msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.02.644.2025.05.31
All checks were successful
Retrieve the DNSSEC status at the time of updating the repository. / build-dnssec-diagram (push) Successful in 30s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-05-31 00:42:24 +02:00
parent d9fb33376d
commit efa3a5d3aa
49 changed files with 712 additions and 444 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
lib/lib_arg_parser.sh
View File

@@ -30,11 +30,11 @@
# ERR_SPLASH_PNG
# ERR_UNCRITICAL
# ERR__SSH__PORT
# HANDLER_ARCHITECTURE
# handler_architecture
# HANDLER_BUILD_DIR
# HANDLER_CDI
# HANDLER_DHCP
# HANDLER_ISO_COUNTER
# VAR_HANDLER_ISO_COUNTER
# HANDLER_PRIORITY
# HANDLER_SPLASH
# HANDLER_SSHPORT
@@ -44,16 +44,61 @@
# ISO8601
# REIONICE_CLASS
# REIONICE_PRIORITY
# VERSION
# VAR_VERSION
# handler_jumphost
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_NETCUP_IPV6
# ERR_ARG_MSMTCH
# ERR_CONTROL_CT
# ERR_MISS_PWD_F
# ERR_MISS_PWD_P
# ERR_OWNS_PWD_F
# ERR_PASS_LENGH
# ERR_PASS_PLICY
# ERR_REIONICE_P
# ERR_REIO_C_VAL
# ERR_REIO_P_VAL
# ERR_RENICE_PRI
# ERR_RGHT_PWD_F
# ERR_SPLASH_PNG
# ERR_UNCRITICAL
# ERR__SSH__PORT
# VAR_ARCHITECTURE
# VAR_BUILD_LOG
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
# VAR_HANDLER_DHCP
# VAR_HANDLER_ISO_COUNTER
# VAR_HANDLER_NETCUP_IPV6
# VAR_HANDLER_PRIORITY
# VAR_HANDLER_SPLASH
# VAR_HANDLER_STA
# VAR_HASHED_PWD
# VAR_ISO8601
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SSHPORT
# VAR_SSHPUBKEY
# Arguments:
# None
#######################################
arg_parser() {
while [[ $# -gt 0 ]]; do
declare argument="${1}"
case "${argument,,}" in
-a=* | --autobuild=*)
shift 1
;;
-c | --contact)
if [[ -n "${2}" && "${2}" != -* ]]; then
boot_screen_cleaner
@@ -86,7 +131,7 @@ arg_parser() {
--architecture)
if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
declare -gx HANDLER_ARCHITECTURE="$2"
declare -gx VAR_ARCHITECTURE="${2}"
shift 2
else
boot_screen_cleaner
@@ -98,8 +143,8 @@ arg_parser() {
;;
--build-directory)
declare -gx HANDLER_BUILD_DIR="${2}"
declare -gx BUILD_LOG="${HANDLER_BUILD_DIR}/${ISO8601}_build.log"
declare -gx VAR_HANDLER_BUILD_DIR="${2}"
declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
shift 2
;;
@@ -110,13 +155,13 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
declare -g HANDLER_CDI=true
declare -g VAR_HANDLER_CDI=true
shift 1
;;
--change-splash )
if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
declare -g HANDLER_SPLASH="${2}"
declare -g VAR_HANDLER_SPLASH="${2}"
shift 2
else
boot_screen_cleaner
@@ -129,7 +174,7 @@ arg_parser() {
--control)
if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65536 ]]; then
declare -gi HANDLER_ISO_COUNTER="$2"
declare -gi VAR_HANDLER_ISO_COUNTER="$2"
shift 2
else
boot_screen_cleaner
@@ -157,7 +202,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
declare -gi HANDLER_DHCP=1
declare -gi VAR_HANDLER_DHCP=1
shift 1
;;
@@ -166,7 +211,7 @@ arg_parser() {
declare -i count=0
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
declare -g handler_jumphost+=("$1")
declare -g ARY_HANDLER_JUMPHOST+=("$1")
count=$((count + 1))
shift
done
@@ -188,18 +233,18 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
declare -gi HANDLER_STA=1
declare -gi VAR_HANDLER_STA=1
shift 1
;;
--provider-netcup-ipv6)
if [[ -n "${2}" && "${2}" != -* ]]; then
declare -i count=0
declare -g handler_netcup_ipv6=true
declare -g VAR_HANDLER_NETCUP_IPV6=true
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
declare cleaned="${1//[\[\]]/}"
declare -g handler_netcup_ipv6_array+=("${cleaned}")
declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
count=$((count + 1))
shift
done
@@ -216,7 +261,7 @@ arg_parser() {
--renice-priority)
if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
declare -gi HANDLER_PRIORITY="$2"
declare -gi VAR_HANDLER_PRIORITY="$2"
shift 2
else
boot_screen_cleaner
@@ -235,12 +280,12 @@ arg_parser() {
exit "${ERR_REIONICE_P}"
else
if [[ "${2}" =~ ^[1-3]$ ]]; then
declare -gi REIONICE_CLASS="${2}"
declare -gi VAR_REIONICE_CLASS="${2}"
if [[ -z "${3}" ]]; then
:
else
if [[ "${3}" =~ ^[0-7]$ ]]; then
declare -gi REIONICE_PRIORITY="${3}"
declare -gi VAR_REIONICE_PRIORITY="${3}"
else
boot_screen_cleaner
printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2
@@ -255,7 +300,7 @@ arg_parser() {
exit "${ERR_REIO_C_VAL}"
fi
fi
if [[ -n ${REIONICE_PRIORITY} ]]; then
if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then
shift 3
else
shift 2
@@ -305,11 +350,11 @@ arg_parser() {
fi
declare plaintext_pw
[[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
if ! IFS= read -r plaintext_pw < "${pw_file}"; then
:
fi
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
declare pw_length
pw_length=${#plaintext_pw}
@@ -321,16 +366,16 @@ arg_parser() {
exit "${ERR_PASS_LENGH}"
fi
[[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
if [[ "${plaintext_pw}" == *\"* ]]; then
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
boot_screen_cleaner
printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_PASS_PLICY}"
fi
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
declare salt
set +o pipefail
@@ -341,11 +386,11 @@ arg_parser() {
set -o pipefail
declare hash_temp
[[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
[[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
declare -g HASHED_PWD="${hash_temp}"
declare -g VAR_HASHED_PWD="${hash_temp}"
unset hash_temp plaintext_pw
sync
@@ -361,7 +406,7 @@ arg_parser() {
--ssh-port)
if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
declare -gi HANDLER_SSHPORT="${2}"
declare -gi VAR_SSHPORT="${2}"
shift 2
else
boot_screen_cleaner
@@ -372,7 +417,7 @@ arg_parser() {
;;
--ssh-pubkey)
declare -g HANDLER_SSHPUBKEY="${2}"
declare -g VAR_SSHPUBKEY="${2}"
shift 2
;;

