From f1720a232118854798afc714cbca4c0f61b325c7a6c09102b75818044e597978 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Fri, 21 Nov 2025 09:07:08 +0000
Subject: [PATCH] V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner
---
 config/hooks/live/0022_dropbear_setup.chroot | 7 +++++++
 config/hooks/live/9930_hardening_ssh.chroot | 2 +-
 .../usr/lib/live/boot/0022-ciss-overlay-tmpfs | 2 ++
 .../usr/lib/live/boot/0026-ciss-early-sysctl | 16 ++++++++--------
 4 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot
index 8aae560..ef165ad 100644
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -40,6 +40,13 @@ dropbear_setup() {
 dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key
 dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+ if [[ -f /root/ssh/ssh_host_rsa_key ]]; then
+
+ dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key /etc/dropbear/initramfs/dropbear_rsa_host_key
+ dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key >| /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
+
+ fi
+
 else
 # shellcheck disable=SC2312
diff --git a/config/hooks/live/9930_hardening_ssh.chroot b/config/hooks/live/9930_hardening_ssh.chroot
index ae1a773..18ec26a 100644
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -36,7 +36,7 @@ else
 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
 # shellcheck disable=SC2312
- ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+ ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 fi
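Review bot: The two added `dropbearconvert`/`dropbearkey` calls inside the new `if [[ -f /root/ssh/ssh_host_rsa_key ]]` block carry no status check, so when the conversion fails the `>|` redirection still creates an empty dropbear_rsa_host_key.pub and the hook carries on, unless `set -e` is active further up the file (not visible in this hunk). Mirror explicit failure handling, e.g. `dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key /etc/dropbear/initramfs/dropbear_rsa_host_key || exit 1`, or log and skip the RSA key so the initramfs is never left with a half-written key pair. The block also lacks a one-line comment on why an RSA host key is now shipped in the initramfs next to the ed25519 one; `# RSA host key for clients that cannot use ed25519 — optional, ed25519 remains primary` would record the intent, and the two stray blank lines inside the `if` can go. dropbear_setup() starts and ends outside the hunk.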
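Review bot: The reduction of the RSA host key from 8192 to 4096 bits on the changed `ssh-keygen` line has no comment recording the reason, and a later reader will not see its connection to 0022_dropbear_setup.chroot, which this same commit extends to convert that RSA key for the initramfs (presumably the conversion tooling does not accept the larger size; confirm). Add `# 4096-bit RSA: <reason — fill in>; the key is also converted for dropbear in 0022_dropbear_setup.chroot` above the changed line. 4096 bits is a sound choice; the point is only that the change should be explained in-file rather than left to a version-bump commit message. The enclosing else branch starts outside the hunk.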
diff --git a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
index dff1244..bd6cc84 100644
--- a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
+++ b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
@@ -19,6 +19,8 @@ set -eu
+sleep 3
+
 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m"
 ### Declare variables ----------------------------------------------------------------------------------------------------------
diff --git a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
index 51f0841..4d40ae4 100644
--- a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
+++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
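Review bot: The unconditional `sleep 3` added at the top of the boot script has no comment saying what it waits for, so it reads as a timing workaround for an ordering dependency that is not visible here; a fixed delay is either too short on slow hardware, where the original race returns, or wasted time on fast hardware. State the dependency, e.g. `# wait for <device/service — TODO name it> before setting up the overlay tmpfs`, and where the condition can be tested, replace the fixed delay with a bounded poll (loop on the test with a short sleep and an upper limit) so the script stops visibly on timeout rather than continuing on a missing prerequisite. Since `set -eu` is in effect per the hunk header, a poll that exits non-zero on timeout will abort the script as intended.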
@@ -21,14 +21,14 @@ set -eu
 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"
-echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
-echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
-echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
-echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
-echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
-echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
-echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
-echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+#echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
+#echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
+#echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
+#echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
+#echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
+#echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
+#echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
+#echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
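Review bot: Commenting out all eight `echo N > /proc/sys/...` lines leaves the script applying nothing while the final printf in the hunk still reports "Successfully applied", which misstates the hardening state: yama.ptrace_scope, unprivileged_bpf_disabled, suid_dumpable, kexec_load_disabled, the three fs.protected_* settings and kptr_restrict are no longer set at early boot unless they have moved somewhere not visible in this commit. If they now live elsewhere, replace the eight commented lines with one comment naming that location, e.g. `# early hardening sysctls are now applied by <PATH — placeholder, fill in>`, and adjust or drop the success banner; if they have not moved, this is a silent regression of the hardening baseline and the version-bump commit message gives no rationale. Either way, commented-out code should be removed rather than kept, since history already preserves it.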