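#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#
# Post-build hardening hook, executed inside the chroot of the live system.
# It performs, in order:
#   1. removal of builder leftovers (temporary script, build tree, '.keep' files),
#   2. permission tightening of '/root/.ciss' and the files under '/etc/ciss/keys',
#   3. regeneration of the initramfs for every installed kernel,
#   4. pinning 'default.target' to 'multi-user.target' and masking every known
#      display manager unit, so the live system can never boot into a graphical login.
# Runs as root. Every step is fatal on error ('set -e'); a half-applied hardening
# is treated as a failed build rather than silently continued.

set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
declare var_target="" var_dm_link=""
declare -a ary_dm_units=()

### Abort with a message on stderr. Used for conditions that would otherwise leave a
### dangling or ineffective symlink behind, which would weaken the hardening silently.
die() {
  printf 'ERROR: %s\n' "${*}" >&2
  exit 1
}

### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
rm -f /root/ciss_xdg_tmp.sh
rm -fr /root/build
find /etc /home /root /usr /var -type f -name '.keep' -print -delete

### Securing '/root/.ciss' ----------------------------------------------------------------------------------------------------
# NOTE: 'find' exits non-zero if the directory is missing, which aborts the run via 'set -e'.
# This is kept on purpose: the directory is expected to exist at this stage, and skipping
# silently would leave its contents with builder-default permissions.
find /root/.ciss -type d -exec chmod 0700 {} +
find /root/.ciss -type f -exec chmod 0440 {} +

### Securing '/etc/ciss/keys' -------------------------------------------------------------------------------------------------
# Only regular files are tightened here; the permissions of '/etc/ciss/keys' itself and of
# any subdirectory are left as the builder created them.
find /etc/ciss/keys -type f -exec chmod 0440 {} +

### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
update-initramfs -u -k all -v

### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
if [[ -d /lib/systemd/system ]]; then
  var_unit_dir=/lib/systemd/system
elif [[ -d /usr/lib/systemd/system ]]; then
  var_unit_dir=/usr/lib/systemd/system
else
  # Without a unit dir the link below would point at '/multi-user.target' (dangling).
  die "no systemd unit directory found; refusing to create a dangling default.target"
fi
var_target="${var_unit_dir}/multi-user.target"
[[ -e "${var_target}" ]] || die "'${var_target}' does not exist; refusing to create a dangling default.target"

### Enforce 'default.target' -> 'multi-user.target' as a symlink. --------------------------------------------------------------
if [[ -e "${var_link}" ]] && [[ ! -L "${var_link}" ]]; then
  ### A regular file here is wrong; we remove it to avoid vendor fallback to graphical.
  rm -f -- "${var_link}"
fi
### (Re)create the link unless it already resolves to the same unit file. Both sides are
### resolved with 'readlink -f' so a merged-/usr layout ('/lib' -> '/usr/lib') does not
### make an already-correct link look wrong on every run.
# shellcheck disable=SC2312
if [[ ! -L "${var_link}" ]] || [[ "$(readlink -f -- "${var_link}")" != "$(readlink -f -- "${var_target}")" ]]; then
  ln -sfn -- "${var_target}" "${var_link}"
fi

### Hard-block any display manager (mask via /dev/null symlink). Include common DMs, and the generic alias: -------------------
### This mirrors what 'systemctl mask' does: a symlink to /dev/null in /etc/systemd/system
### takes precedence over the vendor unit.
ary_dm_units=(
  "display-manager.service"
  "gdm.service"
  "gdm3.service"
  "sddm.service"
  "lightdm.service"
  "xdm.service"
  "lxdm.service"
  "slim.service"
)
for var_dm in "${ary_dm_units[@]}"; do
  var_dm_link="/etc/systemd/system/${var_dm}"
  if [[ -L "${var_dm_link}" ]]; then
    ### An existing symlink only counts as a mask when it points at /dev/null. On Debian the
    ### installed DM's packaging typically creates 'display-manager.service' here as a symlink
    ### to its own unit -- such a link must be replaced, not left alone.
    # shellcheck disable=SC2312
    if [[ "$(readlink -- "${var_dm_link}")" == "/dev/null" ]]; then
      continue
    fi
    rm -f -- "${var_dm_link}"
  elif [[ -d "${var_dm_link}" ]]; then
    ### A directory under this exact name is unexpected; do not guess, fail the build.
    die "'${var_dm_link}' is a directory; cannot mask ${var_dm}"
  elif [[ -e "${var_dm_link}" ]]; then
    ### A regular unit file here would override the vendor unit *and* bypass the mask.
    rm -f -- "${var_dm_link}"
  fi
  ln -s /dev/null "${var_dm_link}"
done

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh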