14
lib/lib_arg_priority_check.sh
View File

@@ -13,17 +13,17 @@
#######################################
# Check and setup Script Priorities
# Globals:
# HANDLER_PRIORITY
# REIONICE_CLASS
# REIONICE_PRIORITY
# VAR_HANDLER_PRIORITY
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# Arguments:
# None
#######################################
arg_priority_check() {
declare var
# Check if nice PRIORITY is set and adjust nice priority.
if [[ -n ${HANDLER_PRIORITY} ]]; then
renice "${HANDLER_PRIORITY}" -p "$$"
if [[ -n ${VAR_HANDLER_PRIORITY} ]]; then
renice "${VAR_HANDLER_PRIORITY}" -p "$$"
var=$(ps -o ni= -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
# sleep 1
@@ -31,8 +31,8 @@ arg_priority_check() {
fi
# Check if ionice PRIORITY is set and adjust ionice priority.
if [[ -n ${REIONICE_CLASS} ]]; then
ionice -c"${REIONICE_CLASS:-2}" -n"${REIONICE_PRIORITY:-4}" -p "$$"
if [[ -n ${VAR_REIONICE_CLASS} ]]; then
ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
var=$(ionice -p $$) > /dev/null 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
# sleep 1

20
lib/lib_boot_screen.sh
View File

@@ -13,15 +13,15 @@
#######################################
# Change Grub Boot Screen Splash
# Globals:
# boot_screen_pid
# boot_screen_pipe
# PID_BOOT_SCREEN
# PIPE_BOOT_SCREEN
# Arguments:
# None
#######################################
boot_screen() {
clear
declare -gr boot_screen_pipe="/tmp/progress.fifo"
[[ -p "${boot_screen_pipe}" ]] || mkfifo "${boot_screen_pipe}"
declare -gr PIPE_BOOT_SCREEN="/tmp/progress.fifo"
[[ -p "${PIPE_BOOT_SCREEN}" ]] || mkfifo "${PIPE_BOOT_SCREEN}"
setsid dialog --no-collapse \
--ascii-lines \
@@ -29,9 +29,9 @@ boot_screen() {
--title "CISS.debian.live.builder" \
--gauge "Starting initialization..." \
10 70 0 \
< "${boot_screen_pipe}" &
declare -gr boot_screen_pid="$!"
exec 3> "${boot_screen_pipe}"
< "${PIPE_BOOT_SCREEN}" &
declare -gr PID_BOOT_SCREEN="$!"
exec 3> "${PIPE_BOOT_SCREEN}"
}
#######################################
@@ -44,9 +44,9 @@ boot_screen() {
#######################################
boot_screen_cleaner() {
exec 3>&-
kill -TERM -- -"${boot_screen_pid}" 2>/dev/null || true
wait "${boot_screen_pid}" 2>/dev/null || true
rm -f "${boot_screen_pipe}"
kill -TERM -- -"${PID_BOOT_SCREEN}" 2>/dev/null || true
wait "${PID_BOOT_SCREEN}" 2>/dev/null || true
rm -f "${PIPE_BOOT_SCREEN}"
clean_screen
sleep 1
}

