msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.384.2025.11.06
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m37s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m9s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-06 19:59:22 +01:00
parent d436346343
commit ef87becefe
93 changed files with 2021 additions and 1229 deletions
Download Patch File Download Diff File Expand all files Collapse all files

87
lib/lib_arg_parser.sh
View File

@@ -33,6 +33,10 @@ guard_sourcing
# VAR_ISO8601
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SIGNER
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
# VAR_SSHFP
# VAR_SSHPORT
# VAR_SSHPUBKEY
@@ -119,7 +123,7 @@ arg_parser() {
printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
exit "${ERR_NOTABSPATH}"
fi
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/cdlb_${VAR_ISO8601}_build.log"
shift 2
;;
@@ -294,20 +298,25 @@ arg_parser() {
--root-password-file)
declare pw_file="${2}"
if [[ -z "${pw_file}" ]]; then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file missing password file path argument.\e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_MISS_PWD_P}"
fi
if [[ ! -f "${pw_file}" ]]; then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_MISS_PWD_F}"
fi
declare owner
@@ -335,32 +344,42 @@ arg_parser() {
fi
declare plaintext_pw
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
### No tracing for security reasons ----------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
if ! IFS= read -r plaintext_pw < "${pw_file}"; then
:
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
### Turn on tracing again --------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
declare pw_length
pw_length=${#plaintext_pw}
if (( pw_length < 20 || pw_length > 64 )); then
if (( pw_length < 42 || pw_length > 64 )); then
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
printf "\e[91m❌ Error: --root-password-file password MUST be between 42 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_PASS_LENGH}"
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
### No tracing for security reasons ----------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
if [[ "${plaintext_pw}" == *\"* ]]; then
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_PASS_PLICY}"
fi
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
### Turn on tracing again --------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
declare salt
set +o pipefail
@@ -371,53 +390,81 @@ arg_parser() {
set -o pipefail
declare hash_temp
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
### No tracing for security reasons ----------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
### Turn on tracing again --------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
# shellcheck disable=SC2034
declare -g VAR_HASHED_PWD="${hash_temp}"
unset hash_temp plaintext_pw
sync
if shred -vfzu -n 5 "${pw_file}" > /dev/null 2>&1; then
printf "\e[92m✅ Password file '%s': shred -vfzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1
if shred -fzu -n 5 "${pw_file}" > /dev/null 2>&1; then
printf "\e[92m✅ Password file '%s': shred -fzu -n 5 >> done. \e[0m\n" "${pw_file}" > /dev/null 2>&1
else
printf "\e[91m❌ Password file '%s': shred -vfzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1
printf "\e[91m❌ Password file '%s': shred -fzu -n 5 >> NOT successful. \e[0m\n" "${pw_file}" > /dev/null 2>&1
fi
sync
shift 2
;;
--signing_key=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNER="true"
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY="${1#*=}"
shift 1
;;
--signing_key_fpr=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY_FPR="${1#*=}"
shift 1
;;
--signing_key_pass=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_KEY_PASS="${1#*=}"
shift 1
;;
--ssh-port)
if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
# shellcheck disable=SC2034
declare -gi VAR_SSHPORT="${2}"
declare -gix VAR_SSHPORT="${2}"
shift 2
else
if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
printf "\e[91m❌ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR__SSH__PORT}"
fi
;;
--sshfp)
# shellcheck disable=SC2034
declare -g VAR_SSHFP="true"
# shellcheck disable=SC2034
declare -gx VAR_SSHFP="true"
shift 1
;;
--ssh-pubkey)
# shellcheck disable=SC2034
declare -g VAR_SSHPUBKEY="${2}"
# shellcheck disable=SC2034
declare -gx VAR_SSHPUBKEY="${2}"
shift 2
;;
--trixie)
# shellcheck disable=SC2034
declare -g VAR_SUITE="trixie"
# shellcheck disable=SC2034
declare -gx VAR_SUITE="trixie"
shift 1
;;

13
lib/lib_arg_priority_check.sh
View File

@@ -15,6 +15,7 @@ guard_sourcing
#######################################
# Check and setup Script Priorities
# Globals:
# BASH_SOURCE
# VAR_HANDLER_PRIORITY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
@@ -24,18 +25,18 @@ guard_sourcing
# 0: on success
#######################################
arg_priority_check() {
declare var
declare var=""
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Check if nice PRIORITY is set and adjust nice priority.
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
if [[ "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
if command -v renice >/dev/null; then
renice "${VAR_HANDLER_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
# sleep 1
unset var
else
@@ -53,8 +54,6 @@ arg_priority_check() {
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
# sleep 1
unset var
else
@@ -64,6 +63,8 @@ arg_priority_check() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.

