V8.13.392.2025.11.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-07 20:46:09 +01:00
parent f797c16278
commit f4cec85f7f
10 changed files with 72 additions and 73 deletions
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -136,6 +136,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
  source_guard "./lib/lib_check_kernel.sh"
  source_guard "./lib/lib_check_pkgs.sh"
  source_guard "./lib/lib_check_provider.sh"
+  source_guard "./lib/lib_check_secrets.sh"
  source_guard "./lib/lib_check_stats.sh"
  source_guard "./lib/lib_check_var.sh"
  source_guard "./lib/lib_ciss_upgrades_boot.sh"
@@ -249,6 +250,7 @@ note_target
 provider_netcup
 update_microcode
 x_hooks
+x_remove

 ### Start the build process ----------------------------------------------------------------------------------------------------
 set +o errtrace
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -14,7 +14,8 @@ include_toc: true

 ## V8.13.392.2025.11.07
 * **Global**: Changed ``guard_sourcing`` to ``guard_sourcing || return "${ERR_GUARD_SRCE}"``
-* **Added**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) + ``print_stacktrace`()
+* **Added**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + Final secrets wiper before starting ``lb build``.
+* **Added**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) + ``print_stacktrace()``
 * **Added**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) + Trap on ``EXIT`` handler for 'non-0' exit-code.
 * **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling

--- a/lib/lib_check_secrets.sh
+++ b/lib/lib_check_secrets.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SRCE}"
+
+#######################################
+# Removes secrets securely before 'lb build' execution.
+# Globals:
+#   BASH_SOURCE
+#   VAR_TMP_SECRET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+x_remove() {
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+
+  shopt -s nullglob dotglob
+
+  ### Removes secrets securely.
+  # shellcheck disable=SC2312
+  find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+  find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
+
+  shopt -u nullglob dotglob
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f x_remove
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -39,19 +39,19 @@ clean_up() {
  rm -f -- "${VAR_KERNEL_TMP}"
  rm -f -- "${VAR_NOTES}"

-  # Release advisory lock on FD 127.
+  ### Release advisory lock on FD 127.
  flock -u 127

-  # Close file descriptor 127.
+  ### Close file descriptor 127.
  exec 127>&-

-  # Remove the lockfile artifact.
+  ### Remove the lockfile artifact.
  rm -f /run/lock/ciss_live_builder.lock

-  # Removes the error log on clean exit.
+  ### Removes the error log on clean exit.
  if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi

-  # Cleaning TCP wrapper artifacts.
+  ### Cleaning TCP wrapper artifacts.
  if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
    rm -f "${VAR_WORKDIR}/hosts.allow"
  fi
@@ -59,7 +59,7 @@ clean_up() {
    rm -f "${VAR_WORKDIR}/hosts.deny"
  fi

-  # Kill gpg-agent and remove artifacts securely.
+  ### Kill gpg-agent and remove artifacts securely.
  if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then

    if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" ]]; then
@@ -85,7 +85,7 @@ clean_up() {

  fi

-  # Removes secrets securely.
+  ### Removes secrets securely.
  # shellcheck disable=SC2312
  find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
  find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -75,13 +75,13 @@ hardening_ultra() {
  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then

    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
-    rsync -aHAX --delete ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/"
+    cp -af ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/"
    chmod 0755 ./config/includes.chroot/etc/ciss/keys
    chmod 0444 ./config/includes.chroot/etc/ciss/keys/*

  else

-    rsync -aHAX --delete ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/"
+    cp -af ./config/includes.chroot/ "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/"
    chmod 0755 ./config/includes.chroot/etc/ciss/keys
    chmod 0444 ./config/includes.chroot/etc/ciss/keys/*

--- a/lib/lib_note_target.sh
+++ b/lib/lib_note_target.sh
@@ -70,9 +70,9 @@ export CDLB_VERSION="${VAR_VERSION}"
 export CDLB_GIT_REL="${VAR_GIT_REL}"
 export CDLB_CR_DATE="${VAR_DATE_INFO}"
 export CDLB_CR_HOST="${VAR_HOST}"
-export CDLB_BASHVER="${VAR_VER_BASH}"
-export CDLB_DS_VER="${VAR_VER_DS}"
-export CDLB_LB_VER="${VAR_VER_LB}"
+export CDLB_VER_BASH="${VAR_VER_BASH}"
+export CDLB_VER_DS="${VAR_VER_DS}"
+export CDLB_VER_LB="${VAR_VER_LB}"
 export CDLB_SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
 EOF
  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -73,8 +73,6 @@ init_primordial() {

  fi

-
-
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

  return 0
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -167,13 +167,13 @@ readonly -f print_scr_err
 trap_on_err() {
  trap - DEBUG ERR INT TERM