32
lib/lib_cdi.sh
View File

@@ -14,48 +14,48 @@
# CISS.2025.debian.installer GRUB and Autostart Generator
# Globals:
# BASH_SOURCE
# HANDLER_BUILD_DIR
# HANDLER_CDI
# WORKDIR
# kernel
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
# VAR_KERNEL
# VAR_WORKDIR
# Arguments:
# None
#######################################
cdi() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${HANDLER_CDI}" == "true" ]]; then
if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
fi
cp "${WORKDIR}/scripts/9000-cdi-starter" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chmod 0750 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
declare tmp_entry
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${kernel})" --hotkey=i {
linux /live/vmlinuz-${kernel} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${kernel}
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
sed -i "/#MUST_BE_REPLACED/{
r ${tmp_entry}
d
}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
rm -f "${tmp_entry}"
else
# shellcheck disable=SC1003
sed -i '/#MUST_BE_REPLACED/c\\' "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
}

22
lib/lib_change_splash.sh
View File

@@ -13,24 +13,24 @@
#######################################
# Change Grub Boot Screen Splash
# Globals:
# HANDLER_BUILD_DIR
# HANDLER_SPLASH
# WORKDIR
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_SPLASH
# VAR_WORKDIR
# Arguments:
# None
#######################################
change_splash() {
if [[ ${HANDLER_SPLASH} == "club" ]]; then
if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
elif [[ ${HANDLER_SPLASH} == "hexagon" ]]; then
elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
fi
}

8
lib/lib_check_dhcp.sh
View File

@@ -13,14 +13,14 @@
#######################################
# Check if hardened Centurion DNS servers are desired.
# Globals:
# HANDLER_DHCP
# WORKDIR
# VAR_HANDLER_DHCP
# VAR_WORKDIR
# Arguments:
# None
#######################################
check_dhcp() {
if [[ ${HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${WORKDIR}"/scripts/0010_dhcp_supersede.sh
if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
lib/lib_check_hooks.sh
View File

@@ -14,7 +14,7 @@
# Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
# Globals:
# ERR_UNCRITICAL
# WORKDIR
# VAR_WORKDIR
# Arguments:
# None
#######################################
@@ -22,10 +22,10 @@ check_hooks() {
declare ifs
ifs=$'\n\t'
shopt -s nullglob
declare -a files=("${WORKDIR}"/config/hooks/live/*.chroot)
declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
if (( ${#files[@]} == 0 )); then
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${WORKDIR}" >&2
printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
exit "${ERR_UNCRITICAL}"
fi

30
lib/lib_check_kernel.sh
View File

@@ -13,10 +13,10 @@
#######################################
# Kernel Image Selector
# Globals:
# HANDLER_ARCHITECTURE
# KERNEL_SRT
# KERNEL_TMP
# kernel
# VAR_ARCHITECTURE
# VAR_KERNEL
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# Arguments:
# None
# Returns:
@@ -27,17 +27,17 @@ check_kernel() {
declare -i counter=1
declare first_string=""
declare line=""
declare -gx kernel=""
declare -gx VAR_KERNEL=""
declare name=""
declare options=""
if [[ ${HANDLER_ARCHITECTURE} != arm64 ]]; then
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
else
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
fi
sort --output="${KERNEL_SRT}" "${KERNEL_TMP}" || {
sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
printf "❌ Error check_kernel() Line 40 sort failed\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -49,10 +49,10 @@ check_kernel() {
name=${first_string#linux-image-}
options+=("${name}" "${counter}" off)
((counter++))
done < "${KERNEL_SRT}"
done < "${VAR_KERNEL_SRT}"
# shellcheck disable=SC2155
if declare -g kernel=$(dialog \
if declare -g VAR_KERNEL=$(dialog \
--no-collapse \
--ascii-lines \
--clear \
@@ -62,10 +62,10 @@ check_kernel() {
clear
else
clear
if [[ "${HANDLER_ARCHITECTURE}" == "amd64" ]]; then
declare -gr kernel="amd64"
elif [[ "${HANDLER_ARCHITECTURE}" == "arm64" ]]; then
declare -gr kernel="arm64"
if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
declare -gr VAR_KERNEL="amd64"
elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
declare -gr VAR_KERNEL="arm64"
fi
fi
}

6
lib/lib_check_provider.sh
View File

@@ -17,8 +17,8 @@
#######################################
check_provider() {
clear
cat << 'EOF' >| "${notes}"
Build: Master V8.02.512.2025.05.30
cat << 'EOF' >| "${VAR_NOTES}"
Build: Master V8.02.644.2025.05.31
Press 'EXIT' to continue with CISS.debian.live.builder.
@@ -59,7 +59,7 @@ EOF
--backtitle "CISS.debian.live.builder" \
--title "Important Notes" \
--scrollbar \
--textbox "${notes}" 32 128
--textbox "${VAR_NOTES}" 32 128
clear
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

