diff --git a/.gitea/TODO/generate-iso.yaml b/.gitea/TODO/generate-iso.yaml new file mode 100644 index 0000000..091704a --- /dev/null +++ b/.gitea/TODO/generate-iso.yaml 
@@ -0,0 +1,169 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+name: Generating private Live ISO.
+
+permissions:
+ contents: write
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - '.gitea/autobuild.yaml'
+
+jobs:
+ generating-ciss-debian-live-iso:
+ runs-on: ubuntu-latest
+
+ ### Run all steps inside Debian Bookworm
+ container:
+ image: debian:bookworm
+ options: --user root
+
+ steps:
+ - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+ run: |
+ rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+ ### Private Key
+ echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+ chmod 600 ~/.ssh/id_ed25519
+
+ ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+ ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+ chmod 600 ~/.ssh/known_hosts
+
+ ### Generate SSH Config for git.coresecret.dev Custom-Port
+ cat <| ~/.ssh/config
+ Host git.coresecret.dev
+ HostName git.coresecret.dev
+ Port 42842
+ IdentityFile ~/.ssh/id_ed25519
+ StrictHostKeyChecking yes
+ UserKnownHostsFile ~/.ssh/known_hosts
+ EOF
+ chmod 600 ~/.ssh/config
+
+ ### https://github.com/actions/checkout/issues/1843
+ - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+ run: |
+ git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+ git fetch --unshallow || echo "Nothing to fetch - already full clone."
+ env:
+ ### GITHUB_REF_NAME contains the branch name from the push event.
+ GITHUB_REF_NAME: ${{ github.ref_name }}
+
+ - name: Cleaning workspace.
+ run: |
+ git reset --hard
+ git clean -fd
+
+ - name: Installing Debian Live-Build and Tools.
+ run: |
+ apt-get update
+ apt-get install -y live-build gnupg curl whois
+
+ - name: Importing "CI PGP DEPLOY ONLY" Key.
+ run: |
+ ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+ export GNUPGHOME="$(pwd)/.gnupg"
+ mkdir -m700 "${GNUPGHOME}"
+ echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+ gpg --batch --import ci-bot.sec.asc
+ ### Trust the key automatically
+ KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+ echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+ - name: Configuring Git for signed CI DEPLOY commits.
+ run: |
+ export GNUPGHOME="$(pwd)/.gnupg"
+ git config user.name "Marc S. Weidner BOT"
+ git config user.email "msw+bot@coresecret.dev"
+ git config commit.gpgsign true
+ git config gpg.program gpg
+ git config gpg.format openpgp
+
+ - name: Preparing Build Environment.
+ run: |
+ rm -rf /opt/{config,livebuild}
+ mkdir -p /opt/{config,livebuild}
+ echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
+ echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+ chmod 0600 /opt/config/authorized_keys
+
+ - name: Starting CISS.debian.live.builder.
+ run: |
+ timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
+ ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+ ./ciss_live_builder.sh \
+ --autobuild=6.12.22+bpo-amd64 \
+ --architecture amd64 \
+ --build-directory /opt/livebuild \
+ --control "${timestamp}" \
+ --debug \
+ --dhcp-centurion \
+ --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
+ --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
+ --renice-priority "-19" \
+ --reionice-priority 1 2 \
+ --root-password-file /opt/config/password.txt \
+ --ssh-port 4242 \
+ --ssh-pubkey /opt/config
+
+ - name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
+ env:
+ WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
+ WEBDAV_USER: ${{ secrets.NC_USER }}
+ WEBDAV_PASS: ${{ secrets.NC_PASS }}
+ run: |
+ ### Remove old ISO if exists
+ curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
+ ### Upload new ISO
+ curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
+ ### Verify upload
+ HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
+ if [ "$HTTP_CODE" -ne 200 ]; then
+ echo "Upload failed with HTTP status ${HTTP_CODE}"
+ exit 1
+ fi
+ echo "ISO successfully uploaded and verified."
+
+ - name: Generating Hash and Signing with Private Key
+ run: |
+ :
+ ### TODO: Implement this function
+
+ - name: Generating Success Message to Push back into Repo
+ run: |
+ :
+ ### TODO: Implement this function
+
+ - name: Stage generated files.
+ run: |
+ git add !!!!!!!!!!!!!
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+
+ - name: Commit and Sign changes.
+ run: |
+ export GNUPGHOME="$(pwd)/.gnupg"
+ git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+
+ - name: Push back to Repository.
+ run: |
+ git push origin HEAD:${GITHUB_REF_NAME}
+ env:
+ GIT_SSH_COMMAND: "ssh -p 42842"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
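Review bot: The clone step's `StrictHostKeyChecking yes` protects nothing here, because `ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts` fetches the host key from the network on every run, so whichever host answers the scan is then trusted with the deploy key. Pin the key instead, e.g. `printf '%s\n' "${{ vars.GIT_CORESECRET_DEV_HOSTKEY }}" >| ~/.ssh/known_hosts` with the `[git.coresecret.dev]:42842 ssh-ed25519 …` line kept as a repository variable (or commit the known_hosts file and check it with `ssh-keygen -F '[git.coresecret.dev]:42842'`). Secrets are also spliced into the script text via `${{ secrets.… }}` inside `run:` (deploy key, PGP key, root password, jump hosts, IPv6) instead of being passed through `env:` as the WebDAV step already does; a value containing a quote or `$(` would alter the shell script, and `/opt/config/password.txt` is written without the `chmod 0600` that `authorized_keys` gets on the next line. The "Verify upload" check issues a full GET of the ISO and downloads it again; `curl -I` (HEAD) yields the same status code without the transfer. Finally, `--debug` appears to switch on xtrace in the builder, which would print the expanded `--jump-host` and `--provider-netcup-ipv6` secret values to the job log, since the builder only suppresses tracing around the root password.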
diff --git a/.gitea/autobuild.yaml b/.gitea/autobuild.yaml new file mode 100644 index 0000000..e9e5d49 --- /dev/null +++ b/.gitea/autobuild.yaml @@ -0,0 +1,15 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +build: + counter: 1024 + version: V8.02.644.2025.05.31 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.version.properties b/.version.properties index 6419347..951d07d 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0" properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V8.02.512.2025.05.30" +properties_version="V8.02.644.2025.05.31" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \ No newline at end of file diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 902a10c..d3f1c83 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx 
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V8.02.512.2025.05.30 +PackageVersion: Master V8.02.644.2025.05.31 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 93321ce..1970535 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.512.2025.05.30-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -26,7 +26,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for @@ -43,14 +43,13 @@ Check out more: > Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. > The next step is to move to a room-gapped environment. -Please note that `coresecret.dev` is included in the HSTS Preload list and always serves the headers: +Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers: ````nginx configuration pro add_header Expect-CT "max-age=86400, enforce" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; ```` Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md) - ## 1.1. Immutable Source-of-Truth System This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static @@ -367,15 +366,17 @@ predictable script behavior. # 5. Installation & Usage +# 5.1. Interactive CLI / Dialog Wrapper + 1. Clone the repository: ```bash - git clone https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git - cd CISS.2025.debian.live.builder + git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git + cd CISS.debian.live.builder ``` -2. Run the config builder and the integrated `lb build` command (example): +2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements. - ```bash + ```yaml ./ciss_live_builder.sh --architecture amd64 \ --build-directory /opt/livebuild \ --change-splash hexagon \ 
@@ -397,6 +398,10 @@ predictable script behavior. 7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit. 8. Type `celp` for some shortcuts. +# 5.2. CI/CD Gitea Runner Workflow Example + +1. tba + # 6. Licensing & Compliance This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index cf11d0d..38f62a6 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh 
@@ -38,15 +38,16 @@ [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && { . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; } -declare -gr VERSION="Master V8.02.512.2025.05.30" -declare -gr CONTACT="security@coresecret.eu" +declare -gr VAR_VERSION="Master V8.02.644.2025.05.31" +declare -gr VAR_CONTACT="security@coresecret.eu" -### VERY EARLY CHECK FOR CONTACT, USAGE, AND VERSION STRING +### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING declare arg if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi -for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${CONTACT}"; exit 0;; esac; done +for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done +for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done -for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VERSION}"; exit 0;; esac; done +for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done unset arg ### VERY EARLY CHECK FOR XTRACE DEBUGGING @@ -54,7 +55,7 @@ if [[ $* == *" --debug "* ]]; then . ./lib/lib_debug.sh debugger "${@}" else - declare -grx EARLY_DEBUG=false + declare -grx VAR_EARLY_DEBUG=false fi ### Advisory Lock 
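Review bot: `VAR_HANDLER_AUTOBUILD` is declared only when `-a=`/`--autobuild=` is present, so in an ordinary interactive run every guard of the form `if ! $VAR_HANDLER_AUTOBUILD; then … fi` expands to `!` applied to an empty command, which exits 0, and the negation turns the guard false — the boot screen, the gauge updates, `check_provider` and `check_kernel` are then skipped precisely when they should run (and if `set -o nounset` is enabled later, the script aborts on the unbound name instead), unless something sourced earlier sets the variable. Initialise it before the scan loop: `declare -g VAR_HANDLER_AUTOBUILD=false`. `VAR_KERNEL` is also taken verbatim from `${arg#*=}` with no format check; a short pattern test on the value (as `--architecture` gets in arg_parser) would reject an empty or mistyped kernel string before it reaches the build.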
@@ -75,15 +76,15 @@ fi check_pkgs ### Dialog Output for Initialization -. ./lib/lib_boot_screen.sh && boot_screen +if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi ### Updating Status of Dialog Gauge Bar -printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi . ./var/global.var.sh . ./var/colors.var.sh ### Updating Status of Dialog Gauge Bar -printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin set -o errexit # Exit script when a command exits with non-zero status, the same as "set -e". set -o errtrace # Any traps on ERR are inherited in a subshell environment, the same as "set -E". @@ -93,18 +94,18 @@ set -o pipefail # Makes pipelines return the exit status of the last command in set -o noclobber # Prevent overwriting, the same as "set -C". ### Updating Status of Dialog Gauge Bar -printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi ### Initialization declare -gr ARGUMENTS_COUNT="$#" declare -gr ARG_STR_ORG_INPUT="$*" -declare -ar ARG_ARY_ORG_INPUT=("$@") +#declare -ar ARG_ARY_ORG_INPUT=("$@") # shellcheck disable=SC2155 declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")" # shellcheck disable=SC2155 -declare -grx WORKDIR="$(dirname "${SCRIPT_FULLPATH}")" +declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")" ### Updating Status of Dialog Gauge Bar -printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi . ./lib/lib_arg_parser.sh . ./lib/lib_arg_priority_check.sh . ./lib/lib_cdi.sh 
@@ -133,42 +134,41 @@ printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3 . ./lib/lib_usage.sh ### Updating Status of Dialog Gauge Bar -printf "XXX\nActivate traps ... \nXXX\n55\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi ### Following the CISS Bash naming and ordering scheme trap 'trap_on_exit "$?"' EXIT trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR ### Updating Status of Dialog Gauge Bar -printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi arg_check "$@" declare -ar ARG_ARY_SANITIZED=("$@") declare -gr ARG_STR_SANITIZED="${ARG_ARY_SANITIZED[*]}" ### Updating Status of Dialog Gauge Bar -printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi arg_parser "$@" ### Updating Status of Dialog Gauge Bar -printf "XXX\nFinal checks ... \nXXX\n95\n" >&3 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi clean_ip ### Updating Status of Dialog Gauge Bar -printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3 -sleep 1 +if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi -boot_screen_cleaner +if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi ### MAIN Program arg_priority_check check_stats -check_provider -check_kernel +if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi +if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi check_hooks hardening_ssh lb_config_start lb_config_write -cd "${WORKDIR}" +cd "${VAR_WORKDIR}" hardening_ultra hardening_root_pw change_splash @@ -183,6 +183,6 @@ lb_build_start set -o errtrace run_analysis copy_db -declare -g handler_success=true +declare -g VAR_SCRIPT_SUCCESS=true exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
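Review bot: In autobuild mode `check_provider` and `check_kernel` are skipped entirely, yet that is the mode in which `--provider-netcup-ipv6` and the kernel string arrive from CI secrets and a hard-coded flag, so whatever those two functions verify is bypassed exactly where no human is watching. If they only drive dialog prompts this is harmless, but if they validate the provider address or confirm the kernel package exists, give them a non-interactive path instead of skipping the call, e.g. `check_kernel "${VAR_HANDLER_AUTOBUILD}"` with the prompt guarded inside the function. The same `if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\n…\nXXX\nNN\n" >&3; fi` line is repeated eleven times in this file; a small helper that takes the message and percentage would keep the main flow readable.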
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 6032c2b..a6081fb 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.02.512.2025.05.30 +### Version Master V8.02.644.2025.05.31 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened index d11c1f9..33bf1cd 100644 --- a/config/includes.chroot/etc/sysctl.d/99_local.hardened +++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -### Version Master V8.02.512.2025.05.30 +### Version Master V8.02.644.2025.05.31 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index 32310b1..c0cbc83 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V8.02.512.2025.05.30" +declare -gr VERSION="Master V8.02.644.2025.05.31" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index 54ac294..985717b 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg 
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V8.02.512.2025.05.30 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V8.02.644.2025.05.31 at: 10:18:37.9542 diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index 84d2d65..2df6254 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,11 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. DNSSEC Status -![DNSSEC Status](docs/SECURITY/coresecret.dev.png) +This is an auto-generated overview of the DNSSEC status of `coresecret.dev` at the time of the last human-initiated push event. + +![DNSSEC Status](SECURITY/coresecret.dev.png) --- **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)** diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index ddb4e3b..d67d19a 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 18ac32a..67da645 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 6320e59..da0d26c 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. SSH Audit by ssh-audit.com diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 3f8f829..7b2386b 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# TBA diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index a3505bf..2757c75 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. Coding Style @@ -62,14 +62,27 @@ neat features. Here's how you make use of them. Besides those short hints here, * Global variables: * use them only when really necessary, * in CAPS, - * initialize them (`declare -g VAR=""`), - * use `declare -g` and use typing (variable types) if possible. + * initialize them (`declare -g VAR_EXAMPLE=""`), + * SHOULD start with: + * `ARY_` for Arrays, + * `C_` for Variables defining colored outputs, + * `ERR_` for Error Codes Variables, + * `HMP_` for HashMap Arrays, + * `LOG_` for Logfile Variables, + * `PID_` for PID Variables, + * `PIPE_` for PIPE Variables, + * `VAR_` for Variables * Local variables: * are lower case, - * declare them before usage (`declare`), - * initialize them (`declare VAR=""`). - * Preferred declaration and initialization: - * VAR: `declare -g VAR=""` and `declare -a ARRAY=()`. + * declare them before usage (`declare` eq `local`), + * initialize them (`declare var_example=""`), + * SHOULD start with: + * `ary_` for Arrays, + * `c_` for Variables defining colored outputs, + * `err_` for Error Codes Variables, + * `hmp_` for HashMap Arrays, + * `log_` for Logfile Variables, + * `var_` for Variables. # 3. Misc diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 20f3cbd..6c9a41e 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. Contributors diff --git a/docs/CREDITS.md b/docs/CREDITS.md index faf24e6..76ba7bf 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. Credits diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index b48fbfa..72dbc70 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,12 +8,12 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. Usage ````text CISS.debian.live.builder -Master V8.02.512.2025.05.30 +Master V8.02.644.2025.05.31 (c) Marc S. Weidner, 2018 - 2025 (p) Centurion Press, 2024 - 2025 diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index a988338..a01e6b6 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.02
-**Build**: V8.02.512.2025.05.30
+**Build**: V8.02.644.2025.05.31
# 2. Resources diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh index e0144f8..e504537 100644 --- a/lib/lib_arg_parser.sh +++ b/lib/lib_arg_parser.sh @@ -30,11 +30,11 @@ # ERR_SPLASH_PNG # ERR_UNCRITICAL # ERR__SSH__PORT -# HANDLER_ARCHITECTURE +# handler_architecture # HANDLER_BUILD_DIR # HANDLER_CDI # HANDLER_DHCP -# HANDLER_ISO_COUNTER +# VAR_HANDLER_ISO_COUNTER # HANDLER_PRIORITY # HANDLER_SPLASH # HANDLER_SSHPORT @@ -44,16 +44,61 @@ # ISO8601 # REIONICE_CLASS # REIONICE_PRIORITY -# VERSION +# VAR_VERSION # handler_jumphost # Arguments: # None ####################################### + +####################################### +# description +# Globals: +# ARY_HANDLER_JUMPHOST +# ARY_HANDLER_NETCUP_IPV6 +# ERR_ARG_MSMTCH +# ERR_CONTROL_CT +# ERR_MISS_PWD_F +# ERR_MISS_PWD_P +# ERR_OWNS_PWD_F +# ERR_PASS_LENGH +# ERR_PASS_PLICY +# ERR_REIONICE_P +# ERR_REIO_C_VAL +# ERR_REIO_P_VAL +# ERR_RENICE_PRI +# ERR_RGHT_PWD_F +# ERR_SPLASH_PNG +# ERR_UNCRITICAL +# ERR__SSH__PORT +# VAR_ARCHITECTURE +# VAR_BUILD_LOG +# VAR_EARLY_DEBUG +# VAR_HANDLER_BUILD_DIR +# VAR_HANDLER_CDI +# VAR_HANDLER_DHCP +# VAR_HANDLER_ISO_COUNTER +# VAR_HANDLER_NETCUP_IPV6 +# VAR_HANDLER_PRIORITY +# VAR_HANDLER_SPLASH +# VAR_HANDLER_STA +# VAR_HASHED_PWD +# VAR_ISO8601 +# VAR_REIONICE_CLASS +# VAR_REIONICE_PRIORITY +# VAR_SSHPORT +# VAR_SSHPUBKEY +# Arguments: +# None +####################################### arg_parser() { while [[ $# -gt 0 ]]; do declare argument="${1}" case "${argument,,}" in + -a=* | --autobuild=*) + shift 1 + ;; + -c | --contact) if [[ -n "${2}" && "${2}" != -* ]]; then boot_screen_cleaner @@ -86,7 +131,7 @@ arg_parser() { --architecture) if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then - declare -gx HANDLER_ARCHITECTURE="$2" + declare -gx VAR_ARCHITECTURE="${2}" shift 2 else boot_screen_cleaner 
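Review bot: The new `Globals:` header for `arg_parser` is added below the old one rather than replacing it, so the function now carries two documentation blocks, and the first still lists the names this commit renames (`HANDLER_BUILD_DIR`, `HANDLER_CDI`, `ISO8601`, `handler_jumphost`); the earlier hunk in this file also rewrote `HANDLER_ARCHITECTURE` as `handler_architecture` although the code below declares `VAR_ARCHITECTURE`. Drop the old block and keep only the list that matches the declarations. The new `-a=* | --autobuild=*)` arm accepts any value with a bare `shift 1`; even though the value is consumed at the top of `ciss_live_builder.sh`, rejecting an empty string here (`[[ -n "${argument#*=}" ]] || { printf "… --autobuild needs a kernel version …" >&2; exit "${ERR_ARG_MSMTCH}"; }`) would match how the other options fail fast. `arg_parser` continues past the end of this hunk.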
@@ -98,8 +143,8 @@ arg_parser() { ;; --build-directory) - declare -gx HANDLER_BUILD_DIR="${2}" - declare -gx BUILD_LOG="${HANDLER_BUILD_DIR}/${ISO8601}_build.log" + declare -gx VAR_HANDLER_BUILD_DIR="${2}" + declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log" shift 2 ;; @@ -110,13 +155,13 @@ arg_parser() { read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_ARG_MSMTCH}" fi - declare -g HANDLER_CDI=true + declare -g VAR_HANDLER_CDI=true shift 1 ;; --change-splash ) if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then - declare -g HANDLER_SPLASH="${2}" + declare -g VAR_HANDLER_SPLASH="${2}" shift 2 else boot_screen_cleaner @@ -129,7 +174,7 @@ arg_parser() { --control) if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65536 ]]; then - declare -gi HANDLER_ISO_COUNTER="$2" + declare -gi VAR_HANDLER_ISO_COUNTER="$2" shift 2 else boot_screen_cleaner @@ -157,7 +202,7 @@ arg_parser() { read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_ARG_MSMTCH}" fi - declare -gi HANDLER_DHCP=1 + declare -gi VAR_HANDLER_DHCP=1 shift 1 ;; @@ -166,7 +211,7 @@ arg_parser() { declare -i count=0 shift while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do - declare -g handler_jumphost+=("$1") + declare -g ARY_HANDLER_JUMPHOST+=("$1") count=$((count + 1)) shift done @@ -188,18 +233,18 @@ arg_parser() { read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_ARG_MSMTCH}" fi - declare -gi HANDLER_STA=1 + declare -gi VAR_HANDLER_STA=1 shift 1 ;; --provider-netcup-ipv6) if [[ -n "${2}" && "${2}" != -* ]]; then declare -i count=0 - declare -g handler_netcup_ipv6=true + declare -g VAR_HANDLER_NETCUP_IPV6=true shift while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do declare cleaned="${1//[\[\]]/}" - declare -g handler_netcup_ipv6_array+=("${cleaned}") + declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}") count=$((count + 1)) shift done 
@@ -216,7 +261,7 @@ arg_parser() { --renice-priority) if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then - declare -gi HANDLER_PRIORITY="$2" + declare -gi VAR_HANDLER_PRIORITY="$2" shift 2 else boot_screen_cleaner @@ -235,12 +280,12 @@ arg_parser() { exit "${ERR_REIONICE_P}" else if [[ "${2}" =~ ^[1-3]$ ]]; then - declare -gi REIONICE_CLASS="${2}" + declare -gi VAR_REIONICE_CLASS="${2}" if [[ -z "${3}" ]]; then : else if [[ "${3}" =~ ^[0-7]$ ]]; then - declare -gi REIONICE_PRIORITY="${3}" + declare -gi VAR_REIONICE_PRIORITY="${3}" else boot_screen_cleaner printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2 @@ -255,7 +300,7 @@ arg_parser() { exit "${ERR_REIO_C_VAL}" fi fi - if [[ -n ${REIONICE_PRIORITY} ]]; then + if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then shift 3 else shift 2 @@ -305,11 +350,11 @@ arg_parser() { fi declare plaintext_pw - [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons if ! IFS= read -r plaintext_pw < "${pw_file}"; then : fi - [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again declare pw_length pw_length=${#plaintext_pw} 
@@ -321,16 +366,16 @@ arg_parser() { exit "${ERR_PASS_LENGH}" fi - [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons if [[ "${plaintext_pw}" == *\"* ]]; then - [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again boot_screen_cleaner printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2 # shellcheck disable=SC2162 read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' exit "${ERR_PASS_PLICY}" fi - [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again declare salt set +o pipefail @@ -341,11 +386,11 @@ arg_parser() { set -o pipefail declare hash_temp - [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}") - [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again + [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again - declare -g HASHED_PWD="${hash_temp}" + declare -g VAR_HASHED_PWD="${hash_temp}" unset hash_temp plaintext_pw sync @@ -361,7 +406,7 @@ arg_parser() { --ssh-port) if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then - declare -gi HANDLER_SSHPORT="${2}" + declare -gi VAR_SSHPORT="${2}" shift 2 else boot_screen_cleaner @@ -372,7 +417,7 @@ arg_parser() { ;; --ssh-pubkey) - declare -g HANDLER_SSHPUBKEY="${2}" + declare -g VAR_SSHPUBKEY="${2}" shift 2 ;; diff --git a/lib/lib_arg_priority_check.sh b/lib/lib_arg_priority_check.sh index 93417f5..c59b7c7 100644 --- a/lib/lib_arg_priority_check.sh +++ b/lib/lib_arg_priority_check.sh 
@@ -13,17 +13,17 @@ ####################################### # Check and setup Script Priorities # Globals: -# HANDLER_PRIORITY -# REIONICE_CLASS -# REIONICE_PRIORITY +# VAR_HANDLER_PRIORITY +# VAR_REIONICE_CLASS +# VAR_REIONICE_PRIORITY # Arguments: # None ####################################### arg_priority_check() { declare var # Check if nice PRIORITY is set and adjust nice priority. - if [[ -n ${HANDLER_PRIORITY} ]]; then - renice "${HANDLER_PRIORITY}" -p "$$" + if [[ -n ${VAR_HANDLER_PRIORITY} ]]; then + renice "${VAR_HANDLER_PRIORITY}" -p "$$" var=$(ps -o ni= -p $$) > /dev/null 2>&1 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}" # sleep 1 @@ -31,8 +31,8 @@ arg_priority_check() { fi # Check if ionice PRIORITY is set and adjust ionice priority. - if [[ -n ${REIONICE_CLASS} ]]; then - ionice -c"${REIONICE_CLASS:-2}" -n"${REIONICE_PRIORITY:-4}" -p "$$" + if [[ -n ${VAR_REIONICE_CLASS} ]]; then + ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$" var=$(ionice -p $$) > /dev/null 2>&1 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}" # sleep 1 diff --git a/lib/lib_boot_screen.sh b/lib/lib_boot_screen.sh index 2ba4bc4..494d421 100644 --- a/lib/lib_boot_screen.sh +++ b/lib/lib_boot_screen.sh @@ -13,15 +13,15 @@ ####################################### # Change Grub Boot Screen Splash # Globals: -# boot_screen_pid -# boot_screen_pipe +# PID_BOOT_SCREEN +# PIPE_BOOT_SCREEN # Arguments: # None ####################################### boot_screen() { clear - declare -gr boot_screen_pipe="/tmp/progress.fifo" - [[ -p "${boot_screen_pipe}" ]] || mkfifo "${boot_screen_pipe}" + declare -gr PIPE_BOOT_SCREEN="/tmp/progress.fifo" + [[ -p "${PIPE_BOOT_SCREEN}" ]] || mkfifo "${PIPE_BOOT_SCREEN}" setsid dialog --no-collapse \ --ascii-lines \ 
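Review bot: `PIPE_BOOT_SCREEN="/tmp/progress.fifo"` in boot_screen is a fixed name in the shared /tmp, and the `[[ -p ... ]] || mkfifo` guard accepts any FIFO already sitting there, so a FIFO pre-created by another local user becomes the gauge's input, while a regular file or symlink at that name makes `mkfifo` fail instead. The script evidently runs as root (it chowns files to root:root elsewhere in this diff), so a private directory is the usual answer: `declare -gr PIPE_BOOT_SCREEN="$(mktemp -d)/progress.fifo"` followed by `mkfifo -m 0600 "${PIPE_BOOT_SCREEN}"`. boot_screen_cleaner in the next hunk would then have to remove that directory as well, not only the FIFO.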
@@ -29,9 +29,9 @@ boot_screen() { --title "CISS.debian.live.builder" \ --gauge "Starting initialization..." \ 10 70 0 \ - < "${boot_screen_pipe}" & - declare -gr boot_screen_pid="$!" - exec 3> "${boot_screen_pipe}" + < "${PIPE_BOOT_SCREEN}" & + declare -gr PID_BOOT_SCREEN="$!" + exec 3> "${PIPE_BOOT_SCREEN}" } ####################################### @@ -44,9 +44,9 @@ boot_screen() { ####################################### boot_screen_cleaner() { exec 3>&- - kill -TERM -- -"${boot_screen_pid}" 2>/dev/null || true - wait "${boot_screen_pid}" 2>/dev/null || true - rm -f "${boot_screen_pipe}" + kill -TERM -- -"${PID_BOOT_SCREEN}" 2>/dev/null || true + wait "${PID_BOOT_SCREEN}" 2>/dev/null || true + rm -f "${PIPE_BOOT_SCREEN}" clean_screen sleep 1 } diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh index a841279..d62c377 100644 --- a/lib/lib_cdi.sh +++ b/lib/lib_cdi.sh 
@@ -14,48 +14,48 @@ # CISS.2025.debian.installer GRUB and Autostart Generator # Globals: # BASH_SOURCE -# HANDLER_BUILD_DIR -# HANDLER_CDI -# WORKDIR -# kernel +# VAR_HANDLER_BUILD_DIR +# VAR_HANDLER_CDI +# VAR_KERNEL +# VAR_WORKDIR # Arguments: # None ####################################### cdi() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" - if [[ "${HANDLER_CDI}" == "true" ]]; then + if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then - if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" fi - cp "${WORKDIR}/scripts/9000-cdi-starter" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" - chmod 0750 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" - chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" + cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" + chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" + chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter" declare tmp_entry tmp_entry="$(mktemp)" cat << EOF >| "${tmp_entry}" -menuentry "CISS Hardened DI (${kernel})" --hotkey=i { - linux /live/vmlinuz-${kernel} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia 
hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path} - initrd /live/initrd.img-${kernel} +menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i { + linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path} + initrd /live/initrd.img-${VAR_KERNEL} } EOF sed -i "/#MUST_BE_REPLACED/{ r ${tmp_entry} d -}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg" +}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg" sed -i "/#MUST_BE_REPLACED/{ r ${tmp_entry} d -}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg" +}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg" rm -f "${tmp_entry}" else # shellcheck disable=SC1003 - sed -i '/#MUST_BE_REPLACED/c\\' "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg" + sed -i 
'/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg" fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}" } diff --git a/lib/lib_change_splash.sh b/lib/lib_change_splash.sh index 37fd476..ad0dd69 100644 --- a/lib/lib_change_splash.sh +++ b/lib/lib_change_splash.sh 
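Review bot: The `else` branch of cdi() clears the `#MUST_BE_REPLACED` placeholder only in `grub-efi/grub.cfg`, while the `then` branch patches both `grub-efi/grub.cfg` and `grub-pc/grub.cfg`; with `VAR_HANDLER_CDI` unset the BIOS config keeps the literal marker line (harmless as a GRUB comment, but asymmetric, and it leaves the marker in place for any later run over the same build tree). Adding the matching call after the existing one keeps the two branches consistent: `sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"`. The unquoted `cat << EOF` heredoc expands `${VAR_KERNEL}` straight into the GRUB entry, which is intended but relies on check_kernel only ever yielding a package-name suffix; a one-line comment above the heredoc stating that assumption would help the next reader.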
@@ -13,24 +13,24 @@ ####################################### # Change Grub Boot Screen Splash # Globals: -# HANDLER_BUILD_DIR -# HANDLER_SPLASH -# WORKDIR +# VAR_HANDLER_BUILD_DIR +# VAR_HANDLER_SPLASH +# VAR_WORKDIR # Arguments: # None ####################################### change_splash() { - if [[ ${HANDLER_SPLASH} == "club" ]]; then + if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n" - cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png - cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png - cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png + cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png + cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png + cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. 
\e[0m\n" - elif [[ ${HANDLER_SPLASH} == "hexagon" ]]; then + elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n" - cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png - cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png - cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png + cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png + cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png + cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n" fi } diff --git a/lib/lib_check_dhcp.sh b/lib/lib_check_dhcp.sh index d3857b3..b4537e7 100644 --- a/lib/lib_check_dhcp.sh +++ b/lib/lib_check_dhcp.sh @@ -13,14 +13,14 @@ ####################################### # Check if hardened Centurion DNS servers are desired. # Globals: -# HANDLER_DHCP -# WORKDIR +# VAR_HANDLER_DHCP +# VAR_WORKDIR # Arguments: # None ####################################### check_dhcp() { - if [[ ${HANDLER_DHCP} -eq 1 ]]; then - chmod +x "${WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${WORKDIR}"/scripts/0010_dhcp_supersede.sh + if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then + chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh fi } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_check_hooks.sh b/lib/lib_check_hooks.sh index 34c158c..52e10c1 100644 --- a/lib/lib_check_hooks.sh +++ b/lib/lib_check_hooks.sh 
@@ -14,7 +14,7 @@ # Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file # Globals: # ERR_UNCRITICAL -# WORKDIR +# VAR_WORKDIR # Arguments: # None ####################################### @@ -22,10 +22,10 @@ check_hooks() { declare ifs ifs=$'\n\t' shopt -s nullglob - declare -a files=("${WORKDIR}"/config/hooks/live/*.chroot) + declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot) if (( ${#files[@]} == 0 )); then - printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${WORKDIR}" >&2 + printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2 exit "${ERR_UNCRITICAL}" fi diff --git a/lib/lib_check_kernel.sh b/lib/lib_check_kernel.sh index 4ae6cbf..c5a469a 100644 --- a/lib/lib_check_kernel.sh +++ b/lib/lib_check_kernel.sh @@ -13,10 +13,10 @@ ####################################### # Kernel Image Selector # Globals: -# HANDLER_ARCHITECTURE -# KERNEL_SRT -# KERNEL_TMP -# kernel +# VAR_ARCHITECTURE +# VAR_KERNEL +# VAR_KERNEL_SRT +# VAR_KERNEL_TMP # Arguments: # None # Returns: 
@@ -27,17 +27,17 @@ check_kernel() { declare -i counter=1 declare first_string="" declare line="" - declare -gx kernel="" + declare -gx VAR_KERNEL="" declare name="" declare options="" - if [[ ${HANDLER_ARCHITECTURE} != arm64 ]]; then - apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}" + if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then + apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}" else - apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}" + apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}" fi - sort --output="${KERNEL_SRT}" "${KERNEL_TMP}" || { + sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || { printf "❌ Error check_kernel() Line 40 sort failed\n" >&2 # shellcheck disable=SC2162 read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m' @@ -49,10 +49,10 @@ check_kernel() { name=${first_string#linux-image-} options+=("${name}" "${counter}" off) ((counter++)) - done < "${KERNEL_SRT}" + done < "${VAR_KERNEL_SRT}" # shellcheck disable=SC2155 - if declare -g kernel=$(dialog \ + if declare -g VAR_KERNEL=$(dialog \ --no-collapse \ --ascii-lines \ --clear \ @@ -62,10 +62,10 @@ check_kernel() { clear else clear - if [[ "${HANDLER_ARCHITECTURE}" == "amd64" ]]; then - declare -gr kernel="amd64" - elif [[ "${HANDLER_ARCHITECTURE}" == "arm64" ]]; then - declare -gr kernel="arm64" + if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then + declare -gr VAR_KERNEL="amd64" + elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then + declare -gr VAR_KERNEL="arm64" fi fi } diff --git a/lib/lib_check_provider.sh b/lib/lib_check_provider.sh index bc7d8d4..0cede07 100644 --- a/lib/lib_check_provider.sh 
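Review bot: `if declare -g VAR_KERNEL=$(dialog \` tests the exit status of `declare`, which is 0 whenever the assignment itself succeeds, not the status of dialog, so the `else` branch in the following hunk (`@@ -62`) that falls back to the architecture name is unreachable when the user cancels the menu; the SC2155 disable is hiding exactly this. Since `declare -gx VAR_KERNEL=""` earlier in this hunk already made the variable global, a plain assignment keeps dialog's status: `if VAR_KERNEL=$(dialog \`. Separately, the two `apt-cache search ... >> "${VAR_KERNEL_TMP}"` lines append rather than truncate, so a non-empty `VAR_KERNEL_TMP` (how it is created is not visible here) would carry stale entries into the menu; `>|` would match the redirection style used elsewhere in this diff.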
+++ b/lib/lib_check_provider.sh @@ -17,8 +17,8 @@ ####################################### check_provider() { clear - cat << 'EOF' >| "${notes}" -Build: Master V8.02.512.2025.05.30 + cat << 'EOF' >| "${VAR_NOTES}" +Build: Master V8.02.644.2025.05.31 Press 'EXIT' to continue with CISS.debian.live.builder. @@ -59,7 +59,7 @@ EOF --backtitle "CISS.debian.live.builder" \ --title "Important Notes" \ --scrollbar \ - --textbox "${notes}" 32 128 + --textbox "${VAR_NOTES}" 32 128 clear } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_check_stats.sh b/lib/lib_check_stats.sh index 56f9505..0fd9f51 100644 --- a/lib/lib_check_stats.sh +++ b/lib/lib_check_stats.sh @@ -13,12 +13,12 @@ ####################################### # Check if analysis run is desired only. # Globals: -# HANDLER_STA +# VAR_HANDLER_STA # Arguments: # None ####################################### check_stats() { - if [[ ${HANDLER_STA} -eq 1 ]]; then + if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then clear run_analysis exit 0 diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh index 36ae7e2..9e652bc 100644 --- a/lib/lib_clean_up.sh +++ b/lib/lib_clean_up.sh 
@@ -13,26 +13,26 @@ ####################################### # Clean Up Wrapper on Trap on 'ERR' and 'EXIT'. # Globals: -# ERROR_LOG -# KERNEL_INF -# KERNEL_SRT -# KERNEL_TMP -# WORKDIR +# LOG_ERROR +# VAR_KERNEL_INF +# VAR_KERNEL_SRT +# VAR_KERNEL_TMP +# VAR_WORKDIR # Arguments: # 1 : ${trap_on_exit_code} of trap_on_exit() ####################################### clean_up() { declare clean_exit_code="$1" - rm -f -- "${KERNEL_INF}" - rm -f -- "${KERNEL_SRT}" - rm -f -- "${KERNEL_TMP}" + rm -f -- "${VAR_KERNEL_INF}" + rm -f -- "${VAR_KERNEL_SRT}" + rm -f -- "${VAR_KERNEL_TMP}" rm -f /run/lock/ciss_live_builder.lock - if (( clean_exit_code == 0 )); then rm -f -- "${ERROR_LOG}"; fi - if [[ -f "${WORKDIR}/hosts.allow" ]]; then - rm -f "${WORKDIR}/hosts.allow" + if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi + if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then + rm -f "${VAR_WORKDIR}/hosts.allow" fi - if [[ -f "${WORKDIR}/hosts.deny" ]]; then - rm -f "${WORKDIR}/hosts.deny" + if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then + rm -f "${VAR_WORKDIR}/hosts.deny" fi } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_copy_integrity.sh b/lib/lib_copy_integrity.sh index 74caff7..9de42b0 100644 --- a/lib/lib_copy_integrity.sh +++ b/lib/lib_copy_integrity.sh @@ -14,7 +14,7 @@ # Copy Initial ISO aide Database into Host System # Globals: # BASH_SOURCE -# HANDLER_BUILD_DIR +# VAR_HANDLER_BUILD_DIR # Arguments: # None # Returns: 
@@ -23,12 +23,12 @@ copy_db() { # printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}" - if [[ ! -d "${HANDLER_BUILD_DIR}/.integrity" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/.integrity" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity" fi - if cp -p "${HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${HANDLER_BUILD_DIR}/.integrity/"; then - chmod 0400 "${HANDLER_BUILD_DIR}/.integrity/"* + if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then + chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"* # printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}" return 0 else diff --git a/lib/lib_debug.sh b/lib/lib_debug.sh index 5e5aac9..d8dec56 100644 --- a/lib/lib_debug.sh +++ b/lib/lib_debug.sh @@ -13,12 +13,13 @@ ####################################### # Debugger Wrapper for xtrace to Debug Log # Globals: +# BASH_SOURCE # BASH_XTRACEFD -# DEBUG_LOG -# EARLY_DEBUG +# LOG_DEBUG # PS4 # SHELLOPTS -# dump_vars_initial +# VAR_DUMP_VARS_INITIAL +# VAR_EARLY_DEBUG # var # Arguments: # None 
@@ -26,22 +27,22 @@ debugger() { ### Capture an initial snapshot of all variables (excluding '^(BASH|_).*') # shellcheck disable=SC2155 - declare -grx dump_vars_initial=$(mktemp) + declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp) { declare var while IFS= read -r var; do declare -p "${var}" 2>/dev/null done < <(compgen -v | grep -Ev '^(BASH|_).*') - } | sort >| "${dump_vars_initial}" - declare -grx EARLY_DEBUG=true + } | sort >| "${VAR_DUMP_VARS_INITIAL}" + declare -grx VAR_EARLY_DEBUG=true ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m ' # shellcheck disable=SC2155 - declare -grx DEBUG_LOG="/tmp/ciss_live_builder_$$_debug.log" - ### Generates empty DEBUG_LOG - touch "${DEBUG_LOG}" && chmod 0600 "${DEBUG_LOG}" + declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log" + ### Generates empty LOG_DEBUG + touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}" ### Open file descriptor 42 for writing to the debug log - exec 42>| "${DEBUG_LOG}" + exec 42>| "${LOG_DEBUG}" ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables ### Determine the directory of this script, even if sourced. # shellcheck disable=SC2155 diff --git a/lib/lib_debug_header.sh b/lib/lib_debug_header.sh index 76c9245..f75a243 100644 --- a/lib/lib_debug_header.sh +++ b/lib/lib_debug_header.sh @@ -21,7 +21,7 @@ # PPID # PWD # UID -# VERSION +# VAR_VERSION # Arguments: # $0: Script Name $0 # $1: Argument Counter $# 
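Review bot: `LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"` is a predictable name in the shared /tmp, and the following `touch`, `chmod 0600` and `exec 42>|` all follow a pre-existing symlink, so a local user who plants one at that name before the script starts has root's complete xtrace output (every traced command with its arguments) written wherever the link points, or an arbitrary root-owned file truncated. The same function already uses `mktemp` for `VAR_DUMP_VARS_INITIAL`; creating the log the same way also makes the `touch && chmod` line redundant, since mktemp creates the file with mode 0600: `declare -grx LOG_DEBUG="$(mktemp "/tmp/ciss_live_builder_$$_debug.XXXXXX")"`. The `declare -p` snapshot written to `VAR_DUMP_VARS_INITIAL` also captures environment variables, so a comment noting that secrets passed via the environment end up in that file would be appropriate.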
@@ -32,7 +32,7 @@ debug_header() { declare -r arg_string="$2" { printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)" - printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VERSION}" + printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VAR_VERSION}" printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}" printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}" printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}" diff --git a/lib/lib_hardening_root_pw.sh b/lib/lib_hardening_root_pw.sh index c1d6298..bedc6f8 100644 --- a/lib/lib_hardening_root_pw.sh +++ b/lib/lib_hardening_root_pw.sh @@ -13,15 +13,15 @@ ####################################### # Updates the Live ISO to use root password authentication for local console access. # Globals: -# HANDLER_BUILD_DIR -# HASHED_PWD +# VAR_HANDLER_BUILD_DIR +# VAR_HASHED_PWD # Arguments: # None # Returns: # 0: In case no root password is desired. ####################################### hardening_root_pw() { - if [[ -z ${HASHED_PWD} ]]; then + if [[ -z ${VAR_HASHED_PWD} ]]; then printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n" # sleep 1 return 0 @@ -30,7 +30,7 @@ hardening_root_pw() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n" # sleep 1 - declare cfg_dir="${HANDLER_BUILD_DIR}/config/includes.chroot/etc/live" + declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live" declare cfg_file="${cfg_dir}/config.conf" declare dropin_dir="${cfg_dir}/config.conf.d" declare dropin_file="${dropin_dir}/20-root-password.conf" 
@@ -45,27 +45,27 @@ EOF sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}" fi - declare clean_hash="${HASHED_PWD//\"/}" + declare clean_hash="${VAR_HASHED_PWD//\"/}" printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}" chmod 0600 "${dropin_file}" chown root:root "${dropin_file}" - mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root" - printf '%s\n' "${clean_hash}" >| "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" - chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" - chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root" + printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" + chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" + chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd" - mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d - cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d + cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf [Service] ExecStart= #ExecStart=-/usr/sbin/agetty --noclear %I $TERM ExecStart=-agetty --noclear %I $TERM EOF - mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc - cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc + cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty tty1 tty2 tty3 
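Review bot: Besides the live-config drop-in, the password hash is written a second time to `config/includes.chroot/root/.pwd`, so the ISO ships the hash at a fixed, well-known path in root's home in addition to `config.conf.d/20-root-password.conf`; nothing in this hunk reads it back, and a second copy of a credential hash only widens what anyone with file access to the image obtains. If a later hook depends on `/root/.pwd` (not visible here), a comment above the `mkdir -p .../root` line should name it; otherwise the four `.pwd` lines can go. The `clean_hash="${VAR_HASHED_PWD//\"/}"` stripping is also redundant with the double-quote rejection arg_parser already performs on the plaintext, since crypt output never contains quotes; a one-line comment explaining why it is kept would help.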
@@ -74,21 +74,21 @@ tty5 tty6 EOF - mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin - mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin - mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/sbin - cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty" - cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty" - cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty" + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin + cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty" + cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty" + cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty" ### Hotfix I - mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators" - cat << 'EOF' >| "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator" + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators" + cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator" #!/bin/sh # bypass live-config-getty-generator exit 0 EOF - chmod +x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator" + chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator" ### Hotfix II #mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators" diff --git a/lib/lib_hardening_ssh.sh b/lib/lib_hardening_ssh.sh index b56eed7..989e1c5 100644 --- a/lib/lib_hardening_ssh.sh +++ b/lib/lib_hardening_ssh.sh 
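Review bot: The three `cp -af /usr/sbin/agetty ...` lines copy the build host's agetty binary into the image's `includes.chroot`, shadowing the package-provided one; that binary comes from whatever host runs the builder, and hardening_ultra accepts `arm64` as a target, in which case an amd64 host binary cannot even execute. It also escapes dpkg's bookkeeping, so security updates to util-linux inside the image would not replace it. This looks like a workaround for the bare `agetty` in the getty@tty1 override of the previous hunk; if so, writing the override as `ExecStart=-/sbin/agetty --noclear %I $TERM` and dropping the three copies (and the `mkdir -p` lines feeding them) avoids shipping a host binary, which is worth confirming against what the Hotfix comments were addressing.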
@@ -13,15 +13,15 @@ ####################################### # SSH Hardening Ultra via TCP Wrapper # Globals: -# WORKDIR -# handler_jumphost +# ARY_HANDLER_JUMPHOST +# VAR_WORKDIR # Arguments: # None ####################################### hardening_ssh() { - if ((${#handler_jumphost[@]} > 0)); then + if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then declare allowed="" - cat << 'EOF' >| "${WORKDIR}/hosts.allow" + cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow" # /etc/hosts.allow: list of hosts that are allowed to access the system. # See the manual pages hosts_access(5) and hosts_options(5). # @@ -34,10 +34,10 @@ hardening_ssh() { EOF - allowed=$(echo "${handler_jumphost[*]}" | tr '\n' ' ') - printf 'sshd: %s\n' "${allowed}" >> "${WORKDIR}/hosts.allow" + allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ') + printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow" - cat << 'EOF' >| "${WORKDIR}/hosts.deny" + cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny" # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system. # See the manual pages hosts_access(5) and hosts_options(5). # @@ -52,7 +52,7 @@ EOF # # You may wish to enable this to ensure any programs that don't # validate looked-up hostnames still leave understandable logs. In past -# versions of Debian this has been the default. +# versions of Debian, this has been the default. # ALL: PARANOID ALL: ALL diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh index d33cdd9..41264b4 100644 --- a/lib/lib_hardening_ultra.sh +++ b/lib/lib_hardening_ultra.sh 
@@ -11,65 +11,65 @@ # SPDX-Security-Contact: security@coresecret.eu ####################################### -# Wrapper for accompanying all CISS.2025 hardening features into the Live ISO image. +# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image. # Globals: -# HANDLER_ARCHITECTURE -# HANDLER_BUILD_DIR -# HANDLER_SSHPORT -# HANDLER_SSHPUBKEY -# WORKDIR -# handler_jumphost -# handler_jumphost_unique +# ARY_HANDLER_JUMPHOST +# ARY_HANDLER_JUMPHOST_UNIQUE +# VAR_ARCHITECTURE +# VAR_HANDLER_BUILD_DIR +# VAR_SSHPORT +# VAR_SSHPUBKEY +# VAR_WORKDIR # Arguments: # None ####################################### hardening_ultra() { # shellcheck disable=SC2164 - cd "${WORKDIR}" + cd "${VAR_WORKDIR}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n" - if [[ ! -d "${HANDLER_BUILD_DIR}/config/bootloaders" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/config/bootloaders" - cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" + cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config" else - cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config" + cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config" fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n" - if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" - cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config" + if [[ ! 
-d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" + cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config" else - cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config" + cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config" fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n" - if [[ ! -d "${HANDLER_BUILD_DIR}/config/hooks/live" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/config/hooks/live" - cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" + cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks" else - cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks" + cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks" fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n" - if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot" - cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" + cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config" else - cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config" + cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config" fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n" - if [[ ! 
-d "${HANDLER_BUILD_DIR}/config/package-lists" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/config/package-lists" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists" fi - cp -af ./config/package-lists/live.list.common.chroot "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" + cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" - case "${HANDLER_ARCHITECTURE}" in + case "${VAR_ARCHITECTURE}" in amd64) declare arch_list="./config/package-lists/live.list.amd64.chroot" declare arch_comment="# amd64 specific packages" @@ -79,7 +79,7 @@ hardening_ultra() { declare arch_comment="# arm64 specific packages" ;; *) - printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${HANDLER_ARCHITECTURE}" + printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}" exit 1 ;; esac 
@@ -105,26 +105,26 @@ hardening_ultra() { } print } - ' "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" + ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n" - if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then - mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" - cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" - chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" - chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" + cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" + chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" + chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" - declare -r sshport="${HANDLER_SSHPORT:-22}" + declare -r sshport="${VAR_SSHPORT:-22}" - sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" - sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + 
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" - if [[ ${#handler_jumphost[@]} -gt 0 ]]; then + if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then - declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" declare line line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) @@ -135,7 +135,7 @@ hardening_ultra() { fi declare host - for host in "${handler_jumphost_unique[@]}"; do + for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do ((line++)) sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file" done 
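Review bot: The guard `if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then` in this branch tests the raw jump-host array, while the loop a few lines below iterates `ARY_HANDLER_JUMPHOST_UNIQUE` and the mirror branch in the `@@ -143,19` hunk tests `${#ARY_HANDLER_JUMPHOST_UNIQUE[@]}`. clean_ip in lib/lib_helper_ip.sh can `continue` past an entry without appending it, so the unique list may be shorter than the raw one; when every entry is dropped this branch still deletes the generic `ufw allow in "${SSHPORT}"/tcp` rule and then adds no per-host rule, which would presumably leave the image with no inbound SSH allow at all. Test the same array in both places: `if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then`. The two branches otherwise duplicate a dozen lines that differ only in the `mkdir -p`; making that `mkdir -p` unconditional would let the else branch go away. hardening_ultra's body continues outside the hunk.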
@@ -143,19 +143,19 @@ hardening_ultra() { else - cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" - chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" - chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" + cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" + chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" + chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys" - declare -r sshport="${HANDLER_SSHPORT:-22}" + declare -r sshport="${VAR_SSHPORT:-22}" - sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" - sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" - sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" + sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" - if [[ ${#handler_jumphost_unique[@]} -gt 0 ]]; then + if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then - declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" + declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" declare line line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) 
@@ -166,7 +166,7 @@ hardening_ultra() { fi declare host - for host in "${handler_jumphost_unique[@]}"; do + for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do ((line++)) sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file" done @@ -174,21 +174,21 @@ hardening_ultra() { fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n" - if [[ -f "${WORKDIR}/hosts.allow" ]]; then + if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n" - cp -af "${WORKDIR}/hosts.allow" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc" - cp -af "${WORKDIR}/hosts.deny" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc" - chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow" - chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny" - rm -f "${WORKDIR}/hosts.allow" - rm -f "${WORKDIR}/hosts.deny" + cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" + cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc" + chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow" + chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny" + rm -f "${VAR_WORKDIR}/hosts.allow" + rm -f "${VAR_WORKDIR}/hosts.deny" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n" fi - if ((${#handler_jumphost[@]} > 0)); then + if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n" # Join array entries with spaces, preserving any newlines - declare ips="${handler_jumphost[*]}" + declare ips="${ARY_HANDLER_JUMPHOST[*]}" # Flatten to a single line and strip literal brackets [] declare flat_ips flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]') 
@@ -196,14 +196,14 @@ hardening_ultra() { # Perform an in-place replacement of MUST_BE_SET with the cleaned list sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \ - "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n" else printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n" sed -i \ -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \ -e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \ - "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" + "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n" fi } diff --git a/lib/lib_helper_ip.sh b/lib/lib_helper_ip.sh index 1cbcd50..093e24f 100644 --- a/lib/lib_helper_ip.sh +++ b/lib/lib_helper_ip.sh @@ -13,15 +13,15 @@ ####################################### # IP Notation cleaner for pure IP output only # Globals: -# handler_jumphost -# handler_jumphost_unique +# ARY_HANDLER_JUMPHOST +# ARY_HANDLER_JUMPHOST_UNIQUE # Arguments: # None ####################################### clean_ip() { declare host declare stripped - for host in "${handler_jumphost[@]}"; do + for host in "${ARY_HANDLER_JUMPHOST[@]}"; do # Remove leading '[' and trailing ']' stripped="${host#\[}" stripped="${stripped%\]}" @@ -30,7 +30,7 @@ clean_ip() { continue fi # Directly append, no duplicate check - declare -ga handler_jumphost_unique+=("${stripped}") + declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}") done } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_build_start.sh b/lib/lib_lb_build_start.sh index 8c840f4..9580ba5 100644 
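Review bot: The branch guarded by `-f "${VAR_WORKDIR}/hosts.allow"` also copies and then `rm -f`s `${VAR_WORKDIR}/hosts.deny` without checking that it exists; if only hosts.allow was generated, the second `cp -af` fails (and with the ERR trap from lib_trap_on_err.sh presumably aborts the build) after hosts.allow has already been moved into the chroot includes, so a re-run no longer sees hosts.allow and silently skips the whole step. Either guard on both files, `if [[ -f "${VAR_WORKDIR}/hosts.allow" && -f "${VAR_WORKDIR}/hosts.deny" ]]; then`, or copy each file behind its own test. The fail2ban `ignoreip` list further down is built from the raw `ARY_HANDLER_JUMPHOST[*]` whereas the ufw rules above use the cleaned `ARY_HANDLER_JUMPHOST_UNIQUE`; if both are meant to describe the same hosts, a one-line comment stating why the raw list is used here would help. The hunk sits inside hardening_ultra, whose body starts above it.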
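Review bot: `declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")` re-declares the array on every loop iteration; the array is already created with `declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()` in var/global.var.sh, so the plain append `ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")` is enough and does not hide the assignment behind `declare`. The comment `# Directly append, no duplicate check` contradicts the `_UNIQUE` suffix; either add the check, e.g. `[[ " ${ARY_HANDLER_JUMPHOST_UNIQUE[*]} " == *" ${stripped} "* ]] && continue`, or rename the array to something like `ARY_HANDLER_JUMPHOST_CLEAN` so readers do not rely on de-duplication that does not happen. The condition that `continue`s past an entry lies above the hunk.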
--- a/lib/lib_lb_build_start.sh +++ b/lib/lib_lb_build_start.sh @@ -13,20 +13,20 @@ ####################################### # Wrapper to write a new 'lb config' environment. # Globals: -# BUILD_LOG # ERR_UNCRITICAL -# HANDLER_BUILD_DIR +# VAR_BUILD_LOG +# VAR_HANDLER_BUILD_DIR # Arguments: # None ####################################### lb_build_start() { - printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${BUILD_LOG}" + printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}" # sleep 1 # shellcheck disable=SC2164 - cd "${HANDLER_BUILD_DIR}" + cd "${VAR_HANDLER_BUILD_DIR}" - if lb build --color 2>&1 | tee "${BUILD_LOG}"; then + if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then printf "\e[92m✅ Build successfully completed.\e[0m\n" else printf "\e[91m❌ Build failed!\e[0m\n" >&2 diff --git a/lib/lib_lb_config_start.sh b/lib/lib_lb_config_start.sh index f663941..a3d51a6 100644 --- a/lib/lib_lb_config_start.sh +++ b/lib/lib_lb_config_start.sh 
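Review bot: `if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then` takes the exit status of `tee`, not of `lb build`, unless `set -o pipefail` is in effect somewhere outside this file; as written a failed build can print `✅ Build successfully completed.` and let the pipeline carry on to publish the artefact. Either enable `set -o pipefail` in the script prologue, or check the producer explicitly: `lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; if (( PIPESTATUS[0] == 0 )); then`. The header line `# Wrapper to write a new 'lb config' environment.` appears to be copied from lb_config_write and should describe the build step instead. The else branch continues outside the hunk.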
@@ -13,24 +13,24 @@ ####################################### # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts. # Globals: -# HANDLER_BUILD_DIR +# VAR_HANDLER_BUILD_DIR # Arguments: # $0: Script-name ####################################### lb_config_start() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" - if [[ ! -d ${HANDLER_BUILD_DIR} ]]; then - mkdir -p "${HANDLER_BUILD_DIR}" + if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then + mkdir -p "${VAR_HANDLER_BUILD_DIR}" # shellcheck disable=SC2164 - cd "${HANDLER_BUILD_DIR}" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${HANDLER_BUILD_DIR}" + cd "${VAR_HANDLER_BUILD_DIR}" + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}" else # shellcheck disable=SC2164 - cd "${HANDLER_BUILD_DIR}" + cd "${VAR_HANDLER_BUILD_DIR}" fi - if [[ ! -d "${HANDLER_BUILD_DIR}/.build" ]]; then + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n" # Start lb config in a completely detached shell bash -c "lb config" & diff --git a/lib/lib_lb_config_write.sh b/lib/lib_lb_config_write.sh index 0b1b679..d5186b9 100644 --- a/lib/lib_lb_config_write.sh +++ b/lib/lib_lb_config_write.sh @@ -13,12 +13,20 @@ ####################################### # Wrapper to write a new 'lb config' environment. # Globals: -# HANDLER_ARCHITECTURE -# HANDLER_BUILD_DIR -# HANDLER_ISO_COUNTER -# VERSION -# WORKDIR -# kernel +# VAR_HANDLER_ISO_COUNTER +# VAR_ARCHITECTURE +# VAR_HANDLER_BUILD_DIR +# VAR_KERNEL +# VAR_WORKDIR +# VAR_VERSION +# Arguments: +# None +####################################### + +####################################### +# description +# Globals: + # Arguments: # None ####################################### 
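Review bot: The rewritten header of lb_config_write ends with a second, empty `#######` stanza — `# description`, `# Globals:`, `# Arguments:`, `# None` — that reads as a pasted template rather than documentation; drop it so the function keeps a single header. The Globals list above it is no longer alphabetical (`VAR_HANDLER_ISO_COUNTER` before `VAR_ARCHITECTURE`, `VAR_WORKDIR` before `VAR_VERSION`), unlike the other headers touched by this commit, so sort it the same way. The summary line `# Wrapper to write a new 'lb config' environment.` is now shared verbatim with lib_lb_build_start.sh, and only one of the two functions writes a config. The function body lies below the hunk.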
@@ -31,7 +39,7 @@ lb_config_write() { --apt-recommends true \ --apt-secure true \ --apt-source-archives true \ - --architecture "${HANDLER_ARCHITECTURE}" \ + --architecture "${VAR_ARCHITECTURE}" \ --archive-areas main contrib non-free non-free-firmware \ --backports true \ --binary-filesystem fat32 \ @@ -59,15 +67,15 @@ lb_config_write() { --firmware-binary true \ --firmware-chroot true \ --hdd-label "CENTURIONLIVE" \ - --image-name "ciss-debian-live-${HANDLER_ISO_COUNTER}" \ + --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \ --initramfs "live-boot" \ --initramfs-compression gzip \ --initsystem systemd \ - --iso-application "CISS.debian.live.builder: ${VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \ + --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \ --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \ --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \ --iso-volume 'CISS.debian.live' \ - --linux-flavours "${kernel}" \ + --linux-flavours "${VAR_KERNEL}" \ --linux-packages linux-image \ --loadlin true \ --memtest memtest86+ \ 
@@ -103,10 +111,10 @@ lb_config_write() { sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary - mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot - cp -a "${WORKDIR}/scripts/live-boot/0030-verify-checksums" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" - chmod 0755 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" - chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot + cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" + chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n" } diff --git a/lib/lib_provider_netcup.sh b/lib/lib_provider_netcup.sh index 5895cda..2872eb4 100644 --- a/lib/lib_provider_netcup.sh +++ b/lib/lib_provider_netcup.sh 
@@ -16,14 +16,14 @@ # None ####################################### provider_netcup() { - if "${handler_netcup_ipv6}"; then + if "${VAR_HANDLER_NETCUP_IPV6}"; then printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" - declare handler_netcup_ipv6_string="${handler_netcup_ipv6_array[*]}" + declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}" - mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d + mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d - cat << EOF >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static + cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static ### Static IPv6 Address for Netcup Root Server iface ens3 inet6 static address ${handler_netcup_ipv6_string}/128 @@ -34,10 +34,10 @@ iface ens3 inet6 static # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF - sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" - rm -f "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" - cp "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" - chmod 0755 "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" + rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" + chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}" fi 
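Review bot: `if "${VAR_HANDLER_NETCUP_IPV6}"; then` executes the variable's contents as a command; var/global.var.sh initialises it to `""`, so when the provider flag is not given the shell tries to run an empty command name and prints `command not found` to stderr before taking the else path, and any other value is executed rather than compared. Compare the string instead, as print_scr_exit in lib_trap_on_exit.sh already does: `if [[ "${VAR_HANDLER_NETCUP_IPV6}" == "true" ]]; then`. The same `if "${VAR_EARLY_DEBUG}"` form appears in lib_trap_on_err.sh, lib_trap_on_exit.sh and var/global.var.sh in this commit and deserves the same treatment. The heredoc writes `address ${handler_netcup_ipv6_string}/128`, where the string is `ARY_HANDLER_NETCUP_IPV6[*]` joined by spaces; if the array can hold more than one entry the stanza becomes invalid, so a comment stating the single-address assumption (or a loop) would help. The function continues outside the hunk.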
diff --git a/lib/lib_run_analysis.sh b/lib/lib_run_analysis.sh index 77d5986..adf9439 100644 --- a/lib/lib_run_analysis.sh +++ b/lib/lib_run_analysis.sh @@ -13,17 +13,17 @@ ####################################### # Wrapper for statistic functions of the final build. # Globals: -# BUILD_LOG -# CHROOT_DIR # ERR_UNCRITICAL -# HANDLER_BUILD_DIR -# PACKAGES_FILE +# VAR_BUILD_LOG +# VAR_CHROOT_DIR +# VAR_HANDLER_BUILD_DIR +# VAR_PACKAGES_FILE # Arguments: # None ####################################### run_analysis() { # shellcheck disable=SC2164 - cd "${HANDLER_BUILD_DIR}" + cd "${VAR_HANDLER_BUILD_DIR}" # shellcheck disable=SC2155 declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1) 
@@ -38,21 +38,21 @@ run_analysis() { # shellcheck disable=SC2155 declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}') # shellcheck disable=SC2155 - declare chroot_size_hr=$(du -sh "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}') + declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}') # shellcheck disable=SC2155 - declare chroot_size_bytes=$(du -sb "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}') + declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}') # shellcheck disable=SC2155 declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }') # shellcheck disable=SC2155 - declare package_count=$(wc -l < "${PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden") + declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden") # shellcheck disable=SC2155 - declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${BUILD_LOG}")" + declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")" - if [[ -f "${BUILD_LOG}" ]]; then + if [[ -f "${VAR_BUILD_LOG}" ]]; then # shellcheck disable=SC2155 - declare start_line=$(grep 'lb build' "${BUILD_LOG}" | head -n1 || true) + declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true) # shellcheck disable=SC2155 - declare end_line=$(grep 'lb source' "${BUILD_LOG}" | tail -n1 || true) + declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true) if [[ -n "${start_line}" && -n "${end_line}" ]]; then # shellcheck disable=SC2155 diff --git a/lib/lib_sanitizer.sh b/lib/lib_sanitizer.sh index a212d78..116d01e 100644 --- a/lib/lib_sanitizer.sh +++ b/lib/lib_sanitizer.sh @@ -27,8 +27,8 @@ arg_check() { ####################################### # Function to sanitize a single argument # Globals: -# ERROR_LOG # ERR_INVLD_CHAR +# LOG_ERROR # Arguments: # $1: Argument to check ####################################### 
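Review bot: `declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"` runs before the `if [[ -f "${VAR_BUILD_LOG}" ]]` check two lines below, so a missing log yields a grep error on stderr and an empty value while the `declare` wrapper masks the non-zero status; move that line inside the `if`. `compression` divides `iso_size_bytes` by `chroot_size_bytes`, and both `du` calls discard stderr, so an absent chroot directory gives an empty divisor and awk fails with a division-by-zero error instead of a clear message; guard with `if [[ -n "${chroot_size_bytes}" && "${chroot_size_bytes}" -gt 0 ]]; then` before computing it. The fallback text `nicht gefunden` is the only German string in an otherwise English script; `not found` would match the surrounding output. run_analysis continues outside the hunk.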
@@ -46,7 +46,7 @@ sanitize_arg() {
 printf "❌ in argument : '%s'. \n" "${input}"
 printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - ' \n"
 printf "\n"
- } >> "${ERROR_LOG}"
+ } >> "${LOG_ERROR}"
 boot_screen_cleaner
 printf "\e[91m❌ Invalid character : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
 printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2
diff --git a/lib/lib_trap_on_err.sh b/lib/lib_trap_on_err.sh
index 794f316..14b574e 100644
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -16,40 +16,42 @@ # ARGUMENTS_COUNT # ARG_STR_ORG_INPUT # ARG_STR_SANITIZED -# DEBUG_LOG -# EARLY_DEBUG -# ERROR_LOG -# VAR_LOG -# VERSION -# errcmmd -# errcode -# errfunc -# errline -# errscrt +# LOG_DEBUG +# ERRCMMD +# ERRCODE +# ERRFUNC +# ERRLINE +# ERRSCRT +# LOG_ERROR +# LOG_VAR +# SECONDS +# VAR_EARLY_DEBUG +# VAR_SYSTEM +# VAR_VERSION # Arguments: # None ####################################### print_file_err() { { printf "❌ CISS.debian.live.builder Script failed. \n" - printf "❌ Version : %s \n" "${VERSION}" - printf "❌ Environment : %s \n" "${SYSTEM_VAR}" - printf "❌ Error : %s \n" "${errcode}" - printf "❌ Line : %s \n" "${errline}" - printf "❌ Script : %s \n" "${errscrt}" - printf "❌ Function : %s \n" "${errfunc}" - printf "❌ Command : %s \n" "${errcmmd}" + printf "❌ Version : %s \n" "${VAR_VERSION}" + printf "❌ Environment : %s \n" "${VAR_SYSTEM}" + printf "❌ Error : %s \n" "${ERRCODE}" + printf "❌ Line : %s \n" "${ERRLINE}" + printf "❌ Script : %s \n" "${ERRSCRT}" + printf "❌ Function : %s \n" "${ERRFUNC}" + printf "❌ Command : %s \n" "${ERRCMMD}" printf "❌ Script Runtime : %s \n" "${SECONDS}" printf "❌ Arguments Counter : %s \n" "${ARGUMENTS_COUNT}" printf "❌ Arguments Original : %s \n" "${ARG_STR_ORG_INPUT}" printf "❌ Arguments Sanitized : %s \n" "${ARG_STR_SANITIZED}" - if "${EARLY_DEBUG}"; then - printf "❌ Vars Dump saved at : %s \n" "${VAR_LOG}" - printf "❌ Debug Log saved at : %s \n" "${DEBUG_LOG}" - printf "❌ cat %s \n" "${DEBUG_LOG}" + if "${VAR_EARLY_DEBUG}"; then + printf "❌ Vars Dump saved at : %s \n" "${LOG_VAR}" + printf "❌ Debug Log saved at : %s \n" "${LOG_DEBUG}" + printf "❌ cat %s \n" "${LOG_DEBUG}" fi printf "\n" - } >> "${ERROR_LOG}" + } >> "${LOG_ERROR}" } ####################################### 
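Review bot: The rewritten Globals list in print_file_err's header is no longer sorted — `LOG_DEBUG` sits above `ERRCMMD` and apart from `LOG_ERROR`/`LOG_VAR` — while the other headers touched by this commit (lib_run_analysis.sh, lib_lb_build_start.sh) keep alphabetical order; the print_scr_err header in the next hunk has the same layout. Listing `SECONDS` as a global is fine, but a short qualifier such as `# SECONDS (bash builtin)` would tell the reader it is not defined in var/global.var.sh like the rest.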
@@ -58,38 +60,40 @@ print_file_err() { # ARGUMENTS_COUNT # ARG_STR_ORG_INPUT # ARG_STR_SANITIZED -# DEBUG_LOG -# EARLY_DEBUG -# ERROR_LOG -# VAR_LOG -# VERSION -# errcmmd -# errcode -# errfunc -# errline -# errscrt +# LOG_DEBUG +# ERRCMMD +# ERRCODE +# ERRFUNC +# ERRLINE +# ERRSCRT +# LOG_ERROR +# LOG_VAR +# SECONDS +# VAR_EARLY_DEBUG +# VAR_SYSTEM +# VAR_VERSION # Arguments: # None ####################################### print_scr_err() { printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2 - printf "\e[91m❌ Version : %s \e[0m\n" "${VERSION}" >&2 - printf "\e[91m❌ Environment : %s \e[0m\n" "${SYSTEM_VAR}" >&2 - printf "\e[91m❌ Error : %s \e[0m\n" "${errcode}" >&2 - printf "\e[91m❌ Line : %s \e[0m\n" "${errline}" >&2 - printf "\e[91m❌ Script : %s \e[0m\n" "${errscrt}" >&2 - printf "\e[91m❌ Function : %s \e[0m\n" "${errfunc}" >&2 - printf "\e[91m❌ Command : %s \e[0m\n" "${errcmmd}" >&2 + printf "\e[91m❌ Version : %s \e[0m\n" "${VAR_VERSION}" >&2 + printf "\e[91m❌ Environment : %s \e[0m\n" "${VAR_SYSTEM}" >&2 + printf "\e[91m❌ Error : %s \e[0m\n" "${ERRCODE}" >&2 + printf "\e[91m❌ Line : %s \e[0m\n" "${ERRLINE}" >&2 + printf "\e[91m❌ Script : %s \e[0m\n" "${ERRSCRT}" >&2 + printf "\e[91m❌ Function : %s \e[0m\n" "${ERRFUNC}" >&2 + printf "\e[91m❌ Command : %s \e[0m\n" "${ERRCMMD}" >&2 printf "\e[91m❌ Script Runtime : %s \e[0m\n" "${SECONDS}" >&2 printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2 printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2 printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${ARG_STR_SANITIZED}" >&2 - printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${ERROR_LOG}" >&2 - printf "\e[91m❌ cat %s \e[0m\n" "${ERROR_LOG}" >&2 - if "${EARLY_DEBUG}"; then - printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${VAR_LOG}" >&2 - printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${DEBUG_LOG}" >&2 - printf "\e[91m❌ cat %s \e[0m\n" "${DEBUG_LOG}" >&2 + printf "\e[91m❌ Error Log saved at : %s \e[0m\n" 
"${LOG_ERROR}" >&2 + printf "\e[91m❌ cat %s \e[0m\n" "${LOG_ERROR}" >&2 + if "${VAR_EARLY_DEBUG}"; then + printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}" >&2 + printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${LOG_DEBUG}" >&2 + printf "\e[91m❌ cat %s \e[0m\n" "${LOG_DEBUG}" >&2 fi printf "\n" } @@ -97,7 +101,12 @@ print_scr_err() { ####################################### # Trap function to be called on 'ERR'. # Globals: -# EARLY_DEBUG +# ERRCMMD +# ERRCODE +# ERRFUNC +# ERRLINE +# ERRSCRT +# VAR_EARLY_DEBUG # Arguments: # $1: $? # $2: ${BASH_SOURCE[0]} @@ -106,14 +115,14 @@ print_scr_err() { # $5: ${BASH_COMMAND} ####################################### trap_on_err() { - declare -g errcode="$1" - declare -g errscrt="$2" - declare -g errline="$3" - declare -g errfunc="$4" - declare -g errcmmd="$5" + declare -g ERRCODE="$1" + declare -g ERRSCRT="$2" + declare -g ERRLINE="$3" + declare -g ERRFUNC="$4" + declare -g ERRCMMD="$5" trap - ERR - if "${EARLY_DEBUG}"; then dump_user_vars; fi - clean_up "${errcode}" + if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi + clean_up "${ERRCODE}" clean_screen print_file_err print_scr_err @@ -122,10 +131,9 @@ trap_on_err() { ####################################### # Gather all user-defined variables (name and value) # Globals: -# VAR_LOG -# VERSION -# dump_vars_initial -# var +# LOG_VAR +# VAR_DUMP_VARS_INITIAL +# VAR_VERSION # Arguments: # None ####################################### 
@@ -144,19 +152,19 @@ dump_user_vars() { { printf "✅ CISS.debian.live.builder Config Variable Dump. \n" - printf "✅ Version : %s \n" "${VERSION}" + printf "✅ Version : %s \n" "${VAR_VERSION}" printf "\n" printf "===== Initial VAR Environment ===== \n" - } >> "${VAR_LOG}" + } >> "${LOG_VAR}" - comm -23 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true + comm -23 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true { printf "\n" printf "===== Final VAR Environment ===== \n" - } >> "${VAR_LOG}" + } >> "${LOG_VAR}" - comm -13 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true - rm "${dump_vars_initial}" "${dump_vars_final}" + comm -13 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true + rm "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_trap_on_exit.sh b/lib/lib_trap_on_exit.sh index 2ff8b82..9e9cbdf 100644 --- a/lib/lib_trap_on_exit.sh +++ b/lib/lib_trap_on_exit.sh @@ -13,7 +13,7 @@ ####################################### # Trap function to be called on 'EXIT'. # Globals: -# EARLY_DEBUG +# VAR_EARLY_DEBUG # Arguments: # $1: $? ####################################### @@ -21,7 +21,7 @@ trap_on_exit() { declare -r trap_on_exit_code="$1" trap - EXIT if (( trap_on_exit_code == 0 )); then - if "${EARLY_DEBUG}"; then dump_user_vars; fi + if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi clean_up "${trap_on_exit_code}" print_scr_exit "${trap_on_exit_code}" exit 0 
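Review bot: `dump_vars_final` is left in lower case while its sibling became `VAR_DUMP_VARS_INITIAL`, and it is absent from the function's Globals block in the preceding hunk; if it is a global set elsewhere it should be renamed alongside and documented, if it is a local it should be introduced with `declare dump_vars_final` above this hunk. `rm "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}"` without `-f` trips the ERR trap if either temp file is already gone, which matters because dump_user_vars is itself called from the trap handlers; `rm -f "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}"` is safer here. The start of the function lies outside the hunk.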
@@ -33,28 +33,29 @@ trap_on_exit() { ####################################### # Print Success Message for Trap on 'EXIT' on 'stdout' # Globals: -# DEBUG -# DEBUG_LOG -# HANDLER_BUILD_DIR -# VAR_LOG -# handler_success +# LOG_DEBUG +# LOG_VAR +# SECONDS +# VAR_EARLY_DEBUG +# VAR_HANDLER_BUILD_DIR +# VAR_SCRIPT_SUCCESS # Arguments: # $1: ${trap_on_exit_code} of trap_on_exit() ####################################### print_scr_exit() { declare -r print_scr_exit_code="$1" if (( print_scr_exit_code == 0 )); then - if [[ "${handler_success}" == "true" ]]; then + if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then printf "\n" printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n" - printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${HANDLER_BUILD_DIR}/.integrity/" + printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/" printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}" printf "\n" - if [[ "${EARLY_DEBUG}" == "true" ]]; then + if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then printf "\e[92m✅ Script Runtime : %s \e[0m\n" "${SECONDS}" - printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${VAR_LOG}" - printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${DEBUG_LOG}" - printf "\e[92m✅ cat %s \e[0m\n" "${DEBUG_LOG}" + printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${LOG_VAR}" + printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${LOG_DEBUG}" + printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DEBUG}" printf "\n" fi printf "\e[95m💷 Please consider donating to my work at: \e[0m\n" diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh index 7107275..f63b756 100644 --- a/lib/lib_usage.sh +++ b/lib/lib_usage.sh @@ -22,7 +22,7 @@ usage() { cat << EOF $(echo -e "\e[92mCISS.debian.live.builder\e[0m") -$(echo -e "\e[92mMaster V8.02.512.2025.05.30\e[0m") +$(echo -e "\e[92mMaster V8.02.644.2025.05.31\e[0m") $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m") $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m") 
diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter
index e2dd7cb..56d56c7 100644
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.02.512.2025.05.30 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.02.644.2025.05.31 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
 chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
diff --git a/var/global.var.sh b/var/global.var.sh
index c3eadeb..d8157e3 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -11,45 +11,46 @@ # SPDX-Security-Contact: security@coresecret.eu # shellcheck disable=SC2155 -declare -gr SYSTEM_VAR="$(uname -a)" +declare -gr VAR_SYSTEM="$(uname -a)" # shellcheck disable=SC2155 -declare -gr ISO8601="$(date +%Y_%m_%d_%H_%M_%S)" +declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)" # shellcheck disable=SC2155 -declare -gr KERNEL_INF="$(mktemp)" +declare -gr VAR_KERNEL_INF="$(mktemp)" # shellcheck disable=SC2155 -declare -gr KERNEL_TMP="$(mktemp)" +declare -gr VAR_KERNEL_TMP="$(mktemp)" # shellcheck disable=SC2155 -declare -gr KERNEL_SRT="$(mktemp)" +declare -gr VAR_KERNEL_SRT="$(mktemp)" # shellcheck disable=SC2155 -declare -gr notes="$(mktemp)" +declare -gr VAR_NOTES="$(mktemp)" -if "${EARLY_DEBUG}"; then - declare -gr VAR_LOG="/tmp/ciss_live_builder_$$_var.log" - touch "${VAR_LOG}" && chmod 0600 "${VAR_LOG}" +if "${VAR_EARLY_DEBUG}"; then + declare -gr LOG_VAR="/tmp/ciss_live_builder_$$_var.log" + touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}" fi -declare -gr ERROR_LOG="/tmp/ciss_live_builder_$$_error.log" -touch "${ERROR_LOG}" && chmod 0600 "${ERROR_LOG}" +declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log" +touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}" -declare -g HANDLER_ARCHITECTURE="" -declare -g HANDLER_BUILD_DIR="" -declare -g HANDLER_CDI="" -declare -g HANDLER_DHCP="" -declare -g HANDLER_SPLASH="" -declare -g HANDLER_SSHPORT="" -declare -g HANDLER_SSHPUBKEY="" -declare -g handler_success="" -declare -g HANDLER_PRIORITY="" -declare -g handler_netcup_ipv6="" -declare -g handler_netcup_ipv6_array="" -declare -g HASHED_PWD="" -declare -g HANDLER_STA="" -declare -g REIONICE_CLASS="" -declare -g REIONICE_PRIORITY="" -declare -gr CHROOT_DIR="chroot" -declare -gr PACKAGES_FILE="chroot.packages.live" -declare -ga handler_jumphost=() -declare -ga handler_jumphost_unique=() +declare -g VAR_ARCHITECTURE="" +declare -g VAR_HANDLER_AUTOBUILD="false" +declare -g VAR_HANDLER_BUILD_DIR="" +declare -g VAR_HANDLER_CDI="" +declare -g 
VAR_HANDLER_DHCP="" +declare -g VAR_HANDLER_SPLASH="" +declare -g VAR_SSHPORT="" +declare -g VAR_SSHPUBKEY="" +declare -g VAR_SCRIPT_SUCCESS="" +declare -g VAR_HANDLER_PRIORITY="" +declare -g VAR_HANDLER_NETCUP_IPV6="" +declare -g VAR_HASHED_PWD="" +declare -g VAR_HANDLER_STA="" +declare -g VAR_REIONICE_CLASS="" +declare -g VAR_REIONICE_PRIORITY="" +declare -gr VAR_CHROOT_DIR="chroot" +declare -gr VAR_PACKAGES_FILE="chroot.packages.live" +declare -ga ARY_HANDLER_JUMPHOST=() +declare -ga ARY_HANDLER_NETCUP_IPV6=() +declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=() ### Definition of error codes declare -gir ERR_UNCRITICAL=127 @@ -75,9 +76,9 @@ declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash ### Definition of error trap vars -declare -g errcode="" # = $? = $1 = ERRCODE -declare -g errscrt="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT -declare -g errline="" # = ${LINENO} = $3 = ERRLINE -declare -g errfunc="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC -declare -g errcmmd="" # = ${$BASH_COMMAND} = $5 = ERRCMMD +declare -g ERRCODE="" # = $? = $1 = ERRCODE +declare -g ERRSCRT="" # = ${BASH_SOURCE[0]} = $2 = ERRSCRT +declare -g ERRLINE="" # = ${LINENO} = $3 = ERRLINE +declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC +declare -g ERRCMMD="" # = ${$BASH_COMMAND} = $5 = ERRCMMD # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
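Review bot: `declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"` (and `LOG_VAR` above it) is a predictable name in a world-writable directory created with `touch` followed by `chmod 0600`; the builder runs as root (`chown root:root` throughout), so a pre-existing file or symlink at that path is followed by `touch`, `chmod` and every later `>>`, and the file exists with umask permissions until the chmod runs. The same block already uses `mktemp` for `VAR_KERNEL_INF`, `VAR_KERNEL_TMP`, `VAR_KERNEL_SRT` and `VAR_NOTES`; do the same here: `declare -gr LOG_ERROR="$(mktemp /tmp/ciss_live_builder_error.XXXXXX)"`, which also makes the `touch`/`chmod` pair unnecessary. `VAR_HANDLER_NETCUP_IPV6` keeps the `""` default although lib_provider_netcup.sh evaluates it with `if "${VAR_HANDLER_NETCUP_IPV6}"`; initialising it to `"false"` like the new `VAR_HANDLER_AUTOBUILD` avoids the empty-command error when the flag is unset.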
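Review bot: The renamed trap variables still carry comments of the form `# = $? = $1 = ERRCODE`, where the trailing `= ERRCODE` now merely repeats the variable name, and the last line keeps the typo `${$BASH_COMMAND}`; `declare -g ERRCMMD="" # = ${BASH_COMMAND} = $5` fixes both on that line, and the others can drop their trailing `= NAME` the same way. The `= $1` … `= $5` mapping is worth keeping because trap_on_err assigns them positionally with `declare -g ERRCODE="$1"` and so on.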