRUB' and 'autostart' generator. 
+cdi + change_splash check_dhcp -cdi -provider_netcup +ciss_upgrades_boot +hardening_root_pw +hardening_ultra note_target +provider_netcup update_microcode +x_hooks ### Start the build process set +o errtrace lb_build_start - set -o errtrace run_analysis copy_db -declare -g VAR_SCRIPT_SUCCESS=true +declare -grx VAR_SCRIPT_SUCCESS="true" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index 9354ada..30e2c05 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot @@ -13,6 +13,9 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" +# shellcheck disable=SC2155 +declare -gx VAR_DATE="$(date +%F)" + ####################################### # Generates '/etc/default/ciss-xdg-profile' # Globals: @@ -23,9 +26,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " # 0: on success ####################################### generate_ciss_xdg_profile() { - cat << 'EOF' >> /etc/default/ciss-xdg-profile + cat << EOF >> /etc/default/ciss-xdg-profile # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; 
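Review bot: Removing the `VAR_SUITE == "bookworm"` branch leaves `lb_config_write_trixie` running unconditionally, but nothing in the hunk rejects a `bookworm` suite any more, so if `arg_parser` or `check_stats` still accept that value the build would silently be written with the trixie configuration. If bookworm is no longer supported, fail early with something like `[[ "${VAR_SUITE}" == "trixie" ]] || { printf '%s\n' "Unsupported suite: ${VAR_SUITE}" >&2; exit 1; }` before `lb_config_start`, or state in the `### Preparing the build environment.` comment that only trixie is built; whether the parser already enforces this is outside the hunk. The `# shellcheck disable=SC2164` `cd "${VAR_WORKDIR}"` survives the reorder unguarded, and `lb_config_write_trixie` now runs after it, so unless `errexit` is set a failed `cd` writes the configuration into the wrong directory; `cd "${VAR_WORKDIR}" || exit 1` is cheaper than the disable. The main section of this script begins in an earlier hunk.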
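Review bot: Switching `cat << 'EOF' >> /etc/default/ciss-xdg-profile` to the unquoted `cat << EOF >>` enables parameter and command-substitution expansion for the whole heredoc, not only the `${VAR_DATE}` line, and the body of that heredoc continues past the end of the hunk. The later hunks in this file for `/etc/profile.d/ciss-xdg.sh` and `/root/ciss_xdg_tmp.sh` split the header into an unquoted heredoc followed by a quoted `cat << 'EOF' >>` body; the same split here would keep any `$`-containing profile lines literal. This generator also still appends with `>>` while the other two were changed to `>|`, so re-running the hook appends a second copy of the file; `cat << EOF >| /etc/default/ciss-xdg-profile` would match them. `SPDX-CreationInfo` now records the build date rather than the file's creation date, which makes the generated header differ between builds; if that is intended it deserves a one-line comment.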
@@ -63,10 +66,10 @@ readonly -f generate_ciss_xdg_profile # 0: on success ####################################### generate_ciss_xdg_sh() { - cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh + cat << EOF >| /etc/profile.d/ciss-xdg.sh #!/bin/sh # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; @@ -76,6 +79,8 @@ generate_ciss_xdg_sh() { # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu +EOF + cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh # shellcheck shell=sh # This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible. @@ -141,21 +146,23 @@ readonly -f generate_ciss_xdg_sh # 0: on success ####################################### generate_ciss_xdg_tmp_sh() { - cat << 'EOF' >> /root/ciss_xdg_tmp.sh + cat << EOF >| /root/ciss_xdg_tmp.sh #!/bin/bash # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.installer +# SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu ### XDG variables (do not override if already set). +EOF + cat << 'EOF' >> /root/ciss_xdg_tmp.sh set -a # shellcheck disable=SC2034 
@@ -207,6 +214,12 @@ if [[ -f /root/.architecture ]]; then fi + +if [[ -f /root/.architecture ]]; then + : +fi + + mkdir -p /root/.ciss/dlb/{backup,log,private_keys} chmod 0700 /root/.ciss/dlb/{backup,log,private_keys} diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot index 1087cdd..05643c2 100644 --- a/config/hooks/live/0001_initramfs_modules.chroot +++ b/config/hooks/live/0001_initramfs_modules.chroot @@ -58,10 +58,10 @@ export DEBIAN_FRONTEND="noninteractive" INITRD="No" apt-get install -y intel-microcode amd64-microcode # shellcheck disable=SC2155 -declare nic_driver="$(grep_nic_driver_modules)" +declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)" cat << EOF >| /etc/initramfs-tools/modules # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; @@ -201,9 +201,9 @@ virtio_scsi EOF -cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf +cat << EOF >| /etc/initramfs-tools/update-initramfs.conf # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; 
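Review bot: The added block `if [[ -f /root/.architecture ]]; then : fi` repeats the condition of the `if` that closes just above it and has a no-op body, so it is dead code padded with extra blank lines; either remove it or, if it is a placeholder for upcoming work, replace the `:` with a `# TODO(msw): ...` comment stating what belongs there. In the `0001_initramfs_modules.chroot` hunk at `@@ -58`, `declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"` now hides the exit status of both substitutions behind the single `SC2155` disable; `declare VAR_DATE; VAR_DATE="$(date +%F)"` on its own lines keeps the disable scoped to the original assignment.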
@@ -236,9 +236,9 @@ backup_initramfs=no EOF -cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf +cat << EOF >| /etc/initramfs-tools/initramfs.conf # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; @@ -340,10 +340,10 @@ FSTYPE=auto EOF -cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder +cat << EOF >| /etc/initramfs-tools/hooks/ciss_debian_live_builder #!/bin/sh # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; @@ -353,9 +353,12 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu +EOF + +cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder set -e -printf "\e[95mStarting: [0001_initramfs_modules.chroot] \n\e[0m" +printf "\e[95mStarting: [ciss_debian_live_builder] \n\e[0m" PREREQ="" prereqs() { echo "${PREREQ}"; } 
@@ -449,14 +452,15 @@ install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg "${DESTDIR}/etc/ciss/keys/0 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/ciss/keys/0xE62E84F8_public.gpg %s/etc/ciss/keys/0xE62E84F8_public.gpg] \n\e[0m" "${DESTDIR}" -printf "\e[92mSuccessfully executed: [0001_initramfs_modules.chroot] \n\e[0m" +printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder -### Regenerate the initramfs for the live system kernel +# TODO: Move to 9999_zzzz.chroot +### Regenerate the initramfs for the live system kernel. update-initramfs -u -k all -v printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" diff --git a/config/hooks/live/0002_verify_checksums.chroot b/config/hooks/live/0002_verify_checksums.chroot deleted file mode 100644 index ddd3f26..0000000 --- a/config/hooks/live/0002_verify_checksums.chroot +++ /dev/null 
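Review bot: `update-initramfs -u -k all -v` is still executed here although the new `# TODO: Move to 9999_zzzz.chroot` comment says it should move, and the `9999_zzzz.chroot` hunk in this same commit already adds the identical call, so the initramfs is now regenerated twice per build. Assuming live-build runs chroot hooks in lexical order, the `9999` run supersedes this one and the early result is discarded work; remove the call here and drop the TODO, rather than keeping both.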
@@ -1,172 +0,0 @@ -#!/bin/bash -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu -set -Ceuo pipefail - -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" - -target="/usr/lib/live/boot/0030-verify-checksums" -src="$(mktemp)" - -if [[ ! -d /usr/lib/live/boot ]]; then - mkdir -p /usr/lib/live/boot -fi - -cat << 'EOF' >| "${src}" -#!/bin/sh -# bashsupport disable=BP5007 - -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: GPL-3.0-or-later -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' -### In case of successful verification of one of the offered checksums, proceed with booting, else panic. - -####################################### -# Modified checksum-verification script for continuing the boot process. 
-# Globals: -# LIVE_BOOT_CMDLINE -# LIVE_VERIFY_CHECKSUMS -# LIVE_VERIFY_CHECKSUMS_DIGESTS -# _CHECKSUM -# _CHECKSUMS -# _DIGEST -# _MOUNTPOINT -# _PARAMETER -# _RETURN -# _TTY -# Arguments: -# 1: ${_PARAMETER} -# Returns: -# 0 : Successful Verification -####################################### -Verify_checksums() { - for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do - - case "${_PARAMETER}" in - - live-boot.verify-checksums=* | verify-checksums=*) - - LIVE_VERIFY_CHECKSUMS="true" - LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" - ;; - - live-boot.verify-checksums | verify-checksums) - - LIVE_VERIFY_CHECKSUMS="true" - ;; - - esac - - done - - case "${LIVE_VERIFY_CHECKSUMS}" in - - true) - : - ;; - - *) - return 0 - ;; - - esac - - _MOUNTPOINT="${1}" - - LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" - _TTY="/dev/tty8" - - log_begin_msg "Verifying checksums" - printf "\n" - - # shellcheck disable=SC2164 - cd "${_MOUNTPOINT}" - - # shellcheck disable=SC2001 - for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do - - # shellcheck disable=SC2060 - _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" - - for _CHECKSUM in ${_CHECKSUMS}; do - - # shellcheck disable=SC2292 - if [ -e "${_CHECKSUM}" ]; then - - #echo "Found ${_CHECKSUM}..." > "${_TTY}" - printf "Found %s...\n" "${_CHECKSUM}" - - if [ -e "/bin/${_DIGEST}sum" ]; then - - #echo "Checking ${_CHECKSUM}..." > "${_TTY}" - printf "Checking %s...\n" "${_CHECKSUM}" - - # Verify checksums - # shellcheck disable=SC2312 - grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" - _RETURN="${?}" - - # Stop after the first verification - # break 2 - - else - - #echo "Not found /bin/${_DIGEST}sum..." 
> "${_TTY}" - printf "Not found /bin/%ssum....\n" "${_DIGEST}" - - fi - - fi - - done - - done - - log_end_msg - - case "${_RETURN}" in - - 0) - log_success_msg "Verification of checksums successful; continuing booting in 8 seconds." - sleep 8 - return 0 - ;; - - *) - panic "Verification failed, $(basename "${_TTY}") for more information." - ;; - - esac -} -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh -EOF - -# Copy and make executable -install -Dm755 "${src}" "${target}" - -rm -f "${src}" - -unset target src - -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" - -exit 0 -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/0007_update_logrotate.chroot b/config/hooks/live/0007_update_logrotate.chroot index ffed492..68802c7 100644 --- a/config/hooks/live/0007_update_logrotate.chroot +++ b/config/hooks/live/0007_update_logrotate.chroot @@ -23,10 +23,10 @@ cat << EOF >| "/etc/logrotate.conf" # Rotate log files daily daily -# Keep 384 daily worth of backlogs. +# Keep 90 daily worth of backlogs. rotate 90 -# Hard cap: delete rotated logs older than 384 days. +# Hard cap: delete rotated logs older than 90 days. maxage 90 # Do not rotate the log if it is empty (this overrides the ifempty option). diff --git a/config/hooks/live/0050_activate_root.chroot b/config/hooks/live/0050_activate_root.chroot index f29da93..3842270 100644 --- a/config/hooks/live/0050_activate_root.chroot +++ b/config/hooks/live/0050_activate_root.chroot 
@@ -39,13 +39,13 @@ unset hashed_pwd safe_hashed_pwd cat /etc/shadow -if shred -vfzu -n 5 /root/.pwd; then +if shred -fzu -n 5 /root/.pwd; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n" else - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2 + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2 fi diff --git a/config/hooks/live/0870_bashdb.chroot b/config/hooks/live/0870_bashdb.chroot new file mode 100644 index 0000000..36c6c8b --- /dev/null +++ b/config/hooks/live/0870_bashdb.chroot 
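Review bot: The context line `cat /etc/shadow` just above the `shred` prints every password hash, presumably including the root hash this hook has just set, to the hook's stdout, which ends up in the live-build log and, given the `.gitea` workflows touched by this commit, potentially in CI job output; the change quiets `shred` by dropping `-v` but leaves this far larger disclosure in place. If the intent is to confirm that the root entry was written, a check that does not echo the hash, such as `grep -q '^root:[^!*:]' /etc/shadow || exit 1`, gives the same assurance. `shred -fzu` also only overwrites in place on filesystems that rewrite blocks; on an overlay or copy-on-write build root the old `/root/.pwd` contents may survive in a lower layer, so it should not be the only protection for that file.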
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}"
+
+umask 0077
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+apt-get install -y texinfo
+
+cd /root/git
+git clone https://github.com/Trepan-Debuggers/bashdb.git
+cd /root/git/bashdb
+./autogen.sh
+make
+
+apt-get purge -y texinfo
+apt-get autoremove --purge -y
+apt-get autoclean -y
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9930_hardening_ssh.chroot b/config/hooks/live/9930_hardening_ssh.chroot
index 2430697..faac680 100644
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
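Review bot: `git clone https://github.com/Trepan-Debuggers/bashdb.git` pulls whatever the upstream default branch holds at build time, with no commit or tag pin and no verification, so the image's contents depend on a third-party repository's state and cannot be reproduced or audited afterwards. Pin a reviewed revision, e.g. `git -C /root/git/bashdb checkout <PINNED_COMMIT_OR_TAG>` (placeholder) right after the clone, or vendor a release archive whose hash is checked in, which would fit the checksum-verification work elsewhere in this commit. The hook runs `./autogen.sh` and `make` but no install step is visible, and only `texinfo` is installed beforehand; if autoconf/automake and the install are expected from elsewhere, a comment saying so would help the next reader. The source tree is also left under `/root/git/bashdb` after `texinfo` is purged; if only the built tool is needed, removing it keeps the image smaller.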
@@ -13,26 +13,35 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" -cd /etc/ssh || { - printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n" -} +cd /etc/ssh + rm -rf ssh_host_*key* -# shellcheck disable=SC2312 -ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)" -# shellcheck disable=SC2312 -ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)" +if [[ -d /root/ssh ]]; then -awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe -rm -rf /etc/ssh/moduli -mv /etc/ssh/moduli.safe /etc/ssh/moduli + mv /root/ssh/ssh_host_*key* /etc/ssh + rm -rf /root/ssh + +else + + # shellcheck disable=SC2312 + ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)" + + # shellcheck disable=SC2312 + ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)" + +fi chmod 0600 /etc/ssh/ssh_host_*_key chown root:root /etc/ssh/ssh_host_*_key chmod 0644 /etc/ssh/ssh_host_*_key.pub chown root:root /etc/ssh/ssh_host_*_key.pub -chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config +awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe +rm -rf /etc/ssh/moduli +mv /etc/ssh/moduli.safe /etc/ssh/moduli + +chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config touch /root/sshfp ssh-keygen -r @ >| /root/sshfp diff --git a/config/hooks/live/9935_hardening_ssh.chroot.tmpl b/config/hooks/live/9935_hardening_ssh.chroot.tmpl deleted file mode 100644 index 4873de4..0000000 --- a/config/hooks/live/9935_hardening_ssh.chroot.tmpl +++ /dev/null 
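Review bot: The new `/root/ssh` branch moves pre-provisioned host keys into `/etc/ssh` without checking that a complete, parseable key pair arrived, so a directory holding only `.pub` files or a truncated private key passes the `mv` and is caught, if at all, only by the later `chmod` glob or at the first `sshd` start in the booted image. A validation loop right after the `mv`, such as `for key in /etc/ssh/ssh_host_*_key; do ssh-keygen -l -f "${key}" >/dev/null || exit 1; done`, fails the build instead. It is also worth a comment stating where `/root/ssh` is populated from (presumably `includes.chroot` or the new `init_primordial` step in `ciss_live_builder.sh`), because a private host key that lives in the build tree is only as protected as that tree; `rm -rf /root/ssh` removes the copy inside the chroot but not the source.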
@@ -1,93 +0,0 @@ -#!/bin/bash -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu -set -Ceuo pipefail - -printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" - -cd /etc/ssh || { - printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n" -} - -cat << 'EOF' >| ssh_host_ed25519_key -{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }} -EOF - -cat << 'EOF' >| ssh_host_ed25519_key.pub -{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }} -EOF - -cat << 'EOF' >| ssh_host_rsa_key -{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }} -EOF - -cat << 'EOF' >| ssh_host_rsa_key.pub -{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }} -EOF - -awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe -rm -rf /etc/ssh/moduli -mv /etc/ssh/moduli.safe /etc/ssh/moduli - -chmod 0600 /etc/ssh/ssh_host_*_key -chown root:root /etc/ssh/ssh_host_*_key -chmod 0644 /etc/ssh/ssh_host_*_key.pub -chown root:root /etc/ssh/ssh_host_*_key.pub - -chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config - -touch /root/sshfp -ssh-keygen -r @ >| /root/sshfp - -########################################################################################### -# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only # -# environment variables: TMOUT and HISTFILE. # -# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.# -# readonly HISTFILE ensures that the command history cannot be changed. 
# -# The chmod +x command ensures that the file is executed in every shell session. # -########################################################################################### -cat << 'EOF' >| /etc/profile.d/idle-users.sh -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -case $- in - *i*) - TMOUT=14400 - export TMOUT - readonly TMOUT - ;; -esac - -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh -EOF - -chmod +x /etc/profile.d/idle-users.sh - -mkdir -p /etc/systemd/system/ssh.service.d -cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf -[Unit] -After=ufw.service -Requires=ufw.service -EOF -chmod 0644 /etc/systemd/system/ssh.service.d/override.conf - -printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' applied successfully. \e[0m\n" "${0}" - -exit 0 -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/hooks/live/9999_zzzz.chroot b/config/hooks/live/9999_zzzz.chroot index df89811..2f965a7 100644 --- a/config/hooks/live/9999_zzzz.chroot +++ b/config/hooks/live/9999_zzzz.chroot @@ -15,6 +15,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" " declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target" +### Regenerate the initramfs for the live system kernel. +update-initramfs -u -k all -v + ### Determine the canonical systemd unit dir inside chroot. if [[ -d /lib/systemd/system ]]; then 
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index d6368ce..94dbf30 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 6d5c124..250222d 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig 
@@ -48,8 +48,8 @@ MaxAuthTries 3 MaxSessions 2 ### Begin randomly dropping new unauthenticated connections after the 2nd attempt, ### with a 64% chance to drop each additional connection, up to a hard limit of 08. -MaxStartups 02:64:08 -### Restrict each individual source IP to only 4 unauthenticated connection slot +MaxStartups 16:32:48 +### Restrict each individual source IP to only 8 unauthenticated connection slot ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots. PerSourceMaxStartups 8 ClientAliveInterval 300 diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index 292a77b..b8332b0 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -1,3 +1,5 @@ +# bashsupport disable=BP5007 + # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git @@ -9,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V8.13.296.2025.10.29 +# Version Master V8.13.384.2025.11.06 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 7147486..b5ce627 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.13.296.2025.10.29" +declare -gr VERSION="Master V8.13.384.2025.11.06" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then 
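Review bot: The comment kept above the changed line still documents the old value — "after the 2nd attempt, with a 64% chance ... up to a hard limit of 08" — which no longer matches `MaxStartups 16:32:48`, where dropping starts at 16 pending unauthenticated connections with a 32% probability and everything is refused at 48. Update it to, e.g., `### Begin randomly dropping new unauthenticated connections once 16 are pending, with a 32% chance per additional connection, up to a hard limit of 48.`, and change `slot` to `slots` in the `PerSourceMaxStartups` comment. Raising the pool from 8 to 48 concurrent unauthenticated connections widens exposure to connection-exhaustion and pre-auth probing on a hardened image, so a one-line rationale next to the value (the expected number of concurrent clients) would help the next audit.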
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 110cfd6..fe997f0 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.13.296.2025.10.29 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.13.384.2025.11.06 at: 10:18:37.9542 diff --git a/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums new file mode 100644 index 0000000..4528a1d --- /dev/null +++ b/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums 
@@ -0,0 +1,212 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Modified Version of the original file: +### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' +### In case of successful verification of the offered checksum, proceed with booting; otherwise panic. + +####################################### +# Modified checksum-integrity and authenticity-verification-script for continuing the boot process. 
+# Globals: +# LIVE_BOOT_CMDLINE +# _TTY +# Arguments: +# 1: _MOUNTPOINT +# Returns: +# 0 : Successful verification +####################################### +Verify_checksums() { + _MOUNTPOINT="${1}" + + _TTY="/dev/tty8" + + LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" + + for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do + + case "${_PARAMETER}" in + + live-boot.verify-checksums=* | verify-checksums=*) + + LIVE_VERIFY_CHECKSUMS="true" + LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" + ;; + + live-boot.verify-checksums | verify-checksums) + + LIVE_VERIFY_CHECKSUMS="true" + ;; + + live-boot.verify-checksums-signatures | verify-checksums-signatures) + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="true" + ;; + + esac + + done + + case "${LIVE_VERIFY_CHECKSUMS}" in + + true) + : + ;; + + *) + return 0 + ;; + + esac + + # shellcheck disable=SC2164 + cd "${_MOUNTPOINT}" + + ### CDLB verification of script integrity itself ----------------------------------------------------------------------------- + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + log_begin_msg "Verifying integrity of '0030-verify-checksums' ..." + printf "\n" + + CDLB_SCRIPT="$(basename "${0}")" + CDLB_SHA="sha512" + CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE="" + + for CDLB_ITEM in ${CDLB_SHA}; do + + CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}" + CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" + CDLB_CMD="${CDLB_ITEM}sum" + + printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}" + + if ! 
gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then + + printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}" + sleep 8 + # TODO: Remove debug mode + # return 0 + + else + + printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}" + + fi + + printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}" + + CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; }) + read -r CDLB_EXPECTED < "${CDLB_HASHFILE}" + + if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then + + printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}" + sleep 8 + # TODO: Remove debug mode + # return 0 + + fi + + printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}" + + done + + printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding." + + log_end_msg + printf "\n" + + fi + + ### Checksum and checksum signature verification ----------------------------------------------------------------------------- + log_begin_msg "Verifying checksums" + printf "\n" + + # shellcheck disable=SC2001 + for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do + + # shellcheck disable=SC2060 + _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" + + for _CHECKSUM in ${_CHECKSUMS}; do + + if [ -e "${_CHECKSUM}" ]; then + + printf "Found [%s] ...\n" "${_CHECKSUM}" + + if [ -e "/bin/${_DIGEST}sum" ]; then + + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}" + _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" + gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}" + _RETURN_PGP="${?}" + + else + + _RETURN_PGP="na" + + fi + + printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}" + + # shellcheck disable=SC2312 + grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" + _RETURN_SHA="${?}" + + # Stop after the 
first verification. + break 2 + + else + + printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum" + + fi + + fi + + done + + done + + log_end_msg + + case "${_RETURN_PGP},${_RETURN_SHA}" in + + 0,0) + log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + na,0) + log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + *,0) + panic "Verification of signature file failed while verification of checksum file successful." + ;; + + na,*) + panic "Verification of checksum file failed." + ;; + + esac +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/package-lists/live.list.common.chroot b/config/package-lists/live.list.common.chroot index b4ae2b5..5287588 100644 --- a/config/package-lists/live.list.common.chroot +++ b/config/package-lists/live.list.common.chroot @@ -129,6 +129,7 @@ sudo sysstat systemd-sysv tar +tmux tree tshark ufw diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index ea2fd61..ba8880d 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
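Review bot: The self-integrity block in `Verify_checksums` fails open: when `gpgv` rejects `${CDLB_SIG_FILE}` or the recomputed `${CDLB_ITEM}` digest differs from `${CDLB_HASHFILE}`, the code only prints a message and sleeps 8 seconds (the `# TODO: Remove debug mode` / `# return 0` lines), then unconditionally prints "Hash verification successful" and the boot proceeds; both failure branches should end in `panic "Integrity verification of '${CDLB_SCRIPT}' failed."` like the checksum case below. The final `case "${_RETURN_PGP},${_RETURN_SHA}"` has the same gap: `0,1` (signature good, checksum bad), `1,1`, and the empty `,` pair left when no `*SUMS` file or `/bin/${_DIGEST}sum` was found match no arm, so the function returns 0 and boot continues; add a catch-all `*) panic "Verification of checksum file failed (signature: ${_RETURN_PGP}, checksum: ${_RETURN_SHA})." ;;` before `esac`. Note also that `0030-verify-checksums_public.gpg` is read from `${_MOUNTPOINT}`, i.e. the same medium whose integrity is being checked, so whoever can replace the checksum files can presumably replace the keyring too; the keyring (or at least a pinned fingerprint) belongs in the initramfs, not on the medium. Finally, `$(basename "${0}")` only names this component if live-boot executes it rather than sources it — worth confirming, since a wrong `CDLB_SCRIPT` would hash a different file.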
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 56425de..f6f2609 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 9d06350..fff999b 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 6c0401f..b24d9d7 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index 4282d81..dc92859 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 2fbaeec..27c18c0 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index b9db765..7979334 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,66 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Changelog +## V8.13.384.2025.11.06 + +* **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``. +* **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``. +* **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc) +* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git +* **Added**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot. +* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflowโ„ข. +* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflowโ„ข. +* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflowโ„ข. +* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflowโ„ข. +* **Added**: [0030-verify-checksums](../scripts/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot. +* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}" +* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}" +* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}" +* **Changed**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) Rewritten for new secrets handling. +* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + VAR_DATE improvements. 
+* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + VAR_DATE improvements. +* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet primordial-workflowโ„ข. +* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + Final update-initramfs +* **Changed**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + Less strict MaxStartups settings. +* **Changed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux +* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet primordial-workflowโ„ข. +* **Changed**: [lib_arg_priority_check.sh](../lib/lib_arg_priority_check.sh) Unified UI. +* **Changed**: [lib_cdi.sh](../lib/lib_cdi.sh) + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures +* **Changed**: [lib_change_splash.sh](../lib/lib_change_splash.sh) Unified UI. +* **Changed**: [lib_check_dhcp.sh](../lib/lib_check_dhcp.sh) Unified UI. +* **Changed**: [lib_check_hooks.sh](../lib/lib_check_hooks.sh) Unified UI. +* **Changed**: [lib_check_kernel.sh](../lib/lib_check_kernel.sh) Minor declare unification. +* **Changed**: [lib_check_pkgs.sh](../lib/lib_check_pkgs.sh) Improved command checks. Unified UI. +* **Changed**: [lib_check_provider.sh](../lib/lib_check_provider.sh) Unified variables. +* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet primordial-workflowโ„ข artifacts. +* **Changed**: [lib_debug.sh](../lib/lib_debug.sh) + Integrated EPOCH in PS4. +* **Changed**: [lib_debug_header.sh](../lib/lib_debug_header.sh) + Integrated SOURCE_DATE_EPOCH. +* **Changed**: [lib_hardening_root_pw.sh](../lib/lib_hardening_root_pw.sh) Unified UI. +* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet primordial-workflowโ„ข. 
+* **Changed**: [lib_hardening_ssh_tcp.sh](../lib/lib_hardening_ssh_tcp.sh) Unified UI. +* **Changed**: [lib_lb_build_start.sh](../lib/lib_lb_build_start.sh) Deterministic return code examination. +* **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Removed potential disown race condition. +* **Changed**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified config writing for deterministic workflow. +* **Changed**: [lib_note_target.sh](../lib/lib_note_target.sh) Unified UI. +* **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh) Added Centurion DNS Server 03. +* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + PGP signature verification. +* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + mksquashfs-excludes. +* **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration. +* **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration. +* **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation. +* **Removed**: [0002_verify_checksums.chroot](../.archive/0002_verify_checksums.chroot) Unified handling via includes.chroot. +* **Removed**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) Debian bookworm support deprecated. +* **Removed**: [lib_lb_config_write.sh](../.archive/lib_lb_config_write.sh) Debian bookworm support deprecated. +* **Updated**: [icon.lib](../.archive/icon.lib) + Emojis + +## V8.13.298.2025.10.30 +* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) +* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux + ## V8.13.296.2025.10.29 * **Changed**: ``lockdown=confidentiality`` -> ``lockdown=integrity`` * **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon 
@@ -19,7 +75,7 @@ include_toc: true ## V8.13.294.2025.10.28 * **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes -* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades.sh) + modifies '/usr/lib/live/build/...' scripts +* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades_build.sh) + modifies '/usr/lib/live/build/...' scripts * **Added**: [lib_update_microcode.sh](../lib/lib_update_microcode.sh) * **Added**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + modifies binary_rootfs script * **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp @@ -125,7 +181,7 @@ include_toc: true * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot) -* **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot) +* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) * **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot) * **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter. @@ -222,7 +278,6 @@ include_toc: true * **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts. * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh) * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh) -* **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh) * **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh) to prevent the caller LIB-file from being sourced twice. 
diff --git a/docs/CNET.md b/docs/CNET.md index 16e336d..ceb2821 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index 21c8ab5..62ff9b8 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Coding Style diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 115150e..9f5f7ee 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 6f3f760..93a2a7b 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 6147d73..807933c 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index bc103a5..ad73014 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,12 +8,12 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2.1. Usage ````text CISS.debian.live.builder -Master V8.13.296.2025.10.29 +Master V8.13.384.2025.11.06 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 @@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima # 2.2. Contact ````text CISS.debian.live.builder -Master V8.13.296.2025.10.29 +Master V8.13.384.2025.11.06 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image. (c) Marc S. Weidner, 2018 - 2025 diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 7f19e0e..626610e 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.296.2025.10.29
+**Build**: V8.13.384.2025.11.06
# 2. Resources diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh index 47e0119..b34adae 100644 --- a/lib/lib_arg_parser.sh +++ b/lib/lib_arg_parser.sh @@ -33,6 +33,10 @@ guard_sourcing # VAR_ISO8601 # VAR_REIONICE_CLASS # VAR_REIONICE_PRIORITY +# VAR_SIGNER +# VAR_SIGNING_KEY +# VAR_SIGNING_KEY_FPR +# VAR_SIGNING_KEY_PASS # VAR_SSHFP # VAR_SSHPORT # VAR_SSHPUBKEY @@ -119,7 +123,7 @@ arg_parser() { printf "\e[91mโŒ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2 exit "${ERR_NOTABSPATH}" fi - declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log" + declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/cdlb_${VAR_ISO8601}_build.log" shift 2 ;; @@ -294,20 +298,25 @@ arg_parser() { --root-password-file) declare pw_file="${2}" + if [[ -z "${pw_file}" ]]; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi printf "\e[91mโŒ Error: --root-password-file missing password file path argument.\e[0m\n" >&2 # shellcheck disable=SC2162 read -p $'\e[92mโœ… Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_MISS_PWD_P}" + fi if [[ ! -f "${pw_file}" ]]; then + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi printf "\e[91mโŒ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2 # shellcheck disable=SC2162 read -p $'\e[92mโœ… Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_MISS_PWD_F}" + fi declare owner 
@@ -335,32 +344,42 @@ arg_parser() { fi declare plaintext_pw - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + ### No tracing for security reasons ---------------------------------------------------------------------------------- + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x + if ! IFS= read -r plaintext_pw < "${pw_file}"; then : fi - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + + ### Turn on tracing again -------------------------------------------------------------------------------------------- + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x declare pw_length pw_length=${#plaintext_pw} - if (( pw_length < 20 || pw_length > 64 )); then + if (( pw_length < 42 || pw_length > 64 )); then if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi - printf "\e[91mโŒ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2 + printf "\e[91mโŒ Error: --root-password-file password MUST be between 42 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2 # shellcheck disable=SC2162 read -p $'\e[92mโœ… Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_PASS_LENGH}" fi - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + ### No tracing for security reasons ---------------------------------------------------------------------------------- + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x + if [[ "${plaintext_pw}" == *\"* ]]; then - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi + printf "\e[91mโŒ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2 # shellcheck disable=SC2162 read -p $'\e[92mโœ… Press \'ENTER\' to exit the script ... 
\e[0m' exit "${ERR_PASS_PLICY}" + fi - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + + ### Turn on tracing again -------------------------------------------------------------------------------------------- + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x declare salt set +o pipefail 
@@ -371,53 +390,81 @@ arg_parser() { set -o pipefail declare hash_temp - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + ### No tracing for security reasons ---------------------------------------------------------------------------------- + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x + hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}") - [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + + ### Turn on tracing again -------------------------------------------------------------------------------------------- + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # shellcheck disable=SC2034 declare -g VAR_HASHED_PWD="${hash_temp}" unset hash_temp plaintext_pw sync - if shred -vfzu -n 5 "${pw_file}" > /dev/null 2>&1; then - printf "\e[92mโœ… Password file '%s': shred -vfzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1 + if shred -fzu -n 5 "${pw_file}" > /dev/null 2>&1; then + printf "\e[92mโœ… Password file '%s': shred -fzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1 else - printf "\e[91mโŒ Password file '%s': shred -vfzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1 + printf "\e[91mโŒ Password file '%s': shred -fzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1 fi sync shift 2 ;; + --signing_key=*) + # shellcheck disable=SC2034 + declare -gx VAR_SIGNER="true" + # shellcheck disable=SC2034 + declare -gx VAR_SIGNING_KEY="${1#*=}" + shift 1 + ;; + + --signing_key_fpr=*) + # shellcheck disable=SC2034 + declare -gx VAR_SIGNING_KEY_FPR="${1#*=}" + shift 1 + ;; + + --signing_key_pass=*) + # shellcheck disable=SC2034 + declare -gx VAR_SIGNING_KEY_PASS="${1#*=}" + shift 1 + ;; + --ssh-port) if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then + # shellcheck disable=SC2034 - declare -gi VAR_SSHPORT="${2}" + declare -gix VAR_SSHPORT="${2}" shift 2 + else + if ! 
${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi printf "\e[91mโŒ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2 read -p -r $'\e[92mโœ… Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR__SSH__PORT}" + fi ;; --sshfp) - # shellcheck disable=SC2034 - declare -g VAR_SSHFP="true" + # shellcheck disable=SC2034 + declare -gx VAR_SSHFP="true" shift 1 ;; --ssh-pubkey) - # shellcheck disable=SC2034 - declare -g VAR_SSHPUBKEY="${2}" + # shellcheck disable=SC2034 + declare -gx VAR_SSHPUBKEY="${2}" shift 2 ;; --trixie) - # shellcheck disable=SC2034 - declare -g VAR_SUITE="trixie" + # shellcheck disable=SC2034 + declare -gx VAR_SUITE="trixie" shift 1 ;; diff --git a/lib/lib_arg_priority_check.sh b/lib/lib_arg_priority_check.sh index 1e67e21..c525276 100644 --- a/lib/lib_arg_priority_check.sh +++ b/lib/lib_arg_priority_check.sh @@ -15,6 +15,7 @@ guard_sourcing ####################################### # Check and setup Script Priorities # Globals: +# BASH_SOURCE # VAR_HANDLER_PRIORITY # VAR_REIONICE_CLASS # VAR_REIONICE_PRIORITY @@ -24,18 +25,18 @@ guard_sourcing # 0: on success ####################################### arg_priority_check() { - declare var + declare var="" + + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" ### Check if nice PRIORITY is set and adjust nice priority. - if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then + if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then if command -v renice >/dev/null; then renice "${VAR_HANDLER_PRIORITY}" -p "$$" var=$(ps -o ni= -p $$) > /dev/null 2>&1 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… New renice value: %s\e[0m\n" "${var}" - # sleep 1 - unset var else @@ -53,8 +54,6 @@ arg_priority_check() { ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$" var=$(ionice -p $$) > /dev/null 2>&1 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… New ionice value: %s\e[0m\n" "${var}" - # sleep 1 - unset var else 
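Review bot: `--signing_key_pass=*` takes the signing-key passphrase from argv and stores it with `declare -gx VAR_SIGNING_KEY_PASS`, so it is visible in `/proc/*/cmdline` and `ps` for the life of the process, inherited by every child (including `lb build` and the chroot hooks) through the exported environment, and echoed by xtrace when `VAR_EARLY_DEBUG` is on — this file carefully wraps the root-password handling in `set +x`/`set -x`, but not this arm. Prefer a `--signing_key_pass_file=<path>` read with `IFS= read -r VAR_SIGNING_KEY_PASS < "${pass_file}"` under the same tracing guard, and drop the `x` attribute so only the gpg invocation receives the value (e.g. via a passphrase fd or file option). The same argv exposure applies to the unchanged context line `hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")`; `printf '%s' "${plaintext_pw}" | mkpasswd --stdin ...` keeps the plaintext off the command line. The `arg_parser` case statement continues outside this hunk.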
@@ -64,6 +63,8 @@ arg_priority_check() { fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + return 0 } ### Prevents accidental 'unset -f'. diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh index e609269..ba95c5a 100644 --- a/lib/lib_cdi.sh +++ b/lib/lib_cdi.sh @@ -13,7 +13,7 @@ guard_sourcing ####################################### -# CISS.debian.installer 'GRUB' and 'Autostart' generator. +# CISS.debian.installer 'GRUB' and 'autostart' generator. # Globals: # BASH_SOURCE # VAR_HANDLER_BUILD_DIR 
@@ -30,24 +30,19 @@ cdi() { if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then - touch "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi" - chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi" - if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" fi - cp "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" - chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" - chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" + install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" declare tmp_entry tmp_entry="$(mktemp)" cat << EOF >| "${tmp_entry}" menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i { - linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path} + linux /live/vmlinuz-${VAR_KERNEL} boot=live components keyboard-layouts=de 
keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path} initrd /live/initrd.img-${VAR_KERNEL} } EOF diff --git a/lib/lib_change_splash.sh b/lib/lib_change_splash.sh index 3609ed8..b4172a3 100644 --- a/lib/lib_change_splash.sh +++ b/lib/lib_change_splash.sh @@ -15,6 +15,7 @@ guard_sourcing ####################################### # Change Grub Boot Screen Splash # Globals: +# BASH_SOURCE # VAR_HANDLER_BUILD_DIR # VAR_HANDLER_SPLASH # VAR_WORKDIR @@ -24,6 +25,8 @@ guard_sourcing # 0: on success ####################################### change_splash() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Grub Splash 'club.png' selected ...\e[0m\n" @@ -42,6 +45,8 @@ change_splash() { fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + return 0 } ### Prevents accidental 'unset -f'. diff --git a/lib/lib_check_dhcp.sh b/lib/lib_check_dhcp.sh index 66dcbb8..ba88715 100644 --- a/lib/lib_check_dhcp.sh +++ b/lib/lib_check_dhcp.sh 
@@ -15,6 +15,7 @@ guard_sourcing ####################################### # Check if hardened Centurion DNS servers are desired. # Globals: +# BASH_SOURCE # VAR_HANDLER_DHCP # VAR_WORKDIR # Arguments: @@ -23,10 +24,14 @@ guard_sourcing # 0: on success ####################################### check_dhcp() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + return 0 } ### Prevents accidental 'unset -f'. diff --git a/lib/lib_check_hooks.sh b/lib/lib_check_hooks.sh index 9d6f704..9091d30 100644 --- a/lib/lib_check_hooks.sh +++ b/lib/lib_check_hooks.sh @@ -13,8 +13,10 @@ guard_sourcing ####################################### -# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file +# Check and apply 0755 Permissions on every '"${VAR_HANDLER_BUILD_DIR}"/./config/hooks/live/*.chroot'-file. # Globals: +# BASH_SOURCE +# VAR_HANDLER_BUILD_DIR # VAR_WORKDIR # Arguments: # None @@ -22,11 +24,15 @@ guard_sourcing # 0: on success # ERR_UNCRITICAL: on failure ####################################### -check_hooks() { +x_hooks() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + declare ifs ifs=$'\n\t' + shopt -s nullglob - declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot) + + declare -a files=("${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.chroot) if (( ${#files[@]} == 0 )); then 
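Review bot: `shopt -s nullglob` is switched on at the top of x_hooks() but only switched off at the very end of the function (the `@@ -43,9 +49,13 @@` hunk), so the `(( ${#files[@]} == 0 ))` branch, which per the header presumably returns ERR_UNCRITICAL early, leaves nullglob enabled in the caller and silently changes glob behaviour for the rest of the build. The glob is fully expanded at the array assignment, so the reset belongs directly after it: `declare -a files=("${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.chroot); shopt -u nullglob`. The rename from check_hooks to x_hooks presumably has its caller updated outside this diff; worth confirming. The function body continues past the end of this hunk.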
@@ -43,9 +49,13 @@ check_hooks() { done + shopt -u nullglob + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 -readonly -f check_hooks +readonly -f x_hooks # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_check_kernel.sh b/lib/lib_check_kernel.sh index 5bdc93d..2f2b88e 100644 --- a/lib/lib_check_kernel.sh +++ b/lib/lib_check_kernel.sh @@ -26,12 +26,9 @@ guard_sourcing ####################################### check_kernel() { clear - declare -i counter=1 - declare first_string="" - declare line="" declare -gx VAR_KERNEL="" - declare name="" - declare options="" + declare -i counter=1 + declare first_string="" line="" name="" options="" if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then diff --git a/lib/lib_check_pkgs.sh b/lib/lib_check_pkgs.sh index a340997..34217ca 100644 --- a/lib/lib_check_pkgs.sh +++ b/lib/lib_check_pkgs.sh 
@@ -14,27 +14,32 @@ guard_sourcing ####################################### # Check for required Deb Packages to run the script. +# Globals: +# BASH_SOURCE +# VAR_HANDLER_AUTOBUILD # Arguments: # None # Returns: # 0: on success ####################################### check_pkgs() { - apt-get update > /dev/null 2>&1 + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" - if [[ -z "$(command -v batcat || true)" ]]; then + apt-get update -qq > /dev/null 2>&1 - apt-get install -y --no-install-recommends bat - - fi - - if [[ -z "$(command -v lsb_release || true)" ]]; then + if ! command -v lsb_release >/dev/null 2>&1; then apt-get install -y --no-install-recommends lsb-release fi - if [[ -z "$(command -v debootstrap || true)" ]]; then + if ! command -v batcat >/dev/null 2>&1; then + + apt-get install -y --no-install-recommends bat + + fi + + if ! command -v debootstrap >/dev/null 2>&1; then if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then @@ -50,15 +55,21 @@ check_pkgs() { fi + if ! command -v gpg >/dev/null 2>&1; then + + apt-get install -y --no-install-recommends gnupg gpgv gpg-agent pinentry-curses gnupg-utils + + fi + if [[ ! -f /usr/share/live/build/VERSION ]]; then apt-get install -y live-build fi - if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then + if [[ "${VAR_HANDLER_AUTOBUILD}" == "false" ]]; then - if [[ -z "$(command -v dialog || true)" ]]; then + if ! command -v dialog >/dev/null 2>&1; then apt-get install -y --no-install-recommends dialog 
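Review bot: `apt-get update -qq > /dev/null 2>&1` discards stderr too, so when the index refresh fails (no network, bad repository signature) the script either dies under `set -e` with no diagnostic or, if errexit is not in effect at that point, carries on installing from a stale index. `-qq` already silences normal output; keep errors visible and check the status: `apt-get update -qq > /dev/null || return 1`. The header comment should also state that this function installs packages on the build host and therefore needs root. check_pkgs()'s body continues in the next hunk.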
@@ -66,16 +77,13 @@ check_pkgs() { fi - if [[ -z "$(command -v mkpasswd || true)" ]]; then + if ! command -v mkpasswd >/dev/null 2>&1; then apt-get install -y --no-install-recommends whois fi - # shellcheck disable=SC2034,SC2155 - declare -gr VAR_LB_VER="$(lb -v)" - # shellcheck disable=SC2034,SC2155 - declare -gr VAR_DS_VER="$(debootstrap --version)" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" return 0 } diff --git a/lib/lib_check_provider.sh b/lib/lib_check_provider.sh index ed33cfe..eb9a667 100644 --- a/lib/lib_check_provider.sh +++ b/lib/lib_check_provider.sh @@ -14,6 +14,10 @@ guard_sourcing ####################################### # Notes Textbox. +# Globals: +# VAR_GIT_REL +# VAR_NOTES +# VAR_VERSION # Arguments: # None # Returns: diff --git a/lib/lib_check_var.sh b/lib/lib_check_var.sh index 8e3d20d..ee2bbcd 100644 --- a/lib/lib_check_var.sh +++ b/lib/lib_check_var.sh @@ -17,9 +17,10 @@ guard_sourcing # Globals: # ERR_UNBOUNDVAR # Arguments: -# $1: VAR_NAME to check +# 1: VAR_NAME to check # Returns: -# {ERR_UNBOUNDVAR: on failure +# 0: on success +# ERR_UNBOUNDVAR: on failure ####################################### check_var() { declare var_name_to_check="$1" @@ -43,6 +44,8 @@ check_var() { return "${ERR_UNBOUNDVAR}" fi + + return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 diff --git a/lib/lib_ciss_upgrades_boot.sh b/lib/lib_ciss_upgrades_boot.sh new file mode 100644 index 0000000..62f0d29 --- /dev/null +++ b/lib/lib_ciss_upgrades_boot.sh 
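Review bot: Dropping `declare -gr VAR_LB_VER` and `VAR_DS_VER` from check_pkgs() removes two read-only globals, and nothing in this diff shows a replacement definition; any module that still reads them will now abort under `set -u` or print empty values. If they moved elsewhere, say so in the commit description; otherwise keep them after the install steps, where `lb` and `debootstrap` are guaranteed present, e.g. `declare -grx VAR_LB_VER="$(lb -v)"`.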
@@ -0,0 +1,50 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +guard_sourcing + +####################################### +# Integrates primordial SSH identity- and / or ssh_host-files. +# Globals: +# BASH_SOURCE +# VAR_HANDLER_BUILD_DIR +# VAR_SIGNING_KEY_FPR +# VAR_SIGNING_KEY_PASSFILE +# VAR_WORKDIR +# Arguments: +# None +# Returns: +# 0: on success +####################################### +ciss_upgrades_boot() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + + ### Updates '/usr/lib/live/boot/0030-verify-checksums'. + install -D -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + + declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512" + declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512.sig" + declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + + sha512sum "${var_fil}" >| "${var_sha}" + + gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ + --detach-sign --output "${var_sig}" "${var_sha}" + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + + return 0 +} +### Prevents accidental 'unset -f'. 
+# shellcheck disable=SC2034 +readonly -f ciss_upgrades_boot +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_ciss_upgrades.sh b/lib/lib_ciss_upgrades_build.sh similarity index 63% rename from lib/lib_ciss_upgrades.sh rename to lib/lib_ciss_upgrades_build.sh index 221e4f8..3f09df3 100644 --- a/lib/lib_ciss_upgrades.sh +++ b/lib/lib_ciss_upgrades_build.sh @@ -13,19 +13,30 @@ guard_sourcing ####################################### -# Wrapper to update '/usr/lib/live/build/...' scripts. +# Module to update '/usr/lib/live/build/...' scripts. # Globals: -# SCRIPT_BASEPATH -# VAR_BUILD_LOG -# VAR_HANDLER_BUILD_DIR +# BASH_SOURCE +# VAR_WORKDIR # Arguments: # None # Returns: # 0: on success ####################################### -ciss_upgrades() { +ciss_upgrades_build() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + ### CISS signing binary-checksums override. + if [[ ! -e /usr/lib/live/build/binary_checksums.original ]]; then + cp /usr/lib/live/build/binary_checksums /usr/lib/live/build/binary_checksums.original + chmod 0444 /usr/lib/live/build/binary_checksums.original + fi + + rm -f /usr/lib/live/build/binary_checksums + install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_checksums.sh" /usr/lib/live/build/binary_checksums + + ### https://wiki.debian.org/ReproducibleInstalls/LiveImages + ### https://reproducible-builds.org/docs/system-images/ + ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then cp /usr/lib/live/build/binary_rootfs /usr/lib/live/build/binary_rootfs.original chmod 0444 /usr/lib/live/build/binary_rootfs.original 
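Review bot: `sha512sum "${var_fil}" >| "${var_sha}"` records the absolute build-tree path (`${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums`) in the checksum file, so a consumer that runs `sha512sum -c` on the booted system cannot locate that path; if the verifier only parses the hash field this is harmless, but a relative name is safer: `(cd "${var_fil%/*}" && sha512sum -- "${var_fil##*/}") >| "${var_sha}"`. The header comment "Integrates primordial SSH identity- and / or ssh_host-files" is copied from another module and does not describe this function; it should say that it installs the live-boot 0030-verify-checksums override, writes its SHA-512 checksum into includes.binary and detach-signs that checksum with the signing key. The redirection into `var_sha` also assumes `config/includes.binary` already exists, unlike the `install -D` above it.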
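Review bot: `rm -f /usr/lib/live/build/binary_checksums` immediately before `install … /usr/lib/live/build/binary_checksums` is redundant, since install replaces the destination; drop the `rm -f` line. The function now overwrites a file owned by the live-build package on the build host, and the one-time `.original` backup goes stale if that package is later upgraded; the header should state that it mutates the host installation and requires root, and a short comment on the `cp … binary_checksums.original` line noting that the backup is taken only once would help the next maintainer. The rest of ciss_upgrades_build() is outside this hunk.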
@@ -40,5 +51,5 @@ ciss_upgrades() { } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 -readonly -f ciss_upgrades +readonly -f ciss_upgrades_build # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh index 362dd5d..8962b38 100644 --- a/lib/lib_clean_up.sh +++ b/lib/lib_clean_up.sh 
@@ -13,33 +13,88 @@ guard_sourcing ####################################### -# Clean Up Wrapper on Trap on 'ERR' and 'EXIT'. +# Cleanup wrapper on the traps on 'ERR' and 'EXIT'. # Globals: +# VAR_CDLB_INSIDE_RUNNER +# GNUPGHOME # LOG_ERROR +# VAR_HANDLER_BUILD_DIR # VAR_KERNEL_INF # VAR_KERNEL_SRT # VAR_KERNEL_TMP +# VAR_NOTES # VAR_WORKDIR # Arguments: # 1 : ${trap_on_exit_code} of trap_on_exit() +# Returns: +# 0: on success ####################################### clean_up() { - declare clean_exit_code="$1" + declare clean_exit_code="$1" fs_type="" + + shopt -s nullglob dotglob + rm -f -- "${VAR_KERNEL_INF}" rm -f -- "${VAR_KERNEL_SRT}" rm -f -- "${VAR_KERNEL_TMP}" + rm -f -- "${VAR_NOTES}" + # Release advisory lock on FD 127. flock -u 127 + # Close file descriptor 127. exec 127>&- + # Remove the lockfile artifact. rm -f /run/lock/ciss_live_builder.lock + + # Removes the error log on clean exit. if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi + + # Cleaning TCP wrapper artifacts. if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then rm -f "${VAR_WORKDIR}/hosts.allow" fi if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then rm -f "${VAR_WORKDIR}/hosts.deny" fi + + # Kill gpg-agent and remove artifacts securely. + if [[ ! 
"${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then + + if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" && "${GNUPGHOME}" == /dev/shm/cdlb_*_gnupg ]]; then + + gpgconf --kill gpg-agent >/dev/null 2>&1 || true + + fs_type="$(stat -f -c %T "${GNUPGHOME}" 2>/dev/null || echo "GNUPGHOME: unknown fs.")" + + if [[ "${fs_type}" == "tmpfs" || "${fs_type}" == "ramfs" ]]; then + + rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true + + else + + chmod -R u+rwX "${GNUPGHOME}" >/dev/null 2>&1 || true + find "${GNUPGHOME}" -type f -exec shred -fuz -n 2 -- {} + 2>/dev/null || true + find "${GNUPGHOME}" \( -type s -o -type p -o -type l \) -delete 2>/dev/null || true + rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true + + fi + + fi + + fi + + # Removes secrets securely. + # shellcheck disable=SC2312 + find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 -- no-run-if-empty shred -fzu -n 5 -- + find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete + + shopt -u nullglob dotglob + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f clean_up # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_contact.sh b/lib/lib_contact.sh index 31459e0..0bdb40d 100644 --- a/lib/lib_contact.sh +++ b/lib/lib_contact.sh @@ -13,9 +13,11 @@ ####################################### # Contact Wrapper CISS.debian.live.builder # Globals: -# none +# None # Arguments: -# none +# None +# Returns: +# 0: on success ####################################### contact() { clear @@ -38,5 +40,10 @@ $(echo -e "\e[95m ๐ŸŒ https://coresecret.eu/spenden/ \e[0m") $(echo -e "\e[97m################################################################################ \e[0m") EOF + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f contact # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_copy_integrity.sh b/lib/lib_copy_integrity.sh index 3811b8c..a99a059 100644 
--- a/lib/lib_copy_integrity.sh +++ b/lib/lib_copy_integrity.sh @@ -18,23 +18,28 @@ guard_sourcing # BASH_SOURCE # VAR_HANDLER_BUILD_DIR # Arguments: -# None +# None # Returns: -# 0 : Aide Init DB copying successful. +# 0 : on success ####################################### copy_db() { - # printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}" - if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity" fi if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then + chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"* - # printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… '%s' successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + return 0 + else + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + fi } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f copy_db # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_debug.sh b/lib/lib_debug.sh index 8684dc9..39700f3 100644 --- a/lib/lib_debug.sh +++ b/lib/lib_debug.sh 
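Review bot: The new `else` branch in copy_db() prints the failure message but does not return a non-zero status, so the function exits with printf's status (0) and the caller cannot distinguish a missing AIDE database from success; add `return 1` (or ERR_UNCRITICAL, if that project convention applies here) after the printf. The header's Returns section should then list that failure code as well.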
@@ -13,47 +13,63 @@ guard_sourcing ####################################### -# Debugger Wrapper for xtrace to Debug Log +# Debugger module for xtrace to debug log. # Globals: -# BASH_SOURCE # BASH_XTRACEFD # LOG_DEBUG +# LOG_VAR # PS4 # SHELLOPTS # VAR_DUMP_VARS_INITIAL # VAR_EARLY_DEBUG -# var +# VAR_ISO8601 # Arguments: -# None +# None +# Returns: +# 0: on success ####################################### debugger() { ### Capture an initial snapshot of all variables (excluding '^(BASH|_).*') # shellcheck disable=SC2155 declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp) + + # shellcheck disable=SC2312 { declare var while IFS= read -r var; do declare -p "${var}" 2>/dev/null done < <(compgen -v | grep -Ev '^(BASH|_).*') } | sort >| "${VAR_DUMP_VARS_INITIAL}" + declare -gx VAR_EARLY_DEBUG="true" ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name - declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m ' - # shellcheck disable=SC2155 - declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log" - declare -grx LOG_VAR="/tmp/ciss_live_builder_$$_var.log" + + declare -grx PS4='\e[97m+\e[96m[${EPOCHREALTIME}]\e[97m:\e[94m[$$]\e[97m:\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[97m:\e[93m[${?}]\e[97m:\e[95m[${FUNCNAME[0]:-main}()]\e[97m>>\e[0m ' + declare -grx LOG_DEBUG="/tmp/cdlb_${VAR_ISO8601}_debug.log" + declare -grx LOG_VAR="/tmp/cdlb_${VAR_ISO8601}_var.log" + ### Generates empty LOG_DEBUG and LOG_VAR touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}" - touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}" + touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}" + ### Open file descriptor 42 for writing to the debug log exec 42>| "${LOG_DEBUG}" + ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables debug_header "$#" "$*" + ### Tell Bash to send xtrace output to 
FD 42 export BASH_XTRACEFD=42 + ### Enable inheritable shell options export SHELLOPTS + ### Turn on xtrace set -x + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f debugger # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_debug_header.sh b/lib/lib_debug_header.sh index ee37b57..b6cf3eb 100644 --- a/lib/lib_debug_header.sh +++ b/lib/lib_debug_header.sh @@ -13,7 +13,7 @@ guard_sourcing ####################################### -# Generates Debug Log Header +# Generates the debug log header. # Globals: # BASHOPTS # BASH_VERSINFO @@ -22,21 +22,27 @@ guard_sourcing # HOSTNAME # PPID # PWD +# SHELLOPTS +# SOURCE_DATE_EPOCH # UID +# VAR_GIT_REL +# VAR_SYSTEM # VAR_VERSION # Arguments: -# $0: Script Name $0 -# $1: Argument Counter $# -# $2: Argument String $* +# 0: Script Name $0 +# 1: Argument Counter $# +# 2: Argument String $* ####################################### debug_header() { declare -r arg_counter="$1" declare -r arg_string="$2" + # shellcheck disable=SC2312 { printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" printf "\e[97m+\e[0m\e[92m%s: Git Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_REL}" printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}" printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}" + printf "\e[97m+\e[0m\e[92m%s: Source Date Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SOURCE_DATE_EPOCH}" printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}" printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}" printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}" 
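Review bot: `LOG_DEBUG` and `LOG_VAR` are now fixed, predictable names in the shared `/tmp` (`/tmp/cdlb_${VAR_ISO8601}_debug.log`), created with `touch` then `chmod 0600`; a pre-existing file or symlink at that path is followed by both `touch` and `exec 42>|`, and the xtrace stream written there is sensitive enough that lib_gnupg.sh in this same commit turns tracing off around its passphrase handling. The old `$$`-based name had the same weakness, so this is not a regression, but the function already uses `declare -grx VAR=$(mktemp)` a few lines up and the same idiom fixes it: `declare -grx LOG_DEBUG="$(mktemp "/tmp/cdlb_${VAR_ISO8601}_debug.XXXXXX")"`, likewise for LOG_VAR, with the touch/chmod lines dropped since mktemp creates the file with mode 0600.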
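Review bot: The new `Source Date Epoch` line in debug_header() expands `${SOURCE_DATE_EPOCH}` unguarded; if that variable is not exported before the debug header runs, a script under `set -u` aborts inside the logging code. Since the value is informational only, use a default in the expansion: `"${SOURCE_DATE_EPOCH:-unset}"`. `VAR_GIT_REL` is still printed here while lib_git_var.sh, which defined it, is deleted in this commit; presumably it is now set elsewhere, but worth confirming. debug_header()'s body continues in the next hunk.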
@@ -58,4 +64,7 @@ debug_header() { printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" } >&42 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f debug_header # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_git_var.sh b/lib/lib_git_var.sh deleted file mode 100644 index dfdea73..0000000 --- a/lib/lib_git_var.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/bash -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -guard_sourcing - -####################################### -# Define Git Repo related Variables. -# Globals: -# VAR_GIT_HEAD -# VAR_GIT_REL -# VAR_GIT_REL_DATE -# VAR_GIT_REL_DATE_TIME -# VAR_GIT_REL_SHORT -# Arguments: -# None -####################################### -check_git() { - # shellcheck disable=SC2155 - if git rev-parse --is-inside-work-tree &>/dev/null; then - declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')" - declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}" - declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }" - declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}" - declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" - fi -} -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_gnupg.sh b/lib/lib_gnupg.sh new file mode 100644 index 0000000..408205d --- /dev/null +++ b/lib/lib_gnupg.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +guard_sourcing + +####################################### +# Init GNUPGHOME. +# Globals: +# BASH_SOURCE +# GNUPGHOME +# VAR_CDLB_INSIDE_RUNNER +# VAR_EARLY_DEBUG +# VAR_HANDLER_BUILD_DIR +# VAR_ISO8601 +# VAR_SIGNER +# VAR_SIGNING_KEY +# VAR_SIGNING_KEY_FPR +# VAR_SIGNING_KEY_PASS +# VAR_SIGNING_KEY_PASSFILE +# VAR_TMP_SECRET +# VAR_VERIFY_KEYRING +# Arguments: +# None +# Returns: +# 0: on success +####################################### +init_gnupg() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + + if [[ "${VAR_SIGNER}" == "true" ]]; then + + __umask=$(umask) + umask 0077 + + ### Avoid collision with Gitea runner workflows. + if [[ ! 
"${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then + + declare -grx GNUPGHOME="/dev/shm/cdlb_${VAR_ISO8601}_gnupg" + + # shellcheck disable=SC2174 + mkdir -p -m 0700 "${GNUPGHOME}" + + echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf" + gpgconf --reload gpg-agent || true + + fi + + gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}" + shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}" + + gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg" + gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg" + + declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx" + declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}" + ### No tracing for security reasons ------------------------------------------------------------------------------------------ + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x + + declare __pw="" + __pw="$(<"${VAR_SIGNING_KEY_PASSFILE}")"; __pw="${__pw%$'\r'}"; printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}" + __pw="" && unset __pw + + ### Turn on tracing again ---------------------------------------------------------------------------------------------------- + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x + + umask "${__umask}" + __umask="" + + fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + + return 0 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f init_gnupg +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_guard_sourcing.sh b/lib/lib_guard_sourcing.sh index 109ed66..8e1f5dc 100644 --- a/lib/lib_guard_sourcing.sh +++ b/lib/lib_guard_sourcing.sh 
@@ -11,12 +11,12 @@ # SPDX-Security-Contact: security@coresecret.eu ####################################### -# Prevent the caller LIB-file from being sourced twice. +# Prevents the caller LIB-file from being sourced twice. # Derive a safe guard-variable name from the caller script filename. # Globals: # BASH_SOURCE # Arguments: -# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.) +# 1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.) # Returns: # 0: Returns '0' in both cases as they are intended to be successful. ####################################### @@ -37,6 +37,10 @@ guard_sourcing() { ### Mark as loaded (readonly + exported) declare -grx "${var_guard_var}"=1 + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f guard_sourcing # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_hardening_root_pw.sh b/lib/lib_hardening_root_pw.sh index 4d051ca..331fc0f 100644 --- a/lib/lib_hardening_root_pw.sh +++ b/lib/lib_hardening_root_pw.sh 
@@ -15,18 +15,22 @@ guard_sourcing ####################################### # Updates the Live ISO to use root password authentication for local console access. # Globals: +# BASH_SOURCE # VAR_HANDLER_BUILD_DIR # VAR_HASHED_PWD # Arguments: -# None +# None # Returns: -# 0: In case no root password is desired. +# 0: on success ####################################### hardening_root_pw() { - if [[ -z ${VAR_HASHED_PWD} ]]; then - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… No Root Password for Console set, skipping root password hook.\e[0m\n" + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + if [[ -z ${VAR_HASHED_PWD} ]]; then + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… No Root Password for Console set, skipping root password hook.\e[0m\n" return 0 + fi printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Setup Root Password for Console ... \e[0m\n" @@ -79,5 +83,12 @@ EOF #chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Setup Root Password for Console done. \e[0m\n" + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f hardening_root_pw # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_hardening_ssh.sh b/lib/lib_hardening_ssh_tcp.sh similarity index 55% rename from lib/lib_hardening_ssh.sh rename to lib/lib_hardening_ssh_tcp.sh index afb368c..b19ac8a 100644 --- a/lib/lib_hardening_ssh.sh +++ b/lib/lib_hardening_ssh_tcp.sh 
@@ -13,17 +13,33 @@ guard_sourcing ####################################### -# SSH Hardening Ultra via TCP Wrapper +# SSH hardening via TCP wrapper. # Globals: # ARY_HANDLER_JUMPHOST +# BASH_SOURCE # VAR_WORKDIR # Arguments: -# None +# None +# Returns: +# 0: on success ####################################### -hardening_ssh() { +hardening_ssh_tcp() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then declare allowed="" cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow" +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + # /etc/hosts.allow: list of hosts that are allowed to access the system. # See the manual pages hosts_access(5) and hosts_options(5). # 
@@ -37,9 +53,20 @@ hardening_ssh() { EOF allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ') - printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow" + printf 'sshd: %s\n\n# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow" cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny" +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system. # See the manual pages hosts_access(5) and hosts_options(5). # @@ -59,7 +86,15 @@ EOF ALL: ALL +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f hardening_ssh_tcp # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh index cf357b3..dcb0a7f 100644 --- a/lib/lib_hardening_ultra.sh +++ b/lib/lib_hardening_ultra.sh 
@@ -13,24 +13,29 @@ guard_sourcing ####################################### -# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image. +# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image. # Globals: # ARY_HANDLER_JUMPHOST # ARY_HANDLER_JUMPHOST_UNIQUE +# BASH_SOURCE # VAR_ARCHITECTURE # VAR_HANDLER_BUILD_DIR +# VAR_SSHFP # VAR_SSHPORT # VAR_SSHPUBKEY # VAR_WORKDIR # Arguments: # None +# Returns: +# 0: on success ####################################### hardening_ultra() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + # shellcheck disable=SC2164 cd "${VAR_WORKDIR}" - - ### ./config/bootloaders + ### ./config/bootloaders ----------------------------------------------------------------------------------------------------- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Copying ./config/bootloaders ... \e[0m\n" if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then @@ -47,7 +52,7 @@ hardening_ultra() { printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Copying ./config/bootloaders done.\e[0m\n" - ### ./config/includes.binary + ### ./config/includes.binary ------------------------------------------------------------------------------------------------- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Copying ./config/includes.binary ... \e[0m\n" if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then @@ -64,7 +69,7 @@ hardening_ultra() { printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Copying ./config/includes.binary done.\e[0m\n" - ### ./config/includes.chroot + ### ./config/includes.chroot ------------------------------------------------------------------------------------------------- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Copying ./config/includes.chroot ... \e[0m\n" if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then 
@@ -85,7 +90,7 @@ hardening_ultra() { printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Copying ./config/includes.chroot done.\e[0m\n" - ### ./config/hooks/early + ### ./config/hooks/early ----------------------------------------------------------------------------------------------------- if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Copying ./config/hooks/early ... \e[0m\n" @@ -106,7 +111,7 @@ hardening_ultra() { fi - ### ./config/hooks/live + ### ./config/hooks/live ------------------------------------------------------------------------------------------------------ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Copying ./config/hooks/live ... \e[0m\n" if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then @@ -123,7 +128,7 @@ hardening_ultra() { printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Copying ./config/hooks/live done.\e[0m\n" - + ### ./config/package-lists --------------------------------------------------------------------------------------------------- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Copying ./config/package-lists ... \e[0m\n" if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists" 
@@ -167,150 +172,82 @@ hardening_ultra() { } print } - ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" + ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" >| temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Copying ./config/package-lists done.\e[0m\n" - ### Updating SSH Keys, Ports. + ### Updating SSH Keys, Ports ------------------------------------------------------------------------------------------------- printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Updating SSH Keys, Ports ... \e[0m\n" - ### Check for static SSHFP key material via Gitea Actions Runner Secrets injection. - if [[ "${VAR_SSHFP}" == "true" ]]; then + ### ./config/includes.chroot/root/.ssh --------------------------------------------------------------------------------------- + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" + install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/" - rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot" - rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" + declare -r sshport="${VAR_SSHPORT:-22}" - else + ### /config/includes.chroot/etc/ssh/sshd_config + # shellcheck disable=SC2155 + declare pad="$(printf '%-29s' 'Port')" + sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" - rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot" - rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl" + ### /config/hooks/live/9950_hardening_fail2ban.chroot + sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot" - fi + ### 
/config/hooks/live/0900_ufw_setup.chroot + sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - ### /config/includes.chroot/root/.ssh - if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then + ### /config/hooks/live/0900_ufw_setup.chroot + if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then - mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" - cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" - chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" - chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" + declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - declare -r sshport="${VAR_SSHPORT:-22}" + sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" - ### /config/includes.chroot/etc/ssh/sshd_config - # shellcheck disable=SC2155 - declare pad="$(printf '%-29s' 'Port')" - sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + declare line - ### /config/hooks/live/9950_hardening_fail2ban.chroot - sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot" + # shellcheck disable=SC2312 + line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) - ### /config/hooks/live/0900_ufw_setup.chroot - sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + if [[ -z "${line}" ]]; then - - ### /config/hooks/live/0900_ufw_setup.chroot - if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then - - declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - - sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" - - declare line - - # 
shellcheck disable=SC2312 - line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) - - if [[ -z "${line}" ]]; then - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2 - exit 1 - fi - - declare host - - for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do - - ((line++)) - - sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}" - - done + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โŒ'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2 + exit 1 fi - else + declare host - cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" - chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" - chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" + for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do - declare -r sshport="${VAR_SSHPORT:-22}" + ((line++)) - ### /config/includes.chroot/etc/ssh/sshd_config - # shellcheck disable=SC2155 - declare pad="$(printf '%-29s' 'Port')" - sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}" - ### /config/hooks/live/9950_hardening_fail2ban.chroot - sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot" - - ### /config/hooks/live/0900_ufw_setup.chroot - sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - - - ### /config/hooks/live/0900_ufw_setup.chroot - if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then - - declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - - sed -i "/^ufw allow in 
\"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" - - declare line - # shellcheck disable=SC2312 - line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) - - if [[ -z "${line}" ]]; then - printf "\e[91mโŒ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2 - exit 1 - fi - - declare host - - for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do - - ((line++)) - sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}" - - done - - fi + done fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Updating SSH Keys, Ports done. \e[0m\n" - ### /config/includes.chroot/etc/hosts.allow + ### ./config/includes.chroot/etc/hosts. -------------------------------------------------------------------------------------- if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช SSH Hardening Ultra ... \e[0m\n" - cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" - cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" + mv "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" + mv "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow" chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny" - rm -f "${VAR_WORKDIR}/hosts.allow" - rm -f "${VAR_WORKDIR}/hosts.deny" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… SSH Hardening Ultra done.\e[0m\n" fi - ### /config/hooks/live/9950_hardening_fail2ban.chroot + ### ./config/hooks/live/9950_hardening_fail2ban.chroot ----------------------------------------------------------------------- if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Updating fail2ban Jumphosts IPs ... \e[0m\n" 
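Review bot: The surviving jump-host branch tests `if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then` but loops over ARY_HANDLER_JUMPHOST_UNIQUE to add the per-host allow rules, and clean_ip in lib/lib_helper_ip.sh (same commit) skips every CIDR entry when it fills that array, so a jump-host list made only of CIDR ranges appears to delete the generic `ufw allow in "${SSHPORT}"/tcp` rule and add nothing in its place, which would leave SSH unreachable on the image. The removed second branch used `if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then`; keep that form, or better, stop discarding CIDR entries, since ufw accepts them in `allow from`. `${sshport}` and `${host}` are also spliced unvalidated into `sed` scripts; a guard such as `[[ "${sshport}" =~ ^[0-9]{1,5}$ ]] || exit 1` before the first `sed -i` keeps a malformed VAR_SSHPORT from rewriting the sshd_config Port line into something else. hardening_ultra starts and ends outside this hunk.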
@@ -338,5 +275,12 @@ hardening_ultra() { printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Placeholder removed. \e[0m\n" fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f hardening_ultra # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_helper_ip.sh b/lib/lib_helper_ip.sh index 5876355..a3592f3 100644 --- a/lib/lib_helper_ip.sh +++ b/lib/lib_helper_ip.sh @@ -13,26 +13,32 @@ guard_sourcing ####################################### -# IP Notation cleaner for pure IP output only +# IP notation cleaner for pure IP output only. # Globals: # ARY_HANDLER_JUMPHOST # ARY_HANDLER_JUMPHOST_UNIQUE # Arguments: -# None +# None +# Returns: +# 0: on success ####################################### clean_ip() { - declare host - declare stripped + declare host="" stripped="" for host in "${ARY_HANDLER_JUMPHOST[@]}"; do # Remove leading '[' and trailing ']' stripped="${host#\[}" stripped="${stripped%\]}" # Skip if it contains a slash (CIDR range) - if [[ ${stripped} == */* ]]; then + if [[ ${stripped} == */* ]]; then continue fi # Directly append, no duplicate check + # shellcheck disable=SC2034 declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}") done + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f clean_ip # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_build_start.sh b/lib/lib_lb_build_start.sh index c38a606..7958718 100644 --- a/lib/lib_lb_build_start.sh +++ b/lib/lib_lb_build_start.sh @@ -15,7 +15,7 @@ guard_sourcing ####################################### # Wrapper to write a new 'lb config' environment. # Globals: -# SCRIPT_BASEPATH +# VAR_WORKDIR # VAR_BUILD_LOG # VAR_HANDLER_BUILD_DIR # Arguments: 
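Review bot: In clean_ip the comment `# Directly append, no duplicate check` contradicts the name ARY_HANDLER_JUMPHOST_UNIQUE, and hardening_ultra earlier in this commit emits one `ufw allow from` rule per element of that array, so a host listed twice yields duplicate firewall rules. Either dedupe here with an associative "seen" array keyed by `${stripped}` that skips the append on a repeat, or reword the comment and rename the array so readers do not rely on uniqueness it does not provide. Running `declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=(...)` inside the loop also re-declares the variable on every iteration; `declare -ga ARY_HANDLER_JUMPHOST_UNIQUE` once before the loop and a plain `ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")` inside it reads more clearly. The `# shellcheck disable=SC2034` above `readonly -f` refers to an unused-variable warning that a `readonly -f` line does not raise and can be dropped.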
@@ -25,23 +25,29 @@ guard_sourcing # ERR_UNCRITICAL: on failure ####################################### lb_build_start() { + declare -i var_build_rc="" + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿ”จ Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}" # shellcheck disable=SC2164 - cd "${SCRIPT_BASEPATH}" + cd "${VAR_WORKDIR}" # shellcheck disable=SC2164 cd "${VAR_HANDLER_BUILD_DIR}" # shellcheck disable=SC2312 - if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then + lb build --color 2>&1 | tee "${VAR_BUILD_LOG}" + var_build_rc=${PIPESTATUS[0]} + + + if [[ "${var_build_rc}" -eq 0 ]]; then printf "\e[92mโœ… Build successfully completed.\e[0m\n" else printf "\e[91mโŒ Build failed!\e[0m\n" >&2 - exit "${ERR_UNCRITICAL}" + exit "${var_build_rc}" fi diff --git a/lib/lib_lb_config_start.sh b/lib/lib_lb_config_start.sh index 795f0d2..4380dc4 100644 --- a/lib/lib_lb_config_start.sh +++ b/lib/lib_lb_config_start.sh @@ -15,12 +15,15 @@ guard_sourcing ####################################### # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts. # Globals: +# BASH_SOURCE # VAR_HANDLER_BUILD_DIR # Arguments: -# 0: Script-name +# None +# Returns: +# 0: on success ####################################### lb_config_start() { - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช '%s' starting ... \e[0m\n" "${0}" + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then 
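Review bot: `var_build_rc=${PIPESTATUS[0]}` is only reached if the `lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"` pipeline does not abort the script first: if the caller runs with `set -e` and `set -o pipefail` (not visible in this hunk) a failing `lb build` now exits through the error trap before the `Build failed!` branch runs, and under `set -e` without pipefail it only survives because tee's status masks the failure. With pipefail enabled, `var_build_rc=0; lb build --color 2>&1 | tee "${VAR_BUILD_LOG}" || var_build_rc=${PIPESTATUS[0]}` captures lb's own status without tripping `-e`. `declare -i var_build_rc=""` initialises an integer from an empty string; `declare -i var_build_rc=0` says what is meant. lb_build_start continues past the end of this hunk.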
@@ -36,30 +39,27 @@ lb_config_start() { fi - if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then - - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Preparing environment ... \e[0m\n" - # Start lb config in a completely detached shell - bash -c "lb config" & - disown - sleep 1 - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Preparing environment done.\e[0m\n" - - else + if [[ -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Deleting former config, binary and cache ... \e[0m\n" - rm -f ./config/binary - rm -f ./config/bootstrap - rm -f ./config/chroot - rm -f ./config/common - rm -f ./config/source - rm -f ./*.{contents,files,iso,bz2,packages} - # Start lb clean in a completely detached shell - bash -c "lb clean && lb clean --binary --cache" & - disown - sleep 1 + + lb clean --binary --cache --purge --source + + if [[ "${PWD}" == "${VAR_HANDLER_BUILD_DIR}" && "${PWD}" != "/" && -n "${PWD}" ]]; then + + rm -rf -- ./* ./.??* + + fi + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Deleting former config, binary and cache done.\e[0m\n" fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f lb_config_start # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh index 0e8eac3..7a491a1 100644 --- a/lib/lib_lb_config_write_trixie.sh +++ b/lib/lib_lb_config_write_trixie.sh 
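Review bot: The guard in front of `rm -rf -- ./* ./.??*` compares `${PWD}` with `${VAR_HANDLER_BUILD_DIR}` as plain strings, so a trailing slash, a relative path or a symlinked build directory makes the comparison fail and the old artifacts silently survive the "Deleting former config" step. Compare canonical paths instead, `[[ "$(pwd -P)" == "$(realpath -- "${VAR_HANDLER_BUILD_DIR}")" ]]`, and log on the skipped branch so a no-op cleanup is visible in the build output. `./.??*` also leaves two-character dotfiles such as `.a` in place; `./.[!.]* ./..?*` covers all of them. Whether the function has changed into the build directory before this point is not visible in the hunk.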
@@ -15,18 +15,19 @@ guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
+# BASH_SOURCE
 # VAR_ARCHITECTURE
 # VAR_HANDLER_BUILD_DIR
 # VAR_HANDLER_ISO_COUNTER
 # VAR_KERNEL
 # VAR_VERSION
-# VAR_WORKDIR
 # Arguments:
 # None
 # Returns:
 # 0: on success
 #######################################
 lb_config_write_trixie() {
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Writing new config ... \e[0m\n"
 lb config \
@@ -41,10 +42,10 @@ lb_config_write_trixie() { --binary-filesystem fat32 \ --binary-image iso-hybrid \ --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ - --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \ + --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin 
nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \ --bootloaders grub-efi \ --cache true \ - --checksums sha512 sha256 md5 \ + --checksums sha512 sha384 sha256 \ --chroot-filesystem squashfs \ --chroot-squashfs-compression-level 22 \ --chroot-squashfs-compression-type zstd \ 
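Review bot: `verify-checksums=sha512,sha384` and `verify-checksums-signatures` on the `--bootappend-live` line only do something if the boot-side script that parses them agrees on the syntax; whether stock live-boot accepts a value list on `verify-checksums` is not visible here, and the consumer is presumably the custom `config/includes.chroot/usr/lib/live/boot/0030-verify-checksums` this commit moves into the chroot includes. A comment above the argument naming that script, e.g. `# verify-checksums=... and verify-checksums-signatures are parsed by includes.chroot/usr/lib/live/boot/0030-verify-checksums`, would keep the two from drifting apart when one side changes. Dropping md5 from `--checksums` matches the boot-side list. lb_config_write_trixie starts and ends outside this hunk.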
@@ -104,33 +105,10 @@ lb_config_write_trixie() { sleep 1 - sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary - sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary + sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary + sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/' ./config/binary - ### Update 0030-verify-checksums - mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot" - cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" - chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" - chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" - - - ### Installing PGP Public Keys for signature verification. - #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys" - #install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg" - #install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg" - - #### Installing PGP Private Deploy Key for signature creation - #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys" - #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys/" -#{{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }} -#EOF - - #if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then - # : >| /root/.config/sops/age/keys.txt - #fi - - #chmod 0400 /root/.config/sops/age/keys.txt ### https://wiki.debian.org/ReproducibleInstalls/LiveImages ### https://reproducible-builds.org/docs/system-images/ 
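Review bot: `sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary` restates the value that the `lb config --checksums sha512 sha384 sha256` call earlier in this function already requests, and it depends on the current directory still being the build tree after the `sleep 1`. If `lb config` persists the flag the sed is dead code and should go; if it does not, a one-line comment above it such as `# lb config does not persist --checksums into config/binary; force it here` explains why both exist — which case holds is not visible in this hunk, and the same applies to the `LB_DM_VERITY` line. lb_config_write_trixie starts and ends outside this hunk.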
@@ -156,6 +134,7 @@ EOF chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Writing new config done.\e[0m\n" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" return 0 } diff --git a/lib/lib_note_target.sh b/lib/lib_note_target.sh index 416fddd..bafbde6 100644 --- a/lib/lib_note_target.sh +++ b/lib/lib_note_target.sh @@ -13,6 +13,15 @@ ####################################### # Version file generator for '/root/cdlb.txt' of Live ISO. # Globals: +# BASH_SOURCE +# SOURCE_DATE_EPOCH +# VAR_BASH_VER +# VAR_DATE_INFO +# VAR_DS_VER +# VAR_GIT_REL +# VAR_HANDLER_BUILD_DIR +# VAR_HOST +# VAR_LB_VER # VAR_VERSION # Arguments: # None @@ -31,6 +40,7 @@ note_target() { Version : ${VAR_VERSION} Git : ${VAR_GIT_REL} + Epoch : ${SOURCE_DATE_EPOCH} Date : ${VAR_DATE_INFO} Host : ${VAR_HOST} Bash : ${VAR_BASH_VER} @@ -63,6 +73,7 @@ export CDLB_CR_HOST="${VAR_HOST}" export CDLB_BASHVER="${VAR_BASH_VER}" export CDLB_DS_VER="${VAR_DS_VER}" export CDLB_LB_VER="${VAR_LB_VER}" +export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}" EOF chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env" diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh new file mode 100644 index 0000000..ead58df --- /dev/null +++ b/lib/lib_primordial.sh 
@@ -0,0 +1,63 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +guard_sourcing + +####################################### +# Integrate primordial SSH identity files. +# Globals: +# BASH_SOURCE +# VAR_HANDLER_BUILD_DIR +# VAR_SSHFP +# VAR_TMP_SECRET +# Arguments: +# None +# Returns: +# 0: on success +####################################### +init_primordial() { + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" + + if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then + + if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then + + shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* + + fi + + if compgen -G "${VAR_TMP_SECRET}/ssh_host_*" > /dev/null; then + + shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* + + fi + + else + + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" + install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/" + shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/id"* + + install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh" + install -m 0600 "${VAR_TMP_SECRET}/ssh_host_"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/" + shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/ssh_host_"* + + fi + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. 
\e[0m\n" "${BASH_SOURCE[0]}" + + return 0 +} +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f init_primordial +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_provider_netcup.sh b/lib/lib_provider_netcup.sh index e507294..b466ebc 100644 --- a/lib/lib_provider_netcup.sh +++ b/lib/lib_provider_netcup.sh @@ -13,12 +13,21 @@ guard_sourcing ####################################### -# Notes Textbox +# Module for Netcup static IPv6 address. +# Globals: +# ARY_HANDLER_NETCUP_IPV6 +# BASH_SOURCE +# VAR_HANDLER_BUILD_DIR +# VAR_HANDLER_NETCUP_IPV6 +# VAR_WORKDIR # Arguments: -# None +# None +# Returns: +# 0: on success ####################################### provider_netcup() { if "${VAR_HANDLER_NETCUP_IPV6}"; then + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}" 
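Review bot: The `else` branch of init_primordial passes the globs `"${VAR_TMP_SECRET}/id"*` and `"${VAR_TMP_SECRET}/ssh_host_"*` straight to `install` without the `compgen -G` existence check the first branch uses, so when `--sshfp` is set but one of the two file groups is absent the unmatched glob is passed literally and `install` fails on a file named `id*`. Guard each `install` the same way as the first branch, `if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then`, and since both branches end by shredding the same files, the shred calls can be shared after the `if`. These `install` calls also omit the `-o root -g root` that hardening_ultra uses for authorized_keys; align them or document why the ownership differs. The `|| rm -f` fallback after `shred` silently leaves the plaintext key recoverable (and shred gives no guarantee on copy-on-write or journaling filesystems); a log line on that fallback makes the degraded path visible. `if [[ ! "${VAR_SSHFP,,}" == "true" ]]` reads more naturally as `if [[ "${VAR_SSHFP,,}" != "true" ]]`.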
@@ -29,19 +38,25 @@ provider_netcup() { ### Static IPv6 Address for Netcup Root Server iface ens3 inet6 static address ${handler_netcup_ipv6_string}/128 - ### dns01.eddns.eu dns02.eddns.de - dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53 + ### dns01.eddns.eu dns02.eddns.de dns03.eddns.eu + dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53 2a01:4f8:c013:8011:138:199:237:109 gateway fe80::1 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF - sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" - rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" - cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" - chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" + rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" fi + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f provider_netcup # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_trap_on_err.sh b/lib/lib_trap_on_err.sh index b5343e0..6e42aef 100644 --- a/lib/lib_trap_on_err.sh +++ b/lib/lib_trap_on_err.sh 
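Review bot: `sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g"` edits the template under `${VAR_WORKDIR}/scripts/etc/network/` in place before it is copied into the build tree, so the source checkout is mutated and a second build with a different address finds no `MUST_BE_REPLACED` marker left to substitute. Substitute while copying and leave the template untouched: `sed "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" >| "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"`, followed by the existing `chmod 0755`. The address string is also interpolated unvalidated into the sed expression and the heredoc, and `${ARY_HANDLER_NETCUP_IPV6[*]}` would silently produce `addr1 addr2/128` for a multi-element array; checking that it is a single bracket-free IPv6 literal before this point catches bad input early. The re-indented lines in this hunk are otherwise unchanged.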
@@ -138,7 +138,9 @@ readonly -f print_scr_err
 # ERRFUNC
 # ERRLINE
 # ERRSCRT
+# ERRTRAP
 # VAR_EARLY_DEBUG
+# VAR_HANDLER_AUTOBUILD
 # Arguments:
 # 1: $?
 # 2: ${BASH_SOURCE[0]}
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index 7752e78..efdb6c3 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
 # shellcheck disable=SC2155
 declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
 # shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.296.2025.10.29 2025-10-07 CLB(1)" "${var_cols}")
+ declare var_footer=$(center "V8.13.384.2025.11.06 2025-11-07 CLB(1)" "${var_cols}")
 {
 echo -e "\e[1;97m${var_header}\e[0m"
 echo
 echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.296.2025.10.29\e[0m"
+ echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m"
 echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
 echo
 echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -57,70 +57,64 @@ usage() { echo " What you're looking at." echo echo -e "\e[97m --autobuild=*, -a=* \e[0m" - echo " Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel" - echo " selector dialog. Change '*' to your desired Linux kernel and trim the" - echo " 'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'." + echo " Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel selector dialog." + echo " Change '*' to your desired Linux kernel and trim the 'linux-image-' string to select a specific kernel," + echo " e.g. '--autobuild=6.12.30+bpo-amd64'." echo echo -e "\e[97m --architecture one of \e[0m" echo " A string reflecting the architecture of the Live System." echo " MUST be provided." echo echo -e "\e[97m --build-directory \e[0m" + echo " RECOMMENDED path: " echo " Where the Debian Live Build Image should be generated." echo " MUST be provided." echo echo -e "\e[97m --change-splash one of \e[0m" - echo " A string reflecting the Grub Boot Screen Splash you want to use." - echo " If omitted defaults to './.archive/background/club.png'." + echo " A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:" + echo " <./.archive/background/club.png>" echo echo -e "\e[97m --cdi (Experimental Feature)\e[0m" - echo " This option generates a boot menu entry to start the forthcoming" - echo " 'CISS.debian.installer', which will be executed after" - echo " the system has successfully booted up." + echo " This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed" + echo " once the system has successfully booted up." echo echo -e "\e[97m --contact, -c\ e[0m" echo " Show author contact information." echo - echo -e "\e[97m --control \e[0m" - echo " An integer that reflects the version of your Live ISO Image." 
+ echo -e "\e[97m --control \e[0m" + echo " A string, that reflects the version of your Live ISO Image." echo " MUST be provided." echo echo -e "\e[97m --debug, -d \e[0m" - echo " Enables debug logging for the main program routine. Detailed logging" - echo " information are written to '/tmp/ciss_live_builder_$$.log'." + echo " Enables debug logging for the main program routine. Detailed logging information are written to:" + echo " " echo echo -e "\e[97m --dhcp-centurion \e[0m" - echo " If a DHCP lease is provided, the provider's nameserver will be overridden," - echo " and only the hardened, privacy-focused Centurion DNS servers will be used:" + echo " If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused " + echo " Centurion DNS servers will be used instead:" echo " - https://dns01.eddns.eu/" echo " - https://dns02.eddns.de/" echo " - https://dns03.eddns.eu/" echo echo -e "\e[97m --jump-host \e[0m" - echo " Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access." - echo " Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation." - echo " If provided, than it MUST be a separated list." + echo " Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 " + echo " addresses and / or CCDIR notation. If provided, than it MUST be a separated list." echo " IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64." echo echo -e "\e[97m --log-statistics-only\e[0m" - echo " Provides statistic only after successful building a" - echo " CISS.debian.live-ISO. While enabling '--log-statistics-only'" - echo " the argument '--build-directory' MUST be provided while" - echo " all further options MUST be omitted." + echo " Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'" + echo " the argument '--build-directory' MUST be provided." 
echo echo -e "\e[97m --provider-netcup-ipv6 \e[0m" - echo " Activates IPv6 support for Netcup Root Server. One unique" - echo " IPv6 address MUST be provided in this case and MUST be encapsulated" - echo " with [], e.g., [1234::abcd]." + echo " Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be" + echo " encapsulated with [], e.g., [1234::abcd]." echo echo -e "\e[97m --renice-priority \e[0m" - echo " Reset the nice priority value of the script and all its children" - echo " to the desired . MUST be an integer (between '-19' and 19)." - echo " Negative (higher) values MUST be enclosed in double quotes '\"'." + echo " Reset the nice priority value of the script and all its children to the desired . MUST be an integer" + echo " between '-19' and 19. Negative (higher) values MUST be enclosed in double quotes '\"'." echo echo -e "\e[97m --reionice-priority \e[0m" - echo " Reset the ionice priority value of the script and all its children" - echo " to the desired . MUST be an integer:" + echo " Reset the ionice priority value of the script and all its children to the desired . MUST be an integer:" echo " 1: realtime" echo " 2: best-effort" echo " 3: idle" 
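Review bot: The rewrapped `--jump-host` help text keeps two typos that the rewrap was a chance to fix: `CCDIR notation` should read `CIDR notation`, and `If provided, than it MUST be a separated list.` should read `If provided, then it MUST be a separated list.` (the kind of separator, comma or space, is still not stated). In the `--log-statistics-only` text, `Provides statistic only` reads better as `Provides statistics only`, and under `--debug` the phrase `Detailed logging information are written to:` should be `is written to:`. usage() starts and ends outside this hunk.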
@@ -129,31 +123,39 @@ usage() { echo " 0: highest priority and" echo " 7: lowest priority." echo " Defaults to '4'." - echo " A real-time I/O process can significantly slow down other processes" - echo " or even cause them to starve if it continuously requests I/O." + echo " A real-time I/O process can significantly slow down other processes or even cause them to starve if it" + echo " continuously requests I/O." echo - echo -e "\e[97m --root-password-file \e[0m" - echo " Password file for 'root', if given, MUST be a string of 20 to 64 characters," - echo " and MUST NOT contain the special character '\"'." - echo " If the argument is omitted, no further login authentication is required for" - echo " the local console. The root password is hashed with an 16 Byte '/dev/random'" - echo " generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately" - echo " after Hash generation all Variables containing plain password fragments are" - echo " deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without" - echo " further prompt after password hash has been successfully generated via:" - echo " 'shred -vfzu 5 -f'." - echo " 'No tracing of any plain text password fragment in any debug log." + echo -e "\e[97m --root-password-file > \e[0m" + echo " Password file for 'root', if given, MUST be a string of 42 to 64 characters." + echo " If the argument is omitted, no further login authentication is required for the local console." + echo " MUST be placed in:" + echo " " + echo + echo -e "\e[97m --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=* \e[0m" + echo " The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is" + echo " specified via '--signing_key=*'. If the keyring is passphrase protected provide the passphrase in its own file." + echo " Specify the fingerprint of the key to use via '--signing_key_fpr=*'." 
+ echo " Change '*' to your desired files / fingerprint. Files MUST be placed in:" + echo " " + echo + echo -e "\e[97m --sshfp \e[0m" + echo " Desired SSH id-files that should be incorporated in '/root/.ssh/id*'." + echo " Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'." + echo " The respective id-files and / or host-files MUST be placed in:" + echo " / " echo echo -e "\e[97m --ssh-port \e[0m" echo " The desired Port SSH should listen to." echo " If not provided defaults to Port '22'." echo - echo -e "\e[97m --ssh-pubkey \e[0m" - echo " Imports the SSH Public Key from the FILE 'authorized_keys' of the" - echo " specified PATH into the Live ISO. MUST be provided." + echo -e "\e[97m --ssh-pubkey \e[0m" + echo " Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO." + echo " Key file MUST be placed in:" + echo " " echo echo -e "\e[97m --trixie \e[0m" - echo " Create a Debian Trixie Live ISO." + echo " Creates a Debian Trixie Live ISO. If omitted defaults to 'Trixie'. No other Debian Version is supported." echo echo -e "\e[97m --version, -v \e[0m" echo " Show version of ${0}." diff --git a/lib/lib_version.sh b/lib/lib_version.sh index 7ad3c68..6d8c04d 100644 --- a/lib/lib_version.sh +++ b/lib/lib_version.sh 
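Review bot: The new option names `--signing_key=*`, `--signing_key_fpr=*` and `--signing_key_pass=*` use underscores while every other option documented here (`--root-password-file`, `--ssh-pubkey`, `--ssh-port`) uses hyphens; unless the argument parser accepts both spellings, the help text should use exactly the form the parser matches. The `echo " "` lines that follow each "MUST be placed in:" and "Files MUST be placed in:" print only whitespace, so the user is never told the required location — if a directory was meant to appear there (it may also have been dropped when this page was extracted), restore it, and if they are meant as blank separators replace them with a bare `echo`. The earlier hunk of usage() starts outside this chunk.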
@@ -11,26 +11,20 @@ # SPDX-Security-Contact: security@coresecret.eu ####################################### -# Version Wrapper CISS.debian.live.builder +# Version module 'CISS.debian.live.builder'. # Globals: +# VAR_BASH_VER +# VAR_GIT_REL +# VAR_HOST # VAR_VERSION +# VAR_VER_DS +# VAR_VER_LB # Arguments: # None # Returns: # 0: on success ####################################### version() { - # shellcheck disable=SC2155 - declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')" - # shellcheck disable=SC2155 - declare -r var_lb_ver="$(lb -v)" - # shellcheck disable=SC2155 - declare -r var_ds_ver="$(debootstrap --version)" - # shellcheck disable=SC2155 - declare -r var_host="$(uname -n)" - # shellcheck disable=SC2155 - declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')" - clear cat << EOF $(echo -e "\e[97m################################################################################ \e[0m") @@ -38,7 +32,7 @@ $(echo -e "\e[92m CISS.debian.live.builder from https://git.coresecret.dev/msw $(echo -e "\e[92m A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m") Version : ${VAR_VERSION} - Git : ${var_repo_ver} + Git : ${VAR_GIT_REL} $(echo -e "\e[97m This program is free software. Distribution and modification under \e[0m") $(echo -e "\e[97m EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m") @@ -47,9 +41,9 @@ $(echo -e "\e[97m EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OW $(echo -e "\e[95m https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m") $(echo -e "\e[97m################################################################################\e[0m") - Using : lb (${var_lb_ver}) debootstrap (${var_ds_ver}) - on : ${var_host} - Bash : ${var_bash_ver} + Using : lb (${VAR_VER_LB}) debootstrap (${VAR_VER_DS}) + on : ${VAR_HOST} + Bash : ${VAR_BASH_VER} EOF 
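Review bot: version() now prints `${VAR_GIT_REL}`, `${VAR_VER_LB}`, `${VAR_VER_DS}`, `${VAR_HOST}` and `${VAR_BASH_VER}` without computing them, so it silently depends on var/early.var.sh having been sourced before it is called; if the caller runs with `set -u` (not visible here) an unsourced variable aborts the banner, otherwise the fields print blank. A guard at the top of the function makes that dependency explicit and fails with a readable message, e.g. `: "${VAR_VERSION:?var/early.var.sh must be sourced before version()}"`. The `# Globals:` header would also help a reader if it said these are read-only inputs from early.var.sh rather than values this function sets.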
diff --git a/scripts/live-boot/0030-verify-checksums b/scripts/live-boot/0030-verify-checksums
deleted file mode 100644
index c121763..0000000
--- a/scripts/live-boot/0030-verify-checksums
+++ /dev/null
@@ -1,136 +0,0 @@ -#!/bin/sh -# bashsupport disable=BP5007 - -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: GPL-3.0-or-later -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums' -### In case of successful verification of one of the offered checksums, proceed with booting, else panic. - -####################################### -# Modified checksum-verification script for continuing the boot process. -# Globals: -# LIVE_BOOT_CMDLINE -# LIVE_VERIFY_CHECKSUMS -# LIVE_VERIFY_CHECKSUMS_DIGESTS -# _CHECKSUM -# _CHECKSUMS -# _DIGEST -# _MOUNTPOINT -# _PARAMETER -# _RETURN -# _TTY -# Arguments: -# 1: ${_PARAMETER} -# Returns: -# 0 : Successful Verification -####################################### -Verify_checksums() { - for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do - - case "${_PARAMETER}" in - - live-boot.verify-checksums=* | verify-checksums=*) - - LIVE_VERIFY_CHECKSUMS="true" - LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" - ;; - - live-boot.verify-checksums | verify-checksums) - - LIVE_VERIFY_CHECKSUMS="true" - ;; - - esac - - done - - case "${LIVE_VERIFY_CHECKSUMS}" in - - true) - : - ;; - - *) - return 0 - ;; - - esac - - _MOUNTPOINT="${1}" - - LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" - _TTY="/dev/tty8" - - log_begin_msg "Verifying checksums" - printf "\n" - - # shellcheck disable=SC2164 - cd "${_MOUNTPOINT}" - - # shellcheck disable=SC2001 - for 
_DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do - - # shellcheck disable=SC2060 - _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" - - for _CHECKSUM in ${_CHECKSUMS}; do - - # shellcheck disable=SC2292 - if [ -e "${_CHECKSUM}" ]; then - - #echo "Found ${_CHECKSUM}..." > "${_TTY}" - printf "Found %s...\n" "${_CHECKSUM}" - - if [ -e "/bin/${_DIGEST}sum" ]; then - - #echo "Checking ${_CHECKSUM}..." > "${_TTY}" - printf "Checking %s...\n" "${_CHECKSUM}" - - # Verify checksums - # shellcheck disable=SC2312 - grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" - _RETURN="${?}" - - # Stop after the first verification - # break 2 - - else - - #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}" - printf "Not found /bin/%ssum....\n" "${_DIGEST}" - - fi - - fi - - done - - done - - log_end_msg - - case "${_RETURN}" in - - 0) - log_success_msg "Verification of checksums successful; continuing booting in 8 seconds." - sleep 8 - return 0 - ;; - - *) - panic "Verification failed, $(basename "${_TTY}") for more information." - ;; - - esac -} -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/scripts/usr/lib/live/boot/0030-verify-checksums b/scripts/usr/lib/live/boot/0030-verify-checksums new file mode 100644 index 0000000..4528a1d --- /dev/null +++ b/scripts/usr/lib/live/boot/0030-verify-checksums 
@@ -0,0 +1,212 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
+### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
+
+#######################################
+# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
+# Globals: +# LIVE_BOOT_CMDLINE +# _TTY +# Arguments: +# 1: _MOUNTPOINT +# Returns: +# 0 : Successful verification +####################################### +Verify_checksums() { + _MOUNTPOINT="${1}" + + _TTY="/dev/tty8" + + LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" + + for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do + + case "${_PARAMETER}" in + + live-boot.verify-checksums=* | verify-checksums=*) + + LIVE_VERIFY_CHECKSUMS="true" + LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" + ;; + + live-boot.verify-checksums | verify-checksums) + + LIVE_VERIFY_CHECKSUMS="true" + ;; + + live-boot.verify-checksums-signatures | verify-checksums-signatures) + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="true" + ;; + + esac + + done + + case "${LIVE_VERIFY_CHECKSUMS}" in + + true) + : + ;; + + *) + return 0 + ;; + + esac + + # shellcheck disable=SC2164 + cd "${_MOUNTPOINT}" + + ### CDLB verification of script integrity itself ----------------------------------------------------------------------------- + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + log_begin_msg "Verifying integrity of '0030-verify-checksums' ..." + printf "\n" + + CDLB_SCRIPT="$(basename "${0}")" + CDLB_SHA="sha512" + CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE="" + + for CDLB_ITEM in ${CDLB_SHA}; do + + CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}" + CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" + CDLB_CMD="${CDLB_ITEM}sum" + + printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}" + + if ! 
gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then + + printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}" + sleep 8 + # TODO: Remove debug mode + # return 0 + + else + + printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}" + + fi + + printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}" + + CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; }) + read -r CDLB_EXPECTED < "${CDLB_HASHFILE}" + + if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then + + printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}" + sleep 8 + # TODO: Remove debug mode + # return 0 + + fi + + printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}" + + done + + printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding." + + log_end_msg + printf "\n" + + fi + + ### Checksum and checksum signature verification ----------------------------------------------------------------------------- + log_begin_msg "Verifying checksums" + printf "\n" + + # shellcheck disable=SC2001 + for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do + + # shellcheck disable=SC2060 + _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" + + for _CHECKSUM in ${_CHECKSUMS}; do + + if [ -e "${_CHECKSUM}" ]; then + + printf "Found [%s] ...\n" "${_CHECKSUM}" + + if [ -e "/bin/${_DIGEST}sum" ]; then + + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}" + _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" + gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}" + _RETURN_PGP="${?}" + + else + + _RETURN_PGP="na" + + fi + + printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}" + + # shellcheck disable=SC2312 + grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}" + _RETURN_SHA="${?}" + + # Stop after the 
first verification. + break 2 + + else + + printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum" + + fi + + fi + + done + + done + + log_end_msg + + case "${_RETURN_PGP},${_RETURN_SHA}" in + + 0,0) + log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + na,0) + log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + *,0) + panic "Verification of signature file failed while verification of checksum file successful." + ;; + + na,*) + panic "Verification of checksum file failed." + ;; + + esac +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/scripts/usr/lib/live/build/binary_checksums.sh b/scripts/usr/lib/live/build/binary_checksums.sh index fc6dbdc..4da8042 100644 --- a/scripts/usr/lib/live/build/binary_checksums.sh +++ b/scripts/usr/lib/live/build/binary_checksums.sh @@ -1,11 +1,13 @@ #!/bin/sh # bashsupport disable=BP5007 +# shellcheck shell=sh # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2006-2015 Daniel Baumann +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: GPL-3.0-or-later # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. @@ -22,10 +24,9 @@ ## This is free software, and you are welcome to redistribute it ## under certain conditions; see COPYING for details. -set -e +set -Ceu ### Including common functions. -# shellcheck disable=SC2292 if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" else 
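Review bot: The closing `case "${_RETURN_PGP},${_RETURN_SHA}"` has no default arm, so with signatures enabled a failed checksum run (`0,1` or `1,1`) matches neither `*,0` nor `na,*`, and the same happens when no checksum file was found at all (both variables unset, giving `,`); the function then falls through, returns 0 and the boot continues in exactly the cases it is meant to stop. Add `*) panic "Verification of checksum file failed." ;;` as the last arm and initialise both variables before the loops, e.g. `_RETURN_PGP="na" _RETURN_SHA="1"`. The self-integrity block above only prints and sleeps on a gpgv failure or a hash mismatch (and the `return 0` behind the TODO would continue booting too), so it gates nothing today; those branches should `panic` once debug mode is removed. Note also that after `cd "${_MOUNTPOINT}"` the keyring, the `.sig`, the `.sha512` file and the file named `basename "${0}"` are all read from the medium being verified rather than from the initramfs, and that `read -r CDLB_EXPECTED` takes the whole first line, so if the hash file is in `sha512sum`'s `hash  name` format it can never equal the first-field `CDLB_COMPUTED` — worth confirming both against how binary_checksums.sh writes those files.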
@@ -34,19 +35,17 @@ fi ### Setting static variables. # shellcheck disable=SC2034 -DESCRIPTION="Create binary checksums and PGP signature files." +DESCRIPTION="[CDLB] Create binary checksums and PGP signature files." # shellcheck disable=SC2034 USAGE="${PROGRAM} [--force]" ### Processing arguments and configuration files. Init_config_data "${@}" -# shellcheck disable=SC2292 if [ "${LB_CHECKSUMS}" = "none" ]; then exit 0 fi -# shellcheck disable=SC2292 if [ "${LB_INITRAMFS}" = "dracut-live" ]; then ### The checksums will be generated by binary_iso. exit 0 @@ -61,7 +60,7 @@ Check_stagefile ### Acquire a lock file. Acquire_lockfile -declare CHECKSUM="" +CHECKSUM="" for CHECKSUM in ${LB_CHECKSUMS}; do @@ -69,7 +68,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do Echo_message "Begin creating binary ${CHECKSUMS} ..." - ### Remove old checksums. + ### Remove old checksums. # shellcheck disable=SC2292 if [ -f "binary/${CHECKSUMS}" ]; then 
@@ -91,18 +90,29 @@ for CHECKSUM in ${LB_CHECKSUMS}; do \! -path './*gpg' \ \! -path './*sig' \ -print0 | LC_ALL=C sort -z | xargs -0 "${CHECKSUM}sum" >| "${CHECKSUMS}" + Echo_message "Begin creating binary ${CHECKSUMS} done." - ### sha256sum.txt - Echo_message "Begin creating GPG armor signature ${CHECKSUMS} ..." - gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --armor --detach-sign --output "${CHECKSUMS}.asc" "${CHECKSUMS}" + Echo_message "Begin verifying binary ${CHECKSUMS} ..." + "${CHECKSUM}sum" -c --strict --quiet "${CHECKSUMS}" + Echo_message "Begin verifying binary ${CHECKSUMS} done." - Echo_message "Begin creating GPG binary signature ${CHECKSUMS} ..." - gpg --batch --yes --local-user "${LB_GPG_SIGN_KEY}" --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}" + if [ "${VAR_SIGNER}" = "true" ]; then + Echo_message "Begin creating GPG binary signature ${CHECKSUMS} ..." + gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ + --detach-sign --output "${CHECKSUMS}.sig" "${CHECKSUMS}" + Echo_message "Begin creating GPG binary signature ${CHECKSUMS} done." + Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} ..." + gpgv --keyring "${VAR_VERIFY_KEYRING}" "${CHECKSUMS}.sig" "${CHECKSUMS}" + Echo_message "Begin verifying GPG binary signature ${CHECKSUMS} done." + + fi + + Echo_message "Begin creating '${CHECKSUM}sum.README' ..." cat << EOF >| "${CHECKSUM}sum.README" # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; +# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; 
@@ -119,6 +129,7 @@ ${CHECKSUM}sum -c ${CHECKSUMS} # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text EOF + Echo_message "Begin creating '${CHECKSUM}sum.README' done." cd "${OLDPWD}" diff --git a/scripts/usr/lib/live/build/binary_rootfs.sh b/scripts/usr/lib/live/build/binary_rootfs.sh index 65b04cd..4515c85 100644 --- a/scripts/usr/lib/live/build/binary_rootfs.sh +++ b/scripts/usr/lib/live/build/binary_rootfs.sh @@ -1,11 +1,13 @@ #!/bin/sh # bashsupport disable=BP5007 +# shellcheck shell=sh # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2006-2015 Daniel Baumann +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: GPL-3.0-or-later # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. @@ -25,7 +27,6 @@ set -e # Including common functions. -# shellcheck disable=SC2292 if [ -e "${LIVE_BUILD}/scripts/build.sh" ]; then . "${LIVE_BUILD}/scripts/build.sh" else @@ -77,7 +78,6 @@ esac # Creating directory mkdir -p "binary/${INITFS}" -# shellcheck disable=SC2292 if In_list "rootfs" "${LB_CACHE_STAGES}" && [ -d cache/binary_rootfs ] then # Removing old chroot @@ -104,7 +104,6 @@ case "${LB_CHROOT_FILESYSTEM}" in Install_packages # Remove old image - # shellcheck disable=SC2292 if [ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ] then rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" @@ -140,7 +139,6 @@ case "${LB_CHROOT_FILESYSTEM}" in FAKE_MTAB=true fi BLOCK_SIZE=1024 - # shellcheck disable=SC2292 if [ "${LB_DM_VERITY}" = "true" ] then # Module dm-verity needs a block size of at least 4k @@ -168,7 +166,6 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages - # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then Remove_lockfile 
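Review bot: `gpgv --keyring "${VAR_VERIFY_KEYRING}"` reads a variable that is not among the signing variables this commit adds to var/global.var.sh (`VAR_SIGNER`, `VAR_SIGNING_KEY*`), and this file now runs under `set -Ceu`, so unless it is declared elsewhere the verification step aborts with an unbound-variable error instead of reporting a failed signature check; please confirm where it is set. `--passphrase-file "${VAR_SIGNING_KEY_PASSFILE}"` is also passed unconditionally, so for an unprotected key with an empty variable gpg will likely fail on an unreadable path under `set -e`; only add the option when the variable is non-empty. The enclosing `for CHECKSUM in ${LB_CHECKSUMS}` loop starts outside this hunk.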
@@ -215,13 +212,11 @@ case "${LB_CHROOT_FILESYSTEM}" in Install_packages # Remove old jffs2 image - # shellcheck disable=SC2292 if [ -f "binary/${INITFS}/filesystem.jffs2" ] then rm -f "binary/${INITFS}/filesystem.jffs2" fi - # shellcheck disable=SC2292 if [ -n "${LB_JFFS2_ERASEBLOCK}" ] then JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}" @@ -237,7 +232,6 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages - # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then Remove_lockfile @@ -266,7 +260,6 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; plain) - # shellcheck disable=SC2292 if [ -d "binary/${INITFS}/filesystem.dir" ] then rm -rf "binary/${INITFS}/filesystem.dir" @@ -274,7 +267,6 @@ case "${LB_CHROOT_FILESYSTEM}" in case "${LB_BUILD_WITH_CHROOT}" in true) - # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then # Different from the other LB_CHROOT_FILESYSTEM values: @@ -310,7 +302,6 @@ case "${LB_CHROOT_FILESYSTEM}" in Echo_message "This may take a while." # Remove old squashfs image - # shellcheck disable=SC2292 if [ -f "binary/${INITFS}/filesystem.squashfs" ] then rm -f "binary/${INITFS}/filesystem.squashfs" @@ -322,19 +313,16 @@ case "${LB_CHROOT_FILESYSTEM}" in # Do not display the progress bar if: # - Run with --quiet, or # - stdin is not a terminal (e.g., in CI, cron, etc.) - # shellcheck disable=SC2292 if [ "${_QUIET}" = "true" ] || [ ! -t 0 ] then MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}" fi - # shellcheck disable=SC2292 if [ "${_VERBOSE}" = "true" ] then MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}" fi - # shellcheck disable=SC2292 if [ -f config/rootfs/squashfs.sort ] then MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}" 
@@ -351,7 +339,6 @@ case "${LB_CHROOT_FILESYSTEM}" in fi # Set squashfs compression type or default to xz - # shellcheck disable=SC2292 if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ] then MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}" @@ -359,7 +346,6 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}" fi - # shellcheck disable=SC2292 if [ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ] then MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}" @@ -367,7 +353,9 @@ case "${LB_CHROOT_FILESYSTEM}" in case "${LB_BUILD_WITH_CHROOT}" in true) - # shellcheck disable=SC2292 + ### https://wiki.debian.org/ReproducibleInstalls/LiveImages + ### https://reproducible-builds.org/docs/system-images/ + ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes if [ -e config/rootfs/excludes ] then @@ -403,7 +391,6 @@ case "${LB_CHROOT_FILESYSTEM}" in # Removing depends Remove_packages - # shellcheck disable=SC2292 if [ -e chroot/chroot.cache ] then Remove_lockfile @@ -423,7 +410,6 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; false) - # shellcheck disable=SC2292 if [ -e config/rootfs/excludes ] then MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}" @@ -440,7 +426,6 @@ case "${LB_CHROOT_FILESYSTEM}" in ;; none) - # shellcheck disable=SC2292 if [ -d binary ] then rm -rf binary @@ -466,7 +451,6 @@ then mkdir -p cache/binary_rootfs - # shellcheck disable=SC2292 if [ "${LB_CHROOT_FILESYSTEM}" != "none" ] then cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs diff --git a/scripts/usr/local/sbin/9999-cdi-starter b/scripts/usr/local/sbin/9999-cdi-starter index 8e1b4f2..6055ddc 100644 --- a/scripts/usr/local/sbin/9999-cdi-starter +++ b/scripts/usr/local/sbin/9999-cdi-starter 
@@ -127,7 +127,7 @@ main() { # shellcheck disable=SC2312 exec > >(tee -a "${var_log}") 2>&1 - printf "CISS.debian.installer Master V8.13.296.2025.10.29 is up! \n" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.384.2025.11.06 is up! \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -182,7 +182,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.installer Master V8.13.296.2025.10.29: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.installer Master V8.13.384.2025.11.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } diff --git a/var/early.var.sh b/var/early.var.sh index e3e9152..2ee11a8 100644 --- a/var/early.var.sh +++ b/var/early.var.sh 
@@ -10,12 +10,35 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Definition of MUST set early Variables +### Definition of MUST set early variables. # shellcheck disable=SC2155 + +declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{ + # Print $4 and $5; include $6 only if it exists + out = $4 + if (NF >= 5) out = out " " $5 + if (NF >= 6) out = out " " $6 + print out +}')" declare -grx VAR_CONTACT="security@coresecret.eu" -declare -grx VAR_VERSION="Master V8.13.296.2025.10.29" +declare -grx VAR_DATE="$(date +%F)" +declare -grx VAR_DATE_EPOCH="$(date -u +%s)" +declare -grx VAR_DATE_INFO="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%S %z')" +declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')" +declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}" +declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }" +declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}" +declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" +declare -grx VAR_HOST="$(uname -n)" +declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_SYSTEM="$(uname -mnosv)" +declare -grx VAR_VERSION="Master V8.13.384.2025.11.06" +declare -grx VAR_VER_DS="$(debootstrap --version)" +declare -grx VAR_VER_LB="$(lb -v)" +declare -gx APT_LISTCHANGES_FRONTEND="none" +declare -gx DEBIAN_FRONTEND="noninteractive" +declare -gx SOURCE_DATE_EPOCH="$(git log -1 --format=%ct)" declare -gx VAR_EARLY_DEBUG="false" declare -gx VAR_HANDLER_AUTOBUILD="false" diff --git a/var/global.var.sh b/var/global.var.sh index 977862b..b5417c9 100644 --- a/var/global.var.sh +++ b/var/global.var.sh 
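Review bot: `VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"` and `SOURCE_DATE_EPOCH="$(git log -1 --format=%ct)"` have no fallback, unlike `VAR_GIT_REL` a few lines above which at least redirects stderr; when the builder runs from a tarball or outside a checkout both become empty, and an empty exported `SOURCE_DATE_EPOCH` is likely treated as unset by the tools that honour it for reproducible builds, silently giving current-time stamps. Use the epoch already computed in this block as the fallback, e.g. `declare -gx SOURCE_DATE_EPOCH="$(git log -1 --format=%ct 2>/dev/null || printf '%s' "${VAR_DATE_EPOCH}")"`. `VAR_DATE="$(date +%F)"` is also the only local-time stamp here while every other date uses `-u`; since it feeds `SPDX-CreationInfo` in the generated README, `date -u +%F` keeps the build metadata consistent with `VAR_ISO8601`.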
@@ -14,46 +14,41 @@ guard_sourcing ### Definition of MUST set global variables. -declare -gr VAR_BASH_VER="$(bash --version | head -n1 | awk '{ - # Print $4 and $5; include $6 only if it exists - out = $4 - if (NF >= 5) out = out " " $5 - if (NF >= 6) out = out " " $6 - print out -}')" -declare -gr VAR_HOST="$(uname -n)" -declare -gr VAR_DATE_EPOCH="$(date -u +%s)" -declare -gr VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" -declare -gr VAR_DATE_INFO="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%S %z')" declare -gr VAR_KERNEL_INF="$(mktemp)" -declare -gr VAR_KERNEL_TMP="$(mktemp)" declare -gr VAR_KERNEL_SRT="$(mktemp)" +declare -gr VAR_KERNEL_TMP="$(mktemp)" declare -gr VAR_NOTES="$(mktemp)" -declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log" +declare -gr LOG_ERROR="/tmp/cdlb_${VAR_ISO8601}_error.log" touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}" -declare -g VAR_ARCHITECTURE="" -declare -g VAR_HANDLER_BUILD_DIR="" -declare -g VAR_HANDLER_CDI="false" +declare -g __umask="" +declare -g VAR_ARCHITECTURE="" +declare -g VAR_HANDLER_BUILD_DIR="" +declare -g VAR_HANDLER_CDI="false" +declare -g VAR_HANDLER_NETCUP_IPV6="false" +declare -g VAR_HANDLER_SPLASH="" +declare -g VAR_HASHED_PWD="" +declare -g VAR_SCRIPT_SUCCESS="false" +declare -g VAR_SSHFP="false" +declare -g VAR_SSHPORT="" +declare -g VAR_SSHPUBKEY="" +declare -g VAR_SUITE="trixie" +declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=() +declare -ga ARY_HANDLER_JUMPHOST=() +declare -ga ARY_HANDLER_NETCUP_IPV6=() declare -gi VAR_HANDLER_DHCP=0 -declare -g VAR_HANDLER_SPLASH="" -declare -g VAR_SSHPORT="" -declare -g VAR_SSHPUBKEY="" -declare -g VAR_SCRIPT_SUCCESS="false" -declare -g VAR_SUITE="bookworm" -declare -g VAR_HANDLER_NETCUP_IPV6="false" -declare -g VAR_HASHED_PWD="" -declare -g VAR_SSHFP="false" -declare -gi VAR_HANDLER_STA=0 declare -gi VAR_HANDLER_PRIORITY=0 +declare -gi VAR_HANDLER_STA=0 declare -gi VAR_REIONICE_CLASS=2 declare -gi VAR_REIONICE_PRIORITY=4 declare -gr 
VAR_CHROOT_DIR="chroot" declare -gr VAR_PACKAGES_FILE="chroot.packages.live" -declare -ga ARY_HANDLER_JUMPHOST=() -declare -ga ARY_HANDLER_NETCUP_IPV6=() -declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=() +declare -gx VAR_SIGNER="false" +declare -gx VAR_SIGNING_KEY_FPR="" +declare -gx VAR_SIGNING_KEY_PASS="" +declare -gx VAR_SIGNING_KEY_PASSFILE="" +declare -gx VAR_SIGNING_KEY="" ### Definition of error codes declare -gir ERR_UNCRITICAL=127
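Review bot: `declare -gx VAR_SIGNING_KEY_PASS=""` exports the signing-key passphrase into the environment of every child process the builder spawns (and thus into `/proc/<pid>/environ`, `set -x` traces and anything that dumps `env`), while gpg already receives it through `VAR_SIGNING_KEY_PASSFILE`; unless a child process really reads it, `declare -g VAR_SIGNING_KEY_PASS=""` keeps it in the parent shell only. `LOG_ERROR="/tmp/cdlb_${VAR_ISO8601}_error.log"` is a predictable name in a shared directory and the following `touch` follows a pre-existing symlink there, so the path should come from `mktemp` as `VAR_NOTES` and the kernel temp files above already do, e.g. `declare -gr LOG_ERROR="$(mktemp "/tmp/cdlb_${VAR_ISO8601}_error.XXXXXX")"` (mktemp creates it 0600, so the `chmod` becomes redundant). The colons from `%H:%M:%S` in `VAR_ISO8601` also land in that file name, which is legal on Linux but awkward to copy and breaks if the log is ever moved to a non-POSIX filesystem.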