4
lib/lib_check_stats.sh
View File

@@ -13,12 +13,12 @@
#######################################
# Check if analysis run is desired only.
# Globals:
# HANDLER_STA
# VAR_HANDLER_STA
# Arguments:
# None
#######################################
check_stats() {
if [[ ${HANDLER_STA} -eq 1 ]]; then
if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
clear
run_analysis
exit 0

26
lib/lib_clean_up.sh
View File

@@ -13,26 +13,26 @@
#######################################
# Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
# Globals:
# ERROR_LOG
# KERNEL_INF
# KERNEL_SRT
# KERNEL_TMP
# WORKDIR
# LOG_ERROR
# VAR_KERNEL_INF
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# VAR_WORKDIR
# Arguments:
# 1 : ${trap_on_exit_code} of trap_on_exit()
#######################################
clean_up() {
declare clean_exit_code="$1"
rm -f -- "${KERNEL_INF}"
rm -f -- "${KERNEL_SRT}"
rm -f -- "${KERNEL_TMP}"
rm -f -- "${VAR_KERNEL_INF}"
rm -f -- "${VAR_KERNEL_SRT}"
rm -f -- "${VAR_KERNEL_TMP}"
rm -f /run/lock/ciss_live_builder.lock
if (( clean_exit_code == 0 )); then rm -f -- "${ERROR_LOG}"; fi
if [[ -f "${WORKDIR}/hosts.allow" ]]; then
rm -f "${WORKDIR}/hosts.allow"
if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
rm -f "${VAR_WORKDIR}/hosts.allow"
fi
if [[ -f "${WORKDIR}/hosts.deny" ]]; then
rm -f "${WORKDIR}/hosts.deny"
if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then
rm -f "${VAR_WORKDIR}/hosts.deny"
fi
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
lib/lib_copy_integrity.sh
View File

@@ -14,7 +14,7 @@
# Copy Initial ISO aide Database into Host System
# Globals:
# BASH_SOURCE
# HANDLER_BUILD_DIR
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
@@ -23,12 +23,12 @@
copy_db() {
# printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ ! -d "${HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/.integrity"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
fi
if cp -p "${HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${HANDLER_BUILD_DIR}/.integrity/"*
if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
# printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
else

21
lib/lib_debug.sh
View File

@@ -13,12 +13,13 @@
#######################################
# Debugger Wrapper for xtrace to Debug Log
# Globals:
# BASH_SOURCE
# BASH_XTRACEFD
# DEBUG_LOG
# EARLY_DEBUG
# LOG_DEBUG
# PS4
# SHELLOPTS
# dump_vars_initial
# VAR_DUMP_VARS_INITIAL
# VAR_EARLY_DEBUG
# var
# Arguments:
# None
@@ -26,22 +27,22 @@
debugger() {
### Capture an initial snapshot of all variables (excluding '^(BASH|_).*')
# shellcheck disable=SC2155
declare -grx dump_vars_initial=$(mktemp)
declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
{
declare var
while IFS= read -r var; do
declare -p "${var}" 2>/dev/null
done < <(compgen -v | grep -Ev '^(BASH|_).*')
} | sort >| "${dump_vars_initial}"
declare -grx EARLY_DEBUG=true
} | sort >| "${VAR_DUMP_VARS_INITIAL}"
declare -grx VAR_EARLY_DEBUG=true
### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
# shellcheck disable=SC2155
declare -grx DEBUG_LOG="/tmp/ciss_live_builder_$$_debug.log"
### Generates empty DEBUG_LOG
touch "${DEBUG_LOG}" && chmod 0600 "${DEBUG_LOG}"
declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
### Generates empty LOG_DEBUG
touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
### Open file descriptor 42 for writing to the debug log
exec 42>| "${DEBUG_LOG}"
exec 42>| "${LOG_DEBUG}"
### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
### Determine the directory of this script, even if sourced.
# shellcheck disable=SC2155

4
lib/lib_debug_header.sh
View File

@@ -21,7 +21,7 @@
# PPID
# PWD
# UID
# VERSION
# VAR_VERSION
# Arguments:
# $0: Script Name $0
# $1: Argument Counter $#
@@ -32,7 +32,7 @@ debug_header() {
declare -r arg_string="$2"
{
printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Version : %s \e[0m\n" "$(date +%T.%4N)" "${VAR_VERSION}"
printf "\e[97m+\e[0m\e[92m%s: Epoch : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"

44
lib/lib_hardening_root_pw.sh
View File

@@ -13,15 +13,15 @@
#######################################
# Updates the Live ISO to use root password authentication for local console access.
# Globals:
# HANDLER_BUILD_DIR
# HASHED_PWD
# VAR_HANDLER_BUILD_DIR
# VAR_HASHED_PWD
# Arguments:
# None
# Returns:
# 0: In case no root password is desired.
#######################################
hardening_root_pw() {
if [[ -z ${HASHED_PWD} ]]; then
if [[ -z ${VAR_HASHED_PWD} ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
# sleep 1
return 0
@@ -30,7 +30,7 @@ hardening_root_pw() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
# sleep 1
declare cfg_dir="${HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
declare cfg_file="${cfg_dir}/config.conf"
declare dropin_dir="${cfg_dir}/config.conf.d"
declare dropin_file="${dropin_dir}/20-root-password.conf"
@@ -45,27 +45,27 @@ EOF
sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
fi
declare clean_hash="${HASHED_PWD//\"/}"
declare clean_hash="${VAR_HASHED_PWD//\"/}"
printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
chmod 0600 "${dropin_file}"
chown root:root "${dropin_file}"
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
[Service]
ExecStart=
#ExecStart=-/usr/sbin/agetty --noclear %I $TERM
ExecStart=-agetty --noclear %I $TERM
EOF
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
tty1
tty2
tty3
@@ -74,21 +74,21 @@ tty5
tty6
EOF
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
### Hotfix I
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
#!/bin/sh
# bypass live-config-getty-generator
exit 0
EOF
chmod +x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
### Hotfix II
#mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"

16
lib/lib_hardening_ssh.sh
View File

@@ -13,15 +13,15 @@
#######################################
# SSH Hardening Ultra via TCP Wrapper
# Globals:
# WORKDIR
# handler_jumphost
# ARY_HANDLER_JUMPHOST
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ssh() {
if ((${#handler_jumphost[@]} > 0)); then
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
declare allowed=""
cat << 'EOF' >| "${WORKDIR}/hosts.allow"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -34,10 +34,10 @@ hardening_ssh() {
EOF
allowed=$(echo "${handler_jumphost[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${WORKDIR}/hosts.allow"
allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
cat << 'EOF' >| "${WORKDIR}/hosts.deny"
cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
@@ -52,7 +52,7 @@ EOF
#
# You may wish to enable this to ensure any programs that don't
# validate looked-up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# versions of Debian, this has been the default.
# ALL: PARANOID
ALL: ALL

128
lib/lib_hardening_ultra.sh
View File

@@ -11,65 +11,65 @@
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Wrapper for accompanying all CISS.2025 hardening features into the Live ISO image.
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
# Globals:
# HANDLER_ARCHITECTURE
# HANDLER_BUILD_DIR
# HANDLER_SSHPORT
# HANDLER_SSHPUBKEY
# WORKDIR
# handler_jumphost
# handler_jumphost_unique
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_SSHPORT
# VAR_SSHPUBKEY
# VAR_WORKDIR
# Arguments:
# None
#######################################
hardening_ultra() {
# shellcheck disable=SC2164
cd "${WORKDIR}"
cd "${VAR_WORKDIR}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/package-lists"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
fi
cp -af ./config/package-lists/live.list.common.chroot "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
case "${HANDLER_ARCHITECTURE}" in
case "${VAR_ARCHITECTURE}" in
amd64)
declare arch_list="./config/package-lists/live.list.amd64.chroot"
declare arch_comment="# amd64 specific packages"
@@ -79,7 +79,7 @@ hardening_ultra() {
declare arch_comment="# arm64 specific packages"
;;
*)
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${HANDLER_ARCHITECTURE}"
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
exit 1
;;
esac
@@ -105,26 +105,26 @@ hardening_ultra() {
}
print
}
' "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${HANDLER_SSHPORT:-22}"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#handler_jumphost[@]} -gt 0 ]]; then
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -135,7 +135,7 @@ hardening_ultra() {
fi
declare host
for host in "${handler_jumphost_unique[@]}"; do
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
@@ -143,19 +143,19 @@ hardening_ultra() {
else
cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
declare -r sshport="${HANDLER_SSHPORT:-22}"
declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#handler_jumphost_unique[@]} -gt 0 ]]; then
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -166,7 +166,7 @@ hardening_ultra() {
fi
declare host
for host in "${handler_jumphost_unique[@]}"; do
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++))
sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
done
@@ -174,21 +174,21 @@ hardening_ultra() {
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
if [[ -f "${WORKDIR}/hosts.allow" ]]; then
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
cp -af "${WORKDIR}/hosts.allow" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${WORKDIR}/hosts.deny" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${WORKDIR}/hosts.allow"
rm -f "${WORKDIR}/hosts.deny"
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
rm -f "${VAR_WORKDIR}/hosts.allow"
rm -f "${VAR_WORKDIR}/hosts.deny"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
fi
if ((${#handler_jumphost[@]} > 0)); then
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
# Join array entries with spaces, preserving any newlines
declare ips="${handler_jumphost[*]}"
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets []
declare flat_ips
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
@@ -196,14 +196,14 @@ hardening_ultra() {
# Perform an in-place replacement of MUST_BE_SET with the cleaned list
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
"${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
else
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
sed -i \
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
"${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
fi
}

8
lib/lib_helper_ip.sh
View File

@@ -13,15 +13,15 @@
#######################################
# IP Notation cleaner for pure IP output only
# Globals:
# handler_jumphost
# handler_jumphost_unique
# ARY_HANDLER_JUMPHOST
# ARY_HANDLER_JUMPHOST_UNIQUE
# Arguments:
# None
#######################################
clean_ip() {
declare host
declare stripped
for host in "${handler_jumphost[@]}"; do
for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
# Remove leading '[' and trailing ']'
stripped="${host#\[}"
stripped="${stripped%\]}"
@@ -30,7 +30,7 @@ clean_ip() {
continue
fi
# Directly append, no duplicate check
declare -ga handler_jumphost_unique+=("${stripped}")
declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

10
lib/lib_lb_build_start.sh
View File

@@ -13,20 +13,20 @@
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# BUILD_LOG
# ERR_UNCRITICAL
# HANDLER_BUILD_DIR
# VAR_BUILD_LOG
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
#######################################
lb_build_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${BUILD_LOG}"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
# sleep 1
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
if lb build --color 2>&1 | tee "${BUILD_LOG}"; then
if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
printf "\e[92m✅ Build successfully completed.\e[0m\n"
else
printf "\e[91m❌ Build failed!\e[0m\n" >&2

14
lib/lib_lb_config_start.sh
View File

@@ -13,24 +13,24 @@
#######################################
# Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
# Globals:
# HANDLER_BUILD_DIR
# VAR_HANDLER_BUILD_DIR
# Arguments:
# $0: Script-name
#######################################
lb_config_start() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d ${HANDLER_BUILD_DIR} ]]; then
mkdir -p "${HANDLER_BUILD_DIR}"
if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
else
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
fi
if [[ ! -d "${HANDLER_BUILD_DIR}/.build" ]]; then
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
# Start lb config in a completely detached shell
bash -c "lb config" &

36
lib/lib_lb_config_write.sh
View File

@@ -13,12 +13,20 @@
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# HANDLER_ARCHITECTURE
# HANDLER_BUILD_DIR
# HANDLER_ISO_COUNTER
# VERSION
# WORKDIR
# kernel
# VAR_HANDLER_ISO_COUNTER
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL
# VAR_WORKDIR
# VAR_VERSION
# Arguments:
# None
#######################################
#######################################
# description
# Globals:
# Arguments:
# None
#######################################
@@ -31,7 +39,7 @@ lb_config_write() {
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${HANDLER_ARCHITECTURE}" \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
@@ -59,15 +67,15 @@ lb_config_write() {
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${HANDLER_ISO_COUNTER}" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${kernel}" \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
@@ -103,10 +111,10 @@ lb_config_write() {
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${WORKDIR}/scripts/live-boot/0030-verify-checksums" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}

16
lib/lib_provider_netcup.sh
View File

@@ -16,14 +16,14 @@
# None
#######################################
provider_netcup() {
if "${handler_netcup_ipv6}"; then
if "${VAR_HANDLER_NETCUP_IPV6}"; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare handler_netcup_ipv6_string="${handler_netcup_ipv6_array[*]}"
declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
cat << EOF >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
### Static IPv6 Address for Netcup Root Server
iface ens3 inet6 static
address ${handler_netcup_ipv6_string}/128
@@ -34,10 +34,10 @@ iface ens3 inet6 static
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
fi

24
lib/lib_run_analysis.sh
View File

@@ -13,17 +13,17 @@
#######################################
# Wrapper for statistic functions of the final build.
# Globals:
# BUILD_LOG
# CHROOT_DIR
# ERR_UNCRITICAL
# HANDLER_BUILD_DIR
# PACKAGES_FILE
# VAR_BUILD_LOG
# VAR_CHROOT_DIR
# VAR_HANDLER_BUILD_DIR
# VAR_PACKAGES_FILE
# Arguments:
# None
#######################################
run_analysis() {
# shellcheck disable=SC2164
cd "${HANDLER_BUILD_DIR}"
cd "${VAR_HANDLER_BUILD_DIR}"
# shellcheck disable=SC2155
declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1)
@@ -38,21 +38,21 @@ run_analysis() {
# shellcheck disable=SC2155
declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_hr=$(du -sh "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare chroot_size_bytes=$(du -sb "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
# shellcheck disable=SC2155
declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }')
# shellcheck disable=SC2155
declare package_count=$(wc -l < "${PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
# shellcheck disable=SC2155
declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${BUILD_LOG}")"
declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"
if [[ -f "${BUILD_LOG}" ]]; then
if [[ -f "${VAR_BUILD_LOG}" ]]; then
# shellcheck disable=SC2155
declare start_line=$(grep 'lb build' "${BUILD_LOG}" | head -n1 || true)
declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true)
# shellcheck disable=SC2155
declare end_line=$(grep 'lb source' "${BUILD_LOG}" | tail -n1 || true)
declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true)
if [[ -n "${start_line}" && -n "${end_line}" ]]; then
# shellcheck disable=SC2155

4
lib/lib_sanitizer.sh
View File

@@ -27,8 +27,8 @@ arg_check() {
#######################################
# Function to sanitize a single argument
# Globals:
# ERROR_LOG
# ERR_INVLD_CHAR
# LOG_ERROR
# Arguments:
# $1: Argument to check
#######################################
@@ -46,7 +46,7 @@ sanitize_arg() {
printf "❌ in argument : '%s'. \n" "${input}"
printf "❌ Allowed Characters : 'a-z A-Z 0-9 . _ / = [ ] : \" - ' \n"
printf "\n"
} >> "${ERROR_LOG}"
} >> "${LOG_ERROR}"
boot_screen_cleaner
printf "\e[91m❌ Invalid character : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
printf "\e[91m❌ in argument : '%s'. \e[0m\n" "${input}" >&2

134
lib/lib_trap_on_err.sh
View File

@@ -16,40 +16,42 @@
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ARG_STR_SANITIZED
# DEBUG_LOG
# EARLY_DEBUG
# ERROR_LOG
# VAR_LOG
# VERSION
# errcmmd
# errcode
# errfunc
# errline
# errscrt
# LOG_DEBUG
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_ERROR
# LOG_VAR
# SECONDS
# VAR_EARLY_DEBUG
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_file_err() {
{
printf "❌ CISS.debian.live.builder Script failed. \n"
printf "❌ Version : %s \n" "${VERSION}"
printf "❌ Environment : %s \n" "${SYSTEM_VAR}"
printf "❌ Error : %s \n" "${errcode}"
printf "❌ Line : %s \n" "${errline}"
printf "❌ Script : %s \n" "${errscrt}"
printf "❌ Function : %s \n" "${errfunc}"
printf "❌ Command : %s \n" "${errcmmd}"
printf "❌ Version : %s \n" "${VAR_VERSION}"
printf "❌ Environment : %s \n" "${VAR_SYSTEM}"
printf "❌ Error : %s \n" "${ERRCODE}"
printf "❌ Line : %s \n" "${ERRLINE}"
printf "❌ Script : %s \n" "${ERRSCRT}"
printf "❌ Function : %s \n" "${ERRFUNC}"
printf "❌ Command : %s \n" "${ERRCMMD}"
printf "❌ Script Runtime : %s \n" "${SECONDS}"
printf "❌ Arguments Counter : %s \n" "${ARGUMENTS_COUNT}"
printf "❌ Arguments Original : %s \n" "${ARG_STR_ORG_INPUT}"
printf "❌ Arguments Sanitized : %s \n" "${ARG_STR_SANITIZED}"
if "${EARLY_DEBUG}"; then
printf "❌ Vars Dump saved at : %s \n" "${VAR_LOG}"
printf "❌ Debug Log saved at : %s \n" "${DEBUG_LOG}"
printf "❌ cat %s \n" "${DEBUG_LOG}"
if "${VAR_EARLY_DEBUG}"; then
printf "❌ Vars Dump saved at : %s \n" "${LOG_VAR}"
printf "❌ Debug Log saved at : %s \n" "${LOG_DEBUG}"
printf "❌ cat %s \n" "${LOG_DEBUG}"
fi
printf "\n"
} >> "${ERROR_LOG}"
} >> "${LOG_ERROR}"
}
#######################################
@@ -58,38 +60,40 @@ print_file_err() {
# ARGUMENTS_COUNT
# ARG_STR_ORG_INPUT
# ARG_STR_SANITIZED
# DEBUG_LOG
# EARLY_DEBUG
# ERROR_LOG
# VAR_LOG
# VERSION
# errcmmd
# errcode
# errfunc
# errline
# errscrt
# LOG_DEBUG
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# LOG_ERROR
# LOG_VAR
# SECONDS
# VAR_EARLY_DEBUG
# VAR_SYSTEM
# VAR_VERSION
# Arguments:
# None
#######################################
print_scr_err() {
printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
printf "\e[91m❌ Version : %s \e[0m\n" "${VERSION}" >&2
printf "\e[91m❌ Environment : %s \e[0m\n" "${SYSTEM_VAR}" >&2
printf "\e[91m❌ Error : %s \e[0m\n" "${errcode}" >&2
printf "\e[91m❌ Line : %s \e[0m\n" "${errline}" >&2
printf "\e[91m❌ Script : %s \e[0m\n" "${errscrt}" >&2
printf "\e[91m❌ Function : %s \e[0m\n" "${errfunc}" >&2
printf "\e[91m❌ Command : %s \e[0m\n" "${errcmmd}" >&2
printf "\e[91m❌ Version : %s \e[0m\n" "${VAR_VERSION}" >&2
printf "\e[91m❌ Environment : %s \e[0m\n" "${VAR_SYSTEM}" >&2
printf "\e[91m❌ Error : %s \e[0m\n" "${ERRCODE}" >&2
printf "\e[91m❌ Line : %s \e[0m\n" "${ERRLINE}" >&2
printf "\e[91m❌ Script : %s \e[0m\n" "${ERRSCRT}" >&2
printf "\e[91m❌ Function : %s \e[0m\n" "${ERRFUNC}" >&2
printf "\e[91m❌ Command : %s \e[0m\n" "${ERRCMMD}" >&2
printf "\e[91m❌ Script Runtime : %s \e[0m\n" "${SECONDS}" >&2
printf "\e[91m❌ Arguments Counter : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
printf "\e[91m❌ Arguments Original : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${ARG_STR_SANITIZED}" >&2
printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${ERROR_LOG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${ERROR_LOG}" >&2
if "${EARLY_DEBUG}"; then
printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${VAR_LOG}" >&2
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${DEBUG_LOG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${DEBUG_LOG}" >&2
printf "\e[91m❌ Error Log saved at : %s \e[0m\n" "${LOG_ERROR}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_ERROR}" >&2
if "${VAR_EARLY_DEBUG}"; then
printf "\e[91m❌ Vars Dump saved at : %s \e[0m\n" "${LOG_VAR}" >&2
printf "\e[91m❌ Debug Log saved at : %s \e[0m\n" "${LOG_DEBUG}" >&2
printf "\e[91m❌ cat %s \e[0m\n" "${LOG_DEBUG}" >&2
fi
printf "\n"
}
@@ -97,7 +101,12 @@ print_scr_err() {
#######################################
# Trap function to be called on 'ERR'.
# Globals:
# EARLY_DEBUG
# ERRCMMD
# ERRCODE
# ERRFUNC
# ERRLINE
# ERRSCRT
# VAR_EARLY_DEBUG
# Arguments:
# $1: $?
# $2: ${BASH_SOURCE[0]}
@@ -106,14 +115,14 @@ print_scr_err() {
# $5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -g errcode="$1"
declare -g errscrt="$2"
declare -g errline="$3"
declare -g errfunc="$4"
declare -g errcmmd="$5"
declare -g ERRCODE="$1"
declare -g ERRSCRT="$2"
declare -g ERRLINE="$3"
declare -g ERRFUNC="$4"
declare -g ERRCMMD="$5"
trap - ERR
if "${EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${errcode}"
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${ERRCODE}"
clean_screen
print_file_err
print_scr_err
@@ -122,10 +131,9 @@ trap_on_err() {
#######################################
# Gather all user-defined variables (name and value)
# Globals:
# VAR_LOG
# VERSION
# dump_vars_initial
# var
# LOG_VAR
# VAR_DUMP_VARS_INITIAL
# VAR_VERSION
# Arguments:
# None
#######################################
@@ -144,19 +152,19 @@ dump_user_vars() {
{
printf "✅ CISS.debian.live.builder Config Variable Dump. \n"
printf "✅ Version : %s \n" "${VERSION}"
printf "✅ Version : %s \n" "${VAR_VERSION}"
printf "\n"
printf "===== Initial VAR Environment ===== \n"
} >> "${VAR_LOG}"
} >> "${LOG_VAR}"
comm -23 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true
comm -23 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true
{
printf "\n"
printf "===== Final VAR Environment ===== \n"
} >> "${VAR_LOG}"
} >> "${LOG_VAR}"
comm -13 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true
rm "${dump_vars_initial}" "${dump_vars_final}"
comm -13 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true
rm "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