11
lib/lib_cdi.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# CISS.debian.installer 'GRUB' and 'Autostart' generator.
# CISS.debian.installer 'GRUB' and 'autostart' generator.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
@@ -30,24 +30,19 @@ cdi() {
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
touch "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin"
fi
cp "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
declare tmp_entry
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
linux /live/vmlinuz-${VAR_KERNEL} boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF

5
lib/lib_change_splash.sh
View File

@@ -15,6 +15,7 @@ guard_sourcing
#######################################
# Change Grub Boot Screen Splash
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_SPLASH
# VAR_WORKDIR
@@ -24,6 +25,8 @@ guard_sourcing
# 0: on success
#######################################
change_splash() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
@@ -42,6 +45,8 @@ change_splash() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.

5
lib/lib_check_dhcp.sh
View File

@@ -15,6 +15,7 @@ guard_sourcing
#######################################
# Check if hardened Centurion DNS servers are desired.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_DHCP
# VAR_WORKDIR
# Arguments:
@@ -23,10 +24,14 @@ guard_sourcing
# 0: on success
#######################################
check_dhcp() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.

18
lib/lib_check_hooks.sh
View File

@@ -13,8 +13,10 @@
guard_sourcing
#######################################
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Check and apply 0755 Permissions on every '"${VAR_HANDLER_BUILD_DIR}"/./config/hooks/live/*.chroot'-file.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_WORKDIR
# Arguments:
# None
@@ -22,11 +24,15 @@ guard_sourcing
# 0: on success
# ERR_UNCRITICAL: on failure
#######################################
check_hooks() {
x_hooks() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare ifs
ifs=$'\n\t'
shopt -s nullglob
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
declare -a files=("${VAR_HANDLER_BUILD_DIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
@@ -43,9 +49,13 @@ check_hooks() {
done
shopt -u nullglob
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_hooks
readonly -f x_hooks
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

7
lib/lib_check_kernel.sh
View File

@@ -26,12 +26,9 @@ guard_sourcing
#######################################
check_kernel() {
clear
declare -i counter=1
declare first_string=""
declare line=""
declare -gx VAR_KERNEL=""
declare name=""
declare options=""
declare -i counter=1
declare first_string="" line="" name="" options=""
if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then

38
lib/lib_check_pkgs.sh
View File

@@ -14,27 +14,32 @@ guard_sourcing
#######################################
# Check for required Deb Packages to run the script.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_AUTOBUILD
# Arguments:
# None
# Returns:
# 0: on success
#######################################
check_pkgs() {
apt-get update > /dev/null 2>&1
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ -z "$(command -v batcat || true)" ]]; then
apt-get update -qq > /dev/null 2>&1
apt-get install -y --no-install-recommends bat
fi
if [[ -z "$(command -v lsb_release || true)" ]]; then
if ! command -v lsb_release >/dev/null 2>&1; then
apt-get install -y --no-install-recommends lsb-release
fi
if [[ -z "$(command -v debootstrap || true)" ]]; then
if ! command -v batcat >/dev/null 2>&1; then
apt-get install -y --no-install-recommends bat
fi
if ! command -v debootstrap >/dev/null 2>&1; then
if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
@@ -50,15 +55,21 @@ check_pkgs() {
fi
if ! command -v gpg >/dev/null 2>&1; then
apt-get install -y --no-install-recommends gnupg gpgv gpg-agent pinentry-curses gnupg-utils
fi
if [[ ! -f /usr/share/live/build/VERSION ]]; then
apt-get install -y live-build
fi
if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
if [[ "${VAR_HANDLER_AUTOBUILD}" == "false" ]]; then
if [[ -z "$(command -v dialog || true)" ]]; then
if ! command -v dialog >/dev/null 2>&1; then
apt-get install -y --no-install-recommends dialog
@@ -66,16 +77,13 @@ check_pkgs() {
fi
if [[ -z "$(command -v mkpasswd || true)" ]]; then
if ! command -v mkpasswd >/dev/null 2>&1; then
apt-get install -y --no-install-recommends whois
fi
# shellcheck disable=SC2034,SC2155
declare -gr VAR_LB_VER="$(lb -v)"
# shellcheck disable=SC2034,SC2155
declare -gr VAR_DS_VER="$(debootstrap --version)"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}

4
lib/lib_check_provider.sh
View File

@@ -14,6 +14,10 @@ guard_sourcing
#######################################
# Notes Textbox.
# Globals:
# VAR_GIT_REL
# VAR_NOTES
# VAR_VERSION
# Arguments:
# None
# Returns:

7
lib/lib_check_var.sh
View File

@@ -17,9 +17,10 @@ guard_sourcing
# Globals:
# ERR_UNBOUNDVAR
# Arguments:
# $1: VAR_NAME to check
# 1: VAR_NAME to check
# Returns:
# {ERR_UNBOUNDVAR: on failure
# 0: on success
# ERR_UNBOUNDVAR: on failure
#######################################
check_var() {
declare var_name_to_check="$1"
@@ -43,6 +44,8 @@ check_var() {
return "${ERR_UNBOUNDVAR}"
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034