-  declare -g ERRCODE="$1"
-  declare -g ERRSCRT="$2"
-  declare -g ERRLINE="$3"
-  declare -g ERRFUNC="$4"
-  declare -g ERRCMMD="$5"
+  declare -gx ERRCODE="$1"
+  declare -gx ERRSCRT="$2"
+  declare -gx ERRLINE="$3"
+  declare -gx ERRFUNC="$4"
+  declare -gx ERRCMMD="$5"
  # shellcheck disable=SC2034
-  declare -g ERRTRAP="true"
+  declare -gx ERRTRAP="true"

  if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi

--- a/var/error.var.sh
+++ b/var/error.var.sh
@@ -1,47 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-# shellcheck disable=SC2034
-
-### Definition of error codes.
-declare -gir ERR_UNCRITICAL=127
-declare -gir ERR_NOT_USER_0=128 # Not running as root
-declare -gir ERR_FLOCK_WRTG=129 # Cannot open lockfile for writing
-declare -gir ERR_FLOCK_COLL=130 # The Script is already running
-declare -gir ERR_GUARD_SRCE=131 # Module tried to load twice.
-declare -gir ERR_GPG__AGENT=132 # GNUPG agent error.
-declare -gir ERR_SPLASH_PNG=200 # --change-splash MUST be 'club' or 'hexagon'
-declare -gir ERR_CONTROL_CT=201 # --control MUST be an integer between '1' and '65535'
-declare -gir ERR_RENICE_PRI=202 # --renice-priority MUST an integer between '-19' and '19'
-declare -gir ERR_REIONICE_P=203 # --reionice-priority no values provided.
-declare -gir ERR_REIO_P_VAL=204 # --reionice-priority PRIORITY MUST be an integer between '0' and '7'
-declare -gir ERR_REIO_C_VAL=205 # --reionice-priority CLASS MUST be an integer between '1' and '3'
-declare -gir ERR_MISS_PWD_P=206 # --root-password-file missing password file path argument
-declare -gir ERR_MISS_PWD_F=207 # --root-password-file password file does not exist
-declare -gir ERR_OWNS_PWD_F=208 # --root-password-file failed to set owner root:root on the PWD file
-declare -gir ERR_RGHT_PWD_F=209 # --root-password-file failed to set permissions 0400 on the PWD file
-declare -gir ERR_PASS_LENGH=210 # --root-password-file password MUST be between 20 and 64 characters
-declare -gir ERR_PASS_PLICY=211 # --root-password-file password MUST NOT contain double quotes
-declare -gir ERR__SSH__PORT=212 # --ssh-port MUST be an integer between '1' and '65535'
-declare -gir ERR_ARG_MSMTCH=213 # Wrong Number of optional Arguments provided
-declare -gir ERR_NOTABSPATH=252 # Not an absolute path
-declare -gir ERR_INVLD_CHAR=253 # Invalid Character
-declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
-declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
-
-### Definition of error trap vars
-declare -g ERRCODE="" # = $?                   = $1 = ERRCODE
-declare -g ERRSCRT="" # = ${BASH_SOURCE[0]}    = $2 = ERRSCRT
-declare -g ERRLINE="" # = ${LINENO}            = $3 = ERRLINE
-declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
-declare -g ERRCMMD="" # = ${$BASH_COMMAND}     = $5 = ERRCMMD
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -87,10 +87,11 @@ declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
 declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash

 ### Definition of error trap vars
-declare -g ERRCODE="" # = $?                   = $1 = ERRCODE
-declare -g ERRSCRT="" # = ${BASH_SOURCE[0]}    = $2 = ERRSCRT
-declare -g ERRLINE="" # = ${LINENO}            = $3 = ERRLINE
-declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
-declare -g ERRCMMD="" # = ${$BASH_COMMAND}     = $5 = ERRCMMD
+declare -gx ERRCODE="" # = $?                   = $1 = ERRCODE
+declare -gx ERRSCRT="" # = ${BASH_SOURCE[0]}    = $2 = ERRSCRT
+declare -gx ERRLINE="" # = ${LINENO}            = $3 = ERRLINE
+declare -gx ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
+declare -gx ERRCMMD="" # = ${$BASH_COMMAND}     = $5 = ERRCMMD
+declare -gx ERRTRAP="false"

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh