V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-21 09:07:08 +00:00
parent 55e4ebe670
commit f1720a2321
4 changed files with 18 additions and 9 deletions
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -40,6 +40,13 @@ dropbear_setup() {
    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key        /etc/dropbear/initramfs/dropbear_ed25519_host_key
    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
    if [[ -f /root/ssh/ssh_host_rsa_key ]]; then
      dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key          /etc/dropbear/initramfs/dropbear_rsa_host_key
      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key   >| /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
    fi
  else
    # shellcheck disable=SC2312
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -36,7 +36,7 @@ else
  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
  # shellcheck disable=SC2312
-  ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+  ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 fi
--- a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
+++ b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
@@ -19,6 +19,8 @@
 set -eu
 sleep 3
 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m"
 ### Declare variables ----------------------------------------------------------------------------------------------------------
--- a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
+++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
@@ -21,14 +21,14 @@ set -eu
 printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"
-echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
+#echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
-echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
+#echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
-echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
+#echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
-echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
+#echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
-echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
+#echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
-echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
+#echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
-echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
+#echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
-echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+#echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"