50
lib/lib_ciss_upgrades_boot.sh Normal file
View File

@@ -0,0 +1,50 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Integrates primordial SSH identity- and / or ssh_host-files.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASSFILE
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_upgrades_boot() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Updates '/usr/lib/live/boot/0030-verify-checksums'.
install -D -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512"
declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512.sig"
declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
sha512sum "${var_fil}" >| "${var_sha}"
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
--detach-sign --output "${var_sig}" "${var_sha}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_upgrades_boot
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
lib/lib_ciss_upgrades.sh → lib/lib_ciss_upgrades_build.sh
View File

@@ -13,19 +13,30 @@
guard_sourcing
#######################################
# Wrapper to update '/usr/lib/live/build/...' scripts.
# Module to update '/usr/lib/live/build/...' scripts.
# Globals:
# SCRIPT_BASEPATH
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# BASH_SOURCE
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_upgrades() {
ciss_upgrades_build() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### CISS signing binary-checksums override.
if [[ ! -e /usr/lib/live/build/binary_checksums.original ]]; then
cp /usr/lib/live/build/binary_checksums /usr/lib/live/build/binary_checksums.original
chmod 0444 /usr/lib/live/build/binary_checksums.original
fi
rm -f /usr/lib/live/build/binary_checksums
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_checksums.sh" /usr/lib/live/build/binary_checksums
### https://wiki.debian.org/ReproducibleInstalls/LiveImages
### https://reproducible-builds.org/docs/system-images/
### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then
cp /usr/lib/live/build/binary_rootfs /usr/lib/live/build/binary_rootfs.original
chmod 0444 /usr/lib/live/build/binary_rootfs.original
@@ -40,5 +51,5 @@ ciss_upgrades() {
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_upgrades
readonly -f ciss_upgrades_build
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

59
lib/lib_clean_up.sh
View File

@@ -13,33 +13,88 @@
guard_sourcing
#######################################
# Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
# Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
# Globals:
# VAR_CDLB_INSIDE_RUNNER
# GNUPGHOME
# LOG_ERROR
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL_INF
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# VAR_NOTES
# VAR_WORKDIR
# Arguments:
# 1 : ${trap_on_exit_code} of trap_on_exit()
# Returns:
# 0: on success
#######################################
clean_up() {
declare clean_exit_code="$1"
declare clean_exit_code="$1" fs_type=""
shopt -s nullglob dotglob
rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}"
rm -f -- "${VAR_NOTES}"
# Release advisory lock on FD 127.
flock -u 127
# Close file descriptor 127.
exec 127>&-
# Remove the lockfile artifact.
rm -f /run/lock/ciss_live_builder.lock
# Removes the error log on clean exit.
if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
# Cleaning TCP wrapper artifacts.
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
rm -f "${VAR_WORKDIR}/hosts.allow"
fi
if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then
rm -f "${VAR_WORKDIR}/hosts.deny"
fi
# Kill gpg-agent and remove artifacts securely.
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" && "${GNUPGHOME}" == /dev/shm/cdlb_*_gnupg ]]; then
gpgconf --kill gpg-agent >/dev/null 2>&1 || true
fs_type="$(stat -f -c %T "${GNUPGHOME}" 2>/dev/null || echo "GNUPGHOME: unknown fs.")"
if [[ "${fs_type}" == "tmpfs" || "${fs_type}" == "ramfs" ]]; then
rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true
else
chmod -R u+rwX "${GNUPGHOME}" >/dev/null 2>&1 || true
find "${GNUPGHOME}" -type f -exec shred -fuz -n 2 -- {} + 2>/dev/null || true
find "${GNUPGHOME}" \( -type s -o -type p -o -type l \) -delete 2>/dev/null || true
rm -rf --one-file-system -- "${GNUPGHOME}" 2>/dev/null || true
fi
fi
fi
# Removes secrets securely.
# shellcheck disable=SC2312
find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 -- no-run-if-empty shred -fzu -n 5 --
find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
shopt -u nullglob dotglob
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f clean_up
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

11
lib/lib_contact.sh
View File

@@ -13,9 +13,11 @@
#######################################
# Contact Wrapper CISS.debian.live.builder
# Globals:
# none
# None
# Arguments:
# none
# None
# Returns:
# 0: on success
#######################################
contact() {
clear
@@ -38,5 +40,10 @@ $(echo -e "\e[95m 🌐 https://coresecret.eu/spenden/ \e[0m")
$(echo -e "\e[97m################################################################################ \e[0m")
EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f contact
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

15
lib/lib_copy_integrity.sh
View File

@@ -18,23 +18,28 @@ guard_sourcing
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# None
# Returns:
# 0 : Aide Init DB copying successful.
# 0 : on success
#######################################
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ '%s' NOT successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f copy_db
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

34
lib/lib_debug.sh
View File

@@ -13,47 +13,63 @@
guard_sourcing
#######################################
# Debugger Wrapper for xtrace to Debug Log
# Debugger module for xtrace to debug log.
# Globals:
# BASH_SOURCE
# BASH_XTRACEFD
# LOG_DEBUG
# LOG_VAR
# PS4
# SHELLOPTS
# VAR_DUMP_VARS_INITIAL
# VAR_EARLY_DEBUG
# var
# VAR_ISO8601
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
debugger() {
### Capture an initial snapshot of all variables (excluding '^(BASH|_).*')
# shellcheck disable=SC2155
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
# shellcheck disable=SC2312
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${VAR_DUMP_VARS_INITIAL}"
declare -gx VAR_EARLY_DEBUG="true"
### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
declare -grx LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
declare -grx PS4='\e[97m+\e[96m[${EPOCHREALTIME}]\e[97m:\e[94m[$$]\e[97m:\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[97m:\e[93m[${?}]\e[97m:\e[95m[${FUNCNAME[0]:-main}()]\e[97m>>\e[0m '
declare -grx LOG_DEBUG="/tmp/cdlb_${VAR_ISO8601}_debug.log"
declare -grx LOG_VAR="/tmp/cdlb_${VAR_ISO8601}_var.log"
### Generates empty LOG_DEBUG and LOG_VAR
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
### Open file descriptor 42 for writing to the debug log
exec 42>| "${LOG_DEBUG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
debug_header "$#" "$*"
### Tell Bash to send xtrace output to FD 42
export BASH_XTRACEFD=42
### Enable inheritable shell options
export SHELLOPTS
### Turn on xtrace
set -x
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f debugger
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

17
lib/lib_debug_header.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# Generates Debug Log Header
# Generates the debug log header.
# Globals:
# BASHOPTS
# BASH_VERSINFO
@@ -22,21 +22,27 @@ guard_sourcing
# HOSTNAME
# PPID
# PWD
# SHELLOPTS
# SOURCE_DATE_EPOCH
# UID
# VAR_GIT_REL
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
# $2: Argument String $*
# 0: Script Name $0
# 1: Argument Counter $#
# 2: Argument String $*
#######################################
debug_header() {
declare -r arg_counter="$1"
declare -r arg_string="$2"
# shellcheck disable=SC2312
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
printf "\e[97m+\e[0m\e[92m%s: Git Commit : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_REL}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Source Date Epoch : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SOURCE_DATE_EPOCH}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
@@ -58,4 +64,7 @@ debug_header() {
printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
} >&42
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f debug_header
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

36
lib/lib_git_var.sh
View File

@@ -1,36 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Define Git Repo related Variables.
# Globals:
# VAR_GIT_HEAD
# VAR_GIT_REL
# VAR_GIT_REL_DATE
# VAR_GIT_REL_DATE_TIME
# VAR_GIT_REL_SHORT
# Arguments:
# None
#######################################
check_git() {
# shellcheck disable=SC2155
if git rev-parse --is-inside-work-tree &>/dev/null; then
declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

87
lib/lib_gnupg.sh Normal file
View File

@@ -0,0 +1,87 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Init GNUPGHOME.
# Globals:
# BASH_SOURCE
# GNUPGHOME
# VAR_CDLB_INSIDE_RUNNER
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_ISO8601
# VAR_SIGNER
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
# VAR_SIGNING_KEY_PASSFILE
# VAR_TMP_SECRET
# VAR_VERIFY_KEYRING
# Arguments:
# None
# Returns:
# 0: on success
#######################################
init_gnupg() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_SIGNER}" == "true" ]]; then
__umask=$(umask)
umask 0077
### Avoid collision with Gitea runner workflows.
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
declare -grx GNUPGHOME="/dev/shm/cdlb_${VAR_ISO8601}_gnupg"
# shellcheck disable=SC2174
mkdir -p -m 0700 "${GNUPGHOME}"
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
gpgconf --reload gpg-agent || true
fi
gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx"
declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}"
### No tracing for security reasons ------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
declare __pw=""
__pw="$(<"${VAR_SIGNING_KEY_PASSFILE}")"; __pw="${__pw%$'\r'}"; printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}"
__pw="" && unset __pw
### Turn on tracing again ----------------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
umask "${__umask}"
__umask=""
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f init_gnupg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

8
lib/lib_guard_sourcing.sh
View File

@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Prevent the caller LIB-file from being sourced twice.
# Prevents the caller LIB-file from being sourced twice.
# Derive a safe guard-variable name from the caller script filename.
# Globals:
# BASH_SOURCE
# Arguments:
# $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# 1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
# Returns:
# 0: Returns '0' in both cases as they are intended to be successful.
#######################################
@@ -37,6 +37,10 @@ guard_sourcing() {
### Mark as loaded (readonly + exported)
declare -grx "${var_guard_var}"=1
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f guard_sourcing
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
lib/lib_hardening_root_pw.sh
View File

@@ -15,18 +15,22 @@ guard_sourcing
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# None
# Returns:
# 0: In case no root password is desired.
# 0: on success
#######################################
hardening_root_pw() {
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
return 0
fi
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
@@ -79,5 +83,12 @@ EOF
#chmod -x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setup Root Password for Console done. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_root_pw
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

43
lib/lib_hardening_ssh.sh → lib/lib_hardening_ssh_tcp.sh
View File

@@ -13,17 +13,33 @@
guard_sourcing
#######################################
# SSH Hardening Ultra via TCP Wrapper
# SSH hardening via TCP wrapper.
# Globals:
# ARY_HANDLER_JUMPHOST
# BASH_SOURCE
# VAR_WORKDIR
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
hardening_ssh() {
hardening_ssh_tcp() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -37,9 +53,20 @@ hardening_ssh() {
EOF
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
printf 'sshd: %s\n\n# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -59,7 +86,15 @@ EOF
ALL: ALL
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_ssh_tcp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

162
lib/lib_hardening_ultra.sh
View File

@@ -13,24 +13,29 @@
guard_sourcing
#######################################
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# BASH_SOURCE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHFP
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_ultra() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
# shellcheck disable=SC2164
cd "${VAR_WORKDIR}"
### ./config/bootloaders
### ./config/bootloaders -----------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
@@ -47,7 +52,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
### ./config/includes.binary
### ./config/includes.binary -------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
@@ -64,7 +69,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
### ./config/includes.chroot
### ./config/includes.chroot -------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
@@ -85,7 +90,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
### ./config/hooks/early
### ./config/hooks/early -----------------------------------------------------------------------------------------------------
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
@@ -106,7 +111,7 @@ hardening_ultra() {
fi
### ./config/hooks/live
### ./config/hooks/live ------------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
@@ -123,7 +128,7 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
### ./config/package-lists ---------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
@@ -167,150 +172,82 @@ hardening_ultra() {
}
print
}
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" >| temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
### Updating SSH Keys, Ports.
### Updating SSH Keys, Ports -------------------------------------------------------------------------------------------------
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
### Check for static SSHFP key material via Gitea Actions Runner Secrets injection.
if [[ "${VAR_SSHFP}" == "true" ]]; then
### ./config/includes.chroot/root/.ssh ---------------------------------------------------------------------------------------
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
declare -r sshport="${VAR_SSHPORT:-22}"
else
### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155
declare pad="$(printf '%-29s' 'Port')"
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
### /config/hooks/live/9950_hardening_fail2ban.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
fi
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
### /config/includes.chroot/root/.ssh
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155
declare pad="$(printf '%-29s' 'Port')"
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
declare line
### /config/hooks/live/9950_hardening_fail2ban.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
if [[ -z "${line}" ]]; then
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
else
declare host
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
declare -r sshport="${VAR_SSHPORT:-22}"
((line++))
### /config/includes.chroot/etc/ssh/sshd_config
# shellcheck disable=SC2155
declare pad="$(printf '%-29s' 'Port')"
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
### /config/hooks/live/9950_hardening_fail2ban.chroot
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
### /config/hooks/live/0900_ufw_setup.chroot
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then
printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
exit 1
fi
declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done
fi
done
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
### /config/includes.chroot/etc/hosts.allow
### ./config/includes.chroot/etc/hosts. --------------------------------------------------------------------------------------
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
mv "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
mv "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
### /config/hooks/live/9950_hardening_fail2ban.chroot
### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
@@ -338,5 +275,12 @@ hardening_ultra() {
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_ultra
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

16
lib/lib_helper_ip.sh
View File

@@ -13,26 +13,32 @@
guard_sourcing
#######################################
# IP Notation cleaner for pure IP output only
# IP notation cleaner for pure IP output only.
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
clean_ip() {
declare host
declare stripped
declare host="" stripped=""
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
# Skip if it contains a slash (CIDR range)
if [[ ${stripped} == */* ]]; then
if [[ ${stripped} == */* ]]; then
continue
fi
# Directly append, no duplicate check
# shellcheck disable=SC2034
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f clean_ip
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

14
lib/lib_lb_build_start.sh
View File

@@ -15,7 +15,7 @@ guard_sourcing
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# SCRIPT_BASEPATH
# VAR_WORKDIR
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
@@ -25,23 +25,29 @@ guard_sourcing
# ERR_UNCRITICAL: on failure
#######################################
lb_build_start() {
declare -i var_build_rc=""
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# shellcheck disable=SC2164
cd "${SCRIPT_BASEPATH}"
cd "${VAR_WORKDIR}"
# shellcheck disable=SC2164
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2312
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"
var_build_rc=${PIPESTATUS[0]}
if [[ "${var_build_rc}" -eq 0 ]]; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
exit "${ERR_UNCRITICAL}"
exit "${var_build_rc}"
fi

44
lib/lib_lb_config_start.sh
View File

@@ -15,12 +15,15 @@ guard_sourcing
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# Arguments:
# 0: Script-name
# None
# Returns:
# 0: on success
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
@@ -36,30 +39,27 @@ lb_config_start() {
fi
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
disown
sleep 1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Preparing environment done.\e[0m\n"
else
if [[ -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Deleting former config, binary and cache ... \e[0m\n"
rm -f ./config/binary
rm -f ./config/bootstrap
rm -f ./config/chroot
rm -f ./config/common
rm -f ./config/source
rm -f ./*.{contents,files,iso,bz2,packages}
# Start lb clean in a completely detached shell
bash -c "lb clean && lb clean --binary --cache" &
disown
sleep 1
lb clean --binary --cache --purge --source
if [[ "${PWD}" == "${VAR_HANDLER_BUILD_DIR}" && "${PWD}" != "/" && -n "${PWD}" ]]; then
rm -rf -- ./* ./.??*
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Deleting former config, binary and cache done.\e[0m\n"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f lb_config_start
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

