V8.02.644.2025.05.31

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-31 00:42:24 +02:00
parent d9fb33376d
commit efa3a5d3aa
49 changed files with 712 additions and 444 deletions


@@ -0,0 +1,169 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
name: Generating private Live ISO.
permissions:
contents: write
on:
push:
branches:
- master
paths:
- '.gitea/autobuild.yaml'
jobs:
generating-ciss-debian-live-iso:
runs-on: ubuntu-latest
### Run all steps inside Debian Bookworm
container:
image: debian:bookworm
options: --user root
steps:
- name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
run: |
rm -rf ~/.ssh && mkdir -m700 ~/.ssh
### Private Key
echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
chmod 600 ~/.ssh/known_hosts
### Generate SSH Config for git.coresecret.dev Custom-Port
cat <<EOF >| ~/.ssh/config
Host git.coresecret.dev
HostName git.coresecret.dev
Port 42842
IdentityFile ~/.ssh/id_ed25519
StrictHostKeyChecking yes
UserKnownHostsFile ~/.ssh/known_hosts
EOF
chmod 600 ~/.ssh/config
### https://github.com/actions/checkout/issues/1843
- name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
run: |
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
env:
### GITHUB_REF_NAME contains the branch name from the push event.
GITHUB_REF_NAME: ${{ github.ref_name }}
- name: Cleaning workspace.
run: |
git reset --hard
git clean -fd
- name: Installing Debian Live-Build and Tools.
run: |
apt-get update
apt-get install -y live-build gnupg curl whois
- name: Importing "CI PGP DEPLOY ONLY" Key.
run: |
### GPG-Home relative to the Runner Workspace to avoid changing global files.
export GNUPGHOME="$(pwd)/.gnupg"
mkdir -m700 "${GNUPGHOME}"
echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
gpg --batch --import ci-bot.sec.asc
### Trust the key automatically
KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
- name: Configuring Git for signed CI DEPLOY commits.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git config user.name "Marc S. Weidner BOT"
git config user.email "msw+bot@coresecret.dev"
git config commit.gpgsign true
git config gpg.program gpg
git config gpg.format openpgp
- name: Preparing Build Environment.
run: |
rm -rf /opt/{config,livebuild}
mkdir -p /opt/{config,livebuild}
echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
chmod 0600 /opt/config/authorized_keys
- name: Starting CISS.debian.live.builder.
run: |
timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
./ciss_live_builder.sh \
--autobuild=6.12.22+bpo-amd64 \
--architecture amd64 \
--build-directory /opt/livebuild \
--control "${timestamp}" \
--debug \
--dhcp-centurion \
--jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
--provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
--renice-priority "-19" \
--reionice-priority 1 2 \
--root-password-file /opt/config/password.txt \
--ssh-port 4242 \
--ssh-pubkey /opt/config
- name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
env:
WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
WEBDAV_USER: ${{ secrets.NC_USER }}
WEBDAV_PASS: ${{ secrets.NC_PASS }}
run: |
### Remove old ISO if exists
curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
### Upload new ISO
curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
### Verify upload
HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
if [ "$HTTP_CODE" -ne 200 ]; then
echo "Upload failed with HTTP status ${HTTP_CODE}"
exit 1
fi
echo "ISO successfully uploaded and verified."
- name: Generating Hash and Signing with Private Key
run: |
:
### TODO: Implement this function
- name: Generating Success Message to Push back into Repo
run: |
:
### TODO: Implement this function
- name: Stage generated files.
run: |
git add !!!!!!!!!!!!!
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Commit and Sign changes.
run: |
export GNUPGHOME="$(pwd)/.gnupg"
git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
env:
GIT_SSH_COMMAND: "ssh -p 42842"
- name: Push back to Repository.
run: |
git push origin HEAD:${GITHUB_REF_NAME}
env:
GIT_SSH_COMMAND: "ssh -p 42842"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
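Review bot: `--control "${timestamp}"` in the build step passes a date string where the `--control` case of arg_parser, changed in this same commit, accepts only an integer between 1 and 65536, so an autobuild run is rejected at argument parsing before live-build starts; pass an integer there, for example the `counter` value that `.gitea/autobuild.yaml` introduces, and use the timestamp only where a string is expected. The later steps still hold placeholders (`git add !!!!!!!!!!!!!`, `NAME.iso` both in `WEBDAV_URL` and in `curl -T NAME.iso`, the two `:` TODO bodies), so the job cannot complete end to end until they are filled in. Populating `~/.ssh/known_hosts` from a live `ssh-keyscan` on every run makes `StrictHostKeyChecking yes` accept whatever key the network presents at that moment, which gives no protection against a substituted host; store the expected host key line as a repository variable and write that into known_hosts instead. `KEY_ID` in the PGP import step is assigned but never read, and `trust-model always` disables trust checks for the whole GNUPGHOME, which is acceptable for a signing-only home but deserves a comment saying so.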

15
.gitea/autobuild.yaml Normal file

@@ -0,0 +1,15 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
build:
counter: 1024
version: V8.02.644.2025.05.31
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml


@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.02.512.2025.05.30"
properties_version="V8.02.644.2025.05.31"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf


@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
PackageVersion: Master V8.02.512.2025.05.30
PackageVersion: Master V8.02.644.2025.05.31
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder


@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.512.2025.05.30-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -43,14 +43,13 @@ Check out more:
> Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped.
> The next step is to move to a room-gapped environment.
Please note that `coresecret.dev` is included in the HSTS Preload list and always serves the headers:
Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
````nginx configuration pro
add_header Expect-CT "max-age=86400, enforce" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
````
Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
## 1.1. Immutable Source-of-Truth System
This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
@@ -367,15 +366,17 @@ predictable script behavior.
# 5. Installation & Usage
# 5.1. Interactive CLI / Dialog Wrapper
1. Clone the repository:
```bash
git clone https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
cd CISS.2025.debian.live.builder
git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
cd CISS.debian.live.builder
```
2. Run the config builder and the integrated `lb build` command (example):
2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements.
```bash
```yaml
./ciss_live_builder.sh --architecture amd64 \
--build-directory /opt/livebuild \
--change-splash hexagon \
@@ -397,6 +398,10 @@ predictable script behavior.
7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
8. Type `celp` for some shortcuts.
# 5.2. CI/CD Gitea Runner Workflow Example
1. tba
# 6. Licensing & Compliance
This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure


@@ -38,15 +38,16 @@
[[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
. ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
declare -gr VERSION="Master V8.02.512.2025.05.30"
declare -gr CONTACT="security@coresecret.eu"
declare -gr VAR_VERSION="Master V8.02.644.2025.05.31"
declare -gr VAR_CONTACT="security@coresecret.eu"
### VERY EARLY CHECK FOR CONTACT, USAGE, AND VERSION STRING
### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
declare arg
if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${CONTACT}"; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VERSION}"; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
unset arg
### VERY EARLY CHECK FOR XTRACE DEBUGGING
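Review bot: `VAR_HANDLER_AUTOBUILD` is only declared when an `-a=`/`--autobuild=` argument is present (the new loop in this hunk), yet the following hunks of this file test it with `if ! $VAR_HANDLER_AUTOBUILD; then` around the boot screen, every gauge update, `boot_screen_cleaner`, `check_provider` and `check_kernel`, and the first of those tests runs before `./var/global.var.sh` is sourced. Unless it is initialised earlier outside this hunk, an interactive run expands that test to a bare `!` with no command, so as far as I can tell the guarded commands are silently skipped (or the script aborts if `nounset` is enabled in the elided `set -o` lines). Initialise it next to the other early globals, `declare -g VAR_HANDLER_AUTOBUILD=false` before the argument loop, and prefer `if [[ "${VAR_HANDLER_AUTOBUILD}" != "true" ]]; then` so the variable's value is compared rather than executed as a command; this also matches the rule on this page's style guide that globals are initialised at declaration.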
@@ -54,7 +55,7 @@ if [[ $* == *" --debug "* ]]; then
. ./lib/lib_debug.sh
debugger "${@}"
else
declare -grx EARLY_DEBUG=false
declare -grx VAR_EARLY_DEBUG=false
fi
### Advisory Lock
@@ -75,15 +76,15 @@ fi
check_pkgs
### Dialog Output for Initialization
. ./lib/lib_boot_screen.sh && boot_screen
if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
### Updating Status of Dialog Gauge Bar
printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
. ./var/global.var.sh
. ./var/colors.var.sh
### Updating Status of Dialog Gauge Bar
printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e".
set -o errtrace # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
@@ -93,18 +94,18 @@ set -o pipefail # Makes pipelines return the exit status of the last command in
set -o noclobber # Prevent overwriting, the same as "set -C".
### Updating Status of Dialog Gauge Bar
printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
### Initialization
declare -gr ARGUMENTS_COUNT="$#"
declare -gr ARG_STR_ORG_INPUT="$*"
declare -ar ARG_ARY_ORG_INPUT=("$@")
#declare -ar ARG_ARY_ORG_INPUT=("$@")
# shellcheck disable=SC2155
declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
# shellcheck disable=SC2155
declare -grx WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
### Updating Status of Dialog Gauge Bar
printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
. ./lib/lib_arg_parser.sh
. ./lib/lib_arg_priority_check.sh
. ./lib/lib_cdi.sh
@@ -133,42 +134,41 @@ printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3
. ./lib/lib_usage.sh
### Updating Status of Dialog Gauge Bar
printf "XXX\nActivate traps ... \nXXX\n55\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
### Following the CISS Bash naming and ordering scheme
trap 'trap_on_exit "$?"' EXIT
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
### Updating Status of Dialog Gauge Bar
printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
arg_check "$@"
declare -ar ARG_ARY_SANITIZED=("$@")
declare -gr ARG_STR_SANITIZED="${ARG_ARY_SANITIZED[*]}"
### Updating Status of Dialog Gauge Bar
printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
arg_parser "$@"
### Updating Status of Dialog Gauge Bar
printf "XXX\nFinal checks ... \nXXX\n95\n" >&3
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
clean_ip
### Updating Status of Dialog Gauge Bar
printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3
sleep 1
if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
boot_screen_cleaner
if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
### MAIN Program
arg_priority_check
check_stats
check_provider
check_kernel
if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
check_hooks
hardening_ssh
lb_config_start
lb_config_write
cd "${WORKDIR}"
cd "${VAR_WORKDIR}"
hardening_ultra
hardening_root_pw
change_splash
@@ -183,6 +183,6 @@ lb_build_start
set -o errtrace
run_analysis
copy_db
declare -g handler_success=true
declare -g VAR_SCRIPT_SUCCESS=true
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.512.2025.05.30
### Version Master V8.02.644.2025.05.31
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig


@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.02.512.2025.05.30
### Version Master V8.02.644.2025.05.31
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/


@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.02.512.2025.05.30"
declare -gr VERSION="Master V8.02.644.2025.05.31"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then


@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.02.512.2025.05.30 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V8.02.644.2025.05.31 at: 10:18:37.9542


@@ -8,11 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. DNSSEC Status
![DNSSEC Status](docs/SECURITY/coresecret.dev.png)
This is an auto-generated overview of the DNSSEC status of `coresecret.dev` at the time of the last human-initiated push event.
![DNSSEC Status](SECURITY/coresecret.dev.png)
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. Haveged Audit on Netcup RS 2000 G11


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. Lynis Audit:


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. SSH Audit by ssh-audit.com


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# TBA


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. Coding Style
@@ -62,14 +62,27 @@ neat features. Here's how you make use of them. Besides those short hints here,
* Global variables:
* use them only when really necessary,
* in CAPS,
* initialize them (`declare -g VAR=""`),
* use `declare -g` and use typing (variable types) if possible.
* initialize them (`declare -g VAR_EXAMPLE=""`),
* SHOULD start with:
* `ARY_` for Arrays,
* `C_` for Variables defining colored outputs,
* `ERR_` for Error Codes Variables,
* `HMP_` for HashMap Arrays,
* `LOG_` for Logfile Variables,
* `PID_` for PID Variables,
* `PIPE_` for PIPE Variables,
* `VAR_` for Variables
* Local variables:
* are lower case,
* declare them before usage (`declare`),
* initialize them (`declare VAR=""`).
* Preferred declaration and initialization:
* VAR: `declare -g VAR=""` and `declare -a ARRAY=()`.
* declare them before usage (`declare` eq `local`),
* initialize them (`declare var_example=""`),
* SHOULD start with:
* `ary_` for Arrays,
* `c_` for Variables defining colored outputs,
* `err_` for Error Codes Variables,
* `hmp_` for HashMap Arrays,
* `log_` for Logfile Variables,
* `var_` for Variables.
# 3. Misc


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. Contributors


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. Credits


@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. Usage
````text
CISS.debian.live.builder
Master V8.02.512.2025.05.30
Master V8.02.644.2025.05.31
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2024 - 2025


@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.02<br>
**Build**: V8.02.512.2025.05.30<br>
**Build**: V8.02.644.2025.05.31<br>
# 2. Resources


@@ -30,11 +30,11 @@
# ERR_SPLASH_PNG
# ERR_UNCRITICAL
# ERR__SSH__PORT
# HANDLER_ARCHITECTURE
# handler_architecture
# HANDLER_BUILD_DIR
# HANDLER_CDI
# HANDLER_DHCP
# HANDLER_ISO_COUNTER
# VAR_HANDLER_ISO_COUNTER
# HANDLER_PRIORITY
# HANDLER_SPLASH
# HANDLER_SSHPORT
@@ -44,16 +44,61 @@
# ISO8601
# REIONICE_CLASS
# REIONICE_PRIORITY
# VERSION
# VAR_VERSION
# handler_jumphost
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_NETCUP_IPV6
# ERR_ARG_MSMTCH
# ERR_CONTROL_CT
# ERR_MISS_PWD_F
# ERR_MISS_PWD_P
# ERR_OWNS_PWD_F
# ERR_PASS_LENGH
# ERR_PASS_PLICY
# ERR_REIONICE_P
# ERR_REIO_C_VAL
# ERR_REIO_P_VAL
# ERR_RENICE_PRI
# ERR_RGHT_PWD_F
# ERR_SPLASH_PNG
# ERR_UNCRITICAL
# ERR__SSH__PORT
# VAR_ARCHITECTURE
# VAR_BUILD_LOG
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
# VAR_HANDLER_DHCP
# VAR_HANDLER_ISO_COUNTER
# VAR_HANDLER_NETCUP_IPV6
# VAR_HANDLER_PRIORITY
# VAR_HANDLER_SPLASH
# VAR_HANDLER_STA
# VAR_HASHED_PWD
# VAR_ISO8601
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SSHPORT
# VAR_SSHPUBKEY
# Arguments:
# None
#######################################
arg_parser() {
while [[ $# -gt 0 ]]; do
declare argument="${1}"
case "${argument,,}" in
-a=* | --autobuild=*)
shift 1
;;
-c | --contact)
if [[ -n "${2}" && "${2}" != -* ]]; then
boot_screen_cleaner
@@ -86,7 +131,7 @@ arg_parser() {
--architecture)
if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
declare -gx HANDLER_ARCHITECTURE="$2"
declare -gx VAR_ARCHITECTURE="${2}"
shift 2
else
boot_screen_cleaner
@@ -98,8 +143,8 @@ arg_parser() {
;;
--build-directory)
declare -gx HANDLER_BUILD_DIR="${2}"
declare -gx BUILD_LOG="${HANDLER_BUILD_DIR}/${ISO8601}_build.log"
declare -gx VAR_HANDLER_BUILD_DIR="${2}"
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
shift 2
;;
@@ -110,13 +155,13 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
declare -g HANDLER_CDI=true
declare -g VAR_HANDLER_CDI=true
shift 1
;;
--change-splash )
if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
declare -g HANDLER_SPLASH="${2}"
declare -g VAR_HANDLER_SPLASH="${2}"
shift 2
else
boot_screen_cleaner
@@ -129,7 +174,7 @@ arg_parser() {
--control)
if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65536 ]]; then
declare -gi HANDLER_ISO_COUNTER="$2"
declare -gi VAR_HANDLER_ISO_COUNTER="$2"
shift 2
else
boot_screen_cleaner
@@ -157,7 +202,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
declare -gi HANDLER_DHCP=1
declare -gi VAR_HANDLER_DHCP=1
shift 1
;;
@@ -166,7 +211,7 @@ arg_parser() {
declare -i count=0
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
declare -g handler_jumphost+=("$1")
declare -g ARY_HANDLER_JUMPHOST+=("$1")
count=$((count + 1))
shift
done
@@ -188,18 +233,18 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
declare -gi HANDLER_STA=1
declare -gi VAR_HANDLER_STA=1
shift 1
;;
--provider-netcup-ipv6)
if [[ -n "${2}" && "${2}" != -* ]]; then
declare -i count=0
declare -g handler_netcup_ipv6=true
declare -g VAR_HANDLER_NETCUP_IPV6=true
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
declare cleaned="${1//[\[\]]/}"
declare -g handler_netcup_ipv6_array+=("${cleaned}")
declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
count=$((count + 1))
shift
done
@@ -216,7 +261,7 @@ arg_parser() {
--renice-priority)
if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
declare -gi HANDLER_PRIORITY="$2"
declare -gi VAR_HANDLER_PRIORITY="$2"
shift 2
else
boot_screen_cleaner
@@ -235,12 +280,12 @@ arg_parser() {
exit "${ERR_REIONICE_P}"
else
if [[ "${2}" =~ ^[1-3]$ ]]; then
declare -gi REIONICE_CLASS="${2}"
declare -gi VAR_REIONICE_CLASS="${2}"
if [[ -z "${3}" ]]; then
:
else
if [[ "${3}" =~ ^[0-7]$ ]]; then
declare -gi REIONICE_PRIORITY="${3}"
declare -gi VAR_REIONICE_PRIORITY="${3}"
else
boot_screen_cleaner
printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2
@@ -255,7 +300,7 @@ arg_parser() {
exit "${ERR_REIO_C_VAL}"
fi
fi
if [[ -n ${REIONICE_PRIORITY} ]]; then
if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then
shift 3
else
shift 2
@@ -305,11 +350,11 @@ arg_parser() {
fi
declare plaintext_pw
[[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
if ! IFS= read -r plaintext_pw < "${pw_file}"; then
:
fi
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
declare pw_length
pw_length=${#plaintext_pw}
@@ -321,16 +366,16 @@ arg_parser() {
exit "${ERR_PASS_LENGH}"
fi
[[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
if [[ "${plaintext_pw}" == *\"* ]]; then
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
boot_screen_cleaner
printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_PASS_PLICY}"
fi
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
declare salt
set +o pipefail
@@ -341,11 +386,11 @@ arg_parser() {
set -o pipefail
declare hash_temp
[[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
declare -g HASHED_PWD="${hash_temp}"
declare -g VAR_HASHED_PWD="${hash_temp}"
unset hash_temp plaintext_pw
sync
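Review bot: `hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")` in this hunk still hands the plaintext root password to mkpasswd as a command-line argument, so it is visible in the process list to other local users (unless /proc is mounted with hidepid) for the whole duration of the 8M-round hash; the `set +x` guards around it protect only the xtrace output, not argv. Feed it on stdin instead: `hash_temp=$(printf '%s' "${plaintext_pw}" | mkpasswd --stdin --method=sha-512 --salt="${salt}" --rounds=8388608)` — pipefail is re-enabled a few lines above, which is what you want for that pipeline. Separately, the Globals header touched in this file's first hunk now lists `handler_architecture` in lower case while the `--architecture` case declares `VAR_ARCHITECTURE`, and the new header block still carries a `# description` placeholder. The enclosing arg_parser function starts and ends outside this hunk.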
@@ -361,7 +406,7 @@ arg_parser() {
--ssh-port)
if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
declare -gi HANDLER_SSHPORT="${2}"
declare -gi VAR_SSHPORT="${2}"
shift 2
else
boot_screen_cleaner
@@ -372,7 +417,7 @@ arg_parser() {
;;
--ssh-pubkey)
declare -g HANDLER_SSHPUBKEY="${2}"
declare -g VAR_SSHPUBKEY="${2}"
shift 2
;;


@@ -13,17 +13,17 @@
#######################################
# Check and setup Script Priorities
# Globals:
# HANDLER_PRIORITY
# REIONICE_CLASS
# REIONICE_PRIORITY
# VAR_HANDLER_PRIORITY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# Arguments:
# None
#######################################
arg_priority_check() {
declare var
# Check if nice PRIORITY is set and adjust nice priority.
if [[ -n ${HANDLER_PRIORITY} ]]; then
renice "${HANDLER_PRIORITY}" -p "$$"
if [[ -n ${VAR_HANDLER_PRIORITY} ]]; then
renice "${VAR_HANDLER_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
# sleep 1
@@ -31,8 +31,8 @@ arg_priority_check() {
fi
# Check if ionice PRIORITY is set and adjust ionice priority.
if [[ -n ${REIONICE_CLASS} ]]; then
ionice -c"${REIONICE_CLASS:-2}" -n"${REIONICE_PRIORITY:-4}" -p "$$"
if [[ -n ${VAR_REIONICE_CLASS} ]]; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
# sleep 1


@@ -13,15 +13,15 @@
#######################################
# Change Grub Boot Screen Splash
# Globals:
# boot_screen_pid
# boot_screen_pipe
# PID_BOOT_SCREEN
# PIPE_BOOT_SCREEN
# Arguments:
# None
#######################################
boot_screen() {
clear
declare -gr boot_screen_pipe="/tmp/progress.fifo"
[[ -p "${boot_screen_pipe}" ]] || mkfifo "${boot_screen_pipe}"
declare -gr PIPE_BOOT_SCREEN="/tmp/progress.fifo"
[[ -p "${PIPE_BOOT_SCREEN}" ]] || mkfifo "${PIPE_BOOT_SCREEN}"
setsid dialog --no-collapse \
--ascii-lines \
@@ -29,9 +29,9 @@ boot_screen() {
--title "CISS.debian.live.builder" \
--gauge "Starting initialization..." \
10 70 0 \
< "${boot_screen_pipe}" &
declare -gr boot_screen_pid="$!"
exec 3> "${boot_screen_pipe}"
< "${PIPE_BOOT_SCREEN}" &
declare -gr PID_BOOT_SCREEN="$!"
exec 3> "${PIPE_BOOT_SCREEN}"
}
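Review bot: `declare -gr PIPE_BOOT_SCREEN="/tmp/progress.fifo"` keeps a fixed, predictable name in the world-writable /tmp, and the `[[ -p ... ]] || mkfifo` guard on the next line accepts any pre-existing FIFO there, so a lower-privileged local user who creates that path first can read or interfere with the gauge stream, and `rm -f` in boot_screen_cleaner (next hunk) then deletes a file the script did not create. Create the FIFO in a private directory instead: `declare -gr PIPE_BOOT_SCREEN="$(mktemp -d)/progress.fifo"` followed by `mkfifo -m 600 "${PIPE_BOOT_SCREEN}"`, and have boot_screen_cleaner remove the directory with `rm -rf "${PIPE_BOOT_SCREEN%/*}"`. The rename itself is consistent with the `PID_`/`PIPE_` prefixes the style guide in this commit introduces.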
#######################################
@@ -44,9 +44,9 @@ boot_screen() {
#######################################
boot_screen_cleaner() {
exec 3>&-
kill -TERM -- -"${boot_screen_pid}" 2>/dev/null || true
wait "${boot_screen_pid}" 2>/dev/null || true
rm -f "${boot_screen_pipe}"
kill -TERM -- -"${PID_BOOT_SCREEN}" 2>/dev/null || true
wait "${PID_BOOT_SCREEN}" 2>/dev/null || true
rm -f "${PIPE_BOOT_SCREEN}"
clean_screen
sleep 1
}


@@ -14,48 +14,48 @@
# CISS.2025.debian.installer GRUB and Autostart Generator
# Globals:
# BASH_SOURCE
# HANDLER_BUILD_DIR
# HANDLER_CDI
# WORKDIR
# kernel
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
# VAR_KERNEL
# VAR_WORKDIR
# Arguments:
# None
#######################################
cdi() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${HANDLER_CDI}" == "true" ]]; then
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
fi
cp "${WORKDIR}/scripts/9000-cdi-starter" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chmod 0750 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
declare tmp_entry
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${kernel})" --hotkey=i {
linux /live/vmlinuz-${kernel} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${kernel}
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
rm -f "${tmp_entry}"
else
# shellcheck disable=SC1003
sed -i '/#MUST_BE_REPLACED/c\\' "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
}
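Review bot: The `else` branch removes the `#MUST_BE_REPLACED` placeholder only from `grub-efi/grub.cfg`, whereas the `true` branch edits both `grub-efi` and `grub-pc`; when `VAR_HANDLER_CDI` is not `true` the BIOS config ships with the literal placeholder line. Add `sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"` next to the existing one, or use `/#MUST_BE_REPLACED/d` for both if dropping the line rather than leaving an empty one is the intent — the `c\\` form needs the SC1003 suppression and is easy to misread. Since one heredoc feeds the same hardened kernel cmdline into both grub.cfg files, a one-line comment above it stating that both bootloaders must stay in sync would make this kind of asymmetry easier to catch.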


@@ -13,24 +13,24 @@
#######################################
# Change Grub Boot Screen Splash
# Globals:
# HANDLER_BUILD_DIR
# HANDLER_SPLASH
# WORKDIR
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_SPLASH
# VAR_WORKDIR
# Arguments:
# None
#######################################
change_splash() {
if [[ ${HANDLER_SPLASH} == "club" ]]; then
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
elif [[ ${HANDLER_SPLASH} == "hexagon" ]]; then
elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
fi
}


@@ -13,14 +13,14 @@
#######################################
# Check if hardened Centurion DNS servers are desired.
# Globals:
# HANDLER_DHCP
# WORKDIR
# VAR_HANDLER_DHCP
# VAR_WORKDIR
# Arguments:
# None
#######################################
check_dhcp() {
if [[ ${HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${WORKDIR}"/scripts/0010_dhcp_supersede.sh
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -14,7 +14,7 @@
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Globals:
# ERR_UNCRITICAL
# WORKDIR
# VAR_WORKDIR
# Arguments:
# None
#######################################
@@ -22,10 +22,10 @@ check_hooks() {
declare ifs
ifs=$'\n\t'
shopt -s nullglob
declare -a files=("${WORKDIR}"/config/hooks/live/*.chroot)
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${WORKDIR}" >&2
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
exit "${ERR_UNCRITICAL}"
fi


@@ -13,10 +13,10 @@
#######################################
# Kernel Image Selector
# Globals:
# HANDLER_ARCHITECTURE
# KERNEL_SRT
# KERNEL_TMP
# kernel
# VAR_ARCHITECTURE
# VAR_KERNEL
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# Arguments:
# None
# Returns:
@@ -27,17 +27,17 @@ check_kernel() {
declare -i counter=1
declare first_string=""
declare line=""
declare -gx kernel=""
declare -gx VAR_KERNEL=""
declare name=""
declare options=""
if [[ ${HANDLER_ARCHITECTURE} != arm64 ]]; then
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
else
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
fi
sort --output="${KERNEL_SRT}" "${KERNEL_TMP}" || {
sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
printf "❌ Error check_kernel() Line 40 sort failed\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -49,10 +49,10 @@ check_kernel() {
name=${first_string#linux-image-}
options+=("${name}" "${counter}" off)
((counter++))
done < "${KERNEL_SRT}"
done < "${VAR_KERNEL_SRT}"
# shellcheck disable=SC2155
if declare -g kernel=$(dialog \
if declare -g VAR_KERNEL=$(dialog \
--no-collapse \
--ascii-lines \
--clear \
@@ -62,10 +62,10 @@ check_kernel() {
clear
else
clear
if [[ "${HANDLER_ARCHITECTURE}" == "amd64" ]]; then
declare -gr kernel="amd64"
elif [[ "${HANDLER_ARCHITECTURE}" == "arm64" ]]; then
declare -gr kernel="arm64"
if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
declare -gr VAR_KERNEL="amd64"
elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
declare -gr VAR_KERNEL="arm64"
fi
fi
}
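Review bot: `if declare -g VAR_KERNEL=$(dialog ...)` tests the exit status of `declare`, which is 0 whenever the assignment itself is valid, so a Cancel/ESC in `dialog` never reaches the `else` branch and `VAR_KERNEL` stays empty; this is exactly the masking the disabled SC2155 warns about. Because `VAR_KERNEL` is already declared global by `declare -gx VAR_KERNEL=""` at the top of the function, the fix is to drop the `declare` and let the assignment be the test: `if VAR_KERNEL=$(dialog \`, which makes the `if` follow `dialog`'s status. The `if`/`else` spans two hunks here and the tail of the `dialog` argument list between them is not shown.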


@@ -17,8 +17,8 @@
#######################################
check_provider() {
clear
cat << 'EOF' >| "${notes}"
Build: Master V8.02.512.2025.05.30
cat << 'EOF' >| "${VAR_NOTES}"
Build: Master V8.02.644.2025.05.31
Press 'EXIT' to continue with CISS.debian.live.builder.
@@ -59,7 +59,7 @@ EOF
--backtitle "CISS.debian.live.builder" \
--title "Important Notes" \
--scrollbar \
--textbox "${notes}" 32 128
--textbox "${VAR_NOTES}" 32 128
clear
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -13,12 +13,12 @@
#######################################
# Check if analysis run is desired only.
# Globals:
# HANDLER_STA
# VAR_HANDLER_STA
# Arguments:
# None
#######################################
check_stats() {
if [[ ${HANDLER_STA} -eq 1 ]]; then
if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
clear
run_analysis
exit 0


@@ -13,26 +13,26 @@
#######################################
# Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
# Globals:
# ERROR_LOG
# KERNEL_INF
# KERNEL_SRT
# KERNEL_TMP
# WORKDIR
# LOG_ERROR
# VAR_KERNEL_INF
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# VAR_WORKDIR
# Arguments:
# 1 : ${trap_on_exit_code} of trap_on_exit()
#######################################
clean_up() {
declare clean_exit_code="$1"
rm -f -- "${KERNEL_INF}"
rm -f -- "${KERNEL_SRT}"
rm -f -- "${KERNEL_TMP}"
rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}"
rm -f /run/lock/ciss_live_builder.lock
if (( clean_exit_code == 0 )); then rm -f -- "${ERROR_LOG}"; fi
if [[ -f "${WORKDIR}/hosts.allow" ]]; then
rm -f "${WORKDIR}/hosts.allow"
if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
rm -f "${VAR_WORKDIR}/hosts.allow"
fi
if [[ -f "${WORKDIR}/hosts.deny" ]]; then
rm -f "${WORKDIR}/hosts.deny"
if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then
rm -f "${VAR_WORKDIR}/hosts.deny"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -14,7 +14,7 @@
# Copy Initial ISO aide Database into Host System
# Globals:
# BASH_SOURCE
# HANDLER_BUILD_DIR
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
@@ -23,12 +23,12 @@
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/.integrity"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${HANDLER_BUILD_DIR}/.integrity/"*
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else


@@ -13,12 +13,13 @@
#######################################
# Debugger Wrapper for xtrace to Debug Log
# Globals:
# BASH_SOURCE
# BASH_XTRACEFD
# DEBUG_LOG
# EARLY_DEBUG
# LOG_DEBUG
# PS4
# SHELLOPTS
# dump_vars_initial
# VAR_DUMP_VARS_INITIAL
# VAR_EARLY_DEBUG
# var
# Arguments:
# None
@@ -26,22 +27,22 @@
debugger() {
### Capture an initial snapshot of all variables (excluding '^(BASH|_).*')
# shellcheck disable=SC2155
declare -grx dump_vars_initial=$(mktemp)
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${dump_vars_initial}"
declare -grx EARLY_DEBUG=true
} | sort >| "${VAR_DUMP_VARS_INITIAL}"
declare -grx VAR_EARLY_DEBUG=true
### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -grx DEBUG_LOG="/tmp/ciss_live_builder_$$_debug.log"
### Generates empty DEBUG_LOG
touch "${DEBUG_LOG}" && chmod 0600 "${DEBUG_LOG}"
declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
### Generates empty LOG_DEBUG
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
### Open file descriptor 42 for writing to the debug log
exec 42>| "${DEBUG_LOG}"
exec 42>| "${LOG_DEBUG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
### Determine the directory of this script, even if sourced.
# shellcheck disable=SC2155
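Review bot: `LOG_DEBUG` is a predictable name in the shared `/tmp` (`/tmp/ciss_live_builder_$$_debug.log`), and both `touch` and `exec 42>|` follow a pre-existing symlink, so another local user who guesses the PID can redirect the root builder's debug writes to a file of their choosing; the `VAR_DUMP_VARS_INITIAL` snapshot a few lines above already does this right with `mktemp`. Use `declare -grx LOG_DEBUG="$(mktemp "/tmp/ciss_live_builder_$$_XXXXXXXX.log")"`, which creates the file 0600 so the `touch ... && chmod 0600` line can go. Independently, the snapshot is a `declare -p` of every non-BASH variable and the xtrace on fd 42 records expansions, so anything like `VAR_HASHED_PWD` that is in scope at that point ends up in these files; a comment at the top of the function saying the debug log may contain credentials and must not be attached to reports unredacted would be worth adding. The function continues past the end of this hunk.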


@@ -21,7 +21,7 @@
# PPID
# PWD
# UID
# VERSION
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
@@ -32,7 +32,7 @@ debug_header() {
declare -r arg_string="$2"
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"


@@ -13,15 +13,15 @@
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# HANDLER_BUILD_DIR
# HASHED_PWD
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# Returns:
# 0: In case no root password is desired.
#######################################
hardening_root_pw() {
if [[ -z ${HASHED_PWD} ]]; then
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
# sleep 1
return 0
@@ -30,7 +30,7 @@ hardening_root_pw() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
# sleep 1
declare cfg_dir="${HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_file="${cfg_dir}/config.conf"
declare dropin_dir="${cfg_dir}/config.conf.d"
declare dropin_file="${dropin_dir}/20-root-password.conf"
@@ -45,27 +45,27 @@ EOF
sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
fi
declare clean_hash="${HASHED_PWD//\"/}"
declare clean_hash="${VAR_HASHED_PWD//\"/}"
printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
chmod 0600 "${dropin_file}"
chown root:root "${dropin_file}"
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
[Service]
ExecStart=
#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
ExecStart=-agetty --noclear %I $TERM
EOF
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
tty1
tty2
tty3
@@ -74,21 +74,21 @@ tty5
tty6
EOF
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
### Hotfix I
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#!/bin/sh
# bypass live-config-getty-generator
exit 0
EOF
chmod +x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
### Hotfix II
#mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
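Review bot: The root hash is written into the image twice: once as `live-config.root-password-hash=` in the drop-in that live-config reads, and again verbatim into `includes.chroot/root/.pwd`; nothing in this hunk reads `.pwd`, so unless a hook outside this file consumes it, the `mkdir`/`printf`/`chmod`/`chown` lines creating it are an extra copy of a credential hash on the ISO and should be removed. The three `cp -af /usr/sbin/agetty ...` lines also ship the build host's binary into the chroot under `usr/sbin`, `usr/bin` and `sbin`; the image's own util-linux already provides agetty, and on merged-/usr bookworm `/sbin` is a symlink, so a real `sbin/` directory in includes.chroot may not overlay where expected — the commented-out `#ExecStart=-/usr/sbin/agetty ...` line suggests this was a path problem, and `ExecStart=-/usr/sbin/agetty --noclear %I $TERM` with the path that exists in the chroot would avoid host binaries entirely (worth confirming against the chroot). A comment above the `Hotfix I` stub saying which live-config behaviour it suppresses and why would help, since it silently disables `live-config-getty-generator` for the whole image.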


@@ -13,15 +13,15 @@
#######################################
# SSH Hardening Ultra via TCP Wrapper
# Globals:
# WORKDIR
# handler_jumphost
# ARY_HANDLER_JUMPHOST
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ssh() {
if ((${#handler_jumphost[@]} > 0)); then
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -34,10 +34,10 @@ hardening_ssh() {
EOF
allowed=$(echo "${handler_jumphost[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${WORKDIR}/hosts.allow"
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${WORKDIR}/hosts.deny"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -52,7 +52,7 @@ EOF
#
# You may wish to enable this to ensure any programs that don't
# validate looked-up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# versions of Debian, this has been the default.
# ALL: PARANOID
ALL: ALL
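Review bot: `hosts.allow`/`hosts.deny` only take effect for services linked against libwrap, and nothing here establishes that the `sshd` in the image honours them; the hook should verify it (`ldd /usr/sbin/sshd | grep -q libwrap` inside the chroot) and fail loudly otherwise, or these files give a false sense of a second SSH filter beyond the ufw rules. `ALL: ALL` in hosts.deny also applies to every other libwrap-aware daemon on the image, not only sshd, which a comment in the heredoc should state. The `sshd: %s` entries are the raw `ARY_HANDLER_JUMPHOST` values including `[...]` brackets, which matches hosts_access(5) IPv6 notation but means a malformed entry is written without any validation.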


@@ -11,65 +11,65 @@
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for accompanying all CISS.2025 hardening features into the Live ISO image.
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Globals:
# HANDLER_ARCHITECTURE
# HANDLER_BUILD_DIR
# HANDLER_SSHPORT
# HANDLER_SSHPUBKEY
# WORKDIR
# handler_jumphost
# handler_jumphost_unique
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ultra() {
# shellcheck disable=SC2164
cd "${WORKDIR}"
cd "${VAR_WORKDIR}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/package-lists"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
fi
cp -af ./config/package-lists/live.list.common.chroot "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
case "${HANDLER_ARCHITECTURE}" in
case "${VAR_ARCHITECTURE}" in
amd64)
declare arch_list="./config/package-lists/live.list.amd64.chroot"
declare arch_comment="# amd64 specific packages"
@@ -79,7 +79,7 @@ hardening_ultra() {
declare arch_comment="# arm64 specific packages"
;;
*)
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${HANDLER_ARCHITECTURE}"
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
exit 1
;;
esac
@@ -105,26 +105,26 @@ hardening_ultra() {
}
print
}
' "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${HANDLER_SSHPORT:-22}"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#handler_jumphost[@]} -gt 0 ]]; then
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -135,7 +135,7 @@ hardening_ultra() {
fi
declare host
for host in "${handler_jumphost_unique[@]}"; do
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
@@ -143,19 +143,19 @@ hardening_ultra() {
else
cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${HANDLER_SSHPORT:-22}"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#handler_jumphost_unique[@]} -gt 0 ]]; then
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -166,7 +166,7 @@ hardening_ultra() {
fi
declare host
for host in "${handler_jumphost_unique[@]}"; do
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
@@ -174,21 +174,21 @@ hardening_ultra() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
if [[ -f "${WORKDIR}/hosts.allow" ]]; then
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${WORKDIR}/hosts.allow" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${WORKDIR}/hosts.deny" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${WORKDIR}/hosts.allow"
rm -f "${WORKDIR}/hosts.deny"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
if ((${#handler_jumphost[@]} > 0)); then
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${handler_jumphost[*]}"
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets []
declare flat_ips
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
@@ -196,14 +196,14 @@ hardening_ultra() {
# Perform an in-place replacement of MUST_BE_SET with the cleaned list
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
"${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i \
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
"${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
}


@@ -13,15 +13,15 @@
#######################################
# IP Notation cleaner for pure IP output only
# Globals:
# handler_jumphost
# handler_jumphost_unique
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
#######################################
clean_ip() {
declare host
declare stripped
for host in "${handler_jumphost[@]}"; do
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
@@ -30,7 +30,7 @@ clean_ip() {
continue
fi
# Directly append, no duplicate check
declare -ga handler_jumphost_unique+=("${stripped}")
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
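Review bot: The append line keeps the comment `# Directly append, no duplicate check`, yet its target is now named `ARY_HANDLER_JUMPHOST_UNIQUE` and hardening_ultra iterates that array to emit one `ufw allow` rule per entry, so a jump host listed twice yields duplicate firewall rules. Either dedupe before appending, `[[ " ${ARY_HANDLER_JUMPHOST_UNIQUE[*]} " == *" ${stripped} "* ]] && continue`, or drop `_UNIQUE` from the name and the doc header so the name does not promise what the code does not do. Since the array is already declared in the variables file, the per-iteration `declare -ga … +=` can become a plain `ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")`. The validation between the `stripped=` lines and the `continue` sits outside the hunk.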


@@ -13,20 +13,20 @@
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# BUILD_LOG
# ERR_UNCRITICAL
# HANDLER_BUILD_DIR
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
#######################################
lb_build_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${BUILD_LOG}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# sleep 1
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
if lb build --color 2>&1 | tee "${BUILD_LOG}"; then
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2
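Review bot: The condition `if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then` tests the pipeline's status, which is tee's exit code unless `set -o pipefail` is active somewhere outside this file; if it is not, a failed `lb build` still prints "Build successfully completed". Checking the builder's own status works under either setting: `if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}" && (( PIPESTATUS[0] == 0 )); then`. The header also drops `ERR_UNCRITICAL` from Globals while the `else` branch, which continues past the hunk, presumably still exits with it; keep the entry if so.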


@@ -13,24 +13,24 @@
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# HANDLER_BUILD_DIR
# VAR_HANDLER_BUILD_DIR
# Arguments:
# $0: Script-name
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d ${HANDLER_BUILD_DIR} ]]; then
mkdir -p "${HANDLER_BUILD_DIR}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
fi
if [[ ! -d "${HANDLER_BUILD_DIR}/.build" ]]; then
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &
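Review bot: Both branches of `if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]` end in the same `cd "${VAR_HANDLER_BUILD_DIR}"`, so the renamed code keeps the duplication; because `mkdir -p` is idempotent the block can become one `mkdir -p` followed by one `cd`, with the "created" message gated on the earlier `-d` test if it is still wanted. `bash -c "lb config" &` at the end of the hunk backgrounds the config step; unless a `wait` follows past the hunk, the statements after it race against `lb config` writing `config/`. The function continues outside the hunk.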


@@ -13,12 +13,20 @@
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# HANDLER_ARCHITECTURE
# HANDLER_BUILD_DIR
# HANDLER_ISO_COUNTER
# VERSION
# WORKDIR
# kernel
# VAR_HANDLER_ISO_COUNTER
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL
# VAR_WORKDIR
# VAR_VERSION
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# Arguments:
# None
#######################################
@@ -31,7 +39,7 @@ lb_config_write() {
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${HANDLER_ARCHITECTURE}" \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
@@ -59,15 +67,15 @@ lb_config_write() {
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${HANDLER_ISO_COUNTER}" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${kernel}" \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
@@ -103,10 +111,10 @@ lb_config_write() {
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${WORKDIR}/scripts/live-boot/0030-verify-checksums" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
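Review bot: The first hunk leaves a second, empty doc header (`# description` / `# Globals:` / `# Arguments:` / `# None`) directly under the real one for lb_config_write; it looks like an unfilled template and should be removed, since the filled header already documents the function. The new Globals list is also out of alphabetical order (`VAR_HANDLER_ISO_COUNTER` before `VAR_ARCHITECTURE`) while the other headers in this commit are sorted; reorder to `VAR_ARCHITECTURE`, `VAR_HANDLER_BUILD_DIR`, `VAR_HANDLER_ISO_COUNTER`, `VAR_KERNEL`, `VAR_VERSION`, `VAR_WORKDIR`. The `lb config` argument list between the hunks is outside the view.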


@@ -16,14 +16,14 @@
# None
#######################################
provider_netcup() {
if "${handler_netcup_ipv6}"; then
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${handler_netcup_ipv6_array[*]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
cat << EOF >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
@@ -34,10 +34,10 @@ iface ens3 inet6 static
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi
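Review bot: `sed -i "s|MUST_BE_REPLACED|…|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"` edits the template in the source tree rather than the copy, so after the first run the placeholder is gone and a later build with a different address silently keeps the old one. Copy first and substitute in the destination: `cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"` followed by `sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"`. The local `handler_netcup_ipv6_string` keeps the old lowercase scheme while the commit renames everything else, and `"${ARY_HANDLER_NETCUP_IPV6[*]}"` joins all entries with spaces into a single `address … /128` line, so only a one-element array renders valid ifupdown configuration. `if "${VAR_HANDLER_NETCUP_IPV6}"; then` executes the variable's value as a command; with the `""` default from the variables file that prints a command-not-found error instead of testing false, whereas `[[ "${VAR_HANDLER_NETCUP_IPV6}" == "true" ]]` (the form print_scr_exit uses) does not.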


@@ -13,17 +13,17 @@
#######################################
# Wrapper for statistic functions of the final build.
# Globals:
# BUILD_LOG
# CHROOT_DIR
# ERR_UNCRITICAL
# HANDLER_BUILD_DIR
# PACKAGES_FILE
# VAR_BUILD_LOG
# VAR_CHROOT_DIR
# VAR_HANDLER_BUILD_DIR
# VAR_PACKAGES_FILE
# Arguments:
# None
#######################################
run_analysis() {
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1)
@@ -38,21 +38,21 @@ run_analysis() {
# shellcheck disable=SC2155
declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_hr=$(du -sh "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_bytes=$(du -sb "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }')
# shellcheck disable=SC2155
declare package_count=$(wc -l < "${PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
# shellcheck disable=SC2155
declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${BUILD_LOG}")"
declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"
if [[ -f "${BUILD_LOG}" ]]; then
if [[ -f "${VAR_BUILD_LOG}" ]]; then
# shellcheck disable=SC2155
declare start_line=$(grep 'lb build' "${BUILD_LOG}" | head -n1 || true)
declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true)
# shellcheck disable=SC2155
declare end_line=$(grep 'lb source' "${BUILD_LOG}" | tail -n1 || true)
declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true)
if [[ -n "${start_line}" && -n "${end_line}" ]]; then
# shellcheck disable=SC2155
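Review bot: `declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"` runs before the `[[ -f "${VAR_BUILD_LOG}" ]]` check on the next line, so a missing log produces a grep error (masked by the `declare` assignment, which is why SC2155 is disabled) and an empty value; move that line inside the `if`. The `compression` line divides by `chroot_size_bytes`, which is empty when `du -sb "${VAR_CHROOT_DIR}"` fails with its stderr discarded, and awk then aborts with a division-by-zero error; guard with `[[ -n "${chroot_size_bytes}" && "${chroot_size_bytes}" -gt 0 ]]` before computing it. The fallback `"nicht gefunden"` is the only German text among English messages; `"not found"` keeps the output consistent. The rest of run_analysis is outside the hunk.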


@@ -27,8 +27,8 @@ arg_check() {
#######################################
# Function to sanitize a single argument
# Globals:
# ERROR_LOG
# ERR_INVLD_CHAR
# LOG_ERROR
# Arguments:
# $1: Argument to check
#######################################
@@ -46,7 +46,7 @@ sanitize_arg() {
printf "❌ in argument : '%s'. \n" "${input}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - ' \n"
printf "\n"
} >> "${ERROR_LOG}"
} >> "${LOG_ERROR}"
boot_screen_cleaner
printf "\e[91m❌ Invalid character : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2


@@ -16,40 +16,42 @@
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ARG_STR_SANITIZED
# DEBUG_LOG
# EARLY_DEBUG
# ERROR_LOG
# VAR_LOG
# VERSION
# errcmmd
# errcode
# errfunc
# errline
# errscrt
# LOG_DEBUG
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_ERROR
# LOG_VAR
# SECONDS
# VAR_EARLY_DEBUG
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_file_err() {
{
printf "❌ CISS.debian.live.builder Script failed. \n"
printf "❌ Version : %s \n" "${VERSION}"
printf "❌ Environment : %s \n" "${SYSTEM_VAR}"
printf "❌ Error : %s \n" "${errcode}"
printf "❌ Line : %s \n" "${errline}"
printf "❌ Script : %s \n" "${errscrt}"
printf "❌ Function : %s \n" "${errfunc}"
printf "❌ Command : %s \n" "${errcmmd}"
printf "❌ Version : %s \n" "${VAR_VERSION}"
printf "❌ Environment : %s \n" "${VAR_SYSTEM}"
printf "❌ Error : %s \n" "${ERRCODE}"
printf "❌ Line : %s \n" "${ERRLINE}"
printf "❌ Script : %s \n" "${ERRSCRT}"
printf "❌ Function : %s \n" "${ERRFUNC}"
printf "❌ Command : %s \n" "${ERRCMMD}"
printf "❌ Script Runtime : %s \n" "${SECONDS}"
printf "❌ Arguments Counter : %s \n" "${ARGUMENTS_COUNT}"
printf "❌ Arguments Original : %s \n" "${ARG_STR_ORG_INPUT}"
printf "❌ Arguments Sanitized : %s \n" "${ARG_STR_SANITIZED}"
if "${EARLY_DEBUG}"; then
printf "❌ Vars Dump saved at : %s \n" "${VAR_LOG}"
printf "❌ Debug Log saved at : %s \n" "${DEBUG_LOG}"
printf "❌ cat %s \n" "${DEBUG_LOG}"
if "${VAR_EARLY_DEBUG}"; then
printf "❌ Vars Dump saved at : %s \n" "${LOG_VAR}"
printf "❌ Debug Log saved at : %s \n" "${LOG_DEBUG}"
printf "❌ cat %s \n" "${LOG_DEBUG}"
fi
printf "\n"
} >> "${ERROR_LOG}"
} >> "${LOG_ERROR}"
}
#######################################
@@ -58,38 +60,40 @@ print_file_err() {
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ARG_STR_SANITIZED
# DEBUG_LOG
# EARLY_DEBUG
# ERROR_LOG
# VAR_LOG
# VERSION
# errcmmd
# errcode
# errfunc
# errline
# errscrt
# LOG_DEBUG
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_ERROR
# LOG_VAR
# SECONDS
# VAR_EARLY_DEBUG
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_scr_err() {
printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
printf "\e[91m❌ Version : %s \e[0m\n" "${VERSION}" >&2
printf "\e[91m❌ Environment : %s \e[0m\n" "${SYSTEM_VAR}" >&2
printf "\e[91m❌ Error : %s \e[0m\n" "${errcode}" >&2
printf "\e[91m❌ Line : %s \e[0m\n" "${errline}" >&2
printf "\e[91m❌ Script : %s \e[0m\n" "${errscrt}" >&2
printf "\e[91m❌ Function : %s \e[0m\n" "${errfunc}" >&2
printf "\e[91m❌ Command : %s \e[0m\n" "${errcmmd}" >&2
printf "\e[91m❌ Version : %s \e[0m\n" "${VAR_VERSION}" >&2
printf "\e[91m❌ Environment : %s \e[0m\n" "${VAR_SYSTEM}" >&2
printf "\e[91m❌ Error : %s \e[0m\n" "${ERRCODE}" >&2
printf "\e[91m❌ Line : %s \e[0m\n" "${ERRLINE}" >&2
printf "\e[91m❌ Script : %s \e[0m\n" "${ERRSCRT}" >&2
printf "\e[91m❌ Function : %s \e[0m\n" "${ERRFUNC}" >&2
printf "\e[91m❌ Command : %s \e[0m\n" "${ERRCMMD}" >&2
printf "\e[91m❌ Script Runtime : %s \e[0m\n" "${SECONDS}" >&2
printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${ARG_STR_SANITIZED}" >&2
printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${ERROR_LOG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${ERROR_LOG}" >&2
if "${EARLY_DEBUG}"; then
printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${VAR_LOG}" >&2
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${DEBUG_LOG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${DEBUG_LOG}" >&2
printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${LOG_ERROR}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_ERROR}" >&2
if "${VAR_EARLY_DEBUG}"; then
printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}" >&2
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${LOG_DEBUG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_DEBUG}" >&2
fi
printf "\n"
}
@@ -97,7 +101,12 @@ print_scr_err() {
#######################################
# Trap function to be called on 'ERR'.
# Globals:
# EARLY_DEBUG
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# VAR_EARLY_DEBUG
# Arguments:
# $1: $?
# $2: ${BASH_SOURCE[0]}
@@ -106,14 +115,14 @@ print_scr_err() {
# $5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -g errcode="$1"
declare -g errscrt="$2"
declare -g errline="$3"
declare -g errfunc="$4"
declare -g errcmmd="$5"
declare -g ERRCODE="$1"
declare -g ERRSCRT="$2"
declare -g ERRLINE="$3"
declare -g ERRFUNC="$4"
declare -g ERRCMMD="$5"
trap - ERR
if "${EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${errcode}"
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${ERRCODE}"
clean_screen
print_file_err
print_scr_err
@@ -122,10 +131,9 @@ trap_on_err() {
#######################################
# Gather all user-defined variables (name and value)
# Globals:
# VAR_LOG
# VERSION
# dump_vars_initial
# var
# LOG_VAR
# VAR_DUMP_VARS_INITIAL
# VAR_VERSION
# Arguments:
# None
#######################################
@@ -144,19 +152,19 @@ dump_user_vars() {
{
printf "✅ CISS.debian.live.builder Config Variable Dump. \n"
printf "✅ Version : %s \n" "${VERSION}"
printf "✅ Version : %s \n" "${VAR_VERSION}"
printf "\n"
printf "===== Initial VAR Environment ===== \n"
} >> "${VAR_LOG}"
} >> "${LOG_VAR}"
comm -23 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true
comm -23 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true
{
printf "\n"
printf "===== Final VAR Environment ===== \n"
} >> "${VAR_LOG}"
} >> "${LOG_VAR}"
comm -13 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true
rm "${dump_vars_initial}" "${dump_vars_final}"
comm -13 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true
rm "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
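Review bot: `if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi` in trap_on_err (and the same form in print_file_err, print_scr_err and trap_on_exit) executes the variable's value as a command, so anything but a literal `true`/`false` — an unset or mistyped value — becomes a command lookup inside the error handler; print_scr_exit in this same commit uses `[[ "${VAR_EARLY_DEBUG}" == "true" ]]`, which is the safer form and should be used throughout. print_file_err and print_scr_err print the identical field list twice with different decoration; one helper taking the colour prefix/suffix and the target stream as parameters would keep the file and screen reports from drifting apart. dump_user_vars feeds `comm` with `VAR_DUMP_VARS_INITIAL` and `dump_vars_final`; comm needs sorted input, which I cannot confirm from the lines shown, and `dump_vars_final` is absent from the Globals list, so presumably it is a local set in the cut part of the function.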


@@ -13,7 +13,7 @@
#######################################
# Trap function to be called on 'EXIT'.
# Globals:
# EARLY_DEBUG
# VAR_EARLY_DEBUG
# Arguments:
# $1: $?
#######################################
@@ -21,7 +21,7 @@ trap_on_exit() {
declare -r trap_on_exit_code="$1"
trap - EXIT
if (( trap_on_exit_code == 0 )); then
if "${EARLY_DEBUG}"; then dump_user_vars; fi
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${trap_on_exit_code}"
print_scr_exit "${trap_on_exit_code}"
exit 0
@@ -33,28 +33,29 @@ trap_on_exit() {
#######################################
# Print Success Message for Trap on 'EXIT' on 'stdout'
# Globals:
# DEBUG
# DEBUG_LOG
# HANDLER_BUILD_DIR
# VAR_LOG
# handler_success
# LOG_DEBUG
# LOG_VAR
# SECONDS
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_SCRIPT_SUCCESS
# Arguments:
# $1: ${trap_on_exit_code} of trap_on_exit()
#######################################
print_scr_exit() {
declare -r print_scr_exit_code="$1"
if (( print_scr_exit_code == 0 )); then
if [[ "${handler_success}" == "true" ]]; then
if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
printf "\n"
printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n"
printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${HANDLER_BUILD_DIR}/.integrity/"
printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}"
printf "\n"
if [[ "${EARLY_DEBUG}" == "true" ]]; then
if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then
printf "\e[92m✅ Script Runtime : %s \e[0m\n" "${SECONDS}"
printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${VAR_LOG}"
printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${DEBUG_LOG}"
printf "\e[92m✅ cat %s \e[0m\n" "${DEBUG_LOG}"
printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${LOG_VAR}"
printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${LOG_DEBUG}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DEBUG}"
printf "\n"
fi
printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"


@@ -22,7 +22,7 @@ usage() {
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.02.512.2025.05.30\e[0m")
$(echo -e "\e[92mMaster V8.02.644.2025.05.31\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")


@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
# sleep 1
[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
printf "CISS.debian.installer Master V8.02.512.2025.05.30 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
printf "CISS.debian.installer Master V8.02.644.2025.05.31 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh


@@ -11,45 +11,46 @@
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck disable=SC2155
declare -gr SYSTEM_VAR="$(uname -a)"
declare -gr VAR_SYSTEM="$(uname -a)"
# shellcheck disable=SC2155
declare -gr ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
# shellcheck disable=SC2155
declare -gr KERNEL_INF="$(mktemp)"
declare -gr VAR_KERNEL_INF="$(mktemp)"
# shellcheck disable=SC2155
declare -gr KERNEL_TMP="$(mktemp)"
declare -gr VAR_KERNEL_TMP="$(mktemp)"
# shellcheck disable=SC2155
declare -gr KERNEL_SRT="$(mktemp)"
declare -gr VAR_KERNEL_SRT="$(mktemp)"
# shellcheck disable=SC2155
declare -gr notes="$(mktemp)"
declare -gr VAR_NOTES="$(mktemp)"
if "${EARLY_DEBUG}"; then
declare -gr VAR_LOG="/tmp/ciss_live_builder_$$_var.log"
touch "${VAR_LOG}" && chmod 0600 "${VAR_LOG}"
if "${VAR_EARLY_DEBUG}"; then
declare -gr LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
fi
declare -gr ERROR_LOG="/tmp/ciss_live_builder_$$_error.log"
touch "${ERROR_LOG}" && chmod 0600 "${ERROR_LOG}"
declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"
declare -g HANDLER_ARCHITECTURE=""
declare -g HANDLER_BUILD_DIR=""
declare -g HANDLER_CDI=""
declare -g HANDLER_DHCP=""
declare -g HANDLER_SPLASH=""
declare -g HANDLER_SSHPORT=""
declare -g HANDLER_SSHPUBKEY=""
declare -g handler_success=""
declare -g HANDLER_PRIORITY=""
declare -g handler_netcup_ipv6=""
declare -g handler_netcup_ipv6_array=""
declare -g HASHED_PWD=""
declare -g HANDLER_STA=""
declare -g REIONICE_CLASS=""
declare -g REIONICE_PRIORITY=""
declare -gr CHROOT_DIR="chroot"
declare -gr PACKAGES_FILE="chroot.packages.live"
declare -ga handler_jumphost=()
declare -ga handler_jumphost_unique=()
declare -g VAR_ARCHITECTURE=""
declare -g VAR_HANDLER_AUTOBUILD="false"
declare -g VAR_HANDLER_BUILD_DIR=""
declare -g VAR_HANDLER_CDI=""
declare -g VAR_HANDLER_DHCP=""
declare -g VAR_HANDLER_SPLASH=""
declare -g VAR_SSHPORT=""
declare -g VAR_SSHPUBKEY=""
declare -g VAR_SCRIPT_SUCCESS=""
declare -g VAR_HANDLER_PRIORITY=""
declare -g VAR_HANDLER_NETCUP_IPV6=""
declare -g VAR_HASHED_PWD=""
declare -g VAR_HANDLER_STA=""
declare -g VAR_REIONICE_CLASS=""
declare -g VAR_REIONICE_PRIORITY=""
declare -gr VAR_CHROOT_DIR="chroot"
declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
declare -ga ARY_HANDLER_JUMPHOST=()
declare -ga ARY_HANDLER_NETCUP_IPV6=()
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
### Definition of error codes
declare -gir ERR_UNCRITICAL=127
@@ -75,9 +76,9 @@ declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
### Definition of error trap vars
declare -g errcode="" # = $? = $1 = ERRCODE
declare -g errscrt="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT
declare -g errline="" # = ${LINENO} = $3 = ERRLINE
declare -g errfunc="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
declare -g errcmmd="" # = ${$BASH_COMMAND} = $5 = ERRCMMD
declare -g ERRCODE="" # = $? = $1 = ERRCODE
declare -g ERRSCRT="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT
declare -g ERRLINE="" # = ${LINENO} = $3 = ERRLINE
declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
declare -g ERRCMMD="" # = ${$BASH_COMMAND} = $5 = ERRCMMD
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
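Review bot: `declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"` followed by `touch … && chmod 0600` creates a predictably named file in a shared directory; `touch` follows a symlink already present at that path, so on a multi-user host the builder (which appears to run as root for the chroot build) can be made to write its log through a link placed by another account, and the same applies to `LOG_VAR`. The other temp files in this hunk already use `mktemp`; do the same here, e.g. `declare -gr LOG_ERROR="$(mktemp --suffix=_error.log /tmp/ciss_live_builder_XXXXXX)"`, which creates the file mode 0600 atomically and makes the `touch`/`chmod` line redundant. Separately, `VAR_HANDLER_AUTOBUILD` gets a `"false"` default while `VAR_HANDLER_NETCUP_IPV6` stays `""` and `VAR_EARLY_DEBUG` is set before this hunk, yet both are later used as `if "${VAR…}"`; defaulting every boolean handler to `"false"` avoids an empty command in those tests. The comment on `ERRCMMD` reads `${$BASH_COMMAND}`, which is not valid expansion syntax; `${BASH_COMMAND}` matches the trap_on_err doc header.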