27
lib/lib_trap_on_exit.sh
View File

@@ -13,7 +13,7 @@
#######################################
# Trap function to be called on 'EXIT'.
# Globals:
# EARLY_DEBUG
# VAR_EARLY_DEBUG
# Arguments:
# $1: $?
#######################################
@@ -21,7 +21,7 @@ trap_on_exit() {
declare -r trap_on_exit_code="$1"
trap - EXIT
if (( trap_on_exit_code == 0 )); then
if "${EARLY_DEBUG}"; then dump_user_vars; fi
if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
clean_up "${trap_on_exit_code}"
print_scr_exit "${trap_on_exit_code}"
exit 0
@@ -33,28 +33,29 @@ trap_on_exit() {
#######################################
# Print Success Message for Trap on 'EXIT' on 'stdout'
# Globals:
# DEBUG
# DEBUG_LOG
# HANDLER_BUILD_DIR
# VAR_LOG
# handler_success
# LOG_DEBUG
# LOG_VAR
# SECONDS
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_SCRIPT_SUCCESS
# Arguments:
# $1: ${trap_on_exit_code} of trap_on_exit()
#######################################
print_scr_exit() {
declare -r print_scr_exit_code="$1"
if (( print_scr_exit_code == 0 )); then
if [[ "${handler_success}" == "true" ]]; then
if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
printf "\n"
printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n"
printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${HANDLER_BUILD_DIR}/.integrity/"
printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}"
printf "\n"
if [[ "${EARLY_DEBUG}" == "true" ]]; then
if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then
printf "\e[92m✅ Script Runtime : %s \e[0m\n" "${SECONDS}"
printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${VAR_LOG}"
printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${DEBUG_LOG}"
printf "\e[92m✅ cat %s \e[0m\n" "${DEBUG_LOG}"
printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${LOG_VAR}"
printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${LOG_DEBUG}"
printf "\e[92m✅ cat %s \e[0m\n" "${LOG_DEBUG}"
printf "\n"
fi
printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"

2
lib/lib_usage.sh
View File

@@ -22,7 +22,7 @@ usage() {
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.02.512.2025.05.30\e[0m")
$(echo -e "\e[92mMaster V8.02.644.2025.05.31\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")