115
lib/lib_lb_config_write.sh
View File

@@ -1,115 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_ISO_COUNTER
# VAR_KERNEL
# VAR_VERSION
# VAR_WORKDIR
# Arguments:
# None
#######################################
lb_config_write() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution bookworm \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution bookworm \
--distribution-binary bookworm \
--distribution-chroot bookworm \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb/debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution bookworm \
--parent-distribution bookworm \
--parent-distribution-binary bookworm \
--parent-distribution-chroot bookworm \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot auto \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

35
lib/lib_lb_config_write_trixie.sh
View File

@@ -15,18 +15,19 @@ guard_sourcing
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# BASH_SOURCE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_ISO_COUNTER
# VAR_KERNEL
# VAR_VERSION
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
lb_config_write_trixie() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
@@ -41,10 +42,10 @@ lb_config_write_trixie() {
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--checksums sha512 sha384 sha256 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
@@ -104,33 +105,10 @@ lb_config_write_trixie() {
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/' ./config/binary
### Update 0030-verify-checksums
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
### Installing PGP Public Keys for signature verification.
#mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
#install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg"
#install -m 0444 -o root -g root "${VAR_WORKDIR}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg"
#### Installing PGP Private Deploy Key for signature creation
#mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys"
#cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/cdlb/private_keys/"
#{{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
#EOF
#if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
# : >| /root/.config/sops/age/keys.txt
#fi
#chmod 0400 /root/.config/sops/age/keys.txt
### https://wiki.debian.org/ReproducibleInstalls/LiveImages
### https://reproducible-builds.org/docs/system-images/
@@ -156,6 +134,7 @@ EOF
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}

11
lib/lib_note_target.sh
View File

@@ -13,6 +13,15 @@
#######################################
# Version file generator for '/root/cdlb.txt' of Live ISO.
# Globals:
# BASH_SOURCE
# SOURCE_DATE_EPOCH
# VAR_BASH_VER
# VAR_DATE_INFO
# VAR_DS_VER
# VAR_GIT_REL
# VAR_HANDLER_BUILD_DIR
# VAR_HOST
# VAR_LB_VER
# VAR_VERSION
# Arguments:
# None
@@ -31,6 +40,7 @@ note_target() {
Version : ${VAR_VERSION}
Git : ${VAR_GIT_REL}
Epoch : ${SOURCE_DATE_EPOCH}
Date : ${VAR_DATE_INFO}
Host : ${VAR_HOST}
Bash : ${VAR_BASH_VER}
@@ -63,6 +73,7 @@ export CDLB_CR_HOST="${VAR_HOST}"
export CDLB_BASHVER="${VAR_BASH_VER}"
export CDLB_DS_VER="${VAR_DS_VER}"
export CDLB_LB_VER="${VAR_LB_VER}"
export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
EOF
chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"

63
lib/lib_primordial.sh Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Integrate primordial SSH identity files.
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHFP
# VAR_TMP_SECRET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
init_primordial() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! "${VAR_SSHFP,,}" == "true" ]]; then
if compgen -G "${VAR_TMP_SECRET}/id*" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"*
fi
if compgen -G "${VAR_TMP_SECRET}/ssh_host_*" > /dev/null; then
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"*
fi
else
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
install -m 0600 "${VAR_TMP_SECRET}/id"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/id"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/id"*
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh"
install -m 0600 "${VAR_TMP_SECRET}/ssh_host_"* "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ssh/"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/ssh_host_"* 2>/dev/null || rm -f "${VAR_TMP_SECRET}/ssh_host_"*
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f init_primordial
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
lib/lib_provider_netcup.sh
View File

@@ -13,12 +13,21 @@
guard_sourcing
#######################################
# Notes Textbox
# Module for Netcup static IPv6 address.
# Globals:
# ARY_HANDLER_NETCUP_IPV6
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_NETCUP_IPV6
# VAR_WORKDIR
# Arguments:
# None
# None
# Returns:
# 0: on success
#######################################
provider_netcup() {
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
@@ -29,19 +38,25 @@ provider_netcup() {
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
### dns01.eddns.eu dns02.eddns.de
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53
### dns01.eddns.eu dns02.eddns.de dns03.eddns.eu
dns-nameservers 2a01:4f9:c012:a813:135:181:207:105 2a0a:4cc0:1:e6:89:58:62:53 2a01:4f8:c013:8011:138:199:237:109
gateway fe80::1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f provider_netcup
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
lib/lib_trap_on_err.sh
View File

@@ -138,7 +138,9 @@ readonly -f print_scr_err
# ERRFUNC
# ERRLINE
# ERRSCRT
# ERRTRAP
# VAR_EARLY_DEBUG
# VAR_HANDLER_AUTOBUILD
# Arguments:
# 1: $?
# 2: ${BASH_SOURCE[0]}

98
lib/lib_usage.sh
View File

@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V8.13.296.2025.10.29 2025-10-07 CLB(1)" "${var_cols}")
declare var_footer=$(center "V8.13.384.2025.11.06 2025-11-07 CLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V8.13.296.2025.10.29\e[0m"
echo -e "\e[92mMaster V8.13.384.2025.11.06\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -57,70 +57,64 @@ usage() {
echo " What you're looking at."
echo
echo -e "\e[97m --autobuild=*, -a=* \e[0m"
echo " Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
echo " selector dialog. Change '*' to your desired Linux kernel and trim the"
echo " 'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
echo " Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel selector dialog."
echo " Change '*' to your desired Linux kernel and trim the 'linux-image-' string to select a specific kernel,"
echo " e.g. '--autobuild=6.12.30+bpo-amd64'."
echo
echo -e "\e[97m --architecture <STRING> one of <amd64 | arm64> \e[0m"
echo " A string reflecting the architecture of the Live System."
echo " MUST be provided."
echo
echo -e "\e[97m --build-directory </path/to/build_directory> \e[0m"
echo " RECOMMENDED path: </opt/cdlb>"
echo " Where the Debian Live Build Image should be generated."
echo " MUST be provided."
echo
echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m"
echo " A string reflecting the Grub Boot Screen Splash you want to use."
echo " If omitted defaults to './.archive/background/club.png'."
echo " A string reflecting the Grub Boot Screen Splash you want to use. If omitted defaults to:"
echo " <./.archive/background/club.png>"
echo
echo -e "\e[97m --cdi (Experimental Feature)\e[0m"
echo " This option generates a boot menu entry to start the forthcoming"
echo " 'CISS.debian.installer', which will be executed after"
echo " the system has successfully booted up."
echo " This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
echo " once the system has successfully booted up."
echo
echo -e "\e[97m --contact, -c\ e[0m"
echo " Show author contact information."
echo
echo -e "\e[97m --control <INTEGER>\e[0m"
echo " An integer that reflects the version of your Live ISO Image."
echo -e "\e[97m --control <STRING>\e[0m"
echo " A string, that reflects the version of your Live ISO Image."
echo " MUST be provided."
echo
echo -e "\e[97m --debug, -d \e[0m"
echo " Enables debug logging for the main program routine. Detailed logging"
echo " information are written to '/tmp/ciss_live_builder_$$.log'."
echo " Enables debug logging for the main program routine. Detailed logging information are written to:"
echo " </tmp/ciss_live_builder_$$.log>"
echo
echo -e "\e[97m --dhcp-centurion \e[0m"
echo " If a DHCP lease is provided, the provider's nameserver will be overridden,"
echo " and only the hardened, privacy-focused Centurion DNS servers will be used:"
echo " If a DHCP lease is provided, the provider's name server will be overridden and the hardened, privacy-focused "
echo " Centurion DNS servers will be used instead:"
echo " - https://dns01.eddns.eu/"
echo " - https://dns02.eddns.de/"
echo " - https://dns03.eddns.eu/"
echo
echo -e "\e[97m --jump-host <IP | IP | ... > \e[0m"
echo " Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
echo " Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
echo " If provided, than it MUST be a <SPACE> separated list."
echo " Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6 "
echo " addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list."
echo " IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
echo
echo -e "\e[97m --log-statistics-only\e[0m"
echo " Provides statistic only after successful building a"
echo " CISS.debian.live-ISO. While enabling '--log-statistics-only'"
echo " the argument '--build-directory' MUST be provided while"
echo " all further options MUST be omitted."
echo " Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
echo " the argument '--build-directory' MUST be provided."
echo
echo -e "\e[97m --provider-netcup-ipv6 \e[0m"
echo " Activates IPv6 support for Netcup Root Server. One unique"
echo " IPv6 address MUST be provided in this case and MUST be encapsulated"
echo " with [], e.g., [1234::abcd]."
echo " Activates IPv6 support for Netcup Root Server. One unique IPv6 address MUST be provided in this case and MUST be"
echo " encapsulated with [], e.g., [1234::abcd]."
echo
echo -e "\e[97m --renice-priority <PRIORITY> \e[0m"
echo " Reset the nice priority value of the script and all its children"
echo " to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
echo " Negative (higher) values MUST be enclosed in double quotes '\"'."
echo " Reset the nice priority value of the script and all its children to the desired <PRIORITY>. MUST be an integer"
echo " between '-19' and 19. Negative (higher) values MUST be enclosed in double quotes '\"'."
echo
echo -e "\e[97m --reionice-priority <CLASS> <PRIORITY> \e[0m"
echo " Reset the ionice priority value of the script and all its children"
echo " to the desired <CLASS>. MUST be an integer:"
echo " Reset the ionice priority value of the script and all its children to the desired <CLASS>. MUST be an integer:"
echo " 1: realtime"
echo " 2: best-effort"
echo " 3: idle"
@@ -129,31 +123,39 @@ usage() {
echo " 0: highest priority and"
echo " 7: lowest priority."
echo " Defaults to '4'."
echo " A real-time I/O process can significantly slow down other processes"
echo " or even cause them to starve if it continuously requests I/O."
echo " A real-time I/O process can significantly slow down other processes or even cause them to starve if it"
echo " continuously requests I/O."
echo
echo -e "\e[97m --root-password-file </path/to/password.txt> \e[0m"
echo " Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
echo " and MUST NOT contain the special character '\"'."
echo " If the argument is omitted, no further login authentication is required for"
echo " the local console. The root password is hashed with an 16 Byte '/dev/random'"
echo " generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
echo " after Hash generation all Variables containing plain password fragments are"
echo " deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
echo " further prompt after password hash has been successfully generated via:"
echo " 'shred -vfzu 5 -f'."
echo " 'No tracing of any plain text password fragment in any debug log."
echo -e "\e[97m --root-password-file </dev/shm/cdlb_secrets/password.txt>> \e[0m"
echo " Password file for 'root', if given, MUST be a string of 42 to 64 characters."
echo " If the argument is omitted, no further login authentication is required for the local console."
echo " MUST be placed in:"
echo " </dev/shm/cdlb_secrets/password.txt>"
echo
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=* \e[0m"
echo " The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
echo " specified via '--signing_key=*'. If the keyring is passphrase protected provide the passphrase in its own file."
echo " Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
echo " Change '*' to your desired files / fingerprint. Files MUST be placed in:"
echo " </dev/shm/cdlb_secrets>"
echo
echo -e "\e[97m --sshfp \e[0m"
echo " Desired SSH id-files that should be incorporated in '/root/.ssh/id*'."
echo " Desired SSH host-files that should be incorporated in '/etc/ssh/ssh_host_*'."
echo " The respective id-files and / or host-files MUST be placed in:"
echo " </dev/shm/cdlb_secrets/id*> / </dev/shm/cdlb_secrets/ssh_host_*>"
echo
echo -e "\e[97m --ssh-port <INTEGER> \e[0m"
echo " The desired Port SSH should listen to."
echo " If not provided defaults to Port '22'."
echo
echo -e "\e[97m --ssh-pubkey </path/to/.ssh/> \e[0m"
echo " Imports the SSH Public Key from the FILE 'authorized_keys' of the"
echo " specified PATH into the Live ISO. MUST be provided."
echo -e "\e[97m --ssh-pubkey </dev/shm/cdlb_secrets/> \e[0m"
echo " Imports the SSH Public Key from the file 'authorized_keys' into the Live ISO."
echo " Key file MUST be placed in:"
echo " </dev/shm/cdlb_secrets/authorized_keys>"
echo
echo -e "\e[97m --trixie \e[0m"
echo " Create a Debian Trixie Live ISO."
echo " Creates a Debian Trixie Live ISO. If omitted defaults to 'Trixie'. No other Debian Version is supported."
echo
echo -e "\e[97m --version, -v \e[0m"
echo " Show version of ${0}."

26
lib/lib_version.sh
View File

@@ -11,26 +11,20 @@
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Version Wrapper CISS.debian.live.builder
# Version module 'CISS.debian.live.builder'.
# Globals:
# VAR_BASH_VER
# VAR_GIT_REL
# VAR_HOST
# VAR_VERSION
# VAR_VER_DS
# VAR_VER_LB
# Arguments:
# None
# Returns:
# 0: on success
#######################################
version() {
# shellcheck disable=SC2155
declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
# shellcheck disable=SC2155
declare -r var_lb_ver="$(lb -v)"
# shellcheck disable=SC2155
declare -r var_ds_ver="$(debootstrap --version)"
# shellcheck disable=SC2155
declare -r var_host="$(uname -n)"
# shellcheck disable=SC2155
declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
clear
cat << EOF
$(echo -e "\e[97m################################################################################ \e[0m")
@@ -38,7 +32,7 @@ $(echo -e "\e[92m CISS.debian.live.builder from https://git.coresecret.dev/msw
$(echo -e "\e[92m A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
Version : ${VAR_VERSION}
Git : ${var_repo_ver}
Git : ${VAR_GIT_REL}
$(echo -e "\e[97m This program is free software. Distribution and modification under \e[0m")
$(echo -e "\e[97m EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
@@ -47,9 +41,9 @@ $(echo -e "\e[97m EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OW
$(echo -e "\e[95m https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
$(echo -e "\e[97m################################################################################\e[0m")
Using : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
on : ${var_host}
Bash : ${var_bash_ver}
Using : lb (${VAR_VER_LB}) debootstrap (${VAR_VER_DS})
on : ${VAR_HOST}
Bash : ${VAR_BASH_VER}
EOF